This commit replicates commits[1][2] from the openssh package.
Closes
[1]
https://salsa.debian.org/ssh-team/openssh/-/commit/ca7f6f719ad5f168b25165caaff658f21c784c4e
[2]
https://salsa.debian.org/ssh-team/openssh/-/commit/dc461e571bcc56f8d95e83c731007636d8e79da5
Closes: #1068378
---
debian/rules | 10 +-
debian/xdm.pam| 19 ---
debian/xdm.pam.in | 20
3 files changed, 29 insertions(+), 20 deletions(-)
delete mode 100644 debian/xdm.pam
create mode 100644 debian/xdm.pam.in
diff --git a/debian/rules b/debian/rules
index 5d2dbd3..ab9f5d4 100755
--- a/debian/rules
+++ b/debian/rules
@@ -38,6 +38,7 @@ ifneq (,$(filter parallel=%,$(DEB_BUILD_OPTIONS)))
endif
DEB_HOST_ARCH ?= $(shell dpkg-architecture -qDEB_HOST_ARCH)
+DEB_HOST_ARCH_OS ?= $(shell dpkg-architecture -qDEB_HOST_ARCH_OS)
DEB_HOST_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_HOST_GNU_TYPE)
DEB_BUILD_ARCH_OS ?= $(shell dpkg-architecture -qDEB_BUILD_ARCH_OS)
DEB_BUILD_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_BUILD_GNU_TYPE)
@@ -58,6 +59,13 @@ endif
BUILD_DIR := build
+debian/xdm.pam: debian/xdm.pam.in
+ifeq ($(DEB_HOST_ARCH_OS),linux)
+ sed 's/^@IF_KEYINIT@//' $< > $@
+else
+ sed '/^@IF_KEYINIT@/d' $< > $@
+endif
+
stampdir_targets+=config
config: $(STAMP_DIR)/config
$(STAMP_DIR)/config: $(STAMP_DIR)/patch
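Review bot: Both `sed … > $@` recipes for debian/xdm.pam write the target in place, so a failed or interrupted sed leaves a truncated file that is newer than debian/xdm.pam.in. The next run will treat it as up to date unless `.DELETE_ON_ERROR:` is set elsewhere in debian/rules (not visible here). Writing through a temporary keeps a half-written PAM stack out of the package: `sed 's/^@IF_KEYINIT@//' $< > $@.tmp && mv -f $@.tmp $@`, and the same for the delete branch. It is also worth failing the build when a placeholder survives, e.g. `! grep -q '@IF_KEYINIT@' $@`, so an unexpanded marker line cannot end up in the installed PAM file. An empty or unexpected DEB_HOST_ARCH_OS falls into the `else` branch and silently drops pam_keyinit, which deserves a one-line comment above the `ifeq`.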
@@ -121,7 +129,7 @@ clean: xsfclean
dh_clean
# Build architecture-dependent files here.
-binary-arch: $(STAMP_DIR)/install
+binary-arch: $(STAMP_DIR)/install debian/xdm.pam
dh_testdir
dh_testroot
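Review bot: Adding debian/xdm.pam as a prerequisite of binary-arch makes it a generated file, but nothing in the visible hunks removes it again. The `clean` recipe shown at the top of this hunk still ends at `dh_clean`, and the commit does not touch it. A tree built once for linux and then rebuilt for another host OS would reuse the stale debian/xdm.pam, because the rule depends only on debian/xdm.pam.in and not on the value of DEB_HOST_ARCH_OS. Adding `rm -f debian/xdm.pam` to the clean recipe closes that gap. The clean recipe starts above the hunk and binary-arch continues below it, so this is based on the lines shown.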
diff --git a/debian/xdm.pam b/debian/xdm.pam
deleted file mode 100644
index 1108a71..000
--- a/debian/xdm.pam
+++ /dev/null
@@ -1,19 +0,0 @@
-auth requisite pam_nologin.so
-auth requiredpam_env.so
-auth requiredpam_env.so envfile=/etc/default/locale
-
-# SELinux needs to be the first session rule. This ensures that any
-# lingering context has been cleared. Without this it is possible
-# that a module could execute code in the wrong domain.
-session [success=ok ignore=ignore module_unknown=ignore default=bad]
pam_selinux.so close
-session requiredpam_loginuid.so
-# SELinux needs to intervene at login time to ensure that the process
-# starts in the proper default security context. Only sessions which are
-# intended to run in the user's context should be run after this.
-session [success=ok ignore=ignore module_unknown=ignore default=bad]
pam_selinux.so open
-sessionrequiredpam_limits.so
-
-@include common-auth
-@include common-account
-@include common-session
-@include common-password
diff --git a/debian/xdm.pam.in b/debian/xdm.pam.in
new file mode 100644
index 000..92c46b7
--- /dev/null
+++ b/debian/xdm.pam.in
@@ -0,0 +1,20 @@
+auth requisite pam_nologin.so
+auth requiredpam_env.so
+auth requiredpam_env.so envfile=/etc/default/locale
+
+# SELinux needs to be the first session rule. This ensures that any
+# lingering context has been cleared. Without this it is possible
+# that a module could execute code in the wrong domain.
+session [success=ok ignore=ignore module_unknown=ignore default=bad]
pam_selinux.so close
+session requiredpam_loginuid.so
+@IF_KEYINIT@session optionalpam_keyinit.so force revoke
+# SELinux needs to intervene at login time to ensure that the process
+# starts in the proper default security context. Only sessions which are
+# intended to run in the user's context should be run after this.
+session [success=ok ignore=ignore module_unknown=ignore default=bad]
pam_selinux.so open
+sessionrequiredpam_limits.so
+
+@include common-auth
+@include common-account
+@include common-session
+@include common-password
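Review bot: The new `@IF_KEYINIT@session optional pam_keyinit.so force revoke` line has no comment, unlike the pam_selinux rules around it, and the `@IF_KEYINIT@` placeholder is not explained anywhere in the template. A marker-prefixed comment directly above it would be dropped together with the rule on non-Linux builds: `@IF_KEYINIT@# Create a new session keyring so the login does not inherit the display manager's keyring.` A short header comment saying that debian/rules strips or deletes `@IF_KEYINIT@` lines depending on DEB_HOST_ARCH_OS would also help anyone editing the file by hand. Because the rule is `optional`, a pam_keyinit failure does not block the login; that is presumably intended, but the comment should say so.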
--
2.39.2