Date:      Sat, 24 May 2014 17:50:00 GMT
From:      Ben Morrow <ben@morrow.me.uk>
To:        freebsd-ports-bugs@FreeBSD.org
Subject:   Re: ports/188483: [PATCH] update pam_abl to 0.6.0
Message-ID:  <201405241750.s4OHo0T8076997@freefall.freebsd.org>

The following reply was made to PR ports/188483; it has been noted by GNATS.

From: Ben Morrow <ben@morrow.me.uk>
To: bug-followup@FreeBSD.org, antiduh@csh.rit.edu
Cc:  
Subject: Re: ports/188483: [PATCH] update pam_abl to 0.6.0
Date: Sat, 24 May 2014 18:38:01 +0100

 --Q68bSM7Ycu6FN28Q
 Content-Type: text/plain; charset=us-ascii
 Content-Disposition: inline
 
 I've done up a patch to update the port to 0.6.0.
 
 Ben
 
 
 --Q68bSM7Ycu6FN28Q
 Content-Type: text/x-diff; charset=us-ascii
 Content-Disposition: attachment; filename="pam_abl-0.6.0-ports.patch"
 
 diff --git a/security/pam_abl/Makefile b/security/pam_abl/Makefile
 index 5dc8c19..33d3503 100644
 --- a/security/pam_abl/Makefile
 +++ b/security/pam_abl/Makefile
 @@ -2,33 +2,39 @@
  # $FreeBSD$
  
  PORTNAME=	pam_abl
 -PORTVERSION=	0.2.3
 +PORTVERSION=	0.6.0
  CATEGORIES=	security
 -MASTER_SITES=	SF/pam-abl/pam-abl/${PORTVERSION}
 +DISTNAME=	pam-abl-${PORTVERSION}
 +MASTER_SITES=	SF/pam-abl/pam-abl
  
  MAINTAINER=	prehor@gmail.com
  COMMENT=	Blacklisting responsible for repeated failed authentication attempts
  
 -WRKSRC=		${WRKDIR}/${PORTNAME}
 +NO_WRKSUBDIR=
  
  PAMABLDB?=	/var/db/pam_abl
  
 -USE_BDB=	42+
 +USES=		cmake
 +USE_BDB=	5
  
 -SUB_FILES=	pkg-deinstall pkg-message pkg-plist pam_abl.8 190.clean-pam-abl
 +SUB_FILES=	pkg-deinstall pkg-message pkg-plist 190.clean-pam-abl
  SUB_LIST=	PAMABLDB=${PAMABLDB}
  
  PKGMESSAGE=	${WRKDIR}/pkg-message
  PKGDEINSTALL=	${WRKDIR}/pkg-deinstall
  PLIST=		${WRKDIR}/pkg-plist
  
 +MAN1=		pam_abl.1
 +MAN5=		pam_abl.conf.5
  MAN8=		pam_abl.8
 +PORTDOCS=	README Changelog.txt
  
 -.if !defined(NOPORTDOCS)
 -PORTDOCS=	*
 +.if !defined(NO_INSTALL_MANPAGES)
 +BUILD_DEPENDS+=	a2x:${PORTSDIR}/textproc/asciidoc \
 +		xsltproc:${PORTSDIR}/textproc/libxslt \
 +		${LOCALBASE}/share/xsl/docbook/manpages/docbook.xsl:${PORTSDIR}/textproc/docbook-xsl
  .endif
  
 -NO_STAGE=	yes
  .include <bsd.port.pre.mk>
  
  .if ${PREFIX} == / || ${PREFIX} == /usr
 @@ -38,33 +44,42 @@ ETCPREFIX=	${PREFIX}
  .endif
  SUB_LIST+=	ETCPREFIX=${ETCPREFIX}
  
 -SED_SCRIPT=	-e 's|<db.h>|<${BDB_INCLUDE_DIR}/db.h>|' \
 -		-e 's|-ldb|-l${BDB_LIB_NAME}|' \
 -		-e 's|%%PREFIX%%|${PREFIX}|' \
 -		-e 's|%%LOCALBASE%%|${LOCALBASE}|' \
 -		-e 's|%%ETCPREFIX%%|${ETCPREFIX}|' \
 +CMAKE_ARGS+=	-DBDB_INCLUDE_DIR=${BDB_INCLUDE_DIR} \
 +		-DBDB_LIB_NAME=${BDB_LIB_NAME} \
 +		-DBDB_LIB_DIR=${BDB_LIB_DIR}
 +
 +SED_SCRIPT= 	-e 's|%%ETCPREFIX%%|${ETCPREFIX}|' \
  		-e 's|%%PAMABLDB%%|${PAMABLDB}|'
  
 +SED_FILES=	test_abl.c pam_abl.c tools.c \
 +		doc/pam_abl.1.txt doc/pam_abl.8.txt doc/pam_abl.conf.5.txt \
 +		conf/pam_abl.conf
 +
  post-patch:
 -.for file in Makefile pam_abl.h conf/pam_abl.conf conf/system-auth doc/index.html doc/pam_abl.html tools/Makefile
 +.for file in ${SED_FILES}
  	@${REINPLACE_CMD} ${SED_SCRIPT} ${WRKSRC}/${file}
  .endfor
  
 -pre-install:
 +.if !defined(NO_INSTALL_MANPAGES)
 +post-build:
 +	(cd ${WRKSRC}/doc && ./generate.sh)
 +.endif
 +
 +post-install:
  .if !defined(NOPORTDOCS)
 -	@${MKDIR} ${DOCSDIR}
 -.for file in AUTHORS COPYING Copyright NEWS README THANKS conf/system-auth doc/index.html doc/pam_abl.html doc/copying.html doc/style.css
 -	${INSTALL_DATA} ${WRKSRC}/${file} ${DOCSDIR}
 +	@${MKDIR} ${STAGEDIR}${DOCSDIR}
 +.for file in ${PORTDOCS}
 +	${INSTALL_DATA} ${WRKSRC}/${file} ${STAGEDIR}${DOCSDIR}
  .endfor
  .endif
  .if !defined(NO_INSTALL_MANPAGES)
 -	@${MKDIR} ${MAN8PREFIX}/man/man8
 -	${INSTALL_MAN} ${WRKDIR}/pam_abl.8 ${MAN8PREFIX}/man/man8/
 +	${INSTALL_MAN} ${WRKDIR}/doc/pam_abl.1 ${STAGEDIR}${MAN8PREFIX}/man/man1/
 +	${INSTALL_MAN} ${WRKDIR}/doc/pam_abl.8 ${STAGEDIR}${MAN8PREFIX}/man/man8/
 +	${INSTALL_MAN} ${WRKDIR}/doc/pam_abl.conf.5 ${STAGEDIR}${MAN8PREFIX}/man/man5/
  .endif
 -	@${MKDIR} ${PREFIX}/etc/periodic/daily
 -	${INSTALL_SCRIPT} ${WRKDIR}/190.clean-pam-abl ${PREFIX}/etc/periodic/daily/
 -
 -post-install:
 +	${INSTALL_DATA} ${WRKDIR}/conf/pam_abl.conf ${STAGEDIR}${ETCPREFIX}/etc/pam_abl.conf.sample
 +	@${MKDIR} ${STAGEDIR}${PREFIX}/etc/periodic/daily
 +	${INSTALL_SCRIPT} ${WRKDIR}/190.clean-pam-abl ${STAGEDIR}${ETCPREFIX}/etc/periodic/daily/
  	@${CAT} ${PKGMESSAGE}
  
  .include <bsd.port.post.mk>
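Review bot: In post-install the periodic directory is created as `${STAGEDIR}${PREFIX}/etc/periodic/daily`, but the script is installed into `${STAGEDIR}${ETCPREFIX}/etc/periodic/daily/`. The conditional just above this hunk sets ETCPREFIX separately when PREFIX is / or /usr, so in that case the two paths appear to differ and the install would target a directory the recipe never created. Use the same variable on both lines, e.g. `@${MKDIR} ${STAGEDIR}${ETCPREFIX}/etc/periodic/daily`, or keep `${PREFIX}` on the install line as the old recipe did. The same recipe installs the section 1 and 5 pages through `${MAN8PREFIX}` and reads them from `${WRKDIR}/doc`, while post-build generates them in `${WRKSRC}/doc`. These match only because of NO_WRKSUBDIR, so `${WRKSRC}/doc` would be the clearer spelling.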
 diff --git a/security/pam_abl/distinfo b/security/pam_abl/distinfo
 index e419f73..8db2f40 100644
 --- a/security/pam_abl/distinfo
 +++ b/security/pam_abl/distinfo
 @@ -1,2 +1,2 @@
 -SHA256 (pam_abl-0.2.3.tar.gz) = 9bb4059fba96f9846784d5e70bec72893630bdd70bc840be767cc33b83c6b163
 -SIZE (pam_abl-0.2.3.tar.gz) = 19000
 +SHA256 (pam-abl-0.6.0.tar.gz) = dff9437af247fee19e8269919a3eed44c1e69874c1fa06325997c8d1eeb7eeb4
 +SIZE (pam-abl-0.6.0.tar.gz) = 48882
 diff --git a/security/pam_abl/files/190.clean-pam-abl.in b/security/pam_abl/files/190.clean-pam-abl.in
 index 3b3ca29..4f52bd5 100644
 --- a/security/pam_abl/files/190.clean-pam-abl.in
 +++ b/security/pam_abl/files/190.clean-pam-abl.in
 @@ -17,7 +17,9 @@ case "$daily_clean_pam_abl_enable" in
  	echo ""
  	echo "Purging pam_abl databases:"
  
 -	%%PREFIX%%/sbin/pam_abl -p -v ${daily_clean_pam_abl_config_file}
 +	conf="${daily_clean_pam_abl_config_file:-%%ETCPREFIX%%/etc/pam_abl.conf}
 +
 +	%%PREFIX%%/bin/pam_abl -p -v ${conf}
  	[ $? -ne 0 ] && rc=3 || rc=0;;
      *)  rc=0;;
  esac
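Review bot: The added `conf=` assignment never closes its double quote, so the shell reads the following lines as part of the string and the periodic script will most likely fail to parse. Close the quote and quote the expansion where it is used: `conf="${daily_clean_pam_abl_config_file:-%%ETCPREFIX%%/etc/pam_abl.conf}"` and `%%PREFIX%%/bin/pam_abl -p -v "${conf}"`. If the daily job cannot run, old entries are presumably never purged from the pam_abl databases, so it is worth checking the substituted script with `sh -n` before committing. The enclosing case statement begins outside the hunk.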
 diff --git a/security/pam_abl/files/pam_abl.8.in b/security/pam_abl/files/pam_abl.8.in
 deleted file mode 100644
 index 9395d43..0000000
 --- a/security/pam_abl/files/pam_abl.8.in
 +++ /dev/null
 @@ -1,270 +0,0 @@
 -.\"
 -.\" $FreeBSD$
 -.\"
 -.Dd January 14, 2006
 -.Dt pam_abl 8
 -.Os
 -.Sh NAME
 -.Nm pam_abl
 -.Nd auto blacklist PAM module
 -.Sh SYNOPSIS
 -.Ss Auto Blacklist PAM module
 -.Op Ar service-name
 -.Ar module-name
 -.Ar control-flag
 -.Pa pam_abl
 -.Op Ar options
 -.Ss Blacklist maintenance tool
 -.Nm
 -.Op Fl h | Fl -help
 -.Op Fl p | Fl -purge
 -.Op Fl r | Fl -relative
 -.Op Fl v | Fl -verbose
 -.Op Fl -okhost Ns No = Ns Ar host
 -.Op Fl -okuser Ns No = Ns Ar user
 -.Op Ar config-file
 -.Sh DESCRIPTION
 -The Auto Blacklist module for PAM,
 -.Nm
 -provides functionality for only one PAM category: authentication.
 -In terms of the
 -.Ar module-type
 -parameter, this is the
 -.Dq Li auth
 -feature.
 -.Ss Auto Blacklist PAM Authentication Module
 -.Nm
 -provides auto blacklisting of hosts and users responsible for repeated
 -failed authentication attempts. Generally configured so that blacklisted
 -users still see normal login prompts but are guaranteed to fail to
 -authenticate.  This functionality is only available to services which call
 -PAM as root.  If
 -.Nm
 -is called for uid != 0 it will silently succeed.
 -
 -The following options may be passed to the authentication module:
 -.Bl -tag -width indent
 -.It Cm debug
 -.Xr syslog 3
 -debugging information at
 -.Dv LOG_DEBUG
 -level.
 -.It Cm expose_account
 -Ignored.
 -.It Cm no_warn
 -suppress warning messages to the user.
 -These messages include reasons why the user's authentication attempt was
 -declined.
 -.It Cm try_first_pass
 -Ignored.
 -.It Cm use_first_pass
 -Ignored.
 -.It Cm use_mapped_pass
 -Ignored.
 -.It Cm config Ns No = Ns Ar config-file
 -The configuration file contains additional arguments. In order for the
 -.Nm
 -blacklist maintenance tool to work correctly most of the configuration
 -should be placed in the config file rather than being provided by arguments.
 -The format of the config file is described below.
 -.It Cm host_db Ns No = Ns Ar host-database-file
 -Path to the Berkeley DB which is used to log the host responsible for failed
 -authentication attempts.
 -If host_db is omitted the corresponding auto blacklisting will be disabled.
 -.It Cm host_purge Ns No = Ns Ar time
 -Defines how long failed hosts are retained in the host database.
 -Defaults to 1 day.
 -.It Cm host_rule Ns No = Ns Ar host-rule
 -The rule (see below for format) which defines the conditions under which a
 -failed hosts will be blackisted.
 -.It Cm user_db Ns No = Ns Ar user-database-file
 -Path to the Berkeley DB which is used to log the user responsible for failed
 -authentication attempts.
 -If user_db is omitted the corresponding auto blacklisting will be disabled.
 -.It Cm user_purge Ns No = Ns Ar time
 -Defines how long failed users are retained in the user database.
 -Defaults to 1 day.
 -.It Cm user_rule Ns No = Ns Ar user-rule
 -The rule (see below for format) which defines the conditions under which a
 -failed users will be blackisted.
 -.El
 -.Ss Rules syntax
 -.Cm host_rule No Cm user_rule
 -are the rules which determine the circumstances under which accounts ares
 -auto blacklisted.
 -The
 -.Cm host_rule
 -is used to block access to hosts that are responsible for excessive
 -authentication failures and the
 -.Cm user_rule
 -is used to disable accounts for which there have been excessive
 -authentication failures.
 -Each rule consists of a number of space separated
 -.Sy user clauses Ns No .
 -A
 -.Sy user clause
 -specifies the user names and services to match and a set of triggers.
 -A simple example would be:
 -.Bd -literal -offset indent
 -*:10/1h
 -.Ed
 -.Pp
 -which means 'block any user (*) if they are responsible for ten or more
 -failed authentication attempts in the last hour'.
 -In place of the '*' which matches any user a list of usernames can be
 -supplied like this:
 -.Bd -literal -offset indent
 -root|dba|admin:10/1h
 -.Ed
 -.Pp
 -which means 'block the users root, dba and admin if they are responsible
 -for ten or more failed authentication attempts in the last hour'.
 -You can also specify a service name to match against like this:
 -.Bd -literal -offset indent
 -root/sshd|dba/*:3/1d
 -.Ed
 -.Pp
 -which means 'block the users root for service sshd and user dba for any
 -service if they are responsible for three or more failed authentication
 -attempts in the last day'.
 -Finally you can specify multiple triggers like this:
 -.Bd -literal -offset indent
 -root:10/1h,20/1d
 -.Ed
 -.Pp
 -which means 'block the user root if they are responsible for ten or more
 -failed attempts in the last hour or twenty or more failed attempts in the
 -last day.
 -.Pp
 -Multiple rules can be provided separated by spaces like this:
 -.Bd -literal -offset indent
 -*:10/1h root:5/1h,10/1d
 -.Ed
 -.Pp
 -in which case all rules that match a particular user and service will be
 -checked.
 -The user or host will be blocked if any of the rule triggers matches.
 -.Pp
 -The sense of the user matching can be inverted by placing a '!' in front
 -of the rule so that:
 -.Bd -literal -offset indent
 -!root:20/1d
 -.Ed
 -.Pp
 -is a rule which would match for all users apart from root.
 -.Pp
 -It is important to treat root as a special case in the
 -.Cm user_rule
 -otherwise excessive attempts to authenticate as root will result in the
 -root account being locked out even for valid holders of root credentials.
 -.Pp
 -Here is the full syntax for rules:
 -.Bd -literal -offset indent
 -word ::= /[^\\s\\|\\/\\*]+/
 -name ::= word | '*'
 -username ::= name
 -servicename ::= name
 -userservice ::= username | username '/' servicename
 -namelist ::= userservice | userservice '|' namelist
 -userspec ::= namelist | '!' namelist
 -multiplier ::= 's' | 'm' | 'h' | 'd'
 -number ::= /\d+/
 -period ::= number | number multiplier
 -trigger ::= number '/' period
 -triglist ::= trigger | trigger ',' triglist
 -userclause ::= userspec ':' triglist
 -rule ::= userclause | userclause /\s+/ rule
 -.Ed
 -.Pp
 -For rules to work correctly
 -.Cm host_purge No and Cm user_purge 
 -must be at least as long as the longest period specified in a corresponding
 -rule.
 -You may wish to retain information about failed attempts for longer than
 -this so that the 
 -.Nm
 -blacklist maintenance tool can report information over a longer period of
 -time.
 -The format for this items is a number with an optional multiplier suffix,
 -'s', 'm', 'h' or 'd' which correspond with seconds, minutes, hours and days.
 -To specify seven days for example one would use '7d'.
 -Note that in normal operation
 -.Nm
 -PAM module will only purge the logged data for a particular host or user
 -if it happens to be updating it, i.e. if that host or user makes another
 -failed attempt.
 -To purge all old entries the 
 -.Nm
 -blacklist maintenance tool should be used.
 -.Ss Blacklist maintenance tool
 -Blacklist maintenance tool
 -.Nm
 -perform maintenance on the databases used by the
 -.Nm
 -PAM module.
 -The options are as follows:
 -.Bl -tag -width indent
 -.It Fl h | Fl -help
 -Print help page and exit.
 -.It Fl p | Fl -purge
 -Purge databases according to purge rules in config.
 -.It Fl r | Fl -relative
 -Display times relative to now otherwise absolute times will be displayed.
 -.It Fl v | Fl -verbose
 -Verbose output.
 -.It Fl -okhost Ns No = Ns Ar host-name
 -Unblock host.
 -.It Fl -okuser Ns No = Ns Ar user-name
 -Unblock user.
 -.It Ar config-file
 -Name of the
 -.Nm
 -configuration file (default: %%ETCPREFIX%%/etc/pam_abl.conf).
 -The config file is read to discover the names of the
 -.Nm
 -databases and the rules that control purging of old data from them.
 -.El
 -.Sh EXAMPLES
 -.Ss Auto Blacklist PAM module
 -Typically
 -.Nm
 -PAM module is added to the auth stack as a required module just before
 -whatever modules actually peform authentication.
 -Here's a fragment of the PAM config:
 -.Bd -literal -offset indent
 -auth required   pam_env
 -auth required   pam_abl  config=%%ETCPREFIX%%/etc/pam_abl.conf
 -auth sufficient pam_unix likeauth nullok
 -auth required   pam_deny
 -.Ed
 -.Ss Blacklist maintenance tool
 -Obtain a list of failed hosts and users:
 -.Bd -literal -offset indent
 -$ pam_abl
 -.Ed
 -.Pp
 -Obtain a full list of failures listing times relative to now:
 -.Bd -literal -offset indent
 -$ pam_abl -rv
 -.Ed
 -.Pp
 -Purge old data:
 -.Bd -literal -offset indent
 -$ pam_abl -p
 -.Ed
 -.Pp
 -Unblock all example.com hosts and all users:
 -.Bd -literal -offset indent
 -$ pam_abl -v --okhost='*.example.com' --okuser='*'
 -.Ed
 -.Sh SEE ALSO
 -.Xr pam.conf 5 ,
 -.Xr pam 8
 -.Bd -literal
 -http://www.hexten.net/pam_abl/
 -http://sourceforge.net/project/showfiles.php?group_id=148927
 -.Ed
 -.Sh AUTHORS
 -Written by Andy Armstrong <andy@hexten.net>.
 -.Sh BUGS
 -Report bugs to Andy Armstrong <andy@hexten.net>.
 diff --git a/security/pam_abl/files/patch-CMakeLists.txt b/security/pam_abl/files/patch-CMakeLists.txt
 new file mode 100644
 index 0000000..e06c4c1
 --- /dev/null
 +++ b/security/pam_abl/files/patch-CMakeLists.txt
 @@ -0,0 +1,9 @@
 +diff -ur CMakeLists.txt CMakeLists.txt
 +--- CMakeLists.txt	2013-08-29 21:52:11.000000000 +0100
 ++++ CMakeLists.txt	2014-05-24 15:52:49.476475638 +0100
 +@@ -73,4 +73,4 @@
 + INSTALL(TARGETS pam-abl_bin
 + 	RUNTIME DESTINATION bin
 + )
 +-INSTALL(TARGETS pam-abl_lib DESTINATION lib/security)
 ++INSTALL(TARGETS pam-abl_lib DESTINATION lib)
 diff --git a/security/pam_abl/files/patch-Makefile b/security/pam_abl/files/patch-Makefile
 deleted file mode 100644
 index 633b85f..0000000
 --- a/security/pam_abl/files/patch-Makefile
 +++ /dev/null
 @@ -1,42 +0,0 @@
 ---- Makefile.orig	Wed Oct 12 21:22:25 2005
 -+++ Makefile	Sun Dec 11 00:29:31 2005
 -@@ -1,11 +1,11 @@
 - # Makefile
 - # $Id: Makefile,v 1.1.1.1 2005/10/12 19:22:25 tagishandy Exp $
 - 
 --CFLAGS=-Wall -fPIC
 --PAMDIR=/lib/security
 --CONFDIR=/etc/security
 --DBDIR=/var/lib/abl
 --LIBS=-ldb -lpthread
 -+CFLAGS=-Wall -fPIC -I%%PREFIX%%/include -I%%LOCALBASE%%/include
 -+PAMDIR=%%PREFIX%%/lib
 -+CONFDIR=%%ETCPREFIX%%/etc
 -+DBDIR=%%PAMABLDB%%
 -+LIBS=-L%%PREFIX%%/lib -L%%LOCALBASE%% -ldb -lpthread
 - MODULE=pam_abl.so
 - OBJ=pam_abl.o log.o config.o rule.o
 - SUBDIRS=tools
 -@@ -14,17 +14,17 @@
 - 	for d in $(SUBDIRS) ; do cd $$d && make $@ && cd .. ; done
 - 
 - $(MODULE) : $(OBJ)
 --	ld -x --shared $(LIBS) -o $@ $^
 -+	ld -x --shared $(LIBS) -o $(MODULE) $(OBJ)
 - 
 - clean :
 - 	rm -f $(MODULE) $(OBJ)
 - 	for d in $(SUBDIRS) ; do cd $$d && make $@ && cd .. ; done
 - 
 - install : $(MODULE)
 --	install --mode=755 --strip $(MODULE) $(PAMDIR)
 --	#install --mode=644 conf/pam_abl.conf $(CONFDIR)
 --	install -d --mode=755 $(DBDIR)
 --	for d in t $(SUBDIRS) ; do cd $$d && make $@ && cd .. ; done
 -+	install -m 755 -s $(MODULE) $(PAMDIR)
 -+	install -m 644 conf/pam_abl.conf $(CONFDIR)/pam_abl.conf.sample
 -+	install -d -m 755 $(DBDIR)
 -+	for d in $(SUBDIRS) ; do cd $$d && make $@ && cd .. ; done
 - 
 - depend :
 - 	cc -MM *.c > deps
 diff --git a/security/pam_abl/files/patch-cmake-Modules-FindBerkeleyDB.cmake b/security/pam_abl/files/patch-cmake-Modules-FindBerkeleyDB.cmake
 new file mode 100644
 index 0000000..a52fe61
 --- /dev/null
 +++ b/security/pam_abl/files/patch-cmake-Modules-FindBerkeleyDB.cmake
 @@ -0,0 +1,31 @@
 +diff -ur cmake/Modules/FindBerkeleyDB.cmake cmake/Modules/FindBerkeleyDB.cmake
 +--- cmake/Modules/FindBerkeleyDB.cmake	2013-08-29 21:52:11.000000000 +0100
 ++++ cmake/Modules/FindBerkeleyDB.cmake	2014-05-24 16:00:54.469441914 +0100
 +@@ -8,22 +8,18 @@
 +     NAMES
 +       db.h
 +     PATHS
 +-      /usr/include
 +-      /usr/local/include
 +-      /opt/local/include
 +-      /sw/include
 ++      ${BDB_INCLUDE_DIR}
 ++    NO_DEFAULT_PATH
 +   )
 + endif (NOT DB_INCLUDE_DIR)
 + 
 + if (NOT DB_LIBRARY)
 +   find_library(DB_LIBRARY
 +     NAMES
 +-      db
 ++      ${BDB_LIB_NAME}
 +     PATHS
 +-      /usr/lib
 +-      /usr/local/lib
 +-      /opt/local/lib
 +-      /sw/lib
 ++      ${BDB_LIB_DIR}
 ++    NO_DEFAULT_PATH
 +   )
 + endif (NOT DB_LIBRARY)
 + 
 diff --git a/security/pam_abl/files/patch-conf-pam_abl.conf b/security/pam_abl/files/patch-conf-pam_abl.conf
 index c668e08..e66a0cb 100644
 --- a/security/pam_abl/files/patch-conf-pam_abl.conf
 +++ b/security/pam_abl/files/patch-conf-pam_abl.conf
 @@ -1,14 +1,15 @@
 ---- conf/pam_abl.conf.orig	Sat Dec 10 23:27:33 2005
 -+++ conf/pam_abl.conf	Sun Dec 11 00:07:41 2005
 +diff -ur conf/pam_abl.conf conf/pam_abl.conf
 +--- conf/pam_abl.conf	2013-08-29 21:52:11.000000000 +0100
 ++++ conf/pam_abl.conf	2014-05-24 16:03:44.560424677 +0100
  @@ -1,8 +1,8 @@
 --# /etc/security/pam_abl.conf
 -+# %%ETCPREFIX%%/etc/pam_abl.conf
 - # debug
 +-db_home=/var/lib/abl
  -host_db=/var/lib/abl/hosts.db
 ++db_home=%%PAMABLDB%%
  +host_db=%%PAMABLDB%%/hosts.db
 - host_purge=2d
 - host_rule=*:10/1h,30/1d
 + host_purge=1d
 + host_rule=*:30/1h
  -user_db=/var/lib/abl/users.db
  +user_db=%%PAMABLDB%%/users.db
 - user_purge=2d
 - user_rule=!root:10/1h,30/1d
 + user_purge=1d
 + user_rule=*:3/1h
 + host_clear_cmd=[logger] [clear] [host] [%h]
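Review bot: The sample config this patch leaves in place carries `user_rule=*:3/1h`, which matches every account including root, where the previous sample used `!root:10/1h,30/1d`. The 0.2.3 manual page removed elsewhere in this patch warns that without a root exception, repeated failed attempts can lock out legitimate holders of root credentials. Whether 0.6.0 behaves the same way is not visible here and should be confirmed. Since the port already patches this file, consider having the inner patch change the line to `user_rule=!root:3/1h`, or mention the default in pkg-message so administrators review it before enabling the module.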
 diff --git a/security/pam_abl/files/patch-conf-system-auth b/security/pam_abl/files/patch-conf-system-auth
 deleted file mode 100644
 index 4f287c1..0000000
 --- a/security/pam_abl/files/patch-conf-system-auth
 +++ /dev/null
 @@ -1,39 +0,0 @@
 ---- conf/system-auth.orig	Wed Oct 12 21:22:27 2005
 -+++ conf/system-auth	Sat Jan 14 22:37:20 2006
 -@@ -1,15 +1,24 @@
 --#%PAM-1.0
 --auth        required      /lib/security/$ISA/pam_env.so
 --auth        required      /lib/security/$ISA/pam_abl.so config=/etc/security/pam_abl.conf
 --auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
 --auth        required      /lib/security/$ISA/pam_deny.so
 -+#
 -+# System-wide defaults
 -+#
 - 
 --account     required      /lib/security/$ISA/pam_unix.so
 -+# auth
 -+auth		required	%%PREFIX%%/lib/pam_abl.so config=%%ETCPREFIX%%/etc/pam_abl.conf
 -+auth		sufficient	pam_opie.so		no_warn no_fake_prompts
 -+auth		requisite	pam_opieaccess.so	no_warn allow_local
 -+#auth		sufficient	pam_krb5.so		no_warn try_first_pass
 -+#auth		sufficient	pam_ssh.so		no_warn try_first_pass
 -+auth		required	pam_unix.so		no_warn try_first_pass nullok
 - 
 --password    required      /lib/security/$ISA/pam_cracklib.so retry=3 type=
 --password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
 --password    required      /lib/security/$ISA/pam_deny.so
 -+# account
 -+#account 	required	pam_krb5.so
 -+account		required	pam_login_access.so
 -+account		required	pam_unix.so
 - 
 --session     required      /lib/security/$ISA/pam_limits.so
 --session     required      /lib/security/$ISA/pam_abl.so
 --session     required      /lib/security/$ISA/pam_unix.so
 -+# session
 -+#session 	optional	pam_ssh.so
 -+session		required	pam_lastlog.so		no_fail
 -+
 -+# password
 -+#password	sufficient	pam_krb5.so		no_warn try_first_pass
 -+password	required	pam_unix.so		no_warn try_first_pass
 diff --git a/security/pam_abl/files/patch-doc-generate.sh b/security/pam_abl/files/patch-doc-generate.sh
 new file mode 100644
 index 0000000..02560fc
 --- /dev/null
 +++ b/security/pam_abl/files/patch-doc-generate.sh
 @@ -0,0 +1,12 @@
 +diff -ur doc/generate.sh doc/generate.sh
 +--- doc/generate.sh	2013-08-29 21:52:11.000000000 +0100
 ++++ doc/generate.sh	2014-05-24 15:56:08.034510743 +0100
 +@@ -1,6 +1,6 @@
 +-#!/bin/bash
 ++#!/bin/sh
 + 
 +-if [[ "$1" == "clean" ]]
 ++if [ "$1" = "clean" ]
 + then
 + 	ls ./|grep -v 'Makefile\|txt\|generate'|xargs rm
 + else
 diff --git a/security/pam_abl/files/patch-doc-index.html b/security/pam_abl/files/patch-doc-index.html
 deleted file mode 100644
 index 1b63b62..0000000
 --- a/security/pam_abl/files/patch-doc-index.html
 +++ /dev/null
 @@ -1,75 +0,0 @@
 ---- doc/index.html.orig	Wed Oct 12 21:22:27 2005
 -+++ doc/index.html	Sat Jan 14 22:48:16 2006
 -@@ -44,7 +44,7 @@
 - 			<dd>Requires <a href="http://www.sleepycat.com/products/db.shtml">Berkeley DB</a>
 - 			(tested with 4.3.21 and 4.2.50).<br />
 - 
 --			Requires a configuration file (by convention /etc/security/pam_abl.conf)</dd>
 -+			Requires a configuration file (by convention %%ETCPREFIX%%/etc/pam_abl.conf)</dd>
 - 
 - 			<dt>Network aware:</dt>
 - 
 -@@ -171,28 +171,26 @@
 - 				<p>Typically pam_abl.so is added to the auth stack as a required module just before whatever modules actually peform authentication. Here's a fragment of the PAM config for a production server that is running pam_abl:</p>
 - 
 - 				<table class="config">
 --					<tr><td>auth</td><td>required</td><td>/lib/security/pam_env.so</td></tr>
 --					<tr><td>auth</td><td>required</td><td>/lib/security/pam_abl.so config=/etc/security/pam_abl.conf</td></tr>
 --					<tr><td>auth</td><td>sufficient</td><td>/lib/security/pam_unix.so likeauth nullok</td></tr>
 --					<tr><td>auth</td><td>required</td><td>/lib/security/pam_deny.so</td></tr>
 -+					<tr><td>auth</td><td>required</td><td>%%PREFIX%%/lib/pam_abl.so config=%%ETCPREFIX%%/etc/pam_abl.conf</td></tr>
 -+					<tr><td>auth</td><td>required</td><td>pam_unix.so no_warn try_first_pass nullok</td></tr>
 - 				</table>
 - 
 --				<p>Although all of accepted arguments can be supplied here they will usually be placed in a separate config file and linked to using the config argument as in the above example. The <a href="pam_abl.html">pam_abl command line tool</a> reads the external config file (/etc/security/pam_abl.conf in this case) to find the databases so in order for it work correctly an external config should be used.</p>
 -+				<p>Although all of accepted arguments can be supplied here they will usually be placed in a separate config file and linked to using the config argument as in the above example. The <a href="pam_abl.html">pam_abl command line tool</a> reads the external config file (%%ETCPREFIX%%/etc/pam_abl.conf in this case) to find the databases so in order for it work correctly an external config should be used.</p>
 - 
 - 			</dd>
 - 
 - 			<dt>Config file syntax:</dt>
 - 
 - 			<dd>
 --				<p>The config file can contain any arguments that would be supplied via PAM config. In the config file arguments are placed on separate lines. Comments may be included after a '#' and line continuation is possible by placing a back slash at the end of the line to be continued. Here is a sample /etc/security/pam_abl.conf:</p>
 -+				<p>The config file can contain any arguments that would be supplied via PAM config. In the config file arguments are placed on separate lines. Comments may be included after a '#' and line continuation is possible by placing a back slash at the end of the line to be continued. Here is a sample %%ETCPREFIX%%/etc/pam_abl.conf:</p>
 - 
 - 				<table class="config">
 --					<tr><td># /etc/security/pam_abl.conf</td></tr>
 -+					<tr><td># %%ETCPREFIX%%/etc/pam_abl.conf</td></tr>
 - 					<tr><td>debug</td></tr>
 --					<tr><td>host_db=/var/lib/abl/hosts.db</td></tr>
 -+					<tr><td>host_db=%%PAMABLDB%%/hosts.db</td></tr>
 - 					<tr><td>host_purge=2d</td></tr>
 - 					<tr><td>host_rule=*:10/1h,30/1d</td></tr>
 --					<tr><td>user_db=/var/lib/abl/users.db</td></tr>
 -+					<tr><td>user_db=%%PAMABLDB%%/users.db</td></tr>
 - 					<tr><td>user_purge=2d</td></tr>
 - 					<tr><td>user_rule=!root:10/1h,30/1d</td></tr>
 - 				</table>
 -@@ -282,21 +280,19 @@
 - 				<p>Sample PAM config fragment:</p>
 - 
 - 				<table class="config">
 --					<tr><td>auth</td><td>required</td><td>/lib/security/pam_env.so</td></tr>
 --					<tr><td>auth</td><td>required</td><td>/lib/security/pam_abl.so config=/etc/security/pam_abl.conf</td></tr>
 --					<tr><td>auth</td><td>sufficient</td><td>/lib/security/pam_unix.so likeauth nullok</td></tr>
 --					<tr><td>auth</td><td>required</td><td>/lib/security/pam_deny.so</td></tr>
 -+					<tr><td>auth</td><td>required</td><td>%%PREFIX%%/lib/pam_abl.so %%ETCPREFIX%%/etc/pam_abl.conf</td></tr>
 -+					<tr><td>auth</td><td>required</td><td>pam_unix.so no_warn try_first_pass nullok</td></tr>
 - 				</table>
 - 
 --				<p>Sample /etc/security/pam_abl.conf:</p>
 -+				<p>Sample %%ETCPREFIX%%/etc/pam_abl.conf:</p>
 - 
 - 				<table class="config">
 --					<tr><td># /etc/security/pam_abl.conf</td></tr>
 -+					<tr><td># %%ETCPREFIX%%/etc/pam_abl.conf</td></tr>
 - 					<tr><td>debug</td></tr>
 --					<tr><td>host_db=/var/lib/abl/hosts.db</td></tr>
 -+					<tr><td>host_db=%%PAMABLDB%%/hosts.db</td></tr>
 - 					<tr><td>host_purge=2d</td></tr>
 - 					<tr><td>host_rule=*:10/1h,30/1d</td></tr>
 --					<tr><td>user_db=/var/lib/abl/users.db</td></tr>
 -+					<tr><td>user_db=%%PAMABLDB%%/users.db</td></tr>
 - 					<tr><td>user_purge=2d</td></tr>
 - 					<tr><td>user_rule=!root:10/1h,30/1d</td></tr>
 - 				</table>
 diff --git a/security/pam_abl/files/patch-doc-pam_abl.1.txt b/security/pam_abl/files/patch-doc-pam_abl.1.txt
 new file mode 100644
 index 0000000..8f281cf
 --- /dev/null
 +++ b/security/pam_abl/files/patch-doc-pam_abl.1.txt
 @@ -0,0 +1,12 @@
 +diff -ur doc/pam_abl.1.txt doc/pam_abl.1.txt
 +--- doc/pam_abl.1.txt	2013-08-29 21:52:11.000000000 +0100
 ++++ doc/pam_abl.1.txt	2014-05-24 15:17:27.228641197 +0100
 +@@ -19,7 +19,7 @@
 + 
 + Provides a non-pam interface to the infomration stored in the pam_abl module
 + databases.  CONFIG is the name of the pam_abl config file (default:
 +-/etc/security/pam_abl.conf). The config file is read to discover the names of
 ++%%ETCPREFIX%%/etc/pam_abl.conf). The config file is read to discover the names of
 + the pam_abl databases, the rules that control purging of old data from them and
 + commands to run when a user or host switches state.
 + 
 diff --git a/security/pam_abl/files/patch-doc-pam_abl.8.txt b/security/pam_abl/files/patch-doc-pam_abl.8.txt
 new file mode 100644
 index 0000000..4173252
 --- /dev/null
 +++ b/security/pam_abl/files/patch-doc-pam_abl.8.txt
 @@ -0,0 +1,37 @@
 +diff -ur doc/pam_abl.8.txt doc/pam_abl.8.txt
 +--- doc/pam_abl.8.txt	2013-08-29 21:52:11.000000000 +0100
 ++++ doc/pam_abl.8.txt	2014-05-24 15:26:37.856617372 +0100
 +@@ -155,17 +155,14 @@
 + authentication. Here's a fragment of the PAM config for a
 + production server that is running pam_abl:
 + 
 +-auth required   /lib/security/pam_env.so                           
 +-auth required   /lib/security/pam_abl.so                           
 +-                config=/etc/security/pam_abl.conf                  
 +-auth sufficient /lib/security/pam_unix.so likeauth nullok          
 +-auth required   /lib/security/pam_deny.so                          
 ++auth required   pam_abl.so      config=%%ETCPREFIX%%/etc/pam_abl.conf
 ++auth required   pam_unix.so     no_warn try_first_pass
 + 
 + Although all of accepted arguments can be supplied here they will
 + usually be placed in a separate config file and linked to using
 + the config argument as in the above example. The pam_abl command
 + line tool reads the external config file
 +-(/etc/security/pam_abl.conf in this case) to find the databases so
 ++(%%ETCPREFIX%%/etc/pam_abl.conf in this case) to find the databases so
 + in order for it work correctly an external config should be used.
 + 
 + 
 +@@ -173,10 +170,8 @@
 + --------
 + 
 + -------------------------------------
 +-auth required /lib/security/pam_env.so 
 +-auth required /lib/security/pam_abl.so config=/etc/security/pam_abl.conf 
 +-auth sufficient /lib/security/pam_unix.so likeauth nullok 
 +-auth required /lib/security/pam_deny.so 
 ++auth required   pam_abl.so      config=%%ETCPREFIX%%/etc/pam_abl.conf
 ++auth required   pam_unix.so     no_warn try_first_pass
 + -------------------------------------
 + 
 + 
 diff --git a/security/pam_abl/files/patch-doc-pam_abl.conf.5.txt b/security/pam_abl/files/patch-doc-pam_abl.conf.5.txt
 new file mode 100644
 index 0000000..6c72d93
 --- /dev/null
 +++ b/security/pam_abl/files/patch-doc-pam_abl.conf.5.txt
 @@ -0,0 +1,41 @@
 +diff -ur doc/pam_abl.conf.5.txt doc/pam_abl.conf.5.txt
 +--- doc/pam_abl.conf.5.txt	2013-08-29 21:52:11.000000000 +0100
 ++++ doc/pam_abl.conf.5.txt	2014-05-24 15:32:36.201559056 +0100
 +@@ -109,15 +109,15 @@
 + via PAM config. In the config file arguments are placed on
 + separate lines. Comments may be included after a '#' and line
 + continuation is possible by placing a back slash at the end of the
 +-line to be continued. Here is a sample /etc/security/pam_abl.conf:
 ++line to be continued. Here is a sample %%ETCPREFIX%%/etc/pam_abl.conf:
 + 
 + ----------------------------
 +-# /etc/security/pam_abl.conf  
 ++# %%ETCPREFIX%%/etc/pam_abl.conf  
 + debug                         
 +-host_db=/var/lib/abl/hosts.db 
 ++host_db=%%PAMABLDB%%/hosts.db 
 + host_purge=2d                 
 + host_rule=*:10/1h,30/1d       
 +-user_db=/var/lib/abl/users.db 
 ++user_db=%%PAMABLDB%%/users.db 
 + user_purge=2d                 
 + user_rule=!root:10/1h,30/1d   
 + ---------------------------
 +@@ -219,13 +219,13 @@
 + -------
 + 
 + ----------------------------
 +-# /etc/security/pam_abl.conf  
 ++# %%ETCPREFIX%%/etc/pam_abl.conf  
 + debug                         
 +-host_db=/var/lib/abl/hosts.db 
 ++host_db=%%PAMABLDB%%/hosts.db 
 + host_purge=2d                 
 + host_rule=*:10/1h,30/1d       
 +-host_block_cmd=[/sbin/iptables] [-I] [INPUT] [-s] [%h] [-j] [DROP]
 +-user_db=/var/lib/abl/users.db 
 ++host_block_cmd=[/sbin/ipfw] [table] [1] [add] [%h]
 ++user_db=%%PAMABLDB%%/users.db 
 + user_purge=2d                 
 + user_rule=!root:10/1h,30/1d   
 + user_clear_cmd=[/usr/bin/logger] [block] [user] [%u]
 diff --git a/security/pam_abl/files/patch-doc-pam_abl.html b/security/pam_abl/files/patch-doc-pam_abl.html
 deleted file mode 100644
 index fd162fd..0000000
 --- a/security/pam_abl/files/patch-doc-pam_abl.html
 +++ /dev/null
 @@ -1,11 +0,0 @@
 ---- doc/pam_abl.html.orig	Wed Oct 12 21:22:27 2005
 -+++ doc/pam_abl.html	Sat Jan 14 23:00:43 2006
 -@@ -15,7 +15,7 @@
 -         <dd>pam_abl [OPTION] [CONFIG]</dd>
 -         <dt>DESCRIPTION</dt>
 -         <dd>
 --            <p>Perform maintenance on the databases used by the pam_abl (auto blacklist) module. CONFIG is the name of the pam_abl config file (default: /etc/security/pam_abl.conf). The config file is read to discover the names of the pam_abl databases and the rules that control purging of old data from them. The following options are available</p>
 -+            <p>Perform maintenance on the databases used by the pam_abl (auto blacklist) module. CONFIG is the name of the pam_abl config file (default: %%ETCPREFIX%%/etc/pam_abl.conf). The config file is read to discover the names of the pam_abl databases and the rules that control purging of old data from them. The following options are available</p>
 -             <table>
 -                 <tr>
 -                     <td>-h, --help</td>
 diff --git a/security/pam_abl/files/patch-pam_abl.c b/security/pam_abl/files/patch-pam_abl.c
 deleted file mode 100644
 index 3ef097a..0000000
 --- a/security/pam_abl/files/patch-pam_abl.c
 +++ /dev/null
 @@ -1,24 +0,0 @@
 ---- pam_abl.c.orig	Wed Oct 12 21:22:26 2005
 -+++ pam_abl.c	Sat Jan 14 21:39:41 2006
 -@@ -344,7 +344,7 @@
 -         abl_args *args = data;
 -         log_debug(args, "In cleanup, err is %08x", err);
 - 
 --        if (err && (err & PAM_DATA_REPLACE) == 0) {
 -+        if (err == PAM_AUTH_ERR) {
 -             record_attempt(args);
 -         }
 -         config_free(args);
 -@@ -359,6 +359,12 @@
 -     int err = PAM_SUCCESS;
 - 
 -     /*log_debug(NULL, "pam_sm_authenticate(), flags=%08x", flags);*/
 -+
 -+    if (err = pam_get_data(pamh, DATA_NAME, &args), PAM_SUCCESS == err) {
 -+        record_attempt(args);
 -+    } else if (PAM_NO_MODULE_DATA != err) {
 -+       return err;
 -+    }
 - 
 -     if (args = malloc(sizeof(abl_args)), NULL == args) {
 -         return PAM_BUF_ERR;
 diff --git a/security/pam_abl/files/patch-pam_abl.h b/security/pam_abl/files/patch-pam_abl.h
 deleted file mode 100644
 index 2d21d06..0000000
 --- a/security/pam_abl/files/patch-pam_abl.h
 +++ /dev/null
 @@ -1,19 +0,0 @@
 ---- pam_abl.h.orig	Wed Oct 12 21:22:27 2005
 -+++ pam_abl.h	Sat Jan 14 19:25:44 2006
 -@@ -51,6 +51,7 @@
 - #define __PAM_ABL_H
 - 
 - #include <security/pam_modules.h>
 -+#include <security/pam_appl.h>
 - #include <db.h>
 - 
 - #include <ctype.h>
 -@@ -74,7 +75,7 @@
 - /* User purge time in seconds */
 - #define USER_PURGE  (HOURSECS * 24)
 - 
 --#define CONFIG "/etc/security/pam_abl.conf"
 -+#define CONFIG "%%ETCPREFIX%%/etc/pam_abl.conf"
 - 
 - typedef struct abl_string {
 -     struct abl_string *link;
 diff --git a/security/pam_abl/files/patch-pam_functions.c b/security/pam_abl/files/patch-pam_functions.c
 new file mode 100644
 index 0000000..df69f32
 --- /dev/null
 +++ b/security/pam_abl/files/patch-pam_functions.c
 @@ -0,0 +1,14 @@
 +diff -ur pam_functions.c pam_functions.c
 +--- pam_functions.c	2013-08-29 21:52:11.000000000 +0100
 ++++ pam_functions.c	2014-05-24 15:10:30.138694832 +0100
 +@@ -36,10 +36,6 @@
 + 
 + static void cleanup(pam_handle_t *pamh, void *data, int err) {
 +     (void)(pamh);
 +-    //if we are replacing our data pointer, ignore the cleanup.
 +-    //the function replacing our data should handle the cleanup
 +-    if (err & PAM_DATA_REPLACE)
 +-        return;
 + 
 +     if (NULL != data) {
 +         abl_context *context = data;
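Review bot: Dropping the `PAM_DATA_REPLACE` early return from `cleanup()` also drops the only stated rationale, and the patch file carries no comment saying why the port needs the change. The removed upstream comment says the code replacing the data pointer is responsible for cleanup, so with the guard gone `cleanup()` now acts on the old context whenever the data is replaced. If the replacing path still releases or records that context, the result could be a double free or a doubly counted failure, which in a blocklisting module means wrong lockouts. The rest of `cleanup()` and the caller that replaces the data lie outside this hunk, so this needs checking against the 0.6.0 source. I would add a description line at the top of the patch such as `# cleanup must run on PAM_DATA_REPLACE because <reason>; the replacing caller does not free the old context`.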
 diff --git a/security/pam_abl/files/patch-tools-Makefile b/security/pam_abl/files/patch-tools-Makefile
 deleted file mode 100644
 index c790887..0000000
 --- a/security/pam_abl/files/patch-tools-Makefile
 +++ /dev/null
 @@ -1,26 +0,0 @@
 ---- tools/Makefile.orig	Wed Oct 12 21:22:27 2005
 -+++ tools/Makefile	Sun Dec 11 00:22:30 2005
 -@@ -1,18 +1,18 @@
 - # Makefile
 - 
 --CFLAGS=-Wall
 --LIBS=-ldb -lpthread
 -+CFLAGS=-Wall -I/usr/local/include
 -+LIBS=-L/usr/local/lib -ldb -lpthread
 - TARGET=pam_abl
 - OBJ=log.o config.o rule.o pam_abl.o
 --INSTDIR=/usr/bin
 -+INSTDIR=%%PREFIX%%/sbin
 - 
 - all : $(TARGET)
 - 
 - $(TARGET) : $(OBJ)
 --	cc $(LIBS) -o $@ $^
 -+	cc $(LIBS) -o $(TARGET) $(OBJ)
 - 
 - install : $(TARGET)
 --	install --mode=755 --strip $(TARGET) $(INSTDIR)
 -+	install -m 755 -s $(TARGET) $(INSTDIR)
 - 
 - clean :
 - 	rm -f $(TARGET) $(OBJ)
 diff --git a/security/pam_abl/files/patch-tools.c b/security/pam_abl/files/patch-tools.c
 new file mode 100644
 index 0000000..22e4b63
 --- /dev/null
 +++ b/security/pam_abl/files/patch-tools.c
 @@ -0,0 +1,12 @@
 +diff -ur tools.c tools.c
 +--- tools.c	2013-08-29 21:52:11.000000000 +0100
 ++++ tools.c	2014-05-24 15:15:50.184663121 +0100
 +@@ -29,7 +29,7 @@
 + #include <getopt.h>
 + 
 + #define PAD "\t"
 +-#define DEFAULT_CONFIG "/etc/security/pam_abl.conf"
 ++#define DEFAULT_CONFIG "%%ETCPREFIX%%/etc/pam_abl.conf"
 + #define MAXNAMES 200
 + 
 + typedef enum {
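Review bot: `DEFAULT_CONFIG` stays the literal string `%%ETCPREFIX%%/etc/pam_abl.conf` unless a later step rewrites the placeholder, because files under `files/patch-*` are applied as they are. The substitution step is not part of this hunk. The patches deleted by this change put the same placeholder into `pam_abl.h` and `doc/pam_abl.html`, so any existing post-patch substitution presumably lists those files and should be checked to cover `tools.c`. If it is missed, the command-line tool would look for its configuration at a path that does not exist. A description line at the top of the patch, e.g. `# %%ETCPREFIX%% is replaced in post-patch by the port Makefile`, would make the dependency visible.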
 diff --git a/security/pam_abl/files/pkg-plist.in b/security/pam_abl/files/pkg-plist.in
 index 7b2d602..1e59ead 100644
 --- a/security/pam_abl/files/pkg-plist.in
 +++ b/security/pam_abl/files/pkg-plist.in
 @@ -1,7 +1,12 @@
 +bin/pam_abl
 +@unexec if cmp -s %D/etc/pam_abl.conf.sample %D/etc/pam_abl.conf; then rm -f %D/etc/pam_abl.conf; fi
  etc/pam_abl.conf.sample
 +@exec if [ ! -f %D/etc/pam_abl.conf ]; then cp -p %D/%F %B/pam_abl.conf; fi
  etc/periodic/daily/190.clean-pam-abl
  lib/pam_abl.so
 -sbin/pam_abl
 +man/man1/pam_abl.1.gz
 +man/man5/pam_abl.conf.5.gz
 +man/man8/pam_abl.8.gz
  @exec mkdir -p %%PAMABLDB%%
  @dirrmtry etc/periodic/daily
  @dirrmtry etc/periodic
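Review bot: `pam_abl` moves from `sbin/` to `bin/` here, so anything that calls the tool by absolute path has to follow. The packing list still ships `etc/periodic/daily/190.clean-pam-abl`, whose contents are not part of this hunk. If that script still runs `sbin/pam_abl`, the daily purge would fail and old entries would stay in the host and user databases. It is worth confirming that the script template and `pkg-message` use the `bin/` path.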
 
 --Q68bSM7Ycu6FN28Q--


