Problem Report i386/59593
Ivo R. Tonev
ivo at tonev.pro.br
Thu Nov 27 16:11:09 PST 2003
Hi,
su uses a full passord for authentication, but sshd ....
I have created a user account to test the autentication :
enter in /etc/master.passwd of user test aded with adduser ( DES
password ???? adduser have ignored /etc/login.defs ) :
teste:tEkH5r9IwlyAU:1002:1002::0:0:teste:/home/teste:/bin/sh
enter in /etc/master.passwd of user test after change their password
with passwd
teste:$1$61HQ4CwH$zkIyY20/Hu6xUHu7xFCC60:1002:1002::0:0:teste:/home/teste:/bin/sh
enter in /etc/master.passwd of user test aded with /stand/sysinstall
test:$1$NZQtQYhL$ifuEewic6ApWH6wGeKSQl.:1002:1002::0:0:User
&:/home/test:/bin/sh
the problem is the command adduser ???
/etc/login.conf:
========================================================================
# login.conf - login class capabilities database.
#
# Remember to rebuild the database after each change to this file:
#
# cap_mkdb /etc/login.conf
#
# This file controls resource limits, accounting limits and
# default user environment settings.
#
# $FreeBSD: src/etc/login.conf,v 1.34.2.6 2002/07/02 20:06:18 dillon Exp $
#
# Default settings effectively disable resource limits, see the
# examples below for a starting point to enable them.
# defaults
# These settings are used by login(1) by default for classless users
# Note that entries like "cputime" set both "cputime-cur" and "cputime-max"
default:\
:passwd_format=md5:\
:copyright=/etc/COPYRIGHT:\
:welcome=/etc/motd:\
:setenv=MAIL=/var/mail/$,BLOCKSIZE=K,FTP_PASSIVE_MODE=YES:\
:path=/sbin /bin /usr/sbin /usr/bin /usr/games /usr/local/sbin
/usr/local/bin /usr/X11R6/bin ~/bin:\
:nologin=/var/run/nologin:\
:cputime=unlimited:\
:datasize=unlimited:\
:stacksize=unlimited:\
:memorylocked=unlimited:\
:memoryuse=unlimited:\
:filesize=unlimited:\
:coredumpsize=unlimited:\
:openfiles=unlimited:\
:maxproc=unlimited:\
:sbsize=unlimited:\
:vmemoryuse=unlimited:\
:priority=0:\
:ignoretime@:\
:umask=022:
#
# A collection of common class names - forward them all to 'default'
# (login would normally do this anyway, but having a class name
# here suppresses the diagnostic)
#
standard:\
:tc=default:
xuser:\
:tc=default:
staff:\
:tc=default:
daemon:\
:tc=default:
news:\
:tc=default:
dialer:\
:tc=default:
#
# Root can always login
#
# N.B. login_getpwclass(3) will use this entry for the root account,
# in preference to 'default'.
root:\
:ignorenologin:\
:tc=default:
#
# Russian Users Accounts. Setup proper environment variables.
#
russian|Russian Users Accounts:\
:charset=KOI8-R:\
:lang=ru_RU.KOI8-R:\
:tc=default:
######################################################################
######################################################################
##
## Example entries
##
######################################################################
######################################################################
## Example defaults
## These settings are used by login(1) by default for classless users
## Note that entries like "cputime" set both "cputime-cur" and "cputime-max"
#
#default:\
# :cputime=infinity:\
# :datasize-cur=22M:\
# :stacksize-cur=8M:\
# :memorylocked-cur=10M:\
# :memoryuse-cur=30M:\
# :filesize=infinity:\
# :coredumpsize=infinity:\
# :maxproc-cur=64:\
# :openfiles-cur=64:\
# :priority=0:\
# :requirehome@:\
# :umask=022:\
# :tc=auth-defaults:
#
#
##
## standard - standard user defaults
##
#standard:\
# :copyright=/etc/COPYRIGHT:\
# :welcome=/etc/motd:\
# :setenv=MAIL=/var/mail/$,BLOCKSIZE=K:\
# :path=~/bin /bin /usr/bin /usr/local/bin:\
# :manpath=/usr/share/man /usr/local/man:\
# :nologin=/var/run/nologin:\
# :cputime=1h30m:\
# :datasize=8M:\
# :vmemoryuse=100M:\
# :stacksize=2M:\
# :memorylocked=4M:\
# :memoryuse=8M:\
# :filesize=8M:\
# :coredumpsize=8M:\
# :openfiles=24:\
# :maxproc=32:\
# :priority=0:\
# :requirehome:\
# :passwordtime=90d:\
# :umask=002:\
# :ignoretime@:\
# :tc=default:
#
#
##
## users of X (needs more resources!)
##
#xuser:\
# :manpath=/usr/share/man /usr/X11R6/man /usr/local/man:\
# :cputime=4h:\
# :datasize=12M:\
# :vmemoryuse=infinity:\
# :stacksize=4M:\
# :filesize=8M:\
# :memoryuse=16M:\
# :openfiles=32:\
# :maxproc=48:\
# :tc=standard:
#
#
##
## Staff users - few restrictions and allow login anytime
##
#staff:\
# :ignorenologin:\
# :ignoretime:\
# :requirehome@:\
# :accounted@:\
# :path=~/bin /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin:\
# :umask=022:\
# :tc=standard:
#
#
##
## root - fallback for root logins
##
#root:\
# :path=~/bin /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin:\
# :cputime=infinity:\
# :datasize=infinity:\
# :stacksize=infinity:\
# :memorylocked=infinity:\
# :memoryuse=infinity:\
# :filesize=infinity:\
# :coredumpsize=infinity:\
# :openfiles=infinity:\
# :maxproc=infinity:\
# :memoryuse-cur=32M:\
# :maxproc-cur=64:\
# :openfiles-cur=1024:\
# :priority=0:\
# :requirehome@:\
# :umask=022:\
# :tc=auth-root-defaults:
#
#
##
## Settings used by /etc/rc
##
#daemon:\
# :coredumpsize@:\
# :coredumpsize-cur=0:\
# :datasize=infinity:\
# :datasize-cur@:\
# :maxproc=512:\
# :maxproc-cur@:\
# :memoryuse-cur=64M:\
# :memorylocked-cur=64M:\
# :openfiles=1024:\
# :openfiles-cur@:\
# :stacksize=16M:\
# :stacksize-cur@:\
# :tc=default:
#
#
##
## Settings used by news subsystem
##
#news:\
# :path=/usr/local/news/bin /bin /sbin /usr/bin /usr/sbin /usr/local/bin
/usr/local/sbin:\
# :cputime=infinity:\
# :filesize=128M:\
# :datasize-cur=64M:\
# :stacksize-cur=32M:\
# :coredumpsize-cur=0:\
# :maxmemorysize-cur=128M:\
# :memorylocked=32M:\
# :maxproc=128:\
# :openfiles=256:\
# :tc=default:
#
#
##
## The dialer class should be used for a dialup PPP/SLIP accounts
## Welcome messages/news suppressed
##
#dialer:\
# :hushlogin:\
# :requirehome@:\
# :cputime=unlimited:\
# :filesize=2M:\
# :datasize=2M:\
# :stacksize=4M:\
# :coredumpsize=0:\
# :memoryuse=4M:\
# :memorylocked=1M:\
# :maxproc=16:\
# :openfiles=32:\
# :tc=standard:
#
#
##
## Site full-time 24/7 PPP/SLIP connections
## - no time accounting, restricted to access via dialin lines
##
#site:\
# :ignoretime:\
# :passwordtime@:\
# :refreshtime@:\
# :refreshperiod@:\
# :sessionlimit@:\
# :autodelete@:\
# :expireperiod@:\
# :graceexpire@:\
# :gracetime@:\
# :warnexpire@:\
# :warnpassword@:\
# :idletime@:\
# :sessiontime@:\
# :daytime@:\
# :weektime@:\
# :monthtime@:\
# :warntime@:\
# :accounted@:\
# :tc=dialer:\
# :tc=staff:
#
#
##
## Example standard accounting entries for subscriber levels
##
#
#subscriber|Subscribers:\
# :accounted:\
# :refreshtime=180d:\
# :refreshperiod@:\
# :sessionlimit@:\
# :autodelete=30d:\
# :expireperiod=180d:\
# :graceexpire=7d:\
# :gracetime=10m:\
# :warnexpire=7d:\
# :warnpassword=7d:\
# :idletime=30m:\
# :sessiontime=4h:\
# :daytime=6h:\
# :weektime=40h:\
# :monthtime=120h:\
# :warntime=4h:\
# :tc=standard:
#
#
##
## Subscriber accounts. These accounts have their login times
## accounted and have access limits applied.
##
#subppp|PPP Subscriber Accounts:\
# :tc=dialer:\
# :tc=subscriber:
#
#
#subslip|SLIP Subscriber Accounts:\
# :tc=dialer:\
# :tc=subscriber:
#
#
#subshell|Shell Subscriber Accounts:\
# :tc=subscriber:
#
##
## If you want some of the accounts to use traditional UNIX DES based
## password hashes.
##
#des_users:\
# :passwd_format=des:\
# :tc=default:
========================================================================
/etc/pam.conf:
========================================================================
# Configuration file for Pluggable Authentication Modules (PAM).
#
# This file controls the authentication methods that login and other
# utilities use. See pam(8) for a description of its format.
#
# $FreeBSD: src/etc/pam.conf,v 1.6.2.18 2003/02/15 17:20:27 des Exp $
#
# service-name module-type control-flag module-path arguments
#
# module-type:
# auth: prompt for a password to authenticate that the user is
# who they say they are, and set any credentials.
# account: non-authentication based authorization, based on time,
# resources, etc.
# session: housekeeping before and/or after login.
# password: update authentication tokens.
#
# control-flag: How libpam handles success or failure of the module.
# required: success is required, and on failure all remaining
# modules are run.
# requisite: success is required, and on failure no remaining
# modules are run.
# sufficient: success is sufficient, and if no previous required
# module failed, no remaining modules are run.
# optional: ignored unless the other modules return PAM_IGNORE.
#
# arguments:
# Passed to the module; module-specific plus some generic ones:
# debug: syslog debug info.
# no_warn: return no warning messages to the application.
# use_first_pass: try authentication using password from the
# preceding auth module.
# try_first_pass: first try authentication using password from
# the preceding auth module, and if that fails
# prompt for a new password.
# use_mapped_pass: convert cleartext password to a crypto key.
# expose_account: allow printing more info about the user when
# prompting.
#
# Each final entry must say "required" -- otherwise, things don't
# work quite right. If you delete a final entry, be sure to change
# "sufficient" to "required" in the entry before it.
# If the user can authenticate with S/Key, that's sufficient; allow clear
# password. Try kerberos, then try plain unix password.
login auth sufficient pam_skey.so
login auth sufficient pam_opie.so no_fake_prompts
#login auth requisite pam_opieaccess.so
login auth requisite pam_cleartext_pass_ok.so
#login auth sufficient pam_kerberosIV.so try_first_pass
#login auth sufficient pam_krb5.so try_first_pass
login auth required pam_unix.so try_first_pass
login account required pam_unix.so
login password required pam_permit.so
login session required pam_permit.so
# Same requirement for ftpd as login
ftpd auth sufficient pam_skey.so
ftpd auth sufficient pam_opie.so no_fake_prompts
#ftpd auth requisite pam_opieaccess.so
ftpd auth requisite pam_cleartext_pass_ok.so
#ftpd auth sufficient pam_kerberosIV.so try_first_pass
#ftpd auth sufficient pam_krb5.so try_first_pass
ftpd auth required pam_unix.so try_first_pass
# OpenSSH with PAM support requires similar modules. The session one is
# a bit strange, though...
sshd auth sufficient pam_skey.so
sshd auth sufficient pam_opie.so no_fake_prompts
#sshd auth requisite pam_opieaccess.so
#sshd auth sufficient pam_kerberosIV.so try_first_pass
#sshd auth sufficient pam_krb5.so try_first_pass
sshd auth required pam_unix.so try_first_pass
sshd account required pam_unix.so
sshd password required pam_permit.so
sshd session required pam_permit.so
# "telnetd" is for SRA authenticated telnet only. Non-SRA uses 'login'
telnetd auth required pam_unix.so try_first_pass
# Don't break startx
xserver auth required pam_permit.so
# XDM is difficult; it fails or moans unless there are modules for each
# of the four management groups; auth, account, session and password.
xdm auth required pam_unix.so
#xdm auth sufficient pam_kerberosIV.so try_first_pass
#xdm auth sufficient pam_krb5.so try_first_pass
xdm account required pam_unix.so try_first_pass
xdm session required pam_deny.so
xdm password required pam_deny.so
# GDM (GNOME Display Manager)
gdm auth required pam_unix.so
#gdm auth sufficient pam_kerberosIV.so try_first_pass
#gdm auth sufficient pam_krb5.so try_first_pass
gdm account required pam_unix.so try_first_pass
gdm session required pam_permit.so
gdm password required pam_deny.so
# Mail services
imap auth required pam_unix.so try_first_pass
pop3 auth required pam_unix.so try_first_pass
# If we don't match anything else, default to using getpwnam().
other auth sufficient pam_skey.so
other auth required pam_unix.so try_first_pass
other account required pam_unix.so try_first_pass
========================================================================
/etc/adduser.conf
========================================================================
#
# /etc/adduser.conf - automatic generated by adduser(8)
#
# Note: adduser read *and* write this file.
# You may change values, but don't add new things before the
# line ``## DO NOT DELETE THIS LINE!''
#
# verbose = [0-2]
verbose = 1
# regular expression usernames are checked against (see perlre(1))
# usernameregexp = 'regexp'
usernameregexp = '^[a-z0-9_][a-z0-9_-]*$'
# use password for new users
# defaultpasswd = yes | no
defaultpasswd = yes
# copy dotfiles from this dir ("/usr/share/skel" or "no")
dotdir = "/usr/share/skel"
# send this file to new user ("/etc/adduser.message" or "no")
send_message = "/etc/adduser.message"
# config file for adduser ("/etc/adduser.conf")
config = "/etc/adduser.conf"
# logfile ("/var/log/adduser" or "no")
logfile = "/var/log/adduser"
# default HOME directory ("/home")
home = "/home"
# List of directories where shells located
# path = ('/bin', '/usr/bin', '/usr/local/bin')
path = ('/bin', '/usr/bin', '/usr/local/bin')
# common shell list, first element has higher priority
# shellpref = ('bash', 'tcsh', 'ksh', 'csh', 'sh')
shellpref = ('csh', 'sh', 'bash', 'tcsh', 'ksh', 'no', 'date')
# defaultshell if not empty ("bash")
defaultshell = "sh"
# defaultgroup ('USER' for same as username or any other valid group)
defaultgroup = USER
# defaultclass if not empty
defaultclass = ""
# new users get this uid (1000)
uid_start = "1000"
## DO NOT DELETE THIS LINE!
## your own variables, see /etc/adduser.message
## end
========================================================================
root:mail root # uname -a
FreeBSD mail.bsbsolutions.com.br 4.9-RELEASE FreeBSD 4.9-RELEASE #0: Wed
Nov 5 12:22:35 GMT 2003
root at mail.bsbsolutions.com.br:/usr/src/sys/compile/integer-4.9 i386
Ivo R. Tonev
ivo at tonev.pro.br
integer at bsbsolutions.com.br
More information about the freebsd-bugs
mailing list