linux-pam: 1.7.0

2be4eeeb · Vivek Dutta · a49407ad · 2be4eeeb · 2be4eeeb
Verified Commit 2be4eeeb authored 3 months ago by Vivek Dutta
--- a/linux-pam/Makefile
+++ b/linux-pam/Makefile
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=linux-pam
+PKG_VERSION:=1.7.0
+PKG_RELEASE:=1
+
+PKG_SOURCE_PROTO:=git
+PKG_SOURCE_URL:=https://github.com/linux-pam/linux-pam.git
+PKG_SOURCE_VERSION:=v$(PKG_VERSION)
+PKG_MIRROR_HASH:=skip
+
+include $(INCLUDE_DIR)/package.mk
+include $(INCLUDE_DIR)/meson.mk
+
+define Package/linux-pam
+  SECTION:=libs
+  CATEGORY:=Libraries
+  TITLE:=Linux PAM Module
+  DEPENDS:=+libpam
+endef
+
+MESON_ARGS += \
+	-Dprefix=/usr \
+	-Ddefault_library=shared \
+	-Ddocs=disabled \
+	-Deconf=disabled \
+	-Dselinux=disabled \
+	-Dnis=disabled \
+	-Dexamples=false \
+	-Dxtests=false
+
+define Package/linux-pam/install
+	$(INSTALL_DIR) $(1)/usr/lib/security
+	$(INSTALL_DIR) $(1)/etc/uci-defaults/
+	$(INSTALL_BIN) ./files/pam_faillock.uci_default $(1)/etc/uci-defaults/99-add_pam_faillock
+endef
+
+$(eval $(call BuildPackage,linux-pam))
--- a/linux-pam/files/pam_faillock.uci_default
+++ b/linux-pam/files/pam_faillock.uci_default
+#!/bin/sh
+
+create_faillock_files()
+{
+	# also create files needed by pam_faillock
+	touch /var/log/faillock
+	chmod 700 /var/log/faillock
+	touch /var/log/btmp
+	chmod 700 /var/log/btmp
+}
+
+update_pam_common_auth()
+{
+	local file="/etc/pam.d/common-auth"
+	local deny=6
+	local unlock_time=300
+
+	# update pam_unix.so line
+	sed -i -E 's|^.*pam_unix\.so.*|auth\t sufficient\tpam_unix.so nullok_secure|' "$file"
+
+	# Insert pam_faillock lines before and after pam_unix.so
+	sed -i -E "/pam_unix.so nullok_secure/i auth     required       pam_faillock.so preauth deny=$deny even_deny_root unlock_time=$unlock_time" "$file"
+	sed -i -E "/pam_unix.so nullok_secure/a auth     [default=die]  pam_faillock.so authfail audit deny=$deny even_deny_root unlock_time=$unlock_time" "$file"
+}
+
+update_pam_common_account()
+{
+	# update account file
+	sed -i "/pam_unix.so/ i account  required       pam_faillock.so" /etc/pam.d/common-account
+}
+
+if [ -f "/usr/lib/security/pam_faillock.so" ]; then
+	update_pam_common_auth
+	update_pam_common_account
+	create_faillock_files
+fi
+
+if [ -f /etc/config/sshd ]; then
+	uci -q set sshd.@sshd[0].UsePAM=1
+	uci commit sshd
+fi
+
+exit 0