Remove svn:mergeinfo carried over from stable/9.

Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation

Copy stable/9 to releng/9.3 as part of the 9.3-RELEASE cycle.

Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation

MFH (r254407, r254960, r255371): misc cleanup
MFH (r255386): make libssh private
MFH (r255369, r255376, r255393, r262530): import OpenPAM Nummularia

MFH (r249479): OPENPAM_DEBUG enables debugging but does not turn it on

Pull in OpenPAM Micrampelis from head. Also merge a few minor module
changes, most importantly support for ECDSA keys in pam_ssh.

MFC r241844:
remove duplicate semicolons where possible.

Approved by: cperciva (implicit)

MFC r240506:
Bump date missed in r202756

PR: docs/171624
Approved by: cperciva (implicit)

MFC r239100:

Fix an instance in pam_krb5(8), where the variable 'user' could be used
uninitialized.

Found by: clang 3.2
Reviewed by: des

MFC r239099:

Fix two instances in pam_krb5(8), where the variable 'princ_name' could
be used uninitialized.

Found by: clang 3.2
Reviewed by: des

MFH r236106: avoid segfault with SSH 1 keys

MFC r235873, r235967:

Fixes to man8 groff mandoc style, usage mistakes, or typos.

PR: 168016
Submitted by: Nobuyuki Koganemaru
Approved by: gjb (mentor)

MFC r233648:
Remove trailing whitespace per mdoc lint warning

Approved by: cperciva (implicit)

MFH r226625, 226632: document what openpam_static.c is for

MFH r227798, r227933: simplify build by using STATIC_CFLAGS

MFC r233507:
Use program exit status as pam_exec return code (optional)

pam_exec(8) now accepts a new option "return_prog_exit_status". When
set, the program exit status is used as the pam_exec return code. It
allows the program to tell why the step failed (eg. user unknown).
However, if it exits with a code not allowed by the calling PAM service
module function (see $PAM_SM_FUNC below), a warning is logged and
PAM_SERVICE_ERR is returned.

The following changes are related to this new feature but they apply no
matter if the "return_prog_exit_status" option is set or not.

The environment passed to the program is extended:
o $PAM_SM_FUNC contains the name of the PAM service module function
(eg. pam_sm_authenticate).
o All valid PAM return codes' numerical values are available
through variables named after the return code name. For instance,
$PAM_SUCCESS, $PAM_USER_UNKNOWN or $PAM_PERM_DENIED.

pam_exec return code better reflects what went on:
o If the program exits with !0, the return code is now
PAM_PERM_DENIED, not PAM_SYSTEM_ERR.
o If the program fails because of a signal (WIFSIGNALED) or doesn't
terminate normally (!WIFEXITED), the return code is now
PAM_SERVICE_ERR, not PAM_SYSTEM_ERR.
o If a syscall in pam_exec fails, the return code remains
PAM_SYSTEM_ERR.

waitpid(2) is called in a loop. If it returns because of EINTR, do it
again. Before, it would return PAM_SYSTEM_ERR without waiting for the
child to exit.

Several log messages now include the PAM service module function name.

The man page is updated accordingly.

Reviewed by: des@
Sponsored by: Yakaz (http://www.yakaz.com)

MFC r234184:
Fix error messages containing the executed command name

Before, we took the first argument to pam_exec(8). With the addition of
options in front of the command, this could be wrong.

Now, options are parsed before calling _pam_exec() and messages contain
the proper command name.

While here, fix a warning.

Sponsored by: Yakaz (http://www.yakaz.com)

MFC r227314:

Ensure pam_lastlog removes the /dev/ component of the TTY name.

Some consumers of PAM remove the /dev/ component (i.e. login), while
others don't (i.e. su). We must ensure that the /dev/ component is
removed to ensure that the utmpx entries properly work with tools such
as w(1).

MFH r227757: check for null passphrases, since openssl doesn't

Approved by: re (kib)
Security: prevents users with unencrypted ssh keys (prohibited
unless the nullok option is specified) from logging in
by providing a bogus non-null passphrase.

Copy head to stable/9 as part of 9.0-RELEASE release cycle.

Approved by: re (implicit)

Mention the name of the module in warning messages.

Add "ruser" and "luser" options. The former corresponds to the current
behavior, where the module checks that the supplicant is a member of the
required group. The latter checks the target user instead. If neither
option was specified, pam_group(8) assumes "ruser" and issues a warning.
I intend to eventually change the default to "luser" to match the
behavior of similarly-named service modules in other operating systems.

MFC after: 1 month

No newline required.

MFC after: 2 weeks

Add <time.h> for ctime(), which we accidentally picked up through
<sys/time.h>.

Submitted by: Garrett Cooper <yanegomi@gmail.com>
MFC after: 3 days

Bump .Dd date.

Forgotten by: delphij

Code indent according to style(9).

PR: bin/146186
Submitted by: myself
Approved by: delphij (mentor)
MFC after: 2 weeks

Implement the no_user_check option to pam_krb5.

This option is available in the Linux implementation of pam_krb5
and allows to authorize a user not known to the local system.

Ccache is not used as we don't have a secure uid/gid for the cache file.

Usable for authentication of external kerberos users (e.g Active Directory)
via PAM from applications like Cyrus saslauthd, PHP or perl.

PR: bin/146186
Submitted by: myself
Approved by: deplhij (mentor)
MFC after: 2 weeks

Upgrade to OpenSSH 5.4p1.

MFC after: 1 month

Remove redundant WARNS?=6 overrides and inherit the WARNS setting from
the toplevel directory.

This does not change any WARNS level and survives a make universe.

Approved by: ed (co-mentor)

Always assign WARNS using ?=

- fix some nearby style bugs
- include Makefile.inc where it makes sense and reduces duplication

Approved by: ed (co-mentor)

%U was macroized in mdoc(7), escape.

Respect passwordtime from login.conf if set.

PR: bin/93473
Submitted by: Björn König <bkoenig@cs.tu-berlin.de>
MFC after: 1 week

Remove stale references to utmp(5) and its corresponding filenames.

I removed utmp and its manpage, but not other manpages referring to it.

Let pam_lastlog use random ut_id's.

By using random values for ut_id, not based on the TTY name, it is
possible to run for example login(1) multiple times on the same TTY,
without overwriting any previous records.

The output of w(1) will then be as follows:

| 12:26PM up 2 days, 2:31, 5 users, load averages: 0.01, 0.03, 0.03
| USER TTY FROM LOGIN@ IDLE WHAT
| ed pts/2 mekker.80386.nl 12:26PM - w
| root pts/2 - 12:26PM - w
| root pts/2 - 12:26PM - w
| root pts/2 - 12:26PM - w

Approved by: des

Unbreak builds with _FREEFALL_CONFIG=yes, by forcing a lower WARNS
level in that case.

Let pam_lastlog use utmpx instead of libulog's utmpx interface.

It will still use ulog_login(3) and ulog_logout(3), which will remain
present.

Build lib/ with WARNS=6 by default.

Similar to libexec/, do the same with lib/. Make WARNS=6 the norm and
lower it when needed.

I'm setting WARNS?=0 for secure/. It seems secure/ includes the
Makefile.inc provided by lib/. I'm not going to touch that directory.
Most of the code there is contributed anyway.

Several refinements to libulog's API.

- Only set the fields in the ulog_utmpx structure that are valid for the
command in question. This means that strings like "shutdown" or "~"
are not visible to the user anymore.
- Rename UTXF_* to UTXI_*, indicating the indexation, instead of using
the `antique' filename. If we ever get rid of utmp, it makes little
sense calling it by its old name.

Convert pam_lastlog(8) to libulog.

The information used by the "Last login:"-line is obtained by using
ulog_setutxfile(3) to switch to the lastlog database. Login and logout
are performed using the utility functions ulog_login(3) and
ulog_logout(3).

This also means we must build libulog during bootstrap.

Approved by: des

Note that nullok should not be used by processes that can't access the
password database.

PR: bin/126650, misc/140514
MFC after: 1 week

pam_ssh needs roaming_dummy to link correctly against libssh.

Prevents pam_lastlog from segfaulting on session close when tty is null.

MFC after: 1 month

Bump the version of all non-symbol-versioned shared libraries in
preparation for 8.0-RELEASE. Add the previous version of those
libraries to ObsoleteFiles.inc and bump __FreeBSD_Version.

Reviewed by: kib
Approved by: re (rwatson)

Rewrap; this was getting painful. Translators can ignore this.

MFC after: 1 week

Reword.

MFC after: 1 week

Include <stdio.h> for asprintf().

Submitted by: Pawel Worach

Don't try to auto-detect dynamic linking; it fails on mips. The Makefile
part of the patch is an ugly (and hopefully temporary) hack.

Discussed with: imp@

Add new heimdal-1.1 library.

Fix conflicts after heimdal-1.1 import and add build infrastructure. Import
all non-style changes made by heimdal to our own libgssapi.

Adjust for OpenPAM Hydrangea.

Correct documentation of ~/.opiealways

PR: 117512
Submitted by: Jeremy C. Reed <reed@reedmedia.net>
MFC after: 1 week

- Convert NO_INSTALLLIB option to a new syntax: makefiles should
test MK_INSTALLLIB, users can set WITHOUT_INSTALLLIB. The old
NO_INSTALLLIB is still supported as several makefiles set it.

- While here, fix an install when instructed not to install libs
(usr.bin/lex/lib/Makefile).

PR: bin/114200
Submitted by: Henrik Brix Andersen

Apply the same error checks to PAM_TTY in pam_sm_close_session() as in
pam_sm_open_session(), avoiding false negatives when no tty is present.

Submitted by: Todd C. Miller <millert@courtesan.com>
Approved by: re (rwatson)
MFC after: 2 weeks

Whitespace cleanup

Approved by: re (rwatson)

- Bump share library version which were missed in last bump

Reported by: jhb
Discussed with: deischen, des, doubg, harti
Approved by: re (kensmith)

Use the current user's login class for the decisions about where
the nologin(5) file is located and whether the user may bypass its
restriction.

Add some error checks.

Approved by: des
PR: bin/107612

Now pam_nologin(8) will provide an account management function
instead of an authentication function. There are a design reason
and a practical reason for that. First, the module belongs in
account management because it checks availability of the account
and does no authentication. Second, there are existing and potential
PAM consumers that skip PAM authentication for good or for bad.
E.g., sshd(8) just prefers internal routines for public key auth;
OTOH, cron(8) and atrun(8) do implicit authentication when running
a job on behalf of its owner, so their inability to use PAM auth
is fundamental, but they can benefit from PAM account management.

Document this change in the manpage.

Modify /etc/pam.d files accordingly, so that pam_nologin.so is listed
under the "account" function class.

Bump __FreeBSD_version (mostly for ports, as this change should be
invisible to C code outside pam_nologin.)

PR: bin/112574
Approved by: des, re

Re-add support for NIS netgroups (heavily modified from patch in PR)

PR: bin/112955
Submitted by: A. Blake Cooper <blake@cluebie.net>
MFC after: 3 weeks

In account management, verify whether the account has been locked
with `pw lock', so that it's impossible to log into a locked account
using an alternative authentication mechanism, such as an ssh key.
This change affects only accounts locked with pw(8), i.e., having a
`*LOCKED*' prefix in their password hash field, so people still can
use a different pattern to disable password authentication only.

Mention all account management criteria in the manpage.

Approved by: maintainer (timeout)
PR: bin/71147
MFC after: 1 month

Send not only Access Request, but also Access Challenge with defined
NAS-Identifier and NAS-IP-Address.

Reviewed by: bz
MFC after: 1 month

childerr needs to be volatile so gcc won't optimize it away.

PR: bin/85830
MFC after: 1 week

The pam_unix module also provides password management.

PR: docs/93491
Submitted by: Lior Kadosh
MFC after: 3 days

Fix build.

Reject user with names that are longer than OPIE is willing to deal with;
otherwise OPIE will happily truncate it.

Spotted by: ghelmer
MFC after: 2 weeks

Bump .Dd.

Noticed by: danger

Remove references to the pam(8) manual page. It does not exist.

Requested by: novel
Discussed with: brueffer, simon

Additional debugging stuff I had in my tree.

Change the GCC specific __FUNCTION__ to C99's __func__.

OK'ed by: des

Add a manual dependency on ssh_namespace.h.

Discussed with: ru

Introduce a namespace munging hack inspired by NetBSD to avoid polluting
the namespace of applications which inadvertantly link in libssh (usually
through pam_ssh)

Suggested by: lukem@netbsd.org
MFC after: 6 weeks

There is no need to pass NULL to the pam_error() as the last argument.
Remove it.

Reviewed by: des
Approved by: cognet (mentor)

Fix build until I find a way to handle this case properly.

Revert last delta.

Comment out MK_PROFILE until ru@ can fix this properly

Convert NO_PROFILE and NO_LIB32 to new style.

Reimplementation of world/kernel build options. For details, see:

http://lists.freebsd.org/pipermail/freebsd-current/2006-March/061725.html

The src.conf(5) manpage is to follow in a few days.

Brought to you by: imp, jhb, kris, phk, ru (all bugs are mine)

Add appropriate xrefs.

MFC after: 3 days

Since the whole login.access feature has moved to PAM,
login.access.5 will be installed from the respective PAM
module's src directory.

MFC after: 3 days

Sync with src/usr.bin/login/login.access.5.

src/usr.bin/login/login.access.5 should be removed from use
because the whole login.access feature has moved to this PAM
module.

MFC after: 3 days

Commenting out WARNS actually brought it up to 4.

Comment out WARNS, the OpenSSL headers don't compile cleanly on some platforms.

Increase WARNS.

Correct the logic for determining whether the user has already entered
a password. Also, work around some harmless type pun warnings.

MFC after: 3 days

Do not use passphraseless keys for authentication unless the nullok
option was specified.

PR: bin/81231
Submitted by: "Daniel O'Connor" <doconnor@gsoft.com.au>
MFC after: 3 days

Narrow the use of user credentials.
Fix one case where openpam_restore_cred() might be called twice in a row.

MFC after: 3 days

When (re)allocating space for an array of pointers to char, use
sizeof(*list), not sizeof(**list). (i.e., sizeof(pointer) rather than
sizeof(char)).

It is possible that this buffer overflow is exploitable, but it was
added after RELENG_5 forked and hasn't been MFCed, so this will not
receive an advisory.

Submitted by: Vitezslav Novy
MFC after: 1 day

Bump the shared library version number of all libraries that have not
been bumped since RELENG_5.

Reviewed by: ru
Approved by: re (not needed for commit check but in principle...)

Missed one piece of the cluster's quirk. Need to override WARNS because
if _FREEFALL_CONFIG is set gcc bails since pam_sm_setcred() in pam_krb5.c
no longer uses any of its parameters.

Pointy hat: kensmith
Approved by: re (scottl)

This is sort of an MFS. Peter made these changes to the RELENG_*
branches but missed HEAD. This patch extends his a little bit,
setting it up via the Makefiles so that adding _FREEFALL_CONFIG
to /etc/make.conf is the only thing needed to cluster-ize things
(current setup also requires overriding CFLAGS).

From Peter's commit to the RELENG_* branches:
> Add the freebsd.org custer's source modifications under #ifdefs to aid
> keeping things in sync. For ksu:
> * install suid-root by default
> * don't fall back to asking for a unix password (ie: be pure kerberos)
> * allow custom user instances for things like www and not just root

The Makefile tweaks will be MFC-ed, the rest is already done.

MFC after: 3 days
Approved by: re (dwhite)

Use the correct login class when setting a new password.

PR: 65557, 72949
Submitted by: Stephen P. Cravey <clists@gotbrains.org>
Approved by: re (scottl)
MFC after: 2 weeks

Update for OpenPAM Figwort.

Approved by: re (kensmith)

Assorted markup fixes.

Approved by: re

Don't use a cast as an lvalue.
Add a redundant test to make it painfully obvious to the reader that this
code does not support IPv6.

Approved by: re (dwhite)
MFC after: 1 week

Use appropriate error codes for each facility instead of just PAM_AUTH_ERR.

Noticed by: pjd

Revert the commits that made libssh an INTERNALLIB; they caused too much
trouble, especially on amd64.

Requested by: ru

Fix libssh dependency.

NI_WITHSCOPEID cleanup

Reviewed by: des

Expand *n't contractions.

In addition to the PAM environment, export a handful of useful PAM items.

Suggested by: Ed Maste <emaste@phaedrus.sandvine.ca>

Add openpam_free_envlist(3).

When "no_ccache" is set as an argument to the pam_krb5 module, don't
copy the acquired TGT from the in-memory cache to the on-disk cache
at login. This was documented but un-implemented behavior.

MFC after: 1 week
PR: bin/64464
Reported and tested by: Eric van Gyzen <vangyzen at stat dot duke dot edu>

The final argument to verify_krb_v5_tgt() is the debug flag, not the
ticket forwardable flag, so key generation of debugging output to
"debug" rather than "forwardable".

Update copyright.

MFC after: 3 days

Fixed xref.

NOCRYPT -> NO_CRYPT

NOINSTALLLIB -> NO_INSTALLLIB

NODOCCOMPRESS -> NO_DOCCOMPRESS
NOINFO -> NO_INFO
NOINFOCOMPRESS -> NO_INFOCOMPRESS
NOLINT -> NO_LINT
NOPIC -> NO_PIC
NOPROFILE -> NO_PROFILE

Add knob NO_NIS (fka NO_YP_LIBC) and make world compileable when set.
If turned on no NIS support and related programs will be built.

Lost parts rediscovered by: Danny Braniss <danny at cs.huji.ac.il>
PR: bin/68303
No objections: des, gshapiro, nectar
Reviewed by: ru
Approved by: rwatson (mentor)
MFC after: 2 weeks

For variables that are only checked with defined(), don't provide
any fake value.

Join the 21st century: Cryptography is no longer an optional component
of releases. The -DNOCRYPT build option still exists for anyone who
really wants to build non-cryptographic binaries, but the "crypto"
release distribution is now part of "base", and anyone installing from a
release will get cryptographic binaries.

Approved by: re (scottl), markm
Discussed on: freebsd-current, in late April 2004

Downgrade WARNS level for GCC 3.4.2.

Markup nits.

Sort SEE ALSO references (in dictionary order, ignoring case).

Mechanically kill hard sentence breaks.

Deal with unsafe tab characters.

Markup, grammar, punctuation.

Revert the last change. There are more 64bit platforms than amd64, and
they break due to diferent alignment restrictions.

Remove the use of cast as lvalue.

Add -DDEBUG to DEBUG_FLAGS if PAM_DEBUG is defined.

Make NULL a (void*)0 whereever possible, and fix the warnings(-Werror)
that this provokes. "Wherever possible" means "In the kernel OR NOT
C++" (implying C).

There are places where (void *) pointers are not valid, such as for
function pointers, but in the special case of (void *)0, agreement
settles on it being OK.

Most of the fixes were NULL where an integer zero was needed; many
of the fixes were NULL where ascii <nul> ('\0') was needed, and a
few were just "other".

Tested on: i386 sparc64

style cleanup: Remove duplicate $FreeBSD$ tags.

These files had tags after the copyright notice,
inside the comment block (incorrect, removed),
and outside the comment block (correct).

Approved by: rwatson (mentor)

Fix numerous constness and aliasing issues.

Put libraries in the link order.

Reported by: lorder(1) (modified to work with libraries)

This module doesn't use libgssapi (and it looks never did).

Implement pam_sm_close_session().

PR: bin/61657
Submitted by: Joe R. Doupnik <jrd@cc.usu.edu>

Deal better with the crypto version of the PAM library that goes
on the release media -- only put what is different in the crypto
version compared to the base version. This reduces PAM entries
in /usr/lib in the "crypto" distribution to:

libpam.a
libpam.so@
libpam.so.2
pam_krb5.so@
pam_krb5.so.2
pam_ksu.so@
pam_ksu.so.2
pam_ssh.so@
pam_ssh.so.2

The libpam.so* is still redundant (it is identical to the "base"
version), but we can't set DISTRIBUTION differently for libpam.a
and libpam.so.

(The removal of libpam.so* from the crypto distribution could be
addressed by the release/scripts/crypto-make.sh script, but then
we'd also need to remove redundant PAM headers, and I'm not sure
this is worth a hassle.)

DISTRIBUTION is normally single-valued.

Remove crossref to pam.conf(5) which never existed.

bsd.dep.mk,v 1.43 allows us to replace a hack with a solution.

Fix a strict aliasing issue. Also remove an unnecessary pam_get_item()
call (pam_get_authtok() will return the previous token if try_first_pass
or use_first_pass is specified). Incidentally fix an ugly bug where the
buffer holding the prompt was freed immediately before use, instead of
after.

More strict aliasing fixes.

Submitted by: Andreas Hauser <andy-freebsd@splashground.de>

Fix strict aliasing breakage in PAM modules (except pam_krb5, which needs
more work than the others). This should make most modules build with -O2.

Fix on sparc64.

Reported by: rwatson/tinderbox
MFC after: 2 weeks

Add a new configuration variable - nas_ipaddr, which if set allows to
set NAS-IP-Address attribute in requests generated by the pam_radius
module. This attribute is mandatory for some Radius servers out there.

Reviewed by: des
MFC after: 2 weeks

- fix to UID test description, non-zero -> zero

PR: docs/57799
Reviewed by: des
Approved by: blackend (mentor)

Ignore ECHILD from waitpid(2) (our child may have been reaped by the
calling process's SIGCHLD handler)

PR: bin/45669

Revert previous commit after fixing libpam.

Add a __DECONST() to unbreak the build.

Fix the master yppasswd routines, so they really work
for root on ypmaster. yppasswd_local() did use YPPASSWDPROG
instead of MASTER_YPPASSWDPROG, and the domain was not set,
resulting in a coredump during xdr-encode.

Reviewed by: des

Add openpam_readline(3).

Retire pam_wheel(8) (which has been disconnected for quite a while) and
pam_ftp(8).

Don't build pam_std_option().

Update copyright dates.

Remove pam_std_option() and related functions. Add #defines for common
options.

Remove all instances of pam_std_option()

Introduce pam_guest(8) which will replace pam_ftp(8).

mdoc(7) fixes.

Approved by: re (blanket)

Retire the useless NOSECURE knob.

Approved by: re (scottl)

OpenPAM is WANRS6-clean.

Turn MAKE_KERBEROS5 into NO_KERBEROS by negating the logic. Some extra
cleanups were necessary in release/Makefile, and the tinderbox code
was syntax checked, not run checked.

Trasmute moer "krb5" distibutions into "crypto".

Use C99-style varadic macros instead of the non-standard gcc syntax.

Mark libpam as c99- and WARNS5-clean.

Make sure rhostip is always initialized.

PR: bin/51508
Submitted by: Peter Grimshaw <peter@tesseract.demon.co.uk>

Treat an empty PAM_RHOST the same as a NULL one.

PR: bin/51508

Set $HOME to the correct directory (within the chroot tree).

Remove a bogus null password check which assumed that a user with an empty
password must necessarily have an empty pwd->pw_passwd. Also add a check
that prevents users from setting a blank password unless the nullok option
was specified. Root is still allowed to give anyone a blank password.

Connect the pam_chroot(8) module to the build.

Add a cwd option which specifies where to chdir(2) after the chroot(2).
When using the /home/./foo scheme, this defaults to the rhs (/foo);
otherwise it defaults to /.

Experimental pam_chroot module (not connected to the build)

This module is not WARNS-clean, due to brokenness in OpenSSL headers.

Somewhat better wording.

Silence warning caused by OPIE brokenness.

style.Makefile(5) police
(I've tried to keep to the spirit of the original formatting)

Reviewed by: des

KerberosIV de-orbit burn continues. Remove the KerberosIV PAM module.

Comment-only assistance to lint to kill warnings.

mdoc(7) police: Nits.

mdoc(7) police: markup laundry.

Add an "allow_local" option which forces historical behaviour.

Assume "localhost" if no remote host was specified. This is safe from a
POLA point of view since the stock /etc/opieaccess now allows localhost.

Use pam_get_user(3) instead of pam_get_item(3) where appropriate.

Complete rewrite of pam_ssh(8). The previous version was becoming hard
to maintain, and had security issues which would have required a major
rewrite to address anyway.

This implementation currently starts a separate agent for each session
instead of connecting each new session to the agent started by the first
one. While this would be a Good Thing (and the old pam_ssh(8) tried to
do it), it's hard to get right. I'll revisit this issue when I've had a
chance to test some modifications to ssh-agent(1).

Maybe I was a little too fast? Remove debugging code, and commit the
Makefile and man page which I'd forgotten to 'cvs add'.

Sponsored by: DARPA, NAI Labs

Replace pam_wheel(8) with pam_group(8) which has a cleaner interface. The
pam_wheel(8) module was written to work in spite of a broken libpam, and
has grown organically since its inception, which is reflected in both its
functionality and implementation. Rather than clean up pam_wheel(8) and
break backward compatibility, I've chosen to reimplement it under a new,
more generic name.

Sponsored by: DARPA, NAI Labs

Make sure the message is only printed once.

Don't blame markm for what he didn't do - writing these man pages, for
instance. Also bump the date since I made substantial modifications
earlier today.

Update copyright.

Add support for escape sequences in the arguments (e.g. %u for user name)

Sponsored by: DARPA, NAI Labs

Export the PAM environment to the child process instead of the "normal"
environment list, which may be unsafe and / or sensitive.

Sponsored by: DARPA, NAI Labs

Minimal manual page for pam_kerberosIV(8).

Sponsored by: DARPA, NAI Labs

In pam_sm_acct_mgmt(), retrieve the cached credentials before trying to
initialize the context. This way, a failure to initialize the context is
not fatal unless we actually have work to do - because if we don't, we
return PAM_SUCCESS without even trying to initialize the context.

Whitespace cleanup

OpenPAMify.

Do not return inappropriate error codes in pam_sm_setcred.

About September 2001, I consulted with all the previous authors of
pam_krb5 to consolidate the copyright texts. The semi-official
pam_krb5 module has been distributed with this new license text ever
since, but I'm just now getting around to updating the text here.

english(4) police.

mdoc(7) police: removed gratuitous .Pp call.

Merge in most non-style differences from Andrew Korty's pam_ssh 1.7.

mdoc(7) police: .Dt is ALL UPPERCASE.

Approved by: re

mdoc(7) police: formatting nits.

Approved by: re

Whitespace nits.

Approved by: re (bmah)

Add a PAM_MODULE_ENTRY to this module so it'll actually do something.

Approved by: re (bmah)

utmp.ut_time and lastlog.ll_time are explicitly int32_t rather than
time_t. Deal with the possibility that time_t != int32_t. This boils
down to this sort of thing:
- time(&ut.ut_time);
+ ut.ut_time = time(NULL);
and similar for ctime(3) etc. I've kept it minimal for the stuff
that may need to be portable (or 3rd party code), but used Matt's time32
stuff for cases where that isn't as much of a concern.

Approved by: re (jhb)

Make dynamic PAM modules depend on dynamic PAM library.

Requested by: des, markm

The pam_krb5 module stored a reference to a krb5_ccache structure as
PAM module state (created in pam_sm_authenticate and referenced later
in pam_sm_setcred and pam_sm_acct_mgmt). However, the krb5_ccache
structure shares some data members with the krb5_context structure
that was used in its creation. Since a new krb5_context is created
and destroyed at each PAM entry point, this inevitably caused the
krb5_ccache structure to reference free'd memory.

Now instead of storing a pointer to the krb5_ccache structure,
we store the name of the cache (e.g. `MEMORY:0x123CACHE') in
pam_sm_authenticate, and resolve the name in the other entry points.

This bug was uncovered by phkmalloc's free'd memory scrubbing.

Approved by: re (jhb)

Use `krb5_get_err_text' instead of `error_message' so that instead of
e.g.

Unknown error: -1765328378

we get

Client not found in Kerberos database

Another way to accomplish this would have been to leave
`error_message' alone, but to explicitly load the Kerberos com_err
error tables. However, I don't really like the idea of a PAM module
dorking with global tables.

Approved by: re (jhb)

Allow the admin to specify a different NAS identifier than the hostname.

Submitted by: Boris Kovalenko <boris@ntmk.ru>

Introduce 'exempt_if_empty' option to pam_wheel(8), which bypasses the
group membership requirement if the group has no explicit members listed
in /etc/group. By default, this group is the wheel group; setting this
flag restores the default BSD behavior from 4.x.

Reviewed by: markm
Requested by: various
Sponsored by: DARPA, Network Associates Laboratories

Build kerberized versions of the PAM library, and install them
into corresponding distributions during "make release". (This
also cleans the "slib" distribution up from the .o files.)

PR: misc/43825 (inspired by)

Zap now-unused SHLIB_MINOR

Initiate deorbit burn for the i386-only a.out related support. Moves are
under way to move the remnants of the a.out toolchain to ports. As the
comment in src/Makefile said, this stuff is deprecated and one should not
expect this to remain beyond 4.0-REL. It has already lasted WAY beyond
that.

Notable exceptions:
gcc - I have not touched the a.out generation stuff there.
ldd/ldconfig - still have some code to interface with a.out rtld.
old as/ld/etc - I have not removed these yet, pending their move to ports.
some includes - necessary for ldd/ldconfig for now.

Tested on: i386 (extensively), alpha

Since pam_get_authtok(3) doesn't know about our options structure, setting
the PAM_ECHO_PASS option on-the-fly is a NOP (though it wasn't with the
old pam_get_pass(3) code). Instead, call pam_prompt(3) directly. This
actually simplifies the code a bit.

MFC after: 3 days

Install more man pages - I thought I'd committed this ages ago...

Tidy up.

Missed one in previous commit.

Pointed out by: nectar

mdoc(7) police: kill whitespace at EOL.

mdoc(7) police: polish markup.

mdoc(7) police: tidy up the markup.

Add pam_ksu(8), a module to do Kerberos 5 authentication and
$HOME/.k5login authorization for su(1).

Reviewed by: des (earlier version)

Add openpam_nullconv.3.

Add missing include.

Just to show that PAM can do almost anything from the ridiculous to the
obscene, or - as they say in New York - sophisticated, add pam_echo(8) and
pam_exec(8) to our ever-lengthening roster of PAM modules.

Sponsored by: DARPA, NAI Labs.

Hide a couple of unguarded error returns behind the no_fail test.

Free old_pwd only in the code path where it has been allocated.

Reviewed by: des

Do not build pam_ssh if NOSECURE is set (NO_OPENSSL is on a subset of NOSECURE)

Major cleanup of bsd.lib.mk.

Get rid of the INTERNALSTATICLIB knob and just use plain INTERNALLIB.
INTERNALLIB now means to build static library only and don't install
anything. Added a NOINSTALLLIB knob for libpam/modules. To not
build any library at all, just do not set LIB.

Added new bsd.incs.mk which handles installing of header files
via INCS. Implemented INCSLINKS (equivalent to SYMLINKS) to
handle symlinking include files. Allow for multiple groups of
include files to be installed, with the powerful INCSGROUPS knob.
Documentation to follow.

Added standard `includes' and `incsinstall' targets, use them
in Makefile.inc1. Headers from the following makefiles were
not installed before (during `includes' in Makefile.inc1):

kerberos5/lib/libtelnet/Makefile
lib/libbz2/Makefile
lib/libdevinfo/Makefile
lib/libform/Makefile
lib/libisc/Makefile
lib/libmenu/Makefile
lib/libmilter/Makefile
lib/libpanel/Makefile

Replaced all `beforeinstall' targets for installing includes
with the INCS stuff.

Renamed INCDIR to INCSDIR, for consistency with FILES and SCRIPTS,
and for compatibility with NetBSD. Similarly for INCOWN, INCGRP,
and INCMODE.

Consistently use INCLUDEDIR instead of /usr/include.

gnu/lib/libstdc++/Makefile and gnu/lib/libsupc++/Makefile changes
were only lightly tested due to the missing contrib/libstdc++-v3.
I fully tested the pre-WIP_GCC31 version of this patch with the
contrib/libstdc++.295 stuff.

These changes have been tested on i386 with the -DNO_WERROR "make
world" and "make release".

Don't declare krb5_mcc_ops, it's already declared in <krb5.h>

Use libutil and libypclnt for all passwd manipulation and NIS needs.

Sponsored by: DARPA, NAI Labs

Add a no_fail option.

Sponsored by: DARPA, NAI Labs

Add pam_ftpusers(8), which enforces /etc/ftpusers.

Sponsored by: DARPA, NAI Labs

Add openpam_nullconv.c to SRCS.

Don't ask root for the old password, except in the NIS case.

Sponsored by: DARPA, NAI Labs

Fix a really dumb bug (missing curly braces around the body of an if
statement) that caused pam_sm_chauthtok() to always fail silently.

Oops, fix an inverted if test.

Strip /dev/ from tty name, and clean up the "last login" printout.

Sponsored by: DARPA, NAI Labs

Revert previous change. bsd.dep.mk,v 1.31 had a bug that was fixed
in revision 1.32 and made this change OBE.

Add a missing .El and fix a typo.

Spotted by: Solar Designer <solar@openwall.com>
Sponsored by: DARPA, NAI Labs

Reflect change in share/mk/bsd.dep.mk,v 1.31.

Revert previous commit, it is incorrect.

Properly spell rpcsvc/ypclnt.h and fix the build.

Throw in NO_WERROR to please the peanut gallery.

Use PAM_SUCCESS instead of PAM_IGNORE.

Whitespace nits.

Add a manual page based on Solar Designer's README.

Sponsored by: DARPA, NAI Labs

pam_passwdqc depends on libcrypt.

Prompt for new password during update phase, not during preliminary phase.

Sponsored by: DARPA, NAI Labs

Dike out most of the NIS code and replace it with calls to libypclnt.
Rework pam_sm_chauthtok() so it (mostly?) works.
The standard pw stuff still needs to move into a library somewhere.

Sponsored by: DARPA, NAI Labs

pam_passwdqc builds now.

More recent versions of pam_passwdqc (not yet released) build with very
few warnings.

New files in OpenPAM Cineraria.

Sponsored by: DARPA, NAI Labs

Cosmetic nit.

Cast a ptrdiff_t to int before using it as a printf field width.

Change || into && (braino in previous commit). Also append \n to the
error message.

Major cleanup:

- add __unused where appropriate
- PAM_RETURN -> return since OpenPAM already logs the return value.
- make PAM_LOG use openpam_log()
- make PAM_VERBOSE_ERROR use openpam_get_option() and check flags
for PAM_SILENT
- remove dummy functions since OpenPAM handles missing service
functions
- fix various warnings

Sponsored by: DARPA, NAI Labs

Add a pam_rhosts module, loosely based on code submitted by Danny Braniss.

Submitted by: Danny Braniss <danny@cs.huji.ac.il>
Sponsored by: DARPA, NAI Labs

Rename the even_root option to allow_root.

Sponsored by: DARPA, NAI Labs

Reimplement the hack to put pam_static.o into .depend with some magic.

Moved SHLIB_NAME definition into one place.

Approved by: des

Fixed broken "make depend; make clean; make all" sequence.

I've looked for this example for a long time, to demonstrate
some people why it's a really BAD idea to use ${.OBJDIR}
instead of ".". I hope these people are reading this. :-)

Approved by: des

Fix broken `checkdpadd'.

-lroken is an installable library, there's no need to give an
explicit path to it. In any case, -L paths should be specified
in LDFLAGS if needed.

Approved by: des

Don't override standard _EXTRADEPEND actions, add to them.
Fix CLEANFILES.
Collapse openpam_static_modules.o generation.

Remove debugging code that was inadvertantly brought in by previous commit.

Use OpenPAM's credential switching functions.

Sponsored by: DARPA, NAI Labs

Add new files and man pages from OpenPAM Cinchona.

Sponsored by: DARPA, NAI Labs

Remove commented-out WARNS thingy.

Align for const poisoning in -lutil.

Reorganize pam_sm_authenticate() to reduce code duplication.

Sponsored by: DARPA, NAI Labs

Fix bug in previous commit that passed the wrong default value to
login_getcapstr(3). Also fix a longer-standing bug (login_close(3)
frees the string returned by login_getcapstr(3)) by reorganizing the
code a little, and use login_getpwclass(3) instead of login_getclass(3)
if we already have a struct pwd.

Sponsored by: DARPA, NAI Labs

This one needs NO_WERROR too.

Turn on NO_WERROR due to namespace pollution in krb5 headers.

Aggressive cleanup of warnings + authtok-related code in preparation for
PAMifying passwd(1).

Sponsored by: DARPA, NAI Labs.

Disconnect pam_passwdqc for now, it has some issues that need resolving.

Fix some style issues, a const warning, and abuse of PAM_ABORT.

Sponsored by: DARPA, NAI Labs

Remove some duplicate free()s and add some that were missing.

Submitted by: tmm

pam_get_pass() -> pam_get_authtok()

Upgrade to something quite close, but not identical, to version 1.6 of
Andrew Korty's pam_ssh. The most notable difference is that this uses
commas rather than colons to separate items in the "keyfiles" option.

Sponsored by: DARPA, NAI Labs

Add pam_passwdqc to the build.

Sponsored by: DARPA, NAI Labs

Fix for OPIE 2.4.

mdoc(7) police: fix SYNOPSIS, sort xrefs, kill extra whitespace.

mdoc(7) police: nits.

mdoc(7) police: sort xrefs, kill extra whitespace.

Fix world breakage introduced by my recent modifications to
chpass(8). The relations between libc, libpam, chpass, passwd, and
vipw are a mess and probably should be cleaned up.

Submitted by: Peter Pentchev <roam@ringlet.net>

mdoc(7) police: tiny fixes.

mdoc(7) police: expand contractions.

NAI DBA update.

Remove the use of random(3), and encapsulate the salt-generation in
its own function. The use of arc4random(3) is hopeless overkill here,
but that does not hurt anything.

Requested by: ache

Don't ignore system CFLAGS.

Fix build for OpenPAM. The directories needed tweeking.

This file is not needed any more

Now pam_alreadyloggedin lives in the ports.

Add the pam_alreadyloggedin(8) module, which allows for authentication
based on information that the user is already logged in.

Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs

Unbreak the pam_krb5 build: cast a couple of const pointers
to normal char *. A better fix might be some const'ifying
of the Heimdal code, but this will do to fix the build
for the present.

Approved by: des

Add forgotten NOPROFILE that broke world.

Switch to OpenPAM. Bump library version. Modules are now versioned, so
applications linked with Linux-PAM will still work.
Remove pam_get_pass(); OpenPAM has pam_get_authtok().
Remove pam_prompt(); OpenPAM has pam_{,v}{error,info,prompt}().
Remove pam_set_item(3) man page as OpenPAM has its own.

Sponsored by: DARPA, NAI Labs

Add missing dependency on libutil.

Create /var/log/lastlog if it doesn't exist.

Submitted by: des

This file needs <syslog.h>.

Sponsored by: DARPA, NAI Labs

Now that cross-tools ld(1) has been fixed to look for dynamic
dependencies in the correct place, record the fact that -lssh
depends on -lcrypto and -lz.

Removed false dependencies on -lz (except ssh(1) and sshd(8)).
Removed false dependencies on -lcrypto and -lutil for scp(1).

Reviewed by: markm

Remove NO_WERROR, now that WARNS=n is gone.

Comment out the WARNS= so as to not trample all over the GCC3 work.

Three times lucky: <stddef.h>, not <sys/param.h>

Oops, the correct header to include for NULL is <sys/param.h>.

#include <sys/types.h> for NULL (hidden by Linux-PAM header pollution)

Sponsored by: DARPA, NAI Labs

#include cleanup.

Sponsored by: DARPA, NAI Labs

Explicitly declare (gcc internal) functions.

Submitted by: ru

ssh_get_authentication_connection() gets its parameters from environment
variables, so temporarily switch to the PAM environment before calling it.

Submitted by: Takanori Saneto <sanewo@ba2.so-net.ne.jp>

Protect "make buildworld" against -Werror, as this module does not
build cleanly.

Add the other half of the salt-generating code. No functional
difference except that the salt is slightly harder to build
dictionaries against, and the code does not use srandom[dev]().

Turn on fascist warning mode.

WARNS=n fixes (and some stylistic issues).

Remove an unnecessary #include that trips up OpenPAM. The header in question
is an internal Linux-PAM header which shouldn't be used outside Linux-PAM
itself, and has absolutely zero effect on pam_ftp.

Sponsored by: DARPA, NAI Labs
MFC after: 1 week

Post-repocopy cleanup.

Sponsored by: DARPA, NAI Labs

Connect the pam_lastlog(8) and pam_login_access(8) modules to the build.

Sponsored by: DARPA, NAI Labs

Still with asbestos longjohns on, completely PAMify login(1) and remove
code made redundant by various PAM modules (primarily pam_unix(8)).

Sponsored by: DARPA, NAI Labs

With asbestos longjohns on, integrate most of the checks normally done by
login(1) (password & account expiry, hosts.access etc.) into pam_unix(8).

Sponsored by: DARPA, NAI Labs

Move the code from pam_sm_authenticate() to pam_sm_acct_mgmt(). Simplify
it a little and try to make it more resilient to various possible failure
conditions. Change the man page accordingly, and take advantage of this
opportunity to simplify its language.

Sponsored by: DARPA, NAI Labs

WARNS=4 fixes. Protect with NO_WERROR for the modules that have
warnings that are hard to fix or that I've been asked to leave alone.

PAM modules shouldn't call putenv(); pam_putenv() is sufficient. The
caller is supposed to check the PAM envlist and export the variables it
contains; if it doesn't, it's broken.

Sponsored by: DARPA, NAI Labs

Change the order in which pam_sm_open_session() updates the logs. This
doesn't really make any difference, except it matches wtmp(5) better.

Don't do anything in pam_sm_close_session(); init(8) will take care of
utmp and wtmp when the tty is released. Clearing them here would make it
possible to create a ghost session by logging in, running 'login -f $USER'
and exiting the subshell.

Sponsored by: DARPA, NAI Labs (but the bugs are all mine)

Correctly interpret PAM_RHOST being unset as an indicator of a local
login.

Sponsored by: DARPA, NAI Labs

Correctly interpret PAM_RHOST being unset as an indicator of a local
login.

Style nits.

Sponsored by: DARPA, NAI Labs

Document the even_root option.

Sponsored by: DARPA, NAI Labs

Don't let root through unless the "even_root" option was specified.

Sponsored by: DARPA, NAI Labs

Add a PAM module that records sessions in utmp/wtmp/lastlog.

Sponsored by: DARPA, NAI Labs

Fix some pastos. Rather shoddy of me...

Sponsored by: DARPA, NAI Labs

Add a PAM module that provides an account management component for checking
either PAM_RHOST or PAM_TTY against /etc/login.access.o

This uncovers a problem with PAM_RHOST, in that if we always set it, there
is no way to distinguish between a user logging in locally and a user
logging in using 'ssh localhost'. This will be fixed by first making sure
that all PAM modules can handle PAM_RHOST being unset (which is currently
not the case), and then modifying su(1) and login(1) to not set it for
local logins.

Sponsored by: DARPA, NAI Labs

Add an AUTHORS section crediting ThinkSec, DARPA and NAI Labs.

Sponsored by: DARPA, NAI Labs

Add pam_ssh support to the static PAM library, libpam.a:

- Spam /usr/lib some more by making libssh a standard library.
- Tweak ${LIBPAM} and ${MINUSLPAM}.
- Garbage collect unused libssh_pic.a.
- Add fake -lz dependency to secure/ makefiles needed for
dynamic linkage with -lssh.

Reviewed by: des, markm
Approved by: markm

Base the comparison on UIDs, not on user names.

Sponsored by: DARPA, NAI Labs

Make libssh.so useable (undefined reference to IPv4or6).

Reviewed by: des, markm
Approved by: markm

Link pam_opieaccess, pam_self and pam_ssh into the static library.

Sponsored by: DARPA, NAI Labs

On second thought, getpwnam() failure should be treated just as if the user
existed, but had no OPIE key, i.e. PAM_IGNORE.

Pointed out by: ache
Sponsored by: DARPA, NAI Labs

Return PAM_SERVICE_ERR rather than PAM_USER_UNKNOWN if getpwnam() fails, as
PAM_USER_UNKNOWN will break the chain, revealing to an attacker that the
user does not exist.

Sponsored by: DARPA, NAI Labs

Further changes to allow enabling pam_opie(8) by default:

- Ignore the {try,use}_first_pass options by clearing PAM_AUTHTOK before
challenging the user. These options are meaningless for pam_opie(8)
since the user can't possibly know the right response before she sees
the challenge.

- Introduce the no_fake_prompts option. If this option is set, pam_opie(8)
will fail - rather than present a bogus challenge - if the target user
does not have an OPIE key. With this option, users who haven't set up
OPIE won't have to wonder what that "weird otp-md5 s**t" means :)

Reviewed by: ache, markm
Sponsored by: DARPA, NAI Labs

Add a new module, pam_opieaccess(8), which is responsible for checking
/etc/opieaccess and ~/.opiealways so we can decide what to do after
pam_opie(8) fails.

Sponsored by: DARPA, NAI Labs
Reviewed by: ache, markm

snprintf bloat -> strlcpy
Add getpwnam return check

Approved by: des, markm

Back out recent changes

If user not exist in OPIE system, return failure immediately instead
of producing fake prompts with random numbers which can be detected by
potential intruder in two tries and totally confuse non-OPIE users.

Back out second right-now-expired password check in pam_sm_chauthtok,
old expired password assumed there

Previous commit was incomplete, use new error code PAM_CRED_ERR to
indicate die case, different from PAM_SUCCESS and PAM_AUTH_ERR

Rewrite 'pwok' fallback in the way it can be properly chained with pam_unix

Replace snprintf %s with strlcpy

Check for NULL returned from getpwnam()

Add yet one expired-right-now password check, in pam_sm_chauthtok

srandomdev() can't be used in libraries, replace srandomdev()+random()
by arc4random()

Set pwok to 1 for non-OPIE users

Add missing check for right-now-expired password

Implement 'pwok', i.e. conditional fallback to unix password
as supposed by opieaccessfile() and opiealways()

Fixed a missing "const".

mdoc(7) police: bump document date.

Style improvements recommended by Bruce as a follow up to some
of the recent WARNS commits. The idea is:

1) FreeBSD id tags should follow vendor tags.
2) Vendor tags should not be compiled (though copyrights probably should).
3) There should be no blank line between including cdefs and __FBSDIF.

Back out previous commit.

Requested by: ru

mdoc(7) police: sort xrefs.

Get pam_mod_misc.h from .CURDIR rather than .OBJDIR or /usr/include.

Sponsored by: DARPA, NAI Labs

Now that _pam_init_handlers() works as intended, it seems clear that we
do not actually want to define PAM_READ_BOTH_CONFS, so back out previous
commit.

Sponsored by: DARPA, NAI Labs

We need pam_client.h from libpamc. This unbreaks world

Pointed out by: jhay
Pointy hat to: des

Define PAM_READ_BOTH_CONFS. We can now have both /etc/pam.d and
/etc/pam.conf.

Sponsored by: DARPA, NAI Labs

Install the correct version of pam_misc.h.

Sponsored by: DARPA, NAI Labs

Add dummy functions for all module types. These dummies return PAM_IGNORE
rather than PAM_SUCCESS, so you'll get a failure if you list dummies but
no real modules for a particular module chain.

Sponsored by: DARPA, NAI Labs

Connect the man page to the build.

Sponsored by: DARPA, NAI Labs

Add a pam_self authentication module that succeeds if and only if the local
and remote user names are the same.

Sponsored by: DARPA, NAI Labs

Use __FBSDID(). Also do a bit of cosmetic #if and header-order
cleaning-up.

Style fixups.

Sort function declarations, includes. Make consistent WRT use of _P()
macro (ugh!)

Inspired by: bde

WARNS=2 fixes.

Reviewed by: bde (a while back)

Fix pam_ssh by adding an IPv4or6 (evidently, this was broken by my last
OpenSSH import) declaration and strdup(3)ing a value which is later
free(3)d, rather than letting the system try to free it invalidly.

Mdoc police.

Submitted by: ru

mdoc(7) police: fix one pam_unix(8) left-over, sort xrefs.

Add a pam_set_item(3) man page with an MLINK to pam_get_item(3).

PR: docs/32294
Sponsored by: DARPA, NAI Labs
MFC after: 3 days

Create a pam_ssh(8) man page, based on a repo-copy of pam_unix(8).
License modified with original author's permission.

Sponsored by: DARPA, NAI Labs

Document the local_pass and nis_pass options, add a few xrefs, and reorder
the SEE ALSO section. License modified with original author's permission.

Sponsored by: DARPA, NAI Labs

Spelling police: sucessful -> successful.

Don't put an extra space after password prompts, because it violates POLA,
makes FreeBSD inconsistent with previous releases and "other unices" as well
as with some internal password-asking services (e.g. ftp) within the same
release.

Add library exposed by KDE's use if this module.

Add __FBSDID()s to libpam

1) repair the return value in the PAM_RETURN() macro (Side effects!!).
2) canonicalise the options use in pam_options().

Submitted by: Gunnar Kreitz <gunnark@chello.se>
PR: 30250

Introduce a "noroot_ok" option to make this module ignore authentications
to a non-superuser if required.

Introduce better logging, error reporting and use of login_cap data.

Add extra logging detail. This needs a more general solution.

Big module makeover; improve logging, standardise variable names,
introduce ability to change passwords for both "usual" Unix methods
and NIS.

Add 'try_mapped_pass' standard option.

Asked for by: lukeh@PADL.COM

Document the no_warn option.

Fix a couple of cross-references to reflect the reality of the module.

Fix:

/usr/src/lib/libpam/modules/pam_ssh/pam_ssh.c has couple of bugs which cause:

1) xdm dumps core
2) ssh1 private key is not passed to ssh-agent
3) ssh2 RSA key seems not handled properly (just a guess from source)
4) ssh_get_authentication_connectionen() fails to get connection because of
SSH_AUTH_SOCK not defined.

PR: 29609
Submitted by: Takanori Saneto <sanewo@ba2.so-net.ne.jp>

Clean up this module very extensively. Fix the logging, the coding
standards and the option handling. This module is now much more easy
to maintain as a part of the FreeBSD tree.

Code clean up; make logging same as other modules and fix warnings.

General code clean-up. Sort out warnings, and make the warning and
logging work the same as other modules.

Simplify code. Also verbose logging, verbose overridable error reporting.

Verbose logging, overridable verbose error reporting.

Module clean-up. Verbose logging, Overridable verbose error reporting,
FreeBSD pam_prompt() usage to simplify conversation function usage.

Verbosely (overridable) report failure to the user.

Use the FreeBSD pam_prompt() interface to the conversation function
instead of home-rolling it. Clean up debugging code and tidy the
module.

Verbosely report errors to the user (overridable), and make sure
that the correct failure mode is reported.

Fix broken logic so that this actually works for the superuser.
Verbosely log (properly).
Verbosely report errors to the user.

Rework this to prevent a nasty problem involving different modules'
option interacting with each other.

Declare the new user-error reporting macro.

This is a macro to allow use of the __FILE__ and __FUNCTION__
macros.

Add a routine for providing feedback via the conversation mechanism
(usually to stderr) for user-reportable errors.

Fix style/consistency in Makefile and repair static module building.

Submitted by: bde(partially)

Don't clobber CFLAGS

Submitted by: bde

Fix the bug where this modulke was not checking the priamry GID, only
the GIDS in /etc/group or NIS's group map.

Tested by: sheldonh
PR: 29349

With the S/KEY removal, this is no longer buildable or necessary.

Don't try to make pam_ssh module if NO_OPENSSH is set.

Repair the get/set UID() stuff so this works in both su(1) and login(1)
modes.

Making this major bump was a BAD idea. The API change is internal (to PAM)
and it caused problems without solving any.

(Re)Add an SSH module for PAM, heavily based on Andrew Korty's module
from ports.

mdoc(7) police: widen width of the options list.

Update to the same level of debug-logging as the rest of the
FreeBSD/PAM modules.

Update to the same code as in the pam_krb5.so port.
According to Peter, the port works - this needs more testing.

Remove whitespace at EOL.

Use a better method of getting user credentials to account for
(legal) UID duplication.

Rename use_uid to auth_as_self for consistency with other modules.

Use a better method to get user credentials to account for (legal)
duplications of UID's in /etc/*passwd.

mdoc(7) police: -xwidth has been fold into -width.

mdoc(7) police: fixed markup, a little bit.

mdoc(7) police: fixed markup any numerous typos.

Fix a horrible bug introduced by myself where the options collection
keeps on growing as the module stack is parsed.

mdoc(7) police: removed HISTORY info from the .Os call.

mdoc(7) police: removed HISTORY info from the .Os call.

Clean up (and in some cases write) the PAM mudules, using
o The new options-processing API
o The new DEBUG-logging API

Add man(1) pages for ALL modules. MDOC-Police welcome
to check this.

Audit, clean up while I'm here.

Bump the major number. The libraries API has changed incompatibly.

Almost completely rewrite the PAM module options processing
routines, and provide a more extended API for doing this.

Provide an API for debug logging.

Audit and clean up the code.

mdoc(7) police: sort SEE ALSO xrefs (sort -b -f +2 -3 +1 -2).

mdoc(7) police: fixed formatting.

Fix libpam's linker set stuff to use the new API (unbreak world), and get
rid of gensetdefs from here as well.

Convert to mdoc(7).

Big module cleanup.

Move common stuff into Makefile.inc, and tidy up all the Makefiles
as a result.

Build new modules.

Put a commented-out dependancy on libpam for the (shared) modules.
I can't bring this in just yet, as the dependancy (modules->libpam)
is reversed for the static case (libpam->modules).

Null file to bring back a file from the dead. This allows the real commit
to happen remotely. Damn CVS bugs :-(

Add the "nullok" option that causes this module to succeed if the Unix
password is empty/null.

Tidy up the options list (and make it more extendable), and add some
extra "standard" options.

Add some new utility authenticators.

pam_securetty silently succeeds if the user is on a secure tty
as defined by /etc/ttys.

pam_ftp does "anonymous ftp" style authentication with options for
specifying the anonymous user(s).

Add the "auth_as_self" option to the pam_unix module (there is no
reason not to add it to others later). This causes the pam_unix
module to check the user's _own_ password, not the password of the
account that the user is authenticating into. This will allow eg:
WHEELSU type behaviour from su(1).

Bring in a few useful PAM modules.

pam_krb5 is a Kerberos 5 (Heimdal) authentication module.

pam_nologin checks for /etc/nologin and does the "usual stuff"
if it is found, otherwise it silently succeeds.

pam_rootok silently succeeds if the user is root, otherwise
it fails.

pam_wheel silently succeeds if the user is a member of group
"wheel" (or another nominated group), and fails
otherwise.

There is an issue with kerberosIV and kerberos5 - if both are
being built, then static linking fails with duplicate symbols.
This will take a bit of work to sort out in the kerberii.

Finish disconnecting pam_ssh from the build.

I've been meaning to take pam_ssh out of the base system for a while now.
Finally do it.

Update for (Linux-)PAM 0.75

mdoc(7) police: uppercase document title.

MAN[1-9] -> MAN.

Use a unified libgcc rather than a seperate one for threaded and
non-threaded programs. This provides threaded programs with the
needed exception frame symbols.

parts submitted by: Max Khon <fjoe@iclub.nsu.ru>
PR: 23252

Use a unified libgcc rather than a seperate one for threaded and
non-threaded programs. This provides threaded programs with the
needed exception frame symbols.

parts submitted by: Max Khon <fjoe@iclub.nsu.ru>
PR: 23252

Prepare for mdoc(7)NG.

mdoc(7) police: removed history info from the .Os FreeBSD call.

Forgot to remove the old line in the last commit.

In env_destroy(), it is a bad idea to env_swap(self, 0) to switch
back to the original environ unconditionally. The setting of the
variable to save the previous environ is conditional; it happens when
ENV.e_committed is set. Therefore, don't try to swap the env back
unless the previous env has been initialized.

PR: bin/22670
Submitted by: Takanori Saneto <sanewo@ba2.so-net.ne.jp>

Correct an arguement to ssh_add_identity, this matches what is currently
in ports/security/openssh/files/pam_ssh.c

PR: 22164
Submitted by: Takanori Saneto <sanewo@ba2.so-net.ne.jp>
Reviewed by: green
Approved by: green

log

Update to the version of pam_ssh corresponding to OpenSSH 2.1 (taken
from the openssh port)

Submitted by: Hajimu UMEMOTO <ume@mahoroba.org>

Back out the previous change to the queue(3) interface.
It was not discussed and should probably not happen.

Requested by: msmith and others

Change the way that the queue(3) structures are declared; don't assume that
the type argument to *_HEAD and *_ENTRY is a struct.

Suggested by: phk
Reviewed by: phk
Approved by: mdodd

Connect pam_opie to the build.

Add pam_opie, a PAM module using the OPIE one-time-password scheme.

Submitted by: Jim Bloom <bloom@acm.org>

Fix a memory leak.

PR: 17360
Submitted by: Andrew J. Korty <ajk@iu.edu>

Fixed missing libraries in DPADD.

Fixed some style bugs (some usual ones for DPADD and LDADD, and
misformatting of $FreeBSD$).

Buildworld fixes for NO_OPENSSH and NO_OPENSSL

Approved by: jkh

Make pam_ssh work. It had an undefined symbol when it was dlopen()ed.
I'm not quite sure about this, I think it should be using -lssh_pic since
it's being linked into a .so, but nothing seems to complain ahd it does
work. (well, it works for using the authorized_keys file, but I have not
figured out how to get it to start a ssh-agent and cache the key for me)

PR: 17191
Submitted by: Adrian Pavlykevych <pam@polynet.lviv.ua>

Remove single-space hard sentence breaks. These degrade the quality
of the typeset output, tend to make diffs harder to read and provide
bad examples for new-comers to mdoc.

Remove single-space hard sentence breaks. These degrade the quality
of the typeset output, tend to make diffs harder to read and provide
bad examples for new-comers to mdoc.

Don't try to build k5 PAM; it ain't ready yet.

Same fix as in ../modules, dont use the crypto stuff if its not there.

Argh, I can't win today. Spell ${.CURDIR} correctly.

Don't build pam_ssh if the crypto code is missing.

Found by: sos

Redo this with a repo copy from the original file and reset the
__PREFIX__ markers.

Use libcrypto instead of libdes.

Also - OpenSSH blesses us with a module for PAM.

Remove the version information from `.Os FreeBSD' here. Not only
might it confuse people, but it causes a warning message with
nroff, and no version history mentions a 1.2 version of FreeBSD.

If anything, a ``HISTORY'' section should show which version this
appeared in.

Upgrade to the pam_ssh module, version 1.1..

(From the author:)
Primarily, I have added built-in functions for manipulating the
environment, so putenv() is no longer used. XDM and its variants
should now work without modification. Note that the new code uses
the macros in <sys/queue.h>.

Submitted by: Andrew J. Korty <ajk@iu.edu>

Add the PAM SSH RSA key authentication module. For example, you can add,
"login auth sufficient pam_ssh.so" to your /etc/pam.conf, and
users with a ~/.ssh/identity can login(1) with their SSH key :)

PR: 15158
Submitted by: Andrew J. Korty <ajk@waterspout.com>
Reviewed by: obrien

Don't include Kerberos if NOCRYPT is defined, because it isn't build
if NOCRYPT is defined. Likewise, don't include DES if NOSECURE is
defined.

Add libcrypt. This previously/coincidentally worked for login,
because login was already linked against it, but others have a
problem.

Common Error libraries are needed here.

$Id$ -> $FreeBSD$

$Id$ -> $FreeBSD$

Restore INTERNALLIB.

Noticed by: bde,jdp

Add pam_radius.so manual page.

Reviewed by: jdp

Add $Id$, to make it simpler for members of the translation teams to
track.

The $Id$ line is normally at the bottom of the main comment block in the
man page, separated from the rest of the manpage by an empty comment,
like so;

.\" $Id$
.\"

If the immediately preceding comment is a @(#) format ID marker than the
the $Id$ will line up underneath it with no intervening blank lines.
Otherwise, an additional blank line is inserted.

Approved by: bde

Revive the pam_deny and pam_permit modules from Linux-PAM. They are
simple enough to be trusted.

Add account management functionality to the pam_unix module.

These changes should make it possible to use PAM in some ports.

Submitted by: Max Khon <fjoe@iclub.nsu.ru>

Fix bug that prevented accounts with empty passwords from logging
in.

Submitted by: Paul Traina <pst@juniper.net>

Fix breakage for the static a.out case. The a.out linker doesn't
consider a linker set definition to be sufficient reason to pull an
object module from an archive library. This caused undefined
symbols when linking with libpam.a using a.out. I solved it by
linking in the object that references the linker set in the "ld -r"
step.

Revert my last change, "Rename some globals to reduce namespace
pollution." Unfortunately, some of these globals are used by ftpd,
and I broke make world. Pointy hat, please.

Rename some globals to reduce namespace pollution.

Make it possible to use PAM in statically-linked applications.

Fix an NFS-related installation problem.

Submitted by: asami

Obtained from: "Jan B. Koum " <jkb@best.com>

Add a reference to pam(8) in the login(1) and login.access(5) manual
pages.

Install PAM modules into ${SHLIBDIR}, not ${LIBDIR}.

Noticed by: bde

This commit was generated by cvs2svn to compensate for changes in r41227,
which included commits to RCS files with non-trunk default branches.

Build structure for contribified Linux-PAM, plus some home-grown
modules for FreeBSD's standard authentication methods. Although
the Linux-PAM modules are present in the contrib tree, we don't
use any of them.

The main library "libpam" is composed of sources taken from three
places. First are the standard Linux-PAM libpam sources from the
contrib tree. Second are the Linux-PAM "libpam_misc" sources, also
from the contrib tree. In Linux these form a separate library.
But as Mike Smith pointed out to me, that seems pointless, so I
have combined them into the libpam library. Third are some additional
sources from the "src/lib/libpam" tree with some common functions
that make it easier to write modules. Those I wrote myself.

This work has been donated to FreeBSD by Juniper Networks, Inc.

.Sh AUTHOR -> .Sh AUTHORS. Use .An/.Aq.

Changes for KTH KerberosIV.
Also quieten -Wall a bit.

= -> ==, strcpy -> strncpy from OpenBSD.
update man page. Add usage().
Obtained from: OpenBSD

Fix the man page's title (.Dt).
(It has been ``SKEY.ACCESS''.)

Cruft cleanup to eliminate useless warnings

Fix some compilation warnings.

#include <kerberosIV/des.h> -> #include <des.h>

Remove trailing whitespace.

In the non-PARANOID case, make sure to set `notickets' to 0 sothat login.c
doesn't complain.

Modify klogin to:

1) Don't spit out an error message if Kerberos is installed but not yet
set up.

2) Don't attempt to verify the ticket you got back, as workstations
are not intended to have srvtab files of their own.

Both behaviors can be re-enabled with KLOGIN_PARANOID.

Add skey supprot
Reviewed by:
Submitted by: guido

Initial revision