summaryrefslogtreecommitdiff
path: root/modules
diff options
context:
space:
mode:
authorThorsten Kukuk <kukuk@thkukuk.de>2006-06-28 07:22:40 +0000
committerThorsten Kukuk <kukuk@thkukuk.de>2006-06-28 07:22:40 +0000
commit62101bd49ce2f8b797d361c87762853c56d2481a (patch)
tree2a615da258847840fda55fb761714db4fd5ba83f /modules
parent421783d65ea2b7d80923378b8ef3c566ca63583c (diff)
Relevant BUGIDs:
Purpose of commit: new feature/big release cleanup Commit summary: --------------- Big cleanup to get 0.99.5.0 release done: 2006-06-28 Thorsten Kukuk <kukuk@thkukuk.de> * bump version number to 0.99.5.0 * modules/pam_rhosts/pam_rhosts.c: New module, replaces pam_rhosts_auth.so. * modules/pam_rhosts/pam_rhosts.8.xml: New. * modules/pam_rhosts/pam_rhosts.8: New, generated from XML source. * modules/pam_rhosts/tst-pam_rhosts: New. * modules/pam_rhosts/Makefile.am: Add pam_rhosts, generate manual page and README. * modules/pam_rhosts/README.xml: New. * modules/pam_rhosts/reADME: Regenerated from XML source. * doc/man/pam_sm_acct_mgmt.3.xml: Adjust syntax for module writers guide. * doc/man/pam_sm_authenticate.3.xml: Likewise. * doc/man/pam_sm_chauthtok.3.xml: Likewise. * doc/man/pam_sm_close_session.3.xml: Likewise. * doc/man/pam_sm_open_session.3.xml: Likewise. * doc/man/pam_sm_setcred.3.xml: Likewise. * po/POTFILES.in: Add new source files. * libpam/pam_static_modules.h: Add new modules. * modules/pam_keyinit.c: Add _pam_keyinit_modstruct.
Diffstat (limited to 'modules')
-rw-r--r--modules/pam_debug/pam_debug.84
-rw-r--r--modules/pam_keyinit/.cvsignore6
-rw-r--r--modules/pam_keyinit/pam_keyinit.c16
-rw-r--r--modules/pam_namespace/.cvsignore6
-rw-r--r--modules/pam_namespace/Makefile.am3
-rw-r--r--modules/pam_namespace/README93
-rw-r--r--modules/pam_namespace/README.xml139
-rw-r--r--modules/pam_namespace/pam_namespace.8161
-rw-r--r--modules/pam_rhosts/Makefile.am17
-rw-r--r--modules/pam_rhosts/README81
-rw-r--r--modules/pam_rhosts/README.xml41
-rw-r--r--modules/pam_rhosts/pam_rhosts.898
-rw-r--r--modules/pam_rhosts/pam_rhosts.8.xml171
-rw-r--r--modules/pam_rhosts/pam_rhosts.c155
-rwxr-xr-xmodules/pam_rhosts/tst-pam_rhosts2
-rwxr-xr-xmodules/pam_rhosts/tst-pam_rhosts_auth2
-rw-r--r--modules/pam_rootok/pam_rootok.84
17 files changed, 810 insertions, 189 deletions
diff --git a/modules/pam_debug/pam_debug.8 b/modules/pam_debug/pam_debug.8
index 5bce51e3..ae4a1407 100644
--- a/modules/pam_debug/pam_debug.8
+++ b/modules/pam_debug/pam_debug.8
@@ -1,11 +1,11 @@
.\" Title: pam_debug
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
-.\" Date: 06/17/2006
+.\" Date: 06/23/2006
.\" Manual: Linux\-PAM Manual
.\" Source: Linux\-PAM Manual
.\"
-.TH "PAM_DEBUG" "8" "06/17/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.TH "PAM_DEBUG" "8" "06/23/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
diff --git a/modules/pam_keyinit/.cvsignore b/modules/pam_keyinit/.cvsignore
new file mode 100644
index 00000000..9fb98574
--- /dev/null
+++ b/modules/pam_keyinit/.cvsignore
@@ -0,0 +1,6 @@
+*.la
+*.lo
+.deps
+.libs
+Makefile
+Makefile.in
diff --git a/modules/pam_keyinit/pam_keyinit.c b/modules/pam_keyinit/pam_keyinit.c
index 363adb58..47b2c0f5 100644
--- a/modules/pam_keyinit/pam_keyinit.c
+++ b/modules/pam_keyinit/pam_keyinit.c
@@ -207,3 +207,19 @@ int pam_sm_close_session(pam_handle_t *pamh, int flags UNUSED,
return PAM_SUCCESS;
}
+
+#ifdef PAM_STATIC
+
+/* static module data */
+
+struct pam_module _pam_keyinit_modstruct = {
+ "pam_keyinit",
+ NULL,
+ NULL,
+ NULL,
+ pam_sm_open_session,
+ pam_sm_close_session,
+ NULL
+};
+#endif
+
diff --git a/modules/pam_namespace/.cvsignore b/modules/pam_namespace/.cvsignore
new file mode 100644
index 00000000..9fb98574
--- /dev/null
+++ b/modules/pam_namespace/.cvsignore
@@ -0,0 +1,6 @@
+*.la
+*.lo
+.deps
+.libs
+Makefile
+Makefile.in
diff --git a/modules/pam_namespace/Makefile.am b/modules/pam_namespace/Makefile.am
index 5d6dc018..38eb50ec 100644
--- a/modules/pam_namespace/Makefile.am
+++ b/modules/pam_namespace/Makefile.am
@@ -8,9 +8,10 @@ MAN8 = pam_namespace.8
man_MANS = $(MAN5) $(MAN8)
-XMLS = namespace.conf.5.xml pam_namespace.8.xml
+XMLS = README.xml namespace.conf.5.xml pam_namespace.8.xml
if ENABLE_REGENERATE_MAN
+noinst_DATA = README
-include $(top_srcdir)/Make.xml.rules
endif
diff --git a/modules/pam_namespace/README b/modules/pam_namespace/README
index 7edfe55e..c47ba232 100644
--- a/modules/pam_namespace/README
+++ b/modules/pam_namespace/README
@@ -1,3 +1,7 @@
+pam_namespace — PAM module for configuring namespace for a session
+
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+
pam_namespace module:
Setup a private namespace with polyinstantiated directories.
@@ -24,25 +28,25 @@ Where:
This field cannot be blank.
<instance_prefix> - is the string prefix used to build the pathname for the
- instantiation of <polydir>. The directory security context, or
- optionally its md5sum string (32 hex characters), is appended to
+ instantiation of <polydir>. The directory security context, or
+ optionally its md5sum string (32 hex characters), is appended to
the prefix to generate the final instance directory path.
This directory is created if it did not exist already, and is then
- bind mounted on the <polydir> to provide an instance of <polydir>
- based on the <method> column. The special string $HOME is replaced with
- the user's home directory, and $USER with the username.
- This field cannot be blank.
+ bind mounted on the <polydir> to provide an instance of <polydir>
+ based on the <method> column. The special string $HOME is replaced with
+ the user's home directory, and $USER with the username.
+ This field cannot be blank.
<method> - is the method used for polyinstantiation. It can take 3 different
- values; "user" for polyinstantiation based on user name, "context"
- for polyinstantiation based on process security context, and "both"
- for polyinstantiation based on both user name and security context.
- Methods "context" and "both" are only available with SELinux. This
- field cannot be blank.
+ values; "user" for polyinstantiation based on user name, "context"
+ for polyinstantiation based on process security context, and "both"
+ for polyinstantiation based on both user name and security context.
+ Methods "context" and "both" are only available with SELinux. This
+ field cannot be blank.
<list_of_uids> - is a comma separated list of user names for whom the
- polyinstantiation is not performed. If left blank, polyinstantiation
- will be performed for all users.
+ polyinstantiation is not performed. If left blank, polyinstantiation
+ will be performed for all users.
EXAMPLE /etc/security/namespace.conf configuration file:
=======================================================
@@ -68,55 +72,58 @@ EXAMPLE /etc/security/namespace.conf configuration file:
# caution, as it will reduce security and isolation achieved by
# polyinstantiation.
#
-/tmp /tmp-inst/ both root,adm
-/var/tmp /var/tmp/tmp-inst/ both root,adm
+/tmp /tmp-inst/ both root,adm
+/var/tmp /var/tmp/tmp-inst/ both root,adm
$HOME $HOME/$USER.inst/inst- context
ARGUMENTS RECOGNIZED:
debug
- Verbose logging by syslog
+ Verbose logging by syslog
unmnt_remnt
- For programs such as su and newrole, the login session has
- already setup a polyinstantiated namespace. For these programs,
- polyinstantiation is performed based on new user id or security
- context, however the command first needs to undo the
- polyinstantiation performed by login. This argument instructs
- the command to first undo previous polyinstantiation before
- proceeding with new polyinstantiation based on new id/context.
+ For programs such as su and newrole, the login session has
+ already setup a polyinstantiated namespace. For these programs,
+ polyinstantiation is performed based on new user id or security
+ context, however the command first needs to undo the
+ polyinstantiation performed by login. This argument instructs
+ the command to first undo previous polyinstantiation before
+ proceeding with new polyinstantiation based on new id/context.
unmnt_only
- For trusted programs that want to undo any existing bind mounts
- and process instance directories on their own, this argument
- allows them to unmount currently mounted instance directories.
+ For trusted programs that want to undo any existing bind mounts
+ and process instance directories on their own, this argument
+ allows them to unmount currently mounted instance directories.
require_selinux
- If selinux is not enabled, return failure.
+ If selinux is not enabled, return failure.
gen_hash
- Instead of using the security context string for the instance
- name, generate and use its md5 hash.
+ Instead of using the security context string for the instance
+ name, generate and use its md5 hash.
ignore_config_error
- If a line in the configuration file corresponding to a
- polyinstantiated directory contains format error, skip that
- line process the next line. Without this option, pam will return
- an error to the calling program resulting in termination
- of the session.
+ If a line in the configuration file corresponding to a
+ polyinstantiated directory contains format error, skip that
+ line process the next line. Without this option, pam will return
+ an error to the calling program resulting in termination
+ of the session.
ignore_instance_parent_mode
- Instance parent directories by default are expected to have
- the restrictive mode of 000. Using this option, an administrator
- can choose to ignore the mode of the instance parent.
+ Instance parent directories by default are expected to have
+ the restrictive mode of 000. Using this option, an administrator
+ can choose to ignore the mode of the instance parent.
MODULE SERVICES PROVIDED:
- session open_session and close_session
+ session open_session and close_session
USAGE:
- For the <service>s you need polyinstantiation (login for example)
- put the following line in /etc/pam.d/<service> as the last line for
- session group:
+ For the <service>s you need polyinstantiation (login for example)
+ put the following line in /etc/pam.d/<service> as the last line for
+ session group:
+
+ session required pam_namespace.so [arguments]
+
+ This module also depends on pam_selinux.so setting the context.
+
- session required pam_namespace.so [arguments]
- This module also depends on pam_selinux.so setting the context.
diff --git a/modules/pam_namespace/README.xml b/modules/pam_namespace/README.xml
new file mode 100644
index 00000000..98ab7532
--- /dev/null
+++ b/modules/pam_namespace/README.xml
@@ -0,0 +1,139 @@
+<?xml version="1.0" encoding='UTF-8'?>
+<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+"http://www.docbook.org/xml/4.4/docbookx.dtd">
+<article>
+ <articleinfo>
+ <title>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+ href="pam_namespace.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_namespace-name"]/*)'/>
+ </title>
+ </articleinfo>
+ <section>
+ <programlisting><![CDATA[
+
+pam_namespace module:
+Setup a private namespace with polyinstantiated directories.
+
+THEORY OF OPERATION:
+The pam namespace module consults /etc/security/namespace.conf
+configuration file and sets up a private namespace with polyinstantiated
+directories for a session managed by PAM. A skeleton namespace.conf
+installed by default provides example for polyinstantiating /tmp, /var/tmp
+and users' home directory.
+
+If an executable script /etc/security/namespace.init exists, it
+is used to initialize the namespace every time a new instance directory
+is setup. The script receives the polyinstantiated directory path
+and the instance directory path as its arguments.
+
+Each line in namespace.conf describes a limit for a user in the form:
+
+<polydir> <instance_prefix> <method> <list_of_uids>
+
+Where:
+<polydir> - is the absolute pathname of the directory to polyinstantiate
+ Special entry $HOME is supported to designate user's home directory.
+ This field cannot be blank.
+
+<instance_prefix> - is the string prefix used to build the pathname for the
+ instantiation of <polydir>. The directory security context, or
+ optionally its md5sum string (32 hex characters), is appended to
+ the prefix to generate the final instance directory path.
+ This directory is created if it did not exist already, and is then
+ bind mounted on the <polydir> to provide an instance of <polydir>
+ based on the <method> column. The special string $HOME is replaced with
+ the user's home directory, and $USER with the username.
+ This field cannot be blank.
+
+<method> - is the method used for polyinstantiation. It can take 3 different
+ values; "user" for polyinstantiation based on user name, "context"
+ for polyinstantiation based on process security context, and "both"
+ for polyinstantiation based on both user name and security context.
+ Methods "context" and "both" are only available with SELinux. This
+ field cannot be blank.
+
+<list_of_uids> - is a comma separated list of user names for whom the
+ polyinstantiation is not performed. If left blank, polyinstantiation
+ will be performed for all users.
+
+EXAMPLE /etc/security/namespace.conf configuration file:
+=======================================================
+# Following three lines will polyinstantiate /tmp, /var/tmp and user's home
+# directories. /tmp and /var/tmp will be polyinstantiated based on both
+# security context as well as user name, whereas home directory will
+# be polyinstantiated based on security context only. Polyinstantiation
+# will not be performed for user root and adm for directories /tmp and
+# /var/tmp, whereas home directories will be polyinstantiated for all
+# users. The user name and/or context is appended to the instance prefix.
+#
+# Note that instance directories do not have to reside inside the
+# polyinstantiated directory. In the examples below, instances of /tmp
+# will be created in /tmp-inst directory, where as instances of /var/tmp
+# and users home directories will reside within the directories that
+# are being polyinstantiated.
+#
+# Instance parent directories must exist for the polyinstantiation
+# mechanism to work. By default, they should be created with the mode
+# of 000. pam_namespace module will enforce this mode unless it
+# is explicitly called with an argument to ignore the mode of the
+# instance parent. System administrators should use this argument with
+# caution, as it will reduce security and isolation achieved by
+# polyinstantiation.
+#
+/tmp /tmp-inst/ both root,adm
+/var/tmp /var/tmp/tmp-inst/ both root,adm
+$HOME $HOME/$USER.inst/inst- context
+
+ARGUMENTS RECOGNIZED:
+ debug
+ Verbose logging by syslog
+
+ unmnt_remnt
+ For programs such as su and newrole, the login session has
+ already setup a polyinstantiated namespace. For these programs,
+ polyinstantiation is performed based on new user id or security
+ context, however the command first needs to undo the
+ polyinstantiation performed by login. This argument instructs
+ the command to first undo previous polyinstantiation before
+ proceeding with new polyinstantiation based on new id/context.
+
+ unmnt_only
+ For trusted programs that want to undo any existing bind mounts
+ and process instance directories on their own, this argument
+ allows them to unmount currently mounted instance directories.
+
+ require_selinux
+ If selinux is not enabled, return failure.
+
+ gen_hash
+ Instead of using the security context string for the instance
+ name, generate and use its md5 hash.
+
+ ignore_config_error
+ If a line in the configuration file corresponding to a
+ polyinstantiated directory contains format error, skip that
+ line process the next line. Without this option, pam will return
+ an error to the calling program resulting in termination
+ of the session.
+
+ ignore_instance_parent_mode
+ Instance parent directories by default are expected to have
+ the restrictive mode of 000. Using this option, an administrator
+ can choose to ignore the mode of the instance parent.
+
+MODULE SERVICES PROVIDED:
+ session open_session and close_session
+
+USAGE:
+ For the <service>s you need polyinstantiation (login for example)
+ put the following line in /etc/pam.d/<service> as the last line for
+ session group:
+
+ session required pam_namespace.so [arguments]
+
+ This module also depends on pam_selinux.so setting the context.
+]]>
+ </programlisting>
+ </section>
+</article>
+
diff --git a/modules/pam_namespace/pam_namespace.8 b/modules/pam_namespace/pam_namespace.8
index 88594304..126cfc88 100644
--- a/modules/pam_namespace/pam_namespace.8
+++ b/modules/pam_namespace/pam_namespace.8
@@ -1,141 +1,110 @@
-.\"Generated by db2man.xsl. Don't modify this, modify the source.
-.de Sh \" Subsection
-.br
-.if t .Sp
-.ne 5
-.PP
-\fB\\$1\fR
-.PP
-..
-.de Sp \" Vertical space (when we can't use .PP)
-.if t .sp .5v
-.if n .sp
-..
-.de Ip \" List item
-.br
-.ie \\n(.$>=3 .ne \\$3
-.el .ne 3
-.IP "\\$1" \\$2
-..
-.TH "PAM_NAMESPACE" 8 "" "" ""
-.SH NAME
+.\" Title: pam_namespace
+.\" Author:
+.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
+.\" Date: 06/27/2006
+.\" Manual: Linux\-PAM Manual
+.\" Source: Linux\-PAM Manual
+.\"
+.TH "PAM_NAMESPACE" "8" "06/27/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.SH "NAME"
pam_namespace \- PAM module for configuring namespace for a session
.SH "SYNOPSIS"
-.ad l
-.hy 0
.HP 17
-\fBpam_namespace\&.so\fR [debug] [unmnt_remnt] [unmnt_only] [require_selinux] [gen_hash] [ignore_config_error] [ignore_instance_parent_mode]
-.ad
-.hy
-
+\fBpam_namespace.so\fR [debug] [unmnt_remnt] [unmnt_only] [require_selinux] [gen_hash] [ignore_config_error] [ignore_instance_parent_mode]
.SH "DESCRIPTION"
-
.PP
-The pam_namespace PAM module sets up a private namespace for a session with polyinstantiated directories\&. A polyinstantiated directory provides a different instance of itself based on user name, or when using SELinux, user name, security context or both\&. If an executable script \fI/etc/security/namespace\&.init\fR exists, it is used to initialize the namespace every time a new instance directory is setup\&. The script receives the polyinstantiated directory path and the instance directory path as its arguments\&.
-
+The pam_namespace PAM module sets up a private namespace for a session with polyinstantiated directories. A polyinstantiated directory provides a different instance of itself based on user name, or when using SELinux, user name, security context or both. If an executable script
+\fI/etc/security/namespace.init\fR
+exists, it is used to initialize the namespace every time a new instance directory is setup. The script receives the polyinstantiated directory path and the instance directory path as its arguments.
.PP
-The pam_namespace module disassociates the session namespace from the parent namespace\&. Any mounts/unmounts performed in the parent namespace, such as mounting of devices, are not reflected in the session namespace\&. To propagate selected mount/unmount events from the parent namespace into the disassociated session namespace, an administrator may use the special shared\-subtree feature\&. For additional information on shared\-subtree feature, please refer to the mount(8) man page and the shared\-subtree description at http://lwn\&.net/Articles/159077 and http://lwn\&.net/Articles/159092\&.
-
+The pam_namespace module disassociates the session namespace from the parent namespace. Any mounts/unmounts performed in the parent namespace, such as mounting of devices, are not reflected in the session namespace. To propagate selected mount/unmount events from the parent namespace into the disassociated session namespace, an administrator may use the special shared\-subtree feature. For additional information on shared\-subtree feature, please refer to the mount(8) man page and the shared\-subtree description at http://lwn.net/Articles/159077 and http://lwn.net/Articles/159092.
.SH "OPTIONS"
-
-.TP
+.TP 3n
\fBdebug\fR
A lot of debug information is logged using syslog
-
-.TP
+.TP 3n
\fBunmnt_remnt\fR
-For programs such as su and newrole, the login session has already setup a polyinstantiated namespace\&. For these programs, polyinstantiation is performed based on new user id or security context, however the command first needs to undo the polyinstantiation performed by login\&. This argument instructs the command to first undo previous polyinstantiation before proceeding with new polyinstantiation based on new id/context
-
-.TP
+For programs such as su and newrole, the login session has already setup a polyinstantiated namespace. For these programs, polyinstantiation is performed based on new user id or security context, however the command first needs to undo the polyinstantiation performed by login. This argument instructs the command to first undo previous polyinstantiation before proceeding with new polyinstantiation based on new id/context
+.TP 3n
\fBunmnt_only\fR
For trusted programs that want to undo any existing bind mounts and process instance directories on their own, this argument allows them to unmount currently mounted instance directories
-
-.TP
+.TP 3n
\fBrequire_selinux\fR
If selinux is not enabled, return failure
-
-.TP
+.TP 3n
\fBgen_hash\fR
-Instead of using the security context string for the instance name, generate and use its md5 hash\&.
-
-.TP
+Instead of using the security context string for the instance name, generate and use its md5 hash.
+.TP 3n
\fBignore_config_error\fR
-If a line in the configuration file corresponding to a polyinstantiated directory contains format error, skip that line process the next line\&. Without this option, pam will return an error to the calling program resulting in termination of the session\&.
-
-.TP
+If a line in the configuration file corresponding to a polyinstantiated directory contains format error, skip that line process the next line. Without this option, pam will return an error to the calling program resulting in termination of the session.
+.TP 3n
\fBignore_instance_parent_mode\fR
-Instance parent directories by default are expected to have the restrictive mode of 000\&. Using this option, an administrator can choose to ignore the mode of the instance parent\&. This option should be used with caution as it will reduce security and isolation goals of the polyinstantiation mechanism\&.
-
+Instance parent directories by default are expected to have the restrictive mode of 000. Using this option, an administrator can choose to ignore the mode of the instance parent. This option should be used with caution as it will reduce security and isolation goals of the polyinstantiation mechanism.
.SH "MODULE SERVICES PROVIDED"
-
.PP
-The \fBsession\fR service is supported\&.
-
+The
+\fBsession\fR
+service is supported.
.SH "RETURN VALUES"
-
-.TP
+.TP 3n
PAM_SUCCESS
-Namespace setup was successful\&.
-
-.TP
+Namespace setup was successful.
+.TP 3n
PAM_SERVICE_ERR
-Unexpected system error occurred while setting up namespace\&.
-
-.TP
+Unexpected system error occurred while setting up namespace.
+.TP 3n
PAM_SESSION_ERR
-Unexpected namespace configuration error occurred\&.
-
+Unexpected namespace configuration error occurred.
.SH "FILES"
-
-.TP
-\fI/etc/security/namespace\&.conf\fR
+.TP 3n
+\fI/etc/security/namespace.conf\fR
Configuration file
-
.SH "EXAMPLES"
-
.PP
-For the <service>s you need polyinstantiation (login for example) put the following line in /etc/pam\&.d/<service> as the last line for session group:
-
+For the <service>s you need polyinstantiation (login for example) put the following line in /etc/pam.d/<service> as the last line for session group:
.PP
-session required pam_namespace\&.so [arguments]
-
+session required pam_namespace.so [arguments]
.PP
To use polyinstantiation with graphical display manager gdm, insert the following line, before exit 0, in /etc/gdm/PostSession/Default:
-
.PP
/usr/sbin/gdm\-safe\-restart
-
.PP
-This allows gdm to restart after each session and appropriately adjust namespaces of display manager and the X server\&. If polyinstantiation of /tmp is desired along with the graphical environment, then additional configuration changes are needed to address the interaction of X server and font server namespaces with their use of /tmp to create communication sockets\&. Please use the initialization script \fI/etc/security/namespace\&.init\fR to ensure that the X server and its clients can appropriately access the communication socket X0\&. Please refer to the sample instructions provided in the comment section of the instance initialization script \fI/etc/security/namespace\&.init\fR\&. In addition, perform the following changes to use graphical environment with polyinstantiation of /tmp:
-
+This allows gdm to restart after each session and appropriately adjust namespaces of display manager and the X server. If polyinstantiation of /tmp is desired along with the graphical environment, then additional configuration changes are needed to address the interaction of X server and font server namespaces with their use of /tmp to create communication sockets. Please use the initialization script
+\fI/etc/security/namespace.init\fR
+to ensure that the X server and its clients can appropriately access the communication socket X0. Please refer to the sample instructions provided in the comment section of the instance initialization script
+\fI/etc/security/namespace.init\fR. In addition, perform the following changes to use graphical environment with polyinstantiation of /tmp:
.PP
-
+.sp
+.RS 3n
.nf
-
- 1\&. Disable the use of font server by commenting out "FontPath"
- line in /etc/X11/xorg\&.conf\&. If you do want to use the font server
+ 1. Disable the use of font server by commenting out "FontPath"
+ line in /etc/X11/xorg.conf. If you do want to use the font server
then you will have to augment the instance initialization
- script to appropriately provide /tmp/\&.font\-unix from the
- polyinstantiated /tmp\&.
- 2\&. Ensure that the gdm service is setup to use pam_namespace,
- as described above, by modifying /etc/pam\&.d/gdm\&.
- 3\&. Ensure that the display manager is configured to restart X server
- with each new session\&. This default setup can be verified by
- making sure that /usr/share/gdm/defaults\&.conf contains
+ script to appropriately provide /tmp/.font\-unix from the
+ polyinstantiated /tmp.
+ 2. Ensure that the gdm service is setup to use pam_namespace,
+ as described above, by modifying /etc/pam.d/gdm.
+ 3. Ensure that the display manager is configured to restart X server
+ with each new session. This default setup can be verified by
+ making sure that /usr/share/gdm/defaults.conf contains
"AlwaysRestartServer=true", and it is not overridden by
- /etc/gdm/custom\&.conf\&.
+ /etc/gdm/custom.conf.
.fi
-
-
+.RE
+.sp
.SH "SEE ALSO"
-
.PP
- \fBnamespace\&.conf\fR(5), \fBpam\&.d\fR(8), \fBmount\fR(8), \fBpam\fR(8)\&.
+\fBnamespace.conf\fR(5),
+\fBpam.d\fR(8),
+\fBmount\fR(8),
+\fBpam\fR(8).
.SH "AUTHORS"
-
.PP
-The namespace setup scheme was designed by Stephen Smalley, Janak Desai and Chad Sellers\&. The pam_namespace PAM module was developed by Janak Desai <janak@us\&.ibm\&.com>, Chad Sellers <csellers@tresys\&.com> and Steve Grubb <sgrubb@redhat\&.com>\&.
-
+The namespace setup scheme was designed by Stephen Smalley, Janak Desai and Chad Sellers. The pam_namespace PAM module was developed by Janak Desai <janak@us.ibm.com>, Chad Sellers <csellers@tresys.com> and Steve Grubb <sgrubb@redhat.com>.
diff --git a/modules/pam_rhosts/Makefile.am b/modules/pam_rhosts/Makefile.am
index 5c8cc188..d4ca7578 100644
--- a/modules/pam_rhosts/Makefile.am
+++ b/modules/pam_rhosts/Makefile.am
@@ -4,9 +4,13 @@
CLEANFILES = *~
-EXTRA_DIST = README tst-pam_rhosts
+EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_rhosts_auth tst-pam_rhosts
-TESTS = tst-pam_rhosts
+TESTS = tst-pam_rhosts_auth tst-pam_rhosts
+
+man_MANS = pam_rhosts.8
+
+XMLS = README.xml pam_rhosts.8.xml
securelibdir = $(SECUREDIR)
secureconfdir = $(SCONFIGDIR)
@@ -18,4 +22,11 @@ if HAVE_VERSIONING
AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
endif
-securelib_LTLIBRARIES = pam_rhosts_auth.la
+securelib_LTLIBRARIES = pam_rhosts_auth.la pam_rhosts.la
+
+if ENABLE_REGENERATE_MAN
+noinst_DATA = README
+README: pam_rhosts.8.xml
+-include $(top_srcdir)/Make.xml.rules
+endif
+
diff --git a/modules/pam_rhosts/README b/modules/pam_rhosts/README
index d2e93d1d..b1911785 100644
--- a/modules/pam_rhosts/README
+++ b/modules/pam_rhosts/README
@@ -1,57 +1,56 @@
-arguments recognized:
+pam_rhosts — The rhosts PAM module
-"no_hosts_equiv"
-"no_rhosts"
-"debug"
-"nowarn"
-"suppress"
-"promiscuous"
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
-.rhosts/hosts.equiv format:
+DESCRIPTION
-There are positive entries, when one is matched authentication
-succeeds and terminates. There are negative entries, when one is
-matched authentication fails and terminates. Thus order is
-significant.
+This module performs the standard network authentication for services, as used
+by traditional implementations of rlogin and rsh etc.
-Entry hosts.equiv .rhosts
-<host> All users on <host> are ok Same username from <host> is ok
-<host> <user> <user> from <host> is ok ditto
--<host> No users from <host> are ok ditto
-<host> -<user> <user> from <host> is not ok ditto
+The authentication mechanism of this module is based on the contents of two
+files; /etc/hosts.equiv (or and ~/.rhosts. Firstly, hosts listed in the former
+file are treated as equivalent to the localhost. Secondly, entries in the
+user's own copy of the latter file is used to map "remote-host remote-user"
+pairs to that user's account on the current host. Access is granted to the user
+if their host is present in /etc/hosts.equiv and their remote account is
+identical to their local one, or if their remote account has an entry in their
+personal configuration file.
-<host> can be ip (IPv4) numbers.
+The module authenticates a remote user (internally specified by the item
+PAM_RUSER connecting from the remote host (internally specified by the item
+PAM_RHOST). Accordingly, for applications to be compatible this authentication
+module they must set these items prior to calling pam_authenticate(). The
+module is not capable of independently probing the network connection for such
+information.
-Netgroups may be used in either host or user fields, and then applies
-to all hosts, or users, in the netgroup. The syntax is
+OPTIONS
- +@<ng>
+debug
-The entries
+ Print debug information.
- <host> +@<ng>
- +@<ng> +@<ng>
- +@<ng> <user>
+silent
-means exactly what you think it does. Negative entries are of the
-form
+ Don't print informative messages.
- -@<ng>
+superuser=account
-When the "promiscuous" option is given the special character + may be
-used as a wildcard in any field.
+ Handle account as root.
- + Allow anyone from any host to connect. DANGEROUS.
- + + Ditto.
- + <user> Allow the user to connect from anywhere. DANGEROUS.
- <host> + Allow any user from the host. Dangerous.
-
-These, perhaps more useful, forms of the + form is also disallowed
-unless "promiscuous" is specified:
+EXAMPLES
- + -<user> Disallow the user from any host
- + -@<ng> Disallow all members of the netgroup from any host
+To grant a remote user access by /etc/hosts.equiv or .rhosts for rsh add the
+following lines to /etc/pam.d/rsh:
-When "promiscuous" is not specified a '+' is handled as a negative
-match.
+#%PAM-1.0
+#
+auth required pam_rhosts.so
+auth required pam_nologin.so
+auth required pam_env.so
+auth required pam_unix.so
+
+
+AUTHOR
+
+pam_rhosts was written by Thorsten Kukuk <kukuk@thkukuk.de>
diff --git a/modules/pam_rhosts/README.xml b/modules/pam_rhosts/README.xml
new file mode 100644
index 00000000..5d3307e7
--- /dev/null
+++ b/modules/pam_rhosts/README.xml
@@ -0,0 +1,41 @@
+<?xml version="1.0" encoding='UTF-8'?>
+<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
+"http://www.docbook.org/xml/4.3/docbookx.dtd"
+[
+<!--
+<!ENTITY pamaccess SYSTEM "pam_rhosts.8.xml">
+-->
+]>
+
+<article>
+
+ <articleinfo>
+
+ <title>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+ href="pam_rhosts.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_rhosts-name"]/*)'/>
+ </title>
+
+ </articleinfo>
+
+ <section>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+ href="pam_rhosts.8.xml" xpointer='xpointer(//refsect1[@id = "pam_rhosts-description"]/*)'/>
+ </section>
+
+ <section>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+ href="pam_rhosts.8.xml" xpointer='xpointer(//refsect1[@id = "pam_rhosts-options"]/*)'/>
+ </section>
+
+ <section>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+ href="pam_rhosts.8.xml" xpointer='xpointer(//refsect1[@id = "pam_rhosts-examples"]/*)'/>
+ </section>
+
+ <section>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+ href="pam_rhosts.8.xml" xpointer='xpointer(//refsect1[@id = "pam_rhosts-author"]/*)'/>
+ </section>
+
+</article>
diff --git a/modules/pam_rhosts/pam_rhosts.8 b/modules/pam_rhosts/pam_rhosts.8
new file mode 100644
index 00000000..0d7f4a16
--- /dev/null
+++ b/modules/pam_rhosts/pam_rhosts.8
@@ -0,0 +1,98 @@
+.\" Title: pam_rhosts
+.\" Author:
+.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
+.\" Date: 06/28/2006
+.\" Manual: Linux\-PAM Manual
+.\" Source: Linux\-PAM Manual
+.\"
+.TH "PAM_RHOSTS" "8" "06/28/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.SH "NAME"
+pam_rhosts \- The rhosts PAM module
+.SH "SYNOPSIS"
+.HP 14
+\fBpam_rhosts.so\fR
+.SH "DESCRIPTION"
+.PP
+This module performs the standard network authentication for services, as used by traditional implementations of
+\fBrlogin\fR
+and
+\fBrsh\fR
+etc.
+.PP
+The authentication mechanism of this module is based on the contents of two files;
+\fI/etc/hosts.equiv\fR
+(or and
+\fI~/.rhosts\fR. Firstly, hosts listed in the former file are treated as equivalent to the localhost. Secondly, entries in the user's own copy of the latter file is used to map "\fIremote\-host remote\-user\fR" pairs to that user's account on the current host. Access is granted to the user if their host is present in
+\fI/etc/hosts.equiv\fR
+and their remote account is identical to their local one, or if their remote account has an entry in their personal configuration file.
+.PP
+The module authenticates a remote user (internally specified by the item
+\fIPAM_RUSER\fR
+connecting from the remote host (internally specified by the item
+\fBPAM_RHOST\fR). Accordingly, for applications to be compatible this authentication module they must set these items prior to calling
+\fBpam_authenticate()\fR. The module is not capable of independently probing the network connection for such information.
+.SH "OPTIONS"
+.TP 3n
+\fBdebug\fR
+Print debug information.
+.TP 3n
+\fBsilent\fR
+Don't print informative messages.
+.TP 3n
+\fBsuperuser=\fR\fB\fIaccount\fR\fR
+Handle
+\fIaccount\fR
+as root.
+.SH "MODULE SERVICES PROVIDED"
+.PP
+Only the
+\fBauth\fR
+service is supported.
+.SH "RETURN VALUES"
+.TP 3n
+PAM_AUTH_ERR
+The remote host, remote user name or the local user name couldn't be determined or access was denied by
+\fI.rhosts\fR
+file.
+.TP 3n
+PAM_USER_UNKNOWN
+User is not known to system.
+.SH "EXAMPLES"
+.PP
+To grant a remote user access by
+\fI/etc/hosts.equiv\fR
+or
+\fI.rhosts\fR
+for
+\fBrsh\fR
+add the following lines to
+\fI/etc/pam.d/rsh\fR:
+.sp
+.RS 3n
+.nf
+#%PAM\-1.0
+#
+auth required pam_rhosts.so
+auth required pam_nologin.so
+auth required pam_env.so
+auth required pam_unix.so
+
+.fi
+.RE
+.sp
+.SH "SEE ALSO"
+.PP
+
+\fBrootok\fR(3),
+\fBhosts.equiv\fR(5),
+\fBrhosts\fR(5),
+\fBpam.conf\fR(5),
+\fBpam.d\fR(8),
+\fBpam\fR(8)
+.SH "AUTHOR"
+.PP
+pam_rhosts was written by Thorsten Kukuk <kukuk@thkukuk.de>
diff --git a/modules/pam_rhosts/pam_rhosts.8.xml b/modules/pam_rhosts/pam_rhosts.8.xml
new file mode 100644
index 00000000..e559f315
--- /dev/null
+++ b/modules/pam_rhosts/pam_rhosts.8.xml
@@ -0,0 +1,171 @@
+<?xml version="1.0" encoding='UTF-8'?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
+ "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">
+
+<refentry id="pam_rhosts">
+
+ <refmeta>
+ <refentrytitle>pam_rhosts</refentrytitle>
+ <manvolnum>8</manvolnum>
+ <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo>
+ </refmeta>
+
+ <refnamediv id="pam_rhosts-name">
+ <refname>pam_rhosts</refname>
+ <refpurpose>The rhosts PAM module</refpurpose>
+ </refnamediv>
+
+ <refsynopsisdiv>
+ <cmdsynopsis id="pam_rhosts-cmdsynopsis">
+ <command>pam_rhosts.so</command>
+ </cmdsynopsis>
+ </refsynopsisdiv>
+
+ <refsect1 id="pam_rhosts-description">
+
+ <title>DESCRIPTION</title>
+
+ <para>
+ This module performs the standard network authentication for services,
+ as used by traditional implementations of <command>rlogin</command>
+ and <command>rsh</command> etc.
+ </para>
+ <para>
+ The authentication mechanism of this module is based on the contents
+ of two files; <filename>/etc/hosts.equiv</filename> (or
+ and <filename>~/.rhosts</filename>. Firstly, hosts listed in the
+ former file are treated as equivalent to the localhost. Secondly,
+ entries in the user's own copy of the latter file is used to map
+ "<emphasis>remote-host remote-user</emphasis>" pairs to that user's
+ account on the current host. Access is granted to the user if their
+ host is present in <filename>/etc/hosts.equiv</filename> and their
+ remote account is identical to their local one, or if their remote
+ account has an entry in their personal configuration file.
+ </para>
+ <para>
+ The module authenticates a remote user (internally specified by the
+ item <parameter>PAM_RUSER</parameter> connecting from the remote
+ host (internally specified by the item <command>PAM_RHOST</command>).
+ Accordingly, for applications to be compatible this authentication
+ module they must set these items prior to calling
+ <function>pam_authenticate()</function>. The module is not capable
+ of independently probing the network connection for such information.
+ </para>
+ </refsect1>
+
+ <refsect1 id="pam_rhosts-options">
+ <title>OPTIONS</title>
+ <variablelist>
+ <varlistentry>
+ <term>
+ <option>debug</option>
+ </term>
+ <listitem>
+ <para>
+ Print debug information.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ <option>silent</option>
+ </term>
+ <listitem>
+ <para>
+ Don't print informative messages.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ <option>superuser=<replaceable>account</replaceable></option>
+ </term>
+ <listitem>
+ <para>
+ Handle <replaceable>account</replaceable> as root.
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </refsect1>
+
+ <refsect1 id="pam_rhosts-services">
+ <title>MODULE SERVICES PROVIDED</title>
+ <para>
+ Only the <option>auth</option> service is supported.
+ </para>
+ </refsect1>
+
+ <refsect1 id='pam_rhosts-return_values'>
+ <title>RETURN VALUES</title>
+ <variablelist>
+ <varlistentry>
+ <term>PAM_AUTH_ERR</term>
+ <listitem>
+ <para>
+ The remote host, remote user name or the local user name
+ couldn't be determined or access was denied by
+ <filename>.rhosts</filename> file.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>PAM_USER_UNKNOWN</term>
+ <listitem>
+ <para>
+ User is not known to system.
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </refsect1>
+
+ <refsect1 id='pam_rhosts-examples'>
+ <title>EXAMPLES</title>
+ <para>
+ To grant a remote user access by <filename>/etc/hosts.equiv</filename>
+ or <filename>.rhosts</filename> for <command>rsh</command> add the
+ following lines to <filename>/etc/pam.d/rsh</filename>:
+ <programlisting>
+#%PAM-1.0
+#
+auth required pam_rhosts.so
+auth required pam_nologin.so
+auth required pam_env.so
+auth required pam_unix.so
+ </programlisting>
+ </para>
+ </refsect1>
+
+ <refsect1 id='pam_rhosts-see_also'>
+ <title>SEE ALSO</title>
+ <para>
+ <citerefentry>
+ <refentrytitle>rootok</refentrytitle><manvolnum>3</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>hosts.equiv</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>rhosts</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>pam.d</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+
+ <refsect1 id='pam_rhosts-author'>
+ <title>AUTHOR</title>
+ <para>
+ pam_rhosts was written by Thorsten Kukuk &lt;kukuk@thkukuk.de&gt;
+ </para>
+ </refsect1>
+
+</refentry>
diff --git a/modules/pam_rhosts/pam_rhosts.c b/modules/pam_rhosts/pam_rhosts.c
new file mode 100644
index 00000000..8e120614
--- /dev/null
+++ b/modules/pam_rhosts/pam_rhosts.c
@@ -0,0 +1,155 @@
+/*
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, and the entire permission notice in its entirety,
+ * including the disclaimer of warranties.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ * products derived from this software without specific prior
+ * written permission.
+ *
+ * ALTERNATIVELY, this product may be distributed under the terms of
+ * the GNU Public License, in which case the provisions of the GPL are
+ * required INSTEAD OF the above restrictions. (This clause is
+ * necessary due to a potential bad interaction between the GPL and
+ * the restrictions contained in a BSD-style copyright.)
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+#include "config.h"
+
+#include <pwd.h>
+#include <netdb.h>
+#include <string.h>
+#include <syslog.h>
+
+#define PAM_SM_AUTH /* only defines this management group */
+
+#include <security/pam_modules.h>
+#include <security/pam_modutil.h>
+#include <security/pam_ext.h>
+
+PAM_EXTERN
+int pam_sm_authenticate (pam_handle_t *pamh, int flags, int argc,
+ const char **argv)
+{
+ const char *luser = NULL;
+ const char *ruser = NULL, *rhost = NULL;
+ const char *opt_superuser = NULL;
+ const void *c_void;
+ int opt_debug = 0;
+ int opt_silent;
+ int as_root;
+ int retval;
+
+ opt_silent = flags & PAM_SILENT;
+
+ while (argc-- > 0) {
+ if (strcmp(*argv, "debug") == 0)
+ opt_debug = 1;
+ else if (strcmp (*argv, "silent") == 0 || strcmp(*argv, "suppress") == 0)
+ opt_silent = 1;
+ else if (strncmp(*argv, "superuser=", sizeof("superuser=")-1) == 0)
+ opt_superuser = *argv+sizeof("superuser=")-1;
+ else
+ pam_syslog(pamh, LOG_WARNING, "unrecognized option '%s'", *argv);
+
+ ++argv;
+ }
+
+ retval = pam_get_item (pamh, PAM_RHOST, &c_void);
+ if (retval != PAM_SUCCESS) {
+ pam_syslog(pamh, LOG_ERR, "could not get the remote host name");
+ return retval;
+ }
+ rhost = c_void;
+
+ retval = pam_get_item(pamh, PAM_RUSER, &c_void);
+ ruser = c_void;
+ if (retval != PAM_SUCCESS) {
+ pam_syslog(pamh, LOG_ERR, "could not get the remote username");
+ return retval;
+ }
+
+ retval = pam_get_user(pamh, &luser, NULL);
+ if (retval != PAM_SUCCESS) {
+ pam_syslog(pamh, LOG_ERR, "could not determine name of local user");
+ return retval;
+ }
+
+ if (rhost == NULL || ruser == NULL || luser == NULL)
+ return PAM_AUTH_ERR;
+
+ if (opt_superuser && strcmp(opt_superuser, luser) == 0)
+ as_root = 1;
+ else {
+ struct passwd *lpwd;
+
+ lpwd = pam_modutil_getpwnam(pamh, luser);
+ if (lpwd == NULL) {
+ if (opt_debug)
+ /* don't print by default, could be the users password */
+ pam_syslog(pamh, LOG_DEBUG,
+ "user '%s' unknown to this system", luser);
+ return PAM_USER_UNKNOWN;
+
+ }
+ as_root = (lpwd->pw_uid == 0);
+ }
+
+#ifdef HAVE_RUSEROK_AF
+ retval = ruserok_af (rhost, as_root, ruser, luser, PF_UNSPEC);
+#else
+ retval = ruserok (rhost, as_root, ruser, luser);
+#endif
+ if (retval != 0) {
+ if (!opt_silent || opt_debug)
+ pam_syslog(pamh, LOG_WARNING, "denied access to %s@%s as %s",
+ ruser, rhost, luser);
+ return PAM_AUTH_ERR;
+ } else {
+ if (!opt_silent || opt_debug)
+ pam_syslog(pamh, LOG_NOTICE, "allowed access to %s@%s as %s",
+ ruser, rhost, luser);
+ return PAM_SUCCESS;
+ }
+}
+
+
+PAM_EXTERN int
+pam_sm_setcred (pam_handle_t *pamh UNUSED, int flags UNUSED,
+ int argc UNUSED, const char **argv UNUSED)
+{
+ return PAM_SUCCESS;
+}
+
+
+#ifdef PAM_STATIC
+
+/* static module data */
+
+struct pam_module _pam_rhosts_modstruct = {
+ "pam_rhosts",
+ pam_sm_authenticate,
+ pam_sm_setcred,
+ NULL,
+ NULL,
+ NULL,
+ NULL,
+};
+
+#endif
diff --git a/modules/pam_rhosts/tst-pam_rhosts b/modules/pam_rhosts/tst-pam_rhosts
index 6b14ec51..65e85a98 100755
--- a/modules/pam_rhosts/tst-pam_rhosts
+++ b/modules/pam_rhosts/tst-pam_rhosts
@@ -1,2 +1,2 @@
#!/bin/sh
-../../tests/tst-dlopen .libs/pam_rhosts_auth.so
+../../tests/tst-dlopen .libs/pam_rhosts.so
diff --git a/modules/pam_rhosts/tst-pam_rhosts_auth b/modules/pam_rhosts/tst-pam_rhosts_auth
new file mode 100755
index 00000000..6b14ec51
--- /dev/null
+++ b/modules/pam_rhosts/tst-pam_rhosts_auth
@@ -0,0 +1,2 @@
+#!/bin/sh
+../../tests/tst-dlopen .libs/pam_rhosts_auth.so
diff --git a/modules/pam_rootok/pam_rootok.8 b/modules/pam_rootok/pam_rootok.8
index b1436f79..79618050 100644
--- a/modules/pam_rootok/pam_rootok.8
+++ b/modules/pam_rootok/pam_rootok.8
@@ -1,11 +1,11 @@
.\" Title: pam_rootok
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
-.\" Date: 06/04/2006
+.\" Date: 06/23/2006
.\" Manual: Linux\-PAM Manual
.\" Source: Linux\-PAM Manual
.\"
-.TH "PAM_ROOTOK" "8" "06/04/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.TH "PAM_ROOTOK" "8" "06/23/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)