diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..0b8fb32
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+SOURCES/Linux-PAM-1.1.8.tar.bz2
+SOURCES/pam-redhat-0.99.11.tar.bz2
diff --git a/.pam.metadata b/.pam.metadata
new file mode 100644
index 0000000..201ea93
--- /dev/null
+++ b/.pam.metadata
@@ -0,0 +1,2 @@
+f8ce53c67363f78d520392fa1c253c4978058be1 SOURCES/Linux-PAM-1.1.8.tar.bz2
+42206fe8319723ef23ab646b2eab496c86de3f5b SOURCES/pam-redhat-0.99.11.tar.bz2
diff --git a/README.md b/README.md
deleted file mode 100644
index 0e7897f..0000000
--- a/README.md
+++ /dev/null
@@ -1,5 +0,0 @@
-The master branch has no content
- 
-Look at the c7 branch if you are working with CentOS-7, or the c4/c5/c6 branch for CentOS-4, 5 or 6
- 
-If you find this file in a distro specific branch, it means that no content has been checked in yet
diff --git a/SOURCES/20-nproc.conf b/SOURCES/20-nproc.conf
new file mode 100644
index 0000000..d6e2578
--- /dev/null
+++ b/SOURCES/20-nproc.conf
@@ -0,0 +1,6 @@
+# Default limit for number of user's processes to prevent
+# accidental fork bombs.
+# See rhbz #432903 for reasoning.
+
+*          soft    nproc     4096
+root       soft    nproc     unlimited
diff --git a/SOURCES/config-util.5 b/SOURCES/config-util.5
new file mode 100644
index 0000000..17d7f8a
--- /dev/null
+++ b/SOURCES/config-util.5
@@ -0,0 +1,36 @@
+.TH SYSTEM-AUTH 5 "2006 Feb 3" "Red Hat" "Linux-PAM Manual"
+.SH NAME
+
+config-util \- Common PAM configuration file for configuration utilities
+
+.SH SYNOPSIS
+.B /etc/pam.d/config-util
+.sp 2
+.SH DESCRIPTION
+
+The purpose of this configuration file is to provide common 
+configuration file for all configuration utilities which must be run
+from the supervisor account and use the userhelper wrapper application.
+
+.sp
+The
+.BR config-util
+configuration file is included from all individual configuration
+files of such utilities with the help of the
+.BR include
+directive.
+There are not usually any other modules in the individual configuration
+files of these utilities.
+
+.sp
+It is possible for example to modify duration of the validity of the 
+authentication timestamp there. See
+.BR pam_timestamp(8)
+for details.
+
+.SH BUGS
+.sp 2
+None known.
+
+.SH "SEE ALSO"
+pam(8), config-util(5), pam_timestamp(8)
diff --git a/SOURCES/config-util.pamd b/SOURCES/config-util.pamd
new file mode 100644
index 0000000..8e70d9a
--- /dev/null
+++ b/SOURCES/config-util.pamd
@@ -0,0 +1,8 @@
+#%PAM-1.0
+auth		sufficient	pam_rootok.so
+auth		sufficient	pam_timestamp.so
+auth		include		system-auth
+account		required	pam_permit.so
+session		required	pam_permit.so
+session		optional	pam_xauth.so
+session		optional	pam_timestamp.so
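Review bot: The stack has no comment recording two choices that matter for review. `auth sufficient pam_timestamp.so` accepts a still-valid timestamp in place of fresh authentication, and `account required pam_permit.so` makes the account phase always succeed for whatever service pulls this file in. If that is the intent, add a header comment such as `# Shared by userhelper-based config tools: a valid pam_timestamp ticket skips re-authentication; account checks are intentionally permissive.` so the behaviour is not mistaken for an oversight.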
diff --git a/SOURCES/dlopen.sh b/SOURCES/dlopen.sh
new file mode 100755
index 0000000..053289a
--- /dev/null
+++ b/SOURCES/dlopen.sh
@@ -0,0 +1,75 @@
+#!/bin/sh
+
+tempdir=`mktemp -d /tmp/dlopenXXXXXX`
+test -n "$tempdir" || exit 1
+cat >> $tempdir/dlopen.c << _EOF
+#include <dlfcn.h>
+#include <stdio.h>
+#include <limits.h>
+#include <sys/stat.h>
+/* Simple program to see if dlopen() would succeed. */
+int main(int argc, char **argv)
+{
+	int i;
+	struct stat st;
+	char buf[PATH_MAX];
+	for (i = 1; i < argc; i++) {
+		if (dlopen(argv[i], RTLD_NOW)) {
+			fprintf(stdout, "dlopen() of \"%s\" succeeded.\n",
+				argv[i]);
+		} else {
+			snprintf(buf, sizeof(buf), "./%s", argv[i]);
+			if ((stat(buf, &st) == 0) && dlopen(buf, RTLD_NOW)) {
+				fprintf(stdout, "dlopen() of \"./%s\" "
+					"succeeded.\n", argv[i]);
+			} else {
+				fprintf(stdout, "dlopen() of \"%s\" failed: "
+					"%s\n", argv[i], dlerror());
+				return 1;
+			}
+		}
+	}
+	return 0;
+}
+_EOF
+
+for arg in $@ ; do
+	case "$arg" in
+	"")
+		;;
+	-I*|-D*|-f*|-m*|-g*|-O*|-W*)
+		cflags="$cflags $arg"
+		;;
+	-l*|-L*)
+		ldflags="$ldflags $arg"
+		;;
+	/*)
+		modules="$modules $arg"
+		;;
+	*)
+		modules="$modules $arg"
+		;;
+	esac
+done
+
+${CC:-gcc} $RPM_OPT_FLAGS $CFLAGS -o $tempdir/dlopen $cflags $tempdir/dlopen.c $ldflags -ldl
+
+retval=0
+for module in $modules ; do
+	case "$module" in
+	"")
+		;;
+	/*)
+		$tempdir/dlopen "$module"
+		retval=$?
+		;;
+	*)
+		$tempdir/dlopen ./"$module"
+		retval=$?
+		;;
+	esac
+done
+
+rm -f $tempdir/dlopen $tempdir/dlopen.c
+rmdir $tempdir
+exit $retval
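Review bot: The module loop assigns `retval=$?` after every `$tempdir/dlopen` call, so the exit status reflects only the last module, and an earlier dlopen() failure is masked when a later module loads. In the two case arms use `"$tempdir"/dlopen "$module" || retval=$?` and `"$tempdir"/dlopen ./"$module" || retval=$?` so any failure sticks. The compiler invocation's status is not checked either; with an empty module list a failed build still exits 0. `for arg in $@` and the unquoted `$tempdir` expansions word-split and glob, so `for arg in "$@"` and `"$tempdir"` are the safe forms. `$cflags`, `$ldflags` and `$modules` are deliberately space-joined strings and rely on splitting.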
diff --git a/SOURCES/fingerprint-auth.pamd b/SOURCES/fingerprint-auth.pamd
new file mode 100644
index 0000000..604b95f
--- /dev/null
+++ b/SOURCES/fingerprint-auth.pamd
@@ -0,0 +1,19 @@
+#%PAM-1.0
+# This file is auto-generated.
+# User changes will be destroyed the next time authconfig is run.
+auth        required      pam_env.so
+auth        sufficient    pam_fprintd.so
+auth        required      pam_deny.so
+
+account     required      pam_unix.so
+account     sufficient    pam_localuser.so
+account     sufficient    pam_succeed_if.so uid < 500 quiet
+account     required      pam_permit.so
+
+password    required      pam_deny.so
+
+session     optional      pam_keyinit.so revoke
+session     required      pam_limits.so
+-session     optional      pam_systemd.so
+session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+session     required      pam_unix.so
diff --git a/SOURCES/other.pamd b/SOURCES/other.pamd
new file mode 100644
index 0000000..c286c82
--- /dev/null
+++ b/SOURCES/other.pamd
@@ -0,0 +1,5 @@
+#%PAM-1.0
+auth     required       pam_deny.so
+account  required       pam_deny.so
+password required       pam_deny.so
+session  required       pam_deny.so
diff --git a/SOURCES/pam-1.0.90-redhat-modules.patch b/SOURCES/pam-1.0.90-redhat-modules.patch
new file mode 100644
index 0000000..3ad41cc
--- /dev/null
+++ b/SOURCES/pam-1.0.90-redhat-modules.patch
@@ -0,0 +1,23 @@
+diff -up Linux-PAM-1.0.90/modules/Makefile.am.redhat-modules Linux-PAM-1.0.90/modules/Makefile.am
+--- Linux-PAM-1.0.90/modules/Makefile.am.redhat-modules	2008-11-29 08:27:35.000000000 +0100
++++ Linux-PAM-1.0.90/modules/Makefile.am	2008-12-16 13:40:16.000000000 +0100
+@@ -3,6 +3,7 @@
+ #
+ 
+ SUBDIRS = pam_access pam_cracklib pam_debug pam_deny pam_echo \
++	pam_chroot pam_console pam_postgresok \
+ 	pam_env pam_exec pam_faildelay pam_filter pam_ftp \
+ 	pam_group pam_issue pam_keyinit pam_lastlog pam_limits \
+ 	pam_listfile pam_localuser pam_loginuid pam_mail \
+diff -up Linux-PAM-1.0.90/configure.in.redhat-modules Linux-PAM-1.0.90/configure.in
+--- Linux-PAM-1.0.90/configure.in.redhat-modules	2008-12-02 16:25:01.000000000 +0100
++++ Linux-PAM-1.0.90/configure.in	2008-12-16 13:39:11.000000000 +0100
+@@ -531,6 +531,8 @@ AC_CONFIG_FILES([Makefile libpam/Makefil
+ 	libpam_misc/Makefile conf/Makefile conf/pam_conv1/Makefile \
+ 	po/Makefile.in \
+ 	modules/Makefile \
++	modules/pam_chroot/Makefile modules/pam_console/Makefile \
++	modules/pam_postgresok/Makefile \
+ 	modules/pam_access/Makefile modules/pam_cracklib/Makefile \
+         modules/pam_debug/Makefile modules/pam_deny/Makefile \
+ 	modules/pam_echo/Makefile modules/pam_env/Makefile \
diff --git a/SOURCES/pam-1.1.0-console-nochmod.patch b/SOURCES/pam-1.1.0-console-nochmod.patch
new file mode 100644
index 0000000..e41adad
--- /dev/null
+++ b/SOURCES/pam-1.1.0-console-nochmod.patch
@@ -0,0 +1,26 @@
+diff -up Linux-PAM-1.1.0/modules/pam_console/console.handlers.nochmod Linux-PAM-1.1.0/modules/pam_console/console.handlers
+--- Linux-PAM-1.1.0/modules/pam_console/console.handlers.nochmod	2008-12-16 13:37:52.000000000 +0100
++++ Linux-PAM-1.1.0/modules/pam_console/console.handlers	2009-09-01 17:20:08.000000000 +0200
+@@ -15,5 +15,3 @@
+ # touch unlock wait /var/run/console-unlocked
+ 
+ console consoledevs tty[0-9][0-9]* vc/[0-9][0-9]* :[0-9]+\.[0-9]+ :[0-9]+
+-/sbin/pam_console_apply lock logfail wait -t tty -s
+-/sbin/pam_console_apply unlock logfail wait -r -t tty -s
+diff -up Linux-PAM-1.1.0/modules/pam_console/Makefile.am.nochmod Linux-PAM-1.1.0/modules/pam_console/Makefile.am
+--- Linux-PAM-1.1.0/modules/pam_console/Makefile.am.nochmod	2008-12-16 13:37:52.000000000 +0100
++++ Linux-PAM-1.1.0/modules/pam_console/Makefile.am	2009-09-01 17:42:47.000000000 +0200
+@@ -38,7 +38,6 @@ sbin_PROGRAMS = pam_console_apply
+ 
+ 
+ secureconf_DATA = console.perms console.handlers
+-permsd_DATA = 50-default.perms
+ 
+ FLEX_OPTS = -Cr
+ BISON_OPTS = -d
+@@ -62,4 +61,5 @@ configfile.c: configfile.tab.c configfil
+ 
+ install-data-local:
+ 	mkdir -p $(DESTDIR)$(secureconfdir)/console.apps
++	mkdir -p $(DESTDIR)$(permsddir)
+ 	mkdir -m $(LOCKMODE) -p -p $(DESTDIR)$(LOCKDIR)
diff --git a/SOURCES/pam-1.1.0-notally.patch b/SOURCES/pam-1.1.0-notally.patch
new file mode 100644
index 0000000..9327eec
--- /dev/null
+++ b/SOURCES/pam-1.1.0-notally.patch
@@ -0,0 +1,12 @@
+diff -up Linux-PAM-1.1.0/modules/Makefile.am.notally Linux-PAM-1.1.0/modules/Makefile.am
+--- Linux-PAM-1.1.0/modules/Makefile.am.notally	2009-07-27 17:39:25.000000000 +0200
++++ Linux-PAM-1.1.0/modules/Makefile.am	2009-09-01 17:40:16.000000000 +0200
+@@ -10,7 +10,7 @@ SUBDIRS = pam_access pam_cracklib pam_de
+ 	pam_mkhomedir pam_motd pam_namespace pam_nologin \
+ 	pam_permit pam_pwhistory pam_rhosts pam_rootok pam_securetty \
+ 	pam_selinux pam_sepermit pam_shells pam_stress \
+-	pam_succeed_if pam_tally pam_tally2 pam_time pam_timestamp \
++	pam_succeed_if pam_tally2 pam_time pam_timestamp \
+ 	pam_tty_audit pam_umask \
+ 	pam_unix pam_userdb pam_warn pam_wheel pam_xauth
+ 
diff --git a/SOURCES/pam-1.1.1-console-errmsg.patch b/SOURCES/pam-1.1.1-console-errmsg.patch
new file mode 100644
index 0000000..f2fe846
--- /dev/null
+++ b/SOURCES/pam-1.1.1-console-errmsg.patch
@@ -0,0 +1,12 @@
+diff -up Linux-PAM-1.1.1/modules/pam_console/pam_console_apply.c.errmsg Linux-PAM-1.1.1/modules/pam_console/pam_console_apply.c
+--- Linux-PAM-1.1.1/modules/pam_console/pam_console_apply.c.errmsg	2008-12-16 13:37:52.000000000 +0100
++++ Linux-PAM-1.1.1/modules/pam_console/pam_console_apply.c	2014-06-19 13:23:28.948343737 +0200
+@@ -65,7 +65,7 @@ parse_files(void)
+ 	on system locale */
+ 	oldlocale = setlocale(LC_COLLATE, "C");
+ 
+-	rc = glob(PERMS_GLOB, GLOB_NOCHECK, NULL, &globbuf);
++	rc = glob(PERMS_GLOB, 0, NULL, &globbuf);
+ 	setlocale(LC_COLLATE, oldlocale);
+ 	if (rc)
+ 		return;
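Review bot: After this change `if (rc) return;` handles `GLOB_NOMATCH` (no perms files, presumably the case this patch wants to keep quiet) exactly like `GLOB_NOSPACE` and `GLOB_ABORTED`. A read error on the permissions directory therefore makes `parse_files()` return silently with no rules parsed. Consider `if (rc == GLOB_NOMATCH) return;` followed by a logged error for any other non-zero `rc`. The rest of `parse_files()` lies outside the hunk, so how callers react to an empty rule set cannot be checked from here.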
diff --git a/SOURCES/pam-1.1.1-faillock.patch b/SOURCES/pam-1.1.1-faillock.patch
new file mode 100644
index 0000000..eaee896
--- /dev/null
+++ b/SOURCES/pam-1.1.1-faillock.patch
@@ -0,0 +1,1714 @@
+diff -up Linux-PAM-1.1.1/configure.in.faillock Linux-PAM-1.1.1/configure.in
+--- Linux-PAM-1.1.1/configure.in.faillock	2010-09-17 15:58:41.000000000 +0200
++++ Linux-PAM-1.1.1/configure.in	2010-09-17 15:58:41.000000000 +0200
+@@ -539,7 +539,7 @@ AC_CONFIG_FILES([Makefile libpam/Makefil
+ 	modules/pam_access/Makefile modules/pam_cracklib/Makefile \
+         modules/pam_debug/Makefile modules/pam_deny/Makefile \
+ 	modules/pam_echo/Makefile modules/pam_env/Makefile \
+-	modules/pam_faildelay/Makefile \
++	modules/pam_faildelay/Makefile modules/pam_faillock/Makefile \
+ 	modules/pam_filter/Makefile modules/pam_filter/upperLOWER/Makefile \
+ 	modules/pam_ftp/Makefile modules/pam_group/Makefile \
+ 	modules/pam_issue/Makefile modules/pam_keyinit/Makefile \
+diff -up Linux-PAM-1.1.1/doc/sag/pam_faillock.xml.faillock Linux-PAM-1.1.1/doc/sag/pam_faillock.xml
+--- Linux-PAM-1.1.1/doc/sag/pam_faillock.xml.faillock	2010-09-17 16:05:56.000000000 +0200
++++ Linux-PAM-1.1.1/doc/sag/pam_faillock.xml	2010-09-17 16:08:26.000000000 +0200
+@@ -0,0 +1,38 @@
++<?xml version='1.0' encoding='UTF-8'?>
++<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
++        "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
++<section id='sag-pam_faillock'>
++  <title>pam_faillock - temporarily locking access based on failed authentication attempts during an interval</title>
++  <cmdsynopsis>
++    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
++     href="../../modules/pam_faillock/pam_faillock.8.xml" xpointer='xpointer(//cmdsynopsis[@id = "pam_faillock-cmdsynopsisauth"]/*)'/>
++  </cmdsynopsis>
++  <cmdsynopsis>
++    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
++     href="../../modules/pam_faillock/pam_faillock.8.xml" xpointer='xpointer(//cmdsynopsis[@id = "pam_faillock-cmdsynopsisacct"]/*)'/>
++  </cmdsynopsis>
++  <section id='sag-pam_faillock-description'>
++    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
++     href="../../modules/pam_faillock/pam_faillock.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faillock-description"]/*)'/>
++  </section>
++  <section id='sag-pam_faillock-options'>
++    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
++     href="../../modules/pam_faillock/pam_faillock.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faillock-options"]/*)'/>
++  </section>
++  <section id='sag-pam_faillock-types'>
++    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
++     href="../../modules/pam_faillock/pam_faillock.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faillock-types"]/*)'/>
++  </section>
++  <section id='sag-pam_faillock-return_values'>
++    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
++     href="../../modules/pam_faillock/pam_faillock.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faillock-return_values"]/*)'/>
++  </section>
++  <section id='sag-pam_faillock-examples'>
++    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
++     href="../../modules/pam_faillock/pam_faillock.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faillock-examples"]/*)'/>
++  </section>
++  <section id='sag-pam_faillock-author'>
++    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
++     href="../../modules/pam_faillock/pam_faillock.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faillock-author"]/*)'/>
++  </section>
++</section>
+diff -up Linux-PAM-1.1.1/modules/Makefile.am.faillock Linux-PAM-1.1.1/modules/Makefile.am
+--- Linux-PAM-1.1.1/modules/Makefile.am.faillock	2010-09-17 15:58:41.000000000 +0200
++++ Linux-PAM-1.1.1/modules/Makefile.am	2010-09-17 15:58:41.000000000 +0200
+@@ -3,7 +3,7 @@
+ #
+ 
+ SUBDIRS = pam_access pam_cracklib pam_debug pam_deny pam_echo \
+-	pam_chroot pam_console pam_postgresok \
++	pam_chroot pam_console pam_postgresok pam_faillock \
+ 	pam_env pam_exec pam_faildelay pam_filter pam_ftp \
+ 	pam_group pam_issue pam_keyinit pam_lastlog pam_limits \
+ 	pam_listfile pam_localuser pam_loginuid pam_mail \
+diff -up Linux-PAM-1.1.1/modules/pam_faillock/faillock.c.faillock Linux-PAM-1.1.1/modules/pam_faillock/faillock.c
+--- Linux-PAM-1.1.1/modules/pam_faillock/faillock.c.faillock	2010-09-17 15:58:41.000000000 +0200
++++ Linux-PAM-1.1.1/modules/pam_faillock/faillock.c	2010-09-17 15:58:41.000000000 +0200
+@@ -0,0 +1,147 @@
++/*
++ * Copyright (c) 2010 Tomas Mraz <tmraz@redhat.com>
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ * 1. Redistributions of source code must retain the above copyright
++ *    notice, and the entire permission notice in its entirety,
++ *    including the disclaimer of warranties.
++ * 2. Redistributions in binary form must reproduce the above copyright
++ *    notice, this list of conditions and the following disclaimer in the
++ *    documentation and/or other materials provided with the distribution.
++ * 3. The name of the author may not be used to endorse or promote
++ *    products derived from this software without specific prior
++ *    written permission.
++ *
++ * ALTERNATIVELY, this product may be distributed under the terms of
++ * the GNU Public License, in which case the provisions of the GPL are
++ * required INSTEAD OF the above restrictions.  (This clause is
++ * necessary due to a potential bad interaction between the GPL and
++ * the restrictions contained in a BSD-style copyright.)
++ *
++ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
++ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
++ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
++ * DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
++ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
++ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
++ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ */
++
++#include "config.h"
++#include <string.h>
++#include <stdlib.h>
++#include <unistd.h>
++#include <errno.h>
++#include <sys/types.h>
++#include <sys/stat.h>
++#include <sys/file.h>
++#include <fcntl.h>
++#include <security/pam_modutil.h>
++
++#include "faillock.h"
++
++int
++open_tally (const char *dir, const char *user, int create)
++{
++	char *path;
++	int flags = O_RDWR;
++	int fd;
++
++	if (strstr(user, "../") != NULL)
++	/* just a defensive programming as the user must be a
++	 * valid user on the system anyway
++	 */
++		return -1;
++	path = malloc(strlen(dir) + strlen(user) + 2);
++	if (path == NULL)
++		return -1;
++
++	strcpy(path, dir);
++	if (*dir && dir[strlen(dir) - 1] != '/') {
++		strcat(path, "/");
++	}
++	strcat(path, user);
++
++	if (create) {
++		flags |= O_CREAT;
++	}
++
++	fd = open(path, flags, 0600);
++
++	if (fd != -1)
++		while (flock(fd, LOCK_EX) == -1 && errno == EINTR);
++
++	return fd;
++}
++
++#define CHUNK_SIZE (64 * sizeof(struct tally))
++#define MAX_RECORDS 1024
++
++int
++read_tally(int fd, struct tally_data *tallies)
++{
++	void *data = NULL, *newdata;
++	unsigned int count = 0;
++	ssize_t chunk = 0;
++
++	do {
++		newdata = realloc(data, count * sizeof(struct tally) + CHUNK_SIZE);
++		if (newdata == NULL) {
++			free(data);
++			return -1;
++		}
++
++		data = newdata;
++
++		chunk = pam_modutil_read(fd, (char *)data + count * sizeof(struct tally), CHUNK_SIZE);
++		if (chunk < 0) {
++			free(data);
++			return -1;
++		}
++
++		count += chunk/sizeof(struct tally);
++
++		if (count >= MAX_RECORDS)
++			break;
++	}
++	while (chunk == CHUNK_SIZE); 
++
++	tallies->records = data;
++	tallies->count = count;
++
++	return 0;
++}
++
++int
++update_tally(int fd, struct tally_data *tallies)
++{
++	void *data = tallies->records;
++	unsigned int count = tallies->count;
++	ssize_t chunk;
++
++	if (tallies->count > MAX_RECORDS) {
++		data = tallies->records + (count - MAX_RECORDS);
++		count = MAX_RECORDS;
++	}
++
++	if (lseek(fd, 0, SEEK_SET) == (off_t)-1) {
++		return -1;
++	}
++
++	chunk = pam_modutil_write(fd, data, count * sizeof(struct tally));
++
++	if (chunk != (ssize_t)(count * sizeof(struct tally))) {
++		return -1;
++	}
++
++	if (ftruncate(fd, count * sizeof(struct tally)) == -1)
++		return -1;
++
++	return 0;
++}
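Review bot: `open_tally()` never frees `path`: the `malloc()` buffer is still allocated on every return after `open()`, so each call leaks it, which adds up if the calling process is long-lived. Release it right after the open while preserving `errno`, which `do_user()` in main.c reads after a failed open: `saved = errno; free(path); errno = saved;`. The `flock()` loop retries only on `EINTR` and otherwise returns the descriptor whether or not the lock was taken, so callers cannot tell a locked tally file from an unlocked one; closing the fd and returning -1 on any other failure would make that explicit. The `strstr(user, "../")` guard rejects only that sequence, and its comment should say that a name containing a bare `/` is still concatenated into the path and that the function relies on the caller passing a valid account name.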
+diff -up Linux-PAM-1.1.1/modules/pam_faillock/faillock.h.faillock Linux-PAM-1.1.1/modules/pam_faillock/faillock.h
+--- Linux-PAM-1.1.1/modules/pam_faillock/faillock.h.faillock	2010-09-17 15:58:41.000000000 +0200
++++ Linux-PAM-1.1.1/modules/pam_faillock/faillock.h	2010-09-17 15:58:41.000000000 +0200
+@@ -0,0 +1,72 @@
++/*
++ * Copyright (c) 2010 Tomas Mraz <tmraz@redhat.com>
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ * 1. Redistributions of source code must retain the above copyright
++ *    notice, and the entire permission notice in its entirety,
++ *    including the disclaimer of warranties.
++ * 2. Redistributions in binary form must reproduce the above copyright
++ *    notice, this list of conditions and the following disclaimer in the
++ *    documentation and/or other materials provided with the distribution.
++ * 3. The name of the author may not be used to endorse or promote
++ *    products derived from this software without specific prior
++ *    written permission.
++ *
++ * ALTERNATIVELY, this product may be distributed under the terms of
++ * the GNU Public License, in which case the provisions of the GPL are
++ * required INSTEAD OF the above restrictions.  (This clause is
++ * necessary due to a potential bad interaction between the GPL and
++ * the restrictions contained in a BSD-style copyright.)
++ *
++ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
++ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
++ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
++ * DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
++ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
++ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
++ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ */
++
++/*
++ * faillock.h - authentication failure data file record structure
++ *
++ * Each record in the file represents an instance of login failure of
++ * the user at the recorded time
++ */
++
++
++#ifndef _FAILLOCK_H
++#define _FAILLOCK_H
++
++#include <stdint.h>
++
++#define TALLY_STATUS_VALID     0x1       /* the tally file entry is valid */
++#define TALLY_STATUS_RHOST     0x2       /* the source is rhost */
++#define TALLY_STATUS_TTY       0x4       /* the source is tty - if both TALLY_FLAG_RHOST and TALLY_FLAG_TTY are not set the source is service */
++
++struct	tally {
++	char		source[52];	/* rhost or tty of the login failure (not necessarily NULL terminated) */
++	uint16_t	reserved;	/* reserved for future use */
++	uint16_t	status;		/* record status  */
++	uint64_t	time;		/* time of the login failure */
++};
++/* 64 bytes per entry */
++
++struct tally_data {
++	struct tally *records;		/* array of tallies */
++	unsigned int count;		/* number of records */
++};
++
++#define FAILLOCK_DEFAULT_TALLYDIR "/var/run/faillock"
++
++int open_tally(const char *dir, const char *user, int create);
++int read_tally(int fd, struct tally_data *tallies);
++int update_tally(int fd, struct tally_data *tallies);
++#endif
++
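Review bot: The comment on `TALLY_STATUS_TTY` refers to `TALLY_FLAG_RHOST` and `TALLY_FLAG_TTY`, names this header does not define; it should read `/* the source is tty - if neither TALLY_STATUS_RHOST nor TALLY_STATUS_TTY is set the source is service */`. The `/* 64 bytes per entry */` remark describes the on-disk record size that `CHUNK_SIZE` and the read/write arithmetic in faillock.c depend on, yet nothing enforces it. A compile-time check such as `typedef char tally_size_check[sizeof(struct tally) == 64 ? 1 : -1];` would pin the layout. The `source` field comment should say "NUL terminated" rather than "NULL terminated".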
+diff -up Linux-PAM-1.1.1/modules/pam_faillock/faillock.8.xml.faillock Linux-PAM-1.1.1/modules/pam_faillock/faillock.8.xml
+--- Linux-PAM-1.1.1/modules/pam_faillock/faillock.8.xml.faillock	2010-09-17 15:58:41.000000000 +0200
++++ Linux-PAM-1.1.1/modules/pam_faillock/faillock.8.xml	2010-09-17 15:58:41.000000000 +0200
+@@ -0,0 +1,123 @@
++<?xml version="1.0" encoding='UTF-8'?>
++<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
++	"http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">
++
++<refentry id="faillock">
++
++  <refmeta>
++    <refentrytitle>faillock</refentrytitle>
++    <manvolnum>8</manvolnum>
++    <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo>
++  </refmeta>
++
++  <refnamediv id="pam_faillock-name">
++    <refname>faillock</refname>
++    <refpurpose>Tool for displaying and modifying the authentication failure record files</refpurpose>
++  </refnamediv>
++
++  <refsynopsisdiv>
++    <cmdsynopsis id="faillock-cmdsynopsis">
++      <command>faillock</command>
++      <arg choice="opt">
++        --dir <replaceable>/path/to/tally-directory</replaceable>
++      </arg>
++      <arg choice="opt">
++        --user <replaceable>username</replaceable>
++      </arg>
++      <arg choice="opt">
++        --reset
++      </arg>
++    </cmdsynopsis>
++  </refsynopsisdiv>
++
++  <refsect1 id="faillock-description">
++
++    <title>DESCRIPTION</title>
++
++    <para>
++      The <emphasis>pam_faillock.so</emphasis> module maintains a list of
++      failed authentication attempts per user during a specified interval
++      and locks the account in case there were more than
++      <replaceable>deny</replaceable> consecutive failed authentications.
++      It stores the failure records into per-user files in the tally
++      directory.
++    </para>
++    <para>
++      The <command>faillock</command> command is an application which
++      can be used to examine and modify the contents of the
++      the tally files. It can display the recent failed authentication
++      attempts of the <replaceable>username</replaceable> or clear the tally
++      files of all or individual <replaceable>usernames</replaceable>.
++    </para>
++  </refsect1>
++
++  <refsect1 id="faillock-options">
++
++    <title>OPTIONS</title>
++         <variablelist>
++            <varlistentry>
++              <term>
++                <option>--dir <replaceable>/path/to/tally-directory</replaceable></option>
++              </term>
++              <listitem>
++                <para>
++                  The directory where the user files with the failure records are kept. The
++                  default is <filename>/var/run/faillock</filename>.
++                </para>
++              </listitem>
++            </varlistentry>
++            <varlistentry>
++              <term>
++                <option>--user <replaceable>username</replaceable></option>
++              </term>
++              <listitem>
++                <para>
++                  The user whose failure records should be displayed or cleared.
++                </para>
++              </listitem>
++            </varlistentry>
++            <varlistentry>
++              <term>
++                <option>--reset</option>
++              </term>
++              <listitem>
++                <para>
++                  Instead of displaying the user's failure records, clear them.
++                </para>
++              </listitem>
++            </varlistentry>
++        </variablelist>
++  </refsect1>
++
++  <refsect1 id="faillock-files">
++    <title>FILES</title>
++    <variablelist>
++      <varlistentry>
++        <term><filename>/var/run/faillock/*</filename></term>
++        <listitem>
++          <para>the files logging the authentication failures for users</para>
++        </listitem>
++      </varlistentry>
++    </variablelist>
++  </refsect1>
++
++  <refsect1 id='faillock-see_also'>
++    <title>SEE ALSO</title>
++    <para>
++      <citerefentry>
++        <refentrytitle>pam_faillock</refentrytitle><manvolnum>8</manvolnum>
++      </citerefentry>,
++      <citerefentry>
++        <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++      </citerefentry>
++    </para>
++  </refsect1>
++
++  <refsect1 id='faillock-author'>
++    <title>AUTHOR</title>
++      <para>
++        faillock was written by Tomas Mraz.
++      </para>
++  </refsect1>
++
++</refentry>
+diff -up Linux-PAM-1.1.1/modules/pam_faillock/main.c.faillock Linux-PAM-1.1.1/modules/pam_faillock/main.c
+--- Linux-PAM-1.1.1/modules/pam_faillock/main.c.faillock	2010-09-17 15:58:41.000000000 +0200
++++ Linux-PAM-1.1.1/modules/pam_faillock/main.c	2010-09-17 15:58:41.000000000 +0200
+@@ -0,0 +1,233 @@
++/*
++ * Copyright (c) 2010 Tomas Mraz <tmraz@redhat.com>
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ * 1. Redistributions of source code must retain the above copyright
++ *    notice, and the entire permission notice in its entirety,
++ *    including the disclaimer of warranties.
++ * 2. Redistributions in binary form must reproduce the above copyright
++ *    notice, this list of conditions and the following disclaimer in the
++ *    documentation and/or other materials provided with the distribution.
++ * 3. The name of the author may not be used to endorse or promote
++ *    products derived from this software without specific prior
++ *    written permission.
++ *
++ * ALTERNATIVELY, this product may be distributed under the terms of
++ * the GNU Public License, in which case the provisions of the GPL are
++ * required INSTEAD OF the above restrictions.  (This clause is
++ * necessary due to a potential bad interaction between the GPL and
++ * the restrictions contained in a BSD-style copyright.)
++ *
++ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
++ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
++ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
++ * DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
++ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
++ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
++ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ */
++
++#include "config.h"
++
++#include <stdio.h>
++#include <stdlib.h>
++#include <string.h>
++#include <dirent.h>
++#include <errno.h>
++#include <pwd.h>
++#include <time.h>
++#include <sys/types.h>
++#include <unistd.h>
++#ifdef HAVE_LIBAUDIT
++#include <libaudit.h>
++#endif
++
++#include "faillock.h"
++
++struct options {
++	unsigned int reset;
++	const char *dir;
++	const char *user;
++	const char *progname;
++};
++
++static int
++args_parse(int argc, char **argv, struct options *opts)
++{
++	int i;
++	memset(opts, 0, sizeof(*opts));
++
++	opts->dir = FAILLOCK_DEFAULT_TALLYDIR;
++	opts->progname = argv[0];
++
++	for (i = 1; i < argc; ++i) {
++
++		if (strcmp(argv[i], "--dir") == 0) {
++			++i;
++			if (i >= argc || strlen(argv[i]) == 0) {
++				fprintf(stderr, "%s: No directory supplied.\n", argv[0]);				
++				return -1;
++			}
++		        opts->dir = argv[i];
++		} 
++		else if (strcmp(argv[i], "--user") == 0) {
++			++i;
++			if (i >= argc || strlen(argv[i]) == 0) {
++				fprintf(stderr, "%s: No user name supplied.\n", argv[0]);				
++				return -1;
++			}
++		        opts->user = argv[i];
++		}
++ 		else if (strcmp(argv[i], "--reset") == 0) {
++			opts->reset = 1;
++		}
++		else {
++			fprintf(stderr, "%s: Unknown option: %s\n", argv[0], argv[i]);
++			return -1;
++		}
++	}
++	return 0;
++}
++
++static void
++usage(const char *progname)
++{
++	fprintf(stderr, _("Usage: %s [--dir /path/to/tally-directory] [--user username] [--reset]\n"),
++		progname);
++}
++
++static int
++do_user(struct options *opts, const char *user)
++{
++	int fd;
++	int rv;
++	struct tally_data tallies;
++
++	fd = open_tally(opts->dir, user, 0);
++
++	if (fd == -1) {
++		if (errno == ENOENT) {
++			return 0;
++		}
++		else {
++			fprintf(stderr, "%s: Error opening the tally file for %s:",
++				opts->progname, user);
++			perror(NULL);
++			return 3;
++		}
++	}
++	if (opts->reset) {
++#ifdef HAVE_LIBAUDIT
++		char buf[64];
++		int audit_fd;
++#endif
++		
++		while ((rv=ftruncate(fd, 0)) == -1 && errno == EINTR);
++		if (rv == -1) {
++			fprintf(stderr, "%s: Error clearing the tally file for %s:",
++				opts->progname, user);
++			perror(NULL);
++#ifdef HAVE_LIBAUDIT
++		}
++		if ((audit_fd=audit_open()) >= 0) {
++			struct passwd *pwd;
++
++			if ((pwd=getpwnam(user)) != NULL) {
++				snprintf(buf, sizeof(buf), "faillock reset uid=%u",
++					pwd->pw_uid);
++				audit_log_user_message(audit_fd, AUDIT_USER_ACCT,
++					buf, NULL, NULL, NULL, rv == 0);
++			}
++			close(audit_fd);
++		}
++		if (rv == -1) {
++#endif
++			close(fd);
++			return 4;
++		}
++	}
++	else {
++		unsigned int i;
++
++		memset(&tallies, 0, sizeof(tallies));
++		if ((rv=read_tally(fd, &tallies)) == -1) {
++			fprintf(stderr, "%s: Error reading the tally file for %s:",
++				opts->progname, user);
++			perror(NULL);
++			close(fd);
++			return 5;
++		}
++
++		printf("%s:\n", user);
++		printf("%-19s %-5s %-48s %-5s\n", "When", "Type", "Source", "Valid");
++
++		for (i = 0; i < tallies.count; i++) {
++			struct tm *tm;
++			char timebuf[80];
++			uint16_t status = tallies.records[i].status;
++			time_t when = tallies.records[i].time;
++
++			tm = localtime(&when);
++			strftime(timebuf, sizeof(timebuf), "%Y-%m-%d %H:%M:%S", tm);
++			printf("%-19s %-5s %-52.52s %s\n", timebuf,
++				status & TALLY_STATUS_RHOST ? "RHOST" : (status & TALLY_STATUS_TTY ? "TTY" : "SVC"),
++				tallies.records[i].source, status & TALLY_STATUS_VALID ? "V":"I");
++		}
++		free(tallies.records);
++	}
++	close(fd);
++	return 0;
++}
++
++static int
++do_allusers(struct options *opts)
++{
++	struct dirent **userlist;
++	int rv, i;
++
++	rv = scandir(opts->dir, &userlist, NULL, alphasort);
++	if (rv < 0) {
++		fprintf(stderr, "%s: Error reading tally directory: ", opts->progname);
++		perror(NULL);
++		return 2;
++	}
++
++	for (i = 0; i < rv; i++) {
++		if (userlist[i]->d_name[0] == '.') {
++			if ((userlist[i]->d_name[1] == '.' && userlist[i]->d_name[2] == '\0') ||
++			    userlist[i]->d_name[1] == '\0')
++				continue;
++		}
++		do_user(opts, userlist[i]->d_name);
++		free(userlist[i]);
++	}
++	free(userlist);
++
++	return 0;
++}
++
++
++/*-----------------------------------------------------------------------*/
++int
++main (int argc, char *argv[])
++{
++	struct options opts;
++
++	if (args_parse(argc, argv, &opts)) {
++		usage(argv[0]);
++		return 1;
++	}
++
++	if (opts.user == NULL) {
++		return do_allusers(&opts);		
++	}
++
++	return do_user(&opts, opts.user);
++}
++
+diff -up Linux-PAM-1.1.1/modules/pam_faillock/Makefile.am.faillock Linux-PAM-1.1.1/modules/pam_faillock/Makefile.am
+--- Linux-PAM-1.1.1/modules/pam_faillock/Makefile.am.faillock	2010-09-17 15:58:41.000000000 +0200
++++ Linux-PAM-1.1.1/modules/pam_faillock/Makefile.am	2010-09-17 15:58:41.000000000 +0200
+@@ -0,0 +1,43 @@
++#
++# Copyright (c) 2005, 2006, 2007, 2009 Thorsten Kukuk <kukuk@thkukuk.de>
++# Copyright (c) 2008 Red Hat, Inc.
++# Copyright (c) 2010 Tomas Mraz <tmraz@redhat.com>
++#
++
++CLEANFILES = *~
++MAINTAINERCLEANFILES = $(MANS) README
++
++EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_faillock
++
++man_MANS = pam_faillock.8 faillock.8
++XMLS = README.xml pam_faillock.8.xml faillock.8.xml
++
++TESTS = tst-pam_faillock
++
++securelibdir = $(SECUREDIR)
++secureconfdir = $(SCONFIGDIR)
++
++noinst_HEADERS = faillock.h
++
++faillock_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include
++pam_faillock_la_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include
++
++pam_faillock_la_LDFLAGS = -no-undefined -avoid-version -module
++pam_faillock_la_LIBADD = -L$(top_builddir)/libpam -lpam $(LIBAUDIT)
++if HAVE_VERSIONING
++  pam_faillock_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
++endif
++
++faillock_LDADD = -L$(top_builddir)/libpam -lpam $(LIBAUDIT)
++
++securelib_LTLIBRARIES = pam_faillock.la
++sbin_PROGRAMS = faillock
++
++pam_faillock_la_SOURCES = pam_faillock.c faillock.c
++faillock_SOURCES = main.c faillock.c
++
++if ENABLE_REGENERATE_MAN
++noinst_DATA = README
++README: pam_faillock.8.xml
++-include $(top_srcdir)/Make.xml.rules
++endif
+diff -up Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.c.faillock Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.c
+--- Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.c.faillock	2010-09-17 15:58:41.000000000 +0200
++++ Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.c	2010-09-17 15:58:41.000000000 +0200
+@@ -0,0 +1,550 @@
++/*
++ * Copyright (c) 2010 Tomas Mraz <tmraz@redhat.com>
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ * 1. Redistributions of source code must retain the above copyright
++ *    notice, and the entire permission notice in its entirety,
++ *    including the disclaimer of warranties.
++ * 2. Redistributions in binary form must reproduce the above copyright
++ *    notice, this list of conditions and the following disclaimer in the
++ *    documentation and/or other materials provided with the distribution.
++ * 3. The name of the author may not be used to endorse or promote
++ *    products derived from this software without specific prior
++ *    written permission.
++ *
++ * ALTERNATIVELY, this product may be distributed under the terms of
++ * the GNU Public License, in which case the provisions of the GPL are
++ * required INSTEAD OF the above restrictions.  (This clause is
++ * necessary due to a potential bad interaction between the GPL and
++ * the restrictions contained in a BSD-style copyright.)
++ *
++ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
++ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
++ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
++ * DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
++ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
++ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
++ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ */
++
++#include "config.h"
++#include <stdio.h>
++#include <string.h>
++#include <unistd.h>
++#include <stdint.h>
++#include <stdlib.h>
++#include <errno.h>
++#include <time.h>
++#include <pwd.h>
++#include <syslog.h>
++
++#ifdef HAVE_LIBAUDIT
++#include <libaudit.h>
++#endif
++
++#include <security/pam_modules.h>
++#include <security/pam_modutil.h>
++#include <security/pam_ext.h>
++
++#include "faillock.h"
++
++#define PAM_SM_AUTH
++#define PAM_SM_ACCOUNT
++
++#define FAILLOCK_ACTION_PREAUTH  0
++#define FAILLOCK_ACTION_AUTHSUCC 1
++#define FAILLOCK_ACTION_AUTHFAIL 2
++
++#define FAILLOCK_FLAG_DENY_ROOT		0x1
++#define FAILLOCK_FLAG_AUDIT		0x2
++#define FAILLOCK_FLAG_SILENT		0x4
++#define FAILLOCK_FLAG_NO_LOG_INFO	0x8
++#define FAILLOCK_FLAG_UNLOCKED		0x10
++
++#define MAX_TIME_INTERVAL 604800 /* 7 days */
++
++struct options {
++	unsigned int action;
++	unsigned int flags;
++	unsigned short deny;
++	unsigned int fail_interval;
++	unsigned int unlock_time;
++	unsigned int root_unlock_time;
++	const char *dir;
++	const char *user;
++	int failures;
++	uint64_t latest_time;
++	uid_t uid;
++	uint64_t now;
++};
++
++static void
++args_parse(pam_handle_t *pamh, int argc, const char **argv,
++		int flags, struct options *opts)
++{
++	int i;
++	memset(opts, 0, sizeof(*opts));
++
++	opts->dir = FAILLOCK_DEFAULT_TALLYDIR;
++	opts->deny = 3;
++	opts->fail_interval = 900;
++	opts->unlock_time = 600;
++	opts->root_unlock_time = MAX_TIME_INTERVAL+1;
++
++	for (i = 0; i < argc; ++i) {
++
++		if (strncmp(argv[i], "dir=", 4) == 0) {
++			if (argv[i][4] != '/') {
++				pam_syslog(pamh, LOG_ERR,
++					"Tally directory is not absolute path (%s); keeping default", argv[i]);
++	        	} else {
++			        opts->dir = argv[i]+4;
++			}
++		} 
++		else if (strncmp(argv[i], "deny=", 5) == 0) {
++			if (sscanf(argv[i]+5, "%hu", &opts->deny) != 1) {
++				pam_syslog(pamh, LOG_ERR,
++					"Bad number supplied for deny argument");
++        		}
++		}
++		else if (strncmp(argv[i], "fail_interval=", 14) == 0) {
++			unsigned int temp;
++			if (sscanf(argv[i]+14, "%u", &temp) != 1 ||
++				temp > MAX_TIME_INTERVAL) {
++				pam_syslog(pamh, LOG_ERR,
++					"Bad number supplied for fail_interval argument");
++	        	} else {
++				opts->fail_interval = temp;
++			}
++		}
++		else if (strncmp(argv[i], "unlock_time=", 12) == 0) {
++			unsigned int temp;
++			if (sscanf(argv[i]+12, "%u", &temp) != 1 ||
++				temp > MAX_TIME_INTERVAL) {
++				pam_syslog(pamh, LOG_ERR,
++					"Bad number supplied for unlock_time argument");
++        		} else {
++				opts->unlock_time = temp;
++			}
++		}
++		else if (strncmp(argv[i], "root_unlock_time=", 17) == 0) {
++			unsigned int temp;
++			if (sscanf(argv[i]+17, "%u", &temp) != 1 ||
++				temp > MAX_TIME_INTERVAL) {
++				pam_syslog(pamh, LOG_ERR,
++					"Bad number supplied for root_unlock_time argument");
++        		} else {
++				opts->root_unlock_time = temp;
++			}
++		}
++ 		else if (strcmp(argv[i], "preauth") == 0) {
++			opts->action = FAILLOCK_ACTION_PREAUTH;
++		}
++ 		else if (strcmp(argv[i], "authfail") == 0) {
++			opts->action = FAILLOCK_ACTION_AUTHFAIL;
++		}
++	 	else if (strcmp(argv[i], "authsucc") == 0) {
++			opts->action = FAILLOCK_ACTION_AUTHSUCC;
++		}
++	 	else if (strcmp(argv[i], "even_deny_root") == 0) {
++			opts->flags |= FAILLOCK_FLAG_DENY_ROOT;
++		}
++	 	else if (strcmp(argv[i], "audit") == 0) {
++			opts->flags |= FAILLOCK_FLAG_AUDIT;
++		}
++	 	else if (strcmp(argv[i], "silent") == 0) {
++			opts->flags |= FAILLOCK_FLAG_SILENT;
++		}
++	 	else if (strcmp(argv[i], "no_log_info") == 0) {
++			opts->flags |= FAILLOCK_FLAG_NO_LOG_INFO;
++		}
++		else {
++			pam_syslog(pamh, LOG_ERR, "Unknown option: %s", argv[i]);
++		}
++	}
++
++	if (opts->root_unlock_time == MAX_TIME_INTERVAL+1)
++		opts->root_unlock_time = opts->unlock_time;
++	if (flags & PAM_SILENT)
++		opts->flags |= FAILLOCK_FLAG_SILENT;
++}
++
++static int get_pam_user(pam_handle_t *pamh, struct options *opts)
++{
++	const char *user;
++	int rv;
++	struct passwd *pwd;
++
++	if ((rv=pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS) {
++		return rv;
++	}
++
++	if (*user == '\0') {
++		return PAM_IGNORE;
++	}
++
++	if ((pwd=pam_modutil_getpwnam(pamh, user)) == NULL) {
++		if (opts->flags & FAILLOCK_FLAG_AUDIT) {
++			pam_syslog(pamh, LOG_ERR, "User unknown: %s", user);
++		}
++		else {
++			pam_syslog(pamh, LOG_ERR, "User unknown");
++		}
++		return PAM_IGNORE;
++	}
++	opts->user = user;
++	opts->uid = pwd->pw_uid;
++	return PAM_SUCCESS;
++}
++
++static int
++check_tally(pam_handle_t *pamh, struct options *opts, struct tally_data *tallies, int *fd)
++{
++	int tfd;
++	unsigned int i;
++	uint64_t latest_time;
++	int failures;
++
++	opts->now = time(NULL);
++
++	tfd = open_tally(opts->dir, opts->user, 0);
++
++	*fd = tfd;
++
++	if (tfd == -1) {
++		if (errno == EACCES || errno == ENOENT) {
++			return PAM_SUCCESS;
++		}
++		pam_syslog(pamh, LOG_ERR, "Error opening the tally file for %s: %m", opts->user);
++		return PAM_SYSTEM_ERR;
++	}
++
++	if (read_tally(tfd, tallies) != 0) {
++		pam_syslog(pamh, LOG_ERR, "Error reading the tally file for %s: %m", opts->user);
++		return PAM_SYSTEM_ERR;
++	}
++
++	if (opts->uid == 0 && !(opts->flags & FAILLOCK_FLAG_DENY_ROOT)) {
++		return PAM_SUCCESS;
++	}
++
++	latest_time = 0;
++	for(i = 0; i < tallies->count; i++) {
++		if ((tallies->records[i].status & TALLY_STATUS_VALID) &&
++			tallies->records[i].time > latest_time)
++			latest_time = tallies->records[i].time;
++	}
++
++	opts->latest_time = latest_time;
++
++	failures = 0;
++	for(i = 0; i < tallies->count; i++) {
++		if ((tallies->records[i].status & TALLY_STATUS_VALID) &&
++			latest_time - tallies->records[i].time < opts->fail_interval) {
++			++failures;
++		}
++	}
++
++	opts->failures = failures;
++
++	if (opts->uid == 0 && !(opts->flags & FAILLOCK_FLAG_DENY_ROOT)) {
++		return PAM_SUCCESS;
++	}
++
++	if (opts->deny && failures >= opts->deny) {
++		if ((opts->uid && latest_time + opts->unlock_time < opts->now) ||
++			(!opts->uid && latest_time + opts->root_unlock_time < opts->now)) {
++#ifdef HAVE_LIBAUDIT
++			if (opts->action != FAILLOCK_ACTION_PREAUTH) { /* do not audit in preauth */
++				char buf[64];
++				int audit_fd;
++
++				audit_fd = audit_open();
++				/* If there is an error & audit support is in the kernel report error */
++				if ((audit_fd < 0) && !(errno == EINVAL || errno == EPROTONOSUPPORT ||
++					errno == EAFNOSUPPORT))
++					return PAM_SYSTEM_ERR;
++
++				snprintf(buf, sizeof(buf), "pam_faillock uid=%u ", opts->uid);
++				audit_log_user_message(audit_fd, AUDIT_RESP_ACCT_UNLOCK_TIMED, buf,
++					NULL, NULL, NULL, 1);
++			}
++#endif
++			opts->flags |= FAILLOCK_FLAG_UNLOCKED;
++			return PAM_SUCCESS;
++		}
++		return PAM_AUTH_ERR;
++	}
++	return PAM_SUCCESS;
++}
++
++static void
++reset_tally(pam_handle_t *pamh, struct options *opts, int *fd)
++{
++	int rv;
++
++	while ((rv=ftruncate(*fd, 0)) == -1 && errno == EINTR);
++	if (rv == -1) {
++		pam_syslog(pamh, LOG_ERR, "Error clearing the tally file for %s: %m", opts->user);
++	}
++}
++
++static int
++write_tally(pam_handle_t *pamh, struct options *opts, struct tally_data *tallies, int *fd)
++{
++	struct tally *records;
++	unsigned int i;
++	int failures;
++	unsigned int oldest;
++	uint64_t oldtime;
++	const void *source = NULL;
++
++	if (*fd == -1) {
++		*fd = open_tally(opts->dir, opts->user, 1);
++	}
++	if (*fd == -1) {
++		if (errno == EACCES) {
++			return PAM_SUCCESS;
++		}
++		pam_syslog(pamh, LOG_ERR, "Error opening the tally file for %s: %m", opts->user);
++		return PAM_SYSTEM_ERR;
++	}
++
++	oldtime = 0;
++	oldest = 0;
++	failures = 0;
++
++	for (i = 0; i < tallies->count; ++i) {
++		if (tallies->records[i].time < oldtime) {
++			oldtime = tallies->records[i].time;
++			oldest = i;
++		}
++		if (opts->flags & FAILLOCK_FLAG_UNLOCKED ||
++			opts->now - tallies->records[i].time >= opts->fail_interval ) {
++			tallies->records[i].status &= ~TALLY_STATUS_VALID;
++		} else {
++			++failures;
++		}
++	}
++
++	if (oldest >= tallies->count || (tallies->records[oldest].status & TALLY_STATUS_VALID)) {
++		oldest = tallies->count;
++
++		if ((records=realloc(tallies->records, (oldest+1) * sizeof (*tallies->records))) == NULL) {
++			pam_syslog(pamh, LOG_CRIT, "Error allocating memory for tally records: %m");
++			return PAM_BUF_ERR;
++		}
++
++		++tallies->count;
++		tallies->records = records;
++	}
++
++	memset(&tallies->records[oldest], 0, sizeof (*tallies->records));
++
++	tallies->records[oldest].status = TALLY_STATUS_VALID;
++	if (pam_get_item(pamh, PAM_RHOST, &source) != PAM_SUCCESS || source == NULL) {
++		if (pam_get_item(pamh, PAM_TTY, &source) != PAM_SUCCESS || source == NULL) {
++			if (pam_get_item(pamh, PAM_SERVICE, &source) != PAM_SUCCESS || source == NULL) {
++				source = "";
++			}
++		}
++		else {
++			tallies->records[oldest].status |= TALLY_STATUS_TTY;
++		}
++	}
++	else {
++		tallies->records[oldest].status |= TALLY_STATUS_RHOST;
++	}
++
++	strncpy(tallies->records[oldest].source, source, sizeof(tallies->records[oldest].source));
++	/* source does not have to be null terminated */
++	
++	tallies->records[oldest].time = opts->now;
++
++	++failures;
++
++	if (opts->deny && failures == opts->deny) {
++#ifdef HAVE_LIBAUDIT
++		char buf[64];
++		int audit_fd;
++
++		audit_fd = audit_open();
++		/* If there is an error & audit support is in the kernel report error */
++		if ((audit_fd < 0) && !(errno == EINVAL || errno == EPROTONOSUPPORT ||
++			errno == EAFNOSUPPORT))
++			return PAM_SYSTEM_ERR;
++
++		snprintf(buf, sizeof(buf), "pam_faillock uid=%u ", opts->uid);
++		audit_log_user_message(audit_fd, AUDIT_ANOM_LOGIN_FAILURES, buf,
++			NULL, NULL, NULL, 1);
++
++		if (opts->uid != 0 || (opts->flags & FAILLOCK_FLAG_DENY_ROOT)) {
++			audit_log_user_message(audit_fd, AUDIT_RESP_ACCT_LOCK, buf,
++				NULL, NULL, NULL, 1);
++		}
++		close(audit_fd);
++#endif
++		if (!(opts->flags & FAILLOCK_FLAG_NO_LOG_INFO)) {
++			pam_syslog(pamh, LOG_INFO, "Consecutive login failures for user %s account temporarily locked",
++				opts->user);
++		}
++	}
++
++	if (update_tally(*fd, tallies) == 0)
++		return PAM_SUCCESS;
++
++	return PAM_SYSTEM_ERR;
++}
++
++static void
++faillock_message(pam_handle_t *pamh, struct options *opts)
++{
++	int64_t left;
++
++	if (!(opts->flags & FAILLOCK_FLAG_SILENT)) {
++		if (opts->uid) {
++			left = opts->latest_time + opts->unlock_time - opts->now;
++		}
++		else {
++			left = opts->latest_time + opts->root_unlock_time - opts->now;
++		}
++
++		left /= 60; /* minutes */
++
++		pam_info(pamh, _("Account temporarily locked due to %d failed logins"),
++			opts->failures);
++		pam_info(pamh, _("(%d minutes left to unlock)"), (int)left);
++	}
++}
++
++static void
++tally_cleanup(struct tally_data *tallies, int fd)
++{
++	if (fd != -1) {
++		close(fd);
++	}
++
++	free(tallies->records);
++}
++
++/*---------------------------------------------------------------------*/
++
++PAM_EXTERN int
++pam_sm_authenticate(pam_handle_t *pamh, int flags,
++		    int argc, const char **argv)
++{
++	struct options opts;
++	int rv, fd = -1;
++	struct tally_data tallies;
++
++	memset(&tallies, 0, sizeof(tallies));
++
++	args_parse(pamh, argc, argv, flags, &opts);
++
++	pam_fail_delay(pamh, 2000000);	/* 2 sec delay for on failure */
++
++	if ((rv=get_pam_user(pamh, &opts)) != PAM_SUCCESS) {
++		return rv;
++	}
++
++	switch (opts.action) {
++		case FAILLOCK_ACTION_PREAUTH:
++			rv = check_tally(pamh, &opts, &tallies, &fd);
++			if (rv == PAM_AUTH_ERR && !(opts.flags & FAILLOCK_FLAG_SILENT)) {
++				faillock_message(pamh, &opts);
++			}
++                        break;
++
++		case FAILLOCK_ACTION_AUTHSUCC:
++			rv = check_tally(pamh, &opts, &tallies, &fd);
++			if (rv == PAM_SUCCESS && fd != -1) {
++				reset_tally(pamh, &opts, &fd);
++			}
++                        break;
++
++		case FAILLOCK_ACTION_AUTHFAIL:
++			rv = check_tally(pamh, &opts, &tallies, &fd);
++			if (rv == PAM_SUCCESS) {
++				rv = PAM_IGNORE; /* this return value should be ignored */
++				write_tally(pamh, &opts, &tallies, &fd);
++			}
++			break;
++	}
++
++	tally_cleanup(&tallies, fd);
++
++	return rv;
++}
++
++/*---------------------------------------------------------------------*/
++
++PAM_EXTERN int
++pam_sm_setcred(pam_handle_t *pamh UNUSED, int flags UNUSED,
++	       int argc UNUSED, const char **argv UNUSED)
++{
++	return PAM_SUCCESS;
++}
++
++/*---------------------------------------------------------------------*/
++
++PAM_EXTERN int
++pam_sm_acct_mgmt(pam_handle_t *pamh, int flags,
++		 int argc, const char **argv)
++{
++	struct options opts;
++	int rv, fd = -1;
++	struct tally_data tallies;
++
++	memset(&tallies, 0, sizeof(tallies));
++
++	args_parse(pamh, argc, argv, flags, &opts);
++
++	opts.action = FAILLOCK_ACTION_AUTHSUCC;
++
++	if ((rv=get_pam_user(pamh, &opts)) != PAM_SUCCESS) {
++		return rv;
++	}
++
++	check_tally(pamh, &opts, &tallies, &fd);
++	if (fd != -1) {
++		reset_tally(pamh, &opts, &fd);
++	}
++
++	tally_cleanup(&tallies, fd);
++
++	return PAM_SUCCESS;
++}
++
++/*-----------------------------------------------------------------------*/
++
++#ifdef PAM_STATIC
++
++/* static module data */
++
++struct pam_module _pam_faillock_modstruct = {
++     MODULE_NAME,
++#ifdef PAM_SM_AUTH
++     pam_sm_authenticate,
++     pam_sm_setcred,
++#else
++     NULL,
++     NULL,
++#endif
++#ifdef PAM_SM_ACCOUNT
++     pam_sm_acct_mgmt,
++#else
++     NULL,
++#endif
++     NULL,
++     NULL,
++     NULL,
++};
++
++#endif   /* #ifdef PAM_STATIC */
++
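Review bot: In `write_tally` the search for the oldest record never fires: `oldtime` is a `uint64_t` initialised to 0, so `tallies->records[i].time < oldtime` is always false and `oldest` stays 0. Only slot 0 is ever considered for reuse; whenever it is still valid a new record is appended through `realloc`, even if other slots are already stale, so the tally can keep growing between resets. Seeding the comparison fixes it: `if (oldtime == 0 || tallies->records[i].time < oldtime) {`. Separately, the timed-unlock branch of `check_tally` calls `audit_open()` but, unlike the lock path in `write_tally`, never closes the descriptor, so each such unlock leaves one fd open in the calling process; add `if (audit_fd >= 0) close(audit_fd);` after the `audit_log_user_message(...)` call there.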
+diff -up Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.8.xml.faillock Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.8.xml
+--- Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.8.xml.faillock	2010-09-17 15:58:41.000000000 +0200
++++ Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.8.xml	2010-09-17 15:58:41.000000000 +0200
+@@ -0,0 +1,396 @@
++<?xml version="1.0" encoding='UTF-8'?>
++<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
++	"http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">
++
++<refentry id="pam_faillock">
++
++  <refmeta>
++    <refentrytitle>pam_faillock</refentrytitle>
++    <manvolnum>8</manvolnum>
++    <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo>
++  </refmeta>
++
++  <refnamediv id="pam_faillock-name">
++    <refname>pam_faillock</refname>
++    <refpurpose>Module counting authentication failures during a specified interval</refpurpose>
++  </refnamediv>
++
++  <refsynopsisdiv>
++    <cmdsynopsis id="pam_faillock-cmdsynopsisauth">
++      <command>auth ... pam_faillock.so</command>
++      <arg choice="req">
++        preauth|authfail|authsucc
++      </arg>
++      <arg choice="opt">
++        dir=<replaceable>/path/to/tally-directory</replaceable>
++      </arg>
++      <arg choice="opt">
++        even_deny_root
++      </arg>
++      <arg choice="opt">
++        deny=<replaceable>n</replaceable>
++      </arg>
++      <arg choice="opt">
++        fail_interval=<replaceable>n</replaceable>
++      </arg>
++      <arg choice="opt">
++        unlock_time=<replaceable>n</replaceable>
++      </arg>
++      <arg choice="opt">
++        root_unlock_time=<replaceable>n</replaceable>
++      </arg>
++      <arg choice="opt">
++        audit
++      </arg>
++      <arg choice="opt">
++        silent
++      </arg>
++      <arg choice="opt">
++        no_log_info
++      </arg>
++    </cmdsynopsis>
++    <cmdsynopsis id="pam_faillock-cmdsynopsisacct">
++      <command>account ... pam_faillock.so</command>
++      <arg choice="opt">
++        dir=<replaceable>/path/to/tally-directory</replaceable>
++      </arg>
++      <arg choice="opt">
++        no_log_info
++      </arg>
++    </cmdsynopsis>
++  </refsynopsisdiv>
++
++  <refsect1 id="pam_faillock-description">
++
++    <title>DESCRIPTION</title>
++
++    <para>
++      This module maintains a list of failed authentication attempts per
++      user during a specified interval and locks the account in case
++      there were more than <replaceable>deny</replaceable> consecutive
++      failed authentications.
++    </para>
++    <para>
++      Normally, failed attempts to authenticate <emphasis>root</emphasis> will
++      <emphasis remap='B'>not</emphasis> cause the root account to become
++      blocked, to prevent denial-of-service: if your users aren't given
++      shell accounts and root may only login via <command>su</command> or
++      at the machine console (not telnet/rsh, etc), this is safe.
++    </para>
++  </refsect1>
++
++  <refsect1 id="pam_faillock-options">
++
++    <title>OPTIONS</title>
++         <variablelist>
++            <varlistentry>
++              <term>
++                <option>{preauth|authfail|authsucc}</option>
++              </term>
++              <listitem>
++                <para>
++                  This argument must be set accordingly to the position of this module
++                  instance in the PAM stack.
++                </para>
++                <para>
++                  The <emphasis>preauth</emphasis> argument must be used when the module
++                  is called before the modules which ask for the user credentials such
++                  as the password. The module just examines whether the user should
++                  be blocked from accessing the service in case there were anomalous
++                  number of failed consecutive authentication attempts recently. This
++                  call is optional if <emphasis>authsucc</emphasis> is used.
++                </para>
++                <para>
++                  The <emphasis>authfail</emphasis> argument must be used when the module
++                  is called after the modules which determine the authentication outcome,
++                  failed. Unless the user is already blocked due to previous authentication
++                  failures, the module will record the failure into the appropriate user
++                  tally file.
++                </para>
++                <para>
++                  The <emphasis>authsucc</emphasis> argument must be used when the module
++                  is called after the modules which determine the authentication outcome,
++                  succeded. Unless the user is already blocked due to previous authentication
++                  failures, the module will then clear the record of the failures in the
++                  respective user tally file. Otherwise it will return authentication error.
++                  If this call is not done, the pam_faillock will not distinguish between
++                  consecutive and non-consecutive failed authentication attempts. The
++                  <emphasis>preauth</emphasis> call must be used in such case. Due to
++                  complications in the way the PAM stack can be configured it is also
++                  possible to call <emphasis>pam_faillock</emphasis> as an account module.
++                  In such configuration the module must be also called in the
++                  <emphasis>preauth</emphasis> stage.
++                </para>
++              </listitem>
++            </varlistentry>
++            <varlistentry>
++              <term>
++                <option>dir=<replaceable>/path/to/tally-directory</replaceable></option>
++              </term>
++              <listitem>
++                <para>
++                  The directory where the user files with the failure records are kept. The
++                  default is <filename>/var/run/faillock</filename>.
++                </para>
++              </listitem>
++            </varlistentry>
++            <varlistentry>
++              <term>
++                <option>audit</option>
++              </term>
++              <listitem>
++                <para>
++                  Will log the user name into the system log if the user is not found.
++                </para>
++              </listitem>
++            </varlistentry>
++            <varlistentry>
++              <term>
++                <option>silent</option>
++              </term>
++              <listitem>
++                <para>
++                  Don't print informative messages. This option is implicite
++                  in the <emphasis>authfail</emphasis> and <emphasis>authsucc</emphasis>
++                  functions.
++                </para>
++              </listitem>
++            </varlistentry>
++            <varlistentry>
++              <term>
++                <option>no_log_info</option>
++              </term>
++              <listitem>
++                <para>
++                  Don't log informative messages via <citerefentry><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
++                </para>
++              </listitem>
++            </varlistentry>
++            <varlistentry>
++              <term>
++                <option>deny=<replaceable>n</replaceable></option>
++              </term>
++              <listitem>
++                <para>
++                  Deny access if the number of consecutive authentication failures
++                  for this user during the recent interval exceeds
++                  <replaceable>n</replaceable>. The default is 3.
++                </para>
++              </listitem>
++            </varlistentry>
++            <varlistentry>
++              <term>
++                <option>fail_interval=<replaceable>n</replaceable></option>
++              </term>
++              <listitem>
++                <para>
++                  The length of the interval during which the consecutive
++                  authentication failures must happen for the user account
++                  lock out is <replaceable>n</replaceable> seconds.
++                  The default is 900 (15 minutes).
++                </para>
++              </listitem>
++            </varlistentry>
++            <varlistentry>
++              <term>
++                <option>unlock_time=<replaceable>n</replaceable></option>
++              </term>
++              <listitem>
++                <para>
++                  The access will be reenabled after
++                  <replaceable>n</replaceable> seconds after the lock out.
++                  The default is 600 (10 minutes).
++                </para>
++              </listitem>
++            </varlistentry>
++            <varlistentry>
++              <term>
++                <option>even_deny_root</option>
++              </term>
++              <listitem>
++                <para>
++                  Root account can become locked as well as regular accounts.
++                </para>
++              </listitem>
++            </varlistentry>
++            <varlistentry>
++              <term>
++                <option>root_unlock_time=<replaceable>n</replaceable></option>
++              </term>
++              <listitem>
++                <para>
++                  This option implies <option>even_deny_root</option> option.
++                  Allow access after <replaceable>n</replaceable> seconds
++                  to root account after the account is locked. In case the
++                  option is not specified the value is the same as of the
++                  <option>unlock_time</option> option.
++                </para>
++              </listitem>
++            </varlistentry>
++        </variablelist>
++  </refsect1>
++
++  <refsect1 id="pam_faillock-types">
++    <title>MODULE TYPES PROVIDED</title>
++    <para>
++      The <option>auth</option> and <option>account</option> module types are
++      provided.
++    </para>
++  </refsect1>
++
++  <refsect1 id='pam_faillock-return_values'>
++    <title>RETURN VALUES</title>
++    <variablelist>
++      <varlistentry>
++        <term>PAM_AUTH_ERR</term>
++        <listitem>
++          <para>
++            A invalid option was given, the module was not able
++            to retrieve the user name, no valid counter file
++            was found, or too many failed logins.
++          </para>
++        </listitem>
++      </varlistentry>
++      <varlistentry>
++        <term>PAM_SUCCESS</term>
++        <listitem>
++          <para>
++            Everything was successful.
++          </para>
++        </listitem>
++      </varlistentry>
++      <varlistentry>
++        <term>PAM_IGNORE</term>
++        <listitem>
++          <para>
++            User not present in passwd database.
++          </para>
++        </listitem>
++      </varlistentry>
++    </variablelist>
++  </refsect1>
++
++  <refsect1 id='pam_faillock-notes'>
++    <title>NOTES</title>
++    <para>
++      <emphasis>pam_faillock</emphasis> setup in the PAM stack is different
++      from the <emphasis>pam_tally2</emphasis> module setup.
++    </para>
++    <para>
++      There is no setuid wrapper for access to the data file such as when the
++      <emphasis remap='B'>pam_faillock.so</emphasis> module is called from
++      a screensaver. As this would make it impossible to share PAM configuration
++      with such services the following workaround is used: If the data file
++      cannot be opened because of insufficient permissions
++      (<errorcode>EACCES</errorcode>) the module returns
++      <errorcode>PAM_SUCCESS</errorcode>.
++    </para>
++    <para>
++      Note that using the module in <option>preauth</option> without the
++      <option>silent</option> option or with <emphasis>requisite</emphasis>
++      control field leaks an information about existence or
++      non-existence of an user account in the system because
++      the failures are not recorded for the unknown users. The message
++      about the user account being locked is never displayed for nonexisting
++      user accounts allowing the adversary to infer that a particular account
++      is not existing on a system.
++    </para>
++  </refsect1>
++
++  <refsect1 id='pam_faillock-examples'>
++    <title>EXAMPLES</title>
++    <para>
++      Here are two possible configuration examples for <filename>/etc/pam.d/login</filename>.
++      They make <emphasis>pam_faillock</emphasis> to lock the account after 4 consecutive
++      failed logins during the default interval of 15 minutes. Root account will be locked
++      as well. The accounts will be automatically unlocked after 20 minutes.
++    </para>
++    <para>
++      In the first example the module is called only in the <emphasis>auth</emphasis>
++      phase and the module does not print any information about the account blocking
++      by <emphasis>pam_faillock</emphasis>. The <emphasis>preauth</emphasis> call can
++      be added to tell the user that his login is blocked by the module and also to abort
++      the authentication without even asking for password in such case.
++    </para>
++    <programlisting>
++auth     required       pam_securetty.so
++auth     required       pam_env.so
++auth     required       pam_nologin.so
++# optionally call: auth requisite pam_faillock.so preauth deny=4 even_deny_root unlock_time=1200
++# to display the message about account being locked
++auth     [success=1 default=bad] pam_unix.so
++auth     [default=die]  pam_faillock.so authfail deny=4 even_deny_root unlock_time=1200
++auth     sufficient     pam_faillock.so authsucc deny=4 even_deny_root unlock_time=1200
++auth     required       pam_deny.so
++account  required       pam_unix.so
++password required       pam_unix.so shadow
++session  required       pam_selinux.so close
++session  required       pam_loginuid.so
++session  required       pam_unix.so
++session  required       pam_selinux.so open
++    </programlisting>
++    <para>
++      In the second example the module is called both in the <emphasis>auth</emphasis>
++      and <emphasis>account</emphasis> phases and the module gives the authenticating
++      user message when the account is locked 
++    </para>
++    <programlisting>
++auth     required       pam_securetty.so
++auth     required       pam_env.so
++auth     required       pam_nologin.so
++auth     required       pam_faillock.so preauth silent deny=4 even_deny_root unlock_time=1200
++# optionally use requisite above if you do not want to prompt for the password
++# on locked accounts, possibly with removing the silent option as well
++auth     sufficient     pam_unix.so
++auth     [default=die]  pam_faillock.so authfail deny=4 even_deny_root unlock_time=1200
++auth     required       pam_deny.so
++account  required       pam_faillock.so
++# if you drop the above call to pam_faillock.so the lock will be done also
++# on non-consecutive authentication failures
++account  required       pam_unix.so
++password required       pam_unix.so shadow
++session  required       pam_selinux.so close
++session  required       pam_loginuid.so
++session  required       pam_unix.so
++session  required       pam_selinux.so open
++    </programlisting>
++  </refsect1>
++
++  <refsect1 id="pam_faillock-files">
++    <title>FILES</title>
++    <variablelist>
++      <varlistentry>
++        <term><filename>/var/run/faillock/*</filename></term>
++        <listitem>
++          <para>the files logging the authentication failures for users</para>
++        </listitem>
++      </varlistentry>
++    </variablelist>
++  </refsect1>
++
++  <refsect1 id='pam_faillock-see_also'>
++    <title>SEE ALSO</title>
++    <para>
++      <citerefentry>
++        <refentrytitle>faillock</refentrytitle><manvolnum>8</manvolnum>
++      </citerefentry>,
++      <citerefentry>
++        <refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum>
++      </citerefentry>,
++      <citerefentry>
++        <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
++      </citerefentry>,
++      <citerefentry>
++        <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++      </citerefentry>
++    </para>
++  </refsect1>
++
++  <refsect1 id='pam_faillock-author'>
++    <title>AUTHOR</title>
++      <para>
++        pam_faillock was written by Tomas Mraz.
++      </para>
++  </refsect1>
++
++</refentry>
+diff -up Linux-PAM-1.1.1/modules/pam_faillock/README.xml.faillock Linux-PAM-1.1.1/modules/pam_faillock/README.xml
+--- Linux-PAM-1.1.1/modules/pam_faillock/README.xml.faillock	2010-09-17 15:58:41.000000000 +0200
++++ Linux-PAM-1.1.1/modules/pam_faillock/README.xml	2010-09-17 15:58:41.000000000 +0200
+@@ -0,0 +1,46 @@
++<?xml version="1.0" encoding='UTF-8'?>
++<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
++"http://www.docbook.org/xml/4.3/docbookx.dtd"
++[
++<!--
++<!ENTITY pamaccess SYSTEM "pam_faillock.8.xml">
++-->
++]>
++
++<article>
++
++  <articleinfo>
++
++    <title>
++      <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
++      href="pam_faillock.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_faillock-name"]/*)'/>
++    </title>
++
++  </articleinfo>
++
++  <section>
++    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
++      href="pam_faillock.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faillock-description"]/*)'/>
++  </section>
++
++  <section>
++    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
++      href="pam_faillock.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faillock-options"]/*)'/>
++  </section>
++
++  <section>
++    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
++      href="pam_faillock.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faillock-notes"]/*)'/>
++  </section>
++
++  <section>
++    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
++      href="pam_faillock.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faillock-examples"]/*)'/>
++  </section>
++
++  <section>
++    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
++      href="pam_faillock.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faillock-author"]/*)'/>
++  </section>
++
++</article>
+diff -up Linux-PAM-1.1.1/modules/pam_faillock/tst-pam_faillock.faillock Linux-PAM-1.1.1/modules/pam_faillock/tst-pam_faillock
+--- Linux-PAM-1.1.1/modules/pam_faillock/tst-pam_faillock.faillock	2010-09-17 15:58:41.000000000 +0200
++++ Linux-PAM-1.1.1/modules/pam_faillock/tst-pam_faillock	2010-09-17 15:58:41.000000000 +0200
+@@ -0,0 +1,2 @@
++#!/bin/sh
++../../tests/tst-dlopen .libs/pam_faillock.so
diff --git a/SOURCES/pam-1.1.3-faillock-screensaver.patch b/SOURCES/pam-1.1.3-faillock-screensaver.patch
new file mode 100644
index 0000000..249d285
--- /dev/null
+++ b/SOURCES/pam-1.1.3-faillock-screensaver.patch
@@ -0,0 +1,167 @@
+diff -up Linux-PAM-1.1.3/modules/pam_faillock/faillock.c.screensaver Linux-PAM-1.1.3/modules/pam_faillock/faillock.c
+--- Linux-PAM-1.1.3/modules/pam_faillock/faillock.c.screensaver	2010-11-10 11:46:07.000000000 +0100
++++ Linux-PAM-1.1.3/modules/pam_faillock/faillock.c	2010-11-10 11:46:07.000000000 +0100
+@@ -41,13 +41,14 @@
+ #include <sys/types.h>
+ #include <sys/stat.h>
+ #include <sys/file.h>
++#include <sys/stat.h>
+ #include <fcntl.h>
+ #include <security/pam_modutil.h>
+ 
+ #include "faillock.h"
+ 
+ int
+-open_tally (const char *dir, const char *user, int create)
++open_tally (const char *dir, const char *user, uid_t uid, int create)
+ {
+ 	char *path;
+ 	int flags = O_RDWR;
+@@ -69,8 +70,18 @@ open_tally (const char *dir, const char 
+ 
+ 	fd = open(path, flags, 0600);
+ 
+-	if (fd != -1)
++	free(path);
++
++	if (fd != -1) {
++		struct stat st;
++
+ 		while (flock(fd, LOCK_EX) == -1 && errno == EINTR);
++		if (fstat(fd, &st) == 0) {
++			if (st.st_uid != uid) {
++				fchown(fd, uid, -1);
++			}
++		}
++	}
+ 
+ 	return fd;
+ }
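Review bot: The added `free(path);` now runs between `open()` and the callers' `errno` tests (`errno == ENOENT` in do_user, `errno == EACCES` in write_tally), and older C libraries do not guarantee that free() leaves errno untouched; `int saved = errno; free(path); errno = saved;` would keep those branches reliable. Separately, the results of `fstat()` and `fchown(fd, uid, -1)` are discarded, so a failed ownership change leaves the record with its previous owner and the caller cannot tell; testing `fchown(fd, uid, -1) == -1` and reporting it would make that visible. Because the record becomes owned by the account it protects, a comment here should say that processes running as that user can presumably alter or clear their own failure history. open_tally begins in the previous hunk.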
+diff -up Linux-PAM-1.1.3/modules/pam_faillock/faillock.h.screensaver Linux-PAM-1.1.3/modules/pam_faillock/faillock.h
+--- Linux-PAM-1.1.3/modules/pam_faillock/faillock.h.screensaver	2010-11-10 11:46:07.000000000 +0100
++++ Linux-PAM-1.1.3/modules/pam_faillock/faillock.h	2010-11-10 11:46:07.000000000 +0100
+@@ -45,6 +45,7 @@
+ #define _FAILLOCK_H
+ 
+ #include <stdint.h>
++#include <sys/types.h>
+ 
+ #define TALLY_STATUS_VALID     0x1       /* the tally file entry is valid */
+ #define TALLY_STATUS_RHOST     0x2       /* the source is rhost */
+@@ -65,7 +66,7 @@ struct tally_data {
+ 
+ #define FAILLOCK_DEFAULT_TALLYDIR "/var/run/faillock"
+ 
+-int open_tally(const char *dir, const char *user, int create);
++int open_tally(const char *dir, const char *user, uid_t uid, int create);
+ int read_tally(int fd, struct tally_data *tallies);
+ int update_tally(int fd, struct tally_data *tallies);
+ #endif
+diff -up Linux-PAM-1.1.3/modules/pam_faillock/main.c.screensaver Linux-PAM-1.1.3/modules/pam_faillock/main.c
+--- Linux-PAM-1.1.3/modules/pam_faillock/main.c.screensaver	2010-11-10 11:46:07.000000000 +0100
++++ Linux-PAM-1.1.3/modules/pam_faillock/main.c	2010-11-10 11:46:07.000000000 +0100
+@@ -106,8 +106,11 @@ do_user(struct options *opts, const char
+ 	int fd;
+ 	int rv;
+ 	struct tally_data tallies;
++	struct passwd *pwd;
+ 
+-	fd = open_tally(opts->dir, user, 0);
++	pwd = getpwnam(user);
++
++	fd = open_tally(opts->dir, user, pwd != NULL ? pwd->pw_uid : 0, 0);
+ 
+ 	if (fd == -1) {
+ 		if (errno == ENOENT) {
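Review bot: When `getpwnam(user)` returns NULL this call passes uid 0, so open_tally's new ownership check will chown an existing record for that name to root even though no such account was found. Passing the "leave unchanged" value avoids touching ownership in that case: `fd = open_tally(opts->dir, user, pwd != NULL ? pwd->pw_uid : (uid_t)-1, 0);`, since `fchown()` treats an owner of -1 as "do not change". The body of do_user continues outside this hunk.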
+@@ -134,9 +137,8 @@ do_user(struct options *opts, const char
+ #ifdef HAVE_LIBAUDIT
+ 		}
+ 		if ((audit_fd=audit_open()) >= 0) {
+-			struct passwd *pwd;
+ 
+-			if ((pwd=getpwnam(user)) != NULL) {
++			if (pwd != NULL) {
+ 				snprintf(buf, sizeof(buf), "faillock reset uid=%u",
+ 					pwd->pw_uid);
+ 				audit_log_user_message(audit_fd, AUDIT_USER_ACCT,
+diff -up Linux-PAM-1.1.3/modules/pam_faillock/pam_faillock.c.screensaver Linux-PAM-1.1.3/modules/pam_faillock/pam_faillock.c
+--- Linux-PAM-1.1.3/modules/pam_faillock/pam_faillock.c.screensaver	2010-11-10 11:46:07.000000000 +0100
++++ Linux-PAM-1.1.3/modules/pam_faillock/pam_faillock.c	2010-11-10 11:46:07.000000000 +0100
+@@ -213,7 +213,7 @@ check_tally(pam_handle_t *pamh, struct o
+ 
+ 	opts->now = time(NULL);
+ 
+-	tfd = open_tally(opts->dir, opts->user, 0);
++	tfd = open_tally(opts->dir, opts->user, opts->uid, 0);
+ 
+ 	*fd = tfd;
+ 
+@@ -289,9 +289,14 @@ reset_tally(pam_handle_t *pamh, struct o
+ {
+ 	int rv;
+ 
+-	while ((rv=ftruncate(*fd, 0)) == -1 && errno == EINTR);
+-	if (rv == -1) {
+-		pam_syslog(pamh, LOG_ERR, "Error clearing the tally file for %s: %m", opts->user);
++	if (*fd == -1) {
++		*fd = open_tally(opts->dir, opts->user, opts->uid, 1);
++	}
++	else {
++		while ((rv=ftruncate(*fd, 0)) == -1 && errno == EINTR);
++		if (rv == -1) {
++			pam_syslog(pamh, LOG_ERR, "Error clearing the tally file for %s: %m", opts->user);
++		}
+ 	}
+ }
+ 
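Review bot: In the new `*fd == -1` branch of reset_tally the result of `open_tally(..., 1)` is never examined, so a failure to create the record is silent, while the `ftruncate` path next to it logs through `pam_syslog`. A matching report that skips the permission case write_tally treats specially would keep the two paths consistent: `if (*fd == -1 && errno != EACCES) pam_syslog(pamh, LOG_ERR, "Error opening the tally file for %s: %m", opts->user);`. The function's signature is outside the hunk.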
+@@ -306,7 +311,7 @@ write_tally(pam_handle_t *pamh, struct o
+ 	const void *source = NULL;
+ 
+ 	if (*fd == -1) {
+-		*fd = open_tally(opts->dir, opts->user, 1);
++		*fd = open_tally(opts->dir, opts->user, opts->uid, 1);
+ 	}
+ 	if (*fd == -1) {
+ 		if (errno == EACCES) {
+@@ -463,7 +468,7 @@ pam_sm_authenticate(pam_handle_t *pamh, 
+ 
+ 		case FAILLOCK_ACTION_AUTHSUCC:
+ 			rv = check_tally(pamh, &opts, &tallies, &fd);
+-			if (rv == PAM_SUCCESS && fd != -1) {
++			if (rv == PAM_SUCCESS) {
+ 				reset_tally(pamh, &opts, &fd);
+ 			}
+                         break;
+@@ -511,10 +516,8 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int
+ 		return rv;
+ 	}
+ 
+-	check_tally(pamh, &opts, &tallies, &fd);
+-	if (fd != -1) {
+-		reset_tally(pamh, &opts, &fd);
+-	}
++	check_tally(pamh, &opts, &tallies, &fd); /* for auditing */
++	reset_tally(pamh, &opts, &fd);
+ 
+ 	tally_cleanup(&tallies, fd);
+ 
+diff -up Linux-PAM-1.1.3/modules/pam_faillock/pam_faillock.8.xml.screensaver Linux-PAM-1.1.3/modules/pam_faillock/pam_faillock.8.xml
+--- Linux-PAM-1.1.3/modules/pam_faillock/pam_faillock.8.xml.screensaver	2010-11-10 11:46:07.000000000 +0100
++++ Linux-PAM-1.1.3/modules/pam_faillock/pam_faillock.8.xml	2010-11-10 11:47:14.000000000 +0100
+@@ -277,13 +277,9 @@
+       from the <emphasis>pam_tally2</emphasis> module setup.
+     </para>
+     <para>
+-      There is no setuid wrapper for access to the data file such as when the
+-      <emphasis remap='B'>pam_faillock.so</emphasis> module is called from
+-      a screensaver. As this would make it impossible to share PAM configuration
+-      with such services the following workaround is used: If the data file
+-      cannot be opened because of insufficient permissions
+-      (<errorcode>EACCES</errorcode>) the module returns
+-      <errorcode>PAM_SUCCESS</errorcode>.
++      The individual files with the failure records are created as owned by
++      the user. This allows <emphasis remap='B'>pam_faillock.so</emphasis> module
++      to work correctly when it is called from a screensaver.
+     </para>
+     <para>
+       Note that using the module in <option>preauth</option> without the
diff --git a/SOURCES/pam-1.1.3-nouserenv.patch b/SOURCES/pam-1.1.3-nouserenv.patch
new file mode 100644
index 0000000..f3a742c
--- /dev/null
+++ b/SOURCES/pam-1.1.3-nouserenv.patch
@@ -0,0 +1,27 @@
+diff -up pam/modules/pam_env/pam_env.c.nouserenv pam/modules/pam_env/pam_env.c
+--- pam/modules/pam_env/pam_env.c.nouserenv	2010-10-20 09:59:30.000000000 +0200
++++ pam/modules/pam_env/pam_env.c	2010-11-01 14:42:01.000000000 +0100
+@@ -10,7 +10,7 @@
+ #define DEFAULT_READ_ENVFILE    1
+ 
+ #define DEFAULT_USER_ENVFILE    ".pam_environment"
+-#define DEFAULT_USER_READ_ENVFILE 1
++#define DEFAULT_USER_READ_ENVFILE 0
+ 
+ #include "config.h"
+ 
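Review bot: The flipped default for `DEFAULT_USER_READ_ENVFILE` carries no comment giving the security reason, which appears only in the pam_env.8.xml hunk that follows. A one-line comment above the define would keep a later maintainer from switching it back without knowing why, for example `/* off by default: a user-controlled file must not influence later modules in the stack unless the administrator opts in */`.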
+diff -up pam/modules/pam_env/pam_env.8.xml.nouserenv pam/modules/pam_env/pam_env.8.xml
+--- pam/modules/pam_env/pam_env.8.xml.nouserenv	2010-10-20 09:59:30.000000000 +0200
++++ pam/modules/pam_env/pam_env.8.xml	2010-11-01 14:42:01.000000000 +0100
+@@ -147,7 +147,10 @@
+         <listitem>
+           <para>
+             Turns on or off the reading of the user specific environment
+-            file. 0 is off, 1 is on. By default this option is on.
++            file. 0 is off, 1 is on. By default this option is off as user
++            supplied environment variables in the PAM environment could affect
++            behavior of subsequent modules in the stack without the consent
++            of the system administrator.
+           </para>
+         </listitem>
+       </varlistentry>
diff --git a/SOURCES/pam-1.1.5-unix-no-fallback.patch b/SOURCES/pam-1.1.5-unix-no-fallback.patch
new file mode 100644
index 0000000..7857196
--- /dev/null
+++ b/SOURCES/pam-1.1.5-unix-no-fallback.patch
@@ -0,0 +1,69 @@
+diff -up Linux-PAM-1.1.5/modules/pam_unix/pam_unix.8.xml.no-fallback Linux-PAM-1.1.5/modules/pam_unix/pam_unix.8.xml
+--- Linux-PAM-1.1.5/modules/pam_unix/pam_unix.8.xml.no-fallback	2011-06-21 11:04:56.000000000 +0200
++++ Linux-PAM-1.1.5/modules/pam_unix/pam_unix.8.xml	2012-05-09 11:54:34.442036404 +0200
+@@ -265,11 +265,10 @@
+         <listitem>
+           <para>
+             When a user changes their password next,
+-            encrypt it with the SHA256 algorithm. If the
+-            SHA256 algorithm is not known to the <citerefentry>
++            encrypt it with the SHA256 algorithm. The
++            SHA256 algorithm must be supported by the <citerefentry>
+ 	    <refentrytitle>crypt</refentrytitle><manvolnum>3</manvolnum>
+-            </citerefentry> function,
+-            fall back to MD5.
++            </citerefentry> function.
+           </para>
+         </listitem>
+       </varlistentry>
+@@ -280,11 +279,10 @@
+         <listitem>
+           <para>
+             When a user changes their password next,
+-            encrypt it with the SHA512 algorithm. If the
+-            SHA512 algorithm is not known to the <citerefentry>
++            encrypt it with the SHA512 algorithm. The
++            SHA512 algorithm must be supported by the <citerefentry>
+ 	    <refentrytitle>crypt</refentrytitle><manvolnum>3</manvolnum>
+-            </citerefentry> function,
+-            fall back to MD5.
++            </citerefentry> function.
+           </para>
+         </listitem>
+       </varlistentry>
+@@ -295,11 +293,10 @@
+         <listitem>
+           <para>
+             When a user changes their password next,
+-            encrypt it with the blowfish algorithm. If the
+-            blowfish algorithm is not known to the <citerefentry>
++            encrypt it with the blowfish algorithm. The
++            blowfish algorithm must be supported by the <citerefentry>
+ 	    <refentrytitle>crypt</refentrytitle><manvolnum>3</manvolnum>
+-            </citerefentry> function,
+-            fall back to MD5.
++            </citerefentry> function.
+           </para>
+         </listitem>
+       </varlistentry>
+diff -up Linux-PAM-1.1.5/modules/pam_unix/passverify.c.no-fallback Linux-PAM-1.1.5/modules/pam_unix/passverify.c
+--- Linux-PAM-1.1.5/modules/pam_unix/passverify.c.no-fallback	2012-05-09 11:48:12.409632377 +0200
++++ Linux-PAM-1.1.5/modules/pam_unix/passverify.c	2012-05-09 11:48:36.953172291 +0200
+@@ -427,15 +427,14 @@ PAMH_ARG_DECL(char * create_password_has
+ 	if (!sp || strncmp(algoid, sp, strlen(algoid)) != 0) {
+ 		/* libxcrypt/libc doesn't know the algorithm, use MD5 */
+ 		pam_syslog(pamh, LOG_ERR,
+-			   "Algo %s not supported by the crypto backend, "
+-			   "falling back to MD5\n",
++			   "Algo %s not supported by the crypto backend.\n",
+ 			   on(UNIX_BLOWFISH_PASS, ctrl) ? "blowfish" :
+ 			   on(UNIX_SHA256_PASS, ctrl) ? "sha256" :
+ 			   on(UNIX_SHA512_PASS, ctrl) ? "sha512" : algoid);
+ 		if(sp) {
+ 		   memset(sp, '\0', strlen(sp));
+ 		}
+-		return crypt_md5_wrapper(password);
++		return NULL;
+ 	}
+ 
+ 	return x_strdup(sp);
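Review bot: The context comment `/* libxcrypt/libc doesn't know the algorithm, use MD5 */` is now stale, because the branch returns NULL instead of calling `crypt_md5_wrapper`. It should read something like `/* libxcrypt/libc doesn't know the algorithm: fail rather than silently downgrade to MD5 */`. The function now has a NULL return on this path, so its callers, which are not visible in this hunk, need to treat NULL as an error and not store or dereference it; that is worth confirming and stating in the function's header comment. create_password_hash starts and ends outside the hunk.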
diff --git a/SOURCES/pam-1.1.6-limits-user.patch b/SOURCES/pam-1.1.6-limits-user.patch
new file mode 100644
index 0000000..3c17b78
--- /dev/null
+++ b/SOURCES/pam-1.1.6-limits-user.patch
@@ -0,0 +1,20 @@
+diff -up Linux-PAM-1.1.6/modules/pam_limits/limits.conf.limits Linux-PAM-1.1.6/modules/pam_limits/limits.conf
+--- Linux-PAM-1.1.6/modules/pam_limits/limits.conf.limits	2012-08-15 13:08:43.000000000 +0200
++++ Linux-PAM-1.1.6/modules/pam_limits/limits.conf	2013-03-14 16:43:37.615087671 +0100
+@@ -1,5 +1,16 @@
+ # /etc/security/limits.conf
+ #
++#This file sets the resource limits for the users logged in via PAM.
++#It does not affect resource limits of the system services.
++#
++#Also note that configuration files in /etc/security/limits.d directory,
++#which are read in alphabetical order, override the settings in this
++#file in case the domain is the same or more specific.
++#That means for example that setting a limit for wildcard domain here
++#can be overriden with a wildcard setting in a config file in the
++#subdirectory, but a user specific setting here can be overriden only
++#with a user specific setting in the subdirectory.
++#
+ #Each line describes a limit for a user in the form:
+ #
+ #<domain>        <type>  <item>  <value>
diff --git a/SOURCES/pam-1.1.6-noflex.patch b/SOURCES/pam-1.1.6-noflex.patch
new file mode 100644
index 0000000..6410a8d
--- /dev/null
+++ b/SOURCES/pam-1.1.6-noflex.patch
@@ -0,0 +1,24 @@
+diff -up Linux-PAM-1.1.6/doc/Makefile.am.noflex Linux-PAM-1.1.6/doc/Makefile.am
+--- Linux-PAM-1.1.6/doc/Makefile.am.noflex	2012-08-15 13:08:43.000000000 +0200
++++ Linux-PAM-1.1.6/doc/Makefile.am	2012-08-17 14:13:11.904949748 +0200
+@@ -2,7 +2,7 @@
+ # Copyright (c) 2005, 2006 Thorsten Kukuk <kukuk@suse.de>
+ #
+ 
+-SUBDIRS = man specs sag adg mwg
++SUBDIRS = man sag adg mwg
+ 
+ CLEANFILES = *~
+ 
+diff -up Linux-PAM-1.1.6/Makefile.am.noflex Linux-PAM-1.1.6/Makefile.am
+--- Linux-PAM-1.1.6/Makefile.am.noflex	2012-08-15 13:08:43.000000000 +0200
++++ Linux-PAM-1.1.6/Makefile.am	2012-08-17 14:15:36.705359892 +0200
+@@ -4,7 +4,7 @@
+ 
+ AUTOMAKE_OPTIONS = 1.9 gnu dist-bzip2 check-news
+ 
+-SUBDIRS = libpam tests libpamc libpam_misc modules po conf doc examples xtests
++SUBDIRS = libpam tests libpamc libpam_misc modules po doc examples xtests
+ 
+ CLEANFILES = *~
+ 
diff --git a/SOURCES/pam-1.1.6-std-noclose.patch b/SOURCES/pam-1.1.6-std-noclose.patch
new file mode 100644
index 0000000..2c1331b
--- /dev/null
+++ b/SOURCES/pam-1.1.6-std-noclose.patch
@@ -0,0 +1,146 @@
+diff -up Linux-PAM-1.1.6/modules/pam_mkhomedir/pam_mkhomedir.c.std-noclose Linux-PAM-1.1.6/modules/pam_mkhomedir/pam_mkhomedir.c
+--- Linux-PAM-1.1.6/modules/pam_mkhomedir/pam_mkhomedir.c.std-noclose	2012-08-15 13:08:43.000000000 +0200
++++ Linux-PAM-1.1.6/modules/pam_mkhomedir/pam_mkhomedir.c	2013-04-24 13:11:14.768817086 +0200
+@@ -35,6 +35,7 @@
+ #include <sys/time.h>
+ #include <sys/resource.h>
+ #include <sys/wait.h>
++#include <fcntl.h>
+ #include <unistd.h>
+ #include <pwd.h>
+ #include <errno.h>
+@@ -133,13 +134,21 @@ create_homedir (pam_handle_t *pamh, opti
+    if (child == 0) {
+         int i;
+         struct rlimit rlim;
++	int dummyfds[2];
+ 	static char *envp[] = { NULL };
+ 	char *args[] = { NULL, NULL, NULL, NULL, NULL };
+ 
++	/* replace std file descriptors with a dummy pipe */
++	if (pipe2(dummyfds, O_NONBLOCK) == 0) {
++		dup2(dummyfds[0], STDIN_FILENO);
++		dup2(dummyfds[1], STDOUT_FILENO);
++		dup2(dummyfds[1], STDERR_FILENO);
++	}
++
+ 	if (getrlimit(RLIMIT_NOFILE, &rlim)==0) {
+           if (rlim.rlim_max >= MAX_FD_NO)
+                 rlim.rlim_max = MAX_FD_NO;
+-	  for (i=0; i < (int)rlim.rlim_max; i++) {
++	  for (i = STDERR_FILENO + 1; i < (int)rlim.rlim_max; i++) {
+ 		close(i);
+ 	  }
+ 	}
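Review bot: The `if (pipe2(dummyfds, O_NONBLOCK) == 0)` block has no failure path, and the close loop now starts at `STDERR_FILENO + 1`, so when pipe2 fails the helper is executed with whatever stdin/stdout/stderr the calling application had open, which the old loop closed. A fallback such as `else { for (i = 0; i <= STDERR_FILENO; i++) close(i); }` would at least keep the previous behaviour of not handing the caller's descriptors to the helper; the `dup2()` results are also unchecked. The same pattern appears in the pam_unix_acct.c, pam_unix_passwd.c and support.c hunks of this patch, where the fallback must leave the real pipe end (`fds[1]` or `fds[0]`) in place. The child block continues outside this hunk.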
+diff -up Linux-PAM-1.1.6/modules/pam_unix/pam_unix_acct.c.std-noclose Linux-PAM-1.1.6/modules/pam_unix/pam_unix_acct.c
+--- Linux-PAM-1.1.6/modules/pam_unix/pam_unix_acct.c.std-noclose	2012-08-15 13:08:43.000000000 +0200
++++ Linux-PAM-1.1.6/modules/pam_unix/pam_unix_acct.c	2013-04-24 13:12:17.105990961 +0200
+@@ -39,6 +39,7 @@
+ #include <stdlib.h>
+ #include <stdio.h>
+ #include <string.h>
++#include <fcntl.h>
+ #include <unistd.h>
+ #include <sys/types.h>
+ #include <sys/resource.h>
+@@ -100,21 +101,26 @@ int _unix_run_verify_binary(pam_handle_t
+   if (child == 0) {
+     int i=0;
+     struct rlimit rlim;
++    int dummyfds[2];
+     static char *envp[] = { NULL };
+     char *args[] = { NULL, NULL, NULL, NULL };
+ 
+     /* reopen stdout as pipe */
+     dup2(fds[1], STDOUT_FILENO);
+ 
++    /* replace std file descriptors with a dummy pipe */
++    if (pipe2(dummyfds, O_NONBLOCK) == 0) {
++      dup2(dummyfds[0], STDIN_FILENO);
++      dup2(dummyfds[1], STDERR_FILENO);
++    }
++
+     /* XXX - should really tidy up PAM here too */
+ 
+     if (getrlimit(RLIMIT_NOFILE,&rlim)==0) {
+       if (rlim.rlim_max >= MAX_FD_NO)
+         rlim.rlim_max = MAX_FD_NO;
+-      for (i=0; i < (int)rlim.rlim_max; i++) {
+-	if (i != STDOUT_FILENO) {
+-	  close(i);
+-	}
++      for (i = STDERR_FILENO + 1; i < (int)rlim.rlim_max; i++) {
++	close(i);
+       }
+     }
+ 
+diff -up Linux-PAM-1.1.6/modules/pam_unix/pam_unix_passwd.c.std-noclose Linux-PAM-1.1.6/modules/pam_unix/pam_unix_passwd.c
+--- Linux-PAM-1.1.6/modules/pam_unix/pam_unix_passwd.c.std-noclose	2012-08-15 13:08:43.000000000 +0200
++++ Linux-PAM-1.1.6/modules/pam_unix/pam_unix_passwd.c	2013-04-23 17:13:49.047499806 +0200
+@@ -202,6 +202,7 @@ static int _unix_run_update_binary(pam_h
+     if (child == 0) {
+         int i=0;
+         struct rlimit rlim;
++	int dummyfds[2];
+ 	static char *envp[] = { NULL };
+ 	char *args[] = { NULL, NULL, NULL, NULL, NULL, NULL };
+         char buffer[16];
+@@ -211,11 +212,17 @@ static int _unix_run_update_binary(pam_h
+ 	/* reopen stdin as pipe */
+ 	dup2(fds[0], STDIN_FILENO);
+ 
++	/* replace std file descriptors with a dummy pipe */
++	if (pipe2(dummyfds, O_NONBLOCK) == 0) {
++          dup2(dummyfds[1], STDOUT_FILENO);
++          dup2(dummyfds[1], STDERR_FILENO);
++	}
++
+ 	if (getrlimit(RLIMIT_NOFILE,&rlim)==0) {
+ 	  if (rlim.rlim_max >= MAX_FD_NO)
+ 	    rlim.rlim_max = MAX_FD_NO;
+-	  for (i=0; i < (int)rlim.rlim_max; i++) {
+-	    if (i != STDIN_FILENO)
++	  for (i = STDERR_FILENO + 1; i < (int)rlim.rlim_max; i++) {
++	    if (i != dummyfds[0])
+ 		close(i);
+ 	  }
+ 	}
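Review bot: The loop's `if (i != dummyfds[0])` reads an indeterminate value when `pipe2()` fails, because `dummyfds` is declared without an initializer in the previous hunk and pipe2 is not documented to fill it on failure. The comparison can then skip an arbitrary inherited descriptor and leave it open across the exec of the helper. Initialising the array removes the problem: `int dummyfds[2] = { -1, -1 };`. The support.c hunks of this patch have the same declaration and the same loop test.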
+diff -up Linux-PAM-1.1.6/modules/pam_unix/support.c.std-noclose Linux-PAM-1.1.6/modules/pam_unix/support.c
+--- Linux-PAM-1.1.6/modules/pam_unix/support.c.std-noclose	2012-08-15 13:08:43.000000000 +0200
++++ Linux-PAM-1.1.6/modules/pam_unix/support.c	2013-04-24 13:12:42.893064361 +0200
+@@ -5,6 +5,7 @@
+ #include "config.h"
+ 
+ #include <stdlib.h>
++#include <fcntl.h>
+ #include <unistd.h>
+ #include <stdarg.h>
+ #include <stdio.h>
+@@ -462,6 +463,7 @@ static int _unix_run_helper_binary(pam_h
+     if (child == 0) {
+         int i=0;
+         struct rlimit rlim;
++	int dummyfds[2];
+ 	static char *envp[] = { NULL };
+ 	char *args[] = { NULL, NULL, NULL, NULL };
+ 
+@@ -470,11 +472,17 @@ static int _unix_run_helper_binary(pam_h
+ 	/* reopen stdin as pipe */
+ 	dup2(fds[0], STDIN_FILENO);
+ 
++        /* replace std file descriptors with a dummy pipe */
++        if (pipe2(dummyfds, O_NONBLOCK) == 0) {
++          dup2(dummyfds[1], STDOUT_FILENO);
++          dup2(dummyfds[1], STDERR_FILENO);
++        }
++
+ 	if (getrlimit(RLIMIT_NOFILE,&rlim)==0) {
+           if (rlim.rlim_max >= MAX_FD_NO)
+                 rlim.rlim_max = MAX_FD_NO;
+-	  for (i=0; i < (int)rlim.rlim_max; i++) {
+-		if (i != STDIN_FILENO)
++	  for (i = STDERR_FILENO + 1; i < (int)rlim.rlim_max; i++) {
++		if (i != dummyfds[0])
+ 		  close(i);
+ 	  }
+ 	}
diff --git a/SOURCES/pam-1.1.6-use-links.patch b/SOURCES/pam-1.1.6-use-links.patch
new file mode 100644
index 0000000..2c56c6f
--- /dev/null
+++ b/SOURCES/pam-1.1.6-use-links.patch
@@ -0,0 +1,15 @@
+diff -up Linux-PAM-1.1.6/configure.in.links Linux-PAM-1.1.6/configure.in
+--- Linux-PAM-1.1.6/configure.in.links	2013-04-24 13:13:36.000000000 +0200
++++ Linux-PAM-1.1.6/configure.in	2013-08-07 14:08:03.818055990 +0200
+@@ -548,9 +548,9 @@ JH_CHECK_XML_CATALOG([-//OASIS//DTD DocB
+ JH_CHECK_XML_CATALOG([http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl],
+                 [DocBook XSL Stylesheets], [], enable_docu=no)
+ 
+-AC_PATH_PROG([BROWSER], [w3m])
++AC_PATH_PROG([BROWSER], [links])
+ if test ! -z "$BROWSER"; then
+-     BROWSER="$BROWSER -T text/html -dump"
++     BROWSER="$BROWSER -no-numbering -no-references -dump"
+ else
+      enable_docu=no
+ fi
diff --git a/SOURCES/pam-1.1.7-tty-audit-init.patch b/SOURCES/pam-1.1.7-tty-audit-init.patch
new file mode 100644
index 0000000..5ddaebb
--- /dev/null
+++ b/SOURCES/pam-1.1.7-tty-audit-init.patch
@@ -0,0 +1,48 @@
+diff -up Linux-PAM-1.1.7/modules/pam_tty_audit/pam_tty_audit.c.tty-audit-init Linux-PAM-1.1.7/modules/pam_tty_audit/pam_tty_audit.c
+--- Linux-PAM-1.1.7/modules/pam_tty_audit/pam_tty_audit.c.tty-audit-init	2013-08-28 10:53:40.000000000 +0200
++++ Linux-PAM-1.1.7/modules/pam_tty_audit/pam_tty_audit.c	2013-10-04 14:51:19.944994905 +0200
+@@ -36,6 +36,7 @@
+    USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
+    DAMAGE. */
+ 
++#include "config.h"
+ #include <errno.h>
+ #include <fnmatch.h>
+ #include <stdlib.h>
+@@ -108,7 +109,7 @@ nl_recv (int fd, unsigned type, void *bu
+   struct msghdr msg;
+   struct nlmsghdr nlm;
+   struct iovec iov[2];
+-  ssize_t res;
++  ssize_t res, resdiff;
+ 
+  again:
+   iov[0].iov_base = &nlm;
+@@ -160,12 +161,17 @@ nl_recv (int fd, unsigned type, void *bu
+   res = recvmsg (fd, &msg, 0);
+   if (res == -1)
+     return -1;
+-  if ((size_t)res != NLMSG_LENGTH (size)
++  resdiff = NLMSG_LENGTH(size) - (size_t)res;
++  if (resdiff < 0
+       || nlm.nlmsg_type != type)
+     {
+       errno = EIO;
+       return -1;
+     }
++  else if (resdiff > 0)
++    {
++      memset((char *)buf + size - resdiff, 0, resdiff);
++    }
+   return 0;
+ }
+ 
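Review bot: The new `memset((char *)buf + size - resdiff, 0, resdiff)` has no upper bound on `resdiff`: if `recvmsg` returns fewer bytes than the netlink header, `resdiff` exceeds `size` and the start address falls before `buf`. In that case `nlm` is also only partly filled when `nlm.nlmsg_type` is compared. Rejecting such short reads in the existing test closes both gaps: `if (resdiff < 0 || (size_t)resdiff > size || nlm.nlmsg_type != type)`. `resdiff` is also computed from an unsigned subtraction and relies on the conversion to `ssize_t` to go negative, which deserves a comment. The iovec setup that fixes how `buf` and `size` are used is outside this hunk, so this reading assumes `buf` receives only the payload.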
+@@ -275,6 +281,8 @@ pam_sm_open_session (pam_handle_t *pamh,
+       return PAM_SESSION_ERR;
+     }
+ 
++  memcpy(&new_status, old_status, sizeof(new_status));
++
+   new_status.enabled = (command == CMD_ENABLE ? 1 : 0);
+ #ifdef HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD
+   new_status.log_passwd = log_passwd;
diff --git a/SOURCES/pam-1.1.8-access-update.patch b/SOURCES/pam-1.1.8-access-update.patch
new file mode 100644
index 0000000..4a4b0a4
--- /dev/null
+++ b/SOURCES/pam-1.1.8-access-update.patch
@@ -0,0 +1,392 @@
+diff -up Linux-PAM-1.1.8/modules/pam_access/access.conf.access-update Linux-PAM-1.1.8/modules/pam_access/access.conf
+--- Linux-PAM-1.1.8/modules/pam_access/access.conf.access-update	2013-06-18 16:11:21.000000000 +0200
++++ Linux-PAM-1.1.8/modules/pam_access/access.conf	2017-09-08 14:06:16.420102221 +0200
+@@ -18,7 +18,7 @@
+ # pam_access with X applications that provide PAM_TTY values that are
+ # the display variable like "host:0".]
+ #
+-# 	permission : users : origins
++# 	permission:users:origins
+ #
+ # The first field should be a "+" (access granted) or "-" (access denied)
+ # character.
+@@ -79,44 +79,44 @@
+ ##############################################################################
+ #
+ # User "root" should be allowed to get access via cron .. tty5 tty6.
+-#+ : root : cron crond :0 tty1 tty2 tty3 tty4 tty5 tty6
++#+:root:cron crond :0 tty1 tty2 tty3 tty4 tty5 tty6
+ #
+ # User "root" should be allowed to get access from hosts with ip addresses.
+-#+ : root : 192.168.200.1 192.168.200.4 192.168.200.9
+-#+ : root : 127.0.0.1
++#+:root:192.168.200.1 192.168.200.4 192.168.200.9
++#+:root:127.0.0.1
+ #
+ # User "root" should get access from network 192.168.201.
+ # This term will be evaluated by string matching.
+ # comment: It might be better to use network/netmask instead.
+ #          The same is 192.168.201.0/24 or 192.168.201.0/255.255.255.0
+-#+ : root : 192.168.201.
++#+:root:192.168.201.
+ #
+ # User "root" should be able to have access from domain.
+ # Uses string matching also.
+-#+ : root : .foo.bar.org
++#+:root:.foo.bar.org
+ #
+ # User "root" should be denied to get access from all other sources.
+-#- : root : ALL
++#-:root:ALL
+ #
+ # User "foo" and members of netgroup "nis_group" should be
+ # allowed to get access from all sources.
+ # This will only work if netgroup service is available.
+-#+ : @nis_group foo : ALL
++#+:@nis_group foo:ALL
+ #
+ # User "john" should get access from ipv4 net/mask
+-#+ : john : 127.0.0.0/24
++#+:john:127.0.0.0/24
+ #
+ # User "john" should get access from ipv4 as ipv6 net/mask
+-#+ : john : ::ffff:127.0.0.0/127
++#+:john:::ffff:127.0.0.0/127
+ #
+ # User "john" should get access from ipv6 host address
+-#+ : john : 2001:4ca0:0:101::1
++#+:john:2001:4ca0:0:101::1
+ #
+ # User "john" should get access from ipv6 host address (same as above)
+-#+ : john : 2001:4ca0:0:101:0:0:0:1
++#+:john:2001:4ca0:0:101:0:0:0:1
+ #
+ # User "john" should get access from ipv6 net/mask
+-#+ : john : 2001:4ca0:0:101::/64
++#+:john:2001:4ca0:0:101::/64
+ #
+ # All other users should be denied to get access from all sources.
+-#- : ALL : ALL
++#-:ALL:ALL
+diff -up Linux-PAM-1.1.8/modules/pam_access/access.conf.5.xml.access-update Linux-PAM-1.1.8/modules/pam_access/access.conf.5.xml
+--- Linux-PAM-1.1.8/modules/pam_access/access.conf.5.xml.access-update	2013-06-18 16:11:21.000000000 +0200
++++ Linux-PAM-1.1.8/modules/pam_access/access.conf.5.xml	2017-09-08 14:05:41.126320653 +0200
+@@ -21,8 +21,12 @@
+     <para>
+       The <filename>/etc/security/access.conf</filename> file specifies
+       (<replaceable>user/group</replaceable>, <replaceable>host</replaceable>),
+-      (<replaceable>user/group</replaceable>, <replaceable>network/netmask</replaceable>) or
+-      (<replaceable>user/group</replaceable>, <replaceable>tty</replaceable>)
++      (<replaceable>user/group</replaceable>, <replaceable>network/netmask</replaceable>),
++      (<replaceable>user/group</replaceable>, <replaceable>tty</replaceable>),
++      (<replaceable>user/group</replaceable>,
++      <replaceable>X-$DISPLAY-value</replaceable>), or
++      (<replaceable>user/group</replaceable>,
++      <replaceable>pam-service-name</replaceable>)
+       combinations for which a login will be either accepted or refused.
+     </para>
+     <para>
+@@ -33,7 +37,14 @@
+       combination, or, in case of non-networked logins, the first entry
+       that matches the
+       (<replaceable>user/group</replaceable>, <replaceable>tty</replaceable>)
+-      combination.  The permissions field of that table entry determines
++      combination, or in the case of non-networked logins without a
++      tty, the first entry that matches the
++      (<replaceable>user/group</replaceable>,
++      <replaceable>X-$DISPLAY-value</replaceable>) or
++      (<replaceable>user/group</replaceable>,
++      <replaceable>pam-service-name/</replaceable>)
++      combination.  The permissions field of that table entry
++      determines
+       whether the login will be accepted or refused.
+    </para>
+ 
+@@ -65,14 +76,27 @@
+     <para>
+       The third field, the <replaceable>origins</replaceable>
+       field, should be a list of one or more tty names (for non-networked
+-      logins), host names, domain names (begin with "."), host addresses,
++      logins), X <varname>$DISPLAY</varname> values or PAM service
++      names (for non-networked logins without a tty), host names,
++      domain names (begin with "."), host addresses,
+       internet network numbers (end with "."), internet network addresses
+       with network mask (where network mask can be a decimal number or an
+       internet address also), <emphasis>ALL</emphasis> (which always matches)
+-      or <emphasis>LOCAL</emphasis>. <emphasis>LOCAL</emphasis>
+-      keyword matches if and only if the <emphasis>PAM_RHOST</emphasis> is
+-      not set and &lt;origin&gt; field is thus set from
+-      <emphasis>PAM_TTY</emphasis> or <emphasis>PAM_SERVICE</emphasis>".
++      or <emphasis>LOCAL</emphasis>. The <emphasis>LOCAL</emphasis>
++      keyword matches if and only if
++      <citerefentry><refentrytitle>pam_get_item</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
++      when called with an <parameter>item_type</parameter> of
++      <emphasis>PAM_RHOST</emphasis>, returns <code>NULL</code> or an
++      empty string (and therefore the
++      <replaceable>origins</replaceable> field is compared against the
++      return value of
++      <citerefentry><refentrytitle>pam_get_item</refentrytitle><manvolnum>3</manvolnum></citerefentry>
++      called with an <parameter>item_type</parameter> of
++      <emphasis>PAM_TTY</emphasis> or, absent that,
++      <emphasis>PAM_SERVICE</emphasis>).
++    </para>
++
++    <para>
+       If supported by the system you can use
+       <emphasis>@netgroupname</emphasis> in host or user patterns. The
+       <emphasis>@@netgroupname</emphasis> syntax is supported in the user
+@@ -115,7 +139,7 @@
+       <emphasis>tty1</emphasis>, ..., <emphasis>tty5</emphasis>,
+       <emphasis>tty6</emphasis>.
+     </para>
+-    <para>+ : root : crond :0 tty1 tty2 tty3 tty4 tty5 tty6</para>
++    <para>+:root:crond :0 tty1 tty2 tty3 tty4 tty5 tty6</para>
+ 
+     <para>
+       User <emphasis>root</emphasis> should be allowed to get access from
+@@ -123,8 +147,8 @@
+       connection have to be a IPv4 one, a IPv6 connection from a host with
+       one of this IPv4 addresses does work, too.
+     </para>
+-    <para>+ : root : 192.168.200.1 192.168.200.4 192.168.200.9</para>
+-    <para>+ : root : 127.0.0.1</para>
++    <para>+:root:192.168.200.1 192.168.200.4 192.168.200.9</para>
++    <para>+:root:127.0.0.1</para>
+ 
+     <para>
+       User <emphasis>root</emphasis> should get access from network
+@@ -134,44 +158,44 @@
+       <emphasis>192.168.201.0/24</emphasis> or
+       <emphasis>192.168.201.0/255.255.255.0</emphasis>.
+     </para>
+-    <para>+ : root : 192.168.201.</para>
++    <para>+:root:192.168.201.</para>
+ 
+     <para>
+       User <emphasis>root</emphasis> should be able to have access from hosts
+       <emphasis>foo1.bar.org</emphasis> and <emphasis>foo2.bar.org</emphasis>
+       (uses string matching also).
+     </para>
+-    <para>+ : root : foo1.bar.org foo2.bar.org</para>
++    <para>+:root:foo1.bar.org foo2.bar.org</para>
+ 
+     <para>
+       User <emphasis>root</emphasis> should be able to have access from
+       domain <emphasis>foo.bar.org</emphasis> (uses string matching also).
+     </para>
+-    <para>+ : root : .foo.bar.org</para>
++    <para>+:root:.foo.bar.org</para>
+ 
+     <para>
+       User <emphasis>root</emphasis> should be denied to get access
+       from all other sources.
+     </para>
+-    <para>- : root : ALL</para>
++    <para>-:root:ALL</para>
+ 
+     <para>
+       User <emphasis>foo</emphasis> and members of netgroup
+       <emphasis>admins</emphasis> should be allowed to get access
+       from all sources. This will only work if netgroup service is available.
+     </para>
+-    <para>+ : @admins foo : ALL</para>
++    <para>+:@admins foo:ALL</para>
+ 
+     <para>
+       User <emphasis>john</emphasis> and <emphasis>foo</emphasis>
+       should get access from IPv6 host address.
+     </para>
+-    <para>+ : john foo : 2001:db8:0:101::1</para>
++    <para>+:john foo:2001:db8:0:101::1</para>
+ 
+     <para>
+       User <emphasis>john</emphasis> should get access from IPv6 net/mask.
+     </para>
+-    <para>+ : john : 2001:db8:0:101::/64</para>
++    <para>+:john:2001:db8:0:101::/64</para>
+ 
+     <para>
+       Disallow console logins to all but the shutdown, sync and all
+@@ -182,10 +206,22 @@
+     <para>
+       All other users should be denied to get access from all sources.
+     </para>
+-    <para>- : ALL : ALL</para>
++    <para>-:ALL:ALL</para>
+ 
+   </refsect1>
+ 
++  <refsect1 id="access.conf-notes">
++    <title>NOTES</title>
++    <para>
++      The default separators of list items in a field are space, ',', and tabulator
++      characters. Thus conveniently if spaces are put at the beginning and the end of
++      the fields they are ignored. However if the list separator is changed with the
++      <emphasis>listsep</emphasis> option, the spaces will become part of the actual
++      item and the line will be most probably ignored. For this reason, it is not
++      recommended to put spaces around the ':' characters.
++    </para>
++  </refsect1>
++
+   <refsect1 id="access.conf-see_also">
+     <title>SEE ALSO</title>
+     <para>
+diff -up Linux-PAM-1.1.8/modules/pam_access/Makefile.am.access-update Linux-PAM-1.1.8/modules/pam_access/Makefile.am
+--- Linux-PAM-1.1.8/modules/pam_access/Makefile.am.access-update	2013-06-18 16:11:21.000000000 +0200
++++ Linux-PAM-1.1.8/modules/pam_access/Makefile.am	2017-09-08 14:10:47.223163175 +0200
+@@ -15,7 +15,8 @@ securelibdir = $(SECUREDIR)
+ secureconfdir = $(SCONFIGDIR)
+ 
+ AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \
+-	-DPAM_ACCESS_CONFIG=\"$(SCONFIGDIR)/access.conf\" $(NIS_CFLAGS)
++	-DPAM_ACCESS_CONFIG=\"$(SCONFIGDIR)/access.conf\" \
++	-DACCESS_CONF_GLOB=\"$(SCONFIGDIR)/access.d/*.conf\" $(NIS_CFLAGS)
+ AM_LDFLAGS =  -no-undefined -avoid-version -module
+ if HAVE_VERSIONING
+   AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
+diff -up Linux-PAM-1.1.8/modules/pam_access/pam_access.c.access-update Linux-PAM-1.1.8/modules/pam_access/pam_access.c
+--- Linux-PAM-1.1.8/modules/pam_access/pam_access.c.access-update	2013-06-18 16:11:21.000000000 +0200
++++ Linux-PAM-1.1.8/modules/pam_access/pam_access.c	2017-09-08 14:03:45.620762824 +0200
+@@ -44,6 +44,7 @@
+ #include <arpa/inet.h>
+ #include <netdb.h>
+ #include <sys/socket.h>
++#include <glob.h>
+ #ifdef HAVE_RPCSVC_YPCLNT_H
+ #include <rpcsvc/ypclnt.h>
+ #endif
+@@ -90,6 +91,7 @@
+ #define ALL             2
+ #define YES             1
+ #define NO              0
++#define NOMATCH        -1
+ 
+  /*
+   * A structure to bundle up all login-related information to keep the
+@@ -412,13 +414,17 @@ login_access (pam_handle_t *pamh, struct
+ 	return NO;
+     }
+ #ifdef HAVE_LIBAUDIT
+-    if (!item->noaudit && line[0] == '-' && (match == YES || (match == ALL &&
+-	nonall_match == YES))) {
++    if (!item->noaudit && (match == YES || (match == ALL &&
++	nonall_match == YES)) && line[0] == '-') {
+ 	pam_modutil_audit_write(pamh, AUDIT_ANOM_LOGIN_LOCATION,
+ 	    "pam_access", 0);
+     }
+ #endif
+-    return (match == NO || (line[0] == '+'));
++    if (match == NO)
++	return NOMATCH;
++    if (line[0] == '+')
++	return YES;
++    return NO;
+ }
+ 
+ 
+@@ -524,7 +530,9 @@ user_match (pam_handle_t *pamh, char *to
+     /* Try to split on a pattern (@*[^@]+)(@+.*) */
+     for (at = tok; *at == '@'; ++at);
+ 
+-    if ((at = strchr(at, '@')) != NULL) {
++    if (tok[0] == '(' && tok[strlen(tok) - 1] == ')') {
++      return (group_match (pamh, tok, string, item->debug));
++    } else if ((at = strchr(at, '@')) != NULL) {
+         /* split user@host pattern */
+ 	if (item->hostname == NULL)
+ 	    return NO;
+@@ -549,9 +557,7 @@ user_match (pam_handle_t *pamh, char *to
+ 		hostname = item->hostname;
+ 	}
+         return (netgroup_match (pamh, tok + 1, hostname, string, item->debug));
+-    } else if (tok[0] == '(' && tok[strlen(tok) - 1] == ')')
+-      return (group_match (pamh, tok, string, item->debug));
+-    else if ((rv=string_match (pamh, tok, string, item->debug)) != NO) /* ALL or exact match */
++    } else if ((rv=string_match (pamh, tok, string, item->debug)) != NO) /* ALL or exact match */
+       return rv;
+     else if (item->only_new_group_syntax == NO &&
+ 	     pam_modutil_user_in_group_nam_nam (pamh,
+@@ -573,7 +579,7 @@ group_match (pam_handle_t *pamh, const c
+ 
+     if (debug)
+         pam_syslog (pamh, LOG_DEBUG,
+-		    "group_match: grp=%s, user=%s", grptok, usr);
++		    "group_match: grp=%s, user=%s", tok, usr);
+ 
+     if (strlen(tok) < 3)
+         return NO;
+@@ -808,6 +814,7 @@ pam_sm_authenticate (pam_handle_t *pamh,
+     const char *user=NULL;
+     const void *void_from=NULL;
+     const char *from;
++    const char const *default_config = PAM_ACCESS_CONFIG;
+     struct passwd *user_pw;
+     char hostname[MAXHOSTNAMELEN + 1];
+     int rv;
+@@ -829,7 +836,7 @@ pam_sm_authenticate (pam_handle_t *pamh,
+      */
+     memset(&loginfo, '\0', sizeof(loginfo));
+     loginfo.user = user_pw;
+-    loginfo.config_file = PAM_ACCESS_CONFIG;
++    loginfo.config_file = default_config;
+ 
+     /* parse the argument list */
+ 
+@@ -900,6 +907,26 @@ pam_sm_authenticate (pam_handle_t *pamh,
+ 
+     rv = login_access(pamh, &loginfo);
+ 
++    if (rv == NOMATCH && loginfo.config_file == default_config) {
++	glob_t globbuf;
++	int i, glob_rv;
++
++	/* We do not manipulate locale as setlocale() is not
++	 * thread safe. We could use uselocale() in future.
++	 */
++	glob_rv = glob(ACCESS_CONF_GLOB, GLOB_ERR, NULL, &globbuf);
++	if (!glob_rv) {
++	    /* Parse the *.conf files. */
++	    for (i = 0; globbuf.gl_pathv[i] != NULL; i++) {
++		loginfo.config_file = globbuf.gl_pathv[i];
++		rv = login_access(pamh, &loginfo);
++		if (rv != NOMATCH)
++		    break;
++	    }
++	    globfree(&globbuf);
++	}
++    }
++
+     if (loginfo.gai_rv == 0 && loginfo.res)
+ 	freeaddrinfo(loginfo.res);
+ 
+diff -up Linux-PAM-1.1.8/modules/pam_access/pam_access.8.xml.access-update Linux-PAM-1.1.8/modules/pam_access/pam_access.8.xml
+--- Linux-PAM-1.1.8/modules/pam_access/pam_access.8.xml.access-update	2013-06-18 16:11:21.000000000 +0200
++++ Linux-PAM-1.1.8/modules/pam_access/pam_access.8.xml	2017-09-08 14:04:25.365642960 +0200
+@@ -50,16 +50,25 @@
+       The pam_access PAM module is mainly for access management.
+       It provides logdaemon style login access control based on login
+       names, host or domain names, internet addresses or network numbers,
+-      or on terminal line names in case of non-networked logins.
++      or on terminal line names, X <varname>$DISPLAY</varname> values,
++      or PAM service names in case of non-networked logins.
+     </para>
+     <para>
+       By default rules for access management are taken from config file
+       <filename>/etc/security/access.conf</filename> if you don't specify
+       another file.
++      Then individual <filename>*.conf</filename> files from the
++      <filename>/etc/security/access.d/</filename> directory are read.
++      The files are parsed one after another in the order of the system locale.
++      The effect of the individual files is the same as if all the files were
++      concatenated together in the order of parsing. This means that once
++      a pattern is matched in some file no further files are parsed.
++      If a config file is explicitly specified with the <option>accessfile</option>
++      option the files in the above directory are not parsed.
+     </para>
+     <para>
+       If Linux PAM is compiled with audit support the module will report
+-      when it denies access based on origin (host or tty).
++      when it denies access based on origin (host, tty, etc.).
+     </para>
+   </refsect1>
+ 
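Review bot: In the new access.d block of pam_sm_authenticate, a non-zero return from `glob()` is dropped silently, so with `GLOB_ERR` set an unreadable directory (`GLOB_ABORTED`) or an allocation failure (`GLOB_NOSPACE`) skips every drop-in file and `rv` stays `NOMATCH`. How `NOMATCH` is turned into a PAM result is outside the hunk, but the removed `return (match == NO || (line[0] == '+'))` suggests that no match has meant allow, in which case deny rules placed in the drop-ins would be lost without any trace. I would log every failure other than `GLOB_NOMATCH`, for example `else if (glob_rv != GLOB_NOMATCH) pam_syslog(pamh, LOG_ERR, "glob of %s failed: %d", ACCESS_CONF_GLOB, glob_rv);`, and decide explicitly whether that case should deny. Separately, `const char const *default_config` repeats the qualifier; `const char * const default_config` looks like what was intended.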
diff --git a/SOURCES/pam-1.1.8-audit-grantor.patch b/SOURCES/pam-1.1.8-audit-grantor.patch
new file mode 100644
index 0000000..451634b
--- /dev/null
+++ b/SOURCES/pam-1.1.8-audit-grantor.patch
@@ -0,0 +1,435 @@
+From 0d29e379601819c7f7ed8de18b54de803a9f4049 Mon Sep 17 00:00:00 2001
+From: Tomas Mraz <tmraz@fedoraproject.org>
+Date: Fri, 5 Sep 2014 09:09:37 +0200
+Subject: [PATCH] Add grantor field to audit records of libpam.
+
+The grantor field gives audit trail of PAM modules which granted access
+for successful return from libpam calls. In case of failed return
+the grantor field is set to '?'.
+libpam/pam_account.c (pam_acct_mgmt): Remove _pam_auditlog() call.
+libpam/pam_auth.c (pam_authenticate, pam_setcred): Likewise.
+libpam/pam_password.c (pam_chauthtok): Likewise.
+libpam/pam_session.c (pam_open_session, pam_close_session): Likewise.
+libpam/pam_audit.c (_pam_audit_writelog): Add grantors parameter,
+add grantor= field to the message if grantors is set.
+(_pam_list_grantors): New function creating the string with grantors list.
+(_pam_auditlog): Add struct handler pointer parameter, call _pam_list_grantors()
+to list the grantors from the handler list.
+(_pam_audit_end): Add NULL handler parameter to _pam_auditlog() call.
+(pam_modutil_audit_write): Add NULL grantors parameter to _pam_audit_writelog().
+libpam/pam_dispatch.c (_pam_dispatch_aux): Set h->grantor where appropriate.
+(_pam_clear_grantors): New function to clear grantor field of handler.
+(_pam_dispatch): Call _pam_clear_grantors() before executing the stack.
+Call _pam_auditlog() when appropriate.
+libpam/pam_handlers.c (extract_modulename): Do not allow empty module name
+or just "?" to avoid confusing audit trail.
+(_pam_add_handler): Test for NULL return from extract_modulename().
+Clear grantor field of handler.
+libpam/pam_private.h: Add grantor field to struct handler, add handler pointer
+parameter to _pam_auditlog().
+---
+ libpam/pam_account.c  |  4 ---
+ libpam/pam_audit.c    | 84 +++++++++++++++++++++++++++++++++++++++++++--------
+ libpam/pam_auth.c     |  8 -----
+ libpam/pam_dispatch.c | 41 ++++++++++++++++++++-----
+ libpam/pam_handlers.c | 14 +++++++--
+ libpam/pam_password.c |  4 ---
+ libpam/pam_private.h  |  3 +-
+ libpam/pam_session.c  |  7 -----
+ 8 files changed, 119 insertions(+), 46 deletions(-)
+
+diff --git a/libpam/pam_account.c b/libpam/pam_account.c
+index 572acc4..3a4fb1f 100644
+--- a/libpam/pam_account.c
++++ b/libpam/pam_account.c
+@@ -19,9 +19,5 @@ int pam_acct_mgmt(pam_handle_t *pamh, int flags)
+ 
+     retval = _pam_dispatch(pamh, flags, PAM_ACCOUNT);
+ 
+-#ifdef HAVE_LIBAUDIT
+-    retval = _pam_auditlog(pamh, PAM_ACCOUNT, retval, flags);
+-#endif
+-
+     return retval;
+ }
+diff --git a/libpam/pam_audit.c b/libpam/pam_audit.c
+index 531746a..24fb799 100644
+--- a/libpam/pam_audit.c
++++ b/libpam/pam_audit.c
+@@ -6,12 +6,12 @@
+    Authors:
+    Steve Grubb <sgrubb@redhat.com> */
+ 
+-#include <stdio.h>
+-#include <syslog.h>
+ #include "pam_private.h"
+ #include "pam_modutil_private.h"
+ 
+ #ifdef HAVE_LIBAUDIT
++#include <stdio.h>
++#include <syslog.h>
+ #include <libaudit.h>
+ #include <pwd.h>
+ #include <netdb.h>
+@@ -25,17 +25,24 @@
+ 
+ static int
+ _pam_audit_writelog(pam_handle_t *pamh, int audit_fd, int type,
+-	const char *message, int retval)
++	const char *message, const char *grantors, int retval)
+ {
+   static int old_errno = -1;
+-  int rc;
+-  char buf[32];
++  int rc = -ENOMEM;
++  char *buf;
++  const char *grantors_field = " grantors=";
+ 
+-  snprintf(buf, sizeof(buf), "PAM:%s", message);
++  if (grantors == NULL) {
++      grantors = "";
++      grantors_field = "";
++  }
+ 
+-  rc = audit_log_acct_message (audit_fd, type, NULL, buf,
+-       (retval != PAM_USER_UNKNOWN && pamh->user) ? pamh->user : "?",
+-	-1, pamh->rhost, NULL, pamh->tty, retval == PAM_SUCCESS );
++  if (asprintf(&buf, "PAM:%s%s%s", message, grantors_field, grantors) >= 0) {
++      rc = audit_log_acct_message(audit_fd, type, NULL, buf,
++	(retval != PAM_USER_UNKNOWN && pamh->user) ? pamh->user : "?",
++	-1, pamh->rhost, NULL, pamh->tty, retval == PAM_SUCCESS);
++      free(buf);
++  }
+ 
+   /* libaudit sets errno to his own negative error code. This can be
+      an official errno number, but must not. It can also be a audit
+@@ -78,12 +85,54 @@ _pam_audit_open(pam_handle_t *pamh)
+   return audit_fd;
+ }
+ 
++static int
++_pam_list_grantors(struct handler *hlist, int retval, char **list)
++{
++  *list = NULL;
++
++  if (retval == PAM_SUCCESS) {
++    struct handler *h;
++    char *p = NULL;
++    size_t len = 0;
++
++    for (h = hlist; h != NULL; h = h->next) {
++      if (h->grantor) {
++        len += strlen(h->mod_name) + 1;
++      }
++    }
++
++    if (len == 0) {
++      return 0;
++    }
++
++    *list = malloc(len);
++    if (*list == NULL) {
++      return -1;
++    }
++
++    for (h = hlist; h != NULL; h = h->next) {
++      if (h->grantor) {
++        if (p == NULL) {
++          p = *list;
++        } else {
++          p = stpcpy(p, ",");
++        }
++
++        p = stpcpy(p, h->mod_name);
++      }
++    }
++  }
++
++  return 0;
++}
++
+ int
+-_pam_auditlog(pam_handle_t *pamh, int action, int retval, int flags)
++_pam_auditlog(pam_handle_t *pamh, int action, int retval, int flags, struct handler *h)
+ {
+   const char *message;
+   int type;
+   int audit_fd;
++  char *grantors;
+ 
+   if ((audit_fd=_pam_audit_open(pamh)) == -1) {
+     return PAM_SYSTEM_ERR;
+@@ -134,8 +183,17 @@ _pam_auditlog(pam_handle_t *pamh, int action, int retval, int flags)
+     retval = PAM_SYSTEM_ERR;
+   }
+ 
+-  if (_pam_audit_writelog(pamh, audit_fd, type, message, retval) < 0)
++  if (_pam_list_grantors(h, retval, &grantors) < 0) {
++    /* allocation failure */
++    pam_syslog(pamh, LOG_CRIT, "_pam_list_grantors() failed: %m");
+     retval = PAM_SYSTEM_ERR;
++  }
++
++  if (_pam_audit_writelog(pamh, audit_fd, type, message,
++      grantors ? grantors : "?", retval) < 0)
++    retval = PAM_SYSTEM_ERR;
++
++  free(grantors);
+ 
+   audit_close(audit_fd);
+   return retval;
+@@ -149,7 +207,7 @@ _pam_audit_end(pam_handle_t *pamh, int status UNUSED)
+      * stacks having been run. Assume that this is sshd faking
+      * things for an unknown user.
+      */
+-    _pam_auditlog(pamh, _PAM_ACTION_DONE, PAM_USER_UNKNOWN, 0);
++    _pam_auditlog(pamh, _PAM_ACTION_DONE, PAM_USER_UNKNOWN, 0, NULL);
+   }
+ 
+   return 0;
+@@ -168,7 +226,7 @@ pam_modutil_audit_write(pam_handle_t *pamh, int type,
+     return retval;
+   }
+ 
+-  rc = _pam_audit_writelog(pamh, audit_fd, type, message, retval);
++  rc = _pam_audit_writelog(pamh, audit_fd, type, message, NULL, retval);
+ 
+   audit_close(audit_fd);
+ 
+diff --git a/libpam/pam_auth.c b/libpam/pam_auth.c
+index 5984fa5..1e7bc6e 100644
+--- a/libpam/pam_auth.c
++++ b/libpam/pam_auth.c
+@@ -45,10 +45,6 @@ int pam_authenticate(pam_handle_t *pamh, int flags)
+     prelude_send_alert(pamh, retval);
+ #endif
+ 
+-#ifdef HAVE_LIBAUDIT
+-    retval = _pam_auditlog(pamh, PAM_AUTHENTICATE, retval, flags);
+-#endif
+-
+     return retval;
+ }
+ 
+@@ -71,10 +67,6 @@ int pam_setcred(pam_handle_t *pamh, int flags)
+ 
+     retval = _pam_dispatch(pamh, flags, PAM_SETCRED);
+ 
+-#ifdef HAVE_LIBAUDIT
+-    retval = _pam_auditlog(pamh, PAM_SETCRED, retval, flags);
+-#endif
+-
+     D(("pam_setcred exit"));
+ 
+     return retval;
+diff --git a/libpam/pam_dispatch.c b/libpam/pam_dispatch.c
+index eb52c82..cf632e8 100644
+--- a/libpam/pam_dispatch.c
++++ b/libpam/pam_dispatch.c
+@@ -217,8 +217,14 @@ static int _pam_dispatch_aux(pam_handle_t *pamh, int flags, struct handler *h,
+                     status = retval;
+                 }
+ 	    }
+-	    if ( impression == _PAM_POSITIVE && action == _PAM_ACTION_DONE ) {
+-		goto decision_made;
++	    if ( impression == _PAM_POSITIVE ) {
++		if ( retval == PAM_SUCCESS ) {
++		    h->grantor = 1;
++		}
++
++		if ( action == _PAM_ACTION_DONE ) {
++		    goto decision_made;
++		}
+ 	    }
+ 	    break;
+ 
+@@ -262,6 +268,9 @@ static int _pam_dispatch_aux(pam_handle_t *pamh, int flags, struct handler *h,
+ 			|| (impression == _PAM_POSITIVE
+ 			    && status == PAM_SUCCESS) ) {
+ 			if ( retval != PAM_IGNORE || cached_retval == retval ) {
++			    if ( impression == _PAM_UNDEF && retval == PAM_SUCCESS ) {
++				h->grantor = 1;
++			    }
+ 			    impression = _PAM_POSITIVE;
+ 			    status = retval;
+ 			}
+@@ -308,6 +317,13 @@ decision_made:     /* by getting  here we have made a decision */
+     return status;
+ }
+ 
++static void _pam_clear_grantors(struct handler *h)
++{
++    for (; h != NULL; h = h->next) {
++	h->grantor = 0;
++    }
++}
++
+ /*
+  * This function translates the module dispatch request into a pointer
+  * to the stack of modules that will actually be run.  the
+@@ -318,21 +334,21 @@ decision_made:     /* by getting  here we have made a decision */
+ int _pam_dispatch(pam_handle_t *pamh, int flags, int choice)
+ {
+     struct handler *h = NULL;
+-    int retval, use_cached_chain;
++    int retval = PAM_SYSTEM_ERR, use_cached_chain;
+     _pam_boolean resumed;
+ 
+     IF_NO_PAMH("_pam_dispatch", pamh, PAM_SYSTEM_ERR);
+ 
+     if (__PAM_FROM_MODULE(pamh)) {
+ 	D(("called from a module!?"));
+-	return PAM_SYSTEM_ERR;
++	goto end;
+     }
+ 
+     /* Load all modules, resolve all symbols */
+ 
+     if ((retval = _pam_init_handlers(pamh)) != PAM_SUCCESS) {
+ 	pam_syslog(pamh, LOG_ERR, "unable to dispatch function");
+-	return retval;
++	goto end;
+     }
+ 
+     use_cached_chain = _PAM_PLEASE_FREEZE;
+@@ -360,7 +376,8 @@ int _pam_dispatch(pam_handle_t *pamh, int flags, int choice)
+ 	break;
+     default:
+ 	pam_syslog(pamh, LOG_ERR, "undefined fn choice; %d", choice);
+-	return PAM_ABORT;
++	retval = PAM_ABORT;
++	goto end;
+     }
+ 
+     if (h == NULL) {     /* there was no handlers.conf... entry; will use
+@@ -393,11 +410,13 @@ int _pam_dispatch(pam_handle_t *pamh, int flags, int choice)
+ 	    pam_syslog(pamh, LOG_ERR,
+ 			    "application failed to re-exec stack [%d:%d]",
+ 			    pamh->former.choice, choice);
+-	    return PAM_ABORT;
++	    retval = PAM_ABORT;
++	    goto end;
+ 	}
+ 	resumed = PAM_TRUE;
+     } else {
+ 	resumed = PAM_FALSE;
++	_pam_clear_grantors(h);
+     }
+ 
+     __PAM_TO_MODULE(pamh);
+@@ -417,5 +436,13 @@ int _pam_dispatch(pam_handle_t *pamh, int flags, int choice)
+ 	pamh->former.choice = PAM_NOT_STACKED;
+     }
+ 
++end:
++
++#ifdef HAVE_LIBAUDIT
++    if (choice != PAM_CHAUTHTOK || flags & PAM_UPDATE_AUTHTOK || retval != PAM_SUCCESS) {
++	retval = _pam_auditlog(pamh, choice, retval, flags, h);
++    }
++#endif
++
+     return retval;
+ }
+diff --git a/libpam/pam_handlers.c b/libpam/pam_handlers.c
+index 02714f7..df3a1d9 100644
+--- a/libpam/pam_handlers.c
++++ b/libpam/pam_handlers.c
+@@ -611,6 +611,12 @@ extract_modulename(const char *mod_path)
+   if (dot)
+     *dot = '\0';
+ 
++  if (*retval == '\0' || strcmp(retval, "?") == 0) {
++    /* do not allow empty module name or "?" to avoid confusing audit trail */
++    _pam_drop(retval);
++    return NULL;
++  }
++
+   return retval;
+ }
+ 
+@@ -888,7 +894,9 @@ int _pam_add_handler(pam_handle_t *pamh
+     (*handler_p)->cached_retval_p = &((*handler_p)->cached_retval);
+     (*handler_p)->argc = argc;
+     (*handler_p)->argv = argv;                       /* not a copy */
+-    (*handler_p)->mod_name = extract_modulename(mod_path);
++    if (((*handler_p)->mod_name = extract_modulename(mod_path)) == NULL)
++	return PAM_ABORT;
++    (*handler_p)->grantor = 0;
+     (*handler_p)->next = NULL;
+ 
+     /* some of the modules have a second calling function */
+@@ -920,7 +928,9 @@ int _pam_add_handler(pam_handle_t *pamh
+ 	} else {
+ 	    (*handler_p2)->argv = NULL;              /* no arguments */
+ 	}
+-	(*handler_p2)->mod_name = extract_modulename(mod_path);
++	if (((*handler_p2)->mod_name = extract_modulename(mod_path)) == NULL)
++	    return PAM_ABORT;
++	(*handler_p2)->grantor = 0;
+ 	(*handler_p2)->next = NULL;
+     }
+ 
+diff --git a/libpam/pam_password.c b/libpam/pam_password.c
+index 75db5e5..592e01f 100644
+--- a/libpam/pam_password.c
++++ b/libpam/pam_password.c
+@@ -57,9 +57,5 @@ int pam_chauthtok(pam_handle_t *pamh, int flags)
+ 	D(("will resume when ready", retval));
+     }
+ 
+-#ifdef HAVE_LIBAUDIT
+-    retval = _pam_auditlog(pamh, PAM_CHAUTHTOK, retval, flags);
+-#endif
+-
+     return retval;
+ }
+diff --git a/libpam/pam_private.h b/libpam/pam_private.h
+index 134dc72..d93283c 100644
+--- a/libpam/pam_private.h
++++ b/libpam/pam_private.h
+@@ -55,6 +55,7 @@ struct handler {
+     struct handler *next;
+     char *mod_name;
+     int stack_level;
++    int grantor;
+ };
+ 
+ #define PAM_HT_MODULE       0
+@@ -316,7 +317,7 @@ if ((pamh) == NULL) {                             \
+         do { (pamh)->caller_is = _PAM_CALLED_FROM_APP; } while (0)
+ 
+ #ifdef HAVE_LIBAUDIT
+-extern int _pam_auditlog(pam_handle_t *pamh, int action, int retval, int flags);
++extern int _pam_auditlog(pam_handle_t *pamh, int action, int retval, int flags, struct handler *h);
+ extern int _pam_audit_end(pam_handle_t *pamh, int pam_status);
+ #endif
+ 
+diff --git a/libpam/pam_session.c b/libpam/pam_session.c
+index 512153f..cb393c1 100644
+--- a/libpam/pam_session.c
++++ b/libpam/pam_session.c
+@@ -22,9 +22,6 @@ int pam_open_session(pam_handle_t *pamh, int flags)
+     }
+     retval = _pam_dispatch(pamh, flags, PAM_OPEN_SESSION);
+ 
+-#ifdef HAVE_LIBAUDIT
+-    retval = _pam_auditlog(pamh, PAM_OPEN_SESSION, retval, flags);
+-#endif
+     return retval;
+ }
+ 
+@@ -43,10 +40,6 @@ int pam_close_session(pam_handle_t *pamh, int flags)
+ 
+     retval = _pam_dispatch(pamh, flags, PAM_CLOSE_SESSION);
+ 
+-#ifdef HAVE_LIBAUDIT
+-    retval = _pam_auditlog(pamh, PAM_CLOSE_SESSION, retval, flags);
+-#endif
+-
+     return retval;
+ 
+ }
+-- 
+1.8.3.1
+
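Review bot: The new `return PAM_ABORT` in _pam_add_handler leaves the function before `(*handler_p)->next = NULL` runs, so when extract_modulename() returns NULL the handler already stored through `*handler_p` keeps an unset `next` and `grantor`. The allocation of that struct and the cleanup that later walks the chain are outside the hunk, so whether the memory is zeroed is not confirmed here; if it is not, freeing the handler list would follow an uninitialised pointer. Moving the two plain assignments above the check avoids the question: `(*handler_p)->grantor = 0;` and `(*handler_p)->next = NULL;` first, then the `if (... == NULL) return PAM_ABORT;`. The `handler_p2` hunk further down has the same ordering and needs the same change.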
diff --git a/SOURCES/pam-1.1.8-audit-user-mgmt.patch b/SOURCES/pam-1.1.8-audit-user-mgmt.patch
new file mode 100644
index 0000000..8459997
--- /dev/null
+++ b/SOURCES/pam-1.1.8-audit-user-mgmt.patch
@@ -0,0 +1,47 @@
+diff -urp Linux-PAM-1.1.8.orig/modules/pam_faillock/main.c Linux-PAM-1.1.8/modules/pam_faillock/main.c
+--- Linux-PAM-1.1.8.orig/modules/pam_faillock/main.c	2014-10-16 10:12:57.117554380 -0400
++++ Linux-PAM-1.1.8/modules/pam_faillock/main.c	2014-10-16 10:38:00.199510093 -0400
+@@ -141,10 +141,8 @@ do_user(struct options *opts, const char
+ 		if ((audit_fd=audit_open()) >= 0) {
+ 
+ 			if (pwd != NULL) {
+-				snprintf(buf, sizeof(buf), "faillock reset uid=%u",
+-					pwd->pw_uid);
+-				audit_log_user_message(audit_fd, AUDIT_USER_ACCT,
+-					buf, NULL, NULL, NULL, rv == 0);
++				audit_log_acct_message(audit_fd, AUDIT_USER_MGMT, NULL,
++					"faillock-reset", NULL, pwd->pw_uid, NULL, NULL, NULL, rv == 0);
+ 			}
+ 			close(audit_fd);
+ 		}
+diff -urp Linux-PAM-1.1.8.orig/modules/pam_tally2/pam_tally2.c Linux-PAM-1.1.8/modules/pam_tally2/pam_tally2.c
+--- Linux-PAM-1.1.8.orig/modules/pam_tally2/pam_tally2.c	2013-06-18 10:11:21.000000000 -0400
++++ Linux-PAM-1.1.8/modules/pam_tally2/pam_tally2.c	2014-10-16 10:37:05.072511717 -0400
+@@ -997,9 +997,9 @@ main( int argc UNUSED, char **argv )
+ #ifdef HAVE_LIBAUDIT
+         char buf[64];
+         int audit_fd = audit_open();
+-        snprintf(buf, sizeof(buf), "pam_tally2 uid=%u reset=%hu", uid, cline_reset);
+-        audit_log_user_message(audit_fd, AUDIT_USER_ACCT,
+-                buf, NULL, NULL, ttyname(STDIN_FILENO), 1);
++        snprintf(buf, sizeof(buf), "pam_tally2 reset=%hu", cline_reset);
++        audit_log_acct_message(audit_fd, AUDIT_USER_MGMT, NULL,
++                buf, NULL, uid, NULL, NULL, ttyname(STDIN_FILENO), 1);
+         if (audit_fd >=0)
+                 close(audit_fd);
+ #endif
+@@ -1040,11 +1040,10 @@ main( int argc UNUSED, char **argv )
+     }
+     else if ( !cline_reset ) {
+ #ifdef HAVE_LIBAUDIT
+-      char buf[64];
+       int audit_fd = audit_open();
+-      snprintf(buf, sizeof(buf), "pam_tally2 uid=all reset=0");
+-      audit_log_user_message(audit_fd, AUDIT_USER_ACCT,
+-              buf, NULL, NULL, ttyname(STDIN_FILENO), 1);
++      audit_log_acct_message(audit_fd, AUDIT_USER_MGMT, NULL,
++              "pam_tally2-reset-all-accts reset=0", "*", -1,
++               NULL, NULL, ttyname(STDIN_FILENO), 1);
+       if (audit_fd >=0)
+               close(audit_fd);
+ #endif
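Review bot: In both pam_tally2.c hunks the new `audit_log_acct_message()` call runs before `audit_fd` is tested, so when `audit_open()` fails the call is made with a negative descriptor and no record is written; only the `close()` is guarded. The pam_faillock hunk in this same patch already wraps the call in `if ((audit_fd=audit_open()) >= 0)`, and the two tally resets should follow it by moving the call inside `if (audit_fd >=0) { ... close(audit_fd); }`. The return value of `audit_log_acct_message()` is also ignored in all three places, so a message on stderr or syslog when it fails would make a missing AUDIT_USER_MGMT event visible to whoever reviews account resets. `main()` and `do_user()` both continue outside the hunks.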
diff --git a/SOURCES/pam-1.1.8-canonicalize-username.patch b/SOURCES/pam-1.1.8-canonicalize-username.patch
new file mode 100644
index 0000000..a3786be
--- /dev/null
+++ b/SOURCES/pam-1.1.8-canonicalize-username.patch
@@ -0,0 +1,21 @@
+diff -up Linux-PAM-1.1.8/modules/pam_selinux/pam_selinux.c.canonicalize Linux-PAM-1.1.8/modules/pam_selinux/pam_selinux.c
+--- Linux-PAM-1.1.8/modules/pam_selinux/pam_selinux.c.canonicalize	2013-06-18 16:11:21.000000000 +0200
++++ Linux-PAM-1.1.8/modules/pam_selinux/pam_selinux.c	2014-03-06 12:03:54.429639972 +0100
+@@ -491,12 +491,17 @@ compute_exec_context(pam_handle_t *pamh,
+   char *level = NULL;
+   security_context_t *contextlist = NULL;
+   int num_contexts = 0;
++  const struct passwd *pwd;
+ 
+   if (!(username = get_item(pamh, PAM_USER))) {
+     pam_syslog(pamh, LOG_ERR, "Cannot obtain the user name");
+     return PAM_USER_UNKNOWN;
+   }
+ 
++  if ((pwd = pam_modutil_getpwnam(pamh, username)) != NULL) {
++    username = pwd->pw_name;
++  } /* ignore error and keep using original username */
++
+   /* compute execute context */
+ #ifdef HAVE_GETSEUSER
+   if (!(service = get_item(pamh, PAM_SERVICE))) {
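Review bot: The fallback after `pam_modutil_getpwnam()` is silent, so a PAM_USER value that the passwd lookup cannot resolve goes on to the context computation unchanged and nothing records that canonicalization was skipped. A debug-level `pam_syslog()` in an `else` branch would help when diagnosing a wrong context. The trailing comment would also read better as a leading one that says why the canonical name is wanted, which the hunk does not explain. `username` now points at `pwd->pw_name`, so a comment should state that this storage has to stay valid for the rest of compute_exec_context, whose body continues outside the hunk.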
diff --git a/SOURCES/pam-1.1.8-cve-2013-7041.patch b/SOURCES/pam-1.1.8-cve-2013-7041.patch
new file mode 100644
index 0000000..96fa916
--- /dev/null
+++ b/SOURCES/pam-1.1.8-cve-2013-7041.patch
@@ -0,0 +1,52 @@
+From 57a1e2b274d0a6376d92ada9926e5c5741e7da20 Mon Sep 17 00:00:00 2001
+From: "Dmitry V. Levin" <ldv@altlinux.org>
+Date: Fri, 24 Jan 2014 22:18:32 +0000
+Subject: [PATCH] pam_userdb: fix password hash comparison
+
+Starting with commit Linux-PAM-0-77-28-g0b3e583 that introduced hashed
+passwords support in pam_userdb, hashes are compared case-insensitively.
+This bug leads to accepting hashes for completely different passwords in
+addition to those that should be accepted.
+
+Additionally, commit Linux-PAM-1_1_6-13-ge2a8187 that added support for
+modern password hashes with different lengths and settings, did not
+update the hash comparison accordingly, which leads to accepting
+computed hashes longer than stored hashes when the latter is a prefix
+of the former.
+
+* modules/pam_userdb/pam_userdb.c (user_lookup): Reject the computed
+hash whose length differs from the stored hash length.
+Compare computed and stored hashes case-sensitively.
+Fixes CVE-2013-7041.
+
+Bug-Debian: http://bugs.debian.org/731368
+---
+ modules/pam_userdb/pam_userdb.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/modules/pam_userdb/pam_userdb.c b/modules/pam_userdb/pam_userdb.c
+index de8b5b1..ff040e6 100644
+--- a/modules/pam_userdb/pam_userdb.c
++++ b/modules/pam_userdb/pam_userdb.c
+@@ -222,12 +222,15 @@ user_lookup (pam_handle_t *pamh, const char *database, const char *cryptmode,
+ 	  } else {
+ 	    cryptpw = crypt (pass, data.dptr);
+ 
+-	    if (cryptpw) {
+-	      compare = strncasecmp (data.dptr, cryptpw, data.dsize);
++	    if (cryptpw && strlen(cryptpw) == (size_t)data.dsize) {
++	      compare = memcmp(data.dptr, cryptpw, data.dsize);
+ 	    } else {
+ 	      compare = -2;
+ 	      if (ctrl & PAM_DEBUG_ARG) {
+-		pam_syslog(pamh, LOG_INFO, "crypt() returned NULL");
++		if (cryptpw)
++		  pam_syslog(pamh, LOG_INFO, "lengths of computed and stored hashes differ");
++		else
++		  pam_syslog(pamh, LOG_INFO, "crypt() returned NULL");
+ 	      }
+ 	    };
+ 
+-- 
+1.8.3.1
+
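Review bot: The new comparison treats `data.dptr` as a length-delimited buffer (`memcmp(..., data.dsize)` and the `strlen(cryptpw) == (size_t)data.dsize` test), but the unchanged line just above still passes it to `crypt (pass, data.dptr)` as a C string. If the stored value is not NUL-terminated, which the use of `data.dsize` suggests may be the case, `crypt()` reads the salt past the end of the record; copying the value into a `data.dsize + 1` byte buffer and terminating it before the call would remove that dependency. The cast also assumes `data.dsize` is non-negative. `memcmp()` is not a constant-time comparison, which matters less for a salted hash than for a raw secret but is worth a comment. user_lookup starts and ends outside the hunk.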
diff --git a/SOURCES/pam-1.1.8-cve-2014-2583.patch b/SOURCES/pam-1.1.8-cve-2014-2583.patch
new file mode 100644
index 0000000..f2aa2de
--- /dev/null
+++ b/SOURCES/pam-1.1.8-cve-2014-2583.patch
@@ -0,0 +1,56 @@
+From 9dcead87e6d7f66d34e7a56d11a30daca367dffb Mon Sep 17 00:00:00 2001
+From: "Dmitry V. Levin" <ldv@altlinux.org>
+Date: Wed, 26 Mar 2014 22:17:23 +0000
+Subject: [PATCH] pam_timestamp: fix potential directory traversal issue
+ (ticket #27)
+
+pam_timestamp uses values of PAM_RUSER and PAM_TTY as components of
+the timestamp pathname it creates, so extra care should be taken to
+avoid potential directory traversal issues.
+
+* modules/pam_timestamp/pam_timestamp.c (check_tty): Treat
+"." and ".." tty values as invalid.
+(get_ruser): Treat "." and ".." ruser values, as well as any ruser
+value containing '/', as invalid.
+
+Fixes CVE-2014-2583.
+
+Reported-by: Sebastian Krahmer <krahmer@suse.de>
+---
+ modules/pam_timestamp/pam_timestamp.c | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/modules/pam_timestamp/pam_timestamp.c b/modules/pam_timestamp/pam_timestamp.c
+index 5193733..b3f08b1 100644
+--- a/modules/pam_timestamp/pam_timestamp.c
++++ b/modules/pam_timestamp/pam_timestamp.c
+@@ -158,7 +158,7 @@ check_tty(const char *tty)
+ 		tty = strrchr(tty, '/') + 1;
+ 	}
+ 	/* Make sure the tty wasn't actually a directory (no basename). */
+-	if (strlen(tty) == 0) {
++	if (!strlen(tty) || !strcmp(tty, ".") || !strcmp(tty, "..")) {
+ 		return NULL;
+ 	}
+ 	return tty;
+@@ -243,6 +243,17 @@ get_ruser(pam_handle_t *pamh, char *ruserbuf, size_t ruserbuflen)
+ 		if (pwd != NULL) {
+ 			ruser = pwd->pw_name;
+ 		}
++	} else {
++		/*
++		 * This ruser is used by format_timestamp_name as a component
++		 * of constructed timestamp pathname, so ".", "..", and '/'
++		 * are disallowed to avoid potential path traversal issues.
++		 */
++		if (!strcmp(ruser, ".") ||
++		    !strcmp(ruser, "..") ||
++		    strchr(ruser, '/')) {
++			ruser = NULL;
++		}
+ 	}
+ 	if (ruser == NULL || strlen(ruser) >= ruserbuflen) {
+ 		*ruserbuf = '\0';
+-- 
+1.8.3.1
+
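Review bot: The new ruser validation sits only in the `else` branch, so the value taken from `pwd->pw_name` in the branch above it reaches the `strlen(ruser) >= ruserbuflen` test without the "."/".."/'/' check; the start of that `if` is outside the hunk, so this is inferred from the visible nesting. Since the added comment says ruser becomes a pathname component, applying the check after both branches would cover every source of the value. The "." and ".." test is also now written twice with slightly different rules (check_tty omits the '/' test because of the `strrchr` above it), and a small static helper shared by check_tty and get_ruser would keep the two from drifting apart.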
diff --git a/SOURCES/pam-1.1.8-cve-2015-3238.patch b/SOURCES/pam-1.1.8-cve-2015-3238.patch
new file mode 100644
index 0000000..24179d6
--- /dev/null
+++ b/SOURCES/pam-1.1.8-cve-2015-3238.patch
@@ -0,0 +1,130 @@
+diff -up linux-pam/modules/pam_exec/pam_exec.c.password-limit linux-pam/modules/pam_exec/pam_exec.c
+--- linux-pam/modules/pam_exec/pam_exec.c.password-limit	2014-08-26 14:02:19.000000000 +0200
++++ linux-pam/modules/pam_exec/pam_exec.c	2015-06-11 16:10:13.938035623 +0200
+@@ -178,11 +178,11 @@ call_exec (const char *pam_type, pam_han
+ 		}
+ 
+ 	      pam_set_item (pamh, PAM_AUTHTOK, resp);
+-	      authtok = strdupa (resp);
++	      authtok = strndupa (resp, PAM_MAX_RESP_SIZE);
+ 	      _pam_drop (resp);
+ 	    }
+ 	  else
+-	    authtok = void_pass;
++	    authtok = strndupa (void_pass, PAM_MAX_RESP_SIZE);
+ 
+ 	  if (pipe(fds) != 0)
+ 	    {
+diff -up linux-pam/modules/pam_exec/pam_exec.8.xml.password-limit linux-pam/modules/pam_exec/pam_exec.8.xml
+--- linux-pam/modules/pam_exec/pam_exec.8.xml.password-limit	2013-09-11 13:59:00.072175034 +0200
++++ linux-pam/modules/pam_exec/pam_exec.8.xml	2015-06-11 16:09:06.446512718 +0200
+@@ -106,7 +106,8 @@
+               During authentication the calling command can read
+               the password from <citerefentry>
+               <refentrytitle>stdin</refentrytitle><manvolnum>3</manvolnum>
+-              </citerefentry>.
++              </citerefentry>. Only first <emphasis>PAM_MAX_RESP_SIZE</emphasis>
++              bytes of a password are provided to the command.
+             </para>
+           </listitem>
+         </varlistentry>
+diff -up linux-pam/modules/pam_unix/pam_unix_passwd.c.password-limit linux-pam/modules/pam_unix/pam_unix_passwd.c
+--- linux-pam/modules/pam_unix/pam_unix_passwd.c.password-limit	2014-06-19 13:50:08.000000000 +0200
++++ linux-pam/modules/pam_unix/pam_unix_passwd.c	2015-06-11 16:34:02.226260435 +0200
+@@ -240,15 +240,22 @@ static int _unix_run_update_binary(pam_h
+ 	/* wait for child */
+ 	/* if the stored password is NULL */
+         int rc=0;
+-	if (fromwhat)
+-	  pam_modutil_write(fds[1], fromwhat, strlen(fromwhat)+1);
+-	else
+-	  pam_modutil_write(fds[1], "", 1);
+-	if (towhat) {
+-	  pam_modutil_write(fds[1], towhat, strlen(towhat)+1);
++	if (fromwhat) {
++	    int len = strlen(fromwhat);
++
++	    if (len > PAM_MAX_RESP_SIZE)
++	      len = PAM_MAX_RESP_SIZE;
++	    pam_modutil_write(fds[1], fromwhat, len);
+ 	}
+-	else
+-	  pam_modutil_write(fds[1], "", 1);
++        pam_modutil_write(fds[1], "", 1);
++	if (towhat) {
++	    int len = strlen(towhat);
++
++	    if (len > PAM_MAX_RESP_SIZE)
++	      len = PAM_MAX_RESP_SIZE;
++	    pam_modutil_write(fds[1], towhat, len);
++        }
++        pam_modutil_write(fds[1], "", 1);
+ 
+ 	close(fds[0]);       /* close here to avoid possible SIGPIPE above */
+ 	close(fds[1]);
+diff -up linux-pam/modules/pam_unix/pam_unix.8.xml.password-limit linux-pam/modules/pam_unix/pam_unix.8.xml
+--- linux-pam/modules/pam_unix/pam_unix.8.xml.password-limit	2015-06-11 15:46:55.000000000 +0200
++++ linux-pam/modules/pam_unix/pam_unix.8.xml	2015-06-11 16:38:42.628587102 +0200
+@@ -80,6 +80,13 @@
+     </para>
+ 
+     <para>
++      The maximum length of a password supported by the pam_unix module
++      via the helper binary is <emphasis>PAM_MAX_RESP_SIZE</emphasis>
++      - currently 512 bytes. The rest of the password provided by the
++      conversation function to the module will be ignored.
++    </para>
++
++    <para>
+       The password component of this module performs the task of updating
+       the user's password. The default encryption hash is taken from the
+       <emphasis remap='B'>ENCRYPT_METHOD</emphasis> variable from
+diff -up linux-pam/modules/pam_unix/passverify.c.password-limit linux-pam/modules/pam_unix/passverify.c
+--- linux-pam/modules/pam_unix/passverify.c.password-limit	2015-04-07 10:23:50.000000000 +0200
++++ linux-pam/modules/pam_unix/passverify.c	2015-06-15 10:53:32.903900010 +0200
+@@ -1115,12 +1115,15 @@ getuidname(uid_t uid)
+ int
+ read_passwords(int fd, int npass, char **passwords)
+ {
++        /* The passwords array must contain npass preallocated
++         * buffers of length MAXPASS + 1
++         */
+         int rbytes = 0;
+         int offset = 0;
+         int i = 0;
+         char *pptr;
+         while (npass > 0) {
+-                rbytes = read(fd, passwords[i]+offset, MAXPASS-offset);
++                rbytes = read(fd, passwords[i]+offset, MAXPASS+1-offset);
+ 
+                 if (rbytes < 0) {
+                         if (errno == EINTR) continue;
+diff -up linux-pam/modules/pam_unix/passverify.h.password-limit linux-pam/modules/pam_unix/passverify.h
+--- linux-pam/modules/pam_unix/passverify.h.password-limit	2011-03-21 21:59:22.000000000 +0100
++++ linux-pam/modules/pam_unix/passverify.h	2015-06-11 16:26:27.184994387 +0200
+@@ -8,7 +8,7 @@
+ 
+ #define PAM_UNIX_RUN_HELPER PAM_CRED_INSUFFICIENT
+ 
+-#define MAXPASS		200	/* the maximum length of a password */
++#define MAXPASS PAM_MAX_RESP_SIZE  /* the maximum length of a password */
+ 
+ #define OLD_PASSWORDS_FILE      "/etc/security/opasswd"
+ 
+diff -up linux-pam/modules/pam_unix/support.c.password-limit linux-pam/modules/pam_unix/support.c
+--- linux-pam/modules/pam_unix/support.c.password-limit	2014-01-27 18:08:28.000000000 +0100
++++ linux-pam/modules/pam_unix/support.c	2015-06-11 16:30:35.452595477 +0200
+@@ -609,7 +609,12 @@ static int _unix_run_helper_binary(pam_h
+ 	/* if the stored password is NULL */
+         int rc=0;
+ 	if (passwd != NULL) {            /* send the password to the child */
+-	    if (write(fds[1], passwd, strlen(passwd)+1) == -1) {
++	    int len = strlen(passwd);
++
++	    if (len > PAM_MAX_RESP_SIZE)
++	      len = PAM_MAX_RESP_SIZE;
++	    if (write(fds[1], passwd, len) == -1 ||
++	        write(fds[1], "", 1) == -1) {
+ 	      pam_syslog (pamh, LOG_ERR, "Cannot send password to helper: %m");
+ 	      retval = PAM_AUTH_ERR;
+ 	    }
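Review bot: In `_unix_run_update_binary` the results of the four `pam_modutil_write()` calls are discarded, while the matching change in `_unix_run_helper_binary` (support.c hunk) checks both `write()` calls and logs `Cannot send password to helper: %m`. A failed or partial write of the old or new password to the update helper should be handled the same way, so that the parent does not go on to wait for a child that received an incomplete stream. Separately, `int len = strlen(...)` narrows a `size_t` in three places; declaring `len` as `size_t` avoids relying on the clamp to keep the value in range. Both functions continue outside their hunks.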
diff --git a/SOURCES/pam-1.1.8-faillock-admin-group.patch b/SOURCES/pam-1.1.8-faillock-admin-group.patch
new file mode 100644
index 0000000..76be07a
--- /dev/null
+++ b/SOURCES/pam-1.1.8-faillock-admin-group.patch
@@ -0,0 +1,151 @@
+diff -up Linux-PAM-1.1.8/modules/pam_faillock/pam_faillock.c.admin-group Linux-PAM-1.1.8/modules/pam_faillock/pam_faillock.c
+--- Linux-PAM-1.1.8/modules/pam_faillock/pam_faillock.c.admin-group	2016-04-22 15:25:57.673445386 +0200
++++ Linux-PAM-1.1.8/modules/pam_faillock/pam_faillock.c	2017-09-08 14:39:47.411306464 +0200
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 2010 Tomas Mraz <tmraz@redhat.com>
++ * Copyright (c) 2010, 2017 Tomas Mraz <tmraz@redhat.com>
+  *
+  * Redistribution and use in source and binary forms, with or without
+  * modification, are permitted provided that the following conditions
+@@ -78,9 +78,11 @@ struct options {
+ 	unsigned int root_unlock_time;
+ 	const char *dir;
+ 	const char *user;
++	const char *admin_group;
+ 	int failures;
+ 	uint64_t latest_time;
+ 	uid_t uid;
++	int is_admin;
+ 	uint64_t now;
+ };
+ 
+@@ -152,6 +154,9 @@ args_parse(pam_handle_t *pamh, int argc,
+ 				opts->root_unlock_time = temp;
+ 			}
+ 		}
++		else if (strncmp(argv[i], "admin_group=", 12) == 0) {
++			opts->admin_group = argv[i] + 12;
++		}
+  		else if (strcmp(argv[i], "preauth") == 0) {
+ 			opts->action = FAILLOCK_ACTION_PREAUTH;
+ 		}
+@@ -209,6 +214,17 @@ static int get_pam_user(pam_handle_t *pa
+ 	}
+ 	opts->user = user;
+ 	opts->uid = pwd->pw_uid;
++
++	if (pwd->pw_uid == 0) {
++		opts->is_admin = 1;
++		return PAM_SUCCESS;
++	}
++
++	if (opts->admin_group && *opts->admin_group) {
++		opts->is_admin = pam_modutil_user_in_group_uid_nam(pamh,
++			pwd->pw_uid, opts->admin_group);
++	}
++
+ 	return PAM_SUCCESS;
+ }
+ 
+@@ -239,7 +255,7 @@ check_tally(pam_handle_t *pamh, struct o
+ 		return PAM_SYSTEM_ERR;
+ 	}
+ 
+-	if (opts->uid == 0 && !(opts->flags & FAILLOCK_FLAG_DENY_ROOT)) {
++	if (opts->is_admin && !(opts->flags & FAILLOCK_FLAG_DENY_ROOT)) {
+ 		return PAM_SUCCESS;
+ 	}
+ 
+@@ -262,17 +278,14 @@ check_tally(pam_handle_t *pamh, struct o
+ 
+ 	opts->failures = failures;
+ 
+-	if (opts->uid == 0 && !(opts->flags & FAILLOCK_FLAG_DENY_ROOT)) {
+-		return PAM_SUCCESS;
+-	}
+-
+ 	if (opts->deny && failures >= opts->deny) {
+-		if ((opts->uid && opts->unlock_time && latest_time + opts->unlock_time < opts->now) ||
+-			(!opts->uid && opts->root_unlock_time && latest_time + opts->root_unlock_time < opts->now)) {
++		if ((!opts->is_admin && opts->unlock_time && latest_time + opts->unlock_time < opts->now) ||
++			(opts->is_admin && opts->root_unlock_time && latest_time + opts->root_unlock_time < opts->now)) {
+ #ifdef HAVE_LIBAUDIT
+ 			if (opts->action != FAILLOCK_ACTION_PREAUTH) { /* do not audit in preauth */
+ 				char buf[64];
+ 				int audit_fd;
++				const void *rhost = NULL, *tty = NULL;
+ 
+ 				audit_fd = audit_open();
+ 				/* If there is an error & audit support is in the kernel report error */
+@@ -280,9 +293,11 @@ check_tally(pam_handle_t *pamh, struct o
+ 					errno == EAFNOSUPPORT))
+ 					return PAM_SYSTEM_ERR;
+ 
++				(void)pam_get_item(pamh, PAM_TTY, &tty);
++				(void)pam_get_item(pamh, PAM_RHOST, &rhost);
+ 				snprintf(buf, sizeof(buf), "pam_faillock uid=%u ", opts->uid);
+ 				audit_log_user_message(audit_fd, AUDIT_RESP_ACCT_UNLOCK_TIMED, buf,
+-					NULL, NULL, NULL, 1);
++					rhost, NULL, tty, 1);
+ 			}
+ #endif
+ 			opts->flags |= FAILLOCK_FLAG_UNLOCKED;
+@@ -398,7 +413,7 @@ write_tally(pam_handle_t *pamh, struct o
+ 		audit_log_user_message(audit_fd, AUDIT_ANOM_LOGIN_FAILURES, buf,
+ 			NULL, NULL, NULL, 1);
+ 
+-		if (opts->uid != 0 || (opts->flags & FAILLOCK_FLAG_DENY_ROOT)) {
++		if (!opts->is_admin || (opts->flags & FAILLOCK_FLAG_DENY_ROOT)) {
+ 			audit_log_user_message(audit_fd, AUDIT_RESP_ACCT_LOCK, buf,
+ 				NULL, NULL, NULL, 1);
+ 		}
+@@ -422,11 +437,11 @@ faillock_message(pam_handle_t *pamh, str
+ 	int64_t left;
+ 
+ 	if (!(opts->flags & FAILLOCK_FLAG_SILENT)) {
+-		if (opts->uid) {
+-			left = opts->latest_time + opts->unlock_time - opts->now;
++		if (opts->is_admin) {
++			left = opts->latest_time + opts->root_unlock_time - opts->now;
+ 		}
+ 		else {
+-			left = opts->latest_time + opts->root_unlock_time - opts->now;
++			left = opts->latest_time + opts->unlock_time - opts->now;
+ 		}
+ 
+ 		if (left > 0) {
+diff -up Linux-PAM-1.1.8/modules/pam_faillock/pam_faillock.8.xml.admin-group Linux-PAM-1.1.8/modules/pam_faillock/pam_faillock.8.xml
+--- Linux-PAM-1.1.8/modules/pam_faillock/pam_faillock.8.xml.admin-group	2016-04-28 16:43:14.109794294 +0200
++++ Linux-PAM-1.1.8/modules/pam_faillock/pam_faillock.8.xml	2017-09-08 14:37:33.535130222 +0200
+@@ -40,6 +40,9 @@
+         root_unlock_time=<replaceable>n</replaceable>
+       </arg>
+       <arg choice="opt">
++        admin_group=<replaceable>name</replaceable>
++      </arg>
++      <arg choice="opt">
+         audit
+       </arg>
+       <arg choice="opt">
+@@ -242,6 +245,20 @@
+                 </para>
+               </listitem>
+             </varlistentry>
++            <varlistentry>
++              <term>
++                <option>admin_group=<replaceable>name</replaceable></option>
++              </term>
++              <listitem>
++                <para>
++                  If a group name is specified with this option, members
++                  of the group will be handled by this module the same as
++                  the root account (the options <option>even_deny_root></option>
++                  and <option>root_unlock_time</option> will apply to them.
++                  By default the option is not set.
++                </para>
++              </listitem>
++            </varlistentry>
+         </variablelist>
+   </refsect1>
+ 
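Review bot: The man page entry added for `admin_group` has broken markup and leaves out the main consequence of the option: `<option>even_deny_root></option>` carries a stray `>`, and the parenthesis opened before "the options" is never closed. More importantly, `check_tally` now returns PAM_SUCCESS for any `is_admin` user unless FAILLOCK_FLAG_DENY_ROOT is set, so members of the group are exempt from lockout by default; the text should say so directly, e.g. `Unless even_deny_root is also given, members of this group are never locked out.` In `get_pam_user`, `is_admin` is only ever assigned 1 or the group-lookup result, so it relies on `opts` being zeroed elsewhere, which is not visible in these hunks.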
diff --git a/SOURCES/pam-1.1.8-faillock-never.patch b/SOURCES/pam-1.1.8-faillock-never.patch
new file mode 100644
index 0000000..be84329
--- /dev/null
+++ b/SOURCES/pam-1.1.8-faillock-never.patch
@@ -0,0 +1,91 @@
+diff -up Linux-PAM-1.1.8/modules/pam_faillock/pam_faillock.c.never Linux-PAM-1.1.8/modules/pam_faillock/pam_faillock.c
+--- Linux-PAM-1.1.8/modules/pam_faillock/pam_faillock.c.never	2016-03-03 10:01:15.000000000 +0100
++++ Linux-PAM-1.1.8/modules/pam_faillock/pam_faillock.c	2016-04-22 14:31:34.239752334 +0200
+@@ -125,17 +125,26 @@ args_parse(pam_handle_t *pamh, int argc,
+ 		}
+ 		else if (strncmp(argv[i], "unlock_time=", 12) == 0) {
+ 			unsigned int temp;
+-			if (sscanf(argv[i]+12, "%u", &temp) != 1 ||
++
++			if (strcmp(argv[i]+12, "never") == 0) {
++				opts->unlock_time = 0;
++			}
++			else if (sscanf(argv[i]+12, "%u", &temp) != 1 ||
+ 				temp > MAX_TIME_INTERVAL) {
+ 				pam_syslog(pamh, LOG_ERR,
+ 					"Bad number supplied for unlock_time argument");
+-        		} else {
++			}
++			else {
+ 				opts->unlock_time = temp;
+ 			}
+ 		}
+ 		else if (strncmp(argv[i], "root_unlock_time=", 17) == 0) {
+ 			unsigned int temp;
+-			if (sscanf(argv[i]+17, "%u", &temp) != 1 ||
++
++			if (strcmp(argv[i]+17, "never") == 0) {
++				opts->root_unlock_time = 0;
++			}
++			else if (sscanf(argv[i]+17, "%u", &temp) != 1 ||
+ 				temp > MAX_TIME_INTERVAL) {
+ 				pam_syslog(pamh, LOG_ERR,
+ 					"Bad number supplied for root_unlock_time argument");
+@@ -258,8 +267,8 @@ check_tally(pam_handle_t *pamh, struct o
+ 	}
+ 
+ 	if (opts->deny && failures >= opts->deny) {
+-		if ((opts->uid && latest_time + opts->unlock_time < opts->now) ||
+-			(!opts->uid && latest_time + opts->root_unlock_time < opts->now)) {
++		if ((opts->uid && opts->unlock_time && latest_time + opts->unlock_time < opts->now) ||
++			(!opts->uid && opts->root_unlock_time && latest_time + opts->root_unlock_time < opts->now)) {
+ #ifdef HAVE_LIBAUDIT
+ 			if (opts->action != FAILLOCK_ACTION_PREAUTH) { /* do not audit in preauth */
+ 				char buf[64];
+@@ -420,11 +429,17 @@ faillock_message(pam_handle_t *pamh, str
+ 			left = opts->latest_time + opts->root_unlock_time - opts->now;
+ 		}
+ 
+-		left /= 60; /* minutes */
++		if (left > 0) {
++			left = (left + 59)/60; /* minutes */
+ 
+-		pam_info(pamh, _("Account temporarily locked due to %d failed logins"),
+-			opts->failures);
+-		pam_info(pamh, _("(%d minutes left to unlock)"), (int)left);
++			pam_info(pamh, _("Account temporarily locked due to %d failed logins"),
++				opts->failures);
++			pam_info(pamh, _("(%d minutes left to unlock)"), (int)left);
++		}
++		else {
++			pam_info(pamh, _("Account locked due to %d failed logins"),
++				opts->failures);
++		}
+ 	}
+ }
+ 
+diff -up Linux-PAM-1.1.8/modules/pam_faillock/pam_faillock.8.xml.never Linux-PAM-1.1.8/modules/pam_faillock/pam_faillock.8.xml
+--- Linux-PAM-1.1.8/modules/pam_faillock/pam_faillock.8.xml.never	2016-04-22 15:25:57.000000000 +0200
++++ Linux-PAM-1.1.8/modules/pam_faillock/pam_faillock.8.xml	2016-04-28 16:43:14.109794294 +0200
+@@ -201,6 +201,21 @@
+                   <replaceable>n</replaceable> seconds after the lock out.
+                   The default is 600 (10 minutes).
+                 </para>
++                <para>
++                  If the <replaceable>n</replaceable> is set to never or 0
++                  the access will not be reenabled at all until administrator
++                  explicitly reenables it with the <command>faillock</command> command.
++                  Note though that the default directory that <emphasis>pam_faillock</emphasis>
++                  uses is usually cleared on system boot so the access will be also reenabled
++                  after system reboot. If that is undesirable a different tally directory
++                  must be set with the <option>dir</option> option.
++                </para>
++                <para>
++                  Also note that it is usually undesirable to permanently lock
++                  out the users as they can become easily a target of denial of service
++                  attack unless the usernames are random and kept secret to potential
++                  attackers.
++                </para>
+               </listitem>
+             </varlistentry>
+             <varlistentry>
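Review bot: A value of 0 changes meaning with this patch, and the code carries no comment saying so. Before, `latest_time + opts->unlock_time < opts->now` was true for `unlock_time=0` as soon as any time had passed, so the account unlocked almost immediately; with the added `opts->unlock_time &&` guard the same setting now means a permanent lock, which the new man page text confirms. Existing configurations that used 0 will silently switch behaviour on upgrade, so this deserves a line in the package changelog and a comment at the assignment such as `/* 0 == never unlock automatically, see check_tally() */`. The "Bad number supplied" branches still only log and leave the option at its previous value, which is worth stating in the man page too.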
diff --git a/SOURCES/pam-1.1.8-full-relro.patch b/SOURCES/pam-1.1.8-full-relro.patch
new file mode 100644
index 0000000..0337062
--- /dev/null
+++ b/SOURCES/pam-1.1.8-full-relro.patch
@@ -0,0 +1,108 @@
+diff -up Linux-PAM-1.1.8/modules/pam_console/Makefile.am.relro Linux-PAM-1.1.8/modules/pam_console/Makefile.am
+--- Linux-PAM-1.1.8/modules/pam_console/Makefile.am.relro	2014-08-13 16:02:49.000000000 +0200
++++ Linux-PAM-1.1.8/modules/pam_console/Makefile.am	2014-09-10 17:14:33.245554314 +0200
+@@ -33,6 +33,8 @@ pam_console_la_LIBADD = -L$(top_builddir
+ 
+ pam_console_apply_LDADD = -L$(top_builddir)/libpam -lpam
+ 
++pam_console_apply_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@
++
+ securelib_LTLIBRARIES = pam_console.la
+ sbin_PROGRAMS = pam_console_apply
+ 
+@@ -47,7 +49,7 @@ pam_console_apply_SOURCES = pam_console_
+ 			 configfile.c configfile.h hashtable.c hashtable.h hashtable_private.h
+ 
+ pam_console_la_CFLAGS = $(AM_CFLAGS)
+-pam_console_apply_CFLAGS = $(AM_CFLAGS)
++pam_console_apply_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@
+ 
+ configfile.tab.c: configfile.y
+ 	$(YACC) $(BISON_OPTS) -o $@ -p _pc_yy $<
+diff -up Linux-PAM-1.1.8/modules/pam_faillock/Makefile.am.relro Linux-PAM-1.1.8/modules/pam_faillock/Makefile.am
+--- Linux-PAM-1.1.8/modules/pam_faillock/Makefile.am.relro	2014-08-13 16:02:49.000000000 +0200
++++ Linux-PAM-1.1.8/modules/pam_faillock/Makefile.am	2014-09-10 17:16:11.102808189 +0200
+@@ -19,7 +19,7 @@ secureconfdir = $(SCONFIGDIR)
+ 
+ noinst_HEADERS = faillock.h
+ 
+-faillock_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include
++faillock_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include @PIE_CFLAGS@
+ pam_faillock_la_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include
+ 
+ pam_faillock_la_LDFLAGS = -no-undefined -avoid-version -module
+@@ -28,6 +28,7 @@ if HAVE_VERSIONING
+   pam_faillock_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
+ endif
+ 
++faillock_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@
+ faillock_LDADD = -L$(top_builddir)/libpam -lpam $(LIBAUDIT)
+ 
+ securelib_LTLIBRARIES = pam_faillock.la
+diff -up Linux-PAM-1.1.8/modules/pam_filter/upperLOWER/Makefile.am.relro Linux-PAM-1.1.8/modules/pam_filter/upperLOWER/Makefile.am
+--- Linux-PAM-1.1.8/modules/pam_filter/upperLOWER/Makefile.am.relro	2014-09-10 17:17:20.273401344 +0200
++++ Linux-PAM-1.1.8/modules/pam_filter/upperLOWER/Makefile.am	2014-09-10 17:17:07.857115369 +0200
+@@ -9,7 +9,7 @@ securelibfilterdir = $(SECUREDIR)/pam_fi
+ 
+ AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \
+ 	-I$(srcdir)/.. @PIE_CFLAGS@
+-AM_LDFLAGS = @PIE_LDFLAGS@
++AM_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@
+ LDADD = $(top_builddir)/libpam/libpam.la
+ 
+ securelibfilter_PROGRAMS = upperLOWER
+diff -up Linux-PAM-1.1.8/modules/pam_mkhomedir/Makefile.am.relro Linux-PAM-1.1.8/modules/pam_mkhomedir/Makefile.am
+--- Linux-PAM-1.1.8/modules/pam_mkhomedir/Makefile.am.relro	2013-06-18 16:11:21.000000000 +0200
++++ Linux-PAM-1.1.8/modules/pam_mkhomedir/Makefile.am	2014-09-10 17:18:42.922304935 +0200
+@@ -30,6 +30,8 @@ endif
+ 
+ sbin_PROGRAMS = mkhomedir_helper
+ mkhomedir_helper_SOURCES = mkhomedir_helper.c
++mkhomedir_helper_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@
++mkhomedir_helper_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@
+ mkhomedir_helper_LDADD = $(top_builddir)/libpam/libpam.la
+ 
+ if ENABLE_REGENERATE_MAN
+diff -up Linux-PAM-1.1.8/modules/pam_tally2/Makefile.am.relro Linux-PAM-1.1.8/modules/pam_tally2/Makefile.am
+--- Linux-PAM-1.1.8/modules/pam_tally2/Makefile.am.relro	2013-06-18 16:11:21.000000000 +0200
++++ Linux-PAM-1.1.8/modules/pam_tally2/Makefile.am	2014-09-10 17:22:04.339944040 +0200
+@@ -26,6 +26,8 @@ if HAVE_VERSIONING
+   pam_tally2_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
+ endif
+ 
++pam_tally2_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@
++pam_tally2_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@
+ pam_tally2_LDADD = $(top_builddir)/libpam/libpam.la $(LIBAUDIT)
+ 
+ securelib_LTLIBRARIES = pam_tally2.la
+diff -up Linux-PAM-1.1.8/modules/pam_timestamp/Makefile.am.relro Linux-PAM-1.1.8/modules/pam_timestamp/Makefile.am
+--- Linux-PAM-1.1.8/modules/pam_timestamp/Makefile.am.relro	2013-06-18 16:11:21.000000000 +0200
++++ Linux-PAM-1.1.8/modules/pam_timestamp/Makefile.am	2014-08-13 16:02:49.906688139 +0200
+@@ -36,7 +36,7 @@ pam_timestamp_la_CFLAGS = $(AM_CFLAGS)
+ pam_timestamp_check_SOURCES = pam_timestamp_check.c
+ pam_timestamp_check_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@
+ pam_timestamp_check_LDADD = $(top_builddir)/libpam/libpam.la
+-pam_timestamp_check_LDFLAGS = @PIE_LDFLAGS@
++pam_timestamp_check_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@
+ 
+ hmacfile_SOURCES = hmacfile.c hmacsha1.c sha1.c
+ hmacfile_LDADD = $(top_builddir)/libpam/libpam.la
+diff -up Linux-PAM-1.1.8/modules/pam_unix/Makefile.am.relro Linux-PAM-1.1.8/modules/pam_unix/Makefile.am
+--- Linux-PAM-1.1.8/modules/pam_unix/Makefile.am.relro	2013-06-18 16:11:21.000000000 +0200
++++ Linux-PAM-1.1.8/modules/pam_unix/Makefile.am	2014-08-13 16:02:49.906688139 +0200
+@@ -55,13 +55,13 @@ bigcrypt_LDADD = @LIBCRYPT@
+ unix_chkpwd_SOURCES = unix_chkpwd.c md5_good.c md5_broken.c bigcrypt.c \
+ 	passverify.c
+ unix_chkpwd_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@ -DHELPER_COMPILE=\"unix_chkpwd\"
+-unix_chkpwd_LDFLAGS = @PIE_LDFLAGS@
++unix_chkpwd_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@
+ unix_chkpwd_LDADD = @LIBCRYPT@ @LIBSELINUX@ @LIBAUDIT@
+ 
+ unix_update_SOURCES = unix_update.c md5_good.c md5_broken.c bigcrypt.c \
+ 	passverify.c
+ unix_update_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@ -DHELPER_COMPILE=\"unix_update\"
+-unix_update_LDFLAGS = @PIE_LDFLAGS@
++unix_update_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@
+ unix_update_LDADD = @LIBCRYPT@ @LIBSELINUX@
+ 
+ if ENABLE_REGENERATE_MAN
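Review bot: Every hunk adds only `-Wl,-z,now`; nothing visible here adds `-Wl,-z,relro`, which full RELRO also needs, so the result depends on `@PIE_LDFLAGS@` or the distribution's default LDFLAGS supplying it. A post-build check on the installed helpers (`readelf -d` showing BIND_NOW and `readelf -l` showing a GNU_RELRO segment) would confirm the intent. In the pam_timestamp hunk `hmacfile` gets no PIE or `-z now` flags in the visible lines, which is fine if it is not installed but should be confirmed. The literal flag pair is repeated across seven Makefile.am files; a single substituted variable would keep them consistent.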
diff --git a/SOURCES/pam-1.1.8-lastlog-localtime.patch b/SOURCES/pam-1.1.8-lastlog-localtime.patch
new file mode 100644
index 0000000..8108ff2
--- /dev/null
+++ b/SOURCES/pam-1.1.8-lastlog-localtime.patch
@@ -0,0 +1,22 @@
+diff -up Linux-PAM-1.1.8/modules/pam_lastlog/pam_lastlog.c.localtime Linux-PAM-1.1.8/modules/pam_lastlog/pam_lastlog.c
+--- Linux-PAM-1.1.8/modules/pam_lastlog/pam_lastlog.c.localtime	2016-03-03 10:01:15.000000000 +0100
++++ Linux-PAM-1.1.8/modules/pam_lastlog/pam_lastlog.c	2016-04-22 15:24:10.085018141 +0200
+@@ -276,12 +276,12 @@ last_login_read(pam_handle_t *pamh, int
+ 		time_t ll_time;
+ 
+ 		ll_time = last_login.ll_time;
+-		tm = localtime_r (&ll_time, &tm_buf);
+-		strftime (the_time, sizeof (the_time),
+-	        /* TRANSLATORS: "strftime options for date of last login" */
+-			  _(" %a %b %e %H:%M:%S %Z %Y"), tm);
+-
+-		date = the_time;
++		if ((tm = localtime_r (&ll_time, &tm_buf)) != NULL) {
++			strftime (the_time, sizeof (the_time),
++		        /* TRANSLATORS: "strftime options for date of last login" */
++				  _(" %a %b %e %H:%M:%S %Z %Y"), tm);
++			date = the_time;
++	    	}
+ 	    }
+ 
+ 	    /* we want & have the host? */
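Review bot: The `strftime()` result is still unchecked, so `date = the_time;` runs even when it returns 0 and the contents of `the_time` are unspecified. Guarding the assignment, `if (strftime (the_time, sizeof (the_time), ..., tm) != 0) date = the_time;`, completes what the new `localtime_r` check starts. When either call fails `date` keeps whatever it was initialised to outside the hunk, which the code that builds the message must tolerate. The closing brace of the added block mixes a tab, spaces and another tab in its indent.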
diff --git a/SOURCES/pam-1.1.8-lastlog-uninitialized.patch b/SOURCES/pam-1.1.8-lastlog-uninitialized.patch
new file mode 100644
index 0000000..8c545d9
--- /dev/null
+++ b/SOURCES/pam-1.1.8-lastlog-uninitialized.patch
@@ -0,0 +1,37 @@
+diff -up Linux-PAM-1.1.8/modules/pam_lastlog/pam_lastlog.c.uninitialized Linux-PAM-1.1.8/modules/pam_lastlog/pam_lastlog.c
+--- Linux-PAM-1.1.8/modules/pam_lastlog/pam_lastlog.c.uninitialized	2013-06-18 16:11:21.000000000 +0200
++++ Linux-PAM-1.1.8/modules/pam_lastlog/pam_lastlog.c	2014-08-25 16:44:24.365174752 +0200
+@@ -350,6 +350,8 @@ last_login_write(pam_handle_t *pamh, int
+ 	return PAM_SERVICE_ERR;
+     }
+ 
++    memset(&last_login, 0, sizeof(last_login));
++
+     /* set this login date */
+     D(("set the most recent login time"));
+     (void) time(&ll_time);    /* set the time */
+@@ -364,14 +366,12 @@ last_login_write(pam_handle_t *pamh, int
+     }
+ 
+     /* copy to last_login */
+-    last_login.ll_host[0] = '\0';
+     strncat(last_login.ll_host, remote_host, sizeof(last_login.ll_host)-1);
+ 
+     /* set the terminal line */
+     terminal_line = get_tty(pamh);
+ 
+     /* copy to last_login */
+-    last_login.ll_line[0] = '\0';
+     strncat(last_login.ll_line, terminal_line, sizeof(last_login.ll_line)-1);
+     terminal_line = NULL;
+ 
+@@ -628,7 +628,8 @@ pam_sm_authenticate(pam_handle_t *pamh,
+     lltime = (time(NULL) - lltime) / (24*60*60);
+ 
+     if (lltime > inactive_days) {
+-        pam_syslog(pamh, LOG_INFO, "user %s inactive for %d days - denied", user, lltime);
++        pam_syslog(pamh, LOG_INFO, "user %s inactive for %ld days - denied",
++		   user, (long) lltime);
+         return PAM_AUTH_ERR;
+     }
+ 
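Review bot: The two `strncat()` calls now depend on the new `memset()` for their empty starting string, since the `ll_host[0] = '\0'` and `ll_line[0] = '\0'` lines were removed, and nothing at the call sites says so. A comment on the memset such as `/* zero the whole record; the strncat() calls below rely on it */` would stop a later reorder from reintroducing a read of uninitialised bytes. `strncat()` with `sizeof - 1` on an empty buffer is a bounded copy, so `remote_host` and `terminal_line` are truncated silently when too long; whether either can be NULL at this point is decided outside the hunk. last_login_write and pam_sm_authenticate both continue beyond the visible lines.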
diff --git a/SOURCES/pam-1.1.8-limits-check-process.patch b/SOURCES/pam-1.1.8-limits-check-process.patch
new file mode 100644
index 0000000..f37f799
--- /dev/null
+++ b/SOURCES/pam-1.1.8-limits-check-process.patch
@@ -0,0 +1,41 @@
+diff -up Linux-PAM-1.1.8/modules/pam_limits/pam_limits.c.check-process Linux-PAM-1.1.8/modules/pam_limits/pam_limits.c
+--- Linux-PAM-1.1.8/modules/pam_limits/pam_limits.c.check-process	2013-06-18 16:11:21.000000000 +0200
++++ Linux-PAM-1.1.8/modules/pam_limits/pam_limits.c	2014-09-10 16:39:36.263256066 +0200
+@@ -27,6 +27,7 @@
+ #include <errno.h>
+ #include <syslog.h>
+ #include <stdarg.h>
++#include <signal.h>
+ #include <sys/types.h>
+ #include <sys/stat.h>
+ #include <sys/resource.h>
+@@ -269,16 +270,27 @@ check_logins (pam_handle_t *pamh, const
+             continue;
+ 	}
+         if (!pl->flag_numsyslogins) {
++	    char user[sizeof(ut->UT_USER) + 1];
++	    user[0] = '\0';
++	    strncat(user, ut->UT_USER, sizeof(ut->UT_USER));
++
+ 	    if (((pl->login_limit_def == LIMITS_DEF_USER)
+ 	         || (pl->login_limit_def == LIMITS_DEF_GROUP)
+ 		 || (pl->login_limit_def == LIMITS_DEF_DEFAULT))
+-		&& strncmp(name, ut->UT_USER, sizeof(ut->UT_USER)) != 0) {
++		&& strcmp(name, user) != 0) {
+                 continue;
+ 	    }
+ 	    if ((pl->login_limit_def == LIMITS_DEF_ALLGROUP)
+-		&& !pam_modutil_user_in_group_nam_nam(pamh, ut->UT_USER, pl->login_group)) {
++		&& !pam_modutil_user_in_group_nam_nam(pamh, user, pl->login_group)) {
+                 continue;
+ 	    }
++	    if (kill(ut->ut_pid, 0) == -1 && errno == ESRCH) {
++		/* process does not exist anymore */
++		pam_syslog(pamh, LOG_WARNING,
++			   "Stale utmp entry (pid %d) for '%s' ignored",
++			   ut->ut_pid, user);
++		continue;
++	    }
+ 	}
+ 	if (++count > limit) {
+ 	    break;
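Review bot: The stale-entry test `kill(ut->ut_pid, 0) == -1 && errno == ESRCH` sits inside the `if (!pl->flag_numsyslogins)` branch, so stale utmp records are skipped for the per-user and group limits but still counted toward `maxsyslogins`. If that is intended it deserves a comment; otherwise the check belongs after the closing brace of that branch. The probe is also only as reliable as the pid: a stale record whose pid has been reused by an unrelated process still counts as a live login, which is worth stating, e.g. `/* best effort: a recycled pid makes a stale entry look alive */`. `ut->ut_pid` is passed to `%d` without a cast, and `(int) ut->ut_pid` would avoid depending on the width of pid_t. check_logins starts and ends outside the hunk.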
diff --git a/SOURCES/pam-1.1.8-limits-docfix.patch b/SOURCES/pam-1.1.8-limits-docfix.patch
new file mode 100644
index 0000000..37703e3
--- /dev/null
+++ b/SOURCES/pam-1.1.8-limits-docfix.patch
@@ -0,0 +1,54 @@
+diff -up Linux-PAM-1.1.8/modules/pam_limits/limits.conf.docfix Linux-PAM-1.1.8/modules/pam_limits/limits.conf
+--- Linux-PAM-1.1.8/modules/pam_limits/limits.conf.docfix	2014-07-14 14:58:05.000000000 +0200
++++ Linux-PAM-1.1.8/modules/pam_limits/limits.conf	2014-09-10 16:42:51.254747161 +0200
+@@ -32,7 +32,7 @@
+ #        - data - max data size (KB)
+ #        - fsize - maximum filesize (KB)
+ #        - memlock - max locked-in-memory address space (KB)
+-#        - nofile - max number of open files
++#        - nofile - max number of open file descriptors
+ #        - rss - max resident set size (KB)
+ #        - stack - max stack size (KB)
+ #        - cpu - max CPU time (MIN)
+diff -up Linux-PAM-1.1.8/modules/pam_limits/limits.conf.5.xml.docfix Linux-PAM-1.1.8/modules/pam_limits/limits.conf.5.xml
+--- Linux-PAM-1.1.8/modules/pam_limits/limits.conf.5.xml.docfix	2013-06-18 16:11:21.000000000 +0200
++++ Linux-PAM-1.1.8/modules/pam_limits/limits.conf.5.xml	2014-09-10 16:44:01.624367933 +0200
+@@ -178,7 +178,7 @@
+             <varlistentry>
+               <term><option>nofile</option></term>
+               <listitem>
+-                <para>maximum number of open files</para>
++                <para>maximum number of open file descriptors</para>
+               </listitem>
+             </varlistentry>
+             <varlistentry>
+@@ -214,14 +214,17 @@
+             <varlistentry>
+               <term><option>maxlogins</option></term>
+               <listitem>
+-                <para>maximum number of logins for this user except
+-                      for this with <emphasis>uid=0</emphasis></para>
++                <para>maximum number of logins for this user (this limit does
++                  not apply to user with <emphasis>uid=0</emphasis>)</para>
+               </listitem>
+             </varlistentry>
+             <varlistentry>
+               <term><option>maxsyslogins</option></term>
+               <listitem>
+-                <para>maximum number of all logins on system</para>
++                <para>maximum number of all logins on system; user is not
++                  allowed to log-in if total number of all users' logins is
++                  greater than specified number (this limit does not apply to
++                  user with <emphasis>uid=0</emphasis>)</para>
+               </listitem>
+             </varlistentry>
+             <varlistentry>
+@@ -292,7 +295,7 @@
+       permanent; existing only for the duration of the session.
+       One exception is the <emphasis>maxlogin</emphasis> option, this one
+       is system wide. But there is a race, concurrent logins at the same
+-      time will not always be detect as such but only counted as one.
++      time will not always be detected as such but only counted as one.
+     </para>
+     <para>
+       In the <emphasis>limits</emphasis> configuration file, the
diff --git a/SOURCES/pam-1.1.8-loginuid-log-auditd.patch b/SOURCES/pam-1.1.8-loginuid-log-auditd.patch
new file mode 100644
index 0000000..6ccadc7
--- /dev/null
+++ b/SOURCES/pam-1.1.8-loginuid-log-auditd.patch
@@ -0,0 +1,19 @@
+diff -up Linux-PAM-1.1.8/modules/pam_loginuid/pam_loginuid.c.log-auditd Linux-PAM-1.1.8/modules/pam_loginuid/pam_loginuid.c
+--- Linux-PAM-1.1.8/modules/pam_loginuid/pam_loginuid.c.log-auditd	2013-06-18 16:11:21.000000000 +0200
++++ Linux-PAM-1.1.8/modules/pam_loginuid/pam_loginuid.c	2016-04-22 14:21:35.868204427 +0200
+@@ -195,9 +195,12 @@ _pam_loginuid(pam_handle_t *pamh, int fl
+ 		argv++;
+ 	}
+ 
+-	if (require_auditd)
+-		return check_auditd();
+-	else
++	if (require_auditd) {
++		int rc = check_auditd();
++		if (rc != PAM_SUCCESS)
++			pam_syslog(pamh, LOG_ERR, "required running auditd not detected");
++		return rc;
++	} else
+ #endif
+ 		return PAM_SUCCESS;
+ }
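Review bot: The new log line reports every non-success result of `check_auditd()` as "required running auditd not detected", so if that function can fail for other reasons (its body is not in this hunk) the message points the operator at the wrong cause. Including the code, `pam_syslog(pamh, LOG_ERR, "required running auditd not detected (rc=%d)", rc);`, would let the cases be told apart in the auth log. Separately, the `} else` left dangling across `#endif` is easy to break in a later edit; the branch always returns, so a plain `}` followed by the unconditional `return PAM_SUCCESS;` behaves the same. _pam_loginuid starts outside the hunk.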
diff --git a/SOURCES/pam-1.1.8-man-dbsuffix.patch b/SOURCES/pam-1.1.8-man-dbsuffix.patch
new file mode 100644
index 0000000..be2e231
--- /dev/null
+++ b/SOURCES/pam-1.1.8-man-dbsuffix.patch
@@ -0,0 +1,22 @@
+diff -up Linux-PAM-1.1.8/modules/pam_userdb/pam_userdb.8.xml.dbsuffix Linux-PAM-1.1.8/modules/pam_userdb/pam_userdb.8.xml
+--- Linux-PAM-1.1.8/modules/pam_userdb/pam_userdb.8.xml.dbsuffix	2013-06-18 16:11:21.000000000 +0200
++++ Linux-PAM-1.1.8/modules/pam_userdb/pam_userdb.8.xml	2014-09-10 16:28:19.916678273 +0200
+@@ -89,7 +89,8 @@
+             Use the <filename>/path/database</filename> database for
+             performing lookup. There is no default; the module will
+             return <emphasis remap='B'>PAM_IGNORE</emphasis> if no
+-            database is provided.
++            database is provided. Note that the path to the database file
++            should be specified without the <filename>.db</filename> suffix.
+           </para>
+         </listitem>
+       </varlistentry>
+@@ -260,7 +261,7 @@
+   <refsect1 id='pam_userdb-examples'>
+     <title>EXAMPLES</title>
+     <programlisting>
+-auth  sufficient pam_userdb.so icase db=/etc/dbtest.db
++auth  sufficient pam_userdb.so icase db=/etc/dbtest
+     </programlisting>
+   </refsect1>
+ 
diff --git a/SOURCES/pam-1.1.8-man-delay.patch b/SOURCES/pam-1.1.8-man-delay.patch
new file mode 100644
index 0000000..5a4833a
--- /dev/null
+++ b/SOURCES/pam-1.1.8-man-delay.patch
@@ -0,0 +1,30 @@
+diff -up Linux-PAM-1.1.8/doc/man/pam_fail_delay.3.xml.delay Linux-PAM-1.1.8/doc/man/pam_fail_delay.3.xml
+--- Linux-PAM-1.1.8/doc/man/pam_fail_delay.3.xml.delay	2013-06-18 16:11:21.000000000 +0200
++++ Linux-PAM-1.1.8/doc/man/pam_fail_delay.3.xml	2016-05-30 12:08:40.708053159 +0200
+@@ -39,7 +39,7 @@
+       <citerefentry>
+         <refentrytitle>pam_authenticate</refentrytitle><manvolnum>3</manvolnum>
+       </citerefentry> fail, the failing return to the application is
+-      delayed by an amount of time randomly distributed (by up to 25%)
++      delayed by an amount of time randomly distributed (by up to 50%)
+       about this longest value.
+     </para>
+     <para>
+@@ -135,7 +135,7 @@ void (*delay_fn)(int retval, unsigned us
+ 
+     <para>
+       if the modules do not request a delay, the failure delay will be
+-      between 2.25 and 3.75 seconds.
++      between 1.5 and 4.5 seconds.
+     </para>
+ 
+     <para>
+@@ -150,7 +150,7 @@ module #2:    pam_fail_delay (pamh, 4000
+ 
+     <para>
+       in this case, it is the largest requested value that is used to
+-      compute the actual failed delay: here between 3 and 5 seconds.
++      compute the actual failed delay: here between 2 and 6 seconds.
+     </para>
+   </refsect1>
+ 
diff --git a/SOURCES/pam-1.1.8-man-environment.patch b/SOURCES/pam-1.1.8-man-environment.patch
new file mode 100644
index 0000000..d869211
--- /dev/null
+++ b/SOURCES/pam-1.1.8-man-environment.patch
@@ -0,0 +1,78 @@
+diff -up Linux-PAM-1.1.8/modules/pam_env/Makefile.am.environment Linux-PAM-1.1.8/modules/pam_env/Makefile.am
+--- Linux-PAM-1.1.8/modules/pam_env/Makefile.am.environment	2013-06-18 16:11:21.000000000 +0200
++++ Linux-PAM-1.1.8/modules/pam_env/Makefile.am	2016-04-22 14:10:49.921649262 +0200
+@@ -7,7 +7,7 @@ MAINTAINERCLEANFILES = $(MANS) README
+ 
+ EXTRA_DIST = README pam_env.conf $(MANS) $(XMLS) tst-pam_env environment
+ 
+-man_MANS = pam_env.conf.5 pam_env.8
++man_MANS = pam_env.conf.5 pam_env.8 environment.5
+ 
+ XMLS = README.xml pam_env.conf.5.xml pam_env.8.xml
+ 
+@@ -30,6 +30,7 @@ sysconf_DATA = environment
+ if ENABLE_REGENERATE_MAN
+ noinst_DATA = README
+ README: pam_env.8.xml pam_env.conf.5.xml
++environment.5: pam_env.conf.5.xml
+ -include $(top_srcdir)/Make.xml.rules
+ endif
+ 
+diff -up Linux-PAM-1.1.8/modules/pam_env/Makefile.in.environment Linux-PAM-1.1.8/modules/pam_env/Makefile.in
+--- Linux-PAM-1.1.8/modules/pam_env/Makefile.in.environment	2016-04-22 14:14:41.475866891 +0200
++++ Linux-PAM-1.1.8/modules/pam_env/Makefile.in	2016-04-22 14:13:58.239892651 +0200
+@@ -285,7 +285,7 @@ top_srcdir = @top_srcdir@
+ CLEANFILES = *~
+ MAINTAINERCLEANFILES = $(MANS) README
+ EXTRA_DIST = README pam_env.conf $(MANS) $(XMLS) tst-pam_env environment
+-man_MANS = pam_env.conf.5 pam_env.8
++man_MANS = pam_env.conf.5 pam_env.8 environment.5
+ XMLS = README.xml pam_env.conf.5.xml pam_env.8.xml
+ securelibdir = $(SECUREDIR)
+ secureconfdir = $(SCONFIGDIR)
+@@ -836,6 +836,7 @@ uninstall-man: uninstall-man5 uninstall-
+ 	uninstall-sysconfDATA
+ 
+ @ENABLE_REGENERATE_MAN_TRUE@README: pam_env.8.xml pam_env.conf.5.xml
++@ENABLE_REGENERATE_MAN_TRUE@environment.5: pam_env.conf.5.xml
+ @ENABLE_REGENERATE_MAN_TRUE@-include $(top_srcdir)/Make.xml.rules
+ 
+ # Tell versions [3.59,3.63) of GNU make to not export all variables.
+diff -up Linux-PAM-1.1.8/modules/pam_env/pam_env.conf.5.xml.environment Linux-PAM-1.1.8/modules/pam_env/pam_env.conf.5.xml
+--- Linux-PAM-1.1.8/modules/pam_env/pam_env.conf.5.xml.environment	2013-06-18 16:11:21.000000000 +0200
++++ Linux-PAM-1.1.8/modules/pam_env/pam_env.conf.5.xml	2016-04-22 14:12:49.150335851 +0200
+@@ -12,7 +12,8 @@
+ 
+   <refnamediv>
+     <refname>pam_env.conf</refname>
+-    <refpurpose>the environment variables config file</refpurpose>
++    <refname>environment</refname>
++    <refpurpose>the environment variables config files</refpurpose>
+   </refnamediv>
+ 
+ 
+@@ -58,6 +59,14 @@
+       at front) can be used to mark this line as a comment line.
+     </para>
+ 
++    <para>
++      The <filename>/etc/environment</filename> file specifies
++      the environment variables to be set. The file must consist of simple
++      <emphasis>NAME=VALUE</emphasis> pairs on separate lines.
++      The <citerefentry><refentrytitle>pam_env</refentrytitle><manvolnum>8</manvolnum></citerefentry>
++      module will read the file after the <filename>pam_env.conf</filename>
++      file.
++    </para>
+   </refsect1>
+ 
+   <refsect1 id="pam_env.conf-examples">
+@@ -110,7 +119,8 @@
+     <para>
+       <citerefentry><refentrytitle>pam_env</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
+       <citerefentry><refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
+-      <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry>
++      <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
++      <citerefentry><refentrytitle>environ</refentrytitle><manvolnum>7</manvolnum></citerefentry>
+     </para>
+   </refsect1>
+ 
diff --git a/SOURCES/pam-1.1.8-man-space.patch b/SOURCES/pam-1.1.8-man-space.patch
new file mode 100644
index 0000000..774e834
--- /dev/null
+++ b/SOURCES/pam-1.1.8-man-space.patch
@@ -0,0 +1,13 @@
+diff -up Linux-PAM-1.1.8/doc/man/pam.8.xml.space Linux-PAM-1.1.8/doc/man/pam.8.xml
+--- Linux-PAM-1.1.8/doc/man/pam.8.xml.space	2013-06-18 16:11:21.000000000 +0200
++++ Linux-PAM-1.1.8/doc/man/pam.8.xml	2017-09-08 14:22:58.878416174 +0200
+@@ -48,8 +48,7 @@
+       can be set by individual configuration files located in the
+       <filename>/etc/pam.d/</filename> directory. The presence of this
+       directory will cause <emphasis remap='B'>Linux-PAM</emphasis> to
+-      <emphasis remap='I'>ignore</emphasis>
+-      <filename>/etc/pam.conf</filename>.
++      <emphasis remap='I'>ignore </emphasis><filename>/etc/pam.conf</filename>.
+     </para>
+ 
+ 
diff --git a/SOURCES/pam-1.1.8-mkhomedir-inroot.patch b/SOURCES/pam-1.1.8-mkhomedir-inroot.patch
new file mode 100644
index 0000000..3936de4
--- /dev/null
+++ b/SOURCES/pam-1.1.8-mkhomedir-inroot.patch
@@ -0,0 +1,29 @@
+diff -up Linux-PAM-1.1.8/modules/pam_mkhomedir/mkhomedir_helper.c.mkhomedir-inroot Linux-PAM-1.1.8/modules/pam_mkhomedir/mkhomedir_helper.c
+--- Linux-PAM-1.1.8/modules/pam_mkhomedir/mkhomedir_helper.c.mkhomedir-inroot	2013-06-18 16:11:21.000000000 +0200
++++ Linux-PAM-1.1.8/modules/pam_mkhomedir/mkhomedir_helper.c	2017-11-03 10:20:59.823998481 +0100
+@@ -352,16 +352,18 @@ make_parent_dirs(char *dir, int make)
+   char *cp = strrchr(dir, '/');
+   struct stat st;
+ 
+-  if (!cp || cp == dir)
++  if (!cp)
+     return rc;
+ 
+-  *cp = '\0';
+-  if (stat(dir, &st) && errno == ENOENT)
+-    rc = make_parent_dirs(dir, 1);
+-  *cp = '/';
++  if (cp != dir) {
++    *cp = '\0';
++    if (stat(dir, &st) && errno == ENOENT)
++      rc = make_parent_dirs(dir, 1);
++    *cp = '/';
+ 
+-  if (rc != PAM_SUCCESS)
+-    return rc;
++    if (rc != PAM_SUCCESS)
++      return rc;
++  }
+ 
+   if (make && mkdir(dir, 0755) && errno != EEXIST) {
+     pam_syslog(NULL, LOG_ERR, "unable to create directory %s: %m", dir);
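Review bot: The new `if (cp != dir)` block has no comment explaining the case it separates out: when the only slash is the leading one, `dir` sits directly under `/`, so there is no parent to create but the directory itself must still be made. I would add `/* cp == dir: dir is directly under "/", no parent to create, fall through to mkdir */` above it. Inside the block a `stat()` failure other than ENOENT (for example EACCES) leaves `rc` at whatever it was initialised to outside the hunk and only surfaces later as a failing `mkdir`; a short comment saying that is deliberate would help. The function continues past the end of the hunk.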
diff --git a/SOURCES/pam-1.1.8-opasswd-tolerant.patch b/SOURCES/pam-1.1.8-opasswd-tolerant.patch
new file mode 100644
index 0000000..fb9b198
--- /dev/null
+++ b/SOURCES/pam-1.1.8-opasswd-tolerant.patch
@@ -0,0 +1,50 @@
+diff --git a/modules/pam_pwhistory/opasswd.c b/modules/pam_pwhistory/opasswd.c
+index 836d713..c36628e 100644
+--- a/modules/pam_pwhistory/opasswd.c
++++ b/modules/pam_pwhistory/opasswd.c
+@@ -82,10 +82,15 @@ parse_entry (char *line, opwd *data)
+ {
+   const char delimiters[] = ":";
+   char *endptr;
++  char *count;
+ 
+   data->user = strsep (&line, delimiters);
+   data->uid = strsep (&line, delimiters);
+-  data->count = strtol (strsep (&line, delimiters), &endptr, 10);
++  count = strsep (&line, delimiters);
++  if (data->user == NULL || data->uid == NULL || count == NULL)
++      return 1;
++
++  data->count = strtol (count, &endptr, 10);
+   if (endptr != NULL && *endptr != '\0')
+       return 1;
+ 
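Review bot: An empty count field still gets through the new checks: for a line like `user:uid::hashes`, `strsep` returns an empty string rather than NULL, `strtol` converts nothing and leaves `endptr == count` with `*endptr == '\0'`, and `data->count` silently becomes 0. The test after `strtol` should also reject the no-digits case, `if (endptr == count || *endptr != '\0') return 1;`. Empty `user` and `uid` fields likewise pass the NULL test; whether the callers tolerate them is not visible here. parse_entry continues beyond the hunk.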
+diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c
+index 4840bb2..7f7bc49 100644
+--- a/modules/pam_unix/passverify.c
++++ b/modules/pam_unix/passverify.c
+@@ -639,11 +639,23 @@ save_old_password(pam_handle_t *pamh, const char *forwho, const char *oldpass,
+ 		continue;
+ 	    buf[strlen(buf) - 1] = '\0';
+ 	    s_luser = strtok_r(buf, ":", &sptr);
++	    if (s_luser == NULL) {
++		found = 0;
++		continue;
++	    }
+ 	    s_uid = strtok_r(NULL, ":", &sptr);
++	    if (s_uid == NULL) {
++		found = 0;
++		continue;
++	    }
+ 	    s_npas = strtok_r(NULL, ":", &sptr);
++	    if (s_npas == NULL) {
++		found = 0;
++		continue;
++	    }
+ 	    s_pas = strtok_r(NULL, ":", &sptr);
+ 	    npas = strtol(s_npas, NULL, 10) + 1;
+-	    while (npas > howmany) {
++	    while (npas > howmany && s_pas != NULL) {
+ 		s_pas = strpbrk(s_pas, ",");
+ 		if (s_pas != NULL)
+ 		    s_pas++;
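Review bot: `strtok_r` skips runs of delimiters, so the added NULL checks catch a line that is too short but not one with an empty field: in `user::3:hash` the count comes back as the uid and the hash list as the count. `strsep`, which the opasswd.c half of this patch already uses, returns an empty string for an empty field and would let these checks see it. `npas = strtol(s_npas, NULL, 10) + 1` also accepts a non-numeric field as 0; passing an end pointer and rejecting `*end != '\0'` would close that. Each malformed-line branch sets `found = 0` without saying why, and whether `found` can already be set at this point depends on code outside the hunk, so a one-line comment is needed. save_old_password starts and ends outside the hunk.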
diff --git a/SOURCES/pam-1.1.8-pwhistory-helper.patch b/SOURCES/pam-1.1.8-pwhistory-helper.patch
new file mode 100644
index 0000000..8d08003
--- /dev/null
+++ b/SOURCES/pam-1.1.8-pwhistory-helper.patch
@@ -0,0 +1,812 @@
+diff --git a/modules/pam_pwhistory/Makefile.am b/modules/pam_pwhistory/Makefile.am
+index 4bb4d6d..9157b91 100644
+--- a/modules/pam_pwhistory/Makefile.am
++++ b/modules/pam_pwhistory/Makefile.am
+@@ -1,5 +1,6 @@
+ #
+ # Copyright (c) 2008, 2009 Thorsten Kukuk <kukuk@suse.de>
++# Copyright (c) 2013 Red Hat, Inc.
+ #
+ 
+ CLEANFILES = *~
+@@ -9,25 +10,33 @@ EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_pwhistory
+ 
+ TESTS = tst-pam_pwhistory
+ 
+-man_MANS = pam_pwhistory.8
++man_MANS = pam_pwhistory.8 pwhistory_helper.8
+ 
+-XMLS = README.xml pam_pwhistory.8.xml
++XMLS = README.xml pam_pwhistory.8.xml pwhistory_helper.8.xml
+ 
+ securelibdir = $(SECUREDIR)
+ secureconfdir = $(SCONFIGDIR)
+ 
+-AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include
+-AM_LDFLAGS = -no-undefined -avoid-version -module
++AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \
++	    -DPWHISTORY_HELPER=\"$(sbindir)/pwhistory_helper\"
++
++pam_pwhistory_la_LDFLAGS = -no-undefined -avoid-version -module
+ if HAVE_VERSIONING
+-  AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
++  pam_pwhistory_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
+ endif
+ 
+ noinst_HEADERS = opasswd.h
+ 
+ securelib_LTLIBRARIES = pam_pwhistory.la
+-pam_pwhistory_la_LIBADD = $(top_builddir)/libpam/libpam.la @LIBCRYPT@
++pam_pwhistory_la_CFLAGS = $(AM_CFLAGS)
++pam_pwhistory_la_LIBADD = $(top_builddir)/libpam/libpam.la @LIBCRYPT@ @LIBSELINUX@
+ pam_pwhistory_la_SOURCES = pam_pwhistory.c opasswd.c
+ 
++sbin_PROGRAMS = pwhistory_helper
++pwhistory_helper_CFLAGS = $(AM_CFLAGS) -DHELPER_COMPILE=\"pwhistory_helper\"
++pwhistory_helper_SOURCES = pwhistory_helper.c opasswd.c
++pwhistory_helper_LDADD = $(top_builddir)/libpam/libpam.la @LIBCRYPT@
++
+ if ENABLE_REGENERATE_MAN
+ noinst_DATA = README
+ README: pam_pwhistory.8.xml
+diff --git a/modules/pam_pwhistory/opasswd.c b/modules/pam_pwhistory/opasswd.c
+index 836d713..e319ff3 100644
+--- a/modules/pam_pwhistory/opasswd.c
++++ b/modules/pam_pwhistory/opasswd.c
+@@ -1,5 +1,6 @@
+ /*
+  * Copyright (c) 2008 Thorsten Kukuk <kukuk@suse.de>
++ * Copyright (c) 2013 Red Hat, Inc.
+  *
+  * Redistribution and use in source and binary forms, with or without
+  * modification, are permitted provided that the following conditions
+@@ -38,6 +39,7 @@
+ #endif
+ 
+ #include <pwd.h>
++#include <shadow.h>
+ #include <time.h>
+ #include <ctype.h>
+ #include <errno.h>
+@@ -47,6 +49,7 @@
+ #include <string.h>
+ #include <stdlib.h>
+ #include <syslog.h>
++#include <stdarg.h>
+ #include <sys/stat.h>
+ 
+ #if defined (HAVE_XCRYPT_H)
+@@ -55,7 +58,14 @@
+ #include <crypt.h>
+ #endif
+ 
++#ifdef HELPER_COMPILE
++#define pam_modutil_getpwnam(h,n) getpwnam(n)
++#define pam_modutil_getspnam(h,n) getspnam(n)
++#define pam_syslog(h,a,...) helper_log_err(a,__VA_ARGS__)
++#else
++#include <security/pam_modutil.h>
+ #include <security/pam_ext.h>
++#endif
+ #include <security/pam_modules.h>
+ 
+ #include "opasswd.h"
+@@ -76,6 +86,19 @@ typedef struct {
+   char *old_passwords;
+ } opwd;
+ 
++#ifdef HELPER_COMPILE
++void
++helper_log_err(int err, const char *format, ...)
++{
++  va_list args;
++
++  va_start(args, format);
++  openlog(HELPER_COMPILE, LOG_CONS | LOG_PID, LOG_AUTHPRIV);
++  vsyslog(err, format, args);
++  va_end(args);
++  closelog();
++}
++#endif
+ 
+ static int
+ parse_entry (char *line, opwd *data)
+@@ -112,8 +135,8 @@ compare_password(const char *newpass, const char *oldpass)
+ }
+ 
+ /* Check, if the new password is already in the opasswd file.  */
+-int
+-check_old_pass (pam_handle_t *pamh, const char *user,
++PAMH_ARG_DECL(int
++check_old_pass, const char *user,
+ 		const char *newpass, int debug)
+ {
+   int retval = PAM_SUCCESS;
+@@ -123,6 +146,11 @@ check_old_pass (pam_handle_t *pamh, const char *user,
+   opwd entry;
+   int found = 0;
+ 
++#ifndef HELPER_COMPILE
++  if (SELINUX_ENABLED)
++    return PAM_PWHISTORY_RUN_HELPER;
++#endif
++
+   if ((oldpf = fopen (OLD_PASSWORDS_FILE, "r")) == NULL)
+     {
+       if (errno != ENOENT)
+@@ -208,9 +236,9 @@ check_old_pass (pam_handle_t *pamh, const char *user,
+   return retval;
+ }
+ 
+-int
+-save_old_pass (pam_handle_t *pamh, const char *user, uid_t uid,
+-	       const char *oldpass, int howmany, int debug UNUSED)
++PAMH_ARG_DECL(int
++save_old_pass, const char *user,
++	       int howmany, int debug UNUSED)
+ {
+   char opasswd_tmp[] = TMP_PASSWORDS_FILE;
+   struct stat opasswd_stat;
+@@ -221,10 +249,35 @@ save_old_pass (pam_handle_t *pamh, const char *user, uid_t uid,
+   char *buf = NULL;
+   size_t buflen = 0;
+   int found = 0;
++  struct passwd *pwd;
++  const char *oldpass;
++
++  pwd = pam_modutil_getpwnam (pamh, user);
++  if (pwd == NULL)
++    return PAM_USER_UNKNOWN;
+ 
+   if (howmany <= 0)
+     return PAM_SUCCESS;
+ 
++#ifndef HELPER_COMPILE
++  if (SELINUX_ENABLED)
++    return PAM_PWHISTORY_RUN_HELPER;
++#endif
++
++  if ((strcmp(pwd->pw_passwd, "x") == 0)  ||
++      ((pwd->pw_passwd[0] == '#') &&
++       (pwd->pw_passwd[1] == '#') &&
++       (strcmp(pwd->pw_name, pwd->pw_passwd + 2) == 0)))
++    {
++      struct spwd *spw = pam_modutil_getspnam (pamh, user);
++
++      if (spw == NULL)
++        return PAM_USER_UNKNOWN;
++      oldpass = spw->sp_pwdp;
++    }
++  else
++      oldpass = pwd->pw_passwd;
++
+   if (oldpass == NULL || *oldpass == '\0')
+     return PAM_SUCCESS;
+ 
+@@ -447,7 +500,7 @@ save_old_pass (pam_handle_t *pamh, const char *user, uid_t uid,
+     {
+       char *out;
+ 
+-      if (asprintf (&out, "%s:%d:1:%s\n", user, uid, oldpass) < 0)
++      if (asprintf (&out, "%s:%d:1:%s\n", user, pwd->pw_uid, oldpass) < 0)
+ 	{
+ 	  retval = PAM_AUTHTOK_ERR;
+ 	  if (oldpf)
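Review bot: `pwd->pw_uid` is a `uid_t` but is formatted with `%d`, so a uid above INT_MAX would be written to opasswd as a negative number. The call would be safer as `asprintf (&out, "%s:%lu:1:%s\n", user, (unsigned long) pwd->pw_uid, oldpass)`. The same conversion may exist on the path that rewrites an existing entry, which is outside this hunk.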
+diff --git a/modules/pam_pwhistory/opasswd.h b/modules/pam_pwhistory/opasswd.h
+index db3e656..1b08699 100644
+--- a/modules/pam_pwhistory/opasswd.h
++++ b/modules/pam_pwhistory/opasswd.h
+@@ -1,5 +1,6 @@
+ /*
+  * Copyright (c) 2008 Thorsten Kukuk <kukuk@suse.de>
++ * Copyright (c) 2013 Red Hat, Inc.
+  *
+  * Redistribution and use in source and binary forms, with or without
+  * modification, are permitted provided that the following conditions
+@@ -36,10 +37,32 @@
+ #ifndef __OPASSWD_H__
+ #define __OPASSWD_H__
+ 
+-extern int check_old_pass (pam_handle_t *pamh, const char *user,
+-			   const char *newpass, int debug);
+-extern int save_old_pass (pam_handle_t *pamh, const char *user,
+-			  uid_t uid, const char *oldpass,
+-			  int howmany, int debug);
++#define PAM_PWHISTORY_RUN_HELPER PAM_CRED_INSUFFICIENT
++
++#ifdef WITH_SELINUX
++#include <selinux/selinux.h>
++#define SELINUX_ENABLED is_selinux_enabled()>0
++#else
++#define SELINUX_ENABLED 0
++#endif
++
++#ifdef HELPER_COMPILE
++#define PAMH_ARG_DECL(fname, ...) fname(__VA_ARGS__)
++#define PAMH_ARG(...)               __VA_ARGS__
++#else
++#define PAMH_ARG_DECL(fname, ...) fname(pam_handle_t *pamh, __VA_ARGS__)
++#define PAMH_ARG(...)               pamh, __VA_ARGS__
++#endif
++
++#ifdef HELPER_COMPILE
++void
++helper_log_err(int err, const char *format, ...);
++#endif
++
++PAMH_ARG_DECL(int
++check_old_pass, const char *user, const char *newpass, int debug);
++
++PAMH_ARG_DECL(int
++save_old_pass, const char *user, int howmany, int debug);
+ 
+ #endif /* __OPASSWD_H__ */
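Review bot: `#define SELINUX_ENABLED is_selinux_enabled()>0` expands without parentheses, so any use other than a bare `if (SELINUX_ENABLED)`, such as `!SELINUX_ENABLED` or a comparison, binds wrongly. It should read `#define SELINUX_ENABLED (is_selinux_enabled() > 0)`. `PAM_PWHISTORY_RUN_HELPER` reuses `PAM_CRED_INSUFFICIENT` as an internal sentinel, so a comment should state that check_old_pass and save_old_pass must never return that code for any other reason, otherwise the caller would launch the helper by mistake. The `PAMH_ARG_DECL(int` / `check_old_pass, ...)` form also hides the function names from grep and tag tools; a comment giving the two expanded prototypes would help.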
+diff --git a/modules/pam_pwhistory/pam_pwhistory.c b/modules/pam_pwhistory/pam_pwhistory.c
+index 654edd3..d6c5c47 100644
+--- a/modules/pam_pwhistory/pam_pwhistory.c
++++ b/modules/pam_pwhistory/pam_pwhistory.c
+@@ -1,6 +1,7 @@
+ /*
+  * Copyright (c) 2008, 2012 Thorsten Kukuk
+  * Author: Thorsten Kukuk <kukuk@thkukuk.de>
++ * Copyright (c) 2013 Red Hat, Inc.
+  *
+  * Redistribution and use in source and binary forms, with or without
+  * modification, are permitted provided that the following conditions
+@@ -46,10 +47,14 @@
+ #include <stdlib.h>
+ #include <string.h>
+ #include <unistd.h>
+-#include <shadow.h>
+ #include <syslog.h>
+ #include <sys/types.h>
+ #include <sys/stat.h>
++#include <sys/time.h>
++#include <sys/resource.h>
++#include <sys/wait.h>
++#include <signal.h>
++#include <fcntl.h>
+ 
+ #include <security/pam_modules.h>
+ #include <security/pam_modutil.h>
+@@ -59,6 +64,7 @@
+ #include "opasswd.h"
+ 
+ #define DEFAULT_BUFLEN 2048
++#define MAX_FD_NO 20000
+ 
+ struct options_t {
+   int debug;
+@@ -102,6 +108,184 @@ parse_option (pam_handle_t *pamh, const char *argv, options_t *options)
+     pam_syslog (pamh, LOG_ERR, "pam_pwhistory: unknown option: %s", argv);
+ }
+ 
++static int
++run_save_helper(pam_handle_t *pamh, const char *user,
++		int howmany, int debug)
++{
++  int retval, child;
++  struct sigaction newsa, oldsa;
++
++  memset(&newsa, '\0', sizeof(newsa));
++  newsa.sa_handler = SIG_DFL;
++  sigaction(SIGCHLD, &newsa, &oldsa);
++
++  child = fork();
++  if (child == 0)
++    {
++      int i = 0;
++      struct rlimit rlim;
++      int dummyfds[2];
++      static char *envp[] = { NULL };
++      char *args[] = { NULL, NULL, NULL, NULL, NULL, NULL };
++
++      /* replace std file descriptors with a dummy pipe */
++      if (pipe2(dummyfds, O_NONBLOCK) == 0)
++        {
++          dup2(dummyfds[0], STDIN_FILENO);
++          dup2(dummyfds[1], STDOUT_FILENO);
++          dup2(dummyfds[1], STDERR_FILENO);
++        }
++
++      if (getrlimit(RLIMIT_NOFILE,&rlim) == 0)
++        {
++          if (rlim.rlim_max >= MAX_FD_NO)
++            rlim.rlim_max = MAX_FD_NO;
++	  for (i = STDERR_FILENO + 1; i < (int)rlim.rlim_max; i++)
++             {
++		if (i != dummyfds[0])
++		  close(i);
++	     }
++	}
++
++      /* exec binary helper */
++      args[0] = strdup(PWHISTORY_HELPER);
++      args[1] = strdup("save");
++      args[2] = x_strdup(user);
++      asprintf(&args[3], "%d", howmany);
++      asprintf(&args[4], "%d", debug);
++
++      execve(args[0], args, envp);
++
++      _exit(PAM_SYSTEM_ERR);
++    }
++  else if (child > 0)
++    {
++      /* wait for child */
++      int rc = 0;
++      rc = waitpid(child, &retval, 0);  /* wait for helper to complete */
++      if (rc < 0)
++        {
++	  pam_syslog(pamh, LOG_ERR, "pwhistory_helper save waitpid returned %d: %m", rc);
++	  retval = PAM_SYSTEM_ERR;
++	}
++      else if (!WIFEXITED(retval))
++        {
++	  pam_syslog(pamh, LOG_ERR, "pwhistory_helper save abnormal exit: %d", retval);
++	  retval = PAM_SYSTEM_ERR;
++	}
++      else
++        {
++	  retval = WEXITSTATUS(retval);
++	}
++    } 
++  else
++    {
++	retval = PAM_SYSTEM_ERR;
++    }
++
++  sigaction(SIGCHLD, &oldsa, NULL);   /* restore old signal handler */
++
++  return retval;
++}
++
++static int
++run_check_helper(pam_handle_t *pamh, const char *user,
++		 const char *newpass, int debug)
++{
++  int retval, child, fds[2];
++  struct sigaction newsa, oldsa;
++
++  /* create a pipe for the password */
++  if (pipe(fds) != 0)
++    return PAM_SYSTEM_ERR;
++
++  memset(&newsa, '\0', sizeof(newsa));
++  newsa.sa_handler = SIG_DFL;
++  sigaction(SIGCHLD, &newsa, &oldsa);
++
++  child = fork();
++  if (child == 0)
++    {
++      int i = 0;
++      struct rlimit rlim;
++      int dummyfds[2];
++      static char *envp[] = { NULL };
++      char *args[] = { NULL, NULL, NULL, NULL, NULL };
++
++      /* reopen stdin as pipe */
++      dup2(fds[0], STDIN_FILENO);
++
++      /* replace std file descriptors with a dummy pipe */
++      if (pipe2(dummyfds, O_NONBLOCK) == 0)
++        {
++          dup2(dummyfds[1], STDOUT_FILENO);
++          dup2(dummyfds[1], STDERR_FILENO);
++        }
++
++      if (getrlimit(RLIMIT_NOFILE,&rlim) == 0)
++        {
++          if (rlim.rlim_max >= MAX_FD_NO)
++            rlim.rlim_max = MAX_FD_NO;
++	  for (i = STDERR_FILENO + 1; i < (int)rlim.rlim_max; i++)
++             {
++		if (i != dummyfds[0])
++		  close(i);
++	     }
++	}
++
++      /* exec binary helper */
++      args[0] = strdup(PWHISTORY_HELPER);
++      args[1] = strdup("check");
++      args[2] = x_strdup(user);
++      asprintf(&args[3], "%d", debug);
++
++      execve(args[0], args, envp);
++
++      _exit(PAM_SYSTEM_ERR);
++    }
++  else if (child > 0)
++    {
++      /* wait for child */
++      int rc = 0;
++      if (newpass == NULL)
++        newpass = "";
++ 
++      /* send the password to the child */
++      if (write(fds[1], newpass, strlen(newpass)+1) == -1)
++        {
++	  pam_syslog(pamh, LOG_ERR, "Cannot send password to helper: %m");
++	  retval = PAM_SYSTEM_ERR;
++	}
++      newpass = NULL;
++      close(fds[0]);       /* close here to avoid possible SIGPIPE above */
++      close(fds[1]);
++      rc = waitpid(child, &retval, 0);  /* wait for helper to complete */
++      if (rc < 0)
++        {
++	  pam_syslog(pamh, LOG_ERR, "pwhistory_helper check waitpid returned %d: %m", rc);
++	  retval = PAM_SYSTEM_ERR;
++	}
++      else if (!WIFEXITED(retval))
++        {
++	  pam_syslog(pamh, LOG_ERR, "pwhistory_helper check abnormal exit: %d", retval);
++	  retval = PAM_SYSTEM_ERR;
++	}
++      else
++        {
++	  retval = WEXITSTATUS(retval);
++	}
++    } 
++  else
++    {
++	close(fds[0]);
++	close(fds[1]);
++	retval = PAM_SYSTEM_ERR;
++    }
++
++  sigaction(SIGCHLD, &oldsa, NULL);   /* restore old signal handler */
++
++  return retval;
++}
+ 
+ /* This module saves the current crypted password in /etc/security/opasswd
+    and then compares the new password with all entries in this file. */
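Review bot: In the parent branch of run_check_helper a failed `write()` sets `retval = PAM_SYSTEM_ERR`, but `waitpid(child, &retval, 0)` then overwrites it, so the helper's verdict on whatever it read from the pipe is returned as if the password had been delivered. The failure should be kept in its own flag and applied after the exit status is decoded, as sketched below. In both helpers the child also hands `strdup`, `x_strdup` and `asprintf` results to `execve` unchecked, so an allocation failure can truncate argv or leave `args[3]`/`args[4]` undefined. Calling `_exit(PAM_SYSTEM_ERR)` before `execve` when any of them failed would be safer, and the ignored `dup2` results deserve the same treatment.

```c
/* … unchanged: pipe(), sigaction(), fork() and the child branch … */
  else if (child > 0)
    {
      int rc = 0;
      int send_failed = 0;

      /* … unchanged: NULL newpass replaced by "" … */
      if (write(fds[1], newpass, strlen(newpass)+1) == -1)
        {
          pam_syslog(pamh, LOG_ERR, "Cannot send password to helper: %m");
          send_failed = 1;
        }
      /* … unchanged: newpass = NULL, both close() calls, waitpid() and the status decoding … */

      /* a verdict on a password that never reached the helper must not be trusted */
      if (send_failed)
        retval = PAM_SYSTEM_ERR;
    }
/* … unchanged: fork-failure branch and SIGCHLD restore … */
```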
+@@ -109,7 +293,6 @@ parse_option (pam_handle_t *pamh, const char *argv, options_t *options)
+ PAM_EXTERN int
+ pam_sm_chauthtok (pam_handle_t *pamh, int flags, int argc, const char **argv)
+ {
+-  struct passwd *pwd;
+   const char *newpass;
+   const char *user;
+     int retval, tries;
+@@ -154,31 +337,13 @@ pam_sm_chauthtok (pam_handle_t *pamh, int flags, int argc, const char **argv)
+       return PAM_SUCCESS;
+     }
+ 
+-  pwd = pam_modutil_getpwnam (pamh, user);
+-  if (pwd == NULL)
+-    return PAM_USER_UNKNOWN;
++  retval = save_old_pass (pamh, user, options.remember, options.debug);
+ 
+-  if ((strcmp(pwd->pw_passwd, "x") == 0)  ||
+-      ((pwd->pw_passwd[0] == '#') &&
+-       (pwd->pw_passwd[1] == '#') &&
+-       (strcmp(pwd->pw_name, pwd->pw_passwd + 2) == 0)))
+-    {
+-      struct spwd *spw = pam_modutil_getspnam (pamh, user);
+-      if (spw == NULL)
+-	return PAM_USER_UNKNOWN;
++  if (retval == PAM_PWHISTORY_RUN_HELPER) 
++      retval = run_save_helper(pamh, user, options.remember, options.debug);
+ 
+-      retval = save_old_pass (pamh, user, pwd->pw_uid, spw->sp_pwdp,
+-			      options.remember, options.debug);
+-      if (retval != PAM_SUCCESS)
+-	return retval;
+-    }
+-  else
+-    {
+-      retval = save_old_pass (pamh, user, pwd->pw_uid, pwd->pw_passwd,
+-			      options.remember, options.debug);
+-      if (retval != PAM_SUCCESS)
+-	return retval;
+-    }
++  if (retval != PAM_SUCCESS)
++    return retval;
+ 
+   newpass = NULL;
+   tries = 0;
+@@ -207,8 +372,11 @@ pam_sm_chauthtok (pam_handle_t *pamh, int flags, int argc, const char **argv)
+       if (options.debug)
+ 	pam_syslog (pamh, LOG_DEBUG, "check against old password file");
+ 
+-      if (check_old_pass (pamh, user, newpass,
+-			  options.debug) != PAM_SUCCESS)
++      retval = check_old_pass (pamh, user, newpass, options.debug);
++      if (retval == PAM_PWHISTORY_RUN_HELPER)
++	  retval = run_check_helper(pamh, user, newpass, options.debug);
++
++      if (retval != PAM_SUCCESS)
+ 	{
+ 	  if (getuid() || options.enforce_for_root ||
+ 	      (flags & PAM_CHANGE_EXPIRED_AUTHTOK))
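Review bot: A failure of the helper itself (run_check_helper returns `PAM_SYSTEM_ERR` when fork or waitpid fails or the helper exits abnormally) now enters the same `retval != PAM_SUCCESS` branch as a genuine history match. As far as the visible condition shows, that branch only acts when `getuid()` is non-zero, `enforce_for_root` is set or the token is expired, so for root a broken helper appears to pass the history check silently. Logging the failure first, e.g. `if (retval == PAM_SYSTEM_ERR) pam_syslog (pamh, LOG_ERR, "password history check could not be performed");`, would make it visible in the auth log. The enclosing block continues outside the hunk.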
+diff --git a/modules/pam_pwhistory/pwhistory_helper.8.xml b/modules/pam_pwhistory/pwhistory_helper.8.xml
+new file mode 100644
+index 0000000..a030176
+--- /dev/null
++++ b/modules/pam_pwhistory/pwhistory_helper.8.xml
+@@ -0,0 +1,68 @@
++<?xml version="1.0" encoding='UTF-8'?>
++<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
++	"http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">
++
++<refentry id="pwhistory_helper">
++
++  <refmeta>
++    <refentrytitle>pwhistory_helper</refentrytitle>
++    <manvolnum>8</manvolnum>
++    <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo>
++  </refmeta>
++
++  <refnamediv id="pwhistory_helper-name">
++    <refname>pwhistory_helper</refname>
++    <refpurpose>Helper binary that transfers password hashes from passwd or shadow to opasswd</refpurpose>
++  </refnamediv>
++
++  <refsynopsisdiv>
++    <cmdsynopsis id="pwhistory_helper-cmdsynopsis">
++      <command>pwhistory_helper</command>
++      <arg choice="opt">
++        ...
++      </arg>
++    </cmdsynopsis>
++  </refsynopsisdiv>
++
++  <refsect1 id="pwhistory_helper-description">
++
++    <title>DESCRIPTION</title>
++
++    <para>
++      <emphasis>pwhistory_helper</emphasis> is a helper program for the
++      <emphasis>pam_pwhistory</emphasis> module that transfers password hashes
++      from passwd or shadow file to the opasswd file and checks a password
++      supplied by user against the existing hashes in the opasswd file.
++    </para>
++
++    <para>
++      The purpose of the helper is to enable tighter confinement of
++      login and password changing services. The helper is thus called only
++      when SELinux is enabled on the system.
++    </para>
++
++    <para>
++      The interface of the helper - command line options, and input/output
++      data format are internal to the <emphasis>pam_pwhistory</emphasis>
++      module and it should not be called directly from applications.
++    </para>
++  </refsect1>
++
++  <refsect1 id='pwhistory_helper-see_also'>
++    <title>SEE ALSO</title>
++    <para>
++      <citerefentry>
++	<refentrytitle>pam_pwhistory</refentrytitle><manvolnum>8</manvolnum>
++      </citerefentry>
++    </para>
++  </refsect1>
++
++  <refsect1 id='pwhistory_helper-author'>
++    <title>AUTHOR</title>
++      <para>
++        Written by Tomas Mraz based on the code originally in
++        <emphasis>pam_pwhistory and pam_unix</emphasis> modules.
++      </para>
++  </refsect1>
++
++</refentry>
+diff --git a/modules/pam_pwhistory/pwhistory_helper.c b/modules/pam_pwhistory/pwhistory_helper.c
+new file mode 100644
+index 0000000..b07ab81
+--- /dev/null
++++ b/modules/pam_pwhistory/pwhistory_helper.c
+@@ -0,0 +1,209 @@
++/* 
++ * Copyright (c) 2013 Red Hat, Inc.
++ * Author: Tomas Mraz <tmraz@redhat.com>
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ * 1. Redistributions of source code must retain the above copyright
++ *    notice, and the entire permission notice in its entirety,
++ *    including the disclaimer of warranties.
++ * 2. Redistributions in binary form must reproduce the above copyright
++ *    notice, this list of conditions and the following disclaimer in the
++ *    documentation and/or other materials provided with the distribution.
++ * 3. The name of the author may not be used to endorse or promote
++ *    products derived from this software without specific prior
++ *    written permission.
++ *
++ * ALTERNATIVELY, this product may be distributed under the terms of
++ * the GNU Public License, in which case the provisions of the GPL are
++ * required INSTEAD OF the above restrictions.  (This clause is
++ * necessary due to a potential bad interaction between the GPL and
++ * the restrictions contained in a BSD-style copyright.)
++ *
++ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
++ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
++ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
++ * DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
++ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
++ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
++ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ */
++
++#include "config.h"
++
++#include <stdio.h>
++#include <stdlib.h>
++#include <string.h>
++#include <syslog.h>
++#include <errno.h>
++#include <unistd.h>
++#include <signal.h>
++#include <security/_pam_types.h>
++#include <security/_pam_macros.h>
++#include "opasswd.h"
++
++#define MAXPASS 200
++
++static void
++su_sighandler(int sig)
++{
++#ifndef SA_RESETHAND
++        /* emulate the behaviour of the SA_RESETHAND flag */
++        if ( sig == SIGILL || sig == SIGTRAP || sig == SIGBUS || sig = SIGSERV ) {
++		struct sigaction sa;
++		memset(&sa, '\0', sizeof(sa));
++		sa.sa_handler = SIG_DFL;
++                sigaction(sig, &sa, NULL);
++	}
++#endif
++        if (sig > 0) {
++                _exit(sig);
++        }
++}
++
++static void
++setup_signals(void)
++{
++  struct sigaction action;        /* posix signal structure */
++         
++  /*
++   * Setup signal handlers
++   */
++  (void) memset((void *) &action, 0, sizeof(action));
++  action.sa_handler = su_sighandler;
++#ifdef SA_RESETHAND
++  action.sa_flags = SA_RESETHAND;
++#endif
++  (void) sigaction(SIGILL, &action, NULL);
++  (void) sigaction(SIGTRAP, &action, NULL);
++  (void) sigaction(SIGBUS, &action, NULL);
++  (void) sigaction(SIGSEGV, &action, NULL);
++  action.sa_handler = SIG_IGN;
++  action.sa_flags = 0;
++  (void) sigaction(SIGTERM, &action, NULL);
++  (void) sigaction(SIGHUP, &action, NULL);
++  (void) sigaction(SIGINT, &action, NULL);
++  (void) sigaction(SIGQUIT, &action, NULL);
++}
++
++static int
++read_passwords(int fd, int npass, char **passwords)
++{
++  int rbytes = 0;
++  int offset = 0;
++  int i = 0;
++  char *pptr;
++  while (npass > 0)
++    {
++      rbytes = read(fd, passwords[i]+offset, MAXPASS-offset);
++
++      if (rbytes < 0)
++        {
++          if (errno == EINTR) continue;
++          break;
++        }
++      if (rbytes == 0)
++          break;
++
++      while (npass > 0 && (pptr=memchr(passwords[i]+offset, '\0', rbytes))
++             != NULL)
++        {
++          rbytes -= pptr - (passwords[i]+offset) + 1;
++          i++;
++          offset = 0;
++          npass--;
++          if (rbytes > 0)
++            {
++              if (npass > 0)
++                memcpy(passwords[i], pptr+1, rbytes);
++              memset(pptr+1, '\0', rbytes);
++            }
++        }
++      offset += rbytes;
++    }
++
++    /* clear up */
++    if (offset > 0 && npass > 0) 
++      memset(passwords[i], '\0', offset);
++
++   return i;
++}
++
++
++static int
++check_history(const char *user, const char *debug)
++{
++  char pass[MAXPASS + 1];
++  char *passwords[] = { pass };
++  int npass;
++  int dbg = atoi(debug); /* no need to be too fancy here */
++  int retval;
++
++  /* read the password from stdin (a pipe from the pam_pwhistory module) */
++  npass = read_passwords(STDIN_FILENO, 1, passwords);
++
++  if (npass != 1)
++    { /* is it a valid password? */
++      helper_log_err(LOG_DEBUG, "no password supplied");
++      return PAM_AUTHTOK_ERR;
++    }
++
++  retval = check_old_pass(user, pass, dbg);
++
++  memset(pass, '\0', MAXPASS);	/* clear memory of the password */
++
++  return retval;
++}
++
++static int
++save_history(const char *user, const char *howmany, const char *debug)
++{
++  int num = atoi(howmany);
++  int dbg = atoi(debug); /* no need to be too fancy here */
++  int retval;
++
++  retval = save_old_pass(user, num, dbg);
++
++  return retval;
++}
++
++int
++main(int argc, char *argv[])
++{
++  const char *option;
++  const char *user;
++
++  /*
++   * Catch or ignore as many signal as possible.
++   */
++  setup_signals();
++
++  /*
++   * we establish that this program is running with non-tty stdin.
++   * this is to discourage casual use.
++   */
++
++  if (isatty(STDIN_FILENO) || argc < 4)
++    {
++      fprintf(stderr,
++		"This binary is not designed for running in this way.\n");
++      sleep(10);	/* this should discourage/annoy the user */
++      return PAM_SYSTEM_ERR;
++    }
++
++  option = argv[1];
++  user = argv[2];
++
++  if (strcmp(option, "check") == 0 && argc == 4)
++    return check_history(user, argv[3]);
++  else if (strcmp(option, "save") == 0 && argc == 5)
++    return save_history(user, argv[3], argv[4]);
++
++  return PAM_SYSTEM_ERR;
++}
++
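Review bot: In `su_sighandler` the `#ifndef SA_RESETHAND` branch tests `sig = SIGSERV`, an assignment to a misspelled signal name that would not compile on a platform lacking `SA_RESETHAND`; it should read `sig == SIGSEGV`, matching the signals registered in `setup_signals`. In `check_history`, `memset(pass, '\0', MAXPASS)` clears one byte less than the `MAXPASS + 1` buffer and, as the last use of `pass`, is a store the compiler may drop. `memset(pass, '\0', sizeof(pass))` fixes the length, and a wipe the optimizer cannot remove would be safer for the plaintext password. `main` also takes `argv[2]` as the user without comparing it to the caller, so the helper appears to rely entirely on how it is installed and confined; if that is the intent, say so in a comment such as `/* user is supplied by pam_pwhistory; this helper performs no caller check and must not be installed setuid */`.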
diff --git a/SOURCES/pam-1.1.8-relax-audit.patch b/SOURCES/pam-1.1.8-relax-audit.patch
new file mode 100644
index 0000000..8355fa4
--- /dev/null
+++ b/SOURCES/pam-1.1.8-relax-audit.patch
@@ -0,0 +1,12 @@
+diff -up Linux-PAM-1.1.8/libpam/pam_audit.c.relax-audit Linux-PAM-1.1.8/libpam/pam_audit.c
+--- Linux-PAM-1.1.8/libpam/pam_audit.c.relax-audit	2016-03-03 10:01:15.000000000 +0100
++++ Linux-PAM-1.1.8/libpam/pam_audit.c	2016-04-22 15:18:55.692925308 +0200
+@@ -53,7 +53,7 @@ _pam_audit_writelog(pam_handle_t *pamh,
+   pamh->audit_state |= PAMAUDIT_LOGGED;
+ 
+   if (rc < 0) {
+-      if (rc == -EPERM && getuid() != 0)
++      if (rc == -EPERM)
+           return 0;
+       if (errno != old_errno) {
+           old_errno = errno;
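Review bot: With the `getuid() != 0` test removed, `if (rc == -EPERM)` returns 0 for every caller, so a root-run service refused by the audit subsystem now loses its PAM audit record without any trace. The patch gives no reason (presumably root processes that lack the audit-write capability), so it should be documented at the check, e.g. `/* EPERM: caller may not write audit records (also root without CAP_AUDIT_WRITE); skip silently */`. A debug-level `pam_syslog` on this path would keep the dropped records detectable. `_pam_audit_writelog` starts and ends outside the hunk.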
diff --git a/SOURCES/pam-1.1.8-succeed-if-large-uid.patch b/SOURCES/pam-1.1.8-succeed-if-large-uid.patch
new file mode 100644
index 0000000..74ec3f3
--- /dev/null
+++ b/SOURCES/pam-1.1.8-succeed-if-large-uid.patch
@@ -0,0 +1,85 @@
+diff -up Linux-PAM-1.1.8/modules/pam_succeed_if/pam_succeed_if.c.large-uid Linux-PAM-1.1.8/modules/pam_succeed_if/pam_succeed_if.c
+--- Linux-PAM-1.1.8/modules/pam_succeed_if/pam_succeed_if.c.large-uid	2013-06-18 16:11:21.000000000 +0200
++++ Linux-PAM-1.1.8/modules/pam_succeed_if/pam_succeed_if.c	2016-07-19 15:00:57.366549150 +0200
+@@ -68,20 +68,20 @@
+  * PAM_SERVICE_ERR if the arguments can't be parsed as numbers. */
+ static int
+ evaluate_num(const pam_handle_t *pamh, const char *left,
+-	     const char *right, int (*cmp)(int, int))
++	     const char *right, int (*cmp)(long long, long long))
+ {
+-	long l, r;
++	long long l, r;
+ 	char *p;
+ 	int ret = PAM_SUCCESS;
+ 
+ 	errno = 0;
+-	l = strtol(left, &p, 0);
++	l = strtoll(left, &p, 0);
+ 	if ((p == NULL) || (*p != '\0') || errno) {
+ 		pam_syslog(pamh, LOG_INFO, "\"%s\" is not a number", left);
+ 		ret = PAM_SERVICE_ERR;
+ 	}
+ 
+-	r = strtol(right, &p, 0);
++	r = strtoll(right, &p, 0);
+ 	if ((p == NULL) || (*p != '\0') || errno) {
+ 		pam_syslog(pamh, LOG_INFO, "\"%s\" is not a number", right);
+ 		ret = PAM_SERVICE_ERR;
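Review bot: `errno` is cleared only once, before the first `strtoll`, so an out-of-range `left` leaves it set and the check after the second conversion also reports `right` as "not a number" even when it parsed cleanly. Adding `errno = 0;` immediately before `r = strtoll(right, &p, 0);` lets each operand be judged on its own. The result is unaffected because `ret` is already `PAM_SERVICE_ERR`; only the log entry is misleading, which matters when someone is diagnosing a failing rule. `evaluate_num` continues past the end of the hunk.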
+@@ -96,32 +96,32 @@ evaluate_num(const pam_handle_t *pamh, c
+ 
+ /* Simple numeric comparison callbacks. */
+ static int
+-eq(int i, int j)
++eq(long long i, long long j)
+ {
+ 	return i == j;
+ }
+ static int
+-ne(int i, int j)
++ne(long long i, long long j)
+ {
+ 	return i != j;
+ }
+ static int
+-lt(int i, int j)
++lt(long long i, long long j)
+ {
+ 	return i < j;
+ }
+ static int
+-le(int i, int j)
++le(long long i, long long j)
+ {
+ 	return lt(i, j) || eq(i, j);
+ }
+ static int
+-gt(int i, int j)
++gt(long long i, long long j)
+ {
+ 	return i > j;
+ }
+ static int
+-ge(int i, int j)
++ge(long long i, long long j)
+ {
+ 	return gt(i, j) || eq(i, j);
+ }
+@@ -298,7 +298,7 @@ evaluate(pam_handle_t *pamh, int debug,
+ 	}
+ 	if (strcasecmp(left, "rhost") == 0) {
+ 		const void *rhost;
+-		if (pam_get_item(pamh, PAM_SERVICE, &rhost) != PAM_SUCCESS ||
++		if (pam_get_item(pamh, PAM_RHOST, &rhost) != PAM_SUCCESS ||
+ 			rhost == NULL)
+ 			rhost = "";
+ 		snprintf(buf, sizeof(buf), "%s", (const char *)rhost);
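Review bot: Nothing records that `rhost` conditions here, and `tty` conditions in the next hunk, change meaning with this patch: the lookups move from `PAM_SERVICE` to `PAM_RHOST` and `PAM_TTY` inside a patch named large-uid. Rules written with these fields were previously compared against the service name, so their outcome can change after the update and existing configurations that use them should be rechecked. A short comment at each lookup would preserve that history, e.g. `/* compare against PAM_RHOST; earlier builds read PAM_SERVICE here */`. `evaluate` starts and ends outside the hunk.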
+@@ -306,7 +306,7 @@ evaluate(pam_handle_t *pamh, int debug,
+ 	}
+ 	if (strcasecmp(left, "tty") == 0) {
+ 		const void *tty;
+-		if (pam_get_item(pamh, PAM_SERVICE, &tty) != PAM_SUCCESS ||
++		if (pam_get_item(pamh, PAM_TTY, &tty) != PAM_SUCCESS ||
+ 			tty == NULL)
+ 			tty = "";
+ 		snprintf(buf, sizeof(buf), "%s", (const char *)tty);
diff --git a/SOURCES/pam-1.1.8-translation-updates.patch b/SOURCES/pam-1.1.8-translation-updates.patch
new file mode 100644
index 0000000..a0ba9aa
--- /dev/null
+++ b/SOURCES/pam-1.1.8-translation-updates.patch
@@ -0,0 +1,1522 @@
+diff -urN a/Linux-PAM-1.1.8/po/bn_IN.po b/Linux-PAM-1.1.8/po/bn_IN.po
+--- a/Linux-PAM-1.1.8/po/bn_IN.po	2013-11-28 17:24:14.190596598 +0530
++++ b/Linux-PAM-1.1.8/po/bn_IN.po	2013-11-28 17:27:02.136118296 +0530
+@@ -1,314 +1,335 @@
+ # SOME DESCRIPTIVE TITLE.
+ # Copyright (C) YEAR Linux-PAM Project
+ # This file is distributed under the same license as the PACKAGE package.
+-#
++# 
+ # Translators:
+ # Runa Bhattacharjee <runab@fedoraproject.org>, 2009.
+ # Runa Bhattacharjee <runab@redhat.com>, 2007, 2008.
+ #   <runabh@gmail.com>, 2012.
++# sray <sray@redhat.com>, 2013. #zanata
+ msgid ""
+ msgstr ""
+ "Project-Id-Version: Linux-PAM\n"
+ "Report-Msgid-Bugs-To: http://sourceforge.net/projects/pam\n"
+-"POT-Creation-Date: 2013-09-19 10:02+0200\n"
+-"PO-Revision-Date: 2012-02-28 10:38+0000\n"
+-"Last-Translator: runa <runabh@gmail.com>\n"
++"POT-Creation-Date: 2012-08-17 11:35+0200\n"
++"PO-Revision-Date: 2013-10-03 02:24-0400\n"
++"Last-Translator: sray <sray@redhat.com>\n"
+ "Language-Team: Bengali (India) <anubad@lists.ankur.org.in>\n"
+ "MIME-Version: 1.0\n"
+ "Content-Type: text/plain; charset=UTF-8\n"
+ "Content-Transfer-Encoding: 8bit\n"
+-"Language: bn_IN\n"
++"Language: bn-IN\n"
+ "Plural-Forms: nplurals=2; plural=(n != 1)\n"
++"X-Generator: Zanata 3.1.2\n"
+ 
+-#: libpam_misc/misc_conv.c:33
++#. * external timeout definitions - these can be overriden by the
++#. * application.
++#. time when we warn
++#. time when we timeout
++#: .././libpam_misc/misc_conv.c:33
+ msgid "...Time is running out...\n"
+ msgstr "...সময় সমাপ্তির পথে...\n"
+ 
+-#: libpam_misc/misc_conv.c:34
++#: .././libpam_misc/misc_conv.c:34
+ msgid "...Sorry, your time is up!\n"
+ msgstr "...দুঃখিত, সময় সমাপ্ত!\n"
+ 
+-#: libpam_misc/misc_conv.c:342
++#: .././libpam_misc/misc_conv.c:342
+ #, c-format
+ msgid "erroneous conversation (%d)\n"
+ msgstr "ত্রুটিপূর্ণ তথ্যবিনিময় (conversation) (%d)\n"
+ 
+-#: libpam/pam_get_authtok.c:39 modules/pam_exec/pam_exec.c:170
+-#: modules/pam_unix/pam_unix_auth.c:160 modules/pam_userdb/pam_userdb.c:64
++#. get this user's authentication token
++#: .././libpam/pam_get_authtok.c:39
++#: .././modules/pam_exec/pam_exec.c:142
++#: .././modules/pam_unix/pam_unix_auth.c:160
++#: .././modules/pam_userdb/pam_userdb.c:64
+ msgid "Password: "
+ msgstr "পাসওয়ার্ড: "
+ 
+-#: libpam/pam_get_authtok.c:41 modules/pam_cracklib/pam_cracklib.c:68
++#. For Translators: "%s%s" could be replaced with "<service> " or "".
++#: .././libpam/pam_get_authtok.c:41
++#: .././modules/pam_cracklib/pam_cracklib.c:68
+ #, c-format
+ msgid "New %s%spassword: "
+ msgstr "নতুন %s%s পাসওয়ার্ড: "
+ 
+-#: libpam/pam_get_authtok.c:43 modules/pam_cracklib/pam_cracklib.c:70
++#. For Translators: "%s%s" could be replaced with "<service> " or "".
++#: .././libpam/pam_get_authtok.c:43
++#: .././modules/pam_cracklib/pam_cracklib.c:70
+ #, c-format
+ msgid "Retype new %s%spassword: "
+ msgstr "নতুন %s%s পাসওয়ার্ড পুনরায় লিখুন: "
+ 
+-#: libpam/pam_get_authtok.c:44 modules/pam_cracklib/pam_cracklib.c:71
++#: .././libpam/pam_get_authtok.c:44
++#: .././modules/pam_cracklib/pam_cracklib.c:71
+ msgid "Sorry, passwords do not match."
+ msgstr "দুঃখিত, পাসওয়ার্ড দুটি এক নয়।"
+ 
+-#: libpam/pam_get_authtok.c:135 libpam/pam_get_authtok.c:211
++#: .././libpam/pam_get_authtok.c:135
++#: .././libpam/pam_get_authtok.c:211
+ #, c-format
+ msgid "Retype %s"
+ msgstr "%s পুনরায় লিখুন"
+ 
+-#: libpam/pam_get_authtok.c:155 libpam/pam_get_authtok.c:227
++#. We want to abort the password change
++#: .././libpam/pam_get_authtok.c:155
++#: .././libpam/pam_get_authtok.c:227
+ msgid "Password change aborted."
+ msgstr "পাসওয়ার্ড পরিবর্তনের কর্ম পরিত্যাগ করা হয়েছে।"
+ 
+-#: libpam/pam_item.c:311
++#: .././libpam/pam_item.c:311
+ msgid "login:"
+ msgstr "লগ-ইন:"
+ 
+-#: libpam/pam_strerror.c:40
++#: .././libpam/pam_strerror.c:40
+ msgid "Success"
+ msgstr "সফল"
+ 
+-#: libpam/pam_strerror.c:42
++#: .././libpam/pam_strerror.c:42
+ msgid "Critical error - immediate abort"
+ msgstr "গুরুতব সমস্যা - এই মুহূর্তে পরিত্যাগ করা হবে"
+ 
+-#: libpam/pam_strerror.c:44
++#: .././libpam/pam_strerror.c:44
+ msgid "Failed to load module"
+ msgstr "মডিউল লোড করতে ব্যর্থ"
+ 
+-#: libpam/pam_strerror.c:46
++#: .././libpam/pam_strerror.c:46
+ msgid "Symbol not found"
+ msgstr "চিহ্ন পাওয়া যায়নি"
+ 
+-#: libpam/pam_strerror.c:48
++#: .././libpam/pam_strerror.c:48
+ msgid "Error in service module"
+ msgstr "পরিসেবা মডিউলে সমস্যা"
+ 
+-#: libpam/pam_strerror.c:50
++#: .././libpam/pam_strerror.c:50
+ msgid "System error"
+ msgstr "সিস্টেম সংক্রান্ত সমস্যা"
+ 
+-#: libpam/pam_strerror.c:52
++#: .././libpam/pam_strerror.c:52
+ msgid "Memory buffer error"
+ msgstr "মেমরি বাফার সংক্রান্ত সমস্যা"
+ 
+-#: libpam/pam_strerror.c:54
++#: .././libpam/pam_strerror.c:54
+ msgid "Permission denied"
+ msgstr "অনুমতি প্রদান করা হয়নি"
+ 
+-#: libpam/pam_strerror.c:56
++#: .././libpam/pam_strerror.c:56
+ msgid "Authentication failure"
+ msgstr "অনুমোদন ব্যর্থ"
+ 
+-#: libpam/pam_strerror.c:58
++#: .././libpam/pam_strerror.c:58
+ msgid "Insufficient credentials to access authentication data"
+ msgstr "অনুমোদন সংক্রান্ত তথ্য প্রাপ্ত করার জন্য পর্যাপ্ত প্রমাণ উপলব্ধ নেই"
+ 
+-#: libpam/pam_strerror.c:60
++#: .././libpam/pam_strerror.c:60
+ msgid "Authentication service cannot retrieve authentication info"
+ msgstr "অনুমোদন পরিসেবা দ্বারা অনুমোদন সংক্রান্ত তথ্য উদ্ধার করা সম্ভব হয়নি"
+ 
+-#: libpam/pam_strerror.c:62
++#: .././libpam/pam_strerror.c:62
+ msgid "User not known to the underlying authentication module"
+ msgstr "পটভূমিতে চলমান অনুমোদন ব্যবস্থায় ব্যবহারকারী পরিচিত নন।"
+ 
+-#: libpam/pam_strerror.c:64
++#: .././libpam/pam_strerror.c:64
+ msgid "Have exhausted maximum number of retries for service"
+ msgstr "পরিসেবায় উপলব্ধ সর্বাধিক প্রচেষ্টার সুযোগ সংখ্যা সমাপ্ত"
+ 
+-#: libpam/pam_strerror.c:66
++#: .././libpam/pam_strerror.c:66
+ msgid "Authentication token is no longer valid; new one required"
+ msgstr "অনুমোদনের টোকেন বৈধ নয়; নতুন টোকেন ব্যবহার করা আবশ্যক"
+ 
+-#: libpam/pam_strerror.c:68
++#: .././libpam/pam_strerror.c:68
+ msgid "User account has expired"
+ msgstr "ব্যবহারকারী অ্যাকাউন্টের মেয়াদ পূর্ণ হয়েছে"
+ 
+-#: libpam/pam_strerror.c:70
++#: .././libpam/pam_strerror.c:70
+ msgid "Cannot make/remove an entry for the specified session"
+ msgstr "সুনির্দিষ্ট সেশানের জন্য কোনো এন্ট্রি নির্মাণ/অপসারণ করা সম্ভব নয়"
+ 
+-#: libpam/pam_strerror.c:72
++#: .././libpam/pam_strerror.c:72
+ msgid "Authentication service cannot retrieve user credentials"
+ msgstr "অনুমোদন পরিসেবা দ্বারা প্রয়োজনীয় প্রমাণ উদ্ধার করা সম্ভব হয়নি"
+ 
+-#: libpam/pam_strerror.c:74
++#: .././libpam/pam_strerror.c:74
+ msgid "User credentials expired"
+ msgstr "ব্যবহারকারীর পরিচয়প্রমাণের তথ্যের মেয়াদ পূর্ণ হয়েছে"
+ 
+-#: libpam/pam_strerror.c:76
++#: .././libpam/pam_strerror.c:76
+ msgid "Failure setting user credentials"
+ msgstr "ব্যবহারকারীর পরিচয়প্রমাণের তথ্য নির্ধারণ করতে ব্যর্থ"
+ 
+-#: libpam/pam_strerror.c:78
++#: .././libpam/pam_strerror.c:78
+ msgid "No module specific data is present"
+ msgstr "মডিউল সংক্রান্ত কোনো তথ্য উপস্থিত নেই"
+ 
+-#: libpam/pam_strerror.c:80
++#: .././libpam/pam_strerror.c:80
+ msgid "Bad item passed to pam_*_item()"
+ msgstr "pam_*_item()-এ সঠিক মান প্রেরিত হয়নি"
+ 
+-#: libpam/pam_strerror.c:82
++#: .././libpam/pam_strerror.c:82
+ msgid "Conversation error"
+ msgstr "Conversation অর্থাৎ তথ্য বিনিময়কালীন সমস্যা"
+ 
+-#: libpam/pam_strerror.c:84
++#: .././libpam/pam_strerror.c:84
+ msgid "Authentication token manipulation error"
+ msgstr "অনুমোদন টোকেন ব্যবস্থাপনা করতে সমস্যা"
+ 
+-#: libpam/pam_strerror.c:86
++#: .././libpam/pam_strerror.c:86
+ msgid "Authentication information cannot be recovered"
+ msgstr "অনুমোদন সংক্রান্ত তথ্য পুনরুদ্ধার করতে ব্যর্থ"
+ 
+-#: libpam/pam_strerror.c:88
++#: .././libpam/pam_strerror.c:88
+ msgid "Authentication token lock busy"
+ msgstr "অনুমোদন টোকেনের লক ব্যস্ত"
+ 
+-#: libpam/pam_strerror.c:90
++#: .././libpam/pam_strerror.c:90
+ msgid "Authentication token aging disabled"
+ msgstr "অনুমোদন টোকেনের মেয়াদ পূর্তী ব্যবস্থা নিষ্ক্রিয়"
+ 
+-#: libpam/pam_strerror.c:92
++#: .././libpam/pam_strerror.c:92
+ msgid "Failed preliminary check by password service"
+ msgstr "পাসওয়ার্ড পরিসেবা দ্বারা প্রারম্ভিক পরীক্ষা ব্যর্থ"
+ 
+-#: libpam/pam_strerror.c:94
++#: .././libpam/pam_strerror.c:94
+ msgid "The return value should be ignored by PAM dispatch"
+ msgstr "উৎপন্ন মান PAM dispatch দ্বারা অগ্রাহ্য করা হবে"
+ 
+-#: libpam/pam_strerror.c:96
++#: .././libpam/pam_strerror.c:96
+ msgid "Module is unknown"
+ msgstr "মডিউল অজানা"
+ 
+-#: libpam/pam_strerror.c:98
++#: .././libpam/pam_strerror.c:98
+ msgid "Authentication token expired"
+ msgstr "অনুমোদন টোকেনের মেয়াদ পূর্ণ হয়েছে"
+ 
+-#: libpam/pam_strerror.c:100
++#: .././libpam/pam_strerror.c:100
+ msgid "Conversation is waiting for event"
+-msgstr "Conversation অর্থাৎ তথ্য বিনিময় প্রক্রিয়া একটি ইভেন্টের অপেক্ষায় রয়েছে"
++msgstr ""
++"Conversation অর্থাৎ তথ্য বিনিময় প্রক্রিয়া একটি ইভেন্টের অপেক্ষায় রয়েছে"
+ 
+-#: libpam/pam_strerror.c:102
++#: .././libpam/pam_strerror.c:102
+ msgid "Application needs to call libpam again"
+ msgstr "অ্যাপ্লিকেশন দ্বারা পুনরায় libpam আরম্ভ করা আবশ্যক"
+ 
+-#: libpam/pam_strerror.c:105
++#: .././libpam/pam_strerror.c:105
+ msgid "Unknown PAM error"
+ msgstr "PAM সংক্রান্ত অজানা ত্রুটি"
+ 
+-#: modules/pam_cracklib/pam_cracklib.c:618
++#: .././modules/pam_cracklib/pam_cracklib.c:618
+ msgid "is the same as the old one"
+ msgstr "পুরোনোটির অনুরূপ"
+ 
+-#: modules/pam_cracklib/pam_cracklib.c:624
+-#: modules/pam_cracklib/pam_cracklib.c:628
+-#: modules/pam_cracklib/pam_cracklib.c:638
++#: .././modules/pam_cracklib/pam_cracklib.c:624
++#: .././modules/pam_cracklib/pam_cracklib.c:628
++#: .././modules/pam_cracklib/pam_cracklib.c:638
+ msgid "memory allocation error"
+ msgstr "মেমরি বরাদ্দ করতে সমস্যা"
+ 
+-#: modules/pam_cracklib/pam_cracklib.c:643
++#: .././modules/pam_cracklib/pam_cracklib.c:643
+ msgid "is a palindrome"
+ msgstr "উভমুখী শব্দ"
+ 
+-#: modules/pam_cracklib/pam_cracklib.c:646
++#: .././modules/pam_cracklib/pam_cracklib.c:646
+ msgid "case changes only"
+ msgstr "শুধুমাত্র হরফের ছাঁদ পরিবর্তন করা হয়েছে"
+ 
+-#: modules/pam_cracklib/pam_cracklib.c:649
++#: .././modules/pam_cracklib/pam_cracklib.c:649
+ msgid "is too similar to the old one"
+ msgstr "পুরোনো পাসওয়ার্ডের সমতূল্য"
+ 
+-#: modules/pam_cracklib/pam_cracklib.c:652
++#: .././modules/pam_cracklib/pam_cracklib.c:652
+ msgid "is too simple"
+ msgstr "জটিল নয়"
+ 
+-#: modules/pam_cracklib/pam_cracklib.c:655
++#: .././modules/pam_cracklib/pam_cracklib.c:655
+ msgid "is rotated"
+ msgstr "ঘোরানো হয়েছে"
+ 
+-#: modules/pam_cracklib/pam_cracklib.c:658
++#: .././modules/pam_cracklib/pam_cracklib.c:658
+ msgid "not enough character classes"
+ msgstr "পর্যাপ্ত অক্ষর শ্রেণী উপস্থিত নেই"
+ 
+-#: modules/pam_cracklib/pam_cracklib.c:661
++#: .././modules/pam_cracklib/pam_cracklib.c:661
+ msgid "contains too many same characters consecutively"
+ msgstr "একই অক্ষর অত্যাধিক বার ক্রমাগত ব্যবহার করা হয়েছে"
+ 
+-#: modules/pam_cracklib/pam_cracklib.c:664
+-#, fuzzy
++#: .././modules/pam_cracklib/pam_cracklib.c:664
+ msgid "contains too long of a monotonic character sequence"
+ msgstr "একই অক্ষর অত্যাধিক বার ক্রমাগত ব্যবহার করা হয়েছে"
+ 
+-#: modules/pam_cracklib/pam_cracklib.c:667
++#: .././modules/pam_cracklib/pam_cracklib.c:667
+ msgid "contains the user name in some form"
+ msgstr "কোনো রূপে ব্যবহারকারী নাম অন্তর্ভুক্ত হয়েছে"
+ 
+-#: modules/pam_cracklib/pam_cracklib.c:701
+-#: modules/pam_unix/pam_unix_passwd.c:496
++#: .././modules/pam_cracklib/pam_cracklib.c:701
++#: .././modules/pam_unix/pam_unix_passwd.c:502
+ msgid "No password supplied"
+ msgstr "কোনো পাসওয়ার্ড উল্লিখিত হয়নি"
+ 
+-#: modules/pam_cracklib/pam_cracklib.c:701
+-#: modules/pam_unix/pam_unix_passwd.c:496
++#: .././modules/pam_cracklib/pam_cracklib.c:701
++#: .././modules/pam_unix/pam_unix_passwd.c:502
+ msgid "Password unchanged"
+ msgstr "পাসওয়ার্ড পরিবর্তন করা হয়নি"
+ 
+-#: modules/pam_cracklib/pam_cracklib.c:721
+-#: modules/pam_cracklib/pam_cracklib.c:803
++#: .././modules/pam_cracklib/pam_cracklib.c:721
++#: .././modules/pam_cracklib/pam_cracklib.c:803
+ #, c-format
+ msgid "BAD PASSWORD: %s"
+ msgstr "পাসওয়ার্ড ভাল নয়: %s"
+ 
+-#: modules/pam_exec/pam_exec.c:273
++#: .././modules/pam_exec/pam_exec.c:215
+ #, c-format
+ msgid "%s failed: exit code %d"
+ msgstr "%s বিফল: প্রস্থানকালীন কোড %d"
+ 
+-#: modules/pam_exec/pam_exec.c:282
++#: .././modules/pam_exec/pam_exec.c:224
+ #, c-format
+ msgid "%s failed: caught signal %d%s"
+ msgstr "%s বিফল: %d%s সিগনাল প্রাপ্ত"
+ 
+-#: modules/pam_exec/pam_exec.c:291
++#: .././modules/pam_exec/pam_exec.c:233
+ #, c-format
+ msgid "%s failed: unknown status 0x%x"
+ msgstr "%s বিফল: অজানা অবস্থা 0x%x"
+ 
+ #. TRANSLATORS: "strftime options for date of last login"
+-#: modules/pam_lastlog/pam_lastlog.c:282 modules/pam_lastlog/pam_lastlog.c:496
++#: .././modules/pam_lastlog/pam_lastlog.c:282
++#: .././modules/pam_lastlog/pam_lastlog.c:496
+ msgid " %a %b %e %H:%M:%S %Z %Y"
+ msgstr " %a %b %e %H:%M:%S %Z %Y"
+ 
+ #. TRANSLATORS: " from <host>"
+-#: modules/pam_lastlog/pam_lastlog.c:291 modules/pam_lastlog/pam_lastlog.c:505
++#: .././modules/pam_lastlog/pam_lastlog.c:291
++#: .././modules/pam_lastlog/pam_lastlog.c:505
+ #, c-format
+ msgid " from %.*s"
+ msgstr " %.*s থেকে"
+ 
+ #. TRANSLATORS: " on <terminal>"
+-#: modules/pam_lastlog/pam_lastlog.c:303 modules/pam_lastlog/pam_lastlog.c:517
++#: .././modules/pam_lastlog/pam_lastlog.c:303
++#: .././modules/pam_lastlog/pam_lastlog.c:517
+ #, c-format
+ msgid " on %.*s"
+ msgstr " %.*s -র উপর"
+ 
+ #. TRANSLATORS: "Last login: <date> from <host> on <terminal>"
+-#: modules/pam_lastlog/pam_lastlog.c:313
++#: .././modules/pam_lastlog/pam_lastlog.c:313
+ #, c-format
+ msgid "Last login:%s%s%s"
+ msgstr "সর্বশেষ লগ-ইন:%s%s%s"
+ 
+-#: modules/pam_lastlog/pam_lastlog.c:319
++#: .././modules/pam_lastlog/pam_lastlog.c:319
+ msgid "Welcome to your new account!"
+ msgstr "নতুন অ্যাকাউন্টে স্বাগতম!"
+ 
+ #. TRANSLATORS: "Last failed login: <date> from <host> on <terminal>"
+-#: modules/pam_lastlog/pam_lastlog.c:527
++#: .././modules/pam_lastlog/pam_lastlog.c:527
+ #, c-format
+ msgid "Last failed login:%s%s%s"
+ msgstr "সর্বশেষ বিফল লগ-ইন:%s%s%s"
+ 
+-#: modules/pam_lastlog/pam_lastlog.c:536 modules/pam_lastlog/pam_lastlog.c:543
++#: .././modules/pam_lastlog/pam_lastlog.c:536
++#: .././modules/pam_lastlog/pam_lastlog.c:543
+ #, c-format
+ msgid "There was %d failed login attempt since the last successful login."
+ msgid_plural ""
+@@ -317,199 +338,209 @@
+ msgstr[1] "সর্বশেষ সফল লগ-ইনের পরে %d-টি ব্যর্থ লগ-ইনের প্রচেষ্টা করা হয়েছে।"
+ 
+ #. TRANSLATORS: only used if dngettext is not supported
+-#: modules/pam_lastlog/pam_lastlog.c:548
++#: .././modules/pam_lastlog/pam_lastlog.c:548
+ #, c-format
+ msgid "There were %d failed login attempts since the last successful login."
+ msgstr "সর্বশেষ সফল লগ-ইনের পরে %d-টি ব্যর্থ লগ-ইনের প্রচেষ্টা করা হয়েছে।"
+ 
+-#: modules/pam_limits/pam_limits.c:1079
++#: .././modules/pam_limits/pam_limits.c:1079
+ #, c-format
+ msgid "Too many logins for '%s'."
+ msgstr "'%s'-র ক্ষেত্রে অত্যাধিক লগ-ইন"
+ 
+-#: modules/pam_mail/pam_mail.c:297
++#: .././modules/pam_mail/pam_mail.c:297
+ msgid "No mail."
+ msgstr "কোনো মেইল নেই।"
+ 
+-#: modules/pam_mail/pam_mail.c:300
++#: .././modules/pam_mail/pam_mail.c:300
+ msgid "You have new mail."
+ msgstr "নতুন মেইল প্রাপ্ত।"
+ 
+-#: modules/pam_mail/pam_mail.c:303
++#: .././modules/pam_mail/pam_mail.c:303
+ msgid "You have old mail."
+ msgstr "পুরোনো মেইল রয়েছে।"
+ 
+-#: modules/pam_mail/pam_mail.c:307
++#: .././modules/pam_mail/pam_mail.c:307
+ msgid "You have mail."
+ msgstr "মেইল রয়েছে।"
+ 
+-#: modules/pam_mail/pam_mail.c:314
++#: .././modules/pam_mail/pam_mail.c:314
+ #, c-format
+ msgid "You have no mail in folder %s."
+ msgstr "%s ফোল্ডারে কোনো মেইল উপস্থিত নেই।"
+ 
+-#: modules/pam_mail/pam_mail.c:318
++#: .././modules/pam_mail/pam_mail.c:318
+ #, c-format
+ msgid "You have new mail in folder %s."
+ msgstr "%s ফোল্ডারে নতুন মেইল উপস্থিত।"
+ 
+-#: modules/pam_mail/pam_mail.c:322
++#: .././modules/pam_mail/pam_mail.c:322
+ #, c-format
+ msgid "You have old mail in folder %s."
+ msgstr "%s ফোল্ডারে পুরোনো মেইল উপস্থিত রয়েছে।"
+ 
+-#: modules/pam_mail/pam_mail.c:327
++#: .././modules/pam_mail/pam_mail.c:327
+ #, c-format
+ msgid "You have mail in folder %s."
+ msgstr "%s ফোল্ডারে মেইল উপস্থিত রয়েছে।"
+ 
+-#: modules/pam_mkhomedir/pam_mkhomedir.c:113
++#: .././modules/pam_mkhomedir/pam_mkhomedir.c:114
+ #, c-format
+ msgid "Creating directory '%s'."
+ msgstr "'%s' ডিরেক্টরি নির্মাণ করা হচ্ছে।"
+ 
+-#: modules/pam_mkhomedir/pam_mkhomedir.c:183
++#: .././modules/pam_mkhomedir/pam_mkhomedir.c:192
+ #, c-format
+ msgid "Unable to create and initialize directory '%s'."
+ msgstr "ডিরেক্টরি '%s' নির্মাণ ও আরম্ভ করতে ব্যর্থ।"
+ 
+-#: modules/pam_pwhistory/pam_pwhistory.c:217
+-#: modules/pam_unix/pam_unix_passwd.c:517
++#: .././modules/pam_pwhistory/pam_pwhistory.c:384
++#: .././modules/pam_unix/pam_unix_passwd.c:523
+ msgid "Password has been already used. Choose another."
+ msgstr "পাসওয়ার্ড পূর্বে ব্যবহৃত হয়েছে। একটি পৃথক পাসওয়ার্ড নির্বাচন করুন।"
+ 
+-#: modules/pam_pwhistory/pam_pwhistory.c:224
+-#, fuzzy
++#: .././modules/pam_pwhistory/pam_pwhistory.c:391
+ msgid "Password has been already used."
+-msgstr "পাসওয়ার্ড পূর্বে ব্যবহৃত হয়েছে। একটি পৃথক পাসওয়ার্ড নির্বাচন করুন।"
++msgstr "পাসওয়ার্ড পূর্বে ব্যবহৃত হয়েছে।"
+ 
+-#: modules/pam_selinux/pam_selinux.c:210
++#: .././modules/pam_selinux/pam_selinux.c:210
+ #, c-format
+ msgid "Default Security Context %s\n"
+ msgstr "ডিফল্ট Security Context %s\n"
+ 
+-#: modules/pam_selinux/pam_selinux.c:214
++#: .././modules/pam_selinux/pam_selinux.c:214
+ msgid "Would you like to enter a different role or level?"
+ msgstr "ভিন্ন role অথবা level লিখতে ইচ্ছুক কি?"
+ 
+-#: modules/pam_selinux/pam_selinux.c:227
++#. Allow the user to enter role and level individually
++#: .././modules/pam_selinux/pam_selinux.c:227
+ msgid "role:"
+ msgstr "role: "
+ 
+-#: modules/pam_selinux/pam_selinux.c:230
++#: .././modules/pam_selinux/pam_selinux.c:230
+ #, c-format
+ msgid "No default type for role %s\n"
+ msgstr "role %s-র জন্য কোনো ডিফল্ট type উপস্থিত নেই\n"
+ 
+-#: modules/pam_selinux/pam_selinux.c:262
++#: .././modules/pam_selinux/pam_selinux.c:262
+ msgid "level:"
+ msgstr "level: "
+ 
+-#: modules/pam_selinux/pam_selinux.c:295
++#: .././modules/pam_selinux/pam_selinux.c:295
+ msgid "Not a valid security context"
+ msgstr "বৈধ নিরাপত্তা সংক্রান্ত context নয়"
+ 
+-#: modules/pam_selinux/pam_selinux.c:539
++#: .././modules/pam_selinux/pam_selinux.c:539
+ #, c-format
+ msgid "Unable to get valid context for %s"
+ msgstr "%s-র বৈধ context প্রাপ্ত করতে ব্যর্থ"
+ 
+-#: modules/pam_selinux/pam_selinux.c:658
++#: .././modules/pam_selinux/pam_selinux.c:658
+ #, c-format
+ msgid "Security Context %s Assigned"
+ msgstr "Security Context %s ধার্য করা হয়েছে"
+ 
+-#: modules/pam_selinux/pam_selinux.c:674
++#: .././modules/pam_selinux/pam_selinux.c:674
+ #, c-format
+ msgid "Key Creation Context %s Assigned"
+ msgstr "কি নির্মাণের Context %s ধার্য করা হয়েছে"
+ 
+-#: modules/pam_selinux/pam_selinux_check.c:99
++#: .././modules/pam_selinux/pam_selinux_check.c:99
+ #, c-format
+ msgid "failed to initialize PAM\n"
+ msgstr "PAM আরম্ভ করতে ব্যর্থ\n"
+ 
+-#: modules/pam_selinux/pam_selinux_check.c:105
++#: .././modules/pam_selinux/pam_selinux_check.c:105
+ #, c-format
+ msgid "failed to pam_set_item()\n"
+ msgstr "pam_set_item() করতে ব্যর্থ\n"
+ 
+-#: modules/pam_selinux/pam_selinux_check.c:133
++#. error in fork()
++#: .././modules/pam_selinux/pam_selinux_check.c:133
+ #, c-format
+ msgid "login: failure forking: %m"
+ msgstr "লগ-ইন: fork করতে ব্যর্থ: %m"
+ 
+-#: modules/pam_stress/pam_stress.c:476
++#: .././modules/pam_stress/pam_stress.c:476
+ #, c-format
+ msgid "Changing STRESS password for %s."
+ msgstr "%s-র STRESS পাসওয়ার্ড পরিবর্তন করা হচ্ছে।"
+ 
+-#: modules/pam_stress/pam_stress.c:490
++#: .././modules/pam_stress/pam_stress.c:490
+ msgid "Enter new STRESS password: "
+ msgstr "নতুন STRESS পাসওয়ার্ড লিখুন: "
+ 
+-#: modules/pam_stress/pam_stress.c:493
++#: .././modules/pam_stress/pam_stress.c:493
+ msgid "Retype new STRESS password: "
+ msgstr "নতুন STRESS পাসওয়ার্ড পুনরায় লিখুন: "
+ 
+-#: modules/pam_stress/pam_stress.c:522
++#: .././modules/pam_stress/pam_stress.c:522
+ msgid "Verification mis-typed; password unchanged"
+ msgstr "নিশ্চায়ন কাল ভুল টাইপ করা হয়েছে; পাসওয়ার্ড পরিবর্তন করা হয়নি"
+ 
+-#: modules/pam_tally/pam_tally.c:541 modules/pam_tally2/pam_tally2.c:599
++#: .././modules/pam_tally/pam_tally.c:541
++#: .././modules/pam_tally2/pam_tally2.c:599
+ #, c-format
+ msgid "Account temporary locked (%ld seconds left)"
+ msgstr "সাময়িকরূপে অ্যাকাউন্ট লক করা হয়েছে (%ld সেকেন্ড অবশিষ্ট)"
+ 
+-#: modules/pam_tally/pam_tally.c:566 modules/pam_tally2/pam_tally2.c:578
++#: .././modules/pam_tally/pam_tally.c:566
++#: .././modules/pam_tally2/pam_tally2.c:578
+ #, c-format
+ msgid "Account locked due to %u failed logins"
+ msgstr "%u ব্যর্থ লগ-ইনের ফলে অ্যাকাউন্ট লক করা হয়েছে"
+ 
+-#: modules/pam_tally/pam_tally.c:777 modules/pam_tally2/pam_tally2.c:887
++#: .././modules/pam_tally/pam_tally.c:777
++#: .././modules/pam_tally2/pam_tally2.c:887
+ msgid "Authentication error"
+ msgstr "অনুমোদন সংক্রান্ত সমস্যা"
+ 
+-#: modules/pam_tally/pam_tally.c:778 modules/pam_tally2/pam_tally2.c:888
++#: .././modules/pam_tally/pam_tally.c:778
++#: .././modules/pam_tally2/pam_tally2.c:888
+ msgid "Service error"
+ msgstr "পরিসেবা সংক্রান্ত সমস্যা"
+ 
+-#: modules/pam_tally/pam_tally.c:779 modules/pam_tally2/pam_tally2.c:889
++#: .././modules/pam_tally/pam_tally.c:779
++#: .././modules/pam_tally2/pam_tally2.c:889
+ msgid "Unknown user"
+ msgstr "অজানা ব্যবহারকারী"
+ 
+-#: modules/pam_tally/pam_tally.c:780 modules/pam_tally2/pam_tally2.c:890
++#: .././modules/pam_tally/pam_tally.c:780
++#: .././modules/pam_tally2/pam_tally2.c:890
+ msgid "Unknown error"
+ msgstr "অজানা সমস্যা"
+ 
+-#: modules/pam_tally/pam_tally.c:796 modules/pam_tally2/pam_tally2.c:909
++#: .././modules/pam_tally/pam_tally.c:796
++#: .././modules/pam_tally2/pam_tally2.c:909
+ #, c-format
+ msgid "%s: Bad number given to --reset=\n"
+ msgstr "%s: --reset= এর জন্য ভুল সংখ্যা উল্লিখিত\n"
+ 
+-#: modules/pam_tally/pam_tally.c:800 modules/pam_tally2/pam_tally2.c:913
++#: .././modules/pam_tally/pam_tally.c:800
++#: .././modules/pam_tally2/pam_tally2.c:913
+ #, c-format
+ msgid "%s: Unrecognised option %s\n"
+ msgstr "%s: অজানা বিকল্প %s\n"
+ 
+-#: modules/pam_tally/pam_tally.c:812
++#: .././modules/pam_tally/pam_tally.c:812
+ #, c-format
+ msgid ""
+ "%s: [--file rooted-filename] [--user username] [--reset[=n]] [--quiet]\n"
+ msgstr ""
+ "%s: [--file rooted-filename] [--user username] [--reset[=n]] [--quiet]\n"
+ 
+-#: modules/pam_tally/pam_tally.c:886 modules/pam_tally2/pam_tally2.c:1039
++#: .././modules/pam_tally/pam_tally.c:886
++#: .././modules/pam_tally2/pam_tally2.c:1039
+ #, c-format
+ msgid "%s: Can't reset all users to non-zero\n"
+ msgstr "%s: সব ব্যবহারকারীর জন্য শূণ্য-ভিন্ন মান ধার্য করতে ব্যর্থ\n"
+ 
+-#: modules/pam_tally2/pam_tally2.c:940
++#: .././modules/pam_tally2/pam_tally2.c:940
+ #, c-format
+ msgid "Login           Failures Latest failure     From\n"
+ msgstr "লগ-ইন           বিফলতা সর্বশেষ বিফলতা     চিহ্নিত স্থান থেকে\n"
+ 
+-#: modules/pam_tally2/pam_tally2.c:956
++#: .././modules/pam_tally2/pam_tally2.c:956
+ #, c-format
+ msgid ""
+ "%s: [-f rooted-filename] [--file rooted-filename]\n"
+@@ -520,26 +551,31 @@
+ "   [-u username] [--user username]\n"
+ "   [-r] [--reset[=n]] [--quiet]\n"
+ 
+-#: modules/pam_timestamp/pam_timestamp.c:345
++#: .././modules/pam_timestamp/pam_timestamp.c:345
+ #, c-format
+ msgid "Access granted (last access was %ld seconds ago)."
+ msgstr "প্রবেশাধিকার প্রদান করা হয়েছে (%ld পূর্বে সর্বশেষ লগ-ইন করা হয়েছে)।"
+ 
+-#: modules/pam_unix/pam_unix_acct.c:247 modules/pam_unix/pam_unix_acct.c:269
++#: .././modules/pam_unix/pam_unix_acct.c:249
++#: .././modules/pam_unix/pam_unix_acct.c:271
+ msgid "Your account has expired; please contact your system administrator"
+ msgstr ""
+-"আপনার অ্যাকাউন্টের মেয়াদপূর্ণ হয়েছে; অনুগ্রহ করে সিস্টেম অ্যাডমিনিস্ট্রেটরের সাথে "
+-"যোগাযোগ করুন।"
++"আপনার অ্যাকাউন্টের মেয়াদপূর্ণ হয়েছে; অনুগ্রহ করে সিস্টেম অ্যাডমিনিস্ট্রেটরের "
++"সাথে যোগাযোগ করুন।"
+ 
+-#: modules/pam_unix/pam_unix_acct.c:255
++#: .././modules/pam_unix/pam_unix_acct.c:257
+ msgid "You are required to change your password immediately (root enforced)"
+-msgstr "আপনার পাসওয়ার্ড এই মুহূর্তে পরিবর্তন করা আবশ্যক (root দ্বারা কার্যকরী)"
++msgstr ""
++"আপনার পাসওয়ার্ড এই মুহূর্তে পরিবর্তন করা আবশ্যক (root দ্বারা কার্যকরী)"
+ 
+-#: modules/pam_unix/pam_unix_acct.c:261
++#: .././modules/pam_unix/pam_unix_acct.c:263
+ msgid "You are required to change your password immediately (password aged)"
+-msgstr "আপনার পাসওয়ার্ড এই মুহূর্তে পরিবর্তন করা আবশ্যক (password-র মেয়াদ পূর্ণ হয়েছে)"
++msgstr ""
++"আপনার পাসওয়ার্ড এই মুহূর্তে পরিবর্তন করা আবশ্যক (password-র মেয়াদ পূর্ণ "
++"হয়েছে)"
+ 
+-#: modules/pam_unix/pam_unix_acct.c:282 modules/pam_unix/pam_unix_acct.c:289
++#: .././modules/pam_unix/pam_unix_acct.c:284
++#: .././modules/pam_unix/pam_unix_acct.c:291
+ #, c-format
+ msgid "Warning: your password will expire in %d day"
+ msgid_plural "Warning: your password will expire in %d days"
+@@ -547,39 +583,37 @@
+ msgstr[1] "সতর্কবাণী: %d দিন পরে পাসওয়ার্ডের মেয়াদপূর্ণ হবে"
+ 
+ #. TRANSLATORS: only used if dngettext is not supported
+-#: modules/pam_unix/pam_unix_acct.c:294
++#: .././modules/pam_unix/pam_unix_acct.c:296
+ #, c-format
+ msgid "Warning: your password will expire in %d days"
+ msgstr "সতর্কবাণী: %d দিন পরে পাসওয়ার্ডের মেয়াদপূর্ণ হবে"
+ 
+-#: modules/pam_unix/pam_unix_passwd.c:398
++#: .././modules/pam_unix/pam_unix_passwd.c:404
+ msgid "NIS password could not be changed."
+ msgstr "NIS পাসওয়ার্ড পরিবর্তন করা সম্ভব হয়নি।"
+ 
+-#: modules/pam_unix/pam_unix_passwd.c:513
++#: .././modules/pam_unix/pam_unix_passwd.c:519
+ msgid "You must choose a longer password"
+ msgstr "চিহ্নিত পাসওয়ার্ডের থেকে লম্বা পাসওয়ার্ড উল্লেখ করা আবশ্যক"
+ 
+-#: modules/pam_unix/pam_unix_passwd.c:619
++#. instruct user what is happening
++#: .././modules/pam_unix/pam_unix_passwd.c:625
+ #, c-format
+ msgid "Changing password for %s."
+ msgstr "%s-র পাসওয়ার্ড পরিবর্তন করা হচ্ছে।"
+ 
+-#: modules/pam_unix/pam_unix_passwd.c:630
++#: .././modules/pam_unix/pam_unix_passwd.c:636
+ msgid "(current) UNIX password: "
+ msgstr "(বর্তমান) UNIX পাসওয়ার্ড: "
+ 
+-#: modules/pam_unix/pam_unix_passwd.c:665
++#: .././modules/pam_unix/pam_unix_passwd.c:671
+ msgid "You must wait longer to change your password"
+ msgstr "কিছু কাল পরে পাসওয়ার্ড পরিবর্তন করা সম্ভব হবে"
+ 
+-#: modules/pam_unix/pam_unix_passwd.c:725
++#: .././modules/pam_unix/pam_unix_passwd.c:731
+ msgid "Enter new UNIX password: "
+ msgstr "নতুন UNIX পাসওয়ার্ড উল্লেখ করুন: "
+ 
+-#: modules/pam_unix/pam_unix_passwd.c:726
++#: .././modules/pam_unix/pam_unix_passwd.c:732
+ msgid "Retype new UNIX password: "
+ msgstr "নতুন UNIX পাসওয়ার্ড পুনরায় লিখুন: "
+-
+-#~ msgid "Would you like to enter a security context? [N] "
+-#~ msgstr "নিরাপত্তা সংক্রান্ত context উল্লেখ করতে ইচ্ছুক কি? [N] "
+diff -up a/Linux-PAM-1.1.8/po/pt_BR.po.translations b/Linux-PAM-1.1.8/po/pt_BR.po
+--- a/Linux-PAM-1.1.8/po/pt_BR.po.translations	2013-09-19 10:02:24.000000000 +0200
++++ b/Linux-PAM-1.1.8/po/pt_BR.po	2017-09-08 14:14:24.857295156 +0200
+@@ -1,516 +1,546 @@
+ # SOME DESCRIPTIVE TITLE.
+ # Copyright (C) YEAR Linux-PAM Project
+ # This file is distributed under the same license as the PACKAGE package.
+-#
++# 
+ # Translators:
+ # Diego Búrigo Zacarão <diegobz@projetofedora.org>, 2008.
+ # Elder Marco <eldermarco@gmail.com>, 2012.
+ # Glaucia Cintra <gcintra@redhat.com>, 2007.
+ # Taylon Silmer <taylonsilva@gmail.com>, 2008, 2009.
++# gcintra <gcintra@redhat.com>, 2013. #zanata
+ msgid ""
+ msgstr ""
+ "Project-Id-Version: Linux-PAM\n"
+ "Report-Msgid-Bugs-To: http://sourceforge.net/projects/pam\n"
+-"POT-Creation-Date: 2013-09-19 10:02+0200\n"
+-"PO-Revision-Date: 2012-02-21 12:49+0000\n"
+-"Last-Translator: Elder Marco <eldermarco@gmail.com>\n"
++"POT-Creation-Date: 2012-08-17 11:35+0200\n"
++"PO-Revision-Date: 2013-09-30 08:32-0400\n"
++"Last-Translator: gcintra <gcintra@redhat.com>\n"
+ "Language-Team: Portuguese (Brazil) <trans-pt_br@lists.fedoraproject.org>\n"
+ "MIME-Version: 1.0\n"
+ "Content-Type: text/plain; charset=UTF-8\n"
+ "Content-Transfer-Encoding: 8bit\n"
+-"Language: pt_BR\n"
++"Language: pt-BR\n"
+ "Plural-Forms: nplurals=2; plural=(n > 1)\n"
++"X-Generator: Zanata 3.1.2\n"
+ 
+-#: libpam_misc/misc_conv.c:33
++#. * external timeout definitions - these can be overriden by the
++#. * application.
++#. time when we warn
++#. time when we timeout
++#: .././libpam_misc/misc_conv.c:33
+ msgid "...Time is running out...\n"
+ msgstr "...O tempo está acabando...\n"
+ 
+-#: libpam_misc/misc_conv.c:34
++#: .././libpam_misc/misc_conv.c:34
+ msgid "...Sorry, your time is up!\n"
+ msgstr "...Desculpe, seu tempo está aumentando!\n"
+ 
+-#: libpam_misc/misc_conv.c:342
++#: .././libpam_misc/misc_conv.c:342
+ #, c-format
+ msgid "erroneous conversation (%d)\n"
+ msgstr "conversação errônea (%d)\n"
+ 
+-#: libpam/pam_get_authtok.c:39 modules/pam_exec/pam_exec.c:170
+-#: modules/pam_unix/pam_unix_auth.c:160 modules/pam_userdb/pam_userdb.c:64
++#. get this user's authentication token
++#: .././libpam/pam_get_authtok.c:39
++#: .././modules/pam_exec/pam_exec.c:142
++#: .././modules/pam_unix/pam_unix_auth.c:160
++#: .././modules/pam_userdb/pam_userdb.c:64
+ msgid "Password: "
+ msgstr "Senha:"
+ 
+-#: libpam/pam_get_authtok.c:41 modules/pam_cracklib/pam_cracklib.c:68
++#. For Translators: "%s%s" could be replaced with "<service> " or "".
++#: .././libpam/pam_get_authtok.c:41
++#: .././modules/pam_cracklib/pam_cracklib.c:68
+ #, c-format
+ msgid "New %s%spassword: "
+ msgstr "Nova %s%ssenha:"
+ 
+-#: libpam/pam_get_authtok.c:43 modules/pam_cracklib/pam_cracklib.c:70
++#. For Translators: "%s%s" could be replaced with "<service> " or "".
++#: .././libpam/pam_get_authtok.c:43
++#: .././modules/pam_cracklib/pam_cracklib.c:70
+ #, c-format
+ msgid "Retype new %s%spassword: "
+ msgstr "Redigite a nova %s%ssenha:"
+ 
+-#: libpam/pam_get_authtok.c:44 modules/pam_cracklib/pam_cracklib.c:71
++#: .././libpam/pam_get_authtok.c:44
++#: .././modules/pam_cracklib/pam_cracklib.c:71
+ msgid "Sorry, passwords do not match."
+ msgstr "As senhas não são iguais."
+ 
+-#: libpam/pam_get_authtok.c:135 libpam/pam_get_authtok.c:211
++#: .././libpam/pam_get_authtok.c:135
++#: .././libpam/pam_get_authtok.c:211
+ #, c-format
+ msgid "Retype %s"
+ msgstr "Redigite %s"
+ 
+-#: libpam/pam_get_authtok.c:155 libpam/pam_get_authtok.c:227
++#. We want to abort the password change
++#: .././libpam/pam_get_authtok.c:155
++#: .././libpam/pam_get_authtok.c:227
+ msgid "Password change aborted."
+ msgstr "A alteração de senha foi abortada."
+ 
+-#: libpam/pam_item.c:311
++#: .././libpam/pam_item.c:311
+ msgid "login:"
+ msgstr "login:"
+ 
+-#: libpam/pam_strerror.c:40
++#: .././libpam/pam_strerror.c:40
+ msgid "Success"
+ msgstr "Sucesso"
+ 
+-#: libpam/pam_strerror.c:42
++#: .././libpam/pam_strerror.c:42
+ msgid "Critical error - immediate abort"
+ msgstr "Erro crítico - abortar imediatamente"
+ 
+-#: libpam/pam_strerror.c:44
++#: .././libpam/pam_strerror.c:44
+ msgid "Failed to load module"
+ msgstr "Falha ao carregar módulo"
+ 
+-#: libpam/pam_strerror.c:46
++#: .././libpam/pam_strerror.c:46
+ msgid "Symbol not found"
+ msgstr "Símbolo não encontrado"
+ 
+-#: libpam/pam_strerror.c:48
++#: .././libpam/pam_strerror.c:48
+ msgid "Error in service module"
+ msgstr "Erro no módulo de serviço"
+ 
+-#: libpam/pam_strerror.c:50
++#: .././libpam/pam_strerror.c:50
+ msgid "System error"
+ msgstr "Erro do sistema"
+ 
+-#: libpam/pam_strerror.c:52
++#: .././libpam/pam_strerror.c:52
+ msgid "Memory buffer error"
+ msgstr "Erro do buffer de memória"
+ 
+-#: libpam/pam_strerror.c:54
++#: .././libpam/pam_strerror.c:54
+ msgid "Permission denied"
+ msgstr "Permissão negada"
+ 
+-#: libpam/pam_strerror.c:56
++#: .././libpam/pam_strerror.c:56
+ msgid "Authentication failure"
+ msgstr "Falha de autenticação"
+ 
+-#: libpam/pam_strerror.c:58
++#: .././libpam/pam_strerror.c:58
+ msgid "Insufficient credentials to access authentication data"
+ msgstr "Credenciais insuficientes para acessar dados de autenticação"
+ 
+-#: libpam/pam_strerror.c:60
++#: .././libpam/pam_strerror.c:60
+ msgid "Authentication service cannot retrieve authentication info"
+ msgstr "O serviço de autenticação não recuperou informações de autenticação"
+ 
+-#: libpam/pam_strerror.c:62
++#: .././libpam/pam_strerror.c:62
+ msgid "User not known to the underlying authentication module"
+ msgstr "Usuário desconhecido para o módulo de autenticação subjacente"
+ 
+-#: libpam/pam_strerror.c:64
++#: .././libpam/pam_strerror.c:64
+ msgid "Have exhausted maximum number of retries for service"
+ msgstr "Esgotado o número máximo de tentativas para serviço"
+ 
+-#: libpam/pam_strerror.c:66
++#: .././libpam/pam_strerror.c:66
+ msgid "Authentication token is no longer valid; new one required"
+ msgstr "O token de autenticação não é mais válido; é necessario um novo token"
+ 
+-#: libpam/pam_strerror.c:68
++#: .././libpam/pam_strerror.c:68
+ msgid "User account has expired"
+ msgstr "A conta do usuário expirou"
+ 
+-#: libpam/pam_strerror.c:70
++#: .././libpam/pam_strerror.c:70
+ msgid "Cannot make/remove an entry for the specified session"
+ msgstr "Impossível fazer/remover uma entrada para a sessão específica"
+ 
+-#: libpam/pam_strerror.c:72
++#: .././libpam/pam_strerror.c:72
+ msgid "Authentication service cannot retrieve user credentials"
+ msgstr "O serviço de autenticação não recuperou as credenciais do usuário"
+ 
+-#: libpam/pam_strerror.c:74
++#: .././libpam/pam_strerror.c:74
+ msgid "User credentials expired"
+ msgstr "Credenciais do usuário expiradas"
+ 
+-#: libpam/pam_strerror.c:76
++#: .././libpam/pam_strerror.c:76
+ msgid "Failure setting user credentials"
+ msgstr "Falha ao definir credenciais do usuário"
+ 
+-#: libpam/pam_strerror.c:78
++#: .././libpam/pam_strerror.c:78
+ msgid "No module specific data is present"
+ msgstr "Não há nenhum dado específico para o módulo "
+ 
+-#: libpam/pam_strerror.c:80
++#: .././libpam/pam_strerror.c:80
+ msgid "Bad item passed to pam_*_item()"
+ msgstr "Ítem incorreto passado para pam_*_item()"
+ 
+-#: libpam/pam_strerror.c:82
++#: .././libpam/pam_strerror.c:82
+ msgid "Conversation error"
+ msgstr "Erro de conversação"
+ 
+-#: libpam/pam_strerror.c:84
++#: .././libpam/pam_strerror.c:84
+ msgid "Authentication token manipulation error"
+ msgstr "Erro de manipulação de token de autenticação"
+ 
+-#: libpam/pam_strerror.c:86
++#: .././libpam/pam_strerror.c:86
+ msgid "Authentication information cannot be recovered"
+ msgstr "Impossível recuperar informações de autenticação"
+ 
+-#: libpam/pam_strerror.c:88
++#: .././libpam/pam_strerror.c:88
+ msgid "Authentication token lock busy"
+ msgstr "Bloqueio de token de autenticação ocupado"
+ 
+-#: libpam/pam_strerror.c:90
++#: .././libpam/pam_strerror.c:90
+ msgid "Authentication token aging disabled"
+ msgstr "Validade do token de autenticação desabilitado"
+ 
+-#: libpam/pam_strerror.c:92
++#: .././libpam/pam_strerror.c:92
+ msgid "Failed preliminary check by password service"
+ msgstr "Falha na verificação preliminar por serviço de senha"
+ 
+-#: libpam/pam_strerror.c:94
++#: .././libpam/pam_strerror.c:94
+ msgid "The return value should be ignored by PAM dispatch"
+ msgstr "O valor de retorno deve ser ignorado pelo despacho PAM"
+ 
+-#: libpam/pam_strerror.c:96
++#: .././libpam/pam_strerror.c:96
+ msgid "Module is unknown"
+ msgstr "Módulo desconhecido"
+ 
+-#: libpam/pam_strerror.c:98
++#: .././libpam/pam_strerror.c:98
+ msgid "Authentication token expired"
+ msgstr "Token de autenticação expirado"
+ 
+-#: libpam/pam_strerror.c:100
++#: .././libpam/pam_strerror.c:100
+ msgid "Conversation is waiting for event"
+ msgstr "Conversação aguardando por evento"
+ 
+-#: libpam/pam_strerror.c:102
++#: .././libpam/pam_strerror.c:102
+ msgid "Application needs to call libpam again"
+ msgstr "O aplicativo precisa chamar libpam novamente"
+ 
+-#: libpam/pam_strerror.c:105
++#: .././libpam/pam_strerror.c:105
+ msgid "Unknown PAM error"
+ msgstr "Erro desconhecido no PAM"
+ 
+-#: modules/pam_cracklib/pam_cracklib.c:618
++#: .././modules/pam_cracklib/pam_cracklib.c:618
+ msgid "is the same as the old one"
+ msgstr "é igual à antiga senha"
+ 
+-#: modules/pam_cracklib/pam_cracklib.c:624
+-#: modules/pam_cracklib/pam_cracklib.c:628
+-#: modules/pam_cracklib/pam_cracklib.c:638
++#: .././modules/pam_cracklib/pam_cracklib.c:624
++#: .././modules/pam_cracklib/pam_cracklib.c:628
++#: .././modules/pam_cracklib/pam_cracklib.c:638
+ msgid "memory allocation error"
+ msgstr "Erro de alocação de memória"
+ 
+-#: modules/pam_cracklib/pam_cracklib.c:643
++#: .././modules/pam_cracklib/pam_cracklib.c:643
+ msgid "is a palindrome"
+ msgstr "é um palíndromo"
+ 
+-#: modules/pam_cracklib/pam_cracklib.c:646
++#: .././modules/pam_cracklib/pam_cracklib.c:646
+ msgid "case changes only"
+ msgstr "mudou apenas maiúsculas/minúsculas"
+ 
+-#: modules/pam_cracklib/pam_cracklib.c:649
++#: .././modules/pam_cracklib/pam_cracklib.c:649
+ msgid "is too similar to the old one"
+ msgstr "é muito semelhante à antiga"
+ 
+-#: modules/pam_cracklib/pam_cracklib.c:652
++#: .././modules/pam_cracklib/pam_cracklib.c:652
+ msgid "is too simple"
+ msgstr "é simples demais"
+ 
+-#: modules/pam_cracklib/pam_cracklib.c:655
++#: .././modules/pam_cracklib/pam_cracklib.c:655
+ msgid "is rotated"
+ msgstr "foi invertida"
+ 
+-#: modules/pam_cracklib/pam_cracklib.c:658
++#: .././modules/pam_cracklib/pam_cracklib.c:658
+ msgid "not enough character classes"
+ msgstr "classes de caractere insuficientes"
+ 
+-#: modules/pam_cracklib/pam_cracklib.c:661
++#: .././modules/pam_cracklib/pam_cracklib.c:661
+ msgid "contains too many same characters consecutively"
+ msgstr "contém muitos caracteres igual consecutivamente"
+ 
+-#: modules/pam_cracklib/pam_cracklib.c:664
+-#, fuzzy
++#: .././modules/pam_cracklib/pam_cracklib.c:664
+ msgid "contains too long of a monotonic character sequence"
+-msgstr "contém muitos caracteres igual consecutivamente"
++msgstr "contém uma sequência de caracteres monotônica muito longa"
+ 
+-#: modules/pam_cracklib/pam_cracklib.c:667
++#: .././modules/pam_cracklib/pam_cracklib.c:667
+ msgid "contains the user name in some form"
+ msgstr "contém o nome de usuário em algum formulário"
+ 
+-#: modules/pam_cracklib/pam_cracklib.c:701
+-#: modules/pam_unix/pam_unix_passwd.c:496
++#: .././modules/pam_cracklib/pam_cracklib.c:701
++#: .././modules/pam_unix/pam_unix_passwd.c:502
+ msgid "No password supplied"
+ msgstr "Nenhuma senha informada"
+ 
+-#: modules/pam_cracklib/pam_cracklib.c:701
+-#: modules/pam_unix/pam_unix_passwd.c:496
++#: .././modules/pam_cracklib/pam_cracklib.c:701
++#: .././modules/pam_unix/pam_unix_passwd.c:502
+ msgid "Password unchanged"
+ msgstr "Senha inalterada"
+ 
+-#: modules/pam_cracklib/pam_cracklib.c:721
+-#: modules/pam_cracklib/pam_cracklib.c:803
++#: .././modules/pam_cracklib/pam_cracklib.c:721
++#: .././modules/pam_cracklib/pam_cracklib.c:803
+ #, c-format
+ msgid "BAD PASSWORD: %s"
+ msgstr "SENHA INCORRETA: %s"
+ 
+-#: modules/pam_exec/pam_exec.c:273
++#: .././modules/pam_exec/pam_exec.c:215
+ #, c-format
+ msgid "%s failed: exit code %d"
+ msgstr "%s falhou: código de saída %d"
+ 
+-#: modules/pam_exec/pam_exec.c:282
++#: .././modules/pam_exec/pam_exec.c:224
+ #, c-format
+ msgid "%s failed: caught signal %d%s"
+ msgstr "%s falhou: detectou sinal %d%s"
+ 
+-#: modules/pam_exec/pam_exec.c:291
++#: .././modules/pam_exec/pam_exec.c:233
+ #, c-format
+ msgid "%s failed: unknown status 0x%x"
+ msgstr "%s falhou: status desconhecido 0x%x"
+ 
+ #. TRANSLATORS: "strftime options for date of last login"
+-#: modules/pam_lastlog/pam_lastlog.c:282 modules/pam_lastlog/pam_lastlog.c:496
++#: .././modules/pam_lastlog/pam_lastlog.c:282
++#: .././modules/pam_lastlog/pam_lastlog.c:496
+ msgid " %a %b %e %H:%M:%S %Z %Y"
+ msgstr "%a %b %e %H:%M:%S %Z %Y"
+ 
+ #. TRANSLATORS: " from <host>"
+-#: modules/pam_lastlog/pam_lastlog.c:291 modules/pam_lastlog/pam_lastlog.c:505
++#: .././modules/pam_lastlog/pam_lastlog.c:291
++#: .././modules/pam_lastlog/pam_lastlog.c:505
+ #, c-format
+ msgid " from %.*s"
+ msgstr "de %.*s"
+ 
+ #. TRANSLATORS: " on <terminal>"
+-#: modules/pam_lastlog/pam_lastlog.c:303 modules/pam_lastlog/pam_lastlog.c:517
++#: .././modules/pam_lastlog/pam_lastlog.c:303
++#: .././modules/pam_lastlog/pam_lastlog.c:517
+ #, c-format
+ msgid " on %.*s"
+ msgstr "em %.*s"
+ 
+ #. TRANSLATORS: "Last login: <date> from <host> on <terminal>"
+-#: modules/pam_lastlog/pam_lastlog.c:313
++#: .././modules/pam_lastlog/pam_lastlog.c:313
+ #, c-format
+ msgid "Last login:%s%s%s"
+ msgstr "Último login:%s%s%s"
+ 
+-#: modules/pam_lastlog/pam_lastlog.c:319
++#: .././modules/pam_lastlog/pam_lastlog.c:319
+ msgid "Welcome to your new account!"
+ msgstr "Bem-vindo à sua nova conta!"
+ 
+ #. TRANSLATORS: "Last failed login: <date> from <host> on <terminal>"
+-#: modules/pam_lastlog/pam_lastlog.c:527
++#: .././modules/pam_lastlog/pam_lastlog.c:527
+ #, c-format
+ msgid "Last failed login:%s%s%s"
+ msgstr "Falha no último login:%s%s%s"
+ 
+-#: modules/pam_lastlog/pam_lastlog.c:536 modules/pam_lastlog/pam_lastlog.c:543
++#: .././modules/pam_lastlog/pam_lastlog.c:536
++#: .././modules/pam_lastlog/pam_lastlog.c:543
+ #, c-format
+ msgid "There was %d failed login attempt since the last successful login."
+ msgid_plural ""
+ "There were %d failed login attempts since the last successful login."
+ msgstr[0] "Houve %d falhas de login desde o último login bem sucedido."
+-msgstr[1] "Houveram %d falhas de login desde o último login bem sucedido."
++msgstr[1] "Houve %d falhas de login desde o último login bem sucedido."
+ 
+ #. TRANSLATORS: only used if dngettext is not supported
+-#: modules/pam_lastlog/pam_lastlog.c:548
++#: .././modules/pam_lastlog/pam_lastlog.c:548
+ #, c-format
+ msgid "There were %d failed login attempts since the last successful login."
+-msgstr "Houveram %d falhas de login desde o último login bem sucedido."
++msgstr "Houve %d falhas de login desde o último login bem sucedido."
+ 
+-#: modules/pam_limits/pam_limits.c:1079
++#: .././modules/pam_limits/pam_limits.c:1079
+ #, c-format
+ msgid "Too many logins for '%s'."
+ msgstr "Há logins demais para '%s'."
+ 
+-#: modules/pam_mail/pam_mail.c:297
++#: .././modules/pam_mail/pam_mail.c:297
+ msgid "No mail."
+ msgstr "Não há mensagens."
+ 
+-#: modules/pam_mail/pam_mail.c:300
++#: .././modules/pam_mail/pam_mail.c:300
+ msgid "You have new mail."
+ msgstr "Há novas mensagens."
+ 
+-#: modules/pam_mail/pam_mail.c:303
++#: .././modules/pam_mail/pam_mail.c:303
+ msgid "You have old mail."
+ msgstr "Há mensagens antigas."
+ 
+-#: modules/pam_mail/pam_mail.c:307
++#: .././modules/pam_mail/pam_mail.c:307
+ msgid "You have mail."
+ msgstr "Há mensagens."
+ 
+-#: modules/pam_mail/pam_mail.c:314
++#: .././modules/pam_mail/pam_mail.c:314
+ #, c-format
+ msgid "You have no mail in folder %s."
+ msgstr "Não há mensagens na pasta %s."
+ 
+-#: modules/pam_mail/pam_mail.c:318
++#: .././modules/pam_mail/pam_mail.c:318
+ #, c-format
+ msgid "You have new mail in folder %s."
+ msgstr "Há novas mensagens na pasta %s."
+ 
+-#: modules/pam_mail/pam_mail.c:322
++#: .././modules/pam_mail/pam_mail.c:322
+ #, c-format
+ msgid "You have old mail in folder %s."
+ msgstr "Há mensagens antigas na pasta %s."
+ 
+-#: modules/pam_mail/pam_mail.c:327
++#: .././modules/pam_mail/pam_mail.c:327
+ #, c-format
+ msgid "You have mail in folder %s."
+ msgstr "Há mensagens na pasta %s."
+ 
+-#: modules/pam_mkhomedir/pam_mkhomedir.c:113
++#: .././modules/pam_mkhomedir/pam_mkhomedir.c:114
+ #, c-format
+ msgid "Creating directory '%s'."
+ msgstr "Criando o diretório '%s'."
+ 
+-#: modules/pam_mkhomedir/pam_mkhomedir.c:183
++#: .././modules/pam_mkhomedir/pam_mkhomedir.c:192
+ #, c-format
+ msgid "Unable to create and initialize directory '%s'."
+ msgstr "Impossível criar e inicializar o diretório \"%s\"."
+ 
+-#: modules/pam_pwhistory/pam_pwhistory.c:217
+-#: modules/pam_unix/pam_unix_passwd.c:517
++#: .././modules/pam_pwhistory/pam_pwhistory.c:384
++#: .././modules/pam_unix/pam_unix_passwd.c:523
+ msgid "Password has been already used. Choose another."
+ msgstr "A senha já foi usada. Escolha outra."
+ 
+-#: modules/pam_pwhistory/pam_pwhistory.c:224
+-#, fuzzy
++#: .././modules/pam_pwhistory/pam_pwhistory.c:391
+ msgid "Password has been already used."
+-msgstr "A senha já foi usada. Escolha outra."
++msgstr "A senha já foi usada."
+ 
+-#: modules/pam_selinux/pam_selinux.c:210
++#: .././modules/pam_selinux/pam_selinux.c:210
+ #, c-format
+ msgid "Default Security Context %s\n"
+ msgstr "Contexto de Segurança Padrão %s\n"
+ 
+-#: modules/pam_selinux/pam_selinux.c:214
++#: .././modules/pam_selinux/pam_selinux.c:214
+ msgid "Would you like to enter a different role or level?"
+ msgstr "Deseja digitar uma função ou nível diferente?"
+ 
+-#: modules/pam_selinux/pam_selinux.c:227
++#. Allow the user to enter role and level individually
++#: .././modules/pam_selinux/pam_selinux.c:227
+ msgid "role:"
+ msgstr "função:"
+ 
+-#: modules/pam_selinux/pam_selinux.c:230
++#: .././modules/pam_selinux/pam_selinux.c:230
+ #, c-format
+ msgid "No default type for role %s\n"
+ msgstr "Não existe tipo padrão para a função %s\n"
+ 
+-#: modules/pam_selinux/pam_selinux.c:262
++#: .././modules/pam_selinux/pam_selinux.c:262
+ msgid "level:"
+ msgstr "nível:"
+ 
+-#: modules/pam_selinux/pam_selinux.c:295
++#: .././modules/pam_selinux/pam_selinux.c:295
+ msgid "Not a valid security context"
+ msgstr "Não é um contexto de segurança válido"
+ 
+-#: modules/pam_selinux/pam_selinux.c:539
++#: .././modules/pam_selinux/pam_selinux.c:539
+ #, c-format
+ msgid "Unable to get valid context for %s"
+ msgstr "Impossível obter um contexto válido para %s"
+ 
+-#: modules/pam_selinux/pam_selinux.c:658
++#: .././modules/pam_selinux/pam_selinux.c:658
+ #, c-format
+ msgid "Security Context %s Assigned"
+ msgstr "Contexto de segurança %s atribuído"
+ 
+-#: modules/pam_selinux/pam_selinux.c:674
++#: .././modules/pam_selinux/pam_selinux.c:674
+ #, c-format
+ msgid "Key Creation Context %s Assigned"
+ msgstr "Contexto de criação de chave %s atribuído"
+ 
+-#: modules/pam_selinux/pam_selinux_check.c:99
++#: .././modules/pam_selinux/pam_selinux_check.c:99
+ #, c-format
+ msgid "failed to initialize PAM\n"
+ msgstr "falha ao inicializar PAM\n"
+ 
+-#: modules/pam_selinux/pam_selinux_check.c:105
++#: .././modules/pam_selinux/pam_selinux_check.c:105
+ #, c-format
+ msgid "failed to pam_set_item()\n"
+ msgstr "falha em pam_set_item()\n"
+ 
+-#: modules/pam_selinux/pam_selinux_check.c:133
++#. error in fork()
++#: .././modules/pam_selinux/pam_selinux_check.c:133
+ #, c-format
+ msgid "login: failure forking: %m"
+ msgstr "login: falha na bifurcação: %m"
+ 
+-#: modules/pam_stress/pam_stress.c:476
++#: .././modules/pam_stress/pam_stress.c:476
+ #, c-format
+ msgid "Changing STRESS password for %s."
+ msgstr "Mudando senha STRESS para %s."
+ 
+-#: modules/pam_stress/pam_stress.c:490
++#: .././modules/pam_stress/pam_stress.c:490
+ msgid "Enter new STRESS password: "
+ msgstr "Digite a nova senha STRESS:"
+ 
+-#: modules/pam_stress/pam_stress.c:493
++#: .././modules/pam_stress/pam_stress.c:493
+ msgid "Retype new STRESS password: "
+ msgstr "Digite novamente a nova senha STRESS:"
+ 
+-#: modules/pam_stress/pam_stress.c:522
++#: .././modules/pam_stress/pam_stress.c:522
+ msgid "Verification mis-typed; password unchanged"
+ msgstr "Verificação digitada incorretamente; senha inalterada"
+ 
+-#: modules/pam_tally/pam_tally.c:541 modules/pam_tally2/pam_tally2.c:599
++#: .././modules/pam_tally/pam_tally.c:541
++#: .././modules/pam_tally2/pam_tally2.c:599
+ #, c-format
+ msgid "Account temporary locked (%ld seconds left)"
+ msgstr "Conta temporariamente bloqueada (restam %ld segundos)"
+ 
+-#: modules/pam_tally/pam_tally.c:566 modules/pam_tally2/pam_tally2.c:578
++#: .././modules/pam_tally/pam_tally.c:566
++#: .././modules/pam_tally2/pam_tally2.c:578
+ #, c-format
+ msgid "Account locked due to %u failed logins"
+ msgstr "Conta bloqueada devido a %u falhas de login"
+ 
+-#: modules/pam_tally/pam_tally.c:777 modules/pam_tally2/pam_tally2.c:887
++#: .././modules/pam_tally/pam_tally.c:777
++#: .././modules/pam_tally2/pam_tally2.c:887
+ msgid "Authentication error"
+ msgstr "Erro de autenticação"
+ 
+-#: modules/pam_tally/pam_tally.c:778 modules/pam_tally2/pam_tally2.c:888
++#: .././modules/pam_tally/pam_tally.c:778
++#: .././modules/pam_tally2/pam_tally2.c:888
+ msgid "Service error"
+ msgstr "Erro de serviço"
+ 
+-#: modules/pam_tally/pam_tally.c:779 modules/pam_tally2/pam_tally2.c:889
++#: .././modules/pam_tally/pam_tally.c:779
++#: .././modules/pam_tally2/pam_tally2.c:889
+ msgid "Unknown user"
+ msgstr "Usuário desconhecido"
+ 
+-#: modules/pam_tally/pam_tally.c:780 modules/pam_tally2/pam_tally2.c:890
++#: .././modules/pam_tally/pam_tally.c:780
++#: .././modules/pam_tally2/pam_tally2.c:890
+ msgid "Unknown error"
+ msgstr "Erro desconhecido"
+ 
+-#: modules/pam_tally/pam_tally.c:796 modules/pam_tally2/pam_tally2.c:909
++#: .././modules/pam_tally/pam_tally.c:796
++#: .././modules/pam_tally2/pam_tally2.c:909
+ #, c-format
+ msgid "%s: Bad number given to --reset=\n"
+ msgstr "%s: Número insuficiente fornecido para --reset=\n"
+ 
+-#: modules/pam_tally/pam_tally.c:800 modules/pam_tally2/pam_tally2.c:913
++#: .././modules/pam_tally/pam_tally.c:800
++#: .././modules/pam_tally2/pam_tally2.c:913
+ #, c-format
+ msgid "%s: Unrecognised option %s\n"
+ msgstr "%s: Opção não reconhecida %s\n"
+ 
+-#: modules/pam_tally/pam_tally.c:812
++#: .././modules/pam_tally/pam_tally.c:812
+ #, c-format
+ msgid ""
+ "%s: [--file rooted-filename] [--user username] [--reset[=n]] [--quiet]\n"
+ msgstr ""
+ "%s: [--file rooted-filename] [--user username] [--reset[=n]] [--quiet]\n"
+ 
+-#: modules/pam_tally/pam_tally.c:886 modules/pam_tally2/pam_tally2.c:1039
++#: .././modules/pam_tally/pam_tally.c:886
++#: .././modules/pam_tally2/pam_tally2.c:1039
+ #, c-format
+ msgid "%s: Can't reset all users to non-zero\n"
+ msgstr "%s: Impossível redefinir todos os usuários para não-zero\n"
+ 
+-#: modules/pam_tally2/pam_tally2.c:940
++#: .././modules/pam_tally2/pam_tally2.c:940
+ #, c-format
+ msgid "Login           Failures Latest failure     From\n"
+ msgstr "Login           Falhas Último falha     De\n"
+ 
+-#: modules/pam_tally2/pam_tally2.c:956
++#: .././modules/pam_tally2/pam_tally2.c:956
+ #, c-format
+ msgid ""
+ "%s: [-f rooted-filename] [--file rooted-filename]\n"
+@@ -521,24 +551,26 @@
+ "   [-u username] [--user username]\n"
+ "   [-r] [--reset[=n]] [--quiet]\n"
+ 
+-#: modules/pam_timestamp/pam_timestamp.c:345
++#: .././modules/pam_timestamp/pam_timestamp.c:345
+ #, c-format
+ msgid "Access granted (last access was %ld seconds ago)."
+ msgstr "Acesso concedido (o último acesso foi a %ld segundos atrás)."
+ 
+-#: modules/pam_unix/pam_unix_acct.c:247 modules/pam_unix/pam_unix_acct.c:269
++#: .././modules/pam_unix/pam_unix_acct.c:249
++#: .././modules/pam_unix/pam_unix_acct.c:271
+ msgid "Your account has expired; please contact your system administrator"
+ msgstr "Sua conta expirou; entre em contato com o administrador do sistema"
+ 
+-#: modules/pam_unix/pam_unix_acct.c:255
++#: .././modules/pam_unix/pam_unix_acct.c:257
+ msgid "You are required to change your password immediately (root enforced)"
+ msgstr "Mude sua senha imediatamente (aplicado pela raiz)"
+ 
+-#: modules/pam_unix/pam_unix_acct.c:261
++#: .././modules/pam_unix/pam_unix_acct.c:263
+ msgid "You are required to change your password immediately (password aged)"
+ msgstr "Mude sua senha imediatamente (senha expirada)"
+ 
+-#: modules/pam_unix/pam_unix_acct.c:282 modules/pam_unix/pam_unix_acct.c:289
++#: .././modules/pam_unix/pam_unix_acct.c:284
++#: .././modules/pam_unix/pam_unix_acct.c:291
+ #, c-format
+ msgid "Warning: your password will expire in %d day"
+ msgid_plural "Warning: your password will expire in %d days"
+@@ -546,39 +578,37 @@
+ msgstr[1] "Aviso: sua senha irá expirar em %d dias"
+ 
+ #. TRANSLATORS: only used if dngettext is not supported
+-#: modules/pam_unix/pam_unix_acct.c:294
++#: .././modules/pam_unix/pam_unix_acct.c:296
+ #, c-format
+ msgid "Warning: your password will expire in %d days"
+ msgstr "Aviso: sua senha irá expirar em %d dias"
+ 
+-#: modules/pam_unix/pam_unix_passwd.c:398
++#: .././modules/pam_unix/pam_unix_passwd.c:404
+ msgid "NIS password could not be changed."
+ msgstr "A senha NIS não pôde ser mudada."
+ 
+-#: modules/pam_unix/pam_unix_passwd.c:513
++#: .././modules/pam_unix/pam_unix_passwd.c:519
+ msgid "You must choose a longer password"
+ msgstr "Escolha uma senha mais longa"
+ 
+-#: modules/pam_unix/pam_unix_passwd.c:619
++#. instruct user what is happening
++#: .././modules/pam_unix/pam_unix_passwd.c:625
+ #, c-format
+ msgid "Changing password for %s."
+ msgstr "Mudando senha para %s."
+ 
+-#: modules/pam_unix/pam_unix_passwd.c:630
++#: .././modules/pam_unix/pam_unix_passwd.c:636
+ msgid "(current) UNIX password: "
+ msgstr "Senha UNIX (atual):"
+ 
+-#: modules/pam_unix/pam_unix_passwd.c:665
++#: .././modules/pam_unix/pam_unix_passwd.c:671
+ msgid "You must wait longer to change your password"
+ msgstr "Aguarde mais tempo para mudar a senha"
+ 
+-#: modules/pam_unix/pam_unix_passwd.c:725
++#: .././modules/pam_unix/pam_unix_passwd.c:731
+ msgid "Enter new UNIX password: "
+ msgstr "Digite a nova senha UNIX:"
+ 
+-#: modules/pam_unix/pam_unix_passwd.c:726
++#: .././modules/pam_unix/pam_unix_passwd.c:732
+ msgid "Retype new UNIX password: "
+ msgstr "Redigite a nova senha UNIX:"
+-
+-#~ msgid "Would you like to enter a security context? [N] "
+-#~ msgstr "Deseja digitar um contexto de segurança? [N]"
diff --git a/SOURCES/pam-1.1.8-tty-audit-uid-range.patch b/SOURCES/pam-1.1.8-tty-audit-uid-range.patch
new file mode 100644
index 0000000..4d5f63f
--- /dev/null
+++ b/SOURCES/pam-1.1.8-tty-audit-uid-range.patch
@@ -0,0 +1,167 @@
+diff -up Linux-PAM-1.1.8/modules/pam_tty_audit/pam_tty_audit.c.uid-range Linux-PAM-1.1.8/modules/pam_tty_audit/pam_tty_audit.c
+--- Linux-PAM-1.1.8/modules/pam_tty_audit/pam_tty_audit.c.uid-range	2017-09-08 14:46:58.869496414 +0200
++++ Linux-PAM-1.1.8/modules/pam_tty_audit/pam_tty_audit.c	2017-10-09 17:42:13.947599041 +0200
+@@ -198,6 +198,54 @@ cleanup_old_status (pam_handle_t *pamh,
+   free (data);
+ }
+ 
++enum uid_range { UID_RANGE_NONE, UID_RANGE_MM, UID_RANGE_MIN,
++    UID_RANGE_ONE, UID_RANGE_ERR };
++
++static enum uid_range
++parse_uid_range(pam_handle_t *pamh, const char *s,
++                uid_t *min_uid, uid_t *max_uid)
++{
++    const char *range = s;
++    const char *pmax;
++    char *endptr;
++    enum uid_range rv = UID_RANGE_MM;
++
++    if ((pmax=strchr(range, ':')) == NULL)
++        return UID_RANGE_NONE;
++    ++pmax;
++
++    if (range[0] == ':')
++        rv = UID_RANGE_ONE;
++    else {
++            errno = 0;
++            *min_uid = strtoul (range, &endptr, 10);
++            if (errno != 0 || (range == endptr) || *endptr != ':') {
++                pam_syslog(pamh, LOG_DEBUG,
++                           "wrong min_uid value in '%s'", s);
++                return UID_RANGE_ERR;
++            }
++    }
++
++    if (*pmax == '\0') {
++        if (rv == UID_RANGE_ONE)
++            return UID_RANGE_ERR;
++
++        return UID_RANGE_MIN;
++    }
++
++    errno = 0;
++    *max_uid = strtoul (pmax, &endptr, 10);
++    if (errno != 0 || (pmax == endptr) || *endptr != '\0') {
++        pam_syslog(pamh, LOG_DEBUG,
++                   "wrong max_uid value in '%s'", s);
++        return UID_RANGE_ERR;
++    }
++
++    if (rv == UID_RANGE_ONE)
++        *min_uid = *max_uid;
++    return rv;
++}
++
+ int
+ pam_sm_open_session (pam_handle_t *pamh, int flags, int argc, const char **argv)
+ {
+@@ -207,6 +255,7 @@ pam_sm_open_session (pam_handle_t *pamh,
+   struct audit_tty_status *old_status, new_status;
+   const char *user;
+   int i, fd, open_only;
++  struct passwd *pwd;
+ #ifdef HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD
+   int log_passwd;
+ #endif /* HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD */
+@@ -219,6 +268,14 @@ pam_sm_open_session (pam_handle_t *pamh,
+       return PAM_SESSION_ERR;
+     }
+ 
++  pwd = pam_modutil_getpwnam(pamh, user);
++  if (pwd == NULL)
++    {
++      pam_syslog(pamh, LOG_WARNING,
++                 "open_session unknown user '%s'", user);
++      return PAM_SESSION_ERR;
++    }
++
+   command = CMD_NONE;
+   open_only = 0;
+ #ifdef HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD
+@@ -236,13 +293,31 @@ pam_sm_open_session (pam_handle_t *pamh,
+ 	  copy = strdup (strchr (argv[i], '=') + 1);
+ 	  if (copy == NULL)
+ 	    return PAM_SESSION_ERR;
+-	  for (tok = strtok_r (copy, ",", &tok_data); tok != NULL;
++	  for (tok = strtok_r (copy, ",", &tok_data);
++	       tok != NULL && command != this_command;
+ 	       tok = strtok_r (NULL, ",", &tok_data))
+ 	    {
+-	      if (fnmatch (tok, user, 0) == 0)
++	      uid_t min_uid = 0, max_uid = 0;
++	      switch (parse_uid_range(pamh, tok, &min_uid, &max_uid))
+ 		{
+-		  command = this_command;
+-		  break;
++		case UID_RANGE_NONE:
++		    if (fnmatch (tok, user, 0) == 0)
++			command = this_command;
++		    break;
++		case UID_RANGE_MM:
++		    if (pwd->pw_uid >= min_uid && pwd->pw_uid <= max_uid)
++			command = this_command;
++		    break;
++		case UID_RANGE_MIN:
++		    if (pwd->pw_uid >= min_uid)
++			command = this_command;
++		    break;
++		case UID_RANGE_ONE:
++		    if (pwd->pw_uid == max_uid)
++			command = this_command;
++		    break;
++		case UID_RANGE_ERR:
++		    break;
+ 		}
+ 	    }
+ 	  free (copy);
+diff -up Linux-PAM-1.1.8/modules/pam_tty_audit/pam_tty_audit.8.xml.uid-range Linux-PAM-1.1.8/modules/pam_tty_audit/pam_tty_audit.8.xml
+--- Linux-PAM-1.1.8/modules/pam_tty_audit/pam_tty_audit.8.xml.uid-range	2013-08-28 10:53:40.000000000 +0200
++++ Linux-PAM-1.1.8/modules/pam_tty_audit/pam_tty_audit.8.xml	2017-09-08 14:46:58.895497022 +0200
+@@ -44,10 +44,10 @@
+         </term>
+         <listitem>
+           <para>
+-	    For each user matching one of comma-separated glob
+-	    <option><replaceable>patterns</replaceable></option>, disable
+-	    TTY auditing.  This overrides any previous <option>enable</option>
+-	    option matching the same user name on the command line.
++	    For each user matching <option><replaceable>patterns</replaceable></option>,
++	    disable TTY auditing.  This overrides any previous <option>enable</option>
++	    option matching the same user name on the command line. See NOTES
++	    for further description of <option><replaceable>patterns</replaceable></option>.
+           </para>
+         </listitem>
+       </varlistentry>
+@@ -57,10 +57,10 @@
+         </term>
+         <listitem>
+           <para>
+-	    For each user matching one of comma-separated glob
+-	    <option><replaceable>patterns</replaceable></option>, enable
+-	    TTY auditing.  This overrides any previous <option>disable</option>
+-	    option matching the same user name on the command line.
++	    For each user matching <option><replaceable>patterns</replaceable></option>,
++	    enable TTY auditing.  This overrides any previous <option>disable</option>
++	    option matching the same user name on the command line. See NOTES
++	    for further description of <option><replaceable>patterns</replaceable></option>.
+           </para>
+         </listitem>
+       </varlistentry>
+@@ -139,6 +139,16 @@
+       To view the data that was logged by the kernel to audit use
+       the command <command>aureport --tty</command>.
+     </para>
++    <para>
++      The <option><replaceable>patterns</replaceable></option> are comma separated
++      lists of glob patterns or ranges of uids. A range is specified as
++      <replaceable>min_uid</replaceable>:<replaceable>max_uid</replaceable> where
++      one of these values can be empty. If <replaceable>min_uid</replaceable> is
++      empty only user with the uid <replaceable>max_uid</replaceable> will be
++      matched. If <replaceable>max_uid</replaceable> is empty users with the uid
++      greater than or equal to <replaceable>min_uid</replaceable> will be
++      matched.
++    </para>
+   </refsect1>
+ 
+   <refsect1 id='pam_tty_audit-examples'>
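Review bot: In the added parse_uid_range(), the strtoul() result is stored straight into a uid_t (`*min_uid = strtoul (range, &endptr, 10);` and the matching `*max_uid` line), so where uid_t is narrower than unsigned long an oversized number is silently truncated instead of rejected. A token such as `4294967296:` in an enable= or disable= list would then presumably parse as min_uid 0 and match every account, changing who is TTY-audited. Parsing into a local `unsigned long v` and adding `|| v != (unsigned long)(uid_t)v` to both error checks would reject such values; strtoul() also accepts a leading sign, so `-1:` deserves the same treatment. Separately, UID_RANGE_ERR is logged only at LOG_DEBUG and then ignored in the switch, so a mistyped range in enable= leaves auditing off with no visible warning; LOG_WARNING would make that noticeable.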
diff --git a/SOURCES/pam-1.1.8-unix-expiry.patch b/SOURCES/pam-1.1.8-unix-expiry.patch
new file mode 100644
index 0000000..7e0e9f0
--- /dev/null
+++ b/SOURCES/pam-1.1.8-unix-expiry.patch
@@ -0,0 +1,134 @@
+diff -up Linux-PAM-1.1.8/modules/pam_unix/pam_unix_acct.c.expiry Linux-PAM-1.1.8/modules/pam_unix/pam_unix_acct.c
+--- Linux-PAM-1.1.8/modules/pam_unix/pam_unix_acct.c.expiry	2016-03-03 09:58:52.677684261 +0100
++++ Linux-PAM-1.1.8/modules/pam_unix/pam_unix_acct.c	2016-03-03 09:58:52.712685101 +0100
+@@ -244,6 +244,19 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int
+ 	} else
+ 		retval = check_shadow_expiry(pamh, spent, &daysleft);
+ 
++	if (on(UNIX_NO_PASS_EXPIRY, ctrl)) {
++		const void *pretval = NULL;
++		int authrv = PAM_AUTHINFO_UNAVAIL; /* authentication not called */
++
++		if (pam_get_data(pamh, "unix_setcred_return", &pretval) == PAM_SUCCESS
++			&& pretval)
++			authrv = *(const int *)pretval;
++
++		if (authrv != PAM_SUCCESS
++			&& (retval == PAM_NEW_AUTHTOK_REQD || retval == PAM_AUTHTOK_EXPIRED))
++			retval = PAM_SUCCESS;
++	}
++
+ 	switch (retval) {
+ 	case PAM_ACCT_EXPIRED:
+ 		pam_syslog(pamh, LOG_NOTICE,
+diff -up Linux-PAM-1.1.8/modules/pam_unix/pam_unix_auth.c.expiry Linux-PAM-1.1.8/modules/pam_unix/pam_unix_auth.c
+--- Linux-PAM-1.1.8/modules/pam_unix/pam_unix_auth.c.expiry	2013-06-18 16:11:21.000000000 +0200
++++ Linux-PAM-1.1.8/modules/pam_unix/pam_unix_auth.c	2016-03-03 09:58:52.712685101 +0100
+@@ -82,14 +82,13 @@
+ 
+ #define AUTH_RETURN						\
+ do {								\
+-	if (on(UNIX_LIKE_AUTH, ctrl) && ret_data) {		\
++	if (ret_data) {						\
+ 		D(("recording return code for next time [%d]",	\
+ 					retval));		\
+ 		*ret_data = retval;				\
+ 		pam_set_data(pamh, "unix_setcred_return",	\
+ 		             (void *) ret_data, setcred_free);	\
+-	} else if (ret_data)					\
+-	  free (ret_data);                                      \
++	}							\
+ 	D(("done. [%s]", pam_strerror(pamh, retval)));		\
+ 	return retval;						\
+ } while (0)
+@@ -115,9 +114,8 @@ pam_sm_authenticate(pam_handle_t *pamh,
+ 	ctrl = _set_ctrl(pamh, flags, NULL, NULL, NULL, argc, argv);
+ 
+ 	/* Get a few bytes so we can pass our return value to
+-	   pam_sm_setcred(). */
+-	if (on(UNIX_LIKE_AUTH, ctrl))
+-		ret_data = malloc(sizeof(int));
++	   pam_sm_setcred() and pam_sm_acct_mgmt(). */
++	ret_data = malloc(sizeof(int));
+ 
+ 	/* get the user'name' */
+ 
+@@ -194,20 +192,24 @@ pam_sm_authenticate(pam_handle_t *pamh,
+  */
+ 
+ int
+-pam_sm_setcred (pam_handle_t *pamh, int flags UNUSED,
+-		int argc UNUSED, const char **argv UNUSED)
++pam_sm_setcred (pam_handle_t *pamh, int flags,
++		int argc, const char **argv)
+ {
+ 	int retval;
+ 	const void *pretval = NULL;
++	unsigned int ctrl;
+ 
+ 	D(("called."));
+ 
++	ctrl = _set_ctrl(pamh, flags, NULL, NULL, NULL, argc, argv);
++
+ 	retval = PAM_SUCCESS;
+ 
+ 	D(("recovering return code from auth call"));
+ 	/* We will only find something here if UNIX_LIKE_AUTH is set --
+ 	   don't worry about an explicit check of argv. */
+-	if (pam_get_data(pamh, "unix_setcred_return", &pretval) == PAM_SUCCESS
++	if (on(UNIX_LIKE_AUTH, ctrl)
++	    && pam_get_data(pamh, "unix_setcred_return", &pretval) == PAM_SUCCESS
+ 	    && pretval) {
+ 	        retval = *(const int *)pretval;
+ 		pam_set_data(pamh, "unix_setcred_return", NULL, NULL);
+diff -up Linux-PAM-1.1.8/modules/pam_unix/pam_unix.8.xml.expiry Linux-PAM-1.1.8/modules/pam_unix/pam_unix.8.xml
+--- Linux-PAM-1.1.8/modules/pam_unix/pam_unix.8.xml.expiry	2016-03-03 09:58:52.710685053 +0100
++++ Linux-PAM-1.1.8/modules/pam_unix/pam_unix.8.xml	2016-03-03 09:58:52.712685101 +0100
+@@ -346,6 +346,25 @@
+           </para>
+         </listitem>
+       </varlistentry>
++      <varlistentry>
++        <term>
++          <option>no_pass_expiry</option>
++        </term>
++        <listitem>
++          <para>
++            When set ignore password expiration as defined by the
++            <emphasis>shadow</emphasis> entry of the user. The option has an
++            effect only in case <emphasis>pam_unix</emphasis> was not used
++            for the authentication or it returned authentication failure
++            meaning that other authentication source or method succeeded.
++            The example can be public key authentication in
++            <emphasis>sshd</emphasis>. The module will return
++            <emphasis remap='B'>PAM_SUCCESS</emphasis> instead of eventual
++            <emphasis remap='B'>PAM_NEW_AUTHTOK_REQD</emphasis> or
++            <emphasis remap='B'>PAM_AUTHTOK_EXPIRED</emphasis>.
++          </para>
++        </listitem>
++      </varlistentry>
+     </variablelist>
+     <para>
+       Invalid arguments are logged with  <citerefentry>
+diff -up Linux-PAM-1.1.8/modules/pam_unix/support.h.expiry Linux-PAM-1.1.8/modules/pam_unix/support.h
+--- Linux-PAM-1.1.8/modules/pam_unix/support.h.expiry	2016-03-03 09:58:52.712685101 +0100
++++ Linux-PAM-1.1.8/modules/pam_unix/support.h	2016-03-03 10:00:31.642061166 +0100
+@@ -97,8 +97,9 @@ typedef struct {
+ 					   password hash algorithms */
+ #define UNIX_BLOWFISH_PASS       26	/* new password hashes will use blowfish */
+ #define UNIX_MIN_PASS_LEN        27	/* min length for password */
++#define UNIX_NO_PASS_EXPIRY      28     /* Don't check for password expiration if not used for authentication */
+ /* -------------- */
+-#define UNIX_CTRLS_              28	/* number of ctrl arguments defined */
++#define UNIX_CTRLS_              29	/* number of ctrl arguments defined */
+ 
+ #define UNIX_DES_CRYPT(ctrl)	(off(UNIX_MD5_PASS,ctrl)&&off(UNIX_BIGCRYPT,ctrl)&&off(UNIX_SHA256_PASS,ctrl)&&off(UNIX_SHA512_PASS,ctrl)&&off(UNIX_BLOWFISH_PASS,ctrl))
+ 
+@@ -135,6 +136,7 @@ static const UNIX_Ctrls unix_args[UNIX_C
+ /* UNIX_ALGO_ROUNDS */     {"rounds=",         _ALL_ON_,          0100000000, 0},
+ /* UNIX_BLOWFISH_PASS */   {"blowfish",    _ALL_ON_^(0260420000), 0200000000, 1},
+ /* UNIX_MIN_PASS_LEN */    {"minlen=",		_ALL_ON_,         0400000000, 0},
++/* UNIX_NO_PASS_EXPIRY */  {"no_pass_expiry",  _ALL_ON_,         02000000000, 0},
+ };
+ 
+ #define UNIX_DEFAULTS  (unix_args[UNIX__NONULL].flag)
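Review bot: The new no_pass_expiry block in pam_sm_acct_mgmt() treats a missing "unix_setcred_return" item as "authentication not called" and then turns PAM_NEW_AUTHTOK_REQD / PAM_AUTHTOK_EXPIRED into PAM_SUCCESS, so every path that loses the item fails open on password expiry. One such path is visible in the patch: `ret_data = malloc(sizeof(int));` is unchecked and AUTH_RETURN skips recording when it is NULL. Another may be pam_sm_setcred() clearing the item under likeauth, if an application calls it before account management. I would log the override so the bypass shows up in the logs, e.g. `pam_syslog(pamh, LOG_INFO, "password expiry ignored, pam_unix did not authenticate the user");`. The comment in pam_sm_setcred() ("We will only find something here if UNIX_LIKE_AUTH is set") is now stale and should say that the return code is always recorded and only replayed under likeauth; the function bodies continue outside the inner hunks.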
diff --git a/SOURCES/pamtmp.conf b/SOURCES/pamtmp.conf
new file mode 100644
index 0000000..61f4c3e
--- /dev/null
+++ b/SOURCES/pamtmp.conf
@@ -0,0 +1,3 @@
+d /var/run/console 0755 root root -
+d /var/run/faillock 0755 root root -
+d /var/run/sepermit 0755 root root -
diff --git a/SOURCES/password-auth.pamd b/SOURCES/password-auth.pamd
new file mode 100644
index 0000000..2e01bf9
--- /dev/null
+++ b/SOURCES/password-auth.pamd
@@ -0,0 +1,18 @@
+#%PAM-1.0
+# This file is auto-generated.
+# User changes will be destroyed the next time authconfig is run.
+auth        required      pam_env.so
+auth        sufficient    pam_unix.so try_first_pass nullok
+auth        required      pam_deny.so
+
+account     required      pam_unix.so
+
+password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
+password    sufficient    pam_unix.so try_first_pass use_authtok nullok sha512 shadow
+password    required      pam_deny.so
+
+session     optional      pam_keyinit.so revoke
+session     required      pam_limits.so
+-session     optional      pam_systemd.so
+session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+session     required      pam_unix.so
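Review bot: The `auth sufficient pam_unix.so try_first_pass nullok` line lets an account whose password field is empty authenticate without a password through every service that includes this stack. If that is not meant to be the shipped default, drop the option from the auth line: `auth        sufficient    pam_unix.so try_first_pass`. The stack also has no pam_faillock entry, so no lockout after repeated failures is configured by default; a comment in the file pointing administrators to that module would help. SOURCES/system-auth.pamd appears to be the same stack (same blob 2e01bf9), so the same points apply there.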
diff --git a/SOURCES/postlogin.5 b/SOURCES/postlogin.5
new file mode 100644
index 0000000..3a8abcf
--- /dev/null
+++ b/SOURCES/postlogin.5
@@ -0,0 +1,46 @@
+.TH POSTLOGIN 5 "2010 Dec 22" "Red Hat" "Linux-PAM Manual"
+.SH NAME
+
+postlogin \- Common configuration file for PAMified services
+
+.SH SYNOPSIS
+.B /etc/pam.d/postlogin
+.sp 2
+.SH DESCRIPTION
+
+The purpose of this PAM configuration file is to provide a common
+place for all PAM modules which should be called after the stack
+configured in
+.BR system-auth
+or the other common PAM configuration files.
+
+.sp
+The
+.BR postlogin
+configuration file is included from all individual service configuration
+files that provide login service with shell or file access.
+
+.SH NOTES
+The modules in the postlogin configuration file are executed regardless
+of the success or failure of the modules in the
+.BR system-auth
+configuration file.
+
+.SH BUGS
+.sp 2
+Sometimes it would be useful to be able to skip the postlogin modules in
+case the substack of the
+.BR system-auth
+modules failed. Unfortunately the current Linux-PAM library does not
+provide any way how to achieve this.
+
+.SH "SEE ALSO"
+pam(8), config-util(5), system-auth(5)
+
+The three
+.BR Linux-PAM
+Guides, for
+.BR "system administrators" ", "
+.BR "module developers" ", "
+and
+.BR "application developers" ". "
diff --git a/SOURCES/postlogin.pamd b/SOURCES/postlogin.pamd
new file mode 100644
index 0000000..e036f4e
--- /dev/null
+++ b/SOURCES/postlogin.pamd
@@ -0,0 +1,7 @@
+#%PAM-1.0
+# This file is auto-generated.
+# User changes will be destroyed the next time authconfig is run.
+
+session     [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
+session     [default=1]   pam_lastlog.so nowtmp showfailed
+session     optional      pam_lastlog.so silent noupdate showfailed
diff --git a/SOURCES/smartcard-auth.pamd b/SOURCES/smartcard-auth.pamd
new file mode 100644
index 0000000..e5b57e3
--- /dev/null
+++ b/SOURCES/smartcard-auth.pamd
@@ -0,0 +1,19 @@
+#%PAM-1.0
+# This file is auto-generated.
+# User changes will be destroyed the next time authconfig is run.
+auth        required      pam_env.so
+auth        [success=done ignore=ignore default=die] pam_pkcs11.so wait_for_card
+auth        required      pam_deny.so
+
+account     required      pam_unix.so
+account     sufficient    pam_localuser.so
+account     sufficient    pam_succeed_if.so uid < 500 quiet
+account     required      pam_permit.so
+
+password    optional      pam_pkcs11.so
+
+session     optional      pam_keyinit.so revoke
+session     required      pam_limits.so
+-session     optional      pam_systemd.so
+session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+session     required      pam_unix.so
diff --git a/SOURCES/system-auth.5 b/SOURCES/system-auth.5
new file mode 100644
index 0000000..c0ca80b
--- /dev/null
+++ b/SOURCES/system-auth.5
@@ -0,0 +1,58 @@
+.TH SYSTEM-AUTH 5 "2010 Dec 22" "Red Hat" "Linux-PAM Manual"
+.SH NAME
+
+system-auth \- Common configuration file for PAMified services
+
+.SH SYNOPSIS
+.B /etc/pam.d/system-auth
+.B /etc/pam.d/password-auth
+.B /etc/pam.d/fingerprint-auth
+.B /etc/pam.d/smartcard-auth
+.sp 2
+.SH DESCRIPTION
+
+The purpose of these configuration files are to provide a common
+interface for all applications and service daemons calling into
+the PAM library.
+
+.sp
+The
+.BR system-auth
+configuration file is included from nearly all individual service configuration
+files with the help of the
+.BR substack
+directive.
+
+.sp
+The
+.BR password-auth
+.BR fingerprint-auth
+.BR smartcard-auth
+configuration files are for applications which handle authentication from
+different types of devices via simultaneously running individual conversations
+instead of one aggregate conversation.
+
+.SH NOTES
+Previously these common configuration files were included with the help
+of the
+.BR include
+directive. This limited the use of the different action types of modules.
+With the use of
+.BR substack
+directive to include these common configuration files this limitation
+no longer applies.
+
+.SH BUGS
+.sp 2
+None known.
+
+.SH "SEE ALSO"
+pam(8), config-util(5), postlogin(5)
+
+The three
+.BR Linux-PAM
+Guides, for
+.BR "system administrators" ", "
+.BR "module developers" ", "
+and
+.BR "application developers" ". "
diff --git a/SOURCES/system-auth.pamd b/SOURCES/system-auth.pamd
new file mode 100644
index 0000000..2e01bf9
--- /dev/null
+++ b/SOURCES/system-auth.pamd
@@ -0,0 +1,18 @@
+#%PAM-1.0
+# This file is auto-generated.
+# User changes will be destroyed the next time authconfig is run.
+auth        required      pam_env.so
+auth        sufficient    pam_unix.so try_first_pass nullok
+auth        required      pam_deny.so
+
+account     required      pam_unix.so
+
+password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
+password    sufficient    pam_unix.so try_first_pass use_authtok nullok sha512 shadow
+password    required      pam_deny.so
+
+session     optional      pam_keyinit.so revoke
+session     required      pam_limits.so
+-session     optional      pam_systemd.so
+session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+session     required      pam_unix.so
diff --git a/SPECS/pam.spec b/SPECS/pam.spec
new file mode 100644
index 0000000..0faa1d3
--- /dev/null
+++ b/SPECS/pam.spec
@@ -0,0 +1,2118 @@
+%define pam_redhat_version 0.99.11
+
+Summary: An extensible library which provides authentication for applications
+Name: pam
+Version: 1.1.8
+Release: 22%{?dist}
+# The library is BSD licensed with option to relicense as GPLv2+
+# - this option is redundant as the BSD license allows that anyway.
+# pam_timestamp, pam_loginuid, and pam_console modules are GPLv2+.
+License: BSD and GPLv2+
+Group: System Environment/Base
+Source0: http://www.linux-pam.org/library/Linux-PAM-%{version}.tar.bz2
+# This is the old location that might be revived in future:
+#Source0: http://ftp.us.kernel.org/pub/linux/libs/pam/library/Linux-PAM-%{version}.tar.bz2
+#Source1: http://ftp.us.kernel.org/pub/linux/libs/pam/library/Linux-PAM-%{version}.tar.bz2.sign
+Source2: https://fedorahosted.org/releases/p/a/pam-redhat/pam-redhat-%{pam_redhat_version}.tar.bz2
+Source5: other.pamd
+Source6: system-auth.pamd
+Source7: password-auth.pamd
+Source8: fingerprint-auth.pamd
+Source9: smartcard-auth.pamd
+Source10: config-util.pamd
+Source11: dlopen.sh
+Source12: system-auth.5
+Source13: config-util.5
+Source14: 20-nproc.conf
+Source15: pamtmp.conf
+Source16: postlogin.pamd
+Source17: postlogin.5
+Patch1:  pam-1.0.90-redhat-modules.patch
+Patch2:  pam-1.1.6-std-noclose.patch
+Patch4:  pam-1.1.0-console-nochmod.patch
+Patch5:  pam-1.1.0-notally.patch
+Patch8:  pam-1.1.1-faillock.patch
+Patch9:  pam-1.1.6-noflex.patch
+Patch10: pam-1.1.3-nouserenv.patch
+Patch12: pam-1.1.3-faillock-screensaver.patch
+Patch13: pam-1.1.6-limits-user.patch
+Patch15: pam-1.1.8-full-relro.patch
+# FIPS related - non upstreamable
+Patch20: pam-1.1.5-unix-no-fallback.patch
+Patch28: pam-1.1.1-console-errmsg.patch
+# Upstreamed partially
+Patch29: pam-1.1.8-pwhistory-helper.patch
+Patch31: pam-1.1.6-use-links.patch
+Patch32: pam-1.1.7-tty-audit-init.patch
+Patch33: pam-1.1.8-translation-updates.patch
+Patch34: pam-1.1.8-canonicalize-username.patch
+Patch35: pam-1.1.8-cve-2013-7041.patch
+Patch36: pam-1.1.8-cve-2014-2583.patch
+Patch37: pam-1.1.8-lastlog-uninitialized.patch
+Patch38: pam-1.1.8-opasswd-tolerant.patch
+Patch39: pam-1.1.8-audit-grantor.patch
+Patch40: pam-1.1.8-man-dbsuffix.patch
+Patch41: pam-1.1.8-limits-check-process.patch
+Patch42: pam-1.1.8-limits-docfix.patch
+Patch43: pam-1.1.8-audit-user-mgmt.patch
+Patch44: pam-1.1.8-cve-2015-3238.patch
+Patch45: pam-1.1.8-unix-expiry.patch
+Patch46: pam-1.1.8-man-environment.patch
+Patch47: pam-1.1.8-loginuid-log-auditd.patch
+Patch48: pam-1.1.8-faillock-never.patch
+Patch49: pam-1.1.8-relax-audit.patch
+Patch50: pam-1.1.8-lastlog-localtime.patch
+Patch51: pam-1.1.8-man-delay.patch
+Patch52: pam-1.1.8-succeed-if-large-uid.patch
+Patch53: pam-1.1.8-access-update.patch
+Patch54: pam-1.1.8-man-space.patch
+Patch55: pam-1.1.8-tty-audit-uid-range.patch
+Patch56: pam-1.1.8-faillock-admin-group.patch
+Patch57: pam-1.1.8-mkhomedir-inroot.patch
+
+%define _pamlibdir %{_libdir}
+%define _moduledir %{_libdir}/security
+%define _secconfdir %{_sysconfdir}/security
+%define _pamconfdir %{_sysconfdir}/pam.d
+
+%if %{?WITH_SELINUX:0}%{!?WITH_SELINUX:1}
+%define WITH_SELINUX 1
+%endif
+%if %{?WITH_AUDIT:0}%{!?WITH_AUDIT:1}
+%define WITH_AUDIT 1
+%endif
+%global _performance_build 1
+
+Requires: cracklib-dicts >= 2.8
+Requires: libpwquality >= 0.9.9
+Requires(post): coreutils, /sbin/ldconfig
+BuildRequires: autoconf >= 2.60
+BuildRequires: automake, libtool
+BuildRequires: bison, flex, sed
+BuildRequires: cracklib-devel, cracklib-dicts >= 2.8
+BuildRequires: perl, pkgconfig, gettext-devel
+%if %{WITH_AUDIT}
+BuildRequires: audit-libs-devel >= 1.0.8
+Requires: audit-libs >= 1.0.8
+%endif
+%if %{WITH_SELINUX}
+BuildRequires: libselinux-devel >= 1.33.2
+Requires: libselinux >= 1.33.2
+%endif
+Requires: glibc >= 2.3.90-37
+BuildRequires: libdb-devel
+# Following deps are necessary only to build the pam library documentation.
+BuildRequires: linuxdoc-tools, elinks, libxslt
+BuildRequires: docbook-style-xsl, docbook-dtds
+
+URL: http://www.linux-pam.org/
+
+%description
+PAM (Pluggable Authentication Modules) is a system security tool that
+allows system administrators to set authentication policy without
+having to recompile programs that handle authentication.
+
+%package devel
+Group: Development/Libraries
+Summary: Files needed for developing PAM-aware applications and modules for PAM
+Requires: pam%{?_isa} = %{version}-%{release}
+
+%description devel
+PAM (Pluggable Authentication Modules) is a system security tool that
+allows system administrators to set authentication policy without
+having to recompile programs that handle authentication. This package
+contains header files used for building both PAM-aware applications
+and modules for use with the PAM system.
+
+%prep
+%setup -q -n Linux-PAM-%{version} -a 2
+perl -pi -e "s/ppc64-\*/ppc64-\* \| ppc64p7-\*/" build-aux/config.sub
+
+# Add custom modules.
+mv pam-redhat-%{pam_redhat_version}/* modules
+
+%patch1 -p1 -b .redhat-modules
+%patch2 -p1 -b .std-noclose
+%patch4 -p1 -b .nochmod
+%patch5 -p1 -b .notally
+%patch8 -p1 -b .faillock
+%patch9 -p1 -b .noflex
+%patch10 -p1 -b .nouserenv
+%patch12 -p1 -b .screensaver
+%patch13 -p1 -b .limits
+%patch15 -p1 -b .relro
+%patch20 -p1 -b .no-fallback
+%patch28 -p1 -b .errmsg
+%patch29 -p1 -b .pwhhelper
+%patch31 -p1 -b .links
+%patch32 -p1 -b .tty-audit-init
+%patch33 -p2 -b .translations
+%patch34 -p1 -b .canonicalize
+%patch35 -p1 -b .case
+%patch36 -p1 -b .timestamp-ruser
+%patch37 -p1 -b .uninitialized
+%patch38 -p1 -b .opasswd-tolerant
+%patch39 -p1 -b .grantor
+%patch40 -p1 -b .dbsuffix
+%patch41 -p1 -b .check-process
+%patch42 -p1 -b .docfix
+%patch43 -p1 -b .audit-user-mgmt
+%patch44 -p1 -b .password-limit
+%patch45 -p1 -b .expiry
+%patch46 -p1 -b .man-environment
+%patch47 -p1 -b .log-auditd
+%patch48 -p1 -b .never
+%patch49 -p1 -b .relax-audit
+%patch50 -p1 -b .localtime
+%patch51 -p1 -b .delay
+%patch52 -p1 -b .large-uid
+%patch53 -p1 -b .access-update
+%patch54 -p1 -b .space
+%patch55 -p1 -b .uid-range
+%patch56 -p1 -b .admin-group
+%patch57 -p1 -b .mkhomedir-inroot
+
+%build
+autoreconf -i
+%configure \
+	--libdir=%{_pamlibdir} \
+	--includedir=%{_includedir}/security \
+%if ! %{WITH_SELINUX}
+	--disable-selinux \
+%endif
+%if ! %{WITH_AUDIT}
+	--disable-audit \
+%endif
+	--disable-static \
+	--disable-prelude
+make -C po update-gmo
+make
+# we do not use _smp_mflags because the build of sources in yacc/flex fails
+
+%install
+mkdir -p doc/txts
+for readme in modules/pam_*/README ; do
+	cp -f ${readme} doc/txts/README.`dirname ${readme} | sed -e 's|^modules/||'`
+done
+
+# Install the binaries, libraries, and modules.
+make install DESTDIR=$RPM_BUILD_ROOT LDCONFIG=:
+
+%if %{WITH_SELINUX}
+# Temporary compat link
+ln -sf pam_sepermit.so $RPM_BUILD_ROOT%{_moduledir}/pam_selinux_permit.so
+%endif
+
+# RPM uses docs from source tree
+rm -rf $RPM_BUILD_ROOT%{_datadir}/doc/Linux-PAM
+# Included in setup package
+rm -f $RPM_BUILD_ROOT%{_sysconfdir}/environment
+
+# Install default configuration files.
+install -d -m 755 $RPM_BUILD_ROOT%{_pamconfdir}
+install -m 644 %{SOURCE5} $RPM_BUILD_ROOT%{_pamconfdir}/other
+install -m 644 %{SOURCE6} $RPM_BUILD_ROOT%{_pamconfdir}/system-auth
+install -m 644 %{SOURCE7} $RPM_BUILD_ROOT%{_pamconfdir}/password-auth
+install -m 644 %{SOURCE8} $RPM_BUILD_ROOT%{_pamconfdir}/fingerprint-auth
+install -m 644 %{SOURCE9} $RPM_BUILD_ROOT%{_pamconfdir}/smartcard-auth
+install -m 644 %{SOURCE10} $RPM_BUILD_ROOT%{_pamconfdir}/config-util
+install -m 644 %{SOURCE16} $RPM_BUILD_ROOT%{_pamconfdir}/postlogin
+install -m 644 %{SOURCE14} $RPM_BUILD_ROOT%{_secconfdir}/limits.d/20-nproc.conf
+install -m 600 /dev/null $RPM_BUILD_ROOT%{_secconfdir}/opasswd
+install -d -m 755 $RPM_BUILD_ROOT/var/log
+install -m 600 /dev/null $RPM_BUILD_ROOT/var/log/tallylog
+install -d -m 755 $RPM_BUILD_ROOT/var/run/faillock
+
+# Install man pages.
+install -m 644 %{SOURCE12} %{SOURCE13} %{SOURCE17} $RPM_BUILD_ROOT%{_mandir}/man5/
+ln -sf system-auth.5 $RPM_BUILD_ROOT%{_mandir}/man5/password-auth.5
+ln -sf system-auth.5 $RPM_BUILD_ROOT%{_mandir}/man5/fingerprint-auth.5
+ln -sf system-auth.5 $RPM_BUILD_ROOT%{_mandir}/man5/smartcard-auth.5
+
+
+for phase in auth acct passwd session ; do
+	ln -sf pam_unix.so $RPM_BUILD_ROOT%{_moduledir}/pam_unix_${phase}.so 
+done
+
+# Remove .la files and make new .so links -- this depends on the value
+# of _libdir not changing, and *not* being /usr/lib.
+for lib in libpam libpamc libpam_misc ; do
+rm -f $RPM_BUILD_ROOT%{_pamlibdir}/${lib}.la
+done
+rm -f $RPM_BUILD_ROOT%{_moduledir}/*.la
+
+%if "%{_pamlibdir}" != "%{_libdir}"
+install -d -m 755 $RPM_BUILD_ROOT%{_libdir}
+for lib in libpam libpamc libpam_misc ; do
+pushd $RPM_BUILD_ROOT%{_libdir}
+ln -sf %{_pamlibdir}/${lib}.so.*.* ${lib}.so
+popd
+rm -f $RPM_BUILD_ROOT%{_pamlibdir}/${lib}.so
+done
+%endif
+
+# Duplicate doc file sets.
+rm -fr $RPM_BUILD_ROOT/usr/share/doc/pam
+
+# Install the file for autocreation of /var/run subdirectories on boot
+install -m644 -D %{SOURCE15} $RPM_BUILD_ROOT%{_prefix}/lib/tmpfiles.d/pam.conf
+
+%find_lang Linux-PAM
+
+%check
+# Make sure every module subdirectory gave us a module.  Yes, this is hackish.
+for dir in modules/pam_* ; do
+if [ -d ${dir} ] ; then
+%if ! %{WITH_SELINUX}
+	[ ${dir} = "modules/pam_selinux" ] && continue
+	[ ${dir} = "modules/pam_sepermit" ] && continue
+%endif
+%if ! %{WITH_AUDIT}
+	[ ${dir} = "modules/pam_tty_audit" ] && continue
+%endif
+	[ ${dir} = "modules/pam_tally" ] && continue
+	if ! ls -1 $RPM_BUILD_ROOT%{_moduledir}/`basename ${dir}`*.so ; then
+		echo ERROR `basename ${dir}` did not build a module.
+		exit 1
+	fi
+fi
+done
+
+# Check for module problems.  Specifically, check that every module we just
+# installed can actually be loaded by a minimal PAM-aware application.
+/sbin/ldconfig -n $RPM_BUILD_ROOT%{_pamlibdir}
+for module in $RPM_BUILD_ROOT%{_moduledir}/pam*.so ; do
+	if ! env LD_LIBRARY_PATH=$RPM_BUILD_ROOT%{_pamlibdir} \
+		 %{SOURCE11} -ldl -lpam -L$RPM_BUILD_ROOT%{_libdir} ${module} ; then
+		echo ERROR module: ${module} cannot be loaded.
+		exit 1
+	fi
+done
+
+%post
+/sbin/ldconfig
+if [ ! -e /var/log/tallylog ] ; then
+	/usr/bin/install -m 600 /dev/null /var/log/tallylog
+fi
+
+%postun -p /sbin/ldconfig
+
+%files -f Linux-PAM.lang
+%defattr(-,root,root)
+%dir %{_pamconfdir}
+%config(noreplace) %{_pamconfdir}/other
+%config(noreplace) %{_pamconfdir}/system-auth
+%config(noreplace) %{_pamconfdir}/password-auth
+%config(noreplace) %{_pamconfdir}/fingerprint-auth
+%config(noreplace) %{_pamconfdir}/smartcard-auth
+%config(noreplace) %{_pamconfdir}/config-util
+%config(noreplace) %{_pamconfdir}/postlogin
+%doc Copyright
+%doc doc/txts
+%doc doc/sag/*.txt doc/sag/html
+%doc doc/specs/rfc86.0.txt
+%{_pamlibdir}/libpam.so.*
+%{_pamlibdir}/libpamc.so.*
+%{_pamlibdir}/libpam_misc.so.*
+%{_sbindir}/pam_console_apply
+%{_sbindir}/pam_tally2
+%{_sbindir}/faillock
+%attr(4755,root,root) %{_sbindir}/pam_timestamp_check
+%attr(4755,root,root) %{_sbindir}/unix_chkpwd
+%attr(0700,root,root) %{_sbindir}/unix_update
+%attr(0755,root,root) %{_sbindir}/mkhomedir_helper
+%attr(0755,root,root) %{_sbindir}/pwhistory_helper
+%dir %{_moduledir}
+%{_moduledir}/pam_access.so
+%{_moduledir}/pam_chroot.so
+%{_moduledir}/pam_console.so
+%{_moduledir}/pam_cracklib.so
+%{_moduledir}/pam_debug.so
+%{_moduledir}/pam_deny.so
+%{_moduledir}/pam_echo.so
+%{_moduledir}/pam_env.so
+%{_moduledir}/pam_exec.so
+%{_moduledir}/pam_faildelay.so
+%{_moduledir}/pam_faillock.so
+%{_moduledir}/pam_filter.so
+%{_moduledir}/pam_ftp.so
+%{_moduledir}/pam_group.so
+%{_moduledir}/pam_issue.so
+%{_moduledir}/pam_keyinit.so
+%{_moduledir}/pam_lastlog.so
+%{_moduledir}/pam_limits.so
+%{_moduledir}/pam_listfile.so
+%{_moduledir}/pam_localuser.so
+%{_moduledir}/pam_loginuid.so
+%{_moduledir}/pam_mail.so
+%{_moduledir}/pam_mkhomedir.so
+%{_moduledir}/pam_motd.so
+%{_moduledir}/pam_namespace.so
+%{_moduledir}/pam_nologin.so
+%{_moduledir}/pam_permit.so
+%{_moduledir}/pam_postgresok.so
+%{_moduledir}/pam_pwhistory.so
+%{_moduledir}/pam_rhosts.so
+%{_moduledir}/pam_rootok.so
+%if %{WITH_SELINUX}
+%{_moduledir}/pam_selinux.so
+%{_moduledir}/pam_selinux_permit.so
+%{_moduledir}/pam_sepermit.so
+%endif
+%{_moduledir}/pam_securetty.so
+%{_moduledir}/pam_shells.so
+%{_moduledir}/pam_stress.so
+%{_moduledir}/pam_succeed_if.so
+%{_moduledir}/pam_tally2.so
+%{_moduledir}/pam_time.so
+%{_moduledir}/pam_timestamp.so
+%if %{WITH_AUDIT}
+%{_moduledir}/pam_tty_audit.so
+%endif
+%{_moduledir}/pam_umask.so
+%{_moduledir}/pam_unix.so
+%{_moduledir}/pam_unix_acct.so
+%{_moduledir}/pam_unix_auth.so
+%{_moduledir}/pam_unix_passwd.so
+%{_moduledir}/pam_unix_session.so
+%{_moduledir}/pam_userdb.so
+%{_moduledir}/pam_warn.so
+%{_moduledir}/pam_wheel.so
+%{_moduledir}/pam_xauth.so
+%{_moduledir}/pam_filter
+%dir %{_secconfdir}
+%config(noreplace) %{_secconfdir}/access.conf
+%config(noreplace) %{_secconfdir}/chroot.conf
+%config %{_secconfdir}/console.perms
+%config(noreplace) %{_secconfdir}/console.handlers
+%config(noreplace) %{_secconfdir}/group.conf
+%config(noreplace) %{_secconfdir}/limits.conf
+%dir %{_secconfdir}/limits.d
+%config(noreplace) %{_secconfdir}/limits.d/20-nproc.conf
+%config(noreplace) %{_secconfdir}/namespace.conf
+%dir %{_secconfdir}/namespace.d
+%attr(755,root,root) %config(noreplace) %{_secconfdir}/namespace.init
+%config(noreplace) %{_secconfdir}/pam_env.conf
+%config(noreplace) %{_secconfdir}/time.conf
+%config(noreplace) %{_secconfdir}/opasswd
+%dir %{_secconfdir}/console.apps
+%dir %{_secconfdir}/console.perms.d
+%dir /var/run/console
+%if %{WITH_SELINUX}
+%config(noreplace) %{_secconfdir}/sepermit.conf
+%dir /var/run/sepermit
+%endif
+%ghost %verify(not md5 size mtime) /var/log/tallylog
+%dir /var/run/faillock
+%{_prefix}/lib/tmpfiles.d/pam.conf
+%{_mandir}/man5/*
+%{_mandir}/man8/*
+
+%files devel
+%defattr(-,root,root)
+%{_includedir}/security
+%{_mandir}/man3/*
+%{_libdir}/libpam.so
+%{_libdir}/libpamc.so
+%{_libdir}/libpam_misc.so
+%doc doc/mwg/*.txt doc/mwg/html
+%doc doc/adg/*.txt doc/adg/html
+
+%changelog
+* Fri Nov  3 2017 Tomáš Mráz <tmraz@redhat.com> 1.1.8-22
+- pam_mkhomedir: do not fail creating parent dir if in /
+
+* Thu Nov  2 2017 Tomáš Mráz <tmraz@redhat.com> 1.1.8-21
+- pam(8) Manual page missing space fix (#1382302)
+
+* Mon Oct  9 2017 Tomáš Mráz <tmraz@redhat.com> 1.1.8-20
+- pam_tty_audit: add support for uid range matching
+
+* Fri Sep  8 2017 Tomáš Mráz <tmraz@redhat.com> 1.1.8-19
+- pam_access: (group) match syntax is prioritized over network@netgroup
+  match (#1358881), add support for additional /etc/security/access.d/*.conf
+  files, improve documentation (#1421735)
+- pam_lastlog: fix pt_BR translation (#1185697)
+- pam_faillock: support admin_group with users equivalent to root in
+  faillock handling (#1285550)
+
+* Tue Jul 19 2016 Tomáš Mráz <tmraz@redhat.com> 1.1.8-18
+- pam_succeed_if: fix handling of large uids, tty, and rhost
+
+* Mon May 30 2016 Tomáš Mráz <tmraz@redhat.com> 1.1.8-17
+- fix pam_fail_delay() manual page (#1130053)
+
+* Thu Apr 28 2016 Tomáš Mráz <tmraz@redhat.com> 1.1.8-15
+- pam_faillock: support permanent locking of user with
+  unlock_time=never option
+
+* Fri Apr 22 2016 Tomáš Mráz <tmraz@redhat.com> 1.1.8-14
+- pam_unix: add no_pass_expiry option for ignoring password
+  expiration in crond and sshd with public key authentication
+- add manual page for environment(5) (#1110257)
+- pam_loginuid: log if auditd not detected
+- always ignore audit error when -EPERM is returned (#1287800)
+- pam_lastlog: fix possible NULL dereference when localtime fails (#1313537)
+
+* Tue Aug  4 2015 Tomáš Mráz <tmraz@redhat.com> 1.1.8-13
+- fix CVE-2015-3238 - DoS due to blocking pipe with very long password
+
+* Fri Oct 17 2014 Tomáš Mráz <tmraz@redhat.com> 1.1.8-12
+- use USER_MGMT type for auditing in the pam_tally2 and faillock
+  apps (#1151576)
+
+* Thu Sep 11 2014 Tomáš Mráz <tmraz@redhat.com> 1.1.8-11
+- be tolerant to corrupted opasswd file
+- audit the module names that granted access
+- pam_userdb: correct the example in man page (#1078784)
+- pam_limits: check whether the utmp login entry is valid (#1080023)
+- pam_console_apply: do not print error if console.perms.d is empty
+- pam_limits: nofile refers to open file descriptors (#1111220)
+- apply PIE and full RELRO to all binaries built
+
+* Mon Aug 25 2014 Tomáš Mráz <tmraz@redhat.com> 1.1.8-10
+- pam_lastlog: fix uninitialized access of parts of lastlog structure
+
+* Mon Mar 31 2014 Tomáš Mráz <tmraz@redhat.com> 1.1.8-9
+- fix CVE-2014-2583: potential path traversal issue in pam_timestamp
+- pam_pwhistory: call the helper if SELinux enabled
+
+* Tue Mar 11 2014 Tomáš Mráz <tmraz@redhat.com> 1.1.8-8
+- fix CVE-2013-7041: use case sensitive comparison in pam_userdb
+
+* Mon Mar 10 2014 Tomáš Mráz <tmraz@redhat.com> 1.1.8-7
+- rename the 90-nproc.conf to 20-nproc.conf (#1071618)
+- canonicalize user name in pam_selinux (#1071010)
+
+* Fri Jan 31 2014 Tomáš Mráz <tmraz@redhat.com> 1.1.8-6
+- refresh the pam-redhat tarball
+
+* Fri Jan 24 2014 Daniel Mach <dmach@redhat.com> - 1.1.8-5
+- Mass rebuild 2014-01-24
+
+* Wed Jan 15 2014 Tomáš Mráz <tmraz@redhat.com> 1.1.8-4
+- rebuild with -O3 on ppc64 architecture
+
+* Fri Dec 27 2013 Daniel Mach <dmach@redhat.com> - 1.1.8-3
+- Mass rebuild 2013-12-27
+
+* Tue Dec  3 2013 Tomáš Mráz <tmraz@redhat.com> 1.1.8-2
+- updated translations
+
+* Mon Oct 14 2013 Tomáš Mráz <tmraz@redhat.com> 1.1.8-1
+- new upstream release
+
+* Sat Oct  5 2013 Tomáš Mráz <tmraz@redhat.com> 1.1.7-4
+- pam_tty_audit: proper initialization of the tty_audit_status struct
+
+* Mon Sep 30 2013 Tomáš Mráz <tmraz@redhat.com> 1.1.7-2
+- add "local_users_only" to pam_pwquality in default configuration
+
+* Fri Sep 13 2013 Tomáš Mráz <tmraz@redhat.com> 1.1.7-1
+- new upstream release
+
+* Wed Aug  7 2013 Tomáš Mráz <tmraz@redhat.com> 1.1.6-14
+- use links instead of w3m to create txt documentation
+- recognize login session in pam_sepermit to prevent gdm from locking (#969174)
+- add support for disabling password logging in pam_tty_audit
+
+* Thu Jul 11 2013 Tomáš Mráz <tmraz@redhat.com> 1.1.6-13
+- add auditing of SELinux policy violation in pam_rootok (#965723)
+- add SELinux helper to pam_pwhistory
+
+* Wed Jun 12 2013 Tomáš Mráz <tmraz@redhat.com> 1.1.6-12
+- lastlog must be updated also for su
+
+* Tue May  7 2013 Tomáš Mráz <tmraz@redhat.com> 1.1.6-11
+- the default isadir is more correct
+
+* Wed Apr 24 2013 Tomáš Mráz <tmraz@redhat.com> 1.1.6-10
+- pam_unix: do not fail with bad ld.so.preload
+
+* Fri Mar 22 2013 Tomáš Mráz <tmraz@redhat.com> 1.1.6-9
+- do not fail if btmp file is corrupted (#906852)
+- fix strict aliasing warnings in build
+- UsrMove
+- use authtok_type with pam_pwquality in system-auth
+- remove manual_context handling from pam_selinux (#876976)
+- other minor specfile cleanups
+
+* Tue Mar 19 2013 Tomáš Mráz <tmraz@redhat.com> 1.1.6-8
+- check NULL return from crypt() calls (#915316)
+
+* Thu Mar 14 2013 Tomáš Mráz <tmraz@redhat.com> 1.1.6-7
+- add workaround for low nproc limit for confined root user (#432903)
+
+* Thu Feb 21 2013 Karsten Hopp <karsten@redhat.com> 1.1.6-6
+- add support for ppc64p7 arch (Power7 optimized)
+
+* Thu Feb 14 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.1.6-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
+
+* Tue Jan 22 2013 Tomas Mraz <tmraz@redhat.com> 1.1.6-4
+- fix build with current autotools
+
+* Mon Oct 15 2012 Tomas Mraz <tmraz@redhat.com> 1.1.6-3
+- add support for tmpfs mount options in pam_namespace
+
+* Mon Sep  3 2012 Tomas Mraz <tmraz@redhat.com> 1.1.6-2
+- link setuid binaries with full relro (#853158)
+- add rhost and tty to auditing data in modules (#677664)
+
+* Fri Aug 17 2012 Tomas Mraz <tmraz@redhat.com> - 1.1.6-1
+- new upstream release
+
+* Thu Aug  9 2012 Tomas Mraz <tmraz@redhat.com> - 1.1.5-9
+- make the pam_lastlog module in postlogin 'optional' (#846843)
+
+* Mon Aug  6 2012 Tomas Mraz <tmraz@redhat.com> - 1.1.5-8
+- fix build failure in pam_unix
+- add display of previous bad login attempts to postlogin.pamd
+- put the tmpfiles.d config to /usr/lib and rename it to pam.conf
+- build against libdb-5
+
+* Wed May  9 2012 Tomas Mraz <tmraz@redhat.com> 1.1.5-7
+- add inactive account lock out functionality to pam_lastlog
+- fix pam_unix remember user name matching
+- add gecoscheck and maxclassrepeat functionality to pam_cracklib
+- correctly check for crypt() returning NULL in pam_unix
+- pam_unix - do not fallback to MD5 on password change
+  if requested algorithm not supported by crypt() (#818741)
+- install empty directories
+
+* Wed May  9 2012 Tomas Mraz <tmraz@redhat.com> 1.1.5-6
+- add pam_systemd to session modules
+
+* Tue Jan 31 2012 Tomas Mraz <tmraz@redhat.com> 1.1.5-5
+- fix pam_namespace leaking the protect mounts to parent namespace (#755216)
+
+* Fri Jan 13 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.1.5-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
+
+* Wed Dec 21 2011 Tomas Mraz <tmraz@redhat.com> 1.1.5-3
+- add a note to limits.conf (#754285)
+
+* Thu Nov 24 2011 Tomas Mraz <tmraz@redhat.com> 1.1.5-2
+- use pam_pwquality instead of pam_cracklib
+
+* Thu Nov 24 2011 Tomas Mraz <tmraz@redhat.com> 1.1.5-1
+- upgrade to new upstream release
+
+* Thu Aug 25 2011 Tomas Mraz <tmraz@redhat.com> 1.1.4-4
+- fix dereference in pam_env
+- fix wrong parse of user@host pattern in pam_access (#732081)
+
+* Sat Jul 23 2011 Ville Skyttä <ville.skytta@iki.fi> - 1.1.4-3
+- Rebuild to fix trailing slashes in provided dirs added by rpm 4.9.1.
+
+* Fri Jul 15 2011 Tomas Mraz <tmraz@redhat.com> 1.1.4-2
+- clear supplementary groups in pam_console handler execution
+
+* Mon Jun 27 2011 Tomas Mraz <tmraz@redhat.com> 1.1.4-1
+- upgrade to new upstream release
+
+* Tue Jun  7 2011 Tomas Mraz <tmraz@redhat.com> 1.1.3-10
+- detect the shared / and make the polydir mounts private based on that
+- fix memory leak and other small errors in pam_namespace
+
+* Thu Jun  2 2011 Tomas Mraz <tmraz@redhat.com> 1.1.3-9
+- add support for explicit marking of the polydir mount private (#623522)
+
+* Tue Feb 08 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.1.3-8
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
+
+* Wed Dec 22 2010 Tomas Mraz <tmraz@redhat.com> 1.1.3-7
+- add postlogin common PAM configuration file (#665059)
+
+* Tue Dec 14 2010 Tomas Mraz <tmraz@redhat.com> 1.1.3-6
+- include patches recently submitted and applied to upstream CVS
+
+* Thu Nov 25 2010 Tomas Mraz <tmraz@redhat.com> 1.1.3-5
+- add config for autocreation of subdirectories in /var/run (#656655)
+- automatically enable kernel console in pam_securetty
+
+* Wed Nov 10 2010 Tomas Mraz <tmraz@redhat.com> 1.1.3-4
+- fix memory leak in pam_faillock
+
+* Wed Nov 10 2010 Tomas Mraz <tmraz@redhat.com> 1.1.3-3
+- fix segfault in faillock utility
+- remove some cases where the information of existence of
+  an user account could be leaked by the pam_faillock,
+  document the remaining case
+
+* Fri Nov  5 2010 Tomas Mraz <tmraz@redhat.com> 1.1.3-2
+- fix a mistake in the abstract X-socket connect
+- make pam_faillock work with screensaver
+
+* Mon Nov  1 2010 Tomas Mraz <tmraz@redhat.com> 1.1.3-1
+- upgrade to new upstream release fixing CVE-2010-3316 CVE-2010-3435
+  CVE-2010-3853
+- try to connect to an abstract X-socket first to verify we are
+  at real console (#647191)
+
+* Wed Sep 29 2010 jkeating - 1.1.2-2
+- Rebuilt for gcc bug 634757
+
+* Mon Sep 20 2010 Tomas Mraz <tmraz@redhat.com> 1.1.2-1
+- add pam_faillock module implementing temporary account lock out based
+  on authentication failures during a specified interval
+- do not build some auxiliary tools that are not installed that require
+  flex-static to build
+- upgrade to new upstream release
+
+* Thu Jul 15 2010 Tomas Mraz <tmraz@redhat.com> 1.1.1-5
+- do not overwrite tallylog with empty file on upgrade
+
+* Mon Feb 15 2010 Tomas Mraz <tmraz@redhat.com> 1.1.1-4
+- change the default password hash to sha512
+
+* Fri Jan 22 2010 Tomas Mraz <tmraz@redhat.com> 1.1.1-3
+- fix wrong prompt when pam_get_authtok is used for new password
+
+* Mon Jan 18 2010 Tomas Mraz <tmraz@redhat.com> 1.1.1-2
+- fix build with disabled audit and SELinux (#556211, #556212)
+
+* Thu Dec 17 2009 Tomas Mraz <tmraz@redhat.com> 1.1.1-1
+- new upstream version with minor changes
+
+* Mon Nov  2 2009 Tomas Mraz <tmraz@redhat.com> 1.1.0-7
+- pam_console: fix memory corruption when executing handlers (patch by
+  Stas Sergeev) and a few more fixes in the handler execution code (#532302)
+
+* Thu Oct 29 2009 Tomas Mraz <tmraz@redhat.com> 1.1.0-6
+- pam_xauth: set the approprate context when creating .xauth files (#531530)
+
+* Tue Sep  1 2009 Tomas Mraz <tmraz@redhat.com> 1.1.0-5
+- do not change permissions with pam_console_apply
+- drop obsolete pam_tally module and the faillog file (#461258)
+
+* Wed Aug 19 2009 Tomas Mraz <tmraz@redhat.com> 1.1.0-4
+- rebuild with new libaudit
+
+* Mon Jul 27 2009 Tomas Mraz <tmraz@redhat.com> 1.1.0-3
+- fix for pam_cracklib from upstream
+
+* Sat Jul 25 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.1.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
+
+* Tue Jun 23 2009 Tomas Mraz <tmraz@redhat.com> 1.1.0-1
+- update to new upstream version
+
+* Wed May 13 2009 Tomas Mraz <tmraz@redhat.com> 1.0.92-1
+- update to new upstream version
+
+* Fri Apr 10 2009 Tomas Mraz <tmraz@redhat.com> 1.0.91-6
+- add password-auth, fingerprint-auth, and smartcard-auth
+  for applications which can use them namely gdm (#494874)
+  patch by Ray Strode
+
+* Thu Mar 26 2009 Tomas Mraz <tmraz@redhat.com> 1.0.91-5
+- replace also other std descriptors (#491471)
+
+* Tue Mar 17 2009 Tomas Mraz <tmraz@redhat.com> 1.0.91-3
+- we must replace the stdin when execing the helper (#490644)
+
+* Mon Mar 16 2009 Tomas Mraz <tmraz@redhat.com> 1.0.91-2
+- do not close stdout/err when execing the helpers (#488147)
+
+* Mon Mar  9 2009 Tomas Mraz <tmraz@redhat.com> 1.0.91-1
+- upgrade to new upstream release
+
+* Fri Feb 27 2009 Tomas Mraz <tmraz@redhat.com> 1.0.90-4
+- fix parsing of config files containing non-ASCII characters
+- fix CVE-2009-0579 (mininimum days for password change ignored) (#487216)
+- pam_access: improve handling of hostname resolution
+
+* Thu Feb 26 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.0.90-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
+
+* Mon Jan 19 2009 Tomas Mraz <tmraz@redhat.com> 1.0.90-2
+- add helper to pam_mkhomedir for proper SELinux confinement (#476784)
+
+* Tue Dec 16 2008 Tomas Mraz <tmraz@redhat.com> 1.0.90-1
+- upgrade to new upstream release
+- add --disable-prelude (#466242)
+
+* Tue Sep 23 2008 Tomas Mraz <tmraz@redhat.com> 1.0.2-2
+- new password quality checks in pam_cracklib
+- report failed logins from btmp in pam_lastlog
+- allow larger groups in modutil functions
+- fix leaked file descriptor in pam_tally
+
+* Mon Sep  8 2008 Tomas Mraz <tmraz@redhat.com> 1.0.2-1
+- pam_loginuid: uids are unsigned (#460241)
+- new minor upstream release
+- use external db4
+- drop tests for not pulling in libpthread (as NPTL should
+  be safe)
+
+* Wed Jul  9 2008 Tomas Mraz <tmraz@redhat.com> 1.0.1-5
+- update internal db4
+
+* Wed May 21 2008 Tomas Mraz <tmraz@redhat.com> 1.0.1-4
+- pam_namespace: allow safe creation of directories owned by user (#437116)
+- pam_unix: fix multiple error prompts on password change (#443872)
+
+* Tue May 20 2008 Tomas Mraz <tmraz@redhat.com> 1.0.1-3
+- pam_selinux: add env_params option which will be used by OpenSSH
+- fix build with new autoconf
+
+* Tue Apr 22 2008 Tomas Mraz <tmraz@redhat.com> 1.0.1-2
+- pam_selinux: restore execcon properly (#443667)
+
+* Fri Apr 18 2008 Tomas Mraz <tmraz@redhat.com> 1.0.1-1
+- upgrade to new upstream release (one bugfix only)
+- fix pam_sepermit use in screensavers
+
+* Mon Apr  7 2008 Tomas Mraz <tmraz@redhat.com> 1.0.0-2
+- fix regression in pam_set_item
+
+* Fri Apr  4 2008 Tomas Mraz <tmraz@redhat.com> 1.0.0-1
+- upgrade to new upstream release (bugfix only)
+
+* Thu Mar 20 2008 Tomas Mraz <tmraz@redhat.com> 0.99.10.0-4
+- pam_namespace: fix problem with level polyinst (#438264)
+- pam_namespace: improve override checking for umount
+- pam_selinux: fix syslogging a context after free() (#438338)
+
+* Thu Feb 28 2008 Tomas Mraz <tmraz@redhat.com> 0.99.10.0-3
+- update pam-redhat module tarball
+- update internal db4
+
+* Fri Feb 22 2008 Tomas Mraz <tmraz@redhat.com> 0.99.10.0-2
+- if shadow is readable for an user do not prevent him from
+  authenticating any user with unix_chkpwd (#433459)
+- call audit from unix_chkpwd when appropriate
+
+* Fri Feb 15 2008 Tomas Mraz <tmraz@redhat.com> 0.99.10.0-1
+- new upstream release
+- add default soft limit for nproc of 1024 to prevent
+  accidental fork bombs (#432903)
+
+* Mon Feb  4 2008 Tomas Mraz <tmraz@redhat.com> 0.99.8.1-18
+- allow the package to build without SELinux and audit support (#431415)
+- macro usage cleanup
+
+* Mon Jan 28 2008 Tomas Mraz <tmraz@redhat.com> 0.99.8.1-17
+- test for setkeycreatecon correctly
+- add exclusive login mode of operation to pam_selinux_permit (original
+  patch by Dan Walsh)
+
+* Tue Jan 22 2008 Tomas Mraz <tmraz@redhat.com> 0.99.8.1-16
+- add auditing to pam_access, pam_limits, and pam_time
+- moved sanity testing code to check script
+
+* Mon Jan 14 2008 Tomas Mraz <tmraz@redhat.com> 0.99.8.1-15
+- merge review fixes (#226228)
+
+* Tue Jan  8 2008 Tomas Mraz <tmraz@redhat.com> 0.99.8.1-14
+- support for sha256 and sha512 password hashes
+- account expiry checks moved to unix_chkpwd helper
+
+* Wed Jan  2 2008 Tomas Mraz <tmraz@redhat.com> 0.99.8.1-13
+- wildcard match support in pam_tty_audit (by Miloslav Trmač)
+
+* Thu Nov 29 2007 Tomas Mraz <tmraz@redhat.com> 0.99.8.1-12
+- add pam_tty_audit module (#244352) - written by Miloslav Trmač
+
+* Wed Nov  7 2007 Tomas Mraz <tmraz@redhat.com> 0.99.8.1-11
+- add substack support
+
+* Tue Sep 25 2007 Tomas Mraz <tmraz@redhat.com> 0.99.8.1-10
+- update db4 to 4.6.19 (#274661)
+
+* Fri Sep 21 2007 Tomas Mraz <tmraz@redhat.com> 0.99.8.1-9
+- do not preserve contexts when copying skel and other namespace.init
+  fixes (#298941)
+- do not free memory sent to putenv (#231698)
+
+* Wed Sep 19 2007 Tomas Mraz <tmraz@redhat.com> 0.99.8.1-8
+- add pam_selinux_permit module
+- pam_succeed_if: fix in operator (#295151)
+
+* Tue Sep 18 2007 Tomas Mraz <tmraz@redhat.com> 0.99.8.1-7
+- when SELinux enabled always run the helper binary instead of
+  direct shadow access (#293181)
+
+* Fri Aug 24 2007 Tomas Mraz <tmraz@redhat.com> 0.99.8.1-6
+- do not ask for blank password when SELinux confined (#254044)
+- initialize homedirs in namespace init script (original patch by dwalsh)
+
+* Wed Aug 22 2007 Tomas Mraz <tmraz@redhat.com> 0.99.8.1-5
+- most devices are now handled by HAL and not pam_console (patch by davidz)
+- license tag fix
+- multifunction scanner device support (#251468)
+
+* Mon Aug 13 2007 Tomas Mraz <tmraz@redhat.com> 0.99.8.1-4
+- fix auth regression when uid != 0 from previous build (#251804)
+
+* Mon Aug  6 2007 Tomas Mraz <tmraz@redhat.com> 0.99.8.1-3
+- updated db4 to 4.6.18 (#249740)
+- added user and new instance parameters to namespace init
+- document the new features of pam_namespace
+- do not log an audit error when uid != 0 (#249870)
+
+* Wed Jul 25 2007 Jeremy Katz <katzj@redhat.com> - 0.99.8.1-2
+- rebuild for toolchain bug
+
+* Mon Jul 23 2007 Tomas Mraz <tmraz@redhat.com> 0.99.8.1-1
+- upgrade to latest upstream version
+- add some firewire devices to default console perms (#240770)
+
+* Thu Apr 26 2007 Tomas Mraz <tmraz@redhat.com> 0.99.7.1-6
+- pam_namespace: better document behavior on failure (#237249)
+- pam_unix: split out passwd change to a new helper binary (#236316)
+- pam_namespace: add support for temporary logons (#241226)
+
+* Fri Apr 13 2007 Tomas Mraz <tmraz@redhat.com> 0.99.7.1-5
+- pam_selinux: improve context change auditing (#234781)
+- pam_namespace: fix parsing config file with unknown users (#234513)
+
+* Fri Mar 23 2007 Tomas Mraz <tmraz@redhat.com> 0.99.7.1-4
+- pam_console: always decrement use count (#230823)
+- pam_namespace: use raw context for poly dir name (#227345)
+- pam_namespace: truncate long poly dir name (append hash) (#230120)
+- we don't patch any po files anymore
+
+* Wed Feb 21 2007 Tomas Mraz <tmraz@redhat.com> 0.99.7.1-3
+- correctly relabel tty in the default case (#229542)
+- pam_unix: cleanup of bigcrypt support
+- pam_unix: allow modification of '*' passwords to root
+
+* Tue Feb  6 2007 Tomas Mraz <tmraz@redhat.com> 0.99.7.1-2
+- more X displays as consoles (#227462)
+
+* Wed Jan 24 2007 Tomas Mraz <tmraz@redhat.com> 0.99.7.1-1
+- upgrade to new upstream version resolving CVE-2007-0003
+- pam_namespace: unmount poly dir for override users
+
+* Mon Jan 22 2007 Tomas Mraz <tmraz@redhat.com> 0.99.7.0-2
+- add back min salt length requirement which was erroneously removed
+  upstream (CVE-2007-0003)
+
+* Fri Jan 19 2007 Tomas Mraz <tmraz@redhat.com> 0.99.7.0-1
+- upgrade to new upstream version
+- drop pam_stack module as it is obsolete
+- some changes to silence rpmlint
+
+* Tue Jan 16 2007 Tomas Mraz <tmraz@redhat.com> 0.99.6.2-8
+- properly include /var/log/faillog and tallylog as ghosts
+  and create them in post script (#209646)
+- update gmo files as we patch some po files (#218271)
+- add use_current_range option to pam_selinux (#220487)
+- improve the role selection in pam_selinux
+- remove shortcut on Password: in ja locale (#218271)
+- revert to old euid and not ruid when setting euid in pam_keyinit (#219486)
+- rename selinux-namespace patch to namespace-level
+
+* Fri Dec 1 2006 Dan Walsh <dwalsh@redhat.com> 0.99.6.2-7
+- fix selection of role
+
+* Fri Dec 1 2006 Dan Walsh <dwalsh@redhat.com> 0.99.6.2-6
+- add possibility to pam_namespace to only change MLS component
+- Resolves: Bug #216184
+
+* Thu Nov 30 2006 Tomas Mraz <tmraz@redhat.com> 0.99.6.2-5
+- add select-context option to pam_selinux (#213812)
+- autoreconf won't work with autoconf-2.61 as configure.in is not yet adjusted
+  for it
+
+* Mon Nov 13 2006 Tomas Mraz <tmraz@redhat.com> 0.99.6.2-4
+- update internal db4 to 4.5.20 version
+- move setgid before setuid in pam_keyinit (#212329)
+- make username check in pam_unix consistent with useradd (#212153)
+
+* Tue Oct 24 2006 Tomas Mraz <tmraz@redhat.com> 0.99.6.2-3.3
+- don't overflow a buffer in pam_namespace (#211989)
+
+* Mon Oct 16 2006 Tomas Mraz <tmraz@redhat.com> 0.99.6.2-3.2
+- /var/log/faillog and tallylog must be config(noreplace)
+
+* Fri Oct 13 2006 Tomas Mraz <tmraz@redhat.com> 0.99.6.2-3.1
+- preserve effective uid in namespace.init script (LSPP for newrole)
+- include /var/log/faillog and tallylog to filelist (#209646)
+- add ids to .xml docs so the generated html is always the same (#210569)
+
+* Thu Sep 28 2006 Tomas Mraz <tmraz@redhat.com> 0.99.6.2-3
+- add pam_namespace option no_unmount_on_close, required for newrole
+
+* Mon Sep  4 2006 Tomas Mraz <tmraz@redhat.com> 0.99.6.2-2
+- silence pam_succeed_if in default system-auth (#205067)
+- round the pam_timestamp_check sleep up to wake up at the start of the
+  wallclock second (#205068)
+
+* Thu Aug 31 2006 Tomas Mraz <tmraz@redhat.com> 0.99.6.2-1
+- upgrade to new upstream version, as there are mostly bugfixes except
+  improved documentation
+- add support for session and password service for pam_access and
+  pam_succeed_if
+- system-auth: skip session pam_unix for crond service
+
+* Thu Aug 10 2006 Dan Walsh <dwalsh@redhat.com> 0.99.5.0-8
+- Add new setkeycreatecon call to pam_selinux to make sure keyring has correct context
+
+* Thu Aug 10 2006 Tomas Mraz <tmraz@redhat.com> 0.99.5.0-7
+- revoke keyrings properly when pam_keyinit called as root (#201048)
+- pam_succeed_if should return PAM_USER_UNKNOWN when getpwnam fails (#197748)
+
+* Wed Aug  2 2006 Tomas Mraz <tmraz@redhat.com> 0.99.5.0-6
+- revoke keyrings properly when pam_keyinit called more than once (#201048)
+  patch by David Howells
+
+* Fri Jul 21 2006 Tomas Mraz <tmraz@redhat.com> 0.99.5.0-5
+- don't log pam_keyinit debug messages by default (#199783)
+
+* Fri Jul 21 2006 Tomas Mraz <tmraz@redhat.com> 0.99.5.0-4
+- drop ainit from console.handlers (#199561)
+
+* Mon Jul 17 2006 Tomas Mraz <tmraz@redhat.com> 0.99.5.0-3
+- don't report error in pam_selinux for nonexistent tty (#188722)
+- add pam_keyinit to the default system-auth file (#198623)
+
+* Wed Jul 12 2006 Jesse Keating <jkeating@redhat.com> - 0.99.5.0-2.1
+- rebuild
+
+* Mon Jul  3 2006 Tomas Mraz <tmraz@redhat.com> 0.99.5.0-2
+- fixed network match in pam_access (patch by Dan Yefimov)
+
+* Fri Jun 30 2006 Tomas Mraz <tmraz@redhat.com> 0.99.5.0-1
+- updated to a new upstream release
+- added service as value to be matched and list matching to
+  pam_succeed_if
+- namespace.init was missing from EXTRA_DIST
+
+* Thu Jun  8 2006 Tomas Mraz <tmraz@redhat.com> 0.99.4.0-5
+- updated pam_namespace with latest patch by Janak Desai
+- merged pam_namespace patches
+- added buildrequires libtool
+- fixed a few rpmlint warnings
+
+* Wed May 24 2006 Tomas Mraz <tmraz@redhat.com> 0.99.4.0-4
+- actually don't link to libssl as it is not used (#191915)
+
+* Wed May 17 2006 Tomas Mraz <tmraz@redhat.com> 0.99.4.0-3
+- use md5 implementation from pam_unix in pam_namespace
+- pam_namespace should call setexeccon only when selinux is enabled
+
+* Tue May 16 2006 Tomas Mraz <tmraz@redhat.com> 0.99.4.0-2
+- pam_console_apply shouldn't access /var when called with -r (#191401)
+- actually apply the large-uid patch
+- don't build hmactest in pam_timestamp so openssl-devel is not required
+- add missing buildrequires (#191915)
+
+* Wed May 10 2006 Tomas Mraz <tmraz@redhat.com> 0.99.4.0-1
+- upgrade to new upstream version
+- make pam_console_apply not dependent on glib
+- support large uids in pam_tally, pam_tally2
+
+* Thu May  4 2006 Tomas Mraz <tmraz@redhat.com> 0.99.3.0-5
+- the namespace instance init script is now in /etc/security (#190148)
+- pam_namespace: added missing braces (#190026)
+- pam_tally(2): never call fclose twice on the same FILE (from upstream)
+
+* Wed Apr 26 2006 Tomas Mraz <tmraz@redhat.com> 0.99.3.0-4
+- fixed console device class for irda (#189966)
+- make pam_console_apply fail gracefully when a class is missing
+
+* Tue Apr 25 2006 Tomas Mraz <tmraz@redhat.com> 0.99.3.0-3
+- added pam_namespace module written by Janak Desai (per-user /tmp
+support)
+- new pam-redhat modules version
+
+* Fri Feb 24 2006 Tomas Mraz <tmraz@redhat.com> 0.99.3.0-2
+- added try_first_pass option to pam_cracklib
+- use try_first_pass for pam_unix and pam_cracklib in
+  system-auth (#182350)
+
+* Fri Feb 10 2006 Jesse Keating <jkeating@redhat.com> - 0.99.3.0-1.2
+- bump again for double-long bug on ppc(64)
+
+* Tue Feb 07 2006 Jesse Keating <jkeating@redhat.com> - 0.99.3.0-1.1
+- rebuilt for new gcc4.1 snapshot and glibc changes
+
+* Fri Feb  3 2006 Tomas Mraz <tmraz@redhat.com> 0.99.3.0-1
+- new upstream version
+- updated db4 to 4.3.29
+- added module pam_tally2 with auditing support
+- added manual pages for system-auth and config-util (#179584)
+
+* Tue Jan  3 2006 Tomas Mraz <tmraz@redhat.com> 0.99.2.1-3
+- remove 'initscripts' dependency (#176508)
+- update pam-redhat modules, merged patches
+
+* Fri Dec 16 2005 Tomas Mraz <tmraz@redhat.com> 0.99.2.1-2
+- fix dangling symlinks in -devel (#175929)
+- link libaudit only where necessary
+- actually compile in audit support
+
+* Thu Dec 15 2005 Tomas Mraz <tmraz@redhat.com> 0.99.2.1-1
+- support netgroup matching in pam_succeed_if
+- upgrade to new release
+- drop pam_pwdb as it was obsolete long ago
+- we don't build static libraries anymore
+
+* Fri Dec 09 2005 Jesse Keating <jkeating@redhat.com>
+- rebuilt
+
+* Tue Nov 15 2005 Tomas Mraz <tmraz@redhat.com> 0.80-14
+- pam_stack is deprecated - log its usage
+
+* Wed Oct 26 2005 Tomas Mraz <tmraz@redhat.com> 0.80-13
+- fixed CAN-2005-2977 unix_chkpwd should skip user verification only if
+  run as root (#168181)
+- link pam_loginuid to libaudit
+- support no tty in pam_access (#170467)
+- updated audit patch (by Steve Grubb)
+- the previous pam_selinux change was not applied properly
+- pam_xauth: look for the xauth binary in multiple directories (#171164)
+
+* Wed Oct 26 2005 Dan Walsh <dwalsh@redhat.com> 0.80-12
+- Eliminate multiple in pam_selinux
+
+* Fri Oct 14 2005 Dan Walsh <dwalsh@redhat.com> 0.80-11
+- Eliminate fail over for getseuserbyname call
+
+* Thu Oct 13 2005 Dan Walsh <dwalsh@redhat.com> 0.80-10
+- Add getseuserbyname call for SELinux MCS/MLS policy
+
+* Tue Oct  4 2005 Tomas Mraz <tmraz@redhat.com>
+- pam_console manpage fixes (#169373)
+
+* Fri Sep 30 2005 Tomas Mraz <tmraz@redhat.com> 0.80-9
+- don't include ps and pdf docs (#168823)
+- new common config file for configuration utilities
+- remove glib2 dependency (#166979)
+
+* Tue Sep 20 2005 Tomas Mraz <tmraz@redhat.com> 0.80-8
+- process limit values other than RLIMIT_NICE correctly (#168790)
+- pam_unix: always honor nis flag on password change (by Aaron Hope)
+
+* Wed Aug 24 2005 Tomas Mraz <tmraz@redhat.com> 0.80-7
+- don't fail in audit code when audit is not compiled in 
+  on the newest kernels (#166422)
+
+* Mon Aug 01 2005 Tomas Mraz <tmraz@redhat.com> 0.80-6
+- add option to pam_loginuid to require auditd
+ 
+* Fri Jul 29 2005 Tomas Mraz <tmraz@redhat.com> 0.80-5
+- fix NULL dereference in pam_userdb (#164418)
+
+* Tue Jul 26 2005 Tomas Mraz <tmraz@redhat.com> 0.80-4
+- fix 64bit bug in pam_pwdb
+- don't crash in pam_unix if pam_get_data fail
+
+* Fri Jul 22 2005 Tomas Mraz <tmraz@redhat.com> 0.80-3
+- more pam_selinux permissive fixes (Dan Walsh)
+- make binaries PIE (#158938)
+
+* Mon Jul 18 2005 Tomas Mraz <tmraz@redhat.com> 0.80-2
+- fixed module tests so the pam doesn't require itself to build (#163502)
+- added buildprereq for building the documentation (#163503)
+- relaxed permissions of binaries (u+w)
+
+* Thu Jul 14 2005 Tomas Mraz <tmraz@redhat.com> 0.80-1
+- upgrade to new upstream sources
+- removed obsolete patches
+- pam_selinux module shouldn't fail on broken configs unless
+  policy is set to enforcing (Dan Walsh)
+
+* Tue Jun 21 2005 Tomas Mraz <tmraz@redhat.com> 0.79-11
+- update pam audit patch
+- add support for new limits in kernel-2.6.12 (#157050)
+
+* Thu Jun  9 2005 Tomas Mraz <tmraz@redhat.com> 0.79-10
+- add the Requires dependency on audit-libs (#159885)
+- pam_loginuid shouldn't report error when /proc/self/loginuid
+  is missing (#159974)
+
+* Fri May 20 2005 Tomas Mraz <tmraz@redhat.com> 0.79-9
+- update the pam audit patch to support newest audit library,
+  audit also pam_setcred calls (Steve Grubb)
+- don't use the audit_fd as global static variable
+- don't unset the XAUTHORITY when target user is root
+
+* Mon May  2 2005 Tomas Mraz <tmraz@redhat.com> 0.79-8
+- pam_console: support loading .perms files in the console.perms.d (#156069)
+
+* Tue Apr 26 2005 Tomas Mraz <tmraz@redhat.com> 0.79-7
+- pam_xauth: unset the XAUTHORITY variable on error, fix
+  potential memory leaks
+- modify path to IDE floppy devices in console.perms (#155560)
+
+* Sat Apr 16 2005 Steve Grubb <sgrubb@redhat.com> 0.79-6
+- Adjusted pam audit patch to make exception for ECONNREFUSED
+
+* Tue Apr 12 2005 Tomas Mraz <tmraz@redhat.com> 0.79-5
+- added auditing patch by Steve Grubb
+- added cleanup patches for bugs found by Steve Grubb
+- don't clear the shadow option of pam_unix if nis option used
+
+* Fri Apr  8 2005 Tomas Mraz <tmraz@redhat.com> 0.79-4
+- #150537 - flush input first then write the prompt
+
+* Thu Apr  7 2005 Tomas Mraz <tmraz@redhat.com> 0.79-3
+- make pam_unix LSB 2.0 compliant even when SELinux enabled
+- #88127 - change both local and NIS passwords to keep them in sync,
+  also fix a regression in passwd functionality on NIS master server
+
+* Tue Apr  5 2005 Tomas Mraz <tmraz@redhat.com>
+- #153711 fix wrong logging in pam_selinux when restoring tty label
+
+* Sun Apr  3 2005 Tomas Mraz <tmraz@redhat.com> 0.79-2
+- fix NULL deref in pam_tally when it's used in account phase
+
+* Thu Mar 31 2005 Tomas Mraz <tmraz@redhat.com> 0.79-1
+- upgrade to the new upstream release
+- moved pam_loginuid to pam-redhat repository
+
+* Wed Mar 23 2005 Tomas Mraz <tmraz@redhat.com> 0.78-9
+- fix wrong logging in pam_console handlers
+- add executing ainit handler for alsa sound dmix
+- #147879, #112777 - change permissions for dri devices
+
+* Fri Mar 18 2005 Tomas Mraz <tmraz@redhat.com> 0.78-8
+- remove ownership and permissions handling from pam_console call
+  pam_console_apply as a handler instead
+
+* Mon Mar 14 2005 Tomas Mraz <tmraz@redhat.com> 0.78-7
+- add pam_loginuid module for setting the the login uid for auditing purposes
+  (by Steve Grubb)
+
+* Thu Mar 10 2005 Tomas Mraz <tmraz@redhat.com> 0.78-6
+- add functionality for running handler executables from pam_console
+  when console lock was obtained/lost
+- removed patches merged to pam-redhat
+
+* Tue Mar  1 2005 Tomas Mraz <tmraz@redhat.com> 0.78-5
+- echo why tests failed when rebuilding
+- fixed some warnings and errors in pam_console for gcc4 build
+- improved parsing pam_console config file
+
+* Mon Feb 21 2005 Tomas Mraz <tmraz@redhat.com>
+- don't log garbage in pam_console_apply (#147879)
+
+* Tue Jan 18 2005 Tomas Mraz <tmraz@redhat.com>
+- don't require exact db4 version only conflict with incompatible one
+
+* Wed Jan 12 2005 Tomas Mraz <tmraz@redhat.com> 0.78-4
+- updated pam-redhat from elvis CVS
+- removed obsolete patches
+
+* Mon Jan  3 2005 Jeff Johnson <jbj@redhat.com> 0.78-3
+- depend on db-4.3.27, not db-4.3.21.
+
+* Thu Nov 25 2004 Tomas Mraz <tmraz@redhat.com> 0.78-2
+- add argument to pam_console_apply to restrict its work to specified files
+
+* Tue Nov 23 2004 Tomas Mraz <tmraz@redhat.com> 0.78-1
+- update to Linux-PAM-0.78
+- #140451 parse passwd entries correctly and test for failure
+- #137802 allow using pam_console for authentication
+
+* Fri Nov 12 2004 Jeff Johnson <jbj@jbj.org> 0.77-67
+- rebuild against db-4.3.21.
+
+* Thu Nov 11 2004 Tomas Mraz <tmraz@redhat.com> 0.77-66
+- #77646 log failures when renaming the files when changing password
+- Log failure on missing /etc/security/opasswd when remember option is present
+
+* Wed Nov 10 2004 Tomas Mraz <tmraz@redhat.com>
+- #87628 pam_timestamp remembers authorization after logout
+- #116956 fixed memory leaks in pam_stack
+
+* Wed Oct 20 2004 Tomas Mraz <tmraz@redhat.com> 0.77-65
+- #74062 modify the pwd-lock patch to remove NIS passwd changing deadlock
+
+* Wed Oct 20 2004 Tomas Mraz <tmraz@redhat.com> 0.77-64
+- #134941 pam_console should check X11 socket only on login
+
+* Tue Oct 19 2004 Tomas Mraz <tmraz@redhat.com> 0.77-63
+- Fix checking of group %%group syntax in pam_limits
+- Drop fencepost patch as it was already fixed 
+  by upstream change from 0.75 to 0.77
+- Fix brokenshadow patch
+
+* Mon Oct 11 2004 Tomas Mraz <tmraz@redhat.com> 0.77-62
+- Added bluetooth, raw1394 and flash to console.perms
+- pam_console manpage fix 
+
+* Mon Oct 11 2004 Tomas Mraz <tmraz@redhat.com> 0.77-61
+- #129328 pam_env shouldn't abort on missing /etc/environment
+- #126985 pam_stack should always copy the conversation function 
+- #127524 add /etc/security/opasswd to files
+
+* Tue Sep 28 2004 Phil Knirsch <pknirsch@redhat.com> 0.77-60
+- Drop last patch again, fixed now correctly elsewhere
+
+* Thu Sep 23 2004 Phil Knirsch <pknirsch@redhat.com> 0.77-59
+- Fixed bug in pam_env where wrong initializer was used
+
+* Fri Sep 17 2004 Dan Walsh <dwalsh@redhat.com> 0.77-58
+- rebuild selinux patch using checkPasswdAccess
+
+* Mon Sep 13 2004 Jindrich Novy <jnovy@redhat.com>
+- rebuilt
+
+* Mon Sep 13 2004 Tomas Mraz <tmraz@redhat.com> 0.77-56
+- #75454 fixed locking when changing password
+- #127054 
+- #125653 removed unnecessary getgrouplist call
+- #124979 added quiet option to pam_succeed_if
+
+* Mon Aug 30 2004 Warren Togami <wtogami@redhat.com> 0.77-55
+- #126024 /dev/pmu console perms
+
+* Wed Aug 4 2004 Dan Walsh <dwalsh@redhat.com> 0.77-54
+- Move pam_console.lock to /var/run/console/
+
+* Thu Jul 29 2004 Dan Walsh <dwalsh@redhat.com> 0.77-53
+- Close fd[1] before pam_modutilread so that unix_verify will complete 
+
+* Tue Jul 27 2004 Alan Cox <alan@redhat.com> 0.77-52
+- First chunk of Steve Grubb's resource leak and other fixes
+
+* Tue Jul 27 2004 Alan Cox <alan@redhat.com> 0.77-51
+- Fixed build testing of modules
+- Fixed dependancies
+
+* Tue Jul 20 2004 Dan Walsh <dwalsh@redhat.com> 0.77-50
+- Change unix_chkpwd to return pam error codes
+
+* Sat Jul 10 2004 Alan Cox <alan@redhat.com>
+- Fixed the pam glib2 dependancy issue
+
+* Mon Jun 21 2004 Alan Cox <alan@redhat.com>
+- Fixed the pam_limits fencepost error (#79989) since nobody seems to
+  be doing it
+
+* Tue Jun 15 2004 Elliot Lee <sopwith@redhat.com>
+- rebuilt
+
+* Wed Jun 9 2004 Dan Walsh <dwalsh@redhat.com> 0.77-45
+- Add requires libselinux > 1.8
+
+* Thu Jun 3 2004 Dan Walsh <dwalsh@redhat.com> 0.77-44
+- Add MLS Support to selinux patch
+
+* Wed Jun 2 2004 Dan Walsh <dwalsh@redhat.com> 0.77-43
+- Modify pam_selinux to use open and close param
+
+* Fri May 28 2004 Dan Walsh <dwalsh@redhat.com> 0.77-42
+- Split pam module into two parts open and close
+
+* Tue May 18 2004 Phil Knirsch <pknirsch@redhat.com> 0.77-41
+- Fixed 64bit segfault in pam_succeed_if module.
+
+* Wed Apr 14 2004 Dan Walsh <dwalsh@redhat.com> 0.77-40
+- Apply changes from audit.
+
+* Mon Apr 12 2004 Dan Walsh <dwalsh@redhat.com> 0.77-39
+- Change to only report failure on relabel if debug
+
+* Wed Mar 3 2004 Dan Walsh <dwalsh@redhat.com> 0.77-38
+- Fix error handling of pam_unix
+
+* Tue Mar 02 2004 Elliot Lee <sopwith@redhat.com>
+- rebuilt
+
+* Thu Feb 26 2004 Dan Walsh <dwalsh@redhat.com> 0.77-36
+- fix tty handling
+
+* Thu Feb 26 2004 Dan Walsh <dwalsh@redhat.com> 0.77-35
+- remove tty closing and opening from pam_selinux, it does not work.
+
+* Fri Feb 13 2004 Elliot Lee <sopwith@redhat.com>
+- rebuilt
+
+* Thu Feb 12 2004 Nalin Dahyabhai <nalin@redhat.com>
+- pam_unix: also log successful password changes when using shadowed passwords
+
+* Tue Feb 10 2004 Dan Walsh <dwalsh@redhat.com> 0.77-33
+- close and reopen terminal after changing context.
+
+* Thu Feb 5 2004 Dan Walsh <dwalsh@redhat.com> 0.77-32
+- Check for valid tty
+
+* Tue Feb 3 2004 Dan Walsh <dwalsh@redhat.com> 0.77-31
+- Check for multiple > 1
+
+* Mon Feb 2 2004 Dan Walsh <dwalsh@redhat.com> 0.77-30
+- fix is_selinux_enabled call for pam_rootok
+
+* Wed Jan 28 2004 Dan Walsh <dwalsh@redhat.com> 0.77-29
+- More fixes to pam_selinux,pam_rootok
+
+* Wed Jan 28 2004 Dan Walsh <dwalsh@redhat.com> 0.77-28
+- turn on selinux
+
+* Wed Jan 28 2004 Dan Walsh <dwalsh@redhat.com> 0.77-27
+- Fix rootok check.
+
+* Mon Jan 26 2004 Dan Walsh <dwalsh@redhat.com> 0.77-26
+- fix is_selinux_enabled call
+
+* Sun Jan 25 2004 Dan Walsh <dwalsh@redhat.com> 0.77-25
+- Check if ROOTOK for SELinux
+
+* Thu Jan 15 2004 Dan Walsh <dwalsh@redhat.com> 0.77-24
+- Fix tty handling for pts in pam_selinux
+
+* Thu Jan 15 2004 Dan Walsh <dwalsh@redhat.com> 0.77-23
+- Need to add qualifier context for sudo situation
+
+* Thu Jan 15 2004 Dan Walsh <dwalsh@redhat.com> 0.77-22
+- Fix pam_selinux to use prevcon instead of pam_user so it will work for su.
+
+* Fri Dec 12 2003 Bill Nottingham <notting@redhat.com> 0.77-21.sel
+- add alsa devs to console.perms
+
+* Thu Dec 11 2003 Jeff Johnson <jbj@jbj.org> 0.77-20.sel
+- rebuild with db-4.2.52.
+- build db4 in build_unix, not dist.
+
+* Wed Nov 26 2003 Dan Walsh <dwalsh@redhat.com> 0.77-19.sel
+- Change unix_chkpwd to handle unix_passwd and unix_acct
+- This eliminates the need for pam modules to have read/write access to /etc/shadow.
+
+* Thu Nov 20 2003 Dan Walsh <dwalsh@redhat.com> 0.77-18.sel
+- Cleanup unix_chkpwd
+
+* Mon Nov 03 2003 Dan Walsh <dwalsh@redhat.com> 0.77-17.sel
+- Fix tty handling 
+- Add back multiple handling
+
+* Mon Oct 27 2003 Dan Walsh <dwalsh@redhat.com> 0.77-16.sel
+- Remove Multiple from man page of pam_selinux
+
+* Thu Oct 23 2003 Nalin Dahyabhai <nalin@redhat.com> 0.77-15
+- don't install _pam_aconf.h -- apps don't use it, other PAM headers which
+  are installed don't use it, and its contents may be different for arches
+  on a multilib system
+- check for linkage problems in modules at %%install-time (kill #107093 dead)
+- add buildprereq on flex (#101563)
+
+* Wed Oct 22 2003 Nalin Dahyabhai <nalin@redhat.com>
+- make pam_pwdb.so link with libnsl again so that it loads (#107093)
+- remove now-bogus buildprereq on db4-devel (we use a bundled copy for
+  pam_userdb to avoid symbol collisions with other db libraries in apps)
+
+* Mon Oct 20 2003 Dan Walsh <dwalsh@redhat.com> 0.77-14.sel
+- Add Russell Coker patch to handle /dev/pty
+
+* Fri Oct 17 2003 Dan Walsh <dwalsh@redhat.com> 0.77-13.sel
+- Turn on Selinux 
+
+* Fri Oct 17 2003 Dan Walsh <dwalsh@redhat.com> 0.77-12
+- Fix pam_timestamp to work when 0 seconds have elapsed
+
+* Mon Oct 6 2003 Dan Walsh <dwalsh@redhat.com> 0.77-11
+- Turn off selinux
+
+* Thu Sep 25 2003 Dan Walsh <dwalsh@redhat.com> 0.77-10.sel
+- Turn on Selinux and remove multiple choice of context.  
+
+* Wed Sep 24 2003 Dan Walsh <dwalsh@redhat.com> 0.77-10
+- Turn off selinux
+
+* Wed Sep 24 2003 Dan Walsh <dwalsh@redhat.com> 0.77-9.sel
+- Add Russell's patch to check password
+
+* Wed Sep 17 2003 Dan Walsh <dwalsh@redhat.com> 0.77-8.sel
+- handle ttys correctly in pam_selinux
+
+* Fri Sep 05 2003 Dan Walsh <dwalsh@redhat.com> 0.77-7.sel
+- Clean up memory problems and fix tty handling.
+
+* Mon Jul 28 2003 Dan Walsh <dwalsh@redhat.com> 0.77-6
+- Add manual context selection to pam_selinux
+
+* Mon Jul 28 2003 Dan Walsh <dwalsh@redhat.com> 0.77-5
+- Add pam_selinux
+
+* Mon Jul 28 2003 Dan Walsh <dwalsh@redhat.com> 0.77-4
+- Add SELinux support
+
+* Thu Jul 24 2003 Nalin Dahyabhai <nalin@redhat.com> 0.77-3
+- pam_postgresok: add
+- pam_xauth: add "targetuser" argument
+
+* Tue Jul 22 2003 Nalin Dahyabhai <nalin@redhat.com>
+- pam_succeed_if: fix thinko in argument parsing which would walk past the
+  end of the argument list
+
+* Wed Jul  9 2003 Nalin Dahyabhai <nalin@redhat.com> 0.77-2
+- reapply:
+  - set handler for SIGCHLD to SIG_DFL around *_chkpwd, not SIG_IGN
+
+* Mon Jul  7 2003 Nalin Dahyabhai <nalin@redhat.com> 0.77-1
+- pam_timestamp: fail if the key file doesn't contain enough data
+
+* Thu Jul  3 2003 Nalin Dahyabhai <nalin@redhat.com> 0.77-0
+- update to 0.77 upstream release
+  - pam_limits: limits now affect root as well
+  - pam_nologin: returns PAM_IGNORE instead of PAM_SUCCESS unless "successok"
+    is given as an argument
+  - pam_userdb: correctly return PAM_AUTH_ERR instead of PAM_USER_UNKNOWN when
+    invoked with the "key_only" argument and the database has an entry of the
+    form "user-<wrongpassword>"
+- use a bundled libdb for pam_userdb.so because the system copy uses threads,
+  and demand-loading a shared library which uses threads into an application
+  which doesn't is a Very Bad Idea
+
+* Thu Jul  3 2003 Nalin Dahyabhai <nalin@redhat.com>
+- pam_timestamp: use a message authentication code to validate timestamp files
+
+* Mon Jun 30 2003 Nalin Dahyabhai <nalin@redhat.com> 0.75-48.1
+- rebuild
+
+* Mon Jun  9 2003 Nalin Dahyabhai <nalin@redhat.com> 0.75-49
+- modify calls to getlogin() to check the directory of the current TTY before
+  searching for an entry in the utmp/utmpx file (#98020, #98826, CAN-2003-0388)
+
+* Wed Jun 04 2003 Elliot Lee <sopwith@redhat.com>
+- rebuilt
+
+* Mon Feb 10 2003 Bill Nottingham <notting@redhat.com> 0.75-48
+- set handler for SIGCHLD to SIG_DFL around *_chkpwd, not SIG_IGN
+
+* Wed Jan 22 2003 Tim Powers <timp@redhat.com> 0.75-47
+- rebuilt
+
+* Tue Dec 17 2002 Nalin Dahyabhai <nalin@redhat.com> 0.75-46
+- pam_xauth: reintroduce ACL support, per the original white paper
+- pam_xauth: default root's export ACL to none instead of everyone
+
+* Mon Dec  2 2002 Nalin Dahyabhai <nalin@redhat.com> 0.75-45
+- create /lib/security, even if it isn't /%%{_lib}/security, because we
+  can't locate /lib/security/$ISA without it (noted by Arnd Bergmann)
+- clear out the duplicate docs directory created during %%install
+
+* Thu Nov 21 2002 Nalin Dahyabhai <nalin@redhat.com> 0.75-44
+- fix syntax errors in pam_console's yacc parser which newer bison chokes on
+- forcibly set FAKEROOT at make install time
+
+* Tue Oct 22 2002 Nalin Dahyabhai <nalin@redhat.com> 0.75-43
+- patch to interpret $ISA in case the fist module load attempt fails
+- use $ISA in default configs
+
+* Fri Oct 04 2002 Elliot Lee <sopwith@redhat.com> 0.75-42
+- Since cracklib-dicts location will not be correctly detected without 
+  that package being installed, add buildreq for cracklib-dicts.
+- Add patch57: makes configure use $LIBNAME when searching for cracklib 
+  dicts, and error out if not found.
+
+* Thu Sep 12 2002 Than Ngo <than@redhat.com> 0.75-41.1
+- Fixed pam config files
+
+* Wed Sep 11 2002 Than Ngo <than@redhat.com> 0.75-41
+- Added fix to install libs in correct directory on 64bit machine
+
+* Fri Aug  2 2002 Nalin Dahyabhai <nalin@redhat.com> 0.75-40
+- pam_timestamp_check: check that stdio descriptors are open before we're
+  invoked
+- add missing chroot.conf
+
+* Mon Jul 29 2002 Nalin Dahyabhai <nalin@redhat.com> 0.75-39
+- pam_timestamp: sundry fixes, use "unknown" as the tty when none is found
+
+* Thu Jun 27 2002 Nalin Dahyabhai <nalin@redhat.com> 0.75-38
+- pam_timestamp_check: be as smart about figuring out the tty as the module is
+
+* Wed Jun 19 2002 Nalin Dahyabhai <nalin@redhat.com> 0.75-37
+- pam_timestamp_check: remove extra unlink() call spotted by Havoc
+
+* Mon Jun 17 2002 Nalin Dahyabhai <nalin@redhat.com> 0.75-36
+- pam_timestamp: chown intermediate directories when creating them
+- pam_timestamp_check: add -d flag to poll
+
+* Thu May 23 2002 Nalin Dahyabhai <nalin@redhat.com> 0.75-35
+- pam_timestamp: add some sanity checks
+- pam_timestamp_check: add
+
+* Wed May 22 2002 Nalin Dahyabhai <nalin@redhat.com> 0.75-34
+- pam_timestamp: add a 'verbose' option
+
+* Thu May 16 2002 Nalin Dahyabhai <nalin@redhat.com> 0.75-33
+- rebuild with db4
+- just bundle install-sh into the source package
+
+* Tue Apr  9 2002 Nalin Dahyabhai <nalin@redhat.com> 0.75-32
+- pam_unix: be more compatible with AIX-style shadowing (#19236)
+
+* Thu Mar 28 2002 Nalin Dahyabhai <nalin@redhat.com> 0.75-31
+- libpam_misc: fix possible infinite loop in misc_conv (#62195)
+- pam_xauth: fix cases where DISPLAY is "localhost:screen" and the xauth
+  key is actually stored using the system's hostname (#61524)
+
+* Mon Mar 25 2002 Nalin Dahyabhai <nalin@redhat.com> 0.75-30
+- rebuild
+
+* Mon Mar 25 2002 Nalin Dahyabhai <nalin@redhat.com> 0.75-29
+- rebuild
+
+* Mon Mar 11 2002 Nalin Dahyabhai <nalin@redhat.com> 0.75-28
+- include the pwdb config file
+
+* Fri Mar  1 2002 Nalin Dahyabhai <nalin@redhat.com> 0.75-27
+- adjust the pwdb-static patch to build pam_radius correctly (#59408)
+
+* Fri Mar  1 2002 Nalin Dahyabhai <nalin@redhat.com> 0.75-26
+- change the db4-devel build dependency to db3-devel
+
+* Thu Feb 21 2002 Nalin Dahyabhai <nalin@redhat.com> 0.75-25
+- rebuild
+
+* Fri Feb  8 2002 Nalin Dahyabhai <nalin@redhat.com> 0.75-24
+- pam_unix: log successful password changes
+- remove pam_timestamp
+
+* Thu Feb  7 2002 Nalin Dahyabhai <nalin@redhat.com> 0.75-23
+- fix pwdb embedding
+- add pam_timestamp
+
+* Thu Jan 31 2002 Nalin Dahyabhai <nalin@redhat.com> 0.75-22
+- swallow up pwdb 0.61.1 for building pam_pwdb
+
+* Wed Jan 23 2002 Nalin Dahyabhai <nalin@redhat.com> 0.75-21
+- pam_userdb: build with db4 instead of db3
+
+* Thu Nov 22 2001 Nalin Dahyabhai <nalin@redhat.com> 0.75-20
+- pam_stack: fix some memory leaks (reported by Fernando Trias)
+- pam_chroot: integrate Owl patch to report the more common causes of failures
+
+* Fri Nov  9 2001 Nalin Dahyabhai <nalin@redhat.com> 0.75-19
+- fix a bug in the getpwnam_r wrapper which sometimes resulted in false
+  positives for non-existent users
+
+* Wed Nov  7 2001 Nalin Dahyabhai <nalin@redhat.com> 0.75-18
+- include libpamc in the pam package (#55651)
+
+* Fri Nov  2 2001 Nalin Dahyabhai <nalin@redhat.com> 0.75-17
+- pam_xauth: don't free a string after passing it to putenv()
+
+* Wed Oct 24 2001 Nalin Dahyabhai <nalin@redhat.com> 0.75-16
+- pam_xauth: always return PAM_SUCCESS or PAM_SESSION_ERR instead of PAM_IGNORE,
+  matching the previous behavior (libpam treats PAM_IGNORE from a single module
+  in a stack as a session error, leading to false error messages if we just
+  return PAM_IGNORE for all cases)
+
+* Mon Oct 22 2001 Nalin Dahyabhai <nalin@redhat.com> 0.75-15
+- reorder patches so that the reentrancy patch is applied last -- we never
+  came to a consensus on how to guard against the bugs in calling applications
+  which this sort of change addresses, and having them last allows for dropping
+  in a better strategy for addressing this later on
+
+* Mon Oct 15 2001 Nalin Dahyabhai <nalin@redhat.com>
+- pam_rhosts: allow "+hostname" as a synonym for "hostname" to jive better
+  with the hosts.equiv(5) man page
+- use the automake install-sh instead of the autoconf install-sh, which
+  disappeared somewhere between 2.50 and now
+
+* Mon Oct  8 2001 Nalin Dahyabhai <nalin@redhat.com>
+- add pwdb as a buildprereq
+
+* Fri Oct  5 2001 Nalin Dahyabhai <nalin@redhat.com>
+- pam_tally: don't try to read past the end of faillog -- it probably contains
+  garbage, which if written into the file later on will confuse /usr/bin/faillog
+
+* Thu Oct  4 2001 Nalin Dahyabhai <nalin@redhat.com>
+- pam_limits: don't just return if the user is root -- we'll want to set the
+  priority (it could be negative to elevate root's sessions)
+- pam_issue: fix off-by-one error allocating space for the prompt string
+
+* Wed Oct  3 2001 Nalin Dahyabhai <nalin@redhat.com>
+- pam_mkhomedir: recurse into subdirectories properly
+- pam_mkhomedir: handle symlinks
+- pam_mkhomedir: skip over special items in the skeleton directory
+
+* Tue Oct  2 2001 Nalin Dahyabhai <nalin@redhat.com>
+- add cracklib as a buildprereq
+- pam_wheel: don't ignore out if the user is attempting to switch to a
+  unprivileged user (this lets pam_wheel do its thing when users attempt
+  to get to system accounts or accounts of other unprivileged users)
+
+* Fri Sep 28 2001 Nalin Dahyabhai <nalin@redhat.com>
+- pam_xauth: close a possible DoS due to use of dotlock-style locking in
+  world-writable directories by relocating the temporary file to the target
+  user's home directory
+- general: include headers local to this tree using relative paths so that
+  system headers for PAM won't be pulled in, in case include paths don't
+  take care of it
+
+* Thu Sep 27 2001 Nalin Dahyabhai <nalin@redhat.com>
+- pam_xauth: rewrite to skip refcounting and just use a temporary file
+  created using mkstemp() in /tmp
+
+* Tue Sep 25 2001 Nalin Dahyabhai <nalin@redhat.com>
+- pam_userdb: fix the key_only flag so that the null-terminator of the
+  user-password string isn't expected to be part of the key in the db file,
+  matching the behavior of db_load 3.2.9
+
+* Mon Sep 24 2001 Nalin Dahyabhai <nalin@redhat.com>
+- pam_unix: use crypt() instead of bigcrypt() when salted field is less than
+  the critical size which lets us know it was generated with bigcrypt()
+- use a wrapper to handle ERANGE errors when calling get....._r functions:
+  defining PAM_GETPWNAM_R and such (for getpwnam, getpwuid, getgrnam,
+  getgrgid, and getspnam) before including _pam_macros.h will cause them
+  to be implemented as static functions, similar to how defining PAM_SM_xxx
+  is used to control whether or not PAM declares prototypes for certain
+  functions
+
+* Mon Sep 24 2001 Nalin Dahyabhai <nalin@redhat.com> 0.75-14
+- pam_unix: argh, compare entire pruned salt string with crypted result, always
+
+* Sat Sep  8 2001 Bill Nottingham <notting@redhat.com> 0.75-13
+- ship /lib/lib{pam,pam_misc}.so for legacy package builds
+
+* Thu Sep  6 2001 Nalin Dahyabhai <nalin@redhat.com> 0.75-12
+- noreplace configuration files in /etc/security
+- pam_console: update pam_console_apply and man pages to reflect
+  /var/lock -> /var/run move
+
+* Wed Sep  5 2001 Nalin Dahyabhai <nalin@redhat.com> 0.75-11
+- pam_unix: fix the fix for #42394
+
+* Tue Sep  4 2001 Nalin Dahyabhai <nalin@redhat.com>
+- modules: use getpwnam_r and friends instead of non-reentrant versions
+- pam_console: clear generated .c and .h files in "clean" makefile target
+
+* Thu Aug 30 2001 Nalin Dahyabhai <nalin@redhat.com>
+- pam_stack: perform deep copy of conversation structures
+- include the static libpam in the -devel subpackage (#52321)
+- move development .so and .a files to %%{_libdir}
+- pam_unix: don't barf on empty passwords (#51846)
+- pam_unix: redo compatibility with "hash,age" data wrt bigcrypt (#42394)
+- console.perms: add usb camera, scanner, and rio devices (#15528)
+- pam_cracklib: initialize all options properly (#49613)
+
+* Wed Aug 22 2001 Nalin Dahyabhai <nalin@redhat.com>
+- pam_limits: don't rule out negative priorities
+
+* Mon Aug 13 2001 Nalin Dahyabhai <nalin@redhat.com> 0.75-10
+- pam_xauth: fix errors due to uninitialized data structure (fix from Tse Huong
+  Choo)
+- pam_xauth: random cleanups
+- pam_console: use /var/run/console instead of /var/lock/console at install-time
+- pam_unix: fix preserving of permissions on files which are manipulated
+
+* Fri Aug 10 2001 Bill Nottingham <notting@redhat.com>
+- fix segfault in pam_securetty
+
+* Thu Aug  9 2001 Nalin Dahyabhai <nalin@redhat.com>
+- pam_console: use /var/run/console instead of /var/lock/console for lock files
+- pam_issue: read the right number of bytes from the file
+
+* Mon Jul  9 2001 Nalin Dahyabhai <nalin@redhat.com>
+- pam_wheel: don't error out if the group has no members, but is the user's
+  primary GID (reported by David Vos)
+- pam_unix: preserve permissions on files which are manipulated (#43706)
+- pam_securetty: check if the user is the superuser before checking the tty,
+  thereby allowing regular users access to services which don't set the
+  PAM_TTY item (#39247)
+- pam_access: define NIS and link with libnsl (#36864)
+
+* Thu Jul  5 2001 Nalin Dahyabhai <nalin@redhat.com>
+- link libpam_misc against libpam
+
+* Tue Jul  3 2001 Nalin Dahyabhai <nalin@redhat.com>
+- pam_chroot: chdir() before chroot()
+
+* Fri Jun 29 2001 Nalin Dahyabhai <nalin@redhat.com>
+- pam_console: fix logic bug when changing permissions on single
+  file and/or lists of files
+- pam_console: return the proper error code (reported and patches
+  for both from Frederic Crozat)
+- change deprecated Copyright: tag in .spec file to License:
+
+* Mon Jun 25 2001 Nalin Dahyabhai <nalin@redhat.com>
+- console.perms: change js* to js[0-9]*
+- include pam_aconf.h in more modules (patches from Harald Welte)
+
+* Thu May 24 2001 Nalin Dahyabhai <nalin@redhat.com>
+- console.perms: add apm_bios to the list of devices the console owner can use
+- console.perms: add beep to the list of sound devices
+
+* Mon May  7 2001 Nalin Dahyabhai <nalin@redhat.com>
+- link pam_console_apply statically with libglib (#38891)
+
+* Mon Apr 30 2001 Nalin Dahyabhai <nalin@redhat.com>
+- pam_access: compare IP addresses with the terminating ".", as documented
+  (patch from Carlo Marcelo Arenas Belon, I think) (#16505)
+
+* Mon Apr 23 2001 Nalin Dahyabhai <nalin@redhat.com>
+- merge up to 0.75
+- pam_unix: temporarily ignore SIGCHLD while running the helper
+- pam_pwdb: temporarily ignore SIGCHLD while running the helper
+- pam_dispatch: default to uncached behavior if the cached chain is empty
+
+* Fri Apr  6 2001 Nalin Dahyabhai <nalin@redhat.com>
+- correct speling errors in various debug messages and doc files (#33494)
+
+* Thu Apr  5 2001 Nalin Dahyabhai <nalin@redhat.com>
+- prereq sed, fileutils (used in %%post)
+
+* Wed Apr  4 2001 Nalin Dahyabhai <nalin@redhat.com>
+- remove /dev/dri from console.perms -- XFree86 munges it, so it's outside of
+  our control (reminder from Daryll Strauss)
+- add /dev/3dfx to console.perms
+
+* Fri Mar 23 2001 Nalin Dahyabhai <nalin@redhat.com>
+- pam_wheel: make 'trust' and 'deny' work together correctly
+- pam_wheel: also check the user's primary gid
+- pam_group: also initialize groups when called with PAM_REINITIALIZE_CRED
+
+* Tue Mar 20 2001 Nalin Dahyabhai <nalin@redhat.com>
+- mention pam_console_apply in the see also section of the pam_console man pages
+
+* Fri Mar 16 2001 Nalin Dahyabhai <nalin@redhat.com>
+- console.perms: /dev/vc/* should be a regexp, not a glob (thanks to
+  Charles Lopes)
+
+* Mon Mar 12 2001 Nalin Dahyabhai <nalin@redhat.com>
+- console.perms: /dev/cdroms/* should belong to the user, from Douglas
+  Gilbert via Tim Waugh
+
+* Thu Mar  8 2001 Nalin Dahyabhai <nalin@redhat.com>
+- pam_console_apply: muck with devices even if the mount point doesn't exist
+
+* Wed Mar  7 2001 Nalin Dahyabhai <nalin@redhat.com>
+- pam_console: error out on undefined classes in pam_console config file
+- console.perms: actually change the permissions on the new device classes
+- pam_console: add an fstab= argument, and -f and -c flags to pam_console_apply
+- pam_console: use g_log instead of g_critical when bailing out
+- console.perms: logins on /dev/vc/* are also console logins, from Douglas
+  Gilbert via Tim Waugh
+
+* Tue Mar  6 2001 Nalin Dahyabhai <nalin@redhat.com>
+- add pam_console_apply
+- /dev/pilot's usually a serial port (or a USB serial port), so revert its
+  group to 'uucp' instead of 'tty' in console.perms
+- change pam_console's behavior wrt directories -- directories which are
+  mount points according to /etc/fstab are taken to be synonymous with
+  their device special nodes, and directories which are not mount points
+  are ignored
+
+* Tue Feb 27 2001 Nalin Dahyabhai <nalin@redhat.com>
+- handle errors fork()ing in pam_xauth
+- make the "other" config noreplace
+
+* Mon Feb 26 2001 Nalin Dahyabhai <nalin@redhat.com>
+- user should own the /dev/video directory, not the non-existent /dev/v4l
+- tweak pam_limits doc
+
+* Wed Feb 21 2001 Nalin Dahyabhai <nalin@redhat.com>
+- own /etc/security
+- be more descriptive when logging messages from pam_limits
+- pam_listfile: remove some debugging code (#28346)
+
+* Mon Feb 19 2001 Nalin Dahyabhai <nalin@redhat.com>
+- pam_lastlog: don't pass NULL to logwtmp()
+
+* Fri Feb 16 2001 Nalin Dahyabhai <nalin@redhat.com>
+- pam_listfile: fix argument parser (#27773)
+- pam_lastlog: link to libutil
+
+* Tue Feb 13 2001 Nalin Dahyabhai <nalin@redhat.com>
+- pam_limits: change the documented default config file to reflect the defaults
+- pam_limits: you should be able to log in a total of maxlogins times, not
+  (maxlogins - 1)
+- handle group limits on maxlogins correctly (#25690)
+
+* Mon Feb 12 2001 Nalin Dahyabhai <nalin@redhat.com>
+- change the pam_xauth default maximum "system user" ID from 499 to 99 (#26343)
+
+* Wed Feb  7 2001 Nalin Dahyabhai <nalin@redhat.com>
+- refresh the default system-auth file, pam_access is out
+
+* Mon Feb  5 2001 Nalin Dahyabhai <nalin@redhat.com>
+- actually time out when attempting to lckpwdf() (#25889)
+- include time.h in pam_issue (#25923)
+- update the default system-auth to the one generated by authconfig 4.1.1
+- handle getpw??? and getgr??? failures more gracefully (#26115)
+- get rid of some extraneous {set,end}{pw,gr}ent() calls
+
+* Tue Jan 30 2001 Nalin Dahyabhai <nalin@redhat.com>
+- overhaul pam_stack to account for abstraction libpam now provides
+
+* Tue Jan 23 2001 Nalin Dahyabhai <nalin@redhat.com>
+- remove pam_radius at request of author
+
+* Mon Jan 22 2001 Nalin Dahyabhai <nalin@redhat.com>
+- merge to 0.74
+- make console.perms match perms set by MAKEDEV, and add some devfs device names
+- add 'sed' to the buildprereq list (#24666)
+
+* Sun Jan 21 2001 Matt Wilson <msw@redhat.com>
+- added "exit 0" to the end of the pre script
+
+* Fri Jan 19 2001 Nalin Dahyabhai <nalin@redhat.com>
+- self-hosting fix from Guy Streeter
+
+* Wed Jan 17 2001 Nalin Dahyabhai <nalin@redhat.com>
+- use gcc for LD_L to pull in intrinsic stuff on ia64
+
+* Fri Jan 12 2001 Nalin Dahyabhai <nalin@redhat.com>
+- take another whack at compatibility with "hash,age" data in pam_unix (#21603)
+
+* Wed Jan 10 2001 Nalin Dahyabhai <nalin@redhat.com>
+- make the -devel subpackage unconditional
+
+* Tue Jan  9 2001 Nalin Dahyabhai <nalin@redhat.com>
+- merge/update to 0.73
+
+* Mon Dec 18 2000 Nalin Dahyabhai <nalin@redhat.com>
+- refresh from CVS -- some weird stuff crept into pam_unix
+
+* Tue Dec 12 2000 Nalin Dahyabhai <nalin@redhat.com>
+- fix handling of "nis" when changing passwords by adding the checks for the
+  data source to the password-updating module in pam_unix
+- add the original copyright for pam_access (fix from Michael Gerdts)
+
+* Thu Nov 30 2000 Nalin Dahyabhai <nalin@redhat.com>
+- redo similar() using a distance algorithm and drop the default dif_ok to 5
+- readd -devel
+
+* Wed Nov 29 2000 Nalin Dahyabhai <nalin@redhat.com>
+- fix similar() function in pam_cracklib (#14740)
+- fix example in access.conf (#21467)
+- add conditional compilation for building for 6.2 (for pam_userdb)
+- tweak post to not use USESHADOW any more
+
+* Tue Nov 28 2000 Nalin Dahyabhai <nalin@redhat.com>
+- make EINVAL setting lock limits in pam_limits non-fatal, because it's a 2.4ism
+
+* Tue Nov 21 2000 Nalin Dahyabhai <nalin@redhat.com>
+- revert to DB 3.1, which is what we were supposed to be using from the get-go
+
+* Mon Nov 20 2000 Nalin Dahyabhai <nalin@redhat.com>
+- add RLIMIT_LOCKS to pam_limits (patch from Jes Sorensen) (#20542)
+- link pam_userdb to Berkeley DB 2.x to match 6.2's setup correctly
+
+* Mon Nov  6 2000 Matt Wilson <msw@redhat.com>
+- remove prereq on sh-utils, test ([) is built in to bash
+
+* Thu Oct 19 2000 Nalin Dahyabhai <nalin@redhat.com>
+- fix the pam_userdb module breaking
+
+* Wed Oct 18 2000 Nalin Dahyabhai <nalin@redhat.com>
+- fix pam_unix likeauth argument for authenticate(),setcred(),setcred()
+
+* Tue Oct 17 2000 Nalin Dahyabhai <nalin@redhat.com>
+- tweak pre script to be called in all upgrade cases
+- get pam_unix to only care about the significant pieces of passwords it checks
+- add /usr/include/db1/db.h as a build prereq to pull in the right include
+  files, no matter whether they're in glibc-devel or db1-devel
+- pam_userdb.c: include db1/db.h instead of db.h
+
+* Wed Oct 11 2000 Nalin Dahyabhai <nalin@redhat.com>
+- add BuildPrereq for bison (suggested by Bryan Stillwell)
+
+* Fri Oct  6 2000 Nalin Dahyabhai <nalin@redhat.com>
+- patch from Dmitry V. Levin to have pam_stack propagate the PAM fail_delay
+- roll back the README for pam_xauth to actually be the right one
+- tweak pam_stack to use the parent's service name when calling the substack
+
+* Wed Oct  4 2000 Nalin Dahyabhai <nalin@redhat.com>
+- create /etc/sysconfig/authconfig at install-time if upgrading
+
+* Mon Oct  2 2000 Nalin Dahyabhai <nalin@redhat.com>
+- modify the files list to make sure #16456 stays fixed
+- make pam_stack track PAM_AUTHTOK and PAM_OLDAUTHTOK items
+- add pam_chroot module
+- self-hosting fixes from the -devel split
+- update generated docs in the tree
+
+* Tue Sep 12 2000 Nalin Dahyabhai <nalin@redhat.com>
+- split off a -devel subpackage
+- install the developer man pages
+
+* Sun Sep 10 2000 Bill Nottingham <notting@redhat.com>
+- build libraries before modules
+
+* Wed Sep  6 2000 Nalin Dahyabhai <nalin@redhat.com>
+- fix problems when looking for headers in /usr/include (#17236)
+- clean up a couple of compile warnings
+
+* Tue Aug 22 2000 Nalin Dahyabhai <nalin@redhat.com>
+- give users /dev/cdrom* instead of /dev/cdrom in console.perms (#16768)
+- add nvidia control files to console.perms
+
+* Tue Aug 22 2000 Bill Nottingham <notting@redhat.com>
+- add DRI devices to console.perms (#16731)
+
+* Thu Aug 17 2000 Nalin Dahyabhai <nalin@redhat.com>
+- move pam_filter modules to /lib/security/pam_filter (#16111)
+- add pam_tally's application to allow counts to be reset (#16456)
+- move README files to the txts subdirectory
+
+* Mon Aug 14 2000 Nalin Dahyabhai <nalin@redhat.com>
+- add a postun that runs ldconfig
+- clean up logging in pam_xauth
+
+* Fri Aug  4 2000 Nalin Dahyabhai <nalin@redhat.com>
+- make the tarball include the release number in its name
+
+* Mon Jul 31 2000 Nalin Dahyabhai <nalin@redhat.com>
+- add a broken_shadow option to pam_unix
+- add all module README files to the documentation list (#16456)
+
+* Tue Jul 25 2000 Nalin Dahyabhai <nalin@redhat.com>
+- fix pam_stack debug and losing-track-of-the-result bug
+
+* Mon Jul 24 2000 Nalin Dahyabhai <nalin@redhat.com>
+- rework pam_console's usage of syslog to actually be sane (#14646)
+
+* Sat Jul 22 2000 Nalin Dahyabhai <nalin@redhat.com>
+- take the LOG_ERR flag off of some of pam_console's new messages
+
+* Fri Jul 21 2000 Nalin Dahyabhai <nalin@redhat.com>
+- add pam_localuser
+
+* Wed Jul 12 2000 Nalin Dahyabhai <nalin@redhat.com>
+- need to make pam_console's checking a little stronger
+- only pass data up from pam_stack if the parent didn't already define it
+
+* Wed Jul 12 2000 Prospector <bugzilla@redhat.com>
+- automatic rebuild
+
+* Tue Jul 11 2000 Nalin Dahyabhai <nalin@redhat.com>
+- make pam_console's extra checks disableable
+- simplify extra check to just check if the device owner is root
+- add a debug log when pam_stack comes across a NULL item
+- have pam_stack hand items up to the parent from the child
+
+* Mon Jul  3 2000 Nalin Dahyabhai <nalin@redhat.com>
+- fix installation of pam_xauth man pages (#12417)
+- forcibly strip helpers (#12430)
+- try to make pam_console a little more discriminating
+
+* Mon Jun 19 2000 Nalin Dahyabhai <nalin@redhat.com>
+- symlink libpam.so to libpam.so.%%{version}, and likewise for libpam_misc
+- reverse order of checks in _unix_getpwnam for pam_unix
+
+* Wed Jun 14 2000 Preston Brown <pbrown@redhat.com>
+- include gpmctl in pam_console
+
+* Mon Jun 05 2000 Nalin Dahyabhai <nalin@redhat.com>
+- add MANDIR definition and use it when installing man pages
+
+* Mon Jun 05 2000 Preston Brown <pbrown@redhat.com>
+- handle scanner and cdwriter devices in pam_console
+
+* Sat Jun  3 2000 Nalin Dahyabhai <nalin@redhat.com>
+- add account management wrappers for pam_listfile, pam_nologin, pam_securetty,
+  pam_shells, and pam_wheel
+
+* Thu Jun  1 2000 Nalin Dahyabhai <nalin@redhat.com>
+- add system-auth control file
+- let gethostname() call in pam_access.c be implicitly declared to avoid
+  conflicting types if unistd.c declares it
+
+* Mon May 15 2000 Nalin Dahyabhai <nalin@redhat.com>
+- fix problems compiling on Red Hat Linux 5.x (bug #11005)
+
+* Wed Apr 26 2000 Bill Nottingham <notting@redhat.com>
+- fix size assumptions in pam_(pwdb|unix) md5 code
+
+* Mon Mar 20 2000 Nalin Dahyabhai <nalin@redhat.com>
+- Add new pam_stack module.
+- Install pwdb_chkpwd and unix_chkpwd as the current user for non-root builds
+
+* Sat Feb 05 2000 Nalin Dahyabhai <nalin@redhat.com>
+- Fix pam_xauth bug #6191.
+
+* Thu Feb 03 2000 Elliot Lee <sopwith@redhat.com>
+- Add a patch to accept 'pts/N' in /etc/securetty as a match for tty '5'
+  (which is what other pieces of the system think it is). Fixes bug #7641.
+
+* Mon Jan 31 2000 Nalin Dahyabhai <nalin@redhat.com>
+- argh, turn off gratuitous debugging
+
+* Wed Jan 19 2000 Nalin Dahyabhai <nalin@redhat.com>
+- update to 0.72
+- fix pam_unix password-changing bug
+- fix pam_unix's cracklib support
+- change package URL
+
+* Mon Jan 03 2000 Cristian Gafton <gafton@redhat.com>
+- don't allow '/' on service_name
+
+* Thu Oct 21 1999 Cristian Gafton <gafton@redhat.com>
+- enhance the pam_userdb module some more
+
+* Fri Sep 24 1999 Cristian Gafton <gafton@redhat.com>
+- add documenatation
+
+* Tue Sep 21 1999 Michael K. Johnson <johnsonm@redhat.com>
+- a tiny change to pam_console to make it not loose track of console users
+
+* Mon Sep 20 1999 Michael K. Johnson <johnsonm@redhat.com>
+- a few fixes to pam_xauth to make it more robust
+
+* Wed Jul 14 1999 Michael K. Johnson <johnsonm@redhat.com>
+- pam_console: added <xconsole> to manage /dev/console
+
+* Thu Jul 01 1999 Michael K. Johnson <johnsonm@redhat.com>
+- pam_xauth: New refcounting implementation based on idea from Stephen Tweedie
+
+* Sat Apr 17 1999 Michael K. Johnson <johnsonm@redhat.com>
+- added video4linux devices to /etc/security/console.perms
+
+* Fri Apr 16 1999 Michael K. Johnson <johnsonm@redhat.com>
+- added joystick lines to /etc/security/console.perms
+
+* Thu Apr 15 1999 Michael K. Johnson <johnsonm@redhat.com>
+- fixed a couple segfaults in pam_xauth uncovered by yesterday's fix...
+
+* Wed Apr 14 1999 Cristian Gafton <gafton@redhat.com>
+- use gcc -shared to link the shared libs
+
+* Wed Apr 14 1999 Michael K. Johnson <johnsonm@redhat.com>
+- many bug fixes in pam_xauth
+- pam_console can now handle broken applications that do not set
+  the PAM_TTY item.
+
+* Tue Apr 13 1999 Michael K. Johnson <johnsonm@redhat.com>
+- fixed glob/regexp confusion in pam_console, added kbd and fixed fb devices
+- added pam_xauth module
+
+* Sat Apr 10 1999 Cristian Gafton <gafton@redhat.com>
+- pam_lastlog does wtmp handling now
+
+* Thu Apr 08 1999 Michael K. Johnson <johnsonm@redhat.com>
+- added option parsing to pam_console
+- added framebuffer devices to default console.perms settings
+
+* Wed Apr 07 1999 Cristian Gafton <gafton@redhat.com>
+- fixed empty passwd handling in pam_pwdb
+
+* Mon Mar 29 1999 Michael K. Johnson <johnsonm@redhat.com>
+- changed /dev/cdrom default user permissions back to 0600 in console.perms
+  because some cdrom players open O_RDWR.
+
+* Fri Mar 26 1999 Michael K. Johnson <johnsonm@redhat.com>
+- added /dev/jaz and /dev/zip to console.perms
+
+* Thu Mar 25 1999 Michael K. Johnson <johnsonm@redhat.com>
+- changed the default user permissions for /dev/cdrom to 0400 in console.perms
+
+* Fri Mar 19 1999 Michael K. Johnson <johnsonm@redhat.com>
+- fixed a few bugs in pam_console
+
+* Thu Mar 18 1999 Michael K. Johnson <johnsonm@redhat.com>
+- pam_console authentication working
+- added /etc/security/console.apps directory
+
+* Mon Mar 15 1999 Michael K. Johnson <johnsonm@redhat.com>
+- added pam_console files to filelist
+
+* Fri Feb 12 1999 Cristian Gafton <gafton@redhat.com>
+- upgraded to 0.66, some source cleanups
+
+* Mon Dec 28 1998 Cristian Gafton <gafton@redhat.com>
+- add patch from Savochkin Andrey Vladimirovich <saw@msu.ru> for umask
+  security risk
+
+* Fri Dec 18 1998 Cristian Gafton <gafton@redhat.com>
+- upgrade to ver 0.65
+- build the package out of internal CVS server