des
c135cf25dc
Add openpam_nullconv.c to SRCS.
2002-05-02 04:42:59 +00:00
des
a6e173ee33
Don't ask root for the old password, except in the NIS case.
Sponsored by: DARPA, NAI Labs
2002-04-26 19:28:17 +00:00
des
522debf4fd
Fix a really dumb bug (missing curly braces around the body of an if
statement) that caused pam_sm_chauthtok() to always fail silently.
2002-04-26 01:47:48 +00:00
des
13a8751373
Oops, fix an inverted if test.
2002-04-20 16:52:41 +00:00
des
dc33f36d34
Strip /dev/ from tty name, and clean up the "last login" printout.
Sponsored by: DARPA, NAI Labs
2002-04-20 16:44:32 +00:00
ru
67f99d8b8c
Revert previous change. bsd.dep.mk,v 1.31 had a bug that was fixed
in revision 1.32 and made this change OBE.
2002-04-17 05:46:41 +00:00
des
283ac5768b
Add a missing .El and fix a typo.
Spotted by: Solar Designer <solar@openwall.com>
Sponsored by: DARPA, NAI Labs
2002-04-16 22:38:47 +00:00
ru
bc595cdde6
Reflect change in share/mk/bsd.dep.mk,v 1.31.
2002-04-16 12:52:22 +00:00
des
b41d43d579
Revert previous commit, it is incorrect.
2002-04-15 22:51:31 +00:00
obrien
f46bf6f79a
Properly spell rpcsvc/ypclnt.h and fix the build.
2002-04-15 22:47:28 +00:00
des
1a41b2c911
Throw in NO_WERROR to please the peanut gallery.
2002-04-15 13:10:28 +00:00
des
ade0386724
Use PAM_SUCCESS instead of PAM_IGNORE.
2002-04-15 06:26:32 +00:00
des
2eefb07eae
Whitespace nits.
2002-04-15 03:52:22 +00:00
des
60c7199162
Add a manual page based on Solar Designer's README.
Sponsored by: DARPA, NAI Labs
2002-04-15 03:45:14 +00:00
des
8ac6182da3
pam_passwdqc depends on libcrypt.
2002-04-15 03:44:42 +00:00
des
887c2ed009
Prompt for new password during update phase, not during preliminary phase.
Sponsored by: DARPA, NAI Labs
2002-04-15 03:00:14 +00:00
des
ee50be8376
Dike out most of the NIS code and replace it with calls to libypclnt.
Rework pam_sm_chauthtok() so it (mostly?) works.
The standard pw stuff still needs to move into a library somewhere.
Sponsored by: DARPA, NAI Labs
2002-04-15 02:34:43 +00:00
des
934fb9469d
pam_passwdqc builds now.
2002-04-14 22:31:36 +00:00
des
de25faf452
More recent versions of pam_passwdqc (not yet released) build with very
few warnings.
2002-04-14 18:48:57 +00:00
des
8a86f9fc45
New files in OpenPAM Cineraria.
Sponsored by: DARPA, NAI Labs
2002-04-14 18:30:27 +00:00
des
3850ee9d70
Cosmetic nit.
2002-04-14 18:30:03 +00:00
des
0559ebe0fd
Cast a ptrdiff_t to int before using it as a printf field width.
2002-04-14 16:44:04 +00:00
des
ec61ca3f2c
Change || into && (braino in previous commit). Also append \n to the
error message.
2002-04-13 06:14:30 +00:00
des
a8ed917937
Major cleanup:
- add __unused where appropriate
- PAM_RETURN -> return since OpenPAM already logs the return value.
- make PAM_LOG use openpam_log()
- make PAM_VERBOSE_ERROR use openpam_get_option() and check flags
for PAM_SILENT
- remove dummy functions since OpenPAM handles missing service
functions
- fix various warnings
Sponsored by: DARPA, NAI Labs
2002-04-12 22:27:25 +00:00
des
bee5210d96
Add a pam_rhosts module, loosely based on code submitted by Danny Braniss.
Submitted by: Danny Braniss <danny@cs.huji.ac.il>
Sponsored by: DARPA, NAI Labs
2002-04-12 20:10:18 +00:00
des
ca8afeff70
Rename the even_root option to allow_root.
Sponsored by: DARPA, NAI Labs
2002-04-12 20:05:27 +00:00
ru
79d726fd79
Reimplement the hack to put pam_static.o into .depend with some magic.
2002-04-11 12:21:16 +00:00
ru
aab0c4649e
Moved SHLIB_NAME definition into one place.
Approved by: des
2002-04-10 18:07:05 +00:00
ru
fe715089ee
Fixed broken "make depend; make clean; make all" sequence.
I've looked for this example for a long time, to demonstrate
to some people why it's a really BAD idea to use ${.OBJDIR}
instead of ".". I hope these people are reading this. :-)
Approved by: des
2002-04-10 18:00:32 +00:00
ru
a7461c1086
Fix broken `checkdpadd'.
-lroken is an installable library, there's no need to give an
explicit path to it. In any case, -L paths should be specified
in LDFLAGS if needed.
Approved by: des
2002-04-10 17:53:43 +00:00
ru
06b9707e4e
Don't override standard _EXTRADEPEND actions, add to them.
Fix CLEANFILES.
Collapse openpam_static_modules.o generation.
2002-04-10 17:46:59 +00:00
des
1f9601f664
Remove debugging code that was inadvertently brought in by previous commit.
2002-04-08 12:41:08 +00:00
des
9cd6ec4ad1
Use OpenPAM's credential switching functions.
Sponsored by: DARPA, NAI Labs
2002-04-08 12:38:50 +00:00
des
23313aa020
Add new files and man pages from OpenPAM Cinchona.
Sponsored by: DARPA, NAI Labs
2002-04-08 12:34:53 +00:00
des
74ba30d1ef
Remove commented-out WARNS thingy.
2002-04-08 12:33:48 +00:00
ru
54bcb55671
Align for const poisoning in -lutil.
2002-04-08 11:07:51 +00:00
des
a3ac60a8cb
Reorganize pam_sm_authenticate() to reduce code duplication.
Sponsored by: DARPA, NAI Labs
2002-04-07 21:18:18 +00:00
des
71240839dd
Fix bug in previous commit that passed the wrong default value to
login_getcapstr(3). Also fix a longer-standing bug (login_close(3)
frees the string returned by login_getcapstr(3)) by reorganizing the
code a little, and use login_getpwclass(3) instead of login_getclass(3)
if we already have a struct pwd.
Sponsored by: DARPA, NAI Labs
2002-04-07 20:43:27 +00:00
des
ffe3791d9f
This one needs NO_WERROR too.
2002-04-07 12:53:58 +00:00
des
9c4d69ea42
Turn on NO_WERROR due to namespace pollution in krb5 headers.
2002-04-07 04:44:16 +00:00
des
ce173531cb
Aggressive cleanup of warnings + authtok-related code in preparation for
PAMifying passwd(1).
Sponsored by: DARPA, NAI Labs.
2002-04-06 19:30:04 +00:00
des
4172a237d2
Disconnect pam_passwdqc for now, it has some issues that need resolving.
2002-04-06 19:25:36 +00:00
des
78c249929b
Fix some style issues, a const warning, and abuse of PAM_ABORT.
Sponsored by: DARPA, NAI Labs
2002-04-06 14:25:04 +00:00
des
d34172f018
Remove some duplicate free()s and add some that were missing.
Submitted by: tmm
2002-04-05 20:00:05 +00:00
des
b4638d93bf
pam_get_pass() -> pam_get_authtok()
2002-04-05 10:49:45 +00:00
des
b57ec45f38
Upgrade to something quite close, but not identical, to version 1.6 of
Andrew Korty's pam_ssh. The most notable difference is that this uses
commas rather than colons to separate items in the "keyfiles" option.
Sponsored by: DARPA, NAI Labs
2002-04-04 18:45:21 +00:00
des
4189a2f933
Add pam_passwdqc to the build.
Sponsored by: DARPA, NAI Labs
2002-04-04 16:08:28 +00:00
markm
962bcb4df1
Fix for OPIE 2.4.
2002-03-22 09:20:05 +00:00
ru
750b21097f
mdoc(7) police: fix SYNOPSIS, sort xrefs, kill extra whitespace.
2002-03-18 15:59:53 +00:00
ru
9380002871
mdoc(7) police: nits.
2002-03-18 15:55:53 +00:00
ru
645af89f24
mdoc(7) police: sort xrefs, kill extra whitespace.
2002-03-18 15:52:28 +00:00
cjc
51b661db90
Fix world breakage introduced by my recent modifications to
chpass(8). The relations between libc, libpam, chpass, passwd, and
vipw are a mess and probably should be cleaned up.
Submitted by: Peter Pentchev <roam@ringlet.net>
2002-03-18 12:55:28 +00:00
ru
e1cb7e39d6
mdoc(7) police: tiny fixes.
2002-03-15 18:09:32 +00:00
ru
1e3222d346
mdoc(7) police: expand contractions.
2002-03-15 18:06:25 +00:00
des
7f7038bdcf
NAI DBA update.
2002-03-14 23:27:59 +00:00
markm
02184350e0
Remove the use of random(3), and encapsulate the salt-generation in
its own function. The use of arc4random(3) is hopeless overkill here,
but that does not hurt anything.
Requested by: ache
2002-03-14 16:41:36 +00:00
sobomax
c3acf5c512
Don't ignore system CFLAGS.
2002-03-07 16:56:19 +00:00
markm
74f043c943
Fix build for OpenPAM. The directories needed tweaking.
2002-03-07 16:03:56 +00:00
des
2196bcec63
This file is not needed any more
2002-03-07 12:03:50 +00:00
green
ccf626b89e
Now pam_alreadyloggedin lives in the ports.
2002-03-07 02:23:19 +00:00
green
846b72e968
Add the pam_alreadyloggedin(8) module, which allows for authentication
based on information that the user is already logged in.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
2002-03-06 18:21:28 +00:00
roam
dc23c1a5c5
Unbreak the pam_krb5 build: cast a couple of const pointers
to normal char *. A better fix might be some const'ifying
of the Heimdal code, but this will do to fix the build
for the present.
Approved by: des
2002-03-06 16:49:02 +00:00
des
d9b8621133
Add forgotten NOPROFILE that broke world.
2002-03-06 12:11:05 +00:00
des
c0bbe50538
Switch to OpenPAM. Bump library version. Modules are now versioned, so
applications linked with Linux-PAM will still work.
Remove pam_get_pass(); OpenPAM has pam_get_authtok().
Remove pam_prompt(); OpenPAM has pam_{,v}{error,info,prompt}().
Remove pam_set_item(3) man page as OpenPAM has its own.
Sponsored by: DARPA, NAI Labs
2002-03-05 21:56:25 +00:00
des
8daae10e98
Add missing dependency on libutil.
2002-03-05 12:52:03 +00:00
sobomax
f41a9d6db5
Create /var/log/lastlog if it doesn't exist.
Submitted by: des
2002-02-20 07:47:06 +00:00
des
863a49b908
This file needs <syslog.h>.
Sponsored by: DARPA, NAI Labs
2002-02-09 14:12:09 +00:00
ru
b2c3dc0715
Now that cross-tools ld(1) has been fixed to look for dynamic
dependencies in the correct place, record the fact that -lssh
depends on -lcrypto and -lz.
Removed false dependencies on -lz (except ssh(1) and sshd(8)).
Removed false dependencies on -lcrypto and -lutil for scp(1).
Reviewed by: markm
2002-02-08 13:42:58 +00:00
markm
b090adde5f
Remove NO_WERROR, now that WARNS=n is gone.
2002-02-06 18:46:48 +00:00
markm
35ff607995
Comment out the WARNS= so as to not trample all over the GCC3 work.
2002-02-06 18:14:59 +00:00
des
de2b43dc4e
Three times lucky: <stddef.h>, not <sys/param.h>
2002-02-05 08:01:32 +00:00
des
d6eb982a3b
Oops, the correct header to include for NULL is <sys/param.h>.
2002-02-05 07:53:00 +00:00
des
71559bdb87
#include <sys/types.h> for NULL (hidden by Linux-PAM header pollution)
Sponsored by: DARPA, NAI Labs
2002-02-05 06:20:27 +00:00
des
4bbf527773
#include cleanup.
Sponsored by: DARPA, NAI Labs
2002-02-05 06:08:26 +00:00
markm
4a0034cf46
Explicitly declare (gcc internal) functions.
Submitted by: ru
2002-02-04 17:59:25 +00:00
des
0b3772b62a
ssh_get_authentication_connection() gets its parameters from environment
variables, so temporarily switch to the PAM environment before calling it.
Submitted by: Takanori Saneto <sanewo@ba2.so-net.ne.jp>
2002-02-04 17:15:44 +00:00
markm
4e3ec91692
Protect "make buildworld" against -Werror, as this module does not
build cleanly.
2002-02-04 16:09:25 +00:00
markm
01ec73592a
Add the other half of the salt-generating code. No functional
difference except that the salt is slightly harder to build
dictionaries against, and the code does not use srandom[dev]().
2002-02-04 00:28:54 +00:00
markm
5a8788fb41
Turn on fascist warning mode.
2002-02-03 15:51:52 +00:00
markm
01a4236106
WARNS=n fixes (and some stylistic issues).
2002-02-03 15:17:57 +00:00
des
2ee63fa6aa
Remove an unnecessary #include that trips up OpenPAM. The header in question
is an internal Linux-PAM header which shouldn't be used outside Linux-PAM
itself, and has absolutely zero effect on pam_ftp.
Sponsored by: DARPA, NAI Labs
MFC after: 1 week
2002-02-02 17:51:39 +00:00
des
2bbcd38b91
Post-repocopy cleanup.
Sponsored by: DARPA, NAI Labs
2002-02-01 22:25:07 +00:00
des
73dcd2da5c
Connect the pam_lastlog(8) and pam_login_access(8) modules to the build.
Sponsored by: DARPA, NAI Labs
2002-02-01 08:49:53 +00:00
des
55cd9bb2e3
Still with asbestos longjohns on, completely PAMify login(1) and remove
code made redundant by various PAM modules (primarily pam_unix(8)).
Sponsored by: DARPA, NAI Labs
2002-01-30 19:10:21 +00:00
des
1caa7bdd9e
With asbestos longjohns on, integrate most of the checks normally done by
login(1) (password & account expiry, hosts.access etc.) into pam_unix(8).
Sponsored by: DARPA, NAI Labs
2002-01-30 19:09:11 +00:00
des
246b0c7094
Move the code from pam_sm_authenticate() to pam_sm_acct_mgmt(). Simplify
it a little and try to make it more resilient to various possible failure
conditions. Change the man page accordingly, and take advantage of this
opportunity to simplify its language.
Sponsored by: DARPA, NAI Labs
2002-01-30 19:03:16 +00:00
markm
b63d9c7a6d
WARNS=4 fixes. Protect with NO_WERROR for the modules that have
warnings that are hard to fix or that I've been asked to leave alone.
2002-01-24 18:37:17 +00:00
des
89b0bbd187
PAM modules shouldn't call putenv(); pam_putenv() is sufficient. The
caller is supposed to check the PAM envlist and export the variables it
contains; if it doesn't, it's broken.
Sponsored by: DARPA, NAI Labs
2002-01-24 17:26:27 +00:00
des
30cd8777d2
Change the order in which pam_sm_open_session() updates the logs. This
doesn't really make any difference, except it matches wtmp(5) better.
Don't do anything in pam_sm_close_session(); init(8) will take care of
utmp and wtmp when the tty is released. Clearing them here would make it
possible to create a ghost session by logging in, running 'login -f $USER'
and exiting the subshell.
Sponsored by: DARPA, NAI Labs (but the bugs are all mine)
2002-01-24 17:15:04 +00:00
des
37b85e4ec4
Correctly interpret PAM_RHOST being unset as an indicator of a local
login.
Sponsored by: DARPA, NAI Labs
2002-01-24 16:18:43 +00:00
des
0d0aa3b389
Correctly interpret PAM_RHOST being unset as an indicator of a local
login.
2002-01-24 16:16:01 +00:00
des
aba6f8182e
Style nits.
Sponsored by: DARPA, NAI Labs
2002-01-24 16:14:56 +00:00
des
0a9534cc78
Document the even_root option.
Sponsored by: DARPA, NAI Labs
2002-01-24 13:35:06 +00:00
des
305ac9f47f
Don't let root through unless the "even_root" option was specified.
Sponsored by: DARPA, NAI Labs
2002-01-24 12:47:42 +00:00
des
77b808fd9a
Add a PAM module that records sessions in utmp/wtmp/lastlog.
Sponsored by: DARPA, NAI Labs
2002-01-24 09:45:17 +00:00
des
215400cfce
Fix some pastos. Rather shoddy of me...
Sponsored by: DARPA, NAI Labs
2002-01-24 09:44:22 +00:00
des
452f2b5db1
Add a PAM module that provides an account management component for checking
either PAM_RHOST or PAM_TTY against /etc/login.access.o
This uncovers a problem with PAM_RHOST, in that if we always set it, there
is no way to distinguish between a user logging in locally and a user
logging in using 'ssh localhost'. This will be fixed by first making sure
that all PAM modules can handle PAM_RHOST being unset (which is currently
not the case), and then modifying su(1) and login(1) to not set it for
local logins.
Sponsored by: DARPA, NAI Labs
2002-01-23 17:42:16 +00:00
des
b917ad33e0
Add an AUTHORS section crediting ThinkSec, DARPA and NAI Labs.
Sponsored by: DARPA, NAI Labs
2002-01-23 17:16:00 +00:00
ru
c9d8bf8608
Add pam_ssh support to the static PAM library, libpam.a:
- Spam /usr/lib some more by making libssh a standard library.
- Tweak ${LIBPAM} and ${MINUSLPAM}.
- Garbage collect unused libssh_pic.a.
- Add fake -lz dependency to secure/ makefiles needed for
dynamic linkage with -lssh.
Reviewed by: des, markm
Approved by: markm
2002-01-23 15:54:17 +00:00
des
e64688fcfb
Base the comparison on UIDs, not on user names.
Sponsored by: DARPA, NAI Labs
2002-01-23 15:16:01 +00:00
ru
5307ecb83c
Make libssh.so useable (undefined reference to IPv4or6).
Reviewed by: des, markm
Approved by: markm
2002-01-23 15:06:47 +00:00
des
ce9baa2c50
Link pam_opieaccess, pam_self and pam_ssh into the static library.
Sponsored by: DARPA, NAI Labs
2002-01-21 20:43:01 +00:00
des
ac843e8b75
On second thought, getpwnam() failure should be treated just as if the user
existed, but had no OPIE key, i.e. PAM_IGNORE.
Pointed out by: ache
Sponsored by: DARPA, NAI Labs
2002-01-21 19:05:45 +00:00
des
aeaf48654b
Return PAM_SERVICE_ERR rather than PAM_USER_UNKNOWN if getpwnam() fails, as
PAM_USER_UNKNOWN will break the chain, revealing to an attacker that the
user does not exist.
Sponsored by: DARPA, NAI Labs
2002-01-21 18:53:03 +00:00
des
bc31e1293b
Further changes to allow enabling pam_opie(8) by default:
- Ignore the {try,use}_first_pass options by clearing PAM_AUTHTOK before
challenging the user. These options are meaningless for pam_opie(8)
since the user can't possibly know the right response before she sees
the challenge.
- Introduce the no_fake_prompts option. If this option is set, pam_opie(8)
will fail - rather than present a bogus challenge - if the target user
does not have an OPIE key. With this option, users who haven't set up
OPIE won't have to wonder what that "weird otp-md5 s**t" means :)
Reviewed by: ache, markm
Sponsored by: DARPA, NAI Labs
2002-01-21 18:46:25 +00:00
des
14be282b68
Add a new module, pam_opieaccess(8), which is responsible for checking
/etc/opieaccess and ~/.opiealways so we can decide what to do after
pam_opie(8) fails.
Sponsored by: DARPA, NAI Labs
Reviewed by: ache, markm
2002-01-21 13:43:53 +00:00
ache
b7343f3a64
snprintf bloat -> strlcpy
Add getpwnam return check
Approved by: des, markm
2002-01-20 20:56:47 +00:00
ache
d90ac373d0
Back out recent changes
2002-01-19 18:03:11 +00:00
ache
f9d407de0b
If user not exist in OPIE system, return failure immediately instead
of producing fake prompts with random numbers which can be detected by
potential intruder in two tries and totally confuse non-OPIE users.
2002-01-19 10:09:05 +00:00
ache
0262fc4b8f
Back out second right-now-expired password check in pam_sm_chauthtok,
old expired password assumed there
2002-01-19 09:23:36 +00:00
ache
b0127287cc
Previous commit was incomplete, use new error code PAM_CRED_ERR to
indicate die case, different from PAM_SUCCESS and PAM_AUTH_ERR
2002-01-19 08:36:47 +00:00
ache
4d1c54018e
Rewrite 'pwok' fallback in the way it can be properly chained with pam_unix
Replace snprintf %s with strlcpy
Check for NULL returned from getpwnam()
2002-01-19 07:23:48 +00:00
ache
35ada60969
Add yet one expired-right-now password check, in pam_sm_chauthtok
srandomdev() can't be used in libraries, replace srandomdev()+random()
by arc4random()
2002-01-19 04:58:51 +00:00
ache
30b45f48f0
Set pwok to 1 for non-OPIE users
2002-01-19 03:31:39 +00:00
ache
a38e044747
Add missing check for right-now-expired password
2002-01-19 02:45:24 +00:00
ache
3d4ab3ebc5
Implement 'pwok', i.e. conditional fallback to unix password
as supposed by opieaccessfile() and opiealways()
2002-01-19 02:38:43 +00:00
bde
086017e65e
Fixed a missing "const".
2001-12-28 20:59:44 +00:00
ru
ac5af7de06
mdoc(7) police: bump document date.
2001-12-14 13:49:28 +00:00
dwmalone
d9613ea383
Style improvements recommended by Bruce as a follow up to some
of the recent WARNS commits. The idea is:
1) FreeBSD id tags should follow vendor tags.
2) Vendor tags should not be compiled (though copyrights probably should).
3) There should be no blank line between including cdefs and __FBSDID.
2001-12-10 21:13:08 +00:00
des
e82cc88ed6
Back out previous commit.
Requested by: ru
2001-12-09 15:11:55 +00:00
ru
fe50e52a4a
mdoc(7) police: sort xrefs.
2001-12-08 16:28:20 +00:00
des
2625a82abe
Get pam_mod_misc.h from .CURDIR rather than .OBJDIR or /usr/include.
Sponsored by: DARPA, NAI Labs
2001-12-07 11:51:47 +00:00
des
dd9dc87190
Now that _pam_init_handlers() works as intended, it seems clear that we
do not actually want to define PAM_READ_BOTH_CONFS, so back out previous
commit.
Sponsored by: DARPA, NAI Labs
2001-12-07 00:38:37 +00:00
des
3b065c66cc
We need pam_client.h from libpamc. This unbreaks world
Pointed out by: jhay
Pointy hat to: des
2001-12-06 12:35:18 +00:00
des
651dd64d0d
Define PAM_READ_BOTH_CONFS. We can now have both /etc/pam.d and
/etc/pam.conf.
Sponsored by: DARPA, NAI Labs
2001-12-05 17:06:16 +00:00
des
ffe026d003
Install the correct version of pam_misc.h.
Sponsored by: DARPA, NAI Labs
2001-12-05 16:27:41 +00:00
des
354c4b52cc
Add dummy functions for all module types. These dummies return PAM_IGNORE
rather than PAM_SUCCESS, so you'll get a failure if you list dummies but
no real modules for a particular module chain.
Sponsored by: DARPA, NAI Labs
2001-12-05 16:06:35 +00:00
des
00b1257dba
Connect the man page to the build.
Sponsored by: DARPA, NAI Labs
2001-12-05 16:02:50 +00:00
des
01dcdd1f9a
Add a pam_self authentication module that succeeds if and only if the local
and remote user names are the same.
Sponsored by: DARPA, NAI Labs
2001-12-05 15:55:14 +00:00
markm
08eb6fed71
Use __FBSDID(). Also do a bit of cosmetic #if and header-order
cleaning-up.
2001-12-02 20:54:57 +00:00
markm
8a79fc4a5a
Style fixups.
Sort function declarations, includes. Make consistent WRT use of _P()
macro (ugh!)
Inspired by: bde
2001-12-01 21:12:04 +00:00
markm
144609e331
WARNS=2 fixes.
Reviewed by: bde (a while back)
2001-12-01 17:46:46 +00:00
green
09990be998
Fix pam_ssh by adding an IPv4or6 (evidently, this was broken by my last
OpenSSH import) declaration and strdup(3)ing a value which is later
free(3)d, rather than letting the system try to free it invalidly.
2001-11-29 21:16:11 +00:00
des
6828ec1515
Mdoc police.
Submitted by: ru
2001-11-28 10:07:21 +00:00
ru
18923a02f5
mdoc(7) police: fix one pam_unix(8) left-over, sort xrefs.
2001-11-28 09:25:03 +00:00
des
63b6483616
Add a pam_set_item(3) man page with an MLINK to pam_get_item(3).
PR: docs/32294
Sponsored by: DARPA, NAI Labs
MFC after: 3 days
2001-11-27 15:36:35 +00:00
des
22cc45b784
Create a pam_ssh(8) man page, based on a repo-copy of pam_unix(8).
License modified with original author's permission.
Sponsored by: DARPA, NAI Labs
2001-11-27 00:57:50 +00:00
des
d387396266
Document the local_pass and nis_pass options, add a few xrefs, and reorder
the SEE ALSO section. License modified with original author's permission.
Sponsored by: DARPA, NAI Labs
2001-11-27 00:53:10 +00:00
dd
5dd8a71701
Spelling police: sucessful -> successful.
2001-11-24 23:41:32 +00:00
sobomax
064436f6e8
Don't put an extra space after password prompts, because it violates POLA,
makes FreeBSD inconsistent with previous releases and "other unices" as well
as with some internal password-asking services (e.g. ftp) within the same
release.
2001-10-25 15:51:50 +00:00
markm
3a691e0043
Add library exposed by KDE's use of this module.
2001-10-18 20:05:20 +00:00
dillon
fcad02973f
Add __FBSDID()s to libpam
2001-09-30 22:11:06 +00:00
markm
75cc8b4799
1) repair the return value in the PAM_RETURN() macro (Side effects!!).
2) canonicalise the options use in pam_options().
Submitted by: Gunnar Kreitz <gunnark@chello.se>
PR: 30250
2001-09-04 17:05:08 +00:00
markm
9e62e18a59
Introduce a "noroot_ok" option to make this module ignore authentications
to a non-superuser if required.
2001-08-26 18:09:00 +00:00
markm
c98dbe0779
Introduce better logging, error reporting and use of login_cap data.
2001-08-26 18:05:35 +00:00
markm
27a8adb330
Add extra logging detail. This needs a more general solution.
2001-08-26 17:57:44 +00:00
markm
67fcc4111a
Big module makeover; improve logging, standardise variable names,
introduce ability to change passwords for both "usual" Unix methods
and NIS.
2001-08-26 17:41:13 +00:00
markm
ac30099bce
Add 'try_mapped_pass' standard option.
Asked for by: lukeh@PADL.COM
2001-08-20 12:43:19 +00:00
markm
78c5ea3c24
Document the no_warn option.
2001-08-15 20:05:33 +00:00
markm
0261d9dad2
Fix a couple of cross-references to reflect the reality of the module.
2001-08-15 20:03:26 +00:00
markm
384d536a12
Fix:
/usr/src/lib/libpam/modules/pam_ssh/pam_ssh.c has couple of bugs which cause:
1) xdm dumps core
2) ssh1 private key is not passed to ssh-agent
3) ssh2 RSA key seems not handled properly (just a guess from source)
4) ssh_get_authentication_connectionen() fails to get connection because of
SSH_AUTH_SOCK not defined.
PR: 29609
Submitted by: Takanori Saneto <sanewo@ba2.so-net.ne.jp>
2001-08-11 12:37:55 +00:00
markm
0935831088
Clean up this module very extensively. Fix the logging, the coding
standards and the option handling. This module is now much more easy
to maintain as a part of the FreeBSD tree.
2001-08-10 19:24:34 +00:00
markm
d4dc7767d7
Code clean up; make logging same as other modules and fix warnings.
2001-08-10 19:21:45 +00:00
markm
74d9830e38
General code clean-up. Sort out warnings, and make the warning and
logging work the same as other modules.
2001-08-10 19:18:52 +00:00
markm
746b322ce6
Simplify code. Also verbose logging, verbose overridable error reporting.
2001-08-10 19:15:48 +00:00
markm
30eda03ef6
Verbose logging, overridable verbose error reporting.
2001-08-10 19:12:59 +00:00
markm
846c7876be
Module clean-up. Verbose logging, Overridable verbose error reporting,
FreeBSD pam_prompt() usage to simplify conversation function usage.
2001-08-10 19:10:43 +00:00
markm
6d1911d4af
Verbosely (overridable) report failure to the user.
2001-08-10 19:07:45 +00:00
markm
d6d9a9d422
Use the FreeBSD pam_prompt() interface to the conversation function
instead of home-rolling it. Clean up debugging code and tidy the
module.
2001-08-10 19:05:57 +00:00
markm
cda9e6f687
Verbosely report errors to the user (overridable), and make sure
that the correct failure mode is reported.
2001-08-10 19:02:21 +00:00
markm
fef690379a
Fix broken logic so that this actually works for the superuser.
Verbosely log (properly).
Verbosely report errors to the user.
2001-08-10 14:21:58 +00:00
markm
12c08f0451
Rework this to prevent a nasty problem involving different modules'
option interacting with each other.
2001-08-10 14:16:47 +00:00
markm
9768c83960
Declare the new user-error reporting macro.
This is a macro to allow use of the __FILE__ and __FUNCTION__
macros.
2001-08-10 14:15:00 +00:00
markm
7b1059217e
Add a routine for providing feedback via the conversation mechanism
(usually to stderr) for user-reportable errors.
2001-08-10 14:13:16 +00:00
markm
3b25221320
Fix style/consistency in Makefile and repair static module building.
Submitted by: bde(partially)
2001-08-04 21:51:14 +00:00
markm
1f44b5f4e9
Don't clobber CFLAGS
Submitted by: bde
2001-08-04 21:49:30 +00:00
markm
edba6eee5e
Fix the bug where this module was not checking the primary GID, only
the GIDS in /etc/group or NIS's group map.
Tested by: sheldonh
PR: 29349
2001-08-04 09:19:31 +00:00
markm
79a9463a45
With the S/KEY removal, this is no longer buildable or necessary.
2001-08-02 19:04:20 +00:00
markm
9bd038a011
Don't try to make pam_ssh module if NO_OPENSSH is set.
2001-08-02 19:01:02 +00:00
markm
78112d8985
Repair the get/set UID() stuff so this works in both su(1) and login(1)
modes.
2001-08-02 10:35:41 +00:00
markm
2754e9c466
Making this major bump was a BAD idea. The API change is internal (to PAM)
and it caused problems without solving any.
2001-07-30 09:56:38 +00:00
markm
6b3146187f
(Re)Add an SSH module for PAM, heavily based on Andrew Korty's module
from ports.
2001-07-29 18:31:09 +00:00
ru
b2f5024e3b
mdoc(7) police: widen width of the options list.
2001-07-18 14:49:32 +00:00
markm
208d8e13d4
Update to the same level of debug-logging as the rest of the
FreeBSD/PAM modules.
2001-07-17 07:36:51 +00:00
markm
b179f8e35f
Update to the same code as in the pam_krb5.so port.
According to Peter, the port works - this needs more testing.
2001-07-17 07:34:36 +00:00
dd
911ca14c87
Remove whitespace at EOL.
2001-07-15 08:06:20 +00:00
markm
ada1f4d477
Use a better method of getting user credentials to account for
(legal) UID duplication.
Rename use_uid to auth_as_self for consistency with other modules.
2001-07-14 08:42:39 +00:00
markm
921b216c2d
Use a better method to get user credentials to account for (legal)
duplications of UID's in /etc/*passwd.
2001-07-14 08:38:24 +00:00
ru
5001e16d30
mdoc(7) police: -xwidth has been folded into -width.
2001-07-13 09:09:52 +00:00
ru
80f926caa5
mdoc(7) police: fixed markup, a little bit.
2001-07-11 08:36:26 +00:00
ru
36e83f27aa
mdoc(7) police: fixed markup and numerous typos.
2001-07-11 08:35:34 +00:00
markm
a8b501863a
Fix a horrible bug introduced by myself where the options collection
keeps on growing as the module stack is parsed.
2001-07-10 16:59:30 +00:00
ru
36f138439b
mdoc(7) police: removed HISTORY info from the .Os call.
2001-07-10 14:16:33 +00:00
ru
317b7d8e37
mdoc(7) police: removed HISTORY info from the .Os call.
2001-07-10 13:41:46 +00:00
markm
88dfad0475
Clean up (and in some cases write) the PAM modules, using
o The new options-processing API
o The new DEBUG-logging API
Add man(1) pages for ALL modules. MDOC-Police welcome
to check this.
Audit, clean up while I'm here.
2001-07-09 18:20:51 +00:00
markm
ff28ba8b35
Bump the major number. The libraries API has changed incompatibly.
2001-07-09 18:16:33 +00:00
markm
1b8cb1cd38
Almost completely rewrite the PAM module options processing
routines, and provide a more extended API for doing this.
Provide an API for debug logging.
Audit and clean up the code.
2001-07-09 18:14:43 +00:00
ru
05e503d80a
mdoc(7) police: sort SEE ALSO xrefs (sort -b -f +2 -3 +1 -2).
2001-07-06 16:46:48 +00:00
ru
fd9d23bf28
mdoc(7) police: fixed formatting.
2001-07-06 07:29:59 +00:00
peter
dcb4453375
Fix libpam's linker set stuff to use the new API (unbreak world), and get
rid of gensetdefs from here as well.
2001-06-14 01:13:30 +00:00
chris
bf91fbcc4d
Convert to mdoc(7).
2001-06-13 21:52:07 +00:00
markm
4e8273f82f
Big module cleanup.
Move common stuff into Makefile.inc, and tidy up all the Makefiles
as a result.
Build new modules.
Put a commented-out dependency on libpam for the (shared) modules.
I can't bring this in just yet, as the dependency (modules->libpam)
is reversed for the static case (libpam->modules).
2001-06-04 19:47:56 +00:00
markm
bb5c80b440
Null file to bring back a file from the dead. This allows the real commit
to happen remotely. Damn CVS bugs :-(
2001-06-04 19:25:41 +00:00
markm
cafc16591f
Add the "nullok" option that causes this module to succeed if the Unix
password is empty/null.
2001-06-04 19:16:57 +00:00
markm
c5ba97baf9
Tidy up the options list (and make it more extendable), and add some
extra "standard" options.
2001-06-04 19:12:08 +00:00
markm
a28a87bd61
Add some new utility authenticators.
pam_securetty silently succeeds if the user is on a secure tty
as defined by /etc/ttys.
pam_ftp does "anonymous ftp" style authentication with options for
specifying the anonymous user(s).
2001-06-04 18:44:47 +00:00
markm
f6fb59fd55
Add the "auth_as_self" option to the pam_unix module (there is no
reason not to add it to others later). This causes the pam_unix
module to check the user's _own_ password, not the password of the
account that the user is authenticating into. This will allow eg:
WHEELSU type behaviour from su(1).
2001-05-24 18:35:52 +00:00
markm
8f01d4f9a2
Bring in a few useful PAM modules.
pam_krb5 is a Kerberos 5 (Heimdal) authentication module.
pam_nologin checks for /etc/nologin and does the "usual stuff"
if it is found, otherwise it silently succeeds.
pam_rootok silently succeeds if the user is root, otherwise
it fails.
pam_wheel silently succeeds if the user is a member of group
"wheel" (or another nominated group), and fails
otherwise.
There is an issue with kerberosIV and kerberos5 - if both are
being built, then static linking fails with duplicate symbols.
This will take a bit of work to sort out in the kerberii.
2001-05-14 11:23:58 +00:00
green
95ca151349
Finish disconnecting pam_ssh from the build.
2001-05-04 20:40:53 +00:00
green
5b85c0e3b3
I've been meaning to take pam_ssh out of the base system for a while now.
Finally do it.
2001-05-04 03:53:48 +00:00