From owner-freebsd-bugs@FreeBSD.ORG Thu Nov 27 16:11:09 2003 Return-Path: Delivered-To: freebsd-bugs@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1B74916A4CE for ; Thu, 27 Nov 2003 16:11:09 -0800 (PST) Received: from mail.bsbsolutions.com.br (200-096-170-206.bsace7024.e.brasiltelecom.net.br [200.96.170.206]) by mx1.FreeBSD.org (Postfix) with SMTP id 0104243F85 for ; Thu, 27 Nov 2003 16:11:05 -0800 (PST) (envelope-from ivo@tonev.pro.br) Received: (qmail 91145 invoked by uid 0); 27 Nov 2003 21:13:35 -0000 Received: from 200-103-113-033.bsace705.dsl.brasiltelecom.net.br (HELO tonev.pro.br) (bsb@bsbsolutions.com.br@200.103.113.33) by mail.bsbsolutions with SMTP; 27 Nov 2003 21:13:35 -0000 Message-ID: <3FC6E6E7.4040507@tonev.pro.br> Date: Thu, 27 Nov 2003 22:10:47 -0800 From: "Ivo R. Tonev" User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.5) Gecko/20031007 X-Accept-Language: en-us, en MIME-Version: 1.0 To: freebsd-bugs@FreeBSD.org Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Subject: Problem Report i386/59593 X-BeenThere: freebsd-bugs@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Bug reports List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 28 Nov 2003 00:11:09 -0000 Hi, su uses the full password for authentication, but sshd .... I have created a user account to test the authentication: the entry in /etc/master.passwd for user test, added with adduser (DES password ????
adduser ignored /etc/login.defs ): teste:tEkH5r9IwlyAU:1002:1002::0:0:teste:/home/teste:/bin/sh the entry in /etc/master.passwd for user test after changing their password with passwd: teste:$1$61HQ4CwH$zkIyY20/Hu6xUHu7xFCC60:1002:1002::0:0:teste:/home/teste:/bin/sh the entry in /etc/master.passwd for user test added with /stand/sysinstall: test:$1$NZQtQYhL$ifuEewic6ApWH6wGeKSQl.:1002:1002::0:0:User &:/home/test:/bin/sh Is the problem in the adduser command ??? /etc/login.conf: ======================================================================== # login.conf - login class capabilities database. # # Remember to rebuild the database after each change to this file: # # cap_mkdb /etc/login.conf # # This file controls resource limits, accounting limits and # default user environment settings. # # $FreeBSD: src/etc/login.conf,v 1.34.2.6 2002/07/02 20:06:18 dillon Exp $ # # Default settings effectively disable resource limits, see the # examples below for a starting point to enable them. # defaults # These settings are used by login(1) by default for classless users # Note that entries like "cputime" set both "cputime-cur" and "cputime-max" default:\ :passwd_format=md5:\ :copyright=/etc/COPYRIGHT:\ :welcome=/etc/motd:\ :setenv=MAIL=/var/mail/$,BLOCKSIZE=K,FTP_PASSIVE_MODE=YES:\ :path=/sbin /bin /usr/sbin /usr/bin /usr/games /usr/local/sbin /usr/local/bin /usr/X11R6/bin ~/bin:\ :nologin=/var/run/nologin:\ :cputime=unlimited:\ :datasize=unlimited:\ :stacksize=unlimited:\ :memorylocked=unlimited:\ :memoryuse=unlimited:\ :filesize=unlimited:\ :coredumpsize=unlimited:\ :openfiles=unlimited:\ :maxproc=unlimited:\ :sbsize=unlimited:\ :vmemoryuse=unlimited:\ :priority=0:\ :ignoretime@:\ :umask=022: # # A collection of common class names - forward them all to 'default' # (login would normally do this anyway, but having a class name # here suppresses the diagnostic) # standard:\ :tc=default: xuser:\ :tc=default: staff:\ :tc=default: daemon:\ :tc=default: news:\ :tc=default: dialer:\ 
:tc=default: # # Root can always login # # N.B. login_getpwclass(3) will use this entry for the root account, # in preference to 'default'. root:\ :ignorenologin:\ :tc=default: # # Russian Users Accounts. Setup proper environment variables. # russian|Russian Users Accounts:\ :charset=KOI8-R:\ :lang=ru_RU.KOI8-R:\ :tc=default: ###################################################################### ###################################################################### ## ## Example entries ## ###################################################################### ###################################################################### ## Example defaults ## These settings are used by login(1) by default for classless users ## Note that entries like "cputime" set both "cputime-cur" and "cputime-max" # #default:\ # :cputime=infinity:\ # :datasize-cur=22M:\ # :stacksize-cur=8M:\ # :memorylocked-cur=10M:\ # :memoryuse-cur=30M:\ # :filesize=infinity:\ # :coredumpsize=infinity:\ # :maxproc-cur=64:\ # :openfiles-cur=64:\ # :priority=0:\ # :requirehome@:\ # :umask=022:\ # :tc=auth-defaults: # # ## ## standard - standard user defaults ## #standard:\ # :copyright=/etc/COPYRIGHT:\ # :welcome=/etc/motd:\ # :setenv=MAIL=/var/mail/$,BLOCKSIZE=K:\ # :path=~/bin /bin /usr/bin /usr/local/bin:\ # :manpath=/usr/share/man /usr/local/man:\ # :nologin=/var/run/nologin:\ # :cputime=1h30m:\ # :datasize=8M:\ # :vmemoryuse=100M:\ # :stacksize=2M:\ # :memorylocked=4M:\ # :memoryuse=8M:\ # :filesize=8M:\ # :coredumpsize=8M:\ # :openfiles=24:\ # :maxproc=32:\ # :priority=0:\ # :requirehome:\ # :passwordtime=90d:\ # :umask=002:\ # :ignoretime@:\ # :tc=default: # # ## ## users of X (needs more resources!) 
## #xuser:\ # :manpath=/usr/share/man /usr/X11R6/man /usr/local/man:\ # :cputime=4h:\ # :datasize=12M:\ # :vmemoryuse=infinity:\ # :stacksize=4M:\ # :filesize=8M:\ # :memoryuse=16M:\ # :openfiles=32:\ # :maxproc=48:\ # :tc=standard: # # ## ## Staff users - few restrictions and allow login anytime ## #staff:\ # :ignorenologin:\ # :ignoretime:\ # :requirehome@:\ # :accounted@:\ # :path=~/bin /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin:\ # :umask=022:\ # :tc=standard: # # ## ## root - fallback for root logins ## #root:\ # :path=~/bin /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin:\ # :cputime=infinity:\ # :datasize=infinity:\ # :stacksize=infinity:\ # :memorylocked=infinity:\ # :memoryuse=infinity:\ # :filesize=infinity:\ # :coredumpsize=infinity:\ # :openfiles=infinity:\ # :maxproc=infinity:\ # :memoryuse-cur=32M:\ # :maxproc-cur=64:\ # :openfiles-cur=1024:\ # :priority=0:\ # :requirehome@:\ # :umask=022:\ # :tc=auth-root-defaults: # # ## ## Settings used by /etc/rc ## #daemon:\ # :coredumpsize@:\ # :coredumpsize-cur=0:\ # :datasize=infinity:\ # :datasize-cur@:\ # :maxproc=512:\ # :maxproc-cur@:\ # :memoryuse-cur=64M:\ # :memorylocked-cur=64M:\ # :openfiles=1024:\ # :openfiles-cur@:\ # :stacksize=16M:\ # :stacksize-cur@:\ # :tc=default: # # ## ## Settings used by news subsystem ## #news:\ # :path=/usr/local/news/bin /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin:\ # :cputime=infinity:\ # :filesize=128M:\ # :datasize-cur=64M:\ # :stacksize-cur=32M:\ # :coredumpsize-cur=0:\ # :maxmemorysize-cur=128M:\ # :memorylocked=32M:\ # :maxproc=128:\ # :openfiles=256:\ # :tc=default: # # ## ## The dialer class should be used for a dialup PPP/SLIP accounts ## Welcome messages/news suppressed ## #dialer:\ # :hushlogin:\ # :requirehome@:\ # :cputime=unlimited:\ # :filesize=2M:\ # :datasize=2M:\ # :stacksize=4M:\ # :coredumpsize=0:\ # :memoryuse=4M:\ # :memorylocked=1M:\ # :maxproc=16:\ # :openfiles=32:\ # :tc=standard: # # ## ## Site 
full-time 24/7 PPP/SLIP connections ## - no time accounting, restricted to access via dialin lines ## #site:\ # :ignoretime:\ # :passwordtime@:\ # :refreshtime@:\ # :refreshperiod@:\ # :sessionlimit@:\ # :autodelete@:\ # :expireperiod@:\ # :graceexpire@:\ # :gracetime@:\ # :warnexpire@:\ # :warnpassword@:\ # :idletime@:\ # :sessiontime@:\ # :daytime@:\ # :weektime@:\ # :monthtime@:\ # :warntime@:\ # :accounted@:\ # :tc=dialer:\ # :tc=staff: # # ## ## Example standard accounting entries for subscriber levels ## # #subscriber|Subscribers:\ # :accounted:\ # :refreshtime=180d:\ # :refreshperiod@:\ # :sessionlimit@:\ # :autodelete=30d:\ # :expireperiod=180d:\ # :graceexpire=7d:\ # :gracetime=10m:\ # :warnexpire=7d:\ # :warnpassword=7d:\ # :idletime=30m:\ # :sessiontime=4h:\ # :daytime=6h:\ # :weektime=40h:\ # :monthtime=120h:\ # :warntime=4h:\ # :tc=standard: # # ## ## Subscriber accounts. These accounts have their login times ## accounted and have access limits applied. ## #subppp|PPP Subscriber Accounts:\ # :tc=dialer:\ # :tc=subscriber: # # #subslip|SLIP Subscriber Accounts:\ # :tc=dialer:\ # :tc=subscriber: # # #subshell|Shell Subscriber Accounts:\ # :tc=subscriber: # ## ## If you want some of the accounts to use traditional UNIX DES based ## password hashes. ## #des_users:\ # :passwd_format=des:\ # :tc=default: ======================================================================== /etc/pam.conf: ======================================================================== # Configuration file for Pluggable Authentication Modules (PAM). # # This file controls the authentication methods that login and other # utilities use. See pam(8) for a description of its format. # # $FreeBSD: src/etc/pam.conf,v 1.6.2.18 2003/02/15 17:20:27 des Exp $ # # service-name module-type control-flag module-path arguments # # module-type: # auth: prompt for a password to authenticate that the user is # who they say they are, and set any credentials. 
# account: non-authentication based authorization, based on time, # resources, etc. # session: housekeeping before and/or after login. # password: update authentication tokens. # # control-flag: How libpam handles success or failure of the module. # required: success is required, and on failure all remaining # modules are run. # requisite: success is required, and on failure no remaining # modules are run. # sufficient: success is sufficient, and if no previous required # module failed, no remaining modules are run. # optional: ignored unless the other modules return PAM_IGNORE. # # arguments: # Passed to the module; module-specific plus some generic ones: # debug: syslog debug info. # no_warn: return no warning messages to the application. # use_first_pass: try authentication using password from the # preceding auth module. # try_first_pass: first try authentication using password from # the preceding auth module, and if that fails # prompt for a new password. # use_mapped_pass: convert cleartext password to a crypto key. # expose_account: allow printing more info about the user when # prompting. # # Each final entry must say "required" -- otherwise, things don't # work quite right. If you delete a final entry, be sure to change # "sufficient" to "required" in the entry before it. # If the user can authenticate with S/Key, that's sufficient; allow clear # password. Try kerberos, then try plain unix password. 
login auth sufficient pam_skey.so login auth sufficient pam_opie.so no_fake_prompts #login auth requisite pam_opieaccess.so login auth requisite pam_cleartext_pass_ok.so #login auth sufficient pam_kerberosIV.so try_first_pass #login auth sufficient pam_krb5.so try_first_pass login auth required pam_unix.so try_first_pass login account required pam_unix.so login password required pam_permit.so login session required pam_permit.so # Same requirement for ftpd as login ftpd auth sufficient pam_skey.so ftpd auth sufficient pam_opie.so no_fake_prompts #ftpd auth requisite pam_opieaccess.so ftpd auth requisite pam_cleartext_pass_ok.so #ftpd auth sufficient pam_kerberosIV.so try_first_pass #ftpd auth sufficient pam_krb5.so try_first_pass ftpd auth required pam_unix.so try_first_pass # OpenSSH with PAM support requires similar modules. The session one is # a bit strange, though... sshd auth sufficient pam_skey.so sshd auth sufficient pam_opie.so no_fake_prompts #sshd auth requisite pam_opieaccess.so #sshd auth sufficient pam_kerberosIV.so try_first_pass #sshd auth sufficient pam_krb5.so try_first_pass sshd auth required pam_unix.so try_first_pass sshd account required pam_unix.so sshd password required pam_permit.so sshd session required pam_permit.so # "telnetd" is for SRA authenticated telnet only. Non-SRA uses 'login' telnetd auth required pam_unix.so try_first_pass # Don't break startx xserver auth required pam_permit.so # XDM is difficult; it fails or moans unless there are modules for each # of the four management groups; auth, account, session and password. 
xdm auth required pam_unix.so #xdm auth sufficient pam_kerberosIV.so try_first_pass #xdm auth sufficient pam_krb5.so try_first_pass xdm account required pam_unix.so try_first_pass xdm session required pam_deny.so xdm password required pam_deny.so # GDM (GNOME Display Manager) gdm auth required pam_unix.so #gdm auth sufficient pam_kerberosIV.so try_first_pass #gdm auth sufficient pam_krb5.so try_first_pass gdm account required pam_unix.so try_first_pass gdm session required pam_permit.so gdm password required pam_deny.so # Mail services imap auth required pam_unix.so try_first_pass pop3 auth required pam_unix.so try_first_pass # If we don't match anything else, default to using getpwnam(). other auth sufficient pam_skey.so other auth required pam_unix.so try_first_pass other account required pam_unix.so try_first_pass ======================================================================== /etc/adduser.conf ======================================================================== # # /etc/adduser.conf - automatic generated by adduser(8) # # Note: adduser read *and* write this file. 
# You may change values, but don't add new things before the # line ``## DO NOT DELETE THIS LINE!'' # # verbose = [0-2] verbose = 1 # regular expression usernames are checked against (see perlre(1)) # usernameregexp = 'regexp' usernameregexp = '^[a-z0-9_][a-z0-9_-]*$' # use password for new users # defaultpasswd = yes | no defaultpasswd = yes # copy dotfiles from this dir ("/usr/share/skel" or "no") dotdir = "/usr/share/skel" # send this file to new user ("/etc/adduser.message" or "no") send_message = "/etc/adduser.message" # config file for adduser ("/etc/adduser.conf") config = "/etc/adduser.conf" # logfile ("/var/log/adduser" or "no") logfile = "/var/log/adduser" # default HOME directory ("/home") home = "/home" # List of directories where shells located # path = ('/bin', '/usr/bin', '/usr/local/bin') path = ('/bin', '/usr/bin', '/usr/local/bin') # common shell list, first element has higher priority # shellpref = ('bash', 'tcsh', 'ksh', 'csh', 'sh') shellpref = ('csh', 'sh', 'bash', 'tcsh', 'ksh', 'no', 'date') # defaultshell if not empty ("bash") defaultshell = "sh" # defaultgroup ('USER' for same as username or any other valid group) defaultgroup = USER # defaultclass if not empty defaultclass = "" # new users get this uid (1000) uid_start = "1000" ## DO NOT DELETE THIS LINE! ## your own variables, see /etc/adduser.message ## end ======================================================================== root:mail root # uname -a FreeBSD mail.bsbsolutions.com.br 4.9-RELEASE FreeBSD 4.9-RELEASE #0: Wed Nov 5 12:22:35 GMT 2003 root@mail.bsbsolutions.com.br:/usr/src/sys/compile/integer-4.9 i386 Ivo R. Tonev ivo@tonev.pro.br integer@bsbsolutions.com.br