Like su(1), make PAM use mandatory. Remove parts of the authentication

logic that are handled by PAM. Fix documentation to reflect this.
2001-08-30 11:27:36 +00:00 · 2001-08-30 11:27:36 +00:00 · 142277ce04
commit 142277ce04
parent 2b51efa03a
5 changed files with 7 additions and 82 deletions
--- a/usr.bin/login/Makefile
+++ b/usr.bin/login/Makefile
@ -5,16 +5,10 @@ PROG=	login
 SRCS=	login.c login_access.c login_fbtab.c
 MAN=	login.1 login.access.5

-CFLAGS+=-Wall -DLOGIN_ACCESS -DLOGALL
+CFLAGS+=-DLOGIN_ACCESS -DLOGALL

-DPADD=	${LIBUTIL} ${LIBCRYPT}
-LDADD=	-lutil -lcrypt
-
-.if !defined(NOPAM)
-CFLAGS+= -DUSE_PAM
-DPADD+=	${LIBPAM}
-LDADD+=	${MINUSLPAM}
-.endif
+DPADD=	${LIBUTIL} ${LIBCRYPT} ${LIBPAM}
+LDADD=	-lutil -lcrypt ${MINUSLPAM}

 BINMODE=4555
 INSTALLFLAGS=-fschg
--- a/usr.bin/login/README
+++ b/usr.bin/login/README
@ -4,8 +4,7 @@ Wietse Venema's logdaemon package.

 The following defines can be used:
 1) LOGIN_ACCESS to allow access control on a per tty/user combination
-2) SKEY to allow the use of s/key one time passwords
-3) LOGALL to log all logins
+2) LOGALL to log all logins

 -Guido

--- a/usr.bin/login/login.1
+++ b/usr.bin/login/login.1
@ -81,15 +81,6 @@ option disables this behavior.
 .El
 .Pp
 If the file
-.Pa /var/run/nologin
-exists,
-.Nm
-displays its contents to the user and exits.
-This is used by
-.Xr shutdown  8
-to prevent users from logging in when the system is about to go down.
-.Pp
-If the file
 .Pa /etc/login.access
 exists,
 .Nm
@ -105,15 +96,6 @@ exists,
 changes the protection and ownership of certain devices specified in this
 file.
 .Pp
-If the file
-.Pa /etc/skeykeys
-exists,
-.Nm
-will offer S/key password validation if the user has an entry in the file.
-.Pa /etc/skey.access
-controls from which hosts and/or networks the use of S/key passwords are
-obligated.
-.Pp
 Immediately after logging a user in,
 .Nm
 displays the system copyright notice, the date and time the user last
@ -159,12 +141,6 @@ login access control table
 login class capabilities database
 .It Pa /etc/motd
 message-of-the-day
-.It Pa /var/run/nologin
-disallows logins
-.It Pa /etc/skey.access
-skey password control table
-.It Pa /etc/skeykeys
-skey password database
 .It Pa /var/run/utmp
 current logins
 .It Pa /var/log/lastlog
@ -178,9 +154,8 @@ makes login quieter
 .It Pa /etc/auth.conf
 configure authentication services
 .It Pa /etc/pam.conf
-if
 .Nm
-is configured with PAM support, it uses
+uses
 .Pa /etc/pam.conf
 entries with service name
 .Dq login
@ -191,16 +166,12 @@ entries with service name
 .Xr csh 1 ,
 .Xr passwd 1 ,
 .Xr rlogin 1 ,
-.Xr skey 1 ,
 .Xr getpass 3 ,
 .Xr fbtab 5 ,
 .Xr login.access 5 ,
 .Xr login.conf 5 ,
-.Xr nologin 5 ,
-.Xr skey.access 5 ,
 .Xr utmp 5 ,
 .Xr environ 7 ,
-.Xr nologin 8 ,
 .Xr pam 8
 .Sh HISTORY
 A
--- a/usr.bin/login/login.c
+++ b/usr.bin/login/login.c
@ -78,11 +78,9 @@ static const char rcsid[] =
 #include <unistd.h>
 #include <utmp.h>

-#ifdef USE_PAM
 #include <security/pam_appl.h>
 #include <security/pam_misc.h>
 #include <sys/wait.h>
-#endif /* USE_PAM */

 #include "pathnames.h"

@ -92,7 +90,6 @@ static const char rcsid[] =
 #endif

 void	 badlogin __P((char *));
-void	 checknologin __P((void));
 void	 dolastlog __P((int));
 void	 getloginname __P((void));
 void	 motd __P((char *));
@ -105,7 +102,6 @@ void	 timedout __P((int));
 int	 login_access __P((char *, char *));
 void     login_fbtab __P((char *, uid_t, gid_t));

-#ifdef USE_PAM
 static int auth_pam __P((void));
 static int export_pam_environment __P((void));
 static int ok_to_export __P((const char *));
@ -121,7 +117,7 @@ static char **environ_pam;
 	if ((e = pam_end(pamh, e)) != PAM_SUCCESS) \
 		syslog(LOG_ERR, "pam_end: %s", pam_strerror(pamh, e)); \
 }
-#endif /* USE_PAM */
+
 static int auth_traditional __P((void));
 extern void login __P((struct utmp *));
 static void usage __P((void));
@ -158,7 +154,6 @@ main(argc, argv)
 	struct utmp utmp;
 	int rootok, retries, backoff;
 	int ask, ch, cnt, fflag, hflag, pflag, quietlog, rootlogin, rval;
-	int changepass;
 	time_t warntime;
 	uid_t uid, euid;
 	gid_t egid;
@ -167,10 +162,8 @@ main(argc, argv)
 	char tname[sizeof(_PATH_TTY) + 10];
 	char *shell = NULL;
 	login_cap_t *lc = NULL;
-#ifdef USE_PAM
 	pid_t pid;
 	int e;
-#endif /* USE_PAM */

 	(void)signal(SIGQUIT, SIG_IGN);
 	(void)signal(SIGINT, SIG_IGN);
@ -343,19 +336,16 @@ main(argc, argv)

 		(void)setpriority(PRIO_PROCESS, 0, -4);

-#ifdef USE_PAM
 		/*
 		 * Try to authenticate using PAM.  If a PAM system error
 		 * occurs, perhaps because of a botched configuration,
 		 * then fall back to using traditional Unix authentication.
 		 */
 		if ((rval = auth_pam()) == -1)
-#endif /* USE_PAM */
 			rval = auth_traditional();

 		(void)setpriority(PRIO_PROCESS, 0, 0);

-#ifdef USE_PAM
 		/*
 		 * PAM authentication may have changed "pwd" to the
 		 * entry for the template user.  Check again to see if
@ -363,7 +353,6 @@ main(argc, argv)
 		 */
 		if (pwd != NULL && pwd->pw_uid == 0)
 			rootlogin = 1;
-#endif /* USE_PAM */

 	ttycheck:
 		/*
@ -404,10 +393,6 @@ main(argc, argv)
 	 */
 	lc = login_getpwclass(pwd);

-	/* if user not super-user, check for disabled logins */
-	if (!rootlogin)
-		auth_checknologin(lc);
-
 	quietlog = login_getcapbool(lc, "hushlogin", 0);
 	/* Switching needed for NFS with root access disabled */
 	(void)setegid(pwd->pw_gid);
@ -443,21 +428,6 @@ main(argc, argv)
 			    ctime(&pwd->pw_expire));
 	}

-	warntime = login_getcaptime(lc, "warnpassword", DEFAULT_WARN,
-	    DEFAULT_WARN);
-
-	changepass = 0;
-	if (pwd->pw_change) {
-		if (tp.tv_sec >= pwd->pw_change) {
-			(void)printf("Sorry -- your password has expired.\n");
-			changepass = 1;
-			syslog(LOG_INFO, "%s Password expired - forcing change",
-			    pwd->pw_name);
-		} else if (pwd->pw_change - tp.tv_sec < warntime && !quietlog)
-			(void)printf("Warning: your password expires on %s",
-			    ctime(&pwd->pw_change));
-	}
-
 	if (lc != NULL) {
 		if (hostname) {
 			struct addrinfo hints, *res;
@ -598,7 +568,6 @@ main(argc, argv)
 		exit(1);
 	}

-#ifdef USE_PAM
 	if (pamh) {
 		if ((e = pam_open_session(pamh, 0)) != PAM_SUCCESS) {
 			syslog(LOG_ERR, "pam_open_session: %s",
@ -641,7 +610,6 @@ main(argc, argv)
 				    pam_strerror(pamh, e));
 		}
 	}
-#endif /* USE_PAM */

 	/*
 	 * We don't need to be root anymore, so
@ -705,11 +673,6 @@ main(argc, argv)
 	(void)signal(SIGINT, SIG_DFL);
 	(void)signal(SIGTSTP, SIG_IGN);

-	if (changepass) {
-		if (system(_PATH_CHPASS) != 0)
-			sleepexit(1);
-	}
-
 	/*
 	 * Login shells have a leading '-' in front of argv[0]
 	 */
@ -751,7 +714,6 @@ auth_traditional()
 	return rval;
 }

-#ifdef USE_PAM
 /*
 * Attempt to authenticate the user using PAM.  Returns 0 if the user is
 * authenticated, or 1 if not authenticated.  If some sort of PAM system
@ -892,7 +854,6 @@ ok_to_export(s)
 	}
 	return 1;
 }
-#endif /* USE_PAM */

 static void
 usage()
--- a/usr.bin/login/pathnames.h
+++ b/usr.bin/login/pathnames.h
@ -31,6 +31,7 @@
 * SUCH DAMAGE.
 *
 *	@(#)pathnames.h	8.1 (Berkeley) 6/9/93
+ * $FreeBSD$
 */

 #include <paths.h>
@ -40,4 +41,3 @@
 #define _PATH_LOGACCESS		"/etc/login.access"
 #define _PATH_FBTAB		"/etc/fbtab"
 #define _PATH_LOGINDEVPERM	"/etc/logindevperm"
-#define _PATH_CHPASS		"/usr/bin/passwd"