Split monolithic /etc/pam.conf into separate files for each service
authorJoerg Sonnenberger <joerg@dragonflybsd.org>
Fri, 22 Jul 2005 18:20:43 +0000 (18:20 +0000)
committerJoerg Sonnenberger <joerg@dragonflybsd.org>
Fri, 22 Jul 2005 18:20:43 +0000 (18:20 +0000)
under /etc/pam.d. The README was obtained from FreeBSD, the convert.sh
script is inspired by convert.pl, but works with sh and awk only.

If you just want to convert your existing configuration to the new
format, run "sh /etc/pam.d/convert.sh". You can remove /etc/pam.conf
afterwards.

14 files changed:
etc/Makefile
etc/mtree/BSD.root.dist
etc/pam.conf [deleted file]
etc/pam.d/convert.sh [new file with mode: 0644]
etc/pam.d/ftpd [new file with mode: 0644]
etc/pam.d/gdm [new file with mode: 0644]
etc/pam.d/imap [new file with mode: 0644]
etc/pam.d/login [new file with mode: 0644]
etc/pam.d/other [new file with mode: 0644]
etc/pam.d/pop3 [new file with mode: 0644]
etc/pam.d/sshd [new file with mode: 0644]
etc/pam.d/telnetd [new file with mode: 0644]
etc/pam.d/xdm [new file with mode: 0644]
etc/pam.d/xserver [new file with mode: 0644]

index 6cd8f3a..0c3cfd4 100644 (file)
@@ -1,6 +1,6 @@
 #      from: @(#)Makefile      5.11 (Berkeley) 5/21/91
 # $FreeBSD: src/etc/Makefile,v 1.219.2.38 2003/03/04 09:49:00 ru Exp $
-# $DragonFly: src/etc/Makefile,v 1.75 2005/07/07 12:43:36 corecode Exp $
+# $DragonFly: src/etc/Makefile,v 1.76 2005/07/22 18:20:43 joerg Exp $
 
 .if !defined(NO_SENDMAIL)
 SUBDIR=        sendmail
@@ -26,7 +26,7 @@ BIN1= amd.map auth.conf \
        hosts hosts.allow host.conf hosts.equiv hosts.lpd \
        inetd.conf login.access login.conf \
        motd modems networks newsyslog.conf \
-       pam.conf pf.conf phones printcap profile \
+       pf.conf phones printcap profile \
        remote \
        shells sysctl.conf syslog.conf usbd.conf \
        etc.${MACHINE_ARCH}/ttys \
@@ -46,6 +46,8 @@ DIRS+=        secure/usr.bin/openssl
 BIN2=  pccard_ether rc.firewall rc.suspend rc.resume
 
 DEFAULTS= rc.conf make.conf periodic.conf
+PAMD_CONF=     README convert.sh ftpd gdm imap login other pop3 sshd \
+       telnetd xdm xserver
 
 MTREE= BSD.include.dist BSD.local.dist BSD.root.dist BSD.usr.dist \
        BSD.var.dist BSD.x11.dist BSD.x11-4.dist
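Review bot: `PAMD_CONF` lists `README`, but no `etc/pam.d/README` is among the 14 files this commit adds, although the description says the README was taken from FreeBSD; unless it was committed separately, the `${INSTALL} ... ${PAMD_CONF} ${DESTDIR}/etc/pam.d` step added to `distribution` in the later hunk will abort on the missing file. Either add the file in this commit or drop `README` from the list until it is in the tree. A short comment next to the variable, such as `# per-service PAM policies installed into ${DESTDIR}/etc/pam.d; convert.sh migrates an old pam.conf`, would also explain why a shell script sits among the policy files.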
@@ -344,6 +346,8 @@ distribution:
            pwd_mkdb -p -d ${DESTDIR}/etc ${DESTDIR}/etc/master.passwd
        cd ${.CURDIR}/defaults; ${INSTALL} -o ${BINOWN} -g ${BINGRP} -m 644 \
            ${DEFAULTS} ${DESTDIR}/etc/defaults
+       cd ${.CURDIR}/pam.d; ${INSTALL} -o ${BINOWN} -g ${BINGRP} -m 644 \
+           ${PAMD_CONF} ${DESTDIR}/etc/pam.d
        cd ${.CURDIR}/periodic; ${MAKE} install
        cd ${.CURDIR}/rc.d; ${MAKE} install 
        cd ${.CURDIR}/../share/termcap; ${MAKE} etc-termcap
index 82deeb3..043a043 100644 (file)
@@ -1,5 +1,5 @@
 # $FreeBSD: src/etc/mtree/BSD.root.dist,v 1.45.2.4 2002/06/10 15:33:27 obrien Exp $
-# $DragonFly: src/etc/mtree/BSD.root.dist,v 1.6 2005/03/19 14:56:08 joerg Exp $
+# $DragonFly: src/etc/mtree/BSD.root.dist,v 1.7 2005/07/22 18:20:43 joerg Exp $
 #
 # Please see the file src/etc/mtree/README before making changes to this file.
 #
@@ -49,6 +49,8 @@
             weekly
             ..
         ..
+       pam.d
+       ..
         ppp
         ..
        rc.d
diff --git a/etc/pam.conf b/etc/pam.conf
deleted file mode 100644 (file)
index c3a9cb9..0000000
+++ /dev/null
@@ -1,100 +0,0 @@
-# Configuration file for Pluggable Authentication Modules (PAM).
-#
-# This file controls the authentication methods that login and other
-# utilities use.  See pam(8) for a description of its format.
-#
-# $FreeBSD: src/etc/pam.conf,v 1.6.2.18 2003/02/15 17:20:27 des Exp $
-# $DragonFly: src/etc/Attic/pam.conf,v 1.4 2005/07/14 16:40:43 joerg Exp $
-#
-# service-name module-type     control-flag    module-path     arguments
-#
-# module-type:
-#  auth:      prompt for a password to authenticate that the user is
-#             who they say they are, and set any credentials.
-#  account:   non-authentication based authorization, based on time,
-#             resources, etc.
-#  session:   housekeeping before and/or after login.
-#  password:  update authentication tokens.
-#
-# control-flag: How libpam handles success or failure of the module.
-#  required:   success is required, and on failure all remaining
-#              modules are run.
-#  requisite:  success is required, and on failure no remaining
-#              modules are run.
-#  sufficient: success is sufficient, and if no previous required
-#              module failed, no remaining modules are run.
-#  optional:   ignored unless the other modules return PAM_IGNORE.
-#
-# arguments:
-#  Passed to the module; module-specific plus some generic ones:
-#   debug:           syslog debug info.
-#   no_warn:         return no warning messages to the application.
-#   use_first_pass:  try authentication using password from the
-#                    preceding auth module.
-#   try_first_pass:  first try authentication using password from
-#                    the preceding auth module, and if that fails
-#                    prompt for a new password.
-#   use_mapped_pass: convert cleartext password to a crypto key.
-#   expose_account:  allow printing more info about the user when
-#                    prompting.
-#
-# Each final entry must say "required" -- otherwise, things don't
-# work quite right.  If you delete a final entry, be sure to change
-# "sufficient" to "required" in the entry before it.
-
-# If the user can authenticate with S/Key, that's sufficient; allow clear
-# password. Try kerberos, then try plain unix password.
-login  auth    sufficient      pam_opie.so                     no_fake_prompts
-#login auth    requisite       pam_opieaccess.so
-login  auth    requisite       pam_cleartext_pass_ok.so
-#login auth    sufficient      pam_krb5.so                     try_first_pass
-login  auth    required        pam_unix.so                     try_first_pass
-login  account required        pam_unix.so
-login  password required       pam_permit.so
-login  session required        pam_permit.so
-
-# Same requirement for ftpd as login
-ftpd   auth    sufficient      pam_opie.so                     no_fake_prompts
-#ftpd  auth    requisite       pam_opieaccess.so
-ftpd   auth    requisite       pam_cleartext_pass_ok.so
-#ftpd  auth    sufficient      pam_krb5.so                     try_first_pass
-ftpd   auth    required        pam_unix.so                     try_first_pass
-
-# OpenSSH with PAM support requires similar modules.  The session one is
-# a bit strange, though...
-sshd   auth    sufficient      pam_opie.so                     no_fake_prompts
-#sshd  auth    requisite       pam_opieaccess.so
-#sshd  auth    sufficient      pam_krb5.so                     try_first_pass
-sshd   auth    required        pam_unix.so                     try_first_pass
-sshd   account required        pam_unix.so
-sshd   password required       pam_permit.so
-sshd   session required        pam_permit.so
-
-# "telnetd" is for SRA authenticated telnet only. Non-SRA uses 'login'
-telnetd        auth    required        pam_unix.so                     try_first_pass
-
-# Don't break startx
-xserver        auth    required        pam_permit.so
-
-# XDM is difficult; it fails or moans unless there are modules for each
-# of the four management groups; auth, account, session and password.
-xdm    auth    required        pam_unix.so
-#xdm   auth    sufficient      pam_krb5.so                     try_first_pass
-xdm    account required        pam_unix.so                     try_first_pass
-xdm    session required        pam_deny.so
-xdm    password required       pam_deny.so
-
-# GDM (GNOME Display Manager)
-gdm    auth    required        pam_unix.so
-#gdm   auth    sufficient      pam_krb5.so                     try_first_pass
-gdm    account required        pam_unix.so                     try_first_pass
-gdm    session required        pam_permit.so
-gdm    password required       pam_deny.so
-
-# Mail services
-imap   auth    required        pam_unix.so                     try_first_pass
-pop3   auth    required        pam_unix.so                     try_first_pass
-
-# If we don't match anything else, default to using getpwnam().
-other  auth    required        pam_unix.so                     try_first_pass
-other  account required        pam_unix.so                     try_first_pass
diff --git a/etc/pam.d/convert.sh b/etc/pam.d/convert.sh
new file mode 100644 (file)
index 0000000..9c6cd5c
--- /dev/null
@@ -0,0 +1,95 @@
+#! /bin/sh
+# 
+# Copyright (c) 2005 The DragonFly Project.  All rights reserved.
+#
+# This code is derived from software contributed to The DragonFly Project
+# by Joerg Sonnenberger <joerg@bec.de>
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+#
+# 1. Redistributions of source code must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in
+#    the documentation and/or other materials provided with the
+#    distribution.
+# 3. Neither the name of The DragonFly Project nor the names of its
+#    contributors may be used to endorse or promote products derived
+#    from this software without specific, prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+# ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+# FOR A PARTICULAR PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE
+# COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+# INCIDENTAL, SPECIAL, EXEMPLARY OR CONSEQUENTIAL DAMAGES (INCLUDING,
+# BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
+# AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
+# OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $DragonFly: src/etc/pam.d/convert.sh,v 1.1 2005/07/22 18:20:43 joerg Exp $
+
+if [ $# -ge 1 ]
+then
+       dir="$1"
+else
+       dir=/etc/pam.d
+fi
+if [ $# = 2 ]
+then
+       file="$2"
+else
+       file=/etc/pam.conf
+fi
+if [ $# -gt 2 ]
+then
+       echo "Usage: $0 [ output directory ] [ input file ]"
+       echo "Default output is /etc/pam.d, default input is /etc/pam.conf"
+       exit 1
+fi
+
+awk '/^([#[:space:]]*)([[:alnum:]_]+)[[:space:]]+(auth|account|session|password)[[:space:]]+([^[:space:]].*)$/ {
+       match($0, /[#[:space:]]*/)
+       prefix = substr($0, 0, RLENGTH)
+       $0 = substr($0, RLENGTH + 1)
+       match($0, /[[:alnum:]_]+/)
+       name = substr($0, 0, RLENGTH)
+       $0 = substr($0, RLENGTH + 1)
+       match($0, /[[:space:]]+/)
+       $0 = substr($0, RLENGTH + 1)
+       match($0, /(auth|account|session|password)/)
+       type = substr($0, 0, RLENGTH)
+       $0 = substr($0, RLENGTH + 1)
+       match($0, /[[:space:]]+/)
+       arg = substr($0, RLENGTH + 1)
+
+       line = prefix type
+       tabs = ((16 - length(line)) / 8)
+       for (i = 0; i < tabs; i++)
+               line = line "\t"
+       if ((name, type) in content)
+               content[name, type] = content[name, type] "\n" line arg
+       else
+               content[name, type] = line arg
+       services[name] = name
+}
+
+END {
+       'fdir=\"$dir\"'
+
+       split("auth account session password", types, " ")
+       for (service in services) {
+               fname = fdir "/" service
+               system("rm -f " fname)
+               print "#\n# $DragonFly: src/etc/pam.d/convert.sh,v 1.1 2005/07/22 18:20:43 joerg Exp $\n#\n# PAM configuration for the \"" service "\" service\n#\n" >> fname
+               for (type in types)
+                       if ((service, types[type]) in content)
+                               print content[service, types[type]] >> fname
+               close(fname)
+       }
+}' < $file
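Review bot: The prefix, name and type extraction each use `substr($0, 0, RLENGTH)`, which depends on awk accepting a start index of 0; implementations that clip the 0..RLENGTH-1 range to the string (gawk and mawk do) return one character less, so `#` prefixes and module types such as `auth` would come out truncated — `substr($0, 1, RLENGTH)` yields the same result on the awk that produced the committed files and is correct everywhere. The `'fdir=\"$dir\"'` splice in the END block and the unquoted `< $file` paste the command-line arguments into the awk program text, so a directory name containing a double quote, backslash or whitespace breaks or alters the program before it reaches `system("rm -f " fname)`; `awk -v fdir="$dir" '...' < "$file"` passes them as data instead. `for (type in types)` iterates in implementation-defined order, which is why the committed pam.d files list `account` before `auth`; `for (i = 1; i <= 4; i++)` over `types[i]` would emit the groups in the documented auth/account/session/password order.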
diff --git a/etc/pam.d/ftpd b/etc/pam.d/ftpd
new file mode 100644 (file)
index 0000000..ece3d86
--- /dev/null
@@ -0,0 +1,11 @@
+#
+# $DragonFly: src/etc/pam.d/ftpd,v 1.1 2005/07/22 18:20:43 joerg Exp $
+#
+# PAM configuration for the "ftpd" service
+#
+
+auth           sufficient      pam_opie.so                     no_fake_prompts
+#auth          requisite       pam_opieaccess.so
+auth           requisite       pam_cleartext_pass_ok.so
+#auth          sufficient      pam_krb5.so                     try_first_pass
+auth           required        pam_unix.so                     try_first_pass
diff --git a/etc/pam.d/gdm b/etc/pam.d/gdm
new file mode 100644 (file)
index 0000000..370cefe
--- /dev/null
@@ -0,0 +1,11 @@
+#
+# $DragonFly: src/etc/pam.d/gdm,v 1.1 2005/07/22 18:20:43 joerg Exp $
+#
+# PAM configuration for the "gdm" service
+#
+
+account                required        pam_unix.so                     try_first_pass
+session                required        pam_permit.so
+password       required        pam_deny.so
+auth           required        pam_unix.so
+#auth          sufficient      pam_krb5.so                     try_first_pass
diff --git a/etc/pam.d/imap b/etc/pam.d/imap
new file mode 100644 (file)
index 0000000..50d92ec
--- /dev/null
@@ -0,0 +1,7 @@
+#
+# $DragonFly: src/etc/pam.d/imap,v 1.1 2005/07/22 18:20:43 joerg Exp $
+#
+# PAM configuration for the "imap" service
+#
+
+auth           required        pam_unix.so                     try_first_pass
diff --git a/etc/pam.d/login b/etc/pam.d/login
new file mode 100644 (file)
index 0000000..42b69ee
--- /dev/null
@@ -0,0 +1,14 @@
+#
+# $DragonFly: src/etc/pam.d/login,v 1.1 2005/07/22 18:20:43 joerg Exp $
+#
+# PAM configuration for the "login" service
+#
+
+account                required        pam_unix.so
+session                required        pam_permit.so
+password       required        pam_permit.so
+auth           sufficient      pam_opie.so                     no_fake_prompts
+#auth          requisite       pam_opieaccess.so
+auth           requisite       pam_cleartext_pass_ok.so
+#auth          sufficient      pam_krb5.so                     try_first_pass
+auth           required        pam_unix.so                     try_first_pass
diff --git a/etc/pam.d/other b/etc/pam.d/other
new file mode 100644 (file)
index 0000000..102693b
--- /dev/null
@@ -0,0 +1,8 @@
+#
+# $DragonFly: src/etc/pam.d/other,v 1.1 2005/07/22 18:20:43 joerg Exp $
+#
+# PAM configuration for the "other" service
+#
+
+account                required        pam_unix.so                     try_first_pass
+auth           required        pam_unix.so                     try_first_pass
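Review bot: This fallback policy defines only the `auth` and `account` groups, so any service without its own file under /etc/pam.d gets no `session` or `password` chain; the deleted pam.conf's own remark on xdm says that application fails or complains unless all four management groups have an entry, and other callers may behave the same way. The gap is carried over from the old `other` stanza rather than introduced here, but since the file is being created it is a good moment to add explicit entries such as `session required pam_permit.so` and `password required pam_deny.so` (deny, as the xdm and gdm files do, keeps unknown services from changing authentication tokens through the fallback). A header comment stating that this file is the default for every service without a dedicated policy would also preserve the explanation that was in pam.conf.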
diff --git a/etc/pam.d/pop3 b/etc/pam.d/pop3
new file mode 100644 (file)
index 0000000..d119b3d
--- /dev/null
@@ -0,0 +1,7 @@
+#
+# $DragonFly: src/etc/pam.d/pop3,v 1.1 2005/07/22 18:20:43 joerg Exp $
+#
+# PAM configuration for the "pop3" service
+#
+
+auth           required        pam_unix.so                     try_first_pass
diff --git a/etc/pam.d/sshd b/etc/pam.d/sshd
new file mode 100644 (file)
index 0000000..678ef98
--- /dev/null
@@ -0,0 +1,13 @@
+#
+# $DragonFly: src/etc/pam.d/sshd,v 1.1 2005/07/22 18:20:43 joerg Exp $
+#
+# PAM configuration for the "sshd" service
+#
+
+account                required        pam_unix.so
+session                required        pam_permit.so
+password       required        pam_permit.so
+auth           sufficient      pam_opie.so                     no_fake_prompts
+#auth          requisite       pam_opieaccess.so
+#auth          sufficient      pam_krb5.so                     try_first_pass
+auth           required        pam_unix.so                     try_first_pass
diff --git a/etc/pam.d/telnetd b/etc/pam.d/telnetd
new file mode 100644 (file)
index 0000000..ae19aaa
--- /dev/null
@@ -0,0 +1,7 @@
+#
+# $DragonFly: src/etc/pam.d/telnetd,v 1.1 2005/07/22 18:20:43 joerg Exp $
+#
+# PAM configuration for the "telnetd" service
+#
+
+auth           required        pam_unix.so                     try_first_pass
diff --git a/etc/pam.d/xdm b/etc/pam.d/xdm
new file mode 100644 (file)
index 0000000..e3994be
--- /dev/null
@@ -0,0 +1,11 @@
+#
+# $DragonFly: src/etc/pam.d/xdm,v 1.1 2005/07/22 18:20:43 joerg Exp $
+#
+# PAM configuration for the "xdm" service
+#
+
+account                required        pam_unix.so                     try_first_pass
+session                required        pam_deny.so
+password       required        pam_deny.so
+auth           required        pam_unix.so
+#auth          sufficient      pam_krb5.so                     try_first_pass
diff --git a/etc/pam.d/xserver b/etc/pam.d/xserver
new file mode 100644 (file)
index 0000000..9085145
--- /dev/null
@@ -0,0 +1,7 @@
+#
+# $DragonFly: src/etc/pam.d/xserver,v 1.1 2005/07/22 18:20:43 joerg Exp $
+#
+# PAM configuration for the "xserver" service
+#
+
+auth           required        pam_permit.so