Module Name: src Committed By: martin Date: Wed Jun 21 21:50:34 UTC 2023
Modified Files: src/etc/pam.d [netbsd-8]: display_manager ftpd sshd su system Log Message: Pull up following revision(s) (requested by riastradh in ticket #1843): etc/pam.d/ftpd: revision 1.8 etc/pam.d/su: revision 1.9 etc/pam.d/system: revision 1.9 etc/pam.d/display_manager: revision 1.6 etc/pam.d/sshd: revision 1.10 pam: Disable pam_krb5, pam_ksu by default. These are not useful unless you also set up /etc/krb5.conf and a keytab for the host from the Kerberos KDC. But having them enabled by default means that creating /etc/krb5.conf just to enable use of Kerberos for _client-side_ single sign-on creates usability issues. As proposed on tech-security: https://mail-index.netbsd.org/tech-security/2023/06/16/msg001160.html To generate a diff of this commit: cvs rdiff -u -r1.5 -r1.5.40.1 src/etc/pam.d/display_manager cvs rdiff -u -r1.7 -r1.7.58.1 src/etc/pam.d/ftpd src/etc/pam.d/su cvs rdiff -u -r1.9 -r1.9.58.1 src/etc/pam.d/sshd cvs rdiff -u -r1.8 -r1.8.58.1 src/etc/pam.d/system Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files: Index: src/etc/pam.d/display_manager diff -u src/etc/pam.d/display_manager:1.5 src/etc/pam.d/display_manager:1.5.40.1 --- src/etc/pam.d/display_manager:1.5 Sat Nov 13 19:19:40 2010 +++ src/etc/pam.d/display_manager Wed Jun 21 21:50:34 2023 @@ -1,4 +1,4 @@ -# $NetBSD: display_manager,v 1.5 2010/11/13 19:19:40 christos Exp $ +# $NetBSD: display_manager,v 1.5.40.1 2023/06/21 21:50:34 martin Exp $ # # PAM configuration for the display manager services. Specific display # manager service configurations can include this one. @@ -7,14 +7,14 @@ # auth auth required pam_nologin.so no_warn auth sufficient pam_skey.so no_warn try_first_pass -auth sufficient pam_krb5.so no_warn try_first_pass +#auth sufficient pam_krb5.so no_warn try_first_pass auth optional pam_afslog.so no_warn try_first_pass # pam_ssh has potential security risks. See pam_ssh(8). #auth sufficient pam_ssh.so no_warn try_first_pass auth required pam_unix.so no_warn try_first_pass # account -account required pam_krb5.so +#account required pam_krb5.so account required pam_unix.so # session Index: src/etc/pam.d/ftpd diff -u src/etc/pam.d/ftpd:1.7 src/etc/pam.d/ftpd:1.7.58.1 --- src/etc/pam.d/ftpd:1.7 Wed Mar 26 11:31:17 2008 +++ src/etc/pam.d/ftpd Wed Jun 21 21:50:34 2023 @@ -1,4 +1,4 @@ -# $NetBSD: ftpd,v 1.7 2008/03/26 11:31:17 lukem Exp $ +# $NetBSD: ftpd,v 1.7.58.1 2023/06/21 21:50:34 martin Exp $ # # PAM configuration for the "ftpd" service # 
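Review bot: `auth optional pam_afslog.so no_warn try_first_pass` stays enabled in the display_manager auth stack directly below the newly disabled pam_krb5 line, and the same is true in the ftpd, sshd and system hunks. As far as I can tell, pam_afslog only turns Kerberos credentials obtained earlier in the stack into AFS tokens, so with pam_krb5 off it has nothing to work with. It is `optional`, so it cannot change the authentication result, but it is still loaded on every login. If that reading is right, comment it out together with pam_krb5, `#auth optional pam_afslog.so no_warn try_first_pass`, so the default stack loads no Kerberos-dependent module.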
@@ -8,14 +8,14 @@ # pam_unix. auth required pam_nologin.so no_warn auth sufficient pam_skey.so no_warn try_first_pass -auth sufficient pam_krb5.so no_warn try_first_pass +#auth sufficient pam_krb5.so no_warn try_first_pass auth optional pam_afslog.so no_warn try_first_pass auth required pam_unix.so no_warn try_first_pass # account # Even though this is identical to "system", we open code it here because # we open code the auth stack. -account required pam_krb5.so +#account required pam_krb5.so account required pam_unix.so # session Index: src/etc/pam.d/su diff -u src/etc/pam.d/su:1.7 src/etc/pam.d/su:1.7.58.1 --- src/etc/pam.d/su:1.7 Wed Mar 26 11:31:17 2008 +++ src/etc/pam.d/su Wed Jun 21 21:50:34 2023 @@ -1,4 +1,4 @@ -# $NetBSD: su,v 1.7 2008/03/26 11:31:17 lukem Exp $ +# $NetBSD: su,v 1.7.58.1 2023/06/21 21:50:34 martin Exp $ # # PAM configuration for the "su" service # @@ -7,7 +7,7 @@ auth sufficient pam_rootok.so no_warn auth sufficient pam_self.so no_warn auth sufficient pam_skey.so no_warn try_first_pass -auth sufficient pam_ksu.so no_warn try_first_pass +#auth sufficient pam_ksu.so no_warn try_first_pass #auth sufficient pam_group.so no_warn group=rootauth root_only authenticate auth requisite pam_group.so no_warn group=wheel root_only fail_safe auth required pam_unix.so no_warn try_first_pass nullok Index: src/etc/pam.d/sshd diff -u src/etc/pam.d/sshd:1.9 src/etc/pam.d/sshd:1.9.58.1 --- src/etc/pam.d/sshd:1.9 Wed Mar 26 11:31:17 2008 +++ src/etc/pam.d/sshd Wed Jun 21 21:50:34 2023 @@ -1,4 +1,4 @@ -# $NetBSD: sshd,v 1.9 2008/03/26 11:31:17 lukem Exp $ +# $NetBSD: sshd,v 1.9.58.1 2023/06/21 21:50:34 martin Exp $ # # PAM configuration for the "sshd" service # 
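Review bot: The disabled `pam_ksu` line in the su auth stack now sits next to the older `#auth sufficient pam_group.so no_warn group=rootauth root_only authenticate` line, with nothing to show that one is off for missing prerequisites and the other apparently as an optional policy. The sibling files already annotate a disabled module (`# pam_ssh has potential security risks. See pam_ssh(8).`). A matching line here, such as `# pam_ksu needs /etc/krb5.conf and a host keytab; see pam_ksu(8).`, would tell an administrator what must exist before re-enabling a module that is `sufficient` for becoming root.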
@@ -6,14 +6,14 @@ # auth auth required pam_nologin.so no_warn auth sufficient pam_skey.so no_warn try_first_pass -auth sufficient pam_krb5.so no_warn try_first_pass +#auth sufficient pam_krb5.so no_warn try_first_pass auth optional pam_afslog.so no_warn try_first_pass # pam_ssh has potential security risks. See pam_ssh(8). #auth sufficient pam_ssh.so no_warn try_first_pass auth required pam_unix.so no_warn try_first_pass # account -account required pam_krb5.so +#account required pam_krb5.so account required pam_login_access.so account required pam_unix.so @@ -23,5 +23,5 @@ account required pam_unix.so session required pam_permit.so # password -password sufficient pam_krb5.so no_warn try_first_pass +#password sufficient pam_krb5.so no_warn try_first_pass password required pam_unix.so no_warn try_first_pass Index: src/etc/pam.d/system diff -u src/etc/pam.d/system:1.8 src/etc/pam.d/system:1.8.58.1 --- src/etc/pam.d/system:1.8 Wed Mar 26 11:31:17 2008 +++ src/etc/pam.d/system Wed Jun 21 21:50:34 2023 @@ -1,21 +1,21 @@ -# $NetBSD: system,v 1.8 2008/03/26 11:31:17 lukem Exp $ +# $NetBSD: system,v 1.8.58.1 2023/06/21 21:50:34 martin Exp $ # # System-wide defaults # # auth auth sufficient pam_skey.so no_warn try_first_pass -auth sufficient pam_krb5.so no_warn try_first_pass +#auth sufficient pam_krb5.so no_warn try_first_pass auth optional pam_afslog.so no_warn try_first_pass auth required pam_unix.so no_warn try_first_pass nullok # account -account required pam_krb5.so +#account required pam_krb5.so account required pam_unix.so # session session required pam_lastlog.so no_fail no_nested # password -password sufficient pam_krb5.so no_warn try_first_pass +#password sufficient pam_krb5.so no_warn try_first_pass password required pam_unix.so no_warn try_first_pass
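Review bot: Nothing in the sshd or system file says that the three disabled pam_krb5 lines (auth, account, password) belong together, so an administrator re-enabling Kerberos may uncomment only the `auth` line. The account line is the one marked `required`, and I would expect it to be where pam_krb5 checks that the principal may use the local account, so leaving it off would be weaker than the configuration this commit removed; that is worth confirming against pam_krb5(8). A comment above the first disabled line, e.g. `# Kerberos: needs /etc/krb5.conf and a host keytab; uncomment the pam_krb5 auth, account and password lines together.`, would cover it, and display_manager and ftpd have the same auth/account pair. Since this is a pull-up to a release branch, hosts that already log in through pam_krb5 will presumably lose that path when the new files are merged, which deserves a line in the release notes.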