Copy stable/10@r272459 to releng/10.1 as part of
the 10.1-RELEASE process.

Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation

Copy head (r256279) to stable/10 as part of the 10.0-RELEASE cycle.

Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation

Now pam_nologin(8) will provide an account management function
instead of an authentication function. There are a design reason
and a practical reason for that. First, the module belongs in
account management because it checks availability of the account
and does no authentication. Second, there are existing and potential
PAM consumers that skip PAM authentication for good or for bad.
E.g., sshd(8) just prefers internal routines for public key auth;
OTOH, cron(8) and atrun(8) do implicit authentication when running
a job on behalf of its owner, so their inability to use PAM auth
is fundamental, but they can benefit from PAM account management.

Document this change in the manpage.

Modify /etc/pam.d files accordingly, so that pam_nologin.so is listed
under the "account" function class.

Bump __FreeBSD_version (mostly for ports, as this change should be
invisible to C code outside pam_nologin.)

PR: bin/112574
Approved by: des, re

Add a system policy, and have the login and su policies include it rather
than duplicate it. This requires OpenPAM Dianthus, which was committed two
weeks ago; installing these files on a system running a world older than
June 1st, 2003 will cause login(1) and su(1) to fail.

The PAM module pam_krb5 does not have "session" capabilities.
Don't give examples of such use, this is bogus.

Initiate KerberosIV de-orbit burn. Disconnect the /etc configs.

Add the allow_local option to all pam_opieaccess entries.

Major cleanup & homogenization.

Use pam_lastlog(8)'s new no_fail option.

Sponsored by: DARPA, NAI Labs

Don't list pam_unix in the session chain, since it does not provide any
session management services.

Sponsored by: DARPA, NAI Labs

If used, pam_ssh should be marked "sufficient", not "required".

Sponsored by: DARPA, NAI Labs

Add missing "nullok" option to pam_unix.

Add pam_self(8) so users can login(1) as themselves without authentication,
pam_login_access(8) and pam_securetty(8) to enforce various checks
previously done by login(1) but now handled by PAM, and pam_lastlog(8) to
record login sessions in utmp / wtmp / lastlog.

Sponsored by: DARPA, NAI Labs

Enable OPIE by default, using the no_fake_prompts option to hide it from
users who don't wish to use it. If the admin is worried about leaking
information about which users exist and which have OPIE enabled, the
no_fake_prompts option can simply be removed.

Also insert the appropriate pam_opieaccess lines after pam_opie to break
the chain in case the user is logging in from an untrusted host, or has a
.opiealways file. The entire opieaccess / opiealways concept is slightly
unpammish, but admins familiar with OPIE will expect it to work.

Reviewed by: ache, markm
Sponsored by: DARPA, NAI Labs

Really back out ache's commits. These files are now precisely as they were
twentyfour hours ago, except for RCS ids.

Back out recent changes

Turn on pam_opie by default. It not affect non-OPIE users

Awright, egg on my face. I should have taken more time with this. The
conversion script generated the wrong format, so the configuration files
didn't actually work. Good thing I hadn't thrown the switch yet...

Sponsored by: DARPA, NAI Labs (but the f***ups are all mine)

pam.d-style configuration, auto-generated from pam.conf.

Sponsored by: DARPA, NAI Labs