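# Version floors for the NSS/NSPR crypto stack. nss_version is used by the
# nss-devel BuildRequires below; nspr_version is not referenced anywhere in
# the visible spec (the nspr-devel BuildRequires is unversioned).
%define nss_version 3.10
%define nspr_version 4.6
# Optional features, off by default. Each switch follows the matching
# "rpmbuild --with curl" / "rpmbuild --with ldap" option, so the conditional
# BuildRequires below and the configure flags chosen in the build section
# are always driven by the same setting. Previously the switches were
# hard-coded to 0 while the BuildRequires tested the command-line option,
# so "--with curl" pulled in curl-devel but still configured curl off.
# NOTE(review): with both switches off the module is configured with
# --with-curl=no and --with-ldap=no; confirm the revocation sources (CRLs,
# OCSP) the deployment relies on are still reachable in that configuration.
%define with_curl %{?_with_curl:1}%{!?_with_curl:0}
%define with_ldap %{?_with_ldap:1}%{!?_with_ldap:0}

Summary: PKCS #11/NSS PAM login module
Summary(ja): PKCS #11/NSS PAM ログインモジュール

Name: pam_pkcs11
Version: 0.5.3
Release: 1%{?_dist_release}

Group: System Environment/Base
License: LGPLv2+
URL: http://www.opensc.org/pam_pkcs11
# NOTE(review): the upstream tarball URL is plain http and this spec records
# no digest or signature for it. Verify the tarball against a trusted
# checksum or signature before building an authentication module from it.
Source0: http://www.opensc.org/files/%{name}-%{version}.tar.gz
# Distribution-provided default configuration, installed under the package's
# configuration directory by the install section.
Source1: rh_pam_pkcs11.conf
Source2: rh_pkcs11_eventmgr.conf
# Distribution patches, applied in numeric order by the prep section.
Patch1: pam_pkcs11-0.5.3-nss.patch
Patch2: pam_pkcs11-0.5.3-cardonly.patch
Patch3: pam_pkcs11-0.5.3-setup-tool.patch
Patch4: pam_pkcs11-0.5.3-putenv-login-token.patch
Patch5: pam_pkcs11-0.5.3-ocsp.patch
Patch6: pam_pkcs11-0.5.3-wait-for-card.patch
Patch7: pam_pkcs11-0.5.3-reject_unloaded_module.patch
Patch8: pam_pkcs11-0.5.3-l10n.patch
Patch9: pam_pkcs11-0.5.3-screen-saver.patch
Patch10: pam_pkcs11-0.5.3-pin-fix.patch
Patch11: pam_pkcs11-0.5.3-eventmgr-crash-fix.patch
Patch12: pam_pkcs11-0.5.3-pam-syslog.patch
Patch13: pam_pkcs11-0.5.3-password.patch
Patch14: pam_pkcs11-0.5.3-export-auth-cert.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root

BuildRequires: pam-devel
%{?_with_ldap:BuildRequires: openldap-devel}
%{?_with_curl:BuildRequires: curl-devel}
BuildRequires: libxslt
BuildRequires: docbook-style-xsl
BuildRequires: nss-devel >= %{nss_version}
BuildRequires: nspr-devel
BuildRequires: pkgconfig
BuildRequires: intltool
BuildRequires: gettext
Requires: nss
Requires: nspr
Provides: pam_pkcs11 = %{version}-%{release}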
| 48 | |
---|
| 49 | %description |
---|
| 50 | This Linux-PAM login module allows X.509 certificate-based user |
---|
| 51 | authentication. The certificate and its dedicated private key are thereby |
---|
| 52 | accessed by means of an appropriate PKCS #11 module. For the |
---|
| 53 | verification of the users' certificates, locally stored CA |
---|
| 54 | certificates as well as either online or locally accessible CRLs and |
---|
| 55 | OCSP are used. This version uses NSS to validate the certificates and manage |
---|
| 56 | the PKCS #11 smart cards. |
---|
| 57 | Additional included pam_pkcs11 related tools |
---|
| 58 | - pkcs11_eventmgr: Generate actions on card insert/removal/timeout events |
---|
| 59 | - pklogin_finder: Get the loginname that maps to a certificate |
---|
| 60 | - pkcs11_inspect: Inspect the contents of a certificate |
---|
| 61 | |
---|
%prep
# Unpack the upstream tarball, then apply the fourteen distribution patches
# in numeric order. -b keeps a backup of every file a patch touches under
# the given suffix; the strip level (-p0 or -p1) differs from patch to patch.
# NOTE(review): judging only by their file names, several patches touch
# authentication behaviour (OCSP, PIN handling, rejecting an unloaded
# module); their contents are not visible here and should be reviewed with
# the same care as the upstream source.
%setup -q -n %{name}-%{version}
%patch -P 1 -p0 -b .nss
%patch -P 2 -p0 -b .card-only
%patch -P 3 -p1 -b .setup
%patch -P 4 -p0 -b .putenv
%patch -P 5 -p0 -b .ocsp
%patch -P 6 -p1 -b .wait-for-card
%patch -P 7 -p0 -b .reject-unloaded-module
%patch -P 8 -p0 -b .l10n
%patch -P 9 -p0 -b .screen-saver
%patch -P 10 -p0 -b .pin-fix
%patch -P 11 -p0 -b .eventmgr-crash-fix
%patch -P 12 -p1 -b .pam-syslog
%patch -P 13 -p1 -b .password
%patch -P 14 -p0 -b .export-auth-cert
| 78 | |
---|
%build

# Turn the with_curl / with_ldap switches (0 or 1) into configure arguments:
# start from the disabled form and override it when the switch is on.
%define curl_flags --with-curl=no
%if %{with_curl}
%define curl_flags --with-curl=yes
%endif

%define ldap_flags --with-ldap=no
%if %{with_ldap}
%define ldap_flags --with-ldap=yes
%endif

# Configure against NSS with upstream's debug option enabled.
# NOTE(review): this is a debug-oriented build of a module that runs in the
# login path. Confirm that whatever --with-debug enables cannot write PINs
# or certificate data to logs in production.
%configure \
    --with-nss \
    --with-debug \
    --disable-dependency-tracking \
    %{curl_flags} %{ldap_flags}
# NOTE(review): -O0 comes after the distribution flags and so overrides their
# optimisation level. glibc's _FORTIFY_SOURCE checks only take effect when
# optimising, so if RPM_OPT_FLAGS carries that define it is inert here.
make CFLAGS="${RPM_OPT_FLAGS} -O0 -ggdb3"
| 98 | |
---|
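%install
# Refuse to continue when the build root is unset or is "/". Every path
# below is formed by prefixing it, so an empty value would turn the rm and
# install commands into operations on the build host's own files (for
# example its PAM module directory).
if [ -z "$RPM_BUILD_ROOT" ] || [ "$RPM_BUILD_ROOT" = "/" ]; then
    echo "RPM_BUILD_ROOT is unset or /; refusing to continue" >&2
    exit 1
fi
rm -rf "$RPM_BUILD_ROOT"
make install DESTDIR="$RPM_BUILD_ROOT"
# Drop the archive files matched by *.*a (such as .a and .la) from the
# mapper directory; only the shared objects are packaged.
rm -f "$RPM_BUILD_ROOT"/%{_libdir}/%{name}/*.*a
#
# The PAM security directory is /%{_lib}/security, not %{_libdir}/security:
# copy the module there with mode 755 and remove the copy make install left.
#
mkdir -p "$RPM_BUILD_ROOT"/%{_lib}/security
install -m 755 "$RPM_BUILD_ROOT"/%{_libdir}/security/%{name}.so "$RPM_BUILD_ROOT"/%{_lib}/security
rm -rf "$RPM_BUILD_ROOT"/%{_libdir}/security
#
# Set up config files: directory 755, both files 644. The file list marks
# them root-owned.
#
install -dm 755 "$RPM_BUILD_ROOT"/%{_sysconfdir}/%{name}
install -m 644 %{SOURCE1} "$RPM_BUILD_ROOT"/%{_sysconfdir}/%{name}/%{name}.conf
install -m 644 %{SOURCE2} "$RPM_BUILD_ROOT"/%{_sysconfdir}/%{name}/pkcs11_eventmgr.conf
#
# Clean up the card_eventmgr files, which are not part of this package.
# (The original note here ties the makefile's handling of them to the
# --without-pcsclite configure option.)
#
rm -f "$RPM_BUILD_ROOT"/%{_mandir}/man1/card_eventmgr.1
rm -f "$RPM_BUILD_ROOT"/%{_datadir}/%{name}/card_eventmgr.conf.example

# The NSS build does not need this script.
rm -f "$RPM_BUILD_ROOT"/%{_bindir}/make_hash_link.sh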
| 124 | |
---|
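%clean
# Remove the build root after packaging. The guard keeps an unset or "/"
# build root from turning this into a recursive delete on the build host.
if [ -n "$RPM_BUILD_ROOT" ] && [ "$RPM_BUILD_ROOT" != "/" ]; then
    rm -rf "$RPM_BUILD_ROOT"
fi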
| 127 | |
---|
%files
# Everything is owned by root:root; file and directory modes are taken as
# installed in the build root.
%defattr(-,root,root,-)
# Documentation copied from the source tree.
%doc AUTHORS COPYING README TODO ChangeLog NEWS
%doc doc/pam_pkcs11.html doc/mappers_api.html
%doc doc/README.autologin doc/README.mappers
# Configuration: noreplace keeps a locally edited file in place on upgrade,
# so site authentication policy is not silently reset by a package update.
%dir %{_sysconfdir}/%{name}/
%config(noreplace) %{_sysconfdir}/%{name}/%{name}.conf
%config(noreplace) %{_sysconfdir}/%{name}/pkcs11_eventmgr.conf
# The PAM module itself and the shared objects in the package's library
# directory.
/%{_lib}/security/%{name}.so
%dir %{_libdir}/%{name}
%{_libdir}/%{name}/*.so
# Command-line tools.
%{_bindir}/pkcs11_eventmgr
%{_bindir}/pklogin_finder
%{_bindir}/pkcs11_inspect
%{_bindir}/pkcs11_setup
# Manual pages.
%{_mandir}/man8/%{name}.8.gz
%{_mandir}/man1/pkcs11_eventmgr.1.gz
%{_mandir}/man1/pkcs11_inspect.1.gz
%{_mandir}/man1/pklogin_finder.1.gz
# Example configuration and mapping files, flagged as documentation.
%dir %{_datadir}/%{name}
%doc %{_datadir}/%{name}/%{name}.conf.example
%doc %{_datadir}/%{name}/pam.d_login.example
%doc %{_datadir}/%{name}/subject_mapping.example
%doc %{_datadir}/%{name}/mail_mapping.example
%doc %{_datadir}/%{name}/digest_mapping.example
%doc %{_datadir}/%{name}/pkcs11_eventmgr.conf.example
| 156 | |
---|
| 157 | %changelog |
---|
| 158 | * Wed May 13 2009 Daisuke SUZUKI <daisuke@linux.or.jp> 0.5.3-1 |
---|
| 159 | - initial build for Vine Linux |
---|
| 160 | |
---|
| 161 | * Thu Feb 26 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.5.3-28 |
---|
| 162 | - Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild |
---|
| 163 | |
---|
| 164 | * Sat Nov 8 2008 Michael Schwendt <mschwendt@fedoraproject.org> - 0.5.3-27 |
---|
| 165 | - Include missing directory entries (#233895). |
---|
| 166 | |
---|
| 167 | * Tue Feb 19 2008 Fedora Release Engineering <rel-eng@fedoraproject.org> - 0.5.3-26 |
---|
| 168 | - Autorebuild for GCC 4.3 |
---|
| 169 | |
---|
| 170 | * Fri Aug 20 2007 Bob Relyea <rrelyea@redhat.com> - 0.5.3-25 |
---|
| 171 | - Update License description to the new Fedora standard |
---|
| 172 | |
---|
| 173 | * Thu Mar 08 2007 Florian La Roche <laroche@redhat.com> - 0.5.3-24 |
---|
| 174 | - remove empty rpm scripts |
---|
| 175 | |
---|
| 176 | * Sun Oct 13 2006 Jesse Keating <jkeating@redhat.com> - 0.5.3-23 |
---|
| 177 | - turn OCSP off by default |
---|
| 178 | |
---|
| 179 | * Sun Oct 01 2006 Jesse Keating <jkeating@redhat.com> - 0.5.3-22 |
---|
| 180 | - rebuilt for unwind info generation, broken in gcc-4.1.1-21 |
---|
| 181 | |
---|
| 182 | * Mon Sep 18 2006 Robert Relyea <rrelyea@redhat.com> 0.5.3-21 |
---|
| 183 | - update password supported patch. |
---|
| 184 | - fix bug where the user and smart card prompt was coming up in login after |
---|
| 185 | the username had been entered. |
---|
| 186 | - use pam_ignore for the case where we always want to drop to the other |
---|
| 187 | pam_modules. |
---|
| 188 | - add environment variables for the certificate used to authenticate. |
---|
| 189 | |
---|
| 190 | * Mon Sep 18 2006 Robert Relyea <rrelyea@redhat.com> 0.5.3-20 |
---|
| 191 | - Use pam_syslog rather than syslog (patch by Tmraz). |
---|
| 192 | - Signal to the user that change password is not supported by pam_pkcs11. |
---|
| 193 | |
---|
| 194 | * Wed Sep 14 2006 Robert Relyea <rrelyea@redhat.com> 0.5.3-19 |
---|
| 195 | - Fix problem where pin was not being passed in the pam password variable |
---|
| 196 | correctly. Needed for Kerberos PKInit |
---|
| 197 | |
---|
| 198 | * Tue Sep 13 2006 Robert Relyea <rrelyea@redhat.com> 0.5.3-18 |
---|
| 199 | - define those apps that we shouldn't login initially with (screen-savers) |
---|
| 200 | |
---|
| 201 | * Tue Sep 12 2006 Robert Relyea <rrelyea@redhat.com> 0.5.3-17 |
---|
| 202 | - restrict reauthentication to the token used in the initial login. |
---|
| 203 | - don't require reauthentication apps to log into a token if the user |
---|
| 204 | didn't initially log into the token. |
---|
| 205 | - handle the case where we have more than one token. |
---|
| 206 | |
---|
| 207 | * Thu Sep 7 2006 Robert Relyea <rrelyea@redhat.com> 0.5.3-16 |
---|
| 208 | - make sure we have l10n tools for the build itself |
---|
| 209 | |
---|
| 210 | * Mon Sep 1 2006 Robert Relyea <rrelyea@redhat.com> 0.5.3-15 |
---|
| 211 | - add l10n support |
---|
| 212 | - correct mapper order. |
---|
| 213 | - login should allow SSL Client Auth certs rather than restricting to Email |
---|
| 214 | Signing certs. |
---|
| 215 | |
---|
| 216 | * Mon Aug 28 2006 Robert Relyea <rrelyea@redhat.com> 0.5.3-14 |
---|
| 217 | - use implicit paths to load the PKCS #11 module |
---|
| 218 | |
---|
| 219 | * Mon Aug 28 2006 Tomas Mraz <tmraz@redhat.com> |
---|
| 220 | - pkcs11_setup should respect $LIB in module paths (#204252) |
---|
| 221 | |
---|
| 222 | * Mon Aug 28 2006 Robert Relyea <rrelyea@redhat.com> 0.5.3-13 |
---|
| 223 | - Fix the default mapping order. |
---|
| 224 | - Make ocsp support controlled by a config entry. |
---|
| 225 | - Fix login crash |
---|
| 226 | - revert to explicit paths until we can fix 'login' and 'authconfig' |
---|
| 227 | |
---|
| 228 | * Mon Aug 28 2006 Robert Relyea <rrelyea@redhat.com> 0.5.3-12 |
---|
| 229 | - use $LIB so the config file works for multi archs on the |
---|
| 230 | - same machine |
---|
| 231 | |
---|
| 232 | * Mon Aug 21 2006 Robert Relyea <rrelyea@redhat.com> 0.5.3-11 |
---|
| 233 | - Handle library paths in config file |
---|
| 234 | |
---|
| 235 | * Mon Aug 16 2006 Robert Relyea <rrelyea@redhat.com> 0.5.3-10 |
---|
| 236 | - remove sceventd |
---|
| 237 | |
---|
| 238 | * Mon Jul 24 2006 Ray Strode <rstrode@redhat.com> 0.5.3-9 |
---|
| 239 | - compile with better debugging flags |
---|
| 240 | |
---|
| 241 | * Sun Jul 23 2006 Ray Strode <rstrode@redhat.com> 0.5.3-8 |
---|
| 242 | - fix bug where it was ignoring first argument of module |
---|
| 243 | command line |
---|
| 244 | |
---|
| 245 | * Sun Jul 23 2006 Ray Strode <rstrode@redhat.com> 0.5.3-7 |
---|
| 246 | - add new wait_for_card option that stalls auth process |
---|
| 247 | until a card is inserted |
---|
| 248 | - if the user is reauthenticating (already logged in, but |
---|
| 249 | say unlocking the screen) then only treat the token the |
---|
| 250 | user logged in with as a valid authentication token |
---|
| 251 | - clean up "smart card" word. Before we had a mix of |
---|
| 252 | "smartcard", "Smart Card", "SmartCard", and "smart card" |
---|
| 253 | i think. |
---|
| 254 | - only say "Please insert your smart card." instead of |
---|
| 255 | "Please insert your Smart Card or enter username" if |
---|
| 256 | username based login isn't allowed. |
---|
| 257 | |
---|
| 258 | * Thu Jul 20 2006 Robert Relyea <rrelyea at redhat.com> 0.5.3-6 |
---|
| 259 | - Include the login token in the environment |
---|
| 260 | - Conditionally turn on OCSP |
---|
| 261 | - Treat uninitialized tokens as not present. |
---|
| 262 | |
---|
| 263 | * Tue Jul 18 2006 Tomas Mraz <tmraz at redhat.com> 0.5.3-5 |
---|
| 264 | - added a simple pkcs11_setup tool |
---|
| 265 | |
---|
| 266 | * Thu Jul 18 2006 Robert Relyea <rrelyea at redhat.com> |
---|
| 267 | - Fix memory error in card_only. |
---|
| 268 | - Use the TEXT_INFO field for smart card prompting |
---|
| 269 | |
---|
| 270 | * Mon Jul 17 2006 Jesse Keating <jkeating@redhat.com> 0.5.3-4 |
---|
| 271 | - rebuild |
---|
| 272 | |
---|
| 273 | * Thu Jun 10 2006 Robert Relyea <rrelyea at redhat.com> 0.5.3-3 |
---|
| 274 | - Updated to 0.5.3 with card_only and NSS support |
---|
| 275 | |
---|
| 276 | * Mon Apr 20 2006 Robert Relyea < rrelyea at redhat.com > 0:0.5.1.-2.exp |
---|
| 277 | - Added screenlocking helper support |
---|
| 278 | |
---|
| 279 | * Mon Mar 30 2006 Robert Relyea < rrelyea at redhat.com > 0:0.5.1.-1.exp |
---|
| 280 | - Added NSS support. |
---|
| 281 | |
---|
| 282 | * Mon Jan 30 2006 Robert Relyea < rrelyea at redhat.com > 0:0.5.1.-0.demo |
---|
| 283 | - include coolkey support |
---|
| 284 | - added card_only option. |
---|
| 285 | |
---|
| 286 | * Thu Sep 7 2005 Juan Antonio Martinez <jonsito at teleline.es> 0:0.5.3-2 |
---|
| 287 | - Add ldap_mapper.so as separate package, as it depends on external library |
---|
| 288 | - Changes from FC4 team |
---|
| 289 | |
---|
| 290 | * Thu Sep 1 2005 Juan Antonio Martinez <jonsito at teleline.es> 0:0.5.3-0 |
---|
| 291 | - Update to 0.5.3 |
---|
| 292 | - Remove tools package, and create pcsc one with pcsc-lite dependent files |
---|
| 293 | |
---|
| 294 | * Fri Apr 11 2005 Juan Antonio Martinez <jonsito at teleline.es> 0:0.5.2-1 |
---|
| 295 | - Changed package name to pam_pkcs11 |
---|
| 296 | |
---|
| 297 | * Fri Apr 8 2005 Juan Antonio Martinez <jonsito at teleline.es> 0:0.5.2-0 |
---|
| 298 | - Updated to 0.5.2 release |
---|
| 299 | - Changed /etc/pkcs11 for /etc/pam_pkcs11 |
---|
| 300 | - Changed /usr/share/pkcs11_login for /usr/share/pam_pkcs11 |
---|
| 301 | - Next item is change package name to pam_pkcs11 |
---|
| 302 | |
---|
| 303 | * Thu Apr 7 2005 Juan Antonio Martinez <jonsito at teleline.es> 0:0.5.1-0 |
---|
| 304 | - patches to avoid autotools in compile from tgz |
---|
| 305 | |
---|
| 306 | * Thu Mar 29 2005 Juan Antonio Martinez <jonsito at teleline.es> 0:0.5-1 |
---|
| 307 | - upgrade to 0.5beta1 version |
---|
| 308 | - BuildRequires now complains compilation of html manual from xml file |
---|
| 309 | |
---|
| 310 | * Thu Feb 28 2005 Juan Antonio Martinez <jonsito at teleline.es> 0:0.4.4-2 |
---|
| 311 | - New pkcs11_eventmgr app in "tools" package |
---|
| 312 | |
---|
| 313 | * Thu Feb 24 2005 Juan Antonio Martinez <jonsito at teleline.es> 0:0.4.4-1 |
---|
| 314 | - Fix pcsc-lite dependencies |
---|
| 315 | |
---|
| 316 | * Thu Feb 15 2005 Juan Antonio Martinez <jonsito at teleline.es> 0:0.4.4-0 |
---|
| 317 | - Update to 0.4.4b2 |
---|
| 318 | |
---|
| 319 | * Sun Sep 12 2004 Ville Skyttä <ville.skytta at iki.fi> - 0:0.3b-0.fdr.1 |
---|
| 320 | - Update to 0.3b. |
---|
| 321 | - Disable dependency tracking to speed up the build. |
---|
| 322 | |
---|
| 323 | * Tue May 4 2004 Ville Skyttä <ville.skytta at iki.fi> - 0:0.3-0.fdr.1 |
---|
| 324 | - Update to 0.3. |
---|
| 325 | - Do not use libcurl by default; rebuild using "--with curl" to use it. |
---|
| 326 | |
---|
| 327 | * Mon Mar 29 2004 Ville Skyttä <ville.skytta at iki.fi> - 0:0.2-0.fdr.1 |
---|
| 328 | - Update to 0.2. |
---|
| 329 | - Use libcurl by default; rebuild using "--without curl" to disable. |
---|
| 330 | |
---|
| 331 | * Wed Jan 21 2004 Ville Skyttä <ville.skytta at iki.fi> - 0:0.1-0.fdr.0.2.beta5 |
---|
| 332 | - Add the user_mapping config file. |
---|
| 333 | |
---|
| 334 | * Mon Jan 19 2004 Ville Skyttä <ville.skytta at iki.fi> - 0:0.1-0.fdr.0.1.beta5 |
---|
| 335 | - First build. |
---|