[wheezy] On met à jour les fichiers de pam.d, et on bugfix groups.xml en attendant une amélioration

Python/etc/pam.d/common-account

@@ -3,13 +3,36 @@
 include("pam")
 
 header("""
+
 /etc/pam.d/common-account - authorization settings common to all services
 
 This file is included from other service-specific PAM config files,
 and should contain a list of the authorization modules that define
 the central access policy for use on the system.  The default is to
 only deny service to users whose accounts are expired in /etc/shadow.
+
+As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
+To take advantage of this, it is recommended that you configure any
+local modules either before or after the default block, and use
+pam-auth-update to manage selection of other modules.  See
+pam-auth-update(8) for details.
+
 """)
 
-print "account sufficient %s" % pam_module
-print "account required   pam_unix.so use_first_pass"
+if not has('wheezy'):
+    print "session required pam_unix.so use_first_pass"
+    print "session sufficient %s" %pam_module
+
+else:
+    @# here are the per-package modules (the "Primary" block)
+    @account [success=1 new_authtok_reqd=done default=ignore]        pam_unix.so use_first_pass
+    @# here's the fallback if no module succeeds
+    @account requisite                       pam_deny.so
+    @# prime the stack with a positive return value if there isn't one already;
+    @# this avoids us returning an error just because nothing sets a success code
+    @# since the modules above will each just jump around
+    @account required                        pam_permit.so
+    @# and here are more per-package modules (the "Additional" block)
+    if has("ldap"):
+        print "account [success=ok new_authtok_reqd=done ignore=ignore user_unknown=ignore authinfo_unavail=ignore default=bad]        %s minimum_uid=1000" % pam_module
+    @# end of pam-auth-update config

Python/etc/pam.d/common-auth

@@ -10,7 +10,28 @@ and should contain a list of the authentication modules that define
 the central authentication scheme for use on the system
 (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
 traditional Unix authentication mechanisms.
+
+As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
+To take advantage of this, it is recommended that you configure any
+local modules either before or after the default block, and use
+pam-auth-update to manage selection of other modules.  See
+pam-auth-update(8) for details.
 """)
 
-print "auth sufficient %s" % pam_module
-print "auth required   pam_unix.so nullok_secure use_first_pass"
+if not has('wheezy'):
+    print "auth sufficient %s" % pam_module
+    print "auth required   pam_unix.so nullok_secure use_first_pass"
+
+else:
+    @# here are the per-package modules (the "Primary" block)
+    @auth    [success=2 default=ignore]      pam_unix.so nullok_secure use_first_pass
+    if has('ldap'):
+        print "auth    [success=1 default=ignore]      %s minimum_uid=1000" % pam_module
+    @# here's the fallback if no module succeeds
+    @auth    requisite                       pam_deny.so
+    @# prime the stack with a positive return value if there isn't one already;
+    @# this avoids us returning an error just because nothing sets a success code
+    @# since the modules above will each just jump around
+    @auth    required                        pam_permit.so
+    @# and here are more per-package modules (the "Additional" block)
+    @# end of pam-auth-update config

Python/etc/pam.d/common-password

@@ -6,8 +6,24 @@ header("""
 /etc/pam.d/common-password - password-related modules common to all services
 
 This file is included from other service-specific PAM config files,
-and should contain a list of modules that define  the services to be
-used to change user passwords.  The default is pam_unix
+and should contain a list of modules that define the services to be
+used to change user passwords.  The default is pam_unix.
+
+Explanation of pam_unix options:
+
+The "sha512" option enables salted SHA512 passwords.  Without this option,
+the default is Unix crypt.  Prior releases used the option "md5".
+
+The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
+login.defs.
+
+See the pam_unix manpage for other options.
+
+As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
+To take advantage of this, it is recommended that you configure any
+local modules either before or after the default block, and use
+pam-auth-update to manage selection of other modules.  See
+pam-auth-update(8) for details.
 """)
 
 @# The "nullok" option allows users to change an empty password, else
@@ -19,12 +35,25 @@ used to change user passwords.  The default is pam_unix
 @# login.defs. Also the "min" and "max" options enforce the length of the
 @# new password.
 
-print "password   sufficient %s ignore_unknown_user md5 try_first_pass" % pam_module
-print "password   required   pam_unix.so nullok obscure min=4 max=8 md5 try_first_pass"
-
 @# Alternate strength checking for password. Note that this
 @# requires the libpam-cracklib package to be installed.
 @# You will need to comment out the password line above and
 @# uncomment the next two in order to use this.
 @# (Replaces the `OBSCURE_CHECKS_ENAB', `CRACKLIB_DICTPATH')
 
+if not has('wheezy'):
+    print "password   sufficient %s ignore_unknown_user md5 try_first_pass" % pam_module
+    print "password   required   pam_unix.so nullok obscure min=4 max=8 md5 try_first_pass"
+
+else:
+    @# here are the per-package modules (the "Primary" block)
+    @password        [success=2 default=ignore]      pam_unix.so  nullok obscure sha512 min=4 max=8 md5 try_first_pass
+    print "password        [success=1 default=ignore]      %s minimum_uid=1000 ignore_unkown_user md5 try_first_pass" % pam_module
+    @# here's the fallback if no module succeeds
+    @password        requisite                       pam_deny.so
+    @# prime the stack with a positive return value if there isn't one already;
+    @# this avoids us returning an error just because nothing sets a success code
+    @# since the modules above will each just jump around
+    @password        required                        pam_permit.so
+    @# and here are more per-package modules (the "Additional" block)
+    @# end of pam-auth-update config

Python/etc/pam.d/common-session

@@ -8,9 +8,31 @@ header("""
 This file is included from other service-specific PAM config files,
 and should contain a list of modules that define tasks to be performed
 at the start and end of sessions of *any* kind (both interactive and
-non-interactive).  The default is pam_unix.
+non-interactive).
+
+As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
+To take advantage of this, it is recommended that you configure any
+local modules either before or after the default block, and use
+pam-auth-update to manage selection of other modules.  See
+pam-auth-update(8) for details.
 """)
 
-print "session sufficient %s" % pam_module
-print "session required   pam_unix.so"
-print "session required   pam_mkhomedir.so"
+if not has('wheezy'):
+    print "session sufficient %s" % pam_module
+    print "session required   pam_unix.so"
+    print "session required   pam_mkhomedir.so"
+
+else:
+    @# here are the per-package modules (the "Primary" block)
+    @session [default=1]                     pam_permit.so
+    @# here's the fallback if no module succeeds
+    @session requisite                       pam_deny.so
+    @# prime the stack with a positive return value if there isn't one already;
+    @# this avoids us returning an error just because nothing sets a success code
+    @# since the modules above will each just jump around
+    @session required                        pam_permit.so
+    @# and here are more per-package modules (the "Additional" block)
+    @session required                        pam_unix.so 
+    if has('ldap'):
+        print "session [success=ok default=ignore]     %s minimum_uid=1000" % pam_module
+    @# end of pam-auth-update config