diff --git a/debian/patches/debian/Adapt-login.defs-for-Debian.patch b/debian/patches/debian/Adapt-login.defs-for-Debian.patch index 35829955..47f9ba6e 100644 --- a/debian/patches/debian/Adapt-login.defs-for-Debian.patch +++ b/debian/patches/debian/Adapt-login.defs-for-Debian.patch @@ -5,11 +5,11 @@ Subject: Adapt login.defs for Debian Remove settings only applicable to shadow's su, which we do not use. Remove settings only applicable without PAM support enabled. --- - etc/login.defs | 413 +++++++++++++-------------------------------------------- - 1 file changed, 89 insertions(+), 324 deletions(-) + etc/login.defs | 411 ++++++++++++--------------------------------------------- + 1 file changed, 83 insertions(+), 328 deletions(-) diff --git a/etc/login.defs b/etc/login.defs -index 33622c2..b27f72c 100644 +index 33622c2..a338dc9 100644 --- a/etc/login.defs +++ b/etc/login.defs @@ -1,24 +1,38 @@ @@ -233,7 +233,7 @@ index 33622c2..b27f72c 100644 TTYGROUP tty TTYPERM 0600 -@@ -180,143 +88,116 @@ TTYPERM 0600 +@@ -180,143 +88,106 @@ TTYPERM 0600 # # ERASECHAR Terminal ERASE character ('\010' = backspace). # KILLCHAR Terminal KILL character ('\025' = CTRL/U). 
@@ -334,63 +334,58 @@ index 33622c2..b27f72c 100644 # -# Maximum number of attempts to change password if rejected (too easy) +-# +-PASS_CHANGE_TRIES 5 +- +-# +-# Warn about weak passwords (but still allow them) if you are root. +# Which fields may be changed by regular users using chfn - use +# any combination of letters "frwh" (full name, room number, work +# phone, home phone). If not defined, no changes are allowed. +# For backward compatibility, "yes" = "rwh" and "no" = "frwh". # --PASS_CHANGE_TRIES 5 -+CHFN_RESTRICT rwh - - # --# Warn about weak passwords (but still allow them) if you are root. -+# Should login be allowed if we can't cd to the home directory? -+# Default is no. - # -PASS_ALWAYS_WARN yes -+DEFAULT_HOME yes ++CHFN_RESTRICT rwh # -# Number of significant characters in the password for crypt(). -# Default is 8, don't change unless your crypt() is better. -# Ignored if MD5_CRYPT_ENAB set to "yes". ++# Should login be allowed if we can't cd to the home directory? ++# Default is no. + # +-#PASS_MAX_LEN 8 ++DEFAULT_HOME yes + + # +-# Require password before chfn(1)/chsh(1) can make any changes. +# If defined, this command is run when removing a user. +# It should remove any at/cron/print jobs etc. owned by +# the user to be removed (passed as the first argument). # --#PASS_MAX_LEN 8 +-CHFN_AUTH yes +#USERDEL_CMD /usr/sbin/userdel_local # --# Require password before chfn(1)/chsh(1) can make any changes. -+# If set to yes, userdel will remove the user's group if it contains no -+# more members, and useradd will create by default a group with the name -+# of the user. - # --CHFN_AUTH yes -- --# -# Which fields may be changed by regular users using chfn(1) - use -# any combination of letters "frwh" (full name, room number, work -# phone, home phone). If not defined, no changes are allowed. -# For backward compatibility, "yes" = "rwh" and "no" = "frwh". 
-+# Other former uses of this variable such as setting the umask when -+# user==primary group are not used in PAM environments, such as Debian ++# If set to yes, userdel will remove the user's group if it contains no ++# more members, and useradd will create by default a group with the name ++# of the user. # -CHFN_RESTRICT rwh -+USERGROUPS_ENAB yes - - # +- +-# -# Password prompt (%s will be replaced by user name). -+# Instead of the real user shell, the program specified by this parameter -+# will be launched, although its visible name (argv[0]) will be the shell's. -+# The program may do whatever it wants (logging, additional authentification, -+# banner, ...) before running the actual shell. ++# Other former uses of this variable such as setting the umask when ++# user==primary group are not used in PAM environments, such as Debian # -# XXX - it doesn't work correctly yet, for now leave it commented out -# to use the default which is just "Password: ". -#LOGIN_STRING "%s's Password: " -+# FAKE_SHELL /bin/fakeshell ++USERGROUPS_ENAB yes # -# Only works if compiled with MD5_CRYPT defined: 
@@ -399,26 +394,25 @@ index 33622c2..b27f72c 100644 -# It supports passwords of unlimited length and longer salt strings. -# Set to "no" if you need to copy encrypted passwords to other systems -# which don't understand the new algorithm. Default is "no". --# ++# Instead of the real user shell, the program specified by this parameter ++# will be launched, although its visible name (argv[0]) will be the shell's. ++# The program may do whatever it wants (logging, additional authentification, ++# banner, ...) before running the actual shell. + # -# Note: If you use PAM, it is recommended to use a value consistent with -# the PAM modules configuration. -+# If defined, either full pathname of a file containing device names or -+# a ":" delimited list of device names. Root logins will be allowed only -+# upon these devices. - # +-# -# This variable is deprecated. You should use ENCRYPT_METHOD instead. -+# This variable is used by login and su. - # +-# -#MD5_CRYPT_ENAB no -+#CONSOLE /etc/consoles -+#CONSOLE console:tty01:tty02:tty03:tty04 ++# FAKE_SHELL /bin/fakeshell # -# Only works if compiled with ENCRYPTMETHOD_SELECT defined: # If set to MD5, MD5-based algorithm will be used for encrypting password # If set to SHA256, SHA256-based algorithm will be used for encrypting password # If set to SHA512, SHA512-based algorithm will be used for encrypting password -@@ -326,72 +207,10 @@ CHFN_RESTRICT rwh +@@ -326,72 +197,10 @@ CHFN_RESTRICT rwh # MD5 and DES should not be used for new hashes, see crypt(5) for recommendations. # Overrides the MD5_CRYPT_ENAB option # @@ -493,7 +487,7 @@ index 33622c2..b27f72c 100644 # # The pwck(8) utility emits a warning for any system account with a home -@@ -401,67 +220,12 @@ DEFAULT_HOME yes +@@ -401,67 +210,12 @@ DEFAULT_HOME yes # NONEXISTENT /nonexistent 
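Review bot: The commented `CONSOLE` block is no longer added by the refreshed patch (the dropped lines from `+# If defined, either full pathname of a file containing device names or` to `+#CONSOLE console:tty01:tty02:tty03:tty04`), yet the patch description still names only the su-only and non-PAM removals. That block is where the shipped login.defs told an administrator that root logins can be limited to named devices, and its own text says the variable is used by login as well as su, so neither stated reason clearly covers the removal. I would add a line to the description such as `Remove CONSOLE, which is not honoured by the login and su that Debian ships; restrict root logins through PAM (e.g. pam_securetty) instead.`, after confirming that claim against the packaged login, which is not visible here. If an active CONSOLE line in an existing /etc/login.defs stops being honoured on upgrade, that also deserves a NEWS entry, so the restriction is not lost silently. The inner login.defs hunk begins and ends outside this hunk.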
@@ -561,7 +555,7 @@ index 33622c2..b27f72c 100644 # # Select the HMAC cryptography algorithm. # Used in pam_timestamp module to calculate the keyed-hash message -@@ -471,3 +235,4 @@ PREVENT_NO_AUTH superuser +@@ -471,3 +225,4 @@ PREVENT_NO_AUTH superuser # that are available in your system. # #HMAC_CRYPTO_ALGO SHA512