Jacques Vidrine
8f857e88c4
Do not return inappropriate error codes in pam_sm_setcred.
2003-01-29 21:20:38 +00:00
Jacques Vidrine
e0bc74123b
About September 2001, I consulted with all the previous authors of
...
pam_krb5 to consolidate the copyright texts. The semi-official
pam_krb5 module has been distributed with this new license text ever
since, but I'm just now getting around to updating the text here.
2003-01-10 13:38:44 +00:00
Jens Schweikhardt
57bd0fc6e8
english(4) police.
2002-12-27 12:15:40 +00:00
Ruslan Ermilov
fb3acdd2a2
mdoc(7) police: removed gratuitous .Pp call.
2002-12-23 15:21:57 +00:00
Dag-Erling Smørgrav
32f0c0487b
Merge in most non-style differences from Andrew Korty's pam_ssh 1.7.
2002-12-16 14:33:18 +00:00
Ruslan Ermilov
87e9be3900
mdoc(7) police: .Dt is ALL UPPERCASE.
...
Approved by: re
2002-12-12 08:19:47 +00:00
Ruslan Ermilov
1798791d24
mdoc(7) police: formatting nits.
...
Approved by: re
2002-11-29 15:57:50 +00:00
Dag-Erling Smørgrav
bb16bd87d7
Whitespace nits.
...
Approved by: re (bmah)
2002-11-28 20:11:31 +00:00
Dag-Erling Smørgrav
3fdd8a4036
Add a PAM_MODULE_ENTRY to this module so it'll actually do something.
...
Approved by: re (bmah)
2002-11-28 20:05:42 +00:00
Peter Wemm
6ceeb6902a
utmp.ut_time and lastlog.ll_time are explicitly int32_t rather than
...
time_t. Deal with the possibility that time_t != int32_t. This boils
down to this sort of thing:
- time(&ut.ut_time);
+ ut.ut_time = time(NULL);
and similar for ctime(3) etc. I've kept it minimal for the stuff
that may need to be portable (or 3rd party code), but used Matt's time32
stuff for cases where that isn't as much of a concern.
Approved by: re (jhb)
2002-11-15 22:42:00 +00:00
Ruslan Ermilov
3f66c888ec
Make dynamic PAM modules depend on dynamic PAM library.
...
Requested by: des, markm
2002-11-14 19:24:51 +00:00
Jacques Vidrine
7c2274dc95
The pam_krb5 module stored a reference to a krb5_ccache structure as
...
PAM module state (created in pam_sm_authenticate and referenced later
in pam_sm_setcred and pam_sm_acct_mgmt). However, the krb5_ccache
structure shares some data members with the krb5_context structure
that was used in its creation. Since a new krb5_context is created
and destroyed at each PAM entry point, this inevitably caused the
krb5_ccache structure to reference free'd memory.
Now instead of storing a pointer to the krb5_ccache structure,
we store the name of the cache (e.g. `MEMORY:0x123CACHE') in
pam_sm_authenticate, and resolve the name in the other entry points.
This bug was uncovered by phkmalloc's free'd memory scrubbing.
Approved by: re (jhb)
2002-11-13 17:46:15 +00:00
Jacques Vidrine
88c8bcce6c
Use krb5_get_err_text' instead of
error_message' so that instead of
...
e.g.
Unknown error: -1765328378
we get
Client not found in Kerberos database
Another way to accomplish this would have been to leave
`error_message' alone, but to explicitly load the Kerberos com_err
error tables. However, I don't really like the idea of a PAM module
dorking with global tables.
Approved by: re (jhb)
2002-11-13 17:44:29 +00:00
Dag-Erling Smørgrav
a1d214e88b
Allow the admin to specify a different NAS identifier than the hostname.
...
Submitted by: Boris Kovalenko <boris@ntmk.ru>
2002-10-28 10:28:46 +00:00
Robert Watson
195426c211
Introduce 'exempt_if_empty' option to pam_wheel(8), which bypasses the
...
group membership requirement if the group has no explicit members listed
in /etc/group. By default, this group is the wheel group; setting this
flag restores the default BSD behavior from 4.x.
Reviewed by: markm
Requested by: various
Sponsored by: DARPA, Network Associates Laboratories
2002-10-18 02:37:29 +00:00
Ruslan Ermilov
890b32ee41
Build kerberized versions of the PAM library, and install them
...
into corresponding distributions during "make release". (This
also cleans the "slib" distribution up from the .o files.)
PR: misc/43825 (inspired by)
2002-10-11 14:17:09 +00:00
Peter Wemm
224af215a6
Zap now-unused SHLIB_MINOR
2002-09-28 00:25:32 +00:00
Peter Wemm
66422f5b7a
Initiate deorbit burn for the i386-only a.out related support. Moves are
...
under way to move the remnants of the a.out toolchain to ports. As the
comment in src/Makefile said, this stuff is deprecated and one should not
expect this to remain beyond 4.0-REL. It has already lasted WAY beyond
that.
Notable exceptions:
gcc - I have not touched the a.out generation stuff there.
ldd/ldconfig - still have some code to interface with a.out rtld.
old as/ld/etc - I have not removed these yet, pending their move to ports.
some includes - necessary for ldd/ldconfig for now.
Tested on: i386 (extensively), alpha
2002-09-17 01:49:00 +00:00
Dag-Erling Smørgrav
68e6e4bd40
Since pam_get_authtok(3) doesn't know about our options structure, setting
...
the PAM_ECHO_PASS option on-the-fly is a NOP (though it wasn't with the
old pam_get_pass(3) code). Instead, call pam_prompt(3) directly. This
actually simplifies the code a bit.
MFC after: 3 days
2002-07-30 08:32:03 +00:00
Dag-Erling Smørgrav
99260419d6
Install more man pages - I thought I'd committed this ages ago...
2002-07-23 17:59:46 +00:00
Ruslan Ermilov
c101b5f3f3
Tidy up.
2002-06-06 13:55:01 +00:00
Dag-Erling Smørgrav
eb6f605e2f
Missed one in previous commit.
...
Pointed out by: nectar
2002-05-30 20:48:59 +00:00
Ruslan Ermilov
6a63652701
mdoc(7) police: kill whitespace at EOL.
2002-05-30 14:52:00 +00:00
Ruslan Ermilov
5617846748
mdoc(7) police: polish markup.
2002-05-30 14:49:57 +00:00
Ruslan Ermilov
9baa2c98cf
mdoc(7) police: tidy up the markup.
2002-05-30 14:32:48 +00:00
Jacques Vidrine
3a27166692
Add pam_ksu(8), a module to do Kerberos 5 authentication and
...
$HOME/.k5login authorization for su(1).
Reviewed by: des (earlier version)
2002-05-28 20:52:31 +00:00
Dag-Erling Smørgrav
c096af69cd
Add openpam_nullconv.3.
2002-05-24 13:22:15 +00:00
Dag-Erling Smørgrav
f346f31b43
Add missing include.
2002-05-24 13:20:40 +00:00
Dag-Erling Smørgrav
f65b218085
Just to show that PAM can do almost anything from the ridiculous to the
...
obscene, or - as they say in New York - sophisticated, add pam_echo(8) and
pam_exec(8) to our ever-lengthening roster of PAM modules.
Sponsored by: DARPA, NAI Labs.
2002-05-23 22:03:06 +00:00
Dag-Erling Smørgrav
2569c273c7
Hide a couple of unguarded error returns behind the no_fail test.
2002-05-23 00:02:59 +00:00
Juli Mallett
816c6c91e2
Free old_pwd only in the code path where it has been allocated.
...
Reviewed by: des
2002-05-22 23:18:25 +00:00
David E. O'Brien
1dba4170b1
Do not build pam_ssh if NOSECURE is set (NO_OPENSSL is on a subset of NOSECURE)
2002-05-15 20:25:32 +00:00
Ruslan Ermilov
2a53f3fb35
Major cleanup of bsd.lib.mk.
...
Get rid of the INTERNALSTATICLIB knob and just use plain INTERNALLIB.
INTERNALLIB now means to build static library only and don't install
anything. Added a NOINSTALLLIB knob for libpam/modules. To not
build any library at all, just do not set LIB.
2002-05-13 10:53:24 +00:00
Ruslan Ermilov
c7b111cba8
Added new bsd.incs.mk which handles installing of header files
...
via INCS. Implemented INCSLINKS (equivalent to SYMLINKS) to
handle symlinking include files. Allow for multiple groups of
include files to be installed, with the powerful INCSGROUPS knob.
Documentation to follow.
Added standard `includes' and `incsinstall' targets, use them
in Makefile.inc1. Headers from the following makefiles were
not installed before (during `includes' in Makefile.inc1):
kerberos5/lib/libtelnet/Makefile
lib/libbz2/Makefile
lib/libdevinfo/Makefile
lib/libform/Makefile
lib/libisc/Makefile
lib/libmenu/Makefile
lib/libmilter/Makefile
lib/libpanel/Makefile
Replaced all `beforeinstall' targets for installing includes
with the INCS stuff.
Renamed INCDIR to INCSDIR, for consistency with FILES and SCRIPTS,
and for compatibility with NetBSD. Similarly for INCOWN, INCGRP,
and INCMODE.
Consistently use INCLUDEDIR instead of /usr/include.
gnu/lib/libstdc++/Makefile and gnu/lib/libsupc++/Makefile changes
were only lightly tested due to the missing contrib/libstdc++-v3.
I fully tested the pre-WIP_GCC31 version of this patch with the
contrib/libstdc++.295 stuff.
These changes have been tested on i386 with the -DNO_WERROR "make
world" and "make release".
2002-05-12 16:01:00 +00:00
Dag-Erling Smørgrav
55589c84e2
Don't declare krb5_mcc_ops, it's already declared in <krb5.h>
2002-05-12 07:06:27 +00:00
Dag-Erling Smørgrav
f1d0592537
Use libutil and libypclnt for all passwd manipulation and NIS needs.
...
Sponsored by: DARPA, NAI Labs
2002-05-08 00:54:29 +00:00
Dag-Erling Smørgrav
89136eab16
Add a no_fail option.
...
Sponsored by: DARPA, NAI Labs
2002-05-08 00:31:45 +00:00
Dag-Erling Smørgrav
2256d3698a
Add pam_ftpusers(8), which enforces /etc/ftpusers.
...
Sponsored by: DARPA, NAI Labs
2002-05-08 00:30:10 +00:00
Dag-Erling Smørgrav
597aaec942
Add openpam_nullconv.c to SRCS.
2002-05-02 04:42:59 +00:00
Dag-Erling Smørgrav
0f6517b7d8
Don't ask root for the old password, except in the NIS case.
...
Sponsored by: DARPA, NAI Labs
2002-04-26 19:28:17 +00:00
Dag-Erling Smørgrav
c8c20c5226
Fix a really dumb bug (missing curly braces around the body of an if
...
statement) that caused pam_sm_chauthtok() to always fail silently.
2002-04-26 01:47:48 +00:00
Dag-Erling Smørgrav
750e6876cf
Oops, fix an inverted if test.
2002-04-20 16:52:41 +00:00
Dag-Erling Smørgrav
1583027008
Strip /dev/ from tty name, and clean up the "last login" printout.
...
Sponsored by: DARPA, NAI Labs
2002-04-20 16:44:32 +00:00
Ruslan Ermilov
3cb7acc2cd
Revert previous change. bsd.dep.mk,v 1.31 had a bug that was fixed
...
in revision 1.32 and made this change OBE.
2002-04-17 05:46:41 +00:00
Dag-Erling Smørgrav
b1e0b30d83
Add a missing .El and fix a typo.
...
Spotted by: Solar Designer <solar@openwall.com>
Sponsored by: DARPA, NAI Labs
2002-04-16 22:38:47 +00:00
Ruslan Ermilov
c34f0a19f7
Reflect change in share/mk/bsd.dep.mk,v 1.31.
2002-04-16 12:52:22 +00:00
Dag-Erling Smørgrav
c82bffaa40
Revert previous commit, it is incorrect.
2002-04-15 22:51:31 +00:00
David E. O'Brien
f01afd3101
Properly spell rpcsvc/ypclnt.h and fix the build.
2002-04-15 22:47:28 +00:00
Dag-Erling Smørgrav
4c8153125a
Throw in NO_WERROR to please the peanut gallery.
2002-04-15 13:10:28 +00:00
Dag-Erling Smørgrav
53fd6d26b2
Use PAM_SUCCESS instead of PAM_IGNORE.
2002-04-15 06:26:32 +00:00
Dag-Erling Smørgrav
ab4f115e57
Whitespace nits.
2002-04-15 03:52:22 +00:00
Dag-Erling Smørgrav
f71d08000d
Add a manual page based on Solar Designer's README.
...
Sponsored by: DARPA, NAI Labs
2002-04-15 03:45:14 +00:00
Dag-Erling Smørgrav
a11a75ce7c
pam_passwdqc depends on libcrypt.
2002-04-15 03:44:42 +00:00
Dag-Erling Smørgrav
7b733689a3
Prompt for new password during update phase, not during preliminary phase.
...
Sponsored by: DARPA, NAI Labs
2002-04-15 03:00:14 +00:00
Dag-Erling Smørgrav
ff1bc287ac
Dike out most of the NIS code and replace it with calls to libypclnt.
...
Rework pam_sm_chauthtok() so it (mostly?) works.
The standard pw stuff still needs to move into a library somewhere.
Sponsored by: DARPA, NAI Labs
2002-04-15 02:34:43 +00:00
Dag-Erling Smørgrav
f2b9b94ab4
pam_passwdqc builds now.
2002-04-14 22:31:36 +00:00
Dag-Erling Smørgrav
81a587f467
More recent versions of pam_passwdqc (not yet released) build with very
...
few warnings.
2002-04-14 18:48:57 +00:00
Dag-Erling Smørgrav
a358391f59
New files in OpenPAM Cineraria.
...
Sponsored by: DARPA, NAI Labs
2002-04-14 18:30:27 +00:00
Dag-Erling Smørgrav
db4b82edde
Cosmetic nit.
2002-04-14 18:30:03 +00:00
Dag-Erling Smørgrav
b6bd548cdc
Cast a ptrdiff_t to int before using it as a printf field width.
2002-04-14 16:44:04 +00:00
Dag-Erling Smørgrav
2f6ee8eb7e
Change || into && (braino in previous commit). Also append \n to the
...
error message.
2002-04-13 06:14:30 +00:00
Dag-Erling Smørgrav
24fe7ba0d9
Major cleanup:
...
- add __unused where appropriate
- PAM_RETURN -> return since OpenPAM already logs the return value.
- make PAM_LOG use openpam_log()
- make PAM_VERBOSE_ERROR use openpam_get_option() and check flags
for PAM_SILENT
- remove dummy functions since OpenPAM handles missing service
functions
- fix various warnings
Sponsored by: DARPA, NAI Labs
2002-04-12 22:27:25 +00:00
Dag-Erling Smørgrav
95ca4cb3f6
Add a pam_rhosts module, loosely based on code submitted by Danny Braniss.
...
Submitted by: Danny Braniss <danny@cs.huji.ac.il>
Sponsored by: DARPA, NAI Labs
2002-04-12 20:10:18 +00:00
Dag-Erling Smørgrav
fd994fa945
Rename the even_root option to allow_root.
...
Sponsored by: DARPA, NAI Labs
2002-04-12 20:05:27 +00:00
Ruslan Ermilov
a60a1ea33b
Reimplement the hack to put pam_static.o into .depend with some magic.
2002-04-11 12:21:16 +00:00
Ruslan Ermilov
90a9863e16
Moved SHLIB_NAME definition into one place.
...
Approved by: des
2002-04-10 18:07:05 +00:00
Ruslan Ermilov
196f4c26f4
Fixed broken "make depend; make clean; make all" sequence.
...
I've looked for this example for a long time, to demonstrate
some people why it's a really BAD idea to use ${.OBJDIR}
instead of ".". I hope these people are reading this. :-)
Approved by: des
2002-04-10 18:00:32 +00:00
Ruslan Ermilov
e348eb5318
Fix broken `checkdpadd'.
...
-lroken is an installable library, there's no need to give an
explicit path to it. In any case, -L paths should be specified
in LDFLAGS if needed.
Approved by: des
2002-04-10 17:53:43 +00:00
Ruslan Ermilov
f5ef4bac45
Don't override standard _EXTRADEPEND actions, add to them.
...
Fix CLEANFILES.
Collapse openpam_static_modules.o generation.
2002-04-10 17:46:59 +00:00
Dag-Erling Smørgrav
2270ac91b4
Remove debugging code that was inadvertantly brought in by previous commit.
2002-04-08 12:41:08 +00:00
Dag-Erling Smørgrav
eafd17c552
Use OpenPAM's credential switching functions.
...
Sponsored by: DARPA, NAI Labs
2002-04-08 12:38:50 +00:00
Dag-Erling Smørgrav
f6363a1814
Add new files and man pages from OpenPAM Cinchona.
...
Sponsored by: DARPA, NAI Labs
2002-04-08 12:34:53 +00:00
Dag-Erling Smørgrav
2bca1ead9a
Remove commented-out WARNS thingy.
2002-04-08 12:33:48 +00:00
Ruslan Ermilov
f2f306b622
Align for const poisoning in -lutil.
2002-04-08 11:07:51 +00:00
Dag-Erling Smørgrav
50000f00df
Reorganize pam_sm_authenticate() to reduce code duplication.
...
Sponsored by: DARPA, NAI Labs
2002-04-07 21:18:18 +00:00
Dag-Erling Smørgrav
a8b1e59eb2
Fix bug in previous commit that passed the wrong default value to
...
login_getcapstr(3). Also fix a longer-standing bug (login_close(3)
frees the string returned by login_getcapstr(3)) by reorganizing the
code a little, and use login_getpwclass(3) instead of login_getclass(3)
if we already have a struct pwd.
Sponsored by: DARPA, NAI Labs
2002-04-07 20:43:27 +00:00
Dag-Erling Smørgrav
9db21c5fd1
This one needs NO_WERROR too.
2002-04-07 12:53:58 +00:00
Dag-Erling Smørgrav
92c07aa880
Turn on NO_WERROR due to namespace pollution in krb5 headers.
2002-04-07 04:44:16 +00:00
Dag-Erling Smørgrav
111ccd256c
Aggressive cleanup of warnings + authtok-related code in preparation for
...
PAMifying passwd(1).
Sponsored by: DARPA, NAI Labs.
2002-04-06 19:30:04 +00:00
Dag-Erling Smørgrav
18006b1ab8
Disconnect pam_passwdqc for now, it has some issues that need resolving.
2002-04-06 19:25:36 +00:00
Dag-Erling Smørgrav
4004c08e79
Fix some style issues, a const warning, and abuse of PAM_ABORT.
...
Sponsored by: DARPA, NAI Labs
2002-04-06 14:25:04 +00:00
Dag-Erling Smørgrav
40b93e6278
Remove some duplicate free()s and add some that were missing.
...
Submitted by: tmm
2002-04-05 20:00:05 +00:00
Dag-Erling Smørgrav
f8334e0084
pam_get_pass() -> pam_get_authtok()
2002-04-05 10:49:45 +00:00
Dag-Erling Smørgrav
8f85b6caad
Upgrade to something quite close, but not identical, to version 1.6 of
...
Andrew Korty's pam_ssh. The most notable difference is that this uses
commas rather than colons to separate items in the "keyfiles" option.
Sponsored by: DARPA, NAI Labs
2002-04-04 18:45:21 +00:00
Dag-Erling Smørgrav
2b814c7ea1
Add pam_passwdqc to the build.
...
Sponsored by: DARPA, NAI Labs
2002-04-04 16:08:28 +00:00
Mark Murray
b51066a362
Fix for OPIE 2.4.
2002-03-22 09:20:05 +00:00
Ruslan Ermilov
7d1f1e9ca8
mdoc(7) police: fix SYNOPSIS, sort xrefs, kill extra whitespace.
2002-03-18 15:59:53 +00:00
Ruslan Ermilov
b6b2be6fbe
mdoc(7) police: nits.
2002-03-18 15:55:53 +00:00
Ruslan Ermilov
8ce6622380
mdoc(7) police: sort xrefs, kill extra whitespace.
2002-03-18 15:52:28 +00:00
Crist J. Clark
51906f452e
Fix world breakage introduced by my recent modifications to
...
chpass(8). The relations between libc, libpam, chpass, passwd, and
vipw are a mess and probably should be cleaned up.
Submitted by: Peter Pentchev <roam@ringlet.net>
2002-03-18 12:55:28 +00:00
Ruslan Ermilov
a68af001da
mdoc(7) police: tiny fixes.
2002-03-15 18:09:32 +00:00
Ruslan Ermilov
3e5aa36e12
mdoc(7) police: expand contractions.
2002-03-15 18:06:25 +00:00
Dag-Erling Smørgrav
f03a4b810a
NAI DBA update.
2002-03-14 23:27:59 +00:00
Mark Murray
8c3ea588df
Remove the use of random(3), and encapsulate the salt-generation in
...
its own function. The use of arc4random(3) is hopeless overkill here,
but that does not hurt anything.
Requested by: ache
2002-03-14 16:41:36 +00:00
Maxim Sobolev
f651c1533c
Don't ignore system CFLAGS.
2002-03-07 16:56:19 +00:00
Mark Murray
3556489a52
Fix build for OpenPAM. The directories needed tweeking.
2002-03-07 16:03:56 +00:00
Dag-Erling Smørgrav
38ca451d39
This file is not needed any more
2002-03-07 12:03:50 +00:00
Brian Feldman
30da7e6299
Now pam_alreadyloggedin lives in the ports.
2002-03-07 02:23:19 +00:00
Brian Feldman
c53dd30bb3
Add the pam_alreadyloggedin(8) module, which allows for authentication
...
based on information that the user is already logged in.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-03-06 18:21:28 +00:00
Peter Pentchev
8a177c636f
Unbreak the pam_krb5 build: cast a couple of const pointers
...
to normal char *. A better fix might be some const'ifying
of the Heimdal code, but this will do to fix the build
for the present.
Approved by: des
2002-03-06 16:49:02 +00:00
Dag-Erling Smørgrav
e0dd4a7813
Add forgotten NOPROFILE that broke world.
2002-03-06 12:11:05 +00:00
Dag-Erling Smørgrav
519b6a4c8f
Switch to OpenPAM. Bump library version. Modules are now versioned, so
...
applications linked with Linux-PAM will still work.
Remove pam_get_pass(); OpenPAM has pam_get_authtok().
Remove pam_prompt(); OpenPAM has pam_{,v}{error,info,prompt}().
Remove pam_set_item(3) man page as OpenPAM has its own.
Sponsored by: DARPA, NAI Labs
2002-03-05 21:56:25 +00:00
Dag-Erling Smørgrav
e3cd129613
Add missing dependency on libutil.
2002-03-05 12:52:03 +00:00
Maxim Sobolev
c80f5647cb
Create /var/log/lastlog if it doesn't exist.
...
Submitted by: des
2002-02-20 07:47:06 +00:00
Dag-Erling Smørgrav
7f28386a26
This file needs <syslog.h>.
...
Sponsored by: DARPA, NAI Labs
2002-02-09 14:12:09 +00:00
Ruslan Ermilov
e47a40e7f7
Now that cross-tools ld(1) has been fixed to look for dynamic
...
dependencies in the correct place, record the fact that -lssh
depends on -lcrypto and -lz.
Removed false dependencies on -lz (except ssh(1) and sshd(8)).
Removed false dependencies on -lcrypto and -lutil for scp(1).
Reviewed by: markm
2002-02-08 13:42:58 +00:00
Mark Murray
30577d19fa
Remove NO_WERROR, now that WARNS=n is gone.
2002-02-06 18:46:48 +00:00
Mark Murray
427e2d5c02
Comment out the WARNS= so as to not trample all over the GCC3 work.
2002-02-06 18:14:59 +00:00
Dag-Erling Smørgrav
04f71c5352
Three times lucky: <stddef.h>, not <sys/param.h>
2002-02-05 08:01:32 +00:00
Dag-Erling Smørgrav
93cf4c1be3
Oops, the correct header to include for NULL is <sys/param.h>.
2002-02-05 07:53:00 +00:00
Dag-Erling Smørgrav
0ae5018b3e
#include <sys/types.h> for NULL (hidden by Linux-PAM header pollution)
...
Sponsored by: DARPA, NAI Labs
2002-02-05 06:20:27 +00:00
Dag-Erling Smørgrav
8c66575de8
#include cleanup.
...
Sponsored by: DARPA, NAI Labs
2002-02-05 06:08:26 +00:00
Mark Murray
34b28989d1
Explicitly declare (gcc internal) functions.
...
Submitted by: ru
2002-02-04 17:59:25 +00:00
Dag-Erling Smørgrav
12b6e9a089
ssh_get_authentication_connection() gets its parameters from environment
...
variables, so temporarily switch to the PAM environment before calling it.
Submitted by: Takanori Saneto <sanewo@ba2.so-net.ne.jp>
2002-02-04 17:15:44 +00:00
Mark Murray
95641278ef
Protect "make buildworld" against -Werror, as this module does not
...
build cleanly.
2002-02-04 16:09:25 +00:00
Mark Murray
21e5d74291
Add the other half of the salt-generating code. No functional
...
difference except that the salt is slightly harder to build
dictionaries against, and the code does not use srandom[dev]().
2002-02-04 00:28:54 +00:00
Mark Murray
63d770d8ea
Turn on fascist warning mode.
2002-02-03 15:51:52 +00:00
Mark Murray
ac5699692e
WARNS=n fixes (and some stylistic issues).
2002-02-03 15:17:57 +00:00
Dag-Erling Smørgrav
59057a6d6f
Remove an unnecessary #include that trips up OpenPAM. The header in question
...
is an internal Linux-PAM header which shouldn't be used outside Linux-PAM
itself, and has absolutely zero effect on pam_ftp.
Sponsored by: DARPA, NAI Labs
MFC after: 1 week
2002-02-02 17:51:39 +00:00
Dag-Erling Smørgrav
ab50ade43c
Post-repocopy cleanup.
...
Sponsored by: DARPA, NAI Labs
2002-02-01 22:25:07 +00:00
Dag-Erling Smørgrav
2d0a7148b6
Connect the pam_lastlog(8) and pam_login_access(8) modules to the build.
...
Sponsored by: DARPA, NAI Labs
2002-02-01 08:49:53 +00:00
Dag-Erling Smørgrav
c60ed00a43
Still with asbestos longjohns on, completely PAMify login(1) and remove
...
code made redundant by various PAM modules (primarily pam_unix(8)).
Sponsored by: DARPA, NAI Labs
2002-01-30 19:10:21 +00:00
Dag-Erling Smørgrav
e9cc7b1d92
With asbestos longjohns on, integrate most of the checks normally done by
...
login(1) (password & account expiry, hosts.access etc.) into pam_unix(8).
Sponsored by: DARPA, NAI Labs
2002-01-30 19:09:11 +00:00
Dag-Erling Smørgrav
a2d20838b0
Move the code from pam_sm_authenticate() to pam_sm_acct_mgmt(). Simplify
...
it a little and try to make it more resilient to various possible failure
conditions. Change the man page accordingly, and take advantage of this
opportunity to simplify its language.
Sponsored by: DARPA, NAI Labs
2002-01-30 19:03:16 +00:00
Mark Murray
c2065008b5
WARNS=4 fixes. Protect with NO_WERROR for the modules that have
...
warnings that are hard to fix or that I've been asked to leave alone.
2002-01-24 18:37:17 +00:00
Dag-Erling Smørgrav
f748a713da
PAM modules shouldn't call putenv(); pam_putenv() is sufficient. The
...
caller is supposed to check the PAM envlist and export the variables it
contains; if it doesn't, it's broken.
Sponsored by: DARPA, NAI Labs
2002-01-24 17:26:27 +00:00
Dag-Erling Smørgrav
9201dc40bf
Change the order in which pam_sm_open_session() updates the logs. This
...
doesn't really make any difference, except it matches wtmp(5) better.
Don't do anything in pam_sm_close_session(); init(8) will take care of
utmp and wtmp when the tty is released. Clearing them here would make it
possible to create a ghost session by logging in, running 'login -f $USER'
and exiting the subshell.
Sponsored by: DARPA, NAI Labs (but the bugs are all mine)
2002-01-24 17:15:04 +00:00
Dag-Erling Smørgrav
ca355e5451
Correctly interpret PAM_RHOST being unset as an indicator of a local
...
login.
Sponsored by: DARPA, NAI Labs
2002-01-24 16:18:43 +00:00
Dag-Erling Smørgrav
d233082fbe
Correctly interpret PAM_RHOST being unset as an indicator of a local
...
login.
2002-01-24 16:16:01 +00:00
Dag-Erling Smørgrav
e4536f1138
Style nits.
...
Sponsored by: DARPA, NAI Labs
2002-01-24 16:14:56 +00:00
Dag-Erling Smørgrav
f433d6afed
Document the even_root option.
...
Sponsored by: DARPA, NAI Labs
2002-01-24 13:35:06 +00:00
Dag-Erling Smørgrav
76f95f4dc2
Don't let root through unless the "even_root" option was specified.
...
Sponsored by: DARPA, NAI Labs
2002-01-24 12:47:42 +00:00
Dag-Erling Smørgrav
16e058b5d6
Add a PAM module that records sessions in utmp/wtmp/lastlog.
...
Sponsored by: DARPA, NAI Labs
2002-01-24 09:45:17 +00:00
Dag-Erling Smørgrav
c2d5249eaf
Fix some pastos. Rather shoddy of me...
...
Sponsored by: DARPA, NAI Labs
2002-01-24 09:44:22 +00:00
Dag-Erling Smørgrav
53f3167d07
Add a PAM module that provides an account management component for checking
...
either PAM_RHOST or PAM_TTY against /etc/login.access.o
This uncovers a problem with PAM_RHOST, in that if we always set it, there
is no way to distinguish between a user logging in locally and a user
logging in using 'ssh localhost'. This will be fixed by first making sure
that all PAM modules can handle PAM_RHOST being unset (which is currently
not the case), and then modifying su(1) and login(1) to not set it for
local logins.
Sponsored by: DARPA, NAI Labs
2002-01-23 17:42:16 +00:00
Dag-Erling Smørgrav
774a10071d
Add an AUTHORS section crediting ThinkSec, DARPA and NAI Labs.
...
Sponsored by: DARPA, NAI Labs
2002-01-23 17:16:00 +00:00
Ruslan Ermilov
0509dca0c3
Add pam_ssh support to the static PAM library, libpam.a:
...
- Spam /usr/lib some more by making libssh a standard library.
- Tweak ${LIBPAM} and ${MINUSLPAM}.
- Garbage collect unused libssh_pic.a.
- Add fake -lz dependency to secure/ makefiles needed for
dynamic linkage with -lssh.
Reviewed by: des, markm
Approved by: markm
2002-01-23 15:54:17 +00:00
Dag-Erling Smørgrav
b6b756b58b
Base the comparison on UIDs, not on user names.
...
Sponsored by: DARPA, NAI Labs
2002-01-23 15:16:01 +00:00
Ruslan Ermilov
fd4ca9e02d
Make libssh.so useable (undefined reference to IPv4or6).
...
Reviewed by: des, markm
Approved by: markm
2002-01-23 15:06:47 +00:00
Dag-Erling Smørgrav
1e22a4f048
Link pam_opieaccess, pam_self and pam_ssh into the static library.
...
Sponsored by: DARPA, NAI Labs
2002-01-21 20:43:01 +00:00
Dag-Erling Smørgrav
b0aa095ad0
On second thought, getpwnam() failure should be treated just as if the user
...
existed, but had no OPIE key, i.e. PAM_IGNORE.
Pointed out by: ache
Sponsored by: DARPA, NAI Labs
2002-01-21 19:05:45 +00:00
Dag-Erling Smørgrav
b4b56d051a
Return PAM_SERVICE_ERR rather than PAM_USER_UNKNOWN if getpwnam() fails, as
...
PAM_USER_UNKNOWN will break the chain, revealing to an attacker that the
user does not exist.
Sponsored by: DARPA, NAI Labs
2002-01-21 18:53:03 +00:00
Dag-Erling Smørgrav
03adba96a0
Further changes to allow enabling pam_opie(8) by default:
...
- Ignore the {try,use}_first_pass options by clearing PAM_AUTHTOK before
challenging the user. These options are meaningless for pam_opie(8)
since the user can't possibly know the right response before she sees
the challenge.
- Introduce the no_fake_prompts option. If this option is set, pam_opie(8)
will fail - rather than present a bogus challenge - if the target user
does not have an OPIE key. With this option, users who haven't set up
OPIE won't have to wonder what that "weird otp-md5 s**t" means :)
Reviewed by: ache, markm
Sponsored by: DARPA, NAI Labs
2002-01-21 18:46:25 +00:00
Dag-Erling Smørgrav
f460490260
Add a new module, pam_opieaccess(8), which is responsible for checking
...
/etc/opieaccess and ~/.opiealways so we can decide what to do after
pam_opie(8) fails.
Sponsored by: DARPA, NAI Labs
Reviewed by: ache, markm
2002-01-21 13:43:53 +00:00
Andrey A. Chernov
186caeedcb
snprintf bloat -> strlcpy
...
Add getpwnam return check
Approved by: des, markm
2002-01-20 20:56:47 +00:00
Andrey A. Chernov
0b836dfaf1
Back out recent changes
2002-01-19 18:03:11 +00:00
Andrey A. Chernov
6874115893
If user not exist in OPIE system, return failure immediately instead
...
of producing fake prompts with random numbers which can be detected by
potential intruder in two tries and totally confuse non-OPIE users.
2002-01-19 10:09:05 +00:00
Andrey A. Chernov
3195cd6712
Back out second right-now-expired password check in pam_sm_chauthtok,
...
old expired password assumed there
2002-01-19 09:23:36 +00:00
Andrey A. Chernov
012400dfcd
Previous commit was incomplete, use new error code PAM_CRED_ERR to
...
indicate die case, different from PAM_SUCCESS and PAM_AUTH_ERR
2002-01-19 08:36:47 +00:00
Andrey A. Chernov
d97cc81fa4
Rewrite 'pwok' fallback in the way it can be properly chained with pam_unix
...
Replace snprintf %s with strlcpy
Check for NULL returned from getpwnam()
2002-01-19 07:23:48 +00:00
Andrey A. Chernov
c8e3fac7a1
Add yet one expired-right-now password check, in pam_sm_chauthtok
...
srandomdev() can't be used in libraries, replace srandomdev()+random()
by arc4random()
2002-01-19 04:58:51 +00:00
Andrey A. Chernov
8c70adab72
Set pwok to 1 for non-OPIE users
2002-01-19 03:31:39 +00:00
Andrey A. Chernov
d54c36388e
Add missing check for right-now-expired password
2002-01-19 02:45:24 +00:00
Andrey A. Chernov
3f9a326a7a
Implement 'pwok', i.e. conditional fallback to unix password
...
as supposed by opieaccessfile() and opiealways()
2002-01-19 02:38:43 +00:00
Bruce Evans
b2035c2b74
Fixed a missing "const".
2001-12-28 20:59:44 +00:00
Ruslan Ermilov
7f432ff831
mdoc(7) police: bump document date.
2001-12-14 13:49:28 +00:00
David Malone
9f5b04e925
Style improvements recommended by Bruce as a follow up to some
...
of the recent WARNS commits. The idea is:
1) FreeBSD id tags should follow vendor tags.
2) Vendor tags should not be compiled (though copyrights probably should).
3) There should be no blank line between including cdefs and __FBSDIF.
2001-12-10 21:13:08 +00:00
Dag-Erling Smørgrav
18a85de04b
Back out previous commit.
...
Requested by: ru
2001-12-09 15:11:55 +00:00
Ruslan Ermilov
945b9f4de9
mdoc(7) police: sort xrefs.
2001-12-08 16:28:20 +00:00
Dag-Erling Smørgrav
bdd601a1e3
Get pam_mod_misc.h from .CURDIR rather than .OBJDIR or /usr/include.
...
Sponsored by: DARPA, NAI Labs
2001-12-07 11:51:47 +00:00
Dag-Erling Smørgrav
47c8f6faec
Now that _pam_init_handlers() works as intended, it seems clear that we
...
do not actually want to define PAM_READ_BOTH_CONFS, so back out previous
commit.
Sponsored by: DARPA, NAI Labs
2001-12-07 00:38:37 +00:00
Dag-Erling Smørgrav
a45af0e2b0
We need pam_client.h from libpamc. This unbreaks world
...
Pointed out by: jhay
Pointy hat to: des
2001-12-06 12:35:18 +00:00
Dag-Erling Smørgrav
87316434d1
Define PAM_READ_BOTH_CONFS. We can now have both /etc/pam.d and
...
/etc/pam.conf.
Sponsored by: DARPA, NAI Labs
2001-12-05 17:06:16 +00:00
Dag-Erling Smørgrav
bda74fe925
Install the correct version of pam_misc.h.
...
Sponsored by: DARPA, NAI Labs
2001-12-05 16:27:41 +00:00
Dag-Erling Smørgrav
8d3978c115
Add dummy functions for all module types. These dummies return PAM_IGNORE
...
rather than PAM_SUCCESS, so you'll get a failure if you list dummies but
no real modules for a particular module chain.
Sponsored by: DARPA, NAI Labs
2001-12-05 16:06:35 +00:00
Dag-Erling Smørgrav
d5a8dd3fb5
Connect the man page to the build.
...
Sponsored by: DARPA, NAI Labs
2001-12-05 16:02:50 +00:00
Dag-Erling Smørgrav
e2c8459e85
Add a pam_self authentication module that succeeds if and only if the local
...
and remote user names are the same.
Sponsored by: DARPA, NAI Labs
2001-12-05 15:55:14 +00:00
Mark Murray
1a8b24c257
Use __FBSDID(). Also do a bit of cosmetic #if and header-order
...
cleaning-up.
2001-12-02 20:54:57 +00:00
Mark Murray
d2f6cd8fd5
Style fixups.
...
Sort function declarations, includes. Make consistent WRT use of _P()
macro (ugh!)
Inspired by: bde
2001-12-01 21:12:04 +00:00
Mark Murray
e317b97026
WARNS=2 fixes.
...
Reviewed by: bde (a while back)
2001-12-01 17:46:46 +00:00
Brian Feldman
7d8cee925b
Fix pam_ssh by adding an IPv4or6 (evidently, this was broken by my last
...
OpenSSH import) declaration and strdup(3)ing a value which is later
free(3)d, rather than letting the system try to free it invalidly.
2001-11-29 21:16:11 +00:00
Dag-Erling Smørgrav
ca7e26e312
Mdoc police.
...
Submitted by: ru
2001-11-28 10:07:21 +00:00
Ruslan Ermilov
60c6736148
mdoc(7) police: fix one pam_unix(8) left-over, sort xrefs.
2001-11-28 09:25:03 +00:00
Dag-Erling Smørgrav
6a13dede6c
Add a pam_set_item(3) man page with an MLINK to pam_get_item(3).
...
PR: docs/32294
Sponsored by: DARPA, NAI Labs
MFC after: 3 days
2001-11-27 15:36:35 +00:00
Dag-Erling Smørgrav
b4a475937b
Create a pam_ssh(8) man page, based on a repo-copy of pam_unix(8).
...
License modified with original author's permission.
Sponsored by: DARPA, NAI Labs
2001-11-27 00:57:50 +00:00
Dag-Erling Smørgrav
d65e5dfa59
Document the local_pass and nis_pass options, add a few xrefs, and reorder
...
the SEE ALSO section. License modified with original author's permission.
Sponsored by: DARPA, NAI Labs
2001-11-27 00:53:10 +00:00
Dima Dorfman
a48060a2f7
Spelling police: sucessful -> successful.
2001-11-24 23:41:32 +00:00
Maxim Sobolev
bc3a4bf55d
Don't put an extra space after password prompts, because it violates POLA,
...
makes FreeBSD inconsistent with previous releases and "other unices" as well
as with some internal password-asking services (e.g. ftp) within the same
release.
2001-10-25 15:51:50 +00:00
Mark Murray
ce1e0bbc8f
Add library exposed by KDE's use if this module.
2001-10-18 20:05:20 +00:00
Matthew Dillon
ceaf33f537
Add __FBSDID()s to libpam
2001-09-30 22:11:06 +00:00
Mark Murray
6e925e8fc7
1) repair the return value in the PAM_RETURN() macro (Side effects!!).
...
2) canonicalise the options use in pam_options().
Submitted by: Gunnar Kreitz <gunnark@chello.se>
PR: 30250
2001-09-04 17:05:08 +00:00
Mark Murray
a41ad3fca9
Introduce a "noroot_ok" option to make this module ignore authentications
...
to a non-superuser if required.
2001-08-26 18:09:00 +00:00
Mark Murray
f96b705fa7
Introduce better logging, error reporting and use of login_cap data.
2001-08-26 18:05:35 +00:00
Mark Murray
76f4a6fd79
Add extra logging detail. This needs a more general solution.
2001-08-26 17:57:44 +00:00
Mark Murray
3d55a6c083
Big module makeover; improve logging, standardise variable names,
...
introduce ability to change passwords for both "usual" Unix methods
and NIS.
2001-08-26 17:41:13 +00:00
Mark Murray
47965f01dd
Add 'try_mapped_pass' standard option.
...
Asked for by: lukeh@PADL.COM
2001-08-20 12:43:19 +00:00
Mark Murray
ca0bdcdd29
Document the no_warn option.
2001-08-15 20:05:33 +00:00
Mark Murray
b5507a38bc
Fix a couple of cross-references to reflect the reality of the module.
2001-08-15 20:03:26 +00:00
Mark Murray
537db85291
Fix:
...
/usr/src/lib/libpam/modules/pam_ssh/pam_ssh.c has couple of bugs which cause:
1) xdm dumps core
2) ssh1 private key is not passed to ssh-agent
3) ssh2 RSA key seems not handled properly (just a guess from source)
4) ssh_get_authentication_connectionen() fails to get connection because of
SSH_AUTH_SOCK not defined.
PR: 29609
Submitted by: Takanori Saneto <sanewo@ba2.so-net.ne.jp>
2001-08-11 12:37:55 +00:00
Mark Murray
3938427761
Clean up this module very extensively. Fix the logging, the coding
...
standards and the option handling. This module is now much more easy
to maintain as a part of the FreeBSD tree.
2001-08-10 19:24:34 +00:00
Mark Murray
530ebf8e0a
Code clean up; make logging same as other modules and fix warnings.
2001-08-10 19:21:45 +00:00
Mark Murray
34beb374a2
General code clean-up. Sort out warnings, and make the warning and
...
logging work the same as other modules.
2001-08-10 19:18:52 +00:00
Mark Murray
0fa107a3cb
Simplify code. Also verbose logging, verbose overridable error reporting.
2001-08-10 19:15:48 +00:00
Mark Murray
65550d9b5a
Verbose logging, overridable verbose error reporting.
2001-08-10 19:12:59 +00:00
Mark Murray
b04259a5cf
Module clean-up. Verbose logging, Overridable verbose error reporting,
...
FreeBSD pam_prompt() usage to simplify conversation function usage.
2001-08-10 19:10:43 +00:00
Mark Murray
2108fbd748
Verbosely (overridable) report failure to the user.
2001-08-10 19:07:45 +00:00
Mark Murray
ceca323626
Use the FreeBSD pam_prompt() interface to the conversation function
...
instead of home-rolling it. Clean up debugging code and tidy the
module.
2001-08-10 19:05:57 +00:00
Mark Murray
3a9cdcb91f
Verbosely report errors to the user (overridable), and make sure
...
that the correct failure mode is reported.
2001-08-10 19:02:21 +00:00
Mark Murray
27b9f9d4a3
Fix broken logic so that this actually works for the superuser.
...
Verbosely log (properly).
Verbosely report errors to the user.
2001-08-10 14:21:58 +00:00
Mark Murray
cfa285d9e4
Rework this to prevent a nasty problem involving different modules'
...
option interacting with each other.
2001-08-10 14:16:47 +00:00