Deprecate and remove OPIE from PAM.
authorzrj <rimvydas.jasinskas@gmail.com>
Mon, 22 Apr 2019 08:42:16 +0000 (11:42 +0300)
committerzrj <zrj@dragonflybsd.org>
Mon, 22 Apr 2019 19:11:57 +0000 (22:11 +0300)
This will require user intervention to manually disable OPIE usage or
cleanly reinstall pam.d/* (even better if no modifications were done).
Due to the very strict "requisite" requirements used, any pam_opie loading
error will result in an unusable system except for single user mode.
Add warning for the user. Sooner or later this will need to be done.

While there, disable installing /etc/pam.d/rsh script. It can be removed.

etc/Makefile
etc/pam.d/Makefile
etc/pam.d/ftpd
etc/pam.d/other
etc/pam.d/rsh [deleted file]
etc/pam.d/sshd
etc/pam.d/system
etc/pam.d/telnetd

index 224caf0..2ee2249 100644 (file)
@@ -166,7 +166,7 @@ upgrade_base:       upgrade_check preupgrade remove-obsolete-files
            ${DEFAULTS} ${DESTDIR}/etc/defaults
        cd ${UPGRADE_SRCDIR}/periodic; ${MAKE} install
        mkdir -p ${DESTDIR}/etc/rc.d
-       cd ${UPGRADE_SRCDIR}/rc.d; ${MAKE} install 
+       cd ${UPGRADE_SRCDIR}/rc.d; ${MAKE} install
        cd ${UPGRADE_SRCDIR}/devd; ${MAKE} install
        mkdir -p ${DESTDIR}/etc/autofs
        cd ${UPGRADE_SRCDIR}/autofs; ${MAKE} install
@@ -183,7 +183,7 @@ upgrade_base:       upgrade_check preupgrade remove-obsolete-files
        cd ${UPGRADE_SRCDIR}/pam.d; ${MAKE} install
        sh ${DESTDIR}/etc/pam.d/convert.sh ${DESTDIR}/etc/pam.d ${DESTDIR}/etc/pam.conf
 .else
-.for pamconf in README convert.sh atrun cron passwd rsh su system
+.for pamconf in README convert.sh atrun cron passwd su system
 .if !exists(${DESTDIR}/etc/pam.d/${pamconf})
        ${INSTALL} -o ${BINOWN} -g ${BINGRP} -m 644 ${UPGRADE_SRCDIR}/pam.d/${pamconf} ${DESTDIR}/etc/pam.d
 .endif
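Review bot: An `/etc/pam.d/rsh` already present on an upgraded system survives this change, because dropping `rsh` from the `.for pamconf in ...` list only stops the loop from recreating a missing file. The description says the file can be removed, and the deleted policy relied on `pam_rhosts.so` host-based trust, so it is worth confirming that the `remove-obsolete-files` prerequisite (its list is not visible here) covers it. At minimum, a comment above the loop such as `# rsh is no longer installed; an existing /etc/pam.d/rsh is left untouched here` would record the intent. The upgrade_base recipe starts and ends outside this hunk.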
@@ -245,7 +245,7 @@ upgrade_base:       upgrade_check preupgrade remove-obsolete-files
        chmod 1777 ${DESTDIR}/var/run/sem
 
 # The existence of cleartext_pass_ok means pam config files are out of date.
-       @set - `fgrep cleartext_pass_ok ${DESTDIR}/etc/pam.d/*`; \
+       @set - `fgrep -e cleartext_pass_ok -e pam_opie ${DESTDIR}/etc/pam.d/*`; \
        if [ $$# -gt 0 ] ; \
        then \
                echo "It appears your PAM configuration files need to be updated"; \
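Review bot: The comment above the check still names only `cleartext_pass_ok`, although the `fgrep` now also looks for `pam_opie`; it should read `# The existence of cleartext_pass_ok or pam_opie means pam config files are out of date.`. The fixed-string match also hits commented-out lines, so a file where the admin has already disabled OPIE with `#` still triggers the warning; matching only active lines, e.g. `grep -E '^[^#]*(cleartext_pass_ok|pam_opie)'`, would avoid that. The rest of the shell statement is outside the hunk, so it is unclear whether the message names OPIE or the offending files. Given the lockout described in the commit message, the generic "need to be updated" text looks too weak for a stale `requisite` `pam_opieaccess.so` line.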
@@ -274,7 +274,7 @@ distribution:
        cd ${.CURDIR}/pam.d; ${MAKE} install
        cd ${.CURDIR}/bluetooth; ${MAKE} install
        cd ${.CURDIR}/periodic; ${MAKE} install
-       cd ${.CURDIR}/rc.d; ${MAKE} install 
+       cd ${.CURDIR}/rc.d; ${MAKE} install
        cd ${.CURDIR}/devd; ${MAKE} install
        cd ${.CURDIR}/autofs; ${MAKE} install
        cd ${.CURDIR}/../share/termcap; ${MAKE} etc-termcap
index ab81b9b..dd2a36e 100644 (file)
@@ -10,7 +10,6 @@ FILES=        README \
        other \
        passwd \
        pop3 \
-       rsh \
        sshd \
        su \
        system \
index a705f3f..e33d3d0 100644 (file)
@@ -5,8 +5,6 @@
 #
 
 # auth
-auth           sufficient      pam_opie.so             no_warn no_fake_prompts
-auth           requisite       pam_opieaccess.so       no_warn allow_local
 #auth          sufficient      pam_krb5.so             no_warn
 #auth          sufficient      pam_ssh.so              no_warn try_first_pass
 auth           required        pam_unix.so             no_warn try_first_pass
index f26b272..643f2bd 100644 (file)
@@ -5,8 +5,6 @@
 #
 
 # auth
-auth           sufficient      pam_opie.so             no_warn no_fake_prompts
-auth           requisite       pam_opieaccess.so       no_warn allow_local
 #auth          sufficient      pam_krb5.so             no_warn try_first_pass
 #auth          sufficient      pam_ssh.so              no_warn try_first_pass
 auth           required        pam_unix.so             no_warn try_first_pass
diff --git a/etc/pam.d/rsh b/etc/pam.d/rsh
deleted file mode 100644 (file)
index 74c513b..0000000
+++ /dev/null
@@ -1,18 +0,0 @@
-#
-# $FreeBSD: src/etc/pam.d/rsh,v 1.6 2007/06/10 18:57:20 yar Exp $
-#
-# PAM configuration for the "rsh" service
-#
-
-# auth
-auth           required        pam_rhosts.so           no_warn
-
-# account
-account                required        pam_nologin.so
-account                required        pam_unix.so
-
-# session
-session                required        pam_permit.so
-
-# password
-password       required        pam_deny.so
index 02bafe7..c5b7b2f 100644 (file)
@@ -5,8 +5,6 @@
 #
 
 # auth
-auth           sufficient      pam_opie.so             no_warn no_fake_prompts
-auth           requisite       pam_opieaccess.so       no_warn allow_local
 #auth          sufficient      pam_krb5.so             no_warn try_first_pass
 #auth          sufficient      pam_ssh.so              no_warn try_first_pass
 auth           required        pam_unix.so             no_warn try_first_pass
index 4a41bef..2445c9b 100644 (file)
@@ -5,8 +5,6 @@
 #
 
 # auth
-auth           sufficient      pam_opie.so             no_warn no_fake_prompts
-auth           requisite       pam_opieaccess.so       no_warn allow_local
 #auth          sufficient      pam_krb5.so             no_warn try_first_pass
 #auth          sufficient      pam_ssh.so              no_warn try_first_pass
 auth           required        pam_unix.so             no_warn try_first_pass nullok
index a963efb..b0a1f05 100644 (file)
@@ -5,8 +5,6 @@
 #
 
 # auth
-auth           sufficient      pam_opie.so             no_warn no_fake_prompts
-auth           requisite       pam_opieaccess.so       no_warn allow_local
 #auth          sufficient      pam_krb5.so             no_warn try_first_pass
 #auth          sufficient      pam_ssh.so              no_warn try_first_pass
 auth           required        pam_unix.so             no_warn try_first_pass