diff --git a/UPDATING b/UPDATING index 373958ba49a8..bb1132c322a3 100644 --- a/UPDATING +++ b/UPDATING @@ -21,6 +21,24 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 7.x IS SLOW: developers choose to disable these features on build machines to maximize performance. +20070610: + The pam_nologin(8) module ceases to provide an authentication + function and starts providing an account management function. + Consequent changes to /etc/pam.d should be brought in using + mergemaster(8). Third-party files in /usr/local/etc/pam.d may + need manual editing as follows. Locate this line (or similar): + + auth required pam_nologin.so no_warn + + and change it according to this example: + + account required pam_nologin.so no_warn + + That is, the first word needs to be changed from "auth" to + "account". The new line can be moved to the account section + within the file for clarity. Not updating pam.conf(5) files + will result in nologin(5) ignored by the respective services. + 20070529: The ether_ioctl() function has been synchronized with ioctl(2) and ifnet.if_ioctl. Due to that, the size of one of its arguments diff --git a/etc/pam.d/ftpd b/etc/pam.d/ftpd index d248f00ad86f..632c97333f18 100644 --- a/etc/pam.d/ftpd +++ b/etc/pam.d/ftpd @@ -5,7 +5,6 @@ # # auth -auth required pam_nologin.so no_warn auth sufficient pam_opie.so no_warn no_fake_prompts auth requisite pam_opieaccess.so no_warn allow_local #auth sufficient pam_krb5.so no_warn @@ -13,6 +12,7 @@ auth requisite pam_opieaccess.so no_warn allow_local auth required pam_unix.so no_warn try_first_pass # account +account required pam_nologin.so #account required pam_krb5.so account required pam_unix.so diff --git a/etc/pam.d/gdm b/etc/pam.d/gdm index 08391e68a949..b588aa7375d3 100644 --- a/etc/pam.d/gdm +++ b/etc/pam.d/gdm 
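Review bot: The line re-added under `# account` in etc/pam.d/ftpd, `account required pam_nologin.so`, drops the `no_warn` option that the removed `auth` line carried. Per the pam_nologin(8) text in this commit, users of the base services will now be shown why their login was declined. That is presumably intended now that the check runs in the account phase, but it is an undocumented behaviour change. It also disagrees with the UPDATING entry in this commit, whose example keeps `no_warn`, so either align the two or state in UPDATING that the base files drop the option on purpose. The same applies to the gdm, kde, login, other, rsh, sshd, telnetd and xdm hunks.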
@@ -5,12 +5,12 @@ # # auth -auth required pam_nologin.so no_warn #auth sufficient pam_krb5.so no_warn try_first_pass #auth sufficient pam_ssh.so no_warn try_first_pass auth required pam_unix.so no_warn try_first_pass # account +account required pam_nologin.so #account required pam_krb5.so account required pam_unix.so diff --git a/etc/pam.d/imap b/etc/pam.d/imap index cba8af9f9d87..6254d1491175 100644 --- a/etc/pam.d/imap +++ b/etc/pam.d/imap @@ -5,7 +5,9 @@ # # auth -#auth required pam_nologin.so no_warn #auth sufficient pam_krb5.so no_warn try_first_pass #auth sufficient pam_ssh.so no_warn try_first_pass auth required pam_unix.so no_warn try_first_pass + +# account +#account required pam_nologin.so diff --git a/etc/pam.d/kde b/etc/pam.d/kde index 539018363f11..a384d628940b 100644 --- a/etc/pam.d/kde +++ b/etc/pam.d/kde @@ -5,12 +5,12 @@ # # auth -auth required pam_nologin.so no_warn #auth sufficient pam_krb5.so no_warn try_first_pass #auth sufficient pam_ssh.so no_warn try_first_pass auth required pam_unix.so no_warn try_first_pass # account +account required pam_nologin.so #account required pam_krb5.so account required pam_unix.so diff --git a/etc/pam.d/login b/etc/pam.d/login index a4c66285adb5..287036d43f59 100644 --- a/etc/pam.d/login +++ b/etc/pam.d/login @@ -5,12 +5,12 @@ # # auth -auth required pam_nologin.so no_warn auth sufficient pam_self.so no_warn auth include system # account account requisite pam_securetty.so +account required pam_nologin.so account include system # session diff --git a/etc/pam.d/other b/etc/pam.d/other index e4ddf7ee4a9f..c86239cb56db 100644 --- a/etc/pam.d/other +++ b/etc/pam.d/other @@ -5,7 +5,6 @@ # # auth -auth required pam_nologin.so no_warn auth sufficient pam_opie.so no_warn no_fake_prompts auth requisite pam_opieaccess.so no_warn allow_local #auth sufficient pam_krb5.so no_warn try_first_pass 
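Review bot: The `# account` section added at the end of the etc/pam.d/imap hunk holds only the commented-out `#account required pam_nologin.so`, so as shipped this service does not honour nologin(5), and the hunk shows no other active account module. This matches the previous state, where the `auth` line was also commented out, but a reader cannot tell whether it is deliberate. A one-line comment above the entry would make the intent explicit, for example `# Uncomment to refuse logins while nologin(5) is in effect.` The pop3 hunk is identical.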
@@ -13,6 +12,7 @@ auth requisite pam_opieaccess.so no_warn allow_local auth required pam_unix.so no_warn try_first_pass # account +account required pam_nologin.so #account required pam_krb5.so account required pam_login_access.so account required pam_unix.so diff --git a/etc/pam.d/pop3 b/etc/pam.d/pop3 index 34d6cc055fe9..c5e93cead30c 100644 --- a/etc/pam.d/pop3 +++ b/etc/pam.d/pop3 @@ -5,7 +5,9 @@ # # auth -#auth required pam_nologin.so no_warn #auth sufficient pam_krb5.so no_warn try_first_pass #auth sufficient pam_ssh.so no_warn try_first_pass auth required pam_unix.so no_warn try_first_pass + +# account +#account required pam_nologin.so diff --git a/etc/pam.d/rsh b/etc/pam.d/rsh index 02c0048eabf1..9e562e0786d4 100644 --- a/etc/pam.d/rsh +++ b/etc/pam.d/rsh @@ -5,10 +5,10 @@ # # auth -auth required pam_nologin.so no_warn auth required pam_rhosts.so no_warn # account +account required pam_nologin.so account required pam_unix.so # session diff --git a/etc/pam.d/sshd b/etc/pam.d/sshd index cf3e0f0acd75..46f536c74a4f 100644 --- a/etc/pam.d/sshd +++ b/etc/pam.d/sshd @@ -5,7 +5,6 @@ # # auth -auth required pam_nologin.so no_warn auth sufficient pam_opie.so no_warn no_fake_prompts auth requisite pam_opieaccess.so no_warn allow_local #auth sufficient pam_krb5.so no_warn try_first_pass @@ -13,6 +12,7 @@ auth requisite pam_opieaccess.so no_warn allow_local auth required pam_unix.so no_warn try_first_pass # account +account required pam_nologin.so #account required pam_krb5.so account required pam_login_access.so account required pam_unix.so diff --git a/etc/pam.d/telnetd b/etc/pam.d/telnetd index 3ebee202accb..535afc293157 100644 --- a/etc/pam.d/telnetd +++ b/etc/pam.d/telnetd @@ -5,7 +5,6 @@ # # auth -auth required pam_nologin.so no_warn auth sufficient pam_opie.so no_warn no_fake_prompts auth requisite pam_opieaccess.so no_warn allow_local #auth sufficient pam_krb5.so no_warn try_first_pass 
@@ -13,6 +12,7 @@ auth requisite pam_opieaccess.so no_warn allow_local auth required pam_unix.so no_warn try_first_pass # account +account required pam_nologin.so #account required pam_krb5.so account required pam_login_access.so account required pam_unix.so diff --git a/etc/pam.d/xdm b/etc/pam.d/xdm index 0a1c78e148c9..b883de762a40 100644 --- a/etc/pam.d/xdm +++ b/etc/pam.d/xdm @@ -5,12 +5,12 @@ # # auth -auth required pam_nologin.so no_warn #auth sufficient pam_krb5.so no_warn try_first_pass #auth sufficient pam_ssh.so no_warn try_first_pass auth required pam_unix.so no_warn try_first_pass # account +account required pam_nologin.so #account required pam_krb5.so account required pam_unix.so diff --git a/lib/libpam/modules/pam_nologin/pam_nologin.8 b/lib/libpam/modules/pam_nologin/pam_nologin.8 index a2c5990a9c23..e38be712b2d7 100644 --- a/lib/libpam/modules/pam_nologin/pam_nologin.8 +++ b/lib/libpam/modules/pam_nologin/pam_nologin.8 @@ -24,7 +24,7 @@ .\" .\" $FreeBSD$ .\" -.Dd July 8, 2001 +.Dd June 10, 2007 .Dt PAM_NOLOGIN 8 .Os .Sh NAME @@ -37,19 +37,18 @@ .Pa pam_nologin .Op Ar options .Sh DESCRIPTION -The NoLogin authentication service module for PAM, +The NoLogin service module for PAM, .Nm provides functionality for only one PAM category: -authentication. +account management. In terms of the .Ar module-type parameter, this is the -.Dq Li auth +.Dq Li account feature. -It also provides a null function for session management. -.Ss NoLogin Authentication Module -The NoLogin authentication component -.Pq Fn pam_sm_authenticate , +.Ss NoLogin Account Management Module +The NoLogin account management component, +.Fn pam_sm_acct_mgmt , always returns success for the superuser, and returns success for all other users if the file 
@@ -69,7 +68,7 @@ is used instead. This usually defaults to .Pa /var/run/nologin . .Pp -The following options may be passed to the authentication module: +The following options may be passed to the module: .Bl -tag -width ".Cm no_warn" .It Cm debug .Xr syslog 3 @@ -80,7 +79,7 @@ level. suppress warning messages to the user. These messages include reasons why the user's -authentication attempt was declined. +login attempt was declined. .El .Sh SEE ALSO .Xr syslog 3 , diff --git a/lib/libpam/modules/pam_nologin/pam_nologin.c b/lib/libpam/modules/pam_nologin/pam_nologin.c index 2145688ab15f..f4b28e547cba 100644 --- a/lib/libpam/modules/pam_nologin/pam_nologin.c +++ b/lib/libpam/modules/pam_nologin/pam_nologin.c @@ -46,7 +46,7 @@ __FBSDID("$FreeBSD$"); #include #include -#define PAM_SM_AUTH +#define PAM_SM_ACCOUNT #include #include @@ -57,7 +57,7 @@ __FBSDID("$FreeBSD$"); static char nologin_def[] = NOLOGIN; PAM_EXTERN int -pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, +pam_sm_acct_mgmt(pam_handle_t *pamh, int flags __unused, int argc __unused, const char *argv[] __unused) { login_cap_t *lc; @@ -111,12 +111,4 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, return (retval); } -PAM_EXTERN int -pam_sm_setcred(pam_handle_t *pamh __unused, int flags __unused, - int argc __unused, const char *argv[] __unused) -{ - - return (PAM_SUCCESS); -} - PAM_MODULE_ENTRY("pam_nologin"); diff --git a/sys/sys/param.h b/sys/sys/param.h index f5fcaf4e6fa2..42f935bb11e8 100644 --- a/sys/sys/param.h +++ b/sys/sys/param.h @@ -57,7 +57,7 @@ * is created, otherwise 1. */ #undef __FreeBSD_version -#define __FreeBSD_version 700044 /* Master, propagated to newvers */ +#define __FreeBSD_version 700045 /* Master, propagated to newvers */ #ifndef LOCORE #include
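Review bot: Renaming the entry point to `pam_sm_acct_mgmt` and switching to `PAM_SM_ACCOUNT` (pam_nologin.c, hunks at -46 and -57) leaves any surviving `auth ... pam_nologin.so` line with no function behind it. The UPDATING entry in this commit states the consequence: nologin(5) is ignored by that service, so a stale third-party file fails open rather than closed. The check now also depends on the application calling pam_acct_mgmt(3) after authentication, which is worth stating where the function is defined. I would add a comment above it such as `/* Account management only: a leftover "auth" entry for this module no longer enforces nologin(5). */`. Consider keeping a `pam_sm_authenticate` stub for a transition period that logs the misconfiguration instead of silently doing nothing. The function body lies outside the hunk, so its handling of the moved check could not be reviewed here.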