Diffstat (limited to 'contrib/libpam/doc/modules')
31 files changed, 1151 insertions, 96 deletions
diff --git a/contrib/libpam/doc/modules/README b/contrib/libpam/doc/modules/README index b97b2cd501b96..b6587f508c258 100644 --- a/contrib/libpam/doc/modules/README +++ b/contrib/libpam/doc/modules/README @@ -1,4 +1,4 @@ -$Id: README,v 1.2 1996/11/17 17:20:28 morgan Exp $ +$Id: README,v 1.1.1.1 2000/06/20 22:10:58 agmorgan Exp $ This directory contains a number of sgml sub-files. One for each documented module. They contain a description of each module and give diff --git a/contrib/libpam/doc/modules/module.sgml-template b/contrib/libpam/doc/modules/module.sgml-template index 53cd809f338dc..3fffc754b0472 100644 --- a/contrib/libpam/doc/modules/module.sgml-template +++ b/contrib/libpam/doc/modules/module.sgml-template @@ -1,9 +1,9 @@ <!-- - $Id: module.sgml-template,v 1.1 1996/11/30 20:59:32 morgan Exp $ + $Id: module.sgml-template,v 1.2 2001/02/11 07:52:56 agmorgan Exp $ This template file was written by Andrew G. Morgan - <morgan@parc.power.net> + <morgan@kernel.org> [ Text that should be deleted/replaced, is enclosed within diff --git a/contrib/libpam/doc/modules/pam_access.sgml b/contrib/libpam/doc/modules/pam_access.sgml new file mode 100644 index 0000000000000..00c7ea169d002 --- /dev/null +++ b/contrib/libpam/doc/modules/pam_access.sgml 
@@ -0,0 +1,108 @@ +<!-- + + pam_access module docs added by Tim Berger <timb@transmeta.com> + +--> + +<sect1> The access module + +<sect2>Synopsis + +<p> +<descrip> + +<tag><bf>Module Name:</bf></tag> + +<tt>pam_access</tt> + + +<tag><bf>Author[s]:</bf></tag> + +Alexei Nogin <alexei@nogin.dnttm.ru> + +<tag><bf>Maintainer:</bf></tag> + +Author + +<tag><bf>Management groups provided:</bf></tag> + +account + +<tag><bf>Cryptographically sensitive:</bf></tag> + +<tag><bf>Security rating:</bf></tag> + +<tag><bf>Clean code base:</bf></tag> + +<tag><bf>System dependencies:</bf></tag> +Requires a configuration file. By default +<tt>/etc/security/access.conf</tt> is used but this can be overridden. + +<tag><bf>Network aware:</bf></tag> + +Through <tt/PAM_TTY/ if set, otherwise attempts getting tty name of +the stdin file descriptor with <tt/ttyname()/. Standard +gethostname(), <tt/yp_get_default_domain()/, <tt/gethostbyname()/ +calls. <bf/NIS/ is used for netgroup support. + +</descrip> + +<sect2>Overview of module + +<p> +Provides logdaemon style login access control. + +<sect2> Account component + +<p> +<descrip> + +<tag><bf>Recognized arguments:</bf></tag> + +<tt>accessfile=<it>/path/to/file.conf</it></tt> + +<tag><bf>Description:</bf></tag> + +This module provides logdaemon style login access control based on +login names and on host (or domain) names, internet addresses (or +network numbers), or on terminal line names in case of non-networked +logins. Diagnostics are reported through <tt/syslog(3)/. Wietse +Venema's <tt/login_access.c/ from <em/logdaemon-5.6/ is used with +several changes by A. Nogin. + +<p> +The behavior of this module can be modified with the following +arguments: +<itemize> + +<item><tt>accessfile=/path/to/file.conf</tt> - +indicate an alternative <em/access/ configuration file to override +the default. This can be useful when different services need different +access lists. 
+ +</itemize> + +<tag><bf>Examples/suggested usage:</bf></tag> + +Use of module is recommended, for example, on administrative machines +such as <bf/NIS/ servers and mail servers where you need several accounts +active but don't want them all to have login capability. + +For <tt>/etc/pam.d</tt> style configurations where your modules live +in <tt>/lib/security</tt>, start by adding the following line to +<tt>/etc/pam.d/login</tt>, <tt>/etc/pam.d/rlogin</tt>, +<tt>/etc/pam.d/rsh</tt> and <tt>/etc/pam.d/ftp</tt>: + +<tscreen> +<verb> +account required /lib/security/pam_access.so +</verb> +</tscreen> + +Note that use of this module is not effective unless your system ignores +<tt>.rhosts</tt> files. See the the pam_rhosts_auth documentation. + +A sample <tt>access.conf</tt> configuration file is included with the +distribution. + +</descrip> diff --git a/contrib/libpam/doc/modules/pam_chroot.sgml b/contrib/libpam/doc/modules/pam_chroot.sgml index 7f8c4a39b6428..2366880eabfc2 100644 --- a/contrib/libpam/doc/modules/pam_chroot.sgml +++ b/contrib/libpam/doc/modules/pam_chroot.sgml @@ -1,5 +1,5 @@ <!-- - $Id: pam_chroot.sgml,v 1.1 1996/11/30 20:59:32 morgan Exp $ + $Id: pam_chroot.sgml,v 1.1.1.1 2000/06/20 22:10:59 agmorgan Exp $ This file was written by Bruce Campbell <brucec@humbug.org.au> --> diff --git a/contrib/libpam/doc/modules/pam_cracklib.sgml b/contrib/libpam/doc/modules/pam_cracklib.sgml index 4700c2a04f03a..810b261e83e9b 100644 --- a/contrib/libpam/doc/modules/pam_cracklib.sgml +++ b/contrib/libpam/doc/modules/pam_cracklib.sgml @@ -1,5 +1,5 @@ <!-- - $Id: pam_cracklib.sgml,v 1.2 1997/02/15 18:25:44 morgan Exp morgan $ + $Id: pam_cracklib.sgml,v 1.3 2000/12/04 15:23:15 baggins Exp $ This file was written by Andrew G. Morgan <morgan@parc.power.net> long password amendments are from Philip W. Dalrymple III <pwd@mdtsoft.com> 
@@ -48,10 +48,6 @@ Requires the system library <tt/libcrack/ and a system dictionary: <p> This module can be plugged into the <tt/password/ stack of a given application to provide some plug-in strength-checking for passwords. -(XXX - note this does not necessarily work with the pam_unix module, -although it is known to work with the pam_pwdb replacement for the -unix module -- see example and pam_pwdb write up for more -information). <p> This module works in the following manner: it first calls the @@ -70,23 +66,35 @@ Is the new password the the old one with only a change of case? <item> <bf/Similar/ - -Is the new password too much like the old one? This is controlled -by one argument, <tt/difok/ which is a number of characters that if -different between the old and new are enough to accept the new +Is the new password too much like the old one? This is primarily +controlled by one argument, <tt/difok/ which is a number of characters +that if different between the old and new are enough to accept the new password, this defaults to 10 or 1/2 the size of the new password whichever is smaller. -<item <bf/Simple/ - +To avoid the lockup associated with trying to change a long and +complicated password, <tt/difignore/ is available. This argument can +be used to specify the minimum length a new password needs to be +before the <tt/difok/ value is ignored. The default value for +<tt/difignore/ is 23. + + +<item> <bf/Simple/ - Is the new password too small? This is controlled by 5 arguments <tt/minlen/, <tt/dcredit/, <tt/ucredit/, <tt/lcredit/, and <tt/ocredit/. See the section on the arguments for the details of how these work and there defaults. -<item <bf/Rotated/ - +<item> <bf/Rotated/ - Is the new password a rotated version of the old password? +<item> <bf/Already used/ - + +Was the password used in the past? Previously used passwords are to +be found in /etc/security/opasswd. + </itemize> <p> 
@@ -113,6 +121,7 @@ share most of these characters with the old password. <tt/debug/; <tt/type=XXX/; <tt/retry=N/; <tt/difok=N/; <tt/minlen=N/; <tt/dcredit=N/; <tt/ucredit=N/; <tt/lcredit=N/; <tt/ocredit=N/; +<tt/use_authtok/; <tag><bf>Description:</bf></tag> @@ -204,14 +213,16 @@ character will count +1 towards meeting the current <tt/minlen/ value. The default for <tt/ocredit/ is 1 which is the recommended value for <tt/minlen/ less than 10. +<item> <tt/use_authtok/ - + +This argument is used to <em/force/ the module to not prompt the user +for a new password but use the one provided by the previously stacked +<tt/password/ module. + </itemize> <tag><bf>Examples/suggested usage:</bf></tag> -(At the time of writing, this module can only be stacked before the -<tt/pam_pwdb/ module. Cracklib strength checking may be compiled by -default into the <tt/pam_unix/ module.) - <p> For an example of the use of this module, we show how it may be stacked with the password component of <tt/pam_pwdb/: diff --git a/contrib/libpam/doc/modules/pam_deny.sgml b/contrib/libpam/doc/modules/pam_deny.sgml index 99f367156fe58..9fd0ea4358cd5 100644 --- a/contrib/libpam/doc/modules/pam_deny.sgml +++ b/contrib/libpam/doc/modules/pam_deny.sgml @@ -1,5 +1,5 @@ <!-- - $Id: pam_deny.sgml,v 1.3 1997/02/15 18:25:44 morgan Exp morgan $ + $Id: pam_deny.sgml,v 1.1.1.1 2000/06/20 22:11:00 agmorgan Exp $ This file was written by Andrew G. Morgan <morgan@parc.power.net> --> diff --git a/contrib/libpam/doc/modules/pam_env.sgml b/contrib/libpam/doc/modules/pam_env.sgml index a62f4576f1326..a6361cacc76ad 100644 --- a/contrib/libpam/doc/modules/pam_env.sgml +++ b/contrib/libpam/doc/modules/pam_env.sgml @@ -1,5 +1,5 @@ <!-- - $Id: pam_env.sgml,v 1.1 1997/04/05 06:50:42 morgan Exp $ + $Id: pam_env.sgml,v 1.2 2001/03/19 01:46:41 agmorgan Exp $ This file was written by Dave Kinchlea <kinch@kinch.ark.com> Ed. AGM 
@@ -50,7 +50,8 @@ is the use of previously set environment variables as well as <descrip> <tag><bf>Recognized arguments:</bf></tag> -<tt/debug/; <tt/conffile=/<em/configuration-file-name/ +<tt/debug/; <tt/conffile=/<em/configuration-file-name/; +<tt/envfile/=<em/env-file-name/; <tt/readenv/=<em/0|1/ <tag><bf>Description:</bf></tag> This module allows you to (un)set arbitrary environment variables @@ -60,9 +61,9 @@ and/or <em/PAM_ITEM/s. <p> All is controlled via a configuration file (by default, <tt>/etc/security/pam_env.conf</tt> but can be overriden with -<tt>connfile</tt> argument). Each line starts with the variable name, +<tt>conffile</tt> argument). Each line starts with the variable name, there are then two possible options for each variable <bf>DEFAULT</bf> -and <bf>OVERRIDE</bf>. <bf>DEFAULT</bf> allows and administrator to +and <bf>OVERRIDE</bf>. <bf>DEFAULT</bf> allows an administrator to set the value of the variable to some default value, if none is supplied then the empty string is assumed. The <bf>OVERRIDE</bf> option tells pam_env that it should enter in its value (overriding the @@ -88,6 +89,12 @@ space is needed <bf>the full value must be delimited by the quotes and embedded or escaped quotes are not supported</bf>. <p> +This module can also parse a file with simple <tt>KEY=VAL</tt> pairs +on seperate lines (<tt>/etc/environment</tt> by default). You can +change the default file to parse, with the <em/envfile/ flag and turn +it on or off by setting the <em/readenv/ flag to 1 or 0 respectively. + +<p> The behavior of this module can be modified with one of the following flags: 
@@ -102,6 +109,15 @@ flags: the configuration file. This option overrides the default. You must supply a complete path + file name. +<item><tt/envfile=/<em/filename/ +- by default the file <tt>/etc/environment</tt> is used to load KEY=VAL +pairs directly into the env. This option overrides the default. You must +supply a complete path + file name. + +<item><tt/readenv=/<em/0|1/ +- turns on or off the reading of the file specified by envfile (0 is off, +1 is on). By default this option is on. + </itemize> <tag><bf>Examples/suggested usage:</bf></tag> diff --git a/contrib/libpam/doc/modules/pam_filter.sgml b/contrib/libpam/doc/modules/pam_filter.sgml index 99f06ef01b64d..a339be4e0e37a 100644 --- a/contrib/libpam/doc/modules/pam_filter.sgml +++ b/contrib/libpam/doc/modules/pam_filter.sgml @@ -1,5 +1,5 @@ <!-- - $Id: pam_filter.sgml,v 1.2 1997/02/15 18:25:44 morgan Exp $ + $Id: pam_filter.sgml,v 1.2 2001/03/19 01:46:41 agmorgan Exp $ This file was written by Andrew G. Morgan <morgan@parc.power.net> --> @@ -100,8 +100,8 @@ the filter might expect. <p> Permitted values for <tt/X/ are <tt/1/ and <tt/2/. These indicate the -precise time the that filter is to be run. To explain this concept it -will be useful to have read the Linux-PAM Module developer's +precise time that the filter is to be run. To understand this concept +it will be useful to have read the Linux-PAM Module developer's guide. Basically, for each management group there are up to two ways of calling the module's functions. diff --git a/contrib/libpam/doc/modules/pam_ftp.sgml b/contrib/libpam/doc/modules/pam_ftp.sgml index ca2e065d0122a..81a2868dfed09 100644 --- a/contrib/libpam/doc/modules/pam_ftp.sgml +++ b/contrib/libpam/doc/modules/pam_ftp.sgml 
@@ -1,7 +1,7 @@ <!-- - $Id: pam_ftp.sgml,v 1.1 1996/11/30 20:59:32 morgan Exp $ + $Id: pam_ftp.sgml,v 1.2 2001/03/19 01:46:41 agmorgan Exp $ - This file was written by Andrew G. Morgan <morgan@parc.power.net> + This file was written by Andrew G. Morgan <morgan@linux.kernel.org> --> <sect1>Anonymous access module @@ -15,7 +15,7 @@ <tt/pam_ftp.so/ <tag><bf>Author:</bf></tag> -Andrew G. Morgan <morgan@parc.power.net> +Andrew G. Morgan <morgan@linux.kernel.org> <tag><bf>Maintainer:</bf></tag> Author. @@ -56,7 +56,7 @@ mode of access. This module intercepts the user's name and password. If the name is ``<tt/ftp/'' or ``<tt/anonymous/'', the user's password is broken up -at the `<tt/@/' delimiter into a <tt/PAM_RUSER/ and a <tt/PAM_RHOST/ +at the `<tt/@/' delimiter into a <tt/PAM_RUSER/ and a <tt/PAM_RHOST/ part; these pam-items being set accordingly. The username is set to ``<tt/ftp/''. In this case the module succeeds. Alternatively, the module sets the <tt/PAM_AUTHTOK/ item with the entered password and diff --git a/contrib/libpam/doc/modules/pam_group.sgml b/contrib/libpam/doc/modules/pam_group.sgml index 360edee06afb6..517da4e9e2a74 100644 --- a/contrib/libpam/doc/modules/pam_group.sgml +++ b/contrib/libpam/doc/modules/pam_group.sgml @@ -1,5 +1,5 @@ <!-- - $Id: pam_group.sgml,v 1.2 1997/01/04 20:50:10 morgan Exp $ + $Id: pam_group.sgml,v 1.1.1.1 2000/06/20 22:11:01 agmorgan Exp $ This file was written by Andrew G. Morgan <morgan@parc.power.net> --> diff --git a/contrib/libpam/doc/modules/pam_issue.sgml b/contrib/libpam/doc/modules/pam_issue.sgml new file mode 100644 index 0000000000000..1f617e3b870ec --- /dev/null +++ b/contrib/libpam/doc/modules/pam_issue.sgml 
@@ -0,0 +1,120 @@ +<!-- + +Ben Collins <bcollins@debian.org> + +--> + +<sect1>Add issue file to user prompt + +<sect2>Synopsis + +<p> +<descrip> + +<tag><bf>Module Name:</bf></tag> +<tt/pam_issue/ + +<tag><bf>Author:</bf></tag> +Ben Collins <bcollins@debian.org> + +<tag><bf>Maintainer:</bf></tag> +Author + +<tag><bf>Management groups provided:</bf></tag> +Authentication (pam_sm_authenticate) + +<tag><bf>Cryptographically sensitive:</bf></tag> + +<tag><bf>Security rating:</bf></tag> + +<tag><bf>Clean code base:</bf></tag> + +<tag><bf>System dependencies:</bf></tag> + +<tag><bf>Network aware:</bf></tag> + +</descrip> + +<sect2>Overview of module + +<p> +This module prepends the issue file (<em>/etc/issue</em> by default) when +prompting for a username. + +<sect2>Authentication component + +<p> +<descrip> + +<tag><bf>Recognized arguments:</bf></tag> +<tt/issue=issue-file-name/; <tt/noesc/; + +<tag><bf>Description:</bf></tag> +This module allows you to prepend an issue file to the username prompt. It +also by default parses escape codes in the issue file similar to some +common getty's (using \x format). +<p> +Recognized escapes: +<itemize> + +<item><tt/d/ +- current date + +<item><tt/s/ +- operating system name + +<item><tt/l/ +- name of this tty + +<item><tt/m/ +- architecture of this system (i686, sparc, powerpc, ...) + +<item><tt/n/ +- hostname of this system + +<item><tt/o/ +- domainname of this system + +<item><tt/r/ +- release number of the operation system (eg. 2.2.12) + +<item><tt/t/ +- current time + +<item><tt/u/ +- number of users currently logged in + +<item><tt/U/ +- same as <tt/u/, except it is suffixed with "user" or "users" (eg. "1 +user" or "10 users" + +<item><tt/v/ +- version/build-date of the operating system (eg. "#3 Mon Aug 23 14:38:16 +EDT 1999" on Linux). 
+ +</itemize> + +<p> +The behavior of this module can be modified with one of the following +flags: + +<p> +<itemize> + +<item><tt/issue/ +- the file to output if not using the default + +<item><tt/noesc/ +- turns off escape code parsing + +</itemize> + +<tag><bf>Examples/suggested usage:</bf></tag> + +login auth pam_issue.so issue=/etc/issue + +</descrip> + +<!-- +End of sgml insert for this module. +--> diff --git a/contrib/libpam/doc/modules/pam_krb4.sgml b/contrib/libpam/doc/modules/pam_krb4.sgml index edb87d1a05844..51a46522890cb 100644 --- a/contrib/libpam/doc/modules/pam_krb4.sgml +++ b/contrib/libpam/doc/modules/pam_krb4.sgml @@ -1,5 +1,5 @@ <!-- - $Id: pam_krb4.sgml,v 1.1 1996/11/30 20:59:32 morgan Exp $ + $Id: pam_krb4.sgml,v 1.1.1.1 2000/06/20 22:11:01 agmorgan Exp $ This file was written by Derrick J. Brashear <shadow@DEMENTIA.ORG> --> diff --git a/contrib/libpam/doc/modules/pam_lastlog.sgml b/contrib/libpam/doc/modules/pam_lastlog.sgml index 8c0e662c3cf93..451bfaa2fda6f 100644 --- a/contrib/libpam/doc/modules/pam_lastlog.sgml +++ b/contrib/libpam/doc/modules/pam_lastlog.sgml @@ -1,7 +1,7 @@ <!-- - $Id: pam_mail.sgml,v 1.2 1997/02/15 18:25:44 morgan Exp $ + $Id: pam_lastlog.sgml,v 1.2 2001/02/17 01:55:38 agmorgan Exp $ - This file was written by Andrew G. Morgan <morgan@parc.power.net> + This file was written by Andrew G. Morgan <morgan@kernel.org> --> <sect1>The last login module @@ -15,7 +15,7 @@ <tt/pam_lastlog/ <tag><bf>Author:</bf></tag> -Andrew G. Morgan <morgan@parc.power.net> +Andrew G. Morgan <morgan@kernel.org> <tag><bf>Maintainer:</bf></tag> Author @@ -30,7 +30,7 @@ auth <tag><bf>Clean code base:</bf></tag> <tag><bf>System dependencies:</bf></tag> -uses information contained in the <tt>/var/log/wtmp</tt> file. +uses information contained in the <tt>/var/log/lastlog</tt> file. <tag><bf>Network aware:</bf></tag> 
@@ -39,14 +39,14 @@ uses information contained in the <tt>/var/log/wtmp</tt> file. <sect2>Overview of module <p> -This session module maintains the <tt>/var/log/wtmp</tt> file. Adding +This session module maintains the <tt>/var/log/lastlog</tt> file. Adding an open entry when called via the <tt>pam_open_seesion()</tt> function and completing it when <tt>pam_close_session()</tt> is called. This module can also display a line of information about the last login of the user. If an application already performs these tasks, it is not necessary to use this module. -<sect2>Authentication component +<sect2>Session component <p> <descrip> @@ -61,7 +61,7 @@ necessary to use this module. This module can be used to provide a ``Last login on ...'' message. when the user logs into the system from what ever application uses the PAM libraries. In addition, the module maintains the -<tt>/var/log/wtmp</tt> file. +<tt>/var/log/lastlog</tt> file. <p> The behavior of this module can be modified with one of the following @@ -85,10 +85,10 @@ attempt. <item><tt/silent/ - neglect to inform the user about any previous login: just update -the <tt>/var/log/wtmp</tt> file. +the <tt>/var/log/lastlog</tt> file. <item><tt/never/ -- if the <tt>/var/log/wtmp</tt> file does not contain any old entries +- if the <tt>/var/log/lastlog</tt> file does not contain any old entries for the user, indicate that the user has never previously logged in with a ``welcome..." message. @@ -98,13 +98,13 @@ with a ``welcome..." message. This module can be used to indicate that the user has new mail when they <em/login/ to the system. Here is a sample entry for your -<tt>/etc/pam.conf</tt> file: +<tt>/etc/pam.d/XXX</tt> file: <tscreen> <verb> # -# do we have any mail? +# When were we last here? # -login session optional pam_lastlog.so +session optional pam_lastlog.so </verb> </tscreen> 
diff --git a/contrib/libpam/doc/modules/pam_limits.sgml b/contrib/libpam/doc/modules/pam_limits.sgml index 6b98ea64fcbd1..c4bdb4df503e7 100644 --- a/contrib/libpam/doc/modules/pam_limits.sgml +++ b/contrib/libpam/doc/modules/pam_limits.sgml @@ -1,5 +1,5 @@ <!-- - $Id: pam_limits.sgml,v 1.2 1997/02/15 18:25:44 morgan Exp $ + $Id: pam_limits.sgml,v 1.4 2001/03/29 04:21:16 agmorgan Exp $ This file was written by Andrew G. Morgan <morgan@parc.power.net> from information compiled by Cristian Gafton (author of module) @@ -74,6 +74,12 @@ verbose logging to <tt/syslog(3)/. <item><tt>conf=/path/to/file.conf</tt> - indicate an alternative <em/limits/ configuration file to the default. +<item><tt/change_uid/ - +change real uid to the user for who the limits are set up. Use this +option if you have problems like login not forking a shell for user +who has no processes. Be warned that something else may break when +you do this. + </itemize> <tag><bf>Examples/suggested usage:</bf></tag> @@ -103,7 +109,7 @@ The fields listed above should be filled as follows...<newline> </itemize> <p> -<tt><type></tt> can have the two values: +<tt><type></tt> can have the three values: <itemize> <item> <tt/hard/ for enforcing <em/hard/ resource limits. These limits @@ -116,6 +122,9 @@ by any pre-exisiting <em/hard/ limits. The values specified with this token can be thought of as <em/default/ values, for normal system usage. +<item> <tt/-/ for enforcing both <em/soft/ and <em/hard/ limits +together. + </itemize> <p> 
@@ -132,15 +141,22 @@ usage. <item><tt/nproc/ - max number of processes <item><tt/as/ - address space limit <item><tt/maxlogins/ - max number of logins for this user. +<item><tt/priority/ - the priority to run user process with </itemize> <p> -To completely disable limits for a user (or a group), a single dash -(-) will do (Example: ``<tt/bin -/'', ``<tt/@admin -/''). Please -remember that individual limits have priority over group limits, so if -you impose no limits for <tt/admin/ group, but one of the members in this -group have a limits line, the user will have its limits set according -to this line. +Note, if you specify a type of ``-'' but neglect to supply the +<tt/item/ and <tt/value/ fields then the module will never enforce any +limits on the corresponding user/group-members etc. . Note, the first +entry of the form which applies to the authenticating user will +override all other entries in the limits configuration file. In such +cases, the <tt/pam_limits/ module will always return <tt/PAM_SUCCESS/. + +<p> +In general, individual limits have priority over group limits, so if +you impose no limits for <tt/admin/ group, but one of the members in +this group have a limits line, the user will have its limits set +according to this line. <p> Also, please note that all limit settings are set <em/per login/. @@ -173,11 +189,11 @@ ftp hard nproc 0 </tscreen> Note, the use of <tt/soft/ and <tt/hard/ limits for the same resource (see <tt/@faculty/) -- this establishes the <em/default/ and permitted -<em/extreme/ level of resources that the user can can obtain in a -given service-session. +<em/extreme/ level of resources that the user can obtain in a given +service-session. <p> -For the services that need resources limits (login for example) put a +For the services that need resources limits (login for example) put the following line in <tt>/etc/pam.conf</tt> as the last line for that service (usually after the pam_unix session line: <tscreen> 
diff --git a/contrib/libpam/doc/modules/pam_listfile.sgml b/contrib/libpam/doc/modules/pam_listfile.sgml index fe4a0d27cc2ef..1284d1b6ab75d 100644 --- a/contrib/libpam/doc/modules/pam_listfile.sgml +++ b/contrib/libpam/doc/modules/pam_listfile.sgml @@ -1,5 +1,5 @@ <!-- - $Id: pam_listfile.sgml,v 1.3 1997/02/15 18:25:44 morgan Exp $ + $Id: pam_listfile.sgml,v 1.2 2001/03/19 01:46:41 agmorgan Exp $ This file was written by Michael K. Johnson <johnsonm@redhat.com> --> @@ -111,8 +111,8 @@ Note, users listed in <tt>/etc/ftpusers</tt> file are (counterintuitively) <bf/not/ allowed access to the ftp service. <p> -To allow login access only for certain users, you can use an -pam.conf entry like this: +To allow login access only for certain users, you can use a +<tt/pam.conf/ entry like this: <tscreen> <verb> # diff --git a/contrib/libpam/doc/modules/pam_mail.sgml b/contrib/libpam/doc/modules/pam_mail.sgml index 9a99f2064c369..65937a9f8dda8 100644 --- a/contrib/libpam/doc/modules/pam_mail.sgml +++ b/contrib/libpam/doc/modules/pam_mail.sgml @@ -1,7 +1,7 @@ <!-- - $Id: pam_mail.sgml,v 1.2 1997/02/15 18:25:44 morgan Exp $ + $Id: pam_mail.sgml,v 1.3 2001/03/19 01:46:41 agmorgan Exp $ - This file was written by Andrew G. Morgan <morgan@parc.power.net> + This file was written by Andrew G. Morgan <morgan@linux.kernel.org> --> <sect1>The mail module @@ -15,13 +15,14 @@ <tt/pam_mail/ <tag><bf>Author:</bf></tag> -Andrew G. Morgan <morgan@parc.power.net> +Andrew G. Morgan <morgan@linux.kernel.org> <tag><bf>Maintainer:</bf></tag> Author <tag><bf>Management groups provided:</bf></tag> -auth +Authentication (credential) +Session (open) <tag><bf>Cryptographically sensitive:</bf></tag> 
@@ -42,14 +43,15 @@ Default mail directory <tt>/var/spool/mail/</tt> This module looks at the user's mail directory and indicates whether the user has any mail in it. -<sect2>Authentication component +<sect2>Session component <p> <descrip> <tag><bf>Recognized arguments:</bf></tag> -<tt/debug/; <tt/dir=/<em/direcory-name/; <tt/nopen/; <tt/close/; -<tt/noenv/; <tt/empty/ +<tt/debug/; <tt/dir=/<em/directory-name/; <tt/nopen/; <tt/close/; +<tt/noenv/; <tt/empty/; <tt/hash=/<em/hashcount/; <tt/standard/; +<tt/quiet/; <tag><bf>Description:</bf></tag> @@ -60,12 +62,6 @@ user's mail folder. This module also sets the <bf/Linux-PAM/ environment variable, <tt/MAIL/, to the user's mail directory. <p> -Although the module supplies functions for the authentication -management group of functions, it cannot be used to authenticate a -user; its authentication function instructs <tt/libpam/ to simply -ignore it when authenticating the user. - -<p> The behavior of this module can be modified with one of the following flags: @@ -97,6 +93,17 @@ the user's credentials are revoked. - indicate that the user's mail directory is empty if this is found to be the case. +<item><tt/hash=/<em/hashcount/ +- mail directory hash depth. For example, a <em/hashcount/ of 2 would +make the mailfile be <tt>/var/spool/mail/u/s/user</tt>. + +<item><tt/standard/ +- old style "You have..." format which doesn't show the mail spool being used. + this also implies "empty" + +<item><tt/quiet/ +- only report when there is new mail. + </itemize> <tag><bf>Examples/suggested usage:</bf></tag> 
@@ -109,16 +116,27 @@ they <em/login/ to the system. Here is a sample entry for your # # do we have any mail? # -login auth optional pam_mail.so +login session optional pam_mail.so </verb> </tscreen> <p> +Note, if the mail spool file (be it <tt>/var/spool/mail/$USER</tt> or +a pathname given with the <tt>dir=</tt> parameter) is a directory then +<tt>pam_mail</tt> assumes it is in the <it>Qmail Maildir</it> format. + +<p> Note, some applications may perform this function themselves. In such cases, this module is not necessary. </descrip> +<sect2>Authentication component + +<p> +Then authentication companent works the same as the session component, +except that everything is done during the <tt>pam_setcred()</tt> phase. + <!-- End of sgml insert for this module. --> diff --git a/contrib/libpam/doc/modules/pam_mkhomedir.sgml b/contrib/libpam/doc/modules/pam_mkhomedir.sgml new file mode 100644 index 0000000000000..075e16f9fc05d --- /dev/null +++ b/contrib/libpam/doc/modules/pam_mkhomedir.sgml 
@@ -0,0 +1,83 @@ +<!-- + +Ben Collins <bcollins@debian.org> + +--> + +<sect1>Create home directories on initial login + +<sect2>Synopsis + +<p> +<descrip> + +<tag><bf>Module Name:</bf></tag> +<tt/pam_mkhomedir/ + +<tag><bf>Author:</bf></tag> +Jason Gunthorpe <jgg@ualberta.ca> + +<tag><bf>Maintainer:</bf></tag> +Ben Collins <bcollins@debian.org> + +<tag><bf>Management groups provided:</bf></tag> +Session + +<tag><bf>Cryptographically sensitive:</bf></tag> + +<tag><bf>Security rating:</bf></tag> + +<tag><bf>Clean code base:</bf></tag> + +<tag><bf>System dependencies:</bf></tag> + +<tag><bf>Network aware:</bf></tag> + +</descrip> + +<sect2>Overview of module + +<p> +Creates home directories on the fly for authenticated users. + +<sect2>Session component + +<p> +<descrip> + +<tag><bf>Recognized arguments:</bf></tag> +<tt/debug/; <tt/skel=skeleton-dir/; <tt/umask=octal-umask/; + +<tag><bf>Description:</bf></tag> +This module is useful for distributed systems where the user account is +managed in a central database (such as NIS, NIS+, or LDAP) and accessed +through miltiple systems. It frees the administrator from having to create +a default home directory on each of the systems by creating it upon the +first succesfully authenticated login of that user. The skeleton directory +(usually /etc/skel/) is used to copy default files and also set's a umask +for the creation. + +<p> +The behavior of this module can be modified with one of the following +flags: + +<p> +<itemize> + +<item><tt/skel/ +- The skeleton directory for default files to copy to the new home directory. + +<item><tt/umask/ +- An octal for of the same format as you would pass to the shells umask command. + +</itemize> + +<tag><bf>Examples/suggested usage:</bf></tag> + +session required pam_mkhomedir.so skel=/etc/skel/ umask=0022 + +</descrip> + +<!-- +End of sgml insert for this module. +--> 
diff --git a/contrib/libpam/doc/modules/pam_motd.sgml b/contrib/libpam/doc/modules/pam_motd.sgml new file mode 100644 index 0000000000000..8ddc63924e785 --- /dev/null +++ b/contrib/libpam/doc/modules/pam_motd.sgml @@ -0,0 +1,77 @@ +<!-- + +Ben Collins <bcollins@debian.org> + +--> + +<sect1>Output the motd file + +<sect2>Synopsis + +<p> +<descrip> + +<tag><bf>Module Name:</bf></tag> +<tt/pam_motd/ + +<tag><bf>Author:</bf></tag> +Ben Collins <bcollins@debian.org> + +<tag><bf>Maintainer:</bf></tag> +Author + +<tag><bf>Management groups provided:</bf></tag> +Session (open) + +<tag><bf>Cryptographically sensitive:</bf></tag> + +<tag><bf>Security rating:</bf></tag> + +<tag><bf>Clean code base:</bf></tag> + +<tag><bf>System dependencies:</bf></tag> + +<tag><bf>Network aware:</bf></tag> + +</descrip> + +<sect2>Overview of module + +<p> +This module outputs the motd file (<em>/etc/motd</em> by default) upon +successful login. + +<sect2>Session component + +<p> +<descrip> + +<tag><bf>Recognized arguments:</bf></tag> +<tt/debug/; <tt/motd=motd-file-name/; + +<tag><bf>Description:</bf></tag> +This module allows you to have arbitrary motd's (message of the day) +output after a succesful login. By default this file is <em>/etc/motd</em>, +but is configurable to any file. + +<p> +The behavior of this module can be modified with one of the following +flags: + +<p> +<itemize> + +<item><tt/motd/ +- the file to output if not using the default. + +</itemize> + +<tag><bf>Examples/suggested usage:</bf></tag> + +login session pam_motd.so motd=/etc/motd + +</descrip> + +<!-- +End of sgml insert for this module. +--> diff --git a/contrib/libpam/doc/modules/pam_nologin.sgml b/contrib/libpam/doc/modules/pam_nologin.sgml index de4b32a8efbd0..963fa4282b4f8 100644 --- a/contrib/libpam/doc/modules/pam_nologin.sgml +++ b/contrib/libpam/doc/modules/pam_nologin.sgml 
@@ -1,5 +1,5 @@ <!-- - $Id: pam_nologin.sgml,v 1.2 1997/01/04 21:56:55 morgan Exp $ + $Id: pam_nologin.sgml,v 1.1.1.1 2000/06/20 22:11:02 agmorgan Exp $ This file was written by Michael K. Johnson <johnsonm@redhat.com> --> diff --git a/contrib/libpam/doc/modules/pam_permit.sgml b/contrib/libpam/doc/modules/pam_permit.sgml index 84df9fc1754f8..2588110ddcd40 100644 --- a/contrib/libpam/doc/modules/pam_permit.sgml +++ b/contrib/libpam/doc/modules/pam_permit.sgml @@ -1,5 +1,5 @@ <!-- - $Id: pam_permit.sgml,v 1.2 1997/02/15 18:20:12 morgan Exp $ + $Id: pam_permit.sgml,v 1.1.1.1 2000/06/20 22:11:02 agmorgan Exp $ This file was written by Andrew G. Morgan <morgan@parc.power.net> --> diff --git a/contrib/libpam/doc/modules/pam_pwdb.sgml b/contrib/libpam/doc/modules/pam_pwdb.sgml index c9f7bff1124a4..625572064bb2d 100644 --- a/contrib/libpam/doc/modules/pam_pwdb.sgml +++ b/contrib/libpam/doc/modules/pam_pwdb.sgml @@ -1,7 +1,7 @@ <!-- - $Id: pam_pwdb.sgml,v 1.3 1997/04/05 06:50:42 morgan Exp morgan $ + $Id: pam_pwdb.sgml,v 1.2 2001/03/19 01:46:41 agmorgan Exp $ - This file was written by Andrew G. Morgan <morgan@parc.power.net> + This file was written by Andrew G. Morgan <morgan@kernel.org> --> <sect1>The Password-Database module @@ -16,7 +16,7 @@ pam_pwdb <tag><bf>Author:</bf></tag> Cristian Gafton <gafton@redhat.com> <newline> -and Andrew G. Morgan <morgan@parc.power.net> +and Andrew G. Morgan <morgan@kernel.org> <tag><bf>Maintainer:</bf></tag> Authors. @@ -44,8 +44,8 @@ This module is a pluggable replacement for the <tt/pam_unix_../ modules. It uses the generic interface of the <em/Password Database/ library <tt><htmlurl -url="http://parc.power.net/morgan/libpwdb/index.html" -name="http://parc.power.net/morgan/libpwdb/index.html"></tt>. +url="http://linux.kernel.org/morgan/libpwdb/index.html" +name="http://linux.kernel.org/morgan/libpwdb/index.html"></tt>. <sect2>Account component 
@@ -101,7 +101,8 @@ login account required pam_pwdb.so <tt/use_first_pass/; <tt/try_first_pass/; <tt/nullok/; -<tt/nodelay/ +<tt/nodelay/; +<tt/likeauth/ <tag><bf>Description:</bf></tag> @@ -141,6 +142,12 @@ it. It is called transparently on behalf of the user by the authenticating component of this module. In this way it is possible for applications like <em>xlock</em> to work without being setuid-root. +<p> +The <tt>likeauth</tt> argument makes the module return the same value +when called as a credential setting module and an authentication +module. This will help libpam take a sane path through the auth +component of your configuration file. + <tag><bf>Examples/suggested usage:</bf></tag> The correct functionality of this module is dictated by having an diff --git a/contrib/libpam/doc/modules/pam_radius.sgml b/contrib/libpam/doc/modules/pam_radius.sgml index 4d5f39ab3422c..8ebfa0a83592f 100644 --- a/contrib/libpam/doc/modules/pam_radius.sgml +++ b/contrib/libpam/doc/modules/pam_radius.sgml @@ -1,5 +1,5 @@ <!-- - $Id: pam_radius.sgml,v 1.2 1997/02/15 18:25:44 morgan Exp $ + $Id: pam_radius.sgml,v 1.2 2001/03/19 01:46:41 agmorgan Exp $ This file was written by Cristian Gafton <gafton@redhat.com> --> @@ -44,7 +44,7 @@ yes; this is a network module (independent of application). <p> This module is intended to provide the session service for users -autheticated with a RADIUS server. At the present stage, the only +authenticated with a RADIUS server. At the present stage, the only option supported is the use of the RADIUS server as an accounting server. @@ -60,7 +60,7 @@ server. <tag><bf>Description:</bf></tag> This module is intended to provide the session service for users -autheticated with a RADIUS server. At the present stage, the only +authenticated with a RADIUS server. At the present stage, the only option supported is the use of the RADIUS server as an <em/accounting/ server. 
diff --git a/contrib/libpam/doc/modules/pam_rhosts.sgml b/contrib/libpam/doc/modules/pam_rhosts.sgml index 91001022a2b0b..520dd4271b88b 100644 --- a/contrib/libpam/doc/modules/pam_rhosts.sgml +++ b/contrib/libpam/doc/modules/pam_rhosts.sgml @@ -1,5 +1,5 @@ <!-- - $Id: pam_rhosts.sgml,v 1.4 1997/04/05 06:50:42 morgan Exp $ + $Id: pam_rhosts.sgml,v 1.1.1.1 2000/06/20 22:11:04 agmorgan Exp $ This file was written by Andrew G. Morgan <morgan@parc.power.net> --> @@ -81,7 +81,8 @@ of independently probing the network connection for such information. <p> In the case of <tt/root/-access, the <tt>/etc/host.equiv</tt> file is -<em/ignored/. Instead, the superuser must have a correctly configured +<em/ignored/ unless the <tt>hosts_equiv_rootok</tt> option +should be used. Instead, the superuser must have a correctly configured personal configuration file. <p> @@ -103,6 +104,12 @@ fix this!) ignore the contents of the <tt>/etc/hosts.equiv</tt> file. <item> +<tt/hosts_equiv_rootok/ - +allow the use of <tt>/etc/hosts.equiv</tt> for superuser. Without this +option <tt>/etc/hosts.equiv</tt> is not consulted for the superuser account. +This option has no effect if the <tt>no_hosts_equiv</tt> option is used. + +<item> <tt/no_rhosts/ - ignore the contents of all user's personal configuration file <tt>~/.rhosts</tt>. diff --git a/contrib/libpam/doc/modules/pam_rootok.sgml b/contrib/libpam/doc/modules/pam_rootok.sgml index ff6aa86e34daa..f7a7259c7652c 100644 --- a/contrib/libpam/doc/modules/pam_rootok.sgml +++ b/contrib/libpam/doc/modules/pam_rootok.sgml @@ -1,5 +1,5 @@ <!-- - $Id: pam_rootok.sgml,v 1.2 1997/02/15 18:25:44 morgan Exp $ + $Id: pam_rootok.sgml,v 1.1.1.1 2000/06/20 22:11:04 agmorgan Exp $ This file was written by Andrew G. Morgan <morgan@parc.power.net> --> diff --git a/contrib/libpam/doc/modules/pam_securetty.sgml b/contrib/libpam/doc/modules/pam_securetty.sgml index 276ae90435c21..fc89af23460a3 100644 --- a/contrib/libpam/doc/modules/pam_securetty.sgml 
+++ b/contrib/libpam/doc/modules/pam_securetty.sgml @@ -1,5 +1,5 @@ <!-- - $Id: pam_securetty.sgml,v 1.1 1996/11/30 20:59:32 morgan Exp $ + $Id: pam_securetty.sgml,v 1.1.1.1 2000/06/20 22:11:04 agmorgan Exp $ This file was written by Michael K. Johnson <johnsonm@redhat.com> --> diff --git a/contrib/libpam/doc/modules/pam_tally.sgml b/contrib/libpam/doc/modules/pam_tally.sgml new file mode 100644 index 0000000000000..aca41bbde0f06 --- /dev/null +++ b/contrib/libpam/doc/modules/pam_tally.sgml 
@@ -0,0 +1,191 @@ +<!-- + + $Id: pam_tally.sgml,v 1.1 2001/02/11 07:52:56 agmorgan Exp $ + + This template file was written by Andrew G. Morgan <morgan@kernel.org> + adapted from text provided by Tim Baverstock. +--> + +<sect1>The login counter (tallying) module + +<sect2>Synopsis + +<p> +<descrip> + +<tag><bf>Module Name:</bf></tag> +pam_tally + +<tag><bf>Author[s]:</bf></tag> +Tim Baverstock + +<tag><bf>Maintainer:</bf></tag> + +<tag><bf>Management groups provided:</bf></tag> +auth; account + +<tag><bf>Cryptographically sensitive:</bf></tag> + +<tag><bf>Security rating:</bf></tag> + +<tag><bf>Clean code base:</bf></tag> + +<tag><bf>System dependencies:</bf></tag> +A faillog file (default location /var/log/faillog) + +<tag><bf>Network aware:</bf></tag> + +</descrip> + +<sect2>Overview of module + +<p> +This module maintains a count of attempted accesses, can reset count +on success, can deny access if too many attempts fail. + +<p> +pam_tally comes in two parts: <tt>pam_tally.so</tt> and +<tt>pam_tally</tt>. The former is the PAM module and the latter, a +stand-alone program. <tt>pam_tally</tt> is an (optional) application +which can be used to interrogate and manipulate the counter file. It +can display users' counts, set individual counts, or clear all +counts. Setting artificially high counts may be useful for blocking +users without changing their passwords. For example, one might find it +useful to clear all counts every midnight from a cron job. + +<p> +The counts file is organized as a binary-word array, indexed by +uid. You can probably make sense of it with <tt>od</tt>, if you don't +want to use the supplied appliction. + +<p> +Note, there are some outstanding issues with this module: +<tt>pam_tally</tt> is very dependant on <tt>getpw*()</tt> - a database +of usernames would be much more flexible; the `keep a count of current +logins' bit has been <tt>#ifdef</tt>'d out and you can only reset the +counter on successful authentication, for now. 
+ +<sect3>Generic options accepted by both components +<p> +<itemize> +<item> <tt>onerr=</tt>(<tt>succeed</tt>|<tt>fail</tt>): + if something weird happens, such as unable to open the file, how + should the module react? +<item> <tt>file=</tt><em>/where/to/keep/counts</em>: + specify the file location for the counts. + The default location is <tt>/var/log/faillog</tt>. +</itemize> + +<sect2>Authentication component + +<p> +<descrip> + +<tag><bf>Recognized arguments:</bf></tag> +<tt>onerr=</tt>(<tt>succeed</tt>|<tt>fail</tt>); +<tt>file=</tt>/where/to/keep/counts; +<tt>no_magic_root</tt> + +<tag><bf>Description:</bf></tag> + +<p> +The authentication component of this module increments the attempted +login counter. + +<p> +<tag><bf>Examples/suggested usage:</bf></tag> + +<p> +The module argument <tt>no_magic_root</tt> is used to indicate that if +the module is invoked by a user with uid=0, then the counter is +incremented. The sys-admin should use this for daemon-launched +services, like <tt>telnet</tt>/<tt>rsh</tt>/<tt>login</tt>. For user +launched services, like <tt>su</tt>, this argument should be omitted. + +<p> +By way of more explanation, when a process already running as root +tries to access some service, the access is <em>magic</em>, and +bypasses <tt>pam_tally</tt>'s checks: this is handy for <tt>su</tt>ing +from root into an account otherwise blocked. However, for services +like <tt>telnet</tt> or <tt>login</tt>, which always effectively run +from the root account, root (ie everyone) shouldn't be granted this +magic status, and the flag `no_magic_root' should be set in this +situation, as noted in the summary above. 
+ +</descrip> + +<sect2>Account component + +<p> +<descrip> + +<tag><bf>Recognized arguments:</bf></tag> +<tt>onerr=</tt>(<tt>succeed</tt>|<tt>fail</tt>); +<tt>file=</tt>/where/to/keep/counts; +<tt>deny=</tt><em>n</em>; +<tt>no_magic_root</tt>; +<tt>even_deny_root_account</tt>; +<tt>reset</tt>; +<tt>no_reset</tt>; +<tt>per_user</tt>; +<tt>no_lock_time</tt> + +<tag><bf>Description:</bf></tag> + +<p> +The account component can deny access and/or reset the attempts +counter. It also checks to make sure that the counts file is a plain +file and not world writable. + +<tag><bf>Examples/suggested usage:</bf></tag> + +<p> +The <tt>deny=</tt><em>n</em> option is used to deny access if tally +for this user exceeds <em>n</em>. The presence of +<tt>deny=</tt><em>n</em> changes the default for +<tt>reset</tt>/<tt>no_reset</tt> to <tt>reset</tt>, unless the user +trying to gain access is root and the <tt>no_magic_root</tt> option +has NOT been specified. + +<p> +The <tt>no_magic_root</tt> option ensures that access attempts by root +DON'T ignore deny. Use this for daemon-based stuff, like +<tt>telnet</tt>/<tt>rsh</tt>/<tt>login</tt>. + +<p> +The <tt>even_deny_root_account</tt> option is used to ensure that the +root account can become unavailable. <bf>Note</bf> that magic root +trying to gain root bypasses this, but normal users can be locked out. + +<p> +The <tt>reset</tt> option instructs the module to reset count to 0 on +successful entry, even for magic root. The <tt>no_reset</tt> option is +used to instruct the module to not reset the count on successful +entry. This is the default unless <tt>deny</tt> exists and the user +attempting access is NOT magic root. + +<p> +If <tt>/var/log/faillog</tt> contains a non-zero <tt>.fail_max</tt> +field for this user then the <tt>per_user</tt> module argument will +ensure that the module uses this value and not the global +<tt>deny=</tt><em>n</em> parameter. 
+ +<p> +The <tt>no_lock_time</tt> option is for ensuring that the module does +not use the <tt>.fail_locktime</tt> field in /var/log/faillog for this +user. + +<p> +Normally, failed attempts to access root will <bf>NOT</bf> cause the +root account to become blocked, to prevent denial-of-service: if your +users aren't given shell accounts and root may only login via +<tt>su</tt> or at the machine console (not +<tt>telnet</tt>/<tt>rsh</tt>, etc), this is safe. If you really want +root to be blocked for some given service, use +<tt>even_deny_root_account</tt>. + +</descrip> + +<!-- +End of sgml insert for this module. +--> diff --git a/contrib/libpam/doc/modules/pam_time.sgml b/contrib/libpam/doc/modules/pam_time.sgml index 0b3cddfcb44ad..8889c4501dea2 100644 --- a/contrib/libpam/doc/modules/pam_time.sgml +++ b/contrib/libpam/doc/modules/pam_time.sgml @@ -1,5 +1,5 @@ <!-- - $Id: pam_time.sgml,v 1.2 1997/02/15 18:25:44 morgan Exp $ + $Id: pam_time.sgml,v 1.2 2001/03/19 01:46:41 agmorgan Exp $ This file was written by Andrew G. Morgan <morgan@parc.power.net> --> @@ -142,7 +142,7 @@ Some examples of rules that can be placed in the <tt>/etc/security/time.conf</tt> configuration file are the following: <descrip> -<tag><tt>login ; tty* & ; !ttyp* ; !root ; !Al0000-2400</tt></tag> +<tag><tt>login ; tty* & !ttyp* ; !root ; !Al0000-2400</tt></tag> all users except for <tt/root/ are denied access to console-login at all times. diff --git a/contrib/libpam/doc/modules/pam_unix.sgml b/contrib/libpam/doc/modules/pam_unix.sgml new file mode 100644 index 0000000000000..71cb07e32863b --- /dev/null +++ b/contrib/libpam/doc/modules/pam_unix.sgml 
@@ -0,0 +1,288 @@ +<!-- + This file was written by Andrew G. Morgan <morgan@linux.kernel.org> + + Converted from the pam_pwdb.sgml file for pam_unix by Ben Collins <bcollins@debian.org> +--> + +<sect1>The Unix Password module + +<sect2>Synopsis + +<p> +<descrip> + +<tag><bf>Module Name:</bf></tag> +pam_unix + +<tag><bf>Author:</bf></tag> + +<tag><bf>Maintainer:</bf></tag> + +<tag><bf>Management groups provided:</bf></tag> +account; authentication; password; session + +<tag><bf>Cryptographically sensitive:</bf></tag> + +<tag><bf>Security rating:</bf></tag> + +<tag><bf>Clean code base:</bf></tag> + +<tag><bf>System dependencies:</bf></tag> + +<tag><bf>Network aware:</bf></tag> + +</descrip> + +<sect2>Overview of module + +<p> +This is the standard Unix authentication module. It uses standard calls +from the system's libraries to retrieve and set account information as +well as authentication. Usually this is obtained from the /etc/passwd +and the /etc/shadow file as well if shadow is enabled. + +<sect2>Account component + +<p> +<descrip> + +<tag><bf>Recognized arguments:</bf></tag> +<tt/debug/; <tt/audit/ + +<tag><bf>Description:</bf></tag> + +The <tt/debug/ argument makes the accounting functions of this module +<tt/syslog(3)/ more information on its actions. (Remaining arguments +supported by the other functions of this module are silently ignored, +but others are logged as errors through <tt/syslog(3)/). The <tt/audit/ +argument causes even more logging. + +Based on the following <tt/shadow/ elements: +<tt/expire/; +<tt/last_change/; +<tt/max_change/; +<tt/min_change/; +<tt/warn_change/, +this module performs the task of establishing the status of the user's +account and password. In the case of the latter, it may offer advice +to the user on changing their password or, through the +<tt/PAM_AUTHTOKEN_REQD/ return, delay giving service to the user until +they have established a new password. 
The entries listed above are +documented in the <em/GNU Libc/ info documents. Should the user's record +not contain one or more of these entries, the corresponding <em/shadow/ +check is not performed. + +<tag><bf>Examples/suggested usage:</bf></tag> + +In its accounting mode, this module can be inserted as follows: +<tscreen> +<verb> +# +# Ensure users account and password are still active +# +login account required pam_unix.so +</verb> +</tscreen> + +</descrip> + +<sect2>Authentication component + +<p> +<descrip> + +<tag><bf>Recognized arguments:</bf></tag> +<tt/debug/; +<tt/audit/; +<tt/use_first_pass/; +<tt/try_first_pass/; +<tt/nullok/; +<tt/nodelay/ + +<tag><bf>Description:</bf></tag> + +The <tt/debug/ argument makes the authentication functions of this +module <tt/syslog(3)/ more information on its actions. The <tt/audit/ +causes even more information to be logged. + +<p> +The default action of this module is to not permit the user access to +a service if their <em/official/ password is blank. The <tt/nullok/ +argument overrides this default. + +<p> +When given the argument <tt/try_first_pass/, before prompting the user +for their password, the module first tries the previous stacked +<tt/auth/-module's password in case that satisfies this module as +well. The argument <tt/use_first_pass/ forces the module to use such a +recalled password and will never prompt the user - if no password is +available or the password is not appropriate, the user will be denied +access. + +<p> +The argument, <tt>nodelay</tt>, can be used to discourage the +authentication component from requesting a delay should the +authentication as a whole fail. The default action is for the module +to request a delay-on-failure of the order of one second. + +<p> +Remaining arguments, supported by the other functions of this module, +are silently ignored. Other arguments are logged as errors through +<tt/syslog(3)/. 
+ +<p> +A helper binary, <tt>unix_chkpwd</tt>, is provided to check the user's +password when it is stored in a read protected database. This binary +is very simple and will only check the password of the user invoking +it. It is called transparently on behalf of the user by the +authenticating component of this module. In this way it is possible +for applications like <em>xlock</em> to work without being setuid-root. + +<tag><bf>Examples/suggested usage:</bf></tag> + +The correct functionality of this module is dictated by having an +appropriate <tt>/etc/nsswitch.conf</tt> file, the user +databases specified there dictate the source of the authenticated +user's record. +<p> +In its authentication mode, this module can be inserted as follows: +<tscreen> +<verb> +# +# Authenticate the user +# +login auth required pam_unix.so +</verb> +</tscreen> + +</descrip> + +<sect2>Password component + +<p> +<descrip> + +<tag><bf>Recognized arguments:</bf></tag> +<tt/debug/; +<tt/audit/; +<tt/nullok/; +<tt/not_set_pass/; +<tt/use_authtok/; +<tt/try_first_pass/; +<tt/use_first_pass/; +<tt/md5/; +<tt/bigcrypt/; +<tt/shadow/; +<tt/nis/; +<tt/remember/ + +<tag><bf>Description:</bf></tag> + +This part of the <tt/pam_unix/ module performs the task of updating +the user's password. + +<p> +In the case of conventional unix databases (which store the password +encrypted) the <tt/md5/ argument is used to do the encryption with the +MD5 function as opposed to the <em/conventional/ <tt/crypt(3)/ call. +As an alternative to this, the <tt/bigcrypt/ argument can be used to +encrypt more than the first 8 characters of a password with DEC's +(Digital Equipment Cooperation) `C2' extension to the standard UNIX +<tt/crypt()/ algorithm. + +<p> +The <tt/nullok/ argument is used to permit the changing of a password +<em/from/ an empty one. Without this argument, empty passwords are +treated as account-locking ones. 
+ +<p> +The argument <tt/use_first_pass/ is used to lock the choice of old and +new passwords to that dictated by the previously stacked <tt/password/ +module. The <tt/try_first_pass/ argument is used to avoid the user +having to re-enter an old password when <tt/pam_unix/ follows a module +that possibly shared the user's old password - if this old password is +not correct the user will be prompted for the correct one. The +argument <tt/use_authtok/ is used to <em/force/ this module to set the +new password to the one provided by the previously stacked +<tt/password/ module (this is used in an example of the stacking of +the <em/Cracklib/ module documented above). + +<p> +The <tt/not_set_pass/ argument is used to inform the module that it is +not to pay attention to/make available the old or new passwords from/to +other (stacked) password modules. + +<p> +The <tt/debug/ argument makes the password functions of this module +<tt/syslog(3)/ more information on its actions. Other arguments may be +logged as erroneous to <tt/syslog(3)/. The <tt/audit/ argument causes +even more information to be logged. + +<p> +With the <tt/nis/ argument, <tt/pam_unix/ will attempt to use NIS RPC +for setting new passwords. + +<p> +The <tt/remember/ argument takes one value. This is the number of most +recent passwords to save for each user. These are saved in +<tt>/etc/security/opasswd</tt> in order to force password change history +and keep the user from alternating between the same password too frequently. 
+ +<tag><bf>Examples/suggested usage:</bf></tag> + +Standard usage: +<tscreen> +<verb> +# +# Change the users password +# +passwd password required pam_unix.so +</verb> +</tscreen> + +<p> +An example of the stacking of this module with respect to the +pluggable password checking module, <tt/pam_cracklib/: +<tscreen> +<verb> +# +# Change the users password +# +passwd password required pam_cracklib.so retry=3 minlen=6 difok=3 +passwd password required pam_unix.so use_authtok nullok md5 +</verb> +</tscreen> + +</descrip> + +<sect2>Session component + +<p> +<descrip> + +<tag><bf>Recognized arguments:</bf></tag> + +<tag><bf>Description:</bf></tag> + +No arguments are recognized by this module component. Its action is +simply to log the username and the service-type to +<tt/syslog(3)/. Messages are logged at the beginning and end of the +user's session. + +<tag><bf>Examples/suggested usage:</bf></tag> + +The use of the session modules is straightforward: +<tscreen> +<verb> +# +# session opening and closing +# +login session required pam_unix.so +</verb> +</tscreen> + +</descrip> + +<!-- +End of sgml insert for this module. +--> diff --git a/contrib/libpam/doc/modules/pam_userdb.sgml b/contrib/libpam/doc/modules/pam_userdb.sgml new file mode 100644 index 0000000000000..bdbf80b821d09 --- /dev/null +++ b/contrib/libpam/doc/modules/pam_userdb.sgml 
@@ -0,0 +1,112 @@ +<!-- + This file was written by Cristian Gafton <gafton@redhat.com> +--> + +<sect1>The userdb module + +<sect2>Synopsis + +<p> +<descrip> + +<tag><bf>Module Name:</bf></tag> +<tt/pam_userdb/ + +<tag><bf>Author:</bf></tag> +Cristian Gafton <gafton@redhat.com> + +<tag><bf>Maintainer:</bf></tag> +Author. + +<tag><bf>Management groups provided:</bf></tag> +authentication + +<tag><bf>Cryptographically sensitive:</bf></tag> + +<tag><bf>Security rating:</bf></tag> + +<tag><bf>Clean code base:</bf></tag> + +<tag><bf>System dependencies:</bf></tag> +Requires Berkeley DB. + +<tag><bf>Network aware:</bf></tag> + +</descrip> + +<sect2>Overview of module + +<p> +Look up users in a .db database and verify their password against +what is contained in that database. + +<sect2>Authentication component + +<p> +<descrip> + +<tag><bf>Recognized arguments:</bf></tag> +<tt/debug/; +<tt/icase/; +<tt/dump/; +<tt/db=XXXX/; + +<tag><bf>Description:</bf></tag> + +This module is used to verify a username/password pair against values stored in +a Berkeley DB database. The database is indexed by the username, and the data +fields corresponding to the username keys are the passwords, in unencrypted form, +so caution must be exercised over the access rights to the DB database itself.. + +The module will read the password from the user using the conversation mechanism. If +you are using this module on top of another authetication module (like <tt/pam_pwdb/;) +then you should tell that module to read the entered password from the PAM_AUTHTOK field, which is set by this module. + +<p> +The action of the module may be modified from this default by one or +more of the following flags in the <tt>/etc/pam.d/<service></tt> file. +<itemize> +<item> +<tt/debug/ - +Supply more debugging information to <tt/syslog(3)/. + +<item> +<tt/icase/ - +Perform the password comparisons case insensitive. 
+ +<item> +<tt/dump/ - +dump all the entries in the database to the log (eek, +don't do this by default!) + +<item> +<tt/db=XXXX/ - +use the database found on pathname XXXX. Note that Berkeley DB usually adds the +needed filename extension for you, so you should use something like <tt>/etc/foodata</tt> +instead of <tt>/etc/foodata.db</tt>. + +</itemize> + +<tag><bf>Examples/suggested usage:</bf></tag> + +This is a normal ftp configuration file (usually placed as <tt>/etc/pam.d/ftp</tt> +on most systems) that will accept for login users whose username/password pairs are +provided in the <tt>/tmp/dbtest.db</tt> file: + +<tscreen> +<verb> +#%PAM-1.0 +auth required pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed +auth sufficient pam_userdb.so icase db=/tmp/dbtest +auth required pam_pwdb.so shadow nullok try_first_pass +auth required pam_shells.so +account required pam_pwdb.so +session required pam_pwdb.so +</verb> +</tscreen> + +</descrip> + +<!-- +End of sgml insert for this module. +--> diff --git a/contrib/libpam/doc/modules/pam_warn.sgml b/contrib/libpam/doc/modules/pam_warn.sgml index 6e81f187f6945..af01740c2f98e 100644 --- a/contrib/libpam/doc/modules/pam_warn.sgml +++ b/contrib/libpam/doc/modules/pam_warn.sgml @@ -1,5 +1,5 @@ <!-- - $Id: pam_warn.sgml,v 1.1 1996/11/30 20:59:32 morgan Exp $ + $Id: pam_warn.sgml,v 1.1.1.1 2000/06/20 22:11:05 agmorgan Exp $ This file was written by Andrew G. Morgan <morgan@parc.power.net> --> diff --git a/contrib/libpam/doc/modules/pam_wheel.sgml b/contrib/libpam/doc/modules/pam_wheel.sgml index 9139695fec84c..bf19a9bab8086 100644 --- a/contrib/libpam/doc/modules/pam_wheel.sgml +++ b/contrib/libpam/doc/modules/pam_wheel.sgml @@ -1,5 +1,5 @@ <!-- - $Id: pam_wheel.sgml,v 1.3 1997/02/15 18:25:44 morgan Exp morgan $ + $Id: pam_wheel.sgml,v 1.1.1.1 2000/06/20 22:11:05 agmorgan Exp $ This file was written by Andrew G. Morgan <morgan@parc.power.net> from notes provided by Cristian Gafton. 
@@ -56,10 +56,11 @@ Only permit root access to members of the wheel (<tt/gid=0/) group. <tag><bf>Description:</bf></tag> -This module is used to enforce the so-called wheel group. By default, -it permits root access to the system if the applicant user is a member -of the <tt/wheel/ group (better described as the group with group-id -<tt/0/). +This module is used to enforce the so-called <em/wheel/ group. By +default, it permits root access to the system if the applicant user is +a member of the <tt/wheel/ group (first, the module checks for the +existence of a '<tt/wheel/' group. Otherwise the module defines the +group with group-id <tt/0/ to be the <em/wheel/ group). <p> The action of the module may be modified from this default by one or @@ -70,7 +71,7 @@ more of the following flags in the <tt>/etc/pam.conf</tt> file. Supply more debugging information to <tt/syslog(3)/. <item> -<tt/use_id/ - +<tt/use_uid/ - This option modifies the behavior of the module by using the current <tt/uid/ of the process and not the <tt/getlogin(3)/ name of the user. This option is useful for being able to jump from one account to |
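Review bot: in the new pam_motd.sgml (hunk @@ -0,0 +1,77 @@) the session component lists `<tt/debug/` under "Recognized arguments" but the itemize that follows documents only `motd`, so `debug` is never described; either add an item saying what `debug` does or drop it from the list, and note that "one of the following flags" then introduces a single flag. Also "succesful" should be "successful", and this new file is the only module document in the directory without the `$Id:` header comment that the others carry.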
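Review bot: the pam_pwdb hunk @@ -141,6 +142,12 @@ explains `likeauth` only as helping libpam "take a sane path through the auth component", which does not tell an administrator what actually changes; state it concretely, e.g. that the credential-setting call returns whatever the authentication call returned for that user, so `required`/`sufficient` stacking decisions on the setcred pass mirror those made on the authenticate pass.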
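Review bot: the rewritten sentence in pam_rhosts hunk @@ -81,7 +81,8 @@ ("is ignored unless the hosts_equiv_rootok option should be used. Instead, the superuser must ...") no longer parses: "should be used" is the wrong mood, and "Instead" has nothing left to contrast with once the option is set. Suggest: "is ignored unless the hosts_equiv_rootok option is given; without that option the superuser must have a correctly configured personal configuration file." The unchanged context line also spells the path `/etc/host.equiv` while the new option text uses `/etc/hosts.equiv`; fix the typo while this paragraph is being touched.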
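Review bot: the new `hosts_equiv_rootok` item in pam_rhosts hunk @@ -103,6 +104,12 @@ documents the mechanics and the precedence of `no_hosts_equiv` but not the consequence: with it set, every host trusted in `/etc/hosts.equiv` becomes trusted for the superuser account as well, which is exactly the trust the default refuses to extend. A one-sentence warning to that effect (use it only where every host listed in hosts.equiv is trusted to the same degree as local root) belongs in this item.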
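Review bot: in pam_tally.sgml (hunk @@ -0,0 +1,191 @@) the generic `onerr=(succeed|fail)` description never states which is the default, and since that decides whether an unreadable counts file fails open or closed it must be stated; likewise `deny=n` says access is denied if the tally "exceeds n" without saying whether a tally equal to n is denied. The account component says it checks that the counts file is a plain file and not world writable, but the authentication component, which also writes the file, says nothing about performing the same check; either document it there or note that only the account component checks. The auth component's "Examples/suggested usage" contains no configuration example at all, only the `no_magic_root` discussion that belongs under "Description"; something like `login auth required pam_tally.so onerr=fail no_magic_root` would make the daemon-launched-service advice concrete. The `even_deny_root_account` paragraph ("ensure that the root account can become unavailable") reads awkwardly; "allow the root account itself to be locked out when its tally exceeds deny" says it more plainly. Typos: "dependant" (dependent), "appliction" (application).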
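Review bot: in pam_unix.sgml (hunk @@ -0,0 +1,288 @@) the account component refers to a `PAM_AUTHTOKEN_REQD` return; the Linux-PAM return code is `PAM_NEW_AUTHTOK_REQD`, so the name as written will not be found by anyone grepping the headers. The same paragraph lists the shadow elements as `expire; last_change; max_change; min_change; warn_change` and says they are documented in the GNU libc info documents, but those are the libpwdb field names carried over from pam_pwdb.sgml; the glibc `struct spwd` fields are `sp_expire`, `sp_lstchg`, `sp_max`, `sp_min` and `sp_warn`. In the password component `shadow` appears in the recognized arguments but, unlike `md5`, `bigcrypt`, `nis` and `remember`, is never described. The `md5` sentence should say "hash" rather than "encrypt"; the MD5 scheme is still produced through crypt(3), just with a different salt form. The `remember` paragraph names `/etc/security/opasswd` as the store of previous passwords; it should add that the file holds password hashes and must be readable by root only. Minor: "Digital Equipment Cooperation" should be "Corporation", "Change the users password" should be "user's", and "documented above" (the Cracklib reference) is fragile once the module chapters are reordered.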
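Review bot: the example in pam_userdb.sgml (hunk @@ -0,0 +1,112 @@) fails open: `auth required pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed` means that if `/etc/ftpusers` cannot be read the deny list is simply skipped and login proceeds; a deny list should carry `onerr=fail`. The same example puts a database of unencrypted passwords at `/tmp/dbtest`, two paragraphs after the text cautions about access rights to that database; use a path under `/etc` and say the file must be mode 0600. The `dump` item should state plainly that it writes every username and cleartext password to the log rather than just "eek". Wording: "authetication" (authentication), "itself.." (single period), "case insensitive" (case-insensitively), and `PAM_AUTHTOK` is a PAM item, not a "field".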
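Review bot: the pam_wheel hunk @@ -56,10 +56,11 @@ changes the documented rule from "the group with group-id 0" to "a group named wheel if it exists, otherwise gid 0"; on a system where a group called `wheel` exists with a gid other than 0, this silently moves control of root access to that group, so the paragraph should call that out as a behaviour change rather than bury it in a parenthesis. The `use_id` to `use_uid` correction in the following hunk is right.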