%define nss_version 3.10
%define nspr_version 4.6
%define with_curl 0
%define with_ldap 0

Summary: PKCS #11/NSS PAM login module
Summary(ja): PKCS #11/NSS PAM ログインモジュール
Name: pam_pkcs11
Version: 0.5.3
Release: 1%{?_dist_release}
Group: System Environment/Base
License: LGPLv2+
URL: http://www.opensc.org/pam_pkcs11
Source0: http://www.opensc.org/files/%{name}-%{version}.tar.gz
Source1: rh_pam_pkcs11.conf
Source2: rh_pkcs11_eventmgr.conf
Patch1: pam_pkcs11-0.5.3-nss.patch
Patch2: pam_pkcs11-0.5.3-cardonly.patch
Patch3: pam_pkcs11-0.5.3-setup-tool.patch
Patch4: pam_pkcs11-0.5.3-putenv-login-token.patch
Patch5: pam_pkcs11-0.5.3-ocsp.patch
Patch6: pam_pkcs11-0.5.3-wait-for-card.patch
Patch7: pam_pkcs11-0.5.3-reject_unloaded_module.patch
Patch8: pam_pkcs11-0.5.3-l10n.patch
Patch9: pam_pkcs11-0.5.3-screen-saver.patch
Patch10: pam_pkcs11-0.5.3-pin-fix.patch
Patch11: pam_pkcs11-0.5.3-eventmgr-crash-fix.patch
Patch12: pam_pkcs11-0.5.3-pam-syslog.patch
Patch13: pam_pkcs11-0.5.3-password.patch
Patch14: pam_pkcs11-0.5.3-export-auth-cert.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root

BuildRequires: pam-devel
%{?_with_ldap:BuildRequires: openldap-devel}
%{?_with_curl:BuildRequires: curl-devel}
BuildRequires: libxslt
BuildRequires: docbook-style-xsl
BuildRequires: nss-devel >= %{nss_version}
BuildRequires: nspr-devel
BuildRequires: pkgconfig
BuildRequires: intltool
BuildRequires: gettext
Requires: nss
Requires: nspr
Provides: pam_pkcs11 = %{version}-%{release}

%description
This Linux-PAM login module allows a X.509 certificate based user
authentication. The certificate and its dedicated private key are thereby
accessed by means of an appropriate PKCS #11 module. For the
verification of the users' certificates, locally stored CA
certificates as well as either online or locally accessible CRLs and
OCSP are used.
This version uses NSS to validate the Certificates and manage the PKCS #11
smartCards.
Additional included pam_pkcs11 related tools
- pkcs11_eventmgr: Generate actions on card insert/removal/timeout events
- pklogin_finder: Get the loginname that maps to a certificate
- pkcs11_inspect: Inspect the contents of a certificate

%prep
%setup -q -n pam_pkcs11-%{version}
%patch1 -p0 -b .nss
%patch2 -p0 -b .card-only
%patch3 -p1 -b .setup
%patch4 -p0 -b .putenv
%patch5 -p0 -b .ocsp
%patch6 -p1 -b .wait-for-card
%patch7 -p0 -b .reject-unloaded-module
%patch8 -p0 -b .l10n
%patch9 -p0 -b .screen-saver
%patch10 -p0 -b .pin-fix
%patch11 -p0 -b .eventmgr-crash-fix
%patch12 -p1 -b .pam-syslog
%patch13 -p1 -b .password
%patch14 -p0 -b .export-auth-cert

%build
%if %{with_curl}
%define curl_flags --with-curl=yes
%else
%define curl_flags --with-curl=no
%endif
%if %{with_ldap}
%define ldap_flags --with-ldap=yes
%else
%define ldap_flags --with-ldap=no
%endif
%configure \
    --with-nss \
    --with-debug \
    --disable-dependency-tracking \
    %{curl_flags} %{ldap_flags}

make CFLAGS="$RPM_OPT_FLAGS -O0 -ggdb3"

%install
rm -rf $RPM_BUILD_ROOT
make install DESTDIR=$RPM_BUILD_ROOT
rm -f $RPM_BUILD_ROOT/%{_libdir}/%{name}/*.*a

#
# pam security directory is in /%{_lib} not %{_libdir}
#
mkdir -p $RPM_BUILD_ROOT/%{_lib}/security
install -m 755 $RPM_BUILD_ROOT/%{_libdir}/security/%{name}.so $RPM_BUILD_ROOT/%{_lib}/security
rm -rf $RPM_BUILD_ROOT/%{_libdir}/security

#
# set up config files
#
install -dm 755 $RPM_BUILD_ROOT/%{_sysconfdir}/%{name}
install -m 644 %{SOURCE1} $RPM_BUILD_ROOT/%{_sysconfdir}/%{name}/%{name}.conf
install -m 644 %{SOURCE2} $RPM_BUILD_ROOT/%{_sysconfdir}/%{name}/pkcs11_eventmgr.conf

#
# clean up those files that aren't part of this package
# (makefile should install them if --without-pcsclite is supplied)
#
rm -f $RPM_BUILD_ROOT/%{_mandir}/man1/card_eventmgr.1
rm -f $RPM_BUILD_ROOT/%{_datadir}/%{name}/card_eventmgr.conf.example
# nss version does not need this script
rm -f $RPM_BUILD_ROOT/%{_bindir}/make_hash_link.sh

%clean
rm -rf $RPM_BUILD_ROOT

%files
%defattr(-,root,root,-)
%doc AUTHORS COPYING README TODO ChangeLog NEWS
%doc doc/pam_pkcs11.html
%doc doc/mappers_api.html
%doc doc/README.autologin
%doc doc/README.mappers
%dir %{_sysconfdir}/%{name}/
%config(noreplace) %{_sysconfdir}/%{name}/%{name}.conf
%config(noreplace) %{_sysconfdir}/%{name}/pkcs11_eventmgr.conf
%{_bindir}/pkcs11_eventmgr
%{_bindir}/pklogin_finder
%{_bindir}/pkcs11_inspect
%{_bindir}/pkcs11_setup
%dir %{_libdir}/%{name}
%{_libdir}/%{name}/*.so
/%{_lib}/security/%{name}.so
%{_mandir}/man8/%{name}.8.gz
%{_mandir}/man1/pkcs11_eventmgr.1.gz
%{_mandir}/man1/pkcs11_inspect.1.gz
%{_mandir}/man1/pklogin_finder.1.gz
%dir %{_datadir}/%{name}
%doc %{_datadir}/%{name}/%{name}.conf.example
%doc %{_datadir}/%{name}/pam.d_login.example
%doc %{_datadir}/%{name}/subject_mapping.example
%doc %{_datadir}/%{name}/mail_mapping.example
%doc %{_datadir}/%{name}/digest_mapping.example
%doc %{_datadir}/%{name}/pkcs11_eventmgr.conf.example

%changelog
* Wed May 13 2009 Daisuke SUZUKI 0.5.3-1
- initial build for Vine Linux

* Thu Feb 26 2009 Fedora Release Engineering - 0.5.3-28
- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild

* Sat Nov 8 2008 Michael Schwendt - 0.5.3-27
- Include missing directory entries (#233895).

* Tue Feb 19 2008 Fedora Release Engineering - 0.5.3-26
- Autorebuild for GCC 4.3

* Fri Aug 20 2007 Bob Relyea - 0.5.3-25
- Update License description to the new Fedora standard

* Thu Mar 08 2007 Florian La Roche - 0.5.3-24
- remove empty rpm scripts

* Sun Oct 13 2006 Jesse Keating - 0.5.3-23
- turn OCSP off by default

* Sun Oct 01 2006 Jesse Keating - 0.5.3-22
- rebuilt for unwind info generation, broken in gcc-4.1.1-21

* Mon Sep 18 2006 Robert Relyea 0.5.3-21
- update password supported patch.
- fix bug where the user and smart card prompt was coming up in login after
  the username had been entered.
- use pam_ignore for the case where we always want to drop to the other
  pam_modules.
- add environment variables for the certificate used to authenticate.

* Mon Sep 18 2006 Robert Relyea 0.5.3-20
- Use pam_syslog rather than syslog (patch by Tmraz).
- Signal to the user that change password is not supported by pam_pkcs11.

* Wed Sep 14 2006 Robert Relyea 0.5.3-19
- Fix problem where pin was not being passed in the pam password variable
  correctly. Needed for Kerberos PKInit

* Tue Sep 13 2006 Robert Relyea 0.5.3-18
- define those apps that we shouldn't login initially with (screen-savers)

* Tue Sep 12 2006 Robert Relyea 0.5.3-17
- restrict reauthentication to the token used in the initial login.
- don't require reauthentication apps to log into a token if the user
  didn't initially log into the token.
- handle the case where we have more than one token.

* Thu Sep 7 2006 Robert Relyea 0.5.3-16
- make sure we have l10n tools for the build itself

* Mon Sep 1 2006 Robert Relyea 0.5.3-15
- add l10n support
- correct mapper order.
- login should allow SSL Client Auth certs rather than restricting to
  Email Signing certs.

* Mon Aug 28 2006 Robert Relyea 0.5.3-14
- use implicit paths to load the PKCS #11 module

* Mon Aug 28 2006 Tomas Mraz
- pkcs11_setup should respect $LIB in module paths (#204252)

* Mon Aug 28 2006 Robert Relyea 0.5.3-13
- Fix the default mapping order.
- Make ocsp support controlled by a config entry.
- Fix login crash
- revert to explicit paths until we can fix 'login' and 'authconfig'

* Mon Aug 28 2006 Robert Relyea 0.5.3-12
- use $LIB so the config file works for multi archs on the
- same machine

* Mon Aug 21 2006 Robert Relyea 0.5.3-11
- Handle library paths in config file

* Mon Aug 16 2006 Robert Relyea 0.5.3-10
- remove sceventd

* Mon Jul 24 2006 Ray Strode 0.5.3-9
- compile with better debugging flags

* Sun Jul 23 2006 Ray Strode 0.5.3-8
- fix bug where it was ignoring first argument of module command line

* Sun Jul 23 2006 Ray Strode 0.5.3-7
- add new wait_for_card option that stalls auth process until a card is
  inserted
- if the user is reauthenticating (already logged in, but say unlocking
  the screen) then only treat the token the user logged in with as a
  valid authentication token
- clean up "smart card" word. Before we had a mix of "smartcard",
  "Smart Card", "SmartCard", and "smart card" I think.
- only say "Please insert your smart card." instead of
  "Please insert your Smart Card or enter username" if username based
  login isn't allowed.

* Thu Jul 20 2006 Robert Relyea 0.5.3-6
- Include the login token in the environment
- Conditionally turn on OCSP
- Treat uninitialized tokens as not present.

* Tue Jul 18 2006 Tomas Mraz 0.5.3-5
- added a simple pkcs11_setup tool

* Thu Jul 18 2006 Robert Relyea
- Fix memory error in card_only.
- Use the TEXT_INFO field for smart card prompting

* Mon Jul 17 2006 Jesse Keating 0.5.3-4
- rebuild

* Thu Jun 10 2006 Robert Relyea 0.5.3-3
- Updated to 0.5.3 with card_only and NSS support

* Mon Apr 20 2006 Robert Relyea < rrelyea at redhat.com > 0:0.5.1.-2.exp
- Added screenlocking helper support

* Mon Mar 30 2006 Robert Relyea < rrelyea at redhat.com > 0:0.5.1.-1.exp
- Added NSS support.

* Mon Jan 30 2006 Robert Relyea < rrelyea at redhat.com > 0:0.5.1.-0.demo
- include coolkey support
- added card_only option.

* Thu Sep 7 2005 Juan Antonio Martinez 0:0.4.4-2
- New pkcs11_eventmgr app in "tools" package

* Thu Feb 24 2005 Juan Antonio Martinez 0:0.4.4-1
- Fix pcsc-lite dependencies

* Thu Feb 15 2005 Juan Antonio Martinez 0:0.4.4-0
- Update to 0.4.4b2

* Sun Sep 12 2004 Ville Skyttä - 0:0.3b-0.fdr.1
- Update to 0.3b.
- Disable dependency tracking to speed up the build.

* Tue May 4 2004 Ville Skyttä - 0:0.3-0.fdr.1
- Update to 0.3.
- Do not use libcurl by default; rebuild using "--with curl" to use it.

* Mon Mar 29 2004 Ville Skyttä - 0:0.2-0.fdr.1
- Update to 0.2.
- Use libcurl by default; rebuild using "--without curl" to disable.

* Wed Jan 21 2004 Ville Skyttä - 0:0.1-0.fdr.0.2.beta5
- Add the user_mapping config file.

* Mon Jan 19 2004 Ville Skyttä - 0:0.1-0.fdr.0.1.beta5
- First build.