[src/trunk]: src/etc/pam.d pam: Disable pam_krb5, pam_ksu by default.
details: https://anonhg.NetBSD.org/src/rev/4fbc97727f37
branches: trunk
changeset: 376495:4fbc97727f37
user: riastradh <riastradh%NetBSD.org@localhost>
date: Tue Jun 20 22:00:00 2023 +0000
description:
pam: Disable pam_krb5, pam_ksu by default.
These are not useful unless you also set up /etc/krb5.conf and a
keytab for the host from the Kerberos KDC. But having them enabled
by default means that creating /etc/krb5.conf just to enable use of
Kerberos for _client-side_ single sign-on creates usability issues.
As proposed on tech-security:
https://mail-index.netbsd.org/tech-security/2023/06/16/msg001160.html
diffstat:
etc/pam.d/display_manager | 6 +++---
etc/pam.d/ftpd | 6 +++---
etc/pam.d/sshd | 8 ++++----
etc/pam.d/su | 4 ++--
etc/pam.d/system | 8 ++++----
5 files changed, 16 insertions(+), 16 deletions(-)
diffs (132 lines):
diff -r a7c715f50577 -r 4fbc97727f37 etc/pam.d/display_manager
--- a/etc/pam.d/display_manager Tue Jun 20 17:23:01 2023 +0000
+++ b/etc/pam.d/display_manager Tue Jun 20 22:00:00 2023 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: display_manager,v 1.5 2010/11/13 19:19:40 christos Exp $
+# $NetBSD: display_manager,v 1.6 2023/06/20 22:00:00 riastradh Exp $
#
# PAM configuration for the display manager services. Specific display
# manager service configurations can include this one.
@@ -7,14 +7,14 @@
# auth
auth required pam_nologin.so no_warn
auth sufficient pam_skey.so no_warn try_first_pass
-auth sufficient pam_krb5.so no_warn try_first_pass
+#auth sufficient pam_krb5.so no_warn try_first_pass
auth optional pam_afslog.so no_warn try_first_pass
# pam_ssh has potential security risks. See pam_ssh(8).
#auth sufficient pam_ssh.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass
# account
-account required pam_krb5.so
+#account required pam_krb5.so
account required pam_unix.so
# session
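Review bot: The newly commented-out `#auth sufficient pam_krb5.so` and `#account required pam_krb5.so` lines carry no explanation of why they are disabled or what an operator must set up before uncommenting them, whereas the neighbouring pam_ssh line in this same stack documents its reason and points at its man page. The rationale (a working /etc/krb5.conf plus a host keytab from the KDC) lives only in the commit message, which a reader of the installed file will not see. Suggest a comment above the auth entry, `# pam_krb5 is disabled by default; it needs /etc/krb5.conf and a host keytab. See pam_krb5(8).`, with a short cross-reference on the account line. The same applies to the ftpd, sshd and system hunks, including the password-stack entries in sshd and system, and to the `#auth sufficient pam_ksu.so` line in su, which could point at pam_ksu(8) in the same way.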
diff -r a7c715f50577 -r 4fbc97727f37 etc/pam.d/ftpd
--- a/etc/pam.d/ftpd Tue Jun 20 17:23:01 2023 +0000
+++ b/etc/pam.d/ftpd Tue Jun 20 22:00:00 2023 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: ftpd,v 1.7 2008/03/26 11:31:17 lukem Exp $
+# $NetBSD: ftpd,v 1.8 2023/06/20 22:00:00 riastradh Exp $
#
# PAM configuration for the "ftpd" service
#
@@ -8,14 +8,14 @@
# pam_unix.
auth required pam_nologin.so no_warn
auth sufficient pam_skey.so no_warn try_first_pass
-auth sufficient pam_krb5.so no_warn try_first_pass
+#auth sufficient pam_krb5.so no_warn try_first_pass
auth optional pam_afslog.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass
# account
# Even though this is identical to "system", we open code it here because
# we open code the auth stack.
-account required pam_krb5.so
+#account required pam_krb5.so
account required pam_unix.so
# session
diff -r a7c715f50577 -r 4fbc97727f37 etc/pam.d/sshd
--- a/etc/pam.d/sshd Tue Jun 20 17:23:01 2023 +0000
+++ b/etc/pam.d/sshd Tue Jun 20 22:00:00 2023 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: sshd,v 1.9 2008/03/26 11:31:17 lukem Exp $
+# $NetBSD: sshd,v 1.10 2023/06/20 22:00:00 riastradh Exp $
#
# PAM configuration for the "sshd" service
#
@@ -6,14 +6,14 @@
# auth
auth required pam_nologin.so no_warn
auth sufficient pam_skey.so no_warn try_first_pass
-auth sufficient pam_krb5.so no_warn try_first_pass
+#auth sufficient pam_krb5.so no_warn try_first_pass
auth optional pam_afslog.so no_warn try_first_pass
# pam_ssh has potential security risks. See pam_ssh(8).
#auth sufficient pam_ssh.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass
# account
-account required pam_krb5.so
+#account required pam_krb5.so
account required pam_login_access.so
account required pam_unix.so
@@ -23,5 +23,5 @@ account required pam_unix.so
session required pam_permit.so
# password
-password sufficient pam_krb5.so no_warn try_first_pass
+#password sufficient pam_krb5.so no_warn try_first_pass
password required pam_unix.so no_warn try_first_pass
diff -r a7c715f50577 -r 4fbc97727f37 etc/pam.d/su
--- a/etc/pam.d/su Tue Jun 20 17:23:01 2023 +0000
+++ b/etc/pam.d/su Tue Jun 20 22:00:00 2023 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: su,v 1.8 2020/03/03 00:47:33 christos Exp $
+# $NetBSD: su,v 1.9 2023/06/20 22:00:00 riastradh Exp $
#
# PAM configuration for the "su" service
#
@@ -8,7 +8,7 @@ auth sufficient pam_rootok.so no_warn
auth sufficient pam_self.so no_warn
auth sufficient pam_skey.so no_warn try_first_pass
#auth sufficient pam_u2f.so authfile=/etc/u2f_mappings cue
-auth sufficient pam_ksu.so no_warn try_first_pass
+#auth sufficient pam_ksu.so no_warn try_first_pass
#auth sufficient pam_group.so no_warn group=rootauth root_only authenticate
auth requisite pam_group.so no_warn group=wheel root_only fail_safe
auth required pam_unix.so no_warn try_first_pass nullok
diff -r a7c715f50577 -r 4fbc97727f37 etc/pam.d/system
--- a/etc/pam.d/system Tue Jun 20 17:23:01 2023 +0000
+++ b/etc/pam.d/system Tue Jun 20 22:00:00 2023 +0000
@@ -1,21 +1,21 @@
-# $NetBSD: system,v 1.8 2008/03/26 11:31:17 lukem Exp $
+# $NetBSD: system,v 1.9 2023/06/20 22:00:00 riastradh Exp $
#
# System-wide defaults
#
# auth
auth sufficient pam_skey.so no_warn try_first_pass
-auth sufficient pam_krb5.so no_warn try_first_pass
+#auth sufficient pam_krb5.so no_warn try_first_pass
auth optional pam_afslog.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass nullok
# account
-account required pam_krb5.so
+#account required pam_krb5.so
account required pam_unix.so
# session
session required pam_lastlog.so no_fail no_nested
# password
-password sufficient pam_krb5.so no_warn try_first_pass
+#password sufficient pam_krb5.so no_warn try_first_pass
password required pam_unix.so no_warn try_first_pass