lp:ubuntu/jaunty-security/pam

Created by James Westby and last modified
Get this branch:
bzr branch lp:ubuntu/jaunty-security/pam

Branch information

Owner:
Ubuntu branches
Review team:
Ubuntu Development Team
Status:
Mature

Recent revisions

52. By Steve Langasek

When no profiles are chosen in pam-auth-update, throw an error message
and prompt again instead of letting the user end up with an insecure
system. This introduces a new debconf template. LP: #410171.

51. By Steve Langasek

* Merge from Debian unstable
* Remaining changes:
  - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's not
    present there or in /etc/security/pam_env.conf. (should send to Debian).
  - debian/libpam0g.postinst: only ask questions during update-manager when
    there are non-default services running.
  - debian/patches-applied/series: Ubuntu patches are as below ...
  - debian/patches-applied/ubuntu-fix_standard_types: Use standard u_int8_t
    type rather than __u8.
  - debian/patches-applied/ubuntu-no-error-if-missingok: add a new, magic
    module option 'missingok' which will suppress logging of errors by
    libpam if the module is not found.
  - debian/patches-applied/ubuntu-regression_fix_securetty: prompt for
    password on bad username.
  - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
    initialise RLIMIT_NICE rather than relying on the kernel limits.
  - debian/patches-applied/ubuntu-user_defined_environment: Look at
    ~/.pam_environment too, with the same format as
    /etc/security/pam_env.conf. (Originally patch 100; converted to quilt.)
  - Change Vcs-Bzr to point at the Ubuntu branch.
  - debian/local/common-password, debian/pam-configs/unix: switch from
    "md5" to "sha512" as password crypt default.

50. By Steve Langasek

* Merge from Debian unstable
* Remaining changes:
  - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's not
    present there or in /etc/security/pam_env.conf. (should send to Debian).
  - debian/libpam0g.postinst: only ask questions during update-manager when
    there are non-default services running.
  - debian/patches-applied/series: Ubuntu patches are as below ...
  - debian/patches-applied/ubuntu-fix_standard_types: Use standard u_int8_t
    type rather than __u8.
  - debian/patches-applied/ubuntu-no-error-if-missingok: add a new, magic
    module option 'missingok' which will suppress logging of errors by
    libpam if the module is not found.
  - debian/patches-applied/ubuntu-regression_fix_securetty: prompt for
    password on bad username.
  - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
    initialise RLIMIT_NICE rather than relying on the kernel limits.
  - debian/patches-applied/ubuntu-user_defined_environment: Look at
    ~/.pam_environment too, with the same format as
    /etc/security/pam_env.conf. (Originally patch 100; converted to quilt.)
  - Change Vcs-Bzr to point at the Ubuntu branch.
  - debian/local/common-password, debian/pam-configs/unix: switch from
    "md5" to "sha512" as password crypt default.
* Dropped changes, merged in Debian:
  - debian/local/pam-auth-update (et al): new interface for managing
    /etc/pam.d/common-*, using drop-in config snippets provided by module
    packages.
  - New patch dont_freeze_password_chain, cherry-picked from upstream:
    don't always follow the same path through the password stack on
    the PAM_UPDATE_AUTHTOK pass as was used in the PAM_PRELIM_CHECK
    pass; this Linux-PAM deviation from the original PAM spec causes a
    number of problems, in particular causing wrong return values when
    using the refactored pam-auth-update stack. LP: #303515, #305882.
  - debian/patches/027_pam_limits_better_init_allow_explicit_root:
    Add documentation to the patch showing how to set limits for root.
* Bump the libpam-cracklib dependency on libpam-runtime to 1.0.1-6,
  reducing the delta with Debian.
* Drop upgrade handling code from libpam-runtime.postinst that's only
  needed when upgrading from 1.0.1-2ubuntu1, a superseded intrepid
  pre-release version of the package.
* pam-auth-update: swap out known md5sums from intrepid pre-release versions
  with the md5sums from the released intrepid version
* pam-auth-update: drop some md5sums that will only be seen on upgrade from
  pre-intrepid versions; skipping over the 8.10 final release is not
  supported, and upgrading via 8.10 means those config files will be
  replaced so the old md5sums will never be seen again.

49. By Steve Langasek

New patch dont_freeze_password_chain, cherry-picked from upstream:
don't always follow the same path through the password stack on
the PAM_UPDATE_AUTHTOK pass as was used in the PAM_PRELIM_CHECK
pass; this Linux-PAM deviation from the original PAM spec causes a
number of problems, in particular causing wrong return values when
using the refactored pam-auth-update stack. LP: #303515, #305882.

48. By Steve Langasek

* Merge from Debian unstable
* Remaining changes:
  - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's not
    present there or in /etc/security/pam_env.conf. (should send to Debian).
  - debian/libpam0g.postinst: only ask questions during update-manager when
    there are non-default services running.
  - debian/patches-applied/series: Ubuntu patches are as below ...
  - debian/patches-applied/ubuntu-fix_standard_types: Use standard u_int8_t
    type rather than __u8.
  - debian/patches-applied/ubuntu-no-error-if-missingok: add a new, magic
    module option 'missingok' which will suppress logging of errors by
    libpam if the module is not found.
  - debian/patches-applied/ubuntu-regression_fix_securetty: prompt for
    password on bad username.
  - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
    initialise RLIMIT_NICE rather than relying on the kernel limits.
  - debian/patches-applied/ubuntu-user_defined_environment: Look at
    ~/.pam_environment too, with the same format as
    /etc/security/pam_env.conf. (Originally patch 100; converted to quilt.)
  - Change Vcs-Bzr to point at the Ubuntu branch.
  - debian/local/pam-auth-update (et al): new interface for managing
    /etc/pam.d/common-*, using drop-in config snippets provided by module
    packages.
  - debian/local/common-password, debian/pam-configs/unix: switch from
    "md5" to "sha512" as password crypt default.
* Bump the version numbers referenced in the config files, again, as pam
  has revved in Debian and moved the bar.
* pam-auth-update: If /var/lib/pam/seen is absent, treat this the same
  as a present but empty file; thanks to Greg Price for the patch.
  LP: #294513.
* pam-auth-update: Ignore removed profiles when detecting an empty set
  of currently-enabled modules. Thanks to Greg Price for this as well.
* debian/control: libpam-runtime needs a versioned dependency on
  debconf, because it uses the x_loadtemplatefile extension that's
  not supported by debconf versions before hardy. LP: #295135.
* pam-auth-update: trim leading whitespace from multiline fields when
  parsing PAM profiles. LP: #295441.
* pam-auth-update: factor out the duplicate code used for returning
  the lines for a given module

[ Jonathan Marsden ]
* debian/patches/027_pam_limits_better_init_allow_explicit_root:
  Add to patch, documenting how to set limits for root user.
  Include an example. Alters limits.conf, limits.conf.5.xml,
  and limits.conf.5. (LP: #65244)

47. By Colin Watson

No-change upload to jaunty to fix publication on armel.

46. By Martin Pitt

No-change upload of 1.0.1-4ubuntu5.1 to -updates. -proposed package was
copied while some ports were not built yet.

45. By Steve Langasek

No-change rebuild because the archive admin (me) copied the package
to jaunty too soon.

44. By Kees Cook

Allow passwords to change on expired accounts, by passing
new_authtok_reqd return codes immediately (LP: #291091).

43. By Steve Langasek

* debian/libpam0g.postinst: change 'cupsys' to 'cups' in the list of
  default desktop services that are ignored in deciding whether to prompt
  for service restarts on upgrade. Partially addresses LP #278117.
* debian/libpam0g.postinst: also filter out samba, which may be installed
  on the desktop to enable filesharing.
* debian/libpam-cracklib.prerm, debian/libpam-runtime.prerm: add the
  ubiquitous debhelper tokens (currently a no-op)
* pam-auth-update: Use -Initial only for the first profile, even when
  there's no explicit -Initial config for that first profile
* fix common-session/common-password to use the same overall stack
  structure as auth/account, so that we get the correct behavior when
  all password modules fail. LP: #272232.

Branch metadata

Branch format:
Branch format 7
Repository format:
Bazaar repository format 2a (needs bzr 1.16 or later)
Stacked on:
lp:ubuntu/karmic/pam