Fix Debian build process

debian/changelog

@@ -1,3 +1,32 @@
+libpam-tacplus (1.7.0-1) unstable; urgency=medium
+
+* libtac: Refactored the complex and overengineered TACACS+ session id generation,
+  replacing it with getrandom(2).
+* libtac: gnulib now provides implementation of missing functions.
+* libtac: Removed legacy MD5 code and replaced it with gnulib.
+* libtac: Legacy data structures such as attribute lists were replaced with gnulib structures.
+* libtac: CHAP implementation used a fixed challenge in contradiction with the RFC 1994
+  requirement. This was replaced with a pseudo-random challenge generated using getrandom(2).
+* libtac: ABI version set to 5:0:0. From now on, this is the only way to version the library.
+  The legacy static variables tac_ver_ were removed as confusing.
+* pam_tacplus: Calling process PID is now used as the task_id attribute in TACACS+
+  accounting session. This replaces an overengineered cryptographically random tasks identifiers.
+* libtac: Fix CVE-2016-20014. Closes: #1009966
+
+ -- Pawel Krawczyk <pawel.krawczyk@hush.com>  Sat, 31 Oct 2022 22:44:00 +0100
+
+libpam-tacplus (1.6.2-1) unstable; urgency=medium
+
+  * Fix CVE-2020-27743.
+  * Allow selection of source addresses.
+  * Support for DSCP marking packets.
+  * Make most network requests timeout aware.
+  * Fix Debian build scripts.
+  * OpenSSL licensing clarifications.
+  * Use more neutral terminology.
+
+ -- Pawel Krawczyk <pawel.krawczyk@hush.com>  Tue, 27 Oct 08:39:57 2020 +0000
+
 libpam-tacplus (1.4.1-1) unstable; urgency=low
 
   * Added a simple TACACS+ command-line client (tacc)

debian/control

@@ -2,7 +2,7 @@ Source: libpam-tacplus
 Section: admin
 Priority: extra
 Maintainer: Jeroen Nijhof <jeroen@jeroennijhof.nl>
-Build-Depends: debhelper (>= 9), libpam-dev, dh-autoreconf, autoconf-archive
+Build-Depends: debhelper (>= 9), libpam-dev, dh-autoreconf, autoconf-archive, gnulib, libtool
 Standards-Version: 3.9.5
 Homepage: https://github.com/jeroennijhof/pam_tacplus
 

debian/rules

@@ -1,21 +1,23 @@
 #!/usr/bin/make -f
 # -*- makefile -*-
-# Sample debian/rules that uses debhelper.
-# This file was originally written by Joey Hess and Craig Small.
-# As a special exception, when this file is copied by dh-make into a
-# dh-make output file, you may use that output file without restriction.
-# This special exception was added by Craig Small in version 0.37 of dh-make.
+
 # Uncomment this to turn on verbose mode.
 #export DH_VERBOSE=1
-SHELL := sh -e
+
+# see FEATURE AREAS in dpkg-buildflags(1)
+export DEB_BUILD_MAINT_OPTIONS = hardening=+all
 
 %:
-	dh  $@ --with autoreconf
+	dh  $@
 
 override_dh_clean:
 	rm -f config.status config.log
+	rm -f m4/* lib/*.c lib/*.h lib/Makefile.gnulib
 	dh_clean
 
+override_dh_update_autotools_config:
+	gnulib-tool --makefile-name=Makefile.gnulib --libtool --import fcntl crypto/md5 array-list list xlist getrandom realloc-posix explicit_bzero xalloc getopt-gnu
+
 override_dh_auto_configure:
 	dh_auto_configure -- --enable-pamdir=/lib/$(DEB_HOST_MULTIARCH)/security --docdir=/usr/share/doc/libpam-tacplus
 
@@ -24,10 +26,5 @@ override_dh_install:
 	cp debian/tacplus debian/libpam-tacplus/usr/share/pam-configs/
 	dh_install
 
+# check-local target requires a running tac_plus server
 override_dh_auto_test:
-	mkdir -p /etc/pam.d
-	sudo cp test/test /etc/pam.d/test
-	sudo mkdir -p /etc/tacacs+/
-	sudo cp test/tac_plus.conf /etc/tacacs+
-	dh_auto_test
-	sudo rm -rf /etc/pam.d/test /etc/tacacs+/tac_plus.conf