58 Commits

Author SHA1 Message Date
des
ef2b0ca1b6 the default password policy for xdm should be pam_deny, since it is
incapable of holding a meaningful conversation.
2004-02-20 21:59:51 +00:00
des
7f22ba1fe3 Don't do session management in su.
PR:		misc/53293
Submitted by:	ru
2003-07-09 18:40:49 +00:00
des
d01d40fe79 Add a system policy, and have the login and su policies include it rather
than duplicate it.  This requires OpenPAM Dianthus, which was committed two
weeks ago; installing these files on a system running a world older than
June 1st, 2003 will cause login(1) and su(1) to fail.
2003-06-14 12:35:05 +00:00
des
af0f06d5ab Try to describe the control flags a little better. 2003-06-01 00:34:38 +00:00
markm
dc6ac7d338 The PAM module pam_krb5 does not have "session" capabilities.
Don't give examples of such use, this is bogus.
2003-04-30 21:57:54 +00:00
des
3c5f7b448b Add nullok to the pam_unix line. 2003-04-24 12:22:42 +00:00
ru
3a620497c0 Use the canonical form of installing links.
Also, make "ftp" and "ftpd" hard links.

Not objected to by:	des
2003-03-14 09:01:22 +00:00
markm
1e22e1bfaf Initiate KerberosIV de-orbit burn. Disconnect the /etc configs. 2003-03-08 09:50:11 +00:00
des
d0ae5c8b4f Add the allow_local option to all pam_opieaccess entries. 2003-02-16 13:02:39 +00:00
des
87c987bdea Add the want_agent option to the commented-out "session" pam_ssh entry. 2003-02-16 13:02:03 +00:00
des
0d733a1adf Major cleanup & homogenization. 2003-02-10 00:50:03 +00:00
des
55b6aeb7af No idea what this is for, and it doesn't make much sense. If a port needs
it, it can install its own copy in /usr/local/etc/pam.d/.
2003-02-10 00:49:44 +00:00
des
a421016872 There's no reason to have two identical policies for FTP servers, so
make ftp a symlink to ftpd.
2003-02-10 00:47:46 +00:00
des
371378b16a Use pam_group(8) instead of pam_wheel(8). 2003-02-06 14:33:23 +00:00
des
06dacd2b63 Don't enable pam_krb5 by default - most people don't have it since most
people don't build with MAKE_KERBEROS5 defined.  Provide commented-out
usage examples instead, like we do everywhere else.

Pointy hat to:	des
2003-02-03 14:45:02 +00:00
des
139e32e2e9 Enable pam_krb5 for sshd. I've had this in my tree for ages. 2003-02-02 18:41:26 +00:00
des
fabc8e6b97 Since OpenSSH drops privileges before calling pam_open_session(3),
pam_lastlog(8) can't possibly work, so let OpenSSH handle lastlog.

Approved by:	re (rwatson)
2002-12-03 15:48:11 +00:00
rwatson
954853597a Exempt the "wheel group requirement" by default when su'ing to root if
the wheel group has no explicit members listed in /etc/group.  This adds
the "exempt_if_empty" flag to pam_wheel in the default configuration;
in some environments, it may be appropriate to remove this flag, however,
this default is the same as pre-pam_wheel.

Reviewed by:	markm
Sponsored by:	DARPA, Network Associates Laboratories
2002-10-18 02:39:21 +00:00
des
bc0315bfdb Silence pam_lastlog for now. 2002-07-07 10:00:43 +00:00
des
c419b7873c We don't use this any more.
Sponsored by:	DARPA, NAI Labs
2002-06-19 20:01:25 +00:00
des
0b6f009171 Enable OPIE for sshd and telnetd. I thought I'd done this a long time
ago...

Sponsored by:	DARPA, NAI Labs
2002-06-19 20:00:43 +00:00
des
730b4e6a64 Use pam_lastlog(8)'s new no_fail option.
Sponsored by:	DARPA, NAI Labs
2002-05-08 00:33:02 +00:00
des
48f1207dbd Add a PAM policy for rexecd(8).
Sponsored by:	DARPA, NAI Labs
2002-05-02 05:05:28 +00:00
des
24aeeab445 xdm plays horrid tricks with PAM, and dumps core if it's allowed to call
pam_lastlog, so add a dummy session chain to avoid using the one from
pam.d/other.  I assume gdm does something similar, so give it a dummy
session chain as well.

Sponsored by:	DARPA, NAI Labs.
2002-05-02 05:00:40 +00:00
des
eb9b269289 Add no_warn to pam_lastlog. This should prevent xdm from dumping core
when linked with Linux-PAM.
2002-04-29 15:22:00 +00:00
des
eaad54c725 Don't list pam_unix in the session chain, since it does not provide any
session management services.

Sponsored by:	DARPA, NAI Labs
2002-04-18 17:40:27 +00:00
ru
34ee54afdd Fixed bugs in previous revision:
Added NOOBJ if anyone even attempts to "make obj" here.
Revert to installing files with mode 644 except README.
Make this overall look like a BSD-style Makefile rather
than roll-your-own (this is not a bug).

For the record.  Previous revision also fixed the breakage
introduced by the sys.mk,v 1.60 commit: bsd.own.mk is no
longer automatically included from sys.mk.

Reported by:	jhay
2002-04-18 10:58:14 +00:00
des
248181779e Use ${FILES} and <bsd.prog.mk> rather than roll-your-own. 2002-04-18 10:07:36 +00:00
des
7023ef3b38 Add PAM policy for the "passwd" service, including a sample config line
for pam_passwdqc.

Sponsored by:	DARPA, NAI Labs
2002-04-15 03:01:32 +00:00
des
865206abfa Add pam_lastlog(8) here since I removed lastlog support from sshd.
Sponsored by:	DARPA, NAI Labs
2002-04-15 02:46:24 +00:00
des
5418e961d8 Use pam_rhosts(8). 2002-04-12 23:20:30 +00:00
des
a7fb44f78a If used, pam_ssh should be marked "sufficient", not "required".
Sponsored by:	DARPA, NAI Labs
2002-04-08 09:52:47 +00:00
ru
0f415b71a1 Switch over to using pam_login_access(8) module in sshd(8).
(Fixes static compilation.  Reduces diffs to OpenSSH.)

Reviewed by:	bde
2002-03-26 12:52:28 +00:00
des
9a8ae53f42 Add missing "nullok" option to pam_unix. 2002-02-08 23:27:22 +00:00
des
9dbb172dca Add pam_self(8) so users can login(1) as themselves without authentication,
pam_login_access(8) and pam_securetty(8) to enforce various checks
previously done by login(1) but now handled by PAM, and pam_lastlog(8) to
record login sessions in utmp / wtmp / lastlog.

Sponsored by:	DARPA, NAI Labs
2002-01-30 19:13:23 +00:00
des
c8a2c04257 Use pam_self(8) to allow users to su(1) to themselves without authentication.
Sponsored by:	DARPA, NAI Labs
2002-01-30 19:04:39 +00:00
des
66e91eedff Enable OPIE by default, using the no_fake_prompts option to hide it from
users who don't wish to use it.  If the admin is worried about leaking
information about which users exist and which have OPIE enabled, the
no_fake_prompts option can simply be removed.

Also insert the appropriate pam_opieaccess lines after pam_opie to break
the chain in case the user is logging in from an untrusted host, or has a
.opiealways file.  The entire opieaccess / opiealways concept is slightly
unpammish, but admins familiar with OPIE will expect it to work.

Reviewed by:	ache, markm
Sponsored by:	DARPA, NAI Labs
2002-01-21 18:51:24 +00:00
des
1a0c96bd43 Really back out ache's commits. These files are now precisely as they were
twenty-four hours ago, except for RCS ids.
2002-01-19 18:29:50 +00:00
ache
e50a2ed85f Back out recent changes 2002-01-19 18:03:11 +00:00
ache
117e8056c2 Turn on pam_opie by default. It should not affect non-OPIE users. 2002-01-19 10:31:32 +00:00
ache
23920181ce Turn on pam_opie by default. It does not affect non-OPIE users 2002-01-19 09:06:45 +00:00
ache
a1259ef12a Previous commit was incomplete, use
"[default=ignore success=done cred_err=die]"
options instead of "required"
2002-01-19 08:39:35 +00:00
ache
8ba7ff4550 Remove explaining comment and pam_unix commented out, now pam_unix can be
chained with pam_opie
2002-01-19 07:32:47 +00:00
ache
0cf05a6048 Change comment since fallback provided now not by ftpd but by pam_opie 2002-01-19 03:35:39 +00:00
des
96c7a40981 Unmunge the version preservation code and obfuscate it so CVS won't munge
it all over again.
2002-01-12 23:08:59 +00:00
des
50ae6b40a0 Back out previous commit, which erroneously removed essential comments. I
definitely need coffee.

Apologies to:	ache
2002-01-12 14:22:22 +00:00
des
874e7d43d8 Update copyright 2002-01-12 14:17:19 +00:00
des
7bbbf7122b Sync with pam.conf revision 1.25. 2002-01-12 13:50:33 +00:00
des
c4e9f0db58 Preserve FreeBSD version strings in target files. 2002-01-12 13:50:08 +00:00
ache
30c517e7ef Improve pam_unix/opie related ftpd comment even more 2002-01-02 09:51:33 +00:00