Commit Graph

56 Commits

Author SHA1 Message Date
des
41880f4325 Add a system policy, and have the login and su policies include it rather
than duplicate it.  This requires OpenPAM Dianthus, which was committed two
weeks ago; installing these files on a system running a world older than
June 1st, 2003 will cause login(1) and su(1) to fail.
2003-06-14 12:35:05 +00:00
des
fb023b686e Try to describe the control flags a little better. 2003-06-01 00:34:38 +00:00
markm
a2678ea957 The PAM module pam_krb5 does not have "session" capabilities.
Don't give examples of such use, this is bogus.
2003-04-30 21:57:54 +00:00
des
85e31bc1f4 Add nullok to the pam_unix line. 2003-04-24 12:22:42 +00:00
ru
183c65a97c Use the canonical form of installing links.
Also, make "ftp" and "ftpd" hard links.

Not objected to by:	des
2003-03-14 09:01:22 +00:00
markm
ecc5f917a3 Initiate KerberosIV de-orbit burn. Disconnect the /etc configs. 2003-03-08 09:50:11 +00:00
des
a9b8975387 Add the allow_local option to all pam_opieaccess entries. 2003-02-16 13:02:39 +00:00
des
8c8f33d988 Add the want_agent option to the commented-out "session" pam_ssh entry. 2003-02-16 13:02:03 +00:00
des
d4d4a833ae Major cleanup & homogenization. 2003-02-10 00:50:03 +00:00
des
439e079c7b No idea what this is for, and it doesn't make much sense. If a port needs
it, it can install its own copy in /usr/local/etc/pam.d/.
2003-02-10 00:49:44 +00:00
des
ca9add3762 There's no reason to have two identical policies for FTP servers, so
make ftp a symlink to ftpd.
2003-02-10 00:47:46 +00:00
des
3a6d7496df Use pam_group(8) instead of pam_wheel(8). 2003-02-06 14:33:23 +00:00
des
1b6009d788 Don't enable pam_krb5 by default - most people don't have it since most
people don't build with MAKE_KERBEROS5 defined.  Provide commented-out
usage examples instead, like we do everywhere else.

Pointy hat to:	des
2003-02-03 14:45:02 +00:00
des
13a23e2886 Enable pam_krb5 for sshd. I've had this in my tree for ages. 2003-02-02 18:41:26 +00:00
des
81fe169630 Since OpenSSH drops privileges before calling pam_open_session(3),
pam_lastlog(8) can't possibly work, so let OpenSSH handle lastlog.

Approved by:	re (rwatson)
2002-12-03 15:48:11 +00:00
rwatson
7185b416e6 Exempt the "wheel group requirement" by default when su'ing to root if
the wheel group has no explicit members listed in /etc/group.  This adds
the "exempt_if_empty" flag to pam_wheel in the default configuration;
in some environments, it may be appropriate to remove this flag, however,
this default is the same as pre-pam_wheel.

Reviewed by:	markm
Sponsored by:	DARPA, Network Associates Laboratories
2002-10-18 02:39:21 +00:00
des
5c93810aed Silence pam_lastlog for now. 2002-07-07 10:00:43 +00:00
des
3dfd2c1e9b We don't use this any more.
Sponsored by:	DARPA, NAI Labs
2002-06-19 20:01:25 +00:00
des
2645a88fb1 Enable OPIE for sshd and telnetd. I thought I'd done this a long time
ago...

Sponsored by:	DARPA, NAI Labs
2002-06-19 20:00:43 +00:00
des
0be56e68fc Use pam_lastlog(8)'s new no_fail option.
Sponsored by:	DARPA, NAI Labs
2002-05-08 00:33:02 +00:00
des
e94fae922c Add a PAM policy for rexecd(8).
Sponsored by:	DARPA, NAI Labs
2002-05-02 05:05:28 +00:00
des
6f813d5f2f xdm plays horrid tricks with PAM, and dumps core if it's allowed to call
pam_lastlog, so add a dummy session chain to avoid using the one from
pam.d/other.  I assume gdm does something similar, so give it a dummy
session chain as well.

Sponsored by:	DARPA, NAI Labs.
2002-05-02 05:00:40 +00:00
des
70fd7e0ff2 Add no_warn to pam_lastlog. This should prevent xdm from dumping core
when linked with Linux-PAM.
2002-04-29 15:22:00 +00:00
des
3e36ee6341 Don't list pam_unix in the session chain, since it does not provide any
session management services.

Sponsored by:	DARPA, NAI Labs
2002-04-18 17:40:27 +00:00
ru
d28f5d490f Fixed bugs in previous revision:
Added NOOBJ if anyone even attempts to "make obj" here.
Revert to installing files with mode 644 except README.
Make this overall look like a BSD-style Makefile rather
than roll-your-own (this is not a bug).

For the record.  Previous revision also fixed the breakage
introduced by the sys.mk,v 1.60 commit: bsd.own.mk is no
longer automatically included from sys.mk.

Reported by:	jhay
2002-04-18 10:58:14 +00:00
des
6139bb3c53 Use ${FILES} and <bsd.prog.mk> rather than roll-your-own. 2002-04-18 10:07:36 +00:00
des
b9658dfaf2 Add PAM policy for the "passwd" service, including a sample config line
for pam_passwdqc.

Sponsored by:	DARPA, NAI Labs
2002-04-15 03:01:32 +00:00
des
7b3eec9c1b Add pam_lastlog(8) here since I removed lastlog support from sshd.
Sponsored by:	DARPA, NAI Labs
2002-04-15 02:46:24 +00:00
des
af95c9711d Use pam_rhosts(8). 2002-04-12 23:20:30 +00:00
des
843d3c8e1c If used, pam_ssh should be marked "sufficient", not "required".
Sponsored by:	DARPA, NAI Labs
2002-04-08 09:52:47 +00:00
ru
065ea04bd8 Switch over to using pam_login_access(8) module in sshd(8).
(Fixes static compilation.  Reduces diffs to OpenSSH.)

Reviewed by:	bde
2002-03-26 12:52:28 +00:00
des
3d4000737f Add missing "nullok" option to pam_unix. 2002-02-08 23:27:22 +00:00
des
8b7b73f838 Add pam_self(8) so users can login(1) as themselves without authentication,
pam_login_access(8) and pam_securetty(8) to enforce various checks
previously done by login(1) but now handled by PAM, and pam_lastlog(8) to
record login sessions in utmp / wtmp / lastlog.

Sponsored by:	DARPA, NAI Labs
2002-01-30 19:13:23 +00:00
des
be6e4b351f Use pam_self(8) to allow users to su(1) to themselves without authentication.
Sponsored by:	DARPA, NAI Labs
2002-01-30 19:04:39 +00:00
des
2de07ddf80 Enable OPIE by default, using the no_fake_prompts option to hide it from
users who don't wish to use it.  If the admin is worried about leaking
information about which users exist and which have OPIE enabled, the
no_fake_prompts option can simply be removed.

Also insert the appropriate pam_opieaccess lines after pam_opie to break
the chain in case the user is logging in from an untrusted host, or has a
.opiealways file.  The entire opieaccess / opiealways concept is slightly
unpammish, but admins familiar with OPIE will expect it to work.

Reviewed by:	ache, markm
Sponsored by:	DARPA, NAI Labs
2002-01-21 18:51:24 +00:00
des
6f44d9644f Really back out ache's commits. These files are now precisely as they were
twentyfour hours ago, except for RCS ids.
2002-01-19 18:29:50 +00:00
ache
d90ac373d0 Back out recent changes 2002-01-19 18:03:11 +00:00
ache
49430c7614 Turn on pam_opie by default. It should not affect non-OPIE users. 2002-01-19 10:31:32 +00:00
ache
5dc61eda4c Turn on pam_opie by default. It not affect non-OPIE users 2002-01-19 09:06:45 +00:00
ache
e3c12ab5a7 Previous commit was incomplete, use
"[default=ignore success=done cred_err=die]"
options instead of "required"
2002-01-19 08:39:35 +00:00
ache
58c12a40f2 Remove explaining comment and pam_unix commented out, now pam_unix can be
chained with pam_opie
2002-01-19 07:32:47 +00:00
ache
7d37cdbb25 Change comment since fallback provided now not by ftpd but by pam_opie 2002-01-19 03:35:39 +00:00
des
7eccb0369d Unmunge the version preservation code and obfuscate it so CVS won't munge
it all over again.
2002-01-12 23:08:59 +00:00
des
ae62dc6f66 Back out previous commit, which erroneously removed essential comments. I
definitely need coffee.

Apologies to:	ache
2002-01-12 14:22:22 +00:00
des
4b2d1d07d7 Update copyright 2002-01-12 14:17:19 +00:00
des
f37394be47 Sync with pam.conf revision 1.25. 2002-01-12 13:50:33 +00:00
des
965d591c45 Preserve FreeBSD version strings in target files. 2002-01-12 13:50:08 +00:00
ache
fb48ea88e7 Improve pam_unix/opie related ftpd comment even more 2002-01-02 09:51:33 +00:00
ache
90fd0cf3b4 Clarify comment about pam_unix fallback for ftpd 2002-01-01 13:38:01 +00:00
ache
7288636d78 Turn on pam_opie.so for ftpd by default
It not affect non-OPIE users
2002-01-01 13:27:11 +00:00