either PAM_RHOST or PAM_TTY against /etc/login.access.o
This uncovers a problem with PAM_RHOST, in that if we always set it, there
is no way to distinguish between a user logging in locally and a user
logging in using 'ssh localhost'. This will be fixed by first making sure
that all PAM modules can handle PAM_RHOST being unset (which is currently
not the case), and then modifying su(1) and login(1) to not set it for
local logins.
Sponsored by: DARPA, NAI Labs
- Spam /usr/lib some more by making libssh a standard library.
- Tweak ${LIBPAM} and ${MINUSLPAM}.
- Garbage collect unused libssh_pic.a.
- Add fake -lz dependency to secure/ makefiles needed for
dynamic linkage with -lssh.
Reviewed by: des, markm
Approved by: markm
- Ignore the {try,use}_first_pass options by clearing PAM_AUTHTOK before
challenging the user. These options are meaningless for pam_opie(8)
since the user can't possibly know the right response before she sees
the challenge.
- Introduce the no_fake_prompts option. If this option is set, pam_opie(8)
will fail - rather than present a bogus challenge - if the target user
does not have an OPIE key. With this option, users who haven't set up
OPIE won't have to wonder what that "weird otp-md5 s**t" means :)
Reviewed by: ache, markm
Sponsored by: DARPA, NAI Labs
of the recent WARNS commits. The idea is:
1) FreeBSD id tags should follow vendor tags.
2) Vendor tags should not be compiled (though copyrights probably should).
3) There should be no blank line between including cdefs and __FBSDIF.
makes FreeBSD inconsistent with previous releases and "other unices" as well
as with some internal password-asking services (e.g. ftp) within the same
release.
/usr/src/lib/libpam/modules/pam_ssh/pam_ssh.c has couple of bugs which cause:
1) xdm dumps core
2) ssh1 private key is not passed to ssh-agent
3) ssh2 RSA key seems not handled properly (just a guess from source)
4) ssh_get_authentication_connectionen() fails to get connection because of
SSH_AUTH_SOCK not defined.
PR: 29609
Submitted by: Takanori Saneto <sanewo@ba2.so-net.ne.jp>
o The new options-processing API
o The new DEBUG-logging API
Add man(1) pages for ALL modules. MDOC-Police welcome
to check this.
Audit, clean up while I'm here.
Move common stuff into Makefile.inc, and tidy up all the Makefiles
as a result.
Build new modules.
Put a commented-out dependancy on libpam for the (shared) modules.
I can't bring this in just yet, as the dependancy (modules->libpam)
is reversed for the static case (libpam->modules).
pam_securetty silently succeeds if the user is on a secure tty
as defined by /etc/ttys.
pam_ftp does "anonymous ftp" style authentication with options for
specifying the anonymous user(s).
reason not to add it to others later). This causes the pam_unix
module to check the user's _own_ password, not the password of the
account that the user is authenticating into. This will allow eg:
WHEELSU type behaviour from su(1).
pam_krb5 is a Kerberos 5 (Heimdal) authentication module.
pam_nologin checks for /etc/nologin and does the "usual stuff"
if it is found, otherwise it silently succeeds.
pam_rootok silently succeeds if the user is root, otherwise
it fails.
pam_wheel silently succeeds if the user is a member of group
"wheel" (or another nominated group), and fails
otherwise.
There is an issue with kerberosIV and kerberos5 - if both are
being built, then static linking fails with duplicate symbols.
This will take a bit of work to sort out in the kerberii.
non-threaded programs. This provides threaded programs with the
needed exception frame symbols.
parts submitted by: Max Khon <fjoe@iclub.nsu.ru>
PR: 23252
non-threaded programs. This provides threaded programs with the
needed exception frame symbols.
parts submitted by: Max Khon <fjoe@iclub.nsu.ru>
PR: 23252
back to the original environ unconditionally. The setting of the
variable to save the previous environ is conditional; it happens when
ENV.e_committed is set. Therefore, don't try to swap the env back
unless the previous env has been initialized.
PR: bin/22670
Submitted by: Takanori Saneto <sanewo@ba2.so-net.ne.jp>
I'm not quite sure about this, I think it should be using -lssh_pic since
it's being linked into a .so, but nothing seems to complain ahd it does
work. (well, it works for using the authorized_keys file, but I have not
figured out how to get it to start a ssh-agent and cache the key for me)
PR: 17191
Submitted by: Adrian Pavlykevych <pam@polynet.lviv.ua>
might it confuse people, but it causes a warning message with
nroff, and no version history mentions a 1.2 version of FreeBSD.
If anything, a ``HISTORY'' section should show which version this
appeared in.
(From the author:)
Primarily, I have added built-in functions for manipulating the
environment, so putenv() is no longer used. XDM and its variants
should now work without modification. Note that the new code uses
the macros in <sys/queue.h>.
Submitted by: Andrew J. Korty <ajk@iu.edu>
"login auth sufficient pam_ssh.so" to your /etc/pam.conf, and
users with a ~/.ssh/identity can login(1) with their SSH key :)
PR: 15158
Submitted by: Andrew J. Korty <ajk@waterspout.com>
Reviewed by: obrien
track.
The $Id$ line is normally at the bottom of the main comment block in the
man page, separated from the rest of the manpage by an empty comment,
like so;
.\" $Id$
.\"
If the immediately preceding comment is a @(#) format ID marker than the
the $Id$ will line up underneath it with no intervening blank lines.
Otherwise, an additional blank line is inserted.
Approved by: bde
simple enough to be trusted.
Add account management functionality to the pam_unix module.
These changes should make it possible to use PAM in some ports.
Submitted by: Max Khon <fjoe@iclub.nsu.ru>
modules for FreeBSD's standard authentication methods. Although
the Linux-PAM modules are present in the contrib tree, we don't
use any of them.
The main library "libpam" is composed of sources taken from three
places. First are the standard Linux-PAM libpam sources from the
contrib tree. Second are the Linux-PAM "libpam_misc" sources, also
from the contrib tree. In Linux these form a separate library.
But as Mike Smith pointed out to me, that seems pointless, so I
have combined them into the libpam library. Third are some additional
sources from the "src/lib/libpam" tree with some common functions
that make it easier to write modules. Those I wrote myself.
This work has been donated to FreeBSD by Juniper Networks, Inc.
1) Don't spit out an error message if Kerberos is installed but not yet
set up.
2) Don't attempt to verify the ticket you got back, as workstations
are not intended to have srvtab files of their own.
Both behaviors can be re-enabled with KLOGIN_PARANOID.
