authorBrad Davis <brd@FreeBSD.org>2018-09-13 04:08:48 +0000
committerBrad Davis <brd@FreeBSD.org>2018-09-13 04:08:48 +0000
commit219cf81b4d9fb7b1651a9e4b85ba77aa92f99fd3 (patch)
tree3d4228d75b4f0ed7847af2e7f28e4f9d68e10ac0 /lib/libpam/pam.d
parent19b4f0dca0cf914fa9a60c824f5dfe6be962c703 (diff)
Move all pam related config to lib/libpam/
Approved by: re (rgrimes), will (mentor), des Differential Revision: https://reviews.freebsd.org/D17122
Notes
Notes: svn path=/head/; revision=338621
Diffstat (limited to 'lib/libpam/pam.d')
-rw-r--r--lib/libpam/pam.d/Makefile39
-rw-r--r--lib/libpam/pam.d/README62
-rw-r--r--lib/libpam/pam.d/atrun10
-rw-r--r--lib/libpam/pam.d/convert.pl89
-rw-r--r--lib/libpam/pam.d/cron9
-rw-r--r--lib/libpam/pam.d/ftpd20
-rw-r--r--lib/libpam/pam.d/imap14
-rw-r--r--lib/libpam/pam.d/login20
-rw-r--r--lib/libpam/pam.d/other25
-rw-r--r--lib/libpam/pam.d/passwd11
-rw-r--r--lib/libpam/pam.d/pop314
-rw-r--r--lib/libpam/pam.d/sshd26
-rw-r--r--lib/libpam/pam.d/su17
-rw-r--r--lib/libpam/pam.d/system25
-rw-r--r--lib/libpam/pam.d/telnetd26
-rw-r--r--lib/libpam/pam.d/xdm22
16 files changed, 429 insertions, 0 deletions
diff --git a/lib/libpam/pam.d/Makefile b/lib/libpam/pam.d/Makefile
new file mode 100644
index 000000000000..86aaacfca3c9
--- /dev/null
+++ b/lib/libpam/pam.d/Makefile
@@ -0,0 +1,39 @@
+# $FreeBSD$
+
+.include <src.opts.mk>
+
+NO_OBJ=
+
+CONFGROUPS= CONFS
+CONFS= README \
+ cron \
+ imap \
+ login \
+ other \
+ passwd pop3 \
+ sshd su system \
+ xdm
+
+CONFDIR= /etc/pam.d
+CONFSMODE_README= 444
+
+.if ${MK_AT} != "no"
+CONFGROUPS+= AT
+AT+= atrun
+ATPACKAGE+= at
+.endif
+
+.if ${MK_FTP} != "no"
+CONFGROUPS+= FTP
+FTP+= ftpd
+FTPPACKAGE+= ftp
+LINKS= ${FILESDIR}/ftpd ${FILESDIR}/ftp
+.endif
+
+.if ${MK_TELNET} != "no"
+CONFGROUPS+= TELNET
+TELNET+= telnetd
+TELNETPACKAGE+= telnet
+.endif
+
+.include <bsd.prog.mk>
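Review bot: The `LINKS` line in the `MK_FTP` branch is written in terms of `${FILESDIR}`, but this Makefile installs everything through the CONFS machinery with `CONFDIR= /etc/pam.d` and never assigns `FILESDIR`, so the ftp -> ftpd symlink is computed from a variable this file does not control. Unless bsd.prog.mk happens to default FILESDIR to /etc/pam.d, the link will be created somewhere other than beside the ftpd policy it points at, and a service named "ftp" would then fall through to the "other" policy instead of ftpd's. Using the directory the files are actually installed to, `LINKS= ${CONFDIR}/ftpd ${CONFDIR}/ftp`, ties the link to the same location as the target. Worth a quick `make -V LINKS` in this directory to confirm which way it resolves.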
diff --git a/lib/libpam/pam.d/README b/lib/libpam/pam.d/README
new file mode 100644
index 000000000000..2824c054fe85
--- /dev/null
+++ b/lib/libpam/pam.d/README
@@ -0,0 +1,62 @@
+
+This directory contains configuration files for the Pluggable
+Authentication Modules (PAM) library.
+
+Each file details the module chain for a single service, and must be
+named after that service. If no configuration file is found for a
+particular service, the /etc/pam.d/other is used instead. If that
+file does not exist, /etc/pam.conf is searched for entries matching
+the specified service or, failing that, the "other" service.
+
+See the pam(3) manual page for an explanation of the workings of the
+PAM library and descriptions of the various files and modules. Below
+is a summary of the format for the pam.conf and /etc/pam.d/* files.
+
+Configuration lines take the following form:
+
+module-type control-flag module-path arguments
+
+Comments are introduced with a hash mark ('#'). Blank lines and lines
+consisting entirely of comments are ignored.
+
+The meanings of the different fields are as follows:
+
+ module-type:
+ auth: prompt for a password to authenticate that the user is
+ who they say they are, and set any credentials.
+ account: non-authentication based authorization, based on time,
+ resources, etc.
+ session: housekeeping before and/or after login.
+ password: update authentication tokens.
+
+ control-flag: How libpam handles success or failure of the module.
+ required: success is required; on failure all remaining
+ modules are run, but the request will be denied.
+ requisite: success is required, and on failure no remaining
+ modules are run.
+ sufficient: success is sufficient, and if no previous required
+ module failed, no remaining modules are run.
+ binding: success is sufficient; on failure all remaining
+ modules are run, but the request will be denied.
+ optional: ignored unless the other modules return PAM_IGNORE.
+
+ arguments: Module-specific options, plus some generic ones:
+ debug: syslog debug info.
+ no_warn: return no warning messages to the application.
+ Remove this to feed back to the user the
+ reason(s) they are being rejected.
+ use_first_pass: try authentication using password from the
+ preceding auth module.
+ try_first_pass: first try authentication using password from
+ the preceding auth module, and if that fails
+ prompt for a new password.
+ use_mapped_pass: convert cleartext password to a crypto key.
+ expose_account: allow printing more info about the user when
+ prompting.
+
+Note that having a "sufficient" module as the last entry for a
+particular service and module type may result in surprising behaviour.
+To get the intended semantics, add a "required" entry listing the
+pam_deny module at the end of the chain.
+
+$FreeBSD$
diff --git a/lib/libpam/pam.d/atrun b/lib/libpam/pam.d/atrun
new file mode 100644
index 000000000000..6829469c9595
--- /dev/null
+++ b/lib/libpam/pam.d/atrun
@@ -0,0 +1,10 @@
+#
+# $FreeBSD$
+#
+# PAM configuration for the "atrun" service
+#
+
+# Note well: enabling pam_nologin for atrun will currently result
+# in jobs discarded, not just delayed, during a no-login period.
+#account required pam_nologin.so
+account required pam_unix.so
diff --git a/lib/libpam/pam.d/convert.pl b/lib/libpam/pam.d/convert.pl
new file mode 100644
index 000000000000..4686387bb79c
--- /dev/null
+++ b/lib/libpam/pam.d/convert.pl
@@ -0,0 +1,89 @@
+#!/usr/bin/perl -w
+#-
+# SPDX-License-Identifier: BSD-3-Clause
+#
+# Copyright (c) 2001,2002 Networks Associates Technologies, Inc.
+# All rights reserved.
+#
+# This software was developed for the FreeBSD Project by ThinkSec AS and
+# NAI Labs, the Security Research Division of Network Associates, Inc.
+# under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+# DARPA CHATS research program.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+# 3. The name of the author may not be used to endorse or promote
+# products derived from this software without specific prior written
+# permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $FreeBSD$
+#
+
+use strict;
+use Fcntl;
+use vars qw(%SERVICES);
+
+MAIN:{
+ my $line;
+ my $service;
+ my $version;
+ my $type;
+ local *FILE;
+
+ while (<>) {
+ chomp();
+ s/\s*$//;
+ next unless m/^(\#*)(\w+)\s+(auth|account|session|password)\s+(\S.*)$/;
+ $line = $1.$3;
+ $line .= "\t" x ((16 - length($line) + 7) / 8);
+ $line .= $4;
+ push(@{$SERVICES{$2}->{$3}}, $line);
+ }
+
+ foreach $service (keys(%SERVICES)) {
+ $version = '$' . 'FreeBSD' . '$';
+ if (sysopen(FILE, $service, O_RDONLY)) {
+ while (<FILE>) {
+ next unless (m/(\$[F]reeBSD.*?\$)/);
+ $version = $1;
+ last;
+ }
+ close(FILE);
+ }
+ sysopen(FILE, $service, O_RDWR|O_CREAT|O_TRUNC)
+ or die("$service: $!\n");
+ print(FILE "#\n");
+ print(FILE "# $version\n");
+ print(FILE "#\n");
+ print(FILE "# PAM configuration for the \"$service\" service\n");
+ print(FILE "#\n");
+ foreach $type (qw(auth account session password)) {
+ next unless exists($SERVICES{$service}->{$type});
+ print(FILE "\n");
+ print(FILE "# $type\n");
+ print(FILE join("\n", @{$SERVICES{$service}->{$type}}, ""));
+ }
+ close(FILE);
+ warn("$service\n");
+ }
+
+ exit(0);
+}
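Review bot: The script has a full license header but no description of what it does, which matters because its side effect is destructive: for every service name it finds on stdin it opens `./<service>` with `O_CREAT|O_TRUNC` and overwrites whatever was there, preserving only a `$FreeBSD$` tag it managed to read first. A short comment above `MAIN:` along the lines of "Convert pam.conf-style input (service type control module args) read from stdin or the files named on the command line into one /etc/pam.d-style file per service, written to the current directory; existing files of the same name are replaced" would tell the next person why running it in the wrong directory is bad. Two smaller style points: `use vars qw(%SERVICES)` is the pre-5.6 spelling of `our %SERVICES;`, and the bareword `FILE` handle with `local *FILE` could be a lexical `my $fh` passed to sysopen/print/close, which is what the `use strict` at the top is usually paired with. Note that the `(\w+)` capture for the service name is what keeps the output path free of separators, so that regex is doing security work and deserves a comment saying so.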
diff --git a/lib/libpam/pam.d/cron b/lib/libpam/pam.d/cron
new file mode 100644
index 000000000000..55a3d1048c53
--- /dev/null
+++ b/lib/libpam/pam.d/cron
@@ -0,0 +1,9 @@
+#
+# $FreeBSD$
+#
+# PAM configuration for the "cron" service
+#
+
+# account
+account required pam_nologin.so
+account required pam_unix.so
diff --git a/lib/libpam/pam.d/ftpd b/lib/libpam/pam.d/ftpd
new file mode 100644
index 000000000000..0d0b0766cc21
--- /dev/null
+++ b/lib/libpam/pam.d/ftpd
@@ -0,0 +1,20 @@
+#
+# $FreeBSD$
+#
+# PAM configuration for the "ftpd" service
+#
+
+# auth
+auth sufficient pam_opie.so no_warn no_fake_prompts
+auth requisite pam_opieaccess.so no_warn allow_local
+#auth sufficient pam_krb5.so no_warn
+#auth sufficient pam_ssh.so no_warn try_first_pass
+auth required pam_unix.so no_warn try_first_pass
+
+# account
+account required pam_nologin.so
+#account required pam_krb5.so
+account required pam_unix.so
+
+# session
+session required pam_permit.so
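Review bot: The account chain here has only pam_nologin and pam_unix, whereas the other, sshd, telnetd and system policies in this same commit all also carry `account required pam_login_access.so`, so an administrator's /etc/login.access rules would not be applied to ftp logins through PAM. That may be deliberate if ftpd enforces login.access or /etc/ftpusers itself, but nothing in the file says so. Either add `account required pam_login_access.so` between the nologin and unix lines to match the other network services, or add a comment explaining why ftpd is exempt.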
diff --git a/lib/libpam/pam.d/imap b/lib/libpam/pam.d/imap
new file mode 100644
index 000000000000..2d5efd0ab72a
--- /dev/null
+++ b/lib/libpam/pam.d/imap
@@ -0,0 +1,14 @@
+#
+# $FreeBSD$
+#
+# PAM configuration for the "imap" service
+#
+
+# auth
+#auth sufficient pam_krb5.so no_warn try_first_pass
+#auth sufficient pam_ssh.so no_warn try_first_pass
+auth required pam_unix.so no_warn try_first_pass
+
+# account
+#account required pam_nologin.so
+account required pam_unix.so
diff --git a/lib/libpam/pam.d/login b/lib/libpam/pam.d/login
new file mode 100644
index 000000000000..287036d43f59
--- /dev/null
+++ b/lib/libpam/pam.d/login
@@ -0,0 +1,20 @@
+#
+# $FreeBSD$
+#
+# PAM configuration for the "login" service
+#
+
+# auth
+auth sufficient pam_self.so no_warn
+auth include system
+
+# account
+account requisite pam_securetty.so
+account required pam_nologin.so
+account include system
+
+# session
+session include system
+
+# password
+password include system
diff --git a/lib/libpam/pam.d/other b/lib/libpam/pam.d/other
new file mode 100644
index 000000000000..110aa00e74df
--- /dev/null
+++ b/lib/libpam/pam.d/other
@@ -0,0 +1,25 @@
+#
+# $FreeBSD$
+#
+# PAM configuration for the "other" service
+#
+
+# auth
+auth sufficient pam_opie.so no_warn no_fake_prompts
+auth requisite pam_opieaccess.so no_warn allow_local
+#auth sufficient pam_krb5.so no_warn try_first_pass
+#auth sufficient pam_ssh.so no_warn try_first_pass
+auth required pam_unix.so no_warn try_first_pass
+
+# account
+account required pam_nologin.so
+#account required pam_krb5.so
+account required pam_login_access.so
+account required pam_unix.so
+
+# session
+#session optional pam_ssh.so want_agent
+session required pam_permit.so
+
+# password
+password required pam_permit.so
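Review bot: Ending the fallback policy with `password required pam_permit.so` means any service that has no file of its own and calls pam_chauthtok() is told the change succeeded although no authentication token was updated; the xdm policy in this same commit uses `password required pam_deny.so` for exactly that case, and the README's advice about closing a chain with pam_deny points the same way. The practical symptom is an application reporting "password changed" while the old password stays valid, which is worse than an honest failure. Unless some consumer of the default chain is known to rely on a no-op success, `password required pam_deny.so` is the safer default here; if the permissive behaviour is intentional, a one-line comment saying why would stop it being "fixed" later.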
diff --git a/lib/libpam/pam.d/passwd b/lib/libpam/pam.d/passwd
new file mode 100644
index 000000000000..e65508326ab2
--- /dev/null
+++ b/lib/libpam/pam.d/passwd
@@ -0,0 +1,11 @@
+#
+# $FreeBSD$
+#
+# PAM configuration for the "passwd" service
+#
+
+# passwd(1) does not use the auth, account or session services.
+
+# password
+#password requisite pam_passwdqc.so enforce=users
+password required pam_unix.so no_warn try_first_pass nullok
diff --git a/lib/libpam/pam.d/pop3 b/lib/libpam/pam.d/pop3
new file mode 100644
index 000000000000..c59e39b8bfaa
--- /dev/null
+++ b/lib/libpam/pam.d/pop3
@@ -0,0 +1,14 @@
+#
+# $FreeBSD$
+#
+# PAM configuration for the "pop3" service
+#
+
+# auth
+#auth sufficient pam_krb5.so no_warn try_first_pass
+#auth sufficient pam_ssh.so no_warn try_first_pass
+auth required pam_unix.so no_warn try_first_pass
+
+# account
+#account required pam_nologin.so
+account required pam_unix.so
diff --git a/lib/libpam/pam.d/sshd b/lib/libpam/pam.d/sshd
new file mode 100644
index 000000000000..b4707c009f49
--- /dev/null
+++ b/lib/libpam/pam.d/sshd
@@ -0,0 +1,26 @@
+#
+# $FreeBSD$
+#
+# PAM configuration for the "sshd" service
+#
+
+# auth
+auth sufficient pam_opie.so no_warn no_fake_prompts
+auth requisite pam_opieaccess.so no_warn allow_local
+#auth sufficient pam_krb5.so no_warn try_first_pass
+#auth sufficient pam_ssh.so no_warn try_first_pass
+auth required pam_unix.so no_warn try_first_pass
+
+# account
+account required pam_nologin.so
+#account required pam_krb5.so
+account required pam_login_access.so
+account required pam_unix.so
+
+# session
+#session optional pam_ssh.so want_agent
+session required pam_permit.so
+
+# password
+#password sufficient pam_krb5.so no_warn try_first_pass
+password required pam_unix.so no_warn try_first_pass
diff --git a/lib/libpam/pam.d/su b/lib/libpam/pam.d/su
new file mode 100644
index 000000000000..88ce8b0ab4f1
--- /dev/null
+++ b/lib/libpam/pam.d/su
@@ -0,0 +1,17 @@
+#
+# $FreeBSD$
+#
+# PAM configuration for the "su" service
+#
+
+# auth
+auth sufficient pam_rootok.so no_warn
+auth sufficient pam_self.so no_warn
+auth requisite pam_group.so no_warn group=wheel root_only fail_safe ruser
+auth include system
+
+# account
+account include system
+
+# session
+session required pam_permit.so
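Review bot: The wheel restriction on the `pam_group.so` line depends on four options whose interaction is not obvious from the file, and there is no comment explaining it: `root_only` limits the check to su-to-root, `ruser` makes the module look at the invoking user's group membership rather than the target's, and `fail_safe` (as I read pam_group(8), please confirm) makes the check succeed when the wheel group is missing or empty, so deleting or emptying wheel silently removes the restriction rather than locking root out. Since `requisite` means a failure here stops the chain before `include system` runs, this line is the whole of the policy for who may even attempt a root password. A comment above it such as `# Only members of wheel may su to root; fail_safe skips the check if wheel is absent or empty` would make the trade-off visible to whoever edits this next.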
diff --git a/lib/libpam/pam.d/system b/lib/libpam/pam.d/system
new file mode 100644
index 000000000000..b8b7101e6b85
--- /dev/null
+++ b/lib/libpam/pam.d/system
@@ -0,0 +1,25 @@
+#
+# $FreeBSD$
+#
+# System-wide defaults
+#
+
+# auth
+auth sufficient pam_opie.so no_warn no_fake_prompts
+auth requisite pam_opieaccess.so no_warn allow_local
+#auth sufficient pam_krb5.so no_warn try_first_pass
+#auth sufficient pam_ssh.so no_warn try_first_pass
+auth required pam_unix.so no_warn try_first_pass nullok
+
+# account
+#account required pam_krb5.so
+account required pam_login_access.so
+account required pam_unix.so
+
+# session
+#session optional pam_ssh.so want_agent
+session required pam_lastlog.so no_fail
+
+# password
+#password sufficient pam_krb5.so no_warn try_first_pass
+password required pam_unix.so no_warn try_first_pass
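Review bot: The auth line `auth required pam_unix.so no_warn try_first_pass nullok` is the only place in this commit where nullok appears outside passwd: login and su include this chain, while sshd, other, ftpd, telnetd, imap, pop3 and xdm each carry their own pam_unix line without it. That split looks deliberate (accounts with an empty password field may log in at the console but not over the network), but nothing in the file records it, and "system" reads as the policy every other file should include. A comment on that line, for example `# nullok: empty-password accounts authenticate without a prompt; keep this chain out of network-facing services`, would keep a future edit from adding `include system` to sshd or other and quietly widening the exposure.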
diff --git a/lib/libpam/pam.d/telnetd b/lib/libpam/pam.d/telnetd
new file mode 100644
index 000000000000..fb2f523d4ad1
--- /dev/null
+++ b/lib/libpam/pam.d/telnetd
@@ -0,0 +1,26 @@
+#
+# $FreeBSD$
+#
+# PAM configuration for the "telnetd" service
+#
+
+# auth
+auth sufficient pam_opie.so no_warn no_fake_prompts
+auth requisite pam_opieaccess.so no_warn allow_local
+#auth sufficient pam_krb5.so no_warn try_first_pass
+#auth sufficient pam_ssh.so no_warn try_first_pass
+auth required pam_unix.so no_warn try_first_pass
+
+# account
+account required pam_nologin.so
+#account required pam_krb5.so
+account required pam_login_access.so
+account required pam_unix.so
+
+# session
+#session optional pam_ssh.so want_agent
+session required pam_lastlog.so no_fail
+
+# password
+#password sufficient pam_krb5.so no_warn try_first_pass
+password required pam_unix.so no_warn try_first_pass
diff --git a/lib/libpam/pam.d/xdm b/lib/libpam/pam.d/xdm
new file mode 100644
index 000000000000..2a7db08053f4
--- /dev/null
+++ b/lib/libpam/pam.d/xdm
@@ -0,0 +1,22 @@
+#
+# $FreeBSD$
+#
+# PAM configuration for the "xdm" service
+#
+
+# auth
+#auth sufficient pam_krb5.so no_warn try_first_pass
+#auth sufficient pam_ssh.so no_warn try_first_pass
+auth required pam_unix.so no_warn try_first_pass
+
+# account
+account required pam_nologin.so
+#account required pam_krb5.so
+account required pam_unix.so
+
+# session
+#session required pam_ssh.so want_agent
+session required pam_lastlog.so no_fail
+
+# password
+password required pam_deny.so
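Review bot: The account chain is missing `account required pam_login_access.so`, which other, sshd, telnetd and system in this commit all include between pam_nologin and pam_unix, so /etc/login.access rules would not constrain logins through the display manager. xdm is a local console service, so this may be intended, but it is also the only one of the login-style policies that differs, and login itself picks the module up via `include system`. Adding `account required pam_login_access.so` after the nologin line would make the policy consistent; if the omission is deliberate, a comment saying so avoids the question coming up again. The `password required pam_deny.so` at the end is the right call for a service that should never change tokens.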