-rw-r--r-- | UPDATING | 18 | ||||
-rw-r--r-- | etc/pam.d/ftpd | 2 | ||||
-rw-r--r-- | etc/pam.d/gdm | 2 | ||||
-rw-r--r-- | etc/pam.d/imap | 4 | ||||
-rw-r--r-- | etc/pam.d/kde | 2 | ||||
-rw-r--r-- | etc/pam.d/login | 2 | ||||
-rw-r--r-- | etc/pam.d/other | 2 | ||||
-rw-r--r-- | etc/pam.d/pop3 | 4 | ||||
-rw-r--r-- | etc/pam.d/rsh | 2 | ||||
-rw-r--r-- | etc/pam.d/sshd | 2 | ||||
-rw-r--r-- | etc/pam.d/telnetd | 2 | ||||
-rw-r--r-- | etc/pam.d/xdm | 2 | ||||
-rw-r--r-- | lib/libpam/modules/pam_nologin/pam_nologin.8 | 19 | ||||
-rw-r--r-- | lib/libpam/modules/pam_nologin/pam_nologin.c | 12 | ||||
-rw-r--r-- | sys/sys/param.h | 2 |
15 files changed, 45 insertions, 32 deletions
@@ -21,6 +21,24 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 7.x IS SLOW: developers choose to disable these features on build machines to maximize performance. +20070610: + The pam_nologin(8) module ceases to provide an authentication + function and starts providing an account management function. + Consequent changes to /etc/pam.d should be brought in using + mergemaster(8). Third-party files in /usr/local/etc/pam.d may + need manual editing as follows. Locate this line (or similar): + + auth required pam_nologin.so no_warn + + and change it according to this example: + + account required pam_nologin.so no_warn + + That is, the first word needs to be changed from "auth" to + "account". The new line can be moved to the account section + within the file for clarity. Not updating pam.conf(5) files + will result in nologin(5) ignored by the respective services. + 20070529: The ether_ioctl() function has been synchronized with ioctl(2) and ifnet.if_ioctl. Due to that, the size of one of its arguments diff --git a/etc/pam.d/ftpd b/etc/pam.d/ftpd index d248f00..632c973 100644 --- a/etc/pam.d/ftpd +++ b/etc/pam.d/ftpd @@ -5,7 +5,6 @@ # # auth -auth required pam_nologin.so no_warn auth sufficient pam_opie.so no_warn no_fake_prompts auth requisite pam_opieaccess.so no_warn allow_local #auth sufficient pam_krb5.so no_warn @@ -13,6 +12,7 @@ auth requisite pam_opieaccess.so no_warn allow_local auth required pam_unix.so no_warn try_first_pass # account +account required pam_nologin.so #account required pam_krb5.so account required pam_unix.so diff --git a/etc/pam.d/gdm b/etc/pam.d/gdm index 08391e6..b588aa7 100644 --- a/etc/pam.d/gdm +++ b/etc/pam.d/gdm @@ -5,12 +5,12 @@ # # auth -auth required pam_nologin.so no_warn #auth sufficient pam_krb5.so no_warn try_first_pass #auth sufficient pam_ssh.so no_warn try_first_pass auth required pam_unix.so no_warn try_first_pass # account +account required pam_nologin.so #account required pam_krb5.so account required pam_unix.so 
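Review bot: The new `account required pam_nologin.so` line in etc/pam.d/ftpd drops the `no_warn` option that the removed `auth` line carried, while the UPDATING entry in this same commit tells administrators to write `account required pam_nologin.so no_warn`. If the drop is deliberate (so that a refused user is told why, per the option's description in pam_nologin.8), the UPDATING example should match; if not, the option should be restored here. The same applies to gdm, kde, login, other, rsh, sshd, telnetd and xdm, and to the commented-out lines in imap and pop3. The shipped files and the migration advice should end up with the same line, since third-party files will be edited by copying that example.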
diff --git a/etc/pam.d/imap b/etc/pam.d/imap index cba8af9..6254d14 100644 --- a/etc/pam.d/imap +++ b/etc/pam.d/imap @@ -5,7 +5,9 @@ # # auth -#auth required pam_nologin.so no_warn #auth sufficient pam_krb5.so no_warn try_first_pass #auth sufficient pam_ssh.so no_warn try_first_pass auth required pam_unix.so no_warn try_first_pass + +# account +#account required pam_nologin.so diff --git a/etc/pam.d/kde b/etc/pam.d/kde index 5390183..a384d62 100644 --- a/etc/pam.d/kde +++ b/etc/pam.d/kde @@ -5,12 +5,12 @@ # # auth -auth required pam_nologin.so no_warn #auth sufficient pam_krb5.so no_warn try_first_pass #auth sufficient pam_ssh.so no_warn try_first_pass auth required pam_unix.so no_warn try_first_pass # account +account required pam_nologin.so #account required pam_krb5.so account required pam_unix.so diff --git a/etc/pam.d/login b/etc/pam.d/login index a4c6628..287036d 100644 --- a/etc/pam.d/login +++ b/etc/pam.d/login @@ -5,12 +5,12 @@ # # auth -auth required pam_nologin.so no_warn auth sufficient pam_self.so no_warn auth include system # account account requisite pam_securetty.so +account required pam_nologin.so account include system # session diff --git a/etc/pam.d/other b/etc/pam.d/other index e4ddf7e..c86239c 100644 --- a/etc/pam.d/other +++ b/etc/pam.d/other @@ -5,7 +5,6 @@ # # auth -auth required pam_nologin.so no_warn auth sufficient pam_opie.so no_warn no_fake_prompts auth requisite pam_opieaccess.so no_warn allow_local #auth sufficient pam_krb5.so no_warn try_first_pass @@ -13,6 +12,7 @@ auth requisite pam_opieaccess.so no_warn allow_local auth required pam_unix.so no_warn try_first_pass # account +account required pam_nologin.so #account required pam_krb5.so account required pam_login_access.so account required pam_unix.so diff --git a/etc/pam.d/pop3 b/etc/pam.d/pop3 index 34d6cc0..c5e93ce 100644 --- a/etc/pam.d/pop3 +++ b/etc/pam.d/pop3 
@@ -5,7 +5,9 @@ # # auth -#auth required pam_nologin.so no_warn #auth sufficient pam_krb5.so no_warn try_first_pass #auth sufficient pam_ssh.so no_warn try_first_pass auth required pam_unix.so no_warn try_first_pass + +# account +#account required pam_nologin.so diff --git a/etc/pam.d/rsh b/etc/pam.d/rsh index 02c0048..9e562e0 100644 --- a/etc/pam.d/rsh +++ b/etc/pam.d/rsh @@ -5,10 +5,10 @@ # # auth -auth required pam_nologin.so no_warn auth required pam_rhosts.so no_warn # account +account required pam_nologin.so account required pam_unix.so # session diff --git a/etc/pam.d/sshd b/etc/pam.d/sshd index cf3e0f0..46f536c 100644 --- a/etc/pam.d/sshd +++ b/etc/pam.d/sshd @@ -5,7 +5,6 @@ # # auth -auth required pam_nologin.so no_warn auth sufficient pam_opie.so no_warn no_fake_prompts auth requisite pam_opieaccess.so no_warn allow_local #auth sufficient pam_krb5.so no_warn try_first_pass @@ -13,6 +12,7 @@ auth requisite pam_opieaccess.so no_warn allow_local auth required pam_unix.so no_warn try_first_pass # account +account required pam_nologin.so #account required pam_krb5.so account required pam_login_access.so account required pam_unix.so diff --git a/etc/pam.d/telnetd b/etc/pam.d/telnetd index 3ebee20..535afc2 100644 --- a/etc/pam.d/telnetd +++ b/etc/pam.d/telnetd @@ -5,7 +5,6 @@ # # auth -auth required pam_nologin.so no_warn auth sufficient pam_opie.so no_warn no_fake_prompts auth requisite pam_opieaccess.so no_warn allow_local #auth sufficient pam_krb5.so no_warn try_first_pass @@ -13,6 +12,7 @@ auth requisite pam_opieaccess.so no_warn allow_local auth required pam_unix.so no_warn try_first_pass # account +account required pam_nologin.so #account required pam_krb5.so account required pam_login_access.so account required pam_unix.so diff --git a/etc/pam.d/xdm b/etc/pam.d/xdm index 0a1c78e..b883de7 100644 --- a/etc/pam.d/xdm +++ b/etc/pam.d/xdm 
@@ -5,12 +5,12 @@ # # auth -auth required pam_nologin.so no_warn #auth sufficient pam_krb5.so no_warn try_first_pass #auth sufficient pam_ssh.so no_warn try_first_pass auth required pam_unix.so no_warn try_first_pass # account +account required pam_nologin.so #account required pam_krb5.so account required pam_unix.so diff --git a/lib/libpam/modules/pam_nologin/pam_nologin.8 b/lib/libpam/modules/pam_nologin/pam_nologin.8 index a2c5990..e38be71 100644 --- a/lib/libpam/modules/pam_nologin/pam_nologin.8 +++ b/lib/libpam/modules/pam_nologin/pam_nologin.8 @@ -24,7 +24,7 @@ .\" .\" $FreeBSD$ .\" -.Dd July 8, 2001 +.Dd June 10, 2007 .Dt PAM_NOLOGIN 8 .Os .Sh NAME @@ -37,19 +37,18 @@ .Pa pam_nologin .Op Ar options .Sh DESCRIPTION -The NoLogin authentication service module for PAM, +The NoLogin service module for PAM, .Nm provides functionality for only one PAM category: -authentication. +account management. In terms of the .Ar module-type parameter, this is the -.Dq Li auth +.Dq Li account feature. -It also provides a null function for session management. -.Ss NoLogin Authentication Module -The NoLogin authentication component -.Pq Fn pam_sm_authenticate , +.Ss NoLogin Account Management Module +The NoLogin account management component, +.Fn pam_sm_acct_mgmt , always returns success for the superuser, and returns success for all other users if the file @@ -69,7 +68,7 @@ is used instead. This usually defaults to .Pa /var/run/nologin . .Pp -The following options may be passed to the authentication module: +The following options may be passed to the module: .Bl -tag -width ".Cm no_warn" .It Cm debug .Xr syslog 3 @@ -80,7 +79,7 @@ level. suppress warning messages to the user. These messages include reasons why the user's -authentication attempt was declined. +login attempt was declined. .El .Sh SEE ALSO .Xr syslog 3 , diff --git a/lib/libpam/modules/pam_nologin/pam_nologin.c b/lib/libpam/modules/pam_nologin/pam_nologin.c index 2145688..f4b28e5 100644 
--- a/lib/libpam/modules/pam_nologin/pam_nologin.c +++ b/lib/libpam/modules/pam_nologin/pam_nologin.c @@ -46,7 +46,7 @@ __FBSDID("$FreeBSD$"); #include <stdlib.h> #include <unistd.h> -#define PAM_SM_AUTH +#define PAM_SM_ACCOUNT #include <security/pam_appl.h> #include <security/pam_modules.h> @@ -57,7 +57,7 @@ __FBSDID("$FreeBSD$"); static char nologin_def[] = NOLOGIN; PAM_EXTERN int -pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, +pam_sm_acct_mgmt(pam_handle_t *pamh, int flags __unused, int argc __unused, const char *argv[] __unused) { login_cap_t *lc; @@ -111,12 +111,4 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, return (retval); } -PAM_EXTERN int -pam_sm_setcred(pam_handle_t *pamh __unused, int flags __unused, - int argc __unused, const char *argv[] __unused) -{ - - return (PAM_SUCCESS); -} - PAM_MODULE_ENTRY("pam_nologin"); diff --git a/sys/sys/param.h b/sys/sys/param.h index f5fcaf4..42f935b 100644 --- a/sys/sys/param.h +++ b/sys/sys/param.h @@ -57,7 +57,7 @@ * is created, otherwise 1. */ #undef __FreeBSD_version -#define __FreeBSD_version 700044 /* Master, propagated to newvers */ +#define __FreeBSD_version 700045 /* Master, propagated to newvers */ #ifndef LOCORE #include <sys/types.h> |
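Review bot: With `pam_sm_authenticate` renamed to `pam_sm_acct_mgmt` and `PAM_SM_AUTH` replaced by `PAM_SM_ACCOUNT`, the module exports no auth entry point, and the UPDATING text in this commit says a leftover `auth required pam_nologin.so` line results in nologin(5) being ignored, so a stale third-party file fails open without any signal. How the PAM library handles the missing entry point is not visible here, so it is worth confirming that it at least logs the stale entry; if it does not, a transitional auth function that logs and refuses would make the misconfiguration visible. At minimum I would add above the function `/* nologin(5) is enforced from the account stack only; an "auth" entry for this module no longer checks it (see UPDATING 20070610). */`. A service that authenticates but never runs account management would presumably skip the check as well, which may deserve a sentence in pam_nologin.8. The body of `pam_sm_acct_mgmt` lies between the hunks and is not shown.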