d/freebsd-dev
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
90,459 Commits 72 Branches 135 Tags 3.2 GiB
af0f06d5ab
Commit Graph

55 Commits

Author SHA1 Message Date
des
af0f06d5ab Try to describe the control flags a little better. 2003-06-01 00:34:38 +00:00
markm
dc6ac7d338 The PAM module pam_krb5 does not have "session" capabilities. 
Don't give examples of such use, this is bogus.
 2003-04-30 21:57:54 +00:00
des
3c5f7b448b Add nullok to the pam_unix line. 2003-04-24 12:22:42 +00:00
ru
3a620497c0 Use the canonical form of installing links. 
Also, make "ftp" and "ftpd" hard links.

Not objected to by:	des
 2003-03-14 09:01:22 +00:00
markm
1e22e1bfaf Initiate KerberosIV de-orbit burn. Disconnect the /etc configs. 2003-03-08 09:50:11 +00:00
des
d0ae5c8b4f Add the allow_local option to all pam_opieaccess entries. 2003-02-16 13:02:39 +00:00
des
87c987bdea Add the want_agent option to the commented-out "session" pam_ssh entry. 2003-02-16 13:02:03 +00:00
des
0d733a1adf Major cleanup & homogenization. 2003-02-10 00:50:03 +00:00
des
55b6aeb7af No idea what this is for, and it doesn't make much sense. If a port needs 
it, it can install its own copy in /usr/local/etc/pam.d/.
 2003-02-10 00:49:44 +00:00
des
a421016872 There's no reason to have two identical policies for FTP servers, so 
make ftp a symlink to ftpd.
 2003-02-10 00:47:46 +00:00
des
371378b16a Use pam_group(8) instead of pam_wheel(8). 2003-02-06 14:33:23 +00:00
des
06dacd2b63 Don't enable pam_krb5 by default - most people don't have it since most 
people don't build with MAKE_KERBEROS5 defined.  Provide commented-out
usage examples instead, like we do everywhere else.

Pointy hat to:	des
 2003-02-03 14:45:02 +00:00
des
139e32e2e9 Enable pam_krb5 for sshd. I've had this in my tree for ages. 2003-02-02 18:41:26 +00:00
des
fabc8e6b97 Since OpenSSH drops privileges before calling pam_open_session(3), 
pam_lastlog(8) can't possibly work, so let OpenSSH handle lastlog.

Approved by:	re (rwatson)
 2002-12-03 15:48:11 +00:00
rwatson
954853597a Exempt the "wheel group requirement" by default when su'ing to root if 
the wheel group has no explicit members listed in /etc/group.  This adds
the "exempt_if_empty" flag to pam_wheel in the default configuration;
in some environments, it may be appropriate to remove this flag, however,
this default is the same as pre-pam_wheel.

Reviewed by:	markm
Sponsored by:	DARPA, Network Associates Laboratories
 2002-10-18 02:39:21 +00:00
des
bc0315bfdb Silence pam_lastlog for now. 2002-07-07 10:00:43 +00:00
des
c419b7873c We don't use this any more. 
Sponsored by:	DARPA, NAI Labs
 2002-06-19 20:01:25 +00:00
des
0b6f009171 Enable OPIE for sshd and telnetd. I thought I'd done this a long time 
ago...

Sponsored by:	DARPA, NAI Labs
 2002-06-19 20:00:43 +00:00
des
730b4e6a64 Use pam_lastlog(8)'s new no_fail option. 
Sponsored by:	DARPA, NAI Labs
 2002-05-08 00:33:02 +00:00
des
48f1207dbd Add a PAM policy for rexecd(8). 
Sponsored by:	DARPA, NAI Labs
 2002-05-02 05:05:28 +00:00
des
24aeeab445 xdm plays horrid tricks with PAM, and dumps core if it's allowed to call 
pam_lastlog, so add a dummy session chain to avoid using the one from
pam.d/other.  I assume gdm does something similar, so give it a dummy
session chain as well.

Sponsored by:	DARPA, NAI Labs.
 2002-05-02 05:00:40 +00:00
des
eb9b269289 Add no_warn to pam_lastlog. This should prevent xdm from dumping core 
when linked with Linux-PAM.
 2002-04-29 15:22:00 +00:00
des
eaad54c725 Don't list pam_unix in the session chain, since it does not provide any 
session management services.

Sponsored by:	DARPA, NAI Labs
 2002-04-18 17:40:27 +00:00
ru
34ee54afdd Fixed bugs in previous revision: 
Added NOOBJ if anyone even attempts to "make obj" here.
Revert to installing files with mode 644 except README.
Make this overall look like a BSD-style Makefile rather
than roll-your-own (this is not a bug).

For the record.  Previous revision also fixed the breakage
introduced by the sys.mk,v 1.60 commit: bsd.own.mk is no
longer automatically included from sys.mk.

Reported by:	jhay
 2002-04-18 10:58:14 +00:00
des
248181779e Use ${FILES} and <bsd.prog.mk> rather than roll-your-own. 2002-04-18 10:07:36 +00:00
des
7023ef3b38 Add PAM policy for the "passwd" service, including a sample config line 
for pam_passwdqc.

Sponsored by:	DARPA, NAI Labs
 2002-04-15 03:01:32 +00:00
des
865206abfa Add pam_lastlog(8) here since I removed lastlog support from sshd. 
Sponsored by:	DARPA, NAI Labs
 2002-04-15 02:46:24 +00:00
des
5418e961d8 Use pam_rhosts(8). 2002-04-12 23:20:30 +00:00
des
a7fb44f78a If used, pam_ssh should be marked "sufficient", not "required". 
Sponsored by:	DARPA, NAI Labs
 2002-04-08 09:52:47 +00:00
ru
0f415b71a1 Switch over to using pam_login_access(8) module in sshd(8). 
(Fixes static compilation.  Reduces diffs to OpenSSH.)

Reviewed by:	bde
 2002-03-26 12:52:28 +00:00
des
9a8ae53f42 Add missing "nullok" option to pam_unix. 2002-02-08 23:27:22 +00:00
des
9dbb172dca Add pam_self(8) so users can login(1) as themselves without authentication, 
pam_login_access(8) and pam_securetty(8) to enforce various checks
previously done by login(1) but now handled by PAM, and pam_lastlog(8) to
record login sessions in utmp / wtmp / lastlog.

Sponsored by:	DARPA, NAI Labs
 2002-01-30 19:13:23 +00:00
des
c8a2c04257 Use pam_self(8) to allow users to su(1) to themselves without authentication. 
Sponsored by:	DARPA, NAI Labs
 2002-01-30 19:04:39 +00:00
des
66e91eedff Enable OPIE by default, using the no_fake_prompts option to hide it from 
users who don't wish to use it.  If the admin is worried about leaking
information about which users exist and which have OPIE enabled, the
no_fake_prompts option can simply be removed.

Also insert the appropriate pam_opieaccess lines after pam_opie to break
the chain in case the user is logging in from an untrusted host, or has a
.opiealways file.  The entire opieaccess / opiealways concept is slightly
unpammish, but admins familiar with OPIE will expect it to work.

Reviewed by:	ache, markm
Sponsored by:	DARPA, NAI Labs
 2002-01-21 18:51:24 +00:00
des
1a0c96bd43 Really back out ache's commits. These files are now precisely as they were 
twentyfour hours ago, except for RCS ids.
 2002-01-19 18:29:50 +00:00
ache
e50a2ed85f Back out recent changes 2002-01-19 18:03:11 +00:00
ache
117e8056c2 Turn on pam_opie by default. It should not affect non-OPIE users. 2002-01-19 10:31:32 +00:00
ache
23920181ce Turn on pam_opie by default. It not affect non-OPIE users 2002-01-19 09:06:45 +00:00
ache
a1259ef12a Previous commit was incomplete, use 
"[default=ignore success=done cred_err=die]"
options instead of "required"
 2002-01-19 08:39:35 +00:00
ache
8ba7ff4550 Remove explaining comment and pam_unix commented out, now pam_unix can be 
chained with pam_opie
 2002-01-19 07:32:47 +00:00
ache
0cf05a6048 Change comment since fallback provided now not by ftpd but by pam_opie 2002-01-19 03:35:39 +00:00
des
96c7a40981 Unmunge the version preservation code and obfuscate it so CVS won't munge 
it all over again.
 2002-01-12 23:08:59 +00:00
des
50ae6b40a0 Back out previous commit, which erroneously removed essential comments. I 
definitely need coffee.

Apologies to:	ache
 2002-01-12 14:22:22 +00:00
des
874e7d43d8 Update copyright 2002-01-12 14:17:19 +00:00
des
7bbbf7122b Sync with pam.conf revision 1.25. 2002-01-12 13:50:33 +00:00
des
c4e9f0db58 Preserve FreeBSD version strings in target files. 2002-01-12 13:50:08 +00:00
ache
30c517e7ef Improve pam_unix/opie related ftpd comment even more 2002-01-02 09:51:33 +00:00
ache
b7285724c6 Clarify comment about pam_unix fallback for ftpd 2002-01-01 13:38:01 +00:00
ache
f4f268be78 Turn on pam_opie.so for ftpd by default 
It not affect non-OPIE users
 2002-01-01 13:27:11 +00:00
des
f31122a498 Install pam.d files with mode 0644, not 0755. 2001-12-06 23:28:12 +00:00