| #
359117 |
|
19-Mar-2020 |
cy |
MFC r358070:
This commit makes significant changes to pam_login_access(8) to bring it
up to par with the Linux pam_access(8).
Like the Linux pam_access(8) our pam_login_access(8) is a service module
for pam(3) that allows a administrator to limit access from specified
remote hosts or terminals. Unlike the Linux pam_access, pam_login_access
is missing some features which are added by this commit:
Access file can now be specified. The default remains /etc/access.conf.
The syntax is consistent with Linux pam_access.
By default usernames are matched. If the username fails to match a match
against a group name is attempted. The new nodefgroup module option will
only match a username and no attempt to match a group name is made.
Group names must be specified in brackets, "()" when nodefgroup is
specified. Otherwise the old backward compatible behavior is used.
This is consistent with Linux pam_access.
A new field separator module option allows the replacement of the default
colon (:) with any other character. This facilitates potential future
specification of X displays. This is also consistent with Linux pam_access.
A new list separator module option to replace the default space/comma/tab
with another character. This too is consistent with Linux pam_access.
Linux pam_access options not implemented in this commit are the debug
and audit options. These will be implemented at a later date.
Reviewed by: bjk, bcr (for manpages)
Approved by: des (blanket, implicit)
Differential Revision: https://reviews.freebsd.org/D23198
|
| #
331722 |
|
29-Mar-2018 |
eadler |
Revert r330897:
This was intended to be a non-functional change. It wasn't. The commit
message was thus wrong. In addition it broke arm, and merged crypto
related code.
Revert with prejudice.
This revert skips files touched in r316370 since that commit was since
MFCed. This revert also skips files that require $FreeBSD$ property
changes.
Thank you to those who helped me get out of this mess including but not
limited to gonzo, kevans, rgrimes.
Requested by: gjb (re)
|
| #
330897 |
|
14-Mar-2018 |
eadler |
Partial merge of the SPDX changes
These changes are incomplete but are making it difficult
to determine what other changes can/should be merged.
No objections from: pfg
|
| #
302408 |
|
07-Jul-2016 |
gjb |
Copy head@r302406 to stable/11 as part of the 11.0-RELEASE cycle.
Prune svn:mergeinfo from the new branch, as nothing has been merged
here.
Additional commits post-branch will follow.
Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation |
| #
272348 |
|
01-Oct-2014 |
des |
Consistently cast tty and user to const char * in printf()-like contexts.
|
| #
272281 |
|
29-Sep-2014 |
bz |
Hopefully fix build breakage with gcc passing void * instead of char *
to "%s" format string after r272280.
PR: 83099 193927
MFC after: 3 days
X-MFC with: r272280
|
| #
272280 |
|
29-Sep-2014 |
des |
Instead of failing when neither PAM_TTY nor PAM_RHOST are available, call
login_access() with "**unknown**" as the second argument. This will allow
"ALL" rules to match.
Reported by: Tim Daneliuk <tundra@tundraware.com>
Tested by: dim@
PR: 83099 193927
MFC after: 3 days
|
| #
271617 |
|
15-Sep-2014 |
des |
r271256 fixed one segfault condition but introduced another due to the
wrong operator being used in the tty check.
Reported by: avg@
MFH: 3 days
|
| #
271256 |
|
08-Sep-2014 |
des |
Fail rather than segfault if neither PAM_TTY nor PAM_RHOST is set.
PR: 83099
MFC after: 3 days
|
| #
125650 |
|
10-Feb-2004 |
des |
Fix numerous constness and aliasing issues.
|
| #
123448 |
|
11-Dec-2003 |
des |
Fix strict aliasing breakage in PAM modules (except pam_krb5, which needs
more work than the others). This should make most modules build with -O2.
|
| #
114264 |
|
29-Apr-2003 |
des |
Treat an empty PAM_RHOST the same as a NULL one.
PR: bin/51508
|
| #
94564 |
|
12-Apr-2002 |
des |
Major cleanup:
- add __unused where appropriate
- PAM_RETURN -> return since OpenPAM already logs the return value.
- make PAM_LOG use openpam_log()
- make PAM_VERBOSE_ERROR use openpam_get_option() and check flags
for PAM_SILENT
- remove dummy functions since OpenPAM handles missing service
functions
- fix various warnings
Sponsored by: DARPA, NAI Labs
|
| #
92297 |
|
14-Mar-2002 |
des |
NAI DBA update.
|
| #
90229 |
|
05-Feb-2002 |
des |
#include cleanup.
Sponsored by: DARPA, NAI Labs
|
| #
90145 |
|
03-Feb-2002 |
markm |
WARNS=n fixes (and some stylistic issues).
|
| #
89760 |
|
24-Jan-2002 |
markm |
WARNS=4 fixes. Protect with NO_WERROR for the modules that have
warnings that are hard to fix or that I've been asked to leave alone.
|
| #
89744 |
|
24-Jan-2002 |
des |
Correctly interpret PAM_RHOST being unset as an indicator of a local
login.
|
| #
89727 |
|
24-Jan-2002 |
des |
Fix some pastos. Rather shoddy of me...
Sponsored by: DARPA, NAI Labs
|
| #
89707 |
|
23-Jan-2002 |
des |
Add a PAM module that provides an account management component for checking
either PAM_RHOST or PAM_TTY against /etc/login.access.o
This uncovers a problem with PAM_RHOST, in that if we always set it, there
is no way to distinguish between a user logging in locally and a user
logging in using 'ssh localhost'. This will be fixed by first making sure
that all PAM modules can handle PAM_RHOST being unset (which is currently
not the case), and then modifying su(1) and login(1) to not set it for
local logins.
Sponsored by: DARPA, NAI Labs
|