diff options
| author |   Mikle Kolyada <zlogene@gentoo.org> | 2020-06-10 14:32:46 +0300 |
|---|---|---|
| committer | Mikle Kolyada <zlogene@gentoo.org> | 2020-06-10 14:32:46 +0300 |
| commit | 7348fa57c7ada42820773f8c8b6f06f7181169ee (patch) | |
| tree | 51e168efc9bcbdffbae4145aef5d52c82cc77f26 | |
| parent | allow clang-cpp (diff) | |
| download | pambase-7348fa57c7ada42820773f8c8b6f06f7181169ee.tar.gz pambase-7348fa57c7ada42820773f8c8b6f06f7181169ee.tar.bz2 pambase-7348fa57c7ada42820773f8c8b6f06f7181169ee.zip | |
New release
- disable cracklib in favor of passwdqc
- disable tally{,2} in favor of faillock
Signed-off-by: Mikle Kolyada <zlogene@gentoo.org>
| -rw-r--r-- | Makefile | 4 | ||||
| -rw-r--r-- | basic-conf | 4 | ||||
| -rw-r--r-- | linux-pam-conf | 7 | ||||
| -rw-r--r-- | system-auth.in | 3 | ||||
| -rw-r--r-- | system-login.in | 8 |
5 files changed, 7 insertions, 19 deletions
@@ -11,10 +11,6 @@ GIT=git PAMFLAGS = -include linux-pam-conf -include basic-conf -DLINUX_PAM_VERSION=$(LINUX_PAM_VERSION) -ifeq "$(CRACKLIB)" "yes" -PAMFLAGS += -DHAVE_CRACKLIB=1 -endif - ifeq "$(PASSWDQC)" "yes" PAMFLAGS += -DHAVE_PASSWDQC=1 endif @@ -1,8 +1,8 @@ -// Only use_authtok (authentication token) when using cracklib or some other module +// Only use_authtok (authentication token) when using passwdqc or some other module // that checks for passwords, or pam_krb5 #define AUTHTOK use_authtok -#if HAVE_CRACKLIB || HAVE_PASSWDQC +#if HAVE_PASSWDQC # define PASSWORD_STRENGTH 1 #endif diff --git a/linux-pam-conf b/linux-pam-conf index ecd5697..962b2eb 100644 --- a/linux-pam-conf +++ b/linux-pam-conf @@ -12,12 +12,7 @@ # define HAVE_MOTD 1 # define HAVE_MAIL 1 # define HAVE_LASTLOG 1 - -# if LINUX_PAM_VERSION > 0x010100 /* 1.1.0 */ -# define TALLY_MODULE pam_tally2.so -# else -# define TALLY_MODULE pam_tally.so -# endif +# define HAVE_FAILLOCK 1 #endif diff --git a/system-auth.in b/system-auth.in index e65e4c2..dbb6971 100644 --- a/system-auth.in +++ b/system-auth.in @@ -18,9 +18,6 @@ account required pam_unix.so DEBUG /* This is needed to make sure that the Kerberos skip-on-success won't cause a bad jump. */ account optional pam_permit.so -#if HAVE_CRACKLIB -password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3 DEBUG -#endif #if HAVE_PASSWDQC password required pam_passwdqc.so min=8,8,8,8,8 retry=3 #endif diff --git a/system-login.in b/system-login.in index f159f10..d93d926 100644 --- a/system-login.in +++ b/system-login.in @@ -1,5 +1,5 @@ -#if defined(TALLY_MODULE) -auth required TALLY_MODULE onerr=succeed +#if HAVE_FAILLOCK +auth required pam_faillock.so dir=/var/log deny=3 #endif #if HAVE_SHELLS auth required pam_shells.so DEBUG @@ -19,8 +19,8 @@ account required pam_login_access.so account required pam_nologin.so DEBUG_NOLOGIN #endif account include system-auth -#if defined(TALLY_MODULE) -account required TALLY_MODULE onerr=succeed DEBUG +#if HAVE_FAILLOCK +account required pam_faillock.so dir=/var/log deny=3 #endif password include system-auth |