Now pam_nologin(8) will provide an account management function

instead of an authentication function. There are a design reason and a practical reason for that. First, the module belongs in account management because it checks availability of the account and does no authentication. Second, there are existing and potential PAM consumers that skip PAM authentication for good or for bad. E.g., sshd(8) just prefers internal routines for public key auth; OTOH, cron(8) and atrun(8) do implicit authentication when running a job on behalf of its owner, so their inability to use PAM auth is fundamental, but they can benefit from PAM account management. Document this change in the manpage. Modify /etc/pam.d files accordingly, so that pam_nologin.so is listed under the "account" function class. Bump __FreeBSD_version (mostly for ports, as this change should be invisible to C code outside pam_nologin.) PR: bin/112574 Approved by: des, re
2007-06-10 18:57:20 +00:00 · 2007-06-10 18:57:20 +00:00 · 9cd40e64b4
commit 9cd40e64b4
parent 6ceeb2bc16
15 changed files with 45 additions and 32 deletions
--- a/18
+++ b/18
@ -21,6 +21,24 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 7.x IS SLOW:
 	developers choose to disable these features on build machines
 	to maximize performance.

+20070610:
+	The pam_nologin(8) module ceases to provide an authentication
+	function and starts providing an account management function.
+	Consequent changes to /etc/pam.d should be brought in using
+	mergemaster(8).  Third-party files in /usr/local/etc/pam.d may
+	need manual editing as follows.  Locate this line (or similar):
+
+		auth	required	pam_nologin.so	no_warn
+
+	and change it according to this example:
+
+		account	required	pam_nologin.so	no_warn
+
+	That is, the first word needs to be changed from "auth" to
+	"account".  The new line can be moved to the account section
+	within the file for clarity.  Not updating pam.conf(5) files
+	will result in nologin(5) ignored by the respective services.
+
 20070529:
 	The ether_ioctl() function has been synchronized with ioctl(2)
 	and ifnet.if_ioctl.  Due to that, the size of one of its arguments
--- a/etc/pam.d/ftpd
+++ b/etc/pam.d/ftpd
@ -5,7 +5,6 @@
 #

 # auth
-auth		required	pam_nologin.so		no_warn
 auth		sufficient	pam_opie.so		no_warn no_fake_prompts
 auth		requisite	pam_opieaccess.so	no_warn allow_local
 #auth		sufficient	pam_krb5.so		no_warn
@ -13,6 +12,7 @@ auth		requisite	pam_opieaccess.so	no_warn allow_local
 auth		required	pam_unix.so		no_warn try_first_pass

 # account
+account		required	pam_nologin.so
 #account 	required	pam_krb5.so
 account		required	pam_unix.so

--- a/etc/pam.d/gdm
+++ b/etc/pam.d/gdm
@ -5,12 +5,12 @@
 #

 # auth
-auth		required	pam_nologin.so		no_warn
 #auth		sufficient	pam_krb5.so		no_warn try_first_pass
 #auth		sufficient	pam_ssh.so		no_warn try_first_pass
 auth		required	pam_unix.so		no_warn try_first_pass

 # account
+account		required	pam_nologin.so
 #account 	required	pam_krb5.so
 account		required	pam_unix.so

--- a/etc/pam.d/imap
+++ b/etc/pam.d/imap
@ -5,7 +5,9 @@
 #

 # auth
-#auth		required	pam_nologin.so		no_warn
 #auth		sufficient	pam_krb5.so		no_warn try_first_pass
 #auth		sufficient	pam_ssh.so		no_warn try_first_pass
 auth		required	pam_unix.so		no_warn try_first_pass
+
+# account
+#account	required	pam_nologin.so
--- a/etc/pam.d/kde
+++ b/etc/pam.d/kde
@ -5,12 +5,12 @@
 #

 # auth
-auth		required	pam_nologin.so		no_warn
 #auth		sufficient	pam_krb5.so		no_warn try_first_pass
 #auth		sufficient	pam_ssh.so		no_warn try_first_pass
 auth		required	pam_unix.so		no_warn try_first_pass

 # account
+account		required	pam_nologin.so
 #account 	required	pam_krb5.so
 account		required	pam_unix.so

--- a/etc/pam.d/login
+++ b/etc/pam.d/login
@ -5,12 +5,12 @@
 #

 # auth
-auth		required	pam_nologin.so		no_warn
 auth		sufficient	pam_self.so		no_warn
 auth		include		system

 # account
 account		requisite	pam_securetty.so
+account		required	pam_nologin.so
 account		include		system

 # session
--- a/etc/pam.d/other
+++ b/etc/pam.d/other
@ -5,7 +5,6 @@
 #

 # auth
-auth		required	pam_nologin.so		no_warn
 auth		sufficient	pam_opie.so		no_warn no_fake_prompts
 auth		requisite	pam_opieaccess.so	no_warn allow_local
 #auth		sufficient	pam_krb5.so		no_warn try_first_pass
@ -13,6 +12,7 @@ auth		requisite	pam_opieaccess.so	no_warn allow_local
 auth		required	pam_unix.so		no_warn try_first_pass

 # account
+account		required	pam_nologin.so
 #account 	required	pam_krb5.so
 account		required	pam_login_access.so
 account		required	pam_unix.so
--- a/etc/pam.d/pop3
+++ b/etc/pam.d/pop3
@ -5,7 +5,9 @@
 #

 # auth
-#auth		required	pam_nologin.so		no_warn
 #auth		sufficient	pam_krb5.so		no_warn try_first_pass
 #auth		sufficient	pam_ssh.so		no_warn try_first_pass
 auth		required	pam_unix.so		no_warn try_first_pass
+
+# account
+#account	required	pam_nologin.so
--- a/etc/pam.d/rsh
+++ b/etc/pam.d/rsh
@ -5,10 +5,10 @@
 #

 # auth
-auth		required	pam_nologin.so		no_warn
 auth		required	pam_rhosts.so		no_warn

 # account
+account		required	pam_nologin.so
 account		required	pam_unix.so

 # session
--- a/etc/pam.d/sshd
+++ b/etc/pam.d/sshd
@ -5,7 +5,6 @@
 #

 # auth
-auth		required	pam_nologin.so		no_warn
 auth		sufficient	pam_opie.so		no_warn no_fake_prompts
 auth		requisite	pam_opieaccess.so	no_warn allow_local
 #auth		sufficient	pam_krb5.so		no_warn try_first_pass
@ -13,6 +12,7 @@ auth		requisite	pam_opieaccess.so	no_warn allow_local
 auth		required	pam_unix.so		no_warn try_first_pass

 # account
+account		required	pam_nologin.so
 #account 	required	pam_krb5.so
 account		required	pam_login_access.so
 account		required	pam_unix.so
--- a/etc/pam.d/telnetd
+++ b/etc/pam.d/telnetd
@ -5,7 +5,6 @@
 #

 # auth
-auth		required	pam_nologin.so		no_warn
 auth		sufficient	pam_opie.so		no_warn no_fake_prompts
 auth		requisite	pam_opieaccess.so	no_warn allow_local
 #auth		sufficient	pam_krb5.so		no_warn try_first_pass
@ -13,6 +12,7 @@ auth		requisite	pam_opieaccess.so	no_warn allow_local
 auth		required	pam_unix.so		no_warn try_first_pass

 # account
+account		required	pam_nologin.so
 #account 	required	pam_krb5.so
 account		required	pam_login_access.so
 account		required	pam_unix.so
--- a/etc/pam.d/xdm
+++ b/etc/pam.d/xdm
@ -5,12 +5,12 @@
 #

 # auth
-auth		required	pam_nologin.so		no_warn
 #auth		sufficient	pam_krb5.so		no_warn try_first_pass
 #auth		sufficient	pam_ssh.so		no_warn try_first_pass
 auth		required	pam_unix.so		no_warn try_first_pass

 # account
+account		required	pam_nologin.so
 #account 	required	pam_krb5.so
 account		required	pam_unix.so

--- a/lib/libpam/modules/pam_nologin/pam_nologin.8
+++ b/lib/libpam/modules/pam_nologin/pam_nologin.8
@ -24,7 +24,7 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd July 8, 2001
+.Dd June 10, 2007
 .Dt PAM_NOLOGIN 8
 .Os
 .Sh NAME
@ -37,19 +37,18 @@
 .Pa pam_nologin
 .Op Ar options
 .Sh DESCRIPTION
-The NoLogin authentication service module for PAM,
+The NoLogin service module for PAM,
 .Nm
 provides functionality for only one PAM category:
-authentication.
+account management.
 In terms of the
 .Ar module-type
 parameter, this is the
-.Dq Li auth
+.Dq Li account
 feature.
-It also provides a null function for session management.
-.Ss NoLogin Authentication Module
-The NoLogin authentication component
-.Pq Fn pam_sm_authenticate ,
+.Ss NoLogin Account Management Module
+The NoLogin account management component,
+.Fn pam_sm_acct_mgmt , 
 always returns success for the superuser,
 and returns success for all other users
 if the file
@ -69,7 +68,7 @@ is used instead.
 This usually defaults to
 .Pa /var/run/nologin .
 .Pp
-The following options may be passed to the authentication module:
+The following options may be passed to the module:
 .Bl -tag -width ".Cm no_warn"
 .It Cm debug
 .Xr syslog 3
@ -80,7 +79,7 @@ level.
 suppress warning messages to the user.
 These messages include
 reasons why the user's
-authentication attempt was declined.
+login attempt was declined.
 .El
 .Sh SEE ALSO
 .Xr syslog 3 ,
--- a/lib/libpam/modules/pam_nologin/pam_nologin.c
+++ b/lib/libpam/modules/pam_nologin/pam_nologin.c
@ -46,7 +46,7 @@ __FBSDID("$FreeBSD$");
 #include <stdlib.h>
 #include <unistd.h>

-#define PAM_SM_AUTH
+#define PAM_SM_ACCOUNT

 #include <security/pam_appl.h>
 #include <security/pam_modules.h>
@ -57,7 +57,7 @@ __FBSDID("$FreeBSD$");
 static char nologin_def[] = NOLOGIN;

 PAM_EXTERN int
-pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,
+pam_sm_acct_mgmt(pam_handle_t *pamh, int flags __unused,
    int argc __unused, const char *argv[] __unused)
 {
 	login_cap_t *lc;
@ -111,12 +111,4 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,
 	return (retval);
 }

-PAM_EXTERN int
-pam_sm_setcred(pam_handle_t *pamh __unused, int flags __unused,
-    int argc __unused, const char *argv[] __unused)
-{
-
-	return (PAM_SUCCESS);
-}
-
 PAM_MODULE_ENTRY("pam_nologin");
--- a/sys/sys/param.h
+++ b/sys/sys/param.h
@ -57,7 +57,7 @@
 *		is created, otherwise 1.
 */
 #undef __FreeBSD_version
-#define __FreeBSD_version 700044	/* Master, propagated to newvers */
+#define __FreeBSD_version 700045	/* Master, propagated to newvers */

 #ifndef LOCORE
 #include <sys/types.h>