author | Steve Langasek <steve.langasek@ubuntu.com> | 2019-01-03 12:44:11 -0800 |
---|---|---|
committer | Steve Langasek <steve.langasek@ubuntu.com> | 2019-01-03 12:44:11 -0800 |
commit | efd31890b5ed496a5a00c08a262da240e66a4ddc (patch) | |
tree | 22a7aab22b3a491bb58df250d7d6409e0c160bcc /doc/modules/pam_deny.sgml | |
parent | 067affee9267fa0d1c21835182ba639ba33e820f (diff) | |
New upstream version 0.76
Diffstat (limited to 'doc/modules/pam_deny.sgml')
-rw-r--r-- | doc/modules/pam_deny.sgml | 177 |
1 files changed, 0 insertions, 177 deletions
diff --git a/doc/modules/pam_deny.sgml b/doc/modules/pam_deny.sgml deleted file mode 100644 index 6953231f..00000000 --- a/doc/modules/pam_deny.sgml +++ /dev/null 
@@ -1,177 +0,0 @@ -<!-- - $Id$ - - This file was written by Andrew G. Morgan <morgan@kernel.org> ---> - -<sect1>The locking-out module - -<sect2>Synopsis - -<p> -<descrip> - -<tag><bf>Module Name:</bf></tag> -pam_deny - -<tag><bf>Author:</bf></tag> -Andrew G. Morgan <morgan@kernel.org> - -<tag><bf>Maintainer:</bf></tag> -current <bf/Linux-PAM/ maintainer - -<tag><bf>Management groups provided:</bf></tag> -account; authentication; password; session - -<tag><bf>Cryptographically sensitive:</bf></tag> - -<tag><bf>Security rating:</bf></tag> - -<tag><bf>Clean code base:</bf></tag> -clean. - -<tag><bf>System dependencies:</bf></tag> - -<tag><bf>Network aware:</bf></tag> - -</descrip> - -<sect2>Overview of module - -<p> -This module can be used to deny access. It always indicates a failure -to the application through the PAM framework. As is commented in the -overview section <ref id="overview-section" name="above">, this module -might be suitable for using for default (the <tt/OTHER/) entries. - -<sect2>Account component - -<p> -<descrip> - -<tag><bf>Recognized arguments:</bf></tag> - -<tag><bf>Description:</bf></tag> - -This component does nothing other than return a failure. The -failure type is <tt/PAM_ACCT_EXPIRED/. - -<tag><bf>Examples/suggested usage:</bf></tag> - -Stacking this module with type <tt/account/ will prevent the user from -gaining access to the system via applications that refer to -<bf/Linux-PAM/'s account management function <tt/pam_acct_mgmt()/. - -<p> -The following example would make it impossible to login: -<tscreen> -<verb> -# -# add this line to your other login entries to disable all accounts -# -login account required pam_deny.so -</verb> -</tscreen> - -</descrip> - -<sect2>Authentication component - -<p> -<descrip> - -<tag><bf>Recognized arguments:</bf></tag> - -<tag><bf>Description:</bf></tag> - -This component does nothing other than return a failure. 
The failure -type is <tt/PAM_AUTH_ERR/ in the case that <tt/pam_authenticate()/ is -called (when the application tries to authenticate the user), and is -<tt/PAM_CRED_UNAVAIL/ when the application calls <tt/pam_setcred()/ -(to establish and set the credentials of the user -- it is unlikely -that this function will ever be called in practice). - -<tag><bf>Examples/suggested usage:</bf></tag> - -To deny access to default applications with this component of the -<tt/pam_deny/ module, you might include the following line in your -<bf/Linux-PAM/ configuration file: -<tscreen> -<verb> -# -# add this line to your existing OTHER entries to prevent -# authentication succeeding with default applications. -# -OTHER auth required pam_deny.so -</verb> -</tscreen> - -</descrip> - -<sect2>Password component - -<p> -<descrip> - -<tag><bf>Recognized arguments:</bf></tag> - -<tag><bf>Description:</bf></tag> - -This component of the module denies the user the opportunity to change -their password. It always responds with <tt/PAM_AUTHTOK_ERR/ when -invoked. - -<tag><bf>Examples/suggested usage:</bf></tag> - -This module should be used to prevent an application from updating the -applicant user's password. For example, to prevent <tt/login/ from -automatically prompting for a new password when the old one has -expired you should include the following line in your configuration -file: -<tscreen> -<verb> -# -# add this line to your other login entries to prevent the login -# application from being able to change the user's password. -# -login password required pam_deny.so -</verb> -</tscreen> - -</descrip> - -<sect2>Session component - -<p> -<descrip> - -<tag><bf>Recognized arguments:</bf></tag> - -<tag><bf>Description:</bf></tag> - -This aspect of the module prevents an application from starting a -session on the host computer. 
- -<tag><bf>Examples/suggested usage:</bf></tag> - -Together with another session module, that displays a message of the -day perhaps (<tt/pam_motd/ for example), this module can be used to -block a user from starting a shell. We might use the following entries -in the configuration file to inform the user it is system time: -<tscreen> -<verb> -# -# An example to see how to configure login to refuse the user a -# session (politely) -# -login session required pam_motd.so \ - motd=/etc/system_time -login session required pam_deny.so -</verb> -</tscreen> - -</descrip> - -<!-- -End of sgml insert for this module. ---> |
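Review bot: the whole of doc/modules/pam_deny.sgml is deleted (177 lines, `+++ /dev/null`) under the message "New upstream version 0.76", which does not say whether this documentation was moved, regenerated or dropped. The diffstat shown here is limited to this one file, so a replacement cannot be confirmed from this view. The removed text is where the per-group failure codes are recorded (`PAM_ACCT_EXPIRED` for account, `PAM_AUTH_ERR` and `PAM_CRED_UNAVAIL` for authentication, `PAM_AUTHTOK_ERR` for password), along with the recommendation to use the module for the default entries via `OTHER auth required pam_deny.so`. Please state in the commit message where the pam_deny documentation lives in 0.76 and check that the replacement keeps those return codes and the `OTHER` example. Note also that the deleted session section never named its return code and left the "Security rating" and "Cryptographically sensitive" tags empty, so a replacement should fill those in rather than carry the gaps over.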