Commit Graph

500 Commits

Author SHA1 Message Date
des
01dcf64138 Do not use passphraseless keys for authentication unless the nullok
option was specified.

PR:		bin/81231
Submitted by:	"Daniel O'Connor" <doconnor@gsoft.com.au>
MFC after:	3 days
2005-09-22 05:35:24 +00:00
des
4ee54de329 Narrow the use of user credentials.
Fix one case where openpam_restore_cred() might be called twice in a row.

MFC after:	3 days
2005-09-21 16:08:40 +00:00
cperciva
a257862d4b When (re)allocating space for an array of pointers to char, use
sizeof(*list), not sizeof(**list).  (i.e., sizeof(pointer) rather than
sizeof(char)).

It is possible that this buffer overflow is exploitable, but it was
added after RELENG_5 forked and hasn't been MFCed, so this will not
receive an advisory.

Submitted by:	Vitezslav Novy
MFC after:	1 day
2005-09-19 18:43:11 +00:00
kensmith
f97f77429f Bump the shared library version number of all libraries that have not
been bumped since RELENG_5.

Reviewed by:	ru
Approved by:	re (not needed for commit check but in principle...)
2005-07-22 17:19:05 +00:00
kensmith
174219188d Missed one piece of the cluster's quirk. Need to override WARNS because
if _FREEFALL_CONFIG is set gcc bails since pam_sm_setcred() in pam_krb5.c
no longer uses any of its parameters.

Pointy hat:	kensmith
Approved by:	re (scottl)
2005-07-08 14:53:45 +00:00
kensmith
28b7f562fc This is sort of an MFS. Peter made these changes to the RELENG_*
branches but missed HEAD.  This patch extends his a little bit,
setting it up via the Makefiles so that adding _FREEFALL_CONFIG
to /etc/make.conf is the only thing needed to cluster-ize things
(current setup also requires overriding CFLAGS).

From Peter's commit to the RELENG_* branches:
> Add the freebsd.org custer's source modifications under #ifdefs to aid
> keeping things in sync.  For ksu:
> * install suid-root by default
> * don't fall back to asking for a unix password (ie: be pure kerberos)
> * allow custom user instances for things like www and not just root

The Makefile tweaks will be MFC-ed, the rest is already done.

MFC after:      3 days
Approved by:    re (dwhite)
2005-07-07 14:16:38 +00:00
des
09a62d7510 Use the correct login class when setting a new password.
PR:		65557, 72949
Submitted by:	Stephen P. Cravey <clists@gotbrains.org>
Approved by:	re (scottl)
MFC after:	2 weeks
2005-07-05 18:42:18 +00:00
des
4b2f009799 Update for OpenPAM Figwort.
Approved by:	re (kensmith)
2005-06-17 08:14:42 +00:00
ru
38fc91ca96 Assorted markup fixes.
Approved by:	re
2005-06-15 19:04:04 +00:00
des
2b425cf5e2 Don't use a cast as an lvalue.
Add a redundant test to make it painfully obvious to the reader that this
code does not support IPv6.

Approved by:	re (dwhite)
MFC after:	1 week
2005-06-13 21:18:52 +00:00
des
060c66b4a3 Use appropriate error codes for each facility instead of just PAM_AUTH_ERR.
Noticed by:	pjd
2005-06-10 06:16:13 +00:00
des
d78c118916 Revert the commits that made libssh an INTERNALLIB; they caused too much
trouble, especially on amd64.

Requested by:	ru
2005-06-07 09:31:28 +00:00
des
741e51c695 Fix libssh dependency. 2005-06-06 19:01:01 +00:00
ume
a3047efe51 NI_WITHSCOPEID cleanup
Reviewed by:	des
2005-05-13 20:51:09 +00:00
ru
1541af42f1 Expand *n't contractions. 2005-02-13 22:25:33 +00:00
des
b0d098fb3c In addition to the PAM environment, export a handful of useful PAM items.
Suggested by:	Ed Maste <emaste@phaedrus.sandvine.ca>
2005-02-01 10:37:07 +00:00
des
23d6a7f7bd Add openpam_free_envlist(3). 2005-02-01 10:21:07 +00:00
rwatson
3441ac65f8 When "no_ccache" is set as an argument to the pam_krb5 module, don't
copy the acquired TGT from the in-memory cache to the on-disk cache
at login.  This was documented but un-implemented behavior.

MFC after:		1 week
PR:			bin/64464
Reported and tested by:	Eric van Gyzen <vangyzen at stat dot duke dot edu>
2005-01-24 16:49:50 +00:00
rwatson
8cc1e1c0d7 The final argument to verify_krb_v5_tgt() is the debug flag, not the
ticket forwardable flag, so key generation of debugging output to
"debug" rather than "forwardable".

Update copyright.

MFC after:	3 days
2005-01-23 15:57:07 +00:00
ru
3666aefb6a Fixed xref. 2005-01-21 10:48:35 +00:00
ru
f4c44b761b NOCRYPT -> NO_CRYPT 2004-12-21 10:16:04 +00:00
ru
e1caf1330c NOINSTALLLIB -> NO_INSTALLLIB 2004-12-21 09:51:09 +00:00
ru
74176cc161 NODOCCOMPRESS -> NO_DOCCOMPRESS
NOINFO -> NO_INFO
NOINFOCOMPRESS -> NO_INFOCOMPRESS
NOLINT -> NO_LINT
NOPIC -> NO_PIC
NOPROFILE -> NO_PROFILE
2004-12-21 09:33:47 +00:00
bz
4b83c5852a Add knob NO_NIS (fka NO_YP_LIBC) and make world compileable when set.
If turned on  no NIS support and related programs will be built.

Lost parts rediscovered by:	Danny Braniss <danny at cs.huji.ac.il>
PR:		bin/68303
No objections:	des, gshapiro, nectar
Reviewed by:	ru
Approved by:	rwatson (mentor)
MFC after:	2 weeks
2004-11-13 20:40:32 +00:00
ru
5db2b9d5b3 For variables that are only checked with defined(), don't provide
any fake value.
2004-10-24 15:33:08 +00:00
cperciva
e629b37603 Join the 21st century: Cryptography is no longer an optional component
of releases.  The -DNOCRYPT build option still exists for anyone who
really wants to build non-cryptographic binaries, but the "crypto"
release distribution is now part of "base", and anyone installing from a
release will get cryptographic binaries.

Approved by:	re (scottl), markm
Discussed on:	freebsd-current, in late April 2004
2004-08-06 07:27:08 +00:00
kan
425239bf6e Downgrade WARNS level for GCC 3.4.2. 2004-07-28 05:49:15 +00:00
ru
b5e1c67f19 Markup nits. 2004-07-05 06:39:03 +00:00
ru
6651f20e0d Sort SEE ALSO references (in dictionary order, ignoring case). 2004-07-04 20:55:50 +00:00
ru
01548ace15 Mechanically kill hard sentence breaks. 2004-07-02 23:52:20 +00:00
ru
5d2b66a3c7 Deal with unsafe tab characters. 2004-07-02 19:55:26 +00:00
ru
615a6a246a Markup, grammar, punctuation. 2004-07-01 18:20:57 +00:00
kan
211c1eafc9 Revert the last change. There are more 64bit platforms than amd64, and
they break due to diferent alignment restrictions.
2004-06-25 12:32:45 +00:00
kan
e14478e091 Remove the use of cast as lvalue. 2004-06-25 01:54:26 +00:00
des
950b98f1f7 Add -DDEBUG to DEBUG_FLAGS if PAM_DEBUG is defined. 2004-03-15 13:23:20 +00:00
markm
0b0ae8e16e Make NULL a (void*)0 whereever possible, and fix the warnings(-Werror)
that this provokes. "Wherever possible" means "In the kernel OR NOT
C++" (implying C).

There are places where (void *) pointers are not valid, such as for
function pointers, but in the special case of (void *)0, agreement
settles on it being OK.

Most of the fixes were NULL where an integer zero was needed; many
of the fixes were NULL where ascii <nul> ('\0') was needed, and a
few were just "other".

Tested on: i386 sparc64
2004-03-05 08:10:19 +00:00
cperciva
81f9b2b83a style cleanup: Remove duplicate $FreeBSD$ tags.
These files had tags after the copyright notice,
inside the comment block (incorrect, removed),
and outside the comment block (correct).

Approved by:	rwatson (mentor)
2004-02-10 20:42:33 +00:00
des
18879fb0df Fix numerous constness and aliasing issues. 2004-02-10 10:13:21 +00:00
ru
70146d9d56 Put libraries in the link order.
Reported by:	lorder(1) (modified to work with libraries)
2004-02-04 10:23:09 +00:00
ru
78280d4ce2 This module doesn't use libgssapi (and it looks never did). 2004-02-04 09:41:47 +00:00
des
2549da444c Implement pam_sm_close_session().
PR:		bin/61657
Submitted by:	Joe R. Doupnik <jrd@cc.usu.edu>
2004-01-26 19:28:37 +00:00
ru
24ae6823ef Deal better with the crypto version of the PAM library that goes
on the release media -- only put what is different in the crypto
version compared to the base version.  This reduces PAM entries
in /usr/lib in the "crypto" distribution to:

	libpam.a
	libpam.so@
	libpam.so.2
	pam_krb5.so@
	pam_krb5.so.2
	pam_ksu.so@
	pam_ksu.so.2
	pam_ssh.so@
	pam_ssh.so.2

The libpam.so* is still redundant (it is identical to the "base"
version), but we can't set DISTRIBUTION differently for libpam.a
and libpam.so.

(The removal of libpam.so* from the crypto distribution could be
addressed by the release/scripts/crypto-make.sh script, but then
we'd also need to remove redundant PAM headers, and I'm not sure
this is worth a hassle.)
2004-01-18 14:58:07 +00:00
ru
1ec4f4a6cb DISTRIBUTION is normally single-valued. 2004-01-18 09:32:52 +00:00
schweikh
6cbe68d985 Remove crossref to pam.conf(5) which never existed. 2004-01-17 09:46:49 +00:00
ru
7b4183345a bsd.dep.mk,v 1.43 allows us to replace a hack with a solution. 2004-01-13 17:38:42 +00:00
des
3812c7acf5 Fix a strict aliasing issue. Also remove an unnecessary pam_get_item()
call (pam_get_authtok() will return the previous token if try_first_pass
or use_first_pass is specified).  Incidentally fix an ugly bug where the
buffer holding the prompt was freed immediately before use, instead of
after.
2003-12-11 15:51:03 +00:00
des
e64a27f5c0 More strict aliasing fixes.
Submitted by:	Andreas Hauser <andy-freebsd@splashground.de>
2003-12-11 15:48:09 +00:00
des
9c38a55797 Fix strict aliasing breakage in PAM modules (except pam_krb5, which needs
more work than the others).  This should make most modules build with -O2.
2003-12-11 13:55:16 +00:00
sobomax
7c6af783e5 Fix on sparc64.
Reported by:	rwatson/tinderbox
MFC after:	2 weeks
2003-11-12 23:36:17 +00:00
sobomax
c33bd8de41 Add a new configuration variable - nas_ipaddr, which if set allows to
set NAS-IP-Address attribute in requests generated by the pam_radius
module. This attribute is mandatory for some Radius servers out there.

Reviewed by:	des
MFC after:	2 weeks
2003-11-12 17:47:23 +00:00
kensmith
c204cb0df7 - fix to UID test description, non-zero -> zero
PR:		docs/57799
Reviewed by:	des
Approved by:	blackend (mentor)
2003-10-17 17:03:38 +00:00
des
b9a4363200 Ignore ECHILD from waitpid(2) (our child may have been reaped by the
calling process's SIGCHLD handler)

PR:		bin/45669
2003-09-19 11:33:03 +00:00
des
2da157461a Revert previous commit after fixing libpam. 2003-07-21 19:56:28 +00:00
des
86393d5322 Add a __DECONST() to unbreak the build. 2003-07-15 14:36:36 +00:00
mbr
43c169a64d Fix the master yppasswd routines, so they really work
for root on ypmaster. yppasswd_local() did use YPPASSWDPROG
instead of MASTER_YPPASSWDPROG, and the domain was not set,
resulting in a coredump during xdr-encode.

Reviewed by:	des
2003-06-15 10:37:22 +00:00
des
e39f4b709f Add openpam_readline(3). 2003-06-01 12:54:51 +00:00
des
e750473b95 Retire pam_wheel(8) (which has been disconnected for quite a while) and
pam_ftp(8).
2003-06-01 11:50:35 +00:00
des
71e070589a Don't build pam_std_option(). 2003-05-31 23:38:16 +00:00
des
808a5cf7ec Update copyright dates. 2003-05-31 17:19:03 +00:00
des
170ff8a070 Remove pam_std_option() and related functions. Add #defines for common
options.
2003-05-31 16:56:35 +00:00
des
ccae73b84e Remove all instances of pam_std_option() 2003-05-31 16:55:07 +00:00
des
153e03600b Introduce pam_guest(8) which will replace pam_ftp(8). 2003-05-31 16:52:58 +00:00
ru
8bc4d4bba7 mdoc(7) fixes.
Approved by:	re (blanket)
2003-05-24 19:53:08 +00:00
des
e5d2d778eb Retire the useless NOSECURE knob.
Approved by:	re (scottl)
2003-05-19 15:52:01 +00:00
des
af2766553d OpenPAM is WANRS6-clean. 2003-05-05 21:15:35 +00:00
markm
ee63e7dc15 Turn MAKE_KERBEROS5 into NO_KERBEROS by negating the logic. Some extra
cleanups were necessary in release/Makefile, and the tinderbox code
was syntax checked, not run checked.
2003-05-05 07:58:44 +00:00
markm
fad590ab7e Trasmute moer "krb5" distibutions into "crypto". 2003-05-01 21:21:15 +00:00
des
46c06a0c42 Use C99-style varadic macros instead of the non-standard gcc syntax. 2003-05-01 15:08:55 +00:00
des
3beb053fc3 Mark libpam as c99- and WARNS5-clean. 2003-05-01 14:55:06 +00:00
des
31f8a355e2 Make sure rhostip is always initialized.
PR:		bin/51508
Submitted by:	Peter Grimshaw <peter@tesseract.demon.co.uk>
2003-04-30 00:49:42 +00:00
des
4f251ebb97 Treat an empty PAM_RHOST the same as a NULL one.
PR:		bin/51508
2003-04-30 00:44:05 +00:00
des
c3c465c42c Set $HOME to the correct directory (within the chroot tree). 2003-04-30 00:40:24 +00:00
des
9bee0a595d Remove a bogus null password check which assumed that a user with an empty
password must necessarily have an empty pwd->pw_passwd.  Also add a check
that prevents users from setting a blank password unless the nullok option
was specified.  Root is still allowed to give anyone a blank password.
2003-04-24 12:26:25 +00:00
des
0275c44b31 Connect the pam_chroot(8) module to the build. 2003-04-08 16:52:34 +00:00
des
633999b852 Add a cwd option which specifies where to chdir(2) after the chroot(2).
When using the /home/./foo scheme, this defaults to the rhs (/foo);
otherwise it defaults to /.
2003-04-08 16:52:18 +00:00
des
5a582e1e30 Experimental pam_chroot module (not connected to the build) 2003-03-30 22:58:23 +00:00
des
ccfd2047be This module is not WARNS-clean, due to brokenness in OpenSSL headers. 2003-03-10 09:19:08 +00:00
des
f30606f0ce Somewhat better wording. 2003-03-10 09:15:26 +00:00
des
3e06ef8dee Silence warning caused by OPIE brokenness. 2003-03-10 09:15:08 +00:00
obrien
e70feef239 style.Makefile(5) police
(I've tried to keep to the spirit of the original formatting)

Reviewed by:	des
2003-03-09 20:06:38 +00:00
markm
9981c003b1 KerberosIV de-orbit burn continues. Remove the KerberosIV PAM module. 2003-03-08 10:33:20 +00:00
markm
171598b312 Comment-only assistance to lint to kill warnings. 2003-03-08 10:30:49 +00:00
ru
779559752b mdoc(7) police: Nits. 2003-03-03 11:45:18 +00:00
ru
8b5b8ec6a7 mdoc(7) police: markup laundry. 2003-02-23 01:47:49 +00:00
des
d1e778062c Add an "allow_local" option which forces historical behaviour. 2003-02-16 13:01:03 +00:00
des
af39bbe733 Assume "localhost" if no remote host was specified. This is safe from a
POLA point of view since the stock /etc/opieaccess now allows localhost.
2003-02-15 23:26:49 +00:00
des
f91e91de52 Use pam_get_user(3) instead of pam_get_item(3) where appropriate. 2003-02-10 18:59:20 +00:00
des
3dcafca132 Complete rewrite of pam_ssh(8). The previous version was becoming hard
to maintain, and had security issues which would have required a major
rewrite to address anyway.

This implementation currently starts a separate agent for each session
instead of connecting each new session to the agent started by the first
one.  While this would be a Good Thing (and the old pam_ssh(8) tried to
do it), it's hard to get right.  I'll revisit this issue when I've had a
chance to test some modifications to ssh-agent(1).
2003-02-09 21:20:44 +00:00
des
1f26428646 Maybe I was a little too fast? Remove debugging code, and commit the
Makefile and man page which I'd forgotten to 'cvs add'.

Sponsored by:	DARPA, NAI Labs
2003-02-06 14:27:48 +00:00
des
adcc3ecbe9 Replace pam_wheel(8) with pam_group(8) which has a cleaner interface. The
pam_wheel(8) module was written to work in spite of a broken libpam, and
has grown organically since its inception, which is reflected in both its
functionality and implementation.  Rather than clean up pam_wheel(8) and
break backward compatibility, I've chosen to reimplement it under a new,
more generic name.

Sponsored by:	DARPA, NAI Labs
2003-02-06 14:24:14 +00:00
des
3e6b9e7efc Make sure the message is only printed once. 2003-02-06 14:19:50 +00:00
des
ea5370a075 Don't blame markm for what he didn't do - writing these man pages, for
instance.  Also bump the date since I made substantial modifications
earlier today.
2003-02-06 13:47:21 +00:00
des
8e490a4ac5 Update copyright. 2003-02-06 12:56:51 +00:00
des
1859534a54 Add support for escape sequences in the arguments (e.g. %u for user name)
Sponsored by:	DARPA, NAI Labs
2003-02-06 12:56:39 +00:00
des
18387ab2eb Export the PAM environment to the child process instead of the "normal"
environment list, which may be unsafe and / or sensitive.

Sponsored by:	DARPA, NAI Labs
2003-02-06 12:40:58 +00:00
des
7587cbe3ba Minimal manual page for pam_kerberosIV(8).
Sponsored by:	DARPA, NAI Labs
2003-02-06 10:55:11 +00:00
des
2f3f171cbe In pam_sm_acct_mgmt(), retrieve the cached credentials before trying to
initialize the context.  This way, a failure to initialize the context is
not fatal unless we actually have work to do - because if we don't, we
return PAM_SUCCESS without even trying to initialize the context.
2003-02-03 09:45:41 +00:00
des
4e2d7720df Whitespace cleanup 2003-02-03 09:43:28 +00:00
des
43d52f88dc OpenPAMify. 2003-02-02 18:43:58 +00:00
nectar
7ecaf1e74b Do not return inappropriate error codes in pam_sm_setcred. 2003-01-29 21:20:38 +00:00
nectar
44a92fbc06 About September 2001, I consulted with all the previous authors of
pam_krb5 to consolidate the copyright texts.  The semi-official
pam_krb5 module has been distributed with this new license text ever
since, but I'm just now getting around to updating the text here.
2003-01-10 13:38:44 +00:00
schweikh
fec6546e12 english(4) police. 2002-12-27 12:15:40 +00:00
ru
30f31561da mdoc(7) police: removed gratuitous .Pp call. 2002-12-23 15:21:57 +00:00
des
7966ff24b5 Merge in most non-style differences from Andrew Korty's pam_ssh 1.7. 2002-12-16 14:33:18 +00:00
ru
ea54687b0d mdoc(7) police: .Dt is ALL UPPERCASE.
Approved by:	re
2002-12-12 08:19:47 +00:00
ru
3f859aa2ab mdoc(7) police: formatting nits.
Approved by:	re
2002-11-29 15:57:50 +00:00
des
c88eb4583e Whitespace nits.
Approved by:	re (bmah)
2002-11-28 20:11:31 +00:00
des
29b2e3446c Add a PAM_MODULE_ENTRY to this module so it'll actually do something.
Approved by:	re (bmah)
2002-11-28 20:05:42 +00:00
peter
97526c738c utmp.ut_time and lastlog.ll_time are explicitly int32_t rather than
time_t.  Deal with the possibility that time_t != int32_t.  This boils
down to this sort of thing:
 -   time(&ut.ut_time);
 +   ut.ut_time = time(NULL);
and similar for ctime(3) etc.  I've kept it minimal for the stuff
that may need to be portable (or 3rd party code), but used Matt's time32
stuff for cases where that isn't as much of a concern.

Approved by: re (jhb)
2002-11-15 22:42:00 +00:00
ru
6db7cbc3e1 Make dynamic PAM modules depend on dynamic PAM library.
Requested by:	des, markm
2002-11-14 19:24:51 +00:00
nectar
96e5cda4e0 The pam_krb5 module stored a reference to a krb5_ccache structure as
PAM module state (created in pam_sm_authenticate and referenced later
in pam_sm_setcred and pam_sm_acct_mgmt).  However, the krb5_ccache
structure shares some data members with the krb5_context structure
that was used in its creation.  Since a new krb5_context is created
and destroyed at each PAM entry point, this inevitably caused the
krb5_ccache structure to reference free'd memory.

Now instead of storing a pointer to the krb5_ccache structure,
we store the name of the cache (e.g. `MEMORY:0x123CACHE') in
pam_sm_authenticate, and resolve the name in the other entry points.

This bug was uncovered by phkmalloc's free'd memory scrubbing.

Approved by:	re (jhb)
2002-11-13 17:46:15 +00:00
nectar
04eec5ce47 Use krb5_get_err_text' instead of error_message' so that instead of
e.g.

   Unknown error: -1765328378

we get

   Client not found in Kerberos database

Another way to accomplish this would have been to leave
`error_message' alone, but to explicitly load the Kerberos com_err
error tables.  However, I don't really like the idea of a PAM module
dorking with global tables.

Approved by:	re (jhb)
2002-11-13 17:44:29 +00:00
des
0ff879bc38 Allow the admin to specify a different NAS identifier than the hostname.
Submitted by:	Boris Kovalenko <boris@ntmk.ru>
2002-10-28 10:28:46 +00:00
rwatson
8601e0f680 Introduce 'exempt_if_empty' option to pam_wheel(8), which bypasses the
group membership requirement if the group has no explicit members listed
in /etc/group.  By default, this group is the wheel group; setting this
flag restores the default BSD behavior from 4.x.

Reviewed by:	markm
Requested by:	various
Sponsored by:	DARPA, Network Associates Laboratories
2002-10-18 02:37:29 +00:00
ru
b3c0f70717 Build kerberized versions of the PAM library, and install them
into corresponding distributions during "make release".  (This
also cleans the "slib" distribution up from the .o files.)

PR:		misc/43825 (inspired by)
2002-10-11 14:17:09 +00:00
peter
0a7f0ba37e Zap now-unused SHLIB_MINOR 2002-09-28 00:25:32 +00:00
peter
a51c9b6627 Initiate deorbit burn for the i386-only a.out related support. Moves are
under way to move the remnants of the a.out toolchain to ports.  As the
comment in src/Makefile said, this stuff is deprecated and one should not
expect this to remain beyond 4.0-REL.  It has already lasted WAY beyond
that.

Notable exceptions:
gcc - I have not touched the a.out generation stuff there.
ldd/ldconfig - still have some code to interface with a.out rtld.
old as/ld/etc - I have not removed these yet, pending their move to ports.
some includes - necessary for ldd/ldconfig for now.

Tested on: i386 (extensively), alpha
2002-09-17 01:49:00 +00:00
des
98c860bfbd Since pam_get_authtok(3) doesn't know about our options structure, setting
the PAM_ECHO_PASS option on-the-fly is a NOP (though it wasn't with the
old pam_get_pass(3) code).  Instead, call pam_prompt(3) directly.  This
actually simplifies the code a bit.

MFC after:	3 days
2002-07-30 08:32:03 +00:00
des
e3e6667313 Install more man pages - I thought I'd committed this ages ago... 2002-07-23 17:59:46 +00:00
ru
eac60c3d5c Tidy up. 2002-06-06 13:55:01 +00:00
des
da6b7e20d7 Missed one in previous commit.
Pointed out by:	nectar
2002-05-30 20:48:59 +00:00
ru
e540238573 mdoc(7) police: kill whitespace at EOL. 2002-05-30 14:52:00 +00:00
ru
8a216468eb mdoc(7) police: polish markup. 2002-05-30 14:49:57 +00:00
ru
0be8bf82ae mdoc(7) police: tidy up the markup. 2002-05-30 14:32:48 +00:00
nectar
e9b88414b4 Add pam_ksu(8), a module to do Kerberos 5 authentication and
$HOME/.k5login authorization for su(1).

Reviewed by:	des (earlier version)
2002-05-28 20:52:31 +00:00
des
2de71ade06 Add openpam_nullconv.3. 2002-05-24 13:22:15 +00:00
des
418fa5ac12 Add missing include. 2002-05-24 13:20:40 +00:00
des
617cfa745a Just to show that PAM can do almost anything from the ridiculous to the
obscene, or - as they say in New York - sophisticated, add pam_echo(8) and
pam_exec(8) to our ever-lengthening roster of PAM modules.

Sponsored by:	DARPA, NAI Labs.
2002-05-23 22:03:06 +00:00
des
33ce52c25a Hide a couple of unguarded error returns behind the no_fail test. 2002-05-23 00:02:59 +00:00
jmallett
f49de03759 Free old_pwd only in the code path where it has been allocated.
Reviewed by:	des
2002-05-22 23:18:25 +00:00
obrien
1250c0d8e3 Do not build pam_ssh if NOSECURE is set (NO_OPENSSL is on a subset of NOSECURE) 2002-05-15 20:25:32 +00:00
ru
dc9ee40833 Major cleanup of bsd.lib.mk.
Get rid of the INTERNALSTATICLIB knob and just use plain INTERNALLIB.
INTERNALLIB now means to build static library only and don't install
anything.  Added a NOINSTALLLIB knob for libpam/modules.  To not
build any library at all, just do not set LIB.
2002-05-13 10:53:24 +00:00
ru
59049318b6 Added new bsd.incs.mk which handles installing of header files
via INCS.  Implemented INCSLINKS (equivalent to SYMLINKS) to
handle symlinking include files.  Allow for multiple groups of
include files to be installed, with the powerful INCSGROUPS knob.
Documentation to follow.

Added standard `includes' and `incsinstall' targets, use them
in Makefile.inc1.  Headers from the following makefiles were
not installed before (during `includes' in Makefile.inc1):

	kerberos5/lib/libtelnet/Makefile
	lib/libbz2/Makefile
	lib/libdevinfo/Makefile
	lib/libform/Makefile
	lib/libisc/Makefile
	lib/libmenu/Makefile
	lib/libmilter/Makefile
	lib/libpanel/Makefile

Replaced all `beforeinstall' targets for installing includes
with the INCS stuff.

Renamed INCDIR to INCSDIR, for consistency with FILES and SCRIPTS,
and for compatibility with NetBSD.  Similarly for INCOWN, INCGRP,
and INCMODE.

Consistently use INCLUDEDIR instead of /usr/include.

gnu/lib/libstdc++/Makefile and gnu/lib/libsupc++/Makefile changes
were only lightly tested due to the missing contrib/libstdc++-v3.
I fully tested the pre-WIP_GCC31 version of this patch with the
contrib/libstdc++.295 stuff.

These changes have been tested on i386 with the -DNO_WERROR "make
world" and "make release".
2002-05-12 16:01:00 +00:00
des
35b06c061e Don't declare krb5_mcc_ops, it's already declared in <krb5.h> 2002-05-12 07:06:27 +00:00
des
abc14dea11 Use libutil and libypclnt for all passwd manipulation and NIS needs.
Sponsored by:	DARPA, NAI Labs
2002-05-08 00:54:29 +00:00
des
8bc66e6368 Add a no_fail option.
Sponsored by:	DARPA, NAI Labs
2002-05-08 00:31:45 +00:00
des
d70ae92570 Add pam_ftpusers(8), which enforces /etc/ftpusers.
Sponsored by:	DARPA, NAI Labs
2002-05-08 00:30:10 +00:00
des
c135cf25dc Add openpam_nullconv.c to SRCS. 2002-05-02 04:42:59 +00:00
des
a6e173ee33 Don't ask root for the old password, except in the NIS case.
Sponsored by:	DARPA, NAI Labs
2002-04-26 19:28:17 +00:00
des
522debf4fd Fix a really dumb bug (missing curly braces around the body of an if
statement) that caused pam_sm_chauthtok() to always fail silently.
2002-04-26 01:47:48 +00:00
des
13a8751373 Oops, fix an inverted if test. 2002-04-20 16:52:41 +00:00
des
dc33f36d34 Strip /dev/ from tty name, and clean up the "last login" printout.
Sponsored by:	DARPA, NAI Labs
2002-04-20 16:44:32 +00:00
ru
67f99d8b8c Revert previous change. bsd.dep.mk,v 1.31 had a bug that was fixed
in revision 1.32 and made this change OBE.
2002-04-17 05:46:41 +00:00
des
283ac5768b Add a missing .El and fix a typo.
Spotted by:	Solar Designer <solar@openwall.com>
Sponsored by:	DARPA, NAI Labs
2002-04-16 22:38:47 +00:00
ru
bc595cdde6 Reflect change in share/mk/bsd.dep.mk,v 1.31. 2002-04-16 12:52:22 +00:00
des
b41d43d579 Revert previous commit, it is incorrect. 2002-04-15 22:51:31 +00:00
obrien
f46bf6f79a Properly spell rpcsvc/ypclnt.h and fix the build. 2002-04-15 22:47:28 +00:00
des
1a41b2c911 Throw in NO_WERROR to please the peanut gallery. 2002-04-15 13:10:28 +00:00
des
ade0386724 Use PAM_SUCCESS instead of PAM_IGNORE. 2002-04-15 06:26:32 +00:00
des
2eefb07eae Whitespace nits. 2002-04-15 03:52:22 +00:00