D17122.diff

Index: head/etc/Makefile
===================================================================
--- head/etc/Makefile
+++ head/etc/Makefile
@@ -121,7 +121,6 @@
${_+_}cd ${.CURDIR}/mtree; ${MAKE} install
${_+_}cd ${SRCTOP}/share/termcap; ${MAKE} etc-termcap
${_+_}cd ${SRCTOP}/usr.sbin/rmt; ${MAKE} etc-rmt
- ${_+_}cd ${.CURDIR}/pam.d; ${MAKE} install
.if ${MK_UNBOUND} != "no"
if [ ! -e ${DESTDIR}/etc/unbound ]; then \
${INSTALL_SYMLINK} ../var/unbound ${DESTDIR}/etc/unbound; \
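Review bot: removing the `cd ${.CURDIR}/pam.d; ${MAKE} install` step leaves nothing in this target that populates /etc/pam.d, so a fresh install now depends entirely on the new lib/libpam/pam.d Makefile being reached by whichever target installs CONFS. Please confirm that a distribution run into an empty ${DESTDIR} still produces /etc/pam.d/system and the per-service files, since login, su and sshd all rely on them, and name the target that now installs them in the commit message.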
Index: head/etc/pam.d/Makefile
===================================================================
--- head/etc/pam.d/Makefile
+++ head/etc/pam.d/Makefile
@@ -1,48 +0,0 @@
-# $FreeBSD$
-
-.include <src.opts.mk>
-
-NO_OBJ=
-
-FILESGROUPS= FILES
-
-FILES= README \
- cron \
- imap \
- login \
- other \
- passwd pop3 \
- sshd su system \
- xdm
-
-FILESDIR= /etc/pam.d
-FILESMODE= 644
-
-.if ${MK_AT} != "no"
-FILESGROUPS+= AT
-AT+= atrun
-ATPACKAGE+= at
-ATDIR= ${FILESDIR}
-ATMODE= ${FILESMODE}
-.endif
-
-.if ${MK_FTP} != "no"
-FILESGROUPS+= FTP
-FTP+= ftpd
-FTPPACKAGE+= ftp
-FTPDIR= ${FILESDIR}
-FTPMODE= ${FILESMODE}
-LINKS= ${FILESDIR}/ftpd ${FILESDIR}/ftp
-.endif
-
-.if ${MK_TELNET} != "no"
-FILESGROUPS+= TELNET
-TELNET+= telnetd
-TELNETPACKAGE+= telnet
-TELNETDIR= ${FILESDIR}
-TELNETMODE= ${FILESMODE}
-.endif
-
-FILESMODE_README= 444
-
-.include <bsd.prog.mk>
Index: head/etc/pam.d/README
===================================================================
--- head/etc/pam.d/README
+++ head/etc/pam.d/README
@@ -1,62 +0,0 @@
-
-This directory contains configuration files for the Pluggable
-Authentication Modules (PAM) library.
-
-Each file details the module chain for a single service, and must be
-named after that service. If no configuration file is found for a
-particular service, the /etc/pam.d/other is used instead. If that
-file does not exist, /etc/pam.conf is searched for entries matching
-the specified service or, failing that, the "other" service.
-
-See the pam(3) manual page for an explanation of the workings of the
-PAM library and descriptions of the various files and modules. Below
-is a summary of the format for the pam.conf and /etc/pam.d/* files.
-
-Configuration lines take the following form:
-
-module-type control-flag module-path arguments
-
-Comments are introduced with a hash mark ('#'). Blank lines and lines
-consisting entirely of comments are ignored.
-
-The meanings of the different fields are as follows:
-
- module-type:
- auth: prompt for a password to authenticate that the user is
- who they say they are, and set any credentials.
- account: non-authentication based authorization, based on time,
- resources, etc.
- session: housekeeping before and/or after login.
- password: update authentication tokens.
-
- control-flag: How libpam handles success or failure of the module.
- required: success is required; on failure all remaining
- modules are run, but the request will be denied.
- requisite: success is required, and on failure no remaining
- modules are run.
- sufficient: success is sufficient, and if no previous required
- module failed, no remaining modules are run.
- binding: success is sufficient; on failure all remaining
- modules are run, but the request will be denied.
- optional: ignored unless the other modules return PAM_IGNORE.
-
- arguments: Module-specific options, plus some generic ones:
- debug: syslog debug info.
- no_warn: return no warning messages to the application.
- Remove this to feed back to the user the
- reason(s) they are being rejected.
- use_first_pass: try authentication using password from the
- preceding auth module.
- try_first_pass: first try authentication using password from
- the preceding auth module, and if that fails
- prompt for a new password.
- use_mapped_pass: convert cleartext password to a crypto key.
- expose_account: allow printing more info about the user when
- prompting.
-
-Note that having a "sufficient" module as the last entry for a
-particular service and module type may result in surprising behaviour.
-To get the intended semantics, add a "required" entry listing the
-pam_deny module at the end of the chain.
-
-$FreeBSD$
Index: head/etc/pam.d/atrun
===================================================================
--- head/etc/pam.d/atrun
+++ head/etc/pam.d/atrun
@@ -1,10 +0,0 @@
-#
-# $FreeBSD$
-#
-# PAM configuration for the "atrun" service
-#
-
-# Note well: enabling pam_nologin for atrun will currently result
-# in jobs discarded, not just delayed, during a no-login period.
-#account required pam_nologin.so
-account required pam_unix.so
Index: head/etc/pam.d/convert.pl
===================================================================
--- head/etc/pam.d/convert.pl
+++ head/etc/pam.d/convert.pl
@@ -1,89 +0,0 @@
-#!/usr/bin/perl -w
-#-
-# SPDX-License-Identifier: BSD-3-Clause
-#
-# Copyright (c) 2001,2002 Networks Associates Technologies, Inc.
-# All rights reserved.
-#
-# This software was developed for the FreeBSD Project by ThinkSec AS and
-# NAI Labs, the Security Research Division of Network Associates, Inc.
-# under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
-# DARPA CHATS research program.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions
-# are met:
-# 1. Redistributions of source code must retain the above copyright
-# notice, this list of conditions and the following disclaimer.
-# 2. Redistributions in binary form must reproduce the above copyright
-# notice, this list of conditions and the following disclaimer in the
-# documentation and/or other materials provided with the distribution.
-# 3. The name of the author may not be used to endorse or promote
-# products derived from this software without specific prior written
-# permission.
-#
-# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
-# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
-# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-# SUCH DAMAGE.
-#
-# $FreeBSD$
-#
-
-use strict;
-use Fcntl;
-use vars qw(%SERVICES);
-
-MAIN:{
- my $line;
- my $service;
- my $version;
- my $type;
- local *FILE;
-
- while (<>) {
- chomp();
- s/\s*$//;
- next unless m/^(\#*)(\w+)\s+(auth|account|session|password)\s+(\S.*)$/;
- $line = $1.$3;
- $line .= "\t" x ((16 - length($line) + 7) / 8);
- $line .= $4;
- push(@{$SERVICES{$2}->{$3}}, $line);
- }
-
- foreach $service (keys(%SERVICES)) {
- $version = '$' . 'FreeBSD' . '$';
- if (sysopen(FILE, $service, O_RDONLY)) {
- while (<FILE>) {
- next unless (m/(\$[F]reeBSD.*?\$)/);
- $version = $1;
- last;
- }
- close(FILE);
- }
- sysopen(FILE, $service, O_RDWR|O_CREAT|O_TRUNC)
- or die("$service: $!\n");
- print(FILE "#\n");
- print(FILE "# $version\n");
- print(FILE "#\n");
- print(FILE "# PAM configuration for the \"$service\" service\n");
- print(FILE "#\n");
- foreach $type (qw(auth account session password)) {
- next unless exists($SERVICES{$service}->{$type});
- print(FILE "\n");
- print(FILE "# $type\n");
- print(FILE join("\n", @{$SERVICES{$service}->{$type}}, ""));
- }
- close(FILE);
- warn("$service\n");
- }
-
- exit(0);
-}
Index: head/etc/pam.d/cron
===================================================================
--- head/etc/pam.d/cron
+++ head/etc/pam.d/cron
@@ -1,9 +0,0 @@
-#
-# $FreeBSD$
-#
-# PAM configuration for the "cron" service
-#
-
-# account
-account required pam_nologin.so
-account required pam_unix.so
Index: head/etc/pam.d/ftpd
===================================================================
--- head/etc/pam.d/ftpd
+++ head/etc/pam.d/ftpd
@@ -1,20 +0,0 @@
-#
-# $FreeBSD$
-#
-# PAM configuration for the "ftpd" service
-#
-
-# auth
-auth sufficient pam_opie.so no_warn no_fake_prompts
-auth requisite pam_opieaccess.so no_warn allow_local
-#auth sufficient pam_krb5.so no_warn
-#auth sufficient pam_ssh.so no_warn try_first_pass
-auth required pam_unix.so no_warn try_first_pass
-
-# account
-account required pam_nologin.so
-#account required pam_krb5.so
-account required pam_unix.so
-
-# session
-session required pam_permit.so
Index: head/etc/pam.d/imap
===================================================================
--- head/etc/pam.d/imap
+++ head/etc/pam.d/imap
@@ -1,14 +0,0 @@
-#
-# $FreeBSD$
-#
-# PAM configuration for the "imap" service
-#
-
-# auth
-#auth sufficient pam_krb5.so no_warn try_first_pass
-#auth sufficient pam_ssh.so no_warn try_first_pass
-auth required pam_unix.so no_warn try_first_pass
-
-# account
-#account required pam_nologin.so
-account required pam_unix.so
Index: head/etc/pam.d/login
===================================================================
--- head/etc/pam.d/login
+++ head/etc/pam.d/login
@@ -1,20 +0,0 @@
-#
-# $FreeBSD$
-#
-# PAM configuration for the "login" service
-#
-
-# auth
-auth sufficient pam_self.so no_warn
-auth include system
-
-# account
-account requisite pam_securetty.so
-account required pam_nologin.so
-account include system
-
-# session
-session include system
-
-# password
-password include system
Index: head/etc/pam.d/other
===================================================================
--- head/etc/pam.d/other
+++ head/etc/pam.d/other
@@ -1,25 +0,0 @@
-#
-# $FreeBSD$
-#
-# PAM configuration for the "other" service
-#
-
-# auth
-auth sufficient pam_opie.so no_warn no_fake_prompts
-auth requisite pam_opieaccess.so no_warn allow_local
-#auth sufficient pam_krb5.so no_warn try_first_pass
-#auth sufficient pam_ssh.so no_warn try_first_pass
-auth required pam_unix.so no_warn try_first_pass
-
-# account
-account required pam_nologin.so
-#account required pam_krb5.so
-account required pam_login_access.so
-account required pam_unix.so
-
-# session
-#session optional pam_ssh.so want_agent
-session required pam_permit.so
-
-# password
-password required pam_permit.so
Index: head/etc/pam.d/passwd
===================================================================
--- head/etc/pam.d/passwd
+++ head/etc/pam.d/passwd
@@ -1,11 +0,0 @@
-#
-# $FreeBSD$
-#
-# PAM configuration for the "passwd" service
-#
-
-# passwd(1) does not use the auth, account or session services.
-
-# password
-#password requisite pam_passwdqc.so enforce=users
-password required pam_unix.so no_warn try_first_pass nullok
Index: head/etc/pam.d/pop3
===================================================================
--- head/etc/pam.d/pop3
+++ head/etc/pam.d/pop3
@@ -1,14 +0,0 @@
-#
-# $FreeBSD$
-#
-# PAM configuration for the "pop3" service
-#
-
-# auth
-#auth sufficient pam_krb5.so no_warn try_first_pass
-#auth sufficient pam_ssh.so no_warn try_first_pass
-auth required pam_unix.so no_warn try_first_pass
-
-# account
-#account required pam_nologin.so
-account required pam_unix.so
Index: head/etc/pam.d/sshd
===================================================================
--- head/etc/pam.d/sshd
+++ head/etc/pam.d/sshd
@@ -1,26 +0,0 @@
-#
-# $FreeBSD$
-#
-# PAM configuration for the "sshd" service
-#
-
-# auth
-auth sufficient pam_opie.so no_warn no_fake_prompts
-auth requisite pam_opieaccess.so no_warn allow_local
-#auth sufficient pam_krb5.so no_warn try_first_pass
-#auth sufficient pam_ssh.so no_warn try_first_pass
-auth required pam_unix.so no_warn try_first_pass
-
-# account
-account required pam_nologin.so
-#account required pam_krb5.so
-account required pam_login_access.so
-account required pam_unix.so
-
-# session
-#session optional pam_ssh.so want_agent
-session required pam_permit.so
-
-# password
-#password sufficient pam_krb5.so no_warn try_first_pass
-password required pam_unix.so no_warn try_first_pass
Index: head/etc/pam.d/su
===================================================================
--- head/etc/pam.d/su
+++ head/etc/pam.d/su
@@ -1,17 +0,0 @@
-#
-# $FreeBSD$
-#
-# PAM configuration for the "su" service
-#
-
-# auth
-auth sufficient pam_rootok.so no_warn
-auth sufficient pam_self.so no_warn
-auth requisite pam_group.so no_warn group=wheel root_only fail_safe ruser
-auth include system
-
-# account
-account include system
-
-# session
-session required pam_permit.so
Index: head/etc/pam.d/system
===================================================================
--- head/etc/pam.d/system
+++ head/etc/pam.d/system
@@ -1,25 +0,0 @@
-#
-# $FreeBSD$
-#
-# System-wide defaults
-#
-
-# auth
-auth sufficient pam_opie.so no_warn no_fake_prompts
-auth requisite pam_opieaccess.so no_warn allow_local
-#auth sufficient pam_krb5.so no_warn try_first_pass
-#auth sufficient pam_ssh.so no_warn try_first_pass
-auth required pam_unix.so no_warn try_first_pass nullok
-
-# account
-#account required pam_krb5.so
-account required pam_login_access.so
-account required pam_unix.so
-
-# session
-#session optional pam_ssh.so want_agent
-session required pam_lastlog.so no_fail
-
-# password
-#password sufficient pam_krb5.so no_warn try_first_pass
-password required pam_unix.so no_warn try_first_pass
Index: head/etc/pam.d/telnetd
===================================================================
--- head/etc/pam.d/telnetd
+++ head/etc/pam.d/telnetd
@@ -1,26 +0,0 @@
-#
-# $FreeBSD$
-#
-# PAM configuration for the "telnetd" service
-#
-
-# auth
-auth sufficient pam_opie.so no_warn no_fake_prompts
-auth requisite pam_opieaccess.so no_warn allow_local
-#auth sufficient pam_krb5.so no_warn try_first_pass
-#auth sufficient pam_ssh.so no_warn try_first_pass
-auth required pam_unix.so no_warn try_first_pass
-
-# account
-account required pam_nologin.so
-#account required pam_krb5.so
-account required pam_login_access.so
-account required pam_unix.so
-
-# session
-#session optional pam_ssh.so want_agent
-session required pam_lastlog.so no_fail
-
-# password
-#password sufficient pam_krb5.so no_warn try_first_pass
-password required pam_unix.so no_warn try_first_pass
Index: head/etc/pam.d/xdm
===================================================================
--- head/etc/pam.d/xdm
+++ head/etc/pam.d/xdm
@@ -1,22 +0,0 @@
-#
-# $FreeBSD$
-#
-# PAM configuration for the "xdm" service
-#
-
-# auth
-#auth sufficient pam_krb5.so no_warn try_first_pass
-#auth sufficient pam_ssh.so no_warn try_first_pass
-auth required pam_unix.so no_warn try_first_pass
-
-# account
-account required pam_nologin.so
-#account required pam_krb5.so
-account required pam_unix.so
-
-# session
-#session required pam_ssh.so want_agent
-session required pam_lastlog.so no_fail
-
-# password
-password required pam_deny.so
Index: head/lib/libpam/Makefile
===================================================================
--- head/lib/libpam/Makefile
+++ head/lib/libpam/Makefile
@@ -25,7 +25,7 @@
# $FreeBSD$
# The modules link in libpam. They build the static modules as well.
-SUBDIR+= libpam modules
+SUBDIR+= libpam modules pam.d
SUBDIR_DEPEND_modules= libpam
SUBDIR+= static_libpam
SUBDIR_DEPEND_static_libpam= modules
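Review bot: `pam.d` is appended to SUBDIR with no comment, while the neighbouring entries document their ordering through `SUBDIR_DEPEND_modules` and `SUBDIR_DEPEND_static_libpam`. Since the new directory sets NO_OBJ and only installs configuration files, a dependency is probably unnecessary, but the comment above this line should gain a sentence saying that pam.d holds the /etc/pam.d configuration files and has no build dependency on libpam or the modules.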
Index: head/lib/libpam/pam.d/Makefile
===================================================================
--- head/lib/libpam/pam.d/Makefile
+++ head/lib/libpam/pam.d/Makefile
@@ -0,0 +1,39 @@
+# $FreeBSD$
+
+.include <src.opts.mk>
+
+NO_OBJ=
+
+CONFGROUPS= CONFS
+CONFS= README \
+ cron \
+ imap \
+ login \
+ other \
+ passwd pop3 \
+ sshd su system \
+ xdm
+
+CONFDIR= /etc/pam.d
+CONFSMODE_README= 444
+
+.if ${MK_AT} != "no"
+CONFGROUPS+= AT
+AT+= atrun
+ATPACKAGE+= at
+.endif
+
+.if ${MK_FTP} != "no"
+CONFGROUPS+= FTP
+FTP+= ftpd
+FTPPACKAGE+= ftp
+LINKS= ${FILESDIR}/ftpd ${FILESDIR}/ftp
+.endif
+
+.if ${MK_TELNET} != "no"
+CONFGROUPS+= TELNET
+TELNET+= telnetd
+TELNETPACKAGE+= telnet
+.endif
+
+.include <bsd.prog.mk>
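Review bot: the FTP block still reads `LINKS= ${FILESDIR}/ftpd ${FILESDIR}/ftp`, but this Makefile never sets FILESDIR (the removed etc/pam.d/Makefile had `FILESDIR= /etc/pam.d`; this one sets `CONFDIR= /etc/pam.d` instead), so the link paths no longer resolve to /etc/pam.d/ftpd and /etc/pam.d/ftp. It should be `LINKS= ${CONFDIR}/ftpd ${CONFDIR}/ftp`. Separately, the AT, FTP and TELNET groups used to set their own DIR and MODE from FILESDIR and FILESMODE and now set neither; please confirm these groups inherit CONFDIR and the intended 644 mode by default, otherwise atrun, ftpd and telnetd are installed somewhere other than /etc/pam.d.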
Index: head/lib/libpam/pam.d/README
===================================================================
--- head/lib/libpam/pam.d/README
+++ head/lib/libpam/pam.d/README
@@ -0,0 +1,62 @@
+
+This directory contains configuration files for the Pluggable
+Authentication Modules (PAM) library.
+
+Each file details the module chain for a single service, and must be
+named after that service. If no configuration file is found for a
+particular service, the /etc/pam.d/other is used instead. If that
+file does not exist, /etc/pam.conf is searched for entries matching
+the specified service or, failing that, the "other" service.
+
+See the pam(3) manual page for an explanation of the workings of the
+PAM library and descriptions of the various files and modules. Below
+is a summary of the format for the pam.conf and /etc/pam.d/* files.
+
+Configuration lines take the following form:
+
+module-type control-flag module-path arguments
+
+Comments are introduced with a hash mark ('#'). Blank lines and lines
+consisting entirely of comments are ignored.
+
+The meanings of the different fields are as follows:
+
+ module-type:
+ auth: prompt for a password to authenticate that the user is
+ who they say they are, and set any credentials.
+ account: non-authentication based authorization, based on time,
+ resources, etc.
+ session: housekeeping before and/or after login.
+ password: update authentication tokens.
+
+ control-flag: How libpam handles success or failure of the module.
+ required: success is required; on failure all remaining
+ modules are run, but the request will be denied.
+ requisite: success is required, and on failure no remaining
+ modules are run.
+ sufficient: success is sufficient, and if no previous required
+ module failed, no remaining modules are run.
+ binding: success is sufficient; on failure all remaining
+ modules are run, but the request will be denied.
+ optional: ignored unless the other modules return PAM_IGNORE.
+
+ arguments: Module-specific options, plus some generic ones:
+ debug: syslog debug info.
+ no_warn: return no warning messages to the application.
+ Remove this to feed back to the user the
+ reason(s) they are being rejected.
+ use_first_pass: try authentication using password from the
+ preceding auth module.
+ try_first_pass: first try authentication using password from
+ the preceding auth module, and if that fails
+ prompt for a new password.
+ use_mapped_pass: convert cleartext password to a crypto key.
+ expose_account: allow printing more info about the user when
+ prompting.
+
+Note that having a "sufficient" module as the last entry for a
+particular service and module type may result in surprising behaviour.
+To get the intended semantics, add a "required" entry listing the
+pam_deny module at the end of the chain.
+
+$FreeBSD$
Index: head/lib/libpam/pam.d/atrun
===================================================================
--- head/lib/libpam/pam.d/atrun
+++ head/lib/libpam/pam.d/atrun
@@ -0,0 +1,10 @@
+#
+# $FreeBSD$
+#
+# PAM configuration for the "atrun" service
+#
+
+# Note well: enabling pam_nologin for atrun will currently result
+# in jobs discarded, not just delayed, during a no-login period.
+#account required pam_nologin.so
+account required pam_unix.so
Index: head/lib/libpam/pam.d/convert.pl
===================================================================
--- head/lib/libpam/pam.d/convert.pl
+++ head/lib/libpam/pam.d/convert.pl
@@ -0,0 +1,89 @@
+#!/usr/bin/perl -w
+#-
+# SPDX-License-Identifier: BSD-3-Clause
+#
+# Copyright (c) 2001,2002 Networks Associates Technologies, Inc.
+# All rights reserved.
+#
+# This software was developed for the FreeBSD Project by ThinkSec AS and
+# NAI Labs, the Security Research Division of Network Associates, Inc.
+# under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
+# DARPA CHATS research program.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+# 3. The name of the author may not be used to endorse or promote
+# products derived from this software without specific prior written
+# permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $FreeBSD$
+#
+
+use strict;
+use Fcntl;
+use vars qw(%SERVICES);
+
+MAIN:{
+ my $line;
+ my $service;
+ my $version;
+ my $type;
+ local *FILE;
+
+ while (<>) {
+ chomp();
+ s/\s*$//;
+ next unless m/^(\#*)(\w+)\s+(auth|account|session|password)\s+(\S.*)$/;
+ $line = $1.$3;
+ $line .= "\t" x ((16 - length($line) + 7) / 8);
+ $line .= $4;
+ push(@{$SERVICES{$2}->{$3}}, $line);
+ }
+
+ foreach $service (keys(%SERVICES)) {
+ $version = '$' . 'FreeBSD' . '$';
+ if (sysopen(FILE, $service, O_RDONLY)) {
+ while (<FILE>) {
+ next unless (m/(\$[F]reeBSD.*?\$)/);
+ $version = $1;
+ last;
+ }
+ close(FILE);
+ }
+ sysopen(FILE, $service, O_RDWR|O_CREAT|O_TRUNC)
+ or die("$service: $!\n");
+ print(FILE "#\n");
+ print(FILE "# $version\n");
+ print(FILE "#\n");
+ print(FILE "# PAM configuration for the \"$service\" service\n");
+ print(FILE "#\n");
+ foreach $type (qw(auth account session password)) {
+ next unless exists($SERVICES{$service}->{$type});
+ print(FILE "\n");
+ print(FILE "# $type\n");
+ print(FILE join("\n", @{$SERVICES{$service}->{$type}}, ""));
+ }
+ close(FILE);
+ warn("$service\n");
+ }
+
+ exit(0);
+}
Index: head/lib/libpam/pam.d/cron
===================================================================
--- head/lib/libpam/pam.d/cron
+++ head/lib/libpam/pam.d/cron
@@ -0,0 +1,9 @@
+#
+# $FreeBSD$
+#
+# PAM configuration for the "cron" service
+#
+
+# account
+account required pam_nologin.so
+account required pam_unix.so
Index: head/lib/libpam/pam.d/ftpd
===================================================================
--- head/lib/libpam/pam.d/ftpd
+++ head/lib/libpam/pam.d/ftpd
@@ -0,0 +1,20 @@
+#
+# $FreeBSD$
+#
+# PAM configuration for the "ftpd" service
+#
+
+# auth
+auth sufficient pam_opie.so no_warn no_fake_prompts
+auth requisite pam_opieaccess.so no_warn allow_local
+#auth sufficient pam_krb5.so no_warn
+#auth sufficient pam_ssh.so no_warn try_first_pass
+auth required pam_unix.so no_warn try_first_pass
+
+# account
+account required pam_nologin.so
+#account required pam_krb5.so
+account required pam_unix.so
+
+# session
+session required pam_permit.so
Index: head/lib/libpam/pam.d/imap
===================================================================
--- head/lib/libpam/pam.d/imap
+++ head/lib/libpam/pam.d/imap
@@ -0,0 +1,14 @@
+#
+# $FreeBSD$
+#
+# PAM configuration for the "imap" service
+#
+
+# auth
+#auth sufficient pam_krb5.so no_warn try_first_pass
+#auth sufficient pam_ssh.so no_warn try_first_pass
+auth required pam_unix.so no_warn try_first_pass
+
+# account
+#account required pam_nologin.so
+account required pam_unix.so
Index: head/lib/libpam/pam.d/login
===================================================================
--- head/lib/libpam/pam.d/login
+++ head/lib/libpam/pam.d/login
@@ -0,0 +1,20 @@
+#
+# $FreeBSD$
+#
+# PAM configuration for the "login" service
+#
+
+# auth
+auth sufficient pam_self.so no_warn
+auth include system
+
+# account
+account requisite pam_securetty.so
+account required pam_nologin.so
+account include system
+
+# session
+session include system
+
+# password
+password include system
Index: head/lib/libpam/pam.d/other
===================================================================
--- head/lib/libpam/pam.d/other
+++ head/lib/libpam/pam.d/other
@@ -0,0 +1,25 @@
+#
+# $FreeBSD$
+#
+# PAM configuration for the "other" service
+#
+
+# auth
+auth sufficient pam_opie.so no_warn no_fake_prompts
+auth requisite pam_opieaccess.so no_warn allow_local
+#auth sufficient pam_krb5.so no_warn try_first_pass
+#auth sufficient pam_ssh.so no_warn try_first_pass
+auth required pam_unix.so no_warn try_first_pass
+
+# account
+account required pam_nologin.so
+#account required pam_krb5.so
+account required pam_login_access.so
+account required pam_unix.so
+
+# session
+#session optional pam_ssh.so want_agent
+session required pam_permit.so
+
+# password
+password required pam_permit.so
Index: head/lib/libpam/pam.d/passwd
===================================================================
--- head/lib/libpam/pam.d/passwd
+++ head/lib/libpam/pam.d/passwd
@@ -0,0 +1,11 @@
+#
+# $FreeBSD$
+#
+# PAM configuration for the "passwd" service
+#
+
+# passwd(1) does not use the auth, account or session services.
+
+# password
+#password requisite pam_passwdqc.so enforce=users
+password required pam_unix.so no_warn try_first_pass nullok
Index: head/lib/libpam/pam.d/pop3
===================================================================
--- head/lib/libpam/pam.d/pop3
+++ head/lib/libpam/pam.d/pop3
@@ -0,0 +1,14 @@
+#
+# $FreeBSD$
+#
+# PAM configuration for the "pop3" service
+#
+
+# auth
+#auth sufficient pam_krb5.so no_warn try_first_pass
+#auth sufficient pam_ssh.so no_warn try_first_pass
+auth required pam_unix.so no_warn try_first_pass
+
+# account
+#account required pam_nologin.so
+account required pam_unix.so
Index: head/lib/libpam/pam.d/sshd
===================================================================
--- head/lib/libpam/pam.d/sshd
+++ head/lib/libpam/pam.d/sshd
@@ -0,0 +1,26 @@
+#
+# $FreeBSD$
+#
+# PAM configuration for the "sshd" service
+#
+
+# auth
+auth sufficient pam_opie.so no_warn no_fake_prompts
+auth requisite pam_opieaccess.so no_warn allow_local
+#auth sufficient pam_krb5.so no_warn try_first_pass
+#auth sufficient pam_ssh.so no_warn try_first_pass
+auth required pam_unix.so no_warn try_first_pass
+
+# account
+account required pam_nologin.so
+#account required pam_krb5.so
+account required pam_login_access.so
+account required pam_unix.so
+
+# session
+#session optional pam_ssh.so want_agent
+session required pam_permit.so
+
+# password
+#password sufficient pam_krb5.so no_warn try_first_pass
+password required pam_unix.so no_warn try_first_pass
Index: head/lib/libpam/pam.d/su
===================================================================
--- head/lib/libpam/pam.d/su
+++ head/lib/libpam/pam.d/su
@@ -0,0 +1,17 @@
+#
+# $FreeBSD$
+#
+# PAM configuration for the "su" service
+#
+
+# auth
+auth sufficient pam_rootok.so no_warn
+auth sufficient pam_self.so no_warn
+auth requisite pam_group.so no_warn group=wheel root_only fail_safe ruser
+auth include system
+
+# account
+account include system
+
+# session
+session required pam_permit.so
Index: head/lib/libpam/pam.d/system
===================================================================
--- head/lib/libpam/pam.d/system
+++ head/lib/libpam/pam.d/system
@@ -0,0 +1,25 @@
+#
+# $FreeBSD$
+#
+# System-wide defaults
+#
+
+# auth
+auth sufficient pam_opie.so no_warn no_fake_prompts
+auth requisite pam_opieaccess.so no_warn allow_local
+#auth sufficient pam_krb5.so no_warn try_first_pass
+#auth sufficient pam_ssh.so no_warn try_first_pass
+auth required pam_unix.so no_warn try_first_pass nullok
+
+# account
+#account required pam_krb5.so
+account required pam_login_access.so
+account required pam_unix.so
+
+# session
+#session optional pam_ssh.so want_agent
+session required pam_lastlog.so no_fail
+
+# password
+#password sufficient pam_krb5.so no_warn try_first_pass
+password required pam_unix.so no_warn try_first_pass
Index: head/lib/libpam/pam.d/telnetd
===================================================================
--- head/lib/libpam/pam.d/telnetd
+++ head/lib/libpam/pam.d/telnetd
@@ -0,0 +1,26 @@
+#
+# $FreeBSD$
+#
+# PAM configuration for the "telnetd" service
+#
+
+# auth
+auth sufficient pam_opie.so no_warn no_fake_prompts
+auth requisite pam_opieaccess.so no_warn allow_local
+#auth sufficient pam_krb5.so no_warn try_first_pass
+#auth sufficient pam_ssh.so no_warn try_first_pass
+auth required pam_unix.so no_warn try_first_pass
+
+# account
+account required pam_nologin.so
+#account required pam_krb5.so
+account required pam_login_access.so
+account required pam_unix.so
+
+# session
+#session optional pam_ssh.so want_agent
+session required pam_lastlog.so no_fail
+
+# password
+#password sufficient pam_krb5.so no_warn try_first_pass
+password required pam_unix.so no_warn try_first_pass
Index: head/lib/libpam/pam.d/xdm
===================================================================
--- head/lib/libpam/pam.d/xdm
+++ head/lib/libpam/pam.d/xdm
@@ -0,0 +1,22 @@
+#
+# $FreeBSD$
+#
+# PAM configuration for the "xdm" service
+#
+
+# auth
+#auth sufficient pam_krb5.so no_warn try_first_pass
+#auth sufficient pam_ssh.so no_warn try_first_pass
+auth required pam_unix.so no_warn try_first_pass
+
+# account
+account required pam_nologin.so
+#account required pam_krb5.so
+account required pam_unix.so
+
+# session
+#session required pam_ssh.so want_agent
+session required pam_lastlog.so no_fail
+
+# password
+password required pam_deny.so
