Yaroslav Tykhiy
cf21ead53b
In account management, verify whether the account has been locked
...
with `pw lock', so that it's impossible to log into a locked account
using an alternative authentication mechanism, such as an ssh key.
This change affects only accounts locked with pw(8), i.e., having a
`*LOCKED*' prefix in their password hash field, so people still can
use a different pattern to disable password authentication only.
Mention all account management criteria in the manpage.
Approved by: maintainer (timeout)
PR: bin/71147
MFC after: 1 month
2007-03-27 09:59:15 +00:00
Pawel Jakub Dawidek
d154a420f7
Send not only Access Request, but also Access Challenge with defined
...
NAS-Identifier and NAS-IP-Address.
Reviewed by: bz
MFC after: 1 month
2007-01-20 08:52:04 +00:00
Dag-Erling Smørgrav
1cede0c9bd
childerr needs to be volatile so gcc won't optimize it away.
...
PR: bin/85830
MFC after: 1 week
2006-11-10 23:33:25 +00:00
Ruslan Ermilov
5429f49079
The pam_unix module also provides password management.
...
PR: docs/93491
Submitted by: Lior Kadosh
MFC after: 3 days
2006-10-12 15:00:17 +00:00
Ruslan Ermilov
cf15fbb46a
Fix build.
2006-09-30 20:33:42 +00:00
Dag-Erling Smørgrav
f63ebe36f6
Reject user with names that are longer than OPIE is willing to deal with;
...
otherwise OPIE will happily truncate it.
Spotted by: ghelmer
MFC after: 2 weeks
2006-09-15 13:42:38 +00:00
Joel Dahl
cec65ede6c
Bump .Dd.
...
Noticed by: danger
2006-09-13 18:34:32 +00:00
Joel Dahl
3e1f331553
Remove references to the pam(8) manual page. It does not exist.
...
Requested by: novel
Discussed with: brueffer, simon
2006-09-13 17:46:20 +00:00
Dag-Erling Smørgrav
f5e30bd1ff
Additional debugging stuff I had in my tree.
2006-08-11 17:03:33 +00:00
Stefan Farfeleder
c67bd97df8
Change the GCC specific __FUNCTION__ to C99's __func__.
...
OK'ed by: des
2006-07-17 11:48:52 +00:00
Dag-Erling Smørgrav
9fd9594daf
Add a manual dependency on ssh_namespace.h.
...
Discussed with: ru
2006-05-13 21:38:16 +00:00
Dag-Erling Smørgrav
ed22e27d8a
Introduce a namespace munging hack inspired by NetBSD to avoid polluting
...
the namespace of applications which inadvertantly link in libssh (usually
through pam_ssh)
Suggested by: lukem@netbsd.org
MFC after: 6 weeks
2006-05-13 13:47:45 +00:00
Wojciech A. Koszek
2ecd560bcc
There is no need to pass NULL to the pam_error() as the last argument.
...
Remove it.
Reviewed by: des
Approved by: cognet (mentor)
2006-03-20 16:56:08 +00:00
Ruslan Ermilov
c365539d86
Fix build until I find a way to handle this case properly.
2006-03-19 08:52:49 +00:00
Ruslan Ermilov
9e7c92716b
Revert last delta.
2006-03-19 06:14:30 +00:00
Poul-Henning Kamp
371b1253c9
Comment out MK_PROFILE until ru@ can fix this properly
2006-03-19 04:49:11 +00:00
Ruslan Ermilov
5740a2b62d
Convert NO_PROFILE and NO_LIB32 to new style.
2006-03-18 21:37:05 +00:00
Ruslan Ermilov
e1fe3dba5c
Reimplementation of world/kernel build options. For details, see:
...
http://lists.freebsd.org/pipermail/freebsd-current/2006-March/061725.html
The src.conf(5) manpage is to follow in a few days.
Brought to you by: imp, jhb, kris, phk, ru (all bugs are mine)
2006-03-17 18:54:44 +00:00
Yaroslav Tykhiy
4df7b351e2
Add appropriate xrefs.
...
MFC after: 3 days
2006-03-06 13:15:12 +00:00
Yaroslav Tykhiy
08284aaa25
Since the whole login.access feature has moved to PAM,
...
login.access.5 will be installed from the respective PAM
module's src directory.
MFC after: 3 days
2006-03-06 12:31:25 +00:00
Yaroslav Tykhiy
5c042d7b07
Sync with src/usr.bin/login/login.access.5.
...
src/usr.bin/login/login.access.5 should be removed from use
because the whole login.access feature has moved to this PAM
module.
MFC after: 3 days
2006-03-06 12:26:43 +00:00
Ruslan Ermilov
ce8bf81ff2
Commenting out WARNS actually brought it up to 4.
2005-09-28 14:36:16 +00:00
Dag-Erling Smørgrav
40e48f9362
Comment out WARNS, the OpenSSL headers don't compile cleanly on some platforms.
2005-09-28 06:23:47 +00:00
Dag-Erling Smørgrav
f8ac10df9f
Increase WARNS.
2005-09-26 20:34:09 +00:00
Dag-Erling Smørgrav
bd43956b81
Correct the logic for determining whether the user has already entered
...
a password. Also, work around some harmless type pun warnings.
MFC after: 3 days
2005-09-26 20:33:53 +00:00
Dag-Erling Smørgrav
c777c69bdc
Do not use passphraseless keys for authentication unless the nullok
...
option was specified.
PR: bin/81231
Submitted by: "Daniel O'Connor" <doconnor@gsoft.com.au>
MFC after: 3 days
2005-09-22 05:35:24 +00:00
Dag-Erling Smørgrav
ea174c52f5
Narrow the use of user credentials.
...
Fix one case where openpam_restore_cred() might be called twice in a row.
MFC after: 3 days
2005-09-21 16:08:40 +00:00
Colin Percival
25284732cd
When (re)allocating space for an array of pointers to char, use
...
sizeof(*list), not sizeof(**list). (i.e., sizeof(pointer) rather than
sizeof(char)).
It is possible that this buffer overflow is exploitable, but it was
added after RELENG_5 forked and hasn't been MFCed, so this will not
receive an advisory.
Submitted by: Vitezslav Novy
MFC after: 1 day
2005-09-19 18:43:11 +00:00
Ken Smith
a84020c2b9
Bump the shared library version number of all libraries that have not
...
been bumped since RELENG_5.
Reviewed by: ru
Approved by: re (not needed for commit check but in principle...)
2005-07-22 17:19:05 +00:00
Ken Smith
5adb21a681
Missed one piece of the cluster's quirk. Need to override WARNS because
...
if _FREEFALL_CONFIG is set gcc bails since pam_sm_setcred() in pam_krb5.c
no longer uses any of its parameters.
Pointy hat: kensmith
Approved by: re (scottl)
2005-07-08 14:53:45 +00:00
Ken Smith
2672e71736
This is sort of an MFS. Peter made these changes to the RELENG_*
...
branches but missed HEAD. This patch extends his a little bit,
setting it up via the Makefiles so that adding _FREEFALL_CONFIG
to /etc/make.conf is the only thing needed to cluster-ize things
(current setup also requires overriding CFLAGS).
From Peter's commit to the RELENG_* branches:
> Add the freebsd.org custer's source modifications under #ifdefs to aid
> keeping things in sync. For ksu:
> * install suid-root by default
> * don't fall back to asking for a unix password (ie: be pure kerberos)
> * allow custom user instances for things like www and not just root
The Makefile tweaks will be MFC-ed, the rest is already done.
MFC after: 3 days
Approved by: re (dwhite)
2005-07-07 14:16:38 +00:00
Dag-Erling Smørgrav
d3cf5f1524
Use the correct login class when setting a new password.
...
PR: 65557, 72949
Submitted by: Stephen P. Cravey <clists@gotbrains.org>
Approved by: re (scottl)
MFC after: 2 weeks
2005-07-05 18:42:18 +00:00
Dag-Erling Smørgrav
0d13f5f0c6
Update for OpenPAM Figwort.
...
Approved by: re (kensmith)
2005-06-17 08:14:42 +00:00
Ruslan Ermilov
f789cb8293
Assorted markup fixes.
...
Approved by: re
2005-06-15 19:04:04 +00:00
Dag-Erling Smørgrav
30d0a60aed
Don't use a cast as an lvalue.
...
Add a redundant test to make it painfully obvious to the reader that this
code does not support IPv6.
Approved by: re (dwhite)
MFC after: 1 week
2005-06-13 21:18:52 +00:00
Dag-Erling Smørgrav
57341fbcf3
Use appropriate error codes for each facility instead of just PAM_AUTH_ERR.
...
Noticed by: pjd
2005-06-10 06:16:13 +00:00
Dag-Erling Smørgrav
40e0db94af
Revert the commits that made libssh an INTERNALLIB; they caused too much
...
trouble, especially on amd64.
Requested by: ru
2005-06-07 09:31:28 +00:00
Dag-Erling Smørgrav
e4c2fedcc7
Fix libssh dependency.
2005-06-06 19:01:01 +00:00
Hajimu UMEMOTO
d928d41c84
NI_WITHSCOPEID cleanup
...
Reviewed by: des
2005-05-13 20:51:09 +00:00
Ruslan Ermilov
0227791b40
Expand *n't contractions.
2005-02-13 22:25:33 +00:00
Dag-Erling Smørgrav
9d97c7ee0a
In addition to the PAM environment, export a handful of useful PAM items.
...
Suggested by: Ed Maste <emaste@phaedrus.sandvine.ca>
2005-02-01 10:37:07 +00:00
Dag-Erling Smørgrav
30984a1288
Add openpam_free_envlist(3).
2005-02-01 10:21:07 +00:00
Robert Watson
ed41980cbb
When "no_ccache" is set as an argument to the pam_krb5 module, don't
...
copy the acquired TGT from the in-memory cache to the on-disk cache
at login. This was documented but un-implemented behavior.
MFC after: 1 week
PR: bin/64464
Reported and tested by: Eric van Gyzen <vangyzen at stat dot duke dot edu>
2005-01-24 16:49:50 +00:00
Robert Watson
16417879f1
The final argument to verify_krb_v5_tgt() is the debug flag, not the
...
ticket forwardable flag, so key generation of debugging output to
"debug" rather than "forwardable".
Update copyright.
MFC after: 3 days
2005-01-23 15:57:07 +00:00
Ruslan Ermilov
3ac17feb8a
Fixed xref.
2005-01-21 10:48:35 +00:00
Ruslan Ermilov
a216173556
NOCRYPT -> NO_CRYPT
2004-12-21 10:16:04 +00:00
Ruslan Ermilov
2c74b2cb07
NOINSTALLLIB -> NO_INSTALLLIB
2004-12-21 09:51:09 +00:00
Ruslan Ermilov
ab7a294721
NODOCCOMPRESS -> NO_DOCCOMPRESS
...
NOINFO -> NO_INFO
NOINFOCOMPRESS -> NO_INFOCOMPRESS
NOLINT -> NO_LINT
NOPIC -> NO_PIC
NOPROFILE -> NO_PROFILE
2004-12-21 09:33:47 +00:00
Bjoern A. Zeeb
6c58990d47
Add knob NO_NIS (fka NO_YP_LIBC) and make world compileable when set.
...
If turned on no NIS support and related programs will be built.
Lost parts rediscovered by: Danny Braniss <danny at cs.huji.ac.il>
PR: bin/68303
No objections: des, gshapiro, nectar
Reviewed by: ru
Approved by: rwatson (mentor)
MFC after: 2 weeks
2004-11-13 20:40:32 +00:00
Ruslan Ermilov
a35d88931c
For variables that are only checked with defined(), don't provide
...
any fake value.
2004-10-24 15:33:08 +00:00