Before, we took the first argument to pam_exec(8). With the addition of
options in front of the command, this could be wrong.
Now, options are parsed before calling _pam_exec() and messages contain
the proper command name.
While here, fix a warning.
Sponsored by: Yakaz (http://www.yakaz.com)
pam_exec(8) now accepts a new option "return_prog_exit_status". When
set, the program exit status is used as the pam_exec return code. It
allows the program to tell why the step failed (eg. user unknown).
However, if it exits with a code not allowed by the calling PAM service
module function (see $PAM_SM_FUNC below), a warning is logged and
PAM_SERVICE_ERR is returned.
The following changes are related to this new feature but they apply no
matter if the "return_prog_exit_status" option is set or not.
The environment passed to the program is extended:
o $PAM_SM_FUNC contains the name of the PAM service module function
(eg. pam_sm_authenticate).
o All valid PAM return codes' numerical values are available
through variables named after the return code name. For instance,
$PAM_SUCCESS, $PAM_USER_UNKNOWN or $PAM_PERM_DENIED.
pam_exec return code better reflects what went on:
o If the program exits with !0, the return code is now
PAM_PERM_DENIED, not PAM_SYSTEM_ERR.
o If the program fails because of a signal (WIFSIGNALED) or doesn't
terminate normally (!WIFEXITED), the return code is now
PAM_SERVICE_ERR, not PAM_SYSTEM_ERR.
o If a syscall in pam_exec fails, the return code remains
PAM_SYSTEM_ERR.
waitpid(2) is called in a loop. If it returns because of EINTR, do it
again. Before, it would return PAM_SYSTEM_ERR without waiting for the
child to exit.
Several log messages now include the PAM service module function name.
The man page is updated accordingly.
Reviewed by: gleb@, des@
Sponsored by: Yakaz (http://www.yakaz.com)
MFC after: 2 weeks
several new kerberos related libraries and applications to FreeBSD:
o kgetcred(1) allows one to manually get a ticket for a particular service.
o kf(1) securily forwards ticket to another host through an authenticated
and encrypted stream.
o kcc(1) is an umbrella program around klist(1), kswitch(1), kgetcred(1)
and other user kerberos operations. klist and kswitch are just symlinks
to kcc(1) now.
o kswitch(1) allows you to easily switch between kerberos credentials if
you're running KCM.
o hxtool(1) is a certificate management tool to use with PKINIT.
o string2key(1) maps a password into key.
o kdigest(8) is a userland tool to access the KDC's digest interface.
o kimpersonate(8) creates a "fake" ticket for a service.
We also now install manpages for some lirbaries that were not installed
before, libheimntlm and libhx509.
- The new HEIMDAL version no longer supports Kerberos 4. All users are
recommended to switch to Kerberos 5.
- Weak ciphers are now disabled by default. To enable DES support (used
by telnet(8)), use "allow_weak_crypto" option in krb5.conf.
- libtelnet, pam_ksu and pam_krb5 are now compiled with error on warnings
disabled due to the function they use (krb5_get_err_text(3)) being
deprecated. I plan to work on this next.
- Heimdal's KDC now require sqlite to operate. We use the bundled version
and install it as libheimsqlite. If some other FreeBSD components will
require it in the future we can rename it to libbsdsqlite and use for these
components as well.
- This is not a latest Heimdal version, the new one was released while I was
working on the update. I will update it to 1.5.2 soon, as it fixes some
important bugs and security issues.
the LDADD/DPADD to lose the -lpam, and causing openpam_dynamic() to fail
due to "openpam_get_options" being undefined.
This would cause obscure console log messages like:
openpam_dynamic(): No error: 0
openpam_load_module(): no pam_unix.so found
and other helpful messages which are no help in diagnosing the problem.
Fortunately this change was not mfc'ed to 9.x, it isn't broken there.
is unencrypted. This defeats the nullok check, because it means a
non-null passphrase will successfully unlock the key.
To address this, try at first to load the key without a passphrase.
If this succeeds and the user provided a non-empty passphrase *or*
nullok is false, reject the key.
MFC after: 1 week
Noticed by: Guy Helmer <guy.helmer@palisadesystems.com>
Some consumers of PAM remove the /dev/ component (i.e. login), while
others don't (i.e. su). We must ensure that the /dev/ component is
removed to ensure that the utmpx entries properly work with tools such
as w(1).
Discussed with: des
MFC after: 1 week
This variable was added in r82352 back in 2001, but even then it didn't
have any use. Because it's not marked static, the C compiler won't
complain about it.
Discussed with: des
behavior, where the module checks that the supplicant is a member of the
required group. The latter checks the target user instead. If neither
option was specified, pam_group(8) assumes "ruser" and issues a warning.
I intend to eventually change the default to "luser" to match the
behavior of similarly-named service modules in other operating systems.
MFC after: 1 month
This option is available in the Linux implementation of pam_krb5
and allows to authorize a user not known to the local system.
Ccache is not used as we don't have a secure uid/gid for the cache file.
Usable for authentication of external kerberos users (e.g Active Directory)
via PAM from applications like Cyrus saslauthd, PHP or perl.
PR: bin/146186
Submitted by: myself
Approved by: deplhij (mentor)
MFC after: 2 weeks
By using random values for ut_id, not based on the TTY name, it is
possible to run for example login(1) multiple times on the same TTY,
without overwriting any previous records.
The output of w(1) will then be as follows:
| 12:26PM up 2 days, 2:31, 5 users, load averages: 0.01, 0.03, 0.03
| USER TTY FROM LOGIN@ IDLE WHAT
| ed pts/2 mekker.80386.nl 12:26PM - w
| root pts/2 - 12:26PM - w
| root pts/2 - 12:26PM - w
| root pts/2 - 12:26PM - w
Approved by: des
Similar to libexec/, do the same with lib/. Make WARNS=6 the norm and
lower it when needed.
I'm setting WARNS?=0 for secure/. It seems secure/ includes the
Makefile.inc provided by lib/. I'm not going to touch that directory.
Most of the code there is contributed anyway.
- Only set the fields in the ulog_utmpx structure that are valid for the
command in question. This means that strings like "shutdown" or "~"
are not visible to the user anymore.
- Rename UTXF_* to UTXI_*, indicating the indexation, instead of using
the `antique' filename. If we ever get rid of utmp, it makes little
sense calling it by its old name.