From cf2fc5ff7b4a8555fda2a5ebe5f6ab0e45c22996 Mon Sep 17 00:00:00 2001 
From: Stefan Schubert Date: Tue, 25 Oct 2022 16:29:41 +0200 Subject: doc: Update PAM documentation from DockBook 4 to DocBook 5 Changed files -------------- Make.xml.rules.in: - Using RNG file instead of DTD file for checking XML files. - Taking the correct stylesheet for README files. doc/sag/Makefile.am, doc/adg/Makefile.am, doc/mwg/Makefile.am: - Using RNG file instead of DTD file for checking XML files. configure.ac: - Adding a new option for selecting RNG check file (-enable-docbook-rng) - Switching stylesheets to docbook 5 - Checking DocBook 5 environment instead of DocBook 4 environment *.xml: Update from DockBook 4 to DocBook 5 --- doc/adg/Linux-PAM_ADG.xml | 199 ++++++++++++++------------------ doc/adg/Makefile.am | 6 +- doc/adg/pam_acct_mgmt.xml | 20 ++-- doc/adg/pam_authenticate.xml | 20 ++-- doc/adg/pam_chauthtok.xml | 20 ++-- doc/adg/pam_close_session.xml | 20 ++-- doc/adg/pam_conv.xml | 20 ++-- doc/adg/pam_end.xml | 20 ++-- doc/adg/pam_fail_delay.xml | 20 ++-- doc/adg/pam_get_item.xml | 20 ++-- doc/adg/pam_getenv.xml | 20 ++-- doc/adg/pam_getenvlist.xml | 20 ++-- doc/adg/pam_misc_conv.xml | 15 +-- doc/adg/pam_misc_drop_env.xml | 15 +-- doc/adg/pam_misc_paste_env.xml | 15 +-- doc/adg/pam_misc_setenv.xml | 15 +-- doc/adg/pam_open_session.xml | 20 ++-- doc/adg/pam_putenv.xml | 20 ++-- doc/adg/pam_set_item.xml | 20 ++-- doc/adg/pam_setcred.xml | 20 ++-- doc/adg/pam_start.xml | 20 ++-- doc/adg/pam_strerror.xml | 20 ++-- doc/man/misc_conv.3.xml | 35 +++--- doc/man/pam.3.xml | 40 +++---- doc/man/pam.8.xml | 85 +++++++------- doc/man/pam.conf-desc.xml | 7 +- doc/man/pam.conf-dir.xml | 9 +- doc/man/pam.conf-syntax.xml | 12 +- doc/man/pam.conf.5.xml | 28 ++--- doc/man/pam_acct_mgmt.3.xml | 20 ++-- doc/man/pam_authenticate.3.xml | 20 ++-- doc/man/pam_chauthtok.3.xml | 20 ++-- doc/man/pam_close_session.3.xml | 21 ++-- doc/man/pam_conv.3.xml | 20 ++-- doc/man/pam_end.3.xml | 21 ++-- doc/man/pam_error.3.xml | 23 ++-- doc/man/pam_fail_delay.3.xml | 27 ++--- 
doc/man/pam_get_authtok.3.xml | 33 +++--- doc/man/pam_get_data.3.xml | 21 ++-- doc/man/pam_get_item.3.xml | 33 ++---- doc/man/pam_get_user.3.xml | 21 ++-- doc/man/pam_getenv.3.xml | 20 ++-- doc/man/pam_getenvlist.3.xml | 20 ++-- doc/man/pam_info.3.xml | 23 ++-- doc/man/pam_item_types_ext.inc.xml | 5 +- doc/man/pam_item_types_std.inc.xml | 5 +- doc/man/pam_misc_drop_env.3.xml | 21 ++-- doc/man/pam_misc_paste_env.3.xml | 21 ++-- doc/man/pam_misc_setenv.3.xml | 21 ++-- doc/man/pam_open_session.3.xml | 21 ++-- doc/man/pam_prompt.3.xml | 23 ++-- doc/man/pam_putenv.3.xml | 20 ++-- doc/man/pam_set_data.3.xml | 21 ++-- doc/man/pam_set_item.3.xml | 33 ++---- doc/man/pam_setcred.3.xml | 21 ++-- doc/man/pam_sm_acct_mgmt.3.xml | 22 ++-- doc/man/pam_sm_authenticate.3.xml | 22 ++-- doc/man/pam_sm_chauthtok.3.xml | 30 +++-- doc/man/pam_sm_close_session.3.xml | 22 ++-- doc/man/pam_sm_open_session.3.xml | 22 ++-- doc/man/pam_sm_setcred.3.xml | 24 ++-- doc/man/pam_start.3.xml | 21 ++-- doc/man/pam_strerror.3.xml | 21 ++-- doc/man/pam_syslog.3.xml | 21 ++-- doc/man/pam_xauth_data.3.xml | 21 ++-- doc/mwg/Linux-PAM_MWG.xml | 178 ++++++++++++---------------- doc/mwg/Makefile.am | 6 +- doc/mwg/pam_conv.xml | 20 ++-- doc/mwg/pam_fail_delay.xml | 20 ++-- doc/mwg/pam_get_data.xml | 20 ++-- doc/mwg/pam_get_item.xml | 20 ++-- doc/mwg/pam_get_user.xml | 20 ++-- doc/mwg/pam_getenv.xml | 20 ++-- doc/mwg/pam_getenvlist.xml | 20 ++-- doc/mwg/pam_putenv.xml | 20 ++-- doc/mwg/pam_set_data.xml | 20 ++-- doc/mwg/pam_set_item.xml | 20 ++-- doc/mwg/pam_sm_acct_mgmt.xml | 20 ++-- doc/mwg/pam_sm_authenticate.xml | 20 ++-- doc/mwg/pam_sm_chauthtok.xml | 20 ++-- doc/mwg/pam_sm_close_session.xml | 20 ++-- doc/mwg/pam_sm_open_session.xml | 20 ++-- doc/mwg/pam_sm_setcred.xml | 20 ++-- doc/mwg/pam_strerror.xml | 20 ++-- doc/sag/Linux-PAM_SAG.xml | 229 ++++++++++++++----------------------- doc/sag/Makefile.am | 7 +- doc/sag/pam_access.xml | 52 ++++----- doc/sag/pam_debug.xml | 42 +++---- doc/sag/pam_deny.xml | 
42 +++---- doc/sag/pam_echo.xml | 42 +++---- doc/sag/pam_env.xml | 52 ++++----- doc/sag/pam_exec.xml | 42 +++---- doc/sag/pam_faildelay.xml | 42 +++---- doc/sag/pam_faillock.xml | 47 +++----- doc/sag/pam_filter.xml | 42 +++---- doc/sag/pam_ftp.xml | 42 +++---- doc/sag/pam_group.xml | 52 ++++----- doc/sag/pam_issue.xml | 42 +++---- doc/sag/pam_keyinit.xml | 42 +++---- doc/sag/pam_lastlog.xml | 42 +++---- doc/sag/pam_limits.xml | 52 ++++----- doc/sag/pam_listfile.xml | 42 +++---- doc/sag/pam_localuser.xml | 42 +++---- doc/sag/pam_loginuid.xml | 42 +++---- doc/sag/pam_mail.xml | 42 +++---- doc/sag/pam_mkhomedir.xml | 42 +++---- doc/sag/pam_motd.xml | 42 +++---- doc/sag/pam_namespace.xml | 52 ++++----- doc/sag/pam_nologin.xml | 42 +++---- doc/sag/pam_permit.xml | 42 +++---- doc/sag/pam_pwhistory.xml | 47 +++----- doc/sag/pam_rhosts.xml | 42 +++---- doc/sag/pam_rootok.xml | 42 +++---- doc/sag/pam_securetty.xml | 42 +++---- doc/sag/pam_selinux.xml | 42 +++---- doc/sag/pam_sepermit.xml | 47 +++----- doc/sag/pam_setquota.xml | 42 +++---- doc/sag/pam_shells.xml | 42 +++---- doc/sag/pam_succeed_if.xml | 42 +++---- doc/sag/pam_time.xml | 52 ++++----- doc/sag/pam_timestamp.xml | 52 ++++----- doc/sag/pam_tty_audit.xml | 47 +++----- doc/sag/pam_umask.xml | 42 +++---- doc/sag/pam_unix.xml | 42 +++---- doc/sag/pam_userdb.xml | 42 +++---- doc/sag/pam_warn.xml | 42 +++---- doc/sag/pam_wheel.xml | 42 +++---- doc/sag/pam_xauth.xml | 42 +++---- 128 files changed, 1647 insertions(+), 2549 deletions(-) (limited to 'doc') diff --git a/doc/adg/Linux-PAM_ADG.xml b/doc/adg/Linux-PAM_ADG.xml index 79452e17..169e15cf 100644 --- a/doc/adg/Linux-PAM_ADG.xml +++ b/doc/adg/Linux-PAM_ADG.xml 
@@ -1,50 +1,39 @@ - - - - + + The Linux-PAM Application Developers' Guide - - Andrew G. - Morgan - morgan@kernel.org - - - Thorsten - Kukuk - kukuk@thkukuk.de - + Andrew G.Morganmorgan@kernel.org + ThorstenKukukkukuk@thkukuk.de Version 1.1.2, 31. August 2010 This manual documents what an application developer needs to know - about the Linux-PAM library. It + about the Linux-PAM library. It describes how an application might use the - Linux-PAM library to authenticate + Linux-PAM library to authenticate users. In addition it contains a description of the functions to be found in libpam_misc library, that can be used in general applications. Finally, it contains some comments on PAM related security issues for the application developer. - + - + Introduction -
+
Description - Linux-PAM + Linux-PAM (Pluggable Authentication Modules for Linux) is a library that enables the local system administrator to choose how individual applications authenticate users. For an overview of the - Linux-PAM library see the + Linux-PAM library see the Linux-PAM System Administrators' Guide. - It is the purpose of the Linux-PAM + It is the purpose of the Linux-PAM project to liberate the development of privilege granting software from the development of secure and appropriate authentication schemes. This is accomplished by providing a documented library of functions @@ -64,11 +53,11 @@
-
+
Synopsis For general applications that wish to use the services provided by - Linux-PAM the following is a summary + Linux-PAM the following is a summary of the relevant linking information: #include <security/pam_appl.h> @@ -92,7 +81,7 @@ cc -o application .... -lpam -lpam_misc
- + Overview Most service-giving applications are restricted. In other words, @@ -108,7 +97,7 @@ cc -o application .... -lpam -lpam_misc authentication-token (password changing) management services. It is important to realize when writing a PAM based application that these services are provided in a manner that is - transparent to the application. That is + transparent to the application. That is to say, when the application is written, no assumptions can be made about how the client will be authenticated. @@ -206,74 +195,58 @@ cc -o application .... -lpam -lpam_misc - + - The public interface to <emphasis remap='B'>Linux-PAM</emphasis> + The public interface to <emphasis remap="B">Linux-PAM</emphasis> Firstly, the relevant include file for the - Linux-PAM library is + Linux-PAM library is <security/pam_appl.h>. It contains the definitions for a number of functions. After listing these functions, we collect some guiding remarks for programmers. -
+
What can be expected by the application - - - - - - - - - - - - - - - + + + + + + + + + + + + + + +
-
+
What is expected of an application - +
-
+
Programming notes Note, all of the authentication service function calls accept the - token PAM_SILENT, which instructs + token PAM_SILENT, which instructs the modules to not send messages to the application. This token can be logically OR'd with any one of the permitted tokens specific to the individual function calls. - PAM_SILENT does not override the + PAM_SILENT does not override the prompting of the user for passwords etc., it only stops informative messages from being generated.
- + - Security issues of <emphasis remap='B'>Linux-PAM</emphasis> + Security issues of <emphasis remap="B">Linux-PAM</emphasis> PAM, from the perspective of an application, is a convenient API for @@ -284,19 +257,19 @@ cc -o application .... -lpam -lpam_misc A poorly (or maliciously) written application can defeat any - Linux-PAM module's authentication + Linux-PAM module's authentication mechanisms by simply ignoring it's return values. It is the applications task and responsibility to grant privileges and access - to services. The Linux-PAM library + to services. The Linux-PAM library simply assumes the responsibility of authenticating the user; ascertaining that the user is who they say they are. Care should be taken to anticipate all of the documented - behavior of the Linux-PAM library + behavior of the Linux-PAM library functions. A failure to do this will most certainly lead to a future security breach. -
+
Care about standard library calls In general, writers of authorization-granting applications should @@ -308,9 +281,9 @@ cc -o application .... -lpam -lpam_misc function is likely to corrupt a pointer previously obtained by the application. The application programmer should either re-call such a 'libc' function after a call to the - Linux-PAM library, or copy the + Linux-PAM library, or copy the structure contents to some safe area of memory before passing - control to the Linux-PAM library. + control to the Linux-PAM library. Two important function classes that fall into this category are @@ -322,12 +295,12 @@ cc -o application .... -lpam -lpam_misc
-
+
Choice of a service name When picking the service-name that corresponds to the first entry in the - Linux-PAM configuration file, + Linux-PAM configuration file, the application programmer should avoid the temptation of choosing something related to argv[0]. It is a trivial matter for any user @@ -352,11 +325,11 @@ cc -o application .... -lpam -lpam_misc and then run ./preferred_name. - By studying the Linux-PAM + By studying the Linux-PAM configuration file(s), an attacker can choose the preferred_name to be that of a service enjoying minimal protection; for example a game which uses - Linux-PAM to restrict access to + Linux-PAM to restrict access to certain hours of the day. If the service-name were to be linked to the filename under which the service was invoked, it is clear that the user is effectively in the position of @@ -370,7 +343,7 @@ cc -o application .... -lpam -lpam_misc
-
+
The conversation function Care should be taken to ensure that the conv() @@ -380,10 +353,10 @@ cc -o application .... -lpam -lpam_misc
-
+
The identity of the user - The Linux-PAM modules will need + The Linux-PAM modules will need to determine the identity of the user who requests a service, and the identity of the user who grants the service. These two users will seldom be the same. Indeed there is generally a third @@ -444,7 +417,7 @@ cc -o application .... -lpam -lpam_misc
-
+
Sufficient resources Care should be taken to ensure that the proper execution of an @@ -465,7 +438,7 @@ cc -o application .... -lpam -lpam_misc
- + A library of miscellaneous helper functions To aid the work of the application developer a library of @@ -479,24 +452,20 @@ cc -o application .... -lpam -lpam_misc library can be defined by including <security/pam_misc.h>. It should be noted that this library is specific to - Linux-PAM and is not referred to in + Linux-PAM and is not referred to in the defining DCE-RFC (see See also) below. -
+
Functions supplied - - - - + + + +
- + Porting legacy applications The point of PAM is that the application is not supposed to @@ -545,7 +514,7 @@ cc -o application .... -lpam -lpam_misc - + Glossary of PAM related terms The following are a list of terms used within this document. @@ -585,17 +554,17 @@ cc -o application .... -lpam -lpam_misc - + An example application - To get a flavor of the way a Linux-PAM + To get a flavor of the way a Linux-PAM application is written we include the following example. It prompts the user for their password and indicates whether their account is valid on the standard output, its return code also indicates the success (0 for success; 1 for failure). - /* This program was contributed by Shane Watts [modifications by AGM and kukuk] @@ -607,9 +576,9 @@ cc -o application .... -lpam -lpam_misc account required pam_unix.so */ -#include -#include -#include +#include <security/pam_appl.h> +#include <security/pam_misc.h> +#include <stdio.h> static struct pam_conv conv = { misc_conv, @@ -626,12 +595,12 @@ int main(int argc, char *argv[]) user = argv[1]; } - if(argc > 2) { + if(argc > 2) { fprintf(stderr, "Usage: check_user [username]\n"); exit(1); } - retval = pam_start("check_user", user, &conv, &pamh); + retval = pam_start("check_user", user, &conv, &pamh); if (retval == PAM_SUCCESS) retval = pam_authenticate(pamh, 0); /* is user really user? */ @@ -655,24 +624,24 @@ int main(int argc, char *argv[]) return ( retval == PAM_SUCCESS ? 0:1 ); /* indicate success */ } -]]> + - + Files - /usr/include/security/pam_appl.h + /usr/include/security/pam_appl.h Header file with interfaces for - Linux-PAM applications. + Linux-PAM applications. - /usr/include/security/pam_misc.h + /usr/include/security/pam_misc.h Header file for useful library functions for making @@ -683,7 +652,7 @@ int main(int argc, char *argv[]) - + See also @@ -706,7 +675,7 @@ int main(int argc, char *argv[]) - + Author/acknowledgments This document was written by Andrew G. Morgan (morgan@kernel.org) 
@@ -726,14 +695,14 @@ int main(int argc, char *argv[]) Thanks are also due to Sun Microsystems, especially to Vipin Samar and Charlie Lai for their advice. At an early stage in the development of - Linux-PAM, Sun graciously made the + Linux-PAM, Sun graciously made the documentation for their implementation of PAM available. This act greatly accelerated the development of - Linux-PAM. + Linux-PAM. - + Copyright information for this document Copyright (c) 2006 Thorsten Kukuk <kukuk@thkukuk.de> @@ -777,4 +746,4 @@ TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH - + \ No newline at end of file diff --git a/doc/adg/Makefile.am b/doc/adg/Makefile.am index b795b1a4..77abdb71 100644 --- a/doc/adg/Makefile.am +++ b/doc/adg/Makefile.am @@ -16,7 +16,7 @@ all: Linux-PAM_ADG.txt html/Linux-PAM_ADG.html Linux-PAM_ADG.pdf Linux-PAM_ADG.pdf: $(XMLS) $(DEP_XMLS) if ENABLE_GENERATE_PDF - $(XMLLINT) --nonet --xinclude --postvalid --noent --noout $< + $(XMLLINT) --nonet --xinclude --relaxng $(DOCBOOK_RNG) --noent --noout $< $(XSLTPROC) --stringparam generate.toc "book toc" \ --stringparam section.autolabel 1 \ --stringparam section.label.includes.component.label 1 \ @@ -28,7 +28,7 @@ else endif Linux-PAM_ADG.txt: $(XMLS) $(DEP_XMLS) - $(XMLLINT) --nonet --xinclude --postvalid --noent --noout $< + $(XMLLINT) --nonet --xinclude --relaxng $(DOCBOOK_RNG) --noent --noout $< $(XSLTPROC) --stringparam generate.toc "book toc" \ --stringparam section.autolabel 1 \ --stringparam section.label.includes.component.label 1 \ 
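Review bot: The new `--relaxng $(DOCBOOK_RNG)` argument is passed unquoted in the Linux-PAM_ADG.pdf and Linux-PAM_ADG.txt rules, and again in the html/Linux-PAM_ADG.html hunk that follows. If DOCBOOK_RNG ever expands to nothing, xmllint would take `--noent` as the schema path and the validation step would stop checking what it claims to. The configure.ac side is not visible in this part of the patch, so a non-empty default may already be guaranteed; even so, quoting the argument makes an empty value fail loudly: `$(XMLLINT) --nonet --xinclude --relaxng "$(DOCBOOK_RNG)" --noent --noout $<`. Keeping `--nonet` is the right call for a build that must not fetch remote content, but it means a schema given as an http URL should only load when the local XML catalog maps it. A comment above the rules would help builders here, for example `# DOCBOOK_RNG must be a local path or a catalog-resolvable URI; --nonet blocks fetching it`.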
@@ -37,7 +37,7 @@ Linux-PAM_ADG.txt: $(XMLS) $(DEP_XMLS) html/Linux-PAM_ADG.html: $(XMLS) $(DEP_XMLS) @test -d html || mkdir -p html - $(XMLLINT) --nonet --xinclude --postvalid --noent --noout $< + $(XMLLINT) --nonet --xinclude --relaxng $(DOCBOOK_RNG) --noent --noout $< $(XSLTPROC) --stringparam base.dir html/ \ --stringparam root.filename Linux-PAM_ADG \ --stringparam use.id.as.filename 1 \ diff --git a/doc/adg/pam_acct_mgmt.xml b/doc/adg/pam_acct_mgmt.xml index 6a3a37d2..afcf2f2f 100644 --- a/doc/adg/pam_acct_mgmt.xml +++ b/doc/adg/pam_acct_mgmt.xml @@ -1,18 +1,12 @@ - - -
+
Account validation management - + -
- +
+
-
- +
+
-
+
\ No newline at end of file diff --git a/doc/adg/pam_authenticate.xml b/doc/adg/pam_authenticate.xml index 2ca9b540..aa36c687 100644 --- a/doc/adg/pam_authenticate.xml +++ b/doc/adg/pam_authenticate.xml @@ -1,18 +1,12 @@ - - -
+
Authenticating the user - + -
- +
+
-
- +
+
-
+
\ No newline at end of file diff --git a/doc/adg/pam_chauthtok.xml b/doc/adg/pam_chauthtok.xml index 1c613da7..e6815dde 100644 --- a/doc/adg/pam_chauthtok.xml +++ b/doc/adg/pam_chauthtok.xml @@ -1,18 +1,12 @@ - - -
+
Updating authentication tokens - + -
- +
+
-
- +
+
-
+
\ No newline at end of file diff --git a/doc/adg/pam_close_session.xml b/doc/adg/pam_close_session.xml index 4b93fc3a..ed83d7a1 100644 --- a/doc/adg/pam_close_session.xml +++ b/doc/adg/pam_close_session.xml @@ -1,18 +1,12 @@ - - -
+
terminating PAM session management - + -
- +
+
-
- +
+
-
+
\ No newline at end of file diff --git a/doc/adg/pam_conv.xml b/doc/adg/pam_conv.xml index 01b75127..b2ba876e 100644 --- a/doc/adg/pam_conv.xml +++ b/doc/adg/pam_conv.xml @@ -1,11 +1,7 @@ - - -
+
The conversation function - + struct pam_message { @@ -24,12 +20,10 @@ struct pam_conv { void *appdata_ptr; }; -
- +
+
-
- +
+
-
+
\ No newline at end of file diff --git a/doc/adg/pam_end.xml b/doc/adg/pam_end.xml index efa328be..5e719255 100644 --- a/doc/adg/pam_end.xml +++ b/doc/adg/pam_end.xml @@ -1,18 +1,12 @@ - - -
+
Termination of PAM transaction - + -
- +
+
-
- +
+
-
+
\ No newline at end of file diff --git a/doc/adg/pam_fail_delay.xml b/doc/adg/pam_fail_delay.xml index 589e1148..d602a1f7 100644 --- a/doc/adg/pam_fail_delay.xml +++ b/doc/adg/pam_fail_delay.xml @@ -1,18 +1,12 @@ - - -
+
Request a delay on failure - + -
- +
+
-
- +
+
-
+
\ No newline at end of file diff --git a/doc/adg/pam_get_item.xml b/doc/adg/pam_get_item.xml index f23c734b..d12cb17d 100644 --- a/doc/adg/pam_get_item.xml +++ b/doc/adg/pam_get_item.xml @@ -1,18 +1,12 @@ - - -
+
Getting PAM items - + -
- +
+
-
- +
+
-
+
\ No newline at end of file diff --git a/doc/adg/pam_getenv.xml b/doc/adg/pam_getenv.xml index 61d69c33..f7b483ed 100644 --- a/doc/adg/pam_getenv.xml +++ b/doc/adg/pam_getenv.xml @@ -1,18 +1,12 @@ - - -
+
Get a PAM environment variable - + -
- +
+
-
- +
+
-
+
\ No newline at end of file diff --git a/doc/adg/pam_getenvlist.xml b/doc/adg/pam_getenvlist.xml index d3c2fcd3..4433c04d 100644 --- a/doc/adg/pam_getenvlist.xml +++ b/doc/adg/pam_getenvlist.xml @@ -1,18 +1,12 @@ - - -
+
Getting the PAM environment - + -
- +
+
-
- +
+
-
+
\ No newline at end of file diff --git a/doc/adg/pam_misc_conv.xml b/doc/adg/pam_misc_conv.xml index 2dc760cc..4f54e11a 100644 --- a/doc/adg/pam_misc_conv.xml +++ b/doc/adg/pam_misc_conv.xml @@ -1,14 +1,9 @@ - - -
+
Text based conversation function - + -
- +
+
-
+
\ No newline at end of file diff --git a/doc/adg/pam_misc_drop_env.xml b/doc/adg/pam_misc_drop_env.xml index 956d4815..cacb770e 100644 --- a/doc/adg/pam_misc_drop_env.xml +++ b/doc/adg/pam_misc_drop_env.xml @@ -1,14 +1,9 @@ - - -
+
Liberating a locally saved environment - + -
- +
+
-
+
\ No newline at end of file diff --git a/doc/adg/pam_misc_paste_env.xml b/doc/adg/pam_misc_paste_env.xml index c6d3856b..8ab2440a 100644 --- a/doc/adg/pam_misc_paste_env.xml +++ b/doc/adg/pam_misc_paste_env.xml @@ -1,14 +1,9 @@ - - -
+
Transcribing an environment to that of PAM - + -
- +
+
-
+
\ No newline at end of file diff --git a/doc/adg/pam_misc_setenv.xml b/doc/adg/pam_misc_setenv.xml index 3b1a32e4..7e8c489b 100644 --- a/doc/adg/pam_misc_setenv.xml +++ b/doc/adg/pam_misc_setenv.xml @@ -1,14 +1,9 @@ - - -
+
BSD like PAM environment variable setting - + -
- +
+
-
+
\ No newline at end of file diff --git a/doc/adg/pam_open_session.xml b/doc/adg/pam_open_session.xml index ba738a55..10afa755 100644 --- a/doc/adg/pam_open_session.xml +++ b/doc/adg/pam_open_session.xml @@ -1,18 +1,12 @@ - - -
+
Start PAM session management - + -
- +
+
-
- +
+
-
+
\ No newline at end of file diff --git a/doc/adg/pam_putenv.xml b/doc/adg/pam_putenv.xml index e55f1a42..6378a15b 100644 --- a/doc/adg/pam_putenv.xml +++ b/doc/adg/pam_putenv.xml @@ -1,18 +1,12 @@ - - -
+
Set or change PAM environment variable - + -
- +
+
-
- +
+
-
+
\ No newline at end of file diff --git a/doc/adg/pam_set_item.xml b/doc/adg/pam_set_item.xml index 41169387..efc4292b 100644 --- a/doc/adg/pam_set_item.xml +++ b/doc/adg/pam_set_item.xml @@ -1,18 +1,12 @@ - - -
+
Setting PAM items - + -
- +
+
-
- +
+
-
+
\ No newline at end of file diff --git a/doc/adg/pam_setcred.xml b/doc/adg/pam_setcred.xml index 1d3d23cd..488028cd 100644 --- a/doc/adg/pam_setcred.xml +++ b/doc/adg/pam_setcred.xml @@ -1,18 +1,12 @@ - - -
+
Setting user credentials - + -
- +
+
-
- +
+
-
+
\ No newline at end of file diff --git a/doc/adg/pam_start.xml b/doc/adg/pam_start.xml index e5ec8481..c7ee4494 100644 --- a/doc/adg/pam_start.xml +++ b/doc/adg/pam_start.xml @@ -1,18 +1,12 @@ - - -
+
Initialization of PAM transaction - + -
- +
+
-
- +
+
-
+
\ No newline at end of file diff --git a/doc/adg/pam_strerror.xml b/doc/adg/pam_strerror.xml index 35b08a27..e4e1c56a 100644 --- a/doc/adg/pam_strerror.xml +++ b/doc/adg/pam_strerror.xml @@ -1,18 +1,12 @@ - - -
+
Strings describing PAM error codes - + -
- +
+
-
- +
+
-
+
\ No newline at end of file diff --git a/doc/man/misc_conv.3.xml b/doc/man/misc_conv.3.xml index d902ba83..92d4acd1 100644 --- a/doc/man/misc_conv.3.xml +++ b/doc/man/misc_conv.3.xml @@ -1,16 +1,13 @@ - - - - + misc_conv 3 - Linux-PAM Manual + Linux-PAM + Linux-PAM Manual - + misc_conv text based conversation function @@ -18,7 +15,7 @@ - + #include <security/pam_misc.h> int misc_conv @@ -30,7 +27,7 @@ - + DESCRIPTION The misc_conv function is part of @@ -50,7 +47,7 @@ - time_t pam_misc_conv_warn_time; + time_t pam_misc_conv_warn_time; This variable contains the time (as @@ -67,7 +64,7 @@ - const char *pam_misc_conv_warn_line; + const char *pam_misc_conv_warn_line; Used in conjunction with @@ -83,7 +80,7 @@ - time_t pam_misc_conv_die_time; + time_t pam_misc_conv_die_time; This variable contains the time (as @@ -100,7 +97,7 @@ - const char *pam_misc_conv_die_line; + const char *pam_misc_conv_die_line; Used in conjunction with @@ -116,7 +113,7 @@ - int pam_misc_conv_died; + int pam_misc_conv_died; Following a return from the Linux-PAM @@ -136,7 +133,7 @@ - int (*pam_binary_handler_fn)(void *appdata, pamc_bp_t *prompt_p); + int (*pam_binary_handler_fn)(void *appdata, pamc_bp_t *prompt_p); @@ -151,7 +148,7 @@ - int (*pam_binary_handler_free)(void *appdata, pamc_bp_t *delete_me); + int (*pam_binary_handler_free)(void *appdata, pamc_bp_t *delete_me); @@ -164,7 +161,7 @@ - + SEE ALSO @@ -176,7 +173,7 @@ - + STANDARDS The misc_conv function is part of the @@ -185,4 +182,4 @@ - + \ No newline at end of file diff --git a/doc/man/pam.3.xml b/doc/man/pam.3.xml index 0b1efccf..4b828016 100644 --- a/doc/man/pam.3.xml +++ b/doc/man/pam.3.xml @@ -1,20 +1,18 @@ - - - + pam 3 - Linux-PAM Manual + Linux-PAM + Linux-PAM Manual - + pam Pluggable Authentication Modules Library - + #include <security/pam_appl.h> #include <security/pam_modules.h> 
@@ -22,10 +20,10 @@ - + DESCRIPTION - PAM is a system of libraries + PAM is a system of libraries that handle the authentication tasks of applications (services) on the system. The library provides a stable general interface (Application Programming Interface - API) that privilege granting @@ -38,7 +36,7 @@ defer to to perform standard authentication tasks. - + Initialization and Cleanup The @@ -64,7 +62,7 @@ - + Authentication The @@ -85,7 +83,7 @@ - + Account Management The @@ -98,7 +96,7 @@ - + Password Management The @@ -109,7 +107,7 @@ - + Session Management The @@ -124,7 +122,7 @@ - + Conversation The PAM library uses an application-defined callback to allow @@ -141,7 +139,7 @@ - + Data Objects The @@ -176,7 +174,7 @@ - + Environment and Error Management The @@ -202,7 +200,7 @@ - + RETURN VALUES The following return codes are known by PAM: @@ -389,7 +387,7 @@ - SEE ALSO + SEE ALSO pam_acct_mgmt3 @@ -430,10 +428,10 @@ - NOTES + NOTES The libpam interfaces are only thread-safe if each thread within the multithreaded application uses its own PAM handle. - + \ No newline at end of file diff --git a/doc/man/pam.8.xml b/doc/man/pam.8.xml index 8eef665a..20cd19d9 100644 --- a/doc/man/pam.8.xml +++ b/doc/man/pam.8.xml @@ -1,32 +1,29 @@ - - - - + pam 8 - Linux-PAM Manual + Linux-PAM + Linux-PAM Manual - + PAM pam Pluggable Authentication Modules for Linux - + DESCRIPTION This manual is intended to offer a quick introduction to - Linux-PAM. For more information + Linux-PAM. For more information the reader is directed to the - Linux-PAM system administrators' guide. + Linux-PAM system administrators' guide. - Linux-PAM is a system of libraries + Linux-PAM is a system of libraries that handle the authentication tasks of applications (services) on the system. The library provides a stable general interface (Application Programming Interface - API) that privilege granting 
@@ -43,12 +40,12 @@ system administrator is free to choose how individual service-providing applications will authenticate users. This dynamic configuration is set by the contents of the single - Linux-PAM configuration file + Linux-PAM configuration file /etc/pam.conf. Alternatively, the configuration can be set by individual configuration files located in the /etc/pam.d/ directory. The presence of this - directory will cause Linux-PAM to - ignore /etc/pam.conf. + directory will cause Linux-PAM to + ignore /etc/pam.conf. @@ -64,26 +61,26 @@ From the point of view of the system administrator, for whom this manual is provided, it is not of primary importance to understand the internal behavior of the -Linux-PAM +Linux-PAM library. The important point to recognize is that the configuration file(s) -define +define the connection between applications -(services) +(services) and the pluggable authentication modules -(PAMs) +(PAMs) that perform the actual authentication tasks. -Linux-PAM +Linux-PAM separates the tasks of -authentication +authentication into four independent management groups: -account management; -authentication management; -password management; +account management; +authentication management; +password management; and -session management. +session management. (We highlight the abbreviations used for these groups in the configuration file.) @@ -92,12 +89,12 @@ configuration file.) user's request for a restricted service: -account - +account - provide account verification types of service: has the user's password expired?; is this user permitted access to the requested service? -authentication - +authentication - authenticate a user and set up user credentials. Typically this is via some challenge-response request that the user must satisfy: if you are who you claim to be please enter your password. Not all authentications 
@@ -105,64 +102,64 @@ are of this type, there exist hardware based authentication schemes (such as the use of smart-cards and biometric devices), with suitable modules, these may be substituted seamlessly for more standard approaches to authentication - such is the flexibility of -Linux-PAM. +Linux-PAM. -password - +password - this group's responsibility is the task of updating authentication mechanisms. Typically, such services are strongly coupled to those of the -auth +auth group. Some authentication mechanisms lend themselves well to being updated with such a function. Standard UN*X password-based access is the obvious example: please enter a replacement password. -session - +session - this group of tasks cover things that should be done prior to a service being given and after it is withdrawn. Such tasks include the maintenance of audit trails and the mounting of the user's home directory. The -session +session management group is important as it provides both an opening and closing hook for modules to affect the services available to a user. - + FILES - /etc/pam.conf + /etc/pam.conf the configuration file - /etc/pam.d + /etc/pam.d - the Linux-PAM configuration + the Linux-PAM configuration directory. Generally, if this directory is present, the /etc/pam.conf file is ignored. - /usr/lib/pam.d + /usr/lib/pam.d - the Linux-PAM vendor configuration + the Linux-PAM vendor configuration directory. Files in /etc/pam.d override files with the same name in this directory. - %vendordir%/pam.d + %vendordir%/pam.d - the Linux-PAM vendor configuration + the Linux-PAM vendor configuration directory. Files in /etc/pam.d and /usr/lib/pam.d override files with the same name in this directory. @@ -172,18 +169,18 @@ closing hook for modules to affect the services available to a user. - + ERRORS Typically errors generated by the - Linux-PAM system of libraries, will + Linux-PAM system of libraries, will be written to syslog3 . - + CONFORMING TO DCE-RFC 86.0, October 1995. 
@@ -192,7 +189,7 @@ closing hook for modules to affect the services available to a user. - + SEE ALSO @@ -212,4 +209,4 @@ closing hook for modules to affect the services available to a user. - + \ No newline at end of file diff --git a/doc/man/pam.conf-desc.xml b/doc/man/pam.conf-desc.xml index 909dcdbe..5dca89fe 100644 --- a/doc/man/pam.conf-desc.xml +++ b/doc/man/pam.conf-desc.xml @@ -1,7 +1,4 @@ - - -
+
When a PAM aware privilege granting application is started, it activates its attachment to the PAM-API. This @@ -18,4 +15,4 @@ behavior of the PAM-API in the event that individual PAMs fail. -
+
\ No newline at end of file diff --git a/doc/man/pam.conf-dir.xml b/doc/man/pam.conf-dir.xml index 8446cf35..8272337b 100644 --- a/doc/man/pam.conf-dir.xml +++ b/doc/man/pam.conf-dir.xml @@ -1,7 +1,4 @@ - - -
+
More flexible than the single configuration file is it to configure libpam via the contents of the @@ -25,6 +22,6 @@ type control module-path module-arguments The only difference being that the service-name is not present. The service-name is of course the name of the given configuration file. For example, /etc/pam.d/login contains the - configuration for the login service. + configuration for the login service. -
+
\ No newline at end of file diff --git a/doc/man/pam.conf-syntax.xml b/doc/man/pam.conf-syntax.xml index 5112f930..c7d90081 100644 --- a/doc/man/pam.conf-syntax.xml +++ b/doc/man/pam.conf-syntax.xml @@ -1,8 +1,4 @@ - - - -
+
The syntax of the /etc/pam.conf configuration file is as follows. The file is made up of a list @@ -18,7 +14,7 @@ - service type control module-path module-arguments + service type control module-path module-arguments @@ -411,7 +407,7 @@ should use `\]'. In other words: - [..[..\]..] --> ..[..].. + [..[..\]..] --> ..[..].. @@ -424,4 +420,4 @@ . -
+
\ No newline at end of file diff --git a/doc/man/pam.conf.5.xml b/doc/man/pam.conf.5.xml index 68f576af..62a2b410 100644 --- a/doc/man/pam.conf.5.xml +++ b/doc/man/pam.conf.5.xml @@ -1,15 +1,13 @@ - - - + pam.conf 5 - Linux-PAM Manual + Linux-PAM + Linux-PAM Manual - + pam.conf pam.d PAM configuration files @@ -17,22 +15,16 @@ - + DESCRIPTION - + - + - + - + SEE ALSO @@ -47,4 +39,4 @@ - + \ No newline at end of file diff --git a/doc/man/pam_acct_mgmt.3.xml b/doc/man/pam_acct_mgmt.3.xml index 59760d7f..de6a94ab 100644 --- a/doc/man/pam_acct_mgmt.3.xml +++ b/doc/man/pam_acct_mgmt.3.xml @@ -1,14 +1,12 @@ - - - + pam_acct_mgmt 3 - Linux-PAM Manual + Linux-PAM + Linux-PAM Manual - + pam_acct_mgmt PAM account validation management @@ -16,7 +14,7 @@ - + #include <security/pam_appl.h> int pam_acct_mgmt @@ -27,7 +25,7 @@ - + DESCRIPTION The pam_acct_mgmt function is used to determine @@ -62,7 +60,7 @@ - + RETURN VALUES @@ -122,7 +120,7 @@ - + SEE ALSO @@ -142,4 +140,4 @@ - + \ No newline at end of file diff --git a/doc/man/pam_authenticate.3.xml b/doc/man/pam_authenticate.3.xml index c2004eb4..794a5c71 100644 --- a/doc/man/pam_authenticate.3.xml +++ b/doc/man/pam_authenticate.3.xml @@ -1,14 +1,12 @@ - - - + pam_authenticate 3 - Linux-PAM Manual + Linux-PAM + Linux-PAM Manual - + pam_authenticate account authentication @@ -16,7 +14,7 @@ - + #include <security/pam_appl.h> int pam_authenticate @@ -27,7 +25,7 @@ - + DESCRIPTION The pam_authenticate function is used to @@ -77,7 +75,7 @@ - + RETURN VALUES @@ -146,7 +144,7 @@ - + SEE ALSO @@ -166,4 +164,4 @@ - + \ No newline at end of file diff --git a/doc/man/pam_chauthtok.3.xml b/doc/man/pam_chauthtok.3.xml index f42bc68f..e184f45f 100644 --- a/doc/man/pam_chauthtok.3.xml +++ b/doc/man/pam_chauthtok.3.xml @@ -1,14 +1,12 @@ - - - + pam_chauthtok 3 - Linux-PAM Manual + Linux-PAM + Linux-PAM Manual - + pam_chauthtok updating authentication tokens @@ -16,7 +14,7 @@ - + #include <security/pam_appl.h> int pam_chauthtok 
@@ -27,7 +25,7 @@ - + DESCRIPTION The pam_chauthtok function is used to change the @@ -64,7 +62,7 @@ - + RETURN VALUES @@ -138,7 +136,7 @@ - + SEE ALSO @@ -161,4 +159,4 @@ - + \ No newline at end of file diff --git a/doc/man/pam_close_session.3.xml b/doc/man/pam_close_session.3.xml index db549bda..e1c74ebd 100644 --- a/doc/man/pam_close_session.3.xml +++ b/doc/man/pam_close_session.3.xml @@ -1,16 +1,13 @@ - - - - + pam_close_session 3 - Linux-PAM Manual + Linux-PAM + Linux-PAM Manual - + pam_close_session terminate PAM session management @@ -18,7 +15,7 @@ - + #include <security/pam_appl.h> int pam_close_session @@ -29,7 +26,7 @@ - + DESCRIPTION The pam_close_session function is used @@ -63,7 +60,7 @@ - + RETURN VALUES @@ -101,7 +98,7 @@ - + SEE ALSO @@ -112,4 +109,4 @@ - + \ No newline at end of file diff --git a/doc/man/pam_conv.3.xml b/doc/man/pam_conv.3.xml index 5106ddf7..31834f3c 100644 --- a/doc/man/pam_conv.3.xml +++ b/doc/man/pam_conv.3.xml @@ -1,14 +1,12 @@ - - - + pam_conv 3 - Linux-PAM Manual + Linux-PAM + Linux-PAM Manual - + pam_conv PAM conversation function @@ -16,7 +14,7 @@ - + #include <security/pam_appl.h> @@ -38,7 +36,7 @@ struct pam_conv { - + DESCRIPTION The PAM library uses an application-defined callback to allow @@ -174,7 +172,7 @@ struct pam_conv { - + RETURN VALUES @@ -205,7 +203,7 @@ struct pam_conv { - + SEE ALSO @@ -225,4 +223,4 @@ struct pam_conv { - + \ No newline at end of file diff --git a/doc/man/pam_end.3.xml b/doc/man/pam_end.3.xml index 5febf85a..b2584e73 100644 --- a/doc/man/pam_end.3.xml +++ b/doc/man/pam_end.3.xml @@ -1,16 +1,13 @@ - - - - + pam_end 3 - Linux-PAM Manual + Linux-PAM + Linux-PAM Manual - + pam_end termination of PAM transaction @@ -18,7 +15,7 @@ - + #include <security/pam_appl.h> int pam_end @@ -29,7 +26,7 @@ - + DESCRIPTION The pam_end function terminates the PAM @@ -79,7 +76,7 @@ - + RETURN VALUES @@ -102,7 +99,7 @@ - + SEE ALSO @@ -119,4 +116,4 @@ - + \ No newline at end of file 
diff --git a/doc/man/pam_error.3.xml b/doc/man/pam_error.3.xml index de167f2c..0f294c22 100644 --- a/doc/man/pam_error.3.xml +++ b/doc/man/pam_error.3.xml @@ -1,16 +1,13 @@ - - - - + pam_error 3 - Linux-PAM Manual + Linux-PAM + Linux-PAM Manual - + pam_error pam_verror display error messages to the user @@ -18,7 +15,7 @@ - + #include <security/pam_ext.h> @@ -36,7 +33,7 @@ - + DESCRIPTION The pam_error function prints error messages @@ -51,7 +48,7 @@ variable argument list macros. - + RETURN VALUES @@ -89,7 +86,7 @@ - + SEE ALSO @@ -110,7 +107,7 @@ - + STANDARDS The pam_error and pam_verror @@ -118,4 +115,4 @@ - + \ No newline at end of file diff --git a/doc/man/pam_fail_delay.3.xml b/doc/man/pam_fail_delay.3.xml index 53c1f89e..c400736a 100644 --- a/doc/man/pam_fail_delay.3.xml +++ b/doc/man/pam_fail_delay.3.xml @@ -1,16 +1,13 @@ - - - - + pam_fail_delay 3 - Linux-PAM Manual + Linux-PAM + Linux-PAM Manual - + pam_fail_delay request a delay on failure @@ -18,7 +15,7 @@ - + #include <security/pam_appl.h> int pam_fail_delay @@ -28,7 +25,7 @@ - + DESCRIPTION The pam_fail_delay function provides a @@ -105,7 +102,7 @@ void (*delay_fn)(int retval, unsigned usec_delay, void *appdata_ptr); - + RATIONALE It is often possible to attack an authentication scheme by exploiting @@ -129,7 +126,7 @@ void (*delay_fn)(int retval, unsigned usec_delay, void *appdata_ptr); - + EXAMPLE For example, a login application may require a failure delay of @@ -161,7 +158,7 @@ module #2: pam_fail_delay (pamh, 4000000); - + RETURN VALUES @@ -183,7 +180,7 @@ module #2: pam_fail_delay (pamh, 4000000); - + SEE ALSO @@ -198,7 +195,7 @@ module #2: pam_fail_delay (pamh, 4000000); - + STANDARDS The pam_fail_delay function is an @@ -206,4 +203,4 @@ module #2: pam_fail_delay (pamh, 4000000); - + \ No newline at end of file diff --git a/doc/man/pam_get_authtok.3.xml b/doc/man/pam_get_authtok.3.xml index 5d50b168..ba6d955e 100644 --- a/doc/man/pam_get_authtok.3.xml +++ b/doc/man/pam_get_authtok.3.xml 
@@ -1,16 +1,13 @@ - - - - + pam_get_authtok 3 - Linux-PAM Manual + Linux-PAM + Linux-PAM Manual - + pam_get_authtok pam_get_authtok_verify pam_get_authtok_noverify @@ -19,7 +16,7 @@ - + #include <security/pam_ext.h> @@ -44,7 +41,7 @@ - + DESCRIPTION The pam_get_authtok function returns the @@ -119,7 +116,7 @@ - + OPTIONS pam_get_authtok honours the following module @@ -128,7 +125,7 @@ - + try_first_pass @@ -140,7 +137,7 @@ - + use_first_pass @@ -153,7 +150,7 @@ - + use_authtok @@ -166,7 +163,7 @@ - + authtok_type=XXX @@ -182,7 +179,7 @@ - + RETURN VALUES @@ -228,7 +225,7 @@ - + SEE ALSO @@ -237,7 +234,7 @@ - + STANDARDS The pam_get_authtok function is a Linux-PAM @@ -245,4 +242,4 @@ - + \ No newline at end of file diff --git a/doc/man/pam_get_data.3.xml b/doc/man/pam_get_data.3.xml index e84e5a4c..1e71cf3b 100644 --- a/doc/man/pam_get_data.3.xml +++ b/doc/man/pam_get_data.3.xml @@ -1,16 +1,13 @@ - - - - + pam_get_data 3 - Linux-PAM Manual + Linux-PAM + Linux-PAM Manual - + pam_get_data get module internal data @@ -22,7 +19,7 @@ - + #include <security/pam_modules.h> int pam_get_data @@ -35,7 +32,7 @@ - + DESCRIPTION This function together with the @@ -58,7 +55,7 @@ - + RETURN VALUES @@ -90,7 +87,7 @@ - + SEE ALSO @@ -105,4 +102,4 @@ - + \ No newline at end of file diff --git a/doc/man/pam_get_item.3.xml b/doc/man/pam_get_item.3.xml index 1145273c..c30a279f 100644 --- a/doc/man/pam_get_item.3.xml +++ b/doc/man/pam_get_item.3.xml @@ -1,22 +1,13 @@ - - - ---> -]> - - + pam_get_item 3 - Linux-PAM Manual + Linux-PAM + Linux-PAM Manual - + pam_get_item getting PAM information @@ -28,7 +19,7 @@ - + #include <security/pam_modules.h> int pam_get_item @@ -41,7 +32,7 @@ - + DESCRIPTION The pam_get_item function allows applications @@ -55,16 +46,14 @@ item_type: - + The following additional items are specific to Linux-PAM and should not be used in portable applications: - + If a service module wishes to obtain the name of the user, @@ -80,7 +69,7 @@ - + RETURN VALUES 
@@ -128,7 +117,7 @@ - + SEE ALSO @@ -140,4 +129,4 @@ - + \ No newline at end of file diff --git a/doc/man/pam_get_user.3.xml b/doc/man/pam_get_user.3.xml index 8bb176e4..121b3aa7 100644 --- a/doc/man/pam_get_user.3.xml +++ b/doc/man/pam_get_user.3.xml @@ -1,16 +1,13 @@ - - - - + pam_get_user 3 - Linux-PAM Manual + Linux-PAM + Linux-PAM Manual - + pam_get_user get user name @@ -22,7 +19,7 @@ - + #include <security/pam_modules.h> int pam_get_user @@ -35,7 +32,7 @@ - + DESCRIPTION The pam_get_user function returns the @@ -87,7 +84,7 @@ - + RETURN VALUES @@ -143,7 +140,7 @@ - + SEE ALSO @@ -161,4 +158,4 @@ - + \ No newline at end of file diff --git a/doc/man/pam_getenv.3.xml b/doc/man/pam_getenv.3.xml index 7e8db015..df25863b 100644 --- a/doc/man/pam_getenv.3.xml +++ b/doc/man/pam_getenv.3.xml @@ -1,14 +1,12 @@ - - - + pam_getenv 3 - Linux-PAM Manual + Linux-PAM + Linux-PAM Manual - + pam_getenv get a PAM environment variable @@ -16,7 +14,7 @@ - + #include <security/pam_appl.h> const char *pam_getenv @@ -27,7 +25,7 @@ - + DESCRIPTION The pam_getenv function searches the @@ -39,7 +37,7 @@ - + RETURN VALUES The pam_getenv function returns NULL @@ -47,7 +45,7 @@ - + SEE ALSO @@ -64,4 +62,4 @@ - + \ No newline at end of file diff --git a/doc/man/pam_getenvlist.3.xml b/doc/man/pam_getenvlist.3.xml index 1c29b737..54b1f411 100644 --- a/doc/man/pam_getenvlist.3.xml +++ b/doc/man/pam_getenvlist.3.xml @@ -1,14 +1,12 @@ - - - + pam_getenvlist 3 - Linux-PAM Manual + Linux-PAM + Linux-PAM Manual - + pam_getenvlist getting the PAM environment @@ -16,7 +14,7 @@ - + #include <security/pam_appl.h> char **pam_getenvlist @@ -26,7 +24,7 @@ - + DESCRIPTION The pam_getenvlist function returns a complete @@ -57,7 +55,7 @@ - + RETURN VALUES The pam_getenvlist function returns NULL @@ -65,7 +63,7 @@ - + SEE ALSO @@ -82,4 +80,4 @@ - + \ No newline at end of file diff --git a/doc/man/pam_info.3.xml b/doc/man/pam_info.3.xml index 88e671c7..5155d419 100644 --- a/doc/man/pam_info.3.xml 
+++ b/doc/man/pam_info.3.xml @@ -1,16 +1,13 @@ - - - - + pam_info 3 - Linux-PAM Manual + Linux-PAM + Linux-PAM Manual - + pam_info pam_vinfo display messages to the user @@ -18,7 +15,7 @@ - + #include <security/pam_ext.h> @@ -36,7 +33,7 @@ - + DESCRIPTION The pam_info function prints messages @@ -51,7 +48,7 @@ variable argument list macros. - + RETURN VALUES @@ -89,7 +86,7 @@ - + SEE ALSO @@ -98,7 +95,7 @@ - + STANDARDS The pam_info and pam_vinfo @@ -106,4 +103,4 @@ - + \ No newline at end of file diff --git a/doc/man/pam_item_types_ext.inc.xml b/doc/man/pam_item_types_ext.inc.xml index d36a5bd1..a5fee9c2 100644 --- a/doc/man/pam_item_types_ext.inc.xml +++ b/doc/man/pam_item_types_ext.inc.xml @@ -1,6 +1,5 @@ - - + PAM_FAIL_DELAY @@ -58,4 +57,4 @@ - + \ No newline at end of file diff --git a/doc/man/pam_item_types_std.inc.xml b/doc/man/pam_item_types_std.inc.xml index 81f240b0..9b229486 100644 --- a/doc/man/pam_item_types_std.inc.xml +++ b/doc/man/pam_item_types_std.inc.xml @@ -1,6 +1,5 @@ - - + PAM_SERVICE @@ -135,4 +134,4 @@ - + \ No newline at end of file diff --git a/doc/man/pam_misc_drop_env.3.xml b/doc/man/pam_misc_drop_env.3.xml index 1941f589..a7f6cc80 100644 --- a/doc/man/pam_misc_drop_env.3.xml +++ b/doc/man/pam_misc_drop_env.3.xml @@ -1,16 +1,13 @@ - - - - + pam_misc_drop_env 3 - Linux-PAM Manual + Linux-PAM + Linux-PAM Manual - + pam_misc_drop_env liberating a locally saved environment @@ -18,7 +15,7 @@ - + #include <security/pam_misc.h> int pam_misc_drop_env @@ -27,7 +24,7 @@ - + DESCRIPTION This function is defined to complement the @@ -39,7 +36,7 @@ - + SEE ALSO @@ -51,7 +48,7 @@ - + STANDARDS The pam_misc_drop_env function is part of the @@ -60,4 +57,4 @@ - + \ No newline at end of file diff --git a/doc/man/pam_misc_paste_env.3.xml b/doc/man/pam_misc_paste_env.3.xml index d9a282c0..06194a9d 100644 --- a/doc/man/pam_misc_paste_env.3.xml +++ b/doc/man/pam_misc_paste_env.3.xml 
@@ -1,16 +1,13 @@ - - - - + pam_misc_paste_env 3 - Linux-PAM Manual + Linux-PAM + Linux-PAM Manual - + pam_misc_paste_env transcribing an environment to that of PAM @@ -18,7 +15,7 @@ - + #include <security/pam_misc.h> int pam_misc_paste_env @@ -28,7 +25,7 @@ - + DESCRIPTION This function takes the supplied list of environment pointers and @@ -37,7 +34,7 @@ - + SEE ALSO @@ -49,7 +46,7 @@ - + STANDARDS The pam_misc_paste_env function is part of the @@ -58,4 +55,4 @@ - + \ No newline at end of file diff --git a/doc/man/pam_misc_setenv.3.xml b/doc/man/pam_misc_setenv.3.xml index 7e61a8dd..4414d54d 100644 --- a/doc/man/pam_misc_setenv.3.xml +++ b/doc/man/pam_misc_setenv.3.xml @@ -1,15 +1,12 @@ - - - - + pam_misc_setenv 3 - Linux-PAM Manual + Linux-PAM + Linux-PAM Manual - + pam_misc_setenv BSD like PAM environment variable setting @@ -17,7 +14,7 @@ - + #include <security/pam_misc.h> int pam_misc_setenv @@ -29,7 +26,7 @@ - + DESCRIPTION This function performs a task equivalent to @@ -44,7 +41,7 @@ - + SEE ALSO @@ -56,7 +53,7 @@ - + STANDARDS The pam_misc_setenv function is part of the @@ -65,4 +62,4 @@ - + \ No newline at end of file diff --git a/doc/man/pam_open_session.3.xml b/doc/man/pam_open_session.3.xml index eba0bc01..d37b3e59 100644 --- a/doc/man/pam_open_session.3.xml +++ b/doc/man/pam_open_session.3.xml @@ -1,16 +1,13 @@ - - - - + pam_open_session 3 - Linux-PAM Manual + Linux-PAM + Linux-PAM Manual - + pam_open_session start PAM session management @@ -18,7 +15,7 @@ - + #include <security/pam_appl.h> int pam_open_session @@ -29,7 +26,7 @@ - + DESCRIPTION The pam_open_session function sets up a @@ -63,7 +60,7 @@ - + RETURN VALUES @@ -101,7 +98,7 @@ - + SEE ALSO @@ -112,4 +109,4 @@ - + \ No newline at end of file diff --git a/doc/man/pam_prompt.3.xml b/doc/man/pam_prompt.3.xml index bf0c9bf6..c65a0c90 100644 --- a/doc/man/pam_prompt.3.xml +++ b/doc/man/pam_prompt.3.xml 
@@ -1,16 +1,13 @@ - - - - + pam_prompt 3 - Linux-PAM Manual + Linux-PAM + Linux-PAM Manual - + pam_prompt pam_vprompt interface to conversation function @@ -18,7 +15,7 @@ - + #include <security/pam_ext.h> @@ -40,7 +37,7 @@ - + DESCRIPTION The pam_prompt function constructs a message @@ -52,7 +49,7 @@ - + RETURN VALUES @@ -91,7 +88,7 @@ - + SEE ALSO @@ -103,7 +100,7 @@ - + STANDARDS The pam_prompt and pam_vprompt @@ -111,4 +108,4 @@ - + \ No newline at end of file diff --git a/doc/man/pam_putenv.3.xml b/doc/man/pam_putenv.3.xml index 2d4afbc5..7267046f 100644 --- a/doc/man/pam_putenv.3.xml +++ b/doc/man/pam_putenv.3.xml @@ -1,14 +1,12 @@ - - - + pam_putenv 3 - Linux-PAM Manual + Linux-PAM + Linux-PAM Manual - + pam_putenv set or change PAM environment variable @@ -16,7 +14,7 @@ - + #include <security/pam_appl.h> int pam_putenv @@ -27,7 +25,7 @@ - + DESCRIPTION The pam_putenv function is used to @@ -83,7 +81,7 @@ - + RETURN VALUES @@ -129,7 +127,7 @@ - + SEE ALSO @@ -149,4 +147,4 @@ - + \ No newline at end of file diff --git a/doc/man/pam_set_data.3.xml b/doc/man/pam_set_data.3.xml index c20068c6..2bcfeb0b 100644 --- a/doc/man/pam_set_data.3.xml +++ b/doc/man/pam_set_data.3.xml @@ -1,16 +1,13 @@ - - - - + pam_set_data 3 - Linux-PAM Manual + Linux-PAM + Linux-PAM Manual - + pam_set_data set module internal data @@ -22,7 +19,7 @@ - + #include <security/pam_modules.h> int pam_set_data @@ -36,7 +33,7 @@ - + DESCRIPTION The pam_set_data function associates a pointer @@ -123,7 +120,7 @@ - + RETURN VALUES @@ -154,7 +151,7 @@ - + SEE ALSO @@ -169,4 +166,4 @@ - + \ No newline at end of file diff --git a/doc/man/pam_set_item.3.xml b/doc/man/pam_set_item.3.xml index 30ab92b9..1dbaeebf 100644 --- a/doc/man/pam_set_item.3.xml +++ b/doc/man/pam_set_item.3.xml @@ -1,22 +1,13 @@ - - - ---> -]> - - + pam_set_item 3 - Linux-PAM Manual + Linux-PAM + Linux-PAM Manual - + pam_set_item set and update PAM information @@ -28,7 +19,7 @@ - + #include <security/pam_modules.h> int pam_set_item 
@@ -41,7 +32,7 @@ - + DESCRIPTION The pam_set_item function allows applications @@ -52,16 +43,14 @@ supported: - + The following additional items are specific to Linux-PAM and should not be used in portable applications: - + For all item_types, other than PAM_CONV and @@ -81,7 +70,7 @@ - + RETURN VALUES @@ -121,7 +110,7 @@ - + SEE ALSO @@ -133,4 +122,4 @@ - + \ No newline at end of file diff --git a/doc/man/pam_setcred.3.xml b/doc/man/pam_setcred.3.xml index 62922482..09fe30d1 100644 --- a/doc/man/pam_setcred.3.xml +++ b/doc/man/pam_setcred.3.xml @@ -1,16 +1,13 @@ - - - - + pam_setcred 3 - Linux-PAM Manual + Linux-PAM + Linux-PAM Manual - + pam_setcred establish / delete user credentials @@ -19,7 +16,7 @@ - + #include <security/pam_appl.h> int pam_setcred @@ -30,7 +27,7 @@ - + DESCRIPTION The pam_setcred function is used to establish, @@ -95,7 +92,7 @@ - + RETURN VALUES @@ -160,7 +157,7 @@ - + SEE ALSO @@ -177,4 +174,4 @@ - + \ No newline at end of file diff --git a/doc/man/pam_sm_acct_mgmt.3.xml b/doc/man/pam_sm_acct_mgmt.3.xml index b37dc306..822a338a 100644 --- a/doc/man/pam_sm_acct_mgmt.3.xml +++ b/doc/man/pam_sm_acct_mgmt.3.xml @@ -1,14 +1,12 @@ - - - + pam_sm_acct_mgmt 3 - Linux-PAM Manual + Linux-PAM + Linux-PAM Manual - + pam_sm_acct_mgmt PAM service function for account management @@ -16,7 +14,7 @@ - + #include <security/pam_modules.h> int pam_sm_acct_mgmt @@ -29,7 +27,7 @@ - + DESCRIPTION The pam_sm_acct_mgmt function is the service @@ -64,7 +62,7 @@ PAM_DISALLOW_NULL_AUTHTOK - Return PAM_AUTH_ERR if the + Return PAM_AUTH_ERR if the database of authentication tokens for this authentication mechanism has a NULL entry for the user. @@ -73,7 +71,7 @@ - + RETURN VALUES @@ -131,7 +129,7 @@ - + SEE ALSO @@ -151,4 +149,4 @@ - + \ No newline at end of file diff --git a/doc/man/pam_sm_authenticate.3.xml b/doc/man/pam_sm_authenticate.3.xml index ef3a8f15..ec3de2fd 100644 --- a/doc/man/pam_sm_authenticate.3.xml +++ b/doc/man/pam_sm_authenticate.3.xml 
@@ -1,14 +1,12 @@ - - - + pam_sm_authenticate 3 - Linux-PAM Manual + Linux-PAM + Linux-PAM Manual - + pam_sm_authenticate PAM service function for user authentication @@ -16,7 +14,7 @@ - + #include <security/pam_modules.h> int pam_sm_authenticate @@ -29,7 +27,7 @@ - + DESCRIPTION The pam_sm_authenticate function is the service @@ -58,7 +56,7 @@ PAM_DISALLOW_NULL_AUTHTOK - Return PAM_AUTH_ERR if the + Return PAM_AUTH_ERR if the database of authentication tokens for this authentication mechanism has a NULL entry for the user. Without this flag, such a NULL token @@ -69,7 +67,7 @@ - + RETURN VALUES @@ -128,7 +126,7 @@ - + SEE ALSO @@ -148,4 +146,4 @@ - + \ No newline at end of file diff --git a/doc/man/pam_sm_chauthtok.3.xml b/doc/man/pam_sm_chauthtok.3.xml index 25e17d02..692bc620 100644 --- a/doc/man/pam_sm_chauthtok.3.xml +++ b/doc/man/pam_sm_chauthtok.3.xml @@ -1,14 +1,12 @@ - - - + pam_sm_chauthtok 3 - Linux-PAM Manual + Linux-PAM + Linux-PAM Manual - + pam_sm_chauthtok PAM service function for authentication token management @@ -16,7 +14,7 @@ - + #include <security/pam_modules.h> int pam_sm_chauthtok @@ -29,7 +27,7 @@ - + DESCRIPTION The pam_sm_chauthtok function is the service @@ -77,7 +75,7 @@ some network it should attempt to verify it can connect to this system on receiving this flag. If a module cannot establish it is ready to update the user's authentication token it should - return PAM_TRY_AGAIN, this + return PAM_TRY_AGAIN, this information will be passed back to the application. @@ -93,7 +91,7 @@ This informs the module that this is the call it should change the authorization tokens. If the flag is logically OR'd with - PAM_CHANGE_EXPIRED_AUTHTOK, the + PAM_CHANGE_EXPIRED_AUTHTOK, the token is only changed if it has actually expired. 
@@ -101,15 +99,15 @@ The PAM library calls this function twice in succession. The first - time with PAM_PRELIM_CHECK and then, + time with PAM_PRELIM_CHECK and then, if the module does not return - PAM_TRY_AGAIN, subsequently with - PAM_UPDATE_AUTHTOK. It is only on + PAM_TRY_AGAIN, subsequently with + PAM_UPDATE_AUTHTOK. It is only on the second call that the authorization token is (possibly) changed. - + RETURN VALUES @@ -181,7 +179,7 @@ - + SEE ALSO @@ -201,4 +199,4 @@ - + \ No newline at end of file diff --git a/doc/man/pam_sm_close_session.3.xml b/doc/man/pam_sm_close_session.3.xml index 6d8278ec..e76693fd 100644 --- a/doc/man/pam_sm_close_session.3.xml +++ b/doc/man/pam_sm_close_session.3.xml @@ -1,14 +1,12 @@ - - - + pam_sm_close_session 3 - Linux-PAM Manual + Linux-PAM + Linux-PAM Manual - + pam_sm_close_session PAM service function to terminate session management @@ -16,7 +14,7 @@ - + #include <security/pam_modules.h> int pam_sm_close_session @@ -29,7 +27,7 @@ - + DESCRIPTION The pam_sm_close_session function is the service @@ -40,7 +38,7 @@ This function is called to terminate a session. The only valid - value for flags is zero or: + value for flags is zero or: @@ -54,7 +52,7 @@ - + RETURN VALUES @@ -76,7 +74,7 @@ - + SEE ALSO @@ -96,4 +94,4 @@ - + \ No newline at end of file diff --git a/doc/man/pam_sm_open_session.3.xml b/doc/man/pam_sm_open_session.3.xml index ead7ca77..392225a4 100644 --- a/doc/man/pam_sm_open_session.3.xml +++ b/doc/man/pam_sm_open_session.3.xml @@ -1,14 +1,12 @@ - - - + pam_sm_open_session 3 - Linux-PAM Manual + Linux-PAM + Linux-PAM Manual - + pam_sm_open_session PAM service function to start session management @@ -16,7 +14,7 @@ - + #include <security/pam_modules.h> int pam_sm_open_session @@ -29,7 +27,7 @@ - + DESCRIPTION The pam_sm_open_session function is the service @@ -40,7 +38,7 @@ This function is called to commence a session. The only valid - value for flags is zero or: + value for flags is zero or: 
@@ -54,7 +52,7 @@ - + RETURN VALUES @@ -76,7 +74,7 @@ - + SEE ALSO @@ -96,4 +94,4 @@ - + \ No newline at end of file diff --git a/doc/man/pam_sm_setcred.3.xml b/doc/man/pam_sm_setcred.3.xml index bb04a2df..93a69e3e 100644 --- a/doc/man/pam_sm_setcred.3.xml +++ b/doc/man/pam_sm_setcred.3.xml @@ -1,14 +1,12 @@ - - - + pam_sm_setcred 3 - Linux-PAM Manual + Linux-PAM + Linux-PAM Manual - + pam_sm_setcred PAM service function to alter credentials @@ -16,7 +14,7 @@ - + #include <security/pam_modules.h> int pam_sm_setcred @@ -29,7 +27,7 @@ - + DESCRIPTION The pam_sm_setcred function is the service @@ -92,7 +90,7 @@ - The way the auth stack is + The way the auth stack is navigated in order to evaluate the pam_setcred() function call, independent of the pam_sm_setcred() return codes, is exactly the same way that it was navigated when @@ -102,11 +100,11 @@ libpam evaluates the pam_setcred() function call. Otherwise, the return codes from each module specific pam_sm_setcred() call are treated as - required. + required. - + RETURN VALUES @@ -158,7 +156,7 @@ - + SEE ALSO @@ -181,4 +179,4 @@ - + \ No newline at end of file diff --git a/doc/man/pam_start.3.xml b/doc/man/pam_start.3.xml index 1d544e64..470c6cec 100644 --- a/doc/man/pam_start.3.xml +++ b/doc/man/pam_start.3.xml @@ -1,16 +1,13 @@ - - - - + pam_start 3 - Linux-PAM Manual + Linux-PAM + Linux-PAM Manual - + pam_start pam_start_confdir initialization of PAM transaction @@ -19,7 +16,7 @@ - + #include <security/pam_appl.h> int pam_start @@ -40,7 +37,7 @@ - + DESCRIPTION The pam_start function creates the PAM context @@ -108,7 +105,7 @@ - + RETURN VALUES @@ -147,7 +144,7 @@ - + SEE ALSO @@ -164,4 +161,4 @@ - + \ No newline at end of file diff --git a/doc/man/pam_strerror.3.xml b/doc/man/pam_strerror.3.xml index 954e131d..b76cbc4d 100644 --- a/doc/man/pam_strerror.3.xml +++ b/doc/man/pam_strerror.3.xml 
@@ -1,16 +1,13 @@ - - - - + pam_strerror 3 - Linux-PAM Manual + Linux-PAM + Linux-PAM Manual - + pam_strerror return string describing PAM error code @@ -18,7 +15,7 @@ - + #include <security/pam_appl.h> const char *pam_strerror @@ -29,7 +26,7 @@ - + DESCRIPTION The pam_strerror function returns a pointer to @@ -40,14 +37,14 @@ modify this string. - + RETURN VALUES This function returns always a pointer to a string. - + SEE ALSO @@ -55,4 +52,4 @@ - + \ No newline at end of file diff --git a/doc/man/pam_syslog.3.xml b/doc/man/pam_syslog.3.xml index ca28587e..f5be287f 100644 --- a/doc/man/pam_syslog.3.xml +++ b/doc/man/pam_syslog.3.xml @@ -1,16 +1,13 @@ - - - - + pam_syslog 3 - Linux-PAM Manual + Linux-PAM + Linux-PAM Manual - + pam_syslog pam_vsyslog send messages to the system logger @@ -18,7 +15,7 @@ - + #include <syslog.h> #include <security/pam_ext.h> @@ -39,7 +36,7 @@ - + DESCRIPTION The pam_syslog function logs messages using @@ -62,7 +59,7 @@ - + SEE ALSO @@ -71,7 +68,7 @@ - + STANDARDS The pam_syslog and pam_vsyslog @@ -79,4 +76,4 @@ - + \ No newline at end of file diff --git a/doc/man/pam_xauth_data.3.xml b/doc/man/pam_xauth_data.3.xml index 505985e4..447a9c2d 100644 --- a/doc/man/pam_xauth_data.3.xml +++ b/doc/man/pam_xauth_data.3.xml @@ -1,16 +1,13 @@ - - - - + pam_xauth_data 3 - Linux-PAM Manual + Linux-PAM + Linux-PAM Manual - + pam_xauth_data structure containing X authentication data @@ -18,7 +15,7 @@ - + #include <security/pam_appl.h> @@ -31,7 +28,7 @@ struct pam_xauth_data { - + DESCRIPTION The pam_xauth_data structure contains X @@ -70,7 +67,7 @@ struct pam_xauth_data { - + SEE ALSO @@ -82,7 +79,7 @@ struct pam_xauth_data { - + STANDARDS The pam_xauth_data structure and @@ -91,4 +88,4 @@ struct pam_xauth_data { - + \ No newline at end of file diff --git a/doc/mwg/Linux-PAM_MWG.xml b/doc/mwg/Linux-PAM_MWG.xml index 3022538c..046c3c48 100644 --- a/doc/mwg/Linux-PAM_MWG.xml +++ b/doc/mwg/Linux-PAM_MWG.xml 
@@ -1,49 +1,38 @@ - - - - + + The Linux-PAM Module Writers' Guide - - Andrew G. - Morgan - morgan@kernel.org - - - Thorsten - Kukuk - kukuk@thkukuk.de - + Andrew G.Morganmorgan@kernel.org + ThorstenKukukkukuk@thkukuk.de Version 1.1.2, 31. August 2010 This manual documents what a programmer needs to know in order to write a module that conforms to the - Linux-PAM standard.It also + Linux-PAM standard.It also discusses some security issues from the point of view of the module programmer. - + - + Introduction -
+
Description - Linux-PAM (Pluggable Authentication + Linux-PAM (Pluggable Authentication Modules for Linux) is a library that enables the local system administrator to choose how individual applications authenticate users. For an overview of the - Linux-PAM library see the + Linux-PAM library see the Linux-PAM System Administrators' Guide. - A Linux-PAM module is a single + A Linux-PAM module is a single executable binary file that can be loaded by the - Linux-PAM interface library. + Linux-PAM interface library. This PAM library is configured locally with a system file, /etc/pam.conf, to authenticate a user request via the locally available authentication modules. The @@ -54,14 +43,14 @@ dlopen3 . Alternatively, the modules can be statically - linked into the Linux-PAM library; - this is mostly to allow Linux-PAM to + linked into the Linux-PAM library; + this is mostly to allow Linux-PAM to be used on platforms without dynamic linking available, but this is a deprecated functionality. It is the - Linux-PAM interface that is called + Linux-PAM interface that is called by an application and it is the responsibility of the library to locate, load and call the appropriate functions in a - Linux-PAM-module. + Linux-PAM-module. Except for the immediate purpose of interacting with the user @@ -71,7 +60,7 @@
-
+
Synopsis #include <security/pam_modules.h> @@ -82,63 +71,52 @@ gcc -shared -o pam_module.so pam_module.o -lpam
- + What can be expected by the module Here we list the interface that the conventions that all - Linux-PAM modules must adhere to. + Linux-PAM modules must adhere to. -
+
Getting and setting <emphasis>PAM_ITEM</emphasis>s and <emphasis>data</emphasis> First, we cover what the module should expect from the - Linux-PAM library and a - Linux-PAM aware application. + Linux-PAM library and a + Linux-PAM aware application. Essentially this is the libpam.* library. - - - - - - - - - + + + + + + + + +
-
+
Other functions provided by <filename>libpam</filename> - - + +
- + What is expected of a module The module must supply a sub-set of the six functions listed below. Together they define the function of a - Linux-PAM module. Module developers + Linux-PAM module. Module developers are strongly urged to read the comments on security that follow this list. -
+
Overview The six module functions are grouped into four independent @@ -149,7 +127,7 @@ gcc -shared -o pam_module.so pam_module.o -lpam at least one of these groups. A single module may contain the necessary functions for all four groups. -
+
Functional independence The independence of the four groups of service a module can @@ -163,7 +141,7 @@ gcc -shared -o pam_module.so pam_module.o -lpam As an informative example, consider the possibility that an application applies to change a user's authentication token, without having first requested that - Linux-PAM authenticate the + Linux-PAM authenticate the user. In some cases this may be deemed appropriate: when root wants to change the authentication token of some lesser user. In other cases it may not be @@ -176,7 +154,7 @@ gcc -shared -o pam_module.so pam_module.o -lpam this when implementing a given module.
-
+
Minimizing administration problems To avoid system administration problems and the poor @@ -189,7 +167,7 @@ gcc -shared -o pam_module.so pam_module.o -lpam simply return PAM_IGNORE.
-
+
Arguments supplied to the module The flags argument of each of @@ -203,7 +181,7 @@ gcc -shared -o pam_module.so pam_module.o -lpam arguments are taken from the line appropriate to this module---that is, with the service_name matching that of the application---in the configuration file - (see the Linux-PAM + (see the Linux-PAM System Administrators' Guide). Together these two parameters provide the number of arguments and an array of pointers to the individual argument tokens. This will be familiar to C @@ -214,33 +192,27 @@ gcc -shared -o pam_module.so pam_module.o -lpam
-
+
Authentication management - - + +
-
+
Account management - +
-
+
Session management - - + +
-
+
Authentication token management - +
- + Generic optional arguments Here we list the generic arguments that all modules can expect to @@ -276,17 +248,17 @@ gcc -shared -o pam_module.so pam_module.o -lpam - + Programming notes Here we collect some pointers for the module writer to bear in mind - when writing/developing a Linux-PAM + when writing/developing a Linux-PAM compatible module. -
+
Security issues for module creation -
+
Sufficient resources Care should be taken to ensure that the proper execution @@ -299,7 +271,7 @@ gcc -shared -o pam_module.so pam_module.o -lpam consideration.
-
+
Who´s who? Generally, the module may wish to establish the identity of @@ -349,13 +321,13 @@ gcc -shared -o pam_module.so pam_module.o -lpam Z, the user under whose identity the service will be granted. This is the username returned by pam_get_user() and also stored in the - Linux-PAM item, + Linux-PAM item, PAM_USER. - Linux-PAM has a place for + Linux-PAM has a place for an additional user identity that a module may care to make use of. This is the PAM_RUSER item. Generally, network sensitive modules/applications may wish @@ -369,10 +341,10 @@ gcc -shared -o pam_module.so pam_module.o -lpam uid or euid of the running process, it should take care to restore the original values prior to returning control to the - Linux-PAM library. + Linux-PAM library.
-
+
Using the conversation function Prior to calling the conversation function, the module should @@ -389,7 +361,7 @@ gcc -shared -o pam_module.so pam_module.o -lpam indicating failure.
-
+
Authentication tokens To ensure that the authentication tokens are not left lying @@ -403,7 +375,7 @@ gcc -shared -o pam_module.so pam_module.o -lpam general rule the module should overwrite authentication tokens as soon as they are no longer needed. Especially before free()'ing them. The - Linux-PAM library is + Linux-PAM library is required to do this when either of these authentication token items are (re)set. @@ -437,7 +409,7 @@ int cleanup(pam_handle_t *pamh, void *data, int error_status)
-
+
Use of <citerefentry> <refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum> </citerefentry> @@ -451,7 +423,7 @@ int cleanup(pam_handle_t *pamh, void *data, int error_status) syslog3 with facility-type - LOG_AUTHPRIV. + LOG_AUTHPRIV. With a few exceptions, the level of logging is, at the discretion @@ -501,7 +473,7 @@ int cleanup(pam_handle_t *pamh, void *data, int error_status)
-
+
Modules that require system libraries Writing a module is much like writing an application. You @@ -526,16 +498,16 @@ int cleanup(pam_handle_t *pamh, void *data, int error_status)
- + An example module At some point, we may include a fully commented example of a module in this document. For now, please look at the modules directory of the - Linux-PAM sources. + Linux-PAM sources. - + See also @@ -558,7 +530,7 @@ int cleanup(pam_handle_t *pamh, void *data, int error_status) - + Author/acknowledgments This document was written by Andrew G. Morgan (morgan@kernel.org) @@ -578,14 +550,14 @@ int cleanup(pam_handle_t *pamh, void *data, int error_status) Thanks are also due to Sun Microsystems, especially to Vipin Samar and Charlie Lai for their advice. At an early stage in the development of - Linux-PAM, Sun graciously made the + Linux-PAM, Sun graciously made the documentation for their implementation of PAM available. This act greatly accelerated the development of - Linux-PAM. + Linux-PAM. - + Copyright information for this document Copyright (c) 2006 Thorsten Kukuk <kukuk@thkukuk.de> @@ -629,4 +601,4 @@ TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH - + \ No newline at end of file diff --git a/doc/mwg/Makefile.am b/doc/mwg/Makefile.am index 688e6cb3..340249c6 100644 --- a/doc/mwg/Makefile.am +++ b/doc/mwg/Makefile.am @@ -16,7 +16,7 @@ all: Linux-PAM_MWG.txt html/Linux-PAM_MWG.html Linux-PAM_MWG.pdf Linux-PAM_MWG.pdf: $(XMLS) $(DEP_XMLS) if ENABLE_GENERATE_PDF - $(XMLLINT) --nonet --xinclude --postvalid --noent --noout $< + $(XMLLINT) --nonet --xinclude --relaxng $(DOCBOOK_RNG) --noent --noout $< $(XSLTPROC) --stringparam generate.toc "book toc" \ --stringparam section.autolabel 1 \ --stringparam section.label.includes.component.label 1 \ 
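Review bot: `$(DOCBOOK_RNG)` is passed to `--relaxng` unquoted on the xmllint line of the Linux-PAM_MWG.pdf rule, and the identical line recurs in the Linux-PAM_MWG.txt and html/Linux-PAM_MWG.html hunks that follow. The variable is set outside these hunks (the commit message says configure.ac gains an option for it), so this is inferred: if it expands to nothing, `--relaxng` takes `--noent` as its schema argument, and any resulting error would presumably name the wrong thing. Writing `--relaxng "$(DOCBOOK_RNG)"` in all three recipes makes an unset value fail visibly as an empty schema path. Since `--nonet` is kept, a schema given as a URL can only be resolved locally, so a comment above the rules such as `# DOCBOOK_RNG must be a local file or resolvable via the XML catalog; --nonet blocks fetching it` would record that constraint. Each recipe continues beyond its hunk.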
@@ -28,7 +28,7 @@ else endif Linux-PAM_MWG.txt: $(XMLS) $(DEP_XMLS) - $(XMLLINT) --nonet --xinclude --postvalid --noent --noout $< + $(XMLLINT) --nonet --xinclude --relaxng $(DOCBOOK_RNG) --noent --noout $< $(XSLTPROC) --stringparam generate.toc "book toc" \ --stringparam section.autolabel 1 \ --stringparam section.label.includes.component.label 1 \ @@ -37,7 +37,7 @@ Linux-PAM_MWG.txt: $(XMLS) $(DEP_XMLS) html/Linux-PAM_MWG.html: $(XMLS) $(DEP_XMLS) @test -d html || mkdir -p html - $(XMLLINT) --nonet --xinclude --postvalid --noent --noout $< + $(XMLLINT) --nonet --xinclude --relaxng $(DOCBOOK_RNG) --noent --noout $< $(XSLTPROC) --stringparam base.dir html/ \ --stringparam root.filename Linux-PAM_MWG \ --stringparam use.id.as.filename 1 \ diff --git a/doc/mwg/pam_conv.xml b/doc/mwg/pam_conv.xml index a2b470af..2b369503 100644 --- a/doc/mwg/pam_conv.xml +++ b/doc/mwg/pam_conv.xml @@ -1,11 +1,7 @@ - - -
+
The conversation function - + struct pam_message { @@ -24,12 +20,10 @@ struct pam_conv { void *appdata_ptr; }; -
- +
+
-
- +
+
-
+
\ No newline at end of file diff --git a/doc/mwg/pam_fail_delay.xml b/doc/mwg/pam_fail_delay.xml index 589e1148..d602a1f7 100644 --- a/doc/mwg/pam_fail_delay.xml +++ b/doc/mwg/pam_fail_delay.xml @@ -1,18 +1,12 @@ - - -
+
Request a delay on failure - + -
- +
+
-
- +
+
-
+
\ No newline at end of file diff --git a/doc/mwg/pam_get_data.xml b/doc/mwg/pam_get_data.xml index b1afdb3f..e1342d16 100644 --- a/doc/mwg/pam_get_data.xml +++ b/doc/mwg/pam_get_data.xml @@ -1,18 +1,12 @@ - - -
+
Get module internal data - + -
- +
+
-
- +
+
-
+
\ No newline at end of file diff --git a/doc/mwg/pam_get_item.xml b/doc/mwg/pam_get_item.xml index 370a10a1..e0635d21 100644 --- a/doc/mwg/pam_get_item.xml +++ b/doc/mwg/pam_get_item.xml @@ -1,18 +1,12 @@ - - -
+
Getting PAM items - + -
- +
+
-
- +
+
-
+
\ No newline at end of file diff --git a/doc/mwg/pam_get_user.xml b/doc/mwg/pam_get_user.xml index 1cb7fdf3..3b79fe07 100644 --- a/doc/mwg/pam_get_user.xml +++ b/doc/mwg/pam_get_user.xml @@ -1,18 +1,12 @@ - - -
+
Get user name - + -
- +
+
-
- +
+
-
+
\ No newline at end of file diff --git a/doc/mwg/pam_getenv.xml b/doc/mwg/pam_getenv.xml index 61d69c33..f7b483ed 100644 --- a/doc/mwg/pam_getenv.xml +++ b/doc/mwg/pam_getenv.xml @@ -1,18 +1,12 @@ - - -
+
Get a PAM environment variable - + -
- +
+
-
- +
+
-
+
\ No newline at end of file diff --git a/doc/mwg/pam_getenvlist.xml b/doc/mwg/pam_getenvlist.xml index d3c2fcd3..4433c04d 100644 --- a/doc/mwg/pam_getenvlist.xml +++ b/doc/mwg/pam_getenvlist.xml @@ -1,18 +1,12 @@ - - -
+
Getting the PAM environment - + -
- +
+
-
- +
+
-
+
\ No newline at end of file diff --git a/doc/mwg/pam_putenv.xml b/doc/mwg/pam_putenv.xml index e55f1a42..6378a15b 100644 --- a/doc/mwg/pam_putenv.xml +++ b/doc/mwg/pam_putenv.xml @@ -1,18 +1,12 @@ - - -
+
Set or change PAM environment variable - + -
- +
+
-
- +
+
-
+
\ No newline at end of file diff --git a/doc/mwg/pam_set_data.xml b/doc/mwg/pam_set_data.xml index 18b2711b..3fb3b1fe 100644 --- a/doc/mwg/pam_set_data.xml +++ b/doc/mwg/pam_set_data.xml @@ -1,18 +1,12 @@ - - -
+
Set module internal data - + -
- +
+
-
- +
+
-
+
\ No newline at end of file diff --git a/doc/mwg/pam_set_item.xml b/doc/mwg/pam_set_item.xml index 7d19925e..7a8ee8de 100644 --- a/doc/mwg/pam_set_item.xml +++ b/doc/mwg/pam_set_item.xml @@ -1,18 +1,12 @@ - - -
+
Setting PAM items - + -
- +
+
-
- +
+
-
+
\ No newline at end of file diff --git a/doc/mwg/pam_sm_acct_mgmt.xml b/doc/mwg/pam_sm_acct_mgmt.xml index 10b3c9e9..c17a9bf0 100644 --- a/doc/mwg/pam_sm_acct_mgmt.xml +++ b/doc/mwg/pam_sm_acct_mgmt.xml @@ -1,18 +1,12 @@ - - -
+
Service function for account management - + -
- +
+
-
- +
+
-
+
\ No newline at end of file diff --git a/doc/mwg/pam_sm_authenticate.xml b/doc/mwg/pam_sm_authenticate.xml index 54c79af6..138fc1ff 100644 --- a/doc/mwg/pam_sm_authenticate.xml +++ b/doc/mwg/pam_sm_authenticate.xml @@ -1,18 +1,12 @@ - - -
+
Service function for user authentication - + -
- +
+
-
- +
+
-
+
\ No newline at end of file diff --git a/doc/mwg/pam_sm_chauthtok.xml b/doc/mwg/pam_sm_chauthtok.xml index a1364315..546ae662 100644 --- a/doc/mwg/pam_sm_chauthtok.xml +++ b/doc/mwg/pam_sm_chauthtok.xml @@ -1,18 +1,12 @@ - - -
+
Service function to alter authentication token - + -
- +
+
-
- +
+
-
+
\ No newline at end of file diff --git a/doc/mwg/pam_sm_close_session.xml b/doc/mwg/pam_sm_close_session.xml index 9346c506..69140b81 100644 --- a/doc/mwg/pam_sm_close_session.xml +++ b/doc/mwg/pam_sm_close_session.xml @@ -1,18 +1,12 @@ - - -
+
Service function to terminate session management - + -
- +
+
-
- +
+
-
+
\ No newline at end of file diff --git a/doc/mwg/pam_sm_open_session.xml b/doc/mwg/pam_sm_open_session.xml index b8e3fa90..aba28a3e 100644 --- a/doc/mwg/pam_sm_open_session.xml +++ b/doc/mwg/pam_sm_open_session.xml @@ -1,18 +1,12 @@ - - -
+
Service function to start session management - + -
- +
+
-
- +
+
-
+
\ No newline at end of file diff --git a/doc/mwg/pam_sm_setcred.xml b/doc/mwg/pam_sm_setcred.xml index eee8e1d6..36e43c04 100644 --- a/doc/mwg/pam_sm_setcred.xml +++ b/doc/mwg/pam_sm_setcred.xml @@ -1,18 +1,12 @@ - - -
+
Service function to alter credentials - + -
- +
+
-
- +
+
-
+
\ No newline at end of file diff --git a/doc/mwg/pam_strerror.xml b/doc/mwg/pam_strerror.xml index 35b08a27..e4e1c56a 100644 --- a/doc/mwg/pam_strerror.xml +++ b/doc/mwg/pam_strerror.xml @@ -1,18 +1,12 @@ - - -
+
Strings describing PAM error codes - + -
- +
+
-
- +
+
-
+
\ No newline at end of file diff --git a/doc/sag/Linux-PAM_SAG.xml b/doc/sag/Linux-PAM_SAG.xml index 2adaef7d..952f224b 100644 --- a/doc/sag/Linux-PAM_SAG.xml +++ b/doc/sag/Linux-PAM_SAG.xml @@ -1,36 +1,25 @@ - - - - + + The Linux-PAM System Administrators' Guide - - Andrew G. - Morgan - morgan@kernel.org - - - Thorsten - Kukuk - kukuk@thkukuk.de - + Andrew G.Morganmorgan@kernel.org + ThorstenKukukkukuk@thkukuk.de Version 1.1.2, 31. August 2010 This manual documents what a system-administrator needs to know about - the Linux-PAM library. It covers the + the Linux-PAM library. It covers the correct syntax of the PAM configuration file and discusses strategies for maintaining a secure system. - + - + Introduction - Linux-PAM (Pluggable Authentication + Linux-PAM (Pluggable Authentication Modules for Linux) is a suite of shared libraries that enable the local system administrator to choose how applications authenticate users. @@ -58,7 +47,7 @@ on entries in the /etc/group file. - It is the purpose of the Linux-PAM + It is the purpose of the Linux-PAM project to separate the development of privilege granting software from the development of secure and appropriate authentication schemes. This is accomplished by providing a library of functions that an @@ -76,7 +65,7 @@ - + Some comments on the text Before proceeding to read the rest of this document, it should be @@ -91,7 +80,7 @@ As an example of the above, where it is explicit, the text assumes that PAM loadable object files (the - modules) are to be located in + modules) are to be located in the following directory: /lib/security/ or /lib64/security depending on the architecture. This is generally the location that seems to be compatible with the @@ -103,7 +92,7 @@ - + Overview For the uninitiated, we begin by considering an example. We take an 
@@ -121,16 +110,16 @@ password and then verifying that it agrees with that located on the system; hence verifying that as far as the system is concerned the user is who they claim to be. This is the task that is delegated - to Linux-PAM. + to Linux-PAM. From the perspective of the application programmer (in this case the person that wrote the login application), - Linux-PAM takes care of this + Linux-PAM takes care of this authentication task -- verifying the identity of the user. - The flexibility of Linux-PAM is + The flexibility of Linux-PAM is that you, the system administrator, have the freedom to stipulate which authentication scheme is to be used. You have the freedom to set the scheme for any/all @@ -152,7 +141,7 @@ authentication can be upgraded to include (long) division! - Linux-PAM deals with four + Linux-PAM deals with four separate types of (management) task. These are: authentication management; account management; @@ -160,15 +149,15 @@ password management. The association of the preferred management scheme with the behavior of an application is made with entries in the relevant - Linux-PAM configuration file. + Linux-PAM configuration file. The management functions are performed by modules specified in the configuration file. The syntax for this file is discussed in the section - below. + below. Here is a figure that describes the overall organization of - Linux-PAM: + Linux-PAM: +----------------+ | application: X | 
@@ -193,14 +182,14 @@ By way of explanation, the left of the figure represents the application; application X. Such an application interfaces with the - Linux-PAM library and knows none of + Linux-PAM library and knows none of the specifics of its configured authentication method. The - Linux-PAM library (in the center) + Linux-PAM library (in the center) consults the contents of the PAM configuration file and loads the modules that are appropriate for application-X. These modules fall into one of four management groups (lower-center) and are stacked in the order they appear in the configuration file. These modules, when - called by Linux-PAM, perform the + called by Linux-PAM, perform the various authentication tasks for the application. Textual information, required from/or offered to the user, can be exchanged through the use of the application-supplied conversation @@ -216,34 +205,28 @@ - + The Linux-PAM configuration file - -
+ +
Configuration file syntax - +
-
+
Directory based configuration - +
-
+
Example configuration file entries In this section, we give some examples of entries that can - be present in the Linux-PAM + be present in the Linux-PAM configuration file. As a first attempt at configuring your system you could do worse than to implement these. If a system is to be considered secure, it had better have a - reasonably secure 'other entry. + reasonably secure 'other entry. The following is a paranoid setting (which is not a bad place to start!): @@ -311,7 +294,7 @@ session required pam_deny.so On a less sensitive computer, one on which the system administrator wishes to remain ignorant of much of the - power of Linux-PAM, the + power of Linux-PAM, the following selection of lines (in /etc/pam.d/other) is likely to mimic the historically familiar Linux setup. @@ -331,21 +314,21 @@ session required pam_unix.so
- + Security issues -
+
If something goes wrong - Linux-PAM has the potential + Linux-PAM has the potential to seriously change the security of your system. You can choose to have no security or absolute security (no access - permitted). In general, Linux-PAM + permitted). In general, Linux-PAM errs towards the latter. Any number of configuration errors can disable access to your system partially, or completely. The most dramatic problem that is likely to be encountered when - configuring Linux-PAM is that of + configuring Linux-PAM is that of deleting the configuration file(s): /etc/pam.d/* and/or /etc/pam.conf. This will lock you out of @@ -357,11 +340,11 @@ session required pam_unix.so things from there.
-
+
Avoid having a weak `other' configuration It is not a good thing to have a weak default - (other) entry. + (other) entry. This service is the default configuration for all PAM aware applications and if it is weak, your system is likely to be vulnerable to attack. @@ -388,93 +371,57 @@ session required pam_warn.so
- + A reference guide for available modules Here, we collect together the descriptions of the various modules coming with Linux-PAM. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - + See also @@ -497,7 +444,7 @@ session required pam_warn.so - + Author/acknowledgments This document was written by Andrew G. Morgan (morgan@kernel.org) @@ -518,14 +465,14 @@ session required pam_warn.so Thanks are also due to Sun Microsystems, especially to Vipin Samar and Charlie Lai for their advice. At an early stage in the development of - Linux-PAM, Sun graciously made the + Linux-PAM, Sun graciously made the documentation for their implementation of PAM available. This act greatly accelerated the development of - Linux-PAM. + Linux-PAM. - + Copyright information for this document Copyright (c) 2006 Thorsten Kukuk <kukuk@thkukuk.de> @@ -569,4 +516,4 @@ TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH - + \ No newline at end of file diff --git a/doc/sag/Makefile.am b/doc/sag/Makefile.am index 84fd383f..04c90919 100644 --- a/doc/sag/Makefile.am +++ b/doc/sag/Makefile.am @@ -7,7 +7,6 @@ CLEANFILES = Linux-PAM_SAG.fo *~ EXTRA_DIST = $(XMLS) XMLS = Linux-PAM_SAG.xml $(shell ls $(srcdir)/pam_*.xml) - DEP_XMLS = $(shell ls $(top_srcdir)/modules/pam_*/pam_*.xml) if ENABLE_REGENERATE_MAN @@ -17,7 +16,7 @@ all: Linux-PAM_SAG.txt html/Linux-PAM_SAG.html Linux-PAM_SAG.pdf Linux-PAM_SAG.pdf: $(XMLS) $(DEP_XMLS) if ENABLE_GENERATE_PDF - $(XMLLINT) --nonet --xinclude --postvalid --noent --noout $< + $(XMLLINT) --nonet --xinclude --relaxng $(DOCBOOK_RNG) --noent --noout $< $(XSLTPROC) --stringparam generate.toc "book toc" \ --stringparam section.autolabel 1 \ --stringparam section.label.includes.component.label 1 \ 
@@ -29,7 +28,7 @@ else endif Linux-PAM_SAG.txt: $(XMLS) $(DEP_XMLS) - $(XMLLINT) --nonet --xinclude --postvalid --noent --noout $< + $(XMLLINT) --nonet --xinclude --relaxng $(DOCBOOK_RNG) --noent --noout $< $(XSLTPROC) --stringparam generate.toc "book toc" \ --stringparam section.autolabel 1 \ --stringparam section.label.includes.component.label 1 \ @@ -38,7 +37,7 @@ Linux-PAM_SAG.txt: $(XMLS) $(DEP_XMLS) html/Linux-PAM_SAG.html: $(XMLS) $(DEP_XMLS) @test -d html || mkdir -p html - $(XMLLINT) --nonet --xinclude --postvalid --noent --noout $< + $(XMLLINT) --nonet --xinclude --relaxng $(DOCBOOK_RNG) --noent --noout $< $(XSLTPROC) --stringparam base.dir html/ \ --stringparam root.filename Linux-PAM_SAG \ --stringparam use.id.as.filename 1 \ diff --git a/doc/sag/pam_access.xml b/doc/sag/pam_access.xml index b9bf39d0..75f14b37 100644 --- a/doc/sag/pam_access.xml +++ b/doc/sag/pam_access.xml @@ -1,42 +1,30 @@ - - -
+
pam_access - logdaemon style login access control - - + + -
- +
+
-
- +
+
-
- +
+
-
- +
+
-
- +
+
-
- +
+
-
- +
+
-
- +
+
-
+
\ No newline at end of file diff --git a/doc/sag/pam_debug.xml b/doc/sag/pam_debug.xml index b131954c..0c8aa940 100644 --- a/doc/sag/pam_debug.xml +++ b/doc/sag/pam_debug.xml @@ -1,34 +1,24 @@ - - -
+
pam_debug - debug the PAM stack - - + + -
- +
+
-
- +
+
-
- +
+
-
- +
+
-
- +
+
-
- +
+
-
+
\ No newline at end of file diff --git a/doc/sag/pam_deny.xml b/doc/sag/pam_deny.xml index 2cb71a03..fdd2aaae 100644 --- a/doc/sag/pam_deny.xml +++ b/doc/sag/pam_deny.xml @@ -1,34 +1,24 @@ - - -
+
pam_deny - locking-out PAM module - - + + -
- +
+
-
- +
+
-
- +
+
-
- +
+
-
- +
+
-
- +
+
-
+
\ No newline at end of file diff --git a/doc/sag/pam_echo.xml b/doc/sag/pam_echo.xml index b066d4ac..e4de8862 100644 --- a/doc/sag/pam_echo.xml +++ b/doc/sag/pam_echo.xml @@ -1,34 +1,24 @@ - - -
+
pam_echo - print text messages - - + + -
- +
+
-
- +
+
-
- +
+
-
- +
+
-
- +
+
-
- +
+
-
+
\ No newline at end of file diff --git a/doc/sag/pam_env.xml b/doc/sag/pam_env.xml index 9f6e6331..68b7c4f0 100644 --- a/doc/sag/pam_env.xml +++ b/doc/sag/pam_env.xml @@ -1,42 +1,30 @@ - - -
+
pam_env - set/unset environment variables - - + + -
- +
+
-
- +
+
-
- +
+
-
- +
+
-
- +
+
-
- +
+
-
- +
+
-
- +
+
-
+
\ No newline at end of file diff --git a/doc/sag/pam_exec.xml b/doc/sag/pam_exec.xml index 265e7f41..859bb3b9 100644 --- a/doc/sag/pam_exec.xml +++ b/doc/sag/pam_exec.xml @@ -1,34 +1,24 @@ - - -
+
pam_exec - call an external command - - + + -
- +
+
-
- +
+
-
- +
+
-
- +
+
-
- +
+
-
- +
+
-
+
\ No newline at end of file diff --git a/doc/sag/pam_faildelay.xml b/doc/sag/pam_faildelay.xml index 1d8295e0..96902087 100644 --- a/doc/sag/pam_faildelay.xml +++ b/doc/sag/pam_faildelay.xml @@ -1,34 +1,24 @@ - - -
+
pam_faildelay - change the delay on failure per-application - - + + -
- +
+
-
- +
+
-
- +
+
-
- +
+
-
- +
+
-
- +
+
-
+
\ No newline at end of file diff --git a/doc/sag/pam_faillock.xml b/doc/sag/pam_faillock.xml index 96940c6b..32777b1d 100644 --- a/doc/sag/pam_faillock.xml +++ b/doc/sag/pam_faillock.xml @@ -1,38 +1,27 @@ - - -
+
pam_faillock - temporarily locking access based on failed authentication attempts during an interval - - + + - - + + -
- +
+
-
- +
+
-
- +
+
-
- +
+
-
- +
+
-
- +
+
-
+
\ No newline at end of file diff --git a/doc/sag/pam_filter.xml b/doc/sag/pam_filter.xml index 6a4a1ba2..56af28cb 100644 --- a/doc/sag/pam_filter.xml +++ b/doc/sag/pam_filter.xml @@ -1,34 +1,24 @@ - - -
+
pam_filter - filter module - - + + -
- +
+
-
- +
+
-
- +
+
-
- +
+
-
- +
+
-
- +
+
-
+
\ No newline at end of file diff --git a/doc/sag/pam_ftp.xml b/doc/sag/pam_ftp.xml index b2456265..13fe40a0 100644 --- a/doc/sag/pam_ftp.xml +++ b/doc/sag/pam_ftp.xml @@ -1,34 +1,24 @@ - - -
+
pam_ftp - module for anonymous access - - + + -
- +
+
-
- +
+
-
- +
+
-
- +
+
-
- +
+
-
- +
+
-
+
\ No newline at end of file diff --git a/doc/sag/pam_group.xml b/doc/sag/pam_group.xml index ce82bf0f..e4efc035 100644 --- a/doc/sag/pam_group.xml +++ b/doc/sag/pam_group.xml @@ -1,42 +1,30 @@ - - -
+
pam_group - module to modify group access - - + + -
- +
+
-
- +
+
-
- +
+
-
- +
+
-
- +
+
-
- +
+
-
- +
+
-
- +
+
-
+
\ No newline at end of file diff --git a/doc/sag/pam_issue.xml b/doc/sag/pam_issue.xml index 5033d23f..f56cc463 100644 --- a/doc/sag/pam_issue.xml +++ b/doc/sag/pam_issue.xml @@ -1,34 +1,24 @@ - - -
+
pam_issue - add issue file to user prompt - - + + -
- +
+
-
- +
+
-
- +
+
-
- +
+
-
- +
+
-
- +
+
-
+
\ No newline at end of file diff --git a/doc/sag/pam_keyinit.xml b/doc/sag/pam_keyinit.xml index 3caa4c27..d8013512 100644 --- a/doc/sag/pam_keyinit.xml +++ b/doc/sag/pam_keyinit.xml @@ -1,34 +1,24 @@ - - -
+
pam_keyinit - display the keyinit file - - + + -
- +
+
-
- +
+
-
- +
+
-
- +
+
-
- +
+
-
- +
+
-
+
\ No newline at end of file diff --git a/doc/sag/pam_lastlog.xml b/doc/sag/pam_lastlog.xml index c250c018..1c9c6b2c 100644 --- a/doc/sag/pam_lastlog.xml +++ b/doc/sag/pam_lastlog.xml @@ -1,34 +1,24 @@ - - -
+
pam_lastlog - display date of last login - - + + -
- +
+
-
- +
+
-
- +
+
-
- +
+
-
- +
+
-
- +
+
-
+
\ No newline at end of file diff --git a/doc/sag/pam_limits.xml b/doc/sag/pam_limits.xml index 7f898a40..f03a1e41 100644 --- a/doc/sag/pam_limits.xml +++ b/doc/sag/pam_limits.xml @@ -1,42 +1,30 @@ - - -
+
pam_limits - limit resources - - + + -
- +
+
-
- +
+
-
- +
+
-
- +
+
-
- +
+
-
- +
+
-
- +
+
-
- +
+
-
+
\ No newline at end of file diff --git a/doc/sag/pam_listfile.xml b/doc/sag/pam_listfile.xml index db7acdc6..66d7a82e 100644 --- a/doc/sag/pam_listfile.xml +++ b/doc/sag/pam_listfile.xml @@ -1,34 +1,24 @@ - - -
+
pam_listfile - deny or allow services based on an arbitrary file - - + + -
- +
+
-
- +
+
-
- +
+
-
- +
+
-
- +
+
-
- +
+
-
+
\ No newline at end of file diff --git a/doc/sag/pam_localuser.xml b/doc/sag/pam_localuser.xml index 480ff96e..a3cee75f 100644 --- a/doc/sag/pam_localuser.xml +++ b/doc/sag/pam_localuser.xml @@ -1,34 +1,24 @@ - - -
+
pam_localuser - require users to be listed in /etc/passwd - - + + -
- +
+
-
- +
+
-
- +
+
-
- +
+
-
- +
+
-
- +
+
-
+
\ No newline at end of file diff --git a/doc/sag/pam_loginuid.xml b/doc/sag/pam_loginuid.xml index 3b442843..fc4a0967 100644 --- a/doc/sag/pam_loginuid.xml +++ b/doc/sag/pam_loginuid.xml @@ -1,34 +1,24 @@ - - -
+
pam_loginuid - record user's login uid to the process attribute - - + + -
- +
+
-
- +
+
-
- +
+
-
- +
+
-
- +
+
-
- +
+
-
+
\ No newline at end of file diff --git a/doc/sag/pam_mail.xml b/doc/sag/pam_mail.xml index 031f786d..6b76770e 100644 --- a/doc/sag/pam_mail.xml +++ b/doc/sag/pam_mail.xml @@ -1,34 +1,24 @@ - - -
+
pam_mail - inform about available mail - - + + -
- +
+
-
- +
+
-
- +
+
-
- +
+
-
- +
+
-
- +
+
-
+
\ No newline at end of file diff --git a/doc/sag/pam_mkhomedir.xml b/doc/sag/pam_mkhomedir.xml index dc6a1eb7..141395cd 100644 --- a/doc/sag/pam_mkhomedir.xml +++ b/doc/sag/pam_mkhomedir.xml @@ -1,34 +1,24 @@ - - -
+
pam_mkhomedir - create users home directory - - + + -
- +
+
-
- +
+
-
- +
+
-
- +
+
-
- +
+
-
- +
+
-
+
\ No newline at end of file diff --git a/doc/sag/pam_motd.xml b/doc/sag/pam_motd.xml index 7a7d2dee..9af77bb5 100644 --- a/doc/sag/pam_motd.xml +++ b/doc/sag/pam_motd.xml @@ -1,34 +1,24 @@ - - -
+
pam_motd - display the motd file - - + + -
- +
+
-
- +
+
-
- +
+
-
- +
+
-
- +
+
-
- +
+
-
+
\ No newline at end of file diff --git a/doc/sag/pam_namespace.xml b/doc/sag/pam_namespace.xml index 6ece9bc1..e18bc0f7 100644 --- a/doc/sag/pam_namespace.xml +++ b/doc/sag/pam_namespace.xml @@ -1,42 +1,30 @@ - - -
+
pam_namespace - setup a private namespace - - + + -
- +
+
-
- +
+
-
- +
+
-
- +
+
-
- +
+
-
- +
+
-
- +
+
-
- +
+
-
+
\ No newline at end of file diff --git a/doc/sag/pam_nologin.xml b/doc/sag/pam_nologin.xml index 0c626b82..f2acf492 100644 --- a/doc/sag/pam_nologin.xml +++ b/doc/sag/pam_nologin.xml @@ -1,34 +1,24 @@ - - -
+
pam_nologin - prevent non-root users from login - - + + -
- +
+
-
- +
+
-
- +
+
-
- +
+
-
- +
+
-
- +
+
-
+
\ No newline at end of file diff --git a/doc/sag/pam_permit.xml b/doc/sag/pam_permit.xml index 7c200478..52548c0d 100644 --- a/doc/sag/pam_permit.xml +++ b/doc/sag/pam_permit.xml @@ -1,34 +1,24 @@ - - -
+
pam_permit - the promiscuous module - - + + -
- +
+
-
- +
+
-
- +
+
-
- +
+
-
- +
+
-
- +
+
-
+
\ No newline at end of file diff --git a/doc/sag/pam_pwhistory.xml b/doc/sag/pam_pwhistory.xml index 0677eae3..867a1bca 100644 --- a/doc/sag/pam_pwhistory.xml +++ b/doc/sag/pam_pwhistory.xml @@ -1,38 +1,27 @@ - - -
+
pam_pwhistory - grant access using .pwhistory file - - + + -
- +
+
-
- +
+
-
- +
+
-
- +
+
-
- +
+
-
- +
+
-
- +
+
-
+
\ No newline at end of file diff --git a/doc/sag/pam_rhosts.xml b/doc/sag/pam_rhosts.xml index 680a70c1..f70b1fbf 100644 --- a/doc/sag/pam_rhosts.xml +++ b/doc/sag/pam_rhosts.xml @@ -1,34 +1,24 @@ - - -
+
pam_rhosts - grant access using .rhosts file - - + + -
- +
+
-
- +
+
-
- +
+
-
- +
+
-
- +
+
-
- +
+
-
+
\ No newline at end of file diff --git a/doc/sag/pam_rootok.xml b/doc/sag/pam_rootok.xml index 59c99ae9..ab4b4438 100644 --- a/doc/sag/pam_rootok.xml +++ b/doc/sag/pam_rootok.xml @@ -1,34 +1,24 @@ - - -
+
pam_rootok - gain only root access - - + + -
- +
+
-
- +
+
-
- +
+
-
- +
+
-
- +
+
-
- +
+
-
+
\ No newline at end of file diff --git a/doc/sag/pam_securetty.xml b/doc/sag/pam_securetty.xml index 6ed13e59..9bd9fe21 100644 --- a/doc/sag/pam_securetty.xml +++ b/doc/sag/pam_securetty.xml @@ -1,34 +1,24 @@ - - -
+
pam_securetty - limit root login to special devices - - + + -
- +
+
-
- +
+
-
- +
+
-
- +
+
-
- +
+
-
- +
+
-
+
\ No newline at end of file diff --git a/doc/sag/pam_selinux.xml b/doc/sag/pam_selinux.xml index 9a4f9878..cb64bcfe 100644 --- a/doc/sag/pam_selinux.xml +++ b/doc/sag/pam_selinux.xml @@ -1,34 +1,24 @@ - - -
+
pam_selinux - set the default security context - - + + -
- +
+
-
- +
+
-
- +
+
-
- +
+
-
- +
+
-
- +
+
-
+
\ No newline at end of file diff --git a/doc/sag/pam_sepermit.xml b/doc/sag/pam_sepermit.xml index 9831a13f..26426615 100644 --- a/doc/sag/pam_sepermit.xml +++ b/doc/sag/pam_sepermit.xml @@ -1,38 +1,27 @@ - - -
+
pam_sepermit - allow/reject access based on SELinux mode - - + + -
- +
+
-
- +
+
-
- +
+
-
- +
+
-
- +
+
-
- +
+
-
- +
+
-
+
\ No newline at end of file diff --git a/doc/sag/pam_setquota.xml b/doc/sag/pam_setquota.xml index 368dfd8e..01d18732 100644 --- a/doc/sag/pam_setquota.xml +++ b/doc/sag/pam_setquota.xml @@ -1,34 +1,24 @@ - - -
+
pam_setquota - set or modify disk quotas on session start - - + + -
- +
+
-
- +
+
-
- +
+
-
- +
+
-
- +
+
-
- +
+
-
+
\ No newline at end of file diff --git a/doc/sag/pam_shells.xml b/doc/sag/pam_shells.xml index b3b3d327..6765a197 100644 --- a/doc/sag/pam_shells.xml +++ b/doc/sag/pam_shells.xml @@ -1,34 +1,24 @@ - - -
+
pam_shells - check for valid login shell - - + + -
- +
+
-
- +
+
-
- +
+
-
- +
+
-
- +
+
-
- +
+
-
+
\ No newline at end of file diff --git a/doc/sag/pam_succeed_if.xml b/doc/sag/pam_succeed_if.xml index ce0792d9..7c9f4934 100644 --- a/doc/sag/pam_succeed_if.xml +++ b/doc/sag/pam_succeed_if.xml @@ -1,34 +1,24 @@ - - -
+
pam_succeed_if - test account characteristics - - + + -
- +
+
-
- +
+
-
- +
+
-
- +
+
-
- +
+
-
- +
+
-
+
\ No newline at end of file diff --git a/doc/sag/pam_time.xml b/doc/sag/pam_time.xml index 74e9e02a..e15d20a0 100644 --- a/doc/sag/pam_time.xml +++ b/doc/sag/pam_time.xml @@ -1,42 +1,30 @@ - - -
+
pam_time - time controlled access - - + + -
- +
+
-
- +
+
-
- +
+
-
- +
+
-
- +
+
-
- +
+
-
- +
+
-
- +
+
-
+
\ No newline at end of file diff --git a/doc/sag/pam_timestamp.xml b/doc/sag/pam_timestamp.xml index 833a6bac..dfe87e7d 100644 --- a/doc/sag/pam_timestamp.xml +++ b/doc/sag/pam_timestamp.xml @@ -1,42 +1,30 @@ - - -
+
pam_timestamp - authenticate using cached successful authentication attempts - - + + -
- +
+
-
- +
+
-
- +
+
-
- +
+
-
- +
+
-
- +
+
-
- +
+
-
- +
+
-
+
\ No newline at end of file diff --git a/doc/sag/pam_tty_audit.xml b/doc/sag/pam_tty_audit.xml index 86d1cd03..44de8105 100644 --- a/doc/sag/pam_tty_audit.xml +++ b/doc/sag/pam_tty_audit.xml @@ -1,38 +1,27 @@ - - -
+
pam_tty_audit - enable/disable tty auditing - - + + -
- +
+
-
- +
+
-
- +
+
-
- +
+
-
- +
+
-
- +
+
-
- +
+
-
+
\ No newline at end of file diff --git a/doc/sag/pam_umask.xml b/doc/sag/pam_umask.xml index b0535086..2fb200bb 100644 --- a/doc/sag/pam_umask.xml +++ b/doc/sag/pam_umask.xml @@ -1,34 +1,24 @@ - - -
+
pam_umask - set the file mode creation mask - - + + -
- +
+
-
- +
+
-
- +
+
-
- +
+
-
- +
+
-
- +
+
-
+
\ No newline at end of file diff --git a/doc/sag/pam_unix.xml b/doc/sag/pam_unix.xml index 24bbaec3..bb341224 100644 --- a/doc/sag/pam_unix.xml +++ b/doc/sag/pam_unix.xml @@ -1,34 +1,24 @@ - - -
+
pam_unix - traditional password authentication - - + + -
- +
+
-
- +
+
-
- +
+
-
- +
+
-
- +
+
-
- +
+
-
+
\ No newline at end of file diff --git a/doc/sag/pam_userdb.xml b/doc/sag/pam_userdb.xml index 47c2c727..3c1bbc17 100644 --- a/doc/sag/pam_userdb.xml +++ b/doc/sag/pam_userdb.xml @@ -1,34 +1,24 @@ - - -
+
pam_userdb - authenticate against a db database - - + + -
- +
+
-
- +
+
-
- +
+
-
- +
+
-
- +
+
-
- +
+
-
+
\ No newline at end of file diff --git a/doc/sag/pam_warn.xml b/doc/sag/pam_warn.xml index e2e7adba..0f1376be 100644 --- a/doc/sag/pam_warn.xml +++ b/doc/sag/pam_warn.xml @@ -1,34 +1,24 @@ - - -
+
pam_warn - logs all PAM items - - + + -
- +
+
-
- +
+
-
- +
+
-
- +
+
-
- +
+
-
- +
+
-
+
\ No newline at end of file diff --git a/doc/sag/pam_wheel.xml b/doc/sag/pam_wheel.xml index 5ea011e3..76f02042 100644 --- a/doc/sag/pam_wheel.xml +++ b/doc/sag/pam_wheel.xml @@ -1,34 +1,24 @@ - - -
+
pam_wheel - only permit root access to members of group wheel - - + + -
- +
+
-
- +
+
-
- +
+
-
- +
+
-
- +
+
-
- +
+
-
+
\ No newline at end of file diff --git a/doc/sag/pam_xauth.xml b/doc/sag/pam_xauth.xml index 9aca9ffa..4c9ba35e 100644 --- a/doc/sag/pam_xauth.xml +++ b/doc/sag/pam_xauth.xml @@ -1,34 +1,24 @@ - - -
+
pam_xauth - forward xauth keys between users - - + + -
- +
+
-
- +
+
-
- +
+
-
- +
+
-
- +
+
-
- +
+
-
+
\ No newline at end of file -- cgit v1.2.3