Update to libpam 1.5.2
This updates to libpam 1.5.2. This version removes support for
pam_cracklib and pam_tally2. They are replaced by pam_pwquality and
pam_faillock respectively.
Since parameters of pam_cracklb and pam_tally2 are configurable through
Redfish, it's possible that they will remain in the overlay of
/etc/pam.d with the old module names preventing PAM from working
correctly. To avoid this, this commit includes a script that will detect
if the old modules are in the overlay and update the overlay with the
new modules and configuration.
The script will allow updates from libpam 1.3.1 to libpam 1.5.2, but if there
are configured parameters during a downgrade from libpam 1.5.2 to libpam
1.3.1, it will require a factory reset before the downgrade.
pam_pwquality was selected over pam_passwdqc because of better security
and compatibility with pam_cracklib.
Note pam_faillock is necessarily configured into the pam module stack
differently than pam_tally2.
This patchset causes a BMC operational change:
- The pam_tally2 command (invoked from the BMC's command line) is no
longer present. If you used the "pam_tally2 -u USER -r" command
to unlock a user after repeated authentication failures, change to
use: faillock --user USER --reset
Compatibility note / migration issue. If your BMC cannot authenticate
users after installing this change, the cause might be an overlayfs file
hiding the new /etc/pam.d/common-auth file. To find out, use
`grep deny= /etc/pam.d/common-auth` on your BMC. If it shows "tally2"
then your BMC is affected. The recovery is to delete the overlay file,
to factory reset the BMC, or manually-install the changed files.
The convert-pam-configs service is intended to handle this problem.
Tested: as follows, for local users only (not tested with LDAP)
Note OpenBMC configuration defaults to an AccountLockoutThreshold
value of 0 which does not lock account passwords no matter how many
consecutive failed authentication attempts. To configure this on
the BMC, for example, use:
curl -X PATCH https://${bmc}/redfish/v1/AccountService
-d '{"AccountLockoutThreshold": 3, "AccountLockoutDuration": 60}'
Tested update scenarios:
1. Install from scratch. Success.
2. Install over firmware which had old PAM configs. Success.
Tested update scenarios for the convert-pam-configs service.
Tested changing the password via various interfaces:
- the passwd command
- the PATCH Refish AccountService {Password: NEW}
- SSH (accessible only when the password is expired)
- IPMI user set password (accessible for unexpired password)
Tested both good and bad (unacceptable) passwords.
Tested account lockout after N bad passwords
Tested unlock via Redfish.
Also, because its implementation changed, ensure reading and writing the
D-Bus User AccountPolicy RememberOldPasswordTimes property continues to
work. There is no Redfish API for this.
Signed-off-by: Joseph Reynolds <joseph-reynolds@charter.net>
Signed-off-by: Jason M. Bills <jason.m.bills@linux.intel.com>
Change-Id: I7b712cf7cfbf7b0bc79da42f822540baee66ca4f
diff --git a/meta-ampere/meta-common/recipes-extended/libpwquality/libpwquality/pwquality.conf b/meta-ampere/meta-common/recipes-extended/libpwquality/libpwquality/pwquality.conf
new file mode 100644
index 0000000..378154e
--- /dev/null
+++ b/meta-ampere/meta-common/recipes-extended/libpwquality/libpwquality/pwquality.conf
@@ -0,0 +1,8 @@
+enforce_for_root
+minlen=9
+difok=0
+lcredit=-1
+ocredit=-1
+dcredit=-1
+ucredit=-1
+maxrepeat=3
diff --git a/meta-ampere/meta-common/recipes-extended/libpwquality/libpwquality_%.bbappend b/meta-ampere/meta-common/recipes-extended/libpwquality/libpwquality_%.bbappend
new file mode 100644
index 0000000..f72de93
--- /dev/null
+++ b/meta-ampere/meta-common/recipes-extended/libpwquality/libpwquality_%.bbappend
@@ -0,0 +1,5 @@
+FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}:"
+
+SRC_URI += " \
+ file://pwquality.conf \
+ "
diff --git a/meta-ampere/meta-common/recipes-extended/pam/libpam/faillock.conf b/meta-ampere/meta-common/recipes-extended/pam/libpam/faillock.conf
new file mode 100644
index 0000000..1d702f3
--- /dev/null
+++ b/meta-ampere/meta-common/recipes-extended/pam/libpam/faillock.conf
@@ -0,0 +1,2 @@
+deny=5
+unlock_time=1800
diff --git a/meta-ampere/meta-common/recipes-extended/pam/libpam/pam.d/common-auth b/meta-ampere/meta-common/recipes-extended/pam/libpam/pam.d/common-auth
deleted file mode 100644
index 508ef7a..0000000
--- a/meta-ampere/meta-common/recipes-extended/pam/libpam/pam.d/common-auth
+++ /dev/null
@@ -1,21 +0,0 @@
-#
-# /etc/pam.d/common-auth - authentication settings common to all services
-#
-# This file is included from other service-specific PAM config files,
-# and should contain a list of the authentication modules that define
-# the central authentication scheme for use on the system
-# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
-# traditional Unix authentication mechanisms.
-
-# here are the per-package modules (the "Primary" block)
-auth [success=ok user_unknown=ignore default=2] pam_tally2.so deny=5 unlock_time=1800
-# Try for local user first, and then try for ldap
-auth [success=2 default=ignore] pam_unix.so quiet
--auth [success=1 default=ignore] pam_ldap.so ignore_unknown_user ignore_authinfo_unavail
-# here's the fallback if no module succeeds
-auth requisite pam_deny.so
-# prime the stack with a positive return value if there isn't one already;
-# this avoids us returning an error just because nothing sets a success code
-# since the modules above will each just jump around
-auth required pam_permit.so
-# and here are more per-package modules (the "Additional" block)
diff --git a/meta-ampere/meta-common/recipes-extended/pam/libpam/pam.d/common-password b/meta-ampere/meta-common/recipes-extended/pam/libpam/pam.d/common-password
deleted file mode 100644
index 5a42680..0000000
--- a/meta-ampere/meta-common/recipes-extended/pam/libpam/pam.d/common-password
+++ /dev/null
@@ -1,30 +0,0 @@
-#
-# /etc/pam.d/common-password - password-related modules common to all services
-#
-# This file is included from other service-specific PAM config files,
-# and should contain a list of modules that define the services to be
-# used to change user passwords. The default is pam_unix.
-
-# Explanation of pam_unix options:
-#
-# The "sha512" option enables salted SHA512 passwords. Without this option,
-# the default is Unix crypt. Prior releases used the option "md5".
-#
-# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
-# login.defs.
-#
-# See the pam_unix manpage for other options.
-
-# here are the per-package modules (the "Primary" block)
-password [success=ok default=die] pam_cracklib.so debug enforce_for_root reject_username minlen=9 difok=0 lcredit=-1 ocredit=-1 dcredit=-1 ucredit=-1 maxrepeat=3
-password [success=ok default=die] pam_ipmicheck.so spec_grp_name=ipmi use_authtok
-password [success=ok ignore=ignore default=die] pam_pwhistory.so debug enforce_for_root remember=0 use_authtok
-password [success=ok default=die] pam_unix.so sha512 use_authtok
-password [success=1 default=die] pam_ipmisave.so spec_grp_name=ipmi spec_pass_file=/etc/ipmi_pass key_file=/etc/key_file
-# here's the fallback if no module succeeds
-password requisite pam_deny.so
-# prime the stack with a positive return value if there isn't one already;
-# this avoids us returning an error just because nothing sets a success code
-# since the modules above will each just jump around
-password required pam_permit.so
-# and here are more per-package modules (the "Additional" block)
diff --git a/meta-ampere/meta-common/recipes-extended/pam/libpam_%.bbappend b/meta-ampere/meta-common/recipes-extended/pam/libpam_%.bbappend
index ad820d1..1aa78d3 100644
--- a/meta-ampere/meta-common/recipes-extended/pam/libpam_%.bbappend
+++ b/meta-ampere/meta-common/recipes-extended/pam/libpam_%.bbappend
@@ -1,5 +1,4 @@
FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}:"
-SRC_URI += " file://pam.d/common-password \
- file://pam.d/common-auth \
+SRC_URI += " file://faillock.conf \
"
diff --git a/meta-google/recipes-extended/pam/libpam_%.bbappend b/meta-google/recipes-extended/pam/libpam_%.bbappend
index d57b0ea..3b35e56 100644
--- a/meta-google/recipes-extended/pam/libpam_%.bbappend
+++ b/meta-google/recipes-extended/pam/libpam_%.bbappend
@@ -1,20 +1,14 @@
-# Remove cracklib from PAM, to avoid breaking PAM and further dependencies
-# This allows cracklib to be neatly severed from the system.
+# Remove pwquality from PAM, to avoid breaking PAM and further dependencies
+# This allows pwquality to be neatly severed from the system.
-EXTRA_OECONF:append:gbmc = " --disable-cracklib"
-
-DEPENDS:remove:gbmc = "cracklib"
-
-RDEPENDS:${PN}-runtime:remove:gbmc = "pam-plugin-cracklib-suffix"
-
-RDEPENDS:${PN}-xtests:remove:gbmc = "${MLPREFIX}pam-plugin-cracklib-${libpam_suffix}"
+RDEPENDS:${PN}-runtime:remove:gbmc = "libpwquality"
do_install:append:gbmc() {
- # Remove reference to cracklib library from PAM config file
- sed -i '/pam_cracklib.so/d' ${D}${sysconfdir}/pam.d/common-password
+ # Remove reference to pwquality library from PAM config file
+ sed -i '/pam_pwquality.so/d' ${D}${sysconfdir}/pam.d/common-password
# Remove the first occurrence of "use_authtok" in the first line starting
- # with "password". This makes sure that if pam_cracklib.so was the first
+ # with "password". This makes sure that if pam_pwquality.so was the first
# entry, we didn't invalidate the next entry in the stack. If the first
# entry has the "use_authtok" set, this "forces the module to not prompt
# the user for a new password but use the one provided by the previously
diff --git a/meta-google/recipes-phosphor/images/obmc-phosphor-image.bbappend b/meta-google/recipes-phosphor/images/obmc-phosphor-image.bbappend
index 68ae270..8627011 100644
--- a/meta-google/recipes-phosphor/images/obmc-phosphor-image.bbappend
+++ b/meta-google/recipes-phosphor/images/obmc-phosphor-image.bbappend
@@ -29,5 +29,5 @@
OBMC_IMAGE_EXTRA_INSTALL:append:gbmc = " virtual/bmc-update"
# Jettison the cracklib package to save space.
-PACKAGE_INSTALL:remove:gbmc = "cracklib pam-plugin-cracklib"
-PACKAGE_EXCLUDE:gbmc = "cracklib pam-plugin-cracklib"
+PACKAGE_INSTALL:remove:gbmc = "cracklib libpwquality"
+PACKAGE_EXCLUDE:gbmc = "cracklib libpwquality"
diff --git a/meta-phosphor/recipes-extended/libpwquality/libpwquality/pwquality.conf b/meta-phosphor/recipes-extended/libpwquality/libpwquality/pwquality.conf
new file mode 100644
index 0000000..048c0fd
--- /dev/null
+++ b/meta-phosphor/recipes-extended/libpwquality/libpwquality/pwquality.conf
@@ -0,0 +1,7 @@
+enforce_for_root
+minlen=8
+difok=0
+lcredit=0
+ocredit=0
+dcredit=0
+ucredit=0
diff --git a/meta-phosphor/recipes-extended/libpwquality/libpwquality_%.bbappend b/meta-phosphor/recipes-extended/libpwquality/libpwquality_%.bbappend
new file mode 100644
index 0000000..5986567
--- /dev/null
+++ b/meta-phosphor/recipes-extended/libpwquality/libpwquality_%.bbappend
@@ -0,0 +1,12 @@
+EXTRA_OECONF:append = " --enable-python-bindings=no"
+RDEPENDS:${PN}:remove:class-target = " ${PYTHON_PN}-core"
+
+FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}:"
+SRC_URI += " \
+ file://pwquality.conf \
+ "
+
+do_install:append() {
+ install -d ${D}/etc/security
+ install -m 0644 ${WORKDIR}/pwquality.conf ${D}/etc/security
+}
diff --git a/meta-phosphor/recipes-extended/pam/libpam/convert-pam-configs.service b/meta-phosphor/recipes-extended/pam/libpam/convert-pam-configs.service
new file mode 100644
index 0000000..099a5c6
--- /dev/null
+++ b/meta-phosphor/recipes-extended/pam/libpam/convert-pam-configs.service
@@ -0,0 +1,10 @@
+[Unit]
+Description=Convert PAM config files
+
+[Service]
+RemainAfterExit=yes
+Type=oneshot
+ExecStart=/usr/bin/convert-pam-configs.sh
+
+[Install]
+WantedBy=multi-user.target
diff --git a/meta-phosphor/recipes-extended/pam/libpam/convert-pam-configs.sh b/meta-phosphor/recipes-extended/pam/libpam/convert-pam-configs.sh
new file mode 100755
index 0000000..27ec218
--- /dev/null
+++ b/meta-phosphor/recipes-extended/pam/libpam/convert-pam-configs.sh
@@ -0,0 +1,48 @@
+#!/bin/sh
+# Convert OpenBMC linux-PAM config files
+
+# Location of config files this script modifies:
+# PAM_CONF_DIR - path to the PAM config files
+# SECURITY_CONF_DIR - path to the security config files
+PAM_CONF_DIR=/etc/pam.d
+SECURITY_CONF_DIR=/etc/security
+
+# Handle common-password:
+# Change cracklib to pwquality and handle the minlen parameter
+pam_cracklib=$(grep "^password.*pam_cracklib.so" ${PAM_CONF_DIR}/common-password)
+if [ -n "${pam_cracklib}" ]
+then
+ echo "Changing ${PAM_CONF_DIR}/common-password to use pam_pwquality.so (was pam_cracklib.so)" >&2
+ minlen=$(echo "${pam_cracklib}" | sed -e "s/.*minlen=\([[:alnum:]]*\).*/\1/")
+ echo " Converting parameter minlen=${minlen} to ${SECURITY_CONF_DIR}/pwquality.conf minlen" >&2
+ sed -i.bak -e "s/^minlen=.*/minlen=$minlen/" ${SECURITY_CONF_DIR}/pwquality.conf
+ pwquality='password [success=ok default=die] pam_pwquality.so debug'
+ sed -i.bak -e "s/^password.*pam_cracklib.so.*/$pwquality/" ${PAM_CONF_DIR}/common-password
+ echo "# This file was converted by $0" >>${PAM_CONF_DIR}/common-password
+fi
+
+# Handle common-auth:
+# Change tally2 to faillock and handle the deny & unlock_time parameters
+pam_tally2=$(grep "^auth.*pam_tally2.so" ${PAM_CONF_DIR}/common-auth)
+if [ -n "${pam_tally2}" ]
+then
+ echo "Changing ${PAM_CONF_DIR}/common-auth to use pam_faillock.so (was pam_tally2.so)" >&2
+ deny=$(echo "${pam_tally2}" | sed -e "s/.*deny=\([[:alnum:]]*\).*/\1/")
+ unlock_time=$(echo "${pam_tally2}" | sed -e "s/.*unlock_time=\([[:alnum:]]*\).*/\1/")
+ # Change faillock.conf parameters
+ echo " Converting parameter deny=${deny} to ${SECURITY_CONF_DIR}/faillock.conf deny" >&2
+ echo " Converting parameter unlock_time=${unlock_time} to ${SECURITY_CONF_DIR}/faillock.conf unlock_time" >&2
+ sed -i.bak \
+ -e "s/^deny=.*/deny=$deny/" \
+ -e "s/^unlock_time=.*/unlock_time=$unlock_time/" \
+ ${SECURITY_CONF_DIR}/faillock.conf
+ # Change pam_tally2 to pam_faillock (changes the overall auth stack)
+ authfail='auth [default=die] pam_faillock.so authfail'
+ authsucc='auth sufficient pam_faillock.so authsucc'
+ sed -i.bak \
+ -e "/^auth.*pam_tally2.so.*$/d" \
+ -e "/^auth.*pam_deny.so/i $authfail\n$authsucc" \
+ ${PAM_CONF_DIR}/common-auth
+ echo "# This file was converted by $0" >>${PAM_CONF_DIR}/common-auth
+fi
+
diff --git a/meta-phosphor/recipes-extended/pam/libpam/faillock.conf b/meta-phosphor/recipes-extended/pam/libpam/faillock.conf
new file mode 100644
index 0000000..dba79c4
--- /dev/null
+++ b/meta-phosphor/recipes-extended/pam/libpam/faillock.conf
@@ -0,0 +1,2 @@
+deny=0
+unlock_time=0
diff --git a/meta-phosphor/recipes-extended/pam/libpam/pam.d/common-account b/meta-phosphor/recipes-extended/pam/libpam/pam.d/common-account
index 82449ca..9a739ec 100644
--- a/meta-phosphor/recipes-extended/pam/libpam/pam.d/common-account
+++ b/meta-phosphor/recipes-extended/pam/libpam/pam.d/common-account
@@ -18,7 +18,8 @@
-account [success=1 new_authtok_reqd=done default=ignore] pam_ldap.so ignore_unknown_user ignore_authinfo_unavail
# here's the fallback if no module succeeds
account requisite pam_deny.so
-account required pam_tally2.so
+# Announce if faillock is blocking access
+account required pam_faillock.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
diff --git a/meta-phosphor/recipes-extended/pam/libpam/pam.d/common-auth b/meta-phosphor/recipes-extended/pam/libpam/pam.d/common-auth
index 8eef164..c051ab7 100644
--- a/meta-phosphor/recipes-extended/pam/libpam/pam.d/common-auth
+++ b/meta-phosphor/recipes-extended/pam/libpam/pam.d/common-auth
@@ -8,14 +8,19 @@
# traditional Unix authentication mechanisms.
# here are the per-package modules (the "Primary" block)
-auth [success=ok user_unknown=ignore default=2] pam_tally2.so deny=0 unlock_time=0
# Try for local user first, and then try for ldap
auth [success=2 default=ignore] pam_unix.so quiet
-auth [success=1 default=ignore] pam_ldap.so ignore_unknown_user ignore_authinfo_unavail
-# here's the fallback if no module succeeds
-auth requisite pam_deny.so
+# Control gets here when no authentication module succeeds. Increment the
+# failure tally and return failure status to PAM.
+auth [default=die] pam_faillock.so authfail
+# Control gets here when authentication succeeds. Check if the user is locked
+# out due to consecutive authentication failures and return status accordingly.
+auth sufficient pam_faillock.so authsucc
+# If authsucc failed, deny access
+auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
-auth required pam_permit.so
+auth required pam_permit.so
# and here are more per-package modules (the "Additional" block)
diff --git a/meta-phosphor/recipes-extended/pam/libpam/pam.d/common-password b/meta-phosphor/recipes-extended/pam/libpam/pam.d/common-password
index ef706f3..2fc4011 100644
--- a/meta-phosphor/recipes-extended/pam/libpam/pam.d/common-password
+++ b/meta-phosphor/recipes-extended/pam/libpam/pam.d/common-password
@@ -10,13 +10,10 @@
# The "sha512" option enables salted SHA512 passwords. Without this option,
# the default is Unix crypt. Prior releases used the option "md5".
#
-# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
-# login.defs.
-#
# See the pam_unix manpage for other options.
# here are the per-package modules (the "Primary" block)
-password [success=ok default=die] pam_cracklib.so debug enforce_for_root reject_username minlen=8 difok=0 lcredit=0 ocredit=0 dcredit=0 ucredit=0
+password [success=ok default=die] pam_pwquality.so debug
password [success=ok default=die] pam_ipmicheck.so spec_grp_name=ipmi use_authtok
password [success=ok ignore=ignore default=die] pam_pwhistory.so debug enforce_for_root remember=0 use_authtok
password [success=ok default=die] pam_unix.so sha512 use_authtok
diff --git a/meta-phosphor/recipes-extended/pam/libpam_%.bbappend b/meta-phosphor/recipes-extended/pam/libpam_%.bbappend
index 658dc0b..d9ffdac 100644
--- a/meta-phosphor/recipes-extended/pam/libpam_%.bbappend
+++ b/meta-phosphor/recipes-extended/pam/libpam_%.bbappend
@@ -4,19 +4,80 @@
file://pam.d/common-account \
file://pam.d/common-auth \
file://pam.d/common-session \
+ file://faillock.conf \
+ file://convert-pam-configs.service \
+ file://convert-pam-configs.sh \
"
+inherit systemd
+SYSTEMD_SERVICE:${PN} += "convert-pam-configs.service"
+
+FILES:${PN} += "${bindir}/convert-pam-configs.sh \
+ ${systemd_system_unitdir}/convert-pam-configs.service \
+ "
+
do_install:append() {
# The libpam recipe will always add a pam_systemd.so line to
# common-session if systemd is enabled; however systemd only
# builds pam_systemd.so if logind is enabled, and we disable
# that package. So, remove the pam_systemd.so line here.
sed -i '/pam_systemd.so/d' ${D}${sysconfdir}/pam.d/common-session
+
+ install -d ${D}/etc/security
+ install -m 0644 ${WORKDIR}/faillock.conf ${D}/etc/security
+
+ install -d ${D}${bindir}
+ install -m 0755 ${WORKDIR}/convert-pam-configs.sh ${D}${bindir}
+
+ install -d ${D}${systemd_system_unitdir}
+ install -m 0644 ${WORKDIR}/convert-pam-configs.service ${D}${systemd_system_unitdir}
}
-RDEPENDS:${PN}-runtime += "${MLPREFIX}pam-plugin-cracklib-${libpam_suffix} \
- ${MLPREFIX}pam-plugin-tally2-${libpam_suffix} \
+RDEPENDS:${PN}-runtime += "libpwquality \
+ ${MLPREFIX}pam-plugin-faillock-${libpam_suffix} \
${MLPREFIX}pam-plugin-pwhistory-${libpam_suffix} \
${MLPREFIX}pam-plugin-succeed-if-${libpam_suffix} \
${MLPREFIX}pam-plugin-localuser-${libpam_suffix} \
"
+
+#
+# Background:
+# 1. Linux-PAM modules tally2 and cracklib were removed in libpam_1.5,
+# which prompted OpenBMC to change to the faillock and pwquality modules.
+# The PAM config files under /etc/pam.d were changed accordingly.
+# 2. OpenBMC implementations store Redfish property values in PAM config files.
+# For example, the D-Bus property maxLoginAttemptBeforeLockout is stored in
+# /etc/pam.d/common-auth as the pam_tally2.so deny= parameter value.
+# 3. The /etc directory is readonly and has a readwrite overlayfs. That
+# means when a config file changes, an overlay file is created which hides
+# the readonly version.
+#
+# Problem scenario:
+# 1. Begin with a BMC that has a firmware image which has the old PAM
+# modules and the old PAM config files which have modified parameters.
+# For example, there is an overlay file for /etc/pam.d/common-auth.
+# 2. Perform a firmware update to a firmware image which has the new PAM
+# modules. The updated image will have not have the old PAM modules.
+# It will have the new PAM config files in its readonly file system and
+# the old PAM config files in its readwrite overlay.
+# 3. Note that PAM authentication will always fail at this point because
+# the old PAM config files in the overlay tell PAM to use the old PAM
+# modules which are not present on the system.
+#
+# Two possible recoveries are:
+# A. Factory reset the BMC. This will clear the readwrite overlay,
+# allowing PAM to use the readonly version.
+# B. Convert the old PAM config files to the new style. See below.
+#
+# Service: The convert-pam-configs.service updates the old-style PAM config
+# files on the BMC: it changes uses of the old modules to the new modules
+# and carries forward configuration parameters. A key point is that files
+# are written to *only* as needed to convert uses of the old modules to the
+# new modules. See the conversion tool for details.
+#
+# This service can be removed when the BMC no longer supports a direct
+# firware update path from a version which has the old PAM configs to a
+# version which has the new PAM configs.
+#
+# In case of downgrade, Factory reset is recommended. Current logic in existing
+# images won't be able to take care of these settings during downgrade.
diff --git a/meta-supermicro/meta-common/recipes-extended/libpwquality/libpwquality/pwquality.conf b/meta-supermicro/meta-common/recipes-extended/libpwquality/libpwquality/pwquality.conf
new file mode 100644
index 0000000..378154e
--- /dev/null
+++ b/meta-supermicro/meta-common/recipes-extended/libpwquality/libpwquality/pwquality.conf
@@ -0,0 +1,8 @@
+enforce_for_root
+minlen=9
+difok=0
+lcredit=-1
+ocredit=-1
+dcredit=-1
+ucredit=-1
+maxrepeat=3
diff --git a/meta-supermicro/meta-common/recipes-extended/libpwquality/libpwquality_%.bbappend b/meta-supermicro/meta-common/recipes-extended/libpwquality/libpwquality_%.bbappend
new file mode 100644
index 0000000..f72de93
--- /dev/null
+++ b/meta-supermicro/meta-common/recipes-extended/libpwquality/libpwquality_%.bbappend
@@ -0,0 +1,5 @@
+FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}:"
+
+SRC_URI += " \
+ file://pwquality.conf \
+ "
diff --git a/meta-supermicro/meta-common/recipes-extended/pam/libpam/pam.d/common-password b/meta-supermicro/meta-common/recipes-extended/pam/libpam/pam.d/common-password
deleted file mode 100644
index 5a42680..0000000
--- a/meta-supermicro/meta-common/recipes-extended/pam/libpam/pam.d/common-password
+++ /dev/null
@@ -1,30 +0,0 @@
-#
-# /etc/pam.d/common-password - password-related modules common to all services
-#
-# This file is included from other service-specific PAM config files,
-# and should contain a list of modules that define the services to be
-# used to change user passwords. The default is pam_unix.
-
-# Explanation of pam_unix options:
-#
-# The "sha512" option enables salted SHA512 passwords. Without this option,
-# the default is Unix crypt. Prior releases used the option "md5".
-#
-# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
-# login.defs.
-#
-# See the pam_unix manpage for other options.
-
-# here are the per-package modules (the "Primary" block)
-password [success=ok default=die] pam_cracklib.so debug enforce_for_root reject_username minlen=9 difok=0 lcredit=-1 ocredit=-1 dcredit=-1 ucredit=-1 maxrepeat=3
-password [success=ok default=die] pam_ipmicheck.so spec_grp_name=ipmi use_authtok
-password [success=ok ignore=ignore default=die] pam_pwhistory.so debug enforce_for_root remember=0 use_authtok
-password [success=ok default=die] pam_unix.so sha512 use_authtok
-password [success=1 default=die] pam_ipmisave.so spec_grp_name=ipmi spec_pass_file=/etc/ipmi_pass key_file=/etc/key_file
-# here's the fallback if no module succeeds
-password requisite pam_deny.so
-# prime the stack with a positive return value if there isn't one already;
-# this avoids us returning an error just because nothing sets a success code
-# since the modules above will each just jump around
-password required pam_permit.so
-# and here are more per-package modules (the "Additional" block)
diff --git a/meta-supermicro/meta-common/recipes-extended/pam/libpam_%.bbappend b/meta-supermicro/meta-common/recipes-extended/pam/libpam_%.bbappend
deleted file mode 100644
index 20fe5e4..0000000
--- a/meta-supermicro/meta-common/recipes-extended/pam/libpam_%.bbappend
+++ /dev/null
@@ -1,4 +0,0 @@
-FILESEXTRAPATHS:append := "${THISDIR}/${PN}:"
-
-SRC_URI += " file://pam.d/common-password \
- "
diff --git a/poky/meta/recipes-extended/pam/libpam/crypt_configure.patch b/poky/meta/recipes-extended/pam/libpam/crypt_configure.patch
deleted file mode 100644
index 917a8af..0000000
--- a/poky/meta/recipes-extended/pam/libpam/crypt_configure.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From b86575ab4a0df07da160283459da270e1c0372a0 Mon Sep 17 00:00:00 2001
-From: "Maxin B. John" <maxin.john@intel.com>
-Date: Tue, 24 May 2016 14:11:09 +0300
-Subject: [PATCH] crypt_configure
-
-This patch fixes a case where it find crypt defined in libc (musl) but
-not in specified libraries then it ends up assigning
-LIBCRYPT="-l" which then goes into makefile cause all sort of problems
-e.g.
-
-ld: cannot find -l-m32
-| collect2: error: ld returned 1 exit status
-The reason is that -l appears on commandline with
-out any library and compiler treats the next argument as library name
-whatever it is.
-
-Upstream-Status: Pending
-
-Signed-off-by: Khem Raj <raj.khem@gmail.com>
-Signed-off-by: Maxin B. John <maxin.john@intel.com>
----
- configure.ac | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/configure.ac b/configure.ac
-index df39d07..e68d856 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -401,7 +401,7 @@ AS_IF([test "x$ac_cv_header_xcrypt_h" = "xyes"],
- [crypt_libs="crypt"])
-
- BACKUP_LIBS=$LIBS
--AC_SEARCH_LIBS([crypt],[$crypt_libs], LIBCRYPT="${ac_lib:+-l$ac_lib}", LIBCRYPT="")
-+AC_SEARCH_LIBS([crypt],[$crypt_libs], [test "$ac_cv_search_crypt" = "none required" || LIBCRYPT="$ac_cv_search_crypt"])
- AC_CHECK_FUNCS(crypt_r crypt_gensalt_r)
- LIBS=$BACKUP_LIBS
- AC_SUBST(LIBCRYPT)
---
-2.4.0
-
diff --git a/poky/meta/recipes-extended/pam/libpam/pam-security-abstract-securetty-handling.patch b/poky/meta/recipes-extended/pam/libpam/pam-security-abstract-securetty-handling.patch
deleted file mode 100644
index 9b8d4c2..0000000
--- a/poky/meta/recipes-extended/pam/libpam/pam-security-abstract-securetty-handling.patch
+++ /dev/null
@@ -1,203 +0,0 @@
-Description: extract the securetty logic for use with the "nullok_secure" option
- introduced in the "055_pam_unix_nullok_secure" patch.
-
-Upstream-Status: Pending
-
-Signed-off-by: Ming Liu <ming.liu@windriver.com>
-===================================================================
-Index: Linux-PAM-1.3.0/modules/pam_securetty/Makefile.am
-===================================================================
---- Linux-PAM-1.3.0.orig/modules/pam_securetty/Makefile.am
-+++ Linux-PAM-1.3.0/modules/pam_securetty/Makefile.am
-@@ -24,6 +24,10 @@ endif
- securelib_LTLIBRARIES = pam_securetty.la
- pam_securetty_la_LIBADD = $(top_builddir)/libpam/libpam.la
-
-+pam_securetty_la_SOURCES = \
-+ pam_securetty.c \
-+ tty_secure.c
-+
- if ENABLE_REGENERATE_MAN
- noinst_DATA = README
- README: pam_securetty.8.xml
-Index: Linux-PAM-1.3.0/modules/pam_securetty/pam_securetty.c
-===================================================================
---- Linux-PAM-1.3.0.orig/modules/pam_securetty/pam_securetty.c
-+++ Linux-PAM-1.3.0/modules/pam_securetty/pam_securetty.c
-@@ -1,7 +1,5 @@
- /* pam_securetty module */
-
--#define SECURETTY_FILE "/etc/securetty"
--#define TTY_PREFIX "/dev/"
- #define CMDLINE_FILE "/proc/cmdline"
- #define CONSOLEACTIVE_FILE "/sys/class/tty/console/active"
-
-@@ -40,6 +38,9 @@
- #include <security/pam_modutil.h>
- #include <security/pam_ext.h>
-
-+extern int _pammodutil_tty_secure(const pam_handle_t *pamh,
-+ const char *uttyname);
-+
- #define PAM_DEBUG_ARG 0x0001
- #define PAM_NOCONSOLE_ARG 0x0002
-
-@@ -73,11 +74,7 @@ securetty_perform_check (pam_handle_t *p
- const char *username;
- const char *uttyname;
- const void *void_uttyname;
-- char ttyfileline[256];
-- char ptname[256];
-- struct stat ttyfileinfo;
- struct passwd *user_pwd;
-- FILE *ttyfile;
-
- /* log a trail for debugging */
- if (ctrl & PAM_DEBUG_ARG) {
-@@ -105,50 +102,7 @@ securetty_perform_check (pam_handle_t *p
- return PAM_SERVICE_ERR;
- }
-
-- /* The PAM_TTY item may be prefixed with "/dev/" - skip that */
-- if (strncmp(TTY_PREFIX, uttyname, sizeof(TTY_PREFIX)-1) == 0) {
-- uttyname += sizeof(TTY_PREFIX)-1;
-- }
--
-- if (stat(SECURETTY_FILE, &ttyfileinfo)) {
-- pam_syslog(pamh, LOG_NOTICE, "Couldn't open %s: %m", SECURETTY_FILE);
-- return PAM_SUCCESS; /* for compatibility with old securetty handling,
-- this needs to succeed. But we still log the
-- error. */
-- }
--
-- if ((ttyfileinfo.st_mode & S_IWOTH) || !S_ISREG(ttyfileinfo.st_mode)) {
-- /* If the file is world writable or is not a
-- normal file, return error */
-- pam_syslog(pamh, LOG_ERR,
-- "%s is either world writable or not a normal file",
-- SECURETTY_FILE);
-- return PAM_AUTH_ERR;
-- }
--
-- ttyfile = fopen(SECURETTY_FILE,"r");
-- if (ttyfile == NULL) { /* Check that we opened it successfully */
-- pam_syslog(pamh, LOG_ERR, "Error opening %s: %m", SECURETTY_FILE);
-- return PAM_SERVICE_ERR;
-- }
--
-- if (isdigit(uttyname[0])) {
-- snprintf(ptname, sizeof(ptname), "pts/%s", uttyname);
-- } else {
-- ptname[0] = '\0';
-- }
--
-- retval = 1;
--
-- while ((fgets(ttyfileline, sizeof(ttyfileline)-1, ttyfile) != NULL)
-- && retval) {
-- if (ttyfileline[strlen(ttyfileline) - 1] == '\n')
-- ttyfileline[strlen(ttyfileline) - 1] = '\0';
--
-- retval = ( strcmp(ttyfileline, uttyname)
-- && (!ptname[0] || strcmp(ptname, uttyname)) );
-- }
-- fclose(ttyfile);
-+ retval = _pammodutil_tty_secure(pamh, uttyname);
-
- if (retval && !(ctrl & PAM_NOCONSOLE_ARG)) {
- FILE *cmdlinefile;
-Index: Linux-PAM-1.3.0/modules/pam_securetty/tty_secure.c
-===================================================================
---- /dev/null
-+++ Linux-PAM-1.3.0/modules/pam_securetty/tty_secure.c
-@@ -0,0 +1,90 @@
-+/*
-+ * A function to determine if a particular line is in /etc/securetty
-+ */
-+
-+
-+#define SECURETTY_FILE "/etc/securetty"
-+#define TTY_PREFIX "/dev/"
-+
-+/* This function taken out of pam_securetty by Sam Hartman
-+ * <hartmans@debian.org>*/
-+/*
-+ * by Elliot Lee <sopwith@redhat.com>, Red Hat Software.
-+ * July 25, 1996.
-+ * Slight modifications AGM. 1996/12/3
-+ */
-+
-+#include <unistd.h>
-+#include <sys/types.h>
-+#include <sys/stat.h>
-+#include <security/pam_modules.h>
-+#include <stdarg.h>
-+#include <syslog.h>
-+#include <sys/syslog.h>
-+#include <stdio.h>
-+#include <string.h>
-+#include <stdlib.h>
-+#include <ctype.h>
-+#include <security/pam_modutil.h>
-+#include <security/pam_ext.h>
-+
-+extern int _pammodutil_tty_secure(const pam_handle_t *pamh,
-+ const char *uttyname);
-+
-+int _pammodutil_tty_secure(const pam_handle_t *pamh, const char *uttyname)
-+{
-+ int retval = PAM_AUTH_ERR;
-+ char ttyfileline[256];
-+ char ptname[256];
-+ struct stat ttyfileinfo;
-+ FILE *ttyfile;
-+ /* The PAM_TTY item may be prefixed with "/dev/" - skip that */
-+ if (strncmp(TTY_PREFIX, uttyname, sizeof(TTY_PREFIX)-1) == 0)
-+ uttyname += sizeof(TTY_PREFIX)-1;
-+
-+ if (stat(SECURETTY_FILE, &ttyfileinfo)) {
-+ pam_syslog(pamh, LOG_NOTICE, "Couldn't open %s: %m",
-+ SECURETTY_FILE);
-+ return PAM_SUCCESS; /* for compatibility with old securetty handling,
-+ this needs to succeed. But we still log the
-+ error. */
-+ }
-+
-+ if ((ttyfileinfo.st_mode & S_IWOTH) || !S_ISREG(ttyfileinfo.st_mode)) {
-+ /* If the file is world writable or is not a
-+ normal file, return error */
-+ pam_syslog(pamh, LOG_ERR,
-+ "%s is either world writable or not a normal file",
-+ SECURETTY_FILE);
-+ return PAM_AUTH_ERR;
-+ }
-+
-+ ttyfile = fopen(SECURETTY_FILE,"r");
-+ if(ttyfile == NULL) { /* Check that we opened it successfully */
-+ pam_syslog(pamh, LOG_ERR, "Error opening %s: %m", SECURETTY_FILE);
-+ return PAM_SERVICE_ERR;
-+ }
-+
-+ if (isdigit(uttyname[0])) {
-+ snprintf(ptname, sizeof(ptname), "pts/%s", uttyname);
-+ } else {
-+ ptname[0] = '\0';
-+ }
-+
-+ retval = 1;
-+
-+ while ((fgets(ttyfileline,sizeof(ttyfileline)-1, ttyfile) != NULL)
-+ && retval) {
-+ if(ttyfileline[strlen(ttyfileline) - 1] == '\n')
-+ ttyfileline[strlen(ttyfileline) - 1] = '\0';
-+ retval = ( strcmp(ttyfileline,uttyname)
-+ && (!ptname[0] || strcmp(ptname, uttyname)) );
-+ }
-+ fclose(ttyfile);
-+
-+ if(retval) {
-+ retval = PAM_AUTH_ERR;
-+ }
-+
-+ return retval;
-+}
diff --git a/poky/meta/recipes-extended/pam/libpam/pam-unix-nullok-secure.patch b/poky/meta/recipes-extended/pam/libpam/pam-unix-nullok-secure.patch
deleted file mode 100644
index d2cc668..0000000
--- a/poky/meta/recipes-extended/pam/libpam/pam-unix-nullok-secure.patch
+++ /dev/null
@@ -1,195 +0,0 @@
-From b6545b83f94c5fb7aec1478b8d458a1393f479c8 Mon Sep 17 00:00:00 2001
-From: "Maxin B. John" <maxin.john@intel.com>
-Date: Wed, 25 May 2016 14:12:25 +0300
-Subject: [PATCH] pam_unix: support 'nullok_secure' option
-
-Debian patch to add a new 'nullok_secure' option to pam_unix,
-which accepts users with null passwords only when the applicant is
-connected from a tty listed in /etc/securetty.
-
-Authors: Sam Hartman <hartmans@debian.org>,
- Steve Langasek <vorlon@debian.org>
-
-Upstream-Status: Pending
-
-Signed-off-by: Ming Liu <ming.liu@windriver.com>
-Signed-off-by: Amarnath Valluri <amarnath.valluri@intel.com>
-Signed-off-by: Maxin B. John <maxin.john@intel.com>
----
- modules/pam_unix/Makefile.am | 3 ++-
- modules/pam_unix/pam_unix.8.xml | 19 ++++++++++++++++++-
- modules/pam_unix/support.c | 40 +++++++++++++++++++++++++++++++++++-----
- modules/pam_unix/support.h | 8 ++++++--
- 4 files changed, 61 insertions(+), 9 deletions(-)
-
-diff --git a/modules/pam_unix/Makefile.am b/modules/pam_unix/Makefile.am
-index 56df178..2bba460 100644
---- a/modules/pam_unix/Makefile.am
-+++ b/modules/pam_unix/Makefile.am
-@@ -30,7 +30,8 @@ if HAVE_VERSIONING
- pam_unix_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
- endif
- pam_unix_la_LIBADD = $(top_builddir)/libpam/libpam.la \
-- @LIBCRYPT@ @LIBSELINUX@ @TIRPC_LIBS@ @NSL_LIBS@
-+ @LIBCRYPT@ @LIBSELINUX@ @TIRPC_LIBS@ @NSL_LIBS@ \
-+ ../pam_securetty/tty_secure.lo
-
- securelib_LTLIBRARIES = pam_unix.la
-
-diff --git a/modules/pam_unix/pam_unix.8.xml b/modules/pam_unix/pam_unix.8.xml
-index 1b318f1..be0330e 100644
---- a/modules/pam_unix/pam_unix.8.xml
-+++ b/modules/pam_unix/pam_unix.8.xml
-@@ -159,7 +159,24 @@
- <para>
- The default action of this module is to not permit the
- user access to a service if their official password is blank.
-- The <option>nullok</option> argument overrides this default.
-+ The <option>nullok</option> argument overrides this default
-+ and allows any user with a blank password to access the
-+ service.
-+ </para>
-+ </listitem>
-+ </varlistentry>
-+ <varlistentry>
-+ <term>
-+ <option>nullok_secure</option>
-+ </term>
-+ <listitem>
-+ <para>
-+ The default action of this module is to not permit the
-+ user access to a service if their official password is blank.
-+ The <option>nullok_secure</option> argument overrides this
-+ default and allows any user with a blank password to access
-+ the service as long as the value of PAM_TTY is set to one of
-+ the values found in /etc/securetty.
- </para>
- </listitem>
- </varlistentry>
-diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c
-index fc8595e..29e3341 100644
---- a/modules/pam_unix/support.c
-+++ b/modules/pam_unix/support.c
-@@ -183,13 +183,22 @@ int _set_ctrl(pam_handle_t *pamh, int flags, int *remember, int *rounds,
- /* now parse the arguments to this module */
-
- for (; argc-- > 0; ++argv) {
-+ int sl;
-
- D(("pam_unix arg: %s", *argv));
-
- for (j = 0; j < UNIX_CTRLS_; ++j) {
-- if (unix_args[j].token
-- && !strncmp(*argv, unix_args[j].token, strlen(unix_args[j].token))) {
-- break;
-+ if (unix_args[j].token) {
-+ sl = strlen(unix_args[j].token);
-+ if (unix_args[j].token[sl-1] == '=') {
-+ /* exclude argument from comparison */
-+ if (!strncmp(*argv, unix_args[j].token, sl))
-+ break;
-+ } else {
-+ /* compare full strings */
-+ if (!strcmp(*argv, unix_args[j].token))
-+ break;
-+ }
- }
- }
-
-@@ -560,6 +569,7 @@ static int _unix_run_helper_binary(pam_handle_t *pamh, const char *passwd,
- if (child == 0) {
- static char *envp[] = { NULL };
- const char *args[] = { NULL, NULL, NULL, NULL };
-+ int nullok = off(UNIX__NONULL, ctrl);
-
- /* XXX - should really tidy up PAM here too */
-
-@@ -587,7 +597,16 @@ static int _unix_run_helper_binary(pam_handle_t *pamh, const char *passwd,
- /* exec binary helper */
- args[0] = CHKPWD_HELPER;
- args[1] = user;
-- if (off(UNIX__NONULL, ctrl)) { /* this means we've succeeded */
-+ if (on(UNIX_NULLOK_SECURE, ctrl)) {
-+ const void *uttyname;
-+ retval = pam_get_item(pamh, PAM_TTY, &uttyname);
-+ if (retval != PAM_SUCCESS || uttyname == NULL
-+ || _pammodutil_tty_secure(pamh, (const char *)uttyname) != PAM_SUCCESS) {
-+ nullok = 0;
-+ }
-+ }
-+
-+ if (nullok) {
- args[2]="nullok";
- } else {
- args[2]="nonull";
-@@ -672,6 +691,17 @@ _unix_blankpasswd (pam_handle_t *pamh, unsigned int ctrl, const char *name)
- if (on(UNIX__NONULL, ctrl))
- return 0; /* will fail but don't let on yet */
-
-+ if (on(UNIX_NULLOK_SECURE, ctrl)) {
-+ int retval2;
-+ const void *uttyname;
-+ retval2 = pam_get_item(pamh, PAM_TTY, &uttyname);
-+ if (retval2 != PAM_SUCCESS || uttyname == NULL)
-+ return 0;
-+
-+ if (_pammodutil_tty_secure(pamh, (const char *)uttyname) != PAM_SUCCESS)
-+ return 0;
-+ }
-+
- /* UNIX passwords area */
-
- retval = get_pwd_hash(pamh, name, &pwd, &salt);
-@@ -758,7 +788,7 @@ int _unix_verify_password(pam_handle_t * pamh, const char *name
- }
- }
- } else {
-- retval = verify_pwd_hash(p, salt, off(UNIX__NONULL, ctrl));
-+ retval = verify_pwd_hash(p, salt, _unix_blankpasswd(pamh, ctrl, name));
- }
-
- if (retval == PAM_SUCCESS) {
-diff --git a/modules/pam_unix/support.h b/modules/pam_unix/support.h
-index b4c279c..8da4a8e 100644
---- a/modules/pam_unix/support.h
-+++ b/modules/pam_unix/support.h
-@@ -98,8 +98,9 @@ typedef struct {
- #define UNIX_QUIET 28 /* Don't print informational messages */
- #define UNIX_NO_PASS_EXPIRY 29 /* Don't check for password expiration if not used for authentication */
- #define UNIX_DES 30 /* DES, default */
-+#define UNIX_NULLOK_SECURE 31 /* NULL passwords allowed only on secure ttys */
- /* -------------- */
--#define UNIX_CTRLS_ 31 /* number of ctrl arguments defined */
-+#define UNIX_CTRLS_ 32 /* number of ctrl arguments defined */
-
- #define UNIX_DES_CRYPT(ctrl) (off(UNIX_MD5_PASS,ctrl)&&off(UNIX_BIGCRYPT,ctrl)&&off(UNIX_SHA256_PASS,ctrl)&&off(UNIX_SHA512_PASS,ctrl)&&off(UNIX_BLOWFISH_PASS,ctrl))
-
-@@ -117,7 +118,7 @@ static const UNIX_Ctrls unix_args[UNIX_CTRLS_] =
- /* UNIX_AUTHTOK_TYPE */ {"authtok_type=", _ALL_ON_, 0100, 0},
- /* UNIX__PRELIM */ {NULL, _ALL_ON_^(0600), 0200, 0},
- /* UNIX__UPDATE */ {NULL, _ALL_ON_^(0600), 0400, 0},
--/* UNIX__NONULL */ {NULL, _ALL_ON_, 01000, 0},
-+/* UNIX__NONULL */ {NULL, _ALL_ON_^(02000000000), 01000, 0},
- /* UNIX__QUIET */ {NULL, _ALL_ON_, 02000, 0},
- /* UNIX_USE_AUTHTOK */ {"use_authtok", _ALL_ON_, 04000, 0},
- /* UNIX_SHADOW */ {"shadow", _ALL_ON_, 010000, 0},
-@@ -139,6 +140,7 @@ static const UNIX_Ctrls unix_args[UNIX_CTRLS_] =
- /* UNIX_QUIET */ {"quiet", _ALL_ON_, 01000000000, 0},
- /* UNIX_NO_PASS_EXPIRY */ {"no_pass_expiry", _ALL_ON_, 02000000000, 0},
- /* UNIX_DES */ {"des", _ALL_ON_^(0260420000), 0, 1},
-+/* UNIX_NULLOK_SECURE */ {"nullok_secure", _ALL_ON_^(01000), 02000000000, 0},
- };
-
- #define UNIX_DEFAULTS (unix_args[UNIX__NONULL].flag)
-@@ -172,6 +174,8 @@ extern int _unix_read_password(pam_handle_t * pamh
- ,const char *data_name
- ,const void **pass);
-
-+extern int _pammodutil_tty_secure(const pam_handle_t *pamh, const char *uttyname);
-+
- extern int _unix_run_verify_binary(pam_handle_t *pamh,
- unsigned int ctrl, const char *user, int *daysleft);
- #endif /* _PAM_UNIX_SUPPORT_H */
---
-2.4.0
-
diff --git a/poky/meta/recipes-extended/pam/libpam_1.3.1.bb b/poky/meta/recipes-extended/pam/libpam_1.5.2.bb
similarity index 82%
rename from poky/meta/recipes-extended/pam/libpam_1.3.1.bb
rename to poky/meta/recipes-extended/pam/libpam_1.5.2.bb
index 59ed174..bec47ab 100644
--- a/poky/meta/recipes-extended/pam/libpam_1.3.1.bb
+++ b/poky/meta/recipes-extended/pam/libpam_1.5.2.bb
@@ -21,21 +21,23 @@
file://pam.d/common-session-noninteractive \
file://pam.d/other \
file://libpam-xtests.patch \
- file://pam-security-abstract-securetty-handling.patch \
- file://pam-unix-nullok-secure.patch \
- file://crypt_configure.patch \
+ file://0001-run-xtests.sh-check-whether-files-exist.patch \
+ file://run-ptest \
file://pam-volatiles.conf \
+ file://CVE-2022-28321-0002.patch \
+ file://0001-pam_motd-do-not-rely-on-all-filesystems-providing-a-.patch \
"
-SRC_URI[md5sum] = "558ff53b0fc0563ca97f79e911822165"
-SRC_URI[sha256sum] = "eff47a4ecd833fbf18de9686632a70ee8d0794b79aecb217ebd0ce11db4cd0db"
+SRC_URI[sha256sum] = "e4ec7131a91da44512574268f493c6d8ca105c87091691b8e9b56ca685d4f94d"
DEPENDS = "bison-native flex-native cracklib libxml2-native virtual/crypt"
EXTRA_OECONF = "--includedir=${includedir}/security \
--libdir=${base_libdir} \
+ --with-systemdunitdir=${systemd_system_unitdir} \
--disable-nis \
--disable-regenerate-docu \
+ --disable-doc \
--disable-prelude"
CFLAGS:append = " -fPIC "
@@ -51,7 +53,7 @@
PACKAGES += "${PN}-runtime ${PN}-xtests"
FILES:${PN} = "${base_libdir}/lib*${SOLIBS}"
FILES:${PN}-dev += "${base_libdir}/security/*.la ${base_libdir}/*.la ${base_libdir}/lib*${SOLIBSDEV}"
-FILES:${PN}-runtime = "${sysconfdir}"
+FILES:${PN}-runtime = "${sysconfdir} ${sbindir} ${systemd_system_unitdir}"
FILES:${PN}-xtests = "${datadir}/Linux-PAM/xtests"
PACKAGES_DYNAMIC += "^${MLPREFIX}pam-plugin-.*"
@@ -74,24 +76,16 @@
RDEPENDS:${PN}-xtests = "${PN}-${libpam_suffix} \
${MLPREFIX}pam-plugin-access-${libpam_suffix} \
${MLPREFIX}pam-plugin-debug-${libpam_suffix} \
- ${MLPREFIX}pam-plugin-cracklib-${libpam_suffix} \
${MLPREFIX}pam-plugin-pwhistory-${libpam_suffix} \
${MLPREFIX}pam-plugin-succeed-if-${libpam_suffix} \
${MLPREFIX}pam-plugin-time-${libpam_suffix} \
- coreutils"
+ bash coreutils"
# FIXME: Native suffix breaks here, disable it for now
RRECOMMENDS:${PN} = "${PN}-runtime-${libpam_suffix}"
-RRECOMMENDS:${PN}_class-native = ""
+RRECOMMENDS:${PN}:class-native = ""
python populate_packages:prepend () {
- def pam_plugin_append_file(pn, dir, file):
- nf = os.path.join(dir, file)
- of = d.getVar('FILES:' + pn)
- if of:
- nf = of + " " + nf
- d.setVar('FILES:' + pn, nf)
-
def pam_plugin_hook(file, pkg, pattern, format, basename):
pn = d.getVar('PN')
libpam_suffix = d.getVar('libpam_suffix')
@@ -119,13 +113,6 @@
do_split_packages(d, pam_libdir, r'^pam(.*)\.so$', pam_pkgname,
'PAM plugin for %s', hook=pam_plugin_hook, extra_depends='')
- pam_plugin_append_file('%spam-plugin-unix' % mlprefix, pam_sbindir, 'unix_chkpwd')
- pam_plugin_append_file('%spam-plugin-unix' % mlprefix, pam_sbindir, 'unix_update')
- pam_plugin_append_file('%spam-plugin-tally' % mlprefix, pam_sbindir, 'pam_tally')
- pam_plugin_append_file('%spam-plugin-tally2' % mlprefix, pam_sbindir, 'pam_tally2')
- pam_plugin_append_file('%spam-plugin-timestamp' % mlprefix, pam_sbindir, 'pam_timestamp_check')
- pam_plugin_append_file('%spam-plugin-mkhomedir' % mlprefix, pam_sbindir, 'mkhomedir_helper')
- pam_plugin_append_file('%spam-plugin-console' % mlprefix, pam_sbindir, 'pam_console_apply')
do_split_packages(d, pam_filterdir, r'^(.*)$', 'pam-filter-%s', 'PAM filter for %s', extra_depends='')
}
@@ -163,6 +150,10 @@
if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then
echo "session optional pam_systemd.so" >> ${D}${sysconfdir}/pam.d/common-session
fi
+ if ${@bb.utils.contains('DISTRO_FEATURES','usrmerge','false','true',d)}; then
+ install -d ${D}/${libdir}/
+ mv ${D}/${base_libdir}/pkgconfig ${D}/${libdir}/
+ fi
}
do_install_ptest() {
@@ -173,7 +164,7 @@
fi
}
-pkg_postinst_${PN}() {
+pkg_postinst:${PN}() {
if [ -z "$D" ] && [ -e /etc/init.d/populate-volatile.sh ] ; then
/etc/init.d/populate-volatile.sh update
fi