Commit Graph

76 Commits

Author SHA1 Message Date
ngie
6057fab1ce Honor MK_ACCT with etc/pam.d/atrun
MFC after: 2 weeks
Sponsored by: EMC / Isilon Storage Division
2015-01-26 08:50:12 +00:00
gavin
00a1947ef5 Fix xref, pam(8) -> pam(3)
PR:		193045
Submitted by:	rsimmons0 gmail com
MFC after:	3 days
2014-08-26 22:39:24 +00:00
miwi
970508c310 - FreeBSD ships a KDE PAM module in base, but it's missing support for passwordless login (kde-np),
and it doesn't really belong in base system.

PR:		misc/167261
Submitted by:	avilla@
Approved by:	rwatson (mentor)
MFC after:	3 days
2012-05-30 03:10:22 +00:00
des
4ba6015e46 Forgot to commit this change along with r219563: pam_group(8) now issues
a warning if neither luser nor ruser is specified.  The correct option
for su(1) is ruser.

MFC after:	1 month
2011-03-15 10:13:35 +00:00
des
d887ae0610 tabify
MFC after:	3 weeks
2009-10-05 09:28:54 +00:00
des
9df826fb18 Change the pam_ssh examples: if you use it, you probably want want_agent.
MFC after:	3 weeks
2009-10-05 09:26:22 +00:00
marcus
d36c2a661b Remove gdm as it is no longer needed.
Approved by:	re (kib)
Reminded by:	nork
2009-07-18 16:29:40 +00:00
marcus
8ef8289f8f Remove this file. It is no longer needed as x11/gdm provides its own
version under /usr/local/etc/pam.d.

Approved by:	re (kib)
2009-07-18 06:08:21 +00:00
yar
333d04678d Add PAM support to cron(8). Now cron(8) will skip commands scheduled
by unavailable accounts, e.g., those locked, expired, not allowed in at
the moment by nologin(5), or whatever, depending on cron's pam.conf(5).
This applies to personal crontabs only, /etc/crontab is unaffected.

In other words, now the account management policy will apply to
commands scheduled by users via crontab(1) so that a user can no
longer use cron(8) to set up a delayed backdoor and run commands
during periods when the admin doesn't want him to.

The PAM check is done just before running a command, not when loading
a crontab, because accounts can get locked, expired, and re-enabled
any time with no changes to their crontabs.  E.g., imagine that you
provide a system with payed access, or better a cluster of such
systems with centralized account management via PAM.  When a user
pays for some days of access, you set his expire field respectively.
If the account expires before its owner pays more, its crontab
commands won't run until the next payment is made.  Then it'll be
enough to set the expire field in future for the commands to run
again.  And so on.

Document this change in the cron(8) manpage, which includes adding
a FILES section and touching the document date.

X-Security: should benefit as users have access to cron(8) by default
2007-06-17 17:25:53 +00:00
yar
73c6fd823f Add PAM support to atrun(8). 2007-06-15 12:02:16 +00:00
yar
720e13085b Locked out and expired accounts shouldn't be accessible via remote
mailbox protocols.  Add pam_unix to the `account' function class, too,
for imap and pop3 to actually implement this policy.
2007-06-15 11:33:13 +00:00
yar
867bb09937 Split the FILES list across multiple lines as in rc.d/Makefile
so that the change history stays easily readable as the number
of PAM-aware services grows.
2007-06-15 11:22:10 +00:00
yar
dac62e7ff2 Now pam_nologin(8) will provide an account management function
instead of an authentication function.  There are a design reason
and a practical reason for that.  First, the module belongs in
account management because it checks availability of the account
and does no authentication.  Second, there are existing and potential
PAM consumers that skip PAM authentication for good or for bad.
E.g., sshd(8) just prefers internal routines for public key auth;
OTOH, cron(8) and atrun(8) do implicit authentication when running
a job on behalf of its owner, so their inability to use PAM auth
is fundamental, but they can benefit from PAM account management.

Document this change in the manpage.

Modify /etc/pam.d files accordingly, so that pam_nologin.so is listed
under the "account" function class.

Bump __FreeBSD_version (mostly for ports, as this change should be
invisible to C code outside pam_nologin.)

PR:		bin/112574
Approved by:	des, re
2007-06-10 18:57:20 +00:00
nectar
a23214e059 Remove rexecd(8), a server that implements a particularly insecure
method of executing commands remotely.  There are no rexec clients in
the FreeBSD tree, and the client function rexec(3) is present only in
libcompat.  It has been documented as "obsolete" since 4.3BSD, and its
use has been discouraged in the man page for over 10 years.
2005-06-10 20:52:36 +00:00
des
aef5277078 X logins should be recorded in lastlog / wtmp / utmp. I have no idea why
this wasn't there already...  it makes much more sense this way.

MFC after:	2 weeks
2005-04-28 07:59:09 +00:00
ru
cec60429bb Start the dreaded NOFOO -> NO_FOO conversion.
OK'ed by:	core
2004-12-21 08:47:35 +00:00
ru
5db2b9d5b3 For variables that are only checked with defined(), don't provide
any fake value.
2004-10-24 15:33:08 +00:00
schweikh
91f34482ca Removed whitespace at BOF, EOL & EOF. 2004-06-06 11:46:29 +00:00
des
4c4ff6d191 the default password policy for xdm should be pam_deny, since it is
incapable of holding a meaningful conversation.
2004-02-20 21:59:51 +00:00
des
d88d8b47b6 Don't do session management in su.
PR:		misc/53293
Submitted by:	ru
2003-07-09 18:40:49 +00:00
des
41880f4325 Add a system policy, and have the login and su policies include it rather
than duplicate it.  This requires OpenPAM Dianthus, which was committed two
weeks ago; installing these files on a system running a world older than
June 1st, 2003 will cause login(1) and su(1) to fail.
2003-06-14 12:35:05 +00:00
des
fb023b686e Try to describe the control flags a little better. 2003-06-01 00:34:38 +00:00
markm
a2678ea957 The PAM module pam_krb5 does not have "session" capabilities.
Don't give examples of such use, this is bogus.
2003-04-30 21:57:54 +00:00
des
85e31bc1f4 Add nullok to the pam_unix line. 2003-04-24 12:22:42 +00:00
ru
183c65a97c Use the canonical form of installing links.
Also, make "ftp" and "ftpd" hard links.

Not objected to by:	des
2003-03-14 09:01:22 +00:00
markm
ecc5f917a3 Initiate KerberosIV de-orbit burn. Disconnect the /etc configs. 2003-03-08 09:50:11 +00:00
des
a9b8975387 Add the allow_local option to all pam_opieaccess entries. 2003-02-16 13:02:39 +00:00
des
8c8f33d988 Add the want_agent option to the commented-out "session" pam_ssh entry. 2003-02-16 13:02:03 +00:00
des
d4d4a833ae Major cleanup & homogenization. 2003-02-10 00:50:03 +00:00
des
439e079c7b No idea what this is for, and it doesn't make much sense. If a port needs
it, it can install its own copy in /usr/local/etc/pam.d/.
2003-02-10 00:49:44 +00:00
des
ca9add3762 There's no reason to have two identical policies for FTP servers, so
make ftp a symlink to ftpd.
2003-02-10 00:47:46 +00:00
des
3a6d7496df Use pam_group(8) instead of pam_wheel(8). 2003-02-06 14:33:23 +00:00
des
1b6009d788 Don't enable pam_krb5 by default - most people don't have it since most
people don't build with MAKE_KERBEROS5 defined.  Provide commented-out
usage examples instead, like we do everywhere else.

Pointy hat to:	des
2003-02-03 14:45:02 +00:00
des
13a23e2886 Enable pam_krb5 for sshd. I've had this in my tree for ages. 2003-02-02 18:41:26 +00:00
des
81fe169630 Since OpenSSH drops privileges before calling pam_open_session(3),
pam_lastlog(8) can't possibly work, so let OpenSSH handle lastlog.

Approved by:	re (rwatson)
2002-12-03 15:48:11 +00:00
rwatson
7185b416e6 Exempt the "wheel group requirement" by default when su'ing to root if
the wheel group has no explicit members listed in /etc/group.  This adds
the "exempt_if_empty" flag to pam_wheel in the default configuration;
in some environments, it may be appropriate to remove this flag, however,
this default is the same as pre-pam_wheel.

Reviewed by:	markm
Sponsored by:	DARPA, Network Associates Laboratories
2002-10-18 02:39:21 +00:00
des
5c93810aed Silence pam_lastlog for now. 2002-07-07 10:00:43 +00:00
des
3dfd2c1e9b We don't use this any more.
Sponsored by:	DARPA, NAI Labs
2002-06-19 20:01:25 +00:00
des
2645a88fb1 Enable OPIE for sshd and telnetd. I thought I'd done this a long time
ago...

Sponsored by:	DARPA, NAI Labs
2002-06-19 20:00:43 +00:00
des
0be56e68fc Use pam_lastlog(8)'s new no_fail option.
Sponsored by:	DARPA, NAI Labs
2002-05-08 00:33:02 +00:00
des
e94fae922c Add a PAM policy for rexecd(8).
Sponsored by:	DARPA, NAI Labs
2002-05-02 05:05:28 +00:00
des
6f813d5f2f xdm plays horrid tricks with PAM, and dumps core if it's allowed to call
pam_lastlog, so add a dummy session chain to avoid using the one from
pam.d/other.  I assume gdm does something similar, so give it a dummy
session chain as well.

Sponsored by:	DARPA, NAI Labs.
2002-05-02 05:00:40 +00:00
des
70fd7e0ff2 Add no_warn to pam_lastlog. This should prevent xdm from dumping core
when linked with Linux-PAM.
2002-04-29 15:22:00 +00:00
des
3e36ee6341 Don't list pam_unix in the session chain, since it does not provide any
session management services.

Sponsored by:	DARPA, NAI Labs
2002-04-18 17:40:27 +00:00
ru
d28f5d490f Fixed bugs in previous revision:
Added NOOBJ if anyone even attempts to "make obj" here.
Revert to installing files with mode 644 except README.
Make this overall look like a BSD-style Makefile rather
than roll-your-own (this is not a bug).

For the record.  Previous revision also fixed the breakage
introduced by the sys.mk,v 1.60 commit: bsd.own.mk is no
longer automatically included from sys.mk.

Reported by:	jhay
2002-04-18 10:58:14 +00:00
des
6139bb3c53 Use ${FILES} and <bsd.prog.mk> rather than roll-your-own. 2002-04-18 10:07:36 +00:00
des
b9658dfaf2 Add PAM policy for the "passwd" service, including a sample config line
for pam_passwdqc.

Sponsored by:	DARPA, NAI Labs
2002-04-15 03:01:32 +00:00
des
7b3eec9c1b Add pam_lastlog(8) here since I removed lastlog support from sshd.
Sponsored by:	DARPA, NAI Labs
2002-04-15 02:46:24 +00:00
des
af95c9711d Use pam_rhosts(8). 2002-04-12 23:20:30 +00:00
des
843d3c8e1c If used, pam_ssh should be marked "sufficient", not "required".
Sponsored by:	DARPA, NAI Labs
2002-04-08 09:52:47 +00:00