62 files changed, 424 insertions, 521 deletions
diff --git a/.gitmodules b/.gitmodules index 527e24f..67e703b 100644 --- a/.gitmodules +++ b/.gitmodules @@ -1,3 +1,6 @@ [submodule "imprimatur"] path = imprimatur url = git://git.gnu.org.ua/imprimatur.git +[submodule "lib/wordsplit"] + path = lib/wordsplit + url = git://git.gnu.org.ua/wordsplit.git @@ -1,5 +1,4 @@ -# Copyright (C) 2001, 2006-2007, 2010-2012, 2014-2015, 2018 Sergey -# Poznyakoff +# Copyright (C) 2001-2022 Sergey Poznyakoff # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by diff --git a/Makefile.am b/Makefile.am index f2f416b..f64685c 100644 --- a/Makefile.am +++ b/Makefile.am 
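Review bot: The new `lib/wordsplit` submodule is fetched over `git://`, a transport with no server authentication and no integrity protection, and this tree builds PAM modules that run in the authentication path. The commit id recorded in the superproject still pins what a plain `git submodule update` checks out, but that protection rests on the object id alone and does not cover anyone who later runs `git submodule update --remote`. If the host serves the repository over an authenticated transport, prefer it here, e.g. `url = https://<host>/wordsplit.git` (placeholder; confirm the real URL). The existing `imprimatur` entry in the context lines has the same issue and could be changed at the same time.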
@@ -1,20 +1,19 @@ -# This file is part of pam-modules. -# Copyright (C) 2001, 2006, 2008-2012, 2014-2015, 2018 Sergey Poznyakoff -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation; either version 3, or (at your option) -# any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License along -# with this program. If not, see <http://www.gnu.org/licenses/>. +## This file is part of pam-modules. +## Copyright (C) 2001-2022 Sergey Poznyakoff +## +## This program is free software; you can redistribute it and/or modify +## it under the terms of the GNU General Public License as published by +## the Free Software Foundation; either version 3, or (at your option) +## any later version. +## +## This program is distributed in the hope that it will be useful, +## but WITHOUT ANY WARRANTY; without even the implied warranty of +## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +## GNU General Public License for more details. +## +## You should have received a copy of the GNU General Public License along +## with this program. If not, see <http://www.gnu.org/licenses/>. -AUTOMAKE_OPTIONS = gnits 1.8 ACLOCAL_AMFLAGS = -I m4 -I imprimatur SUBDIRS = \ 
@@ -52,16 +51,21 @@ EXTRA_DIST=ChangeLog.svn # Name of the previous ChangeLog file. prev_change_log = ChangeLog.svn # Start Git ChangeLog from this date. -gen_start_date = 2012-05-13 +gen_start_date = 2012-05-14 .PHONY: ChangeLog ChangeLog: - $(AM_V_GEN)if test -d .git; then \ - git log --pretty='format:%ct %an <%ae>%n%n%s%n%n%b%n' | \ - awk -f $(top_srcdir)/git2chg.awk \ - -vsince="$(gen_start_date)" -vappend="$(prev_change_log)" \ - > ChangeLog.tmp; \ - cmp ChangeLog ChangeLog.tmp > /dev/null 2>&1 || \ - mv ChangeLog.tmp ChangeLog; \ - rm -f ChangeLog.tmp; \ + $(AM_V_GEN)if test -d .git; then \ + (git log --pretty='format:%ad %cn <%ae>%n%n%w(72,8,8)%s%n%n%b' \ + --date=short --since=$(gen_start_date); \ + echo ""; \ + cat ChangeLog.svn; \ + echo ""; \ + echo "Local Variables:"; \ + echo "mode: change-log"; \ + echo "version-control: never"; \ + echo "buffer-read-only: t"; \ + echo "End:"; \ + echo ""; \ + sed -n -e '2,/^$$/s/^##//p' Makefile.am) > ChangeLog; \ fi 
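Review bot: The rewritten `ChangeLog` recipe redirects the whole subshell straight into `ChangeLog`, so the file is truncated before `git log` runs, and the subshell's exit status is that of the final `sed`; a failing `git log` therefore leaves a partial ChangeLog and the rule still succeeds. Writing to a temporary file and renaming it on success, as the removed recipe did, avoids shipping a truncated file: end the subshell with `> ChangeLog.tmp && mv ChangeLog.tmp ChangeLog` and join the commands inside it with `&&`. The recipe also hard-codes `cat ChangeLog.svn` and `Makefile.am` as paths relative to the current directory, which leaves `prev_change_log` unused and looks likely to break out-of-tree builds; `cat $(top_srcdir)/$(prev_change_log)` and `$(top_srcdir)/Makefile.am` would keep the variable meaningful. `--since=$(gen_start_date)` should be quoted as well.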
@@ -1,12 +1,40 @@ -pam-modules -- history of user-visible changes. 2018-08-16 +pam-modules -- history of user-visible changes. 2022-05-09 See the end of file for copying conditions. Please send pam-modules bug reports to <bug-pam-modules@gnu.org.ua> -Version 2.3.90 (git) +Version 2.5, 2022-05-09 + +* pam_fshadow: skip-password option + +Based on the proposal of Mirsad Goran Todorovac, the new option +skip-password instructs pam_fshadow to check whether the user +being authenticated is present in the passwd and/or shadow files, +without verifying his password. This way pam_fshadow can be used as +an auxiliary module in the stack, actual authentication being +performed by one of the modules before it. + + +Version 2.4.1, 2021-08-11 + +* Fix pam_mysql and pam_pgsql authentication + +* New pam_mysql configuration keywords: default-file and default-group + +The new keywords define the MySQL "default file" and name of the group +in it that should be used. In presense of "default-file", the rest of +connection and credentials keywords (host, login, etc.), become +optional. + +Version 2.4, 2020-12-30 * Major rewrite of memory allocation code +* Bugfixes + +** usage of pam_regex with 'transform=', but without 'regex=' + +** ldappubkey: Pass arguments to start_tls Version 2.3.1, 2018-08-13 @@ -23,7 +51,7 @@ This module checks if the current hostname and the name of the user trying to log in are mentioned in a triple of the specified NIS netgroup. -* The ldappubkey utility imporoved. +* The ldappubkey utility improved. The PublicKeyAttribute setting accepts a whitespace-separated list of attribute names. @@ -251,7 +279,7 @@ Version 0.1 ========================================================================= Copyright information: -Copyright (C) 2001, 2004-2005, 2007-2012, 2015, 2018 Sergey Poznyakoff +Copyright (C) 2001-2022 Sergey Poznyakoff Permission is granted to anyone to make or distribute verbatim copies of this document as received, in any medium, provided that the 
@@ -1,6 +1,4 @@ PAM-modules README -Copyright (C) 2001, 2004-2005, 2007, 2009-2012, 2014-2015, 2018 Sergey -Poznyakoff See the end of file for copying conditions. * Introduction @@ -74,7 +72,7 @@ Send bug reports to <bug-pam-modules@gnu.org.ua>. Read the chapter * Copyright information: -Copyright (C) 2001, 2004-2005, 2007, 2009-2014 Sergey Poznyakoff +Copyright (C) 2001-2022 Sergey Poznyakoff Permission is granted to anyone to make or distribute verbatim copies of this document as received, in any medium, provided that the @@ -0,0 +1,3 @@ +pam-modules THANKS file + +Mirsad Goran Todorovac <mirsad.todorovac@alu.unizg.hr> diff --git a/acinclude.m4 b/acinclude.m4 index 73bce6e..e095fe1 100644 --- a/acinclude.m4 +++ b/acinclude.m4 @@ -1,4 +1,4 @@ -# Copyright (C) 2001, 2006, 2008-2012, 2014-2015, 2018 Sergey Poznyakoff +# Copyright (C) 2001-2022 Sergey Poznyakoff # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by @@ -15,7 +15,7 @@ AC_DEFUN([PM_ENABLE],[ AC_ARG_ENABLE($1, - AC_HELP_STRING([--disable-$1], [Disable pam_$1]), + AS_HELP_STRING([--disable-$1], [Disable pam_$1]), [build_$1=$enableval], [build_$1=m4_if([$2],[],yes,probe)]) m4_pushdef([upmodname],translit($1, [a-z.-], [A-Z__])) diff --git a/configure.ac b/configure.ac index e146a65..f0a5c5e 100644 --- a/configure.ac +++ b/configure.ac @@ -1,5 +1,5 @@ # This file is part of pam-modules. -*- autoconf -*- -# Copyright (C) 2005-2012, 2014-2015, 2018 Sergey Poznyakoff +# Copyright (C) 2005-2022 Sergey Poznyakoff # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by 
@@ -14,14 +14,14 @@ # You should have received a copy of the GNU General Public License along # with this program. If not, see <http://www.gnu.org/licenses/>. -AC_PREREQ(2.63) +AC_PREREQ([2.71]) -AC_INIT(pam-modules, 2.3.90, bug-pam-modules@gnu.org.ua) +AC_INIT([pam-modules],[2.5.90],[bug-pam-modules@gnu.org.ua]) AC_CONFIG_SRCDIR(pam_fshadow/pam_fshadow.c) AC_CONFIG_AUX_DIR([build-aux]) AC_CONFIG_MACRO_DIR([m4]) -AM_INIT_AUTOMAKE([1.11 no-exeext tar-ustar dist-xz silent-rules]) -AM_CONFIG_HEADER(config.h) +AM_INIT_AUTOMAKE([1.16.5 no-exeext tar-ustar dist-xz silent-rules subdir-objects]) +AC_CONFIG_HEADERS([config.h]) # Enable silent rules by default: AM_SILENT_RULES([yes]) @@ -35,7 +35,7 @@ dnl Checks for programs. AC_PROG_CC AC_PROG_INSTALL -AM_DISABLE_STATIC +AC_DISABLE_STATIC([]) LT_PREREQ(2.2.5a) LT_INIT @@ -44,7 +44,7 @@ AC_CHECK_LIB(pam, pam_get_item,:, [AC_MSG_ERROR([Required library libpam is not found])]) AC_ARG_WITH(crypt-lib, - AC_HELP_STRING([--with-crypt-lib=LIB], + AS_HELP_STRING([--with-crypt-lib=LIB], [use -lLIB instead of -lcrypt]), [cryptlib=$withval], [cryptlib=crypt]) @@ -59,7 +59,6 @@ AC_CHECK_LIB(pam_misc, pam_misc_setenv, AC_DEFINE([HAVE_PAM_MISC_SETENV],1)],:,[-lpam]) dnl Checks for header files. -AC_HEADER_STDC AC_CHECK_HEADERS(security/pam_appl.h security/pam_modules.h, :, AC_MSG_ERROR([Required PAM header files not found])) 
@@ -89,20 +88,20 @@ PM_ENABLE(groupmember) # Check for SQL support AC_ARG_WITH(mysql, - AC_HELP_STRING([--without-mysql], + AS_HELP_STRING([--without-mysql], [Configure to work without MySQL]), [want_mysql=$withval]) AC_ARG_WITH(pgsql, - AC_HELP_STRING([--without-pgsql], + AS_HELP_STRING([--without-pgsql], [Configure to work without Postgres]), [want_pgsql=$withval]) AC_ARG_WITH(postgres, - AC_HELP_STRING([--without-postgres], + AS_HELP_STRING([--without-postgres], [Same as --without-pgsql]), [want_pgsql=$withval]) AC_ARG_WITH(sql, - AC_HELP_STRING([--without-sql], - [Do not build SQL dependent modules]), + AS_HELP_STRING([--without-sql], + [Do not build SQL dependent modules]), [want_mysql=$withval want_pgsql=$withval]) @@ -188,15 +187,15 @@ esac]) ## debugging support ## ***************** AC_ARG_ENABLE(debug, - AC_HELP_STRING([--enable-debug], [enable debugging mode]), + AS_HELP_STRING([--enable-debug],[enable debugging mode]), [if test "$enableval" = yes; then if test "$GCC" = yes; then AC_MSG_CHECKING(whether gcc accepts -ggdb) save_CFLAGS=$CFLAGS CFLAGS="-ggdb -Wall" - AC_TRY_COMPILE([],void f(){}, - AC_MSG_RESULT(yes), - [if test x"$ac_cv_prog_cc_g" = xyes; then + AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[]], [[void f(){}]])], + [AC_MSG_RESULT(yes)], + [if test x"$ac_cv_prog_cc_g" = xyes; then CFLAGS="-g -Wall" else CFLAGS= @@ -212,8 +211,7 @@ AC_ARG_ENABLE(debug, ## ************** PAMDIR='$(prefix)/lib/security' AC_ARG_WITH(pamdir, - AC_HELP_STRING([--with-pamdir=DIR], - [install PAM modiles in DIR (PREFIX/lib/security)]), + AS_HELP_STRING([--with-pamdir=DIR],[install PAM modiles in DIR (PREFIX/lib/security)]), [PAMDIR=$withval]) AC_SUBST(PAMDIR) @@ -258,7 +256,7 @@ build_umotd=$build_umotd build_groupmember=$build_groupmember build_innetgr=$build_innetgr]) -AC_OUTPUT(Makefile +AC_CONFIG_FILES([Makefile doc/Makefile examples/Makefile lib/Makefile 
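Review bot: In the `--enable-debug` hunk the probe was converted to `AC_LANG_PROGRAM([[]], [[void f(){}]])`, which puts `void f(){}` inside the body of `main`. That is a nested function definition, a GNU C extension, so a compiler that sets `$GCC` but rejects nested functions (clang, for example) would fail the probe for a reason unrelated to `-ggdb`. Moving the definition into the prologue tests the flag itself: `AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[void f(void){}]], [[]])],`. The removed `AC_TRY_COMPILE` call had the same shape, so this is inherited from the old code, not introduced by the conversion. The enclosing `AC_ARG_ENABLE(debug, ...)` continues past the end of the hunk.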
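Review bot: The reflowed `--with-pamdir` help string still reads `install PAM modiles in DIR`, and this text is what users see in `./configure --help`. Since the line is being rewritten anyway, correct it to `AS_HELP_STRING([--with-pamdir=DIR],[install PAM modules in DIR (PREFIX/lib/security)]),`.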
@@ -270,4 +268,5 @@ AC_OUTPUT(Makefile pam_umotd/Makefile pam_groupmember/Makefile pam_innetgr/Makefile - pamck/Makefile) + pamck/Makefile]) +AC_OUTPUT diff --git a/doc/.gitignore b/doc/.gitignore index 6ae86e7..a7d4dd7 100644 --- a/doc/.gitignore +++ b/doc/.gitignore @@ -25,4 +25,5 @@ pam-modules.ps pam-modules.toc pam-modules.tp pam-modules.vr +pam-modules.t2d manual diff --git a/doc/Makefile.am b/doc/Makefile.am index 368d3b0..88f57c8 100644 --- a/doc/Makefile.am +++ b/doc/Makefile.am @@ -1,6 +1,5 @@ # This file is part of pam-modules. -# Copyright (C) 2005, 2007-2008, 2010-2012, 2014-2015, 2018 Sergey -# Poznyakoff +# Copyright (C) 2005-2022 Sergey Poznyakoff # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by @@ -138,7 +137,7 @@ RENDITION = DISTRIB GENDOCS=$(srcdir)/gendocs.sh --no-copy-images --html '--init-file=$(abs_srcdir)/html.init' EXTRA_DIST += gendocs.sh -TEXI2DVI=texi2dvi -t '@set $(RENDITION)' -I $(top_srcdir)/imprimatur +TEXI2DVI=texi2dvi --build=tidy -t '@set $(RENDITION)' -I $(top_srcdir)/imprimatur # Make sure you set TEXINPUTS. # TEXINPUTS=/usr/share/texmf/pdftex/plain/misc/ is ok for most distributions diff --git a/doc/html.init b/doc/html.init index dc325d7..f017e4d 100644 --- a/doc/html.init +++ b/doc/html.init @@ -1,5 +1,5 @@ # Texi2any configuration for pam-modules documentation. -*- perl -*- -# Copyright (C) 2009, 2012, 2014-2015, 2018 Sergey Poznyakoff +# Copyright (C) 2009-2022 Sergey Poznyakoff # # PAM-Modules is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by diff --git a/doc/pam-modules.texi b/doc/pam-modules.texi index 840a4c1..daf4764 100644 --- a/doc/pam-modules.texi +++ b/doc/pam-modules.texi 
@@ -43,8 +43,7 @@ @end ifinfo @copying -Copyright @copyright{} 2005, 2007-2012, 2014-2015, 2018 Sergey -Poznyakoff +Copyright @copyright{} 2005--2022 Sergey Poznyakoff Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or @@ -107,6 +106,7 @@ Authentication against an alternative shadow file. * plain mode:: * virtual domain mode:: +* disabling password checking:: * summary of pam_fshadow options:: Authentication using regular expressions. @@ -345,6 +345,7 @@ describe the plain mode. @menu * plain mode:: * virtual domain mode:: +* disabling password checking:: * summary of pam_fshadow options:: @end menu @@ -490,6 +491,21 @@ user name was @samp{smith@@ftp}, then the module will look for the user name @samp{smith} in files @file{/etc/auth/ftp/passwd} and @file{/etc/auth/ftp/shadow}. +@node disabling password checking +@section Disabling password checking + +You can instruct @command{pam_fshadow} to skip password checking using +the @code{skip-password} option. When given this option, +the module will only check whether the user is listed in the password +and/or shadow files, and whether the user's account in the latter is +active and has not expired. This way @command{pam_fshadow} can +be used as an auxiliary module in the stack, actual authentication being +performed by one of the modules before it. + +This option can be used both in plain and in virtual domain mode. The +use of either file (but not both) can be disabled by the +@code{nopasswd} and @code{noshadow} options. + @node summary of pam_fshadow options @section Summary of pam_fshadow options 
@@ -531,6 +547,11 @@ name and authentication domain. selects authentication domain, and group #2 selects user name. @xref{virtual domain mode, revert-index}. +@opsummary{skip-password} +@item skip-password +Skip password verification. Check only that the user name is listed +in the password and/or shadow files. @xref{disabling password checking}. + @opsummary{sysconfdir} @item sysconfdir=@var{dir} Assume @var{dir} as the system configuration directory. @@ -607,7 +628,7 @@ return @code{PAM_AUTH_ERR}. Default is @samp{allow}. @section Using @command{pam_regex} to alter user names. Another common use for @command{pam_regex} is to alter user names. -This mode is enabled when the @option{transfer} option is used in the +This mode is enabled when the @option{transform} option is used in the command line: @table @option @@ -906,6 +927,18 @@ only if your database is running on a port different from the standard. @xkwindex{pass, described} @item pass @var{password} Sets @acronym{SQL} user password. + +@xkwindex{default-file, described} +@item default-file @var{file} +Name of the MySQL @dfn{default file}, which should be consulted in +order to obtain connection parameters and credentials. When +specified, the keywords described above become optional. + +@xkwindex{default-group, described} +@item default-group @var{name} +Name of the @dfn{group} in MySQL default file to use. Default is +@samp{mysql}. This keyword is meaningful only if @code{default-file} +is given. @end table @node sql auth diff --git a/doc/pam_fshadow.8in b/doc/pam_fshadow.8in index 35ad59e..2e91c10 100644 --- a/doc/pam_fshadow.8in +++ b/doc/pam_fshadow.8in @@ -1,5 +1,5 @@ .\" This file is part of PAM-Modules -*- nroff -*- -.\" Copyright (C) 2001-2018 Sergey Poznyakoff +.\" Copyright (C) 2001-2022 Sergey Poznyakoff .\" .\" PAM-Modules is free software; you can redistribute it and/or modify .\" it under the terms of the GNU General Public License as published by 
@@ -14,7 +14,7 @@ .\" You should have received a copy of the GNU General Public License .\" along with PAM-Modules. If not, see <http://www.gnu.org/licenses/>. .so config.so -.TH PAM_FSHADOW 8 "December 22, 2017" "PAM-MODULES" "Pam-Modules User Reference" +.TH PAM_FSHADOW 8 "February 3, 2022" "PAM-MODULES" "Pam-Modules User Reference" .SH NAME pam_fshadow \- use alternative passwd and/or shadow files .SH SYNOPSIS @@ -30,6 +30,7 @@ pam_fshadow \- use alternative passwd and/or shadow files [\fBnoshadow\fR]\ [\fBregex=\fIEXPR\fR]\ [\fBrevert\-index\fR]\ + [\fBskip\-password\fR]\ [\fBsysconfdir=\fIDIR\fR]\ [\fBuse_authtok\fR]\ [\fBusername\-index=\fIN\fR]\ @@ -101,6 +102,12 @@ regex=(.*)@(.*) This regular expression will match user names like \fBsmith@domain\fR. .TP +.B skip\-password +Disable password verification. With this flag, the module only checks +whether the user is listed in the password and shadow files and +whether the user's account has not expired. Use of either file +can be disabled using \fBnopasswd\fR or \fBnoshadow\fR (but not both). +.TP \fBusername\-index=\fIN\fR Use \fIN\fRth parenthesized group of the regular expression as the user name. Default is 1. @@ -214,7 +221,7 @@ Sergey Poznyakoff <gray@gnu.org> .SH "BUG REPORTS" Report bugs to <bug\-pam\-modules@gnu.org.ua>. .SH COPYRIGHT -Copyright \(co 2001-2014 Sergey Poznyakoff +Copyright \(co 2001-2022 Sergey Poznyakoff .br .na License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html> diff --git a/doc/pam_groupmember.8 b/doc/pam_groupmember.8 index 26d8e0f..66f1392 100644 --- a/doc/pam_groupmember.8 +++ b/doc/pam_groupmember.8 @@ -1,5 +1,5 @@ .\" This file is part of PAM-Modules -*- nroff -*- -.\" Copyright (C) 2001-2015, 2018 Sergey Poznyakoff +.\" Copyright (C) 2001-2022 Sergey Poznyakoff .\" .\" PAM-Modules is free software; you can redistribute it and/or modify .\" it under the terms of the GNU General Public License as published by 
diff --git a/doc/pam_innetgr.8 b/doc/pam_innetgr.8 index 335409d..14879db 100644 --- a/doc/pam_innetgr.8 +++ b/doc/pam_innetgr.8 @@ -1,5 +1,5 @@ .\" This file is part of PAM-Modules -*- nroff -*- -.\" Copyright (C) 2018 Sergey Poznyakoff +.\" Copyright (C) 2018-2022 Sergey Poznyakoff .\" .\" PAM-Modules is free software; you can redistribute it and/or modify .\" it under the terms of the GNU General Public License as published by diff --git a/doc/pam_ldaphome.8in b/doc/pam_ldaphome.8in index 90bd418..f5635a8 100644 --- a/doc/pam_ldaphome.8in +++ b/doc/pam_ldaphome.8in @@ -1,5 +1,5 @@ .\" This file is part of PAM-Modules -*- nroff -*- -.\" Copyright (C) 2001-2015, 2018 Sergey Poznyakoff +.\" Copyright (C) 2001-2022 Sergey Poznyakoff .\" .\" PAM-Modules is free software; you can redistribute it and/or modify .\" it under the terms of the GNU General Public License as published by diff --git a/doc/pam_log.8 b/doc/pam_log.8 index ff84947..7af3767 100644 --- a/doc/pam_log.8 +++ b/doc/pam_log.8 @@ -1,5 +1,5 @@ .\" This file is part of PAM-Modules -*- nroff -*- -.\" Copyright (C) 2001-2015, 2018 Sergey Poznyakoff +.\" Copyright (C) 2001-2022 Sergey Poznyakoff .\" .\" PAM-Modules is free software; you can redistribute it and/or modify .\" it under the terms of the GNU General Public License as published by diff --git a/doc/pam_mysql.8in b/doc/pam_mysql.8in index a3c38fe..8c0f940 100644 --- a/doc/pam_mysql.8in +++ b/doc/pam_mysql.8in @@ -1,5 +1,5 @@ .\" This file is part of PAM-Modules -*- nroff -*- -.\" Copyright (C) 2001-2015, 2018 Sergey Poznyakoff +.\" Copyright (C) 2001-2022 Sergey Poznyakoff .\" |