]> granicus.if.org Git - linux-pam/log
linux-pam
5 years agodoc: fix module type written in MODULE TYPES PROVIDED master
MIZUTA Takeshi [Mon, 14 Oct 2019 15:55:36 +0000 (00:55 +0900)]
doc: fix module type written in MODULE TYPES PROVIDED

5 years agopam_unix: Add logging useful for debugging problems
Tomas Mraz [Mon, 14 Oct 2019 14:52:46 +0000 (16:52 +0200)]
pam_unix: Add logging useful for debugging problems

Two messages added about obtaining the username are guarded
by the debug option as these should not be normally
logged - they can be useful for debugging but they do not
indicate any special condition.

The message about authenticating user with blank password is
still just LOG_DEBUG priority but it is logged unconditionally
because it is somewhat extraordinary condition to have an user
with blank password.

* modules/pam_unix/pam_unix_auth.c (pam_sm_authenticate): Replace
  D() macro calls which are not enabled on production builds with
  regular pam_syslog() calls.

5 years agopam_unix: Fix the spelling of Jan Rękorajski's name.
Tomas Mraz [Thu, 10 Oct 2019 09:11:14 +0000 (11:11 +0200)]
pam_unix: Fix the spelling of Jan Rękorajski's name.

5 years agodoc: fix typo in manpage
MIZUTA Takeshi [Fri, 4 Oct 2019 15:18:35 +0000 (00:18 +0900)]
doc: fix typo in manpage

5 years agopam_mkhomedir: Add debug option to pam_mkhomedir(8) man page
MIZUTA Takeshi [Wed, 2 Oct 2019 16:30:21 +0000 (01:30 +0900)]
pam_mkhomedir: Add debug option to pam_mkhomedir(8) man page

5 years agoFixed missing quotes in configure script
Marek Černocký [Sun, 22 Sep 2019 06:57:36 +0000 (08:57 +0200)]
Fixed missing quotes in configure script

5 years agoAdd support for a vendor directory and libeconf (#136)
Thorsten Kukuk [Mon, 16 Sep 2019 15:17:49 +0000 (17:17 +0200)]
Add support for a vendor directory and libeconf (#136)

With this, it is possible for Linux distributors to store their
supplied default configuration files somewhere below /usr, while
/etc only contains the changes made by the user. The new option
--enable-vendordir defines where Linux-PAM should additional look
for pam.d/*, login.defs and securetty if this files are not in /etc.
libeconf is a key/value configuration file reading library, which
handles the split of configuration files in different locations
and merges them transparently for the application.

5 years agopam_lastlog: document the 'unlimited' option
Carlos Santos [Wed, 11 Sep 2019 14:50:28 +0000 (11:50 -0300)]
pam_lastlog: document the 'unlimited' option

Signed-off-by: Carlos Santos <casantos@redhat.com>
5 years agopam_lastlog: prevent crash due to reduced 'fsize' limit
Carlos Santos [Wed, 11 Sep 2019 02:08:30 +0000 (23:08 -0300)]
pam_lastlog: prevent crash due to reduced 'fsize' limit

It a reduced fsize limit is set in /etc/security/limits.conf and
pam_limits is in use pam_lastlog may cause a crash, e.g.

    ----- begin /etc/pam.d/su ----
    auth        sufficient   pam_rootok.so
    auth        required     pam_wheel.so use_uid
    auth        required     pam_env.so
    auth        required     pam_unix.so nullok
    account     required     pam_unix.so
    password    required     pam_unix.so nullok
    session     required     pam_limits.so
    session     required     pam_env.so
    session     required     pam_unix.so
    session     optional     pam_lastlog.so
    ----- end /etc/pam.d/su -----

    ----- begin /etc/security/limits.d/fsize.conf -----
    * soft fsize 1710
    * hard fsize 1710
    ----- end /etc/security/limits.d/fsize.conf -----

    # id user1
    uid=1000(user1) gid=1000(user1) groups=1000(user1)
    # su - user1
    Last login: Wed Sep 11 01:52:44 UTC 2019 on console
    $ exit
    # id user2
    uid=60000(user2) gid=60000(user2) groups=60000(user2)
    # su - user2
    File size limit exceeded

This happens because pam_limits sets RLIMIT_FSIZE before pam_lastlog
attempts to write /var/log/lastlog, leading to a SIGXFSZ signal.

In order to fix this, and an 'unlimited' option, which leads to saving
the 'fsize' limit and set it to unlimited before writing lastlog. After
that, restore the saved value. If 'fsize' is already unlimited nothing
is done.

Failing to set the 'fsize' limit is not a fatal error.  With luck the
configured limit will suffice, so we try to write lastlog anyway, even
under the risk of dying due to a SIGXFSZ.

Failing to restore the 'fsize' limit is a fatal error, since we don't
want to keep it unlimited.

Signed-off-by: Carlos Santos <casantos@redhat.com>
5 years agopam_unix_sess.c add uid for opening session
ed [Mon, 9 Sep 2019 19:16:25 +0000 (20:16 +0100)]
pam_unix_sess.c add uid for opening session

This adds the UID of the target user to the session open log.

Also fixing tabulation in pam_unix_sess.c.

5 years agoFix the man page for "pam_fail_delay()"
lifecrisis [Fri, 6 Sep 2019 21:11:17 +0000 (17:11 -0400)]
Fix the man page for "pam_fail_delay()"

This man page contained the incorrect statement that setting the
PAM_FAIL_DELAY item to NULL would disable any form of delay on
authentication failure.

I removed the incorrect statement and added a paragraph explaining
how an application should properly avoid delays.

Closes #137.

5 years agoFix a typo
lifecrisis [Fri, 6 Sep 2019 21:10:15 +0000 (17:10 -0400)]
Fix a typo

There is an extra space where there should not be one.

5 years agoUpdate a function comment
lifecrisis [Fri, 6 Sep 2019 21:09:30 +0000 (17:09 -0400)]
Update a function comment

The function comment for "_pam_await_timer()" does not mention the
intended behavior of prioritizing the "PAM_FAIL_DELAY" item.

I updated the comment to make this intention clear.

5 years agopwhistory: fix read of uninitialized data and memory leak when modifying opasswd
Matt Cowell [Thu, 29 Aug 2019 21:36:35 +0000 (16:36 -0500)]
pwhistory: fix read of uninitialized data and memory leak when modifying opasswd

The glibc implementation of getline/getdelim does not guarantee a NUL
terminator in lineptr if getline returns failure (-1).  This occurs when
the opasswd file exists but is empty.  Since strdup is called
immediately afterwards, this causes strdup to read uninitialized memory
and possibly buffer overrun / crash.

This also fixes a memory leak which always occurs when reading the last
line of the opasswd file.  Since the strdup is called before checking
the return code from getline, getdelim, or fgets+strlen, it will
duplicate and never free either:
- The last successfully read line (for getline or getdelim)
- Uninitialized data (if the file is empty)
- A 0 byte string (for fgets+strlen)

Fix by always checking the return code of getline, getdelim, or
fgets+strlen before calling strdup.

5 years agolibpam/pam_modutil_sanitize.c: optimize the way to close fds
Christophe Besson [Wed, 7 Aug 2019 12:25:51 +0000 (14:25 +0200)]
libpam/pam_modutil_sanitize.c: optimize the way to close fds

5 years agopam_tty_audit: Manual page clarification about password logging
Tomas Mraz [Wed, 7 Aug 2019 16:13:57 +0000 (18:13 +0200)]
pam_tty_audit: Manual page clarification about password logging

* modules/pam_tty_audit/pam_tty_audit.8.xml: Explanation why passwords
can be sometimes logged even when the option is not set.

5 years agopam_get_authtok_verify: Avoid duplicate password verification
Tomas Mraz [Wed, 7 Aug 2019 10:22:55 +0000 (12:22 +0200)]
pam_get_authtok_verify: Avoid duplicate password verification

If password was already verified by previous modules in the stack
it does not need to be verified by pam_get_authtok_verify either.

* libpam/pam_get_authtok.c (pam_get_authtok_internal): Set the authtok_verified
  appropriately.
  (pam_get_authtok_verify): Do not prompt if authtok_verified is set and
  set it when the password is verified.
* libpam/pam_private.h: Add authtok_verified to the pam handle struct.
* libpam/pam_start.c (pam_start): Initialize authtok_verified.

5 years agoMention that ./autogen.sh is needeed to be run if you check out the sources from git
2*yo [Tue, 16 Jul 2019 11:10:40 +0000 (13:10 +0200)]
Mention that ./autogen.sh is needeed to be run if you check out the sources from git

5 years agopam_unix: Correct MAXPASS define name in the previous two commits.
Tomas Mraz [Thu, 27 Jun 2019 17:00:41 +0000 (19:00 +0200)]
pam_unix: Correct MAXPASS define name in the previous two commits.

* modules/pam_unix/pam_unix_passwd.c: Change MAX_PASS to MAXPASS.
* modules/pam_unix/support.c: Likewise.

5 years agoRestrict password length when changing password
Florian Best [Wed, 26 Jun 2019 21:13:13 +0000 (23:13 +0200)]
Restrict password length when changing password

5 years agoTrim password at PAM_MAX_RESP_SIZE chars
Florian Best [Wed, 26 Jun 2019 11:49:23 +0000 (13:49 +0200)]
Trim password at PAM_MAX_RESP_SIZE chars

Issue #118: Protect against Denial of Service attacks.
To prevent hashsum generation via crypt of very long passwords the
password is now stripped to 512 characters. This is equivalent behavior
to unix_chkpwd.

5 years agopam_succeed_if: Request user data only when needed
Olaf Mandel [Thu, 23 May 2019 16:09:44 +0000 (16:09 +0000)]
pam_succeed_if: Request user data only when needed

Allow for conditions that just check the user field to also work for
users not known to the system. Before this caused a PAM_USER_UNKNOWN
even if no extra data for an existing user was needed. E.g.

    auth sufficient pam_succeed_if.so user = NotKnownToSystem

modules/pam_succeed_if/pam_succeed_if.c (evaluate): Change the pwd
parameter to an input/output parameter. Lazily request pwd with
pam_modutil_getpwnam() if needed and return PAM_USER_UNKNOWN on failure.

modules/pam_succeed_if/pam_succeed_if.c (pam_sm_authenticate): Don't
request the pwd if !use_uid anymore and shift the output from audit to
after the evaluate() call. Also make sure not to give the normal failure
message if the lazy pwd loading failed.

5 years agopam_tally2: Remove unnecessary fsync()
Maciej S. Szmigiero [Mon, 25 Feb 2019 19:50:48 +0000 (20:50 +0100)]
pam_tally2: Remove unnecessary fsync()

pam_tally2 does fsync() after writing to a tally file.
This causes hard drive cache flushes on every failed SSH login on many
(if not most) filesystems.
And an internet-exposed machine can have a lot of these failed logins.

This operation however doesn't seem to be necessary - the pam_tally2
module does not do any operation which would need explicit post-crash
ordering, it just does simple file reads and writes.
And doing a fsync() after them doesn't close any race if the system happens
to crash between a write being posted and its fsync() completion.

Let's remove this operation to get rid of all these extra cache flushes.

5 years agoFixed a grammer mistake
vkwitshana [Tue, 19 Feb 2019 11:36:37 +0000 (13:36 +0200)]
Fixed a grammer mistake

5 years agoFix documentation for pam_wheel
Christopher Head [Wed, 26 Sep 2018 04:52:04 +0000 (21:52 -0700)]
Fix documentation for pam_wheel

By default, pam_wheel checks for applicant membership in the wheel group
for *all* access requests, regardless of whether the target user is root
or non-root. Only if root_only is provided does it limit the membership
check to cases when the target user is root. Update the documentation to
reflect this.

5 years agoFix a typo in the documentation
Louis Sautier [Thu, 13 Dec 2018 15:12:42 +0000 (16:12 +0100)]
Fix a typo in the documentation

5 years agopam_lastlog: Improve silent option documentation
Nir Soffer [Wed, 9 Jan 2019 21:41:16 +0000 (23:41 +0200)]
pam_lastlog: Improve silent option documentation

The silent option explicitly silents only the last login message and not
bad logins. Add a note to the manual to make this clear.

* modules/pam_lastlog/pam_lastlog.8.xml: Clearify "silent showfailed"

5 years agopam_lastlog: Respect PAM_SILENT flag
Nir Soffer [Sat, 5 Jan 2019 22:36:27 +0000 (00:36 +0200)]
pam_lastlog: Respect PAM_SILENT flag

pam_lastlog module will not log info about failed login if the session
was opened with PAM_SILENT flag.

Example use case enabled by this change:

    sudo --non-interactive program

If this command is run by another program expecting specific output from
the command run by sudo, the unexpected info about failed logins will
break this program.

* modules/pam_lastlog/pam_lastlog.c: Respect silent option.
  (_pam_session_parse): Unset LASTLOG_BTMP if PAM_SILENT is set.

5 years agoFix regressions from the last commits.
Tomas Mraz [Fri, 4 Jan 2019 11:36:13 +0000 (12:36 +0100)]
Fix regressions from the last commits.

* configure.ac: Test for logwtmp needs -lutil in LIBS.
* modules/Makefile.am: Fix indentation of variable assignments causing
  creation of incorrect Makefile.

5 years agoReplace strndupa with strncpy
Rosen Penev [Mon, 16 Jul 2018 03:43:44 +0000 (20:43 -0700)]
Replace strndupa with strncpy

glibc only. A static string is better.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
5 years agobuild: ignore pam_lastlog when logwtmp is not available.
Yousong Zhou [Wed, 17 Jun 2015 13:18:05 +0000 (21:18 +0800)]
build: ignore pam_lastlog when logwtmp is not available.

* configure.ac: check logwtmp and set COND_BUILD_PAM_LASTLOG
* modules/pam_lastlog/Makefile.am: check COND_BUILD_PAM_LASTLOG

Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
5 years agobuild: ignore pam_rhosts if neither ruserok nor ruserok_af is available.
Yousong Zhou [Wed, 17 Jun 2015 10:19:23 +0000 (18:19 +0800)]
build: ignore pam_rhosts if neither ruserok nor ruserok_af is available.

* configure.ac: check for ruserok and ruserok_af
* modules/Makefile.am: ignore pam_rhosts/ if it's disabled
* modules/pam_rhosts/pam_rhosts.c: include stdlib.h for malloc and free

Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
6 years agopam_motd: Cleanup the code and avoid unnecessary logging
Tomas Mraz [Thu, 20 Dec 2018 12:59:25 +0000 (13:59 +0100)]
pam_motd: Cleanup the code and avoid unnecessary logging

The pam_motd module will not log if the default motd.d directories
are missing.

Also cleanup some code cleanliness issues and fix compilation
warnings.

* modules/pam_motd/pam_motd.c: Constification of constant strings.
  (try_to_display_directory): Removed unused function.
  (pam_split_string): Replace uint with unsigned int. Fix warnings.
  (compare_strings): Fix warnings by proper constification.
  (try_to_display_directories_with_overrides): Cleanups. Switch
  off the logging if the motd.d directories are missing and they
  are default ones.
  (pam_sm_open_session): Cleanup warnings. Pass the information
  to try_to_display_directories_with_overrides() that non-default
  motd options are used.

6 years agopam_lastlog: Limit lastlog file use by LASTLOG_UID_MAX option in login.defs.
Tomas Mraz [Tue, 11 Dec 2018 08:08:20 +0000 (09:08 +0100)]
pam_lastlog: Limit lastlog file use by LASTLOG_UID_MAX option in login.defs.

* modules/pam_lastlog/pam_lastlog.8.xml: Add the documentation of the
  LASTLOG_UID_MAX option.
* modules/pam_lastlog/pam_lastlog.c: New function get_lastlog_uid_max().
  (last_login_date): Check the uid against the get_lastlog_uid_max().
  (pam_authenticate): Likewise.

6 years agoMove the duplicated search_key function to pam_modutil.
Tomas Mraz [Mon, 10 Dec 2018 15:41:47 +0000 (16:41 +0100)]
Move the duplicated search_key function to pam_modutil.

* libpam/pam_modutil_searchkey.c: New source file with pam_modutil_search_key().
* libpam/Makefile.am: Add the pam_modutil_searchkey.c.
* libpam/include/security/pam_modutil.h: Add the pam_modutil_search_key() prototype.
* libpam/libpam.map: Add the pam_modutil_search_key() into a new version.
* modules/pam_faildelay/pam_faildelay.c: Drop search_key() and use
  pam_modutil_search_key().
* modules/pam_umask/pam_umask.c: Likewise.
* modules/pam_unix/support.c: Likewise.

6 years agopam_unix: Use pam_syslog instead of helper_log_err.
Tomas Mraz [Tue, 27 Nov 2018 15:11:03 +0000 (16:11 +0100)]
pam_unix: Use pam_syslog instead of helper_log_err.

* modules/pam_unix/passverify.c (verify_pwd_hash): Add pamh argument via
 PAMH_ARG_DECL. Call pam_syslog() instead of helper_log_err().
* modules/pam_unix/passverify.h: Adjust the declaration of verify_pwd_hash().
* modules/pam_unix/support.c (_unix_verify_password): Add the pamh argument
 to verify_pwd_hash() call.

6 years agopam_unix: Report unusable hashes found by checksalt to syslog.
Björn Esser [Mon, 26 Nov 2018 21:33:17 +0000 (22:33 +0100)]
pam_unix: Report unusable hashes found by checksalt to syslog.

libxcrypt can be build-time configured to support (or not support)
various hashing methods.  Future versions will also have support for
runtime configuration by the system's vendor and/or administrator.

For that reason adminstrator should be notified by pam if users cannot
log into their account anymore because of such a change in the system's
configuration of libxcrypt.

Also check for malformed hashes, like descrypt hashes starting with
"$2...", which might have been generated by unsafe base64 encoding
functions as used in glibc <= 2.16.
Such hashes are likely to be rejected by many recent implementations
of libcrypt.

* modules/pam_unix/passverify.c (verify_pwd_hash): Report unusable
hashes found by checksalt to syslog.

6 years agoRevert "pam_unix: Add crypt_default method, if supported."
Tomas Mraz [Tue, 27 Nov 2018 10:54:23 +0000 (11:54 +0100)]
Revert "pam_unix: Add crypt_default method, if supported."

This reverts commit ad435b386b22b456724dc5c5b8d9f2d1beffc558.

6 years agopam_unix: Add crypt_default method, if supported.
Björn Esser [Thu, 15 Nov 2018 15:57:35 +0000 (16:57 +0100)]
pam_unix: Add crypt_default method, if supported.

libxcrypt since v4.4.0 supports a default method for its
gensalt function on most system configurations.  As the
default method is to be considered the strongest available
hash method, it should be preferred over all other hash
methods supported by pam.

* modules/pam_unix/pam_unix.8.xml: Documentation for crypt_default.
* modules/pam_unix/passverify.c: Add crypt_default method.
* modules/pam_unix/support.h: Likewise.

6 years agoRevert part of the commit 4da9febc
Tomas Mraz [Mon, 26 Nov 2018 11:50:14 +0000 (12:50 +0100)]
Revert part of the commit 4da9febc

pam_unix: Do not return a hard failure on invalid or disabled salt
as in some cases the failure actually is not interesting and can
broke things such as password-less sudo.

* modules/pam_unix/passverify.c (check_shadow_expiry): Revert checking
  of disabled or invalid salt.

6 years agopam_unix: Add support for (gost-)yescrypt hashing methods.
Björn Esser [Thu, 15 Nov 2018 15:38:05 +0000 (16:38 +0100)]
pam_unix: Add support for (gost-)yescrypt hashing methods.

libxcrypt (v4.2 and later) has added support for the yescrypt
hashing method; gost-yescrypt has been added in v4.3.

* modules/pam_unix/pam_unix.8.xml: Documentation for (gost-)yescrypt.
* modules/pam_unix/pam_unix_acct.c: Use 64 bit type for control flags.
* modules/pam_unix/pam_unix_auth.c: Likewise.
* modules/pam_unix/pam_unix_passwd.c: Likewise.
* modules/pam_unix/pam_unix_sess.c: Likewise.
* modules/pam_unix/passverify.c: Add support for (gost-)yescrypt.
* modules/pam_unix/passverify.h: Use 64 bit type for control flags.
* modules/pam_unix/support.c: Set sane rounds for (gost-)yescrypt.
* modules/pam_unix/support.h: Add support for (gost-)yescrypt.

6 years agopam_unix: Fix closing curly brace. (#77)
Björn Esser [Thu, 22 Nov 2018 16:04:08 +0000 (17:04 +0100)]
pam_unix: Fix closing curly brace. (#77)

This has been overlooked during review of commit dce80b3f11b3.

* modules/pam_unix/support.c (_set_ctrl): Fix closing curly brace.

Closes: https://github.com/linux-pam/linux-pam/issues/77
6 years agopam_unix: Add support for crypt_checksalt, if libcrypt supports it.
Björn Esser [Thu, 15 Nov 2018 18:49:44 +0000 (19:49 +0100)]
pam_unix: Add support for crypt_checksalt, if libcrypt supports it.

libxcrypt v4.3 has added the crypt_checksalt function to whether
the prefix at the begining of a given hash string refers to a
supported hashing method.

Future revisions of this function will add support to check whether
the hashing method, the prefix refers to, was disabled or considered
deprecated by the system's factory presets or system administrator.
Furthermore it will be able to detect whether the parameters, which
are used by the corresponding hashing method, being encoded in the
hash string are not considered to be strong enough anymore.

*modules/pam_unix/passverify.c: Add support for crypt_checksalt.

6 years agopam_unix: Prefer a gensalt function, that supports auto entropy.
Björn Esser [Thu, 15 Nov 2018 14:58:56 +0000 (15:58 +0100)]
pam_unix: Prefer a gensalt function, that supports auto entropy.

* modules/pam_unix/pam_unix_passwd.c: Initialize rounds parameter to 0.
* modules/pam_unix/passverify.c: Prefer gensalt with auto entropy.
* modules/pam_unix/support.c: Fix sanitizing of rounds parameter.

6 years agopam_motd: Fix segmentation fault when no motd_dir specified (#76)
Robert Fairley [Wed, 21 Nov 2018 07:46:02 +0000 (02:46 -0500)]
pam_motd: Fix segmentation fault when no motd_dir specified (#76)

This fixes a regression introduced by #69, where motd_path was set
to NULL and passed into strdup() if the motd_dir argument was
not specified in the configuration file. This caused a segmentation
fault.

* modules/pam_motd/pam_motd.c: fix checks for NULL in arguments
* xtests/Makefile.am: add test scripts and config file
* xtests/tst-pam_motd.sh: add running tst-pam_motd4.sh
* xtests/tst-pam_motd4.pamd: create
* xtests/tst-pam_motd4.sh: create

6 years agopam_motd: Support multiple motd paths specified, with filename overrides (#69)
Robert Fairley [Mon, 19 Nov 2018 08:00:16 +0000 (03:00 -0500)]
pam_motd: Support multiple motd paths specified, with filename overrides (#69)

Adds specifying multiple paths to motd files and motd.d
directories to be displayed. A colon-separated list of
paths is specified as arguments motd and motd_dir to the
pam_motd module.

This gives packages several options to install motd files to.
By default, the paths are, with highest priority first:
/etc/motd
/run/motd
/usr/lib/motd
/etc/motd.d/
/run/motd.d/
/usr/lib/motd.d/

Which is equivalent to the following arguments:
motd=/etc/motd:/run/motd:/usr/lib/motd
motd_dir=/etc/motd.d:/run/motd.d:/usr/lib/motd.d

Files with the same filename in a lower-priority directory,
as specified by the order in the colon-separated list, are
overridden, meaning PAM will not display them.

This allows a package to contain motd files under
/usr/lib instead of the host configuration in /etc.
A service may also write a dynamically generated motd in
/run/motd.d/ and have PAM display it without needing a
symlink from /etc/motd.d/ installed.

Closes #68

* modules/pam_motd/pam_motd.8.xml: update documentation
* modules/pam_motd/pam_motd.c: add specifying multiple motd paths
* xtests/.gitignore: add generated test script
* xtests/Makefile.am: add test source, scripts and config files
* xtests/tst-pam_motd.c: create
* xtests/tst-pam_motd.sh: create
* xtests/tst-pam_motd1.pamd: create
* xtests/tst-pam_motd1.sh: create
* xtests/tst-pam_motd2.pamd: create
* xtests/tst-pam_motd2.sh: create
* xtests/tst-pam_motd3.pamd: create
* xtests/tst-pam_motd3.sh: create

6 years agopam_unix: Use bcrypt b-variant for computing new hashes.
Björn Esser [Thu, 15 Nov 2018 14:01:57 +0000 (15:01 +0100)]
pam_unix: Use bcrypt b-variant for computing new hashes.

Bcrypt hashes used the "$2a$" prefix since 1997.
However, in 2011 an implementation bug was discovered in bcrypt
affecting the handling of characters in passphrases with the 8th
bit set.

Besides fixing the bug, OpenBSD 5.5 introduced the "$2b$" prefix
for a behavior that exactly matches crypt_blowfish's "$2y$", and
the crypt_blowfish implementation supports it as well since v1.1.

That said new computed bcrypt hashes should use the "$2b$" prefix.

* modules/pam_unix/passverify.c: Use bcrypt b-variant.

6 years agopam_tally, pam_tally2: fix grammar and spelling (#54)
Dmitry V. Levin [Fri, 22 Jun 2018 10:21:22 +0000 (10:21 +0000)]
pam_tally, pam_tally2: fix grammar and spelling (#54)

* modules/pam_tally/pam_tally.c (tally_check): Replace
"Account is temporary locked" with "The account is temporarily locked"
in translated messages.
* modules/pam_tally2/pam_tally2.c (tally_check): Likewise.
* po/Linux-PAM.pot: Update pam_tally and pam_tally2 messages.

Closes: https://github.com/linux-pam/linux-pam/issues/54
6 years agoFix grammar of messages printed via pam_prompt
Dmitry V. Levin [Tue, 19 Jun 2018 00:00:00 +0000 (00:00 +0000)]
Fix grammar of messages printed via pam_prompt

Turn into proper sentences those messages that are printed without
further modifications using pam_prompt in contexts where proper
sentences are expected.

* libpam/pam_get_authtok.c (pam_get_authtok_internal): Fix grammar
of the message passed to pam_error.
* modules/pam_limits/pam_limits.c (pam_sm_open_session): Likewise.
* modules/pam_cracklib/pam_cracklib.c (_pam_unix_approve_pass): Fix
grammar of error messages passed to pam_error.
* modules/pam_mail/pam_mail.c (report_mail): Fix grammar of a message
passed to pam_info.
* modules/pam_timestamp/pam_timestamp.c (verbose_success): Likewise.
* modules/pam_selinux/pam_selinux.c (config_context, send_text): Fix
grammar of messages passed to pam_prompt.
* modules/pam_tally/pam_tally.c (tally_check): Fix grammar of messages
passed to pam_info.
* modules/pam_tally2/pam_tally2.c (tally_check): Likewise.
* modules/pam_unix/pam_unix_acct.c (pam_sm_acct_mgmt): Fix grammar
of messages passed to _make_remark.
* modules/pam_unix/pam_unix_passwd.c (_pam_unix_approve_pass,
pam_sm_chauthtok): Likewise.
* po/Linux-PAM.pot: Regenerate.

6 years agopam_stress: do not mark messages for translation
Dmitry V. Levin [Tue, 19 Jun 2018 00:00:00 +0000 (00:00 +0000)]
pam_stress: do not mark messages for translation

pam_stress is not a regular module that needs to be translated.
Besides that, its messages are not easy to understand
and even harder to translate properly.

* modules/pam_stress/pam_stress.c (pam_sm_chauthtok): Do not mark
messages for translation.
* po/Linux-PAM.pot: Remove pam_stress messages.

6 years agopam_unix: remove obsolete _UNIX_AUTHTOK, _UNIX_OLD_AUTHTOK, and _UNIX_NEW_AUTHTOK...
Dmitry V. Levin [Thu, 31 May 2018 00:20:18 +0000 (00:20 +0000)]
pam_unix: remove obsolete _UNIX_AUTHTOK, _UNIX_OLD_AUTHTOK, and _UNIX_NEW_AUTHTOK macros

The last use of these macros was removed by commit Linux-PAM-1.3.0~5
so their definitions should go as well.

* modules/pam_unix/pam_unix_auth.c (_UNIX_AUTHTOK): Remove.
* modules/pam_unix/pam_unix_passwd.c (_UNIX_OLD_AUTHTOK,
_UNIX_NEW_AUTHTOK): Likewise.

Complements: 7e09188c5dc4 ("pam_unix: Use pam_get_authtok() instead of
direct pam_prompt() calls.")

6 years agopam_unix: remove obsolete _unix_read_password prototype
Dmitry V. Levin [Thu, 31 May 2018 00:20:18 +0000 (00:20 +0000)]
pam_unix: remove obsolete _unix_read_password prototype

The function was removed by commit Linux-PAM-1.3.0~5
so the function prototype should go as well.

* modules/pam_unix/support.h (_unix_read_password): Remove.

Complements: 7e09188c5dc4 ("pam_unix: Use pam_get_authtok() instead of
direct pam_prompt() calls.")

6 years agoRelease version 1.3.1 v1.3.1
Thorsten Kukuk [Fri, 18 May 2018 11:07:13 +0000 (13:07 +0200)]
Release version 1.3.1

6 years agoAdd xz compression
Thorsten Kukuk [Fri, 18 May 2018 11:06:22 +0000 (13:06 +0200)]
Add xz compression

6 years agopam_motd: add support for a motd.d directory (#48)
Allison Karlitskaya [Wed, 16 May 2018 12:44:41 +0000 (14:44 +0200)]
pam_motd: add support for a motd.d directory (#48)

Add a new feature to pam_motd to allow packages to install their own
message files in a "motd.d" directory, to be displayed after the primary
motd.

Add an option motd_d= to specify the location of this directory.

Modify the defaults, in the case where no options are given, to display
both /etc/motd and /etc/motd.d.

Fixes #47

 * modules/pam_motd/pam_motd.c: add support for motd.d
 * modules/pam_motd/pam_motd.8.xml: update the manpage

6 years agopam_umask: Fix documentation to align with order of loading umask
Tomas Mraz [Wed, 2 May 2018 12:12:20 +0000 (14:12 +0200)]
pam_umask: Fix documentation to align with order of loading umask

* modules/pam_umask/pam_umask.8.xml: Document the real order of loading
umask.

6 years agoFix missing word in documentation.
Joey Chagnon [Tue, 10 Apr 2018 15:40:58 +0000 (15:40 +0000)]
Fix missing word in documentation.

*  doc/man/pam_get_user.3.xml: Fix it.

7 years agopam_tally2 --reset: avoid creating a missing tallylog file
Dmitry V. Levin [Wed, 8 Nov 2017 23:58:58 +0000 (23:58 +0000)]
pam_tally2 --reset: avoid creating a missing tallylog file

There is no need for pam_tally2 in --reset=0 mode to create a missing
tallylog file because its absence has the same meaning as its existence
with the appropriate entry reset.

This was not a big deal until useradd(8) from shadow suite release 4.5
started to invoke /sbin/pam_tally2 --reset routinely regardless of PAM
configuration.

The positive effect of this change is noticeable when using tools like
cpio(1) that cannot archive huge sparse files efficiently.

* modules/pam_tally2/pam_tally2.c [MAIN] (main) <cline_user>: Stat
cline_filename when cline_reset == 0, exit early if the file is missing.

7 years agopam_mkhomedir: Allow creating parent of homedir under /
Tomas Mraz [Fri, 10 Nov 2017 07:56:09 +0000 (08:56 +0100)]
pam_mkhomedir: Allow creating parent of homedir under /

* modules/pam_mkhomedir/mkhomedir_helper.c (make_parent_dirs): Do not
skip creating the directory if we are under /.

7 years agopam_tty_audit: Fix regression introduced by adding the uid range support.
Tomas Mraz [Mon, 9 Oct 2017 15:37:56 +0000 (17:37 +0200)]
pam_tty_audit: Fix regression introduced by adding the uid range support.

* modules/pam_tty_audit/pam_tty_audit.c (parse_uid_range): Fix constification and
remove unneeded code carried from pam_limits.
(pam_sm_open_session): When multiple enable/disable options are present do not
stop after first match.

7 years agopam_access: Add note about spaces around ':' in access.conf(5)
Tomas Mraz [Wed, 6 Sep 2017 12:55:48 +0000 (14:55 +0200)]
pam_access: Add note about spaces around ':' in access.conf(5)

* modules/pam_access/access.conf.5.xml: Add note about spaces around ':'

7 years agoWorkaround formatting problem in pam(8)
Tomas Mraz [Wed, 6 Sep 2017 12:38:52 +0000 (14:38 +0200)]
Workaround formatting problem in pam(8)

* doc/man/pam.8.xml: Workaround formatting problem.

7 years agopam_unix: Check return value of malloc used for setcred data (#24)
Peter Urbanec [Wed, 12 Jul 2017 07:47:47 +0000 (17:47 +1000)]
pam_unix: Check return value of malloc used for setcred data (#24)

Check the return value of malloc and if it failed print debug info, send
a syslog message and return an error code.

The test in AUTH_RETURN for ret_data not being NULL becomes redundant.

Signed-off-by: Peter Urbanec <git.user@urbanec.net>
7 years agopam_cracklib: Drop unused prompt macros.
Tomas Mraz [Mon, 10 Jul 2017 10:06:58 +0000 (12:06 +0200)]
pam_cracklib: Drop unused prompt macros.

* modules/pam_cracklib/pam_cracklib.c: Drop the unused macros.

7 years agopam_tty_audit: Support matching users by uid range.
Tomas Mraz [Wed, 28 Jun 2017 13:52:16 +0000 (15:52 +0200)]
pam_tty_audit: Support matching users by uid range.

* modules/pam_tty_audit/pam_tty_audit.c (parse_uid_range): New function to
parse the uid range.
(pam_sm_open_session): Call parse_uid_range() and behave according to its result.
* modules/pam_tty_audit/pam_tty_audit.8.xml: Document the uid range matching.

7 years agopam_access: support parsing files in /etc/security/access.d/*.conf
Tomas Mraz [Wed, 31 May 2017 08:27:28 +0000 (10:27 +0200)]
pam_access: support parsing files in /etc/security/access.d/*.conf

* modules/pam_access/pam_access.c (login_access): Return NOMATCH if
there was no match in the parsed file.
(pam_sm_authenticate): Add glob() call to go through the ACCESS_CONF_GLOB
subdirectory and call login_access() on the individual files matched.
* modules/pam_access/pam_access.8.xml: Document the addition.
* modules/pam_access/Makefile.am: Add ACCESS_CONF_GLOB definition.

7 years agopam_localuser: Correct the example in documentation.
Tomas Mraz [Tue, 11 Apr 2017 10:13:59 +0000 (12:13 +0200)]
pam_localuser: Correct the example in documentation.

* modules/pam_localuser/pam_localuser.8.xml: The example configuration
  does something different.

7 years agopam_localuser: Correct documentation of return value.
Tomas Mraz [Tue, 11 Apr 2017 10:10:27 +0000 (12:10 +0200)]
pam_localuser: Correct documentation of return value.

* modules/pam_localuser/pam_localuser.8.xml: The module returns
  PAM_PERM_DENIED when the user is not listed.

7 years agoMake maxclassrepeat=1 behavior consistent with docs (#9)
Saul Johnson [Fri, 10 Mar 2017 13:03:03 +0000 (13:03 +0000)]
Make maxclassrepeat=1 behavior consistent with docs (#9)

* modules/pam_cracklib/pam_cracklib.c (simple): Apply the maxclassrepeat when greater than 0.

7 years agoProperly test for strtol() failure to find any digits.
Josef Moellers [Thu, 9 Feb 2017 11:27:59 +0000 (12:27 +0100)]
Properly test for strtol() failure to find any digits.

* modules/pam_access/pam_access.c (network_netmask_match): Test for endptr set
to beginning and not NULL.

7 years agopam_exec: fix a potential null pointer dereference
Daniel Abrecht [Thu, 19 Jan 2017 10:35:04 +0000 (11:35 +0100)]
pam_exec: fix a potential null pointer dereference

Fix a null pointer dereference when pam_prompt returns PAM_SUCCESS
but the response is set to NULL.

* modules/pam_exec/pam_exec.c (call_exec): Do not invoke strndupa
with a null pointer.

Closes: https://github.com/linux-pam/linux-pam/pull/2
8 years agoAdd missing comma in the limits.conf.5 manpage.
Antonio Ospite [Wed, 7 Dec 2016 07:52:54 +0000 (08:52 +0100)]
Add missing comma in the limits.conf.5 manpage.

* modules/pam_limits/limits.conf.5.xml: add a missing comma

8 years agoRegular links doesn't work with -no-numbering -no-references.
Tomas Mraz [Mon, 14 Nov 2016 10:43:12 +0000 (11:43 +0100)]
Regular links doesn't work with -no-numbering -no-references.

* configure.ac: Use elinks instead of links.

8 years agopam_access: First check for the (group) match.
Tomas Mraz [Tue, 1 Nov 2016 14:17:54 +0000 (15:17 +0100)]
pam_access: First check for the (group) match.

The (group) match is performed first to allow for groups
containing '@'.

* modules/pam_access/pam_access.c (user_match): First check for the (group) match.

8 years agopam_ftp: Properly use the first name from the supplied list
Tomas Mraz [Mon, 17 Oct 2016 12:18:24 +0000 (14:18 +0200)]
pam_ftp: Properly use the first name from the supplied list

* modules/pam_ftp/pam_ftp.c (lookup): Return first user from the list
of anonymous users if user name matches.
(pam_sm_authenticate): Free the returned value allocated in lookup().

8 years agopam_issue: Fix no prompting in parse escape codes mode.
Bartos-Elekes Zsolt [Mon, 12 Sep 2016 09:33:57 +0000 (11:33 +0200)]
pam_issue: Fix no prompting in parse escape codes mode.

* modules/pam_issue/pam_issue.c (read_issue_quoted): Fix misplaced strcat().

8 years agoxtests: remove bash dependency
Maxin B. John [Tue, 24 May 2016 14:43:33 +0000 (17:43 +0300)]
xtests: remove bash dependency

There are no bash specific syntax in the xtest scripts. So, remove
the bash dependency.

Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Maxin B. John <maxin.john@intel.com>
8 years agoUnification and cleanup of syslog log levels.
Tomas Mraz [Thu, 30 Jun 2016 12:29:40 +0000 (14:29 +0200)]
Unification and cleanup of syslog log levels.

* libpam/pam_handlers.c: Make memory allocation failures LOG_CRIT.
* libpam/pam_modutil_priv.c: Make memory allocation failures LOG_CRIT.
* modules/pam_echo/pam_echo.c: Make memory allocation failures LOG_CRIT.
* modules/pam_env/pam_env.c: Make memory allocation failures LOG_CRIT.
* modules/pam_exec/pam_exec.c: Make memory allocation failures LOG_CRIT.
* modules/pam_filter/pam_filter.c: Make all non-memory call errors LOG_ERR.
* modules/pam_group/pam_group.c: Make memory allocation failures LOG_CRIT.
* modules/pam_issue/pam_issue.c: Make memory allocation failures LOG_CRIT.
* modules/pam_lastlog/pam_lastlog.c: The lastlog file creation is syslogged
  with LOG_NOTICE, memory allocation errors with LOG_CRIT, other errors
  with LOG_ERR.
* modules/pam_limits/pam_limits.c: User login limit messages are syslogged
  with LOG_NOTICE, stale utmp entry with LOG_INFO, non-memory errors with
  LOG_ERR.
* modules/pam_listfile/pam_listfile.c: Rejection of user is syslogged
  with LOG_NOTICE.
* modules/pam_namespace/pam_namespace.c: Make memory allocation failures
  LOG_CRIT.
* modules/pam_nologin/pam_nologin.c: Make memory allocation failures
  LOG_CRIT, other errors LOG_ERR.
* modules/pam_securetty/pam_securetty.c: Rejection of access is syslogged
  with LOG_NOTICE, non-memory errors with LOG_ERR.
* modules/pam_selinux/pam_selinux.c: Make memory allocation failures LOG_CRIT.
* modules/pam_succeed_if/pam_succeed_if.c: Make all non-memory call errors
  LOG_ERR.
* modules/pam_time/pam_time.c: Make memory allocation failures LOG_CRIT.
* modules/pam_timestamp/pam_timestamp.c: Make memory allocation failures
  LOG_CRIT.
* modules/pam_unix/pam_unix_acct.c: Make all non-memory call errors LOG_ERR.
* modules/pam_unix/pam_unix_passwd.c: Make memory allocation failures LOG_CRIT,
  other errors LOG_ERR.
* modules/pam_unix/pam_unix_sess.c: Make all non-memory call errors LOG_ERR.
* modules/pam_unix/passverify.c: Unknown user is syslogged with LOG_NOTICE.
* modules/pam_unix/support.c: Unknown user is syslogged with LOG_NOTICE and
  max retries ignorance by application likewise.
* modules/pam_unix/unix_chkpwd.c: Make all non-memory call errors LOG_ERR.
* modules/pam_userdb/pam_userdb.c: Password authentication error is syslogged
  with LOG_NOTICE.
* modules/pam_xauth/pam_xauth.c: Make memory allocation failures LOG_CRIT.

8 years agopam_timestamp: fix typo in strncmp usage
Dmitry V. Levin [Tue, 14 Jun 2016 23:03:13 +0000 (23:03 +0000)]
pam_timestamp: fix typo in strncmp usage

Before this fix, a typo in check_login_time resulted to ruser and
struct utmp.ut_user being compared by the first character only,
which in turn could lead to a too low timestamp value being assigned
to oldest_login, effectively causing bypass of check_login_time.

* modules/pam_timestamp/pam_timestamp.c (check_login_time): Fix typo
in strncmp usage.

Patch-by: Anton V. Boyarshinov <boyarsh@altlinux.org>
8 years agoCorrect the examples in pam_fail_delay(3) man page.
Tomas Mraz [Mon, 30 May 2016 10:06:46 +0000 (12:06 +0200)]
Correct the examples in pam_fail_delay(3) man page.

doc/man/pam_fail_delay.3.xml: Correct the examples.

8 years agoRemove spaces in examples for access.conf.
Tomas Mraz [Wed, 11 May 2016 13:22:33 +0000 (15:22 +0200)]
Remove spaces in examples for access.conf.

The spaces are ignored only with the default listsep. To remove confusion
if non-default listsep is used they are removed from the examples.

* modules/pam_access/access.conf: Remove all spaces around ':' in examples.
* modules/pam_access/access.conf.5.xml: Likewise.

8 years agobuild: avoid non-portable == with "test" (ticket #60)
Mike Frysinger [Thu, 5 May 2016 10:05:26 +0000 (10:05 +0000)]
build: avoid non-portable == with "test" (ticket #60)

POSIX says test only accepts =. Some shells (including bash) accept ==,
but we should still stick to = for portability.

* configure.ac: Replace == with = in "test" invocations.

8 years agoRelease version 1.3.0 Linux-PAM-1.3.0
Thorsten Kukuk [Thu, 28 Apr 2016 11:54:30 +0000 (13:54 +0200)]
Release version 1.3.0

* NEWS: add changes for 1.3.0.
* configure.ac: bump version number.
* libpam/Makefile.am: bump revision of libpam.so version.

8 years agoUpdated translations from Zanata.
Tomas Mraz [Thu, 28 Apr 2016 09:59:08 +0000 (11:59 +0200)]
Updated translations from Zanata.

* po/*.po: Updated translations from Zanata.

8 years agopam_wheel: Correct the documentation of the root_only option.
Tomas Mraz [Tue, 19 Apr 2016 09:02:58 +0000 (11:02 +0200)]
pam_wheel: Correct the documentation of the root_only option.

* modules/pam_wheel/pam_wheel.8.xml: Correct the documentation of the
root_only option.

8 years agopam_unix: Document that MD5 password hash is used to store old passwords.
Tomas Mraz [Tue, 19 Apr 2016 08:48:31 +0000 (10:48 +0200)]
pam_unix: Document that MD5 password hash is used to store old passwords.

modules/pam_unix/pam_unix.8.xml: Document that the MD5 password hash is used
to store the old passwords when remember option is set.

8 years agoProject registered at Zanata (fedora.zanata.org) for translations.
Tomas Mraz [Thu, 14 Apr 2016 15:48:03 +0000 (17:48 +0200)]
Project registered at Zanata (fedora.zanata.org) for translations.

* zanata.xml: Configuration file for zanata client.
* po/LINGUAS: Update languages as supported by Zanata.
* po/Linux-PAM.pot: Updated from sources.
* po/*.po: Updated from sources.

8 years agopam_unix: Use pam_get_authtok() instead of direct pam_prompt() calls.
Tomas Mraz [Wed, 6 Apr 2016 12:27:07 +0000 (14:27 +0200)]
pam_unix: Use pam_get_authtok() instead of direct pam_prompt() calls.

We have to drop support for not_set_pass option which is not much useful
anyway. Instead we get proper support for authtok_type option.

* modules/pam_unix/pam_unix.8.xml: Removed not_set_pass option, added authtok_ty
pe
option.
* modules/pam_unix/pam_unix_auth.c (pam_sm_authenticate): Replace _unix_read_pas
sword()
call with equivalent pam_get_authtok() call.
* modules/pam_unix/pam_unix_passwd.c (pam_sm_chauthtok): Likewise and also drop
support for not_set_pass.
* modules/pam_unix/support.c (_unix_read_password): Remove.
* modules/pam_unix/support.h: Remove UNIX_NOT_SET_PASS add UNIX_AUTHTOK_TYPE.

8 years agopam_get_authtok(): Add authtok_type support to current password prompt.
Tomas Mraz [Wed, 6 Apr 2016 11:52:21 +0000 (13:52 +0200)]
pam_get_authtok(): Add authtok_type support to current password prompt.

* libpam/pam_get_authtok.c (pam_get_authtok_internal): When changing password,
use different prompt for current password allowing for authtok_type to be
displayed to the user.

8 years agopam_unix: Make password expiration messages more user-friendly.
Tomas Mraz [Mon, 4 Apr 2016 12:23:22 +0000 (14:23 +0200)]
pam_unix: Make password expiration messages more user-friendly.

* modules/pam_unix/pam_unix_acct.c (pam_sm_acct_mgmt): Make password
expiration messages more user-friendly.

8 years agoinnetgr may not be there so make sure that when innetgr is not present
Thorsten Kukuk [Mon, 4 Apr 2016 09:39:45 +0000 (11:39 +0200)]
innetgr may not be there so make sure that when innetgr is not present
then we inform about it and not use it. [ticket#46]

* modules/pam_group/pam_group.c: ditto
* modules/pam_succeed_if/pam_succeed_if.c: ditto
* modules/pam_time/pam_time.c: ditto

Signed-off-by: Khem Raj <raj.khem at gmail.com>
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
8 years agobuild: fix build when crypt() is not part of crypt_libs [ticket#46]
Thorsten Kukuk [Mon, 4 Apr 2016 09:35:57 +0000 (11:35 +0200)]
build: fix build when crypt() is not part of crypt_libs [ticket#46]

* configure.ac: Don't set empty -l option in crypt check

Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
8 years agobuild: use $host_cpu for lib64 directory handling [ticket#46]
Thorsten Kukuk [Mon, 4 Apr 2016 09:33:11 +0000 (11:33 +0200)]
build: use $host_cpu for lib64 directory handling [ticket#46]

* configure.ac: use $host_cpu for lib64 directory handling.

Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
8 years agoFix whitespace issues
Dmitry V. Levin [Fri, 1 Apr 2016 17:07:44 +0000 (17:07 +0000)]
Fix whitespace issues

Remove blank lines at EOF introduced by commit
a684595c0bbd88df71285f43fb27630e3829121e,
making the project free of warnings reported by
git diff --check 4b825dc642cb6eb9a060e54bf8d69288fbee4904 HEAD

* libpam/pam_dynamic.c: Remove blank line at EOF.
* modules/pam_echo/pam_echo.c: Likewise.
* modules/pam_keyinit/pam_keyinit.c: Likewise.
* modules/pam_mkhomedir/pam_mkhomedir.c: Likewise.
* modules/pam_pwhistory/pam_pwhistory.c: Likewise.
* modules/pam_rhosts/pam_rhosts.c: Likewise.
* modules/pam_sepermit/pam_sepermit.c: Likewise.
* modules/pam_stress/pam_stress.c: Likewise.

8 years agoUse TI-RPC functions if we compile and link against libtirpc.
Thorsten Kukuk [Fri, 1 Apr 2016 13:28:09 +0000 (15:28 +0200)]
Use TI-RPC functions if we compile and link against libtirpc.
The old SunRPC functions don't work with IPv6.

* configure.ac: Set and restore CPPFLAGS
* modules/pam_unix/pam_unix_passwd.c: Replace getrpcport with
  rpcb_getaddr if available.

8 years agoPAM_EXTERN isn't needed anymore, but don't remove it to not break lot of
Thorsten Kukuk [Tue, 29 Mar 2016 12:17:34 +0000 (14:17 +0200)]
PAM_EXTERN isn't needed anymore, but don't remove it to not break lot of
external code using it.

* libpam/include/security/pam_modules.h: Readd PAM_EXTERN for compatibility

8 years agoRemove "--enable-static-modules" option and support from
Thorsten Kukuk [Tue, 29 Mar 2016 12:14:03 +0000 (14:14 +0200)]
Remove "--enable-static-modules" option and support from
 Linux-PAM. It was never official supported and was broken since years.

* configure.ac: Remove --enable-static-modules option.
* doc/man/pam_sm_acct_mgmt.3.xml: Remove PAM_EXTERN.
* doc/man/pam_sm_authenticate.3.xml: Likewise.
* doc/man/pam_sm_chauthtok.3.xml: Likewise.
* doc/man/pam_sm_close_session.3.xml: Likewise.
* doc/man/pam_sm_open_session.3.xml: Likewise.
* doc/man/pam_sm_setcred.3.xml: Likewise.
* libpam/Makefile.am: Remove STATIC_MODULES cases.
* libpam/include/security/pam_modules.h: Remove PAM_STATIC parts.
* libpam/pam_dynamic.c: Likewise.
* libpam/pam_handlers.c: Likewise.
* libpam/pam_private.h: Likewise.
* libpam/pam_static.c: Remove file.
* libpam/pam_static_modules.h: Remove header file.
* modules/pam_access/pam_access.c: Remove PAM_EXTERN and PAM_STATIC parts.
* modules/pam_cracklib/pam_cracklib.c: Likewise.
* modules/pam_debug/pam_debug.c: Likewise.
* modules/pam_deny/pam_deny.c: Likewise.
* modules/pam_echo/pam_echo.c: Likewise.
* modules/pam_env/pam_env.c: Likewise.
* modules/pam_exec/pam_exec.c: Likewise.
* modules/pam_faildelay/pam_faildelay.c: Likewise.
* modules/pam_filter/pam_filter.c: Likewise.
* modules/pam_ftp/pam_ftp.c: Likewise.
* modules/pam_group/pam_group.c: Likewise.
* modules/pam_issue/pam_issue.c: Likewise.
* modules/pam_keyinit/pam_keyinit.c: Likewise.
* modules/pam_lastlog/pam_lastlog.c: Likewise.
* modules/pam_limits/pam_limits.c: Likewise.
* modules/pam_listfile/pam_listfile.c: Likewise.
* modules/pam_localuser/pam_localuser.c: Likewise.
* modules/pam_loginuid/pam_loginuid.c: Likewise.
* modules/pam_mail/pam_mail.c: Likewise.
* modules/pam_mkhomedir/pam_mkhomedir.c: Likewise.
* modules/pam_motd/pam_motd.c: Likewise.
* modules/pam_namespace/pam_namespace.c: Likewise.
* modules/pam_nologin/pam_nologin.c: Likewise.
* modules/pam_permit/pam_permit.c: Likewise.
* modules/pam_pwhistory/pam_pwhistory.c: Likewise.
* modules/pam_rhosts/pam_rhosts.c: Likewise.
* modules/pam_rootok/pam_rootok.c: Likewise.
* modules/pam_securetty/pam_securetty.c: Likewise.
* modules/pam_selinux/pam_selinux.c: Likewise.
* modules/pam_sepermit/pam_sepermit.c: Likewise.
* modules/pam_shells/pam_shells.c: Likewise.
* modules/pam_stress/pam_stress.c: Likewise.
* modules/pam_succeed_if/pam_succeed_if.c: Likewise.
* modules/pam_tally/pam_tally.c: Likewise.
* modules/pam_tally2/pam_tally2.c: Likewise.
* modules/pam_time/pam_time.c: Likewise.
* modules/pam_timestamp/pam_timestamp.c: Likewise.
* modules/pam_tty_audit/pam_tty_audit.c: Likewise.
* modules/pam_umask/pam_umask.c: Likewise.
* modules/pam_userdb/pam_userdb.c: Likewise.
* modules/pam_warn/pam_warn.c: Likewise.
* modules/pam_wheel/pam_wheel.c: Likewise.
* modules/pam_xauth/pam_xauth.c: Likewise.
* modules/pam_unix/Makefile.am: Remove STATIC_MODULES part.
* modules/pam_unix/pam_unix_acct.c: Remove PAM_STATIC part.
* modules/pam_unix/pam_unix_auth.c: Likewise.
* modules/pam_unix/pam_unix_passwd.c: Likewise.
* modules/pam_unix/pam_unix_sess.c: Likewise.
* modules/pam_unix/pam_unix_static.c: Removed.
* modules/pam_unix/pam_unix_static.h: Removed.
* po/POTFILES.in: Remove removed files.
* tests/tst-dlopen.c: Remove PAM_STATIC part.

8 years agoFix check for libtirpc and enhance check for libnsl to include
Thorsten Kukuk [Thu, 24 Mar 2016 11:46:29 +0000 (12:46 +0100)]
Fix check for libtirpc and enhance check for libnsl to include
new libnsl.

* configure.ac: fix setting of CFLAGS/LIBS, enhance libnsl check
* modules/pam_unix/Makefile.am: replace NIS_* with TIRPC_* and NSL_*

8 years agoRemove YP dependencies from pam_access, they were never used
Thorsten Kukuk [Wed, 23 Mar 2016 10:16:55 +0000 (11:16 +0100)]
Remove YP dependencies from pam_access, they were never used
and such not needed.

* modules/pam_access/Makefile.am: Remove NIS_CFLAGS and NIS_LIBS
* modules/pam_access/pam_access.c: Remove yp_get_default_domain case,
  it will never be used.

8 years agoAdd checks for localtime() returning NULL.
Tomas Mraz [Fri, 4 Mar 2016 13:19:01 +0000 (14:19 +0100)]
Add checks for localtime() returning NULL.

* modules/pam_lastlog/pam_lastlog.c (last_login_read): Check for localtime_r
returning NULL.
* modules/pam_tally2/pam_tally2.c (print_one): Check for localtime returning
NULL.