into su_pam.c, and turn it off by default in the Makefile until it
is tested and actually works. The current pam version does not set ruid
properly anymore.
- don't try to fallback to plain old authentication. It could lead to unix
authentication to be used while the administrator wanted to forbid it.
Moreover, a broken PAM setup can be fixed by just rebooting in single user.
- In order to make the code more readable, make two main(), with and aithout
PAM.
- Outstanding issues that seem impossible to fix:
The -K flag die with PAM.
-c cause PAM credentials to be ignored.
- make fatal proper macros
- fix typos in comments
- fix logical error initializing pam
XXX: Seems to work now, but the whole process is awkward.
Asking for an ssh passphrase and using this to do unix authentication is wrong.
Falling back to the old style auth is awkward. We should really provide a
pam_rootauth module if we want to support that.
and without Kerberos 4 & 5 (MKKERBEROS=no). Previously checkflist
complained of missing files.
* move kerberos- and kerberos 4-only files into new flists,
distrib/sets/lists/*/krb.*
* make the flist generators grok MKKERBEROS{,4} variables
* fix Makefiles which treat MKKERBEROS=no as MKKERBEROS5=no.
9 out of 10 experts agree that it is ludicrous to build w/
KERBEROS4 and w/o KERBEROS5.
* fix header files, also, which treat MKKERBEROS=no as MKKERBEROS5=no.
* omit some Kerberos-only subdirectories from the build as
MKKERBEROS{,4} indicate
(I acknowledge the sentiment that flists are the wrong way to go,
and that the makefiles should produce the metalog directly. That
sounds to me like the right way to go, but I am not prepared to do
revamp all the makefiles. While my approach is expedient, it fits
painlessly within the current build architecture until we are
delivered from flist purgatory, and it does not postpone our
delivery. Fair enough?)
the pointer to /etc/shells is pointing to the second entry. This change
resets the pointer before looping through the file again. FreeBSD does
this as well. Commit approved by christos and thanks to Geoff Adams for
catching and reporting it.
infrastructure and using that infrastructure in programs.
* MKHESIOD, MKKERBEROS, MKSKEY, and MKYP control building
of the infratsructure (libraries, support programs, etc.)
* USE_HESIOD, USE_KERBEROS, USE_SKEY, and USE_YP control
building of support for using the corresponding API
in various libraries/programs that can use it.
As discussed on tech-toolchain.
consider that SUGROUP and ROOTAUTH group contain the names of
users and groups. If user is not found in the list check_ingroup()
recurses on each member until either user is found or end of chain
is reached.
The above allows su's use of the wheel group to be extended to a large
number of users without necessarily putting them in group wheel, and
in a way that will work over NIS that simply extending the line length
limit in getgrent.c cannot.
- by default log to LOG_AUTH (so no need to specify LOG_AUTH at each syslog())
- log all unsuccessful attempts (for whatever reason) to LOG_WARNING
- log all successful attempts to LOG_NOTICE
