summaryrefslogtreecommitdiffstats
path: root/lib/libpam
Commit message (Collapse)AuthorAgeFilesLines
* .include <bsd.init.mk> instead of <bsd.own.mk>fjoe2011-11-281-3/+1
| | | | The former allows common settings from ../Makefile.inc to be used.
* Revert r227841 and part of r227798. We still build libpam in two passes,des2011-11-241-1/+10
| | | | | | but we use STATIC_CFLAGS instead of our own private .c.o rule. MFC after: 3 weeks
* Simplify the libpam build by removing the shared modules' dependencydes2011-11-212-13/+3
| | | | | | | on the shared library. The modules are loaded by the library, so we know it'll be there when we need it. MFC after: 3 weeks
* key_load_private() ignores the passphrase argument if the private keydes2011-11-201-7/+18
| | | | | | | | | | | | is unencrypted. This defeats the nullok check, because it means a non-null passphrase will successfully unlock the key. To address this, try at first to load the key without a passphrase. If this succeeds and the user provided a non-empty passphrase *or* nullok is false, reject the key. MFC after: 1 week Noticed by: Guy Helmer <guy.helmer@palisadesystems.com>
* Ensure pam_lastlog removes the /dev/ component of the TTY name.ed2011-11-071-0/+5
| | | | | | | | | | Some consumers of PAM remove the /dev/ component (i.e. login), while others don't (i.e. su). We must ensure that the /dev/ component is removed to ensure that the utmpx entries properly work with tools such as w(1). Discussed with: des MFC after: 1 week
* Remove an unused variable from pam_unix.ed2011-11-051-2/+0
| | | | | | | | This variable was added in r82352 back in 2001, but even then it didn't have any use. Because it's not marked static, the C compiler won't complain about it. Discussed with: des
* Note that pam_unix(8) does not respect PAM_CHANGE_EXPIRED_AUTHTOK.des2011-11-021-0/+6
|
* Revert the previous commit and add a comment explaining why it was wrong.des2011-10-221-2/+14
|
* openpam_static.c isn't auto-generated.des2011-10-221-5/+2
|
* Load the ECDSA key if there is one.des2011-10-072-2/+7
| | | | MFC after: 1 week
* Mention the name of the module in warning messages.des2011-03-121-2/+2
|
* Add "ruser" and "luser" options. The former corresponds to the currentdes2011-03-122-5/+35
| | | | | | | | | | behavior, where the module checks that the supplicant is a member of the required group. The latter checks the target user instead. If neither option was specified, pam_group(8) assumes "ruser" and issues a warning. I intend to eventually change the default to "luser" to match the behavior of similarly-named service modules in other operating systems. MFC after: 1 month
* No newline required.des2011-03-091-2/+2
| | | | MFC after: 2 weeks
* Add <time.h> for ctime(), which we accidentally picked up throughdes2010-11-221-0/+1
| | | | | | | <sys/time.h>. Submitted by: Garrett Cooper <yanegomi@gmail.com> MFC after: 3 days
* Bump .Dd date.delphij2010-05-031-1/+1
| | | | Forgotten by: delphij
* Code indent according to style(9).mm2010-05-031-23/+23
| | | | | | | PR: bin/146186 Submitted by: myself Approved by: delphij (mentor) MFC after: 2 weeks
* Implement the no_user_check option to pam_krb5.mm2010-05-032-1/+12
| | | | | | | | | | | | | | | This option is available in the Linux implementation of pam_krb5 and allows to authorize a user not known to the local system. Ccache is not used as we don't have a secure uid/gid for the cache file. Usable for authentication of external kerberos users (e.g Active Directory) via PAM from applications like Cyrus saslauthd, PHP or perl. PR: bin/146186 Submitted by: myself Approved by: deplhij (mentor) MFC after: 2 weeks
* Upgrade to OpenSSH 5.4p1.des2010-03-091-0/+3
| | | | MFC after: 1 month
* Remove redundant WARNS?=6 overrides and inherit the WARNS setting fromuqs2010-03-022-1/+2
| | | | | | | | the toplevel directory. This does not change any WARNS level and survives a make universe. Approved by: ed (co-mentor)
* Always assign WARNS using ?=uqs2010-03-021-1/+1
| | | | | | | - fix some nearby style bugs - include Makefile.inc where it makes sense and reduces duplication Approved by: ed (co-mentor)
* %U was macroized in mdoc(7), escape.ru2010-02-161-1/+1
|
* Respect passwordtime from login.conf if set.des2010-02-021-2/+9
| | | | | | PR: bin/93473 Submitted by: Björn König <bkoenig@cs.tu-berlin.de> MFC after: 1 week
* Remove stale references to utmp(5) and its corresponding filenames.ed2010-01-211-7/+2
| | | | I removed utmp and its manpage, but not other manpages referring to it.
* Let pam_lastlog use random ut_id's.ed2010-01-182-14/+42
| | | | | | | | | | | | | | | | | By using random values for ut_id, not based on the TTY name, it is possible to run for example login(1) multiple times on the same TTY, without overwriting any previous records. The output of w(1) will then be as follows: | 12:26PM up 2 days, 2:31, 5 users, load averages: 0.01, 0.03, 0.03 | USER TTY FROM LOGIN@ IDLE WHAT | ed pts/2 mekker.80386.nl 12:26PM - w | root pts/2 - 12:26PM - w | root pts/2 - 12:26PM - w | root pts/2 - 12:26PM - w Approved by: des
* Unbreak builds with _FREEFALL_CONFIG=yes, by forcing a lower WARNSmarcel2010-01-171-0/+1
| | | | level in that case.
* Let pam_lastlog use utmpx instead of libulog's utmpx interface.ed2010-01-131-5/+6
| | | | | It will still use ulog_login(3) and ulog_logout(3), which will remain present.
* Build lib/ with WARNS=6 by default.ed2010-01-025-5/+4
| | | | | | | | | Similar to libexec/, do the same with lib/. Make WARNS=6 the norm and lower it when needed. I'm setting WARNS?=0 for secure/. It seems secure/ includes the Makefile.inc provided by lib/. I'm not going to touch that directory. Most of the code there is contributed anyway.
* Several refinements to libulog's API.ed2009-12-261-1/+1
| | | | | | | | | - Only set the fields in the ulog_utmpx structure that are valid for the command in question. This means that strings like "shutdown" or "~" are not visible to the user anymore. - Rename UTXF_* to UTXI_*, indicating the indexation, instead of using the `antique' filename. If we ever get rid of utmp, it makes little sense calling it by its old name.
* Convert pam_lastlog(8) to libulog.ed2009-12-112-84/+22
| | | | | | | | | | | The information used by the "Last login:"-line is obtained by using ulog_setutxfile(3) to switch to the lastlog database. Login and logout are performed using the utility functions ulog_login(3) and ulog_logout(3). This also means we must build libulog during bootstrap. Approved by: des
* Note that nullok should not be used by processes that can't access thedes2009-11-131-0/+11
| | | | | | | password database. PR: bin/126650, misc/140514 MFC after: 1 week
* pam_ssh needs roaming_dummy to link correctly against libssh.des2009-10-051-0/+3
|
* Prevents pam_lastlog from segfaulting on session close when tty is null.jon2009-08-301-0/+5
| | | | MFC after: 1 month
* Bump the version of all non-symbol-versioned shared libraries inkensmith2009-07-191-1/+1
| | | | | | | | preparation for 8.0-RELEASE. Add the previous version of those libraries to ObsoleteFiles.inc and bump __FreeBSD_Version. Reviewed by: kib Approved by: re (rwatson)
* Rewrap; this was getting painful. Translators can ignore this.des2009-06-201-59/+36
| | | | MFC after: 1 week
* Reword.des2009-06-201-4/+2
| | | | MFC after: 1 week
* Include <stdio.h> for asprintf().ed2009-06-141-0/+1
| | | | Submitted by: Pawel Worach
* Don't try to auto-detect dynamic linking; it fails on mips. The Makefiledes2009-02-171-0/+3
| | | | | | part of the patch is an ugly (and hopefully temporary) hack. Discussed with: imp@
* Add new heimdal-1.1 library.dfr2008-05-151-2/+2
|
* Fix conflicts after heimdal-1.1 import and add build infrastructure. Importdfr2008-05-071-2/+2
| | | | all non-style changes made by heimdal to our own libgssapi.
* Adjust for OpenPAM Hydrangea.des2007-12-214-7/+8
|
* Correct documentation of ~/.opiealwaysdes2007-10-261-3/+5
| | | | | | PR: 117512 Submitted by: Jeremy C. Reed <reed@reedmedia.net> MFC after: 1 week
* - Convert NO_INSTALLLIB option to a new syntax: makefiles shouldru2007-10-201-0/+1
| | | | | | | | | | | test MK_INSTALLLIB, users can set WITHOUT_INSTALLLIB. The old NO_INSTALLLIB is still supported as several makefiles set it. - While here, fix an install when instructed not to install libs (usr.bin/lex/lib/Makefile). PR: bin/114200 Submitted by: Henrik Brix Andersen
* Apply the same error checks to PAM_TTY in pam_sm_close_session() as indes2007-07-221-1/+9
| | | | | | | | pam_sm_open_session(), avoiding false negatives when no tty is present. Submitted by: Todd C. Miller <millert@courtesan.com> Approved by: re (rwatson) MFC after: 2 weeks
* Whitespace cleanupdes2007-07-221-6/+6
| | | | Approved by: re (rwatson)
* - Bump share library version which were missed in last bumprafan2007-06-181-1/+1
| | | | | | Reported by: jhb Discussed with: deischen, des, doubg, harti Approved by: re (kensmith)
* Use the current user's login class for the decisions about whereyar2007-06-142-45/+59
| | | | | | | | | | the nologin(5) file is located and whether the user may bypass its restriction. Add some error checks. Approved by: des PR: bin/107612
* Now pam_nologin(8) will provide an account management functionyar2007-06-102-20/+11
| | | | | | | | | | | | | | | | | | | | | | | instead of an authentication function. There are a design reason and a practical reason for that. First, the module belongs in account management because it checks availability of the account and does no authentication. Second, there are existing and potential PAM consumers that skip PAM authentication for good or for bad. E.g., sshd(8) just prefers internal routines for public key auth; OTOH, cron(8) and atrun(8) do implicit authentication when running a job on behalf of its owner, so their inability to use PAM auth is fundamental, but they can benefit from PAM account management. Document this change in the manpage. Modify /etc/pam.d files accordingly, so that pam_nologin.so is listed under the "account" function class. Bump __FreeBSD_version (mostly for ports, as this change should be invisible to C code outside pam_nologin.) PR: bin/112574 Approved by: des, re
* Re-add support for NIS netgroups (heavily modified from patch in PR)des2007-05-251-4/+22
| | | | | | PR: bin/112955 Submitted by: A. Blake Cooper <blake@cluebie.net> MFC after: 3 weeks
* In account management, verify whether the account has been lockedyar2007-03-272-3/+22
| | | | | | | | | | | | | | with `pw lock', so that it's impossible to log into a locked account using an alternative authentication mechanism, such as an ssh key. This change affects only accounts locked with pw(8), i.e., having a `*LOCKED*' prefix in their password hash field, so people still can use a different pattern to disable password authentication only. Mention all account management criteria in the manpage. Approved by: maintainer (timeout) PR: bin/71147 MFC after: 1 month
* Send not only Access Request, but also Access Challenge with definedpjd2007-01-201-5/+7
| | | | | | | NAS-Identifier and NAS-IP-Address. Reviewed by: bz MFC after: 1 month
OpenPOWER on IntegriCloud