lp:ubuntu/jaunty-security/pam
- Get this branch:
- bzr branch lp:ubuntu/jaunty-security/pam
Branch merges
Branch information
Recent revisions
- 52. By Steve Langasek
-
When no profiles are chosen in pam-auth-update, throw an error message
and prompt again instead of letting the user end up with an insecure
system. This introduces a new debconf template. LP: #410171. - 51. By Steve Langasek
-
* Merge from Debian unstable
* Remaining changes:
- debian/libpam- modules. postinst: Add PATH to /etc/environment if it's not
present there or in /etc/security/pam_env. conf. (should send to Debian).
- debian/libpam0g. postinst: only ask questions during update-manager when
there are non-default services running.
- debian/patches- applied/ series: Ubuntu patches are as below ...
- debian/patches- applied/ ubuntu- fix_standard_ types: Use standard u_int8_t
type rather than __u8.
- debian/patches- applied/ ubuntu- no-error- if-missingok: add a new, magic
module option 'missingok' which will suppress logging of errors by
libpam if the module is not found.
- debian/patches- applied/ ubuntu- regression_ fix_securetty: prompt for
password on bad username.
- debian/patches- applied/ ubuntu- rlimit_ nice_correction : Explicitly
initialise RLIMIT_NICE rather than relying on the kernel limits.
- debian/patches- applied/ ubuntu- user_defined_ environment: Look at
~/.pam_environment too, with the same format as
/etc/security/ pam_env. conf. (Originally patch 100; converted to quilt.)
- Change Vcs-Bzr to point at the Ubuntu branch.
- debian/local/common- password, debian/ pam-configs/ unix: switch from
"md5" to "sha512" as password crypt default. - 50. By Steve Langasek
-
* Merge from Debian unstable
* Remaining changes:
- debian/libpam- modules. postinst: Add PATH to /etc/environment if it's not
present there or in /etc/security/pam_env. conf. (should send to Debian).
- debian/libpam0g. postinst: only ask questions during update-manager when
there are non-default services running.
- debian/patches- applied/ series: Ubuntu patches are as below ...
- debian/patches- applied/ ubuntu- fix_standard_ types: Use standard u_int8_t
type rather than __u8.
- debian/patches- applied/ ubuntu- no-error- if-missingok: add a new, magic
module option 'missingok' which will suppress logging of errors by
libpam if the module is not found.
- debian/patches- applied/ ubuntu- regression_ fix_securetty: prompt for
password on bad username.
- debian/patches- applied/ ubuntu- rlimit_ nice_correction : Explicitly
initialise RLIMIT_NICE rather than relying on the kernel limits.
- debian/patches- applied/ ubuntu- user_defined_ environment: Look at
~/.pam_environment too, with the same format as
/etc/security/ pam_env. conf. (Originally patch 100; converted to quilt.)
- Change Vcs-Bzr to point at the Ubuntu branch.
- debian/local/common- password, debian/ pam-configs/ unix: switch from
"md5" to "sha512" as password crypt default.
* Dropped changes, merged in Debian:
- debian/local/pam- auth-update (et al): new interface for managing
/etc/pam.d/common- *, using drop-in config snippets provided by module
packages.
- New patch dont_freeze_password_ chain, cherry-picked from upstream:
don't always follow the same path through the password stack on
the PAM_UPDATE_AUTHTOK pass as was used in the PAM_PRELIM_CHECK
pass; this Linux-PAM deviation from the original PAM spec causes a
number of problems, in particular causing wrong return values when
using the refactored pam-auth-update stack. LP: #303515, #305882.
- debian/patches/ 027_pam_ limits_ better_ init_allow_ explicit_ root:
Add documentation to the patch showing how to set limits for root.
* Bump the libpam-cracklib dependency on libpam-runtime to 1.0.1-6,
reducing the delta with Debian.
* Drop upgrade handling code from libpam-runtime. postinst that's only
needed when upgrading from 1.0.1-2ubuntu1, a superseded intrepid
pre-release version of the package.
* pam-auth-update: swap out known md5sums from intrepid pre-release versions
with the md5sums from the released intrepid version
* pam-auth-update: drop some md5sums that will only be seen on upgrade from
pre-intrepid versions; skipping over the 8.10 final release is not
supported, and upgrading via 8.10 means those config files will be
replaced so the old md5sums will never be seen again. - 49. By Steve Langasek
-
New patch dont_freeze_
password_ chain, cherry-picked from upstream:
don't always follow the same path through the password stack on
the PAM_UPDATE_AUTHTOK pass as was used in the PAM_PRELIM_CHECK
pass; this Linux-PAM deviation from the original PAM spec causes a
number of problems, in particular causing wrong return values when
using the refactored pam-auth-update stack. LP: #303515, #305882. - 48. By Steve Langasek
-
* Merge from Debian unstable
* Remaining changes:
- debian/libpam- modules. postinst: Add PATH to /etc/environment if it's not
present there or in /etc/security/pam_env. conf. (should send to Debian).
- debian/libpam0g. postinst: only ask questions during update-manager when
there are non-default services running.
- debian/patches- applied/ series: Ubuntu patches are as below ...
- debian/patches- applied/ ubuntu- fix_standard_ types: Use standard u_int8_t
type rather than __u8.
- debian/patches- applied/ ubuntu- no-error- if-missingok: add a new, magic
module option 'missingok' which will suppress logging of errors by
libpam if the module is not found.
- debian/patches- applied/ ubuntu- regression_ fix_securetty: prompt for
password on bad username.
- debian/patches- applied/ ubuntu- rlimit_ nice_correction : Explicitly
initialise RLIMIT_NICE rather than relying on the kernel limits.
- debian/patches- applied/ ubuntu- user_defined_ environment: Look at
~/.pam_environment too, with the same format as
/etc/security/ pam_env. conf. (Originally patch 100; converted to quilt.)
- Change Vcs-Bzr to point at the Ubuntu branch.
- debian/local/pam- auth-update (et al): new interface for managing
/etc/pam.d/common- *, using drop-in config snippets provided by module
packages.
- debian/local/common- password, debian/ pam-configs/ unix: switch from
"md5" to "sha512" as password crypt default.
* Bump the version numbers referenced in the config files, again, as pam
has revved in Debian and moved the bar.
* pam-auth-update: If /var/lib/pam/seen is absent, treat this the same
as a present but empty file; thanks to Greg Price for the patch.
LP: #294513.
* pam-auth-update: Ignore removed profiles when detecting an empty set
of currently-enabled modules. Thanks to Greg Price for this as well.
* debian/control: libpam-runtime needs a versioned dependency on
debconf, because it uses the x_loadtemplatefile extension that's
not supported by debconf versions before hardy. LP: #295135.
* pam-auth-update: trim leading whitespace from multiline fields when
parsing PAM profiles. LP: #295441.
* pam-auth-update: factor out the duplicate code used for returning
the lines for a given module[ Jonathan Marsden ]
* debian/patches/ 027_pam_ limits_ better_ init_allow_ explicit_ root:
Add to patch, documenting how to set limits for root user.
Include an example. Alters limits.conf, limits.conf.5.xml,
and limits.conf.5 . (LP: #65244) - 46. By Martin Pitt
-
No-change upload of 1.0.1-4ubuntu5.1 to -updates. -proposed package was
copied while some ports were not built yet. - 45. By Steve Langasek
-
No-change rebuild because the archive admin (me) copied the package
to jaunty too soon. - 44. By Kees Cook
-
Allow passwords to change on expired accounts, by passing
new_authtok_reqd return codes immediately (LP: #291091). - 43. By Steve Langasek
-
* debian/
libpam0g. postinst: change 'cupsys' to 'cups' in the list of
default desktop services that are ignored in deciding whether to prompt
for service restarts on upgrade. Partially addresses LP #278117.
* debian/libpam0g. postinst: also filter out samba, which may be installed
on the desktop to enable filesharing.
* debian/libpam- cracklib. prerm, debian/ libpam- runtime. prerm: add the
ubiquitous debhelper tokens (currently a no-op)
* pam-auth-update: Use -Initial only for the first profile, even when
there's no explicit -Initial config for that first profile
* fix common-session/ common- password to use the same overall stack
structure as auth/account, so that we get the correct behavior when
all password modules fail. LP: #272232.
Branch metadata
- Branch format:
- Branch format 7
- Repository format:
- Bazaar repository format 2a (needs bzr 1.16 or later)
- Stacked on:
- lp:ubuntu/karmic/pam