| Commit message | Author | Age | Files | Lines |
| |
the correct userid, instead of random garbage. This bug does not
exist in -stable.
Reviewed by: freebsd-audit
| |
applications linked with Linux-PAM will still work.
Remove pam_get_pass(); OpenPAM has pam_get_authtok().
Remove pam_prompt(); OpenPAM has pam_{,v}{error,info,prompt}().
Remove pam_set_item(3) man page as OpenPAM has its own.
Sponsored by: DARPA, NAI Labs
| |
code made redundant by various PAM modules (primarily pam_unix(8)).
Sponsored by: DARPA, NAI Labs
| |
fixed to accept a NULL PAM_RHOST.
| |
Sponsored by: DARPA, NAI Labs
| |
of the recent WARNS commits. The idea is:
1) FreeBSD id tags should follow vendor tags.
2) Vendor tags should not be compiled (though copyrights probably should).
3) There should be no blank line between including cdefs and __FBSDIF.
| |
cleaning-up.
| |
Sort function declarations, includes. Make consistent WRT use of _P()
macro (ugh!)
Inspired by: bde
| |
Reviewed by: bde (a while back)
| |
the 'You have mail.' check. This is useful for sites that rely on
remote mail access, rather than a local mail spool. Due to the
behavior of login_getcapbool(), the negated form is required so as
to have appropriate results.
o This behavior may have to be independently added to sshd due to
redundant implementation.
| |
to test for a home directory don't set up the additional groups, and
as such may limit users conservatively. This does not affect the
eventual credentials selected.
| |
logic that are handled by PAM. Fix documentation to reflect this.
| |
revision. <utmp.h> structures don't leave room for a NUL character.
Also fix "UNKNOWN" which should have just been UNKNOWN.
Pointed out by: bde
| |
the uses of it were wrong anyway.
o Always check for NULL returns on strdup(3).
o Fix a possible buffer overflow in strcpy(3).
o Fix a format string vulnerability.
o t->ty_type in stypeof() could be NULL and eventually cause
a segmentation fault in setenv(3), so check for that.
Eyeballed by: kris
Reviewed by: murray
MFC after: 3 days
| |
However, there's still a bug in login.c
because you copy the environment *before* the call to pam_open_session,
which won't set the necessary variables set by /usr/ports/security/pam_ssh.
Submitted by: Volker Stolz <stolz@hyperion.informatik.rwth-aachen.de>
| |
Idea from: Theo de Raadt <deraadt@openbsd.org>
| |
Approved by: murray
| |
Reviewed by: security-officer
| |
which makes login more like getty in its ability to be configured.
Submitted by: tlambert (code only)
| |
order.
Reviewed by: -audit (silence)
Approved by: murray
Obtained from: OpenBSD
MFC after: 5 days
| |
The PAM_FAIL_CHECK and PAM_END macros in su.c came from the util-linux
package's PAM patches to the BSD login.c
Submitted by: "David J. MacKenzie" <djm@web.us.uu.net>
| |
modules (via pam_putenv). The following variables will never be set in
this fashion:
SHELL, HOME, LOGNAME, MAIL, CDPATH, IFS, PATH
any variable starting with `LD_'
| |
Reviewed by: markm, months ago
| |
warning).
| |
Requested by: bde
| |
PR: 17875
Submitted by: Bjoern Fischer <bfischer@Techfak.Uni-Bielefeld.DE>
| |
Approved by: jkh
| |
Approved by: jkh
| |
chown failures in some places, but instead log them like we do all
other errors.
| |
add gid switching before chdir and comment why it is needed
| |
trimdomain() now works as expected.
| |
authentication only). This comes in handy when you're tight on space.
Submitted by: mostly John Baldwin <jobaldwi@vt.edu>
Reviewed by: John D. Polstra <jdp@polstra.com>
| |
logins get logged.
| |
Change login to use PAM for authentication. I kept the built-in
passwd/NIS authentication support, to handle cases where the system
is missing its "/etc/pam.conf" file. S/Key and KerberosIV
authentication methods are removed from the login program, but
still available in PAM modules.
| |
it's here to stay.
This code is starting to look almost reasonable again.
| |
not complete, and it hasn't been touched for 18 months. All the
ifdefs obfuscate the code. I discussed the LOGIN_CAP_AUTH support
with its author and he agreed that it is a dead end. I am bringing
PAM into the tree within the next two weeks. It is much more
flexible than LOGIN_CAP_AUTH, and will serve as a superior replacement
for it.
| |
PR: 6529
Submitted by: Dan Lukes <dan@obluda.cz>
| |
libc/gen/getpass.c. The old behaviour of blocking SIGINT and not
changing SIGQUIT was restored in rev.1.5 of getpass.c. The change
here completely restores the old behaviour of not supporting killing
login with keyboard signals (only) at the password prompt. There
is no reason to support this, since login can be exited normally
by typing a couple of ^D's. Login certainly shouldn't dump core
in response to user input. Previously, SIGQUIT killed login
immediately but SIGINT killed it only after the password was
entered.
PR: 7444
| |
if LOGIN_CAP_AUTH was defined. This is kind of silly, because
LOGIN_CAP_AUTH doesn't work anyway, is not defined currently,
probably will never be defined, and IMHO should not be defined.
But I'm sure you'll sleep better tonight, knowing that these bugs
are gone.
| |
Here are some examples to avoid confusion.
They assume the logged host domain is "spec.co.jp". All
examples are longer than the UT_HOSTNAMELEN value.
1) turbo.tama.spec.co.jp: 192.19.0.2 -> trubo.tama
2) turbo.tama.foo.co.jp : 192.19.0.2 -> 192.19.0.2
3) specgw.spec.co.jp : 202.32.13.1 -> specgw
Submitted by: Atsushi Murai <amurai@spec.co.jp>
| |
is on an NFS partition without root read access. Also, flip euid again for
the duration of the chdir() to the homedir for the same reason.
PR: 5145
Submitted by: Joel.Faedi@esial.u-nancy.fr
Also tested by: A Joseph Koshy <koshy@india.hp.com>