Index: head/etc/Makefile =================================================================== --- head/etc/Makefile +++ head/etc/Makefile @@ -121,7 +121,6 @@ ${_+_}cd ${.CURDIR}/mtree; ${MAKE} install ${_+_}cd ${SRCTOP}/share/termcap; ${MAKE} etc-termcap ${_+_}cd ${SRCTOP}/usr.sbin/rmt; ${MAKE} etc-rmt - ${_+_}cd ${.CURDIR}/pam.d; ${MAKE} install .if ${MK_UNBOUND} != "no" if [ ! -e ${DESTDIR}/etc/unbound ]; then \ ${INSTALL_SYMLINK} ../var/unbound ${DESTDIR}/etc/unbound; \ Index: head/etc/pam.d/Makefile =================================================================== --- head/etc/pam.d/Makefile +++ head/etc/pam.d/Makefile @@ -1,48 +0,0 @@ -# $FreeBSD$ - -.include - -NO_OBJ= - -FILESGROUPS= FILES - -FILES= README \ - cron \ - imap \ - login \ - other \ - passwd pop3 \ - sshd su system \ - xdm - -FILESDIR= /etc/pam.d -FILESMODE= 644 - -.if ${MK_AT} != "no" -FILESGROUPS+= AT -AT+= atrun -ATPACKAGE+= at -ATDIR= ${FILESDIR} -ATMODE= ${FILESMODE} -.endif - -.if ${MK_FTP} != "no" -FILESGROUPS+= FTP -FTP+= ftpd -FTPPACKAGE+= ftp -FTPDIR= ${FILESDIR} -FTPMODE= ${FILESMODE} -LINKS= ${FILESDIR}/ftpd ${FILESDIR}/ftp -.endif - -.if ${MK_TELNET} != "no" -FILESGROUPS+= TELNET -TELNET+= telnetd -TELNETPACKAGE+= telnet -TELNETDIR= ${FILESDIR} -TELNETMODE= ${FILESMODE} -.endif - -FILESMODE_README= 444 - -.include Index: head/etc/pam.d/README =================================================================== --- head/etc/pam.d/README +++ head/etc/pam.d/README @@ -1,62 +0,0 @@ - -This directory contains configuration files for the Pluggable -Authentication Modules (PAM) library. - -Each file details the module chain for a single service, and must be -named after that service. If no configuration file is found for a -particular service, the /etc/pam.d/other is used instead. If that -file does not exist, /etc/pam.conf is searched for entries matching -the specified service or, failing that, the "other" service. - -See the pam(3) manual page for an explanation of the workings of the -PAM library and descriptions of the various files and modules. Below -is a summary of the format for the pam.conf and /etc/pam.d/* files. - -Configuration lines take the following form: - -module-type control-flag module-path arguments - -Comments are introduced with a hash mark ('#'). Blank lines and lines -consisting entirely of comments are ignored. - -The meanings of the different fields are as follows: - - module-type: - auth: prompt for a password to authenticate that the user is - who they say they are, and set any credentials. - account: non-authentication based authorization, based on time, - resources, etc. - session: housekeeping before and/or after login. - password: update authentication tokens. - - control-flag: How libpam handles success or failure of the module. - required: success is required; on failure all remaining - modules are run, but the request will be denied. - requisite: success is required, and on failure no remaining - modules are run. - sufficient: success is sufficient, and if no previous required - module failed, no remaining modules are run. - binding: success is sufficient; on failure all remaining - modules are run, but the request will be denied. - optional: ignored unless the other modules return PAM_IGNORE. - - arguments: Module-specific options, plus some generic ones: - debug: syslog debug info. - no_warn: return no warning messages to the application. - Remove this to feed back to the user the - reason(s) they are being rejected. - use_first_pass: try authentication using password from the - preceding auth module. - try_first_pass: first try authentication using password from - the preceding auth module, and if that fails - prompt for a new password. - use_mapped_pass: convert cleartext password to a crypto key. - expose_account: allow printing more info about the user when - prompting. - -Note that having a "sufficient" module as the last entry for a -particular service and module type may result in surprising behaviour. -To get the intended semantics, add a "required" entry listing the -pam_deny module at the end of the chain. - -$FreeBSD$ Index: head/etc/pam.d/atrun =================================================================== --- head/etc/pam.d/atrun +++ head/etc/pam.d/atrun @@ -1,10 +0,0 @@ -# -# $FreeBSD$ -# -# PAM configuration for the "atrun" service -# - -# Note well: enabling pam_nologin for atrun will currently result -# in jobs discarded, not just delayed, during a no-login period. -#account required pam_nologin.so -account required pam_unix.so Index: head/etc/pam.d/convert.pl =================================================================== --- head/etc/pam.d/convert.pl +++ head/etc/pam.d/convert.pl @@ -1,89 +0,0 @@ -#!/usr/bin/perl -w -#- -# SPDX-License-Identifier: BSD-3-Clause -# -# Copyright (c) 2001,2002 Networks Associates Technologies, Inc. -# All rights reserved. -# -# This software was developed for the FreeBSD Project by ThinkSec AS and -# NAI Labs, the Security Research Division of Network Associates, Inc. -# under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the -# DARPA CHATS research program. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions -# are met: -# 1. Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. -# 2. Redistributions in binary form must reproduce the above copyright -# notice, this list of conditions and the following disclaimer in the -# documentation and/or other materials provided with the distribution. -# 3. The name of the author may not be used to endorse or promote -# products derived from this software without specific prior written -# permission. -# -# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND -# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE -# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -# SUCH DAMAGE. -# -# $FreeBSD$ -# - -use strict; -use Fcntl; -use vars qw(%SERVICES); - -MAIN:{ - my $line; - my $service; - my $version; - my $type; - local *FILE; - - while (<>) { - chomp(); - s/\s*$//; - next unless m/^(\#*)(\w+)\s+(auth|account|session|password)\s+(\S.*)$/; - $line = $1.$3; - $line .= "\t" x ((16 - length($line) + 7) / 8); - $line .= $4; - push(@{$SERVICES{$2}->{$3}}, $line); - } - - foreach $service (keys(%SERVICES)) { - $version = '$' . 'FreeBSD' . '$'; - if (sysopen(FILE, $service, O_RDONLY)) { - while () { - next unless (m/(\$[F]reeBSD.*?\$)/); - $version = $1; - last; - } - close(FILE); - } - sysopen(FILE, $service, O_RDWR|O_CREAT|O_TRUNC) - or die("$service: $!\n"); - print(FILE "#\n"); - print(FILE "# $version\n"); - print(FILE "#\n"); - print(FILE "# PAM configuration for the \"$service\" service\n"); - print(FILE "#\n"); - foreach $type (qw(auth account session password)) { - next unless exists($SERVICES{$service}->{$type}); - print(FILE "\n"); - print(FILE "# $type\n"); - print(FILE join("\n", @{$SERVICES{$service}->{$type}}, "")); - } - close(FILE); - warn("$service\n"); - } - - exit(0); -} Index: head/etc/pam.d/cron =================================================================== --- head/etc/pam.d/cron +++ head/etc/pam.d/cron @@ -1,9 +0,0 @@ -# -# $FreeBSD$ -# -# PAM configuration for the "cron" service -# - -# account -account required pam_nologin.so -account required pam_unix.so Index: head/etc/pam.d/ftpd =================================================================== --- head/etc/pam.d/ftpd +++ head/etc/pam.d/ftpd @@ -1,20 +0,0 @@ -# -# $FreeBSD$ -# -# PAM configuration for the "ftpd" service -# - -# auth -auth sufficient pam_opie.so no_warn no_fake_prompts -auth requisite pam_opieaccess.so no_warn allow_local -#auth sufficient pam_krb5.so no_warn -#auth sufficient pam_ssh.so no_warn try_first_pass -auth required pam_unix.so no_warn try_first_pass - -# account -account required pam_nologin.so -#account required pam_krb5.so -account required pam_unix.so - -# session -session required pam_permit.so Index: head/etc/pam.d/imap =================================================================== --- head/etc/pam.d/imap +++ head/etc/pam.d/imap @@ -1,14 +0,0 @@ -# -# $FreeBSD$ -# -# PAM configuration for the "imap" service -# - -# auth -#auth sufficient pam_krb5.so no_warn try_first_pass -#auth sufficient pam_ssh.so no_warn try_first_pass -auth required pam_unix.so no_warn try_first_pass - -# account -#account required pam_nologin.so -account required pam_unix.so Index: head/etc/pam.d/login =================================================================== --- head/etc/pam.d/login +++ head/etc/pam.d/login @@ -1,20 +0,0 @@ -# -# $FreeBSD$ -# -# PAM configuration for the "login" service -# - -# auth -auth sufficient pam_self.so no_warn -auth include system - -# account -account requisite pam_securetty.so -account required pam_nologin.so -account include system - -# session -session include system - -# password -password include system Index: head/etc/pam.d/other =================================================================== --- head/etc/pam.d/other +++ head/etc/pam.d/other @@ -1,25 +0,0 @@ -# -# $FreeBSD$ -# -# PAM configuration for the "other" service -# - -# auth -auth sufficient pam_opie.so no_warn no_fake_prompts -auth requisite pam_opieaccess.so no_warn allow_local -#auth sufficient pam_krb5.so no_warn try_first_pass -#auth sufficient pam_ssh.so no_warn try_first_pass -auth required pam_unix.so no_warn try_first_pass - -# account -account required pam_nologin.so -#account required pam_krb5.so -account required pam_login_access.so -account required pam_unix.so - -# session -#session optional pam_ssh.so want_agent -session required pam_permit.so - -# password -password required pam_permit.so Index: head/etc/pam.d/passwd =================================================================== --- head/etc/pam.d/passwd +++ head/etc/pam.d/passwd @@ -1,11 +0,0 @@ -# -# $FreeBSD$ -# -# PAM configuration for the "passwd" service -# - -# passwd(1) does not use the auth, account or session services. - -# password -#password requisite pam_passwdqc.so enforce=users -password required pam_unix.so no_warn try_first_pass nullok Index: head/etc/pam.d/pop3 =================================================================== --- head/etc/pam.d/pop3 +++ head/etc/pam.d/pop3 @@ -1,14 +0,0 @@ -# -# $FreeBSD$ -# -# PAM configuration for the "pop3" service -# - -# auth -#auth sufficient pam_krb5.so no_warn try_first_pass -#auth sufficient pam_ssh.so no_warn try_first_pass -auth required pam_unix.so no_warn try_first_pass - -# account -#account required pam_nologin.so -account required pam_unix.so Index: head/etc/pam.d/sshd =================================================================== --- head/etc/pam.d/sshd +++ head/etc/pam.d/sshd @@ -1,26 +0,0 @@ -# -# $FreeBSD$ -# -# PAM configuration for the "sshd" service -# - -# auth -auth sufficient pam_opie.so no_warn no_fake_prompts -auth requisite pam_opieaccess.so no_warn allow_local -#auth sufficient pam_krb5.so no_warn try_first_pass -#auth sufficient pam_ssh.so no_warn try_first_pass -auth required pam_unix.so no_warn try_first_pass - -# account -account required pam_nologin.so -#account required pam_krb5.so -account required pam_login_access.so -account required pam_unix.so - -# session -#session optional pam_ssh.so want_agent -session required pam_permit.so - -# password -#password sufficient pam_krb5.so no_warn try_first_pass -password required pam_unix.so no_warn try_first_pass Index: head/etc/pam.d/su =================================================================== --- head/etc/pam.d/su +++ head/etc/pam.d/su @@ -1,17 +0,0 @@ -# -# $FreeBSD$ -# -# PAM configuration for the "su" service -# - -# auth -auth sufficient pam_rootok.so no_warn -auth sufficient pam_self.so no_warn -auth requisite pam_group.so no_warn group=wheel root_only fail_safe ruser -auth include system - -# account -account include system - -# session -session required pam_permit.so Index: head/etc/pam.d/system =================================================================== --- head/etc/pam.d/system +++ head/etc/pam.d/system @@ -1,25 +0,0 @@ -# -# $FreeBSD$ -# -# System-wide defaults -# - -# auth -auth sufficient pam_opie.so no_warn no_fake_prompts -auth requisite pam_opieaccess.so no_warn allow_local -#auth sufficient pam_krb5.so no_warn try_first_pass -#auth sufficient pam_ssh.so no_warn try_first_pass -auth required pam_unix.so no_warn try_first_pass nullok - -# account -#account required pam_krb5.so -account required pam_login_access.so -account required pam_unix.so - -# session -#session optional pam_ssh.so want_agent -session required pam_lastlog.so no_fail - -# password -#password sufficient pam_krb5.so no_warn try_first_pass -password required pam_unix.so no_warn try_first_pass Index: head/etc/pam.d/telnetd =================================================================== --- head/etc/pam.d/telnetd +++ head/etc/pam.d/telnetd @@ -1,26 +0,0 @@ -# -# $FreeBSD$ -# -# PAM configuration for the "telnetd" service -# - -# auth -auth sufficient pam_opie.so no_warn no_fake_prompts -auth requisite pam_opieaccess.so no_warn allow_local -#auth sufficient pam_krb5.so no_warn try_first_pass -#auth sufficient pam_ssh.so no_warn try_first_pass -auth required pam_unix.so no_warn try_first_pass - -# account -account required pam_nologin.so -#account required pam_krb5.so -account required pam_login_access.so -account required pam_unix.so - -# session -#session optional pam_ssh.so want_agent -session required pam_lastlog.so no_fail - -# password -#password sufficient pam_krb5.so no_warn try_first_pass -password required pam_unix.so no_warn try_first_pass Index: head/etc/pam.d/xdm =================================================================== --- head/etc/pam.d/xdm +++ head/etc/pam.d/xdm @@ -1,22 +0,0 @@ -# -# $FreeBSD$ -# -# PAM configuration for the "xdm" service -# - -# auth -#auth sufficient pam_krb5.so no_warn try_first_pass -#auth sufficient pam_ssh.so no_warn try_first_pass -auth required pam_unix.so no_warn try_first_pass - -# account -account required pam_nologin.so -#account required pam_krb5.so -account required pam_unix.so - -# session -#session required pam_ssh.so want_agent -session required pam_lastlog.so no_fail - -# password -password required pam_deny.so Index: head/lib/libpam/Makefile =================================================================== --- head/lib/libpam/Makefile +++ head/lib/libpam/Makefile @@ -25,7 +25,7 @@ # $FreeBSD$ # The modules link in libpam. They build the static modules as well. -SUBDIR+= libpam modules +SUBDIR+= libpam modules pam.d SUBDIR_DEPEND_modules= libpam SUBDIR+= static_libpam SUBDIR_DEPEND_static_libpam= modules Index: head/lib/libpam/pam.d/Makefile =================================================================== --- head/lib/libpam/pam.d/Makefile +++ head/lib/libpam/pam.d/Makefile @@ -0,0 +1,39 @@ +# $FreeBSD$ + +.include + +NO_OBJ= + +CONFGROUPS= CONFS +CONFS= README \ + cron \ + imap \ + login \ + other \ + passwd pop3 \ + sshd su system \ + xdm + +CONFDIR= /etc/pam.d +CONFSMODE_README= 444 + +.if ${MK_AT} != "no" +CONFGROUPS+= AT +AT+= atrun +ATPACKAGE+= at +.endif + +.if ${MK_FTP} != "no" +CONFGROUPS+= FTP +FTP+= ftpd +FTPPACKAGE+= ftp +LINKS= ${FILESDIR}/ftpd ${FILESDIR}/ftp +.endif + +.if ${MK_TELNET} != "no" +CONFGROUPS+= TELNET +TELNET+= telnetd +TELNETPACKAGE+= telnet +.endif + +.include Index: head/lib/libpam/pam.d/README =================================================================== --- head/lib/libpam/pam.d/README +++ head/lib/libpam/pam.d/README @@ -0,0 +1,62 @@ + +This directory contains configuration files for the Pluggable +Authentication Modules (PAM) library. + +Each file details the module chain for a single service, and must be +named after that service. If no configuration file is found for a +particular service, the /etc/pam.d/other is used instead. If that +file does not exist, /etc/pam.conf is searched for entries matching +the specified service or, failing that, the "other" service. + +See the pam(3) manual page for an explanation of the workings of the +PAM library and descriptions of the various files and modules. Below +is a summary of the format for the pam.conf and /etc/pam.d/* files. + +Configuration lines take the following form: + +module-type control-flag module-path arguments + +Comments are introduced with a hash mark ('#'). Blank lines and lines +consisting entirely of comments are ignored. + +The meanings of the different fields are as follows: + + module-type: + auth: prompt for a password to authenticate that the user is + who they say they are, and set any credentials. + account: non-authentication based authorization, based on time, + resources, etc. + session: housekeeping before and/or after login. + password: update authentication tokens. + + control-flag: How libpam handles success or failure of the module. + required: success is required; on failure all remaining + modules are run, but the request will be denied. + requisite: success is required, and on failure no remaining + modules are run. + sufficient: success is sufficient, and if no previous required + module failed, no remaining modules are run. + binding: success is sufficient; on failure all remaining + modules are run, but the request will be denied. + optional: ignored unless the other modules return PAM_IGNORE. + + arguments: Module-specific options, plus some generic ones: + debug: syslog debug info. + no_warn: return no warning messages to the application. + Remove this to feed back to the user the + reason(s) they are being rejected. + use_first_pass: try authentication using password from the + preceding auth module. + try_first_pass: first try authentication using password from + the preceding auth module, and if that fails + prompt for a new password. + use_mapped_pass: convert cleartext password to a crypto key. + expose_account: allow printing more info about the user when + prompting. + +Note that having a "sufficient" module as the last entry for a +particular service and module type may result in surprising behaviour. +To get the intended semantics, add a "required" entry listing the +pam_deny module at the end of the chain. + +$FreeBSD$ Index: head/lib/libpam/pam.d/atrun =================================================================== --- head/lib/libpam/pam.d/atrun +++ head/lib/libpam/pam.d/atrun @@ -0,0 +1,10 @@ +# +# $FreeBSD$ +# +# PAM configuration for the "atrun" service +# + +# Note well: enabling pam_nologin for atrun will currently result +# in jobs discarded, not just delayed, during a no-login period. +#account required pam_nologin.so +account required pam_unix.so Index: head/lib/libpam/pam.d/convert.pl =================================================================== --- head/lib/libpam/pam.d/convert.pl +++ head/lib/libpam/pam.d/convert.pl @@ -0,0 +1,89 @@ +#!/usr/bin/perl -w +#- +# SPDX-License-Identifier: BSD-3-Clause +# +# Copyright (c) 2001,2002 Networks Associates Technologies, Inc. +# All rights reserved. +# +# This software was developed for the FreeBSD Project by ThinkSec AS and +# NAI Labs, the Security Research Division of Network Associates, Inc. +# under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the +# DARPA CHATS research program. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# 3. The name of the author may not be used to endorse or promote +# products derived from this software without specific prior written +# permission. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. +# +# $FreeBSD$ +# + +use strict; +use Fcntl; +use vars qw(%SERVICES); + +MAIN:{ + my $line; + my $service; + my $version; + my $type; + local *FILE; + + while (<>) { + chomp(); + s/\s*$//; + next unless m/^(\#*)(\w+)\s+(auth|account|session|password)\s+(\S.*)$/; + $line = $1.$3; + $line .= "\t" x ((16 - length($line) + 7) / 8); + $line .= $4; + push(@{$SERVICES{$2}->{$3}}, $line); + } + + foreach $service (keys(%SERVICES)) { + $version = '$' . 'FreeBSD' . '$'; + if (sysopen(FILE, $service, O_RDONLY)) { + while () { + next unless (m/(\$[F]reeBSD.*?\$)/); + $version = $1; + last; + } + close(FILE); + } + sysopen(FILE, $service, O_RDWR|O_CREAT|O_TRUNC) + or die("$service: $!\n"); + print(FILE "#\n"); + print(FILE "# $version\n"); + print(FILE "#\n"); + print(FILE "# PAM configuration for the \"$service\" service\n"); + print(FILE "#\n"); + foreach $type (qw(auth account session password)) { + next unless exists($SERVICES{$service}->{$type}); + print(FILE "\n"); + print(FILE "# $type\n"); + print(FILE join("\n", @{$SERVICES{$service}->{$type}}, "")); + } + close(FILE); + warn("$service\n"); + } + + exit(0); +} Index: head/lib/libpam/pam.d/cron =================================================================== --- head/lib/libpam/pam.d/cron +++ head/lib/libpam/pam.d/cron @@ -0,0 +1,9 @@ +# +# $FreeBSD$ +# +# PAM configuration for the "cron" service +# + +# account +account required pam_nologin.so +account required pam_unix.so Index: head/lib/libpam/pam.d/ftpd =================================================================== --- head/lib/libpam/pam.d/ftpd +++ head/lib/libpam/pam.d/ftpd @@ -0,0 +1,20 @@ +# +# $FreeBSD$ +# +# PAM configuration for the "ftpd" service +# + +# auth +auth sufficient pam_opie.so no_warn no_fake_prompts +auth requisite pam_opieaccess.so no_warn allow_local +#auth sufficient pam_krb5.so no_warn +#auth sufficient pam_ssh.so no_warn try_first_pass +auth required pam_unix.so no_warn try_first_pass + +# account +account required pam_nologin.so +#account required pam_krb5.so +account required pam_unix.so + +# session +session required pam_permit.so Index: head/lib/libpam/pam.d/imap =================================================================== --- head/lib/libpam/pam.d/imap +++ head/lib/libpam/pam.d/imap @@ -0,0 +1,14 @@ +# +# $FreeBSD$ +# +# PAM configuration for the "imap" service +# + +# auth +#auth sufficient pam_krb5.so no_warn try_first_pass +#auth sufficient pam_ssh.so no_warn try_first_pass +auth required pam_unix.so no_warn try_first_pass + +# account +#account required pam_nologin.so +account required pam_unix.so Index: head/lib/libpam/pam.d/login =================================================================== --- head/lib/libpam/pam.d/login +++ head/lib/libpam/pam.d/login @@ -0,0 +1,20 @@ +# +# $FreeBSD$ +# +# PAM configuration for the "login" service +# + +# auth +auth sufficient pam_self.so no_warn +auth include system + +# account +account requisite pam_securetty.so +account required pam_nologin.so +account include system + +# session +session include system + +# password +password include system Index: head/lib/libpam/pam.d/other =================================================================== --- head/lib/libpam/pam.d/other +++ head/lib/libpam/pam.d/other @@ -0,0 +1,25 @@ +# +# $FreeBSD$ +# +# PAM configuration for the "other" service +# + +# auth +auth sufficient pam_opie.so no_warn no_fake_prompts +auth requisite pam_opieaccess.so no_warn allow_local +#auth sufficient pam_krb5.so no_warn try_first_pass +#auth sufficient pam_ssh.so no_warn try_first_pass +auth required pam_unix.so no_warn try_first_pass + +# account +account required pam_nologin.so +#account required pam_krb5.so +account required pam_login_access.so +account required pam_unix.so + +# session +#session optional pam_ssh.so want_agent +session required pam_permit.so + +# password +password required pam_permit.so Index: head/lib/libpam/pam.d/passwd =================================================================== --- head/lib/libpam/pam.d/passwd +++ head/lib/libpam/pam.d/passwd @@ -0,0 +1,11 @@ +# +# $FreeBSD$ +# +# PAM configuration for the "passwd" service +# + +# passwd(1) does not use the auth, account or session services. + +# password +#password requisite pam_passwdqc.so enforce=users +password required pam_unix.so no_warn try_first_pass nullok Index: head/lib/libpam/pam.d/pop3 =================================================================== --- head/lib/libpam/pam.d/pop3 +++ head/lib/libpam/pam.d/pop3 @@ -0,0 +1,14 @@ +# +# $FreeBSD$ +# +# PAM configuration for the "pop3" service +# + +# auth +#auth sufficient pam_krb5.so no_warn try_first_pass +#auth sufficient pam_ssh.so no_warn try_first_pass +auth required pam_unix.so no_warn try_first_pass + +# account +#account required pam_nologin.so +account required pam_unix.so Index: head/lib/libpam/pam.d/sshd =================================================================== --- head/lib/libpam/pam.d/sshd +++ head/lib/libpam/pam.d/sshd @@ -0,0 +1,26 @@ +# +# $FreeBSD$ +# +# PAM configuration for the "sshd" service +# + +# auth +auth sufficient pam_opie.so no_warn no_fake_prompts +auth requisite pam_opieaccess.so no_warn allow_local +#auth sufficient pam_krb5.so no_warn try_first_pass +#auth sufficient pam_ssh.so no_warn try_first_pass +auth required pam_unix.so no_warn try_first_pass + +# account +account required pam_nologin.so +#account required pam_krb5.so +account required pam_login_access.so +account required pam_unix.so + +# session +#session optional pam_ssh.so want_agent +session required pam_permit.so + +# password +#password sufficient pam_krb5.so no_warn try_first_pass +password required pam_unix.so no_warn try_first_pass Index: head/lib/libpam/pam.d/su =================================================================== --- head/lib/libpam/pam.d/su +++ head/lib/libpam/pam.d/su @@ -0,0 +1,17 @@ +# +# $FreeBSD$ +# +# PAM configuration for the "su" service +# + +# auth +auth sufficient pam_rootok.so no_warn +auth sufficient pam_self.so no_warn +auth requisite pam_group.so no_warn group=wheel root_only fail_safe ruser +auth include system + +# account +account include system + +# session +session required pam_permit.so Index: head/lib/libpam/pam.d/system =================================================================== --- head/lib/libpam/pam.d/system +++ head/lib/libpam/pam.d/system @@ -0,0 +1,25 @@ +# +# $FreeBSD$ +# +# System-wide defaults +# + +# auth +auth sufficient pam_opie.so no_warn no_fake_prompts +auth requisite pam_opieaccess.so no_warn allow_local +#auth sufficient pam_krb5.so no_warn try_first_pass +#auth sufficient pam_ssh.so no_warn try_first_pass +auth required pam_unix.so no_warn try_first_pass nullok + +# account +#account required pam_krb5.so +account required pam_login_access.so +account required pam_unix.so + +# session +#session optional pam_ssh.so want_agent +session required pam_lastlog.so no_fail + +# password +#password sufficient pam_krb5.so no_warn try_first_pass +password required pam_unix.so no_warn try_first_pass Index: head/lib/libpam/pam.d/telnetd =================================================================== --- head/lib/libpam/pam.d/telnetd +++ head/lib/libpam/pam.d/telnetd @@ -0,0 +1,26 @@ +# +# $FreeBSD$ +# +# PAM configuration for the "telnetd" service +# + +# auth +auth sufficient pam_opie.so no_warn no_fake_prompts +auth requisite pam_opieaccess.so no_warn allow_local +#auth sufficient pam_krb5.so no_warn try_first_pass +#auth sufficient pam_ssh.so no_warn try_first_pass +auth required pam_unix.so no_warn try_first_pass + +# account +account required pam_nologin.so +#account required pam_krb5.so +account required pam_login_access.so +account required pam_unix.so + +# session +#session optional pam_ssh.so want_agent +session required pam_lastlog.so no_fail + +# password +#password sufficient pam_krb5.so no_warn try_first_pass +password required pam_unix.so no_warn try_first_pass Index: head/lib/libpam/pam.d/xdm =================================================================== --- head/lib/libpam/pam.d/xdm +++ head/lib/libpam/pam.d/xdm @@ -0,0 +1,22 @@ +# +# $FreeBSD$ +# +# PAM configuration for the "xdm" service +# + +# auth +#auth sufficient pam_krb5.so no_warn try_first_pass +#auth sufficient pam_ssh.so no_warn try_first_pass +auth required pam_unix.so no_warn try_first_pass + +# account +account required pam_nologin.so +#account required pam_krb5.so +account required pam_unix.so + +# session +#session required pam_ssh.so want_agent +session required pam_lastlog.so no_fail + +# password +password required pam_deny.so