267655 |
20-Jun-2014 |
gjb |
Remove svn:mergeinfo carried over from stable/9.
Approved by: re (implicit) Sponsored by: The FreeBSD Foundation
|
267654 |
20-Jun-2014 |
gjb |
Copy stable/9 to releng/9.3 as part of the 9.3-RELEASE cycle.
Approved by: re (implicit) Sponsored by: The FreeBSD Foundation
|
263421 |
20-Mar-2014 |
des |
MFH (r254407, r254960, r255371): misc cleanup
MFH (r255386): make libssh private
MFH (r255369, r255376, r255393, r262530): import OpenPAM Nummularia
|
253154 |
10-Jul-2013 |
des |
MFH (r249479): OPENPAM_DEBUG enables debugging but does not turn it on
|
247568 |
01-Mar-2013 |
des |
Pull in OpenPAM Micrampelis from head. Also merge a few minor module changes, most importantly support for ECDSA keys in pam_ssh.
|
242544 |
04-Nov-2012 |
eadler |
MFC r241844: remove duplicate semicolons where possible.
Approved by: cperciva (implicit)
|
240582 |
17-Sep-2012 |
eadler |
MFC r240506: Bump date missed in r202756
PR: docs/171624 Approved by: cperciva (implicit)
|
239521 |
21-Aug-2012 |
dim |
MFC r239100:
Fix an instance in pam_krb5(8), where the variable 'user' could be used uninitialized.
Found by: clang 3.2 Reviewed by: des
|
239520 |
21-Aug-2012 |
dim |
MFC r239099:
Fix two instances in pam_krb5(8), where the variable 'princ_name' could be used uninitialized.
Found by: clang 3.2 Reviewed by: des
|
239453 |
20-Aug-2012 |
des |
MFH r236106: avoid segfault with SSH 1 keys
|
237247 |
19-Jun-2012 |
wblock |
MFC r235873, r235967:
Fixes to man8 groff mandoc style, usage mistakes, or typos.
PR: 168016 Submitted by: Nobuyuki Koganemaru Approved by: gjb (mentor)
|
237216 |
18-Jun-2012 |
eadler |
MFC r233648: Remove trailing whitespace per mdoc lint warning
Approved by: cperciva (implicit)
|
236116 |
26-May-2012 |
des |
MFH r226625, 226632: document what openpam_static.c is for
|
236115 |
26-May-2012 |
des |
MFH r227798, r227933: simplify build by using STATIC_CFLAGS
|
234842 |
30-Apr-2012 |
dumbbell |
MFC r233507: Use program exit status as pam_exec return code (optional)
pam_exec(8) now accepts a new option "return_prog_exit_status". When set, the program exit status is used as the pam_exec return code. It allows the program to tell why the step failed (eg. user unknown). However, if it exits with a code not allowed by the calling PAM service module function (see $PAM_SM_FUNC below), a warning is logged and PAM_SERVICE_ERR is returned.
The following changes are related to this new feature but they apply no matter if the "return_prog_exit_status" option is set or not.
The environment passed to the program is extended:
o $PAM_SM_FUNC contains the name of the PAM service module function (eg. pam_sm_authenticate).
o All valid PAM return codes' numerical values are available through variables named after the return code name. For instance, $PAM_SUCCESS, $PAM_USER_UNKNOWN or $PAM_PERM_DENIED.
pam_exec return code better reflects what went on:
o If the program exits with !0, the return code is now PAM_PERM_DENIED, not PAM_SYSTEM_ERR.
o If the program fails because of a signal (WIFSIGNALED) or doesn't terminate normally (!WIFEXITED), the return code is now PAM_SERVICE_ERR, not PAM_SYSTEM_ERR.
o If a syscall in pam_exec fails, the return code remains PAM_SYSTEM_ERR.
waitpid(2) is called in a loop. If it returns because of EINTR, do it again. Before, it would return PAM_SYSTEM_ERR without waiting for the child to exit.
Several log messages now include the PAM service module function name.
The man page is updated accordingly.
Reviewed by: des@ Sponsored by: Yakaz (http://www.yakaz.com)
MFC r234184: Fix error messages containing the executed command name
Before, we took the first argument to pam_exec(8). With the addition of options in front of the command, this could be wrong.
Now, options are parsed before calling _pam_exec() and messages contain the proper command name.
While here, fix a warning.
Sponsored by: Yakaz (http://www.yakaz.com)
|
230952 |
03-Feb-2012 |
ed |
MFC r227314:
Ensure pam_lastlog removes the /dev/ component of the TTY name.
Some consumers of PAM remove the /dev/ component (i.e. login), while others don't (i.e. su). We must ensure that the /dev/ component is removed to ensure that the utmpx entries properly work with tools such as w(1).
|
228410 |
11-Dec-2011 |
des |
MFH r227757: check for null passphrases, since openssl doesn't
Approved by: re (kib) Security: prevents users with unencrypted ssh keys (prohibited unless the nullok option is specified) from logging in by providing a bogus non-null passphrase.
|
225736 |
23-Sep-2011 |
kensmith |
Copy head to stable/9 as part of 9.0-RELEASE release cycle.
Approved by: re (implicit)
|
219564 |
12-Mar-2011 |
des |
Mention the name of the module in warning messages.
|
219563 |
12-Mar-2011 |
des |
Add "ruser" and "luser" options. The former corresponds to the current behavior, where the module checks that the supplicant is a member of the required group. The latter checks the target user instead. If neither option was specified, pam_group(8) assumes "ruser" and issues a warning. I intend to eventually change the default to "luser" to match the behavior of similarly-named service modules in other operating systems.
MFC after: 1 month
|
219426 |
09-Mar-2011 |
des |
No newline required.
MFC after: 2 weeks
|
215680 |
22-Nov-2010 |
des |
Add <time.h> for ctime(), which we accidentally picked up through <sys/time.h>.
Submitted by: Garrett Cooper <yanegomi@gmail.com> MFC after: 3 days
|
207561 |
03-May-2010 |
delphij |
Bump .Dd date.
Forgotten by: delphij
|
207555 |
03-May-2010 |
mm |
Code indent according to style(9).
PR: bin/146186 Submitted by: myself Approved by: delphij (mentor) MFC after: 2 weeks
|
207553 |
03-May-2010 |
mm |
Implement the no_user_check option to pam_krb5.
This option is available in the Linux implementation of pam_krb5 and allows to authorize a user not known to the local system.
Ccache is not used as we don't have a secure uid/gid for the cache file.
Usable for authentication of external kerberos users (e.g Active Directory) via PAM from applications like Cyrus saslauthd, PHP or perl.
PR: bin/146186 Submitted by: myself Approved by: delphij (mentor) MFC after: 2 weeks
|
204917 |
09-Mar-2010 |
des |
Upgrade to OpenSSH 5.4p1.
MFC after: 1 month
|
204596 |
02-Mar-2010 |
uqs |
Remove redundant WARNS?=6 overrides and inherit the WARNS setting from the toplevel directory.
This does not change any WARNS level and survives a make universe.
Approved by: ed (co-mentor)
|
204585 |
02-Mar-2010 |
uqs |
Always assign WARNS using ?=
- fix some nearby style bugs
- include Makefile.inc where it makes sense and reduces duplication
Approved by: ed (co-mentor)
|
203958 |
16-Feb-2010 |
ru |
%U was macroized in mdoc(7), escape.
|
203377 |
02-Feb-2010 |
des |
Respect passwordtime from login.conf if set.
PR: bin/93473 Submitted by: Björn König <bkoenig@cs.tu-berlin.de> MFC after: 1 week
|
202756 |
21-Jan-2010 |
ed |
Remove stale references to utmp(5) and its corresponding filenames.
I removed utmp and its manpage, but not other manpages referring to it.
|
202566 |
18-Jan-2010 |
ed |
Let pam_lastlog use random ut_id's.
By using random values for ut_id, not based on the TTY name, it is possible to run for example login(1) multiple times on the same TTY, without overwriting any previous records.
The output of w(1) will then be as follows:
| 12:26PM up 2 days, 2:31, 5 users, load averages: 0.01, 0.03, 0.03
| USER TTY FROM LOGIN@ IDLE WHAT
| ed pts/2 mekker.80386.nl 12:26PM - w
| root pts/2 - 12:26PM - w
| root pts/2 - 12:26PM - w
| root pts/2 - 12:26PM - w
Approved by: des
|
202522 |
17-Jan-2010 |
marcel |
Unbreak builds with _FREEFALL_CONFIG=yes, by forcing a lower WARNS level in that case.
|
202211 |
13-Jan-2010 |
ed |
Let pam_lastlog use utmpx instead of libulog's utmpx interface.
It will still use ulog_login(3) and ulog_logout(3), which will remain present.
|
201381 |
02-Jan-2010 |
ed |
Build lib/ with WARNS=6 by default.
Similar to libexec/, do the same with lib/. Make WARNS=6 the norm and lower it when needed.
I'm setting WARNS?=0 for secure/. It seems secure/ includes the Makefile.inc provided by lib/. I'm not going to touch that directory. Most of the code there is contributed anyway.
|
201033 |
26-Dec-2009 |
ed |
Several refinements to libulog's API.
- Only set the fields in the ulog_utmpx structure that are valid for the command in question. This means that strings like "shutdown" or "~" are not visible to the user anymore.
- Rename UTXF_* to UTXI_*, indicating the indexation, instead of using the `antique' filename. If we ever get rid of utmp, it makes little sense calling it by its old name.
|
200413 |
11-Dec-2009 |
ed |
Convert pam_lastlog(8) to libulog.
The information used by the "Last login:"-line is obtained by using ulog_setutxfile(3) to switch to the lastlog database. Login and logout are performed using the utility functions ulog_login(3) and ulog_logout(3).
This also means we must build libulog during bootstrap.
Approved by: des
|
199248 |
13-Nov-2009 |
des |
Note that nullok should not be used by processes that can't access the password database.
PR: bin/126650, misc/140514 MFC after: 1 week
|
197786 |
05-Oct-2009 |
des |
pam_ssh needs roaming_dummy to link correctly against libssh.
|
196650 |
30-Aug-2009 |
jon |
Prevents pam_lastlog from segfaulting on session close when tty is null.
MFC after: 1 month
|
195767 |
19-Jul-2009 |
kensmith |
Bump the version of all non-symbol-versioned shared libraries in preparation for 8.0-RELEASE. Add the previous version of those libraries to ObsoleteFiles.inc and bump __FreeBSD_Version.
Reviewed by: kib Approved by: re (rwatson)
|
194529 |
20-Jun-2009 |
des |
Rewrap; this was getting painful. Translators can ignore this.
MFC after: 1 week
|
194528 |
20-Jun-2009 |
des |
Reword.
MFC after: 1 week
|
194188 |
14-Jun-2009 |
ed |
Include <stdio.h> for asprintf().
Submitted by: Pawel Worach
|
188720 |
17-Feb-2009 |
des |
Don't try to auto-detect dynamic linking; it fails on mips. The Makefile part of the patch is an ugly (and hopefully temporary) hack.
Discussed with: imp@
|
179016 |
15-May-2008 |
dfr |
Add new heimdal-1.1 library.
|
178828 |
07-May-2008 |
dfr |
Fix conflicts after heimdal-1.1 import and add build infrastructure. Import all non-style changes made by heimdal to our own libgssapi.
|
174837 |
21-Dec-2007 |
des |
Adjust for OpenPAM Hydrangea.
|
173003 |
26-Oct-2007 |
des |
Correct documentation of ~/.opiealways
PR: 117512 Submitted by: Jeremy C. Reed <reed@reedmedia.net> MFC after: 1 week
|
172832 |
20-Oct-2007 |
ru |
- Convert NO_INSTALLLIB option to a new syntax: makefiles should test MK_INSTALLLIB, users can set WITHOUT_INSTALLLIB. The old NO_INSTALLLIB is still supported as several makefiles set it.
- While here, fix an install when instructed not to install libs (usr.bin/lex/lib/Makefile).
PR: bin/114200 Submitted by: Henrik Brix Andersen
|
171544 |
22-Jul-2007 |
des |
Apply the same error checks to PAM_TTY in pam_sm_close_session() as in pam_sm_open_session(), avoiding false negatives when no tty is present.
Submitted by: Todd C. Miller <millert@courtesan.com> Approved by: re (rwatson) MFC after: 2 weeks
|
171543 |
22-Jul-2007 |
des |
Whitespace cleanup
Approved by: re (rwatson)
|
170925 |
18-Jun-2007 |
rafan |
- Bump share library version which were missed in last bump
Reported by: jhb Discussed with: deischen, des, doubg, harti Approved by: re (kensmith)
|
170725 |
14-Jun-2007 |
yar |
Use the current user's login class for the decisions about where the nologin(5) file is located and whether the user may bypass its restriction.
Add some error checks.
Approved by: des PR: bin/107612
|
170510 |
10-Jun-2007 |
yar |
Now pam_nologin(8) will provide an account management function instead of an authentication function. There are a design reason and a practical reason for that. First, the module belongs in account management because it checks availability of the account and does no authentication. Second, there are existing and potential PAM consumers that skip PAM authentication for good or for bad. E.g., sshd(8) just prefers internal routines for public key auth; OTOH, cron(8) and atrun(8) do implicit authentication when running a job on behalf of its owner, so their inability to use PAM auth is fundamental, but they can benefit from PAM account management.
Document this change in the manpage.
Modify /etc/pam.d files accordingly, so that pam_nologin.so is listed under the "account" function class.
Bump __FreeBSD_version (mostly for ports, as this change should be invisible to C code outside pam_nologin.)
PR: bin/112574 Approved by: des, re
|
169976 |
25-May-2007 |
des |
Re-add support for NIS netgroups (heavily modified from patch in PR)
PR: bin/112955 Submitted by: A. Blake Cooper <blake@cluebie.net> MFC after: 3 weeks
|
167940 |
27-Mar-2007 |
yar |
In account management, verify whether the account has been locked with `pw lock', so that it's impossible to log into a locked account using an alternative authentication mechanism, such as an ssh key. This change affects only accounts locked with pw(8), i.e., having a `*LOCKED*' prefix in their password hash field, so people still can use a different pattern to disable password authentication only.
Mention all account management criteria in the manpage.
Approved by: maintainer (timeout) PR: bin/71147 MFC after: 1 month
|
166136 |
20-Jan-2007 |
pjd |
Send not only Access Request, but also Access Challenge with defined NAS-Identifier and NAS-IP-Address.
Reviewed by: bz MFC after: 1 month
|
164154 |
10-Nov-2006 |
des |
childerr needs to be volatile so gcc won't optimize it away.
PR: bin/85830 MFC after: 1 week
|
163273 |
12-Oct-2006 |
ru |
The pam_unix module also provides password management.
PR: docs/93491 Submitted by: Lior Kadosh MFC after: 3 days
|
162900 |
30-Sep-2006 |
ru |
Fix build.
|
162320 |
15-Sep-2006 |
des |
Reject users with names that are longer than OPIE is willing to deal with; otherwise OPIE will happily truncate it.
Spotted by: ghelmer MFC after: 2 weeks
|
162287 |
13-Sep-2006 |
joel |
Bump .Dd.
Noticed by: danger
|
162286 |
13-Sep-2006 |
joel |
Remove references to the pam(8) manual page. It does not exist.
Requested by: novel Discussed with: brueffer, simon
|
161209 |
11-Aug-2006 |
des |
Additional debugging stuff I had in my tree.
|
160434 |
17-Jul-2006 |
stefanf |
Change the GCC specific __FUNCTION__ to C99's __func__.
OK'ed by: des
|
158529 |
13-May-2006 |
des |
Add a manual dependency on ssh_namespace.h.
Discussed with: ru
|
158519 |
13-May-2006 |
des |
Introduce a namespace munging hack inspired by NetBSD to avoid polluting the namespace of applications which inadvertently link in libssh (usually through pam_ssh)
Suggested by: lukem@netbsd.org MFC after: 6 weeks
|
156915 |
20-Mar-2006 |
wkoszek |
There is no need to pass NULL to the pam_error() as the last argument. Remove it.
Reviewed by: des Approved by: cognet (mentor)
|
156872 |
19-Mar-2006 |
ru |
Fix build until I find a way to handle this case properly.
|
156870 |
19-Mar-2006 |
ru |
Revert last delta.
|
156867 |
19-Mar-2006 |
phk |
Comment out MK_PROFILE until ru@ can fix this properly
|
156854 |
18-Mar-2006 |
ru |
Convert NO_PROFILE and NO_LIB32 to new style.
|
156813 |
17-Mar-2006 |
ru |
Reimplementation of world/kernel build options. For details, see:
http://lists.freebsd.org/pipermail/freebsd-current/2006-March/061725.html
The src.conf(5) manpage is to follow in a few days.
Brought to you by: imp, jhb, kris, phk, ru (all bugs are mine)
|
156350 |
06-Mar-2006 |
yar |
Add appropriate xrefs.
MFC after: 3 days
|
156344 |
06-Mar-2006 |
yar |
Since the whole login.access feature has moved to PAM, login.access.5 will be installed from the respective PAM module's src directory.
MFC after: 3 days
|
156343 |
06-Mar-2006 |
yar |
Sync with src/usr.bin/login/login.access.5.
src/usr.bin/login/login.access.5 should be removed from use because the whole login.access feature has moved to this PAM module.
MFC after: 3 days
|
150685 |
28-Sep-2005 |
ru |
Commenting out WARNS actually brought it up to 4.
|
150655 |
28-Sep-2005 |
des |
Comment out WARNS, the OpenSSL headers don't compile cleanly on some platforms.
|
150597 |
26-Sep-2005 |
des |
Increase WARNS.
|
150596 |
26-Sep-2005 |
des |
Correct the logic for determining whether the user has already entered a password. Also, work around some harmless type pun warnings.
MFC after: 3 days
|
150455 |
22-Sep-2005 |
des |
Do not use passphraseless keys for authentication unless the nullok option was specified.
PR: bin/81231 Submitted by: "Daniel O'Connor" <doconnor@gsoft.com.au> MFC after: 3 days
|
150426 |
21-Sep-2005 |
des |
Narrow the use of user credentials. Fix one case where openpam_restore_cred() might be called twice in a row.
MFC after: 3 days
|
150339 |
19-Sep-2005 |
cperciva |
When (re)allocating space for an array of pointers to char, use sizeof(*list), not sizeof(**list). (i.e., sizeof(pointer) rather than sizeof(char)).
It is possible that this buffer overflow is exploitable, but it was added after RELENG_5 forked and hasn't been MFCed, so this will not receive an advisory.
Submitted by: Vitezslav Novy MFC after: 1 day
|
148297 |
22-Jul-2005 |
kensmith |
Bump the shared library version number of all libraries that have not been bumped since RELENG_5.
Reviewed by: ru Approved by: re (not needed for commit check but in principle...)
|
147830 |
08-Jul-2005 |
kensmith |
Missed one piece of the cluster's quirk. Need to override WARNS because if _FREEFALL_CONFIG is set gcc bails since pam_sm_setcred() in pam_krb5.c no longer uses any of its parameters.
Pointy hat: kensmith Approved by: re (scottl)
|
147810 |
07-Jul-2005 |
kensmith |
This is sort of an MFS. Peter made these changes to the RELENG_* branches but missed HEAD. This patch extends his a little bit, setting it up via the Makefiles so that adding _FREEFALL_CONFIG to /etc/make.conf is the only thing needed to cluster-ize things (current setup also requires overriding CFLAGS).
From Peter's commit to the RELENG_* branches:
> Add the freebsd.org cluster's source modifications under #ifdefs to aid
> keeping things in sync. For ksu:
> * install suid-root by default
> * don't fall back to asking for a unix password (ie: be pure kerberos)
> * allow custom user instances for things like www and not just root
The Makefile tweaks will be MFC-ed, the rest is already done.
MFC after: 3 days Approved by: re (dwhite)
|
147780 |
05-Jul-2005 |
des |
Use the correct login class when setting a new password.
PR: 65557, 72949 Submitted by: Stephen P. Cravey <clists@gotbrains.org> Approved by: re (scottl) MFC after: 2 weeks
|
147458 |
17-Jun-2005 |
des |
Update for OpenPAM Figwort.
Approved by: re (kensmith)
|
147402 |
15-Jun-2005 |
ru |
Assorted markup fixes.
Approved by: re
|
147350 |
13-Jun-2005 |
des |
Don't use a cast as an lvalue. Add a redundant test to make it painfully obvious to the reader that this code does not support IPv6.
Approved by: re (dwhite) MFC after: 1 week
|
147226 |
10-Jun-2005 |
des |
Use appropriate error codes for each facility instead of just PAM_AUTH_ERR.
Noticed by: pjd
|
147098 |
07-Jun-2005 |
des |
Revert the commits that made libssh an INTERNALLIB; they caused too much trouble, especially on amd64.
Requested by: ru
|
147058 |
06-Jun-2005 |
des |
Fix libssh dependency.
|
146196 |
13-May-2005 |
ume |
NI_WITHSCOPEID cleanup
Reviewed by: des
|
141846 |
13-Feb-2005 |
ru |
Expand *n't contractions.
|
141102 |
01-Feb-2005 |
des |
In addition to the PAM environment, export a handful of useful PAM items.
Suggested by: Ed Maste <emaste@phaedrus.sandvine.ca>
|
141101 |
01-Feb-2005 |
des |
Add openpam_free_envlist(3).
|
140747 |
24-Jan-2005 |
rwatson |
When "no_ccache" is set as an argument to the pam_krb5 module, don't copy the acquired TGT from the in-memory cache to the on-disk cache at login. This was documented but un-implemented behavior.
MFC after: 1 week PR: bin/64464 Reported and tested by: Eric van Gyzen <vangyzen at stat dot duke dot edu>
|
140667 |
23-Jan-2005 |
rwatson |
The final argument to verify_krb_v5_tgt() is the debug flag, not the ticket forwardable flag, so key generation of debugging output to "debug" rather than "forwardable".
Update copyright.
MFC after: 3 days
|
140568 |
21-Jan-2005 |
ru |
Fixed xref.
|
139113 |
21-Dec-2004 |
ru |
NOCRYPT -> NO_CRYPT
|
139110 |
21-Dec-2004 |
ru |
NOINSTALLLIB -> NO_INSTALLLIB
|
139106 |
21-Dec-2004 |
ru |
NODOCCOMPRESS -> NO_DOCCOMPRESS
NOINFO -> NO_INFO
NOINFOCOMPRESS -> NO_INFOCOMPRESS
NOLINT -> NO_LINT
NOPIC -> NO_PIC
NOPROFILE -> NO_PROFILE
|
137675 |
13-Nov-2004 |
bz |
Add knob NO_NIS (fka NO_YP_LIBC) and make world compilable when set. If turned on no NIS support and related programs will be built.
Lost parts rediscovered by: Danny Braniss <danny at cs.huji.ac.il> PR: bin/68303 No objections: des, gshapiro, nectar Reviewed by: ru Approved by: rwatson (mentor) MFC after: 2 weeks
|
136910 |
24-Oct-2004 |
ru |
For variables that are only checked with defined(), don't provide any fake value.
|
133196 |
06-Aug-2004 |
cperciva |
Join the 21st century: Cryptography is no longer an optional component of releases. The -DNOCRYPT build option still exists for anyone who really wants to build non-cryptographic binaries, but the "crypto" release distribution is now part of "base", and anyone installing from a release will get cryptographic binaries.
Approved by: re (scottl), markm Discussed on: freebsd-current, in late April 2004
|
132759 |
28-Jul-2004 |
kan |
Downgrade WARNS level for GCC 3.4.2.
|
131608 |
05-Jul-2004 |
ru |
Markup nits.
|
131594 |
04-Jul-2004 |
ru |
Sort SEE ALSO references (in dictionary order, ignoring case).
|
131504 |
02-Jul-2004 |
ru |
Mechanically kill hard sentence breaks.
|
131479 |
02-Jul-2004 |
ru |
Deal with unsafe tab characters.
|
131421 |
01-Jul-2004 |
ru |
Markup, grammar, punctuation.
|
131100 |
25-Jun-2004 |
kan |
Revert the last change. There are more 64bit platforms than amd64, and they break due to different alignment restrictions.
|
131077 |
25-Jun-2004 |
kan |
Remove the use of cast as lvalue.
|
127023 |
15-Mar-2004 |
des |
Add -DDEBUG to DEBUG_FLAGS if PAM_DEBUG is defined.
|
126643 |
05-Mar-2004 |
markm |
Make NULL a (void*)0 wherever possible, and fix the warnings(-Werror) that this provokes. "Wherever possible" means "In the kernel OR NOT C++" (implying C).
There are places where (void *) pointers are not valid, such as for function pointers, but in the special case of (void *)0, agreement settles on it being OK.
Most of the fixes were NULL where an integer zero was needed; many of the fixes were NULL where ascii <nul> ('\0') was needed, and a few were just "other".
Tested on: i386 sparc64
|
125668 |
10-Feb-2004 |
cperciva |
style cleanup: Remove duplicate $FreeBSD$ tags.
These files had tags after the copyright notice, inside the comment block (incorrect, removed), and outside the comment block (correct).
Approved by: rwatson (mentor)
|
125650 |
10-Feb-2004 |
des |
Fix numerous constness and aliasing issues.
|
125432 |
04-Feb-2004 |
ru |
Put libraries in the link order.
Reported by: lorder(1) (modified to work with libraries)
|
125426 |
04-Feb-2004 |
ru |
This module doesn't use libgssapi (and it looks never did).
|
125046 |
26-Jan-2004 |
des |
Implement pam_sm_close_session().
PR: bin/61657 Submitted by: Joe R. Doupnik <jrd@cc.usu.edu>
|
124675 |
18-Jan-2004 |
ru |
Deal better with the crypto version of the PAM library that goes on the release media -- only put what is different in the crypto version compared to the base version. This reduces PAM entries in /usr/lib in the "crypto" distribution to:
libpam.a libpam.so@ libpam.so.2 pam_krb5.so@ pam_krb5.so.2 pam_ksu.so@ pam_ksu.so.2 pam_ssh.so@ pam_ssh.so.2
The libpam.so* is still redundant (it is identical to the "base" version), but we can't set DISTRIBUTION differently for libpam.a and libpam.so.
(The removal of libpam.so* from the crypto distribution could be addressed by the release/scripts/crypto-make.sh script, but then we'd also need to remove redundant PAM headers, and I'm not sure this is worth a hassle.)
|
124665 |
18-Jan-2004 |
ru |
DISTRIBUTION is normally single-valued.
|
124615 |
17-Jan-2004 |
schweikh |
Remove crossref to pam.conf(5) which never existed.
|
124491 |
13-Jan-2004 |
ru |
bsd.dep.mk,v 1.43 allows us to replace a hack with a solution.
|
123455 |
11-Dec-2003 |
des |
Fix a strict aliasing issue. Also remove an unnecessary pam_get_item() call (pam_get_authtok() will return the previous token if try_first_pass or use_first_pass is specified). Incidentally fix an ugly bug where the buffer holding the prompt was freed immediately before use, instead of after.
|
123454 |
11-Dec-2003 |
des |
More strict aliasing fixes.
Submitted by: Andreas Hauser <andy-freebsd@splashground.de>
|
123448 |
11-Dec-2003 |
des |
Fix strict aliasing breakage in PAM modules (except pam_krb5, which needs more work than the others). This should make most modules build with -O2.
|
122589 |
12-Nov-2003 |
sobomax |
Fix on sparc64.
Reported by: rwatson/tinderbox MFC after: 2 weeks
|
122571 |
12-Nov-2003 |
sobomax |
Add a new configuration variable - nas_ipaddr, which if set allows to set NAS-IP-Address attribute in requests generated by the pam_radius module. This attribute is mandatory for some Radius servers out there.
Reviewed by: des MFC after: 2 weeks
|
121166 |
17-Oct-2003 |
kensmith |
- fix to UID test description, non-zero -> zero
PR: docs/57799 Reviewed by: des Approved by: blackend (mentor)
|
120231 |
19-Sep-2003 |
des |
Ignore ECHILD from waitpid(2) (our child may have been reaped by the calling process's SIGCHLD handler)
PR: bin/45669
|
117841 |
21-Jul-2003 |
des |
Revert previous commit after fixing libpam.
|
117638 |
15-Jul-2003 |
des |
Add a __DECONST() to unbreak the build.
|
116394 |
15-Jun-2003 |
mbr |
Fix the master yppasswd routines, so they really work for root on ypmaster. yppasswd_local() did use YPPASSWDPROG instead of MASTER_YPPASSWDPROG, and the domain was not set, resulting in a coredump during xdr-encode.
Reviewed by: des
|
115622 |
01-Jun-2003 |
des |
Add openpam_readline(3).
|
115617 |
01-Jun-2003 |
des |
Retire pam_wheel(8) (which has been disconnected for quite a while) and pam_ftp(8).
|
115581 |
31-May-2003 |
des |
Don't build pam_std_option().
|
115470 |
31-May-2003 |
des |
Update copyright dates.
|
115466 |
31-May-2003 |
des |
Remove pam_std_option() and related functions. Add #defines for common options.
|
115465 |
31-May-2003 |
des |
Remove all instances of pam_std_option()
|
115462 |
31-May-2003 |
des |
Introduce pam_guest(8) which will replace pam_ftp(8).
|
115288 |
24-May-2003 |
ru |
mdoc(7) fixes.
Approved by: re (blanket)
|
115157 |
19-May-2003 |
des |
Retire the useless NOSECURE knob.
Approved by: re (scottl)
|
114753 |
05-May-2003 |
des |
OpenPAM is WARNS6-clean.
|
114709 |
05-May-2003 |
markm |
Turn MAKE_KERBEROS5 into NO_KERBEROS by negating the logic. Some extra cleanups were necessary in release/Makefile, and the tinderbox code was syntax checked, not run checked.
|
114464 |
01-May-2003 |
markm |
Transmute more "krb5" distributions into "crypto".
|
114428 |
01-May-2003 |
des |
Use C99-style variadic macros instead of the non-standard gcc syntax.
|
114424 |
01-May-2003 |
des |
Mark libpam as c99- and WARNS5-clean.
|
114265 |
30-Apr-2003 |
des |
Make sure rhostip is always initialized.
PR: bin/51508 Submitted by: Peter Grimshaw <peter@tesseract.demon.co.uk>
|
114264 |
30-Apr-2003 |
des |
Treat an empty PAM_RHOST the same as a NULL one.
PR: bin/51508
|
114262 |
30-Apr-2003 |
des |
Set $HOME to the correct directory (within the chroot tree).
|
113968 |
24-Apr-2003 |
des |
Remove a bogus null password check which assumed that a user with an empty password must necessarily have an empty pwd->pw_passwd. Also add a check that prevents users from setting a blank password unless the nullok option was specified. Root is still allowed to give anyone a blank password.
|
113261 |
08-Apr-2003 |
des |
Connect the pam_chroot(8) module to the build.
|
113260 |
08-Apr-2003 |
des |
Add a cwd option which specifies where to chdir(2) after the chroot(2). When using the /home/./foo scheme, this defaults to the rhs (/foo); otherwise it defaults to /.
|
112857 |
30-Mar-2003 |
des |
Experimental pam_chroot module (not connected to the build)
|
112058 |
10-Mar-2003 |
des |
This module is not WARNS-clean, due to brokenness in OpenSSL headers.
|
112057 |
10-Mar-2003 |
des |
Somewhat better wording.
|
112056 |
10-Mar-2003 |
des |
Silence warning caused by OPIE brokenness.
|
112044 |
09-Mar-2003 |
obrien |
style.Makefile(5) police (I've tried to keep to the spirit of the original formatting)
Reviewed by: des
|
111986 |
08-Mar-2003 |
markm |
KerberosIV de-orbit burn continues. Remove the KerberosIV PAM module.
|
111985 |
08-Mar-2003 |
markm |
Comment-only assistance to lint to kill warnings.
|
111811 |
03-Mar-2003 |
ru |
mdoc(7) police: Nits.
|
111285 |
23-Feb-2003 |
ru |
mdoc(7) police: markup laundry.
|
110991 |
16-Feb-2003 |
des |
Add an "allow_local" option which forces historical behaviour.
|
110968 |
15-Feb-2003 |
des |
Assume "localhost" if no remote host was specified. This is safe from a POLA point of view since the stock /etc/opieaccess now allows localhost.
|
110653 |
10-Feb-2003 |
des |
Use pam_get_user(3) instead of pam_get_item(3) where appropriate.
|
110598 |
09-Feb-2003 |
des |
Complete rewrite of pam_ssh(8). The previous version was becoming hard to maintain, and had security issues which would have required a major rewrite to address anyway.
This implementation currently starts a separate agent for each session instead of connecting each new session to the agent started by the first one. While this would be a Good Thing (and the old pam_ssh(8) tried to do it), it's hard to get right. I'll revisit this issue when I've had a chance to test some modifications to ssh-agent(1).
|
110455 |
06-Feb-2003 |
des |
Maybe I was a little too fast? Remove debugging code, and commit the Makefile and man page which I'd forgotten to 'cvs add'.
Sponsored by: DARPA, NAI Labs
|
110453 |
06-Feb-2003 |
des |
Replace pam_wheel(8) with pam_group(8) which has a cleaner interface. The pam_wheel(8) module was written to work in spite of a broken libpam, and has grown organically since its inception, which is reflected in both its functionality and implementation. Rather than clean up pam_wheel(8) and break backward compatibility, I've chosen to reimplement it under a new, more generic name.
Sponsored by: DARPA, NAI Labs
|
110452 |
06-Feb-2003 |
des |
Make sure the message is only printed once.
|
110451 |
06-Feb-2003 |
des |
Don't blame markm for what he didn't do - writing these man pages, for instance. Also bump the date since I made substantial modifications earlier today.
|
110448 |
06-Feb-2003 |
des |
Update copyright.
|
110447 |
06-Feb-2003 |
des |
Add support for escape sequences in the arguments (e.g. %u for user name)
Sponsored by: DARPA, NAI Labs
|
110446 |
06-Feb-2003 |
des |
Export the PAM environment to the child process instead of the "normal" environment list, which may be unsafe and / or sensitive.
Sponsored by: DARPA, NAI Labs
|
110438 |
06-Feb-2003 |
des |
Minimal manual page for pam_kerberosIV(8).
Sponsored by: DARPA, NAI Labs
|
110275 |
03-Feb-2003 |
des |
In pam_sm_acct_mgmt(), retrieve the cached credentials before trying to initialize the context. This way, a failure to initialize the context is not fatal unless we actually have work to do - because if we don't, we return PAM_SUCCESS without even trying to initialize the context.
|
110274 |
03-Feb-2003 |
des |
Whitespace cleanup
|
110240 |
02-Feb-2003 |
des |
OpenPAMify.
|
110056 |
29-Jan-2003 |
nectar |
Do not return inappropriate error codes in pam_sm_setcred.
|
109069 |
10-Jan-2003 |
nectar |
About September 2001, I consulted with all the previous authors of pam_krb5 to consolidate the copyright texts. The semi-official pam_krb5 module has been distributed with this new license text ever since, but I'm just now getting around to updating the text here.
|
108317 |
27-Dec-2002 |
schweikh |
english(4) police.
|
108217 |
23-Dec-2002 |
ru |
mdoc(7) police: removed gratuitous .Pp call.
|
107934 |
16-Dec-2002 |
des |
Merge in most non-style differences from Andrew Korty's pam_ssh 1.7.
|
107771 |
12-Dec-2002 |
ru |
mdoc(7) police: .Dt is ALL UPPERCASE.
Approved by: re
|
107387 |
29-Nov-2002 |
ru |
mdoc(7) police: formatting nits.
Approved by: re
|
107381 |
28-Nov-2002 |
des |
Whitespace nits.
Approved by: re (bmah)
|
107380 |
28-Nov-2002 |
des |
Add a PAM_MODULE_ENTRY to this module so it'll actually do something.
Approved by: re (bmah)
|
106966 |
15-Nov-2002 |
peter |
utmp.ut_time and lastlog.ll_time are explicitly int32_t rather than time_t. Deal with the possibility that time_t != int32_t. This boils down to this sort of thing: - time(&ut.ut_time); + ut.ut_time = time(NULL); and similar for ctime(3) etc. I've kept it minimal for the stuff that may need to be portable (or 3rd party code), but used Matt's time32 stuff for cases where that isn't as much of a concern.
Approved by: re (jhb)
|
106921 |
14-Nov-2002 |
ru |
Make dynamic PAM modules depend on dynamic PAM library.
Requested by: des, markm
|
106864 |
13-Nov-2002 |
nectar |
The pam_krb5 module stored a reference to a krb5_ccache structure as PAM module state (created in pam_sm_authenticate and referenced later in pam_sm_setcred and pam_sm_acct_mgmt). However, the krb5_ccache structure shares some data members with the krb5_context structure that was used in its creation. Since a new krb5_context is created and destroyed at each PAM entry point, this inevitably caused the krb5_ccache structure to reference free'd memory.
Now instead of storing a pointer to the krb5_ccache structure, we store the name of the cache (e.g. `MEMORY:0x123CACHE') in pam_sm_authenticate, and resolve the name in the other entry points.
This bug was uncovered by phkmalloc's free'd memory scrubbing.
Approved by: re (jhb)
|
106862 |
13-Nov-2002 |
nectar |
Use `krb5_get_err_text' instead of `error_message' so that instead of e.g.
Unknown error: -1765328378
we get
Client not found in Kerberos database
Another way to accomplish this would have been to leave `error_message' alone, but to explicitly load the Kerberos com_err error tables. However, I don't really like the idea of a PAM module dorking with global tables.
Approved by: re (jhb)
|
106082 |
28-Oct-2002 |
des |
Allow the admin to specify a different NAS identifier than the hostname.
Submitted by: Boris Kovalenko <boris@ntmk.ru>
|
105373 |
18-Oct-2002 |
rwatson |
Introduce 'exempt_if_empty' option to pam_wheel(8), which bypasses the group membership requirement if the group has no explicit members listed in /etc/group. By default, this group is the wheel group; setting this flag restores the default BSD behavior from 4.x.
Reviewed by: markm Requested by: various Sponsored by: DARPA, Network Associates Laboratories
|
104902 |
11-Oct-2002 |
ru |
Build kerberized versions of the PAM library, and install them into corresponding distributions during "make release". (This also cleans the "slib" distribution up from the .o files.)
PR: misc/43825 (inspired by)
|
104073 |
28-Sep-2002 |
peter |
Zap now-unused SHLIB_MINOR
|
103436 |
17-Sep-2002 |
peter |
Initiate deorbit burn for the i386-only a.out related support. Moves are under way to move the remnants of the a.out toolchain to ports. As the comment in src/Makefile said, this stuff is deprecated and one should not expect this to remain beyond 4.0-REL. It has already lasted WAY beyond that.
Notable exceptions:
gcc - I have not touched the a.out generation stuff there.
ldd/ldconfig - still have some code to interface with a.out rtld.
old as/ld/etc - I have not removed these yet, pending their move to ports.
some includes - necessary for ldd/ldconfig for now.
Tested on: i386 (extensively), alpha
|
100917 |
30-Jul-2002 |
des |
Since pam_get_authtok(3) doesn't know about our options structure, setting the PAM_ECHO_PASS option on-the-fly is a NOP (though it wasn't with the old pam_get_pass(3) code). Instead, call pam_prompt(3) directly. This actually simplifies the code a bit.
MFC after: 3 days
|
100584 |
23-Jul-2002 |
des |
Install more man pages - I thought I'd committed this ages ago...
|
97931 |
06-Jun-2002 |
ru |
Tidy up.
|
97625 |
30-May-2002 |
des |
Missed one in previous commit.
Pointed out by: nectar
|
97608 |
30-May-2002 |
ru |
mdoc(7) police: kill whitespace at EOL.
|
97607 |
30-May-2002 |
ru |
mdoc(7) police: polish markup.
|
97606 |
30-May-2002 |
ru |
mdoc(7) police: tidy up the markup.
|
97426 |
28-May-2002 |
nectar |
Add pam_ksu(8), a module to do Kerberos 5 authentication and $HOME/.k5login authorization for su(1).
Reviewed by: des (earlier version)
|
97245 |
24-May-2002 |
des |
Add openpam_nullconv.3.
|
97244 |
24-May-2002 |
des |
Add missing include.
|
97182 |
23-May-2002 |
des |
Just to show that PAM can do almost anything from the ridiculous to the obscene, or - as they say in New York - sophisticated, add pam_echo(8) and pam_exec(8) to our ever-lengthening roster of PAM modules.
Sponsored by: DARPA, NAI Labs.
|
97148 |
23-May-2002 |
des |
Hide a couple of unguarded error returns behind the no_fail test.
|
97147 |
22-May-2002 |
jmallett |
Free old_pwd only in the code path where it has been allocated.
Reviewed by: des
|
96688 |
15-May-2002 |
obrien |
Do not build pam_ssh if NOSECURE is set (NO_OPENSSL is on a subset of NOSECURE)
|
96512 |
13-May-2002 |
ru |
Major cleanup of bsd.lib.mk.
Get rid of the INTERNALSTATICLIB knob and just use plain INTERNALLIB. INTERNALLIB now means to build static library only and don't install anything. Added a NOINSTALLLIB knob for libpam/modules. To not build any library at all, just do not set LIB.
|
96462 |
12-May-2002 |
ru |
Added new bsd.incs.mk which handles installing of header files via INCS. Implemented INCSLINKS (equivalent to SYMLINKS) to handle symlinking include files. Allow for multiple groups of include files to be installed, with the powerful INCSGROUPS knob. Documentation to follow.
Added standard `includes' and `incsinstall' targets, use them in Makefile.inc1. Headers from the following makefiles were not installed before (during `includes' in Makefile.inc1):
kerberos5/lib/libtelnet/Makefile lib/libbz2/Makefile lib/libdevinfo/Makefile lib/libform/Makefile lib/libisc/Makefile lib/libmenu/Makefile lib/libmilter/Makefile lib/libpanel/Makefile
Replaced all `beforeinstall' targets for installing includes with the INCS stuff.
Renamed INCDIR to INCSDIR, for consistency with FILES and SCRIPTS, and for compatibility with NetBSD. Similarly for INCOWN, INCGRP, and INCMODE.
Consistently use INCLUDEDIR instead of /usr/include.
gnu/lib/libstdc++/Makefile and gnu/lib/libsupc++/Makefile changes were only lightly tested due to the missing contrib/libstdc++-v3. I fully tested the pre-WIP_GCC31 version of this patch with the contrib/libstdc++.295 stuff.
These changes have been tested on i386 with the -DNO_WERROR "make world" and "make release".
|
96444 |
12-May-2002 |
des |
Don't declare krb5_mcc_ops, it's already declared in <krb5.h>
|
96201 |
08-May-2002 |
des |
Use libutil and libypclnt for all passwd manipulation and NIS needs.
Sponsored by: DARPA, NAI Labs
|
96192 |
08-May-2002 |
des |
Add a no_fail option.
Sponsored by: DARPA, NAI Labs
|
96191 |
08-May-2002 |
des |
Add pam_ftpusers(8), which enforces /etc/ftpusers.
Sponsored by: DARPA, NAI Labs
|
95911 |
02-May-2002 |
des |
Add openpam_nullconv.c to SRCS.
|
95516 |
26-Apr-2002 |
des |
Don't ask root for the old password, except in the NIS case.
Sponsored by: DARPA, NAI Labs
|
95477 |
26-Apr-2002 |
des |
Fix a really dumb bug (missing curly braces around the body of an if statement) that caused pam_sm_chauthtok() to always fail silently.
|
95136 |
20-Apr-2002 |
des |
Oops, fix an inverted if test.
|
95135 |
20-Apr-2002 |
des |
Strip /dev/ from tty name, and clean up the "last login" printout.
Sponsored by: DARPA, NAI Labs
|
94923 |
17-Apr-2002 |
ru |
Revert previous change. bsd.dep.mk,v 1.31 had a bug that was fixed in revision 1.32 and made this change OBE.
|
94892 |
16-Apr-2002 |
des |
Add a missing .El and fix a typo.
Spotted by: Solar Designer <solar@openwall.com> Sponsored by: DARPA, NAI Labs
|
94842 |
16-Apr-2002 |
ru |
Reflect change in share/mk/bsd.dep.mk,v 1.31.
|
94805 |
15-Apr-2002 |
des |
Revert previous commit, it is incorrect.
|
94804 |
15-Apr-2002 |
obrien |
Properly spell rpcsvc/ypclnt.h and fix the build.
|
94761 |
15-Apr-2002 |
des |
Throw in NO_WERROR to please the peanut gallery.
|
94734 |
15-Apr-2002 |
des |
Use PAM_SUCCESS instead of PAM_IGNORE.
|
94728 |
15-Apr-2002 |
des |
Whitespace nits.
|
94727 |
15-Apr-2002 |
des |
Add a manual page based on Solar Designer's README.
Sponsored by: DARPA, NAI Labs
|
94726 |
15-Apr-2002 |
des |
pam_passwdqc depends on libcrypt.
|
94717 |
15-Apr-2002 |
des |
Prompt for new password during update phase, not during preliminary phase.
Sponsored by: DARPA, NAI Labs
|
94715 |
15-Apr-2002 |
des |
Dike out most of the NIS code and replace it with calls to libypclnt. Rework pam_sm_chauthtok() so it (mostly?) works. The standard pw stuff still needs to move into a library somewhere.
Sponsored by: DARPA, NAI Labs
|
94693 |
14-Apr-2002 |
des |
pam_passwdqc builds now.
|
94675 |
14-Apr-2002 |
des |
More recent versions of pam_passwdqc (not yet released) build with very few warnings.
|
94674 |
14-Apr-2002 |
des |
New files in OpenPAM Cineraria.
Sponsored by: DARPA, NAI Labs
|
94673 |
14-Apr-2002 |
des |
Cosmetic nit.
|
94662 |
14-Apr-2002 |
des |
Cast a ptrdiff_t to int before using it as a printf field width.
|
94574 |
13-Apr-2002 |
des |
Change || into && (braino in previous commit). Also append \n to the error message.
|
94564 |
12-Apr-2002 |
des |
Major cleanup:
- add __unused where appropriate
- PAM_RETURN -> return since OpenPAM already logs the return value.
- make PAM_LOG use openpam_log()
- make PAM_VERBOSE_ERROR use openpam_get_option() and check flags for PAM_SILENT
- remove dummy functions since OpenPAM handles missing service functions
- fix various warnings
Sponsored by: DARPA, NAI Labs
|
94551 |
12-Apr-2002 |
des |
Add a pam_rhosts module, loosely based on code submitted by Danny Braniss.
Submitted by: Danny Braniss <danny@cs.huji.ac.il> Sponsored by: DARPA, NAI Labs
|
94550 |
12-Apr-2002 |
des |
Rename the even_root option to allow_root.
Sponsored by: DARPA, NAI Labs
|
94428 |
11-Apr-2002 |
ru |
Reimplement the hack to put pam_static.o into .depend with some magic.
|
94372 |
10-Apr-2002 |
ru |
Moved SHLIB_NAME definition into one place.
Approved by: des
|
94371 |
10-Apr-2002 |
ru |
Fixed broken "make depend; make clean; make all" sequence.
I've looked for this example for a long time, to demonstrate to some people why it's a really BAD idea to use ${.OBJDIR} instead of ".". I hope these people are reading this. :-)
Approved by: des
|
94370 |
10-Apr-2002 |
ru |
Fix broken `checkdpadd'.
-lroken is an installable library, there's no need to give an explicit path to it. In any case, -L paths should be specified in LDFLAGS if needed.
Approved by: des
|
94369 |
10-Apr-2002 |
ru |
Don't override standard _EXTRADEPEND actions, add to them. Fix CLEANFILES. Collapse openpam_static_modules.o generation.
|
94217 |
08-Apr-2002 |
des |
Remove debugging code that was inadvertently brought in by previous commit.
|
94216 |
08-Apr-2002 |
des |
Use OpenPAM's credential switching functions.
Sponsored by: DARPA, NAI Labs
|
94212 |
08-Apr-2002 |
des |
Add new files and man pages from OpenPAM Cinchona.
Sponsored by: DARPA, NAI Labs
|
94211 |
08-Apr-2002 |
des |
Remove commented-out WARNS thingy.
|
94203 |
08-Apr-2002 |
ru |
Align for const poisoning in -lutil.
|
94153 |
07-Apr-2002 |
des |
Reorganize pam_sm_authenticate() to reduce code duplication.
Sponsored by: DARPA, NAI Labs
|
94148 |
07-Apr-2002 |
des |
Fix bug in previous commit that passed the wrong default value to login_getcapstr(3). Also fix a longer-standing bug (login_close(3) frees the string returned by login_getcapstr(3)) by reorganizing the code a little, and use login_getpwclass(3) instead of login_getclass(3) if we already have a struct pwd.
Sponsored by: DARPA, NAI Labs
|
94084 |
07-Apr-2002 |
des |
This one needs NO_WERROR too.
|
94027 |
07-Apr-2002 |
des |
Turn on NO_WERROR due to namespace pollution in krb5 headers.
|
93984 |
06-Apr-2002 |
des |
Aggressive cleanup of warnings + authtok-related code in preparation for PAMifying passwd(1).
Sponsored by: DARPA, NAI Labs.
|
93981 |
06-Apr-2002 |
des |
Disconnect pam_passwdqc for now, it has some issues that need resolving.
|
93972 |
06-Apr-2002 |
des |
Fix some style issues, a const warning, and abuse of PAM_ABORT.
Sponsored by: DARPA, NAI Labs
|
93907 |
05-Apr-2002 |
des |
Remove some duplicate free()s and add some that were missing.
Submitted by: tmm
|
93875 |
05-Apr-2002 |
des |
pam_get_pass() -> pam_get_authtok()
|
93804 |
04-Apr-2002 |
des |
Upgrade to something quite close, but not identical, to version 1.6 of Andrew Korty's pam_ssh. The most notable difference is that this uses commas rather than colons to separate items in the "keyfiles" option.
Sponsored by: DARPA, NAI Labs
|
93790 |
04-Apr-2002 |
des |
Add pam_passwdqc to the build.
Sponsored by: DARPA, NAI Labs
|
92939 |
22-Mar-2002 |
markm |
Fix for OPIE 2.4.
|
92593 |
18-Mar-2002 |
ru |
mdoc(7) police: fix SYNOPSIS, sort xrefs, kill extra whitespace.
|
92592 |
18-Mar-2002 |
ru |
mdoc(7) police: nits.
|
92591 |
18-Mar-2002 |
ru |
mdoc(7) police: sort xrefs, kill extra whitespace.
|
92579 |
18-Mar-2002 |
cjc |
Fix world breakage introduced by my recent modifications to chpass(8). The relations between libc, libpam, chpass, passwd, and vipw are a mess and probably should be cleaned up.
Submitted by: Peter Pentchev <roam@ringlet.net>
|
92357 |
15-Mar-2002 |
ru |
mdoc(7) police: tiny fixes.
|
92356 |
15-Mar-2002 |
ru |
mdoc(7) police: expand contractions.
|
92297 |
14-Mar-2002 |
des |
NAI DBA update.
|
92274 |
14-Mar-2002 |
markm |
Remove the use of random(3), and encapsulate the salt-generation in its own function. The use of arc4random(3) is hopeless overkill here, but that does not hurt anything.
Requested by: ache
|
91820 |
07-Mar-2002 |
sobomax |
Don't ignore system CFLAGS.
|
91815 |
07-Mar-2002 |
markm |
Fix build for OpenPAM. The directories needed tweaking.
|
91798 |
07-Mar-2002 |
des |
This file is not needed any more
|
91772 |
07-Mar-2002 |
green |
Now pam_alreadyloggedin lives in the ports.
|
91759 |
06-Mar-2002 |
green |
Add the pam_alreadyloggedin(8) module, which allows for authentication based on information that the user is already logged in.
Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
|
91752 |
06-Mar-2002 |
roam |
Unbreak the pam_krb5 build: cast a couple of const pointers to normal char *. A better fix might be some const'ifying of the Heimdal code, but this will do to fix the build for the present.
Approved by: des
|
91742 |
06-Mar-2002 |
des |
Add forgotten NOPROFILE that broke world.
|
91714 |
05-Mar-2002 |
des |
Switch to OpenPAM. Bump library version. Modules are now versioned, so applications linked with Linux-PAM will still work. Remove pam_get_pass(); OpenPAM has pam_get_authtok(). Remove pam_prompt(); OpenPAM has pam_{,v}{error,info,prompt}(). Remove pam_set_item(3) man page as OpenPAM has its own.
Sponsored by: DARPA, NAI Labs
|
91680 |
05-Mar-2002 |
des |
Add missing dependency on libutil.
|
90955 |
20-Feb-2002 |
sobomax |
Create /var/log/lastlog if it doesn't exist.
Submitted by: des
|
90429 |
09-Feb-2002 |
des |
This file needs <syslog.h>.
Sponsored by: DARPA, NAI Labs
|
90405 |
08-Feb-2002 |
ru |
Now that cross-tools ld(1) has been fixed to look for dynamic dependencies in the correct place, record the fact that -lssh depends on -lcrypto and -lz.
Removed false dependencies on -lz (except ssh(1) and sshd(8)). Removed false dependencies on -lcrypto and -lutil for scp(1).
Reviewed by: markm
|
90315 |
06-Feb-2002 |
markm |
Remove NO_WERROR, now that WARNS=n is gone.
|
90314 |
06-Feb-2002 |
markm |
Comment out the WARNS= so as to not trample all over the GCC3 work.
|
90237 |
05-Feb-2002 |
des |
Three times lucky: <stddef.h>, not <sys/param.h>
|
90236 |
05-Feb-2002 |
des |
Oops, the correct header to include for NULL is <sys/param.h>.
|
90230 |
05-Feb-2002 |
des |
#include <sys/types.h> for NULL (hidden by Linux-PAM header pollution)
Sponsored by: DARPA, NAI Labs
|
90229 |
05-Feb-2002 |
des |
#include cleanup.
Sponsored by: DARPA, NAI Labs
|
90203 |
04-Feb-2002 |
markm |
Explicitly declare (gcc internal) functions.
Submitted by: ru
|
90195 |
04-Feb-2002 |
des |
ssh_get_authentication_connection() gets its parameters from environment variables, so temporarily switch to the PAM environment before calling it.
Submitted by: Takanori Saneto <sanewo@ba2.so-net.ne.jp>
|
90188 |
04-Feb-2002 |
markm |
Protect "make buildworld" against -Werror, as this module does not build cleanly.
|
90155 |
04-Feb-2002 |
markm |
Add the other half of the salt-generating code. No functional difference except that the salt is slightly harder to build dictionaries against, and the code does not use srandom[dev]().
|
90147 |
03-Feb-2002 |
markm |
Turn on fascist warning mode.
|
90145 |
03-Feb-2002 |
markm |
WARNS=n fixes (and some stylistic issues).
|
90119 |
02-Feb-2002 |
des |
Remove an unnecessary #include that trips up OpenPAM. The header in question is an internal Linux-PAM header which shouldn't be used outside Linux-PAM itself, and has absolutely zero effect on pam_ftp.
Sponsored by: DARPA, NAI Labs MFC after: 1 week
|
90093 |
01-Feb-2002 |
des |
Post-repocopy cleanup.
Sponsored by: DARPA, NAI Labs
|
90054 |
01-Feb-2002 |
des |
Connect the pam_lastlog(8) and pam_login_access(8) modules to the build.
Sponsored by: DARPA, NAI Labs
|
89994 |
30-Jan-2002 |
des |
Still with asbestos longjohns on, completely PAMify login(1) and remove code made redundant by various PAM modules (primarily pam_unix(8)).
Sponsored by: DARPA, NAI Labs
|
89993 |
30-Jan-2002 |
des |
With asbestos longjohns on, integrate most of the checks normally done by login(1) (password & account expiry, hosts.access etc.) into pam_unix(8).
Sponsored by: DARPA, NAI Labs
|
89991 |
30-Jan-2002 |
des |
Move the code from pam_sm_authenticate() to pam_sm_acct_mgmt(). Simplify it a little and try to make it more resilient to various possible failure conditions. Change the man page accordingly, and take advantage of this opportunity to simplify its language.
Sponsored by: DARPA, NAI Labs
|
89760 |
24-Jan-2002 |
markm |
WARNS=4 fixes. Protect with NO_WERROR for the modules that have warnings that are hard to fix or that I've been asked to leave alone.
|
89753 |
24-Jan-2002 |
des |
PAM modules shouldn't call putenv(); pam_putenv() is sufficient. The caller is supposed to check the PAM envlist and export the variables it contains; if it doesn't, it's broken.
Sponsored by: DARPA, NAI Labs
|
89748 |
24-Jan-2002 |
des |
Change the order in which pam_sm_open_session() updates the logs. This doesn't really make any difference, except it matches wtmp(5) better.
Don't do anything in pam_sm_close_session(); init(8) will take care of utmp and wtmp when the tty is released. Clearing them here would make it possible to create a ghost session by logging in, running 'login -f $USER' and exiting the subshell.
Sponsored by: DARPA, NAI Labs (but the bugs are all mine)
|
89745 |
24-Jan-2002 |
des |
Correctly interpret PAM_RHOST being unset as an indicator of a local login.
Sponsored by: DARPA, NAI Labs
|
89744 |
24-Jan-2002 |
des |
Correctly interpret PAM_RHOST being unset as an indicator of a local login.
|
89743 |
24-Jan-2002 |
des |
Style nits.
Sponsored by: DARPA, NAI Labs
|
89734 |
24-Jan-2002 |
des |
Document the even_root option.
Sponsored by: DARPA, NAI Labs
|
89733 |
24-Jan-2002 |
des |
Don't let root through unless the "even_root" option was specified.
Sponsored by: DARPA, NAI Labs
|
89728 |
24-Jan-2002 |
des |
Add a PAM module that records sessions in utmp/wtmp/lastlog.
Sponsored by: DARPA, NAI Labs
|
89727 |
24-Jan-2002 |
des |
Fix some pastos. Rather shoddy of me...
Sponsored by: DARPA, NAI Labs
|
89707 |
23-Jan-2002 |
des |
Add a PAM module that provides an account management component for checking either PAM_RHOST or PAM_TTY against /etc/login.access.o
This uncovers a problem with PAM_RHOST, in that if we always set it, there is no way to distinguish between a user logging in locally and a user logging in using 'ssh localhost'. This will be fixed by first making sure that all PAM modules can handle PAM_RHOST being unset (which is currently not the case), and then modifying su(1) and login(1) to not set it for local logins.
Sponsored by: DARPA, NAI Labs
|
89706 |
23-Jan-2002 |
des |
Add an AUTHORS section crediting ThinkSec, DARPA and NAI Labs.
Sponsored by: DARPA, NAI Labs
|
89705 |
23-Jan-2002 |
ru |
Add pam_ssh support to the static PAM library, libpam.a:
- Spam /usr/lib some more by making libssh a standard library.
- Tweak ${LIBPAM} and ${MINUSLPAM}.
- Garbage collect unused libssh_pic.a.
- Add fake -lz dependency to secure/ makefiles needed for dynamic linkage with -lssh.
Reviewed by: des, markm Approved by: markm
|
89704 |
23-Jan-2002 |
des |
Base the comparison on UIDs, not on user names.
Sponsored by: DARPA, NAI Labs
|
89703 |
23-Jan-2002 |
ru |
Make libssh.so useable (undefined reference to IPv4or6).
Reviewed by: des, markm Approved by: markm
|
89627 |
21-Jan-2002 |
des |
Link pam_opieaccess, pam_self and pam_ssh into the static library.
Sponsored by: DARPA, NAI Labs
|
89621 |
21-Jan-2002 |
des |
On second thought, getpwnam() failure should be treated just as if the user existed, but had no OPIE key, i.e. PAM_IGNORE.
Pointed out by: ache Sponsored by: DARPA, NAI Labs
|
89620 |
21-Jan-2002 |
des |
Return PAM_SERVICE_ERR rather than PAM_USER_UNKNOWN if getpwnam() fails, as PAM_USER_UNKNOWN will break the chain, revealing to an attacker that the user does not exist.
Sponsored by: DARPA, NAI Labs
|
89618 |
21-Jan-2002 |
des |
Further changes to allow enabling pam_opie(8) by default:
- Ignore the {try,use}_first_pass options by clearing PAM_AUTHTOK before challenging the user. These options are meaningless for pam_opie(8) since the user can't possibly know the right response before she sees the challenge.
- Introduce the no_fake_prompts option. If this option is set, pam_opie(8) will fail - rather than present a bogus challenge - if the target user does not have an OPIE key. With this option, users who haven't set up OPIE won't have to wonder what that "weird otp-md5 s**t" means :)
Reviewed by: ache, markm Sponsored by: DARPA, NAI Labs
|
89613 |
21-Jan-2002 |
des |
Add a new module, pam_opieaccess(8), which is responsible for checking /etc/opieaccess and ~/.opiealways so we can decide what to do after pam_opie(8) fails.
Sponsored by: DARPA, NAI Labs Reviewed by: ache, markm
|
89592 |
20-Jan-2002 |
ache |
snprintf bloat -> strlcpy
Add getpwnam return check
Approved by: des, markm
|
89567 |
19-Jan-2002 |
ache |
Back out recent changes
|
89555 |
19-Jan-2002 |
ache |
If the user does not exist in the OPIE system, return failure immediately instead of producing fake prompts with random numbers, which can be detected by a potential intruder in two tries and totally confuse non-OPIE users.
|
89554 |
19-Jan-2002 |
ache |
Back out second right-now-expired password check in pam_sm_chauthtok, old expired password assumed there
|
89550 |
19-Jan-2002 |
ache |
Previous commit was incomplete, use new error code PAM_CRED_ERR to indicate die case, different from PAM_SUCCESS and PAM_AUTH_ERR
|
89546 |
19-Jan-2002 |
ache |
Rewrite 'pwok' fallback in the way it can be properly chained with pam_unix
Replace snprintf %s with strlcpy
Check for NULL returned from getpwnam()
|
89538 |
19-Jan-2002 |
ache |
Add yet one expired-right-now password check, in pam_sm_chauthtok
srandomdev() can't be used in libraries, replace srandomdev()+random() by arc4random()
|
89531 |
19-Jan-2002 |
ache |
Set pwok to 1 for non-OPIE users
|
89529 |
19-Jan-2002 |
ache |
Add missing check for right-now-expired password
|
89528 |
19-Jan-2002 |
ache |
Implement 'pwok', i.e. conditional fallback to unix password as supposed by opieaccessfile() and opiealways()
|
88592 |
28-Dec-2001 |
bde |
Fixed a missing "const".
|
87880 |
14-Dec-2001 |
ru |
mdoc(7) police: bump document date.
|
87628 |
10-Dec-2001 |
dwmalone |
Style improvements recommended by Bruce as a follow up to some of the recent WARNS commits. The idea is:
1) FreeBSD id tags should follow vendor tags.
2) Vendor tags should not be compiled (though copyrights probably should).
3) There should be no blank line between including cdefs and __FBSDIF.
|
87564 |
09-Dec-2001 |
des |
Back out previous commit.
Requested by: ru
|
87525 |
08-Dec-2001 |
ru |
mdoc(7) police: sort xrefs.
|
87488 |
07-Dec-2001 |
des |
Get pam_mod_misc.h from .CURDIR rather than .OBJDIR or /usr/include.
Sponsored by: DARPA, NAI Labs
|
87470 |
07-Dec-2001 |
des |
Now that _pam_init_handlers() works as intended, it seems clear that we do not actually want to define PAM_READ_BOTH_CONFS, so back out previous commit.
Sponsored by: DARPA, NAI Labs
|
87445 |
06-Dec-2001 |
des |
We need pam_client.h from libpamc. This unbreaks world
Pointed out by: jhay Pointy hat to: des
|
87408 |
05-Dec-2001 |
des |
Define PAM_READ_BOTH_CONFS. We can now have both /etc/pam.d and /etc/pam.conf.
Sponsored by: DARPA, NAI Labs
|
87404 |
05-Dec-2001 |
des |
Install the correct version of pam_misc.h.
Sponsored by: DARPA, NAI Labs
|
87398 |
05-Dec-2001 |
des |
Add dummy functions for all module types. These dummies return PAM_IGNORE rather than PAM_SUCCESS, so you'll get a failure if you list dummies but no real modules for a particular module chain.
Sponsored by: DARPA, NAI Labs
|
87397 |
05-Dec-2001 |
des |
Connect the man page to the build.
Sponsored by: DARPA, NAI Labs
|
87396 |
05-Dec-2001 |
des |
Add a pam_self authentication module that succeeds if and only if the local and remote user names are the same.
Sponsored by: DARPA, NAI Labs
|
87233 |
02-Dec-2001 |
markm |
Use __FBSDID(). Also do a bit of cosmetic #if and header-order cleaning-up.
|
87177 |
01-Dec-2001 |
markm |
Style fixups.
Sort function declarations, includes. Make consistent WRT use of _P() macro (ugh!)
Inspired by: bde
|
87173 |
01-Dec-2001 |
markm |
WARNS=2 fixes.
Reviewed by: bde (a while back)
|
87098 |
29-Nov-2001 |
green |
Fix pam_ssh by adding an IPv4or6 (evidently, this was broken by my last OpenSSH import) declaration and strdup(3)ing a value which is later free(3)d, rather than letting the system try to free it invalidly.
|
87053 |
28-Nov-2001 |
des |
Mdoc police.
Submitted by: ru
|
87049 |
28-Nov-2001 |
ru |
mdoc(7) police: fix one pam_unix(8) left-over, sort xrefs.
|
86982 |
27-Nov-2001 |
des |
Add a pam_set_item(3) man page with an MLINK to pam_get_item(3).
PR: docs/32294 Sponsored by: DARPA, NAI Labs MFC after: 3 days
|
86933 |
27-Nov-2001 |
des |
Create a pam_ssh(8) man page, based on a repo-copy of pam_unix(8). License modified with original author's permission.
Sponsored by: DARPA, NAI Labs
|
86932 |
27-Nov-2001 |
des |
Document the local_pass and nis_pass options, add a few xrefs, and reorder the SEE ALSO section. License modified with original author's permission.
Sponsored by: DARPA, NAI Labs
|
86882 |
24-Nov-2001 |
dd |
Spelling police: sucessful -> successful.
|
85485 |
25-Oct-2001 |
sobomax |
Don't put an extra space after password prompts, because it violates POLA, makes FreeBSD inconsistent with previous releases and "other unices" as well as with some internal password-asking services (e.g. ftp) within the same release.
|
85119 |
18-Oct-2001 |
markm |
Add library exposed by KDE's use of this module.
|
84218 |
30-Sep-2001 |
dillon |
Add __FBSDID()s to libpam
|
82977 |
04-Sep-2001 |
markm |
1) repair the return value in the PAM_RETURN() macro (Side effects!!).
2) canonicalise the options use in pam_options().
Submitted by: Gunnar Kreitz <gunnark@chello.se> PR: 30250
|
82360 |
26-Aug-2001 |
markm |
Introduce a "noroot_ok" option to make this module ignore authentications to a non-superuser if required.
|
82359 |
26-Aug-2001 |
markm |
Introduce better logging, error reporting and use of login_cap data.
|
82357 |
26-Aug-2001 |
markm |
Add extra logging detail. This needs a more general solution.
|
82352 |
26-Aug-2001 |
markm |
Big module makeover; improve logging, standardise variable names, introduce ability to change passwords for both "usual" Unix methods and NIS.
|
81970 |
20-Aug-2001 |
markm |
Add 'try_mapped_pass' standard option.
Asked for by: lukeh@PADL.COM
|
81729 |
15-Aug-2001 |
markm |
Document the no_warn option.
|
81728 |
15-Aug-2001 |
markm |
Fix a couple of cross-references to reflect the reality of the module.
|
81527 |
11-Aug-2001 |
markm |
Fix:
/usr/src/lib/libpam/modules/pam_ssh/pam_ssh.c has couple of bugs which cause:
1) xdm dumps core
2) ssh1 private key is not passed to ssh-agent
3) ssh2 RSA key seems not handled properly (just a guess from source)
4) ssh_get_authentication_connectionen() fails to get connection because of SSH_AUTH_SOCK not defined.
PR: 29609 Submitted by: Takanori Saneto <sanewo@ba2.so-net.ne.jp>
|
81477 |
10-Aug-2001 |
markm |
Clean up this module very extensively. Fix the logging, the coding standards and the option handling. This module is now much easier to maintain as a part of the FreeBSD tree.
|
81476 |
10-Aug-2001 |
markm |
Code clean up; make logging same as other modules and fix warnings.
|
81475 |
10-Aug-2001 |
markm |
General code clean-up. Sort out warnings, and make the warning and logging work the same as other modules.
|
81474 |
10-Aug-2001 |
markm |
Simplify code. Also verbose logging, verbose overridable error reporting.
|
81473 |
10-Aug-2001 |
markm |
Verbose logging, overridable verbose error reporting.
|
81472 |
10-Aug-2001 |
markm |
Module clean-up. Verbose logging, Overridable verbose error reporting, FreeBSD pam_prompt() usage to simplify conversation function usage.
|
81471 |
10-Aug-2001 |
markm |
Verbosely (overridable) report failure to the user.
|
81470 |
10-Aug-2001 |
markm |
Use the FreeBSD pam_prompt() interface to the conversation function instead of home-rolling it. Clean up debugging code and tidy the module.
|
81469 |
10-Aug-2001 |
markm |
Verbosely report errors to the user (overridable), and make sure that the correct failure mode is reported.
|
81454 |
10-Aug-2001 |
markm |
Fix broken logic so that this actually works for the superuser. Verbosely log (properly). Verbosely report errors to the user.
|
81453 |
10-Aug-2001 |
markm |
Rework this to prevent a nasty problem involving different modules' options interacting with each other.
|
81452 |
10-Aug-2001 |
markm |
Declare the new user-error reporting macro.
This is a macro to allow use of the __FILE__ and __FUNCTION__ macros.
|
81451 |
10-Aug-2001 |
markm |
Add a routine for providing feedback via the conversation mechanism (usually to stderr) for user-reportable errors.
|
81143 |
04-Aug-2001 |
markm |
Fix style/consistency in Makefile and repair static module building.
Submitted by: bde(partially)
|
81142 |
04-Aug-2001 |
markm |
Don't clobber CFLAGS
Submitted by: bde
|
81124 |
04-Aug-2001 |
markm |
Fix the bug where this module was not checking the primary GID, only the GIDS in /etc/group or NIS's group map.
Tested by: sheldonh PR: 29349
|
81064 |
02-Aug-2001 |
markm |
With the S/KEY removal, this is no longer buildable or necessary.
|
81063 |
02-Aug-2001 |
markm |
Don't try to make pam_ssh module if NO_OPENSSH is set.
|
81036 |
02-Aug-2001 |
markm |
Repair the get/set UID() stuff so this works in both su(1) and login(1) modes.
|
80617 |
30-Jul-2001 |
markm |
Making this major bump was a BAD idea. The API change is internal (to PAM) and it caused problems without solving any.
|
80542 |
29-Jul-2001 |
markm |
(Re)Add an SSH module for PAM, heavily based on Andrew Korty's module from ports.
|
79865 |
18-Jul-2001 |
ru |
mdoc(7) police: widen width of the options list.
|
79817 |
17-Jul-2001 |
markm |
Update to the same level of debug-logging as the rest of the FreeBSD/PAM modules.
|
79816 |
17-Jul-2001 |
markm |
Update to the same code as in the pam_krb5.so port. According to Peter, the port works - this needs more testing.
|
79755 |
15-Jul-2001 |
dd |
Remove whitespace at EOL.
|
79714 |
14-Jul-2001 |
markm |
Use a better method of getting user credentials to account for (legal) UID duplication.
Rename use_uid to auth_as_self for consistency with other modules.
|
79713 |
14-Jul-2001 |
markm |
Use a better method to get user credentials to account for (legal) duplications of UID's in /etc/*passwd.
|
79658 |
13-Jul-2001 |
ru |
mdoc(7) police: -xwidth has been folded into -width.
|
79577 |
11-Jul-2001 |
ru |
mdoc(7) police: fixed markup, a little bit.
|
79576 |
11-Jul-2001 |
ru |
mdoc(7) police: fixed markup and numerous typos.
|
79542 |
10-Jul-2001 |
markm |
Fix a horrible bug introduced by myself where the options collection keeps on growing as the module stack is parsed.
|
79535 |
10-Jul-2001 |
ru |
mdoc(7) police: removed HISTORY info from the .Os call.
|
79531 |
10-Jul-2001 |
ru |
mdoc(7) police: removed HISTORY info from the .Os call.
|
79476 |
09-Jul-2001 |
markm |
Clean up (and in some cases write) the PAM modules, using
o The new options-processing API
o The new DEBUG-logging API
Add man(1) pages for ALL modules. MDOC-Police welcome to check this.
Audit, clean up while I'm here.
|
79475 |
09-Jul-2001 |
markm |
Bump the major number. The libraries API has changed incompatibly.
|
79474 |
09-Jul-2001 |
markm |
Almost completely rewrite the PAM module options processing routines, and provide a more extended API for doing this.
Provide an API for debug logging.
Audit and clean up the code.
|
79366 |
06-Jul-2001 |
ru |
mdoc(7) police: sort SEE ALSO xrefs (sort -b -f +2 -3 +1 -2).
|
79350 |
06-Jul-2001 |
ru |
mdoc(7) police: fixed formatting.
|
78194 |
14-Jun-2001 |
peter |
Fix libpam's linker set stuff to use the new API (unbreak world), and get rid of gensetdefs from here as well.
|
78188 |
13-Jun-2001 |
chris |
Convert to mdoc(7).
|
77720 |
04-Jun-2001 |
markm |
Big module cleanup.
Move common stuff into Makefile.inc, and tidy up all the Makefiles as a result.
Build new modules.
Put a commented-out dependency on libpam for the (shared) modules. I can't bring this in just yet, as the dependency (modules->libpam) is reversed for the static case (libpam->modules).
|
77719 |
04-Jun-2001 |
markm |
Null file to bring back a file from the dead. This allows the real commit to happen remotely. Damn CVS bugs :-(
|
77718 |
04-Jun-2001 |
markm |
Add the "nullok" option that causes this module to succeed if the Unix password is empty/null.
|
77717 |
04-Jun-2001 |
markm |
Tidy up the options list (and make it more extendable), and add some extra "standard" options.
|
77714 |
04-Jun-2001 |
markm |
Add some new utility authenticators.
pam_securetty silently succeeds if the user is on a secure tty as defined by /etc/ttys.
pam_ftp does "anonymous ftp" style authentication with options for specifying the anonymous user(s).
|
77142 |
24-May-2001 |
markm |
Add the "auth_as_self" option to the pam_unix module (there is no reason not to add it to others later). This causes the pam_unix module to check the user's _own_ password, not the password of the account that the user is authenticating into. This will allow eg: WHEELSU type behaviour from su(1).
|
76575 |
14-May-2001 |
markm |
Bring in a few useful PAM modules.
pam_krb5 is a Kerberos 5 (Heimdal) authentication module.
pam_nologin checks for /etc/nologin and does the "usual stuff" if it is found, otherwise it silently succeeds.
pam_rootok silently succeeds if the user is root, otherwise it fails.
pam_wheel silently succeeds if the user is a member of group "wheel" (or another nominated group), and fails otherwise.
There is an issue with kerberosIV and kerberos5 - if both are being built, then static linking fails with duplicate symbols. This will take a bit of work to sort out in the kerberii.
|
76281 |
04-May-2001 |
green |
Finish disconnecting pam_ssh from the build.
|
76258 |
04-May-2001 |
green |
I've been meaning to take pam_ssh out of the base system for a while now. Finally do it.
|
76242 |
03-May-2001 |
markm |
Update for (Linux-)PAM 0.75
|
75650 |
18-Apr-2001 |
ru |
mdoc(7) police: uppercase document title.
|
74870 |
27-Mar-2001 |
ru |
MAN[1-9] -> MAN.
|
70721 |
06-Jan-2001 |
jhb |
Use a unified libgcc rather than a separate one for threaded and non-threaded programs. This provides threaded programs with the needed exception frame symbols.
parts submitted by: Max Khon <fjoe@iclub.nsu.ru> PR: 23252
|
70703 |
06-Jan-2001 |
obrien |
Use a unified libgcc rather than a separate one for threaded and non-threaded programs. This provides threaded programs with the needed exception frame symbols.
parts submitted by: Max Khon <fjoe@iclub.nsu.ru> PR: 23252
|
70481 |
29-Dec-2000 |
ru |
Prepare for mdoc(7)NG.
|
70015 |
14-Dec-2000 |
ru |
mdoc(7) police: removed history info from the .Os FreeBSD call.
|
69590 |
05-Dec-2000 |
green |
Forgot to remove the old line in the last commit.
|
69130 |
25-Nov-2000 |
green |
In env_destroy(), it is a bad idea to env_swap(self, 0) to switch back to the original environ unconditionally. The setting of the variable to save the previous environ is conditional; it happens when ENV.e_committed is set. Therefore, don't try to swap the env back unless the previous env has been initialized.
PR: bin/22670 Submitted by: Takanori Saneto <sanewo@ba2.so-net.ne.jp>
|
69129 |
25-Nov-2000 |
billf |
Correct an argument to ssh_add_identity, this matches what is currently in ports/security/openssh/files/pam_ssh.c
PR: 22164 Submitted by: Takanori Saneto <sanewo@ba2.so-net.ne.jp> Reviewed by: green Approved by: green
|
69026 |
22-Nov-2000 |
ru |
log
|
61087 |
30-May-2000 |
kris |
Update to the version of pam_ssh corresponding to OpenSSH 2.1 (taken from the openssh port)
Submitted by: Hajimu UMEMOTO <ume@mahoroba.org>
|
60938 |
26-May-2000 |
jake |
Back out the previous change to the queue(3) interface. It was not discussed and should probably not happen.
Requested by: msmith and others
|
60833 |
23-May-2000 |
jake |
Change the way that the queue(3) structures are declared; don't assume that the type argument to *_HEAD and *_ENTRY is a struct.
Suggested by: phk Reviewed by: phk Approved by: mdodd
|
59302 |
17-Apr-2000 |
kris |
Connect pam_opie to the build.
|
59301 |
17-Apr-2000 |
kris |
Add pam_opie, a PAM module using the OPIE one-time-password scheme.
Submitted by: Jim Bloom <bloom@acm.org>
|
58772 |
29-Mar-2000 |
kris |
Fix a memory leak.
PR: 17360 Submitted by: Andrew J. Korty <ajk@iu.edu>
|
58673 |
27-Mar-2000 |
bde |
Fixed missing libraries in DPADD.
Fixed some style bugs (some usual ones for DPADD and LDADD, and misformatting of $FreeBSD$).
|
57841 |
09-Mar-2000 |
kris |
Buildworld fixes for NO_OPENSSH and NO_OPENSSL
Approved by: jkh
|
57785 |
06-Mar-2000 |
peter |
Make pam_ssh work. It had an undefined symbol when it was dlopen()ed. I'm not quite sure about this, I think it should be using -lssh_pic since it's being linked into a .so, but nothing seems to complain and it does work. (well, it works for using the authorized_keys file, but I have not figured out how to get it to start a ssh-agent and cache the key for me)
PR: 17191 Submitted by: Adrian Pavlykevych <pam@polynet.lviv.ua>
|
57686 |
02-Mar-2000 |
sheldonh |
Remove single-space hard sentence breaks. These degrade the quality of the typeset output, tend to make diffs harder to read and provide bad examples for new-comers to mdoc.
|
57670 |
01-Mar-2000 |
sheldonh |
Remove single-space hard sentence breaks. These degrade the quality of the typeset output, tend to make diffs harder to read and provide bad examples for new-comers to mdoc.
|
57574 |
28-Feb-2000 |
markm |
Don't try to build k5 PAM; it ain't ready yet.
|
57503 |
26-Feb-2000 |
sos |
Same fix as in ../modules, don't use the crypto stuff if it's not there.
|
57498 |
26-Feb-2000 |
peter |
Argh, I can't win today. Spell ${.CURDIR} correctly.
|
57497 |
26-Feb-2000 |
peter |
Don't build pam_ssh if the crypto code is missing.
Found by: sos
|
57496 |
26-Feb-2000 |
peter |
Redo this with a repo copy from the original file and reset the __PREFIX__ markers.
|
57455 |
24-Feb-2000 |
markm |
Use libcrypto instead of libdes.
Also - OpenSSH blesses us with a module for PAM.
|
57196 |
14-Feb-2000 |
chris |
Remove the version information from `.Os FreeBSD' here. Not only might it confuse people, but it causes a warning message with nroff, and no version history mentions a 1.2 version of FreeBSD.
If anything, a ``HISTORY'' section should show which version this appeared in.
|
55166 |
28-Dec-1999 |
green |
Upgrade to the pam_ssh module, version 1.1.
(From the author:) Primarily, I have added built-in functions for manipulating the environment, so putenv() is no longer used. XDM and its variants should now work without modification. Note that the new code uses the macros in <sys/queue.h>.
Submitted by: Andrew J. Korty <ajk@iu.edu>
|
53874 |
29-Nov-1999 |
green |
Add the PAM SSH RSA key authentication module. For example, you can add, "login auth sufficient pam_ssh.so" to your /etc/pam.conf, and users with a ~/.ssh/identity can login(1) with their SSH key :)
PR: 15158 Submitted by: Andrew J. Korty <ajk@waterspout.com> Reviewed by: obrien
|
53153 |
14-Nov-1999 |
marcel |
Don't include Kerberos if NOCRYPT is defined, because it isn't built if NOCRYPT is defined. Likewise, don't include DES if NOSECURE is defined.
|
51820 |
30-Sep-1999 |
markm |
Add libcrypt. This previously/coincidentally worked for login, because login was already linked against it, but others have a problem.
|
51445 |
20-Sep-1999 |
markm |
Common Error libraries are needed here.
|
50477 |
28-Aug-1999 |
peter |
$Id$ -> $FreeBSD$
|
50476 |
28-Aug-1999 |
peter |
$Id$ -> $FreeBSD$
|
50090 |
20-Aug-1999 |
abial |
Restore INTERNALLIB.
Noticed by: bde,jdp
|
50017 |
18-Aug-1999 |
abial |
Add pam_radius.so manual page.
Reviewed by: jdp
|
48792 |
12-Jul-1999 |
nik |
Add $Id$, to make it simpler for members of the translation teams to track.
The $Id$ line is normally at the bottom of the main comment block in the man page, separated from the rest of the manpage by an empty comment, like so;
.\" $Id$
.\"
If the immediately preceding comment is a @(#) format ID marker then the $Id$ will line up underneath it with no intervening blank lines. Otherwise, an additional blank line is inserted.
Approved by: bde
|
46665 |
08-May-1999 |
jdp |
Revive the pam_deny and pam_permit modules from Linux-PAM. They are simple enough to be trusted.
Add account management functionality to the pam_unix module.
These changes should make it possible to use PAM in some ports.
Submitted by: Max Khon <fjoe@iclub.nsu.ru>
|
45387 |
06-Apr-1999 |
jdp |
Fix bug that prevented accounts with empty passwords from logging in.
Submitted by: Paul Traina <pst@juniper.net>
|
43056 |
22-Jan-1999 |
jdp |
Fix breakage for the static a.out case. The a.out linker doesn't consider a linker set definition to be sufficient reason to pull an object module from an archive library. This caused undefined symbols when linking with libpam.a using a.out. I solved it by linking in the object that references the linker set in the "ld -r" step.
|
43015 |
21-Jan-1999 |
jdp |
Revert my last change, "Rename some globals to reduce namespace pollution." Unfortunately, some of these globals are used by ftpd, and I broke make world. Pointy hat, please.
|
42919 |
20-Jan-1999 |
jdp |
Rename some globals to reduce namespace pollution.
|
42917 |
20-Jan-1999 |
jdp |
Make it possible to use PAM in statically-linked applications.
|
42527 |
11-Jan-1999 |
jdp |
Fix an NFS-related installation problem.
Submitted by: asami
|
41437 |
01-Dec-1998 |
dillon |
Obtained from: "Jan B. Koum " <jkb@best.com>
Add a reference to pam(8) in the login(1) and login.access(5) manual pages.
|
41295 |
22-Nov-1998 |
jdp |
Install PAM modules into ${SHLIBDIR}, not ${LIBDIR}.
Noticed by: bde
|
41228 |
18-Nov-1998 |
jdp |
This commit was generated by cvs2svn to compensate for changes in r41227, which included commits to RCS files with non-trunk default branches.
|
41227 |
18-Nov-1998 |
jdp |
Build structure for contribified Linux-PAM, plus some home-grown modules for FreeBSD's standard authentication methods. Although the Linux-PAM modules are present in the contrib tree, we don't use any of them.
The main library "libpam" is composed of sources taken from three places. First are the standard Linux-PAM libpam sources from the contrib tree. Second are the Linux-PAM "libpam_misc" sources, also from the contrib tree. In Linux these form a separate library. But as Mike Smith pointed out to me, that seems pointless, so I have combined them into the libpam library. Third are some additional sources from the "src/lib/libpam" tree with some common functions that make it easier to write modules. Those I wrote myself.
This work has been donated to FreeBSD by Juniper Networks, Inc.
|
34801 |
23-Mar-1998 |
charnier |
.Sh AUTHOR -> .Sh AUTHORS. Use .An/.Aq.
|
29922 |
28-Sep-1997 |
markm |
Changes for KTH KerberosIV. Also quieten -Wall a bit.
|
27605 |
22-Jul-1997 |
charnier |
= -> ==, strcpy -> strncpy from OpenBSD. update man page. Add usage(). Obtained from: OpenBSD
|
26386 |
02-Jun-1997 |
max |
Fix the man page's title (.Dt). (It has been ``SKEY.ACCESS''.)
|
22230 |
02-Feb-1997 |
pst |
Cruft cleanup to eliminate useless warnings
|
18449 |
21-Sep-1996 |
pst |
Fix some compilation warnings.
|
14024 |
11-Feb-1996 |
markm |
#include <kerberosIV/des.h> -> #include <des.h>
|
8874 |
30-May-1995 |
rgrimes |
Remove trailing whitespace.
|
5758 |
20-Jan-1995 |
wollman |
In the non-PARANOID case, make sure to set `notickets' to 0 so that login.c doesn't complain.
|
5627 |
14-Jan-1995 |
wollman |
Modify klogin to:
1) Don't spit out an error message if Kerberos is installed but not yet set up.
2) Don't attempt to verify the ticket you got back, as workstations are not intended to have srvtab files of their own.
Both behaviors can be re-enabled with KLOGIN_PARANOID.
|
2198 |
21-Aug-1994 |
guido |
Add skey support Reviewed by: Submitted by: guido
|
1589 |
27-May-1994 |
rgrimes |
Initial revision
|