-rw-r--r--sys-auth/pambase/Manifest1
-rw-r--r--sys-auth/pambase/files/pambase-20120417-drop-motd-for-now.patch12
-rw-r--r--sys-auth/pambase/files/pambase-20120417-lastlog-silent.patch20
-rw-r--r--sys-auth/pambase/files/pambase-20120417-systemd-2.patch29
-rw-r--r--sys-auth/pambase/metadata.xml84
-rw-r--r--sys-auth/pambase/pambase-20120417-r5.ebuild106
6 files changed, 252 insertions, 0 deletions
diff --git a/sys-auth/pambase/Manifest b/sys-auth/pambase/Manifest
new file mode 100644
index 00000000..04effc7e
--- /dev/null
+++ b/sys-auth/pambase/Manifest
@@ -0,0 +1 @@
+DIST pambase-20120417.tar.bz2 3361 SHA256 3fde3ff7714b3722b45545da36fdde6ca95a55d1b0a8cfb23666ec0de3ec5871 SHA512 7a666eb67f6484e536ecb070402036bcfdd137aced27df3f08b136d06eee5c13a6dc14aa93ea09e94c7f31e5a98db97dbaccd0c46af24b57028247de3a7cd9fe WHIRLPOOL 323edb9ef488a0ba562ef279d4acfb682540bf87838be9a3319ad2029ba1465d015fdf94c3192e24517ae9f0ed264e38d17aba65934211bd7b39bf309ee12540
diff --git a/sys-auth/pambase/files/pambase-20120417-drop-motd-for-now.patch b/sys-auth/pambase/files/pambase-20120417-drop-motd-for-now.patch
new file mode 100644
index 00000000..3543c640
--- /dev/null
+++ b/sys-auth/pambase/files/pambase-20120417-drop-motd-for-now.patch
@@ -0,0 +1,12 @@
+--- pambase-20120417.orig/system-login.in
++++ pambase-20120417/system-login.in
+@@ -56,9 +56,6 @@ session optional pam_gnome_keyring.so a
+ #if HAVE_SELINUX
+ session required pam_selinux.so multiple open
+ #endif
+-#if HAVE_MOTD
+-session optional pam_motd.so motd=/etc/motd
+-#endif
+ #if HAVE_MAIL
+ session optional pam_mail.so
+ #endif
diff --git a/sys-auth/pambase/files/pambase-20120417-lastlog-silent.patch b/sys-auth/pambase/files/pambase-20120417-lastlog-silent.patch
new file mode 100644
index 00000000..79266a74
--- /dev/null
+++ b/sys-auth/pambase/files/pambase-20120417-lastlog-silent.patch
@@ -0,0 +1,20 @@
+--- pambase-20120417/login.in.orig 2012-11-21 14:31:49.031948988 +0100
++++ pambase-20120417/login.in 2012-11-21 14:32:41.172330601 +0100
+@@ -3,4 +3,6 @@
+
+ account include system-local-login
+ password include system-local-login
++
++session optional pam_lastlog.so DEBUG
+ session include system-local-login
+--- pambase-20120417/system-login.in.orig 2012-11-21 14:31:42.232160039 +0100
++++ pambase-20120417/system-login.in 2012-11-21 14:35:20.738025880 +0100
+@@ -41,7 +41,7 @@
+ session required pam_env.so DEBUG
+ #endif
+ #if HAVE_LASTLOG
+-session optional pam_lastlog.so DEBUG
++session optional pam_lastlog.so silent DEBUG
+ #endif
+ session include system-auth
+ #if HAVE_CONSOLEKIT
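Review bot: The `pam_lastlog.so` line added to `login.in` is not wrapped in the `#if HAVE_LASTLOG` guard that protects the same module in `system-login.in`, so a build that turns the guard off would still load the module for console logins. metadata.xml says the `minimal` flag is meant to drop pam_lastlog; assuming that flag drives `HAVE_LASTLOG`, the new line should read `#if HAVE_LASTLOG` / `session optional pam_lastlog.so DEBUG` / `#endif`. Because `login` then includes `system-local-login`, the module appears to run twice per console login (once verbose, once `silent`). A short header comment in the patch saying this is intentional would spare the next maintainer from "fixing" it.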
diff --git a/sys-auth/pambase/files/pambase-20120417-systemd-2.patch b/sys-auth/pambase/files/pambase-20120417-systemd-2.patch
new file mode 100644
index 00000000..047fb41c
--- /dev/null
+++ b/sys-auth/pambase/files/pambase-20120417-systemd-2.patch
@@ -0,0 +1,29 @@
+http://bugs.gentoo.org/372229
+
+--- Makefile
++++ Makefile
+@@ -28,6 +28,10 @@
+ PAMFLAGS += -DHAVE_CONSOLEKIT=1
+ endif
+
++ifeq "$(SYSTEMD)" "yes"
++PAMFLAGS += -DHAVE_SYSTEMD=1
++endif
++
+ ifeq "$(GNOME_KEYRING)" "yes"
+ PAMFLAGS += -DHAVE_GNOME_KEYRING=1
+ endif
+--- system-login.in
++++ system-login.in
+@@ -45,7 +45,10 @@
+ #endif
+ session include system-auth
+ #if HAVE_CONSOLEKIT
+-session optional pam_ck_connector.so nox11
++-session optional pam_ck_connector.so nox11
++#endif
++#if HAVE_SYSTEMD
++-session optional pam_systemd.so
+ #endif
+ #if HAVE_GNOME_KEYRING
+ session optional pam_gnome_keyring.so auto_start
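Review bot: The patch header carries only a bug URL and does not explain the leading `-` it puts on the `pam_ck_connector.so` and `pam_systemd.so` session lines. In Linux-PAM that prefix means a missing module is skipped without a syslog entry, which is also what makes it safe to enable these lines when the module is absent. A one-line description such as `Prefix optional session modules with '-' so a missing pam_systemd/pam_ck_connector is skipped quietly` would document this. The ebuild in this commit also accepts OpenPAM as the implementation, and the patch is applied unconditionally, so it is worth confirming that OpenPAM parses the `-session` form. If it does not, these lines should sit inside a Linux-PAM-only conditional.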
diff --git a/sys-auth/pambase/metadata.xml b/sys-auth/pambase/metadata.xml
new file mode 100644
index 00000000..7a357751
--- /dev/null
+++ b/sys-auth/pambase/metadata.xml
@@ -0,0 +1,84 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+ <herd>pam</herd>
+ <maintainer>
+ <email>pam-bugs@gentoo.org</email>
+ </maintainer>
+ <use>
+ <flag name="cracklib">
+ Enable pam_cracklib module on system authentication stack. This
+ produces warnings when changing password to something easily
+ crackable. It requires the same USE flag to be enabled on
+ <pkg>sys-libs/pam</pkg> or system login might be impossible.
+ </flag>
+ <flag name="consolekit">
+ Enable pam_ck_connector module on local system logins. This
+ allows for console logins to make use of ConsoleKit
+ authorization.
+ </flag>
+ <flag name="systemd">
+ Use pam_systemd module to register user sessions in the systemd
+ control group hierarchy.
+ </flag>
+ <flag name="gnome-keyring">
+ Enable pam_gnome_keyring module on system login stack. This
+ enables proper Gnome Keyring access to logins, whether they are
+ done with the login shell, a Desktop Manager or a remote login
+ systems such as SSH.
+ </flag>
+ <flag name="debug">
+ Enable debug information logging on syslog(3) for all the
+ modules supporting this in the system authentication and system
+ login stacks.
+ </flag>
+ <flag name="passwdqc">
+ Enable pam_passwdqc module on system auth stack for password
+ quality validation. This is an alternative to pam_cracklib
+ producing warnings, rejecting or providing example passwords
+ when changing your system password. It is used by default by
+ OpenWall GNU/*/Linux and by FreeBSD.
+ </flag>
+ <flag name="mktemp">
+ Enable pam_mktemp module on system auth stack for session
+ handling. This module creates a private temporary directory for
+ the user, and sets TMP and TMPDIR accordingly.
+ </flag>
+ <flag name="pam_ssh">
+ Enable pam_ssh module on system auth stack for authentication
+ and session handling. This module will accept as password the
+ passphrase of a private SSH key (one of ~/.ssh/id_rsa,
+ ~/.ssh/id_dsa or ~/.ssh/identity), and will spawn an ssh-agent
+ instance to cache the open key.
+ </flag>
+ <flag name="sha512">
+ Switch Linux-PAM's pam_unix module to use sha512 for passwords
+ hashes rather than MD5. This option requires
+ <pkg>&gt;=sys-libs/pam-1.0.1</pkg> built against
+ <pkg>&gt;=sys-libs/glibc-2.7</pkg>, if it's built against an
+ earlier version, it will silently be ignored, and MD5 hashes
+ will be used. All the passwords changed after this USE flag is
+ enabled will be saved to the shadow file hashed using SHA512
+ function. The password previously saved will be left
+ untouched. Please note that while SHA512-hashed passwords will
+ still be recognised if the USE flag is removed, the shadow file
+ will not be compatible with systems using an earlier glibc
+ version.
+ </flag>
+ <flag name="pam_krb5">
+ Enable pam_krb5 module on system auth stack, as an alternative
+ to pam_unix. If Kerberos authentication succeed, only pam_unix
+ will be ignore, and all the other modules will proceed as usual,
+ including Gnome Keyring and other session modules. It requires
+ <pkg>sys-libs/pam</pkg> as PAM implementation.
+ </flag>
+ <flag name="minimal">
+ Disables the standard PAM modules that provide extra information
+ to users on login; this includes pam_tally (and pam_tally2 for
+ Linux PAM 1.1 and later), pam_lastlog, pam_motd and other
+ similar modules. This might not be a good idea on a multi-user
+ system but could reduce slightly the overhead on single-user
+ non-networked systems.
+ </flag>
+ </use>
+</pkgmetadata>
diff --git a/sys-auth/pambase/pambase-20120417-r5.ebuild b/sys-auth/pambase/pambase-20120417-r5.ebuild
new file mode 100644
index 00000000..fe791970
--- /dev/null
+++ b/sys-auth/pambase/pambase-20120417-r5.ebuild
@@ -0,0 +1,106 @@
+# Copyright 1999-2013 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: $
+
+EAPI=4
+inherit eutils
+
+DESCRIPTION="PAM base configuration files"
+HOMEPAGE="http://www.gentoo.org/proj/en/base/pam/"
+SRC_URI="http://dev.gentoo.org/~flameeyes/${PN}/${P}.tar.bz2
+ http://dev.gentoo.org/~phajdan.jr/${PN}/${P}.tar.bz2"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 -sparc-fbsd -x86-fbsd ~x86-freebsd ~amd64-linux ~ia64-linux ~x86-linux"
+IUSE="consolekit cracklib debug minimal mktemp pam_krb5 pam_ssh passwdqc selinux +sha512 systemd"
+
+RESTRICT=binchecks
+
+MIN_PAM_REQ=1.1.3
+
+RDEPEND="
+ || (
+ >=sys-libs/pam-${MIN_PAM_REQ}
+ ( sys-auth/openpam || ( sys-freebsd/freebsd-pam-modules sys-netbsd/netbsd-pam-modules ) )
+ )
+ consolekit? ( sys-auth/consolekit[pam] )
+ cracklib? ( >=sys-libs/pam-${MIN_PAM_REQ}[cracklib] )
+ mktemp? ( sys-auth/pam_mktemp )
+ pam_krb5? (
+ >=sys-libs/pam-${MIN_PAM_REQ}
+ >=sys-auth/pam_krb5-4.3
+ )
+ pam_ssh? ( sys-auth/pam_ssh )
+ passwdqc? ( >=sys-auth/pam_passwdqc-1.0.4 )
+ selinux? ( >=sys-libs/pam-${MIN_PAM_REQ}[selinux] )
+ sha512? ( >=sys-libs/pam-${MIN_PAM_REQ} )
+ !<sys-apps/shadow-4.1.5-r1
+ !<sys-freebsd/freebsd-pam-modules-6.2-r1
+ !<sys-libs/pam-0.99.9.0-r1"
+DEPEND="app-portage/portage-utils"
+
+src_prepare() {
+ epatch "${FILESDIR}"/${P}-systemd-2.patch
+ epatch "${FILESDIR}"/${P}-lastlog-silent.patch
+ # Drop pam_motd for now, since it breaks DEs autologin
+ epatch "${FILESDIR}"/${P}-drop-motd-for-now.patch
+}
+
+src_compile() {
+ local implementation=
+ local linux_pam_version=
+ if has_version sys-libs/pam; then
+ implementation=linux-pam
+ local ver_str=$(qatom `best_version sys-libs/pam` | cut -d ' ' -f 3)
+ linux_pam_version=$(printf "0x%02x%02x%02x" ${ver_str//\./ })
+ elif has_version sys-auth/openpam; then
+ implementation=openpam
+ else
+ die "PAM implementation not identified"
+ fi
+
+ use_var() {
+ local varname=$(echo $1 | tr [a-z] [A-Z])
+ local usename=${2-$(echo $1 | tr [A-Z] [a-z])}
+ local varvalue=$(usex $usename)
+ echo "${varname}=${varvalue}"
+ }
+
+ emake \
+ GIT=true \
+ $(use_var debug) \
+ $(use_var cracklib) \
+ $(use_var passwdqc) \
+ $(use_var selinux) \
+ $(use_var mktemp) \
+ $(use_var PAM_SSH pam_ssh) \
+ $(use_var sha512) \
+ $(use_var KRB5 pam_krb5) \
+ $(use_var minimal) \
+ $(use_var consolekit) \
+ GNOME_KEYRING=yes \
+ SYSTEMD=yes \
+ IMPLEMENTATION=${implementation} \
+ LINUX_PAM_VERSION=${linux_pam_version}
+}
+
+src_test() { :; }
+
+src_install() {
+ emake GIT=true DESTDIR="${ED}" install
+}
+
+pkg_postinst() {
+ if use sha512; then
+ elog "Starting from version 20080801, pambase optionally enables"
+ elog "SHA512-hashed passwords. For this to work, you need sys-libs/pam-1.0.1"
+ elog "built against sys-libs/glibc-2.7 or later."
+ elog "If you don't have support for this, it will automatically fallback"
+ elog "to MD5-hashed passwords, just like before."
+ elog
+ elog "Please note that the change only affects the newly-changed passwords"
+ elog "and that SHA512-hashed passwords will not work on earlier versions"
+ elog "of glibc or Linux-PAM."
+ fi
+}
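Review bot: `systemd` is declared in `IUSE` but never read in `src_compile`, where `SYSTEMD=yes` and `GNOME_KEYRING=yes` are passed to `emake` unconditionally, so toggling the flag does not change the generated PAM stack. If always-on is intended (the `-session` prefix from the systemd patch would make that harmless), drop the flag from `IUSE` and add a comment saying so; otherwise use `$(use_var systemd)` like the other flags. metadata.xml likewise documents a `gnome-keyring` flag that this ebuild does not list in `IUSE`. Separately, in `use_var` the bracket arguments to `tr` are unquoted and open to pathname expansion if a single-letter file exists in the working directory; `tr '[a-z]' '[A-Z]'` and `tr '[A-Z]' '[a-z]'` avoid that.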