authormarkm <markm@FreeBSD.org>2001-08-30 11:27:36 +0000
committermarkm <markm@FreeBSD.org>2001-08-30 11:27:36 +0000
commita09c0b5da3faec1491ed3e3e6ffd31c256974c73 (patch)
tree9764b0c770c3e7a139477c48e4bc0278b31d5c70 /usr.bin/login
parent0c489177928186c0db9ce676ce6608044d6a849c (diff)
Like su(1), make PAM use mandatory. Remove parts of the authentication
logic that are handled by PAM. Fix documentation to reflect this.
Diffstat (limited to 'usr.bin/login')
-rw-r--r--usr.bin/login/Makefile12
-rw-r--r--usr.bin/login/README3
-rw-r--r--usr.bin/login/login.131
-rw-r--r--usr.bin/login/login.c41
-rw-r--r--usr.bin/login/pathnames.h2
5 files changed, 7 insertions, 82 deletions
diff --git a/usr.bin/login/Makefile b/usr.bin/login/Makefile
index 970e591..9ed8603 100644
--- a/usr.bin/login/Makefile
+++ b/usr.bin/login/Makefile
@@ -5,16 +5,10 @@ PROG= login
SRCS= login.c login_access.c login_fbtab.c
MAN= login.1 login.access.5
-CFLAGS+=-Wall -DLOGIN_ACCESS -DLOGALL
+CFLAGS+=-DLOGIN_ACCESS -DLOGALL
-DPADD= ${LIBUTIL} ${LIBCRYPT}
-LDADD= -lutil -lcrypt
-
-.if !defined(NOPAM)
-CFLAGS+= -DUSE_PAM
-DPADD+= ${LIBPAM}
-LDADD+= ${MINUSLPAM}
-.endif
+DPADD= ${LIBUTIL} ${LIBCRYPT} ${LIBPAM}
+LDADD= -lutil -lcrypt ${MINUSLPAM}
BINMODE=4555
INSTALLFLAGS=-fschg
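Review bot: The `CFLAGS` line drops `-Wall`, which the commit message does not mention, and this program is installed setuid (`BINMODE=4555`), where compiler diagnostics are worth keeping. If the warnings were noise from the removed code paths, fixing them is preferable to silencing them; otherwise keep `CFLAGS+=-Wall -DLOGIN_ACCESS -DLOGALL`. With the `.if !defined(NOPAM)` block gone, a tree built with NOPAM set presumably no longer links this program, so a comment such as `# PAM is mandatory; NOPAM is not supported here` above `DPADD` would make that explicit.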
diff --git a/usr.bin/login/README b/usr.bin/login/README
index 16322c9..bc228f7 100644
--- a/usr.bin/login/README
+++ b/usr.bin/login/README
@@ -4,8 +4,7 @@ Wietse Venema's logdaemon package.
The following defines can be used:
1) LOGIN_ACCESS to allow access control on a per tty/user combination
-2) SKEY to allow the use of s/key one time passwords
-3) LOGALL to log all logins
+2) LOGALL to log all logins
-Guido
diff --git a/usr.bin/login/login.1 b/usr.bin/login/login.1
index f6367f7..06956ce 100644
--- a/usr.bin/login/login.1
+++ b/usr.bin/login/login.1
@@ -81,15 +81,6 @@ option disables this behavior.
.El
.Pp
If the file
-.Pa /var/run/nologin
-exists,
-.Nm
-displays its contents to the user and exits.
-This is used by
-.Xr shutdown 8
-to prevent users from logging in when the system is about to go down.
-.Pp
-If the file
.Pa /etc/login.access
exists,
.Nm
@@ -105,15 +96,6 @@ exists,
changes the protection and ownership of certain devices specified in this
file.
.Pp
-If the file
-.Pa /etc/skeykeys
-exists,
-.Nm
-will offer S/key password validation if the user has an entry in the file.
-.Pa /etc/skey.access
-controls from which hosts and/or networks the use of S/key passwords are
-obligated.
-.Pp
Immediately after logging a user in,
.Nm
displays the system copyright notice, the date and time the user last
@@ -159,12 +141,6 @@ login access control table
login class capabilities database
.It Pa /etc/motd
message-of-the-day
-.It Pa /var/run/nologin
-disallows logins
-.It Pa /etc/skey.access
-skey password control table
-.It Pa /etc/skeykeys
-skey password database
.It Pa /var/run/utmp
current logins
.It Pa /var/log/lastlog
@@ -178,9 +154,8 @@ makes login quieter
.It Pa /etc/auth.conf
configure authentication services
.It Pa /etc/pam.conf
-if
.Nm
-is configured with PAM support, it uses
+uses
.Pa /etc/pam.conf
entries with service name
.Dq login
@@ -191,16 +166,12 @@ entries with service name
.Xr csh 1 ,
.Xr passwd 1 ,
.Xr rlogin 1 ,
-.Xr skey 1 ,
.Xr getpass 3 ,
.Xr fbtab 5 ,
.Xr login.access 5 ,
.Xr login.conf 5 ,
-.Xr nologin 5 ,
-.Xr skey.access 5 ,
.Xr utmp 5 ,
.Xr environ 7 ,
-.Xr nologin 8 ,
.Xr pam 8
.Sh HISTORY
A
diff --git a/usr.bin/login/login.c b/usr.bin/login/login.c
index 6fd34f5..35a5294 100644
--- a/usr.bin/login/login.c
+++ b/usr.bin/login/login.c
@@ -78,11 +78,9 @@ static const char rcsid[] =
#include <unistd.h>
#include <utmp.h>
-#ifdef USE_PAM
#include <security/pam_appl.h>
#include <security/pam_misc.h>
#include <sys/wait.h>
-#endif /* USE_PAM */
#include "pathnames.h"
@@ -92,7 +90,6 @@ static const char rcsid[] =
#endif
void badlogin __P((char *));
-void checknologin __P((void));
void dolastlog __P((int));
void getloginname __P((void));
void motd __P((char *));
@@ -105,7 +102,6 @@ void timedout __P((int));
int login_access __P((char *, char *));
void login_fbtab __P((char *, uid_t, gid_t));
-#ifdef USE_PAM
static int auth_pam __P((void));
static int export_pam_environment __P((void));
static int ok_to_export __P((const char *));
@@ -121,7 +117,7 @@ static char **environ_pam;
if ((e = pam_end(pamh, e)) != PAM_SUCCESS) \
syslog(LOG_ERR, "pam_end: %s", pam_strerror(pamh, e)); \
}
-#endif /* USE_PAM */
+
static int auth_traditional __P((void));
extern void login __P((struct utmp *));
static void usage __P((void));
@@ -158,7 +154,6 @@ main(argc, argv)
struct utmp utmp;
int rootok, retries, backoff;
int ask, ch, cnt, fflag, hflag, pflag, quietlog, rootlogin, rval;
- int changepass;
time_t warntime;
uid_t uid, euid;
gid_t egid;
@@ -167,10 +162,8 @@ main(argc, argv)
char tname[sizeof(_PATH_TTY) + 10];
char *shell = NULL;
login_cap_t *lc = NULL;
-#ifdef USE_PAM
pid_t pid;
int e;
-#endif /* USE_PAM */
(void)signal(SIGQUIT, SIG_IGN);
(void)signal(SIGINT, SIG_IGN);
@@ -343,19 +336,16 @@ main(argc, argv)
(void)setpriority(PRIO_PROCESS, 0, -4);
-#ifdef USE_PAM
/*
* Try to authenticate using PAM. If a PAM system error
* occurs, perhaps because of a botched configuration,
* then fall back to using traditional Unix authentication.
*/
if ((rval = auth_pam()) == -1)
-#endif /* USE_PAM */
rval = auth_traditional();
(void)setpriority(PRIO_PROCESS, 0, 0);
-#ifdef USE_PAM
/*
* PAM authentication may have changed "pwd" to the
* entry for the template user. Check again to see if
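Review bot: The fallback `rval = auth_traditional();` on `auth_pam() == -1` is kept, but later hunks in this commit (`@@ -404,10`, `@@ -443,21`, `@@ -705,11`) delete the non-PAM enforcement: `auth_checknologin(lc)`, the `pw_change` expiry test and the forced password change. A login that takes the fallback after a PAM system error therefore appears to bypass the nologin and password-expiry policy that PAM is now solely responsible for, unless `auth_traditional()` covers them (its body is not visible here). With PAM mandatory, it would be safer to fail closed on -1, or to keep those checks on the fallback path. At minimum the comment should say so, e.g. `/* On a PAM system error only the password is checked by the fallback; nologin and password expiry are NOT enforced. */`. main() starts and ends outside this hunk.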
@@ -363,7 +353,6 @@ main(argc, argv)
*/
if (pwd != NULL && pwd->pw_uid == 0)
rootlogin = 1;
-#endif /* USE_PAM */
ttycheck:
/*
@@ -404,10 +393,6 @@ main(argc, argv)
*/
lc = login_getpwclass(pwd);
- /* if user not super-user, check for disabled logins */
- if (!rootlogin)
- auth_checknologin(lc);
-
quietlog = login_getcapbool(lc, "hushlogin", 0);
/* Switching needed for NFS with root access disabled */
(void)setegid(pwd->pw_gid);
@@ -443,21 +428,6 @@ main(argc, argv)
ctime(&pwd->pw_expire));
}
- warntime = login_getcaptime(lc, "warnpassword", DEFAULT_WARN,
- DEFAULT_WARN);
-
- changepass = 0;
- if (pwd->pw_change) {
- if (tp.tv_sec >= pwd->pw_change) {
- (void)printf("Sorry -- your password has expired.\n");
- changepass = 1;
- syslog(LOG_INFO, "%s Password expired - forcing change",
- pwd->pw_name);
- } else if (pwd->pw_change - tp.tv_sec < warntime && !quietlog)
- (void)printf("Warning: your password expires on %s",
- ctime(&pwd->pw_change));
- }
-
if (lc != NULL) {
if (hostname) {
struct addrinfo hints, *res;
@@ -598,7 +568,6 @@ main(argc, argv)
exit(1);
}
-#ifdef USE_PAM
if (pamh) {
if ((e = pam_open_session(pamh, 0)) != PAM_SUCCESS) {
syslog(LOG_ERR, "pam_open_session: %s",
@@ -641,7 +610,6 @@ main(argc, argv)
pam_strerror(pamh, e));
}
}
-#endif /* USE_PAM */
/*
* We don't need to be root anymore, so
@@ -705,11 +673,6 @@ main(argc, argv)
(void)signal(SIGINT, SIG_DFL);
(void)signal(SIGTSTP, SIG_IGN);
- if (changepass) {
- if (system(_PATH_CHPASS) != 0)
- sleepexit(1);
- }
-
/*
* Login shells have a leading '-' in front of argv[0]
*/
@@ -751,7 +714,6 @@ auth_traditional()
return rval;
}
-#ifdef USE_PAM
/*
* Attempt to authenticate the user using PAM. Returns 0 if the user is
* authenticated, or 1 if not authenticated. If some sort of PAM system
@@ -892,7 +854,6 @@ ok_to_export(s)
}
return 1;
}
-#endif /* USE_PAM */
static void
usage()
diff --git a/usr.bin/login/pathnames.h b/usr.bin/login/pathnames.h
index 9154012..333c2ca 100644
--- a/usr.bin/login/pathnames.h
+++ b/usr.bin/login/pathnames.h
@@ -31,6 +31,7 @@
* SUCH DAMAGE.
*
* @(#)pathnames.h 8.1 (Berkeley) 6/9/93
+ * $FreeBSD$
*/
#include <paths.h>
@@ -40,4 +41,3 @@
#define _PATH_LOGACCESS "/etc/login.access"
#define _PATH_FBTAB "/etc/fbtab"
#define _PATH_LOGINDEVPERM "/etc/logindevperm"
-#define _PATH_CHPASS "/usr/bin/passwd"