head 1.10; access; symbols netbsd-10-0-RELEASE:1.9.76.1 netbsd-10-0-RC6:1.9.76.1 netbsd-10-0-RC5:1.9.76.1 netbsd-10-0-RC4:1.9.76.1 netbsd-10-0-RC3:1.9.76.1 netbsd-10-0-RC2:1.9.76.1 netbsd-10-0-RC1:1.9.76.1 netbsd-10:1.9.0.76 netbsd-10-base:1.9 netbsd-9-3-RELEASE:1.9 cjep_sun2x-base1:1.9 cjep_sun2x:1.9.0.74 cjep_sun2x-base:1.9 cjep_staticlib_x-base1:1.9 netbsd-9-2-RELEASE:1.9 cjep_staticlib_x:1.9.0.72 cjep_staticlib_x-base:1.9 netbsd-9-1-RELEASE:1.9 phil-wifi-20200421:1.9 phil-wifi-20200411:1.9 is-mlppp:1.9.0.70 is-mlppp-base:1.9 phil-wifi-20200406:1.9 netbsd-8-2-RELEASE:1.9 netbsd-9-0-RELEASE:1.9 netbsd-9-0-RC2:1.9 netbsd-9-0-RC1:1.9 phil-wifi-20191119:1.9 netbsd-9:1.9.0.68 netbsd-9-base:1.9 phil-wifi-20190609:1.9 netbsd-8-1-RELEASE:1.9 netbsd-8-1-RC1:1.9 pgoyette-compat-merge-20190127:1.9 pgoyette-compat-20190127:1.9 pgoyette-compat-20190118:1.9 pgoyette-compat-1226:1.9 pgoyette-compat-1126:1.9 pgoyette-compat-1020:1.9 pgoyette-compat-0930:1.9 pgoyette-compat-0906:1.9 netbsd-7-2-RELEASE:1.9 pgoyette-compat-0728:1.9 netbsd-8-0-RELEASE:1.9 phil-wifi:1.9.0.66 phil-wifi-base:1.9 pgoyette-compat-0625:1.9 netbsd-8-0-RC2:1.9 pgoyette-compat-0521:1.9 pgoyette-compat-0502:1.9 pgoyette-compat-0422:1.9 netbsd-8-0-RC1:1.9 pgoyette-compat-0415:1.9 pgoyette-compat-0407:1.9 pgoyette-compat-0330:1.9 pgoyette-compat-0322:1.9 pgoyette-compat-0315:1.9 netbsd-7-1-2-RELEASE:1.9 pgoyette-compat:1.9.0.64 pgoyette-compat-base:1.9 netbsd-7-1-1-RELEASE:1.9 matt-nb8-mediatek:1.9.0.62 matt-nb8-mediatek-base:1.9 perseant-stdc-iso10646:1.9.0.60 perseant-stdc-iso10646-base:1.9 netbsd-8:1.9.0.58 netbsd-8-base:1.9 prg-localcount2-base3:1.9 prg-localcount2-base2:1.9 prg-localcount2-base1:1.9 prg-localcount2:1.9.0.56 prg-localcount2-base:1.9 pgoyette-localcount-20170426:1.9 bouyer-socketcan-base1:1.9 pgoyette-localcount-20170320:1.9 netbsd-7-1:1.9.0.54 netbsd-7-1-RELEASE:1.9 netbsd-7-1-RC2:1.9 netbsd-7-nhusb-base-20170116:1.9 bouyer-socketcan:1.9.0.52 bouyer-socketcan-base:1.9 
pgoyette-localcount-20170107:1.9 netbsd-7-1-RC1:1.9 pgoyette-localcount-20161104:1.9 netbsd-7-0-2-RELEASE:1.9 localcount-20160914:1.9 netbsd-7-nhusb:1.9.0.50 netbsd-7-nhusb-base:1.9 pgoyette-localcount-20160806:1.9 pgoyette-localcount-20160726:1.9 pgoyette-localcount:1.9.0.48 pgoyette-localcount-base:1.9 netbsd-7-0-1-RELEASE:1.9 netbsd-7-0:1.9.0.46 netbsd-7-0-RELEASE:1.9 netbsd-7-0-RC3:1.9 netbsd-7-0-RC2:1.9 netbsd-7-0-RC1:1.9 netbsd-5-2-3-RELEASE:1.9 netbsd-5-1-5-RELEASE:1.9 netbsd-6-0-6-RELEASE:1.9 netbsd-6-1-5-RELEASE:1.9 netbsd-7:1.9.0.44 netbsd-7-base:1.9 yamt-pagecache-base9:1.9 yamt-pagecache-tag8:1.9 netbsd-6-1-4-RELEASE:1.9 netbsd-6-0-5-RELEASE:1.9 tls-earlyentropy:1.9.0.42 tls-earlyentropy-base:1.9 riastradh-xf86-video-intel-2-7-1-pre-2-21-15:1.9 riastradh-drm2-base3:1.9 netbsd-6-1-3-RELEASE:1.9 netbsd-6-0-4-RELEASE:1.9 netbsd-5-2-2-RELEASE:1.9 netbsd-5-1-4-RELEASE:1.9 netbsd-6-1-2-RELEASE:1.9 netbsd-6-0-3-RELEASE:1.9 netbsd-5-2-1-RELEASE:1.9 netbsd-5-1-3-RELEASE:1.9 netbsd-6-1-1-RELEASE:1.9 riastradh-drm2-base2:1.9 riastradh-drm2-base1:1.9 riastradh-drm2:1.9.0.34 riastradh-drm2-base:1.9 netbsd-6-1:1.9.0.40 netbsd-6-0-2-RELEASE:1.9 netbsd-6-1-RELEASE:1.9 khorben-n900:1.9.0.38 netbsd-6-1-RC4:1.9 netbsd-6-1-RC3:1.9 agc-symver:1.9.0.36 agc-symver-base:1.9 netbsd-6-1-RC2:1.9 netbsd-6-1-RC1:1.9 yamt-pagecache-base8:1.9 netbsd-5-2:1.9.0.32 netbsd-6-0-1-RELEASE:1.9 yamt-pagecache-base7:1.9 netbsd-5-2-RELEASE:1.9 netbsd-5-2-RC1:1.9 matt-nb6-plus-nbase:1.9 yamt-pagecache-base6:1.9 netbsd-6-0:1.9.0.30 netbsd-6-0-RELEASE:1.9 netbsd-6-0-RC2:1.9 tls-maxphys:1.9.0.28 tls-maxphys-base:1.9 matt-nb6-plus:1.9.0.26 matt-nb6-plus-base:1.9 netbsd-6-0-RC1:1.9 yamt-pagecache-base5:1.9 yamt-pagecache-base4:1.9 netbsd-6:1.9.0.24 netbsd-6-base:1.9 netbsd-5-1-2-RELEASE:1.9 netbsd-5-1-1-RELEASE:1.9 yamt-pagecache-base3:1.9 yamt-pagecache-base2:1.9 yamt-pagecache:1.9.0.22 yamt-pagecache-base:1.9 cherry-xenmp:1.9.0.20 cherry-xenmp-base:1.9 bouyer-quota2-nbase:1.9 
bouyer-quota2:1.9.0.18 bouyer-quota2-base:1.9 matt-mips64-premerge-20101231:1.9 matt-nb5-mips64-premerge-20101231:1.9 matt-nb5-pq3:1.9.0.16 matt-nb5-pq3-base:1.9 netbsd-5-1:1.9.0.14 netbsd-5-1-RELEASE:1.9 netbsd-5-1-RC4:1.9 matt-nb5-mips64-k15:1.9 netbsd-5-1-RC3:1.9 netbsd-5-1-RC2:1.9 netbsd-5-1-RC1:1.9 netbsd-5-0-2-RELEASE:1.9 matt-nb5-mips64-premerge-20091211:1.9 matt-premerge-20091211:1.9 matt-nb5-mips64-u2-k2-k4-k7-k8-k9:1.9 matt-nb4-mips64-k7-u2a-k9b:1.9 matt-nb5-mips64-u1-k1-k5:1.9 matt-nb5-mips64:1.9.0.12 netbsd-5-0-1-RELEASE:1.9 jym-xensuspend-nbase:1.9 netbsd-5-0:1.9.0.10 netbsd-5-0-RELEASE:1.9 netbsd-5-0-RC4:1.9 netbsd-5-0-RC3:1.9 netbsd-5-0-RC2:1.9 jym-xensuspend:1.9.0.8 jym-xensuspend-base:1.9 netbsd-5-0-RC1:1.9 mjf-devfs2-base2:1.9 netbsd-5:1.9.0.6 netbsd-5-base:1.9 matt-mips64-base2:1.9 matt-mips64:1.8.0.22 netbsd-4-0-1-RELEASE:1.8 wrstuden-revivesa-base-3:1.9 wrstuden-revivesa-base-2:1.9 wrstuden-fixsa-newbase:1.8 wrstuden-revivesa-base-1:1.9 yamt-pf42-base4:1.9 yamt-pf42-base3:1.9 hpcarm-cleanup-nbase:1.9 yamt-pf42-baseX:1.9 yamt-pf42-base2:1.9 wrstuden-revivesa:1.9.0.4 wrstuden-revivesa-base:1.9 yamt-pf42:1.9.0.2 yamt-pf42-base:1.9 mjf-devfs2:1.8.0.20 mjf-devfs2-base:1.9 keiichi-mipv6:1.8.0.18 keiichi-mipv6-base:1.8 mjf-devfs:1.8.0.16 mjf-devfs-base:1.8 matt-armv6-nbase:1.8 matt-armv6-prevmlocking:1.8 wrstuden-fixsa-base-1:1.8 netbsd-4-0:1.8.0.14 netbsd-4-0-RELEASE:1.8 cube-autoconf:1.8.0.12 cube-autoconf-base:1.8 netbsd-4-0-RC5:1.8 netbsd-4-0-RC4:1.8 netbsd-4-0-RC3:1.8 netbsd-4-0-RC2:1.8 netbsd-4-0-RC1:1.8 matt-armv6:1.8.0.10 matt-armv6-base:1.8 matt-mips64-base:1.8 hpcarm-cleanup:1.8.0.8 hpcarm-cleanup-base:1.8 netbsd-3-1-1-RELEASE:1.5.2.2 netbsd-3-0-3-RELEASE:1.5.2.2 wrstuden-fixsa:1.8.0.6 wrstuden-fixsa-base:1.8 abandoned-netbsd-4-base:1.8 abandoned-netbsd-4:1.8.0.2 netbsd-3-1:1.5.2.2.0.4 netbsd-3-1-RELEASE:1.5.2.2 netbsd-3-0-2-RELEASE:1.5.2.2 netbsd-3-1-RC4:1.5.2.2 netbsd-3-1-RC3:1.5.2.2 netbsd-3-1-RC2:1.5.2.2 netbsd-3-1-RC1:1.5.2.2 
netbsd-4:1.8.0.4 netbsd-4-base:1.8 netbsd-3-0-1-RELEASE:1.5.2.2 netbsd-3-0:1.5.2.2.0.2 netbsd-3-0-RELEASE:1.5.2.2 netbsd-3-0-RC6:1.5.2.2 netbsd-3-0-RC5:1.5.2.2 netbsd-3-0-RC4:1.5.2.2 netbsd-3-0-RC3:1.5.2.2 netbsd-3-0-RC2:1.5.2.2 netbsd-3-0-RC1:1.5.2.2 netbsd-3:1.5.0.2 netbsd-3-base:1.5 PAM20041212:1.1.1.1 FREEBSD:1.1.1; locks; strict; comment @# @; 1.10 date 2023.06.20.22.00.00; author riastradh; state Exp; branches; next 1.9; commitid xtxNwQ28VDotBJtE; 1.9 date 2008.03.26.11.31.17; author lukem; state Exp; branches 1.9.58.1 1.9.68.1 1.9.76.1; next 1.8; 1.8 date 2005.09.22.01.02.12; author tsarna; state Exp; branches 1.8.20.1; next 1.7; 1.7 date 2005.03.17.01.47.18; author christos; state Exp; branches; next 1.6; 1.6 date 2005.03.17.01.07.51; author christos; state Exp; branches; next 1.5; 1.5 date 2005.03.14.23.41.49; author christos; state Exp; branches 1.5.2.1; next 1.4; 1.4 date 2005.02.27.03.40.14; author thorpej; state Exp; branches; next 1.3; 1.3 date 2005.01.08.08.43.03; author christos; state Exp; branches; next 1.2; 1.2 date 2004.12.12.08.54.34; author christos; state Exp; branches; next 1.1; 1.1 date 2004.12.12.08.48.21; author christos; state Exp; branches 1.1.1.1; next ; 1.9.58.1 date 2023.06.21.21.50.34; author martin; state Exp; branches; next ; commitid wVDGB9zgtrfgwRtE; 1.9.68.1 date 2023.06.21.21.47.51; author martin; state Exp; branches; next ; commitid xOlNplLR3OQkvRtE; 1.9.76.1 date 2023.06.21.21.33.02; author martin; state Exp; branches; next ; commitid JsWtt2vNhylfqRtE; 1.8.20.1 date 2008.04.03.13.54.12; author mjf; state Exp; branches; next ; 1.5.2.1 date 2005.03.19.17.44.59; author tron; state Exp; branches; next 1.5.2.2; 1.5.2.2 date 2005.03.19.17.45.49; author tron; state Exp; branches; next ; 1.1.1.1 date 2004.12.12.08.48.21; author christos; state Exp; branches; next ; desc @@ 1.10 log @pam: Disable pam_krb5, pam_ksu by default. These are not useful unless you also set up /etc/krb5.conf and a keytab for the host from the Kerberos KDC. 
But having them enabled by default means that creating /etc/krb5.conf just to enable use of Kerberos for _client-side_ single sign-on creates usability issues. As proposed on tech-security: https://mail-index.netbsd.org/tech-security/2023/06/16/msg001160.html @ text @# $NetBSD: sshd,v 1.9 2008/03/26 11:31:17 lukem Exp $ # # PAM configuration for the "sshd" service # # auth auth required pam_nologin.so no_warn auth sufficient pam_skey.so no_warn try_first_pass #auth sufficient pam_krb5.so no_warn try_first_pass auth optional pam_afslog.so no_warn try_first_pass # pam_ssh has potential security risks. See pam_ssh(8). #auth sufficient pam_ssh.so no_warn try_first_pass auth required pam_unix.so no_warn try_first_pass # account #account required pam_krb5.so account required pam_login_access.so account required pam_unix.so # session # pam_ssh has potential security risks. See pam_ssh(8). #session optional pam_ssh.so session required pam_permit.so # password #password sufficient pam_krb5.so no_warn try_first_pass password required pam_unix.so no_warn try_first_pass @ 1.9 log @Add pam_skey so that we get behaviour similar to "pre PAM". @ text @d1 1 a1 1 # $NetBSD: sshd,v 1.8 2005/09/22 01:02:12 tsarna Exp $ d9 1 a9 1 auth sufficient pam_krb5.so no_warn try_first_pass d16 1 a16 1 account required pam_krb5.so d26 1 a26 1 password sufficient pam_krb5.so no_warn try_first_pass @ 1.9.58.1 log @Pull up following revision(s) (requested by riastradh in ticket #1843): etc/pam.d/ftpd: revision 1.8 etc/pam.d/su: revision 1.9 etc/pam.d/system: revision 1.9 etc/pam.d/display_manager: revision 1.6 etc/pam.d/sshd: revision 1.10 pam: Disable pam_krb5, pam_ksu by default. These are not useful unless you also set up /etc/krb5.conf and a keytab for the host from the Kerberos KDC. But having them enabled by default means that creating /etc/krb5.conf just to enable use of Kerberos for _client-side_ single sign-on creates usability issues. 
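Review bot: The three pam_krb5 lines in the revision 1.10 text (auth, account, password) are commented out with no in-file explanation, while the pam_ssh lines beside them carry `# pam_ssh has potential security risks. See pam_ssh(8).` An administrator who later turns Kerberos logins on for sshd gets no hint from the file that the module depends on /etc/krb5.conf and a host keytab, or that the three lines belong together. Enabling only the auth line would presumably leave pam_krb5's account checks out of the stack (confirm against pam_krb5(8)). I would add above the auth line something like `# pam_krb5 is disabled by default: it needs /etc/krb5.conf and a host keytab from the KDC.` followed by `# Uncomment the auth, account and password pam_krb5 lines together.` The same applies to the pulled-up branch revisions 1.9.58.1, 1.9.68.1 and 1.9.76.1.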
As proposed on tech-security: https://mail-index.netbsd.org/tech-security/2023/06/16/msg001160.html @ text @d1 1 a1 1 # $NetBSD: sshd,v 1.9 2008/03/26 11:31:17 lukem Exp $ d9 1 a9 1 #auth sufficient pam_krb5.so no_warn try_first_pass d16 1 a16 1 #account required pam_krb5.so d26 1 a26 1 #password sufficient pam_krb5.so no_warn try_first_pass @ 1.9.68.1 log @Pull up following revision(s) (requested by riastradh in ticket #1651): etc/pam.d/ftpd: revision 1.8 etc/pam.d/su: revision 1.9 etc/pam.d/system: revision 1.9 etc/pam.d/display_manager: revision 1.6 etc/pam.d/sshd: revision 1.10 pam: Disable pam_krb5, pam_ksu by default. These are not useful unless you also set up /etc/krb5.conf and a keytab for the host from the Kerberos KDC. But having them enabled by default means that creating /etc/krb5.conf just to enable use of Kerberos for _client-side_ single sign-on creates usability issues. As proposed on tech-security: https://mail-index.netbsd.org/tech-security/2023/06/16/msg001160.html @ text @d1 1 a1 1 # $NetBSD: sshd,v 1.9 2008/03/26 11:31:17 lukem Exp $ d9 1 a9 1 #auth sufficient pam_krb5.so no_warn try_first_pass d16 1 a16 1 #account required pam_krb5.so d26 1 a26 1 #password sufficient pam_krb5.so no_warn try_first_pass @ 1.9.76.1 log @Pull up following revision(s) (requested by riastradh in ticket #205): etc/pam.d/ftpd: revision 1.8 etc/pam.d/su: revision 1.9 etc/pam.d/system: revision 1.9 etc/pam.d/display_manager: revision 1.6 etc/pam.d/sshd: revision 1.10 pam: Disable pam_krb5, pam_ksu by default. These are not useful unless you also set up /etc/krb5.conf and a keytab for the host from the Kerberos KDC. But having them enabled by default means that creating /etc/krb5.conf just to enable use of Kerberos for _client-side_ single sign-on creates usability issues. 
As proposed on tech-security: https://mail-index.netbsd.org/tech-security/2023/06/16/msg001160.html @ text @d1 1 a1 1 # $NetBSD: sshd,v 1.9 2008/03/26 11:31:17 lukem Exp $ d9 1 a9 1 #auth sufficient pam_krb5.so no_warn try_first_pass d16 1 a16 1 #account required pam_krb5.so d26 1 a26 1 #password sufficient pam_krb5.so no_warn try_first_pass @ 1.8 log @Add pam_afslog. Like pam_krb5, this is a fast, quiet no-op if you aren't actually using it the subsystem. Approved by: gendalia @ text @d1 1 a1 1 # $NetBSD: sshd,v 1.7 2005/03/17 01:47:18 christos Exp $ d8 1 @ 1.8.20.1 log @Sync with HEAD. @ text @d1 1 a1 1 # $NetBSD$ a7 1 auth sufficient pam_skey.so no_warn try_first_pass @ 1.7 log @remove stray l. @ text @d1 1 a1 1 # $NetBSD: sshd,v 1.6 2005/03/17 01:07:51 christos Exp $ d9 1 @ 1.6 log @Remove ,optional accidentally committed. We are not going to do this after all. @ text @d1 1 a1 1 # $NetBSD: sshd,v 1.5 2005/03/14 23:41:49 christos Exp $ d14 1 a14 1 account requiredl pam_krb5.so @ 1.5 log @comment out pam_ssh and mention it has potential security issues. @ text @d1 1 a1 1 # $NetBSD: sshd,v 1.4 2005/02/27 03:40:14 thorpej Exp $ d7 2 a8 2 auth required pam_nologin.so no_warn auth sufficient,optional pam_krb5.so no_warn try_first_pass d10 2 a11 2 #auth sufficient pam_ssh.so no_warn try_first_pass auth required pam_unix.so no_warn try_first_pass d14 3 a16 3 account required,optional pam_krb5.so account required pam_login_access.so account required pam_unix.so d20 2 a21 2 #session optional pam_ssh.so session required pam_permit.so d24 2 a25 2 password sufficient,optional pam_krb5.so no_warn try_first_pass password required pam_unix.so no_warn try_first_pass @ 1.5.2.1 log @Pull up revision 1.6 (requested by jwise in ticket #19): Remove ,optional accidentally committed. We are not going to do this after all. 
@ text @d1 1 a1 1 # $NetBSD$ d7 2 a8 2 auth required pam_nologin.so no_warn auth sufficient pam_krb5.so no_warn try_first_pass d10 2 a11 2 #auth sufficient pam_ssh.so no_warn try_first_pass auth required pam_unix.so no_warn try_first_pass d14 3 a16 3 account requiredl pam_krb5.so account required pam_login_access.so account required pam_unix.so d20 2 a21 2 #session optional pam_ssh.so session required pam_permit.so d24 2 a25 2 password sufficient pam_krb5.so no_warn try_first_pass password required pam_unix.so no_warn try_first_pass @ 1.5.2.2 log @Pull up revision 1.7 (requested by jwise in ticket #19): remove stray l. @ text @d1 1 a1 1 # $NetBSD: sshd,v 1.5.2.1 2005/03/19 17:44:59 tron Exp $ d14 1 a14 1 account required pam_krb5.so @ 1.4 log @Major cleanup of PAM service configuration files. @ text @d1 1 a1 1 # $NetBSD: sshd,v 1.3 2005/01/08 08:43:03 christos Exp $ d7 5 a11 4 auth required pam_nologin.so no_warn auth sufficient pam_krb5.so no_warn try_first_pass auth sufficient pam_ssh.so no_warn try_first_pass auth required pam_unix.so no_warn try_first_pass d14 3 a16 3 account required pam_krb5.so account required pam_login_access.so account required pam_unix.so d19 3 a21 2 session optional pam_ssh.so session required pam_permit.so d24 2 a25 2 password sufficient pam_krb5.so no_warn try_first_pass password required pam_unix.so no_warn try_first_pass @ 1.3 log @add ssh and krb5 now that they compile @ text @d1 1 a1 2 # $NetBSD: sshd,v 1.2 2004/12/12 08:54:34 christos Exp $ # $FreeBSD: src/etc/pam.d/sshd,v 1.15 2003/04/30 21:57:54 markm Exp $ a7 2 #auth sufficient pam_opie.so no_warn no_fake_prompts #auth requisite pam_opieaccess.so no_warn allow_local @ 1.2 log @- Add NetBSD RCSID's - comment out opie since we don't have it. 
@ text @d1 1 a1 1 # $NetBSD$ d11 2 a12 2 #auth sufficient pam_krb5.so no_warn try_first_pass #auth sufficient pam_ssh.so no_warn try_first_pass d16 1 a16 1 #account required pam_krb5.so d21 1 a21 1 #session optional pam_ssh.so d25 1 a25 1 #password sufficient pam_krb5.so no_warn try_first_pass @ 1.1 log @Initial revision @ text @d1 1 a1 1 # d9 2 a10 2 auth sufficient pam_opie.so no_warn no_fake_prompts auth requisite pam_opieaccess.so no_warn allow_local @ 1.1.1.1 log @Pam configuration files from FreeBSD; perl script not imported. @ text @@