author | des <des@FreeBSD.org> | 2002-01-21 18:51:24 +0000 |
---|---|---|
committer | des <des@FreeBSD.org> | 2002-01-21 18:51:24 +0000 |
commit | 2de07ddf809f3a6c528e3649a37601574defc6fa (patch) | |
tree | e4b5d29c748772dfacf325ac9643cfc3804fe86c /etc/pam.d/su | |
parent | bc31e1293b0cab9e0ffb32d77be376d89f692b65 (diff) | |

Enable OPIE by default, using the no_fake_prompts option to hide it from
users who don't wish to use it. If the admin is worried about leaking
information about which users exist and which have OPIE enabled, the
no_fake_prompts option can simply be removed.

Also insert the appropriate pam_opieaccess lines after pam_opie to break
the chain in case the user is logging in from an untrusted host, or has a
.opiealways file. The entire opieaccess / opiealways concept is slightly
unpammish, but admins familiar with OPIE will expect it to work.

Reviewed by: ache, markm
Sponsored by: DARPA, NAI Labs

Diffstat (limited to 'etc/pam.d/su')
-rw-r--r-- | etc/pam.d/su | 34 |
1 files changed, 23 insertions, 11 deletions
diff --git a/etc/pam.d/su b/etc/pam.d/su index 8e3a9bc..81aa1b1 100644 --- a/etc/pam.d/su +++ b/etc/pam.d/su @@ -9,33 +9,45 @@ auth sufficient pam_rootok.so no_warn auth requisite pam_wheel.so no_warn auth_as_self noroot_ok #auth sufficient pam_kerberosIV.so no_warn #auth sufficient pam_krb5.so no_warn try_first_pass auth_as_self -#auth required pam_opie.so no_warn +auth sufficient pam_opie.so no_warn no_fake_prompts +auth requisite pam_opieaccess.so no_warn #auth required pam_ssh.so no_warn try_first_pass auth required pam_unix.so no_warn try_first_pass nullok -#auth sufficient pam_rootok.so no_warn -##auth sufficient pam_kerberosIV.so no_warn -##auth sufficient pam_krb5.so no_warn -#auth required pam_opie.so no_warn auth_as_self -#auth required pam_unix.so no_warn try_first_pass auth_as_self # account #account required pam_kerberosIV.so #account required pam_krb5.so account required pam_unix.so -##account required pam_kerberosIV.so -##account required pam_krb5.so -#account required pam_unix.so # session #session required pam_kerberosIV.so #session required pam_krb5.so #session required pam_ssh.so session required pam_unix.so + +# password +password required pam_permit.so + + +# If you want a "WHEELSU"-type su(1), then comment out the +# above, and uncomment the entries below. +## auth +#auth sufficient pam_rootok.so no_warn +##auth sufficient pam_kerberosIV.so no_warn +##auth sufficient pam_krb5.so no_warn +#auth required pam_opie.so no_warn auth_as_self no_fake_prompts +#auth required pam_unix.so no_warn try_first_pass auth_as_self + +## account +##account required pam_kerberosIV.so +##account required pam_krb5.so +#account required pam_unix.so + +## session ##session required pam_kerberosIV.so ##session required pam_krb5.so ##session required pam_ssh.so #session required pam_unix.so -# password -password required pam_permit.so +## password #password required pam_permit.so |
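
Review bot: The commented-out "WHEELSU" auth block at the end of the hunk was not brought in line with the active stack: it still reads `#auth required pam_opie.so no_warn auth_as_self no_fake_prompts` and has no pam_opieaccess line after it, while the active stack now uses `auth sufficient pam_opie.so no_warn no_fake_prompts` followed by `auth requisite pam_opieaccess.so no_warn`. An admin who swaps to the alternate block gets different control flags and none of the untrusted-host / .opiealways chain break that the commit message describes. Either mirror the two new lines in the alternate block or add a comment there saying why it differs. Separately, the trade-off of no_fake_prompts (it reveals which users exist and which have OPIE enabled) is explained only in the commit message; a one-line comment above the pam_opie entry in etc/pam.d/su would put it where an admin editing the file will see it.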