* [gentoo-commits] proj/pambase:master commit in: tests/rendered/minimal/, tests/rendered/custom/, tests/rendered/default/, ...
@ 2025-04-13 21:15 Mike Gilbert
From: Mike Gilbert @ 2025-04-13 21:15 UTC (permalink / raw
To: gentoo-commits
commit: 9ca1508d12fcafc0dc5ef1f37ccbe349fe6fdc74
Author: Mike Gilbert <floppym <AT> gentoo <DOT> org>
AuthorDate: Fri Apr 4 19:14:26 2025 +0000
Commit: Mike Gilbert <floppym <AT> gentoo <DOT> org>
CommitDate: Sat Apr 5 20:48:20 2025 +0000
URL: https://gitweb.gentoo.org/proj/pambase.git/commit/?id=9ca1508d
Replace --sha512 and --yescrypt with --encrypt option
Signed-off-by: Mike Gilbert <floppym <AT> gentoo.org>
pambase.py | 19 ++++---------------
templates/system-auth.tpl | 6 +-----
tests/rendered/custom/system-auth | 2 +-
tests/rendered/default/system-auth | 2 +-
tests/rendered/minimal/system-auth | 2 +-
tox.ini | 2 +-
6 files changed, 9 insertions(+), 24 deletions(-)
diff --git a/pambase.py b/pambase.py
index d7ded77..4180cbb 100755
--- a/pambase.py
+++ b/pambase.py
@@ -51,14 +51,10 @@ def main():
)
parser.add_argument("--sssd", action="store_true", help="enable sssd.so module")
parser.add_argument(
- "--yescrypt",
- action="store_true",
- help="enable yescrypt option for pam_unix.so module",
- )
- parser.add_argument(
- "--sha512",
- action="store_true",
- help="enable sha512 option for pam_unix.so module",
+ "--encrypt",
+ choices=["md5", "sha256", "sha512", "blowfish", "gost_yescrypt", "yescrypt"],
+ default="md5",
+ help="select encryption to use for passwords stored by pam_unix.so module",
)
parser.add_argument("--krb5", action="store_true", help="enable pam_krb5.so module")
parser.add_argument(
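Review bot: `default="md5"` on the new `--encrypt` option means any build that does not pass the flag still has pam_unix store new passwords as md5crypt, which resists offline guessing far less than the `yescrypt` or `sha512` choices listed beside it. This carries over the fallback that the removed branch in `process_args` had, so it is not a regression, but the consolidation is a natural point to switch to `default="yescrypt",` (updating the default and minimal rendered fixtures to match), assuming the target libcrypt supports it. The help string could also read "password hashing method" instead of "encryption", since these values select a one-way hash. `main()` begins and continues outside this hunk.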
@@ -91,13 +87,6 @@ def process_args(args):
output = vars(args)
- if args.yescrypt:
- output["unix_extended_encryption"] = "yescrypt shadow"
- elif args.sha512:
- output["unix_extended_encryption"] = "sha512 shadow"
- else:
- output["unix_extended_encryption"] = "md5 shadow"
-
return output
diff --git a/templates/system-auth.tpl b/templates/system-auth.tpl
index 7740ae6..d5f1895 100644
--- a/templates/system-auth.tpl
+++ b/templates/system-auth.tpl
@@ -70,11 +70,7 @@ password [success=1 default=ignore] pam_krb5.so {{ debug }} ignore_root try_firs
password [success=1 default=ignore] pam_systemd_home.so
{% endif %}
-{% if passwdqc or pwquality %}
-password {{ 'sufficient' if sssd else 'required' }} pam_unix.so try_first_pass use_authtok {{ nullok }} {{ unix_extended_encryption|default('', true) }} {{ debug }}
-{% else %}
-password {{ 'sufficient' if sssd else 'required' }} pam_unix.so try_first_pass {{ nullok }} {{ unix_extended_encryption|default('', true) }} {{ debug }}
-{% endif %}
+password {{ 'sufficient' if sssd else 'required' }} pam_unix.so try_first_pass shadow {% if passwdqc or pwquality %}use_authtok{% endif %} {{ nullok }} {{ encrypt }} {{ debug }}
{% if sssd %}
password sufficient pam_sss.so use_authtok
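Review bot: `{{ encrypt }}` on the rewritten pam_unix.so password line drops the `|default('', true)` guard the removed lines had, so whether a missing value raises or silently renders as nothing depends on how the Jinja environment is configured, which is not visible here. argparse always supplies a value through `default=`, so this only matters if the template is rendered from some other entry point; in that case the line would carry no hash option and pam_unix would choose the algorithm itself. A short template comment above the line, such as `{# encrypt is one of the argparse --encrypt choices and is always set #}`, would record that assumption. The surrounding `{% if %}` blocks open and close outside this hunk.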
diff --git a/tests/rendered/custom/system-auth b/tests/rendered/custom/system-auth
index 92d48e4..2339e18 100644
--- a/tests/rendered/custom/system-auth
+++ b/tests/rendered/custom/system-auth
@@ -5,7 +5,7 @@ auth [default=die] pam_faillock.so authfail
account required pam_unix.so
account required pam_faillock.so
password required pam_passwdqc.so config=/etc/security/passwdqc.conf
-password required pam_unix.so try_first_pass use_authtok nullok sha512 shadow
+password required pam_unix.so try_first_pass shadow use_authtok nullok sha512
session required pam_limits.so
session required pam_env.so
session required pam_unix.so
diff --git a/tests/rendered/default/system-auth b/tests/rendered/default/system-auth
index 98f5305..3a3b25e 100644
--- a/tests/rendered/default/system-auth
+++ b/tests/rendered/default/system-auth
@@ -4,7 +4,7 @@ auth [success=1 new_authtok_reqd=1 ignore=ignore default=bad] pam_unix.so try
auth [default=die] pam_faillock.so authfail
account required pam_unix.so
account required pam_faillock.so
-password required pam_unix.so try_first_pass md5 shadow
+password required pam_unix.so try_first_pass shadow md5
session required pam_limits.so
session required pam_env.so
session required pam_unix.so
diff --git a/tests/rendered/minimal/system-auth b/tests/rendered/minimal/system-auth
index 98f5305..3a3b25e 100644
--- a/tests/rendered/minimal/system-auth
+++ b/tests/rendered/minimal/system-auth
@@ -4,7 +4,7 @@ auth [success=1 new_authtok_reqd=1 ignore=ignore default=bad] pam_unix.so try
auth [default=die] pam_faillock.so authfail
account required pam_unix.so
account required pam_faillock.so
-password required pam_unix.so try_first_pass md5 shadow
+password required pam_unix.so try_first_pass shadow md5
session required pam_limits.so
session required pam_env.so
session required pam_unix.so
diff --git a/tox.ini b/tox.ini
index 6f76183..ff7ef8f 100644
--- a/tox.ini
+++ b/tox.ini
@@ -14,5 +14,5 @@ commands =
default: diff -Nru tests/rendered/default stack
minimal: python pambase.py --minimal
minimal: diff -Nru tests/rendered/minimal stack
- custom: python pambase.py --elogind --nullok --passwdqc --sha512 --shells
+ custom: python pambase.py --elogind --nullok --passwdqc --encrypt sha512 --shells
custom: diff -Nru tests/rendered/custom stack