Index: head/etc/pam.conf
===================================================================
--- head/etc/pam.conf (revision 82360)
+++ head/etc/pam.conf (revision 82361)
@@ -1,164 +1,186 @@
 # Configuration file for Pluggable Authentication Modules (PAM).
 #
 # This file controls the authentication methods that login and other
 # utilities use. See pam(8) for a description of its format.
 #
 # $FreeBSD$
 #
 # service-name module-type control-flag module-path arguments
 #
 # module-type:
 # auth: prompt for a password to authenticate that the user is
 # who they say they are, and set any credentials.
 # account: non-authentication based authorization, based on time,
 # resources, etc.
 # session: housekeeping before and/or after login.
 # password: update authentication tokens.
 #
 # control-flag: How libpam handles success or failure of the module.
 # required: success is required, and on failure all remaining
 # modules are run.
 # requisite: success is required, and on failure no remaining
 # modules are run.
 # sufficient: success is sufficient, and if no previous required
 # module failed, no remaining modules are run.
 # optional: ignored unless the other modules return PAM_IGNORE.
 #
 # arguments:
 # Passed to the module; module-specific plus some generic ones:
 # debug: syslog debug info.
 # no_warn: return no warning messages to the application.
 # Remove this to feed back to the user the
 # reason(s) they are being rejected.
 # use_first_pass: try authentication using password from the
 # preceding auth module.
 # try_first_pass: first try authentication using password from
 # the preceding auth module, and if that fails
 # prompt for a new password.
 # use_mapped_pass: convert cleartext password to a crypto key.
 # expose_account: allow printing more info about the user when
 # prompting.
 #
 # Each final entry must say "required" -- otherwise, things don't
 # work quite right. If you delete a final entry, be sure to change
 # "sufficient" to "required" in the entry before it.
 login auth required pam_nologin.so no_warn
+#login auth sufficient pam_opie.so no_warn
 #login auth sufficient pam_kerberosIV.so no_warn try_first_pass
 #login auth sufficient pam_krb5.so no_warn try_first_pass
-#login auth sufficient pam_opie.so no_warn
 #login auth required pam_ssh.so no_warn try_first_pass
 login auth required pam_unix.so no_warn try_first_pass
 #login account required pam_kerberosIV.so
 #login account required pam_krb5.so
-login account required pam_permit.so
+#login account required pam_ssh.so
+login account required pam_unix.so
 #login session required pam_kerberosIV.so
 #login session required pam_krb5.so
-login session required pam_permit.so
-login password required pam_permit.so
+#login session required pam_ssh.so
+login session required pam_unix.so
+#login password sufficient pam_opie.so no_warn
+#login password sufficient pam_kerberosIV.so no_warn try_first_pass
+#login password sufficient pam_krb5.so no_warn try_first_pass
+login password required pam_unix.so no_warn try_first_pass
 rsh auth required pam_nologin.so no_warn
 rsh auth required pam_permit.so no_warn
 rsh account required pam_unix.so
 rsh session required pam_permit.so
 # "Standard" su(1) policy.
 su auth sufficient pam_rootok.so no_warn
-su auth requisite pam_wheel.so no_warn auth_as_self
+su auth requisite pam_wheel.so no_warn auth_as_self noroot_ok
 #su auth sufficient pam_kerberosIV.so no_warn
 #su auth sufficient pam_krb5.so no_warn try_first_pass auth_as_self
 #su auth required pam_opie.so no_warn
 #su auth required pam_ssh.so no_warn try_first_pass
 su auth required pam_unix.so no_warn try_first_pass nullok
 #su account required pam_kerberosIV.so
 #su account required pam_krb5.so
+#su account required pam_ssh.so
 su account required pam_unix.so
 #su session required pam_kerberosIV.so
 #su session required pam_krb5.so
+#su session required pam_ssh.so
+su session required pam_unix.so
 su password required pam_permit.so
-su session required pam_permit.so
 # If you want a "WHEELSU"-type su(1), then comment out the
 # above, and uncomment the below "su" entries.
 #su auth sufficient pam_rootok.so no_warn
 ##su auth sufficient pam_kerberosIV.so no_warn
 ##su auth sufficient pam_krb5.so no_warn
 #su auth required pam_opie.so no_warn auth_as_self
 #su auth required pam_unix.so no_warn try_first_pass auth_as_self
 ##su account required pam_kerberosIV.so
 ##su account required pam_krb5.so
+##su account required pam_ssh.so
 #su account required pam_unix.so
 ##su session required pam_kerberosIV.so
 ##su session required pam_krb5.so
+##su session required pam_ssh.so
+#su session required pam_unix.so
 #su password required pam_permit.so
-#su session required pam_permit.so
 # Native ftpd.
 ftpd auth required pam_nologin.so no_warn
 #ftpd auth sufficient pam_kerberosIV.so no_warn
 #ftpd auth sufficient pam_krb5.so no_warn
 #ftpd auth required pam_opie.so no_warn
 #ftpd auth required pam_ssh.so no_warn try_first_pass
 ftpd auth required pam_unix.so no_warn try_first_pass
 #ftpd account required pam_kerberosIV.so
 #ftpd account required pam_krb5.so
+#ftpd account required pam_ssh.so
 ftpd account required pam_unix.so
 #ftpd session required pam_kerberosIV.so
 #ftpd session required pam_krb5.so
+#ftpd session required pam_ssh.so
+ftpd session required pam_unix.so
 # PROftpd.
 ftp auth required pam_nologin.so no_warn
 #ftp auth sufficient pam_kerberosIV.so no_warn
 #ftp auth sufficient pam_krb5.so no_warn
 #ftp auth required pam_opie.so no_warn
 #ftp auth required pam_ssh.so no_warn try_first_pass
 ftp auth required pam_unix.so no_warn try_first_pass
 #ftp account required pam_kerberosIV.so
 #ftp account required pam_krb5.so
-ftp session required pam_unix.so
+#ftp account required pam_ssh.so
+ftp account required pam_unix.so
 #ftp session required pam_kerberosIV.so
 #ftp session required pam_krb5.so
+#ftp session required pam_ssh.so
+ftp session required pam_unix.so
 # OpenSSH
 sshd auth required pam_nologin.so no_warn
 sshd auth required pam_unix.so no_warn try_first_pass
 sshd account required pam_unix.so
-sshd password required pam_permit.so
 sshd session required pam_permit.so
+sshd password required pam_permit.so
 # "csshd" is for challenge-based authentication with sshd (TIS auth, etc.)
 csshd auth required pam_opie.so no_warn
 # SRA telnet. Non-SRA telnet uses 'login'.
 telnetd auth required pam_nologin.so no_warn
 telnetd auth required pam_unix.so no_warn try_first_pass
 telnetd account required pam_unix.so
 # Don't break startx
 xserver auth required pam_permit.so no_warn
-# XDM is difficult; it fails or moans unless there are modules for each
-# of the four management groups; auth, account, session and password.
+# XDM
 xdm auth required pam_nologin.so no_warn
 #xdm auth sufficient pam_kerberosIV.so no_warn try_first_pass
 #xdm auth sufficient pam_krb5.so no_warn try_first_pass
-#xdm auth required pam_ssh.so no_warn try_first_pass
+#xdm auth sufficient pam_ssh.so no_warn try_first_pass
 xdm auth required pam_unix.so no_warn try_first_pass
+#xdm account required pam_kerberosIV.so
+#xdm account required pam_krb5.so
+#xdm account required pam_ssh.so
 xdm account required pam_unix.so
-xdm session required pam_deny.so
+#xdm session required pam_kerberosIV.so
+#xdm session required pam_krb5.so
+#xdm session required pam_ssh.so
+xdm session required pam_unix.so
 xdm password required pam_deny.so
 # Mail services
 #imap auth required pam_nologin.so no_warn
 #imap auth required pam_opie.so no_warn
 #imap auth required pam_ssh.so no_warn try_first_pass
 #imap auth required pam_unix.so no_warn try_first_pass
 #pop3 auth required pam_nologin.so no_warn
 #pop3 auth required pam_opie.so no_warn
 #pop3 auth required pam_ssh.so no_warn try_first_pass
 #pop3 auth required pam_unix.so no_warn try_first_pass
 # If we don't match anything else, default to using OPIE or getpwnam().
 other auth required pam_nologin.so no_warn
 #other auth required pam_opie.so no_warn
 other auth required pam_unix.so no_warn try_first_pass
 other account required pam_unix.so
+other session required pam_unix.so
+other password required pam_deny.so
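Review bot: The `noroot_ok` added to `su auth requisite pam_wheel.so no_warn auth_as_self noroot_ok` changes who passes the wheel gate, and nothing in the file says so; going by the option name and pam_wheel(8) it appears to skip the wheel-group check whenever the target user is not root, which deserves a comment on that line such as `# noroot_ok: wheel membership is only enforced when switching to root`. That relaxation interacts with the unchanged `nullok` on the next active line, `su auth required pam_unix.so no_warn try_first_pass nullok`: if both options mean what their names suggest, a user outside wheel can su to any non-root account with an empty password field without typing anything, so either `nullok` should go or the combination should be called out as intended. On a smaller point, the comment above the fallback stanza still reads "default to using OPIE or getpwnam()" although the hunk now also adds `other session required pam_unix.so` and `other password required pam_deny.so`, meaning password changes through an unlisted service are refused outright; a short line noting that default-deny would spare the next reader a surprise.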