author | Steve Langasek <steve.langasek@ubuntu.com> | 2019-01-03 12:44:11 -0800 |
---|---|---|
committer | Steve Langasek <steve.langasek@ubuntu.com> | 2019-01-03 12:44:11 -0800 |
commit | efd31890b5ed496a5a00c08a262da240e66a4ddc (patch) | |
tree | 22a7aab22b3a491bb58df250d7d6409e0c160bcc /Linux-PAM | |
parent | 067affee9267fa0d1c21835182ba639ba33e820f (diff) |
New upstream version 0.76
Diffstat (limited to 'Linux-PAM')
292 files changed, 52813 insertions, 0 deletions
diff --git a/Linux-PAM/CHANGELOG b/Linux-PAM/CHANGELOG new file mode 100644 index 00000000..f187f0f7 --- /dev/null +++ b/Linux-PAM/CHANGELOG 
@@ -0,0 +1,1582 @@ + +$Id: CHANGELOG,v 1.1.1.2 2002/09/15 20:08:18 hartmans Exp $ + +----------------------------- + +TODO: + + - sanitize use of md5 throughout distribution.. Make a static + library for helping to develop modules that contains it and other + stuff. Also add sha-1 and ripemd-160 digest algorithms. + - once above is done. remove hacks from the secret@here module etc.. + - remove prototype for gethostname in pam_access.c (Derrick) + - document PAM_INCOMPLETE changes + - verify that the PAM_INCOMPLETE interface is sensible. Can we + catch errors? should we permit item changing etc., between + pam_authenticate re-invocations? + - verify that the PAM_INCOMPLETE interface works (auth seems ok..) + - add PAM_INCOMPLETE support to modules (partially added to pam_pwdb) + - work on RFC. + - do we still need to remove openlog/closelog from modules..? + - auth and acct support in pam_cracklib, "yes, I know the password + you just typed was valid, I just don't think it was very strong..." + - add in the pam_cap and pam_netid modules + +==================================================================== +Note, as of release 0.73, all checkins should be accompanied with a +Bug ID. The bug IDs relate to sourceforge IDs.. (Of course, nothing is +ever that simple. It turns out that at some point in Sourceforge's +history all of the bug ids got bumped by 100000, so pretty much if you +see a bug ID below that begins with a '1' and your attempted query +fails, try adding 100000 to the number and trying again. I believe +this only affects bugs before release 0.76.) + +You can query the related bug description with the following URL: + + http://sourceforge.net/tracker/index.php?func=detail&aid=XXXXXX&group_id=6663&atid=106663 + +Where you should replace XXXXXX with a bug-id. + +For general documentation completion work, I'm doing it all with +respect to specific tasks. 
Open tasks are listed here: + + http://sourceforge.net/pm/task.php?group_id=6663&group_project_id=2741&func=browse&set=open + +If you have found a bug in Linux-PAM (including a documentation bug, +or a new feature request and/or patch), please consider filing such a +bug report - outstanding bugs are listed here: + + http://sourceforge.net/tracker/?atid=106663&group_id=6663&func=browse + +(to file another bug see the 'submit bug' button on that page). + +==================================================================== + +0.76: please submit patches for this section with actual code/doc + patches! + +* pam_unix: fix for legacy crypt() support when the password entered + was long. (Bug 521314 - agmorgan). +* pam_access no longer include gethostname() prototype complained from + David Lee (Bug 415423 - agmorgan). +* make pam_nologin more secure by default, added two new module + arguments etc. - acting on suggestion from Nico (Bug 419307 - + agmorgan) +* link in libpam to libpam_misc - since the latter uses functions in + the former it makes some sort of sense to do this (although, in the + static library case, I remain to be convinced). (Bug 565470 - + agmorgan). +* absorbed some of the proposed darwin (OS X) changes from Luke Howard + (of PADL software) - hopefully will get the rest (see Rob Braun's + 534205) by 0.77 (Bug 491466 - agmorgan). +* README fix for pam_unix from Nalin (Bug 476971 - agmorgan). +* add support for building pdf files from the documentation - request + from 'lolive' (Bug 471377 - agmorgan). +* documented the equivalent '[..]' expressions for "required" + etc. Request from Ross Patterson (Bug 529078 - agmorgan). +* '[...]' parsing: document it and also fix it to support '\]' escape + sequence. Feature request from Russell Kliese (Bug 517064 - + agmorgan). +* pam_rootok: compilation warning noted by Tony den Haan wrt no + prototype for strcmp() (Bug 557322 - agmorgan). 
+* documentation: (a few of mine in passing) and app documentation + suggestions regarding PAM environment variables and module + documentation changes regarding the conversation function from Jenn + Vesperman (Bug 527821, 527965 - agmorgan) +* documentation: pam_time.sgml typo fixed, pam_motd exists now, + correct Red Hat comment about config files (Bugs 554274, 554261, + 554182 - agmorgan) +* pam_limits: added '%' domain for maxlogins limiting, now '*' and @group + have the old meaning (every) and '%' the new one (all) + (Bug 533664 - baggins) +* pam_limits: put not so interesting log messages under debug arg + (Bug 533668 - baggins) +* pam_access: added the 'fieldsep=' argument (Bug 547051 - agmorgan), + made a PAM_RHOST of "" equivalent to NULL (Bug 547521 - agmorgan). +* pam_limits: keep well know behaviour of maxlogins default ('*') limit + (Bug 533664 - baggins) +* pam_unix: more from Nalin log password changes (Bug 517743 - agmorgan) +* pam_limits: make it use the priority value specified in config + (bug 530428 - baggins) +* pam_unix: removed broken code in password update code. Report from + Len Lattanzi (Bug 507379 - agmorgan) +* pam_mkhomedir: recurse directories. Patch from Nalin (Bug 476981 - + agmorgan) +* pam_limits can handle negative priority limits now (which can apply + to the superuser too) - based on patch from Nalin. Also cleanup the + error handling that was very sloppy before. Also, courtesy of Berend + De Schouwe get the math right on login counting (Bug 476990, 476987, + 493294 - agmorgan) +* documentation: random typo fixes from Nalin and more stuff from me + (Bug 476949, Tasks 43507, 17426 - agmorgan) +* A Tru64 fix (given other stuff has already resolved this, it + actually just a comment actually) from 'Eddie'. (Bug 418450 - + agmorgan) +* pam_handlers: BSD fix from Dag-Erling Smørgrav and Anton Berezin + (Bug 486063 - agmorgan) +* added the dynamic/* directory to the distribution. 
If you go in + there after building the rest of the tree, you'll make a pam.so + object that can be used by something like a java runtime with + dlopen. Its not very well tested - caveat emptor. (Bug 232194 - + agmorgan) +* somehow pam_unix has started forcing the user prompt to be "login: ". + This is entirely inapropriate as it overrides PAM_USER_PROMPT. (Bug + 486361 - agmorgan). +* added a static module helper library object includes a few changes + to examples/xsh.c for testing purposes (added a simple shell wrapper + for running xsh with the sandbox libraries), and also modified the + pam_rhosts_auth module to use this new library. (Bug 490938, 409852 + - agmorgan). +* pam_unix: fix 'likeauth' to kill off the memory leak once and for all. + (Bug 483959 - vorlon) +* pam_unix: restore handling of 'likeauth' argument to a known working + state; prettify AUTH_RETURN macro; remove redundant argv checks in + pam_sm_setcred() (Bugs 483959, 113596 - vorlon) +* pam_cracklib: another try at implementing similar() from Harald + Welte and Nalin (Bugs 436053, 476957 - agmorgan) +* pam_access: default access.conf file contained a type (console + instead of LOCAL) fix from Nalin (Bug 476934 - agmorgan) +* pam_unix: fixed bizarre memory leak pointed out by Fernando Trias + (Bug 483959 - agmorgan) +* misc string comparison length checking changes from Nalin. Modules + touched, pam_cracklib, pam_listfile, pam_unix, pam_wheel (Bug 476947 - + agmorgan) +* pam_userdb: require that all of typed password matches that in + database report and fix from Vladimir Pastukhov. (Bug 484252 - agmorgan) +* pam_malloc: revived malloc debugging code, now tied to + --enable-memory-debug and added strdup() support (Bug 485454 - agmorgan) +* pam_tally: Nalin's fix for lastlog corruption (Bug 476985 - agmorgan) +* pam_rhosts: Nalin adds support for '+hostname', and zdd fix + compilation warning. (Bug 476986 - agmorgan) +* pam_motd: Nalin fixed compiler warning. 
(Bug 476938 - agmorgan) +* pam_pwdb: Solar Designer pointed out that there was a problem with + the compatibility support for md5 password hashing. (Bug 460717, + 476961 - agmorgan) +* pam_issue: Nalin found segfaulting problems if the PAM_USER_PROMPT + is unset, found some similar problems with assumptions about + realloc. (Bug 476983 - agmorgan) +* pam_env: 'weichangyang of hotmail' pointed out a wild string with no + valid '\0' was leading to problems with sshd and suggested fix (Bug + 473034 - agmorgan) +* MANDIR cleanup. It defaults to /usr/share/man, but can be overridden + using the --enable-mandir ./configure option, similarly for DOCDIR + from Nalin (Bug 476940 - agmorgan) +* pam_filter cleanup (including moving the filter directory) Nalin + and Harald Welte (Bugs 436057, 476970 - agmorgan) +* db3 is now recognized as a libdb candidate (Bug 435764 - agmorgan) +* more changes (extracted from redhat version) courtesy of + Harald Welte (Bugs pam_limits=436061, pam_lastlog=436060, + pam_mkhomedir/pam_env=435991 - agmorgan) +* fix for legacy behavior of pam_setcred and pam_close_session in + the case that pam_authenticate and pam_open_session hadn't been + called - bug report from Seongwan Park. (Bug 468724 - agmorgan) +* some BSD updates and fixes from Mark Murray - including a slightly + more robust conversation function and some minimization of gcc + warnings. (Bugs 449203,463984 - agmorgan) +* verified that the setcred stack didn't suffer from the bug I was + nervous about, add a new module pam_debug to help me test this. + fixed a libpam/pam_dispatch.c instrumentation line that I tripped + over when testing. Also restructured pam_warn to help here (Bug + 424315 - agmorgan). +* pam_unix/support.c: sample use of reentrant NSS function. Not yet active, + because modules do not include _pam_aconf_h! 
(Bug 440107 - vorlon) +* doc/Makefile changes - use $(mandir) [courtesy Harald Welte] (Bug + 435760) and add some rules to make/delete the draft rfc I've been + working on (Task 17426 - agmorgan) +* pam_modules.sgml: sourceforge has changed its CVS viewing software + (Bug 460491 - agmorgan) +* pam_unix_passwd: got rid of an annoying warning (Bug 461089 - agmorgan) +* configure.in, _pam_aconf.h.in: set the stage for fully reentrant PAM + modules, with some infrastructure to detect getxxbyxx_r() functions + (Bug 440107 - vorlon) +* pam_unix: removed superfluous use of static variables in md5 and bigcrypt + routines, bringing us a step closer to thread-safeness. Eliminated + some variable indirection along the way. (Bug 440107 - vorlon) +* pam_tally: remove #include of stdlib.h, which isn't needed by anything + found in this module. Can be readded if we find a real need for it at + a later date. (Bug 436432 - vorlon) +* pam_tally: added an #include (was it really needed?) and made the + pam_tally app install (with more pretty printing and a corrected + Makefile dependency) motivated by a (red hat diff) courtesy of Harald + Welte (Bug 436432 - agmorgan) +* configure.in changes to help support non-Linux environments courtesy + of Scott T. Emery (Bug 422563 - agmorgan) +* made a pam_cracklib enhancement to interpret -ve limits in a + sensible fashion contributed by Werner Puschitz (Bug 413162 - + agmorgan) +* another fix for the latest number of rlimits available to pam_limits + (Bug 424060 - agmorgan) +* removed stale link from pam_pwdb documentation (Bug 433460 - agmorgan) +* pam_appl.sgml change - more discussion of choosing a service name + (Bug 417512 - agmorgan) +* more specific linking requirements for -lndbm for pam_userdb - from + David Lee (Bug 417339 - agmorgan) +* a large number of small changes to make AIX support better (Bug + 416229 - agmorgan) +* $(MAKE) instead of 'make' - from Scott T. 
Emery (Bug 422144 - + agmorgan) +* c++ header fixes for pam_misc.h and pam_client.h - from Alexandre + Sagala (Bug 420270 - agmorgan) +* pam_access fixes - looks out for trailing '.' - from Carlo Marcelo + Arenas Belon (Bug 419631 - agmorgan) +* don't zero out password strings during pam_unix's password changing + function (Bug 419803 - vorlon) +* propagate some definitions to the _pam_aconf.h file - from David Lee + (Bug 415419 - agmorgan) +* solaris GCC OS_CFLAGS change from David Lee (Bug 415412 - agmorgan) +* added a comment to this CHANGELOG to explain why most of the bugids + used below appear not to be known to sourceforge [try adding 100000 + to the bugid number.] (Bug 414943 - agmorgan) +* bumped version numbers and also added support for SONAME defines + that appear not to have survived the great autoconf experiment (Bug + 414669 - agmorgan). + +0.75: Sat Apr 7 23:10:50 PDT 2001 + + ** WARNING ** + +This release contains backwardly incompatible changes to +libpam. Prior versions were buggy - see bugfix for Bug 129775. + + ** WARNING ** + +* made 0.75 release (Bug 414665 - agmorgan) +* pam_pwdb has been removed from the suggested pam.conf template. I've + replaced it with pam_unix. (Bug 227565 - agmorgan) +* pam_limits - Richard M. Yumul reported that "<domain> -" didn't + work, first fix suggested by Werner Puschitz (Bug 404953 - agmorgan) +* Nicolay Pelov suggested a simple fix for freebsd support (Bug 407282 + - agmorgan) +* Michel D'HOOGE submitted documentation fixes (Bug 408961 - agmorgan) +* fix for module linking directions (Bug 133545 - agmorgan) +* fix for glibc-2.2.2 compilation of pam_issue (Bug 133542 - agmorgan) +* fix pam_userdb to make and link both .o files it needs - converse() + wasn't being linked! (Bug 132880 - agmorgan) +* added some sys-admin documentation for the pam_tally module (Bug + 126210 - agmorgan). +* added a link to module examples from the module writers doc (Bug + 131192 - agmorgan). 
+* fixed a small security hole (more of a user confusion issue) with + the unix and pwdb password helper binaries. The beef is described in + the bug report, but no uid change was possible so no-one should + think they need to issue a security bulletin over this one! (Bug + 112540 - agmorgan) +* pam_lastlog needs to be linked with -lutil, also removed ambiguity + from sysadmin guide regarding this module being a 'session' module + (Bug 131549 - agmorgan). +* pam_cracklib needs to be linked with -lcrypt (old password checking) + (Bug 131601 - agmorgan). +* fixes for static library builds and also the examples when linked + with the debugging build of the libraries. (Bug 131783 - agmorgan) +* fixed URL for original RFC to a cached kernel.org file. (Bug 131503 + - agmorgan) +* quoted the $CRACKLIB_DICTPATH test in configure.in (Bug 130130 - + agmorgan). +* improved handling of the setcred/close_session and update chauthtok + stack. *Warning* This is a backwardly incompatable change, but 'more + sane' than before. (Bug 129775 - agmorgan) +* bumped the version number, and added some code to assist in making + documentation releases (Bug 129644 - agmorgan). + +0.74: Sun Jan 21 22:36:08 PST 2001 + +* made 0.74 release (Bug 129642 - agmorgan) +* libpam - cleaned up a few non-static functions to be static and added + support for libpam to enforce things like pam_[gs]et_data() and + AUTHTOK rules for using the API. Also documented pam_[gs]et_item() + a little better including return codes (Bugs 129027, 128576 - + agmorgan). +* pam_access - fixed the non-default config file option (Bug 127561 - + agmorgan) +* pam.8 manual page clarified with respect to the default location for + finding modules, also added some text describing the [...] control + syntax. 
(Bug 127625 - agmorgan) +* md5.h ia64 fixes for pam_unix and pam_pwdb (Bug 127700 - agmorgan) +* removed requirement for c++ from the configure{.in,} files (Bug + 128298 - agmorgan) +* removed subdirectories from man page redirections (124396 - baggins) +* per David Lee, fixed non-POSIX shell command in modules/pam_filter/Makefile + (Bug 126440 - vorlon) +* modify format of pam_unix log messages to include service name + (Bug 126423 - vorlon) +* prevent pam_unix from logging unknown usernames (Bug 126431 - vorlon) +* changed format of pam_unix 'authentication failure' log messages to make + them clearer and more consistent (Bug 126036 - vorlon) +* improved portability of pam_unix by eliminating Linux-specific utmp + defines in PAM_getlogin() (Bug 125704 - vorlon) +* removed static variables from pam_tally (Bug 117434 - agmorgan) +* added copyright message to pam_access module from original logdaemon + sources (Bug 125022 - agmorgan) +* configure.in - removed the GCC -Wtraditional flag (Bug 124923 - agmorgan) +* pam_mail - use PAM_PATH_MAILDIR as the location of mail spool + (Bug 124397 - baggins) +* _pam_aconf.h.in, configure.in - added PAM_PATH_MAILDIR set via + --with-mailspool=dir option (default is _PAM_MAILDIR if defined + in paths.h otherwise /var/spool/mail (Bug 124397 - baggins) +* removed unnecessary CVS Log tags from all over the source + (Bug 124391 - baggins) +* pam_tally - check for PAM_TTY if PAM_RHOST is not set when writing + to faillog (Bug 124394 - baggins) +* use O_NOFOLLOW if available when opening debug log (Bug 124385 - baggins) +* pam_cracklib - removed comments about pam_unix not working with + pam_cracklib, added information about use_authtok parameter + (Bug 124388 - baggins) +* pam_userdb - fixed wrong definition of struct pam_module (was pam_wheel) + (Bug 124386 - baggins) +* fixed example/Makefile include path (Bug 124187, 127563(?) - agmorgan) +* pam_userdb compiles on RH5x. Also removed circular dependency on + configure.in. 
Also bumped revision number to 0.74. (Bug 124136 - + agmorgan) + +0.73: Sat Dec 2 00:04:04 PST 2000 + +* updated documentaion revisions and added 'make release' support + to the top level Makefile (Bug 124132 - agmorgan). +* documented Qmail support in pam_mail (Bug 109219 - baggins) +* add change_uid option to pam_limits, and set real uid only if + this option is present (Bug 124062 - baggins) +* pam_limits - set real uid to the user for who we set limits. + (Bug 123972 - baggins) +* removed static variables from pam_limits (thread safe now). (Bug + 117450 - agmorgan). +* removed static variable from pam_wheel (module should be thread safe + now). (Bug 112906 - agmorgan) +* added support for '/' symbols in pam_time and pam_group config files + (support for modern terminal devices). Fixed infinite loop problem + with '\\[^\n]' in these files. (Bug 116076 - agmorgan) +* avoid potential SIGPIPE when writing to helper binaries with (Bug + 123399 - agmorgan) +* replaced bogus logic in the pam_cracklib module for determining if + the replacement is too similar to the old password (Bug 115055 - + agmorgan) +* added accessconf=<filename> feature to pam_access - request from + Aldrin Martoq and Meelis Roos (Bugs 111927,117240 - agmorgan) +* fix for pam_limit module not dealing with all limits Adam J. 
Richter + (Bug 119554 - agmorgan) +* comment fix describing fail_delay callback in _pam_types.h (Bug + 112646 - agmorgan) +* "likeauth" fix for pam_unix and pam_pwdb which (Bug 113596 - agmorgan) +* fix for pam_unix (support.c) to avoid segfault with NULL password + (Bug 113238 - vorlon) +* fix to pam_unix_passwd: try repeatedly to get a lock on the password + file, instead of failing immediately (Bug 108845 - fix vorlon) +* fix to pam_shells: logged information was not formatted correctly + (extra comma) (Bug 111491 - fix vorlon) +* fix for C++ application support (Bug 111645 - fix agmorgan) +* fix for typo in pam_client.h (Bug 111648 - fix agmorgan) +* removal of -lpam from pam_mkhomedir Makefile (Bug 116380 - fix agmorgan) +* autoconf support [Task ID 15788, Bug ID 108297 - agmorgan with help!] + - bugfix for libpamc.h include file [Bug ID 117476 - agmorgan] + - bugfix for pam_filter.h inclusion [Bug ID 117474 - agmorgan] + +0.72: Mon Dec 13 22:41:11 PST 1999 + +* patches from Debian (Ben Collins): pam_ftp supports event driven + conversations now; pwdb_chkpwd cleanup; pam_warn static compile fix; + user_db compiler warnings removed; debian defs file; pam_mail can + now be used as a session module +* ndbm compilation option for user_db module (fix explained by Richard Khoo) +* pam_cracklib bug fix +* packaging fixes & build from scratch stuff (Konst Bulatnikov & Frodo + Looijaard) +* -ldl appended to the libpam.so compilation make rule. (Charles Seeger) +* Red Hat security patch for pam_pwdb forwarded by Debian! (Ben + Collins. Fix provided by Andrey as it caught the problem earlier in the + code.) +* heuristic to prevent leaking filedescriptors to an agent. [This needs + to be better supported perhaps by an additional libpamc API function?] +* pam_userdb segfault fix from (Ben Collins) +* PAM draft spec extras added at request of 'sen_ml' + +0.71: Sun Nov 7 20:21:19 PST 1999 + +* added -lc to linker pass for pam_nologin module (glibc is weird). 
+* various header changes to lower the number of warnings on glibc + systems (Dan Yefimov) +* merged a bunch of Debian fixes/patches/documentation (Ben Collins) + things touched: libpam (minor); doc/modules/pam_unix.sgml; pam_env + (plus docs); pam_mkhomedir (new module for new home directories on + the fly...); pam_motd (new module); pam_limits (adjust to match + docs); pam_issue (new module + doc) [Some of these were also + submitted by Thorsten Kukuk] +* small hack to lower the number of warnings that pam_client.h was + generating. +* debian and SuSE apparently can use the pam_ftp module, so + removed the obsolete comment about this from the docs. (Thorsten + Kukuk) + +0.70: Fri Oct 8 22:05:30 PDT 1999 + +* bug fix for parsing of value=action tokens in libpam/pam_misc.c was + segfaulting (Jan Rekorajski and independently Matthew Melvin) +* numerous fixes from Thorsten Kukuk (icluding much needed fixes for + bitrot in modules and some documentation) that got included in SuSE 6.2. +* reentrancy issues in pam_unix and pam_cracklib resolved (Jan Rekorajski) +* added hosts_equiv_rootok module option to pam_rhosts module (Tim Berger) +* added comment about 'expose_account' module argument to admin and + module writers' docs (request from Michael K Johnson). +* myriad of bug fixes for libpamc - library now built by default and + works with the biomouse fingerprint scanner agent/module + (distributed separately). + +0.69: Sun Aug 1 20:25:37 PDT 1999 + +* c++ header #ifdef'ing for pam_appl.h (Tuomo Pyhala) +* added pam_userdb module (Cristian Gafton) +* minor documentation changes +* added in revised pam_client library (libpamc). Not installed by + default yet, since the example agent/module combo is not very secure. +* glibc fixes (Thorsten Kukuk, Adam J. 
Richter) + +0.68: Sun Jul 4 23:04:13 PDT 1999 + +* completely new pam_unix module from Jan Rekorajski and Stephen Langasek +* Jan Rekorajski pam_mail - support for Maildir format mailboxes +* Jan Rekorajski pam_cracklib - support for old password comparison +* Jan Rekorajski bug fix for pam_pwdb setcred reusing auth retval +* Andrey's pam_tally patch (lstat -> fstat) +* Robert Milkowski's additional pam_tally patches to **change format of + /var/log/faillog** to one from shadow-utils, add new option "per_user" + for pam_tally module, failure time logging, support for fail_line + field, and support for fail_locktime field with new option + no_lock_time. +* pam_tally: clean up the tally application too. +* Marcin Korzonek added process priority settings to pam_limits (bonus + points for adding to documentation!) +* Andrey's pam_pwdb patch (cleanup + md5 endian fubar fix) +* more binary prompt preparations (make misc conv more compatible with spec) +* modified callback hook for fail delay to be more useful with event + driven applications (changed function prototype - suspect no one + will notice). Documented this in app developer guide. +* documentation for pam_access from Tim Berger +* syntax fixes for the documentation - a long time since I've built it :*( + added some more names to the CREDITS file. + +0.67: Sat Jun 19 14:01:24 PDT 1999 + +* [dropped libpam_client - libpamc will be in the next release and + conforms to the developing spec in doc/specs/draft-morgan-pam.raw. + Sorry if you are keeping a PAM tree in CVS. CVS is a pain for + directories, but this directory was actually not referenced by + anything so the disruption should be light.] +* updates to pam_tally from Tim +* multiple updates from Stephen Langasek to pam_unix +* pam_filter had some trouble compiling (bug report from Sridhar) +* pam_wheel now attempts to identify the wheel group for the local + system instead of blindly assuming it is gid=0. 
In the case that + there is no "wheel" group, we default to assuming gid=0 is what was + meant - former behavior. (courtesy of Sridhar) +* NIS+ changes to pam_unix module from Dmitry O Panov +* hopefully, a fix for redefinition of LOG_AUTHPRIV (bug report Luke + Kenneth Casson Leighton) +* fix for minor typo in pam_wheel documentation (Jacek Kopecky) +* slightly more explanation of the [x=y] pam.conf syntax in the sys + admin guide. + +0.66: Mon Dec 28 20:22:23 PST 1998 <morgan@linux.kernel.org> + +* Started using cvs to keep track of changes to Linux-PAM. This will + likely break some of the automated building stuff (RPMs etc..). +* security bug fix to pam_unix and pam_tally from Andrey. +* modules make file is now more automatic. It should be possible to + unpack an external module in the modules directory and have it automatically + added to the build process. Also added a modules/download-all script + that will make such downloading easier. I'm happy to receive patches to + this file, informing the distribution of places from which to enrich itself. +* removed pam_system_log stuff. Thought about it long and hard: a + bad idea. If libc cannot guarantee a thread safe syslog, it needs + to be fixed and compatibility with other PAM libraries was + unnecessarily strained. +* SAG documentation changes: Seth Chaiklin +* rhosts: problems with NIS lookup failures with the root-uid check. + As a work-around, I've partially eliminated the need for the lookup + by supplying two new arguments: no_uid_check, superuser=<username>. + As a general rule this is more pluggable, since this module might be + used as an authentication scheme for a network service that does not + need root privilege... +* authenticate retval -> setcred for pam_pwdb (likeauth arg). 
+* pam_pwdb event driven support +* non openlog pam_listfile logging +* BUGFIX: close filedescriptor in pam_group and pam_time (Emmanuel Galanos) +* Chris Adams' mailhash change for pam_mail module +* fixed malloc failure check in pam_handlers.c (follow up to comment + by Brad M. Garcia). +* update to _pam_compat.h (Brad M. Garcia) +* support static modules in libpam again (Brad M. Garcia) +* libpam/pam_misc.c for egcs to grok the code (Brad M. Garcia) +* added a solaris-2.5.1 defs file (revived by Derrick J Brashear) +* pam_listfile logs failed attempts +* added a comment (Michael K Johnson pointed it out) about sgml2latex + having a new syntax. I'll make it the change real when I upgrade... +* a little more text to the RFC, spelling fix from William J Buffam. +* minor changes to pam_securetty to accommodate event driven support. + +0.65: Sun Apr 5 22:29:09 PDT 1998 <morgan@linux.kernel.org> + +* added event driven programming extensions to libpam + - added PAM_INCOMPLETE handling to libpam/pam_dispatch.c + - added PAM_CONV_AGAIN which is a new conversation response that + should be mapped to PAM_INCOMPLETE by the module. + - ensured that the pam_get_user() function can resume + - changes to pam_strerror to accommodate above return codes + - clean up _pam_former_state at pam_end() + - ensured that former state is correctly initialized + - added resumption tests to pam_authenticate(), pam_chauthtok() + - added PAM_FAIL_DELAY item for pausing on failure + +* improved _pam_macros.h so that macros can be used as single commands + (Andrey) + +* reimplemented logging to avoid bad interactions with libc. Added + new functions, pam_[,v]system_log() to libpam's API. A programmer + can check for this function's availablility by checking if + HAVE_PAM_SYSTEM_LOG is #defined. + +* removed the reduce conflict from pam_conv1 creation -- I can sleep + again now. :^] + +* made building of static and dynamic libpam separate. 
This is + towards making it possible to build both under Solaris (for Derrick) + +* made USE_CRACKLIB a condition in unix module (Luke Kenneth Casson Leighton) + +* automated (quiet) config installation (Andrey) + +0.64: Thu Feb 19 23:30:24 PST 1998 Andrew Morgan <morgan@linux.kernel.org> + +* miscellaneous patches for building under Solaris (Derrick J Brashear) + +* removed STATIC support from a number of module Makefiles. Notably, + these modules are those that use libpwdb and caused difficulties + satisfying the build process. (Please submit patches to fix this...;) + +* reomved the union for binary packet conversations from + (_pam_types.h). This is now completely implemented in libpam_client. + +* Andrey's patch for working environment variable handling in + sh_secret module. + +* made the libpam_misc conversation function a bit more flexible with + respect to binary conversations. + +* added top level define (DEBUG_REL) for compiling in the form of + a debugging release. I use this on a Red Hat 4.2 system with little + chance of crashing the system as a whole. (Andrey has another + implementation of this -- with a spec file to match..) + +0.63: Wed Jan 28 22:55:30 PST 1998 Andrew Morgan <morgan@linux.kernel.org> + +* added libpam_client "convention" library. This makes explicit the + use of PAM_BINARY_PROMPT. It is a first cut, so don't take it too + seriously yet. Comments/suggestions for improvements are very + welcome. Note, this library does not compile by default. It will + be enabled when it is judged stable. The library comes with two + module/agent pairs and can be used with ssh using a patch available + from my pre-release directory [where you got this file.] 
+ +* backward compatibility patch for libpam/pam_handlers.c (PAM_IGNORE + was working with neither "requistie" nor "required") and a DEBUG'ing + compile time bug with pam_dispatch.c (Savochkin Andrey Vladimirovich) + +* minor Makefile change from (Savochkin Andrey Vladimirovich) + +* added pam_afsauth, pam_afspass, pam_restrict, and pam_syslog hooks + (Derrick J Brashear) + +* pam_access use of uname(2) problematic (security problem + highlighted by Olaf Kirch). + +* pam_listfile went a bit crazy reading group membersips (problem + highlighted by Olaf Kirch and patched independently by Cristian + Gafton and Savochkin Andrey Vladimirovich) + +* compatibility hooks for solaris and hpux (Derrick J Brashear) + +* 64 bit Linux/alpha bug fixed in pam_rhosts (Andrew D. Isaacson) + +0.62: Wed Jan 14 14:10:55 PST 1998 Andrew Morgan <morgan@linux.kernel.org> + +* Derrick J Brashear's patches: adds the HP stuff missed in the first + patch; adds SunOS support; adds support for the Solaris native ld + instead of requiring gnu ld. + +* last line of .rhosts file need not contain a newline. (Bug reported by + Thompson Freeman.) + +0.61: Thu Jan 8 22:57:44 PST 1998 Andrew Morgan <morgan@linux.kernel.org> + +* complete rewrite of the "control flag" logic. Formerly, we were + limited to four flags: requisite, required, sufficient, optional. + We can now use these keywords _and_ a great deal more besides. + The extra logic was inspired by Vipin Samar, a preliminary patch was + written by Andy Berkheimer, but I "had some ideas of my own" and + that's what I've actually included. The basic idea is to allow the + admin to custom build a control flag with a series of token=value + pairs inside square brackets. Eg., '[default=die success=ok]' which + is pretty close to a synonym for 'requisite'. I'll try to document it + better in the sys-admin guide but I'm pretty sure it is a change for + the better.... 
If what is in the sys-admin guide is not good enough + for you, just take a look at the source for libpam ;^) + +0.59: Thu Jan 8 22:27:22 PST 1998 Andrew Morgan <morgan@linux.kernel.org> + +* better handling of empty lines in .rhosts file. (Formerly, we asked + the nameserver about them!) Fix from Hugh Daschbach. + +* _broke_some_binary_compatibility_ with previous versions to become + compliant with X/Open's XSSO spec. Specifically, this has been + by changing the prototype for pam_strerror(). + +* altered the convention for the conversation mechanism to agree + with that of Sun. (number of responses 'now=' number of messages + with help from Cristian for finding a bug.. Cristian also found a + nasty speradic segfault bug -- Thanks!) + +* added NIS+ support to pam_unix_* + +* fixed a "regular file checking" problem with the ~/.rhosts sanity + check. Added "privategroup" option to permit group write permission + on the ~/.rhosts file in the case that the group owner has the same + name as the authenticating user. :*) "promiscuous" and "suppress" + were not usable! + +* added glibc compatibility to pam_rhosts_auth (protected __USE_MISC + with #ifndef since my libc already defines it!). + +* Security fix from Savochkin Andrey Vladimirovich with suggested + modification from Olaf Seibert. + +* preC contains mostly code clean-ups and a number of changes to + _pam_macros. + +0.58: whenever + +* pam_getenvlist() has a more robust definition (XSSO) than was previously + thought. It would seem that we no longer need pam_misc_copy_env() + which was there to provide the robustness that pam_getenvlist() + lacked before... + + Accordingly, I have REMOVED the prototype from libpam_misc. (The + function, however, will remain in the library as a wrapper for + legacy apps, but will likely be removed from libpam_misc-1.0.) PLEASE + FIX YOUR APPS *BEFORE* WE GET THERE! + +* Alexy Nogin reported garbage output from pam_env in the case of + a non-existent environment variable. 
+ +* 'fixed' pwdb compilation for pam_wheel. Not very cleanly + done.. Mmmm. Should really clean up the entire source tree... + +* added prototypes for mapping functions + + <**WARNING**> + + various constants have had there names changed. Numerical values have + been retained but be aware some source old modules/applications will + need to be fixed before recompilation. + + </**WARNING**> + +* appended documentation to README for pam_rhosts module (Nicolai + Langfeldt). + +* verified X/Open compatibility of header files - note, where we differ + it is at the level of compilation warnings and the use of 'const char *' + instead of 'char *'. Previously, Sun(X/open) have revised their spec + to be more 'const'-ervative in the light of comments from Linux-PAM + development. + +* Ooops! PAM_AUTHTOKEN_REQD should have been PAM_NEW_AUTHTOK_REQD. + + changed: pam_pwdb(pam_unix_acct) (also bug fix for + _shadow_acct_mgmt_exp() return value), pam_stress, + libpam/pam_dispatch, blank, xsh. + +* New: PAM_AUTHTOK_EXPIRED - password has expired. + +* Ooops! PAM_CRED_ESTABLISH (etc.) should have been PAM_ESTABLISH_CRED + etc... (changed - this may break some people's modules - PLEASE TAKE + NOTE!) + changed: pam_group, pam_mail, blank, xsh; module and appl + docs, pam_setcred manual page. + +* renamed internal _pam_handle structure to be pam_handle as per XSSO. + +* added PAM_RADIO_TYPE (for multiple choice input method). Also + added PAM_BINARY_{MSG,PROMPT} (for interaction out of sight of user + - this could be used for RSA type authentication but is currently + just there for experimental purposes). The _BINARY_ types are now + usable with hooks in the libpam_misc conversation function. Still + have to add PAM_RADIO_TYPE. + +* added pam_access module (Alexei Nogin) + +* added documentation for pam_lastlog. 
Also modified the module to + not (by default) print "welcome to your new account" when it cannot + find a utmp entry for the user (you can turn this on with the + "never" argument). + +* small correction to the pam_fail_delay manual page. Either the appl or + the modules header file will prototype this function. + +* added "bigcrypt" (DEC's C2) algorithm(0) to pam_pwdb. (Andy Phillips) + +* *BSD tweaking for various #include's etc. (pam_lastlog, pam_rhosts, + pam_wheel, libpam/pam_handlers). (Michael Smith) + +* added configuration directory $SCONFIGED for module specific + configuration files. + +* added two new "linked" man pages (pam.conf(8) and pam.d(8)) + +* included a reasonable default for /etc/pam.conf (which can be + translated to /etc/pam.d/* files with the pam_conv1 binary) + +* fixed the names of the new configuration files in + conf/pam_conv1/pam_conv.y + +* fixed make check. + +* pam_lastlog fixed to handle UID in virgin part of /var/log/lastlog + (bug report from Ronald Wahl). + +* grammar fix in pam_cracklib + +* segfault avoided in pam_pwdb (getting user). Updating of passwords + that are directed to a "new" database are more robust now (bug noted + by Michael K. Johnson). Added "unix" module argument for migrating + passwords from another database to /etc/passwd. (documentation + updated). Removed "bad username []" warning for empty passwords - + on again if you supply the 'debug' module argument. + +* ctrl-D respected in conversation function (libpam_misc) + +* Removed -DPAM_FAIL_DELAY_ON from top-level Makefile. Nothing in + the distribution uses it. I guess this change happened a while + back, basically I'm trying to make the module parts of the + distribution "source compatible" with the RFC definition of PAM. + This implementation of PAM is a superset of that definition. 
I have + added the following symbols to the Linux-PAM header files: + + PAM_DATA_SILENT (see _pam_types.h) + HAVE_PAM_FAIL_DELAY (see _pam_types.h) + PAM_DATA_REPLACE (see _pam_modules.h) + + Any module (or application) that wants to utilize these features, + should check (#ifdef) for these tokens before using the associated + functionality. (Credit to Michael K. Johnson for pointing out my + earlier omission: not documenting this change :*) + +* first stab at making modules more independent of full library + source. Modules converted: + pam_deny + pam_permit + pam_lastlog + pam_pwdb + +* pam_env.c: #include <errno.h> added to ease GNU libc use. (Michael + K. Johnson) + +* pam_unix_passwd fixes to shadow aging code (Eliot Frank) + +* added README for pam_tally + +0.57: Fri Apr 4 23:00:45 PST 1997 Andrew Morgan <morgan@parc.power.net> + +* added "nodelay" argument to pam_pwdb. This can be used to turn off + the call to pam_fail_delay that takes effect when the user fails to + authenticate themself. + +* added "suppress" argument to pam_rhosts_auth module. This will stop + printing the "rlogin failure message" when the user does not have a + .rhosts file. + +* Extra fixes for FAKEROOT in Makefiles (Savochkin Andrey + Vladimirovich) + +* pam_tally added to tree courtesy of Tim Baverstock + +* pam_rhosts_auth was failing to read NFS mounted .rhosts + files. (Fixed by Peter Allgeyer). Refixed and further enhanced + (netgroups) by Nicolai Langfeldt. [Credit also to G.Wilford for some + changes that were not actually included..] + +* optional (#ifdef PAM_READ_BOTH_CONFS) support for parsing of pam.d/ + AND pam.conf files (Elliot Lee). + +* Added (and signed) Cristian's PGP key. (I've never met him, but I am + convinced the key belongs to the guy that is making the PAM rpms and + also producing libpwdb. Please note, I will not be signing anyone + else's key without a personal introduction..) 
+ +* fixed erroneous syslog warning in pam_listfile (Savochkin Andrey + Vladimirovich, whole file reformatted by Cristian) + +* modified pam_securetty to return PAM_IGNORE in the case that the user's + name is not known to the system (was previously, PAM_USER_UNKNOWN). The + Rationale is that pam_securetty's sole purpose is to prevent superuser + login anywhere other than at the console. It is not its concern that the + user is unknown - only that they are _not_ root. Returning + PAM_IGNORE, however, insures that the pam_securetty can never be used to + "authenticate" a non-existent user. (Cristian Gafton with bug report from + Roger Hu) + +* Modified pam_nologin to display the no-login message when the user + is not known. The return value in this case is still PAM_USER_UNKNOWN. + (Bug report from Cristian Gafton) + +* Added NEED_LCKPWD for pam_unix/ This is used to define the locking + functions and should only be turned on if you don't have them in + your libc. + +* tidied up pam_lastlog and pam_pwdb: removed function that was never used. + +* Note for package maintainers: I have added $(FAKEROOT) to the list of + environment variables. This should help greatly when you build PAM + in a subdirectory. I've gone through the tree and tried to make + everything compatible with it. + +* added pam_env (courtesy of Dave Kinchlea) + +* removed pam_passwd+ from the tree. It has not been maintained in a + long time and running a shell script was basically insecure. I've + indicated where you can pick up the source if you want it. + +* #define HAVE_PAM_FAIL_DELAY . Applications can conditionally compile + with this if they want to see if the facility is available. It is + now always available. (corresponding compilation cleanups..) + +* _pam_sanitize() added to pam_misc. It purges the PAM_AUTHTOK and + PAM_OLDAUTHTOK items. (calls replaced in pam_auth and pam_password) + +* pam_rhosts now knows about the '+' entry. 
Since I think this is a + dangerous thing, I have required that the sysadmin supply the + "promiscuous" flag for it in the corresponding configuration file + before it will work. + +* FULL_LINUX_PAM_SOURCE_TREE exported from the top level make file. + If you want to build a module, you can test for this to determine if + it should take its directions from above or supply default locations + for installation. Etc. + +0.56: Sat Feb 15 12:21:01 PST 1997 <morgan@parc.power.net> + +* pam_handlers.c can now interpret the pam.d/ service config tree: + - if /etc/pam.d/ exists /etc/pam.conf is IGNORED + (otherwise /etc/pam.conf is treated as before) + - given /etc/pam.d/ + . config files are named (in lower case) by service-name + . config files have same syntax as /etc/pam.conf except + that the "service-name" field is not present. (there + are thus three manditory fields (and arguments are + optional): + + module-type control-flag module-path optional-args... + + ) + +* included conf/pam_conv1 for converting pam.conf to a pam.d/ version + 1.0 directory tree. This program reads a pam.conf file on the + standard input stream and creates ./pam.d/ (in the local directory) + and fills it with ./pam.d/"service-name" files. + + *> Note: It will fail if ./pam.d/ already exists. + + PLEASE REPORT ANY BUGS WITH THIS CONVERSION PROGRAM... It currently + cannot retain comments from the old conf file, so take care to do this + by hand. Also, please email me with the fix that makes the + shift/reduce conflict go away... + +* Added default module path to libpam for modules (see pam_handlers.c) + it makes use of Makfile defined symbol: DEFAULT_MODULE_PATH which is + inhereted from the defs/* variable $(SECUREDIR). Removed module + paths from the sample pam.conf file as they are no longer needed. + +* pam_pwdb can now verify read protected passwords when it is not run + by root. This is via a helper binary that is setuid root. 
+ +* pam_permit now prompts for a username if it is not already determined + +* pam_rhosts now honors "debug" and no longer hardwire's "root" as the + superuser's name. + +* pam_securetty now honors the "debug" flag + +* trouble parsing extra spaces fixed in pam_time and pam_group + +* added Michael K. Johnson's PGP key to the pgp.keys.asc list + +* pam_end->env not being free()'d: fixed + +* manuals relocated to section 3 + +* fixed bug in pam_mail.c, and enhanced to recognize '~' as a prefix + to indicate the $HOME of the user (courtesy David + Kinchlea). *Changed* from a "session" module to an "auth" + module. It cannot be used to authenticate a user, but it can be used + in setting credentials. + +* fixed a stupid bug in pam_warn.. Only PAM_SERVICE was being read :*( + +* pam_radius rewritten to exclusively make use of libpwdb. (minor fix + to Makefile for cleaning up - AGM) + +* pam_limits extended to limit the total number of logins on a system + at any given time. + +* libpam and libpam_misc use $(MAJOR_REL) and $(MINOR_REL) to set their + version numbers [defined in top level makefile] + +* bugfix in sed command in defs/redhat.defs (AGM's fault) + +* The following was related to a possibility of buffer overruns in + the syslogging code: removed fixed length array from syslogging + function in the following modules [capitalized the log identifier + so the sysadmin can "know" these are fixed on the local system], + + pam_ftp, pam_stress, pam_rootok, pam_securetty, + pam_listfile, pam_shells, pam_warn, pam_lastlog + and + pam_unix_passwd (where it was definitely _not_ exploitable) + +0.55: Sat Jan 4 14:43:02 PST 1997, Andrew Morgan <morgan@parc.power.net> + +* added "requisite" control_flag to /etc/pam.conf syntax. [See + Sys. Admin. Guide for explanation] changes to pam_handlers.c + +* completely new handling of garbled pam.conf lines. The modus + operandi now is to assume that any errors in the line are minor. 
+ Errors of this sort should *most definitely* lead to the module + failing, however, just ignoring the line (as was the case + previously) can lead to gaping security holes(! Not foreseen by the + RFC). The "motivation" for the RFC's comments about ignoring garbled + lines is present in spirit in the new code: basically a garbled line + is treated like an instance of the pam_deny.so module. + changes to pam_handlers.c and pam_dispatch.c . + +* patched libpam, to (a) call _pam_init_handlers from pam_start() and + (b) to log a text error if there are no modules defined for a given + service when a call to a module is requested. [pam_start() and + pam_dispatch() were changed]. + +* patched pam_securetty to deal with "/dev/" prefix on PAM_TTY item. + +* reorganized the modules/Makefile to include *ALL* modules. It is now + the responsibility of the modules themselves to test whether they can + be compiled locally or not. + +* modified pam_group to add to the getgroups() list rather than overwrite + it. [In the case of "HAVE_LIBPWDB" we use the pwdb_..() calls to + translate the group names.]. Module now pays attention to + PAM_CRED_.. flag(!) + +* identified and removed bugs in field reading code of pam_time and + (thus) pam_group. + +* Cristian's patches to pam_listfile module, corresponding change to + documentation. + +* I've discovered &ero; for sgml! + Added pam_time documentation to the admin guide. + +* added manual pages: pam.8, pam_start.2(=pam_end.2), + pam_authenticate.2, pam_setcred.2, pam_strerror.2, + pam_open_session.2(=pam_close_session.2) and pam_chauthtok.2 . + +* added new modules: + + - pam_mail (tells the user if they have any new mail + and sets their MAIL env variable) + - pam_lastlog (reports on the last time this user called + this module) + +* new module hooks provided. + +* added a timeout feature to the conversation function in + libpam_misc. Documented it in the application developers' guide. 
+ +* fixed bug in pam_misc_paste_env() function.. + +* slight modifications to wheel and rhosts writeup. + +* more security issues added to module and application guides. + +-- +Things present but not mentioned in previous release (sorry) + +* pam_pwdb module now resets the "last_change" entry before updating a + password. +-- + +Sat Nov 30 19:30:20 PST 1996, Andrew Morgan <morgan@parc.power.net> + +* added environment handling to libpam. involved change to _pam_types.h + also added supplementary functions to libpam_misc + +* added pam_radius - Cristian + +* slight speed up for pam_rhosts + +* significantly enhanced sys-admin documentation (8 p -> 41 p in + PostScript). Added to other documentation too. Mostly the changes + in the other docs concern the new PAM-environment support, there is + also some coverage of libpam_misc in the App. Developers' guide. + +* Cristian's patches to pam_limits and pam_pwdb. Fixing bugs. (MORE added) + +* adopted Cristian's _pam_macros.h file to help with common macros and + debugging stuff, gone through tree tidying up debugging lines to use + this [not complete]. + + - for consistency replaced DROP() with _pam_drop() + +* commented memory debugging in top level makefile + +* added the following modules + + - pam_warn log information to syslog(3) about service application + - pam_ftp if user is 'ftp' then set PAM_RUSER/PAM_RHOST with password + (comment about nologin added to last release's notes) + +* modified the pam_listfile module. It now declares a meaningful static + structure name. + +Sun Nov 10 13:26:39 PST 1996, Andrew Morgan <morgan@parc.power.net> + + **PLEASE *RE*AMEND YOUR PERSONAL LINKS** + + -------> http://parc.power.net/morgan/Linux-PAM/index.html <------- + + **PLEASE *RE*AMEND YOUR PERSONAL LINKS** + +A brief summary of what has changed: + +* many modules have been modified to accomodate fixing the pam_get_user() + change. Please take note if you have a module in this distribution. 
+ +* pam_unix is now the pam_unix that Red Hat has been using and which + should be fairly well debugged. + + - I've added some #ifdef's to make it compile for me, and also + updated it with respect to the libpam-0.53, so have a look at the + .../modules/pam_unix/Makefile to enable cracklib and shadow features + + ** BECAUSE OF THIS, I cannot guarantee this code works as it ** + ** did for Red Hat. Please test and report any problems. ** + +* the pam_unix of .52 (renamed to pam_pwdb) has been enhanced and made + more flexible with by implementing it with respect to the new + "Password Database Library" see + + http://parc.power.net/morgan/libpwdb/index.html + + modules included in this release that require this library to + function are the following: + + - pam_pwdb (ne pam_unix-0.52 + some enhancements) + - pam_wheel + - pam_limits + - pam_nologin + +* Added some optional code for memory debugging. In order to support + this you have to enable MEMORY_DEBUG in the top level makefile and + also #define MEMORY_DEBUG in your applications when they are compiled. + The extra code resides in libpam (compiled if MEMORY_DEBUG is defined) + and the macros for malloc etc. are to be found at the end of + _pam_types.h + +* used above code to locate two memory leaks in pam_unix module and two + in libpam (pam_handlers.h) + +* pam_get_user() now sets the PAM_USER item. After reading the Sun + manual page again, it was clear that it should do this. Various + modules have been assuming this and now I have modified most of them + to account for this change. Additionally, pam_get_user() is now + located in the module include file; modules are supposed to be the + ones that use it(!) [Note, this is explicitly contrary to the Sun + manual page, but in the spirit of the Linux distribution to date.] + +* replaced -D"LINUX" with -D"LINUX_PAM" as this is more explicit and less + likely to be confused with -D"linux". 
+ Also, modified the libpam #include files to behave more like the Sun + ones #ifndef LINUX_PAM. + +* removed <bf/ .. / from documentation titles. This was not giving + politically correct html.. + +----- My vvvvvvvvvvvvvvvvvvv was a long time ago ;*] ----- + +Wed Sep 4 23:57:19 PDT 1996 (Andrew Morgan <morgan@physics.ucla.edu> + +0. Before I begin, Linux-PAM has a new primary distribution site (kindly +donated by Power Net Inc., Los Angeles) + + **PLEASE AMMEND YOUR PERSONAL LINKS** + + -------> http://www.power.net/morgan/Linux-PAM <------- + + **PLEASE AMMEND YOUR PERSONAL LINKS** + +1. I'm hoping to make the next release a bug-fix release... So please find + all the bugs(! ;^) + +2. here are the changes for .52: + +* minor changes to module documentation [Incidently, it is now + available on-line from the WWW page above]. More changes to follow in + the next two releases. PLEASE EMAIL me or the list if there is + anything that isn't clear! + +* completely changed the unix module. Now a single module for all four + management groups (this meant that I could define all functions as + static that were not part of the pam_sm_... scheme. AGM) + + - Shadow support added +PASSWD - Elliot's account management included, and enhanced by Cristian Gafton. + - MD5 password support added by Cristian Gafton. + - maxtries for authentication now enforced. + - Password changing function in pam_unix now works! + Although obviously, I'm not going to *guarantee* it ;^) . + - stole Marek's locking code from the Red Hat unix module. + [ If you like you can #ifdef it in or out ... ] + + You can configure the module more from its Makefile in + 0.52/modules/pam_unix/ + + If you are nervous that it will destroy your /etc/passwd or shadow + files then EDIT the 0.52/modules/pam_unix/pam_unix_pass.-c file. + Here is the warning comment from this file... 
+ +-------------8<----------------- +/* <WARNING> + * + * Uncomment the following #define if you are paranoid, and do not + * want to risk losing your /etc/passwd or shadow files. + * It works for me (AGM) but there are no guarantees. + * + * </WARNING> + */ +/* #define TMP__FILE */ +------------->8----------------- + + *** If anyone has any trouble, please *say*. Your problem will be + fixed in the next release. Also please feel free to scour the + code for race conditions etc... + +[* The above change requires that you purge your /usr/lib/security + directory of the old pam_unix_XXX.so modules: they will NOT be deleted + with a 'make remove'.] + +* the prototype for the cleanup function supplied to pam_set_data used + to return "int". According to Sun it should be "void". CHANGED. + +* added some definitions for the 'error_status' mask values that are + passed to the cleanup function associated with each + module-data-item. These numbers were needed to keep up with changing + a data item (see for example the code in pam_unix/support.-c that + manages the maximum number of retries so far). Will see what Sun says + (current indications are positive); this may be undone before 1.0 is + released. Here are the definitions (from pam_modules.h). + +#define PAM_DATA_SILENT 0x40000000 /* used to suppress messages... */ +#define PAM_DATA_REPLACE 0x20000000 /* used when replacing a data item */ + +* Changed the .../conf/pam.conf file. It now points to the new + pam_unix module for 'su' and 'passwd' [can get these as SimpleApps -- + I use them for testing. A more extensive selection of applications is + available from Red Hat...] + +* corrected a bug in pam_dispatch. Basically, the problem was that if + all the modules were "sufficient" then the return value for this + function was never set. The net effect was that _pam_dispatch_aux + returned success when all the sufficient modules failed. 
:^( I think + this is the correct fix to a problem that the Red Hat folks had + found... + +sopwith* Removed advisory locking from libpam (thanks for the POSIX patch + goes to Josh Wilmes's, my apologies for not using it in the + end.). Advisory locking did not seem sufficiently secure for libpam. + Thanks to Werner Almesberger for identifying the corresponding "denial + of service attack". :*( + +* related to fix, have introduced a lock file /var/lock/subsys/PAM + that can be used to indicate the system should pay attention to + advisory locking on /etc/pam.conf file. To implement this you need to + define PAM_LOCKING though. (see .52/libpam) + +* modified pam_fail_delay() function. Couldn't find the "not working" + problem indicated by Michael, but modified it to do pseudo-random + delays based on the values indicated by pam_fail_delay() -- the + function "that may eventually go away"... Although Sun is warming to + the idea. + +* new modules include: + + pam_shells - authentication for users with a shell listed in + /etc/shells. Erik Troan <ewt@redhat.com> + + pam_listfile - authentication based on the contents of files. + Set to be more general than the above in the + future. UNTESTED. Elliot Lee <@redhat.com> + [Note, this module compiles with a non-trivial + warning: AGM] + +Thu Aug 8 22:32:15 PDT 1996 (Andrew Morgan <morgan@physics.ucla.edu>) + +* modified makefiles to take more of their installation instructions + from the top level makefile. Desired for integration into the Debian + distribution, and generally a good idea. + +* fixed memory arithmetic in pam_handlers + -- still need to track down why failure to load modules can lead to + authentication succeding.. 
+ +* added tags for new modules (smartcards from Alex -- just a promise + at this stage) and a new module from Elliot Lee; pam_securetty + +* I have not had time to smooth out the wrinkles with it, but Alex's + pam_unix modifications are provided in pam_unix-alex (in the modules + directory) they will not be compiled by 'make all' and I can't even + say if they do compile... I will try to look at them for .52 but, in + the mean time please feel free to study/fix/discuss what is there. + +* pam_rhosts module. Removed code for manually setting the ruser + etc. This was not very secure. + +* [remade .ps docs to be in letter format -- my printer complains + about a4] + +Sunday July, 7 12:45:00 PST 1996 (Andrew Morgan <morgan@physics.ucla.edu>) + +* No longer accompanying the Linux-PAM release with apps installed. + [Will provide what was here in a separate package.. (soon) +lib Also see http://www.redhat.com/pam for some more (in .rpm form...)] + +* renamed libmisc to libpam_misc. It is currently configured to only compile + the static library. For some strange reason (perhaps someone can + investigate) my Linux 2.0.0 kernel with RedHat 3.0.3 system + segfaults when I compile it to be a dynamic library. The segfault + seems to be inside the call to the ** dl_XXX ** function...!? + + There is a simple flag in the libpam_misc/Makefile to turn on dynamic + compiles. + +* Added a little unofficial code for delay support in libpam (will probably + disappear later..) There is some documentation for it in the pam_modules + doc now. That will obviously go too. + +* rewritten pam_time to use *logic* to specify the stringing together of + users/times/terminals etc.. (what was there before was superficially + logical but basically un-predictable!) + +* added pam_group. Its syntax is almost identical to pam_time but it + has another field added; a list of groups to make the user a member + of if they pass the previous tests. 
It seems to not co-exist too well + with the groups in the /etc/group but I hope to have that fixed by + the next release... + +* minor re-formatting of pam_modules documentation + +* removed ...// since it wasn't being used and didn't look like it + would be! + +GCCSunday 23 22:35:00 PST 1996 (Andrew Morgan <morgan@physics.ucla.edu>) + +* The major change is the addition of a new module: pam_time for + restricting access on terminals at given times for indicated users + it comes with its own configuration file /etc/security/time.conf + and the sample file simply restricts 'you' from satisfying the blank + application if they try to use blank from any tty* + +* Small changes include +- altered pam.conf to demonstrate above new module (try typing username: you) +- very minor changes to the docs (pam_appl and pam_modules) + +Saturday June 2 01:40:00 PST 1996 (Andrew Morgan <morgan@physics.ucla.edu>) + +*** PLEASE READ THE README, it has changed *** + +* NOTE, 'su' exhibits a "system error", when static linking is + used. This is because the pam_unix_... module currently only has + partial static linking support. This is likely to change on Monday + June 3, when Alex makes his latest version availible. I will include + the updated module in next release. + +changes for .42: + +* modified the way in which libpam/pam_modules.h defines prototypes for + the pam_sm_ functions. Now the module must declare which functions it + is to provide *before* the #include <security/pam_modules.h> line. + (for contrasting examples, see the pam_deny and pam_rootok modules) + This removed the ugly hack of defining functions that are never called + to overcome warnings... This seems much tidier. +insterted* updated the TODO list. (changed mailing list address) +* updated README in .../modules to reflect modifications to static + compliation protocol +* modified the pam_modules documentation to describe this. +* corrected last argument of pam_get_item( ... 
) in + pam_appl/modules.sgml, to "const void **". +* altered GNU GPL's in the documentation, and various other parts of + the distribution. *Please check* that any code you are responsible for + is corrected. +* Added ./Copyright (please check that it is acceptable) +* updated ./README to make current and indicate the new mailing list + address +* have completely rewritten pam_filter. It now runs modular filter + executables (stored in /usr/sbin/pam_filter/) This should make it + trivial for others to write their own filters.. If you want yours + included in the distribution please email the list/me. +* changes to libpam; there was a silly bug with multiple arguments on a + pam.conf line that was broken with a '\<LF>'. +* 'su' rearranged code (to make better use of PAM) + *Also* now uses POSIX signals--this should help the Alpha port. +* 'passwd' now uses getlogin() to determine who's passwords to change. + +Sunday May 26 9:00:00 PST 1996 (Andrew Morgan <morgan@physics.ucla.edu>) + +* fixed module makefiles to create needed dynamic/static subdirectories + +Saturday May 25 20:30:27.8 PST 1996 (Andrew Morgan <morgan@physics.ucla.edu>) + +* LOTS has changed regarding how the modules/libpam are built. +* Michael's mostly complete changes for static support--see below + (Andrew got a little carried away and automated the static linking + of modules---bugs are likely mine ;( ) +* Thanks mostly to Michael, libpam now compiles without a single warning :^] +* made static modules/library optional. +CFLAGS* added 'make sterile' to top level makefile. This does extraclean and remove +* added Michael and Joseph to documentation credits (and a subsection for + future documentation of static module support in pam_modules.sgml) +* libpam; many changes to makefiles and also automated the inclusion of + static module objects in pam_static.c +* modified modules for automated static/dynamic support. 
Added static & + dynamic subdirectories, as instructed by Michael +* removed an annoying syslog message from pam_filter: "parent exited.." +* updated todo list (anyone know anything about svgalib/X? we probably should + have some support for these...) + +Friday May 24 16:30:15 EDT 1996 (Michael K. Johnson <johnsonm@redhat.com>) + +* Added first (incomplete) cut at static support. + This includes: + . changes in libpam, including a new file, pam_static.c + . changes to modules including exporting struct of function pointers + . static and dynamic linking can be combined + . right now, the only working combinations are just dynamic + linking and dynamic libpam.so with static modules linked + into libpam.so. That's on the list of things to fix... + . modules are built differently depending on whether they + are static or dynamic. Therefore, there are two directories + under each module directory, one for static, and one for + dynamic modules. +* Fixed random brokenness in the Makefiles. [ foo -nt bar ] is + rather redundant in a makefile, for instance. Also, passing + on the command line is broken because it cannot be + overridden in any way (even adding important parts) in lower-level + makefiles. +* Unfortunately, fixing some of the brokenness meant that I used + GNU-specific stuff. However, I *think* that there was GNU-specific + stuff already. And I think that we should just use the GNU + extensions, because any platform that GNU make doesn't port to + easily will be hard to port to anyway. It also won't be likely +passwd to handle autoconf, which was Ted's suggestion for getting + around limitations in standard make... + For now, I suggest that we just use some simple GNU-specific + extensions. + +Monday May 20 22:00:00 PST 1996 (Andrew Morgan <morgan@physics.ucla.edu>) + +* added some text to pam_modules.sgml +* corrected Marek's name in all documentation +* made pam_stress conform to chauthtok conventions -- ie can now request + old password before proceeding. 
+* included Alex's latest unix module +* included Al's + password strength checking module +* included pam_rootok module +* fixed too many bugs in libpam.. all subtly related to the argument lists + or use of syslog. Added more debugging lines here too. +* fixed the pam.conf file +* deleted pam_test module. It is pretty old and basically superceeded + by pam_stress + +Friday May 9 1:00:00 PST 1996 (Andrew Morgan <morgan@physics.ucla.edu>) + +* updated documentaion, added Al Longyear to credits and corrected the + spelling of Jeff's name(!). Most changes to pam.sgml (even added a figure!) +* new module pam_rhosts_auth (from Al Longyear) +* new apps rlogind and ftpd (a patch) from Al. +* modified 'passwd' to not call pam_authenticate (note, none of the + modules respect this convention yet!) +* fixed bug in libpam that caused trouble if the last line of a + pam.conf file ends with a module name and no newline character +* also made more compatable with documentation, in that bad lines in + pam.conf are now ignored rather than causing libpam to return an + error to the app. +* libpam now overwrites the AUTHTOKs when returning from + pam_authenticate and pam_chauthtok calls (as per Sun/RFC too) +* libpam is now installed as libpam.so.XXX in a way that ldconfig can + handle! + + +Wednesday May 1 22:00:00 PST 1996 (Andrew Morgan <morgan@physics.ucla.edu>) + +* removed .../test directory, use .../examples from now on. +* added .../apps directory for fully functional applications + - the apps directory contains directories that actually contain the apps. + the idea is to make application compilation conditional on the presence + of the directory. Note, there are entries in the Makefile for + 'login' and 'ftpd' that are ready for installation... Email me if + you want to reserve a directory name for an application you are + working on... +* similar changes to .../modules makefile [entries for pam_skey and + pam_kerberos created---awaiting the directories.] 
Email me if you + want to register another module... +* minor changes to docs.. Not really worth reprinting them quite yet! + [save the trees] +* added misc_conv to libmisc. it is a generic conversation function + for text based applications. [would be nice to see someone create + an Xlib and/or svgalib version] +* fixed ctrl-z/c bug with pam_filter module [try xsh with the default + pam.conf file] +* added 'required' argument to 'pam_stress' module. +* added a TODO list... other suggestions to the list please. + +Saturday April 7 00:00:00 PST 1996 ( Andrew Morgan <morgan@physics.ucla.edu> ) + +* Alex and Marek please note I have altered _pam_auth_unix a little, to + make it get the passwords with the "proper method" (and also fixed it + to not have as many compiler warnings) +* updated the conf/pam.conf file +* added new example application examples/xsh.c (like blank but invokes + /bin/sh) +* Marc's patches for examples/blank.c (and AGM's too) +* fixed stacking of modules in libpam/pam_handlers.c +* fixed RESETing in libpam/pam_item.c +* added new module modules/pam_filter/ to demonstrate the possibility + of inserting an arbitrary filter between the terminal and the + application that could do customized logging etc... (see use of + bin/xsh as defined in conf/pam.conf) + + +Saturday March 16 19:00:00 PST 1996 ( Andrew Morgan <morgan@physics.ucla.edu> ) + +These notes are for 0.3 I don't think I've left anything important +out, but I will use emacs 'C-x v a' next time! (Thanks Jeff) + + * not much has changed with the functionality of the Linux-PAM lib + .../libpam + - pam_password calls module twice with different arguments + - added const to some of the function arguments + - added PAM_MAX_MES_ to <security/_pam_types.h> + - was a lot over zealous about purging old passwords... + I have removed much of this from source to make it + more compatible with SUN. + - moved some PAM_... 
tokens to pam_modules.h from _pam_types.h + (no-one should notice) + + * added three modules: pam_permit pam_deny pam_stress + no prizes for guessing what the first two do. The third is + a reasonably complete (functional) module. Is intended for testing + applications with. + + * fixed a few pieces of examples/blank.c so that it works (with + pam_stress) + + * ammended the documentation. Looking better, but suggestions/comments + very welcome! + +Sunday March 10 10:50:00 PST 1996 ( Andrew Morgan <morgan@physics.ucla.edu> ) + +These notes are for Linux-PAM release 0.21. They cover what's changed +since I relased 0.2. + + * am now using RCS + * substantially changed ./README + * fixed bug reading \\\n in pam.conf file + * small changes to documentation + * added `blank' application to ./examples (could be viewed as + a `Linux-PAM aware' application template.) + * oops. now including pam_passwd.o and pam_session.o in pamlib.so + * compute md5 checksums for all the source when making a release + - added `make check' and `make RCScheck' to compute md5 checksums + * create a second tar file with all the RCS files in. + * removed the .html and .txt docs, supplying sgml sources instead. + - see README for info on where to get .ps files + +Thursday March 6 0:44:?? PST 1996 ( Andrew Morgan <morgan@physics.ucla.edu> ) + +These notes are for Linux-PAM release 0.2. They cover what's changed +since Marc Ewing relased 0.1. + +**** Please note. All of the directories in this release have been modified +**** slightly to conform to the new pamlib. A couple of new directories have +**** been added. As well as some documentation. If some of your code +**** was in the previous release. Feel free to update it, but please +**** try to conform to the new headers and Makefiles. + +* Andrew Morgan (morgan@physics.ucla.edu) is making this release + availible, Marc has been busy...! 
+ +* Marc's pam-0.1/lib has been (quietly) enhanced and integrated into + Alex Yurie's collected tree of library and module code + (linux-pam.prop.1.tar.gz). Most of the changes are to do with error + checking. Some more robustness in the reading of the pam.conf file + and the addition of the pam_get_user() function. + +* The pam_*.h files have been reorganized to logically enforce the + separation of modules from applications. [Don't panic! Apart from + changing references of the form + + #include "pam_appl.h" + + to + + #include <security/pam_appl.h> + + The reorganization should be backwardly compatable (ie. a module + written for SUN will be as compatable as it was before with the + previous version ;)~ ] + + (All of the source in this tree now conforms to this scheme...) + + The new reorganization means that modules can be compiled with a + single header, <security/pam_modules.h>, and applications with + <security/pam_appl.h>. + +* I have tried to remove all the compiler warnings from the updated + "pamlib/*.c" files. On my system, (with a slightly modified <dlfcn.h> + email me if it interests you..) there are only two warnings that + remain: they are that ansi does not permit void --> fn ptr + assignment. K&Rv2 doesn't mention this....? As a matter of principle, + if anyone knows how to get rid of that warning... please + tell. Thanks! "-pedantic" + +* you can "make all" as a plain user, but + +* to "make install" you must be root. The include files are placed in + /usr/include/security. The libpam.so library is installed in /usr/lib + and the modules in /usr/lib/security. The two test binaries + are installed in the Linux-PAM-0.2/bin directory and a chance is given to + replace your /etc/pam.conf file with the one in Linux-PAM-0.2/conf. + +* I have included some documentation (pretty preliminary at the +moment) which I have been working on in .../doc . + +I have had a little trouble with the modules, but atleast there are no +segfaults! 
Please try it out and discuss your results... I actually +hope it all works for you. But, Email any bugs/suggestions to the +Linux-PAM list: linux-pam@mit.edu ..... + +Regards, + +Andrew Morgan +(morgan@physics.ucla.edu) + + +Sat Feb 17 17:30:24 EST 1996 (Alexander O. Yuriev alex@bach.cis.temple.edu) + + * conf directory created with example of pam_conf + * stable code from pam_unix is added to modules/pam_unix + * test/test.c now requests username and password and attempts + to perform authentication + diff --git a/Linux-PAM/Copyright b/Linux-PAM/Copyright new file mode 100644 index 00000000..2f27a2ee --- /dev/null +++ b/Linux-PAM/Copyright 
@@ -0,0 +1,41 @@ +Unless otherwise *explicitly* stated the following text describes the +licensed conditions under which the contents of this Linux-PAM release +may be distributed: + +------------------------------------------------------------------------- +Redistribution and use in source and binary forms of Linux-PAM, with +or without modification, are permitted provided that the following +conditions are met: + +1. Redistributions of source code must retain any existing copyright + notice, and this entire permission notice in its entirety, + including the disclaimer of warranties. + +2. Redistributions in binary form must reproduce all prior and current + copyright notices, this list of conditions, and the following + disclaimer in the documentation and/or other materials provided + with the distribution. + +3. The name of any author may not be used to endorse or promote + products derived from this software without their specific prior + written permission. + +ALTERNATIVELY, this product may be distributed under the terms of the +GNU General Public License, in which case the provisions of the GNU +GPL are required INSTEAD OF the above restrictions. (This clause is +necessary due to a potential conflict between the GNU GPL and the +restrictions contained in a BSD-style copyright.) + +THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED +WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
+IN NO EVENT SHALL THE AUTHOR(S) BE LIABLE FOR ANY DIRECT, INDIRECT, +INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, +BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS +OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND +ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR +TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE +USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH +DAMAGE. +------------------------------------------------------------------------- + diff --git a/Linux-PAM/Make.Rules.in b/Linux-PAM/Make.Rules.in new file mode 100644 index 00000000..cb537d16 --- /dev/null +++ b/Linux-PAM/Make.Rules.in 
@@ -0,0 +1,110 @@ +## +## $Id: Make.Rules.in,v 1.1.1.2 2002/09/15 20:08:19 hartmans Exp $ +## +## @configure_input@ +## + +srcdir = @srcdir@ +top_srcdir = @top_srcdir@ +VPATH = @srcdir@ +prefix = @prefix@ +exec_prefix = @exec_prefix@ + +bindir = @bindir@ +sbindir = @sbindir@ +libexecdir = @libexecdir@ +datadir = @datadir@ +sysconfdir = @sysconfdir@ +sharedstatedir = @sharedstatedir@ +localstatedir = @localstatedir@ +libdir = @libdir@ +infodir = @infodir@ +includedir = @includedir@ + +absolute_srcdir = @LOCALSRCDIR@ +absolute_objdir = @LOCALOBJDIR@ + +# major and minor numbers of this release +MAJOR_REL=@LIBPAM_VERSION_MAJOR@ +MINOR_REL=@LIBPAM_VERSION_MINOR@ + +# The following is the generic set of compiler options for compiling +# Linux-PAM. True, they are a little anal. Pay attention to the comments +# they generate. + +HEADER_DIRS=-I./include -I$(absolute_srcdir)/libpam/include \ + -I$(absolute_objdir) -I$(absolute_srcdir)/libpamc/include +WARNINGS=@WARNINGS@ +OS_CFLAGS=@OS_CFLAGS@ +PIC=@PIC@ + +# Mode to install shared libraries with +SHLIBMODE=@SHLIBMODE@ + +NEED_LINK_LIB_C=@PAM_NEEDS_LIBC@ +HAVE_LCKPWDF=@HAVE_LCKPWDF@ +HAVE_LIBCRACK=@HAVE_LIBCRACK@ +HAVE_LIBCRYPT=@HAVE_LIBCRYPT@ +HAVE_LIBUTIL=@HAVE_LIBUTIL@ +HAVE_NDBM_H=@HAVE_NDBM_H@ +HAVE_LIBNDBM=@HAVE_LIBNDBM@ +HAVE_LIBDB=@HAVE_LIBDB@ +HAVE_LIBFL=@HAVE_LIBFL@ +HAVE_LIBNSL=@HAVE_LIBNSL@ +HAVE_LIBPWDB=@HAVE_LIBPWDB@ + +ifeq (@HAVE_LIBFLEX@,yes) +LINK_LIBLEX=-lfl +else +ifeq (@HAVE_LIBLEX@,yes) +LINK_LIBLEX=-ll +endif +endif + +# documentation support +HAVE_SGML2TXT=@HAVE_SGML2TXT@ +HAVE_SGML2HTML=@HAVE_SGML2HTML@ +HAVE_PS2PDF=@HAVE_PS2PDF@ +PSER=@PSER@ +DOCDIR=@DOCDIR@ +MANDIR=@MANDIR@ + +# configuration settings +WITH_DEBUG=@WITH_DEBUG@ +WITH_MEMORY_DEBUG=@WITH_MEMORY_DEBUG@ +WITH_LIBDEBUG=@WITH_LIBDEBUG@ +WITH_PAMLOCKING=@WITH_PAMLOCKING@ +WITH_LCKPWDF=@WITH_LCKPWDF@ +STATIC_LIBPAM=@STATIC_LIBPAM@ +DYNAMIC_LIBPAM=@DYNAMIC_LIBPAM@ +STATIC=@STATIC@ +DYNAMIC=@DYNAMIC@ + +# Location of libraries when installed 
on the system +FAKEROOT=@FAKEROOT@ +SECUREDIR=@SECUREDIR@ +SCONFIGD=@SCONFIGDIR@ +SUPLEMENTED=@SUPLEMENTED@ +INCLUDED=@INCLUDEDIR@/security +CRACKLIB_DICTPATH=@CRACKLIB_DICTPATH@ + +# generic build setup +OS=@OS@ +CC=@CC@ +CFLAGS=$(WARNINGS) -D$(OS) $(OS_CFLAGS) $(HEADER_DIRS) @CONF_CFLAGS@ +LD=@LD@ +LD_D=@LD_D@ +LD_L=@LD_L@ +LDCONFIG=@LDCONFIG@ +DYNTYPE=@DYNTYPE@ +USESONAME=@USESONAME@ +NEEDSONAME=@NEEDSONAME@ +SOSWITCH=@SOSWITCH@ +LIBDL=@LIBDL@ +MKDIR=@MKDIR@ +INSTALL=@INSTALL@ +RANLIB=@RANLIB@ +STRIP=@STRIP@ +CC_STATIC=@CC_STATIC@ + +LINKLIBS = $(NEED_LINK_LIB_C) $(LIBDL) diff --git a/Linux-PAM/Makefile b/Linux-PAM/Makefile new file mode 100644 index 00000000..cdc8505a --- /dev/null +++ b/Linux-PAM/Makefile 
@@ -0,0 +1,78 @@ +## +## $Id: Makefile,v 1.1.1.2 2002/09/15 20:08:19 hartmans Exp $ +## + +## Note, ideally I would prefer it if this top level makefile did +## not get created by autoconf. As I find typing 'make' and relying +## on it to take care of all dependencies much more friendly than +## the multi-stage autoconf+make and also worry about updates to +## configure.in not getting propagated down the tree. (AGM) [I realise +## that this may not prove possible, but at least I tried.. Sigh.] + +DISTNAME=Linux-PAM + +ifeq ($(shell test \! -f Make.Rules || echo yes),yes) + include Make.Rules +endif + +THINGSTOMAKE = modules libpam libpamc libpam_misc doc examples + +all: $(THINGSTOMAKE) + +prep: + rm -f security + ln -sf . security + +clean: + if [ ! -f Make.Rules ]; then touch Make.Rules ; fi + for i in $(THINGSTOMAKE) ; do $(MAKE) -C $$i clean ; done + rm -f security *~ *.orig *.rej Make.Rules #*# + +distclean: clean + rm -f Make.Rules _pam_aconf.h + rm -f config.status config.cache config.log core + +maintainer-clean: distclean + @echo files should be ok for packaging now. + +# NB _pam_aconf.h.in changes will remake this too +Make.Rules: configure Make.Rules.in _pam_aconf.h.in + @echo XXX - not sure how to preserve past configure options.. + @echo XXX - so not attempting to. Feel free to run ./configure + @echo XXX - by hand, with the options you want. + ./configure + +_pam_aconf.h: Make.Rules + +configure: configure.in + @echo + @echo You do not appear to have an up-to-date ./configure file. + @echo Please run autoconf, and then ./configure [..options..] 
+ @echo + @rm -f configure + @exit 1 + +$(THINGSTOMAKE): _pam_aconf.h prep + $(MAKE) -C $@ all + +install: _pam_aconf.h prep + $(MKDIR) $(FAKEROOT)$(INCLUDED) + $(INSTALL) -m 444 security/_pam_aconf.h $(FAKEROOT)$(INCLUDED) + for x in $(THINGSTOMAKE) ; do $(MAKE) -C $$x install ; done + +remove: + rm -f $(FAKEROOT)$(INCLUDED)/_pam_aconf.h + for x in $(THINGSTOMAKE) ; do $(MAKE) -C $$x remove ; done + +release: + @if [ ! -f Make.Rules ]; then echo $(MAKE) Make.Rules first ;exit 1 ;fi + @if [ ! -L ../$(DISTNAME)-$(MAJOR_REL).$(MINOR_REL) ]; then \ + echo generating ../$(DISTNAME)-$(MAJOR_REL).$(MINOR_REL) link ; \ + ln -sf $(DISTNAME) ../$(DISTNAME)-$(MAJOR_REL).$(MINOR_REL) ; \ + echo to ../$(DISTNAME) . ; fi + @diff ../$(DISTNAME)-$(MAJOR_REL).$(MINOR_REL)/Make.Rules Make.Rules + $(MAKE) distclean + cd .. ; tar zvfc $(DISTNAME)-$(MAJOR_REL).$(MINOR_REL).tar.gz \ + --exclude CVS --exclude .cvsignore --exclude '.#*' \ + $(DISTNAME)-$(MAJOR_REL).$(MINOR_REL)/* + diff --git a/Linux-PAM/README b/Linux-PAM/README new file mode 100644 index 00000000..8aab912a --- /dev/null +++ b/Linux-PAM/README @@ -0,0 +1,28 @@ +# +# $Id: README,v 1.1.1.1 2001/04/29 04:16:21 hartmans Exp $ +# + +Hello! + +Thanks for downloading Linux-PAM. + +NOTES: + +How to use it is as follows: + + ./configure --help | less + ./configure <your-options> + make + +Note, if you are worried - don't even think about doing the next line +(most Linux distributions already support PAM out of the box, so if +something goes wrong with installing the code from this version your +box may stop working..) + + make install + +That said, please report problems to me. + +Andrew Morgan +<morgan@kernel.org> +<agmorgan@users.sourceforge.net> diff --git a/Linux-PAM/_pam_aconf.h.in b/Linux-PAM/_pam_aconf.h.in new file mode 100644 index 00000000..14c6f9fd --- /dev/null +++ b/Linux-PAM/_pam_aconf.h.in 
@@ -0,0 +1,99 @@ +/* + * $Id: _pam_aconf.h.in,v 1.1.1.2 2002/09/15 20:08:20 hartmans Exp $ + * + * + */ + +#ifndef PAM_ACONF_H +#define PAM_ACONF_H + +/* lots of stuff gets written to /tmp/pam-debug.log */ +#undef DEBUG + +/* build libraries with different names (suffixed with 'd') */ +#undef WITH_LIBDEBUG + +/* provide a global locking facility within libpam */ +#undef PAM_LOCKING + +/* GNU systems as a class, all have the feature.h file */ +#undef HAVE_FEATURES_H +#ifdef HAVE_FEATURES_H +# define _SVID_SOURCE +# define _BSD_SOURCE +# define __USE_BSD +# define __USE_SVID +# define __USE_MISC +# define _GNU_SOURCE +# include <features.h> +#endif /* HAVE_FEATURES_H */ + +/* we have libcrack available */ +#undef HAVE_LIBCRACK + +/* we have libcrypt - its not part of libc (do we need both definitions?) */ +#undef HAVE_LIBCRYPT +#undef HAVE_CRYPT_H + +/* we have libndbm and/or libdb */ +#undef HAVE_DB_H +#undef HAVE_NDBM_H + +/* have libfl (Flex) */ +#undef HAVE_LIBFL + +/* have libnsl - instead of libc support */ +#undef HAVE_LIBNSL + +/* have libpwdb - don't expect this to be important for much longer */ +#undef HAVE_LIBPWDB + +/* have gethostname() declared */ +#undef HAVE_GETHOSTNAME + +#undef HAVE_GETTIMEOFDAY +#undef HAVE_MKDIR +#undef HAVE_SELECT +#undef HAVE_STRCSPN +#undef HAVE_STRDUP +#undef HAVE_STRERROR +#undef HAVE_STRSPN +#undef HAVE_STRSTR +#undef HAVE_STRTOL +#undef HAVE_UNAME + +/* Define if reentrant declarations of standard nss functions are available */ +#undef HAVE_GETPWNAM_R +#undef HAVE_GETGRNAM_R + +/* ugly hack to partially support old pam_strerror syntax */ +#undef UGLY_HACK_FOR_PRIOR_BEHAVIOR_SUPPORT + +/* read both confs - read /etc/pam.d and /etc/pam.conf in serial */ +#undef PAM_READ_BOTH_CONFS + +#undef HAVE_PATHS_H +#ifdef HAVE_PATHS_H +#include <paths.h> +#endif +/* location of the mail spool directory */ +#undef PAM_PATH_MAILDIR + +/* where should we include setfsuid's prototype from? 
If this is not + defined, we get it from unistd.h */ +#undef HAVE_SYS_FSUID_H + +/* track all memory allocations and liberations */ +#undef MEMORY_DEBUG +#ifdef MEMORY_DEBUG +/* + * this is basically a hack - we need to include a semiarbitrary + * number of headers to ensure that we don't get silly prototype/macro + * confusion. + */ +# include <string.h> +# include <stdlib.h> +# include <security/pam_malloc.h> +#endif /* MEMORY_DEBUG */ + +#endif /* PAM_ACONF_H */ diff --git a/Linux-PAM/bin/README b/Linux-PAM/bin/README new file mode 100644 index 00000000..427a871a --- /dev/null +++ b/Linux-PAM/bin/README @@ -0,0 +1,30 @@ +## +# $Id: README,v 1.1.1.1 2001/04/29 04:16:25 hartmans Exp $ +## + +(now we are getting networked apps, be careful to try and test on a +securely isolated system!) + +N=2 <-- blank xsh + +Following a 'make install' (which should be done as root) in the +parent directory this directory will contain $N binaries. The source +for these programs is in ../examples. They are various short programs +to use and otherwise test-drive the Linux-PAM libraries/modules with. + +These programs grant no privileges, but they give an idea of how well +the modules are working. + +blank is new as of Linux-PAM-0.21. If you are writing/modifying an +application it might be a place to start... + +xsh is new as of Linux-PAM-0.31, it is identical to blank, but invokes +/bin/sh if the user is authenticated. + +[other apps are to be found in SimplePAMApps and many more on Red +Hat's server.. http://www.redhat.com/] + +Best wishes + +Andrew +(morgan@parc.power.net) diff --git a/Linux-PAM/conf/Makefile b/Linux-PAM/conf/Makefile new file mode 100644 index 00000000..a668607b --- /dev/null +++ b/Linux-PAM/conf/Makefile 
@@ -0,0 +1,34 @@ +# +# $Id: Makefile,v 1.1.1.1 2001/04/29 04:16:25 hartmans Exp $ +# +# + +dummy: + @echo "*** This is not a top level Makefile!" + +########################################################## + +all: + $(MAKE) -C pam_conv1 all + +install: $(FAKEROOT)$(CONFIGED)/pam.conf + $(MAKE) -C pam_conv1 install + +$(FAKEROOT)$(CONFIGED)/pam.conf: ./pam.conf + bash -f ./install_conf + +remove: + rm -f $(FAKEROOT)$(CONFIGED)/pam.conf + $(MAKE) -C pam_conv1 remove + +check: + bash -f ./md5itall + +lclean: + rm -f core *~ .ignore_age + +clean: lclean + $(MAKE) -C pam_conv1 clean + +extraclean: lclean + $(MAKE) -C pam_conv1 extraclean diff --git a/Linux-PAM/conf/install b/Linux-PAM/conf/install new file mode 100755 index 00000000..2eae3671 --- /dev/null +++ b/Linux-PAM/conf/install 
@@ -0,0 +1,178 @@ +#!/bin/sh +# +# [This file was lifted from an X distribution. There was no explicit +# copyright in the file, but the following text was associated with it. +# should anyone from the X Consortium wish to alter the following +# text. Please email <morgan@parc.power.net> Thanks. ] +# +# -------------------------- +# The X Consortium maintains and distributes the X Window System and +# related software and documentation in coordinated releases. A release +# consists of two distinct parts: +# +# 1) Specifications and Sample implementations of X Consortium +# standards, and +# +# 2) software and documentation contributed by the general X Consortium +# community. +# +# The timing and contents of a release are determined by the Consortium +# staff based on the needs and desires of the Members and the advice of +# the Advisory Board, tempered by the resource constraints of the +# Consortium. +# +# Members have access to all X Consortium produced software and +# documentation prior to release to the public. Each Member can receive +# pre-releases and public releases at no charge. In addition, Members +# have access to software and documentation while it is under +# development, and can periodically request snapshots of the development +# system at no charge. +# +# The X Consortium also maintains an electronic mail system for +# reporting problems with X Consortium produced software and +# documentation. Members have access to all bug reports, as well as all +# software patches as they are incrementally developed by the Consortium +# staff between releases. +# +# In general, all materials included in X Consortium releases are +# copyrighted and contain permission notices granting unrestricted use, +# sales and redistribution rights provided that the copyrights and the +# permission notices are left intact. All materials are provided "as +# is," without express or implied warranty. 
+# -------------------------- +# +# This accepts bsd-style install arguments and makes the appropriate calls +# to the System V install. +# + +flags="" +dst="" +src="" +dostrip="" +owner="" +mode="" + +while [ x$1 != x ]; do + case $1 in + -c) shift + continue;; + + -m) flags="$flags $1 $2 " + mode="$2" + shift + shift + continue;; + + -o) flags="$flags -u $2 " + owner="$2" + shift + shift + continue;; + + -g) flags="$flags $1 $2 " + shift + shift + continue;; + + -s) dostrip="strip" + shift + continue;; + + *) if [ x$src = x ] + then + src=$1 + else + dst=$1 + fi + shift + continue;; + esac +done + +case "$mode" in +"") + ;; +*) + case "$owner" in + "") + flags="$flags -u root" + ;; + esac + ;; +esac + +if [ x$src = x ] +then + echo "$0: no input file specified" + exit 1 +fi + +if [ x$dst = x ] +then + echo "$0: no destination specified" + exit 1 +fi + + +# set up some variable to be used later + +rmcmd="" +srcdir="." + +# if the destination isn't a directory we'll need to copy it first + +if [ ! -d $dst ] +then + dstbase=`basename $dst` + cp $src /tmp/$dstbase + rmcmd="rm -f /tmp/$dstbase" + src=$dstbase + srcdir=/tmp + dst="`echo $dst | sed 's,^\(.*\)/.*$,\1,'`" + if [ x$dst = x ] + then + dst="." + fi +fi + + +# If the src file has a directory, copy it to /tmp to make install happy + +srcbase=`basename $src` + +if [ "$src" != "$srcbase" -a "$src" != "./$srcbase" ] +then + cp $src /tmp/$srcbase + src=$srcbase + srcdir=/tmp + rmcmd="rm -f /tmp/$srcbase" +fi + +# do the actual install + +if [ -f /usr/sbin/install ] +then + installcmd=/usr/sbin/install +elif [ -f /etc/install ] +then + installcmd=/etc/install +else + installcmd=install +fi + +# This rm is commented out because some people want to be able to +# install through symbolic links. Uncomment it if it offends you. +rm -f $dst/$srcbase +(cd $srcdir ; $installcmd -f $dst $flags $src) + +if [ x$dostrip = xstrip ] +then + strip $dst/$srcbase +fi + +# and clean up + +$rmcmd + +exit + 
diff --git a/Linux-PAM/conf/install_conf b/Linux-PAM/conf/install_conf new file mode 100755 index 00000000..7a2acd98 --- /dev/null +++ b/Linux-PAM/conf/install_conf @@ -0,0 +1,36 @@ +#!/bin/sh + +CONFILE="$FAKEROOT"$CONFIGED/pam.conf +IGNORE_AGE=./.ignore_age +CONF=./pam.conf + +echo + +if [ -f "$IGNORE_AGE" ]; then + echo "you don't want to be bothered with the age of your $CONFILE file" + yes="n" +elif [ ! -f "$CONFILE" ] || [ "$CONF" -nt "$CONFILE" ]; then + if [ -f "$CONFILE" ]; then + echo "\ +An older Linux-PAM configuration file already exists ($CONFILE)" + WRITE=overwrite + fi + echo -n "\ +Do you wish to copy the $CONF file in this distribution +to $CONFILE ? (y/n) [n] " + read yes +else + yes=n +fi + +if [ "$yes" = "y" ]; then + echo " copying $CONF to $CONFILE" + cp $CONF $CONFILE +else + touch "$IGNORE_AGE" + echo " Skipping $CONF installation" +fi + +echo + +exit 0 diff --git a/Linux-PAM/conf/md5itall b/Linux-PAM/conf/md5itall new file mode 100755 index 00000000..2f532b31 --- /dev/null +++ b/Linux-PAM/conf/md5itall 
@@ -0,0 +1,43 @@ +#!/bin/bash +# +# $Id: md5itall,v 1.1.1.1 2001/04/29 04:16:26 hartmans Exp $ +# +# Created by Andrew G. Morgan (morgan@parc.power.net) +# + +MD5SUM=md5sum +CHKFILE1=./.md5sum +CHKFILE2=./.md5sum-new + +which $MD5SUM > /dev/null +result=$? + +if [ -x "$MD5SUM" ] || [ $result -eq 0 ]; then + rm -f $CHKFILE2 + echo -n "computing md5 checksums." + for x in `cat ../.filelist` ; do + (cd ../.. ; $MD5SUM $x) >> $CHKFILE2 + echo -n "." + done + echo + if [ -f "$CHKFILE1" ]; then + echo "\ +---> Note, since the last \`make check', the following file(s) have changed: +===========================================================================" + diff $CHKFILE1 $CHKFILE2 + if [ $? -eq 0 ]; then + echo "\ +--------------------------- Nothing has changed ---------------------------" + fi + echo "\ +===========================================================================" + fi + rm -f "$CHKFILE1" + mv "$CHKFILE2" "$CHKFILE1" + chmod 400 "$CHKFILE1" +else + echo "\ +Please install \`$MD5SUM'. +[It is used to check the integrity of this distribution] +---> no check done." +fi diff --git a/Linux-PAM/conf/mkdirp b/Linux-PAM/conf/mkdirp new file mode 100755 index 00000000..b0e04b05 --- /dev/null +++ b/Linux-PAM/conf/mkdirp 
@@ -0,0 +1,50 @@ +#!/bin/sh +# +# this is a wrapper for difficult mkdir programs... +# + +for d in $* +do + if [ ! -d $d ]; then + mkdir -p $d + if [ $? -ne 0 ]; then exit $? ; fi + fi +done + +exit 0 + +########################################################################## +# if your mkdir does not support the -p option delete the above lines and +# use what follows: +-------------------- +#!/bin/sh + +#VERBOSE=yes +Cwd=`pwd` + +for d in $* +do + if [ "`echo $d|cut -c1`" != "/" ]; then + x=`pwd`/$d + else + x=$d + fi + x="`echo $x|sed -e 'yX/X X'`" + cd / + for s in $x + do + if [ -d $s ]; then + if [ -n "$VERBOSE" ]; then echo -n "[$s/]"; fi + cd $s + else + mkdir $s + if [ $? -ne 0 ]; then exit $? ; fi + if [ -n "$VERBOSE" ]; then echo -n "$s/"; fi + cd $s + fi + done + if [ -n "$VERBOSE" ]; then echo ; fi + cd $Cwd +done + +exit 0 diff --git a/Linux-PAM/conf/pam.conf b/Linux-PAM/conf/pam.conf new file mode 100644 index 00000000..395b7ba3 --- /dev/null +++ b/Linux-PAM/conf/pam.conf 
@@ -0,0 +1,126 @@ +# ---------------------------------------------------------------------------# +# /etc/pam.conf # +# # +# Last modified by Andrew G. Morgan <morgan@kernel.org> # +# ---------------------------------------------------------------------------# +# $Id: pam.conf,v 1.1.1.1 2001/04/29 04:16:26 hartmans Exp $ +# ---------------------------------------------------------------------------# +# serv. module ctrl module [path] ...[args..] # +# name type flag # +# ---------------------------------------------------------------------------# +# +# The PAM configuration file for the `chfn' service +# +chfn auth required pam_unix.so +chfn account required pam_unix.so +chfn password required pam_cracklib.so retry=3 +chfn password required pam_unix.so shadow md5 use_authtok +# +# The PAM configuration file for the `chsh' service +# +chsh auth required pam_unix.so +chsh account required pam_unix.so +chsh password required pam_cracklib.so retry=3 +chsh password required pam_unix.so shadow md5 use_authtok +# +# The PAM configuration file for the `ftp' service +# +ftp auth requisite pam_listfile.so \ + item=user sense=deny file=/etc/ftpusers onerr=succeed +ftp auth requisite pam_shells.so +ftp auth required pam_unix.so +ftp account required pam_unix.so +# +# The PAM configuration file for the `imap' service +# +imap auth required pam_unix.so +imap account required pam_unix.so +# +# The PAM configuration file for the `login' service +# +login auth requisite pam_securetty.so +login auth required pam_unix.so +login auth optional pam_group.so +login account requisite pam_time.so +login account required pam_unix.so +login password required pam_cracklib.so retry=3 +login password required pam_unix.so shadow md5 use_authtok +login session required pam_unix.so +# +# The PAM configuration file for the `netatalk' service +# +netatalk auth required pam_unix.so +netatalk account required pam_unix.so +# +# The PAM configuration file for the `other' service +# +other auth required 
pam_deny.so +other auth required pam_warn.so +other account required pam_deny.so +other password required pam_deny.so +other password required pam_warn.so +other session required pam_deny.so +# +# The PAM configuration file for the `passwd' service +# +passwd password requisite pam_cracklib.so retry=3 +passwd password required pam_unix.so shadow md5 use_authtok +# +# The PAM configuration file for the `rexec' service +# +rexec auth requisite pam_securetty.so +rexec auth requisite pam_nologin.so +rexec auth sufficient pam_rhosts_auth.so +rexec auth required pam_unix.so +rexec account required pam_unix.so +rexec session required pam_unix.so +rexec session required pam_limits.so +# +# The PAM configuration file for the `rlogin' service +# this application passes control to `login' if it fails +# +rlogin auth requisite pam_securetty.so +rlogin auth requisite pam_nologin.so +rlogin auth required pam_rhosts_auth.so +rlogin account required pam_unix.so +rlogin password required pam_cracklib.so retry=3 +rlogin password required pam_unix.so shadow md5 use_authtok +rlogin session required pam_unix.so +rlogin session required pam_limits.so +# +# The PAM configuration file for the `rsh' service +# +rsh auth requisite pam_securetty.so +rsh auth requisite pam_nologin.so +rsh auth sufficient pam_rhosts_auth.so +rsh auth required pam_unix.so +rsh account required pam_unix.so +rsh session required pam_unix.so +rsh session required pam_limits.so +# +# The PAM configuration file for the `samba' service +# +samba auth required pam_unix.so +samba account required pam_unix.so +# +# The PAM configuration file for the `su' service +# +su auth required pam_wheel.so +su auth sufficient pam_rootok.so +su auth required pam_unix.so +su account required pam_unix.so +su session required pam_unix.so +# +# The PAM configuration file for the `vlock' service +# +vlock auth required pam_unix.so +# +# The PAM configuration file for the `xdm' service +# +xdm auth required pam_unix.so +xdm account 
required pam_unix.so +# +# The PAM configuration file for the `xlock' service +# +xlock auth required pam_unix.so + diff --git a/Linux-PAM/conf/pam_conv1/Makefile b/Linux-PAM/conf/pam_conv1/Makefile new file mode 100644 index 00000000..f23c8aa6 --- /dev/null +++ b/Linux-PAM/conf/pam_conv1/Makefile @@ -0,0 +1,46 @@ +# +# $Id: Makefile,v 1.1.1.2 2002/09/15 20:08:22 hartmans Exp $ +# + +include ../../Make.Rules + +# +ifeq ($(OS),solaris) + +clean: + @echo not available in Solaris + +all: + @echo not available in Solaris + +install: + @echo not available in Solaris + +else + +all: pam_conv1 + +pam_conv1: pam_conv.tab.c lex.yy.c + $(CC) -o pam_conv1 pam_conv.tab.c $(LINK_LIBLEX) + +pam_conv.tab.c: pam_conv.y lex.yy.c + bison pam_conv.y + +lex.yy.c: pam_conv.lex + flex pam_conv.lex + +lclean: + rm -f core pam_conv1 lex.yy.c pam_conv.tab.c *.o *~ + rm -rf ./pam.d pam_conv.output + +clean: lclean + +install: pam_conv1 + cp -f ./pam_conv1 ../../bin + +endif + +remove: + rm -f ../../bin/pam_conv1 + +extraclean: remove clean diff --git a/Linux-PAM/conf/pam_conv1/README b/Linux-PAM/conf/pam_conv1/README new file mode 100644 index 00000000..3a750d73 --- /dev/null +++ b/Linux-PAM/conf/pam_conv1/README @@ -0,0 +1,10 @@ +$Id: README,v 1.1.1.1 2001/04/29 04:16:26 hartmans Exp $ + +This directory contains a untility to convert pam.conf files to a pam.d/ +tree. The conversion program takes pam.conf from the standard input and +creates the pam.d/ directory in the current directory. + +The program will fail if ./pam.d/ already exists. + +Andrew Morgan, February 1997 + diff --git a/Linux-PAM/conf/pam_conv1/pam_conv.lex b/Linux-PAM/conf/pam_conv1/pam_conv.lex new file mode 100644 index 00000000..addc60ae --- /dev/null +++ b/Linux-PAM/conf/pam_conv1/pam_conv.lex 
@@ -0,0 +1,42 @@ + +%{ +/* + * $Id: pam_conv.lex,v 1.1.1.1 2001/04/29 04:16:26 hartmans Exp $ + * + * Copyright (c) Andrew G. Morgan 1997 <morgan@parc.power.net> + * + * This file is covered by the Linux-PAM License (which should be + * distributed with this file.) + */ + + const static char lexid[]= + "$Id: pam_conv.lex,v 1.1.1.1 2001/04/29 04:16:26 hartmans Exp $\n" + "Copyright (c) Andrew G. Morgan 1997 <morgan@parc.power.net>\n"; + + extern int current_line; +%} + +%% + +"#"[^\n]* ; /* skip comments (sorry) */ + +"\\\n" { + ++current_line; +} + +([^\n\t ]|[\\][^\n])+ { + return TOK; +} + +[ \t]+ ; /* Ignore */ + +<<EOF>> { + return EOFILE; +} + +[\n] { + ++current_line; + return NL; +} + +%% diff --git a/Linux-PAM/conf/pam_conv1/pam_conv.y b/Linux-PAM/conf/pam_conv1/pam_conv.y new file mode 100644 index 00000000..0cbfa5f8 --- /dev/null +++ b/Linux-PAM/conf/pam_conv1/pam_conv.y 
@@ -0,0 +1,204 @@ +%{ + +/* + * $Id: pam_conv.y,v 1.1.1.2 2002/09/15 20:08:22 hartmans Exp $ + * + * Copyright (c) Andrew G. Morgan 1997 <morgan@parc.power.net> + * + * This file is covered by the Linux-PAM License (which should be + * distributed with this file.) + */ + + const static char bisonid[]= + "$Id: pam_conv.y,v 1.1.1.2 2002/09/15 20:08:22 hartmans Exp $\n" + "Copyright (c) Andrew G. Morgan 1997-8 <morgan@linux.kernel.org>\n"; + +#include <string.h> +#include <stdio.h> +#include <stdarg.h> +#include <stdlib.h> + + int current_line=1; + extern char *yytext; + +/* XXX - later we'll change this to be the specific conf file(s) */ +#define newpamf stderr + +#define PAM_D "./pam.d" +#define PAM_D_MODE 0755 +#define PAM_D_MAGIC_HEADER \ + "#%PAM-1.0\n" \ + "#[For version 1.0 syntax, the above header is optional]\n" + +#define PAM_D_FILE_FMT PAM_D "/%s" + + const char *old_to_new_ctrl_flag(const char *old); + void yyerror(const char *format, ...); +%} + +%union { + int def; + char *string; +} + +%token NL EOFILE TOK + +%type <string> tok path tokenls + +%start complete + +%% + +complete +: +| complete NL +| complete line +| complete EOFILE { + return 0; +} +; + +line +: tok tok tok path tokenls NL { + char *filename; + FILE *conf; + int i; + + /* make sure we have lower case */ + for (i=0; $1[i]; ++i) { + $1[i] = tolower($1[i]); + } + + /* $1 = service-name */ + yyerror("Appending to " PAM_D "/%s", $1); + + filename = malloc(strlen($1) + sizeof(PAM_D) + 6); + sprintf(filename, PAM_D_FILE_FMT, $1); + conf = fopen(filename, "r"); + if (conf == NULL) { + /* new file */ + conf = fopen(filename, "w"); + if (conf != NULL) { + fprintf(conf, PAM_D_MAGIC_HEADER); + fprintf(conf, + "#\n" + "# The PAM configuration file for the `%s' service\n" + "#\n", $1); + } + } else { + fclose(conf); + conf = fopen(filename, "a"); + } + if (conf == NULL) { + yyerror("trouble opening %s - aborting", filename); + exit(1); + } + free(filename); + + /* $2 = module-type */ + fprintf(conf, 
"%-10s", $2); + free($2); + + /* $3 = required etc. */ + { + const char *trans; + + trans = old_to_new_ctrl_flag($3); + free($3); + fprintf(conf, " %-10s", trans); + } + + /* $4 = module-path */ + fprintf(conf, " %s", $4); + free($4); + + /* $5 = arguments */ + if ($5 != NULL) { + fprintf(conf, " \\\n\t\t%s", $5); + free($5); + } + + /* end line */ + fprintf(conf, "\n"); + + fclose(conf); +} +| error NL { + yyerror("malformed line"); +} +; + +tokenls +: { + $$=NULL; +} +| tokenls tok { + int len; + + if ($1) { + len = strlen($1) + strlen($2) + 2; + $$ = malloc(len); + sprintf($$,"%s %s",$1,$2); + free($1); + free($2); + } else { + $$ = $2; + } +} +; + +path +: TOK { + /* XXX - this could be used to check if file present */ + $$ = strdup(yytext); +} + +tok +: TOK { + $$ = strdup(yytext); +} + +%% + +#include "lex.yy.c" + +const char *old_to_new_ctrl_flag(const char *old) +{ + static const char *clist[] = { + "requisite", + "required", + "sufficient", + "optional", + NULL, + }; + int i; + + for (i=0; clist[i]; ++i) { + if (strcasecmp(clist[i], old) == 0) { + break; + } + } + + return clist[i]; +} + +void yyerror(const char *format, ...) +{ + va_list args; + + fprintf(stderr, "line %d: ", current_line); + va_start(args, format); + vfprintf(stderr, format, args); + va_end(args); + fprintf(stderr, "\n"); +} + +int main(int argc, char *argv[]) +{ + if (mkdir(PAM_D, PAM_D_MODE) != 0) { + yyerror(PAM_D " already exists.. aborting"); + exit(1); + } + yyparse(); + exit(0); +} diff --git a/Linux-PAM/configure b/Linux-PAM/configure new file mode 100755 index 00000000..270184c7 --- /dev/null +++ b/Linux-PAM/configure 
@@ -0,0 +1,3887 @@ +#! /bin/sh + +# Guess values for system-dependent variables and create Makefiles. +# Generated automatically using autoconf version 2.13 +# Copyright (C) 1992, 93, 94, 95, 96 Free Software Foundation, Inc. +# +# This configure script is free software; the Free Software Foundation +# gives unlimited permission to copy, distribute and modify it. + +# Defaults: +ac_help= +ac_default_prefix=/usr/local +# Any additions from configure.in: +ac_default_prefix= +ac_help="$ac_help + --enable-debug specify you are building with debugging on" +ac_help="$ac_help + --enable-memory-debug specify you want every malloc etc. call tracked" +ac_help="$ac_help + --enable-libdebug specify you are building debugging libraries" +ac_help="$ac_help + --enable-fakeroot=<path to packaging directory>" +ac_help="$ac_help + --enable-securedir=<path to location of PAMs> [default \$libdir/security]" +ac_help="$ac_help + --enable-sconfigdir=<path to module conf files> [default \$sysconfdir/security]" +ac_help="$ac_help + --enable-suplementedir=<path to module helper binaries> [default \$sbindir]" +ac_help="$ac_help + --enable-includedir=<path to include location> - where to put <security>" +ac_help="$ac_help + --enable-docdir=<path to store documentation in - /usr/share/doc/pam>" +ac_help="$ac_help + --enable-mandir=<path to store manuals in - /usr/share/man>" +ac_help="$ac_help + --enable-pamlocking configure libpam to observe a global authentication lock" +ac_help="$ac_help + --enable-uglyhack configure libpam to try to honor old pam_strerror syntax" +ac_help="$ac_help + --enable-read-both-confs read both /etc/pam.d and /etc/pam.conf files" +ac_help="$ac_help + --enable-static-libpam build a libpam.a library" +ac_help="$ac_help + --disable-dynamic-libpam do not build a shared libpam library" +ac_help="$ac_help + --enable-static-modules do not make the modules dynamically loadable" +ac_help="$ac_help + --disable-lckpwdf do not use the lckpwdf function" +ac_help="$ac_help + 
--with-mailspool path to mail spool directory + [default _PATH_MAILDIR if defined in paths.h, otherwise /var/spool/mail]" + +# Initialize some variables set by options. +# The variables have the same names as the options, with +# dashes changed to underlines. +build=NONE +cache_file=./config.cache +exec_prefix=NONE +host=NONE +no_create= +nonopt=NONE +no_recursion= +prefix=NONE +program_prefix=NONE +program_suffix=NONE +program_transform_name=s,x,x, +silent= +site= +srcdir= +target=NONE +verbose= +x_includes=NONE +x_libraries=NONE +bindir='${exec_prefix}/bin' +sbindir='${exec_prefix}/sbin' +libexecdir='${exec_prefix}/libexec' +datadir='${prefix}/share' +sysconfdir='${prefix}/etc' +sharedstatedir='${prefix}/com' +localstatedir='${prefix}/var' +libdir='${exec_prefix}/lib' +includedir='${prefix}/include' +oldincludedir='/usr/include' +infodir='${prefix}/info' +mandir='${prefix}/man' + +# Initialize some other variables. +subdirs= +MFLAGS= MAKEFLAGS= +SHELL=${CONFIG_SHELL-/bin/sh} +# Maximum number of lines to put in a shell here document. +ac_max_here_lines=12 + +ac_prev= +for ac_option +do + + # If the previous option needs an argument, assign it. + if test -n "$ac_prev"; then + eval "$ac_prev=\$ac_option" + ac_prev= + continue + fi + + case "$ac_option" in + -*=*) ac_optarg=`echo "$ac_option" | sed 's/[-_a-zA-Z0-9]*=//'` ;; + *) ac_optarg= ;; + esac + + # Accept the important Cygnus configure options, so we can diagnose typos. 
+ + case "$ac_option" in + + -bindir | --bindir | --bindi | --bind | --bin | --bi) + ac_prev=bindir ;; + -bindir=* | --bindir=* | --bindi=* | --bind=* | --bin=* | --bi=*) + bindir="$ac_optarg" ;; + + -build | --build | --buil | --bui | --bu) + ac_prev=build ;; + -build=* | --build=* | --buil=* | --bui=* | --bu=*) + build="$ac_optarg" ;; + + -cache-file | --cache-file | --cache-fil | --cache-fi \ + | --cache-f | --cache- | --cache | --cach | --cac | --ca | --c) + ac_prev=cache_file ;; + -cache-file=* | --cache-file=* | --cache-fil=* | --cache-fi=* \ + | --cache-f=* | --cache-=* | --cache=* | --cach=* | --cac=* | --ca=* | --c=*) + cache_file="$ac_optarg" ;; + + -datadir | --datadir | --datadi | --datad | --data | --dat | --da) + ac_prev=datadir ;; + -datadir=* | --datadir=* | --datadi=* | --datad=* | --data=* | --dat=* \ + | --da=*) + datadir="$ac_optarg" ;; + + -disable-* | --disable-*) + ac_feature=`echo $ac_option|sed -e 's/-*disable-//'` + # Reject names that are not valid shell variable names. + if test -n "`echo $ac_feature| sed 's/[-a-zA-Z0-9_]//g'`"; then + { echo "configure: error: $ac_feature: invalid feature name" 1>&2; exit 1; } + fi + ac_feature=`echo $ac_feature| sed 's/-/_/g'` + eval "enable_${ac_feature}=no" ;; + + -enable-* | --enable-*) + ac_feature=`echo $ac_option|sed -e 's/-*enable-//' -e 's/=.*//'` + # Reject names that are not valid shell variable names. 
+ if test -n "`echo $ac_feature| sed 's/[-_a-zA-Z0-9]//g'`"; then + { echo "configure: error: $ac_feature: invalid feature name" 1>&2; exit 1; } + fi + ac_feature=`echo $ac_feature| sed 's/-/_/g'` + case "$ac_option" in + *=*) ;; + *) ac_optarg=yes ;; + esac + eval "enable_${ac_feature}='$ac_optarg'" ;; + + -exec-prefix | --exec_prefix | --exec-prefix | --exec-prefi \ + | --exec-pref | --exec-pre | --exec-pr | --exec-p | --exec- \ + | --exec | --exe | --ex) + ac_prev=exec_prefix ;; + -exec-prefix=* | --exec_prefix=* | --exec-prefix=* | --exec-prefi=* \ + | --exec-pref=* | --exec-pre=* | --exec-pr=* | --exec-p=* | --exec-=* \ + | --exec=* | --exe=* | --ex=*) + exec_prefix="$ac_optarg" ;; + + -gas | --gas | --ga | --g) + # Obsolete; use --with-gas. + with_gas=yes ;; + + -help | --help | --hel | --he) + # Omit some internal or obsolete options to make the list less imposing. + # This message is too long to be a string in the A/UX 3.1 sh. + cat << EOF +Usage: configure [options] [host] +Options: [defaults in brackets after descriptions] +Configuration: + --cache-file=FILE cache test results in FILE + --help print this message + --no-create do not create output files + --quiet, --silent do not print \`checking...' 
messages + --version print the version of autoconf that created configure +Directory and file names: + --prefix=PREFIX install architecture-independent files in PREFIX + [$ac_default_prefix] + --exec-prefix=EPREFIX install architecture-dependent files in EPREFIX + [same as prefix] + --bindir=DIR user executables in DIR [EPREFIX/bin] + --sbindir=DIR system admin executables in DIR [EPREFIX/sbin] + --libexecdir=DIR program executables in DIR [EPREFIX/libexec] + --datadir=DIR read-only architecture-independent data in DIR + [PREFIX/share] + --sysconfdir=DIR read-only single-machine data in DIR [PREFIX/etc] + --sharedstatedir=DIR modifiable architecture-independent data in DIR + [PREFIX/com] + --localstatedir=DIR modifiable single-machine data in DIR [PREFIX/var] + --libdir=DIR object code libraries in DIR [EPREFIX/lib] + --includedir=DIR C header files in DIR [PREFIX/include] + --oldincludedir=DIR C header files for non-gcc in DIR [/usr/include] + --infodir=DIR info documentation in DIR [PREFIX/info] + --mandir=DIR man documentation in DIR [PREFIX/man] + --srcdir=DIR find the sources in DIR [configure dir or ..] 
+ --program-prefix=PREFIX prepend PREFIX to installed program names + --program-suffix=SUFFIX append SUFFIX to installed program names + --program-transform-name=PROGRAM + run sed PROGRAM on installed program names +EOF + cat << EOF +Host type: + --build=BUILD configure for building on BUILD [BUILD=HOST] + --host=HOST configure for HOST [guessed] + --target=TARGET configure for TARGET [TARGET=HOST] +Features and packages: + --disable-FEATURE do not include FEATURE (same as --enable-FEATURE=no) + --enable-FEATURE[=ARG] include FEATURE [ARG=yes] + --with-PACKAGE[=ARG] use PACKAGE [ARG=yes] + --without-PACKAGE do not use PACKAGE (same as --with-PACKAGE=no) + --x-includes=DIR X include files are in DIR + --x-libraries=DIR X library files are in DIR +EOF + if test -n "$ac_help"; then + echo "--enable and --with options recognized:$ac_help" + fi + exit 0 ;; + + -host | --host | --hos | --ho) + ac_prev=host ;; + -host=* | --host=* | --hos=* | --ho=*) + host="$ac_optarg" ;; + + -includedir | --includedir | --includedi | --included | --include \ + | --includ | --inclu | --incl | --inc) + ac_prev=includedir ;; + -includedir=* | --includedir=* | --includedi=* | --included=* | --include=* \ + | --includ=* | --inclu=* | --incl=* | --inc=*) + includedir="$ac_optarg" ;; + + -infodir | --infodir | --infodi | --infod | --info | --inf) + ac_prev=infodir ;; + -infodir=* | --infodir=* | --infodi=* | --infod=* | --info=* | --inf=*) + infodir="$ac_optarg" ;; + + -libdir | --libdir | --libdi | --libd) + ac_prev=libdir ;; + -libdir=* | --libdir=* | --libdi=* | --libd=*) + libdir="$ac_optarg" ;; + + -libexecdir | --libexecdir | --libexecdi | --libexecd | --libexec \ + | --libexe | --libex | --libe) + ac_prev=libexecdir ;; + -libexecdir=* | --libexecdir=* | --libexecdi=* | --libexecd=* | --libexec=* \ + | --libexe=* | --libex=* | --libe=*) + libexecdir="$ac_optarg" ;; + + -localstatedir | --localstatedir | --localstatedi | --localstated \ + | --localstate | --localstat | --localsta | 
--localst \ + | --locals | --local | --loca | --loc | --lo) + ac_prev=localstatedir ;; + -localstatedir=* | --localstatedir=* | --localstatedi=* | --localstated=* \ + | --localstate=* | --localstat=* | --localsta=* | --localst=* \ + | --locals=* | --local=* | --loca=* | --loc=* | --lo=*) + localstatedir="$ac_optarg" ;; + + -mandir | --mandir | --mandi | --mand | --man | --ma | --m) + ac_prev=mandir ;; + -mandir=* | --mandir=* | --mandi=* | --mand=* | --man=* | --ma=* | --m=*) + mandir="$ac_optarg" ;; + + -nfp | --nfp | --nf) + # Obsolete; use --without-fp. + with_fp=no ;; + + -no-create | --no-create | --no-creat | --no-crea | --no-cre \ + | --no-cr | --no-c) + no_create=yes ;; + + -no-recursion | --no-recursion | --no-recursio | --no-recursi \ + | --no-recurs | --no-recur | --no-recu | --no-rec | --no-re | --no-r) + no_recursion=yes ;; + + -oldincludedir | --oldincludedir | --oldincludedi | --oldincluded \ + | --oldinclude | --oldinclud | --oldinclu | --oldincl | --oldinc \ + | --oldin | --oldi | --old | --ol | --o) + ac_prev=oldincludedir ;; + -oldincludedir=* | --oldincludedir=* | --oldincludedi=* | --oldincluded=* \ + | --oldinclude=* | --oldinclud=* | --oldinclu=* | --oldincl=* | --oldinc=* \ + | --oldin=* | --oldi=* | --old=* | --ol=* | --o=*) + oldincludedir="$ac_optarg" ;; + + -prefix | --prefix | --prefi | --pref | --pre | --pr | --p) + ac_prev=prefix ;; + -prefix=* | --prefix=* | --prefi=* | --pref=* | --pre=* | --pr=* | --p=*) + prefix="$ac_optarg" ;; + + -program-prefix | --program-prefix | --program-prefi | --program-pref \ + | --program-pre | --program-pr | --program-p) + ac_prev=program_prefix ;; + -program-prefix=* | --program-prefix=* | --program-prefi=* \ + | --program-pref=* | --program-pre=* | --program-pr=* | --program-p=*) + program_prefix="$ac_optarg" ;; + + -program-suffix | --program-suffix | --program-suffi | --program-suff \ + | --program-suf | --program-su | --program-s) + ac_prev=program_suffix ;; + -program-suffix=* | 
--program-suffix=* | --program-suffi=* \ + | --program-suff=* | --program-suf=* | --program-su=* | --program-s=*) + program_suffix="$ac_optarg" ;; + + -program-transform-name | --program-transform-name \ + | --program-transform-nam | --program-transform-na \ + | --program-transform-n | --program-transform- \ + | --program-transform | --program-transfor \ + | --program-transfo | --program-transf \ + | --program-trans | --program-tran \ + | --progr-tra | --program-tr | --program-t) + ac_prev=program_transform_name ;; + -program-transform-name=* | --program-transform-name=* \ + | --program-transform-nam=* | --program-transform-na=* \ + | --program-transform-n=* | --program-transform-=* \ + | --program-transform=* | --program-transfor=* \ + | --program-transfo=* | --program-transf=* \ + | --program-trans=* | --program-tran=* \ + | --progr-tra=* | --program-tr=* | --program-t=*) + program_transform_name="$ac_optarg" ;; + + -q | -quiet | --quiet | --quie | --qui | --qu | --q \ + | -silent | --silent | --silen | --sile | --sil) + silent=yes ;; + + -sbindir | --sbindir | --sbindi | --sbind | --sbin | --sbi | --sb) + ac_prev=sbindir ;; + -sbindir=* | --sbindir=* | --sbindi=* | --sbind=* | --sbin=* \ + | --sbi=* | --sb=*) + sbindir="$ac_optarg" ;; + + -sharedstatedir | --sharedstatedir | --sharedstatedi \ + | --sharedstated | --sharedstate | --sharedstat | --sharedsta \ + | --sharedst | --shareds | --shared | --share | --shar \ + | --sha | --sh) + ac_prev=sharedstatedir ;; + -sharedstatedir=* | --sharedstatedir=* | --sharedstatedi=* \ + | --sharedstated=* | --sharedstate=* | --sharedstat=* | --sharedsta=* \ + | --sharedst=* | --shareds=* | --shared=* | --share=* | --shar=* \ + | --sha=* | --sh=*) + sharedstatedir="$ac_optarg" ;; + + -site | --site | --sit) + ac_prev=site ;; + -site=* | --site=* | --sit=*) + site="$ac_optarg" ;; + + -srcdir | --srcdir | --srcdi | --srcd | --src | --sr) + ac_prev=srcdir ;; + -srcdir=* | --srcdir=* | --srcdi=* | --srcd=* | --src=* | --sr=*) + 
srcdir="$ac_optarg" ;; + + -sysconfdir | --sysconfdir | --sysconfdi | --sysconfd | --sysconf \ + | --syscon | --sysco | --sysc | --sys | --sy) + ac_prev=sysconfdir ;; + -sysconfdir=* | --sysconfdir=* | --sysconfdi=* | --sysconfd=* | --sysconf=* \ + | --syscon=* | --sysco=* | --sysc=* | --sys=* | --sy=*) + sysconfdir="$ac_optarg" ;; + + -target | --target | --targe | --targ | --tar | --ta | --t) + ac_prev=target ;; + -target=* | --target=* | --targe=* | --targ=* | --tar=* | --ta=* | --t=*) + target="$ac_optarg" ;; + + -v | -verbose | --verbose | --verbos | --verbo | --verb) + verbose=yes ;; + + -version | --version | --versio | --versi | --vers) + echo "configure generated by autoconf version 2.13" + exit 0 ;; + + -with-* | --with-*) + ac_package=`echo $ac_option|sed -e 's/-*with-//' -e 's/=.*//'` + # Reject names that are not valid shell variable names. + if test -n "`echo $ac_package| sed 's/[-_a-zA-Z0-9]//g'`"; then + { echo "configure: error: $ac_package: invalid package name" 1>&2; exit 1; } + fi + ac_package=`echo $ac_package| sed 's/-/_/g'` + case "$ac_option" in + *=*) ;; + *) ac_optarg=yes ;; + esac + eval "with_${ac_package}='$ac_optarg'" ;; + + -without-* | --without-*) + ac_package=`echo $ac_option|sed -e 's/-*without-//'` + # Reject names that are not valid shell variable names. + if test -n "`echo $ac_package| sed 's/[-a-zA-Z0-9_]//g'`"; then + { echo "configure: error: $ac_package: invalid package name" 1>&2; exit 1; } + fi + ac_package=`echo $ac_package| sed 's/-/_/g'` + eval "with_${ac_package}=no" ;; + + --x) + # Obsolete; use --with-x. 
+ with_x=yes ;; + + -x-includes | --x-includes | --x-include | --x-includ | --x-inclu \ + | --x-incl | --x-inc | --x-in | --x-i) + ac_prev=x_includes ;; + -x-includes=* | --x-includes=* | --x-include=* | --x-includ=* | --x-inclu=* \ + | --x-incl=* | --x-inc=* | --x-in=* | --x-i=*) + x_includes="$ac_optarg" ;; + + -x-libraries | --x-libraries | --x-librarie | --x-librari \ + | --x-librar | --x-libra | --x-libr | --x-lib | --x-li | --x-l) + ac_prev=x_libraries ;; + -x-libraries=* | --x-libraries=* | --x-librarie=* | --x-librari=* \ + | --x-librar=* | --x-libra=* | --x-libr=* | --x-lib=* | --x-li=* | --x-l=*) + x_libraries="$ac_optarg" ;; + + -*) { echo "configure: error: $ac_option: invalid option; use --help to show usage" 1>&2; exit 1; } + ;; + + *) + if test -n "`echo $ac_option| sed 's/[-a-z0-9.]//g'`"; then + echo "configure: warning: $ac_option: invalid host type" 1>&2 + fi + if test "x$nonopt" != xNONE; then + { echo "configure: error: can only configure for one host and one target at a time" 1>&2; exit 1; } + fi + nonopt="$ac_option" + ;; + + esac +done + +if test -n "$ac_prev"; then + { echo "configure: error: missing argument to --`echo $ac_prev | sed 's/_/-/g'`" 1>&2; exit 1; } +fi + +trap 'rm -fr conftest* confdefs* core core.* *.core $ac_clean_files; exit 1' 1 2 15 + +# File descriptor usage: +# 0 standard input +# 1 file creation +# 2 errors and warnings +# 3 some systems may open it to /dev/tty +# 4 used on the Kubota Titan +# 6 checking for... messages and results +# 5 compiler messages saved in config.log +if test "$silent" = yes; then + exec 6>/dev/null +else + exec 6>&1 +fi +exec 5>./config.log + +echo "\ +This file contains any messages produced by compilers while +running configure, to aid debugging if configure makes a mistake. +" 1>&5 + +# Strip out --no-create and --no-recursion so they do not pile up. +# Also quote any args containing shell metacharacters. 
+ac_configure_args= +for ac_arg +do + case "$ac_arg" in + -no-create | --no-create | --no-creat | --no-crea | --no-cre \ + | --no-cr | --no-c) ;; + -no-recursion | --no-recursion | --no-recursio | --no-recursi \ + | --no-recurs | --no-recur | --no-recu | --no-rec | --no-re | --no-r) ;; + *" "*|*" "*|*[\[\]\~\#\$\^\&\*\(\)\{\}\\\|\;\<\>\?]*) + ac_configure_args="$ac_configure_args '$ac_arg'" ;; + *) ac_configure_args="$ac_configure_args $ac_arg" ;; + esac +done + +# NLS nuisances. +# Only set these to C if already set. These must not be set unconditionally +# because not all systems understand e.g. LANG=C (notably SCO). +# Fixing LC_MESSAGES prevents Solaris sh from translating var values in `set'! +# Non-C LC_CTYPE values break the ctype check. +if test "${LANG+set}" = set; then LANG=C; export LANG; fi +if test "${LC_ALL+set}" = set; then LC_ALL=C; export LC_ALL; fi +if test "${LC_MESSAGES+set}" = set; then LC_MESSAGES=C; export LC_MESSAGES; fi +if test "${LC_CTYPE+set}" = set; then LC_CTYPE=C; export LC_CTYPE; fi + +# confdefs.h avoids OS command line length limits that DEFS can exceed. +rm -rf conftest* confdefs.h +# AIX cpp loses on an empty file, so make sure it contains at least a newline. +echo > confdefs.h + +# A filename unique to this package, relative to the directory that +# configure is in, which we can look for to find out if srcdir is correct. +ac_unique_file=conf/pam_conv1/pam_conv.y + +# Find the source files, if location was not specified. +if test -z "$srcdir"; then + ac_srcdir_defaulted=yes + # Try the directory containing this script, then its parent. + ac_prog=$0 + ac_confdir=`echo $ac_prog|sed 's%/[^/][^/]*$%%'` + test "x$ac_confdir" = "x$ac_prog" && ac_confdir=. + srcdir=$ac_confdir + if test ! -r $srcdir/$ac_unique_file; then + srcdir=.. + fi +else + ac_srcdir_defaulted=no +fi +if test ! -r $srcdir/$ac_unique_file; then + if test "$ac_srcdir_defaulted" = yes; then + { echo "configure: error: can not find sources in $ac_confdir or .." 
1>&2; exit 1; } + else + { echo "configure: error: can not find sources in $srcdir" 1>&2; exit 1; } + fi +fi +srcdir=`echo "${srcdir}" | sed 's%\([^/]\)/*$%\1%'` + +# Prefer explicitly selected file to automatically selected ones. +if test -z "$CONFIG_SITE"; then + if test "x$prefix" != xNONE; then + CONFIG_SITE="$prefix/share/config.site $prefix/etc/config.site" + else + CONFIG_SITE="$ac_default_prefix/share/config.site $ac_default_prefix/etc/config.site" + fi +fi +for ac_site_file in $CONFIG_SITE; do + if test -r "$ac_site_file"; then + echo "loading site script $ac_site_file" + . "$ac_site_file" + fi +done + +if test -r "$cache_file"; then + echo "loading cache $cache_file" + . $cache_file +else + echo "creating cache $cache_file" + > $cache_file +fi + +ac_ext=c +# CFLAGS is not in ac_cpp because -g, -O, etc. are not valid cpp options. +ac_cpp='$CPP $CPPFLAGS' +ac_compile='${CC-cc} -c $CFLAGS $CPPFLAGS conftest.$ac_ext 1>&5' +ac_link='${CC-cc} -o conftest${ac_exeext} $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS 1>&5' +cross_compiling=$ac_cv_prog_cc_cross + +ac_exeext= +ac_objext=o +if (echo "testing\c"; echo 1,2,3) | grep c >/dev/null; then + # Stardent Vistra SVR4 grep lacks -e, says ghazi@caip.rutgers.edu. 
+ if (echo -n testing; echo 1,2,3) | sed s/-n/xn/ | grep xn >/dev/null; then + ac_n= ac_c=' +' ac_t=' ' + else + ac_n=-n ac_c= ac_t= + fi +else + ac_n= ac_c='\c' ac_t= +fi + + + + + + +LIBPAM_VERSION_MAJOR=0 +LIBPAM_VERSION_MINOR=76 + + + +cat >> confdefs.h <<\EOF +#define LIBPAM_VERSION_MAJOR 1 +EOF + +cat >> confdefs.h <<\EOF +#define LIBPAM_VERSION_MINOR 1 +EOF + + + + + +LOCALSRCDIR=`/bin/pwd` ; +LOCALOBJDIR=`/bin/pwd` ; +OS=`uname|sed -e 'y/ABCDEFGHIJKLMNOPQRSTUVWXYZ/abcdefghijklmnopqrstuvwxyz/'` + + + +CONF_CFLAGS= ; +MKDIR="mkdir -p" ; + +SHLIBMODE=755 ; + +USESONAME=yes ; +SOSWITCH=-soname ; +NEEDSONAME=no ; +LDCONFIG=/sbin/ldconfig ; + +if test "$OS" = "aix"; then + INSTALL=/usr/ucb/install -c +else + INSTALL=/usr/bin/install +fi + + +# Extract the first word of "gcc", so it can be a program name with args. +set dummy gcc; ac_word=$2 +echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 +echo "configure:610: checking for $ac_word" >&5 +if eval "test \"`echo '$''{'ac_cv_prog_CC'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + if test -n "$CC"; then + ac_cv_prog_CC="$CC" # Let the user override the test. +else + IFS="${IFS= }"; ac_save_ifs="$IFS"; IFS=":" + ac_dummy="$PATH" + for ac_dir in $ac_dummy; do + test -z "$ac_dir" && ac_dir=. + if test -f $ac_dir/$ac_word; then + ac_cv_prog_CC="gcc" + break + fi + done + IFS="$ac_save_ifs" +fi +fi +CC="$ac_cv_prog_CC" +if test -n "$CC"; then + echo "$ac_t""$CC" 1>&6 +else + echo "$ac_t""no" 1>&6 +fi + +if test -z "$CC"; then + # Extract the first word of "cc", so it can be a program name with args. +set dummy cc; ac_word=$2 +echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 +echo "configure:640: checking for $ac_word" >&5 +if eval "test \"`echo '$''{'ac_cv_prog_CC'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + if test -n "$CC"; then + ac_cv_prog_CC="$CC" # Let the user override the test. 
+else + IFS="${IFS= }"; ac_save_ifs="$IFS"; IFS=":" + ac_prog_rejected=no + ac_dummy="$PATH" + for ac_dir in $ac_dummy; do + test -z "$ac_dir" && ac_dir=. + if test -f $ac_dir/$ac_word; then + if test "$ac_dir/$ac_word" = "/usr/ucb/cc"; then + ac_prog_rejected=yes + continue + fi + ac_cv_prog_CC="cc" + break + fi + done + IFS="$ac_save_ifs" +if test $ac_prog_rejected = yes; then + # We found a bogon in the path, so make sure we never use it. + set dummy $ac_cv_prog_CC + shift + if test $# -gt 0; then + # We chose a different compiler from the bogus one. + # However, it has the same basename, so the bogon will be chosen + # first if we set CC to just the basename; use the full file name. + shift + set dummy "$ac_dir/$ac_word" "$@" + shift + ac_cv_prog_CC="$@" + fi +fi +fi +fi +CC="$ac_cv_prog_CC" +if test -n "$CC"; then + echo "$ac_t""$CC" 1>&6 +else + echo "$ac_t""no" 1>&6 +fi + + if test -z "$CC"; then + case "`uname -s`" in + *win32* | *WIN32*) + # Extract the first word of "cl", so it can be a program name with args. +set dummy cl; ac_word=$2 +echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 +echo "configure:691: checking for $ac_word" >&5 +if eval "test \"`echo '$''{'ac_cv_prog_CC'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + if test -n "$CC"; then + ac_cv_prog_CC="$CC" # Let the user override the test. +else + IFS="${IFS= }"; ac_save_ifs="$IFS"; IFS=":" + ac_dummy="$PATH" + for ac_dir in $ac_dummy; do + test -z "$ac_dir" && ac_dir=. + if test -f $ac_dir/$ac_word; then + ac_cv_prog_CC="cl" + break + fi + done + IFS="$ac_save_ifs" +fi +fi +CC="$ac_cv_prog_CC" +if test -n "$CC"; then + echo "$ac_t""$CC" 1>&6 +else + echo "$ac_t""no" 1>&6 +fi + ;; + esac + fi + test -z "$CC" && { echo "configure: error: no acceptable cc found in \$PATH" 1>&2; exit 1; } +fi + +echo $ac_n "checking whether the C compiler ($CC $CFLAGS $LDFLAGS) works""... 
$ac_c" 1>&6 +echo "configure:723: checking whether the C compiler ($CC $CFLAGS $LDFLAGS) works" >&5 + +ac_ext=c +# CFLAGS is not in ac_cpp because -g, -O, etc. are not valid cpp options. +ac_cpp='$CPP $CPPFLAGS' +ac_compile='${CC-cc} -c $CFLAGS $CPPFLAGS conftest.$ac_ext 1>&5' +ac_link='${CC-cc} -o conftest${ac_exeext} $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS 1>&5' +cross_compiling=$ac_cv_prog_cc_cross + +cat > conftest.$ac_ext << EOF + +#line 734 "configure" +#include "confdefs.h" + +main(){return(0);} +EOF +if { (eval echo configure:739: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + ac_cv_prog_cc_works=yes + # If we can't run a trivial program, we are probably using a cross compiler. + if (./conftest; exit) 2>/dev/null; then + ac_cv_prog_cc_cross=no + else + ac_cv_prog_cc_cross=yes + fi +else + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + ac_cv_prog_cc_works=no +fi +rm -fr conftest* +ac_ext=c +# CFLAGS is not in ac_cpp because -g, -O, etc. are not valid cpp options. +ac_cpp='$CPP $CPPFLAGS' +ac_compile='${CC-cc} -c $CFLAGS $CPPFLAGS conftest.$ac_ext 1>&5' +ac_link='${CC-cc} -o conftest${ac_exeext} $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS 1>&5' +cross_compiling=$ac_cv_prog_cc_cross + +echo "$ac_t""$ac_cv_prog_cc_works" 1>&6 +if test $ac_cv_prog_cc_works = no; then + { echo "configure: error: installation or configuration problem: C compiler cannot create executables." 1>&2; exit 1; } +fi +echo $ac_n "checking whether the C compiler ($CC $CFLAGS $LDFLAGS) is a cross-compiler""... $ac_c" 1>&6 +echo "configure:765: checking whether the C compiler ($CC $CFLAGS $LDFLAGS) is a cross-compiler" >&5 +echo "$ac_t""$ac_cv_prog_cc_cross" 1>&6 +cross_compiling=$ac_cv_prog_cc_cross + +echo $ac_n "checking whether we are using GNU C""... 
$ac_c" 1>&6 +echo "configure:770: checking whether we are using GNU C" >&5 +if eval "test \"`echo '$''{'ac_cv_prog_gcc'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + cat > conftest.c <<EOF +#ifdef __GNUC__ + yes; +#endif +EOF +if { ac_try='${CC-cc} -E conftest.c'; { (eval echo configure:779: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }; } | egrep yes >/dev/null 2>&1; then + ac_cv_prog_gcc=yes +else + ac_cv_prog_gcc=no +fi +fi + +echo "$ac_t""$ac_cv_prog_gcc" 1>&6 + +if test $ac_cv_prog_gcc = yes; then + GCC=yes +else + GCC= +fi + +ac_test_CFLAGS="${CFLAGS+set}" +ac_save_CFLAGS="$CFLAGS" +CFLAGS= +echo $ac_n "checking whether ${CC-cc} accepts -g""... $ac_c" 1>&6 +echo "configure:798: checking whether ${CC-cc} accepts -g" >&5 +if eval "test \"`echo '$''{'ac_cv_prog_cc_g'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + echo 'void f(){}' > conftest.c +if test -z "`${CC-cc} -g -c conftest.c 2>&1`"; then + ac_cv_prog_cc_g=yes +else + ac_cv_prog_cc_g=no +fi +rm -f conftest* + +fi + +echo "$ac_t""$ac_cv_prog_cc_g" 1>&6 +if test "$ac_test_CFLAGS" = set; then + CFLAGS="$ac_save_CFLAGS" +elif test $ac_cv_prog_cc_g = yes; then + if test "$GCC" = yes; then + CFLAGS="-g -O2" + else + CFLAGS="-g" + fi +else + if test "$GCC" = yes; then + CFLAGS="-O2" + else + CFLAGS= + fi +fi + +for ac_prog in 'bison -y' byacc +do +# Extract the first word of "$ac_prog", so it can be a program name with args. +set dummy $ac_prog; ac_word=$2 +echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 +echo "configure:834: checking for $ac_word" >&5 +if eval "test \"`echo '$''{'ac_cv_prog_YACC'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + if test -n "$YACC"; then + ac_cv_prog_YACC="$YACC" # Let the user override the test. +else + IFS="${IFS= }"; ac_save_ifs="$IFS"; IFS=":" + ac_dummy="$PATH" + for ac_dir in $ac_dummy; do + test -z "$ac_dir" && ac_dir=. 
+ if test -f $ac_dir/$ac_word; then + ac_cv_prog_YACC="$ac_prog" + break + fi + done + IFS="$ac_save_ifs" +fi +fi +YACC="$ac_cv_prog_YACC" +if test -n "$YACC"; then + echo "$ac_t""$YACC" 1>&6 +else + echo "$ac_t""no" 1>&6 +fi + +test -n "$YACC" && break +done +test -n "$YACC" || YACC="yacc" + +# Extract the first word of "flex", so it can be a program name with args. +set dummy flex; ac_word=$2 +echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 +echo "configure:867: checking for $ac_word" >&5 +if eval "test \"`echo '$''{'ac_cv_prog_LEX'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + if test -n "$LEX"; then + ac_cv_prog_LEX="$LEX" # Let the user override the test. +else + IFS="${IFS= }"; ac_save_ifs="$IFS"; IFS=":" + ac_dummy="$PATH" + for ac_dir in $ac_dummy; do + test -z "$ac_dir" && ac_dir=. + if test -f $ac_dir/$ac_word; then + ac_cv_prog_LEX="flex" + break + fi + done + IFS="$ac_save_ifs" + test -z "$ac_cv_prog_LEX" && ac_cv_prog_LEX="lex" +fi +fi +LEX="$ac_cv_prog_LEX" +if test -n "$LEX"; then + echo "$ac_t""$LEX" 1>&6 +else + echo "$ac_t""no" 1>&6 +fi + +if test -z "$LEXLIB" +then + case "$LEX" in + flex*) ac_lib=fl ;; + *) ac_lib=l ;; + esac + echo $ac_n "checking for yywrap in -l$ac_lib""... $ac_c" 1>&6 +echo "configure:901: checking for yywrap in -l$ac_lib" >&5 +ac_lib_var=`echo $ac_lib'_'yywrap | sed 'y%./+-%__p_%'` +if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + ac_save_LIBS="$LIBS" +LIBS="-l$ac_lib $LIBS" +cat > conftest.$ac_ext <<EOF +#line 909 "configure" +#include "confdefs.h" +/* Override any gcc2 internal prototype to avoid an error. */ +/* We use char because int might match the return type of a gcc2 + builtin and then its argument prototype would still apply. 
*/ +char yywrap(); + +int main() { +yywrap() +; return 0; } +EOF +if { (eval echo configure:920: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=yes" +else + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=no" +fi +rm -f conftest* +LIBS="$ac_save_LIBS" + +fi +if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then + echo "$ac_t""yes" 1>&6 + LEXLIB="-l$ac_lib" +else + echo "$ac_t""no" 1>&6 +fi + +fi + +echo $ac_n "checking whether ln -s works""... $ac_c" 1>&6 +echo "configure:943: checking whether ln -s works" >&5 +if eval "test \"`echo '$''{'ac_cv_prog_LN_S'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + rm -f conftestdata +if ln -s X conftestdata 2>/dev/null +then + rm -f conftestdata + ac_cv_prog_LN_S="ln -s" +else + ac_cv_prog_LN_S=ln +fi +fi +LN_S="$ac_cv_prog_LN_S" +if test "$ac_cv_prog_LN_S" = "ln -s"; then + echo "$ac_t""yes" 1>&6 +else + echo "$ac_t""no" 1>&6 +fi + +echo $ac_n "checking whether ${MAKE-make} sets \${MAKE}""... $ac_c" 1>&6 +echo "configure:964: checking whether ${MAKE-make} sets \${MAKE}" >&5 +set dummy ${MAKE-make}; ac_make=`echo "$2" | sed 'y%./+-%__p_%'` +if eval "test \"`echo '$''{'ac_cv_prog_make_${ac_make}_set'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + cat > conftestmake <<\EOF +all: + @echo 'ac_maketemp="${MAKE}"' +EOF +# GNU make sometimes prints "make[1]: Entering...", which would confuse us. 
+eval `${MAKE-make} -f conftestmake 2>/dev/null | grep temp=` +if test -n "$ac_maketemp"; then + eval ac_cv_prog_make_${ac_make}_set=yes +else + eval ac_cv_prog_make_${ac_make}_set=no +fi +rm -f conftestmake +fi +if eval "test \"`echo '$ac_cv_prog_make_'${ac_make}_set`\" = yes"; then + echo "$ac_t""yes" 1>&6 + SET_MAKE= +else + echo "$ac_t""no" 1>&6 + SET_MAKE="MAKE=${MAKE-make}" +fi + + + +# Check whether --enable-debug or --disable-debug was given. +if test "${enable_debug+set}" = set; then + enableval="$enable_debug" + WITH_DEBUG=yes ; cat >> confdefs.h <<\EOF +#define DEBUG 1 +EOF + +else + WITH_DEBUG=no +fi + + + +# Check whether --enable-memory-debug or --disable-memory-debug was given. +if test "${enable_memory_debug+set}" = set; then + enableval="$enable_memory_debug" + WITH_MEMORY_DEBUG=yes ; cat >> confdefs.h <<\EOF +#define MEMORY_DEBUG 1 +EOF + +else + WITH_MEMORY_DEBUG=no +fi + + + +# Check whether --enable-libdebug or --disable-libdebug was given. +if test "${enable_libdebug+set}" = set; then + enableval="$enable_libdebug" + WITH_LIBDEBUG=yes ; cat >> confdefs.h <<\EOF +#define WITH_LIBDEBUG 1 +EOF + +else + WITH_LIBDEBUG=no +fi + + + +# Check whether --enable-fakeroot or --disable-fakeroot was given. +if test "${enable_fakeroot+set}" = set; then + enableval="$enable_fakeroot" + FAKEROOT=$enableval +fi + + + +# Check whether --enable-securedir or --disable-securedir was given. +if test "${enable_securedir+set}" = set; then + enableval="$enable_securedir" + SECUREDIR=$enableval +else + SECUREDIR=$libdir/security +fi + + + +# Check whether --enable-sconfigdir or --disable-sconfigdir was given. +if test "${enable_sconfigdir+set}" = set; then + enableval="$enable_sconfigdir" + SCONFIGDIR=$enableval +else + SCONFIGDIR=$sysconfdir/security +fi + + + +# Check whether --enable-suplementedir or --disable-suplementedir was given. 
+if test "${enable_suplementedir+set}" = set; then + enableval="$enable_suplementedir" + SUPLEMENTED=$enableval +else + SUPLEMENTED=$sbindir +fi + + + +# Check whether --enable-includedir or --disable-includedir was given. +if test "${enable_includedir+set}" = set; then + enableval="$enable_includedir" + INCLUDEDIR=$enableval +else + INCLUDEDIR=/usr/include +fi + + + +# Check whether --enable-docdir or --disable-docdir was given. +if test "${enable_docdir+set}" = set; then + enableval="$enable_docdir" + DOCDIR=$enableval +else + DOCDIR=/usr/share/doc/pam +fi + + + +# Check whether --enable-mandir or --disable-mandir was given. +if test "${enable_mandir+set}" = set; then + enableval="$enable_mandir" + MANDIR=$enableval +else + MANDIR=/usr/share/man +fi + + + +# Check whether --enable-pamlocking or --disable-pamlocking was given. +if test "${enable_pamlocking+set}" = set; then + enableval="$enable_pamlocking" + WITH_PAMLOCKING=yes ; cat >> confdefs.h <<\EOF +#define PAM_LOCKING 1 +EOF + +else + WITH_PAMLOCKING=no +fi + + + +# Check whether --enable-uglyhack or --disable-uglyhack was given. +if test "${enable_uglyhack+set}" = set; then + enableval="$enable_uglyhack" + cat >> confdefs.h <<\EOF +#define UGLY_HACK_FOR_PRIOR_BEHAVIOR_SUPPORT 1 +EOF + +fi + + +# Check whether --enable-read-both-confs or --disable-read-both-confs was given. +if test "${enable_read_both_confs+set}" = set; then + enableval="$enable_read_both_confs" + cat >> confdefs.h <<\EOF +#define PAM_READ_BOTH_CONFS 1 +EOF + +fi + + + +# Check whether --enable-static-libpam or --disable-static-libpam was given. +if test "${enable_static_libpam+set}" = set; then + enableval="$enable_static_libpam" + STATIC_LIBPAM=yes +else + STATIC_LIBPAM=no +fi + + + +# Check whether --enable-dynamic-libpam or --disable-dynamic-libpam was given. 
+if test "${enable_dynamic_libpam+set}" = set; then + enableval="$enable_dynamic_libpam" + DYNAMIC_LIBPAM=no +else + DYNAMIC_LIBPAM=yes +fi + + + +DYNAMIC=-DPAM_DYNAMIC + + +# Check whether --enable-static-modules or --disable-static-modules was given. +if test "${enable_static_modules+set}" = set; then + enableval="$enable_static_modules" + STATIC=-DPAM_STATIC +fi + + + +# Check whether --enable-lckpwdf or --disable-lckpwdf was given. +if test "${enable_lckpwdf+set}" = set; then + enableval="$enable_lckpwdf" + WITH_LCKPWDF=no +else + WITH_LCKPWDF=yes +fi + + + +echo $ac_n "checking how to run the C preprocessor""... $ac_c" 1>&6 +echo "configure:1175: checking how to run the C preprocessor" >&5 +# On Suns, sometimes $CPP names a directory. +if test -n "$CPP" && test -d "$CPP"; then + CPP= +fi +if test -z "$CPP"; then +if eval "test \"`echo '$''{'ac_cv_prog_CPP'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + # This must be in double quotes, not single quotes, because CPP may get + # substituted into the Makefile and "${CC-cc}" will confuse make. + CPP="${CC-cc} -E" + # On the NeXT, cc -E runs the code through the compiler's parser, + # not just through cpp. 
+ cat > conftest.$ac_ext <<EOF +#line 1190 "configure" +#include "confdefs.h" +#include <assert.h> +Syntax Error +EOF +ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out" +{ (eval echo configure:1196: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } +ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"` +if test -z "$ac_err"; then + : +else + echo "$ac_err" >&5 + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + CPP="${CC-cc} -E -traditional-cpp" + cat > conftest.$ac_ext <<EOF +#line 1207 "configure" +#include "confdefs.h" +#include <assert.h> +Syntax Error +EOF +ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out" +{ (eval echo configure:1213: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } +ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"` +if test -z "$ac_err"; then + : +else + echo "$ac_err" >&5 + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + CPP="${CC-cc} -nologo -E" + cat > conftest.$ac_ext <<EOF +#line 1224 "configure" +#include "confdefs.h" +#include <assert.h> +Syntax Error +EOF +ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out" +{ (eval echo configure:1230: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } +ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"` +if test -z "$ac_err"; then + : +else + echo "$ac_err" >&5 + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + CPP=/lib/cpp +fi +rm -f conftest* +fi +rm -f conftest* +fi +rm -f conftest* + ac_cv_prog_CPP="$CPP" +fi + CPP="$ac_cv_prog_CPP" +else + ac_cv_prog_CPP="$CPP" +fi +echo "$ac_t""$CPP" 1>&6 + +for ac_hdr in paths.h +do +ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'` +echo $ac_n "checking for $ac_hdr""... 
$ac_c" 1>&6 +echo "configure:1258: checking for $ac_hdr" >&5 +if eval "test \"`echo '$''{'ac_cv_header_$ac_safe'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + cat > conftest.$ac_ext <<EOF +#line 1263 "configure" +#include "confdefs.h" +#include <$ac_hdr> +EOF +ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out" +{ (eval echo configure:1268: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } +ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"` +if test -z "$ac_err"; then + rm -rf conftest* + eval "ac_cv_header_$ac_safe=yes" +else + echo "$ac_err" >&5 + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + eval "ac_cv_header_$ac_safe=no" +fi +rm -f conftest* +fi +if eval "test \"`echo '$ac_cv_header_'$ac_safe`\" = yes"; then + echo "$ac_t""yes" 1>&6 + ac_tr_hdr=HAVE_`echo $ac_hdr | sed 'y%abcdefghijklmnopqrstuvwxyz./-%ABCDEFGHIJKLMNOPQRSTUVWXYZ___%'` + cat >> confdefs.h <<EOF +#define $ac_tr_hdr 1 +EOF + +else + echo "$ac_t""no" 1>&6 +fi +done + +# Check whether --with-mailspool or --without-mailspool was given. 
+if test "${with_mailspool+set}" = set; then + withval="$with_mailspool" + with_mailspool=${withval} +fi + +if test x$with_mailspool != x ; then + pam_mail_spool="\"$with_mailspool\"" +else + if test "$cross_compiling" = yes; then + pam_mail_spool="\"/var/spool/mail\"" +else + cat > conftest.$ac_ext <<EOF +#line 1307 "configure" +#include "confdefs.h" + +#include <paths.h> +int main() { +#ifdef _PATH_MAILDIR +exit(0); +#else +exit(1); +#endif +} +EOF +if { (eval echo configure:1319: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null +then + pam_mail_spool="_PATH_MAILDIR" +else + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -fr conftest* + pam_mail_spool="\"/var/spool/mail\"" +fi +rm -fr conftest* +fi + +fi +cat >> confdefs.h <<EOF +#define PAM_PATH_MAILDIR $pam_mail_spool +EOF + + +echo $ac_n "checking for __libc_sched_setscheduler in -lc""... $ac_c" 1>&6 +echo "configure:1338: checking for __libc_sched_setscheduler in -lc" >&5 +ac_lib_var=`echo c'_'__libc_sched_setscheduler | sed 'y%./+-%__p_%'` +if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + ac_save_LIBS="$LIBS" +LIBS="-lc $LIBS" +cat > conftest.$ac_ext <<EOF +#line 1346 "configure" +#include "confdefs.h" +/* Override any gcc2 internal prototype to avoid an error. */ +/* We use char because int might match the return type of a gcc2 + builtin and then its argument prototype would still apply. 
*/ +char __libc_sched_setscheduler(); + +int main() { +__libc_sched_setscheduler() +; return 0; } +EOF +if { (eval echo configure:1357: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=yes" +else + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=no" +fi +rm -f conftest* +LIBS="$ac_save_LIBS" + +fi +if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then + echo "$ac_t""yes" 1>&6 + PAM_NEEDS_LIBC= +else + echo "$ac_t""no" 1>&6 +PAM_NEEDS_LIBC=-lc +fi + + + +echo $ac_n "checking for lckpwdf in -lc""... $ac_c" 1>&6 +echo "configure:1381: checking for lckpwdf in -lc" >&5 +ac_lib_var=`echo c'_'lckpwdf | sed 'y%./+-%__p_%'` +if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + ac_save_LIBS="$LIBS" +LIBS="-lc $LIBS" +cat > conftest.$ac_ext <<EOF +#line 1389 "configure" +#include "confdefs.h" +/* Override any gcc2 internal prototype to avoid an error. */ +/* We use char because int might match the return type of a gcc2 + builtin and then its argument prototype would still apply. */ +char lckpwdf(); + +int main() { +lckpwdf() +; return 0; } +EOF +if { (eval echo configure:1400: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=yes" +else + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=no" +fi +rm -f conftest* +LIBS="$ac_save_LIBS" + +fi +if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then + echo "$ac_t""yes" 1>&6 + HAVE_LCKPWDF=yes +else + echo "$ac_t""no" 1>&6 +HAVE_LCKPWDF=no +fi + + + +echo $ac_n "checking for dlopen in -ldl""... 
$ac_c" 1>&6 +echo "configure:1424: checking for dlopen in -ldl" >&5 +ac_lib_var=`echo dl'_'dlopen | sed 'y%./+-%__p_%'` +if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + ac_save_LIBS="$LIBS" +LIBS="-ldl $LIBS" +cat > conftest.$ac_ext <<EOF +#line 1432 "configure" +#include "confdefs.h" +/* Override any gcc2 internal prototype to avoid an error. */ +/* We use char because int might match the return type of a gcc2 + builtin and then its argument prototype would still apply. */ +char dlopen(); + +int main() { +dlopen() +; return 0; } +EOF +if { (eval echo configure:1443: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=yes" +else + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=no" +fi +rm -f conftest* +LIBS="$ac_save_LIBS" + +fi +if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then + echo "$ac_t""yes" 1>&6 + LIBDL=-ldl +else + echo "$ac_t""no" 1>&6 +fi + + + +echo $ac_n "checking for FascistCheck in -lcrack""... $ac_c" 1>&6 +echo "configure:1466: checking for FascistCheck in -lcrack" >&5 +ac_lib_var=`echo crack'_'FascistCheck | sed 'y%./+-%__p_%'` +if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + ac_save_LIBS="$LIBS" +LIBS="-lcrack $LIBS" +cat > conftest.$ac_ext <<EOF +#line 1474 "configure" +#include "confdefs.h" +/* Override any gcc2 internal prototype to avoid an error. */ +/* We use char because int might match the return type of a gcc2 + builtin and then its argument prototype would still apply. 
*/ +char FascistCheck(); + +int main() { +FascistCheck() +; return 0; } +EOF +if { (eval echo configure:1485: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=yes" +else + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=no" +fi +rm -f conftest* +LIBS="$ac_save_LIBS" + +fi +if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then + echo "$ac_t""yes" 1>&6 + HAVE_LIBCRACK=yes ; cat >> confdefs.h <<\EOF +#define HAVE_LIBCRACK 1 +EOF + +else + echo "$ac_t""no" 1>&6 +HAVE_LIBCRACK=no +fi + + + +echo $ac_n "checking for fcrypt in -lcrypt""... $ac_c" 1>&6 +echo "configure:1512: checking for fcrypt in -lcrypt" >&5 +ac_lib_var=`echo crypt'_'fcrypt | sed 'y%./+-%__p_%'` +if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + ac_save_LIBS="$LIBS" +LIBS="-lcrypt $LIBS" +cat > conftest.$ac_ext <<EOF +#line 1520 "configure" +#include "confdefs.h" +/* Override any gcc2 internal prototype to avoid an error. */ +/* We use char because int might match the return type of a gcc2 + builtin and then its argument prototype would still apply. */ +char fcrypt(); + +int main() { +fcrypt() +; return 0; } +EOF +if { (eval echo configure:1531: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=yes" +else + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=no" +fi +rm -f conftest* +LIBS="$ac_save_LIBS" + +fi +if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then + echo "$ac_t""yes" 1>&6 + HAVE_LIBCRYPT=yes ; cat >> confdefs.h <<\EOF +#define HAVE_LIBCRYPT 1 +EOF + +else + echo "$ac_t""no" 1>&6 +HAVE_LIBCRYPT=no +fi + + +echo $ac_n "checking for logwtmp in -lutil""... 
$ac_c" 1>&6 +echo "configure:1557: checking for logwtmp in -lutil" >&5 +ac_lib_var=`echo util'_'logwtmp | sed 'y%./+-%__p_%'` +if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + ac_save_LIBS="$LIBS" +LIBS="-lutil $LIBS" +cat > conftest.$ac_ext <<EOF +#line 1565 "configure" +#include "confdefs.h" +/* Override any gcc2 internal prototype to avoid an error. */ +/* We use char because int might match the return type of a gcc2 + builtin and then its argument prototype would still apply. */ +char logwtmp(); + +int main() { +logwtmp() +; return 0; } +EOF +if { (eval echo configure:1576: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=yes" +else + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=no" +fi +rm -f conftest* +LIBS="$ac_save_LIBS" + +fi +if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then + echo "$ac_t""yes" 1>&6 + HAVE_LIBUTIL=yes ; cat >> confdefs.h <<\EOF +#define HAVE_LIBUTIL 1 +EOF + +else + echo "$ac_t""no" 1>&6 +HAVE_LIBUTIL=no +fi + + +echo $ac_n "checking for dbm_store in -lndbm""... $ac_c" 1>&6 +echo "configure:1602: checking for dbm_store in -lndbm" >&5 +ac_lib_var=`echo ndbm'_'dbm_store | sed 'y%./+-%__p_%'` +if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + ac_save_LIBS="$LIBS" +LIBS="-lndbm $LIBS" +cat > conftest.$ac_ext <<EOF +#line 1610 "configure" +#include "confdefs.h" +/* Override any gcc2 internal prototype to avoid an error. */ +/* We use char because int might match the return type of a gcc2 + builtin and then its argument prototype would still apply. 
*/ +char dbm_store(); + +int main() { +dbm_store() +; return 0; } +EOF +if { (eval echo configure:1621: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=yes" +else + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=no" +fi +rm -f conftest* +LIBS="$ac_save_LIBS" + +fi +if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then + echo "$ac_t""yes" 1>&6 + HAVE_LIBNDBM=yes ; cat >> confdefs.h <<\EOF +#define HAVE_LIBNDBM 1 +EOF + +else + echo "$ac_t""no" 1>&6 +HAVE_LIBNDBM=no +fi + + +echo $ac_n "checking for dbm_store in -ldb""... $ac_c" 1>&6 +echo "configure:1647: checking for dbm_store in -ldb" >&5 +ac_lib_var=`echo db'_'dbm_store | sed 'y%./+-%__p_%'` +if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + ac_save_LIBS="$LIBS" +LIBS="-ldb $LIBS" +cat > conftest.$ac_ext <<EOF +#line 1655 "configure" +#include "confdefs.h" +/* Override any gcc2 internal prototype to avoid an error. */ +/* We use char because int might match the return type of a gcc2 + builtin and then its argument prototype would still apply. */ +char dbm_store(); + +int main() { +dbm_store() +; return 0; } +EOF +if { (eval echo configure:1666: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=yes" +else + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=no" +fi +rm -f conftest* +LIBS="$ac_save_LIBS" + +fi +if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then + echo "$ac_t""yes" 1>&6 + HAVE_LIBDB=yes ; cat >> confdefs.h <<\EOF +#define HAVE_LIBDB 1 +EOF + +else + echo "$ac_t""no" 1>&6 +HAVE_LIBDB=no +fi + +if test x$HAVE_LIBDB != xyes ; then + echo $ac_n "checking for db_create in -ldb""... 
$ac_c" 1>&6 +echo "configure:1692: checking for db_create in -ldb" >&5 +ac_lib_var=`echo db'_'db_create | sed 'y%./+-%__p_%'` +if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + ac_save_LIBS="$LIBS" +LIBS="-ldb $LIBS" +cat > conftest.$ac_ext <<EOF +#line 1700 "configure" +#include "confdefs.h" +/* Override any gcc2 internal prototype to avoid an error. */ +/* We use char because int might match the return type of a gcc2 + builtin and then its argument prototype would still apply. */ +char db_create(); + +int main() { +db_create() +; return 0; } +EOF +if { (eval echo configure:1711: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=yes" +else + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=no" +fi +rm -f conftest* +LIBS="$ac_save_LIBS" + +fi +if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then + echo "$ac_t""yes" 1>&6 + HAVE_LIBDB=yes ; cat >> confdefs.h <<\EOF +#define HAVE_LIBDB 1 +EOF + +else + echo "$ac_t""no" 1>&6 +HAVE_LIBDB=no +fi + +fi + +echo $ac_n "checking for yylex in -lfl""... $ac_c" 1>&6 +echo "configure:1738: checking for yylex in -lfl" >&5 +ac_lib_var=`echo fl'_'yylex | sed 'y%./+-%__p_%'` +if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + ac_save_LIBS="$LIBS" +LIBS="-lfl HAVE_LIBFL=no $LIBS" +cat > conftest.$ac_ext <<EOF +#line 1746 "configure" +#include "confdefs.h" +/* Override any gcc2 internal prototype to avoid an error. */ +/* We use char because int might match the return type of a gcc2 + builtin and then its argument prototype would still apply. 
*/ +char yylex(); + +int main() { +yylex() +; return 0; } +EOF +if { (eval echo configure:1757: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=yes" +else + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=no" +fi +rm -f conftest* +LIBS="$ac_save_LIBS" + +fi +if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then + echo "$ac_t""yes" 1>&6 + yyterminate +else + echo "$ac_t""no" 1>&6 +HAVE_LIBFL=yes ; cat >> confdefs.h <<\EOF +#define HAVE_LIBFL 1 +EOF + +fi + + +echo $ac_n "checking for yp_maplist in -lnsl""... $ac_c" 1>&6 +echo "configure:1783: checking for yp_maplist in -lnsl" >&5 +ac_lib_var=`echo nsl'_'yp_maplist | sed 'y%./+-%__p_%'` +if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + ac_save_LIBS="$LIBS" +LIBS="-lnsl $LIBS" +cat > conftest.$ac_ext <<EOF +#line 1791 "configure" +#include "confdefs.h" +/* Override any gcc2 internal prototype to avoid an error. */ +/* We use char because int might match the return type of a gcc2 + builtin and then its argument prototype would still apply. */ +char yp_maplist(); + +int main() { +yp_maplist() +; return 0; } +EOF +if { (eval echo configure:1802: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=yes" +else + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=no" +fi +rm -f conftest* +LIBS="$ac_save_LIBS" + +fi +if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then + echo "$ac_t""yes" 1>&6 + HAVE_LIBNSL=yes ; cat >> confdefs.h <<\EOF +#define HAVE_LIBNSL 1 +EOF + +else + echo "$ac_t""no" 1>&6 +HAVE_LIBNSL=no +fi + + +echo $ac_n "checking for pwdb_db_name in -lpwdb""... 
$ac_c" 1>&6 +echo "configure:1828: checking for pwdb_db_name in -lpwdb" >&5 +ac_lib_var=`echo pwdb'_'pwdb_db_name | sed 'y%./+-%__p_%'` +if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + ac_save_LIBS="$LIBS" +LIBS="-lpwdb $LIBS" +cat > conftest.$ac_ext <<EOF +#line 1836 "configure" +#include "confdefs.h" +/* Override any gcc2 internal prototype to avoid an error. */ +/* We use char because int might match the return type of a gcc2 + builtin and then its argument prototype would still apply. */ +char pwdb_db_name(); + +int main() { +pwdb_db_name() +; return 0; } +EOF +if { (eval echo configure:1847: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=yes" +else + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=no" +fi +rm -f conftest* +LIBS="$ac_save_LIBS" + +fi +if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then + echo "$ac_t""yes" 1>&6 + HAVE_LIBPWDB=yes ; cat >> confdefs.h <<\EOF +#define HAVE_LIBPWDB 1 +EOF + +else + echo "$ac_t""no" 1>&6 +HAVE_LIBPWDB=no +fi + + +echo $ac_n "checking for yywrap in -lfl""... $ac_c" 1>&6 +echo "configure:1873: checking for yywrap in -lfl" >&5 +ac_lib_var=`echo fl'_'yywrap | sed 'y%./+-%__p_%'` +if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + ac_save_LIBS="$LIBS" +LIBS="-lfl $LIBS" +cat > conftest.$ac_ext <<EOF +#line 1881 "configure" +#include "confdefs.h" +/* Override any gcc2 internal prototype to avoid an error. */ +/* We use char because int might match the return type of a gcc2 + builtin and then its argument prototype would still apply. 
*/ +char yywrap(); + +int main() { +yywrap() +; return 0; } +EOF +if { (eval echo configure:1892: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=yes" +else + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=no" +fi +rm -f conftest* +LIBS="$ac_save_LIBS" + +fi +if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then + echo "$ac_t""yes" 1>&6 + HAVE_LIBFLEX=yes ; cat >> confdefs.h <<\EOF +#define HAVE_LIBFLEX 1 +EOF + +else + echo "$ac_t""no" 1>&6 +HAVE_LIBFLEX=no +fi + + +echo $ac_n "checking for yywrap in -ll""... $ac_c" 1>&6 +echo "configure:1918: checking for yywrap in -ll" >&5 +ac_lib_var=`echo l'_'yywrap | sed 'y%./+-%__p_%'` +if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + ac_save_LIBS="$LIBS" +LIBS="-ll $LIBS" +cat > conftest.$ac_ext <<EOF +#line 1926 "configure" +#include "confdefs.h" +/* Override any gcc2 internal prototype to avoid an error. */ +/* We use char because int might match the return type of a gcc2 + builtin and then its argument prototype would still apply. 
*/ +char yywrap(); + +int main() { +yywrap() +; return 0; } +EOF +if { (eval echo configure:1937: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=yes" +else + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=no" +fi +rm -f conftest* +LIBS="$ac_save_LIBS" + +fi +if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then + echo "$ac_t""yes" 1>&6 + HAVE_LIBLEX=yes ; cat >> confdefs.h <<\EOF +#define HAVE_LIBLEX 1 +EOF + +else + echo "$ac_t""no" 1>&6 +HAVE_LIBLEX=no +fi + + + +ac_header_dirent=no +for ac_hdr in dirent.h sys/ndir.h sys/dir.h ndir.h +do +ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'` +echo $ac_n "checking for $ac_hdr that defines DIR""... $ac_c" 1>&6 +echo "configure:1968: checking for $ac_hdr that defines DIR" >&5 +if eval "test \"`echo '$''{'ac_cv_header_dirent_$ac_safe'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + cat > conftest.$ac_ext <<EOF +#line 1973 "configure" +#include "confdefs.h" +#include <sys/types.h> +#include <$ac_hdr> +int main() { +DIR *dirp = 0; +; return 0; } +EOF +if { (eval echo configure:1981: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then + rm -rf conftest* + eval "ac_cv_header_dirent_$ac_safe=yes" +else + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + eval "ac_cv_header_dirent_$ac_safe=no" +fi +rm -f conftest* +fi +if eval "test \"`echo '$ac_cv_header_dirent_'$ac_safe`\" = yes"; then + echo "$ac_t""yes" 1>&6 + ac_tr_hdr=HAVE_`echo $ac_hdr | sed 'y%abcdefghijklmnopqrstuvwxyz./-%ABCDEFGHIJKLMNOPQRSTUVWXYZ___%'` + cat >> confdefs.h <<EOF +#define $ac_tr_hdr 1 +EOF + ac_header_dirent=$ac_hdr; break +else + echo "$ac_t""no" 1>&6 +fi +done +# Two versions of opendir et al. are in -ldir and -lx on SCO Xenix. +if test $ac_header_dirent = dirent.h; then +echo $ac_n "checking for opendir in -ldir""... 
$ac_c" 1>&6 +echo "configure:2006: checking for opendir in -ldir" >&5 +ac_lib_var=`echo dir'_'opendir | sed 'y%./+-%__p_%'` +if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + ac_save_LIBS="$LIBS" +LIBS="-ldir $LIBS" +cat > conftest.$ac_ext <<EOF +#line 2014 "configure" +#include "confdefs.h" +/* Override any gcc2 internal prototype to avoid an error. */ +/* We use char because int might match the return type of a gcc2 + builtin and then its argument prototype would still apply. */ +char opendir(); + +int main() { +opendir() +; return 0; } +EOF +if { (eval echo configure:2025: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=yes" +else + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=no" +fi +rm -f conftest* +LIBS="$ac_save_LIBS" + +fi +if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then + echo "$ac_t""yes" 1>&6 + LIBS="$LIBS -ldir" +else + echo "$ac_t""no" 1>&6 +fi + +else +echo $ac_n "checking for opendir in -lx""... $ac_c" 1>&6 +echo "configure:2047: checking for opendir in -lx" >&5 +ac_lib_var=`echo x'_'opendir | sed 'y%./+-%__p_%'` +if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + ac_save_LIBS="$LIBS" +LIBS="-lx $LIBS" +cat > conftest.$ac_ext <<EOF +#line 2055 "configure" +#include "confdefs.h" +/* Override any gcc2 internal prototype to avoid an error. */ +/* We use char because int might match the return type of a gcc2 + builtin and then its argument prototype would still apply. 
*/ +char opendir(); + +int main() { +opendir() +; return 0; } +EOF +if { (eval echo configure:2066: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=yes" +else + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=no" +fi +rm -f conftest* +LIBS="$ac_save_LIBS" + +fi +if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then + echo "$ac_t""yes" 1>&6 + LIBS="$LIBS -lx" +else + echo "$ac_t""no" 1>&6 +fi + +fi + +echo $ac_n "checking for ANSI C header files""... $ac_c" 1>&6 +echo "configure:2089: checking for ANSI C header files" >&5 +if eval "test \"`echo '$''{'ac_cv_header_stdc'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + cat > conftest.$ac_ext <<EOF +#line 2094 "configure" +#include "confdefs.h" +#include <stdlib.h> +#include <stdarg.h> +#include <string.h> +#include <float.h> +EOF +ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out" +{ (eval echo configure:2102: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } +ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"` +if test -z "$ac_err"; then + rm -rf conftest* + ac_cv_header_stdc=yes +else + echo "$ac_err" >&5 + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + ac_cv_header_stdc=no +fi +rm -f conftest* + +if test $ac_cv_header_stdc = yes; then + # SunOS 4.x string.h does not declare mem*, contrary to ANSI. +cat > conftest.$ac_ext <<EOF +#line 2119 "configure" +#include "confdefs.h" +#include <string.h> +EOF +if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | + egrep "memchr" >/dev/null 2>&1; then + : +else + rm -rf conftest* + ac_cv_header_stdc=no +fi +rm -f conftest* + +fi + +if test $ac_cv_header_stdc = yes; then + # ISC 2.0.2 stdlib.h does not declare free, contrary to ANSI. 
+cat > conftest.$ac_ext <<EOF +#line 2137 "configure" +#include "confdefs.h" +#include <stdlib.h> +EOF +if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | + egrep "free" >/dev/null 2>&1; then + : +else + rm -rf conftest* + ac_cv_header_stdc=no +fi +rm -f conftest* + +fi + +if test $ac_cv_header_stdc = yes; then + # /bin/cc in Irix-4.0.5 gets non-ANSI ctype macros unless using -ansi. +if test "$cross_compiling" = yes; then + : +else + cat > conftest.$ac_ext <<EOF +#line 2158 "configure" +#include "confdefs.h" +#include <ctype.h> +#define ISLOWER(c) ('a' <= (c) && (c) <= 'z') +#define TOUPPER(c) (ISLOWER(c) ? 'A' + ((c) - 'a') : (c)) +#define XOR(e, f) (((e) && !(f)) || (!(e) && (f))) +int main () { int i; for (i = 0; i < 256; i++) +if (XOR (islower (i), ISLOWER (i)) || toupper (i) != TOUPPER (i)) exit(2); +exit (0); } + +EOF +if { (eval echo configure:2169: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null +then + : +else + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -fr conftest* + ac_cv_header_stdc=no +fi +rm -fr conftest* +fi + +fi +fi + +echo "$ac_t""$ac_cv_header_stdc" 1>&6 +if test $ac_cv_header_stdc = yes; then + cat >> confdefs.h <<\EOF +#define STDC_HEADERS 1 +EOF + +fi + +echo $ac_n "checking for sys/wait.h that is POSIX.1 compatible""... $ac_c" 1>&6 +echo "configure:2193: checking for sys/wait.h that is POSIX.1 compatible" >&5 +if eval "test \"`echo '$''{'ac_cv_header_sys_wait_h'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + cat > conftest.$ac_ext <<EOF +#line 2198 "configure" +#include "confdefs.h" +#include <sys/types.h> +#include <sys/wait.h> +#ifndef WEXITSTATUS +#define WEXITSTATUS(stat_val) ((unsigned)(stat_val) >> 8) +#endif +#ifndef WIFEXITED +#define WIFEXITED(stat_val) (((stat_val) & 255) == 0) +#endif +int main() { +int s; +wait (&s); +s = WIFEXITED (s) ? 
WEXITSTATUS (s) : 1; +; return 0; } +EOF +if { (eval echo configure:2214: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then + rm -rf conftest* + ac_cv_header_sys_wait_h=yes +else + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + ac_cv_header_sys_wait_h=no +fi +rm -f conftest* +fi + +echo "$ac_t""$ac_cv_header_sys_wait_h" 1>&6 +if test $ac_cv_header_sys_wait_h = yes; then + cat >> confdefs.h <<\EOF +#define HAVE_SYS_WAIT_H 1 +EOF + +fi + +for ac_hdr in fcntl.h limits.h malloc.h sys/file.h sys/ioctl.h sys/time.h syslog.h termio.h unistd.h sys/fsuid.h +do +ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'` +echo $ac_n "checking for $ac_hdr""... $ac_c" 1>&6 +echo "configure:2238: checking for $ac_hdr" >&5 +if eval "test \"`echo '$''{'ac_cv_header_$ac_safe'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + cat > conftest.$ac_ext <<EOF +#line 2243 "configure" +#include "confdefs.h" +#include <$ac_hdr> +EOF +ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out" +{ (eval echo configure:2248: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } +ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"` +if test -z "$ac_err"; then + rm -rf conftest* + eval "ac_cv_header_$ac_safe=yes" +else + echo "$ac_err" >&5 + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + eval "ac_cv_header_$ac_safe=no" +fi +rm -f conftest* +fi +if eval "test \"`echo '$ac_cv_header_'$ac_safe`\" = yes"; then + echo "$ac_t""yes" 1>&6 + ac_tr_hdr=HAVE_`echo $ac_hdr | sed 'y%abcdefghijklmnopqrstuvwxyz./-%ABCDEFGHIJKLMNOPQRSTUVWXYZ___%'` + cat >> confdefs.h <<EOF +#define $ac_tr_hdr 1 +EOF + +else + echo "$ac_t""no" 1>&6 +fi +done + + +for ac_hdr in features.h +do +ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'` +echo $ac_n "checking for $ac_hdr""... 
$ac_c" 1>&6 +echo "configure:2279: checking for $ac_hdr" >&5 +if eval "test \"`echo '$''{'ac_cv_header_$ac_safe'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + cat > conftest.$ac_ext <<EOF +#line 2284 "configure" +#include "confdefs.h" +#include <$ac_hdr> +EOF +ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out" +{ (eval echo configure:2289: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } +ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"` +if test -z "$ac_err"; then + rm -rf conftest* + eval "ac_cv_header_$ac_safe=yes" +else + echo "$ac_err" >&5 + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + eval "ac_cv_header_$ac_safe=no" +fi +rm -f conftest* +fi +if eval "test \"`echo '$ac_cv_header_'$ac_safe`\" = yes"; then + echo "$ac_t""yes" 1>&6 + ac_tr_hdr=HAVE_`echo $ac_hdr | sed 'y%abcdefghijklmnopqrstuvwxyz./-%ABCDEFGHIJKLMNOPQRSTUVWXYZ___%'` + cat >> confdefs.h <<EOF +#define $ac_tr_hdr 1 +EOF + +else + echo "$ac_t""no" 1>&6 +fi +done + + +for ac_hdr in crypt.h +do +ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'` +echo $ac_n "checking for $ac_hdr""... 
$ac_c" 1>&6 +echo "configure:2320: checking for $ac_hdr" >&5 +if eval "test \"`echo '$''{'ac_cv_header_$ac_safe'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + cat > conftest.$ac_ext <<EOF +#line 2325 "configure" +#include "confdefs.h" +#include <$ac_hdr> +EOF +ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out" +{ (eval echo configure:2330: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } +ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"` +if test -z "$ac_err"; then + rm -rf conftest* + eval "ac_cv_header_$ac_safe=yes" +else + echo "$ac_err" >&5 + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + eval "ac_cv_header_$ac_safe=no" +fi +rm -f conftest* +fi +if eval "test \"`echo '$ac_cv_header_'$ac_safe`\" = yes"; then + echo "$ac_t""yes" 1>&6 + ac_tr_hdr=HAVE_`echo $ac_hdr | sed 'y%abcdefghijklmnopqrstuvwxyz./-%ABCDEFGHIJKLMNOPQRSTUVWXYZ___%'` + cat >> confdefs.h <<EOF +#define $ac_tr_hdr 1 +EOF + +else + echo "$ac_t""no" 1>&6 +fi +done + + +for ac_hdr in ndbm.h db.h +do +ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'` +echo $ac_n "checking for $ac_hdr""... 
$ac_c" 1>&6 +echo "configure:2361: checking for $ac_hdr" >&5 +if eval "test \"`echo '$''{'ac_cv_header_$ac_safe'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + cat > conftest.$ac_ext <<EOF +#line 2366 "configure" +#include "confdefs.h" +#include <$ac_hdr> +EOF +ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out" +{ (eval echo configure:2371: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } +ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"` +if test -z "$ac_err"; then + rm -rf conftest* + eval "ac_cv_header_$ac_safe=yes" +else + echo "$ac_err" >&5 + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + eval "ac_cv_header_$ac_safe=no" +fi +rm -f conftest* +fi +if eval "test \"`echo '$ac_cv_header_'$ac_safe`\" = yes"; then + echo "$ac_t""yes" 1>&6 + ac_tr_hdr=HAVE_`echo $ac_hdr | sed 'y%abcdefghijklmnopqrstuvwxyz./-%ABCDEFGHIJKLMNOPQRSTUVWXYZ___%'` + cat >> confdefs.h <<EOF +#define $ac_tr_hdr 1 +EOF + +else + echo "$ac_t""no" 1>&6 +fi +done + +HAVE_NDBM_H=$ac_cv_header_ndbm_h + + +for ac_hdr in lastlog.h utmp.h utmpx.h +do +ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'` +echo $ac_n "checking for $ac_hdr""... 
$ac_c" 1>&6 +echo "configure:2404: checking for $ac_hdr" >&5 +if eval "test \"`echo '$''{'ac_cv_header_$ac_safe'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + cat > conftest.$ac_ext <<EOF +#line 2409 "configure" +#include "confdefs.h" +#include <$ac_hdr> +EOF +ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out" +{ (eval echo configure:2414: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } +ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"` +if test -z "$ac_err"; then + rm -rf conftest* + eval "ac_cv_header_$ac_safe=yes" +else + echo "$ac_err" >&5 + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + eval "ac_cv_header_$ac_safe=no" +fi +rm -f conftest* +fi +if eval "test \"`echo '$ac_cv_header_'$ac_safe`\" = yes"; then + echo "$ac_t""yes" 1>&6 + ac_tr_hdr=HAVE_`echo $ac_hdr | sed 'y%abcdefghijklmnopqrstuvwxyz./-%ABCDEFGHIJKLMNOPQRSTUVWXYZ___%'` + cat >> confdefs.h <<EOF +#define $ac_tr_hdr 1 +EOF + +else + echo "$ac_t""no" 1>&6 +fi +done + + + +echo $ac_n "checking path to cracklib dictionary""... 
$ac_c" 1>&6 +echo "configure:2443: checking path to cracklib dictionary" >&5 +DICT_DIR_CANDIDATES="/usr/lib /usr/share/dict /usr/share/lib \ + /usr/local/lib /usr/local/share/lib" +DICT_FILE_CANDIDATES="pw_dict cracklib_dict" +CRACKLIB_DICTPATH="" +for d in $DICT_DIR_CANDIDATES ; do + for f in $DICT_FILE_CANDIDATES ; do + if test -r $d/$f.hwm ; then + CRACKLIB_DICTPATH=$d/$f + break 2 + elif test -r $d/dict/$f.hwm ; then + CRACKLIB_DICTPATH=$d/dict/$f + break 2 + fi + done +done +if test -z "$CRACKLIB_DICTPATH" ; then + echo "$ac_t""none found" 1>&6 +else + echo "$ac_t""$CRACKLIB_DICTPATH" 1>&6 +fi + + + +GCC_WARNINGS="-Wall -Wwrite-strings \ + -Wpointer-arith -Wcast-qual -Wcast-align \ + -Wstrict-prototypes -Wmissing-prototypes \ + -Wnested-externs -Winline -Wshadow" + +if test "$GCC" = yes; then + CC=gcc ; +### May need per-OS attention +### Example: -D_POSIX_SOURCE: needed on Linux but harms Solaris. + case $OS in + linux) + OS_CFLAGS="-ansi -D_POSIX_SOURCE -pedantic" + LD_D="gcc -shared -Xlinker -x" + WARNINGS="$GCC_WARNINGS" + PIC="-fPIC" + DYNTYPE=so + LD=ld + LD_L="$LD -x -shared" + RANLIB=ranlib + STRIP=strip + CC_STATIC="-Xlinker -export-dynamic" + ;; + sunos) + OS_CFLAGS="-ansi -pedantic" + LD_D="gcc -shared -Xlinker -x" + WARNINGS="$GCC_WARNINGS" + PIC="-fPIC" + DYNTYPE=so + LD=ld + LD_L="$LD -x -shared" + RANLIB=ranlib + STRIP=strip + CC_STATIC="-Xlinker -export-dynamic" + ;; + aix) + OS_CFLAGS="" + DYNTYPE=lo + LD=ld + LD_L=ld -bexpall -bM:SRE -bnoentry + LD_D="$LD_L" + RANLIB=ranlib + STRIP=strip + ;; + *) + OS_CFLAGS="" + ;; + esac +else +### +### Non-gcc needs attention on per-OS basis +### + case "$OS" in + darwin) +# add some stuff here (see sourceforge bug 534205) +# DOCDIR=/System/Documentation/Administration/Libraries/PAM +# MANDIR=/usr/share/man + ;; + solaris) + ### Support for Solaris-C + OS_CFLAGS="" + WARNINGS="" + PIC="-K pic" + LD=ld + LD_D="cc -z text -G -R." 
+ LD_L="$LD_D" + RANLIB=ranlib + STRIP=strip + CC_STATIC= + ;; + irix*) + OSRELEASE=`uname -r` + if test "$OSRELEASE" = 6.5; then + OS_CFLAGS="" + WARNINGS="-fullwarn" + PIC= #PIC code is default for IRIX + LD="cc -shared" # modules friendly approach + LD_D="cc -shared" + LD_L="ld -G -z redlocsym" + RANLIB=echo + STRIP=strip + CC_STATIC= + else + echo "IRIX prior to 6.5 not allowed for" + exit + fi + ;; + *) echo "Native compiler on $OS is not yet supported" + exit + ;; + esac +fi + + + + + + + + + + + + +echo $ac_n "checking whether byte ordering is bigendian""... $ac_c" 1>&6 +echo "configure:2571: checking whether byte ordering is bigendian" >&5 +if eval "test \"`echo '$''{'ac_cv_c_bigendian'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + ac_cv_c_bigendian=unknown +# See if sys/param.h defines the BYTE_ORDER macro. +cat > conftest.$ac_ext <<EOF +#line 2578 "configure" +#include "confdefs.h" +#include <sys/types.h> +#include <sys/param.h> +int main() { + +#if !BYTE_ORDER || !BIG_ENDIAN || !LITTLE_ENDIAN + bogus endian macros +#endif +; return 0; } +EOF +if { (eval echo configure:2589: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then + rm -rf conftest* + # It does; now see whether it defined to BIG_ENDIAN or not. 
+cat > conftest.$ac_ext <<EOF +#line 2593 "configure" +#include "confdefs.h" +#include <sys/types.h> +#include <sys/param.h> +int main() { + +#if BYTE_ORDER != BIG_ENDIAN + not big endian +#endif +; return 0; } +EOF +if { (eval echo configure:2604: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then + rm -rf conftest* + ac_cv_c_bigendian=yes +else + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + ac_cv_c_bigendian=no +fi +rm -f conftest* +else + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 +fi +rm -f conftest* +if test $ac_cv_c_bigendian = unknown; then +if test "$cross_compiling" = yes; then + { echo "configure: error: can not run test program while cross compiling" 1>&2; exit 1; } +else + cat > conftest.$ac_ext <<EOF +#line 2624 "configure" +#include "confdefs.h" +main () { + /* Are we little or big endian? From Harbison&Steele. */ + union + { + long l; + char c[sizeof (long)]; + } u; + u.l = 1; + exit (u.c[sizeof (long) - 1] == 1); +} +EOF +if { (eval echo configure:2637: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null +then + ac_cv_c_bigendian=no +else + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -fr conftest* + ac_cv_c_bigendian=yes +fi +rm -fr conftest* +fi + +fi +fi + +echo "$ac_t""$ac_cv_c_bigendian" 1>&6 +if test $ac_cv_c_bigendian = yes; then + cat >> confdefs.h <<\EOF +#define WORDS_BIGENDIAN 1 +EOF + +fi + +echo $ac_n "checking for working const""... $ac_c" 1>&6 +echo "configure:2661: checking for working const" >&5 +if eval "test \"`echo '$''{'ac_cv_c_const'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + cat > conftest.$ac_ext <<EOF +#line 2666 "configure" +#include "confdefs.h" + +int main() { + +/* Ultrix mips cc rejects this. */ +typedef int charset[2]; const charset x; +/* SunOS 4.1.1 cc rejects this. 
*/ +char const *const *ccp; +char **p; +/* NEC SVR4.0.2 mips cc rejects this. */ +struct point {int x, y;}; +static struct point const zero = {0,0}; +/* AIX XL C 1.02.0.0 rejects this. + It does not let you subtract one const X* pointer from another in an arm + of an if-expression whose if-part is not a constant expression */ +const char *g = "string"; +ccp = &g + (g ? g-g : 0); +/* HPUX 7.0 cc rejects these. */ +++ccp; +p = (char**) ccp; +ccp = (char const *const *) p; +{ /* SCO 3.2v4 cc rejects this. */ + char *t; + char const *s = 0 ? (char *) 0 : (char const *) 0; + + *t++ = 0; +} +{ /* Someone thinks the Sun supposedly-ANSI compiler will reject this. */ + int x[] = {25, 17}; + const int *foo = &x[0]; + ++foo; +} +{ /* Sun SC1.0 ANSI compiler rejects this -- but not the above. */ + typedef const int *iptr; + iptr p = 0; + ++p; +} +{ /* AIX XL C 1.02.0.0 rejects this saying + "k.c", line 2.27: 1506-025 (S) Operand must be a modifiable lvalue. */ + struct s { int j; const int *ap[3]; }; + struct s *b; b->j = 5; +} +{ /* ULTRIX-32 V3.1 (Rev 9) vcc rejects this */ + const int foo = 10; +} + +; return 0; } +EOF +if { (eval echo configure:2715: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then + rm -rf conftest* + ac_cv_c_const=yes +else + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + ac_cv_c_const=no +fi +rm -f conftest* +fi + +echo "$ac_t""$ac_cv_c_const" 1>&6 +if test $ac_cv_c_const = no; then + cat >> confdefs.h <<\EOF +#define const +EOF + +fi + +echo $ac_n "checking for uid_t in sys/types.h""... 
$ac_c" 1>&6 +echo "configure:2736: checking for uid_t in sys/types.h" >&5 +if eval "test \"`echo '$''{'ac_cv_type_uid_t'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + cat > conftest.$ac_ext <<EOF +#line 2741 "configure" +#include "confdefs.h" +#include <sys/types.h> +EOF +if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | + egrep "uid_t" >/dev/null 2>&1; then + rm -rf conftest* + ac_cv_type_uid_t=yes +else + rm -rf conftest* + ac_cv_type_uid_t=no +fi +rm -f conftest* + +fi + +echo "$ac_t""$ac_cv_type_uid_t" 1>&6 +if test $ac_cv_type_uid_t = no; then + cat >> confdefs.h <<\EOF +#define uid_t int +EOF + + cat >> confdefs.h <<\EOF +#define gid_t int +EOF + +fi + +echo $ac_n "checking for off_t""... $ac_c" 1>&6 +echo "configure:2770: checking for off_t" >&5 +if eval "test \"`echo '$''{'ac_cv_type_off_t'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + cat > conftest.$ac_ext <<EOF +#line 2775 "configure" +#include "confdefs.h" +#include <sys/types.h> +#if STDC_HEADERS +#include <stdlib.h> +#include <stddef.h> +#endif +EOF +if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | + egrep "(^|[^a-zA-Z_0-9])off_t[^a-zA-Z_0-9]" >/dev/null 2>&1; then + rm -rf conftest* + ac_cv_type_off_t=yes +else + rm -rf conftest* + ac_cv_type_off_t=no +fi +rm -f conftest* + +fi +echo "$ac_t""$ac_cv_type_off_t" 1>&6 +if test $ac_cv_type_off_t = no; then + cat >> confdefs.h <<\EOF +#define off_t long +EOF + +fi + +echo $ac_n "checking for pid_t""... 
$ac_c" 1>&6 +echo "configure:2803: checking for pid_t" >&5 +if eval "test \"`echo '$''{'ac_cv_type_pid_t'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + cat > conftest.$ac_ext <<EOF +#line 2808 "configure" +#include "confdefs.h" +#include <sys/types.h> +#if STDC_HEADERS +#include <stdlib.h> +#include <stddef.h> +#endif +EOF +if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | + egrep "(^|[^a-zA-Z_0-9])pid_t[^a-zA-Z_0-9]" >/dev/null 2>&1; then + rm -rf conftest* + ac_cv_type_pid_t=yes +else + rm -rf conftest* + ac_cv_type_pid_t=no +fi +rm -f conftest* + +fi +echo "$ac_t""$ac_cv_type_pid_t" 1>&6 +if test $ac_cv_type_pid_t = no; then + cat >> confdefs.h <<\EOF +#define pid_t int +EOF + +fi + +echo $ac_n "checking for size_t""... $ac_c" 1>&6 +echo "configure:2836: checking for size_t" >&5 +if eval "test \"`echo '$''{'ac_cv_type_size_t'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + cat > conftest.$ac_ext <<EOF +#line 2841 "configure" +#include "confdefs.h" +#include <sys/types.h> +#if STDC_HEADERS +#include <stdlib.h> +#include <stddef.h> +#endif +EOF +if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | + egrep "(^|[^a-zA-Z_0-9])size_t[^a-zA-Z_0-9]" >/dev/null 2>&1; then + rm -rf conftest* + ac_cv_type_size_t=yes +else + rm -rf conftest* + ac_cv_type_size_t=no +fi +rm -f conftest* + +fi +echo "$ac_t""$ac_cv_type_size_t" 1>&6 +if test $ac_cv_type_size_t = no; then + cat >> confdefs.h <<\EOF +#define size_t unsigned +EOF + +fi + +echo $ac_n "checking whether time.h and sys/time.h may both be included""... 
$ac_c" 1>&6 +echo "configure:2869: checking whether time.h and sys/time.h may both be included" >&5 +if eval "test \"`echo '$''{'ac_cv_header_time'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + cat > conftest.$ac_ext <<EOF +#line 2874 "configure" +#include "confdefs.h" +#include <sys/types.h> +#include <sys/time.h> +#include <time.h> +int main() { +struct tm *tp; +; return 0; } +EOF +if { (eval echo configure:2883: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then + rm -rf conftest* + ac_cv_header_time=yes +else + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + ac_cv_header_time=no +fi +rm -f conftest* +fi + +echo "$ac_t""$ac_cv_header_time" 1>&6 +if test $ac_cv_header_time = yes; then + cat >> confdefs.h <<\EOF +#define TIME_WITH_SYS_TIME 1 +EOF + +fi + +echo $ac_n "checking whether struct tm is in sys/time.h or time.h""... $ac_c" 1>&6 +echo "configure:2904: checking whether struct tm is in sys/time.h or time.h" >&5 +if eval "test \"`echo '$''{'ac_cv_struct_tm'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + cat > conftest.$ac_ext <<EOF +#line 2909 "configure" +#include "confdefs.h" +#include <sys/types.h> +#include <time.h> +int main() { +struct tm *tp; tp->tm_sec; +; return 0; } +EOF +if { (eval echo configure:2917: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then + rm -rf conftest* + ac_cv_struct_tm=time.h +else + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + ac_cv_struct_tm=sys/time.h +fi +rm -f conftest* +fi + +echo "$ac_t""$ac_cv_struct_tm" 1>&6 +if test $ac_cv_struct_tm = sys/time.h; then + cat >> confdefs.h <<\EOF +#define TM_IN_SYS_TIME 1 +EOF + +fi + + +echo $ac_n "checking type of array argument to getgroups""... 
$ac_c" 1>&6 +echo "configure:2939: checking type of array argument to getgroups" >&5 +if eval "test \"`echo '$''{'ac_cv_type_getgroups'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + if test "$cross_compiling" = yes; then + ac_cv_type_getgroups=cross +else + cat > conftest.$ac_ext <<EOF +#line 2947 "configure" +#include "confdefs.h" + +/* Thanks to Mike Rendell for this test. */ +#include <sys/types.h> +#define NGID 256 +#undef MAX +#define MAX(x, y) ((x) > (y) ? (x) : (y)) +main() +{ + gid_t gidset[NGID]; + int i, n; + union { gid_t gval; long lval; } val; + + val.lval = -1; + for (i = 0; i < NGID; i++) + gidset[i] = val.gval; + n = getgroups (sizeof (gidset) / MAX (sizeof (int), sizeof (gid_t)) - 1, + gidset); + /* Exit non-zero if getgroups seems to require an array of ints. This + happens when gid_t is short but getgroups modifies an array of ints. */ + exit ((n > 0 && gidset[n] != val.gval) ? 1 : 0); +} + +EOF +if { (eval echo configure:2972: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null +then + ac_cv_type_getgroups=gid_t +else + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -fr conftest* + ac_cv_type_getgroups=int +fi +rm -fr conftest* +fi + +if test $ac_cv_type_getgroups = cross; then + cat > conftest.$ac_ext <<EOF +#line 2986 "configure" +#include "confdefs.h" +#include <unistd.h> +EOF +if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | + egrep "getgroups.*int.*gid_t" >/dev/null 2>&1; then + rm -rf conftest* + ac_cv_type_getgroups=gid_t +else + rm -rf conftest* + ac_cv_type_getgroups=int +fi +rm -f conftest* + +fi +fi + +echo "$ac_t""$ac_cv_type_getgroups" 1>&6 +cat >> confdefs.h <<EOF +#define GETGROUPS_T $ac_cv_type_getgroups +EOF + + +if test $ac_cv_prog_gcc = yes; then + echo $ac_n "checking whether ${CC-cc} needs -traditional""... 
$ac_c" 1>&6 +echo "configure:3011: checking whether ${CC-cc} needs -traditional" >&5 +if eval "test \"`echo '$''{'ac_cv_prog_gcc_traditional'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + ac_pattern="Autoconf.*'x'" + cat > conftest.$ac_ext <<EOF +#line 3017 "configure" +#include "confdefs.h" +#include <sgtty.h> +Autoconf TIOCGETP +EOF +if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | + egrep "$ac_pattern" >/dev/null 2>&1; then + rm -rf conftest* + ac_cv_prog_gcc_traditional=yes +else + rm -rf conftest* + ac_cv_prog_gcc_traditional=no +fi +rm -f conftest* + + + if test $ac_cv_prog_gcc_traditional = no; then + cat > conftest.$ac_ext <<EOF +#line 3035 "configure" +#include "confdefs.h" +#include <termio.h> +Autoconf TCGETA +EOF +if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | + egrep "$ac_pattern" >/dev/null 2>&1; then + rm -rf conftest* + ac_cv_prog_gcc_traditional=yes +fi +rm -f conftest* + + fi +fi + +echo "$ac_t""$ac_cv_prog_gcc_traditional" 1>&6 + if test $ac_cv_prog_gcc_traditional = yes; then + CC="$CC -traditional" + fi +fi + +echo $ac_n "checking for 8-bit clean memcmp""... $ac_c" 1>&6 +echo "configure:3057: checking for 8-bit clean memcmp" >&5 +if eval "test \"`echo '$''{'ac_cv_func_memcmp_clean'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + if test "$cross_compiling" = yes; then + ac_cv_func_memcmp_clean=no +else + cat > conftest.$ac_ext <<EOF +#line 3065 "configure" +#include "confdefs.h" + +main() +{ + char c0 = 0x40, c1 = 0x80, c2 = 0x81; + exit(memcmp(&c0, &c2, 1) < 0 && memcmp(&c1, &c2, 1) < 0 ? 
0 : 1); +} + +EOF +if { (eval echo configure:3075: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null +then + ac_cv_func_memcmp_clean=yes +else + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -fr conftest* + ac_cv_func_memcmp_clean=no +fi +rm -fr conftest* +fi + +fi + +echo "$ac_t""$ac_cv_func_memcmp_clean" 1>&6 +test $ac_cv_func_memcmp_clean = no && LIBOBJS="$LIBOBJS memcmp.${ac_objext}" + +echo $ac_n "checking for vprintf""... $ac_c" 1>&6 +echo "configure:3093: checking for vprintf" >&5 +if eval "test \"`echo '$''{'ac_cv_func_vprintf'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + cat > conftest.$ac_ext <<EOF +#line 3098 "configure" +#include "confdefs.h" +/* System header to define __stub macros and hopefully few prototypes, + which can conflict with char vprintf(); below. */ +#include <assert.h> +/* Override any gcc2 internal prototype to avoid an error. */ +/* We use char because int might match the return type of a gcc2 + builtin and then its argument prototype would still apply. */ +char vprintf(); + +int main() { + +/* The GNU C library defines this for functions which it implements + to always fail with ENOSYS. Some functions are actually named + something starting with __ and the normal name is an alias. 
*/ +#if defined (__stub_vprintf) || defined (__stub___vprintf) +choke me +#else +vprintf(); +#endif + +; return 0; } +EOF +if { (eval echo configure:3121: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + eval "ac_cv_func_vprintf=yes" +else + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + eval "ac_cv_func_vprintf=no" +fi +rm -f conftest* +fi + +if eval "test \"`echo '$ac_cv_func_'vprintf`\" = yes"; then + echo "$ac_t""yes" 1>&6 + cat >> confdefs.h <<\EOF +#define HAVE_VPRINTF 1 +EOF + +else + echo "$ac_t""no" 1>&6 +fi + +if test "$ac_cv_func_vprintf" != yes; then +echo $ac_n "checking for _doprnt""... $ac_c" 1>&6 +echo "configure:3145: checking for _doprnt" >&5 +if eval "test \"`echo '$''{'ac_cv_func__doprnt'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + cat > conftest.$ac_ext <<EOF +#line 3150 "configure" +#include "confdefs.h" +/* System header to define __stub macros and hopefully few prototypes, + which can conflict with char _doprnt(); below. */ +#include <assert.h> +/* Override any gcc2 internal prototype to avoid an error. */ +/* We use char because int might match the return type of a gcc2 + builtin and then its argument prototype would still apply. */ +char _doprnt(); + +int main() { + +/* The GNU C library defines this for functions which it implements + to always fail with ENOSYS. Some functions are actually named + something starting with __ and the normal name is an alias. 
*/ +#if defined (__stub__doprnt) || defined (__stub____doprnt) +choke me +#else +_doprnt(); +#endif + +; return 0; } +EOF +if { (eval echo configure:3173: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + eval "ac_cv_func__doprnt=yes" +else + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + eval "ac_cv_func__doprnt=no" +fi +rm -f conftest* +fi + +if eval "test \"`echo '$ac_cv_func_'_doprnt`\" = yes"; then + echo "$ac_t""yes" 1>&6 + cat >> confdefs.h <<\EOF +#define HAVE_DOPRNT 1 +EOF + +else + echo "$ac_t""no" 1>&6 +fi + +fi + +for ac_func in gethostname gettimeofday mkdir select strcspn strdup strerror strspn strstr strtol uname +do +echo $ac_n "checking for $ac_func""... $ac_c" 1>&6 +echo "configure:3200: checking for $ac_func" >&5 +if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + cat > conftest.$ac_ext <<EOF +#line 3205 "configure" +#include "confdefs.h" +/* System header to define __stub macros and hopefully few prototypes, + which can conflict with char $ac_func(); below. */ +#include <assert.h> +/* Override any gcc2 internal prototype to avoid an error. */ +/* We use char because int might match the return type of a gcc2 + builtin and then its argument prototype would still apply. */ +char $ac_func(); + +int main() { + +/* The GNU C library defines this for functions which it implements + to always fail with ENOSYS. Some functions are actually named + something starting with __ and the normal name is an alias. 
*/ +#if defined (__stub_$ac_func) || defined (__stub___$ac_func) +choke me +#else +$ac_func(); +#endif + +; return 0; } +EOF +if { (eval echo configure:3228: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + eval "ac_cv_func_$ac_func=yes" +else + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + eval "ac_cv_func_$ac_func=no" +fi +rm -f conftest* +fi + +if eval "test \"`echo '$ac_cv_func_'$ac_func`\" = yes"; then + echo "$ac_t""yes" 1>&6 + ac_tr_func=HAVE_`echo $ac_func | tr 'abcdefghijklmnopqrstuvwxyz' 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'` + cat >> confdefs.h <<EOF +#define $ac_tr_func 1 +EOF + +else + echo "$ac_t""no" 1>&6 +fi +done + + +for ac_func in getpwnam_r getgrnam_r +do +echo $ac_n "checking for $ac_func""... $ac_c" 1>&6 +echo "configure:3256: checking for $ac_func" >&5 +if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + cat > conftest.$ac_ext <<EOF +#line 3261 "configure" +#include "confdefs.h" +/* System header to define __stub macros and hopefully few prototypes, + which can conflict with char $ac_func(); below. */ +#include <assert.h> +/* Override any gcc2 internal prototype to avoid an error. */ +/* We use char because int might match the return type of a gcc2 + builtin and then its argument prototype would still apply. */ +char $ac_func(); + +int main() { + +/* The GNU C library defines this for functions which it implements + to always fail with ENOSYS. Some functions are actually named + something starting with __ and the normal name is an alias. 
*/ +#if defined (__stub_$ac_func) || defined (__stub___$ac_func) +choke me +#else +$ac_func(); +#endif + +; return 0; } +EOF +if { (eval echo configure:3284: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + eval "ac_cv_func_$ac_func=yes" +else + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + eval "ac_cv_func_$ac_func=no" +fi +rm -f conftest* +fi + +if eval "test \"`echo '$ac_cv_func_'$ac_func`\" = yes"; then + echo "$ac_t""yes" 1>&6 + ac_tr_func=HAVE_`echo $ac_func | tr 'abcdefghijklmnopqrstuvwxyz' 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'` + cat >> confdefs.h <<EOF +#define $ac_tr_func 1 +EOF + +else + echo "$ac_t""no" 1>&6 +fi +done + + +# Extract the first word of "sgml2txt", so it can be a program name with args. +set dummy sgml2txt; ac_word=$2 +echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 +echo "configure:3312: checking for $ac_word" >&5 +if eval "test \"`echo '$''{'ac_cv_prog_HAVE_SGML2TXT'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + if test -n "$HAVE_SGML2TXT"; then + ac_cv_prog_HAVE_SGML2TXT="$HAVE_SGML2TXT" # Let the user override the test. +else + IFS="${IFS= }"; ac_save_ifs="$IFS"; IFS=":" + ac_dummy="$PATH" + for ac_dir in $ac_dummy; do + test -z "$ac_dir" && ac_dir=. + if test -f $ac_dir/$ac_word; then + ac_cv_prog_HAVE_SGML2TXT="yes" + break + fi + done + IFS="$ac_save_ifs" + test -z "$ac_cv_prog_HAVE_SGML2TXT" && ac_cv_prog_HAVE_SGML2TXT="no" +fi +fi +HAVE_SGML2TXT="$ac_cv_prog_HAVE_SGML2TXT" +if test -n "$HAVE_SGML2TXT"; then + echo "$ac_t""$HAVE_SGML2TXT" 1>&6 +else + echo "$ac_t""no" 1>&6 +fi + +# Extract the first word of "sgml2html", so it can be a program name with args. +set dummy sgml2html; ac_word=$2 +echo $ac_n "checking for $ac_word""... 
$ac_c" 1>&6 +echo "configure:3342: checking for $ac_word" >&5 +if eval "test \"`echo '$''{'ac_cv_prog_HAVE_SGML2HTML'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + if test -n "$HAVE_SGML2HTML"; then + ac_cv_prog_HAVE_SGML2HTML="$HAVE_SGML2HTML" # Let the user override the test. +else + IFS="${IFS= }"; ac_save_ifs="$IFS"; IFS=":" + ac_dummy="$PATH" + for ac_dir in $ac_dummy; do + test -z "$ac_dir" && ac_dir=. + if test -f $ac_dir/$ac_word; then + ac_cv_prog_HAVE_SGML2HTML="yes" + break + fi + done + IFS="$ac_save_ifs" + test -z "$ac_cv_prog_HAVE_SGML2HTML" && ac_cv_prog_HAVE_SGML2HTML="no" +fi +fi +HAVE_SGML2HTML="$ac_cv_prog_HAVE_SGML2HTML" +if test -n "$HAVE_SGML2HTML"; then + echo "$ac_t""$HAVE_SGML2HTML" 1>&6 +else + echo "$ac_t""no" 1>&6 +fi + +# Extract the first word of "sgml2latex", so it can be a program name with args. +set dummy sgml2latex; ac_word=$2 +echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 +echo "configure:3372: checking for $ac_word" >&5 +if eval "test \"`echo '$''{'ac_cv_prog_HAVE_SGML2LATEX'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + if test -n "$HAVE_SGML2LATEX"; then + ac_cv_prog_HAVE_SGML2LATEX="$HAVE_SGML2LATEX" # Let the user override the test. +else + IFS="${IFS= }"; ac_save_ifs="$IFS"; IFS=":" + ac_dummy="$PATH" + for ac_dir in $ac_dummy; do + test -z "$ac_dir" && ac_dir=. + if test -f $ac_dir/$ac_word; then + ac_cv_prog_HAVE_SGML2LATEX="yes" + break + fi + done + IFS="$ac_save_ifs" + test -z "$ac_cv_prog_HAVE_SGML2LATEX" && ac_cv_prog_HAVE_SGML2LATEX="no" +fi +fi +HAVE_SGML2LATEX="$ac_cv_prog_HAVE_SGML2LATEX" +if test -n "$HAVE_SGML2LATEX"; then + echo "$ac_t""$HAVE_SGML2LATEX" 1>&6 +else + echo "$ac_t""no" 1>&6 +fi + +if test $HAVE_SGML2LATEX = "yes" ; then + if sgml2latex -h | grep -e --paper | grep ' -p ' > /dev/null ; then + PSER="sgml2latex -o ps" + else + PSER="sgml2latex -p" + fi + # Extract the first word of "ps2pdf", so it can be a program name with args. 
+set dummy ps2pdf; ac_word=$2 +echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 +echo "configure:3408: checking for $ac_word" >&5 +if eval "test \"`echo '$''{'ac_cv_prog_HAVE_PS2PDF'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + if test -n "$HAVE_PS2PDF"; then + ac_cv_prog_HAVE_PS2PDF="$HAVE_PS2PDF" # Let the user override the test. +else + IFS="${IFS= }"; ac_save_ifs="$IFS"; IFS=":" + ac_dummy="$PATH" + for ac_dir in $ac_dummy; do + test -z "$ac_dir" && ac_dir=. + if test -f $ac_dir/$ac_word; then + ac_cv_prog_HAVE_PS2PDF="yes" + break + fi + done + IFS="$ac_save_ifs" + test -z "$ac_cv_prog_HAVE_PS2PDF" && ac_cv_prog_HAVE_PS2PDF="no" +fi +fi +HAVE_PS2PDF="$ac_cv_prog_HAVE_PS2PDF" +if test -n "$HAVE_PS2PDF"; then + echo "$ac_t""$HAVE_PS2PDF" 1>&6 +else + echo "$ac_t""no" 1>&6 +fi + +else + # Extract the first word of "sgml2ps", so it can be a program name with args. +set dummy sgml2ps; ac_word=$2 +echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 +echo "configure:3439: checking for $ac_word" >&5 +if eval "test \"`echo '$''{'ac_cv_prog_HAVE_SGML2PS'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + if test -n "$HAVE_SGML2PS"; then + ac_cv_prog_HAVE_SGML2PS="$HAVE_SGML2PS" # Let the user override the test. +else + IFS="${IFS= }"; ac_save_ifs="$IFS"; IFS=":" + ac_dummy="$PATH" + for ac_dir in $ac_dummy; do + test -z "$ac_dir" && ac_dir=. 
+ if test -f $ac_dir/$ac_word; then + ac_cv_prog_HAVE_SGML2PS="yes" + break + fi + done + IFS="$ac_save_ifs" + test -z "$ac_cv_prog_HAVE_SGML2PS" && ac_cv_prog_HAVE_SGML2PS="no" +fi +fi +HAVE_SGML2PS="$ac_cv_prog_HAVE_SGML2PS" +if test -n "$HAVE_SGML2PS"; then + echo "$ac_t""$HAVE_SGML2PS" 1>&6 +else + echo "$ac_t""no" 1>&6 +fi + + if test $HAVE_SGML2PS = yes ; then + PSER="sgml2ps" + fi +fi + + + +trap '' 1 2 15 +cat > confcache <<\EOF +# This file is a shell script that caches the results of configure +# tests run on this system so they can be shared between configure +# scripts and configure runs. It is not useful on other systems. +# If it contains results you don't want to keep, you may remove or edit it. +# +# By default, configure uses ./config.cache as the cache file, +# creating it if it does not exist already. You can give configure +# the --cache-file=FILE option to use a different cache file; that is +# what configure does when it calls configure scripts in +# subdirectories, so they share the cache. +# Giving --cache-file=/dev/null disables caching, for debugging configure. +# config.status only pays attention to the cache file if you give it the +# --recheck option to rerun configure. +# +EOF +# The following way of writing the cache mishandles newlines in values, +# but we know of no workaround that is simple, portable, and efficient. +# So, don't put newlines in cache variables' values. +# Ultrix sh set writes to stderr and can't be redirected directly, +# and sets the high bit in the cache file unless we assign to the vars. +(set) 2>&1 | + case `(ac_space=' '; set | grep ac_space) 2>&1` in + *ac_space=\ *) + # `set' does not quote correctly, so add quotes (double-quote substitution + # turns \\\\ into \\, and sed turns \\ into \). + sed -n \ + -e "s/'/'\\\\''/g" \ + -e "s/^\\([a-zA-Z0-9_]*_cv_[a-zA-Z0-9_]*\\)=\\(.*\\)/\\1=\${\\1='\\2'}/p" + ;; + *) + # `set' quotes correctly as required by POSIX, so do not add quotes. 
+ sed -n -e 's/^\([a-zA-Z0-9_]*_cv_[a-zA-Z0-9_]*\)=\(.*\)/\1=${\1=\2}/p' + ;; + esac >> confcache +if cmp -s $cache_file confcache; then + : +else + if test -w $cache_file; then + echo "updating cache $cache_file" + cat confcache > $cache_file + else + echo "not updating unwritable cache $cache_file" + fi +fi +rm -f confcache + +trap 'rm -fr conftest* confdefs* core core.* *.core $ac_clean_files; exit 1' 1 2 15 + +test "x$prefix" = xNONE && prefix=$ac_default_prefix +# Let make expand exec_prefix. +test "x$exec_prefix" = xNONE && exec_prefix='${prefix}' + +# Any assignment to VPATH causes Sun make to only execute +# the first set of double-colon rules, so remove it if not needed. +# If there is a colon in the path, we need to keep it. +if test "x$srcdir" = x.; then + ac_vpsub='/^[ ]*VPATH[ ]*=[^:]*$/d' +fi + +trap 'rm -f $CONFIG_STATUS conftest*; exit 1' 1 2 15 + +DEFS=-DHAVE_CONFIG_H + +# Without the "./", some shells look in PATH for config.status. +: ${CONFIG_STATUS=./config.status} + +echo creating $CONFIG_STATUS +rm -f $CONFIG_STATUS +cat > $CONFIG_STATUS <<EOF +#! /bin/sh +# Generated automatically by configure. +# Run this file to recreate the current configuration. +# This directory was configured as follows, +# on host `(hostname || uname -n) 2>/dev/null | sed 1q`: +# +# $0 $ac_configure_args +# +# Compiler output produced by configure, useful for debugging +# configure, is in ./config.log if it exists. 
+ +ac_cs_usage="Usage: $CONFIG_STATUS [--recheck] [--version] [--help]" +for ac_option +do + case "\$ac_option" in + -recheck | --recheck | --rechec | --reche | --rech | --rec | --re | --r) + echo "running \${CONFIG_SHELL-/bin/sh} $0 $ac_configure_args --no-create --no-recursion" + exec \${CONFIG_SHELL-/bin/sh} $0 $ac_configure_args --no-create --no-recursion ;; + -version | --version | --versio | --versi | --vers | --ver | --ve | --v) + echo "$CONFIG_STATUS generated by autoconf version 2.13" + exit 0 ;; + -help | --help | --hel | --he | --h) + echo "\$ac_cs_usage"; exit 0 ;; + *) echo "\$ac_cs_usage"; exit 1 ;; + esac +done + +ac_given_srcdir=$srcdir + +trap 'rm -fr `echo "Make.Rules _pam_aconf.h" | sed "s/:[^ ]*//g"` conftest*; exit 1' 1 2 15 +EOF +cat >> $CONFIG_STATUS <<EOF + +# Protect against being on the right side of a sed subst in config.status. +sed 's/%@/@@/; s/@%/@@/; s/%g\$/@g/; /@g\$/s/[\\\\&%]/\\\\&/g; + s/@@/%@/; s/@@/@%/; s/@g\$/%g/' > conftest.subs <<\\CEOF +$ac_vpsub +$extrasub +s%@SHELL@%$SHELL%g +s%@CFLAGS@%$CFLAGS%g +s%@CPPFLAGS@%$CPPFLAGS%g +s%@CXXFLAGS@%$CXXFLAGS%g +s%@FFLAGS@%$FFLAGS%g +s%@DEFS@%$DEFS%g +s%@LDFLAGS@%$LDFLAGS%g +s%@LIBS@%$LIBS%g +s%@exec_prefix@%$exec_prefix%g +s%@prefix@%$prefix%g +s%@program_transform_name@%$program_transform_name%g +s%@bindir@%$bindir%g +s%@sbindir@%$sbindir%g +s%@libexecdir@%$libexecdir%g +s%@datadir@%$datadir%g +s%@sysconfdir@%$sysconfdir%g +s%@sharedstatedir@%$sharedstatedir%g +s%@localstatedir@%$localstatedir%g +s%@libdir@%$libdir%g +s%@includedir@%$includedir%g +s%@oldincludedir@%$oldincludedir%g +s%@infodir@%$infodir%g +s%@mandir@%$mandir%g +s%@LIBPAM_VERSION_MAJOR@%$LIBPAM_VERSION_MAJOR%g +s%@LIBPAM_VERSION_MINOR@%$LIBPAM_VERSION_MINOR%g +s%@LOCALSRCDIR@%$LOCALSRCDIR%g +s%@LOCALOBJDIR@%$LOCALOBJDIR%g +s%@OS@%$OS%g +s%@CONF_CFLAGS@%$CONF_CFLAGS%g +s%@MKDIR@%$MKDIR%g +s%@SHLIBMODE@%$SHLIBMODE%g +s%@USESONAME@%$USESONAME%g +s%@SOSWITCH@%$SOSWITCH%g +s%@NEEDSONAME@%$NEEDSONAME%g 
+s%@LDCONFIG@%$LDCONFIG%g +s%@INSTALL@%$INSTALL%g +s%@CC@%$CC%g +s%@YACC@%$YACC%g +s%@LEX@%$LEX%g +s%@LEXLIB@%$LEXLIB%g +s%@LN_S@%$LN_S%g +s%@SET_MAKE@%$SET_MAKE%g +s%@WITH_DEBUG@%$WITH_DEBUG%g +s%@WITH_MEMORY_DEBUG@%$WITH_MEMORY_DEBUG%g +s%@WITH_LIBDEBUG@%$WITH_LIBDEBUG%g +s%@FAKEROOT@%$FAKEROOT%g +s%@SECUREDIR@%$SECUREDIR%g +s%@SCONFIGDIR@%$SCONFIGDIR%g +s%@SUPLEMENTED@%$SUPLEMENTED%g +s%@INCLUDEDIR@%$INCLUDEDIR%g +s%@DOCDIR@%$DOCDIR%g +s%@MANDIR@%$MANDIR%g +s%@WITH_PAMLOCKING@%$WITH_PAMLOCKING%g +s%@PAM_READ_BOTH_CONFS@%$PAM_READ_BOTH_CONFS%g +s%@STATIC_LIBPAM@%$STATIC_LIBPAM%g +s%@DYNAMIC_LIBPAM@%$DYNAMIC_LIBPAM%g +s%@DYNAMIC@%$DYNAMIC%g +s%@STATIC@%$STATIC%g +s%@WITH_LCKPWDF@%$WITH_LCKPWDF%g +s%@CPP@%$CPP%g +s%@PAM_NEEDS_LIBC@%$PAM_NEEDS_LIBC%g +s%@HAVE_LCKPWDF@%$HAVE_LCKPWDF%g +s%@LIBDL@%$LIBDL%g +s%@HAVE_LIBCRACK@%$HAVE_LIBCRACK%g +s%@HAVE_LIBCRYPT@%$HAVE_LIBCRYPT%g +s%@HAVE_LIBUTIL@%$HAVE_LIBUTIL%g +s%@HAVE_LIBNDBM@%$HAVE_LIBNDBM%g +s%@HAVE_LIBDB@%$HAVE_LIBDB%g +s%@HAVE_LIBFL@%$HAVE_LIBFL%g +s%@HAVE_LIBNSL@%$HAVE_LIBNSL%g +s%@HAVE_LIBPWDB@%$HAVE_LIBPWDB%g +s%@HAVE_LIBFLEX@%$HAVE_LIBFLEX%g +s%@HAVE_LIBLEX@%$HAVE_LIBLEX%g +s%@HAVE_NDBM_H@%$HAVE_NDBM_H%g +s%@CRACKLIB_DICTPATH@%$CRACKLIB_DICTPATH%g +s%@DYNTYPE@%$DYNTYPE%g +s%@OS_CFLAGS@%$OS_CFLAGS%g +s%@WARNINGS@%$WARNINGS%g +s%@PIC@%$PIC%g +s%@LD@%$LD%g +s%@LD_D@%$LD_D%g +s%@LD_L@%$LD_L%g +s%@RANLIB@%$RANLIB%g +s%@STRIP@%$STRIP%g +s%@CC_STATIC@%$CC_STATIC%g +s%@LIBOBJS@%$LIBOBJS%g +s%@HAVE_SGML2TXT@%$HAVE_SGML2TXT%g +s%@HAVE_SGML2HTML@%$HAVE_SGML2HTML%g +s%@HAVE_SGML2LATEX@%$HAVE_SGML2LATEX%g +s%@HAVE_PS2PDF@%$HAVE_PS2PDF%g +s%@HAVE_SGML2PS@%$HAVE_SGML2PS%g +s%@PSER@%$PSER%g +s%@PS2PDF@%$PS2PDF%g + +CEOF +EOF + +cat >> $CONFIG_STATUS <<\EOF + +# Split the substitutions into bite-sized pieces for seds with +# small command number limits, like on Digital OSF/1 and HP-UX. +ac_max_sed_cmds=90 # Maximum number of lines to put in a sed script. +ac_file=1 # Number of current file. 
+ac_beg=1 # First line for current file. +ac_end=$ac_max_sed_cmds # Line after last line for current file. +ac_more_lines=: +ac_sed_cmds="" +while $ac_more_lines; do + if test $ac_beg -gt 1; then + sed "1,${ac_beg}d; ${ac_end}q" conftest.subs > conftest.s$ac_file + else + sed "${ac_end}q" conftest.subs > conftest.s$ac_file + fi + if test ! -s conftest.s$ac_file; then + ac_more_lines=false + rm -f conftest.s$ac_file + else + if test -z "$ac_sed_cmds"; then + ac_sed_cmds="sed -f conftest.s$ac_file" + else + ac_sed_cmds="$ac_sed_cmds | sed -f conftest.s$ac_file" + fi + ac_file=`expr $ac_file + 1` + ac_beg=$ac_end + ac_end=`expr $ac_end + $ac_max_sed_cmds` + fi +done +if test -z "$ac_sed_cmds"; then + ac_sed_cmds=cat +fi +EOF + +cat >> $CONFIG_STATUS <<EOF + +CONFIG_FILES=\${CONFIG_FILES-"Make.Rules"} +EOF +cat >> $CONFIG_STATUS <<\EOF +for ac_file in .. $CONFIG_FILES; do if test "x$ac_file" != x..; then + # Support "outfile[:infile[:infile...]]", defaulting infile="outfile.in". + case "$ac_file" in + *:*) ac_file_in=`echo "$ac_file"|sed 's%[^:]*:%%'` + ac_file=`echo "$ac_file"|sed 's%:.*%%'` ;; + *) ac_file_in="${ac_file}.in" ;; + esac + + # Adjust a relative srcdir, top_srcdir, and INSTALL for subdirectories. + + # Remove last slash and all that follows it. Not all systems have dirname. + ac_dir=`echo $ac_file|sed 's%/[^/][^/]*$%%'` + if test "$ac_dir" != "$ac_file" && test "$ac_dir" != .; then + # The file is in a subdirectory. + test ! -d "$ac_dir" && mkdir "$ac_dir" + ac_dir_suffix="/`echo $ac_dir|sed 's%^\./%%'`" + # A "../" for each directory in $ac_dir_suffix. + ac_dots=`echo $ac_dir_suffix|sed 's%/[^/]*%../%g'` + else + ac_dir_suffix= ac_dots= + fi + + case "$ac_given_srcdir" in + .) srcdir=. + if test -z "$ac_dots"; then top_srcdir=. + else top_srcdir=`echo $ac_dots|sed 's%/$%%'`; fi ;; + /*) srcdir="$ac_given_srcdir$ac_dir_suffix"; top_srcdir="$ac_given_srcdir" ;; + *) # Relative path. 
+ srcdir="$ac_dots$ac_given_srcdir$ac_dir_suffix" + top_srcdir="$ac_dots$ac_given_srcdir" ;; + esac + + + echo creating "$ac_file" + rm -f "$ac_file" + configure_input="Generated automatically from `echo $ac_file_in|sed 's%.*/%%'` by configure." + case "$ac_file" in + *Makefile*) ac_comsub="1i\\ +# $configure_input" ;; + *) ac_comsub= ;; + esac + + ac_file_inputs=`echo $ac_file_in|sed -e "s%^%$ac_given_srcdir/%" -e "s%:% $ac_given_srcdir/%g"` + sed -e "$ac_comsub +s%@configure_input@%$configure_input%g +s%@srcdir@%$srcdir%g +s%@top_srcdir@%$top_srcdir%g +" $ac_file_inputs | (eval "$ac_sed_cmds") > $ac_file +fi; done +rm -f conftest.s* + +# These sed commands are passed to sed as "A NAME B NAME C VALUE D", where +# NAME is the cpp macro being defined and VALUE is the value it is being given. +# +# ac_d sets the value in "#define NAME VALUE" lines. +ac_dA='s%^\([ ]*\)#\([ ]*define[ ][ ]*\)' +ac_dB='\([ ][ ]*\)[^ ]*%\1#\2' +ac_dC='\3' +ac_dD='%g' +# ac_u turns "#undef NAME" with trailing blanks into "#define NAME VALUE". +ac_uA='s%^\([ ]*\)#\([ ]*\)undef\([ ][ ]*\)' +ac_uB='\([ ]\)%\1#\2define\3' +ac_uC=' ' +ac_uD='\4%g' +# ac_e turns "#undef NAME" without trailing blanks into "#define NAME VALUE". +ac_eA='s%^\([ ]*\)#\([ ]*\)undef\([ ][ ]*\)' +ac_eB='$%\1#\2define\3' +ac_eC=' ' +ac_eD='%g' + +if test "${CONFIG_HEADERS+set}" != set; then +EOF +cat >> $CONFIG_STATUS <<EOF + CONFIG_HEADERS="_pam_aconf.h" +EOF +cat >> $CONFIG_STATUS <<\EOF +fi +for ac_file in .. $CONFIG_HEADERS; do if test "x$ac_file" != x..; then + # Support "outfile[:infile[:infile...]]", defaulting infile="outfile.in". 
+ case "$ac_file" in + *:*) ac_file_in=`echo "$ac_file"|sed 's%[^:]*:%%'` + ac_file=`echo "$ac_file"|sed 's%:.*%%'` ;; + *) ac_file_in="${ac_file}.in" ;; + esac + + echo creating $ac_file + + rm -f conftest.frag conftest.in conftest.out + ac_file_inputs=`echo $ac_file_in|sed -e "s%^%$ac_given_srcdir/%" -e "s%:% $ac_given_srcdir/%g"` + cat $ac_file_inputs > conftest.in + +EOF + +# Transform confdefs.h into a sed script conftest.vals that substitutes +# the proper values into config.h.in to produce config.h. And first: +# Protect against being on the right side of a sed subst in config.status. +# Protect against being in an unquoted here document in config.status. +rm -f conftest.vals +cat > conftest.hdr <<\EOF +s/[\\&%]/\\&/g +s%[\\$`]%\\&%g +s%#define \([A-Za-z_][A-Za-z0-9_]*\) *\(.*\)%${ac_dA}\1${ac_dB}\1${ac_dC}\2${ac_dD}%gp +s%ac_d%ac_u%gp +s%ac_u%ac_e%gp +EOF +sed -n -f conftest.hdr confdefs.h > conftest.vals +rm -f conftest.hdr + +# This sed command replaces #undef with comments. This is necessary, for +# example, in the case of _POSIX_SOURCE, which is predefined and required +# on some systems where configure will not decide to define it. +cat >> conftest.vals <<\EOF +s%^[ ]*#[ ]*undef[ ][ ]*[a-zA-Z_][a-zA-Z_0-9]*%/* & */% +EOF + +# Break up conftest.vals because some shells have a limit on +# the size of here documents, and old seds have small limits too. + +rm -f conftest.tail +while : +do + ac_lines=`grep -c . conftest.vals` + # grep -c gives empty output for an empty file on some AIX systems. + if test -z "$ac_lines" || test "$ac_lines" -eq 0; then break; fi + # Write a limited-size here document to conftest.frag. 
+ echo ' cat > conftest.frag <<CEOF' >> $CONFIG_STATUS + sed ${ac_max_here_lines}q conftest.vals >> $CONFIG_STATUS + echo 'CEOF + sed -f conftest.frag conftest.in > conftest.out + rm -f conftest.in + mv conftest.out conftest.in +' >> $CONFIG_STATUS + sed 1,${ac_max_here_lines}d conftest.vals > conftest.tail + rm -f conftest.vals + mv conftest.tail conftest.vals +done +rm -f conftest.vals + +cat >> $CONFIG_STATUS <<\EOF + rm -f conftest.frag conftest.h + echo "/* $ac_file. Generated automatically by configure. */" > conftest.h + cat conftest.in >> conftest.h + rm -f conftest.in + if cmp -s $ac_file conftest.h 2>/dev/null; then + echo "$ac_file is unchanged" + rm -f conftest.h + else + # Remove last slash and all that follows it. Not all systems have dirname. + ac_dir=`echo $ac_file|sed 's%/[^/][^/]*$%%'` + if test "$ac_dir" != "$ac_file" && test "$ac_dir" != .; then + # The file is in a subdirectory. + test ! -d "$ac_dir" && mkdir "$ac_dir" + fi + rm -f $ac_file + mv conftest.h $ac_file + fi +fi; done + +EOF +cat >> $CONFIG_STATUS <<EOF + +EOF +cat >> $CONFIG_STATUS <<\EOF + +exit 0 +EOF +chmod +x $CONFIG_STATUS +rm -fr confdefs* $ac_clean_files +test "$no_create" = yes || ${CONFIG_SHELL-/bin/sh} $CONFIG_STATUS || exit 1 + diff --git a/Linux-PAM/configure.in b/Linux-PAM/configure.in new file mode 100644 index 00000000..8da11c85 --- /dev/null +++ b/Linux-PAM/configure.in 
@@ -0,0 +1,439 @@ +dnl Process this file with autoconf to produce a configure script. +AC_INIT(conf/pam_conv1/pam_conv.y) + +dnl The configuration header file +AC_CONFIG_HEADER(_pam_aconf.h) + +dnl +dnl Release specific +dnl + +LIBPAM_VERSION_MAJOR=0 +LIBPAM_VERSION_MINOR=76 + +AC_SUBST(LIBPAM_VERSION_MAJOR) +AC_SUBST(LIBPAM_VERSION_MINOR) +AC_DEFINE(LIBPAM_VERSION_MAJOR) +AC_DEFINE(LIBPAM_VERSION_MINOR) + +dnl +dnl By default, everything under PAM is installed under the root fs. +dnl + +AC_PREFIX_DEFAULT() + +dnl +dnl Useful info (believed to be portable) - in the future +dnl the LOCALSRCDIR and LOCALOBJDIRs may be different +dnl +LOCALSRCDIR=`/bin/pwd` ; AC_SUBST(LOCALSRCDIR) +LOCALOBJDIR=`/bin/pwd` ; AC_SUBST(LOCALOBJDIR) +OS=`uname|sed -e 'y/ABCDEFGHIJKLMNOPQRSTUVWXYZ/abcdefghijklmnopqrstuvwxyz/'` +AC_SUBST(OS) + +dnl +dnl Rules needed for the following (hardcoded Linux defaults for now) +dnl + +CONF_CFLAGS= ; AC_SUBST(CONF_CFLAGS) +MKDIR="mkdir -p" ; AC_SUBST(MKDIR) + +SHLIBMODE=755 ; AC_SUBST(SHLIBMODE) + +dnl These are most likely platform specific - I think HPUX differs +USESONAME=yes ; AC_SUBST(USESONAME) +SOSWITCH=-soname ; AC_SUBST(SOSWITCH) +NEEDSONAME=no ; AC_SUBST(NEEDSONAME) +LDCONFIG=/sbin/ldconfig ; AC_SUBST(LDCONFIG) + +dnl ### Should enable this INSTALL detection. +dnl ### Would need to distribute GNU's config.guess and config.sub +dnl AC_PROG_INSTALL +if test "$OS" = "aix"; then + INSTALL=/usr/ucb/install -c +else + INSTALL=/usr/bin/install +fi +AC_SUBST(INSTALL) + +dnl Checks for programs. 
+AC_PROG_CC +dnl ### AC_PROG_CXX +AC_PROG_YACC +AC_PROG_LEX +dnl AC_PROG_INSTALL +AC_PROG_LN_S +AC_PROG_MAKE_SET + +dnl +dnl options and defaults +dnl + +dnl lots of debugging information goes to /tmp/pam-debug.log +AC_ARG_ENABLE(debug, +[ --enable-debug specify you are building with debugging on], + WITH_DEBUG=yes ; AC_DEFINE(DEBUG) , WITH_DEBUG=no) +AC_SUBST(WITH_DEBUG) + +AC_ARG_ENABLE(memory-debug, +[ --enable-memory-debug specify you want every malloc etc. call tracked], + WITH_MEMORY_DEBUG=yes ; AC_DEFINE(MEMORY_DEBUG) , WITH_MEMORY_DEBUG=no) +AC_SUBST(WITH_MEMORY_DEBUG) + +dnl build specially named libraries (for debugging purposes) +AC_ARG_ENABLE(libdebug, +[ --enable-libdebug specify you are building debugging libraries], + WITH_LIBDEBUG=yes ; AC_DEFINE(WITH_LIBDEBUG) , WITH_LIBDEBUG=no) +AC_SUBST(WITH_LIBDEBUG) + +dnl packaging convenience +AC_ARG_ENABLE(fakeroot, +[ --enable-fakeroot=<path to packaging directory>], FAKEROOT=$enableval) +AC_SUBST(FAKEROOT) + +AC_ARG_ENABLE(securedir, +[ --enable-securedir=<path to location of PAMs> [default \$libdir/security]], + SECUREDIR=$enableval, SECUREDIR=$libdir/security) +AC_SUBST(SECUREDIR) + +AC_ARG_ENABLE(sconfigdir, +[ --enable-sconfigdir=<path to module conf files> [default \$sysconfdir/security]], + SCONFIGDIR=$enableval, SCONFIGDIR=$sysconfdir/security) +AC_SUBST(SCONFIGDIR) + +AC_ARG_ENABLE(suplementedir, +[ --enable-suplementedir=<path to module helper binaries> [default \$sbindir]], + SUPLEMENTED=$enableval, SUPLEMENTED=$sbindir) +AC_SUBST(SUPLEMENTED) + +AC_ARG_ENABLE(includedir, +[ --enable-includedir=<path to include location> - where to put <security>], + INCLUDEDIR=$enableval, INCLUDEDIR=/usr/include) +AC_SUBST(INCLUDEDIR) + +AC_ARG_ENABLE(docdir, +[ --enable-docdir=<path to store documentation in - /usr/share/doc/pam>], + DOCDIR=$enableval, DOCDIR=/usr/share/doc/pam) +AC_SUBST(DOCDIR) + +AC_ARG_ENABLE(mandir, +[ --enable-mandir=<path to store manuals in - /usr/share/man>], + MANDIR=$enableval, 
MANDIR=/usr/share/man) +AC_SUBST(MANDIR) + +AC_ARG_ENABLE(pamlocking, +[ --enable-pamlocking configure libpam to observe a global authentication lock], + WITH_PAMLOCKING=yes ; AC_DEFINE(PAM_LOCKING) , WITH_PAMLOCKING=no) +AC_SUBST(WITH_PAMLOCKING) + +AC_ARG_ENABLE(uglyhack, +[ --enable-uglyhack configure libpam to try to honor old pam_strerror syntax], + AC_DEFINE(UGLY_HACK_FOR_PRIOR_BEHAVIOR_SUPPORT)) + +AC_ARG_ENABLE(read-both-confs, +[ --enable-read-both-confs read both /etc/pam.d and /etc/pam.conf files], + AC_DEFINE(PAM_READ_BOTH_CONFS)) +AC_SUBST(PAM_READ_BOTH_CONFS) + +AC_ARG_ENABLE(static-libpam, [ --enable-static-libpam build a libpam.a library], + STATIC_LIBPAM=yes , STATIC_LIBPAM=no) +AC_SUBST(STATIC_LIBPAM) + +AC_ARG_ENABLE(dynamic-libpam, +[ --disable-dynamic-libpam do not build a shared libpam library], + DYNAMIC_LIBPAM=no, DYNAMIC_LIBPAM=yes) +AC_SUBST(DYNAMIC_LIBPAM) + +DYNAMIC=-DPAM_DYNAMIC +AC_SUBST(DYNAMIC) + +AC_ARG_ENABLE(static-modules, +[ --enable-static-modules do not make the modules dynamically loadable], + STATIC=-DPAM_STATIC) +AC_SUBST(STATIC) + +AC_ARG_ENABLE(lckpwdf, +[ --disable-lckpwdf do not use the lckpwdf function], + WITH_LCKPWDF=no, WITH_LCKPWDF=yes) +AC_SUBST(WITH_LCKPWDF) + +AC_CHECK_HEADERS(paths.h) +AC_ARG_WITH(mailspool, +[ --with-mailspool path to mail spool directory + [default _PATH_MAILDIR if defined in paths.h, otherwise /var/spool/mail]], +with_mailspool=${withval}) +if test x$with_mailspool != x ; then + pam_mail_spool="\"$with_mailspool\"" +else + AC_TRY_RUN([ +#include <paths.h> +int main() { +#ifdef _PATH_MAILDIR +exit(0); +#else +exit(1); +#endif +}], pam_mail_spool="_PATH_MAILDIR", +pam_mail_spool="\"/var/spool/mail\"", +pam_mail_spool="\"/var/spool/mail\"") +fi +AC_DEFINE_UNQUOTED(PAM_PATH_MAILDIR, $pam_mail_spool) + +dnl Checks for libraries. 
+AC_CHECK_LIB(c, __libc_sched_setscheduler, PAM_NEEDS_LIBC=, PAM_NEEDS_LIBC=-lc) +AC_SUBST(PAM_NEEDS_LIBC) + +dnl Checks for the existence of lckpwdf in libc +AC_CHECK_LIB(c, lckpwdf, HAVE_LCKPWDF=yes, HAVE_LCKPWDF=no) +AC_SUBST(HAVE_LCKPWDF) + +dnl Checks for the existence of libdl - on BSD and Tru64 its part of libc +AC_CHECK_LIB(dl, dlopen, LIBDL=-ldl) +AC_SUBST(LIBDL) + +dnl +dnl At least on Solaris, the existing libcrack must be dynamic. +dnl Ought to introduce a check for this. +dnl +AC_CHECK_LIB(crack, FascistCheck, HAVE_LIBCRACK=yes ; AC_DEFINE(HAVE_LIBCRACK), + HAVE_LIBCRACK=no) +AC_SUBST(HAVE_LIBCRACK) + +AC_CHECK_LIB(crypt, fcrypt, HAVE_LIBCRYPT=yes ; AC_DEFINE(HAVE_LIBCRYPT), + HAVE_LIBCRYPT=no) +AC_SUBST(HAVE_LIBCRYPT) +AC_CHECK_LIB(util, logwtmp, HAVE_LIBUTIL=yes ; AC_DEFINE(HAVE_LIBUTIL), + HAVE_LIBUTIL=no) +AC_SUBST(HAVE_LIBUTIL) +AC_CHECK_LIB(ndbm, dbm_store, HAVE_LIBNDBM=yes ; AC_DEFINE(HAVE_LIBNDBM), + HAVE_LIBNDBM=no) +AC_SUBST(HAVE_LIBNDBM) +AC_CHECK_LIB(db, dbm_store, HAVE_LIBDB=yes ; AC_DEFINE(HAVE_LIBDB), + HAVE_LIBDB=no) +if test x$HAVE_LIBDB != xyes ; then + AC_CHECK_LIB(db, db_create, HAVE_LIBDB=yes ; AC_DEFINE(HAVE_LIBDB), + HAVE_LIBDB=no) +fi +AC_SUBST(HAVE_LIBDB) +AC_CHECK_LIB(fl, yylex, yyterminate, HAVE_LIBFL=yes ; AC_DEFINE(HAVE_LIBFL), + HAVE_LIBFL=no) +AC_SUBST(HAVE_LIBFL) +AC_CHECK_LIB(nsl, yp_maplist, HAVE_LIBNSL=yes ; AC_DEFINE(HAVE_LIBNSL), + HAVE_LIBNSL=no) +AC_SUBST(HAVE_LIBNSL) +AC_CHECK_LIB(pwdb, pwdb_db_name, HAVE_LIBPWDB=yes ; AC_DEFINE(HAVE_LIBPWDB), + HAVE_LIBPWDB=no) +AC_SUBST(HAVE_LIBPWDB) +AC_CHECK_LIB(fl, yywrap, HAVE_LIBFLEX=yes ; AC_DEFINE(HAVE_LIBFLEX), + HAVE_LIBFLEX=no) +AC_SUBST(HAVE_LIBFLEX) +AC_CHECK_LIB(l, yywrap, HAVE_LIBLEX=yes ; AC_DEFINE(HAVE_LIBLEX), + HAVE_LIBLEX=no) +AC_SUBST(HAVE_LIBLEX) + +dnl Checks for header files. 
+AC_HEADER_DIRENT +AC_HEADER_STDC +AC_HEADER_SYS_WAIT +AC_CHECK_HEADERS(fcntl.h limits.h malloc.h sys/file.h sys/ioctl.h sys/time.h syslog.h termio.h unistd.h sys/fsuid.h) + +dnl Linux wants features.h in some of the source files. +AC_CHECK_HEADERS(features.h) + +dnl For module/pam_cracklib +AC_CHECK_HEADERS(crypt.h) + +dnl For module/pam_userdb +AC_CHECK_HEADERS(ndbm.h db.h) +dnl I suspect the following two lines are a hack. +HAVE_NDBM_H=$ac_cv_header_ndbm_h +AC_SUBST(HAVE_NDBM_H) + +dnl For module/pam_lastlog +AC_CHECK_HEADERS(lastlog.h utmp.h utmpx.h) + +dnl This following rule should be made conditional upon HAVE_LIBCRYPT +dnl being found. + +dnl Look for cracklib dictionary +AC_MSG_CHECKING(path to cracklib dictionary) +DICT_DIR_CANDIDATES="/usr/lib /usr/share/dict /usr/share/lib \ + /usr/local/lib /usr/local/share/lib" +DICT_FILE_CANDIDATES="pw_dict cracklib_dict" +CRACKLIB_DICTPATH="" +for d in $DICT_DIR_CANDIDATES ; do + for f in $DICT_FILE_CANDIDATES ; do + if test -r $d/$f.hwm ; then + CRACKLIB_DICTPATH=$d/$f + break 2 + elif test -r $d/dict/$f.hwm ; then + CRACKLIB_DICTPATH=$d/dict/$f + break 2 + fi + done +done +if test -z "$CRACKLIB_DICTPATH" ; then + AC_MSG_RESULT(none found) +else + AC_MSG_RESULT($CRACKLIB_DICTPATH) +fi +AC_SUBST(CRACKLIB_DICTPATH) + +dnl Set FLAGS, linker options etc. depending on C compiler. +dnl gcc is tested and much preferred; others less so, if at all +dnl +dnl If compiling with gcc, linking is also supposed to be done with gcc; +dnl since we use linker-specific arguments, we may not gain anything by +dnl switching LD_L over, but I think we can use LD_D as-is. +dnl +dnl For the moment, gcc is enforced above at "CC=gcc". +dnl +dnl There is an issue over _POSIX_SOURCE _BSD_SOURCE and _GNU_SOURCE . +dnl The original "Linux-PAM" had blanket inclusion. But portability +dnl requires their default absence: if particular OSes require them, +dnl this should be done selectively. 
+ +GCC_WARNINGS="-Wall -Wwrite-strings \ + -Wpointer-arith -Wcast-qual -Wcast-align \ + -Wstrict-prototypes -Wmissing-prototypes \ + -Wnested-externs -Winline -Wshadow" + +if test "$GCC" = yes; then + CC=gcc ; AC_SUBST(CC) +### May need per-OS attention +### Example: -D_POSIX_SOURCE: needed on Linux but harms Solaris. + case $OS in + linux) + OS_CFLAGS="-ansi -D_POSIX_SOURCE -pedantic" + LD_D="gcc -shared -Xlinker -x" + WARNINGS="$GCC_WARNINGS" + PIC="-fPIC" + DYNTYPE=so + LD=ld + LD_L="$LD -x -shared" + RANLIB=ranlib + STRIP=strip + CC_STATIC="-Xlinker -export-dynamic" + ;; + sunos) + OS_CFLAGS="-ansi -pedantic" + LD_D="gcc -shared -Xlinker -x" + WARNINGS="$GCC_WARNINGS" + PIC="-fPIC" + DYNTYPE=so + LD=ld + LD_L="$LD -x -shared" + RANLIB=ranlib + STRIP=strip + CC_STATIC="-Xlinker -export-dynamic" + ;; + aix) + OS_CFLAGS="" + DYNTYPE=lo + LD=ld + LD_L=ld -bexpall -bM:SRE -bnoentry + LD_D="$LD_L" + RANLIB=ranlib + STRIP=strip + ;; + *) + OS_CFLAGS="" + ;; + esac +else +### +### Non-gcc needs attention on per-OS basis +### + case "$OS" in + darwin) +# add some stuff here (see sourceforge bug 534205) +# DOCDIR=/System/Documentation/Administration/Libraries/PAM +# MANDIR=/usr/share/man + ;; + solaris) + ### Support for Solaris-C + OS_CFLAGS="" + WARNINGS="" + PIC="-K pic" + LD=ld + LD_D="cc -z text -G -R." 
+ LD_L="$LD_D" + RANLIB=ranlib + STRIP=strip + CC_STATIC= + ;; + irix*) + OSRELEASE=`uname -r` + if test "$OSRELEASE" = 6.5; then + OS_CFLAGS="" + WARNINGS="-fullwarn" + PIC= #PIC code is default for IRIX + LD="cc -shared" # modules friendly approach + LD_D="cc -shared" + LD_L="ld -G -z redlocsym" + RANLIB=echo + STRIP=strip + CC_STATIC= + else + echo "IRIX prior to 6.5 not allowed for" + exit + fi + ;; + *) echo "Native compiler on $OS is not yet supported" + exit + ;; + esac +fi + +AC_SUBST(DYNTYPE) +AC_SUBST(OS_CFLAGS) +AC_SUBST(WARNINGS) +AC_SUBST(PIC) +AC_SUBST(LD) +AC_SUBST(LD_D) +AC_SUBST(LD_L) +AC_SUBST(RANLIB) +AC_SUBST(STRIP) +AC_SUBST(CC_STATIC) + +dnl Checks for typedefs, structures, and compiler characteristics. +AC_C_BIGENDIAN +AC_C_CONST +AC_TYPE_UID_T +AC_TYPE_OFF_T +AC_TYPE_PID_T +AC_TYPE_SIZE_T +AC_HEADER_TIME +AC_STRUCT_TM + +dnl Checks for library functions. +AC_TYPE_GETGROUPS +AC_PROG_GCC_TRADITIONAL +AC_FUNC_MEMCMP +AC_FUNC_VPRINTF +AC_CHECK_FUNCS(gethostname gettimeofday mkdir select strcspn strdup strerror strspn strstr strtol uname) + +AC_CHECK_FUNCS(getpwnam_r getgrnam_r) + +dnl Checks for programs/utilities +AC_CHECK_PROG(HAVE_SGML2TXT, sgml2txt, yes, no) +AC_CHECK_PROG(HAVE_SGML2HTML, sgml2html, yes, no) +AC_CHECK_PROG(HAVE_SGML2LATEX, sgml2latex, yes, no) +if test $HAVE_SGML2LATEX = "yes" ; then + if sgml2latex -h | grep -e --paper | grep ' -p ' > /dev/null ; then + PSER="sgml2latex -o ps" + else + PSER="sgml2latex -p" + fi + AC_CHECK_PROG(HAVE_PS2PDF, ps2pdf, yes, no) +else + AC_CHECK_PROG(HAVE_SGML2PS, sgml2ps, yes, no) + if test $HAVE_SGML2PS = yes ; then + PSER="sgml2ps" + fi +fi +AC_SUBST(PSER) +AC_SUBST(PS2PDF) + +dnl Files to be created from when we run configure +AC_OUTPUT(Make.Rules) diff --git a/Linux-PAM/defs/debian.defs b/Linux-PAM/defs/debian.defs new file mode 100644 index 00000000..19ba4663 --- /dev/null +++ b/Linux-PAM/defs/debian.defs 
@@ -0,0 +1,40 @@ +## +# defs for Debian +# Ben Collins <bcollins@debian.org> +## +# this file indicates the compiler and the various hardware/OS dependent +# flags for installation. It also defines the various destinations of +# installed files on the system. +## + +CFLAGS := -O2 -I${shell pwd}/include # -D__NO_STRING_INLINES +ifneq (,$(findstring $(DEB_BUILD_OPTIONS),debug DEBUG Debug)) + CFLAGS += -g +endif + +OS := $(shell dpkg-architecture -qDEB_BUILD_GNU_SYSTEM) +ARCH := $(shell dpkg-architecture -qDEB_BUILD_GNU_CPU) +CC := gcc +INSTALL := install +MKDIR := mkdir -p +ULIBS := +LD := ld +LD_D := gcc -shared -Xlinker -x +LD_L := $(LD) -x -shared +AR := ar -cr +RANLIB := ranlib +PREFIX := +LIBDIR := $(PREFIX)/lib +USESONAME := yes +SOSWITCH := -soname +LINKLIBS := -lc -L${shell pwd}/libpam -L${shell pwd}/libpam_misc +NEEDSONAME := no +LDCONFIG := /sbin/ldconfig +FAKEROOT := +SUPLEMENTED := $(PREFIX)/sbin +SECUREDIR := $(LIBDIR)/security +INCLUDED := /usr/include/security +CONFIGED := /etc +SCONFIGED := /etc/security +EXTRALS := -lnsl -lcrypt +WARNINGS := -Wall diff --git a/Linux-PAM/defs/hpux.defs b/Linux-PAM/defs/hpux.defs new file mode 100644 index 00000000..d8341983 --- /dev/null +++ b/Linux-PAM/defs/hpux.defs 
@@ -0,0 +1,36 @@ +## +# HPUX defs contributed by Derrick J Brashear <shadow@dementia.org> +## +# this file indicates the compiler and the various hardware/OS dependent +# flags for installation. It also defines the various destinations of +# installed files on the system. +# +# This file is the default version. Please look in .../defs/ for your +# preferred OS/vendor. + +OS=hpux9 +ARCH=hpux +CC=gcc +INSTALL=install +MKDIR=mkdir -p +CFLAGS=-g -DPAM_SHL -DHAVE_UTMP_H +ULIBS= +LD=ld +LD_D=$(LD) -b +LD_L=$(LD) -b +USESONAME=no +NEEDSONAME=no +LDCONFIG=: +AR=ar -cr +RANLIB=ranlib +FAKEROOT= +PREFIX=/usr +SUPLEMENTED=$(PREFIX)/sbin +LIBDIR=$(PREFIX)/lib +SECUREDIR=$(LIBDIR)/security +INCLUDED=/usr/include/security +CONFIGED=/etc +SCONFIGED=/etc/security +DYNLOAD="dld" +DYNTYPE="sl" +SHLIBMODE=755 diff --git a/Linux-PAM/defs/linux.defs b/Linux-PAM/defs/linux.defs new file mode 100644 index 00000000..0e274320 --- /dev/null +++ b/Linux-PAM/defs/linux.defs @@ -0,0 +1,32 @@ +# this file indicates the compiler and the various hardware/OS dependent +# flags for installation. It also defines the various destinations of +# installed files on the system. +# +# This file is the default version. Please look in .../defs/ for your +# preferred OS/vendor. + +OS=linux +ARCH=i386 # should be changed for alpha +CC=gcc +INSTALL=install +MKDIR=mkdir -p +CFLAGS=-O7 -pipe -g +ULIBS=#-lefence +LD=ld +LD_D=gcc -shared -Xlinker -x +LD_L=$(LD) -x -shared +USESONAME=yes +LINKLIBS=-lc +SOSWITCH=-soname +NEEDSONAME=no +LDCONFIG=/sbin/ldconfig +AR=ar -cr +RANLIB=ranlib +FAKEROOT= +PREFIX=/usr +SUPLEMENTED=$(PREFIX)/sbin +LIBDIR=$(PREFIX)/lib +SECUREDIR=$(LIBDIR)/security +INCLUDED=/usr/include/security +CONFIGED=/etc +SCONFIGED=/etc/security diff --git a/Linux-PAM/defs/morgan.defs b/Linux-PAM/defs/morgan.defs new file mode 100644 index 00000000..2b0cf289 --- /dev/null +++ b/Linux-PAM/defs/morgan.defs 
@@ -0,0 +1,36 @@ +## +# defs for Andrew's debugging version (which is a modified Red Hat +# box) +## +# this file indicates the compiler and the various hardware/OS dependent +# flags for installation. It also defines the various destinations of +# installed files on the system. +# +# This file is the version used for Red Hat Linux. + +OS=linux +ARCH=i386 +CC=gcc +INSTALL=install +MKDIR=mkdir -p +CFLAGS=$(RPM_OPT_FLAGS) -pipe -g +ULIBS= +#-lefence +LD=ld +LD_D=gcc -shared -Xlinker -x +LD_L=$(LD) -x -shared +USESONAME=yes +SOSWITCH=-soname +LINKLIBS=-lc +NEEDSONAME=no +LDCONFIG=/sbin/ldconfig +AR=ar -cr +RANLIB=ranlib +FAKEROOT=$(RPM_BUILD_ROOT) +PREFIX= +SUPLEMENTED=$(PREFIX)/sbin +LIBDIR=$(PREFIX)/lib +SECUREDIR=$(LIBDIR)/security.d +INCLUDED=/usr/include/security +CONFIGED=/etc +SCONFIGED=/etc/security diff --git a/Linux-PAM/defs/redhat.defs b/Linux-PAM/defs/redhat.defs new file mode 100644 index 00000000..a6ed36da --- /dev/null +++ b/Linux-PAM/defs/redhat.defs @@ -0,0 +1,36 @@ +## +# defs for Red Hat Linux +# Michael K. Johnson <johnsonm@redhat.com> +## +# this file indicates the compiler and the various hardware/OS dependent +# flags for installation. It also defines the various destinations of +# installed files on the system. +# +# This file is the version used for Red Hat Linux. + +OS=linux +ARCH=$(shell rpm --showrc | grep '^build arch' | sed 's/^.*: //g') +CC=gcc +INSTALL=install +MKDIR=mkdir -p +CFLAGS=$(RPM_OPT_FLAGS) -pipe -g +ULIBS=#-lefence +LD=ld +LD_D=gcc -shared -Xlinker -x +LD_L=$(LD) -x -shared +USESONAME=yes +SOSWITCH=-soname +LINKLIBS=-lc +NEEDSONAME=no +LDCONFIG=/sbin/ldconfig +AR=ar -cr +RANLIB=ranlib +FAKEROOT=$(RPM_BUILD_ROOT) +PREFIX= +SUPLEMENTED=$(PREFIX)/sbin +LIBDIR=$(PREFIX)/lib +SECUREDIR=$(LIBDIR)/security +INCLUDED=/usr/include/security +CONFIGED=/etc +SCONFIGED=/etc/security +EXTRALS=-lcrypt diff --git a/Linux-PAM/defs/redhat4.defs b/Linux-PAM/defs/redhat4.defs new file mode 100644 index 00000000..219abeb6 --- /dev/null 
+++ b/Linux-PAM/defs/redhat4.defs @@ -0,0 +1,35 @@ +## +# defs for Red Hat Linux +# Michael K. Johnson <johnsonm@redhat.com> +## +# this file indicates the compiler and the various hardware/OS dependent +# flags for installation. It also defines the various destinations of +# installed files on the system. +# +# This file is the version used for Red Hat Linux. + +OS=linux +ARCH=$(shell rpm --showrc | grep '^build arch' | sed 's/^.*: //g') +CC=gcc +INSTALL=install +MKDIR=mkdir -p +CFLAGS=$(RPM_OPT_FLAGS) -pipe -g +ULIBS=#-lefence +LD=ld +LD_D=gcc -shared -Xlinker -x +LD_L=$(LD) -x -shared +USESONAME=yes +SOSWITCH=-soname +LINKLIBS=-lc +NEEDSONAME=no +LDCONFIG=/sbin/ldconfig +AR=ar -cr +RANLIB=ranlib +FAKEROOT=$(RPM_BUILD_ROOT) +PREFIX= +SUPLEMENTED=$(PREFIX)/sbin +LIBDIR=$(PREFIX)/lib +SECUREDIR=$(LIBDIR)/security +INCLUDED=/usr/include/security +CONFIGED=/etc +SCONFIGED=/etc/security diff --git a/Linux-PAM/defs/solaris-2.1.5.defs b/Linux-PAM/defs/solaris-2.1.5.defs new file mode 100644 index 00000000..4624b604 --- /dev/null +++ b/Linux-PAM/defs/solaris-2.1.5.defs 
@@ -0,0 +1,45 @@ +## +# Solaris defs contributed by Josh Wilmes <josh@makita.jpl.nasa.gov> +## +# this file indicates the compiler and the various hardware/OS dependent +# flags for installation. It also defines the various destinations of +# installed files on the system. +# +# This file is the default version. Please look in .../defs/ for your +# preferred OS/vendor. + +# Please note that the linker used must be the GNU ld, not the native Sun +# linker. It is fairly common for the gnu linker (/usr/ccs/bin/ld) to be +# configured as the default linker for gcc. To tell gcc to use the +# gnu linker, you need to set the GCC_EXEC_PREFIX environment variable +# to point at the directory where the gnu linker is installed. Here's +# what I do: +# $ mkdir /tmp/foo +# $ ln -s /path/to/gnu/ld /tmp/foo/ld +# $ export GCC_EXEC_PREFIX=/tmp/foo/ +# $ export PATH=/tmp/foo:$PATH + +OS=solaris +ARCH=sun +CC=gcc +INSTALL=install +MKDIR=mkdir -p +CFLAGS=-O7 -pipe -g -D__EXTENSIONS__ -Dsolaris +ULIBS= +LD_D=gcc -shared -Xlinker -x +LD=ld +LD_L=$(LD) -G +USESONAME=yes +SOSWITCH=-h +NEEDSONAME=no +LDCONFIG=/sbin/echo +AR=ar -cr +RANLIB=ranlib +FAKEROOT= +PREFIX=/usr +SUPLEMENTED=$(PREFIX)/sbin +LIBDIR=$(PREFIX)/lib +SECUREDIR=$(LIBDIR)/security +INCLUDED=/usr/include/security +CONFIGED=/etc +SCONFIGED=/etc/security diff --git a/Linux-PAM/defs/solaris.defs b/Linux-PAM/defs/solaris.defs new file mode 100644 index 00000000..f9f26529 --- /dev/null +++ b/Linux-PAM/defs/solaris.defs 
@@ -0,0 +1,48 @@ +## +# Solaris defs contributed by Josh Wilmes <josh@makita.jpl.nasa.gov> +## +# this file indicates the compiler and the various hardware/OS dependent +# flags for installation. It also defines the various destinations of +# installed files on the system. +# +# This file is the default version. Please look in .../defs/ for your +# preferred OS/vendor. + +# Please note that the linker used must be the GNU ld, not the native Sun +# linker. It is fairly common for the gnu linker (/usr/ccs/bin/ld) to be +# configured as the default linker for gcc. To tell gcc to use the +# gnu linker, you need to set the GCC_EXEC_PREFIX environment variable +# to point at the directory where the gnu linker is installed. Here's +# what I do: +# $ mkdir /tmp/foo +# $ ln -s /path/to/gnu/ld /tmp/foo/ld +# $ export GCC_EXEC_PREFIX=/tmp/foo/ +# $ export PATH=/tmp/foo:$PATH + +OS=solaris +ARCH=sun +CC=cc +INSTALL=install +MKDIR=mkdir -p +WARNINGS = -D_POSIX_SOURCE +PIC=-KPIC +CFLAGS=-g -D__EXTENSIONS__ -Dsolaris +ULIBS= +LD=ld +LD_L=$(LD) -G +LD_D=$(LD_L) +RDYNAMIC= +USESONAME=yes +SOSWITCH=-h +NEEDSONAME=no +LDCONFIG=echo +AR=ar -cr +RANLIB=ranlib +FAKEROOT= +PREFIX=/usr +SUPLEMENTED=$(PREFIX)/sbin +LIBDIR=$(PREFIX)/lib +SECUREDIR=$(LIBDIR)/security +INCLUDED=/usr/include/security +CONFIGED=/etc +SCONFIGED=/etc/security diff --git a/Linux-PAM/defs/sunos.defs b/Linux-PAM/defs/sunos.defs new file mode 100644 index 00000000..158accc5 --- /dev/null +++ b/Linux-PAM/defs/sunos.defs 
@@ -0,0 +1,37 @@ +## +# SunOS defs contributed by Derrick J Brashear <shadow@dementia.org> +## +# this file indicates the compiler and the various hardware/OS dependent +# flags for installation. It also defines the various destinations of +# installed files on the system. +# +# This file is the SunOS version. Please look in .../defs/ for your +# preferred OS/vendor. + +OS=sunos +ARCH=sun +CC=gcc +INSTALL=install +MKDIR=mkdir -p +CFLAGS=-O2 -pipe -g -D__EXTENSIONS__ +ULIBS= +LD_D=gcc -shared -Xlinker -x +LD=ld +LD_L=$(LD) +USESONAME=no +NEEDSONAME=yes +LDCONFIG=/usr/etc/ldconfig +AR=ar cr +RANLIB=ranlib +FAKEROOT= +PREFIX=/usr +SUPLEMENTED=$(PREFIX)/sbin +LIBDIR=$(PREFIX)/lib +SECUREDIR=$(LIBDIR)/security +INCLUDED=/usr/include/security +CONFIGED=/etc +SCONFIGED=/etc/security +WARNINGS= -ansi -Wall -Wwrite-strings \ + -Wpointer-arith -Wcast-qual -Wcast-align \ + -Wtraditional -Wstrict-prototypes -Wmissing-prototypes \ + -Wnested-externs -Winline -Wshadow diff --git a/Linux-PAM/defs/suse.defs b/Linux-PAM/defs/suse.defs new file mode 100644 index 00000000..1fc6b741 --- /dev/null +++ b/Linux-PAM/defs/suse.defs 
@@ -0,0 +1,36 @@ +## +# defs for SuSE Linux +# Thorsten Kukuk <kukuk@suse.de> +## +# this file indicates the compiler and the various hardware/OS dependent +# flags for installation. It also defines the various destinations of +# installed files on the system. +# +# This file is the version used for SuSE Linux. + +OS=linux +ARCH=$(shell rpm --showrc | grep 'build arch' | grep -v "compatible" | sed 's/^.*: //g') +CC=gcc +INSTALL=install +MKDIR=mkdir -p +CFLAGS=$(RPM_OPT_FLAGS) -pipe -D_REENTRANT +ULIBS=#-lefence +LD=ld +LD_D=gcc -shared -Xlinker -x +LD_L=$(LD) -x -shared +USESONAME=yes +SOSWITCH=-soname +LINKLIBS=-lc +NEEDSONAME=yes +LDCONFIG=/sbin/ldconfig +AR=ar -cr +RANLIB=ranlib +FAKEROOT=$(RPM_BUILD_ROOT) +PREFIX= +SUPLEMENTED=$(PREFIX)/sbin +LIBDIR=$(PREFIX)/lib +SECUREDIR=$(LIBDIR)/security +INCLUDED=/usr/include/security +CONFIGED=/etc +SCONFIGED=/etc/security +EXTRALS=-lcrypt diff --git a/Linux-PAM/doc/CREDITS b/Linux-PAM/doc/CREDITS new file mode 100644 index 00000000..1b40f7fd --- /dev/null +++ b/Linux-PAM/doc/CREDITS @@ -0,0 +1,49 @@ +<!-- + an sgml list of people to credit for their contributions to Linux-PAM + $Id: CREDITS,v 1.1.1.1 2001/04/29 04:16:27 hartmans Exp $ + --> +Chris Adams, +Peter Allgeyer, +Tim Baverstock, +Tim Berger, +Craig S. Bell, +Derrick J. Brashear, +Ben Buxton, +Seth Chaiklin, +Oliver Crow, +Chris Dent, +Marc Ewing, +Cristian Gafton, +Emmanuel Galanos, +Brad M. Garcia, +Eric Hester, +Michel D'Hooge, +Roger Hu, +Eric Jacksch, +Michael K. Johnson, +David Kinchlea, +Olaf Kirch, +Marcin Korzonek, +Stephen Langasek, +Nicolai Langfeldt, +Elliot Lee, +Luke Kenneth Casson Leighton, +Al Longyear, +Ingo Luetkebohle, +Marek Michalkiewicz, +Robert Milkowski, +Aleph One, +Martin Pool, +Sean Reifschneider, +Jan Rekorajski, +Erik Troan, +Theodore Ts'o, +Jeff Uphoff, +Myles Uyema, +Savochkin Andrey Vladimirovich, +Ronald Wahl, +David Wood, +John Wilmes, +Joseph S. D. Yao +and +Alex O. Yuriev. 
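Review bot: the debug test in Linux-PAM/defs/debian.defs has its `findstring` arguments reversed. `$(findstring FIND,IN)` looks for FIND inside IN, so `ifneq (,$(findstring $(DEB_BUILD_OPTIONS),debug DEBUG Debug))` only matches when `DEB_BUILD_OPTIONS` is exactly one of the three words; a typical value such as `debug,nostrip` is not found and `-g` is never added (an empty value yields an empty result, so that case happens to behave). It should read `ifneq (,$(findstring debug,$(DEB_BUILD_OPTIONS)))`, with the case variants added only if they are really in use.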
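Review bot: in Linux-PAM/defs/linux.defs the trailing comment on `ARCH=i386 # should be changed for alpha` leaves a trailing space in the value of `ARCH` (GNU make keeps everything up to the `#`, whitespace included), which will surface wherever `$(ARCH)` is embedded in a path or flag; put the comment on its own line, as morgan.defs already does for `#-lefence`. Also, `-O7` in `CFLAGS` (repeated in solaris-2.1.5.defs) is not a gcc optimisation level and is silently clamped; `-O2`, as used in debian.defs and sunos.defs, says what is meant.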
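Review bot: Linux-PAM/defs/morgan.defs sets `SECUREDIR=$(LIBDIR)/security.d`, while every other defs file in this series uses `$(LIBDIR)/security` and the pam.8 page in the same patch documents `/lib/security/` as the default module location. If the `.d` directory is deliberate for the debugging box, a one-line comment saying so would stop it being "fixed" later; if not, it should match the others.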
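Review bot: Linux-PAM/defs/redhat4.defs is a line-for-line copy of redhat.defs except that it omits `EXTRALS=-lcrypt`, and neither file's header says which Red Hat releases it targets (both just say "defs for Red Hat Linux"). A comment stating which release needs the explicit `-lcrypt` and which does not would document the only difference and keep the two files from drifting apart.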
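Review bot: the header comment shared by Linux-PAM/defs/solaris-2.1.5.defs and solaris.defs contradicts itself: it first states that the GNU ld must be used rather than the native Sun linker, then says `It is fairly common for the gnu linker (/usr/ccs/bin/ld) to be configured as the default linker for gcc`. `/usr/ccs/bin/ld` is the native linker, so the second sentence should say "native". The recipe that follows (`$ mkdir /tmp/foo`, `$ ln -s /path/to/gnu/ld /tmp/foo/ld`, `$ export GCC_EXEC_PREFIX=/tmp/foo/`) points the compiler's executable prefix at a fixed name in a world-writable directory; documented build setup should use a directory only the builder can write (for example one created with `mktemp -d` under the builder's home) so the linker the build invokes is the one the builder put there.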
diff --git a/Linux-PAM/doc/Makefile b/Linux-PAM/doc/Makefile new file mode 100644 index 00000000..20c2a23f --- /dev/null +++ b/Linux-PAM/doc/Makefile 
@@ -0,0 +1,167 @@ + +### $Id: Makefile,v 1.1.1.2 2002/09/15 20:08:24 hartmans Exp $ + +include ../Make.Rules + +####################################################### + +FILES=pam pam_appl pam_modules +FSRCS=pam.sgml pam_appl.sgml pam_modules.sgml + +TEXTS=txts/pam.txt txts/pam_appl.txt txts/pam_modules.txt +HTMLS=html/pam.html html/pam_appl.html html/pam_modules.html +PSFILES=ps/pam.ps ps/pam_appl.ps ps/pam_modules.ps +PDFFILES=pdf/pam.pdf ps/pam_appl.pdf ps/pam_modules.pdf + +MODULES=$(shell ls modules/*.sgml) + +####################################################### + +dummy: + @echo "Making the documentation..." + @$(MAKE) all + +# note, at this time we don't include pdf files by default, but you +# can type make pdf in this directory and see what happens in the pdf +# subdirectory. + +all: htmls texts postscript + +htmls: $(HTMLS) + +$(HTMLS) : $(FSRCS) +ifeq ($(HAVE_SGML2HTML),yes) + @for i in $(FILES) ; do \ + if [ ! -f "html/$$i.html" ] || [ "$$i.sgml" -nt "html/$$i.html" ]; \ + then \ + cd html ; sgml2html ../$$i ; \ + if [ $$? -ne 0 ]; then exit 1 ; fi ; \ + cd .. ; \ + fi ; \ + done +else + @echo XXX - you do not have the sgml2html binary installed +endif + +texts: $(TEXTS) + +$(TEXTS) : $(FSRCS) +ifeq ($(HAVE_SGML2TXT),yes) + @for i in $(FILES) ; do \ + if [ ! -f "txts/$$i.txt" ] \ + || [ "$$i.sgml" -nt "txts/$$i.txt" ]; then \ + cd txts ; sgml2txt ../$$i ; cd .. ; \ + fi ; \ + done +else + @echo XXX - you do not have the sgml2txt binary installed +endif + +postscript: $(PSFILES) + +$(PSFILES): $(FSRCS) +ifneq ($(PSER),) + @for i in $(FILES) ; do \ + if [ ! -f "ps/$$i.ps" ] || [ "$$i.sgml" -nt "ps/$$i.ps" ]; then \ + cd ps ; $(PSER) ../$$i ; cd .. ; \ + fi ; \ + done +else + @echo XXX - neither sgml2ps nor sgml2latex binaries are installed +endif + +pdf: $(PDFFILES) + +$(PDFFILES) : $(PSFILES) +ifeq ($(HAVE_PS2PDF),yes) + @for i in $(FILES) ; do \ + if [ ! 
-f "pdf/$$i.pdf" ] || [ "ps/$$i.ps" -nt "ps/$$i.pdf" ]; then \ + ps2pdf ps/$$i.ps pdf/$$i.pdf ; \ + fi ; \ + done +else + @echo XXX - ps2pdf is not installed +endif + +pam.sgml: pam_source.sgml MODULES-SGML CREDITS + @sed -e '/^<!\-\- insert\-file MODULES\-SGML \-\->/r MODULES-SGML' pam_source.sgml | sed -e '/^<!\-\- insert\-file CREDITS \-\->/r CREDITS' > pam.sgml + +MODULES-SGML: $(MODULES) + @echo 'Building module text from files in modules/*.sgml' + @rm -f MODULES-SGML + @echo '<!-- modules included:' > MODULES-SGML + @ls modules/*.sgml >> MODULES-SGML + @echo ' and that is all -->' >> MODULES-SGML + @cat modules/*.sgml >> MODULES-SGML + +extraclean: clean + +remove: + cd man && for file in *.3 ; do \ + rm -f $(FAKEROOT)$(MANDIR)/man3/$$file ; \ + done + cd man && for file in *.8 ; do \ + rm -f $(FAKEROOT)$(MANDIR)/man8/$$file ; \ + done + cd txts && for file in *.txt; do \ + rm -f $(FAKEROOT)$(DOCDIR)/text/$$file ; \ + done + cd ps && for file in *.ps; do \ + rm -f $(FAKEROOT)$(DOCDIR)/ps/$$file ; \ + done + cd html && for file in *.html; do \ + rm -f $(FAKEROOT)$(DOCDIR)/html/$$file ; \ + done + +install: all +ifeq ($(HAVE_SGML2TXT),yes) + mkdir -p $(FAKEROOT)$(DOCDIR)/text + for file in txts/*.txt; do \ + install -m 644 $$file $(FAKEROOT)$(DOCDIR)/text ; \ + done +endif +ifneq ($(PSER),) + mkdir -p $(FAKEROOT)$(DOCDIR)/ps + for file in ps/*.ps; do \ + install -m 644 $$file $(FAKEROOT)$(DOCDIR)/ps ; \ + done + ifeq ($(HAVE_PS2PDF),yes) + mkdir -p $(FAKEROOT)$(DOCDIR)/pdf + for file in pdf/*.pdf; do \ + install -m 644 $$file $(FAKEROOT)$(DOCDIR)/pdf ; \ + done + endif +endif +ifeq ($(HAVE_SGML2HTML),yes) + mkdir -p $(FAKEROOT)$(DOCDIR)/html + for file in html/*.html; do \ + install -m 644 $$file $(FAKEROOT)$(DOCDIR)/html ; \ + done +endif + mkdir -p $(FAKEROOT)$(MANDIR)/man3 + mkdir -p $(FAKEROOT)$(MANDIR)/man8 + for file in man/*.3 ; do \ + install -m 644 $$file $(FAKEROOT)$(MANDIR)/man3 ; \ + done + for file in man/*.8 ; do \ + install -m 644 $$file 
$(FAKEROOT)$(MANDIR)/man8 ; \ + done + +spec: specs/draft-morgan-pam.raw + cd specs/formatter && $(MAKE) + specs/formatter/padout < specs/draft-morgan-pam.raw > specs/draft-morgan-pam-current.txt + +releasedocs: all spec + tar zvfc Linux-PAM-$(MAJOR_REL).$(MINOR_REL)-docs.tar.gz --exclude CVS html ps txts specs/draft-morgan-pam-current.txt + +clean: + rm -f *~ *.bak + rm -f html/pam*.html + rm -f man/*~ + rm -f $(TEXTS) + rm -f $(PSFILES) ps/missfont.log + rm -f pdf/*.pdf + rm -f MODULES-SGML pam.sgml + rm -f specs/draft-morgan-pam-current.txt + $(MAKE) -C specs/formatter clean + diff --git a/Linux-PAM/doc/NOTES b/Linux-PAM/doc/NOTES new file mode 100644 index 00000000..b0f40d47 --- /dev/null +++ b/Linux-PAM/doc/NOTES @@ -0,0 +1,16 @@ +Things to be added: + +@ modules: +@ application: + + use of + 'user' = user to become, + 'uid' = user requesting service + 'euid' = privilege of current process. + +@ sysadmin: + + included modules: + behavior + non-included modules: + behavior/pointers. diff --git a/Linux-PAM/doc/figs/pam_orient.txt b/Linux-PAM/doc/figs/pam_orient.txt new file mode 100644 index 00000000..a8b745a1 --- /dev/null +++ b/Linux-PAM/doc/figs/pam_orient.txt @@ -0,0 +1,23 @@ + + + + +----------------+ + | application: X | + +----------------+ / +----------+ +================+ + | authentication-[---->--\--] Linux- |--<--| /etc/pam.conf | + | + [----<--/--] PAM | |================| + |[conversation()][--+ \ | | | X auth .. a.so | + +----------------+ | / +-n--n-----+ | X auth .. b.so | + | | | __| | | _____/ + | service user | A | | |____,-----' + | | | V A + +----------------+ +------|-----|---------+ -----+------+ + +---u-----u----+ | | | + | auth.... |--[ a ]--[ b ]--[ c ] + +--------------+ + | acct.... |--[ b ]--[ d ] + +--------------+ + | password |--[ b ]--[ c ] + +--------------+ + | session |--[ e ]--[ c ] + +--------------+
\ No newline at end of file diff --git a/Linux-PAM/doc/html/index.html b/Linux-PAM/doc/html/index.html new file mode 100644 index 00000000..8ab3b9ec --- /dev/null +++ b/Linux-PAM/doc/html/index.html @@ -0,0 +1,21 @@ + +<HTML> +<HEAD> +<TITLE>Linux-PAM - Pluggable Authentication Modules for Linux</TITLE> +</HEAD> +<BODY> + +<p> +Here is the documentation for Linux-PAM. As you will see it is +currently not complete. However, in order of decreasing length: + +<ul> +<li> <a href="pam.html">The System Administrators' Guide</a> +<li> <a href="pam_modules.html">The Module Writers' Manual</a> +<li> <a href="pam_appl.html">The Application developers' Manual</a> +</ul> + +<hr> +<p> +REVISION: <tt>$Id: index.html,v 1.1.1.1 2001/04/29 04:16:52 hartmans Exp $</tt> +</BODY> diff --git a/Linux-PAM/doc/man/pam.8 b/Linux-PAM/doc/man/pam.8 new file mode 100644 index 00000000..f2ef9c1f --- /dev/null +++ b/Linux-PAM/doc/man/pam.8 
@@ -0,0 +1,369 @@ +.\" Hey Emacs! This file is -*- nroff -*- source. +.\" $Id: pam.8,v 1.1.1.1 2001/04/29 04:16:52 hartmans Exp $ +.\" Copyright (c) Andrew G. Morgan 1996-7,2001 <morgan@kernel.org> +.TH PAM 8 "2001 Jan 20" "Linux-PAM 0.74" "Linux-PAM Manual" +.SH NAME + +Linux-PAM \- Pluggable Authentication Modules for Linux + +.SH SYNOPSIS +.B /etc/pam.conf +.sp 2 +.SH DESCRIPTION + +This manual is intended to offer a quick introduction to +.BR Linux-PAM ". " +For more information the reader is directed to the +.BR "Linux-PAM system administrators' guide". + +.sp +.BR Linux-PAM +Is a system of libraries that handle the authentication tasks of +applications (services) on the system. The library provides a stable +general interface (Application Programming Interface - API) that +privilege granting programs (such as +.BR login "(1) " +and +.BR su "(1)) " +defer to to perform standard authentication tasks. + +.sp +The principal feature of the PAM approach is that the nature of the +authentication is dynamically configurable. In other words, the +system administrator is free to choose how individual +service-providing applications will authenticate users. This dynamic +configuration is set by the contents of the single +.BR Linux-PAM +configuration file +.BR /etc/pam.conf "." +Alternatively, the configuration can be set by individual +configuration files located in the +.B /etc/pam.d/ +directory. +.IB "The presence of this directory will cause " Linux-PAM " to ignore" +.BI /etc/pam.conf "." + +.sp +From the point of view of the system administrator, for whom this +manual is provided, it is not of primary importance to understand the +internal behavior of the +.BR Linux-PAM +library. The important point to recognize is that the configuration +file(s) +.I define +the connection between applications +.BR "" "(" services ")" +and the pluggable authentication modules +.BR "" "(" PAM "s)" +that perform the actual authentication tasks. 
+ +.sp +.BR Linux-PAM +separates the tasks of +.I authentication +into four independent management groups: +.BR "account" " management; " +.BR "auth" "entication management; " +.BR "password" " management; " +and +.BR "session" " management." +(We highlight the abbreviations used for these groups in the +configuration file.) + +.sp +Simply put, these groups take care of different aspects of a typical +user's request for a restricted service: + +.sp +.BR account " - " +provide account verification types of service: has the user's password +expired?; is this user permitted access to the requested service? + +.br +.BR auth "entication - " +establish the user is who they claim to be. Typically this is via some +challenge-response request that the user must satisfy: if you are who +you claim to be please enter your password. Not all authentications +are of this type, there exist hardware based authentication schemes +(such as the use of smart-cards and biometric devices), with suitable +modules, these may be substituted seamlessly for more standard +approaches to authentication - such is the flexibility of +.BR Linux-PAM "." + +.br +.BR password " - " +this group's responsibility is the task of updating authentication +mechanisms. Typically, such services are strongly coupled to those of +the +.BR auth +group. Some authentication mechanisms lend themselves well to being +updated with such a function. Standard UN*X password-based access is +the obvious example: please enter a replacement password. + +.br +.BR session " - " +this group of tasks cover things that should be done prior to a +service being given and after it is withdrawn. Such tasks include the +maintenance of audit trails and the mounting of the user's home +directory. The +.BR session +management group is important as it provides both an opening and +closing hook for modules to affect the services available to a user. 
+ +.SH The configuration file(s) + +When a +.BR Linux-PAM +aware privilege granting application is started, it activates its +attachment to the PAM-API. This activation performs a number of +tasks, the most important being the reading of the configuration file(s): +.BR /etc/pam.conf "." +Alternatively, this may be the contents of the +.BR /etc/pam.d/ +directory. + +These files list the +.BR PAM "s" +that will do the authentication tasks required by this service, and +the appropriate behavior of the PAM-API in the event that individual +.BR PAM "s " +fail. + +.sp +The syntax of the +.B /etc/pam.conf +configuration file is as follows. The file is made +up of a list of rules, each rule is typically placed on a single line, +but may be extended with an escaped end of line: `\\<LF>'. Comments +are preceded with `#' marks and extend to the next end of line. + +.sp +The format of each rule is a space separated collection of tokens, the +first three being case-insensitive: + +.sp +.br +.BR " service type control module-path module-arguments" + +.sp +The syntax of files contained in the +.B /etc/pam.d/ +directory, are identical except for the absence of any +.I service +field. In this case, the +.I service +is the name of the file in the +.B /etc/pam.d/ +directory. This filename must be in lower case. + +.sp +An important feature of +.BR Linux-PAM ", " +is that a number of rules may be +.I stacked +to combine the services of a number of PAMs for a given authentication +task. + +.sp +The +.BR service +is typically the familiar name of the corresponding application: +.BR login +and +.BR su +are good examples. The +.BR service "-name, " other ", " +is reserved for giving +.I default +rules. Only lines that mention the current service (or in the absence +of such, the +.BR other +entries) will be associated with the given service-application. + +.sp +The +.BR type +is the management group that the rule corresponds to. 
It is used to +specify which of the management groups the subsequent module is to +be associated with. Valid entries are: +.BR account "; " +.BR auth "; " +.BR password "; " +and +.BR session "." +The meaning of each of these tokens was explained above. + +.sp +The third field, +.BR control ", " +indicates the behavior of the PAM-API should the module fail to +succeed in its authentication task. There are two types of syntax for +this control field: the simple one has a single simple keyword; the +more complicated one involves a square-bracketed selection of +.B value=action +pairs. + +.sp +For the simple (historical) syntax valid +.BR control +values are: +.BR requisite +- failure of such a PAM results in the immediate termination of the +authentication process; +.BR required +- failure of such a PAM will ultimately lead to the PAM-API returning +failure but only after the remaining +.I stacked +modules (for this +.BR service +and +.BR type ")" +have been invoked; +.BR sufficient +- success of such a module is enough to satisfy the authentication +requirements of the stack of modules (if a prior +.BR required +module has failed the success of this one is +.IR ignored "); " +.BR optional +- the success or failure of this module is only important if it is the +only module in the stack associated with this +.BR service "+" type "." + +.sp +For the more complicated syntax valid +.B control +values have the following form: +.sp +.RB [value1=action1 value2=action2 ...] +.sp +Where +.B valueN +corresponds to the return code from the function invoked in the module +for which the line is defined. 
It is selected from one of these: +.BR success ; +.BR open_err ; +.BR symbol_err ; +.BR service_err ; +.BR system_err ; +.BR buf_err ; +.BR perm_denied ; +.BR auth_err ; +.BR cred_insufficient ; +.BR authinfo_unavail ; +.BR user_unknown ; +.BR maxtries ; +.BR new_authtok_reqd ; +.BR acct_expired ; +.BR session_err ; +.BR cred_unavail ; +.BR cred_expired ; +.BR cred_err ; +.BR no_module_data ; +.BR conv_err ; +.BR authtok_err ; +.BR authtok_recover_err ; +.BR authtok_lock_busy ; +.BR authtok_disable_aging ; +.BR try_again ; +.BR ignore ; +.BR abort ; +.BR authtok_expired ; +.BR module_unknown ; +.BR bad_item "; and" +.BR default . +The last of these, +.BR default , +implies 'all +.BR valueN 's +not mentioned explicitly. Note, the full list of PAM errors is +available in /usr/include/security/_pam_types.h . The +.B actionN +can be: an unsigned integer, +.BR J , +signifying an action of 'jump over the next J modules in the stack'; +or take one of the following forms: +.br +.B ignore +- when used with a stack of modules, the module's return status will +not contribute to the return code the application obtains; +.br +.B bad +- this action indicates that the return code should be thought of as +indicative of the module failing. If this module is the first in the +stack to fail, its status value will be used for that of the whole +stack. +.br +.B die +- equivalent to bad with the side effect of terminating the module +stack and PAM immediately returning to the application. +.br +.B ok +- this tells PAM that the administrator thinks this return code +should contribute directly to the return code of the full stack of +modules. In other words, if the former state of the stack would lead +to a return of +.BR PAM_SUCCESS , +the module's return code will override this value. Note, if the former +state of the stack holds some value that is indicative of a modules +failure, this 'ok' value will not be used to override that value. 
+.br +.B done +- equivalent to ok with the side effect of terminating the module +stack and PAM immediately returning to the application. +.br +.B reset +- clear all memory of the state of the module stack and start again +with the next stacked module. + +.sp +.BR module-path +- this is either the full filename of the PAM to be used by the +application (it begins with a '/'), or a relative pathname from the +default module location: +.BR /lib/security/ . + +.sp +.BR module-arguments +- these are a space separated list of tokens that can be used to +modify the specific behavior of the given PAM. Such arguments will be +documented for each individual module. + +.SH "FILES" +.BR /etc/pam.conf " - the configuration file" +.br +.BR /etc/pam.d/ " - the" +.BR Linux-PAM +configuration directory. Generally, if this directory is present, the +.B /etc/pam.conf +file is ignored. +.br +.BR /lib/libpam.so.X " - the dynamic library" +.br +.BR /lib/security/*.so " - the PAMs + +.SH ERRORS +Typically errors generated by the +.BR Linux-PAM +system of libraries, will be written to +.BR syslog "(3)." + +.SH "CONFORMING TO" +DCE-RFC 86.0, October 1995. +.br +Contains additional features, but remains backwardly compatible with +this RFC. + +.SH BUGS +.sp 2 +None known. + +.SH "SEE ALSO" + +The three +.BR Linux-PAM +Guides, for +.BR "system administrators" ", " +.BR "module developers" ", " +and +.BR "application developers" ". " diff --git a/Linux-PAM/doc/man/pam.conf.8 b/Linux-PAM/doc/man/pam.conf.8 new file mode 100644 index 00000000..d067b559 --- /dev/null +++ b/Linux-PAM/doc/man/pam.conf.8 @@ -0,0 +1 @@ +.so pam.8 diff --git a/Linux-PAM/doc/man/pam.d.8 b/Linux-PAM/doc/man/pam.d.8 new file mode 100644 index 00000000..d067b559 --- /dev/null +++ b/Linux-PAM/doc/man/pam.d.8 @@ -0,0 +1 @@ +.so pam.8 diff --git a/Linux-PAM/doc/man/pam_authenticate.3 b/Linux-PAM/doc/man/pam_authenticate.3 new file mode 100644 index 00000000..bc1cd5c9 --- /dev/null +++ b/Linux-PAM/doc/man/pam_authenticate.3 
@@ -0,0 +1,91 @@ +.\" Hey Emacs! This file is -*- nroff -*- source. +.\" $Id: pam_authenticate.3,v 1.1.1.1 2001/04/29 04:16:53 hartmans Exp $ +.\" Copyright (c) Andrew G. Morgan 1996-7 <morgan@parc.power.net> +.TH PAM_AUTHENTICATE 3 "1996 Dec 9" "Linux-PAM 0.55" "App. Programmers' Manual" +.SH NAME + +pam_authenticate \- authenticate a user + +.SH SYNOPSIS +.B #include <security/pam_appl.h> +.sp +.BI "int pam_authenticate(pam_handle_t " *pamh ", int " flags ");" +.sp 2 +.SH DESCRIPTION +.B pam_authenticate + +.br +Use this function to authenticate an applicant user. It is linked +.I dynamically +to the authentication modules by +.BR Linux-PAM ". " +It is the task of these module to perform such an authentication. The +specific nature of the authentication is not the concern of the +application. + +.br +Following successful completion, the +.BR name +of the authenticated user will be present in the +.BR Linux-PAM +item +.BR PAM_USER ". " +This item may be recovered with a call to +.BR pam_get_item "(3)." + +.br +The application developer should note that the modules may request +that the user enter their username via the conversation mechanism (see +.BR pam_start "(3))." +Should this be the case, the user-prompt string can be set via +the +.BR PAM_USER_PROMPT +item (see +.BR pam_set_item "(3))." + +.SH "RETURN VALUE" +On success +.BR PAM_SUCCESS +is returned. All other returns should be considered +authentication failures and will be +.I delayed +by an amount specified with prior calls to +.BR pam_fail_delay "(3). " +Specific failures that demand special attention are the following: +.TP +.B PAM_ABORT +the application should exit immediately. Of course, +.BR pam_end "(3)" +should be called first. + +.TP +.B PAM_MAXTRIES +the application has tried too many times to authenticate the +user, authentication should not be attempted again. + +.SH ERRORS +May be translated to text with +.BR pam_strerror "(3). " + +.SH "CONFORMING TO" +DCE-RFC 86.0, October 1995. 
+ +.SH BUGS +.sp 2 +none known. + +.SH "SEE ALSO" + +.BR pam_start "(3), " +.BR pam_get_item "(3) " +.BR pam_fail_delay "(3) " +and +.BR pam_strerror "(3). " + +Also, see the three +.BR Linux-PAM +Guides, for +.BR "System administrators" ", " +.BR "module developers" ", " +and +.BR "application developers" ". " diff --git a/Linux-PAM/doc/man/pam_chauthtok.3 b/Linux-PAM/doc/man/pam_chauthtok.3 new file mode 100644 index 00000000..94a8f2d3 --- /dev/null +++ b/Linux-PAM/doc/man/pam_chauthtok.3 
@@ -0,0 +1,101 @@ +.\" Hey Emacs! This file is -*- nroff -*- source. +.\" $Id: pam_chauthtok.3,v 1.1.1.1 2001/04/29 04:16:53 hartmans Exp $ +.\" Copyright (c) Andrew G. Morgan 1997 <morgan@parc.power.net> +.TH PAM_CHAUTHTOK 3 "1997 Jan 4" "Linux-PAM 0.55" "App. Programmers' Manual" +.SH NAME + +pam_chauthtok \- updating authentication tokens + +.SH SYNOPSIS +.B #include <security/pam_appl.h> +.sp +.BI "int pam_chauthtok(pam_handle_t " *pamh ", int " flags ");" +.sp 2 +.SH DESCRIPTION +.B pam_chauthtok + +.br +Use this function to rejuvenate the authentication tokens (passwords +etc.) of an applicant user. + +.br +Note, the application should not pre-authenticate the user, as this is +performed (if required) by the +.BR Linux-PAM +framework. + +.br +The +.I flags +argument can +.I optionally +take the value, +.BR PAM_CHANGE_EXPIRED_AUTHTOK "." +In such cases the framework is only required to update those +authentication tokens that have expired. Without this argument, the +framework will attempt to obtain new tokens for all configured +authentication mechanisms. The details of the types and number of such +schemes should not concern the calling application. + +.SH RETURN VALUE +A successful return from this function will be indicated with +.BR PAM_SUCCESS "." + +.br +Specific errors of special interest when calling this function are + +.br +.BR PAM_AUTHTOK_ERROR +- a valid new token was not obtained + +.br +.BR PAM_AUTHTOK_RECOVERY_ERR +- old authentication token was not available + +.br +.BR PAM_AUTHTOK_LOCK_BUSY +- a resource needed to update the token was locked (try again later) + +.br +.BR PAM_AUTHTOK_DISABLE_AGING +- one or more of the authentication modules does not honor +authentication token aging + +.br +.BR PAM_TRY_AGAIN +- one or more authentication mechanism is not prepared to update a +token at this time + +.br +In general other return values may be returned. They should be treated +as indicating failure. 
+ +.SH ERRORS +May be translated to text with +.BR pam_strerror "(3). " + +.SH "CONFORMING TO" +DCE-RFC 86.0, October 1995. + +.SH BUGS +.sp 2 +none known. + +.SH "SEE ALSO" + +.BR pam_start "(3), " +.BR pam_authenticate "(3), " +.BR pam_setcred "(3), " +.BR pam_get_item "(3), " +.BR pam_strerror "(3) " +and +.BR pam "(8)." + +.br +Also, see the three +.BR Linux-PAM +Guides, for +.BR "System administrators" ", " +.BR "module developers" ", " +and +.BR "application developers" ". " diff --git a/Linux-PAM/doc/man/pam_close_session.3 b/Linux-PAM/doc/man/pam_close_session.3 new file mode 100644 index 00000000..d851700c --- /dev/null +++ b/Linux-PAM/doc/man/pam_close_session.3 @@ -0,0 +1 @@ +.so pam_open_session.3 diff --git a/Linux-PAM/doc/man/pam_end.3 b/Linux-PAM/doc/man/pam_end.3 new file mode 100644 index 00000000..de999f24 --- /dev/null +++ b/Linux-PAM/doc/man/pam_end.3 @@ -0,0 +1 @@ +.so pam_start.3 diff --git a/Linux-PAM/doc/man/pam_fail_delay.3 b/Linux-PAM/doc/man/pam_fail_delay.3 new file mode 100644 index 00000000..63cc88b3 --- /dev/null +++ b/Linux-PAM/doc/man/pam_fail_delay.3 
@@ -0,0 +1,130 @@ +.\" Hey Emacs! This file is -*- nroff -*- source. +.\" $Id: pam_fail_delay.3,v 1.1.1.1 2001/04/29 04:16:53 hartmans Exp $ +.\" Copyright (c) Andrew G. Morgan 1997 <morgan@parc.power.net> +.TH PAM_FAIL_DELAY 3 "1997 Jan 12" "Linux-PAM 0.56" "Programmers' Manual" +.SH NAME + +pam_fail_delay \- request a delay on failure + +.SH SYNOPSIS +.B #include <security/pam_appl.h> +.br +or, +.br +.B #include <security/pam_modules.h> +.sp +.BI "int pam_fail_delay(pam_handle_t " "*pamh" ", unsigned int " "usec" ");" +.sp 2 +.SH DESCRIPTION +.br +It is often possible to attack an authentication scheme by exploiting +the time it takes the scheme to deny access to an applicant user. In +cases of +.I short +timeouts, it may prove possible to attempt a +.I brute force +dictionary attack -- with an automated process, the attacker tries all +possible passwords to gain access to the system. In other cases, +where individual failures can take measurable amounts of time +(indicating the nature of the failure), an attacker can obtain useful +information about the authentication process. These latter attacks +make use of procedural delays that constitute a +.I covert channel +of useful information. + +.br +To minimize the effectiveness of such attacks, it is desirable to +introduce a random delay in a failed authentication process. +.B Linux-PAM +provides such a facility. The delay occurs upon failure of the +.BR pam_authenticate "(3) " +and +.BR pam_chauthtok "(3) " +functions. It occurs +.I after +all authentication modules have been called, but +.I before +control is returned to the service application. + +.br +The function, +.BR pam_fail_delay "(3)," +is used to specify a required minimum for the length of the +failure-delay; the +.I usec +argument. This function can be called by the service application +and/or the authentication modules, both may have an interest in +delaying a reapplication for service by the user. 
The length of the +delay is computed at the time it is required. Its length is +pseudo-gausianly distributed about the +.I maximum +requested value; the resultant delay will differ by as much as 25% of +this maximum requested value (both up and down). + +.br +On return from +.BR pam_authenticate "(3) or " pam_chauthtok "(3)," +independent of success or failure, the new requested delay is reset to +its default value: zero. + +.SH EXAMPLE +.br +For example, a +.B login +application may require a failure delay of roughly 3 seconds. It will +contain the following code: +.sp +.br +.B " pam_fail_delay(pamh, 3000000 /* micro-seconds */ );" +.br +.B " pam_authenticate(pamh, 0);" +.sp +.br +if the modules do not request a delay, the failure delay will be +between 2.25 and 3.75 seconds. + +.br +However, the modules, invoked in the authentication process, may +also request delays: +.sp +.br +.RB " (module #1) " "pam_fail_delay(pamh, 2000000);" +.sp +.br +.RB " (module #2) " "pam_fail_delay(pamh, 4000000);" +.sp +.br +in this case, it is the largest requested value that is used to +compute the actual failed delay: here between 3 and 5 seconds. + +.SH "RETURN VALUE" +Following a successful call to +.BR pam_fail_delay "(3), " PAM_SUCCESS +is returned. All other returns should be considered serious failures. + +.SH ERRORS +May be translated to text with +.BR pam_strerror "(3). " + +.SH "CONFORMING TO" +Under consideration by the X/Open group for future inclusion in the +PAM RFC. 1996/1/10 + +.SH BUGS +.sp 2 +none known. + +.SH "SEE ALSO" + +.BR pam_start "(3), " +.BR pam_get_item "(3) " +and +.BR pam_strerror "(3). " + +Also, see the three +.BR Linux-PAM +Guides, for +.BR "System administrators" ", " +.BR "module developers" ", " +and +.BR "application developers" ". " diff --git a/Linux-PAM/doc/man/pam_get_item.3 b/Linux-PAM/doc/man/pam_get_item.3 new file mode 100644 index 00000000..f4f0d462 --- /dev/null +++ b/Linux-PAM/doc/man/pam_get_item.3 @@ -0,0 +1 @@ +.so pam_set_item.3 
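Review bot: in pam_fail_delay.3 the DESCRIPTION calls the usec argument `a required minimum for the length of the failure-delay`, but the following paragraph and the EXAMPLE say the actual delay is distributed about the maximum requested value and may be up to 25% below it (2.25 seconds for a 3 second request), so it is not a minimum; describe usec as a requested delay and state explicitly that the jitter is what keeps the failure time from leaking information, since that is the point of the covert-channel paragraph. The EXAMPLE also discards the return values of both calls (`pam_fail_delay(pamh, 3000000 /* micro-seconds */ );` and `pam_authenticate(pamh, 0);`) even though RETURN VALUE says any non-PAM_SUCCESS return from pam_fail_delay is a serious failure; the snippet should check them. Spelling: `pseudo-gausianly` should be `pseudo-Gaussianly`, and since the delay is documented as triggered by both pam_authenticate(3) and pam_chauthtok(3), both belong in SEE ALSO.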
diff --git a/Linux-PAM/doc/man/pam_open_session.3 b/Linux-PAM/doc/man/pam_open_session.3 new file mode 100644 index 00000000..05ccbb88 --- /dev/null +++ b/Linux-PAM/doc/man/pam_open_session.3 
@@ -0,0 +1,99 @@ +.\" Hey Emacs! This file is -*- nroff -*- source. +.\" $Id: pam_open_session.3,v 1.1.1.1 2001/04/29 04:16:53 hartmans Exp $ +.\" Copyright (c) Andrew G. Morgan 1997 <morgan@parc.power.net> +.TH PAM_OPEN_SESSION 3 "1997 Jan 4" "Linux-PAM 0.55" "App. Programmers' Manual" +.SH NAME + +pam_open/close_session \- PAM session management + +.SH SYNOPSIS +.B #include <security/pam_appl.h> +.sp +.BI "int pam_open_session(pam_handle_t " *pamh ", int " flags ");" +.sp +.BI "int pam_close_session(pam_handle_t " *pamh ", int " flags ");" +.sp 2 +.SH DESCRIPTION + +PAM provides management-hooks for the initialization and termination +of a session. + +.TP +.B pam_open_session +.br +Use this function to signal that an authenticated user session has +begun. It should be called only after the user is properly identified +and (where necessary) has been granted their credentials with +.BR pam_authenticate "(3)" +and +.BR pam_setcred "(3)" +respectively. + +.br +Some types of functions associated with session +initialization are logging for the purposes of system-audit and +mounting directories (the user's home directory for example). These +should not concern the application. It should be noted that the +.I effective +uid, +.BR geteuid "(2)," +of the application should be of sufficient privilege to perform such +tasks. + +.TP +.B pam_close_session +.br +Use this function to signal that a user session has +terminated. In general this function may not need to be located in the +same application as the initialization function, +.BR pam_open_session "." + +.br +Typically, this function will undo the actions of +.BR pam_open_session "." +That is, log audit information concerning the end of the user session +or unmount the user's home directory. Apart from having sufficient +privilege the details of the session termination should not concern +the calling application. 
It is good programming practice, however, to +cease acting on behalf of the user on returning from this call. + +.SH RETURN VALUE +A successful return from the session management functions will be +indicated with +.BR PAM_SUCCESS "." + +.br +The specific error indicating a failure to open or close a session is +.BR PAM_SESSION_ERR "." +In general other return values may be returned. They should be treated +as indicating failure. + +.SH ERRORS +May be translated to text with +.BR pam_strerror "(3). " + +.SH "CONFORMING TO" +OSF-RFC 86.0, October 1995. + +.SH BUGS +.sp 2 +none known. + +.SH "SEE ALSO" + +.BR pam_start "(3), " +.BR pam_authenticate "(3), " +.BR pam_setcred "(3), " +.BR pam_get_item "(3), " +.BR pam_strerror "(3) " +and +.BR pam "(3)." + +.br +Also, see the three +.BR Linux-PAM +Guides, for +.BR "System administrators" ", " +.BR "module developers" ", " +and +.BR "application developers" ". " diff --git a/Linux-PAM/doc/man/pam_set_item.3 b/Linux-PAM/doc/man/pam_set_item.3 new file mode 100644 index 00000000..ad759cfd --- /dev/null +++ b/Linux-PAM/doc/man/pam_set_item.3 
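Review bot: in pam_open_session.3 the SEE ALSO entry `.BR pam "(3)."` points at section 3, but pam_chauthtok.3, pam_set_item.3 and pam_strerror.3 in this patch all cite pam(8); make it `pam "(8)."`. CONFORMING TO says `OSF-RFC 86.0` where every other page here says `DCE-RFC 86.0`. One documentation gap: the pam_close_session paragraph tells the application to cease acting on behalf of the user on return, but nothing says what the application should do when pam_open_session fails with PAM_SESSION_ERR (the user must not be treated as logged in); a sentence to that effect belongs in RETURN VALUE.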
@@ -0,0 +1,55 @@ +.\" Hey Emacs! This file is -*- nroff -*- source. +.\" $Id: pam_set_item.3,v 1.1.1.1 2002/09/15 20:08:27 hartmans Exp $ +.\" Copyright (c) Andrew G. Morgan 1996,1997 <morgan@kernel.org> +.TH PAM_SET_ITEM 3 "2001 Jan 21" "Linux-PAM" "App. Programmers' Manual" +.SH NAME + +pam_set_item, pam_get_item \- item manipulation under PAM + +.SH SYNOPSIS +.B #include <security/pam_appl.h> +.br +or +.br +.B #include <secruity/pam_modules.h> +.sp +.BI "int pam_set_item(pam_handle_t " *pamh ", int " item_type ", void " *item ");" +.sp +.BI "int pam_get_item(const pam_handle_t " *pamh ", int " item_type ", const void " **item_p ");" +.sp 2 +.SH DESCRIPTION +.B pam_set_item +.sp +.B pam_set_item + +These functions are currently undocumented in a man page, but see the +end of this man page for more information (the PAM guides). + +On success +.BR PAM_SUCCESS +is returned, all other return values should be treated as errors. + +.SH ERRORS +May be translated to text with +.BR pam_strerror "(3). " + +.SH "CONFORMING TO" +DCE-RFC 86.0, October 1995. + +.SH BUGS +.sp 2 +none known. + +.SH "SEE ALSO" + +.BR pam (8) +and +.BR pam_strerror "(3)." + +Also, see the three +.BR Linux-PAM +Guides, for +.BR "System administrators" ", " +.BR "module developers" ", " +and +.BR "application developers" ". " diff --git a/Linux-PAM/doc/man/pam_setcred.3 b/Linux-PAM/doc/man/pam_setcred.3 new file mode 100644 index 00000000..9681690c --- /dev/null +++ b/Linux-PAM/doc/man/pam_setcred.3 
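Review bot: in pam_set_item.3 the SYNOPSIS has `.B #include <secruity/pam_modules.h>` ("secruity"); anyone copying the header line from the page gets a compile error, so fix it to `security/pam_modules.h`. In DESCRIPTION the two bold names are both `.B pam_set_item`; the second should be `pam_get_item`. The page then states that the functions are `currently undocumented`, so neither the valid item_type values nor who owns the buffer returned through item_p is stated; both are needed before the page is useful to a caller, and the SEE ALSO list should at least point at pam_start(3), which every other page in this patch references.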
@@ -0,0 +1,79 @@ +.\" Hey Emacs! This file is -*- nroff -*- source. +.\" $Id: pam_setcred.3,v 1.1.1.1 2001/04/29 04:16:53 hartmans Exp $ +.\" Copyright (c) Andrew G. Morgan 1996,1997 <morgan@parc.power.net> +.TH PAM_SETCRED 3 "1997 July 6" "Linux-PAM 0.58" "App. Programmers' Manual" +.SH NAME + +pam_setcred \- set the credentials for the user + +.SH SYNOPSIS +.B #include <security/pam_appl.h> +.sp +.BI "int pam_setcred(pam_handle_t " *pamh ", int " flags ");" +.sp 2 +.SH DESCRIPTION +.B pam_setcred + +This function is used to establish, maintain and delete the +credentials of a user. It should be called after a user has been +authenticated and before a session is opened for the user (with +.BR pam_open_session "(3))." + +It should be noted that credentials come in many forms. Examples +include: group memberships; ticket-files; and Linux-PAM environment +variables. For this reason, it is important that the basic identity +of the user is established, by the application, prior to a call to +this function. For example, the default +.BR Linux-PAM +environment variables should be set and also +.BR initgroups "(2) " +(or equivalent) should have been performed. + +.SH "VALID FLAGS" +.TP +.BR PAM_ESTABLISH_CRED +initialize the credentials for the user. + +.TP +.BR PAM_DELETE_CRED +delete the user's credentials. + +.TP +.BR PAM_REINITIALIZE_CRED +delete and then initialize the user's credentials. + +.TP +.BR PAM_REFRESH_CRED +extend the lifetime of the existing credentials. + +.SH "RETURN VALUE" + +On success +.BR PAM_SUCCESS +is returned, all other return values should be treated as errors. + +.SH ERRORS +May be translated to text with +.BR pam_strerror "(3). " + +.SH "CONFORMING TO" +DCE-RFC 86.0, October 1995. + +.SH BUGS +.sp 2 +none known. + +.SH "SEE ALSO" + +.BR pam_authenticate "(3), " +.BR pam_strerror "(3)" +and +.BR pam_open_session "(3). 
" + +Also, see the three +.BR Linux-PAM +Guides, for +.BR "System administrators" ", " +.BR "module developers" ", " +and +.BR "application developers" ". " diff --git a/Linux-PAM/doc/man/pam_start.3 b/Linux-PAM/doc/man/pam_start.3 new file mode 100644 index 00000000..159bf201 --- /dev/null +++ b/Linux-PAM/doc/man/pam_start.3 
@@ -0,0 +1,98 @@ +.\" Hey Emacs! This file is -*- nroff -*- source. +.\" $Id: pam_start.3,v 1.1.1.1 2001/04/29 04:16:53 hartmans Exp $ +.\" Copyright (c) Andrew G. Morgan 1996-7 <morgan@parc.power.net> +.TH PAM_START 3 "1997 Feb 15" "Linux-PAM 0.56" "Application Programmers' Manual" +.SH NAME + +pam_start, pam_end \- activating Linux-PAM + +.SH SYNOPSIS +.B #include <security/pam_appl.h> +.sp +.BI "int pam_start(const char " *service ", const char " *user ", const struct pam_conv " *conv ", pam_handle_t " **pamh_p ");" +.sp +.BI "int pam_end(pam_handle_t " *pamh ", int " pam_status ");" +.sp 2 +.SH DESCRIPTION +.TP +.B pam_start +Initialize the +.I Linux-PAM +library. Identifying the application with a particular +.IR service +name. The +.IR user "name" +can take the value +.IR NULL ", " +if not known at the time the interface is initialized. The +conversation structure is passed to the library via the +.IR conv +argument. (For a complete description of this and other structures +the reader is directed to the more verbose +.IR Linux-PAM +application developers' guide). Upon successful initialization, an +opaque pointer-handle for future access to the library is returned +through the contents of the +.IR pamh_p +pointer. + +.TP +.B pam_end +Terminate the +.B Linux-PAM +library. The service application associated with the +.IR pamh +handle, is terminated. The argument, +.IR pam_status ", " +passes the value most recently returned to the application from the +library; it indicates the manner in which the library should be +shutdown. Besides carrying a return value, this argument may be +logically OR'd with +.IR PAM_DATA_SILENT +to indicate that the module should not treat the call too +seriously. It is generally used to indicate that the current closing +of the library is in a +.IR fork "(2)ed" +process, and that the parent will take care of cleaning up things that +exist outside of the current process space (files etc.). 
+ +.SH "RETURN VALUE" +.TP +.B pam_start +.TP +.B pam_end +On success, +.BR PAM_SUCCESS +is returned + +.SH ERRORS +May be translated to text with +.BR pam_strerror "(3). " + +.SH "CONFORMING TO" +DCE-RFC 86.0, October 1995. +.sp +Note, the +.BR PAM_DATA_SILENT +flag is pending acceptance with the DCE (as of 1996/12/4). + +.SH BUGS +.sp 2 +None known. + +.SH "SEE ALSO" + +.BR fork "(2), " +.BR pam_authenticate "(3), " +.BR pam_acct_mgmt "(3), " +.BR pam_open_session "(3), " +and +.BR pam_chauthtok "(3)." + +Also, see the three +.BR Linux-PAM +Guides, for +.BR "System administrators" ", " +.BR "module developers" ", " +and +.BR "application developers" ". " diff --git a/Linux-PAM/doc/man/pam_strerror.3 b/Linux-PAM/doc/man/pam_strerror.3 new file mode 100644 index 00000000..84622088 --- /dev/null +++ b/Linux-PAM/doc/man/pam_strerror.3 
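Review bot: in pam_start.3 the RETURN VALUE section stacks `.TP`, `.B pam_start`, `.TP`, `.B pam_end` with no text under pam_start, so pam_start renders as an empty tagged paragraph; either give each function its own sentence or collapse the section to one paragraph, and end `is returned` with a period. In DESCRIPTION, `Identifying the application with a particular service name.` is a sentence fragment and should be joined to the preceding sentence. The pam_end paragraph should also state whether pamh may be used after pam_end returns, since the page says the library is terminated but leaves the handle's state unspecified.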
@@ -0,0 +1,51 @@ +.\" Hey Emacs! This file is -*- nroff -*- source. +.\" ripped off from Rick Faith's getgroups man page +.\" $Id: pam_strerror.3,v 1.1.1.1 2001/04/29 04:16:54 hartmans Exp $ +.\" Copyright (c) Andrew G. Morgan 1996-7 <morgan@linux.kernel.org> +.TH PAM_STRERROR 3 "1999 Oct 4" "Linux-PAM 0.70" "Programmers' Manual" +.SH NAME + +pam_strerror \- return a textual description of a Linux-PAM error + +.SH SYNOPSIS +.B #include <security/pam_appl.h> +.br +or, +.br +.B #include <security/pam_modules.h> +.sp +.BI "const char * pam_strerror( pam_handle_t " "*pamh" ", int " pam_error ");" +.sp 2 +.SH DESCRIPTION +.B pam_strerror + +This function returns some text describing the +.BR Linux-PAM +error associated with the +.B pam_error +argument. + +.SH "RETURN VALUE" + +On success this function returns a description of the indicated +error. Should the function not recognize the error, ``Unknown +Linux-PAM error'' is returned. + +.SH "CONFORMING TO" +DCE-RFC 86.0, October 1995. + +.SH BUGS +.sp 2 +This function should be internationalized. + +.SH "SEE ALSO" + +.BR pam "(8). " + +Also, see the three +.BR Linux-PAM +Guides, for +.BR "System administrators" ", " +.BR "module developers" ", " +and +.BR "application developers" ". " diff --git a/Linux-PAM/doc/man/template-man b/Linux-PAM/doc/man/template-man new file mode 100644 index 00000000..5ba564a0 --- /dev/null +++ b/Linux-PAM/doc/man/template-man 
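Review bot: in pam_strerror.3 the pamh parameter shown in the SYNOPSIS is never mentioned in DESCRIPTION; say what it is used for and whether NULL is accepted, because both applications and modules (the page offers both headers) call this from error paths where no handle may be at hand. Minor: the prototype is spaced `pam_strerror( pam_handle_t " "*pamh"` unlike the other synopses in this patch; make the spacing consistent with pam_fail_delay.3.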
@@ -0,0 +1,52 @@ +.\" Hey Emacs! This file is -*- nroff -*- source. +.\" $Id: template-man,v 1.1.1.1 2001/04/29 04:16:54 hartmans Exp $ +.\" Copyright (c) Andrew G. Morgan 1997 <morgan@parc.power.net> +.TH PAM_???? 2 "1997 Jan 4" "Linux-PAM 0.55" "Application Programmers' Manual" +.SH NAME + +function names \- brief summary of function + +.SH SYNOPSIS +.B #include <security/pam_????.h> +.sp +.BI "int pam_???(pam_handle_t " pamh ", int " flags); +.sp 2 +.SH DESCRIPTION +.TP +.B pam_??? +Here goes the +.I explanation +it may be quite +.IR long . +.TP +.SH "RETURN VALUE" +.B pam_??? +On success... +.BR PAM_SUCCESS +is returned +.TP +.SH ERRORS +May be translated to text with +.BR pam_strerror "(2). " + +.SH "CONFORMING TO" +.B pam_??? +DCE-RFC 86.0, October 1995. + +.SH BUGS +.sp 2 +none known. + +.SH "SEE ALSO" + +.BR pam_??? "(2), " +and +.BR pam_??? "(2). " + +Also, see the three +.BR Linux-PAM +Guides, for +.BR "System administrators" ", " +.BR "module developers" ", " +and +.BR "application developers" ". " diff --git a/Linux-PAM/doc/modules/README b/Linux-PAM/doc/modules/README new file mode 100644 index 00000000..b81f1d26 --- /dev/null +++ b/Linux-PAM/doc/modules/README @@ -0,0 +1,13 @@ +$Id: README,v 1.1.1.2 2002/09/15 20:08:28 hartmans Exp $ + +This directory contains a number of sgml sub-files. One for each +documented module. They contain a description of each module and give +some indication of its reliability. + +Additionally, there is a 'module.sgml-template' file which should be +used as a blank form for new module descriptions. + +Please feel free to submit amendments/comments etc. regarding these +files to: + + Andrew G. Morgan <morgan@kernel.org> diff --git a/Linux-PAM/doc/modules/module.sgml-template b/Linux-PAM/doc/modules/module.sgml-template new file mode 100644 index 00000000..36ffe617 --- /dev/null +++ b/Linux-PAM/doc/modules/module.sgml-template 
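Review bot: in template-man the header is `.TH PAM_???? 2` and the cross references are `pam_strerror "(2). "` and `pam_??? "(2), "`, but every real page in this patch lives in section 3 and cites pam_strerror(3); a new page generated from this template inherits the wrong section, so change the 2s to 3s. The stray `.TP` lines immediately before `.SH "RETURN VALUE"` and `.SH ERRORS` carry no tag text and should be dropped, and in `.BI "int pam_???(pam_handle_t " pamh ", int " flags);` the closing `);` sits outside the quotes, unlike the other synopses.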
@@ -0,0 +1,170 @@ +<!-- + + $Id: module.sgml-template,v 1.1.1.1 2001/04/29 04:16:54 hartmans Exp $ + + This template file was written by Andrew G. Morgan + <morgan@kernel.org> + +[ + Text that should be deleted/replaced, is enclosed within + '[' .. ']' + marks. For example, this text should be deleted! +] + +--> + +<sect1> [*Familiar full name of module*, eg. The "allow all" module.] + +<sect2>Synopsis + +<p> +<descrip> + +<tag><bf>Module Name:</bf></tag> +[ + insert the name of the module + + Blank is not permitted. +] + +<tag><bf>Author[s]:</bf></tag> + +[ + Insert author names here + + Blank is not permitted. If in doubt, put "unknown" if the + author wishes to remain anonymous, put "anonymous". +] + +<tag><bf>Maintainer:</bf></tag> + +[ + Insert names and date-begun of most recent maintainer. +] + +<tag><bf>Management groups provided:</bf></tag> + +[ + list the subset of four management groups supported by the + module. Choose from: account; authentication; password; + session. + + Blank entries are not permitted. Explicitly list all of the + management groups. In the future more may be added to libpam! +] + +<tag><bf>Cryptographically sensitive:</bf></tag> + +[ + Indicate whether this module contains code that can perform + reversible (strong) encryption. This field is primarily to + ensure that people redistributing it are not unwittingly + breaking laws... + + Modules may also require the presence of some local library + that performs the necessary encryption via some standard API. + In this case "uses API" can be included in this field. The + library in question should be added to the system requirements + below. + + Blank = no cryptography is used by module. +] + +<tag><bf>Security rating:</bf></tag> + +[ + Initially, this field should be left blank. If someone takes + it upon themselves to test the strength of the module, it can + later be filled. + + Blank = unknown. 
+] + +<tag><bf>Clean code base:</bf></tag> + +[ + This will probably be filled by the libpam maintainer. + It can be considered to be a public humiliation list. :*) + + I am of the opinion that "gcc -with_all_those_flags" is + trying to tell us something about whether the program + works as intended. Since there is currently no Security + evaluation procedure for modules IMHO this is not a + completely unreasonable indication (a lower bound anyway) + of the reliability of a module. + + This field would indicate the number and flavor of + warnings that gcc barfs up when trying to compile the + module as part of the tree. Is this too tyrannical? + + Blank = Linux-PAM maintainer has not tested it :) +] + +<tag><bf>System dependencies:</bf></tag> + +[ + here we list config files, dynamic libraries needed, system + resources, kernel options.. etc. + + Blank = nothing more than libc required. +] + +<tag><bf>Network aware:</bf></tag> + +[ + Does the module base its behavior on probing a network + connection? Does it expect to be protected by the + application? + + Blank = Ignorance of network. +] + +</descrip> + +<sect2>Overview of module + +[ + some text describing the intended actions of the module + general comments mainly (specifics in sections + below). +] + +[ + + [ now we have a <sect2> level subsection for each of the + management groups. Include as many as there are groups + listed above in the synopsis ] + +<sect2>[ Account | Authentication | Password | Session ] component + +<p> +<descrip> + +<tag><bf>Recognized arguments:</bf></tag> + +[ + List the supported arguments (leave their description for the + description below. + + Blank = no arguments are read and nothing is logged to syslog + about any arguments that are passed. Note, this + behavior is contrary to the RFC! +] + +<tag><bf>Description:</bf></tag> + +[ + This component of the module performs the task of ... 
+] + +<tag><bf>Examples/suggested usage:</bf></tag> + +[ + Here we list some doos and don'ts for this module. +] + +</descrip> + +<!-- +End of sgml insert for this module. +--> diff --git a/Linux-PAM/doc/modules/pam_access.sgml b/Linux-PAM/doc/modules/pam_access.sgml new file mode 100644 index 00000000..8a910d13 --- /dev/null +++ b/Linux-PAM/doc/modules/pam_access.sgml 
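Review bot: in module.sgml-template the bracket opened just before `[ now we have a <sect2> level subsection ...` is never closed: the inner comment closes with `]`, the Description and Examples placeholders each open and close their own, and the file then reaches `</descrip>` with the outer `[` still open, so someone removing placeholders by bracket matching will strip the whole component section; drop that outer `[`. The `Recognized arguments` placeholder says that a blank entry means `nothing is logged to syslog about any arguments that are passed` and that this `is contrary to the RFC`; that is an instruction to module authors disguised as a field description and should say plainly that unrecognized arguments are to be logged. Typo: `doos and don'ts`.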
@@ -0,0 +1,117 @@ +<!-- + + pam_access module docs added by Tim Berger <timb@transmeta.com> + +--> + +<sect1> The access module + +<sect2>Synopsis + +<p> +<descrip> + +<tag><bf>Module Name:</bf></tag> + +<tt>pam_access</tt> + + +<tag><bf>Author[s]:</bf></tag> + +Alexei Nogin <alexei@nogin.dnttm.ru> + +<tag><bf>Maintainer:</bf></tag> + +<tag><bf>Management groups provided:</bf></tag> + +account + +<tag><bf>Cryptographically sensitive:</bf></tag> + +<tag><bf>Security rating:</bf></tag> + +<tag><bf>Clean code base:</bf></tag> + +<tag><bf>System dependencies:</bf></tag> +Requires a configuration file. By default +<tt>/etc/security/access.conf</tt> is used but this can be overridden. + +<tag><bf>Network aware:</bf></tag> + +Through <tt/PAM_TTY/ if set, otherwise attempts getting tty name of +the stdin file descriptor with <tt/ttyname()/. Standard +gethostname(), <tt/yp_get_default_domain()/, <tt/gethostbyname()/ +calls. <bf/NIS/ is used for netgroup support. + +</descrip> + +<sect2>Overview of module + +<p> +Provides logdaemon style login access control. + +<sect2> Account component + +<p> +<descrip> + +<tag><bf>Recognized arguments:</bf></tag> + +<tt>accessfile=<it>/path/to/file.conf</it></tt>; +<tt>fieldsep=<it>separators</it></tt> + +<tag><bf>Description:</bf></tag> + +This module provides logdaemon style login access control based on +login names and on host (or domain) names, internet addresses (or +network numbers), or on terminal line names in case of non-networked +logins. Diagnostics are reported through <tt/syslog(3)/. Wietse +Venema's <tt/login_access.c/ from <em/logdaemon-5.6/ is used with +several changes by A. Nogin. + +<p> +The behavior of this module can be modified with the following +arguments: +<itemize> + +<item><tt>accessfile=/path/to/file.conf</tt> - +indicate an alternative <em/access/ configuration file to override +the default. This can be useful when different services need different +access lists. 
+ +<item><tt>fieldsep=<it>separators</it></tt> - +this option modifies the field separator character that +<tt/pam_access/ will recognize when parsing the access configuration +file. For example: <tt>fieldsep=|</tt> will cause the default `:' +character to be treated as part of a field value and `|' becomes the +field separator. Doing this is useful in conjuction with a system that +wants to use pam_access with X based applications, since the +<tt/PAM_TTY/ item is likely to be of the form "hostname:0" which +includes a `:' character in its value. + +</itemize> + +<tag><bf>Examples/suggested usage:</bf></tag> + +Use of module is recommended, for example, on administrative machines +such as <bf/NIS/ servers and mail servers where you need several accounts +active but don't want them all to have login capability. + +For <tt>/etc/pam.d</tt> style configurations where your modules live +in <tt>/lib/security</tt>, start by adding the following line to +<tt>/etc/pam.d/login</tt>, <tt>/etc/pam.d/rlogin</tt>, +<tt>/etc/pam.d/rsh</tt> and <tt>/etc/pam.d/ftp</tt>: + +<tscreen> +<verb> +account required /lib/security/pam_access.so +</verb> +</tscreen> + +Note that use of this module is not effective unless your system ignores +<tt>.rhosts</tt> files. See the the pam_rhosts_auth documentation. + +A sample <tt>access.conf</tt> configuration file is included with the +distribution. + +</descrip> diff --git a/Linux-PAM/doc/modules/pam_chroot.sgml b/Linux-PAM/doc/modules/pam_chroot.sgml new file mode 100644 index 00000000..2bc3e8af --- /dev/null +++ b/Linux-PAM/doc/modules/pam_chroot.sgml 
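Review bot: in pam_access.sgml the Description says rules are matched on host or domain names and the Network aware entry says those names come from `gethostbyname()`, yet nothing tells the administrator that a name-based rule is only as trustworthy as the name resolution behind it; add a sentence recommending internet-address or network-number entries where that matters, next to the existing caveat that the module `is not effective unless your system ignores .rhosts files`, which is the other precondition an administrator must check before relying on it. `Maintainer:` is left blank, and there are two typos: `conjuction` and `See the the pam_rhosts_auth`.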
@@ -0,0 +1,86 @@ +<!-- + $Id: pam_chroot.sgml,v 1.1.1.1 2001/04/29 04:16:55 hartmans Exp $ + + This file was written by Bruce Campbell <brucec@humbug.org.au> +--> + +<sect1>Chroot + +<sect2>Synopsis + +<p> +<descrip> + +<tag><bf>Module Name:</bf></tag> +<tt/pam_chroot/ + +<tag><bf>Author:</bf></tag> +Bruce Campbell <brucec@humbug.org.au> + +<tag><bf>Maintainer:</bf></tag> +Author; proposed on 20/11/96 - email for status + +<tag><bf>Management groups provided:</bf></tag> +account; session; authentication + +<tag><bf>Cryptographically sensitive:</bf></tag> + +<tag><bf>Security rating:</bf></tag> + +<tag><bf>Clean code base:</bf></tag> +Unwritten. + +<tag><bf>System dependencies:</bf></tag> + +<tag><bf>Network aware:</bf></tag> +Expects localhost. + +</descrip> + +<sect2>Overview of module + +<p> +This module is intended to provide a transparent wrapper around the +average user, one that puts them in a fake file-system (eg, their +'<tt>/</tt>' is really <tt>/some/where/else</tt>). + +<p> +Useful if you have several classes of users, and are slightly paranoid +about security. Can be used to limit who else users can see on the +system, and to limit the selection of programs they can run. + +<sect2>Account component: + +<p> +<em/Need more info here./ + +<sect2>Authentication component: + +<p> +<em/Need more info here./ + +<sect2>Session component: + +<p> +<em/Need more info here./ + +<p> +<descrip> + +<tag><bf>Recognized arguments:</bf></tag> +Arguments and logging levels for the PAM version are being worked on. + +<tag><bf>Description:</bf></tag> + +<tag><bf>Examples/suggested usage:</bf></tag> +Do provide a reasonable list of programs - just tossing 'cat', 'ls', 'rm', +'cp' and 'ed' in there is a bit... +<p> +Don't take it to extremes (eg, you can set up a separate environment for +each user, but its a big waste of your disk space.) + +</descrip> + +<!-- +End of sgml insert for this module. +--> 
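Review bot: in pam_chroot.sgml the Synopsis lists `account; session; authentication` under Management groups provided, but Clean code base says `Unwritten.` and all three component sections say `Need more info here.`, so the page documents a module that by its own account does not exist yet; the Overview should open with that status so an administrator does not go looking for the module under the groups listed, and the Maintainer line `Author; proposed on 20/11/96 - email for status` needs an unambiguous date format. The Examples entry is the only substantive guidance and reads as a hint (`Do provide a reasonable list of programs`); either say what a reasonable list looks like or mark the section as a placeholder like the others. Typo: `its a big waste` should be `it's`.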
diff --git a/Linux-PAM/doc/modules/pam_cracklib.sgml b/Linux-PAM/doc/modules/pam_cracklib.sgml new file mode 100644 index 00000000..de1d5df2 --- /dev/null +++ b/Linux-PAM/doc/modules/pam_cracklib.sgml 
@@ -0,0 +1,304 @@ +<!-- + $Id: pam_cracklib.sgml,v 1.1.1.2 2002/09/15 20:08:28 hartmans Exp $ + + This file was written by Andrew G. Morgan <morgan@kernel.org> + long password amendments are from Philip W. Dalrymple III <pwd@mdtsoft.com> +--> + +<sect1>Cracklib pluggable password strength-checker + +<sect2>Synopsis + +<p> +<descrip> + +<tag><bf>Module Name:</bf></tag> + +pam_cracklib + +<tag><bf>Author:</bf></tag> + +Cristian Gafton <gafton@redhat.com> + +<tag><bf>Maintainer:</bf></tag> + +Author. + +<tag><bf>Management groups provided:</bf></tag> + +password + +<tag><bf>Cryptographically sensitive:</bf></tag> + +<tag><bf>Security rating:</bf></tag> + +<tag><bf>Clean code base:</bf></tag> + +<tag><bf>System dependencies:</bf></tag> + +Requires the system library <tt/libcrack/ and a system dictionary: +<tt>/usr/lib/cracklib_dict</tt>. + +<tag><bf>Network aware:</bf></tag> + +</descrip> + +<sect2>Overview of module + +<p> +This module can be plugged into the <tt/password/ stack of a given +application to provide some plug-in strength-checking for passwords. + +<p> +This module works in the following manner: it first calls the +<em>Cracklib</em> routine to check the strength of the password; if +crack likes the password, the module does an additional set of +strength checks. These checks are: +<itemize> + +<item> <bf/Palindrome/ - + +Is the new password a palindrome of the old one? + +<item> <bf/Case Change Only/ - + +Is the new password the the old one with only a change of case? + +<item> <bf/Similar/ - + +Is the new password too much like the old one? This is primarily +controlled by one argument, <tt/difok/ which is a number of characters +that if different between the old and new are enough to accept the new +password, this defaults to 10 or 1/2 the size of the new password +whichever is smaller. + +To avoid the lockup associated with trying to change a long and +complicated password, <tt/difignore/ is available. 
This argument can +be used to specify the minimum length a new password needs to be +before the <tt/difok/ value is ignored. The default value for +<tt/difignore/ is 23. + + +<item> <bf/Simple/ - + +Is the new password too small? This is controlled by 5 arguments +<tt/minlen/, <tt/dcredit/, <tt/ucredit/, <tt/lcredit/, and +<tt/ocredit/. See the section on the arguments for the details of how +these work and there defaults. + +<item> <bf/Rotated/ - + +Is the new password a rotated version of the old password? + +<item> <bf/Already used/ - + +Was the password used in the past? Previously used passwords are to +be found in /etc/security/opasswd. + +</itemize> + +<p> +This module with no arguments will work well for standard unix +password encryption. With md5 encryption, passwords can be longer +than 8 characters and the default settings for this module can make it +hard for the user to choose a satisfactory new password. Notably, the +requirement that the new password contain no more than 1/2 of the +characters in the old password becomes a non-trivial constraint. For +example, an old password of the form "the quick brown fox jumped over +the lazy dogs" would be difficult to change... In addition, the +default action is to allow passwords as small as 5 characters in +length. For a md5 systems it can be a good idea to increase the +required minimum size of a password. One can then allow more credit +for different kinds of characters but accept that the new password may +share most of these characters with the old password. + +<sect2>Password component + +<p> +<descrip> + +<tag><bf>Recognized arguments:</bf></tag> + +<tt/debug/; <tt/type=XXX/; <tt/retry=N/; <tt/difok=N/; <tt/minlen=N/; +<tt/dcredit=N/; <tt/ucredit=N/; <tt/lcredit=N/; <tt/ocredit=N/; +<tt/use_authtok/; + +<tag><bf>Description:</bf></tag> + +The action of this module is to prompt the user for a password and +check its strength against a system dictionary and a set of rules for +identifying poor choices. 
+ +<p> +The default action is to prompt for a single password, check its +strength and then, if it is considered strong, prompt for the password +a second time (to verify that it was typed correctly on the first +occasion). All being well, the password is passed on to subsequent +modules to be installed as the new authentication token. + +<p> +The default action may be modified in a number of ways using the +arguments recognized by the module: +<itemize> + +<item> <tt/debug/ - + +this option makes the module write information to syslog(3) indicating +the behavior of the module (this option does <bf/not/ write password +information to the log file). + +<item> <tt/type=XXX/ - + +the default action is for the module to use the following prompts when +requesting passwords: ``New UNIX password: '' and ``Retype UNIX +password: ''. Using this option you can replace the word UNIX with +<tt/XXX/. + +<item> <tt/retry=N/ - + +the default number of times this module will request a new password +(for strength-checking) from the user is 1. Using this argument this +can be increased to <tt/N/. + +<item> <tt/difok=N/ - + +This argument will change the default of 10 for the number of +characters in the new password that must not be present in the old +password. In addition, if 1/2 of the characters in the new password +are different then the new password will be accepted anyway. + +<item> <tt/minlen=N/ - + +The minimum acceptable size for the new password (plus one if credits +are not disabled which is the default). +In addition to the number of characters in the new password, credit (of ++1 in length) is given for each different kind of character (<em>other, +upper, lower</em> and <em/digit/). The default for this parameter is +9 which is good for a old style UNIX password all of the same type of +character but may be too low to exploit the added security of a md5 +system. 
Note that there is a pair of length limits in +<em>Cracklib</em> itself, a "way too short" limit of 4 which is hard +coded in and a defined limit (6) that will be checked without +reference to <tt>minlen</tt>. If you want to allow passwords as short +as 5 characters you should either not use this module or recompile +the crack library and then recompile this module. + +<item> <tt/dcredit=N/ - + +(N >= 0) This is the maximum credit for having digits in the new password. If +you have less than or <tt/N/ digits, each digit will count +1 towards +meeting the current <tt/minlen/ value. The default for <tt/dcredit/ +is 1 which is the recommended value for <tt/minlen/ less than 10. +(N < 0) This is the minimum number of digits that must be met for a new +password. + +<item> <tt/ucredit=N/ - + +(N >= 0) This is the maximum credit for having upper case letters in the new +password. If you have less than or <tt/N/ upper case letters each +letter will count +1 towards meeting the current <tt/minlen/ value. +The default for <tt/ucredit/ is 1 which is the recommended value for +<tt/minlen/ less than 10. (N < 0) This is the minimum number of upper +case letters that must be met for a new password. + +<item> <tt/lcredit=N/ - + +(N >= 0) This is the maximum credit for having lower case letters in the new +password. If you have less than or <tt/N/ lower case letters, each +letter will count +1 towards meeting the current <tt/minlen/ value. +The default for <tt/lcredit/ is 1 which is the recommended value for +<tt/minlen/ less than 10. (N < 0) This is the minimum number of lower +case letters that must be met for a new password. + +<item> <tt/ocredit=N/ - + +(N >= 0) This is the maximum credit for having other characters in the new +password. If you have less than or <tt/N/ other characters, each +character will count +1 towards meeting the current <tt/minlen/ value. +The default for <tt/ocredit/ is 1 which is the recommended value for +<tt/minlen/ less than 10. 
(N < 0) This is the minimum number of other +characters that must be met for a new password. + +<item> <tt/use_authtok/ - + +This argument is used to <em/force/ the module to not prompt the user +for a new password but use the one provided by the previously stacked +<tt/password/ module. + +</itemize> + +<tag><bf>Examples/suggested usage:</bf></tag> + +<p> +For an example of the use of this module, we show how it may be +stacked with the password component of <tt/pam_pwdb/: +<tscreen> +<verb> +# +# These lines stack two password type modules. In this example the +# user is given 3 opportunities to enter a strong password. The +# "use_authtok" argument ensures that the pam_pwdb module does not +# prompt for a password, but instead uses the one provided by +# pam_cracklib. +# +passwd password required pam_cracklib.so retry=3 +passwd password required pam_pwdb.so use_authtok +</verb> +</tscreen> + +<p> +Another example (in the <tt>/etc/pam.d/passwd</tt> format) is for the +case that you want to use md5 password encryption: +<tscreen> +<verb> +#%PAM-1.0 +# +# These lines allow a md5 systems to support passwords of at least 14 +# bytes with extra credit of 2 for digits and 2 for others the new +# password must have at least three bytes that are not present in the +# old password +# +password required pam_cracklib.so \ + difok=3 minlen=15 dcredit= 2 ocredit=2 +password required pam_pwdb.so use_authtok nullok md5 +</verb> +</tscreen> + +<p> +And here is another example in case you don't want to use credits: +<tscreen> +<verb> +#%PAM-1.0 +# +# These lines require the user to select a password with a minimum +# length of 8 and with at least 1 digit number, 1 upper case letter, +# and 1 other character +# +password required pam_cracklib.so \ + dcredit=-1 ucredit=-1 ocredit=-1 lcredit=0 minlen=8 +password required pam_pwdb.so use_authtok nullok md5 +</verb> +</tscreen> + +<p> +In this example we simply say that the password must have a minimum +length of 8: +<tscreen> +<verb> 
+#%PAM-1.0 +# +# These lines require the user to select a password with a mimimum +# length of 8. He gets no credits and he is not forced to use +# digit numbers, upper case letters etc. +# +password required pam_cracklib.so \ + dcredit=0 ucredit=0 ocredit=0 lcredit=0 minlen=8 +password required pam_pwdb.so use_authtok nullok md5 +</verb> +</tscreen> + +</descrip> + +<!-- +End of sgml insert for this module. +--> diff --git a/Linux-PAM/doc/modules/pam_deny.sgml b/Linux-PAM/doc/modules/pam_deny.sgml new file mode 100644 index 00000000..d8041d19 --- /dev/null +++ b/Linux-PAM/doc/modules/pam_deny.sgml 
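Review bot: in the md5 example, "password required pam_cracklib.so \ difok=3 minlen=15 dcredit= 2 ocredit=2", the space in "dcredit= 2" splits what should be one argument into two, so the module would receive an empty "dcredit=" plus a stray "2"; write "dcredit=2" as in every other example. The comment above that line promises "passwords of at least 14 bytes" while the line sets minlen=15 with all four credit classes still enabled, so the comment and the configuration should be reconciled. Also fix "there defaults" (their) in the Simple item and "mimimum" in the last example's comment, and the overview's statement that the default allows "passwords as small as 5 characters" should be squared with the minlen text, which says cracklib's own limit of 6 is checked without reference to minlen.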
@@ -0,0 +1,177 @@ +<!-- + $Id: pam_deny.sgml,v 1.1.1.2 2002/09/15 20:08:29 hartmans Exp $ + + This file was written by Andrew G. Morgan <morgan@kernel.org> +--> + +<sect1>The locking-out module + +<sect2>Synopsis + +<p> +<descrip> + +<tag><bf>Module Name:</bf></tag> +pam_deny + +<tag><bf>Author:</bf></tag> +Andrew G. Morgan <morgan@kernel.org> + +<tag><bf>Maintainer:</bf></tag> +current <bf/Linux-PAM/ maintainer + +<tag><bf>Management groups provided:</bf></tag> +account; authentication; password; session + +<tag><bf>Cryptographically sensitive:</bf></tag> + +<tag><bf>Security rating:</bf></tag> + +<tag><bf>Clean code base:</bf></tag> +clean. + +<tag><bf>System dependencies:</bf></tag> + +<tag><bf>Network aware:</bf></tag> + +</descrip> + +<sect2>Overview of module + +<p> +This module can be used to deny access. It always indicates a failure +to the application through the PAM framework. As is commented in the +overview section <ref id="overview-section" name="above">, this module +might be suitable for using for default (the <tt/OTHER/) entries. + +<sect2>Account component + +<p> +<descrip> + +<tag><bf>Recognized arguments:</bf></tag> + +<tag><bf>Description:</bf></tag> + +This component does nothing other than return a failure. The +failure type is <tt/PAM_ACCT_EXPIRED/. + +<tag><bf>Examples/suggested usage:</bf></tag> + +Stacking this module with type <tt/account/ will prevent the user from +gaining access to the system via applications that refer to +<bf/Linux-PAM/'s account management function <tt/pam_acct_mgmt()/. + +<p> +The following example would make it impossible to login: +<tscreen> +<verb> +# +# add this line to your other login entries to disable all accounts +# +login account required pam_deny.so +</verb> +</tscreen> + +</descrip> + +<sect2>Authentication component + +<p> +<descrip> + +<tag><bf>Recognized arguments:</bf></tag> + +<tag><bf>Description:</bf></tag> + +This component does nothing other than return a failure. 
The failure +type is <tt/PAM_AUTH_ERR/ in the case that <tt/pam_authenticate()/ is +called (when the application tries to authenticate the user), and is +<tt/PAM_CRED_UNAVAIL/ when the application calls <tt/pam_setcred()/ +(to establish and set the credentials of the user -- it is unlikely +that this function will ever be called in practice). + +<tag><bf>Examples/suggested usage:</bf></tag> + +To deny access to default applications with this component of the +<tt/pam_deny/ module, you might include the following line in your +<bf/Linux-PAM/ configuration file: +<tscreen> +<verb> +# +# add this line to your existing OTHER entries to prevent +# authentication succeeding with default applications. +# +OTHER auth required pam_deny.so +</verb> +</tscreen> + +</descrip> + +<sect2>Password component + +<p> +<descrip> + +<tag><bf>Recognized arguments:</bf></tag> + +<tag><bf>Description:</bf></tag> + +This component of the module denies the user the opportunity to change +their password. It always responds with <tt/PAM_AUTHTOK_ERR/ when +invoked. + +<tag><bf>Examples/suggested usage:</bf></tag> + +This module should be used to prevent an application from updating the +applicant user's password. For example, to prevent <tt/login/ from +automatically prompting for a new password when the old one has +expired you should include the following line in your configuration +file: +<tscreen> +<verb> +# +# add this line to your other login entries to prevent the login +# application from being able to change the user's password. +# +login password required pam_deny.so +</verb> +</tscreen> + +</descrip> + +<sect2>Session component + +<p> +<descrip> + +<tag><bf>Recognized arguments:</bf></tag> + +<tag><bf>Description:</bf></tag> + +This aspect of the module prevents an application from starting a +session on the host computer. 
+ +<tag><bf>Examples/suggested usage:</bf></tag> + +Together with another session module, that displays a message of the +day perhaps (<tt/pam_motd/ for example), this module can be used to +block a user from starting a shell. We might use the following entries +in the configuration file to inform the user it is system time: +<tscreen> +<verb> +# +# An example to see how to configure login to refuse the user a +# session (politely) +# +login session required pam_motd.so \ + motd=/etc/system_time +login session required pam_deny.so +</verb> +</tscreen> + +</descrip> + +<!-- +End of sgml insert for this module. +--> diff --git a/Linux-PAM/doc/modules/pam_env.sgml b/Linux-PAM/doc/modules/pam_env.sgml new file mode 100644 index 00000000..0ca18fe4 --- /dev/null +++ b/Linux-PAM/doc/modules/pam_env.sgml 
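Review bot: the Session component description ("This aspect of the module prevents an application from starting a session on the host computer") is the only one of the four that does not name the error code returned, whereas account, authentication and password state PAM_ACCT_EXPIRED, PAM_AUTH_ERR/PAM_CRED_UNAVAIL and PAM_AUTHTOK_ERR; add the session return value for consistency. The Cryptographically sensitive, Security rating, System dependencies and Network aware tags are left empty; for a module recommended for the OTHER entries, a short Security rating saying it fails closed and consumes no input would help. Minor: "suitable for using for default" reads better as "suitable for use as the default".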
@@ -0,0 +1,141 @@ +<!-- + $Id: pam_env.sgml,v 1.1.1.1 2001/04/29 04:16:54 hartmans Exp $ + + This file was written by Dave Kinchlea <kinch@kinch.ark.com> + Ed. AGM +--> + +<sect1>Set/unset environment variables + +<sect2>Synopsis + +<p> +<descrip> + +<tag><bf>Module Name:</bf></tag> +<tt/pam_env/ + +<tag><bf>Author:</bf></tag> +Dave Kinchlea <kinch@kinch.ark.com> + +<tag><bf>Maintainer:</bf></tag> +Author + +<tag><bf>Management groups provided:</bf></tag> +Authentication (setcred) + +<tag><bf>Cryptographically sensitive:</bf></tag> + +<tag><bf>Security rating:</bf></tag> + +<tag><bf>Clean code base:</bf></tag> + +<tag><bf>System dependencies:</bf></tag> +<tt>/etc/security/pam_env.conf</tt> + +<tag><bf>Network aware:</bf></tag> + +</descrip> + +<sect2>Overview of module + +<p> +This module allows the (un)setting of environment variables. Supported +is the use of previously set environment variables as well as +<em>PAM_ITEM</em>s such as <tt>PAM_RHOST</tt>. + +<sect2>Authentication component + +<p> +<descrip> + +<tag><bf>Recognized arguments:</bf></tag> +<tt/debug/; <tt/conffile=/<em/configuration-file-name/; +<tt/envfile/=<em/env-file-name/; <tt/readenv/=<em/0|1/ + +<tag><bf>Description:</bf></tag> +This module allows you to (un)set arbitrary environment variables +using fixed strings, the value of previously set environment variables +and/or <em/PAM_ITEM/s. + +<p> +All is controlled via a configuration file (by default, +<tt>/etc/security/pam_env.conf</tt> but can be overriden with +<tt>conffile</tt> argument). Each line starts with the variable name, +there are then two possible options for each variable <bf>DEFAULT</bf> +and <bf>OVERRIDE</bf>. <bf>DEFAULT</bf> allows an administrator to +set the value of the variable to some default value, if none is +supplied then the empty string is assumed. The <bf>OVERRIDE</bf> +option tells pam_env that it should enter in its value (overriding the +default value) if there is one to use. 
<bf>OVERRIDE</bf> is not used, +<tt>""</tt> is assumed and no override will be done. + +<p> +<tscreen> +<verb> +VARIABLE [DEFAULT=[value]] [OVERRIDE=[value]] +</verb> +</tscreen> + +<p> +(Possibly non-existent) environment variables may be used in values +using the <tt>${string}</tt> syntax and (possibly +non-existent) <em/PAM_ITEM/s may be used in values using the +<tt>@{string}</tt> syntax. Both the <tt>$</tt> +and <tt>@</tt> characters can be backslash-escaped to be used +as literal values (as in <tt>\$</tt>. Double quotes may +be used in values (but not environment variable names) when white +space is needed <bf>the full value must be delimited by the quotes and +embedded or escaped quotes are not supported</bf>. + +<p> +This module can also parse a file with simple <tt>KEY=VAL</tt> pairs +on seperate lines (<tt>/etc/environment</tt> by default). You can +change the default file to parse, with the <em/envfile/ flag and turn +it on or off by setting the <em/readenv/ flag to 1 or 0 respectively. + +<p> +The behavior of this module can be modified with one of the following +flags: + +<p> +<itemize> + +<item><tt/debug/ +- write more information to <tt/syslog(3)/. + +<item><tt/conffile=/<em/filename/ +- by default the file <tt>/etc/security/pam_env.conf</tt> is used as +the configuration file. This option overrides the default. You must +supply a complete path + file name. + +<item><tt/envfile=/<em/filename/ +- by default the file <tt>/etc/environment</tt> is used to load KEY=VAL +pairs directly into the env. This option overrides the default. You must +supply a complete path + file name. + +<item><tt/readenv=/<em/0|1/ +- turns on or off the reading of the file specified by envfile (0 is off, +1 is on). By default this option is on. + +</itemize> + +<tag><bf>Examples/suggested usage:</bf></tag> + +See sample <tt>pam_env.conf</tt> for more information and examples. + +</descrip> + +<!-- +End of sgml insert for this module. +--> + + + + + + + + + + 
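Review bot: the Description paragraph loses the opening word of a sentence: "...if there is one to use. OVERRIDE is not used, "" is assumed and no override will be done." should read "If OVERRIDE is not used, ...". In the same region "(as in \$." lacks its closing parenthesis, "overriden" should be "overridden" and "seperate" should be "separate". Because values may expand PAM_ITEMs such as PAM_RHOST via @{string}, the Description should say that these items are supplied by the calling application rather than by the administrator, so a value built from @{PAM_RHOST} cannot be assumed to be well formed. The file also ends with a run of blank "+" lines that should be trimmed.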
diff --git a/Linux-PAM/doc/modules/pam_filter.sgml b/Linux-PAM/doc/modules/pam_filter.sgml new file mode 100644 index 00000000..1d582abc --- /dev/null +++ b/Linux-PAM/doc/modules/pam_filter.sgml 
@@ -0,0 +1,150 @@ +<!-- + $Id: pam_filter.sgml,v 1.1.1.2 2002/09/15 20:08:29 hartmans Exp $ + + This file was written by Andrew G. Morgan <morgan@kernel.org> +--> + +<sect1>The filter module + +<sect2>Synopsis + +<p> +<descrip> + +<tag><bf>Module Name:</bf></tag> + +pam_filter + +<tag><bf>Author:</bf></tag> + +Andrew G. Morgan <morgan@kernel.org> + +<tag><bf>Maintainer:</bf></tag> + +Author. + +<tag><bf>Management groups provided:</bf></tag> + +account; authentication; password; session + +<tag><bf>Cryptographically sensitive:</bf></tag> + +Not yet. + +<tag><bf>Security rating:</bf></tag> + +<tag><bf>Clean code base:</bf></tag> + +This module compiles cleanly on Linux based systems. + +<tag><bf>System dependencies:</bf></tag> + +To function it requires <em/filters/ to be installed on the system. + +<tag><bf>Network aware:</bf></tag> + +</descrip> + +<sect2>Overview of module + +<p> +This module was written to offer a plug-in alternative to programs +like ttysnoop (XXX - need a reference). Since writing a filter that +performs this function has not occurred, it is currently only a toy. +The single filter provided with the module simply transposes upper and +lower case letters in the input and output streams. (This can be very +annoying and is not kind to termcap based editors). + +<sect2>Account+Authentication+Password+Session components + +<p> +<descrip> + +<tag><bf>Recognized arguments:</bf></tag> + +<tt/debug/; <tt/new_term/; <tt/non_term/; <tt/runX/ + +<tag><bf>Description:</bf></tag> + +Each component of the module has the potential to invoke the desired +filter. The filter is always <tt/execv(2)/d with the privilege of the +calling application and <bf/not/ that of the user. For this reason it +cannot usually be killed by the user without closing their session. 
+ +<p> +The behavior of the module can be significantly altered by the +arguments passed to it in the <bf/Linux-PAM/ configuration file: +<itemize> +<item><tt/debug/ - + +this option increases the amount of information logged to +<tt/syslog(3)/ as the module is executed. + +<item><tt/new_term/ - + +the default action of the filter is to set the <tt/PAM_TTY/ item to +indicate the terminal that the user is using to connect to the +application. This argument indicates that the filter should set +<tt/PAM_TTY/ to the filtered pseudo-terminal. + +<item><tt/non_term/ - +don't try to set the <tt/PAM_TTY/ item. + +<item><tt/runX/ - + +in order that the module can invoke a filter it should know when to +invoke it. This argument is required to tell the filter when to do +this. The arguments that follow this one are respectively the full +pathname of the filter to be run and any command line arguments that +the filter might expect. + +<p> +Permitted values for <tt/X/ are <tt/1/ and <tt/2/. These indicate the +precise time that the filter is to be run. To understand this concept +it will be useful to have read the Linux-PAM Module developer's +guide. Basically, for each management group there are up to two ways +of calling the module's functions. + +In the case of the <em/authentication/ and <em/session/ components +there are actually two separate functions. For the case of +authentication, these functions are <tt/_authenticate/ and +<tt/_setcred/ -- here <tt/run1/ means run the filter from the +<tt/_authenticate/ function and <tt/run2/ means run the filter from +<tt/_setcred/. In the case of the session modules, <tt/run1/ implies +that the filter is invoked at the <tt/_open_session/ stage, and +<tt/run2/ for <tt/_close_session/. + +<p> +For the case of the account component. Either <tt/run1/ or <tt/run2/ +may be used. 
+ +<p> +For the case of the password component, <tt/run1/ is used to indicate +that the filter is run on the first occasion <tt/_chauthtok/ is run +(the <tt/PAM_PRELIM_CHECK/ phase) and <tt/run2/ is used to indicate +that the filter is run on the second occasion (the +<tt/PAM_UPDATE_AUTHTOK/ phase). + +</itemize> + +<tag><bf>Examples/suggested usage:</bf></tag> + +At the time of writing there is little real use to be made of this +module. For fun you might try adding the following line to your +login's configuration entries +<tscreen> +<verb> +# +# An example to see how to configure login to transpose upper and +# lower case letters once the user has logged in(!) +# +login session required pam_filter.so \ + run1 /usr/sbin/pam_filter/upperLOWER +</verb> +</tscreen> + +</descrip> + +<!-- +End of sgml insert for this module. +--> diff --git a/Linux-PAM/doc/modules/pam_ftp.sgml b/Linux-PAM/doc/modules/pam_ftp.sgml new file mode 100644 index 00000000..3ea43713 --- /dev/null +++ b/Linux-PAM/doc/modules/pam_ftp.sgml 
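Review bot: the Overview still carries the placeholder "ttysnoop (XXX - need a reference)"; add the reference or drop the parenthetical before this ships. In the runX item, "For the case of the account component. Either run1 or run2 may be used." is a fragment and, unlike the authentication, session and password cases, does not say what distinguishes run1 from run2 for account; either state that they are equivalent there or give the distinction. The Description's point that the filter is execv(2)d with the privilege of the calling application and not that of the user is the security-relevant fact of this module and deserves a sentence on what it implies for the filter binary (it must be trusted to the same degree as the application), rather than only the remark that the user cannot kill it.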
@@ -0,0 +1,93 @@ +<!-- + $Id: pam_ftp.sgml,v 1.1.1.2 2002/09/15 20:08:29 hartmans Exp $ + + This file was written by Andrew G. Morgan <morgan@kernel.org> +--> + +<sect1>Anonymous access module + +<sect2>Synopsis + +<p> +<descrip> + +<tag><bf>Module Name:</bf></tag> +<tt/pam_ftp.so/ + +<tag><bf>Author:</bf></tag> +Andrew G. Morgan <morgan@kernel.org> + +<tag><bf>Maintainer:</bf></tag> +Author. + +<tag><bf>Management groups provided:</bf></tag> +authentication + +<tag><bf>Cryptographically sensitive:</bf></tag> + +<tag><bf>Security rating:</bf></tag> + +<tag><bf>Clean code base:</bf></tag> + +<tag><bf>System dependencies:</bf></tag> + +<tag><bf>Network aware:</bf></tag> +prompts for email address of user; easily spoofed (XXX - needs work) + +</descrip> + +<sect2>Overview of module + +<p> +The purpose of this module is to provide a pluggable anonymous ftp +mode of access. + +<sect2>Authentication component + +<p> +<descrip> + +<tag><bf>Recognized arguments:</bf></tag> +<tt/debug/; +<tt/users=XXX,YYY,.../; +<tt/ignore/ + +<tag><bf>Description:</bf></tag> + +This module intercepts the user's name and password. If the name is +``<tt/ftp/'' or ``<tt/anonymous/'', the user's password is broken up +at the `<tt/@/' delimiter into a <tt/PAM_RUSER/ and a <tt/PAM_RHOST/ +part; these pam-items being set accordingly. The username +(<tt/PAM_USER/) is set to ``<tt/ftp/''. In this case the module +succeeds. Alternatively, the module sets the <tt/PAM_AUTHTOK/ item +with the entered password and fails. + +<p> +The behavior of the module can be modified with the following flags: +<itemize> +<item><tt/debug/ - +log more information to with <tt/syslog(3)/. + +<item><tt/users=XXX,YYY,.../ - +instead of ``<tt/ftp/'' or ``<tt/anonymous/'', provide anonymous login +to the comma separated list of users; ``<tt/XXX,YYY,.../''. Should the +applicant enter one of these usernames the returned username is set to +the first in the list; ``<tt/XXX/''. 
+ +<item><tt/ignore/ - +pay no attention to the email address of the user (if supplied). + +</itemize> + +<tag><bf>Examples/suggested usage:</bf></tag> + +An example of the use of this module is provided in the configuration +file section <ref id="configuration" name="above">. With care, this +module could be used to provide new/temporary account anonymous +login. + +</descrip> + +<!-- +End of sgml insert for this module. +--> diff --git a/Linux-PAM/doc/modules/pam_group.sgml b/Linux-PAM/doc/modules/pam_group.sgml new file mode 100644 index 00000000..770933bc --- /dev/null +++ b/Linux-PAM/doc/modules/pam_group.sgml 
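Review bot: "Network aware: prompts for email address of user; easily spoofed (XXX - needs work)" leaves an XXX placeholder in the published synopsis; say plainly that the address is unverified and is only split into PAM_RUSER and PAM_RHOST. In the debug item, "log more information to with syslog(3)" should drop "to". The Examples/suggested usage section only points at the configuration file section "above"; a module whose success path rewrites PAM_USER to "ftp" is worth showing inline so readers see where it must sit in the auth stack. The Description's note that, for other names, the entered password is stored in PAM_AUTHTOK before the module fails is the behaviour later modules depend on and should be stated more prominently than as an afterthought.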
@@ -0,0 +1,108 @@ +<!-- + $Id: pam_group.sgml,v 1.1.1.2 2002/09/15 20:08:30 hartmans Exp $ + + This file was written by Andrew G. Morgan <morgan@kernel.org> +--> + +<sect1>The group access module + +<sect2>Synopsis + +<p> +<descrip> + +<tag><bf>Module Name:</bf></tag> +<tt/pam_group/ + +<tag><bf>Author:</bf></tag> +Andrew G. Morgan <morgan@kernel.org> + +<tag><bf>Maintainer:</bf></tag> +Author. + +<tag><bf>Management groups provided:</bf></tag> +authentication + +<tag><bf>Cryptographically sensitive:</bf></tag> + +<tag><bf>Security rating:</bf></tag> +Sensitive to <em/setgid/ status of file-systems accessible to users. + +<tag><bf>Clean code base:</bf></tag> + +<tag><bf>System dependencies:</bf></tag> +Requires an <tt>/etc/security/group.conf</tt> file. Can be compiled +with or without <tt/libpwdb/. + +<tag><bf>Network aware:</bf></tag> +Only through correctly set <tt/PAM_TTY/ item. + +</descrip> + +<sect2>Overview of module + +<p> +This module provides group-settings based on the user's name and the +terminal they are requesting a given service from. It takes note of +the time of day. + +<sect2>Authentication component + +<p> +<descrip> + +<tag><bf>Recognized arguments:</bf></tag> + +<tag><bf>Description:</bf></tag> + +This module does not authenticate the user, but instead it grants +group memberships (in the credential setting phase of the +authentication module) to the user. Such memberships are based on the +service they are applying for. The group memberships are listed in +text form in the <tt>/etc/security/group.conf</tt> file. + +<tag><bf>Examples/suggested usage:</bf></tag> + +For this module to function correctly there must be a correctly +formatted <tt>/etc/security/groups.conf</tt> file present. The format +of this file is as follows. Group memberships are given based on the +service application satisfying any combination of lines in the +configuration file. 
Each line (barring comments which are preceded by +`<tt/#/' marks) has the following +syntax: +<tscreen> +<verb> +services ; ttys ; users ; times ; groups +</verb> +</tscreen> +Here the first four fields share the syntax of the <tt>pam_time</tt> +configuration file; <tt>/etc/security/pam_time.conf</tt>, and the last +field, the <tt/groups/ field, is a comma (or space) separated list of +the text-names of a selection of groups. If the users application for +service satisfies the first four fields, the user is granted membership +of the listed groups. + +<p> +As stated in above this module's usefulness relies on the file-systems +accessible to the user. The point being that once granted the +membership of a group, the user may attempt to create a <em/setgid/ +binary with a restricted group ownership. Later, when the user is not +given membership to this group, they can recover group membership with +the precompiled binary. The reason that the file-systems that the user +has access to are so significant, is the fact that when a system is +mounted <em/nosuid/ the user is unable to create or execute such a +binary file. For this module to provide any level of security, all +file-systems that the user has write access to should be mounted +<em/nosuid/. + +<p> +The <tt>pam_group</tt> module fuctions in parallel with the +<tt>/etc/group</tt> file. If the user is granted any groups based on +the behavior of this module, they are granted <em>in addition</em> to +those entries <tt>/etc/group</tt> (or equivalent). + +</descrip> + +<!-- +End of sgml insert for this module. +--> diff --git a/Linux-PAM/doc/modules/pam_issue.sgml b/Linux-PAM/doc/modules/pam_issue.sgml new file mode 100644 index 00000000..1f617e3b --- /dev/null +++ b/Linux-PAM/doc/modules/pam_issue.sgml 
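Review bot: the configuration file is named inconsistently: System dependencies and Description say /etc/security/group.conf, while Examples/suggested usage says "/etc/security/groups.conf"; pick one. Typos: "fuctions" (functions), "As stated in above" (As stated above), "If the users application" (user's). The nosuid paragraph is the key security caveat of this module and is correct as written, but "they can recover group membership with the precompiled binary" should say "setgid binary" so it ties back to the earlier sentence.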
@@ -0,0 +1,120 @@ +<!-- + +Ben Collins <bcollins@debian.org> + +--> + +<sect1>Add issue file to user prompt + +<sect2>Synopsis + +<p> +<descrip> + +<tag><bf>Module Name:</bf></tag> +<tt/pam_issue/ + +<tag><bf>Author:</bf></tag> +Ben Collins <bcollins@debian.org> + +<tag><bf>Maintainer:</bf></tag> +Author + +<tag><bf>Management groups provided:</bf></tag> +Authentication (pam_sm_authenticate) + +<tag><bf>Cryptographically sensitive:</bf></tag> + +<tag><bf>Security rating:</bf></tag> + +<tag><bf>Clean code base:</bf></tag> + +<tag><bf>System dependencies:</bf></tag> + +<tag><bf>Network aware:</bf></tag> + +</descrip> + +<sect2>Overview of module + +<p> +This module prepends the issue file (<em>/etc/issue</em> by default) when +prompting for a username. + +<sect2>Authentication component + +<p> +<descrip> + +<tag><bf>Recognized arguments:</bf></tag> +<tt/issue=issue-file-name/; <tt/noesc/; + +<tag><bf>Description:</bf></tag> +This module allows you to prepend an issue file to the username prompt. It +also by default parses escape codes in the issue file similar to some +common getty's (using \x format). +<p> +Recognized escapes: +<itemize> + +<item><tt/d/ +- current date + +<item><tt/s/ +- operating system name + +<item><tt/l/ +- name of this tty + +<item><tt/m/ +- architecture of this system (i686, sparc, powerpc, ...) + +<item><tt/n/ +- hostname of this system + +<item><tt/o/ +- domainname of this system + +<item><tt/r/ +- release number of the operation system (eg. 2.2.12) + +<item><tt/t/ +- current time + +<item><tt/u/ +- number of users currently logged in + +<item><tt/U/ +- same as <tt/u/, except it is suffixed with "user" or "users" (eg. "1 +user" or "10 users" + +<item><tt/v/ +- version/build-date of the operating system (eg. "#3 Mon Aug 23 14:38:16 +EDT 1999" on Linux). 
+ +</itemize> + +<p> +The behavior of this module can be modified with one of the following +flags: + +<p> +<itemize> + +<item><tt/issue/ +- the file to output if not using the default + +<item><tt/noesc/ +- turns off escape code parsing + +</itemize> + +<tag><bf>Examples/suggested usage:</bf></tag> + +login auth pam_issue.so issue=/etc/issue + +</descrip> + +<!-- +End of sgml insert for this module. +--> diff --git a/Linux-PAM/doc/modules/pam_krb4.sgml b/Linux-PAM/doc/modules/pam_krb4.sgml new file mode 100644 index 00000000..2fc8518e --- /dev/null +++ b/Linux-PAM/doc/modules/pam_krb4.sgml 
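Review bot: the Examples/suggested usage line "login auth pam_issue.so issue=/etc/issue" has no control flag (required, optional, ...), so it is not a valid configuration line, and unlike the other module documents it is not wrapped in a tscreen/verb block; write it as, for example, "login auth required pam_issue.so issue=/etc/issue" inside the usual block. The escape list shows "d", "s", "l", ... although the Description says escapes use "\x format"; show the backslash on each item so \d is not read as a literal d. Also "release number of the operation system" should be "operating system", and the U item is missing its closing parenthesis after "10 users".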
@@ -0,0 +1,126 @@ +<!-- + $Id: pam_krb4.sgml,v 1.1.1.1 2001/04/29 04:16:55 hartmans Exp $ + + This file was written by Derrick J. Brashear <shadow@DEMENTIA.ORG> +--> + +<sect1>The Kerberos 4 module. + +<sect2>Synopsis + +<p> +<descrip> + +<tag><bf>Module Name:</bf></tag> +<tt/pam_krb4/ + +<tag><bf>Author:</bf></tag> +Derrick J. Brashear <shadow@dementia.org> + +<tag><bf>Maintainer:</bf></tag> +Author. + +<tag><bf>Management groups provided:</bf></tag> +authentication; password; session + +<tag><bf>Cryptographically sensitive:</bf></tag> +uses API + +<tag><bf>Security rating:</bf></tag> + +<tag><bf>Clean code base:</bf></tag> + +<tag><bf>System dependencies:</bf></tag> +libraries - <tt/libkrb/, <tt/libdes/, <tt/libcom_err/, <tt/libkadm/; +and a set of Kerberos include files. + +<tag><bf>Network aware:</bf></tag> +Gets Kerberos ticket granting ticket via a Kerberos key distribution +center reached via the network. + +</descrip> + +<sect2>Overview of module + +<p> +This module provides an interface for doing Kerberos verification of a +user's password, getting the user a Kerberos ticket granting ticket +for use with the Kerberos ticket granting service, destroying the +user's tickets at logout time, and changing a Kerberos password. + +<sect2> Session component + +<p> +<descrip> + +<tag><bf>Recognized arguments:</bf></tag> + +<tag><bf>Description:</bf></tag> + +This component of the module currently sets the user's <tt/KRBTKFILE/ +environment variable (although there is currently no way to export +this), as well as deleting the user's ticket file upon logout (until +<tt/PAM_CRED_DELETE/ is supported by <em/login/). + +<tag><bf>Examples/suggested usage:</bf></tag> + +This part of the module won't be terribly useful until we can change +the environment from within a <tt/Linux-PAM/ module. 
+ +</descrip> + +<sect2> Password component + +<p> +<descrip> + +<tag><bf>Recognized arguments:</bf></tag> +<tt/use_first_pass/; <tt/try_first_pass/ + +<tag><bf>Description:</bf></tag> + +This component of the module changes a user's Kerberos password +by first getting and using the user's old password to get +a session key for the password changing service, then sending +a new password to that service. + +<tag><bf>Examples/suggested usage:</bf></tag> + +This should only be used with a real Kerberos v4 <tt/kadmind/. It +cannot be used with an AFS kaserver unless special provisions are +made. Contact the module author for more information. + +</descrip> + +<sect2> Authentication component + +<p> +<descrip> + +<tag><bf>Recognized arguments:</bf></tag> +<tt/use_first_pass/; <tt/try_first_pass/ + +<tag><bf>Description:</bf></tag> + +This component of the module verifies a user's Kerberos password +by requesting a ticket granting ticket from the Kerberos server +and optionally using it to attempt to retrieve the local computer's +host key and verifying using the key file on the local machine if +one exists. + +It also writes out a ticket file for the user to use later, and +deletes the ticket file upon logout (not until <tt/PAM_CRED_DELETE/ +is called from <em/login/). + +<tag><bf>Examples/suggested usage:</bf></tag> + +This module can be used with a real Kerberos server using MIT +v4 Kerberos keys. The module or the system Kerberos libraries +may be modified to support AFS style Kerberos keys. Currently +this is not supported to avoid cryptography constraints. + +</descrip> + +<!-- +End of sgml insert for this module. +--> diff --git a/Linux-PAM/doc/modules/pam_lastlog.sgml b/Linux-PAM/doc/modules/pam_lastlog.sgml new file mode 100644 index 00000000..e79723b3 --- /dev/null +++ b/Linux-PAM/doc/modules/pam_lastlog.sgml 
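Review bot: ticket-file deletion is documented twice with different conditions: the Session component says it deletes the user's ticket file upon logout "(until PAM_CRED_DELETE is supported by login)", and the Authentication component says it deletes the ticket file upon logout "(not until PAM_CRED_DELETE is called from login)"; state once which component actually removes the file and on which call. The Session component's claim that there is "no way to export" KRBTKFILE sits in the same patch as pam_env.sgml, which documents setting environment variables from a module; either drop the claim or explain why pam_krb4 cannot use the same mechanism. Minor: the components are ordered Session, Password, Authentication, whereas every other module document here puts Authentication first.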
@@ -0,0 +1,119 @@ +<!-- + $Id: pam_lastlog.sgml,v 1.1.1.1 2001/04/29 04:16:55 hartmans Exp $ + + This file was written by Andrew G. Morgan <morgan@kernel.org> +--> + +<sect1>The last login module + +<sect2>Synopsis + +<p> +<descrip> + +<tag><bf>Module Name:</bf></tag> +<tt/pam_lastlog/ + +<tag><bf>Author:</bf></tag> +Andrew G. Morgan <morgan@kernel.org> + +<tag><bf>Maintainer:</bf></tag> +Author + +<tag><bf>Management groups provided:</bf></tag> +auth + +<tag><bf>Cryptographically sensitive:</bf></tag> + +<tag><bf>Security rating:</bf></tag> + +<tag><bf>Clean code base:</bf></tag> + +<tag><bf>System dependencies:</bf></tag> +uses information contained in the <tt>/var/log/lastlog</tt> file. + +<tag><bf>Network aware:</bf></tag> + +</descrip> + +<sect2>Overview of module + +<p> +This session module maintains the <tt>/var/log/lastlog</tt> file. Adding +an open entry when called via the <tt>pam_open_seesion()</tt> function +and completing it when <tt>pam_close_session()</tt> is called. This +module can also display a line of information about the last login of +the user. If an application already performs these tasks, it is not +necessary to use this module. + +<sect2>Session component + +<p> +<descrip> + +<tag><bf>Recognized arguments:</bf></tag> +<tt/debug/; <tt/nodate/; <tt/noterm/; <tt/nohost/; <tt/silent/; +<tt/never/ + +<tag><bf>Description:</bf></tag> + +<p> +This module can be used to provide a ``Last login on ...'' +message. when the user logs into the system from what ever application +uses the PAM libraries. In addition, the module maintains the +<tt>/var/log/lastlog</tt> file. + +<p> +The behavior of this module can be modified with one of the following +flags: + +<p> +<itemize> +<item><tt/debug/ +- write more information to <tt/syslog(3)/. + +<item><tt/nodate/ +- neglect to give the date of the last login when displaying +information about the last login on the system. 
+ +<item><tt/noterm/ +- neglect to diplay the terminal name on which the last login was +attempt. + +<item><tt/nohost/ +- neglect to indicate from which host the last login was attempted. + +<item><tt/silent/ +- neglect to inform the user about any previous login: just update +the <tt>/var/log/lastlog</tt> file. + +<item><tt/never/ +- if the <tt>/var/log/lastlog</tt> file does not contain any old entries +for the user, indicate that the user has never previously logged in +with a ``welcome..." message. + +</itemize> + +<tag><bf>Examples/suggested usage:</bf></tag> + +This module can be used to indicate that the user has new mail when +they <em/login/ to the system. Here is a sample entry for your +<tt>/etc/pam.d/XXX</tt> file: +<tscreen> +<verb> +# +# When were we last here? +# +session optional pam_lastlog.so +</verb> +</tscreen> + +<p> +Note, some applications may perform this function themselves. In such +cases, this module is not necessary. + +</descrip> + +<!-- +End of sgml insert for this module. +--> diff --git a/Linux-PAM/doc/modules/pam_limits.sgml b/Linux-PAM/doc/modules/pam_limits.sgml new file mode 100644 index 00000000..65ce6d82 --- /dev/null +++ b/Linux-PAM/doc/modules/pam_limits.sgml 
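Review bot: The pam_lastlog Synopsis says "Management groups provided: auth", but the Overview calls it a session module and the only documented component is the Session component; the entry should read "session". In the Overview, "pam_open_seesion()" should be "pam_open_session()". The Examples paragraph ("This module can be used to indicate that the user has new mail when they login") was carried over from the pam_mail file and should describe the "Last login on ..." message this module actually prints. Typos in the argument list: "diplay" and "on which the last login was attempt" (attempted).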
@@ -0,0 +1,247 @@ +<!-- + $Id: pam_limits.sgml,v 1.1.1.2 2002/09/15 20:08:31 hartmans Exp $ + + This file was written by Andrew G. Morgan <morgan@kernel.org> + from information compiled by Cristian Gafton (author of module) +--> + +<sect1>The resource limits module + +<sect2>Synopsis + +<p> +<descrip> + +<tag><bf>Module Name:</bf></tag> +<tt/pam_limits/ + +<tag><bf>Authors:</bf></tag> +Cristian Gafton <gafton@redhat.com> <newline> +Thanks are also due to Elliot Lee <sopwith@redhat.com> +for his comments on improving this module. + +<tag><bf>Maintainer:</bf></tag> +Cristian Gafton - 1996/11/20 + +<tag><bf>Management groups provided:</bf></tag> +session + +<tag><bf>Cryptographically sensitive:</bf></tag> + +<tag><bf>Security rating:</bf></tag> + +<tag><bf>Clean code base:</bf></tag> + +<tag><bf>System dependencies:</bf></tag> +requires an <tt>/etc/security/limits.conf</tt> file and kernel support +for resource limits. Also uses the library, <tt/libpwdb/. + +<tag><bf>Network aware:</bf></tag> + +</descrip> + +<sect2>Overview of module + +<p> +This module, through the <bf/Linux-PAM/ <em/open/-session hook, sets +limits on the system resources that can be obtained in a +user-session. Its actions are dictated more explicitly through the +configuration file discussed below. + +<sect2>Session component + +<p> +<descrip> + +<tag><bf>Recognized arguments:</bf></tag> +<tt/debug/; <tt>conf=/path/to/file.conf</tt>; <tt>change_uid</tt>; +<tt>utmp_early</tt> + +<tag><bf>Description:</bf></tag> + +Through the contents of the configuration file, +<tt>/etc/security/limits.conf</tt>, resource limits are placed on +users' sessions. Users of <tt/uid=0/ are not affected by this +restriction. + +<p> +The behavior of this module can be modified with the following +arguments: +<itemize> + +<item><tt/debug/ - +verbose logging to <tt/syslog(3)/. + +<item><tt>conf=/path/to/file.conf</tt> - +indicate an alternative <em/limits/ configuration file to the default. 
+ +<item><tt/change_uid/ - +change real uid to the user for who the limits are set up. Use this +option if you have problems like login not forking a shell for user +who has no processes. Be warned that something else may break when +you do this. + +<item><tt/utmp_early/ - +some broken applications actually allocate a utmp entry for the user +before the user is admitted to the system. If some of the services you +are configuring PAM for do this, you can selectively use this module +argument to compensate for this behavior and at the same time maintain +system-wide consistency with a single limits.conf file. + +</itemize> + +<tag><bf>Examples/suggested usage:</bf></tag> + +In order to use this module the system administrator must first create +a <em/root-only-readable/ file (default is +<tt>/etc/security/limits.conf</tt>). This file describes the resource +limits the superuser wishes to impose on users and groups. No limits +are imposed on <tt/uid=0/ accounts. + +<p> +Each line of the configuration file describes a limit for a user in +the form: +<tscreen> +<verb> +<domain> <type> <item> <value> +</verb> +</tscreen> + +<p> +The fields listed above should be filled as follows...<newline> +<tt><domain></tt> can be: +<itemize> +<item> a username +<item> a groupname, with <tt>@group</tt> syntax +<item> the wild-card <tt/*/, for default entry +<item> the wild-card <tt/%/, for maxlogins limit only, +can also be used with <tt>%group</tt> syntax +</itemize> + +<p> +<tt><type></tt> can have the three values: +<itemize> + +<item> <tt/hard/ for enforcing <em/hard/ resource limits. These limits +are set by the superuser and enforced by the Linux Kernel. The user +cannot raise his requirement of system resources above such values. + +<item> <tt/soft/ for enforcing <em/soft/ resource limits. These limits +are ones that the user can move up or down within the permitted range +by any pre-exisiting <em/hard/ limits. 
The values specified with this +token can be thought of as <em/default/ values, for normal system +usage. + +<item> <tt/-/ for enforcing both <em/soft/ and <em/hard/ limits +together. + +</itemize> + +<p> +<tt><item></tt> can be one of the following: +<itemize> +<item><tt/core/ - limits the core file size (KB) +<item><tt/data/ - max data size (KB) +<item><tt/fsize/ - maximum filesize (KB) +<item><tt/memlock/ - max locked-in-memory address space (KB) +<item><tt/nofile/ - max number of open files +<item><tt/rss/ - max resident set size (KB) +<item><tt/stack/ - max stack size (KB) +<item><tt/cpu/ - max CPU time (MIN) +<item><tt/nproc/ - max number of processes +<item><tt/as/ - address space limit +<item><tt/maxlogins/ - max number of logins for this user +<item><tt/maxsyslogins/ - max number of logins on system +<item><tt/priority/ - the priority to run user process with (negative +values boost process priority) +<item><tt/locks/ - max locked files (Linux 2.4 and higher) +</itemize> + +<p> +Note, if you specify a type of ``-'' but neglect to supply the +<tt/item/ and <tt/value/ fields then the module will never enforce any +limits on the corresponding user/group-members etc. . Note, the first +entry of the form which applies to the authenticating user will +override all other entries in the limits configuration file. In such +cases, the <tt/pam_limits/ module will always return <tt/PAM_SUCCESS/. + +<p> +In general, individual limits have priority over group limits, so if +you impose no limits for <tt/admin/ group, but one of the members in +this group have a limits line, the user will have its limits set +according to this line. + +<p> +Also, please note that all limit settings are set <em/per login/. +They are not global, nor are they permanent; existing only for the +duration of the session. + +<p> +In the <em/limits/ configuration file, the ``<tt/#/'' character +introduces a comment - after which the rest of the line is ignored. 
+ +<p> +The <tt/pam_limits/ module does its best to report configuration +problems found in its configuration file via <tt/syslog(3)/. + +<p> +The following is an example configuration file: +<tscreen> +<verb> +# EXAMPLE /etc/security/limits.conf file: +# ======================================= +# <domain> <type> <item> <value> +* soft core 0 +* hard rss 10000 +@student hard nproc 20 +@faculty soft nproc 20 +@faculty hard nproc 50 +ftp hard nproc 0 +@student - maxlogins 4 +</verb> +</tscreen> +Note, the use of <tt/soft/ and <tt/hard/ limits for the same resource +(see <tt/@faculty/) -- this establishes the <em/default/ and permitted +<em/extreme/ level of resources that the user can obtain in a given +service-session. + +<p> +Note, that wild-cards <tt/*/ and <tt/%/ have the following meaning when +used for maxlogins limit +<itemize> +<item> <tt/*/ every user +<item> <tt/%/ all users, or entire group when <tt>%group</tt> is specified +</itemize> +See the following examples: +<tscreen> +<verb> +# EXAMPLE /etc/security/limits.conf file: +# <domain> <type> <item> <value> +* - maxlogins 2 +@faculty - maxlogins 4 +% - maxlogins 30 +%student - maxlogins 10 +</verb> +</tscreen> +Explanation: every user can login 2 times, members of the <tt/faculty/ +group can login 4 times, there can be only 30 logins, only 10 from +<tt/students/ group. + +<p> +For the services that need resources limits (login for example) put +the following line in <tt>/etc/pam.conf</tt> as the last line for that +service (usually after the pam_unix session line: +<tscreen> +<verb> +# +# Resource limits imposed on login sessions via pam_limits +# +login session required pam_limits.so +</verb> +</tscreen> + +</descrip> + +<!-- +End of sgml insert for this module. +--> diff --git a/Linux-PAM/doc/modules/pam_listfile.sgml b/Linux-PAM/doc/modules/pam_listfile.sgml new file mode 100644 index 00000000..f39d8bc6 --- /dev/null +++ b/Linux-PAM/doc/modules/pam_listfile.sgml 
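Review bot: The pam_limits description gives two matching rules that cannot both hold: "the first entry of the form which applies to the authenticating user will override all other entries" versus "individual limits have priority over group limits", which implies a user line later in the file beats an earlier @group line. Say which order the module actually applies, otherwise the example file with both @faculty and ftp entries cannot be read unambiguously. The requirement that the administrator create a "root-only-readable" file should be "writable only by root": the contents are not secret (a session can read its own limits with ulimit), but whoever can write the file sets the resource limits for every login. Smaller points: "pre-exisiting" should be "pre-existing", and the parenthesis "(usually after the pam_unix session line" is never closed.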
@@ -0,0 +1,138 @@ +<!-- + $Id: pam_listfile.sgml,v 1.1.1.1 2001/04/29 04:16:56 hartmans Exp $ + + This file was written by Michael K. Johnson <johnsonm@redhat.com> +--> + +<sect1>The list-file module + +<sect2>Synopsis + +<p> +<descrip> + +<tag><bf>Module Name:</bf></tag> +<tt/pam_listfile/ + +<tag><bf>Author:</bf></tag> +Elliot Lee <tt><sopwith@cuc.edu></tt> + +<tag><bf>Maintainer:</bf></tag> +Red Hat Software:<newline> +Michael K. Johnson <johnsonm@redhat.com> 1996/11/18<newline> +(if unavailable, contact Elliot Lee <sopwith@cuc.edu>). + +<tag><bf>Management groups provided:</bf></tag> +authentication + +<tag><bf>Cryptographically sensitive:</bf></tag> + +<tag><bf>Security rating:</bf></tag> + +<tag><bf>Clean code base:</bf></tag> +clean + +<tag><bf>System dependencies:</bf></tag> + +<tag><bf>Network aware:</bf></tag> + +</descrip> + +<sect2>Overview of module + +<p> +The list-file module provides a way to deny or allow services based on +an arbitrary file. + +<sect2>Authentication component + +<p> +<descrip> + +<tag><bf>Recognized arguments:</bf></tag> + +<tt>onerr=succeed|fail</tt>; +<tt>sense=allow|deny</tt>; +<tt>file=</tt><it>filename</it>; +<tt>item=user|tty|rhost|ruser|group|shell</tt> +<tt>apply=user|@group</tt> + +<tag><bf>Description:</bf></tag> + +The module gets the item of the type specified -- <tt>user</tt> specifies +the username, <tt>PAM_USER</tt>; tty specifies the name of the terminal +over which the request has been made, <tt>PAM_TTY</tt>; rhost specifies +the name of the remote host (if any) from which the request was made, +<tt>PAM_RHOST</tt>; and ruser specifies the name of the remote user +(if available) who made the request, <tt>PAM_RUSER</tt> -- and looks for +an instance of that item in the file <it>filename</it>. <it>filename</it> +contains one line per item listed. 
If the item is found, then if +<tt>sense=allow</tt>, <tt>PAM_SUCCESS</tt> is returned, causing the +authorization request to succeed; else if <tt>sense=deny</tt>, +<tt>PAM_AUTH_ERR</tt> is returned, causing the authorization +request to fail. + +<p> +If an error is encountered (for instance, if <it>filename</it> +does not exist, or a poorly-constructed argument is encountered), +then if <tt>onerr=succeed</tt>, <tt>PAM_SUCCESS</tt> is returned, +otherwise if <tt>onerr=fail</tt>, <tt>PAM_AUTH_ERR</tt> or +<tt>PAM_SERVICE_ERR</tt> (as appropriate) will be returned. + +<p> +An additional argument, <tt>apply=</tt>, can be used to restrict the +application of the above to a specific user +(<tt>apply=</tt><em>username</em>) or a given group +(<tt>apply=@</tt><em>groupname</em>). This added restriction is only +meaningful when used with the <tt/tty/, <tt/rhost/ and <tt/shell/ +<em/items/. + +<p> +Besides this last one, all arguments should be specified; do not count +on any default behavior, as it is subject to change. + +<p> +No credentials are awarded by this module. + +<tag><bf>Examples/suggested usage:</bf></tag> + +Classic ``ftpusers'' authentication can be implemented with this entry +in <tt>/etc/pam.conf</tt>: +<tscreen> +<verb> +# +# deny ftp-access to users listed in the /etc/ftpusers file +# +ftp auth required pam_listfile.so \ + onerr=succeed item=user sense=deny file=/etc/ftpusers +</verb> +</tscreen> +Note, users listed in <tt>/etc/ftpusers</tt> file are +(counterintuitively) <bf/not/ allowed access to the ftp service. + +<p> +To allow login access only for certain users, you can use a +<tt/pam.conf/ entry like this: +<tscreen> +<verb> +# +# permit login to users listed in /etc/loginusers +# +login auth required pam_listfile.so \ + onerr=fail item=user sense=allow file=/etc/loginusers +</verb> +</tscreen> + +<p> +For this example to work, all users who are allowed to use the login +service should be listed in the file <tt>/etc/loginusers</tt>. 
Unless +you are explicitly trying to lock out root, make sure that when you do +this, you leave a way for root to log in, either by listing root in +<tt>/etc/loginusers</tt>, or by listing a user who is able to <em/su/ +to the root account. + +</descrip> + +<!-- +End of sgml insert for this module. +--> diff --git a/Linux-PAM/doc/modules/pam_mail.sgml b/Linux-PAM/doc/modules/pam_mail.sgml new file mode 100644 index 00000000..397df29e --- /dev/null +++ b/Linux-PAM/doc/modules/pam_mail.sgml 
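Review bot: The pam_listfile argument list accepts item=user|tty|rhost|ruser|group|shell, but the Description only explains user, tty, rhost and ruser; document what group and shell are matched against, since those two are the ones apply= is said to be meaningful with. The ftpusers example pairs sense=deny with onerr=succeed, which is fail-open: if /etc/ftpusers is missing or unreadable, every user is admitted to the service. That is classic ftpusers behaviour, but because the example is presented as a deny list the text should point out the trade-off and mention onerr=fail for sites where the list is a security control rather than a convenience. A separator is also missing between the item= and apply= entries in the Recognized arguments list, and "authorization request" in the Description should be "authentication request" to match the management group.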
@@ -0,0 +1,142 @@ +<!-- + $Id: pam_mail.sgml,v 1.1.1.2 2002/09/15 20:08:31 hartmans Exp $ + + This file was written by Andrew G. Morgan <morgan@kernel.org> +--> + +<sect1>The mail module + +<sect2>Synopsis + +<p> +<descrip> + +<tag><bf>Module Name:</bf></tag> +<tt/pam_mail/ + +<tag><bf>Author:</bf></tag> +Andrew G. Morgan <morgan@kernel.org> + +<tag><bf>Maintainer:</bf></tag> +Author + +<tag><bf>Management groups provided:</bf></tag> +Authentication (credential) +Session (open) + +<tag><bf>Cryptographically sensitive:</bf></tag> + +<tag><bf>Security rating:</bf></tag> + +<tag><bf>Clean code base:</bf></tag> + +<tag><bf>System dependencies:</bf></tag> +Default mail directory <tt>/var/spool/mail/</tt> + +<tag><bf>Network aware:</bf></tag> + +</descrip> + +<sect2>Overview of module + +<p> +This module looks at the user's mail directory and indicates +whether the user has any mail in it. + +<sect2>Session component + +<p> +<descrip> + +<tag><bf>Recognized arguments:</bf></tag> +<tt/debug/; <tt/dir=/<em/directory-name/; <tt/nopen/; <tt/close/; +<tt/noenv/; <tt/empty/; <tt/hash=/<em/hashcount/; <tt/standard/; +<tt/quiet/; + +<tag><bf>Description:</bf></tag> + +This module provides the ``you have new mail'' service to the user. It +can be plugged into any application that has credential hooks. It gives a +single message indicating the <em/newness/ of any mail it finds in the +user's mail folder. This module also sets the <bf/Linux-PAM/ +environment variable, <tt/MAIL/, to the user's mail directory. + +<p> +The behavior of this module can be modified with one of the following +flags: + +<p> +<itemize> +<item><tt/debug/ +- write more information to <tt/syslog(3)/. + +<item><tt/dir=/<em/pathname/ +- look for the users' mail in an alternative directory given by +<em/pathname/. The default location for mail is +<tt>/var/spool/mail</tt>. 
Note, if the supplied <em/pathname/ is +prefixed by a `<tt/˜/', the directory is interpreted as +indicating a file in the user's home directory. + +<item><tt/nopen/ +- instruct the module to <em/not/ print any mail information when the +user's credentials are acquired. This flag is useful to get the <tt/MAIL/ +environment variable set, but to not display any information about it. + +<item><tt/close/ +- instruct the module to indicate if the user has any mail at the as +the user's credentials are revoked. + +<item><tt/noenv/ +- do not set the <tt/MAIL/ environment variable. + +<item><tt/empty/ +- indicate that the user's mail directory is empty if this is found to +be the case. + +<item><tt/hash=/<em/hashcount/ +- mail directory hash depth. For example, a <em/hashcount/ of 2 would +make the mailfile be <tt>/var/spool/mail/u/s/user</tt>. + +<item><tt/standard/ +- old style "You have..." format which doesn't show the mail spool being used. + this also implies "empty" + +<item><tt/quiet/ +- only report when there is new mail. + +</itemize> + +<tag><bf>Examples/suggested usage:</bf></tag> + +This module can be used to indicate that the user has new mail when +they <em/login/ to the system. Here is a sample entry for your +<tt>/etc/pam.conf</tt> file: +<tscreen> +<verb> +# +# do we have any mail? +# +login session optional pam_mail.so +</verb> +</tscreen> + +<p> +Note, if the mail spool file (be it <tt>/var/spool/mail/$USER</tt> or +a pathname given with the <tt>dir=</tt> parameter) is a directory then +<tt>pam_mail</tt> assumes it is in the <it>Qmail Maildir</it> format. + +<p> +Note, some applications may perform this function themselves. In such +cases, this module is not necessary. + +</descrip> + +<sect2>Authentication component + +<p> +Then authentication companent works the same as the session component, +except that everything is done during the <tt>pam_setcred()</tt> phase. + +<!-- +End of sgml insert for this module. +--> 
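Review bot: In the pam_mail hunk the closing section reads "Then authentication companent works the same as the session component"; should be "The authentication component works the same as the session component". The close= item is garbled ("indicate if the user has any mail at the as the user's credentials are revoked"); suggest "report the user's mail status when the user's credentials are revoked". The Session component's Recognized arguments list ends with a stray semicolon after quiet, and nopen is described only in terms of credentials being acquired although it is listed under the Session component; say that it applies to pam_open_session() as well.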
diff --git a/Linux-PAM/doc/modules/pam_mkhomedir.sgml b/Linux-PAM/doc/modules/pam_mkhomedir.sgml new file mode 100644 index 00000000..075e16f9 --- /dev/null +++ b/Linux-PAM/doc/modules/pam_mkhomedir.sgml 
@@ -0,0 +1,83 @@ +<!-- + +Ben Collins <bcollins@debian.org> + +--> + +<sect1>Create home directories on initial login + +<sect2>Synopsis + +<p> +<descrip> + +<tag><bf>Module Name:</bf></tag> +<tt/pam_mkhomedir/ + +<tag><bf>Author:</bf></tag> +Jason Gunthorpe <jgg@ualberta.ca> + +<tag><bf>Maintainer:</bf></tag> +Ben Collins <bcollins@debian.org> + +<tag><bf>Management groups provided:</bf></tag> +Session + +<tag><bf>Cryptographically sensitive:</bf></tag> + +<tag><bf>Security rating:</bf></tag> + +<tag><bf>Clean code base:</bf></tag> + +<tag><bf>System dependencies:</bf></tag> + +<tag><bf>Network aware:</bf></tag> + +</descrip> + +<sect2>Overview of module + +<p> +Creates home directories on the fly for authenticated users. + +<sect2>Session component + +<p> +<descrip> + +<tag><bf>Recognized arguments:</bf></tag> +<tt/debug/; <tt/skel=skeleton-dir/; <tt/umask=octal-umask/; + +<tag><bf>Description:</bf></tag> +This module is useful for distributed systems where the user account is +managed in a central database (such as NIS, NIS+, or LDAP) and accessed +through miltiple systems. It frees the administrator from having to create +a default home directory on each of the systems by creating it upon the +first succesfully authenticated login of that user. The skeleton directory +(usually /etc/skel/) is used to copy default files and also set's a umask +for the creation. + +<p> +The behavior of this module can be modified with one of the following +flags: + +<p> +<itemize> + +<item><tt/skel/ +- The skeleton directory for default files to copy to the new home directory. + +<item><tt/umask/ +- An octal for of the same format as you would pass to the shells umask command. + +</itemize> + +<tag><bf>Examples/suggested usage:</bf></tag> + +session required pam_mkhomedir.so skel=/etc/skel/ umask=0022 + +</descrip> + +<!-- +End of sgml insert for this module. +--> 
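Review bot: The pam_mkhomedir Session component lists debug among the recognized arguments but does not describe it in the item list; add it (the other files in this set document it as "write more information to syslog(3)"). The sentence "The skeleton directory (usually /etc/skel/) is used to copy default files and also set's a umask for the creation" attributes the umask to the skeleton directory, whereas it comes from the umask= argument; rephrase so the two are not conflated. The example line is bare text rather than a <tscreen><verb> block as in the other module files. Typos: "miltiple", "succesfully", "set's", and "An octal for of the same format" (form).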
diff --git a/Linux-PAM/doc/modules/pam_motd.sgml b/Linux-PAM/doc/modules/pam_motd.sgml new file mode 100644 index 00000000..8ddc6392 --- /dev/null +++ b/Linux-PAM/doc/modules/pam_motd.sgml @@ -0,0 +1,77 @@ +<!-- + +Ben Collins <bcollins@debian.org> + +--> + +<sect1>Output the motd file + +<sect2>Synopsis + +<p> +<descrip> + +<tag><bf>Module Name:</bf></tag> +<tt/pam_motd/ + +<tag><bf>Author:</bf></tag> +Ben Collins <bcollins@debian.org> + +<tag><bf>Maintainer:</bf></tag> +Author + +<tag><bf>Management groups provided:</bf></tag> +Session (open) + +<tag><bf>Cryptographically sensitive:</bf></tag> + +<tag><bf>Security rating:</bf></tag> + +<tag><bf>Clean code base:</bf></tag> + +<tag><bf>System dependencies:</bf></tag> + +<tag><bf>Network aware:</bf></tag> + +</descrip> + +<sect2>Overview of module + +<p> +This module outputs the motd file (<em>/etc/motd</em> by default) upon +successful login. + +<sect2>Session component + +<p> +<descrip> + +<tag><bf>Recognized arguments:</bf></tag> +<tt/debug/; <tt/motd=motd-file-name/; + +<tag><bf>Description:</bf></tag> +This module allows you to have arbitrary motd's (message of the day) +output after a succesful login. By default this file is <em>/etc/motd</em>, +but is configurable to any file. + +<p> +The behavior of this module can be modified with one of the following +flags: + +<p> +<itemize> + +<item><tt/motd/ +- the file to output if not using the default. + +</itemize> + +<tag><bf>Examples/suggested usage:</bf></tag> + +login session pam_motd.so motd=/etc/motd + +</descrip> + +<!-- +End of sgml insert for this module. +--> diff --git a/Linux-PAM/doc/modules/pam_nologin.sgml b/Linux-PAM/doc/modules/pam_nologin.sgml new file mode 100644 index 00000000..e2463570 --- /dev/null +++ b/Linux-PAM/doc/modules/pam_nologin.sgml 
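Review bot: The pam_motd example "login session pam_motd.so motd=/etc/motd" is missing the control field; a /etc/pam.conf entry is service, type, control, module path and arguments, so here pam_motd.so would be read as the control token and the line would not do what the text says. Compare "login session optional pam_mail.so" in the pam_mail file and suggest "login session optional pam_motd.so motd=/etc/motd", wrapped in <tscreen><verb> like the other examples. debug is listed under Recognized arguments but not described in the item list, and "succesful" should be "successful".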
@@ -0,0 +1,81 @@ +<!-- + $Id: pam_nologin.sgml,v 1.1.1.2 2002/09/15 20:08:31 hartmans Exp $ + + This file was written by Michael K. Johnson <johnsonm@redhat.com> +--> + +<sect1>The no-login module + +<sect2>Synopsis + +<p> +<descrip> + +<tag><bf>Module Name:</bf></tag> +<tt/pam_nologin/ + +<tag><bf>Author:</bf></tag> +Written by Michael K. Johnson <johnsonm@redhat.com><newline> + +<tag><bf>Maintainer:</bf></tag> + +<tag><bf>Management groups provided:</bf></tag> +account; authentication + +<tag><bf>Cryptographically sensitive:</bf></tag> + +<tag><bf>Security rating:</bf></tag> + +<tag><bf>Clean code base:</bf></tag> + +<tag><bf>System dependencies:</bf></tag> + +<tag><bf>Network aware:</bf></tag> + +</descrip> + +<sect2>Overview of module + +<p> +Provides standard Unix <em/nologin/ authentication. + +<sect2>Authentication component + +<p> +<descrip> + +<tag><bf>Recognized arguments:</bf></tag> +successok, file=<<em/filename/> + +<tag><bf>Description:</bf></tag> + +Provides standard Unix <em/nologin/ authentication. If the file +<tt>/etc/nologin</tt> exists, only root is allowed to log in; other +users are turned away with an error message (and the module returns +<tt/PAM_AUTH_ERR/ or <tt/PAM_USER_UNKNOWN/). All users (root or +otherwise) are shown the contents of <tt>/etc/nologin</tt>. + +<p> +If the file <tt>/etc/nologin</tt> does not exist, this module defaults +to returning <tt/PAM_IGNORE/, but the <tt/successok/ module argument +causes it to return <tt/PAM_SUCCESS/ in this case. + +<p> +The administrator can override the default nologin file with the +<tt/file=/<em/pathname/ module argument. + +<tag><bf>Examples/suggested usage:</bf></tag> + +In order to make this module effective, all login methods should be +secured by it. It should be used as a <tt>required</tt> method listed +before any <tt>sufficient</tt> methods in order to get standard Unix +nologin semantics. 
Note, the use of <tt/successok/ module argument +causes the module to return <tt/PAM_SUCCESS/ and as such would break +such a configuration - failing <tt/sufficient/ modules would lead to a +successful login because the nologin module <em/succeeded/. + +</descrip> + +<!-- +End of sgml insert for this module. +--> diff --git a/Linux-PAM/doc/modules/pam_permit.sgml b/Linux-PAM/doc/modules/pam_permit.sgml new file mode 100644 index 00000000..969e6b84 --- /dev/null +++ b/Linux-PAM/doc/modules/pam_permit.sgml 
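Review bot: The pam_nologin Synopsis says "Management groups provided: account; authentication", but only an Authentication component is documented; either add the Account component (arguments, return values, whether successok applies there too) or drop account from the list. The Description says the module returns "PAM_AUTH_ERR or PAM_USER_UNKNOWN" without saying when each is used; state the condition for PAM_USER_UNKNOWN, since stacks that treat an unknown user differently from a refused one depend on it. The Recognized arguments line uses a comma separator ("successok, file=<filename>") while the rest of the set uses semicolons.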
@@ -0,0 +1,83 @@ +<!-- + $Id: pam_permit.sgml,v 1.1.1.2 2002/09/15 20:08:31 hartmans Exp $ + + This file was written by Andrew G. Morgan <morgan@kernel.org> +--> + +<sect1>The promiscuous module + +<sect2>Synopsis + +<p> +<descrip> + +<tag><bf>Module Name:</bf></tag> +pam_permit + +<tag><bf>Author:</bf></tag> +Andrew G. Morgan, <morgan@kernel.org> + +<tag><bf>Maintainer:</bf></tag> +Linux-PAM maintainer. + +<tag><bf>Management groups provided:</bf></tag> +account; authentication; password; session + +<tag><bf>Cryptographically sensitive:</bf></tag> + +<tag><bf>Security rating:</bf></tag> +VERY LOW. Use with extreme caution. + +<tag><bf>Clean code base:</bf></tag> +Clean. + +<tag><bf>System dependencies:</bf></tag> + +<tag><bf>Network aware:</bf></tag> + +</descrip> + +<sect2>Overview of module + +<p> +This module is very dangerous. It should be used with extreme +caution. Its action is always to permit access. It does nothing else. + +<sect2>Account+Authentication+Password+Session components + +<p> +<descrip> + +<tag><bf>Recognized arguments:</bf></tag> + +<tag><bf>Description:</bf></tag> + +No matter what management group, the action of this module is to +simply return <tt/PAM_SUCCESS/ -- operation successful. + +<p> +In the case of authentication, the user's name will be acquired. Many +applications become confused if this name is unknown. + +<tag><bf>Examples/suggested usage:</bf></tag> + +It is seldom a good idea to use this module. However, it does have +some legitimate uses. For example, if the system-administrator wishes +to turn off the account management on a workstation, and at the same +time continue to allow logins, then she might use the following +configuration file entry for login: +<tscreen> +<verb> +# +# add this line to your other login entries to disable account +# management, but continue to permit users to log in... +# +login account required pam_permit.so +</verb> +</tscreen> + +</descrip> + +<!-- +End of sgml insert for this module. +--> 
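Review bot: The pam_permit example comment "add this line to your other login entries to disable account management, but continue to permit users to log in" is misleading for a required entry: a required pam_permit stacked with other account modules changes nothing, because those modules' failures still fail the stack; it only switches account management off when it is the sole account line for the service. Say that explicitly. Given the "VERY LOW" rating in the Synopsis and the statement that "Its action is always to permit access", the Examples section should also warn that the same module on an auth line admits any user name with no password at all.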
diff --git a/Linux-PAM/doc/modules/pam_pwdb.sgml b/Linux-PAM/doc/modules/pam_pwdb.sgml new file mode 100644 index 00000000..df0cb329 --- /dev/null +++ b/Linux-PAM/doc/modules/pam_pwdb.sgml 
@@ -0,0 +1,249 @@ +<!-- + $Id: pam_pwdb.sgml,v 1.1.1.2 2002/09/15 20:08:32 hartmans Exp $ + + This file was written by Andrew G. Morgan <morgan@kernel.org> +--> + +<sect1>The Password-Database module + +<sect2>Synopsis + +<p> +<descrip> + +<tag><bf>Module Name:</bf></tag> +pam_pwdb + +<tag><bf>Author:</bf></tag> +Cristian Gafton <gafton@redhat.com> <newline> +and Andrew G. Morgan <morgan@kernel.org> + +<tag><bf>Maintainer:</bf></tag> +Red Hat. + +<tag><bf>Management groups provided:</bf></tag> +account; authentication; password; session + +<tag><bf>Cryptographically sensitive:</bf></tag> + +<tag><bf>Security rating:</bf></tag> + +<tag><bf>Clean code base:</bf></tag> + +<tag><bf>System dependencies:</bf></tag> +Requires properly configured <tt/libpwdb/ + +<tag><bf>Network aware:</bf></tag> + +</descrip> + +<sect2>Overview of module + +<p> +This module is a pluggable replacement for the <tt/pam_unix_../ +modules. It uses the generic interface of the <em/Password Database/ +library <tt>libpwdb</tt>. + +<sect2>Account component + +<p> +<descrip> + +<tag><bf>Recognized arguments:</bf></tag> +<tt/debug/ + +<tag><bf>Description:</bf></tag> + +The <tt/debug/ argument makes the accounting functions of this module +<tt/syslog(3)/ more information on its actions. (Remaining arguments +supported by the other functions of this module are silently ignored, +but others are logged as errors through <tt/syslog(3)/). + +Based on the following <tt/pwdb_element/s: +<tt/expire/; +<tt/last_change/; +<tt/max_change/; +<tt/defer_change/; +<tt/warn_change/, +this module performs the task of establishing the status of the user's +account and password. In the case of the latter, it may offer advice +to the user on changing their password or, through the +<tt/PAM_AUTHTOKEN_REQD/ return, delay giving service to the user until +they have established a new password. The entries listed above are +documented in the <em/Password Database Library Guide/ (see pointer +above). 
Should the user's record not contain one or more of these +entries, the corresponding <em/shadow/ check is not performed. + +<tag><bf>Examples/suggested usage:</bf></tag> + +In its accounting mode, this module can be inserted as follows: +<tscreen> +<verb> +# +# Ensure users account and password are still active +# +login account required pam_pwdb.so +</verb> +</tscreen> + +</descrip> + +<sect2>Authentication component + +<p> +<descrip> + +<tag><bf>Recognized arguments:</bf></tag> +<tt/debug/; +<tt/use_first_pass/; +<tt/try_first_pass/; +<tt/nullok/; +<tt/nodelay/; +<tt/likeauth/ + +<tag><bf>Description:</bf></tag> + +The <tt/debug/ argument makes the authentication functions of this +module <tt/syslog(3)/ more information on its actions. + +<p> +The default action of this module is to not permit the user access to +a service if their <em/official/ password is blank. The <tt/nullok/ +argument overrides this default. + +<p> +When given the argument <tt/try_first_pass/, before prompting the user +for their password, the module first tries the previous stacked +<tt/auth/-module's password in case that satisfies this module as +well. The argument <tt/use_first_pass/ forces the module to use such a +recalled password and will never prompt the user - if no password is +available or the password is not appropriate, the user will be denied +access. + +<p> +The argument, <tt>nodelay</tt>, can be used to discourage the +authentication component from requesting a delay should the +authentication as a whole fail. The default action is for the module +to request a delay-on-failure of the order of one second. + +<p> +Remaining arguments, supported by the other functions of this module, +are silently ignored. Other arguments are logged as errors through +<tt/syslog(3)/. + +<p> +A helper binary, <tt>pwdb_chkpwd</tt>, is provided to check the user's +password when it is stored in a read protected database. 
This binary +is very simple and will only check the password of the user invoking +it. It is called transparently on behalf of the user by the +authenticating component of this module. In this way it is possible +for applications like <em>xlock</em> to work without being setuid-root. + +<p> +The <tt>likeauth</tt> argument makes the module return the same value +when called as a credential setting module and an authentication +module. This will help libpam take a sane path through the auth +component of your configuration file. + +<tag><bf>Examples/suggested usage:</bf></tag> + +The correct functionality of this module is dictated by having an +appropriate <tt>/etc/pwdb.conf</tt> file, the user +databases specified there dictate the source of the authenticated +user's record. + +</descrip> + +<sect2>Password component + +<p> +<descrip> + +<tag><bf>Recognized arguments:</bf></tag> +<tt/debug/; <tt/nullok/; <tt/not_set_pass/; <tt/use_authtok/; +<tt/try_first_pass/; <tt/use_first_pass/; <tt/md5/; <tt/bigcrypt/; +<tt/shadow/; <tt/radius/; <tt/unix/ + +<tag><bf>Description:</bf></tag> + +This part of the <tt/pam_pwdb/ module performs the task of updating +the user's password. Thanks to the flexibility of <tt/libpwdb/ this +module is able to move the user's password from one database to +another, perhaps securing the user's database entry in a dynamic +manner (<em/this is very ALPHA code at the moment!/) - this is the +purpose of the <tt/shadow/, <tt/radius/ and <tt/unix/ arguments. + +<p> +In the case of conventional unix databases (which store the password +encrypted) the <tt/md5/ argument is used to do the encryption with the +MD5 function as opposed to the <em/conventional/ <tt/crypt(3)/ call. +As an alternative to this, the <tt/bigcrypt/ argument can be used to +encrypt more than the first 8 characters of a password with DEC's +(Digital Equipment Cooperation) `C2' extension to the standard UNIX +<tt/crypt()/ algorithm. 
+ +<p> +The <tt/nullok/ module is used to permit the changing of a password +<em/from/ an empty one. Without this argument, empty passwords are +treated as account-locking ones. + +<p> +The argument <tt/use_first_pass/ is used to lock the choice of old and +new passwords to that dictated by the previously stacked <tt/password/ +module. The <tt/try_first_pass/ argument is used to avoid the user +having to re-enter an old password when <tt/pam_pwdb/ follows a module +that possibly shared the user's old password - if this old password is +not correct the user will be prompted for the correct one. The +argument <tt/use_authtok/ is used to <em/force/ this module to set the +new password to the one provided by the previously stacked +<tt/password/ module (this is used in an example of the stacking of +the <em/Cracklib/ module documented above). + +<p> +The <tt/not_set_pass/ argument is used to inform the module that it is +not to pay attention to/make available the old or new passwords from/to +other (stacked) password modules. + +<p> +The <tt/debug/ argument makes the password functions of this module +<tt/syslog(3)/ more information on its actions. Other arguments may be +logged as erroneous to <tt/syslog(3)/. + +<tag><bf>Examples/suggested usage:</bf></tag> + +An example of the stacking of this module with respect to the +pluggable password checking module, <tt/pam_cracklib/, is given in +that modules section above. +</descrip> + +<sect2>Session component + +<p> +<descrip> + +<tag><bf>Recognized arguments:</bf></tag> + +<tag><bf>Description:</bf></tag> + +No arguments are recognized by this module component. Its action is +simply to log the username and the service-type to +<tt/syslog(3)/. Messages are logged at the beginning and end of the +user's session. 
+ +<tag><bf>Examples/suggested usage:</bf></tag> + +The use of the session modules is straightforward: +<tscreen> +<verb> +# +# pwdb - unix like session opening and closing +# +login session required pam_pwdb.so +</verb> +</tscreen> + +</descrip> + +<!-- +End of sgml insert for this module. +--> diff --git a/Linux-PAM/doc/modules/pam_radius.sgml b/Linux-PAM/doc/modules/pam_radius.sgml new file mode 100644 index 00000000..b452bebd --- /dev/null +++ b/Linux-PAM/doc/modules/pam_radius.sgml 
@@ -0,0 +1,117 @@ +<!-- + $Id: pam_radius.sgml,v 1.1.1.1 2001/04/29 04:16:57 hartmans Exp $ + + This file was written by Cristian Gafton <gafton@redhat.com> +--> + +<sect1>The RADIUS session module + +<sect2>Synopsis + +<p> +<descrip> + +<tag><bf>Module Name:</bf></tag> +<tt/pam_radius/ + +<tag><bf>Author:</bf></tag> +Cristian Gafton <gafton@redhat.com> + +<tag><bf>Maintainer:</bf></tag> +Author. + +<tag><bf>Management groups provided:</bf></tag> +session + +<tag><bf>Cryptographically sensitive:</bf></tag> +This module does not deal with passwords + +<tag><bf>Security rating:</bf></tag> + +<tag><bf>Clean code base:</bf></tag> +gcc reports 1 warning when compiling <tt>/usr/include/rpc/clnt.h</tt>. +Hey, is not my fault ! + +<tag><bf>System dependencies:</bf></tag> + +<tag><bf>Network aware:</bf></tag> + +yes; this is a network module (independent of application). + +</descrip> + +<sect2>Overview of module + +<p> +This module is intended to provide the session service for users +authenticated with a RADIUS server. At the present stage, the only +option supported is the use of the RADIUS server as an accounting +server. + +<sect2>Session component + +<p> +<descrip> + +<tag><bf>Recognized arguments:</bf></tag> + +<tt/debug/ - verbose logging to <tt/syslog(3)/. + +<tag><bf>Description:</bf></tag> + +This module is intended to provide the session service for users +authenticated with a RADIUS server. At the present stage, the only +option supported is the use of the RADIUS server as an <em/accounting/ +server. + +<p> +(There are few things which needs to be cleared out first in +the PAM project until one will be able to use this module and expect +it to magically start pppd in response to a RADIUS server command to +use PPP for this user, or to initiate a telnet connection to another +host, or to hang and call back the user using parameters provided in +the RADIUS server response. Most of these things are better suited for +the radius login application. 
I hope to make available Real Soon (tm) +patches for the login apps to make it work this way.) + +<p> +When opening a session, this module sends an ``Accounting-Start'' +message to the RADIUS server, which will log/update/whatever a +database for this user. On close, an ``Accounting-Stop'' message is +sent to the RADIUS server. + +<p> +This module has no other prerequisites for making it work. One can +install a RADIUS server just for fun and use it as a centralized +accounting server and forget about wtmp/last/sac etc. . + +<tag><bf>Examples/suggested usage:</bf></tag> + +For the services that need this module (<em/login/ for example) put +the following line in <tt>/etc/pam.conf</tt> as the last line for that +service (usually after the pam_unix session line): +<tscreen> +<verb> +login session required pam_radius.so +</verb> +</tscreen> +Replace <tt/login/ for each service you are using this module. + +<p> +This module make extensive use of the API provided in libpwdb +0.54preB or later. By default, it will read the radius server +configuration (hostname and secret) from <tt>/etc/raddb/server</tt>. +This is a default compiled into libpwdb, and curently there is no way to +modify this default without recompiling libpwdb. I am working on +extending the radius support from libpwdb to provide a possibility +to make this runtime-configurable. + +Also please note that libpwdb will require also the RADIUS +dictionary to be present (<tt>/etc/raddb/dictionary</tt>). + +</descrip> + +<!-- +End of sgml insert for this module. +--> + diff --git a/Linux-PAM/doc/modules/pam_rhosts.sgml b/Linux-PAM/doc/modules/pam_rhosts.sgml new file mode 100644 index 00000000..4b9d1a89 --- /dev/null +++ b/Linux-PAM/doc/modules/pam_rhosts.sgml 
@@ -0,0 +1,164 @@ +<!-- + $Id: pam_rhosts.sgml,v 1.1.1.2 2002/09/15 20:08:32 hartmans Exp $ + + This file was written by Andrew G. Morgan <morgan@kernel.org> +--> + +<sect1>The rhosts module + +<sect2>Synopsis + +<p> +<descrip> + +<tag><bf>Module Name:</bf></tag> +<tt/pam_rhosts_auth/ + +<tag><bf>Author:</bf></tag> +Al Longyear <longyear@netcom.com> + +<tag><bf>Maintainer:</bf></tag> + +<tag><bf>Management groups provided:</bf></tag> +authentication + +<tag><bf>Cryptographically sensitive:</bf></tag> + +<tag><bf>Security rating:</bf></tag> + +<tag><bf>Clean code base:</bf></tag> +Clean. + +<tag><bf>System dependencies:</bf></tag> + +<tag><bf>Network aware:</bf></tag> +Standard <tt/inet_addr()/, <tt/gethostbyname()/ function calls. + +</descrip> + +<sect2>Overview of module + +<p> +This module performs the standard network authentication for services, +as used by traditional implementations of <em/rlogin/ and <em/rsh/ +etc. + +<sect2>Authentication component + +<p> +<descrip> + +<tag><bf>Recognized arguments:</bf></tag> +<tt/no_hosts_equiv/; <tt/no_rhosts/; <tt/debug/; <tt/no_warn/; +<tt/privategroup/; <tt/promiscuous/; <tt/suppress/ + +<tag><bf>Description:</bf></tag> + +The authentication mechanism of this module is based on the contents +of two files; <tt>/etc/hosts.equiv</tt> (or <tt/_PATH_HEQUIV/ in +<tt>#include <netdb.h></tt>) and <tt>~/.rhosts</tt>. Firstly, +hosts listed in the former file are treated as equivalent to the +localhost. Secondly, entries in the user's own copy of the latter file +is used to map "<tt/remote-host remote-user/" pairs to that user's +account on the current host. Access is granted to the user if their +host is present in <tt>/etc/hosts.equiv</tt> and their remote account +is identical to their local one, or if their remote account has an +entry in their personal configuration file. 
+ +<p> +Some restrictions are applied to the attributes of the user's personal +configuration file: it must be a regular file (as defined by +<tt/S_ISREG(x)/ of POSIX.1); it must be owned by the <em/superuser/ or +the user; it must not be writable by any user besides its owner. + +<p> +The module authenticates a remote user (internally specified by the +item <tt/PAM_RUSER/) connecting from the remote host (internally +specified by the item <tt/PAM_RHOST/). Accordingly, for applications +to be compatible this authentication module they must set these items +prior to calling <tt/pam_authenticate()/. The module is not capable +of independently probing the network connection for such information. + +<p> +In the case of <tt/root/-access, the <tt>/etc/host.equiv</tt> file is +<em/ignored/ unless the <tt>hosts_equiv_rootok</tt> option +should be used. Instead, the superuser must have a correctly configured +personal configuration file. + +<p> +The behavior of the module is modified by flags: +<itemize> +<item> +<tt/debug/ - +log more information to <tt/syslog(3)/. (XXX - actually, this module +does not do any logging currently, please volunteer to fix this!) + +<item> +<tt/no_warn/ - +do not give verbal warnings to the user about failures etc. (XXX - +this module currently does not issue any warnings, please volunteer to +fix this!) + +<item> +<tt/no_hosts_equiv/ - +ignore the contents of the <tt>/etc/hosts.equiv</tt> file. + +<item> +<tt/hosts_equiv_rootok/ - +allow the use of <tt>/etc/hosts.equiv</tt> for superuser. Without this +option <tt>/etc/hosts.equiv</tt> is not consulted for the superuser account. +This option has no effect if the <tt>no_hosts_equiv</tt> option is used. + +<item> +<tt/no_rhosts/ - +ignore the contents of all user's personal configuration file +<tt>~/.rhosts</tt>. + +<item> +<tt/privategroup/ - +normally, the <tt>~/.rhosts</tt> file must not be writable by anyone +other than its owner. 
This option overlooks group write access in the +case that the group owner of this file has the same name as the +user being authenticated. To lessen the security problems associated +with this option, the module also checks that the user is the only +member of their private group. + +<item> +<tt/promiscuous/ - +A host entry of `+' will lead to all hosts being granted +access. Without this option, '+' entries will be ignored. Note, that +the <tt/debug/ option will syslog a warning in this latter case. + +<item> +<tt/suppress/ - +This will prevent the module from <tt/syslog(3)/ing a warning message +when this authentication fails. This option is mostly for keeping +logs free of meaningless errors, in particular when the module is used +with the <tt/sufficient/ control flag. + +</itemize> +<tag><bf>Examples/suggested usage:</bf></tag> + +To allow users to login from trusted remote machines, you should try +adding the following line to your <tt>/etc/pam.conf</tt> file +<em/before/ the line that would otherwise prompt the user for a +password: +<tscreen> +<verb> +# +# No passwords required for users from hosts listed above. +# +login auth sufficient pam_rhosts_auth.so no_rhosts +</verb> +</tscreen> +Note, in this example, the system administrator has turned off all +<em/personal/ <em/rhosts/ configuration files. Also note, that this module +can be used to <em/only/ allow remote login from hosts specified in +the <tt>/etc/host.equiv</tt> file, by replacing <tt/sufficient/ in the +above example with <tt/required/. + +</descrip> + +<!-- +End of sgml insert for this module. +--> diff --git a/Linux-PAM/doc/modules/pam_rootok.sgml b/Linux-PAM/doc/modules/pam_rootok.sgml new file mode 100644 index 00000000..e882f4d5 --- /dev/null +++ b/Linux-PAM/doc/modules/pam_rootok.sgml 
@@ -0,0 +1,85 @@ +<!-- + $Id: pam_rootok.sgml,v 1.1.1.2 2002/09/15 20:08:32 hartmans Exp $ + + This file was written by Andrew G. Morgan <morgan@kernel.org> +--> + +<sect1>The root access module + +<sect2>Synopsis + +<p> +<descrip> + +<tag><bf>Module Name:</bf></tag> +pam_rootok + +<tag><bf>Author:</bf></tag> +Andrew G. Morgan <morgan@kernel.org> + +<tag><bf>Maintainer:</bf></tag> +<bf>Linux-PAM</bf> maintainer + +<tag><bf>Management groups provided:</bf></tag> +authentication + +<tag><bf>Cryptographically sensitive:</bf></tag> + +<tag><bf>Security rating:</bf></tag> + +<tag><bf>Clean code base:</bf></tag> +Clean. + +<tag><bf>System dependencies:</bf></tag> + +<tag><bf>Network aware:</bf></tag> + +</descrip> + +<sect2>Overview of module + +<p> +This module is for use in situations where the superuser wishes +to gain access to a service without having to enter a password. + +<sect2>Authentication component + +<p> +<descrip> + +<tag><bf>Recognized arguments:</bf></tag> +<tt/debug/ + +<tag><bf>Description:</bf></tag> + +This module authenticates the user if their <tt/uid/ is <tt/0/. +Applications that are created <em/setuid/-root generally retain the +<tt/uid/ of the user but run with the authority of an enhanced +<em/effective-/<tt/uid/. It is the real <tt/uid/ that is checked. + +<tag><bf>Examples/suggested usage:</bf></tag> + +In the case of the <tt/su/ application the historical usage is to +permit the superuser to adopt the identity of a lesser user without +the use of a password. To obtain this behavior under <tt/Linux-PAM/ +the following pair of lines are needed for the corresponding entry in +the configuration file: +<tscreen> +<verb> +# +# su authentication. Root is granted access by default. +# +su auth sufficient pam_rootok.so +su auth required pam_unix_auth.so +</verb> +</tscreen> + +<p> +Note. For programs that are run by the superuser (or started when the +system boots) this module should not be used to authenticate users. 
+ +</descrip> + +<!-- +End of sgml insert for this module. +--> diff --git a/Linux-PAM/doc/modules/pam_securetty.sgml b/Linux-PAM/doc/modules/pam_securetty.sgml new file mode 100644 index 00000000..f500b8b2 --- /dev/null +++ b/Linux-PAM/doc/modules/pam_securetty.sgml @@ -0,0 +1,72 @@ +<!-- + $Id: pam_securetty.sgml,v 1.1.1.1 2001/04/29 04:16:57 hartmans Exp $ + + This file was written by Michael K. Johnson <johnsonm@redhat.com> +--> + +<sect1>The securetty module + +<sect2>Synopsis + +<p> +<descrip> + +<tag><bf>Module Name:</bf></tag> +<tt/pam_securetty/ + +<tag><bf>Author[s]:</bf></tag> +Elliot Lee <sopwith@cuc.edu> + +<tag><bf>Maintainer:</bf></tag> +Red Hat Software:<newline> +<em/currently/ Michael K. Johnson <johnsonm@redhat.com><newline> +(if unavailable, contact Elliot Lee <sopwith@cuc.edu>). + +<tag><bf>Management groups provided:</bf></tag> +authentication + +<tag><bf>Cryptographically sensitive:</bf></tag> + +<tag><bf>Security rating:</bf></tag> + +<tag><bf>Clean code base:</bf></tag> + +<tag><bf>System dependencies:</bf></tag> +<tt>/etc/securetty</tt> file + +<tag><bf>Network aware:</bf></tag> + +Requires the application to fill in the <tt>PAM_TTY</tt> item +correctly in order to act meaningfully. + +</descrip> + +<sect2>Overview of module + +<p> +Provides standard Unix securetty checking. + +<sect2>Authentication component + +<p> +<descrip> + +<tag><bf>Recognized arguments:</bf></tag> + +<tag><bf>Description:</bf></tag> + +Provides standard Unix securetty checking, which causes authentication +for root to fail unless <tt>PAM_TTY</tt> is set to a string listed in +the <tt>/etc/securetty</tt> file. For all other users, it succeeds. + +<tag><bf>Examples/suggested usage:</bf></tag> + +For canonical usage, should be listed as a <tt>required</tt> +authentication method before any <tt>sufficient</tt> authentication +methods. + +</descrip> + +<!-- +End of sgml insert for this module. +--> 
diff --git a/Linux-PAM/doc/modules/pam_tally.sgml b/Linux-PAM/doc/modules/pam_tally.sgml new file mode 100644 index 00000000..a2d03435 --- /dev/null +++ b/Linux-PAM/doc/modules/pam_tally.sgml 
@@ -0,0 +1,191 @@ +<!-- + + $Id: pam_tally.sgml,v 1.1.1.1 2001/04/29 04:16:57 hartmans Exp $ + + This template file was written by Andrew G. Morgan <morgan@kernel.org> + adapted from text provided by Tim Baverstock. +--> + +<sect1>The login counter (tallying) module + +<sect2>Synopsis + +<p> +<descrip> + +<tag><bf>Module Name:</bf></tag> +pam_tally + +<tag><bf>Author[s]:</bf></tag> +Tim Baverstock + +<tag><bf>Maintainer:</bf></tag> + +<tag><bf>Management groups provided:</bf></tag> +auth; account + +<tag><bf>Cryptographically sensitive:</bf></tag> + +<tag><bf>Security rating:</bf></tag> + +<tag><bf>Clean code base:</bf></tag> + +<tag><bf>System dependencies:</bf></tag> +A faillog file (default location /var/log/faillog) + +<tag><bf>Network aware:</bf></tag> + +</descrip> + +<sect2>Overview of module + +<p> +This module maintains a count of attempted accesses, can reset count +on success, can deny access if too many attempts fail. + +<p> +pam_tally comes in two parts: <tt>pam_tally.so</tt> and +<tt>pam_tally</tt>. The former is the PAM module and the latter, a +stand-alone program. <tt>pam_tally</tt> is an (optional) application +which can be used to interrogate and manipulate the counter file. It +can display users' counts, set individual counts, or clear all +counts. Setting artificially high counts may be useful for blocking +users without changing their passwords. For example, one might find it +useful to clear all counts every midnight from a cron job. + +<p> +The counts file is organized as a binary-word array, indexed by +uid. You can probably make sense of it with <tt>od</tt>, if you don't +want to use the supplied appliction. + +<p> +Note, there are some outstanding issues with this module: +<tt>pam_tally</tt> is very dependant on <tt>getpw*()</tt> - a database +of usernames would be much more flexible; the `keep a count of current +logins' bit has been <tt>#ifdef</tt>'d out and you can only reset the +counter on successful authentication, for now. 
+ +<sect3>Generic options accepted by both components +<p> +<itemize> +<item> <tt>onerr=</tt>(<tt>succeed</tt>|<tt>fail</tt>): + if something weird happens, such as unable to open the file, how + should the module react? +<item> <tt>file=</tt><em>/where/to/keep/counts</em>: + specify the file location for the counts. + The default location is <tt>/var/log/faillog</tt>. +</itemize> + +<sect2>Authentication component + +<p> +<descrip> + +<tag><bf>Recognized arguments:</bf></tag> +<tt>onerr=</tt>(<tt>succeed</tt>|<tt>fail</tt>); +<tt>file=</tt>/where/to/keep/counts; +<tt>no_magic_root</tt> + +<tag><bf>Description:</bf></tag> + +<p> +The authentication component of this module increments the attempted +login counter. + +<p> +<tag><bf>Examples/suggested usage:</bf></tag> + +<p> +The module argument <tt>no_magic_root</tt> is used to indicate that if +the module is invoked by a user with uid=0, then the counter is +incremented. The sys-admin should use this for daemon-launched +services, like <tt>telnet</tt>/<tt>rsh</tt>/<tt>login</tt>. For user +launched services, like <tt>su</tt>, this argument should be omitted. + +<p> +By way of more explanation, when a process already running as root +tries to access some service, the access is <em>magic</em>, and +bypasses <tt>pam_tally</tt>'s checks: this is handy for <tt>su</tt>ing +from root into an account otherwise blocked. However, for services +like <tt>telnet</tt> or <tt>login</tt>, which always effectively run +from the root account, root (ie everyone) shouldn't be granted this +magic status, and the flag `no_magic_root' should be set in this +situation, as noted in the summary above. 
+ +</descrip> + +<sect2>Account component + +<p> +<descrip> + +<tag><bf>Recognized arguments:</bf></tag> +<tt>onerr=</tt>(<tt>succeed</tt>|<tt>fail</tt>); +<tt>file=</tt>/where/to/keep/counts; +<tt>deny=</tt><em>n</em>; +<tt>no_magic_root</tt>; +<tt>even_deny_root_account</tt>; +<tt>reset</tt>; +<tt>no_reset</tt>; +<tt>per_user</tt>; +<tt>no_lock_time</tt> + +<tag><bf>Description:</bf></tag> + +<p> +The account component can deny access and/or reset the attempts +counter. It also checks to make sure that the counts file is a plain +file and not world writable. + +<tag><bf>Examples/suggested usage:</bf></tag> + +<p> +The <tt>deny=</tt><em>n</em> option is used to deny access if tally +for this user exceeds <em>n</em>. The presence of +<tt>deny=</tt><em>n</em> changes the default for +<tt>reset</tt>/<tt>no_reset</tt> to <tt>reset</tt>, unless the user +trying to gain access is root and the <tt>no_magic_root</tt> option +has NOT been specified. + +<p> +The <tt>no_magic_root</tt> option ensures that access attempts by root +DON'T ignore deny. Use this for daemon-based stuff, like +<tt>telnet</tt>/<tt>rsh</tt>/<tt>login</tt>. + +<p> +The <tt>even_deny_root_account</tt> option is used to ensure that the +root account can become unavailable. <bf>Note</bf> that magic root +trying to gain root bypasses this, but normal users can be locked out. + +<p> +The <tt>reset</tt> option instructs the module to reset count to 0 on +successful entry, even for magic root. The <tt>no_reset</tt> option is +used to instruct the module to not reset the count on successful +entry. This is the default unless <tt>deny</tt> exists and the user +attempting access is NOT magic root. + +<p> +If <tt>/var/log/faillog</tt> contains a non-zero <tt>.fail_max</tt> +field for this user then the <tt>per_user</tt> module argument will +ensure that the module uses this value and not the global +<tt>deny=</tt><em>n</em> parameter. 
+ +<p> +The <tt>no_lock_time</tt> option is for ensuring that the module does +not use the <tt>.fail_locktime</tt> field in /var/log/faillog for this +user. + +<p> +Normally, failed attempts to access root will <bf>NOT</bf> cause the +root account to become blocked, to prevent denial-of-service: if your +users aren't given shell accounts and root may only login via +<tt>su</tt> or at the machine console (not +<tt>telnet</tt>/<tt>rsh</tt>, etc), this is safe. If you really want +root to be blocked for some given service, use +<tt>even_deny_root_account</tt>. + +</descrip> + +<!-- +End of sgml insert for this module. +--> diff --git a/Linux-PAM/doc/modules/pam_time.sgml b/Linux-PAM/doc/modules/pam_time.sgml new file mode 100644 index 00000000..785f76c2 --- /dev/null +++ b/Linux-PAM/doc/modules/pam_time.sgml 
@@ -0,0 +1,166 @@ +<!-- + $Id: pam_time.sgml,v 1.1.1.2 2002/09/15 20:08:33 hartmans Exp $ + + This file was written by Andrew G. Morgan <morgan@kernel.org> +--> + +<sect1>Time control + +<sect2>Synopsis + +<p> +<descrip> + +<tag><bf>Module Name:</bf></tag> +<tt/pam_time/ + +<tag><bf>Author:</bf></tag> +Andrew G. Morgan <tt><morgan@kernel.org></tt> + +<tag><bf>Maintainer:</bf></tag> +Author + +<tag><bf>Management groups provided:</bf></tag> +account + +<tag><bf>Cryptographically sensitive:</bf></tag> + +<tag><bf>Security rating:</bf></tag> + +<tag><bf>Clean code base:</bf></tag> + +<tag><bf>System dependencies:</bf></tag> +Requires a configuration file <tt>/etc/security/time.conf</tt> + +<tag><bf>Network aware:</bf></tag> +Through the <tt/PAM_TTY/ item only + +</descrip> + +<sect2>Overview of module + +<p> +Running a well regulated system occasionally involves restricting +access to certain services in a selective manner. This module offers +some time control for access to services offered by a system. Its +actions are determined with a configuration file. This module can be +configured to deny access to (individual) users based on their name, +the time of day, the day of week, the service they are applying for +and their terminal from which they are making their request. + +<sect2>Account component + +<p> +<descrip> + +<tag><bf>Recognized arguments:</bf></tag> + +<tag><bf>Description:</bf></tag> + +This module bases its actions on the rules listed in its configuration +file: <tt>/etc/security/time.conf</tt>. Each rule has the following +form, +<tscreen> +<em/services/<tt/;/<em/ttys/<tt/;/<em/users/<tt/;/<em/times/ +</tscreen> +In words, each rule occupies a line, terminated with a newline or the +beginning of a comment; a `<tt/#/'. It contains four fields separated +with semicolons, `<tt/;/'. The fields are as follows: + +<p> +<itemize> +<item><em/services/ - +a logic list of service names that are affected by this rule. 
+ +<item><em/ttys/ - +a logic list of terminal names indicating those terminals covered by +the rule. + +<item><em/user/ - +a logic list of usernames to which this rule applies + +<p> +By a logic list we mean a sequence of tokens (associated with the +appropriate <tt/PAM_/ item), containing no more than one wildcard +character; `<tt/*/', and optionally prefixed with a negation operator; +`<tt/!/'. Such a sequence is concatenated with one of two logical +operators: <tt/&/ (logical AND) and <tt/|/ (logical OR). Two +examples are: <tt>!morgan&!root</tt>, indicating that this rule +does not apply to the user <tt>morgan</tt> nor to <tt>root</tt>; and +<tt>tty*&!ttyp*</tt>, which indicates that the rule applies only +to console terminals but not pseudoterminals. + +<item><em/times/ - a logic list of times at which this rule +applies. The format of each element is a day/time-range. The days are +specified by a sequence of two character entries. For example, +<tt/MoTuSa/, indicates Monday Tuesday and Saturday. Note that +repeated days are <em/unset/; <tt/MoTuMo/ indicates Tuesday, and +<tt/MoWk/ means all weekdays bar Monday. The two character +combinations accepted are, +<tscreen> +<verb> +Mo Tu We Th Fr Sa Su Wk Wd Al +</verb> +</tscreen> +The last two of these being <em/weekend/ days and <em/all 7 days/ of +the week respectively. + +<p> +The time range part is a pair of 24-hour times, <em/HHMM/, separated +by a hyphen -- indicating the start and finish time for the rule. If +the finsish time is smaller than the start time, it is assumed to +apply on the following day. For an example, <tt/Mo1800-0300/ indicates +that the permitted times are Monday night from 6pm to 3am the +following morning. + +</itemize> + +<p> +Note, that the given time restriction is only applied when the first +three fields are satisfied by a user's application for service. + +<p> +For convenience and readability a rule can be extended beyond a single +line with a `<tt>\</tt><em/newline/'. 
+ +<tag><bf>Examples/suggested usage:</bf></tag> + +The use of this module is initiated with an entry in the +<bf/Linux-PAM/ configuration file of the following type: +<tscreen> +<verb> +# +# apply pam_time accounting to login requests +# +login account required pam_time.so +</verb> +</tscreen> +where, here we are applying the module to the <em/login/ application. + +<p> +Some examples of rules that can be placed in the +<tt>/etc/security/time.conf</tt> configuration file are the following: +<descrip> + +<tag><tt>login ; tty* & !ttyp* ; !root ; !Al0000-2400</tt></tag> +all users except for <tt/root/ are denied access to console-login at +all times. + +<tag><tt>games ; * ; !waster ; Wd0000-2400 | Wk1800-0800</tt></tag> +games (configured to use Linux-PAM) are only to be accessed out of +working hours. This rule does not apply to the user <tt/waster/. + +</descrip> + +<p> +Note, currently there is no daemon enforcing the end of a session. +This needs to be remedied. + +<p> +Poorly formatted rules are logged as errors using <tt/syslog(3)/. + +</descrip> + +<!-- +End of sgml insert for this module. +--> diff --git a/Linux-PAM/doc/modules/pam_unix.sgml b/Linux-PAM/doc/modules/pam_unix.sgml new file mode 100644 index 00000000..286cd3f8 --- /dev/null +++ b/Linux-PAM/doc/modules/pam_unix.sgml 
@@ -0,0 +1,288 @@ +<!-- + This file was written by Andrew G. Morgan <morgan@kernel.org> + + Converted from the pam_pwdb.sgml file for pam_unix by Ben Collins <bcollins@debian.org> +--> + +<sect1>The Unix Password module + +<sect2>Synopsis + +<p> +<descrip> + +<tag><bf>Module Name:</bf></tag> +pam_unix + +<tag><bf>Author:</bf></tag> + +<tag><bf>Maintainer:</bf></tag> + +<tag><bf>Management groups provided:</bf></tag> +account; authentication; password; session + +<tag><bf>Cryptographically sensitive:</bf></tag> + +<tag><bf>Security rating:</bf></tag> + +<tag><bf>Clean code base:</bf></tag> + +<tag><bf>System dependencies:</bf></tag> + +<tag><bf>Network aware:</bf></tag> + +</descrip> + +<sect2>Overview of module + +<p> +This is the standard Unix authentication module. It uses standard calls +from the system's libraries to retrieve and set account information as +well as authentication. Usually this is obtained from the /etc/passwd +and the /etc/shadow file as well if shadow is enabled. + +<sect2>Account component + +<p> +<descrip> + +<tag><bf>Recognized arguments:</bf></tag> +<tt/debug/; <tt/audit/ + +<tag><bf>Description:</bf></tag> + +The <tt/debug/ argument makes the accounting functions of this module +<tt/syslog(3)/ more information on its actions. (Remaining arguments +supported by the other functions of this module are silently ignored, +but others are logged as errors through <tt/syslog(3)/). The <tt/audit/ +argument causes even more logging. + +Based on the following <tt/shadow/ elements: +<tt/expire/; +<tt/last_change/; +<tt/max_change/; +<tt/min_change/; +<tt/warn_change/, +this module performs the task of establishing the status of the user's +account and password. In the case of the latter, it may offer advice +to the user on changing their password or, through the +<tt/PAM_AUTHTOKEN_REQD/ return, delay giving service to the user until +they have established a new password. The entries listed above are +documented in the <em/GNU Libc/ info documents. 
Should the user's record +not contain one or more of these entries, the corresponding <em/shadow/ +check is not performed. + +<tag><bf>Examples/suggested usage:</bf></tag> + +In its accounting mode, this module can be inserted as follows: +<tscreen> +<verb> +# +# Ensure users account and password are still active +# +login account required pam_unix.so +</verb> +</tscreen> + +</descrip> + +<sect2>Authentication component + +<p> +<descrip> + +<tag><bf>Recognized arguments:</bf></tag> +<tt/debug/; +<tt/audit/; +<tt/use_first_pass/; +<tt/try_first_pass/; +<tt/nullok/; +<tt/nodelay/ + +<tag><bf>Description:</bf></tag> + +The <tt/debug/ argument makes the authentication functions of this +module <tt/syslog(3)/ more information on its actions. The <tt/audit/ +causes even more information to be logged. + +<p> +The default action of this module is to not permit the user access to +a service if their <em/official/ password is blank. The <tt/nullok/ +argument overrides this default. + +<p> +When given the argument <tt/try_first_pass/, before prompting the user +for their password, the module first tries the previous stacked +<tt/auth/-module's password in case that satisfies this module as +well. The argument <tt/use_first_pass/ forces the module to use such a +recalled password and will never prompt the user - if no password is +available or the password is not appropriate, the user will be denied +access. + +<p> +The argument, <tt>nodelay</tt>, can be used to discourage the +authentication component from requesting a delay should the +authentication as a whole fail. The default action is for the module +to request a delay-on-failure of the order of one second. + +<p> +Remaining arguments, supported by the other functions of this module, +are silently ignored. Other arguments are logged as errors through +<tt/syslog(3)/. + +<p> +A helper binary, <tt>unix_chkpwd</tt>, is provided to check the user's +password when it is stored in a read protected database. 
This binary +is very simple and will only check the password of the user invoking +it. It is called transparently on behalf of the user by the +authenticating component of this module. In this way it is possible +for applications like <em>xlock</em> to work without being setuid-root. + +<tag><bf>Examples/suggested usage:</bf></tag> + +The correct functionality of this module is dictated by having an +appropriate <tt>/etc/nsswitch.conf</tt> file, the user +databases specified there dictate the source of the authenticated +user's record. +<p> +In its authentication mode, this module can be inserted as follows: +<tscreen> +<verb> +# +# Authenticate the user +# +login auth required pam_unix.so +</verb> +</tscreen> + +</descrip> + +<sect2>Password component + +<p> +<descrip> + +<tag><bf>Recognized arguments:</bf></tag> +<tt/debug/; +<tt/audit/; +<tt/nullok/; +<tt/not_set_pass/; +<tt/use_authtok/; +<tt/try_first_pass/; +<tt/use_first_pass/; +<tt/md5/; +<tt/bigcrypt/; +<tt/shadow/; +<tt/nis/; +<tt/remember/ + +<tag><bf>Description:</bf></tag> + +This part of the <tt/pam_unix/ module performs the task of updating +the user's password. + +<p> +In the case of conventional unix databases (which store the password +encrypted) the <tt/md5/ argument is used to do the encryption with the +MD5 function as opposed to the <em/conventional/ <tt/crypt(3)/ call. +As an alternative to this, the <tt/bigcrypt/ argument can be used to +encrypt more than the first 8 characters of a password with DEC's +(Digital Equipment Cooperation) `C2' extension to the standard UNIX +<tt/crypt()/ algorithm. + +<p> +The <tt/nullok/ argument is used to permit the changing of a password +<em/from/ an empty one. Without this argument, empty passwords are +treated as account-locking ones. + +<p> +The argument <tt/use_first_pass/ is used to lock the choice of old and +new passwords to that dictated by the previously stacked <tt/password/ +module. 
The <tt/try_first_pass/ argument is used to avoid the user +having to re-enter an old password when <tt/pam_unix/ follows a module +that possibly shared the user's old password - if this old password is +not correct the user will be prompted for the correct one. The +argument <tt/use_authtok/ is used to <em/force/ this module to set the +new password to the one provided by the previously stacked +<tt/password/ module (this is used in an example of the stacking of +the <em/Cracklib/ module documented above). + +<p> +The <tt/not_set_pass/ argument is used to inform the module that it is +not to pay attention to/make available the old or new passwords from/to +other (stacked) password modules. + +<p> +The <tt/debug/ argument makes the password functions of this module +<tt/syslog(3)/ more information on its actions. Other arguments may be +logged as erroneous to <tt/syslog(3)/. The <tt/audit/ argument causes +even more information to be logged. + +<p> +With the <tt/nis/ argument, <tt/pam_unix/ will attempt to use NIS RPC +for setting new passwords. + +<p> +The <tt/remember/ argument takes one value. This is the number of most +recent passwords to save for each user. These are saved in +<tt>/etc/security/opasswd</tt> in order to force password change history +and keep the user from alternating between the same password too frequently. 
+ +<tag><bf>Examples/suggested usage:</bf></tag> + +Standard usage: +<tscreen> +<verb> +# +# Change the users password +# +passwd password required pam_unix.so +</verb> +</tscreen> + +<p> +An example of the stacking of this module with respect to the +pluggable password checking module, <tt/pam_cracklib/: +<tscreen> +<verb> +# +# Change the users password +# +passwd password required pam_cracklib.so retry=3 minlen=6 difok=3 +passwd password required pam_unix.so use_authtok nullok md5 +</verb> +</tscreen> + +</descrip> + +<sect2>Session component + +<p> +<descrip> + +<tag><bf>Recognized arguments:</bf></tag> + +<tag><bf>Description:</bf></tag> + +No arguments are recognized by this module component. Its action is +simply to log the username and the service-type to +<tt/syslog(3)/. Messages are logged at the beginning and end of the +user's session. + +<tag><bf>Examples/suggested usage:</bf></tag> + +The use of the session modules is straightforward: +<tscreen> +<verb> +# +# session opening and closing +# +login session required pam_unix.so +</verb> +</tscreen> + +</descrip> + +<!-- +End of sgml insert for this module. +--> diff --git a/Linux-PAM/doc/modules/pam_userdb.sgml b/Linux-PAM/doc/modules/pam_userdb.sgml new file mode 100644 index 00000000..bdbf80b8 --- /dev/null +++ b/Linux-PAM/doc/modules/pam_userdb.sgml 
@@ -0,0 +1,112 @@ +<!-- + This file was written by Cristian Gafton <gafton@redhat.com> +--> + +<sect1>The userdb module + +<sect2>Synopsis + +<p> +<descrip> + +<tag><bf>Module Name:</bf></tag> +<tt/pam_userdb/ + +<tag><bf>Author:</bf></tag> +Cristian Gafton <gafton@redhat.com> + +<tag><bf>Maintainer:</bf></tag> +Author. + +<tag><bf>Management groups provided:</bf></tag> +authentication + +<tag><bf>Cryptographically sensitive:</bf></tag> + +<tag><bf>Security rating:</bf></tag> + +<tag><bf>Clean code base:</bf></tag> + +<tag><bf>System dependencies:</bf></tag> +Requires Berkeley DB. + +<tag><bf>Network aware:</bf></tag> + +</descrip> + +<sect2>Overview of module + +<p> +Look up users in a .db database and verify their password against +what is contained in that database. + +<sect2>Authentication component + +<p> +<descrip> + +<tag><bf>Recognized arguments:</bf></tag> +<tt/debug/; +<tt/icase/; +<tt/dump/; +<tt/db=XXXX/; + +<tag><bf>Description:</bf></tag> + +This module is used to verify a username/password pair against values stored in +a Berkeley DB database. The database is indexed by the username, and the data +fields corresponding to the username keys are the passwords, in unencrypted form, +so caution must be exercised over the access rights to the DB database itself.. + +The module will read the password from the user using the conversation mechanism. If +you are using this module on top of another authetication module (like <tt/pam_pwdb/;) +then you should tell that module to read the entered password from the PAM_AUTHTOK field, which is set by this module. + +<p> +The action of the module may be modified from this default by one or +more of the following flags in the <tt>/etc/pam.d/<service></tt> file. +<itemize> +<item> +<tt/debug/ - +Supply more debugging information to <tt/syslog(3)/. + +<item> +<tt/icase/ - +Perform the password comparisons case insensitive. 
+ +<item> +<tt/dump/ - +dump all the entries in the database to the log (eek, +don't do this by default!) + +<item> +<tt/db=XXXX/ - +use the database found on pathname XXXX. Note that Berkeley DB usually adds the +needed filename extension for you, so you should use something like <tt>/etc/foodata</tt> +instead of <tt>/etc/foodata.db</tt>. + +</itemize> + +<tag><bf>Examples/suggested usage:</bf></tag> + +This is a normal ftp configuration file (usually placed as <tt>/etc/pam.d/ftp</tt> +on most systems) that will accept for login users whose username/password pairs are +provided in the <tt>/tmp/dbtest.db</tt> file: + +<tscreen> +<verb> +#%PAM-1.0 +auth required pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed +auth sufficient pam_userdb.so icase db=/tmp/dbtest +auth required pam_pwdb.so shadow nullok try_first_pass +auth required pam_shells.so +account required pam_pwdb.so +session required pam_pwdb.so +</verb> +</tscreen> + +</descrip> + +<!-- +End of sgml insert for this module. +--> diff --git a/Linux-PAM/doc/modules/pam_warn.sgml b/Linux-PAM/doc/modules/pam_warn.sgml new file mode 100644 index 00000000..caedf873 --- /dev/null +++ b/Linux-PAM/doc/modules/pam_warn.sgml 
@@ -0,0 +1,67 @@ +<!-- + $Id: pam_warn.sgml,v 1.1.1.2 2002/09/15 20:08:33 hartmans Exp $ + + This file was written by Andrew G. Morgan <morgan@kernel.org> +--> + +<sect1>Warning logger module + +<sect2>Synopsis + +<p> +<descrip> + +<tag><bf>Module Name:</bf></tag> +<tt/pam_warn/ + +<tag><bf>Author:</bf></tag> +Andrew G. Morgan <morgan@kernel.org> + +<tag><bf>Maintainer:</bf></tag> +Author. + +<tag><bf>Management groups provided:</bf></tag> +authentication; password + +<tag><bf>Cryptographically sensitive:</bf></tag> + +<tag><bf>Security rating:</bf></tag> + +<tag><bf>Clean code base:</bf></tag> + +<tag><bf>System dependencies:</bf></tag> + +<tag><bf>Network aware:</bf></tag> +logs information about the remote user and host (if pam-items are known) + +</descrip> + +<sect2>Overview of module + +<p> +This module is principally for logging information about a +proposed authentication or application to update a password. + +<sect2>Authentication+Password component + +<p> +<descrip> + +<tag><bf>Recognized arguments:</bf></tag> + +<tag><bf>Description:</bf></tag> + +Log the service, terminal, user, remote user and remote host to +<tt/syslog(3)/. The items are not probed for, but instead obtained +from the standard pam-items. + +<tag><bf>Examples/suggested usage:</bf></tag> + +an example is provided in the configuration file section <ref +id="configuration" name="above">. + +</descrip> + +<!-- +End of sgml insert for this module. +--> diff --git a/Linux-PAM/doc/modules/pam_wheel.sgml b/Linux-PAM/doc/modules/pam_wheel.sgml new file mode 100644 index 00000000..cc064120 --- /dev/null +++ b/Linux-PAM/doc/modules/pam_wheel.sgml 
@@ -0,0 +1,125 @@ +<!-- + $Id: pam_wheel.sgml,v 1.1.1.2 2002/09/15 20:08:33 hartmans Exp $ + + This file was written by Andrew G. Morgan <morgan@kernel.org> + from notes provided by Cristian Gafton. +--> + +<sect1>The wheel module + +<sect2>Synopsis + +<p> +<descrip> + +<tag><bf>Module Name:</bf></tag> +<tt/pam_wheel/ + +<tag><bf>Author:</bf></tag> +Cristian Gafton <gafton@redhat.com> + +<tag><bf>Maintainer:</bf></tag> +Author. + +<tag><bf>Management groups provided:</bf></tag> +authentication + +<tag><bf>Cryptographically sensitive:</bf></tag> + +<tag><bf>Security rating:</bf></tag> + +<tag><bf>Clean code base:</bf></tag> + +<tag><bf>System dependencies:</bf></tag> +Requires libpwdb. + +<tag><bf>Network aware:</bf></tag> + +</descrip> + +<sect2>Overview of module + +<p> +Only permit root access to members of the wheel (<tt/gid=0/) group. + +<sect2>Authentication component + +<p> +<descrip> + +<tag><bf>Recognized arguments:</bf></tag> +<tt/debug/; +<tt/use_uid/; +<tt/trust/; +<tt/deny/; +<tt/group=XXXX/ + +<tag><bf>Description:</bf></tag> + +This module is used to enforce the so-called <em/wheel/ group. By +default, it permits root access to the system if the applicant user is +a member of the <tt/wheel/ group (first, the module checks for the +existence of a '<tt/wheel/' group. Otherwise the module defines the +group with group-id <tt/0/ to be the <em/wheel/ group). + +<p> +The action of the module may be modified from this default by one or +more of the following flags in the <tt>/etc/pam.conf</tt> file. +<itemize> +<item> +<tt/debug/ - +Supply more debugging information to <tt/syslog(3)/. + +<item> +<tt/use_uid/ - +This option modifies the behavior of the module by using the current +<tt/uid/ of the process and not the <tt/getlogin(3)/ name of the user. +This option is useful for being able to jump from one account to +another, for example with 'su'. 
+ +<item> +<tt/trust/ - +This option instructs the module to return <tt/PAM_SUCCESS/ should it +find the user applying for root privilege is a member of the wheel +group. The default action is to return <tt/PAM_IGNORE/ in this +situation. By using the <tt/trust/ option it is possible to arrange +for <tt/wheel/-group members to become root without typing a +password. <bf/USE WITH CARE/. + +<item> +<tt/deny/ - +This is used to reverse the logic of the module's behavior. +If the user is trying to get <tt/uid=0/ access and is a member of the wheel +group, deny access (for the wheel group, this is perhaps nonsense!): +it is intended for use in conjunction with the <tt/group=/ argument... + +<item> +<tt/group=XXXX/ - +Instead of checking the <tt/gid=0/ group, use the user's <tt/XXXX/ +group membership for the authentication. Here, <tt/XXXX/ is the name +of the group and <bf/not/ its numeric identifier. + +</itemize> + +<tag><bf>Examples/suggested usage:</bf></tag> + +To restrict access to superuser status to the members of the +<tt/wheel/ group, use the following entries in your configuration +file: +<tscreen> +<verb> +# +# root gains access by default (rootok), only wheel members can +# become root (wheel) but Unix authenticate non-root applicants. +# +su auth sufficient pam_rootok.so +su auth required pam_wheel.so +su auth required pam_unix_auth.so +</verb> +</tscreen> + +</descrip> + +<!-- +End of sgml insert for this module. +--> diff --git a/Linux-PAM/doc/pam_appl.sgml b/Linux-PAM/doc/pam_appl.sgml new file mode 100644 index 00000000..f6d35b4e --- /dev/null +++ b/Linux-PAM/doc/pam_appl.sgml 
@@ -0,0 +1,1782 @@ +<!doctype linuxdoc system> + +<!-- + + $Id: pam_appl.sgml,v 1.1.1.2 2002/09/15 20:08:24 hartmans Exp $ + + Copyright (C) Andrew G. Morgan 1996-2001. All rights reserved. + +Redistribution and use in source (sgml) and binary (derived) forms, +with or without modification, are permitted provided that the +following conditions are met: + +1. Redistributions of source code must retain the above copyright + notice, and the entire permission notice in its entirety, + including the disclaimer of warranties. + +2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + +3. The name of the author may not be used to endorse or promote + products derived from this software without specific prior + written permission. + +ALTERNATIVELY, this product may be distributed under the terms of the +GNU General Public License, in which case the provisions of the GNU +GPL are required INSTEAD OF the above restrictions. (This clause is +necessary due to a potential bad interaction between the GNU GPL and +the restrictions contained in a BSD-style copyright.) + +THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED +WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. +IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, +INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, +BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS +OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND +ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR +TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE +USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH +DAMAGE. 
+ + --> + +<article> + +<title>The Linux-PAM Application Developers' Guide +<author>Andrew G. Morgan, <tt>morgan@kernel.org</tt> +<date>DRAFT v0.76 2001/12/08 +<abstract> +This manual documents what an application developer needs to know +about the <bf>Linux-PAM</bf> library. It describes how an application +might use the <bf>Linux-PAM</bf> library to authenticate users. In +addition it contains a description of the funtions to be found in +<tt/libpam_misc/ library, that can be used in general applications. +Finally, it contains some comments on PAM related security issues for +the application developer. +</abstract> + +<toc> + +<sect>Introduction + +<sect1>Synopsis + +<p> +For general applications that wish to use the services provided by +<bf/Linux-PAM/ the following is a summary of the relevant linking +information: +<tscreen> +<verb> +#include <security/pam_appl.h> + +cc -o application .... -lpam -ldl +</verb> +</tscreen> + +<p> +In addition to <tt/libpam/, there is a library of miscellaneous +functions that make the job of writing <em/PAM-aware/ applications +easier (this library is not covered in the DCE-RFC for PAM and is +specific to the Linux-PAM distribution): +<tscreen> +<verb> +... +#include <security/pam_misc.h> + +cc -o application .... -lpam -lpam_misc -ldl +</verb> +</tscreen> + +<sect1> Description + +<p> +<bf>Linux-PAM</bf> (Pluggable Authentication Modules for Linux) is a +library that enables the local system administrator to choose how +individual applications authenticate users. For an overview of the +<bf>Linux-PAM</bf> library see the <bf/Linux-PAM/ System +Administrators' Guide. + +<p> +It is the purpose of the <bf>Linux-PAM</bf> project to liberate the +development of privilege granting software from the development of +secure and appropriate authentication schemes. This is accomplished +by providing a documented library of functions that an application may +use for all forms of user authentication management. 
This library +dynamically loads locally configured authentication modules that +actually perform the authentication tasks. + +<p> +From the perspective of an application developer the information +contained in the local configuration of the PAM library should not be +important. Indeed it is intended that an application treat the +functions documented here as a ``black box'' that will deal with all +aspects of user authentication. ``All aspects'' includes user +verification, account management, session initialization/termination +and also the resetting of passwords (<em/authentication tokens/). + +<sect>Overview + +<p> +Most service-giving applications are restricted. In other words, +their service is not available to all and every prospective client. +Instead, the applying client must jump through a number of hoops to +convince the serving application that they are authorized to obtain +service. + +The process of <em/authenticating/ a client is what PAM is designed to +manage. In addition to authentication, PAM provides account +management, credential management, session management and +authentication-token (password changing) management services. It is +important to realize when writing a PAM based application that these +services are provided in a manner that is <bf>transparent</bf> to +the application. That is to say, when the application is written, no +assumptions can be made about <em>how</em> the client will be +authenticated. + +<p> +The process of authentication is performed by the PAM library via a +call to <tt>pam_authenticate()</tt>. The return value of this +function will indicate whether a named client (the <em>user</em>) has +been authenticated. If the PAM library needs to prompt the user for +any information, such as their <em>name</em> or a <em>password</em> +then it will do so. If the PAM library is configured to authenticate +the user using some silent protocol, it will do this too. 
(This +latter case might be via some hardware interface for example.) + +<p> +It is important to note that the application must leave all decisions +about when to prompt the user at the discretion of the PAM library. + +<p> +The PAM library, however, must work equally well for different styles +of application. Some applications, like the familiar <tt>login</tt> +and <tt>passwd</tt> are terminal based applications, exchanges of +information with the client in these cases is as plain text messages. +Graphically based applications, however, have a more sophisticated +interface. They generally interact with the user via specially +constructed dialogue boxes. Additionally, network based services +require that text messages exchanged with the client are specially +formatted for automated processing: one such example is <tt>ftpd</tt> +which prefixes each exchanged message with a numeric identifier. + +<p> +The presentation of simple requests to a client is thus something very +dependent on the protocol that the serving application will use. In +spite of the fact that PAM demands that it drives the whole +authentication process, it is not possible to leave such protocol +subtleties up to the PAM library. To overcome this potential problem, +the application provides the PAM library with a <em>conversation</em> +function. This function is called from <bf>within</bf> the PAM +library and enables the PAM to directly interact with the client. The +sorts of things that this conversation function must be able to do are +prompt the user with text and/or obtain textual input from the user +for processing by the PAM library. The details of this function are +provided in a later section. + +<p> +For example, the conversation function may be called by the PAM library +with a request to prompt the user for a password. Its job is to +reformat the prompt request into a form that the client will +understand. 
In the case of <tt>ftpd</tt>, this might involve prefixing +the string with the number <tt>331</tt> and sending the request over +the network to a connected client. The conversation function will +then obtain any reply and, after extracting the typed password, will +return this string of text to the PAM library. Similar concerns need +to be addressed in the case of an X-based graphical server. + +<p> +There are a number of issues that need to be addressed when one is +porting an existing application to become PAM compliant. A section +below has been devoted to this: Porting legacy applications. + +<p> +Besides authentication, PAM provides other forms of management. +Session management is provided with calls to +<tt>pam_open_session()</tt> and <tt>pam_close_session()</tt>. What +these functions actually do is up to the local administrator. But +typically, they could be used to log entry and exit from the system or +for mounting and unmounting the user's home directory. If an +application provides continuous service for a period of time, it +should probably call these functions, first open after the user is +authenticated and then close when the service is terminated. + +<p> +Account management is another area that an application developer +should include with a call to <tt/pam_acct_mgmt()/. This call will +perform checks on the good health of the user's account (has it +expired etc.). One of the things this function may check is whether +the user's authentication token has expired - in such a case the +application may choose to attempt to update it with a call to +<tt/pam_chauthtok()/, although some applications are not suited to +this task (<em>ftp</em> for example) and in this case the application +should deny access to the user. + +<p> +PAM is also capable of setting and deleting the users credentials with +the call <tt>pam_setcred()</tt>. This function should always be +called after the user is authenticated and before service is offered +to the user. 
By convention, this should be the last call to the PAM +library before the PAM session is opened. What exactly a credential +is, is not well defined. However, some examples are given in the +glossary below. + +<sect>The public interface to <bf>Linux-PAM</bf> + +<p> +Firstly, the relevant include file for the <bf>Linux-PAM</bf> library +is <tt><security/pam_appl.h></tt>. It contains the definitions +for a number of functions. After listing these functions, we collect +some guiding remarks for programmers. + +<sect1>What can be expected by the application + +<p> +Below we document those functions in the <bf/Linux-PAM/ library that +may be called from an application. + +<sect2>Initialization of Linux-PAM +<label id="pam-start-section"> + +<p> +<tscreen> +<verb> +extern int pam_start(const char *service_name, const char *user, + const struct pam_conv *pam_conversation, + pam_handle_t **pamh); +</verb> +</tscreen> + +<p> +This is the first of the <bf>Linux-PAM</bf> functions that must be +called by an application. It initializes the interface and reads the +system configuration file, <tt>/etc/pam.conf</tt> (see the +<bf/Linux-PAM/ System Administrators' Guide). Following a successful +return (<tt/PAM_SUCCESS/) the contents of <tt/*pamh/ is a handle that +provides continuity for successive calls to the <bf/Linux-PAM/ +library. The arguments expected by <tt/pam_start/ are as follows: the +<tt/service_name/ of the program, the <tt/user/name of the individual +to be authenticated, a pointer to an application-supplied +<tt/pam_conv/ structure and a pointer to a <tt/pam_handle_t/ +<em/pointer/. + +<p> +The <tt>pam_conv</tt> structure is discussed more fully in the section +<ref id="the-conversation-function" name="below">. The +<tt>pam_handle_t</tt> is a <em>blind</em> structure and the +application should not attempt to probe it directly for information. +Instead the <bf>Linux-PAM</bf> library provides the functions +<tt>pam_set_item</tt> and <tt>pam_get_item</tt>. 
These functions are +documented below. + +<sect2>Termination of the library +<label id="pam-end-section"> + +<p> +<tscreen> +<verb> +extern int pam_end(pam_handle_t *pamh, int pam_status); +</verb> +</tscreen> + +<p> +This function is the last function an application should call in the +<bf>Linux-PAM</bf> library. Upon return the handle <tt/pamh/ is no +longer valid and all memory associated with it will be invalid (likely +to cause a segmentation fault if accessed). + +<p> +Under normal conditions the argument <tt/pam_status/ has the value +PAM_SUCCESS, but in the event of an unsuccessful application for +service the appropriate <bf/Linux-PAM/ error-return value should be +used here. Note, <tt/pam_end()/ unconditionally shuts down the +authentication stack associated with the <tt/pamh/ handle. The value +taken by <tt/pam_status/ is used as an argument to the module specific +callback functions, <tt/cleanup()/ (see the <bf/Linux-PAM/ <htmlurl +url="pam_modules.html" name="Module Developers' Guide">). In this way, +the module can be given notification of the pass/fail nature of the +tear-down process, and perform any last minute tasks that are +appropriate to the module before it is unlinked. + +<sect2>Setting PAM items +<label id="pam-set-item-section"> + +<p> +<tscreen> +<verb> +extern int pam_set_item(pam_handle_t *pamh, int item_type, + const void *item); +</verb> +</tscreen> + +<p>This function is used to (re)set the value of one of the following +<bf/item_type/s: + +<p><descrip> +<tag><tt/PAM_SERVICE/</tag> + + The service name (which identifies that PAM stack that + <tt/libpam/ will use to authenticate the program). + +<tag><tt/PAM_USER/</tag> + + The username of the entity under who's identity service will + be given. That is, following authentication, <tt/PAM_USER/ + identifies the local entity that gets to use the + service. Note, this value can be mapped from something (eg., + "<tt/anonymous/") to something else (eg. 
"<tt/guest119/") by + any module in the PAM stack. As such an application should + consult the value of <tt/PAM_USER/ after each call to a + <tt/pam_*()/ function. + +<tag><tt/PAM_USER_PROMPT/</tag> + + The string used when prompting for a user's name. The default + value for this string is ``Please enter username: ''. + +<tag><tt/PAM_TTY/</tag> + + The terminal name: prefixed by <tt>/dev/</tt> if it is a + device file; for graphical, X-based, applications the value + for this item should be the <tt/$DISPLAY/ variable. + +<tag><tt/PAM_RUSER/</tag> + + The requesting entity: user's username for a locally + requesting user or a remote requesting user - generally an + application or module will attempt to supply the value that is + most strongly authenticated (a local account before a remote + one. The level of trust in this value is embodied in the + actual authentication stack associated with the application, + so it is ultimately at the discretion of the system + administrator. It should generally match the current + <tt/PAM_RHOST/ value. That is, "<tt/PAM_RUSER@PAM_RHOST/" + should always identify the requesting user. In some cases, + <tt/PAM_RUSER/ may be NULL. In such situations, it is unclear + who the requesting entity is. + +<tag><tt/PAM_RHOST/</tag> + + The requesting hostname (the hostname of the machine from + which the <tt/PAM_RUSER/ entity is requesting service). That + is "<tt/PAM_RUSER@PAM_RHOST/" does identify the requesting + user. "<tt/luser@localhost/" or "<tt/evil@evilcom.com/" are + valid "<tt/PAM_RUSER@PAM_RHOST/" examples. In some + applications, <tt/PAM_RHOST/ may be NULL. In such situations, + it is unclear where the authentication request is originating + from. + +<tag><tt/PAM_CONV/</tag> + + The conversation structure (see section <ref + id="the-conversation-function" name="below">). 
+ +<tag><tt/PAM_FAIL_DELAY/</tag> A function pointer to redirect + centrally managed failure delays (see section <ref + id="the-failure-delay-function" name="below">). + +</descrip> + +<p> +For all <tt/item_type/s, other than <tt/PAM_CONV/ and +<tt/PAM_FAIL_DELAY/, <tt/item/ is a pointer to a <tt><NUL></tt> +terminated character string. In the case of <tt/PAM_CONV/, <tt/item/ +points to an initialized <tt/pam_conv/ structure (see section <ref +id="the-conversation-function" name="below">). In the case of +<tt/PAM_FAIL_DELAY/, <tt/item/ is a function pointer: <tt/void +(*delay_fn)(int retval, unsigned usec_delay, void *appdata_ptr)/ (see +section <ref id="the-failure-delay-function" name="below">). + +<p> +A successful call to this function returns <tt/PAM_SUCCESS/. However, +the application should expect at least one the following errors: + +<p> +<descrip> +<tag><tt/PAM_SYSTEM_ERR/</tag> + The <tt/pam_handle_t/ passed as a first argument to this + function was invalid. +<tag><tt/PAM_PERM_DENIED/</tag> + An attempt was made to replace the conversation structure with + a <tt/NULL/ value. +<tag><tt/PAM_BUF_ERR/</tag> + The function ran out of memory making a copy of the item. +<tag><tt/PAM_BAD_ITEM/</tag> + The application attempted to set an undefined or inaccessible + item. +</descrip> + +<sect2>Getting PAM items +<label id="pam-get-item-section"> + +<p> +<tscreen> +<verb> +extern int pam_get_item(const pam_handle_t *pamh, int item_type, + const void **item); +</verb> +</tscreen> + +<p> +This function is used to obtain the value of the indicated +<tt/item_type/. Upon successful return, <tt/*item/ contains a pointer +to the value of the corresponding item. Note, this is a pointer to +the <em/actual/ data and should <em/not/ be <tt/free()/'ed or +over-written! + +<p> +A successful call is signaled by a return value of <tt/PAM_SUCCESS/. 
+However, the application should expect one of the following errors: + +<p> +<descrip> +<tag><tt/PAM_SYSTEM_ERR/</tag> + The <tt/pam_handle_t/ passed as a first argument to this + function was invalid. +<tag><tt/PAM_PERM_DENIED/</tag> + The value of <tt/item/ was <tt/NULL/. +<tag><tt/PAM_BAD_ITEM/</tag> + The application attempted to set an undefined or inaccessible + item. +</descrip> + +<p> +Note, in the case of an error, the contents of <tt/item/ is not +modified - that is, it retains its pre-call value. One should take +care to initialize this value prior to calling +<tt/pam_get_item()/. Since, if its value - despite the +<tt/pam_get_item()/ function failing - is to be used the consequences +are undefined. + +<sect2>Understanding errors +<label id="pam-strerror-section"> + +<p> +<tscreen> +<verb> +extern const char *pam_strerror(pam_handle_t *pamh, int errnum); +</verb> +</tscreen> + +<p> +This function returns some text describing the <bf>Linux-PAM</bf> +error associated with the argument <tt/errnum/. If the error is not +recognized ``<tt/Unknown Linux-PAM error/'' is returned. + +<sect2>Planning for delays +<label id="the-failure-delay-function"> + +<p> +<tscreen> +<verb> +extern int pam_fail_delay(pam_handle_t *pamh, unsigned int micro_sec); +</verb> +</tscreen> + +<p> +This function is offered by <bf/Linux-PAM/ to facilitate time delays +following a failed call to <tt/pam_authenticate()/ and before control +is returned to the application. When using this function the +application programmer should check if it is available with, +<tscreen> +<verb> +#ifdef PAM_FAIL_DELAY + .... +#endif /* PAM_FAIL_DELAY */ +</verb> +</tscreen> + + +<p> +Generally, an application requests that a user is authenticated by +<bf/Linux-PAM/ through a call to <tt/pam_authenticate()/ or +<tt/pam_chauthtok()/. These functions call each of the <em/stacked/ +authentication modules listed in the relevant <bf/Linux-PAM/ +configuration file. 
As directed by this file, one of more of the +modules may fail causing the <tt/pam_...()/ call to return an error. +It is desirable for there to also be a pause before the application +continues. The principal reason for such a delay is security: a delay +acts to discourage <em/brute force/ dictionary attacks primarily, but +also helps hinder <em/timed/ (covert channel) attacks. + +<p> +The <tt/pam_fail_delay()/ function provides the mechanism by which an +application or module can suggest a minimum delay (of <tt/micro_sec/ +<em/micro-seconds/). <bf/Linux-PAM/ keeps a record of the longest time +requested with this function. Should <tt/pam_authenticate()/ fail, +the failing return to the application is delayed by an amount of time +randomly distributed (by up to 25%) about this longest value. + +<p> +Independent of success, the delay time is reset to its zero default +value when <bf/Linux-PAM/ returns control to the application. + +<p> +For applications written with a single thread that are event driven in +nature, <tt/libpam/ generating this delay may be undesirable. Instead, +the application may want to register the delay in some other way. For +example, in a single threaded server that serves multiple +authentication requests from a single event loop, the application +might want to simply mark a given connection as blocked until an +application timer expires. For this reason, <bf/Linux-PAM/ supplies +the <tt/PAM_FAIL_DELAY/ item. It can be queried and set with +<tt/pam_get_item()/ and <tt/pam_set_item()/ respectively. The value +used to set it should be a function pointer of the following +prototype: + +<tscreen> +<verb> +void (*delay_fn)(int retval, unsigned usec_delay, void *appdata_ptr); +</verb> +</tscreen> + +The arguments being the <tt/retval/ return code of the module stack, +the <tt/usec_delay/ micro-second delay that libpam is requesting and +the <tt/appdata_ptr/ that the application has associated with the +current <tt/pamh/ (<tt/pam_handle_t/). 
This last value was set by the +application when it called <tt/pam_start/ or explicitly with +<tt/pam_set_item(... , PAM_CONV, ...)/. Note, if <tt/PAM_FAIL_DELAY/ +is unset (or set to <tt/NULL/), then <tt/libpam/ will perform any +delay. + +<sect2>Authenticating the user + +<p> +<tscreen> +<verb> +extern int pam_authenticate(pam_handle_t *pamh, int flags); +</verb> +</tscreen> + +<p> +This function serves as an interface to the authentication mechanisms +of the loaded modules. The single <em/optional/ flag, which may be +logically OR'd with <tt/PAM_SILENT/, takes the following value, + +<p><descrip> + +<tag><tt/PAM_DISALLOW_NULL_AUTHTOK/</tag> + Instruct the authentication modules to return +<tt/PAM_AUTH_ERR/ if the user does not have a registered +authorization token---it is set to <tt/NULL/ in the system database. +</descrip> + +<p> +The value returned by this function is one of the following: + +<p><descrip> + +<tag><tt/PAM_AUTH_ERR/</tag> + The user was not authenticated +<tag><tt/PAM_CRED_INSUFFICIENT/</tag> + For some reason the application does not have sufficient +credentials to authenticate the user. +<tag><tt/PAM_AUTHINFO_UNAVAIL/</tag> + The modules were not able to access the authentication +information. This might be due to a network or hardware failure etc. +<tag><tt/PAM_USER_UNKNOWN/</tag> + The supplied username is not known to the authentication +service +<tag><tt/PAM_MAXTRIES/</tag> + One or more of the authentication modules has reached its +limit of tries authenticating the user. Do not try again. + +</descrip> + +<p> +If one or more of the authentication modules fails to load, for +whatever reason, this function will return <tt/PAM_ABORT/. + +<sect2>Setting user credentials +<label id="pam-setcred-section"> + +<p> +<tscreen> +<verb> +extern int pam_setcred(pam_handle_t *pamh, int flags); +</verb> +</tscreen> + +<p> +This function is used to set the module-specific credentials of the +user. 
It is usually called after the user has been authenticated, +after the account management function has been called but before a +session has been opened for the user. + +<p> +A credential is something that the user possesses. It is some +property, such as a <em>Kerberos</em> ticket, or a supplementary group +membership that make up the uniqueness of a given user. On a Linux +(or UN*X system) the user's <tt>UID</tt> and <tt>GID</tt>'s are +credentials too. However, it has been decided that these properties +(along with the default supplementary groups of which the user is a +member) are credentials that should be set directly by the application +and not by PAM. + +<p> +This function simply calls the <tt/pam_sm_setcred/ functions of each +of the loaded modules. Valid <tt/flags/, any one of which, may be +logically OR'd with <tt/PAM_SILENT/, are: + +<p><descrip> +<tag><tt/PAM_ESTABLISH_CRED/</tag> + Set the credentials for the authentication service, +<tag><tt/PAM_DELETE_CRED/</tag> + Delete the credentials associated with the authentication service, +<tag><tt/PAM_REINITIALIZE_CRED/</tag> + Reinitialize the user credentials, and +<tag><tt/PAM_REFRESH_CRED/</tag> + Extend the lifetime of the user credentials. +</descrip> + +<p> +A successful return is signalled with <tt/PAM_SUCCESS/. Errors that +are especially relevant to this function are the following: + +<p><descrip> +<tag><tt/PAM_CRED_UNAVAIL/</tag> + A module cannot retrieve the user's credentials. +<tag><tt/PAM_CRED_EXPIRED/</tag> + The user's credentials have expired. +<tag><tt/PAM_USER_UNKNOWN/</tag> + The user is not known to an authentication module. +<tag><tt/PAM_CRED_ERR/</tag> + A module was unable to set the credentials of the user. +</descrip> + +<sect2>Account management + +<p> +<tscreen> +<verb> +extern int pam_acct_mgmt(pam_handle_t *pamh, int flags); +</verb> +</tscreen> + +<p> +This function is typically called after the user has been +authenticated. 
It establishes whether the user's account is healthy. +That is to say, whether the user's account is still active and whether +the user is permitted to gain access to the system at this time. +Valid flags, any one of which, may be logically OR'd with +<tt/PAM_SILENT/, and are the same as those applicable to the +<tt/flags/ argument of <tt/pam_authenticate/. + +<p> +This function simply calls the corresponding functions of each of the +loaded modules, as instructed by the configuration file, +<tt>/etc/pam.conf</tt>. + +<p> +The normal response from this function is <tt/PAM_SUCCESS/, however, +specific failures are indicated by the following error returns: + +<descrip> +<tag><tt/PAM_AUTHTOKEN_REQD/</tag> +The user <bf/is/ valid but their authentication token has +<em/expired/. The correct response to this return-value is to require +that the user satisfies the <tt/pam_chauthtok()/ function before +obtaining service. It may not be possible for some applications to do +this. In such cases, the user should be denied access until such time +as they can update their password. + +<tag><tt/PAM_ACCT_EXPIRED/</tag> + The user is no longer permitted to access the system. +<tag><tt/PAM_AUTH_ERR/</tag> + There was an authentication error. + +<tag><tt/PAM_PERM_DENIED/</tag> + The user is not permitted to gain access at this time. +<tag><tt/PAM_USER_UNKNOWN/</tag> + The user is not known to a module's account management +component. + +</descrip> + +<sect2>Updating authentication tokens +<label id="pam-chauthtok-section"> + +<p> +<tscreen> +<verb> +extern int pam_chauthtok(pam_handle_t *pamh, const int flags); +</verb> +</tscreen> + +<p> +This function is used to change the authentication token for a given +user (as indicated by the state associated with the handle, +<tt/pamh/). 
The following is a valid but optional flag which may be +logically OR'd with <tt/PAM_SILENT/, + +<descrip> +<tag><tt/PAM_CHANGE_EXPIRED_AUTHTOK/</tag> + This argument indicates to the modules that the users +authentication token (password) should only be changed if it has +expired. +</descrip> + +<p> +Note, if this argument is not passed, the application requires that +<em/all/ authentication tokens are to be changed. + +<p> +<tt/PAM_SUCCESS/ is the only successful return value, valid +error-returns are: + +<descrip> +<tag><tt/PAM_AUTHTOK_ERR/</tag> + A module was unable to obtain the new authentication token. + +<tag><tt/PAM_AUTHTOK_RECOVERY_ERR/</tag> + A module was unable to obtain the old authentication token. + +<tag><tt/PAM_AUTHTOK_LOCK_BUSY/</tag> + One or more of the modules was unable to change the +authentication token since it is currently locked. + +<tag><tt/PAM_AUTHTOK_DISABLE_AGING/</tag> + Authentication token aging has been disabled for at least one +of the modules. + +<tag><tt/PAM_PERM_DENIED/</tag> + Permission denied. + +<tag><tt/PAM_TRY_AGAIN/</tag> + Not all of the modules were in a position to update the +authentication token(s). In such a case none of the user's +authentication tokens are updated. + +<tag><tt/PAM_USER_UNKNOWN/</tag> + The user is not known to the authentication token changing +service. + +</descrip> + +<sect2>Session initialization +<label id="pam-open-session-section"> + +<p> +<tscreen> +<verb> +extern int pam_open_session(pam_handle_t *pamh, int flags); +</verb> +</tscreen> + +<p> +This function is used to indicate that an authenticated session has +begun. It is used to inform the modules that the user is currently in +a session. It should be possible for the <bf>Linux-PAM</bf> library +to open a session and close the same session (see section <ref +id="pam-close-session-section" name="below">) from different +applications. 
+ +<p> +Currently, this function simply calls each of the corresponding +functions of the loaded modules. The only valid flag is +<tt/PAM_SILENT/ and this is, of course, <em/optional/. + +<p> +If any of the <em/required/ loaded modules are unable to open a +session for the user, this function will return <tt/PAM_SESSION_ERR/. + +<sect2>Terminating sessions +<label id="pam-close-session-section"> + +<p> +<tscreen> +<verb> +extern int pam_close_session(pam_handle_t *pamh, int flags); +</verb> +</tscreen> + +<p> +This function is used to indicate that an authenticated session has +ended. It is used to inform the modules that the user is exiting a +session. It should be possible for the <bf>Linux-PAM</bf> library to +open a session and close the same session from different applications. + +<p> +This function simply calls each of the corresponding functions of the +loaded modules in the same order that they were invoked with +<tt/pam_open_session()/. The only valid flag is <tt/PAM_SILENT/ and +this is, of course, <em/optional/. + +<p> +If any of the <em/required/ loaded modules are unable to close a +session for the user, this function will return <tt/PAM_SESSION_ERR/. + +<sect2>Setting PAM environment variables +<label id="pam-putenv-section"> + +<p> +The <tt/libpam/ library associates with each PAM-handle (<tt/pamh/), a +set of <it/PAM environment variables/. These variables are intended to +hold the session environment variables that the user will inherit when +the session is granted and the authenticated user obtains access to +the requested service. For example, when <tt/login/ has finally given +the user a shell, the environment (as viewed with the command +<tt/env/) will be what <tt/libpam/ was maintaining as the PAM +environment for that service application. Note, these variables are not +the environment variables of the <tt/login/ application. 
This is +principally for two reasons: <tt/login/ may want to have an +environment that cannot be seen or manipulated by a user; and +<tt/login/ (or whatever the serving application is) may be maintaining +a number of parallel sessions, via different <tt/pamh/ values, at the +same time and a single environment may not be appropriately shared +between each of these. The PAM environment may contain variables +seeded by the applicant user's client program, for example, and as +such it is not appropriate for one applicant to interfere with the +environment of another applicant. + +<p> +<tscreen> +<verb> +extern int pam_putenv(pam_handle_t *pamh, const char *name_value); +</verb> +</tscreen> + +<p> +This function attempts to (re)set a <bf/Linux-PAM/ environment +variable. The <tt/name_value/ argument is a single <tt/NUL/ terminated +string of one of the following forms: +<descrip> +<tag>``<tt/NAME=value of variable/''</tag> + +In this case the environment variable of the given <tt/NAME/ is set to +the indicated value: ``<tt/value of variable/''. If this variable is +already known, it is overwritten. Otherwise it is added to the +<bf/Linux-PAM/ environment. + +<tag>``<tt/NAME=/''</tag> + +This function sets the variable to an empty value. It is listed +separately to indicate that this is the correct way to achieve such a +setting. + +<tag>``<tt/NAME/''</tag> + +Without an `<tt/=/' the <tt/pam_putenv()/ function will delete the +corresponding variable from the <bf/Linux-PAM/ environment. + +</descrip> + +<p> +Success is indicated with a return value of <tt/PAM_SUCCESS/. 
Failure +is indicated by one of the following returns: + +<descrip> +<tag><tt/PAM_PERM_DENIED/</tag> + name given is a <tt/NULL/ pointer + +<tag><tt/PAM_BAD_ITEM/</tag> + variable requested (for deletion) is not currently set + +<tag><tt/PAM_ABORT/</tag> + the <bf/Linux-PAM/ handle, <tt/pamh/, is corrupt + +<tag><tt/PAM_BUF_ERR/</tag> + failed to allocate memory when attempting update + +</descrip> + +<sect2>Getting a PAM environment variable +<label id="pam-getenv-section"> + +<p> +<tscreen> +<verb> +extern const char *pam_getenv(pam_handle_t *pamh, const char *name); +</verb> +</tscreen> + +<p> +Obtain the value of the indicated <bf/Linux-PAM/ environment +variable. On error, internal failure or the unavailability of the +given variable (unspecified), this function simply returns <tt/NULL/. + +<sect2>Getting the PAM environment +<label id="pam-getenvlist-section"> + +<p> +<tscreen> +<verb> +extern const char * const *pam_getenvlist(pam_handle_t *pamh); +</verb> +</tscreen> + +<p> +The PAM environment variables (see section <ref +id="pam-putenv-section" name="above">) are a complete set of enviroment +variables that are associated with a PAM-handle (<tt/pamh/). They +represent the contents of the <it/regular/ environment variables of +the authenticated user when service is granted. + +<p> +Th function, <tt>pam_getenvlist()</tt> returns a pointer to a complete, +<tt/malloc()/'d, copy of the PAM environment. It is a pointer to a +duplicated list of environment variables. It should be noted that +this memory will never be <tt/free()'d/ by <tt/libpam/. Once obtained +by a call to <tt/pam_getenvlist()/, <bf>it is the responsibility of +the calling application</bf> to <tt/free()/ this memory. + +<p> +The format of the memory is a <tt/malloc()/'d array of <tt/char */ +pointers, the last element of which is set to <tt/NULL/. 
Each of the +non-<tt/NULL/ entries in this array point to a <tt/NUL/ terminated and +<tt/malloc()/'d <tt/char/ string of the form: +<tt/"/<it/name/<tt/=/<it/value/<tt/"/. + +<p> +It is by design, and not a coincidence, that the format and contents +of the returned array matches that required for the third argument of +the <tt/execle(3)/ function call. + +<sect1>What is expected of an application + +<sect2>The conversation function +<label id="the-conversation-function"> + +<p> +An application must provide a ``conversation function''. It is used +for direct communication between a loaded module and the application +and will typically provide a means for the module to prompt the user +for a password etc. . The structure, <tt/pam_conv/, is defined by +including <tt><security/pam_appl.h></tt>; to be, + +<p> +<tscreen> +<verb> +struct pam_conv { + int (*conv)(int num_msg, + const struct pam_message **msg, + struct pam_response **resp, + void *appdata_ptr); + void *appdata_ptr; +}; +</verb> +</tscreen> + +<p> +It is initialized by the application before it is passed to the +library. The <em/contents/ of this structure are attached to the +<tt/*pamh/ handle. The point of this argument is to provide a +mechanism for any loaded module to interact directly with the +application program. This is why it is called a <em/conversation/ +structure. + +<p> +When a module calls the referenced <tt/conv()/ function, the argument +<tt/*appdata_ptr/ is set to the second element of this structure. + +<p> +The other arguments of a call to <tt/conv()/ concern the information +exchanged by module and application. That is to say, <tt/num_msg/ +holds the length of the array of pointers, <tt/msg/. After a +successful return, the pointer <tt/*resp/ points to an array of +<tt/pam_response/ structures, holding the application supplied text. +Note, <tt/*resp/ is an <tt/struct pam_response/ array and <em/not/ an +array of pointers. 
+ +<p> +The message (from the module to the application) passing structure is +defined by <tt><security/pam_appl.h></tt> as: + +<p> +<tscreen> +<verb> +struct pam_message { + int msg_style; + const char *msg; +}; +</verb> +</tscreen> + +<p> +Valid choices for <tt/msg_style/ are: + +<p><descrip> +<tag><tt/PAM_PROMPT_ECHO_OFF/</tag> + Obtain a string without echoing any text +<tag><tt/PAM_PROMPT_ECHO_ON/</tag> + Obtain a string whilst echoing text +<tag><tt/PAM_ERROR_MSG/</tag> + Display an error +<tag><tt/PAM_TEXT_INFO/</tag> + Display some text. +</descrip> + +<p> +The point of having an array of messages is that it becomes possible +to pass a number of things to the application in a single call from +the module. It can also be convenient for the application that related +things come at once: a windows based application can then present a +single form with many messages/prompts on at once. + +<p> +In passing, it is worth noting that there is a descrepency between the +way Linux-PAM handles the <tt/const struct pam_message **msg/ +conversation function argument from the way that Solaris' PAM (and +derivitives, known to include HP/UX, <em/are there others?/) +does. Linux-PAM interprets the <tt/msg/ argument as entirely +equivalent to the following prototype <tt/const struct pam_message +*msg[]/ (which, in spirit, is consistent with the commonly used +prototypes for <tt/argv/ argument to the familiar <tt/main()/ +function: <tt/char **argv/; and <tt/char *argv[]/). Said another way +Linux-PAM interprets the <tt/msg/ argument as a pointer to an array of +<tt/num_meg/ read only 'struct pam_message' <em/pointers/. Solaris' +PAM implementation interprets this argument as a pointer to a pointer +to an array of <tt/num_meg/ <tt/pam_message/ structures. Fortunately, +perhaps, for most module/application developers when <tt/num_msg/ has +a value of one these two definitions are entirely +equivalent. 
Unfortunately, casually raising this number to two has led +to unanticipated compatibility problems. + +<p> +For what its worth the two known module writer work-arounds for trying +to maintain source level compatibility with both PAM implementations +are: +<itemize> +<item> never call the conversation function with <tt/num_msg/ greater +than one. +<item> set up <tt/msg/ as doubly referenced so both types of +conversation function can find the messages. That is, make +<p><tscreen> +<verb> +msg[n] = & (( *msg )[n]) +</verb> +</tscreen> +</itemize> +<p> +The response (from the application to the module) passing structure is +defined by including <tt><security/pam_appl.h></tt> as: + +<p><tscreen><verb> +struct pam_response { + char *resp; + int resp_retcode; +}; +</verb></tscreen> + +<p> +Currently, there are no definitions for <tt/resp_retcode/ values; the +normal value is <tt/0/. + +<p> +Prior to the 0.59 release of Linux-PAM, the length of the returned +<tt/pam_response/ array was equal to the number of <em/prompts/ (types +<tt/PAM_PROMPT_ECHO_OFF/ and <tt/PAM_PROMPT_ECHO_ON/) in the +<tt/pam_message/ array with which the conversation function was +called. This meant that it was not always necessary for the module to +<tt/free(3)/ the responses if the conversation function was only used +to display some text. + +<p> +Post Linux-PAM-0.59. The number of responses is always equal to the +<tt/num_msg/ conversation function argument. This is slightly easier +to program but does require that the response array is <tt/free(3)/'d +after every call to the conversation function. The index of the +responses corresponds directly to the prompt index in the +<tt/pam_message/ array. + +<p> +The maximum length of the <tt/pam_msg.msg/ and <tt/pam_response.resp/ +character strings is <tt/PAM_MAX_MSG_SIZE/. (This is not enforced by +Linux-PAM.) + +<p> +<tt/PAM_SUCCESS/ is the expected return value of this +function. 
However, should an error occur the application should not +set <tt/*resp/ but simply return <tt/PAM_CONV_ERR/. + +<p> +Note, if an application wishes to use two conversation functions, it +should activate the second with a call to <tt/pam_set_item()/. + +<p> +<bf>Notes:</bf> New item types are being added to the conversation +protocol. Currently Linux-PAM supports: <tt>PAM_BINARY_PROMPT</tt> +and <tt>PAM_BINARY_MSG</tt>. These two are intended for server-client +hidden information exchange and may be used as an interface for +maching-machine authentication. + +<sect1>Programming notes + +<p> +Note, all of the authentication service function calls accept the +token <tt/PAM_SILENT/, which instructs the modules to not send +messages to the application. This token can be logically OR'd with any +one of the permitted tokens specific to the individual function calls. +<tt/PAM_SILENT/ does not override the prompting of the user for +passwords etc., it only stops informative messages from being +generated. + +<sect>Security issues of <bf>Linux-PAM</bf> + +<p> +PAM, from the perspective of an application, is a convenient API for +authenticating users. PAM modules generally have no increased +privilege over that possessed by the application that is making use of +it. For this reason, the application must take ultimate responsibility +for protecting the environment in which PAM operates. + +<p> +A poorly (or maliciously) written application can defeat any +<bf/Linux-PAM/ module's authentication mechanisms by simply ignoring +it's return values. It is the applications task and responsibility to +grant privileges and access to services. The <bf/Linux-PAM/ library +simply assumes the responsibility of <em/authenticating/ the user; +ascertaining that the user <em/is/ who they say they are. Care should +be taken to anticipate all of the documented behavior of the +<bf/Linux-PAM/ library functions. A failure to do this will most +certainly lead to a future security breach. 
+ +<sect1>Care about standard library calls + +<p> +In general, writers of authorization-granting applications should +assume that each module is likely to call any or <em/all/ `libc' +functions. For `libc' functions that return pointers to +static/dynamically allocated structures (ie. the library allocates the +memory and the user is not expected to `<tt/free()/' it) any module +call to this function is likely to corrupt a pointer previously +obtained by the application. The application programmer should either +re-call such a `libc' function after a call to the <bf/Linux-PAM/ +library, or copy the structure contents to some safe area of memory +before passing control to the <bf/Linux-PAM/ library. + +<p> +Two important function classes that fall into this category are +<tt>getpwnam(3)</tt> and <tt>syslog(3)</tt>. + +<sect1>Choice of a service name + +<p> +When picking the <em/service-name/ that corresponds to the first entry +in the <bf/Linux-PAM/ configuration file, the application programmer +should <bf/avoid/ the temptation of choosing something related to +<tt/argv[0]/. It is a trivial matter for any user to invoke any +application on a system under a different name and this should not be +permitted to cause a security breach. + +<p> +In general, this is always the right advice if the program is setuid, +or otherwise more privileged than the user that invokes it. In some +cases, avoiding this advice is convenient, but as an author of such an +application, you should consider well the ways in which your program +will be installed and used. (Its often the case that programs are not +intended to be setuid, but end up being installed that way for +convenience. If your program falls into this category, don't fall into +the trap of making this mistake.) + +<p> +To invoke some <tt/target/ application by another name, the user may +symbolically link the target application with the desired name. 
To be +precise all the user need do is, +<tscreen> +<verb> +ln -s /target/application ./preferred_name +</verb> +</tscreen> +and then <em/run/ <tt>./preferred_name</tt> + +<p> +By studying the <bf/Linux-PAM/ configuration file(s), an attacker can +choose the <tt/preferred_name/ to be that of a service enjoying +minimal protection; for example a game which uses <bf/Linux-PAM/ to +restrict access to certain hours of the day. If the service-name were +to be linked to the filename under which the service was invoked, it +is clear that the user is effectively in the position of dictating +which authentication scheme the service uses. Needless to say, this +is not a secure situation. + +<p> +The conclusion is that the application developer should carefully +define the service-name of an application. The safest thing is to make +it a single hard-wired name. + +<sect1>The conversation function + +<p> +Care should be taken to ensure that the <tt/conv()/ function is +robust. Such a function is provided in the library <tt/libpam_misc/ +(see <ref id="libpam-misc-section" name="below">). + +<sect1>The identity of the user + +<p> +The <bf/Linux-PAM/ modules will need to determine the identity of the +user who requests a service, and the identity of the user who grants +the service. These two users will seldom be the same. Indeed there +is generally a third user identity to be considered, the new (assumed) +identity of the user once the service is granted. + +<p> +The need for keeping tabs on these identities is clearly an issue of +security. One convention that is actively used by some modules is +that the identity of the user requesting a service should be the +current <tt/uid/ (userid) of the running process; the identity of the +privilege granting user is the <tt/euid/ (effective userid) of the +running process; the identity of the user, under whose name the +service will be executed, is given by the contents of the +<tt/PAM_USER/ <tt/pam_get_item(3)/. 
Note, modules can change the +values of <tt/PAM_USER/ and <tt/PAM_RUSER/ during any of the +<tt/pam_*()/ library calls. For this reason, the application should +take care to use the <tt/pam_get_item()/ every time it wishes to +establish who the authenticated user is (or will currently be). + +<p> +For network-serving databases and other applications that provide +their own security model (independent of the OS kernel) the above +scheme is insufficient to identify the requesting user. + +<p> +A more portable solution to storing the identity of the requesting +user is to use the <tt/PAM_RUSER/ <tt/pam_get_item(3)/. The +application should supply this value before attempting to authenticate +the user with <tt/pam_authenticate()/. How well this name can be +trusted will ultimately be at the discretion of the local +administrator (who configures PAM for your application) and a selected +module may attempt to override the value where it can obtain more +reliable data. If an application is unable to determine the identity +of the requesting entity/user, it should not call <tt/pam_set_item(3)/ +to set <tt/PAM_RUSER/. + +<p> +In addition to the <tt/PAM_RUSER/ item, the application should supply +the <tt/PAM_RHOST/ (<em/requesting host/) item. As a general rule, the +following convention for its value can be assumed: <tt/<unset>/ += unknown; <tt/localhost/ = invoked directly from the local system; +<em/other.place.xyz/ = some component of the user's connection +originates from this remote/requesting host. At present, PAM has no +established convention for indicating whether the application supports +a trusted path to communication from this host. + +<sect1>Sufficient resources + +<p> +Care should be taken to ensure that the proper execution of an +application is not compromised by a lack of system resources. If an +application is unable to open sufficient files to perform its service, +it should fail gracefully, or request additional resources. 
+Specifically, the quantities manipulated by the <tt/setrlimit(2)/ +family of commands should be taken into consideration. + +<p> +This is also true of conversation prompts. The application should not +accept prompts of arbitrary length with out checking for resource +allocation failure and dealing with such extreme conditions gracefully +and in a mannor that preserves the PAM API. Such tolerance may be +especially important when attempting to track a malicious adversary. + +<sect>A library of miscellaneous helper functions +<label id="libpam-misc-section"> + +<p> +To aid the work of the application developer a library of +miscellaneous functions is provided. It is called <tt/libpam_misc/, +and contains functions for allocating memory (securely), a text based +conversation function, and routines for enhancing the standard +PAM-environment variable support. + +<sect1>Requirements + +<p> +The functions, structures and macros, made available by this library +can be defined by including <tt><security/pam_misc.h></tt>. It +should be noted that this library is specific to <bf/Linux-PAM/ and is +not referred to in the defining DCE-RFC (see <ref id="bibliography" +name="the bibliography">) below. + +<sect1>Macros supplied + +<sect2>Safe duplication of strings + +<p> +<tscreen> +<verb> +x_strdup(const char *s) +</verb> +</tscreen> + +<p> +This macro is a replacement for the <tt/xstrdup()/ function that was +present in earlier versions of the library and which clashed horribly +with a number of applications. It returns a duplicate copy of the +<tt/NUL/ terminated string, <tt/s/. <tt/NULL/ is returned if there is +insufficient memory available for the duplicate or if <tt/s/ is +<tt/NULL/ to begin with. 
+ +<sect1>Functions supplied + +<sect2>A text based conversation function + +<p> +<tscreen> +<verb> +extern int misc_conv(int num_msg, const struct pam_message **msgm, + struct pam_response **response, void *appdata_ptr); +</verb> +</tscreen> + +<p> +This is a function that will prompt the user with the appropriate +comments and obtain the appropriate inputs as directed by +authentication modules. + +<p> +In addition to simply slotting into the appropriate <tt/struct +pam_conv/, this function provides some time-out facilities. The +function exports five variables that can be used by an application +programmer to limit the amount of time this conversation function will +spend waiting for the user to type something. + +<p> +The five variables are as follows: +<descrip> +<tag><tt>extern time_t pam_misc_conv_warn_time;</tt></tag> + +This variable contains the <em/time/ (as returned by <tt/time()/) that +the user should be first warned that the clock is ticking. By default +it has the value <tt/0/, which indicates that no such warning will be +given. The application may set its value to sometime in the future, +but this should be done prior to passing control to the <bf/Linux-PAM/ +library. + +<tag><tt>extern const char *pam_misc_conv_warn_line;</tt></tag> + +Used in conjuction with <tt/pam_misc_conv_warn_time/, this variable is +a pointer to the string that will be displayed when it becomes time to +warn the user that the timeout is approaching. Its default value is +``..\a.Time is running out...\n'', but this can be changed +by the application prior to passing control to <bf/Linux-PAM/. + +<tag><tt>extern time_t pam_misc_conv_die_time;</tt></tag> + +This variable contains the <em/time/ (as returned by <tt/time()/) that +the conversation will time out. By default it has the value <tt/0/, +which indicates that the conversation function will not timeout. 
The +application may set its value to sometime in the future, this should +be done prior to passing control to the <bf/Linux-PAM/ library. + +<tag><tt>extern const char *pam_misc_conv_die_line;</tt></tag> + +Used in conjuction with <tt/pam_misc_conv_die_time/, this variable is +a pointer to the string that will be displayed when the conversation +times out. Its default value is ``..\a.Sorry, your time is +up!\n'', but this can be changed by the application prior to +passing control to <bf/Linux-PAM/. + +<tag><tt>extern int pam_misc_conv_died;</tt></tag> + +Following a return from the <bf/Linux-PAM/ libraray, the value of this +variable indicates whether the conversation has timed out. A value of +<tt/1/ indicates the time-out occurred. + +</descrip> + +<p> +The following two function pointers are available for supporting binary +prompts in the conversation function. They are optimized for the +current incarnation of the <tt/libpamc/ library and are subject to +change. +<descrip> +<tag><tt>extern int (*pam_binary_handler_fn)(void *appdata, pamc_bp_t +*prompt_p);</tt></tag> + +This function pointer is initialized to <tt/NULL/ but can be filled +with a function that provides machine-machine (hidden) message +exchange. It is intended for use with hidden authentication protocols +such as RSA or Diffie-Hellman key exchanges. (This is still under +development.) + +<tag><tt>extern int (*pam_binary_handler_free)(void *appdata, +pamc_bp_t *delete_me);</tt></tag> + +This function pointer is initialized to <tt/PAM_BP_RENEW(delete_me, 0, +0)/, but can be redefined as desired by the application. + +</descrip> + +<sect2>Transcribing an environment to that of Linux-PAM +<p> +<tscreen> +<verb> +extern int pam_misc_paste_env(pam_handle_t *pamh, + const char * const * user_env); +</verb> +</tscreen> + +This function takes the supplied list of environment pointers and +<em/uploads/ its contents to the <bf/Linux-PAM/ environment. Success +is indicated by <tt/PAM_SUCCESS/. 
+ +<sect2>Liberating a locally saved environment +<p> +<tscreen> +<verb> +extern char **pam_misc_drop_env(char **env); +</verb> +</tscreen> + +This function is defined to complement the <tt/pam_getenvlist()/ +function. It liberates the memory associated with <tt/env/, +<em/overwriting/ with <tt/0/ all memory before <tt/free()/ing it. + +<sect2>BSD like Linux-PAM environment variable setting +<p> +<tscreen> +<verb> +extern int pam_misc_setenv(pam_handle_t *pamh, const char *name, + const char *value, int readonly); +</verb> +</tscreen> + +This function performs a task equivalent to <tt/pam_putenv()/, its +syntax is, however, more like the BSD style function; <tt/setenv()/. +The <tt/name/ and <tt/value/ are concatenated with an ``<tt/=/'' to +form a <tt/name_value/ and passed to <tt/pam_putenv()/. If, however, +the <bf/Linux-PAM/ variable is already set, the replacement will only +be applied if the last argument, <tt/readonly/, is zero. + +<sect>Porting legacy applications + +<p> +The following is extracted from an email. I'll tidy it up later. + +<p> +The point of PAM is that the application is not supposed to have any +idea how the attached authentication modules will choose to +authenticate the user. So all they can do is provide a conversation +function that will talk directly to the user(client) on the modules' +behalf. + +<p> +Consider the case that you plug a retinal scanner into the login +program. In this situation the user would be prompted: "please look +into the scanner". No username or password would be needed - all this +information could be deduced from the scan and a database lookup. The +point is that the retinal scanner is an ideal task for a "module". 
+ +<p> +While it is true that a pop-daemon program is designed with the POP +protocol in mind and no-one ever considered attaching a retinal +scanner to it, it is also the case that the "clean" PAM'ification of +such a daemon would allow for the possibility of a scanner module +being be attached to it. The point being that the "standard" +pop-authentication protocol(s) [which will be needed to satisfy +inflexible/legacy clients] would be supported by inserting an +appropriate pam_qpopper module(s). However, having rewritten popd +once in this way any new protocols can be implemented in-situ. + +<p> +One simple test of a ported application would be to insert the +<tt/pam_permit/ module and see if the application demands you type a +password... In such a case, <tt/xlock/ would fail to lock the +terminal - or would at best be a screen-saver, ftp would give password +free access to all etc.. Neither of these is a very secure thing to +do, but they do illustrate how much flexibility PAM puts in the hands +of the local admin. + +<p> +The key issue, in doing things correctly, is identifying what is part +of the authentication procedure (how many passwords etc..) the +exchange protocol (prefixes to prompts etc., numbers like 331 in the +case of ftpd) and what is part of the service that the application +delivers. PAM really needs to have total control in the +authentication "procedure", the conversation function should only +deal with reformatting user prompts and extracting responses from raw +input. + +<sect>Glossary of PAM related terms + +<p> +The following are a list of terms used within this document. + +<p> +<descrip> + +<tag>Authentication token</tag> +Generally, this is a password. However, a user can authenticate +him/herself in a variety of ways. Updating the user's authentication +token thus corresponds to <em>refreshing</em> the object they use to +authenticate themself with the system. 
The word password is avoided +to keep open the possibility that the authentication involves a +retinal scan or other non-textual mode of challenge/response. + +<tag>Credentials</tag> +Having successfully authenticated the user, PAM is able to establish +certain characteristics/attributes of the user. These are termed +<em>credentials</em>. Examples of which are group memberships to +perform privileged tasks with, and <em>tickets</em> in the form of +environment variables etc. . Some user-credentials, such as the +user's UID and GID (plus default group memberships) are not deemed to +be PAM-credentials. It is the responsibility of the application to +grant these directly. + +</descrip> + +<sect>An example application + +<p> +To get a flavor of the way a <tt/Linux-PAM/ application is written we +include the following example. It prompts the user for their password +and indicates whether their account is valid on the standard output, +its return code also indicates the success (<tt/0/ for success; <tt/1/ +for failure). + +<p> +<tscreen> +<verb> +/* + This program was contributed by Shane Watts + [modifications by AGM] + + You need to add the following (or equivalent) to the /etc/pam.conf file. + # check authorization + check_user auth required /usr/lib/security/pam_unix_auth.so + check_user account required /usr/lib/security/pam_unix_acct.so + */ + +#include <security/pam_appl.h> +#include <security/pam_misc.h> +#include <stdio.h> + +static struct pam_conv conv = { + misc_conv, + NULL +}; + +int main(int argc, char *argv[]) +{ + pam_handle_t *pamh=NULL; + int retval; + const char *user="nobody"; + + if(argc == 2) { + user = argv[1]; + } + + if(argc > 2) { + fprintf(stderr, "Usage: check_user [username]\n"); + exit(1); + } + + retval = pam_start("check_user", user, &ero;conv, &ero;pamh); + + if (retval == PAM_SUCCESS) + retval = pam_authenticate(pamh, 0); /* is user really user? */ + + if (retval == PAM_SUCCESS) + retval = pam_acct_mgmt(pamh, 0); /* permitted access? 
*/ + + /* This is where we have been authorized or not. */ + + if (retval == PAM_SUCCESS) { + fprintf(stdout, "Authenticated\n"); + } else { + fprintf(stdout, "Not Authenticated\n"); + } + + if (pam_end(pamh,retval) != PAM_SUCCESS) { /* close Linux-PAM */ + pamh = NULL; + fprintf(stderr, "check_user: failed to release authenticator\n"); + exit(1); + } + + return ( retval == PAM_SUCCESS ? 0:1 ); /* indicate success */ +} +</verb> +</tscreen> + +<sect>Files + +<p><descrip> + +<tag><tt>/usr/include/security/pam_appl.h</tt></tag> + +header file for <bf/Linux-PAM/ applications interface + +<tag><tt>/usr/include/security/pam_misc.h</tt></tag> + +header file for useful library functions for making applications +easier to write + +<tag><tt>/usr/lib/libpam.so.*</tt></tag> + +the shared library providing applications with access to +<bf/Linux-PAM/. + +<tag><tt>/etc/pam.conf</tt></tag> + +the <bf/Linux-PAM/ configuration file. + +<tag><tt>/usr/lib/security/pam_*.so</tt></tag> + +the primary location for <bf/Linux-PAM/ dynamically loadable object +files; the modules. + +</descrip> + +<sect>See also +<label id="bibliography"> + +<p><itemize> + +<item>The <bf/Linux-PAM/ +<htmlurl url="pam.html" name="System Administrators' Guide">. + +<item>The <bf/Linux-PAM/ +<htmlurl url="pam_modules.html" name="Module Writers' Guide">. + +<item>The V. Samar and R. Schemers (SunSoft), ``UNIFIED LOGIN WITH +PLUGGABLE AUTHENTICATION MODULES'', Open Software Foundation Request +For Comments 86.0, October 1995. + +</itemize> + +<sect>Notes + +<p> +I intend to put development comments here... like ``at the moment +this isn't actually supported''. At release time what ever is in +this section will be placed in the Bugs section below! :) + +<p> +<itemize> + +<item> <tt/pam_strerror()/ should be internationalized.... + +<item> +Note, the <tt/resp_retcode/ of struct <tt/pam_message/, has no +purpose at the moment. Ideas/suggestions welcome! + +<item> more security issues are required.... 
+ +</itemize> + +<sect>Author/acknowledgments + +<p> +This document was written by Andrew G. Morgan +(morgan@kernel.org) with many contributions from +<!-- insert credits here --> +<!-- + an sgml list of people to credit for their contributions to Linux-PAM + $Id: pam_appl.sgml,v 1.1.1.2 2002/09/15 20:08:24 hartmans Exp $ + --> +Chris Adams, +Peter Allgeyer, +Tim Baverstock, +Tim Berger, +Craig S. Bell, +Derrick J. Brashear, +Ben Buxton, +Seth Chaiklin, +Oliver Crow, +Chris Dent, +Marc Ewing, +Cristian Gafton, +Emmanuel Galanos, +Brad M. Garcia, +Eric Hester, +Roger Hu, +Eric Jacksch, +Michael K. Johnson, +David Kinchlea, +Olaf Kirch, +Marcin Korzonek, +Stephen Langasek, +Nicolai Langfeldt, +Elliot Lee, +Luke Kenneth Casson Leighton, +Al Longyear, +Ingo Luetkebohle, +Marek Michalkiewicz, +Robert Milkowski, +Aleph One, +Martin Pool, +Sean Reifschneider, +Jan Rekorajski, +Erik Troan, +Theodore Ts'o, +Jeff Uphoff, +Myles Uyema, +Savochkin Andrey Vladimirovich, +Ronald Wahl, +David Wood, +John Wilmes, +Joseph S. D. Yao +and +Alex O. Yuriev. + +<p> +Thanks are also due to Sun Microsystems, especially to Vipin Samar and +Charlie Lai for their advice. At an early stage in the development of +<bf/Linux-PAM/, Sun graciously made the documentation for their +implementation of PAM available. This act greatly accelerated the +development of <bf/Linux-PAM/. + +<sect>Bugs/omissions + +<p> +This manual is hopelessly unfinished. Only a partial list of people is +credited for all the good work they have done. + +<sect>Copyright information for this document + +<p> +Copyright (c) Andrew G. Morgan 1996-9,2000-1. All rights reserved. +<newline> +Email: <tt><morgan@kernel.org></tt> + +<p> +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions are +met: + +<p> +<itemize> + +<item> +1. 
Redistributions of source code must retain the above copyright + notice, and the entire permission notice in its entirety, + including the disclaimer of warranties. + +<item> +2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + +<item> +3. The name of the author may not be used to endorse or promote + products derived from this software without specific prior + written permission. + +</itemize> + +<p> +<bf/Alternatively/, this product may be distributed under the terms of +the GNU General Public License (GPL), in which case the provisions of +the GNU GPL are required <bf/instead of/ the above restrictions. +(This clause is necessary due to a potential bad interaction between +the GNU GPL and the restrictions contained in a BSD-style copyright.) + +<p> +THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED +WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. +IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, +INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, +BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS +OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND +ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR +TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE +USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH +DAMAGE. + +<p> +<tt>$Id: pam_appl.sgml,v 1.1.1.2 2002/09/15 20:08:24 hartmans Exp $</tt> + +</article> diff --git a/Linux-PAM/doc/pam_modules.sgml b/Linux-PAM/doc/pam_modules.sgml new file mode 100644 index 00000000..c67dd448 --- /dev/null +++ b/Linux-PAM/doc/pam_modules.sgml 
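Review bot: In the check_user listing under "An example application", `exit(1)` is called in two places but the program only includes `<security/pam_appl.h>`, `<security/pam_misc.h>` and `<stdio.h>`; add `#include <stdlib.h>` so the example compiles cleanly as shown. In the same listing, when `pam_start()` fails `pamh` is still `NULL` and control falls through to `if (pam_end(pamh,retval) != PAM_SUCCESS)`, so the start failure is reported as "failed to release authenticator"; either return 1 directly after a failed `pam_start()` or guard the `pam_end()` call on `pamh != NULL` so the failure path matches the "1 for failure" contract stated above the listing. Minor: "being be attached" in the pop-daemon paragraph, "authenticate themself" in the glossary, and the "Porting legacy applications" section still carries the placeholder sentence "The following is extracted from an email. I'll tidy it up later."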
@@ -0,0 +1,1505 @@ +<!doctype linuxdoc system> + +<!-- + + $Id: pam_modules.sgml,v 1.1.1.2 2002/09/15 20:08:25 hartmans Exp $ + + Copyright (c) Andrew G. Morgan 1996-2001. All rights reserved. + + ** some sections, in this document, were contributed by other + ** authors. They carry individual copyrights. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions are +met: + +1. Redistributions of source code must retain the above copyright + notice, and the entire permission notice in its entirety, + including the disclaimer of warranties. + +2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + +3. The name of the author may not be used to endorse or promote + products derived from this software without specific prior + written permission. + +ALTERNATIVELY, this product may be distributed under the terms of the +GNU General Public License, in which case the provisions of the GNU +GPL are required INSTEAD OF the above restrictions. (This clause is +necessary due to a potential bad interaction between the GNU GPL and +the restrictions contained in a BSD-style copyright.) + +THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED +WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
+IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, +INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, +BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS +OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND +ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR +TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE +USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH +DAMAGE. + + --> + +<article> + +<title>The Linux-PAM Module Writers' Guide +<author>Andrew G. Morgan, <tt>morgan@kernel.org</tt> +<date>DRAFT v0.76 2002/05/09 +<abstract> +This manual documents what a programmer needs to know in order to +write a module that conforms to the <bf/Linux-PAM/ standard. It also +discusses some security issues from the point of view of the module +programmer. +</abstract> + +<toc> + +<sect>Introduction + +<sect1> Synopsis +<p> +<tscreen> +<verb> +#include <security/pam_modules.h> + +gcc -fPIC -c pam_module-name.c +ld -x --shared -o pam_module-name.so pam_module-name.o +</verb> +</tscreen> + +<sect1> Description + +<p> +<bf/Linux-PAM/ (Pluggable Authentication Modules for Linux) is a +library that enables the local system administrator to choose how +individual applications authenticate users. For an overview of the +<bf/Linux-PAM/ library see the <bf/Linux-PAM/ System Administrators' +Guide. + +<p> +A <bf/Linux-PAM/ module is a single executable binary file that can be +loaded by the <bf/Linux-PAM/ interface library. This PAM library is +configured locally with a system file, <tt>/etc/pam.conf</tt>, to +authenticate a user request via the locally available authentication +modules. The modules themselves will usually be located in the +directory <tt>/usr/lib/security</tt> and take the form of dynamically +loadable object files (see dlopen(3)). 
Alternatively, the modules can +be statically linked into the <bf/Linux-PAM/ library; this is mostly to +allow <bf/Linux-PAM/ to be used on platforms without dynamic linking +available, but the two forms can be used together. It is the +<bf/Linux-PAM/ interface that is called by an application and it is +the responsibility of the library to locate, load and call the +appropriate functions in a <bf/Linux-PAM/-module. + +<p> +Except for the immediate purpose of interacting with the user +(entering a password etc..) the module should never call the +application directly. This exception requires a "conversation +mechanism" which is documented below. + +<sect>What can be expected by the module + +<p> +Here we list the interface that the conventions that all +<bf/Linux-PAM/ modules must adhere to. + +<sect1>Getting and setting <tt/PAM_ITEM/s and <em/data/ + +<p> +First, we cover what the module should expect from the <bf/Linux-PAM/ +library and a <bf/Linux-PAM/ <em/aware/ application. Essesntially this +is the <tt/libpam.*/ library. + +<sect2> +Setting data + +<p> +Synopsis: +<tscreen> +<verb> +extern int pam_set_data(pam_handle_t *pamh, + const char *module_data_name, + void *data, + void (*cleanup)(pam_handle_t *pamh, + void *data, int error_status) ); +</verb> +</tscreen> + +<p> +The modules may be dynamically loadable objects. In general such files +should not contain <tt/static/ variables. This and the subsequent +function provide a mechanism for a module to associate some data with +the handle <tt/pamh/. Typically a module will call the +<tt/pam_set_data()/ function to register some data under a (hopefully) +unique <tt/module_data_name/. The data is available for use by other +modules too but <em/not/ by an application. + +<p> +The function <tt/cleanup()/ is associated with the <tt/data/ and, if +non-<tt/NULL/, it is called when this data is over-written or +following a call to <tt/pam_end()/ (see the Linux-PAM Application +Developers' Guide). 
+ +<p> +The <tt/error_status/ argument is used to indicate to the module the +sort of action it is to take in cleaning this data item. As an +example, Kerberos creates a ticket file during the authentication +phase, this file might be associated with a data item. When +<tt/pam_end()/ is called by the module, the <tt/error_status/ +carries the return value of the <tt/pam_authenticate()/ or other +<tt/libpam/ function as appropriate. Based on this value the Kerberos +module may choose to delete the ticket file (<em/authentication +failure/) or leave it in place. + +<p> +The <tt/error_status/ may have been logically OR'd with either of the +following two values: + +<p> +<descrip> +<tag><tt/PAM_DATA_REPLACE/</tag> + When a data item is being replaced (through a second call to +<tt/pam_set_data()/) this mask is used. Otherwise, the call is assumed +to be from <tt/pam_end()/. + +<tag><tt/PAM_DATA_SILENT/</tag> + Which indicates that the process would prefer to perform the +<tt/cleanup()/ quietly. That is, discourages logging/messages to the +user. + +</descrip> + + +<sect2> +Getting data + +<p> +Synopsis: +<tscreen> +<verb> +extern int pam_get_data(const pam_handle_t *pamh, + const char *module_data_name, + const void **data); +</verb> +</tscreen> + +<p> +This function together with the previous one provides a method of +associating module-specific data with the handle <tt/pamh/. A +successful call to <tt/pam_get_data/ will result in <tt/*data/ +pointing to the data associated with the <tt/module_data_name/. Note, +this data is <em/not/ a copy and should be treated as <em/constant/ +by the module. + +<p> +Note, if there is an entry but it has the value <tt/NULL/, then this +call returns <tt/PAM_NO_MODULE_DATA/. + +<sect2> +Setting items + +<p> +Synopsis: +<tscreen> +<verb> +extern int pam_set_item(pam_handle_t *pamh, + int item_type, + const void *item); +</verb> +</tscreen> + +<p> +This function is used to (re)set the value of one of the +<tt/item_type/s. 
The reader is urged to read the entry for this +function in the <bf/Linux-PAM/ application developers' manual. + +<p> +In addition to the <tt/item/s listed there, the module can set the +following two <tt/item_type/s: + +<p> +<descrip> +<tag><tt/PAM_AUTHTOK/</tag> + +The authentication token (often a password). This token should be +ignored by all module functions besides <tt/pam_sm_authenticate()/ and +<tt/pam_sm_chauthtok()/. In the former function it is used to pass the +most recent authentication token from one stacked module to +another. In the latter function the token is used for another +purpose. It contains the currently active authentication token. + +<tag><tt/PAM_OLDAUTHTOK/</tag> + +The old authentication token. This token should be ignored by all +module functions except <tt/pam_sm_chauthtok()/. + +</descrip> + +<p> +Both of these items are reset before returning to the application. +When resetting these items, the <bf/Linux-PAM/ library first writes +<tt/0/'s to the current tokens and then <tt/free()/'s the associated +memory. + +<p> +The return values for this function are listed in the +<bf>Linux-PAM</bf> Application Developers' Guide. + +<sect2> +Getting items + +<p> +Synopsis: +<tscreen> +<verb> +extern int pam_get_item(const pam_handle_t *pamh, + int item_type, + const void **item); +</verb> +</tscreen> + +<p> +This function is used to obtain the value of the specified +<tt/item_type/. It is better documented in the <bf/Linux-PAM/ +Application Developers' Guide. However, there are three things worth +stressing here: +<itemize> + +<item> +Generally, if the module wishes to obtain the name of the user, it +should not use this function, but instead perform a call to +<tt/pam_get_user()/ (see section <ref id="pam-get-user" +name="below">). + +<item> +The module is additionally privileged to read the authentication +tokens, <tt/PAM_AUTHTOK/ and <tt/PAM_OLDAUTHTOK/ (see the section +above on <tt/pam_set_data()/). 
+ +<item> +The module should <em/not/ <tt/free()/ or alter the data pointed to by +<tt/*item/ after a successful return from <tt/pam_get_item()/. This +pointer points directly at the data contained within the <tt/*pamh/ +structure. Should a module require that a change is made to the this +<tt/ITEM/ it should make the appropriate call to <tt/pam_set_item()/. +</itemize> + +<sect2>The <em/conversation/ mechanism + +<p> +Following the call <tt>pam_get_item(pamh,PAM_CONV,&item)</tt>, the +pointer <tt/item/ points to a structure containing an a pointer to a +<em/conversation/-function that provides limited but direct access to +the application. The purpose of this function is to allow the module +to prompt the user for their password and pass other information in a +manner consistent with the application. For example, an X-windows +based program might pop up a dialog box to report a login +failure. Just as the application should not be concerned with the +method of authentication, so the module should not dictate the manner +in which input (output) is obtained from (presented to) to the user. + +<p> +<bf>The reader is strongly urged to read the more complete description of +the <tt/pam_conv/ structure, written from the perspective of the +application developer, in the <bf/Linux-PAM/ Application Developers' +Guide.</bf> + +<p> +The return values for this function are listed in the +<bf>Linux-PAM</bf> Application Developers' Guide. + +<p> +The <tt/pam_response/ structure returned after a call to the +<tt/pam_conv/ function must be <tt/free()/'d by the module. Since the +call to the conversation function originates from the module, it is +clear that this <tt/pam_response/ structure could be either statically +or dynamically (using <tt/malloc()/ etc.) allocated within the +application. 
Repeated calls to the conversation function would likely +overwrite static memory, so it is required that for a successful +return from the conversation function the memory for the response +structure is dynamically allocated by the application with one of the +<tt/malloc()/ family of commands and <em/must/ be <tt/free()/'d by the +module. + +<p> +If the <tt/pam_conv/ mechanism is used to enter authentication tokens, +the module should either pass the result to the <tt/pam_set_item()/ +library function, or copy it itself. In such a case, once the token +has been stored (by one of these methods or another one), the memory +returned by the application should be overwritten with <tt/0/'s, and +then <tt/free()/'d. + +There is a handy macro <tt/_pam_drop_reply()/ to be found in +<tt><security/_pam_macros.h></tt> that can be used to +conveniently cleanup a <tt/pam_response/ structure. (Note, this +include file is specific to the Linux-PAM sources, and whilst it will +work with Sun derived PAM implementations, it is not generally +distributed by Sun.) + +<sect2>Getting the name of a user<label id="pam-get-user"> + +<p> +Synopsis: +<tscreen> +<verb> +extern int pam_get_user(pam_handle_t *pamh, + const char **user, + const char *prompt); +</verb> +</tscreen> + +<p> +This is a <bf/Linux-PAM/ library function that returns the +(prospective) name of the user. To determine the username it does the +following things, in this order: +<itemize> + +<item> checks what <tt/pam_get_item(pamh, PAM_USER, ... );/ would have +returned. If this is not <tt/NULL/ this is what it returns. Otherwise, + +<item> obtains a username from the application via the <tt/pam_conv/ +mechanism, it prompts the user with the first non-<tt/NULL/ string in +the following list: +<itemize> + +<item> The <tt/prompt/ argument passed to the function +<item> What is returned by <tt/pam_get_item(pamh,PAM_USER_PROMPT, ... 
);/ +<item> The default prompt: ``Please enter username: '' + +</itemize> +</itemize> + +<p> +By whatever means the username is obtained, a pointer to it is +returned as the contents of <tt/*user/. Note, this memory should +<em/not/ be <tt/free()/'d by the module. Instead, it will be liberated +on the next call to <tt/pam_get_user()/, or by <tt/pam_end()/ when the +application ends its interaction with <bf/Linux-PAM/. + +<p> +Also, in addition, it should be noted that this function sets the +<tt/PAM_USER/ item that is associated with the <tt/pam_[gs]et_item()/ +function. + +<p> +The return value of this function is one of the following: +<itemize> + +<item> <tt/PAM_SUCCESS/ - username obtained. + +<item> <tt/PAM_CONV_AGAIN/ - converstation did not complete and the +caller is required to return control to the application, until such +time as the application has completed the conversation process. A +module calling <tt/pam_get_user()/ that obtains this return code, +should return <tt/PAM_INCOMPLETE/ and be prepared (when invoked the +next time) to recall <tt/pam_get_user()/ to fill in the user's name, +and then pick up where it left off as if nothing had happened. This +procedure is needed to support an event-driven application programming +model. + +<item> <tt/PAM_CONV_ERR/ - the conversation method supplied by the +application failed to obtain the username. + +</itemize> + +<sect2>Setting a Linux-PAM environment variable + +<p> +Synopsis: +<tscreen> +<verb> +extern int pam_putenv(pam_handle_t *pamh, const char *name_value); +</verb> +</tscreen> + +<p> +<bf/Linux-PAM/ comes equipped with a series of functions for +maintaining a set of <em/environment/ variables. The environment is +initialized by the call to <tt/pam_start()/ and is <bf/erased/ with a +call to <tt/pam_end()/. This <em/environment/ is associated with the +<tt/pam_handle_t/ pointer returned by the former call. + +<p> +The default environment is all but empty. 
It contains a single +<tt/NULL/ pointer, which is always required to terminate the +variable-list. The <tt/pam_putenv()/ function can be used to add a +new environment variable, replace an existing one, or delete an old +one. + +<p> +<itemize> +<item>Adding/replacing a variable<newline> + +To add or overwrite a <bf/Linux-PAM/ environment variable the value of +the argument <tt/name_value/, should be of the following form: +<tscreen> +<verb> +name_value="VARIABLE=VALUE OF VARIABLE" +</verb> +</tscreen> +Here, <tt/VARIABLE/ is the environment variable's name and what +follows the `<tt/=/' is its (new) value. (Note, that <tt/"VARIABLE="/ +is a valid value for <tt/name_value/, indicating that the variable is +set to <tt/""/.) + +<item> Deleting a variable<newline> + +To delete a <bf/Linux-PAM/ environment variable the value of +the argument <tt/name_value/, should be of the following form: +<tscreen> +<verb> +name_value="VARIABLE" +</verb> +</tscreen> +Here, <tt/VARIABLE/ is the environment variable's name and the absence +of an `<tt/=/' indicates that the variable should be removed. + +</itemize> + +<p> +In all cases <tt/PAM_SUCCESS/ indicates success. + +<sect2>Getting a Linux-PAM environment variable + +<p> +Synopsis: +<tscreen> +<verb> +extern const char *pam_getenv(pam_handle_t *pamh, const char *name); +</verb> +</tscreen> + +<p> +This function can be used to return the value of the given +variable. If the returned value is <tt/NULL/, the variable is not +known. + +<sect2>Listing the Linux-PAM environment + +<p> +Synopsis: +<tscreen> +<verb> +extern char * const *pam_getenvlist(pam_handle_t *pamh); +</verb> +</tscreen> + +<p> +This function returns a pointer to the entire <bf/Linux-PAM/ +environment array. At first sight the <em/type/ of the returned data +may appear a little confusing. It is basically a <em/read-only/ array +of character pointers, that lists the <tt/NULL/ terminated list of +environment variables set so far. 
+ +<p> +Although, this is not a concern for the module programmer, we mention +here that an application should be careful to copy this entire array +before executing <tt/pam_end()/ otherwise all the variable information +will be lost. (There are functions in <tt/libpam_misc/ for this +purpose: <tt/pam_misc_copy_env()/ and <tt/pam_misc_drop_env()/.) + +<sect1>Other functions provided by <tt/libpam/ + +<sect2>Understanding errors + +<p> +<itemize> + +<item> +<tt>extern const char *pam_strerror(pam_handle_t *pamh, int errnum);</tt> + +<p> +This function returns some text describing the <bf/Linux-PAM/ error +associated with the argument <tt/errnum/. If the error is not +recognized <tt/``Unknown Linux-PAM error''/ is returned. + +</itemize> + +<sect2>Planning for delays + +<p> +<itemize> + +<item> +<tt>extern int pam_fail_delay(pam_handle_t *pamh, unsigned int +micro_sec)</tt> + +<p> +This function is offered by <bf/Linux-PAM/ to facilitate time delays +following a failed call to <tt/pam_authenticate()/ and before control +is returned to the application. When using this function the module +programmer should check if it is available with, +<tscreen> +<verb> +#ifdef PAM_FAIL_DELAY + .... +#endif /* PAM_FAIL_DELAY */ +</verb> +</tscreen> + +<p> +Generally, an application requests that a user is authenticated by +<bf/Linux-PAM/ through a call to <tt/pam_authenticate()/ or +<tt/pam_chauthtok()/. These functions call each of the <em/stacked/ +authentication modules listed in the <bf/Linux-PAM/ configuration +file. As directed by this file, one of more of the modules may fail +causing the <tt/pam_...()/ call to return an error. It is desirable +for there to also be a pause before the application continues. The +principal reason for such a delay is security: a delay acts to +discourage <em/brute force/ dictionary attacks primarily, but also +helps hinder <em/timed/ (cf. covert channel) attacks. 
+ +<p> +The <tt/pam_fail_delay()/ function provides the mechanism by which an +application or module can suggest a minimum delay (of <tt/micro_sec/ +<em/micro-seconds/). <bf/Linux-PAM/ keeps a record of the longest time +requested with this function. Should <tt/pam_authenticate()/ fail, +the failing return to the application is delayed by an amount of time +randomly distributed (by up to 25%) about this longest value. + +<p> +Independent of success, the delay time is reset to its zero default +value when <bf/Linux-PAM/ returns control to the application. + +</itemize> + +<sect>What is expected of a module + +<p> +The module must supply a sub-set of the six functions listed +below. Together they define the function of a <bf/Linux-PAM +module/. Module developers are strongly urged to read the comments on +security that follow this list. + +<sect1> Overview + +<p> +The six module functions are grouped into four independent management +groups. These groups are as follows: <em/authentication/, +<em/account/, <em/session/ and <em/password/. To be properly defined, +a module must define all functions within at least one of these +groups. A single module may contain the necessary functions for +<em/all/ four groups. + +<sect2> Functional independence + +<p> +The independence of the four groups of service a module can offer +means that the module should allow for the possibility that any one of +these four services may legitimately be called in any order. Thus, the +module writer should consider the appropriateness of performing a +service without the prior success of some other part of the module. + +<p> +As an informative example, consider the possibility that an +application applies to change a user's authentication token, without +having first requested that <bf/Linux-PAM/ authenticate the user. In +some cases this may be deemed appropriate: when <tt/root/ wants to +change the authentication token of some lesser user. 
In other cases it +may not be appropriate: when <tt/joe/ maliciously wants to reset +<tt/alice/'s password; or when anyone other than the user themself +wishes to reset their <em/KERBEROS/ authentication token. A policy for +this action should be defined by any reasonable authentication scheme, +the module writer should consider this when implementing a given +module. + +<sect2> Minimizing administration problems + +<p> +To avoid system administration problems and the poor construction of a +<tt>/etc/pam.conf</tt> file, the module developer may define all +six of the following functions. For those functions that would not be +called, the module should return <tt/PAM_SERVICE_ERR/ and write an +appropriate message to the system log. When this action is deemed +inappropriate, the function would simply return <tt/PAM_IGNORE/. + +<sect2> Arguments supplied to the module + +<p> +The <tt/flags/ argument of each of the following functions can be +logically OR'd with <tt/PAM_SILENT/, which is used to inform the +module to not pass any <em/text/ (errors or warnings) to the +application. + +<p> +The <tt/argc/ and <tt/argv/ arguments are taken from the line +appropriate to this module---that is, with the <em/service_name/ +matching that of the application---in the configuration file (see the +<bf/Linux-PAM/ System Administrators' Guide). Together these two +parameters provide the number of arguments and an array of pointers to +the individual argument tokens. This will be familiar to C programmers +as the ubiquitous method of passing command arguments to the function +<tt/main()/. Note, however, that the first argument (<tt/argv[0]/) is +a true argument and <bf/not/ the name of the module. + +<sect1> Authentication management + +<p> +To be correctly initialized, <tt/PAM_SM_AUTH/ must be <tt/#define/'d +prior to including <tt><security/pam_modules.h></tt>. This will +ensure that the prototypes for static modules are properly declared. 
+ +<p> +<itemize> + +<item> +<tt>PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, +int argc, const char **argv);</tt> + +<p> +This function performs the task of authenticating the user. + +<p> +The <tt/flags/ argument can be a logically OR'd with <tt/PAM_SILENT/ +and optionally take the following value: + +<p><descrip> +<tag><tt/PAM_DISALLOW_NULL_AUTHTOK/</tag> + return <tt/PAM_AUTH_ERR/ if the database of authentication +tokens for this authentication mechanism has a <tt/NULL/ entry for the +user. Without this flag, such a <tt/NULL/ token will lead to a success +without the user being prompted. +</descrip> + +<p> +Besides <tt/PAM_SUCCESS/ return values that can be sent by this +function are one of the following: + +<descrip> + +<tag><tt/PAM_AUTH_ERR/</tag> + The user was not authenticated +<tag><tt/PAM_CRED_INSUFFICIENT/</tag> + For some reason the application does not have sufficient +credentials to authenticate the user. +<tag><tt/PAM_AUTHINFO_UNAVAIL/</tag> + The modules were not able to access the authentication +information. This might be due to a network or hardware failure etc. +<tag><tt/PAM_USER_UNKNOWN/</tag> + The supplied username is not known to the authentication +service +<tag><tt/PAM_MAXTRIES/</tag> + One or more of the authentication modules has reached its +limit of tries authenticating the user. Do not try again. + +</descrip> + +<item> +<tt>PAM_EXTERN int pam_sm_setcred(pam_handle_t *pamh, int flags, int +argc, const char **argv);</tt> + +<p> +This function performs the task of altering the credentials of the +user with respect to the corresponding authorization +scheme. Generally, an authentication module may have access to more +information about a user than their authentication token. This +function is used to make such information available to the +application. It should only be called <em/after/ the user has been +authenticated but before a session has been established. 
+ +<p> +Permitted flags, one of which, may be logically OR'd with +<tt/PAM_SILENT/ are, + +<p><descrip> +<tag><tt/PAM_ESTABLISH_CRED/</tag> + Set the credentials for the authentication service, +<tag><tt/PAM_DELETE_CRED/</tag> + Delete the credentials associated with the authentication service, +<tag><tt/PAM_REINITIALIZE_CRED/</tag> + Reinitialize the user credentials, and +<tag><tt/PAM_REFRESH_CRED/</tag> + Extend the lifetime of the user credentials. +</descrip> + +<p> +Prior to <bf/Linux-PAM-0.75/, and due to a deficiency with the way the +<tt/auth/ stack was handled in the case of the setcred stack being +processed, the module was required to attempt to return the same error +code as <tt/pam_sm_authenticate/ did. This was necessary to preserve +the logic followed by libpam as it executes the stack of +<em/authentication/ modules, when the application called either +<tt/pam_authenticate()/ or <tt/pam_setcred()/. Failing to do this, +led to confusion on the part of the System Administrator. + +<p> +For <bf/Linux-PAM-0.75/ and later, libpam handles the credential stack +much more sanely. The way the <tt/auth/ stack is navigated in order to +evaluate the <tt/pam_setcred()/ function call, independent of the +<tt/pam_sm_setcred()/ return codes, is exactly the same way that it +was navigated when evaluating the <tt/pam_authenticate()/ library +call. Typically, if a stack entry was ignored in evaluating +<tt/pam_authenticate()/, it will be ignored when libpam evaluates the +<tt/pam_setcred()/ function call. Otherwise, the return codes from +each module specific <tt/pam_sm_setcred()/ call are treated as +<tt/required/. + +<p> +Besides <tt/PAM_SUCCESS/, the module may return one of the following +errors: + +<p><descrip> +<tag><tt/PAM_CRED_UNAVAIL/</tag> + This module cannot retrieve the user's credentials. +<tag><tt/PAM_CRED_EXPIRED/</tag> + The user's credentials have expired. +<tag><tt/PAM_USER_UNKNOWN/</tag> + The user is not known to this authentication module. 
+<tag><tt/PAM_CRED_ERR/</tag> + This module was unable to set the credentials of the user. +</descrip> + +<p> +these, non-<tt/PAM_SUCCESS/, return values will typically lead to the +credential stack <em/failing/. The first such error will dominate in +the return value of <tt/pam_setcred()/. + +</itemize> + +<sect1> Account management + +<p> +To be correctly initialized, <tt/PAM_SM_ACCOUNT/ must be +<tt/#define/'d prior to including <tt><security/pam_modules.h></tt>. +This will ensure that the prototype for a static module is properly +declared. + +<p> +<itemize> + +<item> +<tt>PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int +argc, const char **argv);</tt> + +<p> +This function performs the task of establishing whether the user is +permitted to gain access at this time. It should be understood that +the user has previously been validated by an authentication +module. This function checks for other things. Such things might be: +the time of day or the date, the terminal line, remote +hostname, etc. . + +<p> +This function may also determine things like the expiration on +passwords, and respond that the user change it before continuing. + +<p> +Valid flags, which may be logically OR'd with <tt/PAM_SILENT/, are the +same as those applicable to the <tt/flags/ argument of +<tt/pam_sm_authenticate/. + +<p> +This function may return one of the following errors, + +<descrip> + +<tag><tt/PAM_ACCT_EXPIRED/</tag> + The user is no longer permitted access to the system. +<tag><tt/PAM_AUTH_ERR/</tag> + There was an authentication error. +<tag><tt/PAM_AUTHTOKEN_REQD/</tag> + The user's authentication token has expired. Before calling +this function again the application will arrange for a new one to be +given. This will likely result in a call to <tt/pam_sm_chauthtok()/. +<tag><tt/PAM_USER_UNKNOWN/</tag> + The user is not known to the module's account management +component. 
+ +</descrip> + +</itemize> + +<sect1> Session management + +<p> +To be correctly initialized, <tt/PAM_SM_SESSION/ must be +<tt/#define/'d prior to including +<tt><security/pam_modules.h></tt>. This will ensure that the +prototypes for static modules are properly declared. + +<p> +The following two functions are defined to handle the +initialization/termination of a session. For example, at the beginning +of a session the module may wish to log a message with the system +regarding the user. Similarly, at the end of the session the module +would inform the system that the user's session has ended. + +<p> +It should be possible for sessions to be opened by one application and +closed by another. This either requires that the module uses only +information obtained from <tt/pam_get_item()/, or that information +regarding the session is stored in some way by the operating system +(in a file for example). + +<p> +<itemize> + +<item> +<tt>PAM_EXTERN int pam_sm_open_session(pam_handle_t *pamh, int flags, int +argc, const char **argv);</tt> + +<p> +This function is called to commence a session. The only valid, but +optional, flag is <tt/PAM_SILENT/. + +<p> +As a return value, <tt/PAM_SUCCESS/ signals success and +<tt/PAM_SESSION_ERR/ failure. + +<item> +<tt>PAM_EXTERN int pam_sm_close_session(pam_handle_t *pamh, int flags, int +argc, const char **argv);</tt> + +<p> +This function is called to terminate a session. The only valid, but +optional, flag is <tt/PAM_SILENT/. + +<p> +As a return value, <tt/PAM_SUCCESS/ signals success and +<tt/PAM_SESSION_ERR/ failure. + +</itemize> + +<sect1> Password management + +<p> +To be correctly initialized, <tt/PAM_SM_PASSWORD/ must be +<tt/#define/'d prior to including <tt><security/pam_modules.h></tt>. +This will ensure that the prototype for a static module is properly +declared. 
+ +<p> +<itemize> + +<item> +<tt>PAM_EXTERN int pam_sm_chauthtok(pam_handle_t *pamh, int flags, int +argc, const char **argv);</tt> + +<p> +This function is used to (re-)set the authentication token of the +user. A valid flag, which may be logically OR'd with <tt/PAM_SILENT/, +can be built from the following list, + +<descrip> +<tag><tt/PAM_CHANGE_EXPIRED_AUTHTOK/</tag> + This argument indicates to the module that the users +authentication token (password) should only be changed if it has +expired. This flag is optional and <em/must/ be combined with one of +the following two flags. Note, however, the following two options are +<em/mutually exclusive/. + +<tag><tt/PAM_PRELIM_CHECK/</tag> + This indicates that the modules are being probed as to their +ready status for altering the user's authentication token. If the +module requires access to another system over some network it should +attempt to verify it can connect to this system on receiving this +flag. If a module cannot establish it is ready to update the user's +authentication token it should return <tt/PAM_TRY_AGAIN/, this +information will be passed back to the application. + +<tag><tt/PAM_UPDATE_AUTHTOK/</tag> + This informs the module that this is the call it should change +the authorization tokens. If the flag is logically OR'd with +<tt/PAM_CHANGE_EXPIRED_AUTHTOK/, the token is only changed if it has +actually expired. + +</descrip> + +<p> +Note, the <bf/Linux-PAM/ library calls this function twice in +succession. The first time with <tt/PAM_PRELIM_CHECK/ and then, if the +module does not return <tt/PAM_TRY_AGAIN/, subsequently with +<tt/PAM_UPDATE_AUTHTOK/. It is only on the second call that the +authorization token is (possibly) changed. + +<p> +<tt/PAM_SUCCESS/ is the only successful return value, valid +error-returns are: + +<descrip> +<tag><tt/PAM_AUTHTOK_ERR/</tag> + The module was unable to obtain the new authentication token. 
+ +<tag><tt/PAM_AUTHTOK_RECOVERY_ERR/</tag> + The module was unable to obtain the old authentication token. + +<tag><tt/PAM_AUTHTOK_LOCK_BUSY/</tag> + Cannot change the authentication token since it is currently +locked. + +<tag><tt/PAM_AUTHTOK_DISABLE_AGING/</tag> + Authentication token aging has been disabled. + +<tag><tt/PAM_PERM_DENIED/</tag> + Permission denied. + +<tag><tt/PAM_TRY_AGAIN/</tag> + Preliminary check was unsuccessful. Signals an immediate return +to the application is desired. + +<tag><tt/PAM_USER_UNKNOWN/</tag> + The user is not known to the authentication token changing +service. + +</descrip> + +</itemize> + +<sect>Generic optional arguments + +<p> +Here we list the generic arguments that all modules can expect to +be passed. They are not mandatory, and their absence should be +accepted without comment by the module. + +<p> +<descrip> +<tag><tt/debug/</tag> + +Use the <tt/syslog(3)/ call to log debugging information to the system +log files. + +<tag><tt/no_warn/</tag> + +Instruct module to not give warning messages to the application. + +<tag><tt/use_first_pass/</tag> + +The module should not prompt the user for a password. Instead, it +should obtain the previously typed password (by a call to +<tt/pam_get_item()/ for the <tt/PAM_AUTHTOK/ item), and use that. If +that doesn't work, then the user will not be authenticated. (This +option is intended for <tt/auth/ and <tt/passwd/ modules only). + +<tag><tt/try_first_pass/</tag> + +The module should attempt authentication with the previously typed +password (by a call to <tt/pam_get_item()/ for the <tt/PAM_AUTHTOK/ +item). If that doesn't work, then the user is prompted for a +password. (This option is intended for <tt/auth/ modules only). + +<tag><tt/use_mapped_pass/</tag> + +<bf/WARNING:/ coding this functionality may cause the module writer to +break <em/local/ encryption laws. For example, in the U.S. there are +restrictions on the export computer code that is capable of strong +encryption. 
It has not been established whether this option is +affected by this law, but one might reasonably assume that it does +until told otherwise. For this reason, this option is not supported +by any of the modules distributed with <bf/Linux-PAM/. + +The intended function of this argument, however, is that the module +should take the existing authentication token from a previously +invoked module and use it as a key to retrieve the authentication +token for this module. For example, the module might create a strong +hash of the <tt/PAM_AUTHTOK/ item (established by a previously +executed module). Then, with logical-exclusive-or, use the result as a +<em/key/ to safely store/retrieve the authentication token for this +module in/from a local file <em/etc/. . + +<tag><tt/expose_account/</tag> + +<p> +In general the leakage of some information about user accounts is not +a secure policy for modules to adopt. Sometimes information such as +users names or home directories, or preferred shell, can be used to +attack a user's account. In some circumstances, however, this sort of +information is not deemed a threat: displaying a user's full name when +asking them for a password in a secured environment could also be +called being 'friendly'. The <tt/expose_account/ argument is a +standard module argument to encourage a module to be less discrete +about account information as it is deemed appropriate by the local +administrator. + +</descrip> + +<sect>Programming notes + +<p> +Here we collect some pointers for the module writer to bear in mind +when writing/developing a <bf/Linux-PAM/ compatible module. + +<sect1>Security issues for module creation + +<sect2>Sufficient resources + +<p> +Care should be taken to ensure that the proper execution of a module +is not compromised by a lack of system resources. If a module is +unable to open sufficient files to perform its task, it should fail +gracefully, or request additional resources. 
Specifically, the +quantities manipulated by the <tt/setrlimit(2)/ family of commands +should be taken into consideration. + +<sect2>Who's who? + +<p> +Generally, the module may wish to establish the identity of the user +requesting a service. This may not be the same as the username +returned by <tt/pam_get_user()/. Indeed, that is only going to be the +name of the user under whose identity the service will be given. This +is not necessarily the user that requests the service. + +<p> +In other words, user X runs a program that is setuid-Y, it grants the +user to have the permissions of Z. A specific example of this sort of +service request is the <em/su/ program: user <tt/joe/ executes +<em/su/ to become the user <em/jane/. In this situation X=<tt/joe/, +Y=<tt/root/ and Z=<tt/jane/. Clearly, it is important that the module +does not confuse these different users and grant an inappropriate +level of privilege. + +<p> +The following is the convention to be adhered to when juggling +user-identities. + +<p> +<itemize> +<item>X, the identity of the user invoking the service request. +This is the user identifier; returned by the function <tt/getuid(2)/. + +<item>Y, the privileged identity of the application used to grant the +requested service. This is the <em/effective/ user identifier; +returned by the function <tt/geteuid(2)/. + +<item>Z, the user under whose identity the service will be granted. +This is the username returned by <tt/pam_get_user(2)/ and also stored +in the <bf/Linux-PAM/ item, <tt/PAM_USER/. + +<item><bf/Linux-PAM/ has a place for an additional user identity that +a module may care to make use of. This is the <tt/PAM_RUSER/ item. +Generally, network sensitive modules/applications may wish to set/read +this item to establish the identity of the user requesting a service +from a remote location. 
+ +</itemize> + +<p> +Note, if a module wishes to modify the identity of either the <tt/uid/ +or <tt/euid/ of the running process, it should take care to restore +the original values prior to returning control to the <bf/Linux-PAM/ +library. + +<sect2>Using the conversation function +<p> +Prior to calling the conversation function, the module should reset +the contents of the pointer that will return the applications +response. This is a good idea since the application may fail to fill +the pointer and the module should be in a position to notice! + +<p> +The module should be prepared for a failure from the conversation. The +generic error would be <tt/PAM_CONV_ERR/, but anything other than +<tt/PAM_SUCCESS/ should be treated as indicating failure. + +<sect2>Authentication tokens + +<p> +To ensure that the authentication tokens are not left lying around the +items, <tt/PAM_AUTHTOK/ and <tt/PAM_OLDAUTHTOK/, are not available to +the application: they are defined in +<tt><security/pam_modules.h></tt>. This is ostensibly for +security reasons, but a maliciously programmed application will always +have access to all memory of the process, so it is only superficially +enforced. As a general rule the module should overwrite +authentication tokens as soon as they are no longer needed. +Especially before <tt/free()/'ing them. The <bf/Linux-PAM/ library is +required to do this when either of these authentication token items +are (re)set. + +<p> +Not to dwell too little on this concern; should the module store the +authentication tokens either as (automatic) function variables or +using <tt/pam_[gs]et_data()/ the associated memory should be +over-written explicitly before it is released. In the case of the +latter storage mechanism, the associated <tt/cleanup()/ function +should explicitly overwrite the <tt/*data/ before <tt/free()/'ing it: +for example, + +<tscreen> +<verb> +/* + * An example cleanup() function for releasing memory that was used to + * store a password. 
+ */ + +int cleanup(pam_handle_t *pamh, void *data, int error_status) +{ + char *xx; + + if ((xx = data)) { + while (*xx) + *xx++ = '\0'; + free(data); + } + return PAM_SUCCESS; +} +</verb> +</tscreen> + +<sect1>Use of <tt/syslog(3)/ + +<p> +Only rarely should error information be directed to the user. Usually, +this is to be limited to ``<em/sorry you cannot login now/'' type +messages. Information concerning errors in the configuration file, +<tt>/etc/pam.conf</tt>, or due to some system failure encountered by +the module, should be written to <tt/syslog(3)/ with +<em/facility-type/ <tt/LOG_AUTHPRIV/. + +<p> +With a few exceptions, the level of logging is, at the discretion of +the module developer. Here is the recommended usage of different +logging levels: + +<p> +<itemize> + +<item> |
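Review bot: the cleanup() example in the "Authentication tokens" section does not reliably do what the surrounding text asks of module writers. It scrubs only up to the first NUL byte (`while (*xx) *xx++ = '\0';`), so any bytes of the allocation past that point are left intact, and because the stores are immediately followed by `free(data)`, a compiler is entitled to discard them as dead writes, leaving the token in memory. Since the guide presents this as the pattern to copy, the example should clear the full allocation length through a `volatile` pointer (or an explicit secure-clear routine) so the overwrite survives optimization, and the prose should say why a plain loop before free() is not enough. As a smaller point, the "Who's who?" section cites `pam_get_user(2)`, which is a Linux-PAM library function rather than a system call; the rest of the document writes it as `pam_get_user()`, and the section number should be made consistent with that.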