Changeset 7e11b83c

Timestamp:

06/09/2020 06:16:16 PM (3 years ago)

Author:

Douglas R. Reno <renodr@…>

Branches:

10.0, 10.1, 11.0, 11.1, 11.2, 11.3, ken/inkscape-core-mods, lazarus, plabs/python-mods, qt5new, trunk, upgradedb, xry111/intltool, xry111/soup3, xry111/test-20220226

Children:

edcb4a5

Parents:

50c4929

Message:

Update to Linux-PAM-1.4.0
Update text on the libpwquality page to mention that pam_cracklib is now obsolete, and libpwquality is the intended replacement. See Ticket #13651
Move libpwquality.so.* to /lib

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@23270 af4574ff-66df-0310-9fd7-8a98e5e911e0

Files:

• general.ent (modified) (2 diffs)
• introduction/welcome/changelog.xml (modified) (1 diff)
• packages.ent (modified) (1 diff)
• postlfs/security/libpwquality.xml (modified) (4 diffs)
• postlfs/security/linux-pam.xml (modified) (9 diffs)

general.ent

@@ -1 +1 @@
 <!-- $LastChangedBy$ $Date$ -->
 
-<!ENTITY day          "08">                   <!-- Always 2 digits -->
+<!ENTITY day          "09">                   <!-- Always 2 digits -->
 <!ENTITY month        "06">                   <!-- Always 2 digits -->
 <!ENTITY year         "2020">
@@ -7 +7 @@
 <!ENTITY copyholder   "The BLFS Development Team">
 <!ENTITY version      "&year;-&month;-&day;">
-<!ENTITY releasedate  "June 8th, &year;">
+<!ENTITY releasedate  "June 9th, &year;">
 <!ENTITY pubdate      "&year;-&month;-&day;"> <!-- metadata req. by TLDP -->
 <!ENTITY blfs-version "svn">                  <!-- svn|[release #] -->

introduction/welcome/changelog.xml

@@ -43 +43 @@
     -->
     <listitem>
+      <para>June 9th, 2020</para>
+      <itemizedlist>
+        <listitem>
+          <para>[renodr] - Update to Linux-PAM-1.4.0. Fixes
+          <ulink url="&blfs-ticket-root;13651">#13651</ulink>.</para>
+        </listitem>
+        <listitem>
+          <para>[renodr] - Move the libpwquality.so library to /lib because
+          it is now used as an authentication module and should be available
+          if /usr is on a separate filesystem.</para>
+        </listitem>
+      </itemizedlist>
+    </listitem>
+
+    <listitem>
       <para>June 8th, 2020</para>
       <itemizedlist>

packages.ent

@@ -19 +19 @@
 <!ENTITY libcap-version               "2.36">
 <!ENTITY liboauth-version             "1.0.3">
-<!ENTITY linux-pam-version            "1.3.1">
-<!ENTITY linux-pam-docs-version       "1.3.1">
+<!ENTITY linux-pam-version            "1.4.0">
+<!ENTITY linux-pam-docs-version       "1.4.0">
 <!ENTITY libpwquality-version         "1.4.2">
 <!ENTITY make-ca-version              "1.7">

postlfs/security/libpwquality.xml

@@ -116 +116 @@
       Now, as the <systemitem class="username">root</systemitem> user:
     </para>
-
-<screen role="root"><userinput>make install</userinput></screen>
+    
+<screen role="root"><userinput>make install                          &amp;&amp;
+
+mv -v /usr/lib/libpwquality.so.* /lib &amp;&amp;
+ln -sfv ../../lib/$(readlink /usr/lib/libpwquality.so) /usr/lib/libpwquality.so</userinput></screen>
 
   </sect2>
@@ -129 +132 @@
       is <parameter>python</parameter>, and requires <xref linkend="python2"/>.
     </para>
+
   </sect2>
 
@@ -134 +138 @@
     <title>Configuring libpwquality</title>
 
+<!--
     <para>
       <application>libpwquality</application> is intended to be a
@@ -141 +146 @@
       <filename>pam_pwquality.so</filename> module, execute the following
       commands as the <systemitem class="username">root</systemitem> user:
+    </para>
+-->
+
+    <para>
+      <application>libpwquality</application> is intended to be a
+      functional replacement for the now-obsolete
+      <filename>pam_cracklib.so</filename> PAM module. To configure the system
+      to use the <filename>pam_pwquality</filename> module, execute the
+      following commands as the
+      <systemitem class="username">root</systemitem> user:
     </para>
 

postlfs/security/linux-pam.xml

@@ -7 +7 @@
   <!ENTITY linux-pam-download-http "https://github.com/linux-pam/linux-pam/releases/download/v&linux-pam-version;/Linux-PAM-&linux-pam-version;.tar.xz">
   <!ENTITY linux-pam-download-ftp  " ">
-  <!ENTITY linux-pam-md5sum        "558ff53b0fc0563ca97f79e911822165">
-  <!ENTITY linux-pam-size          "892 MB">
-  <!ENTITY linux-pam-buildsize     "26 MB (with tests)">
+  <!ENTITY linux-pam-md5sum        "39fca0523bccec6af4b63b5322276c84">
+  <!ENTITY linux-pam-size          "968 KB">
+  <!ENTITY linux-pam-buildsize     "37 MB (with tests)">
   <!ENTITY linux-pam-time          "0.3 SBU (with tests)">
 
   <!ENTITY linux-pam-docs-download "https://github.com/linux-pam/linux-pam/releases/download/v&linux-pam-version;/Linux-PAM-&linux-pam-docs-version;-docs.tar.xz">
-  <!ENTITY linux-pam-docs-md5sum   "1885fae049acd1b699a5459d7c4a0130">
-  <!ENTITY linux-pam-docs-size     "449 KB">
+  <!ENTITY linux-pam-docs-md5sum   "3440e619ff29074eb977a2ca6e34525a">
+  <!ENTITY linux-pam-docs-size     "468 KB">
   <!--
   <!ENTITY debian-pam-docs         "http://debian.securedservers.com/kernel/pub/linux/libs/pam">
@@ -105 +105 @@
     <para role="optional">
       <xref linkend="db"/>,
-      <xref linkend="cracklib"/>,
-      <xref linkend="libtirpc"/> and
+      <xref linkend="libnsl"/>,
+      <xref linkend="libpwquality"/>,
+      <xref linkend="libtirpc"/>, 
+      <ulink url="https://github.com/linux-audit/audit-userspace">libaudit</ulink>, and
       <ulink url="http://www.prelude-siem.org">Prelude</ulink>
     </para>
@@ -149 +151 @@
     </para>
 
-<screen><userinput>sed -e 's/dummy links/dummy lynx/'                                     \
+<screen><userinput>sed -e 's/dummy elinks/dummy lynx/'                                     \
     -e 's/-no-numbering -no-references/-force-html -nonumbers -stdin/' \
     -i configure</userinput></screen>
@@ -331 +333 @@
 
 # End /etc/pam.d/system-session</literal>
-EOF</userinput></screen>
-
+EOF
+cat &gt; /etc/pam.d/system-password &lt;&lt; "EOF"
+<literal># Begin /etc/pam.d/system-password
+
+# use sha512 hash for encryption, use shadow, and try to use any previously
+# defined authentication token (chosen password) set by any prior module
+password  required    pam_unix.so       sha512 shadow try_first_pass
+
+# End /etc/pam.d/system-password</literal>
+EOF
+</userinput></screen>
+
+     <para>
+       If you wish to enable strong password support, install
+       <xref linkend="libpwquality"/>, and follow the
+       instructions in that page to configure the pam_pwquality
+       PAM module with strong password support.
+     </para>
+
+<!-- With the removal of the pam_cracklib module, we're supposed to be using
+     libpwquality. That already includes instructions in it's configuration
+     information page, so we'll use those instead.
+
+     Linux-PAM must be installed prior to libpwquality so that PAM support
+     is built in, and the PAM module is built.
+-->
+<!--
       <para>
         The remaining generic file depends on whether <xref
@@ -380 +407 @@
 # End /etc/pam.d/system-password</literal>
 EOF</userinput></screen>
-
+-->
       <para>
         Now add a restrictive <filename>/etc/pam.d/other</filename>
@@ -435 +462 @@
       <seglistitem>
         <seg>
-          mkhomedir_helper, pam_tally, pam_tally2,
+          faillock, mkhomedir_helper,
           pam_timestamp_check, unix_chkpwd and
           unix_update
@@ -456 +483 @@
       <?dbhtml list-presentation="table"?>
 
+      <varlistentry id="faillock">
+        <term><command>faillock</command></term>
+        <listitem>
+          <para>
+            displays and modifies the authentication failure record files.
+          </para>
+          <indexterm zone="linux-pam faillock">
+            <primary sortas="b-faillock">faillock</primary>
+          </indexterm>
+        </listitem>
+      </varlistentry>
+
       <varlistentry id="mkhomedir_helper">
         <term><command>mkhomedir_helper</command></term>
@@ -468 +507 @@
       </varlistentry>
 
+<!-- Removed with the removal of the pam_tally{,2} module
       <varlistentry id="pam_tally">
         <term><command>pam_tally</command></term>
@@ -493 +533 @@
         </listitem>
       </varlistentry>
+-->
 
       <varlistentry id="pam_timestamp_check">