From c4717c3f66951c6e1a0ee588da56293e876c1a95 Mon Sep 17 00:00:00 2001 From: riastradh Date: Tue, 20 Jun 2023 22:00:00 +0000 Subject: [PATCH] pam: Disable pam_krb5, pam_ksu by default. These are not useful unless you also set up /etc/krb5.conf and a keytab for the host from the Kerberos KDC. But having them enabled by default means that creating /etc/krb5.conf just to enable use of Kerberos for _client-side_ single sign-on creates usability issues. As proposed on tech-security: https://mail-index.netbsd.org/tech-security/2023/06/16/msg001160.html --- etc/pam.d/display_manager | 6 +++--- etc/pam.d/ftpd | 6 +++--- etc/pam.d/sshd | 8 ++++---- etc/pam.d/su | 4 ++-- etc/pam.d/system | 8 ++++---- 5 files changed, 16 insertions(+), 16 deletions(-) diff --git a/etc/pam.d/display_manager b/etc/pam.d/display_manager index 9ded3e12c0d7..4a9bcdef6b46 100644 --- a/etc/pam.d/display_manager +++ b/etc/pam.d/display_manager @@ -1,4 +1,4 @@ -# $NetBSD: display_manager,v 1.5 2010/11/13 19:19:40 christos Exp $ +# $NetBSD: display_manager,v 1.6 2023/06/20 22:00:00 riastradh Exp $ # # PAM configuration for the display manager services. Specific display # manager service configurations can include this one. @@ -7,14 +7,14 @@ # auth auth required pam_nologin.so no_warn auth sufficient pam_skey.so no_warn try_first_pass -auth sufficient pam_krb5.so no_warn try_first_pass +#auth sufficient pam_krb5.so no_warn try_first_pass auth optional pam_afslog.so no_warn try_first_pass # pam_ssh has potential security risks. See pam_ssh(8). #auth sufficient pam_ssh.so no_warn try_first_pass auth required pam_unix.so no_warn try_first_pass # account -account required pam_krb5.so +#account required pam_krb5.so account required pam_unix.so # session diff --git a/etc/pam.d/ftpd b/etc/pam.d/ftpd index b043fdd6ea5d..1971f3368f59 100644 --- a/etc/pam.d/ftpd +++ b/etc/pam.d/ftpd @@ -1,4 +1,4 @@ -# $NetBSD: ftpd,v 1.7 2008/03/26 11:31:17 lukem Exp $ +# $NetBSD: ftpd,v 1.8 2023/06/20 22:00:00 riastradh Exp $ # # PAM configuration for the "ftpd" service # @@ -8,14 +8,14 @@ # pam_unix. auth required pam_nologin.so no_warn auth sufficient pam_skey.so no_warn try_first_pass -auth sufficient pam_krb5.so no_warn try_first_pass +#auth sufficient pam_krb5.so no_warn try_first_pass auth optional pam_afslog.so no_warn try_first_pass auth required pam_unix.so no_warn try_first_pass # account # Even though this is identical to "system", we open code it here because # we open code the auth stack. -account required pam_krb5.so +#account required pam_krb5.so account required pam_unix.so # session diff --git a/etc/pam.d/sshd b/etc/pam.d/sshd index ffbc9d13ec89..aaf206c960bf 100644 --- a/etc/pam.d/sshd +++ b/etc/pam.d/sshd @@ -1,4 +1,4 @@ -# $NetBSD: sshd,v 1.9 2008/03/26 11:31:17 lukem Exp $ +# $NetBSD: sshd,v 1.10 2023/06/20 22:00:00 riastradh Exp $ # # PAM configuration for the "sshd" service # @@ -6,14 +6,14 @@ # auth auth required pam_nologin.so no_warn auth sufficient pam_skey.so no_warn try_first_pass -auth sufficient pam_krb5.so no_warn try_first_pass +#auth sufficient pam_krb5.so no_warn try_first_pass auth optional pam_afslog.so no_warn try_first_pass # pam_ssh has potential security risks. See pam_ssh(8). #auth sufficient pam_ssh.so no_warn try_first_pass auth required pam_unix.so no_warn try_first_pass # account -account required pam_krb5.so +#account required pam_krb5.so account required pam_login_access.so account required pam_unix.so @@ -23,5 +23,5 @@ account required pam_unix.so session required pam_permit.so # password -password sufficient pam_krb5.so no_warn try_first_pass +#password sufficient pam_krb5.so no_warn try_first_pass password required pam_unix.so no_warn try_first_pass diff --git a/etc/pam.d/su b/etc/pam.d/su index e925f70587cc..a53430f528b5 100644 --- a/etc/pam.d/su +++ b/etc/pam.d/su @@ -1,4 +1,4 @@ -# $NetBSD: su,v 1.8 2020/03/03 00:47:33 christos Exp $ +# $NetBSD: su,v 1.9 2023/06/20 22:00:00 riastradh Exp $ # # PAM configuration for the "su" service # @@ -8,7 +8,7 @@ auth sufficient pam_rootok.so no_warn auth sufficient pam_self.so no_warn auth sufficient pam_skey.so no_warn try_first_pass #auth sufficient pam_u2f.so authfile=/etc/u2f_mappings cue -auth sufficient pam_ksu.so no_warn try_first_pass +#auth sufficient pam_ksu.so no_warn try_first_pass #auth sufficient pam_group.so no_warn group=rootauth root_only authenticate auth requisite pam_group.so no_warn group=wheel root_only fail_safe auth required pam_unix.so no_warn try_first_pass nullok diff --git a/etc/pam.d/system b/etc/pam.d/system index e6b81c520c9d..5cb14a9bbc8a 100644 --- a/etc/pam.d/system +++ b/etc/pam.d/system @@ -1,21 +1,21 @@ -# $NetBSD: system,v 1.8 2008/03/26 11:31:17 lukem Exp $ +# $NetBSD: system,v 1.9 2023/06/20 22:00:00 riastradh Exp $ # # System-wide defaults # # auth auth sufficient pam_skey.so no_warn try_first_pass -auth sufficient pam_krb5.so no_warn try_first_pass +#auth sufficient pam_krb5.so no_warn try_first_pass auth optional pam_afslog.so no_warn try_first_pass auth required pam_unix.so no_warn try_first_pass nullok # account -account required pam_krb5.so +#account required pam_krb5.so account required pam_unix.so # session session required pam_lastlog.so no_fail no_nested # password -password sufficient pam_krb5.so no_warn try_first_pass +#password sufficient pam_krb5.so no_warn try_first_pass password required pam_unix.so no_warn try_first_pass