authorSteve Langasek <steve.langasek@ubuntu.com>2019-01-03 12:47:05 -0800
committerSteve Langasek <steve.langasek@ubuntu.com>2019-01-03 12:47:05 -0800
commit4c51da22e068907adb7857d50f5109a467c94d7c (patch)
treebecf5fbae5dfcbe8896355f59042dc8eaefa7f37 /Linux-PAM/doc/modules
parentefd31890b5ed496a5a00c08a262da240e66a4ddc (diff)
parentab9e8ba11f464fc083fc65a0bc695d60ebc86f3e (diff)
New upstream version 0.79
Diffstat (limited to 'Linux-PAM/doc/modules')
-rw-r--r--Linux-PAM/doc/modules/README2
-rw-r--r--Linux-PAM/doc/modules/module.sgml-template2
-rw-r--r--Linux-PAM/doc/modules/pam_chroot.sgml2
-rw-r--r--Linux-PAM/doc/modules/pam_cracklib.sgml2
-rw-r--r--Linux-PAM/doc/modules/pam_deny.sgml2
-rw-r--r--Linux-PAM/doc/modules/pam_env.sgml2
-rw-r--r--Linux-PAM/doc/modules/pam_filter.sgml2
-rw-r--r--Linux-PAM/doc/modules/pam_ftp.sgml2
-rw-r--r--Linux-PAM/doc/modules/pam_group.sgml2
-rw-r--r--Linux-PAM/doc/modules/pam_krb4.sgml2
-rw-r--r--Linux-PAM/doc/modules/pam_lastlog.sgml2
-rw-r--r--Linux-PAM/doc/modules/pam_limits.sgml2
-rw-r--r--Linux-PAM/doc/modules/pam_listfile.sgml2
-rw-r--r--Linux-PAM/doc/modules/pam_mail.sgml2
-rw-r--r--Linux-PAM/doc/modules/pam_mkhomedir.sgml2
-rw-r--r--Linux-PAM/doc/modules/pam_nologin.sgml2
-rw-r--r--Linux-PAM/doc/modules/pam_permit.sgml2
-rw-r--r--Linux-PAM/doc/modules/pam_pwdb.sgml14
-rw-r--r--Linux-PAM/doc/modules/pam_radius.sgml2
-rw-r--r--Linux-PAM/doc/modules/pam_rhosts.sgml2
-rw-r--r--Linux-PAM/doc/modules/pam_rootok.sgml2
-rw-r--r--Linux-PAM/doc/modules/pam_securetty.sgml2
-rw-r--r--Linux-PAM/doc/modules/pam_tally.sgml138
-rw-r--r--Linux-PAM/doc/modules/pam_time.sgml2
-rw-r--r--Linux-PAM/doc/modules/pam_unix.sgml22
-rw-r--r--Linux-PAM/doc/modules/pam_userdb.sgml16
-rw-r--r--Linux-PAM/doc/modules/pam_warn.sgml2
-rw-r--r--Linux-PAM/doc/modules/pam_wheel.sgml22
28 files changed, 153 insertions, 105 deletions
diff --git a/Linux-PAM/doc/modules/README b/Linux-PAM/doc/modules/README
index b81f1d26..653448f3 100644
--- a/Linux-PAM/doc/modules/README
+++ b/Linux-PAM/doc/modules/README
@@ -1,4 +1,4 @@
-$Id: README,v 1.1.1.2 2002/09/15 20:08:28 hartmans Exp $
+$Id: README,v 1.2 2001/12/08 18:56:47 agmorgan Exp $
This directory contains a number of sgml sub-files. One for each
documented module. They contain a description of each module and give
diff --git a/Linux-PAM/doc/modules/module.sgml-template b/Linux-PAM/doc/modules/module.sgml-template
index 36ffe617..3fffc754 100644
--- a/Linux-PAM/doc/modules/module.sgml-template
+++ b/Linux-PAM/doc/modules/module.sgml-template
@@ -1,6 +1,6 @@
<!--
- $Id: module.sgml-template,v 1.1.1.1 2001/04/29 04:16:54 hartmans Exp $
+ $Id: module.sgml-template,v 1.2 2001/02/11 07:52:56 agmorgan Exp $
This template file was written by Andrew G. Morgan
<morgan@kernel.org>
diff --git a/Linux-PAM/doc/modules/pam_chroot.sgml b/Linux-PAM/doc/modules/pam_chroot.sgml
index 2bc3e8af..2366880e 100644
--- a/Linux-PAM/doc/modules/pam_chroot.sgml
+++ b/Linux-PAM/doc/modules/pam_chroot.sgml
@@ -1,5 +1,5 @@
<!--
- $Id: pam_chroot.sgml,v 1.1.1.1 2001/04/29 04:16:55 hartmans Exp $
+ $Id: pam_chroot.sgml,v 1.1.1.1 2000/06/20 22:10:59 agmorgan Exp $
This file was written by Bruce Campbell <brucec@humbug.org.au>
-->
diff --git a/Linux-PAM/doc/modules/pam_cracklib.sgml b/Linux-PAM/doc/modules/pam_cracklib.sgml
index de1d5df2..d6fc0c56 100644
--- a/Linux-PAM/doc/modules/pam_cracklib.sgml
+++ b/Linux-PAM/doc/modules/pam_cracklib.sgml
@@ -1,5 +1,5 @@
<!--
- $Id: pam_cracklib.sgml,v 1.1.1.2 2002/09/15 20:08:28 hartmans Exp $
+ $Id: pam_cracklib.sgml,v 1.5 2001/12/08 18:56:47 agmorgan Exp $
This file was written by Andrew G. Morgan <morgan@kernel.org>
long password amendments are from Philip W. Dalrymple III <pwd@mdtsoft.com>
diff --git a/Linux-PAM/doc/modules/pam_deny.sgml b/Linux-PAM/doc/modules/pam_deny.sgml
index d8041d19..bf9dfd2b 100644
--- a/Linux-PAM/doc/modules/pam_deny.sgml
+++ b/Linux-PAM/doc/modules/pam_deny.sgml
@@ -1,5 +1,5 @@
<!--
- $Id: pam_deny.sgml,v 1.1.1.2 2002/09/15 20:08:29 hartmans Exp $
+ $Id: pam_deny.sgml,v 1.3 2002/05/10 04:03:02 agmorgan Exp $
This file was written by Andrew G. Morgan <morgan@kernel.org>
-->
diff --git a/Linux-PAM/doc/modules/pam_env.sgml b/Linux-PAM/doc/modules/pam_env.sgml
index 0ca18fe4..a6361cac 100644
--- a/Linux-PAM/doc/modules/pam_env.sgml
+++ b/Linux-PAM/doc/modules/pam_env.sgml
@@ -1,5 +1,5 @@
<!--
- $Id: pam_env.sgml,v 1.1.1.1 2001/04/29 04:16:54 hartmans Exp $
+ $Id: pam_env.sgml,v 1.2 2001/03/19 01:46:41 agmorgan Exp $
This file was written by Dave Kinchlea <kinch@kinch.ark.com>
Ed. AGM
diff --git a/Linux-PAM/doc/modules/pam_filter.sgml b/Linux-PAM/doc/modules/pam_filter.sgml
index 1d582abc..e22ad9b6 100644
--- a/Linux-PAM/doc/modules/pam_filter.sgml
+++ b/Linux-PAM/doc/modules/pam_filter.sgml
@@ -1,5 +1,5 @@
<!--
- $Id: pam_filter.sgml,v 1.1.1.2 2002/09/15 20:08:29 hartmans Exp $
+ $Id: pam_filter.sgml,v 1.3 2001/12/08 18:56:47 agmorgan Exp $
This file was written by Andrew G. Morgan <morgan@kernel.org>
-->
diff --git a/Linux-PAM/doc/modules/pam_ftp.sgml b/Linux-PAM/doc/modules/pam_ftp.sgml
index 3ea43713..cb4c4f33 100644
--- a/Linux-PAM/doc/modules/pam_ftp.sgml
+++ b/Linux-PAM/doc/modules/pam_ftp.sgml
@@ -1,5 +1,5 @@
<!--
- $Id: pam_ftp.sgml,v 1.1.1.2 2002/09/15 20:08:29 hartmans Exp $
+ $Id: pam_ftp.sgml,v 1.3 2001/12/08 18:56:47 agmorgan Exp $
This file was written by Andrew G. Morgan <morgan@kernel.org>
-->
diff --git a/Linux-PAM/doc/modules/pam_group.sgml b/Linux-PAM/doc/modules/pam_group.sgml
index 770933bc..2d767275 100644
--- a/Linux-PAM/doc/modules/pam_group.sgml
+++ b/Linux-PAM/doc/modules/pam_group.sgml
@@ -1,5 +1,5 @@
<!--
- $Id: pam_group.sgml,v 1.1.1.2 2002/09/15 20:08:30 hartmans Exp $
+ $Id: pam_group.sgml,v 1.2 2001/12/08 18:56:47 agmorgan Exp $
This file was written by Andrew G. Morgan <morgan@kernel.org>
-->
diff --git a/Linux-PAM/doc/modules/pam_krb4.sgml b/Linux-PAM/doc/modules/pam_krb4.sgml
index 2fc8518e..51a46522 100644
--- a/Linux-PAM/doc/modules/pam_krb4.sgml
+++ b/Linux-PAM/doc/modules/pam_krb4.sgml
@@ -1,5 +1,5 @@
<!--
- $Id: pam_krb4.sgml,v 1.1.1.1 2001/04/29 04:16:55 hartmans Exp $
+ $Id: pam_krb4.sgml,v 1.1.1.1 2000/06/20 22:11:01 agmorgan Exp $
This file was written by Derrick J. Brashear <shadow@DEMENTIA.ORG>
-->
diff --git a/Linux-PAM/doc/modules/pam_lastlog.sgml b/Linux-PAM/doc/modules/pam_lastlog.sgml
index e79723b3..451bfaa2 100644
--- a/Linux-PAM/doc/modules/pam_lastlog.sgml
+++ b/Linux-PAM/doc/modules/pam_lastlog.sgml
@@ -1,5 +1,5 @@
<!--
- $Id: pam_lastlog.sgml,v 1.1.1.1 2001/04/29 04:16:55 hartmans Exp $
+ $Id: pam_lastlog.sgml,v 1.2 2001/02/17 01:55:38 agmorgan Exp $
This file was written by Andrew G. Morgan <morgan@kernel.org>
-->
diff --git a/Linux-PAM/doc/modules/pam_limits.sgml b/Linux-PAM/doc/modules/pam_limits.sgml
index 65ce6d82..22674d42 100644
--- a/Linux-PAM/doc/modules/pam_limits.sgml
+++ b/Linux-PAM/doc/modules/pam_limits.sgml
@@ -1,5 +1,5 @@
<!--
- $Id: pam_limits.sgml,v 1.1.1.2 2002/09/15 20:08:31 hartmans Exp $
+ $Id: pam_limits.sgml,v 1.7 2002/05/09 12:00:35 baggins Exp $
This file was written by Andrew G. Morgan <morgan@kernel.org>
from information compiled by Cristian Gafton (author of module)
diff --git a/Linux-PAM/doc/modules/pam_listfile.sgml b/Linux-PAM/doc/modules/pam_listfile.sgml
index f39d8bc6..1284d1b6 100644
--- a/Linux-PAM/doc/modules/pam_listfile.sgml
+++ b/Linux-PAM/doc/modules/pam_listfile.sgml
@@ -1,5 +1,5 @@
<!--
- $Id: pam_listfile.sgml,v 1.1.1.1 2001/04/29 04:16:56 hartmans Exp $
+ $Id: pam_listfile.sgml,v 1.2 2001/03/19 01:46:41 agmorgan Exp $
This file was written by Michael K. Johnson <johnsonm@redhat.com>
-->
diff --git a/Linux-PAM/doc/modules/pam_mail.sgml b/Linux-PAM/doc/modules/pam_mail.sgml
index 397df29e..c157659a 100644
--- a/Linux-PAM/doc/modules/pam_mail.sgml
+++ b/Linux-PAM/doc/modules/pam_mail.sgml
@@ -1,5 +1,5 @@
<!--
- $Id: pam_mail.sgml,v 1.1.1.2 2002/09/15 20:08:31 hartmans Exp $
+ $Id: pam_mail.sgml,v 1.4 2001/12/08 18:56:47 agmorgan Exp $
This file was written by Andrew G. Morgan <morgan@kernel.org>
-->
diff --git a/Linux-PAM/doc/modules/pam_mkhomedir.sgml b/Linux-PAM/doc/modules/pam_mkhomedir.sgml
index 075e16f9..8428565d 100644
--- a/Linux-PAM/doc/modules/pam_mkhomedir.sgml
+++ b/Linux-PAM/doc/modules/pam_mkhomedir.sgml
@@ -46,7 +46,7 @@ Creates home directories on the fly for authenticated users.
<descrip>
<tag><bf>Recognized arguments:</bf></tag>
-<tt/debug/; <tt/skel=skeleton-dir/; <tt/umask=octal-umask/;
+<tt/skel=skeleton-dir/; <tt/umask=octal-umask/;
<tag><bf>Description:</bf></tag>
This module is useful for distributed systems where the user account is
diff --git a/Linux-PAM/doc/modules/pam_nologin.sgml b/Linux-PAM/doc/modules/pam_nologin.sgml
index e2463570..241c24f0 100644
--- a/Linux-PAM/doc/modules/pam_nologin.sgml
+++ b/Linux-PAM/doc/modules/pam_nologin.sgml
@@ -1,5 +1,5 @@
<!--
- $Id: pam_nologin.sgml,v 1.1.1.2 2002/09/15 20:08:31 hartmans Exp $
+ $Id: pam_nologin.sgml,v 1.3 2002/06/27 05:43:28 agmorgan Exp $
This file was written by Michael K. Johnson <johnsonm@redhat.com>
-->
diff --git a/Linux-PAM/doc/modules/pam_permit.sgml b/Linux-PAM/doc/modules/pam_permit.sgml
index 969e6b84..1d6bbce4 100644
--- a/Linux-PAM/doc/modules/pam_permit.sgml
+++ b/Linux-PAM/doc/modules/pam_permit.sgml
@@ -1,5 +1,5 @@
<!--
- $Id: pam_permit.sgml,v 1.1.1.2 2002/09/15 20:08:31 hartmans Exp $
+ $Id: pam_permit.sgml,v 1.2 2001/12/08 18:56:47 agmorgan Exp $
This file was written by Andrew G. Morgan <morgan@kernel.org>
-->
diff --git a/Linux-PAM/doc/modules/pam_pwdb.sgml b/Linux-PAM/doc/modules/pam_pwdb.sgml
index df0cb329..7b237d2e 100644
--- a/Linux-PAM/doc/modules/pam_pwdb.sgml
+++ b/Linux-PAM/doc/modules/pam_pwdb.sgml
@@ -1,5 +1,5 @@
<!--
- $Id: pam_pwdb.sgml,v 1.1.1.2 2002/09/15 20:08:32 hartmans Exp $
+ $Id: pam_pwdb.sgml,v 1.4 2002/07/11 05:43:50 agmorgan Exp $
This file was written by Andrew G. Morgan <morgan@kernel.org>
-->
@@ -99,7 +99,8 @@ login account required pam_pwdb.so
<tt/try_first_pass/;
<tt/nullok/;
<tt/nodelay/;
-<tt/likeauth/
+<tt/likeauth/;
+<tt/noreap/
<tag><bf>Description:</bf></tag>
@@ -137,7 +138,14 @@ password when it is stored in a read protected database. This binary
is very simple and will only check the password of the user invoking
it. It is called transparently on behalf of the user by the
authenticating component of this module. In this way it is possible
-for applications like <em>xlock</em> to work without being setuid-root.
+for applications like <em>xlock</em> to work without being
+setuid-root. The module, by default, will temporarily turn off
+<tt/SIGCHLD/ handling for the duration of execution of the helper
+binary. This is generally the right thing to do, as many applications
+are not prepared to handle this signal from a child they didn't know
+was <tt/fork()/d. The <tt/noreap/ module argument can be used to
+suppress this temporary shielding and may be needed for use with
+certain applications.
<p>
The <tt>likeauth</tt> argument makes the module return the same value
diff --git a/Linux-PAM/doc/modules/pam_radius.sgml b/Linux-PAM/doc/modules/pam_radius.sgml
index b452bebd..8ebfa0a8 100644
--- a/Linux-PAM/doc/modules/pam_radius.sgml
+++ b/Linux-PAM/doc/modules/pam_radius.sgml
@@ -1,5 +1,5 @@
<!--
- $Id: pam_radius.sgml,v 1.1.1.1 2001/04/29 04:16:57 hartmans Exp $
+ $Id: pam_radius.sgml,v 1.2 2001/03/19 01:46:41 agmorgan Exp $
This file was written by Cristian Gafton <gafton@redhat.com>
-->
diff --git a/Linux-PAM/doc/modules/pam_rhosts.sgml b/Linux-PAM/doc/modules/pam_rhosts.sgml
index 4b9d1a89..ded5697b 100644
--- a/Linux-PAM/doc/modules/pam_rhosts.sgml
+++ b/Linux-PAM/doc/modules/pam_rhosts.sgml
@@ -1,5 +1,5 @@
<!--
- $Id: pam_rhosts.sgml,v 1.1.1.2 2002/09/15 20:08:32 hartmans Exp $
+ $Id: pam_rhosts.sgml,v 1.2 2001/12/08 18:56:47 agmorgan Exp $
This file was written by Andrew G. Morgan <morgan@kernel.org>
-->
diff --git a/Linux-PAM/doc/modules/pam_rootok.sgml b/Linux-PAM/doc/modules/pam_rootok.sgml
index e882f4d5..b5ae6921 100644
--- a/Linux-PAM/doc/modules/pam_rootok.sgml
+++ b/Linux-PAM/doc/modules/pam_rootok.sgml
@@ -1,5 +1,5 @@
<!--
- $Id: pam_rootok.sgml,v 1.1.1.2 2002/09/15 20:08:32 hartmans Exp $
+ $Id: pam_rootok.sgml,v 1.2 2001/12/08 18:56:47 agmorgan Exp $
This file was written by Andrew G. Morgan <morgan@kernel.org>
-->
diff --git a/Linux-PAM/doc/modules/pam_securetty.sgml b/Linux-PAM/doc/modules/pam_securetty.sgml
index f500b8b2..fc89af23 100644
--- a/Linux-PAM/doc/modules/pam_securetty.sgml
+++ b/Linux-PAM/doc/modules/pam_securetty.sgml
@@ -1,5 +1,5 @@
<!--
- $Id: pam_securetty.sgml,v 1.1.1.1 2001/04/29 04:16:57 hartmans Exp $
+ $Id: pam_securetty.sgml,v 1.1.1.1 2000/06/20 22:11:04 agmorgan Exp $
This file was written by Michael K. Johnson <johnsonm@redhat.com>
-->
diff --git a/Linux-PAM/doc/modules/pam_tally.sgml b/Linux-PAM/doc/modules/pam_tally.sgml
index a2d03435..ee6fad46 100644
--- a/Linux-PAM/doc/modules/pam_tally.sgml
+++ b/Linux-PAM/doc/modules/pam_tally.sgml
@@ -1,6 +1,6 @@
<!--
- $Id: pam_tally.sgml,v 1.1.1.1 2001/04/29 04:16:57 hartmans Exp $
+ $Id: pam_tally.sgml,v 1.3 2005/01/16 22:12:25 toady Exp $
This template file was written by Andrew G. Morgan <morgan@kernel.org>
adapted from text provided by Tim Baverstock.
@@ -18,6 +18,7 @@ pam_tally
<tag><bf>Author[s]:</bf></tag>
Tim Baverstock
+Tomas Mraz
<tag><bf>Maintainer:</bf></tag>
@@ -61,9 +62,7 @@ want to use the supplied appliction.
<p>
Note, there are some outstanding issues with this module:
<tt>pam_tally</tt> is very dependant on <tt>getpw*()</tt> - a database
-of usernames would be much more flexible; the `keep a count of current
-logins' bit has been <tt>#ifdef</tt>'d out and you can only reset the
-counter on successful authentication, for now.
+of usernames would be much more flexible
<sect3>Generic options accepted by both components
<p>
@@ -74,6 +73,11 @@ counter on successful authentication, for now.
<item> <tt>file=</tt><em>/where/to/keep/counts</em>:
specify the file location for the counts.
The default location is <tt>/var/log/faillog</tt>.
+<item> <tt>audit</tt>:
+ display the username typed if the user is not found. It may be
+ useful for scripts, but you should know users often type their
+ password instead making your system weaker. Activate it only if you
+ know what you are doing.
</itemize>
<sect2>Authentication component
@@ -84,23 +88,46 @@ counter on successful authentication, for now.
<tag><bf>Recognized arguments:</bf></tag>
<tt>onerr=</tt>(<tt>succeed</tt>|<tt>fail</tt>);
<tt>file=</tt>/where/to/keep/counts;
-<tt>no_magic_root</tt>
+<tt>deny=</tt><em>n</em>;
+<tt>lock_time=</tt><em>n</em>;
+<tt>unlock_time=</tt><em>n</em>;
+<tt>magic_root</tt>;
+<tt>even_deny_root_account</tt>;
+<tt>per_user</tt>;
+<tt>no_lock_time</tt>
+<tt>no_reset</tt>;
<tag><bf>Description:</bf></tag>
<p>
-The authentication component of this module increments the attempted
-login counter.
+The authentication component first checks if the user should be denied
+access and if not it increments attempted login counter.
+Then on call to <tt>pam_setcred</tt> it resets the attempts counter
+if the user is NOT magic root.
<p>
<tag><bf>Examples/suggested usage:</bf></tag>
<p>
-The module argument <tt>no_magic_root</tt> is used to indicate that if
-the module is invoked by a user with uid=0, then the counter is
-incremented. The sys-admin should use this for daemon-launched
-services, like <tt>telnet</tt>/<tt>rsh</tt>/<tt>login</tt>. For user
-launched services, like <tt>su</tt>, this argument should be omitted.
+The <tt>deny=</tt><em>n</em> option is used to deny access if tally
+for this user exceeds <em>n</em>.
+
+<p>
+The <tt>lock_time=</tt><em>n</em> option is used to always deny access
+for at least <em>n</em> seconds after a failed attempt.
+
+<p>
+The <tt>unlock_time=</tt><em>n</em> option is used to allow access after
+<em>n</em> seconds after the last failed attempt with exceeded tally.
+If this option is used the user will be locked out only for the specified
+amount of time after he exceeded his maximum allowed attempts. Otherwise
+the lock is removed only by a manual intervention of the system administrator.
+
+<p>
+The <tt>magic_root</tt> option is used to indicate that if
+the module is invoked by a user with uid=0, then the counter is not
+incremented. The sys-admin should use this for user launched services,
+like <tt>su</tt>, otherwise this argument should be omitted.
<p>
By way of more explanation, when a process already running as root
@@ -109,9 +136,33 @@ bypasses <tt>pam_tally</tt>'s checks: this is handy for <tt>su</tt>ing
from root into an account otherwise blocked. However, for services
like <tt>telnet</tt> or <tt>login</tt>, which always effectively run
from the root account, root (ie everyone) shouldn't be granted this
-magic status, and the flag `no_magic_root' should be set in this
+magic status, and the flag `magic_root' should not be set in this
situation, as noted in the summary above.
+<p>
+Normally, failed attempts to access root will <bf>NOT</bf> cause the
+root account to become blocked, to prevent denial-of-service: if your
+users aren't given shell accounts and root may only login via
+<tt>su</tt> or at the machine console (not
+<tt>telnet</tt>/<tt>rsh</tt>, etc), this is safe. If you really want
+root to be blocked for some given service, use
+<tt>even_deny_root_account</tt>.
+
+<p>
+If <tt>/var/log/faillog</tt> contains a non-zero <tt>.fail_max/.fail_locktime</tt>
+field for this user then the <tt>per_user</tt> module argument will
+ensure that the module uses this value and not the global
+<tt>deny/lock_time=</tt><em>n</em> parameter.
+
+<p>
+The <tt>no_lock_time</tt> option is for ensuring that the module does
+not use the <tt>.fail_locktime</tt> field in /var/log/faillog for this
+user.
+
+<p>
+The <tt>no_reset</tt> option is used to instruct the module to not reset
+the count on successful entry.
+
</descrip>
<sect2>Account component
@@ -122,67 +173,28 @@ situation, as noted in the summary above.
<tag><bf>Recognized arguments:</bf></tag>
<tt>onerr=</tt>(<tt>succeed</tt>|<tt>fail</tt>);
<tt>file=</tt>/where/to/keep/counts;
-<tt>deny=</tt><em>n</em>;
-<tt>no_magic_root</tt>;
-<tt>even_deny_root_account</tt>;
-<tt>reset</tt>;
+<tt>magic_root</tt>;
<tt>no_reset</tt>;
-<tt>per_user</tt>;
-<tt>no_lock_time</tt>
<tag><bf>Description:</bf></tag>
<p>
-The account component can deny access and/or reset the attempts
-counter. It also checks to make sure that the counts file is a plain
-file and not world writable.
+The account component resets attempts counter if the user is NOT
+magic root. This phase can be used optionaly for services which don't call
+pam_setcred correctly or if the reset should be done regardless
+of the failure of the account phase of other modules.
<tag><bf>Examples/suggested usage:</bf></tag>
<p>
-The <tt>deny=</tt><em>n</em> option is used to deny access if tally
-for this user exceeds <em>n</em>. The presence of
-<tt>deny=</tt><em>n</em> changes the default for
-<tt>reset</tt>/<tt>no_reset</tt> to <tt>reset</tt>, unless the user
-trying to gain access is root and the <tt>no_magic_root</tt> option
-has NOT been specified.
+The <tt>magic_root</tt> option is used to indicate that if
+the module is invoked by a user with uid=0, then the counter is not
+decremented/reset. The sys-admin should use this for user launched services,
+like <tt>su</tt>, otherwise this argument should be omitted.
<p>
-The <tt>no_magic_root</tt> option ensures that access attempts by root
-DON'T ignore deny. Use this for daemon-based stuff, like
-<tt>telnet</tt>/<tt>rsh</tt>/<tt>login</tt>.
-
-<p>
-The <tt>even_deny_root_account</tt> option is used to ensure that the
-root account can become unavailable. <bf>Note</bf> that magic root
-trying to gain root bypasses this, but normal users can be locked out.
-
-<p>
-The <tt>reset</tt> option instructs the module to reset count to 0 on
-successful entry, even for magic root. The <tt>no_reset</tt> option is
-used to instruct the module to not reset the count on successful
-entry. This is the default unless <tt>deny</tt> exists and the user
-attempting access is NOT magic root.
-
-<p>
-If <tt>/var/log/faillog</tt> contains a non-zero <tt>.fail_max</tt>
-field for this user then the <tt>per_user</tt> module argument will
-ensure that the module uses this value and not the global
-<tt>deny=</tt><em>n</em> parameter.
-
-<p>
-The <tt>no_lock_time</tt> option is for ensuring that the module does
-not use the <tt>.fail_locktime</tt> field in /var/log/faillog for this
-user.
-
-<p>
-Normally, failed attempts to access root will <bf>NOT</bf> cause the
-root account to become blocked, to prevent denial-of-service: if your
-users aren't given shell accounts and root may only login via
-<tt>su</tt> or at the machine console (not
-<tt>telnet</tt>/<tt>rsh</tt>, etc), this is safe. If you really want
-root to be blocked for some given service, use
-<tt>even_deny_root_account</tt>.
+The <tt>no_reset</tt> option is used to instruct the module to not reset
+the count on successful entry.
</descrip>
diff --git a/Linux-PAM/doc/modules/pam_time.sgml b/Linux-PAM/doc/modules/pam_time.sgml
index 785f76c2..ef761223 100644
--- a/Linux-PAM/doc/modules/pam_time.sgml
+++ b/Linux-PAM/doc/modules/pam_time.sgml
@@ -1,5 +1,5 @@
<!--
- $Id: pam_time.sgml,v 1.1.1.2 2002/09/15 20:08:33 hartmans Exp $
+ $Id: pam_time.sgml,v 1.4 2002/05/10 04:03:02 agmorgan Exp $
This file was written by Andrew G. Morgan <morgan@kernel.org>
-->
diff --git a/Linux-PAM/doc/modules/pam_unix.sgml b/Linux-PAM/doc/modules/pam_unix.sgml
index 286cd3f8..86c584a8 100644
--- a/Linux-PAM/doc/modules/pam_unix.sgml
+++ b/Linux-PAM/doc/modules/pam_unix.sgml
@@ -97,7 +97,8 @@ login account required pam_unix.so
<tt/use_first_pass/;
<tt/try_first_pass/;
<tt/nullok/;
-<tt/nodelay/
+<tt/nodelay/;
+<tt/noreap/
<tag><bf>Description:</bf></tag>
@@ -126,17 +127,24 @@ authentication as a whole fail. The default action is for the module
to request a delay-on-failure of the order of one second.
<p>
-Remaining arguments, supported by the other functions of this module,
-are silently ignored. Other arguments are logged as errors through
-<tt/syslog(3)/.
-
-<p>
A helper binary, <tt>unix_chkpwd</tt>, is provided to check the user's
password when it is stored in a read protected database. This binary
is very simple and will only check the password of the user invoking
it. It is called transparently on behalf of the user by the
authenticating component of this module. In this way it is possible
-for applications like <em>xlock</em> to work without being setuid-root.
+for applications like <em>xlock</em> to work without being
+setuid-root. The module, by default, will temporarily turn off
+<tt/SIGCHLD/ handling for the duration of execution of the helper
+binary. This is generally the right thing to do, as many applications
+are not prepared to handle this signal from a child they didn't know
+was <tt/fork()/d. The <tt/noreap/ module argument can be used to
+suppress this temporary shielding and may be needed for use with
+certain applications.
+
+<p>
+Remaining arguments, supported by the other functions of this module,
+are silently ignored. Other arguments are logged as errors through
+<tt/syslog(3)/.
<tag><bf>Examples/suggested usage:</bf></tag>
diff --git a/Linux-PAM/doc/modules/pam_userdb.sgml b/Linux-PAM/doc/modules/pam_userdb.sgml
index bdbf80b8..155a2668 100644
--- a/Linux-PAM/doc/modules/pam_userdb.sgml
+++ b/Linux-PAM/doc/modules/pam_userdb.sgml
@@ -50,6 +50,8 @@ what is contained in that database.
<tt/icase/;
<tt/dump/;
<tt/db=XXXX/;
+<tt/use_authtok/;
+<tt/unknown_ok/;
<tag><bf>Description:</bf></tag>
@@ -59,7 +61,7 @@ fields corresponding to the username keys are the passwords, in unencrypted form
so caution must be exercised over the access rights to the DB database itself..
The module will read the password from the user using the conversation mechanism. If
-you are using this module on top of another authetication module (like <tt/pam_pwdb/;)
+you are using this module on top of another authentication module (like <tt/pam_pwdb/;)
then you should tell that module to read the entered password from the PAM_AUTHTOK field, which is set by this module.
<p>
@@ -85,6 +87,18 @@ use the database found on pathname XXXX. Note that Berkeley DB usually adds the
needed filename extension for you, so you should use something like <tt>/etc/foodata</tt>
instead of <tt>/etc/foodata.db</tt>.
+<item> <tt/use_authtok/ -
+use the authentication token previously obtained by another module that did the
+conversation with the application. If this token can not be obtained then
+the module will try to converse again. This option can be used for stacking
+different modules that need to deal with the authentication tokens.
+
+<item>
+<tt/unknown_ok/ -
+do not return error when checking for a user that is not in the database.
+This can be used to stack more than one pam_userdb module that will check a
+username/password pair in more than a database.
+
</itemize>
<tag><bf>Examples/suggested usage:</bf></tag>
diff --git a/Linux-PAM/doc/modules/pam_warn.sgml b/Linux-PAM/doc/modules/pam_warn.sgml
index caedf873..b015554d 100644
--- a/Linux-PAM/doc/modules/pam_warn.sgml
+++ b/Linux-PAM/doc/modules/pam_warn.sgml
@@ -1,5 +1,5 @@
<!--
- $Id: pam_warn.sgml,v 1.1.1.2 2002/09/15 20:08:33 hartmans Exp $
+ $Id: pam_warn.sgml,v 1.2 2001/12/08 18:56:47 agmorgan Exp $
This file was written by Andrew G. Morgan <morgan@kernel.org>
-->
diff --git a/Linux-PAM/doc/modules/pam_wheel.sgml b/Linux-PAM/doc/modules/pam_wheel.sgml
index cc064120..e4dc501a 100644
--- a/Linux-PAM/doc/modules/pam_wheel.sgml
+++ b/Linux-PAM/doc/modules/pam_wheel.sgml
@@ -1,5 +1,5 @@
<!--
- $Id: pam_wheel.sgml,v 1.1.1.2 2002/09/15 20:08:33 hartmans Exp $
+ $Id: pam_wheel.sgml,v 1.3 2002/07/13 05:48:19 agmorgan Exp $
This file was written by Andrew G. Morgan <morgan@kernel.org>
from notes provided by Cristian Gafton.
@@ -22,7 +22,7 @@ Cristian Gafton &lt;gafton@redhat.com&gt;
Author.
<tag><bf>Management groups provided:</bf></tag>
-authentication
+authentication; account
<tag><bf>Cryptographically sensitive:</bf></tag>
@@ -31,7 +31,6 @@ authentication
<tag><bf>Clean code base:</bf></tag>
<tag><bf>System dependencies:</bf></tag>
-Requires libpwdb.
<tag><bf>Network aware:</bf></tag>
@@ -42,7 +41,7 @@ Requires libpwdb.
<p>
Only permit root access to members of the wheel (<tt/gid=0/) group.
-<sect2>Authentication component
+<sect2>Authentication and Account components
<p>
<descrip>
@@ -56,13 +55,17 @@ Only permit root access to members of the wheel (<tt/gid=0/) group.
<tag><bf>Description:</bf></tag>
-This module is used to enforce the so-called <em/wheel/ group. By
+This module is used to enforce the so-called <em/wheel/ group. By
default, it permits root access to the system if the applicant user is
a member of the <tt/wheel/ group (first, the module checks for the
existence of a '<tt/wheel/' group. Otherwise the module defines the
group with group-id <tt/0/ to be the <em/wheel/ group).
<p>
+The module can be used as either an '<tt/auth/' or an '<tt/account/'
+module.
+
+<p>
The action of the module may be modified from this default by one or
more of the following flags in the <tt>/etc/pam.conf</tt> file.
<itemize>
@@ -88,10 +91,13 @@ password. <bf/USE WITH CARE/.
<item>
<tt/deny/ -
-This is used to reverse the logic of the module's behavior.
-If the user is trying to get <tt/uid=0/ access and is a member of the wheel
+This is used to reverse the logic of the module's behavior. If the
+user is trying to get <tt/uid=0/ access and is a member of the wheel
group, deny access (for the wheel group, this is perhaps nonsense!):
it is intended for use in conjunction with the <tt/group=/ argument...
+Conversely, if the user is not in the group, return <tt/PAM_IGNORE/
+(unless <tt/trust/ was also specified, in which case we return
+<tt/PAM_SUCCESS/).
<item>
<tt/group=XXXX/ -
@@ -114,7 +120,7 @@ file:
#
su auth sufficient pam_rootok.so
su auth required pam_wheel.so
-su auth required pam_unix_auth.so
+su auth required pam_unix.so
</verb>
</tscreen>