mirror of https://sc.cryxtal.org/crystal/forgejo
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
pr/releasenotes-1.21.11-0
forgejo
pr/gitea-version
test/6543-doctor
v1.20/forgejo
v1.19/crystal
v1.19/forgejo
v1.18/crystal
v1.20/crystal
pr/issue-template-next
forgejo-development
v1.18/forgejo
crystal/ssh-key-fix-test
pr/a11y-bp-fix
pr/swagger-title
archive/2023-02-24/v1.18/crystal
pr/doc-release-notes-1.18.3-2
archive/2023-02-18/v1.18/crystal
crystal/ci-bp-merge
crystal/ci
archive/2023-02-09/v1.18/crystal
main
release/v1.18
v1.20.0-dev
v1.19.0-dev
v1.17.3
v1.17.2
v1.17.1
v1.17.0
v1.17.0-rc2
v1.16.9
v1.17.0-rc1
v1.18.0-dev
v1.16.8
v1.16.7
v1.16.6
v1.16.5
v1.16.4
v1.16.3
v1.16.2
v1.16.1
v1.16.0
v1.15.11
v1.17.0-dev
v1.16.0-rc1
v1.15.10
v1.15.9
v1.15.8
v1.15.7
v1.15.6
v1.15.5
v1.15.4
v1.15.3
v1.15.2
v1.15.1
v1.14.7
v1.15.0
v1.15.0-rc3
v1.14.6
v1.15.0-rc2
v1.14.5
v1.16.0-dev
v1.15.0-rc1
v1.14.4
v1.14.3
v1.14.2
v1.14.1
v1.14.0
v1.13.7
v1.14.0-rc2
v1.13.6
v1.13.5
v1.14.0-rc1
v1.15.0-dev
v1.13.4
v1.13.3
v1.13.2
v1.13.1
v1.13.0
v1.12.6
v1.13.0-rc2
v1.14.0-dev
v1.13.0-rc1
v1.12.5
v1.12.4
v1.12.3
v1.12.2
v1.12.1
v1.11.8
v1.12.0
v1.11.7
v1.12.0-rc2
v1.11.6
v1.12.0-rc1
v1.13.0-dev
v1.11.5
v1.11.4
v1.11.3
v1.10.6
v1.12.0-dev
v1.11.2
v1.10.5
v1.11.1
v1.10.4
v1.11.0
v1.11.0-rc2
v1.10.3
v1.11.0-rc1
v1.10.2
v1.10.1
v1.10.0
v1.9.6
v1.9.5
v1.10.0-rc2
v1.11.0-dev
v1.10.0-rc1
v1.9.4
v1.9.3
v1.9.2
v1.9.0
v1.9.0-rc2
v1.10.0-dev
v1.9.0-rc1
v1.8.3
v1.8.2
v1.8.1
v1.8.0
v1.8.0-rc3
v1.7.6
v1.8.0-rc2
v1.7.5
v1.8.0-rc1
v1.9.0-dev
v1.7.4
v1.7.3
v1.7.2
v1.7.1
v1.7.0
v1.7.0-rc3
v1.6.4
v1.7.0-rc2
v1.6.3
v1.7.0-rc1
v1.7.0-dev
v1.6.2
v1.6.1
v1.6.0
v1.6.0-rc2
v1.5.3
v1.6.0-rc1
v1.6.0-dev
v1.5.2
v1.5.1
v1.5.0
v1.5.0-rc2
v1.5.0-rc1
v1.5.0-dev
v1.4.3
v1.4.1
v1.4.0
v1.4.0-rc3
v1.4.0-rc2
v1.3.3
v1.4.0-rc1
v1.3.2
v1.3.1
v1.3.0
v1.3.0-rc2
v1.3.0-rc1
v1.2.3
v1.2.2
v1.2.1
v1.2.0
v1.2.0-rc2
v1.1.4
v1.2.0-rc1
v1.1.3
v1.1.1
v1.1.0
v1.0.2
v0.9.99
v1.0.0
v1.0.1
v1.1.2
v1.18.0-0
v1.18.0-1
v1.18.0-rc0
v1.18.0-rc1
v1.18.0-rc1-1
v1.18.0-rc1-2
v1.18.1-0
v1.18.2-0
v1.18.2-1
v1.18.3-0
v1.18.3-1
v1.18.3-2
v1.18.5-0
v1.19.0-2
v1.19.0-3
v1.19.1-0
v1.19.2-0
v1.19.3-0
v1.19.4-0
v1.2.0-rc3
v1.4.2
v1.9.1
${ noResults }
6543
3e5c844a77
Backport #19040 The PAM module has previously only checked the results of the authentication module. However, in normal PAM practice most users will expect account module authorization to also be checked. Without doing this check in almost every configuration expired accounts and accounts with expired passwords will still be able to login. This is likely to represent a significant gotcha in most configurations and cause most users configurations to be potentially insecure. Therefore we should add in the account authorization check. ## ⚠️ **BREAKING** ⚠️ Users of the PAM module who rely on account modules not being checked will need to change their PAM configuration. However, as it is likely that the vast majority of users of PAM will be expecting account authorization to be checked in addition to authentication we should make this breaking change to make the default behaviour correct for the majority. --- I suggest we backport this despite the BREAKING nature because of the surprising nature of this. Thanks to @ysf for bringing this to our attention. Co-authored-by: zeripath <art27@cantab.net> Co-authored-by: ysf <34326+ysf@users.noreply.github.com> |
3 years ago | |
|---|---|---|
| .. | ||
| openid | Use gitea forked macaron (#7933) | 5 years ago |
| pam | fix pam authorization (#19040) (#19047) | 3 years ago |
| webauthn | Support webauthn (#17957) | 3 years ago |