aboutsummaryrefslogtreecommitdiff
path: root/etc/pam.d
Commit message (Collapse)AuthorAgeFilesLines
* Create a rcmds package.Glen Barber2016-01-211-1/+8
| | | | | | | Sponsored by: The FreeBSD Foundation Notes: svn path=/projects/release-pkg/; revision=294517
* Append the FILESGROUP rather than overritingBaptiste Daroussin2015-03-151-1/+1
| | | | Notes: svn path=/projects/release-pkg/; revision=280032
* Make at(1) and related tools an individual packageBaptiste Daroussin2015-03-051-1/+7
| | | | Notes: svn path=/projects/release-pkg/; revision=279662
* Honor MK_ACCT with etc/pam.d/atrunEnji Cooper2015-01-261-1/+6
| | | | | | | | MFC after: 2 weeks Sponsored by: EMC / Isilon Storage Division Notes: svn path=/head/; revision=277737
* Fix xref, pam(8) -> pam(3)Gavin Atkinson2014-08-261-1/+1
| | | | | | | | | PR: 193045 Submitted by: rsimmons0 gmail com MFC after: 3 days Notes: svn path=/head/; revision=270677
* - FreeBSD ships a KDE PAM module in base, but it's missing support for ↵Martin Wilke2012-05-302-20/+0
| | | | | | | | | | | | | | passwordless login (kde-np), and it doesn't really belong in base system. PR: misc/167261 Submitted by: avilla@ Approved by: rwatson (mentor) MFC after: 3 days Notes: svn path=/head/; revision=236281
* Forgot to commit this change along with r219563: pam_group(8) now issuesDag-Erling Smørgrav2011-03-151-1/+1
| | | | | | | | | | a warning if neither luser nor ruser is specified. The correct option for su(1) is ruser. MFC after: 1 month Notes: svn path=/head/; revision=219663
* tabifyDag-Erling Smørgrav2009-10-057-14/+14
| | | | | | | MFC after: 3 weeks Notes: svn path=/head/; revision=197769
* Change the pam_ssh examples: if you use it, you probably want want_agent.Dag-Erling Smørgrav2009-10-055-5/+5
| | | | | | | MFC after: 3 weeks Notes: svn path=/head/; revision=197768
* Remove gdm as it is no longer needed.Joe Marcus Clarke2009-07-181-1/+0
| | | | | | | | Approved by: re (kib) Reminded by: nork Notes: svn path=/head/; revision=195753
* Remove this file. It is no longer needed as x11/gdm provides its ownJoe Marcus Clarke2009-07-181-19/+0
| | | | | | | | | version under /usr/local/etc/pam.d. Approved by: re (kib) Notes: svn path=/head/; revision=195750
* Add PAM support to cron(8). Now cron(8) will skip commands scheduledYaroslav Tykhiy2007-06-172-0/+10
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | by unavailable accounts, e.g., those locked, expired, not allowed in at the moment by nologin(5), or whatever, depending on cron's pam.conf(5). This applies to personal crontabs only, /etc/crontab is unaffected. In other words, now the account management policy will apply to commands scheduled by users via crontab(1) so that a user can no longer use cron(8) to set up a delayed backdoor and run commands during periods when the admin doesn't want him to. The PAM check is done just before running a command, not when loading a crontab, because accounts can get locked, expired, and re-enabled any time with no changes to their crontabs. E.g., imagine that you provide a system with payed access, or better a cluster of such systems with centralized account management via PAM. When a user pays for some days of access, you set his expire field respectively. If the account expires before its owner pays more, its crontab commands won't run until the next payment is made. Then it'll be enough to set the expire field in future for the commands to run again. And so on. Document this change in the cron(8) manpage, which includes adding a FILES section and touching the document date. X-Security: should benefit as users have access to cron(8) by default Notes: svn path=/head/; revision=170890
* Add PAM support to atrun(8).Yaroslav Tykhiy2007-06-152-0/+11
| | | | Notes: svn path=/head/; revision=170773
* Locked out and expired accounts shouldn't be accessible via remoteYaroslav Tykhiy2007-06-152-0/+2
| | | | | | | | mailbox protocols. Add pam_unix to the `account' function class, too, for imap and pop3 to actually implement this policy. Notes: svn path=/head/; revision=170771
* Split the FILES list across multiple lines as in rc.d/MakefileYaroslav Tykhiy2007-06-151-2/+14
| | | | | | | | so that the change history stays easily readable as the number of PAM-aware services grows. Notes: svn path=/head/; revision=170770
* Now pam_nologin(8) will provide an account management functionYaroslav Tykhiy2007-06-1011-11/+15
| | | | | | | | | | | | | | | | | | | | | | | | | | instead of an authentication function. There are a design reason and a practical reason for that. First, the module belongs in account management because it checks availability of the account and does no authentication. Second, there are existing and potential PAM consumers that skip PAM authentication for good or for bad. E.g., sshd(8) just prefers internal routines for public key auth; OTOH, cron(8) and atrun(8) do implicit authentication when running a job on behalf of its owner, so their inability to use PAM auth is fundamental, but they can benefit from PAM account management. Document this change in the manpage. Modify /etc/pam.d files accordingly, so that pam_nologin.so is listed under the "account" function class. Bump __FreeBSD_version (mostly for ports, as this change should be invisible to C code outside pam_nologin.) PR: bin/112574 Approved by: des, re Notes: svn path=/head/; revision=170510
* Remove rexecd(8), a server that implements a particularly insecureJacques Vidrine2005-06-102-20/+1
| | | | | | | | | | method of executing commands remotely. There are no rexec clients in the FreeBSD tree, and the client function rexec(3) is present only in libcompat. It has been documented as "obsolete" since 4.3BSD, and its use has been discouraged in the man page for over 10 years. Notes: svn path=/head/; revision=147270
* X logins should be recorded in lastlog / wtmp / utmp. I have no idea whyDag-Erling Smørgrav2005-04-281-1/+1
| | | | | | | | | this wasn't there already... it makes much more sense this way. MFC after: 2 weeks Notes: svn path=/head/; revision=145613
* Start the dreaded NOFOO -> NO_FOO conversion.Ruslan Ermilov2004-12-211-1/+1
| | | | | | | OK'ed by: core Notes: svn path=/head/; revision=139103
* For variables that are only checked with defined(), don't provideRuslan Ermilov2004-10-241-1/+1
| | | | | | | any fake value. Notes: svn path=/head/; revision=136910
* Removed whitespace at BOF, EOL & EOF.Jens Schweikhardt2004-06-062-6/+6
| | | | Notes: svn path=/head/; revision=130151
* the default password policy for xdm should be pam_deny, since it isDag-Erling Smørgrav2004-02-201-0/+3
| | | | | | | incapable of holding a meaningful conversation. Notes: svn path=/head/; revision=126056
* Don't do session management in su.Dag-Erling Smørgrav2003-07-091-1/+1
| | | | | | | | PR: misc/53293 Submitted by: ru Notes: svn path=/head/; revision=117360
* Add a system policy, and have the login and su policies include it ratherDag-Erling Smørgrav2003-06-144-23/+35
| | | | | | | | | than duplicate it. This requires OpenPAM Dianthus, which was committed two weeks ago; installing these files on a system running a world older than June 1st, 2003 will cause login(1) and su(1) to fail. Notes: svn path=/head/; revision=116331
* Try to describe the control flags a little better.Dag-Erling Smørgrav2003-06-011-2/+4
| | | | Notes: svn path=/head/; revision=115584
* The PAM module pam_krb5 does not have "session" capabilities.Mark Murray2003-04-309-9/+0
| | | | | | | Don't give examples of such use, this is bogus. Notes: svn path=/head/; revision=114337
* Add nullok to the pam_unix line.Dag-Erling Smørgrav2003-04-241-1/+1
| | | | Notes: svn path=/head/; revision=113967
* Use the canonical form of installing links.Ruslan Ermilov2003-03-141-3/+1
| | | | | | | | | Also, make "ftp" and "ftpd" hard links. Not objected to by: des Notes: svn path=/head/; revision=112230
* Initiate KerberosIV de-orbit burn. Disconnect the /etc configs.Mark Murray2003-03-0811-32/+0
| | | | Notes: svn path=/head/; revision=111982
* Add the allow_local option to all pam_opieaccess entries.Dag-Erling Smørgrav2003-02-166-6/+6
| | | | Notes: svn path=/head/; revision=110993
* Add the want_agent option to the commented-out "session" pam_ssh entry.Dag-Erling Smørgrav2003-02-161-1/+1
| | | | Notes: svn path=/head/; revision=110992
* Major cleanup & homogenization.Dag-Erling Smørgrav2003-02-1014-131/+150
| | | | Notes: svn path=/head/; revision=110608
* No idea what this is for, and it doesn't make much sense. If a port needsDag-Erling Smørgrav2003-02-101-8/+0
| | | | | | | it, it can install its own copy in /usr/local/etc/pam.d/. Notes: svn path=/head/; revision=110607
* There's no reason to have two identical policies for FTP servers, soDag-Erling Smørgrav2003-02-102-26/+5
| | | | | | | make ftp a symlink to ftpd. Notes: svn path=/head/; revision=110606
* Use pam_group(8) instead of pam_wheel(8).Dag-Erling Smørgrav2003-02-061-1/+1
| | | | Notes: svn path=/head/; revision=110457
* Don't enable pam_krb5 by default - most people don't have it since mostDag-Erling Smørgrav2003-02-031-2/+2
| | | | | | | | | | people don't build with MAKE_KERBEROS5 defined. Provide commented-out usage examples instead, like we do everywhere else. Pointy hat to: des Notes: svn path=/head/; revision=110284
* Enable pam_krb5 for sshd. I've had this in my tree for ages.Dag-Erling Smørgrav2003-02-021-0/+2
| | | | Notes: svn path=/head/; revision=110239
* Since OpenSSH drops privileges before calling pam_open_session(3),Dag-Erling Smørgrav2002-12-031-1/+1
| | | | | | | | | pam_lastlog(8) can't possibly work, so let OpenSSH handle lastlog. Approved by: re (rwatson) Notes: svn path=/head/; revision=107553
* Exempt the "wheel group requirement" by default when su'ing to root ifRobert Watson2002-10-181-1/+1
| | | | | | | | | | | | | the wheel group has no explicit members listed in /etc/group. This adds the "exempt_if_empty" flag to pam_wheel in the default configuration; in some environments, it may be appropriate to remove this flag, however, this default is the same as pre-pam_wheel. Reviewed by: markm Sponsored by: DARPA, Network Associates Laboratories Notes: svn path=/head/; revision=105374
* Silence pam_lastlog for now.Dag-Erling Smørgrav2002-07-071-1/+1
| | | | Notes: svn path=/head/; revision=99523
* We don't use this any more.Dag-Erling Smørgrav2002-06-192-10/+1
| | | | | | | Sponsored by: DARPA, NAI Labs Notes: svn path=/head/; revision=98448
* Enable OPIE for sshd and telnetd. I thought I'd done this a long timeDag-Erling Smørgrav2002-06-192-0/+4
| | | | | | | | | ago... Sponsored by: DARPA, NAI Labs Notes: svn path=/head/; revision=98447
* Use pam_lastlog(8)'s new no_fail option.Dag-Erling Smørgrav2002-05-083-3/+3
| | | | | | | Sponsored by: DARPA, NAI Labs Notes: svn path=/head/; revision=96193
* Add a PAM policy for rexecd(8).Dag-Erling Smørgrav2002-05-022-1/+17
| | | | | | | Sponsored by: DARPA, NAI Labs Notes: svn path=/head/; revision=95914
* xdm plays horrid tricks with PAM, and dumps core if it's allowed to callDag-Erling Smørgrav2002-05-022-0/+2
| | | | | | | | | | | pam_lastlog, so add a dummy session chain to avoid using the one from pam.d/other. I assume gdm does something similar, so give it a dummy session chain as well. Sponsored by: DARPA, NAI Labs. Notes: svn path=/head/; revision=95912
* Add no_warn to pam_lastlog. This should prevent xdm from dumping coreDag-Erling Smørgrav2002-04-291-1/+1
| | | | | | | when linked with Linux-PAM. Notes: svn path=/head/; revision=95729
* Don't list pam_unix in the session chain, since it does not provide anyDag-Erling Smørgrav2002-04-189-11/+1
| | | | | | | | | session management services. Sponsored by: DARPA, NAI Labs Notes: svn path=/head/; revision=95006
* Fixed bugs in previous revision:Ruslan Ermilov2002-04-181-20/+6
| | | | | | | | | | | | | | | | Added NOOBJ if anyone even attempts to "make obj" here. Revert to installing files with mode 644 except README. Make this overall look like a BSD-style Makefile rather than roll-your-own (this is not a bug). For the record. Previous revision also fixed the breakage introduced by the sys.mk,v 1.60 commit: bsd.own.mk is no longer automatically included from sys.mk. Reported by: jhay Notes: svn path=/head/; revision=94989
* Use ${FILES} and <bsd.prog.mk> rather than roll-your-own.Dag-Erling Smørgrav2002-04-181-22/+21
| | | | Notes: svn path=/head/; revision=94988
* Add PAM policy for the "passwd" service, including a sample config lineDag-Erling Smørgrav2002-04-152-0/+12
| | | | | | | | | for pam_passwdqc. Sponsored by: DARPA, NAI Labs Notes: svn path=/head/; revision=94718
generated by cgit v1.2.3 (git 2.25.1) at 2024-09-21 11:56:52 +0000