new file mode 100644

@@ -0,0 +1,14 @@

+#Begin /etc/pam.d/chage

+

+# always allow root

+auth      sufficient  pam_rootok.so

+

+# include system defaults for auth account and session

+auth      include     system-auth

+account   include     system-account

+session   include     system-session

+

+# Always permit for authentication updates

+password  required    pam_permit.so

+

+# End /etc/pam.d/chage

new file mode 100644

@@ -0,0 +1,13 @@

+#Begin /etc/pam.d/chage

+

+# always allow root

+auth      sufficient  pam_rootok.so

+

+# include system defaults for auth account and session

+auth      include     system-auth

+account   include     system-account

+session   include     system-session

+

+password  include     system-password

+

+# End /etc/pam.d/chage

new file mode 100644

@@ -0,0 +1,45 @@

+# Begin /etc/pam.d/login

+

+# Set failure delay before next prompt to 3 seconds

+auth      optional    pam_faildelay.so  delay=3000000

+

+# Check to make sure that the user is allowed to login

+auth      requisite   pam_nologin.so

+

+# Check to make sure that root is allowed to login

+# Disabled by default. You will need to create /etc/securetty

+# file for this module to function. See man 5 securetty.

+#auth      required    pam_securetty.so

+

+# Additional group memberships - disabled by default

+#auth      optional    pam_group.so

+

+# include the default auth settings

+auth      include     system-auth

+

+# check access for the user

+account   required    pam_access.so

+

+# include the default account settings

+account   include     system-account

+

+# Set default environment variables for the user

+session   required    pam_env.so

+

+# Set resource limits for the user

+session   required    pam_limits.so

+

+# Display date of last login - Disabled by default

+#session   optional    pam_lastlog.so

+

+# Display the message of the day - Disabled by default

+#session   optional    pam_motd.so

+

+# Check user's mail - Disabled by default

+#session   optional    pam_mail.so      standard quiet

+

+# include the default session and password settings

+session   include     system-session

+password  include     system-password

+

+# End /etc/pam.d/login

new file mode 100644

@@ -0,0 +1,12 @@

+# Begin /etc/pam.d/other

+

+auth        required        pam_warn.so

+auth        required        pam_deny.so

+account     required        pam_warn.so

+account     required        pam_deny.so

+password    required        pam_warn.so

+password    required        pam_deny.so

+session     required        pam_warn.so

+session     required        pam_deny.so

+

+# End /etc/pam.d/other

new file mode 100644

@@ -0,0 +1,8 @@

+# Begin /etc/pam.d/passwd

+

+auth      include     system-auth

+account   include     system-account

+session   include     system-session

+password  include     system-password

+

+# End /etc/pam.d/passwd

new file mode 100644

@@ -0,0 +1,9 @@

+# Begin /etc/pam.d/sshd

+

+auth            include         system-auth

+account         include         system-account

+password        include         system-password

+session         include         system-session

+

+# End /etc/pam.d/sshd

+

new file mode 100644

@@ -0,0 +1,16 @@

+# Begin /etc/pam.d/su

+

+# always allow root

+auth      sufficient  pam_rootok.so

+auth      include     system-auth

+

+# include the default account settings

+account   include     system-account

+

+# Set default environment variables for the service user

+session   required    pam_env.so

+

+# include system session defaults

+session   include     system-session

+

+# End /etc/pam.d/su

new file mode 100644

@@ -0,0 +1,5 @@

+# Begin /etc/pam.d/system-account

+

+account   required    pam_unix.so

+

+# End /etc/pam.d/system-account

new file mode 100644

@@ -0,0 +1,5 @@

+# Begin /etc/pam.d/system-auth

+

+auth      required    pam_unix.so

+

+# End /etc/pam.d/system-auth

new file mode 100644

@@ -0,0 +1,8 @@

+# Begin /etc/pam.d/system-password

+

+# use sha512 hash for encryption, use shadow, and try to use any previously

+# defined authentication token (chosen password) set by any prior module

+password  requisite   pam_cracklib.so

+password  required    pam_unix.so       sha512 shadow try_first_pass

+

+# End /etc/pam.d/system-password

new file mode 100644

@@ -0,0 +1,8 @@

+# Begin /etc/pam.d/system-session

+

+session   required    pam_unix.so

+session   required    pam_limits.so

+session   optional    pam_systemd.so

+session   optional    pam_loginuid.so

+

+# End /etc/pam.d/system-session

@@ -1,7 +1,7 @@

 Summary:	Programs for handling passwords in a secure way

 Name:		shadow

 Version:	4.2.1

-Release:	11%{?dist}

+Release:	12%{?dist}

 URL:		http://pkg-shadow.alioth.debian.org/

 License:	BSD

 Group:		Applications/System

@@ -9,8 +9,17 @@ Vendor:		VMware, Inc.

 Distribution:	Photon

 Source0:	http://pkg-shadow.alioth.debian.org/releases/%{name}-%{version}.tar.xz

 %define sha1 shadow=0917cbadd4ce0c7c36670e5ecd37bbed92e6d82d

-Source1:	PAM-Configuration-Files-1.5.tar.gz

-%define sha1 PAM=08052511f985e3b3072c194ac1287e036d9299fb

+Source1:        chage

+Source2:        chpasswd

+Source3:        login

+Source4:        other

+Source5:        passwd

+Source6:        sshd

+Source7:        su

+Source8:        system-account

+Source9:        system-auth

+Source10:       system-password

+Source11:       system-session

 Patch0: chkname-allowcase.patch

 Patch1: shadow-4.2.1-CVE-2016-6252-fix.patch

 Patch2: shadow-4.2.1-CVE-2017-12424.patch

@@ -26,7 +35,6 @@ The Shadow package contains programs for handling passwords

 in a secure way.

 %prep

 %setup -q -n %{name}-%{version}

-%setup -q -T -D -a 1

 %patch0 -p1

 %patch1 -p1

 %patch2 -p1

@@ -79,9 +87,18 @@ done

 sed -i "s/^PASS_MAX_DAYS.*/PASS_MAX_DAYS    90/" %{buildroot}/etc/login.defs

-pushd PAM-Configuration-Files

-install -vm644 * %{buildroot}%{_sysconfdir}/pam.d/

-popd

+install -vm644 %{SOURCE1} %{buildroot}%{_sysconfdir}/pam.d/

+install -vm644 %{SOURCE2} %{buildroot}%{_sysconfdir}/pam.d/

+install -vm644 %{SOURCE3} %{buildroot}%{_sysconfdir}/pam.d/

+install -vm644 %{SOURCE4} %{buildroot}%{_sysconfdir}/pam.d/

+install -vm644 %{SOURCE5} %{buildroot}%{_sysconfdir}/pam.d/

+install -vm644 %{SOURCE6} %{buildroot}%{_sysconfdir}/pam.d/

+install -vm644 %{SOURCE7} %{buildroot}%{_sysconfdir}/pam.d/

+install -vm644 %{SOURCE8} %{buildroot}%{_sysconfdir}/pam.d/

+install -vm644 %{SOURCE9} %{buildroot}%{_sysconfdir}/pam.d/

+install -vm644 %{SOURCE10} %{buildroot}%{_sysconfdir}/pam.d/

+install -vm644 %{SOURCE11} %{buildroot}%{_sysconfdir}/pam.d/

+

 for PROGRAM in chfn chgpasswd chsh groupadd groupdel \

                groupmems groupmod newusers useradd userdel usermod

 do

@@ -105,6 +122,9 @@ done

 %{_mandir}/*/*

 %config(noreplace) %{_sysconfdir}/pam.d/*

 %changelog

+*   Fri Apr 20 2018 Alexey Makhalov <amakhalov@vmware.com> 4.2.1-12

+-   Move pam.d config file to here for better tracking.

+-   Add pam_loginuid module as optional in a session.

 *   Tue Aug 15 2017 Anish Swaminathan <anishs@vmware.com> 4.2.1-11

 -   Added fix for CVE-2017-12424

 *   Fri Jun 30 2017 Harish Udaiya Kumar <hudaiyakumar@vmware.com> 4.2.1-10