Compare commits
5 Commits
11_0_0-22_
...
11_0_0-26_
| Author | SHA1 | Date | |
|---|---|---|---|
| f1752e7aa5 | |||
| 4c64e91235 | |||
| 74d45e3c8e | |||
| 507734d114 | |||
| 0dfb543664 |
11
root/etc/e-smith/db/configuration/migrate/05pam_faillock
Normal file
11
root/etc/e-smith/db/configuration/migrate/05pam_faillock
Normal file
@@ -0,0 +1,11 @@
|
||||
{
|
||||
my $pamtally = $DB->get("pam_tally") or return;
|
||||
|
||||
my $pamfaillock = $DB->get("pam_faillock") ||
|
||||
$DB->new_record("pam_faillock", { type => "service" });
|
||||
|
||||
$pamfaillock->merge_props($pamtally->props);
|
||||
|
||||
$pamtally->delete;
|
||||
}
|
||||
|
||||
@@ -1,9 +1,10 @@
|
||||
{
|
||||
my $status = $pam_tally{status} || 'disabled';
|
||||
return unless $status eq 'enabled';
|
||||
$OUT .= "auth required pam_tally.so onerr=fail no_magic_root";
|
||||
}
|
||||
auth required pam_env.so
|
||||
{
|
||||
my $status = $pam_faillock{status} || 'disabled';
|
||||
return unless $status eq 'enabled';
|
||||
# lock out users after three unsuccessful attempts and unlock the user account after 10 minutes (600 seconds)
|
||||
$OUT .= "auth required pam_faillock.so preauth silent audit deny=3 even_deny_root unlock_time=600 root_unlock_time=600";
|
||||
}
|
||||
{
|
||||
my $status = $pam_abl{status} || 'disabled';
|
||||
return unless $status eq 'enabled';
|
||||
@@ -15,5 +16,10 @@ auth sufficient pam_unix.so likeauth nullok
|
||||
return unless $status eq 'enabled';
|
||||
$OUT .= "auth sufficient pam_ldap.so use_first_pass";
|
||||
}
|
||||
{
|
||||
my $status = $pam_faillock{status} || 'disabled';
|
||||
return unless $status eq 'enabled';
|
||||
$OUT .= "auth [default=die] pam_faillock.so authfail audit deny=3 unlock_time=600";
|
||||
}
|
||||
auth required pam_deny.so
|
||||
|
||||
|
||||
@@ -7,7 +7,9 @@ account sufficient pam_succeed_if.so uid < 100 quiet
|
||||
}
|
||||
account required pam_permit.so
|
||||
{
|
||||
my $status = $pam_tally{status} || 'disabled';
|
||||
my $status = $pam_faillock{status} || 'disabled';
|
||||
return unless $status eq 'enabled';
|
||||
$OUT .= "account required pam_tally.so deny=5 reset no_magic_root";
|
||||
# if you drop this call to pam_faillock.so the lock will be done also
|
||||
# on non-consecutive authentication failures
|
||||
$OUT .= "account required pam_faillock.so";
|
||||
}
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
Description=SME server bootstrap-console
|
||||
DefaultDependencies=no
|
||||
Conflicts=shutdown.target
|
||||
After=livesys.service plymouth-quit-wait.service
|
||||
After=livesys.service
|
||||
After=systemd-vconsole-setup.service
|
||||
Before=getty@tty1.service
|
||||
Before=shutdown.target
|
||||
|
||||
@@ -200,8 +200,9 @@ SSLv23:!SSLv2:!SSLv3:!TLSv1:!TLSv1_1
|
||||
=cut
|
||||
|
||||
sub SSLprotoQpsmtpd{
|
||||
my $service= shift || 'qpsmtpd';
|
||||
my $configdb = esmith::ConfigDB->open_ro or die "Could not open accounts db";
|
||||
my %qpsmtpd = %{$configdb->get('httpd-e-smith')};
|
||||
my %qpsmtpd = %{$configdb->get($service)};
|
||||
# SSLv2 and SSLv3 are not available in el8 openssl-1.1.1, while -ssl3 still referenced
|
||||
# it will throw Option unknown option -ssl3
|
||||
my $protocols = "SSLv23:!SSLv2:!SSLv3";
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
#! /bin/sh
|
||||
|
||||
exec \
|
||||
/usr/local/bin/setuidgid smelog \
|
||||
/usr/local/bin/multilog t s5000000 \
|
||||
/usr/bin/setuidgid smelog \
|
||||
/usr/bin/multilog t s5000000 \
|
||||
/var/log/ippp
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
#! /bin/sh
|
||||
|
||||
exec \
|
||||
/usr/local/bin/setuidgid smelog \
|
||||
/usr/local/bin/multilog t s5000000 \
|
||||
/usr/bin/setuidgid smelog \
|
||||
/usr/bin/multilog t s5000000 \
|
||||
/var/log/wan
|
||||
|
||||
|
||||
@@ -4,7 +4,7 @@ Summary: smeserver server and gateway - base module
|
||||
%define name smeserver-base
|
||||
Name: %{name}
|
||||
%define version 11.0.0
|
||||
%define release 22
|
||||
%define release 26
|
||||
Version: %{version}
|
||||
Release: %{release}%{?dist}
|
||||
License: GPL
|
||||
@@ -49,6 +49,10 @@ Requires: bash-completion
|
||||
Requires: smeserver-runit >= 2.6.0-7
|
||||
Requires: smeserver-php >= 3.0.0-22
|
||||
Requires: smeserver-yum >= 2.6.0-43
|
||||
# daemontools bins in use
|
||||
Requires: /usr/bin/softlimit
|
||||
Requires: /usr/bin/setuidgid
|
||||
Requires: /usr/bin/multilog
|
||||
Obsoletes: nss_ldap < 254
|
||||
Obsoletes: cpu
|
||||
Obsoletes: rlinetd, e-smith-mod_ssl
|
||||
@@ -65,7 +69,11 @@ BuildRequires: smeserver-devtools >= 1.13.1-03
|
||||
BuildRequires: gettext
|
||||
Requires: gdisk
|
||||
Requires: ppp
|
||||
Requires: rp-pppoe
|
||||
Requires: rp-pppoe
|
||||
# pam autoblock
|
||||
Requires: pam_abl
|
||||
# isdn wan connection (ippp)
|
||||
Requires: isdn4k-utils
|
||||
%define dbfiles accounts configuration domains hosts networks
|
||||
AutoReqProv: no
|
||||
|
||||
@@ -184,7 +192,18 @@ fi
|
||||
|
||||
|
||||
%changelog
|
||||
* Sat Jan 18 2025 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-22.sme
|
||||
* Wed Feb 12 2025 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-26.sme
|
||||
- add pam_abl requirement [SME: 12914]
|
||||
- add isdn4k-utils requirement for ippp isdn connections [SME: 12909]
|
||||
- remove pam_tally as deprecated in favor of pam_faillock [SME: 12913]
|
||||
|
||||
* Tue Feb 04 2025 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-25.sme
|
||||
- fix boot ordering cycle [SME: 12902]
|
||||
|
||||
* Sun Jan 26 2025 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-24.sme
|
||||
- ippp and wan requires daemontools bins [SME: 12566]
|
||||
|
||||
* Sat Jan 18 2025 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-23.sme
|
||||
- handle all ssl ciphers and protocol in one place esmith::ssl [SME: 12827]
|
||||
this will allow to sync all service default protocol and ciphers
|
||||
in one place.
|
||||
|
||||
Reference in New Issue
Block a user