Initial revision

13 files changed, 984 insertions, 0 deletions

diff --git a/doc/man/pam.8 b/doc/man/pam.8
new file mode 100644
index 00000000..68280737
--- /dev/null
+++ b/doc/man/pam.8
@@ -0,0 +1,279 @@
+.\" Hey Emacs! This file is -*- nroff -*- source.
+.\" $Id$
+.\" Copyright (c) Andrew G. Morgan 1996-7 <morgan@linux.kernel.org>
+.TH PAM 8 "1997 Feb 9" "Linux-PAM 0.56" "Linux-PAM Manual"
+.SH NAME
+
+Linux-PAM \- Pluggable Authentication Modules for Linux
+
+.SH SYNOPSIS
+.B /etc/pam.conf
+.sp 2
+.SH DESCRIPTION
+
+This manual is intended to offer a quick introduction to
+.BR Linux-PAM ". "
+For more information the reader is directed to the
+.BR "Linux-PAM system administrators' guide".
+
+.sp
+.BR Linux-PAM
+Is a system of libraries that handle the authentication tasks of
+applications (services) on the system.  The library provides a stable
+general interface (Application Programming Interface - API) that
+privilege granting programs (such as
+.BR login "(1) "
+and
+.BR su "(1)) "
+defer to to perform standard authentication tasks.
+
+.sp
+The principal feature of the PAM approach is that the nature of the
+authentication is dynamically configurable.  In other words, the
+system administrator is free to choose how individual
+service-providing applications will authenticate users. This dynamic
+configuration is set by the contents of the single
+.BR Linux-PAM
+configuration file
+.BR /etc/pam.conf "."
+Alternatively, the configuration can be set by individual
+configuration files located in the
+.B /etc/pam.d/
+directory.
+.IB "The presence of this directory will cause " Linux-PAM " to ignore"
+.BI /etc/pam.conf "."
+
+.sp
+From the point of view of the system administrator, for whom this
+manual is provided, it is not of primary importance to understand the
+internal behavior of the
+.BR Linux-PAM
+library.  The important point to recognize is that the configuration
+file(s)
+.I define
+the connection between applications
+.BR "" "(" services ")"
+and the pluggable authentication modules
+.BR "" "(" PAM "s)"
+that perform the actual authentication tasks.
+
+.sp
+.BR Linux-PAM
+separates the tasks of
+.I authentication
+into four independent management groups:
+.BR "account" " management; "
+.BR "auth" "entication management; "
+.BR "password" " management; "
+and
+.BR "session" " management."
+(We highlight the abbreviations used for these groups in the
+configuration file.)
+
+.sp
+Simply put, these groups take care of different aspects of a typical
+user's request for a restricted service:
+
+.sp
+.BR account " - "
+provide account verification types of service: has the user's password
+expired?; is this user permitted access to the requested service?
+
+.br
+.BR auth "entication - "
+establish the user is who they claim to be. Typically this is via some
+challenge-response request that the user must satisfy: if you are who
+you claim to be please enter your password.  Not all authentications
+are of this type, there exist hardware based authentication schemes
+(such as the use of smart-cards and biometric devices), with suitable
+modules, these may be substituted seamlessly for more standard
+approaches to authentication - such is the flexibility of
+.BR Linux-PAM "."
+
+.br
+.BR password " - "
+this group's responsibility is the task of updating authentication
+mechanisms. Typically, such services are strongly coupled to those of
+the
+.BR auth
+group. Some authentication mechanisms lend themselves well to being
+updated with such a function. Standard UN*X password-based access is
+the obvious example: please enter a replacement password.
+
+.br
+.BR session " - "
+this group of tasks cover things that should be done prior to a
+service being given and after it is withdrawn. Such tasks include the
+maintenance of audit trails and the mounting of the user's home
+directory. The
+.BR session
+management group is important as it provides both an opening and
+closing hook for modules to affect the services available to a user.
+
+.SH The configuration file(s)
+
+When a
+.BR Linux-PAM
+aware privilege granting application is started, it activates its
+attachment to the PAM-API.  This activation performs a number of
+tasks, the most important being the reading of the configuration file(s):
+.BR /etc/pam.conf "."
+Alternatively, this may be the contents of the
+.BR /etc/pam.d/
+directory.
+
+These files list the
+.BR PAM "s"
+that will do the authentication tasks required by this service, and
+the appropriate behavior of the PAM-API in the event that individual
+.BR PAM "s "
+fail.
+
+.sp
+The syntax of the
+.B /etc/pam.conf
+configuration file is as follows. The file is made
+up of a list of rules, each rule is typically placed on a single line,
+but may be extended with an escaped end of line: `\\<LF>'. Comments
+are preceded with `#' marks and extend to the next end of line.
+
+.sp
+The format of each rule is a space separated collection of tokens, the
+first three being case-insensitive:
+
+.sp
+.br
+.BR "   service  type  control  module-path  module-arguments"
+
+.sp
+The syntax of files contained in the
+.B /etc/pam.d/
+directory, are identical except for the absence of any
+.I service 
+field. In this case, the
+.I service
+is the name of the file in the
+.B /etc/pam.d/
+directory. This filename must be in lower case.
+
+.sp
+An important feature of
+.BR Linux-PAM ", "
+is that a number of rules may be
+.I stacked
+to combine the services of a number of PAMs for a given authentication
+task.
+
+.sp
+The
+.BR service
+is typically the familiar name of the corresponding application:
+.BR login
+and 
+.BR su
+are good examples. The
+.BR service "-name, " other ", "
+is reserved for giving
+.I default
+rules.  Only lines that mention the current service (or in the absence
+of such, the
+.BR other
+entries) will be associated with the given service-application.
+
+.sp
+The
+.BR type
+is the management group that the rule corresponds to. It is used to
+specify which of the management groups the subsequent module is to
+be associated with. Valid entries are:
+.BR account "; "
+.BR auth "; "
+.BR password "; "
+and
+.BR session "."
+The meaning of each of these tokens was explained above.
+
+.sp
+The third field,
+.BR control ", "
+indicates the behavior of the PAM-API should the module fail to
+succeed in its authentication task. Valid
+.BR control
+values are:
+.BR requisite
+- failure of such a PAM results in the immediate termination of the
+authentication process;
+.BR required
+- failure of such a PAM will ultimately lead to the PAM-API returning
+failure but only after the remaining
+.I stacked
+modules (for this
+.BR service
+and
+.BR type ")"
+have been invoked;
+.BR sufficient
+- success of such a module is enough to satisfy the authentication
+requirements of the stack of modules (if a prior
+.BR required
+module has failed the success of this one is
+.IR ignored "); "
+.BR optional
+- the success or failure of this module is only important if it is the
+only module in the stack associated with this
+.BR service "+" type "."
+
+.sp
+.BR module-path
+- this is the full filename of the PAM to be used by the application
+
+.sp
+.BR module-arguments
+- these are a space separated list of tokens that can be used to
+modify the specific behavior of the given PAM. Such arguments will be
+documented for each individual module.
+
+.SH "FILES"
+.BR /etc/pam.conf " - the configuration file"
+.br
+.BR /etc/pam.d/ " - the"
+.BR Linux-PAM
+configuration directory. If this directory is present, the
+.B /etc/pam.conf
+file is ignored.
+.br
+.BR /usr/lib/libpam.so.X " - the dynamic library"
+.br
+.BR /usr/lib/security/*.so " - the PAMs
+
+.sp
+Note, to conform to the Linux File-system standard, the libraries and
+modules in your system may be located in
+.BR /lib " and " /lib/security 
+respectively.
+
+.SH ERRORS
+Typically errors generated by the
+.BR Linux-PAM
+system of libraries, will be written to
+.BR syslog "(3)."
+
+.SH "CONFORMING TO"
+DCE-RFC 86.0, October 1995.
+.br
+Contains additional features, currently under consideration by the
+DCE-RFC committee.
+
+.SH BUGS
+.sp 2
+None known.
+
+.SH "SEE ALSO"
+
+The three
+.BR Linux-PAM
+Guides, for
+.BR "System administrators" ", "
+.BR "module developers" ", "
+and
+.BR "application developers" ". "
diff --git a/doc/man/pam.conf.8 b/doc/man/pam.conf.8
new file mode 100644
index 00000000..ea2dd98b
--- /dev/null
+++ b/doc/man/pam.conf.8
@@ -0,0 +1 @@
+.so man8/pam.8
diff --git a/doc/man/pam.d.8 b/doc/man/pam.d.8
new file mode 100644
index 00000000..ea2dd98b
--- /dev/null
+++ b/doc/man/pam.d.8
@@ -0,0 +1 @@
+.so man8/pam.8
diff --git a/doc/man/pam_authenticate.3 b/doc/man/pam_authenticate.3
new file mode 100644
index 00000000..ba1bc52e
--- /dev/null
+++ b/doc/man/pam_authenticate.3
@@ -0,0 +1,91 @@
+.\" Hey Emacs! This file is -*- nroff -*- source.
+.\" $Id$
+.\" Copyright (c) Andrew G. Morgan 1996-7 <morgan@parc.power.net>
+.TH PAM_AUTHENTICATE 3 "1996 Dec 9" "Linux-PAM 0.55" "App. Programmers' Manual"
+.SH NAME
+
+pam_authenticate \- authenticate a user
+
+.SH SYNOPSIS
+.B #include <security/pam_appl.h>
+.sp
+.BI "int pam_authenticate(pam_handle_t " *pamh ", int  " flags ");"
+.sp 2
+.SH DESCRIPTION
+.B pam_authenticate
+
+.br
+Use this function to authenticate an applicant user.  It is linked
+.I dynamically
+to the authentication modules by
+.BR Linux-PAM ". "
+It is the task of these module to perform such an authentication.  The
+specific nature of the authentication is not the concern of the
+application.
+
+.br
+Following successful completion, the
+.BR name
+of the authenticated user will be present in the
+.BR Linux-PAM
+item
+.BR PAM_USER ". "
+This item may be recovered with a call to
+.BR pam_get_item "(3)."
+
+.br
+The application developer should note that the modules may request
+that the user enter their username via the conversation mechanism (see
+.BR pam_start "(3))."
+Should this be the case, the user-prompt string can be set via
+the
+.BR PAM_USER_PROMPT
+item (see
+.BR pam_set_item "(3))."
+
+.SH "RETURN VALUE"
+On success
+.BR PAM_SUCCESS
+is returned.  All other returns should be considered
+authentication failures and will be
+.I delayed
+by an amount specified with prior calls to
+.BR pam_fail_delay "(3). "
+Specific failures that demand special attention are the following:
+.TP
+.B PAM_ABORT
+the application should exit immediately. Of course,
+.BR pam_end "(3)"
+should be called first.
+
+.TP
+.B PAM_MAXTRIES
+the application has tried too many times to authenticate the
+user, authentication should not be attempted again.
+
+.SH ERRORS
+May be translated to text with
+.BR pam_strerror "(3). "
+
+.SH "CONFORMING TO"
+DCE-RFC 86.0, October 1995.
+
+.SH BUGS
+.sp 2
+none known.
+
+.SH "SEE ALSO"
+
+.BR pam_start "(3), "
+.BR pam_get_item "(3) "
+.BR pam_fail_delay "(3) "
+and
+.BR pam_strerror "(3). "
+
+Also, see the three
+.BR Linux-PAM
+Guides, for
+.BR "System administrators" ", "
+.BR "module developers" ", "
+and
+.BR "application developers" ". "
diff --git a/doc/man/pam_chauthtok.3 b/doc/man/pam_chauthtok.3
new file mode 100644
index 00000000..63904da3
--- /dev/null
+++ b/doc/man/pam_chauthtok.3
@@ -0,0 +1,101 @@
+.\" Hey Emacs! This file is -*- nroff -*- source.
+.\" $Id$
+.\" Copyright (c) Andrew G. Morgan 1997 <morgan@parc.power.net>
+.TH PAM_CHAUTHTOK 3 "1997 Jan 4" "Linux-PAM 0.55" "App. Programmers' Manual"
+.SH NAME
+
+pam_chauthtok \- updating authentication tokens
+
+.SH SYNOPSIS
+.B #include <security/pam_appl.h>
+.sp
+.BI "int pam_chauthtok(pam_handle_t " *pamh ", int  " flags ");"
+.sp 2
+.SH DESCRIPTION
+.B pam_chauthtok
+
+.br
+Use this function to rejuvenate the authentication tokens (passwords
+etc.) of an applicant user.
+
+.br
+Note, the application should not pre-authenticate the user, as this is
+performed (if required) by the
+.BR Linux-PAM
+framework.
+
+.br
+The
+.I flags
+argument can
+.I optionally
+take the value,
+.BR PAM_CHANGE_EXPIRED_AUTHTOK "."
+In such cases the framework is only required to update those
+authentication tokens that have expired. Without this argument, the
+framework will attempt to obtain new tokens for all configured
+authentication mechanisms. The details of the types and number of such
+schemes should not concern the calling application.
+
+.SH RETURN VALUE
+A successful return from this function will be indicated with
+.BR PAM_SUCCESS "."
+
+.br
+Specific errors of special interest when calling this function are
+
+.br
+.BR PAM_AUTHTOK_ERROR
+- a valid new token was not obtained
+
+.br
+.BR PAM_AUTHTOK_RECOVERY_ERR
+- old authentication token was not available
+
+.br
+.BR PAM_AUTHTOK_LOCK_BUSY
+- a resource needed to update the token was locked (try again later)
+
+.br
+.BR PAM_AUTHTOK_DISABLE_AGING
+- one or more of the authentication modules does not honor
+authentication token aging
+
+.br
+.BR PAM_TRY_AGAIN
+- one or more authentication mechanism is not prepared to update a
+token at this time
+
+.br
+In general other return values may be returned. They should be treated
+as indicating failure.
+
+.SH ERRORS
+May be translated to text with
+.BR pam_strerror "(3). "
+
+.SH "CONFORMING TO"
+DCE-RFC 86.0, October 1995.
+
+.SH BUGS
+.sp 2
+none known.
+
+.SH "SEE ALSO"
+
+.BR pam_start "(3), "
+.BR pam_authenticate "(3), "
+.BR pam_setcred "(3), "
+.BR pam_get_item "(3), "
+.BR pam_strerror "(3) "
+and
+.BR pam "(8)."
+
+.br
+Also, see the three
+.BR Linux-PAM
+Guides, for
+.BR "System administrators" ", "
+.BR "module developers" ", "
+and
+.BR "application developers" ". "
diff --git a/doc/man/pam_close_session.3 b/doc/man/pam_close_session.3
new file mode 100644
index 00000000..c809a0e4
--- /dev/null
+++ b/doc/man/pam_close_session.3
@@ -0,0 +1 @@
+.so man3/pam_open_session.3
diff --git a/doc/man/pam_end.3 b/doc/man/pam_end.3
new file mode 100644
index 00000000..06fdabb9
--- /dev/null
+++ b/doc/man/pam_end.3
@@ -0,0 +1 @@
+.so man3/pam_start.3
diff --git a/doc/man/pam_fail_delay.3 b/doc/man/pam_fail_delay.3
new file mode 100644
index 00000000..f6cd238a
--- /dev/null
+++ b/doc/man/pam_fail_delay.3
@@ -0,0 +1,130 @@
+.\" Hey Emacs! This file is -*- nroff -*- source.
+.\" $Id$
+.\" Copyright (c) Andrew G. Morgan 1997 <morgan@parc.power.net>
+.TH PAM_FAIL_DELAY 3 "1997 Jan 12" "Linux-PAM 0.56" "Programmers' Manual"
+.SH NAME
+
+pam_fail_delay \- request a delay on failure
+
+.SH SYNOPSIS
+.B #include <security/pam_appl.h>
+.br
+or,
+.br
+.B #include <security/pam_modules.h>
+.sp
+.BI "int pam_fail_delay(pam_handle_t " "*pamh" ", unsigned int " "usec" ");"
+.sp 2
+.SH DESCRIPTION
+.br
+It is often possible to attack an authentication scheme by exploiting
+the time it takes the scheme to deny access to an applicant user.  In
+cases of
+.I short
+timeouts, it may prove possible to attempt a
+.I brute force
+dictionary attack -- with an automated process, the attacker tries all
+possible passwords to gain access to the system.  In other cases,
+where individual failures can take measurable amounts of time
+(indicating the nature of the failure), an attacker can obtain useful
+information about the authentication process.  These latter attacks
+make use of procedural delays that constitute a
+.I covert channel
+of useful information.
+
+.br
+To minimize the effectiveness of such attacks, it is desirable to
+introduce a random delay in a failed authentication process.
+.B Linux-PAM
+provides such a facility.  The delay occurs upon failure of the
+.BR pam_authenticate "(3) "
+and
+.BR pam_chauthtok "(3) "
+functions.  It occurs
+.I after
+all authentication modules have been called, but
+.I before
+control is returned to the service application.
+
+.br
+The function,
+.BR pam_fail_delay "(3),"
+is used to specify a required minimum for the length of the
+failure-delay; the
+.I usec
+argument.  This function can be called by the service application
+and/or the authentication modules, both may have an interest in
+delaying a reapplication for service by the user.  The length of the
+delay is computed at the time it is required.  Its length is
+pseudo-gausianly distributed about the
+.I maximum
+requested value; the resultant delay will differ by as much as 25% of
+this maximum requested value (both up and down).
+
+.br
+On return from
+.BR pam_authenticate "(3) or " pam_chauthtok "(3),"
+independent of success or failure, the new requested delay is reset to
+its default value: zero.
+
+.SH EXAMPLE
+.br
+For example, a
+.B login
+application may require a failure delay of roughly 3 seconds. It will
+contain the following code:
+.sp
+.br
+.B "     pam_fail_delay(pamh, 3000000 /* micro-seconds */ );"
+.br
+.B "     pam_authenticate(pamh, 0);"
+.sp
+.br
+if the modules do not request a delay, the failure delay will be
+between 2.25 and 3.75 seconds.
+
+.br
+However, the modules, invoked in the authentication process, may
+also request delays:
+.sp
+.br
+.RB "  (module #1)   " "pam_fail_delay(pamh, 2000000);"
+.sp
+.br
+.RB "  (module #2)   " "pam_fail_delay(pamh, 4000000);"
+.sp
+.br
+in this case, it is the largest requested value that is used to
+compute the actual failed delay: here between 3 and 5 seconds.
+
+.SH "RETURN VALUE"
+Following a successful call to
+.BR pam_fail_delay "(3), " PAM_SUCCESS
+is returned.  All other returns should be considered serious failures.
+
+.SH ERRORS
+May be translated to text with
+.BR pam_strerror "(3). "
+
+.SH "CONFORMING TO"
+Under consideration by the X/Open group for future inclusion in the
+PAM RFC. 1996/1/10
+
+.SH BUGS
+.sp 2
+none known.
+
+.SH "SEE ALSO"
+
+.BR pam_start "(3), "
+.BR pam_get_item "(3) "
+and
+.BR pam_strerror "(3). "
+
+Also, see the three
+.BR Linux-PAM
+Guides, for
+.BR "System administrators" ", "
+.BR "module developers" ", "
+and
+.BR "application developers" ". "
diff --git a/doc/man/pam_open_session.3 b/doc/man/pam_open_session.3
new file mode 100644
index 00000000..4e63b5c4
--- /dev/null
+++ b/doc/man/pam_open_session.3
@@ -0,0 +1,99 @@
+.\" Hey Emacs! This file is -*- nroff -*- source.
+.\" $Id$
+.\" Copyright (c) Andrew G. Morgan 1997 <morgan@parc.power.net>
+.TH PAM_OPEN_SESSION 3 "1997 Jan 4" "Linux-PAM 0.55" "App. Programmers' Manual"
+.SH NAME
+
+pam_open/close_session \- PAM session management
+
+.SH SYNOPSIS
+.B #include <security/pam_appl.h>
+.sp
+.BI "int pam_open_session(pam_handle_t " *pamh ", int  " flags ");"
+.sp
+.BI "int pam_close_session(pam_handle_t " *pamh ", int  " flags ");"
+.sp 2
+.SH DESCRIPTION
+
+PAM provides management-hooks for the initialization and termination
+of a session. 
+
+.TP
+.B pam_open_session
+.br
+Use this function to signal that an authenticated user session has
+begun. It should be called only after the user is properly identified
+and (where necessary) has been granted their credentials with
+.BR pam_authenticate "(3)"
+and
+.BR pam_setcred "(3)"
+respectively.
+
+.br
+Some types of functions associated with session
+initialization are logging for the purposes of system-audit and
+mounting directories (the user's home directory for example). These
+should not concern the application. It should be noted that the
+.I effective
+uid,
+.BR geteuid "(2),"
+of the application should be of sufficient privilege to perform such
+tasks.
+
+.TP
+.B pam_close_session
+.br
+Use this function to signal that a user session has
+terminated. In general this function may not need to be located in the
+same application as the initialization function,
+.BR pam_open_session "."
+
+.br
+Typically, this function will undo the actions of
+.BR pam_open_session "."
+That is, log audit information concerning the end of the user session
+or unmount the user's home directory. Apart from having sufficient
+privilege the details of the session termination should not concern
+the calling application. It is good programming practice, however, to
+cease acting on behalf of the user on returning from this call.
+
+.SH RETURN VALUE
+A successful return from the session management functions will be
+indicated with
+.BR PAM_SUCCESS "."
+
+.br
+The specific error indicating a failure to open or close a session is
+.BR PAM_SESSION_ERR "."
+In general other return values may be returned. They should be treated
+as indicating failure.
+
+.SH ERRORS
+May be translated to text with
+.BR pam_strerror "(3). "
+
+.SH "CONFORMING TO"
+OSF-RFC 86.0, October 1995.
+
+.SH BUGS
+.sp 2
+none known.
+
+.SH "SEE ALSO"
+
+.BR pam_start "(3), "
+.BR pam_authenticate "(3), "
+.BR pam_setcred "(3), "
+.BR pam_get_item "(3), "
+.BR pam_strerror "(3) "
+and
+.BR pam "(3)."
+
+.br
+Also, see the three
+.BR Linux-PAM
+Guides, for
+.BR "System administrators" ", "
+.BR "module developers" ", "
+and
+.BR "application developers" ". "
diff --git a/doc/man/pam_setcred.3 b/doc/man/pam_setcred.3
new file mode 100644
index 00000000..8c00fe71
--- /dev/null
+++ b/doc/man/pam_setcred.3
@@ -0,0 +1,79 @@
+.\" Hey Emacs! This file is -*- nroff -*- source.
+.\" $Id$
+.\" Copyright (c) Andrew G. Morgan 1996,1997 <morgan@parc.power.net>
+.TH PAM_SETCRED 3 "1997 July 6" "Linux-PAM 0.58" "App. Programmers' Manual"
+.SH NAME
+
+pam_setcred \- set the credentials for the user
+
+.SH SYNOPSIS
+.B #include <security/pam_appl.h>
+.sp
+.BI "int pam_setcred(pam_handle_t " *pamh ", int  " flags ");"
+.sp 2
+.SH DESCRIPTION
+.B pam_setcred
+
+This function is used to establish, maintain and delete the
+credentials of a user. It should be called after a user has been
+authenticated and before a session is opened for the user (with
+.BR pam_open_session "(3))."
+
+It should be noted that credentials come in many forms. Examples
+include: group memberships; ticket-files; and Linux-PAM environment
+variables.  For this reason, it is important that the basic identity
+of the user is established, by the application, prior to a call to
+this function.  For example, the default
+.BR Linux-PAM
+environment variables should be set and also
+.BR initgroups "(2) "
+(or equivalent) should have been performed.
+
+.SH "VALID FLAGS"
+.TP
+.BR PAM_ESTABLISH_CRED
+initialize the credentials for the user.
+
+.TP
+.BR PAM_DELETE_CRED
+delete the user's credentials.
+
+.TP
+.BR PAM_REINITIALIZE_CRED
+delete and then initialize the user's credentials.
+
+.TP
+.BR PAM_REFRESH_CRED
+extend the lifetime of the existing credentials.
+
+.SH "RETURN VALUE"
+
+On success
+.BR PAM_SUCCESS
+is returned, all other return values should be treated as errors.
+
+.SH ERRORS
+May be translated to text with
+.BR pam_strerror "(3). "
+
+.SH "CONFORMING TO"
+DCE-RFC 86.0, October 1995.
+
+.SH BUGS
+.sp 2
+none known.
+
+.SH "SEE ALSO"
+
+.BR pam_authenticate "(3), "
+.BR pam_strerror "(3)"
+and
+.BR pam_open_session "(3). "
+
+Also, see the three
+.BR Linux-PAM
+Guides, for
+.BR "System administrators" ", "
+.BR "module developers" ", "
+and
+.BR "application developers" ". "
diff --git a/doc/man/pam_start.3 b/doc/man/pam_start.3
new file mode 100644
index 00000000..9c11fd73
--- /dev/null
+++ b/doc/man/pam_start.3
@@ -0,0 +1,98 @@
+.\" Hey Emacs! This file is -*- nroff -*- source.
+.\" $Id$
+.\" Copyright (c) Andrew G. Morgan 1996-7 <morgan@parc.power.net>
+.TH PAM_START 3 "1997 Feb 15" "Linux-PAM 0.56" "Application Programmers' Manual"
+.SH NAME
+
+pam_start, pam_end \- activating Linux-PAM
+
+.SH SYNOPSIS
+.B #include <security/pam_appl.h>
+.sp
+.BI "int pam_start(const char " *service ", const char " *user ", const struct pam_conv " *conv ", pam_handle_t " **pamh_p ");"
+.sp
+.BI "int pam_end(pam_handle_t " *pamh ", int " pam_status ");"
+.sp 2
+.SH DESCRIPTION
+.TP
+.B pam_start
+Initialize the
+.I Linux-PAM
+library.  Identifying the application with a particular
+.IR service
+name.  The
+.IR user "name"
+can take the value
+.IR NULL ", "
+if not known at the time the interface is initialized.  The
+conversation structure is passed to the library via the
+.IR conv
+argument.  (For a complete description of this and other structures
+the reader is directed to the more verbose
+.IR Linux-PAM
+application developers' guide).  Upon successful initialization, an
+opaque pointer-handle for future access to the library is returned
+through the contents of the
+.IR pamh_p
+pointer.
+
+.TP
+.B pam_end
+Terminate the
+.B Linux-PAM
+library.  The service application associated with the
+.IR pamh
+handle, is terminated.  The argument,
+.IR pam_status ", "
+passes the value most recently returned to the application from the
+library; it indicates the manner in which the library should be
+shutdown.  Besides carrying a return value, this argument may be
+logically OR'd with
+.IR PAM_DATA_SILENT
+to indicate that the module should not treat the call too
+seriously. It is generally used to indicate that the current closing
+of the library is in a
+.IR fork "(2)ed"
+process, and that the parent will take care of cleaning up things that
+exist outside of the current process space (files etc.).
+
+.SH "RETURN VALUE"
+.TP
+.B pam_start
+.TP
+.B pam_end
+On success,
+.BR PAM_SUCCESS
+is returned
+
+.SH ERRORS
+May be translated to text with
+.BR pam_strerror "(3). "
+
+.SH "CONFORMING TO"
+DCE-RFC 86.0, October 1995.
+.sp
+Note, the 
+.BR PAM_DATA_SILENT
+flag is pending acceptance with the DCE (as of 1996/12/4).
+
+.SH BUGS
+.sp 2
+None known.
+
+.SH "SEE ALSO"
+
+.BR fork "(2), "
+.BR pam_authenticate "(3), "
+.BR pam_acct_mgmt "(3), "
+.BR pam_open_session "(3), "
+and
+.BR pam_chauthtok "(3)."
+
+Also, see the three
+.BR Linux-PAM
+Guides, for
+.BR "System administrators" ", "
+.BR "module developers" ", "
+and
+.BR "application developers" ". "
diff --git a/doc/man/pam_strerror.3 b/doc/man/pam_strerror.3
new file mode 100644
index 00000000..01ee0635
--- /dev/null
+++ b/doc/man/pam_strerror.3
@@ -0,0 +1,51 @@
+.\" Hey Emacs! This file is -*- nroff -*- source.
+.\" ripped off from Rick Faith's getgroups man page
+.\" $Id$
+.\" Copyright (c) Andrew G. Morgan 1996-7 <morgan@linux.kernel.org>
+.TH PAM_STRERROR 3 "1999 Oct 4" "Linux-PAM 0.70" "Programmers' Manual"
+.SH NAME
+
+pam_strerror \- return a textual description of a Linux-PAM error
+
+.SH SYNOPSIS
+.B #include <security/pam_appl.h>
+.br
+or,
+.br
+.B #include <security/pam_modules.h>
+.sp
+.BI "const char * pam_strerror( pam_handle_t " "*pamh" ", int " pam_error ");"
+.sp 2
+.SH DESCRIPTION
+.B pam_strerror
+
+This function returns some text describing the
+.BR Linux-PAM
+error associated with the
+.B pam_error
+argument.
+
+.SH "RETURN VALUE"
+
+On success this function returns a description of the indicated
+error.  Should the function not recognize the error, ``Unknown
+Linux-PAM error'' is returned.
+
+.SH "CONFORMING TO"
+DCE-RFC 86.0, October 1995.
+
+.SH BUGS
+.sp 2
+This function should be internationalized.
+
+.SH "SEE ALSO"
+
+.BR pam "(8). "
+
+Also, see the three
+.BR Linux-PAM
+Guides, for
+.BR "System administrators" ", "
+.BR "module developers" ", "
+and
+.BR "application developers" ". "
diff --git a/doc/man/template-man b/doc/man/template-man
new file mode 100644
index 00000000..b8159eb6
--- /dev/null
+++ b/doc/man/template-man
@@ -0,0 +1,52 @@
+.\" Hey Emacs! This file is -*- nroff -*- source.
+.\" $Id$
+.\" Copyright (c) Andrew G. Morgan 1997 <morgan@parc.power.net>
+.TH PAM_???? 2 "1997 Jan 4" "Linux-PAM 0.55" "Application Programmers' Manual"
+.SH NAME
+
+function names \- brief summary of function
+
+.SH SYNOPSIS
+.B #include <security/pam_????.h>
+.sp
+.BI "int pam_???(pam_handle_t " pamh ", int  " flags);
+.sp 2
+.SH DESCRIPTION
+.TP
+.B pam_???
+Here goes the
+.I explanation
+it may be quite
+.IR long .
+.TP
+.SH "RETURN VALUE"
+.B pam_???
+On success...
+.BR PAM_SUCCESS
+is returned
+.TP
+.SH ERRORS
+May be translated to text with
+.BR pam_strerror "(2). "
+
+.SH "CONFORMING TO"
+.B pam_???
+DCE-RFC 86.0, October 1995.
+
+.SH BUGS
+.sp 2
+none known.
+
+.SH "SEE ALSO"
+
+.BR pam_??? "(2), "
+and
+.BR pam_??? "(2). "
+
+Also, see the three
+.BR Linux-PAM
+Guides, for
+.BR "System administrators" ", "
+.BR "module developers" ", "
+and
+.BR "application developers" ". "