summaryrefslogtreecommitdiffstats
path: root/lib/libpam/modules
Commit message (Collapse)AuthorAgeFilesLines
* Add new heimdal-1.1 library.dfr2008-05-151-2/+2
|
* Fix conflicts after heimdal-1.1 import and add build infrastructure. Importdfr2008-05-071-2/+2
| | | | all non-style changes made by heimdal to our own libgssapi.
* Adjust for OpenPAM Hydrangea.des2007-12-213-7/+7
|
* Correct documentation of ~/.opiealwaysdes2007-10-261-3/+5
| | | | | | PR: 117512 Submitted by: Jeremy C. Reed <reed@reedmedia.net> MFC after: 1 week
* - Convert NO_INSTALLLIB option to a new syntax: makefiles shouldru2007-10-201-0/+1
| | | | | | | | | | | test MK_INSTALLLIB, users can set WITHOUT_INSTALLLIB. The old NO_INSTALLLIB is still supported as several makefiles set it. - While here, fix an install when instructed not to install libs (usr.bin/lex/lib/Makefile). PR: bin/114200 Submitted by: Henrik Brix Andersen
* Apply the same error checks to PAM_TTY in pam_sm_close_session() as indes2007-07-221-1/+9
| | | | | | | | pam_sm_open_session(), avoiding false negatives when no tty is present. Submitted by: Todd C. Miller <millert@courtesan.com> Approved by: re (rwatson) MFC after: 2 weeks
* Whitespace cleanupdes2007-07-221-6/+6
| | | | Approved by: re (rwatson)
* Use the current user's login class for the decisions about whereyar2007-06-142-45/+59
| | | | | | | | | | the nologin(5) file is located and whether the user may bypass its restriction. Add some error checks. Approved by: des PR: bin/107612
* Now pam_nologin(8) will provide an account management functionyar2007-06-102-20/+11
| | | | | | | | | | | | | | | | | | | | | | | instead of an authentication function. There are a design reason and a practical reason for that. First, the module belongs in account management because it checks availability of the account and does no authentication. Second, there are existing and potential PAM consumers that skip PAM authentication for good or for bad. E.g., sshd(8) just prefers internal routines for public key auth; OTOH, cron(8) and atrun(8) do implicit authentication when running a job on behalf of its owner, so their inability to use PAM auth is fundamental, but they can benefit from PAM account management. Document this change in the manpage. Modify /etc/pam.d files accordingly, so that pam_nologin.so is listed under the "account" function class. Bump __FreeBSD_version (mostly for ports, as this change should be invisible to C code outside pam_nologin.) PR: bin/112574 Approved by: des, re
* Re-add support for NIS netgroups (heavily modified from patch in PR)des2007-05-251-4/+22
| | | | | | PR: bin/112955 Submitted by: A. Blake Cooper <blake@cluebie.net> MFC after: 3 weeks
* In account management, verify whether the account has been lockedyar2007-03-272-3/+22
| | | | | | | | | | | | | | with `pw lock', so that it's impossible to log into a locked account using an alternative authentication mechanism, such as an ssh key. This change affects only accounts locked with pw(8), i.e., having a `*LOCKED*' prefix in their password hash field, so people still can use a different pattern to disable password authentication only. Mention all account management criteria in the manpage. Approved by: maintainer (timeout) PR: bin/71147 MFC after: 1 month
* Send not only Access Request, but also Access Challenge with definedpjd2007-01-201-5/+7
| | | | | | | NAS-Identifier and NAS-IP-Address. Reviewed by: bz MFC after: 1 month
* childerr needs to be volatile so gcc won't optimize it away.des2006-11-101-1/+2
| | | | | PR: bin/85830 MFC after: 1 week
* The pam_unix module also provides password management.ru2006-10-121-7/+8
| | | | | | PR: docs/93491 Submitted by: Lior Kadosh MFC after: 3 days
* Fix build.ru2006-09-301-0/+1
|
* Reject user with names that are longer than OPIE is willing to deal with;des2006-09-151-4/+13
| | | | | | | otherwise OPIE will happily truncate it. Spotted by: ghelmer MFC after: 2 weeks
* Bump .Dd.joel2006-09-131-1/+1
| | | | Noticed by: danger
* Remove references to the pam(8) manual page. It does not exist.joel2006-09-131-1/+0
| | | | | Requested by: novel Discussed with: brueffer, simon
* Additional debugging stuff I had in my tree.des2006-08-111-3/+10
|
* Add a manual dependency on ssh_namespace.h.des2006-05-131-2/+6
| | | | Discussed with: ru
* Introduce a namespace munging hack inspired by NetBSD to avoid pollutingdes2006-05-131-1/+1
| | | | | | | | the namespace of applications which inadvertantly link in libssh (usually through pam_ssh) Suggested by: lukem@netbsd.org MFC after: 6 weeks
* There is no need to pass NULL to the pam_error() as the last argument.wkoszek2006-03-201-1/+1
| | | | | | | Remove it. Reviewed by: des Approved by: cognet (mentor)
* Fix build until I find a way to handle this case properly.ru2006-03-192-1/+2
|
* Revert last delta.ru2006-03-191-1/+1
|
* Comment out MK_PROFILE until ru@ can fix this properlyphk2006-03-191-1/+1
|
* Convert NO_PROFILE and NO_LIB32 to new style.ru2006-03-181-1/+1
|
* Reimplementation of world/kernel build options. For details, see:ru2006-03-172-3/+7
| | | | | | | | http://lists.freebsd.org/pipermail/freebsd-current/2006-March/061725.html The src.conf(5) manpage is to follow in a few days. Brought to you by: imp, jhb, kris, phk, ru (all bugs are mine)
* Add appropriate xrefs.yar2006-03-062-2/+3
| | | | MFC after: 3 days
* Since the whole login.access feature has moved to PAM,yar2006-03-061-1/+1
| | | | | | | login.access.5 will be installed from the respective PAM module's src directory. MFC after: 3 days
* Sync with src/usr.bin/login/login.access.5.yar2006-03-061-5/+1
| | | | | | | | src/usr.bin/login/login.access.5 should be removed from use because the whole login.access feature has moved to this PAM module. MFC after: 3 days
* Commenting out WARNS actually brought it up to 4.ru2005-09-281-1/+1
|
* Comment out WARNS, the OpenSSL headers don't compile cleanly on some platforms.des2005-09-281-1/+1
|
* Increase WARNS.des2005-09-261-1/+1
|
* Correct the logic for determining whether the user has already entereddes2005-09-261-4/+7
| | | | | | a password. Also, work around some harmless type pun warnings. MFC after: 3 days
* Do not use passphraseless keys for authentication unless the nullokdes2005-09-222-2/+13
| | | | | | | | option was specified. PR: bin/81231 Submitted by: "Daniel O'Connor" <doconnor@gsoft.com.au> MFC after: 3 days
* Narrow the use of user credentials.des2005-09-211-14/+10
| | | | | | Fix one case where openpam_restore_cred() might be called twice in a row. MFC after: 3 days
* When (re)allocating space for an array of pointers to char, usecperciva2005-09-191-1/+1
| | | | | | | | | | | | sizeof(*list), not sizeof(**list). (i.e., sizeof(pointer) rather than sizeof(char)). It is possible that this buffer overflow is exploitable, but it was added after RELENG_5 forked and hasn't been MFCed, so this will not receive an advisory. Submitted by: Vitezslav Novy MFC after: 1 day
* Missed one piece of the cluster's quirk. Need to override WARNS becausekensmith2005-07-081-0/+1
| | | | | | | | if _FREEFALL_CONFIG is set gcc bails since pam_sm_setcred() in pam_krb5.c no longer uses any of its parameters. Pointy hat: kensmith Approved by: re (scottl)
* This is sort of an MFS. Peter made these changes to the RELENG_*kensmith2005-07-072-0/+7
| | | | | | | | | | | | | | | | | | | branches but missed HEAD. This patch extends his a little bit, setting it up via the Makefiles so that adding _FREEFALL_CONFIG to /etc/make.conf is the only thing needed to cluster-ize things (current setup also requires overriding CFLAGS). From Peter's commit to the RELENG_* branches: > Add the freebsd.org custer's source modifications under #ifdefs to aid > keeping things in sync. For ksu: > * install suid-root by default > * don't fall back to asking for a unix password (ie: be pure kerberos) > * allow custom user instances for things like www and not just root The Makefile tweaks will be MFC-ed, the rest is already done. MFC after: 3 days Approved by: re (dwhite)
* Use the correct login class when setting a new password.des2005-07-051-1/+1
| | | | | | | PR: 65557, 72949 Submitted by: Stephen P. Cravey <clists@gotbrains.org> Approved by: re (scottl) MFC after: 2 weeks
* Assorted markup fixes.ru2005-06-151-1/+1
| | | | Approved by: re
* Don't use a cast as an lvalue.des2005-06-131-3/+3
| | | | | | | | Add a redundant test to make it painfully obvious to the reader that this code does not support IPv6. Approved by: re (dwhite) MFC after: 1 week
* Use appropriate error codes for each facility instead of just PAM_AUTH_ERR.des2005-06-101-4/+4
| | | | Noticed by: pjd
* Revert the commits that made libssh an INTERNALLIB; they caused too muchdes2005-06-071-2/+1
| | | | | | trouble, especially on amd64. Requested by: ru
* Fix libssh dependency.des2005-06-061-1/+2
|
* NI_WITHSCOPEID cleanupume2005-05-131-1/+1
| | | | Reviewed by: des
* Expand *n't contractions.ru2005-02-131-1/+1
|
* In addition to the PAM environment, export a handful of useful PAM items.des2005-02-012-8/+62
| | | | Suggested by: Ed Maste <emaste@phaedrus.sandvine.ca>
* When "no_ccache" is set as an argument to the pam_krb5 module, don'trwatson2005-01-241-0/+4
| | | | | | | | | copy the acquired TGT from the in-memory cache to the on-disk cache at login. This was documented but un-implemented behavior. MFC after: 1 week PR: bin/64464 Reported and tested by: Eric van Gyzen <vangyzen at stat dot duke dot edu>
* The final argument to verify_krb_v5_tgt() is the debug flag, not therwatson2005-01-231-2/+3
| | | | | | | | | ticket forwardable flag, so key generation of debugging output to "debug" rather than "forwardable". Update copyright. MFC after: 3 days
OpenPOWER on IntegriCloud