162 Commits

Author SHA1 Message Date
des
ce9baa2c50 Link pam_opieaccess, pam_self and pam_ssh into the static library.
Sponsored by:	DARPA, NAI Labs
2002-01-21 20:43:01 +00:00
des
ac843e8b75 On second thought, getpwnam() failure should be treated just as if the user
existed, but had no OPIE key, i.e. PAM_IGNORE.

Pointed out by:	ache
Sponsored by:	DARPA, NAI Labs
2002-01-21 19:05:45 +00:00
des
aeaf48654b Return PAM_SERVICE_ERR rather than PAM_USER_UNKNOWN if getpwnam() fails, as
PAM_USER_UNKNOWN will break the chain, revealing to an attacker that the
user does not exist.

Sponsored by:	DARPA, NAI Labs
2002-01-21 18:53:03 +00:00
des
bc31e1293b Further changes to allow enabling pam_opie(8) by default:
- Ignore the {try,use}_first_pass options by clearing PAM_AUTHTOK before
   challenging the user.  These options are meaningless for pam_opie(8)
   since the user can't possibly know the right response before she sees
   the challenge.

 - Introduce the no_fake_prompts option.  If this option is set, pam_opie(8)
   will fail - rather than present a bogus challenge - if the target user
   does not have an OPIE key.  With this option, users who haven't set up
   OPIE won't have to wonder what that "weird otp-md5 s**t" means :)

Reviewed by:	ache, markm
Sponsored by:	DARPA, NAI Labs
2002-01-21 18:46:25 +00:00
des
14be282b68 Add a new module, pam_opieaccess(8), which is responsible for checking
/etc/opieaccess and ~/.opiealways so we can decide what to do after
pam_opie(8) fails.

Sponsored by:	DARPA, NAI Labs
Reviewed by:	ache, markm
2002-01-21 13:43:53 +00:00
ache
b7343f3a64 snprintf bloat -> strlcpy
Add getpwnam return check

Approved by:	des, markm
2002-01-20 20:56:47 +00:00
ache
d90ac373d0 Back out recent changes 2002-01-19 18:03:11 +00:00
ache
f9d407de0b If the user does not exist in the OPIE system, return failure immediately
instead of producing fake prompts with random numbers, which can be detected by
a potential intruder in two tries and totally confuse non-OPIE users.
2002-01-19 10:09:05 +00:00
ache
0262fc4b8f Back out second right-now-expired password check in pam_sm_chauthtok,
old expired password assumed there
2002-01-19 09:23:36 +00:00
ache
b0127287cc Previous commit was incomplete, use new error code PAM_CRED_ERR to
indicate die case, different from PAM_SUCCESS and PAM_AUTH_ERR
2002-01-19 08:36:47 +00:00
ache
4d1c54018e Rewrite 'pwok' fallback in the way it can be properly chained with pam_unix
Replace snprintf %s with strlcpy

Check for NULL returned from getpwnam()
2002-01-19 07:23:48 +00:00
ache
35ada60969 Add yet one expired-right-now password check, in pam_sm_chauthtok
srandomdev() can't be used in libraries, replace srandomdev()+random()
by arc4random()
2002-01-19 04:58:51 +00:00
ache
30b45f48f0 Set pwok to 1 for non-OPIE users 2002-01-19 03:31:39 +00:00
ache
a38e044747 Add missing check for right-now-expired password 2002-01-19 02:45:24 +00:00
ache
3d4ab3ebc5 Implement 'pwok', i.e. conditional fallback to unix password
as supposed by opieaccessfile() and opiealways()
2002-01-19 02:38:43 +00:00
bde
086017e65e Fixed a missing "const". 2001-12-28 20:59:44 +00:00
ru
ac5af7de06 mdoc(7) police: bump document date. 2001-12-14 13:49:28 +00:00
dwmalone
d9613ea383 Style improvements recommended by Bruce as a follow up to some
of the recent WARNS commits. The idea is:

1) FreeBSD id tags should follow vendor tags.
2) Vendor tags should not be compiled (though copyrights probably should).
3) There should be no blank line between including cdefs and __FBSDIF.
2001-12-10 21:13:08 +00:00
des
e82cc88ed6 Back out previous commit.
Requested by:	ru
2001-12-09 15:11:55 +00:00
ru
fe50e52a4a mdoc(7) police: sort xrefs. 2001-12-08 16:28:20 +00:00
des
2625a82abe Get pam_mod_misc.h from .CURDIR rather than .OBJDIR or /usr/include.
Sponsored by:	DARPA, NAI Labs
2001-12-07 11:51:47 +00:00
des
dd9dc87190 Now that _pam_init_handlers() works as intended, it seems clear that we
do not actually want to define PAM_READ_BOTH_CONFS, so back out previous
commit.

Sponsored by:	DARPA, NAI Labs
2001-12-07 00:38:37 +00:00
des
3b065c66cc We need pam_client.h from libpamc. This unbreaks world
Pointed out by:	jhay
Pointy hat to:	des
2001-12-06 12:35:18 +00:00
des
651dd64d0d Define PAM_READ_BOTH_CONFS. We can now have both /etc/pam.d and
/etc/pam.conf.

Sponsored by:	DARPA, NAI Labs
2001-12-05 17:06:16 +00:00
des
ffe026d003 Install the correct version of pam_misc.h.
Sponsored by:	DARPA, NAI Labs
2001-12-05 16:27:41 +00:00
des
354c4b52cc Add dummy functions for all module types. These dummies return PAM_IGNORE
rather than PAM_SUCCESS, so you'll get a failure if you list dummies but
no real modules for a particular module chain.

Sponsored by:	DARPA, NAI Labs
2001-12-05 16:06:35 +00:00
des
00b1257dba Connect the man page to the build.
Sponsored by:	DARPA, NAI Labs
2001-12-05 16:02:50 +00:00
des
01dcdd1f9a Add a pam_self authentication module that succeeds if and only if the local
and remote user names are the same.

Sponsored by:	DARPA, NAI Labs
2001-12-05 15:55:14 +00:00
markm
08eb6fed71 Use __FBSDID(). Also do a bit of cosmetic #if and header-order
cleaning-up.
2001-12-02 20:54:57 +00:00
markm
8a79fc4a5a Style fixups.
Sort function declarations, includes. Make consistent WRT use of _P()
macro (ugh!)

Inspired by:	bde
2001-12-01 21:12:04 +00:00
markm
144609e331 WARNS=2 fixes.
Reviewed by:	bde (a while back)
2001-12-01 17:46:46 +00:00
green
09990be998 Fix pam_ssh by adding an IPv4or6 (evidently, this was broken by my last
OpenSSH import) declaration and strdup(3)ing a value which is later
free(3)d, rather than letting the system try to free it invalidly.
2001-11-29 21:16:11 +00:00
des
6828ec1515 Mdoc police.
Submitted by:	ru
2001-11-28 10:07:21 +00:00
ru
18923a02f5 mdoc(7) police: fix one pam_unix(8) left-over, sort xrefs. 2001-11-28 09:25:03 +00:00
des
63b6483616 Add a pam_set_item(3) man page with an MLINK to pam_get_item(3).
PR:		docs/32294
Sponsored by:	DARPA, NAI Labs
MFC after:	3 days
2001-11-27 15:36:35 +00:00
des
22cc45b784 Create a pam_ssh(8) man page, based on a repo-copy of pam_unix(8).
License modified with original author's permission.

Sponsored by:	DARPA, NAI Labs
2001-11-27 00:57:50 +00:00
des
d387396266 Document the local_pass and nis_pass options, add a few xrefs, and reorder
the SEE ALSO section.  License modified with original author's permission.

Sponsored by:	DARPA, NAI Labs
2001-11-27 00:53:10 +00:00
dd
5dd8a71701 Spelling police: sucessful -> successful. 2001-11-24 23:41:32 +00:00
sobomax
064436f6e8 Don't put an extra space after password prompts, because it violates POLA,
makes FreeBSD inconsistent with previous releases and "other unices" as well
as with some internal password-asking services (e.g. ftp) within the same
release.
2001-10-25 15:51:50 +00:00
markm
3a691e0043 Add library exposed by KDE's use of this module. 2001-10-18 20:05:20 +00:00
dillon
fcad02973f Add __FBSDID()s to libpam 2001-09-30 22:11:06 +00:00
markm
75cc8b4799 1) repair the return value in the PAM_RETURN() macro (Side effects!!).
2) canonicalise the options use in pam_options().

Submitted by:	Gunnar Kreitz <gunnark@chello.se>
PR:		30250
2001-09-04 17:05:08 +00:00
markm
9e62e18a59 Introduce a "noroot_ok" option to make this module ignore authentications
to a non-superuser if required.
2001-08-26 18:09:00 +00:00
markm
c98dbe0779 Introduce better logging, error reporting and use of login_cap data. 2001-08-26 18:05:35 +00:00
markm
27a8adb330 Add extra logging detail. This needs a more general solution. 2001-08-26 17:57:44 +00:00
markm
67fcc4111a Big module makeover; improve logging, standardise variable names,
introduce ability to change passwords for both "usual" Unix methods
and NIS.
2001-08-26 17:41:13 +00:00
markm
ac30099bce Add 'try_mapped_pass' standard option.
Asked for by:	lukeh@PADL.COM
2001-08-20 12:43:19 +00:00
markm
78c5ea3c24 Document the no_warn option. 2001-08-15 20:05:33 +00:00
markm
0261d9dad2 Fix a couple of cross-references to reflect the reality of the module. 2001-08-15 20:03:26 +00:00
markm
384d536a12 Fix:
/usr/src/lib/libpam/modules/pam_ssh/pam_ssh.c has a couple of bugs which cause:

1) xdm dumps core
2) ssh1 private key is not passed to ssh-agent
3) ssh2 RSA key seems not handled properly (just a guess from source)
4) ssh_get_authentication_connectionen() fails to get connection because of
   SSH_AUTH_SOCK not defined.

PR:		29609
Submitted by:	Takanori Saneto <sanewo@ba2.so-net.ne.jp>
2001-08-11 12:37:55 +00:00