| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
| |
is an internal Linux-PAM header which shouldn't be used outside Linux-PAM
itself, and has absolutely zero effect on pam_ftp.
Sponsored by: DARPA, NAI Labs
MFC after: 1 week
|
| |
|
|
| |
Sponsored by: DARPA, NAI Labs
|
| |
|
|
| |
Sponsored by: DARPA, NAI Labs
|
| |
|
|
|
|
| |
code made redundant by various PAM modules (primarily pam_unix(8)).
Sponsored by: DARPA, NAI Labs
|
| |
|
|
|
|
| |
login(1) (password & account expiry, hosts.access etc.) into pam_unix(8).
Sponsored by: DARPA, NAI Labs
|
| |
|
|
|
|
|
|
| |
it a little and try to make it more resilient to various possible failure
conditions. Change the man page accordingly, and take advantage of this
opportunity to simplify its language.
Sponsored by: DARPA, NAI Labs
|
| |
|
|
| |
warnings that are hard to fix or that I've been asked to leave alone.
|
| |
|
|
|
|
|
| |
caller is supposed to check the PAM envlist and export the variables it
contains; if it doesn't, it's broken.
Sponsored by: DARPA, NAI Labs
|
| |
|
|
|
|
|
|
|
|
|
| |
doesn't really make any difference, except it matches wtmp(5) better.
Don't do anything in pam_sm_close_session(); init(8) will take care of
utmp and wtmp when the tty is released. Clearing them here would make it
possible to create a ghost session by logging in, running 'login -f $USER'
and exiting the subshell.
Sponsored by: DARPA, NAI Labs (but the bugs are all mine)
|
| |
|
|
|
|
| |
login.
Sponsored by: DARPA, NAI Labs
|
| |
|
|
| |
login.
|
| |
|
|
| |
Sponsored by: DARPA, NAI Labs
|
| |
|
|
| |
Sponsored by: DARPA, NAI Labs
|
| |
|
|
| |
Sponsored by: DARPA, NAI Labs
|
| |
|
|
| |
Sponsored by: DARPA, NAI Labs
|
| |
|
|
| |
Sponsored by: DARPA, NAI Labs
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
either PAM_RHOST or PAM_TTY against /etc/login.access.o
This uncovers a problem with PAM_RHOST, in that if we always set it, there
is no way to distinguish between a user logging in locally and a user
logging in using 'ssh localhost'. This will be fixed by first making sure
that all PAM modules can handle PAM_RHOST being unset (which is currently
not the case), and then modifying su(1) and login(1) to not set it for
local logins.
Sponsored by: DARPA, NAI Labs
|
| |
|
|
| |
Sponsored by: DARPA, NAI Labs
|
| |
|
|
|
|
|
|
|
|
|
| |
- Spam /usr/lib some more by making libssh a standard library.
- Tweak ${LIBPAM} and ${MINUSLPAM}.
- Garbage collect unused libssh_pic.a.
- Add fake -lz dependency to secure/ makefiles needed for
dynamic linkage with -lssh.
Reviewed by: des, markm
Approved by: markm
|
| |
|
|
| |
Sponsored by: DARPA, NAI Labs
|
| |
|
|
|
| |
Reviewed by: des, markm
Approved by: markm
|
| |
|
|
| |
Sponsored by: DARPA, NAI Labs
|
| |
|
|
|
|
|
| |
existed, but had no OPIE key, i.e. PAM_IGNORE.
Pointed out by: ache
Sponsored by: DARPA, NAI Labs
|
| |
|
|
|
|
|
| |
PAM_USER_UNKNOWN will break the chain, revealing to an attacker that the
user does not exist.
Sponsored by: DARPA, NAI Labs
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
- Ignore the {try,use}_first_pass options by clearing PAM_AUTHTOK before
challenging the user. These options are meaningless for pam_opie(8)
since the user can't possibly know the right response before she sees
the challenge.
- Introduce the no_fake_prompts option. If this option is set, pam_opie(8)
will fail - rather than present a bogus challenge - if the target user
does not have an OPIE key. With this option, users who haven't set up
OPIE won't have to wonder what that "weird otp-md5 s**t" means :)
Reviewed by: ache, markm
Sponsored by: DARPA, NAI Labs
|
| |
|
|
|
|
|
|
| |
/etc/opieaccess and ~/.opiealways so we can decide what to do after
pam_opie(8) fails.
Sponsored by: DARPA, NAI Labs
Reviewed by: ache, markm
|
| |
|
|
|
|
| |
Add getpwnam return check
Approved by: des, markm
|
| | |
|
| |
|
|
|
| |
of producing fake prompts with random numbers which can be detected by
potential intruder in two tries and totally confuse non-OPIE users.
|
| |
|
|
| |
old expired password assumed there
|
| |
|
|
| |
indicate die case, different from PAM_SUCCESS and PAM_AUTH_ERR
|
| |
|
|
|
|
| |
Replace snprintf %s with strlcpy
Check for NULL returned from getpwnam()
|
| |
|
|
|
| |
srandomdev() can't be used in libraries, replace srandomdev()+random()
by arc4random()
|
| | |
|
| | |
|
| |
|
|
| |
as supposed by opieaccessfile() and opiealways()
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
| |
of the recent WARNS commits. The idea is:
1) FreeBSD id tags should follow vendor tags.
2) Vendor tags should not be compiled (though copyrights probably should).
3) There should be no blank line between including cdefs and __FBSDIF.
|
| |
|
|
| |
Requested by: ru
|
| | |
|
| |
|
|
| |
Sponsored by: DARPA, NAI Labs
|
| |
|
|
|
|
|
| |
do not actually want to define PAM_READ_BOTH_CONFS, so back out previous
commit.
Sponsored by: DARPA, NAI Labs
|
| |
|
|
|
| |
Pointed out by: jhay
Pointy hat to: des
|
| |
|
|
|
|
| |
/etc/pam.conf.
Sponsored by: DARPA, NAI Labs
|
| |
|
|
| |
Sponsored by: DARPA, NAI Labs
|
| |
|
|
|
|
|
| |
rather than PAM_SUCCESS, so you'll get a failure if you list dummies but
no real modules for a particular module chain.
Sponsored by: DARPA, NAI Labs
|
| |
|
|
| |
Sponsored by: DARPA, NAI Labs
|
| |
|
|
|
|
| |
and remote user names are the same.
Sponsored by: DARPA, NAI Labs
|
| |
|
|
| |
cleaning-up.
|
