Commit Graph

384 Commits

Author SHA1 Message Date
ed
09818ac28e Build lib/ with WARNS=6 by default.
Similar to libexec/, do the same with lib/. Make WARNS=6 the norm and
lower it when needed.

I'm setting WARNS?=0 for secure/. It seems secure/ includes the
Makefile.inc provided by lib/. I'm not going to touch that directory.
Most of the code there is contributed anyway.
2010-01-02 09:58:07 +00:00
ed
2062dc2dbf Several refinements to libulog's API.
- Only set the fields in the ulog_utmpx structure that are valid for the
  command in question. This means that strings like "shutdown" or "~"
  are not visible to the user anymore.
- Rename UTXF_* to UTXI_*, indicating the indexation, instead of using
  the `antique' filename. If we ever get rid of utmp, it makes little
  sense calling it by its old name.
2009-12-26 22:36:05 +00:00
ed
caa83cf255 Convert pam_lastlog(8) to libulog.
The information used by the "Last login:"-line is obtained by using
ulog_setutxfile(3) to switch to the lastlog database. Login and logout
are performed using the utility functions ulog_login(3) and
ulog_logout(3).

This also means we must build libulog during bootstrap.

Approved by:	des
2009-12-11 14:15:55 +00:00
des
e00b284b20 Note that nullok should not be used by processes that can't access the
password database.

PR:		bin/126650, misc/140514
MFC after:	1 week
2009-11-13 11:19:26 +00:00
des
ca197bb5b5 pam_ssh needs roaming_dummy to link correctly against libssh. 2009-10-05 18:56:18 +00:00
jon
33cb329cc2 Prevents pam_lastlog from segfaulting on session close when tty is null.
MFC after:	1 month
2009-08-30 05:12:37 +00:00
des
65fed99c3c Rewrap; this was getting painful. Translators can ignore this.
MFC after:	1 week
2009-06-20 10:09:59 +00:00
des
c336f71c8f Reword.
MFC after:	1 week
2009-06-20 10:06:10 +00:00
ed
6cb47f8ff6 Include <stdio.h> for asprintf().
Submitted by:	Pawel Worach
2009-06-14 12:45:48 +00:00
des
123e930ac3 Don't try to auto-detect dynamic linking; it fails on mips. The Makefile
part of the patch is an ugly (and hopefully temporary) hack.

Discussed with:	imp@
2009-02-17 16:35:19 +00:00
dfr
fa73dbbb79 Add new heimdal-1.1 library. 2008-05-15 15:28:18 +00:00
dfr
be0348cb75 Fix conflicts after heimdal-1.1 import and add build infrastructure. Import
all non-style changes made by heimdal to our own libgssapi.
2008-05-07 13:53:12 +00:00
des
6f627a80ed Adjust for OpenPAM Hydrangea. 2007-12-21 12:00:16 +00:00
des
050649d640 Correct documentation of ~/.opiealways
PR:		117512
Submitted by:	Jeremy C. Reed <reed@reedmedia.net>
MFC after:	1 week
2007-10-26 07:50:11 +00:00
ru
db64b4a4bc - Convert NO_INSTALLLIB option to a new syntax: makefiles should
test MK_INSTALLLIB, users can set WITHOUT_INSTALLLIB.  The old
  NO_INSTALLLIB is still supported as several makefiles set it.

- While here, fix an install when instructed not to install libs
  (usr.bin/lex/lib/Makefile).

PR:		bin/114200
Submitted by:	Henrik Brix Andersen
2007-10-20 19:01:50 +00:00
des
c81c3fef7a Apply the same error checks to PAM_TTY in pam_sm_close_session() as in
pam_sm_open_session(), avoiding false negatives when no tty is present.

Submitted by:	Todd C. Miller <millert@courtesan.com>
Approved by:	re (rwatson)
MFC after:	2 weeks
2007-07-22 15:17:29 +00:00
des
54314403b7 Whitespace cleanup
Approved by:	re (rwatson)
2007-07-22 15:14:40 +00:00
yar
25b7a16e23 Use the current user's login class for the decisions about where
the nologin(5) file is located and whether the user may bypass its
restriction.

Add some error checks.

Approved by:	des
PR:		bin/107612
2007-06-14 13:07:06 +00:00
yar
dac62e7ff2 Now pam_nologin(8) will provide an account management function
instead of an authentication function.  There are a design reason
and a practical reason for that.  First, the module belongs in
account management because it checks availability of the account
and does no authentication.  Second, there are existing and potential
PAM consumers that skip PAM authentication for good or for bad.
E.g., sshd(8) just prefers internal routines for public key auth;
OTOH, cron(8) and atrun(8) do implicit authentication when running
a job on behalf of its owner, so their inability to use PAM auth
is fundamental, but they can benefit from PAM account management.

Document this change in the manpage.

Modify /etc/pam.d files accordingly, so that pam_nologin.so is listed
under the "account" function class.

Bump __FreeBSD_version (mostly for ports, as this change should be
invisible to C code outside pam_nologin.)

PR:		bin/112574
Approved by:	des, re
2007-06-10 18:57:20 +00:00
des
678d09f0cf Re-add support for NIS netgroups (heavily modified from patch in PR)
PR:		bin/112955
Submitted by:	A. Blake Cooper <blake@cluebie.net>
MFC after:	3 weeks
2007-05-25 07:50:18 +00:00
yar
e8ee34e142 In account management, verify whether the account has been locked
with `pw lock', so that it's impossible to log into a locked account
using an alternative authentication mechanism, such as an ssh key.
This change affects only accounts locked with pw(8), i.e., having a
`*LOCKED*' prefix in their password hash field, so people still can
use a different pattern to disable password authentication only.

Mention all account management criteria in the manpage.

Approved by:	maintainer (timeout)
PR:		bin/71147
MFC after:	1 month
2007-03-27 09:59:15 +00:00
pjd
14e97fe311 Send not only Access Request, but also Access Challenge with defined
NAS-Identifier and NAS-IP-Address.

Reviewed by:	bz
MFC after:	1 month
2007-01-20 08:52:04 +00:00
des
cd277df0bb childerr needs to be volatile so gcc won't optimize it away.
PR:		bin/85830
MFC after:	1 week
2006-11-10 23:33:25 +00:00
ru
f2378ce746 The pam_unix module also provides password management.
PR:		docs/93491
Submitted by:	Lior Kadosh
MFC after:	3 days
2006-10-12 15:00:17 +00:00
ru
b6d284e093 Fix build. 2006-09-30 20:33:42 +00:00
des
22cf0fa876 Reject user with names that are longer than OPIE is willing to deal with;
otherwise OPIE will happily truncate it.

Spotted by:	ghelmer
MFC after:	2 weeks
2006-09-15 13:42:38 +00:00
joel
e751eb9832 Bump .Dd.
Noticed by:	danger
2006-09-13 18:34:32 +00:00
joel
e532d7ce17 Remove references to the pam(8) manual page. It does not exist.
Requested by:	novel
Discussed with:	brueffer, simon
2006-09-13 17:46:20 +00:00
des
55b6d867ea Additional debugging stuff I had in my tree. 2006-08-11 17:03:33 +00:00
des
456f2593a5 Add a manual dependency on ssh_namespace.h.
Discussed with:	ru
2006-05-13 21:38:16 +00:00
des
148092431d Introduce a namespace munging hack inspired by NetBSD to avoid polluting
the namespace of applications which inadvertantly link in libssh (usually
through pam_ssh)

Suggested by:	lukem@netbsd.org
MFC after:	6 weeks
2006-05-13 13:47:45 +00:00
wkoszek
a9e9a228bd There is no need to pass NULL to the pam_error() as the last argument.
Remove it.

Reviewed by:	des
Approved by:	cognet (mentor)
2006-03-20 16:56:08 +00:00
ru
81f8a2cff8 Fix build until I find a way to handle this case properly. 2006-03-19 08:52:49 +00:00
ru
90b657b795 Revert last delta. 2006-03-19 06:14:30 +00:00
phk
5a9bbe93ee Comment out MK_PROFILE until ru@ can fix this properly 2006-03-19 04:49:11 +00:00
ru
5f8b6d3c5a Convert NO_PROFILE and NO_LIB32 to new style. 2006-03-18 21:37:05 +00:00
ru
388e590f95 Reimplementation of world/kernel build options. For details, see:
http://lists.freebsd.org/pipermail/freebsd-current/2006-March/061725.html

The src.conf(5) manpage is to follow in a few days.

Brought to you by:	imp, jhb, kris, phk, ru (all bugs are mine)
2006-03-17 18:54:44 +00:00
yar
7ba58b694e Add appropriate xrefs.
MFC after:	3 days
2006-03-06 13:15:12 +00:00
yar
f4b4b54f2b Since the whole login.access feature has moved to PAM,
login.access.5 will be installed from the respective PAM
module's src directory.

MFC after:	3 days
2006-03-06 12:31:25 +00:00
yar
4995e053c3 Sync with src/usr.bin/login/login.access.5.
src/usr.bin/login/login.access.5 should be removed from use
because the whole login.access feature has moved to this PAM
module.

MFC after:	3 days
2006-03-06 12:26:43 +00:00
ru
2d942f188d Commenting out WARNS actually brought it up to 4. 2005-09-28 14:36:16 +00:00
des
6e08585cef Comment out WARNS, the OpenSSL headers don't compile cleanly on some platforms. 2005-09-28 06:23:47 +00:00
des
95277118f4 Increase WARNS. 2005-09-26 20:34:09 +00:00
des
343777dab2 Correct the logic for determining whether the user has already entered
a password.  Also, work around some harmless type pun warnings.

MFC after:	3 days
2005-09-26 20:33:53 +00:00
des
01dcf64138 Do not use passphraseless keys for authentication unless the nullok
option was specified.

PR:		bin/81231
Submitted by:	"Daniel O'Connor" <doconnor@gsoft.com.au>
MFC after:	3 days
2005-09-22 05:35:24 +00:00
des
4ee54de329 Narrow the use of user credentials.
Fix one case where openpam_restore_cred() might be called twice in a row.

MFC after:	3 days
2005-09-21 16:08:40 +00:00
cperciva
a257862d4b When (re)allocating space for an array of pointers to char, use
sizeof(*list), not sizeof(**list).  (i.e., sizeof(pointer) rather than
sizeof(char)).

It is possible that this buffer overflow is exploitable, but it was
added after RELENG_5 forked and hasn't been MFCed, so this will not
receive an advisory.

Submitted by:	Vitezslav Novy
MFC after:	1 day
2005-09-19 18:43:11 +00:00
kensmith
174219188d Missed one piece of the cluster's quirk. Need to override WARNS because
if _FREEFALL_CONFIG is set gcc bails since pam_sm_setcred() in pam_krb5.c
no longer uses any of its parameters.

Pointy hat:	kensmith
Approved by:	re (scottl)
2005-07-08 14:53:45 +00:00
kensmith
28b7f562fc This is sort of an MFS. Peter made these changes to the RELENG_*
branches but missed HEAD.  This patch extends his a little bit,
setting it up via the Makefiles so that adding _FREEFALL_CONFIG
to /etc/make.conf is the only thing needed to cluster-ize things
(current setup also requires overriding CFLAGS).

From Peter's commit to the RELENG_* branches:
> Add the freebsd.org custer's source modifications under #ifdefs to aid
> keeping things in sync.  For ksu:
> * install suid-root by default
> * don't fall back to asking for a unix password (ie: be pure kerberos)
> * allow custom user instances for things like www and not just root

The Makefile tweaks will be MFC-ed, the rest is already done.

MFC after:      3 days
Approved by:    re (dwhite)
2005-07-07 14:16:38 +00:00
des
09a62d7510 Use the correct login class when setting a new password.
PR:		65557, 72949
Submitted by:	Stephen P. Cravey <clists@gotbrains.org>
Approved by:	re (scottl)
MFC after:	2 weeks
2005-07-05 18:42:18 +00:00