From 58f651f69ef7e6d60bc732101035ce5fee553e8f Mon Sep 17 00:00:00 2001 From: Thorsten Kukuk Date: Wed, 28 Jun 2006 17:03:11 +0000 Subject: [PATCH] Relevant BUGIDs: Purpose of commit: cleanup Commit summary: --------------- Remove doc/modules directory --- ChangeLog | 2 + doc/modules/README | 11 -- doc/modules/module.sgml-template | 170 ----------------- doc/modules/pam_access.sgml | 127 ------------- doc/modules/pam_cracklib.sgml | 304 ------------------------------- doc/modules/pam_deny.sgml | 177 ------------------ doc/modules/pam_env.sgml | 141 -------------- doc/modules/pam_filter.sgml | 150 --------------- doc/modules/pam_ftp.sgml | 93 ---------- doc/modules/pam_group.sgml | 107 ----------- doc/modules/pam_issue.sgml | 120 ------------ doc/modules/pam_lastlog.sgml | 119 ------------ doc/modules/pam_limits.sgml | 247 ------------------------- doc/modules/pam_listfile.sgml | 138 -------------- doc/modules/pam_mail.sgml | 142 --------------- doc/modules/pam_mkhomedir.sgml | 83 --------- doc/modules/pam_motd.sgml | 77 -------- doc/modules/pam_nologin.sgml | 81 -------- doc/modules/pam_permit.sgml | 83 --------- doc/modules/pam_rhosts.sgml | 164 ----------------- doc/modules/pam_rootok.sgml | 85 --------- doc/modules/pam_securetty.sgml | 72 -------- doc/modules/pam_tally.sgml | 203 --------------------- doc/modules/pam_time.sgml | 166 ----------------- doc/modules/pam_unix.sgml | 296 ------------------------------ doc/modules/pam_userdb.sgml | 126 ------------- doc/modules/pam_warn.sgml | 67 ------- doc/modules/pam_wheel.sgml | 131 ------------- 28 files changed, 2 insertions(+), 3680 deletions(-) delete mode 100644 doc/modules/README delete mode 100644 doc/modules/module.sgml-template delete mode 100644 doc/modules/pam_access.sgml delete mode 100644 doc/modules/pam_cracklib.sgml delete mode 100644 doc/modules/pam_deny.sgml delete mode 100644 doc/modules/pam_env.sgml delete mode 100644 doc/modules/pam_filter.sgml delete mode 100644 doc/modules/pam_ftp.sgml delete mode 100644 doc/modules/pam_group.sgml delete mode 100644 doc/modules/pam_issue.sgml delete mode 100644 doc/modules/pam_lastlog.sgml delete mode 100644 doc/modules/pam_limits.sgml delete mode 100644 doc/modules/pam_listfile.sgml delete mode 100644 doc/modules/pam_mail.sgml delete mode 100644 doc/modules/pam_mkhomedir.sgml delete mode 100644 doc/modules/pam_motd.sgml delete mode 100644 doc/modules/pam_nologin.sgml delete mode 100644 doc/modules/pam_permit.sgml delete mode 100644 doc/modules/pam_rhosts.sgml delete mode 100644 doc/modules/pam_rootok.sgml delete mode 100644 doc/modules/pam_securetty.sgml delete mode 100644 doc/modules/pam_tally.sgml delete mode 100644 doc/modules/pam_time.sgml delete mode 100644 doc/modules/pam_unix.sgml delete mode 100644 doc/modules/pam_userdb.sgml delete mode 100644 doc/modules/pam_warn.sgml delete mode 100644 doc/modules/pam_wheel.sgml diff --git a/ChangeLog b/ChangeLog index 0e46613f..dfbb23f3 100644 --- a/ChangeLog +++ b/ChangeLog @@ -29,6 +29,8 @@ * doc/Makefile.am: Remove references to sgml, add sag, adg and mwg directories. + * doc/modules: Remove directory. + 2006-06-28 Thorsten Kukuk * release version 0.99.5.0 diff --git a/doc/modules/README b/doc/modules/README deleted file mode 100644 index 6d348559..00000000 --- a/doc/modules/README +++ /dev/null @@ -1,11 +0,0 @@ - -This directory contains a number of sgml sub-files. One for each -documented module. They contain a description of each module and give -some indication of its reliability. - -Additionally, there is a 'module.sgml-template' file which should be -used as a blank form for new module descriptions. - -Please feel free to submit amendments/comments etc. regarding these -files to the Linux-PAM mailing list: - diff --git a/doc/modules/module.sgml-template b/doc/modules/module.sgml-template deleted file mode 100644 index 16a93c79..00000000 --- a/doc/modules/module.sgml-template +++ /dev/null @@ -1,170 +0,0 @@ - - - [*Familiar full name of module*, eg. The "allow all" module.] - -Synopsis - -

- - -Module Name: -[ - insert the name of the module - - Blank is not permitted. -] - -Author[s]: - -[ - Insert author names here - - Blank is not permitted. If in doubt, put "unknown" if the - author wishes to remain anonymous, put "anonymous". -] - -Maintainer: - -[ - Insert names and date-begun of most recent maintainer. -] - -Management groups provided: - -[ - list the subset of four management groups supported by the - module. Choose from: account; authentication; password; - session. - - Blank entries are not permitted. Explicitly list all of the - management groups. In the future more may be added to libpam! -] - -Cryptographically sensitive: - -[ - Indicate whether this module contains code that can perform - reversible (strong) encryption. This field is primarily to - ensure that people redistributing it are not unwittingly - breaking laws... - - Modules may also require the presence of some local library - that performs the necessary encryption via some standard API. - In this case "uses API" can be included in this field. The - library in question should be added to the system requirements - below. - - Blank = no cryptography is used by module. -] - -Security rating: - -[ - Initially, this field should be left blank. If someone takes - it upon themselves to test the strength of the module, it can - later be filled. - - Blank = unknown. -] - -Clean code base: - -[ - This will probably be filled by the libpam maintainer. - It can be considered to be a public humiliation list. :*) - - I am of the opinion that "gcc -with_all_those_flags" is - trying to tell us something about whether the program - works as intended. Since there is currently no Security - evaluation procedure for modules IMHO this is not a - completely unreasonable indication (a lower bound anyway) - of the reliability of a module. - - This field would indicate the number and flavor of - warnings that gcc barfs up when trying to compile the - module as part of the tree. Is this too tyrannical? - - Blank = Linux-PAM maintainer has not tested it :) -] - -System dependencies: - -[ - here we list config files, dynamic libraries needed, system - resources, kernel options.. etc. - - Blank = nothing more than libc required. -] - -Network aware: - -[ - Does the module base its behavior on probing a network - connection? Does it expect to be protected by the - application? - - Blank = Ignorance of network. -] - - - -Overview of module - -[ - some text describing the intended actions of the module - general comments mainly (specifics in sections - below). -] - -[ - - [ now we have a level subsection for each of the - management groups. Include as many as there are groups - listed above in the synopsis ] - -[ Account | Authentication | Password | Session ] component - -

- - -Recognized arguments: - -[ - List the supported arguments (leave their description for the - description below. - - Blank = no arguments are read and nothing is logged to syslog - about any arguments that are passed. Note, this - behavior is contrary to the RFC! -] - -Description: - -[ - This component of the module performs the task of ... -] - -Examples/suggested usage: - -[ - Here we list some doos and don'ts for this module. -] - - - - diff --git a/doc/modules/pam_access.sgml b/doc/modules/pam_access.sgml deleted file mode 100644 index 52f10342..00000000 --- a/doc/modules/pam_access.sgml +++ /dev/null @@ -1,127 +0,0 @@ - - - The access module - -Synopsis - -

- - -Module Name: - -pam_access - - -Author[s]: - -Alexei Nogin <alexei@nogin.dnttm.ru> - -Maintainer: - -Management groups provided: - -account - -Cryptographically sensitive: - -Security rating: - -Clean code base: - -System dependencies: -Requires a configuration file. By default -/etc/security/access.conf is used but this can be overridden. - -Network aware: - -Through - -Overview of module - -

-Provides logdaemon style login access control. - - Account component - -

- - -Recognized arguments: - -accessfile=/path/to/file.conf; -fieldsep=separators -listsep=separators - -Description: - -This module provides logdaemon style login access control based on -login names and on host (or domain) names, internet addresses (or -network numbers), or on terminal line names in case of non-networked -logins. Diagnostics are reported through -The behavior of this module can be modified with the following -arguments: - - -accessfile=/path/to/file.conf - -indicate an alternative fieldsep=separators - -this option modifies the field separator character that -fieldsep=| will cause the default `:' -character to be treated as part of a field value and `|' becomes the -field separator. Doing this is useful in conjuction with a system that -wants to use pam_access with X based applications, since the -listsep=separators - -this option modifies the list separator character that -listsep=, will cause the default ` ' and `\t' -characters to be treated as part of a list element value and `,' becomes the -only list element separator. Doing this is useful on a system with -group information obtained from a Windows domain, where the default built-in -groups "Domain Users", "Domain Admins" contain a space. - - - -Examples/suggested usage: - -Use of module is recommended, for example, on administrative machines -such as /etc/pam.d style configurations where your modules live -in /lib/security, start by adding the following line to -/etc/pam.d/login, /etc/pam.d/rlogin, -/etc/pam.d/rsh and /etc/pam.d/ftp: - - - -account required /lib/security/pam_access.so - - - -Note that use of this module is not effective unless your system ignores -.rhosts files. See the the pam_rhosts_auth documentation. - -A sample access.conf configuration file is included with the -distribution. - - diff --git a/doc/modules/pam_cracklib.sgml b/doc/modules/pam_cracklib.sgml deleted file mode 100644 index 2cbfca45..00000000 --- a/doc/modules/pam_cracklib.sgml +++ /dev/null @@ -1,304 +0,0 @@ - - -Cracklib pluggable password strength-checker - -Synopsis - -

- - -Module Name: - -pam_cracklib - -Author: - -Cristian Gafton <gafton@redhat.com> - -Maintainer: - -Author. - -Management groups provided: - -password - -Cryptographically sensitive: - -Security rating: - -Clean code base: - -System dependencies: - -Requires the system library /usr/lib/cracklib_dict. - -Network aware: - - - -Overview of module - -

-This module can be plugged into the -This module works in the following manner: it first calls the -Cracklib routine to check the strength of the password; if -crack likes the password, the module does an additional set of -strength checks. These checks are: - - - - -

-This module with no arguments will work well for standard unix -password encryption. With md5 encryption, passwords can be longer -than 8 characters and the default settings for this module can make it -hard for the user to choose a satisfactory new password. Notably, the -requirement that the new password contain no more than 1/2 of the -characters in the old password becomes a non-trivial constraint. For -example, an old password of the form "the quick brown fox jumped over -the lazy dogs" would be difficult to change... In addition, the -default action is to allow passwords as small as 5 characters in -length. For a md5 systems it can be a good idea to increase the -required minimum size of a password. One can then allow more credit -for different kinds of characters but accept that the new password may -share most of these characters with the old password. - -Password component - -

- - -Recognized arguments: - -Description: - -The action of this module is to prompt the user for a password and -check its strength against a system dictionary and a set of rules for -identifying poor choices. - -

-The default action is to prompt for a single password, check its -strength and then, if it is considered strong, prompt for the password -a second time (to verify that it was typed correctly on the first -occasion). All being well, the password is passed on to subsequent -modules to be installed as the new authentication token. - -

-The default action may be modified in a number of ways using the -arguments recognized by the module: - - - other, -upper, lower and Cracklib itself, a "way too short" limit of 4 which is hard -coded in and a defined limit (6) that will be checked without -reference to minlen. If you want to allow passwords as short -as 5 characters you should either not use this module or recompile -the crack library and then recompile this module. - - = 0) This is the maximum credit for having digits in the new password. If -you have less than or = 0) This is the maximum credit for having upper case letters in the new -password. If you have less than or = 0) This is the maximum credit for having lower case letters in the new -password. If you have less than or = 0) This is the maximum credit for having other characters in the new -password. If you have less than or - -Examples/suggested usage: - -

-For an example of the use of this module, we show how it may be -stacked with the password component of - -# -# These lines stack two password type modules. In this example the -# user is given 3 opportunities to enter a strong password. The -# "use_authtok" argument ensures that the pam_unix module does not -# prompt for a password, but instead uses the one provided by -# pam_cracklib. -# -passwd password required pam_cracklib.so retry=3 -passwd password required pam_unix.so use_authtok - - - -

-Another example (in the /etc/pam.d/passwd format) is for the -case that you want to use md5 password encryption: - - -#%PAM-1.0 -# -# These lines allow a md5 systems to support passwords of at least 14 -# bytes with extra credit of 2 for digits and 2 for others the new -# password must have at least three bytes that are not present in the -# old password -# -password required pam_cracklib.so \ - difok=3 minlen=15 dcredit= 2 ocredit=2 -password required pam_unix.so use_authtok nullok md5 - - - -

-And here is another example in case you don't want to use credits: - - -#%PAM-1.0 -# -# These lines require the user to select a password with a minimum -# length of 8 and with at least 1 digit number, 1 upper case letter, -# and 1 other character -# -password required pam_cracklib.so \ - dcredit=-1 ucredit=-1 ocredit=-1 lcredit=0 minlen=8 -password required pam_unix.so use_authtok nullok md5 - - - -

-In this example we simply say that the password must have a minimum -length of 8: - - -#%PAM-1.0 -# -# These lines require the user to select a password with a mimimum -# length of 8. He gets no credits and he is not forced to use -# digit numbers, upper case letters etc. -# -password required pam_cracklib.so \ - dcredit=0 ucredit=0 ocredit=0 lcredit=0 minlen=8 -password required pam_unix.so use_authtok nullok md5 - - - - - - diff --git a/doc/modules/pam_deny.sgml b/doc/modules/pam_deny.sgml deleted file mode 100644 index 6953231f..00000000 --- a/doc/modules/pam_deny.sgml +++ /dev/null @@ -1,177 +0,0 @@ - - -The locking-out module - -Synopsis - -

- - -Module Name: -pam_deny - -Author: -Andrew G. Morgan <morgan@kernel.org> - -Maintainer: -current Management groups provided: -account; authentication; password; session - -Cryptographically sensitive: - -Security rating: - -Clean code base: -clean. - -System dependencies: - -Network aware: - - - -Overview of module - -

-This module can be used to deny access. It always indicates a failure -to the application through the PAM framework. As is commented in the -overview section , this module -might be suitable for using for default (the Account component - -

- - -Recognized arguments: - -Description: - -This component does nothing other than return a failure. The -failure type is Examples/suggested usage: - -Stacking this module with type -The following example would make it impossible to login: - - -# -# add this line to your other login entries to disable all accounts -# -login account required pam_deny.so - - - - - -Authentication component - -

- - -Recognized arguments: - -Description: - -This component does nothing other than return a failure. The failure -type is Examples/suggested usage: - -To deny access to default applications with this component of the - - -# -# add this line to your existing OTHER entries to prevent -# authentication succeeding with default applications. -# -OTHER auth required pam_deny.so - - - - - -Password component - -

- - -Recognized arguments: - -Description: - -This component of the module denies the user the opportunity to change -their password. It always responds with Examples/suggested usage: - -This module should be used to prevent an application from updating the -applicant user's password. For example, to prevent - -# -# add this line to your other login entries to prevent the login -# application from being able to change the user's password. -# -login password required pam_deny.so - - - - - -Session component - -

- - -Recognized arguments: - -Description: - -This aspect of the module prevents an application from starting a -session on the host computer. - -Examples/suggested usage: - -Together with another session module, that displays a message of the -day perhaps ( - -# -# An example to see how to configure login to refuse the user a -# session (politely) -# -login session required pam_motd.so \ - motd=/etc/system_time -login session required pam_deny.so - - - - - - diff --git a/doc/modules/pam_env.sgml b/doc/modules/pam_env.sgml deleted file mode 100644 index d795d591..00000000 --- a/doc/modules/pam_env.sgml +++ /dev/null @@ -1,141 +0,0 @@ - - -Set/unset environment variables - -Synopsis - -

- - -Module Name: -Author: -Dave Kinchlea <kinch@kinch.ark.com> - -Maintainer: -Author - -Management groups provided: -Authentication (setcred) - -Cryptographically sensitive: - -Security rating: - -Clean code base: - -System dependencies: -/etc/security/pam_env.conf - -Network aware: - - - -Overview of module - -

-This module allows the (un)setting of environment variables. Supported -is the use of previously set environment variables as well as -PAM_ITEMs such as PAM_RHOST. - -Authentication component - -

- - -Recognized arguments: -Description: -This module allows you to (un)set arbitrary environment variables -using fixed strings, the value of previously set environment variables -and/or -All is controlled via a configuration file (by default, -/etc/security/pam_env.conf but can be overriden with -conffile argument). Each line starts with the variable name, -there are then two possible options for each variable DEFAULT -and OVERRIDE. DEFAULT allows an administrator to -set the value of the variable to some default value, if none is -supplied then the empty string is assumed. The OVERRIDE -option tells pam_env that it should enter in its value (overriding the -default value) if there is one to use. OVERRIDE is not used, -"" is assumed and no override will be done. - -

- - -VARIABLE [DEFAULT=[value]] [OVERRIDE=[value]] - - - -

-(Possibly non-existent) environment variables may be used in values -using the ${string} syntax and (possibly -non-existent) @{string} syntax. Both the $ -and @ characters can be backslash-escaped to be used -as literal values (as in \$. Double quotes may -be used in values (but not environment variable names) when white -space is needed the full value must be delimited by the quotes and -embedded or escaped quotes are not supported. - -

-This module can also parse a file with simple KEY=VAL pairs -on seperate lines (/etc/environment by default). You can -change the default file to parse, with the -The behavior of this module can be modified with one of the following -flags: - -

- - -/etc/security/pam_env.conf is used as -the configuration file. This option overrides the default. You must -supply a complete path + file name. - -/etc/environment is used to load KEY=VAL -pairs directly into the env. This option overrides the default. You must -supply a complete path + file name. - - - -Examples/suggested usage: - -See sample pam_env.conf for more information and examples. - - - - - - - - - - - - - - diff --git a/doc/modules/pam_filter.sgml b/doc/modules/pam_filter.sgml deleted file mode 100644 index 4d3b4e84..00000000 --- a/doc/modules/pam_filter.sgml +++ /dev/null @@ -1,150 +0,0 @@ - - -The filter module - -Synopsis - -

- - -Module Name: - -pam_filter - -Author: - -Andrew G. Morgan <morgan@kernel.org> - -Maintainer: - -Author. - -Management groups provided: - -account; authentication; password; session - -Cryptographically sensitive: - -Not yet. - -Security rating: - -Clean code base: - -This module compiles cleanly on Linux based systems. - -System dependencies: - -To function it requires Network aware: - - - -Overview of module - -

-This module was written to offer a plug-in alternative to programs -like ttysnoop (XXX - need a reference). Since writing a filter that -performs this function has not occurred, it is currently only a toy. -The single filter provided with the module simply transposes upper and -lower case letters in the input and output streams. (This can be very -annoying and is not kind to termcap based editors). - -Account+Authentication+Password+Session components - -

- - -Recognized arguments: - -Description: - -Each component of the module has the potential to invoke the desired -filter. The filter is always -The behavior of the module can be significantly altered by the -arguments passed to it in the - -Permitted values for -For the case of the account component. Either -For the case of the password component, - -Examples/suggested usage: - -At the time of writing there is little real use to be made of this -module. For fun you might try adding the following line to your -login's configuration entries - - -# -# An example to see how to configure login to transpose upper and -# lower case letters once the user has logged in(!) -# -login session required pam_filter.so \ - run1 /usr/sbin/pam_filter/upperLOWER - - - - - - diff --git a/doc/modules/pam_ftp.sgml b/doc/modules/pam_ftp.sgml deleted file mode 100644 index a9444733..00000000 --- a/doc/modules/pam_ftp.sgml +++ /dev/null @@ -1,93 +0,0 @@ - - -Anonymous access module - -Synopsis - -

- - -Module Name: -Author: -Andrew G. Morgan <morgan@kernel.org> - -Maintainer: -Author. - -Management groups provided: -authentication - -Cryptographically sensitive: - -Security rating: - -Clean code base: - -System dependencies: - -Network aware: -prompts for email address of user; easily spoofed (XXX - needs work) - - - -Overview of module - -

-The purpose of this module is to provide a pluggable anonymous ftp -mode of access. - -Authentication component - -

- - -Recognized arguments: -Description: - -This module intercepts the user's name and password. If the name is -`` -The behavior of the module can be modified with the following flags: - - - -Examples/suggested usage: - -An example of the use of this module is provided in the configuration -file section . With care, this -module could be used to provide new/temporary account anonymous -login. - - - - diff --git a/doc/modules/pam_group.sgml b/doc/modules/pam_group.sgml deleted file mode 100644 index c40477c8..00000000 --- a/doc/modules/pam_group.sgml +++ /dev/null @@ -1,107 +0,0 @@ - - -The group access module - -Synopsis - -

- - -Module Name: -Author: -Andrew G. Morgan <morgan@kernel.org> - -Maintainer: -Author. - -Management groups provided: -authentication - -Cryptographically sensitive: - -Security rating: -Sensitive to Clean code base: - -System dependencies: -Requires an /etc/security/group.conf file. - -Network aware: -Only through correctly set - -Overview of module - -

-This module provides group-settings based on the user's name and the -terminal they are requesting a given service from. It takes note of -the time of day. - -Authentication component - -

- - -Recognized arguments: - -Description: - -This module does not authenticate the user, but instead it grants -group memberships (in the credential setting phase of the -authentication module) to the user. Such memberships are based on the -service they are applying for. The group memberships are listed in -text form in the /etc/security/group.conf file. - -Examples/suggested usage: - -For this module to function correctly there must be a correctly -formatted /etc/security/groups.conf file present. The format -of this file is as follows. Group memberships are given based on the -service application satisfying any combination of lines in the -configuration file. Each line (barring comments which are preceded by -` - -services ; ttys ; users ; times ; groups - - -Here the first four fields share the syntax of the pam_time -configuration file; /etc/security/pam_time.conf, and the last -field, the -As stated in above this module's usefulness relies on the file-systems -accessible to the user. The point being that once granted the -membership of a group, the user may attempt to create a -The pam_group module fuctions in parallel with the -/etc/group file. If the user is granted any groups based on -the behavior of this module, they are granted in addition to -those entries /etc/group (or equivalent). - - - - diff --git a/doc/modules/pam_issue.sgml b/doc/modules/pam_issue.sgml deleted file mode 100644 index 1f617e3b..00000000 --- a/doc/modules/pam_issue.sgml +++ /dev/null @@ -1,120 +0,0 @@ - - -Add issue file to user prompt - -Synopsis - -

- - -Module Name: -Author: -Ben Collins <bcollins@debian.org> - -Maintainer: -Author - -Management groups provided: -Authentication (pam_sm_authenticate) - -Cryptographically sensitive: - -Security rating: - -Clean code base: - -System dependencies: - -Network aware: - - - -Overview of module - -

-This module prepends the issue file (/etc/issue by default) when -prompting for a username. - -Authentication component - -

- - -Recognized arguments: -Description: -This module allows you to prepend an issue file to the username prompt. It -also by default parses escape codes in the issue file similar to some -common getty's (using \x format). -

-Recognized escapes: - - - - -

-The behavior of this module can be modified with one of the following -flags: - -

- - - - -Examples/suggested usage: - -login auth pam_issue.so issue=/etc/issue - - - - diff --git a/doc/modules/pam_lastlog.sgml b/doc/modules/pam_lastlog.sgml deleted file mode 100644 index a00f76b1..00000000 --- a/doc/modules/pam_lastlog.sgml +++ /dev/null @@ -1,119 +0,0 @@ - - -The last login module - -Synopsis - -

- - -Module Name: -Author: -Andrew G. Morgan <morgan@kernel.org> - -Maintainer: -Author - -Management groups provided: -auth - -Cryptographically sensitive: - -Security rating: - -Clean code base: - -System dependencies: -uses information contained in the /var/log/lastlog file. - -Network aware: - - - -Overview of module - -

-This session module maintains the /var/log/lastlog file. Adding -an open entry when called via the pam_open_seesion() function -and completing it when pam_close_session() is called. This -module can also display a line of information about the last login of -the user. If an application already performs these tasks, it is not -necessary to use this module. - -Session component - -

- - -Recognized arguments: -Description: - -

-This module can be used to provide a ``Last login on ...'' -message. when the user logs into the system from what ever application -uses the PAM libraries. In addition, the module maintains the -/var/log/lastlog file. - -

-The behavior of this module can be modified with one of the following -flags: - -

- -/var/log/lastlog file. - -/var/log/lastlog file does not contain any old entries -for the user, indicate that the user has never previously logged in -with a ``welcome..." message. - - - -Examples/suggested usage: - -This module can be used to indicate that the user has new mail when -they /etc/pam.d/XXX file: - - -# -# When were we last here? -# -session optional pam_lastlog.so - - - -

-Note, some applications may perform this function themselves. In such -cases, this module is not necessary. - - - - diff --git a/doc/modules/pam_limits.sgml b/doc/modules/pam_limits.sgml deleted file mode 100644 index 3678376a..00000000 --- a/doc/modules/pam_limits.sgml +++ /dev/null @@ -1,247 +0,0 @@ - - -The resource limits module - -Synopsis - -

- - -Module Name: -Authors: -Cristian Gafton <gafton@redhat.com> -Thanks are also due to Elliot Lee <sopwith@redhat.com> -for his comments on improving this module. - -Maintainer: -Cristian Gafton - 1996/11/20 - -Management groups provided: -session - -Cryptographically sensitive: - -Security rating: - -Clean code base: - -System dependencies: -requires an /etc/security/limits.conf file and kernel support -for resource limits. - -Network aware: - - - -Overview of module - -

-This module, through the Session component - -

- - -Recognized arguments: -conf=/path/to/file.conf; change_uid; -utmp_early - -Description: - -Through the contents of the configuration file, -/etc/security/limits.conf, resource limits are placed on -users' sessions. Users of -The behavior of this module can be modified with the following -arguments: - - -conf=/path/to/file.conf - -indicate an alternative - -Examples/suggested usage: - -In order to use this module the system administrator must first create -a /etc/security/limits.conf). This file describes the resource -limits the superuser wishes to impose on users and groups. No limits -are imposed on -Each line of the configuration file describes a limit for a user in -the form: - - - - - - -

-The fields listed above should be filled as follows... -<domain> can be: - - a username - a groupname, with @group syntax - the wild-card the wild-card %group syntax - - -

-<type> can have the three values: - - - - -

-<item> can be one of the following: - - - -

-Note, if you specify a type of ``-'' but neglect to supply the - -In general, individual limits have priority over group limits, so if -you impose no limits for -Also, please note that all limit settings are set -In the -The -The following is an example configuration file: - - -# EXAMPLE /etc/security/limits.conf file: -# ======================================= -# -* soft core 0 -* hard rss 10000 -@student hard nproc 20 -@faculty soft nproc 20 -@faculty hard nproc 50 -ftp hard nproc 0 -@student - maxlogins 4 - - -Note, the use of -Note, that wild-cards - %group is specified - -See the following examples: - - -# EXAMPLE /etc/security/limits.conf file: -# -* - maxlogins 2 -@faculty - maxlogins 4 -% - maxlogins 30 -%student - maxlogins 10 - - -Explanation: every user can login 2 times, members of the -For the services that need resources limits (login for example) put -the following line in /etc/pam.conf as the last line for that -service (usually after the pam_unix session line: - - -# -# Resource limits imposed on login sessions via pam_limits -# -login session required pam_limits.so - - - - - - diff --git a/doc/modules/pam_listfile.sgml b/doc/modules/pam_listfile.sgml deleted file mode 100644 index 3754f57e..00000000 --- a/doc/modules/pam_listfile.sgml +++ /dev/null @@ -1,138 +0,0 @@ - - -The list-file module - -Synopsis - -

- - -Module Name: -Author: -Elliot Lee <sopwith@cuc.edu> - -Maintainer: -Red Hat Software: -Michael K. Johnson <johnsonm@redhat.com> 1996/11/18 -(if unavailable, contact Elliot Lee <sopwith@cuc.edu>). - -Management groups provided: -authentication - -Cryptographically sensitive: - -Security rating: - -Clean code base: -clean - -System dependencies: - -Network aware: - - - -Overview of module - -

-The list-file module provides a way to deny or allow services based on -an arbitrary file. - -Authentication component - -

- - -Recognized arguments: - -onerr=succeed|fail; -sense=allow|deny; -file=filename; -item=user|tty|rhost|ruser|group|shell -apply=user|@group - -Description: - -The module gets the item of the type specified -- user specifies -the username, PAM_USER; tty specifies the name of the terminal -over which the request has been made, PAM_TTY; rhost specifies -the name of the remote host (if any) from which the request was made, -PAM_RHOST; and ruser specifies the name of the remote user -(if available) who made the request, PAM_RUSER -- and looks for -an instance of that item in the file filename. filename -contains one line per item listed. If the item is found, then if -sense=allow, PAM_SUCCESS is returned, causing the -authorization request to succeed; else if sense=deny, -PAM_AUTH_ERR is returned, causing the authorization -request to fail. - -

-If an error is encountered (for instance, if filename -does not exist, or a poorly-constructed argument is encountered), -then if onerr=succeed, PAM_SUCCESS is returned, -otherwise if onerr=fail, PAM_AUTH_ERR or -PAM_SERVICE_ERR (as appropriate) will be returned. - -

-An additional argument, apply=, can be used to restrict the -application of the above to a specific user -(apply=username) or a given group -(apply=@groupname). This added restriction is only -meaningful when used with the -Besides this last one, all arguments should be specified; do not count -on any default behavior, as it is subject to change. - -

-No credentials are awarded by this module. - -Examples/suggested usage: - -Classic ``ftpusers'' authentication can be implemented with this entry -in /etc/pam.conf: - - -# -# deny ftp-access to users listed in the /etc/ftpusers file -# -ftp auth required pam_listfile.so \ - onerr=succeed item=user sense=deny file=/etc/ftpusers - - -Note, users listed in /etc/ftpusers file are -(counterintuitively) -To allow login access only for certain users, you can use a - - -# -# permit login to users listed in /etc/loginusers -# -login auth required pam_listfile.so \ - onerr=fail item=user sense=allow file=/etc/loginusers - - - -

-For this example to work, all users who are allowed to use the login -service should be listed in the file /etc/loginusers. Unless -you are explicitly trying to lock out root, make sure that when you do -this, you leave a way for root to log in, either by listing root in -/etc/loginusers, or by listing a user who is able to - - diff --git a/doc/modules/pam_mail.sgml b/doc/modules/pam_mail.sgml deleted file mode 100644 index 78ae95dc..00000000 --- a/doc/modules/pam_mail.sgml +++ /dev/null @@ -1,142 +0,0 @@ - - -The mail module - -Synopsis - -

- - -Module Name: -Author: -Andrew G. Morgan <morgan@kernel.org> - -Maintainer: -Author - -Management groups provided: -Authentication (credential) -Session (open) - -Cryptographically sensitive: - -Security rating: - -Clean code base: - -System dependencies: -Default mail directory /var/spool/mail/ - -Network aware: - - - -Overview of module - -

-This module looks at the user's mail directory and indicates -whether the user has any mail in it. - -Session component - -

- - -Recognized arguments: -Description: - -This module provides the ``you have new mail'' service to the user. It -can be plugged into any application that has credential hooks. It gives a -single message indicating the -The behavior of this module can be modified with one of the following -flags: - -

- -/var/spool/mail. Note, if the supplied /var/spool/mail/u/s/user. - - - -Examples/suggested usage: - -This module can be used to indicate that the user has new mail when -they /etc/pam.conf file: - - -# -# do we have any mail? -# -login session optional pam_mail.so - - - -

-Note, if the mail spool file (be it /var/spool/mail/$USER or -a pathname given with the dir= parameter) is a directory then -pam_mail assumes it is in the Qmail Maildir format. - -

-Note, some applications may perform this function themselves. In such -cases, this module is not necessary. - - - -Authentication component - -

-Then authentication companent works the same as the session component, -except that everything is done during the pam_setcred() phase. - - diff --git a/doc/modules/pam_mkhomedir.sgml b/doc/modules/pam_mkhomedir.sgml deleted file mode 100644 index 8428565d..00000000 --- a/doc/modules/pam_mkhomedir.sgml +++ /dev/null @@ -1,83 +0,0 @@ - - -Create home directories on initial login - -Synopsis - -

- - -Module Name: -Author: -Jason Gunthorpe <jgg@ualberta.ca> - -Maintainer: -Ben Collins <bcollins@debian.org> - -Management groups provided: -Session - -Cryptographically sensitive: - -Security rating: - -Clean code base: - -System dependencies: - -Network aware: - - - -Overview of module - -

-Creates home directories on the fly for authenticated users. - -Session component - -

- - -Recognized arguments: -Description: -This module is useful for distributed systems where the user account is -managed in a central database (such as NIS, NIS+, or LDAP) and accessed -through miltiple systems. It frees the administrator from having to create -a default home directory on each of the systems by creating it upon the -first succesfully authenticated login of that user. The skeleton directory -(usually /etc/skel/) is used to copy default files and also set's a umask -for the creation. - -

-The behavior of this module can be modified with one of the following -flags: - -

- - - - -Examples/suggested usage: - -session required pam_mkhomedir.so skel=/etc/skel/ umask=0022 - - - - diff --git a/doc/modules/pam_motd.sgml b/doc/modules/pam_motd.sgml deleted file mode 100644 index 8ddc6392..00000000 --- a/doc/modules/pam_motd.sgml +++ /dev/null @@ -1,77 +0,0 @@ - - -Output the motd file - -Synopsis - -

- - -Module Name: -Author: -Ben Collins <bcollins@debian.org> - -Maintainer: -Author - -Management groups provided: -Session (open) - -Cryptographically sensitive: - -Security rating: - -Clean code base: - -System dependencies: - -Network aware: - - - -Overview of module - -

-This module outputs the motd file (/etc/motd by default) upon -successful login. - -Session component - -

- - -Recognized arguments: -Description: -This module allows you to have arbitrary motd's (message of the day) -output after a succesful login. By default this file is /etc/motd, -but is configurable to any file. - -

-The behavior of this module can be modified with one of the following -flags: - -

- - - - -Examples/suggested usage: - -login session pam_motd.so motd=/etc/motd - - - - diff --git a/doc/modules/pam_nologin.sgml b/doc/modules/pam_nologin.sgml deleted file mode 100644 index 52cf02a5..00000000 --- a/doc/modules/pam_nologin.sgml +++ /dev/null @@ -1,81 +0,0 @@ - - -The no-login module - -Synopsis - -

- - -Module Name: -Author: -Written by Michael K. Johnson <johnsonm@redhat.com> - -Maintainer: - -Management groups provided: -account; authentication - -Cryptographically sensitive: - -Security rating: - -Clean code base: - -System dependencies: - -Network aware: - - - -Overview of module - -

-Provides standard Unix Authentication component - -

- - -Recognized arguments: -successok, file=<Description: - -Provides standard Unix /etc/nologin exists, only root is allowed to log in; other -users are turned away with an error message (and the module returns -/etc/nologin. - -

-If the file /etc/nologin does not exist, this module defaults -to returning -The administrator can override the default nologin file with the -Examples/suggested usage: - -In order to make this module effective, all login methods should be -secured by it. It should be used as a required method listed -before any sufficient methods in order to get standard Unix -nologin semantics. Note, the use of - - diff --git a/doc/modules/pam_permit.sgml b/doc/modules/pam_permit.sgml deleted file mode 100644 index fe616ac3..00000000 --- a/doc/modules/pam_permit.sgml +++ /dev/null @@ -1,83 +0,0 @@ - - -The promiscuous module - -Synopsis - -

- - -Module Name: -pam_permit - -Author: -Andrew G. Morgan, <morgan@kernel.org> - -Maintainer: -Linux-PAM maintainer. - -Management groups provided: -account; authentication; password; session - -Cryptographically sensitive: - -Security rating: -VERY LOW. Use with extreme caution. - -Clean code base: -Clean. - -System dependencies: - -Network aware: - - - -Overview of module - -

-This module is very dangerous. It should be used with extreme -caution. Its action is always to permit access. It does nothing else. - -Account+Authentication+Password+Session components - -

- - -Recognized arguments: - -Description: - -No matter what management group, the action of this module is to -simply return -In the case of authentication, the user's name will be acquired. Many -applications become confused if this name is unknown. - -Examples/suggested usage: - -It is seldom a good idea to use this module. However, it does have -some legitimate uses. For example, if the system-administrator wishes -to turn off the account management on a workstation, and at the same -time continue to allow logins, then she might use the following -configuration file entry for login: - - -# -# add this line to your other login entries to disable account -# management, but continue to permit users to log in... -# -login account required pam_permit.so - - - - - - diff --git a/doc/modules/pam_rhosts.sgml b/doc/modules/pam_rhosts.sgml deleted file mode 100644 index 69885047..00000000 --- a/doc/modules/pam_rhosts.sgml +++ /dev/null @@ -1,164 +0,0 @@ - - -The rhosts module - -Synopsis - -

- - -Module Name: -Author: -Al Longyear <longyear@netcom.com> - -Maintainer: - -Management groups provided: -authentication - -Cryptographically sensitive: - -Security rating: - -Clean code base: -Clean. - -System dependencies: - -Network aware: -Standard - -Overview of module - -

-This module performs the standard network authentication for services, -as used by traditional implementations of Authentication component - -

- - -Recognized arguments: -Description: - -The authentication mechanism of this module is based on the contents -of two files; /etc/hosts.equiv (or #include <netdb.h>) and ~/.rhosts. Firstly, -hosts listed in the former file are treated as equivalent to the -localhost. Secondly, entries in the user's own copy of the latter file -is used to map "/etc/hosts.equiv and their remote account -is identical to their local one, or if their remote account has an -entry in their personal configuration file. - -

-Some restrictions are applied to the attributes of the user's personal -configuration file: it must be a regular file (as defined by - -The module authenticates a remote user (internally specified by the -item -In the case of /etc/host.equiv file is -hosts_equiv_rootok option -should be used. Instead, the superuser must have a correctly configured -personal configuration file. - -

-The behavior of the module is modified by flags: - - - - -/etc/hosts.equiv file. - - -/etc/hosts.equiv for superuser. Without this -option /etc/hosts.equiv is not consulted for the superuser account. -This option has no effect if the no_hosts_equiv option is used. - - -~/.rhosts. - - -~/.rhosts file must not be writable by anyone -other than its owner. This option overlooks group write access in the -case that the group owner of this file has the same name as the -user being authenticated. To lessen the security problems associated -with this option, the module also checks that the user is the only -member of their private group. - - - - -Examples/suggested usage: - -To allow users to login from trusted remote machines, you should try -adding the following line to your /etc/pam.conf file - - -# -# No passwords required for users from hosts listed above. -# -login auth sufficient pam_rhosts_auth.so no_rhosts - - -Note, in this example, the system administrator has turned off all -/etc/host.equiv file, by replacing - - diff --git a/doc/modules/pam_rootok.sgml b/doc/modules/pam_rootok.sgml deleted file mode 100644 index f6aa8a07..00000000 --- a/doc/modules/pam_rootok.sgml +++ /dev/null @@ -1,85 +0,0 @@ - - -The root access module - -Synopsis - -

- - -Module Name: -pam_rootok - -Author: -Andrew G. Morgan <morgan@kernel.org> - -Maintainer: -Linux-PAM maintainer - -Management groups provided: -authentication - -Cryptographically sensitive: - -Security rating: - -Clean code base: -Clean. - -System dependencies: - -Network aware: - - - -Overview of module - -

-This module is for use in situations where the superuser wishes -to gain access to a service without having to enter a password. - -Authentication component - -

- - -Recognized arguments: -Description: - -This module authenticates the user if their Examples/suggested usage: - -In the case of the - -# -# su authentication. Root is granted access by default. -# -su auth sufficient pam_rootok.so -su auth required pam_unix_auth.so - - - -

-Note. For programs that are run by the superuser (or started when the -system boots) this module should not be used to authenticate users. - - - - diff --git a/doc/modules/pam_securetty.sgml b/doc/modules/pam_securetty.sgml deleted file mode 100644 index ceb1358c..00000000 --- a/doc/modules/pam_securetty.sgml +++ /dev/null @@ -1,72 +0,0 @@ - - -The securetty module - -Synopsis - -

- - -Module Name: -Author[s]: -Elliot Lee <sopwith@cuc.edu> - -Maintainer: -Red Hat Software: - -(if unavailable, contact Elliot Lee <sopwith@cuc.edu>). - -Management groups provided: -authentication - -Cryptographically sensitive: - -Security rating: - -Clean code base: - -System dependencies: -/etc/securetty file - -Network aware: - -Requires the application to fill in the PAM_TTY item -correctly in order to act meaningfully. - - - -Overview of module - -

-Provides standard Unix securetty checking. - -Authentication component - -

- - -Recognized arguments: - -Description: - -Provides standard Unix securetty checking, which causes authentication -for root to fail unless PAM_TTY is set to a string listed in -the /etc/securetty file. For all other users, it succeeds. - -Examples/suggested usage: - -For canonical usage, should be listed as a required -authentication method before any sufficient authentication -methods. - - - - diff --git a/doc/modules/pam_tally.sgml b/doc/modules/pam_tally.sgml deleted file mode 100644 index afff25ca..00000000 --- a/doc/modules/pam_tally.sgml +++ /dev/null @@ -1,203 +0,0 @@ - - -The login counter (tallying) module - -Synopsis - -

- - -Module Name: -pam_tally - -Author[s]: -Tim Baverstock -Tomas Mraz - -Maintainer: - -Management groups provided: -auth; account - -Cryptographically sensitive: - -Security rating: - -Clean code base: - -System dependencies: -A faillog file (default location /var/log/faillog) - -Network aware: - - - -Overview of module - -

-This module maintains a count of attempted accesses, can reset count -on success, can deny access if too many attempts fail. - -

-pam_tally comes in two parts: pam_tally.so and -pam_tally. The former is the PAM module and the latter, a -stand-alone program. pam_tally is an (optional) application -which can be used to interrogate and manipulate the counter file. It -can display users' counts, set individual counts, or clear all -counts. Setting artificially high counts may be useful for blocking -users without changing their passwords. For example, one might find it -useful to clear all counts every midnight from a cron job. - -

-The counts file is organized as a binary-word array, indexed by -uid. You can probably make sense of it with od, if you don't -want to use the supplied appliction. - -

-Note, there are some outstanding issues with this module: -pam_tally is very dependant on getpw*() - a database -of usernames would be much more flexible - -Generic options accepted by both components -

- - onerr=(succeed|fail): - if something weird happens, such as unable to open the file, how - should the module react? - file=/where/to/keep/counts: - specify the file location for the counts. - The default location is /var/log/faillog. - audit: - display the username typed if the user is not found. It may be - useful for scripts, but you should know users often type their - password instead making your system weaker. Activate it only if you - know what you are doing. - - -Authentication component - -

- - -Recognized arguments: -onerr=(succeed|fail); -file=/where/to/keep/counts; -deny=n; -lock_time=n; -unlock_time=n; -magic_root; -even_deny_root_account; -per_user; -no_lock_time -no_reset; - -Description: - -

-The authentication component first checks if the user should be denied -access and if not it increments attempted login counter. -Then on call to pam_setcred it resets the attempts counter -if the user is NOT magic root. - -

-Examples/suggested usage: - -

-The deny=n option is used to deny access if tally -for this user exceeds n. - -

-The lock_time=n option is used to always deny access -for at least n seconds after a failed attempt. - -

-The unlock_time=n option is used to allow access after -n seconds after the last failed attempt with exceeded tally. -If this option is used the user will be locked out only for the specified -amount of time after he exceeded his maximum allowed attempts. Otherwise -the lock is removed only by a manual intervention of the system administrator. - -

-The magic_root option is used to indicate that if -the module is invoked by a user with uid=0, then the counter is not -incremented. The sys-admin should use this for user launched services, -like su, otherwise this argument should be omitted. - -

-By way of more explanation, when a process already running as root -tries to access some service, the access is magic, and -bypasses pam_tally's checks: this is handy for suing -from root into an account otherwise blocked. However, for services -like telnet or login, which always effectively run -from the root account, root (ie everyone) shouldn't be granted this -magic status, and the flag `magic_root' should not be set in this -situation, as noted in the summary above. - -

-Normally, failed attempts to access root will NOT cause the -root account to become blocked, to prevent denial-of-service: if your -users aren't given shell accounts and root may only login via -su or at the machine console (not -telnet/rsh, etc), this is safe. If you really want -root to be blocked for some given service, use -even_deny_root_account. - -

-If /var/log/faillog contains a non-zero .fail_max/.fail_locktime -field for this user then the per_user module argument will -ensure that the module uses this value and not the global -deny/lock_time=n parameter. - -

-The no_lock_time option is for ensuring that the module does -not use the .fail_locktime field in /var/log/faillog for this -user. - -

-The no_reset option is used to instruct the module to not reset -the count on successful entry. - - - -Account component - -

- - -Recognized arguments: -onerr=(succeed|fail); -file=/where/to/keep/counts; -magic_root; -no_reset; - -Description: - -

-The account component resets attempts counter if the user is NOT -magic root. This phase can be used optionaly for services which don't call -pam_setcred correctly or if the reset should be done regardless -of the failure of the account phase of other modules. - -Examples/suggested usage: - -

-The magic_root option is used to indicate that if -the module is invoked by a user with uid=0, then the counter is not -decremented/reset. The sys-admin should use this for user launched services, -like su, otherwise this argument should be omitted. - -

-The no_reset option is used to instruct the module to not reset -the count on successful entry. - - - - diff --git a/doc/modules/pam_time.sgml b/doc/modules/pam_time.sgml deleted file mode 100644 index 8c5f677f..00000000 --- a/doc/modules/pam_time.sgml +++ /dev/null @@ -1,166 +0,0 @@ - - -Time control - -Synopsis - -

- - -Module Name: -Author: -Andrew G. Morgan <morgan@kernel.org> - -Maintainer: -Author - -Management groups provided: -account - -Cryptographically sensitive: - -Security rating: - -Clean code base: - -System dependencies: -Requires a configuration file /etc/security/time.conf - -Network aware: -Through the - -Overview of module - -

-Running a well regulated system occasionally involves restricting -access to certain services in a selective manner. This module offers -some time control for access to services offered by a system. Its -actions are determined with a configuration file. This module can be -configured to deny access to (individual) users based on their name, -the time of day, the day of week, the service they are applying for -and their terminal from which they are making their request. - -Account component - -

- - -Recognized arguments: - -Description: - -This module bases its actions on the rules listed in its configuration -file: /etc/security/time.conf. Each rule has the following -form, - - -In words, each rule occupies a line, terminated with a newline or the -beginning of a comment; a ` - - -By a logic list we mean a sequence of tokens (associated with the -appropriate !morgan&!root, indicating that this rule -does not apply to the user morgan nor to root; and -tty*&!ttyp*, which indicates that the rule applies only -to console terminals but not pseudoterminals. - - - -Mo Tu We Th Fr Sa Su Wk Wd Al - - -The last two of these being -The time range part is a pair of 24-hour times, - -

-Note, that the given time restriction is only applied when the first -three fields are satisfied by a user's application for service. - -

-For convenience and readability a rule can be extended beyond a single -line with a `\Examples/suggested usage: - -The use of this module is initiated with an entry in the - - -# -# apply pam_time accounting to login requests -# -login account required pam_time.so - - -where, here we are applying the module to the -Some examples of rules that can be placed in the -/etc/security/time.conf configuration file are the following: - - -login ; tty* & !ttyp* ; !root ; !Al0000-2400 -all users except for games ; * ; !waster ; Wd0000-2400 | Wk1800-0800 -games (configured to use Linux-PAM) are only to be accessed out of -working hours. This rule does not apply to the user - -

-Note, currently there is no daemon enforcing the end of a session. -This needs to be remedied. - -

-Poorly formatted rules are logged as errors using - - diff --git a/doc/modules/pam_unix.sgml b/doc/modules/pam_unix.sgml deleted file mode 100644 index 86c584a8..00000000 --- a/doc/modules/pam_unix.sgml +++ /dev/null @@ -1,296 +0,0 @@ - - -The Unix Password module - -Synopsis - -

- - -Module Name: -pam_unix - -Author: - -Maintainer: - -Management groups provided: -account; authentication; password; session - -Cryptographically sensitive: - -Security rating: - -Clean code base: - -System dependencies: - -Network aware: - - - -Overview of module - -

-This is the standard Unix authentication module. It uses standard calls -from the system's libraries to retrieve and set account information as -well as authentication. Usually this is obtained from the /etc/passwd -and the /etc/shadow file as well if shadow is enabled. - -Account component - -

- - -Recognized arguments: -Description: - -The Examples/suggested usage: - -In its accounting mode, this module can be inserted as follows: - - -# -# Ensure users account and password are still active -# -login account required pam_unix.so - - - - - -Authentication component - -

- - -Recognized arguments: -Description: - -The -The default action of this module is to not permit the user access to -a service if their -When given the argument -The argument, nodelay, can be used to discourage the -authentication component from requesting a delay should the -authentication as a whole fail. The default action is for the module -to request a delay-on-failure of the order of one second. - -

-A helper binary, unix_chkpwd, is provided to check the user's -password when it is stored in a read protected database. This binary -is very simple and will only check the password of the user invoking -it. It is called transparently on behalf of the user by the -authenticating component of this module. In this way it is possible -for applications like xlock to work without being -setuid-root. The module, by default, will temporarily turn off - -Remaining arguments, supported by the other functions of this module, -are silently ignored. Other arguments are logged as errors through -Examples/suggested usage: - -The correct functionality of this module is dictated by having an -appropriate /etc/nsswitch.conf file, the user -databases specified there dictate the source of the authenticated -user's record. -

-In its authentication mode, this module can be inserted as follows: - - -# -# Authenticate the user -# -login auth required pam_unix.so - - - - - -Password component - -

- - -Recognized arguments: -Description: - -This part of the -In the case of conventional unix databases (which store the password -encrypted) the -The -The argument -The -The -With the -The /etc/security/opasswd in order to force password change history -and keep the user from alternating between the same password too frequently. - -Examples/suggested usage: - -Standard usage: - - -# -# Change the users password -# -passwd password required pam_unix.so - - - -

-An example of the stacking of this module with respect to the -pluggable password checking module, - -# -# Change the users password -# -passwd password required pam_cracklib.so retry=3 minlen=6 difok=3 -passwd password required pam_unix.so use_authtok nullok md5 - - - - - -Session component - -

- - -Recognized arguments: - -Description: - -No arguments are recognized by this module component. Its action is -simply to log the username and the service-type to -Examples/suggested usage: - -The use of the session modules is straightforward: - - -# -# session opening and closing -# -login session required pam_unix.so - - - - - - diff --git a/doc/modules/pam_userdb.sgml b/doc/modules/pam_userdb.sgml deleted file mode 100644 index 566e68de..00000000 --- a/doc/modules/pam_userdb.sgml +++ /dev/null @@ -1,126 +0,0 @@ - - -The userdb module - -Synopsis - -

- - -Module Name: -Author: -Cristian Gafton <gafton@redhat.com> - -Maintainer: -Author. - -Management groups provided: -authentication - -Cryptographically sensitive: - -Security rating: - -Clean code base: - -System dependencies: -Requires Berkeley DB. - -Network aware: - - - -Overview of module - -

-Look up users in a .db database and verify their password against -what is contained in that database. - -Authentication component - -

- - -Recognized arguments: -Description: - -This module is used to verify a username/password pair against values stored in -a Berkeley DB database. The database is indexed by the username, and the data -fields corresponding to the username keys are the passwords, in unencrypted form, -so caution must be exercised over the access rights to the DB database itself.. - -The module will read the password from the user using the conversation mechanism. If -you are using this module on top of another authentication module (like -The action of the module may be modified from this default by one or -more of the following flags in the /etc/pam.d/<service> file. - - - - - -/etc/foodata -instead of /etc/foodata.db. - - - - -Examples/suggested usage: - -This is a normal ftp configuration file (usually placed as /etc/pam.d/ftp -on most systems) that will accept for login users whose username/password pairs are -provided in the /etc/dbtest.db file: - - - -#%PAM-1.0 -auth required pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed -auth sufficient pam_userdb.so icase db=/etc/dbtest -auth required pam_unix.so shadow nullok try_first_pass -auth required pam_shells.so -account required pam_unix.so -session required pam_unix.so - - - - - - diff --git a/doc/modules/pam_warn.sgml b/doc/modules/pam_warn.sgml deleted file mode 100644 index 4c2e3e18..00000000 --- a/doc/modules/pam_warn.sgml +++ /dev/null @@ -1,67 +0,0 @@ - - -Warning logger module - -Synopsis - -

- - -Module Name: -Author: -Andrew G. Morgan <morgan@kernel.org> - -Maintainer: -Author. - -Management groups provided: -authentication; password - -Cryptographically sensitive: - -Security rating: - -Clean code base: - -System dependencies: - -Network aware: -logs information about the remote user and host (if pam-items are known) - - - -Overview of module - -

-This module is principally for logging information about a -proposed authentication or application to update a password. - -Authentication+Password component - -

- - -Recognized arguments: - -Description: - -Log the service, terminal, user, remote user and remote host to -Examples/suggested usage: - -an example is provided in the configuration file section . - - - - diff --git a/doc/modules/pam_wheel.sgml b/doc/modules/pam_wheel.sgml deleted file mode 100644 index 85841923..00000000 --- a/doc/modules/pam_wheel.sgml +++ /dev/null @@ -1,131 +0,0 @@ - - -The wheel module - -Synopsis - -

- - -Module Name: -Author: -Cristian Gafton <gafton@redhat.com> - -Maintainer: -Author. - -Management groups provided: -authentication; account - -Cryptographically sensitive: - -Security rating: - -Clean code base: - -System dependencies: - -Network aware: - - - -Overview of module - -

-Only permit root access to members of the wheel (Authentication and Account components - -

- - -Recognized arguments: -Description: - -This module is used to enforce the so-called -The module can be used as either an ' -The action of the module may be modified from this default by one or -more of the following flags in the /etc/pam.conf file. - - - - - - - - -Examples/suggested usage: - -To restrict access to superuser status to the members of the - - -# -# root gains access by default (rootok), only wheel members can -# become root (wheel) but Unix authenticate non-root applicants. -# -su auth sufficient pam_rootok.so -su auth required pam_wheel.so -su auth required pam_unix.so - - - - - - -- 2.40.0