freebsd-skq/etc/pam.d
Yaroslav Tykhiy 9cd40e64b4 Now pam_nologin(8) will provide an account management function
instead of an authentication function.  There are a design reason
and a practical reason for that.  First, the module belongs in
account management because it checks availability of the account
and does no authentication.  Second, there are existing and potential
PAM consumers that skip PAM authentication for good or for bad.
E.g., sshd(8) just prefers internal routines for public key auth;
OTOH, cron(8) and atrun(8) do implicit authentication when running
a job on behalf of its owner, so their inability to use PAM auth
is fundamental, but they can benefit from PAM account management.

Document this change in the manpage.

Modify /etc/pam.d files accordingly, so that pam_nologin.so is listed
under the "account" function class.

Bump __FreeBSD_version (mostly for ports, as this change should be
invisible to C code outside pam_nologin.)

PR:		bin/112574
Approved by:	des, re
2007-06-10 18:57:20 +00:00
..
convert.pl
ftpd Now pam_nologin(8) will provide an account management function 2007-06-10 18:57:20 +00:00
gdm Now pam_nologin(8) will provide an account management function 2007-06-10 18:57:20 +00:00
imap Now pam_nologin(8) will provide an account management function 2007-06-10 18:57:20 +00:00
kde Now pam_nologin(8) will provide an account management function 2007-06-10 18:57:20 +00:00
login Now pam_nologin(8) will provide an account management function 2007-06-10 18:57:20 +00:00
Makefile Remove rexecd(8), a server that implements a particularly insecure 2005-06-10 20:52:36 +00:00
other Now pam_nologin(8) will provide an account management function 2007-06-10 18:57:20 +00:00
passwd
pop3 Now pam_nologin(8) will provide an account management function 2007-06-10 18:57:20 +00:00
README
rsh Now pam_nologin(8) will provide an account management function 2007-06-10 18:57:20 +00:00
sshd Now pam_nologin(8) will provide an account management function 2007-06-10 18:57:20 +00:00
su
system
telnetd Now pam_nologin(8) will provide an account management function 2007-06-10 18:57:20 +00:00
xdm Now pam_nologin(8) will provide an account management function 2007-06-10 18:57:20 +00:00

This directory contains configuration files for the Pluggable
Authentication Modules (PAM) library.

Each file details the module chain for a single service, and must be
named after that service.  If no configuration file is found for a
particular service, the /etc/pam.d/other is used instead.  If that
file does not exist, /etc/pam.conf is searched for entries matching
the specified service or, failing that, the "other" service.

See the pam(8) manual page for an explanation of the workings of the
PAM library and descriptions of the various files and modules.  Below
is a summary of the format for the pam.conf and /etc/pam.d/* files.

Configuration lines take the following form:

module-type	control-flag	module-path	arguments

Comments are introduced with a hash mark ('#').  Blank lines and lines
consisting entirely of comments are ignored.

The meanings of the different fields are as follows:

 module-type:
   auth:      prompt for a password to authenticate that the user is
              who they say they are, and set any credentials.
   account:   non-authentication based authorization, based on time,
              resources, etc.
   session:   housekeeping before and/or after login.
   password:  update authentication tokens.

 control-flag: How libpam handles success or failure of the module.
   required:   success is required; on failure all remaining
               modules are run, but the request will be denied.
   requisite:  success is required, and on failure no remaining
               modules are run.
   sufficient: success is sufficient, and if no previous required
               module failed, no remaining modules are run.
   binding:    success is sufficient; on failure all remaining
               modules are run, but the request will be denied.
   optional:   ignored unless the other modules return PAM_IGNORE.

 arguments: Module-specific options, plus some generic ones:
   debug:           syslog debug info.
   no_warn:         return no warning messages to the application.
                    Remove this to feed back to the user the
                    reason(s) they are being rejected.
   use_first_pass:  try authentication using password from the
                    preceding auth module.
   try_first_pass:  first try authentication using password from
                    the preceding auth module, and if that fails
                    prompt for a new password.
   use_mapped_pass: convert cleartext password to a crypto key.
   expose_account:  allow printing more info about the user when
                    prompting.

Note that having a "sufficient" module as the last entry for a
particular service and module type may result in surprising behaviour.
To get the intended semantics, add a "required" entry listing the
pam_deny module at the end of the chain.

$FreeBSD$