Commit Graph

609 Commits

Author SHA1 Message Date
brd
e099bd35c6 Really fix pam install. Don't commit late at night or you make simple mistakes.
Reported by:	dumbbell
Approved by:	re (gjb), will (mentor)
2018-09-13 16:14:33 +00:00
brd
79c4c92dad Fix build after r338621 by avoiding LINKS and installing the link manually.
Approved by:	re (rgrimes), will (mentor)
2018-09-13 07:48:49 +00:00
brd
ae17e768db Move all pam related config to lib/libpam/
Approved by:	re (rgrimes), will (mentor), des
Differential Revision:	https://reviews.freebsd.org/D17122
2018-09-13 04:08:48 +00:00
des
0a47c58bdd Upgrade to OpenSSH 7.8p1.
Approved by:	re (kib@)
2018-09-10 16:20:12 +00:00
des
38e9280258 For full Linux-PAM compatibility, add a trailing NUL character when
passing the authentication token to the external program.

Approved by:	re (kib)
Submitted by:	Thomas Munro <munro@ip9.org>
MFC after:	1 week
Differential Revision:	D16950
2018-09-04 10:51:41 +00:00
des
90f37b39e4 Add support for Linux-PAM's badly named expose_authtok option.
Submitted by:	Thomas Munro <munro@ip9.org>
MFC after:	1 week
Differential Revision:	D16171
2018-08-14 00:14:17 +00:00
bdrewery
ee7076ae8a Don't use CCACHE for linking.
MFC after:	2 weeks
Sponsored by:	Dell EMC
2018-06-27 19:29:15 +00:00
des
2400a08f71 Forward Reply-Message attributes to the user, unless suppressed by the
new no_reply_message option.

MFC after:	1 week
Sponsored by:	The University of Oslo
2018-05-16 13:47:30 +00:00
des
13e42418d1 Upgrade to OpenSSH 7.7p1. 2018-05-11 13:22:43 +00:00
pfg
260ba0bff1 lib: further adoption of SPDX licensing ID tags.
Mainly focus on files that use BSD 2-Clause license, however the tool I
was using mis-identified many licenses so this was mostly a manual - error
prone - task.

The Software Package Data Exchange (SPDX) group provides a specification
to make it easier for automated tools to detect and summarize well known
opensource licenses. We are gradually adopting the specification, noting
that the tags are considered only advisory and do not, in any way,
superceed or replace the license texts.
2017-11-26 02:00:33 +00:00
pfg
872b698bd4 General further adoption of SPDX licensing ID tags.
Mainly focus on files that use BSD 3-Clause license.

The Software Package Data Exchange (SPDX) group provides a specification
to make it easier for automated tools to detect and summarize well known
opensource licenses. We are gradually adopting the specification, noting
that the tags are considered only advisory and do not, in any way,
superceed or replace the license texts.

Special thanks to Wind River for providing access to "The Duke of
Highlander" tool: an older (2014) run over FreeBSD tree was useful as a
starting point.
2017-11-20 19:49:47 +00:00
bdrewery
a598c4b809 DIRDEPS_BUILD: Update dependencies.
Sponsored by:	Dell EMC Isilon
2017-10-31 00:07:04 +00:00
des
e50db1d5c3 If the user-provided password exceeds the maximum password length, don't
bother passing it to crypt().  It won't succeed and may allow an attacker
to confirm that the user exists.

Reported by:	jkim@
MFC after:	1 week
Security:	CVE-2016-6210
2017-10-26 13:23:13 +00:00
des
fc0cdb8504 Add options to capture stdout and / or stderr and pass the output on
to the user.  There is currently no buffering, so the result may be
somewhat unpredictable if the conversation function adds a newline,
like openpam_ttyconv() does.

Clean up and simplify the environment handling code, which triggered
an inexplicable bug on some systems.

MFC after:	2 weeks
2017-03-22 13:16:04 +00:00
pfg
600077215a Revert r314780
libpam: extra bounds checking through reallocarray(3).

It appears to be causing brokenness when reporting PAM_* environment
variables. This requires more investigation.

Reported by:	lstewart
2017-03-12 17:41:51 +00:00
brooks
073c903619 Use LDFLAGS rather than CFLAGS when linking.
Reviewed by:	kan
Obtained from:	CheriBSD
Sponsored by:	DARPA, AFRL
Differential Revision:	https://reviews.freebsd.org/D9882
2017-03-08 08:25:26 +00:00
pfg
b260139167 libpam: extra bounds checking through reallocarray(3).
Reviewed by:	des
MFC after:	1 week
2017-03-06 15:45:46 +00:00
pfg
fca7a24e30 Revert r314777: wrong log, the change was to libpam. 2017-03-06 15:42:03 +00:00
pfg
fa1e43b6f7 libfetch: extra bounds checking through reallocarray(3).
Reviewed by:	des
MFC after:	1 week
2017-03-06 15:37:34 +00:00
des
3edd081b72 Load default options before requesting a ticket.
PR:		213909
Reported by:	basarevych@gmail.com
MFC after:	1 week
2017-03-03 14:06:22 +00:00
des
8b625a3731 Upgrade to OpenPAM Radula. 2017-02-20 00:56:46 +00:00
des
99efd54e27 Vendor import of OpenPAM Radula. 2017-02-19 21:00:46 +00:00
ngie
5079c2aba4 Use SRCTOP-relative paths to other directories instead of .CURDIR-relative ones
This implifies pathing in make/displayed output

MFC after:	3 weeks
Sponsored by:	Dell EMC Isilon
2017-01-20 03:31:50 +00:00
ngie
b41846a985 Use SRCTOP-relative paths to other directories instead of .CURDIR-relative ones
This implifies pathing in make/displayed output

MFC after:	3 weeks
Sponsored by:	Dell EMC Isilon
2017-01-20 03:27:47 +00:00
kan
852f56d00d Use compiler driver to build relocatable object
This works better with external toolchains where LD
will not necessarily defailt to emulation we want.
Compiler driver knows better.
2016-12-29 21:30:52 +00:00
roberto
6a08e2da2b Remove support for SSH1 as it is already disabled in our OpenSSH.
Submitted by:	vangyzen
MFC after:	2 weeks
2016-08-22 20:48:46 +00:00
roberto
d845428503 Add support for Ed25519 keys.
Reported by:	mwlucas
MFH:		2 weeks
2016-08-22 19:27:20 +00:00
bdrewery
62a131ca62 DIRDEPS_BUILD: Update dependencies
Approved by:	re (gjb)
Sponsored by:	EMC / Isilon Storage Division
2016-06-14 16:55:05 +00:00
des
a6268f1983 Replace _pam_verbose_error() with a macro. This was the last difference
between our libpam and stock OpenPAM, meaning that it is now possible to
replace the base libpam with a hypothetical ports version of OpenPAM.
2016-06-08 11:47:19 +00:00
truckman
a5da68befe Set retval in the empty password case to avoid a path through the
code that fails to set retval before falling through to the final
return().

Reported by:	emaste
Reported by:	Coverity
CID:		1018711
MFC after:	1 week
2016-05-16 15:32:02 +00:00
truckman
4490b45732 Hoist the getpwnam() call outside the first if/else block in
pam_sm_chauthtok().  Set user = getlogin() inside the true
branch so that it is initialized for the following PAM_LOG()
call.  This is how it is done in pam_sm_authenticate().

Reported by:	Coverity
CID:		272498
MFC after:	1 week
2016-05-16 08:34:17 +00:00
ngie
92100036c8 Merge ^/user/ngie/release-pkg-fix-tests to unbreak how test files are installed
after r298107

Summary of changes:

- Replace all instances of FILES/TESTS with ${PACKAGE}FILES. This ensures that
  namespacing is kept with FILES appropriately, and that this shouldn't need
  to be repeated if the namespace changes -- only the definition of PACKAGE
  needs to be changed
- Allow PACKAGE to be overridden by callers instead of forcing it to always be
  `tests`. In the event we get to the point where things can be split up
  enough in the base system, it would make more sense to group the tests
  with the blocks they're a part of, e.g. byacc with byacc-tests, etc
- Remove PACKAGE definitions where possible, i.e. where FILES wasn't used
  previously.
- Remove unnecessary TESTSPACKAGE definitions; this has been elided into
  bsd.tests.mk
- Remove unnecessary BINDIRs used previously with ${PACKAGE}FILES;
  ${PACKAGE}FILESDIR is now automatically defined in bsd.test.mk.
- Fix installation of files under data/ subdirectories in lib/libc/tests/hash
  and lib/libc/tests/net/getaddrinfo
- Remove unnecessary .include <bsd.own.mk>s (some opportunistic cleanup)

Document the proposed changes in share/examples/tests/tests/... via examples
so it's clear that ${PACKAGES}FILES is the suggested way forward in terms of
replacing FILES. share/mk/bsd.README didn't seem like the appropriate method
of communicating that info.

MFC after: never probably
X-MFC with: r298107
PR: 209114
Relnotes: yes
Tested with: buildworld, installworld, checkworld; buildworld, packageworld
Sponsored by: EMC / Isilon Storage Division
2016-05-04 23:20:53 +00:00
gjb
6549ef7d12 MFH
Sponsored by:	The FreeBSD Foundation
2016-04-16 02:32:12 +00:00
bdrewery
e085d8f1b8 Build libpam modules in parallel.
MFC after:	2 weeks
Sponsored by:	EMC / Isilon Storage Division
2016-04-14 01:17:37 +00:00
bdrewery
5fca9ae8c1 Simplify building libpam and fix libpam.a not containing the modules since r284345.
The change in r284345 moved the creation of openpam_static_modules.o to
lib/libpam/static_modules but never managed to get them into libpam.a.

Move this logic to lib/libpam/static_libpam and have it create a static
library for libpam.a  The main lib/libpam/libpam will only create a
shared library.  No redundancy in compilation or installation exists
in this solution.

This avoids requiring a pass with -D_NO_LIBPAM_SO_YET.

Sponsored by:	EMC / Isilon Storage Division
2016-04-14 01:17:03 +00:00
gjb
e0e3598ce1 MFH
Sponsored by:	The FreeBSD Foundation
2016-04-11 15:24:59 +00:00
pfg
dc9d6625c3 libpam: replace 0 with NULL for pointers.
Found with devel/coccinelle.

Reviewed by:	des
2016-04-09 18:09:10 +00:00
gjb
086e6f562f MFH
Sponsored by:	The FreeBSD Foundation
2016-03-14 18:54:29 +00:00
bdrewery
2d30f7a0c5 DIRDEPS_BUILD: Update dependencies.
Sponsored by:	EMC / Isilon Storage Division
2016-03-11 23:45:59 +00:00
des
3c7ee78e6c Not ready for level 6 yet due to -Wredundant-decls. 2016-03-11 14:47:14 +00:00
des
e784032209 Define __bounded__ to fix the gcc build. While there, raise WARNS. 2016-03-11 11:38:31 +00:00
des
bb6f58c772 Upgrade to OpenSSH 7.2p2. 2016-03-11 00:15:29 +00:00
gjb
1c7e318a9a MFH
Sponsored by:	The FreeBSD Foundation
2016-03-10 21:16:01 +00:00
bdrewery
aab40fdc3d DIRDEPS_BUILD: Connect MK_TESTS.
Sponsored by:	EMC / Isilon Storage Division
2016-03-09 22:46:01 +00:00
gjb
6b5fdb5e17 Update libalias and libpam packaged files.
Sponsored by:	The FreeBSD Foundation
2016-02-05 01:03:38 +00:00
gjb
a6998ad84f First pass to fix the 'tests' packages.
Sponsored by:	The FreeBSD Foundation
2016-02-02 22:26:49 +00:00
gjb
37e4197e4f MFH
Sponsored by:	The FreeBSD Foundation
2016-01-20 09:50:54 +00:00
jhb
2618e605ee Update for API changes in OpenSSH 6.8p1.
First, the authfd API now uses a direct file descriptor for the control
socket instead of a more abstract AuthenticationConnection structure.
Second, the functions now consistently return an error value.

Reviewed by:	bdrewery
2016-01-20 00:26:50 +00:00
gjb
ccde53b74b MFH r289384-r293170
Sponsored by:	The FreeBSD Foundation
2016-01-04 19:19:48 +00:00
bdrewery
cef87fac20 DIRDEPS_BUILD: Update dependencies.
Sponsored by:	EMC / Isilon Storage Division
2015-12-07 23:53:01 +00:00