| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
| |
Approved by: emaste (mentor)
Fixes: 6e69612d5df1 ("pam: Add pam_xdg module")
MFC after: 3 days
Sponsored by: The FreeBSD Foundation
(cherry picked from commit 06986e899972ac3a127ab2ab46196672d0e1e5b2)
Approved by: emaste (mentor)
|
| |
|
|
|
| |
PR: 280994
(cherry picked from commit 6aee1dc48006445b6e062db86c5c3697b04b98f6)
|
| |
|
|
|
|
|
|
|
|
| |
Fix pam_xdg as pam_get_item can return NULL, this happens when pressing
control + C in xdm for example.
MFC after: 1 week
PR: 279268
(cherry picked from commit cca0ce62f367d03ed429bf99e41e6aca8cb7f2ac)
|
| |
|
|
|
|
|
| |
CID: 1534878
Sponsored by: Beckhoff Automation GmbH & Co. KG
(cherry picked from commit 56ec98a04d19fec3750e47d12eb581c139c8b405)
|
| |
|
|
|
|
|
|
|
| |
Otherwise on success it ontain the return value of asprintf.
Sponsored by: Beckhoff Automation GmbH & Co. KG
Fixes: 2d2950c88933 ("pam_xdg: Check asprintf return value")
(cherry picked from commit 5acbe6d1fb552eeaf44955c2780f2e9d4a70cad3)
|
| |
|
|
|
|
|
|
| |
Reported by: Shawn Webb <shawn.webb@hardenedbsd.org>
Sponsored by: Beckhoff Automation GmbH & Co. KG
Fixes: 6e69612d5df1 ("pam: Add pam_xdg module")
(cherry picked from commit 2d2950c889335b24af7a92f3aaf9946de47bb0bc)
|
| |
|
|
|
|
|
| |
Sponsored by: Beckhoff Automation GmbH & Co. KG
Fixes: 6e69612d5df1 ("pam: Add pam_xdg module")
(cherry picked from commit 84329908c522b428e4dc858a9bac769117927cd3)
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This ensure that the XDG_RUNTIME_DIR is always created and the environment
variable is present which is a must for any wayland user (at least).
The only "cost" of it is a directory is created and unused.
Reviewed by: des
Differential Revision: https://reviews.freebsd.org/D44012
Sponsored by: Beckhoff Automation GmbH & Co. KG
(cherry picked from commit 6b9e6f12e5bbfe347dba8ff8e1e161f9180a1edd)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is a module to setup the XDG directories and environment variables.
For now the only usage is to have a XDG_RUNTIME_DIR environment setup at
user login.
All other environment variable have a default fallback so no need to export
them in this module.
The directory is created according to the XDG Base directory specification.
The default base directory is /var/run/xdg/<username> but can be configured
using the runtime_dir=<dir> module option.
According to the spec the directory *must* not survive a reboot so adding
var_run_enable="YES" to rc.conf is highly recommanded.
Reviewed by: des, pauamma (manpages)
Differential Revision: https://reviews.freebsd.org/D44011
Sponsored by: Beckhoff Automation GmbH & Co. KG
(cherry picked from commit 6e69612d5df1c1d5bd86990ea4d9a170c030b292)
|
| |
|
|
| |
Remove /^\s*\$FreeBSD\$$\n/
|
| |
|
|
| |
Remove /^\.\\"\s*\$FreeBSD\$$\n/
|
| |
|
|
| |
Remove /^\.\\"\n\.\\"\s*\$FreeBSD\$$\n/
|
| |
|
|
| |
Remove /^\s*#[#!]?\s*\$FreeBSD\$.*$\n/
|
| |
|
|
| |
Remove /^[\s*]*__FBSDID\("\$FreeBSD\$"\);?\s*\n/
|
| |
|
|
| |
Remove /^\s*\*\n \*\s+\$FreeBSD\$$\n/
|
| |
|
|
|
| |
Reviewed by: cy
Differential Revision: https://reviews.freebsd.org/D41300
|
| |
|
|
|
|
|
|
| |
The closing parenthesis was in the wrong location, so instead of assigning the return value to krbret and then comparing it to zero, we were assigning the result of the comparison to krbret and then comparing that to zero. This has no practical significance since the value is not used after the loop terminates.
PR: 229719
Reviewed by: cy
Differential Revision: https://reviews.freebsd.org/D41299
|
| |
|
|
|
|
|
|
| |
Include a portion of the patch that was missed in 813847e49e35.
Reported by: markj
Fixes: 813847e49e35
MFC after: 1 day
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
An adversary on the network can log in via ssh as any user by spoofing
the KDC. When the machine has a keytab installed the keytab is used to
verify the service ticket. However, without a keytab there is no way
for pam_krb5 to verify the KDC's response and get a TGT with the
password.
If both the password _and_ the KDC are controlled by an adversary, the
adversary can provide a password that the adversary's spoofed KDC will
return a valid tgt for. Currently, without a keytab, pam_krb5 is
vulnerable to this attack.
Reported by: Taylor R Campbell <riastradh@netbsd.org> via emaste@
Reviewed by: so
Approved by: so
Security: FreeBSD-SA-23:04.pam_krb5
Security: CVE-2023-3326
|
| |
|
|
|
|
| |
MFC after: 1 week
Sponsored by: Klara, Inc.
Differential Revision: https://reviews.freebsd.org/D40135
|
| |
|
|
|
|
|
|
|
| |
The SPDX folks have obsoleted the BSD-2-Clause-FreeBSD identifier. Catch
up to that fact and revert to their recommended match of BSD-2-Clause.
Discussed with: pfg
MFC After: 3 days
Sponsored by: Netflix
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
Previously when using NO_ROOT we recorded a METALOG entry for the
pam.d/ftp hard link with a different file mode than the link target
pam.d/ftpd, which is not permitted.
This change is similar to 1dbb9994d4dd for .profile
Sponsored by: The FreeBSD Foundation
|
| |
|
|
| |
Differential Revision: https://reviews.freebsd.org/D36592
|
| |
|
|
|
|
| |
Reviewed by: imp, emaste
Reported by: GCC -Warray-parameter
Differential Revision: https://reviews.freebsd.org/D36759
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
The telnetd codebase is unmaintained and has a number of quality
issues. Telnet has been largely supplanted by ssh. If needed, a port is
available (net/freebsd-telnetd), but a more maintained implementation
should be prefered.
While the telnet client suffers from the same issues, it is deemed
to be of lower risk and is required to connect to legacy devices, so
it remains.
Reviewed by: emaste, imp
Differential Revision: https://reviews.freebsd.org/D36620
|
| | |
|
| |
|
|
| |
Differential Revision: https://reviews.freebsd.org/D36593
|
| |
|
|
|
| |
Approved by: cy, des, tcberner (mentor)
Differential Revision: https://reviews.freebsd.org/D34320
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
According to pam_exec(8), the `expose_authtok` option should be ignored
when the service function is `pam_sm_setcred`. Currently `pam_exec` only
prevent prompt for anth token when `expose_authtok` is set on
`pam_sm_setcred`. This subsequently led to segfault when there isn't an
existing auth token available.
Bug reported on this: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=263893
After reading https://reviews.freebsd.org/rS349556 I am not sure if the
default behaviour supposed to be simply not prompt for authentication
token, or is it to ignore the option entirely as stated in the man page.
This patch is therefore only adding an additional NULL check on the item
`pam_get_item` provide, and exit with `PAM_SYSTEM_ERR` when such item is
NULL.
MFC after: 1 week
Reviewed by: des, khng
Differential Revision: https://reviews.freebsd.org/D35169
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Release notes are available at https://www.openssh.com/txt/release-8.9
Some highlights:
* ssh(1), sshd(8), ssh-add(1), ssh-agent(1): add a system for
restricting forwarding and use of keys added to ssh-agent(1)
* ssh(1), sshd(8): add the sntrup761x25519-sha512@openssh.com hybrid
ECDH/x25519 + Streamlined NTRU Prime post-quantum KEX to the
default KEXAlgorithms list (after the ECDH methods but before the
prime-group DH ones). The next release of OpenSSH is likely to
make this key exchange the default method.
* sshd(8), portable OpenSSH only: this release removes in-built
support for MD5-hashed passwords. If you require these on your
system then we recommend linking against libxcrypt or similar.
Future deprecation notice
=========================
A near-future release of OpenSSH will switch scp(1) from using the
legacy scp/rcp protocol to using SFTP by default.
Legacy scp/rcp performs wildcard expansion of remote filenames (e.g.
"scp host:* .") through the remote shell. This has the side effect of
requiring double quoting of shell meta-characters in file names
included on scp(1) command-lines, otherwise they could be interpreted
as shell commands on the remote side.
MFC after: 1 month
Relnotes: Yes
Sponsored by: The FreeBSD Foundation
|
| |
|
|
|
|
|
|
|
| |
Move some needed binaries/libs from FreeBSD-utilities to FreeBSD_runtime.
This is everything needed to boot to multiuser with FreeBSD-rc installed.
MFC after: 2 weeks
Sponsored by: Beckhoff Automation GmbH & Co. KG
Differential Revision: https://reviews.freebsd.org/D33435
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Some notable changes, from upstream's release notes:
- sshd(8): Remove support for obsolete "host/port" syntax.
- ssh(1): When prompting whether to record a new host key, accept the key
fingerprint as a synonym for "yes".
- ssh-keygen(1): when acting as a CA and signing certificates with an RSA
key, default to using the rsa-sha2-512 signature algorithm.
- ssh(1), sshd(8), ssh-keygen(1): this release removes the "ssh-rsa"
(RSA/SHA1) algorithm from those accepted for certificate signatures.
- ssh-sk-helper(8): this is a new binary. It is used by the FIDO/U2F
support to provide address-space isolation for token middleware
libraries (including the internal one).
- ssh(1): this release enables UpdateHostkeys by default subject to some
conservative preconditions.
- scp(1): this release changes the behaviour of remote to remote copies
(e.g. "scp host-a:/path host-b:") to transfer through the local host
by default.
- scp(1): experimental support for transfers using the SFTP protocol as
a replacement for the venerable SCP/RCP protocol that it has
traditionally used.
Additional integration work is needed to support FIDO/U2F in the base
system.
Deprecation Notice
------------------
OpenSSH will disable the ssh-rsa signature scheme by default in the
next release.
Reviewed by: imp
MFC after: 1 month
Relnotes: Yes
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D29985
|
| |
|
|
|
|
|
|
| |
ftp tools aren't that useful nowadays but some might want them.
Create a FreeBSD-ftp package so users have a choice to have
them or not.
Differential Revision: https://reviews.freebsd.org/D31794
|
| |
|
|
|
|
|
| |
This allows users to install or not kerberos related utilities
and libs.
Differential Revision: https://reviews.freebsd.org/D31801
|
| |
|
|
|
|
|
|
|
|
| |
both telnet and telnetd aren't that useful nowadays but some
might want them.
Create a FreeBSD-telnet package so users have a choice to have
them or not.
Differential Revision: https://reviews.freebsd.org/D31791
Reviewed by: emaste
|
| |
|
|
|
|
|
|
|
|
|
| |
Add a new option to pam_unix(8), "emptyok", which makes it not prompt
for password, if it's set to an empty one. It is similar to "nullok",
which makes it not prompt for password if the hash itself is empty.
Reviewed By: markj
Sponsored By: NetApp, Inc.
Sponsored By: Klara, Inc.
Differential Revision: https://reviews.freebsd.org/D27569
|
| |
|
|
|
|
|
| |
PR: 252194
Approved by: so
Security: CVE-2020-25580
Security: FreeBSD-SA-21:03.pam_login_access
|
| |
|
|
|
|
|
| |
MFC after: 2 weeks
Notes:
svn path=/head/; revision=364292
|
| |
|
|
|
|
|
|
|
| |
lib/libpam/modules/pam_exec/pam_exec.c:222:56: error: format specifies type 'char *' but the argument has type 'const void *' [-Werror,-Wformat]
if (asprintf(&envstr, "%s=%s", pam_item_env[i].name, item) < 0)
~~ ^~~~
Notes:
svn path=/projects/clang1100-import/; revision=363986
|
| |
|
|
|
|
|
|
|
|
|
| |
Both programs are in this package so put the pam.d file in there too.
Reported by: emaste
Reviewed by: emaste
Differential Revision: https://reviews.freebsd.org/D24161
Notes:
svn path=/head/; revision=359266
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
up to par with the Linux pam_access(8).
Like the Linux pam_access(8) our pam_login_access(8) is a service module
for pam(3) that allows a administrator to limit access from specified
remote hosts or terminals. Unlike the Linux pam_access, pam_login_access
is missing some features which are added by this commit:
Access file can now be specified. The default remains /etc/access.conf.
The syntax is consistent with Linux pam_access.
By default usernames are matched. If the username fails to match a match
against a group name is attempted. The new nodefgroup module option will
only match a username and no attempt to match a group name is made.
Group names must be specified in brackets, "()" when nodefgroup is
specified. Otherwise the old backward compatible behavior is used.
This is consistent with Linux pam_access.
A new field separator module option allows the replacement of the default
colon (:) with any other character. This facilitates potential future
specification of X displays. This is also consistent with Linux pam_access.
A new list separator module option to replace the default space/comma/tab
with another character. This too is consistent with Linux pam_access.
Linux pam_access options not implemented in this commit are the debug
and audit options. These will be implemented at a later date.
Reviewed by: bjk, bcr (for manpages)
Approved by: des (blanket, implicit)
MFC after: 1 month
Differential Revision: https://reviews.freebsd.org/D23198
Notes:
svn path=/head/; revision=358070
|
| |
|
|
|
|
|
|
|
| |
Reported by: bjk
Approved by: des (blanket, implicit)
MFC after: 3 days
Notes:
svn path=/head/; revision=358069
|
| |
|
|
|
|
|
|
| |
Reported by: ports/textproc/igor
MFC after: 3 days
Notes:
svn path=/head/; revision=358068
|
| |
|
|
|
|
|
|
| |
Approved by: des (implicit, blanket)
MFC after: 3 days
Notes:
svn path=/head/; revision=358067
|
| |
|
|
|
|
|
|
|
|
|
| |
match the primary group a user belongs to. This commit extends the
match to secondary groups a user belongs to as well, just as the Linux
pam_access(5) does.
Approved by: des (implicit, blanket)
Notes:
svn path=/head/; revision=358066
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
as in the login.access(5) man page. However strcasecmp() is used to compare
for these special strings. Because of this User accounts and groups with
the corresponding lowercase names are misintrepreted to have special
whereas they should not.
This commit fixes this, conforming to the man page and to how the Linux
pam_access(8) handles these special words.
Approved by: des (implicit, blanket)
Notes:
svn path=/head/; revision=358065
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Update a bunch of Makefile.depend files as
a result of adding Makefile.depend.options files
Reviewed by: bdrewery
MFC after: 1 week
Sponsored by: Juniper Networks
Differential Revision: https://reviews.freebsd.org/D22494
Notes:
svn path=/head/; revision=355617
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Leaf directories that have dependencies impacted
by options need a Makefile.depend.options file
to avoid churn in Makefile.depend
DIRDEPS for cases such as OPENSSL, TCP_WRAPPERS etc
can be set in local.dirdeps-options.mk
which can add to those set in Makefile.depend.options
See share/mk/dirdeps-options.mk
Reviewed by: bdrewery
MFC after: 1 week
Sponsored by: Juniper Networks
Differential Revision: https://reviews.freebsd.org/D22469
Notes:
svn path=/head/; revision=355616
|
| |
|
|
|
|
|
|
|
|
|
|
| |
All of them are needed to be able to boot to single user and be able
to repair a existing FreeBSD installation so put them directly into
FreeBSD-runtime.
Reviewed by: bapt, gjb
Differential Revision: https://reviews.freebsd.org/D21503
Notes:
svn path=/head/; revision=351855
|
