[kbd/f19] Fix vlock doesn't perform PAM account management or credential reinitialization
vcrhonek
vcrhonek at fedoraproject.org
Wed Nov 27 10:42:26 UTC 2013
commit 89f42700a3148adc8186e1baded46f84c3430b73
Author: Vitezslav Crhonek <vcrhonek at redhat.com>
Date: Wed Nov 27 11:42:11 2013 +0100
Fix vlock doesn't perform PAM account management or credential reinitialization
kbd-1.15.5-vlock-more-pam.patch | 61 +++++++++++++++++++++++++++++++++++++++
kbd.spec | 10 ++++++-
2 files changed, 70 insertions(+), 1 deletions(-)
---
diff --git a/kbd-1.15.5-vlock-more-pam.patch b/kbd-1.15.5-vlock-more-pam.patch
new file mode 100644
index 0000000..ba34255
--- /dev/null
+++ b/kbd-1.15.5-vlock-more-pam.patch
@@ -0,0 +1,61 @@
+--- a/src/vlock/auth.c
++++ b/src/vlock/auth.c
+@@ -4,7 +4,7 @@
+ PAM authentication routine for vlock, the VT locking program for linux.
+
+ Copyright (C) 1994-1998 Michael K. Johnson <johnsonm at redhat.com>
+- Copyright (C) 2002, 2005 Dmitry V. Levin <ldv at altlinux.org>
++ Copyright (C) 2002, 2005, 2013 Dmitry V. Levin <ldv at altlinux.org>
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+@@ -36,6 +36,25 @@
+ /* Unrecognized PAM error timeout. */
+ #define ERROR_TIMEOUT 10
+
++static int
++do_account_password_management (pam_handle_t *pamh)
++{
++ int rc;
++
++ /* Whether the authenticated user is allowed to log in? */
++ rc = pam_acct_mgmt (pamh, 0);
++
++ /* Do we need to prompt the user for a new password? */
++ if (rc == PAM_NEW_AUTHTOK_REQD)
++ rc = pam_chauthtok (pamh, PAM_CHANGE_EXPIRED_AUTHTOK);
++
++ /* Extend the lifetime of the existing credentials. */
++ if (rc == PAM_SUCCESS)
++ rc = pam_setcred (pamh, PAM_REFRESH_CRED);
++
++ return rc;
++}
++
+ int
+ get_password (pam_handle_t * pamh, const char *username, const char *tty)
+ {
+@@ -84,6 +103,23 @@ get_password (pam_handle_t * pamh, const char *username, const char *tty)
+ switch (rc)
+ {
+ case PAM_SUCCESS:
++ rc = do_account_password_management (pamh);
++
++ if (rc != PAM_SUCCESS)
++ {
++ /*
++ * The user was authenticated but
++ * either account or password management
++ * returned an error.
++ */
++ printf ("%s.\n\n\n",
++ pam_strerror (pamh, rc));
++ fflush (stdout);
++ pam_end (pamh, rc);
++ pamh = 0;
++ break;
++ }
++
+ pam_end (pamh, rc);
+ /* Log the fact of console unlocking. */
+ syslog (LOG_NOTICE,
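Review bot: The new failure branch under `case PAM_SUCCESS:` in get_password reports the account or password management error only on the locked terminal, so vlock itself records nothing when a correct password is then rejected by `pam_acct_mgmt`, `pam_chauthtok` or `pam_setcred`, whereas the success path just below is logged with `syslog (LOG_NOTICE, ...)`. I would log the denial before `pam_end`, for example `syslog (LOG_WARNING, "Account management failed on %s for %s: %s", tty, username, pam_strerror (pamh, rc));`, so that an expired or disabled account being used at a locked console shows up in the logs. A `pam_setcred (pamh, PAM_REFRESH_CRED)` failure now also keeps the console locked for an otherwise valid user; if that is intended, a one-line comment in do_account_password_management saying so would help. The rest of get_password, including whatever follows the `break`, is outside the hunk.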
diff --git a/kbd.spec b/kbd.spec
index 3b16c82..1b4267c 100644
--- a/kbd.spec
+++ b/kbd.spec
@@ -1,6 +1,6 @@
Name: kbd
Version: 1.15.5
-Release: 8%{?dist}
+Release: 9%{?dist}
Summary: Tools for configuring the console (keyboard, virtual terminals, etc.)
Group: System Environment/Base
@@ -25,6 +25,8 @@ Patch3: kbd-1.15.3-dumpkeys-man.patch
Patch4: kbd-1.15.5-loadkeys-regression.patch
# Patch5: fixes decimal separator in Swiss German keyboard layout, bz 882529
Patch5: kbd-1.15.5-sg-decimal-separator.patch
+# Patch6: implement PAM account and password management, backported from upstream
+Patch6: kbd-1.15.5-vlock-more-pam.patch
BuildRequires: bison, flex, gettext, pam-devel
BuildRequires: console-setup, xkeyboard-config
@@ -56,6 +58,7 @@ cp -fp %{SOURCE6} .
%patch3 -p1 -b .dumpkeys-man
%patch4 -p1 -b .loadkeys-regression
%patch5 -p1 -b .sg-decimal-separator
+%patch6 -p1 -b .vlock-more-pam
# 7-bit maps are obsolete; so are non-euro maps
pushd data/keymaps/i386
@@ -153,6 +156,11 @@ done < layouts-list-uniq.lst
/lib/kbd
%changelog
+* Wed Nov 27 2013 Vitezslav Crhonek <vcrhonek at redhat.com> - 1.15.5-9
+- Fix vlock doesn't perform PAM account management or credential reinitialization
+ (patch by Dmitry V. Levin)
+ Resolves: #913311
+
* Wed Nov 06 2013 Vitezslav Crhonek <vcrhonek at redhat.com> - 1.15.5-8
- Add PAM config for vlock
Resolves: #913309