commit:     9ca1508d12fcafc0dc5ef1f37ccbe349fe6fdc74
Author:     Mike Gilbert <floppym <AT> gentoo <DOT> org>
AuthorDate: Fri Apr  4 19:14:26 2025 +0000
Commit:     Mike Gilbert <floppym <AT> gentoo <DOT> org>
CommitDate: Sat Apr  5 20:48:20 2025 +0000
URL:        https://gitweb.gentoo.org/proj/pambase.git/commit/?id=9ca1508d

Replace --sha512 and --yescrypt with --encrypt option

Signed-off-by: Mike Gilbert <floppym <AT> gentoo.org>

 pambase.py                         | 19 ++++---------------
 templates/system-auth.tpl          |  6 +-----
 tests/rendered/custom/system-auth  |  2 +-
 tests/rendered/default/system-auth |  2 +-
 tests/rendered/minimal/system-auth |  2 +-
 tox.ini                            |  2 +-
 6 files changed, 9 insertions(+), 24 deletions(-)

diff --git a/pambase.py b/pambase.py
index d7ded77..4180cbb 100755
--- a/pambase.py
+++ b/pambase.py
@@ -51,14 +51,10 @@ def main():
     )
     parser.add_argument("--sssd", action="store_true", help="enable sssd.so 
module")
     parser.add_argument(
-        "--yescrypt",
-        action="store_true",
-        help="enable yescrypt option for pam_unix.so module",
-    )
-    parser.add_argument(
-        "--sha512",
-        action="store_true",
-        help="enable sha512 option for pam_unix.so module",
+        "--encrypt",
+        choices=["md5", "sha256", "sha512", "blowfish", "gost_yescrypt", 
"yescrypt"],
+        default="md5",
+        help="select encryption to use for passwords stored by pam_unix.so 
module",
     )
     parser.add_argument("--krb5", action="store_true", help="enable 
pam_krb5.so module")
     parser.add_argument(
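Review bot: The new `--encrypt` option defaults to `"md5"`, so the generated `password` line keeps using md5crypt unless the caller opts in to something stronger; this preserves the old default, but it is now a user-visible choice and the help text should say that md5 is the legacy/weak option rather than implying the choices are equivalent, e.g. `help="password hashing method for pam_unix.so (md5 is the legacy default; prefer yescrypt or sha512 where libcrypt supports them)"`. The wording "encryption" is also misleading since these are one-way password hashes (pam_unix's option names notwithstanding); "hashing method" or "crypt algorithm" would be clearer. Availability of `blowfish` and `gost_yescrypt` presumably depends on the installed libcrypt build, so a one-line comment noting that an unsupported choice will surface only at password-change time would help maintainers. `main()` begins before this hunk.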
@@ -91,13 +87,6 @@ def process_args(args):
 
     output = vars(args)
 
-    if args.yescrypt:
-        output["unix_extended_encryption"] = "yescrypt shadow"
-    elif args.sha512:
-        output["unix_extended_encryption"] = "sha512 shadow"
-    else:
-        output["unix_extended_encryption"] = "md5 shadow"
-
     return output
 
 

diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl
index 7740ae6..d5f1895 100644
--- a/templates/system-auth.tpl
+++ b/templates/system-auth.tpl
@@ -70,11 +70,7 @@ password     [success=1 default=ignore]      pam_krb5.so {{ 
debug }} ignore_root try_firs
 password       [success=1 default=ignore]      pam_systemd_home.so
 {% endif %}
 
-{% if passwdqc or pwquality %}
-password       {{ 'sufficient' if sssd else 'required' }}      pam_unix.so 
try_first_pass use_authtok {{ nullok }} {{ unix_extended_encryption|default('', 
true) }} {{ debug }}
-{% else %}
-password       {{ 'sufficient' if sssd else 'required' }}      pam_unix.so 
try_first_pass {{ nullok }} {{ unix_extended_encryption|default('', true) }} {{ 
debug }}
-{% endif %}
+password       {{ 'sufficient' if sssd else 'required' }}      pam_unix.so 
try_first_pass shadow {% if passwdqc or pwquality %}use_authtok{% endif %} {{ 
nullok }} {{ encrypt }} {{ debug }}
 
 {% if sssd %}
 password       sufficient      pam_sss.so use_authtok

diff --git a/tests/rendered/custom/system-auth 
b/tests/rendered/custom/system-auth
index 92d48e4..2339e18 100644
--- a/tests/rendered/custom/system-auth
+++ b/tests/rendered/custom/system-auth
@@ -5,7 +5,7 @@ auth            [default=die]   pam_faillock.so authfail
 account                required        pam_unix.so
 account                required        pam_faillock.so
 password       required        pam_passwdqc.so 
config=/etc/security/passwdqc.conf
-password       required        pam_unix.so try_first_pass use_authtok nullok 
sha512 shadow
+password       required        pam_unix.so try_first_pass shadow use_authtok 
nullok sha512
 session                required        pam_limits.so
 session                required        pam_env.so
 session                required        pam_unix.so

diff --git a/tests/rendered/default/system-auth 
b/tests/rendered/default/system-auth
index 98f5305..3a3b25e 100644
--- a/tests/rendered/default/system-auth
+++ b/tests/rendered/default/system-auth
@@ -4,7 +4,7 @@ auth            [success=1 new_authtok_reqd=1 ignore=ignore 
default=bad]        pam_unix.so   try
 auth           [default=die]   pam_faillock.so authfail
 account                required        pam_unix.so
 account                required        pam_faillock.so
-password       required        pam_unix.so try_first_pass  md5 shadow
+password       required        pam_unix.so try_first_pass shadow   md5
 session                required        pam_limits.so
 session                required        pam_env.so
 session                required        pam_unix.so

diff --git a/tests/rendered/minimal/system-auth 
b/tests/rendered/minimal/system-auth
index 98f5305..3a3b25e 100644
--- a/tests/rendered/minimal/system-auth
+++ b/tests/rendered/minimal/system-auth
@@ -4,7 +4,7 @@ auth            [success=1 new_authtok_reqd=1 ignore=ignore 
default=bad]        pam_unix.so   try
 auth           [default=die]   pam_faillock.so authfail
 account                required        pam_unix.so
 account                required        pam_faillock.so
-password       required        pam_unix.so try_first_pass  md5 shadow
+password       required        pam_unix.so try_first_pass shadow   md5
 session                required        pam_limits.so
 session                required        pam_env.so
 session                required        pam_unix.so

diff --git a/tox.ini b/tox.ini
index 6f76183..ff7ef8f 100644
--- a/tox.ini
+++ b/tox.ini
@@ -14,5 +14,5 @@ commands =
     default: diff -Nru tests/rendered/default stack
     minimal: python pambase.py --minimal
     minimal: diff -Nru tests/rendered/minimal stack
-    custom: python pambase.py --elogind --nullok --passwdqc --sha512 --shells
+    custom: python pambase.py --elogind --nullok --passwdqc --encrypt sha512 
--shells
     custom: diff -Nru tests/rendered/custom stack
