# Description: The Shadow package contains programs for handling passwords in a secure way.
# URL: http://shadow.pld.org.pl/
# Maintainer: pkg-shadow-devel@lists.alioth.debian.org
# Packager: pierre at nutyx dot org
# Package identity: name, upstream version and packaging release number.
name=shadow
version=4.2.1
release=1

# Upstream tarball; $version is expanded into the file name. The URL uses plain
# http:// and this file carries no checksum or signature for the download.
# NOTE(review): confirm the build tool verifies the tarball before unpacking.
source=( http://pkg-shadow.alioth.debian.org/releases/shadow-$version.tar.xz)
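#######################################
# Build shadow and stage it under $PKG with a PAM-based login configuration.
# Globals:   version (read), PKG (read; staging root)
# Arguments: none
# Returns:   non-zero if the source directory cannot be entered; otherwise
#            the status of the last command (removal of the staged nologin)
#######################################
build() {
  local directive program

  # Every install step below writes, moves or deletes under $PKG; with an
  # empty PKG those paths would resolve against the live root filesystem.
  : "${PKG:?PKG (staging directory) must be set}"

  cd "shadow-$version" || return 1

  # Do not build or document the groups program.
  sed -i 's/groups$(EXEEXT) //' src/Makefile.in
  find man -name Makefile.in -exec sed -i 's/groups\.1 / /' {} \;

  # Switch the default password hash from DES to SHA512 and use /var/mail.
  # ENCRYPT_METHOD is commented out again further down, so on the installed
  # system the hash is selected by the pam_unix options in system-password.
  sed -i -e 's@#ENCRYPT_METHOD DES@ENCRYPT_METHOD SHA512@' \
    -e 's@/var/spool/mail@/var/mail@' etc/login.defs

  sed -i 's/1000/999/' etc/useradd

  ./configure --sysconfdir=/etc
  make
  make DESTDIR="$PKG" install
  sed -i 's/yes/no/' "$PKG/etc/default/useradd"
  sed -i 's/GROUP/# GROUP/' "$PKG/etc/default/useradd"
  mv -v "$PKG"/usr/bin/* "$PKG/bin"
  mv -v "$PKG"/usr/sbin/* "$PKG/sbin"

  # Keep a pristine copy of login.defs, then comment out the directives
  # listed below so that login stops performing these functions itself.
  # The pattern is a prefix match: any line that starts with one of these
  # names is commented out.
  install -v -m644 "$PKG/etc/login.defs" "$PKG/etc/login.defs.orig"
  for directive in FAIL_DELAY FAILLOG_ENAB \
    LASTLOG_ENAB \
    MAIL_CHECK_ENAB \
    OBSCURE_CHECKS_ENAB \
    PORTTIME_CHECKS_ENAB \
    QUOTAS_ENAB \
    CONSOLE MOTD_FILE \
    FTMP_FILE NOLOGINS_FILE \
    ENV_HZ PASS_MIN_LEN \
    SU_WHEEL_ONLY \
    CRACKLIB_DICTPATH \
    PASS_CHANGE_TRIES \
    PASS_ALWAYS_WARN \
    CHFN_AUTH ENCRYPT_METHOD \
    ENVIRON_FILE; do
    sed -i "s/^${directive}/# &/" "$PKG/etc/login.defs"
  done

  # PAM configuration files. The heredoc delimiters are quoted, so the
  # bodies are written out literally with no shell expansion.
  mkdir -p "$PKG/etc/pam.d"

  # Shared stacks pulled in by the per-service files through "include".
  cat > "$PKG/etc/pam.d/system-account" << "EOF"
# Begin /etc/pam.d/system-account

account required pam_unix.so

# End /etc/pam.d/system-account
EOF

  cat > "$PKG/etc/pam.d/system-auth" << "EOF"
# Begin /etc/pam.d/system-auth

auth required pam_unix.so

# End /etc/pam.d/system-auth
EOF

  # Password changes: pam_pwhistory runs first, then pam_unix stores the
  # new password as a SHA512 hash in the shadow file.
  cat > "$PKG/etc/pam.d/system-password" << "EOF"
# Begin /etc/pam.d/system-password

# use sha512 hash for encryption, use shadow, and try to use any previously
# defined authentication token (chosen password) set by any prior module
password required pam_pwhistory.so retry=3
password required pam_unix.so sha512 shadow try_first_pass

# End /etc/pam.d/system-password
EOF

  cat > "$PKG/etc/pam.d/system-session" << "EOF"
# Begin /etc/pam.d/system-session

session required pam_unix.so
session optional pam_loginuid.so
session optional pam_ck_connector.so nox11

# End /etc/pam.d/system-session
EOF

  # Console login. pam_securetty ships commented out, so this file places
  # no terminal restriction on root logins until an administrator enables it.
  cat > "$PKG/etc/pam.d/login" << "EOF"
# Begin /etc/pam.d/login

# Set failure delay before next prompt to 3 seconds
auth optional pam_faildelay.so delay=3000000

# Check to make sure that the user is allowed to login
auth requisite pam_nologin.so

# Check to make sure that root is allowed to login
# Disabled by default. You will need to create /etc/securetty
# file for this module to function. See man 5 securetty.
#auth required pam_securetty.so

# Additional group memberships - disabled by default
#auth optional pam_group.so

# include the default auth settings
auth include system-auth

# check access for the user
account required pam_access.so

# include the default account settings
account include system-account

# Set default environment variables for the user
session required pam_env.so

# Set resource limits for the user
session required pam_limits.so

# Display date of last login - Disabled by default
#session optional pam_lastlog.so

# Display the message of the day - Disabled by default
#session optional pam_motd.so

# Check user's mail - Disabled by default
#session optional pam_mail.so standard quiet

# include the default session and password settings
session include system-session
password include system-password

# End /etc/pam.d/login
EOF

  cat > "$PKG/etc/pam.d/passwd" << "EOF"
# Begin /etc/pam.d/passwd

password include system-password

# End /etc/pam.d/passwd
EOF

  cat > "$PKG/etc/pam.d/su" << "EOF"
# Begin /etc/pam.d/su

# always allow root
auth sufficient pam_rootok.so
auth include system-auth

# include the default account settings
account include system-account

# Set default environment variables for the service user
session required pam_env.so

# include system session defaults
session include system-session

# End /etc/pam.d/su
EOF

  # Template for the account-management tools: root passes authentication
  # through pam_rootok, and the password stack is pam_permit.
  cat > "$PKG/etc/pam.d/chage" << "EOF"
#Begin /etc/pam.d/chage

# always allow root
auth sufficient pam_rootok.so

# include system defaults for auth account and session
auth include system-auth
account include system-account
session include system-session

# Always permit for authentication updates
password required pam_permit.so

# End /etc/pam.d/chage
EOF

  # Clone the chage policy for each remaining tool, renaming the service in
  # the Begin/End marker comments.
  for program in chfn chgpasswd chpasswd chsh groupadd groupdel \
    groupmems groupmod newusers useradd userdel usermod; do
    install -v -m644 "$PKG/etc/pam.d/chage" "$PKG/etc/pam.d/${program}"
    sed -i "s/chage/$program/" "$PKG/etc/pam.d/${program}"
  done

  # Back up an existing "other" policy before it is overwritten. The test
  # must look at the same path that is copied ($PKG/etc/pam.d/other);
  # testing $PKG/pam.d/other meant the backup was never taken.
  if [ -f "$PKG/etc/pam.d/other" ]; then
    install -v -m644 "$PKG/etc/pam.d/other" "$PKG/etc/pam.d/other.orig"
  fi

  # Fallback for any service without its own pam.d file: pam_warn logs the
  # attempt and pam_deny refuses it in every management group.
  cat > "$PKG/etc/pam.d/other" << "EOF"
# Begin /etc/pam.d/other

auth required pam_warn.so
auth required pam_deny.so
account required pam_warn.so
account required pam_deny.so
password required pam_warn.so
password required pam_deny.so
session required pam_warn.so
session required pam_deny.so

# End /etc/pam.d/other
EOF

  # Set aside the login access and resource limits files shipped by shadow.
  if [ -f "$PKG/etc/login.access" ]; then
    mv -v "$PKG/etc/login.access" "$PKG/etc/login.access.NOUSE"
  fi
  if [ -f "$PKG/etc/limits" ]; then
    mv -v "$PKG/etc/limits" "$PKG/etc/limits.NOUSE"
  fi

  # Drop nologin and its man page from the staged tree.
  # NOTE(review): presumably another package provides nologin - confirm.
  rm "$PKG/usr/share/man/man8/nologin.8"
  rm "$PKG/sbin/nologin"
}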