Source-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[src/netbsd-9]: src/etc/pam.d Pull up following revision(s) (requested by ria...
details: https://anonhg.NetBSD.org/src/rev/4812ad04f84a
branches: netbsd-9
changeset: 376539:4812ad04f84a
user: martin <martin%NetBSD.org@localhost>
date: Wed Jun 21 21:47:51 2023 +0000
description:
Pull up following revision(s) (requested by riastradh in ticket #1651):
etc/pam.d/ftpd: revision 1.8
etc/pam.d/su: revision 1.9
etc/pam.d/system: revision 1.9
etc/pam.d/display_manager: revision 1.6
etc/pam.d/sshd: revision 1.10
pam: Disable pam_krb5, pam_ksu by default.
These are not useful unless you also set up /etc/krb5.conf and a
keytab for the host from the Kerberos KDC. But having them enabled
by default means that creating /etc/krb5.conf just to enable use of
Kerberos for _client-side_ single sign-on creates usability issues.
As proposed on tech-security:
https://mail-index.netbsd.org/tech-security/2023/06/16/msg001160.html
diffstat:
etc/pam.d/display_manager | 6 +++---
etc/pam.d/ftpd | 6 +++---
etc/pam.d/sshd | 8 ++++----
etc/pam.d/su | 4 ++--
etc/pam.d/system | 8 ++++----
5 files changed, 16 insertions(+), 16 deletions(-)
diffs (132 lines):
diff -r 82896eaa7a0e -r 4812ad04f84a etc/pam.d/display_manager
--- a/etc/pam.d/display_manager Wed Jun 21 21:24:37 2023 +0000
+++ b/etc/pam.d/display_manager Wed Jun 21 21:47:51 2023 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: display_manager,v 1.5 2010/11/13 19:19:40 christos Exp $
+# $NetBSD: display_manager,v 1.5.50.1 2023/06/21 21:47:51 martin Exp $
#
# PAM configuration for the display manager services. Specific display
# manager service configurations can include this one.
@@ -7,14 +7,14 @@
# auth
auth required pam_nologin.so no_warn
auth sufficient pam_skey.so no_warn try_first_pass
-auth sufficient pam_krb5.so no_warn try_first_pass
+#auth sufficient pam_krb5.so no_warn try_first_pass
auth optional pam_afslog.so no_warn try_first_pass
# pam_ssh has potential security risks. See pam_ssh(8).
#auth sufficient pam_ssh.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass
# account
-account required pam_krb5.so
+#account required pam_krb5.so
account required pam_unix.so
# session
diff -r 82896eaa7a0e -r 4812ad04f84a etc/pam.d/ftpd
--- a/etc/pam.d/ftpd Wed Jun 21 21:24:37 2023 +0000
+++ b/etc/pam.d/ftpd Wed Jun 21 21:47:51 2023 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: ftpd,v 1.7 2008/03/26 11:31:17 lukem Exp $
+# $NetBSD: ftpd,v 1.7.68.1 2023/06/21 21:47:51 martin Exp $
#
# PAM configuration for the "ftpd" service
#
@@ -8,14 +8,14 @@
# pam_unix.
auth required pam_nologin.so no_warn
auth sufficient pam_skey.so no_warn try_first_pass
-auth sufficient pam_krb5.so no_warn try_first_pass
+#auth sufficient pam_krb5.so no_warn try_first_pass
auth optional pam_afslog.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass
# account
# Even though this is identical to "system", we open code it here because
# we open code the auth stack.
-account required pam_krb5.so
+#account required pam_krb5.so
account required pam_unix.so
# session
diff -r 82896eaa7a0e -r 4812ad04f84a etc/pam.d/sshd
--- a/etc/pam.d/sshd Wed Jun 21 21:24:37 2023 +0000
+++ b/etc/pam.d/sshd Wed Jun 21 21:47:51 2023 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: sshd,v 1.9 2008/03/26 11:31:17 lukem Exp $
+# $NetBSD: sshd,v 1.9.68.1 2023/06/21 21:47:51 martin Exp $
#
# PAM configuration for the "sshd" service
#
@@ -6,14 +6,14 @@
# auth
auth required pam_nologin.so no_warn
auth sufficient pam_skey.so no_warn try_first_pass
-auth sufficient pam_krb5.so no_warn try_first_pass
+#auth sufficient pam_krb5.so no_warn try_first_pass
auth optional pam_afslog.so no_warn try_first_pass
# pam_ssh has potential security risks. See pam_ssh(8).
#auth sufficient pam_ssh.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass
# account
-account required pam_krb5.so
+#account required pam_krb5.so
account required pam_login_access.so
account required pam_unix.so
@@ -23,5 +23,5 @@ account required pam_unix.so
session required pam_permit.so
# password
-password sufficient pam_krb5.so no_warn try_first_pass
+#password sufficient pam_krb5.so no_warn try_first_pass
password required pam_unix.so no_warn try_first_pass
diff -r 82896eaa7a0e -r 4812ad04f84a etc/pam.d/su
--- a/etc/pam.d/su Wed Jun 21 21:24:37 2023 +0000
+++ b/etc/pam.d/su Wed Jun 21 21:47:51 2023 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: su,v 1.7 2008/03/26 11:31:17 lukem Exp $
+# $NetBSD: su,v 1.7.68.1 2023/06/21 21:47:51 martin Exp $
#
# PAM configuration for the "su" service
#
@@ -7,7 +7,7 @@
auth sufficient pam_rootok.so no_warn
auth sufficient pam_self.so no_warn
auth sufficient pam_skey.so no_warn try_first_pass
-auth sufficient pam_ksu.so no_warn try_first_pass
+#auth sufficient pam_ksu.so no_warn try_first_pass
#auth sufficient pam_group.so no_warn group=rootauth root_only authenticate
auth requisite pam_group.so no_warn group=wheel root_only fail_safe
auth required pam_unix.so no_warn try_first_pass nullok
diff -r 82896eaa7a0e -r 4812ad04f84a etc/pam.d/system
--- a/etc/pam.d/system Wed Jun 21 21:24:37 2023 +0000
+++ b/etc/pam.d/system Wed Jun 21 21:47:51 2023 +0000
@@ -1,21 +1,21 @@
-# $NetBSD: system,v 1.8 2008/03/26 11:31:17 lukem Exp $
+# $NetBSD: system,v 1.8.68.1 2023/06/21 21:47:51 martin Exp $
#
# System-wide defaults
#
# auth
auth sufficient pam_skey.so no_warn try_first_pass
-auth sufficient pam_krb5.so no_warn try_first_pass
+#auth sufficient pam_krb5.so no_warn try_first_pass
auth optional pam_afslog.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass nullok
# account
-account required pam_krb5.so
+#account required pam_krb5.so
account required pam_unix.so
# session
session required pam_lastlog.so no_fail no_nested
# password
-password sufficient pam_krb5.so no_warn try_first_pass
+#password sufficient pam_krb5.so no_warn try_first_pass
password required pam_unix.so no_warn try_first_pass
Home |
Main Index |
Thread Index |
Old Index