[wheezy] On met à jour les fichiers de pam.d, et on bugfix groups.xml en attendant une amélioration

2013-04-19 16:49:19 +02:00 · 2013-04-19 16:49:19 +02:00 · ceaf481894
commit ceaf481894
parent cdec12422b
5 changed files with 110 additions and 13 deletions
--- a/Python/etc/pam.d/common-auth
+++ b/Python/etc/pam.d/common-auth
@ -10,7 +10,28 @@ and should contain a list of the authentication modules that define
 the central authentication scheme for use on the system
 (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
 traditional Unix authentication mechanisms.
+
+As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
+To take advantage of this, it is recommended that you configure any
+local modules either before or after the default block, and use
+pam-auth-update to manage selection of other modules.  See
+pam-auth-update(8) for details.
 """)

-print "auth sufficient %s" % pam_module
-print "auth required   pam_unix.so nullok_secure use_first_pass"
+if not has('wheezy'):
+    print "auth sufficient %s" % pam_module
+    print "auth required   pam_unix.so nullok_secure use_first_pass"
+
+else:
+    @# here are the per-package modules (the "Primary" block)
+    @auth    [success=2 default=ignore]      pam_unix.so nullok_secure use_first_pass
+    if has('ldap'):
+        print "auth    [success=1 default=ignore]      %s minimum_uid=1000" % pam_module
+    @# here's the fallback if no module succeeds
+    @auth    requisite                       pam_deny.so
+    @# prime the stack with a positive return value if there isn't one already;
+    @# this avoids us returning an error just because nothing sets a success code
+    @# since the modules above will each just jump around
+    @auth    required                        pam_permit.so
+    @# and here are more per-package modules (the "Additional" block)
+    @# end of pam-auth-update config