author | markm <markm@FreeBSD.org> | 2001-08-30 11:27:36 +0000 |
---|---|---|
committer | markm <markm@FreeBSD.org> | 2001-08-30 11:27:36 +0000 |
commit | a09c0b5da3faec1491ed3e3e6ffd31c256974c73 (patch) | |
tree | 9764b0c770c3e7a139477c48e4bc0278b31d5c70 | |
parent | 0c489177928186c0db9ce676ce6608044d6a849c (diff) | |
Like su(1), make PAM use mandatory. Remove parts of the authentication
logic that are handled by PAM. Fix documentation to reflect this.
-rw-r--r-- | usr.bin/login/Makefile | 12 | ||||
-rw-r--r-- | usr.bin/login/README | 3 | ||||
-rw-r--r-- | usr.bin/login/login.1 | 31 | ||||
-rw-r--r-- | usr.bin/login/login.c | 41 | ||||
-rw-r--r-- | usr.bin/login/pathnames.h | 2 |
5 files changed, 7 insertions, 82 deletions
diff --git a/usr.bin/login/Makefile b/usr.bin/login/Makefile
index 970e591..9ed8603 100644
--- a/usr.bin/login/Makefile
+++ b/usr.bin/login/Makefile
@@ -5,16 +5,10 @@
 PROG= login
 SRCS= login.c login_access.c login_fbtab.c
 MAN= login.1 login.access.5
-CFLAGS+=-Wall -DLOGIN_ACCESS -DLOGALL
+CFLAGS+=-DLOGIN_ACCESS -DLOGALL
-DPADD= ${LIBUTIL} ${LIBCRYPT}
-LDADD= -lutil -lcrypt
-
-.if !defined(NOPAM)
-CFLAGS+= -DUSE_PAM
-DPADD+= ${LIBPAM}
-LDADD+= ${MINUSLPAM}
-.endif
+DPADD= ${LIBUTIL} ${LIBCRYPT} ${LIBPAM}
+LDADD= -lutil -lcrypt ${MINUSLPAM}
 BINMODE=4555
 INSTALLFLAGS=-fschg
diff --git a/usr.bin/login/README b/usr.bin/login/README
index 16322c9..bc228f7 100644
--- a/usr.bin/login/README
+++ b/usr.bin/login/README
@@ -4,8 +4,7 @@ Wietse Venema's logdaemon package.
 The following defines can be used:
 1) LOGIN_ACCESS to allow access control on a per tty/user combination
-2) SKEY to allow the use of s/key one time passwords
-3) LOGALL to log all logins
+2) LOGALL to log all logins
 -Guido
diff --git a/usr.bin/login/login.1 b/usr.bin/login/login.1
index f6367f7..06956ce 100644
--- a/usr.bin/login/login.1
+++ b/usr.bin/login/login.1
@@ -81,15 +81,6 @@ option disables this behavior.
 .El
 .Pp
 If the file
-.Pa /var/run/nologin
-exists,
-.Nm
-displays its contents to the user and exits.
-This is used by
-.Xr shutdown 8
-to prevent users from logging in when the system is about to go down.
-.Pp
-If the file
 .Pa /etc/login.access
 exists,
 .Nm
@@ -105,15 +96,6 @@ exists,
 changes the protection and ownership of certain devices specified
 in this file.
 .Pp
-If the file
-.Pa /etc/skeykeys
-exists,
-.Nm
-will offer S/key password validation if the user has an entry in the file.
-.Pa /etc/skey.access
-controls from which hosts and/or networks the use of S/key passwords are
-obligated.
-.Pp
 Immediately after logging a user in,
 .Nm
 displays the system copyright notice, the date and time the user last
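Review bot: The new `CFLAGS+=-DLOGIN_ACCESS -DLOGALL` line in the Makefile hunk drops `-Wall`, which the commit message does not mention and which the PAM change does not require; for a setuid-root program the warnings are worth keeping unless the system-wide build flags already supply them, which is not visible here. This commit is itself an example of what is lost: `time_t warntime;` in login.c stays declared (hunk @@ -158,7 +154,6) while its only visible use is deleted in hunk @@ -443,21 +428,6, exactly the kind of leftover `-Wall` would report. Suggest keeping `CFLAGS+=-Wall -DLOGIN_ACCESS -DLOGALL` and removing the now-unused declaration.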
@@ -159,12 +141,6 @@ login access control table
 login class capabilities database
 .It Pa /etc/motd
 message-of-the-day
-.It Pa /var/run/nologin
-disallows logins
-.It Pa /etc/skey.access
-skey password control table
-.It Pa /etc/skeykeys
-skey password database
 .It Pa /var/run/utmp
 current logins
 .It Pa /var/log/lastlog
@@ -178,9 +154,8 @@ makes login quieter
 .It Pa /etc/auth.conf
 configure authentication services
 .It Pa /etc/pam.conf
-if
 .Nm
-is configured with PAM support, it uses
+uses
 .Pa /etc/pam.conf
 entries with service name
 .Dq login
@@ -191,16 +166,12 @@ entries with service name
 .Xr csh 1 ,
 .Xr passwd 1 ,
 .Xr rlogin 1 ,
-.Xr skey 1 ,
 .Xr getpass 3 ,
 .Xr fbtab 5 ,
 .Xr login.access 5 ,
 .Xr login.conf 5 ,
-.Xr nologin 5 ,
-.Xr skey.access 5 ,
 .Xr utmp 5 ,
 .Xr environ 7 ,
-.Xr nologin 8 ,
 .Xr pam 8
 .Sh HISTORY
 A
diff --git a/usr.bin/login/login.c b/usr.bin/login/login.c
index 6fd34f5..35a5294 100644
--- a/usr.bin/login/login.c
+++ b/usr.bin/login/login.c
@@ -78,11 +78,9 @@ static const char rcsid[] =
 #include <unistd.h>
 #include <utmp.h>
-#ifdef USE_PAM
 #include <security/pam_appl.h>
 #include <security/pam_misc.h>
 #include <sys/wait.h>
-#endif /* USE_PAM */
 #include "pathnames.h"
@@ -92,7 +90,6 @@ static const char rcsid[] =
 #endif
 void badlogin __P((char *));
-void checknologin __P((void));
 void dolastlog __P((int));
 void getloginname __P((void));
 void motd __P((char *));
@@ -105,7 +102,6 @@ void timedout __P((int));
 int login_access __P((char *, char *));
 void login_fbtab __P((char *, uid_t, gid_t));
-#ifdef USE_PAM
 static int auth_pam __P((void));
 static int export_pam_environment __P((void));
 static int ok_to_export __P((const char *));
@@ -121,7 +117,7 @@ static char **environ_pam;
 if ((e = pam_end(pamh, e)) != PAM_SUCCESS) \
 syslog(LOG_ERR, "pam_end: %s", pam_strerror(pamh, e)); \
 }
-#endif /* USE_PAM */
+
 static int auth_traditional __P((void));
 extern void login __P((struct utmp *));
 static void usage __P((void));
@@ -158,7 +154,6 @@ main(argc, argv)
 struct utmp utmp;
 int rootok, retries, backoff;
 int ask, ch, cnt, fflag, hflag, pflag, quietlog, rootlogin, rval;
-int changepass;
 time_t warntime;
 uid_t uid, euid;
 gid_t egid;
@@ -167,10 +162,8 @@ main(argc, argv)
 char tname[sizeof(_PATH_TTY) + 10];
 char *shell = NULL;
 login_cap_t *lc = NULL;
-#ifdef USE_PAM
 pid_t pid;
 int e;
-#endif /* USE_PAM */
 (void)signal(SIGQUIT, SIG_IGN);
 (void)signal(SIGINT, SIG_IGN);
@@ -343,19 +336,16 @@ main(argc, argv)
 (void)setpriority(PRIO_PROCESS, 0, -4);
-#ifdef USE_PAM
 /*
 * Try to authenticate using PAM. If a PAM system error
 * occurs, perhaps because of a botched configuration,
 * then fall back to using traditional Unix authentication.
 */
 if ((rval = auth_pam()) == -1)
-#endif /* USE_PAM */
 rval = auth_traditional();
 (void)setpriority(PRIO_PROCESS, 0, 0);
-#ifdef USE_PAM
 /*
 * PAM authentication may have changed "pwd" to the
 * entry for the template user. Check again to see if
@@ -363,7 +353,6 @@ main(argc, argv)
 */
 if (pwd != NULL && pwd->pw_uid == 0)
 rootlogin = 1;
-#endif /* USE_PAM */
 ttycheck:
 /*
@@ -404,10 +393,6 @@ main(argc, argv)
 */
 lc = login_getpwclass(pwd);
-/* if user not super-user, check for disabled logins */
-if (!rootlogin)
-auth_checknologin(lc);
-
 quietlog = login_getcapbool(lc, "hushlogin", 0);
 /* Switching needed for NFS with root access disabled */
 (void)setegid(pwd->pw_gid);
@@ -443,21 +428,6 @@ main(argc, argv)
 ctime(&pwd->pw_expire));
 }
-warntime = login_getcaptime(lc, "warnpassword", DEFAULT_WARN,
-DEFAULT_WARN);
-
-changepass = 0;
-if (pwd->pw_change) {
-if (tp.tv_sec >= pwd->pw_change) {
-(void)printf("Sorry -- your password has expired.\n");
-changepass = 1;
-syslog(LOG_INFO, "%s Password expired - forcing change",
-pwd->pw_name);
-} else if (pwd->pw_change - tp.tv_sec < warntime && !quietlog)
-(void)printf("Warning: your password expires on %s",
-ctime(&pwd->pw_change));
-}
-
 if (lc != NULL) {
 if (hostname) {
 struct addrinfo hints, *res;
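Review bot: The fallback `rval = auth_traditional();` in hunk @@ -343,19 +336,16 is kept even though the commit makes PAM mandatory, so a PAM system error (the "botched configuration" case the surrounding comment describes) still silently degrades login to traditional password checking with no PAM account or session management. That matters more after this commit than before, because hunk @@ -404,10 +393,6 deletes the auth_checknologin() call and hunk @@ -443,21 +428,6 deletes the password-expiry check on the assumption that PAM now performs them; on the fallback path neither runs, and the `if (pamh)` guard in @@ -598,7 +568,6 also skips pam_open_session() for that login, unless auth_traditional() enforces these itself, which is outside the hunk. If PAM is mandatory, a PAM system error should be treated as a failed login rather than a fallback: `if ((rval = auth_pam()) == -1) { syslog(LOG_ERR, "PAM authentication unavailable; refusing login"); rval = 1; }`, with the `then fall back to using traditional Unix authentication` comment updated to match. main() starts and ends outside these hunks.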
@@ -598,7 +568,6 @@ main(argc, argv)
 exit(1);
 }
-#ifdef USE_PAM
 if (pamh) {
 if ((e = pam_open_session(pamh, 0)) != PAM_SUCCESS) {
 syslog(LOG_ERR, "pam_open_session: %s",
@@ -641,7 +610,6 @@ main(argc, argv)
 pam_strerror(pamh, e));
 }
 }
-#endif /* USE_PAM */
 /*
 * We don't need to be root anymore, so
@@ -705,11 +673,6 @@ main(argc, argv)
 (void)signal(SIGINT, SIG_DFL);
 (void)signal(SIGTSTP, SIG_IGN);
-if (changepass) {
-if (system(_PATH_CHPASS) != 0)
-sleepexit(1);
-}
-
 /*
 * Login shells have a leading '-' in front of argv[0]
 */
@@ -751,7 +714,6 @@ auth_traditional()
 return rval;
 }
-#ifdef USE_PAM
 /*
 * Attempt to authenticate the user using PAM. Returns 0 if the user is
 * authenticated, or 1 if not authenticated. If some sort of PAM system
@@ -892,7 +854,6 @@ ok_to_export(s)
 }
 return 1;
 }
-#endif /* USE_PAM */
 static void
 usage()
diff --git a/usr.bin/login/pathnames.h b/usr.bin/login/pathnames.h
index 9154012..333c2ca 100644
--- a/usr.bin/login/pathnames.h
+++ b/usr.bin/login/pathnames.h
@@ -31,6 +31,7 @@
 * SUCH DAMAGE.
 *
 * @(#)pathnames.h 8.1 (Berkeley) 6/9/93
+ * $FreeBSD$
 */
 #include <paths.h>
@@ -40,4 +41,3 @@
 #define _PATH_LOGACCESS "/etc/login.access"
 #define _PATH_FBTAB "/etc/fbtab"
 #define _PATH_LOGINDEVPERM "/etc/logindevperm"
-#define _PATH_CHPASS "/usr/bin/passwd"