diff --git a/debian/patches/debian/Adapt-login.defs-for-Debian.patch b/debian/patches/debian/Adapt-login.defs-for-Debian.patch index 10cc9341..35829955 100644 --- a/debian/patches/debian/Adapt-login.defs-for-Debian.patch +++ b/debian/patches/debian/Adapt-login.defs-for-Debian.patch @@ -5,11 +5,11 @@ Subject: Adapt login.defs for Debian Remove settings only applicable to shadow's su, which we do not use. Remove settings only applicable without PAM support enabled. --- - etc/login.defs | 420 ++++++++++++++------------------------------------------- - 1 file changed, 99 insertions(+), 321 deletions(-) + etc/login.defs | 413 +++++++++++++-------------------------------------------- + 1 file changed, 89 insertions(+), 324 deletions(-) diff --git a/etc/login.defs b/etc/login.defs -index 33622c2..9711ad1 100644 +index 33622c2..b27f72c 100644 --- a/etc/login.defs +++ b/etc/login.defs @@ -1,24 +1,38 @@ @@ -233,7 +233,7 @@ index 33622c2..9711ad1 100644 TTYGROUP tty TTYPERM 0600 -@@ -180,113 +88,68 @@ TTYPERM 0600 +@@ -180,143 +88,116 @@ TTYPERM 0600 # # ERASECHAR Terminal ERASE character ('\010' = backspace). # KILLCHAR Terminal KILL character ('\025' = CTRL/U). 
@@ -334,43 +334,65 @@ index 33622c2..9711ad1 100644 # -# Maximum number of attempts to change password if rejected (too easy) --# ++# Which fields may be changed by regular users using chfn - use ++# any combination of letters "frwh" (full name, room number, work ++# phone, home phone). If not defined, no changes are allowed. ++# For backward compatibility, "yes" = "rwh" and "no" = "frwh". + # -PASS_CHANGE_TRIES 5 -- --# ++CHFN_RESTRICT rwh + + # -# Warn about weak passwords (but still allow them) if you are root. --# ++# Should login be allowed if we can't cd to the home directory? ++# Default is no. + # -PASS_ALWAYS_WARN yes -- --# ++DEFAULT_HOME yes + + # -# Number of significant characters in the password for crypt(). -# Default is 8, don't change unless your crypt() is better. -# Ignored if MD5_CRYPT_ENAB set to "yes". --# ++# If defined, this command is run when removing a user. ++# It should remove any at/cron/print jobs etc. owned by ++# the user to be removed (passed as the first argument). + # -#PASS_MAX_LEN 8 -- --# ++#USERDEL_CMD /usr/sbin/userdel_local + + # -# Require password before chfn(1)/chsh(1) can make any changes. --# ++# If set to yes, userdel will remove the user's group if it contains no ++# more members, and useradd will create by default a group with the name ++# of the user. + # -CHFN_AUTH yes - -# -# Which fields may be changed by regular users using chfn(1) - use -+# Which fields may be changed by regular users using chfn - use - # any combination of letters "frwh" (full name, room number, work - # phone, home phone). If not defined, no changes are allowed. - # For backward compatibility, "yes" = "rwh" and "no" = "frwh". -@@ -294,104 +157,73 @@ CHFN_AUTH yes - CHFN_RESTRICT rwh +-# any combination of letters "frwh" (full name, room number, work +-# phone, home phone). If not defined, no changes are allowed. +-# For backward compatibility, "yes" = "rwh" and "no" = "frwh". 
++# Other former uses of this variable such as setting the umask when ++# user==primary group are not used in PAM environments, such as Debian + # +-CHFN_RESTRICT rwh ++USERGROUPS_ENAB yes # -# Password prompt (%s will be replaced by user name). --# ++# Instead of the real user shell, the program specified by this parameter ++# will be launched, although its visible name (argv[0]) will be the shell's. ++# The program may do whatever it wants (logging, additional authentification, ++# banner, ...) before running the actual shell. + # -# XXX - it doesn't work correctly yet, for now leave it commented out -# to use the default which is just "Password: ". -#LOGIN_STRING "%s's Password: " -- --# ++# FAKE_SHELL /bin/fakeshell + + # -# Only works if compiled with MD5_CRYPT defined: -# If set to "yes", new passwords will be encrypted using the MD5-based -# algorithm compatible with the one used by recent releases of FreeBSD. 
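Review bot: The FAKE_SHELL comment moved here on the new side carries the misspelling `authentification`; since these lines are already rewritten as added lines of the patch, this is the natural place to correct it to `# The program may do whatever it wants (logging, additional authentication,` — unless the maintainers deliberately keep moved text byte-identical to upstream to ease rebases, which is a fair trade-off to state in the patch header. As far as the visible lines show, the settings themselves (`CHFN_RESTRICT rwh`, `DEFAULT_HOME yes`, `USERGROUPS_ENAB yes`) keep the values the previous placement had, so this hunk reads as a move rather than a policy change; one sentence in the patch description saying the reorder is intentional and value-preserving would make that checkable without reconstructing both versions of the inner diff. The commented example `# FAKE_SHELL /bin/fakeshell` has a space after `#` unlike the neighbouring `#USERDEL_CMD /usr/sbin/userdel_local`, which is harmless but worth normalising while the lines are touched.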
@@ -380,58 +402,50 @@ index 33622c2..9711ad1 100644 -# -# Note: If you use PAM, it is recommended to use a value consistent with -# the PAM modules configuration. --# ++# If defined, either full pathname of a file containing device names or ++# a ":" delimited list of device names. Root logins will be allowed only ++# upon these devices. + # -# This variable is deprecated. You should use ENCRYPT_METHOD instead. -+# Should login be allowed if we can't cd to the home directory? -+# Default is no. ++# This variable is used by login and su. # -#MD5_CRYPT_ENAB no -+DEFAULT_HOME yes ++#CONSOLE /etc/consoles ++#CONSOLE console:tty01:tty02:tty03:tty04 # -# Only works if compiled with ENCRYPTMETHOD_SELECT defined: --# If set to MD5, MD5-based algorithm will be used for encrypting password --# If set to SHA256, SHA256-based algorithm will be used for encrypting password --# If set to SHA512, SHA512-based algorithm will be used for encrypting password --# If set to BCRYPT, BCRYPT-based algorithm will be used for encrypting password --# If set to YESCRYPT, YESCRYPT-based algorithm will be used for encrypting password --# If set to DES, DES-based algorithm will be used for encrypting password (default) --# MD5 and DES should not be used for new hashes, see crypt(5) for recommendations. --# Overrides the MD5_CRYPT_ENAB option --# + # If set to MD5, MD5-based algorithm will be used for encrypting password + # If set to SHA256, SHA256-based algorithm will be used for encrypting password + # If set to SHA512, SHA512-based algorithm will be used for encrypting password +@@ -326,72 +207,10 @@ CHFN_RESTRICT rwh + # MD5 and DES should not be used for new hashes, see crypt(5) for recommendations. + # Overrides the MD5_CRYPT_ENAB option + # -# Note: If you use PAM, it is recommended to use a value consistent with --# the PAM modules configuration. -+# If defined, this command is run when removing a user. -+# It should remove any at/cron/print jobs etc. 
owned by -+# the user to be removed (passed as the first argument). ++# Note: It is recommended to use a value consistent with + # the PAM modules configuration. # -#ENCRYPT_METHOD DES -+#USERDEL_CMD /usr/sbin/userdel_local - - # +- +-# -# Only works if ENCRYPT_METHOD is set to SHA256 or SHA512. -# -# Define the number of SHA rounds. -# With a lot of rounds, it is more difficult to brute-force the password. -# However, more CPU resources will be needed to authenticate users if -# this value is increased. -+# If set to yes, userdel will remove the user's group if it contains no -+# more members, and useradd will create by default a group with the name -+# of the user. - # +-# -# If not specified, the libc will choose the default number of rounds (5000), -# which is orders of magnitude too low for modern hardware. -# The values must be within the 1000-999999999 range. -# If only one of the MIN or MAX values is set, then this value will be used. -# If MIN > MAX, the highest value will be used. -+# Other former uses of this variable such as setting the umask when -+# user==primary group are not used in PAM environments, such as Debian - # +-# -#SHA_CRYPT_MIN_ROUNDS 5000 -#SHA_CRYPT_MAX_ROUNDS 5000 -+USERGROUPS_ENAB yes - - # +- +-# -# Only works if ENCRYPT_METHOD is set to BCRYPT. -# -# Define the number of BCRYPT rounds. 
@@ -442,70 +456,44 @@ index 33622c2..9711ad1 100644 -# If not specified, 13 rounds will be attempted. -# If only one of the MIN or MAX values is set, then this value will be used. -# If MIN > MAX, the highest value will be used. -+# Instead of the real user shell, the program specified by this parameter -+# will be launched, although its visible name (argv[0]) will be the shell's. -+# The program may do whatever it wants (logging, additional authentification, -+# banner, ...) before running the actual shell. - # +-# -#BCRYPT_MIN_ROUNDS 13 -#BCRYPT_MAX_ROUNDS 13 -+# FAKE_SHELL /bin/fakeshell - - # +- +-# -# Only works if ENCRYPT_METHOD is set to YESCRYPT. -# -# Define the YESCRYPT cost factor. -# With a higher cost factor, it is more difficult to brute-force the password. -# However, more CPU time and more memory will be needed to authenticate users -# if this value is increased. -+# If defined, either full pathname of a file containing device names or -+# a ":" delimited list of device names. Root logins will be allowed only -+# upon these devices. - # +-# -# If not specified, a cost factor of 5 will be used. -# The value must be within the 1-11 range. -+# This variable is used by login and su. - # +-# -#YESCRYPT_COST_FACTOR 5 -+#CONSOLE /etc/consoles -+#CONSOLE console:tty01:tty02:tty03:tty04 - - # - # List of groups to add to the user's supplementary group set +- +-# +-# List of groups to add to the user's supplementary group set -# when logging in from the console (as determined by the CONSOLE -+# when logging in on the console (as determined by the CONSOLE - # setting). Default is none. - # - # Use with caution - it is possible for users to gain permanent +-# setting). Default is none. +-# +-# Use with caution - it is possible for users to gain permanent -# access to these groups, even when not logged in from the console. -+# access to these groups, even when not logged in on the console. - # How to do it is left as an exercise for the reader... 
- # -+# This variable is used by login and su. -+# - #CONSOLE_GROUPS floppy:audio:cdrom - - # +-# How to do it is left as an exercise for the reader... +-# +-#CONSOLE_GROUPS floppy:audio:cdrom +- +-# -# Should login be allowed if we can't cd to the home directory? -# Default is no. -+# If set to MD5, MD5-based algorithm will be used for encrypting password -+# If set to SHA256, SHA256-based algorithm will be used for encrypting password -+# If set to SHA512, SHA512-based algorithm will be used for encrypting password -+# If set to BCRYPT, BCRYPT-based algorithm will be used for encrypting password -+# If set to YESCRYPT, YESCRYPT-based algorithm will be used for encrypting password -+# If set to DES, DES-based algorithm will be used for encrypting password (default) -+# MD5 and DES should not be used for new hashes, see crypt(5) for recommendations. -+# Overrides the MD5_CRYPT_ENAB option - # +-# -DEFAULT_HOME yes -+# Note: It is recommended to use a value consistent with -+# the PAM modules configuration. -+# +ENCRYPT_METHOD YESCRYPT # # The pwck(8) utility emits a warning for any system account with a home -@@ -401,67 +233,12 @@ DEFAULT_HOME yes +@@ -401,67 +220,12 @@ DEFAULT_HOME yes # NONEXISTENT /nonexistent @@ -573,7 +561,7 @@ index 33622c2..9711ad1 100644 # # Select the HMAC cryptography algorithm. # Used in pam_timestamp module to calculate the keyed-hash message -@@ -471,3 +248,4 @@ PREVENT_NO_AUTH superuser +@@ -471,3 +235,4 @@ PREVENT_NO_AUTH superuser # that are available in your system. # #HMAC_CRYPTO_ALGO SHA512
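Review bot: The comment added under CONSOLE on the new side, `# This variable is used by login and su.`, contradicts the patch description at the top, which says shadow's su is not used on Debian, so an administrator would be told that su honours CONSOLE when the su they actually run is a different program; I would write `# This variable is used by login (shadow's su is not used on Debian).` and keep su out of the other comments in this file for the same reason. The same hunk now drops the whole CONSOLE_GROUPS section, including its "Use with caution - it is possible for users to gain permanent access to these groups" warning, whereas the previous version of the patch kept that text with reworded wording; if login in the PAM build still honours CONSOLE_GROUPS (I cannot tell from this diff), the setting should stay documented with that caveat rather than disappear silently, and if it does not, the patch header's "Remove settings only applicable without PAM support" sentence should name it. Finally, `ENCRYPT_METHOD YESCRYPT` is kept while the YESCRYPT_COST_FACTOR and *_ROUNDS documentation is removed from the file, leaving no hint where the cost parameter is tuned; a pointer such as `# Hash cost/rounds are not configured here on Debian; see the PAM module configuration.` would help, once it is confirmed that no Debian tool still reads those keys from login.defs. The inner hunk headers that follow on this line are renumbering only.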