[linux-pam] #4: [PATCH] po/ja.po: Fix some wrong translations and so on
by fedora-badges
#4: [PATCH] po/ja.po: Fix some wrong translations and so on
--------------------+-------------------------------------------------------
Reporter: fumiyas | Owner: pam-developers(a)lists.fedorahosted.org
Type: defect | Status: new
Priority: major | Component: library
Version: 1.1.x | Keywords: l10n
--------------------+-------------------------------------------------------
I've updated po/ja.po to fix some wrong translations and so on.
Please see and commit the attached patch to master repository if you feel
good.
Should I contact the original translator (Kiyoto Hashida
<khashida(a)redhat.com>) to check and confirm this patch?
--
Ticket URL: <https://fedorahosted.org/linux-pam/ticket/4>
linux-pam <http://fedorahosted.org/linux-pam>
The Linux-PAM (Pluggable Authentication Modules) project
8 years, 11 months
[linux-pam] #5: multiple pam_namespace unmount problems
by fedora-badges
#5: multiple pam_namespace unmount problems
-----------------------------+------------------------------
Reporter: andersblomdell | Owner: pam-developers@…
Type: defect | Status: new
Priority: major | Component: library
Version: 1.1.x | Keywords:
Blocked By: | Blocking:
-----------------------------+------------------------------
This is essentially a short version of the bug in:
http://bugzilla.redhat.com/show_bug.cgi?id=755216
Essentially pam_namespace (1.1.5) suffers the following problems:
1. The (bind) mounts done in the new namespace are visible in the
original namespace (Error "too many levels of symbolic links").
2. At pam_namespace exit, the original mounting is restored for any
remaining child processes (daemons), which is a security problem.
Patch is attached
--
Ticket URL: <https://fedorahosted.org/linux-pam/ticket/5>
10 years, 3 months
[linux-pam] #8: [PATCH] pam_exec: Support showing stdout via pam_info, and only running for a specified module type
by fedora-badges
#8: [PATCH] pam_exec: Support showing stdout via pam_info, and only running for
a specified module type
---------------------------+------------------------------
Reporter: joshtriplett | Owner: pam-developers@…
Type: enhancement | Status: new
Priority: major | Component: modules
Version: | Keywords: patch
Blocked By: | Blocking:
---------------------------+------------------------------
The attached patches implement two new options for the pam_exec module.
Patch 1 adds a "stdout" option, which shows the stdout (and stderr) of
the executed command via pam_info. For instance, adding the following
line to /etc/pam.d/login right before the line for pam_motd:
{{{
session optional pam_exec.so stdout /usr/bin/seq 5
}}}
will print five lines (numbered 1-5) at the start and end of the
session. In order to implement this option without breaking the
existing support for the expose_authtok option, I had to
reorganize the file descriptor handling to move the loop that closes all
unwanted file descriptors below all the code that sets up stdin/stdout/stderr,
and add some new code before that setup to ensure that none of the pipes
ended up on stdin/stdout/stderr where they might get closed by dup2.
Patch 2 adds a "type" option, which causes pam_exec to only execute the
command when the PAM module type matches the given type. In particular,
this makes it possible to run only at the start or end of a session,
without having to write a separate wrapper script to check the PAM_TYPE
environment variable. For example, adding the following to
/etc/pam.d/login right before the line for pam_motd:
{{{
session optional pam_exec.so type=open_session /bin/sleep 5
}}}
will sleep for 5 seconds at login time, but not at logout time,
demonstrating that the option works.
Together, these options make it possible to show dynamically generated
output at the start of a PAM session. For example, the following
pam_exec invocation produces the same output as the current dynamically
generated first line of the Debian motd:
{{{
session optional pam_exec.so type=open_session stdout /bin/uname -snrvm
}}}
(As an aside, I attempted to submit these patches to
pam-developers(a)lists.fedorahosted.org, but I couldn't seem to subscribe to
that list (no response to my subscription confirmation), and thus my mail
got moderated. Does pam-developers moderate subscriptions?)
--
Ticket URL: <https://fedorahosted.org/linux-pam/ticket/8>
10 years, 7 months
[linux-pam] #6: Password history (pam_unix) only available on MD5
by fedora-badges
#6: Password history (pam_unix) only available on MD5
-------------------------+-------------------------------------------------
Reporter: alarrere | Owner: pam-developers@…
Type: security | Status: new
Priority: critical | Component: modules
Version: 1.1.x | Keywords: pam_unix password history remember md5 sha512
Blocked By: | Blocking:
-------------------------+-------------------------------------------------
The management of password history is a function of the PAM module
'pam_unix.so'.
SHA 256 and 512 are now supported.
Unfortunately, the pam_unix.so module only supports MD5 for password
history (file /etc/security/opasswd).
This lack results in passwords being stored in 2 different cryptographic
modes, which implies a loss of security level.
After reading the source code of the pam_unix module, I can confirm the lack
of pam_unix cryptographic mode configuration consultation in 2 specific
files:
- passwdverify.c => save_old_password() function
- pam_unix_passwd.c => check_old_password() function
The observed side effect is that, with a 'sha512' configuration on pam_unix in
the configuration files of directory /etc/pam.d, we have the
password stored in /etc/shadow as SHA512 (starting with $6$) and the history
passwords stored in /etc/security/opasswd as MD5 (starting with $1$).
--
Ticket URL: <https://fedorahosted.org/linux-pam/ticket/6>
11 years, 8 months
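An audit check for the mismatch reported in ticket #6, added here as an example and not taken from Linux-PAM or from the ticket: it counts the history hashes in an opasswd line whose crypt(3) scheme prefix differs from the one in the same user's shadow line. The function names, the assumed opasswd layout (user:uid:count:hash1,hash2,...) and the sample lines are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Length of the "$id$" scheme prefix of a crypt(3) string, or 0 if it has none. */
static size_t scheme_len(const char *h)
{
    size_t n = (h[0] == '$') ? strcspn(h + 1, "$,:\n") : 0;
    return (n && h[n + 1] == '$') ? n + 2 : 0;
}

/* Pointer to the n-th (0-based) ':'-separated field of line, or NULL. */
static const char *field(const char *line, int n)
{
    for (; line && n > 0; n--) {
        line = strchr(line, ':');
        if (line) line++;
    }
    return line;
}

/* Count the history hashes in an opasswd line whose scheme prefix differs from
 * the hash in the same user's shadow line. Assumed opasswd layout:
 * "user:uid:count:hash1,hash2,...". Returns -1 on malformed or mismatched lines. */
static int history_scheme_mismatches(const char *shadow, const char *opasswd)
{
    size_t ulen = strcspn(shadow, ":");
    const char *cur = field(shadow, 1), *old = field(opasswd, 3);
    if (!cur || !old || strcspn(opasswd, ":") != ulen || strncmp(shadow, opasswd, ulen) != 0)
        return -1;
    size_t cur_len = scheme_len(cur);
    int mismatches = 0;
    while (*old && *old != '\n') {
        size_t n = strcspn(old, ",\n");
        if (n && (scheme_len(old) != cur_len || strncmp(old, cur, cur_len) != 0))
            mismatches++;
        old += n + (old[n] == ',');
    }
    return mismatches;
}

int main(void)
{
    /* Constructed sample lines; salts and digests are placeholders. */
    const char *shadow = "alice:$6$EXAMPLESALT$EXAMPLEDIGEST:19000:0:99999:7:::";
    const char *opasswd = "alice:1000:2:$1$EXAMPLE1$OLDDIGEST1,$1$EXAMPLE2$OLDDIGEST2";
    printf("alice: %d history hash(es) not in the /etc/shadow scheme\n",
           history_scheme_mismatches(shadow, opasswd));
    return 0;
}
```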
Add new checks to pam_cracklib and drop unused difignore option
by Tomas Mraz
The attached patch adds checks for maximum number of consecutive
characters of the same class and checks for words from the GECOS field
of passwd entry. It also drops the obsolete and unused difignore option
and updates the documentation accordingly. The option is still
recognized for backwards compatibility, just ignored.
OK to commit?
--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
Turkish proverb
11 years, 12 months
Skip the inactive account lock out for root
by Tomas Mraz
The simple attached patch skips the inactive account lock out for root
in pam_lastlog. OK to commit?
--
Tomas Mraz
11 years, 12 months
Symmetric open/close call
by Jan Engelhardt
Hi,
it has been revealed that sudo calls pam in a rather strange way. In
particular, it calls pam_open_session in one process, and
pam_close_session in another process, which can and does totally confuse
modules that assume that pam calls are symmetric and/or modules that
store data (pam_set_data).
The PAM Application Writer's manual leaves no word about whether
programs must properly nest open_session with close_session, or whether
modules must anticipate spurious calls to close_session without a
preceding open_session.
Some clarification would be welcome.
11 years, 12 months
[PATCH] pam_exec: Support showing stdout via pam_info, and only running for a specified module type
by Josh Triplett
The attached patches implement two new options for the pam_exec module.
Patch 1 adds a "stdout" option, which shows the stdout (and stderr) of
the executed command via pam_info. For instance, adding the following
line to /etc/pam.d/login right before the line for pam_motd:
    session optional pam_exec.so stdout /usr/bin/seq 5
will print five lines (numbered 1-5) at the start and end of the
session. In order to implement this option without breaking the
existing support for the expose_authtok option, I had to
reorganize the file descriptor handling to move the loop that closes all unwanted
file descriptors below all the code that sets up stdin/stdout/stderr,
and add some new code before that setup to ensure that none of the pipes
ended up on stdin/stdout/stderr where they might get closed by dup2.
Patch 2 adds a "type" option, which causes pam_exec to only execute the
command when the PAM module type matches the given type. In particular,
this makes it possible to run only at the start or end of a session,
without having to write a separate wrapper script to check the PAM_TYPE
environment variable. For example, adding the following to
/etc/pam.d/login right before the line for pam_motd:
    session optional pam_exec.so type=open_session /bin/sleep 5
will sleep for 5 seconds at login time, but not at logout time,
demonstrating that the option works.
Together, these options make it possible to show dynamically generated
output at the start of a PAM session. For example, the following
pam_exec invocation produces the same output as the current dynamically
generated first line of the Debian motd:
    session optional pam_exec.so type=open_session stdout /bin/uname -snrvm
- Josh Triplett
12 years
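The descriptor ordering described in the pam_exec messages above (ticket #8 and the list posting), written out as an added example that is not the attached patch or pam_exec's own code: both pipes are moved off 0/1/2 first, stdio is wired up second, and the close loop runs last. The helper names off_stdio and run_filter, the fixed close bound of 1024 and the /bin/sh test command are assumptions for illustration.

```c
#include <fcntl.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Move fd off 0/1/2 so that a later dup2() onto stdio cannot silently close it. */
static int off_stdio(int fd)
{
    if (fd < 0 || fd > STDERR_FILENO) return fd;
    int moved = fcntl(fd, F_DUPFD, STDERR_FILENO + 1);
    close(fd);
    return moved;
}

/* Hypothetical helper: feed `input` to argv's stdin and capture its stdout and
 * stderr into buf (len >= 1). Returns the bytes captured, or -1 on failure. */
static ssize_t run_filter(char *const argv[], const char *input, char *buf, size_t len)
{
    int in[2], out[2];
    if (pipe(in) != 0 || pipe(out) != 0) return -1;
    for (int i = 0; i < 2; i++)              /* 1: get every pipe end off stdio */
        if ((in[i] = off_stdio(in[i])) < 0 || (out[i] = off_stdio(out[i])) < 0)
            return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                          /* 2: wire up stdin/stdout/stderr */
        if (dup2(in[0], 0) < 0 || dup2(out[1], 1) < 0 || dup2(out[1], 2) < 0)
            _exit(126);
        for (int fd = 3; fd < 1024; fd++)    /* 3: only now close the rest */
            close(fd);                       /*    (bound fixed for the example) */
        execv(argv[0], argv);
        _exit(127);
    }
    close(in[0]); close(out[1]);
    ssize_t total = 0, n = write(in[1], input, strlen(input));
    close(in[1]);
    while (n >= 0 && (size_t)total < len - 1 &&
           (n = read(out[0], buf + total, len - 1 - total)) > 0)
        total += n;
    buf[total] = '\0';
    close(out[0]);
    waitpid(pid, NULL, 0);
    return n < 0 ? -1 : total;
}

int main(void)
{
    char buf[64], *argv[] = { "/bin/sh", "-c", "read x; echo got:$x", NULL };
    return run_filter(argv, "token\n", buf, sizeof buf) > 0 && write(1, buf, strlen(buf)) > 0 ? 0 : 1;
}
```

A caller that may run commands which exit without reading stdin should also ignore SIGPIPE around the write.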
Add user lock out based on days since last login
by Tomas Mraz
The attached patch adds auth and account types to the pam_lastlog
module. The module will then provide the possibility to lock out users that
did not log in (based on the lastlog file contents) recently enough.
This is a preliminary patch - if you are OK with the approach, I'll add
a patch for the module manual page that documents this new functionality.
Any comments?
--
Tomas Mraz
12 years