Source-Changes-HG archive


[src/netbsd-9]: src/etc/pam.d Pull up following revision(s) (requested by ria...



details:   https://anonhg.NetBSD.org/src/rev/4812ad04f84a
branches:  netbsd-9
changeset: 376539:4812ad04f84a
user:      martin <martin%NetBSD.org@localhost>
date:      Wed Jun 21 21:47:51 2023 +0000

description:
Pull up following revision(s) (requested by riastradh in ticket #1651):

        etc/pam.d/ftpd: revision 1.8
        etc/pam.d/su: revision 1.9
        etc/pam.d/system: revision 1.9
        etc/pam.d/display_manager: revision 1.6
        etc/pam.d/sshd: revision 1.10

pam: Disable pam_krb5, pam_ksu by default.

These are not useful unless you also set up /etc/krb5.conf and a
keytab for the host from the Kerberos KDC.  But having them enabled
by default means that creating /etc/krb5.conf just to enable use of
Kerberos for _client-side_ single sign-on creates usability issues.

As proposed on tech-security:
https://mail-index.netbsd.org/tech-security/2023/06/16/msg001160.html

diffstat:

 etc/pam.d/display_manager |  6 +++---
 etc/pam.d/ftpd            |  6 +++---
 etc/pam.d/sshd            |  8 ++++----
 etc/pam.d/su              |  4 ++--
 etc/pam.d/system          |  8 ++++----
 5 files changed, 16 insertions(+), 16 deletions(-)

diffs (132 lines):

diff -r 82896eaa7a0e -r 4812ad04f84a etc/pam.d/display_manager
--- a/etc/pam.d/display_manager Wed Jun 21 21:24:37 2023 +0000
+++ b/etc/pam.d/display_manager Wed Jun 21 21:47:51 2023 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: display_manager,v 1.5 2010/11/13 19:19:40 christos Exp $
+# $NetBSD: display_manager,v 1.5.50.1 2023/06/21 21:47:51 martin Exp $
 #
 # PAM configuration for the display manager services.  Specific display
 # manager service configurations can include this one.
@@ -7,14 +7,14 @@
 # auth
 auth           required        pam_nologin.so          no_warn
 auth           sufficient      pam_skey.so             no_warn try_first_pass
-auth           sufficient      pam_krb5.so             no_warn try_first_pass
+#auth          sufficient      pam_krb5.so             no_warn try_first_pass
 auth           optional        pam_afslog.so           no_warn try_first_pass
 # pam_ssh has potential security risks.  See pam_ssh(8).
 #auth          sufficient      pam_ssh.so              no_warn try_first_pass
 auth           required        pam_unix.so             no_warn try_first_pass
 
 # account
-account        required        pam_krb5.so
+#account       required        pam_krb5.so
 account                required        pam_unix.so
 
 # session
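Review bot: The commented-out `pam_krb5.so` lines in the auth and account stacks carry no explanation, unlike the disabled `pam_ssh.so` line in the same stack, which has a one-line rationale above it. An administrator re-enabling Kerberos gets no hint here that, per the commit description, /etc/krb5.conf and a host keytab must be in place first, or that the auth and account entries should be uncommented together. I would add a comment above the disabled auth line such as `# pam_krb5 is disabled by default; it needs /etc/krb5.conf and a host keytab.  See pam_krb5(8).` The same applies to the pam_krb5 lines in ftpd, sshd and system, and to the `pam_ksu.so` line in su. The session part of this file continues outside the hunk.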
diff -r 82896eaa7a0e -r 4812ad04f84a etc/pam.d/ftpd
--- a/etc/pam.d/ftpd    Wed Jun 21 21:24:37 2023 +0000
+++ b/etc/pam.d/ftpd    Wed Jun 21 21:47:51 2023 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: ftpd,v 1.7 2008/03/26 11:31:17 lukem Exp $
+# $NetBSD: ftpd,v 1.7.68.1 2023/06/21 21:47:51 martin Exp $
 #
 # PAM configuration for the "ftpd" service
 #
@@ -8,14 +8,14 @@
 # pam_unix.
 auth           required        pam_nologin.so          no_warn
 auth           sufficient      pam_skey.so             no_warn try_first_pass
-auth           sufficient      pam_krb5.so             no_warn try_first_pass
+#auth          sufficient      pam_krb5.so             no_warn try_first_pass
 auth           optional        pam_afslog.so           no_warn try_first_pass
 auth           required        pam_unix.so             no_warn try_first_pass
 
 # account
 # Even though this is identical to "system", we open code it here because
 # we open code the auth stack.
-account                required        pam_krb5.so
+#account       required        pam_krb5.so
 account                required        pam_unix.so
 
 # session
diff -r 82896eaa7a0e -r 4812ad04f84a etc/pam.d/sshd
--- a/etc/pam.d/sshd    Wed Jun 21 21:24:37 2023 +0000
+++ b/etc/pam.d/sshd    Wed Jun 21 21:47:51 2023 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: sshd,v 1.9 2008/03/26 11:31:17 lukem Exp $
+# $NetBSD: sshd,v 1.9.68.1 2023/06/21 21:47:51 martin Exp $
 #
 # PAM configuration for the "sshd" service
 #
@@ -6,14 +6,14 @@
 # auth
 auth           required        pam_nologin.so  no_warn
 auth           sufficient      pam_skey.so     no_warn try_first_pass
-auth           sufficient      pam_krb5.so     no_warn try_first_pass
+#auth          sufficient      pam_krb5.so     no_warn try_first_pass
 auth           optional        pam_afslog.so   no_warn try_first_pass
 # pam_ssh has potential security risks.  See pam_ssh(8).
 #auth          sufficient      pam_ssh.so      no_warn try_first_pass
 auth           required        pam_unix.so     no_warn try_first_pass
 
 # account
-account                required        pam_krb5.so
+#account       required        pam_krb5.so
 account                required        pam_login_access.so
 account                required        pam_unix.so
 
@@ -23,5 +23,5 @@ account               required        pam_unix.so
 session                required        pam_permit.so
 
 # password
-password       sufficient      pam_krb5.so     no_warn try_first_pass
+#password      sufficient      pam_krb5.so     no_warn try_first_pass
 password       required        pam_unix.so     no_warn try_first_pass
diff -r 82896eaa7a0e -r 4812ad04f84a etc/pam.d/su
--- a/etc/pam.d/su      Wed Jun 21 21:24:37 2023 +0000
+++ b/etc/pam.d/su      Wed Jun 21 21:47:51 2023 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: su,v 1.7 2008/03/26 11:31:17 lukem Exp $
+# $NetBSD: su,v 1.7.68.1 2023/06/21 21:47:51 martin Exp $
 #
 # PAM configuration for the "su" service
 #
@@ -7,7 +7,7 @@
 auth           sufficient      pam_rootok.so           no_warn
 auth           sufficient      pam_self.so             no_warn
 auth           sufficient      pam_skey.so             no_warn try_first_pass
-auth           sufficient      pam_ksu.so              no_warn try_first_pass
+#auth          sufficient      pam_ksu.so              no_warn try_first_pass
 #auth          sufficient      pam_group.so            no_warn group=rootauth root_only authenticate
 auth           requisite       pam_group.so            no_warn group=wheel root_only fail_safe
 auth           required        pam_unix.so             no_warn try_first_pass nullok
diff -r 82896eaa7a0e -r 4812ad04f84a etc/pam.d/system
--- a/etc/pam.d/system  Wed Jun 21 21:24:37 2023 +0000
+++ b/etc/pam.d/system  Wed Jun 21 21:47:51 2023 +0000
@@ -1,21 +1,21 @@
-# $NetBSD: system,v 1.8 2008/03/26 11:31:17 lukem Exp $
+# $NetBSD: system,v 1.8.68.1 2023/06/21 21:47:51 martin Exp $
 #
 # System-wide defaults
 #
 
 # auth
 auth           sufficient      pam_skey.so             no_warn try_first_pass
-auth           sufficient      pam_krb5.so             no_warn try_first_pass
+#auth          sufficient      pam_krb5.so             no_warn try_first_pass
 auth           optional        pam_afslog.so           no_warn try_first_pass
 auth           required        pam_unix.so             no_warn try_first_pass nullok
 
 # account
-account        required        pam_krb5.so
+#account       required        pam_krb5.so
 account                required        pam_unix.so
 
 # session
 session                required        pam_lastlog.so          no_fail no_nested
 
 # password
-password       sufficient      pam_krb5.so             no_warn try_first_pass
+#password      sufficient      pam_krb5.so             no_warn try_first_pass
 password       required        pam_unix.so             no_warn try_first_pass
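Review bot: `pam_afslog.so` stays enabled as `optional` in the auth stack after `pam_krb5.so` is commented out, here and in display_manager, ftpd and sshd. As far as I know pam_afslog obtains AFS tokens from Kerberos credentials, so with pam_krb5 disabled it presumably has nothing to work with. Because it is `optional` it should not change the authentication result, but it is still loaded on every login. Consider disabling it the same way, `#auth          optional        pam_afslog.so           no_warn try_first_pass`, or adding a comment that it is only meaningful alongside pam_krb5.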


