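# Minimum NSS version required at build time (used by the nss-devel BuildRequires).
%define nss_version 3.10
# NOTE(review): nspr_version is defined but no tag in this spec references it.
%define nspr_version 4.6
# Optional libcurl / OpenLDAP support. Both stay off unless rpmbuild is run with
# "--with curl" / "--with ldap", which keeps these network client libraries out
# of the authentication module by default. Deriving the switch from the rpmbuild
# option keeps it in step with the conditional BuildRequires further down, which
# test the same option.
%define with_curl %{?_with_curl:1}%{!?_with_curl:0}
%define with_ldap %{?_with_ldap:1}%{!?_with_ldap:0}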
---|
5 | |
---|
# Package identity and metadata for the PKCS #11 / NSS PAM login module.
Summary: PKCS #11/NSS PAM login module
Summary(ja): PKCS #11/NSS PAM ログインモジュール

Name: pam_pkcs11
Version: 0.5.3
Release: 1%{?_dist_release}

Group: System Environment/Base
License: LGPLv2+
URL: http://www.opensc.org/pam_pkcs11
# NOTE(review): the upstream tarball is referenced over plain http and this spec
# records no checksum or signature for it. Confirm that the build system pins a
# digest for the archive, or verify it out-of-band, before building an
# authentication module from it.
Source0: http://www.opensc.org/files/%{name}-%{version}.tar.gz
# Distribution-supplied configuration files; the install section copies them
# into the package's configuration directory as the live defaults.
Source1: rh_pam_pkcs11.conf
Source2: rh_pkcs11_eventmgr.conf
# Distribution patches, applied in numeric order by the prep section. Judging by
# their file names and the changelog they cover NSS support, card-only login,
# OCSP handling, PIN passing and rejection of unloaded modules, among others;
# read each patch before relying on that summary.
Patch1: pam_pkcs11-0.5.3-nss.patch
Patch2: pam_pkcs11-0.5.3-cardonly.patch
Patch3: pam_pkcs11-0.5.3-setup-tool.patch
Patch4: pam_pkcs11-0.5.3-putenv-login-token.patch
Patch5: pam_pkcs11-0.5.3-ocsp.patch
Patch6: pam_pkcs11-0.5.3-wait-for-card.patch
Patch7: pam_pkcs11-0.5.3-reject_unloaded_module.patch
Patch8: pam_pkcs11-0.5.3-l10n.patch
Patch9: pam_pkcs11-0.5.3-screen-saver.patch
Patch10: pam_pkcs11-0.5.3-pin-fix.patch
Patch11: pam_pkcs11-0.5.3-eventmgr-crash-fix.patch
Patch12: pam_pkcs11-0.5.3-pam-syslog.patch
Patch13: pam_pkcs11-0.5.3-password.patch
Patch14: pam_pkcs11-0.5.3-export-auth-cert.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root

# Build-time dependencies. The openldap-devel and curl-devel lines are emitted
# only when rpmbuild is invoked with "--with ldap" / "--with curl".
BuildRequires: pam-devel
%{?_with_ldap:BuildRequires: openldap-devel}
%{?_with_curl:BuildRequires: curl-devel}
BuildRequires: libxslt
BuildRequires: docbook-style-xsl
BuildRequires: nss-devel >= %{nss_version}
BuildRequires: nspr-devel
BuildRequires: pkgconfig
BuildRequires: intltool
BuildRequires: gettext
# Runtime dependencies carry no minimum version here, unlike the nss-devel
# build requirement above.
# NOTE(review): presumably rpm's automatic library dependencies cover the needed
# NSS/NSPR level - confirm.
Requires: nss
Requires: nspr
Provides: pam_pkcs11 = %{version}-%{release}
---|
48 | |
---|
49 | %description |
---|
50 | This Linux-PAM login module allows X.509 certificate-based user |
---|
51 | authentication. The certificate and its dedicated private key are thereby |
---|
52 | accessed by means of an appropriate PKCS #11 module. For the |
---|
53 | verification of the users' certificates, locally stored CA |
---|
54 | certificates as well as either online or locally accessible CRLs and |
---|
55 | OCSP are used. This version uses NSS to validate the certificates and manage |
---|
56 | the PKCS #11 smart cards. |
---|
57 | Additional included pam_pkcs11 related tools |
---|
58 | - pkcs11_eventmgr: Generate actions on card insert/removal/timeout events |
---|
59 | - pklogin_finder: Get the loginname that maps to a certificate |
---|
60 | - pkcs11_inspect: Inspect the contents of a certificate |
---|
61 | |
---|
%prep
# Unpack the upstream tarball quietly (-q) into the directory named by -n.
%setup -q -n pam_pkcs11-%{version}
# Apply the distribution patches in order. -pN strips N leading path components
# from the file names inside the patch (the set mixes -p0 and -p1), and -b keeps
# a backup of every touched file under the given suffix.
%patch1 -p0 -b .nss
%patch2 -p0 -b .card-only
%patch3 -p1 -b .setup
%patch4 -p0 -b .putenv
# NOTE(review): the changelog records OCSP being made a config option and then
# turned off by default, so whether revocation is checked over OCSP depends on
# the installed configuration - confirm against the shipped conf file.
%patch5 -p0 -b .ocsp
%patch6 -p1 -b .wait-for-card
%patch7 -p0 -b .reject-unloaded-module
%patch8 -p0 -b .l10n
%patch9 -p0 -b .screen-saver
%patch10 -p0 -b .pin-fix
%patch11 -p0 -b .eventmgr-crash-fix
%patch12 -p1 -b .pam-syslog
%patch13 -p1 -b .password
%patch14 -p0 -b .export-auth-cert
---|
78 | |
---|
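%build

# Translate the with_curl / with_ldap switches defined at the top of the spec
# into the matching configure arguments.
%if %{with_curl}
%define curl_flags --with-curl=yes
%else
%define curl_flags --with-curl=no
%endif

%if %{with_ldap}
%define ldap_flags --with-ldap=yes
%else
%define ldap_flags --with-ldap=no
%endif
# Build against NSS, with the optional curl / ldap switches chosen above.
# NOTE(review): --with-debug presumably compiles in the module's debug output;
# confirm it stays silent unless enabled in the configuration, because debug
# output on the authentication path can expose user and certificate details.
%configure \
    --with-nss \
    --with-debug \
    --disable-dependency-tracking \
    %{curl_flags} %{ldap_flags}
# No -O0 here: appended after the distribution flags it would override their
# optimisation level, and glibc's _FORTIFY_SOURCE checks are only compiled in
# when optimisation is on. -ggdb3 alone still produces full debug information.
# Reinstate -O0 only for local debugging builds.
# NOTE(review): assumes the distribution optflags carry -D_FORTIFY_SOURCE - confirm.
make CFLAGS="$RPM_OPT_FLAGS -ggdb3"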
---|
98 | |
---|
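%install
# Start from an empty build root. The variable is quoted throughout so that a
# path containing whitespace or glob characters stays a single word.
rm -rf "$RPM_BUILD_ROOT"
make install DESTDIR="$RPM_BUILD_ROOT"
# Drop the *.a / *.la archives from the package's library directory; the glob
# itself stays outside the quotes so that the shell still expands it.
rm -f "$RPM_BUILD_ROOT"/%{_libdir}/%{name}/*.*a
#
# pam security directory is in /%{_lib} not %{_libdir}
#
mkdir -p "$RPM_BUILD_ROOT"/%{_lib}/security
install -m 755 "$RPM_BUILD_ROOT"/%{_libdir}/security/%{name}.so "$RPM_BUILD_ROOT"/%{_lib}/security
rm -rf "$RPM_BUILD_ROOT"/%{_libdir}/security
#
# set up config files
#
# The distribution's conf files (Source1 / Source2) become the live defaults,
# installed 644 in a 755 directory.
install -dm 755 "$RPM_BUILD_ROOT"/%{_sysconfdir}/%{name}
install -m 644 %{SOURCE1} "$RPM_BUILD_ROOT"/%{_sysconfdir}/%{name}/%{name}.conf
install -m 644 %{SOURCE2} "$RPM_BUILD_ROOT"/%{_sysconfdir}/%{name}/pkcs11_eventmgr.conf
#
# clean up those files that aren't part of this package
# (makefile should install them if --without-pcsclite is supplied)
#
rm -f "$RPM_BUILD_ROOT"/%{_mandir}/man1/card_eventmgr.1
rm -f "$RPM_BUILD_ROOT"/%{_datadir}/%{name}/card_eventmgr.conf.example

# nss version does not need this script
rm -f "$RPM_BUILD_ROOT"/%{_bindir}/make_hash_link.sh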
---|
124 | |
---|
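%clean
# Remove the build root after packaging; quoted so the path is passed to rm as
# one word.
rm -rf "$RPM_BUILD_ROOT"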
---|
127 | |
---|
%files
# File modes are kept as installed; owner and group are forced to root.
%defattr(-,root,root,-)
%doc AUTHORS COPYING README TODO ChangeLog NEWS
%doc doc/pam_pkcs11.html
%doc doc/mappers_api.html
%doc doc/README.autologin
%doc doc/README.mappers
%dir %{_sysconfdir}/%{name}/
# config(noreplace): a locally edited conf file is kept on upgrade and the new
# packaged version is written alongside it, so changed defaults in a later
# package do not reach an edited configuration by themselves.
%config(noreplace) %{_sysconfdir}/%{name}/%{name}.conf
%config(noreplace) %{_sysconfdir}/%{name}/pkcs11_eventmgr.conf
%{_bindir}/pkcs11_eventmgr
%{_bindir}/pklogin_finder
%{_bindir}/pkcs11_inspect
%{_bindir}/pkcs11_setup
%dir %{_libdir}/%{name}
%{_libdir}/%{name}/*.so
# The PAM module itself, installed with mode 755 by the install section.
/%{_lib}/security/%{name}.so
%{_mandir}/man8/%{name}.8.gz
%{_mandir}/man1/pkcs11_eventmgr.1.gz
%{_mandir}/man1/pkcs11_inspect.1.gz
%{_mandir}/man1/pklogin_finder.1.gz
%dir %{_datadir}/%{name}
# Example configuration and mapping files, shipped as documentation.
%doc %{_datadir}/%{name}/%{name}.conf.example
%doc %{_datadir}/%{name}/pam.d_login.example
%doc %{_datadir}/%{name}/subject_mapping.example
%doc %{_datadir}/%{name}/mail_mapping.example
%doc %{_datadir}/%{name}/digest_mapping.example
%doc %{_datadir}/%{name}/pkcs11_eventmgr.conf.example
---|
156 | |
---|
157 | %changelog |
---|
158 | * Wed May 13 2009 Daisuke SUZUKI <daisuke@linux.or.jp> 0.5.3-1 |
---|
159 | - initial build for Vine Linux |
---|
160 | |
---|
161 | * Thu Feb 26 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.5.3-28 |
---|
162 | - Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild |
---|
163 | |
---|
164 | * Sat Nov 8 2008 Michael Schwendt <mschwendt@fedoraproject.org> - 0.5.3-27 |
---|
165 | - Include missing directory entries (#233895). |
---|
166 | |
---|
167 | * Tue Feb 19 2008 Fedora Release Engineering <rel-eng@fedoraproject.org> - 0.5.3-26 |
---|
168 | - Autorebuild for GCC 4.3 |
---|
169 | |
---|
170 | * Fri Aug 20 2007 Bob Relyea <rrelyea@redhat.com> - 0.5.3-25 |
---|
171 | - Update License description to the new Fedora standard |
---|
172 | |
---|
173 | * Thu Mar 08 2007 Florian La Roche <laroche@redhat.com> - 0.5.3-24 |
---|
174 | - remove empty rpm scripts |
---|
175 | |
---|
176 | * Sun Oct 13 2006 Jesse Keating <jkeating@redhat.com> - 0.5.3-23 |
---|
177 | - turn OCSP off by default |
---|
178 | |
---|
179 | * Sun Oct 01 2006 Jesse Keating <jkeating@redhat.com> - 0.5.3-22 |
---|
180 | - rebuilt for unwind info generation, broken in gcc-4.1.1-21 |
---|
181 | |
---|
182 | * Mon Sep 18 2006 Robert Relyea <rrelyea@redhat.com> 0.5.3-21 |
---|
183 | - update password supported patch. |
---|
184 | - fix bug where the user and smart card prompt was coming up in login after |
---|
185 | the username had been entered. |
---|
186 | - use pam_ignore for the case where we always want to drop to the other |
---|
187 | pam_modules. |
---|
188 | - add environment variables for the certificate used to authenticate. |
---|
189 | |
---|
190 | * Mon Sep 18 2006 Robert Relyea <rrelyea@redhat.com> 0.5.3-20 |
---|
191 | - Use pam_syslog rather than syslog (patch by Tmraz). |
---|
192 | - Signal to the user that change password is not supported by pam_pkcs11. |
---|
193 | |
---|
194 | * Wed Sep 14 2006 Robert Relyea <rrelyea@redhat.com> 0.5.3-19 |
---|
195 | - Fix problem where pin was not being passed in the pam password variable |
---|
196 | correctly. Needed for Kerberos PKInit |
---|
197 | |
---|
198 | * Tue Sep 13 2006 Robert Relyea <rrelyea@redhat.com> 0.5.3-18 |
---|
199 | - define those apps that we shouldn't login initially with (screen-savers) |
---|
200 | |
---|
201 | * Tue Sep 12 2006 Robert Relyea <rrelyea@redhat.com> 0.5.3-17 |
---|
202 | - restrict reauthentication to the token used in the initial login. |
---|
203 | - don't require reauthentication apps to log into a token if the user |
---|
204 | didn't initially log into the token. |
---|
205 | - handle the case where we have more than one token. |
---|
206 | |
---|
207 | * Thu Sep 7 2006 Robert Relyea <rrelyea@redhat.com> 0.5.3-16 |
---|
208 | - make sure we have l10n tools for the build itself |
---|
209 | |
---|
210 | * Mon Sep 1 2006 Robert Relyea <rrelyea@redhat.com> 0.5.3-15 |
---|
211 | - add l10n support |
---|
212 | - correct mapper order. |
---|
213 | - login should allow SSL Client Auth certs rather than restricting to Email |
---|
214 | Signing certs. |
---|
215 | |
---|
216 | * Mon Aug 28 2006 Robert Relyea <rrelyea@redhat.com> 0.5.3-14 |
---|
217 | - use implicit paths to load the PKCS #11 module |
---|
218 | |
---|
219 | * Mon Aug 28 2006 Tomas Mraz <tmraz@redhat.com> |
---|
220 | - pkcs11_setup should respect $LIB in module paths (#204252) |
---|
221 | |
---|
222 | * Mon Aug 28 2006 Robert Relyea <rrelyea@redhat.com> 0.5.3-13 |
---|
223 | - Fix the default mapping order. |
---|
224 | - Make ocsp support controlled by a config entry. |
---|
225 | - Fix login crash |
---|
226 | - revert to explicit paths until we can fix 'login' and 'authconfig' |
---|
227 | |
---|
228 | * Mon Aug 28 2006 Robert Relyea <rrelyea@redhat.com> 0.5.3-12 |
---|
229 | - use $LIB so the config file works for multi archs on the |
---|
230 | - same machine |
---|
231 | |
---|
232 | * Mon Aug 21 2006 Robert Relyea <rrelyea@redhat.com> 0.5.3-11 |
---|
233 | - Handle library paths in config file |
---|
234 | |
---|
235 | * Mon Aug 16 2006 Robert Relyea <rrelyea@redhat.com> 0.5.3-10 |
---|
236 | - remove sceventd |
---|
237 | |
---|
238 | * Mon Jul 24 2006 Ray Strode <rstrode@redhat.com> 0.5.3-9 |
---|
239 | - compile with better debugging flags |
---|
240 | |
---|
241 | * Sun Jul 23 2006 Ray Strode <rstrode@redhat.com> 0.5.3-8 |
---|
242 | - fix bug where it was ignoring first argument of module |
---|
243 | command line |
---|
244 | |
---|
245 | * Sun Jul 23 2006 Ray Strode <rstrode@redhat.com> 0.5.3-7 |
---|
246 | - add new wait_for_card option that stalls auth process |
---|
247 | until a card is inserted |
---|
248 | - if the user is reauthenticating (already logged in, but |
---|
249 | say unlocking the screen) then only treat the token the |
---|
250 | user logged in with as a valid authentication token |
---|
251 | - clean up "smart card" word. Before we had a mix of |
---|
252 | "smartcard", "Smart Card", "SmartCard", and "smart card" |
---|
253 | i think. |
---|
254 | - only say "Please insert your smart card." instead of |
---|
255 | "Please insert your Smart Card or enter username" if |
---|
256 | username based login isn't allowed. |
---|
257 | |
---|
258 | * Thu Jul 20 2006 Robert Relyea <rrelyea at redhat.com> 0.5.3-6 |
---|
259 | - Include the login token in the environment |
---|
260 | - Conditionally turn on OCSP |
---|
261 | - Treat uninitialized tokens as not present. |
---|
262 | |
---|
263 | * Tue Jul 18 2006 Tomas Mraz <tmraz at redhat.com> 0.5.3-5 |
---|
264 | - added a simple pkcs11_setup tool |
---|
265 | |
---|
266 | * Thu Jul 18 2006 Robert Relyea <rrelyea at redhat.com> |
---|
267 | - Fix memory error in card_only. |
---|
268 | - Use the TEXT_INFO field for smart card prompting |
---|
269 | |
---|
270 | * Mon Jul 17 2006 Jesse Keating <jkeating@redhat.com> 0.5.3-4 |
---|
271 | - rebuild |
---|
272 | |
---|
273 | * Thu Jun 10 2006 Robert Relyea <rrelyea at redhat.com> 0.5.3-3 |
---|
274 | - Updated to 0.5.3 with card_only and NSS support |
---|
275 | |
---|
276 | * Mon Apr 20 2006 Robert Relyea < rrelyea at redhat.com > 0:0.5.1.-2.exp |
---|
277 | - Added screenlocking helper support |
---|
278 | |
---|
279 | * Mon Mar 30 2006 Robert Relyea < rrelyea at redhat.com > 0:0.5.1.-1.exp |
---|
280 | - Added NSS support. |
---|
281 | |
---|
282 | * Mon Jan 30 2006 Robert Relyea < rrelyea at redhat.com > 0:0.5.1.-0.demo |
---|
283 | - include coolkey support |
---|
284 | - added card_only option. |
---|
285 | |
---|
286 | * Thu Sep 7 2005 Juan Antonio Martinez <jonsito at teleline.es 0:0.5.3-2 |
---|
287 | - Add ldap_mapper.so as separate package, as it depends on external library |
---|
288 | - Changes from FC4 team |
---|
289 | |
---|
290 | * Thu Sep 1 2005 Juan Antonio Martinez <jonsito at teleline.es 0:0.5.3-0 |
---|
291 | - Update to 0.5.3 |
---|
292 | - Remove tools package, and create pcsc one with pcsc-lite dependent files |
---|
293 | |
---|
294 | * Fri Apr 11 2005 Juan Antonio Martinez <jonsito at teleline.es 0:0.5.2-1 |
---|
295 | - Changed package name to pam_pkcs11 |
---|
296 | |
---|
297 | * Fri Apr 8 2005 Juan Antonio Martinez <jonsito at teleline.es 0:0.5.2-0 |
---|
298 | - Updated to 0.5.2 release |
---|
299 | - Changed /etc/pkcs11 for /etc/pam_pkcs11 |
---|
300 | - Changed /usr/share/pkcs11_login for /usr/share/pam_pkcs11 |
---|
301 | - Next item is change package name to pam_pkcs11 |
---|
302 | |
---|
303 | * Thu Apr 7 2005 Juan Antonio Martinez <jonsito at teleline.es 0:0.5.1-0 |
---|
304 | - patches to avoid autotools in compile from tgz |
---|
305 | |
---|
306 | * Thu Mar 29 2005 Juan Antonio Martinez <jonsito at teleline.es 0:0.5-1 |
---|
307 | - upgrade to 0.5beta1 version |
---|
308 | - BuildRequires now complains compilation of html manual from xml file |
---|
309 | |
---|
310 | * Thu Feb 28 2005 Juan Antonio Martinez <jonsito at teleline.es> 0:0.4.4-2 |
---|
311 | - New pkcs11_eventmgr app in "tools" package |
---|
312 | |
---|
313 | * Thu Feb 24 2005 Juan Antonio Martinez <jonsito at teleline.es> 0:0.4.4-1 |
---|
314 | - Fix pcsc-lite dependencies |
---|
315 | |
---|
316 | * Thu Feb 15 2005 Juan Antonio Martinez <jonsito at teleline.es> 0:0.4.4-0 |
---|
317 | - Update to 0.4.4b2 |
---|
318 | |
---|
319 | * Sun Sep 12 2004 Ville Skyttä <ville.skytta at iki.fi> - 0:0.3b-0.fdr.1 |
---|
320 | - Update to 0.3b. |
---|
321 | - Disable dependency tracking to speed up the build. |
---|
322 | |
---|
323 | * Tue May 4 2004 Ville Skyttä <ville.skytta at iki.fi> - 0:0.3-0.fdr.1 |
---|
324 | - Update to 0.3. |
---|
325 | - Do not use libcurl by default; rebuild using "--with curl" to use it. |
---|
326 | |
---|
327 | * Mon Mar 29 2004 Ville Skyttä <ville.skytta at iki.fi> - 0:0.2-0.fdr.1 |
---|
328 | - Update to 0.2. |
---|
329 | - Use libcurl by default; rebuild using "--without curl" to disable. |
---|
330 | |
---|
331 | * Wed Jan 21 2004 Ville Skyttä <ville.skytta at iki.fi> - 0:0.1-0.fdr.0.2.beta5 |
---|
332 | - Add the user_mapping config file. |
---|
333 | |
---|
334 | * Mon Jan 19 2004 Ville Skyttä <ville.skytta at iki.fi> - 0:0.1-0.fdr.0.1.beta5 |
---|
335 | - First build. |
---|