* Wed Mar 05 2025 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-29.sme

- change key type from service to configuration [SME: 11367]

root/etc/e-smith/db/configuration/defaults/modSSL/type

@@ -1 +1 @@
-service
+configuration

root/etc/e-smith/db/configuration/defaults/pam_abl/type

@@ -1 +1 @@
-service
+configuration

root/etc/e-smith/db/configuration/defaults/pam_faillock/type

@@ -0,0 +1 @@
+configuration

root/etc/e-smith/db/configuration/defaults/pam_tally/type

@@ -1 +0,0 @@
-service

root/etc/e-smith/db/configuration/defaults/pppoe/type

@@ -1 +1 @@
-service
+configuration

root/etc/e-smith/db/configuration/defaults/serial-console/type

@@ -1 +1 @@
-service
+configuration

root/etc/e-smith/db/configuration/migrate/05pam_faillock

@@ -0,0 +1,11 @@
+{
+    my $pamtally = $DB->get("pam_tally") or return;
+
+    my $pamfaillock = $DB->get("pam_faillock") ||
+        $DB->new_record("pam_faillock", { type => "service" });
+
+    $pamfaillock->merge_props($pamtally->props);
+
+    $pamtally->delete;
+}
+

root/etc/e-smith/db/configuration/migrate/smeserver-base-configuration

@@ -0,0 +1,5 @@
+{
+ foreach my $sservice (qw(serial-console pppoe modSSL pam_abl pam_faillock)) {
+  $DB->set_prop($sservice, "type", "configuration") if  ${$sservice}{type} eq "service";
+  }
+}

root/etc/e-smith/templates/etc/pam.d/system-auth/20auth

@@ -1,9 +1,10 @@
-{
-    my $status = $pam_tally{status} || 'disabled';
-    return unless $status eq 'enabled';
-    $OUT .= "auth        required      pam_tally.so onerr=fail no_magic_root";
-}
 auth        required      pam_env.so
+{
+    my $status = $pam_faillock{status} || 'disabled';
+    return unless $status eq 'enabled';
+    # lock out users after three unsuccessful attempts and unlock the user account after 10 minutes (600 seconds)
+    $OUT .= "auth        required      pam_faillock.so preauth silent audit deny=3 even_deny_root unlock_time=600 root_unlock_time=600";
+}
 {
     my $status = $pam_abl{status} || 'disabled';
     return unless $status eq 'enabled';
@@ -15,5 +16,10 @@ auth        sufficient    pam_unix.so likeauth nullok
     return unless $status eq 'enabled';
     $OUT .= "auth        sufficient    pam_ldap.so use_first_pass";
 }
+{
+    my $status = $pam_faillock{status} || 'disabled';
+    return unless $status eq 'enabled';
+    $OUT .= "auth        [default=die]      pam_faillock.so authfail audit deny=3 unlock_time=600";
+}
 auth        required      pam_deny.so
 

root/etc/e-smith/templates/etc/pam.d/system-auth/30account

@@ -7,7 +7,9 @@ account     sufficient    pam_succeed_if.so uid < 100 quiet
 }
 account     required      pam_permit.so
 {
-    my $status = $pam_tally{status} || 'disabled';
+    my $status = $pam_faillock{status} || 'disabled';
     return unless $status eq 'enabled';
-    $OUT .= "account     required      pam_tally.so deny=5 reset no_magic_root";
+    # if you drop this call to pam_faillock.so the lock will be done also
+    # on non-consecutive authentication failures
+    $OUT .= "account     required      pam_faillock.so";
 }

root/etc/e-smith/templates/etc/shells/bash

@@ -1 +1,2 @@
 /bin/bash
+/usr/bin/bash

root/etc/e-smith/templates/etc/shells/bash2

@@ -1 +1,2 @@
 /bin/bash2
+/usr/bin/bash2

root/etc/e-smith/templates/etc/shells/console

@@ -1 +1,2 @@
 /sbin/e-smith/console
+/usr/sbin/e-smith/console

root/etc/e-smith/templates/etc/shells/csh

@@ -1 +1,2 @@
 /bin/csh
+/usr/bin/csh

root/etc/e-smith/templates/etc/shells/false

@@ -1 +1,2 @@
 /bin/false
+/usr/bin/false

root/etc/e-smith/templates/etc/shells/sh

@@ -1 +1,2 @@
 /bin/sh
+/usr/bin/sh

root/usr/lib/systemd/system/bootstrap-console.service

@@ -2,7 +2,7 @@
 Description=SME server bootstrap-console
 DefaultDependencies=no
 Conflicts=shutdown.target
-After=livesys.service plymouth-quit-wait.service
+After=livesys.service
 After=systemd-vconsole-setup.service
 Before=getty@tty1.service
 Before=shutdown.target

root/usr/lib/systemd/system/sme-server.target

@@ -8,6 +8,6 @@ Requires=basic.target
 Conflicts=rescue.service rescue.target multi-user.target
 After=basic.target rescue.service rescue.target runit.service
 AllowIsolate=yes
-Wants=atd.service auditd.service avahi-daemon.service brandbot.path nfs-client.target remote-fs.target rhel-configure.service
+Wants=atd.service auditd.service avahi-daemon.service nfs-client.target remote-fs.target 
 Wants=dbus.service plymouth-quit-wait.service plymouth-quit.service systemd-logind.service systemd-update-utmp-runlevel.service systemd-user-sessions.service
 

root/usr/share/perl5/vendor_perl/esmith/ssl.pm

@@ -200,8 +200,9 @@ SSLv23:!SSLv2:!SSLv3:!TLSv1:!TLSv1_1
 =cut
 
 sub SSLprotoQpsmtpd{
+ my $service= shift || 'qpsmtpd';
  my $configdb = esmith::ConfigDB->open_ro or die "Could not open accounts db";
- my %qpsmtpd = %{$configdb->get('httpd-e-smith')};
+ my %qpsmtpd = %{$configdb->get($service)};
  # SSLv2 and SSLv3 are not available in el8 openssl-1.1.1, while -ssl3 still referenced
  # it will throw  Option unknown option -ssl3
  my $protocols = "SSLv23:!SSLv2:!SSLv3";

root/var/service/ippp/log/run

@@ -1,6 +1,6 @@
 #! /bin/sh
 
 exec                                    \
-    /usr/local/bin/setuidgid smelog     \
-    /usr/local/bin/multilog t s5000000  \
+    /usr/bin/setuidgid smelog     \
+    /usr/bin/multilog t s5000000  \
     /var/log/ippp

root/var/service/wan/log/run

@@ -1,7 +1,7 @@
 #! /bin/sh
 
 exec                                    \
-    /usr/local/bin/setuidgid smelog     \
-    /usr/local/bin/multilog t s5000000  \
+    /usr/bin/setuidgid smelog     \
+    /usr/bin/multilog t s5000000  \
     /var/log/wan
 

smeserver-base.spec

@@ -4,7 +4,7 @@ Summary: smeserver server and gateway - base module
 %define name smeserver-base
 Name: %{name}
 %define version 11.0.0
-%define release 22
+%define release 29
 Version: %{version}
 Release: %{release}%{?dist}
 License: GPL
@@ -49,6 +49,10 @@ Requires: bash-completion
 Requires: smeserver-runit >= 2.6.0-7
 Requires: smeserver-php >= 3.0.0-22
 Requires: smeserver-yum >= 2.6.0-43 
+# daemontools bins in use 
+Requires: /usr/bin/softlimit 
+Requires: /usr/bin/setuidgid
+Requires: /usr/bin/multilog
 Obsoletes: nss_ldap < 254
 Obsoletes: cpu
 Obsoletes: rlinetd, e-smith-mod_ssl
@@ -65,7 +69,11 @@ BuildRequires: smeserver-devtools >= 1.13.1-03
 BuildRequires: gettext
 Requires: gdisk
 Requires: ppp
-Requires: rp-pppoe 
+Requires: rp-pppoe
+# pam autoblock 
+Requires: pam_abl 
+# isdn wan connection (ippp)
+Requires: isdn4k-utils
 %define dbfiles accounts configuration domains hosts networks
 AutoReqProv: no
 
@@ -184,7 +192,27 @@ fi
 
 
 %changelog
-* Sat Jan 18 2025 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-22.sme
+* Wed Mar 05 2025 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-29.sme
+- change key type from service to configuration [SME: 11367]
+
+* Thu Feb 20 2025 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-28.sme
+- clean sme-server.target [SME: 12931]
+
+* Sun Feb 16 2025 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-27.sme
+- fix missing allowed shell for login [SME: 12926]
+
+* Wed Feb 12 2025 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-26.sme
+- add pam_abl requirement [SME: 12914]
+- add isdn4k-utils requirement for ippp isdn connections [SME: 12909]
+- remove pam_tally as deprecated in favor of pam_faillock [SME: 12913]
+
+* Tue Feb 04 2025 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-25.sme
+- fix boot ordering cycle [SME: 12902]
+
+* Sun Jan 26 2025 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-24.sme
+- ippp and wan requires daemontools bins [SME: 12566]
+
+* Sat Jan 18 2025 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-23.sme
 - handle all ssl ciphers and protocol in one place esmith::ssl [SME: 12827]
   this will allow to sync all service default protocol and ciphers
   in one place.