|
|
eed6a9 |
From 9da7355f1e2c8a148d4730fec4c4707c56e6dfa1 Mon Sep 17 00:00:00 2001
|
|
|
75334f |
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
|
|
|
75334f |
Date: Mon, 10 Jun 2019 10:53:15 +0200
|
|
|
eed6a9 |
Subject: [PATCH 2/4] rhel9: remove ecryptfs support
|
|
|
75334f |
|
|
|
75334f |
---
|
|
|
75334f |
profiles/nis/README | 3 ---
|
|
|
75334f |
profiles/nis/fingerprint-auth | 1 -
|
|
|
75334f |
profiles/nis/password-auth | 1 -
|
|
|
75334f |
profiles/nis/postlogin | 4 ----
|
|
|
75334f |
profiles/nis/system-auth | 1 -
|
|
|
75334f |
profiles/sssd/README | 3 ---
|
|
|
75334f |
profiles/sssd/fingerprint-auth | 1 -
|
|
|
75334f |
profiles/sssd/password-auth | 1 -
|
|
|
75334f |
profiles/sssd/postlogin | 4 ----
|
|
|
75334f |
profiles/sssd/smartcard-auth | 1 -
|
|
|
75334f |
profiles/sssd/system-auth | 1 -
|
|
|
75334f |
profiles/winbind/README | 3 ---
|
|
|
75334f |
profiles/winbind/fingerprint-auth | 1 -
|
|
|
75334f |
profiles/winbind/password-auth | 1 -
|
|
|
75334f |
profiles/winbind/postlogin | 4 ----
|
|
|
75334f |
profiles/winbind/system-auth | 1 -
|
|
|
75334f |
src/compat/authcompat.py.in.in | 1 -
|
|
|
75334f |
src/compat/authcompat_Options.py | 2 +-
|
|
|
75334f |
src/man/authselect-migration.7.adoc | 5 ++---
|
|
|
75334f |
19 files changed, 3 insertions(+), 36 deletions(-)
|
|
|
75334f |
|
|
|
75334f |
diff --git a/profiles/nis/README b/profiles/nis/README
|
|
|
eed6a9 |
index 895e8fa8650c04d41bf8bc8d6e3cda18db9bf814..71e23d61a8c1ea773c98524256a5eaad5a75d197 100644
|
|
|
75334f |
--- a/profiles/nis/README
|
|
|
75334f |
+++ b/profiles/nis/README
|
|
|
75334f |
@@ -21,9 +21,6 @@ with-mkhomedir::
|
|
|
75334f |
Enable automatic creation of home directories for users on their
|
|
|
75334f |
first login.
|
|
|
75334f |
|
|
|
75334f |
-with-ecryptfs::
|
|
|
75334f |
- Enable automatic per-user ecryptfs.
|
|
|
75334f |
-
|
|
|
75334f |
with-fingerprint::
|
|
|
75334f |
Enable authentication with fingerprint reader through *pam_fprintd*.
|
|
|
75334f |
|
|
|
75334f |
diff --git a/profiles/nis/fingerprint-auth b/profiles/nis/fingerprint-auth
|
|
|
eed6a9 |
index 3a2609df4ca29cdfcbff84b37576bb7b840d72b2..0b2f583a2fcf164647f7de387e9be2982bdf36cb 100644
|
|
|
75334f |
--- a/profiles/nis/fingerprint-auth
|
|
|
75334f |
+++ b/profiles/nis/fingerprint-auth
|
|
|
eed6a9 |
@@ -15,7 +15,6 @@ password required pam_deny.so
|
|
|
75334f |
|
|
|
75334f |
session optional pam_keyinit.so revoke
|
|
|
75334f |
session required pam_limits.so
|
|
|
75334f |
-session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
|
|
|
75334f |
-session optional pam_systemd.so
|
|
|
75334f |
session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
|
|
|
75334f |
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
|
|
|
75334f |
diff --git a/profiles/nis/password-auth b/profiles/nis/password-auth
|
|
|
eed6a9 |
index f181a58ab7792c7e1a4234e677cbb7e3d0a6548d..79fb521eb5dff4978203166491b185887d1ec744 100644
|
|
|
75334f |
--- a/profiles/nis/password-auth
|
|
|
75334f |
+++ b/profiles/nis/password-auth
|
|
|
eed6a9 |
@@ -18,7 +18,6 @@ password required pam_deny.so
|
|
|
75334f |
|
|
|
75334f |
session optional pam_keyinit.so revoke
|
|
|
75334f |
session required pam_limits.so
|
|
|
75334f |
-session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
|
|
|
75334f |
-session optional pam_systemd.so
|
|
|
75334f |
session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
|
|
|
75334f |
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
|
|
|
75334f |
diff --git a/profiles/nis/postlogin b/profiles/nis/postlogin
|
|
|
75334f |
index 137cd00dc65ee9ea83123f1d3a6f7ba04f0aea04..04a11f049bc1e220c9064fba7b46eb243ddd4996 100644
|
|
|
75334f |
--- a/profiles/nis/postlogin
|
|
|
75334f |
+++ b/profiles/nis/postlogin
|
|
|
75334f |
@@ -1,7 +1,3 @@
|
|
|
75334f |
-auth optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
|
|
|
75334f |
-
|
|
|
75334f |
-password optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
|
|
|
75334f |
-
|
|
|
75334f |
session optional pam_umask.so silent
|
|
|
75334f |
session [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
|
|
|
75334f |
session [default=1] pam_lastlog.so nowtmp {if "with-silent-lastlog":silent|showfailed}
|
|
|
75334f |
diff --git a/profiles/nis/system-auth b/profiles/nis/system-auth
|
|
|
eed6a9 |
index bc3f402435aafb5294dbae94096b184af51cf914..38c10c1afcf936c1d24d8edef941ae849d1186fc 100644
|
|
|
75334f |
--- a/profiles/nis/system-auth
|
|
|
75334f |
+++ b/profiles/nis/system-auth
|
|
|
eed6a9 |
@@ -19,7 +19,6 @@ password required pam_deny.so
|
|
|
75334f |
|
|
|
75334f |
session optional pam_keyinit.so revoke
|
|
|
75334f |
session required pam_limits.so
|
|
|
75334f |
-session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
|
|
|
75334f |
-session optional pam_systemd.so
|
|
|
75334f |
session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
|
|
|
75334f |
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
|
|
|
75334f |
diff --git a/profiles/sssd/README b/profiles/sssd/README
|
|
|
eed6a9 |
index 61d5aedf65b2351cf23cea0a6b6b0932e32f0e48..ab9af237442089ded86b63942dd856397108ccf0 100644
|
|
|
75334f |
--- a/profiles/sssd/README
|
|
|
75334f |
+++ b/profiles/sssd/README
|
|
|
75334f |
@@ -40,9 +40,6 @@ with-mkhomedir::
|
|
|
75334f |
Enable automatic creation of home directories for users on their
|
|
|
75334f |
first login.
|
|
|
75334f |
|
|
|
75334f |
-with-ecryptfs::
|
|
|
75334f |
- Enable automatic per-user ecryptfs.
|
|
|
75334f |
-
|
|
|
75334f |
with-smartcard::
|
|
|
75334f |
Enable authentication with smartcards through SSSD. Please note that
|
|
|
75334f |
smartcard support must be also explicitly enabled within
|
|
|
75334f |
diff --git a/profiles/sssd/fingerprint-auth b/profiles/sssd/fingerprint-auth
|
|
|
eed6a9 |
index 20ad3613e66ec85c7d2462d0449854e522383b3a..dc7befe7a4839a1ae5a4d21f4e5232126df55564 100644
|
|
|
75334f |
--- a/profiles/sssd/fingerprint-auth
|
|
|
75334f |
+++ b/profiles/sssd/fingerprint-auth
|
|
|
eed6a9 |
@@ -20,7 +20,6 @@ password required pam_deny.so
|
|
|
75334f |
|
|
|
75334f |
session optional pam_keyinit.so revoke
|
|
|
75334f |
session required pam_limits.so
|
|
|
75334f |
-session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
|
|
|
75334f |
-session optional pam_systemd.so
|
|
|
75334f |
session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
|
|
|
75334f |
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
|
|
|
75334f |
diff --git a/profiles/sssd/password-auth b/profiles/sssd/password-auth
|
|
|
eed6a9 |
index 3e33dcc09f68055f2f87709e638005929bd577b3..858c6db357d07dc554806f4807f9b0858a649f44 100644
|
|
|
75334f |
--- a/profiles/sssd/password-auth
|
|
|
75334f |
+++ b/profiles/sssd/password-auth
|
|
|
eed6a9 |
@@ -28,7 +28,6 @@ password required pam_deny.so
|
|
|
75334f |
|
|
|
75334f |
session optional pam_keyinit.so revoke
|
|
|
75334f |
session required pam_limits.so
|
|
|
75334f |
-session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
|
|
|
75334f |
-session optional pam_systemd.so
|
|
|
75334f |
session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
|
|
|
75334f |
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
|
|
|
75334f |
diff --git a/profiles/sssd/postlogin b/profiles/sssd/postlogin
|
|
|
75334f |
index 137cd00dc65ee9ea83123f1d3a6f7ba04f0aea04..04a11f049bc1e220c9064fba7b46eb243ddd4996 100644
|
|
|
75334f |
--- a/profiles/sssd/postlogin
|
|
|
75334f |
+++ b/profiles/sssd/postlogin
|
|
|
75334f |
@@ -1,7 +1,3 @@
|
|
|
75334f |
-auth optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
|
|
|
75334f |
-
|
|
|
75334f |
-password optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
|
|
|
75334f |
-
|
|
|
75334f |
session optional pam_umask.so silent
|
|
|
75334f |
session [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
|
|
|
75334f |
session [default=1] pam_lastlog.so nowtmp {if "with-silent-lastlog":silent|showfailed}
|
|
|
75334f |
diff --git a/profiles/sssd/smartcard-auth b/profiles/sssd/smartcard-auth
|
|
|
eed6a9 |
index 0d8bcab250633b09bce0232a5747f3a7e740d5d7..754847f2d8885ff35cbc57ec2364d82b963caa3b 100644
|
|
|
75334f |
--- a/profiles/sssd/smartcard-auth
|
|
|
75334f |
+++ b/profiles/sssd/smartcard-auth
|
|
|
eed6a9 |
@@ -18,7 +18,6 @@ account required pam_permit.so
|
|
|
75334f |
|
|
|
75334f |
session optional pam_keyinit.so revoke
|
|
|
75334f |
session required pam_limits.so
|
|
|
75334f |
-session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
|
|
|
75334f |
-session optional pam_systemd.so
|
|
|
75334f |
session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
|
|
|
75334f |
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
|
|
|
75334f |
diff --git a/profiles/sssd/system-auth b/profiles/sssd/system-auth
|
|
|
eed6a9 |
index a43341120f55bad3fb07dfea1c04453d0a278329..88c49e2dd5b60847d1d19154622a8614a21e5e1f 100644
|
|
|
75334f |
--- a/profiles/sssd/system-auth
|
|
|
75334f |
+++ b/profiles/sssd/system-auth
|
|
|
eed6a9 |
@@ -35,7 +35,6 @@ password required pam_deny.so
|
|
|
75334f |
|
|
|
75334f |
session optional pam_keyinit.so revoke
|
|
|
75334f |
session required pam_limits.so
|
|
|
75334f |
-session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
|
|
|
75334f |
-session optional pam_systemd.so
|
|
|
75334f |
session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
|
|
|
75334f |
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
|
|
|
75334f |
diff --git a/profiles/winbind/README b/profiles/winbind/README
|
|
|
eed6a9 |
index 0048c29256f5d4064edfb84a2f4b761fd09e90f6..6f7a7cab1efc768c4c82791d6a8f00def1771d37 100644
|
|
|
75334f |
--- a/profiles/winbind/README
|
|
|
75334f |
+++ b/profiles/winbind/README
|
|
|
75334f |
@@ -33,9 +33,6 @@ with-mkhomedir::
|
|
|
75334f |
Enable automatic creation of home directories for users on their
|
|
|
75334f |
first login.
|
|
|
75334f |
|
|
|
75334f |
-with-ecryptfs::
|
|
|
75334f |
- Enable automatic per-user ecryptfs.
|
|
|
75334f |
-
|
|
|
75334f |
with-fingerprint::
|
|
|
75334f |
Enable authentication with fingerprint reader through *pam_fprintd*.
|
|
|
75334f |
|
|
|
75334f |
diff --git a/profiles/winbind/fingerprint-auth b/profiles/winbind/fingerprint-auth
|
|
|
eed6a9 |
index e8997c6c78ce7305fa7068fb169c05c68167880d..c5485ab848989a252e4ff4b1376a41202d21fd67 100644
|
|
|
75334f |
--- a/profiles/winbind/fingerprint-auth
|
|
|
75334f |
+++ b/profiles/winbind/fingerprint-auth
|
|
|
eed6a9 |
@@ -19,7 +19,6 @@ password required pam_deny.so
|
|
|
75334f |
|
|
|
75334f |
session optional pam_keyinit.so revoke
|
|
|
75334f |
session required pam_limits.so
|
|
|
75334f |
-session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
|
|
|
75334f |
-session optional pam_systemd.so
|
|
|
75334f |
session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
|
|
|
75334f |
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
|
|
|
75334f |
diff --git a/profiles/winbind/password-auth b/profiles/winbind/password-auth
|
|
|
eed6a9 |
index 58705f3b15165c8d8bd4938889e3fb4d89c1a528..e84e2fcbb2bad9af6156e6e6db23f089f2b5d210 100644
|
|
|
75334f |
--- a/profiles/winbind/password-auth
|
|
|
75334f |
+++ b/profiles/winbind/password-auth
|
|
|
eed6a9 |
@@ -25,7 +25,6 @@ password required pam_deny.so
|
|
|
75334f |
|
|
|
75334f |
session optional pam_keyinit.so revoke
|
|
|
75334f |
session required pam_limits.so
|
|
|
75334f |
-session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
|
|
|
75334f |
-session optional pam_systemd.so
|
|
|
75334f |
session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
|
|
|
75334f |
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
|
|
|
75334f |
diff --git a/profiles/winbind/postlogin b/profiles/winbind/postlogin
|
|
|
75334f |
index 137cd00dc65ee9ea83123f1d3a6f7ba04f0aea04..04a11f049bc1e220c9064fba7b46eb243ddd4996 100644
|
|
|
75334f |
--- a/profiles/winbind/postlogin
|
|
|
75334f |
+++ b/profiles/winbind/postlogin
|
|
|
75334f |
@@ -1,7 +1,3 @@
|
|
|
75334f |
-auth optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
|
|
|
75334f |
-
|
|
|
75334f |
-password optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
|
|
|
75334f |
-
|
|
|
75334f |
session optional pam_umask.so silent
|
|
|
75334f |
session [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
|
|
|
75334f |
session [default=1] pam_lastlog.so nowtmp {if "with-silent-lastlog":silent|showfailed}
|
|
|
75334f |
diff --git a/profiles/winbind/system-auth b/profiles/winbind/system-auth
|
|
|
eed6a9 |
index 994c342441a0ed2738765a9fa7f6cc84f692d1d8..b5c5cfaa964a31b1cd8ac4cb62998c0a0a53a03e 100644
|
|
|
75334f |
--- a/profiles/winbind/system-auth
|
|
|
75334f |
+++ b/profiles/winbind/system-auth
|
|
|
eed6a9 |
@@ -26,7 +26,6 @@ password required pam_deny.so
|
|
|
75334f |
|
|
|
75334f |
session optional pam_keyinit.so revoke
|
|
|
75334f |
session required pam_limits.so
|
|
|
75334f |
-session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
|
|
|
75334f |
-session optional pam_systemd.so
|
|
|
75334f |
session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
|
|
|
75334f |
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
|
|
|
75334f |
diff --git a/src/compat/authcompat.py.in.in b/src/compat/authcompat.py.in.in
|
|
|
eed6a9 |
index 8334293911d1d4c2d98a6d233b91fc348cf06575..55e205bae2c0b1f7892f8b286c288dfeaa26a60d 100755
|
|
|
75334f |
--- a/src/compat/authcompat.py.in.in
|
|
|
75334f |
+++ b/src/compat/authcompat.py.in.in
|
|
|
eed6a9 |
@@ -523,7 +523,6 @@ class AuthCompat:
|
|
|
eed6a9 |
'smartcard': 'with-smartcard',
|
|
|
eed6a9 |
'requiresmartcard': 'with-smartcard-required',
|
|
|
eed6a9 |
'fingerprint': 'with-fingerprint',
|
|
|
eed6a9 |
- 'ecryptfs': 'with-ecryptfs',
|
|
|
eed6a9 |
'mkhomedir': 'with-mkhomedir',
|
|
|
eed6a9 |
'faillock': 'with-faillock',
|
|
|
eed6a9 |
'pamaccess': 'with-pamaccess',
|
|
|
75334f |
diff --git a/src/compat/authcompat_Options.py b/src/compat/authcompat_Options.py
|
|
|
eed6a9 |
index d26dedabdfb9519861076b58cddd0dd0eb04b7cb..5c8b21b55014198d6d9dfc98bd807c3c922b06f4 100644
|
|
|
75334f |
--- a/src/compat/authcompat_Options.py
|
|
|
75334f |
+++ b/src/compat/authcompat_Options.py
|
|
|
75334f |
@@ -93,7 +93,6 @@ class Options:
|
|
|
eed6a9 |
Option.Valued("smartcardaction", _("<0=Lock|1=Ignore>"), _("action to be taken on smart card removal")),
|
|
|
eed6a9 |
Option.Feature("requiresmartcard", _("require smart card for authentication by default")),
|
|
|
eed6a9 |
Option.Feature("fingerprint", _("authentication with fingerprint readers by default")),
|
|
|
eed6a9 |
- Option.Feature("ecryptfs", _("automatic per-user ecryptfs")),
|
|
|
eed6a9 |
Option.Feature("krb5", _("Kerberos authentication by default")),
|
|
|
eed6a9 |
Option.Valued("krb5kdc", _("<server>"), _("default Kerberos KDC")),
|
|
|
eed6a9 |
Option.Valued("krb5adminserver", _("<server>"), _("default Kerberos admin server")),
|
|
|
75334f |
@@ -141,6 +140,7 @@ class Options:
|
|
|
75334f |
# layers and will produce warning when used. They will not affect
|
|
|
75334f |
# the system.
|
|
|
75334f |
Option.UnsupportedFeature("cache"),
|
|
|
75334f |
+ Option.UnsupportedFeature("ecryptfs"),
|
|
|
75334f |
Option.UnsupportedFeature("shadow"),
|
|
|
eed6a9 |
Option.UnsupportedSwitch("useshadow"),
|
|
|
75334f |
Option.UnsupportedFeature("md5"),
|
|
|
75334f |
diff --git a/src/man/authselect-migration.7.adoc b/src/man/authselect-migration.7.adoc
|
|
|
eed6a9 |
index 3513a7e7cd3d7cc0045167e8224248c5be90ab2c..888cd4e5a0750d4e1aa5898887f5f7fd42472741 100644
|
|
|
75334f |
--- a/src/man/authselect-migration.7.adoc
|
|
|
75334f |
+++ b/src/man/authselect-migration.7.adoc
|
|
|
75334f |
@@ -80,7 +80,6 @@ configuration file for required services.
|
|
|
75334f |
|*Authconfig options* |*Authselect profile feature*
|
|
|
75334f |
|--enablesmartcard |with-smartcard
|
|
|
75334f |
|--enablefingerprint |with-fingerprint
|
|
|
75334f |
-|--enableecryptfs |with-ecryptfs
|
|
|
75334f |
|--enablemkhomedir |with-mkhomedir
|
|
|
75334f |
|--enablefaillock |with-faillock
|
|
|
75334f |
|--enablepamaccess |with-pamaccess
|
|
|
eed6a9 |
@@ -103,8 +102,8 @@ authselect select sssd with-faillock
|
|
|
75334f |
authconfig --enablesssd --enablesssdauth --enablesmartcard --smartcardmodule=sssd --updateall
|
|
|
75334f |
authselect select sssd with-smartcard
|
|
|
75334f |
|
|
|
75334f |
-authconfig --enableecryptfs --enablepamaccess --updateall
|
|
|
75334f |
-authselect select sssd with-ecryptfs with-pamaccess
|
|
|
75334f |
+authconfig --enablepamaccess --updateall
|
|
|
75334f |
+authselect select sssd with-pamaccess
|
|
|
75334f |
|
|
|
75334f |
authconfig --enablewinbind --enablewinbindauth --winbindjoin=Administrator --updateall
|
|
|
75334f |
realm join -U Administrator --client-software=winbind WINBINDDOMAIN
|
|
|
75334f |
--
|
|
|
eed6a9 |
2.34.1
|
|
|
75334f |
|