mirror of
https://git.hardenedbsd.org/hardenedbsd/HardenedBSD.git
synced 2024-12-29 06:47:21 +01:00
9cd40e64b4
instead of an authentication function. There are a design reason and a practical reason for that. First, the module belongs in account management because it checks availability of the account and does no authentication. Second, there are existing and potential PAM consumers that skip PAM authentication for good or for bad. E.g., sshd(8) just prefers internal routines for public key auth; OTOH, cron(8) and atrun(8) do implicit authentication when running a job on behalf of its owner, so their inability to use PAM auth is fundamental, but they can benefit from PAM account management. Document this change in the manpage. Modify /etc/pam.d files accordingly, so that pam_nologin.so is listed under the "account" function class. Bump __FreeBSD_version (mostly for ports, as this change should be invisible to C code outside pam_nologin.) PR: bin/112574 Approved by: des, re
27 lines
674 B
Plaintext
27 lines
674 B
Plaintext
#
|
|
# $FreeBSD$
|
|
#
|
|
# PAM configuration for the "sshd" service
|
|
#
|
|
|
|
# auth
|
|
auth sufficient pam_opie.so no_warn no_fake_prompts
|
|
auth requisite pam_opieaccess.so no_warn allow_local
|
|
#auth sufficient pam_krb5.so no_warn try_first_pass
|
|
#auth sufficient pam_ssh.so no_warn try_first_pass
|
|
auth required pam_unix.so no_warn try_first_pass
|
|
|
|
# account
|
|
account required pam_nologin.so
|
|
#account required pam_krb5.so
|
|
account required pam_login_access.so
|
|
account required pam_unix.so
|
|
|
|
# session
|
|
#session optional pam_ssh.so
|
|
session required pam_permit.so
|
|
|
|
# password
|
|
#password sufficient pam_krb5.so no_warn try_first_pass
|
|
password required pam_unix.so no_warn try_first_pass
|