Commit Graph

504 Commits

Author SHA1 Message Date
Simon J. Gerraty
2c9a9dfc18 Update Makefile.depend files
Update a bunch of Makefile.depend files as
a result of adding Makefile.depend.options files

Reviewed by:	 bdrewery
MFC after:	1 week
Sponsored by:   Juniper Networks
Differential Revision:  https://reviews.freebsd.org/D22494
2019-12-11 17:37:53 +00:00
Simon J. Gerraty
5ab1c5846f Add Makefile.depend.options
Leaf directories that have dependencies impacted
by options need a Makefile.depend.options file
to avoid churn in Makefile.depend

DIRDEPS for cases such as OPENSSL, TCP_WRAPPERS etc
can be set in local.dirdeps-options.mk
which can add to those set in Makefile.depend.options

See share/mk/dirdeps-options.mk

Reviewed by:	 bdrewery
MFC after:	1 week
Sponsored by:   Juniper Networks
Differential Revision:  https://reviews.freebsd.org/D22469
2019-12-11 17:37:37 +00:00
Dag-Erling Smørgrav
4d34b914d4 Changes to the expose_password functionality:
- Implement use_first_pass, allowing expose_password to be used by other
   service functions than pam_auth() without prompting a second time.

 - Don't prompt for a password during pam_setcred().

PR:		238041
MFC after:	3 weeks
2019-06-30 14:46:15 +00:00
Cy Schubert
08f5bd9d06 Improve the legibility of the login.access.5 man page by separating
each argument into its own paragraph.

MFC after:	3 days
2019-05-07 20:39:39 +00:00
Dag-Erling Smørgrav
190cef3d52 Upgrade to OpenSSH 7.8p1.
Approved by:	re (kib@)
2018-09-10 16:20:12 +00:00
Dag-Erling Smørgrav
e165d7bc39 For full Linux-PAM compatibility, add a trailing NUL character when
passing the authentication token to the external program.

Approved by:	re (kib)
Submitted by:	Thomas Munro <munro@ip9.org>
MFC after:	1 week
Differential Revision:	D16950
2018-09-04 10:51:41 +00:00
Dag-Erling Smørgrav
bb3ba83eee Add support for Linux-PAM's badly named expose_authtok option.
Submitted by:	Thomas Munro <munro@ip9.org>
MFC after:	1 week
Differential Revision:	D16171
2018-08-14 00:14:17 +00:00
Dag-Erling Smørgrav
716eff476a Forward Reply-Message attributes to the user, unless suppressed by the
new no_reply_message option.

MFC after:	1 week
Sponsored by:	The University of Oslo
2018-05-16 13:47:30 +00:00
Dag-Erling Smørgrav
47dd1d1b61 Upgrade to OpenSSH 7.7p1. 2018-05-11 13:22:43 +00:00
Pedro F. Giffuni
5e53a4f90f lib: further adoption of SPDX licensing ID tags.
Mainly focus on files that use BSD 2-Clause license, however the tool I
was using mis-identified many licenses so this was mostly a manual - error
prone - task.

The Software Package Data Exchange (SPDX) group provides a specification
to make it easier for automated tools to detect and summarize well known
opensource licenses. We are gradually adopting the specification, noting
that the tags are considered only advisory and do not, in any way,
superceed or replace the license texts.
2017-11-26 02:00:33 +00:00
Pedro F. Giffuni
8a16b7a18f General further adoption of SPDX licensing ID tags.
Mainly focus on files that use BSD 3-Clause license.

The Software Package Data Exchange (SPDX) group provides a specification
to make it easier for automated tools to detect and summarize well known
opensource licenses. We are gradually adopting the specification, noting
that the tags are considered only advisory and do not, in any way,
superceed or replace the license texts.

Special thanks to Wind River for providing access to "The Duke of
Highlander" tool: an older (2014) run over FreeBSD tree was useful as a
starting point.
2017-11-20 19:49:47 +00:00
Bryan Drewery
ea825d0274 DIRDEPS_BUILD: Update dependencies.
Sponsored by:	Dell EMC Isilon
2017-10-31 00:07:04 +00:00
Dag-Erling Smørgrav
79b67c8d4a If the user-provided password exceeds the maximum password length, don't
bother passing it to crypt().  It won't succeed and may allow an attacker
to confirm that the user exists.

Reported by:	jkim@
MFC after:	1 week
Security:	CVE-2016-6210
2017-10-26 13:23:13 +00:00
Dag-Erling Smørgrav
3869fb7832 Add options to capture stdout and / or stderr and pass the output on
to the user.  There is currently no buffering, so the result may be
somewhat unpredictable if the conversation function adds a newline,
like openpam_ttyconv() does.

Clean up and simplify the environment handling code, which triggered
an inexplicable bug on some systems.

MFC after:	2 weeks
2017-03-22 13:16:04 +00:00
Pedro F. Giffuni
94a1344578 Revert r314780
libpam: extra bounds checking through reallocarray(3).

It appears to be causing brokenness when reporting PAM_* environment
variables. This requires more investigation.

Reported by:	lstewart
2017-03-12 17:41:51 +00:00
Pedro F. Giffuni
b5120bbada libpam: extra bounds checking through reallocarray(3).
Reviewed by:	des
MFC after:	1 week
2017-03-06 15:45:46 +00:00
Pedro F. Giffuni
fdd2f2ebdd Revert r314777: wrong log, the change was to libpam. 2017-03-06 15:42:03 +00:00
Pedro F. Giffuni
bb7d0109d7 libfetch: extra bounds checking through reallocarray(3).
Reviewed by:	des
MFC after:	1 week
2017-03-06 15:37:34 +00:00
Dag-Erling Smørgrav
886c581471 Load default options before requesting a ticket.
PR:		213909
Reported by:	basarevych@gmail.com
MFC after:	1 week
2017-03-03 14:06:22 +00:00
Enji Cooper
c24988fd09 Use SRCTOP-relative paths to other directories instead of .CURDIR-relative ones
This implifies pathing in make/displayed output

MFC after:	3 weeks
Sponsored by:	Dell EMC Isilon
2017-01-20 03:27:47 +00:00
Ollivier Robert
6eb79b4759 Remove support for SSH1 as it is already disabled in our OpenSSH.
Submitted by:	vangyzen
MFC after:	2 weeks
2016-08-22 20:48:46 +00:00
Ollivier Robert
6533da453a Add support for Ed25519 keys.
Reported by:	mwlucas
MFH:		2 weeks
2016-08-22 19:27:20 +00:00
Don Lewis
30f6480075 Set retval in the empty password case to avoid a path through the
code that fails to set retval before falling through to the final
return().

Reported by:	emaste
Reported by:	Coverity
CID:		1018711
MFC after:	1 week
2016-05-16 15:32:02 +00:00
Don Lewis
653d2f366d Hoist the getpwnam() call outside the first if/else block in
pam_sm_chauthtok().  Set user = getlogin() inside the true
branch so that it is initialized for the following PAM_LOG()
call.  This is how it is done in pam_sm_authenticate().

Reported by:	Coverity
CID:		272498
MFC after:	1 week
2016-05-16 08:34:17 +00:00
Glen Barber
0edd2576c0 MFH
Sponsored by:	The FreeBSD Foundation
2016-04-16 02:32:12 +00:00
Bryan Drewery
96a3b88510 Build libpam modules in parallel.
MFC after:	2 weeks
Sponsored by:	EMC / Isilon Storage Division
2016-04-14 01:17:37 +00:00
Bryan Drewery
7cbd0a2953 Simplify building libpam and fix libpam.a not containing the modules since r284345.
The change in r284345 moved the creation of openpam_static_modules.o to
lib/libpam/static_modules but never managed to get them into libpam.a.

Move this logic to lib/libpam/static_libpam and have it create a static
library for libpam.a  The main lib/libpam/libpam will only create a
shared library.  No redundancy in compilation or installation exists
in this solution.

This avoids requiring a pass with -D_NO_LIBPAM_SO_YET.

Sponsored by:	EMC / Isilon Storage Division
2016-04-14 01:17:03 +00:00
Glen Barber
876d357fa7 MFH
Sponsored by:	The FreeBSD Foundation
2016-04-11 15:24:59 +00:00
Pedro F. Giffuni
d18146c299 libpam: replace 0 with NULL for pointers.
Found with devel/coccinelle.

Reviewed by:	des
2016-04-09 18:09:10 +00:00
Glen Barber
538354481e MFH
Sponsored by:	The FreeBSD Foundation
2016-03-14 18:54:29 +00:00
Bryan Drewery
b5fb065156 DIRDEPS_BUILD: Update dependencies.
Sponsored by:	EMC / Isilon Storage Division
2016-03-11 23:45:59 +00:00
Dag-Erling Smørgrav
79dfd995a3 Not ready for level 6 yet due to -Wredundant-decls. 2016-03-11 14:47:14 +00:00
Dag-Erling Smørgrav
e7c246c5f1 Define __bounded__ to fix the gcc build. While there, raise WARNS. 2016-03-11 11:38:31 +00:00
Dag-Erling Smørgrav
acc1a9ef83 Upgrade to OpenSSH 7.2p2. 2016-03-11 00:15:29 +00:00
Glen Barber
59d43d11fe MFH
Sponsored by:	The FreeBSD Foundation
2016-01-20 09:50:54 +00:00
John Baldwin
c560a31571 Update for API changes in OpenSSH 6.8p1.
First, the authfd API now uses a direct file descriptor for the control
socket instead of a more abstract AuthenticationConnection structure.
Second, the functions now consistently return an error value.

Reviewed by:	bdrewery
2016-01-20 00:26:50 +00:00
Glen Barber
b626f5a73a MFH r289384-r293170
Sponsored by:	The FreeBSD Foundation
2016-01-04 19:19:48 +00:00
Bryan Drewery
b2fe867a0f DIRDEPS_BUILD: Update dependencies.
Sponsored by:	EMC / Isilon Storage Division
2015-12-07 23:53:01 +00:00
Bryan Drewery
e42070a701 Replace unneeded manual dependency on header by adding it to SRCS.
bsd.lib.mk and bsd.prog.mk already depend all objs on headers in SRCS if
there is not yet a depend file.  The headers in SRCS are never built or
installed.  After 'make depend' the header was already added as a proper
dependency on the objects where needed.

MFC after:	2 weeks
Sponsored by:	EMC / Isilon Storage Division
2015-12-07 16:08:09 +00:00
Baptiste Daroussin
dad2fb7ece Merge from head 2015-06-15 10:56:01 +00:00
Simon J. Gerraty
ccfb965433 Add META_MODE support.
Off by default, build behaves normally.
WITH_META_MODE we get auto objdir creation, the ability to
start build from anywhere in the tree.

Still need to add real targets under targets/ to build packages.

Differential Revision:       D2796
Reviewed by: brooks imp
2015-06-13 19:20:56 +00:00
Simon J. Gerraty
98e0ffaefb Merge sync of head 2015-05-27 01:19:58 +00:00
Baptiste Daroussin
0bd7d22e03 Move ssh into a dedicated package
Flag config files as "to be merged on upgrade"
2015-03-05 20:25:09 +00:00
Enji Cooper
31a741f473 Conditionalize building radius support into libpam, ppp, etc via
MK_RADIUS_SUPPORT

MFC after: 1 week
Sponsored by: EMC / Isilon Storage Division
2015-02-04 06:53:45 +00:00
Dag-Erling Smørgrav
f8b83996fe If PAM_RHOST is non-NULL, pass it in the Calling-Station-ID attribute of
the RADIUS access request.

MFC after:	1 week
2015-01-16 09:07:31 +00:00
Joel Dahl
4990a1c050 mdoc: improvements to SEE ALSO. 2014-12-27 08:31:52 +00:00
Simon J. Gerraty
838e37378e Need headers staged by libpam 2014-11-30 18:48:17 +00:00
Baptiste Daroussin
6b129086dc Convert libraries to use LIBADD
While here reduce a bit overlinking
2014-11-25 11:07:26 +00:00
Simon J. Gerraty
488c975a1f Updated/new dependencies 2014-11-19 07:10:38 +00:00
Simon J. Gerraty
9268022b74 Merge from head@274682 2014-11-19 01:07:58 +00:00