From 2e3596bfae20e87d76c2c45ce191deb3291bc0dc Mon Sep 17 00:00:00 2001
From: Steve Langasek
Date: Tue, 19 Aug 2008 21:47:39 -0700
Subject: create the new default configs with support for pam-auth-update substitution, and set up libpam-runtime.postinst to invoke pam-auth-update
---
 debian/libpam-runtime.postinst | 13 ++++++++-----
 debian/local/common-account | 19 ++++++++++++++++++-
 debian/local/common-account.md5sums | 1 +
 debian/local/common-auth | 18 +++++++++++++++++-
 debian/local/common-auth.md5sums | 1 +
 debian/local/common-password | 32 ++++++++++++++++----------------
 debian/local/common-password.md5sums | 1 +
 debian/local/common-session | 20 ++++++++++++++++++--
 debian/local/common-session.md5sums | 1 +
 9 files changed, 81 insertions(+), 25 deletions(-)
 create mode 100644 debian/local/common-account.md5sums
 create mode 100644 debian/local/common-session.md5sums
diff --git a/debian/libpam-runtime.postinst b/debian/libpam-runtime.postinst
index 5a734671..fcfb88d5 100644
--- a/debian/libpam-runtime.postinst
+++ b/debian/libpam-runtime.postinst
@@ -3,19 +3,22 @@
 # If the user has removed the config file, respect this sign of dementia
 # -- only create on package install.
-if [ -z "$2" ] || dpkg --compare-versions "$2" lt 0.76-17
+force=
+if [ -z "$2" ] || dpkg --compare-versions "$2" lt 1.0.1-3
 then
+ force=--force
 for configfile in common-auth common-account common-session \
 common-password
 do
- if [ ! -f /etc/pam.d/$configfile ] || \
- fgrep -q `md5sum /etc/pam.d/$configfile` \
+ if [ -f /etc/pam.d/$configfile ] && \
+ ! fgrep -q `md5sum /etc/pam.d/$configfile` \
 /usr/share/pam/$configfile.md5sums 2>/dev/null
 then
- cp /usr/share/pam/$configfile /etc/pam.d/
+ force=
 fi
 done
- rm -f /etc/pam.d/other.pre-upgrade 2>/dev/null || true
 fi
+pam-auth-update $force
+
 #DEBHELPER#
diff --git a/debian/local/common-account b/debian/local/common-account
index 67983019..16da5560 100644
--- a/debian/local/common-account
+++ b/debian/local/common-account
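Review bot: In debian/libpam-runtime.postinst the md5sum command substitution on the new `! fgrep -q` line is unquoted, so it expands to two words and fgrep also searches /etc/pam.d/$configfile itself ahead of the .md5sums list. Passing only the digest states the intent: `sum=$(md5sum < "/etc/pam.d/$configfile" | cut -d' ' -f1)` followed by `! fgrep -q "$sum" "/usr/share/pam/$configfile.md5sums"`. This test decides whether pam-auth-update is run with --force, which presumably replaces the administrator's PAM stack, and `2>/dev/null` hides a missing checksum list; the failure direction is safe (force is cleared) but silent. The kept comment "only create on package install" no longer matches the block, and I would replace it with `# pass --force only when every common-* file is absent or matches a packaged checksum`. The script's opening lines are outside the hunk, so whether a failing pam-auth-update aborts the postinst is not visible here.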
@@ -6,4 +6,21 @@
 # the central access policy for use on the system. The default is to
 # only deny service to users whose accounts are expired in /etc/shadow.
 #
-account required pam_unix.so
+# As of pam 1.0.1-3, this file is managed by pam-auth-update by default.
+# To take advantage of this, it is recommended that you configure any
+# local modules either before or after the default block, and use
+# pam-auth-update to manage selection of other modules. See
+# pam-auth-update(8) for details.
+#
+
+# here are the per-package modules (the "Primary" block)
+$account_primary
+# here's the fallback if no module succeeds
+account requisite pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+account required pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+$account_additional
+# end of pam-auth-update config
diff --git a/debian/local/common-account.md5sums b/debian/local/common-account.md5sums
new file mode 100644
index 00000000..39fbb426
--- /dev/null
+++ b/debian/local/common-account.md5sums
@@ -0,0 +1 @@
+9f04221fe44762047894adeb96ffd069 debian/local/common-account
diff --git a/debian/local/common-auth b/debian/local/common-auth
index 63d129aa..3d394f01 100644
--- a/debian/local/common-auth
+++ b/debian/local/common-auth
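Review bot: The template in debian/local/common-account (and the identical layout in common-auth, common-password and common-session) is only correct if every line substituted for `$account_primary` jumps past `pam_deny.so` on success, and the comments never state that invariant. If the Primary block expands to nothing, the stack reaches `requisite pam_deny.so` and every request of that type is refused; that looks most plausible for common-session, where modules are often plain `required` entries, but the profiles pam-auth-update substitutes are not part of this patch, so this needs confirming. I would add above the fallback something like `# each Primary module must use [success=N default=ignore] with N landing on pam_permit.so below; an empty Primary block means pam_deny.so rejects everything`. Because `pam_permit.so` returns success unconditionally, the advice to place local modules "before or after the default block" should also say that a local module must not let a failed check fall through to it.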
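Review bot: The new debian/local/common-account.md5sums records the path as `debian/local/common-account`, while the entries in common-auth.md5sums, common-password.md5sums and common-session.md5sums all use `/etc/pam.d/<name>`. The postinst lookup in this patch matches on the digest, so detection probably still works, but the entry looks as if it was generated against the source tree rather than the installed path. For consistency the line should read `9f04221fe44762047894adeb96ffd069  /etc/pam.d/common-account`.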
@@ -7,4 +7,20 @@
 # (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
 # traditional Unix authentication mechanisms.
 #
-auth required pam_unix.so nullok_secure
+# As of pam 1.0.1-3, this file is managed by pam-auth-update by default.
+# To take advantage of this, it is recommended that you configure any
+# local modules either before or after the default block, and use
+# pam-auth-update to manage selection of other modules. See
+# pam-auth-update(8) for details.
+
+# here are the per-package modules (the "Primary" block)
+$auth_primary
+# here's the fallback if no module succeeds
+auth requisite pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+auth required pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+$auth_additional
+# end of pam-auth-update config
diff --git a/debian/local/common-auth.md5sums b/debian/local/common-auth.md5sums
index 31477ad0..7fd8f15c 100644
--- a/debian/local/common-auth.md5sums
+++ b/debian/local/common-auth.md5sums
@@ -1 +1,2 @@
 933d757dcd5974b00619f68955743be7 /etc/pam.d/common-auth
+b58d8e0a6cadbf879df94869cca6be98 /etc/pam.d/common-auth
diff --git a/debian/local/common-password b/debian/local/common-password
index 45959eb5..690a737e 100644
--- a/debian/local/common-password
+++ b/debian/local/common-password
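Review bot: The kept header text in debian/local/common-auth still says "The default is to use the traditional Unix authentication mechanisms", but the template no longer contains any module line that makes this true; common-account keeps a similar "The default is to only deny service…" sentence, whereas the common-session hunk does drop its "The default is pam_unix." The removed line also carried `nullok_secure`, so a reader auditing empty-password handling can no longer see from this file which pam_unix options apply. I would reword the header to say that the effective modules and their options are whatever pam-auth-update writes into the Primary and Additional blocks, for example `# The modules in effect, and their options, are generated below by pam-auth-update.` The file's first lines are outside the hunk.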
@@ -7,28 +7,28 @@
 # Explanation of pam_unix options:
 #
-# The "nullok" option allows users to change an empty password, else
-# empty passwords are treated as locked accounts.
-#
 # The "md5" option enables MD5 passwords. Without this option, the
 # default is Unix crypt.
 #
 # The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
 # login.defs.
 #
-# You can also use the "min" option to enforce the length of the new
-# password.
-#
 # See the pam_unix manpage for other options.
-password required pam_unix.so nullok obscure md5
-
-# Alternate strength checking for password. Note that this
-# requires the libpam-cracklib package to be installed.
-# You will need to comment out the password line above and
-# uncomment the next two in order to use this.
-# (Replaces the `OBSCURE_CHECKS_ENAB', `CRACKLIB_DICTPATH')
-#
-# password required pam_cracklib.so retry=3 minlen=6 difok=3
-# password required pam_unix.so use_authtok nullok md5
+# As of pam 1.0.1-3, this file is managed by pam-auth-update by default.
+# To take advantage of this, it is recommended that you configure any
+# local modules either before or after the default block, and use
+# pam-auth-update to manage selection of other modules. See
+# pam-auth-update(8) for details.
+# here are the per-package modules (the "Primary" block)
+$password_primary
+# here's the fallback if no module succeeds
+password requisite pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+password required pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+$password_additional
+# end of pam-auth-update config
diff --git a/debian/local/common-password.md5sums b/debian/local/common-password.md5sums
index 569ca682..96faebf1 100644
--- a/debian/local/common-password.md5sums
+++ b/debian/local/common-password.md5sums
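Review bot: The kept "Explanation of pam_unix options" block in debian/local/common-password now describes "md5" and "obscure" for a pam_unix line that is no longer in the file, while the "nullok" and "min" paragraphs are dropped without anything on the page showing those options going away. Someone checking password hashing or empty-password policy from this file finds option descriptions with no options attached. I would either remove the block or change its lead-in to `# The options below apply to the pam_unix line that pam-auth-update generates, if any:` and keep the descriptions in step with what the generated line actually uses. The file's header above line 7 is outside the hunk.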
@@ -1,2 +1,3 @@
 601ecfbc99fd359877552cb5298087ad /etc/pam.d/common-password
 e5ae8ba8d00083c922d9d82a0432ef78 /etc/pam.d/common-password
+5d518818f1c6c369040b782f7852f53e /etc/pam.d/common-password
diff --git a/debian/local/common-session b/debian/local/common-session
index dc11da6d..4969b014 100644
--- a/debian/local/common-session
+++ b/debian/local/common-session
@@ -4,6 +4,22 @@
 # This file is included from other service-specific PAM config files,
 # and should contain a list of modules that define tasks to be performed
 # at the start and end of sessions of *any* kind (both interactive and
-# non-interactive). The default is pam_unix.
+# non-interactive).
 #
-session required pam_unix.so
+# As of pam 1.0.1-3, this file is managed by pam-auth-update by default.
+# To take advantage of this, it is recommended that you configure any
+# local modules either before or after the default block, and use
+# pam-auth-update to manage selection of other modules. See
+# pam-auth-update(8) for details.
+
+# here are the per-package modules (the "Primary" block)
+$session_primary
+# here's the fallback if no module succeeds
+session requisite pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+session required pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+$session_additional
+# end of pam-auth-update config
diff --git a/debian/local/common-session.md5sums b/debian/local/common-session.md5sums
new file mode 100644
index 00000000..b177eaa8
--- /dev/null
+++ b/debian/local/common-session.md5sums
@@ -0,0 +1 @@
+4845c1632b3561a9debe8d59be1b238e /etc/pam.d/common-session
--
cgit v1.2.3