diff --git a/sdk_container/src/third_party/coreos-overlay/sys-auth/pambase/files/pambase-20120417-sssd.patch b/sdk_container/src/third_party/coreos-overlay/sys-auth/pambase/files/pambase-20120417-sssd.patch index 436131d29a..c6b9bf477e 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-auth/pambase/files/pambase-20120417-sssd.patch +++ b/sdk_container/src/third_party/coreos-overlay/sys-auth/pambase/files/pambase-20120417-sssd.patch @@ -1,7 +1,7 @@ -diff -ur pambase-20140313.orig/system-auth.in pambase-20140313/system-auth.in ---- pambase-20140313.orig/system-auth.in 2014-03-13 07:13:15.000000000 -0700 -+++ pambase-20140313/system-auth.in 2016-05-02 12:57:35.437730031 -0700 -@@ -7,7 +7,8 @@ +diff -ur pambase-20120417.orig/system-auth.in pambase-20120417/system-auth.in +--- pambase-20120417.orig/system-auth.in 2016-05-15 21:01:29.705547981 -0700 ++++ pambase-20120417/system-auth.in 2016-05-15 21:03:08.134220108 -0700 +@@ -7,14 +7,16 @@ #if HAVE_KRB5 auth KRB5_CONTROL pam_krb5.so KRB5_PARAMS #endif @@ -9,17 +9,18 @@ diff -ur pambase-20140313.orig/system-auth.in pambase-20140313/system-auth.in +auth sufficient pam_sss.so use_first_pass +auth sufficient pam_unix.so try_first_pass LIKEAUTH nullok DEBUG /* This is needed to make sure that the Kerberos skip-on-success won't cause a bad jump. */ - auth optional pam_permit.so +-auth optional pam_permit.so ++auth required pam_deny.so -@@ -16,6 +17,7 @@ + #if HAVE_KRB5 + account KRB5_CONTROL pam_krb5.so KRB5_PARAMS #endif account required pam_unix.so DEBUG - /* This is needed to make sure that the Kerberos skip-on-success won't cause a bad jump. */ +account sufficient pam_sss.so + /* This is needed to make sure that the Kerberos skip-on-success won't cause a bad jump. */ account optional pam_permit.so - #if HAVE_CRACKLIB -@@ -27,7 +29,8 @@ +@@ -27,9 +29,10 @@ #if HAVE_KRB5 password KRB5_CONTROL pam_krb5.so KRB5_PARAMS #endif @@ -27,11 +28,14 @@ diff -ur pambase-20140313.orig/system-auth.in pambase-20140313/system-auth.in +password sufficient pam_unix.so try_first_pass UNIX_AUTHTOK nullok UNIX_EXTENDED_ENCRYPTION DEBUG +password sufficient pam_sss.so use_authtok /* This is needed to make sure that the Kerberos skip-on-success won't cause a bad jump. */ - password optional pam_permit.so +-password optional pam_permit.so ++password required pam_deny.so -diff -ur pambase-20140313.orig/system-session.inc pambase-20140313/system-session.inc ---- pambase-20140313.orig/system-session.inc 2014-03-13 07:13:15.000000000 -0700 -+++ pambase-20140313/system-session.inc 2016-05-02 12:57:59.723883487 -0700 + #if HAVE_PAM_SSH + session optional pam_ssh.so +diff -ur pambase-20120417.orig/system-session.inc pambase-20120417/system-session.inc +--- pambase-20120417.orig/system-session.inc 2012-03-20 11:10:47.000000000 -0700 ++++ pambase-20120417/system-session.inc 2016-05-15 21:02:00.151753215 -0700 @@ -23,3 +23,4 @@ #endif diff --git a/sdk_container/src/third_party/coreos-overlay/sys-auth/pambase/pambase-20120417-r5.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-auth/pambase/pambase-20120417-r6.ebuild similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/sys-auth/pambase/pambase-20120417-r5.ebuild rename to sdk_container/src/third_party/coreos-overlay/sys-auth/pambase/pambase-20120417-r6.ebuild