diff options
author | Brad Davis <brd@FreeBSD.org> | 2018-09-13 04:08:48 +0000 |
---|---|---|
committer | Brad Davis <brd@FreeBSD.org> | 2018-09-13 04:08:48 +0000 |
commit | 219cf81b4d9fb7b1651a9e4b85ba77aa92f99fd3 (patch) | |
tree | 3d4228d75b4f0ed7847af2e7f28e4f9d68e10ac0 /lib | |
parent | 19b4f0dca0cf914fa9a60c824f5dfe6be962c703 (diff) | |
download | src-test2-219cf81b4d9fb7b1651a9e4b85ba77aa92f99fd3.tar.gz src-test2-219cf81b4d9fb7b1651a9e4b85ba77aa92f99fd3.zip |
Notes
Diffstat (limited to 'lib')
-rw-r--r-- | lib/libpam/Makefile | 2 | ||||
-rw-r--r-- | lib/libpam/pam.d/Makefile | 39 | ||||
-rw-r--r-- | lib/libpam/pam.d/README | 62 | ||||
-rw-r--r-- | lib/libpam/pam.d/atrun | 10 | ||||
-rw-r--r-- | lib/libpam/pam.d/convert.pl | 89 | ||||
-rw-r--r-- | lib/libpam/pam.d/cron | 9 | ||||
-rw-r--r-- | lib/libpam/pam.d/ftpd | 20 | ||||
-rw-r--r-- | lib/libpam/pam.d/imap | 14 | ||||
-rw-r--r-- | lib/libpam/pam.d/login | 20 | ||||
-rw-r--r-- | lib/libpam/pam.d/other | 25 | ||||
-rw-r--r-- | lib/libpam/pam.d/passwd | 11 | ||||
-rw-r--r-- | lib/libpam/pam.d/pop3 | 14 | ||||
-rw-r--r-- | lib/libpam/pam.d/sshd | 26 | ||||
-rw-r--r-- | lib/libpam/pam.d/su | 17 | ||||
-rw-r--r-- | lib/libpam/pam.d/system | 25 | ||||
-rw-r--r-- | lib/libpam/pam.d/telnetd | 26 | ||||
-rw-r--r-- | lib/libpam/pam.d/xdm | 22 |
17 files changed, 430 insertions, 1 deletions
diff --git a/lib/libpam/Makefile b/lib/libpam/Makefile index fa73b95b140d..95d922880813 100644 --- a/lib/libpam/Makefile +++ b/lib/libpam/Makefile @@ -25,7 +25,7 @@ # $FreeBSD$ # The modules link in libpam. They build the static modules as well. -SUBDIR+= libpam modules +SUBDIR+= libpam modules pam.d SUBDIR_DEPEND_modules= libpam SUBDIR+= static_libpam SUBDIR_DEPEND_static_libpam= modules diff --git a/lib/libpam/pam.d/Makefile b/lib/libpam/pam.d/Makefile new file mode 100644 index 000000000000..86aaacfca3c9 --- /dev/null +++ b/lib/libpam/pam.d/Makefile @@ -0,0 +1,39 @@ +# $FreeBSD$ + +.include <src.opts.mk> + +NO_OBJ= + +CONFGROUPS= CONFS +CONFS= README \ + cron \ + imap \ + login \ + other \ + passwd pop3 \ + sshd su system \ + xdm + +CONFDIR= /etc/pam.d +CONFSMODE_README= 444 + +.if ${MK_AT} != "no" +CONFGROUPS+= AT +AT+= atrun +ATPACKAGE+= at +.endif + +.if ${MK_FTP} != "no" +CONFGROUPS+= FTP +FTP+= ftpd +FTPPACKAGE+= ftp +LINKS= ${FILESDIR}/ftpd ${FILESDIR}/ftp +.endif + +.if ${MK_TELNET} != "no" +CONFGROUPS+= TELNET +TELNET+= telnetd +TELNETPACKAGE+= telnet +.endif + +.include <bsd.prog.mk> diff --git a/lib/libpam/pam.d/README b/lib/libpam/pam.d/README new file mode 100644 index 000000000000..2824c054fe85 --- /dev/null +++ b/lib/libpam/pam.d/README @@ -0,0 +1,62 @@ + +This directory contains configuration files for the Pluggable +Authentication Modules (PAM) library. + +Each file details the module chain for a single service, and must be +named after that service. If no configuration file is found for a +particular service, the /etc/pam.d/other is used instead. If that +file does not exist, /etc/pam.conf is searched for entries matching +the specified service or, failing that, the "other" service. + +See the pam(3) manual page for an explanation of the workings of the +PAM library and descriptions of the various files and modules. Below +is a summary of the format for the pam.conf and /etc/pam.d/* files. + +Configuration lines take the following form: + +module-type control-flag module-path arguments + +Comments are introduced with a hash mark ('#'). Blank lines and lines +consisting entirely of comments are ignored. + +The meanings of the different fields are as follows: + + module-type: + auth: prompt for a password to authenticate that the user is + who they say they are, and set any credentials. + account: non-authentication based authorization, based on time, + resources, etc. + session: housekeeping before and/or after login. + password: update authentication tokens. + + control-flag: How libpam handles success or failure of the module. + required: success is required; on failure all remaining + modules are run, but the request will be denied. + requisite: success is required, and on failure no remaining + modules are run. + sufficient: success is sufficient, and if no previous required + module failed, no remaining modules are run. + binding: success is sufficient; on failure all remaining + modules are run, but the request will be denied. + optional: ignored unless the other modules return PAM_IGNORE. + + arguments: Module-specific options, plus some generic ones: + debug: syslog debug info. + no_warn: return no warning messages to the application. + Remove this to feed back to the user the + reason(s) they are being rejected. + use_first_pass: try authentication using password from the + preceding auth module. + try_first_pass: first try authentication using password from + the preceding auth module, and if that fails + prompt for a new password. + use_mapped_pass: convert cleartext password to a crypto key. + expose_account: allow printing more info about the user when + prompting. + +Note that having a "sufficient" module as the last entry for a +particular service and module type may result in surprising behaviour. +To get the intended semantics, add a "required" entry listing the +pam_deny module at the end of the chain. + +$FreeBSD$ diff --git a/lib/libpam/pam.d/atrun b/lib/libpam/pam.d/atrun new file mode 100644 index 000000000000..6829469c9595 --- /dev/null +++ b/lib/libpam/pam.d/atrun @@ -0,0 +1,10 @@ +# +# $FreeBSD$ +# +# PAM configuration for the "atrun" service +# + +# Note well: enabling pam_nologin for atrun will currently result +# in jobs discarded, not just delayed, during a no-login period. +#account required pam_nologin.so +account required pam_unix.so diff --git a/lib/libpam/pam.d/convert.pl b/lib/libpam/pam.d/convert.pl new file mode 100644 index 000000000000..4686387bb79c --- /dev/null +++ b/lib/libpam/pam.d/convert.pl @@ -0,0 +1,89 @@ +#!/usr/bin/perl -w +#- +# SPDX-License-Identifier: BSD-3-Clause +# +# Copyright (c) 2001,2002 Networks Associates Technologies, Inc. +# All rights reserved. +# +# This software was developed for the FreeBSD Project by ThinkSec AS and +# NAI Labs, the Security Research Division of Network Associates, Inc. +# under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the +# DARPA CHATS research program. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# 3. The name of the author may not be used to endorse or promote +# products derived from this software without specific prior written +# permission. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. +# +# $FreeBSD$ +# + +use strict; +use Fcntl; +use vars qw(%SERVICES); + +MAIN:{ + my $line; + my $service; + my $version; + my $type; + local *FILE; + + while (<>) { + chomp(); + s/\s*$//; + next unless m/^(\#*)(\w+)\s+(auth|account|session|password)\s+(\S.*)$/; + $line = $1.$3; + $line .= "\t" x ((16 - length($line) + 7) / 8); + $line .= $4; + push(@{$SERVICES{$2}->{$3}}, $line); + } + + foreach $service (keys(%SERVICES)) { + $version = '$' . 'FreeBSD' . '$'; + if (sysopen(FILE, $service, O_RDONLY)) { + while (<FILE>) { + next unless (m/(\$[F]reeBSD.*?\$)/); + $version = $1; + last; + } + close(FILE); + } + sysopen(FILE, $service, O_RDWR|O_CREAT|O_TRUNC) + or die("$service: $!\n"); + print(FILE "#\n"); + print(FILE "# $version\n"); + print(FILE "#\n"); + print(FILE "# PAM configuration for the \"$service\" service\n"); + print(FILE "#\n"); + foreach $type (qw(auth account session password)) { + next unless exists($SERVICES{$service}->{$type}); + print(FILE "\n"); + print(FILE "# $type\n"); + print(FILE join("\n", @{$SERVICES{$service}->{$type}}, "")); + } + close(FILE); + warn("$service\n"); + } + + exit(0); +} diff --git a/lib/libpam/pam.d/cron b/lib/libpam/pam.d/cron new file mode 100644 index 000000000000..55a3d1048c53 --- /dev/null +++ b/lib/libpam/pam.d/cron @@ -0,0 +1,9 @@ +# +# $FreeBSD$ +# +# PAM configuration for the "cron" service +# + +# account +account required pam_nologin.so +account required pam_unix.so diff --git a/lib/libpam/pam.d/ftpd b/lib/libpam/pam.d/ftpd new file mode 100644 index 000000000000..0d0b0766cc21 --- /dev/null +++ b/lib/libpam/pam.d/ftpd @@ -0,0 +1,20 @@ +# +# $FreeBSD$ +# +# PAM configuration for the "ftpd" service +# + +# auth +auth sufficient pam_opie.so no_warn no_fake_prompts +auth requisite pam_opieaccess.so no_warn allow_local +#auth sufficient pam_krb5.so no_warn +#auth sufficient pam_ssh.so no_warn try_first_pass +auth required pam_unix.so no_warn try_first_pass + +# account +account required pam_nologin.so +#account required pam_krb5.so +account required pam_unix.so + +# session +session required pam_permit.so diff --git a/lib/libpam/pam.d/imap b/lib/libpam/pam.d/imap new file mode 100644 index 000000000000..2d5efd0ab72a --- /dev/null +++ b/lib/libpam/pam.d/imap @@ -0,0 +1,14 @@ +# +# $FreeBSD$ +# +# PAM configuration for the "imap" service +# + +# auth +#auth sufficient pam_krb5.so no_warn try_first_pass +#auth sufficient pam_ssh.so no_warn try_first_pass +auth required pam_unix.so no_warn try_first_pass + +# account +#account required pam_nologin.so +account required pam_unix.so diff --git a/lib/libpam/pam.d/login b/lib/libpam/pam.d/login new file mode 100644 index 000000000000..287036d43f59 --- /dev/null +++ b/lib/libpam/pam.d/login @@ -0,0 +1,20 @@ +# +# $FreeBSD$ +# +# PAM configuration for the "login" service +# + +# auth +auth sufficient pam_self.so no_warn +auth include system + +# account +account requisite pam_securetty.so +account required pam_nologin.so +account include system + +# session +session include system + +# password +password include system diff --git a/lib/libpam/pam.d/other b/lib/libpam/pam.d/other new file mode 100644 index 000000000000..110aa00e74df --- /dev/null +++ b/lib/libpam/pam.d/other @@ -0,0 +1,25 @@ +# +# $FreeBSD$ +# +# PAM configuration for the "other" service +# + +# auth +auth sufficient pam_opie.so no_warn no_fake_prompts +auth requisite pam_opieaccess.so no_warn allow_local +#auth sufficient pam_krb5.so no_warn try_first_pass +#auth sufficient pam_ssh.so no_warn try_first_pass +auth required pam_unix.so no_warn try_first_pass + +# account +account required pam_nologin.so +#account required pam_krb5.so +account required pam_login_access.so +account required pam_unix.so + +# session +#session optional pam_ssh.so want_agent +session required pam_permit.so + +# password +password required pam_permit.so diff --git a/lib/libpam/pam.d/passwd b/lib/libpam/pam.d/passwd new file mode 100644 index 000000000000..e65508326ab2 --- /dev/null +++ b/lib/libpam/pam.d/passwd @@ -0,0 +1,11 @@ +# +# $FreeBSD$ +# +# PAM configuration for the "passwd" service +# + +# passwd(1) does not use the auth, account or session services. + +# password +#password requisite pam_passwdqc.so enforce=users +password required pam_unix.so no_warn try_first_pass nullok diff --git a/lib/libpam/pam.d/pop3 b/lib/libpam/pam.d/pop3 new file mode 100644 index 000000000000..c59e39b8bfaa --- /dev/null +++ b/lib/libpam/pam.d/pop3 @@ -0,0 +1,14 @@ +# +# $FreeBSD$ +# +# PAM configuration for the "pop3" service +# + +# auth +#auth sufficient pam_krb5.so no_warn try_first_pass +#auth sufficient pam_ssh.so no_warn try_first_pass +auth required pam_unix.so no_warn try_first_pass + +# account +#account required pam_nologin.so +account required pam_unix.so diff --git a/lib/libpam/pam.d/sshd b/lib/libpam/pam.d/sshd new file mode 100644 index 000000000000..b4707c009f49 --- /dev/null +++ b/lib/libpam/pam.d/sshd @@ -0,0 +1,26 @@ +# +# $FreeBSD$ +# +# PAM configuration for the "sshd" service +# + +# auth +auth sufficient pam_opie.so no_warn no_fake_prompts +auth requisite pam_opieaccess.so no_warn allow_local +#auth sufficient pam_krb5.so no_warn try_first_pass +#auth sufficient pam_ssh.so no_warn try_first_pass +auth required pam_unix.so no_warn try_first_pass + +# account +account required pam_nologin.so +#account required pam_krb5.so +account required pam_login_access.so +account required pam_unix.so + +# session +#session optional pam_ssh.so want_agent +session required pam_permit.so + +# password +#password sufficient pam_krb5.so no_warn try_first_pass +password required pam_unix.so no_warn try_first_pass diff --git a/lib/libpam/pam.d/su b/lib/libpam/pam.d/su new file mode 100644 index 000000000000..88ce8b0ab4f1 --- /dev/null +++ b/lib/libpam/pam.d/su @@ -0,0 +1,17 @@ +# +# $FreeBSD$ +# +# PAM configuration for the "su" service +# + +# auth +auth sufficient pam_rootok.so no_warn +auth sufficient pam_self.so no_warn +auth requisite pam_group.so no_warn group=wheel root_only fail_safe ruser +auth include system + +# account +account include system + +# session +session required pam_permit.so diff --git a/lib/libpam/pam.d/system b/lib/libpam/pam.d/system new file mode 100644 index 000000000000..b8b7101e6b85 --- /dev/null +++ b/lib/libpam/pam.d/system @@ -0,0 +1,25 @@ +# +# $FreeBSD$ +# +# System-wide defaults +# + +# auth +auth sufficient pam_opie.so no_warn no_fake_prompts +auth requisite pam_opieaccess.so no_warn allow_local +#auth sufficient pam_krb5.so no_warn try_first_pass +#auth sufficient pam_ssh.so no_warn try_first_pass +auth required pam_unix.so no_warn try_first_pass nullok + +# account +#account required pam_krb5.so +account required pam_login_access.so +account required pam_unix.so + +# session +#session optional pam_ssh.so want_agent +session required pam_lastlog.so no_fail + +# password +#password sufficient pam_krb5.so no_warn try_first_pass +password required pam_unix.so no_warn try_first_pass diff --git a/lib/libpam/pam.d/telnetd b/lib/libpam/pam.d/telnetd new file mode 100644 index 000000000000..fb2f523d4ad1 --- /dev/null +++ b/lib/libpam/pam.d/telnetd @@ -0,0 +1,26 @@ +# +# $FreeBSD$ +# +# PAM configuration for the "telnetd" service +# + +# auth +auth sufficient pam_opie.so no_warn no_fake_prompts +auth requisite pam_opieaccess.so no_warn allow_local +#auth sufficient pam_krb5.so no_warn try_first_pass +#auth sufficient pam_ssh.so no_warn try_first_pass +auth required pam_unix.so no_warn try_first_pass + +# account +account required pam_nologin.so +#account required pam_krb5.so +account required pam_login_access.so +account required pam_unix.so + +# session +#session optional pam_ssh.so want_agent +session required pam_lastlog.so no_fail + +# password +#password sufficient pam_krb5.so no_warn try_first_pass +password required pam_unix.so no_warn try_first_pass diff --git a/lib/libpam/pam.d/xdm b/lib/libpam/pam.d/xdm new file mode 100644 index 000000000000..2a7db08053f4 --- /dev/null +++ b/lib/libpam/pam.d/xdm @@ -0,0 +1,22 @@ +# +# $FreeBSD$ +# +# PAM configuration for the "xdm" service +# + +# auth +#auth sufficient pam_krb5.so no_warn try_first_pass +#auth sufficient pam_ssh.so no_warn try_first_pass +auth required pam_unix.so no_warn try_first_pass + +# account +account required pam_nologin.so +#account required pam_krb5.so +account required pam_unix.so + +# session +#session required pam_ssh.so want_agent +session required pam_lastlog.so no_fail + +# password +password required pam_deny.so |