head	1.5;
access;
symbols
	RELENG_5_0_0_RELEASE:1.4
	RELENG_5_0:1.4.0.2
	RELENG_5_0_BP:1.4;
locks; strict;
comment	@# @;


1.5
date	2003.02.10.00.47.46;	author des;	state dead;
branches;
next	1.4;

1.4
date	2002.04.18.17.40.27;	author des;	state Exp;
branches;
next	1.3;

1.3
date	2002.01.21.18.51.24;	author des;	state Exp;
branches;
next	1.2;

1.2
date	2001.12.05.21.26.00;	author des;	state Exp;
branches;
next	1.1;

1.1
date	2001.12.05.21.06.21;	author des;	state Exp;
branches;
next	;


desc
@@


1.5
log
@There's no reason to have two identical policies for FTP servers, so
make ftp a symlink to ftpd.
@
text
@#
# $FreeBSD: src/etc/pam.d/ftp,v 1.4 2002/04/18 17:40:27 des Exp $
#
# PAM configuration for the "ftp" service
#

# auth
auth		required	pam_nologin.so	no_warn
#auth		sufficient	pam_kerberosIV.so	no_warn
#auth		sufficient	pam_krb5.so	no_warn
auth		sufficient	pam_opie.so	no_warn no_fake_prompts
auth		requisite	pam_opieaccess.so	no_warn
#auth		required	pam_ssh.so	no_warn try_first_pass
auth		required	pam_unix.so	no_warn try_first_pass

# account
#account	required	pam_kerberosIV.so
#account	required	pam_krb5.so
account		required	pam_unix.so

# session
#session	required	pam_kerberosIV.so
#session	required	pam_krb5.so
#session	required	pam_ssh.so
@


1.4
log
@Don't list pam_unix in the session chain, since it does not provide any
session management services.

Sponsored by:	DARPA, NAI Labs
@
text
@d2 1
a2 1
# $FreeBSD: src/etc/pam.d/ftp,v 1.3 2002/01/21 18:51:24 des Exp $
@


1.3
log
@Enable OPIE by default, using the no_fake_prompts option to hide it from
users who don't wish to use it.  If the admin is worried about leaking
information about which users exist and which have OPIE enabled, the
no_fake_prompts option can simply be removed.

Also insert the appropriate pam_opieaccess lines after pam_opie to break
the chain in case the user is logging in from an untrusted host, or has a
.opiealways file.  The entire opieaccess / opiealways concept is slightly
unpammish, but admins familiar with OPIE will expect it to work.

Reviewed by:	ache, markm
Sponsored by:	DARPA, NAI Labs
@
text
@d2 1
a2 1
# $FreeBSD: src/etc/pam.d/ftp,v 1.2 2001/12/05 21:26:00 des Exp $
a24 1
session		required	pam_unix.so
@


1.2
log
@Awright, egg on my face.  I should have taken more time with this.  The
conversion script generated the wrong format, so the configuration files
didn't actually work.  Good thing I hadn't thrown the switch yet...

Sponsored by:	DARPA, NAI Labs (but the f***ups are all mine)
@
text
@d2 1
a2 1
# $FreeBSD$
d11 2
a12 1
#auth		required	pam_opie.so	no_warn
@


1.1
log
@pam.d-style configuration, auto-generated from pam.conf.

Sponsored by:	DARPA, NAI Labs
@
text
@d8 6
a13 6
ftp	auth	required	pam_nologin.so	no_warn
#ftp	auth	sufficient	pam_kerberosIV.so	no_warn
#ftp	auth	sufficient	pam_krb5.so	no_warn
#ftp	auth	required	pam_opie.so	no_warn
#ftp	auth	required	pam_ssh.so	no_warn try_first_pass
ftp	auth	required	pam_unix.so	no_warn try_first_pass
d16 3
a18 3
#ftp	account	required	pam_kerberosIV.so
#ftp	account	required	pam_krb5.so
ftp	account	required	pam_unix.so
d21 4
a24 4
#ftp	session	required	pam_kerberosIV.so
#ftp	session	required	pam_krb5.so
#ftp	session	required	pam_ssh.so
ftp	session	required	pam_unix.so
@

