path: root/lib/libpam
Commit message [Author, Age, Files, Lines]
* Fail rather than segfault if neither PAM_TTY nor PAM_RHOST is set. [des, 2014-09-08, 1, -7/+10]
  PR: 83099
  MFC after: 3 days
* According to opie code and even direct mention in opie(4) challenge buffer [ache, 2014-08-12, 1, -1/+1]
  size must be OPIE_CHALLENGE_MAX + 1, not OPIE_CHALLENGE_MAX
  Reviewed by: des
  MFC after: 1 week
* Rework privatelib/internallib [bapt, 2014-08-06, 1, -1/+1]
  Make sure everything linking to a privatelib and/or an internallib does it directly from the OBJDIR rather than DESTDIR.
  Add src.libnames.mk so bsd.libnames.mk is not polluted by libraries not existing in final installation
  Introduce the LD* variable which is what ld(1) is expecting (via LDADD) to link to internal/privatelib
  Directly link to the .so in case of private library to avoid having to complexify LDFLAGS.
  Phabric: https://phabric.freebsd.org/D553
  Reviewed by: imp, emaste
* Remove useless getpwnam() call. [des, 2014-07-26, 1, -3/+1]
  Submitted by: Arthur Mesh <amesh@juniper.net>
  MFC after: 1 week
* Add support for the "account" facility. [des, 2014-07-19, 2, -5/+25]
  PR: 115164
  MFC after: 1 week
* Check if the specified group is the user's primary group before [des, 2014-07-19, 1, -6/+4]
  iterating over the (possibly empty) list of members. Otherwise, we get a false negative when the target group has no members listed in /etc/group. This went mostly unnoticed because root is explicitly listed as a member of wheel, so the bug is never triggered in the most common use case, which is su(8).
  PR: 109416
  MFC after: 1 week
* mdoc: remove superfluous paragraph macros. [joel, 2014-06-23, 1, -1/+0]
* use .Mt to mark up email addresses consistently (part3) [bapt, 2014-06-23, 4, -8/+8]
  PR: 191174
  Submitted by: Franco Fichtner <franco at lastsummer.de>
* Use src.opts.mk in preference to bsd.own.mk except where we need stuff [imp, 2014-05-06, 2, -1/+2]
  from the latter.
* Spell NO_PROFILE= as MK_PROFILE=no. [imp, 2014-04-25, 2, -2/+2]
* Kill last remaining NO_INSTALLLIB in tree by converting it over to [imp, 2014-04-25, 1, -1/+1]
  MK_INSTALLIB=no.
* multiple: Remove 3rd clause from BSD license where approved by the [eadler, 2014-03-14, 2, -10/+2]
  regents and renumber.
  This patch skips files in contrib/ and crypto/
  Acked by: imp
  Discussed with: emaste
* Catch up with OpenPAM Nummularia. [pluknet, 2013-11-21, 1, -1/+1]
  This fixes libpam for build32 target to dlopen() pam libraries in /usr/lib32.
  Reviewed by: des (a while ago)
  MFC after: 1 week
* Make libldns and libssh private. [des, 2013-09-08, 1, -0/+1]
  Approved by: re (blanket)
* Update to OpenPAM Nummularia. [des, 2013-09-07, 1, -1/+6]
|\
| * Vendor import of OpenPAM Nummularia. [des, 2013-09-07, 84, -424/+1225]
| |
* | MFV (r255364): move the code around in preparation for Nummularia. [des, 2013-09-07, 1, -1/+1]
|\ \
| |/
| * Prepare for OpenPAM Nummularia by reorganizing to match its new directory [des, 2013-09-07, 76, -0/+8843]
| | structure.
* Make the PAM password strength checking module WARNS=2 safe. [will, 2013-08-27, 1, -1/+1]
  lib/libpam/modules/pam_passwdqc/Makefile:
    Bump WARNS to 2.
  contrib/pam_modules/pam_passwdqc/pam_passwdqc.c:
    Bump _XOPEN_SOURCE and _XOPEN_VERSION from 500 to 600 so that vsnprint() is declared.
    Use the two new union types (pam_conv_item_t and pam_text_item_t) to resolve strict aliasing violations caused by casts to comply with the pam_get_item() API taking a "const void **" for all item types. Warnings are generated for casts that create "type puns" (pointers of conflicting sized types that are set to access the same memory location) since these pointers may be used in ways that violate C's strict aliasing rules. Casts to a new type must be performed through a union in order to be compliant, and access must be performed through only one of the union's data types during the lifetime of the union instance. Handle strict-aliasing warnings through pointer assignments, which drastically simplifies this change.
    Correct a CLANG "printf-like function with more arguments than format" error.
  Submitted by: gibbs
  Sponsored by: Spectra Logic
* GC unused source file. [des, 2013-08-16, 1, -178/+0]
* Backport upstream r684 (OPENPAM_DEBUG enables debugging macros but does [des, 2013-04-14, 1, -3/+1]
  not turn debugging on by default) and add OPENPAM_DEBUG to CFLAGS.
* Fix declaration vs. definition inconsistency. No functional change. [jkim, 2013-04-05, 1, -3/+3]
* remove duplicate semicolons where possible. [eadler, 2012-10-22, 1, -1/+1]
  Approved by: cperciva
  MFC after: 1 week
* Remove unnecessary #include. [des, 2012-09-28, 1, -1/+0]
* Bump date missed in r202756 [eadler, 2012-09-14, 1, -1/+1]
  PR: docs/171624
  Submitted by: bdrewery
  Approved by: gabor
  MFC after: 3 days
* Fix an instance in pam_krb5(8), where the variable 'user' could be used [dim, 2012-08-06, 1, -2/+2]
  uninitialized.
  Found by: clang 3.2
  Reviewed by: des
  MFC after: 1 week
* Fix two instances in pam_krb5(8), where the variable 'princ_name' could [dim, 2012-08-06, 1, -4/+4]
  be used uninitialized.
  Found by: clang 3.2
  Reviewed by: des
  MFC after: 1 week
* Add an option for pam_krb5 to allow it to authenticate users which don't have [dfr, 2012-08-05, 1, -4/+7]
  a local account.
  PR: 76678
  Submitted by: daved at tamu.edu
  MFC after: 2 weeks
* Update to OpenPAM Micrampelis. [des, 2012-05-26, 1, -2/+15]
* Passing NULL as a key causes a segfault when loading SSH 1 keys. Use [des, 2012-05-26, 1, -1/+1]
  an empty string instead.
* Fixes to man8 groff mandoc style, usage mistakes, or typos. [wblock, 2012-05-24, 1, -2/+2]
  PR: 168016
  Submitted by: Nobuyuki Koganemaru
  Approved by: gjb
  MFC after: 3 days
* Fix error messages containing the executed command name [dumbbell, 2012-04-12, 1, -31/+77]
  Before, we took the first argument to pam_exec(8). With the addition of options in front of the command, this could be wrong.
  Now, options are parsed before calling _pam_exec() and messages contain the proper command name.
  While here, fix a warning.
  Sponsored by: Yakaz (http://www.yakaz.com)
* Remove trailing whitespace per mdoc lint warning [eadler, 2012-03-29, 1, -1/+1]
  Discussed with: gavin
  No objection from: doc
  Approved by: joel
  MFC after: 3 days
* Use program exit status as pam_exec return code (optional) [dumbbell, 2012-03-26, 2, -38/+362]
  pam_exec(8) now accepts a new option "return_prog_exit_status". When set, the program exit status is used as the pam_exec return code. It allows the program to tell why the step failed (eg. user unknown). However, if it exits with a code not allowed by the calling PAM service module function (see $PAM_SM_FUNC below), a warning is logged and PAM_SERVICE_ERR is returned.
  The following changes are related to this new feature but they apply no matter if the "return_prog_exit_status" option is set or not.
  The environment passed to the program is extended:
    o $PAM_SM_FUNC contains the name of the PAM service module function (eg. pam_sm_authenticate).
    o All valid PAM return codes' numerical values are available through variables named after the return code name. For instance, $PAM_SUCCESS, $PAM_USER_UNKNOWN or $PAM_PERM_DENIED.
  pam_exec return code better reflects what went on:
    o If the program exits with !0, the return code is now PAM_PERM_DENIED, not PAM_SYSTEM_ERR.
    o If the program fails because of a signal (WIFSIGNALED) or doesn't terminate normally (!WIFEXITED), the return code is now PAM_SERVICE_ERR, not PAM_SYSTEM_ERR.
    o If a syscall in pam_exec fails, the return code remains PAM_SYSTEM_ERR.
  waitpid(2) is called in a loop. If it returns because of EINTR, do it again. Before, it would return PAM_SYSTEM_ERR without waiting for the child to exit.
  Several log messages now include the PAM service module function name.
  The man page is updated accordingly.
  Reviewed by: gleb@, des@
  Sponsored by: Yakaz (http://www.yakaz.com)
  MFC after: 2 weeks
* - Avoid using deprecated heimdal functions in pam_krb5. [stas, 2012-03-24, 2, -69/+102]
* - Avoid use of deprecated KRB5 functions. [stas, 2012-03-22, 2, -15/+25]
* - Update FreeBSD Heimdal distribution to version 1.5.1. This also brings [stas, 2012-03-22, 2, -0/+4]
  several new kerberos related libraries and applications to FreeBSD:
    o kgetcred(1) allows one to manually get a ticket for a particular service.
    o kf(1) securely forwards ticket to another host through an authenticated and encrypted stream.
    o kcc(1) is an umbrella program around klist(1), kswitch(1), kgetcred(1) and other user kerberos operations. klist and kswitch are just symlinks to kcc(1) now.
    o kswitch(1) allows you to easily switch between kerberos credentials if you're running KCM.
    o hxtool(1) is a certificate management tool to use with PKINIT.
    o string2key(1) maps a password into key.
    o kdigest(8) is a userland tool to access the KDC's digest interface.
    o kimpersonate(8) creates a "fake" ticket for a service.
  We also now install manpages for some libraries that were not installed before, libheimntlm and libhx509.
  - The new HEIMDAL version no longer supports Kerberos 4. All users are recommended to switch to Kerberos 5.
  - Weak ciphers are now disabled by default. To enable DES support (used by telnet(8)), use "allow_weak_crypto" option in krb5.conf.
  - libtelnet, pam_ksu and pam_krb5 are now compiled with error on warnings disabled due to the function they use (krb5_get_err_text(3)) being deprecated. I plan to work on this next.
  - Heimdal's KDC now requires sqlite to operate. We use the bundled version and install it as libheimsqlite. If some other FreeBSD components will require it in the future we can rename it to libbsdsqlite and use for these components as well.
  - This is not the latest Heimdal version, the new one was released while I was working on the update. I will update it to 1.5.2 soon, as it fixes some important bugs and security issues.
* Rev 228065 (change bsd.own.mk -> bsd.init.mk) broke pam_unix.so by causing [peter, 2012-01-18, 1, -2/+2]
  the LDADD/DPADD to lose the -lpam, and causing openpam_dynamic() to fail due to "openpam_get_options" being undefined.
  This would cause obscure console log messages like:
    openpam_dynamic(): No error: 0
    openpam_load_module(): no pam_unix.so found
  and other helpful messages which are no help in diagnosing the problem.
  Fortunately this change was not mfc'ed to 9.x, it isn't broken there.
* Upgrade to OpenPAM Lycopsida. [des, 2011-12-18, 1, -0/+5]
* .include <bsd.init.mk> instead of <bsd.own.mk> [fjoe, 2011-11-28, 1, -3/+1]
  The former allows common settings from ../Makefile.inc to be used.
* Revert r227841 and part of r227798. We still build libpam in two passes, [des, 2011-11-24, 1, -1/+10]
  but we use STATIC_CFLAGS instead of our own private .c.o rule.
  MFC after: 3 weeks
* Simplify the libpam build by removing the shared modules' dependency [des, 2011-11-21, 2, -13/+3]
  on the shared library. The modules are loaded by the library, so we know it'll be there when we need it.
  MFC after: 3 weeks
* key_load_private() ignores the passphrase argument if the private key [des, 2011-11-20, 1, -7/+18]
  is unencrypted. This defeats the nullok check, because it means a non-null passphrase will successfully unlock the key.
  To address this, try at first to load the key without a passphrase. If this succeeds and the user provided a non-empty passphrase *or* nullok is false, reject the key.
  MFC after: 1 week
  Noticed by: Guy Helmer <guy.helmer@palisadesystems.com>
* Ensure pam_lastlog removes the /dev/ component of the TTY name. [ed, 2011-11-07, 1, -0/+5]
  Some consumers of PAM remove the /dev/ component (i.e. login), while others don't (i.e. su). We must ensure that the /dev/ component is removed to ensure that the utmpx entries properly work with tools such as w(1).
  Discussed with: des
  MFC after: 1 week
* Remove an unused variable from pam_unix. [ed, 2011-11-05, 1, -2/+0]
  This variable was added in r82352 back in 2001, but even then it didn't have any use. Because it's not marked static, the C compiler won't complain about it.
  Discussed with: des
* Note that pam_unix(8) does not respect PAM_CHANGE_EXPIRED_AUTHTOK. [des, 2011-11-02, 1, -0/+6]
* Revert the previous commit and add a comment explaining why it was wrong. [des, 2011-10-22, 1, -2/+14]
* openpam_static.c isn't auto-generated. [des, 2011-10-22, 1, -5/+2]
* Load the ECDSA key if there is one. [des, 2011-10-07, 2, -2/+7]
  MFC after: 1 week
* Mention the name of the module in warning messages. [des, 2011-03-12, 1, -2/+2]