#
325802 |
|
14-Nov-2017 |
des |
MFH (r325010): don't bother verifying a password that we know is too long.
Reported by: jkim@
Security: CVE-2016-6210
|
#
300456 |
|
23-May-2016 |
truckman |
MFC r299948
Set retval in the empty password case to avoid a path through the code that fails to set retval before falling through to the final return().
Reported by: emaste
Reported by: Coverity
CID: 1018711
|
#
300453 |
|
23-May-2016 |
truckman |
MFC r299926
Hoist the getpwnam() call outside the first if/else block in pam_sm_chauthtok(). Set user = getlogin() inside the true branch so that it is initialized for the following PAM_LOG() call. This is how it is done in pam_sm_authenticate().
Reported by: Coverity
CID: 272498
|
#
256281 |
|
10-Oct-2013 |
gjb |
Copy head (r256279) to stable/10 as part of the 10.0-RELEASE cycle.
Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation
|
#
249177 |
|
05-Apr-2013 |
jkim |
Fix declaration vs. definition inconsistency. No functional change.
|
#
239100 |
|
06-Aug-2012 |
dim |
Fix an instance in pam_krb5(8), where the variable 'user' could be used uninitialized.
Found by: clang 3.2
Reviewed by: des
MFC after: 1 week
|
#
227105 |
|
05-Nov-2011 |
ed |
Remove an unused variable from pam_unix.
This variable was added in r82352 back in 2001, but even then it didn't have any use. Because it's not marked static, the C compiler won't complain about it.
Discussed with: des
|
#
215680 |
|
22-Nov-2010 |
des |
Add <time.h> for ctime(), which we accidentally picked up through <sys/time.h>.
Submitted by: Garrett Cooper <yanegomi@gmail.com>
MFC after: 3 days
|
#
203377 |
|
02-Feb-2010 |
des |
Respect passwordtime from login.conf if set.
PR: bin/93473
Submitted by: Björn König <bkoenig@cs.tu-berlin.de>
MFC after: 1 week
|
#
174837 |
|
21-Dec-2007 |
des |
Adjust for OpenPAM Hydrangea.
|
#
167940 |
|
27-Mar-2007 |
yar |
In account management, verify whether the account has been locked with `pw lock', so that it's impossible to log into a locked account using an alternative authentication mechanism, such as an ssh key. This change affects only accounts locked with pw(8), i.e., having a `*LOCKED*' prefix in their password hash field, so people still can use a different pattern to disable password authentication only.
Mention all account management criteria in the manpage.
Approved by: maintainer (timeout)
PR: bin/71147
MFC after: 1 month
|
#
147780 |
|
05-Jul-2005 |
des |
Use the correct login class when setting a new password.
PR: 65557, 72949
Submitted by: Stephen P. Cravey <clists@gotbrains.org>
Approved by: re (scottl)
MFC after: 2 weeks
|
#
146196 |
|
13-May-2005 |
ume |
NI_WITHSCOPEID cleanup
Reviewed by: des
|
#
125650 |
|
10-Feb-2004 |
des |
Fix numerous constness and aliasing issues.
|
#
123448 |
|
11-Dec-2003 |
des |
Fix strict aliasing breakage in PAM modules (except pam_krb5, which needs more work than the others). This should make most modules build with -O2.
|
#
116394 |
|
15-Jun-2003 |
mbr |
Fix the master yppasswd routines, so they really work for root on ypmaster. yppasswd_local() did use YPPASSWDPROG instead of MASTER_YPPASSWDPROG, and the domain was not set, resulting in a coredump during xdr-encode.
Reviewed by: des
|
#
115470 |
|
31-May-2003 |
des |
Update copyright dates.
|
#
115465 |
|
31-May-2003 |
des |
Remove all instances of pam_std_option()
|
#
114265 |
|
29-Apr-2003 |
des |
Make sure rhostip is always initialized.
PR: bin/51508
Submitted by: Peter Grimshaw <peter@tesseract.demon.co.uk>
|
#
114264 |
|
29-Apr-2003 |
des |
Treat an empty PAM_RHOST the same as a NULL one.
PR: bin/51508
|
#
113969 |
|
24-Apr-2003 |
des |
Forced commit to note that the previous commit was made in response to
PR: bin/51245
|
#
113968 |
|
24-Apr-2003 |
des |
Remove a bogus null password check which assumed that a user with an empty password must necessarily have an empty pwd->pw_passwd. Also add a check that prevents users from setting a blank password unless the nullok option was specified. Root is still allowed to give anyone a blank password.
|
#
97147 |
|
22-May-2002 |
jmallett |
Free old_pwd only in the code path where it has been allocated.
Reviewed by: des
|
#
96201 |
|
07-May-2002 |
des |
Use libutil and libypclnt for all passwd manipulation and NIS needs.
Sponsored by: DARPA, NAI Labs
|
#
95516 |
|
26-Apr-2002 |
des |
Don't ask root for the old password, except in the NIS case.
Sponsored by: DARPA, NAI Labs
|
#
95477 |
|
25-Apr-2002 |
des |
Fix a really dumb bug (missing curly braces around the body of an if statement) that caused pam_sm_chauthtok() to always fail silently.
|
#
94805 |
|
15-Apr-2002 |
des |
Revert previous commit, it is incorrect.
|
#
94804 |
|
15-Apr-2002 |
obrien |
Properly spell rpcsvc/ypclnt.h and fix the build.
|
#
94717 |
|
15-Apr-2002 |
des |
Prompt for new password during update phase, not during preliminary phase.
Sponsored by: DARPA, NAI Labs
|
#
94715 |
|
15-Apr-2002 |
des |
Dike out most of the NIS code and replace it with calls to libypclnt. Rework pam_sm_chauthtok() so it (mostly?) works. The standard pw stuff still needs to move into a library somewhere.
Sponsored by: DARPA, NAI Labs
|
#
94564 |
|
12-Apr-2002 |
des |
Major cleanup:
- add __unused where appropriate
- PAM_RETURN -> return since OpenPAM already logs the return value.
- make PAM_LOG use openpam_log()
- make PAM_VERBOSE_ERROR use openpam_get_option() and check flags for PAM_SILENT
- remove dummy functions since OpenPAM handles missing service functions
- fix various warnings
Sponsored by: DARPA, NAI Labs
|
#
94203 |
|
08-Apr-2002 |
ru |
Align for const poisoning in -lutil.
|
#
94153 |
|
07-Apr-2002 |
des |
Reorganize pam_sm_authenticate() to reduce code duplication.
Sponsored by: DARPA, NAI Labs
|
#
94148 |
|
07-Apr-2002 |
des |
Fix bug in previous commit that passed the wrong default value to login_getcapstr(3). Also fix a longer-standing bug (login_close(3) frees the string returned by login_getcapstr(3)) by reorganizing the code a little, and use login_getpwclass(3) instead of login_getclass(3) if we already have a struct pwd.
Sponsored by: DARPA, NAI Labs
|
#
93984 |
|
06-Apr-2002 |
des |
Aggressive cleanup of warnings + authtok-related code in preparation for PAMifying passwd(1).
Sponsored by: DARPA, NAI Labs.
|
#
93972 |
|
06-Apr-2002 |
des |
Fix some style issues, a const warning, and abuse of PAM_ABORT.
Sponsored by: DARPA, NAI Labs
|
#
92579 |
|
18-Mar-2002 |
cjc |
Fix world breakage introduced by my recent modifications to chpass(8). The relations between libc, libpam, chpass, passwd, and vipw are a mess and probably should be cleaned up.
Submitted by: Peter Pentchev <roam@ringlet.net>
|
#
92297 |
|
14-Mar-2002 |
des |
NAI DBA update.
|
#
92274 |
|
14-Mar-2002 |
markm |
Remove the use of random(3), and encapsulate the salt-generation in its own function. The use of arc4random(3) is hopeless overkill here, but that does not hurt anything.
Requested by: ache
|
#
91714 |
|
05-Mar-2002 |
des |
Switch to OpenPAM. Bump library version. Modules are now versioned, so applications linked with Linux-PAM will still work. Remove pam_get_pass(); OpenPAM has pam_get_authtok(). Remove pam_prompt(); OpenPAM has pam_{,v}{error,info,prompt}(). Remove pam_set_item(3) man page as OpenPAM has its own.
Sponsored by: DARPA, NAI Labs
|
#
90429 |
|
09-Feb-2002 |
des |
This file needs <syslog.h>.
Sponsored by: DARPA, NAI Labs
|
#
90229 |
|
05-Feb-2002 |
des |
#include cleanup.
Sponsored by: DARPA, NAI Labs
|
#
90155 |
|
03-Feb-2002 |
markm |
Add the other half of the salt-generating code. No functional difference except that the salt is slightly harder to build dictionaries against, and the code does not use srandom[dev]().
|
#
90154 |
|
03-Feb-2002 |
markm |
Forced commit.
Previous commit included a large improvement to the salt generation to help obfuscate information that is otherwise leaked. No real risks involved, but this feels better, and does not use srandom[dev]().
|
#
90145 |
|
03-Feb-2002 |
markm |
WARNS=n fixes (and some stylistic issues).
|
#
89993 |
|
30-Jan-2002 |
des |
With asbestos longjohns on, integrate most of the checks normally done by login(1) (password & account expiry, hosts.access etc.) into pam_unix(8).
Sponsored by: DARPA, NAI Labs
|
#
89569 |
|
19-Jan-2002 |
des |
Really back out ache's commits. These files are now precisely as they were twenty-four hours ago, except for RCS ids.
|
#
89567 |
|
19-Jan-2002 |
ache |
Back out recent changes
|
#
89554 |
|
19-Jan-2002 |
ache |
Back out second right-now-expired password check in pam_sm_chauthtok, old expired password assumed there
|
#
89538 |
|
19-Jan-2002 |
ache |
Add yet one expired-right-now password check, in pam_sm_chauthtok
srandomdev() can't be used in libraries, replace srandomdev()+random() by arc4random()
|
#
89529 |
|
19-Jan-2002 |
ache |
Add missing check for right-now-expired password
|
#
85485 |
|
25-Oct-2001 |
sobomax |
Don't put an extra space after password prompts, because it violates POLA, makes FreeBSD inconsistent with previous releases and "other unices" as well as with some internal password-asking services (e.g. ftp) within the same release.
|
#
84218 |
|
30-Sep-2001 |
dillon |
Add __FBSDID()s to libpam
|
#
82358 |
|
26-Aug-2001 |
markm |
Forced commit.
Previous commit improved use of login_cap database. This can probably be further improved.
|
#
82352 |
|
26-Aug-2001 |
markm |
Big module makeover; improve logging, standardise variable names, introduce ability to change passwords for both "usual" Unix methods and NIS.
|
#
79476 |
|
09-Jul-2001 |
markm |
Clean up (and in some cases write) the PAM modules, using
o The new options-processing API
o The new DEBUG-logging API
Add man(1) pages for ALL modules. MDOC-Police welcome to check this.
Audit, clean up while I'm here.
|
#
77718 |
|
04-Jun-2001 |
markm |
Add the "nullok" option that causes this module to succeed if the Unix password is empty/null.
|
#
77142 |
|
24-May-2001 |
markm |
Add the "auth_as_self" option to the pam_unix module (there is no reason not to add it to others later). This causes the pam_unix module to check the user's _own_ password, not the password of the account that the user is authenticating into. This will allow eg: WHEELSU type behaviour from su(1).
|
#
46665 |
|
07-May-1999 |
jdp |
Revive the pam_deny and pam_permit modules from Linux-PAM. They are simple enough to be trusted.
Add account management functionality to the pam_unix module.
These changes should make it possible to use PAM in some ports.
Submitted by: Max Khon <fjoe@iclub.nsu.ru>
|
#
45387 |
|
06-Apr-1999 |
jdp |
Fix bug that prevented accounts with empty passwords from logging in.
Submitted by: Paul Traina <pst@juniper.net>
|
#
42917 |
|
20-Jan-1999 |
jdp |
Make it possible to use PAM in statically-linked applications.
|
#
41228 |
|
17-Nov-1998 |
jdp |
This commit was generated by cvs2svn to compensate for changes in r41227, which included commits to RCS files with non-trunk default branches.
|
#
41227 |
|
17-Nov-1998 |
jdp |
Build structure for contribified Linux-PAM, plus some home-grown modules for FreeBSD's standard authentication methods. Although the Linux-PAM modules are present in the contrib tree, we don't use any of them.
The main library "libpam" is composed of sources taken from three places. First are the standard Linux-PAM libpam sources from the contrib tree. Second are the Linux-PAM "libpam_misc" sources, also from the contrib tree. In Linux these form a separate library. But as Mike Smith pointed out to me, that seems pointless, so I have combined them into the libpam library. Third are some additional sources from the "src/lib/libpam" tree with some common functions that make it easier to write modules. Those I wrote myself.
This work has been donated to FreeBSD by Juniper Networks, Inc.
|