Sync pam configuration files with FreeBSD.
authorPeter Avalos <pavalos@theshell.com>
Sat, 3 Jan 2009 22:30:52 +0000 (17:30 -0500)
committerPeter Avalos <pavalos@theshell.com>
Sun, 4 Jan 2009 03:12:24 +0000 (22:12 -0500)
-Take advantage of pam_nologin for account management.

-Locked out and expired accounts shouldn't be accessible via remote
mailbox protocols.

-xserver doesn't seem to be used.

Makefile_upgrade.inc
etc/pam.d/Makefile
etc/pam.d/gdm
etc/pam.d/imap
etc/pam.d/other
etc/pam.d/pop3
etc/pam.d/sshd
etc/pam.d/telnetd
etc/pam.d/xdm
etc/pam.d/xserver [deleted file]

index ef659fd..9a48f37 100644 (file)
@@ -1046,3 +1046,4 @@ TO_REMOVE+=/usr/share/man/man3/skey_crypt.3.gz
 TO_REMOVE+=/usr/share/man/cat3/skey_crypt.3.gz
 TO_REMOVE+=/usr/share/man/man5/skey.access.5.gz
 TO_REMOVE+=/usr/share/man/cat5/skey.access.5.gz
+TO_REMOVE+=/etc/pam.d/xserver
index 035eb3b..9eb738a 100644 (file)
@@ -12,8 +12,7 @@ FILES=        README \
        su \
        system \
        telnetd \
-       xdm \
-       xserver
+       xdm
 
 FILESDIR= /etc/pam.d
 FILESMODE= 644
index 370cefe..a5311a9 100644 (file)
@@ -1,11 +1,20 @@
 #
+# $FreeBSD: src/etc/pam.d/gdm,v 1.8 2007/06/10 18:57:20 yar Exp $
 # $DragonFly: src/etc/pam.d/gdm,v 1.1 2005/07/22 18:20:43 joerg Exp $
 #
 # PAM configuration for the "gdm" service
 #
 
-account                required        pam_unix.so                     try_first_pass
+# auth
+#auth          sufficient      pam_krb5.so             no_warn try_first_pass
+#auth          sufficient      pam_ssh.so              no_warn try_first_pass
+auth           required        pam_unix.so             no_warn try_first_pass
+
+# account
+account                required        pam_nologin.so
+#account       required        pam_krb5.so
+account                required        pam_unix.so
+
+# session
+#session       optional        pam_ssh.so
 session                required        pam_permit.so
-password       required        pam_deny.so
-auth           required        pam_unix.so
-#auth          sufficient      pam_krb5.so                     try_first_pass
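Review bot: The new gdm policy drops the explicit `password required pam_deny.so` line and defines no password chain at all. Assuming the PAM library falls back to the `other` policy for a facility that a service file leaves empty (as OpenPAM does), password-change requests from gdm would now be handled by the `password required pam_permit.so` line this commit adds to etc/pam.d/other. That turns an explicit refusal into a success that changes nothing. The xdm file in this commit keeps its deny line under a `# password` heading; I would do the same here by appending `# password` and `password required pam_deny.so` after the session section.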
index 50d92ec..cbff259 100644 (file)
@@ -1,7 +1,15 @@
 #
+# $FreeBSD: src/etc/pam.d/imap,v 1.7 2007/06/15 11:33:13 yar Exp $
 # $DragonFly: src/etc/pam.d/imap,v 1.1 2005/07/22 18:20:43 joerg Exp $
 #
 # PAM configuration for the "imap" service
 #
 
-auth           required        pam_unix.so                     try_first_pass
+# auth
+#auth          sufficient      pam_krb5.so             no_warn try_first_pass
+#auth          sufficient      pam_ssh.so              no_warn try_first_pass
+auth           required        pam_unix.so             no_warn try_first_pass
+
+# account
+#account       required        pam_nologin.so
+account                required        pam_unix.so
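Review bot: `#account required pam_nologin.so` is left commented out here and in etc/pam.d/pop3, while the other services touched by this commit enable it, and nothing in either file says why. If the intent is that mailbox retrieval keeps working while interactive logins are administratively disabled, say so next to the line, for example `# pam_nologin stays off so mail access survives a nologin period; uncomment to block it too`. Without that, an administrator reading the commit message ("Take advantage of pam_nologin for account management") may assume these two services are covered as well.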
index 102693b..ab7f9af 100644 (file)
@@ -1,8 +1,26 @@
 #
+# $FreeBSD: src/etc/pam.d/other,v 1.11 2007/06/10 18:57:20 yar Exp $
 # $DragonFly: src/etc/pam.d/other,v 1.1 2005/07/22 18:20:43 joerg Exp $
 #
 # PAM configuration for the "other" service
 #
 
-account                required        pam_unix.so                     try_first_pass
-auth           required        pam_unix.so                     try_first_pass
+# auth
+auth           sufficient      pam_opie.so             no_warn no_fake_prompts
+auth           requisite       pam_opieaccess.so       no_warn allow_local
+#auth          sufficient      pam_krb5.so             no_warn try_first_pass
+#auth          sufficient      pam_ssh.so              no_warn try_first_pass
+auth           required        pam_unix.so             no_warn try_first_pass
+
+# account
+account                required        pam_nologin.so
+#account       required        pam_krb5.so
+account                required        pam_login_access.so
+account                required        pam_unix.so
+
+# session
+#session       optional        pam_ssh.so
+session                required        pam_permit.so
+
+# password
+password       required        pam_permit.so
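Review bot: `password required pam_permit.so` in the catch-all policy means any service without its own password chain gets a password-change call that reports success without doing anything, and `session required pam_permit.so` opens a session unconditionally. The auth and account chains here do fail closed, so the risk is limited to those two facilities, but a fallback file is where a failing default is the safer choice. I would use `password required pam_deny.so`, or the `password required pam_unix.so no_warn try_first_pass` line this commit uses for sshd and telnetd if password changes are meant to work. At minimum, add a comment stating that services are expected to supply their own password chain.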
index d119b3d..be51ed8 100644 (file)
@@ -1,7 +1,15 @@
 #
+# $FreeBSD: src/etc/pam.d/pop3,v 1.7 2007/06/15 11:33:13 yar Exp $
 # $DragonFly: src/etc/pam.d/pop3,v 1.1 2005/07/22 18:20:43 joerg Exp $
 #
 # PAM configuration for the "pop3" service
 #
 
-auth           required        pam_unix.so                     try_first_pass
+# auth
+#auth          sufficient      pam_krb5.so             no_warn try_first_pass
+#auth          sufficient      pam_ssh.so              no_warn try_first_pass
+auth           required        pam_unix.so             no_warn try_first_pass
+
+# account
+#account       required        pam_nologin.so
+account                required        pam_unix.so
index 678ef98..98f82fb 100644 (file)
@@ -1,13 +1,27 @@
 #
+# $FreeBSD: src/etc/pam.d/sshd,v 1.16 2007/06/10 18:57:20 yar Exp $
 # $DragonFly: src/etc/pam.d/sshd,v 1.1 2005/07/22 18:20:43 joerg Exp $
 #
 # PAM configuration for the "sshd" service
 #
 
+# auth
+auth           sufficient      pam_opie.so             no_warn no_fake_prompts
+auth           requisite       pam_opieaccess.so       no_warn allow_local
+#auth          sufficient      pam_krb5.so             no_warn try_first_pass
+#auth          sufficient      pam_ssh.so              no_warn try_first_pass
+auth           required        pam_unix.so             no_warn try_first_pass
+
+# account
+account                required        pam_nologin.so
+#account       required        pam_krb5.so
+account                required        pam_login_access.so
 account                required        pam_unix.so
+
+# session
+#session       optional        pam_ssh.so
 session                required        pam_permit.so
-password       required        pam_permit.so
-auth           sufficient      pam_opie.so                     no_fake_prompts
-#auth          requisite       pam_opieaccess.so
-#auth          sufficient      pam_krb5.so                     try_first_pass
-auth           required        pam_unix.so                     try_first_pass
+
+# password
+#password      sufficient      pam_krb5.so             no_warn try_first_pass
+password       required        pam_unix.so             no_warn try_first_pass
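Review bot: `auth requisite pam_opieaccess.so no_warn allow_local` is now active where the previous sshd file had that module commented out, and `account required pam_login_access.so` is new, so both can change who is able to log in over SSH after an upgrade. As I understand pam_opieaccess, a user with OPIE enabled is refused plain password authentication from hosts the opieaccess configuration does not permit, so existing OPIE users may lose password login; please confirm against the module's manual page. The same auth and account lines are added to etc/pam.d/other and etc/pam.d/telnetd. Because the lines are `requisite`/`required`, confirm that both modules are built and installed in this tree before the files ship, since a missing module on a required line would presumably fail the whole chain. I would also record the behaviour change in the upgrade notes and add a header comment such as `# pam_opieaccess: OPIE users must use OPIE unless the remote host is allowed`.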
index ae19aaa..6a77425 100644 (file)
@@ -1,7 +1,27 @@
 #
+# $FreeBSD: src/etc/pam.d/telnetd,v 1.8 2007/06/10 18:57:20 yar Exp $
 # $DragonFly: src/etc/pam.d/telnetd,v 1.1 2005/07/22 18:20:43 joerg Exp $
 #
 # PAM configuration for the "telnetd" service
 #
 
-auth           required        pam_unix.so                     try_first_pass
+# auth
+auth           sufficient      pam_opie.so             no_warn no_fake_prompts
+auth           requisite       pam_opieaccess.so       no_warn allow_local
+#auth          sufficient      pam_krb5.so             no_warn try_first_pass
+#auth          sufficient      pam_ssh.so              no_warn try_first_pass
+auth           required        pam_unix.so             no_warn try_first_pass
+
+# account
+account                required        pam_nologin.so
+#account       required        pam_krb5.so
+account                required        pam_login_access.so
+account                required        pam_unix.so
+
+# session
+#session       optional        pam_ssh.so
+session                required        pam_lastlog.so          no_fail
+
+# password
+#password      sufficient      pam_krb5.so             no_warn try_first_pass
+password       required        pam_unix.so             no_warn try_first_pass
index e3994be..31d1607 100644 (file)
@@ -1,11 +1,23 @@
 #
+# $FreeBSD: src/etc/pam.d/xdm,v 1.11 2007/06/10 18:57:20 yar Exp $
 # $DragonFly: src/etc/pam.d/xdm,v 1.1 2005/07/22 18:20:43 joerg Exp $
 #
 # PAM configuration for the "xdm" service
 #
 
-account                required        pam_unix.so                     try_first_pass
-session                required        pam_deny.so
+# auth
+#auth          sufficient      pam_krb5.so             no_warn try_first_pass
+#auth          sufficient      pam_ssh.so              no_warn try_first_pass
+auth           required        pam_unix.so             no_warn try_first_pass
+
+# account
+account                required        pam_nologin.so
+#account       required        pam_krb5.so
+account                required        pam_unix.so
+
+# session
+#session       required        pam_ssh.so              want_agent
+session                required        pam_lastlog.so          no_fail
+
+# password
 password       required        pam_deny.so
-auth           required        pam_unix.so
-#auth          sufficient      pam_krb5.so                     try_first_pass
diff --git a/etc/pam.d/xserver b/etc/pam.d/xserver
deleted file mode 100644 (file)
index 9085145..0000000
+++ /dev/null
@@ -1,7 +0,0 @@
-#
-# $DragonFly: src/etc/pam.d/xserver,v 1.1 2005/07/22 18:20:43 joerg Exp $
-#
-# PAM configuration for the "xserver" service
-#
-
-auth           required        pam_permit.so