head 1.9; access; symbols netbsd-10-0-RELEASE:1.8.76.1 netbsd-10-0-RC6:1.8.76.1 netbsd-10-0-RC5:1.8.76.1 netbsd-10-0-RC4:1.8.76.1 netbsd-10-0-RC3:1.8.76.1 netbsd-10-0-RC2:1.8.76.1 netbsd-10-0-RC1:1.8.76.1 netbsd-10:1.8.0.76 netbsd-10-base:1.8 netbsd-9-3-RELEASE:1.8 cjep_sun2x-base1:1.8 cjep_sun2x:1.8.0.74 cjep_sun2x-base:1.8 cjep_staticlib_x-base1:1.8 netbsd-9-2-RELEASE:1.8 cjep_staticlib_x:1.8.0.72 cjep_staticlib_x-base:1.8 netbsd-9-1-RELEASE:1.8 phil-wifi-20200421:1.8 phil-wifi-20200411:1.8 is-mlppp:1.8.0.70 is-mlppp-base:1.8 phil-wifi-20200406:1.8 netbsd-8-2-RELEASE:1.8 netbsd-9-0-RELEASE:1.8 netbsd-9-0-RC2:1.8 netbsd-9-0-RC1:1.8 phil-wifi-20191119:1.8 netbsd-9:1.8.0.68 netbsd-9-base:1.8 phil-wifi-20190609:1.8 netbsd-8-1-RELEASE:1.8 netbsd-8-1-RC1:1.8 pgoyette-compat-merge-20190127:1.8 pgoyette-compat-20190127:1.8 pgoyette-compat-20190118:1.8 pgoyette-compat-1226:1.8 pgoyette-compat-1126:1.8 pgoyette-compat-1020:1.8 pgoyette-compat-0930:1.8 pgoyette-compat-0906:1.8 netbsd-7-2-RELEASE:1.8 pgoyette-compat-0728:1.8 netbsd-8-0-RELEASE:1.8 phil-wifi:1.8.0.66 phil-wifi-base:1.8 pgoyette-compat-0625:1.8 netbsd-8-0-RC2:1.8 pgoyette-compat-0521:1.8 pgoyette-compat-0502:1.8 pgoyette-compat-0422:1.8 netbsd-8-0-RC1:1.8 pgoyette-compat-0415:1.8 pgoyette-compat-0407:1.8 pgoyette-compat-0330:1.8 pgoyette-compat-0322:1.8 pgoyette-compat-0315:1.8 netbsd-7-1-2-RELEASE:1.8 pgoyette-compat:1.8.0.64 pgoyette-compat-base:1.8 netbsd-7-1-1-RELEASE:1.8 matt-nb8-mediatek:1.8.0.62 matt-nb8-mediatek-base:1.8 perseant-stdc-iso10646:1.8.0.60 perseant-stdc-iso10646-base:1.8 netbsd-8:1.8.0.58 netbsd-8-base:1.8 prg-localcount2-base3:1.8 prg-localcount2-base2:1.8 prg-localcount2-base1:1.8 prg-localcount2:1.8.0.56 prg-localcount2-base:1.8 pgoyette-localcount-20170426:1.8 bouyer-socketcan-base1:1.8 pgoyette-localcount-20170320:1.8 netbsd-7-1:1.8.0.54 netbsd-7-1-RELEASE:1.8 netbsd-7-1-RC2:1.8 netbsd-7-nhusb-base-20170116:1.8 bouyer-socketcan:1.8.0.52 bouyer-socketcan-base:1.8 
pgoyette-localcount-20170107:1.8 netbsd-7-1-RC1:1.8 pgoyette-localcount-20161104:1.8 netbsd-7-0-2-RELEASE:1.8 localcount-20160914:1.8 netbsd-7-nhusb:1.8.0.50 netbsd-7-nhusb-base:1.8 pgoyette-localcount-20160806:1.8 pgoyette-localcount-20160726:1.8 pgoyette-localcount:1.8.0.48 pgoyette-localcount-base:1.8 netbsd-7-0-1-RELEASE:1.8 netbsd-7-0:1.8.0.46 netbsd-7-0-RELEASE:1.8 netbsd-7-0-RC3:1.8 netbsd-7-0-RC2:1.8 netbsd-7-0-RC1:1.8 netbsd-5-2-3-RELEASE:1.8 netbsd-5-1-5-RELEASE:1.8 netbsd-6-0-6-RELEASE:1.8 netbsd-6-1-5-RELEASE:1.8 netbsd-7:1.8.0.44 netbsd-7-base:1.8 yamt-pagecache-base9:1.8 yamt-pagecache-tag8:1.8 netbsd-6-1-4-RELEASE:1.8 netbsd-6-0-5-RELEASE:1.8 tls-earlyentropy:1.8.0.42 tls-earlyentropy-base:1.8 riastradh-xf86-video-intel-2-7-1-pre-2-21-15:1.8 riastradh-drm2-base3:1.8 netbsd-6-1-3-RELEASE:1.8 netbsd-6-0-4-RELEASE:1.8 netbsd-5-2-2-RELEASE:1.8 netbsd-5-1-4-RELEASE:1.8 netbsd-6-1-2-RELEASE:1.8 netbsd-6-0-3-RELEASE:1.8 netbsd-5-2-1-RELEASE:1.8 netbsd-5-1-3-RELEASE:1.8 netbsd-6-1-1-RELEASE:1.8 riastradh-drm2-base2:1.8 riastradh-drm2-base1:1.8 riastradh-drm2:1.8.0.34 riastradh-drm2-base:1.8 netbsd-6-1:1.8.0.40 netbsd-6-0-2-RELEASE:1.8 netbsd-6-1-RELEASE:1.8 khorben-n900:1.8.0.38 netbsd-6-1-RC4:1.8 netbsd-6-1-RC3:1.8 agc-symver:1.8.0.36 agc-symver-base:1.8 netbsd-6-1-RC2:1.8 netbsd-6-1-RC1:1.8 yamt-pagecache-base8:1.8 netbsd-5-2:1.8.0.32 netbsd-6-0-1-RELEASE:1.8 yamt-pagecache-base7:1.8 netbsd-5-2-RELEASE:1.8 netbsd-5-2-RC1:1.8 matt-nb6-plus-nbase:1.8 yamt-pagecache-base6:1.8 netbsd-6-0:1.8.0.30 netbsd-6-0-RELEASE:1.8 netbsd-6-0-RC2:1.8 tls-maxphys:1.8.0.28 tls-maxphys-base:1.8 matt-nb6-plus:1.8.0.26 matt-nb6-plus-base:1.8 netbsd-6-0-RC1:1.8 yamt-pagecache-base5:1.8 yamt-pagecache-base4:1.8 netbsd-6:1.8.0.24 netbsd-6-base:1.8 netbsd-5-1-2-RELEASE:1.8 netbsd-5-1-1-RELEASE:1.8 yamt-pagecache-base3:1.8 yamt-pagecache-base2:1.8 yamt-pagecache:1.8.0.22 yamt-pagecache-base:1.8 cherry-xenmp:1.8.0.20 cherry-xenmp-base:1.8 bouyer-quota2-nbase:1.8 
bouyer-quota2:1.8.0.18 bouyer-quota2-base:1.8 matt-mips64-premerge-20101231:1.8 matt-nb5-mips64-premerge-20101231:1.8 matt-nb5-pq3:1.8.0.16 matt-nb5-pq3-base:1.8 netbsd-5-1:1.8.0.14 netbsd-5-1-RELEASE:1.8 netbsd-5-1-RC4:1.8 matt-nb5-mips64-k15:1.8 netbsd-5-1-RC3:1.8 netbsd-5-1-RC2:1.8 netbsd-5-1-RC1:1.8 netbsd-5-0-2-RELEASE:1.8 matt-nb5-mips64-premerge-20091211:1.8 matt-premerge-20091211:1.8 matt-nb5-mips64-u2-k2-k4-k7-k8-k9:1.8 matt-nb4-mips64-k7-u2a-k9b:1.8 matt-nb5-mips64-u1-k1-k5:1.8 matt-nb5-mips64:1.8.0.12 netbsd-5-0-1-RELEASE:1.8 jym-xensuspend-nbase:1.8 netbsd-5-0:1.8.0.10 netbsd-5-0-RELEASE:1.8 netbsd-5-0-RC4:1.8 netbsd-5-0-RC3:1.8 netbsd-5-0-RC2:1.8 jym-xensuspend:1.8.0.8 jym-xensuspend-base:1.8 netbsd-5-0-RC1:1.8 mjf-devfs2-base2:1.8 netbsd-5:1.8.0.6 netbsd-5-base:1.8 matt-mips64-base2:1.8 matt-mips64:1.7.0.22 netbsd-4-0-1-RELEASE:1.7 wrstuden-revivesa-base-3:1.8 wrstuden-revivesa-base-2:1.8 wrstuden-fixsa-newbase:1.7 wrstuden-revivesa-base-1:1.8 yamt-pf42-base4:1.8 yamt-pf42-base3:1.8 hpcarm-cleanup-nbase:1.8 yamt-pf42-baseX:1.8 yamt-pf42-base2:1.8 wrstuden-revivesa:1.8.0.4 wrstuden-revivesa-base:1.8 yamt-pf42:1.8.0.2 yamt-pf42-base:1.8 mjf-devfs2:1.7.0.20 mjf-devfs2-base:1.8 keiichi-mipv6:1.7.0.18 keiichi-mipv6-base:1.7 mjf-devfs:1.7.0.16 mjf-devfs-base:1.7 matt-armv6-nbase:1.7 matt-armv6-prevmlocking:1.7 wrstuden-fixsa-base-1:1.7 netbsd-4-0:1.7.0.14 netbsd-4-0-RELEASE:1.7 cube-autoconf:1.7.0.12 cube-autoconf-base:1.7 netbsd-4-0-RC5:1.7 netbsd-4-0-RC4:1.7 netbsd-4-0-RC3:1.7 netbsd-4-0-RC2:1.7 netbsd-4-0-RC1:1.7 matt-armv6:1.7.0.10 matt-armv6-base:1.7 matt-mips64-base:1.7 hpcarm-cleanup:1.7.0.8 hpcarm-cleanup-base:1.7 netbsd-3-1-1-RELEASE:1.6 netbsd-3-0-3-RELEASE:1.6 wrstuden-fixsa:1.7.0.6 wrstuden-fixsa-base:1.7 abandoned-netbsd-4-base:1.7 abandoned-netbsd-4:1.7.0.2 netbsd-3-1:1.6.0.6 netbsd-3-1-RELEASE:1.6 netbsd-3-0-2-RELEASE:1.6 netbsd-3-1-RC4:1.6 netbsd-3-1-RC3:1.6 netbsd-3-1-RC2:1.6 netbsd-3-1-RC1:1.6 netbsd-4:1.7.0.4 netbsd-4-base:1.7 
netbsd-3-0-1-RELEASE:1.6 netbsd-3-0:1.6.0.4 netbsd-3-0-RELEASE:1.6 netbsd-3-0-RC6:1.6 netbsd-3-0-RC5:1.6 netbsd-3-0-RC4:1.6 netbsd-3-0-RC3:1.6 netbsd-3-0-RC2:1.6 netbsd-3-0-RC1:1.6 netbsd-3:1.6.0.2 netbsd-3-base:1.6 PAM20041212:1.1.1.1 FREEBSD:1.1.1; locks; strict; comment @# @; 1.9 date 2023.06.20.22.00.00; author riastradh; state Exp; branches; next 1.8; commitid xtxNwQ28VDotBJtE; 1.8 date 2008.03.26.11.31.17; author lukem; state Exp; branches 1.8.58.1 1.8.68.1 1.8.76.1; next 1.7; 1.7 date 2005.09.22.01.02.12; author tsarna; state Exp; branches 1.7.20.1; next 1.6; 1.6 date 2005.03.03.02.12.32; author christos; state Exp; branches; next 1.5; 1.5 date 2005.02.27.03.40.14; author thorpej; state Exp; branches; next 1.4; 1.4 date 2005.01.08.22.42.22; author manu; state Exp; branches; next 1.3; 1.3 date 2005.01.08.08.43.03; author christos; state Exp; branches; next 1.2; 1.2 date 2004.12.12.08.54.34; author christos; state Exp; branches; next 1.1; 1.1 date 2004.12.12.08.48.21; author christos; state Exp; branches 1.1.1.1; next ; 1.8.58.1 date 2023.06.21.21.50.34; author martin; state Exp; branches; next ; commitid wVDGB9zgtrfgwRtE; 1.8.68.1 date 2023.06.21.21.47.51; author martin; state Exp; branches; next ; commitid xOlNplLR3OQkvRtE; 1.8.76.1 date 2023.06.21.21.33.02; author martin; state Exp; branches; next ; commitid JsWtt2vNhylfqRtE; 1.7.20.1 date 2008.04.03.13.54.12; author mjf; state Exp; branches; next ; 1.1.1.1 date 2004.12.12.08.48.21; author christos; state Exp; branches; next ; desc @@ 1.9 log @pam: Disable pam_krb5, pam_ksu by default. These are not useful unless you also set up /etc/krb5.conf and a keytab for the host from the Kerberos KDC. But having them enabled by default means that creating /etc/krb5.conf just to enable use of Kerberos for _client-side_ single sign-on creates usability issues. 
As proposed on tech-security: https://mail-index.netbsd.org/tech-security/2023/06/16/msg001160.html
@
text
@# $NetBSD: system,v 1.8 2008/03/26 11:31:17 lukem Exp $
#
# System-wide defaults
#

# auth
auth sufficient pam_skey.so no_warn try_first_pass
#auth sufficient pam_krb5.so no_warn try_first_pass
auth optional pam_afslog.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass nullok

# account
#account required pam_krb5.so
account required pam_unix.so

# session
session required pam_lastlog.so no_fail no_nested

# password
#password sufficient pam_krb5.so no_warn try_first_pass
password required pam_unix.so no_warn try_first_pass
@

1.8
log
@Add pam_skey so that we get behaviour similar to "pre PAM".
@
text
@d1 1
a1 1
# $NetBSD: system,v 1.7 2005/09/22 01:02:12 tsarna Exp $
d8 1
a8 1
auth sufficient pam_krb5.so no_warn try_first_pass
d13 1
a13 1
account required pam_krb5.so
d20 1
a20 1
password sufficient pam_krb5.so no_warn try_first_pass
@

1.8.58.1
log
@Pull up following revision(s) (requested by riastradh in ticket #1843): etc/pam.d/ftpd: revision 1.8 etc/pam.d/su: revision 1.9 etc/pam.d/system: revision 1.9 etc/pam.d/display_manager: revision 1.6 etc/pam.d/sshd: revision 1.10 pam: Disable pam_krb5, pam_ksu by default. These are not useful unless you also set up /etc/krb5.conf and a keytab for the host from the Kerberos KDC. But having them enabled by default means that creating /etc/krb5.conf just to enable use of Kerberos for _client-side_ single sign-on creates usability issues.
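Review bot: The three pam_krb5 entries in the 1.9 text (auth, account and password) are commented out with nothing in the file saying when it is safe to turn them back on, so the prerequisite lives only in the commit log. A comment above the first one would carry it, for example `# pam_krb5: uncomment the auth, account and password lines together, and only once /etc/krb5.conf and a host keytab from the KDC are in place.` pam_afslog.so stays active in the auth stack; the 1.7 log calls it a quiet no-op when unused, but it presumably has no Kerberos credentials to work from once pam_krb5 is off, so it is worth confirming whether it should be commented out as well. The same edit is pulled up in 1.8.58.1, 1.8.68.1 and 1.8.76.1, so a host that relied on the default stack for Kerberos logins would be left with pam_skey and pam_unix after taking the new file; an upgrade note for those branches would help.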
As proposed on tech-security: https://mail-index.netbsd.org/tech-security/2023/06/16/msg001160.html
@
text
@d1 1
a1 1
# $NetBSD: system,v 1.8 2008/03/26 11:31:17 lukem Exp $
d8 1
a8 1
#auth sufficient pam_krb5.so no_warn try_first_pass
d13 1
a13 1
#account required pam_krb5.so
d20 1
a20 1
#password sufficient pam_krb5.so no_warn try_first_pass
@

1.8.68.1
log
@Pull up following revision(s) (requested by riastradh in ticket #1651): etc/pam.d/ftpd: revision 1.8 etc/pam.d/su: revision 1.9 etc/pam.d/system: revision 1.9 etc/pam.d/display_manager: revision 1.6 etc/pam.d/sshd: revision 1.10 pam: Disable pam_krb5, pam_ksu by default. These are not useful unless you also set up /etc/krb5.conf and a keytab for the host from the Kerberos KDC. But having them enabled by default means that creating /etc/krb5.conf just to enable use of Kerberos for _client-side_ single sign-on creates usability issues. As proposed on tech-security: https://mail-index.netbsd.org/tech-security/2023/06/16/msg001160.html
@
text
@d1 1
a1 1
# $NetBSD: system,v 1.8 2008/03/26 11:31:17 lukem Exp $
d8 1
a8 1
#auth sufficient pam_krb5.so no_warn try_first_pass
d13 1
a13 1
#account required pam_krb5.so
d20 1
a20 1
#password sufficient pam_krb5.so no_warn try_first_pass
@

1.8.76.1
log
@Pull up following revision(s) (requested by riastradh in ticket #205): etc/pam.d/ftpd: revision 1.8 etc/pam.d/su: revision 1.9 etc/pam.d/system: revision 1.9 etc/pam.d/display_manager: revision 1.6 etc/pam.d/sshd: revision 1.10 pam: Disable pam_krb5, pam_ksu by default. These are not useful unless you also set up /etc/krb5.conf and a keytab for the host from the Kerberos KDC. But having them enabled by default means that creating /etc/krb5.conf just to enable use of Kerberos for _client-side_ single sign-on creates usability issues.
As proposed on tech-security: https://mail-index.netbsd.org/tech-security/2023/06/16/msg001160.html
@
text
@d1 1
a1 1
# $NetBSD: system,v 1.8 2008/03/26 11:31:17 lukem Exp $
d8 1
a8 1
#auth sufficient pam_krb5.so no_warn try_first_pass
d13 1
a13 1
#account required pam_krb5.so
d20 1
a20 1
#password sufficient pam_krb5.so no_warn try_first_pass
@

1.7
log
@Add pam_afslog. Like pam_krb5, this is a fast, quiet no-op if you aren't actually using it the subsystem. Approved by: gendalia
@
text
@d1 1
a1 1
# $NetBSD: system,v 1.6 2005/03/03 02:12:32 christos Exp $
d7 1
@

1.7.20.1
log
@Sync with HEAD.
@
text
@d1 1
a1 1
# $NetBSD$
a6 1
auth sufficient pam_skey.so no_warn try_first_pass
@

1.6
log
@Add a no nested option that avoids updating the {u,w}tmp databases on a nested login.
@
text
@d1 1
a1 1
# $NetBSD: system,v 1.5 2005/02/27 03:40:14 thorpej Exp $
d8 1
@

1.5
log
@Major cleanup of PAM service configuration files.
@
text
@d1 1
a1 1
# $NetBSD: system,v 1.4 2005/01/08 22:42:22 manu Exp $
d15 1
a15 1
session required pam_lastlog.so no_fail
@

1.4
log
@Remove pam_ssh for system config, it's not always used.
@
text
@d1 1
a1 2
# $NetBSD: system,v 1.3 2005/01/08 08:43:03 christos Exp $
# $FreeBSD: src/etc/pam.d/system,v 1.1 2003/06/14 12:35:05 des Exp $
a6 2
#auth sufficient pam_opie.so no_warn no_fake_prompts
#auth requisite pam_opieaccess.so no_warn allow_local
a11 1
account required pam_login_access.so
@

1.3
log
@add ssh and krb5 now that they compile
@
text
@d1 1
a1 1
# $NetBSD: system,v 1.2 2004/12/12 08:54:34 christos Exp $
a10 1
auth sufficient pam_ssh.so no_warn try_first_pass
a18 1
session optional pam_ssh.so
@

1.2
log
@- Add NetBSD RCSID's - comment out opie since we don't have it.
@
text
@d1 1
a1 1
# $NetBSD$
d10 2
a11 2
#auth sufficient pam_krb5.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
d15 1
a15 1
#account required pam_krb5.so
d20 1
a20 1
#session optional pam_ssh.so
d24 1
a24 1
#password sufficient pam_krb5.so no_warn try_first_pass
@

1.1
log
@Initial revision
@
text
@d1 1
a1 1
#
d8 2
a9 2
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
@

1.1.1.1
log
@Pam configuration files from FreeBSD; perl script not imported.
@
text
@@