upstream/opnsense-src
1
0
Fork 0
mirror of https://github.com/opnsense/src.git synced 2026-04-20 21:59:20 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions
253105 commits 29 branches 224 tags 2.1 GiB
Commit graph

511 commits

Author SHA1 Message Date
Ruslan Ermilov
862b46f607 Markup, grammar, punctuation. 2004-07-01 18:20:57 +00:00
Alexander Kabaev
2758535974 Revert the last change. There are more 64bit platforms than amd64, and 
they break due to diferent alignment restrictions.
 2004-06-25 12:32:45 +00:00
Alexander Kabaev
0cb04d0b33 Remove the use of cast as lvalue. 2004-06-25 01:54:26 +00:00
Mark Murray
16fc3635f7 Make NULL a (void*)0 whereever possible, and fix the warnings(-Werror) 
that this provokes. "Wherever possible" means "In the kernel OR NOT
C++" (implying C).

There are places where (void *) pointers are not valid, such as for
function pointers, but in the special case of (void *)0, agreement
settles on it being OK.

Most of the fixes were NULL where an integer zero was needed; many
of the fixes were NULL where ascii <nul> ('\0') was needed, and a
few were just "other".

Tested on: i386 sparc64
 2004-03-05 08:10:19 +00:00
Colin Percival
d623b765cf style cleanup: Remove duplicate $FreeBSD$ tags. 
These files had tags after the copyright notice,
inside the comment block (incorrect, removed),
and outside the comment block (correct).

Approved by:	rwatson (mentor)
 2004-02-10 20:42:33 +00:00
Dag-Erling Smørgrav
af9b407414 Fix numerous constness and aliasing issues. 2004-02-10 10:13:21 +00:00
Ruslan Ermilov
751378136d Put libraries in the link order. 
Reported by:	lorder(1) (modified to work with libraries)
 2004-02-04 10:23:09 +00:00
Ruslan Ermilov
1e73d261f5 This module doesn't use libgssapi (and it looks never did). 2004-02-04 09:41:47 +00:00
Dag-Erling Smørgrav
3a59e89e73 Implement pam_sm_close_session(). 
PR:		bin/61657
Submitted by:	Joe R. Doupnik <jrd@cc.usu.edu>
 2004-01-26 19:28:37 +00:00
Ruslan Ermilov
bb96dfc53a Deal better with the crypto version of the PAM library that goes 
on the release media -- only put what is different in the crypto
version compared to the base version.  This reduces PAM entries
in /usr/lib in the "crypto" distribution to:

	libpam.a
	libpam.so@
	libpam.so.2
	pam_krb5.so@
	pam_krb5.so.2
	pam_ksu.so@
	pam_ksu.so.2
	pam_ssh.so@
	pam_ssh.so.2

The libpam.so* is still redundant (it is identical to the "base"
version), but we can't set DISTRIBUTION differently for libpam.a
and libpam.so.

(The removal of libpam.so* from the crypto distribution could be
addressed by the release/scripts/crypto-make.sh script, but then
we'd also need to remove redundant PAM headers, and I'm not sure
this is worth a hassle.)
 2004-01-18 14:58:07 +00:00
Jens Schweikhardt
898fc4a340 Remove crossref to pam.conf(5) which never existed. 2004-01-17 09:46:49 +00:00
Dag-Erling Smørgrav
33b7c0d94c Fix a strict aliasing issue. Also remove an unnecessary pam_get_item() 
call (pam_get_authtok() will return the previous token if try_first_pass
or use_first_pass is specified).  Incidentally fix an ugly bug where the
buffer holding the prompt was freed immediately before use, instead of
after.
 2003-12-11 15:51:03 +00:00
Dag-Erling Smørgrav
4911b12cba More strict aliasing fixes. 
Submitted by:	Andreas Hauser <andy-freebsd@splashground.de>
 2003-12-11 15:48:09 +00:00
Dag-Erling Smørgrav
91e938693e Fix strict aliasing breakage in PAM modules (except pam_krb5, which needs 
more work than the others).  This should make most modules build with -O2.
 2003-12-11 13:55:16 +00:00
Maxim Sobolev
cd28f89c12 Fix on sparc64. 
Reported by:	rwatson/tinderbox
MFC after:	2 weeks
 2003-11-12 23:36:17 +00:00
Maxim Sobolev
f142677b46 Add a new configuration variable - nas_ipaddr, which if set allows to 
set NAS-IP-Address attribute in requests generated by the pam_radius
module. This attribute is mandatory for some Radius servers out there.

Reviewed by:	des
MFC after:	2 weeks
 2003-11-12 17:47:23 +00:00
Ken Smith
921e5ca770 - fix to UID test description, non-zero -> zero 
PR:		docs/57799
Reviewed by:	des
Approved by:	blackend (mentor)
 2003-10-17 17:03:38 +00:00
Dag-Erling Smørgrav
24db258f35 Ignore ECHILD from waitpid(2) (our child may have been reaped by the 
calling process's SIGCHLD handler)

PR:		bin/45669
 2003-09-19 11:33:03 +00:00
Dag-Erling Smørgrav
3a256117dc Revert previous commit after fixing libpam. 2003-07-21 19:56:28 +00:00
Dag-Erling Smørgrav
015d0cd6e2 Add a __DECONST() to unbreak the build. 2003-07-15 14:36:36 +00:00
Martin Blapp
dd01398df6 Fix the master yppasswd routines, so they really work 
for root on ypmaster. yppasswd_local() did use YPPASSWDPROG
instead of MASTER_YPPASSWDPROG, and the domain was not set,
resulting in a coredump during xdr-encode.

Reviewed by:	des
 2003-06-15 10:37:22 +00:00
Dag-Erling Smørgrav
008c1ace7b Retire pam_wheel(8) (which has been disconnected for quite a while) and 
pam_ftp(8).
 2003-06-01 11:50:35 +00:00
Dag-Erling Smørgrav
4d6991c692 Update copyright dates. 2003-05-31 17:19:03 +00:00
Dag-Erling Smørgrav
545aa47101 Remove all instances of pam_std_option() 2003-05-31 16:55:07 +00:00
Dag-Erling Smørgrav
d462d3923b Introduce pam_guest(8) which will replace pam_ftp(8). 2003-05-31 16:52:58 +00:00
Ruslan Ermilov
734ac3b543 mdoc(7) fixes. 
Approved by:	re (blanket)
 2003-05-24 19:53:08 +00:00
Dag-Erling Smørgrav
7691f66abf Retire the useless NOSECURE knob. 
Approved by:	re (scottl)
 2003-05-19 15:52:01 +00:00
Mark Murray
dbf104e68d Turn MAKE_KERBEROS5 into NO_KERBEROS by negating the logic. Some extra 
cleanups were necessary in release/Makefile, and the tinderbox code
was syntax checked, not run checked.
 2003-05-05 07:58:44 +00:00
Dag-Erling Smørgrav
8f3031025b Make sure rhostip is always initialized. 
PR:		bin/51508
Submitted by:	Peter Grimshaw <peter@tesseract.demon.co.uk>
 2003-04-30 00:49:42 +00:00
Dag-Erling Smørgrav
ccd703cfe4 Treat an empty PAM_RHOST the same as a NULL one. 
PR:		bin/51508
 2003-04-30 00:44:05 +00:00
Dag-Erling Smørgrav
3edc7b4e0b Set $HOME to the correct directory (within the chroot tree). 2003-04-30 00:40:24 +00:00
Dag-Erling Smørgrav
be01d58da1 Remove a bogus null password check which assumed that a user with an empty 
password must necessarily have an empty pwd->pw_passwd.  Also add a check
that prevents users from setting a blank password unless the nullok option
was specified.  Root is still allowed to give anyone a blank password.
 2003-04-24 12:26:25 +00:00
Dag-Erling Smørgrav
a8643c9882 Connect the pam_chroot(8) module to the build. 2003-04-08 16:52:34 +00:00
Dag-Erling Smørgrav
d4e15f10b1 Add a cwd option which specifies where to chdir(2) after the chroot(2). 
When using the /home/./foo scheme, this defaults to the rhs (/foo);
otherwise it defaults to /.
 2003-04-08 16:52:18 +00:00
Dag-Erling Smørgrav
eac956b2d1 Experimental pam_chroot module (not connected to the build) 2003-03-30 22:58:23 +00:00
Dag-Erling Smørgrav
f5bbe11124 This module is not WARNS-clean, due to brokenness in OpenSSL headers. 2003-03-10 09:19:08 +00:00
Dag-Erling Smørgrav
16bb3109e3 Somewhat better wording. 2003-03-10 09:15:26 +00:00
Dag-Erling Smørgrav
02a19b0184 Silence warning caused by OPIE brokenness. 2003-03-10 09:15:08 +00:00
David E. O'Brien
7f03a257ac style.Makefile(5) police 
(I've tried to keep to the spirit of the original formatting)

Reviewed by:	des
 2003-03-09 20:06:38 +00:00
Mark Murray
5d658b151b KerberosIV de-orbit burn continues. Remove the KerberosIV PAM module. 2003-03-08 10:33:20 +00:00
Mark Murray
b4240e6ce9 Comment-only assistance to lint to kill warnings. 2003-03-08 10:30:49 +00:00
Ruslan Ermilov
66abb7a636 mdoc(7) police: Nits. 2003-03-03 11:45:18 +00:00
Ruslan Ermilov
522ccf3f35 mdoc(7) police: markup laundry. 2003-02-23 01:47:49 +00:00
Dag-Erling Smørgrav
859ac7c46f Add an "allow_local" option which forces historical behaviour. 2003-02-16 13:01:03 +00:00
Dag-Erling Smørgrav
b645332a81 Assume "localhost" if no remote host was specified. This is safe from a 
POLA point of view since the stock /etc/opieaccess now allows localhost.
 2003-02-15 23:26:49 +00:00
Dag-Erling Smørgrav
48c12730cd Use pam_get_user(3) instead of pam_get_item(3) where appropriate. 2003-02-10 18:59:20 +00:00
Dag-Erling Smørgrav
d902781908 Complete rewrite of pam_ssh(8). The previous version was becoming hard 
to maintain, and had security issues which would have required a major
rewrite to address anyway.

This implementation currently starts a separate agent for each session
instead of connecting each new session to the agent started by the first
one.  While this would be a Good Thing (and the old pam_ssh(8) tried to
do it), it's hard to get right.  I'll revisit this issue when I've had a
chance to test some modifications to ssh-agent(1).
 2003-02-09 21:20:44 +00:00
Dag-Erling Smørgrav
687200d002 Maybe I was a little too fast? Remove debugging code, and commit the 
Makefile and man page which I'd forgotten to 'cvs add'.

Sponsored by:	DARPA, NAI Labs
 2003-02-06 14:27:48 +00:00
Dag-Erling Smørgrav
7cde604ebd Replace pam_wheel(8) with pam_group(8) which has a cleaner interface. The 
pam_wheel(8) module was written to work in spite of a broken libpam, and
has grown organically since its inception, which is reflected in both its
functionality and implementation.  Rather than clean up pam_wheel(8) and
break backward compatibility, I've chosen to reimplement it under a new,
more generic name.

Sponsored by:	DARPA, NAI Labs
 2003-02-06 14:24:14 +00:00
Dag-Erling Smørgrav
9e2409d3d5 Make sure the message is only printed once. 2003-02-06 14:19:50 +00:00
Dag-Erling Smørgrav
915bae31b7 Don't blame markm for what he didn't do - writing these man pages, for 
instance.  Also bump the date since I made substantial modifications
earlier today.
 2003-02-06 13:47:21 +00:00
Dag-Erling Smørgrav
37def36f9b Update copyright. 2003-02-06 12:56:51 +00:00
Dag-Erling Smørgrav
caeab58cd8 Add support for escape sequences in the arguments (e.g. %u for user name) 
Sponsored by:	DARPA, NAI Labs
 2003-02-06 12:56:39 +00:00
Dag-Erling Smørgrav
a76a4d449d Export the PAM environment to the child process instead of the "normal" 
environment list, which may be unsafe and / or sensitive.

Sponsored by:	DARPA, NAI Labs
 2003-02-06 12:40:58 +00:00
Dag-Erling Smørgrav
aa7f9c67e6 Minimal manual page for pam_kerberosIV(8). 
Sponsored by:	DARPA, NAI Labs
 2003-02-06 10:55:11 +00:00
Dag-Erling Smørgrav
8dad14b11b In pam_sm_acct_mgmt(), retrieve the cached credentials before trying to 
initialize the context.  This way, a failure to initialize the context is
not fatal unless we actually have work to do - because if we don't, we
return PAM_SUCCESS without even trying to initialize the context.
 2003-02-03 09:45:41 +00:00
Dag-Erling Smørgrav
bd12700b18 Whitespace cleanup 2003-02-03 09:43:28 +00:00
Dag-Erling Smørgrav
cb6e9daaa9 OpenPAMify. 2003-02-02 18:43:58 +00:00
Jacques Vidrine
8f857e88c4 Do not return inappropriate error codes in pam_sm_setcred. 2003-01-29 21:20:38 +00:00
Jacques Vidrine
e0bc74123b About September 2001, I consulted with all the previous authors of 
pam_krb5 to consolidate the copyright texts.  The semi-official
pam_krb5 module has been distributed with this new license text ever
since, but I'm just now getting around to updating the text here.
 2003-01-10 13:38:44 +00:00
Jens Schweikhardt
57bd0fc6e8 english(4) police. 2002-12-27 12:15:40 +00:00
Ruslan Ermilov
fb3acdd2a2 mdoc(7) police: removed gratuitous .Pp call. 2002-12-23 15:21:57 +00:00
Dag-Erling Smørgrav
32f0c0487b Merge in most non-style differences from Andrew Korty's pam_ssh 1.7. 2002-12-16 14:33:18 +00:00
Ruslan Ermilov
87e9be3900 mdoc(7) police: .Dt is ALL UPPERCASE. 
Approved by:	re
 2002-12-12 08:19:47 +00:00
Ruslan Ermilov
1798791d24 mdoc(7) police: formatting nits. 
Approved by:	re
 2002-11-29 15:57:50 +00:00
Dag-Erling Smørgrav
bb16bd87d7 Whitespace nits. 
Approved by:	re (bmah)
 2002-11-28 20:11:31 +00:00
Dag-Erling Smørgrav
3fdd8a4036 Add a PAM_MODULE_ENTRY to this module so it'll actually do something. 
Approved by:	re (bmah)
 2002-11-28 20:05:42 +00:00
Peter Wemm
6ceeb6902a utmp.ut_time and lastlog.ll_time are explicitly int32_t rather than 
time_t.  Deal with the possibility that time_t != int32_t.  This boils
down to this sort of thing:
 -   time(&ut.ut_time);
 +   ut.ut_time = time(NULL);
and similar for ctime(3) etc.  I've kept it minimal for the stuff
that may need to be portable (or 3rd party code), but used Matt's time32
stuff for cases where that isn't as much of a concern.

Approved by: re (jhb)
 2002-11-15 22:42:00 +00:00
Ruslan Ermilov
3f66c888ec Make dynamic PAM modules depend on dynamic PAM library. 
Requested by:	des, markm
 2002-11-14 19:24:51 +00:00
Jacques Vidrine
7c2274dc95 The pam_krb5 module stored a reference to a krb5_ccache structure as 
PAM module state (created in pam_sm_authenticate and referenced later
in pam_sm_setcred and pam_sm_acct_mgmt).  However, the krb5_ccache
structure shares some data members with the krb5_context structure
that was used in its creation.  Since a new krb5_context is created
and destroyed at each PAM entry point, this inevitably caused the
krb5_ccache structure to reference free'd memory.

Now instead of storing a pointer to the krb5_ccache structure,
we store the name of the cache (e.g. `MEMORY:0x123CACHE') in
pam_sm_authenticate, and resolve the name in the other entry points.

This bug was uncovered by phkmalloc's free'd memory scrubbing.

Approved by:	re (jhb)
 2002-11-13 17:46:15 +00:00
Jacques Vidrine
88c8bcce6c Use krb5_get_err_text' instead of error_message' so that instead of 
e.g.

   Unknown error: -1765328378

we get

   Client not found in Kerberos database

Another way to accomplish this would have been to leave
`error_message' alone, but to explicitly load the Kerberos com_err
error tables.  However, I don't really like the idea of a PAM module
dorking with global tables.

Approved by:	re (jhb)
 2002-11-13 17:44:29 +00:00
Dag-Erling Smørgrav
a1d214e88b Allow the admin to specify a different NAS identifier than the hostname. 
Submitted by:	Boris Kovalenko <boris@ntmk.ru>
 2002-10-28 10:28:46 +00:00
Robert Watson
195426c211 Introduce 'exempt_if_empty' option to pam_wheel(8), which bypasses the 
group membership requirement if the group has no explicit members listed
in /etc/group.  By default, this group is the wheel group; setting this
flag restores the default BSD behavior from 4.x.

Reviewed by:	markm
Requested by:	various
Sponsored by:	DARPA, Network Associates Laboratories
 2002-10-18 02:37:29 +00:00
Dag-Erling Smørgrav
68e6e4bd40 Since pam_get_authtok(3) doesn't know about our options structure, setting 
the PAM_ECHO_PASS option on-the-fly is a NOP (though it wasn't with the
old pam_get_pass(3) code).  Instead, call pam_prompt(3) directly.  This
actually simplifies the code a bit.

MFC after:	3 days
 2002-07-30 08:32:03 +00:00
Ruslan Ermilov
c101b5f3f3 Tidy up. 2002-06-06 13:55:01 +00:00
Dag-Erling Smørgrav
eb6f605e2f Missed one in previous commit. 
Pointed out by:	nectar
 2002-05-30 20:48:59 +00:00
Ruslan Ermilov
6a63652701 mdoc(7) police: kill whitespace at EOL. 2002-05-30 14:52:00 +00:00
Ruslan Ermilov
5617846748 mdoc(7) police: polish markup. 2002-05-30 14:49:57 +00:00
Ruslan Ermilov
9baa2c98cf mdoc(7) police: tidy up the markup. 2002-05-30 14:32:48 +00:00
Jacques Vidrine
3a27166692 Add pam_ksu(8), a module to do Kerberos 5 authentication and 
$HOME/.k5login authorization for su(1).

Reviewed by:	des (earlier version)
 2002-05-28 20:52:31 +00:00
Dag-Erling Smørgrav
f346f31b43 Add missing include. 2002-05-24 13:20:40 +00:00
Dag-Erling Smørgrav
f65b218085 Just to show that PAM can do almost anything from the ridiculous to the 
obscene, or - as they say in New York - sophisticated, add pam_echo(8) and
pam_exec(8) to our ever-lengthening roster of PAM modules.

Sponsored by:	DARPA, NAI Labs.
 2002-05-23 22:03:06 +00:00
Dag-Erling Smørgrav
2569c273c7 Hide a couple of unguarded error returns behind the no_fail test. 2002-05-23 00:02:59 +00:00
Juli Mallett
816c6c91e2 Free old_pwd only in the code path where it has been allocated. 
Reviewed by:	des
 2002-05-22 23:18:25 +00:00
David E. O'Brien
1dba4170b1 Do not build pam_ssh if NOSECURE is set (NO_OPENSSL is on a subset of NOSECURE) 2002-05-15 20:25:32 +00:00
Ruslan Ermilov
2a53f3fb35 Major cleanup of bsd.lib.mk. 
Get rid of the INTERNALSTATICLIB knob and just use plain INTERNALLIB.
INTERNALLIB now means to build static library only and don't install
anything.  Added a NOINSTALLLIB knob for libpam/modules.  To not
build any library at all, just do not set LIB.
 2002-05-13 10:53:24 +00:00
Dag-Erling Smørgrav
55589c84e2 Don't declare krb5_mcc_ops, it's already declared in <krb5.h> 2002-05-12 07:06:27 +00:00
Dag-Erling Smørgrav
f1d0592537 Use libutil and libypclnt for all passwd manipulation and NIS needs. 
Sponsored by:	DARPA, NAI Labs
 2002-05-08 00:54:29 +00:00
Dag-Erling Smørgrav
89136eab16 Add a no_fail option. 
Sponsored by:	DARPA, NAI Labs
 2002-05-08 00:31:45 +00:00
Dag-Erling Smørgrav
2256d3698a Add pam_ftpusers(8), which enforces /etc/ftpusers. 
Sponsored by:	DARPA, NAI Labs
 2002-05-08 00:30:10 +00:00
Dag-Erling Smørgrav
0f6517b7d8 Don't ask root for the old password, except in the NIS case. 
Sponsored by:	DARPA, NAI Labs
 2002-04-26 19:28:17 +00:00
Dag-Erling Smørgrav
c8c20c5226 Fix a really dumb bug (missing curly braces around the body of an if 
statement) that caused pam_sm_chauthtok() to always fail silently.
 2002-04-26 01:47:48 +00:00
Dag-Erling Smørgrav
750e6876cf Oops, fix an inverted if test. 2002-04-20 16:52:41 +00:00
Dag-Erling Smørgrav
1583027008 Strip /dev/ from tty name, and clean up the "last login" printout. 
Sponsored by:	DARPA, NAI Labs
 2002-04-20 16:44:32 +00:00
Dag-Erling Smørgrav
b1e0b30d83 Add a missing .El and fix a typo. 
Spotted by:	Solar Designer <solar@openwall.com>
Sponsored by:	DARPA, NAI Labs
 2002-04-16 22:38:47 +00:00
Dag-Erling Smørgrav
c82bffaa40 Revert previous commit, it is incorrect. 2002-04-15 22:51:31 +00:00
David E. O'Brien
f01afd3101 Properly spell rpcsvc/ypclnt.h and fix the build. 2002-04-15 22:47:28 +00:00
Dag-Erling Smørgrav
4c8153125a Throw in NO_WERROR to please the peanut gallery. 2002-04-15 13:10:28 +00:00
Dag-Erling Smørgrav
53fd6d26b2 Use PAM_SUCCESS instead of PAM_IGNORE. 2002-04-15 06:26:32 +00:00
Dag-Erling Smørgrav
ab4f115e57 Whitespace nits. 2002-04-15 03:52:22 +00:00
Dag-Erling Smørgrav
f71d08000d Add a manual page based on Solar Designer's README. 
Sponsored by:	DARPA, NAI Labs
 2002-04-15 03:45:14 +00:00
Dag-Erling Smørgrav
a11a75ce7c pam_passwdqc depends on libcrypt. 2002-04-15 03:44:42 +00:00
Dag-Erling Smørgrav
7b733689a3 Prompt for new password during update phase, not during preliminary phase. 
Sponsored by:	DARPA, NAI Labs
 2002-04-15 03:00:14 +00:00
Dag-Erling Smørgrav
ff1bc287ac Dike out most of the NIS code and replace it with calls to libypclnt. 
Rework pam_sm_chauthtok() so it (mostly?) works.
The standard pw stuff still needs to move into a library somewhere.

Sponsored by:	DARPA, NAI Labs
 2002-04-15 02:34:43 +00:00
Dag-Erling Smørgrav
f2b9b94ab4 pam_passwdqc builds now. 2002-04-14 22:31:36 +00:00
Dag-Erling Smørgrav
81a587f467 More recent versions of pam_passwdqc (not yet released) build with very 
few warnings.
 2002-04-14 18:48:57 +00:00
Dag-Erling Smørgrav
24fe7ba0d9 Major cleanup: 
- add __unused where appropriate
  - PAM_RETURN -> return since OpenPAM already logs the return value.
  - make PAM_LOG use openpam_log()
  - make PAM_VERBOSE_ERROR use openpam_get_option() and check flags
    for PAM_SILENT
  - remove dummy functions since OpenPAM handles missing service
    functions
  - fix various warnings

Sponsored by:	DARPA, NAI Labs
 2002-04-12 22:27:25 +00:00
Dag-Erling Smørgrav
95ca4cb3f6 Add a pam_rhosts module, loosely based on code submitted by Danny Braniss. 
Submitted by:	Danny Braniss <danny@cs.huji.ac.il>
Sponsored by:	DARPA, NAI Labs
 2002-04-12 20:10:18 +00:00
Dag-Erling Smørgrav
fd994fa945 Rename the even_root option to allow_root. 
Sponsored by:	DARPA, NAI Labs
 2002-04-12 20:05:27 +00:00
Ruslan Ermilov
90a9863e16 Moved SHLIB_NAME definition into one place. 
Approved by:	des
 2002-04-10 18:07:05 +00:00
Ruslan Ermilov
196f4c26f4 Fixed broken "make depend; make clean; make all" sequence. 
I've looked for this example for a long time, to demonstrate
some people why it's a really BAD idea to use ${.OBJDIR}
instead of ".".  I hope these people are reading this.  :-)

Approved by:	des
 2002-04-10 18:00:32 +00:00
Ruslan Ermilov
e348eb5318 Fix broken `checkdpadd'. 
-lroken is an installable library, there's no need to give an
explicit path to it.  In any case, -L paths should be specified
in LDFLAGS if needed.

Approved by:	des
 2002-04-10 17:53:43 +00:00
Dag-Erling Smørgrav
2270ac91b4 Remove debugging code that was inadvertantly brought in by previous commit. 2002-04-08 12:41:08 +00:00
Dag-Erling Smørgrav
eafd17c552 Use OpenPAM's credential switching functions. 
Sponsored by:	DARPA, NAI Labs
 2002-04-08 12:38:50 +00:00
Ruslan Ermilov
f2f306b622 Align for const poisoning in -lutil. 2002-04-08 11:07:51 +00:00
Dag-Erling Smørgrav
50000f00df Reorganize pam_sm_authenticate() to reduce code duplication. 
Sponsored by:	DARPA, NAI Labs
 2002-04-07 21:18:18 +00:00
Dag-Erling Smørgrav
a8b1e59eb2 Fix bug in previous commit that passed the wrong default value to 
login_getcapstr(3).  Also fix a longer-standing bug (login_close(3)
frees the string returned by login_getcapstr(3)) by reorganizing the
code a little, and use login_getpwclass(3) instead of login_getclass(3)
if we already have a struct pwd.

Sponsored by:	DARPA, NAI Labs
 2002-04-07 20:43:27 +00:00
Dag-Erling Smørgrav
9db21c5fd1 This one needs NO_WERROR too. 2002-04-07 12:53:58 +00:00
Dag-Erling Smørgrav
92c07aa880 Turn on NO_WERROR due to namespace pollution in krb5 headers. 2002-04-07 04:44:16 +00:00
Dag-Erling Smørgrav
111ccd256c Aggressive cleanup of warnings + authtok-related code in preparation for 
PAMifying passwd(1).

Sponsored by:	DARPA, NAI Labs.
 2002-04-06 19:30:04 +00:00
Dag-Erling Smørgrav
18006b1ab8 Disconnect pam_passwdqc for now, it has some issues that need resolving. 2002-04-06 19:25:36 +00:00
Dag-Erling Smørgrav
4004c08e79 Fix some style issues, a const warning, and abuse of PAM_ABORT. 
Sponsored by:	DARPA, NAI Labs
 2002-04-06 14:25:04 +00:00
Dag-Erling Smørgrav
40b93e6278 Remove some duplicate free()s and add some that were missing. 
Submitted by:	tmm
 2002-04-05 20:00:05 +00:00
Dag-Erling Smørgrav
f8334e0084 pam_get_pass() -> pam_get_authtok() 2002-04-05 10:49:45 +00:00
Dag-Erling Smørgrav
8f85b6caad Upgrade to something quite close, but not identical, to version 1.6 of 
Andrew Korty's pam_ssh.  The most notable difference is that this uses
commas rather than colons to separate items in the "keyfiles" option.

Sponsored by:	DARPA, NAI Labs
 2002-04-04 18:45:21 +00:00
Dag-Erling Smørgrav
2b814c7ea1 Add pam_passwdqc to the build. 
Sponsored by:	DARPA, NAI Labs
 2002-04-04 16:08:28 +00:00
Mark Murray
b51066a362 Fix for OPIE 2.4. 2002-03-22 09:20:05 +00:00
Ruslan Ermilov
7d1f1e9ca8 mdoc(7) police: fix SYNOPSIS, sort xrefs, kill extra whitespace. 2002-03-18 15:59:53 +00:00
Ruslan Ermilov
b6b2be6fbe mdoc(7) police: nits. 2002-03-18 15:55:53 +00:00
Ruslan Ermilov
8ce6622380 mdoc(7) police: sort xrefs, kill extra whitespace. 2002-03-18 15:52:28 +00:00
Crist J. Clark
51906f452e Fix world breakage introduced by my recent modifications to 
chpass(8). The relations between libc, libpam, chpass, passwd, and
vipw are a mess and probably should be cleaned up.

Submitted by:	Peter Pentchev <roam@ringlet.net>
 2002-03-18 12:55:28 +00:00
Ruslan Ermilov
a68af001da mdoc(7) police: tiny fixes. 2002-03-15 18:09:32 +00:00
Ruslan Ermilov
3e5aa36e12 mdoc(7) police: expand contractions. 2002-03-15 18:06:25 +00:00
Dag-Erling Smørgrav
f03a4b810a NAI DBA update. 2002-03-14 23:27:59 +00:00
Mark Murray
8c3ea588df Remove the use of random(3), and encapsulate the salt-generation in 
its own function. The use of arc4random(3) is hopeless overkill here,
but that does not hurt anything.

Requested by:	ache
 2002-03-14 16:41:36 +00:00
Maxim Sobolev
f651c1533c Don't ignore system CFLAGS. 2002-03-07 16:56:19 +00:00
Mark Murray
3556489a52 Fix build for OpenPAM. The directories needed tweeking. 2002-03-07 16:03:56 +00:00
Brian Feldman
30da7e6299 Now pam_alreadyloggedin lives in the ports. 2002-03-07 02:23:19 +00:00
Brian Feldman
c53dd30bb3 Add the pam_alreadyloggedin(8) module, which allows for authentication 
based on information that the user is already logged in.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, NAI Labs
 2002-03-06 18:21:28 +00:00
Peter Pentchev
8a177c636f Unbreak the pam_krb5 build: cast a couple of const pointers 
to normal char *.  A better fix might be some const'ifying
of the Heimdal code, but this will do to fix the build
for the present.

Approved by:	des
 2002-03-06 16:49:02 +00:00
Dag-Erling Smørgrav
519b6a4c8f Switch to OpenPAM. Bump library version. Modules are now versioned, so 
applications linked with Linux-PAM will still work.
Remove pam_get_pass(); OpenPAM has pam_get_authtok().
Remove pam_prompt(); OpenPAM has pam_{,v}{error,info,prompt}().
Remove pam_set_item(3) man page as OpenPAM has its own.

Sponsored by:	DARPA, NAI Labs
 2002-03-05 21:56:25 +00:00
Dag-Erling Smørgrav
e3cd129613 Add missing dependency on libutil. 2002-03-05 12:52:03 +00:00
Maxim Sobolev
c80f5647cb Create /var/log/lastlog if it doesn't exist. 
Submitted by:	des
 2002-02-20 07:47:06 +00:00
Dag-Erling Smørgrav
7f28386a26 This file needs <syslog.h>. 
Sponsored by:	DARPA, NAI Labs
 2002-02-09 14:12:09 +00:00
Ruslan Ermilov
e47a40e7f7 Now that cross-tools ld(1) has been fixed to look for dynamic 
dependencies in the correct place, record the fact that -lssh
depends on -lcrypto and -lz.

Removed false dependencies on -lz (except ssh(1) and sshd(8)).
Removed false dependencies on -lcrypto and -lutil for scp(1).

Reviewed by:	markm
 2002-02-08 13:42:58 +00:00
Mark Murray
30577d19fa Remove NO_WERROR, now that WARNS=n is gone. 2002-02-06 18:46:48 +00:00
Dag-Erling Smørgrav
04f71c5352 Three times lucky: <stddef.h>, not <sys/param.h> 2002-02-05 08:01:32 +00:00
Dag-Erling Smørgrav
93cf4c1be3 Oops, the correct header to include for NULL is <sys/param.h>. 2002-02-05 07:53:00 +00:00
Dag-Erling Smørgrav
0ae5018b3e #include <sys/types.h> for NULL (hidden by Linux-PAM header pollution) 
Sponsored by:	DARPA, NAI Labs
 2002-02-05 06:20:27 +00:00
Dag-Erling Smørgrav
8c66575de8 #include cleanup. 
Sponsored by:	DARPA, NAI Labs
 2002-02-05 06:08:26 +00:00
Dag-Erling Smørgrav
12b6e9a089 ssh_get_authentication_connection() gets its parameters from environment 
variables, so temporarily switch to the PAM environment before calling it.

Submitted by:	Takanori Saneto <sanewo@ba2.so-net.ne.jp>
 2002-02-04 17:15:44 +00:00
Mark Murray
95641278ef Protect "make buildworld" against -Werror, as this module does not 
build cleanly.
 2002-02-04 16:09:25 +00:00
Mark Murray
21e5d74291 Add the other half of the salt-generating code. No functional 
difference except that the salt is slightly harder to build
dictionaries against, and the code does not use srandom[dev]().
 2002-02-04 00:28:54 +00:00
Mark Murray
ac5699692e WARNS=n fixes (and some stylistic issues). 2002-02-03 15:17:57 +00:00
Dag-Erling Smørgrav
59057a6d6f Remove an unnecessary #include that trips up OpenPAM. The header in question 
is an internal Linux-PAM header which shouldn't be used outside Linux-PAM
itself, and has absolutely zero effect on pam_ftp.

Sponsored by:	DARPA, NAI Labs
MFC after:	1 week
 2002-02-02 17:51:39 +00:00
Dag-Erling Smørgrav
ab50ade43c Post-repocopy cleanup. 
Sponsored by:	DARPA, NAI Labs
 2002-02-01 22:25:07 +00:00
Dag-Erling Smørgrav
2d0a7148b6 Connect the pam_lastlog(8) and pam_login_access(8) modules to the build. 
Sponsored by:	DARPA, NAI Labs
 2002-02-01 08:49:53 +00:00
Dag-Erling Smørgrav
c60ed00a43 Still with asbestos longjohns on, completely PAMify login(1) and remove 
code made redundant by various PAM modules (primarily pam_unix(8)).

Sponsored by:	DARPA, NAI Labs
 2002-01-30 19:10:21 +00:00
Dag-Erling Smørgrav
e9cc7b1d92 With asbestos longjohns on, integrate most of the checks normally done by 
login(1) (password & account expiry, hosts.access etc.) into pam_unix(8).

Sponsored by:	DARPA, NAI Labs
 2002-01-30 19:09:11 +00:00
Dag-Erling Smørgrav
a2d20838b0 Move the code from pam_sm_authenticate() to pam_sm_acct_mgmt(). Simplify 
it a little and try to make it more resilient to various possible failure
conditions.  Change the man page accordingly, and take advantage of this
opportunity to simplify its language.

Sponsored by:	DARPA, NAI Labs
 2002-01-30 19:03:16 +00:00
Mark Murray
c2065008b5 WARNS=4 fixes. Protect with NO_WERROR for the modules that have 
warnings that are hard to fix or that I've been asked to leave alone.
 2002-01-24 18:37:17 +00:00
Dag-Erling Smørgrav
f748a713da PAM modules shouldn't call putenv(); pam_putenv() is sufficient. The 
caller is supposed to check the PAM envlist and export the variables it
contains; if it doesn't, it's broken.

Sponsored by:	DARPA, NAI Labs
 2002-01-24 17:26:27 +00:00
Dag-Erling Smørgrav
9201dc40bf Change the order in which pam_sm_open_session() updates the logs. This 
doesn't really make any difference, except it matches wtmp(5) better.

Don't do anything in pam_sm_close_session(); init(8) will take care of
utmp and wtmp when the tty is released.  Clearing them here would make it
possible to create a ghost session by logging in, running 'login -f $USER'
and exiting the subshell.

Sponsored by:	DARPA, NAI Labs (but the bugs are all mine)
 2002-01-24 17:15:04 +00:00
Dag-Erling Smørgrav
ca355e5451 Correctly interpret PAM_RHOST being unset as an indicator of a local 
login.

Sponsored by:	DARPA, NAI Labs
 2002-01-24 16:18:43 +00:00
Dag-Erling Smørgrav
d233082fbe Correctly interpret PAM_RHOST being unset as an indicator of a local 
login.
 2002-01-24 16:16:01 +00:00
Dag-Erling Smørgrav
e4536f1138 Style nits. 
Sponsored by:	DARPA, NAI Labs
 2002-01-24 16:14:56 +00:00
Dag-Erling Smørgrav
f433d6afed Document the even_root option. 
Sponsored by:	DARPA, NAI Labs
 2002-01-24 13:35:06 +00:00
Dag-Erling Smørgrav
76f95f4dc2 Don't let root through unless the "even_root" option was specified. 
Sponsored by:	DARPA, NAI Labs
 2002-01-24 12:47:42 +00:00
Dag-Erling Smørgrav
16e058b5d6 Add a PAM module that records sessions in utmp/wtmp/lastlog. 
Sponsored by:	DARPA, NAI Labs
 2002-01-24 09:45:17 +00:00
Dag-Erling Smørgrav
c2d5249eaf Fix some pastos. Rather shoddy of me... 
Sponsored by:	DARPA, NAI Labs
 2002-01-24 09:44:22 +00:00
Dag-Erling Smørgrav
53f3167d07 Add a PAM module that provides an account management component for checking 
either PAM_RHOST or PAM_TTY against /etc/login.access.o

This uncovers a problem with PAM_RHOST, in that if we always set it, there
is no way to distinguish between a user logging in locally and a user
logging in using 'ssh localhost'.  This will be fixed by first making sure
that all PAM modules can handle PAM_RHOST being unset (which is currently
not the case), and then modifying su(1) and login(1) to not set it for
local logins.

Sponsored by:	DARPA, NAI Labs
 2002-01-23 17:42:16 +00:00
Dag-Erling Smørgrav
774a10071d Add an AUTHORS section crediting ThinkSec, DARPA and NAI Labs. 
Sponsored by:	DARPA, NAI Labs
 2002-01-23 17:16:00 +00:00
Ruslan Ermilov
0509dca0c3 Add pam_ssh support to the static PAM library, libpam.a: 
- Spam /usr/lib some more by making libssh a standard library.
- Tweak ${LIBPAM} and ${MINUSLPAM}.
- Garbage collect unused libssh_pic.a.
- Add fake -lz dependency to secure/ makefiles needed for
  dynamic linkage with -lssh.

Reviewed by:	des, markm
Approved by:	markm
 2002-01-23 15:54:17 +00:00
Dag-Erling Smørgrav
b6b756b58b Base the comparison on UIDs, not on user names. 
Sponsored by:	DARPA, NAI Labs
 2002-01-23 15:16:01 +00:00
Ruslan Ermilov
fd4ca9e02d Make libssh.so useable (undefined reference to IPv4or6). 
Reviewed by:	des, markm
Approved by:	markm
 2002-01-23 15:06:47 +00:00
Dag-Erling Smørgrav
b0aa095ad0 On second thought, getpwnam() failure should be treated just as if the user 
existed, but had no OPIE key, i.e. PAM_IGNORE.

Pointed out by:	ache
Sponsored by:	DARPA, NAI Labs
 2002-01-21 19:05:45 +00:00
Dag-Erling Smørgrav
b4b56d051a Return PAM_SERVICE_ERR rather than PAM_USER_UNKNOWN if getpwnam() fails, as 
PAM_USER_UNKNOWN will break the chain, revealing to an attacker that the
user does not exist.

Sponsored by:	DARPA, NAI Labs
 2002-01-21 18:53:03 +00:00
Dag-Erling Smørgrav
03adba96a0 Further changes to allow enabling pam_opie(8) by default: 
- Ignore the {try,use}_first_pass options by clearing PAM_AUTHTOK before
   challenging the user.  These options are meaningless for pam_opie(8)
   since the user can't possibly know the right response before she sees
   the challenge.

 - Introduce the no_fake_prompts option.  If this option is set, pam_opie(8)
   will fail - rather than present a bogus challenge - if the target user
   does not have an OPIE key.  With this option, users who haven't set up
   OPIE won't have to wonder what that "weird otp-md5 s**t" means :)

Reviewed by:	ache, markm
Sponsored by:	DARPA, NAI Labs
 2002-01-21 18:46:25 +00:00
Dag-Erling Smørgrav
f460490260 Add a new module, pam_opieaccess(8), which is responsible for checking 
/etc/opieaccess and ~/.opiealways so we can decide what to do after
pam_opie(8) fails.

Sponsored by:	DARPA, NAI Labs
Reviewed by:	ache, markm
 2002-01-21 13:43:53 +00:00
Andrey A. Chernov
186caeedcb snprintf bloat -> strlcpy 
Add getpwnam return check

Approved by:	des, markm
 2002-01-20 20:56:47 +00:00
Andrey A. Chernov
0b836dfaf1 Back out recent changes 2002-01-19 18:03:11 +00:00
Andrey A. Chernov
6874115893 If user not exist in OPIE system, return failure immediately instead 
of producing fake prompts with random numbers which can be detected by
potential intruder in two tries and totally confuse non-OPIE users.
 2002-01-19 10:09:05 +00:00
Andrey A. Chernov
3195cd6712 Back out second right-now-expired password check in pam_sm_chauthtok, 
old expired password assumed there
 2002-01-19 09:23:36 +00:00
Andrey A. Chernov
012400dfcd Previous commit was incomplete, use new error code PAM_CRED_ERR to 
indicate die case, different from PAM_SUCCESS and PAM_AUTH_ERR
 2002-01-19 08:36:47 +00:00
Andrey A. Chernov
d97cc81fa4 Rewrite 'pwok' fallback in the way it can be properly chained with pam_unix 
Replace snprintf %s with strlcpy

Check for NULL returned from getpwnam()
 2002-01-19 07:23:48 +00:00
Andrey A. Chernov
c8e3fac7a1 Add yet one expired-right-now password check, in pam_sm_chauthtok 
srandomdev() can't be used in libraries, replace srandomdev()+random()
by arc4random()
 2002-01-19 04:58:51 +00:00
Andrey A. Chernov
8c70adab72 Set pwok to 1 for non-OPIE users 2002-01-19 03:31:39 +00:00
Andrey A. Chernov
d54c36388e Add missing check for right-now-expired password 2002-01-19 02:45:24 +00:00
Andrey A. Chernov
3f9a326a7a Implement 'pwok', i.e. conditional fallback to unix password 
as supposed by opieaccessfile() and opiealways()
 2002-01-19 02:38:43 +00:00
Ruslan Ermilov
7f432ff831 mdoc(7) police: bump document date. 2001-12-14 13:49:28 +00:00
David Malone
9f5b04e925 Style improvements recommended by Bruce as a follow up to some 
of the recent WARNS commits. The idea is:

1) FreeBSD id tags should follow vendor tags.
2) Vendor tags should not be compiled (though copyrights probably should).
3) There should be no blank line between including cdefs and __FBSDIF.
 2001-12-10 21:13:08 +00:00
Dag-Erling Smørgrav
18a85de04b Back out previous commit. 
Requested by:	ru
 2001-12-09 15:11:55 +00:00
Ruslan Ermilov
945b9f4de9 mdoc(7) police: sort xrefs. 2001-12-08 16:28:20 +00:00
Dag-Erling Smørgrav
bdd601a1e3 Get pam_mod_misc.h from .CURDIR rather than .OBJDIR or /usr/include. 
Sponsored by:	DARPA, NAI Labs
 2001-12-07 11:51:47 +00:00
Dag-Erling Smørgrav
8d3978c115 Add dummy functions for all module types. These dummies return PAM_IGNORE 
rather than PAM_SUCCESS, so you'll get a failure if you list dummies but
no real modules for a particular module chain.

Sponsored by:	DARPA, NAI Labs
 2001-12-05 16:06:35 +00:00
Dag-Erling Smørgrav
d5a8dd3fb5 Connect the man page to the build. 
Sponsored by:	DARPA, NAI Labs
 2001-12-05 16:02:50 +00:00
Dag-Erling Smørgrav
e2c8459e85 Add a pam_self authentication module that succeeds if and only if the local 
and remote user names are the same.

Sponsored by:	DARPA, NAI Labs
 2001-12-05 15:55:14 +00:00
Mark Murray
1a8b24c257 Use __FBSDID(). Also do a bit of cosmetic #if and header-order 
cleaning-up.
 2001-12-02 20:54:57 +00:00
Mark Murray
d2f6cd8fd5 Style fixups. 
Sort function declarations, includes. Make consistent WRT use of _P()
macro (ugh!)

Inspired by:	bde
 2001-12-01 21:12:04 +00:00
Mark Murray
e317b97026 WARNS=2 fixes. 
Reviewed by:	bde (a while back)
 2001-12-01 17:46:46 +00:00
Brian Feldman
7d8cee925b Fix pam_ssh by adding an IPv4or6 (evidently, this was broken by my last 
OpenSSH import) declaration and strdup(3)ing a value which is later
free(3)d, rather than letting the system try to free it invalidly.
 2001-11-29 21:16:11 +00:00
Ruslan Ermilov
60c6736148 mdoc(7) police: fix one pam_unix(8) left-over, sort xrefs. 2001-11-28 09:25:03 +00:00
Dag-Erling Smørgrav
b4a475937b Create a pam_ssh(8) man page, based on a repo-copy of pam_unix(8). 
License modified with original author's permission.

Sponsored by:	DARPA, NAI Labs
 2001-11-27 00:57:50 +00:00
Dag-Erling Smørgrav
d65e5dfa59 Document the local_pass and nis_pass options, add a few xrefs, and reorder 
the SEE ALSO section.  License modified with original author's permission.

Sponsored by:	DARPA, NAI Labs
 2001-11-27 00:53:10 +00:00
Dima Dorfman
a48060a2f7 Spelling police: sucessful -> successful. 2001-11-24 23:41:32 +00:00
Maxim Sobolev
bc3a4bf55d Don't put an extra space after password prompts, because it violates POLA, 
makes FreeBSD inconsistent with previous releases and "other unices" as well
as with some internal password-asking services (e.g. ftp) within the same
release.
 2001-10-25 15:51:50 +00:00
Mark Murray
ce1e0bbc8f Add library exposed by KDE's use if this module. 2001-10-18 20:05:20 +00:00
Matthew Dillon
ceaf33f537 Add __FBSDID()s to libpam 2001-09-30 22:11:06 +00:00
Mark Murray
6e925e8fc7 1) repair the return value in the PAM_RETURN() macro (Side effects!!). 
2) canonicalise the options use in pam_options().

Submitted by:	Gunnar Kreitz <gunnark@chello.se>
PR:		30250
 2001-09-04 17:05:08 +00:00
Mark Murray
a41ad3fca9 Introduce a "noroot_ok" option to make this module ignore authentications 
to a non-superuser if required.
 2001-08-26 18:09:00 +00:00
Mark Murray
f96b705fa7 Introduce better logging, error reporting and use of login_cap data. 2001-08-26 18:05:35 +00:00
Mark Murray
3d55a6c083 Big module makeover; improve logging, standardise variable names, 
introduce ability to change passwords for both "usual" Unix methods
and NIS.
 2001-08-26 17:41:13 +00:00
Mark Murray
ca0bdcdd29 Document the no_warn option. 2001-08-15 20:05:33 +00:00
Mark Murray
b5507a38bc Fix a couple of cross-references to reflect the reality of the module. 2001-08-15 20:03:26 +00:00
Mark Murray
537db85291 Fix: 
/usr/src/lib/libpam/modules/pam_ssh/pam_ssh.c has couple of bugs which cause:

1) xdm dumps core
2) ssh1 private key is not passed to ssh-agent
3) ssh2 RSA key seems not handled properly (just a guess from source)
4) ssh_get_authentication_connectionen() fails to get connection because of
   SSH_AUTH_SOCK not defined.

PR:		29609
Submitted by:	Takanori Saneto <sanewo@ba2.so-net.ne.jp>
 2001-08-11 12:37:55 +00:00
Mark Murray
3938427761 Clean up this module very extensively. Fix the logging, the coding 
standards and the option handling. This module is now much more easy
to maintain as a part of the FreeBSD tree.
 2001-08-10 19:24:34 +00:00
Mark Murray
530ebf8e0a Code clean up; make logging same as other modules and fix warnings. 2001-08-10 19:21:45 +00:00
Mark Murray
34beb374a2 General code clean-up. Sort out warnings, and make the warning and 
logging work the same as other modules.
 2001-08-10 19:18:52 +00:00
Mark Murray
0fa107a3cb Simplify code. Also verbose logging, verbose overridable error reporting. 2001-08-10 19:15:48 +00:00
Mark Murray
65550d9b5a Verbose logging, overridable verbose error reporting. 2001-08-10 19:12:59 +00:00
Mark Murray
b04259a5cf Module clean-up. Verbose logging, Overridable verbose error reporting, 
FreeBSD pam_prompt() usage to simplify conversation function usage.
 2001-08-10 19:10:43 +00:00
Mark Murray
2108fbd748 Verbosely (overridable) report failure to the user. 2001-08-10 19:07:45 +00:00
Mark Murray
ceca323626 Use the FreeBSD pam_prompt() interface to the conversation function 
instead of home-rolling it. Clean up debugging code and tidy the
module.
 2001-08-10 19:05:57 +00:00
Mark Murray
3a9cdcb91f Verbosely report errors to the user (overridable), and make sure 
that the correct failure mode is reported.
 2001-08-10 19:02:21 +00:00
Mark Murray
27b9f9d4a3 Fix broken logic so that this actually works for the superuser. 
Verbosely log (properly).
Verbosely report errors to the user.
 2001-08-10 14:21:58 +00:00
Mark Murray
13cde2748e Fix style/consistency in Makefile and repair static module building. 
Submitted by:	bde(partially)
 2001-08-04 21:51:14 +00:00
Mark Murray
d5e53157cf Don't clobber CFLAGS 
Submitted by:	bde
 2001-08-04 21:49:30 +00:00
Mark Murray
4447e914e8 Fix the bug where this modulke was not checking the priamry GID, only 
the GIDS in /etc/group or NIS's group map.

Tested by:	sheldonh
PR:		29349
 2001-08-04 09:19:31 +00:00
Mark Murray
f950650b78 With the S/KEY removal, this is no longer buildable or necessary. 2001-08-02 19:04:20 +00:00
Mark Murray
c52468e7ef Don't try to make pam_ssh module if NO_OPENSSH is set. 2001-08-02 19:01:02 +00:00
Mark Murray
f5974d336f Repair the get/set UID() stuff so this works in both su(1) and login(1) 
modes.
 2001-08-02 10:35:41 +00:00
Mark Murray
7b22794017 (Re)Add an SSH module for PAM, heavily based on Andrew Korty's module 
from ports.
 2001-07-29 18:31:09 +00:00
Ruslan Ermilov
0fa68d89e8 mdoc(7) police: widen width of the options list. 2001-07-18 14:49:32 +00:00
Mark Murray
0eb9c7b357 Update to the same level of debug-logging as the rest of the 
FreeBSD/PAM modules.
 2001-07-17 07:36:51 +00:00
Mark Murray
3741d46458 Update to the same code as in the pam_krb5.so port. 
According to Peter, the port works - this needs more testing.
 2001-07-17 07:34:36 +00:00
Dima Dorfman
f247324df7 Remove whitespace at EOL. 2001-07-15 08:06:20 +00:00
Mark Murray
f042a54245 Use a better method of getting user credentials to account for 
(legal) UID duplication.

Rename use_uid to auth_as_self for consistency with other modules.
 2001-07-14 08:42:39 +00:00
Mark Murray
6fd676c982 Use a better method to get user credentials to account for (legal) 
duplications of UID's in /etc/*passwd.
 2001-07-14 08:38:24 +00:00
Ruslan Ermilov
e8b02a428d mdoc(7) police: -xwidth has been fold into -width. 2001-07-13 09:09:52 +00:00
Ruslan Ermilov
08ecaa10b2 mdoc(7) police: fixed markup, a little bit. 2001-07-11 08:36:26 +00:00
Ruslan Ermilov
63b81b76ca mdoc(7) police: fixed markup any numerous typos. 2001-07-11 08:35:34 +00:00
Ruslan Ermilov
625003720a mdoc(7) police: removed HISTORY info from the .Os call. 2001-07-10 14:16:33 +00:00
Ruslan Ermilov
a307d59838 mdoc(7) police: removed HISTORY info from the .Os call. 2001-07-10 13:41:46 +00:00
Mark Murray
1642eb1a52 Clean up (and in some cases write) the PAM mudules, using 
o The new options-processing API
o The new DEBUG-logging API

Add man(1) pages for ALL modules. MDOC-Police welcome
to check this.

Audit, clean up while I'm here.
 2001-07-09 18:20:51 +00:00
Ruslan Ermilov
5521ff5a4d mdoc(7) police: sort SEE ALSO xrefs (sort -b -f +2 -3 +1 -2). 2001-07-06 16:46:48 +00:00
Ruslan Ermilov
88de1238eb mdoc(7) police: fixed formatting. 2001-07-06 07:29:59 +00:00
Chris Costello
8b136a6dde Convert to mdoc(7). 2001-06-13 21:52:07 +00:00
Mark Murray
084a46829b Big module cleanup. 
Move common stuff into Makefile.inc, and tidy up all the Makefiles
as a result.

Build new modules.

Put a commented-out dependancy on libpam for the (shared) modules.
I can't bring this in just yet, as the dependancy (modules->libpam)
is reversed for the static case (libpam->modules).
 2001-06-04 19:47:56 +00:00
Mark Murray
bc0105f860 Null file to bring back a file from the dead. This allows the real commit 
to happen remotely. Damn CVS bugs :-(
 2001-06-04 19:25:41 +00:00
Mark Murray
46efbac2ed Add the "nullok" option that causes this module to succeed if the Unix 
password is empty/null.
 2001-06-04 19:16:57 +00:00