Module Name:    src
Committed By:   riastradh
Date:           Tue Jun 20 22:00:00 UTC 2023

Modified Files:
        src/etc/pam.d: display_manager ftpd sshd su system

Log Message:
pam: Disable pam_krb5, pam_ksu by default.

These are not useful unless you also set up /etc/krb5.conf and a
keytab for the host from the Kerberos KDC.  But having them enabled
by default means that creating /etc/krb5.conf just to enable use of
Kerberos for _client-side_ single sign-on creates usability issues.

As proposed on tech-security:
https://mail-index.netbsd.org/tech-security/2023/06/16/msg001160.html


To generate a diff of this commit:
cvs rdiff -u -r1.5 -r1.6 src/etc/pam.d/display_manager
cvs rdiff -u -r1.7 -r1.8 src/etc/pam.d/ftpd
cvs rdiff -u -r1.9 -r1.10 src/etc/pam.d/sshd
cvs rdiff -u -r1.8 -r1.9 src/etc/pam.d/su src/etc/pam.d/system

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/etc/pam.d/display_manager
diff -u src/etc/pam.d/display_manager:1.5 src/etc/pam.d/display_manager:1.6
--- src/etc/pam.d/display_manager:1.5	Sat Nov 13 19:19:40 2010
+++ src/etc/pam.d/display_manager	Tue Jun 20 22:00:00 2023
@@ -1,4 +1,4 @@
-# $NetBSD: display_manager,v 1.5 2010/11/13 19:19:40 christos Exp $
+# $NetBSD: display_manager,v 1.6 2023/06/20 22:00:00 riastradh Exp $
 #
 # PAM configuration for the display manager services.  Specific display
 # manager service configurations can include this one.
@@ -7,14 +7,14 @@
 # auth
 auth		required	pam_nologin.so		no_warn
 auth		sufficient	pam_skey.so		no_warn try_first_pass
-auth		sufficient	pam_krb5.so		no_warn try_first_pass
+#auth		sufficient	pam_krb5.so		no_warn try_first_pass
 auth		optional	pam_afslog.so		no_warn try_first_pass
 # pam_ssh has potential security risks.  See pam_ssh(8).
 #auth		sufficient	pam_ssh.so		no_warn try_first_pass
 auth		required	pam_unix.so		no_warn try_first_pass
 
 # account
-account 	required	pam_krb5.so
+#account 	required	pam_krb5.so
 account		required	pam_unix.so
 
 # session
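Review bot: The pam_krb5 entries disabled at the auth and account lines are left with no comment saying why they are off or what is needed to turn them back on, unlike the neighbouring `# pam_ssh has potential security risks.  See pam_ssh(8).` line, so an administrator merging this file into /etc sees only a silently disabled module. Consider a one-line comment above the disabled auth entry, e.g. `# pam_krb5 needs /etc/krb5.conf and a host keytab; uncomment to enable.`, and the same for the matching hunks in ftpd, sshd (auth/account and password), system, and the pam_ksu line in su. The `auth optional pam_afslog.so` entry stays enabled in the same stacks; if, as I understand it, that module only obtains AFS tokens from Kerberos credentials acquired earlier in the stack, it is now inert by default and could be commented out or annotated alongside. Sites that relied on the previous default to admit Kerberos-only accounts with no local password will lose that on merge, which the log message or a file comment could call out.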

Index: src/etc/pam.d/ftpd
diff -u src/etc/pam.d/ftpd:1.7 src/etc/pam.d/ftpd:1.8
--- src/etc/pam.d/ftpd:1.7	Wed Mar 26 11:31:17 2008
+++ src/etc/pam.d/ftpd	Tue Jun 20 22:00:00 2023
@@ -1,4 +1,4 @@
-# $NetBSD: ftpd,v 1.7 2008/03/26 11:31:17 lukem Exp $
+# $NetBSD: ftpd,v 1.8 2023/06/20 22:00:00 riastradh Exp $
 #
 # PAM configuration for the "ftpd" service
 #
@@ -8,14 +8,14 @@
 # pam_unix.
 auth		required	pam_nologin.so		no_warn
 auth		sufficient	pam_skey.so		no_warn try_first_pass
-auth		sufficient	pam_krb5.so		no_warn try_first_pass
+#auth		sufficient	pam_krb5.so		no_warn try_first_pass
 auth		optional	pam_afslog.so		no_warn try_first_pass
 auth		required	pam_unix.so		no_warn try_first_pass
 
 # account
 # Even though this is identical to "system", we open code it here because
 # we open code the auth stack.
-account		required	pam_krb5.so
+#account	required	pam_krb5.so
 account		required	pam_unix.so
 
 # session

Index: src/etc/pam.d/sshd
diff -u src/etc/pam.d/sshd:1.9 src/etc/pam.d/sshd:1.10
--- src/etc/pam.d/sshd:1.9	Wed Mar 26 11:31:17 2008
+++ src/etc/pam.d/sshd	Tue Jun 20 22:00:00 2023
@@ -1,4 +1,4 @@
-# $NetBSD: sshd,v 1.9 2008/03/26 11:31:17 lukem Exp $
+# $NetBSD: sshd,v 1.10 2023/06/20 22:00:00 riastradh Exp $
 #
 # PAM configuration for the "sshd" service
 #
@@ -6,14 +6,14 @@
 # auth
 auth		required	pam_nologin.so	no_warn
 auth		sufficient	pam_skey.so	no_warn try_first_pass
-auth		sufficient	pam_krb5.so	no_warn try_first_pass
+#auth		sufficient	pam_krb5.so	no_warn try_first_pass
 auth		optional	pam_afslog.so	no_warn try_first_pass
 # pam_ssh has potential security risks.  See pam_ssh(8).
 #auth		sufficient	pam_ssh.so	no_warn try_first_pass
 auth		required	pam_unix.so	no_warn try_first_pass
 
 # account
-account		required	pam_krb5.so
+#account	required	pam_krb5.so
 account		required	pam_login_access.so
 account		required	pam_unix.so
 
@@ -23,5 +23,5 @@ account		required	pam_unix.so
 session		required	pam_permit.so
 
 # password
-password	sufficient	pam_krb5.so	no_warn try_first_pass
+#password	sufficient	pam_krb5.so	no_warn try_first_pass
 password	required	pam_unix.so	no_warn try_first_pass

Index: src/etc/pam.d/su
diff -u src/etc/pam.d/su:1.8 src/etc/pam.d/su:1.9
--- src/etc/pam.d/su:1.8	Tue Mar  3 00:47:33 2020
+++ src/etc/pam.d/su	Tue Jun 20 22:00:00 2023
@@ -1,4 +1,4 @@
-# $NetBSD: su,v 1.8 2020/03/03 00:47:33 christos Exp $
+# $NetBSD: su,v 1.9 2023/06/20 22:00:00 riastradh Exp $
 #
 # PAM configuration for the "su" service
 #
@@ -8,7 +8,7 @@ auth		sufficient	pam_rootok.so		no_warn
 auth		sufficient	pam_self.so		no_warn
 auth		sufficient	pam_skey.so		no_warn try_first_pass
 #auth		sufficient	pam_u2f.so		authfile=/etc/u2f_mappings cue
-auth		sufficient	pam_ksu.so		no_warn try_first_pass
+#auth		sufficient	pam_ksu.so		no_warn try_first_pass
 #auth		sufficient	pam_group.so		no_warn group=rootauth root_only authenticate
 auth		requisite	pam_group.so		no_warn group=wheel root_only fail_safe
 auth		required	pam_unix.so		no_warn try_first_pass nullok
Index: src/etc/pam.d/system
diff -u src/etc/pam.d/system:1.8 src/etc/pam.d/system:1.9
--- src/etc/pam.d/system:1.8	Wed Mar 26 11:31:17 2008
+++ src/etc/pam.d/system	Tue Jun 20 22:00:00 2023
@@ -1,21 +1,21 @@
-# $NetBSD: system,v 1.8 2008/03/26 11:31:17 lukem Exp $
+# $NetBSD: system,v 1.9 2023/06/20 22:00:00 riastradh Exp $
 #
 # System-wide defaults
 #
 
 # auth
 auth		sufficient	pam_skey.so		no_warn try_first_pass
-auth		sufficient	pam_krb5.so		no_warn try_first_pass
+#auth		sufficient	pam_krb5.so		no_warn try_first_pass
 auth		optional	pam_afslog.so		no_warn try_first_pass
 auth		required	pam_unix.so		no_warn try_first_pass nullok
 
 # account
-account 	required	pam_krb5.so
+#account 	required	pam_krb5.so
 account		required	pam_unix.so
 
 # session
 session		required	pam_lastlog.so		no_fail no_nested
 
 # password
-password	sufficient	pam_krb5.so		no_warn try_first_pass
+#password	sufficient	pam_krb5.so		no_warn try_first_pass
 password	required	pam_unix.so		no_warn try_first_pass
