Dag-Erling Smørgrav
5d93b6af54
Since OpenSSH drops privileges before calling pam_open_session(3),
...
pam_lastlog(8) can't possibly work, so let OpenSSH handle lastlog.
Approved by: re (rwatson)
2002-12-03 15:48:11 +00:00
Robert Watson
64ac587b8a
Exempt the "wheel group requirement" by default when su'ing to root if
...
the wheel group has no explicit members listed in /etc/group. This adds
the "exempt_if_empty" flag to pam_wheel in the default configuration;
in some environments, it may be appropriate to remove this flag, however,
this default is the same as pre-pam_wheel.
Reviewed by: markm
Sponsored by: DARPA, Network Associates Laboratories
2002-10-18 02:39:21 +00:00
Dag-Erling Smørgrav
cda86084ab
Silence pam_lastlog for now.
2002-07-07 10:00:43 +00:00
Dag-Erling Smørgrav
bc39792308
We don't use this any more.
...
Sponsored by: DARPA, NAI Labs
2002-06-19 20:01:25 +00:00
Dag-Erling Smørgrav
bb151ea158
Enable OPIE for sshd and telnetd. I thought I'd done this a long time
...
ago...
Sponsored by: DARPA, NAI Labs
2002-06-19 20:00:43 +00:00
Dag-Erling Smørgrav
a87cdc1598
Use pam_lastlog(8)'s new no_fail option.
...
Sponsored by: DARPA, NAI Labs
2002-05-08 00:33:02 +00:00
Dag-Erling Smørgrav
05ade9be70
Add a PAM policy for rexecd(8).
...
Sponsored by: DARPA, NAI Labs
2002-05-02 05:05:28 +00:00
Dag-Erling Smørgrav
48988cd4bd
xdm plays horrid tricks with PAM, and dumps core if it's allowed to call
...
pam_lastlog, so add a dummy session chain to avoid using the one from
pam.d/other. I assume gdm does something similar, so give it a dummy
session chain as well.
Sponsored by: DARPA, NAI Labs.
2002-05-02 05:00:40 +00:00
Dag-Erling Smørgrav
4b448ce5d5
Add no_warn to pam_lastlog. This should prevent xdm from dumping core
...
when linked with Linux-PAM.
2002-04-29 15:22:00 +00:00
Dag-Erling Smørgrav
214f3239c0
Don't list pam_unix in the session chain, since it does not provide any
...
session management services.
Sponsored by: DARPA, NAI Labs
2002-04-18 17:40:27 +00:00
Ruslan Ermilov
5b3e868df5
Fixed bugs in previous revision:
...
Added NOOBJ if anyone even attempts to "make obj" here.
Revert to installing files with mode 644 except README.
Make this overall look like a BSD-style Makefile rather
than roll-your-own (this is not a bug).
For the record. Previous revision also fixed the breakage
introduced by the sys.mk,v 1.60 commit: bsd.own.mk is no
longer automatically included from sys.mk.
Reported by: jhay
2002-04-18 10:58:14 +00:00
Dag-Erling Smørgrav
8abb6072c1
Use ${FILES} and <bsd.prog.mk> rather than roll-your-own.
2002-04-18 10:07:36 +00:00
Dag-Erling Smørgrav
a64210378b
Add PAM policy for the "passwd" service, including a sample config line
...
for pam_passwdqc.
Sponsored by: DARPA, NAI Labs
2002-04-15 03:01:32 +00:00
Dag-Erling Smørgrav
ce93a006f1
Add pam_lastlog(8) here since I removed lastlog support from sshd.
...
Sponsored by: DARPA, NAI Labs
2002-04-15 02:46:24 +00:00
Dag-Erling Smørgrav
e5df14bff8
Use pam_rhosts(8).
2002-04-12 23:20:30 +00:00
Dag-Erling Smørgrav
540d48b77c
If used, pam_ssh should be marked "sufficient", not "required".
...
Sponsored by: DARPA, NAI Labs
2002-04-08 09:52:47 +00:00
Ruslan Ermilov
2735cfee64
Switch over to using pam_login_access(8) module in sshd(8).
...
(Fixes static compilation. Reduces diffs to OpenSSH.)
Reviewed by: bde
2002-03-26 12:52:28 +00:00
Dag-Erling Smørgrav
1f3030b053
Add missing "nullok" option to pam_unix.
2002-02-08 23:27:22 +00:00
Dag-Erling Smørgrav
34cab37003
Add pam_self(8) so users can login(1) as themselves without authentication,
...
pam_login_access(8) and pam_securetty(8) to enforce various checks
previously done by login(1) but now handled by PAM, and pam_lastlog(8) to
record login sessions in utmp / wtmp / lastlog.
Sponsored by: DARPA, NAI Labs
2002-01-30 19:13:23 +00:00
Dag-Erling Smørgrav
86f01a8b27
Use pam_self(8) to allow users to su(1) to themselves without authentication.
...
Sponsored by: DARPA, NAI Labs
2002-01-30 19:04:39 +00:00
Dag-Erling Smørgrav
ae739ec469
Enable OPIE by default, using the no_fake_prompts option to hide it from
...
users who don't wish to use it. If the admin is worried about leaking
information about which users exist and which have OPIE enabled, the
no_fake_prompts option can simply be removed.
Also insert the appropriate pam_opieaccess lines after pam_opie to break
the chain in case the user is logging in from an untrusted host, or has a
.opiealways file. The entire opieaccess / opiealways concept is slightly
unpammish, but admins familiar with OPIE will expect it to work.
Reviewed by: ache, markm
Sponsored by: DARPA, NAI Labs
2002-01-21 18:51:24 +00:00
Dag-Erling Smørgrav
819a142080
Really back out ache's commits. These files are now precisely as they were
...
twentyfour hours ago, except for RCS ids.
2002-01-19 18:29:50 +00:00
Andrey A. Chernov
0b836dfaf1
Back out recent changes
2002-01-19 18:03:11 +00:00
Andrey A. Chernov
3bfbfd1770
Turn on pam_opie by default. It should not affect non-OPIE users.
2002-01-19 10:31:32 +00:00
Andrey A. Chernov
a0fc79c334
Turn on pam_opie by default. It not affect non-OPIE users
2002-01-19 09:06:45 +00:00
Andrey A. Chernov
e04359cdac
Previous commit was incomplete, use
...
"[default=ignore success=done cred_err=die]"
options instead of "required"
2002-01-19 08:39:35 +00:00
Andrey A. Chernov
2bda025221
Remove explaining comment and pam_unix commented out, now pam_unix can be
...
chained with pam_opie
2002-01-19 07:32:47 +00:00
Andrey A. Chernov
a3643aa542
Change comment since fallback provided now not by ftpd but by pam_opie
2002-01-19 03:35:39 +00:00
Dag-Erling Smørgrav
4e8b159f5e
Unmunge the version preservation code and obfuscate it so CVS won't munge
...
it all over again.
2002-01-12 23:08:59 +00:00
Dag-Erling Smørgrav
f89a116468
Back out previous commit, which erroneously removed essential comments. I
...
definitely need coffee.
Apologies to: ache
2002-01-12 14:22:22 +00:00
Dag-Erling Smørgrav
ca90ed6b1c
Update copyright
2002-01-12 14:17:19 +00:00
Dag-Erling Smørgrav
84437855b4
Sync with pam.conf revision 1.25.
2002-01-12 13:50:33 +00:00
Dag-Erling Smørgrav
1c6246992a
Preserve FreeBSD version strings in target files.
2002-01-12 13:50:08 +00:00
Andrey A. Chernov
283004853b
Improve pam_unix/opie related ftpd comment even more
2002-01-02 09:51:33 +00:00
Andrey A. Chernov
2ac0b4865e
Clarify comment about pam_unix fallback for ftpd
2002-01-01 13:38:01 +00:00
Andrey A. Chernov
e0d2c39d84
Turn on pam_opie.so for ftpd by default
...
It not affect non-OPIE users
2002-01-01 13:27:11 +00:00
Dag-Erling Smørgrav
9446518a9a
Install pam.d files with mode 0644, not 0755.
2001-12-06 23:28:12 +00:00
Dag-Erling Smørgrav
c5a332f021
Makefile for pam.d configuration files.
...
Sponsored by: DARPA, NAI Labs
2001-12-06 13:16:47 +00:00
Dag-Erling Smørgrav
426ae370f4
Awright, egg on my face. I should have taken more time with this. The
...
conversion script generated the wrong format, so the configuration files
didn't actually work. Good thing I hadn't thrown the switch yet...
Sponsored by: DARPA, NAI Labs (but the f***ups are all mine)
2001-12-05 21:26:00 +00:00
Dag-Erling Smørgrav
23c103b894
pam.d-style configuration, auto-generated from pam.conf.
...
Sponsored by: DARPA, NAI Labs
2001-12-05 21:06:21 +00:00
Dag-Erling Smørgrav
2191f95faf
Short README for /etc/pam.d, mostly extracted from the comments in pam.conf.
2001-12-05 20:59:38 +00:00
Dag-Erling Smørgrav
179281f9bf
Perl script that splits pam.conf into separate files suitable for pam.d.
...
Sponsored by: DARPA, NAI Labs
2001-12-05 20:58:39 +00:00