From owner-freebsd-current Mon Jan 21 7:34:13 2002 Delivered-To: freebsd-current@freebsd.org Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by hub.freebsd.org (Postfix) with ESMTP id 0977537B404 for ; Mon, 21 Jan 2002 07:33:59 -0800 (PST) Received: by flood.ping.uio.no (Postfix, from userid 2602) id D2558532C; Mon, 21 Jan 2002 16:33:57 +0100 (CET) X-URL: http://www.ofug.org/~des/ X-Disclaimer: The views expressed in this message do not necessarily coincide with those of any organisation or company with which I am or have been affiliated. To: "Andrey A. Chernov" Cc: mark@grondar.za, current@FreeBSD.ORG Subject: Re: Step6, corresponding /etc/pam.d/* fixes for review References: <20020121142038.GA36519@nagual.pp.ru> From: Dag-Erling Smorgrav Date: 21 Jan 2002 16:33:57 +0100 In-Reply-To: <20020121142038.GA36519@nagual.pp.ru> Message-ID: Lines: 21 User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/21.1 MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="=-=-=" Sender: owner-freebsd-current@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG --=-=-= "Andrey A. Chernov" writes: > This fixes reflects pam_opieaccess addition. OK, comments: 1) there's no reason to have pam_opie commented out now, it won't do anything unless OPIE is enabled for the target user. With my patch, any user can use OPIE by simply running opiekey(1), without admin intervention. 2) there are several other PAM config files that refer to pam_opie and need fixing. Patch attached. DES -- Dag-Erling Smorgrav - des@ofug.org --=-=-= Content-Type: text/x-patch Content-Disposition: attachment; filename=pam_d.diff Index: csshd =================================================================== RCS file: /home/ncvs/src/etc/pam.d/csshd,v retrieving revision 1.2 diff -u -r1.2 csshd --- csshd 5 Dec 2001 21:26:00 -0000 1.2 +++ csshd 21 Jan 2002 13:55:24 -0000 
@@ -5,4 +5,5 @@ # # auth -auth required pam_opie.so no_warn +auth sufficient pam_opie.so no_warn +auth requisite pam_opieaccess.so no_warn Index: ftp =================================================================== RCS file: /home/ncvs/src/etc/pam.d/ftp,v retrieving revision 1.2 diff -u -r1.2 ftp --- ftp 5 Dec 2001 21:26:00 -0000 1.2 +++ ftp 21 Jan 2002 14:05:45 -0000 @@ -8,7 +8,8 @@ auth required pam_nologin.so no_warn #auth sufficient pam_kerberosIV.so no_warn #auth sufficient pam_krb5.so no_warn -#auth required pam_opie.so no_warn +auth sufficient pam_opie.so no_warn +auth requisite pam_opieaccess.so no_warn #auth required pam_ssh.so no_warn try_first_pass auth required pam_unix.so no_warn try_first_pass Index: ftpd =================================================================== RCS file: /home/ncvs/src/etc/pam.d/ftpd,v retrieving revision 1.12 diff -u -r1.12 ftpd --- ftpd 19 Jan 2002 18:29:49 -0000 1.12 +++ ftpd 21 Jan 2002 14:05:17 -0000 @@ -9,10 +9,9 @@ #auth sufficient pam_kerberosIV.so no_warn #auth sufficient pam_krb5.so no_warn #auth sufficient pam_ssh.so no_warn try_first_pass -# Uncomment either pam_opie or pam_unix, but not both of them. -# pam_unix can't be simple chained with pam_opie, ftpd provides proper fallback -auth required pam_opie.so no_warn -#auth required pam_unix.so no_warn try_first_pass +auth sufficient pam_opie.so no_warn +auth requisite pam_opieaccess.so no_warn +auth required pam_unix.so no_warn try_first_pass # account #account required pam_kerberosIV.so Index: imap =================================================================== RCS file: /home/ncvs/src/etc/pam.d/imap,v retrieving revision 1.2 diff -u -r1.2 imap --- imap 5 Dec 2001 21:26:00 -0000 1.2 +++ imap 21 Jan 2002 14:04:44 -0000 
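Review bot: The new csshd auth stack visible here ends with `auth requisite pam_opieaccess.so no_warn` and no `required` module after it, so a user who is not enrolled in OPIE (pam_opie does nothing, pam_opieaccess passes) reaches the end of the chain with nothing having verified a credential; whether that yields PAM_SUCCESS depends on the PAM library's rule for a stack with no required failure, and the collapsed trailing context may hide further lines, so this needs confirming. The ftp, ftpd and other hunks in this same patch close the stack with `auth required pam_unix.so no_warn try_first_pass`, and csshd should either do the same or state the policy explicitly. At minimum add `# csshd is OPIE-only: users without an OPIE key must not be admitted here` above the stack and end it with a module that enforces that.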
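Review bot: The `try_first_pass` on the closing `auth required pam_unix.so` line means whatever the user typed at the OPIE challenge is replayed as the Unix password, and nothing in the file says that `pam_opieaccess` is the only thing stopping an OPIE-enrolled user from leaking their real password over an untrusted connection that way. That policy lives in opieaccess(5) rather than here, so an admin reading this stack cannot see why the `requisite` line must not be removed or demoted. Add a comment above the pair, e.g. `# pam_opieaccess refuses password fallback for OPIE users from hosts not permitted in /etc/opieaccess; keep it requisite`.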
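Review bot: The hunk deletes the comment explaining that pam_unix could not simply be chained with pam_opie because ftpd did its own fallback, and replaces it with the chained stack but no explanation of why chaining is now safe. If ftpd still implements its own OPIE-to-password fallback outside PAM, that path would bypass the `requisite pam_opieaccess.so` refusal; the patch does not show ftpd, so this should be confirmed against the daemon rather than assumed. Replace the removed comment with one that records the new contract, e.g. `# pam_unix may follow pam_opie here only because pam_opieaccess (requisite) blocks password fallback for OPIE users from untrusted hosts`.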
@@ -6,6 +6,7 @@ # auth #auth required pam_nologin.so no_warn -#auth required pam_opie.so no_warn +#auth sufficient pam_opie.so no_warn +#auth requisite pam_opieaccess.so no_warn #auth required pam_ssh.so no_warn try_first_pass #auth required pam_unix.so no_warn try_first_pass Index: kde =================================================================== RCS file: /home/ncvs/src/etc/pam.d/kde,v retrieving revision 1.2 diff -u -r1.2 kde --- kde 5 Dec 2001 21:26:00 -0000 1.2 +++ kde 21 Jan 2002 14:04:21 -0000 @@ -6,7 +6,8 @@ # auth auth required pam_nologin.so no_warn -#auth sufficient pam_opie.so no_warn +auth sufficient pam_opie.so no_warn +auth requisite pam_opieaccess.so no_warn #auth sufficient pam_kerberosIV.so no_warn try_first_pass #auth sufficient pam_krb5.so no_warn try_first_pass #auth required pam_ssh.so no_warn try_first_pass Index: login =================================================================== RCS file: /home/ncvs/src/etc/pam.d/login,v retrieving revision 1.5 diff -u -r1.5 login --- login 19 Jan 2002 18:29:49 -0000 1.5 +++ login 21 Jan 2002 15:14:37 -0000 @@ -6,7 +6,8 @@ # auth auth required pam_nologin.so no_warn -#auth sufficient pam_opie.so no_warn +auth sufficient pam_opie.so no_warn +auth requisite pam_opieaccess.so no_warn #auth sufficient pam_kerberosIV.so no_warn try_first_pass #auth sufficient pam_krb5.so no_warn try_first_pass #auth required pam_ssh.so no_warn try_first_pass @@ -24,7 +25,6 @@ session required pam_unix.so # password -#password sufficient pam_opie.so no_warn #password sufficient pam_kerberosIV.so no_warn try_first_pass #password sufficient pam_krb5.so no_warn try_first_pass password required pam_unix.so no_warn try_first_pass Index: other =================================================================== RCS file: /home/ncvs/src/etc/pam.d/other,v retrieving revision 1.2 diff -u -r1.2 other --- other 5 Dec 2001 21:26:00 -0000 1.2 +++ other 21 Jan 2002 14:03:48 -0000 
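Review bot: For the kde service the login is a local display session, and pam_opieaccess decides on the basis of the remote host, which kdm may not set in PAM_RHOST; how the module treats an absent host (permit or deny) is not visible in this patch and determines whether console OPIE users can fall back to their password. The hunk enables `auth sufficient pam_opie.so no_warn` and `auth requisite pam_opieaccess.so no_warn` unconditionally without recording this, and the pam_unix line that presumably closes the stack is outside the hunk. Add `# pam_opieaccess keys on PAM_RHOST; verify its behaviour for local displays where no host is set` above the pair so the assumption is checked rather than inherited.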
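Review bot: In the login auth stack the new `auth sufficient pam_opie.so no_warn` line now precedes the commented `pam_kerberosIV`/`pam_krb5` entries that carry `try_first_pass`, so an admin who enables Kerberos will have the text typed at the OPIE challenge forwarded to the KDC as a password; for an OPIE user that is the same plaintext-reuse problem pam_opieaccess guards against for pam_unix, but here the Kerberos modules sit before that guard would matter only if ordering is understood. The hunk does not document the intended order, and login is also reached from getty where no PAM_RHOST exists, which affects what pam_opieaccess will do. Add `# keep pam_opie first: later modules with try_first_pass reuse its response` above the stack.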
@@ -6,7 +6,8 @@ # auth auth required pam_nologin.so no_warn -#auth required pam_opie.so no_warn +auth sufficient pam_opie.so no_warn +auth requisite pam_opieaccess.so no_warn auth required pam_unix.so no_warn try_first_pass # account Index: pop3 =================================================================== RCS file: /home/ncvs/src/etc/pam.d/pop3,v retrieving revision 1.2 diff -u -r1.2 pop3 --- pop3 5 Dec 2001 21:26:00 -0000 1.2 +++ pop3 21 Jan 2002 14:03:22 -0000 @@ -6,6 +6,7 @@ # auth #auth required pam_nologin.so no_warn -#auth required pam_opie.so no_warn +#auth sufficient pam_opie.so no_warn +#auth requisite pam_opieaccess.so no_warn #auth required pam_ssh.so no_warn try_first_pass #auth required pam_unix.so no_warn try_first_pass Index: su =================================================================== RCS file: /home/ncvs/src/etc/pam.d/su,v retrieving revision 1.5 diff -u -r1.5 su --- su 19 Jan 2002 18:29:49 -0000 1.5 +++ su 21 Jan 2002 14:00:52 -0000 
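Review bot: This is the catch-all `other` stack, so the enabled `auth sufficient pam_opie.so no_warn` and `auth requisite pam_opieaccess.so no_warn` lines now apply to every service without its own file, including non-interactive ones whose conversation function cannot answer an OPIE challenge and which may never set PAM_RHOST for pam_opieaccess to evaluate. The patch gives no indication that was weighed for the default stack, only that it was for the named services. Add `# default stack for services without their own file; pam_opie only challenges OPIE users, pam_opieaccess needs a usable PAM_RHOST` so the scope is explicit.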
@@ -12,30 +12,41 @@ #auth required pam_opie.so no_warn #auth required pam_ssh.so no_warn try_first_pass auth required pam_unix.so no_warn try_first_pass nullok -#auth sufficient pam_rootok.so no_warn -##auth sufficient pam_kerberosIV.so no_warn -##auth sufficient pam_krb5.so no_warn -#auth required pam_opie.so no_warn auth_as_self -#auth required pam_unix.so no_warn try_first_pass auth_as_self # account #account required pam_kerberosIV.so #account required pam_krb5.so account required pam_unix.so -##account required pam_kerberosIV.so -##account required pam_krb5.so -#account required pam_unix.so # session #session required pam_kerberosIV.so #session required pam_krb5.so #session required pam_ssh.so session required pam_unix.so + +# password +password required pam_permit.so + + +# If you want a "WHEELSU"-type su(1), then comment out the +# above, and uncomment the entries below. +## auth +#auth sufficient pam_rootok.so no_warn +##auth sufficient pam_kerberosIV.so no_warn +##auth sufficient pam_krb5.so no_warn +#auth required pam_opie.so no_warn auth_as_self +#auth required pam_unix.so no_warn try_first_pass auth_as_self + +## account +##account required pam_kerberosIV.so +##account required pam_krb5.so +#account required pam_unix.so + +## session ##session required pam_kerberosIV.so ##session required pam_krb5.so ##session required pam_ssh.so #session required pam_unix.so -# password -password required pam_permit.so +## password #password required pam_permit.so --=-=-=-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-current" in the body of the message
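Review bot: The su file is the one place this patch leaves pam_opie in its old `required` form: the context line `#auth required pam_opie.so no_warn` in the active stack and the relocated WHEELSU template line `#auth required pam_opie.so no_warn auth_as_self` both lack the `sufficient` plus `requisite pam_opieaccess.so` pairing introduced everywhere else, so an admin uncommenting either gets the pre-patch chaining behaviour. Whether pam_opieaccess honours `auth_as_self` is not shown here and should be checked before the template relies on it. The template lines should become `#auth sufficient pam_opie.so no_warn auth_as_self` followed by `#auth requisite pam_opieaccess.so no_warn auth_as_self`, with the active-stack comment updated to match.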