Commit Graph

523 Commits

Author SHA1 Message Date
bapt
83c8a6a0a4 Convert to LIBADD 2014-11-26 08:09:44 +00:00
bapt
6adce30d28 Convert libraries to use LIBADD
While here reduce a bit overlinking
2014-11-25 11:07:26 +00:00
des
fc4ab4a932 Hook up OpenPAM's own unit tests to the build. 2014-11-05 16:13:42 +00:00
des
efa4fbccbe Consistently cast tty and user to const char * in printf()-like contexts. 2014-10-01 07:15:02 +00:00
bz
3e09082bfd Hopefully fix build breakage with gcc passing void * instead of char *
to "%s" format string after r272280.

PR:		83099 193927
MFC after:	3 days
X-MFC with:	r272280
2014-09-29 10:36:14 +00:00
des
cb586e6a88 Instead of failing when neither PAM_TTY nor PAM_RHOST are available, call
login_access() with "**unknown**" as the second argument.  This will allow
"ALL" rules to match.

Reported by:	Tim Daneliuk <tundra@tundraware.com>
Tested by:	dim@
PR:		83099 193927
MFC after:	3 days
2014-09-29 08:57:36 +00:00
des
ec657b1011 Upgrade to OpenPAM Ourouparia. 2014-09-15 13:40:09 +00:00
des
0dba5e79e3 r271256 fixed one segfault condition but introduced another due to the
wrong operator being used in the tty check.

Reported by:	avg@
MFH:		3 days
2014-09-15 11:32:08 +00:00
des
af5b91d230 Vendor import of OpenPAM Ourouparia. 2014-09-15 09:40:30 +00:00
des
b5f87ea11c Fail rather than segfault if neither PAM_TTY nor PAM_RHOST is set.
PR:		83099
MFC after:	3 days
2014-09-08 09:19:01 +00:00
ache
fab70c1b56 According to opie code and even direct mention in opie(4) challenge buffer
size must be OPIE_CHALLENGE_MAX + 1, not OPIE_CHALLENGE_MAX

Reviewed by:    des
MFC after:      1 week
2014-08-12 13:28:46 +00:00
bapt
8a9380f42c Rework privatelib/internallib
Make sure everything linking to a privatelib and/or an internallib does it directly
from the OBJDIR rather than DESTDIR.
Add src.libnames.mk so bsd.libnames.mk is not polluted by libraries not existing
in final installation
Introduce the LD* variable which is what ld(1) is expecting (via LDADD) to link to
internal/privatelib
Directly link to the .so in case of private library to avoid having to complexify
LDFLAGS.

Phabric:	https://phabric.freebsd.org/D553
Reviewed by:	imp, emaste
2014-08-06 22:17:26 +00:00
des
a2e36007e3 Remove useless getpwnam() call.
Submitted by:	Arthur Mesh <amesh@juniper.net>
MFC after:	1 week
2014-07-26 07:40:31 +00:00
des
ded724b360 Add support for the "account" facility.
PR:		115164
MFC after:	1 week
2014-07-19 21:04:21 +00:00
des
7993179744 Check if the specified group is the user's primary group before
iterating over the (possibly empty) list of members.  Otherwise, we
get a false negative when the target group has no members listed in
/etc/group.  This went mostly unnoticed because root is explicitly
listed as a member of wheel, so the bug is never triggered in the most
common use case, which is su(8).

PR:		109416
MFC after:	1 week
2014-07-19 20:55:13 +00:00
joel
d94b51f5b9 mdoc: remove superfluous paragraph macros. 2014-06-23 18:40:21 +00:00
bapt
1f77f137dc use .Mt to mark up email addresses consistently (part3)
PR:		191174
Submitted by:	Franco Fichtner  <franco at lastsummer.de>
2014-06-23 08:23:05 +00:00
imp
2118f42afd Use src.opts.mk in preference to bsd.own.mk except where we need stuff
from the latter.
2014-05-06 04:22:01 +00:00
imp
29752a1c14 Spell NO_PROFILE= as MK_PROFILE=no. 2014-04-25 19:25:26 +00:00
imp
6f48f40ec7 Kill last remaining NO_INSTALLLIB in tree by converting it over to
MK_INSTALLIB=no.
2014-04-25 19:25:13 +00:00
eadler
118094e60b multiple: Remove 3rd clause from BSD license where approved by the
regents and renumber.

This patch skips files in contrib/ and crypto/

Acked by:	imp
Discussed with:	emaste
2014-03-14 03:07:51 +00:00
des
4baac54a79 Merge upstream r763: fix is_upper() predicate. 2014-02-26 17:06:54 +00:00
pluknet
87b7831359 Catch up with OpenPAM Nummularia.
This fixes libpam for build32 target to dlopen() pam libraries in /usr/lib32.

Reviewed by:	des (a while ago)
MFC after:	1 week
2013-11-21 20:43:43 +00:00
des
aba57138f9 Make libldns and libssh private.
Approved by:	re (blanket)
2013-09-08 10:04:26 +00:00
des
6a7561b73b Update to OpenPAM Nummularia. 2013-09-07 19:43:39 +00:00
des
28f201e345 Merge upstream r743: caught_signal should be static. 2013-09-07 19:27:58 +00:00
des
e50a38ba7d MFV (r255364): move the code around in preparation for Nummularia. 2013-09-07 18:46:35 +00:00
des
338d7c2adb Vendor import of OpenPAM Nummularia. 2013-09-07 16:15:30 +00:00
des
e86dd36ab2 Prepare for OpenPAM Nummularia by reorganizing to match its new directory
structure.
2013-09-07 16:10:15 +00:00
will
7c6cb741cf Make the PAM password strength checking module WARNS=2 safe.
lib/libpam/modules/pam_passwdqc/Makefile:
	Bump WARNS to 2.

contrib/pam_modules/pam_passwdqc/pam_passwdqc.c:
	Bump  _XOPEN_SOURCE and _XOPEN_VERSION from 500 to 600
	so that vsnprint() is declared.

	Use the two new union types (pam_conv_item_t and
	pam_text_item_t) to resolve strict aliasing violations
	caused by casts to comply with the pam_get_item() API taking
	a "const void **" for all item types.  Warnings are
	generated for casts that create "type puns" (pointers of
	conflicting sized types that are set to access the same
	memory location) since these pointers may be used in ways
	that violate C's strict aliasing rules.  Casts to a new
	type must be performed through a union in order to be
	compliant, and access must be performed through only one
	of the union's data types during the lifetime of the union
	instance.  Handle strict-aliasing warnings through pointer
	assignments, which drastically simplifies this change.

	Correct a CLANG "printf-like function with more arguments
	than format" error.

Submitted by:	gibbs
Sponsored by:	Spectra Logic
2013-08-27 15:50:26 +00:00
des
5e5b39c47e GC unused source file. 2013-08-16 10:53:36 +00:00
des
4faf138873 Backport upstream r684 (OPENPAM_DEBUG enables debugging macros but does
not turn debugging on by default) and add OPENPAM_DEBUG to CFLAGS.
2013-04-14 16:49:27 +00:00
jkim
5f9930d09f Fix declaration vs. definition inconsistency. No functional change. 2013-04-05 23:41:34 +00:00
eadler
3f7a414911 remove duplicate semicolons where possible.
Approved by:	cperciva
MFC after:	1 week
2012-10-22 03:00:37 +00:00
des
26f1bc7822 Remove unnecessary #include. 2012-09-28 12:29:25 +00:00
eadler
e08a8123c5 Bump date missed in r202756
PR:		docs/171624
Submitted by:	bdrewery
Approved by:	gabor
MFC after:	3 days
2012-09-14 17:50:42 +00:00
dim
e55724fcb2 Fix an instance in pam_krb5(8), where the variable 'user' could be used
uninitialized.

Found by:	clang 3.2
Reviewed by:	des
MFC after:	1 week
2012-08-06 18:44:59 +00:00
dim
74a518dd3c Fix two instances in pam_krb5(8), where the variable 'princ_name' could
be used uninitialized.

Found by:	clang 3.2
Reviewed by:	des
MFC after:	1 week
2012-08-06 18:40:14 +00:00
dfr
6bdab82e0a Add an option for pam_krb5 to allow it to authenticate users which don't have
a local account.

PR:		76678
Submitted by:	daved at tamu.edu
MFC after:	2 weeks
2012-08-05 13:40:35 +00:00
des
e591108b4f Update to OpenPAM Micrampelis. 2012-05-26 17:10:16 +00:00
des
14a6c41ca7 Passing NULL as a key causes a segfault when loading SSH 1 keys. Use
an empty string instead.
2012-05-26 17:03:45 +00:00
wblock
9fa9a2acad Fixes to man8 groff mandoc style, usage mistakes, or typos.
PR:		168016
Submitted by:	Nobuyuki Koganemaru
Approved by:	gjb
MFC after:	3 days
2012-05-24 02:24:03 +00:00
dumbbell
d6a537d930 Fix error messages containing the executed command name
Before, we took the first argument to pam_exec(8). With the addition of
options in front of the command, this could be wrong.

Now, options are parsed before calling _pam_exec() and messages contain
the proper command name.

While here, fix a warning.

Sponsored by:	Yakaz (http://www.yakaz.com)
2012-04-12 14:02:59 +00:00
eadler
1ef5fe44d3 Remove trailing whitespace per mdoc lint warning
Discussed with:	gavin
No objection from:	doc
Approved by:	joel
MFC after:	3 days
2012-03-29 05:02:12 +00:00
dumbbell
43dc3df2a8 Use program exit status as pam_exec return code (optional)
pam_exec(8) now accepts a new option "return_prog_exit_status". When
set, the program exit status is used as the pam_exec return code. It
allows the program to tell why the step failed (eg. user unknown).
However, if it exits with a code not allowed by the calling PAM service
module function (see $PAM_SM_FUNC below), a warning is logged and
PAM_SERVICE_ERR is returned.

The following changes are related to this new feature but they apply no
matter if the "return_prog_exit_status" option is set or not.

The environment passed to the program is extended:
    o  $PAM_SM_FUNC contains the name of the PAM service module function
       (eg. pam_sm_authenticate).
    o  All valid PAM return codes' numerical values are available
       through variables named after the return code name. For instance,
       $PAM_SUCCESS, $PAM_USER_UNKNOWN or $PAM_PERM_DENIED.

pam_exec return code better reflects what went on:
    o  If the program exits with !0, the return code is now
       PAM_PERM_DENIED, not PAM_SYSTEM_ERR.
    o  If the program fails because of a signal (WIFSIGNALED) or doesn't
       terminate normally (!WIFEXITED), the return code is now
       PAM_SERVICE_ERR, not PAM_SYSTEM_ERR.
    o  If a syscall in pam_exec fails, the return code remains
       PAM_SYSTEM_ERR.

waitpid(2) is called in a loop. If it returns because of EINTR, do it
again. Before, it would return PAM_SYSTEM_ERR without waiting for the
child to exit.

Several log messages now include the PAM service module function name.

The man page is updated accordingly.

Reviewed by:	gleb@, des@
Sponsored by:	Yakaz (http://www.yakaz.com)
MFC after:	2 weeks
2012-03-26 12:18:15 +00:00
stas
f53c9505e0 - Avoid using deprecated heimdal functions in pam_krb5. 2012-03-24 01:02:03 +00:00
stas
2d133d4c85 - Avoid use of deprecated KRB5 functions. 2012-03-22 11:18:14 +00:00
stas
e7e0b34988 - Update FreeBSD Heimdal distribution to version 1.5.1. This also brings
several new kerberos related libraries and applications to FreeBSD:
  o kgetcred(1) allows one to manually get a ticket for a particular service.
  o kf(1) securely forwards ticket to another host through an authenticated
    and encrypted stream.
  o kcc(1) is an umbrella program around klist(1), kswitch(1), kgetcred(1)
    and other user kerberos operations. klist and kswitch are just symlinks
    to kcc(1) now.
  o kswitch(1) allows you to easily switch between kerberos credentials if
    you're running KCM.
  o hxtool(1) is a certificate management tool to use with PKINIT.
  o string2key(1) maps a password into key.
  o kdigest(8) is a userland tool to access the KDC's digest interface.
  o kimpersonate(8) creates a "fake" ticket for a service.

  We also now install manpages for some libraries that were not installed
  before, libheimntlm and libhx509.

- The new HEIMDAL version no longer supports Kerberos 4.  All users are
  recommended to switch to Kerberos 5.

- Weak ciphers are now disabled by default.  To enable DES support (used
  by telnet(8)), use "allow_weak_crypto" option in krb5.conf.

- libtelnet, pam_ksu and pam_krb5 are now compiled with error on warnings
  disabled due to the function they use (krb5_get_err_text(3)) being
  deprecated.  I plan to work on this next.

- Heimdal's KDC now requires sqlite to operate.  We use the bundled version
  and install it as libheimsqlite.  If some other FreeBSD components will
  require it in the future we can rename it to libbsdsqlite and use for these
  components as well.

- This is not the latest Heimdal version, the new one was released while I was
  working on the update.  I will update it to 1.5.2 soon, as it fixes some
  important bugs and security issues.
2012-03-22 08:48:42 +00:00
peter
e5fa065e08 Rev 228065 (change bsd.own.mk -> bsd.init.mk) broke pam_unix.so by causing
the LDADD/DPADD to lose the -lpam, and causing openpam_dynamic() to fail
due to "openpam_get_options" being undefined.

This would cause obscure console log messages like:
  openpam_dynamic(): No error: 0
  openpam_load_module(): no pam_unix.so found
and other helpful messages which are no help in diagnosing the problem.

Fortunately this change was not mfc'ed to 9.x, it isn't broken there.
2012-01-18 18:26:56 +00:00
des
50a0ec7697 Upgrade to OpenPAM Lycopsida. 2011-12-18 17:22:45 +00:00