authorDag-Erling Smørgrav <des@FreeBSD.org>2002-01-21 18:51:24 +0000
committerDag-Erling Smørgrav <des@FreeBSD.org>2002-01-21 18:51:24 +0000
commitae739ec469bf3a64c0b7a8ffa7901bf9151bf2bc (patch)
treee4b5d29c748772dfacf325ac9643cfc3804fe86c
parent03adba96a01ce79e95bcd6a03d205b924a0aa0bd (diff)
downloadsrc-ae739ec469bf3a64c0b7a8ffa7901bf9151bf2bc.tar.gz
src-ae739ec469bf3a64c0b7a8ffa7901bf9151bf2bc.zip
Enable OPIE by default, using the no_fake_prompts option to hide it from
users who don't wish to use it. If the admin is worried about leaking information about which users exist and which have OPIE enabled, the no_fake_prompts option can simply be removed. Also insert the appropriate pam_opieaccess lines after pam_opie to break the chain in case the user is logging in from an untrusted host, or has a .opiealways file. The entire opieaccess / opiealways concept is slightly unpammish, but admins familiar with OPIE will expect it to work.

Reviewed by: ache, markm
Sponsored by: DARPA, NAI Labs
Notes
Notes: svn path=/head/; revision=89619
-rw-r--r--etc/pam.d/csshd3
-rw-r--r--etc/pam.d/ftp3
-rw-r--r--etc/pam.d/ftpd7
-rw-r--r--etc/pam.d/imap3
-rw-r--r--etc/pam.d/kde3
-rw-r--r--etc/pam.d/login4
-rw-r--r--etc/pam.d/other3
-rw-r--r--etc/pam.d/pop33
-rw-r--r--etc/pam.d/su34
9 files changed, 40 insertions, 23 deletions
diff --git a/etc/pam.d/csshd b/etc/pam.d/csshd
index 863160eb1f97..3501424f4aec 100644
--- a/etc/pam.d/csshd
+++ b/etc/pam.d/csshd
@@ -5,4 +5,5 @@
#
# auth
-auth required pam_opie.so no_warn
+auth sufficient pam_opie.so no_warn no_fake_prompts
+auth requisite pam_opieaccess.so no_warn
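Review bot: After the new `auth requisite pam_opieaccess.so no_warn` line no `required` module is visible in csshd, and the hunk header (+5 lines) says one new-side line is not displayed here, so it is unclear whether this stack still ends with a password check. If nothing required follows, a user whom pam_opie rejects (which, with `no_fake_prompts`, includes every user who has no OPIE key) but whom pam_opieaccess admits reaches the end of the stack with only a failed sufficient module and a passed requisite one, and as far as I can tell from PAM dispatch rules that is not reported as a failure. The other files in this commit (ftp, kde, login, other) keep `auth required pam_unix.so no_warn try_first_pass` right after the pair; csshd should end the same way unless that is the line not shown.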
diff --git a/etc/pam.d/ftp b/etc/pam.d/ftp
index 3a083ef602eb..cdd30f133571 100644
--- a/etc/pam.d/ftp
+++ b/etc/pam.d/ftp
@@ -8,7 +8,8 @@
auth required pam_nologin.so no_warn
#auth sufficient pam_kerberosIV.so no_warn
#auth sufficient pam_krb5.so no_warn
-#auth required pam_opie.so no_warn
+auth sufficient pam_opie.so no_warn no_fake_prompts
+auth requisite pam_opieaccess.so no_warn
#auth required pam_ssh.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass
diff --git a/etc/pam.d/ftpd b/etc/pam.d/ftpd
index 471b67b10841..46838ee48f70 100644
--- a/etc/pam.d/ftpd
+++ b/etc/pam.d/ftpd
@@ -9,10 +9,9 @@ auth required pam_nologin.so no_warn
#auth sufficient pam_kerberosIV.so no_warn
#auth sufficient pam_krb5.so no_warn
#auth sufficient pam_ssh.so no_warn try_first_pass
-# Uncomment either pam_opie or pam_unix, but not both of them.
-# pam_unix can't be simple chained with pam_opie, ftpd provides proper fallback
-auth required pam_opie.so no_warn
-#auth required pam_unix.so no_warn try_first_pass
+auth sufficient pam_opie.so no_warn no_fake_prompts
+auth requisite pam_opieaccess.so no_warn
+auth required pam_unix.so no_warn try_first_pass
# account
#account required pam_kerberosIV.so
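Review bot: The removed two-line comment explained why pam_opie and pam_unix could not simply be chained, and nothing replaces it, yet the new three-line stack is correct only because of its exact ordering and control flags: pam_opie as `sufficient` short-circuits on a correct one-time password, and pam_opieaccess as `requisite` is the gate that stops an OPIE user on an untrusted host from falling through to the Unix password. That dependency is not obvious to an admin who later reorders the lines, moves pam_unix above pam_opieaccess, or softens `requisite` to `required` (which would still fail the login but would prompt for the Unix password first). Suggest a comment above the pam_opie line such as `# pam_opieaccess must stay between pam_opie and pam_unix: it denies fallback to the Unix password for OPIE users on untrusted hosts`. The same comment is worth adding to the identical blocks in ftp, kde, login and other.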
diff --git a/etc/pam.d/imap b/etc/pam.d/imap
index cfacfb8a78f1..eaf53d29a9a9 100644
--- a/etc/pam.d/imap
+++ b/etc/pam.d/imap
@@ -6,6 +6,7 @@
# auth
#auth required pam_nologin.so no_warn
-#auth required pam_opie.so no_warn
+#auth sufficient pam_opie.so no_warn no_fake_prompts
+#auth requisite pam_opieaccess.so no_warn
#auth required pam_ssh.so no_warn try_first_pass
#auth required pam_unix.so no_warn try_first_pass
diff --git a/etc/pam.d/kde b/etc/pam.d/kde
index 09564886fa5a..4d23ae8b1781 100644
--- a/etc/pam.d/kde
+++ b/etc/pam.d/kde
@@ -6,7 +6,8 @@
# auth
auth required pam_nologin.so no_warn
-#auth sufficient pam_opie.so no_warn
+auth sufficient pam_opie.so no_warn no_fake_prompts
+auth requisite pam_opieaccess.so no_warn
#auth sufficient pam_kerberosIV.so no_warn try_first_pass
#auth sufficient pam_krb5.so no_warn try_first_pass
#auth required pam_ssh.so no_warn try_first_pass
diff --git a/etc/pam.d/login b/etc/pam.d/login
index ab7046bc586f..0e2cfa7ab742 100644
--- a/etc/pam.d/login
+++ b/etc/pam.d/login
@@ -6,7 +6,8 @@
# auth
auth required pam_nologin.so no_warn
-#auth sufficient pam_opie.so no_warn
+auth sufficient pam_opie.so no_warn no_fake_prompts
+auth requisite pam_opieaccess.so no_warn
#auth sufficient pam_kerberosIV.so no_warn try_first_pass
#auth sufficient pam_krb5.so no_warn try_first_pass
#auth required pam_ssh.so no_warn try_first_pass
@@ -24,7 +25,6 @@ account required pam_unix.so
session required pam_unix.so
# password
-#password sufficient pam_opie.so no_warn
#password sufficient pam_kerberosIV.so no_warn try_first_pass
#password sufficient pam_krb5.so no_warn try_first_pass
password required pam_unix.so no_warn try_first_pass
diff --git a/etc/pam.d/other b/etc/pam.d/other
index f4f758c36d6c..8ef67742264b 100644
--- a/etc/pam.d/other
+++ b/etc/pam.d/other
@@ -6,7 +6,8 @@
# auth
auth required pam_nologin.so no_warn
-#auth required pam_opie.so no_warn
+auth sufficient pam_opie.so no_warn no_fake_prompts
+auth requisite pam_opieaccess.so no_warn
auth required pam_unix.so no_warn try_first_pass
# account
diff --git a/etc/pam.d/pop3 b/etc/pam.d/pop3
index 0cc10fbf185f..3657f12af5d4 100644
--- a/etc/pam.d/pop3
+++ b/etc/pam.d/pop3
@@ -6,6 +6,7 @@
# auth
#auth required pam_nologin.so no_warn
-#auth required pam_opie.so no_warn
+#auth sufficient pam_opie.so no_warn no_fake_prompts
+#auth requisite pam_opieaccess.so no_warn
#auth required pam_ssh.so no_warn try_first_pass
#auth required pam_unix.so no_warn try_first_pass
diff --git a/etc/pam.d/su b/etc/pam.d/su
index 8e3a9bcb8522..81aa1b138f11 100644
--- a/etc/pam.d/su
+++ b/etc/pam.d/su
@@ -9,33 +9,45 @@ auth sufficient pam_rootok.so no_warn
auth requisite pam_wheel.so no_warn auth_as_self noroot_ok
#auth sufficient pam_kerberosIV.so no_warn
#auth sufficient pam_krb5.so no_warn try_first_pass auth_as_self
-#auth required pam_opie.so no_warn
+auth sufficient pam_opie.so no_warn no_fake_prompts
+auth requisite pam_opieaccess.so no_warn
#auth required pam_ssh.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass nullok
-#auth sufficient pam_rootok.so no_warn
-##auth sufficient pam_kerberosIV.so no_warn
-##auth sufficient pam_krb5.so no_warn
-#auth required pam_opie.so no_warn auth_as_self
-#auth required pam_unix.so no_warn try_first_pass auth_as_self
# account
#account required pam_kerberosIV.so
#account required pam_krb5.so
account required pam_unix.so
-##account required pam_kerberosIV.so
-##account required pam_krb5.so
-#account required pam_unix.so
# session
#session required pam_kerberosIV.so
#session required pam_krb5.so
#session required pam_ssh.so
session required pam_unix.so
+
+# password
+password required pam_permit.so
+
+
+# If you want a "WHEELSU"-type su(1), then comment out the
+# above, and uncomment the entries below.
+## auth
+#auth sufficient pam_rootok.so no_warn
+##auth sufficient pam_kerberosIV.so no_warn
+##auth sufficient pam_krb5.so no_warn
+#auth required pam_opie.so no_warn auth_as_self no_fake_prompts
+#auth required pam_unix.so no_warn try_first_pass auth_as_self
+
+## account
+##account required pam_kerberosIV.so
+##account required pam_krb5.so
+#account required pam_unix.so
+
+## session
##session required pam_kerberosIV.so
##session required pam_krb5.so
##session required pam_ssh.so
#session required pam_unix.so
-# password
-password required pam_permit.so
+## password
#password required pam_permit.so
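Review bot: The commented-out "WHEELSU" alternative's pam_opie line near the end of the hunk gains `no_fake_prompts` but keeps `required` and is not followed by a pam_opieaccess line, so it no longer mirrors the live stack at the top of the file. With `required` and no fake prompt, a wheel user who has no OPIE key cannot pass that module at all, so enabling the alternative would, if I read pam_opie correctly, make OPIE mandatory rather than optional, and without pam_opieaccess the untrusted-host gating described in the commit message is absent there. Either say so in the comment block introducing the alternative, or make it `#auth sufficient pam_opie.so no_warn auth_as_self no_fake_prompts` followed by a commented pam_opieaccess line that checks the same user pam_opie does under auth_as_self, so the two stacks agree.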