packages: pam-pam_google-authenticator/0001-Add-no-drop-privs-option-to-man...

glen glen at pld-linux.org
Sat Mar 31 23:25:02 CEST 2012


Author: glen                         Date: Sat Mar 31 21:25:02 2012 GMT
Module: packages                      Tag: HEAD
---- Log message:
- new, based on fedora package

---- Files affected:
packages/pam-pam_google-authenticator:
   0001-Add-no-drop-privs-option-to-manage-secret-files-as-r.patch (NONE -> 1.1)  (NEW), 0002-Allow-expansion-of-PAM-environment-variables-in-secr.patch (NONE -> 1.1)  (NEW), pam-pam_google-authenticator.spec (NONE -> 1.1)  (NEW)

---- Diffs:

================================================================
Index: packages/pam-pam_google-authenticator/0001-Add-no-drop-privs-option-to-manage-secret-files-as-r.patch
diff -u /dev/null packages/pam-pam_google-authenticator/0001-Add-no-drop-privs-option-to-manage-secret-files-as-r.patch:1.1
--- /dev/null	Sat Mar 31 23:25:02 2012
+++ packages/pam-pam_google-authenticator/0001-Add-no-drop-privs-option-to-manage-secret-files-as-r.patch	Sat Mar 31 23:24:57 2012
@@ -0,0 +1,47 @@
+From b9dba3310e01a378014520d23e05ed432d0f8266 Mon Sep 17 00:00:00 2001
+From: David Woodhouse <David.Woodhouse at intel.com>
+Date: Sun, 11 Sep 2011 23:10:16 +0100
+Subject: [PATCH] Add no-drop-privs option to manage secret files as root
+
+---
+ libpam/pam_google_authenticator.c |   10 +++++++---
+ 1 files changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/libpam/pam_google_authenticator.c b/libpam/pam_google_authenticator.c
+index c6b8e58..1b83c38 100644
+--- a/libpam/pam_google_authenticator.c
++++ b/libpam/pam_google_authenticator.c
+@@ -60,6 +60,7 @@ typedef struct Params {
+   const char *secret_filename_spec;
+   int        noskewadj;
+   int        echocode;
++  int        no_drop_privs;
+ } Params;
+ 
+ static char oom;
+@@ -1083,6 +1084,8 @@ static int parse_args(pam_handle_t *pamh, int argc, const char **argv,
+       params->noskewadj = 1;
+     } else if (!strcmp(argv[i], "echo-verification-code")) {
+       params->echocode = PAM_PROMPT_ECHO_ON;
++    } else if (!strcmp(argv[i], "no-drop-privs")) {
++      params->no_drop_privs = 1;
+     } else {
+       log_message(LOG_ERR, pamh, "Unrecognized option \"%s\"", argv[i]);
+       return -1;
+@@ -1118,9 +1121,10 @@ static int google_authenticator(pam_handle_t *pamh, int flags,
+   int updated = 0;
+   if ((username = get_user_name(pamh)) &&
+       (secret_filename = get_secret_filename(pamh, &params, username, &uid)) &&
+-      (old_uid = drop_privileges(pamh, username, uid)) >= 0 &&
+-      (fd = open_secret_file(pamh, secret_filename, username, uid,
+-                             &filesize, &mtime)) >= 0 &&
++      (params.no_drop_privs ||
++       (old_uid = drop_privileges(pamh, username, uid))) >= 0 &&
++      (fd = open_secret_file(pamh, secret_filename, params.no_drop_privs?"root":username,
++			     params.no_drop_privs?0:uid, &filesize, &mtime)) >= 0 &&
+       (buf = read_file_contents(pamh, secret_filename, &fd, filesize)) &&
+       (secret = get_shared_secret(pamh, secret_filename, buf, &secretLen)) &&
+       (rate_limit(pamh, secret_filename, &updated, &buf) >= 0) &&
+-- 
+1.7.6
+
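Review bot: The `>= 0` in the rewritten condition is applied to the result of the `||`, which is always 0 or 1, so a failing `drop_privileges()` (negative return) no longer aborts authentication — the module carries on with privileges not dropped and `old_uid` set to -1. The intended form is `(params.no_drop_privs || (old_uid = drop_privileges(pamh, username, uid)) >= 0) &&`, i.e. the closing parenthesis moves after the comparison. With `no-drop-privs` the secret file is opened as root with the expected owner forced to `"root"`/uid 0, so the owner and mode checks inside open_secret_file (not in this hunk) are the only guard between a path that expands into a user's home directory and root reading or writing a file the user placed there; that should be stated in the option's documentation. In that branch `old_uid` also keeps its initial value, and whether the privilege-restore code later in google_authenticator copes with that cannot be seen here — the function starts and ends outside the hunk.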

================================================================
Index: packages/pam-pam_google-authenticator/0002-Allow-expansion-of-PAM-environment-variables-in-secr.patch
diff -u /dev/null packages/pam-pam_google-authenticator/0002-Allow-expansion-of-PAM-environment-variables-in-secr.patch:1.1
--- /dev/null	Sat Mar 31 23:25:02 2012
+++ packages/pam-pam_google-authenticator/0002-Allow-expansion-of-PAM-environment-variables-in-secr.patch	Sat Mar 31 23:24:57 2012
@@ -0,0 +1,62 @@
+From 82eae28e2fd4f7ddfcbc185c7478db5806b4b4ea Mon Sep 17 00:00:00 2001
+From: David Woodhouse <David.Woodhouse at intel.com>
+Date: Mon, 26 Sep 2011 23:55:55 +0100
+Subject: [PATCH 2/2] Allow expansion of PAM environment variables in secret
+ file name
+
+https://bugzilla.mindrot.org/show_bug.cgi?id=983#c43 makes OpenSSH set
+a PAM environment variable indicating which SSH public key was used to
+authenticate. This lets Google Authenticator use that information (or
+anything else in PAM environment variables) to select an appropriate
+secret file.
+---
+ libpam/Makefile                   |    4 ++--
+ libpam/pam_google_authenticator.c |   13 ++++++++++++-
+ 2 files changed, 14 insertions(+), 3 deletions(-)
+
+diff --git a/libpam/Makefile b/libpam/Makefile
+index 9137d68..fbe93a8 100644
+--- a/libpam/Makefile
++++ b/libpam/Makefile
+@@ -60,7 +60,7 @@ google-authenticator: google-authenticator.o base32.o hmac.o sha1.o
+ 	      echo " -ldl") -o $@ $+
+ 
+ demo: demo.o pam_google_authenticator_demo.o base32.o hmac.o sha1.o
+-	$(CC) -g $(DEF_LDFLAGS) -rdynamic                                     \
++	$(CC) -g $(DEF_LDFLAGS) -rdynamic -lpam                                    \
+ 	      $(shell [ -f /usr/lib/libdl.so ] && echo " -ldl") -o $@ $+
+ 
+ pam_google_authenticator_unittest: pam_google_authenticator_unittest.o        \
+@@ -92,4 +92,4 @@ sha1.o: sha1.c sha1.h
+ .c.o:
+ 	$(CC) --std=gnu99 -Wall -O2 -g -fPIC -c $(DEF_CFLAGS) -o $@ $<
+ .o.so:
+-	$(CC) -shared -g $(DEF_LDFLAGS) -o $@ $+
++	$(CC) -shared -g $(DEF_LDFLAGS) -lpam -o $@ $+
+diff --git a/libpam/pam_google_authenticator.c b/libpam/pam_google_authenticator.c
+index 1b83c38..4708c1e 100644
+--- a/libpam/pam_google_authenticator.c
++++ b/libpam/pam_google_authenticator.c
+@@ -170,7 +170,18 @@ static char *get_secret_filename(pam_handle_t *pamh, const Params *params,
+       subst = pw->pw_dir;
+       var = cur;
+     } else if (secret_filename[offset] == '$') {
+-      if (!memcmp(cur, "${HOME}", 7)) {
++      if (!memcmp(cur, "${PAM:", 6)) {
++	char *cls = strchr(cur + 6, '}');
++	if (cls) {
++	  char *envname = strndup(cur + 6, cls - cur - 6);
++	  subst = pam_getenv(pamh, envname);
++	  if (!subst)
++	    subst = "";
++	  free (envname);
++	  var = cur;
++	  var_len = cls - cur + 1;
++	}
++      } else if (!memcmp(cur, "${HOME}", 7)) {
+         var_len = 7;
+         subst = pw->pw_dir;
+         var = cur;
+-- 
+1.7.6.2
+
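Review bot: The string returned by `pam_getenv()` is spliced into the secret file path verbatim, so any PAM environment variable a client can influence (which depends on the application and the other modules in the stack) could contain `/` or `..` and redirect the lookup to a different file, and an unset variable silently expands to `""` instead of failing. I would refuse such values rather than substitute them: `if (!subst || !*subst || strchr(subst, '/')) { free(envname); return NULL; }` — the caller in patch 1 already treats a NULL from get_secret_filename as failure, though any cleanup the function needs before returning is outside this hunk. `strndup()` can also return NULL, which is then handed to `pam_getenv()` unchecked. In the Makefile, `-lpam` is placed before the object files, which a linker running with `--as-needed` will drop; it belongs after `$+`.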

================================================================
Index: packages/pam-pam_google-authenticator/pam-pam_google-authenticator.spec
diff -u /dev/null packages/pam-pam_google-authenticator/pam-pam_google-authenticator.spec:1.1
--- /dev/null	Sat Mar 31 23:25:02 2012
+++ packages/pam-pam_google-authenticator/pam-pam_google-authenticator.spec	Sat Mar 31 23:24:57 2012
@@ -0,0 +1,77 @@
+# $Revision$, $Date$
+#
+# Conditional build:
+%bcond_with	tests		# build with tests
+
+%define snapshot d525a9bab875
+%define snapdate 20110830
+Summary:	PAM module for One-time passcode support using open standards
+Name:		pam-pam_google-authenticator
+Version:	0
+Release:	0.3.%{snapdate}.hg%{snapshot}
+License:	ASL 2.0
+URL:		http://code.google.com/p/google-authenticator/
+# hg archive -r ${snapshot} %{name}-0.%{snapdate}.hg%{snapshot}.tar.gz
+#Source0:        %{name}-0.%{snapdate}.hg%{snapshot}.tar.gz
+Group:		Libraries
+Source0:	http://pkgs.fedoraproject.org/repo/pkgs/google-authenticator/google-authenticator-0.20110830.hgd525a9bab875.tar.gz/82b01c66812d1a2ceef51c0e375c18f3/google-authenticator-0.20110830.hgd525a9bab875.tar.gz
+# Source0-md5:	82b01c66812d1a2ceef51c0e375c18f3
+Patch1:		0001-Add-no-drop-privs-option-to-manage-secret-files-as-r.patch
+Patch2:		0002-Allow-expansion-of-PAM-environment-variables-in-secr.patch
+BuildRequires:	pam-devel
+BuildRequires:	qrencode-devel
+BuildRoot:	%{tmpdir}/%{name}-%{version}-root-%(id -u -n)
+
+%description
+The Google Authenticator package contains a pluggable authentication
+module (PAM) which allows login using one-time passcodes conforming to
+the open standards developed by the Initiative for Open Authentication
+(OATH) (which is unrelated to OAuth).
+
+Passcode generators are available (separately) for several mobile
+platforms.
+
+These implementations support the HMAC-Based One-time Password (HOTP)
+algorithm specified in RFC 4226 and the Time-based One-time Password
+(TOTP) algorithm currently in draft.
+
+%prep
+%setup -q -n google-authenticator-%{version}.%{snapdate}.hg%{snapshot}
+%patch1 -p1
+%patch2 -p1
+
+%build
+%{__make} -C libpam \
+	CC="%{__cc}" \
+	CFLAGS="%{rpmcflags}" \
+	LDFLAGS="-ldl"
+
+%if %{with tests}
+cd libpam
+./pam_google_authenticator_unittest
+%endif
+
+%install
+rm -rf $RPM_BUILD_ROOT
+install -d $RPM_BUILD_ROOT{/%{_lib}/security,%{_bindir}}
+cd libpam
+install -p pam_google_authenticator.so $RPM_BUILD_ROOT/%{_lib}/security
+install -p google-authenticator $RPM_BUILD_ROOT%{_bindir}/google-authenticator
+
+%clean
+rm -rf $RPM_BUILD_ROOT
+
+%files
+%defattr(644,root,root,755)
+%doc libpam/FILEFORMAT libpam/README libpam/totp.html
+%attr(755,root,root) /%{_lib}/security/pam_google_authenticator.so
+%attr(755,root,root) %{_bindir}/google-authenticator
+
+%define date	%(echo `LC_ALL="C" date +"%a %b %d %Y"`)
+%changelog
+* %{date} PLD Team <feedback at pld-linux.org>
+All persons listed below can be reached at <cvs_login>@pld-linux.org
+
+$Log$
+Revision 1.1  2012/03/31 21:24:57  glen
+- new, based on fedora package
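Review bot: `CFLAGS="%{rpmcflags}"` and `LDFLAGS="-ldl"` in %build appear to be ignored: the libpam/Makefile rules visible in patch 2 compile with `$(DEF_CFLAGS)` and link with `$(DEF_LDFLAGS)`, and the Makefile already appends `-ldl` itself, so the distribution's compiler and linker flags — including any hardening options — do not reach a PAM module that runs inside root-privileged authentication. Pass them under the names the Makefile reads, `DEF_CFLAGS="%{rpmcflags}"` and `DEF_LDFLAGS="%{rpmldflags}"` (or the equivalent distribution link-flags macro), and drop the now-redundant `LDFLAGS="-ldl"`. A comment next to the `# Source0-md5:` line noting that the checksum must be re-verified whenever the snapshot is bumped would also help, since the tarball is fetched from a third-party mirror rather than upstream.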
================================================================

