1
0
mirror of https://git.FreeBSD.org/src.git synced 2024-12-25 11:37:56 +00:00
Commit Graph

518 Commits

Author SHA1 Message Date
Dag-Erling Smørgrav
1628e293fd Consistently cast tty and user to const char * in printf()-like contexts. 2014-10-01 07:15:02 +00:00
Bjoern A. Zeeb
5e24ef8793 Hopefully fix build breakage with gcc passing void * instead of char *
to "%s" format string after r272280.

PR:		83099 193927
MFC after:	3 days
X-MFC with:	r272280
2014-09-29 10:36:14 +00:00
Dag-Erling Smørgrav
4c37ae3065 Instead of failing when neither PAM_TTY nor PAM_RHOST are available, call
login_access() with "**unknown**" as the second argument.  This will allow
"ALL" rules to match.

Reported by:	Tim Daneliuk <tundra@tundraware.com>
Tested by:	dim@
PR:		83099 193927
MFC after:	3 days
2014-09-29 08:57:36 +00:00
Dag-Erling Smørgrav
d64f404488 Upgrade to OpenPAM Ourouparia. 2014-09-15 13:40:09 +00:00
Dag-Erling Smørgrav
4c1d902bb2 r271256 fixed one segfault condition but introduced another due to the
wrong operator being used in the tty check.

Reported by:	avg@
MFH:		3 days
2014-09-15 11:32:08 +00:00
Dag-Erling Smørgrav
adf180b55c Vendor import of OpenPAM Ourouparia. 2014-09-15 09:40:30 +00:00
Dag-Erling Smørgrav
067268edfc Fail rather than segfault if neither PAM_TTY nor PAM_RHOST is set.
PR:		83099
MFC after:	3 days
2014-09-08 09:19:01 +00:00
Andrey A. Chernov
412d134acc According to opie code and even direct mention in opie(4) challenge buffer
size must be OPIE_CHALLENGE_MAX + 1, not OPIE_CHALLENGE_MAX

Reviewed by:    des
MFC after:      1 week
2014-08-12 13:28:46 +00:00
Baptiste Daroussin
d029c3aa25 Rework privatelib/internallib
Make sure everything linking to a privatelib and/or an internallib does it directly
from the OBJDIR rather than DESTDIR.
Add src.libnames.mk so bsd.libnames.mk is not polluted by libraries not existsing
in final installation
Introduce the LD* variable which is what ld(1) is expecting (via LDADD) to link to
internal/privatelib
Directly link to the .so in case of private library to avoid having to complexify
LDFLAGS.

Phabric:	https://phabric.freebsd.org/D553
Reviewed by:	imp, emaste
2014-08-06 22:17:26 +00:00
Dag-Erling Smørgrav
3cc381b09f Remove useless getpwnam() call.
Submitted by:	Arthur Mesh <amesh@juniper.net>
MFC after:	1 week
2014-07-26 07:40:31 +00:00
Dag-Erling Smørgrav
16722cb2c1 Add support for the "account" facility.
PR:		115164
MFC after:	1 week
2014-07-19 21:04:21 +00:00
Dag-Erling Smørgrav
ec5622ad86 Check if the specified group is the user's primary group before
iterating over the (possibly empty) list of members.  Otherwise, we
get a false negative when the target group has no members listed in
/etc/group.  This went mostly unnoticed because root is explicitly
listed as a member of wheel, so the bug is never triggered in the most
common use case, which is su(8).

PR:		109416
MFC after:	1 week
2014-07-19 20:55:13 +00:00
Joel Dahl
df2d82e003 mdoc: remove superfluous paragraph macros. 2014-06-23 18:40:21 +00:00
Baptiste Daroussin
2b7af31cf5 use .Mt to mark up email addresses consistently (part3)
PR:		191174
Submitted by:	Franco Fichtner  <franco at lastsummer.de>
2014-06-23 08:23:05 +00:00
Warner Losh
c6063d0da8 Use src.opts.mk in preference to bsd.own.mk except where we need stuff
from the latter.
2014-05-06 04:22:01 +00:00
Warner Losh
98407b8bc2 Spell NO_PROFILE= as MK_PROFILE=no. 2014-04-25 19:25:26 +00:00
Warner Losh
7ebd341f25 Kill last remaining NO_INSTALLLIB in tree by converting it over to
MK_INSTALLIB=no.
2014-04-25 19:25:13 +00:00
Eitan Adler
dda5b39711 multiple: Remove 3rd clause from BSD license where approved by the
regents and renumber.

This patch skips files in contrib/ and crypto/

Acked by:	imp
Discussed with:	emaste
2014-03-14 03:07:51 +00:00
Dag-Erling Smørgrav
299a95c6b1 Merge upstream r763: fix is_upper() predicate. 2014-02-26 17:06:54 +00:00
Sergey Kandaurov
481da845ce Catch up with OpenPAM Nummularia.
This fixes libpam for build32 target to dlopen() pam libraries in /usr/lib32.

Reviewed by:	des (a while ago)
MFC after:	1 week
2013-11-21 20:43:43 +00:00
Dag-Erling Smørgrav
0b2766bd4e Make libldns and libssh private.
Approved by:	re (blanket)
2013-09-08 10:04:26 +00:00
Dag-Erling Smørgrav
ce77a8d692 Update to OpenPAM Nummularia. 2013-09-07 19:43:39 +00:00
Dag-Erling Smørgrav
424a96e698 Merge upstream r743: caught_signal should be static. 2013-09-07 19:27:58 +00:00
Dag-Erling Smørgrav
f7e6344d4a MFV (r255364): move the code around in preparation for Nummularia. 2013-09-07 18:46:35 +00:00
Dag-Erling Smørgrav
ff67676447 Vendor import of OpenPAM Nummularia.. 2013-09-07 16:15:30 +00:00
Dag-Erling Smørgrav
2dd970c2a1 Prepare for OpenPAM Nummularia by reorganizing to match its new directory
structure.
2013-09-07 16:10:15 +00:00
Will Andrews
caf6fbd81a Make the PAM password strength checking module WARNS=2 safe.
lib/libpam/modules/pam_passwdqc/Makefile:
	Bump WARNS to 2.

contrib/pam_modules/pam_passwdqc/pam_passwdqc.c:
	Bump  _XOPEN_SOURCE and _XOPEN_VERSION from 500 to 600
	so that vsnprint() is declared.

	Use the two new union types (pam_conv_item_t and
	pam_text_item_t) to resolve strict aliasing violations
	caused by casts to comply with the pam_get_item() API taking
	a "const void **" for all item types.  Warnings are
	generated for casts that create "type puns" (pointers of
	conflicting sized types that are set to access the same
	memory location) since these pointers may be used in ways
	that violate C's strict aliasing rules.  Casts to a new
	type must be performed through a union in order to be
	compliant, and access must be performed through only one
	of the union's data types during the lifetime of the union
	instance.  Handle strict-aliasing warnings through pointer
	assignments, which drastically simplifies this change.

	Correct a CLANG "printf-like function with more arguments
	than format" error.

Submitted by:	gibbs
Sponsored by:	Spectra Logic
2013-08-27 15:50:26 +00:00
Dag-Erling Smørgrav
d06cb0764e GC unused source file. 2013-08-16 10:53:36 +00:00
Dag-Erling Smørgrav
fb69d3e351 Backport upstream r684 (OPENPAM_DEBUG enables debugging macros but does
not turn debugging on by default) and add OPENPAM_DEBUG to CFLAGS.
2013-04-14 16:49:27 +00:00
Jung-uk Kim
068f3d2f84 Fix declaration vs. definition inconsistency. No functional change. 2013-04-05 23:41:34 +00:00
Eitan Adler
db702c59cf remove duplicate semicolons where possible.
Approved by:	cperciva
MFC after:	1 week
2012-10-22 03:00:37 +00:00
Dag-Erling Smørgrav
a612142b11 Remove unnecessary #include. 2012-09-28 12:29:25 +00:00
Eitan Adler
eae8be706e Bump date missed in r202756
PR:		docs/171624
Submitted by:	bdrewery
Approved by:	gabor
MFC after:	3 days
2012-09-14 17:50:42 +00:00
Dimitry Andric
1843e23c48 Fix an instance in pam_krb5(8), where the variable 'user' could be used
uninitialized.

Found by:	clang 3.2
Reviewed by:	des
MFC after:	1 week
2012-08-06 18:44:59 +00:00
Dimitry Andric
2251b30757 Fix two instances in pam_krb5(8), where the variable 'princ_name' could
be used uninitialized.

Found by:	clang 3.2
Reviewed by:	des
MFC after:	1 week
2012-08-06 18:40:14 +00:00
Doug Rabson
957487515e Add an option for pam_krb5 to allow it to authenticate users which don't have
a local account.

PR:		76678
Submitted by:	daved at tamu.edu
MFC after:	2 weeks
2012-08-05 13:40:35 +00:00
Dag-Erling Smørgrav
2f3ed61901 Update to OpenPAM Micrampelis. 2012-05-26 17:10:16 +00:00
Dag-Erling Smørgrav
8d6900eab8 Passing NULL as a key casues a segfault when loading SSH 1 keys. Use
an empty string instead.
2012-05-26 17:03:45 +00:00
Warren Block
344c81a166 Fixes to man8 groff mandoc style, usage mistakes, or typos.
PR:		168016
Submitted by:	Nobuyuki Koganemaru
Approved by:	gjb
MFC after:	3 days
2012-05-24 02:24:03 +00:00
Jean-Sébastien Pédron
3902d8a991 Fix error messages containing the executed command name
Before, we took the first argument to pam_exec(8). With the addition of
options in front of the command, this could be wrong.

Now, options are parsed before calling _pam_exec() and messages contain
the proper command name.

While here, fix a warning.

Sponsored by:	Yakaz (http://www.yakaz.com)
2012-04-12 14:02:59 +00:00
Eitan Adler
50d675f7a9 Remove trailing whitespace per mdoc lint warning
Disussed with:	gavin
No objection from:	doc
Approved by:	joel
MFC after:	3 days
2012-03-29 05:02:12 +00:00
Jean-Sébastien Pédron
7e3d5c1fca Use program exit status as pam_exec return code (optional)
pam_exec(8) now accepts a new option "return_prog_exit_status". When
set, the program exit status is used as the pam_exec return code. It
allows the program to tell why the step failed (eg. user unknown).
However, if it exits with a code not allowed by the calling PAM service
module function (see $PAM_SM_FUNC below), a warning is logged and
PAM_SERVICE_ERR is returned.

The following changes are related to this new feature but they apply no
matter if the "return_prog_exit_status" option is set or not.

The environment passed to the program is extended:
    o  $PAM_SM_FUNC contains the name of the PAM service module function
       (eg. pam_sm_authenticate).
    o  All valid PAM return codes' numerical values are available
       through variables named after the return code name. For instance,
       $PAM_SUCCESS, $PAM_USER_UNKNOWN or $PAM_PERM_DENIED.

pam_exec return code better reflects what went on:
    o  If the program exits with !0, the return code is now
       PAM_PERM_DENIED, not PAM_SYSTEM_ERR.
    o  If the program fails because of a signal (WIFSIGNALED) or doesn't
       terminate normally (!WIFEXITED), the return code is now
       PAM_SERVICE_ERR, not PAM_SYSTEM_ERR.
    o  If a syscall in pam_exec fails, the return code remains
       PAM_SYSTEM_ERR.

waitpid(2) is called in a loop. If it returns because of EINTR, do it
again. Before, it would return PAM_SYSTEM_ERR without waiting for the
child to exit.

Several log messages now include the PAM service module function name.

The man page is updated accordingly.

Reviewed by:	gleb@, des@
Sponsored by:	Yakaz (http://www.yakaz.com)
MFC after:	2 weeks
2012-03-26 12:18:15 +00:00
Stanislav Sedov
26ec46c8d6 - Avoid using deprecated heimdal functions in pam_krb5. 2012-03-24 01:02:03 +00:00
Stanislav Sedov
bbbc13f8cf - Avoid use of deprecated KRB5 functions. 2012-03-22 11:18:14 +00:00
Stanislav Sedov
ae77177087 - Update FreeBSD Heimdal distribution to version 1.5.1. This also brings
several new kerberos related libraries and applications to FreeBSD:
  o kgetcred(1) allows one to manually get a ticket for a particular service.
  o kf(1) securily forwards ticket to another host through an authenticated
    and encrypted stream.
  o kcc(1) is an umbrella program around klist(1), kswitch(1), kgetcred(1)
    and other user kerberos operations. klist and kswitch are just symlinks
    to kcc(1) now.
  o kswitch(1) allows you to easily switch between kerberos credentials if
    you're running KCM.
  o hxtool(1) is a certificate management tool to use with PKINIT.
  o string2key(1) maps a password into key.
  o kdigest(8) is a userland tool to access the KDC's digest interface.
  o kimpersonate(8) creates a "fake" ticket for a service.

  We also now install manpages for some lirbaries that were not installed
  before, libheimntlm and libhx509.

- The new HEIMDAL version no longer supports Kerberos 4.  All users are
  recommended to switch to Kerberos 5.

- Weak ciphers are now disabled by default.  To enable DES support (used
  by telnet(8)), use "allow_weak_crypto" option in krb5.conf.

- libtelnet, pam_ksu and pam_krb5 are now compiled with error on warnings
  disabled due to the function they use (krb5_get_err_text(3)) being
  deprecated.  I plan to work on this next.

- Heimdal's KDC now require sqlite to operate.  We use the bundled version
  and install it as libheimsqlite.  If some other FreeBSD components will
  require it in the future we can rename it to libbsdsqlite and use for these
  components as well.

- This is not a latest Heimdal version, the new one was released while I was
  working on the update.  I will update it to 1.5.2 soon, as it fixes some
  important bugs and security issues.
2012-03-22 08:48:42 +00:00
Peter Wemm
925c02f9dd Rev 228065 (change bsd.own.mk -> bsd.init.mk) broke pam_unix.so by causing
the LDADD/DPADD to lose the -lpam, and causing openpam_dynamic() to fail
due to "openpam_get_options" being undefined.

This would cause obscure console log messages like:
  openpam_dynamic(): No error: 0
  openpam_load_module(): no pam_unix.so found
and other helpful messages which are no help in diagnosing the problem.

Fortunately this change was not mfc'ed to 9.x, it isn't broken there.
2012-01-18 18:26:56 +00:00
Dag-Erling Smørgrav
7f106882fe Upgrade to OpenPAM Lycopsida. 2011-12-18 17:22:45 +00:00
Max Khon
106235a4b8 .include <bsd.init.mk> instead of <bsd.own.mk>
The former allows common settings from ../Makefile.inc to be used.
2011-11-28 14:01:17 +00:00
Dag-Erling Smørgrav
dcf83bf794 Revert r227841 and part of r227798. We still build libpam in two passes,
but we use STATIC_CFLAGS instead of our own private .c.o rule.

MFC after:	3 weeks
2011-11-24 13:18:58 +00:00
Dag-Erling Smørgrav
e03e3b699e Simplify the libpam build by removing the shared modules' dependency
on the shared library.  The modules are loaded by the library, so we
know it'll be there when we need it.

MFC after:	3 weeks
2011-11-21 16:40:39 +00:00