author | yar <yar@FreeBSD.org> | 2007-06-10 18:57:20 +0000 |
---|---|---|
committer | yar <yar@FreeBSD.org> | 2007-06-10 18:57:20 +0000 |
commit | dac62e7ff2f6d9dbbc83623d558cd1169444ce35 (patch) | |
tree | 37d2537512c71ec8e47fb6d4279f5add1fbf960b /lib/libpam/modules | |
parent | 2a881a553e67fa066b2dc74064c17ff8c9ecb927 (diff) | |
Now pam_nologin(8) will provide an account management function
instead of an authentication function. There are a design reason
and a practical reason for that. First, the module belongs in
account management because it checks availability of the account
and does no authentication. Second, there are existing and potential
PAM consumers that skip PAM authentication for good or for bad.
E.g., sshd(8) just prefers internal routines for public key auth;
OTOH, cron(8) and atrun(8) do implicit authentication when running
a job on behalf of its owner, so their inability to use PAM auth
is fundamental, but they can benefit from PAM account management.
Document this change in the manpage.
Modify /etc/pam.d files accordingly, so that pam_nologin.so is listed
under the "account" function class.
Bump __FreeBSD_version (mostly for ports, as this change should be
invisible to C code outside pam_nologin.)
PR: bin/112574
Approved by: des, re
Diffstat (limited to 'lib/libpam/modules')
-rw-r--r-- | lib/libpam/modules/pam_nologin/pam_nologin.8 | 19 |
-rw-r--r-- | lib/libpam/modules/pam_nologin/pam_nologin.c | 12 |
2 files changed, 11 insertions, 20 deletions
diff --git a/lib/libpam/modules/pam_nologin/pam_nologin.8 b/lib/libpam/modules/pam_nologin/pam_nologin.8 index a2c5990..e38be71 100644 --- a/lib/libpam/modules/pam_nologin/pam_nologin.8 +++ b/lib/libpam/modules/pam_nologin/pam_nologin.8 @@ -24,7 +24,7 @@ .\" .\" $FreeBSD$ .\" -.Dd July 8, 2001 +.Dd June 10, 2007 .Dt PAM_NOLOGIN 8 .Os .Sh NAME @@ -37,19 +37,18 @@ .Pa pam_nologin .Op Ar options .Sh DESCRIPTION -The NoLogin authentication service module for PAM, +The NoLogin service module for PAM, .Nm provides functionality for only one PAM category: -authentication. +account management. In terms of the .Ar module-type parameter, this is the -.Dq Li auth +.Dq Li account feature. -It also provides a null function for session management. -.Ss NoLogin Authentication Module -The NoLogin authentication component -.Pq Fn pam_sm_authenticate , +.Ss NoLogin Account Management Module +The NoLogin account management component, +.Fn pam_sm_acct_mgmt , always returns success for the superuser, and returns success for all other users if the file @@ -69,7 +68,7 @@ is used instead. This usually defaults to .Pa /var/run/nologin . .Pp -The following options may be passed to the authentication module: +The following options may be passed to the module: .Bl -tag -width ".Cm no_warn" .It Cm debug .Xr syslog 3 @@ -80,7 +79,7 @@ level. suppress warning messages to the user. These messages include reasons why the user's -authentication attempt was declined. +login attempt was declined. .El .Sh SEE ALSO .Xr syslog 3 , diff --git a/lib/libpam/modules/pam_nologin/pam_nologin.c b/lib/libpam/modules/pam_nologin/pam_nologin.c index 2145688..f4b28e5 100644 --- a/lib/libpam/modules/pam_nologin/pam_nologin.c +++ b/lib/libpam/modules/pam_nologin/pam_nologin.c @@ -46,7 +46,7 @@ __FBSDID("$FreeBSD$"); #include <stdlib.h> #include <unistd.h> -#define PAM_SM_AUTH +#define PAM_SM_ACCOUNT #include <security/pam_appl.h> #include <security/pam_modules.h> 
@@ -57,7 +57,7 @@ __FBSDID("$FreeBSD$"); static char nologin_def[] = NOLOGIN; PAM_EXTERN int -pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, +pam_sm_acct_mgmt(pam_handle_t *pamh, int flags __unused, int argc __unused, const char *argv[] __unused) { login_cap_t *lc; @@ -111,12 +111,4 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, return (retval); } -PAM_EXTERN int -pam_sm_setcred(pam_handle_t *pamh __unused, int flags __unused, - int argc __unused, const char *argv[] __unused) -{ - - return (PAM_SUCCESS); -} - PAM_MODULE_ENTRY("pam_nologin"); |
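Review bot: The rewritten DESCRIPTION in pam_nologin.8 (hunk at -37,19) is missing a compatibility note for administrators whose policy files still list the module under `auth`. The text now says the module provides only the `account` feature, but nothing tells a reader that this is a change from earlier behaviour or what to do about existing entries. Suggest adding a short paragraph or a HISTORY section stating that the module moved from `auth` to `account` with this change and that /etc/pam.d files maintained locally or installed by ports must move the pam_nologin line to the `account` class. The commit message covers the base /etc/pam.d files, but the manual page is where an operator will look when a nologin check stops taking effect.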
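Review bot: A policy that still lists pam_nologin under `auth` is not handled anywhere in the pam_nologin.c hunks: with pam_sm_authenticate() renamed to pam_sm_acct_mgmt() (hunk at -57,7) and pam_sm_setcred() removed (hunk at -111,12), the module exports no auth-class entry point at all. Please confirm how libpam treats the missing function for such a line, error or silent skip, because a silent skip would mean the nologin file is no longer enforced for that service and non-root logins proceed. If that is the outcome, consider keeping auth stubs that log a warning for a transition period, or call the requirement out in UPDATING alongside the __FreeBSD_version bump.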