authorYaroslav Tykhiy <ytykhiy@gmail.com>2007-06-10 18:57:20 +0000
committerYaroslav Tykhiy <ytykhiy@gmail.com>2007-06-10 18:57:20 +0000
commit9cd40e64b4fb4a559eb67a266f768143086bc5d9 (patch)
tree37d2537512c71ec8e47fb6d4279f5add1fbf960b
parent6ceeb2bc160b8e7b2f6b6f4aaa126c50767b37ad (diff)
downloadsrc-9cd40e64b4fb4a559eb67a266f768143086bc5d9.tar.gz
src-9cd40e64b4fb4a559eb67a266f768143086bc5d9.zip
Now pam_nologin(8) will provide an account management function
instead of an authentication function. There is a design reason and a practical reason for that. First, the module belongs in account management because it checks availability of the account and does no authentication. Second, there are existing and potential PAM consumers that skip PAM authentication for good or for bad. E.g., sshd(8) just prefers internal routines for public key auth; OTOH, cron(8) and atrun(8) do implicit authentication when running a job on behalf of its owner, so their inability to use PAM auth is fundamental, but they can benefit from PAM account management. Document this change in the manpage. Modify /etc/pam.d files accordingly, so that pam_nologin.so is listed under the "account" function class. Bump __FreeBSD_version (mostly for ports, as this change should be invisible to C code outside pam_nologin.) PR: bin/112574 Approved by: des, re
Notes
Notes: svn path=/head/; revision=170510
-rw-r--r--UPDATING18
-rw-r--r--etc/pam.d/ftpd2
-rw-r--r--etc/pam.d/gdm2
-rw-r--r--etc/pam.d/imap4
-rw-r--r--etc/pam.d/kde2
-rw-r--r--etc/pam.d/login2
-rw-r--r--etc/pam.d/other2
-rw-r--r--etc/pam.d/pop34
-rw-r--r--etc/pam.d/rsh2
-rw-r--r--etc/pam.d/sshd2
-rw-r--r--etc/pam.d/telnetd2
-rw-r--r--etc/pam.d/xdm2
-rw-r--r--lib/libpam/modules/pam_nologin/pam_nologin.819
-rw-r--r--lib/libpam/modules/pam_nologin/pam_nologin.c12
-rw-r--r--sys/sys/param.h2
15 files changed, 45 insertions, 32 deletions
diff --git a/UPDATING b/UPDATING
index 373958ba49a8..bb1132c322a3 100644
--- a/UPDATING
+++ b/UPDATING
@@ -21,6 +21,24 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 7.x IS SLOW:
developers choose to disable these features on build machines
to maximize performance.
+20070610:
+ The pam_nologin(8) module ceases to provide an authentication
+ function and starts providing an account management function.
+ Consequent changes to /etc/pam.d should be brought in using
+ mergemaster(8). Third-party files in /usr/local/etc/pam.d may
+ need manual editing as follows. Locate this line (or similar):
+
+ auth required pam_nologin.so no_warn
+
+ and change it according to this example:
+
+ account required pam_nologin.so no_warn
+
+ That is, the first word needs to be changed from "auth" to
+ "account". The new line can be moved to the account section
+ within the file for clarity. Not updating pam.conf(5) files
+ will result in nologin(5) ignored by the respective services.
+
20070529:
The ether_ioctl() function has been synchronized with ioctl(2)
and ifnet.if_ioctl. Due to that, the size of one of its arguments
diff --git a/etc/pam.d/ftpd b/etc/pam.d/ftpd
index d248f00ad86f..632c97333f18 100644
--- a/etc/pam.d/ftpd
+++ b/etc/pam.d/ftpd
@@ -5,7 +5,6 @@
#
# auth
-auth required pam_nologin.so no_warn
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
#auth sufficient pam_krb5.so no_warn
@@ -13,6 +12,7 @@ auth requisite pam_opieaccess.so no_warn allow_local
auth required pam_unix.so no_warn try_first_pass
# account
+account required pam_nologin.so
#account required pam_krb5.so
account required pam_unix.so
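Review bot: The new `account required pam_nologin.so` line drops the `no_warn` option that the removed `auth` line carried, so the module will now show the nologin(5) message to the user where it was silenced before; the same applies to the gdm, kde, login, other, rsh, sshd, telnetd and xdm files in this commit. This may well be intentional now that the check runs in the account phase, but neither the commit message nor the UPDATING entry (whose example line keeps `no_warn`) says so. If the message is meant to be displayed, one sentence in UPDATING would spare administrators the surprise; if not, the line should read `account required pam_nologin.so no_warn`.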
diff --git a/etc/pam.d/gdm b/etc/pam.d/gdm
index 08391e68a949..b588aa7375d3 100644
--- a/etc/pam.d/gdm
+++ b/etc/pam.d/gdm
@@ -5,12 +5,12 @@
#
# auth
-auth required pam_nologin.so no_warn
#auth sufficient pam_krb5.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass
# account
+account required pam_nologin.so
#account required pam_krb5.so
account required pam_unix.so
diff --git a/etc/pam.d/imap b/etc/pam.d/imap
index cba8af9f9d87..6254d1491175 100644
--- a/etc/pam.d/imap
+++ b/etc/pam.d/imap
@@ -5,7 +5,9 @@
#
# auth
-#auth required pam_nologin.so no_warn
#auth sufficient pam_krb5.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass
+
+# account
+#account required pam_nologin.so
diff --git a/etc/pam.d/kde b/etc/pam.d/kde
index 539018363f11..a384d628940b 100644
--- a/etc/pam.d/kde
+++ b/etc/pam.d/kde
@@ -5,12 +5,12 @@
#
# auth
-auth required pam_nologin.so no_warn
#auth sufficient pam_krb5.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass
# account
+account required pam_nologin.so
#account required pam_krb5.so
account required pam_unix.so
diff --git a/etc/pam.d/login b/etc/pam.d/login
index a4c66285adb5..287036d43f59 100644
--- a/etc/pam.d/login
+++ b/etc/pam.d/login
@@ -5,12 +5,12 @@
#
# auth
-auth required pam_nologin.so no_warn
auth sufficient pam_self.so no_warn
auth include system
# account
account requisite pam_securetty.so
+account required pam_nologin.so
account include system
# session
diff --git a/etc/pam.d/other b/etc/pam.d/other
index e4ddf7ee4a9f..c86239cb56db 100644
--- a/etc/pam.d/other
+++ b/etc/pam.d/other
@@ -5,7 +5,6 @@
#
# auth
-auth required pam_nologin.so no_warn
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
#auth sufficient pam_krb5.so no_warn try_first_pass
@@ -13,6 +12,7 @@ auth requisite pam_opieaccess.so no_warn allow_local
auth required pam_unix.so no_warn try_first_pass
# account
+account required pam_nologin.so
#account required pam_krb5.so
account required pam_login_access.so
account required pam_unix.so
diff --git a/etc/pam.d/pop3 b/etc/pam.d/pop3
index 34d6cc055fe9..c5e93cead30c 100644
--- a/etc/pam.d/pop3
+++ b/etc/pam.d/pop3
@@ -5,7 +5,9 @@
#
# auth
-#auth required pam_nologin.so no_warn
#auth sufficient pam_krb5.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass
+
+# account
+#account required pam_nologin.so
diff --git a/etc/pam.d/rsh b/etc/pam.d/rsh
index 02c0048eabf1..9e562e0786d4 100644
--- a/etc/pam.d/rsh
+++ b/etc/pam.d/rsh
@@ -5,10 +5,10 @@
#
# auth
-auth required pam_nologin.so no_warn
auth required pam_rhosts.so no_warn
# account
+account required pam_nologin.so
account required pam_unix.so
# session
diff --git a/etc/pam.d/sshd b/etc/pam.d/sshd
index cf3e0f0acd75..46f536c74a4f 100644
--- a/etc/pam.d/sshd
+++ b/etc/pam.d/sshd
@@ -5,7 +5,6 @@
#
# auth
-auth required pam_nologin.so no_warn
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
#auth sufficient pam_krb5.so no_warn try_first_pass
@@ -13,6 +12,7 @@ auth requisite pam_opieaccess.so no_warn allow_local
auth required pam_unix.so no_warn try_first_pass
# account
+account required pam_nologin.so
#account required pam_krb5.so
account required pam_login_access.so
account required pam_unix.so
diff --git a/etc/pam.d/telnetd b/etc/pam.d/telnetd
index 3ebee202accb..535afc293157 100644
--- a/etc/pam.d/telnetd
+++ b/etc/pam.d/telnetd
@@ -5,7 +5,6 @@
#
# auth
-auth required pam_nologin.so no_warn
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
#auth sufficient pam_krb5.so no_warn try_first_pass
@@ -13,6 +12,7 @@ auth requisite pam_opieaccess.so no_warn allow_local
auth required pam_unix.so no_warn try_first_pass
# account
+account required pam_nologin.so
#account required pam_krb5.so
account required pam_login_access.so
account required pam_unix.so
diff --git a/etc/pam.d/xdm b/etc/pam.d/xdm
index 0a1c78e148c9..b883de762a40 100644
--- a/etc/pam.d/xdm
+++ b/etc/pam.d/xdm
@@ -5,12 +5,12 @@
#
# auth
-auth required pam_nologin.so no_warn
#auth sufficient pam_krb5.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass
# account
+account required pam_nologin.so
#account required pam_krb5.so
account required pam_unix.so
diff --git a/lib/libpam/modules/pam_nologin/pam_nologin.8 b/lib/libpam/modules/pam_nologin/pam_nologin.8
index a2c5990a9c23..e38be712b2d7 100644
--- a/lib/libpam/modules/pam_nologin/pam_nologin.8
+++ b/lib/libpam/modules/pam_nologin/pam_nologin.8
@@ -24,7 +24,7 @@
.\"
.\" $FreeBSD$
.\"
-.Dd July 8, 2001
+.Dd June 10, 2007
.Dt PAM_NOLOGIN 8
.Os
.Sh NAME
@@ -37,19 +37,18 @@
.Pa pam_nologin
.Op Ar options
.Sh DESCRIPTION
-The NoLogin authentication service module for PAM,
+The NoLogin service module for PAM,
.Nm
provides functionality for only one PAM category:
-authentication.
+account management.
In terms of the
.Ar module-type
parameter, this is the
-.Dq Li auth
+.Dq Li account
feature.
-It also provides a null function for session management.
-.Ss NoLogin Authentication Module
-The NoLogin authentication component
-.Pq Fn pam_sm_authenticate ,
+.Ss NoLogin Account Management Module
+The NoLogin account management component,
+.Fn pam_sm_acct_mgmt ,
always returns success for the superuser,
and returns success for all other users
if the file
@@ -69,7 +68,7 @@ is used instead.
This usually defaults to
.Pa /var/run/nologin .
.Pp
-The following options may be passed to the authentication module:
+The following options may be passed to the module:
.Bl -tag -width ".Cm no_warn"
.It Cm debug
.Xr syslog 3
@@ -80,7 +79,7 @@ level.
suppress warning messages to the user.
These messages include
reasons why the user's
-authentication attempt was declined.
+login attempt was declined.
.El
.Sh SEE ALSO
.Xr syslog 3 ,
diff --git a/lib/libpam/modules/pam_nologin/pam_nologin.c b/lib/libpam/modules/pam_nologin/pam_nologin.c
index 2145688ab15f..f4b28e547cba 100644
--- a/lib/libpam/modules/pam_nologin/pam_nologin.c
+++ b/lib/libpam/modules/pam_nologin/pam_nologin.c
@@ -46,7 +46,7 @@ __FBSDID("$FreeBSD$");
#include <stdlib.h>
#include <unistd.h>
-#define PAM_SM_AUTH
+#define PAM_SM_ACCOUNT
#include <security/pam_appl.h>
#include <security/pam_modules.h>
@@ -57,7 +57,7 @@ __FBSDID("$FreeBSD$");
static char nologin_def[] = NOLOGIN;
PAM_EXTERN int
-pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,
+pam_sm_acct_mgmt(pam_handle_t *pamh, int flags __unused,
int argc __unused, const char *argv[] __unused)
{
login_cap_t *lc;
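Review bot: The renamed `pam_sm_acct_mgmt` still declares `flags __unused`, yet a caller of pam_acct_mgmt(3) may pass `PAM_SILENT` to ask the module not to emit messages, and this entry point now runs for services that never went through the old auth path. Honouring that flag the same way as the module's `no_warn` option would keep behaviour consistent across callers, e.g. by testing `(flags & PAM_SILENT)` wherever the option is consulted; the rest of the function body lies outside this hunk, so where that check belongs cannot be seen here. If the flag is deliberately ignored, a one-line comment next to the signature saying so would help the next reader.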
@@ -111,12 +111,4 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,
return (retval);
}
-PAM_EXTERN int
-pam_sm_setcred(pam_handle_t *pamh __unused, int flags __unused,
- int argc __unused, const char *argv[] __unused)
-{
-
- return (PAM_SUCCESS);
-}
-
PAM_MODULE_ENTRY("pam_nologin");
diff --git a/sys/sys/param.h b/sys/sys/param.h
index f5fcaf4e6fa2..42f935bb11e8 100644
--- a/sys/sys/param.h
+++ b/sys/sys/param.h
@@ -57,7 +57,7 @@
* is created, otherwise 1.
*/
#undef __FreeBSD_version
-#define __FreeBSD_version 700044 /* Master, propagated to newvers */
+#define __FreeBSD_version 700045 /* Master, propagated to newvers */
#ifndef LOCORE
#include <sys/types.h>