Bug#566718: libpam-ccreds: Should be possible to enable using pam-auth-update

[Petter Reinholdtsen]

tags 566718 + patch
thanks

[Guido Günther]
> No, not from my end due to time constraints.
p
I've now tested the configuration provided in comment #2 in the Ubuntu
bug using libpam-ldapd, and as far as I can see, it work as it should.
Attaching the patch here and tagging this bug patch.  The patch needed
some minor update to its debian/rules part as the file has changed a
lot since the patch was created.

Please apply the patch to allow ccreds to be enabled automatically.
It do not apply cleanly

BTW: I did notice one problem when using libpam-ccreds with
libpam-heimdal.  The ccreds stuff in common-auth is inserted too late,
as libpam-heimdal have very high priority value.  Not sure if the
correct fix is for libpam-heimdal to reduce its priority or
libpam-ccreds to increase its priority, but I expect such issues will
be discovered and addressed when people start using this new
configuration.

This is the configuration generated with libpam-ccreds and
libpam-ldapd installed:

r...@localhost:~# grep -v '^#' /etc/pam.d/common-auth

auth    optional                        pam_group.so
auth    [success=4 default=ignore]      pam_unix.so nullok_secure try_first_pass
auth    [success=3 default=ignore]      pam_ldap.so use_first_pass
auth    [success=2 default=ignore]      pam_ccreds.so action=validate 
use_first_pass
auth    [default=ignore]                pam_ccreds.so action=update
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so
auth    optional                        pam_ccreds.so action=store
r...@localhost:~#

Happy hacking,
-- 
Petter Reinholdtsen

diff -u libpam-ccreds-8/debian/changelog libpam-ccreds-8/debian/changelog
--- libpam-ccreds-8/debian/changelog
+++ libpam-ccreds-8/debian/changelog
@@ -1,3 +1,12 @@
+libpam-ccreds (8-1ubuntu1) jaunty; urgency=low
+
+  * debian/libpam-ccreds.pam-auth-update.ccreds-{check,save},
+    debian/libpam-ccreds.{postinst,prerm}, debian/rules: provide config
+    blocks for the new PAM framework, allowing this PAM module to
+    auto-configure itself.  LP: #294977
+
+ -- Steve Langasek <steve.langa...@ubuntu.com>  Sun, 08 Mar 2009 11:38:54 -0700
+
 libpam-ccreds (8-1) unstable; urgency=low
 
   * New Upstream Version
diff -u libpam-ccreds-8/debian/control libpam-ccreds-8/debian/control
--- libpam-ccreds-8/debian/control
+++ libpam-ccreds-8/debian/control
@@ -1,7 +1,8 @@
 Source: libpam-ccreds
 Section: net
 Priority: extra
-Maintainer: Guido Guenther <a...@sigxcpu.org>
+Maintainer: Ubuntu MOTU Developers <ubuntu-m...@lists.ubuntu.com>
+XSBC-Original-Maintainer: Guido Guenther <a...@sigxcpu.org>
 Build-Depends: debhelper (>= 4.0.0), autotools-dev, libgcrypt11-dev,  
libpam0g-dev, libdb-dev, automake1.9, autoconf, quilt
 Standards-Version: 3.7.2
 Homepage: http://www.padl.com/OSS/pam_ccreds.html
diff -u libpam-ccreds-8/debian/rules libpam-ccreds-8/debian/rules
--- libpam-ccreds-8/debian/rules
+++ libpam-ccreds-8/debian/rules
@@ -74,6 +74,11 @@
        $(MAKE) install DESTDIR=$(CURDIR)/debian/libpam-ccreds
        install -m 644 -D debian/libpam-ccreds.lintian \
            
$(CURDIR)/debian/libpam-ccreds/usr/share/lintian/overrides/libpam-ccreds
+       mkdir -p debian/libpam-ccreds/usr/share/pam-configs
+       install -m 0644 debian/libpam-ccreds.pam-auth-update.ccreds-save \
+               debian/libpam-ccreds/usr/share/pam-configs/ccreds-save
+       install -m 0644 debian/libpam-ccreds.pam-auth-update.ccreds-check \
+               debian/libpam-ccreds/usr/share/pam-configs/ccreds-check
 
 # Build architecture-independent files here.
 binary-indep: build install
only in patch2:
unchanged:
--- libpam-ccreds-8.orig/debian/libpam-ccreds.postinst
+++ libpam-ccreds-8/debian/libpam-ccreds.postinst
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+set -e
+
+pam-auth-update --package
+
+#DEBHELPER#
only in patch2:
unchanged:
--- libpam-ccreds-8.orig/debian/libpam-ccreds.pam-auth-update.ccreds-save
+++ libpam-ccreds-8/debian/libpam-ccreds.pam-auth-update.ccreds-save
@@ -0,0 +1,6 @@
+Name: Ccreds credential caching - password saving
+Default: yes
+Priority: 512
+Auth-Type: Additional
+Auth:
+       optional                        pam_ccreds.so action=store
only in patch2:
unchanged:
--- libpam-ccreds-8.orig/debian/libpam-ccreds.pam-auth-update.ccreds-check
+++ libpam-ccreds-8/debian/libpam-ccreds.pam-auth-update.ccreds-check
@@ -0,0 +1,7 @@
+Name: Ccreds credential caching - password checking
+Default: yes
+Priority: 0
+Auth-Type: Primary
+Auth:
+       [success=end default=ignore]    pam_ccreds.so action=validate 
use_first_pass
+       [default=ignore]                pam_ccreds.so action=update
only in patch2:
unchanged:
--- libpam-ccreds-8.orig/debian/libpam-ccreds.prerm
+++ libpam-ccreds-8/debian/libpam-ccreds.prerm
@@ -0,0 +1,9 @@
+#!/bin/sh
+
+set -e
+
+if [ "$1" = remove ]; then
+       pam-auth-update --package --remove ccreds-check ccreds-save
+fi
+
+#DEBHELPER#