[svn] r5075 - in trunk/rpms: . gnash mpg123 pam_abl pam_ssh
regionset varconf vnstat
packagers at lists.rpmforge.net
packagers at lists.rpmforge.net
Mon Jan 15 08:49:12 CET 2007
Author: dag
Date: 2007-01-15 08:49:10 +0100 (Mon, 15 Jan 2007)
New Revision: 5075
Added:
trunk/rpms/pam_abl/
trunk/rpms/pam_abl/pam_abl-0.2.3-fixes.patch
trunk/rpms/pam_abl/pam_abl.spec
trunk/rpms/pam_ssh/
trunk/rpms/pam_ssh/pam_ssh-1.91-getpwnam.patch
trunk/rpms/pam_ssh/pam_ssh-1.91-include_md5.diff
trunk/rpms/pam_ssh/pam_ssh-1.91-include_syslog.diff
trunk/rpms/pam_ssh/pam_ssh-1.91-man_agent_files.diff
trunk/rpms/pam_ssh/pam_ssh-1.91-var_run.patch
trunk/rpms/pam_ssh/pam_ssh.spec
Modified:
trunk/rpms/gnash/gnash.spec
trunk/rpms/mpg123/mpg123.spec
trunk/rpms/regionset/regionset.spec
trunk/rpms/varconf/varconf.spec
trunk/rpms/vnstat/vnstat.spec
Log:
Updates
Modified: trunk/rpms/gnash/gnash.spec
===================================================================
--- trunk/rpms/gnash/gnash.spec 2007-01-15 06:39:36 UTC (rev 5074)
+++ trunk/rpms/gnash/gnash.spec 2007-01-15 07:49:10 UTC (rev 5075)
@@ -18,7 +18,7 @@
Summary: Flash player
Name: gnash
-Version: 0.7.1
+Version: 0.7.2
Release: 1
License: GPL
Group: Applications/Multimedia
@@ -128,5 +128,8 @@
%{_libdir}/mozilla/plugins/
%changelog
+* Mon Jan 15 2007 Dag Wieers <dag at wieers.com> - 0.7.2-1
+- Updated to release 0.7.2.
+
* Thu May 11 2006 Dag Wieers <dag at wieers.com> - 0.7.1-1
- Initial package (using DAR)
Modified: trunk/rpms/mpg123/mpg123.spec
===================================================================
--- trunk/rpms/mpg123/mpg123.spec 2007-01-15 06:39:36 UTC (rev 5074)
+++ trunk/rpms/mpg123/mpg123.spec 2007-01-15 07:49:10 UTC (rev 5075)
@@ -42,7 +42,7 @@
Summary: MPEG audio player
Name: mpg123
-Version: 0.61
+Version: 0.63
Release: 1
License: GPL/LGPL
Group: Applications/Multimedia
@@ -95,6 +95,9 @@
%changelog
+* Mon Jan 15 2007 Dag Wieers <dag at wieers.com> - 0.63-1
+- Updated to release 0.63.
+
* Sun Oct 22 2006 Dag Wieers <dag at wieers.com> - 0.61-1
- Updated to release 0.61.
Added: trunk/rpms/pam_abl/pam_abl-0.2.3-fixes.patch
===================================================================
--- trunk/rpms/pam_abl/pam_abl-0.2.3-fixes.patch (rev 0)
+++ trunk/rpms/pam_abl/pam_abl-0.2.3-fixes.patch 2007-01-15 07:49:10 UTC (rev 5075)
@@ -0,0 +1,540 @@
+Patch by Robert Scheck <robert at fedoraproject.org> for pam_abl 0.2.3, changes:
+
+* pam_abl/pam_abl.c
+ - Fixed compiler warning "dereferencing type-punned pointer will break
+ strict-aliasing rules"
+
+* pam_abl/Makefile
+ - Always honor $RPM_OPT_FLAGS when available
+ - Fixed the make warning "jobserver unavailable: using -j1. Add `+' to
+ parent make rule"
+
+* pam_abl/tools/Makefile
+ - Always honor $RPM_OPT_FLAGS when available
+
+* pam_abl/doc/pam_abl.1
+ - Initial version of a pam_abl man page based on the current docs
+
+* pam_abl/CONFIGURATION
+ - Initial version of a pam_abl text documentation based on the HTML files
+
+* pam_abl/conf/system-auth
+ - Removed use of /lib/security/$ISA, because it will break on any 64 bit
+ system having /lib64 instead of /lib; should fix sf.net Bug ID #1325837
+
+* pam_abl/doc/index.html
+ - Never ever use /lib/security, will break any 64 bit compatibility
+
+* pam_abl/QUICKSTART
+ - Quickstart guide heavily based on README.fedora written by the Fedora
+ Extras maintainer Alexander Dalloz <alex {%} dalloz {*} de>
+
+Following patch was sent upstream at Sat, 17 Jun 2006 21:24:50 +0200 and it
+was confirmed by the upstream maintainer, that this patch will be added to
+the next pam_abl release - but unfortunately nothing happened, yet.
+
+--- pam_abl/pam_abl.c 2005-10-12 21:22:26.000000000 +0200
++++ pam_abl/pam_abl.c.rsc 2006-06-17 18:36:44.000000000 +0200
+@@ -168,7 +168,7 @@
+ const char *rhost;
+ int err;
+
+- if (err = pam_get_item(args->pamh, PAM_RHOST, (const void **) &rhost), PAM_SUCCESS != err) {
++ if (err = pam_get_item(args->pamh, PAM_RHOST, (const void **)( const void*) &rhost), PAM_SUCCESS != err) {
+ log_pam_error(args, err, "getting PAM_RHOST");
+ return err;
+ }
+@@ -187,7 +187,7 @@
+ if (NULL != args->user_db) {
+ const char *user;
+ int err;
+- if (err = pam_get_item(args->pamh, PAM_USER, (const void **) &user), PAM_SUCCESS != err) {
++ if (err = pam_get_item(args->pamh, PAM_USER, (const void **) (const void*) &user), PAM_SUCCESS != err) {
+ log_pam_error(args, err, "getting PAM_USER");
+ return err;
+ }
+@@ -285,7 +285,7 @@
+ if (NULL != args->host_db) {
+ const char *rhost;
+ int err;
+- if (err = pam_get_item(args->pamh, PAM_RHOST, (const void **) &rhost), PAM_SUCCESS != err) {
++ if (err = pam_get_item(args->pamh, PAM_RHOST, (const void **) (const void*) &rhost), PAM_SUCCESS != err) {
+ log_pam_error(args, err, "getting PAM_RHOST");
+ return err;
+ }
+@@ -316,12 +316,12 @@
+ const char *user;
+ const char *service;
+
+- if (err = pam_get_item(args->pamh, PAM_USER, (const void **) &user), PAM_SUCCESS != err) {
++ if (err = pam_get_item(args->pamh, PAM_USER, (const void **) (const void*) &user), PAM_SUCCESS != err) {
+ log_pam_error(args, err, "getting PAM_USER");
+ return err;
+ }
+
+- if (err = pam_get_item(args->pamh, PAM_SERVICE, (const void **) &service), PAM_SUCCESS != err) {
++ if (err = pam_get_item(args->pamh, PAM_SERVICE, (const void **) (const void*) &service), PAM_SUCCESS != err) {
+ log_pam_error(args, err, "getting PAM_SERVICE");
+ return err;
+ }
+@@ -374,9 +374,9 @@
+ check_attempt(args, &rv);
+ if (rv) {
+ const char *rhost, *user, *service;
+- if (PAM_SUCCESS == pam_get_item(args->pamh, PAM_RHOST, (const void **) &rhost ) &&
+- PAM_SUCCESS == pam_get_item(args->pamh, PAM_USER, (const void **) &user ) &&
+- PAM_SUCCESS == pam_get_item(args->pamh, PAM_SERVICE, (const void **) &service)) {
++ if (PAM_SUCCESS == pam_get_item(args->pamh, PAM_RHOST, (const void **) (const void*) &rhost ) &&
++ PAM_SUCCESS == pam_get_item(args->pamh, PAM_USER, (const void **) (const void*) &user ) &&
++ PAM_SUCCESS == pam_get_item(args->pamh, PAM_SERVICE, (const void **) (const void*) &service)) {
+ log_info(args, "Blocking access from %s to service %s, user %s", rhost, service, user);
+ }
+ return PAM_AUTH_ERR;
+--- pam_abl/Makefile 2005-10-12 21:22:25.000000000 +0200
++++ pam_abl/Makefile.rsc 2006-06-17 18:45:43.000000000 +0200
+@@ -1,7 +1,7 @@
+ # Makefile
+ # $Id: Makefile,v 1.1.1.1 2005/10/12 19:22:25 tagishandy Exp $
+
+-CFLAGS=-Wall -fPIC
++CFLAGS=-Wall -fPIC $(RPM_OPT_FLAGS)
+ PAMDIR=/lib/security
+ CONFDIR=/etc/security
+ DBDIR=/var/lib/abl
+@@ -11,26 +11,26 @@
+ SUBDIRS=tools
+
+ all : $(MODULE)
+- for d in $(SUBDIRS) ; do cd $$d && make $@ && cd .. ; done
++ for d in $(SUBDIRS) ; do cd $$d && $(MAKE) $@ && cd .. ; done
+
+ $(MODULE) : $(OBJ)
+ ld -x --shared $(LIBS) -o $@ $^
+
+ clean :
+ rm -f $(MODULE) $(OBJ)
+- for d in $(SUBDIRS) ; do cd $$d && make $@ && cd .. ; done
++ for d in $(SUBDIRS) ; do cd $$d && $(MAKE) $@ && cd .. ; done
+
+ install : $(MODULE)
+ install --mode=755 --strip $(MODULE) $(PAMDIR)
+ #install --mode=644 conf/pam_abl.conf $(CONFDIR)
+ install -d --mode=755 $(DBDIR)
+- for d in t $(SUBDIRS) ; do cd $$d && make $@ && cd .. ; done
++ for d in t $(SUBDIRS) ; do cd $$d && $(MAKE) $@ && cd .. ; done
+
+ depend :
+ cc -MM *.c > deps
+- for d in $(SUBDIRS) ; do cd $$d && make $@ && cd .. ; done
++ for d in $(SUBDIRS) ; do cd $$d && $(MAKE) $@ && cd .. ; done
+
+ test :
+- cd t && make && cd ..
++ cd t && $(MAKE) && cd ..
+
+ include deps
+--- pam_abl/tools/Makefile 2005-10-12 21:22:27.000000000 +0200
++++ pam_abl/tools/Makefile.rsc 2006-06-17 19:15:25.000000000 +0200
+@@ -1,6 +1,6 @@
+ # Makefile
+
+-CFLAGS=-Wall
++CFLAGS=-Wall -fPIC $(RPM_OPT_FLAGS)
+ LIBS=-ldb -lpthread
+ TARGET=pam_abl
+ OBJ=log.o config.o rule.o pam_abl.o
+--- pam_abl/doc/pam_abl.1 1970-01-01 01:00:00.000000000 +0100
++++ pam_abl/doc/pam_abl.1.rsc 2006-06-17 20:02:44.000000000 +0200
+@@ -0,0 +1,52 @@
++.TH pam_abl 1 "Oct 13, 2005"
++.LO 1
++.SH NAME
++pam_abl - query or purge the databases used by the pam_abl module
++.SH OVERVIEW
++\fBpam_abl\fR [ \fIOPTIONS \fR] [ \fICONFIG \fR]
++.SH DESCRIPTION
++Performs maintenance on the databases used by the pam_abl (auto blacklist) module. CONFIG is the name of the pam_abl config file (/etc/security/pam_abl.conf). The config file is read to discover the names of the pam_abl databases and the rules that control purging of old data from them.
++.SH OPTIONS
++.TP
++.B -h, --help
++See a help message
++.TP
++.B -p, --purge
++Purge databases according to purge rules in config
++.TP
++.B -r, --relative
++Display times relative to now otherwise absolute times will be displayed
++.TP
++.B -v, --verbose
++Verbose output
++.TP
++.B --okuser=USER
++Unblock USER
++.TP
++.B --okhost=HOST
++Unblock HOST
++.SH EXAMPLES
++.TP
++Obtain a list of failed hosts and users:
++$ pam_abl
++.TP
++Obtain a full list of failures listing times relative to now:
++$ pam_abl -rv
++.br
++$ pam_abl --relative --verbose
++.TP
++Purge old data:
++$ pam_abl -p
++.br
++$ pam_abl --purge
++.TP
++Unblock all example.com, somewhere.com hosts:
++$ pam_abl -v --okhost=*.example.com --okhost=*.somewhere.com
++.SH AUTHOR
++Andy Armstrong <andy at hexten.net>
++.SH SEE ALSO
++/usr/share/doc/pam_abl-*/CONFIGURATION
++.SH REPORT BUGS
++Please report bugs in English language to the author.
++.SH COPYRIGHT
++pam_abl is licensed under GNU General Public License, the complete license you can get at: http://www.gnu.org/copyleft/gpl.html
+--- pam_abl/CONFIGURATION 1970-01-01 01:00:00.000000000 +0100
++++ pam_abl/CONFIGURATION.rsc 2006-06-17 20:02:44.000000000 +0200
+@@ -0,0 +1,251 @@
++The Auto Blacklist Module: pam_abl
++
++Synopsis
++
++Module name:
++ pam_abl
++Author:
++ Andy Armstrong <andy at hexten.net>
++Maintainer:
++ Andy Armstrong <andy at hexten.net>
++Management groups provided:
++ auth
++Cryptographically sensitive:
++ No.
++Security rating:
++Clean code base:
++ Clean.
++System dependencies:
++ Requires Berkeley DB (tested with 4.3.21 and 4.2.50).
++ Requires a configuration file (by convention /etc/security/pam_abl.conf)
++Network aware:
++ No.
++
++Overview of module
++
++Provides auto blacklisting of hosts and users responsible for repeated failed
++authentication attempts. Generally configured so that blacklisted users still
++see normal login prompts but are guaranteed to fail to authenticate.
++
++This functionality is only available to services which call PAM as root. If
++pam_abl is called for uid != 0 it will silently succeed.
++
++Auth component
++
++Recognised arguments:
++
++ Name Arguments Description
++ debug None Enable debug output to syslog.
++ expose_account None Ignored
++ no_warn None Disable warnings which are otherwise output
++ to syslog.
++ try_first_pass None Ignored
++ use_first_pass None Ignored
++ use_mapped_pass None Ignored
++ The configuration file contains additional
++ arguments. In order for the pam_abl command
++ Path to the line tool to work correctly most of the
++ config configuration configuration should be placed in the config
++ file. file rather than being provided by arguments.
++ The format of the config file is described
++ below.
++ Path to host Path to the Berkeley DB which is used to log
++ host_db database the host responsible for failed
++ file. authentication attempts.
++ Purge time Defines how long failed hosts are retained in
++ host_purge for the host the host database. Defaults to 1 day.
++ database.
++ Rule for host The rule (see below for format) which defines
++ host_rule blacklisting. the conditions under which a failed hosts
++ will be blackisted.
++ Path to user Path to the Berkeley DB which is used to log
++ user_db database the user responsible for failed
++ file. authentication attempts.
++ Purge time Defines how long failed users are retained in
++ user_purge for the user the user database. Defaults to 1 day.
++ database.
++ Rule for user The rule (see below for format) which defines
++ user_rule blacklisting. the conditions under which a failed users
++ will be blackisted.
++
++Description:
++
++ Brute force password discovery attacks involve repeated attempts to
++ authenticate against a service using a dictionary of common passwords.
++ While it is desirable to enforce strong passwords for users this is not
++ always possible and in cases where a weak password has been used brute
++ force attacks can be effective.
++
++ The pam_abl module monitors failed authentication attempts and
++ automatically blacklists those hosts (and accounts) that are responsible
++ for large numbers of failed attempts. Once a host is blacklisted it is
++ guaranteed to fail authentication even if the correct credentials are
++ provided.
++
++ Blacklisting is triggered when the number of failed authentication attempts
++ in a particular period of time exceeds a predefined limit. Hosts which stop
++ attempting to authenticate will, after a period of time, be un-blacklisted.
++
++ This functionality is only available to services which call PAM as root. If
++ pam_abl is called for uid != 0 it will silently succeed. If this was not
++ the case it would be possible for a malicious local user to poison the
++ pam_abl data by, for example, discovering the names of the hosts from which
++ root typically logs in and then constructing PAM authentication code to
++ lock out root login attempts from those hosts.
++
++Usage:
++
++ Typically pam_abl.so is added to the auth stack as a required module just
++ before whatever modules actually peform authentication. Here's a fragment
++ of the PAM config for a production server that is running pam_abl:
++
++ auth required pam_env.so
++ auth required pam_abl.so config=/etc/security/pam_abl.conf
++ auth sufficient pam_unix.so try_first_pass nullok
++ auth required pam_deny.so
++
++ Although all of accepted arguments can be supplied here they will usually
++ be placed in a separate config file and linked to using the config argument
++ as in the above example. The pam_abl command line tool reads the external
++ config file (/etc/security/pam_abl.conf in this case) to find the databases
++ so in order for it work correctly an external config should be used.
++
++Config file syntax:
++
++ The config file can contain any arguments that would be supplied via PAM
++ config. In the config file arguments are placed on separate lines. Comments
++ may be included after a '#' and line continuation is possible by placing a
++ back slash at the end of the line to be continued. Here is a sample /etc/
++ security/pam_abl.conf:
++
++ # /etc/security/pam_abl.conf
++ debug
++ host_db=/var/lib/abl/hosts.db
++ host_purge=2d
++ host_rule=*:10/1h,30/1d
++ user_db=/var/lib/abl/users.db
++ user_purge=2d
++ user_rule=!root:10/1h,30/1d
++
++ All of the standard PAM arguments (debug, expose_account, no_warn,
++ try_first_pass, use_first_pass, use_mapped_pass) are accepted; with the
++ exception of debug and no_warn these are ignored.
++
++ The arguments that are specific to pam_abl are as follows:
++
++ Specify the name of the databases that will be used to log
++ failed authentication attempts. The host database is used to
++ host_db, log the hostname responsible for a failed auth and the user
++ user_db database is used to log the requested username. If host_db or
++ user_db is omitted the corresponding auto blacklisting will be
++ disabled.
++ Specify the length of time for which failed attempts should be
++ kept in the databases. For rules to work correctly this must be
++ at least as long as the longest period specified in a
++ corresponding rule. You may wish to retain information about
++ failed attempts for longer than this so that the pam_abl
++ command line tool can report information over a longer period
++ host_purge, of time. The format for this item is a number with an optional
++ user_purge multiplier suffix, 's', 'm', 'h' or 'd' which correspond with
++ seconds, minutes, hours and days. To specify seven days for
++ example one would use '7d'. Note that in normal operation
++ pam_abl will only purge the logged data for a particular host
++ or user if it happens to be updating it, i.e. if that host or
++ user makes another failed attempt. To purge all old entries the
++ pam_abl command line tool should be used.
++ These are the rules which determine the circumstances under
++ which accounts are auto-blacklisted. The host_rule is used to
++ host_rule, block access to hosts that are responsible for excessive
++ user_rule authentication failures and the user_rule is used to disable
++ accounts for which there have been excessive authentication
++ failures. The rule syntax is described in full below.
++
++Rule syntax:
++
++ Each rule consists of a number of space separated 'user clauses'. A user
++ clause specifies the user (and service) names to match and a set of
++ triggers. A simple example would be
++
++ *:10/1h
++
++ which means 'block any user (*) if they are responsible for ten or more
++ failed authentication attempts in the last hour'. In place of the '*' which
++ matches any user a list of usernames can be supplied like this
++
++ root|dba|admin:10/1h
++
++ which means 'block the users root, dba and admin if they are responsible
++ for ten or more failed authentication attempts in the last hour'. You can
++ also specify a service name to match against like this
++
++ root/sshd|dba/*:3/1d
++
++ which means 'block the users root for service 'sshd' and dba for any
++ service if they are responsible for three or more failed authentication
++ attempts in the last day'. Finally you can specify multiple triggers like
++ this
++
++ root:10/1h,20/1d
++
++ which means 'block the user root if they are responsible for ten or more
++ failed attempts in the last hour or twenty or more failed attempts in the
++ last day.
++
++ Multiple rules can be provided separated by spaces like this
++
++ *:10/1h root:5/1h,10/1d
++
++ in which case all rules that match a particular user and service will be
++ checked. The user or host will be blocked if any of the rule triggers
++ matches. The sense of the user matching can be inverted by placing a '!' in
++ front of the rule so that
++
++ !root:20/1d
++
++ is a rule which would match for all users apart from root. It is important
++ to treat root as a special case in the user_rule otherwise excessive
++ attempts to authenticate as root will result in the root account being
++ locked out even for valid holders of root credentials.
++
++ Here is the full syntax for rules:
++
++ word ::= /[^\s\|\/\*]+/
++ name ::= word | '*'
++ username ::= name
++ servicename ::= name
++ userservice ::= username
++ | username '/' servicename
++ namelist ::= userservice
++ | userservice '|' namelist
++ userspec ::= namelist
++ | '!' namelist
++ multiplier ::= 's' | 'm' | 'h' | 'd'
++ number ::= /\d+/
++ period ::= number
++ | number multiplier
++ trigger ::= number '/' period
++ triglist ::= trigger
++ | trigger ',' triglist
++ userclause ::= userspec ':' triglist
++ rule ::= userclause
++ | userclause /\s+/ rule
++
++Examples/suggested usage:
++
++ Sample PAM config fragment:
++
++ auth required pam_env.so
++ auth required pam_abl.so config=/etc/security/pam_abl.conf
++ auth sufficient pam_unix.so try_first_pass nullok
++ auth required pam_deny.so
++
++ Sample /etc/security/pam_abl.conf:
++
++ # /etc/security/pam_abl.conf
++ debug
++ host_db=/var/lib/abl/hosts.db
++ host_purge=2d
++ host_rule=*:10/1h,30/1d
++ user_db=/var/lib/abl/users.db
++ user_purge=2d
++ user_rule=!root:10/1h,30/1d
+--- pam_abl/conf/system-auth 2006-06-17 20:02:05.000000000 +0200
++++ pam_abl/conf/system-auth.rsc 2006-06-17 20:07:49.000000000 +0200
+@@ -1,15 +1,14 @@
+ #%PAM-1.0
+-auth required /lib/security/$ISA/pam_env.so
+-auth required /lib/security/$ISA/pam_abl.so config=/etc/security/pam_abl.conf
+-auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
+-auth required /lib/security/$ISA/pam_deny.so
++auth required pam_env.so
++auth required pam_abl.so config=/etc/security/pam_abl.conf
++auth sufficient pam_unix.so try_first_pass nullok
++auth required pam_deny.so
+
+-account required /lib/security/$ISA/pam_unix.so
++account required pam_unix.so
+
+-password required /lib/security/$ISA/pam_cracklib.so retry=3 type=
+-password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
+-password required /lib/security/$ISA/pam_deny.so
++password required pam_cracklib.so try_first_pass retry=3
++password sufficient pam_unix.so try_first_pass use_authtok nullok md5 shadow
++password required pam_deny.so
+
+-session required /lib/security/$ISA/pam_limits.so
+-session required /lib/security/$ISA/pam_abl.so
+-session required /lib/security/$ISA/pam_unix.so
++session required pam_limits.so
++session required pam_unix.so
+--- pam_abl/doc/index.html 2005-10-12 21:22:27.000000000 +0200
++++ pam_abl/doc/index.html.rsc 2006-06-17 20:23:22.000000000 +0200
+@@ -171,10 +171,10 @@
+ <p>Typically pam_abl.so is added to the auth stack as a required module just before whatever modules actually peform authentication. Here's a fragment of the PAM config for a production server that is running pam_abl:</p>
+
+ <table class="config">
+- <tr><td>auth</td><td>required</td><td>/lib/security/pam_env.so</td></tr>
+- <tr><td>auth</td><td>required</td><td>/lib/security/pam_abl.so config=/etc/security/pam_abl.conf</td></tr>
+- <tr><td>auth</td><td>sufficient</td><td>/lib/security/pam_unix.so likeauth nullok</td></tr>
+- <tr><td>auth</td><td>required</td><td>/lib/security/pam_deny.so</td></tr>
++ <tr><td>auth</td><td>required</td><td>pam_env.so</td></tr>
++ <tr><td>auth</td><td>required</td><td>pam_abl.so config=/etc/security/pam_abl.conf</td></tr>
++ <tr><td>auth</td><td>sufficient</td><td>pam_unix.so try_first_pass nullok</td></tr>
++ <tr><td>auth</td><td>required</td><td>pam_deny.so</td></tr>
+ </table>
+
+ <p>Although all of accepted arguments can be supplied here they will usually be placed in a separate config file and linked to using the config argument as in the above example. The <a href="pam_abl.html">pam_abl command line tool</a> reads the external config file (/etc/security/pam_abl.conf in this case) to find the databases so in order for it work correctly an external config should be used.</p>
+@@ -282,10 +282,10 @@
+ <p>Sample PAM config fragment:</p>
+
+ <table class="config">
+- <tr><td>auth</td><td>required</td><td>/lib/security/pam_env.so</td></tr>
+- <tr><td>auth</td><td>required</td><td>/lib/security/pam_abl.so config=/etc/security/pam_abl.conf</td></tr>
+- <tr><td>auth</td><td>sufficient</td><td>/lib/security/pam_unix.so likeauth nullok</td></tr>
+- <tr><td>auth</td><td>required</td><td>/lib/security/pam_deny.so</td></tr>
++ <tr><td>auth</td><td>required</td><td>pam_env.so</td></tr>
++ <tr><td>auth</td><td>required</td><td>pam_abl.so config=/etc/security/pam_abl.conf</td></tr>
++ <tr><td>auth</td><td>sufficient</td><td>pam_unix.so try_first_pass nullok</td></tr>
++ <tr><td>auth</td><td>required</td><td>pam_deny.so</td></tr>
+ </table>
+
+ <p>Sample /etc/security/pam_abl.conf:</p>
+--- pam_abl/QUICKSTART 1970-01-01 01:00:00.000000000 +0100
++++ pam_abl/QUICKSTART.rsc 2006-06-17 20:34:27.000000000 +0200
+@@ -0,0 +1,23 @@
++QUICKSTART GUIDE
++
++------------------------------------------------------------------------
++Any time changes to the PAM configuration are done by hand, they have
++to be done with great care to avoid disabling system access by accident.
++------------------------------------------------------------------------
++
++To activate the use of pam_abl.so you need to add a PAM rule like
++
++ auth required pam_abl.so config=/etc/security/pam_abl.conf
++
++i.e. in /etc/pam.d/system-auth. Doing so please be aware that
++/etc/pam.d/system-auth is auto-generated at e.g. Fedora Core and Red
++Hat Enterprise Linux systems and that user changes will be destroyed
++the next time authconfig is run, thus this step has to be redone.
++
++You are able to customize the pam_abl.so behaviour by editing
++/etc/security/pam_abl.conf. For detailed instructions please read
++the application's page online at
++
++ http://www.hexten.net/sw/pam_abl/doc/index.html
++
++or have a look to the index.html and pam_abl.html documentation.
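Review bot: The strict-aliasing change in the nested pam_abl.c hunks, `(const void **) (const void*) &rhost` and the same double cast for `user` and `service`, only silences the warning: `&rhost` is still a `const char **` being written through as a `const void **`, so the aliasing violation the compiler pointed at is unchanged. The usual fix at each call site is an intermediate object, `const void *item; err = pam_get_item(args->pamh, PAM_RHOST, &item); rhost = item;`, which is also what the warning is asking for. Separately, the man page example `$ pam_abl -v --okhost=*.example.com --okhost=*.somewhere.com` leaves the globs unquoted, so a shell expands them against the current directory before pam_abl sees them; quote them as `--okhost='*.example.com'`. The `Security rating:` field in the new CONFIGURATION text is left empty and should either be filled in from upstream's HTML or dropped.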
Added: trunk/rpms/pam_abl/pam_abl.spec
===================================================================
--- trunk/rpms/pam_abl/pam_abl.spec (rev 0)
+++ trunk/rpms/pam_abl/pam_abl.spec 2007-01-15 07:49:10 UTC (rev 5075)
@@ -0,0 +1,60 @@
+# $Id$
+# Authority: dag
+
+%define _libdir /%{_lib}
+
+Summary: PAM module for auto blacklisting
+Name: pam_abl
+Version: 0.2.3
+Release: 1
+License: GPL
+Group: System Environment/Base
+URL: http://www.hexten.net/sw/pam_abl/
+
+Source: http://dl.sf.net/sourceforge/pam-abl/pam_abl-%{version}.tar.gz
+Patch: pam_abl-0.2.3-fixes.patch
+BuildRequires: pam-devel, db4-devel
+BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
+
+%description
+Provides auto blacklisting of hosts and users responsible for repeated failed
+authentication attempts. Generally configured so that blacklisted users still
+see normal login prompts but are guaranteed to fail to authenticate.
+
+A command line tool allows to query or purge the databases used by the pam_abl
+module.
+
+%prep
+%setup -n %{name}
+%patch0 -p1
+
+%build
+%{__make} %{?_smp_mflags}
+
+%install
+%{__rm} -rf %{buildroot}
+%{__install} -Dp -m0755 pam_abl.so %{buildroot}%{_libdir}/security/pam_abl.so
+%{__install} -Dp -m0644 conf/pam_abl.conf %{buildroot}%{_sysconfdir}/security/pam_abl.conf
+%{__install} -Dp -m0755 tools/pam_abl %{buildroot}%{_sbindir}/pam_abl
+%{__install} -Dp -m0644 doc/pam_abl.1 %{buildroot}%{_mandir}/man1/pam_abl.1
+%{__install} -d -m0755 %{buildroot}%{_localstatedir}/lib/abl/
+
+### Clean up docdir
+%{__rm} -rf doc/{CVS,._pam_abl.html,pam_abl.1}
+
+%clean
+%{__rm} -rf %{buildroot}
+
+%files
+%defattr(-, root, root, 0755)
+%doc AUTHORS CONFIGURATION COPYING Copyright NEWS QUICKSTART THANKS
+%doc conf/system-auth doc/
+%doc %{_mandir}/man1/pam_abl.1*
+%config(noreplace) %{_sysconfdir}/security/pam_abl.conf
+%{_libdir}/security/pam_abl.so
+%dir %{_localstatedir}/lib/abl/
+%{_sbindir}/pam_abl
+
+%changelog
+* Mon Jan 15 2007 Dag Wieers <dag at wieers.com> - 0.2.3-1
+- Initial package. (using DAR)
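Review bot: `%dir %{_localstatedir}/lib/abl/` inherits `%defattr(-, root, root, 0755)`, and `%install` also creates it with `-m0755`, so the directory that will hold hosts.db and users.db is world-readable and listable. Those databases record the user names and remote hosts behind failed logins (and whatever was typed at a username prompt by mistake), the CONFIGURATION text says the module only acts when called as root, and the `pam_abl` tool is installed under %{_sbindir}, so nothing unprivileged needs to read them. Tighten it to `%{__install} -d -m0700 %{buildroot}%{_localstatedir}/lib/abl/` in %install and `%dir %attr(0700, root, root) %{_localstatedir}/lib/abl/` in %files. Whether the module itself creates the .db files with a restrictive mode is not visible here, so the directory mode is the layer this package controls.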
Property changes on: trunk/rpms/pam_abl/pam_abl.spec
___________________________________________________________________
Name: svn:keywords
+ Id Revision
Name: svn:eol-style
+ native
Added: trunk/rpms/pam_ssh/pam_ssh-1.91-getpwnam.patch
===================================================================
--- trunk/rpms/pam_ssh/pam_ssh-1.91-getpwnam.patch (rev 0)
+++ trunk/rpms/pam_ssh/pam_ssh-1.91-getpwnam.patch 2007-01-15 07:49:10 UTC (rev 5075)
@@ -0,0 +1,70 @@
+diff -Nrbu pam_ssh-1.91/pam_ssh.c pam_ssh-1.91-OK/pam_ssh.c
+--- pam_ssh-1.91/pam_ssh.c 2004-04-12 17:55:08.000000000 +0400
++++ pam_ssh-1.91-OK/pam_ssh.c 2004-10-04 18:45:43.000000000 +0400
+@@ -350,7 +350,6 @@
+ #endif
+ const char *pass; /* passphrase */
+ const struct passwd *pwent; /* user's passwd entry */
+- struct passwd *pwent_keep; /* our own copy */
+ int retval; /* from calls */
+ const char *user; /* username */
+
+@@ -461,22 +460,6 @@
+ return PAM_AUTH_ERR;
+ }
+
+- /* copy the passwd entry (in case successive calls are made) and
+- save it for the session phase */
+-
+- if (!(pwent_keep = malloc(sizeof *pwent))) {
+- pam_ssh_log(LOG_CRIT, "out of memory");
+- openpam_restore_cred(pamh);
+- return PAM_SERVICE_ERR;
+- }
+- memcpy(pwent_keep, pwent, sizeof *pwent_keep);
+- if ((retval = pam_set_data(pamh, "ssh_passwd_entry", pwent_keep,
+- ssh_cleanup)) != PAM_SUCCESS) {
+- free(pwent_keep);
+- openpam_restore_cred(pamh);
+- return retval;
+- }
+-
+ openpam_restore_cred(pamh);
+ return PAM_SUCCESS;
+ }
+@@ -515,14 +498,16 @@
+ int start_agent; /* start agent? */
+ const char *tty_raw; /* raw tty or display name */
+ char *tty_nodir; /* tty without / chars */
++ const char *user; /* username */
+
+ log_init(MODULE_NAME, SYSLOG_LEVEL_ERROR, SYSLOG_FACILITY_AUTHPRIV, 0);
+
+ /* dump output of ssh-agent in ~/.ssh */
+- if ((retval = pam_get_data(pamh, "ssh_passwd_entry",
+- (const void **)(void *)&pwent))
+- != PAM_SUCCESS)
++ if ((retval = pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS)
+ return retval;
++ if (!(user && (pwent = getpwnam(user)) && pwent->pw_dir &&
++ *pwent->pw_dir))
++ return PAM_AUTH_ERR;
+
+ retval = openpam_borrow_cred(pamh, pwent);
+ if (retval != PAM_SUCCESS && retval != PAM_PERM_DENIED) {
+@@ -842,10 +827,13 @@
+ const char *ssh_agent_pid; /* ssh-agent pid string */
+ const struct passwd *pwent; /* user's passwd entry */
+ struct stat sb; /* to check st_nlink */
++ const char *user; /* username */
+
+- if ((retval = pam_get_data(pamh, "ssh_passwd_entry",
+- (const void **)(void *)&pwent)) != PAM_SUCCESS)
++ if ((retval = pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS)
+ return retval;
++ if (!(user && (pwent = getpwnam(user)) && pwent->pw_dir &&
++ *pwent->pw_dir))
++ return PAM_AUTH_ERR;
+
+ retval = openpam_borrow_cred(pamh, pwent);
+ if (retval != PAM_SUCCESS && retval != PAM_PERM_DENIED) {
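Review bot: The new lookups in pam_sm_open_session and pam_sm_close_session keep `pwent = getpwnam(user)`, a pointer into libc's static passwd buffer, for the rest of each function; it is handed to `openpam_borrow_cred` on the next line and used past the hunk. Any later NSS call in the process can overwrite that buffer, which is exactly why the removed auth-phase code took a `memcpy` copy "in case successive calls are made", so pw_dir and pw_name may change under the module. Use `getpwnam_r` into a function-local `struct passwd` plus string buffer instead, as below. Also, `return PAM_AUTH_ERR` from a session hook is the wrong code family; `PAM_SESSION_ERR` (or `PAM_USER_UNKNOWN` when the lookup itself fails) is what session callers expect. Both functions begin before the hunk, so the new declarations belong with the other locals at the top.
```c
	const char *user;			/* username */
	struct passwd pw_buf, *pw_res;		/* our own copy of the passwd entry */
	char pw_str[1024];			/* size per sysconf(_SC_GETPW_R_SIZE_MAX) if entries can be larger */

	/* … unchanged: log_init … */
	if ((retval = pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS)
		return retval;
	/* getpwnam() returns static storage that a later NSS call may reuse */
	if (user == NULL ||
	    getpwnam_r(user, &pw_buf, pw_str, sizeof pw_str, &pw_res) != 0 ||
	    pw_res == NULL || pw_res->pw_dir == NULL || *pw_res->pw_dir == '\0')
		return PAM_SESSION_ERR;
	pwent = &pw_buf;
```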
Added: trunk/rpms/pam_ssh/pam_ssh-1.91-include_md5.diff
===================================================================
--- trunk/rpms/pam_ssh/pam_ssh-1.91-include_md5.diff (rev 0)
+++ trunk/rpms/pam_ssh/pam_ssh-1.91-include_md5.diff 2007-01-15 07:49:10 UTC (rev 5075)
@@ -0,0 +1,13 @@
+diff -u pam_ssh-1.91-orig/cipher.c pam_ssh-1.91/cipher.c
+--- pam_ssh-1.91-orig/cipher.c 2004-02-19 19:58:20.000000000 +0100
++++ pam_ssh-1.91/cipher.c 2005-11-13 20:13:20.000000000 +0100
+@@ -39,6 +39,7 @@
+ #include <string.h>
+
+ #include <openssl/evp.h>
++#include <openssl/md5.h>
+
+ #include <config.h>
+ #include "cipher.h"
+Les sous-répertoires pam_ssh-1.91-orig/.deps et pam_ssh-1.91/.deps sont identiques.
+Les sous-répertoires pam_ssh-1.91-orig/.libs et pam_ssh-1.91/.libs sont identiques.
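Review bot: The two trailing lines `Les sous-répertoires ... sont identiques.` are diff(1)'s localized "subdirectories are identical" chatter from running the comparison over an already built tree (`.deps` and `.libs` present), not part of the patch. `patch` skips them as garbage, so the build is unaffected, but they carry the maintainer's locale and a dirty source tree into the package; regenerate the diff from a clean, unbuilt copy or drop the two lines.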
Added: trunk/rpms/pam_ssh/pam_ssh-1.91-include_syslog.diff
===================================================================
--- trunk/rpms/pam_ssh/pam_ssh-1.91-include_syslog.diff (rev 0)
+++ trunk/rpms/pam_ssh/pam_ssh-1.91-include_syslog.diff 2007-01-15 07:49:10 UTC (rev 5075)
@@ -0,0 +1,10 @@
+--- pam_ssh-1.91/pam_ssh.c 2004-04-12 15:55:08.000000000 +0200
++++ pam_ssh-1.91-pat/pam_ssh.c 2005-12-22 10:37:21.000000000 +0100
+@@ -63,6 +63,7 @@
+ #include <string.h>
+ #include <sysexits.h>
+ #include <unistd.h>
++#include <syslog.h>
+
+ #define PAM_SM_AUTH
+ #define PAM_SM_SESSION
Added: trunk/rpms/pam_ssh/pam_ssh-1.91-man_agent_files.diff
===================================================================
--- trunk/rpms/pam_ssh/pam_ssh-1.91-man_agent_files.diff (rev 0)
+++ trunk/rpms/pam_ssh/pam_ssh-1.91-man_agent_files.diff 2007-01-15 07:49:10 UTC (rev 5075)
@@ -0,0 +1,13 @@
+--- ./pam_ssh.8.old 2005-08-16 18:32:35.000000000 +0200
++++ pam_ssh.8 2005-08-17 09:13:19.000000000 +0200
+@@ -146,6 +146,10 @@
+ SSH2 RSA keys
+ .It Pa $HOME/.ssh2/id_dsa_*
+ SSH2 DSA keys
++.It Pa /var/run/pam_ssh/<user>*
++ssh-agent environment information. The files are owned by the superuser but
++readable by the users. The location is Fedora specific, in the original package
++these files are in $HOME/.ssh/agent-*
+ .El
+ .Sh SEE ALSO
+ .Xr ssh-agent 1 ,
Added: trunk/rpms/pam_ssh/pam_ssh-1.91-var_run.patch
===================================================================
--- trunk/rpms/pam_ssh/pam_ssh-1.91-var_run.patch (rev 0)
+++ trunk/rpms/pam_ssh/pam_ssh-1.91-var_run.patch 2007-01-15 07:49:10 UTC (rev 5075)
@@ -0,0 +1,110 @@
+diff -Nrbu pam_ssh-1.91/pam_ssh.c pam_ssh-1.91-OK/pam_ssh.c
+--- pam_ssh-1.91/pam_ssh.c 2005-08-16 19:22:54.000000000 +0400
++++ pam_ssh-1.91-OK/pam_ssh.c 2005-08-16 19:22:03.000000000 +0400
+@@ -109,6 +109,7 @@
+ #define PAM_OPT_BLANK_PASSPHRASE_NAME "allow_blank_passphrase"
+ #define SEP_KEYFILES ","
+ #define SSH_CLIENT_DIR ".ssh"
++#define STATE_DIR "/var/run/" MODULE_NAME
+
+ enum {
+ #if HAVE_OPENPAM || HAVE_PAM_STRUCT_OPTIONS || !HAVE_PAM_STD_OPTION
+@@ -489,7 +490,6 @@
+ char env_string[BUFSIZ]; /* environment string */
+ char *env_value; /* envariable value */
+ int env_write; /* env file descriptor */
+- char hname[MAXHOSTNAMELEN]; /* local hostname */
+ int no_link; /* link per-agent file? */
+ char *per_agent; /* to store env */
+ char *per_session; /* per-session filename */
+@@ -502,7 +502,6 @@
+
+ log_init(MODULE_NAME, SYSLOG_LEVEL_ERROR, SYSLOG_FACILITY_AUTHPRIV, 0);
+
+- /* dump output of ssh-agent in ~/.ssh */
+ if ((retval = pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS)
+ return retval;
+ if (!(user && (pwent = getpwnam(user)) && pwent->pw_dir &&
+@@ -521,17 +520,16 @@
+ * Technique: Create an environment file containing
+ * information about the agent. Only one file is created, but
+ * it may be given many names. One name is given for the
+- * agent itself, agent-<host>. Another name is given for each
+- * session, agent-<host>-<display> or agent-<host>-<tty>. We
++ * agent itself, /var/run/pam_ssh/<user>. Another name is given
++ * for each session, <user>-<display> or <user>-<tty>. We
+ * delete the per-session filename on session close, and when
+ * the link count goes to unity on the per-agent file, we
+ * delete the file and kill the agent.
+ */
+
+- /* the per-agent file contains just the hostname */
++ /* the per-agent file contains just the username */
+
+- gethostname(hname, sizeof hname);
+- if (asprintf(&per_agent, "%s/.ssh/agent-%s", pwent->pw_dir, hname)
++ if (asprintf(&per_agent, STATE_DIR "/%s", pwent->pw_name)
+ == -1) {
+ pam_ssh_log(LOG_CRIT, "out of memory");
+ openpam_restore_cred(pamh);
+@@ -555,9 +553,14 @@
+
+ env_write = child_pid = no_link = start_agent = 0;
+ env_read = NULL;
+- if ((env_write = open(per_agent, O_CREAT | O_EXCL | O_WRONLY, S_IRUSR))
+- < 0 && !(env_read = fopen(per_agent, "r")))
++
++ openpam_restore_cred(pamh);
++ if ((env_write = open(per_agent, O_CREAT | O_EXCL | O_WRONLY,
++ S_IRUSR | S_IRGRP | S_IROTH)) < 0 &&
++ !(env_read = fopen(per_agent, "r")))
+ no_link = 1;
++ openpam_borrow_cred(pamh, pwent);
++
+ if (!env_read) {
+ start_agent = 1;
+ if (pipe(child_pipe) < 0) {
+@@ -790,7 +793,7 @@
+ for (cp = tty_nodir; (cp = strchr(cp, '/')); )
+ *cp = '_';
+
+- if (asprintf(&per_session, "%s/.ssh/agent-%s-%s", pwent->pw_dir, hname,
++ if (asprintf(&per_session, STATE_DIR "/%s-%s", pwent->pw_name,
+ tty_nodir) == -1) {
+ pam_ssh_log(LOG_CRIT, "out of memory");
+ free(tty_nodir);
+@@ -809,10 +812,10 @@
+ return retval;
+ }
+
++ openpam_restore_cred(pamh);
+ unlink(per_session); /* remove cruft */
+ link(per_agent, per_session);
+
+- openpam_restore_cred(pamh);
+ return PAM_SUCCESS;
+ }
+
+@@ -842,8 +845,11 @@
+ }
+
+ if (pam_get_data(pamh, "ssh_agent_env_session",
+- (const void **)(void *)&env_file) == PAM_SUCCESS && env_file)
++ (const void **)(void *)&env_file) == PAM_SUCCESS && env_file) {
++ openpam_restore_cred(pamh);
+ unlink(env_file);
++ openpam_borrow_cred(pamh, pwent);
++ }
+
+ /* Retrieve per-agent filename and check link count. If it's
+ greater than unity, other sessions are still using this
+@@ -858,7 +864,9 @@
+ openpam_restore_cred(pamh);
+ return PAM_SUCCESS;
+ }
++ openpam_restore_cred(pamh);
+ unlink(env_file);
++ openpam_borrow_cred(pamh, pwent);
+ }
+ }
+
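Review bot: The re-borrow `openpam_borrow_cred(pamh, pwent);` added after the open() (and the two on the unlink paths in the session-close hunk) ignores its return value, so if switching back to the user's credentials fails the module silently continues as root, and on the open path that is right before `start_agent = 1`, after which the ssh-agent is presumably spawned further down in the session-open function, which starts and ends outside this hunk. It should be handled the way the original borrow earlier in the function appears to be: `if (openpam_borrow_cred(pamh, pwent) != PAM_SUCCESS) { pam_ssh_log(LOG_CRIT, "cannot drop privileges"); return PAM_SERVICE_ERR; }` (closing env_write first). Separately, the per-agent file is now created by root with `S_IRUSR | S_IRGRP | S_IROTH`, so the "information about the agent" it holds is readable by every local user, which is more exposure than the old `S_IRUSR` file under ~/.ssh; unless something outside the module really reads it directly (the man-page patch in this commit says "readable by the users"), creating it 0400 and `fchown()`ing it to `pwent->pw_uid` before the borrow keeps the same functionality with less disclosure. Either way a comment on the open() explaining why the create and the link()/unlink() now run with root credentials (the state directory is root-owned, so users cannot plant entries there) would help the next reader.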
Added: trunk/rpms/pam_ssh/pam_ssh.spec
===================================================================
--- trunk/rpms/pam_ssh/pam_ssh.spec (rev 0)
+++ trunk/rpms/pam_ssh/pam_ssh.spec 2007-01-15 07:49:10 UTC (rev 5075)
@@ -0,0 +1,64 @@
+# $Id$
+# Authority: dag
+
+%define _libdir /%{_lib}
+
+Summary: PAM module for use with SSH keys and ssh-agent
+Name: pam_ssh
+Version: 1.91
+Release: 1
+License: BSD
+Group: System Environment/Base
+URL: http://sourceforge.net/projects/pam-ssh/
+
+Source: http://dl.sf.net/sourceforge/pam-ssh/pam_ssh-%{version}.tar.bz2
+Patch0: pam_ssh-1.91-getpwnam.patch
+Patch1: pam_ssh-1.91-var_run.patch
+Patch2: pam_ssh-1.91-man_agent_files.diff
+Patch3: pam_ssh-1.91-include_md5.diff
+Patch4: pam_ssh-1.91-include_syslog.diff
+BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
+
+Requires: openssh-clients
+BuildRequires: pam-devel, openssh-clients, openssl-devel
+
+%description
+This PAM module provides single sign-on behavior for UNIX using SSH keys.
+Users are authenticated by decrypting their SSH private keys with the
+password provided. In the first PAM login session phase, an ssh-agent
+process is started and keys are added. The same agent is used for the
+following PAM sessions. In any case the appropriate environment variables
+are set in the session phase.
+
+%prep
+%setup
+%patch0 -p1
+%patch1 -p1
+%patch2 -p0
+%patch3 -p1
+%patch4 -p1
+
+%build
+%configure --with-pam-dir="%{_libdir}/security/"
+%{__make} %{?_smp_mflags}
+
+%install
+%{__rm} -rf %{buildroot}
+%{__make} install DESTDIR="%{buildroot}"
+
+%{__install} -d -m0755 %{buildroot}%{_localstatedir}/run/pam_ssh/
+
+%clean
+%{__rm} -rf %{buildroot}
+
+%files
+%defattr(-, root, root, 0755)
+%doc AUTHORS ChangeLog COPYING NEWS README TODO
+%doc %{_mandir}/man8/pam_ssh.8*
+%exclude %{_libdir}/security/pam_ssh.la
+%{_libdir}/security/pam_ssh.so
+%dir %{_localstatedir}/run/pam_ssh/
+
+%changelog
+* Mon Jan 15 2007 Dag Wieers <dag at wieers.com> - 1.91-1
+- Initial package. (using DAR)
Property changes on: trunk/rpms/pam_ssh/pam_ssh.spec
___________________________________________________________________
Name: svn:keywords
+ Id Revision
Name: svn:eol-style
+ native
Modified: trunk/rpms/regionset/regionset.spec
===================================================================
--- trunk/rpms/regionset/regionset.spec 2007-01-15 06:39:36 UTC (rev 5074)
+++ trunk/rpms/regionset/regionset.spec 2007-01-15 07:49:10 UTC (rev 5075)
@@ -35,8 +35,5 @@
%{_sbindir}/regionset
%changelog
-* Sat Apr 08 2006 Dries Verachtert <dries at ulyssis.org> - 0.1-1.2
-- Rebuild for Fedora Core 5.
-
* Fri Mar 11 2005 Dag Wieers <dag at wieers.com> - 0.1-1
- Initial package. (using DAR)
Modified: trunk/rpms/varconf/varconf.spec
===================================================================
--- trunk/rpms/varconf/varconf.spec 2007-01-15 06:39:36 UTC (rev 5074)
+++ trunk/rpms/varconf/varconf.spec 2007-01-15 07:49:10 UTC (rev 5075)
@@ -39,36 +39,30 @@
%install
%{__rm} -rf %{buildroot}
-%makeinstall
+%{__make} install DESTDIR="%{buildroot}"
-%post
-/sbin/ldconfig 2>/dev/null
+%post -p /sbin/ldconfig
+%postun -p /sbin/ldconfig
-%postun
-/sbin/ldconfig 2>/dev/null
-
%clean
%{__rm} -rf %{buildroot}
%files
%defattr(-, root, root, 0755)
%doc AUTHORS ChangeLog COPYING INSTALL NEWS README THANKS TODO
-%{_libdir}/libvarconf*.so.*
+%{_libdir}/libvarconf-1.0.so.*
%files devel
%defattr(-, root, root, 0755)
-%{_includedir}/varconf-*/
-%{_libdir}/libvarconf*.so
-%exclude %{_libdir}/*.la
-%{_libdir}/pkgconfig/varconf*.pc
+%{_includedir}/varconf-1.0/
+%{_libdir}/libvarconf-1.0.so
+%exclude %{_libdir}/libvarconf-1.0.la
+%{_libdir}/pkgconfig/varconf-1.0.pc
%changelog
* Sun Jan 14 2007 Dries Verachtert <dries at ulyssis.org> - 0.6.5-1
- Updated to release 0.6.5.
-* Sat Apr 08 2006 Dries Verachtert <dries at ulyssis.org> - 0.6.4-1.2
-- Rebuild for Fedora Core 5.
-
* Mon Jan 16 2006 Dries Verachtert <dries at ulyssis.org> - 0.6.4-1
- Updated to release 0.6.4.
Modified: trunk/rpms/vnstat/vnstat.spec
===================================================================
--- trunk/rpms/vnstat/vnstat.spec 2007-01-15 06:39:36 UTC (rev 5074)
+++ trunk/rpms/vnstat/vnstat.spec 2007-01-15 07:49:10 UTC (rev 5075)
@@ -78,9 +78,6 @@
%{_localstatedir}/lib/vnstat/
%changelog
-* Sat Apr 08 2006 Dries Verachtert <dries at ulyssis.org> - 1.4-3.2
-- Rebuild for Fedora Core 5.
-
* Sat Jul 23 2005 Dag Wieers <dag at wieers.com> - 1.4-3
- Fixed permissions of /etc/cron.d/vnstat. (Alexander Dalloz)