From 0959f2bb54a685807217ea93b53db25a8ce9181e Mon Sep 17 00:00:00 2001
From: Patrick J Volkerding <volkerdi@slackware.com>
Date: Sat, 13 Jun 2020 20:40:31 +0000
Subject: Sat Jun 13 20:40:31 UTC 2020

a/pam-1.4.0-x86_64-1.txz:  Upgraded.
  IMPORTANT NOTE: This update removes the pam_cracklib and pam_tally2 modules.
  None of our current configuration files in /etc/pam.d/ use either of those,
  but if the configuration files on your machine do you'll need to comment out
  or remove those lines, otherwise you may experience login failures.
a/shadow-4.8.1-x86_64-9.txz:  Rebuilt.
  /etc/pam.d/system-auth: prefix lines that call pam_gnome_keyring.so with '-'
  to avoid spamming the logs about failures.
a/sysvinit-scripts-2.1-noarch-32.txz:  Rebuilt.
  rc.S: create /var/run/faillock directory for pam_faillock(8).
a/util-linux-2.35.2-x86_64-2.txz:  Rebuilt.
  /etc/pam.d/login: change the example for locking an account for too many
  failed login attempts to use pam_faillock instead of pam_tally2.
l/imagemagick-7.0.10_19-x86_64-1.txz:  Upgraded.
l/libzip-1.7.1-x86_64-1.txz:  Upgraded.
n/openssh-8.3p1-x86_64-2.txz:  Rebuilt.
  /etc/pam.d/sshd: change the example for locking an account for too many
  failed login attempts to use pam_faillock instead of pam_tally2.
---
 source/n/openssh/openssh.SlackBuild |  2 +-
 source/n/openssh/sshd.pam           | 13 ++++++++-----
 2 files changed, 9 insertions(+), 6 deletions(-)

(limited to 'source/n')

diff --git a/source/n/openssh/openssh.SlackBuild b/source/n/openssh/openssh.SlackBuild
index 3c614d877..3a423c91f 100755
--- a/source/n/openssh/openssh.SlackBuild
+++ b/source/n/openssh/openssh.SlackBuild
@@ -30,7 +30,7 @@ PKG=$TMP/package-openssh
 
 PKGNAM=openssh
 VERSION=${VERSION:-$(echo openssh-*.tar.?z | rev | cut -f 3- -d . | cut -f 1 -d - | rev)}
-BUILD=${BUILD:-1}
+BUILD=${BUILD:-2}
 
 NUMJOBS=${NUMJOBS:-" -j$(expr $(nproc) + 1) "}
 
diff --git a/source/n/openssh/sshd.pam b/source/n/openssh/sshd.pam
index 570412d68..dcf1ff3fd 100644
--- a/source/n/openssh/sshd.pam
+++ b/source/n/openssh/sshd.pam
@@ -4,13 +4,16 @@
 # need to add additional consoles to /etc/securetty if you want to allow
 # root logins on them, such as: ssh, pts/0, :0, etc
 #auth            required        pam_securetty.so
-# To set a limit on failed authentications, the pam_tally2 module
-# can be enabled. See pam_tally2(8) for options.
-#auth            required        pam_tally2.so deny=4 unlock_time=1200
+# When using pam_faillock, print a message to the user if the account is
+# locked. This lets the user know what is going on, but it also potentially
+# gives additional information to attackers:
+#auth            requisite       pam_faillock.so preauth
 auth            include         system-auth
+# To set a limit on failed authentications, the pam_faillock module
+# can be enabled. See pam_faillock(8) for more information.
+#auth            [default=die]   pam_faillock.so authfail
+#auth            sufficient      pam_faillock.so authsucc
 auth            include         postlogin
-# Also uncomment this line to use pam_tally2:
-#account         required        pam_tally2.so
 account         required        pam_nologin.so
 account         include         system-auth
 password        include         system-auth
-- 
cgit v1.2.3-65-gdbad