Commit Graph

11 Commits

Author SHA1 Message Date
Yaroslav Tykhiy
9cd40e64b4 Now pam_nologin(8) will provide an account management function
instead of an authentication function.  There are a design reason
and a practical reason for that.  First, the module belongs in
account management because it checks availability of the account
and does no authentication.  Second, there are existing and potential
PAM consumers that skip PAM authentication for good or for bad.
E.g., sshd(8) just prefers internal routines for public key auth;
OTOH, cron(8) and atrun(8) do implicit authentication when running
a job on behalf of its owner, so their inability to use PAM auth
is fundamental, but they can benefit from PAM account management.

Document this change in the manpage.

Modify /etc/pam.d files accordingly, so that pam_nologin.so is listed
under the "account" function class.

Bump __FreeBSD_version (mostly for ports, as this change should be
invisible to C code outside pam_nologin.)

PR:		bin/112574
Approved by:	des, re
2007-06-10 18:57:20 +00:00
Dag-Erling Smørgrav
394fc87351 X logins should be recorded in lastlog / wtmp / utmp. I have no idea why
this wasn't there already...  it makes much more sense this way.

MFC after:	2 weeks
2005-04-28 07:59:09 +00:00
Dag-Erling Smørgrav
650b9c5eaa the default password policy for xdm should be pam_deny, since it is
incapable of holding a meaningful conversation.
2004-02-20 21:59:51 +00:00
Mark Murray
daf509c612 The PAM module pam_krb5 does not have "session" capabilities.
Don't give examples of such use, this is bogus.
2003-04-30 21:57:54 +00:00
Mark Murray
38b1858b1b Initiate KerberosIV de-orbit burn. Disconnect the /etc configs. 2003-03-08 09:50:11 +00:00
Dag-Erling Smørgrav
aaf7fddd4f Add the want_agent option to the commented-out "session" pam_ssh entry. 2003-02-16 13:02:03 +00:00
Dag-Erling Smørgrav
75af7cb8a7 Major cleanup & homogenization. 2003-02-10 00:50:03 +00:00
Dag-Erling Smørgrav
48988cd4bd xdm plays horrid tricks with PAM, and dumps core if it's allowed to call
pam_lastlog, so add a dummy session chain to avoid using the one from
pam.d/other.  I assume gdm does something similar, so give it a dummy
session chain as well.

Sponsored by:	DARPA, NAI Labs.
2002-05-02 05:00:40 +00:00
Dag-Erling Smørgrav
214f3239c0 Don't list pam_unix in the session chain, since it does not provide any
session management services.

Sponsored by:	DARPA, NAI Labs
2002-04-18 17:40:27 +00:00
Dag-Erling Smørgrav
426ae370f4 Awright, egg on my face. I should have taken more time with this. The
conversion script generated the wrong format, so the configuration files
didn't actually work.  Good thing I hadn't thrown the switch yet...

Sponsored by:	DARPA, NAI Labs (but the f***ups are all mine)
2001-12-05 21:26:00 +00:00
Dag-Erling Smørgrav
23c103b894 pam.d-style configuration, auto-generated from pam.conf.
Sponsored by:	DARPA, NAI Labs
2001-12-05 21:06:21 +00:00