Module Name: src Committed By: jmmv Date: Mon Dec 30 21:59:08 UTC 2024
Modified Files: src/etc/pam.d: Makefile Added Files: src/etc/pam.d: display_manager.in ftpd.in sshd.in su.in system.in Removed Files: src/etc/pam.d: display_manager ftpd sshd su system Log Message: Wipe out pam_skey.so usage when MKSKEY=no This fixes the ability to log into the system when it has been built with MKSKEY=no. I've built a release with the default MKSKEY value (yes) and without, and confirmed that the former keeps the pam_skey entries in place and the latter does not. To generate a diff of this commit: cvs rdiff -u -r1.11 -r1.12 src/etc/pam.d/Makefile cvs rdiff -u -r1.6 -r0 src/etc/pam.d/display_manager cvs rdiff -u -r0 -r1.1 src/etc/pam.d/display_manager.in src/etc/pam.d/ftpd.in \ src/etc/pam.d/sshd.in src/etc/pam.d/su.in src/etc/pam.d/system.in cvs rdiff -u -r1.8 -r0 src/etc/pam.d/ftpd cvs rdiff -u -r1.10 -r0 src/etc/pam.d/sshd cvs rdiff -u -r1.9 -r0 src/etc/pam.d/su src/etc/pam.d/system Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files:
Index: src/etc/pam.d/Makefile
diff -u src/etc/pam.d/Makefile:1.11 src/etc/pam.d/Makefile:1.12
--- src/etc/pam.d/Makefile:1.11 Sun Jun 18 20:23:21 2017
+++ src/etc/pam.d/Makefile Mon Dec 30 21:59:08 2024
@@ -1,4 +1,6 @@
-# $NetBSD: Makefile,v 1.11 2017/06/18 20:23:21 christos Exp $
+# $NetBSD: Makefile,v 1.12 2024/12/30 21:59:08 jmmv Exp $
+
+.include <bsd.own.mk>
 
 CONFIGFILES= README cron display_manager ftpd gdm imap kde login other \
 passwd pop3 ppp racoon rexecd rsh sshd su system telnetd xdm \
@@ -7,4 +9,16 @@
 FILESDIR= /etc/pam.d
 FILESMODE= 644
 FILESMODE_README=444
+.for f in display_manager ftpd sshd su system
+FILESBUILD_$f= yes
+
+$f: $f.in
+ ${_MKTARGET_CREATE}
+.if ${MKSKEY} != "no"
+ cp $> $@
+.else
+ ${TOOL_SED} -e '/pam_skey/d' < $> > $@
+.endif
+.endfor
+
 .include <bsd.prog.mk>
Added files:
Index: src/etc/pam.d/display_manager.in
diff -u /dev/null src/etc/pam.d/display_manager.in:1.1
--- /dev/null Mon Dec 30 21:59:08 2024
+++ src/etc/pam.d/display_manager.in Mon Dec 30 21:59:08 2024
@@ -0,0 +1,24 @@
+# $NetBSD: display_manager.in,v 1.1 2024/12/30 21:59:08 jmmv Exp $
+#
+# PAM configuration for the display manager services. Specific display
+# manager service configurations can include this one.
+#
+
+# auth
+auth required pam_nologin.so no_warn
+auth sufficient pam_skey.so no_warn try_first_pass
+#auth sufficient pam_krb5.so no_warn try_first_pass
+auth optional pam_afslog.so no_warn try_first_pass
+# pam_ssh has potential security risks. See pam_ssh(8).
+#auth sufficient pam_ssh.so no_warn try_first_pass
+auth required pam_unix.so no_warn try_first_pass
+
+# account
+#account required pam_krb5.so
+account required pam_unix.so
+
+# session
+# XXX pam_lastlog.so?
+# pam_ssh has potential security risks. See pam_ssh(8).
+#session optional pam_ssh.so want_agent
+session required pam_permit.so
Index: src/etc/pam.d/ftpd.in
diff -u /dev/null src/etc/pam.d/ftpd.in:1.1
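Review bot: In the `.else` branch of the `.for` loop the `${TOOL_SED}` output is redirected straight into `$@`, so a sed failure or an interrupted build can leave a truncated `display_manager`, `ftpd`, `sshd`, `su` or `system` that is newer than its `.in` and is then treated as up to date — and that truncated file is a PAM policy, so a missing tail line (the `pam_unix.so` entry sits last in each auth stack) would be installed as-is. Writing to a temporary and renaming closes that window: `${TOOL_SED} -e '/pam_skey/d' < $> > $@.tmp && mv -f $@.tmp $@`. Separately, each generated file depends only on `$f.in`, so flipping MKSKEY between builds in the same objdir will not regenerate it; a comment above the `.for`, e.g. `# Regenerated only when $f.in changes; toggling MKSKEY needs a cleandir first.`, would make that explicit.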
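Review bot: The header comment of `display_manager.in` still describes the file as the PAM configuration itself, but it is now a template: the Makefile in this commit copies it to `display_manager` or, when built with MKSKEY=no, first deletes every line matching `pam_skey`. A one-line note after the RCS id, e.g. `# Template: pam_skey entries are stripped at build time when MKSKEY=no.`, would tell whoever edits the `.in` why the installed file may lack that entry. The same note applies to `ftpd.in`, `sshd.in`, `su.in` and `system.in`.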
--- /dev/null Mon Dec 30 21:59:08 2024
+++ src/etc/pam.d/ftpd.in Mon Dec 30 21:59:08 2024
@@ -0,0 +1,22 @@
+# $NetBSD: ftpd.in,v 1.1 2024/12/30 21:59:08 jmmv Exp $
+#
+# PAM configuration for the "ftpd" service
+#
+
+# auth
+# This looks very much like "system", but lacks the "nullok" option on
+# pam_unix.
+auth required pam_nologin.so no_warn
+auth sufficient pam_skey.so no_warn try_first_pass
+#auth sufficient pam_krb5.so no_warn try_first_pass
+auth optional pam_afslog.so no_warn try_first_pass
+auth required pam_unix.so no_warn try_first_pass
+
+# account
+# Even though this is identical to "system", we open code it here because
+# we open code the auth stack.
+#account required pam_krb5.so
+account required pam_unix.so
+
+# session
+session required pam_permit.so
Index: src/etc/pam.d/sshd.in
diff -u /dev/null src/etc/pam.d/sshd.in:1.1
--- /dev/null Mon Dec 30 21:59:08 2024
+++ src/etc/pam.d/sshd.in Mon Dec 30 21:59:08 2024
@@ -0,0 +1,27 @@
+# $NetBSD: sshd.in,v 1.1 2024/12/30 21:59:08 jmmv Exp $
+#
+# PAM configuration for the "sshd" service
+#
+
+# auth
+auth required pam_nologin.so no_warn
+auth sufficient pam_skey.so no_warn try_first_pass
+#auth sufficient pam_krb5.so no_warn try_first_pass
+auth optional pam_afslog.so no_warn try_first_pass
+# pam_ssh has potential security risks. See pam_ssh(8).
+#auth sufficient pam_ssh.so no_warn try_first_pass
+auth required pam_unix.so no_warn try_first_pass
+
+# account
+#account required pam_krb5.so
+account required pam_login_access.so
+account required pam_unix.so
+
+# session
+# pam_ssh has potential security risks. See pam_ssh(8).
+#session optional pam_ssh.so
+session required pam_permit.so
+
+# password
+#password sufficient pam_krb5.so no_warn try_first_pass
+password required pam_unix.so no_warn try_first_pass
Index: src/etc/pam.d/su.in
diff -u /dev/null src/etc/pam.d/su.in:1.1
--- /dev/null Mon Dec 30 21:59:08 2024
+++ src/etc/pam.d/su.in Mon Dec 30 21:59:08 2024
@@ -0,0 +1,21 @@
+# $NetBSD: su.in,v 1.1 2024/12/30 21:59:08 jmmv Exp $
+#
+# PAM configuration for the "su" service
+#
+
+# auth
+auth sufficient pam_rootok.so no_warn
+auth sufficient pam_self.so no_warn
+auth sufficient pam_skey.so no_warn try_first_pass
+#auth sufficient pam_u2f.so authfile=/etc/u2f_mappings cue
+#auth sufficient pam_ksu.so no_warn try_first_pass
+#auth sufficient pam_group.so no_warn group=rootauth root_only authenticate
+auth requisite pam_group.so no_warn group=wheel root_only fail_safe
+auth required pam_unix.so no_warn try_first_pass nullok
+
+# account
+account required pam_login_access.so
+account include system
+
+# session
+session required pam_permit.so
Index: src/etc/pam.d/system.in
diff -u /dev/null src/etc/pam.d/system.in:1.1
--- /dev/null Mon Dec 30 21:59:08 2024
+++ src/etc/pam.d/system.in Mon Dec 30 21:59:08 2024
@@ -0,0 +1,21 @@
+# $NetBSD: system.in,v 1.1 2024/12/30 21:59:08 jmmv Exp $
+#
+# System-wide defaults
+#
+
+# auth
+auth sufficient pam_skey.so no_warn try_first_pass
+#auth sufficient pam_krb5.so no_warn try_first_pass
+auth optional pam_afslog.so no_warn try_first_pass
+auth required pam_unix.so no_warn try_first_pass nullok
+
+# account
+#account required pam_krb5.so
+account required pam_unix.so
+
+# session
+session required pam_lastlog.so no_fail no_nested
+
+# password
+#password sufficient pam_krb5.so no_warn try_first_pass
+password required pam_unix.so no_warn try_first_pass