delta/linux-pam-git.git, branch ldv/master github.com: linux-pam/linux-pam.git pam_tty_audit: add an option to control logging of passwords: log_passwd 2013-06-21T21:36:20+00:00 Richard Guy Briggs rgb@redhat.com 2013-06-21T12:29:00+00:00 333686501468f66160c8eb50ae23f1dc08b82e12 Most commands are entered one line at a time and processed as complete lines in non-canonical mode. Commands that interactively require a password, enter canonical mode with echo set to off to do this. This feature (icanon and !echo) can be used to avoid logging passwords by audit while still logging the rest of the command. Adding a member to the struct audit_tty_status passed in by pam_tty_audit allows control of logging passwords per task. * configure.in: autoconf bits to conditionally add support at compile time depending on struct audit_tty_status kernel header version. * modules/pam_tty_audit/pam_tty_audit.8.xml: Document new pam_tty_audit module log_passwd option. * modules/pam_tty_audit/pam_tty_audit.c: (pam_sm_open_session): Added "log_passwd" option parsing. Signed-off-by: Richard Guy Briggs <rgb@redhat.com> 
Most commands are entered one line at a time and processed as complete lines
in non-canonical mode.  Commands that interactively require a password, enter
canonical mode with echo set to off to do this.  This feature (icanon and
!echo) can be used to avoid logging passwords by audit while still logging the
rest of the command.  Adding a member to the struct audit_tty_status passed in
by pam_tty_audit allows control of logging passwords per task.

* configure.in: autoconf bits to conditionally add support at compile time
depending on struct audit_tty_status kernel header version.
* modules/pam_tty_audit/pam_tty_audit.8.xml: Document new pam_tty_audit module
log_passwd option.
* modules/pam_tty_audit/pam_tty_audit.c: (pam_sm_open_session): Added
"log_passwd" option parsing.

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
Man page fix - unix_update runs in the permissive mode as well. 2013-06-20T08:11:43+00:00 Tomas Mraz tmraz@fedoraproject.org 2013-06-20T08:11:43+00:00 43a69398c33f8580c5925953fa7ee561666d8e33 modules/pam_unix/unix_update.8.xml: unix_update helper runs in the permissive mode as well. 
modules/pam_unix/unix_update.8.xml: unix_update helper runs in the
permissive mode as well.
Use hash from /etc/login.defs as default if no 2013-06-18T14:27:15+00:00 Thorsten Kukuk kukuk@orinoco.thkukuk.de 2013-06-18T14:27:15+00:00 a36df58aa78531a4629f90f732be475e9296a842 other one is specified as argument. * modules/pam_unix/support.c: Add search_key, call from __set_ctrl * modules/pam_unix/support.h: Add define for /etc/login.defs * modules/pam_unix/pam_unix.8.xml: Document new behavior. * modules/pam_umask/pam_umask.c: Add missing NULL pointer check 
other one is specified as argument.

* modules/pam_unix/support.c: Add search_key, call from __set_ctrl
* modules/pam_unix/support.h: Add define for /etc/login.defs
* modules/pam_unix/pam_unix.8.xml: Document new behavior.
* modules/pam_umask/pam_umask.c: Add missing NULL pointer check
pam_access: better not change the default function used to get domain name. 2013-04-12T10:49:55+00:00 Tomas Mraz tmraz@fedoraproject.org 2013-04-12T10:49:55+00:00 8c715834cd61f2d50d53f9af85d3bd2f87a26c61 modules/pam_access/pam_access.c (netgroup_match): As we did not use yp_get_default_domain() in the 1.1 branch due to typo in ifdef we should use it only as fallback. 
modules/pam_access/pam_access.c (netgroup_match): As we did not use
yp_get_default_domain() in the 1.1 branch due to typo in ifdef
we should use it only as fallback.
Fix strict aliasing issue in MD5 implementations. 2013-03-28T14:30:19+00:00 Tomas Mraz tmraz@fedoraproject.org 2013-03-28T14:30:19+00:00 183f91a212879229d37e4dce18edd7a141eefa12 modules/pam_namespace/md5.c (MD5Final): Use memcpy instead of assignment. modules/pam_unix/md5.c (MD5Final): Use memcpy instead of assignment. 
modules/pam_namespace/md5.c (MD5Final): Use memcpy instead of assignment.
modules/pam_unix/md5.c (MD5Final): Use memcpy instead of assignment.
pam_lastlog: Do not fail on short read if btmp is corrupted. 2013-03-22T12:50:54+00:00 Tomas Mraz tmraz@fedoraproject.org 2013-03-22T12:50:54+00:00 9909a2b6ab99a32853224ae8dc0bb24c018d45e7 modules/pam_lastlog/pam_lastlog.c (last_login_failed): Just warn, not fail on short read or read error. 
modules/pam_lastlog/pam_lastlog.c (last_login_failed): Just warn, not fail
on short read or read error.
pam_rootok: Allow proper logging of the user AVC if access disallowed by SELinux 2013-03-22T08:42:22+00:00 Tomas Mraz tmraz@fedoraproject.org 2013-03-22T08:42:22+00:00 74ab2ed83471c2b17c2176d7465f56ae32ae4507 modules/pam_rootok/pam_rootok.c (log_callback, selinux_check_root): New functions. (check_for_root): Use the selinux_check_root() instead of checkPasswdAccess. 
modules/pam_rootok/pam_rootok.c (log_callback, selinux_check_root): New functions.
(check_for_root): Use the selinux_check_root() instead of checkPasswdAccess.
Add checks for crypt() returning NULL. 2013-02-08T14:04:26+00:00 Tomas Mraz tmraz@fedoraproject.org 2013-02-08T14:04:26+00:00 8dc056c1c8bc7acb66c4decc49add2c3a24e6310 modules/pam_pwhistory/opasswd.c (compare_password): Add check for crypt() NULL return. modules/pam_unix/bigcrypt.c (bigcrypt): Likewise. 
modules/pam_pwhistory/opasswd.c (compare_password): Add check for crypt() NULL return.
modules/pam_unix/bigcrypt.c (bigcrypt): Likewise.
pam_userdb: Allow also modern password hashes supported by crypt(). 2013-02-07T16:06:57+00:00 Tomas Mraz tmraz@fedoraproject.org 2013-02-07T16:06:57+00:00 e2a818773f96d12fc9f91bf2792a5a216c3b9aa4 modules/pam_userdb/pam_userdb.c (user_lookup): Allow password hashes longer than 13 characters and long salt. 
modules/pam_userdb/pam_userdb.c (user_lookup): Allow password hashes
longer than 13 characters and long salt.
pam_access: fix typo in ifdef 2013-01-18T14:33:18+00:00 Walter de Jong walter.dejong@surfsara.nl 2013-01-18T13:51:40+00:00 d1ed6a6fc71967b31eb758cea715690e478844c9 modules/pam_access/pam_access.c (netgroup_match): Fix typo in #ifdef HAVE_YP_GET_DEFAULT_DOMAIN. 
modules/pam_access/pam_access.c (netgroup_match): Fix typo
in #ifdef HAVE_YP_GET_DEFAULT_DOMAIN.