pam: Disable pam_krb5, pam_ksu by default.
These are not useful unless you also set up /etc/krb5.conf and a keytab for the host from the Kerberos KDC. But having them enabled by default means that creating /etc/krb5.conf just to enable use of Kerberos for _client-side_ single sign-on creates usability issues. As proposed on tech-security: https://mail-index.netbsd.org/tech-security/2023/06/16/msg001160.html
parent
23582e911e
commit
c4717c3f66
@ -1,4 +1,4 @@
|
|||
# $NetBSD: display_manager,v 1.5 2010/11/13 19:19:40 christos Exp $
|
||||
# $NetBSD: display_manager,v 1.6 2023/06/20 22:00:00 riastradh Exp $
|
||||
#
|
||||
# PAM configuration for the display manager services. Specific display
|
||||
# manager service configurations can include this one.
|
||||
|
@ -7,14 +7,14 @@
|
|||
# auth
|
||||
auth required pam_nologin.so no_warn
|
||||
auth sufficient pam_skey.so no_warn try_first_pass
|
||||
auth sufficient pam_krb5.so no_warn try_first_pass
|
||||
#auth sufficient pam_krb5.so no_warn try_first_pass
|
||||
auth optional pam_afslog.so no_warn try_first_pass
|
||||
# pam_ssh has potential security risks. See pam_ssh(8).
|
||||
#auth sufficient pam_ssh.so no_warn try_first_pass
|
||||
auth required pam_unix.so no_warn try_first_pass
|
||||
|
||||
# account
|
||||
account required pam_krb5.so
|
||||
#account required pam_krb5.so
|
||||
account required pam_unix.so
|
||||
|
||||
# session
|
||||
|
|
|
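Review bot: The newly commented `#auth sufficient pam_krb5.so` and `#account required pam_krb5.so` lines carry no explanation, unlike the neighbouring `# pam_ssh has potential security risks. See pam_ssh(8).` line, so a later administrator has no hint of what they depend on or that both entries belong together. A one-line comment above the auth entry, e.g. `# pam_krb5 needs /etc/krb5.conf and a host keytab; re-enable the auth and account entries together. See pam_krb5(8).`, would carry the commit message's rationale into the file itself. The session stack of this file lies outside the hunk and is not reviewed here.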
@ -1,4 +1,4 @@
|
|||
# $NetBSD: ftpd,v 1.7 2008/03/26 11:31:17 lukem Exp $
|
||||
# $NetBSD: ftpd,v 1.8 2023/06/20 22:00:00 riastradh Exp $
|
||||
#
|
||||
# PAM configuration for the "ftpd" service
|
||||
#
|
||||
|
@ -8,14 +8,14 @@
|
|||
# pam_unix.
|
||||
auth required pam_nologin.so no_warn
|
||||
auth sufficient pam_skey.so no_warn try_first_pass
|
||||
auth sufficient pam_krb5.so no_warn try_first_pass
|
||||
#auth sufficient pam_krb5.so no_warn try_first_pass
|
||||
auth optional pam_afslog.so no_warn try_first_pass
|
||||
auth required pam_unix.so no_warn try_first_pass
|
||||
|
||||
# account
|
||||
# Even though this is identical to "system", we open code it here because
|
||||
# we open code the auth stack.
|
||||
account required pam_krb5.so
|
||||
#account required pam_krb5.so
|
||||
account required pam_unix.so
|
||||
|
||||
# session
|
||||
|
|
|
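Review bot: The two commented-out pam_krb5 lines in this file give no reason for being disabled, so an administrator re-enabling Kerberos here may well uncomment only the auth line and leave the account entry off. I would add `# pam_krb5 is disabled by default: it requires /etc/krb5.conf and a host keytab. Re-enable the auth and account lines together. See pam_krb5(8).` above the `#auth sufficient pam_krb5.so` line. The existing `# Even though this is identical to "system", we open code it here` comment still holds after this change, which also means this file must be edited separately whenever the `system` default moves; that is worth stating in the same comment.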
@ -1,4 +1,4 @@
|
|||
# $NetBSD: sshd,v 1.9 2008/03/26 11:31:17 lukem Exp $
|
||||
# $NetBSD: sshd,v 1.10 2023/06/20 22:00:00 riastradh Exp $
|
||||
#
|
||||
# PAM configuration for the "sshd" service
|
||||
#
|
||||
|
@ -6,14 +6,14 @@
|
|||
# auth
|
||||
auth required pam_nologin.so no_warn
|
||||
auth sufficient pam_skey.so no_warn try_first_pass
|
||||
auth sufficient pam_krb5.so no_warn try_first_pass
|
||||
#auth sufficient pam_krb5.so no_warn try_first_pass
|
||||
auth optional pam_afslog.so no_warn try_first_pass
|
||||
# pam_ssh has potential security risks. See pam_ssh(8).
|
||||
#auth sufficient pam_ssh.so no_warn try_first_pass
|
||||
auth required pam_unix.so no_warn try_first_pass
|
||||
|
||||
# account
|
||||
account required pam_krb5.so
|
||||
#account required pam_krb5.so
|
||||
account required pam_login_access.so
|
||||
account required pam_unix.so
|
||||
|
||||
|
@ -23,5 +23,5 @@ account required pam_unix.so
|
|||
session required pam_permit.so
|
||||
|
||||
# password
|
||||
password sufficient pam_krb5.so no_warn try_first_pass
|
||||
#password sufficient pam_krb5.so no_warn try_first_pass
|
||||
password required pam_unix.so no_warn try_first_pass
|
||||
|
|
|
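Review bot: This file now has three commented pam_krb5 entries (auth, account and password) spread over two hunks with nothing tying them together, so partial re-enablement, for example auth without the password entry, is easy to do by accident. A comment next to the auth entry such as `# pam_krb5 disabled by default (needs /etc/krb5.conf and a host keytab); re-enable the auth, account and password entries together. See pam_krb5(8).` would document the dependency. With the account entry commented out, authorization for sshd is left to `pam_login_access` and `pam_unix` only, which appears to be the intent but is not stated anywhere in the file. The session stack between the two hunks is not visible here.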
@ -1,4 +1,4 @@
|
|||
# $NetBSD: su,v 1.8 2020/03/03 00:47:33 christos Exp $
|
||||
# $NetBSD: su,v 1.9 2023/06/20 22:00:00 riastradh Exp $
|
||||
#
|
||||
# PAM configuration for the "su" service
|
||||
#
|
||||
|
@ -8,7 +8,7 @@ auth sufficient pam_rootok.so no_warn
|
|||
auth sufficient pam_self.so no_warn
|
||||
auth sufficient pam_skey.so no_warn try_first_pass
|
||||
#auth sufficient pam_u2f.so authfile=/etc/u2f_mappings cue
|
||||
auth sufficient pam_ksu.so no_warn try_first_pass
|
||||
#auth sufficient pam_ksu.so no_warn try_first_pass
|
||||
#auth sufficient pam_group.so no_warn group=rootauth root_only authenticate
|
||||
auth requisite pam_group.so no_warn group=wheel root_only fail_safe
|
||||
auth required pam_unix.so no_warn try_first_pass nullok
|
||||
|
|
|
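Review bot: The `#auth sufficient pam_ksu.so` line gets no explanatory comment, and anyone re-enabling it should be told that, read from the stack order, it is `sufficient` and sits ahead of the `requisite` pam_group wheel check, so a successful pam_ksu authentication returns before the wheel-membership requirement is evaluated (the same holds for the existing `pam_skey` entry, so this is a pre-existing property rather than something the commit introduces). I would add `# pam_ksu needs /etc/krb5.conf and a host keytab; when enabled it is sufficient and returns before the wheel check below. See pam_ksu(8).` above the commented line. The hunk header shows `auth sufficient pam_rootok.so no_warn` preceding the visible lines, so the start of the auth stack is outside this hunk.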
@ -1,21 +1,21 @@
|
|||
# $NetBSD: system,v 1.8 2008/03/26 11:31:17 lukem Exp $
|
||||
# $NetBSD: system,v 1.9 2023/06/20 22:00:00 riastradh Exp $
|
||||
#
|
||||
# System-wide defaults
|
||||
#
|
||||
|
||||
# auth
|
||||
auth sufficient pam_skey.so no_warn try_first_pass
|
||||
auth sufficient pam_krb5.so no_warn try_first_pass
|
||||
#auth sufficient pam_krb5.so no_warn try_first_pass
|
||||
auth optional pam_afslog.so no_warn try_first_pass
|
||||
auth required pam_unix.so no_warn try_first_pass nullok
|
||||
|
||||
# account
|
||||
account required pam_krb5.so
|
||||
#account required pam_krb5.so
|
||||
account required pam_unix.so
|
||||
|
||||
# session
|
||||
session required pam_lastlog.so no_fail no_nested
|
||||
|
||||
# password
|
||||
password sufficient pam_krb5.so no_warn try_first_pass
|
||||
#password sufficient pam_krb5.so no_warn try_first_pass
|
||||
password required pam_unix.so no_warn try_first_pass
|
||||
|
|
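Review bot: With pam_krb5 commented out, `auth required pam_unix.so no_warn try_first_pass nullok` is the only required auth module left, so the system-wide default now rests entirely on the local password database (with empty passwords accepted via `nullok`); that is the intended effect, but none of the three commented entries (auth, account, password) says so or says they are meant to be toggled together. I would add above the auth entry: `# pam_krb5 is off by default because it needs /etc/krb5.conf and a host keytab from the KDC; uncomment the auth, account and password entries together. See pam_krb5(8).` Since ftpd open-codes this same stack rather than including this file (per its own comment), the note could also remind maintainers to keep the two in sync.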