Diffstat (limited to 'Linux-PAM/modules/pam_keyinit/pam_keyinit.8')
-rw-r--r-- | Linux-PAM/modules/pam_keyinit/pam_keyinit.8 | 133 |
1 files changed, 133 insertions, 0 deletions
diff --git a/Linux-PAM/modules/pam_keyinit/pam_keyinit.8 b/Linux-PAM/modules/pam_keyinit/pam_keyinit.8 new file mode 100644 index 00000000..40b1e125 --- /dev/null +++ b/Linux-PAM/modules/pam_keyinit/pam_keyinit.8 
@@ -0,0 +1,133 @@ +.\"Generated by db2man.xsl. Don't modify this, modify the source. +.de Sh \" Subsection +.br +.if t .Sp +.ne 5 +.PP +\fB\\$1\fR +.PP +.. +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Ip \" List item +.br +.ie \\n(.$>=3 .ne \\$3 +.el .ne 3 +.IP "\\$1" \\$2 +.. +.TH "PAM_KEYINIT" 8 "" "" "" +.SH NAME +pam_keyinit \- Kernel session keyring initialiser module +.SH "SYNOPSIS" +.ad l +.hy 0 +.HP 15 +\fBpam_keyinit\&.so\fR [debug] [force] [revoke] +.ad +.hy + +.SH "DESCRIPTION" + +.PP +The pam_keyinit PAM module ensures that the invoking process has a session keyring other than the user default session keyring\&. + +.PP +The session component of the module checks to see if the process's session keyring is the user default, and, if it is, creates a new anonymous session keyring with which to replace it\&. + +.PP +If a new session keyring is created, it will install a link to the user common keyring in the session keyring so that keys common to the user will be automatically accessible through it\&. + +.PP +The session keyring of the invoking process will thenceforth be inherited by all its children unless they override it\&. + +.PP +This module is intended primarily for use by login processes\&. Be aware that after the session keyring has been replaced, the old session keyring and the keys it contains will no longer be accessible\&. + +.PP +This module should not, generally, be invoked by programs like \fIsu\fR, since it is usually desirable for the key set to percolate through to the alternate context\&. The keys have their own permissions system to manage this\&. + +.PP +This module should be included as early as possible in a PAM configuration, so that other PAM modules can attach tokens to the keyring\&. + +.PP +The keyutils package is used to manipulate keys more directly\&. 
This included in the Fedora Extras 5+ and Red Hat Enterprise Linux 4 U2+ and can also be obtained from: + +.PP + Keyutils : \fIhttp://people.redhat.com/~dhowells/keyutils/\fR + +.SH "OPTIONS" + +.TP +\fBdebug\fR +Log debug information with \fBsyslog\fR(3)\&. + +.TP +\fBforce\fR +Causes the session keyring of the invoking process to be replaced unconditionally\&. + +.TP +\fBrevoke\fR +Causes the session keyring of the invoking process to be revoked when the invoking process exits if the session keyring was created for this process in the first place\&. + +.SH "MODULE SERVICES PROVIDED" + +.PP +Only the \fIsession\fR service is supported\&. + +.SH "RETURN VALUES" + +.TP +PAM_SUCCESS +This module will usually return this value + +.TP +PAM_AUTH_ERR +Authentication failure\&. + +.TP +PAM_BUF_ERR +Memory buffer error\&. + +.TP +PAM_IGNORE +The return value should be ignored by PAM dispatch\&. + +.TP +PAM_SERVICE_ERR +Cannot determine the user name\&. + +.TP +PAM_SESSION_ERR +This module will return this value if its arguments are invalid or if a system error such as ENOMEM occurs\&. + +.TP +PAM_USER_UNKNOWN +User not known\&. + +.SH "EXAMPLES" + +.PP +Add this line to your login entries to start each login session with its own session keyring: + +.nf + +session required pam_keyinit\&.so + +.fi + + +.PP +This will prevent keys from one session leaking into another session for the same user\&. + +.SH "SEE ALSO" + +.PP + \fBpam\&.conf\fR(5), \fBpam\&.d\fR(8), \fBpam\fR(8) \fBkeyctl\fR(1) + +.SH "AUTHOR" + +.PP +pam_keyinit was written by David Howells, <dhowells@redhat\&.com>\&. + |
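Review bot: In the DESCRIPTION section, the sentence "This included in the Fedora Extras 5+ and Red Hat Enterprise Linux 4 U2+" is missing its verb ("This is included in ..."), and in SEE ALSO there is no comma between \fBpam\fR(8) and \fBkeyctl\fR(1). The header says the file is generated by db2man.xsl, so both should be fixed in the source and the page regenerated rather than edited here. In RETURN VALUES, PAM_AUTH_ERR ("Authentication failure") and PAM_USER_UNKNOWN are listed although MODULE SERVICES PROVIDED states that only the session service is supported; please say under which conditions the session hooks return them, or drop them if they cannot occur. The PAM_SUCCESS entry ("This module will usually return this value") would also be clearer if it named the cases where it does not. Finally, the EXAMPLES line shows the module with no options; since the DESCRIPTION targets login processes and OPTIONS describes revoke as revoking the created keyring when the invoking process exits, consider adding a second example line with revoke and a sentence on when to prefer it.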