Dag-Erling Smørgrav
7f28386a26
This file needs <syslog.h>.
...
Sponsored by: DARPA, NAI Labs
2002-02-09 14:12:09 +00:00
Ruslan Ermilov
e47a40e7f7
Now that cross-tools ld(1) has been fixed to look for dynamic
...
dependencies in the correct place, record the fact that -lssh
depends on -lcrypto and -lz.
Removed false dependencies on -lz (except ssh(1) and sshd(8)).
Removed false dependencies on -lcrypto and -lutil for scp(1).
Reviewed by: markm
2002-02-08 13:42:58 +00:00
Mark Murray
30577d19fa
Remove NO_WERROR, now that WARNS=n is gone.
2002-02-06 18:46:48 +00:00
Mark Murray
427e2d5c02
Comment out the WARNS= so as to not trample all over the GCC3 work.
2002-02-06 18:14:59 +00:00
Dag-Erling Smørgrav
04f71c5352
Three times lucky: <stddef.h>, not <sys/param.h>
2002-02-05 08:01:32 +00:00
Dag-Erling Smørgrav
93cf4c1be3
Oops, the correct header to include for NULL is <sys/param.h>.
2002-02-05 07:53:00 +00:00
Dag-Erling Smørgrav
0ae5018b3e
#include <sys/types.h> for NULL (hidden by Linux-PAM header pollution)
...
Sponsored by: DARPA, NAI Labs
2002-02-05 06:20:27 +00:00
Dag-Erling Smørgrav
8c66575de8
#include cleanup.
...
Sponsored by: DARPA, NAI Labs
2002-02-05 06:08:26 +00:00
Mark Murray
34b28989d1
Explicitly declare (gcc internal) functions.
...
Submitted by: ru
2002-02-04 17:59:25 +00:00
Dag-Erling Smørgrav
12b6e9a089
ssh_get_authentication_connection() gets its parameters from environment
...
variables, so temporarily switch to the PAM environment before calling it.
Submitted by: Takanori Saneto <sanewo@ba2.so-net.ne.jp>
2002-02-04 17:15:44 +00:00
Mark Murray
95641278ef
Protect "make buildworld" against -Werror, as this module does not
...
build cleanly.
2002-02-04 16:09:25 +00:00
Mark Murray
21e5d74291
Add the other half of the salt-generating code. No functional
...
difference except that the salt is slightly harder to build
dictionaries against, and the code does not use srandom[dev]().
2002-02-04 00:28:54 +00:00
Mark Murray
63d770d8ea
Turn on fascist warning mode.
2002-02-03 15:51:52 +00:00
Mark Murray
ac5699692e
WARNS=n fixes (and some stylistic issues).
2002-02-03 15:17:57 +00:00
Dag-Erling Smørgrav
59057a6d6f
Remove an unnecessary #include that trips up OpenPAM. The header in question
...
is an internal Linux-PAM header which shouldn't be used outside Linux-PAM
itself, and has absolutely zero effect on pam_ftp.
Sponsored by: DARPA, NAI Labs
MFC after: 1 week
2002-02-02 17:51:39 +00:00
Dag-Erling Smørgrav
ab50ade43c
Post-repocopy cleanup.
...
Sponsored by: DARPA, NAI Labs
2002-02-01 22:25:07 +00:00
Dag-Erling Smørgrav
2d0a7148b6
Connect the pam_lastlog(8) and pam_login_access(8) modules to the build.
...
Sponsored by: DARPA, NAI Labs
2002-02-01 08:49:53 +00:00
Dag-Erling Smørgrav
c60ed00a43
Still with asbestos longjohns on, completely PAMify login(1) and remove
...
code made redundant by various PAM modules (primarily pam_unix(8)).
Sponsored by: DARPA, NAI Labs
2002-01-30 19:10:21 +00:00
Dag-Erling Smørgrav
e9cc7b1d92
With asbestos longjohns on, integrate most of the checks normally done by
...
login(1) (password & account expiry, hosts.access etc.) into pam_unix(8).
Sponsored by: DARPA, NAI Labs
2002-01-30 19:09:11 +00:00
Dag-Erling Smørgrav
a2d20838b0
Move the code from pam_sm_authenticate() to pam_sm_acct_mgmt(). Simplify
...
it a little and try to make it more resilient to various possible failure
conditions. Change the man page accordingly, and take advantage of this
opportunity to simplify its language.
Sponsored by: DARPA, NAI Labs
2002-01-30 19:03:16 +00:00
Mark Murray
c2065008b5
WARNS=4 fixes. Protect with NO_WERROR for the modules that have
...
warnings that are hard to fix or that I've been asked to leave alone.
2002-01-24 18:37:17 +00:00
Dag-Erling Smørgrav
f748a713da
PAM modules shouldn't call putenv(); pam_putenv() is sufficient. The
...
caller is supposed to check the PAM envlist and export the variables it
contains; if it doesn't, it's broken.
Sponsored by: DARPA, NAI Labs
2002-01-24 17:26:27 +00:00
Dag-Erling Smørgrav
9201dc40bf
Change the order in which pam_sm_open_session() updates the logs. This
...
doesn't really make any difference, except it matches wtmp(5) better.
Don't do anything in pam_sm_close_session(); init(8) will take care of
utmp and wtmp when the tty is released. Clearing them here would make it
possible to create a ghost session by logging in, running 'login -f $USER'
and exiting the subshell.
Sponsored by: DARPA, NAI Labs (but the bugs are all mine)
2002-01-24 17:15:04 +00:00
Dag-Erling Smørgrav
ca355e5451
Correctly interpret PAM_RHOST being unset as an indicator of a local
...
login.
Sponsored by: DARPA, NAI Labs
2002-01-24 16:18:43 +00:00
Dag-Erling Smørgrav
d233082fbe
Correctly interpret PAM_RHOST being unset as an indicator of a local
...
login.
2002-01-24 16:16:01 +00:00
Dag-Erling Smørgrav
e4536f1138
Style nits.
...
Sponsored by: DARPA, NAI Labs
2002-01-24 16:14:56 +00:00
Dag-Erling Smørgrav
f433d6afed
Document the even_root option.
...
Sponsored by: DARPA, NAI Labs
2002-01-24 13:35:06 +00:00
Dag-Erling Smørgrav
76f95f4dc2
Don't let root through unless the "even_root" option was specified.
...
Sponsored by: DARPA, NAI Labs
2002-01-24 12:47:42 +00:00
Dag-Erling Smørgrav
16e058b5d6
Add a PAM module that records sessions in utmp/wtmp/lastlog.
...
Sponsored by: DARPA, NAI Labs
2002-01-24 09:45:17 +00:00
Dag-Erling Smørgrav
c2d5249eaf
Fix some pastos. Rather shoddy of me...
...
Sponsored by: DARPA, NAI Labs
2002-01-24 09:44:22 +00:00
Dag-Erling Smørgrav
53f3167d07
Add a PAM module that provides an account management component for checking
...
either PAM_RHOST or PAM_TTY against /etc/login.access.o
This uncovers a problem with PAM_RHOST, in that if we always set it, there
is no way to distinguish between a user logging in locally and a user
logging in using 'ssh localhost'. This will be fixed by first making sure
that all PAM modules can handle PAM_RHOST being unset (which is currently
not the case), and then modifying su(1) and login(1) to not set it for
local logins.
Sponsored by: DARPA, NAI Labs
2002-01-23 17:42:16 +00:00
Dag-Erling Smørgrav
774a10071d
Add an AUTHORS section crediting ThinkSec, DARPA and NAI Labs.
...
Sponsored by: DARPA, NAI Labs
2002-01-23 17:16:00 +00:00
Ruslan Ermilov
0509dca0c3
Add pam_ssh support to the static PAM library, libpam.a:
...
- Spam /usr/lib some more by making libssh a standard library.
- Tweak ${LIBPAM} and ${MINUSLPAM}.
- Garbage collect unused libssh_pic.a.
- Add fake -lz dependency to secure/ makefiles needed for
dynamic linkage with -lssh.
Reviewed by: des, markm
Approved by: markm
2002-01-23 15:54:17 +00:00
Dag-Erling Smørgrav
b6b756b58b
Base the comparison on UIDs, not on user names.
...
Sponsored by: DARPA, NAI Labs
2002-01-23 15:16:01 +00:00
Ruslan Ermilov
fd4ca9e02d
Make libssh.so useable (undefined reference to IPv4or6).
...
Reviewed by: des, markm
Approved by: markm
2002-01-23 15:06:47 +00:00
Dag-Erling Smørgrav
1e22a4f048
Link pam_opieaccess, pam_self and pam_ssh into the static library.
...
Sponsored by: DARPA, NAI Labs
2002-01-21 20:43:01 +00:00
Dag-Erling Smørgrav
b0aa095ad0
On second thought, getpwnam() failure should be treated just as if the user
...
existed, but had no OPIE key, i.e. PAM_IGNORE.
Pointed out by: ache
Sponsored by: DARPA, NAI Labs
2002-01-21 19:05:45 +00:00
Dag-Erling Smørgrav
b4b56d051a
Return PAM_SERVICE_ERR rather than PAM_USER_UNKNOWN if getpwnam() fails, as
...
PAM_USER_UNKNOWN will break the chain, revealing to an attacker that the
user does not exist.
Sponsored by: DARPA, NAI Labs
2002-01-21 18:53:03 +00:00
Dag-Erling Smørgrav
03adba96a0
Further changes to allow enabling pam_opie(8) by default:
...
- Ignore the {try,use}_first_pass options by clearing PAM_AUTHTOK before
challenging the user. These options are meaningless for pam_opie(8)
since the user can't possibly know the right response before she sees
the challenge.
- Introduce the no_fake_prompts option. If this option is set, pam_opie(8)
will fail - rather than present a bogus challenge - if the target user
does not have an OPIE key. With this option, users who haven't set up
OPIE won't have to wonder what that "weird otp-md5 s**t" means :)
Reviewed by: ache, markm
Sponsored by: DARPA, NAI Labs
2002-01-21 18:46:25 +00:00
Dag-Erling Smørgrav
f460490260
Add a new module, pam_opieaccess(8), which is responsible for checking
...
/etc/opieaccess and ~/.opiealways so we can decide what to do after
pam_opie(8) fails.
Sponsored by: DARPA, NAI Labs
Reviewed by: ache, markm
2002-01-21 13:43:53 +00:00
Andrey A. Chernov
186caeedcb
snprintf bloat -> strlcpy
...
Add getpwnam return check
Approved by: des, markm
2002-01-20 20:56:47 +00:00
Andrey A. Chernov
0b836dfaf1
Back out recent changes
2002-01-19 18:03:11 +00:00
Andrey A. Chernov
6874115893
If user not exist in OPIE system, return failure immediately instead
...
of producing fake prompts with random numbers which can be detected by
potential intruder in two tries and totally confuse non-OPIE users.
2002-01-19 10:09:05 +00:00
Andrey A. Chernov
3195cd6712
Back out second right-now-expired password check in pam_sm_chauthtok,
...
old expired password assumed there
2002-01-19 09:23:36 +00:00
Andrey A. Chernov
012400dfcd
Previous commit was incomplete, use new error code PAM_CRED_ERR to
...
indicate die case, different from PAM_SUCCESS and PAM_AUTH_ERR
2002-01-19 08:36:47 +00:00
Andrey A. Chernov
d97cc81fa4
Rewrite 'pwok' fallback in the way it can be properly chained with pam_unix
...
Replace snprintf %s with strlcpy
Check for NULL returned from getpwnam()
2002-01-19 07:23:48 +00:00
Andrey A. Chernov
c8e3fac7a1
Add yet one expired-right-now password check, in pam_sm_chauthtok
...
srandomdev() can't be used in libraries, replace srandomdev()+random()
by arc4random()
2002-01-19 04:58:51 +00:00
Andrey A. Chernov
8c70adab72
Set pwok to 1 for non-OPIE users
2002-01-19 03:31:39 +00:00
Andrey A. Chernov
d54c36388e
Add missing check for right-now-expired password
2002-01-19 02:45:24 +00:00
Andrey A. Chernov
3f9a326a7a
Implement 'pwok', i.e. conditional fallback to unix password
...
as supposed by opieaccessfile() and opiealways()
2002-01-19 02:38:43 +00:00
Bruce Evans
b2035c2b74
Fixed a missing "const".
2001-12-28 20:59:44 +00:00
Ruslan Ermilov
7f432ff831
mdoc(7) police: bump document date.
2001-12-14 13:49:28 +00:00
David Malone
9f5b04e925
Style improvements recommended by Bruce as a follow up to some
...
of the recent WARNS commits. The idea is:
1) FreeBSD id tags should follow vendor tags.
2) Vendor tags should not be compiled (though copyrights probably should).
3) There should be no blank line between including cdefs and __FBSDIF.
2001-12-10 21:13:08 +00:00
Dag-Erling Smørgrav
18a85de04b
Back out previous commit.
...
Requested by: ru
2001-12-09 15:11:55 +00:00
Ruslan Ermilov
945b9f4de9
mdoc(7) police: sort xrefs.
2001-12-08 16:28:20 +00:00
Dag-Erling Smørgrav
bdd601a1e3
Get pam_mod_misc.h from .CURDIR rather than .OBJDIR or /usr/include.
...
Sponsored by: DARPA, NAI Labs
2001-12-07 11:51:47 +00:00
Dag-Erling Smørgrav
47c8f6faec
Now that _pam_init_handlers() works as intended, it seems clear that we
...
do not actually want to define PAM_READ_BOTH_CONFS, so back out previous
commit.
Sponsored by: DARPA, NAI Labs
2001-12-07 00:38:37 +00:00
Dag-Erling Smørgrav
a45af0e2b0
We need pam_client.h from libpamc. This unbreaks world
...
Pointed out by: jhay
Pointy hat to: des
2001-12-06 12:35:18 +00:00
Dag-Erling Smørgrav
87316434d1
Define PAM_READ_BOTH_CONFS. We can now have both /etc/pam.d and
...
/etc/pam.conf.
Sponsored by: DARPA, NAI Labs
2001-12-05 17:06:16 +00:00
Dag-Erling Smørgrav
bda74fe925
Install the correct version of pam_misc.h.
...
Sponsored by: DARPA, NAI Labs
2001-12-05 16:27:41 +00:00
Dag-Erling Smørgrav
8d3978c115
Add dummy functions for all module types. These dummies return PAM_IGNORE
...
rather than PAM_SUCCESS, so you'll get a failure if you list dummies but
no real modules for a particular module chain.
Sponsored by: DARPA, NAI Labs
2001-12-05 16:06:35 +00:00
Dag-Erling Smørgrav
d5a8dd3fb5
Connect the man page to the build.
...
Sponsored by: DARPA, NAI Labs
2001-12-05 16:02:50 +00:00
Dag-Erling Smørgrav
e2c8459e85
Add a pam_self authentication module that succeeds if and only if the local
...
and remote user names are the same.
Sponsored by: DARPA, NAI Labs
2001-12-05 15:55:14 +00:00
Mark Murray
1a8b24c257
Use __FBSDID(). Also do a bit of cosmetic #if and header-order
...
cleaning-up.
2001-12-02 20:54:57 +00:00
Mark Murray
d2f6cd8fd5
Style fixups.
...
Sort function declarations, includes. Make consistent WRT use of _P()
macro (ugh!)
Inspired by: bde
2001-12-01 21:12:04 +00:00
Mark Murray
e317b97026
WARNS=2 fixes.
...
Reviewed by: bde (a while back)
2001-12-01 17:46:46 +00:00
Brian Feldman
7d8cee925b
Fix pam_ssh by adding an IPv4or6 (evidently, this was broken by my last
...
OpenSSH import) declaration and strdup(3)ing a value which is later
free(3)d, rather than letting the system try to free it invalidly.
2001-11-29 21:16:11 +00:00
Dag-Erling Smørgrav
ca7e26e312
Mdoc police.
...
Submitted by: ru
2001-11-28 10:07:21 +00:00
Ruslan Ermilov
60c6736148
mdoc(7) police: fix one pam_unix(8) left-over, sort xrefs.
2001-11-28 09:25:03 +00:00
Dag-Erling Smørgrav
6a13dede6c
Add a pam_set_item(3) man page with an MLINK to pam_get_item(3).
...
PR: docs/32294
Sponsored by: DARPA, NAI Labs
MFC after: 3 days
2001-11-27 15:36:35 +00:00
Dag-Erling Smørgrav
b4a475937b
Create a pam_ssh(8) man page, based on a repo-copy of pam_unix(8).
...
License modified with original author's permission.
Sponsored by: DARPA, NAI Labs
2001-11-27 00:57:50 +00:00
Dag-Erling Smørgrav
d65e5dfa59
Document the local_pass and nis_pass options, add a few xrefs, and reorder
...
the SEE ALSO section. License modified with original author's permission.
Sponsored by: DARPA, NAI Labs
2001-11-27 00:53:10 +00:00
Dima Dorfman
a48060a2f7
Spelling police: sucessful -> successful.
2001-11-24 23:41:32 +00:00
Maxim Sobolev
bc3a4bf55d
Don't put an extra space after password prompts, because it violates POLA,
...
makes FreeBSD inconsistent with previous releases and "other unices" as well
as with some internal password-asking services (e.g. ftp) within the same
release.
2001-10-25 15:51:50 +00:00
Mark Murray
ce1e0bbc8f
Add library exposed by KDE's use if this module.
2001-10-18 20:05:20 +00:00
Matthew Dillon
ceaf33f537
Add __FBSDID()s to libpam
2001-09-30 22:11:06 +00:00
Mark Murray
6e925e8fc7
1) repair the return value in the PAM_RETURN() macro (Side effects!!).
...
2) canonicalise the options use in pam_options().
Submitted by: Gunnar Kreitz <gunnark@chello.se>
PR: 30250
2001-09-04 17:05:08 +00:00
Mark Murray
a41ad3fca9
Introduce a "noroot_ok" option to make this module ignore authentications
...
to a non-superuser if required.
2001-08-26 18:09:00 +00:00
Mark Murray
f96b705fa7
Introduce better logging, error reporting and use of login_cap data.
2001-08-26 18:05:35 +00:00
Mark Murray
76f4a6fd79
Add extra logging detail. This needs a more general solution.
2001-08-26 17:57:44 +00:00
Mark Murray
3d55a6c083
Big module makeover; improve logging, standardise variable names,
...
introduce ability to change passwords for both "usual" Unix methods
and NIS.
2001-08-26 17:41:13 +00:00
Mark Murray
47965f01dd
Add 'try_mapped_pass' standard option.
...
Asked for by: lukeh@PADL.COM
2001-08-20 12:43:19 +00:00
Mark Murray
ca0bdcdd29
Document the no_warn option.
2001-08-15 20:05:33 +00:00
Mark Murray
b5507a38bc
Fix a couple of cross-references to reflect the reality of the module.
2001-08-15 20:03:26 +00:00
Mark Murray
537db85291
Fix:
...
/usr/src/lib/libpam/modules/pam_ssh/pam_ssh.c has couple of bugs which cause:
1) xdm dumps core
2) ssh1 private key is not passed to ssh-agent
3) ssh2 RSA key seems not handled properly (just a guess from source)
4) ssh_get_authentication_connectionen() fails to get connection because of
SSH_AUTH_SOCK not defined.
PR: 29609
Submitted by: Takanori Saneto <sanewo@ba2.so-net.ne.jp>
2001-08-11 12:37:55 +00:00
Mark Murray
3938427761
Clean up this module very extensively. Fix the logging, the coding
...
standards and the option handling. This module is now much more easy
to maintain as a part of the FreeBSD tree.
2001-08-10 19:24:34 +00:00
Mark Murray
530ebf8e0a
Code clean up; make logging same as other modules and fix warnings.
2001-08-10 19:21:45 +00:00
Mark Murray
34beb374a2
General code clean-up. Sort out warnings, and make the warning and
...
logging work the same as other modules.
2001-08-10 19:18:52 +00:00
Mark Murray
0fa107a3cb
Simplify code. Also verbose logging, verbose overridable error reporting.
2001-08-10 19:15:48 +00:00
Mark Murray
65550d9b5a
Verbose logging, overridable verbose error reporting.
2001-08-10 19:12:59 +00:00
Mark Murray
b04259a5cf
Module clean-up. Verbose logging, Overridable verbose error reporting,
...
FreeBSD pam_prompt() usage to simplify conversation function usage.
2001-08-10 19:10:43 +00:00
Mark Murray
2108fbd748
Verbosely (overridable) report failure to the user.
2001-08-10 19:07:45 +00:00
Mark Murray
ceca323626
Use the FreeBSD pam_prompt() interface to the conversation function
...
instead of home-rolling it. Clean up debugging code and tidy the
module.
2001-08-10 19:05:57 +00:00
Mark Murray
3a9cdcb91f
Verbosely report errors to the user (overridable), and make sure
...
that the correct failure mode is reported.
2001-08-10 19:02:21 +00:00
Mark Murray
27b9f9d4a3
Fix broken logic so that this actually works for the superuser.
...
Verbosely log (properly).
Verbosely report errors to the user.
2001-08-10 14:21:58 +00:00
Mark Murray
cfa285d9e4
Rework this to prevent a nasty problem involving different modules'
...
option interacting with each other.
2001-08-10 14:16:47 +00:00
Mark Murray
0b2e8123ef
Declare the new user-error reporting macro.
...
This is a macro to allow use of the __FILE__ and __FUNCTION__
macros.
2001-08-10 14:15:00 +00:00
Mark Murray
a56dfc9b23
Add a routine for providing feedback via the conversation mechanism
...
(usually to stderr) for user-reportable errors.
2001-08-10 14:13:16 +00:00
Mark Murray
13cde2748e
Fix style/consistency in Makefile and repair static module building.
...
Submitted by: bde(partially)
2001-08-04 21:51:14 +00:00
Mark Murray
d5e53157cf
Don't clobber CFLAGS
...
Submitted by: bde
2001-08-04 21:49:30 +00:00
Mark Murray
4447e914e8
Fix the bug where this modulke was not checking the priamry GID, only
...
the GIDS in /etc/group or NIS's group map.
Tested by: sheldonh
PR: 29349
2001-08-04 09:19:31 +00:00
Mark Murray
f950650b78
With the S/KEY removal, this is no longer buildable or necessary.
2001-08-02 19:04:20 +00:00
Mark Murray
c52468e7ef
Don't try to make pam_ssh module if NO_OPENSSH is set.
2001-08-02 19:01:02 +00:00
Mark Murray
f5974d336f
Repair the get/set UID() stuff so this works in both su(1) and login(1)
...
modes.
2001-08-02 10:35:41 +00:00
Mark Murray
af1852503e
Making this major bump was a BAD idea. The API change is internal (to PAM)
...
and it caused problems without solving any.
2001-07-30 09:56:38 +00:00
Mark Murray
7b22794017
(Re)Add an SSH module for PAM, heavily based on Andrew Korty's module
...
from ports.
2001-07-29 18:31:09 +00:00
Ruslan Ermilov
0fa68d89e8
mdoc(7) police: widen width of the options list.
2001-07-18 14:49:32 +00:00
Mark Murray
0eb9c7b357
Update to the same level of debug-logging as the rest of the
...
FreeBSD/PAM modules.
2001-07-17 07:36:51 +00:00
Mark Murray
3741d46458
Update to the same code as in the pam_krb5.so port.
...
According to Peter, the port works - this needs more testing.
2001-07-17 07:34:36 +00:00
Dima Dorfman
f247324df7
Remove whitespace at EOL.
2001-07-15 08:06:20 +00:00
Mark Murray
f042a54245
Use a better method of getting user credentials to account for
...
(legal) UID duplication.
Rename use_uid to auth_as_self for consistency with other modules.
2001-07-14 08:42:39 +00:00
Mark Murray
6fd676c982
Use a better method to get user credentials to account for (legal)
...
duplications of UID's in /etc/*passwd.
2001-07-14 08:38:24 +00:00
Ruslan Ermilov
e8b02a428d
mdoc(7) police: -xwidth has been fold into -width.
2001-07-13 09:09:52 +00:00
Ruslan Ermilov
08ecaa10b2
mdoc(7) police: fixed markup, a little bit.
2001-07-11 08:36:26 +00:00
Ruslan Ermilov
63b81b76ca
mdoc(7) police: fixed markup any numerous typos.
2001-07-11 08:35:34 +00:00
Mark Murray
84f39079c5
Fix a horrible bug introduced by myself where the options collection
...
keeps on growing as the module stack is parsed.
2001-07-10 16:59:30 +00:00
Ruslan Ermilov
625003720a
mdoc(7) police: removed HISTORY info from the .Os call.
2001-07-10 14:16:33 +00:00
Ruslan Ermilov
a307d59838
mdoc(7) police: removed HISTORY info from the .Os call.
2001-07-10 13:41:46 +00:00
Mark Murray
1642eb1a52
Clean up (and in some cases write) the PAM mudules, using
...
o The new options-processing API
o The new DEBUG-logging API
Add man(1) pages for ALL modules. MDOC-Police welcome
to check this.
Audit, clean up while I'm here.
2001-07-09 18:20:51 +00:00
Mark Murray
5d87b61e6f
Bump the major number. The libraries API has changed incompatibly.
2001-07-09 18:16:33 +00:00
Mark Murray
c3a080c527
Almost completely rewrite the PAM module options processing
...
routines, and provide a more extended API for doing this.
Provide an API for debug logging.
Audit and clean up the code.
2001-07-09 18:14:43 +00:00
Ruslan Ermilov
5521ff5a4d
mdoc(7) police: sort SEE ALSO xrefs (sort -b -f +2 -3 +1 -2).
2001-07-06 16:46:48 +00:00
Ruslan Ermilov
88de1238eb
mdoc(7) police: fixed formatting.
2001-07-06 07:29:59 +00:00
Peter Wemm
d6be5f6435
Fix libpam's linker set stuff to use the new API (unbreak world), and get
...
rid of gensetdefs from here as well.
2001-06-14 01:13:30 +00:00
Chris Costello
8b136a6dde
Convert to mdoc(7).
2001-06-13 21:52:07 +00:00
Mark Murray
084a46829b
Big module cleanup.
...
Move common stuff into Makefile.inc, and tidy up all the Makefiles
as a result.
Build new modules.
Put a commented-out dependancy on libpam for the (shared) modules.
I can't bring this in just yet, as the dependancy (modules->libpam)
is reversed for the static case (libpam->modules).
2001-06-04 19:47:56 +00:00
Mark Murray
bc0105f860
Null file to bring back a file from the dead. This allows the real commit
...
to happen remotely. Damn CVS bugs :-(
2001-06-04 19:25:41 +00:00
Mark Murray
46efbac2ed
Add the "nullok" option that causes this module to succeed if the Unix
...
password is empty/null.
2001-06-04 19:16:57 +00:00
Mark Murray
35a2fbdee0
Tidy up the options list (and make it more extendable), and add some
...
extra "standard" options.
2001-06-04 19:12:08 +00:00
Mark Murray
397fa72521
Add some new utility authenticators.
...
pam_securetty silently succeeds if the user is on a secure tty
as defined by /etc/ttys.
pam_ftp does "anonymous ftp" style authentication with options for
specifying the anonymous user(s).
2001-06-04 18:44:47 +00:00
Mark Murray
4448b21cc6
Add the "auth_as_self" option to the pam_unix module (there is no
...
reason not to add it to others later). This causes the pam_unix
module to check the user's _own_ password, not the password of the
account that the user is authenticating into. This will allow eg:
WHEELSU type behaviour from su(1).
2001-05-24 18:35:52 +00:00
Mark Murray
84d6cd8ea1
Bring in a few useful PAM modules.
...
pam_krb5 is a Kerberos 5 (Heimdal) authentication module.
pam_nologin checks for /etc/nologin and does the "usual stuff"
if it is found, otherwise it silently succeeds.
pam_rootok silently succeeds if the user is root, otherwise
it fails.
pam_wheel silently succeeds if the user is a member of group
"wheel" (or another nominated group), and fails
otherwise.
There is an issue with kerberosIV and kerberos5 - if both are
being built, then static linking fails with duplicate symbols.
This will take a bit of work to sort out in the kerberii.
2001-05-14 11:23:58 +00:00
Brian Feldman
d67ad957e9
Finish disconnecting pam_ssh from the build.
2001-05-04 20:40:53 +00:00
Brian Feldman
253fb6ea3a
I've been meaning to take pam_ssh out of the base system for a while now.
...
Finally do it.
2001-05-04 03:53:48 +00:00
Mark Murray
556a280696
Update for (Linux-)PAM 0.75
2001-05-03 10:55:48 +00:00
Ruslan Ermilov
5f95f24bf4
mdoc(7) police: uppercase document title.
2001-04-18 08:25:26 +00:00
Ruslan Ermilov
4a558355e5
MAN[1-9] -> MAN.
2001-03-27 17:27:19 +00:00
John Baldwin
12e275aaee
Use a unified libgcc rather than a seperate one for threaded and
...
non-threaded programs. This provides threaded programs with the
needed exception frame symbols.
parts submitted by: Max Khon <fjoe@iclub.nsu.ru>
PR: 23252
2001-01-06 18:59:46 +00:00
David E. O'Brien
3f6014e672
Use a unified libgcc rather than a seperate one for threaded and
...
non-threaded programs. This provides threaded programs with the
needed exception frame symbols.
parts submitted by: Max Khon <fjoe@iclub.nsu.ru>
PR: 23252
2001-01-06 06:16:31 +00:00
Ruslan Ermilov
4263595653
Prepare for mdoc(7)NG.
2000-12-29 14:08:20 +00:00
Ruslan Ermilov
ed40311694
mdoc(7) police: removed history info from the .Os FreeBSD call.
2000-12-14 11:52:05 +00:00
Brian Feldman
386879a128
Forgot to remove the old line in the last commit.
2000-12-05 02:41:01 +00:00
Brian Feldman
ee510eab3f
In env_destroy(), it is a bad idea to env_swap(self, 0) to switch
...
back to the original environ unconditionally. The setting of the
variable to save the previous environ is conditional; it happens when
ENV.e_committed is set. Therefore, don't try to swap the env back
unless the previous env has been initialized.
PR: bin/22670
Submitted by: Takanori Saneto <sanewo@ba2.so-net.ne.jp>
2000-11-25 02:00:35 +00:00
Bill Fumerola
2a644691bc
Correct an arguement to ssh_add_identity, this matches what is currently
...
in ports/security/openssh/files/pam_ssh.c
PR: 22164
Submitted by: Takanori Saneto <sanewo@ba2.so-net.ne.jp>
Reviewed by: green
Approved by: green
2000-11-25 01:55:42 +00:00
Ruslan Ermilov
725ab6287f
log
2000-11-22 09:23:54 +00:00
Kris Kennaway
4f00f8562d
Update to the version of pam_ssh corresponding to OpenSSH 2.1 (taken
...
from the openssh port)
Submitted by: Hajimu UMEMOTO <ume@mahoroba.org>
2000-05-30 09:03:15 +00:00
Jake Burkholder
e39756439c
Back out the previous change to the queue(3) interface.
...
It was not discussed and should probably not happen.
Requested by: msmith and others
2000-05-26 02:09:24 +00:00
Jake Burkholder
740a1973a6
Change the way that the queue(3) structures are declared; don't assume that
...
the type argument to *_HEAD and *_ENTRY is a struct.
Suggested by: phk
Reviewed by: phk
Approved by: mdodd
2000-05-23 20:41:01 +00:00
Kris Kennaway
acf3af98c9
Connect pam_opie to the build.
2000-04-17 00:19:30 +00:00
Kris Kennaway
01331fc70c
Add pam_opie, a PAM module using the OPIE one-time-password scheme.
...
Submitted by: Jim Bloom <bloom@acm.org>
2000-04-17 00:14:42 +00:00
Kris Kennaway
e31adaffd9
Fix a memory leak.
...
PR: 17360
Submitted by: Andrew J. Korty <ajk@iu.edu>
2000-03-29 08:24:37 +00:00
Bruce Evans
e915afdee4
Fixed missing libraries in DPADD.
...
Fixed some style bugs (some usual ones for DPADD and LDADD, and
misformatting of $FreeBSD$).
2000-03-27 15:24:45 +00:00
Kris Kennaway
bb49f794f5
Buildworld fixes for NO_OPENSSH and NO_OPENSSL
...
Approved by: jkh
2000-03-09 06:29:05 +00:00
Peter Wemm
330bc838ab
Make pam_ssh work. It had an undefined symbol when it was dlopen()ed.
...
I'm not quite sure about this, I think it should be using -lssh_pic since
it's being linked into a .so, but nothing seems to complain ahd it does
work. (well, it works for using the authorized_keys file, but I have not
figured out how to get it to start a ssh-agent and cache the key for me)
PR: 17191
Submitted by: Adrian Pavlykevych <pam@polynet.lviv.ua>
2000-03-06 15:28:30 +00:00
Sheldon Hearn
c6ff3a1bf7
Remove single-space hard sentence breaks. These degrade the quality
...
of the typeset output, tend to make diffs harder to read and provide
bad examples for new-comers to mdoc.
2000-03-02 09:14:21 +00:00
Sheldon Hearn
87faa07bec
Remove single-space hard sentence breaks. These degrade the quality
...
of the typeset output, tend to make diffs harder to read and provide
bad examples for new-comers to mdoc.
2000-03-01 12:20:22 +00:00
Mark Murray
dc9650a4a8
Don't try to build k5 PAM; it ain't ready yet.
2000-02-28 21:00:50 +00:00
Søren Schmidt
b3595df45d
Same fix as in ../modules, dont use the crypto stuff if its not there.
2000-02-26 12:26:25 +00:00
Peter Wemm
49838bb95b
Argh, I can't win today. Spell ${.CURDIR} correctly.
2000-02-26 11:16:08 +00:00
Peter Wemm
b753aec26f
Don't build pam_ssh if the crypto code is missing.
...
Found by: sos
2000-02-26 11:14:17 +00:00
Peter Wemm
2307080405
Redo this with a repo copy from the original file and reset the
...
__PREFIX__ markers.
2000-02-26 09:59:14 +00:00
Mark Murray
d3e3752170
Use libcrypto instead of libdes.
...
Also - OpenSSH blesses us with a module for PAM.
2000-02-24 22:24:37 +00:00
Chris Costello
111b70aa08
Remove the version information from `.Os FreeBSD' here. Not only
...
might it confuse people, but it causes a warning message with
nroff, and no version history mentions a 1.2 version of FreeBSD.
If anything, a ``HISTORY'' section should show which version this
appeared in.
2000-02-14 01:47:54 +00:00
Brian Feldman
0e17bca17c
Upgrade to the pam_ssh module, version 1.1..
...
(From the author:)
Primarily, I have added built-in functions for manipulating the
environment, so putenv() is no longer used. XDM and its variants
should now work without modification. Note that the new code uses
the macros in <sys/queue.h>.
Submitted by: Andrew J. Korty <ajk@iu.edu>
1999-12-28 05:32:54 +00:00
Brian Feldman
b71e3dafa5
Add the PAM SSH RSA key authentication module. For example, you can add,
...
"login auth sufficient pam_ssh.so" to your /etc/pam.conf, and
users with a ~/.ssh/identity can login(1) with their SSH key :)
PR: 15158
Submitted by: Andrew J. Korty <ajk@waterspout.com>
Reviewed by: obrien
1999-11-29 07:09:44 +00:00
Marcel Moolenaar
ee98eb8e13
Don't include Kerberos if NOCRYPT is defined, because it isn't build
...
if NOCRYPT is defined. Likewise, don't include DES if NOSECURE is
defined.
1999-11-14 15:48:29 +00:00
Mark Murray
394b3be19e
Add libcrypt. This previously/coincidentally worked for login,
...
because login was already linked against it, but others have a
problem.
1999-09-30 18:53:34 +00:00
Mark Murray
33f891d293
Common Error libraries are needed here.
1999-09-20 06:23:16 +00:00
Peter Wemm
c3aac50f28
$Id$ -> $FreeBSD$
1999-08-28 01:08:13 +00:00
Peter Wemm
7f3dea244c
$Id$ -> $FreeBSD$
1999-08-28 00:22:10 +00:00
Andrzej Bialecki
da33d9001c
Restore INTERNALLIB.
...
Noticed by: bde,jdp
1999-08-20 18:32:45 +00:00
Andrzej Bialecki
c747c0c757
Add pam_radius.so manual page.
...
Reviewed by: jdp
1999-08-18 19:04:24 +00:00
Nik Clayton
3be5f1f5ce
Add $Id$, to make it simpler for members of the translation teams to
...
track.
The $Id$ line is normally at the bottom of the main comment block in the
man page, separated from the rest of the manpage by an empty comment,
like so;
.\" $Id$
.\"
If the immediately preceding comment is a @(#) format ID marker than the
the $Id$ will line up underneath it with no intervening blank lines.
Otherwise, an additional blank line is inserted.
Approved by: bde
1999-07-12 20:24:20 +00:00
John Polstra
d65b34db7d
Revive the pam_deny and pam_permit modules from Linux-PAM. They are
...
simple enough to be trusted.
Add account management functionality to the pam_unix module.
These changes should make it possible to use PAM in some ports.
Submitted by: Max Khon <fjoe@iclub.nsu.ru>
1999-05-08 01:59:27 +00:00
John Polstra
ce9f8663f9
Fix bug that prevented accounts with empty passwords from logging
...
in.
Submitted by: Paul Traina <pst@juniper.net>
1999-04-06 19:48:53 +00:00
John Polstra
abea79b879
Fix breakage for the static a.out case. The a.out linker doesn't
...
consider a linker set definition to be sufficient reason to pull an
object module from an archive library. This caused undefined
symbols when linking with libpam.a using a.out. I solved it by
linking in the object that references the linker set in the "ld -r"
step.
1999-01-22 12:43:42 +00:00
John Polstra
a397d09e64
Revert my last change, "Rename some globals to reduce namespace
...
pollution." Unfortunately, some of these globals are used by ftpd,
and I broke make world. Pointy hat, please.
1999-01-21 22:02:31 +00:00
John Polstra
4479239b60
Rename some globals to reduce namespace pollution.
1999-01-20 22:50:37 +00:00
John Polstra
9294327d4a
Make it possible to use PAM in statically-linked applications.
1999-01-20 21:55:30 +00:00
John Polstra
9a7030e9fc
Fix an NFS-related installation problem.
...
Submitted by: asami
1999-01-11 16:08:02 +00:00
Matthew Dillon
4bc34f94d6
Obtained from: "Jan B. Koum " <jkb@best.com>
...
Add a reference to pam(8) in the login(1) and login.access(5) manual
pages.
1998-12-01 17:05:08 +00:00
John Polstra
c273f24b99
Install PAM modules into ${SHLIBDIR}, not ${LIBDIR}.
...
Noticed by: bde
1998-11-22 19:33:27 +00:00
John Polstra
9a10bb17e1
Build structure for contribified Linux-PAM, plus some home-grown
...
modules for FreeBSD's standard authentication methods. Although
the Linux-PAM modules are present in the contrib tree, we don't
use any of them.
The main library "libpam" is composed of sources taken from three
places. First are the standard Linux-PAM libpam sources from the
contrib tree. Second are the Linux-PAM "libpam_misc" sources, also
from the contrib tree. In Linux these form a separate library.
But as Mike Smith pointed out to me, that seems pointless, so I
have combined them into the libpam library. Third are some additional
sources from the "src/lib/libpam" tree with some common functions
that make it easier to write modules. Those I wrote myself.
This work has been donated to FreeBSD by Juniper Networks, Inc.
1998-11-18 01:44:37 +00:00
Philippe Charnier
306005e78c
.Sh AUTHOR -> .Sh AUTHORS. Use .An/.Aq.
1998-03-23 07:48:45 +00:00
Mark Murray
7f80a02080
Changes for KTH KerberosIV.
...
Also quieten -Wall a bit.
1997-09-28 08:57:24 +00:00
Philippe Charnier
9c9cb2bffe
= -> ==, strcpy -> strncpy from OpenBSD.
...
update man page. Add usage().
Obtained from: OpenBSD
1997-07-22 07:39:43 +00:00
Masafumi Max NAKANE
d778c2c01b
Fix the man page's title (.Dt).
...
(It has been ``SKEY.ACCESS''.)
1997-06-02 17:24:36 +00:00
Paul Traina
2ed98aa017
Cruft cleanup to eliminate useless warnings
1997-02-02 21:33:37 +00:00
Paul Traina
39ea627d62
Fix some compilation warnings.
1996-09-21 18:01:23 +00:00
Mark Murray
bbff7ca556
#include <kerberosIV/des.h> -> #include <des.h>
1996-02-11 09:18:18 +00:00
Rodney W. Grimes
7799f52a32
Remove trailing whitespace.
1995-05-30 06:41:30 +00:00
Garrett Wollman
2ade60ce3c
In the non-PARANOID case, make sure to set `notickets' to 0 sothat login.c
...
doesn't complain.
1995-01-20 23:07:10 +00:00
Garrett Wollman
758f3a64bd
Modify klogin to:
...
1) Don't spit out an error message if Kerberos is installed but not yet
set up.
2) Don't attempt to verify the ticket you got back, as workstations
are not intended to have srvtab files of their own.
Both behaviors can be re-enabled with KLOGIN_PARANOID.
1995-01-14 22:57:41 +00:00
Guido van Rooij
7c4c6e58ba
Add skey supprot
...
Reviewed by:
Submitted by: guido
1994-08-21 19:26:22 +00:00
Rodney W. Grimes
efd31c5952
Initial revision
1994-05-27 12:32:03 +00:00