author: Jared H.Hudson <jhhudso@gentoo.org> 2002-04-03 22:25:21 +0000
committer: Jared H.Hudson <jhhudso@gentoo.org> 2002-04-03 22:25:21 +0000
commit: 5ba026718403bc4c8f2f41a7a54822a9c0289b33
tree: e219e6a71ac81cb29ed54217ac6e2bfbd8c6b10c /sys-apps/shadow/files
parent: quickly fix circular deps with glibc by removing virtual/glibc from deps
Quick fix for PAM bug where services that use pam_pwdb are exploitable
if you try to log in as a user 4 times with the same wrong password, and on the 5th time you enter the correct user password, you will be placed without a HOME directory and as uid 0. Currently only telnet and console login seem to be affected. Since both use the login pam file which uses system-auth, system-auth has been updated to use pam_unix instead of pam_pwdb.
Diffstat (limited to 'sys-apps/shadow/files')
-rw-r--r-- sys-apps/shadow/files/digest-shadow-4.0.2-r2 1
-rw-r--r-- sys-apps/shadow/files/pam.d/system-auth 8
2 files changed, 5 insertions, 4 deletions
diff --git a/sys-apps/shadow/files/digest-shadow-4.0.2-r2 b/sys-apps/shadow/files/digest-shadow-4.0.2-r2
new file mode 100644
index 000000000000..cd747a96a934
--- /dev/null
+++ b/sys-apps/shadow/files/digest-shadow-4.0.2-r2
@@ -0,0 +1 @@
+MD5 5a98215dd9ee6511cbc2c898898d3c14 shadow-4.0.2.tar.gz 966765
diff --git a/sys-apps/shadow/files/pam.d/system-auth b/sys-apps/shadow/files/pam.d/system-auth
index 7fdf7b660894..795f0fe723f0 100644
--- a/sys-apps/shadow/files/pam.d/system-auth
+++ b/sys-apps/shadow/files/pam.d/system-auth
@@ -1,14 +1,14 @@
#%PAM-1.0
auth required /lib/security/pam_env.so
-auth sufficient /lib/security/pam_pwdb.so likeauth nullok
+auth sufficient /lib/security/pam_unix.so likeauth nullok
auth required /lib/security/pam_deny.so
-account required /lib/security/pam_pwdb.so
+account required /lib/security/pam_unix.so
password required /lib/security/pam_cracklib.so retry=3
-password sufficient /lib/security/pam_pwdb.so nullok md5 shadow use_authtok
+password sufficient /lib/security/pam_unix.so nullok md5 shadow use_authtok
password required /lib/security/pam_deny.so
session required /lib/security/pam_limits.so
-session required /lib/security/pam_pwdb.so
+session required /lib/security/pam_unix.so
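Review bot: The four pam_pwdb.so to pam_unix.so substitutions cover only system-auth, while the commit message says any service that uses pam_pwdb is affected. A pam.d file that names /lib/security/pam_pwdb.so directly instead of going through system-auth keeps the old behaviour, so this change should come with a check of the other shipped pam.d files for remaining pam_pwdb references. Separately, the new auth line `auth sufficient /lib/security/pam_unix.so likeauth nullok` keeps nullok, so accounts with an empty password still authenticate on the telnet and console login paths named in the message; dropping nullok from the auth line is worth considering while the line is being touched. A one-line comment in the file recording why pam_pwdb was replaced would help keep the fix from being reverted later.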