path: root/doc
diff options
authorAndrew G. Morgan <>2002-06-27 05:43:28 +0000
committerAndrew G. Morgan <>2002-06-27 05:43:28 +0000
commit76a61ebb3b1a2500b6eb457d6725cc8f4568d2d8 (patch)
tree66fcdb70b36e9f077cbd334f2b1026a21e849173 /doc
parent09d18a79f0e11ad5dd90e3007f7ae688bc50693c (diff)
Relevant BUGIDs: 419307
Purpose of commit: new feature/cleanup Commit summary: --------------- made pam_nologin more secure by changing the default behavior and adding some more features. General code clean up in the process.
Diffstat (limited to 'doc')
2 files changed, 19 insertions, 13 deletions
diff --git a/doc/modules/pam_nologin.sgml b/doc/modules/pam_nologin.sgml
index b1aa664b..52cf02a5 100644
--- a/doc/modules/pam_nologin.sgml
+++ b/doc/modules/pam_nologin.sgml
@@ -16,21 +16,17 @@
Written by Michael K. Johnson &lt;;<newline>
-(based on code taken from a module written by Andrew G. Morgan
-Michael K. Johnson &lt;;
<tag><bf>Management groups provided:</bf></tag>
+account; authentication
<tag><bf>Cryptographically sensitive:</bf></tag>
<tag><bf>Security rating:</bf></tag>
<tag><bf>Clean code base:</bf></tag>
-1 warning about dropping const
<tag><bf>System dependencies:</bf></tag>
@@ -49,24 +45,34 @@ Provides standard Unix <em/nologin/ authentication.
<tag><bf>Recognized arguments:</bf></tag>
+successok, file=&lt;<em/filename/&gt;
Provides standard Unix <em/nologin/ authentication. If the file
<tt>/etc/nologin</tt> exists, only root is allowed to log in; other
-users are turned away with an error message. All users (root or
+users are turned away with an error message (and the module returns
+<tt/PAM_AUTH_ERR/ or <tt/PAM_USER_UNKNOWN/). All users (root or
otherwise) are shown the contents of <tt>/etc/nologin</tt>.
-If the file <tt>/etc/nologin</tt> does not exist, this module succeeds
+If the file <tt>/etc/nologin</tt> does not exist, this module defaults
+to returning <tt/PAM_IGNORE/, but the <tt/successok/ module argument
+causes it to return <tt/PAM_SUCCESS/ in this case.
+The administrator can override the default nologin file with the
+<tt/file=/<em/pathname/ module argument.
<tag><bf>Examples/suggested usage:</bf></tag>
-In order to make this module effective, all login methods should
-be secured by it. It should be used as a <tt>required</tt>
-method listed before any <tt>sufficient</tt> methods in order to
-get standard Unix nologin semantics.
+In order to make this module effective, all login methods should be
+secured by it. It should be used as a <tt>required</tt> method listed
+before any <tt>sufficient</tt> methods in order to get standard Unix
+nologin semantics. Note, the use of <tt/successok/ module argument
+causes the module to return <tt/PAM_SUCCESS/ and as such would break
+such a configuration - failing <tt/sufficient/ modules would lead to a
+successful login because the nologin module <em/succeeded/.
diff --git a/doc/pam_source.sgml b/doc/pam_source.sgml
index f2545e6f..2dd5783e 100644
--- a/doc/pam_source.sgml
+++ b/doc/pam_source.sgml
@@ -46,7 +46,7 @@ DAMAGE.
<title>The Linux-PAM System Administrators' Guide
<author>Andrew G. Morgan, <tt></tt>
-<date>DRAFT v0.76 2002/05/27
+<date>DRAFT v0.76 2002/06/26
This manual documents what a system-administrator needs to know about
the <bf>Linux-PAM</bf> library. It covers the correct syntax of the