diff options
Diffstat (limited to 'Linux-PAM/doc/modules/pam_access.sgml')
| -rw-r--r-- | Linux-PAM/doc/modules/pam_access.sgml | 117 |
1 files changed, 117 insertions, 0 deletions
diff --git a/Linux-PAM/doc/modules/pam_access.sgml b/Linux-PAM/doc/modules/pam_access.sgml new file mode 100644 index 00000000..8a910d13 --- /dev/null +++ b/Linux-PAM/doc/modules/pam_access.sgml @@ -0,0 +1,117 @@ +<!-- + + pam_access module docs added by Tim Berger <timb@transmeta.com> + +--> + +<sect1> The access module + +<sect2>Synopsis + +<p> +<descrip> + +<tag><bf>Module Name:</bf></tag> + +<tt>pam_access</tt> + + +<tag><bf>Author[s]:</bf></tag> + +Alexei Nogin <alexei@nogin.dnttm.ru> + +<tag><bf>Maintainer:</bf></tag> + +<tag><bf>Management groups provided:</bf></tag> + +account + +<tag><bf>Cryptographically sensitive:</bf></tag> + +<tag><bf>Security rating:</bf></tag> + +<tag><bf>Clean code base:</bf></tag> + +<tag><bf>System dependencies:</bf></tag> +Requires a configuration file. By default +<tt>/etc/security/access.conf</tt> is used but this can be overridden. + +<tag><bf>Network aware:</bf></tag> + +Through <tt/PAM_TTY/ if set, otherwise attempts getting tty name of +the stdin file descriptor with <tt/ttyname()/. Standard +gethostname(), <tt/yp_get_default_domain()/, <tt/gethostbyname()/ +calls. <bf/NIS/ is used for netgroup support. + +</descrip> + +<sect2>Overview of module + +<p> +Provides logdaemon style login access control. + +<sect2> Account component + +<p> +<descrip> + +<tag><bf>Recognized arguments:</bf></tag> + +<tt>accessfile=<it>/path/to/file.conf</it></tt>; +<tt>fieldsep=<it>separators</it></tt> + +<tag><bf>Description:</bf></tag> + +This module provides logdaemon style login access control based on +login names and on host (or domain) names, internet addresses (or +network numbers), or on terminal line names in case of non-networked +logins. Diagnostics are reported through <tt/syslog(3)/. Wietse +Venema's <tt/login_access.c/ from <em/logdaemon-5.6/ is used with +several changes by A. Nogin. + +<p> +The behavior of this module can be modified with the following +arguments: +<itemize> + +<item><tt>accessfile=/path/to/file.conf</tt> - +indicate an alternative <em/access/ configuration file to override +the default. This can be useful when different services need different +access lists. + +<item><tt>fieldsep=<it>separators</it></tt> - +this option modifies the field separator character that +<tt/pam_access/ will recognize when parsing the access configuration +file. For example: <tt>fieldsep=|</tt> will cause the default `:' +character to be treated as part of a field value and `|' becomes the +field separator. Doing this is useful in conjuction with a system that +wants to use pam_access with X based applications, since the +<tt/PAM_TTY/ item is likely to be of the form "hostname:0" which +includes a `:' character in its value. + +</itemize> + +<tag><bf>Examples/suggested usage:</bf></tag> + +Use of module is recommended, for example, on administrative machines +such as <bf/NIS/ servers and mail servers where you need several accounts +active but don't want them all to have login capability. + +For <tt>/etc/pam.d</tt> style configurations where your modules live +in <tt>/lib/security</tt>, start by adding the following line to +<tt>/etc/pam.d/login</tt>, <tt>/etc/pam.d/rlogin</tt>, +<tt>/etc/pam.d/rsh</tt> and <tt>/etc/pam.d/ftp</tt>: + +<tscreen> +<verb> +account required /lib/security/pam_access.so +</verb> +</tscreen> + +Note that use of this module is not effective unless your system ignores +<tt>.rhosts</tt> files. See the the pam_rhosts_auth documentation. + +A sample <tt>access.conf</tt> configuration file is included with the +distribution. + +</descrip> |