Diffstat (limited to 'doc/pam_source.sgml')
-rw-r--r-- | doc/pam_source.sgml | 95 |
1 files changed, 48 insertions, 47 deletions
diff --git a/doc/pam_source.sgml b/doc/pam_source.sgml index d24a53a3..160e9293 100644 --- a/doc/pam_source.sgml +++ b/doc/pam_source.sgml @@ -46,7 +46,7 @@ DAMAGE. <title>The Linux-PAM System Administrators' Guide <author>Andrew G. Morgan, <tt>morgan@kernel.org</tt> -<date>DRAFT v0.75 2001/03/18 +<date>DRAFT v0.76 2001/12/08 <abstract> This manual documents what a system-administrator needs to know about the <bf>Linux-PAM</bf> library. It covers the correct syntax of the @@ -103,7 +103,7 @@ locally with a system file, <tt>/etc/pam.conf</tt> (or a series of configuration files located in <tt>/etc/pam.d/</tt>) to authenticate a user request via the locally available authentication modules. The modules themselves will usually be located in the directory -<tt>/usr/lib/security</tt> and take the form of dynamically loadable +<tt>/lib/security</tt> and take the form of dynamically loadable object files (see <tt/dlopen(3)/). <sect>Some comments on the text<label id="text-conventions"> @@ -122,11 +122,12 @@ directly from the text. <p> As an example of the above, where it is explicit, the text assumes that PAM loadable object files (the <em/modules/) are to be located in -the following directory: <tt>/usr/lib/security/</tt>. However, Red Hat -Linux, in agreement with the Linux File System Standard (the FSSTND), -places these files in <tt>/lib/security</tt>. Please be careful to -perform the necessary transcription when using the examples from the -text. +the following directory: <tt>/lib/security/</tt>. This is generally +the location that seems to be compatible with the Linux File System +Standard (the FSSTND). On Solaris, which has its own licensed version +of PAM, and some other implementations of UN*X, these files can be +found in <tt>/usr/lib/security</tt>. Please be careful to perform the +necessary transcription when using the examples from the text. <sect>Overview<label id="overview-section"> 
@@ -513,10 +514,10 @@ The <tt/actionI/ can be a positive integer or one of the following tokens: <tt/ignore/; <tt/ok/; <tt/done/; <tt/bad/; <tt/die/; and <tt/reset/. A positive integer, <tt/J/, when specified as the action, can be used to indicate that the next <em/J/ modules of the current -type will be skipped. In this way, the administrator can develop a -moderately sophisticated stack of modules with a number of different -paths of execution. Which path is taken can be determined by the -reactions of individual modules. +module-type will be skipped. In this way, the administrator can +develop a moderately sophisticated stack of modules with a number of +different paths of execution. Which path is taken can be determined +by the reactions of individual modules. <p> <itemize> @@ -553,7 +554,7 @@ transport protocol inherent to the client/server application. With the ``<tt/[ ... value=action ... ]/'' control syntax, it is possible for an application to be configured to support binary prompts with compliant clients, but to gracefully fall over into an alternative -authentication mode for older, legacy, applications. Flexible eh? +authentication mode for older, legacy, applications. <tag> <tt/module-path/</tag> @@ -561,8 +562,8 @@ The path-name of the dynamically loadable object file; <em/the pluggable module/ itself. If the first character of the module path is `<tt>/</tt>', it is assumed to be a complete path. If this is not the case, the given module path is appended to the default module path: -<tt>/usr/lib/security</tt> (but see the notes <ref -id="text-conventions" name="above">). +<tt>/lib/security</tt> (but see the notes <ref id="text-conventions" +name="above">). <tag> <tt/args/</tag> 
@@ -740,10 +741,10 @@ setting (which is not a bad place to start!): # # default; deny access # -OTHER auth required /usr/lib/security/pam_deny.so -OTHER account required /usr/lib/security/pam_deny.so -OTHER password required /usr/lib/security/pam_deny.so -OTHER session required /usr/lib/security/pam_deny.so +OTHER auth required pam_deny.so +OTHER account required pam_deny.so +OTHER password required pam_deny.so +OTHER session required pam_deny.so </verb> </tscreen> Whilst fundamentally a secure default, this is not very sympathetic to @@ -765,8 +766,8 @@ would provide a suitable warning to the administrator. # # default; wake up! This application is not configured # -OTHER auth required /usr/lib/security/pam_warn.so -OTHER password required /usr/lib/security/pam_warn.so +OTHER auth required pam_warn.so +OTHER password required pam_warn.so </verb> </tscreen> Having two ``<tt/OTHER auth/'' lines is an example of stacking. @@ -779,12 +780,12 @@ corresponding default setup would be achieved with the following file: # # default configuration: /etc/pam.d/other # -auth required /usr/lib/security/pam_warn.so -auth required /usr/lib/security/pam_deny.so -account required /usr/lib/security/pam_deny.so -password required /usr/lib/security/pam_warn.so -password required /usr/lib/security/pam_deny.so -session required /usr/lib/security/pam_deny.so +auth required pam_warn.so +auth required pam_deny.so +account required pam_deny.so +password required pam_warn.so +password required pam_deny.so +session required pam_deny.so </verb> </tscreen> This is the only explicit example we give for an <tt>/etc/pam.d/</tt> 
@@ -799,12 +800,12 @@ mimic the historically familiar Linux setup. <tscreen> <verb> # -# default; standard UNIX access +# default; standard UN*X access # -OTHER auth required /usr/lib/security/pam_unix_auth.so -OTHER account required /usr/lib/security/pam_unix_acct.so -OTHER password required /usr/lib/security/pam_unix_passwd.so -OTHER session required /usr/lib/security/pam_unix_session.so +OTHER auth required pam_unix.so +OTHER account required pam_unix.so +OTHER password required pam_unix.so +OTHER session required pam_unix.so </verb> </tscreen> In general this will provide a starting place for most applications. @@ -821,13 +822,13 @@ may be subject to change or the application will be fixed.) <verb> # # ftpd; add ftp-specifics. These lines enable anonymous ftp over -# standard UNIX access (the listfile entry blocks access to +# standard UN*X access (the listfile entry blocks access to # users listed in /etc/ftpusers) # -ftpd auth sufficient /usr/lib/security/pam_ftp.so -ftpd auth required /usr/lib/security/pam_unix_auth.so use_first_pass -ftpd auth required /usr/lib/security/pam_listfile.so \ - onerr=succeed item=user sense=deny file=/etc/ftpusers +ftpd auth sufficient pam_ftp.so +ftpd auth required pam_unix_auth.so use_first_pass +ftpd auth required pam_listfile.so \ + onerr=succeed item=user sense=deny file=/etc/ftpusers </verb> </tscreen> Note, the second line is necessary since the default entries are 
@@ -837,15 +838,15 @@ Again, this is an example of authentication module stacking. Note the use of the <tt/sufficient/ control-flag. It says that ``if this module authenticates the user, ignore the subsequent <tt/auth/ modules''. Also note the use of the ``<tt/use_first_pass/'' -module-argument, this instructs the UNIX authentication module that it -is not to prompt for a password but rely one already having been -obtained by the ftp module. +module-argument, this instructs the UN*X authentication module that it +is not to prompt for a password but rely on one already having been +obtained by the <tt/pam_ftp/ module. <sect>Security issues of Linux-PAM <p> -This section will discuss good practices for using Linux-PAM in a -secure manner. <em>It is currently sadly lacking...suggestions are +This section will discuss good practices for using PAM in a secure +manner. <em>It is currently sadly lacking...suggestions are welcome!</em> <sect1>If something goes wrong @@ -906,10 +907,10 @@ Here's how you make your configs nice again: and then use vi to create a file called "other" in this directory. It should contain the following four lines: - auth required pam_unix_auth.so - account required pam_unix_acct.so - password required pam_unix_passwd.so - session required pam_unix_session.so + auth required pam_unix.so + account required pam_unix.so + password required pam_unix.so + session required pam_unix.so Now you have the simplest possible PAM configuration that will work the way you're used to. Everything should @@ -990,7 +991,7 @@ the examples listed below. <p><descrip> -<tag><tt>/usr/lib/libpam.so.*</tt></tag> +<tag><tt>/lib/libpam.so.*</tt></tag> the shared library providing applications with access to <bf/Linux-PAM/. 
@@ -999,7 +1000,7 @@ the shared library providing applications with access to the <bf/Linux-PAM/ configuration file. -<tag><tt>/usr/lib/security/pam_*.so</tt></tag> +<tag><tt>/lib/security/pam_*.so</tt></tag> the primary location for <bf/Linux-PAM/ dynamically loadable object files; the modules.
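Review bot: the rewritten text-conventions paragraph (hunk @@ -122,11 +122,12) hedges twice ("generally the location that seems to be compatible") where the hunk at line 103 in the same patch states flatly that modules "will usually be located in /lib/security"; pick one position and say it plainly, e.g. "the following directory: /lib/security/, the location the Linux filesystem standard prescribes for essential shared libraries". If the standard is named, note that the FSSTND was superseded by the FHS; the paragraph's point about Solaris and other UN*X variants keeping modules under /usr/lib/security is the part readers actually need, so lead with that.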
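Review bot: in the module-path description (hunk @@ -561,8 +562,8) the default module path is still hard-coded as a single literal, now /lib/security, even though the text-conventions note in this same patch says other implementations use /usr/lib/security; the default is whatever the library was built with, so phrase it that way, e.g. "appended to the default module path (/lib/security on Linux-PAM; but see the notes above)". Worth adding one sentence here too: because every later example in this patch drops the absolute path and uses a bare pam_*.so name, the examples only work when the installed module directory matches that built-in default.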
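Review bot: in the /etc/pam.d/other example (hunk @@ -779,12 +780,12) only the auth and password stacks get pam_warn.so ahead of pam_deny.so, so an unconfigured application whose first PAM call is account or session management is denied without the "wake up! This application is not configured" warning the preceding text promises the administrator; consider adding "account required pam_warn.so" and "session required pam_warn.so" before the corresponding pam_deny.so lines so the warning fires whichever management group is reached first. The switch from absolute paths to bare module names in hunks @@ -740 and @@ -765 is fine and makes the examples portable across the two module directories the patch discusses.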
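Review bot: the ftpd example (hunk @@ -821,13 +822,13) still loads pam_unix_auth.so ("ftpd auth required pam_unix_auth.so use_first_pass") while every other example in this patch, including the "standard UN*X access" defaults immediately above it, is migrated to pam_unix.so; change it to "ftpd auth required pam_unix.so use_first_pass" so the ftp stack does not reference a module name the rest of the document no longer uses. Separately, the pam_listfile line keeps onerr=succeed, which makes the /etc/ftpusers block fail open if the file is missing or unreadable; since the comment says the entry exists to block access, onerr=fail is the safer setting, or the text should at least call out the trade-off.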
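Review bot: the recovery instructions (hunk @@ -906,10 +907,10) now tell the administrator to type four bare "pam_unix.so" lines into /etc/pam.d/other, which only restores access if pam_unix.so actually exists in the library's default module directory; since this patch itself documents that the directory moved from /usr/lib/security to /lib/security and that other systems still use the old one, add a step before editing the file, e.g. "check that ls /lib/security/pam_unix.so succeeds; if your modules are elsewhere, use the full path instead", otherwise a locked-out administrator gets a second silent failure. Also, the body text in hunk @@ -837 now says "using PAM" while the section heading still reads "Security issues of Linux-PAM"; make the two agree.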