From owner-freebsd-ports-bugs@FreeBSD.ORG Sat May 24 17:50:01 2014 Return-Path: Delivered-To: freebsd-ports-bugs@smarthost.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 3145D29F for ; Sat, 24 May 2014 17:50:01 +0000 (UTC) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:1900:2254:206c::16:87]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 1CA872E60 for ; Sat, 24 May 2014 17:50:01 +0000 (UTC) Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.8/8.14.8) with ESMTP id s4OHo0Ut077004 for ; Sat, 24 May 2014 17:50:00 GMT (envelope-from gnats@freefall.freebsd.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.14.8/8.14.8/Submit) id s4OHo0T8076997; Sat, 24 May 2014 17:50:00 GMT (envelope-from gnats) Date: Sat, 24 May 2014 17:50:00 GMT Message-Id: <201405241750.s4OHo0T8076997@freefall.freebsd.org> To: freebsd-ports-bugs@FreeBSD.org Cc: From: Ben Morrow Subject: Re: ports/188483: [PATCH] update pam_abl to 0.6.0 Reply-To: Ben Morrow X-BeenThere: freebsd-ports-bugs@freebsd.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: Ports bug reports List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 24 May 2014 17:50:01 -0000 The following reply was made to PR ports/188483; it has been noted by GNATS. 
From: Ben Morrow To: bug-followup@FreeBSD.org, antiduh@csh.rit.edu Cc: Subject: Re: ports/188483: [PATCH] update pam_abl to 0.6.0 Date: Sat, 24 May 2014 18:38:01 +0100 --Q68bSM7Ycu6FN28Q Content-Type: text/plain; charset=us-ascii Content-Disposition: inline I've done up a patch to update the port to 0.6.0. Ben --Q68bSM7Ycu6FN28Q Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="pam_abl-0.6.0-ports.patch" diff --git a/security/pam_abl/Makefile b/security/pam_abl/Makefile index 5dc8c19..33d3503 100644 --- a/security/pam_abl/Makefile +++ b/security/pam_abl/Makefile @@ -2,33 +2,39 @@ # $FreeBSD$ PORTNAME= pam_abl -PORTVERSION= 0.2.3 +PORTVERSION= 0.6.0 CATEGORIES= security -MASTER_SITES= SF/pam-abl/pam-abl/${PORTVERSION} +DISTNAME= pam-abl-${PORTVERSION} +MASTER_SITES= SF/pam-abl/pam-abl MAINTAINER= prehor@gmail.com COMMENT= Blacklisting responsible for repeated failed authentication attempts -WRKSRC= ${WRKDIR}/${PORTNAME} +NO_WRKSUBDIR= PAMABLDB?= /var/db/pam_abl -USE_BDB= 42+ +USES= cmake +USE_BDB= 5 -SUB_FILES= pkg-deinstall pkg-message pkg-plist pam_abl.8 190.clean-pam-abl +SUB_FILES= pkg-deinstall pkg-message pkg-plist 190.clean-pam-abl SUB_LIST= PAMABLDB=${PAMABLDB} PKGMESSAGE= ${WRKDIR}/pkg-message PKGDEINSTALL= ${WRKDIR}/pkg-deinstall PLIST= ${WRKDIR}/pkg-plist +MAN1= pam_abl.1 +MAN5= pam_abl.conf.5 MAN8= pam_abl.8 +PORTDOCS= README Changelog.txt -.if !defined(NOPORTDOCS) -PORTDOCS= * +.if !defined(NO_INSTALL_MANPAGES) +BUILD_DEPENDS+= a2x:${PORTSDIR}/textproc/asciidoc \ + xsltproc:${PORTSDIR}/textproc/libxslt \ + ${LOCALBASE}/share/xsl/docbook/manpages/docbook.xsl:${PORTSDIR}/textproc/docbook-xsl .endif -NO_STAGE= yes .include .if ${PREFIX} == / || ${PREFIX} == /usr 
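Review bot: `MAN1= pam_abl.1` and `MAN5= pam_abl.conf.5` are added beside the kept `MAN8= pam_abl.8`, while the pkg-plist.in hunk at the end of this patch also lists `man/man1/pam_abl.1.gz`, `man/man5/pam_abl.conf.5.gz` and `man/man8/pam_abl.8.gz` explicitly; if the framework still appends MANx entries to the packing list, each page ends up listed twice. With `NO_STAGE` removed and the pages installed by hand in post-install, the plist entries alone are enough, so I would drop the three MANx lines rather than keep both. The `.include` lines in this rendering have lost their bracketed argument, presumably to the archive's HTML stripping, so I could not check which bsd.port.mk revision the port targets — confirm that before removing them.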
@@ -38,33 +44,42 @@ ETCPREFIX= ${PREFIX} .endif SUB_LIST+= ETCPREFIX=${ETCPREFIX} -SED_SCRIPT= -e 's||<${BDB_INCLUDE_DIR}/db.h>|' \ - -e 's|-ldb|-l${BDB_LIB_NAME}|' \ - -e 's|%%PREFIX%%|${PREFIX}|' \ - -e 's|%%LOCALBASE%%|${LOCALBASE}|' \ - -e 's|%%ETCPREFIX%%|${ETCPREFIX}|' \ +CMAKE_ARGS+= -DBDB_INCLUDE_DIR=${BDB_INCLUDE_DIR} \ + -DBDB_LIB_NAME=${BDB_LIB_NAME} \ + -DBDB_LIB_DIR=${BDB_LIB_DIR} + +SED_SCRIPT= -e 's|%%ETCPREFIX%%|${ETCPREFIX}|' \ -e 's|%%PAMABLDB%%|${PAMABLDB}|' +SED_FILES= test_abl.c pam_abl.c tools.c \ + doc/pam_abl.1.txt doc/pam_abl.8.txt doc/pam_abl.conf.5.txt \ + conf/pam_abl.conf + post-patch: -.for file in Makefile pam_abl.h conf/pam_abl.conf conf/system-auth doc/index.html doc/pam_abl.html tools/Makefile +.for file in ${SED_FILES} @${REINPLACE_CMD} ${SED_SCRIPT} ${WRKSRC}/${file} .endfor -pre-install: +.if !defined(NO_INSTALL_MANPAGES) +post-build: + (cd ${WRKSRC}/doc && ./generate.sh) +.endif + +post-install: .if !defined(NOPORTDOCS) - @${MKDIR} ${DOCSDIR} -.for file in AUTHORS COPYING Copyright NEWS README THANKS conf/system-auth doc/index.html doc/pam_abl.html doc/copying.html doc/style.css - ${INSTALL_DATA} ${WRKSRC}/${file} ${DOCSDIR} + @${MKDIR} ${STAGEDIR}${DOCSDIR} +.for file in ${PORTDOCS} + ${INSTALL_DATA} ${WRKSRC}/${file} ${STAGEDIR}${DOCSDIR} .endfor .endif .if !defined(NO_INSTALL_MANPAGES) - @${MKDIR} ${MAN8PREFIX}/man/man8 - ${INSTALL_MAN} ${WRKDIR}/pam_abl.8 ${MAN8PREFIX}/man/man8/ + ${INSTALL_MAN} ${WRKDIR}/doc/pam_abl.1 ${STAGEDIR}${MAN8PREFIX}/man/man1/ + ${INSTALL_MAN} ${WRKDIR}/doc/pam_abl.8 ${STAGEDIR}${MAN8PREFIX}/man/man8/ + ${INSTALL_MAN} ${WRKDIR}/doc/pam_abl.conf.5 ${STAGEDIR}${MAN8PREFIX}/man/man5/ .endif - @${MKDIR} ${PREFIX}/etc/periodic/daily - ${INSTALL_SCRIPT} ${WRKDIR}/190.clean-pam-abl ${PREFIX}/etc/periodic/daily/ - -post-install: + ${INSTALL_DATA} ${WRKDIR}/conf/pam_abl.conf ${STAGEDIR}${ETCPREFIX}/etc/pam_abl.conf.sample + @${MKDIR} ${STAGEDIR}${PREFIX}/etc/periodic/daily + ${INSTALL_SCRIPT} 
${WRKDIR}/190.clean-pam-abl ${STAGEDIR}${ETCPREFIX}/etc/periodic/daily/ @${CAT} ${PKGMESSAGE} .include diff --git a/security/pam_abl/distinfo b/security/pam_abl/distinfo index e419f73..8db2f40 100644 --- a/security/pam_abl/distinfo +++ b/security/pam_abl/distinfo @@ -1,2 +1,2 @@ -SHA256 (pam_abl-0.2.3.tar.gz) = 9bb4059fba96f9846784d5e70bec72893630bdd70bc840be767cc33b83c6b163 -SIZE (pam_abl-0.2.3.tar.gz) = 19000 +SHA256 (pam-abl-0.6.0.tar.gz) = dff9437af247fee19e8269919a3eed44c1e69874c1fa06325997c8d1eeb7eeb4 +SIZE (pam-abl-0.6.0.tar.gz) = 48882 diff --git a/security/pam_abl/files/190.clean-pam-abl.in b/security/pam_abl/files/190.clean-pam-abl.in index 3b3ca29..4f52bd5 100644 --- a/security/pam_abl/files/190.clean-pam-abl.in +++ b/security/pam_abl/files/190.clean-pam-abl.in @@ -17,7 +17,9 @@ case "$daily_clean_pam_abl_enable" in echo "" echo "Purging pam_abl databases:" - %%PREFIX%%/sbin/pam_abl -p -v ${daily_clean_pam_abl_config_file} + conf="${daily_clean_pam_abl_config_file:-%%ETCPREFIX%%/etc/pam_abl.conf} + + %%PREFIX%%/bin/pam_abl -p -v ${conf} [ $? -ne 0 ] && rc=3 || rc=0;; *) rc=0;; esac diff --git a/security/pam_abl/files/pam_abl.8.in b/security/pam_abl/files/pam_abl.8.in deleted file mode 100644 index 9395d43..0000000 --- a/security/pam_abl/files/pam_abl.8.in +++ /dev/null 
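Review bot: The periodic script is now installed to `${STAGEDIR}${ETCPREFIX}/etc/periodic/daily/` while the directory created on the line above is `${STAGEDIR}${PREFIX}/etc/periodic/daily` and pkg-plist.in lists `etc/periodic/daily/190.clean-pam-abl` relative to PREFIX; whenever ETCPREFIX differs from PREFIX (the `.if ${PREFIX} == / || ${PREFIX} == /usr` case just above this hunk) the script lands outside the packing list and the mkdir targets a different tree. The removed line used `${PREFIX}`, so I would keep that: `${INSTALL_SCRIPT} ${WRKDIR}/190.clean-pam-abl ${STAGEDIR}${PREFIX}/etc/periodic/daily/`. The same question applies to `pam_abl.conf.sample`, which is installed under ETCPREFIX but listed as `etc/pam_abl.conf.sample` and handled by `%D`-relative `@exec`/`@unexec` lines in the plist hunk. As a smaller point, the man1 and man5 pages are installed under `${MAN8PREFIX}`; `${MAN1PREFIX}` and `${MAN5PREFIX}` exist for those sections and read more naturally.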
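Review bot: As rendered here, `conf="${daily_clean_pam_abl_config_file:-%%ETCPREFIX%%/etc/pam_abl.conf}` has no closing double quote, which would make the script fail to parse; if the archive did not simply drop it, the line should read `conf="${daily_clean_pam_abl_config_file:-%%ETCPREFIX%%/etc/pam_abl.conf}"`. On the following command the expansion is unquoted, so a config path containing whitespace or glob characters would be split by the shell; use `%%PREFIX%%/bin/pam_abl -p -v "${conf}"`. The enclosing case statement starts and ends outside the hunk.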
@@ -1,270 +0,0 @@ -.\" -.\" $FreeBSD$ -.\" -.Dd January 14, 2006 -.Dt pam_abl 8 -.Os -.Sh NAME -.Nm pam_abl -.Nd auto blacklist PAM module -.Sh SYNOPSIS -.Ss Auto Blacklist PAM module -.Op Ar service-name -.Ar module-name -.Ar control-flag -.Pa pam_abl -.Op Ar options -.Ss Blacklist maintenance tool -.Nm -.Op Fl h | Fl -help -.Op Fl p | Fl -purge -.Op Fl r | Fl -relative -.Op Fl v | Fl -verbose -.Op Fl -okhost Ns No = Ns Ar host -.Op Fl -okuser Ns No = Ns Ar user -.Op Ar config-file -.Sh DESCRIPTION -The Auto Blacklist module for PAM, -.Nm -provides functionality for only one PAM category: authentication. -In terms of the -.Ar module-type -parameter, this is the -.Dq Li auth -feature. -.Ss Auto Blacklist PAM Authentication Module -.Nm -provides auto blacklisting of hosts and users responsible for repeated -failed authentication attempts. Generally configured so that blacklisted -users still see normal login prompts but are guaranteed to fail to -authenticate. This functionality is only available to services which call -PAM as root. If -.Nm -is called for uid != 0 it will silently succeed. - -The following options may be passed to the authentication module: -.Bl -tag -width indent -.It Cm debug -.Xr syslog 3 -debugging information at -.Dv LOG_DEBUG -level. -.It Cm expose_account -Ignored. -.It Cm no_warn -suppress warning messages to the user. -These messages include reasons why the user's authentication attempt was -declined. -.It Cm try_first_pass -Ignored. -.It Cm use_first_pass -Ignored. -.It Cm use_mapped_pass -Ignored. -.It Cm config Ns No = Ns Ar config-file -The configuration file contains additional arguments. In order for the -.Nm -blacklist maintenance tool to work correctly most of the configuration -should be placed in the config file rather than being provided by arguments. -The format of the config file is described below. 
-.It Cm host_db Ns No = Ns Ar host-database-file -Path to the Berkeley DB which is used to log the host responsible for failed -authentication attempts. -If host_db is omitted the corresponding auto blacklisting will be disabled. -.It Cm host_purge Ns No = Ns Ar time -Defines how long failed hosts are retained in the host database. -Defaults to 1 day. -.It Cm host_rule Ns No = Ns Ar host-rule -The rule (see below for format) which defines the conditions under which a -failed hosts will be blackisted. -.It Cm user_db Ns No = Ns Ar user-database-file -Path to the Berkeley DB which is used to log the user responsible for failed -authentication attempts. -If user_db is omitted the corresponding auto blacklisting will be disabled. -.It Cm user_purge Ns No = Ns Ar time -Defines how long failed users are retained in the user database. -Defaults to 1 day. -.It Cm user_rule Ns No = Ns Ar user-rule -The rule (see below for format) which defines the conditions under which a -failed users will be blackisted. -.El -.Ss Rules syntax -.Cm host_rule No Cm user_rule -are the rules which determine the circumstances under which accounts ares -auto blacklisted. -The -.Cm host_rule -is used to block access to hosts that are responsible for excessive -authentication failures and the -.Cm user_rule -is used to disable accounts for which there have been excessive -authentication failures. -Each rule consists of a number of space separated -.Sy user clauses Ns No . -A -.Sy user clause -specifies the user names and services to match and a set of triggers. -A simple example would be: -.Bd -literal -offset indent -*:10/1h -.Ed -.Pp -which means 'block any user (*) if they are responsible for ten or more -failed authentication attempts in the last hour'. 
-In place of the '*' which matches any user a list of usernames can be -supplied like this: -.Bd -literal -offset indent -root|dba|admin:10/1h -.Ed -.Pp -which means 'block the users root, dba and admin if they are responsible -for ten or more failed authentication attempts in the last hour'. -You can also specify a service name to match against like this: -.Bd -literal -offset indent -root/sshd|dba/*:3/1d -.Ed -.Pp -which means 'block the users root for service sshd and user dba for any -service if they are responsible for three or more failed authentication -attempts in the last day'. -Finally you can specify multiple triggers like this: -.Bd -literal -offset indent -root:10/1h,20/1d -.Ed -.Pp -which means 'block the user root if they are responsible for ten or more -failed attempts in the last hour or twenty or more failed attempts in the -last day. -.Pp -Multiple rules can be provided separated by spaces like this: -.Bd -literal -offset indent -*:10/1h root:5/1h,10/1d -.Ed -.Pp -in which case all rules that match a particular user and service will be -checked. -The user or host will be blocked if any of the rule triggers matches. -.Pp -The sense of the user matching can be inverted by placing a '!' in front -of the rule so that: -.Bd -literal -offset indent -!root:20/1d -.Ed -.Pp -is a rule which would match for all users apart from root. -.Pp -It is important to treat root as a special case in the -.Cm user_rule -otherwise excessive attempts to authenticate as root will result in the -root account being locked out even for valid holders of root credentials. -.Pp -Here is the full syntax for rules: -.Bd -literal -offset indent -word ::= /[^\\s\\|\\/\\*]+/ -name ::= word | '*' -username ::= name -servicename ::= name -userservice ::= username | username '/' servicename -namelist ::= userservice | userservice '|' namelist -userspec ::= namelist | '!' 
namelist -multiplier ::= 's' | 'm' | 'h' | 'd' -number ::= /\d+/ -period ::= number | number multiplier -trigger ::= number '/' period -triglist ::= trigger | trigger ',' triglist -userclause ::= userspec ':' triglist -rule ::= userclause | userclause /\s+/ rule -.Ed -.Pp -For rules to work correctly -.Cm host_purge No and Cm user_purge -must be at least as long as the longest period specified in a corresponding -rule. -You may wish to retain information about failed attempts for longer than -this so that the -.Nm -blacklist maintenance tool can report information over a longer period of -time. -The format for this items is a number with an optional multiplier suffix, -'s', 'm', 'h' or 'd' which correspond with seconds, minutes, hours and days. -To specify seven days for example one would use '7d'. -Note that in normal operation -.Nm -PAM module will only purge the logged data for a particular host or user -if it happens to be updating it, i.e. if that host or user makes another -failed attempt. -To purge all old entries the -.Nm -blacklist maintenance tool should be used. -.Ss Blacklist maintenance tool -Blacklist maintenance tool -.Nm -perform maintenance on the databases used by the -.Nm -PAM module. -The options are as follows: -.Bl -tag -width indent -.It Fl h | Fl -help -Print help page and exit. -.It Fl p | Fl -purge -Purge databases according to purge rules in config. -.It Fl r | Fl -relative -Display times relative to now otherwise absolute times will be displayed. -.It Fl v | Fl -verbose -Verbose output. -.It Fl -okhost Ns No = Ns Ar host-name -Unblock host. -.It Fl -okuser Ns No = Ns Ar user-name -Unblock user. -.It Ar config-file -Name of the -.Nm -configuration file (default: %%ETCPREFIX%%/etc/pam_abl.conf). -The config file is read to discover the names of the -.Nm -databases and the rules that control purging of old data from them. 
-.El -.Sh EXAMPLES -.Ss Auto Blacklist PAM module -Typically -.Nm -PAM module is added to the auth stack as a required module just before -whatever modules actually peform authentication. -Here's a fragment of the PAM config: -.Bd -literal -offset indent -auth required pam_env -auth required pam_abl config=%%ETCPREFIX%%/etc/pam_abl.conf -auth sufficient pam_unix likeauth nullok -auth required pam_deny -.Ed -.Ss Blacklist maintenance tool -Obtain a list of failed hosts and users: -.Bd -literal -offset indent -$ pam_abl -.Ed -.Pp -Obtain a full list of failures listing times relative to now: -.Bd -literal -offset indent -$ pam_abl -rv -.Ed -.Pp -Purge old data: -.Bd -literal -offset indent -$ pam_abl -p -.Ed -.Pp -Unblock all example.com hosts and all users: -.Bd -literal -offset indent -$ pam_abl -v --okhost='*.example.com' --okuser='*' -.Ed -.Sh SEE ALSO -.Xr pam.conf 5 , -.Xr pam 8 -.Bd -literal -http://www.hexten.net/pam_abl/ -http://sourceforge.net/project/showfiles.php?group_id=148927 -.Ed -.Sh AUTHORS -Written by Andy Armstrong . -.Sh BUGS -Report bugs to Andy Armstrong . diff --git a/security/pam_abl/files/patch-CMakeLists.txt b/security/pam_abl/files/patch-CMakeLists.txt new file mode 100644 index 0000000..e06c4c1 --- /dev/null +++ b/security/pam_abl/files/patch-CMakeLists.txt @@ -0,0 +1,9 @@ +diff -ur CMakeLists.txt CMakeLists.txt +--- CMakeLists.txt 2013-08-29 21:52:11.000000000 +0100 ++++ CMakeLists.txt 2014-05-24 15:52:49.476475638 +0100 +@@ -73,4 +73,4 @@ + INSTALL(TARGETS pam-abl_bin + RUNTIME DESTINATION bin + ) +-INSTALL(TARGETS pam-abl_lib DESTINATION lib/security) ++INSTALL(TARGETS pam-abl_lib DESTINATION lib) diff --git a/security/pam_abl/files/patch-Makefile b/security/pam_abl/files/patch-Makefile deleted file mode 100644 index 633b85f..0000000 --- a/security/pam_abl/files/patch-Makefile +++ /dev/null 
@@ -1,42 +0,0 @@ ---- Makefile.orig Wed Oct 12 21:22:25 2005 -+++ Makefile Sun Dec 11 00:29:31 2005 -@@ -1,11 +1,11 @@ - # Makefile - # $Id: Makefile,v 1.1.1.1 2005/10/12 19:22:25 tagishandy Exp $ - --CFLAGS=-Wall -fPIC --PAMDIR=/lib/security --CONFDIR=/etc/security --DBDIR=/var/lib/abl --LIBS=-ldb -lpthread -+CFLAGS=-Wall -fPIC -I%%PREFIX%%/include -I%%LOCALBASE%%/include -+PAMDIR=%%PREFIX%%/lib -+CONFDIR=%%ETCPREFIX%%/etc -+DBDIR=%%PAMABLDB%% -+LIBS=-L%%PREFIX%%/lib -L%%LOCALBASE%% -ldb -lpthread - MODULE=pam_abl.so - OBJ=pam_abl.o log.o config.o rule.o - SUBDIRS=tools -@@ -14,17 +14,17 @@ - for d in $(SUBDIRS) ; do cd $$d && make $@ && cd .. ; done - - $(MODULE) : $(OBJ) -- ld -x --shared $(LIBS) -o $@ $^ -+ ld -x --shared $(LIBS) -o $(MODULE) $(OBJ) - - clean : - rm -f $(MODULE) $(OBJ) - for d in $(SUBDIRS) ; do cd $$d && make $@ && cd .. ; done - - install : $(MODULE) -- install --mode=755 --strip $(MODULE) $(PAMDIR) -- #install --mode=644 conf/pam_abl.conf $(CONFDIR) -- install -d --mode=755 $(DBDIR) -- for d in t $(SUBDIRS) ; do cd $$d && make $@ && cd .. ; done -+ install -m 755 -s $(MODULE) $(PAMDIR) -+ install -m 644 conf/pam_abl.conf $(CONFDIR)/pam_abl.conf.sample -+ install -d -m 755 $(DBDIR) -+ for d in $(SUBDIRS) ; do cd $$d && make $@ && cd .. ; done - - depend : - cc -MM *.c > deps diff --git a/security/pam_abl/files/patch-cmake-Modules-FindBerkeleyDB.cmake b/security/pam_abl/files/patch-cmake-Modules-FindBerkeleyDB.cmake new file mode 100644 index 0000000..a52fe61 --- /dev/null +++ b/security/pam_abl/files/patch-cmake-Modules-FindBerkeleyDB.cmake 
@@ -0,0 +1,31 @@ +diff -ur cmake/Modules/FindBerkeleyDB.cmake cmake/Modules/FindBerkeleyDB.cmake +--- cmake/Modules/FindBerkeleyDB.cmake 2013-08-29 21:52:11.000000000 +0100 ++++ cmake/Modules/FindBerkeleyDB.cmake 2014-05-24 16:00:54.469441914 +0100 +@@ -8,22 +8,18 @@ + NAMES + db.h + PATHS +- /usr/include +- /usr/local/include +- /opt/local/include +- /sw/include ++ ${BDB_INCLUDE_DIR} ++ NO_DEFAULT_PATH + ) + endif (NOT DB_INCLUDE_DIR) + + if (NOT DB_LIBRARY) + find_library(DB_LIBRARY + NAMES +- db ++ ${BDB_LIB_NAME} + PATHS +- /usr/lib +- /usr/local/lib +- /opt/local/lib +- /sw/lib ++ ${BDB_LIB_DIR} ++ NO_DEFAULT_PATH + ) + endif (NOT DB_LIBRARY) + diff --git a/security/pam_abl/files/patch-conf-pam_abl.conf b/security/pam_abl/files/patch-conf-pam_abl.conf index c668e08..e66a0cb 100644 --- a/security/pam_abl/files/patch-conf-pam_abl.conf +++ b/security/pam_abl/files/patch-conf-pam_abl.conf @@ -1,14 +1,15 @@ ---- conf/pam_abl.conf.orig Sat Dec 10 23:27:33 2005 -+++ conf/pam_abl.conf Sun Dec 11 00:07:41 2005 +diff -ur conf/pam_abl.conf conf/pam_abl.conf +--- conf/pam_abl.conf 2013-08-29 21:52:11.000000000 +0100 ++++ conf/pam_abl.conf 2014-05-24 16:03:44.560424677 +0100 @@ -1,8 +1,8 @@ --# /etc/security/pam_abl.conf -+# %%ETCPREFIX%%/etc/pam_abl.conf - # debug +-db_home=/var/lib/abl -host_db=/var/lib/abl/hosts.db ++db_home=%%PAMABLDB%% +host_db=%%PAMABLDB%%/hosts.db - host_purge=2d - host_rule=*:10/1h,30/1d + host_purge=1d + host_rule=*:30/1h -user_db=/var/lib/abl/users.db +user_db=%%PAMABLDB%%/users.db - user_purge=2d - user_rule=!root:10/1h,30/1d + user_purge=1d + user_rule=*:3/1h + host_clear_cmd=[logger] [clear] [host] [%h] diff --git a/security/pam_abl/files/patch-conf-system-auth b/security/pam_abl/files/patch-conf-system-auth deleted file mode 100644 index 4f287c1..0000000 --- a/security/pam_abl/files/patch-conf-system-auth +++ /dev/null 
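Review bot: The sample config this patch ships keeps upstream's `user_rule=*:3/1h` (an unchanged inner context line here), and the `@exec` line added to pkg-plist.in copies the sample into the live `pam_abl.conf` on first install; with `*` matching every user, three failed attempts against root within an hour blacklist root itself, which the port's own (now deleted) pam_abl.8.in warns about and which the pam_abl.conf.5.txt sample in this same patch avoids with `!root:10/1h,30/1d`. Since the ports patch already rewrites this file, I would also exclude root in the shipped default, e.g. `-user_rule=*:3/1h` / `+user_rule=!root:3/1h`, leaving the threshold itself to the maintainer. The new `host_clear_cmd=[logger] [clear] [host] [%h]` line runs `logger` by bare name from a PAM module executing as root; the man page sample uses `[/usr/bin/logger]`, and an absolute path here avoids depending on the caller's PATH.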
@@ -1,39 +0,0 @@ ---- conf/system-auth.orig Wed Oct 12 21:22:27 2005 -+++ conf/system-auth Sat Jan 14 22:37:20 2006 -@@ -1,15 +1,24 @@ --#%PAM-1.0 --auth required /lib/security/$ISA/pam_env.so --auth required /lib/security/$ISA/pam_abl.so config=/etc/security/pam_abl.conf --auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok --auth required /lib/security/$ISA/pam_deny.so -+# -+# System-wide defaults -+# - --account required /lib/security/$ISA/pam_unix.so -+# auth -+auth required %%PREFIX%%/lib/pam_abl.so config=%%ETCPREFIX%%/etc/pam_abl.conf -+auth sufficient pam_opie.so no_warn no_fake_prompts -+auth requisite pam_opieaccess.so no_warn allow_local -+#auth sufficient pam_krb5.so no_warn try_first_pass -+#auth sufficient pam_ssh.so no_warn try_first_pass -+auth required pam_unix.so no_warn try_first_pass nullok - --password required /lib/security/$ISA/pam_cracklib.so retry=3 type= --password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow --password required /lib/security/$ISA/pam_deny.so -+# account -+#account required pam_krb5.so -+account required pam_login_access.so -+account required pam_unix.so - --session required /lib/security/$ISA/pam_limits.so --session required /lib/security/$ISA/pam_abl.so --session required /lib/security/$ISA/pam_unix.so -+# session -+#session optional pam_ssh.so -+session required pam_lastlog.so no_fail -+ -+# password -+#password sufficient pam_krb5.so no_warn try_first_pass -+password required pam_unix.so no_warn try_first_pass diff --git a/security/pam_abl/files/patch-doc-generate.sh b/security/pam_abl/files/patch-doc-generate.sh new file mode 100644 index 0000000..02560fc --- /dev/null +++ b/security/pam_abl/files/patch-doc-generate.sh 
@@ -0,0 +1,12 @@ +diff -ur doc/generate.sh doc/generate.sh +--- doc/generate.sh 2013-08-29 21:52:11.000000000 +0100 ++++ doc/generate.sh 2014-05-24 15:56:08.034510743 +0100 +@@ -1,6 +1,6 @@ +-#!/bin/bash ++#!/bin/sh + +-if [[ "$1" == "clean" ]] ++if [ "$1" = "clean" ] + then + ls ./|grep -v 'Makefile\|txt\|generate'|xargs rm + else diff --git a/security/pam_abl/files/patch-doc-index.html b/security/pam_abl/files/patch-doc-index.html deleted file mode 100644 index 1b63b62..0000000 --- a/security/pam_abl/files/patch-doc-index.html +++ /dev/null @@ -1,75 +0,0 @@ ---- doc/index.html.orig Wed Oct 12 21:22:27 2005 -+++ doc/index.html Sat Jan 14 22:48:16 2006 -@@ -44,7 +44,7 @@ -
Requires Berkeley DB - (tested with 4.3.21 and 4.2.50).
- -- Requires a configuration file (by convention /etc/security/pam_abl.conf)
-+ Requires a configuration file (by convention %%ETCPREFIX%%/etc/pam_abl.conf) - -
Network aware:
- -@@ -171,28 +171,26 @@ -

Typically pam_abl.so is added to the auth stack as a required module just before whatever modules actually peform authentication. Here's a fragment of the PAM config for a production server that is running pam_abl:

- - -- -- -- -- -+ -+ -
authrequired/lib/security/pam_env.so
authrequired/lib/security/pam_abl.so config=/etc/security/pam_abl.conf
authsufficient/lib/security/pam_unix.so likeauth nullok
authrequired/lib/security/pam_deny.so
authrequired%%PREFIX%%/lib/pam_abl.so config=%%ETCPREFIX%%/etc/pam_abl.conf
authrequiredpam_unix.so no_warn try_first_pass nullok
- --

Although all of accepted arguments can be supplied here they will usually be placed in a separate config file and linked to using the config argument as in the above example. The pam_abl command line tool reads the external config file (/etc/security/pam_abl.conf in this case) to find the databases so in order for it work correctly an external config should be used.

-+

Although all of accepted arguments can be supplied here they will usually be placed in a separate config file and linked to using the config argument as in the above example. The pam_abl command line tool reads the external config file (%%ETCPREFIX%%/etc/pam_abl.conf in this case) to find the databases so in order for it work correctly an external config should be used.

- - - -
Config file syntax:
- -
--

The config file can contain any arguments that would be supplied via PAM config. In the config file arguments are placed on separate lines. Comments may be included after a '#' and line continuation is possible by placing a back slash at the end of the line to be continued. Here is a sample /etc/security/pam_abl.conf:

-+

The config file can contain any arguments that would be supplied via PAM config. In the config file arguments are placed on separate lines. Comments may be included after a '#' and line continuation is possible by placing a back slash at the end of the line to be continued. Here is a sample %%ETCPREFIX%%/etc/pam_abl.conf:

- - -- -+ - -- -+ - - -- -+ - - -
# /etc/security/pam_abl.conf
# %%ETCPREFIX%%/etc/pam_abl.conf
debug
host_db=/var/lib/abl/hosts.db
host_db=%%PAMABLDB%%/hosts.db
host_purge=2d
host_rule=*:10/1h,30/1d
user_db=/var/lib/abl/users.db
user_db=%%PAMABLDB%%/users.db
user_purge=2d
user_rule=!root:10/1h,30/1d
-@@ -282,21 +280,19 @@ -

Sample PAM config fragment:

- - -- -- -- -- -+ -+ -
authrequired/lib/security/pam_env.so
authrequired/lib/security/pam_abl.so config=/etc/security/pam_abl.conf
authsufficient/lib/security/pam_unix.so likeauth nullok
authrequired/lib/security/pam_deny.so
authrequired%%PREFIX%%/lib/pam_abl.so %%ETCPREFIX%%/etc/pam_abl.conf
authrequiredpam_unix.so no_warn try_first_pass nullok
- --

Sample /etc/security/pam_abl.conf:

-+

Sample %%ETCPREFIX%%/etc/pam_abl.conf:

- - -- -+ - -- -+ - - -- -+ - - -
# /etc/security/pam_abl.conf
# %%ETCPREFIX%%/etc/pam_abl.conf
debug
host_db=/var/lib/abl/hosts.db
host_db=%%PAMABLDB%%/hosts.db
host_purge=2d
host_rule=*:10/1h,30/1d
user_db=/var/lib/abl/users.db
user_db=%%PAMABLDB%%/users.db
user_purge=2d
user_rule=!root:10/1h,30/1d
diff --git a/security/pam_abl/files/patch-doc-pam_abl.1.txt b/security/pam_abl/files/patch-doc-pam_abl.1.txt new file mode 100644 index 0000000..8f281cf --- /dev/null +++ b/security/pam_abl/files/patch-doc-pam_abl.1.txt @@ -0,0 +1,12 @@ +diff -ur doc/pam_abl.1.txt doc/pam_abl.1.txt +--- doc/pam_abl.1.txt 2013-08-29 21:52:11.000000000 +0100 ++++ doc/pam_abl.1.txt 2014-05-24 15:17:27.228641197 +0100 +@@ -19,7 +19,7 @@ + + Provides a non-pam interface to the infomration stored in the pam_abl module + databases. CONFIG is the name of the pam_abl config file (default: +-/etc/security/pam_abl.conf). The config file is read to discover the names of ++%%ETCPREFIX%%/etc/pam_abl.conf). The config file is read to discover the names of + the pam_abl databases, the rules that control purging of old data from them and + commands to run when a user or host switches state. + diff --git a/security/pam_abl/files/patch-doc-pam_abl.8.txt b/security/pam_abl/files/patch-doc-pam_abl.8.txt new file mode 100644 index 0000000..4173252 --- /dev/null +++ b/security/pam_abl/files/patch-doc-pam_abl.8.txt 
@@ -0,0 +1,37 @@ +diff -ur doc/pam_abl.8.txt doc/pam_abl.8.txt +--- doc/pam_abl.8.txt 2013-08-29 21:52:11.000000000 +0100 ++++ doc/pam_abl.8.txt 2014-05-24 15:26:37.856617372 +0100 +@@ -155,17 +155,14 @@ + authentication. Here's a fragment of the PAM config for a + production server that is running pam_abl: + +-auth required /lib/security/pam_env.so +-auth required /lib/security/pam_abl.so +- config=/etc/security/pam_abl.conf +-auth sufficient /lib/security/pam_unix.so likeauth nullok +-auth required /lib/security/pam_deny.so ++auth required pam_abl.so config=%%ETCPREFIX%%/etc/pam_abl.conf ++auth required pam_unix.so no_warn try_first_pass + + Although all of accepted arguments can be supplied here they will + usually be placed in a separate config file and linked to using + the config argument as in the above example. The pam_abl command + line tool reads the external config file +-(/etc/security/pam_abl.conf in this case) to find the databases so ++(%%ETCPREFIX%%/etc/pam_abl.conf in this case) to find the databases so + in order for it work correctly an external config should be used. + + +@@ -173,10 +170,8 @@ + -------- + + ------------------------------------- +-auth required /lib/security/pam_env.so +-auth required /lib/security/pam_abl.so config=/etc/security/pam_abl.conf +-auth sufficient /lib/security/pam_unix.so likeauth nullok +-auth required /lib/security/pam_deny.so ++auth required pam_abl.so config=%%ETCPREFIX%%/etc/pam_abl.conf ++auth required pam_unix.so no_warn try_first_pass + ------------------------------------- + + diff --git a/security/pam_abl/files/patch-doc-pam_abl.conf.5.txt b/security/pam_abl/files/patch-doc-pam_abl.conf.5.txt new file mode 100644 index 0000000..6c72d93 --- /dev/null +++ b/security/pam_abl/files/patch-doc-pam_abl.conf.5.txt 
@@ -0,0 +1,41 @@ +diff -ur doc/pam_abl.conf.5.txt doc/pam_abl.conf.5.txt +--- doc/pam_abl.conf.5.txt 2013-08-29 21:52:11.000000000 +0100 ++++ doc/pam_abl.conf.5.txt 2014-05-24 15:32:36.201559056 +0100 +@@ -109,15 +109,15 @@ + via PAM config. In the config file arguments are placed on + separate lines. Comments may be included after a '#' and line + continuation is possible by placing a back slash at the end of the +-line to be continued. Here is a sample /etc/security/pam_abl.conf: ++line to be continued. Here is a sample %%ETCPREFIX%%/etc/pam_abl.conf: + + ---------------------------- +-# /etc/security/pam_abl.conf ++# %%ETCPREFIX%%/etc/pam_abl.conf + debug +-host_db=/var/lib/abl/hosts.db ++host_db=%%PAMABLDB%%/hosts.db + host_purge=2d + host_rule=*:10/1h,30/1d +-user_db=/var/lib/abl/users.db ++user_db=%%PAMABLDB%%/users.db + user_purge=2d + user_rule=!root:10/1h,30/1d + --------------------------- +@@ -219,13 +219,13 @@ + ------- + + ---------------------------- +-# /etc/security/pam_abl.conf ++# %%ETCPREFIX%%/etc/pam_abl.conf + debug +-host_db=/var/lib/abl/hosts.db ++host_db=%%PAMABLDB%%/hosts.db + host_purge=2d + host_rule=*:10/1h,30/1d +-host_block_cmd=[/sbin/iptables] [-I] [INPUT] [-s] [%h] [-j] [DROP] +-user_db=/var/lib/abl/users.db ++host_block_cmd=[/sbin/ipfw] [table] [1] [add] [%h] ++user_db=%%PAMABLDB%%/users.db + user_purge=2d + user_rule=!root:10/1h,30/1d + user_clear_cmd=[/usr/bin/logger] [block] [user] [%u] diff --git a/security/pam_abl/files/patch-doc-pam_abl.html b/security/pam_abl/files/patch-doc-pam_abl.html deleted file mode 100644 index fd162fd..0000000 --- a/security/pam_abl/files/patch-doc-pam_abl.html +++ /dev/null @@ -1,11 +0,0 @@ ---- doc/pam_abl.html.orig Wed Oct 12 21:22:27 2005 -+++ doc/pam_abl.html Sat Jan 14 23:00:43 2006 -@@ -15,7 +15,7 @@ -
pam_abl [OPTION] [CONFIG]
-
DESCRIPTION
-
--

Perform maintenance on the databases used by the pam_abl (auto blacklist) module. CONFIG is the name of the pam_abl config file (default: /etc/security/pam_abl.conf). The config file is read to discover the names of the pam_abl databases and the rules that control purging of old data from them. The following options are available

-+

Perform maintenance on the databases used by the pam_abl (auto blacklist) module. CONFIG is the name of the pam_abl config file (default: %%ETCPREFIX%%/etc/pam_abl.conf). The config file is read to discover the names of the pam_abl databases and the rules that control purging of old data from them. The following options are available

- - - diff --git a/security/pam_abl/files/patch-pam_abl.c b/security/pam_abl/files/patch-pam_abl.c deleted file mode 100644 index 3ef097a..0000000 --- a/security/pam_abl/files/patch-pam_abl.c +++ /dev/null @@ -1,24 +0,0 @@ ---- pam_abl.c.orig Wed Oct 12 21:22:26 2005 -+++ pam_abl.c Sat Jan 14 21:39:41 2006 -@@ -344,7 +344,7 @@ - abl_args *args = data; - log_debug(args, "In cleanup, err is %08x", err); - -- if (err && (err & PAM_DATA_REPLACE) == 0) { -+ if (err == PAM_AUTH_ERR) { - record_attempt(args); - } - config_free(args); -@@ -359,6 +359,12 @@ - int err = PAM_SUCCESS; - - /*log_debug(NULL, "pam_sm_authenticate(), flags=%08x", flags);*/ -+ -+ if (err = pam_get_data(pamh, DATA_NAME, &args), PAM_SUCCESS == err) { -+ record_attempt(args); -+ } else if (PAM_NO_MODULE_DATA != err) { -+ return err; -+ } - - if (args = malloc(sizeof(abl_args)), NULL == args) { - return PAM_BUF_ERR; diff --git a/security/pam_abl/files/patch-pam_abl.h b/security/pam_abl/files/patch-pam_abl.h deleted file mode 100644 index 2d21d06..0000000 --- a/security/pam_abl/files/patch-pam_abl.h +++ /dev/null @@ -1,19 +0,0 @@ ---- pam_abl.h.orig Wed Oct 12 21:22:27 2005 -+++ pam_abl.h Sat Jan 14 19:25:44 2006 -@@ -51,6 +51,7 @@ - #define __PAM_ABL_H - - #include -+#include - #include - - #include -@@ -74,7 +75,7 @@ - /* User purge time in seconds */ - #define USER_PURGE (HOURSECS * 24) - --#define CONFIG "/etc/security/pam_abl.conf" -+#define CONFIG "%%ETCPREFIX%%/etc/pam_abl.conf" - - typedef struct abl_string { - struct abl_string *link; diff --git a/security/pam_abl/files/patch-pam_functions.c b/security/pam_abl/files/patch-pam_functions.c new file mode 100644 index 0000000..df69f32 --- /dev/null +++ b/security/pam_abl/files/patch-pam_functions.c 
@@ -0,0 +1,14 @@ +diff -ur pam_functions.c pam_functions.c +--- pam_functions.c 2013-08-29 21:52:11.000000000 +0100 ++++ pam_functions.c 2014-05-24 15:10:30.138694832 +0100 +@@ -36,10 +36,6 @@ + + static void cleanup(pam_handle_t *pamh, void *data, int err) { + (void)(pamh); +- //if we are replacing our data pointer, ignore the cleanup. +- //the function replacing our data should handle the cleanup +- if (err & PAM_DATA_REPLACE) +- return; + + if (NULL != data) { + abl_context *context = data; diff --git a/security/pam_abl/files/patch-tools-Makefile b/security/pam_abl/files/patch-tools-Makefile deleted file mode 100644 index c790887..0000000 --- a/security/pam_abl/files/patch-tools-Makefile +++ /dev/null @@ -1,26 +0,0 @@ ---- tools/Makefile.orig Wed Oct 12 21:22:27 2005 -+++ tools/Makefile Sun Dec 11 00:22:30 2005 -@@ -1,18 +1,18 @@ - # Makefile - --CFLAGS=-Wall --LIBS=-ldb -lpthread -+CFLAGS=-Wall -I/usr/local/include -+LIBS=-L/usr/local/lib -ldb -lpthread - TARGET=pam_abl - OBJ=log.o config.o rule.o pam_abl.o --INSTDIR=/usr/bin -+INSTDIR=%%PREFIX%%/sbin - - all : $(TARGET) - - $(TARGET) : $(OBJ) -- cc $(LIBS) -o $@ $^ -+ cc $(LIBS) -o $(TARGET) $(OBJ) - - install : $(TARGET) -- install --mode=755 --strip $(TARGET) $(INSTDIR) -+ install -m 755 -s $(TARGET) $(INSTDIR) - - clean : - rm -f $(TARGET) $(OBJ) diff --git a/security/pam_abl/files/patch-tools.c b/security/pam_abl/files/patch-tools.c new file mode 100644 index 0000000..22e4b63 --- /dev/null +++ b/security/pam_abl/files/patch-tools.c @@ -0,0 +1,12 @@ +diff -ur tools.c tools.c +--- tools.c 2013-08-29 21:52:11.000000000 +0100 ++++ tools.c 2014-05-24 15:15:50.184663121 +0100 +@@ -29,7 +29,7 @@ + #include + + #define PAD "\t" +-#define DEFAULT_CONFIG "/etc/security/pam_abl.conf" ++#define DEFAULT_CONFIG "%%ETCPREFIX%%/etc/pam_abl.conf" + #define MAXNAMES 200 + + typedef enum { diff --git a/security/pam_abl/files/pkg-plist.in b/security/pam_abl/files/pkg-plist.in index 7b2d602..1e59ead 100644 
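Review bot: Deleting the `if (err & PAM_DATA_REPLACE) return;` guard from cleanup() changes when the context is torn down, but the new patch file carries no comment saying why; I would add one in the patch, e.g. `/* OpenPAM has no PAM_DATA_REPLACE; its pam_set_data invokes the old cleanup itself */`, after confirming that is actually the reason. A less invasive form keeps upstream's behaviour where the constant exists: wrap the test in `#ifdef PAM_DATA_REPLACE` … `#endif` instead of removing it. If the base PAM does call the old item's cleanup on replacement, the teardown that follows (`if (NULL != data) { abl_context *context = data;` onward) now runs on replacement too, so check that the code doing the replacing does not keep using the freed context. The rest of cleanup() lies outside the hunk.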
--- a/security/pam_abl/files/pkg-plist.in +++ b/security/pam_abl/files/pkg-plist.in @@ -1,7 +1,12 @@ +bin/pam_abl +@unexec if cmp -s %D/etc/pam_abl.conf.sample %D/etc/pam_abl.conf; then rm -f %D/etc/pam_abl.conf; fi etc/pam_abl.conf.sample +@exec if [ ! -f %D/etc/pam_abl.conf ]; then cp -p %D/%F %B/pam_abl.conf; fi etc/periodic/daily/190.clean-pam-abl lib/pam_abl.so -sbin/pam_abl +man/man1/pam_abl.1.gz +man/man5/pam_abl.conf.5.gz +man/man8/pam_abl.8.gz @exec mkdir -p %%PAMABLDB%% @dirrmtry etc/periodic/daily @dirrmtry etc/periodic --Q68bSM7Ycu6FN28Q--
-h, --help