Compare commits

No commits in common. 'c10-beta' and 'c9' have entirely different histories.
c10-beta ... c9

@ -1 +1 @@
bc93feb781e01b2101e06e413f65924d4f633d0a SOURCES/authselect-1.5.0.tar.gz
9c2bb483de9209a00df4f69368245fdf3b8f635c SOURCES/authselect-1.2.6.tar.gz

2
.gitignore vendored

@ -1 +1 @@
SOURCES/authselect-1.5.0.tar.gz
SOURCES/authselect-1.2.6.tar.gz

File diff suppressed because it is too large

@ -1,101 +0,0 @@
From adb36ae3633e2dfaa9c21bb45d05551f1ea3d749 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Wed, 21 Feb 2024 14:27:49 +0100
Subject: [PATCH 01/11] sssd: reintroduce with-files-access-provider
This is still needed to support .k5login file with proxy domain. For
example:
```
[domain/proxy]
id_provider = proxy
proxy_lib_name = files
access_provider = krb5
auth_provider = krb5
krb5_server = kdc.test
krb5_realm = TEST
```
---
profiles/sssd/README | 10 ++++++++++
profiles/sssd/fingerprint-auth | 2 +-
profiles/sssd/password-auth | 2 +-
profiles/sssd/smartcard-auth | 2 +-
profiles/sssd/system-auth | 2 +-
5 files changed, 14 insertions(+), 4 deletions(-)
diff --git a/profiles/sssd/README b/profiles/sssd/README
index 770891a338754b53ee48ba34d9d80c2f2f31cdb6..f7aaba8ecca4bc18a0e57d2334c2030fd26fda0d 100644
--- a/profiles/sssd/README
+++ b/profiles/sssd/README
@@ -89,6 +89,16 @@ with-mdns4::
with-mdns6::
Enable multicast DNS over IPv6.
+with-files-access-provider:: If set, account management for local users is
+ handled also by pam_sss. This can be used to support SSSD's proxy domain
+ that is configured to serve users from local files but provide
+ authentication and access management (.k5login file) via Kerberos.
+
+ *WARNING:* SSSD access check will become mandatory for local users and
+ if SSSD is stopped then local users will not be able to log in. Only
+ system accounts (as defined by pam_usertype, including root) will be
+ able to log in.
+
with-gssapi::
If set, pam_sss_gss module is enabled to perform user authentication over
GSSAPI.
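Review bot: The new `with-files-access-provider::` entry puts its description on the same line as the term, while the neighbouring entries (`with-mdns6::`, `with-gssapi::`) start the description on the following line. Please follow the existing layout so the README renders consistently. The WARNING paragraph is worth keeping as is, since it is the only place that states the lockout condition for local users.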
diff --git a/profiles/sssd/fingerprint-auth b/profiles/sssd/fingerprint-auth
index 94232086a60f56976bd5182f5d10da9c63ec22b6..20ad3613e66ec85c7d2462d0449854e522383b3a 100644
--- a/profiles/sssd/fingerprint-auth
+++ b/profiles/sssd/fingerprint-auth
@@ -11,7 +11,7 @@ auth required pam_deny.so
account required pam_access.so {include if "with-pamaccess"}
account required pam_faillock.so {include if "with-faillock"}
account required pam_unix.so
-account sufficient pam_localuser.so
+account sufficient pam_localuser.so {exclude if "with-files-access-provider"}
account sufficient pam_usertype.so issystem
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
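Review bot: With `{exclude if "with-files-access-provider"}` on the `pam_localuser.so` line, local non-system users fall through to `account [default=bad success=ok user_unknown=ignore] pam_sss.so`, where any result other than success or user_unknown fails the account stack. That is the lockout the README warns about, but nothing in this file points to it. A short comment above the changed line referring to the README warning would help anyone reading the generated PAM file. The same applies to the identical change in password-auth, smartcard-auth and system-auth.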
diff --git a/profiles/sssd/password-auth b/profiles/sssd/password-auth
index 05487ca293138a1154cb6820dbc9a53770904670..97c33b678706e7eeb86bf45251baa41739f2940f 100644
--- a/profiles/sssd/password-auth
+++ b/profiles/sssd/password-auth
@@ -18,7 +18,7 @@ account required pam_access.so
account required pam_faillock.so {include if "with-faillock"}
account sufficient pam_systemd_home.so {include if "with-systemd-homed"}
account required pam_unix.so
-account sufficient pam_localuser.so
+account sufficient pam_localuser.so {exclude if "with-files-access-provider"}
account sufficient pam_usertype.so issystem
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
diff --git a/profiles/sssd/smartcard-auth b/profiles/sssd/smartcard-auth
index 540556ce89b727a226bec4d3322a1775ef350253..78cb329bf332f4d629740a0fff7d2dfe43f7d78d 100644
--- a/profiles/sssd/smartcard-auth
+++ b/profiles/sssd/smartcard-auth
@@ -11,7 +11,7 @@ auth required pam_deny.so
account required pam_access.so {include if "with-pamaccess"}
account required pam_faillock.so {include if "with-faillock"}
account required pam_unix.so
-account sufficient pam_localuser.so
+account sufficient pam_localuser.so {exclude if "with-files-access-provider"}
account sufficient pam_usertype.so issystem
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
diff --git a/profiles/sssd/system-auth b/profiles/sssd/system-auth
index 83f9214fdd0a97ec49a8df52a2e202e034cbc0c6..90c3504a414f0a151475cc207285b230fec381b1 100644
--- a/profiles/sssd/system-auth
+++ b/profiles/sssd/system-auth
@@ -25,7 +25,7 @@ account required pam_access.so
account required pam_faillock.so {include if "with-faillock"}
account sufficient pam_systemd_home.so {include if "with-systemd-homed"}
account required pam_unix.so
-account sufficient pam_localuser.so
+account sufficient pam_localuser.so {exclude if "with-files-access-provider"}
account sufficient pam_usertype.so issystem
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
--
2.42.0

@ -0,0 +1,48 @@
From 9b52842d6b4b6ae0ad1f36d3d731d7afc94338e1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Thu, 29 Jun 2023 14:07:25 +0200
Subject: [PATCH 2/8] profiles: do not try to change password via sssd for
local users
Steps to reproduce:
1. Create local user and set passsword
2. Log in as the local user
3. Run passwd and provide wrong password as "Current password"
"Current password" prompt should be printed only once.
Resolves: https://github.com/authselect/authselect/issues/338
(cherry picked from commit c9cc4b23badeb5e2fe3a38fa5b0649b3d7b0a718)
(cherry picked from commit 7fbb0454f2adfd8de44e17e1784eab79fce2232f)
---
profiles/sssd/password-auth | 1 +
profiles/sssd/system-auth | 1 +
2 files changed, 2 insertions(+)
diff --git a/profiles/sssd/password-auth b/profiles/sssd/password-auth
index 5ea280a..7fe23f2 100644
--- a/profiles/sssd/password-auth
+++ b/profiles/sssd/password-auth
@@ -25,6 +25,7 @@ password requisite pam_pwquality.so local_
password [default=1 ignore=ignore success=ok] pam_localuser.so {include if "with-pwhistory"}
password requisite pam_pwhistory.so use_authtok {include if "with-pwhistory"}
password sufficient pam_unix.so yescrypt shadow {if not "without-nullok":nullok} use_authtok
+password [success=1 default=ignore] pam_localuser.so
password sufficient pam_sss.so use_authtok
password required pam_deny.so
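Review bot: The added `password [success=1 default=ignore] pam_localuser.so` depends on a positional jump: `success=1` skips exactly the next line, which today is `pam_sss.so`, so a local user whose `pam_unix.so` change failed lands on `pam_deny.so`. If a module is later inserted between these two lines, the jump will silently skip the wrong one. Please add a comment above the line stating that it must stay directly in front of `pam_sss.so`, as the existing `[default=1 ignore=ignore success=ok] pam_localuser.so` line has the same fragility with `pam_pwhistory.so`. The same comment applies to the system-auth hunk.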
diff --git a/profiles/sssd/system-auth b/profiles/sssd/system-auth
index fd1e31c..ce2e266 100644
--- a/profiles/sssd/system-auth
+++ b/profiles/sssd/system-auth
@@ -32,6 +32,7 @@ password requisite pam_pwquality.so local_
password [default=1 ignore=ignore success=ok] pam_localuser.so {include if "with-pwhistory"}
password requisite pam_pwhistory.so use_authtok {include if "with-pwhistory"}
password sufficient pam_unix.so yescrypt shadow {if not "without-nullok":nullok} use_authtok
+password [success=1 default=ignore] pam_localuser.so
password sufficient pam_sss.so use_authtok
password required pam_deny.so
--
2.40.1

@ -1,217 +0,0 @@
From d498f7aa562cf41e0999f7733664c27fa62bcf7c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Fri, 23 Feb 2024 11:54:44 +0100
Subject: [PATCH 02/11] spec: modify specfile for Fedora 40 and RHEL 10 as
minimal version
- conditionals that are no longer used are removed
- upgrade path is removed
- this was already triggered in Fedora 38, so it is no longer useful
- RHEL is updated to authselect with leapp when going from 7 to 8
we don't want to touch existing configurations
---
rpm/authselect.spec.in | 102 ++---------------------------------------
1 file changed, 3 insertions(+), 99 deletions(-)
diff --git a/rpm/authselect.spec.in b/rpm/authselect.spec.in
index 24ce4e603208ce26eb228bbee565c868428a2af1..e2c0482f1e7cfceac4aed3a3a4375bca031ac8c1 100644
--- a/rpm/authselect.spec.in
+++ b/rpm/authselect.spec.in
@@ -12,20 +12,6 @@ Source0: %{url}/archive/%{version}/%{name}-%{version}.tar.gz
%global makedir %{_builddir}/%{name}-%{version}
-%if 0%{?fedora} >= 35 || 0%{?rhel} >= 10
-%global with_compat 0
-%else
-%global with_compat 1
-%endif
-
-%if 0%{?fedora} >= 36 || 0%{?rhel} >= 10
-%global with_user_nsswitch 0
-%global enforce_authselect 1
-%else
-%global with_user_nsswitch 1
-%global enforce_authselect 0
-%endif
-
# Set the default profile
%{?fedora:%global default_profile local with-silent-lastlog}
%{?rhel:%global default_profile local}
@@ -43,21 +29,14 @@ BuildRequires: po4a
BuildRequires: %{_bindir}/a2x
BuildRequires: libcmocka-devel >= 1.0.0
BuildRequires: libselinux-devel
-%if %{with_compat}
-BuildRequires: python3-devel
-%endif
Requires: authselect-libs%{?_isa} = %{version}-%{release}
Suggests: sssd
Suggests: samba-winbind
Suggests: fprintd-pam
Suggests: oddjob-mkhomedir
-%if !%{with_compat}
# Properly obsolete removed authselect-compat package.
-Obsoletes: authselect-compat < 1.2.4
-# Inherited from former authselect-compat package.
-Obsoletes: authconfig < 7.0.1-6
-%endif
+Obsoletes: authselect-compat < 1.3
%description
Authselect is designed to be a replacement for authconfig but it takes
@@ -74,14 +53,6 @@ Summary: Utility library used by the authselect tool
Requires: coreutils
Requires: sed
Suggests: systemd
-%if %{enforce_authselect}
-# authselect now owns nsswitch.conf (glibc) and pam files
-Conflicts: pam < 1.5.2-8
-Conflicts: glibc < 2.34.9000-27
-# systemd, nss-mdns no longer contains nsswitch.conf scriptlets
-Conflicts: systemd < 249.7-4
-Conflicts: nss-mdns < 0.15.1-3
-%endif
%description libs
Common library files for authselect. This package is used by the authselect
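Review bot: This hunk removes the four versioned `Conflicts:` lines (pam, glibc, systemd, nss-mdns) together with the `%if %{enforce_authselect}` wrapper, whereas the `%files` and `%pre libs` hunks drop only the wrapper and keep the body of the same conditional. Since `enforce_authselect` was 1 for the releases this patch targets, removing the wrapper alone would have kept the Conflicts. If dropping them is intentional, say so in the commit message alongside the other bullet points; otherwise keep the lines unconditionally.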
@@ -95,25 +66,6 @@ Requires: authselect-libs%{?_isa} = %{version}-%{release}
System header files and development libraries for authselect. Useful if
you develop a front-end for the authselect library.
-%if %{with_compat}
-%package compat
-Summary: Tool to provide minimum backwards compatibility with authconfig
-Obsoletes: authconfig < 7.0.1-6
-Provides: authconfig
-Requires: authselect%{?_isa} = %{version}-%{release}
-Recommends: oddjob-mkhomedir
-Suggests: sssd
-Suggests: realmd
-Suggests: samba-winbind
-
-%description compat
-This package will replace %{_sbindir}/authconfig with a tool that will
-translate some of the authconfig calls into authselect calls. It provides
-only minimum backward compatibility and users are encouraged to migrate
-to authselect completely.
-%endif
-
-
%prep
%setup -q
@@ -123,16 +75,7 @@ done
%build
autoreconf -if
-%configure \
-%if %{with_compat}
- --with-pythonbin="%{__python3}" \
- --with-compat \
-%endif
-%if %{with_user_nsswitch}
- --with-user-nsswitch \
-%endif
- %{nil}
-
+%configure
%make_build
%check
@@ -168,20 +111,14 @@ find $RPM_BUILD_ROOT -name "*.a" -exec %__rm -f {} \;
%ghost %attr(0644,root,root) %{_sysconfdir}/authselect/postlogin
%ghost %attr(0644,root,root) %{_sysconfdir}/authselect/smartcard-auth
%ghost %attr(0644,root,root) %{_sysconfdir}/authselect/system-auth
-%if %{enforce_authselect}
%ghost %attr(0644,root,root) %{_sysconfdir}/nsswitch.conf
%ghost %attr(0644,root,root) %{_sysconfdir}/pam.d/fingerprint-auth
%ghost %attr(0644,root,root) %{_sysconfdir}/pam.d/password-auth
%ghost %attr(0644,root,root) %{_sysconfdir}/pam.d/postlogin
%ghost %attr(0644,root,root) %{_sysconfdir}/pam.d/smartcard-auth
%ghost %attr(0644,root,root) %{_sysconfdir}/pam.d/system-auth
-%endif
%dir %{_localstatedir}/lib/authselect
%ghost %attr(0755,root,root) %{_localstatedir}/lib/authselect/backups/
-%if %{with_user_nsswitch}
-%ghost %attr(0644,root,root) %{_sysconfdir}/authselect/user-nsswitch.conf
-%ghost %attr(0644,root,root) %{_localstatedir}/lib/authselect/user-nsswitch-created
-%endif
%dir %{_datadir}/authselect
%dir %{_datadir}/authselect/vendor
%dir %{_datadir}/authselect/default
@@ -241,12 +178,6 @@ find $RPM_BUILD_ROOT -name "*.a" -exec %__rm -f {} \;
%{_libdir}/libauthselect.so
%{_libdir}/pkgconfig/authselect.pc
-%if %{with_compat}
-%files compat
-%{_sbindir}/authconfig
-%{python3_sitelib}/authselect/
-%endif
-
%files -f %{name}.8.lang -f %{name}-migration.7.lang
%{_bindir}/authselect
%{_mandir}/man8/authselect.8*
@@ -265,47 +196,21 @@ if [ $1 == 0 ] ; then
fi
%pre libs
-%if %{enforce_authselect}
# Check if this is a new installation.
%__rm -f %{forcefile}
if [ $1 -eq 1 ] ; then
touch %{forcefile}
fi
-
-# Check if we are upgrading from older version then authselect-1.3.0
-# The version command is not available on earlier versions
-if [ $1 -gt 1 ] ; then
- %{_bindir}/authselect check &> /dev/null
- if [ $? -ne 0 ]; then
- %{_bindir}/authselect version &> /dev/null
- if [ $? -ne 0 ]; then
- touch %{forcefile}
- fi
- fi
-fi
-%endif
-
exit 0
%posttrans libs
-# Copy nsswitch.conf to user-nsswitch.conf if it was not yet created
-%if %{with_user_nsswitch}
-if [ ! -f %{_localstatedir}/lib/authselect/user-nsswitch-created ]; then
- %__cp -n %{_sysconfdir}/nsswitch.conf %{_sysconfdir}/authselect/user-nsswitch.conf &> /dev/null
- touch %{_localstatedir}/lib/authselect/user-nsswitch-created &> /dev/null
-fi
-%endif
# Keep nss-altfiles for all rpm-ostree based systems.
# See https://github.com/authselect/authselect/issues/48
if test -e /run/ostree-booted; then
for PROFILE in `ls %{_datadir}/authselect/default`; do
%{_bindir}/authselect create-profile $PROFILE --vendor --base-on $PROFILE --symlink-pam --symlink-dconf --symlink=REQUIREMENTS --symlink=README &> /dev/null
-%if %{with_user_nsswitch}
- %__sed -ie "s/^\(passwd\|group\):\(.*\)systemd\(.*\)/\1:\2systemd altfiles\3/g" %{_datadir}/authselect/vendor/$PROFILE/nsswitch.conf &> /dev/null
-%else
%__sed -ie 's/{if "with-altfiles":altfiles }/altfiles /g' %{_datadir}/authselect/vendor/$PROFILE/nsswitch.conf &> /dev/null
-%endif
done
fi
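Review bot: The retained `%__sed -ie 's/{if "with-altfiles":altfiles }/altfiles /g' ...` line passes `-ie`, which GNU sed parses as `-i` with backup suffix `e`, not as `-i -e`. The substitution still runs, but it leaves a stray `nsswitch.confe` file in each vendor profile directory. Since this scriptlet is being cleaned up anyway, change it to `-i -e` (or plain `-i`). Because the output goes to `&> /dev/null`, a failure here is also invisible, so consider keeping stderr.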
@@ -314,8 +219,7 @@ if [ $? -eq 6 ]; then
NOBACKUP="--nobackup"
fi
-# If we are upgrading from pre authselect-1.3.0 or this is a new installation
-# select the default configuration.
+# If this is a new installation select the default configuration.
if [ -f %{forcefile} ]; then
%{_bindir}/authselect select %{default_profile} --force $NOBACKUP &> /dev/null
%__rm -f %{forcefile}
--
2.42.0

File diff suppressed because it is too large

@ -1,177 +0,0 @@
From 9321126e20898b23c19e168177d8a383a750fefb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Fri, 23 Feb 2024 12:51:37 +0100
Subject: [PATCH 04/11] nis: install nis profile conditionally
NIS profile is installed only if --with-nis-profile configure flag is
given.
---
profiles/Makefile.am | 2 ++
rpm/authselect.spec.in | 37 +++++++++++++++++++----------
scripts/manpages-build.sh.in | 1 +
src/conf_macros.m4 | 10 ++++++++
src/man/authselect-migration.7.adoc | 7 ++++++
5 files changed, 45 insertions(+), 12 deletions(-)
diff --git a/profiles/Makefile.am b/profiles/Makefile.am
index bc437c158f6922afdba4ab261c73f31c93846118..61728cab77022ddc0bb35a3649a38123dc4987cf 100644
--- a/profiles/Makefile.am
+++ b/profiles/Makefile.am
@@ -15,6 +15,7 @@ dist_profile_local_DATA = \
$(top_srcdir)/profiles/local/dconf-locks \
$(NULL)
+if WITH_NIS_PROFILE
profile_nisdir = $(authselect_profile_dir)/nis
dist_profile_nis_DATA = \
$(top_srcdir)/profiles/nis/nsswitch.conf \
@@ -28,6 +29,7 @@ dist_profile_nis_DATA = \
$(top_srcdir)/profiles/nis/dconf-db \
$(top_srcdir)/profiles/nis/dconf-locks \
$(NULL)
+endif
profile_sssddir = $(authselect_profile_dir)/sssd
dist_profile_sssd_DATA = \
diff --git a/rpm/authselect.spec.in b/rpm/authselect.spec.in
index e2c0482f1e7cfceac4aed3a3a4375bca031ac8c1..350ca953632f21be861c1ee75f25f71d107ca1ee 100644
--- a/rpm/authselect.spec.in
+++ b/rpm/authselect.spec.in
@@ -12,6 +12,13 @@ Source0: %{url}/archive/%{version}/%{name}-%{version}.tar.gz
%global makedir %{_builddir}/%{name}-%{version}
+# Disable NIS profile on RHEL
+%if 0%{?rhel}
+%global with_nis_profile 0
+%else
+%global with_nis_profile 1
+%endif
+
# Set the default profile
%{?fedora:%global default_profile local with-silent-lastlog}
%{?rhel:%global default_profile local}
@@ -75,7 +82,11 @@ done
%build
autoreconf -if
-%configure
+%configure \
+%if %{with_nis_profile}
+ --with-nis-profile \
+%endif
+ %{nil}
%make_build
%check
@@ -123,7 +134,6 @@ find $RPM_BUILD_ROOT -name "*.a" -exec %__rm -f {} \;
%dir %{_datadir}/authselect/vendor
%dir %{_datadir}/authselect/default
%dir %{_datadir}/authselect/default/local/
-%dir %{_datadir}/authselect/default/nis/
%dir %{_datadir}/authselect/default/sssd/
%dir %{_datadir}/authselect/default/winbind/
%{_datadir}/authselect/default/local/dconf-db
@@ -136,16 +146,6 @@ find $RPM_BUILD_ROOT -name "*.a" -exec %__rm -f {} \;
%{_datadir}/authselect/default/local/REQUIREMENTS
%{_datadir}/authselect/default/local/smartcard-auth
%{_datadir}/authselect/default/local/system-auth
-%{_datadir}/authselect/default/nis/dconf-db
-%{_datadir}/authselect/default/nis/dconf-locks
-%{_datadir}/authselect/default/nis/fingerprint-auth
-%{_datadir}/authselect/default/nis/nsswitch.conf
-%{_datadir}/authselect/default/nis/password-auth
-%{_datadir}/authselect/default/nis/postlogin
-%{_datadir}/authselect/default/nis/README
-%{_datadir}/authselect/default/nis/REQUIREMENTS
-%{_datadir}/authselect/default/nis/smartcard-auth
-%{_datadir}/authselect/default/nis/system-auth
%{_datadir}/authselect/default/sssd/dconf-db
%{_datadir}/authselect/default/sssd/dconf-locks
%{_datadir}/authselect/default/sssd/fingerprint-auth
@@ -166,6 +166,19 @@ find $RPM_BUILD_ROOT -name "*.a" -exec %__rm -f {} \;
%{_datadir}/authselect/default/winbind/REQUIREMENTS
%{_datadir}/authselect/default/winbind/smartcard-auth
%{_datadir}/authselect/default/winbind/system-auth
+%if %{with_nis_profile}
+%dir %{_datadir}/authselect/default/nis/
+%{_datadir}/authselect/default/nis/dconf-db
+%{_datadir}/authselect/default/nis/dconf-locks
+%{_datadir}/authselect/default/nis/fingerprint-auth
+%{_datadir}/authselect/default/nis/nsswitch.conf
+%{_datadir}/authselect/default/nis/password-auth
+%{_datadir}/authselect/default/nis/postlogin
+%{_datadir}/authselect/default/nis/README
+%{_datadir}/authselect/default/nis/REQUIREMENTS
+%{_datadir}/authselect/default/nis/smartcard-auth
+%{_datadir}/authselect/default/nis/system-auth
+%endif
%{_libdir}/libauthselect.so.*
%{_mandir}/man5/authselect-profiles.5*
%{_datadir}/doc/authselect/COPYING
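Review bot: The `%if %{with_nis_profile}` block at the end of this hunk drops the whole `default/nis/` directory from RHEL builds, but none of the spec changes in this patch add a scriptlet or a check for a host that currently has the nis profile selected. On such a host the files backing the active PAM and nsswitch configuration would be removed by the package update. Please either handle that case in `%posttrans libs` or document in the commit message why it cannot occur. The man page change that maps `--enablenis` to `none` covers only the authconfig migration path.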
diff --git a/scripts/manpages-build.sh.in b/scripts/manpages-build.sh.in
index 314bb2b2a0e4432632478230ab5ff5b3dce2943f..9e553f755a64717f854f3aba33c62140130ce18f 100755
--- a/scripts/manpages-build.sh.in
+++ b/scripts/manpages-build.sh.in
@@ -233,6 +233,7 @@ ATTR+=" -a AUTHSELECT_PROFILE_DIR=\"@AUTHSELECT_PROFILE_DIR@\""
ATTR+=" -a AUTHSELECT_VENDOR_DIR=\"@AUTHSELECT_VENDOR_DIR@\""
ATTR+=" -a AUTHSELECT_BACKUP_DIR=\"@AUTHSELECT_BACKUP_DIR@\""
ATTR+=" -a BUILD_USER_NSSWITCH=\"@BUILD_USER_NSSWITCH@\""
+ATTR+=" -a WITH_NIS_PROFILE=\"@WITH_NIS_PROFILE@\""
manpages-translate
diff --git a/src/conf_macros.m4 b/src/conf_macros.m4
index 17c1629723066b0c4e354051366ce209428af6c1..9a81a6e194d16ecc0408e8631530cf7048fd9241 100644
--- a/src/conf_macros.m4
+++ b/src/conf_macros.m4
@@ -99,3 +99,13 @@ if test x"$with_user_nsswitch" = xyes; then
AC_DEFINE(BUILD_USER_NSSWITCH, 1, [whether to build with user nsswitch support])
AC_SUBST(BUILD_USER_NSSWITCH, 1)
fi
+
+AC_ARG_WITH([nis-profile],
+ [AC_HELP_STRING([--with-nis-profile], [Install NIS profile [no]])],
+ [], with_nis_profile=no
+)
+AM_CONDITIONAL([WITH_NIS_PROFILE], [test x$with_nis_profile = xyes])
+AC_SUBST(WITH_NIS_PROFILE, 0)
+if test x"$with_nis_profile" = xyes; then
+ AC_SUBST(WITH_NIS_PROFILE, 1)
+fi
diff --git a/src/man/authselect-migration.7.adoc b/src/man/authselect-migration.7.adoc
index 3513a7e7cd3d7cc0045167e8224248c5be90ab2c..8cc58e60301925974fdb738c5b9a746749981df8 100644
--- a/src/man/authselect-migration.7.adoc
+++ b/src/man/authselect-migration.7.adoc
@@ -72,7 +72,12 @@ configuration file for required services.
|--enablesssd --enablesssdauth |sssd
|--enablekrb5 |sssd
|--enablewinbind --enablewinbindauth |winbind
+ifeval::[{WITH_NIS_PROFILE} == 1]
|--enablenis |nis
+endif::[]
+ifeval::[{WITH_NIS_PROFILE} != 1]
+|--enablenis |none
+endif::[]
|=========================================================
.Relation of authconfig options to authselect profile features
@@ -199,6 +204,7 @@ will perform an initial setup which involves creating a Kerberos keytab and
running `adcli` to join the domain. It also makes changes to `smb.conf`. You
can then tune it up by modifying {sysconfdir}/samba/smb.conf.
+ifeval::[{WITH_NIS_PROFILE} == 1]
NIS
~~~
There are several places that needs to be configured in order to make
@@ -227,6 +233,7 @@ $ domainname mydomain
$ setsebool -P allow_ypbind 1
----
+endif::[]
PASSWORD QUALITY
~~~~~~~~~~~~~~~~
Authselect enables `pam_pwquality` module to enforce password quality
--
2.42.0

@ -1,349 +0,0 @@
From 923fd37712eae8d99d514708e35894b6ea056628 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Fri, 23 Feb 2024 13:24:25 +0100
Subject: [PATCH 05/11] configure: drop user-nsswitch.conf support
user-nsswitch.conf support is now completely dropped, it can no
longer be enabled via configure flag
---
scripts/manpages-build.sh.in | 1 -
src/cli/main.c | 9 --
src/conf_macros.m4 | 10 --
src/lib/files/nsswitch.c | 156 -----------------------------
src/lib/paths.h | 3 -
src/man/authselect-profiles.5.adoc | 7 --
src/man/authselect.8.adoc | 61 -----------
7 files changed, 247 deletions(-)
diff --git a/scripts/manpages-build.sh.in b/scripts/manpages-build.sh.in
index 9e553f755a64717f854f3aba33c62140130ce18f..f4ac71e3a22723a52101bb9cbbadd79740515070 100755
--- a/scripts/manpages-build.sh.in
+++ b/scripts/manpages-build.sh.in
@@ -232,7 +232,6 @@ ATTR+=" -a AUTHSELECT_PAM_DIR=\"@AUTHSELECT_PAM_DIR@\""
ATTR+=" -a AUTHSELECT_PROFILE_DIR=\"@AUTHSELECT_PROFILE_DIR@\""
ATTR+=" -a AUTHSELECT_VENDOR_DIR=\"@AUTHSELECT_VENDOR_DIR@\""
ATTR+=" -a AUTHSELECT_BACKUP_DIR=\"@AUTHSELECT_BACKUP_DIR@\""
-ATTR+=" -a BUILD_USER_NSSWITCH=\"@BUILD_USER_NSSWITCH@\""
ATTR+=" -a WITH_NIS_PROFILE=\"@WITH_NIS_PROFILE@\""
manpages-translate
diff --git a/src/cli/main.c b/src/cli/main.c
index 18486b50bc42f9937cc7294c3e5e2b32cafab5e0..fe06a5d8ababa58209690a97e84ae254b859cdc6 100644
--- a/src/cli/main.c
+++ b/src/cli/main.c
@@ -186,15 +186,6 @@ static errno_t activate(struct cli_cmdline *cmdline)
goto done;
}
-#ifdef BUILD_USER_NSSWITCH
- maps = authselect_profile_nsswitch_maps(profile, features);
- if (maps == NULL) {
- ERROR("Unable to obtain nsswitch maps!");
- ret = EFAULT;
- goto done;
- }
-#endif
-
if (backup || backup_name != NULL || (enforce && !nobackup)) {
ret = perform_backup(quiet, 1, backup_name);
if (ret != EOK) {
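Review bot: After this block is removed, `maps` is no longer assigned in the visible part of `activate()`, and the diffstat lists only these nine deletions for src/cli/main.c, so the variable's declaration and any cleanup that frees it are left behind. Please remove them in the same patch so that no dead variable remains in the function.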
diff --git a/src/conf_macros.m4 b/src/conf_macros.m4
index 9a81a6e194d16ecc0408e8631530cf7048fd9241..ae8fa0274e038e98115d000717487dbdbc04df4c 100644
--- a/src/conf_macros.m4
+++ b/src/conf_macros.m4
@@ -90,16 +90,6 @@ if test x"$with_compat" = xyes; then
fi
AM_CONDITIONAL([BUILD_COMPAT], [test x$with_compat = xyes])
-AC_ARG_WITH([user-nsswitch],
- [AC_HELP_STRING([--with-user-nsswitch], [Build with user nsswitch support [no]])],
- [], with_user_nsswitch=no
-)
-AC_SUBST(BUILD_USER_NSSWITCH, 0)
-if test x"$with_user_nsswitch" = xyes; then
- AC_DEFINE(BUILD_USER_NSSWITCH, 1, [whether to build with user nsswitch support])
- AC_SUBST(BUILD_USER_NSSWITCH, 1)
-fi
-
AC_ARG_WITH([nis-profile],
[AC_HELP_STRING([--with-nis-profile], [Install NIS profile [no]])],
[], with_nis_profile=no
diff --git a/src/lib/files/nsswitch.c b/src/lib/files/nsswitch.c
index 9598ea5cc5d5e30678acd91354629a87fc727be9..0e35380a2603316483cd6bcfdc58742c25b6a2b1 100644
--- a/src/lib/files/nsswitch.c
+++ b/src/lib/files/nsswitch.c
@@ -87,160 +87,6 @@ done:
return ret;
}
-#ifdef BUILD_USER_NSSWITCH
-
-static errno_t
-authselect_nsswitch_delete_maps(char **maps,
- char *content)
-{
- char *match_string;
- const char *map_name;
- size_t map_len;
- size_t orig_len;
- regmatch_t m[RE_NSS_MATCHES];
- regex_t regex;
- errno_t ret;
- int reret;
- int i;
-
- if (string_is_empty(content)) {
- return EOK;
- }
-
- orig_len = strlen(content);
-
- reret = regcomp(&regex, RE_NSS, REG_EXTENDED | REG_NEWLINE);
- if (reret != REG_NOERROR) {
- ERROR("Unable to compile regular expression: regex error %d", reret);
- ret = EFAULT;
- goto done;
- }
-
- match_string = content;
- while ((reret = regexec(&regex, match_string, 2, m, 0)) == REG_NOERROR) {
- map_name = match_string + m[1].rm_so;
- map_len = m[1].rm_eo - m[1].rm_so;
- for (i = 0; maps[i] != NULL; i++) {
- if (strncmp(map_name, maps[i], map_len) == 0) {
- string_remove_line(content, match_string, m[1].rm_so);
- break;
- }
- }
-
- /* Since the whole line could have been removed, we have to find first
- * non-zero position. */
- match_string += m[0].rm_eo;
- while (*match_string == '\0' && match_string - content < orig_len) {
- match_string++;
- }
- }
-
- if (reret != REG_NOMATCH) {
- ERROR("Unable to search string: regex error %d", reret);
- ret = EFAULT;
- goto done;
- }
-
- string_replace_shake(content, orig_len);
-
- ret = EOK;
-
-done:
- regfree(&regex);
-
- return ret;
-}
-
-errno_t
-authselect_nsswitch_generate(const char *template,
- const char **features,
- char **_content)
-{
- static const char *preambule = \
- "# If you want to make changes to nsswitch.conf please modify\n"
- "# " PATH_USER_NSSWITCH " and run 'authselect apply-changes'.\n"
- "#\n"
- "# Note that your changes may not be applied as they may be\n"
- "# overwritten by selected profile. Maps set in the authselect\n"
- "# profile takes always precedence and overwrites the same maps\n"
- "# set in the user file. Only maps that are not set by the profile\n"
- "# are applied from the user file.\n"
- "#\n"
- "# For example, if the profile sets:\n"
- "# passwd: sss files\n"
- "# and " PATH_USER_NSSWITCH " contains:\n"
- "# passwd: files\n"
- "# hosts: files dns\n"
- "# the resulting generated nsswitch.conf will be:\n"
- "# passwd: sss files # from profile\n"
- "# hosts: files dns # from user file\n\n";
- char *user_content = NULL;
- char *generated = NULL;
- char *content = NULL;
- char **maps = NULL;
- errno_t ret;
-
- generated = template_generate(template, features);
- if (generated == NULL) {
- ret = ENOMEM;
- goto done;
- }
-
- ret = textfile_read(PATH_USER_NSSWITCH, AUTHSELECT_FILE_SIZE_LIMIT,
- &user_content);
- switch (ret) {
- case EOK:
- ret = authselect_nsswitch_find_maps(generated, &maps);
- if (ret != EOK) {
- goto done;
- }
-
- ret = authselect_nsswitch_delete_maps(maps, user_content);
- if (ret != EOK) {
- goto done;
- }
-
- if (string_is_empty(user_content)) {
- content = format("%s%s", preambule, generated);
- break;
- }
-
- content = format("%s%s\n# Included from %s\n\n%s",
- preambule, generated, PATH_USER_NSSWITCH,
- user_content);
- break;
- case ENOENT:
- content = format("%s%s", preambule, generated);
- break;
- default:
- ERROR("Unable to read [%s] [%d]: %s", PATH_USER_NSSWITCH,
- ret, strerror(ret));
- goto done;
- }
-
- if (content == NULL) {
- ret = ENOMEM;
- goto done;
- }
-
- *_content = content;
-
- ret = EOK;
-
-done:
- if (ret != EOK) {
- ERROR("Unable to generate nsswitch.conf [%d]: %s", ret, strerror(ret));
- }
-
- free(user_content);
- free(generated);
- string_array_free(maps);
-
- return ret;
-}
-
-#else /* BUILD_USER_NSSWITCH */
-
errno_t
authselect_nsswitch_generate(const char *template,
const char **features,
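Review bot: The removed `authselect_nsswitch_generate()` variant was the caller of `authselect_nsswitch_find_maps()` in these lines, and `authselect_nsswitch_delete_maps()` was the user of `RE_NSS` and `RE_NSS_MATCHES` here. Please check whether the helper, the two macros and the regex include still have a user in this file after the removal, and drop whatever is left without one, since the point of this patch is to remove the feature completely.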
@@ -257,5 +103,3 @@ authselect_nsswitch_generate(const char *template,
return EOK;
}
-
-#endif /* BUILD_USER_NSSWITCH */
diff --git a/src/lib/paths.h b/src/lib/paths.h
index ca30b784f8bc63150f46ef08a26ec2bc5bcb3d67..41e4534b2efd421be8b9fea3b1fa9ebc3a699749 100644
--- a/src/lib/paths.h
+++ b/src/lib/paths.h
@@ -53,9 +53,6 @@
#define PATH_DCONF_DB AUTHSELECT_CONFIG_DIR "/" FILE_DCONF_DB
#define PATH_DCONF_LOCK AUTHSELECT_CONFIG_DIR "/" FILE_DCONF_LOCK
-/* Path to files that can be modified by user. */
-#define PATH_USER_NSSWITCH AUTHSELECT_CONFIG_DIR "/user-nsswitch.conf"
-
/* Names of symbolic links that points to generated files. */
#define PATH_SYMLINK_SYSTEM AUTHSELECT_PAM_DIR "/" FILE_SYSTEM
#define PATH_SYMLINK_PASSWORD AUTHSELECT_PAM_DIR "/" FILE_PASSWORD
diff --git a/src/man/authselect-profiles.5.adoc b/src/man/authselect-profiles.5.adoc
index 76a48fa25a13a7052eeac662d7f5f1b11f1f9493..648b7980cfaabeb02913650a35dfffa8e17b0aaa 100644
--- a/src/man/authselect-profiles.5.adoc
+++ b/src/man/authselect-profiles.5.adoc
@@ -53,14 +53,7 @@ done to the system.
the modules in the system-auth configuration file._
*nsswitch.conf*::
-ifeval::[{BUILD_USER_NSSWITCH} == 0]
Name Service Switch configuration file.
-endif::[]
-ifeval::[{BUILD_USER_NSSWITCH} == 1]
- Name Service Switch configuration file. Only maps relevant to the profile
- must be set. Maps that are not specified by the profile are included from
- {AUTHSELECT_CONFIG_DIR}/user-nsswitch.conf.
-endif::[]
*dconf-db*::
Changes to dconf database. The main uses case of this file is to set
diff --git a/src/man/authselect.8.adoc b/src/man/authselect.8.adoc
index 39758a6ca71e962ae942ce3608ac3bd0ffd3fabf..5d695cced0fbdc2cda78d61eb3f7b8d929cae692 100644
--- a/src/man/authselect.8.adoc
+++ b/src/man/authselect.8.adoc
@@ -261,67 +261,6 @@ These options are available with all commands.
the program execution but may indicate some undesired situations
(e.g. unexpected file in a profile directory).
-ifeval::[{BUILD_USER_NSSWITCH} == 1]
-NSSWITCH.CONF MANAGEMENT
-------------------------
-Authselect generates {AUTHSELECT_NSSWITCH_CONF} and does not allow any user
-changes to this file. Such changes are detected and authselect will refuse to
-write any system configuration unless a *--force* option is provided to
-the *select* command. This mechanism prevents authselect from overwriting
-anything that does not match any available profile.
-
-Any user changes to nsswitch maps must be done in file
-{AUTHSELECT_CONFIG_DIR}/user-nsswitch.conf. When authselect generates
-new _nsswitch.conf_ it reads this file and combines it with configuration
-from selected profile. The profile configuration takes always precedence.
-In other words, profiles do not have to set all nsswitch maps but can set only
-those that are relevant to the profile. If a map is set within a profile,
-it always overwrites the same map from _user-nsswitch.conf_.
-
-.Example 1
-[subs="attributes"]
-----
-# "sssd" profile
-$ cat {AUTHSELECT_PROFILE_DIR}/sssd/nsswitch.conf
-passwd: sss files systemd
-group: sss files systemd
-netgroup: sss files
-automount: sss files
-services: sss files
-sudoers: files sss {include if "with-sudo"}
-
-$ cat {AUTHSELECT_CONFIG_DIR}/user-nsswitch.conf
-passwd: files sss
-group: files sss
-hosts: files dns myhostname
-sudoers: files
-
-$ authselect select sssd
-
-# passwd and group maps from user-nsswitch.conf are ignored
-$ cat {AUTHSELECT_NSSWITCH_CONF}
-passwd: sss files systemd
-group: sss files systemd
-netgroup: sss files
-automount: sss files
-services: sss files
-hosts: files dns myhostname
-sudoers: files
-
-$ authselect select sssd with-sudo
-
-# passwd, group and sudoers maps from user-nsswitch.conf are ignored
-$ cat {AUTHSELECT_NSSWITCH_CONF}
-passwd: sss files systemd
-group: sss files systemd
-netgroup: sss files
-automount: sss files
-services: sss files
-sudoers: files sss
-hosts: files dns myhostname
-----
-endif::[]
-
TROUBLESHOOTING
---------------
--
2.42.0

File diff suppressed because it is too large

@ -1,46 +0,0 @@
From 23936036c5b6cd51843a7f964998f5345877fa8e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Fri, 23 Feb 2024 13:34:31 +0100
Subject: [PATCH 07/11] ci: remove python checks
With the compat tool gone, there is no other python script.
---
.github/workflows/analyze.yml | 18 +-----------------
1 file changed, 1 insertion(+), 17 deletions(-)
diff --git a/.github/workflows/analyze.yml b/.github/workflows/analyze.yml
index 37682f068b586dc0e7ba34f1098f4009b88e7254..16b48b031519b81221de9248d65f076b2616b2f7 100644
--- a/.github/workflows/analyze.yml
+++ b/.github/workflows/analyze.yml
@@ -25,7 +25,7 @@ jobs:
- name: Initialize CodeQL
uses: github/codeql-action/init@v1
with:
- languages: cpp, python
+ languages: cpp
queries: +security-and-quality
- name: Autobuild
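Review bot: The context lines around the `languages:` change still reference `github/codeql-action/init@v1` (and `github/codeql-action/analyze@v1` in the next hunk), which is a mutable major tag. Since this workflow is being edited anyway, pin the actions to a full commit SHA, or at least move to a currently maintained major version, so the analysis job does not run whatever the tag points to at the time.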
@@ -33,19 +33,3 @@ jobs:
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v1
-
- flake8:
- runs-on: ubuntu-latest
- permissions:
- contents: read
- steps:
- - name: Checkout repository
- uses: actions/checkout@v2
-
- - name: Install flake8
- run: |
- sudo apt update
- sudo apt install -y flake8
-
- - name: Execute flake8 on the repository
- run: flake8 --ignore=W503,E501 src/compat/authcompat.py.in.in .
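Review bot: The removed step ran flake8 on `src/compat/authcompat.py.in.in` and on `.`, that is, the whole repository, so deleting the job removes lint coverage for every Python file and not only for the compat tool. The commit message says no other Python script remains; including the output of `git ls-files '*.py' '*.py.in*'` in the message would make that claim checkable.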
--
2.42.0

File diff suppressed because it is too large

@ -1,78 +0,0 @@
From 8d8adbd35c741d9038588386414ccbddb99bd31d Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Thu, 14 Dec 2023 14:16:11 +0100
Subject: [PATCH 09/11] profiles: merge groups records with [SUCCESS=merge]
Services such as systemd-homed would like to advertise users which are
part of system groups, such as "wheel". That only works if glibc's
[SUCCESS=merge] feature is used in nsswitch.conf, so that group records
from multiple sources are merged.
This is documented here:
https://www.freedesktop.org/software/systemd/man/latest/nss-systemd.html#Configuration%20in%20/etc/nsswitch.conf
This hence adds [SUCCESS=merge] expressions to all NSS modules listed in
the "groups" lines.
---
profiles/local/nsswitch.conf | 2 +-
profiles/nis/nsswitch.conf | 2 +-
profiles/sssd/nsswitch.conf | 2 +-
profiles/winbind/nsswitch.conf | 2 +-
4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/profiles/local/nsswitch.conf b/profiles/local/nsswitch.conf
index c63692fc00c0815c5ba303ec5b48b6c9d7577df2..8582a955c8d03ea1d122a34cd273326d985bdcfb 100644
--- a/profiles/local/nsswitch.conf
+++ b/profiles/local/nsswitch.conf
@@ -1,7 +1,7 @@
# In order of likelihood of use to accelerate lookup.
passwd: files {if "with-altfiles":altfiles }systemd
shadow: files
-group: files {if "with-altfiles":altfiles }systemd
+group: files [SUCCESS=merge] {if "with-altfiles":altfiles [SUCCESS=merge] }systemd
hosts: files myhostname {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] }resolve [!UNAVAIL=return] dns
services: files
netgroup: files
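Review bot: Missing documentation for a behaviour change on the `group:` line: with `files [SUCCESS=merge]`, members reported by the later sources (`altfiles` when enabled, and `systemd`) are merged into a group that `files` already defines, including privileged groups such as the "wheel" example in the commit message. The diffstat touches only the four nsswitch.conf templates. Please add a paragraph to profiles/local/README stating that /etc/group is no longer the only source of membership for local groups.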
diff --git a/profiles/nis/nsswitch.conf b/profiles/nis/nsswitch.conf
index 685f92c326bc7767ee167a77b7ba782672bf801f..c033812facee9159c76e2d514ac652e4de2e0b6b 100644
--- a/profiles/nis/nsswitch.conf
+++ b/profiles/nis/nsswitch.conf
@@ -1,7 +1,7 @@
# In order of likelihood of use to accelerate lookup.
passwd: files {if "with-altfiles":altfiles }nis systemd
shadow: files nis
-group: files {if "with-altfiles":altfiles }nis systemd
+group: files [SUCCESS=merge] {if "with-altfiles":altfiles [SUCCESS=merge] }nis [SUCCESS=merge] systemd
hosts: files myhostname {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] }resolve [!UNAVAIL=return] nis dns
services: files nis
netgroup: files nis
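Review bot: On the `group:` line, `nis [SUCCESS=merge]` (together with the merge action after `files`) lets a NIS group map contribute members to a group of the same name already found in the local files, so whoever controls the NIS group map can extend local groups such as wheel. The commit message motivates the change with systemd-homed only. Please either gate the merge actions behind a profile feature, in the same `{if "...":...}` style the line already uses, or state in profiles/nis/README that NIS-supplied members are merged into local groups.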
diff --git a/profiles/sssd/nsswitch.conf b/profiles/sssd/nsswitch.conf
index 58844a62c8f52f8f25477a811b02a5e401120f30..9f194bc82cee52d4e12779def95afa2f794f66bf 100644
--- a/profiles/sssd/nsswitch.conf
+++ b/profiles/sssd/nsswitch.conf
@@ -1,7 +1,7 @@
# In order of likelihood of use to accelerate lookup.
passwd: {if "with-tlog":sss }files {if "with-altfiles":altfiles }{if not "with-tlog":sss }systemd
shadow: files
-group: {if "with-tlog":sss }files {if "with-altfiles":altfiles }{if not "with-tlog":sss }systemd
+group: {if "with-tlog":sss [SUCCESS=merge] }files [SUCCESS=merge] {if "with-altfiles":altfiles [SUCCESS=merge] }{if not "with-tlog":sss [SUCCESS=merge] }systemd
hosts: files myhostname {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] }resolve [!UNAVAIL=return] dns
services: files sss
netgroup: files sss
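Review bot: Style and testability: the `group:` template now has three conditional fragments that each end in `[SUCCESS=merge] ` with a trailing space inside the braces, and the separator before `files` or `systemd` exists only because of that space. A template test that renders this line with and without `with-tlog` and `with-altfiles` would catch a dropped space such as `[SUCCESS=merge]systemd` before it reaches /etc/nsswitch.conf.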
diff --git a/profiles/winbind/nsswitch.conf b/profiles/winbind/nsswitch.conf
index f0a97e42e084f94fddd329d4cb93d5b5d1da3360..1591ccb3ffa8bd10b8ff06a0620328e275d09241 100644
--- a/profiles/winbind/nsswitch.conf
+++ b/profiles/winbind/nsswitch.conf
@@ -1,7 +1,7 @@
# In order of likelihood of use to accelerate lookup.
passwd: files {if "with-altfiles":altfiles }winbind systemd
shadow: files
-group: files {if "with-altfiles":altfiles }winbind systemd
+group: files [SUCCESS=merge] {if "with-altfiles":altfiles [SUCCESS=merge] }winbind [SUCCESS=merge] systemd
hosts: files myhostname {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] }resolve [!UNAVAIL=return] dns
services: files
netgroup: files
--
2.42.0

@ -1,26 +0,0 @@
From 565d8a76f1d6ec6c23cd38f7aa4812426e8cb460 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Fri, 23 Feb 2024 14:18:00 +0100
Subject: [PATCH 10/11] spec: use altfiles with success=merge on ostree systems
as well
---
rpm/authselect.spec.in | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rpm/authselect.spec.in b/rpm/authselect.spec.in
index 350ca953632f21be861c1ee75f25f71d107ca1ee..39c4ca66058e0749e6d3aea6e7ff76a7a06c4ecc 100644
--- a/rpm/authselect.spec.in
+++ b/rpm/authselect.spec.in
@@ -223,7 +223,7 @@ exit 0
if test -e /run/ostree-booted; then
for PROFILE in `ls %{_datadir}/authselect/default`; do
%{_bindir}/authselect create-profile $PROFILE --vendor --base-on $PROFILE --symlink-pam --symlink-dconf --symlink=REQUIREMENTS --symlink=README &> /dev/null
- %__sed -ie 's/{if "with-altfiles":altfiles }/altfiles /g' %{_datadir}/authselect/vendor/$PROFILE/nsswitch.conf &> /dev/null
+ %__sed -ie 's/{if "with-altfiles":altfiles \[SUCCESS=merge\] }/altfiles [SUCCESS=merge] /g' %{_datadir}/authselect/vendor/$PROFILE/nsswitch.conf &> /dev/null
done
fi
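Review bot: The new sed expression only matches `{if "with-altfiles":altfiles \[SUCCESS=merge\] }`, but after PATCH 09/11 only the `group:` lines carry that form. The `passwd:` lines still read `{if "with-altfiles":altfiles }` and are no longer rewritten, so on ostree systems the vendor profiles would get unconditional altfiles for groups but not for users. Keep the old expression alongside the new one (two `-e` scripts), or use a single pattern that accepts an optional action. Separately, GNU sed parses `-ie` as `-i` with backup suffix `e`, which leaves an `nsswitch.confe` copy in each vendor profile directory; `-i -e` avoids that.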
--
2.42.0

@ -1,72 +0,0 @@
From 7b7889507928610b37b73641d28d5bbe3f763a4a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Fri, 23 Feb 2024 17:22:45 +0100
Subject: [PATCH 11/11] profiles: put myhostname before dns
To allow `hostname --fqdn` to work correctly. Putting myhostname early
prevents lookup of canonical hostname if only shortname is provided.
myhostname has been moved back and forth several times, it looks
like this place is now functional and works as expected.
---
profiles/local/nsswitch.conf | 2 +-
profiles/nis/nsswitch.conf | 2 +-
profiles/sssd/nsswitch.conf | 2 +-
profiles/winbind/nsswitch.conf | 2 +-
4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/profiles/local/nsswitch.conf b/profiles/local/nsswitch.conf
index 8582a955c8d03ea1d122a34cd273326d985bdcfb..538926e4d5cc8c190a7b2d10fd3756ad3269a720 100644
--- a/profiles/local/nsswitch.conf
+++ b/profiles/local/nsswitch.conf
@@ -2,7 +2,7 @@
passwd: files {if "with-altfiles":altfiles }systemd
shadow: files
group: files [SUCCESS=merge] {if "with-altfiles":altfiles [SUCCESS=merge] }systemd
-hosts: files myhostname {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] }resolve [!UNAVAIL=return] dns
+hosts: files {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] }resolve [!UNAVAIL=return] myhostname dns
services: files
netgroup: files
automount: files
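Review bot: The subject says myhostname is put "before dns", but on the `hosts:` line it now also sits after `resolve [!UNAVAIL=return]`, so whenever systemd-resolved is available the lookup returns at `resolve` and `myhostname` is never consulted; it acts only as a fallback when resolved is unavailable. Please state that in the commit message or in a comment above the line, given the message notes the module has moved back and forth several times. The move also means `libvirt`, `libvirt_guest` and the mdns modules, when enabled, are asked about the machine's own name before the locally synthesised answer is.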
diff --git a/profiles/nis/nsswitch.conf b/profiles/nis/nsswitch.conf
index c033812facee9159c76e2d514ac652e4de2e0b6b..488476e91879b549fe605008d500b1810360f3be 100644
--- a/profiles/nis/nsswitch.conf
+++ b/profiles/nis/nsswitch.conf
@@ -2,7 +2,7 @@
passwd: files {if "with-altfiles":altfiles }nis systemd
shadow: files nis
group: files [SUCCESS=merge] {if "with-altfiles":altfiles [SUCCESS=merge] }nis [SUCCESS=merge] systemd
-hosts: files myhostname {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] }resolve [!UNAVAIL=return] nis dns
+hosts: files {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] }resolve [!UNAVAIL=return] nis myhostname dns
services: files nis
netgroup: files nis
automount: files nis
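Review bot: In this profile the tail of the `hosts:` line becomes `nis myhostname dns`, so when `resolve` is unavailable the NIS hosts map is asked for the machine's own hostname before `myhostname` is. If the goal is only to let a name service supply the canonical name for `hostname --fqdn`, say in the commit message that a NIS answer for the local name is intended; otherwise consider whether `nis` belongs after `myhostname` here.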
diff --git a/profiles/sssd/nsswitch.conf b/profiles/sssd/nsswitch.conf
index 9f194bc82cee52d4e12779def95afa2f794f66bf..b98094d9e0eaeb1559347b81a9505822ff713034 100644
--- a/profiles/sssd/nsswitch.conf
+++ b/profiles/sssd/nsswitch.conf
@@ -2,7 +2,7 @@
passwd: {if "with-tlog":sss }files {if "with-altfiles":altfiles }{if not "with-tlog":sss }systemd
shadow: files
group: {if "with-tlog":sss [SUCCESS=merge] }files [SUCCESS=merge] {if "with-altfiles":altfiles [SUCCESS=merge] }{if not "with-tlog":sss [SUCCESS=merge] }systemd
-hosts: files myhostname {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] }resolve [!UNAVAIL=return] dns
+hosts: files {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] }resolve [!UNAVAIL=return] myhostname dns
services: files sss
netgroup: files sss
sudoers: files sss {include if "with-sudo"}
diff --git a/profiles/winbind/nsswitch.conf b/profiles/winbind/nsswitch.conf
index 1591ccb3ffa8bd10b8ff06a0620328e275d09241..cc966b34464bb28776b903d61fff1f6a94a1eb6f 100644
--- a/profiles/winbind/nsswitch.conf
+++ b/profiles/winbind/nsswitch.conf
@@ -2,7 +2,7 @@
passwd: files {if "with-altfiles":altfiles }winbind systemd
shadow: files
group: files [SUCCESS=merge] {if "with-altfiles":altfiles [SUCCESS=merge] }winbind [SUCCESS=merge] systemd
-hosts: files myhostname {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] }resolve [!UNAVAIL=return] dns
+hosts: files {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] }resolve [!UNAVAIL=return] myhostname dns
services: files
netgroup: files
automount: files
--
2.42.0

@ -1,376 +0,0 @@
From 054c83d1a40d5e0f98230d0f6ac34bd7ecdf383e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Fri, 23 Feb 2024 15:49:09 +0100
Subject: [PATCH 1/3] rhel10: remove systemd-homed
systemd-homed is not present in rhel.
---
profiles/local/README | 3 ---
profiles/local/password-auth | 4 ----
profiles/local/system-auth | 4 ----
profiles/nis/README | 3 ---
profiles/nis/REQUIREMENTS | 3 ---
profiles/nis/password-auth | 4 ----
profiles/nis/system-auth | 4 ----
profiles/sssd/README | 3 ---
profiles/sssd/REQUIREMENTS | 3 ---
profiles/sssd/password-auth | 4 ----
profiles/sssd/system-auth | 4 ----
profiles/winbind/README | 3 ---
profiles/winbind/REQUIREMENTS | 3 ---
profiles/winbind/password-auth | 4 ----
profiles/winbind/system-auth | 4 ----
15 files changed, 53 deletions(-)
diff --git a/profiles/local/README b/profiles/local/README
index 03f602441fe95ee280b575508f20d1f1de949b25..eedb298090b5b7c068ee1dfec0ee36c8b3086af4 100644
--- a/profiles/local/README
+++ b/profiles/local/README
@@ -54,9 +54,6 @@ with-mdns4::
with-mdns6::
Enable multicast DNS over IPv6.
-with-systemd-homed::
- If set, pam_systemd_homed is enabled for all pam operations.
-
with-libvirt::
Enable connecting to libvirt VMs using the hostname configured in the
guest OS or, as a fallback, their name.
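Review bot: Missing upgrade documentation: `with-systemd-homed` is dropped from the documented feature list here and from the PAM stacks in the following hunks, but none of the 15 files in this patch says how an existing selection or kickstart that passes `with-systemd-homed` is handled. Please name the removed feature in the release notes or migration documentation.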
diff --git a/profiles/local/password-auth b/profiles/local/password-auth
index 13e10d93b1d43ade8c45c32c50c613f6cf2abcca..d50d7e1fefaf257b8ddcdd1610004ffca9d93634 100644
--- a/profiles/local/password-auth
+++ b/profiles/local/password-auth
@@ -4,17 +4,14 @@ auth required pam_faillock.so preauth
auth sufficient pam_u2f.so cue {include if "with-pam-u2f"}
auth required pam_u2f.so cue {if not "without-pam-u2f-nouserok":nouserok} {include if "with-pam-u2f-2fa"}
auth sufficient pam_unix.so {if not "without-nullok":nullok}
-auth sufficient pam_systemd_home.so {include if "with-systemd-homed"}
auth required pam_faillock.so authfail {include if "with-faillock"}
auth optional pam_gnome_keyring.so only_if=login auto_start {include if "with-pam-gnome-keyring"}
auth required pam_deny.so
account required pam_access.so {include if "with-pamaccess"}
account required pam_faillock.so {include if "with-faillock"}
-account sufficient pam_systemd_home.so {include if "with-systemd-homed"}
account required pam_unix.so
-password sufficient pam_systemd_home.so {include if "with-systemd-homed"}
password requisite pam_pwquality.so
password [default=1 ignore=ignore success=ok] pam_localuser.so {include if "with-pwhistory"}
password requisite pam_pwhistory.so use_authtok {include if "with-pwhistory"}
@@ -24,7 +21,6 @@ password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
-session optional pam_systemd_home.so {include if "with-systemd-homed"}
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
diff --git a/profiles/local/system-auth b/profiles/local/system-auth
index 7f3c56adb2329dd4a08b1cb08b63e8d0d9b13c86..290cd24eb9c50f196d6fc68a3688f097f49159fe 100644
--- a/profiles/local/system-auth
+++ b/profiles/local/system-auth
@@ -5,17 +5,14 @@ auth sufficient pam_fprintd.so
auth sufficient pam_u2f.so cue {include if "with-pam-u2f"}
auth required pam_u2f.so cue {if not "without-pam-u2f-nouserok":nouserok} {include if "with-pam-u2f-2fa"}
auth sufficient pam_unix.so {if not "without-nullok":nullok}
-auth sufficient pam_systemd_home.so {include if "with-systemd-homed"}
auth required pam_faillock.so authfail {include if "with-faillock"}
auth optional pam_gnome_keyring.so only_if=login auto_start {include if "with-pam-gnome-keyring"}
auth required pam_deny.so
account required pam_access.so {include if "with-pamaccess"}
account required pam_faillock.so {include if "with-faillock"}
-account sufficient pam_systemd_home.so {include if "with-systemd-homed"}
account required pam_unix.so
-password sufficient pam_systemd_home.so {include if "with-systemd-homed"}
password requisite pam_pwquality.so
password [default=1 ignore=ignore success=ok] pam_localuser.so {include if "with-pwhistory"}
password requisite pam_pwhistory.so use_authtok {include if "with-pwhistory"}
@@ -25,7 +22,6 @@ password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
-session optional pam_systemd_home.so {include if "with-systemd-homed"}
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
diff --git a/profiles/nis/README b/profiles/nis/README
index e3a1a0b986689bfd43d9531464bcd8fa7a0f5237..745138bbdb1e045db41990dcb8864477d3408e36 100644
--- a/profiles/nis/README
+++ b/profiles/nis/README
@@ -65,9 +65,6 @@ with-mdns4::
with-mdns6::
Enable multicast DNS over IPv6.
-with-systemd-homed::
- If set, pam_systemd_homed is enabled for all pam operations.
-
without-nullok::
Do not add nullok parameter to pam_unix.
diff --git a/profiles/nis/REQUIREMENTS b/profiles/nis/REQUIREMENTS
index 3e32879eba37e1bd2692aa2852c87036bfa78ed5..d8fe0456ee2b351e98af374fc0206717e6994031 100644
--- a/profiles/nis/REQUIREMENTS
+++ b/profiles/nis/REQUIREMENTS
@@ -16,6 +16,3 @@ Make sure that NIS service is configured and enabled. See NIS documentation for
- systemctl enable --now oddjobd.service {include if "with-mkhomedir"}
{include if "with-libvirt"}
- with-libvirt is selected, make sure that the libvirt NSS plugins are installed {include if "with-libvirt"}
- {include if "with-systemd-homed"}
-- with-systemd-homed is selected, make sure that the system-homed service is enabled {include if "with-systemd-homed"}
- - systemctl enable --now systemd-homed.service {include if "with-systemd-homed"}
diff --git a/profiles/nis/password-auth b/profiles/nis/password-auth
index 45af4792df9f661fe04e1060e32cc6c0aa38c7c4..927fbcbda8fa4e910e29c88a3806fb5265bbc7bc 100644
--- a/profiles/nis/password-auth
+++ b/profiles/nis/password-auth
@@ -4,17 +4,14 @@ auth required pam_faillock.so preauth
auth sufficient pam_u2f.so cue {include if "with-pam-u2f"}
auth required pam_u2f.so cue {if not "without-pam-u2f-nouserok":nouserok} {include if "with-pam-u2f-2fa"}
auth sufficient pam_unix.so {if not "without-nullok":nullok}
-auth sufficient pam_systemd_home.so {include if "with-systemd-homed"}
auth required pam_faillock.so authfail {include if "with-faillock"}
auth optional pam_gnome_keyring.so only_if=login auto_start {include if "with-pam-gnome-keyring"}
auth required pam_deny.so
account required pam_access.so {include if "with-pamaccess"}
account required pam_faillock.so {include if "with-faillock"}
-account sufficient pam_systemd_home.so {include if "with-systemd-homed"}
account required pam_unix.so broken_shadow
-password sufficient pam_systemd_home.so {include if "with-systemd-homed"}
password requisite pam_pwquality.so {if not "with-nispwquality":local_users_only}
password [default=1 ignore=ignore success=ok] pam_localuser.so {include if "with-pwhistory"}
password requisite pam_pwhistory.so use_authtok {include if "with-pwhistory"}
@@ -24,7 +21,6 @@ password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
-session optional pam_systemd_home.so {include if "with-systemd-homed"}
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
diff --git a/profiles/nis/system-auth b/profiles/nis/system-auth
index 0bd022ee2286f37a5becb0daba2a5813693300a9..40a1bf74aaf3d721c4d720938e57766bfe651e47 100644
--- a/profiles/nis/system-auth
+++ b/profiles/nis/system-auth
@@ -5,17 +5,14 @@ auth sufficient pam_fprintd.so
auth sufficient pam_u2f.so cue {include if "with-pam-u2f"}
auth required pam_u2f.so cue {if not "without-pam-u2f-nouserok":nouserok} {include if "with-pam-u2f-2fa"}
auth sufficient pam_unix.so {if not "without-nullok":nullok}
-auth sufficient pam_systemd_home.so {include if "with-systemd-homed"}
auth required pam_faillock.so authfail {include if "with-faillock"}
auth optional pam_gnome_keyring.so only_if=login auto_start {include if "with-pam-gnome-keyring"}
auth required pam_deny.so
account required pam_access.so {include if "with-pamaccess"}
account required pam_faillock.so {include if "with-faillock"}
-account sufficient pam_systemd_home.so {include if "with-systemd-homed"}
account required pam_unix.so broken_shadow
-password sufficient pam_systemd_home.so {include if "with-systemd-homed"}
password requisite pam_pwquality.so {if not "with-nispwquality":local_users_only}
password [default=1 ignore=ignore success=ok] pam_localuser.so {include if "with-pwhistory"}
password requisite pam_pwhistory.so use_authtok {include if "with-pwhistory"}
@@ -25,7 +22,6 @@ password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
-session optional pam_systemd_home.so {include if "with-systemd-homed"}
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
diff --git a/profiles/sssd/README b/profiles/sssd/README
index f7aaba8ecca4bc18a0e57d2334c2030fd26fda0d..a497da5dcffd0a03a122677c49ee2f8021927b04 100644
--- a/profiles/sssd/README
+++ b/profiles/sssd/README
@@ -106,9 +106,6 @@ with-gssapi::
with-subid::
Enable SSSD as a source of subid database in /etc/nsswitch.conf.
-with-systemd-homed::
- If set, pam_systemd_homed is enabled for all pam operations.
-
without-nullok::
Do not add nullok parameter to pam_unix.
diff --git a/profiles/sssd/REQUIREMENTS b/profiles/sssd/REQUIREMENTS
index 6aaf7c771f7c1bcbf2aee7152422acc9d53c71f5..b36f6069a54a5f711a10aa0700f33e1a8e37794e 100644
--- a/profiles/sssd/REQUIREMENTS
+++ b/profiles/sssd/REQUIREMENTS
@@ -25,6 +25,3 @@ Make sure that SSSD service is configured and enabled. See SSSD documentation fo
- with-tlog is selected, make sure that session recording is enabled in SSSD {include if "with-tlog"}
{include if "with-libvirt"}
- with-libvirt is selected, make sure that the libvirt NSS plugins are installed {include if "with-libvirt"}
- {include if "with-systemd-homed"}
-- with-systemd-homed is selected, make sure that the system-homed service is enabled {include if "with-systemd-homed"}
- - systemctl enable --now systemd-homed.service {include if "with-systemd-homed"}
diff --git a/profiles/sssd/password-auth b/profiles/sssd/password-auth
index 97c33b678706e7eeb86bf45251baa41739f2940f..f468507b938ea2a7ac305a65f5fdea14a1ae10f1 100644
--- a/profiles/sssd/password-auth
+++ b/profiles/sssd/password-auth
@@ -7,7 +7,6 @@ auth required pam_u2f.so cue {if not
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth sufficient pam_unix.so {if not "without-nullok":nullok}
-auth sufficient pam_systemd_home.so {include if "with-systemd-homed"}
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
auth sufficient pam_sss.so forward_pass
auth required pam_faillock.so authfail {include if "with-faillock"}
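Review bot: Relative jumps need re-checking around the removed `auth sufficient pam_systemd_home.so` line. Here `pam_localuser.so` with `default=1` skips exactly one module (`pam_unix.so`), and with the homed line gone the jump always lands on `pam_usertype.so isregular`, which matches what a render without the feature produced, so this hunk looks right. Please confirm the same for profiles/sssd/system-auth, where the `default=2` jump on `pam_localuser.so` and the conditionally included smartcard and gssapi lines sit around the same spot, ideally with a rendered-stack test for each feature combination.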
@@ -16,14 +15,12 @@ auth required pam_deny.so
account required pam_access.so {include if "with-pamaccess"}
account required pam_faillock.so {include if "with-faillock"}
-account sufficient pam_systemd_home.so {include if "with-systemd-homed"}
account required pam_unix.so
account sufficient pam_localuser.so {exclude if "with-files-access-provider"}
account sufficient pam_usertype.so issystem
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
-password sufficient pam_systemd_home.so {include if "with-systemd-homed"}
password requisite pam_pwquality.so local_users_only
password [default=1 ignore=ignore success=ok] pam_localuser.so {include if "with-pwhistory"}
password requisite pam_pwhistory.so use_authtok {include if "with-pwhistory"}
@@ -35,7 +32,6 @@ password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
-session optional pam_systemd_home.so {include if "with-systemd-homed"}
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
diff --git a/profiles/sssd/system-auth b/profiles/sssd/system-auth
index 90c3504a414f0a151475cc207285b230fec381b1..870e4d7024066e3e40786bde6c3c39c7ba8d62c0 100644
--- a/profiles/sssd/system-auth
+++ b/profiles/sssd/system-auth
@@ -12,7 +12,6 @@ auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth [default=2 ignore=ignore success=ok] pam_localuser.so {include if "with-smartcard"}
auth [success=done authinfo_unavail=ignore user_unknown=ignore ignore=ignore default=die] pam_sss.so try_cert_auth {include if "with-smartcard"}
auth sufficient pam_unix.so {if not "without-nullok":nullok}
-auth sufficient pam_systemd_home.so {include if "with-systemd-homed"}
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular {include if "with-gssapi"}
auth sufficient pam_sss_gss.so {include if "with-gssapi"}
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
@@ -23,14 +22,12 @@ auth required pam_deny.so
account required pam_access.so {include if "with-pamaccess"}
account required pam_faillock.so {include if "with-faillock"}
-account sufficient pam_systemd_home.so {include if "with-systemd-homed"}
account required pam_unix.so
account sufficient pam_localuser.so {exclude if "with-files-access-provider"}
account sufficient pam_usertype.so issystem
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
-password sufficient pam_systemd_home.so {include if "with-systemd-homed"}
password requisite pam_pwquality.so local_users_only
password [default=1 ignore=ignore success=ok] pam_localuser.so {include if "with-pwhistory"}
password requisite pam_pwhistory.so use_authtok {include if "with-pwhistory"}
@@ -42,7 +39,6 @@ password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
-session optional pam_systemd_home.so {include if "with-systemd-homed"}
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
diff --git a/profiles/winbind/README b/profiles/winbind/README
index f65870d1d03da6465ad446dac87ed141d7115d8b..8844e1da2003a0266dfe8937774d6d6f7dad0210 100644
--- a/profiles/winbind/README
+++ b/profiles/winbind/README
@@ -75,9 +75,6 @@ with-mdns4::
with-mdns6::
Enable multicast DNS over IPv6.
-with-systemd-homed::
- If set, pam_systemd_homed is enabled for all pam operations.
-
without-nullok::
Do not add nullok parameter to pam_unix.
diff --git a/profiles/winbind/REQUIREMENTS b/profiles/winbind/REQUIREMENTS
index 232f6ee986ac66c5fed972c91c17080e0740e5c7..31a37d74ca5a4c46415545b8f6e0f61e8ad3b433 100644
--- a/profiles/winbind/REQUIREMENTS
+++ b/profiles/winbind/REQUIREMENTS
@@ -16,6 +16,3 @@ Make sure that winbind service is configured and enabled. See winbind documentat
- systemctl enable --now oddjobd.service {include if "with-mkhomedir"}
{include if "with-libvirt"}
- with-libvirt is selected, make sure that the libvirt NSS plugins are installed {include if "with-libvirt"}
- {include if "with-systemd-homed"}
-- with-systemd-homed is selected, make sure that the system-homed service is enabled {include if "with-systemd-homed"}
- - systemctl enable --now systemd-homed.service {include if "with-systemd-homed"}
diff --git a/profiles/winbind/password-auth b/profiles/winbind/password-auth
index 8d74149dd48643dbb4b80d62600d3ece0868ec30..8d1682b9301c2b9c92292a41120f69611f148108 100644
--- a/profiles/winbind/password-auth
+++ b/profiles/winbind/password-auth
@@ -4,7 +4,6 @@ auth required pam_faillock.so preauth
auth sufficient pam_u2f.so cue {include if "with-pam-u2f"}
auth required pam_u2f.so cue {if not "without-pam-u2f-nouserok":nouserok} {include if "with-pam-u2f-2fa"}
auth sufficient pam_unix.so {if not "without-nullok":nullok}
-auth sufficient pam_systemd_home.so {include if "with-systemd-homed"}
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
auth sufficient pam_winbind.so {if "with-krb5":krb5_auth} use_first_pass
auth required pam_faillock.so authfail {include if "with-faillock"}
@@ -13,14 +12,12 @@ auth required pam_deny.so
account required pam_access.so {include if "with-pamaccess"}
account required pam_faillock.so {include if "with-faillock"}
-account sufficient pam_systemd_home.so {include if "with-systemd-homed"}
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_usertype.so issystem
account [default=bad success=ok user_unknown=ignore] pam_winbind.so {if "with-krb5":krb5_auth}
account required pam_permit.so
-password sufficient pam_systemd_home.so {include if "with-systemd-homed"}
password requisite pam_pwquality.so local_users_only
password [default=1 ignore=ignore success=ok] pam_localuser.so {include if "with-pwhistory"}
password requisite pam_pwhistory.so use_authtok {include if "with-pwhistory"}
@@ -31,7 +28,6 @@ password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
-session optional pam_systemd_home.so {include if "with-systemd-homed"}
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
diff --git a/profiles/winbind/system-auth b/profiles/winbind/system-auth
index 2326c859284c5823c5a6d34390d794dbf33110d2..612143d10fe502d7f6ed636b4fba6cc639aa66b0 100644
--- a/profiles/winbind/system-auth
+++ b/profiles/winbind/system-auth
@@ -5,7 +5,6 @@ auth sufficient pam_fprintd.so
auth sufficient pam_u2f.so cue {include if "with-pam-u2f"}
auth required pam_u2f.so cue {if not "without-pam-u2f-nouserok":nouserok} {include if "with-pam-u2f-2fa"}
auth sufficient pam_unix.so {if not "without-nullok":nullok}
-auth sufficient pam_systemd_home.so {include if "with-systemd-homed"}
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
auth sufficient pam_winbind.so {if "with-krb5":krb5_auth} use_first_pass
auth required pam_faillock.so authfail {include if "with-faillock"}
@@ -14,14 +13,12 @@ auth required pam_deny.so
account required pam_access.so {include if "with-pamaccess"}
account required pam_faillock.so {include if "with-faillock"}
-account sufficient pam_systemd_home.so {include if "with-systemd-homed"}
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_usertype.so issystem
account [default=bad success=ok user_unknown=ignore] pam_winbind.so {if "with-krb5":krb5_auth}
account required pam_permit.so
-password sufficient pam_systemd_home.so {include if "with-systemd-homed"}
password requisite pam_pwquality.so local_users_only
password [default=1 ignore=ignore success=ok] pam_localuser.so {include if "with-pwhistory"}
password requisite pam_pwhistory.so use_authtok {include if "with-pwhistory"}
@@ -32,7 +29,6 @@ password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
-session optional pam_systemd_home.so {include if "with-systemd-homed"}
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
--
2.42.0

@ -0,0 +1,25 @@
From c3c2c3b7ffe04dc2e810c9fffdd82689543a94df Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Tue, 30 Oct 2018 14:08:12 +0100
Subject: [PATCH 1/4] rhel9: remove mention of Fedora Change page in compat
tool
---
src/compat/authcompat.py.in.in | 1 -
1 file changed, 1 deletion(-)
diff --git a/src/compat/authcompat.py.in.in b/src/compat/authcompat.py.in.in
index 1a68d95c71b51beabe80e9b07c084ea9c2f3580d..8334293911d1d4c2d98a6d233b91fc348cf06575 100755
--- a/src/compat/authcompat.py.in.in
+++ b/src/compat/authcompat.py.in.in
@@ -471,7 +471,6 @@ class AuthCompat:
"It does not provide all capabilities of authconfig.\n"))
print(_("IMPORTANT: authconfig is replaced by authselect, "
"please update your scripts."))
- print(_("See Fedora 28 Change Page: https://fedoraproject.org/wiki/Changes/AuthselectAsDefault"))
print(_("See man authselect-migration(7) to help you with migration to authselect"))
options = self.options.getSetButUnsupported()
--
2.34.1

@ -1,9 +1,8 @@
From 3167eaadde7a3f997925172b8d77cb380bf0d9d8 Mon Sep 17 00:00:00 2001
From 9da7355f1e2c8a148d4730fec4c4707c56e6dfa1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Mon, 10 Jun 2019 10:53:15 +0200
Subject: [PATCH 2/3] rhel10: remove ecryptfs support
Subject: [PATCH 2/4] rhel9: remove ecryptfs support
ecryptfs-utils is not present in rhel.
---
profiles/nis/README | 3 ---
profiles/nis/fingerprint-auth | 1 -
@ -21,11 +20,13 @@ ecryptfs-utils is not present in rhel.
profiles/winbind/password-auth | 1 -
profiles/winbind/postlogin | 4 ----
profiles/winbind/system-auth | 1 -
src/compat/authcompat.py.in.in | 1 -
src/compat/authcompat_Options.py | 2 +-
src/man/authselect-migration.7.adoc | 5 ++---
17 files changed, 2 insertions(+), 34 deletions(-)
19 files changed, 3 insertions(+), 36 deletions(-)
diff --git a/profiles/nis/README b/profiles/nis/README
index 745138bbdb1e045db41990dcb8864477d3408e36..3e2f8b01fa37f8c7060a9c263f66c3df9782061d 100644
index 895e8fa8650c04d41bf8bc8d6e3cda18db9bf814..71e23d61a8c1ea773c98524256a5eaad5a75d197 100644
--- a/profiles/nis/README
+++ b/profiles/nis/README
@@ -21,9 +21,6 @@ with-mkhomedir::
@ -51,10 +52,10 @@ index 3a2609df4ca29cdfcbff84b37576bb7b840d72b2..0b2f583a2fcf164647f7de387e9be298
session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
diff --git a/profiles/nis/password-auth b/profiles/nis/password-auth
index 927fbcbda8fa4e910e29c88a3806fb5265bbc7bc..56a51d9eebb2987da340805ddb4e4a6752ebdeb2 100644
index f181a58ab7792c7e1a4234e677cbb7e3d0a6548d..79fb521eb5dff4978203166491b185887d1ec744 100644
--- a/profiles/nis/password-auth
+++ b/profiles/nis/password-auth
@@ -20,7 +20,6 @@ password required pam_deny.so
@@ -18,7 +18,6 @@ password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
@ -75,10 +76,10 @@ index 137cd00dc65ee9ea83123f1d3a6f7ba04f0aea04..04a11f049bc1e220c9064fba7b46eb24
session [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
session [default=1] pam_lastlog.so nowtmp {if "with-silent-lastlog":silent|showfailed}
diff --git a/profiles/nis/system-auth b/profiles/nis/system-auth
index 40a1bf74aaf3d721c4d720938e57766bfe651e47..74cf6ece9ce0b1b64b122fd2309ebf5d496c4787 100644
index bc3f402435aafb5294dbae94096b184af51cf914..38c10c1afcf936c1d24d8edef941ae849d1186fc 100644
--- a/profiles/nis/system-auth
+++ b/profiles/nis/system-auth
@@ -21,7 +21,6 @@ password required pam_deny.so
@@ -19,7 +19,6 @@ password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
@ -87,10 +88,10 @@ index 40a1bf74aaf3d721c4d720938e57766bfe651e47..74cf6ece9ce0b1b64b122fd2309ebf5d
session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
diff --git a/profiles/sssd/README b/profiles/sssd/README
index a497da5dcffd0a03a122677c49ee2f8021927b04..2038a32b682f36d9eef51fda138730abc9666279 100644
index 61d5aedf65b2351cf23cea0a6b6b0932e32f0e48..ab9af237442089ded86b63942dd856397108ccf0 100644
--- a/profiles/sssd/README
+++ b/profiles/sssd/README
@@ -35,9 +35,6 @@ with-mkhomedir::
@@ -40,9 +40,6 @@ with-mkhomedir::
Enable automatic creation of home directories for users on their
first login.
@ -113,16 +114,16 @@ index 20ad3613e66ec85c7d2462d0449854e522383b3a..dc7befe7a4839a1ae5a4d21f4e523212
session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
diff --git a/profiles/sssd/password-auth b/profiles/sssd/password-auth
index f468507b938ea2a7ac305a65f5fdea14a1ae10f1..c15121ad00ff00dfcd1743341594c853ba734d9c 100644
index 3e33dcc09f68055f2f87709e638005929bd577b3..858c6db357d07dc554806f4807f9b0858a649f44 100644
--- a/profiles/sssd/password-auth
+++ b/profiles/sssd/password-auth
@@ -31,7 +31,6 @@ password required pam_deny.so
@@ -28,7 +28,6 @@ password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
-session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
diff --git a/profiles/sssd/postlogin b/profiles/sssd/postlogin
index 137cd00dc65ee9ea83123f1d3a6f7ba04f0aea04..04a11f049bc1e220c9064fba7b46eb243ddd4996 100644
@ -137,7 +138,7 @@ index 137cd00dc65ee9ea83123f1d3a6f7ba04f0aea04..04a11f049bc1e220c9064fba7b46eb24
session [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
session [default=1] pam_lastlog.so nowtmp {if "with-silent-lastlog":silent|showfailed}
diff --git a/profiles/sssd/smartcard-auth b/profiles/sssd/smartcard-auth
index 78cb329bf332f4d629740a0fff7d2dfe43f7d78d..13d3ee71f4d02c4ede777be6337031fc67baaa63 100644
index 0d8bcab250633b09bce0232a5747f3a7e740d5d7..754847f2d8885ff35cbc57ec2364d82b963caa3b 100644
--- a/profiles/sssd/smartcard-auth
+++ b/profiles/sssd/smartcard-auth
@@ -18,7 +18,6 @@ account required pam_permit.so
@ -145,23 +146,23 @@ index 78cb329bf332f4d629740a0fff7d2dfe43f7d78d..13d3ee71f4d02c4ede777be6337031fc
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
session optional pam_systemd.so
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
diff --git a/profiles/sssd/system-auth b/profiles/sssd/system-auth
index 870e4d7024066e3e40786bde6c3c39c7ba8d62c0..4ea19acebe2208f9e21676bf0ae0a92e9a92b1f4 100644
index a43341120f55bad3fb07dfea1c04453d0a278329..88c49e2dd5b60847d1d19154622a8614a21e5e1f 100644
--- a/profiles/sssd/system-auth
+++ b/profiles/sssd/system-auth
@@ -38,7 +38,6 @@ password required pam_deny.so
@@ -35,7 +35,6 @@ password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
-session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
diff --git a/profiles/winbind/README b/profiles/winbind/README
index 8844e1da2003a0266dfe8937774d6d6f7dad0210..7397bb9a6c8086b9720cc355d98de70b8107e79b 100644
index 0048c29256f5d4064edfb84a2f4b761fd09e90f6..6f7a7cab1efc768c4c82791d6a8f00def1771d37 100644
--- a/profiles/winbind/README
+++ b/profiles/winbind/README
@@ -33,9 +33,6 @@ with-mkhomedir::
@ -187,10 +188,10 @@ index e8997c6c78ce7305fa7068fb169c05c68167880d..c5485ab848989a252e4ff4b1376a4120
session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
diff --git a/profiles/winbind/password-auth b/profiles/winbind/password-auth
index 8d1682b9301c2b9c92292a41120f69611f148108..8b260fa06f5ed8494d1f6fac74517d3a54622693 100644
index 58705f3b15165c8d8bd4938889e3fb4d89c1a528..e84e2fcbb2bad9af6156e6e6db23f089f2b5d210 100644
--- a/profiles/winbind/password-auth
+++ b/profiles/winbind/password-auth
@@ -27,7 +27,6 @@ password required pam_deny.so
@@ -25,7 +25,6 @@ password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
@ -211,10 +212,10 @@ index 137cd00dc65ee9ea83123f1d3a6f7ba04f0aea04..04a11f049bc1e220c9064fba7b46eb24
session [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
session [default=1] pam_lastlog.so nowtmp {if "with-silent-lastlog":silent|showfailed}
diff --git a/profiles/winbind/system-auth b/profiles/winbind/system-auth
index 612143d10fe502d7f6ed636b4fba6cc639aa66b0..33aa13efb92405393236c3511ebb351facd916f0 100644
index 994c342441a0ed2738765a9fa7f6cc84f692d1d8..b5c5cfaa964a31b1cd8ac4cb62998c0a0a53a03e 100644
--- a/profiles/winbind/system-auth
+++ b/profiles/winbind/system-auth
@@ -28,7 +28,6 @@ password required pam_deny.so
@@ -26,7 +26,6 @@ password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
@ -222,11 +223,43 @@ index 612143d10fe502d7f6ed636b4fba6cc639aa66b0..33aa13efb92405393236c3511ebb351f
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
diff --git a/src/compat/authcompat.py.in.in b/src/compat/authcompat.py.in.in
index 8334293911d1d4c2d98a6d233b91fc348cf06575..55e205bae2c0b1f7892f8b286c288dfeaa26a60d 100755
--- a/src/compat/authcompat.py.in.in
+++ b/src/compat/authcompat.py.in.in
@@ -523,7 +523,6 @@ class AuthCompat:
'smartcard': 'with-smartcard',
'requiresmartcard': 'with-smartcard-required',
'fingerprint': 'with-fingerprint',
- 'ecryptfs': 'with-ecryptfs',
'mkhomedir': 'with-mkhomedir',
'faillock': 'with-faillock',
'pamaccess': 'with-pamaccess',
diff --git a/src/compat/authcompat_Options.py b/src/compat/authcompat_Options.py
index d26dedabdfb9519861076b58cddd0dd0eb04b7cb..5c8b21b55014198d6d9dfc98bd807c3c922b06f4 100644
--- a/src/compat/authcompat_Options.py
+++ b/src/compat/authcompat_Options.py
@@ -93,7 +93,6 @@ class Options:
Option.Valued("smartcardaction", _("<0=Lock|1=Ignore>"), _("action to be taken on smart card removal")),
Option.Feature("requiresmartcard", _("require smart card for authentication by default")),
Option.Feature("fingerprint", _("authentication with fingerprint readers by default")),
- Option.Feature("ecryptfs", _("automatic per-user ecryptfs")),
Option.Feature("krb5", _("Kerberos authentication by default")),
Option.Valued("krb5kdc", _("<server>"), _("default Kerberos KDC")),
Option.Valued("krb5adminserver", _("<server>"), _("default Kerberos admin server")),
@@ -141,6 +140,7 @@ class Options:
# layers and will produce warning when used. They will not affect
# the system.
Option.UnsupportedFeature("cache"),
+ Option.UnsupportedFeature("ecryptfs"),
Option.UnsupportedFeature("shadow"),
Option.UnsupportedSwitch("useshadow"),
Option.UnsupportedFeature("md5"),
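Review bot: moving `ecryptfs` to `Option.UnsupportedFeature("ecryptfs")` on the `+` line keeps `--enableecryptfs` parseable, but per the comment just above it the option now only produces a warning and does not affect the system. A host that relied on `pam_ecryptfs.so unwrap` in the session stack loses it after migration, with that warning as the only signal. Consider naming the dropped module in the warning text or in authselect-migration(7), where this patch already removes the `with-ecryptfs` mapping.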
diff --git a/src/man/authselect-migration.7.adoc b/src/man/authselect-migration.7.adoc
index 8cc58e60301925974fdb738c5b9a746749981df8..9056913dee9eef1590c8590d3cc0b51005a98af3 100644
index 3513a7e7cd3d7cc0045167e8224248c5be90ab2c..888cd4e5a0750d4e1aa5898887f5f7fd42472741 100644
--- a/src/man/authselect-migration.7.adoc
+++ b/src/man/authselect-migration.7.adoc
@@ -85,7 +85,6 @@ endif::[]
@@ -80,7 +80,6 @@ configuration file for required services.
|*Authconfig options* |*Authselect profile feature*
|--enablesmartcard |with-smartcard
|--enablefingerprint |with-fingerprint
@ -234,7 +267,7 @@ index 8cc58e60301925974fdb738c5b9a746749981df8..9056913dee9eef1590c8590d3cc0b510
|--enablemkhomedir |with-mkhomedir
|--enablefaillock |with-faillock
|--enablepamaccess |with-pamaccess
@@ -108,8 +107,8 @@ authselect select sssd with-faillock
@@ -103,8 +102,8 @@ authselect select sssd with-faillock
authconfig --enablesssd --enablesssdauth --enablesmartcard --smartcardmodule=sssd --updateall
authselect select sssd with-smartcard
@ -246,5 +279,5 @@ index 8cc58e60301925974fdb738c5b9a746749981df8..9056913dee9eef1590c8590d3cc0b510
authconfig --enablewinbind --enablewinbindauth --winbindjoin=Administrator --updateall
realm join -U Administrator --client-software=winbind WINBINDDOMAIN
--
2.42.0
2.34.1

@ -1,68 +0,0 @@
From b259ca399de497e0fc5e0763257e89bcc2e5a902 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Fri, 23 Feb 2024 16:01:58 +0100
Subject: [PATCH 3/3] rhel10: remove systemd-resolved
systemd-resolved should not be enabled by default in rhel.
---
profiles/local/nsswitch.conf | 2 +-
profiles/nis/nsswitch.conf | 2 +-
profiles/sssd/nsswitch.conf | 2 +-
profiles/winbind/nsswitch.conf | 2 +-
4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/profiles/local/nsswitch.conf b/profiles/local/nsswitch.conf
index 538926e4d5cc8c190a7b2d10fd3756ad3269a720..1ad4276566f775086fc091d8e1c35d4ac94a9786 100644
--- a/profiles/local/nsswitch.conf
+++ b/profiles/local/nsswitch.conf
@@ -2,7 +2,7 @@
passwd: files {if "with-altfiles":altfiles }systemd
shadow: files
group: files [SUCCESS=merge] {if "with-altfiles":altfiles [SUCCESS=merge] }systemd
-hosts: files {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] }resolve [!UNAVAIL=return] myhostname dns
+hosts: files {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] }myhostname dns
services: files
netgroup: files
automount: files
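Review bot: the `+hosts:` line drops `resolve [!UNAVAIL=return]` unconditionally, while the commit message only says systemd-resolved should not be enabled by default. The other optional modules on this line are gated by a template condition (`{if "with-libvirt":...}`, `{if "with-mdns4" ...}`); gating `resolve` the same way would keep it off by default and still let a host that runs systemd-resolved opt in without a custom profile. If unconditional removal is intended, say so in the message. The same point applies to the identical change in the nis, sssd and winbind profiles.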
diff --git a/profiles/nis/nsswitch.conf b/profiles/nis/nsswitch.conf
index 488476e91879b549fe605008d500b1810360f3be..88110258a69e7366980944ec3ccd9c79c0a1b323 100644
--- a/profiles/nis/nsswitch.conf
+++ b/profiles/nis/nsswitch.conf
@@ -2,7 +2,7 @@
passwd: files {if "with-altfiles":altfiles }nis systemd
shadow: files nis
group: files [SUCCESS=merge] {if "with-altfiles":altfiles [SUCCESS=merge] }nis [SUCCESS=merge] systemd
-hosts: files {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] }resolve [!UNAVAIL=return] nis myhostname dns
+hosts: files {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] }nis myhostname dns
services: files nis
netgroup: files nis
automount: files nis
diff --git a/profiles/sssd/nsswitch.conf b/profiles/sssd/nsswitch.conf
index b98094d9e0eaeb1559347b81a9505822ff713034..89a1f230487a18d12ff9c3862e3394035bf17cff 100644
--- a/profiles/sssd/nsswitch.conf
+++ b/profiles/sssd/nsswitch.conf
@@ -2,7 +2,7 @@
passwd: {if "with-tlog":sss }files {if "with-altfiles":altfiles }{if not "with-tlog":sss }systemd
shadow: files
group: {if "with-tlog":sss [SUCCESS=merge] }files [SUCCESS=merge] {if "with-altfiles":altfiles [SUCCESS=merge] }{if not "with-tlog":sss [SUCCESS=merge] }systemd
-hosts: files {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] }resolve [!UNAVAIL=return] myhostname dns
+hosts: files {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] }myhostname dns
services: files sss
netgroup: files sss
sudoers: files sss {include if "with-sudo"}
diff --git a/profiles/winbind/nsswitch.conf b/profiles/winbind/nsswitch.conf
index cc966b34464bb28776b903d61fff1f6a94a1eb6f..5315640e39f7c84b4c138f393fa3b5c970e4afa5 100644
--- a/profiles/winbind/nsswitch.conf
+++ b/profiles/winbind/nsswitch.conf
@@ -2,7 +2,7 @@
passwd: files {if "with-altfiles":altfiles }winbind systemd
shadow: files
group: files [SUCCESS=merge] {if "with-altfiles":altfiles [SUCCESS=merge] }winbind [SUCCESS=merge] systemd
-hosts: files {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] }resolve [!UNAVAIL=return] myhostname dns
+hosts: files {if "with-libvirt":libvirt libvirt_guest }{if "with-mdns4" and "with-mdns6":mdns_minimal [NOTFOUND=return] }{if "with-mdns4" and not "with-mdns6":mdns4_minimal [NOTFOUND=return] }{if not "with-mdns4" and "with-mdns6":mdns6_minimal [NOTFOUND=return] }myhostname dns
services: files
netgroup: files
automount: files
--
2.42.0

@ -0,0 +1,42 @@
From 6381b49e90b3850fade68c8af03b17d0cc016d3c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Wed, 25 Nov 2020 14:05:00 +0100
Subject: [PATCH 3/4] rhel9: Revert "profiles: add support for resolved"
systemd-resolved should not be enabled by default on rhel8.
This reverts commit c5294c508a940291440eb32d5d750f33baf1ae54.
---
profiles/minimal/nsswitch.conf | 2 +-
profiles/nis/nsswitch.conf | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/profiles/minimal/nsswitch.conf b/profiles/minimal/nsswitch.conf
index a9e4bc79a1090304542ccd8b43d1107eeb5304df..a39e4d32ebf79e8bf05f2db5753b01596222dc35 100644
--- a/profiles/minimal/nsswitch.conf
+++ b/profiles/minimal/nsswitch.conf
@@ -2,7 +2,7 @@ aliases: files {exclude if "with-custom
automount: files {exclude if "with-custom-automount"}
ethers: files {exclude if "with-custom-ethers"}
group: files {if "with-altfiles":altfiles }systemd {exclude if "with-custom-group"}
-hosts: resolve [!UNAVAIL=return] files myhostname dns {exclude if "with-custom-hosts"}
+hosts: files dns myhostname {exclude if "with-custom-hosts"}
initgroups: files {exclude if "with-custom-initgroups"}
netgroup: files {exclude if "with-custom-netgroup"}
networks: files {exclude if "with-custom-networks"}
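Review bot: the `+hosts:` line does more than drop `resolve [!UNAVAIL=return]`; it also moves `dns` ahead of `myhostname` (`files myhostname dns` becomes `files dns myhostname`). With that order the machine's own hostname is looked up in DNS before the local `myhostname` module gets to answer. If this is simply the order from before the reverted commit, note that in the commit message, which also says "rhel8" under a rhel9 subject. The nis hunk in this patch carries the same reordering.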
diff --git a/profiles/nis/nsswitch.conf b/profiles/nis/nsswitch.conf
index 50a3ffb7431a91b88b4bfef4c09df19310fac7e7..9bee7d839f84ff39d54cb6ead9dea38e51736b4d 100644
--- a/profiles/nis/nsswitch.conf
+++ b/profiles/nis/nsswitch.conf
@@ -2,7 +2,7 @@ aliases: files nis {exclude if "with-custom-aliases"}
automount: files nis {exclude if "with-custom-automount"}
ethers: files nis {exclude if "with-custom-ethers"}
group: files nis systemd {exclude if "with-custom-group"}
-hosts: resolve [!UNAVAIL=return] files nis myhostname dns {exclude if "with-custom-hosts"}
+hosts: files nis dns myhostname {exclude if "with-custom-hosts"}
initgroups: files nis {exclude if "with-custom-initgroups"}
netgroup: files nis {exclude if "with-custom-netgroup"}
networks: files nis {exclude if "with-custom-networks"}
--
2.34.1

@ -0,0 +1,297 @@
From fde1c60f1e87383596ee7060f4d748675b2efae9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Wed, 9 Jun 2021 13:59:01 +0200
Subject: [PATCH 4/4] rhel9: remove nis support
NIS is no longer supported in RHEL9.
---
profiles/Makefile.am | 14 -----
profiles/nis/dconf-db | 3 -
profiles/nis/dconf-locks | 2 -
profiles/nis/nsswitch.conf | 14 -----
profiles/nis/postlogin | 4 --
rpm/authselect.spec.in | 11 ----
src/compat/authcompat.py.in.in | 95 -----------------------------
src/compat/authcompat_Options.py | 8 ++-
src/man/authselect-migration.7.adoc | 2 +-
9 files changed, 6 insertions(+), 147 deletions(-)
delete mode 100644 profiles/nis/dconf-db
delete mode 100644 profiles/nis/dconf-locks
delete mode 100644 profiles/nis/nsswitch.conf
delete mode 100644 profiles/nis/postlogin
diff --git a/profiles/Makefile.am b/profiles/Makefile.am
index 7191b2604ca2c9ebaba3a4f1beb950e7d0e03970..4ab613f42a581df02c427636a0070092b58ec418 100644
--- a/profiles/Makefile.am
+++ b/profiles/Makefile.am
@@ -15,20 +15,6 @@ dist_profile_minimal_DATA = \
$(top_srcdir)/profiles/minimal/dconf-locks \
$(NULL)
-profile_nisdir = $(authselect_profile_dir)/nis
-dist_profile_nis_DATA = \
- $(top_srcdir)/profiles/nis/nsswitch.conf \
- $(top_srcdir)/profiles/nis/password-auth \
- $(top_srcdir)/profiles/nis/postlogin \
- $(top_srcdir)/profiles/nis/README \
- $(top_srcdir)/profiles/nis/REQUIREMENTS \
- $(top_srcdir)/profiles/nis/smartcard-auth \
- $(top_srcdir)/profiles/nis/system-auth \
- $(top_srcdir)/profiles/nis/fingerprint-auth \
- $(top_srcdir)/profiles/nis/dconf-db \
- $(top_srcdir)/profiles/nis/dconf-locks \
- $(NULL)
-
profile_sssddir = $(authselect_profile_dir)/sssd
dist_profile_sssd_DATA = \
$(top_srcdir)/profiles/sssd/nsswitch.conf \
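Review bot: this hunk drops all ten `profiles/nis/*` entries from `dist_profile_nis_DATA`, but the patch deletes only four of those files (`dconf-db`, `dconf-locks`, `nsswitch.conf`, `postlogin`, per the `delete mode` lines). `README`, `REQUIREMENTS`, `password-auth`, `system-auth`, `smartcard-auth` and `fingerprint-auth` stay in the source tree, unbuilt and unshipped. If they are kept so that other patches touching `profiles/nis/` still apply, state that in the commit message; otherwise delete them here as well.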
diff --git a/profiles/nis/dconf-db b/profiles/nis/dconf-db
deleted file mode 100644
index bd32b2819f66acdc75ab0fc522ec85673d10ed72..0000000000000000000000000000000000000000
--- a/profiles/nis/dconf-db
+++ /dev/null
@@ -1,3 +0,0 @@
-[org/gnome/login-screen]
-enable-smartcard-authentication=false
-enable-fingerprint-authentication={if "with-fingerprint":true|false}
diff --git a/profiles/nis/dconf-locks b/profiles/nis/dconf-locks
deleted file mode 100644
index 8a36fa9568344338272786394aece872185d0ab3..0000000000000000000000000000000000000000
--- a/profiles/nis/dconf-locks
+++ /dev/null
@@ -1,2 +0,0 @@
-/org/gnome/login-screen/enable-smartcard-authentication
-/org/gnome/login-screen/enable-fingerprint-authentication
diff --git a/profiles/nis/nsswitch.conf b/profiles/nis/nsswitch.conf
deleted file mode 100644
index 9bee7d839f84ff39d54cb6ead9dea38e51736b4d..0000000000000000000000000000000000000000
--- a/profiles/nis/nsswitch.conf
+++ /dev/null
@@ -1,14 +0,0 @@
-aliases: files nis {exclude if "with-custom-aliases"}
-automount: files nis {exclude if "with-custom-automount"}
-ethers: files nis {exclude if "with-custom-ethers"}
-group: files nis systemd {exclude if "with-custom-group"}
-hosts: files nis dns myhostname {exclude if "with-custom-hosts"}
-initgroups: files nis {exclude if "with-custom-initgroups"}
-netgroup: files nis {exclude if "with-custom-netgroup"}
-networks: files nis {exclude if "with-custom-networks"}
-passwd: files nis systemd {exclude if "with-custom-passwd"}
-protocols: files nis {exclude if "with-custom-protocols"}
-publickey: files nis {exclude if "with-custom-publickey"}
-rpc: files nis {exclude if "with-custom-rpc"}
-services: files nis {exclude if "with-custom-services"}
-shadow: files nis {exclude if "with-custom-shadow"}
diff --git a/profiles/nis/postlogin b/profiles/nis/postlogin
deleted file mode 100644
index 04a11f049bc1e220c9064fba7b46eb243ddd4996..0000000000000000000000000000000000000000
--- a/profiles/nis/postlogin
+++ /dev/null
@@ -1,4 +0,0 @@
-session optional pam_umask.so silent
-session [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
-session [default=1] pam_lastlog.so nowtmp {if "with-silent-lastlog":silent|showfailed}
-session optional pam_lastlog.so silent noupdate showfailed
diff --git a/rpm/authselect.spec.in b/rpm/authselect.spec.in
index f8539d5a028da1a7184b47609a8efdb5ce0be14e..95da183a41a29f7913a0a255a94070908ed9a66c 100644
--- a/rpm/authselect.spec.in
+++ b/rpm/authselect.spec.in
@@ -165,7 +165,6 @@ find $RPM_BUILD_ROOT -name "*.a" -exec %__rm -f {} \;
%dir %{_datadir}/authselect/vendor
%dir %{_datadir}/authselect/default
%dir %{_datadir}/authselect/default/minimal/
-%dir %{_datadir}/authselect/default/nis/
%dir %{_datadir}/authselect/default/sssd/
%dir %{_datadir}/authselect/default/winbind/
%{_datadir}/authselect/default/minimal/dconf-db
@@ -178,16 +177,6 @@ find $RPM_BUILD_ROOT -name "*.a" -exec %__rm -f {} \;
%{_datadir}/authselect/default/minimal/REQUIREMENTS
%{_datadir}/authselect/default/minimal/smartcard-auth
%{_datadir}/authselect/default/minimal/system-auth
-%{_datadir}/authselect/default/nis/dconf-db
-%{_datadir}/authselect/default/nis/dconf-locks
-%{_datadir}/authselect/default/nis/fingerprint-auth
-%{_datadir}/authselect/default/nis/nsswitch.conf
-%{_datadir}/authselect/default/nis/password-auth
-%{_datadir}/authselect/default/nis/postlogin
-%{_datadir}/authselect/default/nis/README
-%{_datadir}/authselect/default/nis/REQUIREMENTS
-%{_datadir}/authselect/default/nis/smartcard-auth
-%{_datadir}/authselect/default/nis/system-auth
%{_datadir}/authselect/default/sssd/dconf-db
%{_datadir}/authselect/default/sssd/dconf-locks
%{_datadir}/authselect/default/sssd/fingerprint-auth
diff --git a/src/compat/authcompat.py.in.in b/src/compat/authcompat.py.in.in
index 55e205bae2c0b1f7892f8b286c288dfeaa26a60d..c6d1f2786c233f7ebdbfe5f2503aa0016012aee0 100755
--- a/src/compat/authcompat.py.in.in
+++ b/src/compat/authcompat.py.in.in
@@ -243,20 +243,6 @@ class Configuration:
config.write(keys)
- class Network(Base):
- def __init__(self, options):
- super(Configuration.Network, self).__init__(options)
-
- def write(self):
- nisdomain = self.get("nisdomain")
- config = EnvironmentFile(Path.System('network'))
-
- if nisdomain is None:
- return
-
- config.set("NISDOMAIN", nisdomain)
- config.write()
-
class SSSD(Base):
def __init__(self, options):
super(Configuration.SSSD, self).__init__(options, ServiceName="sssd")
@@ -378,83 +364,6 @@ class Configuration:
# other applications may depend on it.
return
- class NIS(Base):
- def __init__(self, options):
- super(Configuration.NIS, self).__init__(options)
- self.rpcbind = Service("rpcbind")
- self.ypbind = Service("ypbind")
-
- def isEnabled(self):
- if not self.isset("nis"):
- return None
-
- return self.getBool("nis")
-
- def enableService(self, nostart):
- if not self.isset("nisdomain"):
- return
-
- nisdom = self.get("nisdomain")
-
- if not nostart:
- cmd = Command(Path.System('cmd-domainname'), [nisdom])
- cmd.run()
-
- cmd = Command(Path.System('cmd-setsebool'),
- ['-P', 'allow_ypbind', '1'])
- cmd.run()
-
- self.rpcbind.enable()
- self.ypbind.enable()
-
- if not nostart:
- self.rpcbind.start(Restart=False)
- self.ypbind.start()
-
- def disableService(self, nostop):
- if not nostop:
- cmd = Command(Path.System('cmd-domainname'), ["(none)"])
- cmd.run()
-
- cmd = Command(Path.System('cmd-setsebool'),
- ['-P', 'allow_ypbind', '0'])
- cmd.run()
-
- self.rpcbind.disable()
- self.ypbind.disable()
-
- if not nostop:
- self.rpcbind.stop()
- self.ypbind.stop()
-
- def write(self):
- if not self.isset("nisdomain"):
- return
-
- output = "domain " + self.get("nisdomain")
-
- additional_servers = []
- if self.isset("nisserver"):
- servers = self.get("nisserver").split(",")
- additional_servers = servers[1:]
- output += " server " + servers[0] + "\n"
- else:
- output += " broadcast\n"
-
- for server in additional_servers:
- output += "ypserver " + server + "\n"
-
- filename = Path.System('yp.conf')
- if self.getBool("test-call"):
- print("========== BEGIN Content of [%s] ==========" % filename)
- print(output)
- print("========== END Content of [%s] ==========\n" % filename)
- return
-
- with open(filename, "w") as f:
- f.write(output)
-
-
class AuthCompat:
def __init__(self):
self.sysconfig = EnvironmentFile(Path.System('authconfig'))
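Review bot: the removed `disableService()` is where this tool ran `setsebool -P allow_ypbind 0` and disabled `rpcbind` and `ypbind`. With the whole `NIS` class gone, a host that earlier enabled NIS through `enableService()` is left with the `allow_ypbind` boolean set and both services enabled, and nothing in this patch turns them off. Add a line to the commit message or to authselect-migration(7) telling admins to reset the boolean and disable the services by hand.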
@@ -538,8 +447,6 @@ class AuthCompat:
or self.options.getBool("sssd")
or self.options.getBool("sssdauth")):
profile = "sssd"
- elif self.options.getBool("nis"):
- profile = "nis"
elif self.options.getBool("winbind"):
profile = "winbind"
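Review bot: with the `elif self.options.getBool("nis")` branch removed, a call that passes only `--enablenis` falls through to the `winbind` test and then to whatever default follows, which this hunk does not show. The man page change in this patch maps `--enablenis` to `none`; please confirm the fall-through result matches that, and that the tool does not silently select a different profile for such a call.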
@@ -596,13 +503,11 @@ class AuthCompat:
def writeConfiguration(self):
configs = [
Configuration.LDAP(self.options),
- Configuration.Network(self.options),
Configuration.Kerberos(self.options),
Configuration.SSSD(self.options),
Configuration.Winbind(self.options),
Configuration.PWQuality(self.options),
Configuration.MakeHomedir(self.options),
- Configuration.NIS(self.options)
]
for config in configs:
diff --git a/src/compat/authcompat_Options.py b/src/compat/authcompat_Options.py
index 5c8b21b55014198d6d9dfc98bd807c3c922b06f4..79ead60fa9edc1244227e3b69df025471b7c7991 100644
--- a/src/compat/authcompat_Options.py
+++ b/src/compat/authcompat_Options.py
@@ -79,9 +79,6 @@ class Options:
# However, they will just make sure that an authentication against
# expected service is working. They may not result in the exact same
# configuration as authconfig would generate.
- Option.Feature("nis", _("NIS for user information by default")),
- Option.Valued("nisdomain", _("<domain>"), _("default NIS domain")),
- Option.Valued("nisserver", _("<server>"), _("default NIS server")),
Option.Feature("ldap", _("LDAP for user information by default")),
Option.Feature("ldapauth", _("LDAP for authentication by default")),
Option.Valued("ldapserver", _("<server>"), _("default LDAP server hostname or URI")),
@@ -164,6 +161,11 @@ class Options:
Option.UnsupportedFeature("locauthorize"),
Option.UnsupportedFeature("sysnetauth"),
Option.UnsupportedValued("faillockargs", _("<options>")),
+
+ # NIS is no longer supported
+ Option.UnsupportedFeature("nis"),
+ Option.UnsupportedValued("nisdomain", _("<domain>")),
+ Option.UnsupportedValued("nisserver", _("<server>")),
]
Map = {
diff --git a/src/man/authselect-migration.7.adoc b/src/man/authselect-migration.7.adoc
index 888cd4e5a0750d4e1aa5898887f5f7fd42472741..d9777b9b473859d7ec532f39f7e14bd81c4f1b90 100644
--- a/src/man/authselect-migration.7.adoc
+++ b/src/man/authselect-migration.7.adoc
@@ -72,7 +72,7 @@ configuration file for required services.
|--enablesssd --enablesssdauth |sssd
|--enablekrb5 |sssd
|--enablewinbind --enablewinbindauth |winbind
-|--enablenis |nis
+|--enablenis |none
|=========================================================
.Relation of authconfig options to authselect profile features
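Review bot: `none` on the `+` row sits in the profile column, where the other cells (`sssd`, `winbind`) are profile names usable with `authselect select`. A reader can take it for a profile called `none`. Wording that cannot be mistaken for a profile name, for example "not supported", would be clearer.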
--
2.34.1

@ -0,0 +1,947 @@
From f222ccb9f4d0ec1021d3117e9b91b3317722a3fe Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Mon, 5 Dec 2022 19:03:00 +0100
Subject: [PATCH 8/8] rhel9: Revert yescrypt
(cherry picked from commit a5d390b6c2a98854c6b5a53f49e3e76e86d7eb28)
Patch-name: 0905-rhel9-Revert-yescrypt.patch
Patch-id: 905
From-dist-git-commit: 8461b94b1539db7f26c288e0d5d20dd71e6609bf
---
po/af.po | 2 +-
po/authselect.pot | 2 +-
po/ca.po | 2 +-
po/cs.po | 4 ++--
po/de.po | 4 ++--
po/es.po | 4 ++--
po/fa.po | 2 +-
po/fi.po | 4 ++--
po/fr.po | 4 ++--
po/hu.po | 4 ++--
po/id.po | 2 +-
po/it.po | 4 ++--
po/ja.po | 4 ++--
po/ka.po | 4 ++--
po/ko.po | 4 ++--
po/nl.po | 4 ++--
po/pl.po | 4 ++--
po/pt.po | 2 +-
po/pt_BR.po | 4 ++--
po/ru.po | 4 ++--
po/si.po | 2 +-
po/sv.po | 4 ++--
po/tr.po | 4 ++--
po/uk.po | 4 ++--
po/zh_CN.po | 4 ++--
po/zh_TW.po | 4 ++--
profiles/minimal/password-auth | 2 +-
profiles/minimal/system-auth | 2 +-
profiles/nis/password-auth | 2 +-
profiles/nis/system-auth | 2 +-
profiles/sssd/password-auth | 2 +-
profiles/sssd/system-auth | 2 +-
profiles/winbind/password-auth | 2 +-
profiles/winbind/system-auth | 2 +-
src/compat/authcompat_Options.py | 2 +-
src/man/authselect-migration.7.adoc | 2 +-
src/man/po/authselect-migration.7.adoc.ca.po | 2 +-
src/man/po/authselect-migration.7.adoc.cs.po | 2 +-
src/man/po/authselect-migration.7.adoc.de.po | 2 +-
src/man/po/authselect-migration.7.adoc.es.po | 2 +-
src/man/po/authselect-migration.7.adoc.fa.po | 2 +-
src/man/po/authselect-migration.7.adoc.fi.po | 4 ++--
src/man/po/authselect-migration.7.adoc.fr.po | 4 ++--
src/man/po/authselect-migration.7.adoc.hu.po | 2 +-
src/man/po/authselect-migration.7.adoc.it.po | 2 +-
src/man/po/authselect-migration.7.adoc.ja.po | 4 ++--
src/man/po/authselect-migration.7.adoc.ko.po | 4 ++--
src/man/po/authselect-migration.7.adoc.nl.po | 4 ++--
src/man/po/authselect-migration.7.adoc.pl.po | 2 +-
src/man/po/authselect-migration.7.adoc.pot | 2 +-
src/man/po/authselect-migration.7.adoc.pt.po | 2 +-
src/man/po/authselect-migration.7.adoc.pt_BR.po | 2 +-
src/man/po/authselect-migration.7.adoc.ru.po | 4 ++--
src/man/po/authselect-migration.7.adoc.si.po | 2 +-
src/man/po/authselect-migration.7.adoc.sv.po | 4 ++--
src/man/po/authselect-migration.7.adoc.tr.po | 4 ++--
src/man/po/authselect-migration.7.adoc.uk.po | 4 ++--
src/man/po/authselect-migration.7.adoc.zh_CN.po | 2 +-
src/man/po/authselect-migration.7.adoc.zh_TW.po | 2 +-
59 files changed, 87 insertions(+), 87 deletions(-)
diff --git a/po/af.po b/po/af.po
index e305029..b4f0418 100644
--- a/po/af.po
+++ b/po/af.po
@@ -1575,7 +1575,7 @@ msgid "<name>"
msgstr ""
#: src/compat/authcompat_Options.py:148
-msgid "<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>"
+msgid "<descrypt|bigcrypt|md5|sha256|sha512>"
msgstr ""
#: src/compat/authcompat_Options.py:149
diff --git a/po/authselect.pot b/po/authselect.pot
index ebb39b0..c308071 100644
--- a/po/authselect.pot
+++ b/po/authselect.pot
@@ -1535,7 +1535,7 @@ msgid "<name>"
msgstr ""
#: src/compat/authcompat_Options.py:148
-msgid "<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>"
+msgid "<descrypt|bigcrypt|md5|sha256|sha512>"
msgstr ""
#: src/compat/authcompat_Options.py:149
diff --git a/po/ca.po b/po/ca.po
index 3373e10..75d91ec 100644
--- a/po/ca.po
+++ b/po/ca.po
@@ -1569,7 +1569,7 @@ msgid "<name>"
msgstr ""
#: src/compat/authcompat_Options.py:148
-msgid "<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>"
+msgid "<descrypt|bigcrypt|md5|sha256|sha512>"
msgstr ""
#: src/compat/authcompat_Options.py:149
diff --git a/po/cs.po b/po/cs.po
index 48929b6..b9150b7 100644
--- a/po/cs.po
+++ b/po/cs.po
@@ -1600,8 +1600,8 @@ msgid "<name>"
msgstr "<jméno>"
#: src/compat/authcompat_Options.py:148
-msgid "<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>"
-msgstr "<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>"
+msgid "<descrypt|bigcrypt|md5|sha256|sha512>"
+msgstr "<descrypt|bigcrypt|md5|sha256|sha512>"
# auto translated by TM merge from project: authconfig, version: master, DocId: po/authconfig
#: src/compat/authcompat_Options.py:149
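Review bot: the `msgstr` changed in this hunk is identical to its `msgid`, and in every other po/ file touched by this patch the entry is either identical in the same way or empty, so the catalog edits change nothing a user sees. A stale entry would simply fall back to the untranslated `msgid`, which is the same text. Consider limiting the downstream patch to the profiles/ files and the source string, and regenerating the catalogs from `po/authselect.pot`; that removes 26 files from the patch and most of its conflict surface on the next rebase.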
diff --git a/po/de.po b/po/de.po
index 07eab1e..746d167 100644
--- a/po/de.po
+++ b/po/de.po
@@ -1600,8 +1600,8 @@ msgid "<name>"
msgstr "<name>"
#: src/compat/authcompat_Options.py:148
-msgid "<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>"
-msgstr "<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>"
+msgid "<descrypt|bigcrypt|md5|sha256|sha512>"
+msgstr "<descrypt|bigcrypt|md5|sha256|sha512>"
#: src/compat/authcompat_Options.py:149
msgid "<URL>"
diff --git a/po/es.po b/po/es.po
index 3868023..af5cde8 100644
--- a/po/es.po
+++ b/po/es.po
@@ -1598,8 +1598,8 @@ msgid "<name>"
msgstr "<nombre>"
#: src/compat/authcompat_Options.py:148
-msgid "<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>"
-msgstr "<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>"
+msgid "<descrypt|bigcrypt|md5|sha256|sha512>"
+msgstr "<descrypt|bigcrypt|md5|sha256|sha512>"
#: src/compat/authcompat_Options.py:149
msgid "<URL>"
diff --git a/po/fa.po b/po/fa.po
index 7776891..d74c1cd 100644
--- a/po/fa.po
+++ b/po/fa.po
@@ -1537,7 +1537,7 @@ msgid "<name>"
msgstr ""
#: src/compat/authcompat_Options.py:148
-msgid "<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>"
+msgid "<descrypt|bigcrypt|md5|sha256|sha512>"
msgstr ""
#: src/compat/authcompat_Options.py:149
diff --git a/po/fi.po b/po/fi.po
index 2ae32ff..7390590 100644
--- a/po/fi.po
+++ b/po/fi.po
@@ -1583,8 +1583,8 @@ msgid "<name>"
msgstr "<nimi>"
#: src/compat/authcompat_Options.py:148
-msgid "<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>"
-msgstr "<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>"
+msgid "<descrypt|bigcrypt|md5|sha256|sha512>"
+msgstr "<descrypt|bigcrypt|md5|sha256|sha512>"
#: src/compat/authcompat_Options.py:149
msgid "<URL>"
diff --git a/po/fr.po b/po/fr.po
index a40cf4c..d526c5d 100644
--- a/po/fr.po
+++ b/po/fr.po
@@ -1605,8 +1605,8 @@ msgid "<name>"
msgstr "<name>"
#: src/compat/authcompat_Options.py:148
-msgid "<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>"
-msgstr "<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>"
+msgid "<descrypt|bigcrypt|md5|sha256|sha512>"
+msgstr "<descrypt|bigcrypt|md5|sha256|sha512>"
#: src/compat/authcompat_Options.py:149
msgid "<URL>"
diff --git a/po/hu.po b/po/hu.po
index 758be29..e18d6bf 100644
--- a/po/hu.po
+++ b/po/hu.po
@@ -1590,8 +1590,8 @@ msgid "<name>"
msgstr "<név>"
#: src/compat/authcompat_Options.py:148
-msgid "<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>"
-msgstr "<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>"
+msgid "<descrypt|bigcrypt|md5|sha256|sha512>"
+msgstr "<descrypt|bigcrypt|md5|sha256|sha512>"
#: src/compat/authcompat_Options.py:149
msgid "<URL>"
diff --git a/po/id.po b/po/id.po
index a83e1e2..6a7e2a7 100644
--- a/po/id.po
+++ b/po/id.po
@@ -1538,7 +1538,7 @@ msgid "<name>"
msgstr ""
#: src/compat/authcompat_Options.py:148
-msgid "<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>"
+msgid "<descrypt|bigcrypt|md5|sha256|sha512>"
msgstr ""
#: src/compat/authcompat_Options.py:149
diff --git a/po/it.po b/po/it.po
index 9427893..4b27ef2 100644
--- a/po/it.po
+++ b/po/it.po
@@ -1585,8 +1585,8 @@ msgid "<name>"
msgstr "<name>"
#: src/compat/authcompat_Options.py:148
-msgid "<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>"
-msgstr "<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>"
+msgid "<descrypt|bigcrypt|md5|sha256|sha512>"
+msgstr "<descrypt|bigcrypt|md5|sha256|sha512>"
#: src/compat/authcompat_Options.py:149
msgid "<URL>"
diff --git a/po/ja.po b/po/ja.po
index fe83406..7ea9ae8 100644
--- a/po/ja.po
+++ b/po/ja.po
@@ -1598,8 +1598,8 @@ msgid "<name>"
msgstr "<name>"
#: src/compat/authcompat_Options.py:148
-msgid "<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>"
-msgstr "<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>"
+msgid "<descrypt|bigcrypt|md5|sha256|sha512>"
+msgstr "<descrypt|bigcrypt|md5|sha256|sha512>"
# auto translated by TM merge from translation memory: authconfig, unique id: authconfig:6.2.8:authconfig:0bbce02e304562c295a1d57d66c296d3
#: src/compat/authcompat_Options.py:149
diff --git a/po/ka.po b/po/ka.po
index ef2e7c6..e19c0ab 100644
--- a/po/ka.po
+++ b/po/ka.po
@@ -1573,8 +1573,8 @@ msgid "<name>"
msgstr "<name>"
#: src/compat/authcompat_Options.py:148
-msgid "<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>"
-msgstr "<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>"
+msgid "<descrypt|bigcrypt|md5|sha256|sha512>"
+msgstr "<descrypt|bigcrypt|md5|sha256|sha512>"
#: src/compat/authcompat_Options.py:149
msgid "<URL>"
diff --git a/po/ko.po b/po/ko.po
index 52d2cac..eb768fe 100644
--- a/po/ko.po
+++ b/po/ko.po
@@ -1570,8 +1570,8 @@ msgid "<name>"
msgstr "<name>"
#: src/compat/authcompat_Options.py:148
-msgid "<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>"
-msgstr "<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>"
+msgid "<descrypt|bigcrypt|md5|sha256|sha512>"
+msgstr "<descrypt|bigcrypt|md5|sha256|sha512>"
#: src/compat/authcompat_Options.py:149
msgid "<URL>"
diff --git a/po/nl.po b/po/nl.po
index 1bd2a9b..ba50b52 100644
--- a/po/nl.po
+++ b/po/nl.po
@@ -1602,8 +1602,8 @@ msgid "<name>"
msgstr "<naam>"
#: src/compat/authcompat_Options.py:148
-msgid "<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>"
-msgstr "<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>"
+msgid "<descrypt|bigcrypt|md5|sha256|sha512>"
+msgstr "<descrypt|bigcrypt|md5|sha256|sha512>"
#: src/compat/authcompat_Options.py:149
msgid "<URL>"
diff --git a/po/pl.po b/po/pl.po
index 9b6627c..13553c8 100644
--- a/po/pl.po
+++ b/po/pl.po
@@ -1609,8 +1609,8 @@ msgid "<name>"
msgstr "<nazwa>"
#: src/compat/authcompat_Options.py:148
-msgid "<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>"
-msgstr "<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>"
+msgid "<descrypt|bigcrypt|md5|sha256|sha512>"
+msgstr "<descrypt|bigcrypt|md5|sha256|sha512>"
#: src/compat/authcompat_Options.py:149
msgid "<URL>"
diff --git a/po/pt.po b/po/pt.po
index ad02a0b..90d2aa3 100644
--- a/po/pt.po
+++ b/po/pt.po
@@ -1536,7 +1536,7 @@ msgid "<name>"
msgstr ""
#: src/compat/authcompat_Options.py:148
-msgid "<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>"
+msgid "<descrypt|bigcrypt|md5|sha256|sha512>"
msgstr ""
#: src/compat/authcompat_Options.py:149
diff --git a/po/pt_BR.po b/po/pt_BR.po
index a1215bb..544b8e9 100644
--- a/po/pt_BR.po
+++ b/po/pt_BR.po
@@ -1592,8 +1592,8 @@ msgid "<name>"
msgstr "<name>"
#: src/compat/authcompat_Options.py:148
-msgid "<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>"
-msgstr "<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>"
+msgid "<descrypt|bigcrypt|md5|sha256|sha512>"
+msgstr "<descrypt|bigcrypt|md5|sha256|sha512>"
#: src/compat/authcompat_Options.py:149
msgid "<URL>"
diff --git a/po/ru.po b/po/ru.po
index 4919002..d23284d 100644
--- a/po/ru.po
+++ b/po/ru.po
@@ -1590,8 +1590,8 @@ msgid "<name>"
msgstr "<name>"
#: src/compat/authcompat_Options.py:148
-msgid "<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>"
-msgstr "<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>"
+msgid "<descrypt|bigcrypt|md5|sha256|sha512>"
+msgstr "<descrypt|bigcrypt|md5|sha256|sha512>"
#: src/compat/authcompat_Options.py:149
msgid "<URL>"
diff --git a/po/si.po b/po/si.po
index 39f5a79..eaf4b3c 100644
--- a/po/si.po
+++ b/po/si.po
@@ -1536,7 +1536,7 @@ msgid "<name>"
msgstr ""
#: src/compat/authcompat_Options.py:148
-msgid "<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>"
+msgid "<descrypt|bigcrypt|md5|sha256|sha512>"
msgstr ""
#: src/compat/authcompat_Options.py:149
diff --git a/po/sv.po b/po/sv.po
index 9292b1f..cc70f2d 100644
--- a/po/sv.po
+++ b/po/sv.po
@@ -1580,8 +1580,8 @@ msgid "<name>"
msgstr "<namn>"
#: src/compat/authcompat_Options.py:148
-msgid "<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>"
-msgstr "<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>"
+msgid "<descrypt|bigcrypt|md5|sha256|sha512>"
+msgstr "<descrypt|bigcrypt|md5|sha256|sha512>"
#: src/compat/authcompat_Options.py:149
msgid "<URL>"
diff --git a/po/tr.po b/po/tr.po
index 9be388f..0aaa543 100644
--- a/po/tr.po
+++ b/po/tr.po
@@ -1589,8 +1589,8 @@ msgid "<name>"
msgstr "<ad>"
#: src/compat/authcompat_Options.py:148
-msgid "<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>"
-msgstr "<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>"
+msgid "<descrypt|bigcrypt|md5|sha256|sha512>"
+msgstr "<descrypt|bigcrypt|md5|sha256|sha512>"
#: src/compat/authcompat_Options.py:149
msgid "<URL>"
diff --git a/po/uk.po b/po/uk.po
index c66594f..bc4c93b 100644
--- a/po/uk.po
+++ b/po/uk.po
@@ -1591,8 +1591,8 @@ msgid "<name>"
msgstr "<назва>"
#: src/compat/authcompat_Options.py:148
-msgid "<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>"
-msgstr "<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>"
+msgid "<descrypt|bigcrypt|md5|sha256|sha512>"
+msgstr "<descrypt|bigcrypt|md5|sha256|sha512>"
#: src/compat/authcompat_Options.py:149
msgid "<URL>"
diff --git a/po/zh_CN.po b/po/zh_CN.po
index 75ec7d8..6c109a0 100644
--- a/po/zh_CN.po
+++ b/po/zh_CN.po
@@ -1559,8 +1559,8 @@ msgid "<name>"
msgstr "<name>"
#: src/compat/authcompat_Options.py:148
-msgid "<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>"
-msgstr "<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>"
+msgid "<descrypt|bigcrypt|md5|sha256|sha512>"
+msgstr "<descrypt|bigcrypt|md5|sha256|sha512>"
#: src/compat/authcompat_Options.py:149
msgid "<URL>"
diff --git a/po/zh_TW.po b/po/zh_TW.po
index 89fefed..0562435 100644
--- a/po/zh_TW.po
+++ b/po/zh_TW.po
@@ -1562,8 +1562,8 @@ msgid "<name>"
msgstr "<name>"
#: src/compat/authcompat_Options.py:148
-msgid "<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>"
-msgstr "<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>"
+msgid "<descrypt|bigcrypt|md5|sha256|sha512>"
+msgstr "<descrypt|bigcrypt|md5|sha256|sha512>"
#: src/compat/authcompat_Options.py:149
msgid "<URL>"
diff --git a/profiles/minimal/password-auth b/profiles/minimal/password-auth
index 858c21f..8c4cb37 100644
--- a/profiles/minimal/password-auth
+++ b/profiles/minimal/password-auth
@@ -12,7 +12,7 @@ account required pam_unix.so
password requisite pam_pwquality.so
password [default=1 ignore=ignore success=ok] pam_localuser.so {include if "with-pwhistory"}
password requisite pam_pwhistory.so use_authtok {include if "with-pwhistory"}
-password sufficient pam_unix.so yescrypt shadow {if not "without-nullok":nullok} use_authtok
+password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
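Review bot: the replacement `pam_unix.so` line selects `sha512` without a `rounds=` argument, so the work factor of newly written hashes is left to module and system defaults instead of being stated in the profile. The commit message gives only the cherry-pick reference and no reason for leaving yescrypt; please add the rationale there, and either set `rounds=` on this line or say where the cost is expected to be configured. The same line is changed in the nis, sssd and winbind profiles, so whatever is decided here should be applied to all of them.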
diff --git a/profiles/minimal/system-auth b/profiles/minimal/system-auth
index 858c21f..8c4cb37 100644
--- a/profiles/minimal/system-auth
+++ b/profiles/minimal/system-auth
@@ -12,7 +12,7 @@ account required pam_unix.so
password requisite pam_pwquality.so
password [default=1 ignore=ignore success=ok] pam_localuser.so {include if "with-pwhistory"}
password requisite pam_pwhistory.so use_authtok {include if "with-pwhistory"}
-password sufficient pam_unix.so yescrypt shadow {if not "without-nullok":nullok} use_authtok
+password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
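Review bot: `profiles/minimal/system-auth` carries the same blob ids as `profiles/minimal/password-auth` both before and after this change (`858c21f..8c4cb37`), so the two files are identical copies kept in sync by hand. A test asserting that the `password sufficient pam_unix.so` line names the same algorithm in every profile file would catch one copy being missed the next time this revert is re-applied or dropped.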
diff --git a/profiles/nis/password-auth b/profiles/nis/password-auth
index 56a51d9..56b19a6 100644
--- a/profiles/nis/password-auth
+++ b/profiles/nis/password-auth
@@ -15,7 +15,7 @@ account required pam_unix.so broken_shad
password requisite pam_pwquality.so {if not "with-nispwquality":local_users_only}
password [default=1 ignore=ignore success=ok] pam_localuser.so {include if "with-pwhistory"}
password requisite pam_pwhistory.so use_authtok {include if "with-pwhistory"}
-password sufficient pam_unix.so yescrypt shadow {if not "without-nullok":nullok} use_authtok nis
+password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} use_authtok nis
password required pam_deny.so
session optional pam_keyinit.so revoke
diff --git a/profiles/nis/system-auth b/profiles/nis/system-auth
index 74cf6ec..5d5010a 100644
--- a/profiles/nis/system-auth
+++ b/profiles/nis/system-auth
@@ -16,7 +16,7 @@ account required pam_unix.so broken_shad
password requisite pam_pwquality.so {if not "with-nispwquality":local_users_only}
password [default=1 ignore=ignore success=ok] pam_localuser.so {include if "with-pwhistory"}
password requisite pam_pwhistory.so use_authtok {include if "with-pwhistory"}
-password sufficient pam_unix.so yescrypt shadow {if not "without-nullok":nullok} use_authtok nis
+password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} use_authtok nis
password required pam_deny.so
session optional pam_keyinit.so revoke
diff --git a/profiles/sssd/password-auth b/profiles/sssd/password-auth
index 5b235de..b64f048 100644
--- a/profiles/sssd/password-auth
+++ b/profiles/sssd/password-auth
@@ -24,7 +24,7 @@ account required pam_permit.so
password requisite pam_pwquality.so local_users_only
password [default=1 ignore=ignore success=ok] pam_localuser.so {include if "with-pwhistory"}
password requisite pam_pwhistory.so use_authtok {include if "with-pwhistory"}
-password sufficient pam_unix.so yescrypt shadow {if not "without-nullok":nullok} use_authtok
+password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} use_authtok
password [success=1 default=ignore] pam_localuser.so
password sufficient pam_sss.so use_authtok
password required pam_deny.so
diff --git a/profiles/sssd/system-auth b/profiles/sssd/system-auth
index 22e87d8..d338719 100644
--- a/profiles/sssd/system-auth
+++ b/profiles/sssd/system-auth
@@ -31,7 +31,7 @@ account required pam_permit.so
password requisite pam_pwquality.so local_users_only
password [default=1 ignore=ignore success=ok] pam_localuser.so {include if "with-pwhistory"}
password requisite pam_pwhistory.so use_authtok {include if "with-pwhistory"}
-password sufficient pam_unix.so yescrypt shadow {if not "without-nullok":nullok} use_authtok
+password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} use_authtok
password [success=1 default=ignore] pam_localuser.so
password sufficient pam_sss.so use_authtok
password required pam_deny.so
diff --git a/profiles/winbind/password-auth b/profiles/winbind/password-auth
index 8b260fa..4944b42 100644
--- a/profiles/winbind/password-auth
+++ b/profiles/winbind/password-auth
@@ -21,7 +21,7 @@ account required pam_permit.so
password requisite pam_pwquality.so local_users_only
password [default=1 ignore=ignore success=ok] pam_localuser.so {include if "with-pwhistory"}
password requisite pam_pwhistory.so use_authtok {include if "with-pwhistory"}
-password sufficient pam_unix.so yescrypt shadow {if not "without-nullok":nullok} use_authtok
+password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} use_authtok
password sufficient pam_winbind.so {if "with-krb5":krb5_auth} use_authtok
password required pam_deny.so
diff --git a/profiles/winbind/system-auth b/profiles/winbind/system-auth
index 33aa13e..afe27d7 100644
--- a/profiles/winbind/system-auth
+++ b/profiles/winbind/system-auth
@@ -22,7 +22,7 @@ account required pam_permit.so
password requisite pam_pwquality.so local_users_only
password [default=1 ignore=ignore success=ok] pam_localuser.so {include if "with-pwhistory"}
password requisite pam_pwhistory.so use_authtok {include if "with-pwhistory"}
-password sufficient pam_unix.so yescrypt shadow {if not "without-nullok":nullok} use_authtok
+password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} use_authtok
password sufficient pam_winbind.so {if "with-krb5":krb5_auth} use_authtok
password required pam_deny.so
diff --git a/src/compat/authcompat_Options.py b/src/compat/authcompat_Options.py
index 79ead60..5b80b80 100644
--- a/src/compat/authcompat_Options.py
+++ b/src/compat/authcompat_Options.py
@@ -142,7 +142,7 @@ class Options:
Option.UnsupportedSwitch("useshadow"),
Option.UnsupportedFeature("md5"),
Option.UnsupportedSwitch("usemd5"),
- Option.UnsupportedValued("passalgo", _("<descrypt|bigcrypt|md5|sha256|sha512|yescrypt>")),
+ Option.UnsupportedValued("passalgo", _("<descrypt|bigcrypt|md5|sha256|sha512>")),
Option.UnsupportedValued("ldaploadcacert", _("<URL>")),
Option.UnsupportedValued("smartcardmodule", _("<module>")),
Option.UnsupportedValued("smbsecurity", _("<user|server|domain|ads>")),
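Review bot: `passalgo` remains an `Option.UnsupportedValued` entry, so the value list in this string is help text only and nothing in this hunk checks a supplied value against it. A short comment above the line saying the list has to follow the algorithm named on the profiles' `pam_unix.so` line would explain why this string must change together with the profiles/ hunks, and why it is the source of all the `msgid` edits under po/.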
diff --git a/src/man/authselect-migration.7.adoc b/src/man/authselect-migration.7.adoc
index d9777b9..9e3021a 100644
--- a/src/man/authselect-migration.7.adoc
+++ b/src/man/authselect-migration.7.adoc
@@ -90,7 +90,7 @@ configuration file for required services.
NOTE: Authconfig options `--enableshadow` and `--passalgo=sha512` were often
used to make sure that passwords are stored in `/etc/shadow` using `sha512`
-algorithm. *The authselect profiles now use the yescrypt hashing method* and
+algorithm. *The authselect profiles now use the sha512 hashing method* and
it cannot be changed through an option (only by creating a custom profile).
You can just omit these options.
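Review bot: after the substitution the NOTE first says the old options were used to get `sha512` and then, in bold, that the profiles "now use the sha512 hashing method", so "now" and the emphasis suggest a change that no longer exists on this branch. Reword the sentence to state plainly that the profiles use `sha512` and that it can only be changed through a custom profile; the translated `msgid` entries under src/man/po/ would need the same wording.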
diff --git a/src/man/po/authselect-migration.7.adoc.ca.po b/src/man/po/authselect-migration.7.adoc.ca.po
index 08b11b7..12f14d6 100644
--- a/src/man/po/authselect-migration.7.adoc.ca.po
+++ b/src/man/po/authselect-migration.7.adoc.ca.po
@@ -185,7 +185,7 @@ msgstr ""
msgid ""
"Authconfig options `--enableshadow` and `--passalgo=sha512` were often used "
"to make sure that passwords are stored in `/etc/shadow` using `sha512` "
-"algorithm. *The authselect profiles now use the yescrypt hashing method* and "
+"algorithm. *The authselect profiles now use the sha512 hashing method* and "
"it cannot be changed through an option (only by creating a custom profile). "
"You can just omit these options."
msgstr ""
diff --git a/src/man/po/authselect-migration.7.adoc.cs.po b/src/man/po/authselect-migration.7.adoc.cs.po
index d11809b..caf570b 100644
--- a/src/man/po/authselect-migration.7.adoc.cs.po
+++ b/src/man/po/authselect-migration.7.adoc.cs.po
@@ -242,7 +242,7 @@ msgstr ""
msgid ""
"Authconfig options `--enableshadow` and `--passalgo=sha512` were often used "
"to make sure that passwords are stored in `/etc/shadow` using `sha512` "
-"algorithm. *The authselect profiles now use the yescrypt hashing method* and "
+"algorithm. *The authselect profiles now use the sha512 hashing method* and "
"it cannot be changed through an option (only by creating a custom profile). "
"You can just omit these options."
msgstr ""
diff --git a/src/man/po/authselect-migration.7.adoc.de.po b/src/man/po/authselect-migration.7.adoc.de.po
index c166a0f..fff88c8 100644
--- a/src/man/po/authselect-migration.7.adoc.de.po
+++ b/src/man/po/authselect-migration.7.adoc.de.po
@@ -193,7 +193,7 @@ msgstr ""
msgid ""
"Authconfig options `--enableshadow` and `--passalgo=sha512` were often used "
"to make sure that passwords are stored in `/etc/shadow` using `sha512` "
-"algorithm. *The authselect profiles now use the yescrypt hashing method* and "
+"algorithm. *The authselect profiles now use the sha512 hashing method* and "
"it cannot be changed through an option (only by creating a custom profile). "
"You can just omit these options."
msgstr ""
diff --git a/src/man/po/authselect-migration.7.adoc.es.po b/src/man/po/authselect-migration.7.adoc.es.po
index 8cb3584..5403cde 100644
--- a/src/man/po/authselect-migration.7.adoc.es.po
+++ b/src/man/po/authselect-migration.7.adoc.es.po
@@ -241,7 +241,7 @@ msgstr ""
msgid ""
"Authconfig options `--enableshadow` and `--passalgo=sha512` were often used "
"to make sure that passwords are stored in `/etc/shadow` using `sha512` "
-"algorithm. *The authselect profiles now use the yescrypt hashing method* and "
+"algorithm. *The authselect profiles now use the sha512 hashing method* and "
"it cannot be changed through an option (only by creating a custom profile). "
"You can just omit these options."
msgstr ""
diff --git a/src/man/po/authselect-migration.7.adoc.fa.po b/src/man/po/authselect-migration.7.adoc.fa.po
index b902c0c..db37728 100644
--- a/src/man/po/authselect-migration.7.adoc.fa.po
+++ b/src/man/po/authselect-migration.7.adoc.fa.po
@@ -189,7 +189,7 @@ msgstr ""
msgid ""
"Authconfig options `--enableshadow` and `--passalgo=sha512` were often used "
"to make sure that passwords are stored in `/etc/shadow` using `sha512` "
-"algorithm. *The authselect profiles now use the yescrypt hashing method* and "
+"algorithm. *The authselect profiles now use the sha512 hashing method* and "
"it cannot be changed through an option (only by creating a custom profile). "
"You can just omit these options."
msgstr ""
diff --git a/src/man/po/authselect-migration.7.adoc.fi.po b/src/man/po/authselect-migration.7.adoc.fi.po
index 14c6894..79ff561 100644
--- a/src/man/po/authselect-migration.7.adoc.fi.po
+++ b/src/man/po/authselect-migration.7.adoc.fi.po
@@ -252,14 +252,14 @@ msgstr ""
msgid ""
"Authconfig options `--enableshadow` and `--passalgo=sha512` were often used "
"to make sure that passwords are stored in `/etc/shadow` using `sha512` "
-"algorithm. *The authselect profiles now use the yescrypt hashing method* and "
+"algorithm. *The authselect profiles now use the sha512 hashing method* and "
"it cannot be changed through an option (only by creating a custom profile). "
"You can just omit these options."
msgstr ""
"Authconfig-asetuksia `--enableshadow` ja `--passalgo=sha512` käytettiin "
"usein varmistamaan, että salasanat on tallennettu hakemistoon `/etc/shadow` "
"käyttämällä `sha512`-algoritmia. *Authselect-profiilit käyttävät nyt "
-"yescrypt-hajautusmenetelmää*, eikä sitä voi muuttaa valinnalla (onnistuu "
+"sha512-hajautusmenetelmää*, eikä sitä voi muuttaa valinnalla (onnistuu "
"vain luomalla mukautettu profiili). Voit jättää nämä vaihtoehdot pois."
#. type: Block title
diff --git a/src/man/po/authselect-migration.7.adoc.fr.po b/src/man/po/authselect-migration.7.adoc.fr.po
index cf3fcf9..55a7386 100644
--- a/src/man/po/authselect-migration.7.adoc.fr.po
+++ b/src/man/po/authselect-migration.7.adoc.fr.po
@@ -259,14 +259,14 @@ msgstr ""
msgid ""
"Authconfig options `--enableshadow` and `--passalgo=sha512` were often used "
"to make sure that passwords are stored in `/etc/shadow` using `sha512` "
-"algorithm. *The authselect profiles now use the yescrypt hashing method* and "
+"algorithm. *The authselect profiles now use the sha512 hashing method* and "
"it cannot be changed through an option (only by creating a custom profile). "
"You can just omit these options."
msgstr ""
"Les options dAuthconfig '--enableshadow' et '--passalgo=sha512' ont souvent "
"été utilisées pour sassurer que les mots de passe sont stockés dans '/etc/"
"shadow' en utilisant lalgorithme 'sha512'. *Les profils authselect "
-"utilisent maintenant la méthode de hachage yescrypt* et elle ne peut pas "
+"utilisent maintenant la méthode de hachage sha512* et elle ne peut pas "
"être modifiée via une option (uniquement en créant un profil personnalisé). "
"Vous pouvez simplement omettre ces options."
diff --git a/src/man/po/authselect-migration.7.adoc.hu.po b/src/man/po/authselect-migration.7.adoc.hu.po
index a058b22..368476a 100644
--- a/src/man/po/authselect-migration.7.adoc.hu.po
+++ b/src/man/po/authselect-migration.7.adoc.hu.po
@@ -189,7 +189,7 @@ msgstr ""
msgid ""
"Authconfig options `--enableshadow` and `--passalgo=sha512` were often used "
"to make sure that passwords are stored in `/etc/shadow` using `sha512` "
-"algorithm. *The authselect profiles now use the yescrypt hashing method* and "
+"algorithm. *The authselect profiles now use the sha512 hashing method* and "
"it cannot be changed through an option (only by creating a custom profile). "
"You can just omit these options."
msgstr ""
diff --git a/src/man/po/authselect-migration.7.adoc.it.po b/src/man/po/authselect-migration.7.adoc.it.po
index f28d362..d09af60 100644
--- a/src/man/po/authselect-migration.7.adoc.it.po
+++ b/src/man/po/authselect-migration.7.adoc.it.po
@@ -189,7 +189,7 @@ msgstr ""
msgid ""
"Authconfig options `--enableshadow` and `--passalgo=sha512` were often used "
"to make sure that passwords are stored in `/etc/shadow` using `sha512` "
-"algorithm. *The authselect profiles now use the yescrypt hashing method* and "
+"algorithm. *The authselect profiles now use the sha512 hashing method* and "
"it cannot be changed through an option (only by creating a custom profile). "
"You can just omit these options."
msgstr ""
diff --git a/src/man/po/authselect-migration.7.adoc.ja.po b/src/man/po/authselect-migration.7.adoc.ja.po
index 782e094..a8da7e2 100644
--- a/src/man/po/authselect-migration.7.adoc.ja.po
+++ b/src/man/po/authselect-migration.7.adoc.ja.po
@@ -246,13 +246,13 @@ msgstr ""
msgid ""
"Authconfig options `--enableshadow` and `--passalgo=sha512` were often used "
"to make sure that passwords are stored in `/etc/shadow` using `sha512` "
-"algorithm. *The authselect profiles now use the yescrypt hashing method* and "
+"algorithm. *The authselect profiles now use the sha512 hashing method* and "
"it cannot be changed through an option (only by creating a custom profile). "
"You can just omit these options."
msgstr ""
"Authconfig オプション `--enableshadow`と` --passalgo = sha512`は、パスワード"
"が `sha512`アルゴリズムを使用して` / etc / shadow`に確実に保存されるようにす"
-"るためによく使用されていました。 * authselect プロファイルはyescryptハッシュ"
+"るためによく使用されていました。 * authselect プロファイルはsha512ハッシュ"
"メソッドを使用するようになりました*。オプションを使用して変更することはできま"
"せん(カスタムプロファイルを作成する場合のみ)。 これらのオプションは省略でき"
"ます。"
diff --git a/src/man/po/authselect-migration.7.adoc.ko.po b/src/man/po/authselect-migration.7.adoc.ko.po
index 9704e0b..338bc33 100644
--- a/src/man/po/authselect-migration.7.adoc.ko.po
+++ b/src/man/po/authselect-migration.7.adoc.ko.po
@@ -249,13 +249,13 @@ msgstr ""
msgid ""
"Authconfig options `--enableshadow` and `--passalgo=sha512` were often used "
"to make sure that passwords are stored in `/etc/shadow` using `sha512` "
-"algorithm. *The authselect profiles now use the yescrypt hashing method* and "
+"algorithm. *The authselect profiles now use the sha512 hashing method* and "
"it cannot be changed through an option (only by creating a custom profile). "
"You can just omit these options."
msgstr ""
"Authconfig 선택 `--enableshadow`와 `--passalgo=sah512`는 비밀번호는 `sha512` "
"알고리즘을 사용하여 `/etc/shadow`에서 저장되어지도록 자주 사용되곤 합니다. "
-"*authselect 프로파일은 이제 yescrypt 해쉬 방법을 사용합니다* 그리고 이는 선택"
+"*authselect 프로파일은 이제 sha512 해쉬 방법을 사용합니다* 그리고 이는 선택"
"(사용자 정의 프로파일 생성에서만)을 통해 변경 될 수 없습니다. 당신은 다만 이"
"들 옵션을 생략 할 수 있습니다."
diff --git a/src/man/po/authselect-migration.7.adoc.nl.po b/src/man/po/authselect-migration.7.adoc.nl.po
index 15573ef..b587fa4 100644
--- a/src/man/po/authselect-migration.7.adoc.nl.po
+++ b/src/man/po/authselect-migration.7.adoc.nl.po
@@ -257,14 +257,14 @@ msgstr ""
msgid ""
"Authconfig options `--enableshadow` and `--passalgo=sha512` were often used "
"to make sure that passwords are stored in `/etc/shadow` using `sha512` "
-"algorithm. *The authselect profiles now use the yescrypt hashing method* and "
+"algorithm. *The authselect profiles now use the sha512 hashing method* and "
"it cannot be changed through an option (only by creating a custom profile). "
"You can just omit these options."
msgstr ""
"De authconfig-opties '--enableshadow' and '--passalgo=sha512' werden vaak "
"gebruikt om te verzekeren dat wachtwoorden worden opgeslagen in /etc/shadow "
"met gebruik van het sha512-algoritme. *De authselect-profielen gebruiken "
-"thans hashing met yescrypt.* Dit kan niet met een optie worden gewijzigd, "
+"thans hashing met sha512.* Dit kan niet met een optie worden gewijzigd, "
"maar alleen door een eigen profiel aan te maken. U kunt de voornoemde opties "
"gewoon weglaten."
diff --git a/src/man/po/authselect-migration.7.adoc.pl.po b/src/man/po/authselect-migration.7.adoc.pl.po
index e0e629a..d229fb7 100644
--- a/src/man/po/authselect-migration.7.adoc.pl.po
+++ b/src/man/po/authselect-migration.7.adoc.pl.po
@@ -191,7 +191,7 @@ msgstr ""
msgid ""
"Authconfig options `--enableshadow` and `--passalgo=sha512` were often used "
"to make sure that passwords are stored in `/etc/shadow` using `sha512` "
-"algorithm. *The authselect profiles now use the yescrypt hashing method* and "
+"algorithm. *The authselect profiles now use the sha512 hashing method* and "
"it cannot be changed through an option (only by creating a custom profile). "
"You can just omit these options."
msgstr ""
diff --git a/src/man/po/authselect-migration.7.adoc.pot b/src/man/po/authselect-migration.7.adoc.pot
index c35b730..bed9498 100644
--- a/src/man/po/authselect-migration.7.adoc.pot
+++ b/src/man/po/authselect-migration.7.adoc.pot
@@ -188,7 +188,7 @@ msgstr ""
msgid ""
"Authconfig options `--enableshadow` and `--passalgo=sha512` were often used "
"to make sure that passwords are stored in `/etc/shadow` using `sha512` "
-"algorithm. *The authselect profiles now use the yescrypt hashing method* and "
+"algorithm. *The authselect profiles now use the sha512 hashing method* and "
"it cannot be changed through an option (only by creating a custom profile). "
"You can just omit these options."
msgstr ""
diff --git a/src/man/po/authselect-migration.7.adoc.pt.po b/src/man/po/authselect-migration.7.adoc.pt.po
index 982c629..e67478b 100644
--- a/src/man/po/authselect-migration.7.adoc.pt.po
+++ b/src/man/po/authselect-migration.7.adoc.pt.po
@@ -192,7 +192,7 @@ msgstr ""
msgid ""
"Authconfig options `--enableshadow` and `--passalgo=sha512` were often used "
"to make sure that passwords are stored in `/etc/shadow` using `sha512` "
-"algorithm. *The authselect profiles now use the yescrypt hashing method* and "
+"algorithm. *The authselect profiles now use the sha512 hashing method* and "
"it cannot be changed through an option (only by creating a custom profile). "
"You can just omit these options."
msgstr ""
diff --git a/src/man/po/authselect-migration.7.adoc.pt_BR.po b/src/man/po/authselect-migration.7.adoc.pt_BR.po
index 51584e7..a63b8fb 100644
--- a/src/man/po/authselect-migration.7.adoc.pt_BR.po
+++ b/src/man/po/authselect-migration.7.adoc.pt_BR.po
@@ -198,7 +198,7 @@ msgstr ""
msgid ""
"Authconfig options `--enableshadow` and `--passalgo=sha512` were often used "
"to make sure that passwords are stored in `/etc/shadow` using `sha512` "
-"algorithm. *The authselect profiles now use the yescrypt hashing method* and "
+"algorithm. *The authselect profiles now use the sha512 hashing method* and "
"it cannot be changed through an option (only by creating a custom profile). "
"You can just omit these options."
msgstr ""
diff --git a/src/man/po/authselect-migration.7.adoc.ru.po b/src/man/po/authselect-migration.7.adoc.ru.po
index 469f463..fd0eb1a 100644
--- a/src/man/po/authselect-migration.7.adoc.ru.po
+++ b/src/man/po/authselect-migration.7.adoc.ru.po
@@ -256,14 +256,14 @@ msgstr ""
msgid ""
"Authconfig options `--enableshadow` and `--passalgo=sha512` were often used "
"to make sure that passwords are stored in `/etc/shadow` using `sha512` "
-"algorithm. *The authselect profiles now use the yescrypt hashing method* and "
+"algorithm. *The authselect profiles now use the sha512 hashing method* and "
"it cannot be changed through an option (only by creating a custom profile). "
"You can just omit these options."
msgstr ""
"Параметры Authconfig `--enableshadow` и`--passalgo=sha512` часто "
"использовались, чтобы гарантировать хранение паролей в `/ etc / shadow` с "
"использованием алгоритма`sha512`. *Профили authselect теперь используют "
-"метод хеширования yescrypt*, и его нельзя изменить с помощью параметра "
+"метод хеширования sha512*, и его нельзя изменить с помощью параметра "
"(только путем создания пользовательского профиля). Вы можете просто опустить "
"эти параметры."
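Review bot: The Russian msgstr touched by this hunk still carries broken inline markup on its context lines: the path is written `/ etc / shadow` with spaces inside it, and the backticks in "и`--passalgo=sha512`" and "алгоритма`sha512`" are glued to the preceding word. Since the entry is being edited anyway, normalise it to `/etc/shadow` and put a space before each opening backtick so the man page shows the same literals as the msgid.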
diff --git a/src/man/po/authselect-migration.7.adoc.si.po b/src/man/po/authselect-migration.7.adoc.si.po
index 0dbdb2c..5f88382 100644
--- a/src/man/po/authselect-migration.7.adoc.si.po
+++ b/src/man/po/authselect-migration.7.adoc.si.po
@@ -188,7 +188,7 @@ msgstr ""
msgid ""
"Authconfig options `--enableshadow` and `--passalgo=sha512` were often used "
"to make sure that passwords are stored in `/etc/shadow` using `sha512` "
-"algorithm. *The authselect profiles now use the yescrypt hashing method* and "
+"algorithm. *The authselect profiles now use the sha512 hashing method* and "
"it cannot be changed through an option (only by creating a custom profile). "
"You can just omit these options."
msgstr ""
diff --git a/src/man/po/authselect-migration.7.adoc.sv.po b/src/man/po/authselect-migration.7.adoc.sv.po
index b3087ea..397e901 100644
--- a/src/man/po/authselect-migration.7.adoc.sv.po
+++ b/src/man/po/authselect-migration.7.adoc.sv.po
@@ -253,13 +253,13 @@ msgstr ""
msgid ""
"Authconfig options `--enableshadow` and `--passalgo=sha512` were often used "
"to make sure that passwords are stored in `/etc/shadow` using `sha512` "
-"algorithm. *The authselect profiles now use the yescrypt hashing method* and "
+"algorithm. *The authselect profiles now use the sha512 hashing method* and "
"it cannot be changed through an option (only by creating a custom profile). "
"You can just omit these options."
msgstr ""
"Authconfig-flaggorna ”--enableshadow” och ”--passalgo=sha512” användes ofta "
"för att säkerställa att lösenord lagras i ”/etc/shadow” med algoritmen "
-"”sha512”. *Authselect-profilerna använder nu hashningsmetoden yescrypt* och "
+"”sha512”. *Authselect-profilerna använder nu hashningsmetoden sha512* och "
"det kan inte ändras genom någon flagga (endast genom att skapa en anpassad "
"profil). Du kan helt enkelt utelämna dessa flaggor."
diff --git a/src/man/po/authselect-migration.7.adoc.tr.po b/src/man/po/authselect-migration.7.adoc.tr.po
index 35e5d5c..157f7d2 100644
--- a/src/man/po/authselect-migration.7.adoc.tr.po
+++ b/src/man/po/authselect-migration.7.adoc.tr.po
@@ -258,13 +258,13 @@ msgstr ""
msgid ""
"Authconfig options `--enableshadow` and `--passalgo=sha512` were often used "
"to make sure that passwords are stored in `/etc/shadow` using `sha512` "
-"algorithm. *The authselect profiles now use the yescrypt hashing method* and "
+"algorithm. *The authselect profiles now use the sha512 hashing method* and "
"it cannot be changed through an option (only by creating a custom profile). "
"You can just omit these options."
msgstr ""
"`--enableshadow` ve `--passalgo=sha512` authconfig seçenekleri, parolaların "
"`/etc/shadow` dosyasında `sha512` algoritması kullanılarak saklandığından "
-"emin olmak için sıklıkla kullanılırdı. *Authselect profilleri artık yescrypt "
+"emin olmak için sıklıkla kullanılırdı. *Authselect profilleri artık sha512 "
"şifreleme yöntemini kullanıyor* ve bir seçenek aracılığıyla değiştirilemez "
"(yalnızca özel bir profil oluşturarak değiştirilebilir). Bu seçenekleri "
"yalnızca atlayabilirsiniz."
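Review bot: The Turkish msgstr in this hunk translates "hashing method" as "şifreleme yöntemini", which reads as "encryption method", while the msgid and the other translated entries on this page speak of hashing. The hunk already rewrites the sentence to swap yescrypt for sha512, so this is the place to use a term for hashing (for example "özetleme yöntemini") and keep the statement about how passwords are stored accurate.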
diff --git a/src/man/po/authselect-migration.7.adoc.uk.po b/src/man/po/authselect-migration.7.adoc.uk.po
index 5a1b8a3..98d9841 100644
--- a/src/man/po/authselect-migration.7.adoc.uk.po
+++ b/src/man/po/authselect-migration.7.adoc.uk.po
@@ -257,14 +257,14 @@ msgstr ""
msgid ""
"Authconfig options `--enableshadow` and `--passalgo=sha512` were often used "
"to make sure that passwords are stored in `/etc/shadow` using `sha512` "
-"algorithm. *The authselect profiles now use the yescrypt hashing method* and "
+"algorithm. *The authselect profiles now use the sha512 hashing method* and "
"it cannot be changed through an option (only by creating a custom profile). "
"You can just omit these options."
msgstr ""
"Параметри authconfig `--enableshadow` і `--passalgo=sha512`часто "
"використовували для забезпечення зберігання паролів у `/etc/shadow` з "
"використанням алгоритму `sha512`. *У поточних версіях профілів authselect "
-"використано метод хешування yescrypt*, його не можна змінити якимось "
+"використано метод хешування sha512*, його не можна змінити якимось "
"параметром (лише за допомогою нетипового профілю). Ви можете просто не "
"використовувати ці параметри."
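Review bot: In the Ukrainian msgstr, "`--passalgo=sha512`часто" has no space between the closing backtick and the next word, unlike the msgid. Add the space while the entry is being edited so the option name stays a separate literal.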
diff --git a/src/man/po/authselect-migration.7.adoc.zh_CN.po b/src/man/po/authselect-migration.7.adoc.zh_CN.po
index 6f5e562..2b95ca4 100644
--- a/src/man/po/authselect-migration.7.adoc.zh_CN.po
+++ b/src/man/po/authselect-migration.7.adoc.zh_CN.po
@@ -190,7 +190,7 @@ msgstr ""
msgid ""
"Authconfig options `--enableshadow` and `--passalgo=sha512` were often used "
"to make sure that passwords are stored in `/etc/shadow` using `sha512` "
-"algorithm. *The authselect profiles now use the yescrypt hashing method* and "
+"algorithm. *The authselect profiles now use the sha512 hashing method* and "
"it cannot be changed through an option (only by creating a custom profile). "
"You can just omit these options."
msgstr ""
diff --git a/src/man/po/authselect-migration.7.adoc.zh_TW.po b/src/man/po/authselect-migration.7.adoc.zh_TW.po
index 43ab062..e7112be 100644
--- a/src/man/po/authselect-migration.7.adoc.zh_TW.po
+++ b/src/man/po/authselect-migration.7.adoc.zh_TW.po
@@ -189,7 +189,7 @@ msgstr ""
msgid ""
"Authconfig options `--enableshadow` and `--passalgo=sha512` were often used "
"to make sure that passwords are stored in `/etc/shadow` using `sha512` "
-"algorithm. *The authselect profiles now use the yescrypt hashing method* and "
+"algorithm. *The authselect profiles now use the sha512 hashing method* and "
"it cannot be changed through an option (only by creating a custom profile). "
"You can just omit these options."
msgstr ""
--
2.40.1

@ -2,46 +2,26 @@
%define _empty_manifest_terminate_build 0
Name: authselect
Version: 1.5.0
Release: 6%{?dist}
Version: 1.2.6
Release: 2%{?dist}
Summary: Configures authentication and identity sources from supported profiles
URL: https://github.com/authselect/authselect
License: GPL-3.0-or-later
License: GPLv3+
Source0: %{url}/archive/%{version}/%{name}-%{version}.tar.gz
%global makedir %{_builddir}/%{name}-%{version}
Patch0001: 0001-po-update-translations.patch
Patch0002: 0002-profiles-do-not-try-to-change-password-via-sssd-for-.patch
Patch0003: 0003-po-update-translations.patch
### Downstream Patches ###
Patch0901: 0901-rhel9-remove-mention-of-Fedora-Change-page-in-compat.patch
Patch0902: 0902-rhel9-remove-ecryptfs-support.patch
Patch0903: 0903-rhel9-Revert-profiles-add-support-for-resolved.patch
Patch0904: 0904-rhel9-remove-nis-support.patch
Patch0905: 0905-rhel9-Revert-yescrypt.patch
# Disable NIS profile on RHEL
%if 0%{?rhel}
%global with_nis_profile 0
%else
%global with_nis_profile 1
%endif
# Set the default profile
%{?fedora:%global default_profile local with-silent-lastlog}
%{?rhel:%global default_profile local}
# Patches
Patch0001: 0001-sssd-reintroduce-with-files-access-provider.patch
Patch0002: 0002-spec-modify-specfile-for-Fedora-40-and-RHEL-10-as-mi.patch
Patch0003: 0003-po-update-translations.patch
Patch0004: 0004-nis-install-nis-profile-conditionally.patch
Patch0005: 0005-configure-drop-user-nsswitch.conf-support.patch
Patch0006: 0006-configure-drop-authconfig-compat-tool.patch
Patch0007: 0007-ci-remove-python-checks.patch
Patch0008: 0008-pot-update-pot-files.patch
Patch0009: 0009-profiles-merge-groups-records-with-SUCCESS-merge.patch
Patch0010: 0010-spec-use-altfiles-with-success-merge-on-ostree-syste.patch
Patch0011: 0011-profiles-put-myhostname-before-dns.patch
# RHEL-only patches
%if 0%{?rhel}
Patch0901: 0901-rhel10-remove-systemd-homed.patch
Patch0902: 0902-rhel10-remove-ecryptfs-support.patch
Patch0903: 0903-rhel10-remove-systemd-resolved.patch
%endif
%global makedir %{_builddir}/%{name}-%{version}
BuildRequires: autoconf
BuildRequires: automake
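Review bot: `Patch0905: 0905-rhel9-Revert-yescrypt.patch` changes the password hashing method the profiles use, yet the "Downstream Patches" list gives no reason or bug reference next to it. The 1.2.6-1 changelog entry further down cites RHBZ #2151145 for the switch from yescrypt back to sha512; repeat that reference in a comment above the Patch line so the change is traceable from the patch list itself.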
@ -56,15 +36,13 @@ BuildRequires: po4a
BuildRequires: %{_bindir}/a2x
BuildRequires: libcmocka-devel >= 1.0.0
BuildRequires: libselinux-devel
BuildRequires: python3-devel
Requires: authselect-libs%{?_isa} = %{version}-%{release}
Suggests: sssd
Suggests: samba-winbind
Suggests: fprintd-pam
Suggests: oddjob-mkhomedir
# Properly obsolete removed authselect-compat package.
Obsoletes: authselect-compat < 1.3
%description
Authselect is designed to be a replacement for authconfig but it takes
a different approach to configure the system. Instead of letting
@ -78,13 +56,35 @@ supported by authselect.
Summary: Utility library used by the authselect tool
# Required by scriptlets
Requires: coreutils
Requires: findutils
Requires: gawk
Requires: grep
Requires: sed
Suggests: systemd
Requires: systemd
Requires: pam >= 1.3.1-23
%description libs
Common library files for authselect. This package is used by the authselect
command line tool and any other potential front-ends.
%package compat
Summary: Tool to provide minimum backwards compatibility with authconfig
Obsoletes: authconfig < 7.0.1-6
Provides: authconfig
Requires: authselect%{?_isa} = %{version}-%{release}
Recommends: oddjob-mkhomedir
Suggests: sssd
Suggests: realmd
Suggests: samba-winbind
# Required by scriptlets
Requires: sed
%description compat
This package will replace %{_sbindir}/authconfig with a tool that will
translate some of the authconfig calls into authselect calls. It provides
only minimum backward compatibility and users are encouraged to migrate
to authselect completely.
%package devel
Summary: Development libraries and headers for authselect
Requires: authselect-libs%{?_isa} = %{version}-%{release}
@ -93,21 +93,13 @@ Requires: authselect-libs%{?_isa} = %{version}-%{release}
System header files and development libraries for authselect. Useful if
you develop a front-end for the authselect library.
%prep
%setup -q
for p in %patches ; do
%__patch -p1 -i $p
done
%prep
%autosetup -p1
%build
autoreconf -if
%configure \
%if %{with_nis_profile}
--with-nis-profile \
%endif
%{nil}
%configure --with-pythonbin="%{__python3}" --with-compat
%make_build
%check
@ -143,30 +135,34 @@ find $RPM_BUILD_ROOT -name "*.a" -exec %__rm -f {} \;
%ghost %attr(0644,root,root) %{_sysconfdir}/authselect/postlogin
%ghost %attr(0644,root,root) %{_sysconfdir}/authselect/smartcard-auth
%ghost %attr(0644,root,root) %{_sysconfdir}/authselect/system-auth
%ghost %attr(0644,root,root) %{_sysconfdir}/nsswitch.conf
%ghost %attr(0644,root,root) %{_sysconfdir}/pam.d/fingerprint-auth
%ghost %attr(0644,root,root) %{_sysconfdir}/pam.d/password-auth
%ghost %attr(0644,root,root) %{_sysconfdir}/pam.d/postlogin
%ghost %attr(0644,root,root) %{_sysconfdir}/pam.d/smartcard-auth
%ghost %attr(0644,root,root) %{_sysconfdir}/pam.d/system-auth
%ghost %attr(0644,root,root) %{_sysconfdir}/authselect/user-nsswitch.conf
%dir %{_localstatedir}/lib/authselect
%ghost %attr(0755,root,root) %{_localstatedir}/lib/authselect/backups/
%ghost %attr(0644,root,root) %{_localstatedir}/lib/authselect/dconf-db
%ghost %attr(0644,root,root) %{_localstatedir}/lib/authselect/dconf-locks
%ghost %attr(0644,root,root) %{_localstatedir}/lib/authselect/fingerprint-auth
%ghost %attr(0644,root,root) %{_localstatedir}/lib/authselect/nsswitch.conf
%ghost %attr(0644,root,root) %{_localstatedir}/lib/authselect/password-auth
%ghost %attr(0644,root,root) %{_localstatedir}/lib/authselect/postlogin
%ghost %attr(0644,root,root) %{_localstatedir}/lib/authselect/smartcard-auth
%ghost %attr(0644,root,root) %{_localstatedir}/lib/authselect/system-auth
%ghost %attr(0644,root,root) %{_localstatedir}/lib/authselect/user-nsswitch-created
%dir %{_datadir}/authselect
%dir %{_datadir}/authselect/vendor
%dir %{_datadir}/authselect/default
%dir %{_datadir}/authselect/default/local/
%dir %{_datadir}/authselect/default/minimal/
%dir %{_datadir}/authselect/default/sssd/
%dir %{_datadir}/authselect/default/winbind/
%{_datadir}/authselect/default/local/dconf-db
%{_datadir}/authselect/default/local/dconf-locks
%{_datadir}/authselect/default/local/fingerprint-auth
%{_datadir}/authselect/default/local/nsswitch.conf
%{_datadir}/authselect/default/local/password-auth
%{_datadir}/authselect/default/local/postlogin
%{_datadir}/authselect/default/local/README
%{_datadir}/authselect/default/local/REQUIREMENTS
%{_datadir}/authselect/default/local/smartcard-auth
%{_datadir}/authselect/default/local/system-auth
%{_datadir}/authselect/default/minimal/dconf-db
%{_datadir}/authselect/default/minimal/dconf-locks
%{_datadir}/authselect/default/minimal/fingerprint-auth
%{_datadir}/authselect/default/minimal/nsswitch.conf
%{_datadir}/authselect/default/minimal/password-auth
%{_datadir}/authselect/default/minimal/postlogin
%{_datadir}/authselect/default/minimal/README
%{_datadir}/authselect/default/minimal/REQUIREMENTS
%{_datadir}/authselect/default/minimal/smartcard-auth
%{_datadir}/authselect/default/minimal/system-auth
%{_datadir}/authselect/default/sssd/dconf-db
%{_datadir}/authselect/default/sssd/dconf-locks
%{_datadir}/authselect/default/sssd/fingerprint-auth
@ -187,19 +183,6 @@ find $RPM_BUILD_ROOT -name "*.a" -exec %__rm -f {} \;
%{_datadir}/authselect/default/winbind/REQUIREMENTS
%{_datadir}/authselect/default/winbind/smartcard-auth
%{_datadir}/authselect/default/winbind/system-auth
%if %{with_nis_profile}
%dir %{_datadir}/authselect/default/nis/
%{_datadir}/authselect/default/nis/dconf-db
%{_datadir}/authselect/default/nis/dconf-locks
%{_datadir}/authselect/default/nis/fingerprint-auth
%{_datadir}/authselect/default/nis/nsswitch.conf
%{_datadir}/authselect/default/nis/password-auth
%{_datadir}/authselect/default/nis/postlogin
%{_datadir}/authselect/default/nis/README
%{_datadir}/authselect/default/nis/REQUIREMENTS
%{_datadir}/authselect/default/nis/smartcard-auth
%{_datadir}/authselect/default/nis/system-auth
%endif
%{_libdir}/libauthselect.so.*
%{_mandir}/man5/authselect-profiles.5*
%{_datadir}/doc/authselect/COPYING
@ -207,6 +190,10 @@ find $RPM_BUILD_ROOT -name "*.a" -exec %__rm -f {} \;
%license COPYING
%doc README.md
%files compat
%{_sbindir}/authconfig
%{python3_sitelib}/authselect/
%files devel
%{_includedir}/authselect.h
%{_libdir}/libauthselect.so
@ -218,150 +205,148 @@ find $RPM_BUILD_ROOT -name "*.a" -exec %__rm -f {} \;
%{_mandir}/man7/authselect-migration.7*
%{_sysconfdir}/bash_completion.d/authselect-completion.sh
%global validfile %{_localstatedir}/lib/rpm-state/%{name}.config-valid
%preun
if [ $1 == 0 ] ; then
# Remove authselect symbolic links so all authselect files can be
# deleted safely. If this fail, the uninstallation must fail to avoid
# breaking the system by removing PAM files. However, the command can
# only fail if it can not write to the file system.
%{_bindir}/authselect opt-out
%{_bindir}/authselect uninstall
fi
%pre libs
%__rm -f %{validfile}
if [ $1 -gt 1 ] ; then
# Remember if the current configuration is valid
%{_bindir}/authselect check &> /dev/null
if [ $? -eq 0 ]; then
touch %{validfile}
fi
fi
exit 0
%posttrans libs
# Copy nsswitch.conf to user-nsswitch.conf if it was not yet created
if [ ! -f %{_localstatedir}/lib/authselect/user-nsswitch-created ]; then
%__cp -n %{_sysconfdir}/nsswitch.conf %{_sysconfdir}/authselect/user-nsswitch.conf &> /dev/null
touch %{_localstatedir}/lib/authselect/user-nsswitch-created &> /dev/null
# If we are upgrading from older version, we want to remove these comments.
%__sed -i '/^# Generated by authselect on .*$/{$!{
N;N # Read also next two lines
/# Generated by authselect on .*\n# Do not modify this file manually.\n/d
}}' %{_sysconfdir}/authselect/user-nsswitch.conf &> /dev/null
fi
# If the configuration is valid and we are upgrading from older version
# we need to create these files since they were added in 1.0.
if [ -f %{validfile} ]; then
FILES="nsswitch.conf system-auth password-auth fingerprint-auth \
smartcard-auth postlogin dconf-db dconf-locks"
for FILE in $FILES ; do
%__cp -n %{_sysconfdir}/authselect/$FILE \
%{_localstatedir}/lib/authselect/$FILE &> /dev/null
done
%__rm -f %{validfile}
fi
# Keep nss-altfiles for all rpm-ostree based systems.
# See https://github.com/authselect/authselect/issues/48
if test -e /run/ostree-booted; then
for PROFILE in `ls %{_datadir}/authselect/default`; do
%{_bindir}/authselect create-profile $PROFILE --vendor --base-on $PROFILE --symlink-pam --symlink-dconf --symlink=REQUIREMENTS --symlink=README &> /dev/null
%__sed -i -e 's/{if "with-altfiles":\([^}]\+\)}/\1/g' %{_datadir}/authselect/vendor/$PROFILE/nsswitch.conf &> /dev/null
%__sed -ie "s/^\(passwd\|group\):\(.*\)systemd\(.*\)/\1:\2systemd altfiles\3/g" %{_datadir}/authselect/vendor/$PROFILE/nsswitch.conf &> /dev/null
done
fi
# If this is a new installation select the default configuration.
if [ $1 == 1 ] ; then
%{_bindir}/authselect select %{default_profile} --force --nobackup &> /dev/null
exit 0
fi
# Apply any changes to profiles (validates configuration first internally)
%{_bindir}/authselect apply-changes &> /dev/null
# Minimal profile was removed. Switch to local during upgrade.
%__sed -i '1 s/^minimal$/local/' %{_sysconfdir}/authselect/authselect.conf
for file in %{_sysconfdir}/authselect/custom/*/*; do
link=`%{_bindir}/readlink "$file"`
if [[ "$link" == %{_datadir}/authselect/default/minimal/* ]]; then
target=`%{_bindir}/basename "$link"`
%{_bindir}/ln -sfn "%{_datadir}/authselect/default/local/$target" "$file"
# Enable with-sudo feature if sssd-sudo responder is enabled. RHBZ#1582111
CURRENT=`%{_bindir}/authselect current --raw 2> /dev/null`
if [ $? -eq 0 ]; then
PROFILE=`echo $CURRENT | %__awk '{print $1;}'`
if [ $PROFILE == "sssd" ] ; then
if %__grep -E "services[[:blank:]]*=[[:blank:]]*.*sudo" /etc/sssd/sssd.conf &> /dev/null ; then
%{_bindir}/authselect enable-feature with-sudo &> /dev/null
elif systemctl is-active sssd-sudo.service sssd-sudo.socket --quiet || systemctl is-enabled sssd-sudo.socket --quiet ; then
%{_bindir}/authselect enable-feature with-sudo &> /dev/null
fi
fi
done
fi
# Apply any changes to profiles (validates configuration first internally)
%{_bindir}/authselect apply-changes &> /dev/null
exit 0
%posttrans compat
# Fix for RHBZ#1618865
# Remove invalid lines from pwquality.conf generated by authconfig compat tool
# - previous version could write some options without value, which is invalid
# - we delete all options without value from existing file
%__sed -i -E '/^\w+=$/d' %{_sysconfdir}/security/pwquality.conf.d/10-authconfig-pwquality.conf &> /dev/null
exit 0
%changelog
* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 1.5.0-6
- Bump release for June 2024 mass rebuild
* Tue Feb 27 2024 Jonathan Lebon <jonathan@jlebon.com> - 1.5.0-5
- Fix altfiles rendering on OSTree variants
* Fri Feb 23 2024 Pavel Březina <pbrezina@redhat.com> - 1.5.0-4
- Add back with-files-access-provider
- Remove outdated scriptlets
- Group merging added to nsswitch.conf group in all profiles
- myhostname is put right before dns module in nsswitch.conf hosts (rhbz#2257197)
- Internal packaging changes
* Mon Jan 22 2024 Fedora Release Engineering <releng@fedoraproject.org> - 1.5.0-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Fri Jan 19 2024 Fedora Release Engineering <releng@fedoraproject.org> - 1.5.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Thu Jan 18 2024 Pavel Březina <pbrezina@redhat.com> - 1.5.0-1
- Rebase to 1.5.0
- "minimal" profile was removed and replaced with "local". (rhbz#2253180)
- "local" profile is now default (rhbz#2253180)
* Wed Sep 27 2023 Pavel Březina <pbrezina@redhat.com> - 1.4.3-1
- Rebase to 1.4.3
* Wed Jul 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.2-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
* Wed Jan 18 2023 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.2-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
* Thu Aug 3 2023 Pavel Březina <pbrezina@redhat.com> - 1.2.6-2
- Fix Japanese translations (RHBZ #2153364)
- Update translations (RHBZ #2189498)
- Do not prompt for password twice when changing password of local user (RHBZ #2228098)
* Mon Dec 5 2022 Pavel Březina <pbrezina@redhat.com> - 1.4.2-1
- Rebase to 1.4.2
* Thu Dec 1 2022 Pavel Březina <pbrezina@redhat.com> - 1.2.6-1
- Rebase to 1.2.6 (RHBZ #2142805)
- update translations (RHBZ #2139642)
- Change password hashing algorithm from yescrypt back to sha512 (RHBZ #2151145)
* Thu Dec 1 2022 Pavel Březina <pbrezina@redhat.com> - 1.4.1-1
- Rebase to 1.4.1
* Thu May 5 2022 Pavel Březina <pbrezina@redhat.com> - 1.2.5-1
- Rebase to 1.2.5 (RHBZ #2080239)
- backup-restore now works correctly (RHBZ #2070541)
- add with-subid to sssd profile (RHBZ #2075192)
- add with-gssapi to sssd profile (RHBZ #2077893)
* Wed Jul 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.0-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
* Thu Aug 26 2021 Pavel Březina <pbrezina@redhat.com> - 1.2.3-7
- Avoid freeing uninitialized variable in authselect_apply_changes (rhbz#1970871)
* Fri Jul 8 2022 Pavel Březina <pbrezina@redhat.com> - 1.4.0-2
- Fix issues with popt-1.19
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 1.2.3-6
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
* Thu May 5 2022 Pavel Březina <pbrezina@redhat.com> - 1.4.0-1
- Rebase to 1.3.0
* Wed Jun 9 2021 Pavel Březina <pbrezina@redhat.com> - 1.2.3-5
- Remove nis support (rhbz#1968396)
* Thu Feb 10 2022 Pavel Březina <pbrezina@redhat.com> - 1.3.0-10
- Fix mdns support (#2052269)
* Wed Jun 9 2021 Pavel Březina <pbrezina@redhat.com> - 1.2.3-4
- Remove nis support (rhbz#1968396)
* Thu Feb 3 2022 Pavel Březina <pbrezina@redhat.com> - 1.3.0-9
- Make authselect compatible with ostree (#2034360)
- Authselect now requires explicit opt-out if users don't want to use it (#2051545)
* Tue Jun 1 2021 Pavel Březina <pbrezina@redhat.com> - 1.2.3-3
- Remove systemd-resolved support (rhbz#1966484)
* Wed Jan 19 2022 Fedora Release Engineering <releng@fedoraproject.org> - 1.3.0-8
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
* Thu Jan 13 2022 Pavel Březina <pbrezina@redhat.com> - 1.3.0-7
- Remove unnecessary dependencies (#2039869)
* Thu Jan 13 2022 Pavel Březina <pbrezina@redhat.com> - 1.3.0-6
- Fix detection of ostree system (#2034360)
* Tue Dec 28 2021 Frantisek Zatloukal <fzatlouk@redhat.com> - 1.3.0-5
- Try to use io.open() in pre scriptlet instead of rpm.open() (rpm >= 4.17.0)
* Tue Dec 21 2021 Frantisek Zatloukal <fzatlouk@redhat.com> - 1.3.0-4
- Use lua for pre scriptlets to reduce dependencies
* Fri Dec 10 2021 Pavel Březina <pbrezina@redhat.com> - 1.3.0-3
- Update conflicting versions of glibc and pam
* Mon Dec 6 2021 Pavel Březina <pbrezina@redhat.com> - 1.3.0-1
- Rebase to 1.3.0
- Authselect configuration is now enforced (#2000936)
* Sat Aug 14 2021 Björn Esser <besser82@fedoraproject.org> - 1.2.4-2
- Add proper Obsoletes for removed authselect-compat package
Fixes: rhbz#1993189
* Mon Aug 9 2021 Pavel Březina <pbrezina@redhat.com> - 1.2.4-1
- Rebase to 1.2.4
* Wed Jul 21 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.3-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
* Mon Jun 21 2021 Björn Esser <besser82@fedoraproject.org> - 1.2.3-3
- Backport support for yescrypt hash method
* Fri Jun 04 2021 Python Maint <python-maint@redhat.com> - 1.2.3-2
- Rebuilt for Python 3.10
* Thu Apr 15 2021 Mohan Boddu <mboddu@redhat.com> - 1.2.3-2
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
* Wed Mar 31 2021 Pavel Březina <pbrezina@redhat.com> - 1.2.3-1
- Rebase to 1.2.3
* Tue Mar 09 2021 Benjamin Berg <bberg@redhat.com> - 1.2.2-4
* Mon Mar 29 2021 Benjamin Berg <bberg@redhat.com> - 1.2.2-7
- Fix fingerprint-auth success result
The previous patch had an issue breaking fingerprint login
* Tue Mar 09 2021 Benjamin Berg <bberg@redhat.com> - 1.2.2-6
- Add patch to make fingerprint-auth return non-failing pam_fprintd.so errors
Resolves: #1935331
* Thu Mar 4 2021 Pavel Březina <pbrezina@redhat.com> - 1.2.2-3
* Thu Mar 4 2021 Pavel Březina <pbrezina@redhat.com> - 1.2.2-5
- minimal: add dconf settings to explicitly disable fingerprint and smartcard authentication
* Wed Feb 24 2021 Pavel Březina <pbrezina@redhat.com> - 1.2.2-4
- Prepare authselect for RHEL-9, add downstream-only patches that will be synced
* Fri Feb 19 2021 Pavel Březina <pbrezina@redhat.com> - 1.2.2-3
- Add RHEL9 only patch
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.2-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
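Review bot: In the ostree block of `%posttrans libs`, the second sed call is written `%__sed -ie "s/^\(passwd\|group\):..."`; GNU sed reads `-ie` as `-i` with the backup suffix `e`, so every vendor profile directory is left with a stray `nsswitch.confe` copy. Write it as `-i -e`, as the sed call on the line above does. In the same scriptlet section, `if [ $PROFILE == "sssd" ]` should quote `$PROFILE` so that an empty value does not break the test, and the loop over `ls %{_datadir}/authselect/default` is better written as a glob.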
