Remove options not supported by faillock, Drop sha512 option to pam_u…

…nix, Fix pam_faillock support, Pass option user_readenv=1 to pam_env at end of session in system-login git-svn-id: file:///srv/repos/svn-packages/svn@393562 eb2447ed-0c53-47e4-bac8-5bc4a241df78
archlinux · Aug 12, 2020 · 2d5af94 · 2d5af94
1 parent 001648d
commit 2d5af94
Show file tree

Hide file tree

Showing 3 changed files with 25 additions and 17 deletions.
diff --git a/trunk/PKGBUILD b/trunk/PKGBUILD
@@ -2,7 +2,7 @@
 
 pkgname=pambase
 pkgver=20200721.1
-pkgrel=1
+pkgrel=2
 pkgdesc="Base PAM configuration for services"
 arch=('any')
 url="https://www.archlinux.org"
@@ -19,9 +19,9 @@ backup=('etc/pam.d/system-auth'
         'etc/pam.d/system-remote-login'
         'etc/pam.d/system-services'
         'etc/pam.d/other')
-sha256sums=('3eb67872e436817ec97c4f3795adba2cf1d3829ea4e107ef5747569e4eeb5746'
+sha256sums=('89d62406b2d623a76d53c33aca98ce8ee124ed4a450ff6c8a44cfccca78baa2f'
             '005736b9bd650ff5e5d82a7e288853776d5bb8c90185d5774c07231c1e1c64a9'
-            '7ed354fca93af277cb139a7b98be985d573c6a5e5585528b0e76b9a401e59749'
+            '2ed270c2789526336cc6479e63f6263b5c6f41cfc829a17a449a38621b6bf020'
             '005736b9bd650ff5e5d82a7e288853776d5bb8c90185d5774c07231c1e1c64a9'
             '6eb1acdd3fa9f71a7f93fbd529be57ea65bcafc6e3a98a06af4d88013fc6a567'
             'd5ed59ec2157c19c87964a162f7ca84d53c19fb2bd68d3fbc1671ba8d906346f')

diff --git a/trunk/system-auth b/trunk/system-auth
@@ -1,16 +1,26 @@
 #%PAM-1.0
 
-auth      required  pam_unix.so     try_first_pass nullok
+auth       required                    pam_faillock.so      preauth
-auth      optional  pam_permit.so
+# Optionally use requisite above if you do not want to prompt for the password
-auth      required  pam_env.so
+# on locked accounts.
+auth       [success=2 default=ignore]  pam_unix.so          try_first_pass nullok
+-auth      [success=1 default=ignore]  pam_systemd_home.so
+auth       [default=die]               pam_faillock.so      authfail
+auth       optional                    pam_permit.so
+auth       required                    pam_env.so
+auth       required                    pam_faillock.so      authsucc
+# If you drop the above call to pam_faillock.so the lock will be done also
+# on non-consecutive authentication failures.
 
-account   required  pam_unix.so
+-account   [success=1 default=ignore]  pam_systemd_home.so
-account   optional  pam_permit.so
+account    required                    pam_unix.so
-account   required  pam_time.so
+account    optional                    pam_permit.so
+account    required                    pam_time.so
 
-password  required  pam_unix.so     try_first_pass nullok sha512 shadow
+-password  [success=1 default=ignore]  pam_systemd_home.so
-password  optional  pam_permit.so
+password   required                    pam_unix.so          try_first_pass nullok shadow
+password   optional                    pam_permit.so
 
-session   required  pam_limits.so
+session    required                    pam_limits.so
-session   required  pam_unix.so
+session    required                    pam_unix.so
-session   optional  pam_permit.so
+session    optional                    pam_permit.so
diff --git a/trunk/system-login b/trunk/system-login
@@ -1,11 +1,9 @@
 #%PAM-1.0
 
-auth       required   pam_faillock.so        onerr=succeed file=/var/log/tallylog
 auth       required   pam_shells.so
 auth       requisite  pam_nologin.so
 auth       include    system-auth
 
-account    required   pam_faillock.so 
 account    required   pam_access.so
 account    required   pam_nologin.so
 account    include    system-auth
@@ -18,4 +16,4 @@ session    include    system-auth
 session    optional   pam_motd.so          motd=/etc/motd
 session    optional   pam_mail.so          dir=/var/spool/mail standard quiet
 -session   optional   pam_systemd.so
-session    required   pam_env.so
+session    required   pam_env.so           user_readenv=1