path: root/lib/libpam
Commit message | Author | Age | Files | Lines
* openssh: update to OpenSSH v8.7p1 | Ed Maste | 13 days | 1 | -1/+1
    Some notable changes, from upstream's release notes:

    - sshd(8): Remove support for obsolete "host/port" syntax.
    - ssh(1): When prompting whether to record a new host key, accept the key fingerprint as a synonym for "yes".
    - ssh-keygen(1): when acting as a CA and signing certificates with an RSA key, default to using the rsa-sha2-512 signature algorithm.
    - ssh(1), sshd(8), ssh-keygen(1): this release removes the "ssh-rsa" (RSA/SHA1) algorithm from those accepted for certificate signatures.
    - ssh-sk-helper(8): this is a new binary. It is used by the FIDO/U2F support to provide address-space isolation for token middleware libraries (including the internal one).
    - ssh(1): this release enables UpdateHostkeys by default subject to some conservative preconditions.
    - scp(1): this release changes the behaviour of remote to remote copies (e.g. "scp host-a:/path host-b:") to transfer through the local host by default.
    - scp(1): experimental support for transfers using the SFTP protocol as a replacement for the venerable SCP/RCP protocol that it has traditionally used.

    Additional integration work is needed to support FIDO/U2F in the base system.

    Deprecation Notice
    ------------------

    OpenSSH will disable the ssh-rsa signature scheme by default in the next release.

    Reviewed by: imp
    MFC after: 1 month
    Relnotes: Yes
    Sponsored by: The FreeBSD Foundation
    Differential Revision: https://reviews.freebsd.org/D29985
* pkgbase: Create a FreeBSD-ftp package | Emmanuel Vadot | 14 days | 1 | -0/+1
    ftp tools aren't that useful nowadays but some might want them. Create a FreeBSD-ftp package so users have a choice to have them or not.

    Differential Revision: https://reviews.freebsd.org/D31794
* pkgbase: Create a FreeBSD-kerberos package | Emmanuel Vadot | 14 days | 2 | -0/+4
    This allows users to install or not kerberos related utilities and libs.

    Differential Revision: https://reviews.freebsd.org/D31801
* pkgbase: Create a FreeBSD-telnet package | Emmanuel Vadot | 14 days | 1 | -0/+1
    both telnet and telnetd aren't that useful nowadays but some might want them. Create a FreeBSD-telnet package so users have a choice to have them or not.

    Differential Revision: https://reviews.freebsd.org/D31791
    Reviewed by: emaste
* pam: add option to not prompt for password if it's set to empty | Edward Tomasz Napierala | 2021-04-03 | 3 | -1/+22
    Add a new option to pam_unix(8), "emptyok", which makes it not prompt for password, if it's set to an empty one. It is similar to "nullok", which makes it not prompt for password if the hash itself is empty.

    Reviewed By: markj
    Sponsored By: NetApp, Inc.
    Sponsored By: Klara, Inc.
    Differential Revision: https://reviews.freebsd.org/D27569
* pam_login_access: Fix negative entry matching logic | Mark Johnston | 2021-02-24 | 1 | -3/+3
    PR: 252194
    Approved by: so
    Security: CVE-2020-25580
    Security: FreeBSD-SA-21:03.pam_login_access
* Don't explicitly specify c99 or gnu99 as the default is now gnu99. | Xin LI | 2020-08-17 | 1 | -1/+0
    MFC after: 2 weeks

    Notes: svn path=/head/; revision=364292
* Apply tentative fix for clang 11 warning in pam_exec(8): | Dimitry Andric | 2020-08-06 | 1 | -1/+2
    lib/libpam/modules/pam_exec/pam_exec.c:222:56: error: format specifies type 'char *' but the argument has type 'const void *' [-Werror,-Wformat]
    if (asprintf(&envstr, "%s=%s", pam_item_env[i].name, item) < 0)
    ~~ ^~~~

    Notes: svn path=/projects/clang1100-import/; revision=363986
* pkgbase: Move telnetd and ftpd pam file to the utilities package | Emmanuel Vadot | 2020-03-24 | 1 | -2/+0
    Both programs are in this package so put the pam.d file in there too.

    Reported by: emaste
    Reviewed by: emaste
    Differential Revision: https://reviews.freebsd.org/D24161

    Notes: svn path=/head/; revision=359266
* This commit makes significant changes to pam_login_access(8) to bring it | Cy Schubert | 2020-02-18 | 5 | -72/+160
    up to par with the Linux pam_access(8).

    Like the Linux pam_access(8) our pam_login_access(8) is a service module for pam(3) that allows an administrator to limit access from specified remote hosts or terminals. Unlike the Linux pam_access, pam_login_access is missing some features which are added by this commit:

    Access file can now be specified. The default remains /etc/access.conf. The syntax is consistent with Linux pam_access.

    By default usernames are matched. If the username fails to match a match against a group name is attempted. The new nodefgroup module option will only match a username and no attempt to match a group name is made. Group names must be specified in brackets, "()" when nodefgroup is specified. Otherwise the old backward compatible behavior is used. This is consistent with Linux pam_access.

    A new field separator module option allows the replacement of the default colon (:) with any other character. This facilitates potential future specification of X displays. This is also consistent with Linux pam_access.

    A new list separator module option to replace the default space/comma/tab with another character. This too is consistent with Linux pam_access.

    Linux pam_access options not implemented in this commit are the debug and audit options. These will be implemented at a later date.

    Reviewed by: bjk, bcr (for manpages)
    Approved by: des (blanket, implicit)
    MFC after: 1 month
    Differential Revision: https://reviews.freebsd.org/D23198

    Notes: svn path=/head/; revision=358070
* strchr() returns a pointer not an int. | Cy Schubert | 2020-02-18 | 1 | -1/+1
    Reported by: bjk
    Approved by: des (blanket, implicit)
    MFC after: 3 days

    Notes: svn path=/head/; revision=358069
* Add missing SYNOPSIS section. | Cy Schubert | 2020-02-18 | 1 | -1/+3
    Reported by: ports/textproc/igor
    MFC after: 3 days

    Notes: svn path=/head/; revision=358068
* There is no pam(8) man page, it is pam(3). | Cy Schubert | 2020-02-18 | 1 | -2/+2
    Approved by: des (implicit, blanket)
    MFC after: 3 days

    Notes: svn path=/head/; revision=358067
* When pam_login_access(5) fails to match a username it attempts to | Cy Schubert | 2020-02-18 | 1 | -3/+35
    match the primary group a user belongs to. This commit extends the match to secondary groups a user belongs to as well, just as the Linux pam_access(5) does.

    Approved by: des (implicit, blanket)

    Notes: svn path=/head/; revision=358066
* The words ALL, LOCAL, and EXCEPT have special meaning and are documented | Cy Schubert | 2020-02-18 | 1 | -4/+4
    as in the login.access(5) man page. However strcasecmp() is used to compare for these special strings. Because of this User accounts and groups with the corresponding lowercase names are misinterpreted to have special whereas they should not. This commit fixes this, conforming to the man page and to how the Linux pam_access(8) handles these special words.

    Approved by: des (implicit, blanket)

    Notes: svn path=/head/; revision=358065
* Update Makefile.depend files | Simon J. Gerraty | 2019-12-11 | 2 | -3/+0
    Update a bunch of Makefile.depend files as a result of adding Makefile.depend.options files

    Reviewed by: bdrewery
    MFC after: 1 week
    Sponsored by: Juniper Networks
    Differential Revision: https://reviews.freebsd.org/D22494

    Notes: svn path=/head/; revision=355617
* Add Makefile.depend.options | Simon J. Gerraty | 2019-12-11 | 1 | -0/+8
    Leaf directories that have dependencies impacted by options need a Makefile.depend.options file to avoid churn in Makefile.depend

    DIRDEPS for cases such as OPENSSL, TCP_WRAPPERS etc can be set in local.dirdeps-options.mk which can add to those set in Makefile.depend.options

    See share/mk/dirdeps-options.mk

    Reviewed by: bdrewery
    MFC after: 1 week
    Sponsored by: Juniper Networks
    Differential Revision: https://reviews.freebsd.org/D22469

    Notes: svn path=/head/; revision=355616
* pkgbase: Put a lot of binaries and lib in FreeBSD-runtime | Emmanuel Vadot | 2019-09-05 | 1 | -1/+2
    All of them are needed to be able to boot to single user and be able to repair an existing FreeBSD installation so put them directly into FreeBSD-runtime.

    Reviewed by: bapt, gjb
    Differential Revision: https://reviews.freebsd.org/D21503

    Notes: svn path=/head/; revision=351855
* Changes to the expose_password functionality: | Dag-Erling Smørgrav | 2019-06-30 | 2 | -7/+24
    - Implement use_first_pass, allowing expose_password to be used by other service functions than pam_auth() without prompting a second time.
    - Don't prompt for a password during pam_setcred().

    PR: 238041
    MFC after: 3 weeks

    Notes: svn path=/head/; revision=349556
* Improve the legibility of the login.access.5 man page by separating | Cy Schubert | 2019-05-07 | 1 | -1/+3
    each argument into its own paragraph.

    MFC after: 3 days

    Notes: svn path=/head/; revision=347234
* Really fix pam install. Don't commit late at night or you make simple mistakes. | Brad Davis | 2018-09-13 | 1 | -1/+1
    Reported by: dumbbell
    Approved by: re (gjb), will (mentor)

    Notes: svn path=/head/; revision=338651
* Fix build after r338621 by avoiding LINKS and installing the link manually. | Brad Davis | 2018-09-13 | 1 | -1/+3
    Approved by: re (rgrimes), will (mentor)

    Notes: svn path=/head/; revision=338633
* Move all pam related config to lib/libpam/ | Brad Davis | 2018-09-13 | 17 | -1/+430
    Approved by: re (rgrimes), will (mentor), des
    Differential Revision: https://reviews.freebsd.org/D17122

    Notes: svn path=/head/; revision=338621
* Upgrade to OpenSSH 7.8p1. | Dag-Erling Smørgrav | 2018-09-10 | 1 | -15/+14
    Approved by: re (kib@)

    Notes: svn path=/head/; revision=338561
* For full Linux-PAM compatibility, add a trailing NUL character when | Dag-Erling Smørgrav | 2018-09-04 | 2 | -2/+4
    passing the authentication token to the external program.

    Approved by: re (kib)
    Submitted by: Thomas Munro <munro@ip9.org>
    MFC after: 1 week
    Differential Revision: D16950

    Notes: svn path=/head/; revision=338453
* Add support for Linux-PAM's badly named expose_authtok option. | Dag-Erling Smørgrav | 2018-08-14 | 2 | -9/+77
    Submitted by: Thomas Munro <munro@ip9.org>
    MFC after: 1 week
    Differential Revision: D16171

    Notes: svn path=/head/; revision=337732
* Don't use CCACHE for linking. | Bryan Drewery | 2018-06-27 | 1 | -1/+2
    MFC after: 2 weeks
    Sponsored by: Dell EMC

    Notes: svn path=/head/; revision=335733
* Forward Reply-Message attributes to the user, unless suppressed by the | Dag-Erling Smørgrav | 2018-05-16 | 2 | -15/+78
    new no_reply_message option.

    MFC after: 1 week
    Sponsored by: The University of Oslo

    Notes: svn path=/head/; revision=333674
* Upgrade to OpenSSH 7.7p1. | Dag-Erling Smørgrav | 2018-05-11 | 1 | -1/+1
    Notes: svn path=/head/; revision=333490
* lib: further adoption of SPDX licensing ID tags. | Pedro F. Giffuni | 2017-11-26 | 23 | -0/+46
    Mainly focus on files that use BSD 2-Clause license, however the tool I was using mis-identified many licenses so this was mostly a manual - error prone - task.

    The Software Package Data Exchange (SPDX) group provides a specification to make it easier for automated tools to detect and summarize well known opensource licenses. We are gradually adopting the specification, noting that the tags are considered only advisory and do not, in any way, supersede or replace the license texts.

    Notes: svn path=/head/; revision=326219
* General further adoption of SPDX licensing ID tags. | Pedro F. Giffuni | 2017-11-20 | 1 | -0/+2
    Mainly focus on files that use BSD 3-Clause license.

    The Software Package Data Exchange (SPDX) group provides a specification to make it easier for automated tools to detect and summarize well known opensource licenses. We are gradually adopting the specification, noting that the tags are considered only advisory and do not, in any way, supersede or replace the license texts.

    Special thanks to Wind River for providing access to "The Duke of Highlander" tool: an older (2014) run over FreeBSD tree was useful as a starting point.

    Notes: svn path=/head/; revision=326025
* DIRDEPS_BUILD: Update dependencies. | Bryan Drewery | 2017-10-31 | 25 | -25/+0
    Sponsored by: Dell EMC Isilon

    Notes: svn path=/head/; revision=325188
* If the user-provided password exceeds the maximum password length, don't | Dag-Erling Smørgrav | 2017-10-26 | 1 | -0/+5
    bother passing it to crypt(). It won't succeed and may allow an attacker to confirm that the user exists.

    Reported by: jkim@
    MFC after: 1 week
    Security: CVE-2016-6210

    Notes: svn path=/head/; revision=325010
* Add options to capture stdout and / or stderr and pass the output on | Dag-Erling Smørgrav | 2017-03-22 | 2 | -114/+244
    to the user. There is currently no buffering, so the result may be somewhat unpredictable if the conversation function adds a newline, like openpam_ttyconv() does.

    Clean up and simplify the environment handling code, which triggered an inexplicable bug on some systems.

    MFC after: 2 weeks

    Notes: svn path=/head/; revision=315710
* Revert r314780 | Pedro F. Giffuni | 2017-03-12 | 1 | -1/+1
    libpam: extra bounds checking through reallocarray(3).

    It appears to be causing brokenness when reporting PAM_* environment variables. This requires more investigation.

    Reported by: lstewart

    Notes: svn path=/head/; revision=315164
* Use LDFLAGS rather than CFLAGS when linking. | Brooks Davis | 2017-03-08 | 1 | -1/+1
    Reviewed by: kan
    Obtained from: CheriBSD
    Sponsored by: DARPA, AFRL
    Differential Revision: https://reviews.freebsd.org/D9882

    Notes: svn path=/head/; revision=314901
* libpam: extra bounds checking through reallocarray(3). | Pedro F. Giffuni | 2017-03-06 | 1 | -1/+1
    Reviewed by: des
    MFC after: 1 week

    Notes: svn path=/head/; revision=314780
* Revert r314777: wrong log, the change was to libpam. | Pedro F. Giffuni | 2017-03-06 | 1 | -1/+1
    Notes: svn path=/head/; revision=314779
* libfetch: extra bounds checking through reallocarray(3). | Pedro F. Giffuni | 2017-03-06 | 1 | -1/+1
    Reviewed by: des
    MFC after: 1 week

    Notes: svn path=/head/; revision=314777
* Load default options before requesting a ticket. | Dag-Erling Smørgrav | 2017-03-03 | 1 | -0/+2
    PR: 213909
    Reported by: basarevych@gmail.com
    MFC after: 1 week

    Notes: svn path=/head/; revision=314598
* Upgrade to OpenPAM Radula. | Dag-Erling Smørgrav | 2017-02-20 | 3 | -41/+0
|\
    Notes: svn path=/head/; revision=313975
| * Vendor import of OpenPAM Radula. (tag: vendor/openpam/RADULA) | Dag-Erling Smørgrav | 2017-02-19 | 26 | -126/+150
    Notes: svn path=/vendor/openpam/dist/; revision=313968
    svn path=/vendor/openpam/RADULA/; revision=313969; tag=vendor/openpam/RADULA
| * Merge upstream r825: fix line continuation in whitespace | Dag-Erling Smørgrav | 2014-10-18 | 1 | -8/+24
    Notes: svn path=/vendor/openpam/dist/; revision=273269
* | Use SRCTOP-relative paths to other directories instead of .CURDIR-relative ones | Enji Cooper | 2017-01-20 | 2 | -3/+3
    This simplifies pathing in make/displayed output

    MFC after: 3 weeks
    Sponsored by: Dell EMC Isilon

    Notes: svn path=/head/; revision=312453
* | Use SRCTOP-relative paths to other directories instead of .CURDIR-relative ones | Enji Cooper | 2017-01-20 | 3 | -4/+4
    This simplifies pathing in make/displayed output

    MFC after: 3 weeks
    Sponsored by: Dell EMC Isilon

    Notes: svn path=/head/; revision=312452
* | Use compiler driver to build relocatable object | Alexander Kabaev | 2016-12-29 | 1 | -1/+1
    This works better with external toolchains where LD will not necessarily default to emulation we want. Compiler driver knows better.

    Notes: svn path=/head/; revision=310789
* | Remove support for SSH1 as it is already disabled in our OpenSSH. | Ollivier Robert | 2016-08-22 | 2 | -4/+1
    Submitted by: vangyzen
    MFC after: 2 weeks

    Notes: svn path=/head/; revision=304635
* | Add support for Ed25519 keys. | Ollivier Robert | 2016-08-22 | 2 | -0/+3
    Reported by: mwlucas
    MFH: 2 weeks

    Notes: svn path=/head/; revision=304626
* | DIRDEPS_BUILD: Update dependencies | Bryan Drewery | 2016-06-14 | 1 | -1/+0
    Approved by: re (gjb)
    Sponsored by: EMC / Isilon Storage Division

    Notes: svn path=/head/; revision=301891
* | Replace _pam_verbose_error() with a macro. This was the last difference | Dag-Erling Smørgrav | 2016-06-08 | 4 | -74/+9
    between our libpam and stock OpenPAM, meaning that it is now possible to replace the base libpam with a hypothetical ports version of OpenPAM.

    Notes: svn path=/head/; revision=301602