Index: etc/Makefile =================================================================== --- etc/Makefile +++ etc/Makefile @@ -21,7 +21,6 @@ hosts.equiv \ libalias.conf \ libmap.conf \ - login.access \ mac.conf \ netconfig \ networks \ @@ -121,7 +120,6 @@ ${_+_}cd ${.CURDIR}/mtree; ${MAKE} install ${_+_}cd ${SRCTOP}/share/termcap; ${MAKE} etc-termcap ${_+_}cd ${SRCTOP}/usr.sbin/rmt; ${MAKE} etc-rmt - ${_+_}cd ${.CURDIR}/pam.d; ${MAKE} install .if ${MK_UNBOUND} != "no" if [ ! -e ${DESTDIR}/etc/unbound ]; then \ ${INSTALL_SYMLINK} ../var/unbound ${DESTDIR}/etc/unbound; \ Index: etc/login.access =================================================================== --- etc/login.access +++ etc/login.access @@ -1,46 +0,0 @@ -# $FreeBSD$ -# -# Login access control table. -# -# When someone logs in, the table is scanned for the first entry that -# matches the (user, host) combination, or, in case of non-networked -# logins, the first entry that matches the (user, tty) combination. The -# permissions field of that table entry determines whether the login will -# be accepted or refused. -# -# Format of the login access control table is three fields separated by a -# ":" character: -# -# permission : users : origins -# -# The first field should be a "+" (access granted) or "-" (access denied) -# character. The second field should be a list of one or more login names, -# group names, or ALL (always matches). The third field should be a list -# of one or more tty names (for non-networked logins), host names, domain -# names (begin with "."), host addresses, internet network numbers (end -# with "."), ALL (always matches) or LOCAL (matches any string that does -# not contain a "." character). If you run NIS you can use @netgroupname -# in host or user patterns. -# -# The EXCEPT operator makes it possible to write very compact rules. -# -# The group file is searched only when a name does not match that of the -# logged-in user. Only groups are matched in which users are explicitly -# listed: the program does not look at a user's primary group id value. -# -############################################################################## -# -# Disallow console logins to all but a few accounts. -# -#-:ALL EXCEPT wheel shutdown sync:console -# -# Disallow non-local logins to privileged accounts (group wheel). -# -#-:wheel:ALL EXCEPT LOCAL .win.tue.nl -# -# Some accounts are not allowed to login from anywhere: -# -#-:wsbscaro wsbsecr wsbspac wsbsym wscosor wstaiwde:ALL -# -# All other accounts are allowed to login from anywhere. -# Index: etc/pam.d/Makefile =================================================================== --- etc/pam.d/Makefile +++ etc/pam.d/Makefile @@ -1,48 +0,0 @@ -# $FreeBSD$ - -.include - -NO_OBJ= - -FILESGROUPS= FILES - -FILES= README \ - cron \ - imap \ - login \ - other \ - passwd pop3 \ - sshd su system \ - xdm - -FILESDIR= /etc/pam.d -FILESMODE= 644 - -.if ${MK_AT} != "no" -FILESGROUPS+= AT -AT+= atrun -ATPACKAGE+= at -ATDIR= ${FILESDIR} -ATMODE= ${FILESMODE} -.endif - -.if ${MK_FTP} != "no" -FILESGROUPS+= FTP -FTP+= ftpd -FTPPACKAGE+= ftp -FTPDIR= ${FILESDIR} -FTPMODE= ${FILESMODE} -LINKS= ${FILESDIR}/ftpd ${FILESDIR}/ftp -.endif - -.if ${MK_TELNET} != "no" -FILESGROUPS+= TELNET -TELNET+= telnetd -TELNETPACKAGE+= telnet -TELNETDIR= ${FILESDIR} -TELNETMODE= ${FILESMODE} -.endif - -FILESMODE_README= 444 - -.include Index: etc/pam.d/README =================================================================== --- etc/pam.d/README +++ etc/pam.d/README @@ -1,62 +0,0 @@ - -This directory contains configuration files for the Pluggable -Authentication Modules (PAM) library. - -Each file details the module chain for a single service, and must be -named after that service. If no configuration file is found for a -particular service, the /etc/pam.d/other is used instead. If that -file does not exist, /etc/pam.conf is searched for entries matching -the specified service or, failing that, the "other" service. - -See the pam(3) manual page for an explanation of the workings of the -PAM library and descriptions of the various files and modules. Below -is a summary of the format for the pam.conf and /etc/pam.d/* files. - -Configuration lines take the following form: - -module-type control-flag module-path arguments - -Comments are introduced with a hash mark ('#'). Blank lines and lines -consisting entirely of comments are ignored. - -The meanings of the different fields are as follows: - - module-type: - auth: prompt for a password to authenticate that the user is - who they say they are, and set any credentials. - account: non-authentication based authorization, based on time, - resources, etc. - session: housekeeping before and/or after login. - password: update authentication tokens. - - control-flag: How libpam handles success or failure of the module. - required: success is required; on failure all remaining - modules are run, but the request will be denied. - requisite: success is required, and on failure no remaining - modules are run. - sufficient: success is sufficient, and if no previous required - module failed, no remaining modules are run. - binding: success is sufficient; on failure all remaining - modules are run, but the request will be denied. - optional: ignored unless the other modules return PAM_IGNORE. - - arguments: Module-specific options, plus some generic ones: - debug: syslog debug info. - no_warn: return no warning messages to the application. - Remove this to feed back to the user the - reason(s) they are being rejected. - use_first_pass: try authentication using password from the - preceding auth module. - try_first_pass: first try authentication using password from - the preceding auth module, and if that fails - prompt for a new password. - use_mapped_pass: convert cleartext password to a crypto key. - expose_account: allow printing more info about the user when - prompting. - -Note that having a "sufficient" module as the last entry for a -particular service and module type may result in surprising behaviour. -To get the intended semantics, add a "required" entry listing the -pam_deny module at the end of the chain. - -$FreeBSD$ Index: etc/pam.d/atrun =================================================================== --- etc/pam.d/atrun +++ etc/pam.d/atrun @@ -1,10 +0,0 @@ -# -# $FreeBSD$ -# -# PAM configuration for the "atrun" service -# - -# Note well: enabling pam_nologin for atrun will currently result -# in jobs discarded, not just delayed, during a no-login period. -#account required pam_nologin.so -account required pam_unix.so Index: etc/pam.d/convert.pl =================================================================== --- etc/pam.d/convert.pl +++ etc/pam.d/convert.pl @@ -1,89 +0,0 @@ -#!/usr/bin/perl -w -#- -# SPDX-License-Identifier: BSD-3-Clause -# -# Copyright (c) 2001,2002 Networks Associates Technologies, Inc. -# All rights reserved. -# -# This software was developed for the FreeBSD Project by ThinkSec AS and -# NAI Labs, the Security Research Division of Network Associates, Inc. -# under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the -# DARPA CHATS research program. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions -# are met: -# 1. Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. -# 2. Redistributions in binary form must reproduce the above copyright -# notice, this list of conditions and the following disclaimer in the -# documentation and/or other materials provided with the distribution. -# 3. The name of the author may not be used to endorse or promote -# products derived from this software without specific prior written -# permission. -# -# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND -# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE -# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -# SUCH DAMAGE. -# -# $FreeBSD$ -# - -use strict; -use Fcntl; -use vars qw(%SERVICES); - -MAIN:{ - my $line; - my $service; - my $version; - my $type; - local *FILE; - - while (<>) { - chomp(); - s/\s*$//; - next unless m/^(\#*)(\w+)\s+(auth|account|session|password)\s+(\S.*)$/; - $line = $1.$3; - $line .= "\t" x ((16 - length($line) + 7) / 8); - $line .= $4; - push(@{$SERVICES{$2}->{$3}}, $line); - } - - foreach $service (keys(%SERVICES)) { - $version = '$' . 'FreeBSD' . '$'; - if (sysopen(FILE, $service, O_RDONLY)) { - while () { - next unless (m/(\$[F]reeBSD.*?\$)/); - $version = $1; - last; - } - close(FILE); - } - sysopen(FILE, $service, O_RDWR|O_CREAT|O_TRUNC) - or die("$service: $!\n"); - print(FILE "#\n"); - print(FILE "# $version\n"); - print(FILE "#\n"); - print(FILE "# PAM configuration for the \"$service\" service\n"); - print(FILE "#\n"); - foreach $type (qw(auth account session password)) { - next unless exists($SERVICES{$service}->{$type}); - print(FILE "\n"); - print(FILE "# $type\n"); - print(FILE join("\n", @{$SERVICES{$service}->{$type}}, "")); - } - close(FILE); - warn("$service\n"); - } - - exit(0); -} Index: etc/pam.d/cron =================================================================== --- etc/pam.d/cron +++ etc/pam.d/cron @@ -1,9 +0,0 @@ -# -# $FreeBSD$ -# -# PAM configuration for the "cron" service -# - -# account -account required pam_nologin.so -account required pam_unix.so Index: etc/pam.d/ftpd =================================================================== --- etc/pam.d/ftpd +++ etc/pam.d/ftpd @@ -1,20 +0,0 @@ -# -# $FreeBSD$ -# -# PAM configuration for the "ftpd" service -# - -# auth -auth sufficient pam_opie.so no_warn no_fake_prompts -auth requisite pam_opieaccess.so no_warn allow_local -#auth sufficient pam_krb5.so no_warn -#auth sufficient pam_ssh.so no_warn try_first_pass -auth required pam_unix.so no_warn try_first_pass - -# account -account required pam_nologin.so -#account required pam_krb5.so -account required pam_unix.so - -# session -session required pam_permit.so Index: etc/pam.d/imap =================================================================== --- etc/pam.d/imap +++ etc/pam.d/imap @@ -1,14 +0,0 @@ -# -# $FreeBSD$ -# -# PAM configuration for the "imap" service -# - -# auth -#auth sufficient pam_krb5.so no_warn try_first_pass -#auth sufficient pam_ssh.so no_warn try_first_pass -auth required pam_unix.so no_warn try_first_pass - -# account -#account required pam_nologin.so -account required pam_unix.so Index: etc/pam.d/login =================================================================== --- etc/pam.d/login +++ etc/pam.d/login @@ -1,20 +0,0 @@ -# -# $FreeBSD$ -# -# PAM configuration for the "login" service -# - -# auth -auth sufficient pam_self.so no_warn -auth include system - -# account -account requisite pam_securetty.so -account required pam_nologin.so -account include system - -# session -session include system - -# password -password include system Index: etc/pam.d/other =================================================================== --- etc/pam.d/other +++ etc/pam.d/other @@ -1,25 +0,0 @@ -# -# $FreeBSD$ -# -# PAM configuration for the "other" service -# - -# auth -auth sufficient pam_opie.so no_warn no_fake_prompts -auth requisite pam_opieaccess.so no_warn allow_local -#auth sufficient pam_krb5.so no_warn try_first_pass -#auth sufficient pam_ssh.so no_warn try_first_pass -auth required pam_unix.so no_warn try_first_pass - -# account -account required pam_nologin.so -#account required pam_krb5.so -account required pam_login_access.so -account required pam_unix.so - -# session -#session optional pam_ssh.so want_agent -session required pam_permit.so - -# password -password required pam_permit.so Index: etc/pam.d/passwd =================================================================== --- etc/pam.d/passwd +++ etc/pam.d/passwd @@ -1,11 +0,0 @@ -# -# $FreeBSD$ -# -# PAM configuration for the "passwd" service -# - -# passwd(1) does not use the auth, account or session services. - -# password -#password requisite pam_passwdqc.so enforce=users -password required pam_unix.so no_warn try_first_pass nullok Index: etc/pam.d/pop3 =================================================================== --- etc/pam.d/pop3 +++ etc/pam.d/pop3 @@ -1,14 +0,0 @@ -# -# $FreeBSD$ -# -# PAM configuration for the "pop3" service -# - -# auth -#auth sufficient pam_krb5.so no_warn try_first_pass -#auth sufficient pam_ssh.so no_warn try_first_pass -auth required pam_unix.so no_warn try_first_pass - -# account -#account required pam_nologin.so -account required pam_unix.so Index: etc/pam.d/sshd =================================================================== --- etc/pam.d/sshd +++ etc/pam.d/sshd @@ -1,26 +0,0 @@ -# -# $FreeBSD$ -# -# PAM configuration for the "sshd" service -# - -# auth -auth sufficient pam_opie.so no_warn no_fake_prompts -auth requisite pam_opieaccess.so no_warn allow_local -#auth sufficient pam_krb5.so no_warn try_first_pass -#auth sufficient pam_ssh.so no_warn try_first_pass -auth required pam_unix.so no_warn try_first_pass - -# account -account required pam_nologin.so -#account required pam_krb5.so -account required pam_login_access.so -account required pam_unix.so - -# session -#session optional pam_ssh.so want_agent -session required pam_permit.so - -# password -#password sufficient pam_krb5.so no_warn try_first_pass -password required pam_unix.so no_warn try_first_pass Index: etc/pam.d/su =================================================================== --- etc/pam.d/su +++ etc/pam.d/su @@ -1,17 +0,0 @@ -# -# $FreeBSD$ -# -# PAM configuration for the "su" service -# - -# auth -auth sufficient pam_rootok.so no_warn -auth sufficient pam_self.so no_warn -auth requisite pam_group.so no_warn group=wheel root_only fail_safe ruser -auth include system - -# account -account include system - -# session -session required pam_permit.so Index: etc/pam.d/system =================================================================== --- etc/pam.d/system +++ etc/pam.d/system @@ -1,25 +0,0 @@ -# -# $FreeBSD$ -# -# System-wide defaults -# - -# auth -auth sufficient pam_opie.so no_warn no_fake_prompts -auth requisite pam_opieaccess.so no_warn allow_local -#auth sufficient pam_krb5.so no_warn try_first_pass -#auth sufficient pam_ssh.so no_warn try_first_pass -auth required pam_unix.so no_warn try_first_pass nullok - -# account -#account required pam_krb5.so -account required pam_login_access.so -account required pam_unix.so - -# session -#session optional pam_ssh.so want_agent -session required pam_lastlog.so no_fail - -# password -#password sufficient pam_krb5.so no_warn try_first_pass -password required pam_unix.so no_warn try_first_pass Index: etc/pam.d/telnetd =================================================================== --- etc/pam.d/telnetd +++ etc/pam.d/telnetd @@ -1,26 +0,0 @@ -# -# $FreeBSD$ -# -# PAM configuration for the "telnetd" service -# - -# auth -auth sufficient pam_opie.so no_warn no_fake_prompts -auth requisite pam_opieaccess.so no_warn allow_local -#auth sufficient pam_krb5.so no_warn try_first_pass -#auth sufficient pam_ssh.so no_warn try_first_pass -auth required pam_unix.so no_warn try_first_pass - -# account -account required pam_nologin.so -#account required pam_krb5.so -account required pam_login_access.so -account required pam_unix.so - -# session -#session optional pam_ssh.so want_agent -session required pam_lastlog.so no_fail - -# password -#password sufficient pam_krb5.so no_warn try_first_pass -password required pam_unix.so no_warn try_first_pass Index: etc/pam.d/xdm =================================================================== --- etc/pam.d/xdm +++ etc/pam.d/xdm @@ -1,22 +0,0 @@ -# -# $FreeBSD$ -# -# PAM configuration for the "xdm" service -# - -# auth -#auth sufficient pam_krb5.so no_warn try_first_pass -#auth sufficient pam_ssh.so no_warn try_first_pass -auth required pam_unix.so no_warn try_first_pass - -# account -account required pam_nologin.so -#account required pam_krb5.so -account required pam_unix.so - -# session -#session required pam_ssh.so want_agent -session required pam_lastlog.so no_fail - -# password -password required pam_deny.so Index: lib/libpam/Makefile =================================================================== --- lib/libpam/Makefile +++ lib/libpam/Makefile @@ -25,7 +25,7 @@ # $FreeBSD$ # The modules link in libpam. They build the static modules as well. -SUBDIR+= libpam modules +SUBDIR+= libpam modules pam.d SUBDIR_DEPEND_modules= libpam SUBDIR+= static_libpam SUBDIR_DEPEND_static_libpam= modules Index: lib/libpam/modules/pam_login_access/Makefile =================================================================== --- lib/libpam/modules/pam_login_access/Makefile +++ lib/libpam/modules/pam_login_access/Makefile @@ -24,6 +24,7 @@ # # $FreeBSD$ +CONFS= login.access LIB= pam_login_access SRCS= pam_login_access.c login_access.c MAN= login.access.5 pam_login_access.8 Index: lib/libpam/pam.d/Makefile =================================================================== --- lib/libpam/pam.d/Makefile +++ lib/libpam/pam.d/Makefile @@ -4,9 +4,8 @@ NO_OBJ= -FILESGROUPS= FILES - -FILES= README \ +CONFGROUPS= CONFS +CONFS= README \ cron \ imap \ login \ @@ -15,34 +14,26 @@ sshd su system \ xdm -FILESDIR= /etc/pam.d -FILESMODE= 644 +CONFDIR= /etc/pam.d +CONFSMODE_README= 444 .if ${MK_AT} != "no" -FILESGROUPS+= AT +CONFGROUPS+= AT AT+= atrun ATPACKAGE+= at -ATDIR= ${FILESDIR} -ATMODE= ${FILESMODE} .endif .if ${MK_FTP} != "no" -FILESGROUPS+= FTP +CONFGROUPS+= FTP FTP+= ftpd FTPPACKAGE+= ftp -FTPDIR= ${FILESDIR} -FTPMODE= ${FILESMODE} LINKS= ${FILESDIR}/ftpd ${FILESDIR}/ftp .endif .if ${MK_TELNET} != "no" -FILESGROUPS+= TELNET +CONFGROUPS+= TELNET TELNET+= telnetd TELNETPACKAGE+= telnet -TELNETDIR= ${FILESDIR} -TELNETMODE= ${FILESMODE} .endif -FILESMODE_README= 444 - .include