From: Frank Brehm Date: Mon, 16 Jan 2012 14:27:57 +0000 (+0100) Subject: During emerge world X-Git-Url: https://git.uhu-banane.net/?a=commitdiff_plain;h=ce3d9f2abf5b3107a65709a44f9b9c19ffd55e0e;p=config%2Fbruni%2Fetc.git During emerge world --- diff --git a/.etckeeper b/.etckeeper index aeb86b46..fd7d9414 100755 --- a/.etckeeper +++ b/.etckeeper @@ -162,8 +162,12 @@ maybe chmod 0644 './config-archive/etc/etckeeper/etckeeper.conf.dist.new' maybe chmod 0644 './config-archive/etc/man.conf' maybe chmod 0644 './config-archive/etc/man.conf.dist' maybe chmod 0755 './config-archive/etc/pam.d' +maybe chmod 0644 './config-archive/etc/pam.d/system-auth' +maybe chmod 0644 './config-archive/etc/pam.d/system-auth.dist' maybe chmod 0644 './config-archive/etc/pam.d/system-login' maybe chmod 0644 './config-archive/etc/pam.d/system-login.dist' +maybe chmod 0644 './config-archive/etc/pam.d/system-services' +maybe chmod 0644 './config-archive/etc/pam.d/system-services.dist' maybe chmod 0755 './config-archive/etc/portage' maybe chmod 0755 './config-archive/etc/portage/savedconfig' maybe chmod 0755 './config-archive/etc/portage/savedconfig/sys-apps' @@ -171,8 +175,9 @@ maybe chmod 0644 './config-archive/etc/portage/savedconfig/sys-apps/busybox-1.19 maybe chmod 0644 './config-archive/etc/portage/savedconfig/sys-apps/busybox-1.19.3-r1.dist' maybe chmod 0755 './config-archive/etc/ssh' maybe chmod 0644 './config-archive/etc/ssh/ssh_config' -maybe chmod 0644 './config-archive/etc/ssh/ssh_config.dist.new' +maybe chmod 0644 './config-archive/etc/ssh/ssh_config.dist' maybe chmod 0600 './config-archive/etc/ssh/sshd_config' +maybe chmod 0600 './config-archive/etc/ssh/sshd_config.1' maybe chmod 0600 './config-archive/etc/ssh/sshd_config.dist' maybe chmod 0440 './config-archive/etc/sudoers' maybe chmod 0440 './config-archive/etc/sudoers.dist.new' @@ -696,8 +701,6 @@ maybe chown ldap './openldap/ssl/ldap.pem' maybe chgrp ldap './openldap/ssl/ldap.pem' maybe chmod 0400 './openldap/ssl/ldap.pem' maybe chmod 0755 './pam.d' -maybe chmod 0644 './pam.d/._cfg0000_system-auth' -maybe chmod 0644 './pam.d/._cfg0000_system-services' maybe chmod 0644 './pam.d/chage' maybe chmod 0644 './pam.d/chfn' maybe chmod 0644 './pam.d/chgpasswd' @@ -869,8 +872,6 @@ maybe chmod 0755 './sound/events' maybe chmod 0644 './sound/events/gnome-2.soundlist' maybe chmod 0644 './sound/events/gtk-events-2.soundlist' maybe chmod 0755 './ssh' -maybe chmod 0644 './ssh/._cfg0000_ssh_config' -maybe chmod 0600 './ssh/._cfg0000_sshd_config' maybe chmod 0755 './ssh/ca' maybe chmod 0644 './ssh/moduli' maybe chmod 0644 './ssh/ssh_config' diff --git a/config-archive/etc/pam.d/system-auth b/config-archive/etc/pam.d/system-auth new file mode 100644 index 00000000..bb9fcdb6 --- /dev/null +++ b/config-archive/etc/pam.d/system-auth @@ -0,0 +1,15 @@ +auth required pam_env.so +auth required pam_unix.so try_first_pass likeauth nullok +auth optional pam_permit.so + +account required pam_unix.so +account optional pam_permit.so + +password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3 +password required pam_unix.so try_first_pass use_authtok nullok sha512 shadow +password optional pam_permit.so + +session required pam_limits.so +session required pam_env.so +session required pam_unix.so +session optional pam_permit.so diff --git a/config-archive/etc/pam.d/system-auth.dist b/config-archive/etc/pam.d/system-auth.dist new file mode 100644 index 00000000..1a285d68 --- /dev/null +++ b/config-archive/etc/pam.d/system-auth.dist @@ -0,0 +1,22 @@ +auth required pam_env.so +auth sufficient pam_ssh.so +auth [success=1 default=ignore] pam_krb5.so ignore_root try_first_pass +auth required pam_unix.so try_first_pass likeauth nullok +auth optional pam_permit.so + +account [success=1 default=ignore] pam_krb5.so ignore_root try_first_pass +account required pam_unix.so +account optional pam_permit.so + +password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3 +password [success=1 default=ignore] pam_krb5.so ignore_root try_first_pass +password required pam_unix.so try_first_pass use_authtok nullok sha512 shadow +password optional pam_permit.so + +session optional pam_ssh.so +session required pam_limits.so +session required pam_env.so +session optional pam_mktemp.so +session [success=1 default=ignore] pam_krb5.so ignore_root try_first_pass +session required pam_unix.so +session optional pam_permit.so diff --git a/config-archive/etc/pam.d/system-services b/config-archive/etc/pam.d/system-services new file mode 100644 index 00000000..a964f33b --- /dev/null +++ b/config-archive/etc/pam.d/system-services @@ -0,0 +1,7 @@ +auth sufficient pam_permit.so +account include system-auth +session optional pam_loginuid.so +session required pam_limits.so +session required pam_env.so +session required pam_unix.so +session optional pam_permit.so diff --git a/config-archive/etc/pam.d/system-services.dist b/config-archive/etc/pam.d/system-services.dist new file mode 100644 index 00000000..982364cf --- /dev/null +++ b/config-archive/etc/pam.d/system-services.dist @@ -0,0 +1,9 @@ +auth sufficient pam_permit.so +account include system-auth +session optional pam_loginuid.so +session required pam_limits.so +session required pam_env.so +session optional pam_mktemp.so +session [success=1 default=ignore] pam_krb5.so ignore_root try_first_pass +session required pam_unix.so +session optional pam_permit.so diff --git a/config-archive/etc/ssh/ssh_config.dist b/config-archive/etc/ssh/ssh_config.dist new file mode 100644 index 00000000..b632c25c --- /dev/null +++ b/config-archive/etc/ssh/ssh_config.dist @@ -0,0 +1,58 @@ +# $OpenBSD$ + +# This is the ssh client system-wide configuration file. See +# ssh_config(5) for more information. This file provides defaults for +# users, and the values can be changed in per-user configuration files +# or on the command line. + +# Configuration data is parsed as follows: +# 1. command line options +# 2. user-specific file +# 3. system-wide file +# Any configuration value is only changed the first time it is set. +# Thus, host-specific definitions should be at the beginning of the +# configuration file, and defaults at the end. + +# Site-wide defaults for some commonly used options. For a comprehensive +# list of available options, their meanings and defaults, please see the +# ssh_config(5) man page. + +# Host * +# ForwardAgent no +# ForwardX11 no +# RhostsRSAAuthentication no +# RSAAuthentication yes +# PasswordAuthentication yes +# HostbasedAuthentication no +# GSSAPIAuthentication no +# GSSAPIDelegateCredentials no +# BatchMode no +# CheckHostIP yes +# AddressFamily any +# ConnectTimeout 0 +# StrictHostKeyChecking ask +# IdentityFile ~/.ssh/identity +# IdentityFile ~/.ssh/id_rsa +# IdentityFile ~/.ssh/id_dsa +# Port 22 +# Protocol 2,1 +# Cipher 3des +# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc +# MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160 +# EscapeChar ~ +# AllowedCertPurpose sslserver +# MandatoryCRL no +# CACertificateFile /etc/ssh/ca/ca-bundle.crt +# CACertificatePath /etc/ssh/ca/crt +# CARevocationFile /etc/ssh/ca/ca-bundle.crl +# CARevocationPath /etc/ssh/ca/crl +# UserCACertificateFile ~/.ssh/ca-bundle.crt +# UserCACertificatePath ~/.ssh/crt +# UserCARevocationFile ~/.ssh/ca-bundle.crl +# UserCARevocationPath ~/.ssh/crl +# VAType none +# Tunnel no +# TunnelDevice any:any +# PermitLocalCommand no +# VisualHostKey no +# ProxyCommand ssh -q -W %h:%p gateway.example.com diff --git a/config-archive/etc/ssh/ssh_config.dist.new b/config-archive/etc/ssh/ssh_config.dist.new deleted file mode 100644 index 18936740..00000000 --- a/config-archive/etc/ssh/ssh_config.dist.new +++ /dev/null @@ -1,47 +0,0 @@ -# $OpenBSD: ssh_config,v 1.26 2010/01/11 01:39:46 dtucker Exp $ - -# This is the ssh client system-wide configuration file. See -# ssh_config(5) for more information. This file provides defaults for -# users, and the values can be changed in per-user configuration files -# or on the command line. - -# Configuration data is parsed as follows: -# 1. command line options -# 2. user-specific file -# 3. system-wide file -# Any configuration value is only changed the first time it is set. -# Thus, host-specific definitions should be at the beginning of the -# configuration file, and defaults at the end. - -# Site-wide defaults for some commonly used options. For a comprehensive -# list of available options, their meanings and defaults, please see the -# ssh_config(5) man page. - -# Host * -# ForwardAgent no -# ForwardX11 no -# RhostsRSAAuthentication no -# RSAAuthentication yes -# PasswordAuthentication yes -# HostbasedAuthentication no -# GSSAPIAuthentication no -# GSSAPIDelegateCredentials no -# BatchMode no -# CheckHostIP yes -# AddressFamily any -# ConnectTimeout 0 -# StrictHostKeyChecking ask -# IdentityFile ~/.ssh/identity -# IdentityFile ~/.ssh/id_rsa -# IdentityFile ~/.ssh/id_dsa -# Port 22 -# Protocol 2,1 -# Cipher 3des -# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc -# MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160 -# EscapeChar ~ -# Tunnel no -# TunnelDevice any:any -# PermitLocalCommand no -# VisualHostKey no -# ProxyCommand ssh -q -W %h:%p gateway.example.com diff --git a/config-archive/etc/ssh/sshd_config b/config-archive/etc/ssh/sshd_config index f3c6c252..9f5583ea 100644 --- a/config-archive/etc/ssh/sshd_config +++ b/config-archive/etc/ssh/sshd_config @@ -1,4 +1,4 @@ -# $OpenBSD$ +# $OpenBSD: sshd_config,v 1.82 2010/09/06 17:10:19 naddy Exp $ # This is the sshd server system-wide configuration file. See # sshd_config(5) for more information. @@ -175,8 +175,24 @@ PrintLastLog no # no default banner path #Banner none +# here are the new patched ldap related tokens +# entries in your LDAP must have posixAccount & ldapPublicKey objectclass +#UseLPK yes +#LpkLdapConf /etc/ldap.conf +#LpkServers ldap://10.1.7.1/ ldap://10.1.7.2/ +#LpkUserDN ou=users,dc=phear,dc=org +#LpkGroupDN ou=groups,dc=phear,dc=org +#LpkBindDN cn=Manager,dc=phear,dc=org +#LpkBindPw secret +#LpkServerGroup mail +#LpkFilter (hostAccess=master.phear.org) +#LpkForceTLS no +#LpkSearchTimelimit 3 +#LpkBindTimelimit 3 +#LpkPubKeyAttr sshPublicKey + # override default of no subsystems -Subsystem sftp /usr/lib/misc/sftp-server +Subsystem sftp /usr/lib64/misc/sftp-server # the following are HPN related configuration options # tcp receive buffer polling. disable in non autotuning kernels diff --git a/config-archive/etc/ssh/sshd_config.1 b/config-archive/etc/ssh/sshd_config.1 new file mode 100644 index 00000000..f3c6c252 --- /dev/null +++ b/config-archive/etc/ssh/sshd_config.1 @@ -0,0 +1,199 @@ +# $OpenBSD$ + +# This is the sshd server system-wide configuration file. See +# sshd_config(5) for more information. + +# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin + +# The strategy used for options in the default sshd_config shipped with +# OpenSSH is to specify options with their default value where +# possible, but leave them commented. Uncommented options change a +# default value. + +#Port 22 +#AddressFamily any +#ListenAddress 0.0.0.0 +#ListenAddress :: + +# The default requires explicit activation of protocol 1 +#Protocol 2 + +# HostKey for protocol version 1 +#HostKey /etc/ssh/ssh_host_key +# HostKeys for protocol version 2 +#HostKey /etc/ssh/ssh_host_rsa_key +#HostKey /etc/ssh/ssh_host_dsa_key +#HostKey /etc/ssh/ssh_host_ecdsa_key + +# "key type names" for X.509 certificates with RSA key +# Note first defined is used in signature operations! +#X509KeyAlgorithm x509v3-sign-rsa,rsa-md5 +#X509KeyAlgorithm x509v3-sign-rsa,rsa-sha1 + +# "key type names" for X.509 certificates with DSA key +# Note first defined is used in signature operations! +#X509KeyAlgorithm x509v3-sign-dss,dss-asn1 +#X509KeyAlgorithm x509v3-sign-dss,dss-raw + +# The intended use for the X509 client certificate. Without this option +# no chain verification will be done. Currently accepted uses are case +# insensitive: +# - "sslclient", "SSL client", "SSL_client" or "client" +# - "any", "Any Purpose", "Any_Purpose" or "AnyPurpose" +# - "skip" or ""(empty): don`t check purpose. +#AllowedCertPurpose sslclient + +# Specifies whether self-issued(self-signed) X.509 certificate can be +# allowed only by entry in AutorizedKeysFile that contain matching +# public key or certificate blob. +#KeyAllowSelfIssued no + +# Specifies whether CRL must present in store for all certificates in +# certificate chain with atribute "cRLDistributionPoints" +#MandatoryCRL no + +# A file with multiple certificates of certificate signers +# in PEM format concatenated together. +#CACertificateFile /etc/ssh/ca/ca-bundle.crt + +# A directory with certificates of certificate signers. +# The certificates should have name of the form: [HASH].[NUMBER] +# or have symbolic links to them of this form. +#CACertificatePath /etc/ssh/ca/crt + +# A file with multiple CRL of certificate signers +# in PEM format concatenated together. +#CARevocationFile /etc/ssh/ca/ca-bundle.crl + +# A directory with CRL of certificate signers. +# The CRL should have name of the form: [HASH].r[NUMBER] +# or have symbolic links to them of this form. +#CARevocationPath /etc/ssh/ca/crl + +# LDAP protocol version. +# Example: +# CAldapVersion 2 + +# Note because of OpenSSH options parser limitation +# use %3D instead of = ! +# LDAP initialization may require URL to be escaped, i.e. +# use %2C instead of ,(comma). Escaped URL don't depend from +# LDAP initialization method. +# Example: +# CAldapURL ldap://localhost:389/dc%3Dexample%2Cdc%3Dcom + +# SSH can use "Online Certificate Status Protocol"(OCSP) +# to validate certificate. Set VAType to +# - none : do not use OCSP to validate certificates; +# - ocspcert: validate only certificates that specify `OCSP +# Service Locator' URL; +# - ocspspec: use specified in the configuration 'OCSP Responder' +# to validate all certificates. +#VAType none + +# Lifetime and size of ephemeral version 1 server key +#KeyRegenerationInterval 1h +#ServerKeyBits 1024 + +# Logging +# obsoletes QuietMode and FascistLogging +#SyslogFacility AUTH +#LogLevel INFO + +# Authentication: + +#LoginGraceTime 2m +PermitRootLogin no +#StrictModes yes +#MaxAuthTries 6 +#MaxSessions 10 + +#RSAAuthentication yes +#PubkeyAuthentication yes +#AuthorizedKeysFile .ssh/authorized_keys + +# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts +#RhostsRSAAuthentication no +# similar for protocol version 2 +#HostbasedAuthentication no +# Change to yes if you don't trust ~/.ssh/known_hosts for +# RhostsRSAAuthentication and HostbasedAuthentication +#IgnoreUserKnownHosts no +# Don't read the user's ~/.rhosts and ~/.shosts files +#IgnoreRhosts yes + +# To disable tunneled clear text passwords, change to no here! +PasswordAuthentication no +#PasswordAuthentication yes +#PermitEmptyPasswords no + +# Change to no to disable s/key passwords +#ChallengeResponseAuthentication yes + +# Kerberos options +#KerberosAuthentication no +#KerberosOrLocalPasswd yes +#KerberosTicketCleanup yes +#KerberosGetAFSToken no + +# GSSAPI options +#GSSAPIAuthentication no +#GSSAPICleanupCredentials yes + +# Set this to 'yes' to enable PAM authentication, account processing, +# and session processing. If this is enabled, PAM authentication will +# be allowed through the ChallengeResponseAuthentication and +# PasswordAuthentication. Depending on your PAM configuration, +# PAM authentication via ChallengeResponseAuthentication may bypass +# the setting of "PermitRootLogin without-password". +# If you just want the PAM account and session checks to run without +# PAM authentication, then enable this but set PasswordAuthentication +# and ChallengeResponseAuthentication to 'no'. +UsePAM yes + +#AllowAgentForwarding yes +#AllowTcpForwarding yes +#GatewayPorts no +X11Forwarding yes +#X11DisplayOffset 10 +#X11UseLocalhost yes +PrintMotd no +PrintLastLog no +#TCPKeepAlive yes +#UseLogin no +#UsePrivilegeSeparation yes +#PermitUserEnvironment no +#Compression delayed +#ClientAliveInterval 0 +#ClientAliveCountMax 3 +#UseDNS yes +#PidFile /var/run/sshd.pid +#MaxStartups 10 +#PermitTunnel no +#ChrootDirectory none + +# no default banner path +#Banner none + +# override default of no subsystems +Subsystem sftp /usr/lib/misc/sftp-server + +# the following are HPN related configuration options +# tcp receive buffer polling. disable in non autotuning kernels +#TcpRcvBufPoll yes + +# allow the use of the none cipher +#NoneEnabled no + +# disable hpn performance boosts. +#HPNDisabled no + +# buffer size for hpn to non-hpn connections +#HPNBufferSize 2048 + + +# Example of overriding settings on a per-user basis +#Match User anoncvs +# X11Forwarding no +# AllowTcpForwarding no +# ForceCommand cvs server diff --git a/config-archive/etc/ssh/sshd_config.dist b/config-archive/etc/ssh/sshd_config.dist index abf35679..562d7620 100644 --- a/config-archive/etc/ssh/sshd_config.dist +++ b/config-archive/etc/ssh/sshd_config.dist @@ -1,4 +1,4 @@ -# $OpenBSD: sshd_config,v 1.82 2010/09/06 17:10:19 naddy Exp $ +# $OpenBSD$ # This is the sshd server system-wide configuration file. See # sshd_config(5) for more information. @@ -25,6 +25,72 @@ #HostKey /etc/ssh/ssh_host_dsa_key #HostKey /etc/ssh/ssh_host_ecdsa_key +# "key type names" for X.509 certificates with RSA key +# Note first defined is used in signature operations! +#X509KeyAlgorithm x509v3-sign-rsa,rsa-md5 +#X509KeyAlgorithm x509v3-sign-rsa,rsa-sha1 + +# "key type names" for X.509 certificates with DSA key +# Note first defined is used in signature operations! +#X509KeyAlgorithm x509v3-sign-dss,dss-asn1 +#X509KeyAlgorithm x509v3-sign-dss,dss-raw + +# The intended use for the X509 client certificate. Without this option +# no chain verification will be done. Currently accepted uses are case +# insensitive: +# - "sslclient", "SSL client", "SSL_client" or "client" +# - "any", "Any Purpose", "Any_Purpose" or "AnyPurpose" +# - "skip" or ""(empty): don`t check purpose. +#AllowedCertPurpose sslclient + +# Specifies whether self-issued(self-signed) X.509 certificate can be +# allowed only by entry in AutorizedKeysFile that contain matching +# public key or certificate blob. +#KeyAllowSelfIssued no + +# Specifies whether CRL must present in store for all certificates in +# certificate chain with atribute "cRLDistributionPoints" +#MandatoryCRL no + +# A file with multiple certificates of certificate signers +# in PEM format concatenated together. +#CACertificateFile /etc/ssh/ca/ca-bundle.crt + +# A directory with certificates of certificate signers. +# The certificates should have name of the form: [HASH].[NUMBER] +# or have symbolic links to them of this form. +#CACertificatePath /etc/ssh/ca/crt + +# A file with multiple CRL of certificate signers +# in PEM format concatenated together. +#CARevocationFile /etc/ssh/ca/ca-bundle.crl + +# A directory with CRL of certificate signers. +# The CRL should have name of the form: [HASH].r[NUMBER] +# or have symbolic links to them of this form. +#CARevocationPath /etc/ssh/ca/crl + +# LDAP protocol version. +# Example: +# CAldapVersion 2 + +# Note because of OpenSSH options parser limitation +# use %3D instead of = ! +# LDAP initialization may require URL to be escaped, i.e. +# use %2C instead of ,(comma). Escaped URL don't depend from +# LDAP initialization method. +# Example: +# CAldapURL ldap://localhost:389/dc%3Dexample%2Cdc%3Dcom + +# SSH can use "Online Certificate Status Protocol"(OCSP) +# to validate certificate. Set VAType to +# - none : do not use OCSP to validate certificates; +# - ocspcert: validate only certificates that specify `OCSP +# Service Locator' URL; +# - ocspspec: use specified in the configuration 'OCSP Responder' +# to validate all certificates. +#VAType none + # Lifetime and size of ephemeral version 1 server key #KeyRegenerationInterval 1h #ServerKeyBits 1024 @@ -108,22 +174,6 @@ PrintLastLog no # no default banner path #Banner none -# here are the new patched ldap related tokens -# entries in your LDAP must have posixAccount & ldapPublicKey objectclass -#UseLPK yes -#LpkLdapConf /etc/ldap.conf -#LpkServers ldap://10.1.7.1/ ldap://10.1.7.2/ -#LpkUserDN ou=users,dc=phear,dc=org -#LpkGroupDN ou=groups,dc=phear,dc=org -#LpkBindDN cn=Manager,dc=phear,dc=org -#LpkBindPw secret -#LpkServerGroup mail -#LpkFilter (hostAccess=master.phear.org) -#LpkForceTLS no -#LpkSearchTimelimit 3 -#LpkBindTimelimit 3 -#LpkPubKeyAttr sshPublicKey - # override default of no subsystems Subsystem sftp /usr/lib64/misc/sftp-server diff --git a/pam.d/._cfg0000_system-auth b/pam.d/._cfg0000_system-auth deleted file mode 100644 index 1a285d68..00000000 --- a/pam.d/._cfg0000_system-auth +++ /dev/null @@ -1,22 +0,0 @@ -auth required pam_env.so -auth sufficient pam_ssh.so -auth [success=1 default=ignore] pam_krb5.so ignore_root try_first_pass -auth required pam_unix.so try_first_pass likeauth nullok -auth optional pam_permit.so - -account [success=1 default=ignore] pam_krb5.so ignore_root try_first_pass -account required pam_unix.so -account optional pam_permit.so - -password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3 -password [success=1 default=ignore] pam_krb5.so ignore_root try_first_pass -password required pam_unix.so try_first_pass use_authtok nullok sha512 shadow -password optional pam_permit.so - -session optional pam_ssh.so -session required pam_limits.so -session required pam_env.so -session optional pam_mktemp.so -session [success=1 default=ignore] pam_krb5.so ignore_root try_first_pass -session required pam_unix.so -session optional pam_permit.so diff --git a/pam.d/._cfg0000_system-services b/pam.d/._cfg0000_system-services deleted file mode 100644 index 982364cf..00000000 --- a/pam.d/._cfg0000_system-services +++ /dev/null @@ -1,9 +0,0 @@ -auth sufficient pam_permit.so -account include system-auth -session optional pam_loginuid.so -session required pam_limits.so -session required pam_env.so -session optional pam_mktemp.so -session [success=1 default=ignore] pam_krb5.so ignore_root try_first_pass -session required pam_unix.so -session optional pam_permit.so diff --git a/pam.d/system-auth b/pam.d/system-auth index bb9fcdb6..1a285d68 100644 --- a/pam.d/system-auth +++ b/pam.d/system-auth @@ -1,15 +1,22 @@ auth required pam_env.so +auth sufficient pam_ssh.so +auth [success=1 default=ignore] pam_krb5.so ignore_root try_first_pass auth required pam_unix.so try_first_pass likeauth nullok auth optional pam_permit.so +account [success=1 default=ignore] pam_krb5.so ignore_root try_first_pass account required pam_unix.so account optional pam_permit.so password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3 +password [success=1 default=ignore] pam_krb5.so ignore_root try_first_pass password required pam_unix.so try_first_pass use_authtok nullok sha512 shadow password optional pam_permit.so +session optional pam_ssh.so session required pam_limits.so session required pam_env.so +session optional pam_mktemp.so +session [success=1 default=ignore] pam_krb5.so ignore_root try_first_pass session required pam_unix.so session optional pam_permit.so diff --git a/pam.d/system-services b/pam.d/system-services index a964f33b..982364cf 100644 --- a/pam.d/system-services +++ b/pam.d/system-services @@ -3,5 +3,7 @@ account include system-auth session optional pam_loginuid.so session required pam_limits.so session required pam_env.so +session optional pam_mktemp.so +session [success=1 default=ignore] pam_krb5.so ignore_root try_first_pass session required pam_unix.so session optional pam_permit.so diff --git a/ssh/._cfg0000_ssh_config b/ssh/._cfg0000_ssh_config deleted file mode 100644 index b632c25c..00000000 --- a/ssh/._cfg0000_ssh_config +++ /dev/null @@ -1,58 +0,0 @@ -# $OpenBSD$ - -# This is the ssh client system-wide configuration file. See -# ssh_config(5) for more information. This file provides defaults for -# users, and the values can be changed in per-user configuration files -# or on the command line. - -# Configuration data is parsed as follows: -# 1. command line options -# 2. user-specific file -# 3. system-wide file -# Any configuration value is only changed the first time it is set. -# Thus, host-specific definitions should be at the beginning of the -# configuration file, and defaults at the end. - -# Site-wide defaults for some commonly used options. For a comprehensive -# list of available options, their meanings and defaults, please see the -# ssh_config(5) man page. - -# Host * -# ForwardAgent no -# ForwardX11 no -# RhostsRSAAuthentication no -# RSAAuthentication yes -# PasswordAuthentication yes -# HostbasedAuthentication no -# GSSAPIAuthentication no -# GSSAPIDelegateCredentials no -# BatchMode no -# CheckHostIP yes -# AddressFamily any -# ConnectTimeout 0 -# StrictHostKeyChecking ask -# IdentityFile ~/.ssh/identity -# IdentityFile ~/.ssh/id_rsa -# IdentityFile ~/.ssh/id_dsa -# Port 22 -# Protocol 2,1 -# Cipher 3des -# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc -# MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160 -# EscapeChar ~ -# AllowedCertPurpose sslserver -# MandatoryCRL no -# CACertificateFile /etc/ssh/ca/ca-bundle.crt -# CACertificatePath /etc/ssh/ca/crt -# CARevocationFile /etc/ssh/ca/ca-bundle.crl -# CARevocationPath /etc/ssh/ca/crl -# UserCACertificateFile ~/.ssh/ca-bundle.crt -# UserCACertificatePath ~/.ssh/crt -# UserCARevocationFile ~/.ssh/ca-bundle.crl -# UserCARevocationPath ~/.ssh/crl -# VAType none -# Tunnel no -# TunnelDevice any:any -# PermitLocalCommand no -# VisualHostKey no -# ProxyCommand ssh -q -W %h:%p gateway.example.com diff --git a/ssh/._cfg0000_sshd_config b/ssh/._cfg0000_sshd_config deleted file mode 100644 index 562d7620..00000000 --- a/ssh/._cfg0000_sshd_config +++ /dev/null @@ -1,198 +0,0 @@ -# $OpenBSD$ - -# This is the sshd server system-wide configuration file. See -# sshd_config(5) for more information. - -# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin - -# The strategy used for options in the default sshd_config shipped with -# OpenSSH is to specify options with their default value where -# possible, but leave them commented. Uncommented options change a -# default value. - -#Port 22 -#AddressFamily any -#ListenAddress 0.0.0.0 -#ListenAddress :: - -# The default requires explicit activation of protocol 1 -#Protocol 2 - -# HostKey for protocol version 1 -#HostKey /etc/ssh/ssh_host_key -# HostKeys for protocol version 2 -#HostKey /etc/ssh/ssh_host_rsa_key -#HostKey /etc/ssh/ssh_host_dsa_key -#HostKey /etc/ssh/ssh_host_ecdsa_key - -# "key type names" for X.509 certificates with RSA key -# Note first defined is used in signature operations! -#X509KeyAlgorithm x509v3-sign-rsa,rsa-md5 -#X509KeyAlgorithm x509v3-sign-rsa,rsa-sha1 - -# "key type names" for X.509 certificates with DSA key -# Note first defined is used in signature operations! -#X509KeyAlgorithm x509v3-sign-dss,dss-asn1 -#X509KeyAlgorithm x509v3-sign-dss,dss-raw - -# The intended use for the X509 client certificate. Without this option -# no chain verification will be done. Currently accepted uses are case -# insensitive: -# - "sslclient", "SSL client", "SSL_client" or "client" -# - "any", "Any Purpose", "Any_Purpose" or "AnyPurpose" -# - "skip" or ""(empty): don`t check purpose. -#AllowedCertPurpose sslclient - -# Specifies whether self-issued(self-signed) X.509 certificate can be -# allowed only by entry in AutorizedKeysFile that contain matching -# public key or certificate blob. -#KeyAllowSelfIssued no - -# Specifies whether CRL must present in store for all certificates in -# certificate chain with atribute "cRLDistributionPoints" -#MandatoryCRL no - -# A file with multiple certificates of certificate signers -# in PEM format concatenated together. -#CACertificateFile /etc/ssh/ca/ca-bundle.crt - -# A directory with certificates of certificate signers. -# The certificates should have name of the form: [HASH].[NUMBER] -# or have symbolic links to them of this form. -#CACertificatePath /etc/ssh/ca/crt - -# A file with multiple CRL of certificate signers -# in PEM format concatenated together. -#CARevocationFile /etc/ssh/ca/ca-bundle.crl - -# A directory with CRL of certificate signers. -# The CRL should have name of the form: [HASH].r[NUMBER] -# or have symbolic links to them of this form. -#CARevocationPath /etc/ssh/ca/crl - -# LDAP protocol version. -# Example: -# CAldapVersion 2 - -# Note because of OpenSSH options parser limitation -# use %3D instead of = ! -# LDAP initialization may require URL to be escaped, i.e. -# use %2C instead of ,(comma). Escaped URL don't depend from -# LDAP initialization method. -# Example: -# CAldapURL ldap://localhost:389/dc%3Dexample%2Cdc%3Dcom - -# SSH can use "Online Certificate Status Protocol"(OCSP) -# to validate certificate. Set VAType to -# - none : do not use OCSP to validate certificates; -# - ocspcert: validate only certificates that specify `OCSP -# Service Locator' URL; -# - ocspspec: use specified in the configuration 'OCSP Responder' -# to validate all certificates. -#VAType none - -# Lifetime and size of ephemeral version 1 server key -#KeyRegenerationInterval 1h -#ServerKeyBits 1024 - -# Logging -# obsoletes QuietMode and FascistLogging -#SyslogFacility AUTH -#LogLevel INFO - -# Authentication: - -#LoginGraceTime 2m -#PermitRootLogin yes -#StrictModes yes -#MaxAuthTries 6 -#MaxSessions 10 - -#RSAAuthentication yes -#PubkeyAuthentication yes -#AuthorizedKeysFile .ssh/authorized_keys - -# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts -#RhostsRSAAuthentication no -# similar for protocol version 2 -#HostbasedAuthentication no -# Change to yes if you don't trust ~/.ssh/known_hosts for -# RhostsRSAAuthentication and HostbasedAuthentication -#IgnoreUserKnownHosts no -# Don't read the user's ~/.rhosts and ~/.shosts files -#IgnoreRhosts yes - -# To disable tunneled clear text passwords, change to no here! -PasswordAuthentication no -#PermitEmptyPasswords no - -# Change to no to disable s/key passwords -#ChallengeResponseAuthentication yes - -# Kerberos options -#KerberosAuthentication no -#KerberosOrLocalPasswd yes -#KerberosTicketCleanup yes -#KerberosGetAFSToken no - -# GSSAPI options -#GSSAPIAuthentication no -#GSSAPICleanupCredentials yes - -# Set this to 'yes' to enable PAM authentication, account processing, -# and session processing. If this is enabled, PAM authentication will -# be allowed through the ChallengeResponseAuthentication and -# PasswordAuthentication. Depending on your PAM configuration, -# PAM authentication via ChallengeResponseAuthentication may bypass -# the setting of "PermitRootLogin without-password". -# If you just want the PAM account and session checks to run without -# PAM authentication, then enable this but set PasswordAuthentication -# and ChallengeResponseAuthentication to 'no'. -UsePAM yes - -#AllowAgentForwarding yes -#AllowTcpForwarding yes -#GatewayPorts no -#X11Forwarding no -#X11DisplayOffset 10 -#X11UseLocalhost yes -PrintMotd no -PrintLastLog no -#TCPKeepAlive yes -#UseLogin no -#UsePrivilegeSeparation yes -#PermitUserEnvironment no -#Compression delayed -#ClientAliveInterval 0 -#ClientAliveCountMax 3 -#UseDNS yes -#PidFile /var/run/sshd.pid -#MaxStartups 10 -#PermitTunnel no -#ChrootDirectory none - -# no default banner path -#Banner none - -# override default of no subsystems -Subsystem sftp /usr/lib64/misc/sftp-server - -# the following are HPN related configuration options -# tcp receive buffer polling. disable in non autotuning kernels -#TcpRcvBufPoll yes - -# allow the use of the none cipher -#NoneEnabled no - -# disable hpn performance boosts. -#HPNDisabled no - -# buffer size for hpn to non-hpn connections -#HPNBufferSize 2048 - - -# Example of overriding settings on a per-user basis -#Match User anoncvs -# X11Forwarding no -# AllowTcpForwarding no -# ForceCommand cvs server diff --git a/ssh/ssh_config b/ssh/ssh_config index cc30b7b7..b632c25c 100644 --- a/ssh/ssh_config +++ b/ssh/ssh_config @@ -18,8 +18,8 @@ # ssh_config(5) man page. # Host * - ForwardAgent yes - ForwardX11 yes +# ForwardAgent no +# ForwardX11 no # RhostsRSAAuthentication no # RSAAuthentication yes # PasswordAuthentication yes diff --git a/ssh/sshd_config b/ssh/sshd_config index 9f5583ea..176bf48d 100644 --- a/ssh/sshd_config +++ b/ssh/sshd_config @@ -1,4 +1,4 @@ -# $OpenBSD: sshd_config,v 1.82 2010/09/06 17:10:19 naddy Exp $ +# $OpenBSD$ # This is the sshd server system-wide configuration file. See # sshd_config(5) for more information. @@ -175,22 +175,6 @@ PrintLastLog no # no default banner path #Banner none -# here are the new patched ldap related tokens -# entries in your LDAP must have posixAccount & ldapPublicKey objectclass -#UseLPK yes -#LpkLdapConf /etc/ldap.conf -#LpkServers ldap://10.1.7.1/ ldap://10.1.7.2/ -#LpkUserDN ou=users,dc=phear,dc=org -#LpkGroupDN ou=groups,dc=phear,dc=org -#LpkBindDN cn=Manager,dc=phear,dc=org -#LpkBindPw secret -#LpkServerGroup mail -#LpkFilter (hostAccess=master.phear.org) -#LpkForceTLS no -#LpkSearchTimelimit 3 -#LpkBindTimelimit 3 -#LpkPubKeyAttr sshPublicKey - # override default of no subsystems Subsystem sftp /usr/lib64/misc/sftp-server diff --git a/texmf/ls-R b/texmf/ls-R index 91aa9546..0b09ad0a 100644 --- a/texmf/ls-R +++ b/texmf/ls-R @@ -21,6 +21,7 @@ config ./dvips.d: ./fmtutil.d: +format.jadetex.cnf format.texlive-basic.cnf format.texlive-context.cnf format.texlive-formatsextra.cnf @@ -60,6 +61,7 @@ texdoc.cnf 10standardpaths.cnf 15options.cnf 20sizes.cnf +80jadetex.cnf ./updmap.d: 00updmap.cfg diff --git a/texmf/web2c/fmtutil.cnf b/texmf/web2c/fmtutil.cnf index f364dada..c17f34b4 100644 --- a/texmf/web2c/fmtutil.cnf +++ b/texmf/web2c/fmtutil.cnf @@ -1,3 +1,6 @@ +# JadeTeX +jadetex pdftex language.dat -translate-file=cp227.tcx &latex jadetex.ini +pdfjadetex pdftex language.dat -translate-file=cp227.tcx &pdflatex pdfjadetex.ini # Generated for texlive-basic by texlive-module.eclass dviluatex luatex language.def,language.dat.lua dviluatex.ini luatex luatex language.def,language.dat.lua luatex.ini diff --git a/texmf/web2c/texmf.cnf b/texmf/web2c/texmf.cnf index 61a19825..54043435 100644 --- a/texmf/web2c/texmf.cnf +++ b/texmf/web2c/texmf.cnf @@ -717,3 +717,40 @@ max_strings.pbibtex = 35307 line_length.gftype = 500 max_rows.gftype = 8191 max_cols.gftype = 8191 +% -- jadetex configuration params added by texmf-update -- +% latex settings +main_memory.latex = 1100000 +param_size.latex = 1500 +stack_size.latex = 1500 +hash_extra.latex = 15000 +string_vacancies.latex = 45000 +pool_free.latex = 47500 +nest_size.latex = 500 +save_size.latex = 5000 +pool_size.latex = 500000 +max_strings.latex = 55000 +font_mem_size.latex= 400000 + +% jadetex & pdfjadetex +main_memory.jadetex = 1500000 +param_size.jadetex = 1500 +stack_size.jadetex = 1500 +hash_extra.jadetex = 50000 +string_vacancies.jadetex = 45000 +pool_free.jadetex = 47500 +nest_size.jadetex = 500 +save_size.jadetex = 5000 +pool_size.jadetex = 500000 +max_strings.jadetex = 55000 + +main_memory.pdfjadetex = 2500000 +param_size.pdfjadetex = 1500 +stack_size.pdfjadetex = 1500 +hash_extra.pdfjadetex = 50000 +string_vacancies.pdfjadetex = 45000 +pool_free.pdfjadetex = 47500 +nest_size.pdfjadetex = 500 +save_size.pdfjadetex = 5000 +pool_size.pdfjadetex = 500000 +max_strings.pdfjadetex = 55000 +% -- jadetex configuration ends here --