Now pam_nologin(8) will provide an account management function

instead of an authentication function.  There are a design reason
and a practical reason for that.  First, the module belongs in
account management because it checks availability of the account
and does no authentication.  Second, there are existing and potential
PAM consumers that skip PAM authentication for good or for bad.
E.g., sshd(8) just prefers internal routines for public key auth;
OTOH, cron(8) and atrun(8) do implicit authentication when running
a job on behalf of its owner, so their inability to use PAM auth
is fundamental, but they can benefit from PAM account management.

Document this change in the manpage.

Modify /etc/pam.d files accordingly, so that pam_nologin.so is listed
under the "account" function class.

Bump __FreeBSD_version (mostly for ports, as this change should be
invisible to C code outside pam_nologin.)

PR:		bin/112574
Approved by:	des, re

1 files changed, 1 insertions, 1 deletions

diff --git a/etc/pam.d/other b/etc/pam.d/other
index e4ddf7e..c86239c 100644
--- a/etc/pam.d/other
+++ b/etc/pam.d/other
@@ -5,7 +5,6 @@
 #
 
 # auth
-auth		required	pam_nologin.so		no_warn
 auth		sufficient	pam_opie.so		no_warn no_fake_prompts
 auth		requisite	pam_opieaccess.so	no_warn allow_local
 #auth		sufficient	pam_krb5.so		no_warn try_first_pass
@@ -13,6 +12,7 @@ auth		requisite	pam_opieaccess.so	no_warn allow_local
 auth		required	pam_unix.so		no_warn try_first_pass
 
 # account
+account		required	pam_nologin.so
 #account 	required	pam_krb5.so
 account		required	pam_login_access.so
 account		required	pam_unix.so