packages: pam-pam_ssh/pam-pam_ssh.spec (NEW), pam-pam_ssh/var_run.patch (NE...

glen glen at pld-linux.org
Sat Apr 2 21:02:58 CEST 2011


Author: glen                         Date: Sat Apr  2 19:02:58 2011 GMT
Module: packages                      Tag: HEAD
---- Log message:
- new, based on fc package

---- Files affected:
packages/pam-pam_ssh:
   pam-pam_ssh.spec (NONE -> 1.1)  (NEW), var_run.patch (NONE -> 1.1)  (NEW)

---- Diffs:

================================================================
Index: packages/pam-pam_ssh/pam-pam_ssh.spec
diff -u /dev/null packages/pam-pam_ssh/pam-pam_ssh.spec:1.1
--- /dev/null	Sat Apr  2 21:02:58 2011
+++ packages/pam-pam_ssh/pam-pam_ssh.spec	Sat Apr  2 21:02:53 2011
@@ -0,0 +1,80 @@
+# $Revision$, $Date$
+Summary:	PAM module for use with SSH keys and ssh-agent
+Name:		pam-pam_ssh
+Version:	1.97
+Release:	1
+License:	BSD
+Group:		Base
+URL:		http://sourceforge.net/projects/pam-ssh/
+Source0:	http://downloads.sourceforge.net/pam-ssh/pam_ssh-%{version}.tar.bz2
+# Source0-md5:	ef114d67b4951c88a62893437f850784
+Patch0:		var_run.patch
+BuildRequires:	libtool
+BuildRequires:	openssh-clients
+BuildRequires:	openssl-devel
+BuildRequires:	pam-devel
+Requires:	openssh-clients
+Conflicts:	selinux-policy-targeted < 3.0.8-55
+BuildRoot:	%{tmpdir}/%{name}-%{version}-root-%(id -u -n)
+
+%description
+This PAM module provides single sign-on behavior for UNIX using SSH
+keys. Users are authenticated by decrypting their SSH private keys
+with the password provided. In the first PAM login session phase, an
+ssh-agent process is started and keys are added. The same agent is
+used for the following PAM sessions. In any case the appropriate
+environment variables are set in the session phase.
+
+%prep
+%setup -q -n pam_ssh-%{version}
+%patch0 -p1
+
+cat >>pam_ssh.sym <<EOF
+pam_sm_acct_mgmt
+pam_sm_authenticate
+pam_sm_chauthtok
+pam_sm_close_session
+pam_sm_open_session
+pam_sm_setcred
+EOF
+
+%build
+%{__libtoolize}
+%{__aclocal}
+%{__autoconf}
+%{__autoheader}
+%{__automake}
+%configure \
+	--with-pam-dir=/%{_lib}/security
+
+%{__make} -j1 \
+	CPPFLAGS=-I/usr/include/security \
+	LDFLAGS="-export-symbols pam_ssh.sym"
+
+%install
+rm -rf $RPM_BUILD_ROOT
+install -d $RPM_BUILD_ROOT%{_localstatedir}/run/pam_ssh
+%{__make} install \
+	INSTALL="install -p" \
+	DESTDIR=$RPM_BUILD_ROOT
+
+%{__rm} $RPM_BUILD_ROOT/%{_lib}/security/*.la
+
+%clean
+rm -rf $RPM_BUILD_ROOT
+
+%files
+%defattr(644,root,root,755)
+%doc AUTHORS NEWS README ChangeLog TODO COPYING
+%attr(755,root,root) /%{_lib}/security/pam_ssh.so
+%{_mandir}/man8/pam_ssh.8*
+%ghost %dir %{_localstatedir}/run/pam_ssh
+
+%define date	%(echo `LC_ALL="C" date +"%a %b %d %Y"`)
+%changelog
+* %{date} PLD Team <feedback at pld-linux.org>
+All persons listed below can be reached at <cvs_login>@pld-linux.org
+
+$Log$
+Revision 1.1  2011/04/02 19:02:53  glen
+- new, based on fc package
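Review bot: `Conflicts: selinux-policy-targeted < 3.0.8-55` names a Fedora policy package; since the log message says this spec is based on the fc package, the line is presumably carried over and, if PLD ships no package of that name, it is inert — either drop it or record the reason for keeping it, e.g. `# inherited from Fedora spec; no PLD equivalent`. Separately, `cat >>pam_ssh.sym` in %prep appends rather than overwrites, so if the upstream tarball already provides a `pam_ssh.sym` the export list passed via `-export-symbols pam_ssh.sym` would pick up duplicate entries; `cat >pam_ssh.sym` is the safer choice unless appending is intended.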

================================================================
Index: packages/pam-pam_ssh/var_run.patch
diff -u /dev/null packages/pam-pam_ssh/var_run.patch:1.1
--- /dev/null	Sat Apr  2 21:02:58 2011
+++ packages/pam-pam_ssh/var_run.patch	Sat Apr  2 21:02:53 2011
@@ -0,0 +1,113 @@
+diff -Nrbu pam_ssh-1.97/pam_ssh.8 pam_ssh-1.97-OK/pam_ssh.8
+--- pam_ssh-1.97/pam_ssh.8	2008-05-12 22:57:12.000000000 +0400
++++ pam_ssh-1.97-OK/pam_ssh.8	2010-12-13 19:54:24.000000000 +0300
+@@ -148,6 +148,10 @@
+ SSH2 RSA keys
+ .It Pa $HOME/.ssh2/id_dsa_*
+ SSH2 DSA keys
++.It Pa /var/run/pam_ssh/<user>*
++ssh-agent environment information. The files are owned by the superuser but
++readable by the users. The location is Fedora specific, in the original package
++these files are in $HOME/.ssh/agent-*
+ .El
+ .Sh SEE ALSO
+ .Xr ssh-agent 1 ,
+diff -Nrbu pam_ssh-1.97/pam_ssh.c pam_ssh-1.97-OK/pam_ssh.c
+--- pam_ssh-1.97/pam_ssh.c	2008-05-12 22:57:12.000000000 +0400
++++ pam_ssh-1.97-OK/pam_ssh.c	2010-12-13 20:19:36.000000000 +0300
+@@ -114,6 +114,7 @@
+ #define PAM_OPT_NULLOK_NAME             "nullok"
+ #define SEP_KEYFILES			","
+ #define SSH_CLIENT_DIR			".ssh"
++#define STATE_DIR			"/var/run/" MODULE_NAME
+ 
+ enum {
+ #if HAVE_OPENPAM || HAVE_PAM_STRUCT_OPTIONS || !HAVE_PAM_STD_OPTION
+@@ -540,7 +541,6 @@
+ 	char env_string[BUFSIZ];	/* environment string */
+ 	char *env_value;		/* envariable value */
+ 	int env_write;			/* env file descriptor */
+-	char hname[MAXHOSTNAMELEN];	/* local hostname */
+ 	char *per_agent;		/* to store env */
+ 	char *per_session;		/* per-session filename */
+ 	const struct passwd *pwent;	/* user's passwd entry */
+@@ -583,17 +583,16 @@
+ 	 * Technique: Create an environment file containing
+ 	 * information about the agent.  Only one file is created, but
+ 	 * it may be given many names.  One name is given for the
+-	 * agent itself, agent-<host>.  Another name is given for each
+-	 * session, agent-<host>-<display> or agent-<host>-<tty>.  We
++	 * agent itself, /var/run/pam_ssh/<user>.  Another name is given
++	 * for each session, <user>-<display> or <user>-<tty>.  We
+ 	 * delete the per-session filename on session close, and when
+ 	 * the link count goes to unity on the per-agent file, we
+ 	 * delete the file and kill the agent.
+ 	 */
+ 
+-	/* the per-agent file contains just the hostname */
++	/* the per-agent file contains just the username */
+ 
+-	gethostname(hname, sizeof hname);
+-	if (asprintf(&per_agent, "%s/.ssh/agent-%s", pwent->pw_dir, hname)
++	if (asprintf(&per_agent, STATE_DIR "/%s", pwent->pw_name)
+ 	    == -1) {
+ 		pam_ssh_log(LOG_CRIT, "out of memory");
+ 		openpam_restore_cred(pamh);
+@@ -644,7 +643,12 @@
+         }
+         
+ 	if (start_agent) {
+-                if ((env_write = open(per_agent, O_CREAT | O_WRONLY, S_IRUSR | S_IWUSR)) < 0) {
++		openpam_restore_cred(pamh);
++		if (stat(STATE_DIR, &stat_buf) < 0)
++			mkdir(STATE_DIR, S_IRWXU | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH);
++                env_write = open(per_agent, O_CREAT | O_WRONLY, S_IRUSR | S_IRGRP | S_IROTH);
++		openpam_borrow_cred(pamh, pwent);
++                if (env_write < 0) {
+                         pam_ssh_log(LOG_ERR, "can't write to %s", per_agent);
+                         free(per_agent);
+                         openpam_restore_cred(pamh);
+@@ -880,7 +884,7 @@
+ 	for (cp = tty_nodir; (cp = strchr(cp, '/')); )
+ 		*cp = '_';
+ 
+-	if (asprintf(&per_session, "%s/.ssh/agent-%s-%s", pwent->pw_dir, hname,
++	if (asprintf(&per_session, STATE_DIR "/%s-%s", pwent->pw_name,
+ 	    tty_nodir) == -1) {
+ 		pam_ssh_log(LOG_CRIT, "out of memory");
+ 		free(tty_nodir);
+@@ -899,10 +903,10 @@
+ 		return retval;
+ 	}
+ 
++	openpam_restore_cred(pamh);
+ 	unlink(per_session);	/* remove cruft */
+ 	link(per_agent, per_session);
+ 
+-	openpam_restore_cred(pamh);
+ 	return PAM_SUCCESS;
+ }
+ 
+@@ -932,8 +936,11 @@
+ 	}
+ 
+ 	if (pam_get_data(pamh, "ssh_agent_env_session",
+-	    (const void **)(void *)&env_file) == PAM_SUCCESS && env_file)
++	    (const void **)(void *)&env_file) == PAM_SUCCESS && env_file) {
++		openpam_restore_cred(pamh);
+ 		unlink(env_file);
++		openpam_borrow_cred(pamh, pwent);
++	}
+ 
+ 	/* Retrieve per-agent filename and check link count.  If it's
+            greater than unity, other sessions are still using this
+@@ -948,7 +955,9 @@
+ 				openpam_restore_cred(pamh);
+ 				return PAM_SUCCESS;
+ 			}
++			openpam_restore_cred(pamh);
+ 			unlink(env_file);
++			openpam_borrow_cred(pamh, pwent);
+ 		}
+ 	}
+ 
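Review bot: Moving both names into one shared directory makes them ambiguous across users: the per-agent file is `STATE_DIR "/%s"` with `pw_name` and the per-session file is `STATE_DIR "/%s-%s"` with `pw_name` and `tty_nodir`, and because `-` is legal in a user name, one user's `<user>-<tty>` can equal another user's `<user>` (or another `<user>-<tty>`), after which the `unlink(per_session)` that now runs with root credentials restored would remove that other user's file; the old `$HOME/.ssh/agent-*` layout kept users apart by home directory, so this is new to the patch. A separator that cannot occur in a passwd name (`:`) or a per-user subdirectory under STATE_DIR removes the ambiguity. In the same block, the `stat`/`mkdir` pair executes as root and neither the `mkdir` result nor whether an existing STATE_DIR is a root-owned directory is checked, so a failure is only noticed indirectly by the later `open`; checking `mkdir` for anything other than `EEXIST` and verifying `S_ISDIR(stat_buf.st_mode)` and `st_uid == 0` would make the intent explicit (`stat_buf` is presumably declared outside the hunk). The `S_IRUSR | S_IRGRP | S_IROTH` mode on `open` makes the agent environment file world-readable, matching the man page text added above, but it is worth a one-line comment at the `open` stating that only the socket path and agent PID are stored there. The enclosing functions start and end outside every hunk of this file.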
================================================================

