Commit Graph

62 Commits

Author SHA1 Message Date
Dag-Erling Smørgrav
394fc87351 X logins should be recorded in lastlog / wtmp / utmp. I have no idea why
this wasn't there already...  it makes much more sense this way.

MFC after:	2 weeks
2005-04-28 07:59:09 +00:00
Ruslan Ermilov
e653b48c80 Start the dreaded NOFOO -> NO_FOO conversion.
OK'ed by:	core
2004-12-21 08:47:35 +00:00
Ruslan Ermilov
a35d88931c For variables that are only checked with defined(), don't provide
any fake value.
2004-10-24 15:33:08 +00:00
Jens Schweikhardt
d8beb0fd3b Removed whitespace at BOF, EOL & EOF. 2004-06-06 11:46:29 +00:00
Dag-Erling Smørgrav
650b9c5eaa the default password policy for xdm should be pam_deny, since it is
incapable of holding a meaningful conversation.
2004-02-20 21:59:51 +00:00
Dag-Erling Smørgrav
4b11e601bf Don't do session management in su.
PR:		misc/53293
Submitted by:	ru
2003-07-09 18:40:49 +00:00
Dag-Erling Smørgrav
c3d7aa730d Add a system policy, and have the login and su policies include it rather
than duplicate it.  This requires OpenPAM Dianthus, which was committed two
weeks ago; installing these files on a system running a world older than
June 1st, 2003 will cause login(1) and su(1) to fail.
2003-06-14 12:35:05 +00:00
Dag-Erling Smørgrav
c25f3cbff7 Try to describe the control flags a little better. 2003-06-01 00:34:38 +00:00
Mark Murray
daf509c612 The PAM module pam_krb5 does not have "session" capabilities.
Don't give examples of such use, this is bogus.
2003-04-30 21:57:54 +00:00
Dag-Erling Smørgrav
b418f48cba Add nullok to the pam_unix line. 2003-04-24 12:22:42 +00:00
Ruslan Ermilov
14ab92b024 Use the canonical form of installing links.
Also, make "ftp" and "ftpd" hard links.

Not objected to by:	des
2003-03-14 09:01:22 +00:00
Mark Murray
38b1858b1b Initiate KerberosIV de-orbit burn. Disconnect the /etc configs. 2003-03-08 09:50:11 +00:00
Dag-Erling Smørgrav
1995e9db8a Add the allow_local option to all pam_opieaccess entries. 2003-02-16 13:02:39 +00:00
Dag-Erling Smørgrav
aaf7fddd4f Add the want_agent option to the commented-out "session" pam_ssh entry. 2003-02-16 13:02:03 +00:00
Dag-Erling Smørgrav
75af7cb8a7 Major cleanup & homogenization. 2003-02-10 00:50:03 +00:00
Dag-Erling Smørgrav
87e55d0799 No idea what this is for, and it doesn't make much sense. If a port needs
it, it can install its own copy in /usr/local/etc/pam.d/.
2003-02-10 00:49:44 +00:00
Dag-Erling Smørgrav
5eb3150c28 There's no reason to have two identical policies for FTP servers, so
make ftp a symlink to ftpd.
2003-02-10 00:47:46 +00:00
Dag-Erling Smørgrav
e7744a70b3 Use pam_group(8) instead of pam_wheel(8). 2003-02-06 14:33:23 +00:00
Dag-Erling Smørgrav
487fffcbf2 Don't enable pam_krb5 by default - most people don't have it since most
people don't build with MAKE_KERBEROS5 defined.  Provide commented-out
usage examples instead, like we do everywhere else.

Pointy hat to:	des
2003-02-03 14:45:02 +00:00
Dag-Erling Smørgrav
f1c2c0a87e Enable pam_krb5 for sshd. I've had this in my tree for ages. 2003-02-02 18:41:26 +00:00
Dag-Erling Smørgrav
5d93b6af54 Since OpenSSH drops privileges before calling pam_open_session(3),
pam_lastlog(8) can't possibly work, so let OpenSSH handle lastlog.

Approved by:	re (rwatson)
2002-12-03 15:48:11 +00:00
Robert Watson
64ac587b8a Exempt the "wheel group requirement" by default when su'ing to root if
the wheel group has no explicit members listed in /etc/group.  This adds
the "exempt_if_empty" flag to pam_wheel in the default configuration;
in some environments, it may be appropriate to remove this flag, however,
this default is the same as pre-pam_wheel.

Reviewed by:	markm
Sponsored by:	DARPA, Network Associates Laboratories
2002-10-18 02:39:21 +00:00
Dag-Erling Smørgrav
cda86084ab Silence pam_lastlog for now. 2002-07-07 10:00:43 +00:00
Dag-Erling Smørgrav
bc39792308 We don't use this any more.
Sponsored by:	DARPA, NAI Labs
2002-06-19 20:01:25 +00:00
Dag-Erling Smørgrav
bb151ea158 Enable OPIE for sshd and telnetd. I thought I'd done this a long time
ago...

Sponsored by:	DARPA, NAI Labs
2002-06-19 20:00:43 +00:00
Dag-Erling Smørgrav
a87cdc1598 Use pam_lastlog(8)'s new no_fail option.
Sponsored by:	DARPA, NAI Labs
2002-05-08 00:33:02 +00:00
Dag-Erling Smørgrav
05ade9be70 Add a PAM policy for rexecd(8).
Sponsored by:	DARPA, NAI Labs
2002-05-02 05:05:28 +00:00
Dag-Erling Smørgrav
48988cd4bd xdm plays horrid tricks with PAM, and dumps core if it's allowed to call
pam_lastlog, so add a dummy session chain to avoid using the one from
pam.d/other.  I assume gdm does something similar, so give it a dummy
session chain as well.

Sponsored by:	DARPA, NAI Labs.
2002-05-02 05:00:40 +00:00
Dag-Erling Smørgrav
4b448ce5d5 Add no_warn to pam_lastlog. This should prevent xdm from dumping core
when linked with Linux-PAM.
2002-04-29 15:22:00 +00:00
Dag-Erling Smørgrav
214f3239c0 Don't list pam_unix in the session chain, since it does not provide any
session management services.

Sponsored by:	DARPA, NAI Labs
2002-04-18 17:40:27 +00:00
Ruslan Ermilov
5b3e868df5 Fixed bugs in previous revision:
Added NOOBJ if anyone even attempts to "make obj" here.
Revert to installing files with mode 644 except README.
Make this overall look like a BSD-style Makefile rather
than roll-your-own (this is not a bug).

For the record.  Previous revision also fixed the breakage
introduced by the sys.mk,v 1.60 commit: bsd.own.mk is no
longer automatically included from sys.mk.

Reported by:	jhay
2002-04-18 10:58:14 +00:00
Dag-Erling Smørgrav
8abb6072c1 Use ${FILES} and <bsd.prog.mk> rather than roll-your-own. 2002-04-18 10:07:36 +00:00
Dag-Erling Smørgrav
a64210378b Add PAM policy for the "passwd" service, including a sample config line
for pam_passwdqc.

Sponsored by:	DARPA, NAI Labs
2002-04-15 03:01:32 +00:00
Dag-Erling Smørgrav
ce93a006f1 Add pam_lastlog(8) here since I removed lastlog support from sshd.
Sponsored by:	DARPA, NAI Labs
2002-04-15 02:46:24 +00:00
Dag-Erling Smørgrav
e5df14bff8 Use pam_rhosts(8). 2002-04-12 23:20:30 +00:00
Dag-Erling Smørgrav
540d48b77c If used, pam_ssh should be marked "sufficient", not "required".
Sponsored by:	DARPA, NAI Labs
2002-04-08 09:52:47 +00:00
Ruslan Ermilov
2735cfee64 Switch over to using pam_login_access(8) module in sshd(8).
(Fixes static compilation.  Reduces diffs to OpenSSH.)

Reviewed by:	bde
2002-03-26 12:52:28 +00:00
Dag-Erling Smørgrav
1f3030b053 Add missing "nullok" option to pam_unix. 2002-02-08 23:27:22 +00:00
Dag-Erling Smørgrav
34cab37003 Add pam_self(8) so users can login(1) as themselves without authentication,
pam_login_access(8) and pam_securetty(8) to enforce various checks
previously done by login(1) but now handled by PAM, and pam_lastlog(8) to
record login sessions in utmp / wtmp / lastlog.

Sponsored by:	DARPA, NAI Labs
2002-01-30 19:13:23 +00:00
Dag-Erling Smørgrav
86f01a8b27 Use pam_self(8) to allow users to su(1) to themselves without authentication.
Sponsored by:	DARPA, NAI Labs
2002-01-30 19:04:39 +00:00
Dag-Erling Smørgrav
ae739ec469 Enable OPIE by default, using the no_fake_prompts option to hide it from
users who don't wish to use it.  If the admin is worried about leaking
information about which users exist and which have OPIE enabled, the
no_fake_prompts option can simply be removed.

Also insert the appropriate pam_opieaccess lines after pam_opie to break
the chain in case the user is logging in from an untrusted host, or has a
.opiealways file.  The entire opieaccess / opiealways concept is slightly
unpammish, but admins familiar with OPIE will expect it to work.

Reviewed by:	ache, markm
Sponsored by:	DARPA, NAI Labs
2002-01-21 18:51:24 +00:00
Dag-Erling Smørgrav
819a142080 Really back out ache's commits. These files are now precisely as they were
twentyfour hours ago, except for RCS ids.
2002-01-19 18:29:50 +00:00
Andrey A. Chernov
0b836dfaf1 Back out recent changes 2002-01-19 18:03:11 +00:00
Andrey A. Chernov
3bfbfd1770 Turn on pam_opie by default. It should not affect non-OPIE users. 2002-01-19 10:31:32 +00:00
Andrey A. Chernov
a0fc79c334 Turn on pam_opie by default. It not affect non-OPIE users 2002-01-19 09:06:45 +00:00
Andrey A. Chernov
e04359cdac Previous commit was incomplete, use
"[default=ignore success=done cred_err=die]"
options instead of "required"
2002-01-19 08:39:35 +00:00
Andrey A. Chernov
2bda025221 Remove explaining comment and pam_unix commented out, now pam_unix can be
chained with pam_opie
2002-01-19 07:32:47 +00:00
Andrey A. Chernov
a3643aa542 Change comment since fallback provided now not by ftpd but by pam_opie 2002-01-19 03:35:39 +00:00
Dag-Erling Smørgrav
4e8b159f5e Unmunge the version preservation code and obfuscate it so CVS won't munge
it all over again.
2002-01-12 23:08:59 +00:00
Dag-Erling Smørgrav
f89a116468 Back out previous commit, which erroneously removed essential comments. I
definitely need coffee.

Apologies to:	ache
2002-01-12 14:22:22 +00:00