[linux-pam] #4: [PATCH] po/ja.po: Fix some wrong translations and so on
by fedora-badges
#4: [PATCH] po/ja.po: Fix some wrong translations and so on
--------------------+-------------------------------------------------------
Reporter: fumiyas | Owner: pam-developers(a)lists.fedorahosted.org
Type: defect | Status: new
Priority: major | Component: library
Version: 1.1.x | Keywords: l10n
--------------------+-------------------------------------------------------
I've updated po/ja.po to fix some wrong translations and so on.
Please see and commit the attached patch to master repository if you feel
good.
Should I contact the original translator (Kiyoto Hashida
<khashida(a)redhat.com>) to check and confirm this patch?
--
Ticket URL: <https://fedorahosted.org/linux-pam/ticket/4>
linux-pam <http://fedorahosted.org/linux-pam>
The Linux-PAM (Pluggable Authentication Modules) project
8 years, 11 months
[linux-pam] #9: Allow pam_lastlog to write to utmp as an option
by fedora-badges
#9: Allow pam_lastlog to write to utmp as an option
-------------------------+-------------------------------------------------
Reporter: shadowkyogre | Owner: pam-developers@…
Type: enhancement | Status: new
Priority: major | Component: modules
Version: 1.1.x | Keywords: pam_lastlog utmp update patch prototype
Blocked By: | Blocking:
-------------------------+-------------------------------------------------
The following patch for pam_lastlog allows it to write to utmp as well as
wtmp. Part of the code is from xorg-sessreg to help make a utmp entry. I
only tested this on my desktop, which is running Arch Linux, so some
modifications may need to be made in order to make it more portable.
--
Ticket URL: <https://fedorahosted.org/linux-pam/ticket/9>
9 years, 1 month
[linux-pam] #5: multiple pam_namespace unmount problems
by fedora-badges
#5: multiple pam_namespace unmount problems
-----------------------------+------------------------------
Reporter: andersblomdell | Owner: pam-developers@…
Type: defect | Status: new
Priority: major | Component: library
Version: 1.1.x | Keywords:
Blocked By: | Blocking:
-----------------------------+------------------------------
This is essentially a short version of the bug in:
http://bugzilla.redhat.com/show_bug.cgi?id=755216
Essentially pam_namespace (1.1.5) suffers the following problems:
1. The (bind) mounts done in the new namespace are visible in the
original namespace (Error "too many levels of symbolic links").
2. At pam_namespace exit, the original mounting is restored for any
remaining child processes (daemons), which is a security problem.
Patch is attached
--
Ticket URL: <https://fedorahosted.org/linux-pam/ticket/5>
10 years, 3 months
[linux-pam] #8: [PATCH] pam_exec: Support showing stdout via pam_info, and only running for a specified module type
by fedora-badges
#8: [PATCH] pam_exec: Support showing stdout via pam_info, and only running for
a specified module type
---------------------------+------------------------------
Reporter: joshtriplett | Owner: pam-developers@…
Type: enhancement | Status: new
Priority: major | Component: modules
Version: | Keywords: patch
Blocked By: | Blocking:
---------------------------+------------------------------
The attached patches implement two new options for the pam_exec module.
Patch 1 adds a "stdout" option, which shows the stdout (and stderr) of
the executed command via pam_info. For instance, adding the following
line to /etc/pam.d/login right before the line for pam_motd:
{{{
session optional pam_exec.so stdout /usr/bin/seq 5
}}}
will print five lines (numbered 1-5) at the start and end of the
session. In order to implement this option without breaking the
existing support for the expose_authtok option, I had to reorganize the
file descriptor handling to move the loop that closes all unwanted file
descriptors below all the code that sets up stdin/stdout/stderr,
and add some new code before that setup to ensure that none of the pipes
ended up on stdin/stdout/stderr where they might get closed by dup2.
Patch 2 adds a "type" option, which causes pam_exec to only execute the
command when the PAM module type matches the given type. In particular,
this makes it possible to run only at the start or end of a session,
without having to write a separate wrapper script to check the PAM_TYPE
environment variable. For example, adding the following to
/etc/pam.d/login right before the line for pam_motd:
{{{
session optional pam_exec.so type=open_session /bin/sleep 5
}}}
will sleep for 5 seconds at login time, but not at logout time,
demonstrating that the option works.
Together, these options make it possible to show dynamically generated
output at the start of a PAM session. For example, the following
pam_exec invocation produces the same output as the current dynamically
generated first line of the Debian motd:
{{{
session optional pam_exec.so type=open_session stdout /bin/uname -snrvm
}}}
(As an aside, I attempted to submit these patches to
pam-developers(a)lists.fedorahosted.org, but I couldn't seem to subscribe to
that list (no response to my subscription confirmation), and thus my mail
got moderated. Does pam-developers moderate subscriptions?)
--
Ticket URL: <https://fedorahosted.org/linux-pam/ticket/8>
10 years, 7 months
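The descriptor ordering described in ticket #8, as an added C example (not the attached patch and not pam_exec source; the helper names are hypothetical). If the caller has closed 0, 1 or 2, `pipe()` can return one of those numbers and a later `dup2()` onto stdout/stderr would silently close the pipe, so the pipe ends are first moved to 3 or above, and the close-everything loop runs only after stdio is wired up.

```c
#include <fcntl.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper (not pam_exec's own): keep fd if above stderr, else dup to >= 3. */
static int lift_above_stdio(int fd)
{
    if (fd > STDERR_FILENO)
        return fd;
    int newfd = fcntl(fd, F_DUPFD, STDERR_FILENO + 1);
    close(fd);                      /* free the low slot even if the dup failed */
    return newfd;
}

/* pipe() whose ends never sit on 0, 1 or 2, even when those slots are free. */
static int safe_pipe(int fds[2])
{
    if (pipe(fds) != 0)
        return -1;
    fds[0] = lift_above_stdio(fds[0]);
    fds[1] = lift_above_stdio(fds[1]);
    if (fds[0] >= 0 && fds[1] >= 0)
        return 0;
    close(fds[0]), close(fds[1]);   /* close(-1) just fails with EBADF */
    return -1;
}

/* Run a child whose stdout and stderr feed the pipe; return bytes captured. */
static ssize_t capture_child_output(char *buf, size_t len)
{
    int p[2];
    if (safe_pipe(p) != 0)
        return -1;
    pid_t pid = fork();
    if (pid == 0) {
        /* Wire up stdout/stderr first ... */
        if (dup2(p[1], STDOUT_FILENO) < 0 || dup2(p[1], STDERR_FILENO) < 0)
            _exit(1);
        /* ... and only then close the rest (capped at 1024 for this demo). */
        for (int fd = STDERR_FILENO + 1; fd < 1024; fd++)
            close(fd);
        _exit(write(STDOUT_FILENO, "1\n2\n", 4) == 4 ? 0 : 1);
    }
    close(p[1]);
    ssize_t n = pid > 0 ? read(p[0], buf, len) : -1;
    close(p[0]);
    if (pid > 0)
        waitpid(pid, NULL, 0);
    return n;
}
```

Calling `safe_pipe()` in a process that has closed stdin shows the difference: a plain `pipe()` would hand back descriptor 0 there, while both ends returned here are 3 or higher.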
Re: [Pam-developers] [linux-pam] release version 1.1.6
by Thorsten Kukuk
On Fri, Aug 17, kukuk wrote:
> commit d4931cce402b5957189ccd34fb283b1e8db47901
> Author: Thorsten Kukuk <kukuk(a)orinoco.thkukuk.de>
> Date: Fri Aug 17 11:48:15 2012 +0200
>
> release version 1.1.6
Ok, Linux-1.1.6 is released, www.linux-pam.org is updated.
Thorsten
--
Thorsten Kukuk, Project Manager/Release Manager SLES
SUSE LINUX Products GmbH, Maxfeldstr. 5, D-90409 Nuernberg
GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg)
11 years, 6 months
[PATCH]: fix build error on recent glibc (pam_unix module)
by Guido Trentalancia
Fix build error: include <sys/resource.h> for the pam_unix module.
Signed-off-by: Guido Trentalancia <guido(a)trentalancia.com>
---
modules/pam_unix/pam_unix_passwd.c | 1 +
1 file changed, 1 insertion(+)
--- Linux-PAM-1.1.6-orig/modules/pam_unix/pam_unix_passwd.c 2012-08-15
13:08:43.000000000 +0200
+++ Linux-PAM-1.1.6/modules/pam_unix/pam_unix_passwd.c 2012-08-24
21:05:35.438881865 +0200
@@ -58,6 +58,7 @@
#include <signal.h>
#include <errno.h>
#include <sys/wait.h>
+#include <sys/resource.h>
#include <security/_pam_macros.h>
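Review bot: the new `#include <sys/resource.h>` after `<sys/wait.h>` comes with a commit message that says only "Fix build error"; it names neither the declaration that failed to resolve nor the glibc version on which the build broke. Please put the compiler error and the missing symbol in the message, so a reader can tell why pam_unix_passwd.c needs this header directly and can check whether other pam_unix sources that use the same symbol need it too.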
11 years, 8 months
Caps-Lock tolerance.
by Rob Meijer
Primarily for personal use I wrote a little patch to the pam_unix module
so that my Ubuntu desktop system would accept my password even if I
accidentally have my caps-lock key pressed.
https://github.com/pibara/pam_unix
Basically I added a function verify_pwd_hash_caps_ignore to
passverify.c and passverify.h and changed all invocations of
verify_pwd_hash to invocations of verify_pwd_hash_caps_ignore.
https://github.com/pibara/pam_unix/blob/master/passverify.c Line 138..167,1031
https://github.com/pibara/pam_unix/blob/master/support.c Line 645
It's likely not a patch that would be ready for general use, but I feel
that the concept of having caps-lock insensitivity in password
authentication is something that greatly enhances the usability at the
price of just a single bit of password security, and thus is something
that might be very much useful as a general setting for PAM
authentication modules.
Hope someone on this list finds this simple patch useful enough to
expand on it and maybe integrate it into the code-base.
Rob
11 years, 8 months
pam_namespace and MS_SLAVE
by Thorsten Kukuk
Hi,
trying currently to prepare a new Linux-PAM release and found
the following problem:
pam_namespace.c: In function 'setup_namespace':
pam_namespace.c:1712: error: 'MS_SLAVE' undeclared (first use in this function)
MS_SLAVE exists only in linux/fs.h on my system, but that's not
included. It looks like to me something has changed in glibc that
this header isn't included anymore in glibc 2.11.x, but the defines are
still missing there in sys/mount.h.
Any ideas how to work around/fix this in the configure script?
Thorsten
--
Thorsten Kukuk, Project Manager/Release Manager SLES
SUSE LINUX Products GmbH, Maxfeldstr. 5, D-90409 Nuernberg
GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg)
11 years, 8 months
[linux-pam] #10: The maxlogins limit doesn't work
by fedora-badges
#10: The maxlogins limit doesn't work
-----------------------+------------------------------
Reporter: wmknapik | Owner: pam-developers@…
Type: defect | Status: new
Priority: major | Component: library
Version: 1.1.x | Keywords: maxlogins
Blocked By: | Blocking:
-----------------------+------------------------------
{{{
# We limit the max number of logins for user "user" to 1 on machine1.
# The machine has since been rebooted.
machine1 $ grep '^user.*maxlogins' /etc/security/limits.conf
user soft maxlogins 1
user hard maxlogins 1
machine1 $
# On machine2 we have a simple test written as a makefile.
machine2 $ cat test.mk
MAKEFLAGS += -j
tests := test1 test2
all: $(tests)
$(tests):
	ssh -f -q -t -t -i key -p 22210 -o 'StrictHostKeyChecking no' user@machine1 "sleep 1d; echo $@"
machine2 $
# We run the makefile in parallel (-j set in the makefile).
machine2 $ make -f test.mk
machine2 $
# Two processes managed to log in to machine1 despite the limit.
machine2 $ pgrep -lf 'ssh.*test[12]$'
28871 ssh -f -q -t -t -i key -p 22210 -o StrictHostKeyChecking no user@machine1 sleep 1d; echo test2
28872 ssh -f -q -t -t -i key -p 22210 -o StrictHostKeyChecking no user@machine1 sleep 1d; echo test1
machine2 $
# Let's log into machine1 as root and see if there are actually two
# sessions open for user "user".
machine2 $ ssh -i key -p 22210 -o "StrictHostKeyChecking no" root@machine1
machine1 $ w
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
k3 pts/0 10.159.69.154 13:14 3:34 0.00s 0.00s bash -c sleep 1d; echo test1
k3 pts/1 10.159.69.154 13:14 3:34 0.00s 0.00s bash -c sleep 1d; echo test2
root pts/2 10.159.69.154 13:17 0.00s 0.03s 0.00s w
machine1 $
# This test works as described above in at least one in 5 tries.
# Sometimes the limits do work and the second ssh process is not let in.
}}}
--
Ticket URL: <https://fedorahosted.org/linux-pam/ticket/10>
11 years, 8 months