makes FreeBSD inconsistent with previous releases and "other unices" as well
as with some internal password-asking services (e.g. ftp) within the same
release.
/usr/src/lib/libpam/modules/pam_ssh/pam_ssh.c has couple of bugs which cause:
1) xdm dumps core
2) ssh1 private key is not passed to ssh-agent
3) ssh2 RSA key seems not handled properly (just a guess from source)
4) ssh_get_authentication_connectionen() fails to get connection because of
SSH_AUTH_SOCK not defined.
PR: 29609
Submitted by: Takanori Saneto <sanewo@ba2.so-net.ne.jp>
o The new options-processing API
o The new DEBUG-logging API
Add man(1) pages for ALL modules. MDOC-Police welcome
to check this.
Audit, clean up while I'm here.
Move common stuff into Makefile.inc, and tidy up all the Makefiles
as a result.
Build new modules.
Put a commented-out dependancy on libpam for the (shared) modules.
I can't bring this in just yet, as the dependancy (modules->libpam)
is reversed for the static case (libpam->modules).
pam_securetty silently succeeds if the user is on a secure tty
as defined by /etc/ttys.
pam_ftp does "anonymous ftp" style authentication with options for
specifying the anonymous user(s).
reason not to add it to others later). This causes the pam_unix
module to check the user's _own_ password, not the password of the
account that the user is authenticating into. This will allow eg:
WHEELSU type behaviour from su(1).
pam_krb5 is a Kerberos 5 (Heimdal) authentication module.
pam_nologin checks for /etc/nologin and does the "usual stuff"
if it is found, otherwise it silently succeeds.
pam_rootok silently succeeds if the user is root, otherwise
it fails.
pam_wheel silently succeeds if the user is a member of group
"wheel" (or another nominated group), and fails
otherwise.
There is an issue with kerberosIV and kerberos5 - if both are
being built, then static linking fails with duplicate symbols.
This will take a bit of work to sort out in the kerberii.
non-threaded programs. This provides threaded programs with the
needed exception frame symbols.
parts submitted by: Max Khon <fjoe@iclub.nsu.ru>
PR: 23252
non-threaded programs. This provides threaded programs with the
needed exception frame symbols.
parts submitted by: Max Khon <fjoe@iclub.nsu.ru>
PR: 23252
back to the original environ unconditionally. The setting of the
variable to save the previous environ is conditional; it happens when
ENV.e_committed is set. Therefore, don't try to swap the env back
unless the previous env has been initialized.
PR: bin/22670
Submitted by: Takanori Saneto <sanewo@ba2.so-net.ne.jp>
I'm not quite sure about this, I think it should be using -lssh_pic since
it's being linked into a .so, but nothing seems to complain ahd it does
work. (well, it works for using the authorized_keys file, but I have not
figured out how to get it to start a ssh-agent and cache the key for me)
PR: 17191
Submitted by: Adrian Pavlykevych <pam@polynet.lviv.ua>
might it confuse people, but it causes a warning message with
nroff, and no version history mentions a 1.2 version of FreeBSD.
If anything, a ``HISTORY'' section should show which version this
appeared in.
(From the author:)
Primarily, I have added built-in functions for manipulating the
environment, so putenv() is no longer used. XDM and its variants
should now work without modification. Note that the new code uses
the macros in <sys/queue.h>.
Submitted by: Andrew J. Korty <ajk@iu.edu>
"login auth sufficient pam_ssh.so" to your /etc/pam.conf, and
users with a ~/.ssh/identity can login(1) with their SSH key :)
PR: 15158
Submitted by: Andrew J. Korty <ajk@waterspout.com>
Reviewed by: obrien
track.
The $Id$ line is normally at the bottom of the main comment block in the
man page, separated from the rest of the manpage by an empty comment,
like so;
.\" $Id$
.\"
If the immediately preceding comment is a @(#) format ID marker than the
the $Id$ will line up underneath it with no intervening blank lines.
Otherwise, an additional blank line is inserted.
Approved by: bde
simple enough to be trusted.
Add account management functionality to the pam_unix module.
These changes should make it possible to use PAM in some ports.
Submitted by: Max Khon <fjoe@iclub.nsu.ru>
consider a linker set definition to be sufficient reason to pull an
object module from an archive library. This caused undefined
symbols when linking with libpam.a using a.out. I solved it by
linking in the object that references the linker set in the "ld -r"
step.
modules for FreeBSD's standard authentication methods. Although
the Linux-PAM modules are present in the contrib tree, we don't
use any of them.
The main library "libpam" is composed of sources taken from three
places. First are the standard Linux-PAM libpam sources from the
contrib tree. Second are the Linux-PAM "libpam_misc" sources, also
from the contrib tree. In Linux these form a separate library.
But as Mike Smith pointed out to me, that seems pointless, so I
have combined them into the libpam library. Third are some additional
sources from the "src/lib/libpam" tree with some common functions
that make it easier to write modules. Those I wrote myself.
This work has been donated to FreeBSD by Juniper Networks, Inc.
modules for FreeBSD's standard authentication methods. Although
the Linux-PAM modules are present in the contrib tree, we don't
use any of them.
The main library "libpam" is composed of sources taken from three
places. First are the standard Linux-PAM libpam sources from the
contrib tree. Second are the Linux-PAM "libpam_misc" sources, also
from the contrib tree. In Linux these form a separate library.
But as Mike Smith pointed out to me, that seems pointless, so I
have combined them into the libpam library. Third are some additional
sources from the "src/lib/libpam" tree with some common functions
that make it easier to write modules. Those I wrote myself.
This work has been donated to FreeBSD by Juniper Networks, Inc.
1) Don't spit out an error message if Kerberos is installed but not yet
set up.
2) Don't attempt to verify the ticket you got back, as workstations
are not intended to have srvtab files of their own.
Both behaviors can be re-enabled with KLOGIN_PARANOID.
