author Thorsten Kukuk <kukuk@thkukuk.de> 2006-02-10 18:33:54 +0000
committer Thorsten Kukuk <kukuk@thkukuk.de> 2006-02-10 18:33:54 +0000
commit 2c388144eb7c68aa31c20c00f6c054c219bf72a2 (patch)
tree 0469cc1f27d1696ba062a670ea4f4b625e7e4052 /doc
parent 486d687f4c63d5712a850807952383e785e387ba (diff)
Relevant BUGIDs:
Purpose of commit:

Commit summary:
---------------
Remove pam_pwdb and all references to it.

2006-02-10 Thorsten Kukuk <kukuk@thkukuk.de>

* configure.in: Remove pam_pwdb support.
* modules/Makefile.am: remove pam_pwdb.
* modules/pam_pwdb: Remove complete directory.
* libpam/Makefile.am: Remove LIBPWDB references.
* libpam/pam_static_modules.h: Remove pam_pwdb references.
* doc/modules/pam_pwdb.sgml: Removed.
* po/POTFILES.in: Remove modules/pam_pwdb/*.c entries.
* doc/pam_source.sgml: Remove references to libpwdb.
* doc/modules/pam_limits.sgml: Remove wrong reference to libpwdb.
* doc/modules/pam_group.sgml: Likewise.
* doc/modules/pam_cracklib.sgml: Replace pam_pwdb with pam_unix.
* doc/modules/pam_userdb.sgml: Likewise.
* modules/pam_cracklib/pam_cracklib.8.xml: Replace pam_pwdb with pam_unix.
* modules/pam_mkhomedir/pam_mkhomedir.c: Likewise.
* modules/pam_group/pam_group.c: Remove dead code for libpwdb.
Diffstat (limited to 'doc')
-rw-r--r-- doc/modules/pam_cracklib.sgml 12
-rw-r--r-- doc/modules/pam_group.sgml 3
-rw-r--r-- doc/modules/pam_limits.sgml 2
-rw-r--r-- doc/modules/pam_pwdb.sgml 257
-rw-r--r-- doc/modules/pam_userdb.sgml 8
-rw-r--r-- doc/pam_source.sgml 14
6 files changed, 12 insertions, 284 deletions
diff --git a/doc/modules/pam_cracklib.sgml b/doc/modules/pam_cracklib.sgml
index 008e49f6..2cbfca45 100644
--- a/doc/modules/pam_cracklib.sgml
+++ b/doc/modules/pam_cracklib.sgml
@@ -231,18 +231,18 @@ for a new password but use the one provided by the previously stacked
<p>
For an example of the use of this module, we show how it may be
-stacked with the password component of <tt/pam_pwdb/:
+stacked with the password component of <tt/pam_unix/:
<tscreen>
<verb>
#
# These lines stack two password type modules. In this example the
# user is given 3 opportunities to enter a strong password. The
-# "use_authtok" argument ensures that the pam_pwdb module does not
+# "use_authtok" argument ensures that the pam_unix module does not
# prompt for a password, but instead uses the one provided by
# pam_cracklib.
#
passwd password required pam_cracklib.so retry=3
-passwd password required pam_pwdb.so use_authtok
+passwd password required pam_unix.so use_authtok
</verb>
</tscreen>
@@ -260,7 +260,7 @@ case that you want to use md5 password encryption:
#
password required pam_cracklib.so \
difok=3 minlen=15 dcredit= 2 ocredit=2
-password required pam_pwdb.so use_authtok nullok md5
+password required pam_unix.so use_authtok nullok md5
</verb>
</tscreen>
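Review bot: In the unchanged pam_cracklib.so line of this example, "dcredit= 2" has a space after the "=", so the line is split into the two arguments "dcredit=" and "2" instead of "dcredit=2". Since the example is being edited anyway, suggest correcting that line to "difok=3 minlen=15 dcredit=2 ocredit=2" in the same change.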
@@ -276,7 +276,7 @@ And here is another example in case you don't want to use credits:
#
password required pam_cracklib.so \
dcredit=-1 ucredit=-1 ocredit=-1 lcredit=0 minlen=8
-password required pam_pwdb.so use_authtok nullok md5
+password required pam_unix.so use_authtok nullok md5
</verb>
</tscreen>
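Review bot: The replacement line keeps "nullok md5" verbatim from the pam_pwdb example, here and in the two neighbouring examples, while the text in this diff that explains those arguments sits in doc/modules/pam_pwdb.sgml, which this commit deletes. Suggest confirming that the pam_unix password component documents both arguments, and stating in the example's comment why nullok is wanted, since these examples exist to enforce character classes and a minimum length.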
@@ -293,7 +293,7 @@ length of 8:
#
password required pam_cracklib.so \
dcredit=0 ucredit=0 ocredit=0 lcredit=0 minlen=8
-password required pam_pwdb.so use_authtok nullok md5
+password required pam_unix.so use_authtok nullok md5
</verb>
</tscreen>
diff --git a/doc/modules/pam_group.sgml b/doc/modules/pam_group.sgml
index 0d8550d4..c40477c8 100644
--- a/doc/modules/pam_group.sgml
+++ b/doc/modules/pam_group.sgml
@@ -31,8 +31,7 @@ Sensitive to <em/setgid/ status of file-systems accessible to users.
<tag><bf>Clean code base:</bf></tag>
<tag><bf>System dependencies:</bf></tag>
-Requires an <tt>/etc/security/group.conf</tt> file. Can be compiled
-with or without <tt/libpwdb/.
+Requires an <tt>/etc/security/group.conf</tt> file.
<tag><bf>Network aware:</bf></tag>
Only through correctly set <tt/PAM_TTY/ item.
diff --git a/doc/modules/pam_limits.sgml b/doc/modules/pam_limits.sgml
index 44f057c4..3678376a 100644
--- a/doc/modules/pam_limits.sgml
+++ b/doc/modules/pam_limits.sgml
@@ -34,7 +34,7 @@ session
<tag><bf>System dependencies:</bf></tag>
requires an <tt>/etc/security/limits.conf</tt> file and kernel support
-for resource limits. Also uses the library, <tt/libpwdb/.
+for resource limits.
<tag><bf>Network aware:</bf></tag>
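Review bot: After the edit, the System dependencies entry still begins with a lower-case "requires", whereas the pam_group.sgml entry changed in this same commit reads "Requires an ... file." Suggest capitalising it while the sentence is being touched so the two module pages match.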
diff --git a/doc/modules/pam_pwdb.sgml b/doc/modules/pam_pwdb.sgml
deleted file mode 100644
index 51f4f86d..00000000
--- a/doc/modules/pam_pwdb.sgml
+++ /dev/null
@@ -1,257 +0,0 @@
-<!--
- $Id$
-
- This file was written by Andrew G. Morgan <morgan@kernel.org>
--->
-
-<sect1>The Password-Database module
-
-<sect2>Synopsis
-
-<p>
-<descrip>
-
-<tag><bf>Module Name:</bf></tag>
-pam_pwdb
-
-<tag><bf>Author:</bf></tag>
-Cristian Gafton &lt;gafton@redhat.com&gt; <newline>
-and Andrew G. Morgan &lt;morgan@kernel.org&gt;
-
-<tag><bf>Maintainer:</bf></tag>
-Red Hat.
-
-<tag><bf>Management groups provided:</bf></tag>
-account; authentication; password; session
-
-<tag><bf>Cryptographically sensitive:</bf></tag>
-
-<tag><bf>Security rating:</bf></tag>
-
-<tag><bf>Clean code base:</bf></tag>
-
-<tag><bf>System dependencies:</bf></tag>
-Requires properly configured <tt/libpwdb/
-
-<tag><bf>Network aware:</bf></tag>
-
-</descrip>
-
-<sect2>Overview of module
-
-<p>
-This module is a pluggable replacement for the <tt/pam_unix_../
-modules. It uses the generic interface of the <em/Password Database/
-library <tt>libpwdb</tt>.
-
-<sect2>Account component
-
-<p>
-<descrip>
-
-<tag><bf>Recognized arguments:</bf></tag>
-<tt/debug/
-
-<tag><bf>Description:</bf></tag>
-
-The <tt/debug/ argument makes the accounting functions of this module
-<tt/syslog(3)/ more information on its actions. (Remaining arguments
-supported by the other functions of this module are silently ignored,
-but others are logged as errors through <tt/syslog(3)/).
-
-Based on the following <tt/pwdb_element/s:
-<tt/expire/;
-<tt/last_change/;
-<tt/max_change/;
-<tt/defer_change/;
-<tt/warn_change/,
-this module performs the task of establishing the status of the user's
-account and password. In the case of the latter, it may offer advice
-to the user on changing their password or, through the
-<tt/PAM_AUTHTOKEN_REQD/ return, delay giving service to the user until
-they have established a new password. The entries listed above are
-documented in the <em/Password Database Library Guide/ (see pointer
-above). Should the user's record not contain one or more of these
-entries, the corresponding <em/shadow/ check is not performed.
-
-<tag><bf>Examples/suggested usage:</bf></tag>
-
-In its accounting mode, this module can be inserted as follows:
-<tscreen>
-<verb>
-#
-# Ensure users account and password are still active
-#
-login account required pam_pwdb.so
-</verb>
-</tscreen>
-
-</descrip>
-
-<sect2>Authentication component
-
-<p>
-<descrip>
-
-<tag><bf>Recognized arguments:</bf></tag>
-<tt/debug/;
-<tt/use_first_pass/;
-<tt/try_first_pass/;
-<tt/nullok/;
-<tt/nodelay/;
-<tt/likeauth/;
-<tt/noreap/
-
-<tag><bf>Description:</bf></tag>
-
-The <tt/debug/ argument makes the authentication functions of this
-module <tt/syslog(3)/ more information on its actions.
-
-<p>
-The default action of this module is to not permit the user access to
-a service if their <em/official/ password is blank. The <tt/nullok/
-argument overrides this default.
-
-<p>
-When given the argument <tt/try_first_pass/, before prompting the user
-for their password, the module first tries the previous stacked
-<tt/auth/-module's password in case that satisfies this module as
-well. The argument <tt/use_first_pass/ forces the module to use such a
-recalled password and will never prompt the user - if no password is
-available or the password is not appropriate, the user will be denied
-access.
-
-<p>
-The argument, <tt>nodelay</tt>, can be used to discourage the
-authentication component from requesting a delay should the
-authentication as a whole fail. The default action is for the module
-to request a delay-on-failure of the order of one second.
-
-<p>
-Remaining arguments, supported by the other functions of this module,
-are silently ignored. Other arguments are logged as errors through
-<tt/syslog(3)/.
-
-<p>
-A helper binary, <tt>pwdb_chkpwd</tt>, is provided to check the user's
-password when it is stored in a read protected database. This binary
-is very simple and will only check the password of the user invoking
-it. It is called transparently on behalf of the user by the
-authenticating component of this module. In this way it is possible
-for applications like <em>xlock</em> to work without being
-setuid-root. The module, by default, will temporarily turn off
-<tt/SIGCHLD/ handling for the duration of execution of the helper
-binary. This is generally the right thing to do, as many applications
-are not prepared to handle this signal from a child they didn't know
-was <tt/fork()/d. The <tt/noreap/ module argument can be used to
-suppress this temporary shielding and may be needed for use with
-certain applications.
-
-<p>
-The <tt>likeauth</tt> argument makes the module return the same value
-when called as a credential setting module and an authentication
-module. This will help libpam take a sane path through the auth
-component of your configuration file.
-
-<tag><bf>Examples/suggested usage:</bf></tag>
-
-The correct functionality of this module is dictated by having an
-appropriate <tt>/etc/pwdb.conf</tt> file, the user
-databases specified there dictate the source of the authenticated
-user's record.
-
-</descrip>
-
-<sect2>Password component
-
-<p>
-<descrip>
-
-<tag><bf>Recognized arguments:</bf></tag>
-<tt/debug/; <tt/nullok/; <tt/not_set_pass/; <tt/use_authtok/;
-<tt/try_first_pass/; <tt/use_first_pass/; <tt/md5/; <tt/bigcrypt/;
-<tt/shadow/; <tt/radius/; <tt/unix/
-
-<tag><bf>Description:</bf></tag>
-
-This part of the <tt/pam_pwdb/ module performs the task of updating
-the user's password. Thanks to the flexibility of <tt/libpwdb/ this
-module is able to move the user's password from one database to
-another, perhaps securing the user's database entry in a dynamic
-manner (<em/this is very ALPHA code at the moment!/) - this is the
-purpose of the <tt/shadow/, <tt/radius/ and <tt/unix/ arguments.
-
-<p>
-In the case of conventional unix databases (which store the password
-encrypted) the <tt/md5/ argument is used to do the encryption with the
-MD5 function as opposed to the <em/conventional/ <tt/crypt(3)/ call.
-As an alternative to this, the <tt/bigcrypt/ argument can be used to
-encrypt more than the first 8 characters of a password with DEC's
-(Digital Equipment Cooperation) `C2' extension to the standard UNIX
-<tt/crypt()/ algorithm.
-
-<p>
-The <tt/nullok/ module is used to permit the changing of a password
-<em/from/ an empty one. Without this argument, empty passwords are
-treated as account-locking ones.
-
-<p>
-The argument <tt/use_first_pass/ is used to lock the choice of old and
-new passwords to that dictated by the previously stacked <tt/password/
-module. The <tt/try_first_pass/ argument is used to avoid the user
-having to re-enter an old password when <tt/pam_pwdb/ follows a module
-that possibly shared the user's old password - if this old password is
-not correct the user will be prompted for the correct one. The
-argument <tt/use_authtok/ is used to <em/force/ this module to set the
-new password to the one provided by the previously stacked
-<tt/password/ module (this is used in an example of the stacking of
-the <em/Cracklib/ module documented above).
-
-<p>
-The <tt/not_set_pass/ argument is used to inform the module that it is
-not to pay attention to/make available the old or new passwords from/to
-other (stacked) password modules.
-
-<p>
-The <tt/debug/ argument makes the password functions of this module
-<tt/syslog(3)/ more information on its actions. Other arguments may be
-logged as erroneous to <tt/syslog(3)/.
-
-<tag><bf>Examples/suggested usage:</bf></tag>
-
-An example of the stacking of this module with respect to the
-pluggable password checking module, <tt/pam_cracklib/, is given in
-that modules section above.
-</descrip>
-
-<sect2>Session component
-
-<p>
-<descrip>
-
-<tag><bf>Recognized arguments:</bf></tag>
-
-<tag><bf>Description:</bf></tag>
-
-No arguments are recognized by this module component. Its action is
-simply to log the username and the service-type to
-<tt/syslog(3)/. Messages are logged at the beginning and end of the
-user's session.
-
-<tag><bf>Examples/suggested usage:</bf></tag>
-
-The use of the session modules is straightforward:
-<tscreen>
-<verb>
-#
-# pwdb - unix like session opening and closing
-#
-login session required pam_pwdb.so
-</verb>
-</tscreen>
-
-</descrip>
-
-<!--
-End of sgml insert for this module.
--->
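Review bot: None of the doc/ hunks shown removes an include of, or cross-reference to, doc/modules/pam_pwdb.sgml from a parent document; the only pam_source.sgml change is the Red Hat pointers block. If any SGML file still pulls this module page in, the documentation build may break, so suggest searching doc/ for pam_pwdb before merging. It is also worth checking that the pam_unix page covers the arguments described in this file (likeauth, noreap, nodelay, not_set_pass, bigcrypt) and the helper binary's SIGCHLD behaviour, since the updated examples now send readers to pam_unix.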
diff --git a/doc/modules/pam_userdb.sgml b/doc/modules/pam_userdb.sgml
index facf223e..566e68de 100644
--- a/doc/modules/pam_userdb.sgml
+++ b/doc/modules/pam_userdb.sgml
@@ -61,7 +61,7 @@ fields corresponding to the username keys are the passwords, in unencrypted form
so caution must be exercised over the access rights to the DB database itself..
The module will read the password from the user using the conversation mechanism. If
-you are using this module on top of another authentication module (like <tt/pam_pwdb/;)
+you are using this module on top of another authentication module (like <tt/pam_unix/;)
then you should tell that module to read the entered password from the PAM_AUTHTOK field, which is set by this module.
<p>
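Review bot: The new line carries over the stray ";" after <tt/pam_unix/, which renders as "(like pam_unix;)". Suggest dropping the semicolon, and the doubled full stop in "the DB database itself.." two lines above, while this paragraph is being edited. Because the surrounding text tells the reader to make the stacked module read PAM_AUTHTOK, it would also help to name the pam_unix argument that does so, as the example further down uses try_first_pass.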
@@ -112,10 +112,10 @@ provided in the <tt>/etc/dbtest.db</tt> file:
#%PAM-1.0
auth required pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
auth sufficient pam_userdb.so icase db=/etc/dbtest
-auth required pam_pwdb.so shadow nullok try_first_pass
+auth required pam_unix.so shadow nullok try_first_pass
auth required pam_shells.so
-account required pam_pwdb.so
-session required pam_pwdb.so
+account required pam_unix.so
+session required pam_unix.so
</verb>
</tscreen>
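Review bot: On the auth line, the arguments "shadow nullok try_first_pass" are copied unchanged onto pam_unix.so. In the pam_pwdb page deleted by this commit, shadow is listed only under the password component, and nullok on the authentication component is described as overriding the default of refusing access when the password is blank. Suggest verifying that pam_unix accepts shadow on an auth line (or dropping it), and reconsidering nullok in this sample, since a reader who copies it will allow accounts with blank passwords to authenticate.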
diff --git a/doc/pam_source.sgml b/doc/pam_source.sgml
index 8e641032..bc091ed6 100644
--- a/doc/pam_source.sgml
+++ b/doc/pam_source.sgml
@@ -967,20 +967,6 @@ From here you can go back and get a real configuration
going, hopefully after you've tested it first on a machine
you don't care about screwing up. :/
-Some pointers (to make everything "right" with Red Hat...):
-
- Install the newest pam, pamconfig, and pwdb from the
- redhat current directory, and do it all on the same
- command line with rpm...
-
- rpm -Uvh [maybe --force too] pam-* pamconfig-* pwdb-*
-
- Then make sure you install (or reinstall) the newest
- version of libc, util-linux, wuftp, and NetKit. For
- kicks you might try installing the newest versions of
- the affected x apps, like xlock, but I haven't gotten
- those to work at all yet.
-
</verb>
<sect1>Avoid having a weak `other' configuration