Changes since 2.4.1:

Version 2.6.7 (released 2021-05-01)

pam_oath: Support variables in usersfile string parameter. the usersfile string in the pam_oath configuration file. The placeholder values allow the user credentials file to be stored in a file path that is relative to the user, and mimics similar behavior found in google-authenticator-libpam. The motivation for these changes is to allow for non-privileged processes to use pam_oath (e.g., for 2FA with xscreensaver). Non-privileged and non-suid programs are unable to use pam_oath. These changes are a proposed alternative to a suid helper binary as well. Thanks to Jason Graham for the patch. See https://gitlab.com/oath-toolkit/oath-toolkit/-/merge_requests/12.

doc: Fix project URL in man pages. Thanks to Jason Graham for the patch. Fixes https://gitlab.com/oath-toolkit/oath-toolkit/-/issues/19.

build: Drop use of libxml's AM_PATH_XML2 in favor of pkg-config.

build: Modernize autotools usage. Most importantly, no longer use -Werror with AM_INIT_AUTOMAKE to make rebuilding from source more safe with future automake versions.

Updated gnulib files.

Version 2.6.6 (released 2021-01-20)

oathtool: Handle HOTP --counter values larger than 0x7FFFFFFFFFFFFFFF. Thanks to Jason Lai for report.

doc: GTK-DOC manual improvements.

Updated gnulib files. Fixes test-parse-datetime self-check. Fixes https://gitlab.com/oath-toolkit/oath-toolkit/-/issues/20.

Version 2.6.5 (released 2020-12-29)

oathtool: Support for reading KEY and OTP from standard input or filename. KEY and OTP may now be given as - to mean stdin, or @file to read from a particular file. This is recommended on multi-user systems, since secrets as command line parameters leak. Based on a patch from Ian Jackson. Fixes #6.

pam_oath: Fix unlikely logic fail on out of memory conditions. Patch from Matthias Gerstner.

Doc fixes.

Version 2.6.4 (released 2020-11-11)

libpskc: New --with-xmlsec-crypto-engine to hard-code crypto engine. Fixes https://gitlab.com/oath-toolkit/oath-toolkit/-/issues/16. Use it like --with-xmlsec-crypto-engine=gnutls or --with-xmlsec-crypto-engine=openssl if the default dynamic loading fails because of runtime linker search path issues.

oathtool --totp --verbose now prints TOTP hash mode. Fixes https://gitlab.com/oath-toolkit/oath-toolkit/-/issues/4.

oathtool: Hash names (e.g., SHA256) for --totp are now upper case. Fixes https://gitlab.com/oath-toolkit/oath-toolkit/-/issues/3. Lower/mixed case hash names are supported for compatibility.

pam_oath: Fail gracefully for missing users. Fixes https://savannah.nongnu.org/support/index.php?109111. This allows you to incrementally add support for OATH authentication instead of forcing it on all users. See updated pam_oath/README on the [user_unknown=ignore success=ok] parameter that can now be supplied to PAM configuration. Patch by Antoine Beaupré.

Fix libpskc memory corruption bug. Fixes https://savannah.nongnu.org/support/?108736. Thanks to David Woodhouse and Jaroslav Škarvada for report, self check and patch.

Fix man pages. Fixes https://savannah.nongnu.org/support/?108312. Thanks to Jaroslav Škarvada for the patch.

Build fixes.

Version 2.6.3 (released 2020-11-07)

pam_oath: Fix self-tests.

build: Update gnulib. Fix compiler warnings.

Doc fixes.

Version 2.6.2 (released 2016-08-27)

doc: Version controlled source code repository moved to GitLab.

Version 2.6.1 (released 2015-07-31)

liboath: Fix make check on 32-bit systems. Report and patch by Christian Hesse.

Version 2.6.0 (released 2015-05-19)

liboath: Support TOTP with HMAC-SHA256 and HMAC-SHA512. This adds new APIs oath_totp_generate2, oath_totp_validate4 and oath_totp_validate4_callback.

oathtool: The --totp parameter now takes an optional argument to specify MAC. For example use --totp=sha256 to use HMAC-SHA256. When --totp is used the default HMAC-SHA1 is used, as before.

pam_oath: Mention in README that you shouldn't use insecure keys. Suggested by Robin.

pam_oath: Check return value from strdup. Patch by Eero Hakkinen.

The files gdoc and expect.oath are now included in the tarball. Suggested by Jaroslav Škarvada.
sborrill committed Aug 22, 2022 (1 parent 077edbf, commit 5103c19)
Showing 11 changed files with 274 additions and 39 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,7 +1,11 @@ | ||
$NetBSD: distinfo,v 1.13 2021/10/26 11:17:21 nia Exp $ | ||
$NetBSD: distinfo,v 1.14 2022/08/22 07:42:52 sborrill Exp $ | ||
|
||
BLAKE2s (oath-toolkit-2.4.1.tar.gz) = 1c708e16554736cfe5d38e4b6ff4e2eda945c9bc72cfb889f0ce4aec6078c44d | ||
SHA512 (oath-toolkit-2.4.1.tar.gz) = 2a3440d5c97afef00dacd235d5471e8bf68086dfdb20234a894e7534d75670808fef444fe1062525800bc5ffe368898302e6cf250cd76b7238cd602d7d05e89b | ||
Size (oath-toolkit-2.4.1.tar.gz) = 4136649 bytes | ||
SHA1 (patch-liboath_gl_fflush.c) = d957eed6c3e653ee53bbcf0b95b0c032f092b07d | ||
SHA1 (patch-liboath_gl_fseeko.c) = bd67a1af8c01a2dbf849f8612cbb18470cb3b248 | ||
BLAKE2s (oath-toolkit-2.6.7.tar.gz) = 60abf1cd8341cc5ed887aea4c58928bfcac3347ab43dd3704bd69cf5e9a7e5ec | ||
SHA512 (oath-toolkit-2.6.7.tar.gz) = 50edff75c8366887d69cf4740c4cc3bdfc3e43cbd4910ff40f735bca489f0953d7e5a21130f12782ac7a1f2fb00f0db313aff139085f23daba78a69bc7b2eb12 | ||
Size (oath-toolkit-2.6.7.tar.gz) = 5625279 bytes | ||
SHA1 (patch-liboath_gl_fflush.c) = 65b10470b8ba45973d11e3bdf32b9511461f87dc | ||
SHA1 (patch-pam__oath_Makefile.in) = c3fd5dea44e6c604e77dbe81ff7b062dc12925bf | ||
SHA1 (patch-pam__oath_configure.ac) = 525c51b98d0fc444440aa77a9b821b4c820cca31 | ||
SHA1 (patch-pam__oath_pam__modutil.c) = f60b9d7a71efd79425be7ca3257d1a37b3d806fb | ||
SHA1 (patch-pam__oath_pam__modutil.h) = fe361f7430cf8a26c74653b4dbc42c01825f90f2 | ||
SHA1 (patch-pam__oath_pam__oath.c) = f138397e7f5593f248c3ff761449b968ce6d9129 |
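Review bot: the commit message is only upstream's changelog and does not account for the packaging changes recorded in these lines: the patch-liboath_gl_fseeko.c entry is dropped, patch-liboath_gl_fflush.c gets a new checksum, and five pam_oath patches are added. A short pkgsrc-specific paragraph in the log (why fseeko is no longer patched, that pam_modutil is now carried locally, that a pam option was added) would let a reader tell intended changes from accidental ones.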
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,16 @@ | ||
# $NetBSD: options.mk,v 1.1 2022/08/22 07:42:52 sborrill Exp $ | ||
|
||
PKG_OPTIONS_VAR= PKG_OPTIONS.oath-toolkit | ||
PKG_SUPPORTED_OPTIONS+= pam | ||
PKG_SUGGESTED_OPTIONS= pam | ||
|
||
.include "../../mk/bsd.options.mk" | ||
|
||
PLIST_VARS+= pam | ||
|
||
.if !empty(PKG_OPTIONS:Mpam) | ||
PLIST.pam= yes | ||
. include "../../mk/pam.buildlink3.mk" | ||
.else | ||
CONFIGURE_ARGS+= --disable-pam | ||
.endif |
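Review bot: `PKG_SUPPORTED_OPTIONS+= pam` appends to a variable that this new file never assigned; a plain `PKG_SUPPORTED_OPTIONS= pam`, matching the `PKG_SUGGESTED_OPTIONS= pam` line below it, says the same thing without implying an earlier definition.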
This file was deleted.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,62 @@ | ||
$NetBSD: patch-pam__oath_Makefile.in,v 1.1 2022/08/22 07:42:52 sborrill Exp $ | ||
|
||
Use local fragment of libpam, from FreeBSD | ||
|
||
--- pam_oath/Makefile.in.orig 2022-02-01 11:49:49 UTC | ||
+++ pam_oath/Makefile.in | ||
@@ -149,7 +149,7 @@ am__uninstall_files_from_dir = { \ | ||
am__installdirs = "$(DESTDIR)$(pammoddir)" | ||
LTLIBRARIES = $(pammod_LTLIBRARIES) | ||
pam_oath_la_DEPENDENCIES = ../liboath/liboath.la | ||
-am_pam_oath_la_OBJECTS = pam_oath.lo | ||
+am_pam_oath_la_OBJECTS = pam_oath.lo pam_modutil.lo | ||
pam_oath_la_OBJECTS = $(am_pam_oath_la_OBJECTS) | ||
AM_V_lt = $(am__v_lt_@AM_V@) | ||
am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) | ||
@@ -173,7 +173,8 @@ am__v_at_1 = | ||
DEFAULT_INCLUDES = -I.@am__isrc@ | ||
depcomp = $(SHELL) $(top_srcdir)/build-aux/depcomp | ||
am__maybe_remake_depfiles = depfiles | ||
-am__depfiles_remade = ./$(DEPDIR)/pam_oath.Plo | ||
+am__depfiles_remade = ./$(DEPDIR)/pam_modutil.Plo \ | ||
+ ./$(DEPDIR)/pam_oath.Plo | ||
am__mv = mv -f | ||
COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ | ||
$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) | ||
@@ -414,7 +416,7 @@ AM_CPPFLAGS = -I$(builddir)/../liboath | ||
EXTRA_DIST = README | ||
pammoddir = $(PAMDIR) | ||
pammod_LTLIBRARIES = pam_oath.la | ||
-pam_oath_la_SOURCES = pam_oath.c | ||
+pam_oath_la_SOURCES = pam_oath.c pam_modutil.c pam_modutil.h | ||
# XXX add -Wl,-x too? PAM documentation suggests it. | ||
pam_oath_la_LIBADD = ../liboath/liboath.la | ||
pam_oath_la_LDFLAGS = -module -avoid-version | ||
@@ -516,6 +518,7 @@ mostlyclean-compile: | ||
distclean-compile: | ||
-rm -f *.tab.c | ||
|
||
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_modutil.Plo@am__quote@ # am--include-marker | ||
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_oath.Plo@am__quote@ # am--include-marker | ||
|
||
$(am__depfiles_remade): | ||
@@ -896,7 +904,8 @@ clean-am: clean-generic clean-libtool clean-pammodLTLI | ||
|
||
distclean: distclean-recursive | ||
-rm -f $(am__CONFIG_DISTCLEAN_FILES) | ||
- -rm -f ./$(DEPDIR)/pam_oath.Plo | ||
+ -rm -f ./$(DEPDIR)/pam_modutil.Plo | ||
+ -rm -f ./$(DEPDIR)/pam_oath.Plo | ||
-rm -f Makefile | ||
distclean-am: clean-am distclean-compile distclean-generic \ | ||
distclean-hdr distclean-libtool distclean-tags | ||
@@ -944,7 +953,8 @@ installcheck-am: | ||
maintainer-clean: maintainer-clean-recursive | ||
-rm -f $(am__CONFIG_DISTCLEAN_FILES) | ||
-rm -rf $(top_srcdir)/autom4te.cache | ||
- -rm -f ./$(DEPDIR)/pam_oath.Plo | ||
+ -rm -f ./$(DEPDIR)/pam_modutil.Plo | ||
+ -rm -f ./$(DEPDIR)/pam_oath.Plo | ||
-rm -f Makefile | ||
maintainer-clean-am: distclean-am maintainer-clean-generic | ||
|
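Review bot: the hunk headers in this patch do not add up, which suggests it was edited by hand after generation. The second hunk adds one line, yet the third starts at +416 for -414 (offset 2), and the fifth starts at +904 for -896 (offset 8) when the preceding hunks account for only 3. patch(1) will usually cope through offset matching, but regenerating the file (for example with mkpatches) would make it apply exactly. Since Makefile.in is automake output and configure.ac is patched separately, patching Makefile.am and regenerating would avoid maintaining these hunks by hand.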
security/oath-toolkit/patches/patch-pam__oath_configure.ac: 15 changes (15 additions & 0 deletions)
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,15 @@ | ||
$NetBSD: patch-pam__oath_configure.ac,v 1.1 2022/08/22 07:42:52 sborrill Exp $ | ||
|
||
Use local fragment of libpam, from FreeBSD | ||
|
||
--- pam_oath/configure.ac.orig 2022-08-17 14:42:32.924331123 +0000 | ||
+++ pam_oath/configure.ac 2022-08-17 14:43:19.893846965 +0000 | ||
@@ -29,8 +29,6 @@ | ||
|
||
AC_CHECK_HEADERS([security/pam_appl.h], [], | ||
[AC_MSG_ERROR([[PAM header files not found, install libpam-dev.]])]) | ||
-AC_CHECK_HEADERS([security/pam_modutil.h], [], | ||
- [AC_MSG_ERROR([[PAM header files not found, install libpam-dev.]])]) | ||
AC_CHECK_HEADERS([security/pam_modules.h security/_pam_macros.h], [], [], | ||
[#include <security/pam_appl.h>]) | ||
|
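Review bot: removing the whole `AC_CHECK_HEADERS([security/pam_modutil.h], ...)` call at -29,8 also removes the check that defines HAVE_SECURITY_PAM_MODUTIL_H, which pam_modutil.c and pam_modutil.h in this same commit test to choose between the system header and the local fragment. With the check gone the macro is never set, so the local pam_modutil_getpwnam is compiled even where libpam already provides one. Keep the probe and drop only the error action, e.g. `AC_CHECK_HEADERS([security/pam_modutil.h])`. The change also only takes effect if configure is regenerated from configure.ac during the build, which these lines do not show.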
security/oath-toolkit/patches/patch-pam__oath_pam__modutil.c: 89 changes (89 additions & 0 deletions)
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,89 @@ | ||
$NetBSD: patch-pam__oath_pam__modutil.c,v 1.1 2022/08/22 07:42:52 sborrill Exp $ | ||
|
||
Use local fragment of libpam, from FreeBSD | ||
|
||
--- pam_oath/pam_modutil.c.orig 2022-01-31 11:03:40 UTC | ||
+++ pam_oath/pam_modutil.c | ||
@@ -0,0 +1,82 @@ | ||
+#include <config.h> | ||
+ | ||
+#ifndef HAVE_SECURITY_PAM_MODUTIL_H | ||
+ | ||
+#include "pam_modutil.h" | ||
+ | ||
+#ifdef HAVE_SECURITY_PAM_APPL_H | ||
+#include <security/pam_appl.h> | ||
+#endif | ||
+#ifdef HAVE_SECURITY_PAM_MODULES_H | ||
+#include <security/pam_modules.h> | ||
+#endif | ||
+ | ||
+#include <errno.h> | ||
+#include <pwd.h> | ||
+#include <stddef.h> | ||
+#include <stdlib.h> | ||
+#include <unistd.h> | ||
+ | ||
+#define PWD_INITIAL_LENGTH 0x400 | ||
+#define PWD_ABSURD_PWD_LENGTH 0x4000 | ||
+ | ||
+void _pam_modutil_cleanup(pam_handle_t *pamh, void *data, int error_status) { | ||
+ if (data) { | ||
+ (void) free(data); | ||
+ } | ||
+} | ||
+ | ||
+struct passwd *pam_modutil_getpwnam(pam_handle_t *pamh, const char *user) { | ||
+ void *buffer = NULL; | ||
+ size_t length = PWD_INITIAL_LENGTH; | ||
+ long sc_init_length = sysconf(_SC_GETPW_R_SIZE_MAX); | ||
+ | ||
+ if (sc_init_length != -1 && sc_init_length < PWD_ABSURD_PWD_LENGTH) { | ||
+ length = (size_t) sc_init_length; | ||
+ } | ||
+ | ||
+ do { | ||
+ int status; | ||
+ void *new_buffer; | ||
+ struct passwd *result = NULL; | ||
+ | ||
+ new_buffer = realloc(buffer, sizeof(struct passwd) + length); | ||
+ if (new_buffer == NULL) { | ||
+ // out of memory | ||
+ if (buffer) { | ||
+ free(buffer); | ||
+ } | ||
+ return NULL; | ||
+ } | ||
+ buffer = new_buffer; | ||
+ | ||
+ status = getpwnam_r(user, buffer, | ||
+ sizeof(struct passwd) + (char *) buffer, | ||
+ length, &result); | ||
+ if (!status && result) { | ||
+ status = pam_set_data(pamh, "_pammodutil_getpwnam", result, | ||
+ _pam_modutil_cleanup); | ||
+ if (status == PAM_SUCCESS) { | ||
+ return result; | ||
+ } | ||
+ // unable to set data item | ||
+ free(buffer); | ||
+ return NULL; | ||
+ } | ||
+ if (status != ERANGE) { | ||
+ // no matching record found (if status == 0) | ||
+ // or getpwnam_r encountered an error | ||
+ free(buffer); | ||
+ return NULL; | ||
+ } | ||
+ | ||
+ length <<= 1; | ||
+ } while (length < PWD_ABSURD_PWD_LENGTH); | ||
+ | ||
+ // exceeded maximum buffer size | ||
+ free(buffer); | ||
+ return NULL; | ||
+} | ||
+#else | ||
+typedef int make_iso_compilers_happy; | ||
+#endif /* HAVE_SECURITY_PAM_MODUTIL_H */ |
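Review bot: the `pam_set_data(pamh, "_pammodutil_getpwnam", result, _pam_modutil_cleanup)` call uses one fixed key, so a second lookup on the same handle replaces the entry and PAM runs the cleanup on the first buffer, freeing a struct passwd the earlier caller may still hold. Derive the key from the user name plus a counter, or document that the returned pointer is only valid until the next call. Smaller points: `user` is passed to getpwnam_r without a NULL check, and the `//` comments differ from the `/* */` style used on the final `#endif`.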
security/oath-toolkit/patches/patch-pam__oath_pam__modutil.h: 24 changes (24 additions & 0 deletions)
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,24 @@ | ||
$NetBSD: patch-pam__oath_pam__modutil.h,v 1.1 2022/08/22 07:42:52 sborrill Exp $ | ||
|
||
Use local fragment of libpam, from FreeBSD | ||
|
||
--- pam_oath/pam_modutil.h.orig 2022-01-31 11:03:40 UTC | ||
+++ pam_oath/pam_modutil.h | ||
@@ -0,0 +1,17 @@ | ||
+#ifndef PAM_MODUTIL_H | ||
+#define PAM_MODUTIL_H | ||
+ | ||
+#ifdef HAVE_SECURITY_PAM_MODUTIL_H | ||
+#include <security/pam_modutil.h> | ||
+#else | ||
+ | ||
+#ifdef HAVE_SECURITY_PAM_MODULES_H | ||
+#include <security/pam_modules.h> | ||
+#endif | ||
+ | ||
+#include <pwd.h> | ||
+ | ||
+struct passwd *pam_modutil_getpwnam(pam_handle_t *pamh, const char *user); | ||
+ | ||
+#endif | ||
+#endif |
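Review bot: the prototype uses pam_handle_t, but the only include that can supply it in the fallback branch is guarded by HAVE_SECURITY_PAM_MODULES_H, and configure.ac treats security/pam_modules.h as optional while erroring out only when security/pam_appl.h is missing. Including <security/pam_appl.h> here as well would make the header self-sufficient. The HAVE_* tests also assume the including file has already pulled in config.h; a one-line comment stating that requirement would help.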