Commit Graph

636 Commits

Author SHA1 Message Date
Dag-Erling Smørgrav
0aa2700123 Put OPIE to rest.
Differential Revision: https://reviews.freebsd.org/D36592
2022-10-02 03:37:29 +02:00
John Baldwin
5ceec6c105 pam_unix: Fix mismatch in array bounds for make_salt().
Reviewed by:	imp, emaste
Reported by:	GCC -Warray-parameter
Differential Revision:	https://reviews.freebsd.org/D36759
2022-09-28 14:04:48 -07:00
Brooks Davis
0eea46fb1f Remove telnetd
The telnetd codebase is unmaintained and has a number of quality
issues. Telnet has been largely supplanted by ssh. If needed, a port is
available (net/freebsd-telnetd), but a more maintained implementation
should be prefered.

While the telnet client suffers from the same issues, it is deemed
to be of lower risk and is required to connect to legacy devices, so
it remains.

Reviewed by:	emaste, imp
Differential Revision:	https://reviews.freebsd.org/D36620
2022-09-28 19:53:49 +01:00
Jens Schweikhardt
59a1db5be6 Fix dead refs to pam(8) with pam(3) as well as some other PAM functions. 2022-09-16 19:33:30 +02:00
Dag-Erling Smørgrav
1e8a0a3053 Add deprecation notices for OPIE.
Differential Revision: https://reviews.freebsd.org/D36593
2022-09-15 16:29:00 +02:00
Felix Palmen
6f4d99c654 pam_unix: Remove bogus __unused attribute
Approved by:		cy, des, tcberner (mentor)
Differential Revision:	https://reviews.freebsd.org/D34320
2022-09-05 20:53:22 +02:00
Yan Ka Chiu
b75e0eed34 pam_exec: fix segfault when authtok is null
According to pam_exec(8), the `expose_authtok` option should be ignored
when the service function is `pam_sm_setcred`. Currently `pam_exec` only
prevent prompt for anth token when `expose_authtok` is set on
`pam_sm_setcred`. This subsequently led to segfault when there isn't an
existing auth token available.

Bug reported on this: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=263893

After reading https://reviews.freebsd.org/rS349556 I am not sure if the
default behaviour supposed to be simply not prompt for authentication
token, or is it to ignore the option entirely as stated in the man page.

This patch is therefore only adding an additional NULL check on the item
`pam_get_item` provide, and exit with `PAM_SYSTEM_ERR` when such item is
NULL.

MFC after:	1 week
Reviewed by:	des, khng
Differential Revision:	https://reviews.freebsd.org/D35169
2022-05-22 12:36:48 -04:00
Ed Maste
1323ec5712 ssh: update to OpenSSH v8.9p1
Release notes are available at https://www.openssh.com/txt/release-8.9

Some highlights:

 * ssh(1), sshd(8), ssh-add(1), ssh-agent(1): add a system for
   restricting forwarding and use of keys added to ssh-agent(1)

 * ssh(1), sshd(8): add the sntrup761x25519-sha512@openssh.com hybrid
   ECDH/x25519 + Streamlined NTRU Prime post-quantum KEX to the
   default KEXAlgorithms list (after the ECDH methods but before the
   prime-group DH ones). The next release of OpenSSH is likely to
   make this key exchange the default method.

 * sshd(8), portable OpenSSH only: this release removes in-built
   support for MD5-hashed passwords. If you require these on your
   system then we recommend linking against libxcrypt or similar.

Future deprecation notice
=========================

A near-future release of OpenSSH will switch scp(1) from using the
legacy scp/rcp protocol to using SFTP by default.

Legacy scp/rcp performs wildcard expansion of remote filenames (e.g.
"scp host:* .") through the remote shell. This has the side effect of
requiring double quoting of shell meta-characters in file names
included on scp(1) command-lines, otherwise they could be interpreted
as shell commands on the remote side.

MFC after:	1 month
Relnotes:	Yes
Sponsored by:	The FreeBSD Foundation
2022-04-13 16:00:56 -04:00
Emmanuel Vadot
93c4369096 pkgbase: Put more binaries/lib in runtime
Move some needed binaries/libs from FreeBSD-utilities to FreeBSD_runtime.
This is everything needed to boot to multiuser with FreeBSD-rc installed.

MFC after:	2 weeks
Sponsored by:	Beckhoff Automation GmbH & Co. KG
Differential Revision:	https://reviews.freebsd.org/D33435
2021-12-21 10:17:27 +01:00
Ed Maste
19261079b7 openssh: update to OpenSSH v8.7p1
Some notable changes, from upstream's release notes:

- sshd(8): Remove support for obsolete "host/port" syntax.
- ssh(1): When prompting whether to record a new host key, accept the key
  fingerprint as a synonym for "yes".
- ssh-keygen(1): when acting as a CA and signing certificates with an RSA
  key, default to using the rsa-sha2-512 signature algorithm.
- ssh(1), sshd(8), ssh-keygen(1): this release removes the "ssh-rsa"
  (RSA/SHA1) algorithm from those accepted for certificate signatures.
- ssh-sk-helper(8): this is a new binary. It is used by the FIDO/U2F
  support to provide address-space isolation for token middleware
  libraries (including the internal one).
- ssh(1): this release enables UpdateHostkeys by default subject to some
  conservative preconditions.
- scp(1): this release changes the behaviour of remote to remote copies
  (e.g. "scp host-a:/path host-b:") to transfer through the local host
  by default.
- scp(1): experimental support for transfers using the SFTP protocol as
  a replacement for the venerable SCP/RCP protocol that it has
  traditionally used.

Additional integration work is needed to support FIDO/U2F in the base
system.

Deprecation Notice
------------------

OpenSSH will disable the ssh-rsa signature scheme by default in the
next release.

Reviewed by:	imp
MFC after:	1 month
Relnotes:	Yes
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D29985
2021-09-07 21:05:51 -04:00
Emmanuel Vadot
b5be5c35db pkgbase: Create a FreeBSD-ftp package
ftp tools aren't that useful nowadays but some might want them.
Create a FreeBSD-ftp package so users have a choice to have
them or not.

Differential Revision:	https://reviews.freebsd.org/D31794
2021-09-07 10:25:23 +02:00
Emmanuel Vadot
a30235a4c3 pkgbase: Create a FreeBSD-kerberos package
This allows users to install or not kerberos related utilities
and libs.

Differential Revision:	https://reviews.freebsd.org/D31801
2021-09-07 10:23:14 +02:00
Emmanuel Vadot
c7fd29f0f2 pkgbase: Create a FreeBSD-telnet package
both telnet and telnetd aren't that useful nowadays but some
might want them.
Create a FreeBSD-telnet package so users have a choice to have
them or not.

Differential Revision:	https://reviews.freebsd.org/D31791
Reviewed by: emaste
2021-09-07 10:18:11 +02:00
Edward Tomasz Napierala
bfd8b9b826 pam: add option to not prompt for password if it's set to empty
Add a new option to pam_unix(8), "emptyok", which makes it not prompt
for password, if it's set to an empty one.  It is similar to "nullok",
which makes it not prompt for password if the hash itself is empty.

Reviewed By:	markj
Sponsored By:	NetApp, Inc.
Sponsored By:	Klara, Inc.
Differential Revision:	https://reviews.freebsd.org/D27569
2021-04-03 13:05:50 +01:00
Mark Johnston
6ab923cbca pam_login_access: Fix negative entry matching logic
PR:		252194
Approved by:	so
Security:	CVE-2020-25580
Security:	FreeBSD-SA-21:03.pam_login_access
2021-02-23 19:14:05 -05:00
Xin LI
941791759c Don't explicitly specify c99 or gnu99 as the default is now gnu99.
MFC after:	2 weeks
2020-08-17 05:57:02 +00:00
Dimitry Andric
228005931c Apply tentative fix for clang 11 warning in pam_exec(8):
lib/libpam/modules/pam_exec/pam_exec.c:222:56: error: format specifies type 'char *' but the argument has type 'const void *' [-Werror,-Wformat]
               if (asprintf(&envstr, "%s=%s", pam_item_env[i].name, item) < 0)
                                         ~~                         ^~~~
2020-08-06 19:31:52 +00:00
Emmanuel Vadot
9d7c39d873 pkgbase: Move telnetd and ftpd pam file to the utilities package
Both programs are in this package so put the pam.d file in there too.

Reported by:	emaste
Reviewed by:	emaste
Differential Revision:	https://reviews.freebsd.org/D24161
2020-03-24 01:08:06 +00:00
Cy Schubert
e8c4b9d46b This commit makes significant changes to pam_login_access(8) to bring it
up to par with the Linux pam_access(8).

Like the Linux pam_access(8) our pam_login_access(8) is a service module
for pam(3) that allows a administrator to limit access from specified
remote hosts or terminals. Unlike the Linux pam_access, pam_login_access
is missing some features which are added by this commit:

Access file can now be specified. The default remains /etc/access.conf.
The syntax is consistent with Linux pam_access.

By default usernames are matched. If the username fails to match a match
against a group name is attempted. The new nodefgroup module option will
only match a username and no attempt to match a group name is made.
Group names must be specified in brackets, "()" when nodefgroup is
specified. Otherwise the old backward compatible behavior is used.
This is consistent with Linux pam_access.

A new field separator module option allows the replacement of the default
colon (:) with any other character. This facilitates potential future
specification of X displays. This is also consistent with Linux pam_access.

A new list separator module option to replace the default space/comma/tab
with another character. This too is consistent with Linux pam_access.

Linux pam_access options not implemented in this commit are the debug
and audit options. These will be implemented at a later date.

Reviewed by:	bjk, bcr (for manpages)
Approved by:	des (blanket, implicit)
MFC after:	1 month
Differential Revision:	https://reviews.freebsd.org/D23198
2020-02-18 11:27:08 +00:00
Cy Schubert
6f1ed8ae58 strchr() returns a pointer not an int.
Reported by:	bjk
Approved by:	des (blanket, implicit)
MFC after:	3 days
2020-02-18 11:27:05 +00:00
Cy Schubert
9c9372ad3f Add missing SYNOPSIS section.
Reported by:	ports/textproc/igor
MFC after:	3 days
2020-02-18 11:27:02 +00:00
Cy Schubert
88fcc10c94 There is no pam(8) man page, it is pam(3).
Approved by:	des (implicit, blanket)
MFC after:	3 days
2020-02-18 11:26:59 +00:00
Cy Schubert
0d960f7379 When pam_login_access(5) fails to match a username it attempts to
match the primary group a user belongs to. This commit extends the
match to secondary groups a user belongs to as well, just as the Linux
pam_access(5) does.

Approved by:	des (implicit, blanket)
2020-02-18 11:26:56 +00:00
Cy Schubert
f47effabd5 The words ALL, LOCAL, and EXCEPT have special meaning and are documented
as in the login.access(5) man page. However strcasecmp() is used to compare
for these special strings. Because of this User accounts and groups with
the corresponding lowercase names are misintrepreted to have special
whereas they should not.

This commit fixes this, conforming to the man page and to how the Linux
pam_access(8) handles these special words.

Approved by:	des (implicit, blanket)
2020-02-18 11:26:52 +00:00
Simon J. Gerraty
2c9a9dfc18 Update Makefile.depend files
Update a bunch of Makefile.depend files as
a result of adding Makefile.depend.options files

Reviewed by:	 bdrewery
MFC after:	1 week
Sponsored by:   Juniper Networks
Differential Revision:  https://reviews.freebsd.org/D22494
2019-12-11 17:37:53 +00:00
Simon J. Gerraty
5ab1c5846f Add Makefile.depend.options
Leaf directories that have dependencies impacted
by options need a Makefile.depend.options file
to avoid churn in Makefile.depend

DIRDEPS for cases such as OPENSSL, TCP_WRAPPERS etc
can be set in local.dirdeps-options.mk
which can add to those set in Makefile.depend.options

See share/mk/dirdeps-options.mk

Reviewed by:	 bdrewery
MFC after:	1 week
Sponsored by:   Juniper Networks
Differential Revision:  https://reviews.freebsd.org/D22469
2019-12-11 17:37:37 +00:00
Emmanuel Vadot
a7b5a3d486 pkgbase: Put a lot of binaries and lib in FreeBSD-runtime
All of them are needed to be able to boot to single user and be able
to repair a existing FreeBSD installation so put them directly into
FreeBSD-runtime.

Reviewed by:    bapt, gjb
Differential Revision:  https://reviews.freebsd.org/D21503
2019-09-05 14:13:08 +00:00
Dag-Erling Smørgrav
4d34b914d4 Changes to the expose_password functionality:
- Implement use_first_pass, allowing expose_password to be used by other
   service functions than pam_auth() without prompting a second time.

 - Don't prompt for a password during pam_setcred().

PR:		238041
MFC after:	3 weeks
2019-06-30 14:46:15 +00:00
Cy Schubert
08f5bd9d06 Improve the legibility of the login.access.5 man page by separating
each argument into its own paragraph.

MFC after:	3 days
2019-05-07 20:39:39 +00:00
Brad Davis
becaaa9be9 Really fix pam install. Don't commit late at night or you make simple mistakes.
Reported by:	dumbbell
Approved by:	re (gjb), will (mentor)
2018-09-13 16:14:33 +00:00
Brad Davis
aad4d67d9c Fix build after r338621 by avoiding LINKS and installing the link manually.
Approved by:	re (rgrimes), will (mentor)
2018-09-13 07:48:49 +00:00
Brad Davis
219cf81b4d Move all pam related config to lib/libpam/
Approved by:	re (rgrimes), will (mentor), des
Differential Revision:	https://reviews.freebsd.org/D17122
2018-09-13 04:08:48 +00:00
Dag-Erling Smørgrav
190cef3d52 Upgrade to OpenSSH 7.8p1.
Approved by:	re (kib@)
2018-09-10 16:20:12 +00:00
Dag-Erling Smørgrav
e165d7bc39 For full Linux-PAM compatibility, add a trailing NUL character when
passing the authentication token to the external program.

Approved by:	re (kib)
Submitted by:	Thomas Munro <munro@ip9.org>
MFC after:	1 week
Differential Revision:	D16950
2018-09-04 10:51:41 +00:00
Dag-Erling Smørgrav
bb3ba83eee Add support for Linux-PAM's badly named expose_authtok option.
Submitted by:	Thomas Munro <munro@ip9.org>
MFC after:	1 week
Differential Revision:	D16171
2018-08-14 00:14:17 +00:00
Bryan Drewery
96a0acc4ce Don't use CCACHE for linking.
MFC after:	2 weeks
Sponsored by:	Dell EMC
2018-06-27 19:29:15 +00:00
Dag-Erling Smørgrav
716eff476a Forward Reply-Message attributes to the user, unless suppressed by the
new no_reply_message option.

MFC after:	1 week
Sponsored by:	The University of Oslo
2018-05-16 13:47:30 +00:00
Dag-Erling Smørgrav
47dd1d1b61 Upgrade to OpenSSH 7.7p1. 2018-05-11 13:22:43 +00:00
Pedro F. Giffuni
5e53a4f90f lib: further adoption of SPDX licensing ID tags.
Mainly focus on files that use BSD 2-Clause license, however the tool I
was using mis-identified many licenses so this was mostly a manual - error
prone - task.

The Software Package Data Exchange (SPDX) group provides a specification
to make it easier for automated tools to detect and summarize well known
opensource licenses. We are gradually adopting the specification, noting
that the tags are considered only advisory and do not, in any way,
superceed or replace the license texts.
2017-11-26 02:00:33 +00:00
Pedro F. Giffuni
8a16b7a18f General further adoption of SPDX licensing ID tags.
Mainly focus on files that use BSD 3-Clause license.

The Software Package Data Exchange (SPDX) group provides a specification
to make it easier for automated tools to detect and summarize well known
opensource licenses. We are gradually adopting the specification, noting
that the tags are considered only advisory and do not, in any way,
superceed or replace the license texts.

Special thanks to Wind River for providing access to "The Duke of
Highlander" tool: an older (2014) run over FreeBSD tree was useful as a
starting point.
2017-11-20 19:49:47 +00:00
Bryan Drewery
ea825d0274 DIRDEPS_BUILD: Update dependencies.
Sponsored by:	Dell EMC Isilon
2017-10-31 00:07:04 +00:00
Dag-Erling Smørgrav
79b67c8d4a If the user-provided password exceeds the maximum password length, don't
bother passing it to crypt().  It won't succeed and may allow an attacker
to confirm that the user exists.

Reported by:	jkim@
MFC after:	1 week
Security:	CVE-2016-6210
2017-10-26 13:23:13 +00:00
Dag-Erling Smørgrav
3869fb7832 Add options to capture stdout and / or stderr and pass the output on
to the user.  There is currently no buffering, so the result may be
somewhat unpredictable if the conversation function adds a newline,
like openpam_ttyconv() does.

Clean up and simplify the environment handling code, which triggered
an inexplicable bug on some systems.

MFC after:	2 weeks
2017-03-22 13:16:04 +00:00
Pedro F. Giffuni
94a1344578 Revert r314780
libpam: extra bounds checking through reallocarray(3).

It appears to be causing brokenness when reporting PAM_* environment
variables. This requires more investigation.

Reported by:	lstewart
2017-03-12 17:41:51 +00:00
Brooks Davis
0b25287b33 Use LDFLAGS rather than CFLAGS when linking.
Reviewed by:	kan
Obtained from:	CheriBSD
Sponsored by:	DARPA, AFRL
Differential Revision:	https://reviews.freebsd.org/D9882
2017-03-08 08:25:26 +00:00
Pedro F. Giffuni
b5120bbada libpam: extra bounds checking through reallocarray(3).
Reviewed by:	des
MFC after:	1 week
2017-03-06 15:45:46 +00:00
Pedro F. Giffuni
fdd2f2ebdd Revert r314777: wrong log, the change was to libpam. 2017-03-06 15:42:03 +00:00
Pedro F. Giffuni
bb7d0109d7 libfetch: extra bounds checking through reallocarray(3).
Reviewed by:	des
MFC after:	1 week
2017-03-06 15:37:34 +00:00
Dag-Erling Smørgrav
886c581471 Load default options before requesting a ticket.
PR:		213909
Reported by:	basarevych@gmail.com
MFC after:	1 week
2017-03-03 14:06:22 +00:00
Dag-Erling Smørgrav
f3b0ac3409 Upgrade to OpenPAM Radula. 2017-02-20 00:56:46 +00:00