359117 | 19-Mar-2020 | cy
MFC r358070:
This commit makes significant changes to pam_login_access(8) to bring it up to par with the Linux pam_access(8).
Like the Linux pam_access(8), our pam_login_access(8) is a service module for pam(3) that allows an administrator to limit access from specified remote hosts or terminals. Unlike the Linux pam_access, pam_login_access is missing some features which are added by this commit:
- Access file can now be specified. The default remains /etc/access.conf. The syntax is consistent with Linux pam_access.
- By default usernames are matched. If the username fails to match, a match against a group name is attempted. The new nodefgroup module option will only match a username and no attempt to match a group name is made. Group names must be specified in brackets, "()", when nodefgroup is specified. Otherwise the old backward compatible behavior is used. This is consistent with Linux pam_access.
- A new field separator module option allows the replacement of the default colon (:) with any other character. This facilitates potential future specification of X displays. This is also consistent with Linux pam_access.
- A new list separator module option to replace the default space/comma/tab with another character. This too is consistent with Linux pam_access.
Linux pam_access options not implemented in this commit are the debug and audit options. These will be implemented at a later date.
Reviewed by: bjk, bcr (for manpages)
Approved by: des (blanket, implicit)
Differential Revision: https://reviews.freebsd.org/D23198

331722 | 29-Mar-2018 | eadler
Revert r330897:
This was intended to be a non-functional change. It wasn't. The commit message was thus wrong. In addition it broke arm, and merged crypto related code.
Revert with prejudice.
This revert skips files touched in r316370 since that commit was since MFCed. This revert also skips files that require $FreeBSD$ property changes.
Thank you to those who helped me get out of this mess including but not limited to gonzo, kevans, rgrimes.
Requested by: gjb (re)

330897 | 14-Mar-2018 | eadler
Partial merge of the SPDX changes
These changes are incomplete but are making it difficult to determine what other changes can/should be merged.
No objections from: pfg

302408 | 07-Jul-2016 | gjb
Copy head@r302406 to stable/11 as part of the 11.0-RELEASE cycle. Prune svn:mergeinfo from the new branch, as nothing has been merged here.
Additional commits post-branch will follow.
Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation

272348 | 01-Oct-2014 | des
Consistently cast tty and user to const char * in printf()-like contexts.

272281 | 29-Sep-2014 | bz
Hopefully fix build breakage with gcc passing void * instead of char * to "%s" format string after r272280.
PR: 83099 193927
MFC after: 3 days
X-MFC with: r272280

272280 | 29-Sep-2014 | des
Instead of failing when neither PAM_TTY nor PAM_RHOST are available, call login_access() with "**unknown**" as the second argument. This will allow "ALL" rules to match.
Reported by: Tim Daneliuk <tundra@tundraware.com>
Tested by: dim@
PR: 83099 193927
MFC after: 3 days

271617 | 15-Sep-2014 | des
r271256 fixed one segfault condition but introduced another due to the wrong operator being used in the tty check.
Reported by: avg@
MFH: 3 days

271256 | 08-Sep-2014 | des
Fail rather than segfault if neither PAM_TTY nor PAM_RHOST is set.
PR: 83099
MFC after: 3 days

125650 | 10-Feb-2004 | des
Fix numerous constness and aliasing issues.

123448 | 11-Dec-2003 | des
Fix strict aliasing breakage in PAM modules (except pam_krb5, which needs more work than the others). This should make most modules build with -O2.

114264 | 29-Apr-2003 | des
Treat an empty PAM_RHOST the same as a NULL one.
PR: bin/51508

94564 | 12-Apr-2002 | des
Major cleanup:
- add __unused where appropriate
- PAM_RETURN -> return since OpenPAM already logs the return value.
- make PAM_LOG use openpam_log()
- make PAM_VERBOSE_ERROR use openpam_get_option() and check flags for PAM_SILENT
- remove dummy functions since OpenPAM handles missing service functions
- fix various warnings
Sponsored by: DARPA, NAI Labs

92297 | 14-Mar-2002 | des
NAI DBA update.

90229 | 05-Feb-2002 | des
#include cleanup.
Sponsored by: DARPA, NAI Labs

90145 | 03-Feb-2002 | markm
WARNS=n fixes (and some stylistic issues).

89760 | 24-Jan-2002 | markm
WARNS=4 fixes. Protect with NO_WERROR for the modules that have warnings that are hard to fix or that I've been asked to leave alone.

89744 | 24-Jan-2002 | des
Correctly interpret PAM_RHOST being unset as an indicator of a local login.

89727 | 24-Jan-2002 | des
Fix some pastos. Rather shoddy of me...
Sponsored by: DARPA, NAI Labs

89707 | 23-Jan-2002 | des
Add a PAM module that provides an account management component for checking either PAM_RHOST or PAM_TTY against /etc/login.access.
This uncovers a problem with PAM_RHOST, in that if we always set it, there is no way to distinguish between a user logging in locally and a user logging in using 'ssh localhost'. This will be fixed by first making sure that all PAM modules can handle PAM_RHOST being unset (which is currently not the case), and then modifying su(1) and login(1) to not set it for local logins.
Sponsored by: DARPA, NAI Labs