Diffstat (limited to 'doc')
141 files changed, 0 insertions, 13354 deletions
diff --git a/doc/.cvsignore b/doc/.cvsignore deleted file mode 100644 index 407e0ce1..00000000 --- a/doc/.cvsignore +++ /dev/null @@ -1,4 +0,0 @@ -pam.sgml -MODULES-SGML -Makefile -Makefile.in diff --git a/doc/Makefile.am b/doc/Makefile.am deleted file mode 100644 index 4a300e15..00000000 --- a/doc/Makefile.am +++ /dev/null @@ -1,22 +0,0 @@ -# -# Copyright (c) 2005, 2006 Thorsten Kukuk <kukuk@suse.de> -# - -SUBDIRS = man specs sag adg mwg - -CLEANFILES = *~ - -dist_html_DATA = index.html - -####################################################### - -releasedocs: all - $(mkinstalldirs) $(top_builddir)/Linux-PAM-$(VERSION)/doc/specs - cp -av specs/draft-morgan-pam-current.txt \ - $(top_builddir)/Linux-PAM-$(VERSION)/doc/specs/ - cp -av $(srcdir)/specs/rfc86.0.txt \ - $(top_builddir)/Linux-PAM-$(VERSION)/doc/specs/ - make -C sag releasedocs - make -C adg releasedocs - make -C mwg releasedocs - diff --git a/doc/adg/.cvsignore b/doc/adg/.cvsignore deleted file mode 100644 index d9b71235..00000000 --- a/doc/adg/.cvsignore +++ /dev/null @@ -1,7 +0,0 @@ -Makefile -Makefile.in -*~ -html -*.fo -*.pdf -*.txt diff --git a/doc/adg/Linux-PAM_ADG.xml b/doc/adg/Linux-PAM_ADG.xml deleted file mode 100644 index 54df797d..00000000 --- a/doc/adg/Linux-PAM_ADG.xml +++ /dev/null 
@@ -1,779 +0,0 @@ -<?xml version='1.0' encoding='UTF-8'?> -<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN" - "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"> -<book id="adg"> - <bookinfo> - <title>The Linux-PAM Application Developers' Guide</title> - <authorgroup> - <author> - <firstname>Andrew G.</firstname> - <surname>Morgan</surname> - <email>morgan@kernel.org</email> - </author> - <author> - <firstname>Thorsten</firstname> - <surname>Kukuk</surname> - <email>kukuk@thkukuk.de</email> - </author> - </authorgroup> - <releaseinfo>Version 0.99.6.0, 5. August 2006</releaseinfo> - <abstract> - <para> - This manual documents what an application developer needs to know - about the <emphasis remap='B'>Linux-PAM</emphasis> library. It - describes how an application might use the - <emphasis remap='B'>Linux-PAM</emphasis> library to authenticate - users. In addition it contains a description of the funtions - to be found in <filename>libpam_misc</filename> library, that can - be used in general applications. Finally, it contains some comments - on PAM related security issues for the application developer. - </para> - </abstract> - </bookinfo> - - <chapter id="adg-introduction"> - <title>Introduction</title> - <section id="adg-introduction-description"> - <title>Description</title> - <para> - <emphasis remap='B'>Linux-PAM</emphasis> - (Pluggable Authentication Modules for Linux) is a library that enables - the local system administrator to choose how individual applications - authenticate users. For an overview of the - <emphasis remap='B'>Linux-PAM</emphasis> library see the - <emphasis>Linux-PAM System Administrators' Guide</emphasis>. - </para> - <para> - It is the purpose of the <emphasis remap='B'>Linux-PAM</emphasis> - project to liberate the development of privilege granting software - from the development of secure and appropriate authentication schemes. 
- This is accomplished by providing a documented library of functions - that an application may use for all forms of user authentication - management. This library dynamically loads locally configured - authentication modules that actually perform the authentication tasks. - </para> - <para> - From the perspective of an application developer the information - contained in the local configuration of the PAM library should not be - important. Indeed it is intended that an application treat the - functions documented here as a 'black box' that will deal with all - aspects of user authentication. 'All aspects' includes user - verification, account management, session initialization/termination - and also the resetting of passwords - (<emphasis>authentication tokens</emphasis>). - </para> - </section> - - <section id="adg-introduction-synopsis"> - <title>Synopsis</title> - <para> - For general applications that wish to use the services provided by - <emphasis remap='B'>Linux-PAM</emphasis> the following is a summary - of the relevant linking information: - <programlisting> -#include <security/pam_appl.h> - -cc -o application .... -lpam - </programlisting> - </para> - <para> - In addition to <command>libpam</command>, there is a library of - miscellaneous functions that make the job of writing - <emphasis>PAM-aware</emphasis> applications easier (this library is not - covered in the DCE-RFC for PAM and is specific to the Linux-PAM - distribution): - <programlisting> -#include <security/pam_appl.h> -#include <security/pam_misc.h> - -cc -o application .... -lpam -lpam_misc - </programlisting> - </para> - </section> - </chapter> - - <chapter id="adg-overview"> - <title>Overview</title> - <para> - Most service-giving applications are restricted. In other words, - their service is not available to all and every prospective client. 
- Instead, the applying client must jump through a number of hoops to - convince the serving application that they are authorized to obtain - service. - </para> - <para> - The process of <emphasis>authenticating</emphasis> a client is what - PAM is designed to manage. In addition to authentication, PAM provides - account management, credential management, session management and - authentication-token (password changing) management services. It is - important to realize when writing a PAM based application that these - services are provided in a manner that is - <emphasis remap='B'>transparent</emphasis> to the application. That is - to say, when the application is written, no assumptions can be made - about <emphasis>how</emphasis> the client will be authenticated. - </para> - <para> - The process of authentication is performed by the PAM library via a - call to <function>pam_authenticate()</function>. The return value - of this function will indicate whether a named client (the - <emphasis>user</emphasis>) has been authenticated. If the PAM library - needs to prompt the user for any information, such as their - <emphasis>name</emphasis> or a <emphasis>password</emphasis> - then it will do so. If the PAM library is configured to authenticate - the user using some silent protocol, it will do this too. (This - latter case might be via some hardware interface for example.) - </para> - <para> - It is important to note that the application must leave all decisions - about when to prompt the user at the discretion of the PAM library. - </para> - <para> - The PAM library, however, must work equally well for different styles - of application. Some applications, like the familiar - <command>login</command> and <command>passwd</command> are terminal - based applications, exchanges of information with the client in - these cases is as plain text messages. Graphically based applications, - however, have a more sophisticated interface. 
They generally interact - with the user via specially constructed dialogue boxes. Additionally, - network based services require that text messages exchanged with the - client are specially formatted for automated processing: one such - example is <command>ftpd</command> which prefixes each exchanged - message with a numeric identifier. - </para> - <para> - The presentation of simple requests to a client is thus something very - dependent on the protocol that the serving application will use. In - spite of the fact that PAM demands that it drives the whole - authentication process, it is not possible to leave such protocol - subtleties up to the PAM library. To overcome this potential problem, - the application provides the PAM library with a - <emphasis>conversation</emphasis> function. This function is called - from <emphasis>within</emphasis> the PAM library and enables the PAM - to directly interact with the client. The sorts of things that this - conversation function must be able to do are prompt the user with - text and/or obtain textual input from the user for processing by the - PAM library. The details of this function are provided in a later - section. - </para> - <para> - For example, the conversation function may be called by the PAM - library with a request to prompt the user for a password. Its job is - to reformat the prompt request into a form that the client will - understand. In the case of <command>ftpd</command>, this might involve - prefixing the string with the number <command>331</command> and sending - the request over the network to a connected client. The conversation - function will then obtain any reply and, after extracting the typed - password, will return this string of text to the PAM library. Similar - concerns need to be addressed in the case of an X-based graphical - server. - </para> - <para> - There are a number of issues that need to be addressed when one is - porting an existing application to become PAM compliant. 
A section - below has been devoted to this: Porting legacy applications. - </para> - <para> - Besides authentication, PAM provides other forms of management. - Session management is provided with calls to - <function>pam_open_session()</function> and - <function>pam_close_session()</function>. What these functions - actually do is up to the local administrator. But typically, they - could be used to log entry and exit from the system or for mounting - and unmounting the user's home directory. If an application provides - continuous service for a period of time, it should probably call - these functions, first open after the user is authenticated and then - close when the service is terminated. - </para> - <para> - Account management is another area that an application developer - should include with a call to <function>pam_acct_mgmt()</function>. - This call will perform checks on the good health of the user's account - (has it expired etc.). One of the things this function may check is - whether the user's authentication token has expired - in such a case the - application may choose to attempt to update it with a call to - <function>pam_chauthtok()</function>, although some applications - are not suited to this task (<command>ftp</command> for example) - and in this case the application should deny access to the user. - </para> - <para> - PAM is also capable of setting and deleting the users credentials with - the call <function>pam_setcred()</function>. This function should - always be called after the user is authenticated and before service - is offered to the user. By convention, this should be the last call - to the PAM library before the PAM session is opened. What exactly a - credential is, is not well defined. However, some examples are given - in the glossary below. 
- </para> - </chapter> - - <chapter id="adg-interface"> - <title> - The public interface to <emphasis remap='B'>Linux-PAM</emphasis> - </title> - <para> - Firstly, the relevant include file for the - <emphasis remap='B'>Linux-PAM</emphasis> library is - <function><security/pam_appl.h></function>. - It contains the definitions for a number of functions. After - listing these functions, we collect some guiding remarks for - programmers. - </para> - <section id="adg-interface-by-app-expected"> - <title>What can be expected by the application</title> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_start.xml"/> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_end.xml"/> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_set_item.xml"/> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_get_item.xml"/> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_strerror.xml"/> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_fail_delay.xml"/> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_authenticate.xml"/> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_setcred.xml"/> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_acct_mgmt.xml"/> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_chauthtok.xml"/> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_open_session.xml"/> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_close_session.xml"/> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_putenv.xml"/> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_getenv.xml"/> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_getenvlist.xml"/> - </section> - <section id="adg-interface-of-app-expected"> - <title>What is expected of an application</title> - <xi:include 
xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_conv.xml"/> - </section> - <section id="adg-interface-programming-notes"> - <title>Programming notes</title> - <para> - Note, all of the authentication service function calls accept the - token <emphasis remap='B'>PAM_SILENT</emphasis>, which instructs - the modules to not send messages to the application. This token - can be logically OR'd with any one of the permitted tokens specific - to the individual function calls. - <emphasis remap='B'>PAM_SILENT</emphasis> does not override the - prompting of the user for passwords etc., it only stops informative - messages from being generated. - </para> - </section> - </chapter> - - <chapter id="adg-security"> - <title> - Security issues of <emphasis remap='B'>Linux-PAM</emphasis> - </title> - <para> - PAM, from the perspective of an application, is a convenient API for - authenticating users. PAM modules generally have no increased - privilege over that possessed by the application that is making use of - it. For this reason, the application must take ultimate responsibility - for protecting the environment in which PAM operates. - </para> - <para> - A poorly (or maliciously) written application can defeat any - <emphasis remap='B'>Linux-PAM</emphasis> module's authentication - mechanisms by simply ignoring it's return values. It is the - applications task and responsibility to grant privileges and access - to services. The <emphasis remap='B'>Linux-PAM</emphasis> library - simply assumes the responsibility of <emphasis>authenticating</emphasis> - the user; ascertaining that the user <emphasis>is</emphasis> who they - say they are. Care should be taken to anticipate all of the documented - behavior of the <emphasis remap='B'>Linux-PAM</emphasis> library - functions. A failure to do this will most certainly lead to a future - security breach. 
- </para> - - <section id="adg-security-library-calls"> - <title>Care about standard library calls</title> - <para> - In general, writers of authorization-granting applications should - assume that each module is likely to call any or - <emphasis>all</emphasis> 'libc' functions. For 'libc' functions - that return pointers to static/dynamically allocated structures - (ie. the library allocates the memory and the user is not expected - to '<function>free()</function>' it) any module call to this - function is likely to corrupt a pointer previously - obtained by the application. The application programmer should - either re-call such a 'libc' function after a call to the - <emphasis remap='B'>Linux-PAM</emphasis> library, or copy the - structure contents to some safe area of memory before passing - control to the <emphasis remap='B'>Linux-PAM</emphasis> library. - </para> - <para> - Two important function classes that fall into this category are - <citerefentry> - <refentrytitle>getpwnam</refentrytitle><manvolnum>3</manvolnum> - </citerefentry> and <citerefentry> - <refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum> - </citerefentry>. - </para> - </section> - - <section id="adg-security-service-name"> - <title>Choice of a service name</title> - <para> - When picking the <emphasis>service-name</emphasis> that - corresponds to the first entry in the - <emphasis remap='B'>Linux-PAM</emphasis> configuration file, - the application programmer should <emphasis>avoid</emphasis> - the temptation of choosing something related to - <varname>argv[0]</varname>. It is a trivial matter for any user - to invoke any application on a system under a different name and - this should not be permitted to cause a security breach. - </para> - <para> - In general, this is always the right advice if the program is - setuid, or otherwise more privileged than the user that invokes - it. 
In some cases, avoiding this advice is convenient, but as an - author of such an application, you should consider well the ways - in which your program will be installed and used. (Its often the - case that programs are not intended to be setuid, but end up - being installed that way for convenience. If your program falls - into this category, don't fall into the trap of making this mistake.) - </para> - <para> - To invoke some <emphasis>target</emphasis> application by - another name, the user may symbolically link the target application - with the desired name. To be precise all the user need do is, - <command>ln -s /target/application ./preferred_name</command> - and then run <command>./preferred_name</command>. - </para> - <para> - By studying the <emphasis remap='B'>Linux-PAM</emphasis> - configuration file(s), an attacker can choose the - <command>preferred_name</command> to be that of a service enjoying - minimal protection; for example a game which uses - <emphasis remap='B'>Linux-PAM</emphasis> to restrict access to - certain hours of the day. If the service-name were to be linked - to the filename under which the service was invoked, it - is clear that the user is effectively in the position of - dictating which authentication scheme the service uses. Needless - to say, this is not a secure situation. - </para> - <para> - The conclusion is that the application developer should carefully - define the service-name of an application. The safest thing is to - make it a single hard-wired name. - </para> - </section> - - <section id="adg-security-conv-function"> - <title>The conversation function</title> - <para> - Care should be taken to ensure that the <function>conv()</function> - function is robust. Such a function is provided in the library - <command>libpam_misc</command> (see - <link linkend="adg-libpam-functions">below</link>). 
- </para> - </section> - - <section id="adg-security-usre-identity"> - <title>The identity of the user</title> - <para> - The <emphasis remap='B'>Linux-PAM</emphasis> modules will need - to determine the identity of the user who requests a service, - and the identity of the user who grants the service. These two - users will seldom be the same. Indeed there is generally a third - user identity to be considered, the new (assumed) identity of - the user once the service is granted. - </para> - <para> - The need for keeping tabs on these identities is clearly an - issue of security. One convention that is actively used by - some modules is that the identity of the user requesting a - service should be the current <emphasis>UID</emphasis> - (userid) of the running process; the identity of the - privilege granting user is the <emphasis>EUID</emphasis> - (effective userid) of the running process; the identity of - the user, under whose name the service will be executed, is - given by the contents of the <emphasis>PAM_USER</emphasis> - <citerefentry> - <refentrytitle>pam_get_item</refentrytitle><manvolnum>3</manvolnum> - </citerefentry>. Note, modules can change the values of - <emphasis>PAM_USER</emphasis> and <emphasis>PAM_RUSER</emphasis> - during any of the <function>pam_*()</function> library calls. - For this reason, the application should take care to use the - <function>pam_get_item()</function> every time it wishes to - establish who the authenticated user is (or will currently be). - </para> - <para> - For network-serving databases and other applications that provide - their own security model (independent of the OS kernel) the above - scheme is insufficient to identify the requesting user. - </para> - <para> - A more portable solution to storing the identity of the requesting - user is to use the <emphasis>PAM_RUSER</emphasis> <citerefentry> - <refentrytitle>pam_get_item</refentrytitle><manvolnum>3</manvolnum> - </citerefentry>. 
The application should supply this value before - attempting to authenticate the user with - <function>pam_authenticate()</function>. How well this name can be - trusted will ultimately be at the discretion of the local - administrator (who configures PAM for your application) and a - selected module may attempt to override the value where it can - obtain more reliable data. If an application is unable to determine - the identity of the requesting entity/user, it should not call - <citerefentry> - <refentrytitle>pam_set_item</refentrytitle><manvolnum>3</manvolnum> - </citerefentry> to set <emphasis>PAM_RUSER</emphasis>. - </para> - <para> - In addition to the <emphasis>PAM_RUSER</emphasis> item, the - application should supply the <emphasis>PAM_RHOST</emphasis> - (<emphasis>requesting host</emphasis>) item. As a general rule, - the following convention for its value can be assumed: - NULL = unknown; localhost = invoked directly from the local system; - <emphasis>other.place.xyz</emphasis> = some component of the - user's connection originates from this remote/requesting host. At - present, PAM has no established convention for indicating whether - the application supports a trusted path to communication from - this host. - </para> - </section> - - <section id="adg-security-resources"> - <title>Sufficient resources</title> - <para> - Care should be taken to ensure that the proper execution of an - application is not compromised by a lack of system resources. If an - application is unable to open sufficient files to perform its service, - it should fail gracefully, or request additional resources. - Specifically, the quantities manipulated by the <citerefentry> - <refentrytitle>setrlimit</refentrytitle><manvolnum>2</manvolnum> - </citerefentry> family of commands should be taken into consideration. - </para> - <para> - This is also true of conversation prompts. 
The application should not - accept prompts of arbitrary length with out checking for resource - allocation failure and dealing with such extreme conditions gracefully - and in a mannor that preserves the PAM API. Such tolerance may be - especially important when attempting to track a malicious adversary. - </para> - </section> - </chapter> - - <chapter id='adg-libpam_misc'> - <title>A library of miscellaneous helper functions</title> - <para> - To aid the work of the application developer a library of - miscellaneous functions is provided. It is called - <command>libpam_miscy</command>, and contains a text based - conversation function, and routines for enhancing the standard - PAM-environment variable support. - </para> - <para> - The functions, structures and macros, made available by this - library can be defined by including - <function><security/pam_misc.h></function>. It should be - noted that this library is specific to - <emphasis remap='B'>Linux-PAM</emphasis> and is not referred to in - the defining DCE-RFC (see <link linkend="adg-see-also">See also</link>) - below. - </para> - <section id='adg-libpam-functions'> - <title>Functions supplied</title> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_misc_conv.xml"/> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_misc_paste_env.xml"/> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_misc_drop_env.xml"/> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_misc_setenv.xml"/> - </section> - </chapter> - - <chapter id='adg-porting'> - <title>Porting legacy applications</title> - <para> - The point of PAM is that the application is not supposed to - have any idea how the attached authentication modules will choose - to authenticate the user. So all they can do is provide a conversation - function that will talk directly to the user(client) on the modules' - behalf. 
- </para> - <para> - Consider the case that you plug a retinal scanner into the login - program. In this situation the user would be prompted: "please look - into the scanner". No username or password would be needed - all this - information could be deduced from the scan and a database lookup. The - point is that the retinal scanner is an ideal task for a "module". - </para> - <para> - While it is true that a pop-daemon program is designed with the POP - protocol in mind and no-one ever considered attaching a retinal - scanner to it, it is also the case that the "clean" PAM'ification of - such a daemon would allow for the possibility of a scanner module - being be attached to it. The point being that the "standard" - pop-authentication protocol(s) [which will be needed to satisfy - inflexible/legacy clients] would be supported by inserting an - appropriate pam_qpopper module(s). However, having rewritten popd - once in this way any new protocols can be implemented in-situ. - </para> - <para> - One simple test of a ported application would be to insert the - <command>pam_permit</command> module and see if the application - demands you type a password... In such a case, <command>xlock</command> - would fail to lock the terminal - or would at best be a screen-saver, - ftp would give password free access to all etc.. Neither of - these is a very secure thing to do, but they do illustrate how - much flexibility PAM puts in the hands of the local admin. - </para> - <para> - The key issue, in doing things correctly, is identifying what is part - of the authentication procedure (how many passwords etc..) the - exchange protocol (prefixes to prompts etc., numbers like 331 in the - case of ftpd) and what is part of the service that the application - delivers. PAM really needs to have total control in the - authentication "procedure", the conversation function should only - deal with reformatting user prompts and extracting responses from raw - input. 
- </para> - </chapter> - - <chapter id='adg-glossary'> - <title>Glossary of PAM related terms</title> - <para> - The following are a list of terms used within this document. - </para> - <variablelist> - <varlistentry> - <term>Authentication token</term> - <listitem> - <para> - Generally, this is a password. However, a user can authenticate - him/herself in a variety of ways. Updating the user's - authentication token thus corresponds to - <emphasis>refreshing</emphasis> the object they use to - authenticate themself with the system. The word password is - avoided to keep open the possibility that the authentication - involves a retinal scan or other non-textual mode of - challenge/response. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>Credentials</term> - <listitem> - <para> - Having successfully authenticated the user, PAM is able to - establish certain characteristics/attributes of the user. - These are termed <emphasis>credentials</emphasis>. Examples - of which are group memberships to perform privileged tasks - with, and <emphasis>tickets</emphasis> in the form of - environment variables etc. . Some user-credentials, such as - the user's UID and GID (plus default group memberships) are - not deemed to be PAM-credentials. It is the responsibility - of the application to grant these directly. - </para> - </listitem> - </varlistentry> - </variablelist> - </chapter> - - <chapter id='adg-example'> - <title>An example application</title> - <para> - To get a flavor of the way a <emphasis remap='B'>Linux-PAM</emphasis> - application is written we include the following example. It prompts - the user for their password and indicates whether their account - is valid on the standard output, its return code also indicates - the success (<returnvalue>0</returnvalue> for success; - <returnvalue>1</returnvalue> for failure). 
- </para> - <programlisting><![CDATA[ -/* - This program was contributed by Shane Watts - [modifications by AGM and kukuk] - - You need to add the following (or equivalent) to the - /etc/pam.d/check_user file: - # check authorization - auth required pam_unix.so - account required pam_unix.so - */ - -#include <security/pam_appl.h> -#include <security/pam_misc.h> -#include <stdio.h> - -static struct pam_conv conv = { - misc_conv, - NULL -}; - -int main(int argc, char *argv[]) -{ - pam_handle_t *pamh=NULL; - int retval; - const char *user="nobody"; - - if(argc == 2) { - user = argv[1]; - } - - if(argc > 2) { - fprintf(stderr, "Usage: check_user [username]\n"); - exit(1); - } - - retval = pam_start("check_user", user, &conv, &pamh); - - if (retval == PAM_SUCCESS) - retval = pam_authenticate(pamh, 0); /* is user really user? */ - - if (retval == PAM_SUCCESS) - retval = pam_acct_mgmt(pamh, 0); /* permitted access? */ - - /* This is where we have been authorized or not. */ - - if (retval == PAM_SUCCESS) { - fprintf(stdout, "Authenticated\n"); - } else { - fprintf(stdout, "Not Authenticated\n"); - } - - if (pam_end(pamh,retval) != PAM_SUCCESS) { /* close Linux-PAM */ - pamh = NULL; - fprintf(stderr, "check_user: failed to release authenticator\n"); - exit(1); - } - - return ( retval == PAM_SUCCESS ? 0:1 ); /* indicate success */ -} -]]> - </programlisting> - </chapter> - - <chapter id='adg-files'> - <title>Files</title> - <variablelist> - <varlistentry> - <term><filename>/usr/include/security/pam_appl.h</filename></term> - <listitem> - <para> - Header file with interfaces for - <emphasis remap='B'>Linux-PAM</emphasis> applications. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term><filename>/usr/include/security/pam_misc.h</filename></term> - <listitem> - <para> - Header file for useful library functions for making - applications easier to write. 
- </para> - </listitem> - </varlistentry> - </variablelist> - </chapter> - - <chapter id="adg-see-also"> - <title>See also</title> - <itemizedlist> - <listitem> - <para> - The Linux-PAM System Administrators' Guide. - </para> - </listitem> - <listitem> - <para> - The Linux-PAM Module Writers' Guide. - </para> - </listitem> - <listitem> - <para> - The V. Samar and R. Schemers (SunSoft), ``UNIFIED LOGIN WITH - PLUGGABLE AUTHENTICATION MODULES'', Open Software Foundation - Request For Comments 86.0, October 1995. - </para> - </listitem> - </itemizedlist> - </chapter> - - <chapter id='adg-author'> - <title>Author/acknowledgments</title> - <para> - This document was written by Andrew G. Morgan (morgan@kernel.org) - with many contributions from - Chris Adams, Peter Allgeyer, Tim Baverstock, Tim Berger, Craig S. Bell, - Derrick J. Brashear, Ben Buxton, Seth Chaiklin, Oliver Crow, Chris Dent, - Marc Ewing, Cristian Gafton, Emmanuel Galanos, Brad M. Garcia, - Eric Hester, Roger Hu, Eric Jacksch, Michael K. Johnson, David Kinchlea, - Olaf Kirch, Marcin Korzonek, Thorsten Kukuk, Stephen Langasek, - Nicolai Langfeldt, Elliot Lee, Luke Kenneth Casson Leighton, - Al Longyear, Ingo Luetkebohle, Marek Michalkiewicz, Robert Milkowski, - Aleph One, Martin Pool, Sean Reifschneider, Jan Rekorajski, Erik Troan, - Theodore Ts'o, Jeff Uphoff, Myles Uyema, Savochkin Andrey Vladimirovich, - Ronald Wahl, David Wood, John Wilmes, Joseph S. D. Yao - and Alex O. Yuriev. - </para> - <para> - Thanks are also due to Sun Microsystems, especially to Vipin Samar and - Charlie Lai for their advice. At an early stage in the development of - <emphasis remap='B'>Linux-PAM</emphasis>, Sun graciously made the - documentation for their implementation of PAM available. This act - greatly accelerated the development of - <emphasis remap='B'>Linux-PAM</emphasis>. 
- </para> - </chapter> - - <chapter id='adg-copyright'> - <title>Copyright information for this document</title> - <programlisting> -Copyright (c) 2006 Thorsten Kukuk <kukuk@thkukuk.de> -Copyright (c) 1996-2002 Andrew G. Morgan <morgan@kernel.org> - </programlisting> - <para> - Redistribution and use in source and binary forms, with or without - modification, are permitted provided that the following conditions are - met: - </para> - <programlisting> -1. Redistributions of source code must retain the above copyright - notice, and the entire permission notice in its entirety, - including the disclaimer of warranties. - -2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. - -3. The name of the author may not be used to endorse or promote - products derived from this software without specific prior - written permission. - </programlisting> - <para> - Alternatively, this product may be distributed under the terms of - the GNU General Public License (GPL), in which case the provisions - of the GNU GPL are required instead of the above restrictions. - (This clause is necessary due to a potential bad interaction between - the GNU GPL and the restrictions contained in a BSD-style copyright.) - </para> - <programlisting> -THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED -WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF -MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
-IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, -INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, -BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS -OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND -ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR -TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE -USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH - </programlisting> - </chapter> -</book> diff --git a/doc/adg/Makefile.am b/doc/adg/Makefile.am deleted file mode 100644 index 03d0c871..00000000 --- a/doc/adg/Makefile.am +++ /dev/null 
@@ -1,97 +0,0 @@ -# -# Copyright (c) 2006 Thorsten Kukuk <kukuk@thkukuk.de> -# - -CLEANFILES = Linux-PAM_ADG.fo *~ - -EXTRA_DIST = $(XMLS) - -XMLS = Linux-PAM_ADG.xml $(shell ls $(srcdir)/pam_*.xml) -DEP_XMLS = $(shell ls $(top_srcdir)/doc/man/pam_*.xml) - -if ENABLE_REGENERATE_MAN -MAINTAINERCLEANFILES = Linux-PAM_ADG.txt Linux-PAM_ADG.pdf html/*.html - -all: Linux-PAM_ADG.txt html/Linux-PAM_ADG.html Linux-PAM_ADG.pdf - -Linux-PAM_ADG.pdf: $(XMLS) $(DEP_XMLS) -if ENABLE_GENERATE_PDF - $(XMLLINT) --nonet --xinclude --postvalid --noent --noout $< - $(XSLTPROC) --stringparam generate.toc "book toc" \ - --stringparam section.autolabel 1 \ - --stringparam section.label.includes.component.label 1 \ - --stringparam toc.max.depth 3 --xinclude --nonet \ - http://docbook.sourceforge.net/release/xsl/current/fo/docbook.xsl $< > Linux-PAM_ADG.fo - $(FO2PDF) Linux-PAM_ADG.fo $@ -else - echo "No fo2pdf processor installed, skip PDF generation" -endif - -Linux-PAM_ADG.txt: $(XMLS) $(DEP_XMLS) - $(XMLLINT) --nonet --xinclude --postvalid --noent --noout $< - $(XSLTPROC) --stringparam generate.toc "book toc" \ - --stringparam section.autolabel 1 \ - --stringparam section.label.includes.component.label 1 \ - --stringparam toc.max.depth 3 --xinclude --nonet \ - http://docbook.sourceforge.net/release/xsl/current/html/docbook.xsl $< | $(BROWSER) > $@ - -html/Linux-PAM_ADG.html: $(XMLS) $(DEP_XMLS) - @test -d html || mkdir -p html - $(XMLLINT) --nonet --xinclude --postvalid --noent --noout $< - $(XSLTPROC) --stringparam base.dir html/ \ - --stringparam root.filename Linux-PAM_ADG \ - --stringparam use.id.as.filename 1 \ - --stringparam chunk.first.sections 1 \ - --stringparam section.autolabel 1 \ - --stringparam section.label.includes.component.label 1 \ - --stringparam toc.max.depth 3 --xinclude --nonet \ - http://docbook.sourceforge.net/release/xsl/current/html/chunk.xsl $< - -distclean-local: - -rm -rf html Linux-PAM_ADG.txt Linux-PAM_ADG.pdf - -endif - -install-data-local: - 
$(mkinstalldirs) $(DESTDIR)$(docdir) - $(mkinstalldirs) $(DESTDIR)$(pdfdir) - $(mkinstalldirs) $(DESTDIR)$(htmldir) - test -f html/Linux-PAM_ADG.html || exit 0; \ - $(install_sh_DATA) html/Linux-PAM_ADG.html html/adg-*.html \ - $(DESTDIR)$(htmldir)/ || \ - $(install_sh_DATA) $(srcdir)/html/Linux-PAM_ADG.html \ - $(srcdir)/html/sag-*.html \ - $(DESTDIR)$(htmldir)/ - test -f Linux-PAM_ADG.txt || exit 0; \ - $(install_sh_DATA) Linux-PAM_ADG.txt $(DESTDIR)$(docdir)/ || \ - $(install_sh_DATA) $(srcdir)/Linux-PAM_ADG.txt \ - $(DESTDIR)$(docdir)/ - test -f Linux-PAM_ADG.pdf || exit 0; \ - $(install_sh_DATA) Linux-PAM_ADG.pdf $(DESTDIR)$(pdfdir)/ || \ - $(install_sh_DATA) $(srcdir)/Linux-PAM_ADG.pdf \ - $(DESTDIR)$(pdfdir)/ - -uninstall-local: - -rm $(DESTDIR)$(htmldir)/Linux-PAM_ADG.html - -rm $(DESTDIR)$(htmldir)/adg-*.html - -rm $(DESTDIR)$(docdir)/Linux-PAM_ADG.txt - -rm $(DESTDIR)$(pdfdir)/Linux-PAM_ADG.pdf - -releasedocs: all - $(mkinstalldirs) $(top_builddir)/Linux-PAM-$(VERSION)/doc/adg/html - test -f html/Linux-PAM_ADG.html || exit 0; \ - cp -ap html/Linux-PAM_ADG.html html/adg-*.html \ - $(top_builddir)/Linux-PAM-$(VERSION)/doc/adg/html/ || \ - cp -ap $(srcdir)/html/Linux-PAM_ADG.html \ - $(srcdir)/html/adg-*.html \ - $(top_builddir)/Linux-PAM-$(VERSION)/doc/adg/html/ - test -f Linux-PAM_ADG.txt || exit 0; \ - cp -p Linux-PAM_ADG.txt \ - $(top_builddir)/Linux-PAM-$(VERSION)/doc/adg/ || \ - cp -p $(srcdir)/Linux-PAM_ADG.txt \ - $(top_builddir)/Linux-PAM-$(VERSION)/doc/adg/ - test -f Linux-PAM_ADG.pdf || exit 0; \ - cp -p Linux-PAM_ADG.pdf \ - $(top_builddir)/Linux-PAM-$(VERSION)/doc/adg/ || \ - cp -p $(srcdir)/Linux-PAM_ADG.pdf \ - $(top_builddir)/Linux-PAM-$(VERSION)/doc/adg/ diff --git a/doc/adg/pam_acct_mgmt.xml b/doc/adg/pam_acct_mgmt.xml deleted file mode 100644 index 6a3a37d2..00000000 --- a/doc/adg/pam_acct_mgmt.xml +++ /dev/null 
@@ -1,18 +0,0 @@ -<?xml version='1.0' encoding='UTF-8'?> -<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN" - "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"> -<section id='adg-pam_acct_mgmt'> - <title>Account validation management</title> - <funcsynopsis> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../man/pam_acct_mgmt.3.xml" xpointer='xpointer(//funcsynopsis[@id = "pam_acct_mgmt-synopsis"]/*)'/> - </funcsynopsis> - <section id='adg-pam_acct_mgmt-description'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../man/pam_acct_mgmt.3.xml" xpointer='xpointer(//refsect1[@id = "pam_acct_mgmt-description"]/*)'/> - </section> - <section id='adg-pam_acct_mgmt-return_values'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../man/pam_acct_mgmt.3.xml" xpointer='xpointer(//refsect1[@id = "pam_acct_mgmt-return_values"]/*)'/> - </section> -</section> diff --git a/doc/adg/pam_authenticate.xml b/doc/adg/pam_authenticate.xml deleted file mode 100644 index 2ca9b540..00000000 --- a/doc/adg/pam_authenticate.xml +++ /dev/null 
@@ -1,18 +0,0 @@ -<?xml version='1.0' encoding='UTF-8'?> -<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN" - "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"> -<section id='adg-pam_authenticate'> - <title>Authenticating the user</title> - <funcsynopsis> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../man/pam_authenticate.3.xml" xpointer='xpointer(//funcsynopsis[@id = "pam_authenticate-synopsis"]/*)'/> - </funcsynopsis> - <section id='adg-pam_authenticate-description'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../man/pam_authenticate.3.xml" xpointer='xpointer(//refsect1[@id = "pam_authenticate-description"]/*)'/> - </section> - <section id='adg-pam_authenticate-return_values'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../man/pam_authenticate.3.xml" xpointer='xpointer(//refsect1[@id = "pam_authenticate-return_values"]/*)'/> - </section> -</section> diff --git a/doc/adg/pam_chauthtok.xml b/doc/adg/pam_chauthtok.xml deleted file mode 100644 index 1c613da7..00000000 --- a/doc/adg/pam_chauthtok.xml +++ /dev/null 
@@ -1,18 +0,0 @@ -<?xml version='1.0' encoding='UTF-8'?> -<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN" - "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"> -<section id='adg-pam_chauthtok'> - <title>Updating authentication tokens</title> - <funcsynopsis> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../man/pam_chauthtok.3.xml" xpointer='xpointer(//funcsynopsis[@id = "pam_chauthtok-synopsis"]/*)'/> - </funcsynopsis> - <section id='adg-pam_chauthtok-description'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../man/pam_chauthtok.3.xml" xpointer='xpointer(//refsect1[@id = "pam_chauthtok-description"]/*)'/> - </section> - <section id='adg-pam_chauthtok-return_values'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../man/pam_chauthtok.3.xml" xpointer='xpointer(//refsect1[@id = "pam_chauthtok-return_values"]/*)'/> - </section> -</section> diff --git a/doc/adg/pam_close_session.xml b/doc/adg/pam_close_session.xml deleted file mode 100644 index 4b93fc3a..00000000 --- a/doc/adg/pam_close_session.xml +++ /dev/null 
@@ -1,18 +0,0 @@ -<?xml version='1.0' encoding='UTF-8'?> -<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN" - "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"> -<section id='adg-pam_close_session'> - <title>terminating PAM session management</title> - <funcsynopsis> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../man/pam_close_session.3.xml" xpointer='xpointer(//funcsynopsis[@id = "pam_close_session-synopsis"]/*)'/> - </funcsynopsis> - <section id='adg-pam_close_session-description'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../man/pam_close_session.3.xml" xpointer='xpointer(//refsect1[@id = "pam_close_session-description"]/*)'/> - </section> - <section id='adg-pam_close_session-return_values'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../man/pam_close_session.3.xml" xpointer='xpointer(//refsect1[@id = "pam_close_session-return_values"]/*)'/> - </section> -</section> diff --git a/doc/adg/pam_conv.xml b/doc/adg/pam_conv.xml deleted file mode 100644 index 01b75127..00000000 --- a/doc/adg/pam_conv.xml +++ /dev/null 
@@ -1,35 +0,0 @@ -<?xml version='1.0' encoding='UTF-8'?> -<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN" - "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"> -<section id='adg-pam_conv'> - <title>The conversation function</title> - <funcsynopsis> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../man/pam_conv.3.xml" xpointer='xpointer(//funcsynopsis[@id = "pam_conv-synopsis"]/*)'/> - </funcsynopsis> - <programlisting> -struct pam_message { - int msg_style; - const char *msg; -}; - -struct pam_response { - char *resp; - int resp_retcode; -}; - -struct pam_conv { - int (*conv)(int num_msg, const struct pam_message **msg, - struct pam_response **resp, void *appdata_ptr); - void *appdata_ptr; -}; - </programlisting> - <section id='adg-pam_conv-description'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../man/pam_conv.3.xml" xpointer='xpointer(//refsect1[@id = "pam_conv-description"]/*)'/> - </section> - <section id='adg-pam_conv-return_values'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../man/pam_conv.3.xml" xpointer='xpointer(//refsect1[@id = "pam_conv-return_values"]/*)'/> - </section> -</section> diff --git a/doc/adg/pam_end.xml b/doc/adg/pam_end.xml deleted file mode 100644 index efa328be..00000000 --- a/doc/adg/pam_end.xml +++ /dev/null 
@@ -1,18 +0,0 @@ -<?xml version='1.0' encoding='UTF-8'?> -<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN" - "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"> -<section id='adg-pam_end'> - <title>Termination of PAM transaction</title> - <funcsynopsis> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../man/pam_end.3.xml" xpointer='xpointer(//funcsynopsis[@id = "pam_end-synopsis"]/*)'/> - </funcsynopsis> - <section id='adg-pam_end-description'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../man/pam_end.3.xml" xpointer='xpointer(//refsect1[@id = "pam_end-description"]/*)'/> - </section> - <section id='adg-pam_end-return_values'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../man/pam_end.3.xml" xpointer='xpointer(//refsect1[@id = "pam_end-return_values"]/*)'/> - </section> -</section> diff --git a/doc/adg/pam_fail_delay.xml b/doc/adg/pam_fail_delay.xml deleted file mode 100644 index 589e1148..00000000 --- a/doc/adg/pam_fail_delay.xml +++ /dev/null @@ -1,18 +0,0 @@ -<?xml version='1.0' encoding='UTF-8'?> -<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN" - "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"> -<section id='adg-pam_fail_delay'> - <title>Request a delay on failure</title> - <funcsynopsis> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../man/pam_fail_delay.3.xml" xpointer='xpointer(//funcsynopsis[@id = "pam_fail_delay-synopsis"]/*)'/> - </funcsynopsis> - <section id='adg-pam_fail_delay-description'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../man/pam_fail_delay.3.xml" xpointer='xpointer(//refsect1[@id = "pam_fail_delay-description"]/*)'/> - </section> - <section id='adg-pam_fail_delay-return_values'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../man/pam_fail_delay.3.xml" xpointer='xpointer(//refsect1[@id = "pam_fail_delay-return_values"]/*)'/> - </section> -</section> 
diff --git a/doc/adg/pam_get_item.xml b/doc/adg/pam_get_item.xml deleted file mode 100644 index f23c734b..00000000 --- a/doc/adg/pam_get_item.xml +++ /dev/null @@ -1,18 +0,0 @@ -<?xml version='1.0' encoding='UTF-8'?> -<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN" - "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"> -<section id='adg-pam_get_item'> - <title>Getting PAM items</title> - <funcsynopsis> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../man/pam_get_item.3.xml" xpointer='xpointer(//funcsynopsis[@id = "pam_get_item-synopsis"]/*)'/> - </funcsynopsis> - <section id='adg-pam_get_item-description'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../man/pam_get_item.3.xml" xpointer='xpointer(//refsect1[@id = "pam_get_item-description"]/*)'/> - </section> - <section id='adg-pam_get_item-return_values'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../man/pam_get_item.3.xml" xpointer='xpointer(//refsect1[@id = "pam_get_item-return_values"]/*)'/> - </section> -</section> diff --git a/doc/adg/pam_getenv.xml b/doc/adg/pam_getenv.xml deleted file mode 100644 index 61d69c33..00000000 --- a/doc/adg/pam_getenv.xml +++ /dev/null 
@@ -1,18 +0,0 @@ -<?xml version='1.0' encoding='UTF-8'?> -<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN" - "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"> -<section id='adg-pam_getenv'> - <title>Get a PAM environment variable</title> - <funcsynopsis> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../man/pam_getenv.3.xml" xpointer='xpointer(//funcsynopsis[@id = "pam_getenv-synopsis"]/*)'/> - </funcsynopsis> - <section id='adg-pam_getenv-description'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../man/pam_getenv.3.xml" xpointer='xpointer(//refsect1[@id = "pam_getenv-description"]/*)'/> - </section> - <section id='adg-pam_getenv-return_values'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../man/pam_getenv.3.xml" xpointer='xpointer(//refsect1[@id = "pam_getenv-return_values"]/*)'/> - </section> -</section> diff --git a/doc/adg/pam_getenvlist.xml b/doc/adg/pam_getenvlist.xml deleted file mode 100644 index d3c2fcd3..00000000 --- a/doc/adg/pam_getenvlist.xml +++ /dev/null @@ -1,18 +0,0 @@ -<?xml version='1.0' encoding='UTF-8'?> -<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN" - "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"> -<section id='adg-pam_getenvlist'> - <title>Getting the PAM environment</title> - <funcsynopsis> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../man/pam_getenvlist.3.xml" xpointer='xpointer(//funcsynopsis[@id = "pam_getenvlist-synopsis"]/*)'/> - </funcsynopsis> - <section id='adg-pam_getenvlist-description'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../man/pam_getenvlist.3.xml" xpointer='xpointer(//refsect1[@id = "pam_getenvlist-description"]/*)'/> - </section> - <section id='adg-pam_getenvlist-return_values'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../man/pam_getenvlist.3.xml" xpointer='xpointer(//refsect1[@id = "pam_getenvlist-return_values"]/*)'/> - </section> -</section> 
diff --git a/doc/adg/pam_misc_conv.xml b/doc/adg/pam_misc_conv.xml deleted file mode 100644 index 2dc760cc..00000000 --- a/doc/adg/pam_misc_conv.xml +++ /dev/null @@ -1,14 +0,0 @@ -<?xml version='1.0' encoding='UTF-8'?> -<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN" - "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"> -<section id='adg-misc_conv'> - <title>Text based conversation function</title> - <funcsynopsis> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../man/misc_conv.3.xml" xpointer='xpointer(//funcsynopsis[@id = "misc_conv-synopsis"]/*)'/> - </funcsynopsis> - <section id='adg-misc_conv-description'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../man/misc_conv.3.xml" xpointer='xpointer(//refsect1[@id = "misc_conv-description"]/*)'/> - </section> -</section> diff --git a/doc/adg/pam_misc_drop_env.xml b/doc/adg/pam_misc_drop_env.xml deleted file mode 100644 index 956d4815..00000000 --- a/doc/adg/pam_misc_drop_env.xml +++ /dev/null @@ -1,14 +0,0 @@ -<?xml version='1.0' encoding='UTF-8'?> -<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN" - "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"> -<section id='adg-pam_misc_drop_env'> - <title>Liberating a locally saved environment</title> - <funcsynopsis> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../man/pam_misc_drop_env.3.xml" xpointer='xpointer(//funcsynopsis[@id = "pam_misc_drop_env-synopsis"]/*)'/> - </funcsynopsis> - <section id='adg-pam_misc_drop_env-description'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../man/pam_misc_drop_env.3.xml" xpointer='xpointer(//refsect1[@id = "pam_misc_drop_env-description"]/*)'/> - </section> -</section> diff --git a/doc/adg/pam_misc_paste_env.xml b/doc/adg/pam_misc_paste_env.xml deleted file mode 100644 index c6d3856b..00000000 --- a/doc/adg/pam_misc_paste_env.xml +++ /dev/null 
@@ -1,14 +0,0 @@ -<?xml version='1.0' encoding='UTF-8'?> -<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN" - "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"> -<section id='adg-pam_misc_paste_env'> - <title>Transcribing an environment to that of PAM</title> - <funcsynopsis> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../man/pam_misc_paste_env.3.xml" xpointer='xpointer(//funcsynopsis[@id = "pam_misc_paste_env-synopsis"]/*)'/> - </funcsynopsis> - <section id='adg-pam_misc_paste_env-description'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../man/pam_misc_paste_env.3.xml" xpointer='xpointer(//refsect1[@id = "pam_misc_paste_env-description"]/*)'/> - </section> -</section> diff --git a/doc/adg/pam_misc_setenv.xml b/doc/adg/pam_misc_setenv.xml deleted file mode 100644 index 3b1a32e4..00000000 --- a/doc/adg/pam_misc_setenv.xml +++ /dev/null @@ -1,14 +0,0 @@ -<?xml version='1.0' encoding='UTF-8'?> -<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN" - "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"> -<section id='adg-pam_misc_setenv'> - <title>BSD like PAM environment variable setting</title> - <funcsynopsis> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../man/pam_misc_setenv.3.xml" xpointer='xpointer(//funcsynopsis[@id = "pam_misc_setenv-synopsis"]/*)'/> - </funcsynopsis> - <section id='adg-pam_misc_setenv-description'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../man/pam_misc_setenv.3.xml" xpointer='xpointer(//refsect1[@id = "pam_misc_setenv-description"]/*)'/> - </section> -</section> diff --git a/doc/adg/pam_open_session.xml b/doc/adg/pam_open_session.xml deleted file mode 100644 index ba738a55..00000000 --- a/doc/adg/pam_open_session.xml +++ /dev/null 
@@ -1,18 +0,0 @@ -<?xml version='1.0' encoding='UTF-8'?> -<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN" - "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"> -<section id='adg-pam_open_session'> - <title>Start PAM session management</title> - <funcsynopsis> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../man/pam_open_session.3.xml" xpointer='xpointer(//funcsynopsis[@id = "pam_open_session-synopsis"]/*)'/> - </funcsynopsis> - <section id='adg-pam_open_session-description'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../man/pam_open_session.3.xml" xpointer='xpointer(//refsect1[@id = "pam_open_session-description"]/*)'/> - </section> - <section id='adg-pam_open_session-return_values'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../man/pam_open_session.3.xml" xpointer='xpointer(//refsect1[@id = "pam_open_session-return_values"]/*)'/> - </section> -</section> diff --git a/doc/adg/pam_putenv.xml b/doc/adg/pam_putenv.xml deleted file mode 100644 index e55f1a42..00000000 --- a/doc/adg/pam_putenv.xml +++ /dev/null 
@@ -1,18 +0,0 @@ -<?xml version='1.0' encoding='UTF-8'?> -<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN" - "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"> -<section id='adg-pam_putenv'> - <title>Set or change PAM environment variable</title> - <funcsynopsis> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../man/pam_putenv.3.xml" xpointer='xpointer(//funcsynopsis[@id = "pam_putenv-synopsis"]/*)'/> - </funcsynopsis> - <section id='adg-pam_putenv-description'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../man/pam_putenv.3.xml" xpointer='xpointer(//refsect1[@id = "pam_putenv-description"]/*)'/> - </section> - <section id='adg-pam_putenv-return_values'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../man/pam_putenv.3.xml" xpointer='xpointer(//refsect1[@id = "pam_putenv-return_values"]/*)'/> - </section> -</section> diff --git a/doc/adg/pam_set_item.xml b/doc/adg/pam_set_item.xml deleted file mode 100644 index 41169387..00000000 --- a/doc/adg/pam_set_item.xml +++ /dev/null @@ -1,18 +0,0 @@ -<?xml version='1.0' encoding='UTF-8'?> -<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN" - "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"> -<section id='adg-pam_set_item'> - <title>Setting PAM items</title> - <funcsynopsis> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../man/pam_set_item.3.xml" xpointer='xpointer(//funcsynopsis[@id = "pam_set_item-synopsis"]/*)'/> - </funcsynopsis> - <section id='adg-pam_set_item-description'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../man/pam_set_item.3.xml" xpointer='xpointer(//refsect1[@id = "pam_set_item-description"]/*)'/> - </section> - <section id='adg-pam_set_item-return_values'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../man/pam_set_item.3.xml" xpointer='xpointer(//refsect1[@id = "pam_set_item-return_values"]/*)'/> - </section> -</section> 
diff --git a/doc/adg/pam_setcred.xml b/doc/adg/pam_setcred.xml deleted file mode 100644 index 1d3d23cd..00000000 --- a/doc/adg/pam_setcred.xml +++ /dev/null @@ -1,18 +0,0 @@ -<?xml version='1.0' encoding='UTF-8'?> -<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN" - "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"> -<section id='adg-pam_setcred'> - <title>Setting user credentials</title> - <funcsynopsis> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../man/pam_setcred.3.xml" xpointer='xpointer(//funcsynopsis[@id = "pam_setcred-synopsis"]/*)'/> - </funcsynopsis> - <section id='adg-pam_setcred-description'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../man/pam_setcred.3.xml" xpointer='xpointer(//refsect1[@id = "pam_setcred-description"]/*)'/> - </section> - <section id='adg-pam_setcred-return_values'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../man/pam_setcred.3.xml" xpointer='xpointer(//refsect1[@id = "pam_setcred-return_values"]/*)'/> - </section> -</section> diff --git a/doc/adg/pam_start.xml b/doc/adg/pam_start.xml deleted file mode 100644 index e5ec8481..00000000 --- a/doc/adg/pam_start.xml +++ /dev/null 
@@ -1,18 +0,0 @@ -<?xml version='1.0' encoding='UTF-8'?> -<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN" - "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"> -<section id='adg-pam_start'> - <title>Initialization of PAM transaction</title> - <funcsynopsis> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../man/pam_start.3.xml" xpointer='xpointer(//funcsynopsis[@id = "pam_start-synopsis"]/*)'/> - </funcsynopsis> - <section id='adg-pam_start-description'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../man/pam_start.3.xml" xpointer='xpointer(//refsect1[@id = "pam_start-description"]/*)'/> - </section> - <section id='adg-pam_start-return_values'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../man/pam_start.3.xml" xpointer='xpointer(//refsect1[@id = "pam_start-return_values"]/*)'/> - </section> -</section> diff --git a/doc/adg/pam_strerror.xml b/doc/adg/pam_strerror.xml deleted file mode 100644 index 35b08a27..00000000 --- a/doc/adg/pam_strerror.xml +++ /dev/null @@ -1,18 +0,0 @@ -<?xml version='1.0' encoding='UTF-8'?> -<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN" - "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"> -<section id='adg-pam_strerror'> - <title>Strings describing PAM error codes</title> - <funcsynopsis> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../man/pam_strerror.3.xml" xpointer='xpointer(//funcsynopsis[@id = "pam_strerror-synopsis"]/*)'/> - </funcsynopsis> - <section id='adg-pam_strerror-description'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../man/pam_strerror.3.xml" xpointer='xpointer(//refsect1[@id = "pam_strerror-description"]/*)'/> - </section> - <section id='adg-pam_strerror-return_values'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../man/pam_strerror.3.xml" xpointer='xpointer(//refsect1[@id = "pam_strerror-return_values"]/*)'/> - </section> -</section> 
diff --git a/doc/index.html b/doc/index.html deleted file mode 100644 index 9afc8b79..00000000 --- a/doc/index.html +++ /dev/null @@ -1,21 +0,0 @@ -<html> - <head> - <title>The Linux-PAM Administration and Developer Guides</title> - </head> - <body> - <center> - <h1>The Linux-PAM Guides</h1> - </center> - <hr> - <p> - Here is the documentation for Linux-PAM. As you will see it is - currently not complete. - <p> - <ul> - <li> <a href="Linux-PAM_SAG.html">The System Administrators' Guide</a> - <li> <a href="Linux-PAM_MWG.html">The Module Writers' Guide</a> - <li> <a href="Linux-PAM_ADG.html">The Application Developers' Guide</a> - </ul> - <hr> - </body> -</html>
\ No newline at end of file diff --git a/doc/man/.cvsignore b/doc/man/.cvsignore deleted file mode 100644 index d1987738..00000000 --- a/doc/man/.cvsignore +++ /dev/null @@ -1,46 +0,0 @@ -Makefile -Makefile.in -*~ -misc_conv.3 -pam.3 -pam.8 -PAM.8 -pam_acct_mgmt.3 -pam_authenticate.3 -pam_chauthtok.3 -pam_close_session.3 -pam.conf.5 -pam_conv.3 -pam.d.5 -pam_end.3 -pam_error.3 -pam_fail_delay.3 -pam_get_data.3 -pam_getenv.3 -pam_getenvlist.3 -pam_get_item.3 -pam_get_user.3 -pam_info.3 -pam_misc_drop_env.3 -pam_misc_paste_env.3 -pam_misc_setenv.3 -pam_open_session.3 -pam_prompt.3 -pam_putenv.3 -pam_setcred.3 -pam_set_data.3 -pam_set_item.3 -pam_sm_acct_mgmt.3 -pam_sm_authenticate.3 -pam_sm_chauthtok.3 -pam_sm_close_session.3 -pam_sm_open_session.3 -pam_sm_setcred.3 -pam_start.3 -pam_strerror.3 -pam_syslog.3 -pam_verror.3 -pam_vinfo.3 -pam_vprompt.3 -pam_vsyslog.3 -pam_xauth_data.3 diff --git a/doc/man/Makefile.am b/doc/man/Makefile.am deleted file mode 100644 index 52e5caab..00000000 --- a/doc/man/Makefile.am +++ /dev/null 
@@ -1,56 +0,0 @@ -# -# Copyright (c) 2006, 2007 Thorsten Kukuk <kukuk@thkukuk.de> -# - -CLEANFILES = *~ -MAINTAINERCLEANFILES = $(MANS) - -EXTRA_DIST = $(MANS) $(XMLS) - -man_MANS = pam.3 PAM.8 pam.8 pam.conf.5 pam.d.5 \ - pam_acct_mgmt.3 pam_authenticate.3 \ - pam_chauthtok.3 pam_close_session.3 pam_conv.3 \ - pam_end.3 pam_error.3 \ - pam_fail_delay.3 pam_xauth_data.3 \ - pam_get_data.3 pam_get_item.3 pam_get_user.3 pam_getenv.3 \ - pam_getenvlist.3 \ - pam_info.3 \ - pam_open_session.3 \ - pam_prompt.3 pam_putenv.3 \ - pam_set_data.3 pam_set_item.3 pam_syslog.3 \ - pam_setcred.3 pam_sm_acct_mgmt.3 pam_sm_authenticate.3 \ - pam_sm_close_session.3 pam_sm_open_session.3 pam_sm_setcred.3 \ - pam_sm_chauthtok.3 pam_start.3 pam_strerror.3 \ - pam_verror.3 pam_vinfo.3 pam_vprompt.3 pam_vsyslog.3 \ - misc_conv.3 pam_misc_paste_env.3 pam_misc_drop_env.3 \ - pam_misc_setenv.3 -XMLS = pam.3.xml pam.8.xml \ - pam_acct_mgmt.3.xml pam_authenticate.3.xml \ - pam_chauthtok.3.xml pam_close_session.3.xml pam_conv.3.xml \ - pam_end.3.xml pam_error.3.xml \ - pam_fail_delay.3.xml pam_xauth_data.3 \ - pam_get_data.3.xml pam_get_item.3.xml pam_get_user.3.xml \ - pam_getenv.3.xml pam_getenvlist.3.xml \ - pam_info.3.xml \ - pam_open_session.3.xml \ - pam_prompt.3.xml pam_putenv.3.xml \ - pam_set_data.3.xml pam_set_item.3.xml pam_syslog.3.xml \ - pam_setcred.3.xml pam_sm_acct_mgmt.3.xml pam_sm_authenticate.3.xml \ - pam_sm_close_session.3.xml pam_sm_open_session.3.xml \ - pam_sm_setcred.3.xml pam_start.3.xml pam_strerror.3.xml \ - pam_sm_chauthtok.3.xml \ - pam_item_types_std.inc.xml pam_item_types_ext.inc.xml \ - pam.conf-desc.xml pam.conf-dir.xml pam.conf-syntax.xml \ - misc_conv.3.xml pam_misc_paste_env.3.xml pam_misc_drop_env.3.xml \ - pam_misc_setenv.3.xml - -if ENABLE_REGENERATE_MAN -PAM.8: pam.8 -pam.d.5: pam.conf.5 - test -f $(srcdir)/pam\\.d.5 && mv $(srcdir)/pam\\.d.5 $(srcdir)/pam.d.5 ||: - -pam_get_item.3: pam_item_types_std.inc.xml pam_item_types_ext.inc.xml -pam_set_data.3: 
pam_item_types_std.inc.xml pam_item_types_ext.inc.xml -pam.conf.5: pam.conf-desc.xml pam.conf-dir.xml pam.conf-syntax.xml --include $(top_srcdir)/Make.xml.rules -endif diff --git a/doc/man/misc_conv.3.xml b/doc/man/misc_conv.3.xml deleted file mode 100644 index 825dd10c..00000000 --- a/doc/man/misc_conv.3.xml +++ /dev/null 
@@ -1,188 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN" - "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"> - -<refentry id="misc_conv"> - - <refmeta> - <refentrytitle>misc_conv</refentrytitle> - <manvolnum>3</manvolnum> - <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo> - </refmeta> - - <refnamediv id="misc_conv-name"> - <refname>misc_conv</refname> - <refpurpose>text based conversation function</refpurpose> - </refnamediv> - -<!-- body begins here --> - - <refsynopsisdiv> - <funcsynopsis id="misc_conv-synopsis"> - <funcsynopsisinfo>#include <security/pam_misc.h></funcsynopsisinfo> - <funcprototype> - <funcdef>void <function>misc_conv</function></funcdef> - <paramdef>int <parameter>num_msg</parameter></paramdef> - <paramdef>const struct pam_message **<parameter>msgm</parameter></paramdef> - <paramdef>struct pam_response **<parameter>response</parameter></paramdef> - <paramdef>void *<parameter>appdata_ptr</parameter></paramdef> - </funcprototype> - </funcsynopsis> - </refsynopsisdiv> - - <refsect1 id='misc_conv-description'> - <title>DESCRIPTION</title> - <para> - The <function>misc_conv</function> function is part of - <command>libpam_misc</command> and not of the standard - <command>libpam</command> library. This function will prompt - the user with the appropriate comments and obtain the appropriate - inputs as directed by authentication modules. - </para> - <para> - In addition to simply slotting into the appropriate <citerefentry> - <refentrytitle>pam_conv</refentrytitle><manvolnum>3</manvolnum> - </citerefentry>, this function provides some time-out facilities. - The function exports five variables that can be used by an - application programmer to limit the amount of time this conversation - function will spend waiting for the user to type something. 
The - five variabls are as follows: - </para> - <variablelist> - <varlistentry> - <term><type>time_t</type> <varname>pam_misc_conv_warn_time</varname>;</term> - <listitem> - <para> - This variable contains the <emphasis>time</emphasis> (as - returned by <citerefentry> - <refentrytitle>time</refentrytitle><manvolnum>2</manvolnum> - </citerefentry>) that the user should be first warned that - the clock is ticking. By default it has the value - <returnvalue>0</returnvalue>, which indicates that no such - warning will be given. The application may set its value to - sometime in the future, but this should be done prior to - passing control to the <emphasis>Linux-PAM</emphasis> library. - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term><type>const char *</type><varname>pam_misc_conv_warn_line</varname>;</term> - <listitem> - <para> - Used in conjuction with - <varname>pam_misc_conv_warn_time</varname>, this variable is - a pointer to the string that will be displayed when it becomes - time to warn the user that the timeout is approaching. Its - default value is a translated version of - <quote>...Time is running out...</quote>, but this can be - changed by the application prior to passing control to - <emphasis>Linux-PAM</emphasis>. - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term><type>time_t</type> <varname>pam_misc_conv_die_time</varname>;</term> - <listitem> - <para> - This variable contains the <emphasis>time</emphasis> (as - returned by <citerefentry> - <refentrytitle>time</refentrytitle><manvolnum>2</manvolnum> - </citerefentry>) that the will time out. By default it has - the value <returnvalue>0</returnvalue>, which indicates that - the conversation function will not timeout. The application - may set its value to sometime in the future, but this should - be done prior to passing control to the - <emphasis>Linux-PAM</emphasis> library. 
- </para> - </listitem> - </varlistentry> - - <varlistentry> - <term><type>const char *</type><varname>pam_misc_conv_die_line</varname>;</term> - <listitem> - <para> - Used in conjuction with - <varname>pam_misc_conv_die_time</varname>, this variable is - a pointer to the string that will be displayed when the - conversation times out. Its default value is a translated - version of - <quote>...Sorry, your time is up!</quote>, but this can be - changed by the application prior to passing control to - <emphasis>Linux-PAM</emphasis>. - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term><type>int</type> <varname>pam_misc_conv_died</varname>;</term> - <listitem> - <para> - Following a return from the <emphasis>Linux-PAM</emphasis> - libraray, the value of this variable indicates whether the - conversation has timed out. A value of - <returnvalue>1</returnvalue> indicates the time-out occurred. - </para> - </listitem> - </varlistentry> - </variablelist> - <para> - The following two function pointers are available for supporting - binary prompts in the conversation function. They are optimized - for the current incarnation of the <command>libpamc</command> - library and are subject to change. - </para> - <variablelist> - <varlistentry> - <term> - <type>int</type> <varname>(*pam_binary_handler_fn)</varname>(<type>void *</type><varname>appdata</varname>, <type>pamc_bp_t *</type><varname>prompt_p</varname>); - </term> - <listitem> - <para> - This function pointer is initialized to - <returnvalue>NULL</returnvalue> but can be filled with a - function that provides machine-machine (hidden) message - exchange. It is intended for use with hidden authentication - protocols such as RSA or Diffie-Hellman key exchanges. - (This is still under development.) 
- </para> - </listitem> - </varlistentry> - <varlistentry> - <term> - <type>int</type> <varname>(*pam_binary_handler_free)</varname>(<type>void *</type><varname>appdata</varname>, <type>pamc_bp_t *</type><varname>delete_me</varname>); - </term> - <listitem> - <para> - This function pointer is initialized to - <function>PAM_BP_RENEW(delete_me, 0, 0)</function>, but can be - redefined as desired by the application. - </para> - </listitem> - </varlistentry> - </variablelist> - </refsect1> - - <refsect1 id='misc_conv-see_also'> - <title>SEE ALSO</title> - <para> - <citerefentry> - <refentrytitle>pam_conv</refentrytitle><manvolnum>3</manvolnum> - </citerefentry>, - <citerefentry> - <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> - </citerefentry> - </para> - </refsect1> - - <refsect1 id='misc_conv-standards'> - <title>STANDARDS</title> - <para> - The <function>misc_conv</function> function is part of the - <command>libpam_misc</command> Library and not defined in any - standard. - </para> - </refsect1> - -</refentry> diff --git a/doc/man/pam.3.xml b/doc/man/pam.3.xml deleted file mode 100644 index 3cf71b2d..00000000 --- a/doc/man/pam.3.xml +++ /dev/null 
@@ -1,433 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN" - "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"> -<refentry id='pam3'> - - <refmeta> - <refentrytitle>pam</refentrytitle> - <manvolnum>3</manvolnum> - <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo> - </refmeta> - - <refnamediv id='pam3-name'> - <refname>pam</refname> - <refpurpose>Pluggable Authentication Modules Library</refpurpose> - </refnamediv> - - <refsynopsisdiv id='pam3-synopsis'> - <funcsynopsis> - <funcsynopsisinfo>#include <security/pam_appl.h></funcsynopsisinfo> - <funcsynopsisinfo>#include <security/pam_modules.h></funcsynopsisinfo> - <funcsynopsisinfo>#include <security/pam_ext.h></funcsynopsisinfo> - </funcsynopsis> - </refsynopsisdiv> - - <refsect1 id='pam3-description'> - <title>DESCRIPTION</title> - <para> - <emphasis remap='B'>PAM</emphasis> is a system of libraries - that handle the authentication tasks of applications (services) - on the system. The library provides a stable general interface - (Application Programming Interface - API) that privilege granting - programs (such as - <citerefentry> - <refentrytitle>login</refentrytitle><manvolnum>1</manvolnum> - </citerefentry> and <citerefentry> - <refentrytitle>su</refentrytitle><manvolnum>1</manvolnum> - </citerefentry>) - defer to to perform standard authentication tasks. - </para> - - <refsect2 id='pam3-initialization_and_cleanup'> - <title>Initialization and Cleanup</title> - <para> - The - <citerefentry> - <refentrytitle>pam_start</refentrytitle><manvolnum>3</manvolnum> - </citerefentry> function creates the PAM context and initiates the - PAM transaction. It is the first of the PAM functions that needs to - be called by an application. The transaction state is contained - entirely within the structure identified by this handle, so it is - possible to have multiple transactions in parallel. 
But it is not - possible to use the same handle for different transactions, a new - one is needed for every new context. - </para> - <para> - The - <citerefentry> - <refentrytitle>pam_end</refentrytitle><manvolnum>3</manvolnum> - </citerefentry> function terminates the PAM transaction and is the last - function an application should call in the PAM context. Upon return - the handle pamh is no longer valid and all memory associated with it - will be invalid. It can be called at any time to terminate a PAM - transaction. - </para> - </refsect2> - - <refsect2 id='pam3-authentication'> - <title>Authentication</title> - <para> - The - <citerefentry> - <refentrytitle>pam_authenticate</refentrytitle><manvolnum>3</manvolnum> - </citerefentry> - function is used to - authenticate the user. The user is required to provide an - authentication token depending upon the authentication service, - usually this is a password, but could also be a finger print. - </para> - <para> - The - <citerefentry> - <refentrytitle>pam_setcred</refentrytitle><manvolnum>3</manvolnum> - </citerefentry> - function manages the userscredentials. - </para> - </refsect2> - - <refsect2 id='pam3-account_management'> - <title>Account Management</title> - <para> - The - <citerefentry> - <refentrytitle>pam_acct_mgmt</refentrytitle><manvolnum>3</manvolnum> - </citerefentry> function is used to determine if the users account is - valid. It checks for authentication token and account expiration and - verifies access restrictions. It is typically called after the user - has been authenticated. - </para> - </refsect2> - - <refsect2 id='pam3-password_management'> - <title>Password Management</title> - <para> - The - <citerefentry> - <refentrytitle>pam_chauthtok</refentrytitle><manvolnum>3</manvolnum> - </citerefentry> function is used to change the authentication token - for a given user on request or because the token has expired. 
- </para> - </refsect2> - - <refsect2 id='pam3-session_management'> - <title>Session Management</title> - <para> - The - <citerefentry> - <refentrytitle>pam_open_session</refentrytitle><manvolnum>3</manvolnum> - </citerefentry> function sets up a user session for a previously - successful authenticated user. The session should later be terminated - with a call to - <citerefentry> - <refentrytitle>pam_close_session</refentrytitle><manvolnum>3</manvolnum> - </citerefentry>. - </para> - </refsect2> - - <refsect2 id='pam3-conversation'> - <title>Conversation</title> - <para> - The PAM library uses an application-defined callback to allow - a direct communication between a loaded module and the application. - This callback is specified by the - <emphasis>struct pam_conv</emphasis> passed to - <citerefentry> - <refentrytitle>pam_start</refentrytitle><manvolnum>3</manvolnum> - </citerefentry> at the start of the transaction. See - <citerefentry> - <refentrytitle>pam_conv</refentrytitle><manvolnum>3</manvolnum> - </citerefentry> - for details. - </para> - </refsect2> - - <refsect2 id='pam3-data'> - <title>Data Objects</title> - <para> - The - <citerefentry> - <refentrytitle>pam_set_item</refentrytitle><manvolnum>3</manvolnum> - </citerefentry> - and - <citerefentry> - <refentrytitle>pam_get_item</refentrytitle><manvolnum>3</manvolnum> - </citerefentry> - functions allows applications and PAM service modules to set and - retrieve PAM informations. - </para> - <para> - The - <citerefentry> - <refentrytitle>pam_get_user</refentrytitle><manvolnum>3</manvolnum> - </citerefentry> - function is the preferred method to obtain the username. 
- </para> - <para> - The - <citerefentry> - <refentrytitle>pam_set_data</refentrytitle><manvolnum>3</manvolnum> - </citerefentry> - and - <citerefentry> - <refentrytitle>pam_get_data</refentrytitle><manvolnum>3</manvolnum> - </citerefentry> - functions allows PAM service modules to set and retrieve free-form - data from one invocation to another. - </para> - </refsect2> - - <refsect2 id='pam3-miscellaneous'> - <title>Environment and Error Management</title> - <para> - The - <citerefentry> - <refentrytitle>pam_putenv</refentrytitle><manvolnum>3</manvolnum> - </citerefentry>, - <citerefentry> - <refentrytitle>pam_getenv</refentrytitle><manvolnum>3</manvolnum> - </citerefentry> and - <citerefentry> - <refentrytitle>pam_getenvlist</refentrytitle><manvolnum>3</manvolnum> - </citerefentry> - functions are for maintaining a set of private environment variables. - </para> - - <para> - The - <citerefentry> - <refentrytitle>pam_strerror</refentrytitle><manvolnum>3</manvolnum> - </citerefentry> function returns a pointer to a string describing the - given PAM error code. - </para> - </refsect2> - </refsect1> - - <refsect1 id='pam3-return_values'> - <title>RETURN VALUES</title> - <para> - The following return codes are known by PAM: - </para> - <variablelist> - <varlistentry> - <term>PAM_ABORT</term> - <listitem> - <para>Critical error, immediate abort.</para> - </listitem> - </varlistentry> - <varlistentry> - <term>PAM_ACCT_EXPIRED</term> - <listitem> - <para>User account has expired.</para> - </listitem> - </varlistentry> - <varlistentry> - <term>PAM_AUTHINFO_UNAVAIL</term> - <listitem> - <para> - Authentication service cannot retrieve authentication info. 
- </para> - </listitem> - </varlistentry> - <varlistentry> - <term>PAM_AUTHTOK_DISABLE_AGING</term> - <listitem> - <para>Authentication token aging disabled.</para> - </listitem> - </varlistentry> - <varlistentry> - <term>PAM_AUTHTOK_ERR</term> - <listitem> - <para>Authentication token manipulation error.</para> - </listitem> - </varlistentry> - <varlistentry> - <term>PAM_AUTHTOK_EXPIRED</term> - <listitem> - <para>Authentication token expired.</para> - </listitem> - </varlistentry> - <varlistentry> - <term>PAM_AUTHTOK_LOCK_BUSY</term> - <listitem> - <para>Authentication token lock busy.</para> - </listitem> - </varlistentry> - <varlistentry> - <term>PAM_AUTHTOK_RECOVERY_ERR</term> - <listitem> - <para>Authentication information cannot be recovered.</para> - </listitem> - </varlistentry> - <varlistentry> - <term>PAM_AUTH_ERR</term> - <listitem> - <para>Authentication failure.</para> - </listitem> - </varlistentry> - <varlistentry> - <term>PAM_BUF_ERR</term> - <listitem> - <para>Memory buffer error.</para> - </listitem> - </varlistentry> - <varlistentry> - <term>PAM_CONV_ERR</term> - <listitem> - <para>Conversation failure.</para> - </listitem> - </varlistentry> - <varlistentry> - <term>PAM_CRED_ERR</term> - <listitem> - <para>Failure setting user credentials.</para> - </listitem> - </varlistentry> - <varlistentry> - <term>PAM_CRED_EXPIRED</term> - <listitem> - <para>User credentials expired.</para> - </listitem> - </varlistentry> - <varlistentry> - <term>PAM_CRED_INSUFFICIENT</term> - <listitem> - <para>Insufficient credentials to access authentication data.</para> - </listitem> - </varlistentry> - <varlistentry> - <term>PAM_CRED_UNAVAIL</term> - <listitem> - <para>Authentication service cannot retrieve user credentials.</para> - </listitem> - </varlistentry> - <varlistentry> - <term>PAM_IGNORE</term> - <listitem> - <para>The return value should be ignored by PAM dispatch.</para> - </listitem> - </varlistentry> - <varlistentry> - <term>PAM_MAXTRIES</term> - 
<listitem> - <para>Have exhausted maximum number of retries for service.</para> - </listitem> - </varlistentry> - <varlistentry> - <term>PAM_MODULE_UNKNOWN</term> - <listitem> - <para>Module is unknown.</para> - </listitem> - </varlistentry> - <varlistentry> - <term>PAM_NEW_AUTHTOK_REQD</term> - <listitem> - <para> - Authentication token is no longer valid; new one required. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>PAM_NO_MODULE_DATA</term> - <listitem> - <para>No module specific data is present.</para> - </listitem> - </varlistentry> - <varlistentry> - <term>PAM_OPEN_ERR</term> - <listitem> - <para>Failed to load module.</para> - </listitem> - </varlistentry> - <varlistentry> - <term>PAM_PERM_DENIED</term> - <listitem> - <para>Permission denied.</para> - </listitem> - </varlistentry> - <varlistentry> - <term>PAM_SERVICE_ERR</term> - <listitem> - <para>Error in service module.</para> - </listitem> - </varlistentry> - <varlistentry> - <term>PAM_SESSION_ERR</term> - <listitem> - <para>Cannot make/remove an entry for the specified session.</para> - </listitem> - </varlistentry> - <varlistentry> - <term>PAM_SUCCESS</term> - <listitem> - <para>Success.</para> - </listitem> - </varlistentry> - <varlistentry> - <term>PAM_SYMBOL_ERR</term> - <listitem> - <para>Symbol not found.</para> - </listitem> - </varlistentry> - <varlistentry> - <term>PAM_SYSTEM_ERR</term> - <listitem> - <para>System error.</para> - </listitem> - </varlistentry> - <varlistentry> - <term>PAM_TRY_AGAIN</term> - <listitem> - <para>Failed preliminary check by password service.</para> - </listitem> - </varlistentry> - <varlistentry> - <term>PAM_USER_UNKNOWN</term> - <listitem> - <para>User not known to the underlying authentication module.</para> - </listitem> - </varlistentry> - </variablelist> - </refsect1> - - <refsect1 id='see_also'><title>SEE ALSO</title> - <para> - <citerefentry> - <refentrytitle>pam_acct_mgmt</refentrytitle><manvolnum>3</manvolnum> - </citerefentry>, 
<citerefentry> - <refentrytitle>pam_authenticate</refentrytitle><manvolnum>3</manvolnum> - </citerefentry>, <citerefentry> - <refentrytitle>pam_chauthtok</refentrytitle><manvolnum>3</manvolnum> - </citerefentry>, <citerefentry> - <refentrytitle>pam_close_session</refentrytitle><manvolnum>3</manvolnum> - </citerefentry>, <citerefentry> - <refentrytitle>pam_conv</refentrytitle><manvolnum>3</manvolnum> - </citerefentry>, <citerefentry> - <refentrytitle>pam_end</refentrytitle><manvolnum>3</manvolnum> - </citerefentry>, <citerefentry> - <refentrytitle>pam_get_data</refentrytitle><manvolnum>3</manvolnum> - </citerefentry>, <citerefentry> - <refentrytitle>pam_getenv</refentrytitle><manvolnum>3</manvolnum> - </citerefentry>, <citerefentry> - <refentrytitle>pam_getenvlist</refentrytitle><manvolnum>3</manvolnum> - </citerefentry>, <citerefentry> - <refentrytitle>pam_get_item</refentrytitle><manvolnum>3</manvolnum> - </citerefentry>, <citerefentry> - <refentrytitle>pam_get_user</refentrytitle><manvolnum>3</manvolnum> - </citerefentry>, <citerefentry> - <refentrytitle>pam_open_session</refentrytitle><manvolnum>3</manvolnum> - </citerefentry>, <citerefentry> - <refentrytitle>pam_putenv</refentrytitle><manvolnum>3</manvolnum> - </citerefentry>, <citerefentry> - <refentrytitle>pam_set_data</refentrytitle><manvolnum>3</manvolnum> - </citerefentry>, <citerefentry> - <refentrytitle>pam_set_item</refentrytitle><manvolnum>3</manvolnum> - </citerefentry>, <citerefentry> - <refentrytitle>pam_setcred</refentrytitle><manvolnum>3</manvolnum> - </citerefentry>, <citerefentry> - <refentrytitle>pam_start</refentrytitle><manvolnum>3</manvolnum> - </citerefentry>, <citerefentry> - <refentrytitle>pam_strerror</refentrytitle><manvolnum>3</manvolnum> - </citerefentry> - </para> - </refsect1> -</refentry> diff --git a/doc/man/pam.8.xml b/doc/man/pam.8.xml deleted file mode 100644 index 1267f01c..00000000 --- a/doc/man/pam.8.xml +++ /dev/null 
@@ -1,186 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN" - "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"> - -<refentry id='pam8'> - - <refmeta> - <refentrytitle>pam</refentrytitle> - <manvolnum>8</manvolnum> - <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo> - </refmeta> - - <refnamediv id='pam8-name'> - <refname>PAM</refname> - <refname>pam</refname> - <refpurpose>Pluggable Authentication Modules for Linux</refpurpose> - </refnamediv> - - <refsect1 id='pam8-description'> - <title>DESCRIPTION</title> - <para> - This manual is intended to offer a quick introduction to - <emphasis remap='B'>Linux-PAM</emphasis>. For more information - the reader is directed to the - <emphasis remap='B'>Linux-PAM system administrators' guide</emphasis>. - </para> - - <para> - <emphasis remap='B'>Linux-PAM</emphasis> is a system of libraries - that handle the authentication tasks of applications (services) on - the system. The library provides a stable general interface - (Application Programming Interface - API) that privilege granting - programs (such as <citerefentry> - <refentrytitle>login</refentrytitle><manvolnum>1</manvolnum> - </citerefentry> and <citerefentry> - <refentrytitle>su</refentrytitle><manvolnum>1</manvolnum> - </citerefentry>) defer to to perform standard authentication tasks. - </para> - - <para> - The principal feature of the PAM approach is that the nature of the - authentication is dynamically configurable. In other words, the - system administrator is free to choose how individual - service-providing applications will authenticate users. This dynamic - configuration is set by the contents of the single - <emphasis remap='B'>Linux-PAM</emphasis> configuration file - <filename>/etc/pam.conf</filename>. Alternatively, the configuration - can be set by individual configuration files located in the - <filename>/etc/pam.d/</filename> directory. 
The presence of this - directory will cause <emphasis remap='B'>Linux-PAM</emphasis> to - <emphasis remap='I'>ignore</emphasis> - <filename>/etc/pam.conf</filename>. - </para> - - -<para>From the point of view of the system administrator, for whom this -manual is provided, it is not of primary importance to understand the -internal behavior of the -<emphasis remap='B'>Linux-PAM</emphasis> -library. The important point to recognize is that the configuration -file(s) -<emphasis remap='I'>define</emphasis> -the connection between applications -<emphasis remap='B'></emphasis>(<emphasis remap='B'>services</emphasis>) -and the pluggable authentication modules -<emphasis remap='B'></emphasis>(<emphasis remap='B'>PAM</emphasis>s) -that perform the actual authentication tasks.</para> - - -<para><emphasis remap='B'>Linux-PAM</emphasis> -separates the tasks of -<emphasis remap='I'>authentication</emphasis> -into four independent management groups: -<emphasis remap='B'>account</emphasis> management; -<emphasis remap='B'>auth</emphasis>entication management; -<emphasis remap='B'>password</emphasis> management; -and -<emphasis remap='B'>session</emphasis> management. -(We highlight the abbreviations used for these groups in the -configuration file.)</para> - - -<para>Simply put, these groups take care of different aspects of a typical -user's request for a restricted service:</para> - - -<para><emphasis remap='B'>account</emphasis> - -provide account verification types of service: has the user's password -expired?; is this user permitted access to the requested service?</para> - -<!-- .br --> -<para><emphasis remap='B'>auth</emphasis>entication - -authenticate a user and set up user credentials. Typically this is via -some challenge-response request that the user must satisfy: if you are -who you claim to be please enter your password. 
Not all authentications -are of this type, there exist hardware based authentication schemes -(such as the use of smart-cards and biometric devices), with suitable -modules, these may be substituted seamlessly for more standard -approaches to authentication - such is the flexibility of -<emphasis remap='B'>Linux-PAM</emphasis>.</para> - -<!-- .br --> -<para><emphasis remap='B'>password</emphasis> - -this group's responsibility is the task of updating authentication -mechanisms. Typically, such services are strongly coupled to those of -the -<emphasis remap='B'>auth</emphasis> -group. Some authentication mechanisms lend themselves well to being -updated with such a function. Standard UN*X password-based access is -the obvious example: please enter a replacement password.</para> - -<!-- .br --> -<para><emphasis remap='B'>session</emphasis> - -this group of tasks cover things that should be done prior to a -service being given and after it is withdrawn. Such tasks include the -maintenance of audit trails and the mounting of the user's home -directory. The -<emphasis remap='B'>session</emphasis> -management group is important as it provides both an opening and -closing hook for modules to affect the services available to a user.</para> - -</refsect1> - - <refsect1 id='pam8-files'> - <title>FILES</title> - <variablelist> - <varlistentry> - <term><filename>/etc/pam.conf</filename></term> - <listitem> - <para>the configuration file</para> - </listitem> - </varlistentry> - <varlistentry> - <term><filename>/etc/pam.d</filename></term> - <listitem> - <para> - the <emphasis remap='B'>Linux-PAM</emphasis> configuration - directory. Generally, if this directory is present, the - <filename>/etc/pam.conf</filename> file is ignored. 
- </para> - </listitem> - </varlistentry> - </variablelist> - </refsect1> - - <refsect1 id='pam8-errors'> - <title>ERRORS</title> - <para> - Typically errors generated by the - <emphasis remap='B'>Linux-PAM</emphasis> system of libraries, will - be written to <citerefentry> - <refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum> - </citerefentry>. - </para> - </refsect1> - - <refsect1 id='pam8-conforming_to'> - <title>CONFORMING TO</title> - <para> - DCE-RFC 86.0, October 1995. - Contains additional features, but remains backwardly compatible - with this RFC. - </para> - </refsect1> - - <refsect1 id='pam8-see_also'> - <title>SEE ALSO</title> - <para> - <citerefentry> - <refentrytitle>pam</refentrytitle><manvolnum>3</manvolnum> - </citerefentry>, - <citerefentry> - <refentrytitle>pam_authenticate</refentrytitle><manvolnum>3</manvolnum> - </citerefentry>, - <citerefentry> - <refentrytitle>pam_sm_setcred</refentrytitle><manvolnum>3</manvolnum> - </citerefentry>, - <citerefentry> - <refentrytitle>pam_strerror</refentrytitle><manvolnum>3</manvolnum> - </citerefentry>, - <citerefentry> - <refentrytitle>PAM</refentrytitle><manvolnum>8</manvolnum> - </citerefentry> - </para> - </refsect1> -</refentry> diff --git a/doc/man/pam.conf-desc.xml b/doc/man/pam.conf-desc.xml deleted file mode 100644 index 909dcdbe..00000000 --- a/doc/man/pam.conf-desc.xml +++ /dev/null 
@@ -1,21 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN" - "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"> -<section id='pam.conf-desc'> - <para> - When a <emphasis>PAM</emphasis> aware privilege granting application - is started, it activates its attachment to the PAM-API. This - activation performs a number of tasks, the most important being the - reading of the configuration file(s): <filename>/etc/pam.conf</filename>. - Alternatively, this may be the contents of the - <filename>/etc/pam.d/</filename> directory. The presence of this - directory will cause Linux-PAM to ignore - <filename>/etc/pam.conf</filename>. - </para> - <para> - These files list the <emphasis>PAM</emphasis>s that will do the - authentication tasks required by this service, and the appropriate - behavior of the PAM-API in the event that individual - <emphasis>PAM</emphasis>s fail. - </para> -</section> diff --git a/doc/man/pam.conf-dir.xml b/doc/man/pam.conf-dir.xml deleted file mode 100644 index 8446cf35..00000000 --- a/doc/man/pam.conf-dir.xml +++ /dev/null 
@@ -1,30 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN" - "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"> -<section id='pam.conf-dir'> - <para> - More flexible than the single configuration file is it to - configure libpam via the contents of the - <filename>/etc/pam.d/</filename> directory. In this case the - directory is filled with files each of which has a filename - equal to a service-name (in lower-case): it is the personal - configuration file for the named service. - </para> - - <para> - The syntax of each file in /etc/pam.d/ is similar to that of the - <filename>/etc/pam.conf</filename> file and is made up of lines - of the following form: - </para> - - <programlisting> -type control module-path module-arguments - </programlisting> - - <para> - The only difference being that the service-name is not present. The - service-name is of course the name of the given configuration file. - For example, <filename>/etc/pam.d/login</filename> contains the - configuration for the <emphasis remap='B'>login</emphasis> service. - </para> -</section> diff --git a/doc/man/pam.conf-syntax.xml b/doc/man/pam.conf-syntax.xml deleted file mode 100644 index 1460c6f6..00000000 --- a/doc/man/pam.conf-syntax.xml +++ /dev/null 
@@ -1,393 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN" - "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"> - -<section id='pam.conf-syntax'> - <para> - The syntax of the <filename>/etc/pam.conf</filename> - configuration file is as follows. The file is made up of a list - of rules, each rule is typically placed on a single line, - but may be extended with an escaped end of line: `\<LF>'. - Comments are preceded with `#' marks and extend to the next end of - line. - </para> - - <para> - The format of each rule is a space separated collection of tokens, - the first three being case-insensitive: - </para> - - <para> - <emphasis remap='B'> service type control module-path module-arguments</emphasis> - </para> - - <para> - The syntax of files contained in the <filename>/etc/pam.d/</filename> - directory, are identical except for the absence of any - <emphasis>service</emphasis> field. In this case, the - <emphasis>service</emphasis> is the name of the file in the - <filename>/etc/pam.d/</filename> directory. This filename must be - in lower case. - </para> - - <para> - An important feature of <emphasis>PAM</emphasis>, is that a - number of rules may be <emphasis>stacked</emphasis> to combine - the services of a number of PAMs for a given authentication task. - </para> - - <para> - The <emphasis>service</emphasis> is typically the familiar name of - the corresponding application: <emphasis>login</emphasis> and - <emphasis>su</emphasis> are good examples. The - <emphasis>service</emphasis>-name, <emphasis>other</emphasis>, - is reserved for giving <emphasis>default</emphasis> rules. - Only lines that mention the current service (or in the absence - of such, the <emphasis>other</emphasis> entries) will be associated - with the given service-application. - </para> - - <para> - The <emphasis>type</emphasis> is the management group that the rule - corresponds to. 
It is used to specify which of the management groups - the subsequent module is to be associated with. Valid entries are: - </para> - <variablelist> - <varlistentry> - <term>account</term> - <listitem> - <para> - this module type performs non-authentication based account - management. It is typically used to restrict/permit access - to a service based on the time of day, currently available - system resources (maximum number of users) or perhaps the - location of the applicant user -- 'root' login only on the - console. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>auth</term> - <listitem> - <para> - this module type provides two aspects of authenticating - the user. Firstly, it establishes that the user is who they - claim to be, by instructing the application to prompt the user - for a password or other means of identification. Secondly, the - module can grant group membership or other privileges through - its credential granting properties. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>password</term> - <listitem> - <para> - this module type is required for updating the authentication - token associated with the user. Typically, there is one module - for each 'challenge/response' based authentication (auth) type. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>session</term> - <listitem> - <para> - this module type is associated with doing things that need to - be done for the user before/after they can be given service. - Such things include the logging of information concerning the - opening/closing of some data exchange with a user, mounting - directories, etc. - </para> - </listitem> - </varlistentry> - </variablelist> - - <para> - The third field, <emphasis>control</emphasis>, indicates the - behavior of the PAM-API should the module fail to succeed in its - authentication task. 
There are two types of syntax for this control - field: the simple one has a single simple keyword; the more - complicated one involves a square-bracketed selection of - <emphasis>value=action</emphasis> pairs. - </para> - - <para> - For the simple (historical) syntax valid <emphasis>control</emphasis> - values are: - </para> - <variablelist> - <varlistentry> - <term>required</term> - <listitem> - <para> - failure of such a PAM will ultimately lead to the PAM-API - returning failure but only after the remaining - <emphasis>stacked</emphasis> modules (for this - <emphasis>service</emphasis> and <emphasis>type</emphasis>) - have been invoked. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>requisite</term> - <listitem> - <para> - like <emphasis>required</emphasis>, however, in the case that - such a module returns a failure, control is directly returned - to the application. The return value is that associated with - the first required or requisite module to fail. Note, this flag - can be used to protect against the possibility of a user getting - the opportunity to enter a password over an unsafe medium. It is - conceivable that such behavior might inform an attacker of valid - accounts on a system. This possibility should be weighed against - the not insignificant concerns of exposing a sensitive password - in a hostile environment. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>sufficient</term> - <listitem> - <para> - success of such a module is enough to satisfy the - authentication requirements of the stack of modules (if a - prior <emphasis>required</emphasis> module has failed the - success of this one is <emphasis>ignored</emphasis>). A failure - of this module is not deemed as fatal to satisfying the - application that this type has succeeded. If the module succeeds - the PAM framework returns success to the application immediately - without trying any other modules. 
- </para> - </listitem> - </varlistentry> - <varlistentry> - <term>optional</term> - <listitem> - <para> - the success or failure of this module is only important if - it is the only module in the stack associated with this - <emphasis>service</emphasis>+<emphasis>type</emphasis>. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>include</term> - <listitem> - <para> - include all lines of given type from the configuration - file specified as an argument to this control. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>substack</term> - <listitem> - <para> - include all lines of given type from the configuration - file specified as an argument to this control. This differs from - <emphasis>include</emphasis> in that evaluation of the - <emphasis>done</emphasis> and <emphasis>die</emphasis> actions - in a substack does not cause skipping the rest of the complete - module stack, but only of the substack. Jumps in a substack - also can not make evaluation jump out of it, and the whole substack - is counted as one module when the jump is done in a parent stack. - The <emphasis>reset</emphasis> action will reset the state of a - module stack to the state it was in as of beginning of the substack - evaluation. - </para> - </listitem> - </varlistentry> - </variablelist> - - <para> - For the more complicated syntax valid <emphasis>control</emphasis> - values have the following form: - </para> - <programlisting> - [value1=action1 value2=action2 ...] - </programlisting> - - <para> - Where <emphasis>valueN</emphasis> corresponds to the return code - from the function invoked in the module for which the line is - defined. 
It is selected from one of these: - <emphasis>success</emphasis>, <emphasis>open_err</emphasis>, - <emphasis>symbol_err</emphasis>, <emphasis>service_err</emphasis>, - <emphasis>system_err</emphasis>, <emphasis>buf_err</emphasis>, - <emphasis>perm_denied</emphasis>, <emphasis>auth_err</emphasis>, - <emphasis>cred_insufficient</emphasis>, - <emphasis>authinfo_unavail</emphasis>, - <emphasis>user_unknown</emphasis>, <emphasis>maxtries</emphasis>, - <emphasis>new_authtok_reqd</emphasis>, - <emphasis>acct_expired</emphasis>, <emphasis>session_err</emphasis>, - <emphasis>cred_unavail</emphasis>, <emphasis>cred_expired</emphasis>, - <emphasis>cred_err</emphasis>, <emphasis>no_module_data</emphasis>, - <emphasis>conv_err</emphasis>, <emphasis>authtok_err</emphasis>, - <emphasis>authtok_recover_err</emphasis>, - <emphasis>authtok_lock_busy</emphasis>, - <emphasis>authtok_disable_aging</emphasis>, - <emphasis>try_again</emphasis>, <emphasis>ignore</emphasis>, - <emphasis>abort</emphasis>, <emphasis>authtok_expired</emphasis>, - <emphasis>module_unknown</emphasis>, <emphasis>bad_item</emphasis>, - <emphasis>conv_again</emphasis>, <emphasis>incomplete</emphasis>, - and <emphasis>default</emphasis>. - </para> - <para> - The last of these, <emphasis>default</emphasis>, implies 'all - <emphasis>valueN</emphasis>'s not mentioned explicitly. Note, the - full list of PAM errors is available in - <filename>/usr/include/security/_pam_types.h</filename>. The - <emphasis>actionN</emphasis> can be: an unsigned integer, - <emphasis>n</emphasis>, signifying an action of 'jump over the - next <emphasis>n</emphasis> modules in the stack'; or take one - of the following forms: - </para> - <variablelist> - <varlistentry> - <term>ignore</term> - <listitem> - <para> - when used with a stack of modules, the module's return - status will not contribute to the return code the application - obtains. 
- </para> - </listitem> - </varlistentry> - <varlistentry> - <term>bad</term> - <listitem> - <para> - this action indicates that the return code should be thought - of as indicative of the module failing. If this module is the - first in the stack to fail, its status value will be used for - that of the whole stack. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>die</term> - <listitem> - <para> - equivalent to bad with the side effect of terminating the - module stack and PAM immediately returning to the application. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>ok</term> - <listitem> - <para> - this tells PAM that the administrator thinks this return code - should contribute directly to the return code of the full - stack of modules. In other words, if the former state of the - stack would lead to a return of <emphasis>PAM_SUCCESS</emphasis>, - the module's return code will override this value. Note, if - the former state of the stack holds some value that is - indicative of a modules failure, this 'ok' value will not be - used to override that value. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>done</term> - <listitem> - <para> - equivalent to ok with the side effect of terminating the module - stack and PAM immediately returning to the application. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>reset</term> - <listitem> - <para> - clear all memory of the state of the module stack and - start again with the next stacked module. - </para> - </listitem> - </varlistentry> - </variablelist> - - <para> - Each of the four keywords: required; requisite; sufficient; and - optional, have an equivalent expression in terms of the [...] - syntax. 
They are as follows: - </para> - <variablelist> - <varlistentry> - <term>required</term> - <listitem> - <para> - [success=ok new_authtok_reqd=ok ignore=ignore default=bad] - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>requisite</term> - <listitem> - <para> - [success=ok new_authtok_reqd=ok ignore=ignore default=die] - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>sufficient</term> - <listitem> - <para> - [success=done new_authtok_reqd=done default=ignore] - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>optional</term> - <listitem> - <para> - [success=ok new_authtok_reqd=ok default=ignore] - </para> - </listitem> - </varlistentry> - </variablelist> - - <para> - <emphasis>module-path</emphasis> is either the full filename - of the PAM to be used by the application (it begins with a '/'), - or a relative pathname from the default module location: - <filename>/lib/security/</filename> or - <filename>/lib64/security/</filename>, depending on the architecture. - </para> - - <para> - <emphasis>module-arguments</emphasis> are a space separated list - of tokens that can be used to modify the specific behavior of the - given PAM. Such arguments will be documented for each individual - module. Note, if you wish to include spaces in an argument, you - should surround that argument with square brackets. - </para> - <programlisting> - squid auth required pam_mysql.so user=passwd_query passwd=mada \ - db=eminence [query=select user_name from internet_service \ - where user_name='%u' and password=PASSWORD('%p') and \ - service='web_proxy'] - </programlisting> - <para> - When using this convention, you can include `[' characters - inside the string, and if you wish to include a `]' character - inside the string that will survive the argument parsing, you - should use `\]'. In other words: - </para> - <programlisting> - [..[..\]..] --> ..[..].. 
- </programlisting> - - <para> - Any line in (one of) the configuration file(s), that is not formatted - correctly, will generally tend (erring on the side of caution) to make - the authentication process fail. A corresponding error is written to - the system log files with a call to - <citerefentry> - <refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum> - </citerefentry>. - </para> - -</section> diff --git a/doc/man/pam.conf.5.xml b/doc/man/pam.conf.5.xml deleted file mode 100644 index 68f576af..00000000 --- a/doc/man/pam.conf.5.xml +++ /dev/null 
@@ -1,50 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN" - "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"> -<refentry id='pam.conf'> - - <refmeta> - <refentrytitle>pam.conf</refentrytitle> - <manvolnum>5</manvolnum> - <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo> - </refmeta> - - <refnamediv id='pam.conf-name'> - <refname>pam.conf</refname> - <refname>pam.d</refname> - <refpurpose>PAM configuration files</refpurpose> - </refnamediv> - -<!-- body begins here --> - - <refsect1 id='pam.conf-description'> - <title>DESCRIPTION</title> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam.conf-desc.xml" - xpointer='xpointer(//section[@id = "pam.conf-desc"]/*)' /> - - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam.conf-syntax.xml" - xpointer='xpointer(//section[@id = "pam.conf-syntax"]/*)' /> - - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam.conf-dir.xml" - xpointer='xpointer(//section[@id = "pam.conf-dir"]/*)' /> - </refsect1> - - <refsect1 id='pam.conf-see_also'> - <title>SEE ALSO</title> - <para> - <citerefentry> - <refentrytitle>pam</refentrytitle><manvolnum>3</manvolnum> - </citerefentry>, - <citerefentry> - <refentrytitle>PAM</refentrytitle><manvolnum>8</manvolnum> - </citerefentry>, - <citerefentry> - <refentrytitle>pam_start</refentrytitle><manvolnum>3</manvolnum> - </citerefentry> - </para> - - </refsect1> -</refentry> diff --git a/doc/man/pam_acct_mgmt.3.xml b/doc/man/pam_acct_mgmt.3.xml deleted file mode 100644 index 72274d1e..00000000 --- a/doc/man/pam_acct_mgmt.3.xml +++ /dev/null 
@@ -1,145 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN" - "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"> -<refentry id='pam_acct_mgmt'> - <refmeta> - <refentrytitle>pam_acct_mgmt</refentrytitle> - <manvolnum>3</manvolnum> - <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo> - </refmeta> - - <refnamediv id="pam_acct_mgmt-name"> - <refname>pam_acct_mgmt</refname> - <refpurpose>PAM account validation management</refpurpose> - </refnamediv> - -<!-- body begins here --> - - <refsynopsisdiv> - <funcsynopsis id='pam_acct_mgmt-synopsis'> - <funcsynopsisinfo>#include <security/pam_appl.h></funcsynopsisinfo> - <funcprototype> - <funcdef>int <function>pam_acct_mgmt</function></funcdef> - <paramdef>pam_handle_t *<parameter>pamh</parameter></paramdef> - <paramdef>int <parameter>flags</parameter></paramdef> - </funcprototype> - </funcsynopsis> - </refsynopsisdiv> - - - <refsect1 id='pam_acct_mgmt-description'> - <title>DESCRIPTION</title> - <para> - The <function>pam_acct_mgmt</function> function is used to determine - if the users account is valid. It checks for authentication token - and account expiration and verifies access restrictions. It is - typically called after the user has been authenticated. - </para> - <para> - The <emphasis>pamh</emphasis> argument is an authentication - handle obtained by a prior call to pam_start(). - The flags argument is the binary or of zero or more of the - following values: - </para> - <variablelist> - <varlistentry> - <term>PAM_SILENT</term> - <listitem> - <para> - Do not emit any messages. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>PAM_DISALLOW_NULL_AUTHTOK</term> - <listitem> - <para> - The PAM module service should return PAM_NEW_AUTHTOK_REQD - if the user has a null authentication token. 
- </para> - </listitem> - </varlistentry> - </variablelist> - </refsect1> - - <refsect1 id="pam_acct_mgmt-return_values"> - <title>RETURN VALUES</title> - <variablelist> - <varlistentry> - <term>PAM_ACCT_EXPIRED</term> - <listitem> - <para> - User account has expired. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>PAM_AUTH_ERR</term> - <listitem> - <para> - Authentication failure. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>PAM_NEW_AUTHTOK_REQD</term> - <listitem> - <para> - The user account is valid but their authentication token - is <emphasis>expired</emphasis>. The correct response to - this return-value is to require that the user satisfies - the <function>pam_chauthtok()</function> function before - obtaining service. It may not be possible for some - applications to do this. In such cases, the user should be - denied access until such time as they can update their password. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>PAM_PERM_DENIED</term> - <listitem> - <para> - Permission denied. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>PAM_SUCCESS</term> - <listitem> - <para> - The authentication token was successfully updated. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>PAM_USER_UNKNOWN</term> - <listitem> - <para> - User unknown to password service. 
- </para> - </listitem> - </varlistentry> - </variablelist> - </refsect1> - - <refsect1 id='pam_acct_mgmt-see_also'> - <title>SEE ALSO</title> - <para> - <citerefentry> - <refentrytitle>pam_start</refentrytitle><manvolnum>3</manvolnum> - </citerefentry>, - <citerefentry> - <refentrytitle>pam_authenticate</refentrytitle><manvolnum>3</manvolnum> - </citerefentry>, - <citerefentry> - <refentrytitle>pam_chauthtok</refentrytitle><manvolnum>3</manvolnum> - </citerefentry>, - <citerefentry> - <refentrytitle>pam_strerror</refentrytitle><manvolnum>3</manvolnum> - </citerefentry>, - <citerefentry> - <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> - </citerefentry> - </para> - </refsect1> -</refentry> diff --git a/doc/man/pam_authenticate.3.xml b/doc/man/pam_authenticate.3.xml deleted file mode 100644 index 8ddc38c9..00000000 --- a/doc/man/pam_authenticate.3.xml +++ /dev/null 
@@ -1,169 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN" - "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"> -<refentry id='pam_authenticate'> - <refmeta> - <refentrytitle>pam_authenticate</refentrytitle> - <manvolnum>3</manvolnum> - <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo> - </refmeta> - - <refnamediv id="pam_authenticate-name"> - <refname>pam_authenticate</refname> - <refpurpose>account authentication</refpurpose> - </refnamediv> - -<!-- body begins here --> - - <refsynopsisdiv> - <funcsynopsis id='pam_authenticate-synopsis'> - <funcsynopsisinfo>#include <security/pam_appl.h></funcsynopsisinfo> - <funcprototype> - <funcdef>int <function>pam_authenticate</function></funcdef> - <paramdef>pam_handle_t *<parameter>pamh</parameter></paramdef> - <paramdef>int <parameter>flags</parameter></paramdef> - </funcprototype> - </funcsynopsis> - </refsynopsisdiv> - - - <refsect1 id='pam_authenticate-description'> - <title>DESCRIPTION</title> - <para> - The <function>pam_authenticate</function> function is used to - authenticate the user. The user is required to provide an - authentication token depending upon the authentication service, - usually this is a password, but could also be a finger print. - </para> - <para> - The PAM service module may request that the user enter their - username vio the the conversation mechanism (see - <citerefentry> - <refentrytitle>pam_start</refentrytitle><manvolnum>3</manvolnum> - </citerefentry> and - <citerefentry> - <refentrytitle>pam_conv</refentrytitle><manvolnum>3</manvolnum> - </citerefentry>). The name of the authenticated user - will be present in the PAM item PAM_USER. This item may be - recovered with a call to - <citerefentry> - <refentrytitle>pam_get_item</refentrytitle><manvolnum>3</manvolnum> - </citerefentry>. 
- </para> - <para> - The <emphasis>pamh</emphasis> argument is an authentication - handle obtained by a prior call to pam_start(). - The flags argument is the binary or of zero or more of the - following values: - </para> - <variablelist> - <varlistentry> - <term>PAM_SILENT</term> - <listitem> - <para> - Do not emit any messages. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>PAM_DISALLOW_NULL_AUTHTOK</term> - <listitem> - <para> - The PAM module service should return PAM_AUTH_ERR - if the user does not have a registered authentication token. - </para> - </listitem> - </varlistentry> - </variablelist> - </refsect1> - - <refsect1 id="pam_authenticate-return_values"> - <title>RETURN VALUES</title> - <variablelist> - <varlistentry> - <term>PAM_ABORT</term> - <listitem> - <para> - The application should exit immediately after calling - <citerefentry> - <refentrytitle>pam_end</refentrytitle><manvolnum>3</manvolnum> - </citerefentry> first. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>PAM_AUTH_ERR</term> - <listitem> - <para> - The user was not authenticated. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>PAM_CRED_INSUFFICIENT</term> - <listitem> - <para> - For some reason the application does not have sufficient - credentials to authenticate the user. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>PAM_AUTHINFO_UNVAIL</term> - <listitem> - <para> - The modules were not able to access the authentication - information. This might be due to a network or hardware - failure etc. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>PAM_MAXTRIES</term> - <listitem> - <para> - One or more of the authentication modules has reached its - limit of tries authenticating the user. Do not try again. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>PAM_SUCCESS</term> - <listitem> - <para> - The user was successfully authenticated. 
- </para> - </listitem> - </varlistentry> - <varlistentry> - <term>PAM_USER_UNKNOWN</term> - <listitem> - <para> - User unknown to authentication service. - </para> - </listitem> - </varlistentry> - </variablelist> - </refsect1> - - <refsect1 id='pam_authenticate-see_also'> - <title>SEE ALSO</title> - <para> - <citerefentry> - <refentrytitle>pam_start</refentrytitle><manvolnum>3</manvolnum> - </citerefentry>, - <citerefentry> - <refentrytitle>pam_setcred</refentrytitle><manvolnum>3</manvolnum> - </citerefentry>, - <citerefentry> - <refentrytitle>pam_chauthtok</refentrytitle><manvolnum>3</manvolnum> - </citerefentry>, - <citerefentry> - <refentrytitle>pam_strerror</refentrytitle><manvolnum>3</manvolnum> - </citerefentry>, - <citerefentry> - <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> - </citerefentry> - </para> - </refsect1> -</refentry> diff --git a/doc/man/pam_chauthtok.3.xml b/doc/man/pam_chauthtok.3.xml deleted file mode 100644 index 7e20070b..00000000 --- a/doc/man/pam_chauthtok.3.xml +++ /dev/null 
@@ -1,164 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN" - "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"> -<refentry id='pam_chauthtok'> - <refmeta> - <refentrytitle>pam_chauthtok</refentrytitle> - <manvolnum>3</manvolnum> - <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo> - </refmeta> - - <refnamediv id="pam_chauthtok-name"> - <refname>pam_chauthtok</refname> - <refpurpose>updating authentication tokens</refpurpose> - </refnamediv> - -<!-- body begins here --> - - <refsynopsisdiv> - <funcsynopsis id='pam_chauthtok-synopsis'> - <funcsynopsisinfo>#include <security/pam_appl.h></funcsynopsisinfo> - <funcprototype> - <funcdef>int <function>pam_chauthtok</function></funcdef> - <paramdef>pam_handle_t *<parameter>pamh</parameter></paramdef> - <paramdef>int <parameter>flags</parameter></paramdef> - </funcprototype> - </funcsynopsis> - </refsynopsisdiv> - - - <refsect1 id='pam_chauthtok-description'> - <title>DESCRIPTION</title> - <para> - The <function>pam_chauthtok</function> function is used to change the - authentication token for a given user (as indicated by the state - associated with the handle <emphasis>pamh</emphasis>). - </para> - <para> - The <emphasis>pamh</emphasis> argument is an authentication - handle obtained by a prior call to pam_start(). - The flags argument is the binary or of zero or more of the - following values: - </para> - <variablelist> - <varlistentry> - <term>PAM_SILENT</term> - <listitem> - <para> - Do not emit any messages. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>PAM_CHANGE_EXPIRED_AUTHTOK</term> - <listitem> - <para> - This argument indicates to the modules that the users - authentication token (password) should only be changed - if it has expired. - If this argument is not passed, the application requires - that all authentication tokens are to be changed. 
- </para> - </listitem> - </varlistentry> - </variablelist> - </refsect1> - - <refsect1 id="pam_chauthtok-return_values"> - <title>RETURN VALUES</title> - <variablelist> - <varlistentry> - <term>PAM_AUTHTOK_ERR</term> - <listitem> - <para> - A module was unable to obtain the new authentication token. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>PAM_AUTHTOK_RECOVERY_ERR</term> - <listitem> - <para> - A module was unable to obtain the old authentication token. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>PAM_AUTHTOK_LOCK_BUSY</term> - <listitem> - <para> - One or more of the modules was unable to change the - authentication token since it is currently locked. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>PAM_AUTHTOK_DISABLE_AGING</term> - <listitem> - <para> - Authentication token aging has been disabled for at least - one of the modules. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>PAM_PERM_DENIED</term> - <listitem> - <para> - Permission denied. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>PAM_SUCCESS</term> - <listitem> - <para> - The authentication token was successfully updated. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>PAM_TRY_AGAIN</term> - <listitem> - <para> - Not all of the modules were in a position to update the - authentication token(s). In such a case none of the user's - authentication tokens are updated. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>PAM_USER_UNKNOWN</term> - <listitem> - <para> - User unknown to password service. 
- </para> - </listitem> - </varlistentry> - </variablelist> - </refsect1> - - <refsect1 id='pam_chauthtok-see_also'> - <title>SEE ALSO</title> - <para> - <citerefentry> - <refentrytitle>pam_start</refentrytitle><manvolnum>3</manvolnum> - </citerefentry>, - <citerefentry> - <refentrytitle>pam_authenticate</refentrytitle><manvolnum>3</manvolnum> - </citerefentry>, - <citerefentry> - <refentrytitle>pam_setcred</refentrytitle><manvolnum>3</manvolnum> - </citerefentry>, - <citerefentry> - <refentrytitle>pam_get_item</refentrytitle><manvolnum>3</manvolnum> - </citerefentry>, - <citerefentry> - <refentrytitle>pam_strerror</refentrytitle><manvolnum>3</manvolnum> - </citerefentry>, - <citerefentry> - <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> - </citerefentry> - </para> - </refsect1> -</refentry> diff --git a/doc/man/pam_close_session.3.xml b/doc/man/pam_close_session.3.xml deleted file mode 100644 index db549bda..00000000 --- a/doc/man/pam_close_session.3.xml +++ /dev/null 
@@ -1,115 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN" - "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"> - -<refentry id='pam_send'> - - <refmeta> - <refentrytitle>pam_close_session</refentrytitle> - <manvolnum>3</manvolnum> - <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo> - </refmeta> - - <refnamediv id="pam_close_session-name"> - <refname>pam_close_session</refname> - <refpurpose>terminate PAM session management</refpurpose> - </refnamediv> - -<!-- body begins here --> - - <refsynopsisdiv> - <funcsynopsis id="pam_close_session-synopsis"> - <funcsynopsisinfo>#include <security/pam_appl.h></funcsynopsisinfo> - <funcprototype> - <funcdef>int <function>pam_close_session</function></funcdef> - <paramdef>pam_handle_t *<parameter>pamh</parameter></paramdef> - <paramdef>int <parameter>flags</parameter></paramdef> - </funcprototype> - </funcsynopsis> - </refsynopsisdiv> - - - <refsect1 id="pam_close_session-description"> - <title>DESCRIPTION</title> - <para> - The <function>pam_close_session</function> function is used - to indicate that an authenticated session has ended. - The session should have been created with a call to - <citerefentry> - <refentrytitle>pam_open_session</refentrytitle><manvolnum>3</manvolnum> - </citerefentry>. - </para> - <para> - It should be noted that the effective uid, - <citerefentry> - <refentrytitle>geteuid</refentrytitle><manvolnum>2</manvolnum> - </citerefentry>. of the application should be of sufficient - privilege to perform such tasks as unmounting the - user's home directory for example. - </para> - <para> - The flags argument is the binary or of zero or more of the - following values: - </para> - <variablelist> - <varlistentry> - <term>PAM_SILENT</term> - <listitem> - <para> - Do not emit any messages. 
- </para> - </listitem> - </varlistentry> - </variablelist> - </refsect1> - - <refsect1 id="pam_close_session-return_values"> - <title>RETURN VALUES</title> - <variablelist> - <varlistentry> - <term>PAM_ABORT</term> - <listitem> - <para> - General failure. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>PAM_BUF_ERR</term> - <listitem> - <para> - Memory buffer error. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>PAM_SESSION_ERR</term> - <listitem> - <para> - Session failure. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>PAM_SUCCESS</term> - <listitem> - <para> - Session was successful terminated. - </para> - </listitem> - </varlistentry> - </variablelist> - </refsect1> - - <refsect1 id="pam_close_session-see_also"> - <title>SEE ALSO</title> - <para> - <citerefentry> - <refentrytitle>pam_open_session</refentrytitle><manvolnum>3</manvolnum> - </citerefentry>, - <citerefentry> - <refentrytitle>pam_strerror</refentrytitle><manvolnum>3</manvolnum> - </citerefentry> - </para> - </refsect1> -</refentry> diff --git a/doc/man/pam_conv.3.xml b/doc/man/pam_conv.3.xml deleted file mode 100644 index 0098ff94..00000000 --- a/doc/man/pam_conv.3.xml +++ /dev/null 
@@ -1,228 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN" - "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"> -<refentry id='pam_conv'> - <refmeta> - <refentrytitle>pam_conv</refentrytitle> - <manvolnum>3</manvolnum> - <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo> - </refmeta> - - <refnamediv id="pam_conv-name"> - <refname>pam_conv</refname> - <refpurpose>PAM conversation function</refpurpose> - </refnamediv> - -<!-- body begins here --> - - <refsynopsisdiv> - <funcsynopsis id="pam_conv-synopsis"> - <funcsynopsisinfo>#include <security/pam_appl.h></funcsynopsisinfo> - </funcsynopsis> - <programlisting> -struct pam_message { - int msg_style; - const char *msg; -}; - -struct pam_response { - char *resp; - int resp_retcode; -}; - -struct pam_conv { - int (*conv)(int num_msg, const struct pam_message **msg, - struct pam_response **resp, void *appdata_ptr); - void *appdata_ptr; -}; - </programlisting> - </refsynopsisdiv> - - <refsect1 id='pam_conv-description'> - <title>DESCRIPTION</title> - <para> - The PAM library uses an application-defined callback to allow - a direct communication between a loaded module and the application. - This callback is specified by the - <emphasis>struct pam_conv</emphasis> passed to - <citerefentry> - <refentrytitle>pam_start</refentrytitle><manvolnum>3</manvolnum> - </citerefentry> - at the start of the transaction. - </para> - <para> - When a module calls the referenced conv() function, the argument - <emphasis>appdata_ptr</emphasis> is set to the second element of - this structure. - </para> - <para> - The other arguments of a call to conv() concern the information - exchanged by module and application. That is to say, - <emphasis>num_msg</emphasis> holds the length of the array of - pointers, <emphasis>msg</emphasis>. 
After a successful return, the - pointer <emphasis>resp</emphasis> points to an array of pam_response - structures, holding the application supplied text. The - <emphasis>resp_retcode</emphasis> member of this struct is unused and - should be set to zero. It is the caller's responsibility to release - both, this array and the responses themselves, using - <citerefentry> - <refentrytitle>free</refentrytitle><manvolnum>3</manvolnum> - </citerefentry>. Note, <emphasis>*resp</emphasis> is a - <emphasis>struct pam_response</emphasis> array and not an array of - pointers. - </para> - <para> - The number of responses is always equal to the - <emphasis>num_msg</emphasis> conversation function argument. - This does require that the response array is - <citerefentry> - <refentrytitle>free</refentrytitle><manvolnum>3</manvolnum> - </citerefentry>'d after - every call to the conversation function. The index of the - responses corresponds directly to the prompt index in the - pam_message array. - </para> - <para> - On failure, the conversation function should release any resources - it has allocated, and return one of the predefined PAM error codes. - </para> - <para> - Each message can have one of four types, specified by the - <emphasis>msg_style</emphasis> member of - <emphasis>struct pam_message</emphasis>: - </para> - <variablelist> - <varlistentry> - <term>PAM_PROMPT_ECHO_OFF</term> - <listitem> - <para> - Obtain a string without echoing any text. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>PAM_PROMPT_ECHO_ON</term> - <listitem> - <para> - Obtain a string whilst echoing text. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>PAM_ERROR_MSG</term> - <listitem> - <para> - Display an error message. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>PAM_TEXT_INFO</term> - <listitem> - <para> - Display some text. 
- </para> - </listitem> - </varlistentry> - </variablelist> - <para> - The point of having an array of messages is that it becomes possible - to pass a number of things to the application in a single call from - the module. It can also be convenient for the application that related - things come at once: a windows based application can then present a - single form with many messages/prompts on at once. - </para> - <para> - In passing, it is worth noting that there is a descrepency between - the way Linux-PAM handles the const struct pam_message **msg - conversation function argument from the way that Solaris' PAM - (and derivitives, known to include HP/UX, are there others?) does. - Linux-PAM interprets the msg argument as entirely equivalent to the - following prototype - const struct pam_message *msg[] (which, in spirit, is consistent with - the commonly used prototypes for argv argument to the familiar main() - function: char **argv; and char *argv[]). Said another way Linux-PAM - interprets the msg argument as a pointer to an array of num_msg read - only 'struct pam_message' pointers. Solaris' PAM implementation - interprets this argument as a pointer to a pointer to an array of - num_msg pam_message structures. Fortunately, perhaps, for most - module/application developers when num_msg has a value of one these - two definitions are entirely equivalent. Unfortunately, casually - raising this number to two has led to unanticipated compatibility - problems. - </para> - <para> - For what its worth the two known module writer work-arounds for trying - to maintain source level compatibility with both PAM implementations - are: - </para> - <itemizedlist> - <listitem> - <para> - never call the conversation function with num_msg greater than one. - </para> - </listitem> - <listitem> - <para> - set up msg as doubly referenced so both types of conversation - function can find the messages. 
That is, make - </para> - <programlisting> - msg[n] = & (( *msg )[n]) - </programlisting> - </listitem> - </itemizedlist> - </refsect1> - - <refsect1 id="pam_conv-return_values"> - <title>RETURN VALUES</title> - <variablelist> - <varlistentry> - <term>PAM_BUF_ERR</term> - <listitem> - <para> - Memory buffer error. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>PAM_CONV_ERR</term> - <listitem> - <para> - Conversation failure. The application should not set - <emphasis>*resp</emphasis>. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>PAM_SUCCESS</term> - <listitem> - <para> - Success. - </para> - </listitem> - </varlistentry> - </variablelist> - </refsect1> - - <refsect1 id='pam_conv-see_also'> - <title>SEE ALSO</title> - <para> - <citerefentry> - <refentrytitle>pam_start</refentrytitle><manvolnum>3</manvolnum> - </citerefentry>, - <citerefentry> - <refentrytitle>pam_set_item</refentrytitle><manvolnum>3</manvolnum> - </citerefentry>, - <citerefentry> - <refentrytitle>pam_get_item</refentrytitle><manvolnum>3</manvolnum> - </citerefentry>, - <citerefentry> - <refentrytitle>pam_strerror</refentrytitle><manvolnum>3</manvolnum> - </citerefentry>, - <citerefentry> - <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> - </citerefentry> - </para> - </refsect1> -</refentry> diff --git a/doc/man/pam_end.3.xml b/doc/man/pam_end.3.xml deleted file mode 100644 index 039bb3cd..00000000 --- a/doc/man/pam_end.3.xml +++ /dev/null 
@@ -1,122 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN" - "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"> - -<refentry id='pam_end'> - - <refmeta> - <refentrytitle>pam_end</refentrytitle> - <manvolnum>3</manvolnum> - <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo> - </refmeta> - - <refnamediv id="pam_end-name"> - <refname>pam_end</refname> - <refpurpose>termination of PAM transaction</refpurpose> - </refnamediv> - -<!-- body begins here --> - - <refsynopsisdiv> - <funcsynopsis id="pam_end-synopsis"> - <funcsynopsisinfo>#include <security/pam_appl.h></funcsynopsisinfo> - <funcprototype> - <funcdef>int <function>pam_end</function></funcdef> - <paramdef>pam_handle_t *<parameter>pamh</parameter></paramdef> - <paramdef>int <parameter>pam_status</parameter></paramdef> - </funcprototype> - </funcsynopsis> - </refsynopsisdiv> - - - <refsect1 id="pam_end-description"> - <title>DESCRIPTION</title> - <para> - The <function>pam_end</function> function terminates the PAM - transaction and is the last function an application should call - in the PAM context. Upon return the handle <emphasis>pamh</emphasis> - is no longer valid and all memory associated with it will be - invalid. - </para> - <para> - The <emphasis>pam_status</emphasis> argument should be set to - the value returned to the application by the last PAM - library call. - </para> - <para> - The value taken by <emphasis>pam_status</emphasis> is used as - an argument to the module specific callback function, - <function>cleanup()</function> - (See <citerefentry> - <refentrytitle>pam_set_data</refentrytitle><manvolnum>3</manvolnum> - </citerefentry> and - <citerefentry> - <refentrytitle>pam_get_data</refentrytitle><manvolnum>3</manvolnum> - </citerefentry>). 
In this way the module can be given notification - of the pass/fail nature of the tear-down process, and perform any - last minute tasks that are appropriate to the module before it is - unlinked. This argument can be logically OR'd with - <emphasis>PAM_DATA_SILENT</emphasis> to indicate to indicate that - the module should not treat the call too seriously. It is generally - used to indicate that the current closing of the library is in a - <citerefentry> - <refentrytitle>fork</refentrytitle><manvolnum>2</manvolnum> - </citerefentry>ed - process, and that the parent will take care of cleaning up things - that exist outside of the current process space (files etc.). - </para> - - <para> - This function <emphasis>free</emphasis>'s all memory for items - associated with the - <citerefentry> - <refentrytitle>pam_set_item</refentrytitle><manvolnum>3</manvolnum> - </citerefentry> and - <citerefentry> - <refentrytitle>pam_get_item</refentrytitle><manvolnum>3</manvolnum> - </citerefentry> functions. Pointers associated with such objects - are not valid anymore after <function>pam_end</function> was called. - </para> - - </refsect1> - <refsect1 id="pam_end-return_values"> - <title>RETURN VALUES</title> - <variablelist> - <varlistentry> - <term>PAM_SUCCESS</term> - <listitem> - <para> - Transaction was successful terminated. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>PAM_SYSTEM_ERR</term> - <listitem> - <para> - System error, for example a NULL pointer was submitted - as PAM handle or the function was called by a module. 
- </para> - </listitem> - </varlistentry> - </variablelist> - </refsect1> - - <refsect1 id="pam_end-see_also"> - <title>SEE ALSO</title> - <para> - <citerefentry> - <refentrytitle>pam_get_data</refentrytitle><manvolnum>3</manvolnum> - </citerefentry>, - <citerefentry> - <refentrytitle>pam_set_data</refentrytitle><manvolnum>3</manvolnum> - </citerefentry>, - <citerefentry> - <refentrytitle>pam_start</refentrytitle><manvolnum>3</manvolnum> - </citerefentry>, - <citerefentry> - <refentrytitle>pam_strerror</refentrytitle><manvolnum>3</manvolnum> - </citerefentry> - </para> - </refsect1> -</refentry> diff --git a/doc/man/pam_error.3.xml b/doc/man/pam_error.3.xml deleted file mode 100644 index de167f2c..00000000 --- a/doc/man/pam_error.3.xml +++ /dev/null 
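Review bot: the pam_end.3.xml deletion drops the only description of OR'ing PAM_DATA_SILENT into `pam_status` for the forked-child case, and of the rule that pointers obtained via pam_get_item are invalid once pam_end returns; confirm the destination of this page before merging a pure removal. If the text is being moved, fix two defects visible in the removed lines at the destination: the duplicated "to indicate to indicate" in the PAM_DATA_SILENT paragraph and "Transaction was successful terminated" under PAM_SUCCESS (should read "successfully").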
@@ -1,121 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN" - "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"> - -<refentry id="pam_error"> - - <refmeta> - <refentrytitle>pam_error</refentrytitle> - <manvolnum>3</manvolnum> - <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo> - </refmeta> - - <refnamediv id="pam_error-name"> - <refname>pam_error</refname> - <refname>pam_verror</refname> - <refpurpose>display error messages to the user</refpurpose> - </refnamediv> - -<!-- body begins here --> - - <refsynopsisdiv id="pam_error-synopsis"> - <funcsynopsis> - <funcsynopsisinfo>#include <security/pam_ext.h></funcsynopsisinfo> - <funcprototype> - <funcdef>int <function>pam_error</function></funcdef> - <paramdef>pam_handle_t *<parameter>pamh</parameter></paramdef> - <paramdef>const char *<parameter>fmt</parameter></paramdef> - <paramdef><parameter>...</parameter></paramdef> - </funcprototype> - <funcprototype> - <funcdef>int <function>pam_verror</function></funcdef> - <paramdef>pam_handle_t *<parameter>pamh</parameter></paramdef> - <paramdef>const char *<parameter>fmt</parameter></paramdef> - <paramdef>va_list <parameter>args</parameter></paramdef> - </funcprototype> - </funcsynopsis> - </refsynopsisdiv> - - <refsect1 id='pam_error-description'> - <title>DESCRIPTION</title> - <para> - The <function>pam_error</function> function prints error messages - through the conversation function to the user. - </para> - <para> - The <function>pam_verror</function> function performs the same - task as <function>pam_error()</function> with the difference - that it takes a set of arguments which have been obtained using - the <citerefentry> - <refentrytitle>stdarg</refentrytitle><manvolnum>3</manvolnum> - </citerefentry> variable argument list macros. 
- </para> - </refsect1> - <refsect1 id="pam_error-return_values"> - <title>RETURN VALUES</title> - <variablelist> - <varlistentry> - <term>PAM_BUF_ERR</term> - <listitem> - <para> - Memory buffer error. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>PAM_CONV_ERR</term> - <listitem> - <para> - Conversation failure. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>PAM_SUCCESS</term> - <listitem> - <para> - Error message was displayed. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>PAM_SYSTEM_ERR</term> - <listitem> - <para> - System error. - </para> - </listitem> - </varlistentry> - </variablelist> - </refsect1> - - <refsect1 id='pam_error-see_also'> - <title>SEE ALSO</title> - <para> - <citerefentry> - <refentrytitle>pam_info</refentrytitle><manvolnum>3</manvolnum> - </citerefentry>, - <citerefentry> - <refentrytitle>pam_vinfo</refentrytitle><manvolnum>3</manvolnum> - </citerefentry>, - <citerefentry> - <refentrytitle>pam_prompt</refentrytitle><manvolnum>3</manvolnum> - </citerefentry>, - <citerefentry> - <refentrytitle>pam_vprompt</refentrytitle><manvolnum>3</manvolnum> - </citerefentry>, - <citerefentry> - <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> - </citerefentry> - </para> - </refsect1> - - <refsect1 id='pam_error-standards'> - <title>STANDARDS</title> - <para> - The <function>pam_error</function> and <function>pam_verror</function> - functions are Linux-PAM extensions. - </para> - </refsect1> - -</refentry> diff --git a/doc/man/pam_fail_delay.3.xml b/doc/man/pam_fail_delay.3.xml deleted file mode 100644 index a101cf39..00000000 --- a/doc/man/pam_fail_delay.3.xml +++ /dev/null 
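Review bot: pam_error.3.xml is removed without a visible replacement; its STANDARDS section is the only place stating that pam_error/pam_verror are Linux-PAM extensions rather than portable PAM, which application authors need for portability decisions, so the commit message should point at the new location of this page.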
@@ -1,202 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN" - "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"> - -<refentry id="pam_fail_delay"> - - <refmeta> - <refentrytitle>pam_fail_delay</refentrytitle> - <manvolnum>3</manvolnum> - <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo> - </refmeta> - - <refnamediv id="pam_fail_delay-name"> - <refname>pam_fail_delay</refname> - <refpurpose>request a delay on failure</refpurpose> - </refnamediv> - -<!-- body begins here --> - - <refsynopsisdiv> - <funcsynopsis id="pam_fail_delay-synopsis"> - <funcsynopsisinfo>#include <security/pam_appl.h></funcsynopsisinfo> - <funcprototype> - <funcdef>int <function>pam_fail_delay</function></funcdef> - <paramdef>pam_handle_t *<parameter>pamh</parameter></paramdef> - <paramdef>unsigned int <parameter>usec</parameter></paramdef> - </funcprototype> - </funcsynopsis> - </refsynopsisdiv> - - <refsect1 id='pam_fail_delay-description'> - <title>DESCRIPTION</title> - <para> - The <function>pam_fail_delay</function> function provides a - mechanism by which an application or module can suggest a minimum - delay of <emphasis>usec</emphasis> micro-seconds. The - function keeps a record of the longest time requested with this - function. Should - <citerefentry> - <refentrytitle>pam_authenticate</refentrytitle><manvolnum>3</manvolnum> - </citerefentry> fail, the failing return to the application is - delayed by an amount of time randomly distributed (by up to 25%) - about this longest value. - </para> - <para> - Independent of success, the delay time is reset to its zero - default value when the PAM service module returns control to - the application. The delay occurs <emphasis>after</emphasis> all - authentication modules have been called, but <emphasis>before</emphasis> - control is returned to the service application. 
- </para> - <para> - When using this function the programmer should check if it is - available with: - </para> - <programlisting> -#ifdef HAVE_PAM_FAIL_DELAY - .... -#endif /* HAVE_PAM_FAIL_DELAY */ - </programlisting> - - <para> - For applications written with a single thread that are event - driven in nature, generating this delay may be undesirable. - Instead, the application may want to register the delay in some - other way. For example, in a single threaded server that serves - multiple authentication requests from a single event loop, the - application might want to simply mark a given connection as - blocked until an application timer expires. For this reason - the delay function can be changed with the - <emphasis>PAM_FAIL_DELAY</emphasis> item. It can be queried and - set with - <citerefentry> - <refentrytitle>pam_get_item</refentrytitle><manvolnum>3</manvolnum> - </citerefentry> - and - <citerefentry> - <refentrytitle>pam_set_item </refentrytitle><manvolnum>3</manvolnum> - </citerefentry> respectively. The value used to set it should be - a function pointer of the following prototype: - <programlisting> -void (*delay_fn)(int retval, unsigned usec_delay, void *appdata_ptr); - </programlisting> - The arguments being the <emphasis>retval</emphasis> return code - of the module stack, the <emphasis>usec_delay</emphasis> - micro-second delay that libpam is requesting and the - <emphasis>appdata_ptr</emphasis> that the application has associated - with the current <emphasis>pamh</emphasis>. This last value was set - by the application when it called - <citerefentry> - <refentrytitle>pam_start</refentrytitle><manvolnum>3</manvolnum> - </citerefentry> or explicitly with - <citerefentry> - <refentrytitle>pam_set_item</refentrytitle><manvolnum>3</manvolnum> - </citerefentry>. - Note, if PAM_FAIL_DELAY item is unset (or set to NULL), then no delay - will be performed. 
- </para> - </refsect1> - - <refsect1 id='pam_fail_delay-rationale'> - <title>RATIONALE</title> - <para> - It is often possible to attack an authentication scheme by exploiting - the time it takes the scheme to deny access to an applicant user. In - cases of <emphasis>short</emphasis> timeouts, it may prove possible - to attempt a <emphasis>brute force</emphasis> dictionary attack -- - with an automated process, the attacker tries all possible passwords - to gain access to the system. In other cases, where individual - failures can take measurable amounts of time (indicating the nature - of the failure), an attacker can obtain useful information about the - authentication process. These latter attacks make use of procedural - delays that constitute a <emphasis>covert channel</emphasis> - of useful information. - </para> - <para> - To minimize the effectiveness of such attacks, it is desirable to - introduce a random delay in a failed authentication process. - Preferable this value should be set by the application or a special - PAM module. Standard PAM modules should not modify the delay - unconditional. - </para> - </refsect1> - - <refsect1 id='pam_fail_delay-example'> - <title>EXAMPLE</title> - <para> - For example, a login application may require a failure delay of - roughly 3 seconds. It will contain the following code: - </para> - <programlisting> - pam_fail_delay (pamh, 3000000 /* micro-seconds */ ); - pam_authenticate (pamh, 0); - </programlisting> - - <para> - if the modules do not request a delay, the failure delay will be - between 2.25 and 3.75 seconds. - </para> - - <para> - However, the modules, invoked in the authentication process, may - also request delays: - </para> - - <programlisting> -module #1: pam_fail_delay (pamh, 2000000); -module #2: pam_fail_delay (pamh, 4000000); - </programlisting> - - <para> - in this case, it is the largest requested value that is used to - compute the actual failed delay: here between 3 and 5 seconds. 
- </para> - </refsect1> - - <refsect1 id='pam_fail_delay-return_values'> - <title>RETURN VALUES</title> - <variablelist> - <varlistentry> - <term>PAM_SUCCESS</term> - <listitem> - <para> - Delay was successful adjusted. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>PAM_SYSTEM_ERR</term> - <listitem> - <para> - A NULL pointer was submitted as PAM handle. - </para> - </listitem> - </varlistentry> - </variablelist> - </refsect1> - - <refsect1 id='pam_fail_delay-see_also'> - <title>SEE ALSO</title> - <para> - <citerefentry> - <refentrytitle>pam_start</refentrytitle><manvolnum>3</manvolnum> - </citerefentry>, - <citerefentry> - <refentrytitle>pam_get_item</refentrytitle><manvolnum>3</manvolnum> - </citerefentry>, - <citerefentry> - <refentrytitle>pam_strerror</refentrytitle><manvolnum>3</manvolnum> - </citerefentry> - </para> - </refsect1> - - <refsect1 id='pam_fail_delay-standards'> - <title>STANDARDS</title> - <para> - The <function>pam_fail_delay</function> function is an - Linux-PAM extension. - </para> - </refsect1> - -</refentry> diff --git a/doc/man/pam_get_data.3.xml b/doc/man/pam_get_data.3.xml deleted file mode 100644 index e84e5a4c..00000000 --- a/doc/man/pam_get_data.3.xml +++ /dev/null 
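Review bot: removing pam_fail_delay.3.xml loses the RATIONALE section, the one piece of this documentation set that explains the security purpose of the failure delay (blunting brute-force attempts against short timeouts and closing the timing covert channel that reveals the nature of a failure) and the guidance that standard modules should not change the delay unconditionally; please confirm that text survives wherever the page moves. At the destination, also correct the grammar in the removed lines: "Preferable this value" (Preferably), "modify the delay unconditional" (unconditionally) and "Delay was successful adjusted" (successfully).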
@@ -1,108 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN" - "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"> - -<refentry id='pam_get_data'> - - <refmeta> - <refentrytitle>pam_get_data</refentrytitle> - <manvolnum>3</manvolnum> - <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo> - </refmeta> - - <refnamediv id='pam_get_data-name'> - <refname>pam_get_data</refname> - <refpurpose> - get module internal data - </refpurpose> - </refnamediv> - - -<!-- body begins here --> - - <refsynopsisdiv> - - <funcsynopsis id="pam_get_data-synopsis"> - <funcsynopsisinfo>#include <security/pam_modules.h></funcsynopsisinfo> - <funcprototype> - <funcdef>int <function>pam_get_data</function></funcdef> - <paramdef>const pam_handle_t *<parameter>pamh</parameter></paramdef> - <paramdef>const char *<parameter>module_data_name</parameter></paramdef> - <paramdef>const void **<parameter>data</parameter></paramdef> - </funcprototype> - </funcsynopsis> - - </refsynopsisdiv> - - - <refsect1 id="pam_get_data-description"> - <title>DESCRIPTION</title> - <para> - This function together with the - <citerefentry> - <refentrytitle>pam_set_data</refentrytitle><manvolnum>3</manvolnum> - </citerefentry> function - is useful to manage module-specific data meaningful only to - the calling PAM module. - </para> - <para> - The <function>pam_get_data</function> function looks up the - object associated with the (hopefully) unique string - <emphasis>module_data_name</emphasis> in the PAM context - specified by the <emphasis>pamh</emphasis> argument. - A successful call to - <function>pam_get_data</function> will result in - <emphasis>data</emphasis> pointing to the object. Note, - this data is <emphasis>not</emphasis> a copy and should be - treated as <emphasis>constant</emphasis> by the module. 
- </para> - </refsect1> - - <refsect1 id="pam_get_data-return_values"> - <title>RETURN VALUES</title> - <variablelist> - <varlistentry> - <term>PAM_SUCCESS</term> - <listitem> - <para> - Data was successful retrieved. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>PAM_SYSTEM_ERR</term> - <listitem> - <para> - A NULL pointer was submitted as PAM handle or the - function was called by an application. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>PAM_NO_MODULE_DATA</term> - <listitem> - <para> - Module data not found or there is an entry, but it has - the value NULL. - </para> - </listitem> - </varlistentry> - </variablelist> - </refsect1> - - <refsect1 id="pam_get_data-see_also"> - <title>SEE ALSO</title> - <para> - <citerefentry> - <refentrytitle>pam_end</refentrytitle><manvolnum>3</manvolnum> - </citerefentry>, - <citerefentry> - <refentrytitle>pam_set_data</refentrytitle><manvolnum>3</manvolnum> - </citerefentry>, - <citerefentry> - <refentrytitle>pam_strerror</refentrytitle><manvolnum>3</manvolnum> - </citerefentry> - </para> - </refsect1> - -</refentry> diff --git a/doc/man/pam_get_item.3.xml b/doc/man/pam_get_item.3.xml deleted file mode 100644 index d07862e0..00000000 --- a/doc/man/pam_get_item.3.xml +++ /dev/null 
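Review bot: the pam_get_data.3.xml hunk removes the note that the object returned through `data` is not a copy and must be treated as constant by the module; that aliasing rule matters for modules that would otherwise mutate shared state, so it needs to be kept at the new location. "Data was successful retrieved" under PAM_SUCCESS should become "successfully" there.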
@@ -1,143 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN" - "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd" -[ -<!-- -<!ENTITY accessconf SYSTEM "pam_item_types_std.inc.xml"> -<!ENTITY accessconf SYSTEM "pam_item_types_ext.inc.xml"> ---> -]> - -<refentry id='pam_get_item'> - - <refmeta> - <refentrytitle>pam_get_item</refentrytitle> - <manvolnum>3</manvolnum> - <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo> - </refmeta> - - <refnamediv id='pam_get_item-name'> - <refname>pam_get_item</refname> - <refpurpose> - getting PAM informations - </refpurpose> - </refnamediv> - - -<!-- body begins here --> - - <refsynopsisdiv> - - <funcsynopsis id="pam_get_item-synopsis"> - <funcsynopsisinfo>#include <security/pam_modules.h></funcsynopsisinfo> - <funcprototype> - <funcdef>int <function>pam_get_item</function></funcdef> - <paramdef>const pam_handle_t *<parameter>pamh</parameter></paramdef> - <paramdef>int <parameter>item_type</parameter></paramdef> - <paramdef>const void **<parameter>item</parameter></paramdef> - </funcprototype> - </funcsynopsis> - - </refsynopsisdiv> - - - <refsect1 id="pam_get_item-description"> - <title>DESCRIPTION</title> - <para> - The <function>pam_get_item</function> function allows applications - and PAM service modules to access and retrieve PAM informations - of <emphasis>item_type</emphasis>. Upon successful return, - <emphasis>item</emphasis> contains a pointer to the value of the - corresponding item. Note, this is a pointer to the - <emphasis>actual</emphasis> data and should - <emphasis remap="B">not</emphasis> be <emphasis>free()</emphasis>'ed or - over-written! 
The following values are supported for - <emphasis>item_type</emphasis>: - </para> - - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_item_types_std.inc.xml"/> - - <para> - The following additional items are specific to Linux-PAM and should not be used in - portable applications: - </para> - - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_item_types_ext.inc.xml"/> - - <para> - If a service module wishes to obtain the name of the user, - it should not use this function, but instead perform a call to - <citerefentry> - <refentrytitle>pam_get_user</refentrytitle><manvolnum>3</manvolnum> - </citerefentry>. - </para> - <para> - Only a service module is privileged to read the - authentication tokens, PAM_AUTHTOK and PAM_OLDAUTHTOK. - </para> - - </refsect1> - - <refsect1 id="pam_get_item-return_values"> - <title>RETURN VALUES</title> - <variablelist> - <varlistentry> - <term>PAM_BAD_ITEM</term> - <listitem> - <para> - The application attempted to set an undefined or inaccessible - item. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>PAM_BUF_ERR</term> - <listitem> - <para> - Memory buffer error. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>PAM_PERM_DENIED</term> - <listitem> - <para> - The value of <emphasis>item</emphasis> was NULL. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>PAM_SUCCESS</term> - <listitem> - <para> - Data was successful updated. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>PAM_SYSTEM_ERR</term> - <listitem> - <para> - The <emphasis>pam_handle_t</emphasis> passed as first - argument was invalid. 
- </para> - </listitem> - </varlistentry> - </variablelist> - </refsect1> - - <refsect1 id="pam_get_item-see_also"> - <title>SEE ALSO</title> - <para> - <citerefentry> - <refentrytitle>pam_set_item</refentrytitle><manvolnum>3</manvolnum> - </citerefentry>, - <citerefentry> - <refentrytitle>pam_strerror</refentrytitle><manvolnum>3</manvolnum> - </citerefentry> - </para> - </refsect1> - -</refentry> diff --git a/doc/man/pam_get_user.3.xml b/doc/man/pam_get_user.3.xml deleted file mode 100644 index ff8be694..00000000 --- a/doc/man/pam_get_user.3.xml +++ /dev/null 
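Review bot: this hunk removes the statement that only a service module is privileged to read PAM_AUTHTOK and PAM_OLDAUTHTOK and that the pointer returned in `item` must not be free()'d or overwritten; both are API contracts applications and modules depend on, so the commit should name the replacement page. The removed RETURN VALUES table also carries copy-paste errors worth fixing at the destination: PAM_SUCCESS reads "Data was successful updated" and PAM_BAD_ITEM reads "attempted to set", both wording for pam_set_item rather than a getter. The prolog's commented-out pair of `<!ENTITY accessconf SYSTEM ...>` declarations (same entity name twice, both dead) should simply be dropped rather than carried over.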
@@ -1,139 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN" - "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"> - -<refentry id='pam_get_user'> - - <refmeta> - <refentrytitle>pam_get_user</refentrytitle> - <manvolnum>3</manvolnum> - <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo> - </refmeta> - - <refnamediv id='pam_get_user-name'> - <refname>pam_get_user</refname> - <refpurpose> - get user name - </refpurpose> - </refnamediv> - - -<!-- body begins here --> - - <refsynopsisdiv> - - <funcsynopsis id="pam_get_user-synopsis"> - <funcsynopsisinfo>#include <security/pam_modules.h></funcsynopsisinfo> - <funcprototype> - <funcdef>int <function>pam_get_user</function></funcdef> - <paramdef>const pam_handle_t *<parameter>pamh</parameter></paramdef> - <paramdef>const char **<parameter>user</parameter></paramdef> - <paramdef>const char *<parameter>prompt</parameter></paramdef> - </funcprototype> - </funcsynopsis> - - </refsynopsisdiv> - - - <refsect1 id="pam_get_user-description"> - <title>DESCRIPTION</title> - <para> - The <function>pam_get_user</function> function returns the - name of the user specified by - <citerefentry> - <refentrytitle>pam_start</refentrytitle><manvolnum>3</manvolnum> - </citerefentry>. If no user was specified it what - <function>pam_get_item (pamh, PAM_USER, ... );</function> would - have returned. If this is NULL it obtains the username via the - <citerefentry> - <refentrytitle>pam_conv</refentrytitle><manvolnum>3</manvolnum> - </citerefentry> mechanism, it prompts the user with the first - non-NULL string in the following list: - </para> - - <itemizedlist> - <listitem> - <para> - The <emphasis>prompt</emphasis> argument passed to the function. - </para> - </listitem> - <listitem> - <para> - What is returned by pam_get_item (pamh, PAM_USER_PROMPT, ... 
); - </para> - </listitem> - <listitem> - <para> - The default prompt: "login: " - </para> - </listitem> - </itemizedlist> - <para> - By whatever means the username is obtained, a pointer to it is - returned as the contents of <emphasis>*user</emphasis>. Note, - this memory should <emphasis remap="B">not</emphasis> be - <emphasis>free()</emphasis>'d or <emphasis>modified</emphasis> - by the module. - </para> - <para> - This function sets the <emphasis>PAM_USER</emphasis> item - associated with the - <citerefentry> - <refentrytitle>pam_set_item</refentrytitle><manvolnum>3</manvolnum> - </citerefentry> and - <citerefentry> - <refentrytitle>pam_get_item</refentrytitle><manvolnum>3</manvolnum> - </citerefentry> functions. - </para> - </refsect1> - - <refsect1 id="pam_get_user-return_values"> - <title>RETURN VALUES</title> - <variablelist> - <varlistentry> - <term>PAM_SUCCESS</term> - <listitem> - <para> - User name was successful retrieved. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>PAM_SYSTEM_ERR</term> - <listitem> - <para> - A NULL pointer was submitted. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>PAM_CONV_ERR</term> - <listitem> - <para> - The conversation method supplied by the - application failed to obtain the username. - </para> - </listitem> - </varlistentry> - </variablelist> - </refsect1> - - <refsect1 id="pam_get_user-see_also"> - <title>SEE ALSO</title> - <para> - <citerefentry> - <refentrytitle>pam_end</refentrytitle><manvolnum>3</manvolnum> - </citerefentry>, - <citerefentry> - <refentrytitle>pam_get_item</refentrytitle><manvolnum>3</manvolnum> - </citerefentry>, - <citerefentry> - <refentrytitle>pam_set_item</refentrytitle><manvolnum>3</manvolnum> - </citerefentry>, - <citerefentry> - <refentrytitle>pam_strerror</refentrytitle><manvolnum>3</manvolnum> - </citerefentry> - </para> - </refsect1> - -</refentry> 
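Review bot: the removed pam_get_user description has a dropped verb in "If no user was specified it what pam_get_item (pamh, PAM_USER, ... ); would have returned" (needs "it returns what"), and PAM_SUCCESS reads "User name was successful retrieved"; fix both wherever this page is relocated. The point that the returned name must not be free()'d or modified by the module, and that the call sets PAM_USER as a side effect, should be preserved as well.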
diff --git a/doc/man/pam_getenv.3.xml b/doc/man/pam_getenv.3.xml deleted file mode 100644 index e78aa3c2..00000000 --- a/doc/man/pam_getenv.3.xml +++ /dev/null 
@@ -1,66 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN" - "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"> -<refentry id='pam_getenv'> - <refmeta> - <refentrytitle>pam_getenv</refentrytitle> - <manvolnum>3</manvolnum> - <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo> - </refmeta> - - <refnamediv id="pam_getenv-name"> - <refname>pam_getenv</refname> - <refpurpose>get a PAM environment variable</refpurpose> - </refnamediv> - -<!-- body begins here --> - - <refsynopsisdiv> - <funcsynopsis id='pam_getenv-synopsis'> - <funcsynopsisinfo>#include <security/pam_appl.h></funcsynopsisinfo> - <funcprototype> - <funcdef>const char *<function>pam_getenv</function></funcdef> - <paramdef>pam_handle_t *<parameter>pamh</parameter></paramdef> - <paramdef>const char *<parameter>name</parameter></paramdef> - </funcprototype> - </funcsynopsis> - </refsynopsisdiv> - - - <refsect1 id='pam_getenv-description'> - <title>DESCRIPTION</title> - <para> - The <function>pam_getenv</function> function searches the - PAM environment list as associated with the handle - <emphasis>pamh</emphasis> for a string that matches the string - pointed to by <emphasis>name</emphasis>. The return values are - of the form: "<emphasis>name=value</emphasis>". - </para> - </refsect1> - - <refsect1 id="pam_getenv-return_values"> - <title>RETURN VALUES</title> - <para> - The <function>pam_getenv</function> function returns NULL - on failure. 
- </para> - </refsect1> - - <refsect1 id='pam_getenv-see_also'> - <title>SEE ALSO</title> - <para> - <citerefentry> - <refentrytitle>pam_start</refentrytitle><manvolnum>3</manvolnum> - </citerefentry>, - <citerefentry> - <refentrytitle>pam_getenvlist</refentrytitle><manvolnum>3</manvolnum> - </citerefentry>, - <citerefentry> - <refentrytitle>pam_putenv</refentrytitle><manvolnum>3</manvolnum> - </citerefentry>, - <citerefentry> - <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> - </citerefentry> - </para> - </refsect1> -</refentry> diff --git a/doc/man/pam_getenvlist.3.xml b/doc/man/pam_getenvlist.3.xml deleted file mode 100644 index 1c29b737..00000000 --- a/doc/man/pam_getenvlist.3.xml +++ /dev/null 
@@ -1,85 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN" - "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"> -<refentry id='pam_getenvlist'> - <refmeta> - <refentrytitle>pam_getenvlist</refentrytitle> - <manvolnum>3</manvolnum> - <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo> - </refmeta> - - <refnamediv id="pam_getenvlist-name"> - <refname>pam_getenvlist</refname> - <refpurpose>getting the PAM environment</refpurpose> - </refnamediv> - -<!-- body begins here --> - - <refsynopsisdiv> - <funcsynopsis id='pam_getenvlist-synopsis'> - <funcsynopsisinfo>#include <security/pam_appl.h></funcsynopsisinfo> - <funcprototype> - <funcdef>char **<function>pam_getenvlist</function></funcdef> - <paramdef>pam_handle_t *<parameter>pamh</parameter></paramdef> - </funcprototype> - </funcsynopsis> - </refsynopsisdiv> - - - <refsect1 id='pam_getenvlist-description'> - <title>DESCRIPTION</title> - <para> - The <function>pam_getenvlist</function> function returns a complete - copy of the PAM environment as associated with the handle - <emphasis>pamh</emphasis>. The PAM environment variables - represent the contents of the regular environment variables of the - authenticated user when service is granted. - </para> - <para> - The format of the memory is a malloc()'d array of char pointers, - the last element of which is set to NULL. Each of the non-NULL - entries in this array point to a NUL terminated and malloc()'d - char string of the form: "<emphasis>name=value</emphasis>". - </para> - <para> - It should be noted that this memory will never be free()'d by - libpam. Once obtained by a call to - <function>pam_getenvlist</function>, it is the responsibility of - the calling application to free() this memory. 
- </para> - <para> - It is by design, and not a coincidence, that the format and contents - of the returned array matches that required for the third argument of - the - <citerefentry> - <refentrytitle>execle</refentrytitle><manvolnum>3</manvolnum> - </citerefentry> function call. - </para> - </refsect1> - - <refsect1 id="pam_getenvlist-return_values"> - <title>RETURN VALUES</title> - <para> - The <function>pam_getenvlist</function> function returns NULL - on failure. - </para> - </refsect1> - - <refsect1 id='pam_getenvlist-see_also'> - <title>SEE ALSO</title> - <para> - <citerefentry> - <refentrytitle>pam_start</refentrytitle><manvolnum>3</manvolnum> - </citerefentry>, - <citerefentry> - <refentrytitle>pam_getenv</refentrytitle><manvolnum>3</manvolnum> - </citerefentry>, - <citerefentry> - <refentrytitle>pam_putenv</refentrytitle><manvolnum>3</manvolnum> - </citerefentry>, - <citerefentry> - <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> - </citerefentry> - </para> - </refsect1> -</refentry> diff --git a/doc/man/pam_info.3.xml b/doc/man/pam_info.3.xml deleted file mode 100644 index 88e671c7..00000000 --- a/doc/man/pam_info.3.xml +++ /dev/null 
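Review bot: pam_getenvlist.3.xml is the only page stating that the returned array and its strings are malloc()'d, that libpam never frees them, and that the layout matches the envp argument of execle(3); deleting it without a named replacement invites leaks and misuse in applications that spawn the user's session, so confirm the relocation before merging.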
@@ -1,109 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN" - "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"> - -<refentry id="pam_info"> - - <refmeta> - <refentrytitle>pam_info</refentrytitle> - <manvolnum>3</manvolnum> - <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo> - </refmeta> - - <refnamediv id="pam_info-name"> - <refname>pam_info</refname> - <refname>pam_vinfo</refname> - <refpurpose>display messages to the user</refpurpose> - </refnamediv> - -<!-- body begins here --> - - <refsynopsisdiv id="pam_info-synopsis"> - <funcsynopsis> - <funcsynopsisinfo>#include <security/pam_ext.h></funcsynopsisinfo> - <funcprototype> - <funcdef>int <function>pam_info</function></funcdef> - <paramdef>pam_handle_t *<parameter>pamh</parameter></paramdef> - <paramdef>const char *<parameter>fmt</parameter></paramdef> - <paramdef><parameter>...</parameter></paramdef> - </funcprototype> - <funcprototype> - <funcdef>int <function>pam_vinfo</function></funcdef> - <paramdef>pam_handle_t *<parameter>pamh</parameter></paramdef> - <paramdef>const char *<parameter>fmt</parameter></paramdef> - <paramdef>va_list <parameter>args</parameter></paramdef> - </funcprototype> - </funcsynopsis> - </refsynopsisdiv> - - <refsect1 id='pam_info-description'> - <title>DESCRIPTION</title> - <para> - The <function>pam_info</function> function prints messages - through the conversation function to the user. - </para> - <para> - The <function>pam_vinfo</function> function performs the same - task as <function>pam_info()</function> with the difference - that it takes a set of arguments which have been obtained using - the <citerefentry> - <refentrytitle>stdarg</refentrytitle><manvolnum>3</manvolnum> - </citerefentry> variable argument list macros. 
- </para> - </refsect1> - <refsect1 id="pam_info-return_values"> - <title>RETURN VALUES</title> - <variablelist> - <varlistentry> - <term>PAM_BUF_ERR</term> - <listitem> - <para> - Memory buffer error. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>PAM_CONV_ERR</term> - <listitem> - <para> - Conversation failure. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>PAM_SUCCESS</term> - <listitem> - <para> - Transaction was successful created. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>PAM_SYSTEM_ERR</term> - <listitem> - <para> - System error. - </para> - </listitem> - </varlistentry> - </variablelist> - </refsect1> - - <refsect1 id='pam_info-see_also'> - <title>SEE ALSO</title> - <para> - <citerefentry> - <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> - </citerefentry> - </para> - </refsect1> - - <refsect1 id='pam_info-standards'> - <title>STANDARDS</title> - <para> - The <function>pam_info</function> and <function>pam_vinfo</function> - functions are Linux-PAM extensions. - </para> - </refsect1> - -</refentry> diff --git a/doc/man/pam_item_types_ext.inc.xml b/doc/man/pam_item_types_ext.inc.xml deleted file mode 100644 index 89f19875..00000000 --- a/doc/man/pam_item_types_ext.inc.xml +++ /dev/null 
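Review bot: in the removed pam_info.3.xml the PAM_SUCCESS entry reads "Transaction was successful created", which is the pam_start wording rather than a description of a displayed message (compare the PAM_SUCCESS entry in the pam_error hunk above, "Error message was displayed"); correct it at the destination. The SEE ALSO list here also omits pam_error/pam_verror even though pam_error's SEE ALSO points back at pam_info/pam_vinfo, so the cross-references should be made symmetric when the page moves.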
@@ -1,45 +0,0 @@ -<!-- this file is included by pam_set_item and pam_get_item --> - - <variablelist> - <varlistentry> - <term>PAM_FAIL_DELAY</term> - <listitem> - <para> - A function pointer to redirect centrally managed - failure delays. See - <citerefentry> - <refentrytitle>pam_fail_delay</refentrytitle><manvolnum>3</manvolnum> - </citerefentry>. - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term>PAM_XDISPLAY</term> - <listitem> - <para> - The name of the X display. For graphical, X-based applications the - value for this item should be the <emphasis>$DISPLAY</emphasis> - variable. This value may be used independently of - <emphasis>PAM_TTY</emphasis> for passing the - name of the display. - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term>PAM_XAUTHDATA</term> - <listitem> - <para> - A pointer to a structure containing the X authentication data - required to make a connection to the display specified by - <emphasis>PAM_XDISPLAY</emphasis>, if such information is - necessary. See - <citerefentry> - <refentrytitle>pam_xauth_data</refentrytitle><manvolnum>3</manvolnum> - </citerefentry>. - </para> - </listitem> - </varlistentry> - - </variablelist> diff --git a/doc/man/pam_item_types_std.inc.xml b/doc/man/pam_item_types_std.inc.xml deleted file mode 100644 index 81f240b0..00000000 --- a/doc/man/pam_item_types_std.inc.xml +++ /dev/null 
@@ -1,138 +0,0 @@ -<!-- this file is included by pam_set_item and pam_get_item --> - - <variablelist> - <varlistentry> - <term>PAM_SERVICE</term> - <listitem> - <para> - The service name (which identifies that PAM stack that - the PAM functions will use to authenticate the program). - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term>PAM_USER</term> - <listitem> - <para> - The username of the entity under whose identity service - will be given. That is, following authentication, - <emphasis>PAM_USER</emphasis> identifies the local entity - that gets to use the service. Note, this value can be mapped - from something (eg., "anonymous") to something else (eg. - "guest119") by any module in the PAM stack. As such an - application should consult the value of - <emphasis>PAM_USER</emphasis> after each call to a PAM function. - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term>PAM_USER_PROMPT</term> - <listitem> - <para> - The string used when prompting for a user's name. The default - value for this string is a localized version of "login: ". - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term>PAM_TTY</term> - <listitem> - <para> - The terminal name: prefixed by <filename>/dev/</filename> if - it is a device file; for graphical, X-based, applications the - value for this item should be the - <emphasis>$DISPLAY</emphasis> variable. - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term>PAM_RUSER</term> - <listitem> - <para> - The requesting user name: local name for a locally - requesting user or a remote user name for a remote - requesting user. - </para> - <para> - Generally an application or module will attempt to supply - the value that is most strongly authenticated (a local account - before a remote one. The level of trust in this value is - embodied in the actual authentication stack associated with - the application, so it is ultimately at the discretion of the - system administrator. 
- </para> - <para> - <emphasis>PAM_RUSER@PAM_RHOST</emphasis> should always identify - the requesting user. In some cases, - <emphasis>PAM_RUSER</emphasis> may be NULL. In such situations, - it is unclear who the requesting entity is. - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term>PAM_RHOST</term> - <listitem> - <para> - The requesting hostname (the hostname of the machine from - which the <emphasis>PAM_RUSER</emphasis> entity is requesting - service). That is <emphasis>PAM_RUSER@PAM_RHOST</emphasis> - does identify the requesting user. In some applications, - <emphasis>PAM_RHOST</emphasis> may be NULL. In such situations, - it is unclear where the authentication request is originating - from. - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term>PAM_AUTHTOK</term> - <listitem> - <para> - The authentication token (often a password). This token - should be ignored by all module functions besides - <citerefentry> - <refentrytitle>pam_sm_authenticate</refentrytitle><manvolnum>3</manvolnum> - </citerefentry> and - <citerefentry> - <refentrytitle>pam_sm_chauthtok</refentrytitle><manvolnum>3</manvolnum> - </citerefentry>. - In the former function it is used to pass the most recent - authentication token from one stacked module to another. In - the latter function the token is used for another purpose. - It contains the currently active authentication token. - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term>PAM_OLDAUTHTOK</term> - <listitem> - <para> - The old authentication token. This token should be ignored - by all module functions except - <citerefentry> - <refentrytitle>pam_sm_chauthtok</refentrytitle><manvolnum>3</manvolnum> - </citerefentry>. - </para> - </listitem> - </varlistentry> - - - <varlistentry> - <term>PAM_CONV</term> - <listitem> - <para> - The pam_conv structure. See - <citerefentry> - <refentrytitle>pam_conv</refentrytitle><manvolnum>3</manvolnum> - </citerefentry>. 
- </para> - </listitem> - </varlistentry> - - </variablelist> diff --git a/doc/man/pam_misc_drop_env.3.xml b/doc/man/pam_misc_drop_env.3.xml deleted file mode 100644 index 1941f589..00000000 --- a/doc/man/pam_misc_drop_env.3.xml +++ /dev/null 
@@ -1,63 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN" - "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"> - -<refentry id="pam_misc_drop_env"> - - <refmeta> - <refentrytitle>pam_misc_drop_env</refentrytitle> - <manvolnum>3</manvolnum> - <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo> - </refmeta> - - <refnamediv id="pam_misc_drop_env-name"> - <refname>pam_misc_drop_env</refname> - <refpurpose>liberating a locally saved environment</refpurpose> - </refnamediv> - -<!-- body begins here --> - - <refsynopsisdiv> - <funcsynopsis id="pam_misc_drop_env-synopsis"> - <funcsynopsisinfo>#include <security/pam_misc.h></funcsynopsisinfo> - <funcprototype> - <funcdef>int <function>pam_misc_drop_env</function></funcdef> - <paramdef>char **<parameter>env</parameter></paramdef> - </funcprototype> - </funcsynopsis> - </refsynopsisdiv> - - <refsect1 id='pam_misc_drop_env-description'> - <title>DESCRIPTION</title> - <para> - This function is defined to complement the <citerefentry> - <refentrytitle>pam_getenvlist</refentrytitle><manvolnum>3</manvolnum> - </citerefentry> function. It liberates the memory associated - with <parameter>env</parameter>, <emphasis>overwriting</emphasis> - with <emphasis>0</emphasis> all memory before - <function>free()</function>ing it. - </para> - </refsect1> - - <refsect1 id='pam_misc_drop_env-see_also'> - <title>SEE ALSO</title> - <para> - <citerefentry> - <refentrytitle>pam_getenvlist</refentrytitle><manvolnum>3</manvolnum> - </citerefentry>, - <citerefentry> - <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> - </citerefentry> - </para> - </refsect1> - - <refsect1 id='pam_misc_drop_env-standards'> - <title>STANDARDS</title> - <para> - The <function>pam_misc_drop_env</function> function is part of the - <command>libpam_misc</command> Library and not defined in any - standard. - </para> - </refsect1> - -</refentry> 
diff --git a/doc/man/pam_misc_paste_env.3.xml b/doc/man/pam_misc_paste_env.3.xml deleted file mode 100644 index d9a282c0..00000000 --- a/doc/man/pam_misc_paste_env.3.xml +++ /dev/null 
@@ -1,61 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN" - "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"> - -<refentry id="pam_misc_paste_env"> - - <refmeta> - <refentrytitle>pam_misc_paste_env</refentrytitle> - <manvolnum>3</manvolnum> - <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo> - </refmeta> - - <refnamediv id="pam_misc_paste_env-name"> - <refname>pam_misc_paste_env</refname> - <refpurpose>transcribing an environment to that of PAM</refpurpose> - </refnamediv> - -<!-- body begins here --> - - <refsynopsisdiv> - <funcsynopsis id="pam_misc_paste_env-synopsis"> - <funcsynopsisinfo>#include <security/pam_misc.h></funcsynopsisinfo> - <funcprototype> - <funcdef>int <function>pam_misc_paste_env</function></funcdef> - <paramdef>pam_handle_t *<parameter>pamh</parameter></paramdef> - <paramdef>const char * const *<parameter>user</parameter></paramdef> - </funcprototype> - </funcsynopsis> - </refsynopsisdiv> - - <refsect1 id='pam_misc_paste_env-description'> - <title>DESCRIPTION</title> - <para> - This function takes the supplied list of environment pointers and - <emphasis>uploads</emphasis> its contents to the PAM environment. - Success is indicated by <errorname>PAM_SUCCESS</errorname>. - </para> - </refsect1> - - <refsect1 id='pam_misc_paste_env-see_also'> - <title>SEE ALSO</title> - <para> - <citerefentry> - <refentrytitle>pam_putenv</refentrytitle><manvolnum>3</manvolnum> - </citerefentry>, - <citerefentry> - <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> - </citerefentry> - </para> - </refsect1> - - <refsect1 id='pam_misc_paste_env-standards'> - <title>STANDARDS</title> - <para> - The <function>pam_misc_paste_env</function> function is part of the - <command>libpam_misc</command> Library and not defined in any - standard. - </para> - </refsect1> - -</refentry> 
diff --git a/doc/man/pam_misc_setenv.3.xml b/doc/man/pam_misc_setenv.3.xml deleted file mode 100644 index fdc8f33d..00000000 --- a/doc/man/pam_misc_setenv.3.xml +++ /dev/null 
@@ -1,68 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN" - "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"> - -<refentry id="pam_misc_setenv"> - - <refmeta> - <refentrytitle>pam_misc_setenv</refentrytitle> - <manvolnum>3</manvolnum> - <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo> - </refmeta> - <refnamediv id="pam_misc_setenv-name"> - <refname>pam_misc_setenv</refname> - <refpurpose>BSD like PAM environment variable setting</refpurpose> - </refnamediv> - -<!-- body begins here --> - - <refsynopsisdiv> - <funcsynopsis id="pam_misc_setenv-synopsis"> - <funcsynopsisinfo>#include <security/pam_misc.h></funcsynopsisinfo> - <funcprototype> - <funcdef>int <function>pam_misc_setenv</function></funcdef> - <paramdef>pam_handle_t *<parameter>pamh</parameter></paramdef> - <paramdef>const char *<parameter>name</parameter></paramdef> - <paramdef>const char *<parameter>value</parameter></paramdef> - <paramdef>int<parameter>readonly</parameter></paramdef> - </funcprototype> - </funcsynopsis> - </refsynopsisdiv> - - <refsect1 id='pam_misc_setenv-description'> - <title>DESCRIPTION</title> - <para> - This function performs a task equivalent to <citerefentry> - <refentrytitle>pam_putenv</refentrytitle><manvolnum>3</manvolnum> - </citerefentry>, its syntax is, however, more like the BSD style - function; <function>setenv()</function>. The <parameter>name</parameter> - and <parameter>value</parameter> are concatenated with an '=' to - form a name=value and passed to <function>pam_putenv()</function>. - If, however, the PAM variable is already set, the replacement will - only be applied if the last argument, <parameter>readonly</parameter>, - is zero. 
- </para> - </refsect1> - - <refsect1 id='pam_misc_setenv-see_also'> - <title>SEE ALSO</title> - <para> - <citerefentry> - <refentrytitle>pam_putenv</refentrytitle><manvolnum>3</manvolnum> - </citerefentry>, - <citerefentry> - <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> - </citerefentry> - </para> - </refsect1> - - <refsect1 id='pam_misc_setenv-standards'> - <title>STANDARDS</title> - <para> - The <function>pam_misc_setenv</function> function is part of the - <command>libpam_misc</command> Library and not defined in any - standard. - </para> - </refsect1> - -</refentry> diff --git a/doc/man/pam_open_session.3.xml b/doc/man/pam_open_session.3.xml deleted file mode 100644 index eba0bc01..00000000 --- a/doc/man/pam_open_session.3.xml +++ /dev/null 
@@ -1,115 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN" - "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"> - -<refentry id='pam_send'> - - <refmeta> - <refentrytitle>pam_open_session</refentrytitle> - <manvolnum>3</manvolnum> - <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo> - </refmeta> - - <refnamediv id="pam_open_session-name"> - <refname>pam_open_session</refname> - <refpurpose>start PAM session management</refpurpose> - </refnamediv> - -<!-- body begins here --> - - <refsynopsisdiv> - <funcsynopsis id="pam_open_session-synopsis"> - <funcsynopsisinfo>#include <security/pam_appl.h></funcsynopsisinfo> - <funcprototype> - <funcdef>int <function>pam_open_session</function></funcdef> - <paramdef>pam_handle_t *<parameter>pamh</parameter></paramdef> - <paramdef>int <parameter>flags</parameter></paramdef> - </funcprototype> - </funcsynopsis> - </refsynopsisdiv> - - - <refsect1 id="pam_open_session-description"> - <title>DESCRIPTION</title> - <para> - The <function>pam_open_session</function> function sets up a - user session for a previously successful authenticated user. - The session should later be terminated with a call to - <citerefentry> - <refentrytitle>pam_close_session</refentrytitle><manvolnum>3</manvolnum> - </citerefentry>. - </para> - <para> - It should be noted that the effective uid, - <citerefentry> - <refentrytitle>geteuid</refentrytitle><manvolnum>2</manvolnum> - </citerefentry>. of the application should be of sufficient - privilege to perform such tasks as creating or mounting the - user's home directory for example. - </para> - <para> - The flags argument is the binary or of zero or more of the - following values: - </para> - <variablelist> - <varlistentry> - <term>PAM_SILENT</term> - <listitem> - <para> - Do not emit any messages. 
- </para> - </listitem> - </varlistentry> - </variablelist> - </refsect1> - - <refsect1 id="pam_open_session-return_values"> - <title>RETURN VALUES</title> - <variablelist> - <varlistentry> - <term>PAM_ABORT</term> - <listitem> - <para> - General failure. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>PAM_BUF_ERR</term> - <listitem> - <para> - Memory buffer error. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>PAM_SESSION_ERR</term> - <listitem> - <para> - Session failure. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>PAM_SUCCESS</term> - <listitem> - <para> - Session was successful created. - </para> - </listitem> - </varlistentry> - </variablelist> - </refsect1> - - <refsect1 id="pam_open_session-see_also"> - <title>SEE ALSO</title> - <para> - <citerefentry> - <refentrytitle>pam_close_session</refentrytitle><manvolnum>3</manvolnum> - </citerefentry>, - <citerefentry> - <refentrytitle>pam_strerror</refentrytitle><manvolnum>3</manvolnum> - </citerefentry> - </para> - </refsect1> -</refentry> diff --git a/doc/man/pam_prompt.3.xml b/doc/man/pam_prompt.3.xml deleted file mode 100644 index d0824131..00000000 --- a/doc/man/pam_prompt.3.xml +++ /dev/null 
@@ -1,110 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN" - "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"> - -<refentry id="pam_prompt"> - - <refmeta> - <refentrytitle>pam_prompt</refentrytitle> - <manvolnum>3</manvolnum> - <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo> - </refmeta> - - <refnamediv id="pam_prompt-name"> - <refname>pam_prompt</refname> - <refname>pam_vprompt</refname> - <refpurpose>interface to conversation function</refpurpose> - </refnamediv> - -<!-- body begins here --> - - <refsynopsisdiv id="pam_prompt-synopsis"> - <funcsynopsis> - <funcsynopsisinfo>#include <security/pam_ext.h></funcsynopsisinfo> - <funcprototype> - <funcdef>void <function>pam_prompt</function></funcdef> - <paramdef>pam_handle_t *<parameter>pamh</parameter></paramdef> - <paramdef>int <parameter>style</parameter></paramdef> - <paramdef>char **<parameter>response</parameter></paramdef> - <paramdef>const char *<parameter>fmt</parameter></paramdef> - <paramdef><parameter>...</parameter></paramdef> - </funcprototype> - <funcprototype> - <funcdef>void <function>pam_vprompt</function></funcdef> - <paramdef>pam_handle_t *<parameter>pamh</parameter></paramdef> - <paramdef>int <parameter>style</parameter></paramdef> - <paramdef>char **<parameter>response</parameter></paramdef> - <paramdef>const char *<parameter>fmt</parameter></paramdef> - <paramdef>va_list <parameter>args</parameter></paramdef> - </funcprototype> - </funcsynopsis> - </refsynopsisdiv> - - <refsect1 id='pam_prompt-description'> - <title>DESCRIPTION</title> - <para> - The <function>pam_prompt</function> function constructs a message - from the specified format string and arguments and passes it to - </para> - </refsect1> - - <refsect1 id="pam_prompt-return_values"> - <title>RETURN VALUES</title> - <variablelist> - <varlistentry> - <term>PAM_BUF_ERR</term> - <listitem> - <para> - Memory buffer error. 
- </para> - </listitem> - </varlistentry> - <varlistentry> - <term>PAM_CONV_ERR</term> - <listitem> - <para> - Conversation failure. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>PAM_SUCCESS</term> - <listitem> - <para> - Transaction was successful created. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>PAM_SYSTEM_ERR</term> - <listitem> - <para> - System error. - </para> - </listitem> - </varlistentry> - </variablelist> - </refsect1> - - - <refsect1 id='pam_prompt-see_also'> - <title>SEE ALSO</title> - <para> - <citerefentry> - <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> - </citerefentry>, - <citerefentry> - <refentrytitle>pam_conv</refentrytitle><manvolnum>3</manvolnum> - </citerefentry> - </para> - </refsect1> - - <refsect1 id='pam_prompt-standards'> - <title>STANDARDS</title> - <para> - The <function>pam_prompt</function> and <function>pam_vprompt</function> - functions are Linux-PAM extensions. - </para> - </refsect1> - -</refentry> diff --git a/doc/man/pam_putenv.3.xml b/doc/man/pam_putenv.3.xml deleted file mode 100644 index 619b218a..00000000 --- a/doc/man/pam_putenv.3.xml +++ /dev/null 
@@ -1,152 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN" - "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"> -<refentry id='pam_putenv'> - <refmeta> - <refentrytitle>pam_putenv</refentrytitle> - <manvolnum>3</manvolnum> - <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo> - </refmeta> - - <refnamediv id="pam_putenv-name"> - <refname>pam_putenv</refname> - <refpurpose>set or change PAM environment variable</refpurpose> - </refnamediv> - -<!-- body begins here --> - - <refsynopsisdiv> - <funcsynopsis id='pam_putenv-synopsis'> - <funcsynopsisinfo>#include <security/pam_appl.h></funcsynopsisinfo> - <funcprototype> - <funcdef>int <function>pam_putenv</function></funcdef> - <paramdef>pam_handle_t *<parameter>pamh</parameter></paramdef> - <paramdef>const char *<parameter>name_value</parameter></paramdef> - </funcprototype> - </funcsynopsis> - </refsynopsisdiv> - - - <refsect1 id='pam_putenv-description'> - <title>DESCRIPTION</title> - <para> - The <function>pam_putenv</function> function is used to - add or change the value of PAM environment variables as - associated with the <emphasis>pamh</emphasis> handle. - </para> - <para> - The <emphasis>pamh</emphasis> argument is an authentication - handle obtained by a prior call to pam_start(). - The <emphasis>name_value</emphasis> argument is a single NUL - terminated string of one of the following forms: - </para> - <variablelist> - <varlistentry> - <term>NAME=value of variable</term> - <listitem> - <para> - In this case the environment variable of the given NAME - is set to the indicated value: - <emphasis>value of variable</emphasis>. If this variable - is already known, it is overwritten. Otherwise it is added - to the PAM environment. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>NAME=</term> - <listitem> - <para> - This function sets the variable to an empty value. 
It is - listed separately to indicate that this is the correct way - to achieve such a setting. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>NAME</term> - <listitem> - <para> - Without an '=' the <function>pam_putenv</function>() function - will delete the - corresponding variable from the PAM environment. - </para> - </listitem> - </varlistentry> - </variablelist> - <para> - <function>pam_putenv</function>() operates on a copy of - <emphasis>name_value</emphasis>, which means in contrast to - <citerefentry> - <refentrytitle>putenv</refentrytitle><manvolnum>3</manvolnum> - </citerefentry>, the application is responsible to free the data. - </para> - </refsect1> - - <refsect1 id="pam_putenv-return_values"> - <title>RETURN VALUES</title> - <variablelist> - <varlistentry> - <term>PAM_PERM_DENIED</term> - <listitem> - <para> - Argument <emphasis>name_value</emphasis> given is a NULL pointer. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>PAM_BAD_ITEM</term> - <listitem> - <para> - Variable requested (for deletion) is not currently set. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>PAM_ABORT</term> - <listitem> - <para> - The <emphasis>pamh</emphasis> handle is corrupt. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>PAM_BUF_ERR</term> - <listitem> - <para> - Memory buffer error. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>PAM_SUCCESS</term> - <listitem> - <para> - The environment variable was successfully updated. 
- </para> - </listitem> - </varlistentry> - </variablelist> - </refsect1> - - <refsect1 id='pam_putenv-see_also'> - <title>SEE ALSO</title> - <para> - <citerefentry> - <refentrytitle>pam_start</refentrytitle><manvolnum>3</manvolnum> - </citerefentry>, - <citerefentry> - <refentrytitle>pam_getenv</refentrytitle><manvolnum>3</manvolnum> - </citerefentry>, - <citerefentry> - <refentrytitle>pam_getenvlist</refentrytitle><manvolnum>3</manvolnum> - </citerefentry>, - <citerefentry> - <refentrytitle>pam_strerror</refentrytitle><manvolnum>3</manvolnum> - </citerefentry>, - <citerefentry> - <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> - </citerefentry> - </para> - </refsect1> -</refentry> diff --git a/doc/man/pam_set_data.3.xml b/doc/man/pam_set_data.3.xml deleted file mode 100644 index d6d224e7..00000000 --- a/doc/man/pam_set_data.3.xml +++ /dev/null 
@@ -1,172 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN" - "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"> - -<refentry id='pam_set_data'> - - <refmeta> - <refentrytitle>pam_set_data</refentrytitle> - <manvolnum>3</manvolnum> - <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo> - </refmeta> - - <refnamediv id='pam_set_data-name'> - <refname>pam_set_data</refname> - <refpurpose> - set module internal data - </refpurpose> - </refnamediv> - - -<!-- body begins here --> - - <refsynopsisdiv> - - <funcsynopsis id="pam_set_data-synopsis"> - <funcsynopsisinfo>#include <security/pam_modules.h></funcsynopsisinfo> - <funcprototype> - <funcdef>int <function>pam_set_data</function></funcdef> - <paramdef>pam_handle_t *<parameter>pamh</parameter></paramdef> - <paramdef>const char *<parameter>module_data_name</parameter></paramdef> - <paramdef>void *<parameter>data</parameter></paramdef> - <paramdef>void <parameter>(*cleanup)(pam_handle_t *pamh, void *data, int error_status)</parameter></paramdef> - </funcprototype> - </funcsynopsis> - - </refsynopsisdiv> - - - <refsect1 id="pam_set_data-description"> - <title>DESCRIPTION</title> - <para> - The <function>pam_set_data</function> function associates a pointer - to an object with the (hopefully) unique string - <emphasis>module_data_name</emphasis> in the PAM context specified - by the <emphasis>pamh</emphasis> argument. - </para> - - <para> - PAM modules may be dynamically loadable objects. In general such files - should not contain <emphasis>static</emphasis> variables. This function - and its counterpart - <citerefentry> - <refentrytitle>pam_get_data</refentrytitle><manvolnum>3</manvolnum> - </citerefentry>, - provide a mechanism for a module to associate some data with - the handle <emphasis>pamh</emphasis>. 
Typically a module will call the - <function>pam_set_data</function> function to register some data - under a (hopefully) unique <emphasis>module_data_name</emphasis>. - The data is available for use by other modules too but - <emphasis>not</emphasis> by an application. Since this functions - stores only a pointer to the <emphasis>data</emphasis>, the module - should not modify or free the content of it. - </para> - - <para> - The function <function>cleanup()</function> is associated with the - <emphasis>data</emphasis> and, if non-NULL, it is called when this - data is over-written or following a call to - <citerefentry> - <refentrytitle>pam_end</refentrytitle><manvolnum>3</manvolnum> - </citerefentry>. - </para> - - <para> - The <emphasis>error_status</emphasis> argument is used to indicate - to the module the sort of action it is to take in cleaning this data - item. As an example, Kerberos creates a ticket file during the - authentication phase, this file might be associated with a data item. - When - <citerefentry> - <refentrytitle>pam_end</refentrytitle><manvolnum>3</manvolnum> - </citerefentry> - is called by the module, the <emphasis>error_status</emphasis> - carries the return value of the - <citerefentry> - <refentrytitle>pam_authenticate</refentrytitle><manvolnum>3</manvolnum> - </citerefentry> - or other <emphasis>libpam</emphasis> function as appropriate. Based - on this value the Kerberos module may choose to delete the ticket file - (<emphasis>authentication failure</emphasis>) or leave it in place. - </para> - - <para> - The <emphasis>error_status</emphasis> may have been logically - OR'd with either of the following two values: - </para> - - <variablelist> - <varlistentry> - <term>PAM_DATA_REPLACE</term> - <listitem> - <para> - When a data item is being replaced (through a second call to - <function>pam_set_data</function>) this mask is used. 
- Otherwise, the call is assumed to be from - <citerefentry> - <refentrytitle>pam_end</refentrytitle><manvolnum>3</manvolnum> - </citerefentry>. - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term>PAM_DATA_SILENT</term> - <listitem> - <para> - Which indicates that the process would prefer to perform the - <function>cleanup()</function> quietly. That is, discourages - logging/messages to the user. - </para> - </listitem> - </varlistentry> - </variablelist> - </refsect1> - - <refsect1 id="pam_set_data-return_values"> - <title>RETURN VALUES</title> - <variablelist> - <varlistentry> - <term>PAM_BUF_ERR</term> - <listitem> - <para> - Memory buffer error. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>PAM_SUCCESS</term> - <listitem> - <para> - Data was successful stored. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>PAM_SYSTEM_ERR</term> - <listitem> - <para> - A NULL pointer was submitted as PAM handle or the - function was called by an application. - </para> - </listitem> - </varlistentry> - </variablelist> - </refsect1> - - <refsect1 id="pam_set_data-see_also"> - <title>SEE ALSO</title> - <para> - <citerefentry> - <refentrytitle>pam_end</refentrytitle><manvolnum>3</manvolnum> - </citerefentry>, - <citerefentry> - <refentrytitle>pam_get_data</refentrytitle><manvolnum>3</manvolnum> - </citerefentry>, - <citerefentry> - <refentrytitle>pam_strerror</refentrytitle><manvolnum>3</manvolnum> - </citerefentry> - </para> - </refsect1> - -</refentry> diff --git a/doc/man/pam_set_item.3.xml b/doc/man/pam_set_item.3.xml deleted file mode 100644 index 39758313..00000000 --- a/doc/man/pam_set_item.3.xml +++ /dev/null 
@@ -1,136 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN" - "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd" -[ -<!-- -<!ENTITY accessconf SYSTEM "pam_item_types_std.inc.xml"> -<!ENTITY accessconf SYSTEM "pam_item_types_ext.inc.xml"> ---> -]> - -<refentry id='pam_set_item'> - - <refmeta> - <refentrytitle>pam_set_item</refentrytitle> - <manvolnum>3</manvolnum> - <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo> - </refmeta> - - <refnamediv id='pam_set_item-name'> - <refname>pam_set_item</refname> - <refpurpose> - set and update PAM informations - </refpurpose> - </refnamediv> - - -<!-- body begins here --> - - <refsynopsisdiv> - - <funcsynopsis id="pam_set_item-synopsis"> - <funcsynopsisinfo>#include <security/pam_modules.h></funcsynopsisinfo> - <funcprototype> - <funcdef>int <function>pam_set_item</function></funcdef> - <paramdef>pam_handle_t *<parameter>pamh</parameter></paramdef> - <paramdef>int <parameter>item_type</parameter></paramdef> - <paramdef>const void *<parameter>item</parameter></paramdef> - </funcprototype> - </funcsynopsis> - - </refsynopsisdiv> - - - <refsect1 id="pam_set_item-description"> - <title>DESCRIPTION</title> - <para> - The <function>pam_set_item</function> function allows applications - and PAM service modules to access and to update PAM informations - of <emphasis>item_type</emphasis>. For this a copy - of the object pointed to by the <emphasis>item</emphasis> argument - is created. 
The following <emphasis>item_type</emphasis>s are - supported: - </para> - - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_item_types_std.inc.xml"/> - - <para> - The following additional items are specific to Linux-PAM and should not be used in - portable applications: - </para> - - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_item_types_ext.inc.xml"/> - - <para> - For all <emphasis>item_type</emphasis>s, other than PAM_CONV and - PAM_FAIL_DELAY, <emphasis>item</emphasis> is a pointer to a <NUL> - terminated character string. In the case of PAM_CONV, - <emphasis>item</emphasis> points to an initialized - <emphasis>pam_conv</emphasis> structure. In the case of - PAM_FAIL_DELAY, <emphasis>item</emphasis> is a function pointer: - <function>void (*delay_fn)(int retval, unsigned usec_delay, void *appdata_ptr)</function> - </para> - - <para> - Both, PAM_AUTHTOK and PAM_OLDAUTHTOK, will be reseted before - returning to the application. Which means an application is not - able to access the authentication tokens. - </para> - - </refsect1> - - <refsect1 id="pam_set_item-return_values"> - <title>RETURN VALUES</title> - <variablelist> - <varlistentry> - <term>PAM_BAD_ITEM</term> - <listitem> - <para> - The application attempted to set an undefined or inaccessible - item. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>PAM_BUF_ERR</term> - <listitem> - <para> - Memory buffer error. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>PAM_SUCCESS</term> - <listitem> - <para> - Data was successful updated. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>PAM_SYSTEM_ERR</term> - <listitem> - <para> - The <emphasis>pam_handle_t</emphasis> passed as first - argument was invalid. 
- </para> - </listitem> - </varlistentry> - </variablelist> - </refsect1> - - <refsect1 id="pam_set_item-see_also"> - <title>SEE ALSO</title> - <para> - <citerefentry> - <refentrytitle>pam_get_item</refentrytitle><manvolnum>3</manvolnum> - </citerefentry>, - <citerefentry> - <refentrytitle>pam_strerror</refentrytitle><manvolnum>3</manvolnum> - </citerefentry> - </para> - </refsect1> - -</refentry> diff --git a/doc/man/pam_setcred.3.xml b/doc/man/pam_setcred.3.xml deleted file mode 100644 index 90e23b5c..00000000 --- a/doc/man/pam_setcred.3.xml +++ /dev/null 
@@ -1,173 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN" - "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"> - -<refentry id="pam_setcred"> - - <refmeta> - <refentrytitle>pam_setcred</refentrytitle> - <manvolnum>3</manvolnum> - <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo> - </refmeta> - - <refnamediv id="pam_setcred-name"> - <refname>pam_setcred</refname> - <refpurpose> - establish / delete user credentials - </refpurpose> - </refnamediv> - - <!-- body begins here --> - <refsynopsisdiv> - <funcsynopsis id='pam_setcred-synopsis'> - <funcsynopsisinfo>#include <security/pam_appl.h></funcsynopsisinfo> - <funcprototype> - <funcdef>int <function>pam_setcred</function></funcdef> - <paramdef>pam_handle_t *<parameter>pamh</parameter></paramdef> - <paramdef>int <parameter>flags</parameter></paramdef> - </funcprototype> - </funcsynopsis> - </refsynopsisdiv> - - - <refsect1 id='pam_setcred-description'> - <title>DESCRIPTION</title> - <para> - The <function>pam_setcred</function> function is used to establish, - maintain and delete the credentials of a user. It should be called - after a user has been authenticated and before a session is opened - for the user (with - <citerefentry> - <refentrytitle>pam_open_session</refentrytitle><manvolnum>3</manvolnum> - </citerefentry>). - </para> - - <para> - A credential is something that the user possesses. It is some - property, such as a <emphasis>Kerberos</emphasis> ticket, or a - supplementary group membership that make up the uniqueness of a - given user. On a Linux system the user's <emphasis>UID</emphasis> - and <emphasis>GID</emphasis>'s are credentials too. However, it - has been decided that these properties (along with the default - supplementary groups of which the user is a member) are credentials - that should be set directly by the application and not by PAM. 
- Such credentials should be established, by the application, prior - to a call to this function. For example, - <citerefentry> - <refentrytitle>initgroups</refentrytitle><manvolnum>2</manvolnum> - </citerefentry> (or equivalent) should have been performed. - </para> - - <para> - Valid <emphasis>flags</emphasis>, any one of which, may be - logically OR'd with <option>PAM_SILENT</option>, are: - </para> - - <variablelist> - <varlistentry> - <term>PAM_ESTABLISH_CRED</term> - <listitem> - <para>Initialize the credentials for the user.</para> - </listitem> - </varlistentry> - <varlistentry> - <term>PAM_DELETE_CRED</term> - <listitem> - <para>Delete the user's credentials.</para> - </listitem> - </varlistentry> - <varlistentry> - <term>PAM_REINITIALIZE_CRED</term> - <listitem> - <para>Fully reinitialize the user's credentials.</para> - </listitem> - </varlistentry> - <varlistentry> - <term>PAM_REFRESH_CRED</term> - <listitem> - <para>Extend the lifetime of the existing credentials.</para> - </listitem> - </varlistentry> - </variablelist> - </refsect1> - - <refsect1 id='pam_setcred-return_values'> - <title>RETURN VALUES</title> - <variablelist> - <varlistentry> - <term>PAM_BUF_ERR</term> - <listitem> - <para> - Memory buffer error. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>PAM_CRED_ERR</term> - <listitem> - <para> - Failed to set user credentials. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>PAM_CRED_EXPIRED</term> - <listitem> - <para> - User credentials are expired. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>PAM_CRED_UNAVAIL</term> - <listitem> - <para> - Failed to retrieve user credentials. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>PAM_SUCCESS</term> - <listitem> - <para> - Data was successful stored. 
- </para> - </listitem> - </varlistentry> - <varlistentry> - <term>PAM_SYSTEM_ERR</term> - <listitem> - <para> - A NULL pointer was submitted as PAM handle, the - function was called by a module or another system - error occured. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>PAM_USER_UNKNOWN</term> - <listitem> - <para> - User is not known to an authentication module. - </para> - </listitem> - </varlistentry> - - </variablelist> - </refsect1> - - <refsect1 id="pam_set_data-see_also"> - <title>SEE ALSO</title> - <para> - <citerefentry> - <refentrytitle>pam_authenticate</refentrytitle><manvolnum>3</manvolnum> - </citerefentry>, - <citerefentry> - <refentrytitle>pam_open_session</refentrytitle><manvolnum>3</manvolnum> - </citerefentry>, - <citerefentry> - <refentrytitle>pam_strerror</refentrytitle><manvolnum>3</manvolnum> - </citerefentry> - </para> - </refsect1> -</refentry> diff --git a/doc/man/pam_sm_acct_mgmt.3.xml b/doc/man/pam_sm_acct_mgmt.3.xml deleted file mode 100644 index 35aa28a8..00000000 --- a/doc/man/pam_sm_acct_mgmt.3.xml +++ /dev/null 
@@ -1,155 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN" - "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"> -<refentry id='pam_sm_acct_mgmt'> - <refmeta> - <refentrytitle>pam_sm_acct_mgmt</refentrytitle> - <manvolnum>3</manvolnum> - <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo> - </refmeta> - - <refnamediv id="pam_sm_acct_mgmt-name"> - <refname>pam_sm_acct_mgmt</refname> - <refpurpose>PAM service function for account management</refpurpose> - </refnamediv> - -<!-- body begins here --> - - <refsynopsisdiv> - <funcsynopsis id='pam_sm_acct_mgmt-synopsis'> - <funcsynopsisinfo>#define PAM_SM_ACCOUNT</funcsynopsisinfo> - <funcsynopsisinfo>#include <security/pam_modules.h></funcsynopsisinfo> - <funcprototype> - <funcdef>PAM_EXTERN int <function>pam_sm_acct_mgmt</function></funcdef> - <paramdef>pam_handle_t *<parameter>pamh</parameter></paramdef> - <paramdef>int <parameter>flags</parameter></paramdef> - <paramdef>int <parameter>argc</parameter></paramdef> - <paramdef>const char **<parameter>argv</parameter></paramdef> - </funcprototype> - </funcsynopsis> - </refsynopsisdiv> - - - <refsect1 id='pam_sm_acct_mgmt-description'> - <title>DESCRIPTION</title> - <para> - The <function>pam_sm_acct_mgmt</function> function is the service - module's implementation of the - <citerefentry> - <refentrytitle>pam_acct_mgmt</refentrytitle><manvolnum>3</manvolnum> - </citerefentry> interface. - </para> - <para> - This function performs the task of establishing whether the user is - permitted to gain access at this time. It should be understood that - the user has previously been validated by an authentication - module. This function checks for other things. Such things might be: - the time of day or the date, the terminal line, remote hostname, etc. - This function may also determine things like the expiration on - passwords, and respond that the user change it before continuing. 
- </para> - <para> - Valid flags, which may be logically OR'd with - <emphasis>PAM_SILENT</emphasis>, are: - </para> - <variablelist> - <varlistentry> - <term>PAM_SILENT</term> - <listitem> - <para> - Do not emit any messages. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>PAM_DISALLOW_NULL_AUTHTOK</term> - <listitem> - <para> - Return <emphasis remap='B'>PAM_AUTH_ERR</emphasis> if the - database of authentication tokens for this authentication - mechanism has a <emphasis>NULL</emphasis> entry for the user. - </para> - </listitem> - </varlistentry> - </variablelist> - </refsect1> - - <refsect1 id="pam_sm_acct_mgmt-return_values"> - <title>RETURN VALUES</title> - <variablelist> - <varlistentry> - <term>PAM_ACCT_EXPIRED</term> - <listitem> - <para> - User account has expired. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>PAM_AUTH_ERR</term> - <listitem> - <para> - Authentication failure. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>PAM_NEW_AUTHTOK_REQD</term> - <listitem> - <para> - The user's authentication token has expired. Before calling - this function again the application will arrange for a new - one to be given. This will likely result in a call to - <function>pam_sm_chauthtok()</function>. - - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>PAM_PERM_DENIED</term> - <listitem> - <para> - Permission denied. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>PAM_SUCCESS</term> - <listitem> - <para> - The authentication token was successfully updated. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>PAM_USER_UNKNOWN</term> - <listitem> - <para> - User unknown to password service. 
- </para> - </listitem> - </varlistentry> - </variablelist> - </refsect1> - - <refsect1 id='pam_sm_acct_mgmt-see_also'> - <title>SEE ALSO</title> - <para> - <citerefentry> - <refentrytitle>pam</refentrytitle><manvolnum>3</manvolnum> - </citerefentry>, - <citerefentry> - <refentrytitle>pam_acct_mgmt</refentrytitle><manvolnum>3</manvolnum> - </citerefentry>, - <citerefentry> - <refentrytitle>pam_sm_chauthtok</refentrytitle><manvolnum>3</manvolnum> - </citerefentry>, - <citerefentry> - <refentrytitle>pam_strerror</refentrytitle><manvolnum>3</manvolnum> - </citerefentry>, - <citerefentry> - <refentrytitle>PAM</refentrytitle><manvolnum>8</manvolnum> - </citerefentry> - </para> - </refsect1> -</refentry> diff --git a/doc/man/pam_sm_authenticate.3.xml b/doc/man/pam_sm_authenticate.3.xml deleted file mode 100644 index 37c77576..00000000 --- a/doc/man/pam_sm_authenticate.3.xml +++ /dev/null 
@@ -1,152 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN" - "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"> -<refentry id='pam_sm_authenticate'> - <refmeta> - <refentrytitle>pam_sm_authenticate</refentrytitle> - <manvolnum>3</manvolnum> - <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo> - </refmeta> - - <refnamediv id="pam_sm_authenticate-name"> - <refname>pam_sm_authenticate</refname> - <refpurpose>PAM service function for user authentication</refpurpose> - </refnamediv> - -<!-- body begins here --> - - <refsynopsisdiv> - <funcsynopsis id='pam_sm_authenticate-synopsis'> - <funcsynopsisinfo>#define PAM_SM_AUTH</funcsynopsisinfo> - <funcsynopsisinfo>#include <security/pam_modules.h></funcsynopsisinfo> - <funcprototype> - <funcdef>PAM_EXTERN int <function>pam_sm_authenticate</function></funcdef> - <paramdef>pam_handle_t *<parameter>pamh</parameter></paramdef> - <paramdef>int <parameter>flags</parameter></paramdef> - <paramdef>int <parameter>argc</parameter></paramdef> - <paramdef>const char **<parameter>argv</parameter></paramdef> - </funcprototype> - </funcsynopsis> - </refsynopsisdiv> - - - <refsect1 id='pam_sm_authenticate-description'> - <title>DESCRIPTION</title> - <para> - The <function>pam_sm_authenticate</function> function is the service - module's implementation of the - <citerefentry> - <refentrytitle>pam_authenticate</refentrytitle><manvolnum>3</manvolnum> - </citerefentry> interface. - </para> - <para> - This function performs the task of authenticating the user. - </para> - <para> - Valid flags, which may be logically OR'd with - <emphasis>PAM_SILENT</emphasis>, are: - </para> - <variablelist> - <varlistentry> - <term>PAM_SILENT</term> - <listitem> - <para> - Do not emit any messages. 
- </para> - </listitem> - </varlistentry> - <varlistentry> - <term>PAM_DISALLOW_NULL_AUTHTOK</term> - <listitem> - <para> - Return <emphasis remap='B'>PAM_AUTH_ERR</emphasis> if the - database of authentication tokens for this authentication - mechanism has a <emphasis>NULL</emphasis> entry for the user. - Without this flag, such a <emphasis>NULL</emphasis> token - will lead to a success without the user being prompted. - </para> - </listitem> - </varlistentry> - </variablelist> - </refsect1> - - <refsect1 id="pam_sm_authenticate-return_values"> - <title>RETURN VALUES</title> - <variablelist> - <varlistentry> - <term>PAM_AUTH_ERR</term> - <listitem> - <para> - Authentication failure. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>PAM_CRED_INSUFFICIENT</term> - <listitem> - <para> - For some reason the application does not have sufficient - credentials to authenticate the user. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>PAM_AUTHINFO_UNAVAIL</term> - <listitem> - <para> - The modules were not able to access the authentication - information. This might be due to a network or hardware - failure etc. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>PAM_SUCCESS</term> - <listitem> - <para> - The authentication token was successfully updated. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>PAM_USER_UNKNOWN</term> - <listitem> - <para> - The supplied username is not known to the authentication - service. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>PAM_MAXTRIES</term> - <listitem> - <para> - One or more of the authentication modules has reached its - limit of tries authenticating the user. Do not try again. 
- </para> - </listitem> - </varlistentry> - </variablelist> - </refsect1> - - <refsect1 id='pam_sm_authenticate-see_also'> - <title>SEE ALSO</title> - <para> - <citerefentry> - <refentrytitle>pam</refentrytitle><manvolnum>3</manvolnum> - </citerefentry>, - <citerefentry> - <refentrytitle>pam_authenticate</refentrytitle><manvolnum>3</manvolnum> - </citerefentry>, - <citerefentry> - <refentrytitle>pam_sm_setcred</refentrytitle><manvolnum>3</manvolnum> - </citerefentry>, - <citerefentry> - <refentrytitle>pam_strerror</refentrytitle><manvolnum>3</manvolnum> - </citerefentry>, - <citerefentry> - <refentrytitle>PAM</refentrytitle><manvolnum>8</manvolnum> - </citerefentry> - </para> - </refsect1> -</refentry> diff --git a/doc/man/pam_sm_chauthtok.3.xml b/doc/man/pam_sm_chauthtok.3.xml deleted file mode 100644 index c36a0baf..00000000 --- a/doc/man/pam_sm_chauthtok.3.xml +++ /dev/null 
@@ -1,200 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN" - "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"> -<refentry id='pam_sm_chauthtok'> - <refmeta> - <refentrytitle>pam_sm_chauthtok</refentrytitle> - <manvolnum>3</manvolnum> - <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo> - </refmeta> - - <refnamediv id="pam_sm_chauthtok-name"> - <refname>pam_sm_chauthtok</refname> - <refpurpose>PAM service function for authentication token management</refpurpose> - </refnamediv> - -<!-- body begins here --> - - <refsynopsisdiv> - <funcsynopsis id='pam_sm_chauthtok-synopsis'> - <funcsynopsisinfo>#define PAM_SM_PASSWORD</funcsynopsisinfo> - <funcsynopsisinfo>#include <security/pam_modules.h></funcsynopsisinfo> - <funcprototype> - <funcdef>PAM_EXTERN int <function>pam_sm_chauthtok</function></funcdef> - <paramdef>pam_handle_t *<parameter>pamh</parameter></paramdef> - <paramdef>int <parameter>flags</parameter></paramdef> - <paramdef>int <parameter>argc</parameter></paramdef> - <paramdef>const char **<parameter>argv</parameter></paramdef> - </funcprototype> - </funcsynopsis> - </refsynopsisdiv> - - - <refsect1 id='pam_sm_chauthtok-description'> - <title>DESCRIPTION</title> - <para> - The <function>pam_sm_chauthtok</function> function is the service - module's implementation of the - <citerefentry> - <refentrytitle>pam_chauthtok</refentrytitle><manvolnum>3</manvolnum> - </citerefentry> interface. - </para> - <para> - This function is used to (re-)set the authentication token of the user. - </para> - <para> - Valid flags, which may be logically OR'd with - <emphasis>PAM_SILENT</emphasis>, are: - </para> - <variablelist> - <varlistentry> - <term>PAM_SILENT</term> - <listitem> - <para> - Do not emit any messages. 
- </para> - </listitem> - </varlistentry> - <varlistentry> - <term>PAM_CHANGE_EXPIRED_AUTHTOK</term> - <listitem> - <para> - This argument indicates to the module that the users - authentication token (password) should only be changed if - it has expired. This flag is optional and - <emphasis>must</emphasis> be combined with one of the - following two flags. Note, however, the following two options - are <emphasis>mutually exclusive</emphasis>. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>PAM_PRELIM_CHECK</term> - <listitem> - <para> - This indicates that the modules are being probed as to - their ready status for altering the user's authentication - token. If the module requires access to another system over - some network it should attempt to verify it can connect to - this system on receiving this flag. If a module cannot establish - it is ready to update the user's authentication token it should - return <emphasis remap='B'>PAM_TRY_AGAIN</emphasis>, this - information will be passed back to the application. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>PAM_UPDATE_AUTHTOK</term> - <listitem> - <para> - This informs the module that this is the call it should change - the authorization tokens. If the flag is logically OR'd with - <emphasis remap='B'>PAM_CHANGE_EXPIRED_AUTHTOK</emphasis>, the - token is only changed if it has actually expired. - </para> - </listitem> - </varlistentry> - </variablelist> - <para> - The PAM library calls this function twice in succession. The first - time with <emphasis remap='B'>PAM_PRELIM_CHECK</emphasis> and then, - if the module does not return - <emphasis remap='B'>PAM_TRY_AGAIN</emphasis>, subsequently with - <emphasis remap='B'>PAM_UPDATE_AUTHTOK</emphasis>. It is only on - the second call that the authorization token is (possibly) changed. 
- </para> - </refsect1> - - <refsect1 id="pam_sm_chauthtok-return_values"> - <title>RETURN VALUES</title> - <variablelist> - <varlistentry> - <term>PAM_AUTHTOK_ERR</term> - <listitem> - <para> - The module was unable to obtain the new authentication token. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>PAM_AUTHTOK_RECOVERY_ERR</term> - <listitem> - <para> - The module was unable to obtain the old authentication token. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>PAM_AUTHTOK_LOCK_BUSY</term> - <listitem> - <para> - Cannot change the authentication token since it is currently - locked. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>PAM_AUTHTOK_DISABLE_AGING</term> - <listitem> - <para> - Authentication token aging has been disabled. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>PAM_PERM_DENIED</term> - <listitem> - <para> - Permission denied. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>PAM_TRY_AGAIN</term> - <listitem> - <para> - Preliminary check was unsuccessful. Signals an immediate - return to the application is desired. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>PAM_SUCCESS</term> - <listitem> - <para> - The authentication token was successfully updated. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>PAM_USER_UNKNOWN</term> - <listitem> - <para> - User unknown to password service. 
- </para> - </listitem> - </varlistentry> - </variablelist> - </refsect1> - - <refsect1 id='pam_sm_chauthtok-see_also'> - <title>SEE ALSO</title> - <para> - <citerefentry> - <refentrytitle>pam</refentrytitle><manvolnum>3</manvolnum> - </citerefentry>, - <citerefentry> - <refentrytitle>pam_chauthtok</refentrytitle><manvolnum>3</manvolnum> - </citerefentry>, - <citerefentry> - <refentrytitle>pam_sm_chauthtok</refentrytitle><manvolnum>3</manvolnum> - </citerefentry>, - <citerefentry> - <refentrytitle>pam_strerror</refentrytitle><manvolnum>3</manvolnum> - </citerefentry>, - <citerefentry> - <refentrytitle>PAM</refentrytitle><manvolnum>8</manvolnum> - </citerefentry> - </para> - </refsect1> -</refentry> diff --git a/doc/man/pam_sm_close_session.3.xml b/doc/man/pam_sm_close_session.3.xml deleted file mode 100644 index f2e67185..00000000 --- a/doc/man/pam_sm_close_session.3.xml +++ /dev/null 
@@ -1,100 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN" - "http://www.oasis-close.org/docbook/xml/4.1.2/docbookx.dtd"> -<refentry id='pam_sm_close_session'> - <refmeta> - <refentrytitle>pam_sm_close_session</refentrytitle> - <manvolnum>3</manvolnum> - <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo> - </refmeta> - - <refnamediv id="pam_sm_close_session-name"> - <refname>pam_sm_close_session</refname> - <refpurpose>PAM service function to terminate session management</refpurpose> - </refnamediv> - -<!-- body begins here --> - - <refsynopsisdiv> - <funcsynopsis id='pam_sm_close_session-synopsis'> - <funcsynopsisinfo>#define PAM_SM_SESSION</funcsynopsisinfo> - <funcsynopsisinfo>#include <security/pam_modules.h></funcsynopsisinfo> - <funcprototype> - <funcdef>PAM_EXTERN int <function>pam_sm_close_session</function></funcdef> - <paramdef>pam_handle_t *<parameter>pamh</parameter></paramdef> - <paramdef>int <parameter>flags</parameter></paramdef> - <paramdef>int <parameter>argc</parameter></paramdef> - <paramdef>const char **<parameter>argv</parameter></paramdef> - </funcprototype> - </funcsynopsis> - </refsynopsisdiv> - - - <refsect1 id='pam_sm_close_session-description'> - <title>DESCRIPTION</title> - <para> - The <function>pam_sm_close_session</function> function is the service - module's implementation of the - <citerefentry> - <refentrytitle>pam_close_session</refentrytitle><manvolnum>3</manvolnum> - </citerefentry> interface. - </para> - <para> - This function is called to terminate a session. The only valid - value for <varname role='parameter'>flags</varname> is zero or: - </para> - <variablelist> - <varlistentry> - <term>PAM_SILENT</term> - <listitem> - <para> - Do not emit any messages. 
- </para> - </listitem> - </varlistentry> - </variablelist> - </refsect1> - - <refsect1 id="pam_sm_close_session-return_values"> - <title>RETURN VALUES</title> - <variablelist> - <varlistentry> - <term>PAM_SESSION_ERR</term> - <listitem> - <para> - Cannot make/remove an entry for the specified session. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>PAM_SUCCESS</term> - <listitem> - <para> - The session was successfully terminated. - </para> - </listitem> - </varlistentry> - </variablelist> - </refsect1> - - <refsect1 id='pam_sm_close_session-see_also'> - <title>SEE ALSO</title> - <para> - <citerefentry> - <refentrytitle>pam</refentrytitle><manvolnum>3</manvolnum> - </citerefentry>, - <citerefentry> - <refentrytitle>pam_close_session</refentrytitle><manvolnum>3</manvolnum> - </citerefentry>, - <citerefentry> - <refentrytitle>pam_sm_close_session</refentrytitle><manvolnum>3</manvolnum> - </citerefentry>, - <citerefentry> - <refentrytitle>pam_strerror</refentrytitle><manvolnum>3</manvolnum> - </citerefentry>, - <citerefentry> - <refentrytitle>PAM</refentrytitle><manvolnum>8</manvolnum> - </citerefentry> - </para> - </refsect1> -</refentry> diff --git a/doc/man/pam_sm_open_session.3.xml b/doc/man/pam_sm_open_session.3.xml deleted file mode 100644 index 0851c345..00000000 --- a/doc/man/pam_sm_open_session.3.xml +++ /dev/null 
@@ -1,100 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN" - "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"> -<refentry id='pam_sm_open_session'> - <refmeta> - <refentrytitle>pam_sm_open_session</refentrytitle> - <manvolnum>3</manvolnum> - <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo> - </refmeta> - - <refnamediv id="pam_sm_open_session-name"> - <refname>pam_sm_open_session</refname> - <refpurpose>PAM service function to start session management</refpurpose> - </refnamediv> - -<!-- body begins here --> - - <refsynopsisdiv> - <funcsynopsis id='pam_sm_open_session-synopsis'> - <funcsynopsisinfo>#define PAM_SM_SESSION</funcsynopsisinfo> - <funcsynopsisinfo>#include <security/pam_modules.h></funcsynopsisinfo> - <funcprototype> - <funcdef>PAM_EXTERN int <function>pam_sm_open_session</function></funcdef> - <paramdef>pam_handle_t *<parameter>pamh</parameter></paramdef> - <paramdef>int <parameter>flags</parameter></paramdef> - <paramdef>int <parameter>argc</parameter></paramdef> - <paramdef>const char **<parameter>argv</parameter></paramdef> - </funcprototype> - </funcsynopsis> - </refsynopsisdiv> - - - <refsect1 id='pam_sm_open_session-description'> - <title>DESCRIPTION</title> - <para> - The <function>pam_sm_open_session</function> function is the service - module's implementation of the - <citerefentry> - <refentrytitle>pam_open_session</refentrytitle><manvolnum>3</manvolnum> - </citerefentry> interface. - </para> - <para> - This function is called to commence a session. The only valid - value for <varname role='parameter'>flags</varname> is zero or: - </para> - <variablelist> - <varlistentry> - <term>PAM_SILENT</term> - <listitem> - <para> - Do not emit any messages. 
- </para> - </listitem> - </varlistentry> - </variablelist> - </refsect1> - - <refsect1 id="pam_sm_open_session-return_values"> - <title>RETURN VALUES</title> - <variablelist> - <varlistentry> - <term>PAM_SESSION_ERR</term> - <listitem> - <para> - Cannot make/remove an entry for the specified session. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>PAM_SUCCESS</term> - <listitem> - <para> - The session was successfully started. - </para> - </listitem> - </varlistentry> - </variablelist> - </refsect1> - - <refsect1 id='pam_sm_open_session-see_also'> - <title>SEE ALSO</title> - <para> - <citerefentry> - <refentrytitle>pam</refentrytitle><manvolnum>3</manvolnum> - </citerefentry>, - <citerefentry> - <refentrytitle>pam_open_session</refentrytitle><manvolnum>3</manvolnum> - </citerefentry>, - <citerefentry> - <refentrytitle>pam_sm_close_session</refentrytitle><manvolnum>3</manvolnum> - </citerefentry>, - <citerefentry> - <refentrytitle>pam_strerror</refentrytitle><manvolnum>3</manvolnum> - </citerefentry>, - <citerefentry> - <refentrytitle>PAM</refentrytitle><manvolnum>8</manvolnum> - </citerefentry> - </para> - </refsect1> -</refentry> diff --git a/doc/man/pam_sm_setcred.3.xml b/doc/man/pam_sm_setcred.3.xml deleted file mode 100644 index e4809ad7..00000000 --- a/doc/man/pam_sm_setcred.3.xml +++ /dev/null 
@@ -1,179 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN" - "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"> -<refentry id='pam_sm_setcred'> - <refmeta> - <refentrytitle>pam_sm_setcred</refentrytitle> - <manvolnum>3</manvolnum> - <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo> - </refmeta> - - <refnamediv id="pam_sm_setcred-name"> - <refname>pam_sm_setcred</refname> - <refpurpose>PAM service function to alter credentials</refpurpose> - </refnamediv> - -<!-- body begins here --> - - <refsynopsisdiv> - <funcsynopsis id='pam_sm_setcred-synopsis'> - <funcsynopsisinfo>#define PAM_SM_AUTH</funcsynopsisinfo> - <funcsynopsisinfo>#include <security/pam_modules.h></funcsynopsisinfo> - <funcprototype> - <funcdef>PAM_EXTERN int <function>pam_sm_setcred</function></funcdef> - <paramdef>pam_handle_t *<parameter>pamh</parameter></paramdef> - <paramdef>int <parameter>flags</parameter></paramdef> - <paramdef>int <parameter>argc</parameter></paramdef> - <paramdef>const char **<parameter>argv</parameter></paramdef> - </funcprototype> - </funcsynopsis> - </refsynopsisdiv> - - - <refsect1 id='pam_sm_setcred-description'> - <title>DESCRIPTION</title> - <para> - The <function>pam_sm_setcred</function> function is the service - module's implementation of the - <citerefentry> - <refentrytitle>pam_setcred</refentrytitle><manvolnum>3</manvolnum> - </citerefentry> interface. - </para> - <para> - This function performs the task of altering the credentials of the - user with respect to the corresponding authorization - scheme. Generally, an authentication module may have access to more - information about a user than their authentication token. This - function is used to make such information available to the - application. It should only be called <emphasis>after</emphasis> the - user has been authenticated but before a session has been established. 
- </para> - <para> - Valid flags, which may be logically OR'd with - <emphasis>PAM_SILENT</emphasis>, are: - </para> - <variablelist> - <varlistentry> - <term>PAM_SILENT</term> - <listitem> - <para> - Do not emit any messages. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>PAM_DELETE_CRED</term> - <listitem> - <para> - Delete the credentials associated with the authentication service. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>PAM_REINITIALIZE_CRED</term> - <listitem> - <para> - Reinitialize the user credentials. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>PAM_REFRESH_CRED</term> - <listitem> - <para> - Extend the lifetime of the user credentials. - </para> - </listitem> - </varlistentry> - </variablelist> - <para> - The way the <emphasis remap='B'>auth</emphasis> stack is - navigated in order to evaluate the <function>pam_setcred</function>() - function call, independent of the <function>pam_sm_setcred</function>() - return codes, is exactly the same way that it was navigated when - evaluating the <function>pam_authenticate</function>() library - call. Typically, if a stack entry was ignored in evaluating - <function>pam_authenticate</function>(), it will be ignored when - libpam evaluates the <function>pam_setcred</function>() function - call. Otherwise, the return codes from each module specific - <function>pam_sm_setcred</function>() call are treated as - <emphasis remap='B'>required</emphasis>. - </para> - </refsect1> - - <refsect1 id="pam_sm_setcred-return_values"> - <title>RETURN VALUES</title> - <variablelist> - <varlistentry> - <term>PAM_CRED_UNAVAIL</term> - <listitem> - <para> - This module cannot retrieve the user's credentials. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>PAM_CRED_EXPIRED</term> - <listitem> - <para> - The user's credentials have expired. 
- </para> - </listitem> - </varlistentry> - <varlistentry> - <term>PAM_CRED_ERR</term> - <listitem> - <para> - This module was unable to set the credentials of the user. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>PAM_SUCCESS</term> - <listitem> - <para> - The user credential was successfully set. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>PAM_USER_UNKNOWN</term> - <listitem> - <para> - The user is not known to this authentication module. - </para> - </listitem> - </varlistentry> - </variablelist> - <para> - These, non-<emphasis>PAM_SUCCESS</emphasis>, return values will - typically lead to the credential stack <emphasis>failing</emphasis>. - The first such error will dominate in the return value of - <function>pam_setcred</function>(). - </para> - </refsect1> - - <refsect1 id='pam_sm_setcred-see_also'> - <title>SEE ALSO</title> - <para> - <citerefentry> - <refentrytitle>pam</refentrytitle><manvolnum>3</manvolnum> - </citerefentry>, - <citerefentry> - <refentrytitle>pam_authenticate</refentrytitle><manvolnum>3</manvolnum> - </citerefentry>, - <citerefentry> - <refentrytitle>pam_setcred</refentrytitle><manvolnum>3</manvolnum> - </citerefentry>, - <citerefentry> - <refentrytitle>pam_sm_authenticate</refentrytitle><manvolnum>3</manvolnum> - </citerefentry>, - <citerefentry> - <refentrytitle>pam_strerror</refentrytitle><manvolnum>3</manvolnum> - </citerefentry>, - <citerefentry> - <refentrytitle>PAM</refentrytitle><manvolnum>8</manvolnum> - </citerefentry> - </para> - </refsect1> -</refentry> diff --git a/doc/man/pam_start.3.xml b/doc/man/pam_start.3.xml deleted file mode 100644 index 9b370f52..00000000 --- a/doc/man/pam_start.3.xml +++ /dev/null 
@@ -1,147 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN" - "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"> - -<refentry id='pam_start'> - - <refmeta> - <refentrytitle>pam_start</refentrytitle> - <manvolnum>3</manvolnum> - <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo> - </refmeta> - - <refnamediv id="pam_start-name"> - <refname>pam_start</refname> - <refpurpose>initialization of PAM transaction</refpurpose> - </refnamediv> - -<!-- body begins here --> - - <refsynopsisdiv> - <funcsynopsis id="pam_start-synopsis"> - <funcsynopsisinfo>#include <security/pam_appl.h></funcsynopsisinfo> - <funcprototype> - <funcdef>int <function>pam_start</function></funcdef> - <paramdef>const char *<parameter>service_name</parameter></paramdef> - <paramdef>const char *<parameter>user</parameter></paramdef> - <paramdef>const struct pam_conv *<parameter>pam_conversation</parameter></paramdef> - <paramdef>pam_handle_t **<parameter>pamh</parameter></paramdef> - </funcprototype> - </funcsynopsis> - </refsynopsisdiv> - - - <refsect1 id="pam_start-description"> - <title>DESCRIPTION</title> - <para> - The <function>pam_start</function> function creates the PAM context - and initiates the PAM transaction. It is the first of the PAM - functions that needs to be called by an application. The transaction - state is contained entirely within the structure identified by this - handle, so it is possible to have multiple transactions in parallel. - But it is not possible to use the same handle for different - transactions, a new one is needed for every new context. - </para> - - <para> - The <emphasis>service_name</emphasis> argument specifies the name - of the service to apply and will be stored as PAM_SERVICE item in - the new context. The policy for the service will be read from the - file <filename>/etc/pam.d/service_name</filename> or, if that file - does not exist, from <filename>/etc/pam.conf</filename>. 
- </para> - - <para> - The <emphasis>user</emphasis> argument can specify the name - of the target user and will be stored as PAM_USER item. If - the argument is NULL, the module has to ask for this item if - necessary. - </para> - - <para> - The <emphasis>pam_conversation</emphasis> argument points to - a <emphasis>struct pam_conv</emphasis> describing the - conversation function to use. An application must provide this - for direct communication between a loaded module and the - application. - </para> - - <para> - Following a successful return (PAM_SUCCESS) the contents of - <emphasis>pamh</emphasis> is a handle that contains the PAM - context for successive calls to the PAM functions. In an error - case is the content of <emphasis>pamh</emphasis> undefined. - </para> - - <para> - The <emphasis>pam_handle_t</emphasis> is a blind structure and - the application should not attempt to probe it directly for - information. Instead the PAM library provides the functions - <citerefentry> - <refentrytitle>pam_set_item</refentrytitle><manvolnum>3</manvolnum> - </citerefentry> and - <citerefentry> - <refentrytitle>pam_get_item</refentrytitle><manvolnum>3</manvolnum> - </citerefentry>. - The PAM handle cannot be used for mulitiple authentications at the - same time as long as <function>pam_end</function> was not called on - it before. - </para> - </refsect1> - <refsect1 id="pam_start-return_values"> - <title>RETURN VALUES</title> - <variablelist> - <varlistentry> - <term>PAM_ABORT</term> - <listitem> - <para> - General failure. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>PAM_BUF_ERR</term> - <listitem> - <para> - Memory buffer error. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>PAM_SUCCESS</term> - <listitem> - <para> - Transaction was successful created. 
- </para> - </listitem> - </varlistentry> - <varlistentry> - <term>PAM_SYSTEM_ERR</term> - <listitem> - <para> - System error, for example a NULL pointer was submitted - instead of a pointer to data. - </para> - </listitem> - </varlistentry> - </variablelist> - </refsect1> - - <refsect1 id="pam_start-see_also"> - <title>SEE ALSO</title> - <para> - <citerefentry> - <refentrytitle>pam_get_data</refentrytitle><manvolnum>3</manvolnum> - </citerefentry>, - <citerefentry> - <refentrytitle>pam_set_data</refentrytitle><manvolnum>3</manvolnum> - </citerefentry>, - <citerefentry> - <refentrytitle>pam_end</refentrytitle><manvolnum>3</manvolnum> - </citerefentry>, - <citerefentry> - <refentrytitle>pam_strerror</refentrytitle><manvolnum>3</manvolnum> - </citerefentry> - </para> - </refsect1> -</refentry> diff --git a/doc/man/pam_strerror.3.xml b/doc/man/pam_strerror.3.xml deleted file mode 100644 index 954e131d..00000000 --- a/doc/man/pam_strerror.3.xml +++ /dev/null 
@@ -1,58 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN" - "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"> - -<refentry id='pam_strerror'> - - <refmeta> - <refentrytitle>pam_strerror</refentrytitle> - <manvolnum>3</manvolnum> - <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo> - </refmeta> - - <refnamediv id="pam_strerror-name"> - <refname>pam_strerror</refname> - <refpurpose>return string describing PAM error code</refpurpose> - </refnamediv> - -<!-- body begins here --> - - <refsynopsisdiv> - <funcsynopsis id="pam_strerror-synopsis"> - <funcsynopsisinfo>#include <security/pam_appl.h></funcsynopsisinfo> - <funcprototype> - <funcdef>const char *<function>pam_strerror</function></funcdef> - <paramdef>pam_handle_t *<parameter>pamh</parameter></paramdef> - <paramdef>int <parameter>errnum</parameter></paramdef> - </funcprototype> - </funcsynopsis> - </refsynopsisdiv> - - - <refsect1 id="pam_strerror-description"> - <title>DESCRIPTION</title> - <para> - The <function>pam_strerror</function> function returns a pointer to - a string describing the error code passed in the argument - <emphasis>errnum</emphasis>, possibly using the LC_MESSAGES part of - the current locale to select the appropriate language. This string - must not be modified by the application. No library function will - modify this string. - </para> - </refsect1> - <refsect1 id="pam_strerror-return_values"> - <title>RETURN VALUES</title> - <para> - This function returns always a pointer to a string. - </para> - </refsect1> - - <refsect1 id="pam_strerror-see_also"> - <title>SEE ALSO</title> - <para> - <citerefentry> - <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> - </citerefentry> - </para> - </refsect1> -</refentry> diff --git a/doc/man/pam_syslog.3.xml b/doc/man/pam_syslog.3.xml deleted file mode 100644 index 7c5b166a..00000000 --- a/doc/man/pam_syslog.3.xml +++ /dev/null 
@@ -1,82 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN" - "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"> - -<refentry id="pam_syslog"> - - <refmeta> - <refentrytitle>pam_syslog</refentrytitle> - <manvolnum>3</manvolnum> - <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo> - </refmeta> - - <refnamediv id="pam_syslog-name"> - <refname>pam_syslog</refname> - <refname>pam_vsyslog</refname> - <refpurpose>send messages to the system logger</refpurpose> - </refnamediv> - -<!-- body begins here --> - - <refsynopsisdiv id="pam_syslog-synopsis"> - <funcsynopsis> - <funcsynopsisinfo>#include <syslog.h></funcsynopsisinfo> - <funcsynopsisinfo>#include <security/pam_ext.h></funcsynopsisinfo> - <funcprototype> - <funcdef>void <function>pam_syslog</function></funcdef> - <paramdef>pam_handle_t *<parameter>pamh</parameter></paramdef> - <paramdef>int <parameter>priority</parameter></paramdef> - <paramdef>const char *<parameter>fmt</parameter></paramdef> - <paramdef><parameter>...</parameter></paramdef> - </funcprototype> - <funcprototype> - <funcdef>void <function>pam_vsyslog</function></funcdef> - <paramdef>pam_handle_t *<parameter>pamh</parameter></paramdef> - <paramdef>int <parameter>priority</parameter></paramdef> - <paramdef>const char *<parameter>fmt</parameter></paramdef> - <paramdef>va_list <parameter>args</parameter></paramdef> - </funcprototype> - </funcsynopsis> - </refsynopsisdiv> - - <refsect1 id='pam_syslog-description'> - <title>DESCRIPTION</title> - <para> - The <function>pam_syslog</function> function logs messages using - <citerefentry> - <refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum> - </citerefentry> and is intended for internal use by Linux-PAM and - PAM service modules. 
The <emphasis>priority</emphasis> argument is - formed by ORing the facility and the level values as documented - in the <citerefentry> - <refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum> - </citerefentry> manual page. - </para> - <para> - The <function>pam_vsyslog</function> function performs the same - task as <function>pam_syslog()</function> with the difference - that it takes a set of arguments which have been obtained using - the <citerefentry> - <refentrytitle>stdarg</refentrytitle><manvolnum>3</manvolnum> - </citerefentry> variable argument list macros. - </para> - </refsect1> - - <refsect1 id='pam_syslog-see_also'> - <title>SEE ALSO</title> - <para> - <citerefentry> - <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> - </citerefentry> - </para> - </refsect1> - - <refsect1 id='pam_syslog-standards'> - <title>STANDARDS</title> - <para> - The <function>pam_syslog</function> and <function>pam_vsyslog</function> - functions are Linux-PAM extensions. - </para> - </refsect1> - -</refentry> diff --git a/doc/man/pam_xauth_data.3.xml b/doc/man/pam_xauth_data.3.xml deleted file mode 100644 index 0cd6730b..00000000 --- a/doc/man/pam_xauth_data.3.xml +++ /dev/null 
@@ -1,94 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN" - "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"> - -<refentry id="pam_xauth_data"> - - <refmeta> - <refentrytitle>pam_xauth_data</refentrytitle> - <manvolnum>3</manvolnum> - <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo> - </refmeta> - - <refnamediv id="pam_xauth_data-name"> - <refname>pam_xauth_data</refname> - <refpurpose>structure containing X authentication data</refpurpose> - </refnamediv> - -<!-- body begins here --> - - <refsynopsisdiv> - <funcsynopsis id="pam_xauth_data-synopsis"> - <funcsynopsisinfo>#include <security/pam_appl.h></funcsynopsisinfo> - </funcsynopsis> - <programlisting> -struct pam_xauth_data { - int namelen; - char *name; - int datalen; - char *data; -}; - </programlisting> - </refsynopsisdiv> - - <refsect1 id='pam_xauth_data-description'> - <title>DESCRIPTION</title> - <para> - The <function>pam_xauth_data</function> structure contains X - authentication data used to make a connection to an X display. - Using this mechanism, an application can communicate X - authentication data to PAM service modules. This allows modules to - make a connection to the user's X display in order to label the - user's session on login, display visual feedback or for other - purposes. - </para> - <para> - The <emphasis>name</emphasis> field contains the name of the - authentication method, such as "MIT-MAGIC-COOKIE-1". The - <emphasis>namelen</emphasis> field contains the length of this string, - not including the trailing NUL character. - </para> - <para> - The <emphasis>data</emphasis> field contains the authentication - method-specific data corresponding to the specified name. The - <emphasis>datalen</emphasis> field contains its length in bytes. - </para> - <para> - The X authentication data can be changed with the - <emphasis>PAM_XAUTH_DATA</emphasis> item. 
It can be queried and - set with - <citerefentry> - <refentrytitle>pam_get_item</refentrytitle><manvolnum>3</manvolnum> - </citerefentry> - and - <citerefentry> - <refentrytitle>pam_set_item </refentrytitle><manvolnum>3</manvolnum> - </citerefentry> respectively. The value used to set it should be - a pointer to a pam_xauth_data structure. An internal copy of both - the structure itself and its fields is made by PAM when setting the - item. - </para> - </refsect1> - - <refsect1 id='pam_xauth_data-see_also'> - <title>SEE ALSO</title> - <para> - <citerefentry> - <refentrytitle>pam_start</refentrytitle><manvolnum>3</manvolnum> - </citerefentry>, - <citerefentry> - <refentrytitle>pam_get_item</refentrytitle><manvolnum>3</manvolnum> - </citerefentry>, - </para> - </refsect1> - - <refsect1 id='pam_xauth_data-standards'> - <title>STANDARDS</title> - <para> - The <function>pam_xauth_data</function> structure and - <emphasis>PAM_XAUTH_DATA</emphasis> item are - Linux-PAM extensions. - </para> - </refsect1> - -</refentry> diff --git a/doc/mwg/.cvsignore b/doc/mwg/.cvsignore deleted file mode 100644 index d9b71235..00000000 --- a/doc/mwg/.cvsignore +++ /dev/null @@ -1,7 +0,0 @@ -Makefile -Makefile.in -*~ -html -*.fo -*.pdf -*.txt diff --git a/doc/mwg/Linux-PAM_MWG.xml b/doc/mwg/Linux-PAM_MWG.xml deleted file mode 100644 index a7d97e4e..00000000 --- a/doc/mwg/Linux-PAM_MWG.xml +++ /dev/null 
@@ -1,656 +0,0 @@ -<?xml version='1.0' encoding='UTF-8'?> -<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN" - "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"> -<book id="mwg"> - <bookinfo> - <title>The Linux-PAM Module Writers' Guide</title> - <authorgroup> - <author> - <firstname>Andrew G.</firstname> - <surname>Morgan</surname> - <email>morgan@kernel.org</email> - </author> - <author> - <firstname>Thorsten</firstname> - <surname>Kukuk</surname> - <email>kukuk@thkukuk.de</email> - </author> - </authorgroup> - <releaseinfo>Version 0.99.6.0, 5. August 2006</releaseinfo> - <abstract> - <para> - This manual documents what a programmer needs to know in order - to write a module that conforms to the - <emphasis remap='B'>Linux-PAM</emphasis> standard.It also - discusses some security issues from the point of view of the - module programmer. - </para> - </abstract> - </bookinfo> - - <chapter id="mwg-introduction"> - <title>Introduction</title> - <section id="mwg-introduction-description"> - <title>Description</title> - <para> - <emphasis remap='B'>Linux-PAM</emphasis> (Pluggable Authentication - Modules for Linux) is a library that enables the local system - administrator to choose how individual applications authenticate - users. For an overview of the - <emphasis remap='B'>Linux-PAM</emphasis> library see the - <emphasis>Linux-PAM System Administrators' Guide</emphasis>. - </para> - <para> - A <emphasis remap='B'>Linux-PAM</emphasis> module is a single - executable binary file that can be loaded by the - <emphasis remap='B'>Linux-PAM</emphasis> interface library. - This PAM library is configured locally with a system file, - <filename>/etc/pam.conf</filename>, to authenticate a user - request via the locally available authentication modules. 
The - modules themselves will usually be located in the directory - <filename>/lib/security</filename> (or - <filename>/lib64/security</filename>, depending on the architecture) - and take the form of dynamically loadable object files (see - <citerefentry> - <refentrytitle>dlopen</refentrytitle><manvolnum>3</manvolnum> - </citerefentry>. Alternatively, the modules can be statically - linked into the <emphasis remap='B'>Linux-PAM</emphasis> library; - this is mostly to allow <emphasis remap='B'>Linux-PAM</emphasis> to - be used on platforms without dynamic linking available, but this is - a <emphasis>deprecated</emphasis> functionality. It is the - <emphasis remap='B'>Linux-PAM</emphasis> interface that is called - by an application and it is the responsibility of the library to - locate, load and call the appropriate functions in a - <emphasis remap='B'>Linux-PAM</emphasis>-module. - </para> - <para> - Except for the immediate purpose of interacting with the user - (entering a password etc..) the module should never call the - application directly. This exception requires a "conversation - mechanism" which is documented below. - </para> - </section> - - <section id="mwg-introducton-synopsis"> - <title>Synopsis</title> - <programlisting> -#include <security/pam_modules.h> - -gcc -fPIC -c pam_module.c -gcc -shared -o pam_module.so pam_module.o -lpam - </programlisting> - </section> - </chapter> - - <chapter id="mwg-expected-by-module"> - <title>What can be expected by the module</title> - <para> - Here we list the interface that the conventions that all - <emphasis remap='B'>Linux-PAM</emphasis> modules must adhere to. - </para> - <section id="mwg-expected-by-module-item"> - <title> - Getting and setting <emphasis>PAM_ITEM</emphasis>s and - <emphasis>data</emphasis> - </title> - <para> - First, we cover what the module should expect from the - <emphasis remap='B'>Linux-PAM</emphasis> library and a - <emphasis remap='B'>Linux-PAM</emphasis> aware application. 
- Essesntially this is the <filename>libpam.*</filename> library. - </para> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_set_data.xml"/> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_get_data.xml"/> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_set_item.xml"/> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_get_item.xml"/> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_get_user.xml"/> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_conv.xml"/> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_putenv.xml"/> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_getenv.xml"/> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_getenvlist.xml"/> - </section> - <section id="mwg-expected-by-module-other"> - <title> - Other functions provided by <filename>libpam</filename> - </title> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_strerror.xml"/> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_fail_delay.xml"/> - </section> - </chapter> - - <chapter id="mwg-expected-of-module"> - <title>What is expected of a module</title> - <para> - The module must supply a sub-set of the six functions listed - below. Together they define the function of a - <emphasis remap='B'>Linux-PAM module</emphasis>. Module developers - are strongly urged to read the comments on security that follow - this list. - </para> - <section id="mwg-expected-of-module-overview"> - <title>Overview</title> - <para> - The six module functions are grouped into four independent - management groups. These groups are as follows: - <emphasis>authentication</emphasis>, <emphasis>account</emphasis>, - <emphasis>session</emphasis> and <emphasis>password</emphasis>. - To be properly defined, a module must define all functions within - at least one of these groups. 
A single module may contain the - necessary functions for <emphasis>all</emphasis> four groups. - </para> - <section id="mwg-expected-of-module-overview-1"> - <title>Functional independence</title> - <para> - The independence of the four groups of service a module can - offer means that the module should allow for the possibility - that any one of these four services may legitimately be called - in any order. Thus, the module writer should consider the - appropriateness of performing a service without the prior - success of some other part of the module. - </para> - <para> - As an informative example, consider the possibility that an - application applies to change a user's authentication token, - without having first requested that - <emphasis remap='B'>Linux-PAM</emphasis> authenticate the - user. In some cases this may be deemed appropriate: when - <command>root</command> wants to change the authentication - token of some lesser user. In other cases it may not be - appropriate: when <command>joe</command> maliciously wants - to reset <command>alice</command>'s password; or when anyone - other than the user themself wishes to reset their - <emphasis>KERBEROS</emphasis> authentication token. A policy - for this action should be defined by any reasonable - authentication scheme, the module writer should consider - this when implementing a given module. - </para> - </section> - <section id="mwg-expected-of-module-overview-2"> - <title>Minimizing administration problems</title> - <para> - To avoid system administration problems and the poor - construction of a <filename>/etc/pam.conf</filename> file, - the module developer may define all six of the following - functions. For those functions that would not be called, - the module should return <errorname>PAM_SERVICE_ERR</errorname> - and write an appropriate message to the system log. When - this action is deemed inappropriate, the function would - simply return <errorname>PAM_IGNORE</errorname>. 
- </para> - </section> - <section id="mwg-expected-of-module-overview-3"> - <title>Arguments supplied to the module</title> - <para> - The <parameter>flags</parameter> argument of each of - the following functions can be logically OR'd with - <parameter>PAM_SILENT</parameter>, which is used to inform the - module to not pass any <emphasis>text</emphasis> (errors or - warnings) application. - </para> - <para> - The <parameter>argc</parameter> and <parameter>argv</parameter> - arguments are taken from the line appropriate to this - module---that is, with the <emphasis>service_name</emphasis> - matching that of the application---in the configuration file - (see the <emphasis remap='B'>Linux-PAM</emphasis> - System Administrators' Guide). Together these two parameters - provide the number of arguments and an array of pointers to - the individual argument tokens. This will be familiar to C - programmers as the ubiquitous method of passing command arguments - to the function <function>main()</function>. Note, however, that - the first argument (<parameter>argv[0]</parameter>) is a true - argument and <emphasis>not</emphasis> the name of the module. - </para> - </section> - </section> - <section id="mwg-expected-of-module-auth"> - <title>Authentication management</title> - <para> - To be correctly initialized, <parameter>PAM_SM_AUTH</parameter> - must be <command>#define</command>'d prior to including - <function><security/pam_modules.h></function>. This will - ensure that the prototypes for static modules are properly declared. 
- </para> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_sm_authenticate.xml"/> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_sm_setcred.xml"/> - </section> - <section id="mwg-expected-of-module-acct"> - <title>Account management</title> - <para> - To be correctly initialized, <parameter>PAM_SM_ACCOUNT</parameter> - must be <command>#define</command>'d prior to including - <function><security/pam_modules.h></function>. This will - ensure that the prototypes for static modules are properly declared. - </para> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_sm_acct_mgmt.xml"/> - </section> - <section id="mwg-expected-of-module-session"> - <title>Session management</title> - <para> - To be correctly initialized, <parameter>PAM_SM_SESSION</parameter> - must be <command>#define</command>'d prior to including - <function><security/pam_modules.h></function>. This will - ensure that the prototypes for static modules are properly declared. - </para> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_sm_open_session.xml"/> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_sm_close_session.xml"/> - </section> - <section id="mwg-expected-of-module-chauthtok"> - <title>Authentication token management</title> - <para> - To be correctly initialized, <parameter>PAM_SM_PASSWORD</parameter> - must be <command>#define</command>'d prior to including - <function><security/pam_modules.h></function>. This will - ensure that the prototypes for static modules are properly declared. - </para> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_sm_chauthtok.xml"/> - </section> - </chapter> - - <chapter id="mwg-see-options"> - <title>Generic optional arguments</title> - <para> - Here we list the generic arguments that all modules can expect to - be passed. They are not mandatory, and their absence should be - accepted without comment by the module. 
- </para> - <variablelist> - <varlistentry> - <term>debug</term> - <listitem> - <para> - Use the <citerefentry> - <refentrytitle>pam_syslog</refentrytitle><manvolnum>3</manvolnum> - </citerefentry> call to log debugging information to the system - log files. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>use_first_pass</term> - <listitem> - <para> - The module should not prompt the user for a password. - Instead, it should obtain the previously typed password - (by a call to <function>pam_get_item()</function> for the - <parameter>PAM_AUTHTOK</parameter> item), and use that. If - that doesn't work, then the user will not be authenticated. - (This option is intended for <command>auth</command> and - <command>passwd</command> modules only). - </para> - </listitem> - </varlistentry> - </variablelist> - </chapter> - - <chapter id="mwg-see-programming"> - <title>Programming notes</title> - <para> - Here we collect some pointers for the module writer to bear in mind - when writing/developing a <emphasis remap='B'>Linux-PAM</emphasis> - compatible module. - </para> - - <section id="mwg-see-programming-sec"> - <title>Security issues for module creation</title> - <section id="mwg-see-programming-sec-res"> - <title>Sufficient resources</title> - <para> - Care should be taken to ensure that the proper execution - of a module is not compromised by a lack of system resources. - If a module is unable to open sufficient files to perform its - task, it should fail gracefully, or request additional resources. - Specifically, the quantities manipulated by the <citerefentry> - <refentrytitle>setrlimit</refentrytitle><manvolnum>2</manvolnum> - </citerefentry> family of commands should be taken into - consideration. - </para> - </section> - <section id="mwg-see-programming-sec-who"> - <title>Who´s who?</title> - <para> - Generally, the module may wish to establish the identity of - the user requesting a service. 
This may not be the same as - the username returned by <function>pam_get_user()</function>. - Indeed, that is only going to be the name of the user under - whose identity the service will be given. This is not - necessarily the user that requests the service. - </para> - <para> - In other words, user X runs a program that is setuid-Y, it - grants the user to have the permissions of Z. A specific example - of this sort of service request is the <command>su</command> - program: user <command>joe</command> executes - <command>su</command> to become the user <command>jane</command>. - In this situation X=<command>joe</command>, Y=<command>root</command> - and Z=<command>jane</command>. Clearly, it is important that - the module does not confuse these different users and grant an - inappropriate level of privilege. - </para> - <para> - The following is the convention to be adhered to when juggling - user-identities. - </para> - <itemizedlist> - <listitem> - <para> - X, the identity of the user invoking the service request. - This is the user identifier; returned by the function - <citerefentry> - <refentrytitle>getuid</refentrytitle><manvolnum>2</manvolnum> - </citerefentry>. - </para> - </listitem> - <listitem> - <para> - Y, the privileged identity of the application used to - grant the requested service. This is the - <emphasis>effective</emphasis> user identifier; - returned by the function <citerefentry> - <refentrytitle>geteuid</refentrytitle><manvolnum>2</manvolnum> - </citerefentry>. - </para> - </listitem> - <listitem> - <para> - Z, the user under whose identity the service will be granted. - This is the username returned by - <function>pam_get_user()</function> and also stored in the - <emphasis remap='B'>Linux-PAM</emphasis> item, - <emphasis>PAM_USER</emphasis>. - </para> - </listitem> - <listitem> - <para> - <emphasis remap='B'>Linux-PAM</emphasis> has a place for - an additional user identity that a module may care to make - use of. 
This is the <emphasis>PAM_RUSER</emphasis> item. - Generally, network sensitive modules/applications may wish - to set/read this item to establish the identity of the user - requesting a service from a remote location. - </para> - </listitem> - </itemizedlist> - <para> - Note, if a module wishes to modify the identity of either the - <emphasis>uid</emphasis> or <emphasis>euid</emphasis> of the - running process, it should take care to restore the original - values prior to returning control to the - <emphasis remap='B'>Linux-PAM</emphasis> library. - </para> - </section> - <section id="mwg-see-programming-sec-conv"> - <title>Using the conversation function</title> - <para> - Prior to calling the conversation function, the module should - reset the contents of the pointer that will return the applications - response. This is a good idea since the application may fail - to fill the pointer and the module should be in a position to - notice! - </para> - <para> - The module should be prepared for a failure from the - conversation. The generic error would be - <emphasis>PAM_CONV_ERR</emphasis>, but anything other than - <emphasis>PAM_SUCCESS</emphasis> should be treated as - indicating failure. - </para> - </section> - <section id="mwg-see-programming-sec-token"> - <title>Authentication tokens</title> - <para> - To ensure that the authentication tokens are not left lying - around the items, <emphasis>PAM_AUTHTOK</emphasis> and - <emphasis>PAM_OLDAUTHTOK</emphasis>, are not available to - the application: they are defined in - <filename><security/pam_modules.h></filename>. This - is ostensibly for security reasons, but a maliciously - programmed application will always have access to all memory - of the process, so it is only superficially enforced. As a - general rule the module should overwrite authentication tokens - as soon as they are no longer needed. Especially before - <function>free()</function>'ing them. 
The - <emphasis remap='B'>Linux-PAM</emphasis> library is - required to do this when either of these authentication - token items are (re)set. - </para> - <para> - Not to dwell too little on this concern; should the module - store the authentication tokens either as (automatic) function - variables or using <function>pam_[gs]et_data()</function> the - associated memory should be over-written explicitly before it - is released. In the case of the latter storage mechanism, the - associated <function>cleanup()</function> function should - explicitly overwrite the <varname>*data</varname> before - <function>free()</function>'ing it: for example, - <programlisting> -/* - * An example cleanup() function for releasing memory that was used to - * store a password. - */ - -int cleanup(pam_handle_t *pamh, void *data, int error_status) -{ - char *xx; - - if ((xx = data)) { - while (*xx) - *xx++ = '\0'; - free(data); - } - return PAM_SUCCESS; -} - </programlisting> - </para> - </section> - </section> - <section id="mwg-see-programming-syslog"> - <title>Use of <citerefentry> - <refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum> - </citerefentry></title> - <para> - Only rarely should error information be directed to the user. - Usually, this is to be limited to - <quote><emphasis>sorry you cannot login now</emphasis></quote> - type messages. Information concerning errors in the configuration - file, <filename>/etc/pam.conf</filename>, or due to some system - failure encountered by the module, should be written to - <citerefentry> - <refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum> - </citerefentry> with <emphasis>facility-type</emphasis> - <emphasis remap='B'>LOG_AUTHPRIV</emphasis>. - </para> - <para> - With a few exceptions, the level of logging is, at the discretion - of the module developer. 
Here is the recommended usage of different - logging levels: - </para> - <itemizedlist> - <listitem> - <para> - As a general rule, errors encountered by a module should be - logged at the <emphasis>LOG_ERR</emphasis> level. However, - information regarding an unrecognized argument, passed to a - module from an entry in the <filename>/etc/pam.conf</filename> - file, is <emphasis>required</emphasis> to be logged at the - <emphasis>LOG_ERR</emphasis> level. - </para> - </listitem> - <listitem> - <para> - Debugging information, as activated by the - <command>debug</command> argument to the module in - <filename>/etc/pam.conf</filename>, should be logged - at the <emphasis>LOG_DEBUG</emphasis> level. - </para> - </listitem> - <listitem> - <para> - If a module discovers that its personal configuration - file or some system file it uses for information is - corrupted or somehow unusable, it should indicate this - by logging messages at level, <emphasis>LOG_ALERT</emphasis>. - </para> - </listitem> - <listitem> - <para> - Shortages of system resources, such as a failure to - manipulate a file or <function>malloc()</function> failures - should be logged at level <emphasis>LOG_CRIT</emphasis>. - </para> - </listitem> - <listitem> - <para> - Authentication failures, associated with an incorrectly - typed password should be logged at level, - <emphasis>LOG_NOTICE</emphasis>. - </para> - </listitem> - </itemizedlist> - </section> - <section id="mwg-see-programming-libs"> - <title>Modules that require system libraries</title> - <para> - Writing a module is much like writing an application. You - have to provide the "conventional hooks" for it to work - correctly, like <function>pam_sm_authenticate()</function> - etc., which would correspond to the <function>main()</function> - function in a normal function. - </para> - <para> - Typically, the author may want to link against some standard system - libraries. 
As when one compiles a normal program, this can be - done for modules too: you simply append the - <parameter>-l</parameter><emphasis>XXX</emphasis> arguments - for the desired libraries when you create the shared module object. - To make sure a module is linked to the - <command>libwhatever.so</command> library - when it is <function>dlopen()</function>ed, try: - <programlisting> -% gcc -shared -o pam_module.so pam_module.o -lwhatever - </programlisting> - </para> - </section> - </chapter> - - <chapter id="mwg-example"> - <title>An example module</title> - <para> - At some point, we may include a fully commented example of a module in - this document. For now, please look at the modules directory of the - <emphasis remap='B'>Linux-PAM</emphasis> sources. - </para> - </chapter> - - <chapter id="mwg-see-also"> - <title>See also</title> - <itemizedlist> - <listitem> - <para> - The Linux-PAM System Administrators' Guide. - </para> - </listitem> - <listitem> - <para> - The Linux-PAM Application Developers' Guide. - </para> - </listitem> - <listitem> - <para> - The V. Samar and R. Schemers (SunSoft), ``UNIFIED LOGIN WITH - PLUGGABLE AUTHENTICATION MODULES'', Open Software Foundation - Request For Comments 86.0, October 1995. - </para> - </listitem> - </itemizedlist> - </chapter> - - <chapter id='mwg-author'> - <title>Author/acknowledgments</title> - <para> - This document was written by Andrew G. Morgan (morgan@kernel.org) - with many contributions from - Chris Adams, Peter Allgeyer, Tim Baverstock, Tim Berger, Craig S. Bell, - Derrick J. Brashear, Ben Buxton, Seth Chaiklin, Oliver Crow, Chris Dent, - Marc Ewing, Cristian Gafton, Emmanuel Galanos, Brad M. Garcia, - Eric Hester, Roger Hu, Eric Jacksch, Michael K. 
Johnson, David Kinchlea, - Olaf Kirch, Marcin Korzonek, Thorsten Kukuk, Stephen Langasek, - Nicolai Langfeldt, Elliot Lee, Luke Kenneth Casson Leighton, - Al Longyear, Ingo Luetkebohle, Marek Michalkiewicz, Robert Milkowski, - Aleph One, Martin Pool, Sean Reifschneider, Jan Rekorajski, Erik Troan, - Theodore Ts'o, Jeff Uphoff, Myles Uyema, Savochkin Andrey Vladimirovich, - Ronald Wahl, David Wood, John Wilmes, Joseph S. D. Yao - and Alex O. Yuriev. - </para> - <para> - Thanks are also due to Sun Microsystems, especially to Vipin Samar and - Charlie Lai for their advice. At an early stage in the development of - <emphasis remap='B'>Linux-PAM</emphasis>, Sun graciously made the - documentation for their implementation of PAM available. This act - greatly accelerated the development of - <emphasis remap='B'>Linux-PAM</emphasis>. - </para> - </chapter> - - <chapter id='mwg-copyright'> - <title>Copyright information for this document</title> - <programlisting> -Copyright (c) 2006 Thorsten Kukuk <kukuk@thkukuk.de> -Copyright (c) 1996-2002 Andrew G. Morgan <morgan@kernel.org> - </programlisting> - <para> - Redistribution and use in source and binary forms, with or without - modification, are permitted provided that the following conditions are - met: - </para> - <programlisting> -1. Redistributions of source code must retain the above copyright - notice, and the entire permission notice in its entirety, - including the disclaimer of warranties. - -2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. - -3. The name of the author may not be used to endorse or promote - products derived from this software without specific prior - written permission. 
- </programlisting> - <para> - Alternatively, this product may be distributed under the terms of - the GNU General Public License (GPL), in which case the provisions - of the GNU GPL are required instead of the above restrictions. - (This clause is necessary due to a potential bad interaction between - the GNU GPL and the restrictions contained in a BSD-style copyright.) - </para> - <programlisting> -THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED -WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF -MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. -IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, -INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, -BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS -OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND -ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR -TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE -USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH - </programlisting> - </chapter> -</book> diff --git a/doc/mwg/Makefile.am b/doc/mwg/Makefile.am deleted file mode 100644 index 77296189..00000000 --- a/doc/mwg/Makefile.am +++ /dev/null 
@@ -1,97 +0,0 @@ -# -# Copyright (c) 2006 Thorsten Kukuk <kukuk@thkukuk.de> -# - -CLEANFILES = Linux-PAM_MWG.fo *~ - -EXTRA_DIST = $(XMLS) - -XMLS = Linux-PAM_MWG.xml $(shell ls $(srcdir)/pam_*.xml) -DEP_XMLS = $(shell ls $(top_srcdir)/doc/man/pam_*.xml) - -if ENABLE_REGENERATE_MAN -MAINTAINERCLEANFILES = Linux-PAM_MWG.txt Linux-PAM_MWG.pdf html/*.html - -all: Linux-PAM_MWG.txt html/Linux-PAM_MWG.html Linux-PAM_MWG.pdf - -Linux-PAM_MWG.pdf: $(XMLS) $(DEP_XMLS) -if ENABLE_GENERATE_PDF - $(XMLLINT) --nonet --xinclude --postvalid --noent --noout $< - $(XSLTPROC) --stringparam generate.toc "book toc" \ - --stringparam section.autolabel 1 \ - --stringparam section.label.includes.component.label 1 \ - --stringparam toc.max.depth 3 --xinclude --nonet \ - http://docbook.sourceforge.net/release/xsl/current/fo/docbook.xsl $< > Linux-PAM_MWG.fo - $(FO2PDF) Linux-PAM_MWG.fo $@ -else - echo "No fo2pdf processor installed, skip PDF generation" -endif - -Linux-PAM_MWG.txt: $(XMLS) $(DEP_XMLS) - $(XMLLINT) --nonet --xinclude --postvalid --noent --noout $< - $(XSLTPROC) --stringparam generate.toc "book toc" \ - --stringparam section.autolabel 1 \ - --stringparam section.label.includes.component.label 1 \ - --stringparam toc.max.depth 3 --xinclude --nonet \ - http://docbook.sourceforge.net/release/xsl/current/html/docbook.xsl $< | $(BROWSER) > $@ - -html/Linux-PAM_MWG.html: $(XMLS) $(DEP_XMLS) - @test -d html || mkdir -p html - $(XMLLINT) --nonet --xinclude --postvalid --noent --noout $< - $(XSLTPROC) --stringparam base.dir html/ \ - --stringparam root.filename Linux-PAM_MWG \ - --stringparam use.id.as.filename 1 \ - --stringparam chunk.first.sections 1 \ - --stringparam section.autolabel 1 \ - --stringparam section.label.includes.component.label 1 \ - --stringparam toc.max.depth 3 --xinclude --nonet \ - http://docbook.sourceforge.net/release/xsl/current/html/chunk.xsl $< - -distclean-local: - -rm -rf html Linux-PAM_MWG.txt Linux-PAM_MWG.pdf - -endif - -install-data-local: - 
$(mkinstalldirs) $(DESTDIR)$(docdir) - $(mkinstalldirs) $(DESTDIR)$(pdfdir) - $(mkinstalldirs) $(DESTDIR)$(htmldir) - test -f html/Linux-PAM_MWG.html || exit 0; \ - $(install_sh_DATA) html/Linux-PAM_MWG.html html/mwg-*.html \ - $(DESTDIR)$(htmldir)/ || \ - $(install_sh_DATA) $(srcdir)/html/Linux-PAM_MWG.html \ - $(srcdir)/html/sag-*.html \ - $(DESTDIR)$(htmldir)/ - test -f Linux-PAM_MWG.txt || exit 0; \ - $(install_sh_DATA) Linux-PAM_MWG.txt $(DESTDIR)$(docdir)/ || \ - $(install_sh_DATA) $(srcdir)/Linux-PAM_MWG.txt \ - $(DESTDIR)$(docdir)/ - test -f Linux-PAM_MWG.pdf || exit 0; \ - $(install_sh_DATA) Linux-PAM_MWG.pdf $(DESTDIR)$(pdfdir)/ || \ - $(install_sh_DATA) $(srcdir)/Linux-PAM_MWG.pdf \ - $(DESTDIR)$(pdfdir)/ - -uninstall-local: - -rm $(DESTDIR)$(htmldir)/Linux-PAM_MWG.html - -rm $(DESTDIR)$(htmldir)/mwg-*.html - -rm $(DESTDIR)$(docdir)/Linux-PAM_MWG.txt - -rm $(DESTDIR)$(pdfdir)/Linux-PAM_MWG.pdf - -releasedocs: all - $(mkinstalldirs) $(top_builddir)/Linux-PAM-$(VERSION)/doc/mwg/html - test -f html/Linux-PAM_MWG.html || exit 0; \ - cp -ap html/Linux-PAM_MWG.html html/mwg-*.html \ - $(top_builddir)/Linux-PAM-$(VERSION)/doc/mwg/html/ || \ - cp -ap $(srcdir)/html/Linux-PAM_MWG.html \ - $(srcdir)/html/mwg-*.html \ - $(top_builddir)/Linux-PAM-$(VERSION)/doc/mwg/html/ - test -f Linux-PAM_MWG.txt || exit 0; \ - cp -p Linux-PAM_MWG.txt \ - $(top_builddir)/Linux-PAM-$(VERSION)/doc/mwg/ || \ - cp -p $(srcdir)/Linux-PAM_MWG.txt \ - $(top_builddir)/Linux-PAM-$(VERSION)/doc/mwg/ - test -f Linux-PAM_MWG.pdf || exit 0; \ - cp -p Linux-PAM_MWG.pdf \ - $(top_builddir)/Linux-PAM-$(VERSION)/doc/mwg/ || \ - cp -p $(srcdir)/Linux-PAM_MWG.pdf \ - $(top_builddir)/Linux-PAM-$(VERSION)/doc/mwg/ diff --git a/doc/mwg/pam_conv.xml b/doc/mwg/pam_conv.xml deleted file mode 100644 index a2b470af..00000000 --- a/doc/mwg/pam_conv.xml +++ /dev/null 
@@ -1,35 +0,0 @@ -<?xml version='1.0' encoding='UTF-8'?> -<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN" - "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"> -<section id='mwg-pam_conv'> - <title>The conversation function</title> - <funcsynopsis> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../man/pam_conv.3.xml" xpointer='xpointer(//funcsynopsis[@id = "pam_conv-synopsis"]/*)'/> - </funcsynopsis> - <programlisting> -struct pam_message { - int msg_style; - const char *msg; -}; - -struct pam_response { - char *resp; - int resp_retcode; -}; - -struct pam_conv { - int (*conv)(int num_msg, const struct pam_message **msg, - struct pam_response **resp, void *appdata_ptr); - void *appdata_ptr; -}; - </programlisting> - <section id='mwg-pam_conv-description'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../man/pam_conv.3.xml" xpointer='xpointer(//refsect1[@id = "pam_conv-description"]/*)'/> - </section> - <section id='mwg-pam_conv-return_values'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../man/pam_conv.3.xml" xpointer='xpointer(//refsect1[@id = "pam_conv-return_values"]/*)'/> - </section> -</section> diff --git a/doc/mwg/pam_fail_delay.xml b/doc/mwg/pam_fail_delay.xml deleted file mode 100644 index 589e1148..00000000 --- a/doc/mwg/pam_fail_delay.xml +++ /dev/null 
@@ -1,18 +0,0 @@ -<?xml version='1.0' encoding='UTF-8'?> -<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN" - "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"> -<section id='adg-pam_fail_delay'> - <title>Request a delay on failure</title> - <funcsynopsis> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../man/pam_fail_delay.3.xml" xpointer='xpointer(//funcsynopsis[@id = "pam_fail_delay-synopsis"]/*)'/> - </funcsynopsis> - <section id='adg-pam_fail_delay-description'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../man/pam_fail_delay.3.xml" xpointer='xpointer(//refsect1[@id = "pam_fail_delay-description"]/*)'/> - </section> - <section id='adg-pam_fail_delay-return_values'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../man/pam_fail_delay.3.xml" xpointer='xpointer(//refsect1[@id = "pam_fail_delay-return_values"]/*)'/> - </section> -</section> diff --git a/doc/mwg/pam_get_data.xml b/doc/mwg/pam_get_data.xml deleted file mode 100644 index b1afdb3f..00000000 --- a/doc/mwg/pam_get_data.xml +++ /dev/null 
@@ -1,18 +0,0 @@ -<?xml version='1.0' encoding='UTF-8'?> -<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN" - "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"> -<section id='mwg-pam_get_data'> - <title>Get module internal data</title> - <funcsynopsis> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../man/pam_get_data.3.xml" xpointer='xpointer(//funcsynopsis[@id = "pam_get_data-synopsis"]/*)'/> - </funcsynopsis> - <section id='mwg-pam_get_data-description'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../man/pam_get_data.3.xml" xpointer='xpointer(//refsect1[@id = "pam_get_data-description"]/*)'/> - </section> - <section id='mwg-pam_get_data-return_values'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../man/pam_get_data.3.xml" xpointer='xpointer(//refsect1[@id = "pam_get_data-return_values"]/*)'/> - </section> -</section> diff --git a/doc/mwg/pam_get_item.xml b/doc/mwg/pam_get_item.xml deleted file mode 100644 index 370a10a1..00000000 --- a/doc/mwg/pam_get_item.xml +++ /dev/null @@ -1,18 +0,0 @@ -<?xml version='1.0' encoding='UTF-8'?> -<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN" - "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"> -<section id='mwg-pam_get_item'> - <title>Getting PAM items</title> - <funcsynopsis> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../man/pam_get_item.3.xml" xpointer='xpointer(//funcsynopsis[@id = "pam_get_item-synopsis"]/*)'/> - </funcsynopsis> - <section id='mwg-pam_get_item-description'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../man/pam_get_item.3.xml" xpointer='xpointer(//refsect1[@id = "pam_get_item-description"]/*)'/> - </section> - <section id='mwg-pam_get_item-return_values'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../man/pam_get_item.3.xml" xpointer='xpointer(//refsect1[@id = "pam_get_item-return_values"]/*)'/> - </section> -</section> 
diff --git a/doc/mwg/pam_get_user.xml b/doc/mwg/pam_get_user.xml deleted file mode 100644 index 1cb7fdf3..00000000 --- a/doc/mwg/pam_get_user.xml +++ /dev/null @@ -1,18 +0,0 @@ -<?xml version='1.0' encoding='UTF-8'?> -<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN" - "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"> -<section id='mwg-pam_get_user'> - <title>Get user name</title> - <funcsynopsis> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../man/pam_get_user.3.xml" xpointer='xpointer(//funcsynopsis[@id = "pam_get_user-synopsis"]/*)'/> - </funcsynopsis> - <section id='mwg-pam_get_user-description'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../man/pam_get_user.3.xml" xpointer='xpointer(//refsect1[@id = "pam_get_user-description"]/*)'/> - </section> - <section id='mwg-pam_get_user-return_values'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../man/pam_get_user.3.xml" xpointer='xpointer(//refsect1[@id = "pam_get_user-return_values"]/*)'/> - </section> -</section> diff --git a/doc/mwg/pam_getenv.xml b/doc/mwg/pam_getenv.xml deleted file mode 100644 index 61d69c33..00000000 --- a/doc/mwg/pam_getenv.xml +++ /dev/null 
@@ -1,18 +0,0 @@ -<?xml version='1.0' encoding='UTF-8'?> -<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN" - "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"> -<section id='adg-pam_getenv'> - <title>Get a PAM environment variable</title> - <funcsynopsis> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../man/pam_getenv.3.xml" xpointer='xpointer(//funcsynopsis[@id = "pam_getenv-synopsis"]/*)'/> - </funcsynopsis> - <section id='adg-pam_getenv-description'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../man/pam_getenv.3.xml" xpointer='xpointer(//refsect1[@id = "pam_getenv-description"]/*)'/> - </section> - <section id='adg-pam_getenv-return_values'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../man/pam_getenv.3.xml" xpointer='xpointer(//refsect1[@id = "pam_getenv-return_values"]/*)'/> - </section> -</section> diff --git a/doc/mwg/pam_getenvlist.xml b/doc/mwg/pam_getenvlist.xml deleted file mode 100644 index d3c2fcd3..00000000 --- a/doc/mwg/pam_getenvlist.xml +++ /dev/null @@ -1,18 +0,0 @@ -<?xml version='1.0' encoding='UTF-8'?> -<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN" - "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"> -<section id='adg-pam_getenvlist'> - <title>Getting the PAM environment</title> - <funcsynopsis> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../man/pam_getenvlist.3.xml" xpointer='xpointer(//funcsynopsis[@id = "pam_getenvlist-synopsis"]/*)'/> - </funcsynopsis> - <section id='adg-pam_getenvlist-description'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../man/pam_getenvlist.3.xml" xpointer='xpointer(//refsect1[@id = "pam_getenvlist-description"]/*)'/> - </section> - <section id='adg-pam_getenvlist-return_values'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../man/pam_getenvlist.3.xml" xpointer='xpointer(//refsect1[@id = "pam_getenvlist-return_values"]/*)'/> - </section> -</section> 
diff --git a/doc/mwg/pam_putenv.xml b/doc/mwg/pam_putenv.xml deleted file mode 100644 index e55f1a42..00000000 --- a/doc/mwg/pam_putenv.xml +++ /dev/null @@ -1,18 +0,0 @@ -<?xml version='1.0' encoding='UTF-8'?> -<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN" - "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"> -<section id='adg-pam_putenv'> - <title>Set or change PAM environment variable</title> - <funcsynopsis> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../man/pam_putenv.3.xml" xpointer='xpointer(//funcsynopsis[@id = "pam_putenv-synopsis"]/*)'/> - </funcsynopsis> - <section id='adg-pam_putenv-description'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../man/pam_putenv.3.xml" xpointer='xpointer(//refsect1[@id = "pam_putenv-description"]/*)'/> - </section> - <section id='adg-pam_putenv-return_values'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../man/pam_putenv.3.xml" xpointer='xpointer(//refsect1[@id = "pam_putenv-return_values"]/*)'/> - </section> -</section> diff --git a/doc/mwg/pam_set_data.xml b/doc/mwg/pam_set_data.xml deleted file mode 100644 index 18b2711b..00000000 --- a/doc/mwg/pam_set_data.xml +++ /dev/null 
@@ -1,18 +0,0 @@ -<?xml version='1.0' encoding='UTF-8'?> -<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN" - "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"> -<section id='mwg-pam_set_data'> - <title>Set module internal data</title> - <funcsynopsis> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../man/pam_set_data.3.xml" xpointer='xpointer(//funcsynopsis[@id = "pam_set_data-synopsis"]/*)'/> - </funcsynopsis> - <section id='mwg-pam_set_data-description'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../man/pam_set_data.3.xml" xpointer='xpointer(//refsect1[@id = "pam_set_data-description"]/*)'/> - </section> - <section id='mwg-pam_set_data-return_values'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../man/pam_set_data.3.xml" xpointer='xpointer(//refsect1[@id = "pam_set_data-return_values"]/*)'/> - </section> -</section> diff --git a/doc/mwg/pam_set_item.xml b/doc/mwg/pam_set_item.xml deleted file mode 100644 index 7d19925e..00000000 --- a/doc/mwg/pam_set_item.xml +++ /dev/null @@ -1,18 +0,0 @@ -<?xml version='1.0' encoding='UTF-8'?> -<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN" - "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"> -<section id='mwg-pam_set_item'> - <title>Setting PAM items</title> - <funcsynopsis> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../man/pam_set_item.3.xml" xpointer='xpointer(//funcsynopsis[@id = "pam_set_item-synopsis"]/*)'/> - </funcsynopsis> - <section id='mwg-pam_set_item-description'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../man/pam_set_item.3.xml" xpointer='xpointer(//refsect1[@id = "pam_set_item-description"]/*)'/> - </section> - <section id='mwg-pam_set_item-return_values'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../man/pam_set_item.3.xml" xpointer='xpointer(//refsect1[@id = "pam_set_item-return_values"]/*)'/> - </section> -</section> 
diff --git a/doc/mwg/pam_sm_acct_mgmt.xml b/doc/mwg/pam_sm_acct_mgmt.xml deleted file mode 100644 index 10b3c9e9..00000000 --- a/doc/mwg/pam_sm_acct_mgmt.xml +++ /dev/null @@ -1,18 +0,0 @@ -<?xml version='1.0' encoding='UTF-8'?> -<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN" - "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"> -<section id='mwg-pam_sm_acct_mgmt'> - <title>Service function for account management</title> - <funcsynopsis> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../man/pam_sm_acct_mgmt.3.xml" xpointer='xpointer(//funcsynopsis[@id = "pam_sm_acct_mgmt-synopsis"]/*)'/> - </funcsynopsis> - <section id='mwg-pam_sm_acct_mgmt-description'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../man/pam_sm_acct_mgmt.3.xml" xpointer='xpointer(//refsect1[@id = "pam_sm_acct_mgmt-description"]/*)'/> - </section> - <section id='mwg-pam_sm_acct_mgmt-return_values'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../man/pam_sm_acct_mgmt.3.xml" xpointer='xpointer(//refsect1[@id = "pam_sm_acct_mgmt-return_values"]/*)'/> - </section> -</section> diff --git a/doc/mwg/pam_sm_authenticate.xml b/doc/mwg/pam_sm_authenticate.xml deleted file mode 100644 index 54c79af6..00000000 --- a/doc/mwg/pam_sm_authenticate.xml +++ /dev/null 
@@ -1,18 +0,0 @@ -<?xml version='1.0' encoding='UTF-8'?> -<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN" - "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"> -<section id='mwg-pam_sm_authenticate'> - <title>Service function for user authentication</title> - <funcsynopsis> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../man/pam_sm_authenticate.3.xml" xpointer='xpointer(//funcsynopsis[@id = "pam_sm_authenticate-synopsis"]/*)'/> - </funcsynopsis> - <section id='mwg-pam_sm_authenticate-description'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../man/pam_sm_authenticate.3.xml" xpointer='xpointer(//refsect1[@id = "pam_sm_authenticate-description"]/*)'/> - </section> - <section id='mwg-pam_sm_authenticate-return_values'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../man/pam_sm_authenticate.3.xml" xpointer='xpointer(//refsect1[@id = "pam_sm_authenticate-return_values"]/*)'/> - </section> -</section> diff --git a/doc/mwg/pam_sm_chauthtok.xml b/doc/mwg/pam_sm_chauthtok.xml deleted file mode 100644 index a1364315..00000000 --- a/doc/mwg/pam_sm_chauthtok.xml +++ /dev/null 
@@ -1,18 +0,0 @@ -<?xml version='1.0' encoding='UTF-8'?> -<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN" - "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"> -<section id='mwg-pam_sm_chauthtok'> - <title>Service function to alter authentication token</title> - <funcsynopsis> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../man/pam_sm_chauthtok.3.xml" xpointer='xpointer(//funcsynopsis[@id = "pam_sm_chauthtok-synopsis"]/*)'/> - </funcsynopsis> - <section id='mwg-pam_sm_chauthtok-description'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../man/pam_sm_chauthtok.3.xml" xpointer='xpointer(//refsect1[@id = "pam_sm_chauthtok-description"]/*)'/> - </section> - <section id='mwg-pam_sm_chauthtok-return_values'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../man/pam_sm_chauthtok.3.xml" xpointer='xpointer(//refsect1[@id = "pam_sm_chauthtok-return_values"]/*)'/> - </section> -</section> diff --git a/doc/mwg/pam_sm_close_session.xml b/doc/mwg/pam_sm_close_session.xml deleted file mode 100644 index 9346c506..00000000 --- a/doc/mwg/pam_sm_close_session.xml +++ /dev/null 
@@ -1,18 +0,0 @@ -<?xml version='1.0' encoding='UTF-8'?> -<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN" - "http://www.oasis-close.org/docbook/xml/4.4/docbookx.dtd"> -<section id='mwg-pam_sm_close_session'> - <title>Service function to terminate session management</title> - <funcsynopsis> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../man/pam_sm_close_session.3.xml" xpointer='xpointer(//funcsynopsis[@id = "pam_sm_close_session-synopsis"]/*)'/> - </funcsynopsis> - <section id='mwg-pam_sm_close_session-description'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../man/pam_sm_close_session.3.xml" xpointer='xpointer(//refsect1[@id = "pam_sm_close_session-description"]/*)'/> - </section> - <section id='mwg-pam_sm_close_session-return_values'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../man/pam_sm_close_session.3.xml" xpointer='xpointer(//refsect1[@id = "pam_sm_close_session-return_values"]/*)'/> - </section> -</section> diff --git a/doc/mwg/pam_sm_open_session.xml b/doc/mwg/pam_sm_open_session.xml deleted file mode 100644 index b8e3fa90..00000000 --- a/doc/mwg/pam_sm_open_session.xml +++ /dev/null 
@@ -1,18 +0,0 @@ -<?xml version='1.0' encoding='UTF-8'?> -<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN" - "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"> -<section id='mwg-pam_sm_open_session'> - <title>Service function to start session management</title> - <funcsynopsis> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../man/pam_sm_open_session.3.xml" xpointer='xpointer(//funcsynopsis[@id = "pam_sm_open_session-synopsis"]/*)'/> - </funcsynopsis> - <section id='mwg-pam_sm_open_session-description'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../man/pam_sm_open_session.3.xml" xpointer='xpointer(//refsect1[@id = "pam_sm_open_session-description"]/*)'/> - </section> - <section id='mwg-pam_sm_open_session-return_values'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../man/pam_sm_open_session.3.xml" xpointer='xpointer(//refsect1[@id = "pam_sm_open_session-return_values"]/*)'/> - </section> -</section> diff --git a/doc/mwg/pam_sm_setcred.xml b/doc/mwg/pam_sm_setcred.xml deleted file mode 100644 index eee8e1d6..00000000 --- a/doc/mwg/pam_sm_setcred.xml +++ /dev/null 
@@ -1,18 +0,0 @@ -<?xml version='1.0' encoding='UTF-8'?> -<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN" - "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"> -<section id='mwg-pam_sm_setcred'> - <title>Service function to alter credentials</title> - <funcsynopsis> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../man/pam_sm_setcred.3.xml" xpointer='xpointer(//funcsynopsis[@id = "pam_sm_setcred-synopsis"]/*)'/> - </funcsynopsis> - <section id='mwg-pam_sm_setcred-description'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../man/pam_sm_setcred.3.xml" xpointer='xpointer(//refsect1[@id = "pam_sm_setcred-description"]/*)'/> - </section> - <section id='mwg-pam_sm_setcred-return_values'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../man/pam_sm_setcred.3.xml" xpointer='xpointer(//refsect1[@id = "pam_sm_setcred-return_values"]/*)'/> - </section> -</section> diff --git a/doc/mwg/pam_strerror.xml b/doc/mwg/pam_strerror.xml deleted file mode 100644 index 35b08a27..00000000 --- a/doc/mwg/pam_strerror.xml +++ /dev/null 
@@ -1,18 +0,0 @@ -<?xml version='1.0' encoding='UTF-8'?> -<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN" - "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"> -<section id='adg-pam_strerror'> - <title>Strings describing PAM error codes</title> - <funcsynopsis> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../man/pam_strerror.3.xml" xpointer='xpointer(//funcsynopsis[@id = "pam_strerror-synopsis"]/*)'/> - </funcsynopsis> - <section id='adg-pam_strerror-description'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../man/pam_strerror.3.xml" xpointer='xpointer(//refsect1[@id = "pam_strerror-description"]/*)'/> - </section> - <section id='adg-pam_strerror-return_values'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../man/pam_strerror.3.xml" xpointer='xpointer(//refsect1[@id = "pam_strerror-return_values"]/*)'/> - </section> -</section> diff --git a/doc/sag/.cvsignore b/doc/sag/.cvsignore deleted file mode 100644 index d9b71235..00000000 --- a/doc/sag/.cvsignore +++ /dev/null @@ -1,7 +0,0 @@ -Makefile -Makefile.in -*~ -html -*.fo -*.pdf -*.txt diff --git a/doc/sag/Linux-PAM_SAG.xml b/doc/sag/Linux-PAM_SAG.xml deleted file mode 100644 index 84dece31..00000000 --- a/doc/sag/Linux-PAM_SAG.xml +++ /dev/null 
@@ -1,570 +0,0 @@ -<?xml version='1.0' encoding='UTF-8'?> -<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN" - "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"> -<book id="sag"> - <bookinfo> - <title>The Linux-PAM System Administrators' Guide</title> - <authorgroup> - <author> - <firstname>Andrew G.</firstname> - <surname>Morgan</surname> - <email>morgan@kernel.org</email> - </author> - <author> - <firstname>Thorsten</firstname> - <surname>Kukuk</surname> - <email>kukuk@thkukuk.de</email> - </author> - </authorgroup> - <releaseinfo>Version 0.99.7.0, 16. January 2007</releaseinfo> - <abstract> - <para> - This manual documents what a system-administrator needs to know about - the <emphasis remap='B'>Linux-PAM</emphasis> library. It covers the - correct syntax of the PAM configuration file and discusses strategies - for maintaining a secure system. - </para> - </abstract> - </bookinfo> - - <chapter id='sag-introductoin'> - <title>Introduction</title> - <para> - <emphasis remap='B'>Linux-PAM</emphasis> (Pluggable Authentication - Modules for Linux) is a suite of shared libraries that enable the - local system administrator to choose how applications authenticate users. - </para> - <para> - In other words, without (rewriting and) recompiling a PAM-aware - application, it is possible to switch between the authentication - mechanism(s) it uses. Indeed, one may entirely upgrade the local - authentication system without touching the applications themselves. - </para> - <para> - Historically an application that has required a given user to be - authenticated, has had to be compiled to use a specific authentication - mechanism. For example, in the case of traditional UN*X systems, the - identity of the user is verified by the user entering a correct - password. This password, after being prefixed by a two character - ``salt'', is encrypted (with crypt(3)). 
The user is then authenticated - if this encrypted password is identical to the second field of the - user's entry in the system password database (the - <filename>/etc/passwd</filename> file). On such systems, most if - not all forms of privileges are granted based on this single - authentication scheme. Privilege comes in the form of a personal - user-identifier (UID) and membership of various groups. Services and - applications are available based on the personal and group identity - of the user. Traditionally, group membership has been assigned based - on entries in the <filename>/etc/group</filename> file. - </para> - <para> - It is the purpose of the <emphasis remap='B'>Linux-PAM</emphasis> - project to separate the development of privilege granting software - from the development of secure and appropriate authentication schemes. - This is accomplished by providing a library of functions that an - application may use to request that a user be authenticated. This - PAM library is configured locally with a system file, - <filename>/etc/pam.conf</filename> (or a series of configuration - files located in <filename>/etc/pam.d/</filename>) to authenticate a - user request via the locally available authentication modules. The - modules themselves will usually be located in the directory - <filename>/lib/security</filename> or - <filename>/lib64/security</filename> and take the form of dynamically - loadable object files (see <citerefentry> - <refentrytitle>dlopen</refentrytitle><manvolnum>3</manvolnum> - </citerefentry>). - </para> - </chapter> - - <chapter id="sag-text-conventions"> - <title>Some comments on the text</title> - <para> - Before proceeding to read the rest of this document, it should be - noted that the text assumes that certain files are placed in certain - directories. 
Where they have been specified, the conventions we adopt - here for locating these files are those of the relevant RFC (RFC-86.0, - see <link linkend="sag-see-also">bibliography"</link>). If you are - using a distribution of Linux (or some other operating system) that - supports PAM but chooses to distribute these files in a diferent way - you should be careful when copying examples directly from the text. - </para> - <para> - As an example of the above, where it is explicit, the text assumes - that PAM loadable object files (the - <emphasis remap='B'>modules</emphasis>) are to be located in - the following directory: <filename>/lib/security/</filename> or - <filename>/lib64/security</filename> depending on the architecture. - This is generally the location that seems to be compatible with the - Filesystem Hierarchy Standard (FHS). On Solaris, which has its own - licensed version of PAM, and some other implementations of UN*X, - these files can be found in <filename>/usr/lib/security</filename>. - Please be careful to perform the necessary transcription when using - the examples from the text. - </para> - </chapter> - - <chapter id="sag-overview"> - <title>Overview</title> - <para> - For the uninitiated, we begin by considering an example. We take an - application that grants some service to users; - <command>login</command> is one such program. - <command>Login</command> does two things, it first establishes that - the requesting user is whom they claim to be and second provides - them with the requested service: in the case of - <command>login</command> the service is a command shell - (bash, tcsh, zsh, etc.) running with the identity of the user. - </para> - <para> - Traditionally, the former step is achieved by the - <command>login</command> application prompting the user for a - password and then verifying that it agrees with that located on - the system; hence verifying that as far as the system is concerned - the user is who they claim to be. 
This is the task that is delegated - to <emphasis remap='B'>Linux-PAM</emphasis>. - </para> - <para> - From the perspective of the application programmer (in this case - the person that wrote the <command>login</command> application), - <emphasis remap='B'>Linux-PAM</emphasis> takes care of this - authentication task -- verifying the identity of the user. - </para> - <para> - The flexibility of <emphasis remap='B'>Linux-PAM</emphasis> is - that <emphasis>you</emphasis>, the system administrator, have - the freedom to stipulate which authentication scheme is to be - used. You have the freedom to set the scheme for any/all - PAM-aware applications on your Linux system. That is, you can - authenticate from anything as naive as - <emphasis>simple trust</emphasis> (<command>pam_permit</command>) - to something as paranoid as a combination of a retinal scan, a - voice print and a one-time password! - </para> - <para> - To illustrate the flexibility you face, consider the following - situation: a system administrator (parent) wishes to improve the - mathematical ability of her users (children). She can configure - their favorite ``Shoot 'em up game'' (PAM-aware of course) to - authenticate them with a request for the product of a couple of - random numbers less than 12. It is clear that if the game is any - good they will soon learn their - <emphasis>multiplication tables</emphasis>. As they mature, the - authentication can be upgraded to include (long) division! - </para> - <para> - <emphasis remap='B'>Linux-PAM</emphasis> deals with four - separate types of (management) task. These are: - <emphasis>authentication management</emphasis>; - <emphasis>account management</emphasis>; - <emphasis>session management</emphasis>; and - <emphasis>password management</emphasis>. - The association of the preferred management scheme with the behavior - of an application is made with entries in the relevant - <emphasis remap='B'>Linux-PAM</emphasis> configuration file. 
- The management functions are performed by <emphasis>modules</emphasis> - specified in the configuration file. The syntax for this - file is discussed in the section - <link linkend="sag-configuration">below</link>. - </para> - <para> - Here is a figure that describes the overall organization of - <emphasis remap='B'>Linux-PAM</emphasis>: - <programlisting> - +----------------+ - | application: X | - +----------------+ / +----------+ +================+ - | authentication-[---->--\--] Linux- |--<--| PAM config file| - | + [----<--/--] PAM | |================| - |[conversation()][--+ \ | | | X auth .. a.so | - +----------------+ | / +-n--n-----+ | X auth .. b.so | - | | | __| | | _____/ - | service user | A | | |____,-----' - | | | V A - +----------------+ +------|-----|---------+ -----+------+ - +---u-----u----+ | | | - | auth.... |--[ a ]--[ b ]--[ c ] - +--------------+ - | acct.... |--[ b ]--[ d ] - +--------------+ - | password |--[ b ]--[ c ] - +--------------+ - | session |--[ e ]--[ c ] - +--------------+ - </programlisting> - By way of explanation, the left of the figure represents the - application; application X. Such an application interfaces with the - <emphasis remap='B'>Linux-PAM</emphasis> library and knows none of - the specifics of its configured authentication method. The - <emphasis remap='B'>Linux-PAM</emphasis> library (in the center) - consults the contents of the PAM configuration file and loads the - modules that are appropriate for application-X. These modules fall - into one of four management groups (lower-center) and are stacked in - the order they appear in the configuration file. These modules, when - called by <emphasis remap='B'>Linux-PAM</emphasis>, perform the - various authentication tasks for the application. Textual information, - required from/or offered to the user, can be exchanged through the - use of the application-supplied <emphasis>conversation</emphasis> - function. 
- </para> - <para> - If a program is going to use PAM, then it has to have PAM - functions explicitly coded into the program. If you have - access to the source code you can add the appropriate PAM - functions. If you do not have accessto the source code, and - the binary does not have the PAM functions included, then - it is not possible to use PAM. - </para> - </chapter> - - <chapter id="sag-configuration"> - <title>The Linux-PAM configuration file</title> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../man/pam.conf-desc.xml" - xpointer='xpointer(//section[@id = "pam.conf-desc"]/*)' /> - <section id='sag-configuration-file'> - <title>Configuration file syntax</title> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../man/pam.conf-syntax.xml" - xpointer='xpointer(//section[@id = "pam.conf-syntax"]/*)' /> - </section> - <section id='sag-configuratin-dirctory'> - <title>Directory based configuration</title> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../man/pam.conf-dir.xml" - xpointer='xpointer(//section[@id = "pam.conf-dir"]/*)' /> - </section> - <section id='sag-configuration-example'> - <title>Example configuration file entries</title> - <para> - In this section, we give some examples of entries that can - be present in the <emphasis remap='B'>Linux-PAM</emphasis> - configuration file. As a first attempt at configuring your - system you could do worse than to implement these. - </para> - <para> - If a system is to be considered secure, it had better have a - reasonably secure '<emphasis remap='B'>other</emphasis> entry. 
- The following is a paranoid setting (which is not a bad place - to start!): - </para> - <programlisting> -# -# default; deny access -# -other auth required pam_deny.so -other account required pam_deny.so -other password required pam_deny.so -other session required pam_deny.so - </programlisting> - <para> - Whilst fundamentally a secure default, this is not very - sympathetic to a misconfigured system. For example, such - a system is vulnerable to locking everyone out should the - rest of the file become badly written. - </para> - <para> - The module <command>pam_deny</command> (documented in a - <link linkend="sag-pam_deny">later section</link>) is not very - sophisticated. For example, it logs no information when it - is invoked so unless the users of a system contact the - administrator when failing to execute a service application, - the administrator may go for a long while in ignorance of the - fact that his system is misconfigured. - </para> - <para> - The addition of the following line before those in the above - example would provide a suitable warning to the administrator. - </para> - <programlisting> -# -# default; wake up! This application is not configured -# -other auth required pam_warn.so -other password required pam_warn.so - </programlisting> - <para> - Having two '<command>other auth</command>' lines is an - example of stacking. - </para> - <para> - On a system that uses the <filename>/etc/pam.d/</filename> - configuration, the corresponding default setup would be - achieved with the following file: - </para> - <programlisting> -# -# default configuration: /etc/pam.d/other -# -auth required pam_warn.so -auth required pam_deny.so -account required pam_deny.so -password required pam_warn.so -password required pam_deny.so -session required pam_deny.so - </programlisting> - <para> - This is the only explicit example we give for an - <filename>/etc/pam.d/</filename> file. 
In general, it - should be clear how to transpose the remaining examples - to this configuration scheme. - </para> - <para> - On a less sensitive computer, one on which the system - administrator wishes to remain ignorant of much of the - power of <emphasis remap='B'>Linux-PAM</emphasis>, the - following selection of lines (in - <filename>/etc/pam.d/other</filename>) is likely to - mimic the historically familiar Linux setup. - </para> - <programlisting> -# -# default; standard UN*X access -# -auth required pam_unix.so -account required pam_unix.so -password required pam_unix.so -session required pam_unix.so - </programlisting> - <para> - In general this will provide a starting place for most applications. - </para> - </section> - </chapter> - - <chapter id='sag-security-issues'> - <title>Security issues</title> - <section id='sag-scurity-issues-wrong'> - <title>If something goes wrong</title> - <para> - <emphasis remap='B'>Linux-PAM</emphasis> has the potential - to seriously change the security of your system. You can - choose to have no security or absolute security (no access - permitted). In general, <emphasis remap='B'>Linux-PAM</emphasis> - errs towards the latter. Any number of configuration errors - can dissable access to your system partially, or completely. - </para> - <para> - The most dramatic problem that is likely to be encountered when - configuring <emphasis remap='B'>Linux-PAM</emphasis> is that of - <emphasis>deleting</emphasis> the configuration file(s): - <filename>/etc/pam.d/*</filename> and/or - <filename>/etc/pam.conf</filename>. This will lock you out of - your own system! - </para> - <para> - To recover, your best bet is to restore the system from a - backup or boot the system into a rescue system and correct - things from there. 
- </para> - </section> - <section id='sag-security-issues-other'> - <title>Avoid having a weak `other' configuration</title> - <para> - It is not a good thing to have a weak default - (<emphasis remap='B'>other</emphasis>) entry. - This service is the default configuration for all PAM aware - applications and if it is weak, your system is likely to be - vulnerable to attack. - </para> - <para> - Here is a sample "other" configuration file. The - <command>pam_deny</command> module will deny access and the - <command>pam_warn</command> module will send a syslog message - to <emphasis>auth.notice</emphasis>: - </para> - <programlisting> -# -# The PAM configuration file for the `other' service -# -auth required pam_deny.so -auth required pam_warn.so -account required pam_deny.so -account required pam_warn.so -password required pam_deny.so -password required pam_warn.so -session required pam_deny.so -session required pam_warn.so - </programlisting> - </section> - </chapter> - - <chapter id='sag-module-reference'> - <title>A reference guide for available modules</title> - <para> - Here, we collect together the descriptions of the various modules - coming with Linux-PAM. 
- </para> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_access.xml"/> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_cracklib.xml"/> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_debug.xml"/> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_deny.xml"/> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_echo.xml"/> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_env.xml"/> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_exec.xml"/> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_faildelay.xml"/> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_filter.xml"/> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_ftp.xml"/> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_group.xml"/> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_issue.xml"/> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_keyinit.xml"/> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_lastlog.xml"/> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_limits.xml"/> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_listfile.xml"/> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_localuser.xml"/> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_loginuid.xml"/> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_mail.xml"/> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_mkhomedir.xml"/> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_motd.xml"/> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_namespace.xml"/> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_nologin.xml"/> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - 
href="pam_permit.xml"/> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_rhosts.xml"/> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_rootok.xml"/> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_securetty.xml"/> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_selinux.xml"/> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_shells.xml"/> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_succeed_if.xml"/> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_tally.xml"/> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_time.xml"/> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_umask.xml"/> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_unix.xml"/> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_userdb.xml"/> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_warn.xml"/> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_wheel.xml"/> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_xauth.xml"/> - </chapter> - - <chapter id="sag-see-also"> - <title>See also</title> - <itemizedlist> - <listitem> - <para> - The Linux-PAM Application Writers' Guide. - </para> - </listitem> - <listitem> - <para> - The Linux-PAM Module Writers' Guide. - </para> - </listitem> - <listitem> - <para> - The V. Samar and R. Schemers (SunSoft), ``UNIFIED LOGIN WITH - PLUGGABLE AUTHENTICATION MODULES'', Open Software Foundation - Request For Comments 86.0, October 1995. - </para> - </listitem> - </itemizedlist> - </chapter> - - <chapter id='sag-author'> - <title>Author/acknowledgments</title> - <para> - This document was written by Andrew G. Morgan (morgan@kernel.org) - with many contributions from - Chris Adams, Peter Allgeyer, Tim Baverstock, Tim Berger, - Craig S. Bell, Derrick J. 
Brashear, Ben Buxton, Seth Chaiklin, - Oliver Crow, Chris Dent, Marc Ewing, Cristian Gafton, - Emmanuel Galanos, Brad M. Garcia, Eric Hester, Michel D'Hooge, - Roger Hu, Eric Jacksch, Michael K. Johnson, David Kinchlea, - Olaf Kirch, Marcin Korzonek, Thorsten Kukuk, Stephen Langasek, - Nicolai Langfeldt, Elliot Lee, Luke Kenneth Casson Leighton, - Al Longyear, Ingo Luetkebohle, Marek Michalkiewicz, - Robert Milkowski, Aleph One, Martin Pool, Sean Reifschneider, - Jan Rekorajski, Erik Troan, Theodore Ts'o, Jeff Uphoff, Myles Uyema, - Savochkin Andrey Vladimirovich, Ronald Wahl, David Wood, John Wilmes, - Joseph S. D. Yao and Alex O. Yuriev. - </para> - <para> - Thanks are also due to Sun Microsystems, especially to Vipin Samar and - Charlie Lai for their advice. At an early stage in the development of - <emphasis remap='B'>Linux-PAM</emphasis>, Sun graciously made the - documentation for their implementation of PAM available. This act - greatly accelerated the development of - <emphasis remap='B'>Linux-PAM</emphasis>. - </para> - </chapter> - - <chapter id='sag-copyright'> - <title>Copyright information for this document</title> - <programlisting> -Copyright (c) 2006 Thorsten Kukuk <kukuk@thkukuk.de> -Copyright (c) 1996-2002 Andrew G. Morgan <morgan@kernel.org> - </programlisting> - <para> - Redistribution and use in source and binary forms, with or without - modification, are permitted provided that the following conditions are - met: - </para> - <programlisting> -1. Redistributions of source code must retain the above copyright - notice, and the entire permission notice in its entirety, - including the disclaimer of warranties. - -2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. - -3. 
The name of the author may not be used to endorse or promote - products derived from this software without specific prior - written permission. - </programlisting> - <para> - Alternatively, this product may be distributed under the terms of - the GNU General Public License (GPL), in which case the provisions - of the GNU GPL are required instead of the above restrictions. - (This clause is necessary due to a potential bad interaction between - the GNU GPL and the restrictions contained in a BSD-style copyright.) - </para> - <programlisting> -THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED -WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF -MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. -IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, -INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, -BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS -OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND -ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR -TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE -USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH - </programlisting> - </chapter> -</book> diff --git a/doc/sag/Makefile.am b/doc/sag/Makefile.am deleted file mode 100644 index 26b5f5b8..00000000 --- a/doc/sag/Makefile.am +++ /dev/null 
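Review bot: deleting Linux-PAM_SAG.xml removes the "Security issues" chapter (sag-security-issues) and the "Example configuration file entries" section, which together carry the only guidance in the tree that the default `other` service should stack pam_warn.so before pam_deny.so so that a misconfigured service is both refused and logged; the diff shows only `-` lines and no replacement file, so the commit should either move this text rather than drop it or state where the System Administrators' Guide now lives. If the file is being resurrected elsewhere, also fix the misspelled section id `sag-configuratin-dirctory` (intended `sag-configuration-directory`) while it is being touched, since every `linkend` pointing at it will otherwise keep the typo.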
@@ -1,97 +0,0 @@ -# -# Copyright (c) 2006 Thorsten Kukuk <kukuk@thkukuk.de> -# - -CLEANFILES = Linux-PAM_SAG.fo *~ - -EXTRA_DIST = $(XMLS) - -XMLS = Linux-PAM_SAG.xml $(shell ls $(srcdir)/pam_*.xml) - -DEP_XMLS = $(shell ls $(top_srcdir)/modules/pam_*/pam_*.xml) - -if ENABLE_REGENERATE_MAN -MAINTAINERCLEANFILES = Linux-PAM_SAG.txt Linux-PAM_SAG.pdf html/*.html - -all: Linux-PAM_SAG.txt html/Linux-PAM_SAG.html Linux-PAM_SAG.pdf - -Linux-PAM_SAG.pdf: $(XMLS) $(DEP_XMLS) -if ENABLE_GENERATE_PDF - $(XMLLINT) --nonet --xinclude --postvalid --noent --noout $< - $(XSLTPROC) --stringparam generate.toc "book toc" \ - --stringparam section.autolabel 1 \ - --stringparam section.label.includes.component.label 1 \ - --stringparam toc.max.depth 2 --xinclude --nonet \ - http://docbook.sourceforge.net/release/xsl/current/fo/docbook.xsl $< > Linux-PAM_SAG.fo - $(FO2PDF) Linux-PAM_SAG.fo $@ -else - echo "No fo2pdf processor installed, skip PDF generation" -endif - -Linux-PAM_SAG.txt: $(XMLS) $(DEP_XMLS) - $(XMLLINT) --nonet --xinclude --postvalid --noent --noout $< - $(XSLTPROC) --stringparam generate.toc "book toc" \ - --stringparam section.autolabel 1 \ - --stringparam section.label.includes.component.label 1 \ - --stringparam toc.max.depth 2 --xinclude --nonet \ - http://docbook.sourceforge.net/release/xsl/current/html/docbook.xsl $< | $(BROWSER) > $@ - -html/Linux-PAM_SAG.html: $(XMLS) $(DEP_XMLS) - @test -d html || mkdir -p html - $(XMLLINT) --nonet --xinclude --postvalid --noent --noout $< - $(XSLTPROC) --stringparam base.dir html/ \ - --stringparam root.filename Linux-PAM_SAG \ - --stringparam use.id.as.filename 1 \ - --stringparam chunk.first.sections 1 \ - --stringparam section.autolabel 1 \ - --stringparam section.label.includes.component.label 1 \ - --stringparam toc.max.depth 2 --xinclude --nonet \ - http://docbook.sourceforge.net/release/xsl/current/html/chunk.xsl $< - -distclean-local: - -rm -rf html Linux-PAM_SAG.txt Linux-PAM_SAG.pdf -endif - -install-data-local: - 
$(mkinstalldirs) $(DESTDIR)$(docdir) - $(mkinstalldirs) $(DESTDIR)$(pdfdir) - $(mkinstalldirs) $(DESTDIR)$(htmldir) - test -f html/Linux-PAM_SAG.html || exit 0; \ - $(install_sh_DATA) html/Linux-PAM_SAG.html html/sag-*.html \ - $(DESTDIR)$(htmldir)/ || \ - $(install_sh_DATA) $(srcdir)/html/Linux-PAM_SAG.html \ - $(srcdir)/html/sag-*.html \ - $(DESTDIR)$(htmldir)/ - test -f Linux-PAM_SAG.txt || exit 0; \ - $(install_sh_DATA) Linux-PAM_SAG.txt $(DESTDIR)$(docdir)/ || \ - $(install_sh_DATA) $(srcdir)/Linux-PAM_SAG.txt \ - $(DESTDIR)$(docdir)/ - test -f Linux-PAM_SAG.pdf || exit 0; \ - $(install_sh_DATA) Linux-PAM_SAG.pdf $(DESTDIR)$(pdfdir)/ || \ - $(install_sh_DATA) $(srcdir)/Linux-PAM_SAG.pdf \ - $(DESTDIR)$(pdfdir)/ - -uninstall-local: - -rm $(DESTDIR)$(htmldir)/Linux-PAM_SAG.html - -rm $(DESTDIR)$(htmldir)/sag-*.html - -rm $(DESTDIR)$(docdir)/Linux-PAM_SAG.txt - -rm $(DESTDIR)$(pdfdir)/Linux-PAM_SAG.pdf - -releasedocs: all - $(mkinstalldirs) $(top_builddir)/Linux-PAM-$(VERSION)/doc/sag/html - test -f html/Linux-PAM_SAG.html || exit 0; \ - cp -ap html/Linux-PAM_SAG.html html/sag-*.html \ - $(top_builddir)/Linux-PAM-$(VERSION)/doc/sag/html/ || \ - cp -ap $(srcdir)/html/Linux-PAM_SAG.html \ - $(srcdir)/html/sag-*.html \ - $(top_builddir)/Linux-PAM-$(VERSION)/doc/sag/html/ - test -f Linux-PAM_SAG.txt || exit 0; \ - cp -p Linux-PAM_SAG.txt \ - $(top_builddir)/Linux-PAM-$(VERSION)/doc/sag/ || \ - cp -p $(srcdir)/Linux-PAM_SAG.txt \ - $(top_builddir)/Linux-PAM-$(VERSION)/doc/sag/ - test -f Linux-PAM_SAG.pdf || exit 0; \ - cp -p Linux-PAM_SAG.pdf \ - $(top_builddir)/Linux-PAM-$(VERSION)/doc/sag/ || \ - cp -p $(srcdir)/Linux-PAM_SAG.pdf \ - $(top_builddir)/Linux-PAM-$(VERSION)/doc/sag/ diff --git a/doc/sag/pam_access.xml b/doc/sag/pam_access.xml deleted file mode 100644 index 9e2837ca..00000000 --- a/doc/sag/pam_access.xml +++ /dev/null 
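Review bot: removing doc/sag/Makefile.am is only safe if the parent Makefile.am stops recursing into `sag` and the configure.ac entry that generates doc/sag/Makefile is dropped in the same change; neither appears in this hunk, and automake will fail on a SUBDIRS entry with no Makefile.am behind it. The deleted file also supplied the `install-data-local`, `uninstall-local` and `releasedocs` targets that copied Linux-PAM_SAG.txt, Linux-PAM_SAG.pdf and html/sag-*.html into $(DESTDIR)$(docdir), $(DESTDIR)$(pdfdir), $(DESTDIR)$(htmldir) and $(top_builddir)/Linux-PAM-$(VERSION)/doc/sag/, so any packaging that lists those installed paths needs updating too.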
@@ -1,42 +0,0 @@ -<?xml version='1.0' encoding='UTF-8'?> -<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN" - "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"> -<section id='sag-pam_access'> - <title>pam_access - logdaemon style login access control</title> - <cmdsynopsis> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_access/pam_access.8.xml" xpointer='xpointer(//cmdsynopsis[@id = "pam_access-cmdsynopsis"]/*)'/> - </cmdsynopsis> - <section id='sag-pam_access-description'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_access/pam_access.8.xml" xpointer='xpointer(//refsect1[@id = "pam_access-description"]/*)'/> - </section> - <section id='sag-access.conf-description'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_access/access.conf.5.xml" xpointer='xpointer(//refsect1[@id = "access.conf-description"]/*)'/> - </section> - <section id='sag-pam_access-options'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_access/pam_access.8.xml" xpointer='xpointer(//refsect1[@id = "pam_access-options"]/*)'/> - </section> - <section id='sag-pam_access-services'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_access/pam_access.8.xml" xpointer='xpointer(//refsect1[@id = "pam_access-services"]/*)'/> - </section> - <section id='sag-pam_access-return_values'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_access/pam_access.8.xml" xpointer='xpointer(//refsect1[@id = "pam_access-return_values"]/*)'/> - </section> - <section id='sag-pam_access-files'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_access/pam_access.8.xml" xpointer='xpointer(//refsect1[@id = "pam_access-files"]/*)'/> - </section> - <section id='sag-access.conf-examples'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - 
href="../../modules/pam_access/access.conf.5.xml" xpointer='xpointer(//refsect1[@id = "access.conf-examples"]/*)'/> - </section> - <section id='sag-pam_access-authors'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_access/pam_access.8.xml" xpointer='xpointer(//refsect1[@id = "pam_access-authors"]/*)'/> - </section> -</section> diff --git a/doc/sag/pam_cracklib.xml b/doc/sag/pam_cracklib.xml deleted file mode 100644 index 58f0edb0..00000000 --- a/doc/sag/pam_cracklib.xml +++ /dev/null 
@@ -1,34 +0,0 @@ -<?xml version='1.0' encoding='UTF-8'?> -<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN" - "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"> -<section id='sag-pam_cracklib'> - <title>pam_cracklib - checks the password against dictionary words</title> - <cmdsynopsis> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_cracklib/pam_cracklib.8.xml" xpointer='xpointer(//cmdsynopsis[@id = "pam_cracklib-cmdsynopsis"]/*)'/> - </cmdsynopsis> - <section id='sag-pam_cracklib-description'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_cracklib/pam_cracklib.8.xml" xpointer='xpointer(//refsect1[@id = "pam_cracklib-description"]/*)'/> - </section> - <section id='sag-pam_cracklib-options'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_cracklib/pam_cracklib.8.xml" xpointer='xpointer(//refsect1[@id = "pam_cracklib-options"]/*)'/> - </section> - <section id='sag-pam_cracklib-services'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_cracklib/pam_cracklib.8.xml" xpointer='xpointer(//refsect1[@id = "pam_cracklib-services"]/*)'/> - </section> - <section id='sag-pam_cracklib-return_values'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_cracklib/pam_cracklib.8.xml" xpointer='xpointer(//refsect1[@id = "pam_cracklib-return_values"]/*)'/> - </section> - <section id='sag-pam_cracklib-examples'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_cracklib/pam_cracklib.8.xml" xpointer='xpointer(//refsect1[@id = "pam_cracklib-examples"]/*)'/> - </section> - <section id='sag-pam_cracklib-author'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_cracklib/pam_cracklib.8.xml" xpointer='xpointer(//refsect1[@id = "pam_cracklib-author"]/*)'/> - </section> -</section> 
diff --git a/doc/sag/pam_debug.xml b/doc/sag/pam_debug.xml deleted file mode 100644 index 6ec398b8..00000000 --- a/doc/sag/pam_debug.xml +++ /dev/null @@ -1,34 +0,0 @@ -<?xml version='1.0' encoding='UTF-8'?> -<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN" - "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"> -<section id='sag-pam_debug'> - <title>pam_debug - debug the PAM stack</title> - <cmdsynopsis> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_debug/pam_debug.8.xml" xpointer='xpointer(//cmdsynopsis[@id = "pam_debug-cmdsynopsis"]/*)'/> - </cmdsynopsis> - <section id='sag-pam_debug-description'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_debug/pam_debug.8.xml" xpointer='xpointer(//refsect1[@id = "pam_debug-description"]/*)'/> - </section> - <section id='sag-pam_debug-options'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_debug/pam_debug.8.xml" xpointer='xpointer(//refsect1[@id = "pam_debug-options"]/*)'/> - </section> - <section id='sag-pam_debug-services'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_debug/pam_debug.8.xml" xpointer='xpointer(//refsect1[@id = "pam_debug-services"]/*)'/> - </section> - <section id='sag-pam_debug-return_values'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_debug/pam_debug.8.xml" xpointer='xpointer(//refsect1[@id = "pam_debug-return_values"]/*)'/> - </section> - <section id='sag-pam_debug-examples'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_debug/pam_debug.8.xml" xpointer='xpointer(//refsect1[@id = "pam_debug-examples"]/*)'/> - </section> - <section id='sag-pam_debug-author'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_debug/pam_debug.8.xml" xpointer='xpointer(//refsect1[@id = "pam_debug-author"]/*)'/> - </section> -</section> 
diff --git a/doc/sag/pam_deny.xml b/doc/sag/pam_deny.xml deleted file mode 100644 index eaaada3b..00000000 --- a/doc/sag/pam_deny.xml +++ /dev/null @@ -1,34 +0,0 @@ -<?xml version='1.0' encoding='UTF-8'?> -<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN" - "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"> -<section id='sag-pam_deny'> - <title>pam_deny - locking-out PAM module</title> - <cmdsynopsis> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_deny/pam_deny.8.xml" xpointer='xpointer(//cmdsynopsis[@id = "pam_deny-cmdsynopsis"]/*)'/> - </cmdsynopsis> - <section id='sag-pam_deny-description'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_deny/pam_deny.8.xml" xpointer='xpointer(//refsect1[@id = "pam_deny-description"]/*)'/> - </section> - <section id='sag-pam_deny-options'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_deny/pam_deny.8.xml" xpointer='xpointer(//refsect1[@id = "pam_deny-options"]/*)'/> - </section> - <section id='sag-pam_deny-services'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_deny/pam_deny.8.xml" xpointer='xpointer(//refsect1[@id = "pam_deny-services"]/*)'/> - </section> - <section id='sag-pam_deny-return_values'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_deny/pam_deny.8.xml" xpointer='xpointer(//refsect1[@id = "pam_deny-return_values"]/*)'/> - </section> - <section id='sag-pam_deny-examples'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_deny/pam_deny.8.xml" xpointer='xpointer(//refsect1[@id = "pam_deny-examples"]/*)'/> - </section> - <section id='sag-pam_deny-author'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_deny/pam_deny.8.xml" xpointer='xpointer(//refsect1[@id = "pam_deny-author"]/*)'/> - </section> -</section> 
diff --git a/doc/sag/pam_echo.xml b/doc/sag/pam_echo.xml deleted file mode 100644 index 95baa0aa..00000000 --- a/doc/sag/pam_echo.xml +++ /dev/null @@ -1,34 +0,0 @@ -<?xml version='1.0' encoding='UTF-8'?> -<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN" - "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"> -<section id='sag-pam_echo'> - <title>pam_echo - print text messages</title> - <cmdsynopsis> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_echo/pam_echo.8.xml" xpointer='xpointer(//cmdsynopsis[@id = "pam_echo-cmdsynopsis"]/*)'/> - </cmdsynopsis> - <section id='sag-pam_echo-description'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_echo/pam_echo.8.xml" xpointer='xpointer(//refsect1[@id = "pam_echo-description"]/*)'/> - </section> - <section id='sag-pam_echo-options'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_echo/pam_echo.8.xml" xpointer='xpointer(//refsect1[@id = "pam_echo-options"]/*)'/> - </section> - <section id='sag-pam_echo-services'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_echo/pam_echo.8.xml" xpointer='xpointer(//refsect1[@id = "pam_echo-services"]/*)'/> - </section> - <section id='sag-pam_echo-return_values'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_echo/pam_echo.8.xml" xpointer='xpointer(//refsect1[@id = "pam_echo-return_values"]/*)'/> - </section> - <section id='sag-pam_echo-examples'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_echo/pam_echo.8.xml" xpointer='xpointer(//refsect1[@id = "pam_echo-examples"]/*)'/> - </section> - <section id='sag-pam_echo-author'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_echo/pam_echo.8.xml" xpointer='xpointer(//refsect1[@id = "pam_echo-author"]/*)'/> - </section> -</section> 
diff --git a/doc/sag/pam_env.xml b/doc/sag/pam_env.xml deleted file mode 100644 index d1c561e0..00000000 --- a/doc/sag/pam_env.xml +++ /dev/null 
@@ -1,42 +0,0 @@ -<?xml version='1.0' encoding='UTF-8'?> -<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN" - "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"> -<section id='sag-pam_env'> - <title>pam_env - set/unset environment variables</title> - <cmdsynopsis> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_env/pam_env.8.xml" xpointer='xpointer(//cmdsynopsis[@id = "pam_env-cmdsynopsis"]/*)'/> - </cmdsynopsis> - <section id='sag-pam_env-description'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_env/pam_env.8.xml" xpointer='xpointer(//refsect1[@id = "pam_env-description"]/*)'/> - </section> - <section id='sag-pam_env.conf-description'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_env/pam_env.conf.5.xml" xpointer='xpointer(//refsect1[@id = "pam_env.conf-description"]/*)'/> - </section> - <section id='sag-pam_env-options'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_env/pam_env.8.xml" xpointer='xpointer(//refsect1[@id = "pam_env-options"]/*)'/> - </section> - <section id='sag-pam_env-services'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_env/pam_env.8.xml" xpointer='xpointer(//refsect1[@id = "pam_env-services"]/*)'/> - </section> - <section id='sag-pam_env-return_values'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_env/pam_env.8.xml" xpointer='xpointer(//refsect1[@id = "pam_env-return_values"]/*)'/> - </section> - <section id='sag-pam_env-files'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_env/pam_env.8.xml" xpointer='xpointer(//refsect1[@id = "pam_env-files"]/*)'/> - </section> - <section id='sag-pam_env.conf-examples'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_env/pam_env.conf.5.xml" xpointer='xpointer(//refsect1[@id = 
"pam_env.conf-examples"]/*)'/> - </section> - <section id='sag-pam_env-authors'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_env/pam_env.8.xml" xpointer='xpointer(//refsect1[@id = "pam_env-authors"]/*)'/> - </section> -</section> diff --git a/doc/sag/pam_exec.xml b/doc/sag/pam_exec.xml deleted file mode 100644 index 38245ed8..00000000 --- a/doc/sag/pam_exec.xml +++ /dev/null 
@@ -1,34 +0,0 @@ -<?xml version='1.0' encoding='UTF-8'?> -<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN" - "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"> -<section id='sag-pam_exec'> - <title>pam_exec - call an external command</title> - <cmdsynopsis> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_exec/pam_exec.8.xml" xpointer='xpointer(//cmdsynopsis[@id = "pam_exec-cmdsynopsis"]/*)'/> - </cmdsynopsis> - <section id='sag-pam_exec-description'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_exec/pam_exec.8.xml" xpointer='xpointer(//refsect1[@id = "pam_exec-description"]/*)'/> - </section> - <section id='sag-pam_exec-options'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_exec/pam_exec.8.xml" xpointer='xpointer(//refsect1[@id = "pam_exec-options"]/*)'/> - </section> - <section id='sag-pam_exec-services'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_exec/pam_exec.8.xml" xpointer='xpointer(//refsect1[@id = "pam_exec-services"]/*)'/> - </section> - <section id='sag-pam_exec-return_values'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_exec/pam_exec.8.xml" xpointer='xpointer(//refsect1[@id = "pam_exec-return_values"]/*)'/> - </section> - <section id='sag-pam_exec-examples'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_exec/pam_exec.8.xml" xpointer='xpointer(//refsect1[@id = "pam_exec-examples"]/*)'/> - </section> - <section id='sag-pam_exec-author'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_exec/pam_exec.8.xml" xpointer='xpointer(//refsect1[@id = "pam_exec-author"]/*)'/> - </section> -</section> diff --git a/doc/sag/pam_faildelay.xml b/doc/sag/pam_faildelay.xml deleted file mode 100644 index 312fee8e..00000000 --- a/doc/sag/pam_faildelay.xml +++ /dev/null 
@@ -1,34 +0,0 @@ -<?xml version='1.0' encoding='UTF-8'?> -<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN" - "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"> -<section id='sag-pam_faildelay'> - <title>pam_faildelay - change the delay on failure per-application</title> - <cmdsynopsis> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_faildelay/pam_faildelay.8.xml" xpointer='xpointer(//cmdsynopsis[@id = "pam_faildelay-cmdsynopsis"]/*)'/> - </cmdsynopsis> - <section id='sag-pam_faildelay-description'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_faildelay/pam_faildelay.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faildelay-description"]/*)'/> - </section> - <section id='sag-pam_faildelay-options'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_faildelay/pam_faildelay.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faildelay-options"]/*)'/> - </section> - <section id='sag-pam_faildelay-services'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_faildelay/pam_faildelay.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faildelay-services"]/*)'/> - </section> - <section id='sag-pam_faildelay-return_values'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_faildelay/pam_faildelay.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faildelay-return_values"]/*)'/> - </section> - <section id='sag-pam_faildelay-examples'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_faildelay/pam_faildelay.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faildelay-examples"]/*)'/> - </section> - <section id='sag-pam_faildelay-author'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_faildelay/pam_faildelay.8.xml" xpointer='xpointer(//refsect1[@id = "pam_faildelay-author"]/*)'/> - </section> -</section> 
diff --git a/doc/sag/pam_filter.xml b/doc/sag/pam_filter.xml deleted file mode 100644 index 4248704d..00000000 --- a/doc/sag/pam_filter.xml +++ /dev/null 
@@ -1,34 +0,0 @@ -<?xml version='1.0' encoding='UTF-8'?> -<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN" - "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"> -<section id='sag-pam_filter'> - <title>pam_filter - filter module</title> - <cmdsynopsis> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_filter/pam_filter.8.xml" xpointer='xpointer(//cmdsynopsis[@id = "pam_filter-cmdsynopsis"]/*)'/> - </cmdsynopsis> - <section id='sag-pam_filter-description'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_filter/pam_filter.8.xml" xpointer='xpointer(//refsect1[@id = "pam_filter-description"]/*)'/> - </section> - <section id='sag-pam_filter-options'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_filter/pam_filter.8.xml" xpointer='xpointer(//refsect1[@id = "pam_filter-options"]/*)'/> - </section> - <section id='sag-pam_filter-services'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_filter/pam_filter.8.xml" xpointer='xpointer(//refsect1[@id = "pam_filter-services"]/*)'/> - </section> - <section id='sag-pam_filter-return_values'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_filter/pam_filter.8.xml" xpointer='xpointer(//refsect1[@id = "pam_filter-return_values"]/*)'/> - </section> - <section id='sag-pam_filter-examples'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_filter/pam_filter.8.xml" xpointer='xpointer(//refsect1[@id = "pam_filter-examples"]/*)'/> - </section> - <section id='sag-pam_filter-author'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_filter/pam_filter.8.xml" xpointer='xpointer(//refsect1[@id = "pam_filter-author"]/*)'/> - </section> -</section> diff --git a/doc/sag/pam_ftp.xml b/doc/sag/pam_ftp.xml deleted file mode 100644 index c53139ca..00000000 --- a/doc/sag/pam_ftp.xml +++ /dev/null 
@@ -1,34 +0,0 @@ -<?xml version='1.0' encoding='UTF-8'?> -<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN" - "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"> -<section id='sag-pam_ftp'> - <title>pam_ftp - module for anonymous access</title> - <cmdsynopsis> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_ftp/pam_ftp.8.xml" xpointer='xpointer(//cmdsynopsis[@id = "pam_ftp-cmdsynopsis"]/*)'/> - </cmdsynopsis> - <section id='sag-pam_ftp-description'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_ftp/pam_ftp.8.xml" xpointer='xpointer(//refsect1[@id = "pam_ftp-description"]/*)'/> - </section> - <section id='sag-pam_ftp-options'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_ftp/pam_ftp.8.xml" xpointer='xpointer(//refsect1[@id = "pam_ftp-options"]/*)'/> - </section> - <section id='sag-pam_ftp-services'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_ftp/pam_ftp.8.xml" xpointer='xpointer(//refsect1[@id = "pam_ftp-services"]/*)'/> - </section> - <section id='sag-pam_ftp-return_values'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_ftp/pam_ftp.8.xml" xpointer='xpointer(//refsect1[@id = "pam_ftp-return_values"]/*)'/> - </section> - <section id='sag-pam_ftp-examples'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_ftp/pam_ftp.8.xml" xpointer='xpointer(//refsect1[@id = "pam_ftp-examples"]/*)'/> - </section> - <section id='sag-pam_ftp-author'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_ftp/pam_ftp.8.xml" xpointer='xpointer(//refsect1[@id = "pam_ftp-author"]/*)'/> - </section> -</section> diff --git a/doc/sag/pam_group.xml b/doc/sag/pam_group.xml deleted file mode 100644 index f83ccc58..00000000 --- a/doc/sag/pam_group.xml +++ /dev/null 
@@ -1,42 +0,0 @@ -<?xml version='1.0' encoding='UTF-8'?> -<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN" - "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"> -<section id='sag-pam_group'> - <title>pam_group - module to modify group access</title> - <cmdsynopsis> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_group/pam_group.8.xml" xpointer='xpointer(//cmdsynopsis[@id = "pam_group-cmdsynopsis"]/*)'/> - </cmdsynopsis> - <section id='sag-pam_group-description'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_group/pam_group.8.xml" xpointer='xpointer(//refsect1[@id = "pam_group-description"]/*)'/> - </section> - <section id='sag-group.conf-description'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_group/group.conf.5.xml" xpointer='xpointer(//refsect1[@id = "group.conf-description"]/*)'/> - </section> - <section id='sag-pam_group-options'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_group/pam_group.8.xml" xpointer='xpointer(//refsect1[@id = "pam_group-options"]/*)'/> - </section> - <section id='sag-pam_group-services'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_group/pam_group.8.xml" xpointer='xpointer(//refsect1[@id = "pam_group-services"]/*)'/> - </section> - <section id='sag-pam_group-return_values'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_group/pam_group.8.xml" xpointer='xpointer(//refsect1[@id = "pam_group-return_values"]/*)'/> - </section> - <section id='sag-pam_group-files'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_group/pam_group.8.xml" xpointer='xpointer(//refsect1[@id = "pam_group-files"]/*)'/> - </section> - <section id='sag-group.conf-examples'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_group/group.conf.5.xml" 
xpointer='xpointer(//refsect1[@id = "group.conf-examples"]/*)'/> - </section> - <section id='sag-pam_group-authors'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_group/pam_group.8.xml" xpointer='xpointer(//refsect1[@id = "pam_group-authors"]/*)'/> - </section> -</section> diff --git a/doc/sag/pam_issue.xml b/doc/sag/pam_issue.xml deleted file mode 100644 index f9283de6..00000000 --- a/doc/sag/pam_issue.xml +++ /dev/null 
@@ -1,34 +0,0 @@ -<?xml version='1.0' encoding='UTF-8'?> -<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN" - "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"> -<section id='sag-pam_issue'> - <title>pam_issue - add issue file to user prompt</title> - <cmdsynopsis> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_issue/pam_issue.8.xml" xpointer='xpointer(//cmdsynopsis[@id = "pam_issue-cmdsynopsis"]/*)'/> - </cmdsynopsis> - <section id='sag-pam_issue-description'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_issue/pam_issue.8.xml" xpointer='xpointer(//refsect1[@id = "pam_issue-description"]/*)'/> - </section> - <section id='sag-pam_issue-options'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_issue/pam_issue.8.xml" xpointer='xpointer(//refsect1[@id = "pam_issue-options"]/*)'/> - </section> - <section id='sag-pam_issue-services'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_issue/pam_issue.8.xml" xpointer='xpointer(//refsect1[@id = "pam_issue-services"]/*)'/> - </section> - <section id='sag-pam_issue-return_values'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_issue/pam_issue.8.xml" xpointer='xpointer(//refsect1[@id = "pam_issue-return_values"]/*)'/> - </section> - <section id='sag-pam_issue-examples'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_issue/pam_issue.8.xml" xpointer='xpointer(//refsect1[@id = "pam_issue-examples"]/*)'/> - </section> - <section id='sag-pam_issue-author'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_issue/pam_issue.8.xml" xpointer='xpointer(//refsect1[@id = "pam_issue-author"]/*)'/> - </section> -</section> diff --git a/doc/sag/pam_keyinit.xml b/doc/sag/pam_keyinit.xml deleted file mode 100644 index 4925900b..00000000 --- a/doc/sag/pam_keyinit.xml +++ /dev/null 
@@ -1,34 +0,0 @@ -<?xml version='1.0' encoding='UTF-8'?> -<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN" - "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"> -<section id='sag-pam_keyinit'> - <title>pam_keyinit - display the keyinit file</title> - <cmdsynopsis> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_keyinit/pam_keyinit.8.xml" xpointer='xpointer(//cmdsynopsis[@id = "pam_keyinit-cmdsynopsis"]/*)'/> - </cmdsynopsis> - <section id='sag-pam_keyinit-description'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_keyinit/pam_keyinit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_keyinit-description"]/*)'/> - </section> - <section id='sag-pam_keyinit-options'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_keyinit/pam_keyinit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_keyinit-options"]/*)'/> - </section> - <section id='sag-pam_keyinit-services'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_keyinit/pam_keyinit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_keyinit-services"]/*)'/> - </section> - <section id='sag-pam_keyinit-return_values'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_keyinit/pam_keyinit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_keyinit-return_values"]/*)'/> - </section> - <section id='sag-pam_keyinit-examples'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_keyinit/pam_keyinit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_keyinit-examples"]/*)'/> - </section> - <section id='sag-pam_keyinit-author'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_keyinit/pam_keyinit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_keyinit-author"]/*)'/> - </section> -</section> 
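Review bot: the removed title in this hunk, "pam_keyinit - display the keyinit file", is a copy of the pam_motd title pattern ("display the motd file") and does not describe what the module does; if this section is being relocated rather than dropped, the title at the destination should come from the module's own pam_keyinit.8.xml (the cmdsynopsis and description included here) rather than be carried over verbatim.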
diff --git a/doc/sag/pam_lastlog.xml b/doc/sag/pam_lastlog.xml deleted file mode 100644 index a8012b1c..00000000 --- a/doc/sag/pam_lastlog.xml +++ /dev/null 
@@ -1,34 +0,0 @@ -<?xml version='1.0' encoding='UTF-8'?> -<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN" - "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"> -<section id='sag-pam_lastlog'> - <title>pam_lastlog - display date of last login</title> - <cmdsynopsis> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_lastlog/pam_lastlog.8.xml" xpointer='xpointer(//cmdsynopsis[@id = "pam_lastlog-cmdsynopsis"]/*)'/> - </cmdsynopsis> - <section id='sag-pam_lastlog-description'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_lastlog/pam_lastlog.8.xml" xpointer='xpointer(//refsect1[@id = "pam_lastlog-description"]/*)'/> - </section> - <section id='sag-pam_lastlog-options'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_lastlog/pam_lastlog.8.xml" xpointer='xpointer(//refsect1[@id = "pam_lastlog-options"]/*)'/> - </section> - <section id='sag-pam_lastlog-services'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_lastlog/pam_lastlog.8.xml" xpointer='xpointer(//refsect1[@id = "pam_lastlog-services"]/*)'/> - </section> - <section id='sag-pam_lastlog-return_values'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_lastlog/pam_lastlog.8.xml" xpointer='xpointer(//refsect1[@id = "pam_lastlog-return_values"]/*)'/> - </section> - <section id='sag-pam_lastlog-examples'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_lastlog/pam_lastlog.8.xml" xpointer='xpointer(//refsect1[@id = "pam_lastlog-examples"]/*)'/> - </section> - <section id='sag-pam_lastlog-author'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_lastlog/pam_lastlog.8.xml" xpointer='xpointer(//refsect1[@id = "pam_lastlog-author"]/*)'/> - </section> -</section> 
diff --git a/doc/sag/pam_limits.xml b/doc/sag/pam_limits.xml deleted file mode 100644 index 25e14e1c..00000000 --- a/doc/sag/pam_limits.xml +++ /dev/null 
@@ -1,42 +0,0 @@ -<?xml version='1.0' encoding='UTF-8'?> -<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN" - "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"> -<section id='sag-pam_limits'> - <title>pam_limits - limit resources</title> - <cmdsynopsis> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_limits/pam_limits.8.xml" xpointer='xpointer(//cmdsynopsis[@id = "pam_limits-cmdsynopsis"]/*)'/> - </cmdsynopsis> - <section id='sag-pam_limits-description'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_limits/pam_limits.8.xml" xpointer='xpointer(//refsect1[@id = "pam_limits-description"]/*)'/> - </section> - <section id='sag-limits.conf-description'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_limits/limits.conf.5.xml" xpointer='xpointer(//refsect1[@id = "limits.conf-description"]/*)'/> - </section> - <section id='sag-pam_limits-options'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_limits/pam_limits.8.xml" xpointer='xpointer(//refsect1[@id = "pam_limits-options"]/*)'/> - </section> - <section id='sag-pam_limits-services'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_limits/pam_limits.8.xml" xpointer='xpointer(//refsect1[@id = "pam_limits-services"]/*)'/> - </section> - <section id='sag-pam_limits-return_values'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_limits/pam_limits.8.xml" xpointer='xpointer(//refsect1[@id = "pam_limits-return_values"]/*)'/> - </section> - <section id='sag-pam_limits-files'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_limits/pam_limits.8.xml" xpointer='xpointer(//refsect1[@id = "pam_limits-files"]/*)'/> - </section> - <section id='sag-limits.conf-examples'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_limits/limits.conf.5.xml" 
xpointer='xpointer(//refsect1[@id = "limits.conf-examples"]/*)'/> - </section> - <section id='sag-pam_limits-authors'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_limits/pam_limits.8.xml" xpointer='xpointer(//refsect1[@id = "pam_limits-authors"]/*)'/> - </section> -</section> diff --git a/doc/sag/pam_listfile.xml b/doc/sag/pam_listfile.xml deleted file mode 100644 index fe3f6b0c..00000000 --- a/doc/sag/pam_listfile.xml +++ /dev/null 
@@ -1,34 +0,0 @@ -<?xml version='1.0' encoding='UTF-8'?> -<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN" - "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"> -<section id='sag-pam_listfile'> - <title>pam_listfile - deny or allow services based on an arbitrary file</title> - <cmdsynopsis> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_listfile/pam_listfile.8.xml" xpointer='xpointer(//cmdsynopsis[@id = "pam_listfile-cmdsynopsis"]/*)'/> - </cmdsynopsis> - <section id='sag-pam_listfile-description'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_listfile/pam_listfile.8.xml" xpointer='xpointer(//refsect1[@id = "pam_listfile-description"]/*)'/> - </section> - <section id='sag-pam_listfile-options'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_listfile/pam_listfile.8.xml" xpointer='xpointer(//refsect1[@id = "pam_listfile-options"]/*)'/> - </section> - <section id='sag-pam_listfile-services'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_listfile/pam_listfile.8.xml" xpointer='xpointer(//refsect1[@id = "pam_listfile-services"]/*)'/> - </section> - <section id='sag-pam_listfile-return_values'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_listfile/pam_listfile.8.xml" xpointer='xpointer(//refsect1[@id = "pam_listfile-return_values"]/*)'/> - </section> - <section id='sag-pam_listfile-examples'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_listfile/pam_listfile.8.xml" xpointer='xpointer(//refsect1[@id = "pam_listfile-examples"]/*)'/> - </section> - <section id='sag-pam_listfile-author'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_listfile/pam_listfile.8.xml" xpointer='xpointer(//refsect1[@id = "pam_listfile-author"]/*)'/> - </section> -</section> 
diff --git a/doc/sag/pam_localuser.xml b/doc/sag/pam_localuser.xml deleted file mode 100644 index 0f13d368..00000000 --- a/doc/sag/pam_localuser.xml +++ /dev/null 
@@ -1,34 +0,0 @@ -<?xml version='1.0' encoding='UTF-8'?> -<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN" - "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"> -<section id='sag-pam_localuser'> - <title>pam_localuser - require users to be listed in /etc/passwd</title> - <cmdsynopsis> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_localuser/pam_localuser.8.xml" xpointer='xpointer(//cmdsynopsis[@id = "pam_localuser-cmdsynopsis"]/*)'/> - </cmdsynopsis> - <section id='sag-pam_localuser-description'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_localuser/pam_localuser.8.xml" xpointer='xpointer(//refsect1[@id = "pam_localuser-description"]/*)'/> - </section> - <section id='sag-pam_localuser-options'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_localuser/pam_localuser.8.xml" xpointer='xpointer(//refsect1[@id = "pam_localuser-options"]/*)'/> - </section> - <section id='sag-pam_localuser-services'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_localuser/pam_localuser.8.xml" xpointer='xpointer(//refsect1[@id = "pam_localuser-services"]/*)'/> - </section> - <section id='sag-pam_localuser-return_values'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_localuser/pam_localuser.8.xml" xpointer='xpointer(//refsect1[@id = "pam_localuser-return_values"]/*)'/> - </section> - <section id='sag-pam_localuser-examples'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_localuser/pam_localuser.8.xml" xpointer='xpointer(//refsect1[@id = "pam_localuser-examples"]/*)'/> - </section> - <section id='sag-pam_localuser-author'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_localuser/pam_localuser.8.xml" xpointer='xpointer(//refsect1[@id = "pam_localuser-author"]/*)'/> - </section> -</section> 
diff --git a/doc/sag/pam_loginuid.xml b/doc/sag/pam_loginuid.xml deleted file mode 100644 index 6166d99f..00000000 --- a/doc/sag/pam_loginuid.xml +++ /dev/null 
@@ -1,34 +0,0 @@ -<?xml version='1.0' encoding='UTF-8'?> -<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN" - "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"> -<section id='sag-pam_loginuid'> - <title>pam_loginuid - record user's login uid to the process attribute</title> - <cmdsynopsis> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_loginuid/pam_loginuid.8.xml" xpointer='xpointer(//cmdsynopsis[@id = "pam_loginuid-cmdsynopsis"]/*)'/> - </cmdsynopsis> - <section id='sag-pam_loginuid-description'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_loginuid/pam_loginuid.8.xml" xpointer='xpointer(//refsect1[@id = "pam_loginuid-description"]/*)'/> - </section> - <section id='sag-pam_loginuid-options'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_loginuid/pam_loginuid.8.xml" xpointer='xpointer(//refsect1[@id = "pam_loginuid-options"]/*)'/> - </section> - <section id='sag-pam_loginuid-services'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_loginuid/pam_loginuid.8.xml" xpointer='xpointer(//refsect1[@id = "pam_loginuid-services"]/*)'/> - </section> - <section id='sag-pam_loginuid-return_values'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_loginuid/pam_loginuid.8.xml" xpointer='xpointer(//refsect1[@id = "pam_loginuid-return_values"]/*)'/> - </section> - <section id='sag-pam_loginuid-examples'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_loginuid/pam_loginuid.8.xml" xpointer='xpointer(//refsect1[@id = "pam_loginuid-examples"]/*)'/> - </section> - <section id='sag-pam_loginuid-author'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_loginuid/pam_loginuid.8.xml" xpointer='xpointer(//refsect1[@id = "pam_loginuid-author"]/*)'/> - </section> -</section> 
diff --git a/doc/sag/pam_mail.xml b/doc/sag/pam_mail.xml deleted file mode 100644 index 879c8940..00000000 --- a/doc/sag/pam_mail.xml +++ /dev/null @@ -1,34 +0,0 @@ -<?xml version='1.0' encoding='UTF-8'?> -<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN" - "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"> -<section id='sag-pam_mail'> - <title>pam_mail - inform about available mail</title> - <cmdsynopsis> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_mail/pam_mail.8.xml" xpointer='xpointer(//cmdsynopsis[@id = "pam_mail-cmdsynopsis"]/*)'/> - </cmdsynopsis> - <section id='sag-pam_mail-description'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_mail/pam_mail.8.xml" xpointer='xpointer(//refsect1[@id = "pam_mail-description"]/*)'/> - </section> - <section id='sag-pam_mail-options'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_mail/pam_mail.8.xml" xpointer='xpointer(//refsect1[@id = "pam_mail-options"]/*)'/> - </section> - <section id='sag-pam_mail-services'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_mail/pam_mail.8.xml" xpointer='xpointer(//refsect1[@id = "pam_mail-services"]/*)'/> - </section> - <section id='sag-pam_mail-return_values'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_mail/pam_mail.8.xml" xpointer='xpointer(//refsect1[@id = "pam_mail-return_values"]/*)'/> - </section> - <section id='sag-pam_mail-examples'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_mail/pam_mail.8.xml" xpointer='xpointer(//refsect1[@id = "pam_mail-examples"]/*)'/> - </section> - <section id='sag-pam_mail-author'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_mail/pam_mail.8.xml" xpointer='xpointer(//refsect1[@id = "pam_mail-author"]/*)'/> - </section> -</section> 
diff --git a/doc/sag/pam_mkhomedir.xml b/doc/sag/pam_mkhomedir.xml deleted file mode 100644 index a1465439..00000000 --- a/doc/sag/pam_mkhomedir.xml +++ /dev/null 
@@ -1,34 +0,0 @@ -<?xml version='1.0' encoding='UTF-8'?> -<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN" - "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"> -<section id='sag-pam_mkhomedir'> - <title>pam_mkhomedir - create users home directory</title> - <cmdsynopsis> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_mkhomedir/pam_mkhomedir.8.xml" xpointer='xpointer(//cmdsynopsis[@id = "pam_mkhomedir-cmdsynopsis"]/*)'/> - </cmdsynopsis> - <section id='sag-pam_mkhomedir-description'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_mkhomedir/pam_mkhomedir.8.xml" xpointer='xpointer(//refsect1[@id = "pam_mkhomedir-description"]/*)'/> - </section> - <section id='sag-pam_mkhomedir-options'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_mkhomedir/pam_mkhomedir.8.xml" xpointer='xpointer(//refsect1[@id = "pam_mkhomedir-options"]/*)'/> - </section> - <section id='sag-pam_mkhomedir-services'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_mkhomedir/pam_mkhomedir.8.xml" xpointer='xpointer(//refsect1[@id = "pam_mkhomedir-services"]/*)'/> - </section> - <section id='sag-pam_mkhomedir-return_values'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_mkhomedir/pam_mkhomedir.8.xml" xpointer='xpointer(//refsect1[@id = "pam_mkhomedir-return_values"]/*)'/> - </section> - <section id='sag-pam_mkhomedir-examples'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_mkhomedir/pam_mkhomedir.8.xml" xpointer='xpointer(//refsect1[@id = "pam_mkhomedir-examples"]/*)'/> - </section> - <section id='sag-pam_mkhomedir-author'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_mkhomedir/pam_mkhomedir.8.xml" xpointer='xpointer(//refsect1[@id = "pam_mkhomedir-author"]/*)'/> - </section> -</section> 
diff --git a/doc/sag/pam_motd.xml b/doc/sag/pam_motd.xml deleted file mode 100644 index 847a047c..00000000 --- a/doc/sag/pam_motd.xml +++ /dev/null @@ -1,34 +0,0 @@ -<?xml version='1.0' encoding='UTF-8'?> -<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN" - "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"> -<section id='sag-pam_motd'> - <title>pam_motd - display the motd file</title> - <cmdsynopsis> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_motd/pam_motd.8.xml" xpointer='xpointer(//cmdsynopsis[@id = "pam_motd-cmdsynopsis"]/*)'/> - </cmdsynopsis> - <section id='sag-pam_motd-description'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_motd/pam_motd.8.xml" xpointer='xpointer(//refsect1[@id = "pam_motd-description"]/*)'/> - </section> - <section id='sag-pam_motd-options'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_motd/pam_motd.8.xml" xpointer='xpointer(//refsect1[@id = "pam_motd-options"]/*)'/> - </section> - <section id='sag-pam_motd-services'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_motd/pam_motd.8.xml" xpointer='xpointer(//refsect1[@id = "pam_motd-services"]/*)'/> - </section> - <section id='sag-pam_motd-return_values'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_motd/pam_motd.8.xml" xpointer='xpointer(//refsect1[@id = "pam_motd-return_values"]/*)'/> - </section> - <section id='sag-pam_motd-examples'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_motd/pam_motd.8.xml" xpointer='xpointer(//refsect1[@id = "pam_motd-examples"]/*)'/> - </section> - <section id='sag-pam_motd-author'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_motd/pam_motd.8.xml" xpointer='xpointer(//refsect1[@id = "pam_motd-author"]/*)'/> - </section> -</section> 
diff --git a/doc/sag/pam_namespace.xml b/doc/sag/pam_namespace.xml deleted file mode 100644 index 6a4f59e7..00000000 --- a/doc/sag/pam_namespace.xml +++ /dev/null 
@@ -1,42 +0,0 @@ -<?xml version='1.0' encoding='UTF-8'?> -<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN" - "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"> -<section id='sag-pam_namespace'> - <title>pam_namespace - setup a private namespace</title> - <cmdsynopsis> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_namespace/pam_namespace.8.xml" xpointer='xpointer(//cmdsynopsis[@id = "pam_namespace-cmdsynopsis"]/*)'/> - </cmdsynopsis> - <section id='sag-pam_namespace-description'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_namespace/pam_namespace.8.xml" xpointer='xpointer(//refsect1[@id = "pam_namespace-description"]/*)'/> - </section> - <section id='sag-namespace.conf-description'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_namespace/namespace.conf.5.xml" xpointer='xpointer(//refsect1[@id = "namespace.conf-description"]/*)'/> - </section> - <section id='sag-pam_namespace-options'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_namespace/pam_namespace.8.xml" xpointer='xpointer(//refsect1[@id = "pam_namespace-options"]/*)'/> - </section> - <section id='sag-pam_namespace-services'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_namespace/pam_namespace.8.xml" xpointer='xpointer(//refsect1[@id = "pam_namespace-services"]/*)'/> - </section> - <section id='sag-pam_namespace-return_values'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_namespace/pam_namespace.8.xml" xpointer='xpointer(//refsect1[@id = "pam_namespace-return_values"]/*)'/> - </section> - <section id='sag-pam_namespace-files'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_namespace/pam_namespace.8.xml" xpointer='xpointer(//refsect1[@id = "pam_namespace-files"]/*)'/> - </section> - <section id='sag-namespace.conf-examples'> - 
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_namespace/namespace.conf.5.xml" xpointer='xpointer(//refsect1[@id = "namespace.conf-examples"]/*)'/> - </section> - <section id='sag-pam_namespace-authors'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_namespace/pam_namespace.8.xml" xpointer='xpointer(//refsect1[@id = "pam_namespace-authors"]/*)'/> - </section> -</section> diff --git a/doc/sag/pam_nologin.xml b/doc/sag/pam_nologin.xml deleted file mode 100644 index b05652f5..00000000 --- a/doc/sag/pam_nologin.xml +++ /dev/null 
@@ -1,34 +0,0 @@ -<?xml version='1.0' encoding='UTF-8'?> -<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN" - "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"> -<section id='sag-pam_nologin'> - <title>pam_nologin - prevent non-root users from login</title> - <cmdsynopsis> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_nologin/pam_nologin.8.xml" xpointer='xpointer(//cmdsynopsis[@id = "pam_nologin-cmdsynopsis"]/*)'/> - </cmdsynopsis> - <section id='sag-pam_nologin-description'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_nologin/pam_nologin.8.xml" xpointer='xpointer(//refsect1[@id = "pam_nologin-description"]/*)'/> - </section> - <section id='sag-pam_nologin-options'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_nologin/pam_nologin.8.xml" xpointer='xpointer(//refsect1[@id = "pam_nologin-options"]/*)'/> - </section> - <section id='sag-pam_nologin-services'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_nologin/pam_nologin.8.xml" xpointer='xpointer(//refsect1[@id = "pam_nologin-services"]/*)'/> - </section> - <section id='sag-pam_nologin-return_values'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_nologin/pam_nologin.8.xml" xpointer='xpointer(//refsect1[@id = "pam_nologin-return_values"]/*)'/> - </section> - <section id='sag-pam_nologin-examples'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_nologin/pam_nologin.8.xml" xpointer='xpointer(//refsect1[@id = "pam_nologin-examples"]/*)'/> - </section> - <section id='sag-pam_nologin-author'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_nologin/pam_nologin.8.xml" xpointer='xpointer(//refsect1[@id = "pam_nologin-author"]/*)'/> - </section> -</section> 
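Review bot: Nothing in this hunk says what replaces the administrator-guide entry for pam_nologin; the file goes to /dev/null (+0,0) and no counterpart is added in this change. Since every section of the deleted wrapper is an xi:include of a refsect1 from ../../modules/pam_nologin/pam_nologin.8.xml, the module text itself survives in the man page source and only the guide-level entry point ("pam_nologin - prevent non-root users from login") is lost. The commit message should state whether the guide sections are now generated straight from the modules' *.8.xml files or the guide is being dropped, and whichever it is, any book file that still includes doc/sag/pam_nologin.xml has to be updated in the same change or the documentation build breaks.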
diff --git a/doc/sag/pam_permit.xml b/doc/sag/pam_permit.xml deleted file mode 100644 index 82febe01..00000000 --- a/doc/sag/pam_permit.xml +++ /dev/null 
@@ -1,34 +0,0 @@ -<?xml version='1.0' encoding='UTF-8'?> -<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN" - "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"> -<section id='sag-pam_permit'> - <title>pam_permit - the promiscuous module</title> - <cmdsynopsis> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_permit/pam_permit.8.xml" xpointer='xpointer(//cmdsynopsis[@id = "pam_permit-cmdsynopsis"]/*)'/> - </cmdsynopsis> - <section id='sag-pam_permit-description'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_permit/pam_permit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_permit-description"]/*)'/> - </section> - <section id='sag-pam_permit-options'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_permit/pam_permit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_permit-options"]/*)'/> - </section> - <section id='sag-pam_permit-services'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_permit/pam_permit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_permit-services"]/*)'/> - </section> - <section id='sag-pam_permit-return_values'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_permit/pam_permit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_permit-return_values"]/*)'/> - </section> - <section id='sag-pam_permit-examples'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_permit/pam_permit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_permit-examples"]/*)'/> - </section> - <section id='sag-pam_permit-author'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_permit/pam_permit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_permit-author"]/*)'/> - </section> -</section> diff --git a/doc/sag/pam_rhosts.xml b/doc/sag/pam_rhosts.xml deleted file mode 100644 index 10ae9361..00000000 
--- a/doc/sag/pam_rhosts.xml +++ /dev/null @@ -1,34 +0,0 @@ -<?xml version='1.0' encoding='UTF-8'?> -<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN" - "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"> -<section id='sag-pam_rhosts'> - <title>pam_rhosts - grant access using .rhosts file</title> - <cmdsynopsis> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_rhosts/pam_rhosts.8.xml" xpointer='xpointer(//cmdsynopsis[@id = "pam_rhosts-cmdsynopsis"]/*)'/> - </cmdsynopsis> - <section id='sag-pam_rhosts-description'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_rhosts/pam_rhosts.8.xml" xpointer='xpointer(//refsect1[@id = "pam_rhosts-description"]/*)'/> - </section> - <section id='sag-pam_rhosts-options'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_rhosts/pam_rhosts.8.xml" xpointer='xpointer(//refsect1[@id = "pam_rhosts-options"]/*)'/> - </section> - <section id='sag-pam_rhosts-services'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_rhosts/pam_rhosts.8.xml" xpointer='xpointer(//refsect1[@id = "pam_rhosts-services"]/*)'/> - </section> - <section id='sag-pam_rhosts-return_values'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_rhosts/pam_rhosts.8.xml" xpointer='xpointer(//refsect1[@id = "pam_rhosts-return_values"]/*)'/> - </section> - <section id='sag-pam_rhosts-examples'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_rhosts/pam_rhosts.8.xml" xpointer='xpointer(//refsect1[@id = "pam_rhosts-examples"]/*)'/> - </section> - <section id='sag-pam_rhosts-author'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_rhosts/pam_rhosts.8.xml" xpointer='xpointer(//refsect1[@id = "pam_rhosts-author"]/*)'/> - </section> -</section> 
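Review bot: Removing the guide section for pam_rhosts without a replacement pointer deserves a second look, because this is the module whose title reads "grant access using .rhosts file", i.e. access granted on the basis of host trust rather than a credential, and it is exactly the kind of module an administrator needs guide-level caveats for before enabling. The deleted xpointers show that the description, options, return values and examples still live in ../../modules/pam_rhosts/pam_rhosts.8.xml, so the minimum is a note in the commit message (or the remaining guide text) directing administrators to pam_rhosts(8) for that material; otherwise the guide silently stops mentioning one of the higher-risk modules in the set.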
diff --git a/doc/sag/pam_rootok.xml b/doc/sag/pam_rootok.xml deleted file mode 100644 index 6907bd89..00000000 --- a/doc/sag/pam_rootok.xml +++ /dev/null 
@@ -1,34 +0,0 @@ -<?xml version='1.0' encoding='UTF-8'?> -<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN" - "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"> -<section id='sag-pam_rootok'> - <title>pam_rootok - gain only root access</title> - <cmdsynopsis> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_rootok/pam_rootok.8.xml" xpointer='xpointer(//cmdsynopsis[@id = "pam_rootok-cmdsynopsis"]/*)'/> - </cmdsynopsis> - <section id='sag-pam_rootok-description'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_rootok/pam_rootok.8.xml" xpointer='xpointer(//refsect1[@id = "pam_rootok-description"]/*)'/> - </section> - <section id='sag-pam_rootok-options'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_rootok/pam_rootok.8.xml" xpointer='xpointer(//refsect1[@id = "pam_rootok-options"]/*)'/> - </section> - <section id='sag-pam_rootok-services'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_rootok/pam_rootok.8.xml" xpointer='xpointer(//refsect1[@id = "pam_rootok-services"]/*)'/> - </section> - <section id='sag-pam_rootok-return_values'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_rootok/pam_rootok.8.xml" xpointer='xpointer(//refsect1[@id = "pam_rootok-return_values"]/*)'/> - </section> - <section id='sag-pam_rootok-examples'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_rootok/pam_rootok.8.xml" xpointer='xpointer(//refsect1[@id = "pam_rootok-examples"]/*)'/> - </section> - <section id='sag-pam_rootok-author'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_rootok/pam_rootok.8.xml" xpointer='xpointer(//refsect1[@id = "pam_rootok-author"]/*)'/> - </section> -</section> diff --git a/doc/sag/pam_securetty.xml b/doc/sag/pam_securetty.xml deleted file mode 100644 index 061546cc..00000000 
--- a/doc/sag/pam_securetty.xml +++ /dev/null 
@@ -1,34 +0,0 @@ -<?xml version='1.0' encoding='UTF-8'?> -<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN" - "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"> -<section id='sag-pam_securetty'> - <title>pam_securetty - limit root login to special devices</title> - <cmdsynopsis> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_securetty/pam_securetty.8.xml" xpointer='xpointer(//cmdsynopsis[@id = "pam_securetty-cmdsynopsis"]/*)'/> - </cmdsynopsis> - <section id='sag-pam_securetty-description'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_securetty/pam_securetty.8.xml" xpointer='xpointer(//refsect1[@id = "pam_securetty-description"]/*)'/> - </section> - <section id='sag-pam_securetty-options'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_securetty/pam_securetty.8.xml" xpointer='xpointer(//refsect1[@id = "pam_securetty-options"]/*)'/> - </section> - <section id='sag-pam_securetty-services'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_securetty/pam_securetty.8.xml" xpointer='xpointer(//refsect1[@id = "pam_securetty-services"]/*)'/> - </section> - <section id='sag-pam_securetty-return_values'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_securetty/pam_securetty.8.xml" xpointer='xpointer(//refsect1[@id = "pam_securetty-return_values"]/*)'/> - </section> - <section id='sag-pam_securetty-examples'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_securetty/pam_securetty.8.xml" xpointer='xpointer(//refsect1[@id = "pam_securetty-examples"]/*)'/> - </section> - <section id='sag-pam_securetty-author'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_securetty/pam_securetty.8.xml" xpointer='xpointer(//refsect1[@id = "pam_securetty-author"]/*)'/> - </section> -</section> 
diff --git a/doc/sag/pam_selinux.xml b/doc/sag/pam_selinux.xml deleted file mode 100644 index a0fb293b..00000000 --- a/doc/sag/pam_selinux.xml +++ /dev/null 
@@ -1,34 +0,0 @@ -<?xml version='1.0' encoding='UTF-8'?> -<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN" - "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"> -<section id='sag-pam_selinux'> - <title>pam_selinux - set the default security context</title> - <cmdsynopsis> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_selinux/pam_selinux.8.xml" xpointer='xpointer(//cmdsynopsis[@id = "pam_selinux-cmdsynopsis"]/*)'/> - </cmdsynopsis> - <section id='sag-pam_selinux-description'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_selinux/pam_selinux.8.xml" xpointer='xpointer(//refsect1[@id = "pam_selinux-description"]/*)'/> - </section> - <section id='sag-pam_selinux-options'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_selinux/pam_selinux.8.xml" xpointer='xpointer(//refsect1[@id = "pam_selinux-options"]/*)'/> - </section> - <section id='sag-pam_selinux-services'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_selinux/pam_selinux.8.xml" xpointer='xpointer(//refsect1[@id = "pam_selinux-services"]/*)'/> - </section> - <section id='sag-pam_selinux-return_values'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_selinux/pam_selinux.8.xml" xpointer='xpointer(//refsect1[@id = "pam_selinux-return_values"]/*)'/> - </section> - <section id='sag-pam_selinux-examples'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_selinux/pam_selinux.8.xml" xpointer='xpointer(//refsect1[@id = "pam_selinux-examples"]/*)'/> - </section> - <section id='sag-pam_selinux-author'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_selinux/pam_selinux.8.xml" xpointer='xpointer(//refsect1[@id = "pam_selinux-author"]/*)'/> - </section> -</section> 
diff --git a/doc/sag/pam_sepermit.xml b/doc/sag/pam_sepermit.xml deleted file mode 100644 index 6ef9e0f8..00000000 --- a/doc/sag/pam_sepermit.xml +++ /dev/null 
@@ -1,38 +0,0 @@ -<?xml version='1.0' encoding='UTF-8'?> -<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN" - "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"> -<section id='sag-pam_sepermit'> - <title>pam_sepermit - allow/reject access based on SELinux mode</title> - <cmdsynopsis> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_sepermit/pam_sepermit.8.xml" xpointer='xpointer(//cmdsynopsis[@id = "pam_sepermit-cmdsynopsis"]/*)'/> - </cmdsynopsis> - <section id='sag-pam_sepermit-description'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_sepermit/pam_sepermit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_sepermit-description"]/*)'/> - </section> - <section id='sag-pam_sepermit-options'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_sepermit/pam_sepermit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_sepermit-options"]/*)'/> - </section> - <section id='sag-pam_sepermit-services'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_sepermit/pam_sepermit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_sepermit-services"]/*)'/> - </section> - <section id='sag-pam_sepermit-return_values'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_sepermit/pam_sepermit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_sepermit-return_values"]/*)'/> - </section> - <section id='sag-pam_sepermit-files'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_sepermit/pam_sepermit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_sepermit-files"]/*)'/> - </section> - <section id='sag-pam_sepermit-examples'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_sepermit/pam_sepermit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_sepermit-examples"]/*)'/> - </section> - <section id='sag-pam_sepermit-author'> - <xi:include 
xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_sepermit/pam_sepermit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_sepermit-author"]/*)'/> - </section> -</section> diff --git a/doc/sag/pam_shells.xml b/doc/sag/pam_shells.xml deleted file mode 100644 index 87bc6fdb..00000000 --- a/doc/sag/pam_shells.xml +++ /dev/null 
@@ -1,34 +0,0 @@ -<?xml version='1.0' encoding='UTF-8'?> -<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN" - "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"> -<section id='sag-pam_shells'> - <title>pam_shells - check for valid login shell</title> - <cmdsynopsis> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_shells/pam_shells.8.xml" xpointer='xpointer(//cmdsynopsis[@id = "pam_shells-cmdsynopsis"]/*)'/> - </cmdsynopsis> - <section id='sag-pam_shells-description'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_shells/pam_shells.8.xml" xpointer='xpointer(//refsect1[@id = "pam_shells-description"]/*)'/> - </section> - <section id='sag-pam_shells-options'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_shells/pam_shells.8.xml" xpointer='xpointer(//refsect1[@id = "pam_shells-options"]/*)'/> - </section> - <section id='sag-pam_shells-services'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_shells/pam_shells.8.xml" xpointer='xpointer(//refsect1[@id = "pam_shells-services"]/*)'/> - </section> - <section id='sag-pam_shells-return_values'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_shells/pam_shells.8.xml" xpointer='xpointer(//refsect1[@id = "pam_shells-return_values"]/*)'/> - </section> - <section id='sag-pam_shells-examples'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_shells/pam_shells.8.xml" xpointer='xpointer(//refsect1[@id = "pam_shells-examples"]/*)'/> - </section> - <section id='sag-pam_shells-author'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_shells/pam_shells.8.xml" xpointer='xpointer(//refsect1[@id = "pam_shells-author"]/*)'/> - </section> -</section> diff --git a/doc/sag/pam_succeed_if.xml b/doc/sag/pam_succeed_if.xml deleted file mode 100644 index 0d7304a4..00000000 
--- a/doc/sag/pam_succeed_if.xml +++ /dev/null 
@@ -1,34 +0,0 @@ -<?xml version='1.0' encoding='UTF-8'?> -<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN" - "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"> -<section id='sag-pam_succeed_if'> - <title>pam_succeed_if - test account characteristics</title> - <cmdsynopsis> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_succeed_if/pam_succeed_if.8.xml" xpointer='xpointer(//cmdsynopsis[@id = "pam_succeed_if-cmdsynopsis"]/*)'/> - </cmdsynopsis> - <section id='sag-pam_succeed_if-description'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_succeed_if/pam_succeed_if.8.xml" xpointer='xpointer(//refsect1[@id = "pam_succeed_if-description"]/*)'/> - </section> - <section id='sag-pam_succeed_if-options'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_succeed_if/pam_succeed_if.8.xml" xpointer='xpointer(//refsect1[@id = "pam_succeed_if-options"]/*)'/> - </section> - <section id='sag-pam_succeed_if-services'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_succeed_if/pam_succeed_if.8.xml" xpointer='xpointer(//refsect1[@id = "pam_succeed_if-services"]/*)'/> - </section> - <section id='sag-pam_succeed_if-return_values'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_succeed_if/pam_succeed_if.8.xml" xpointer='xpointer(//refsect1[@id = "pam_succeed_if-return_values"]/*)'/> - </section> - <section id='sag-pam_succeed_if-examples'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_succeed_if/pam_succeed_if.8.xml" xpointer='xpointer(//refsect1[@id = "pam_succeed_if-examples"]/*)'/> - </section> - <section id='sag-pam_succeed_if-author'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_succeed_if/pam_succeed_if.8.xml" xpointer='xpointer(//refsect1[@id = "pam_succeed_if-author"]/*)'/> - </section> -</section> 
diff --git a/doc/sag/pam_tally.xml b/doc/sag/pam_tally.xml deleted file mode 100644 index df34a511..00000000 --- a/doc/sag/pam_tally.xml +++ /dev/null 
@@ -1,38 +0,0 @@ -<?xml version='1.0' encoding='UTF-8'?> -<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN" - "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"> -<section id='sag-pam_tally'> - <title>pam_tally - login counter (tallying) module</title> - <cmdsynopsis> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_tally/pam_tally.8.xml" xpointer='xpointer(//cmdsynopsis[@id = "pam_tally-cmdsynopsis1"]/*)'/> - </cmdsynopsis> - <cmdsynopsis> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_tally/pam_tally.8.xml" xpointer='xpointer(//cmdsynopsis[@id = "pam_tally-cmdsynopsis2"]/*)'/> - </cmdsynopsis> - <section id='sag-pam_tally-description'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_tally/pam_tally.8.xml" xpointer='xpointer(//refsect1[@id = "pam_tally-description"]/*)'/> - </section> - <section id='sag-pam_tally-options'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_tally/pam_tally.8.xml" xpointer='xpointer(//refsect1[@id = "pam_tally-options"]/*)'/> - </section> - <section id='sag-pam_tally-services'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_tally/pam_tally.8.xml" xpointer='xpointer(//refsect1[@id = "pam_tally-services"]/*)'/> - </section> - <section id='sag-pam_tally-return_values'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_tally/pam_tally.8.xml" xpointer='xpointer(//refsect1[@id = "pam_tally-return_values"]/*)'/> - </section> - <section id='sag-pam_tally-examples'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_tally/pam_tally.8.xml" xpointer='xpointer(//refsect1[@id = "pam_tally-examples"]/*)'/> - </section> - <section id='sag-pam_tally-author'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_tally/pam_tally.8.xml" xpointer='xpointer(//refsect1[@id = 
"pam_tally-author"]/*)'/> - </section> -</section> diff --git a/doc/sag/pam_time.xml b/doc/sag/pam_time.xml deleted file mode 100644 index c53ebcab..00000000 --- a/doc/sag/pam_time.xml +++ /dev/null 
@@ -1,42 +0,0 @@ -<?xml version='1.0' encoding='UTF-8'?> -<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN" - "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"> -<section id='sag-pam_time'> - <title>pam_time - time controled access</title> - <cmdsynopsis> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_time/pam_time.8.xml" xpointer='xpointer(//cmdsynopsis[@id = "pam_time-cmdsynopsis"]/*)'/> - </cmdsynopsis> - <section id='sag-pam_time-description'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_time/pam_time.8.xml" xpointer='xpointer(//refsect1[@id = "pam_time-description"]/*)'/> - </section> - <section id='sag-time.conf-description'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_time/time.conf.5.xml" xpointer='xpointer(//refsect1[@id = "time.conf-description"]/*)'/> - </section> - <section id='sag-pam_time-options'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_time/pam_time.8.xml" xpointer='xpointer(//refsect1[@id = "pam_time-options"]/*)'/> - </section> - <section id='sag-pam_time-services'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_time/pam_time.8.xml" xpointer='xpointer(//refsect1[@id = "pam_time-services"]/*)'/> - </section> - <section id='sag-pam_time-return_values'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_time/pam_time.8.xml" xpointer='xpointer(//refsect1[@id = "pam_time-return_values"]/*)'/> - </section> - <section id='sag-pam_time-files'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_time/pam_time.8.xml" xpointer='xpointer(//refsect1[@id = "pam_time-files"]/*)'/> - </section> - <section id='sag-time.conf-examples'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_time/time.conf.5.xml" xpointer='xpointer(//refsect1[@id = 
"time.conf-examples"]/*)'/> - </section> - <section id='sag-pam_time-authors'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_time/pam_time.8.xml" xpointer='xpointer(//refsect1[@id = "pam_time-authors"]/*)'/> - </section> -</section> diff --git a/doc/sag/pam_tty_audit.xml b/doc/sag/pam_tty_audit.xml deleted file mode 100644 index 55e73862..00000000 --- a/doc/sag/pam_tty_audit.xml +++ /dev/null 
@@ -1,38 +0,0 @@ -<?xml version='1.0' encoding='UTF-8'?> -<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN" - "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"> -<section id='sag-pam_tty_audit'> - <title>pam_tty_audit - enable/disable tty auditing</title> - <cmdsynopsis> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_tty_audit/pam_tty_audit.8.xml" xpointer='xpointer(//cmdsynopsis[@id = "pam_tty_audit-cmdsynopsis"]/*)'/> - </cmdsynopsis> - <section id='sag-pam_tty_audit-description'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_tty_audit/pam_tty_audit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_tty_audit-description"]/*)'/> - </section> - <section id='sag-pam_tty_audit-options'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_tty_audit/pam_tty_audit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_tty_audit-options"]/*)'/> - </section> - <section id='sag-pam_tty_audit-services'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_tty_audit/pam_tty_audit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_tty_audit-services"]/*)'/> - </section> - <section id='sag-pam_tty_audit-return_values'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_tty_audit/pam_tty_audit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_tty_audit-return_values"]/*)'/> - </section> - <section id='sag-pam_tty_audit-notes'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_tty_audit/pam_tty_audit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_tty_audit-notes"]/*)'/> - </section> - <section id='sag-pam_tty_audit-examples'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_tty_audit/pam_tty_audit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_tty_audit-examples"]/*)'/> - </section> - <section id='sag-pam_tty_audit-author'> - <xi:include 
xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_tty_audit/pam_tty_audit.8.xml" xpointer='xpointer(//refsect1[@id = "pam_tty_audit-author"]/*)'/> - </section> -</section> diff --git a/doc/sag/pam_umask.xml b/doc/sag/pam_umask.xml deleted file mode 100644 index af68f647..00000000 --- a/doc/sag/pam_umask.xml +++ /dev/null 
@@ -1,34 +0,0 @@ -<?xml version='1.0' encoding='UTF-8'?> -<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN" - "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"> -<section id='sag-pam_umask'> - <title>pam_umask - set the file mode creation mask</title> - <cmdsynopsis> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_umask/pam_umask.8.xml" xpointer='xpointer(//cmdsynopsis[@id = "pam_umask-cmdsynopsis"]/*)'/> - </cmdsynopsis> - <section id='sag-pam_umask-description'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_umask/pam_umask.8.xml" xpointer='xpointer(//refsect1[@id = "pam_umask-description"]/*)'/> - </section> - <section id='sag-pam_umask-options'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_umask/pam_umask.8.xml" xpointer='xpointer(//refsect1[@id = "pam_umask-options"]/*)'/> - </section> - <section id='sag-pam_umask-services'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_umask/pam_umask.8.xml" xpointer='xpointer(//refsect1[@id = "pam_umask-services"]/*)'/> - </section> - <section id='sag-pam_umask-return_values'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_umask/pam_umask.8.xml" xpointer='xpointer(//refsect1[@id = "pam_umask-return_values"]/*)'/> - </section> - <section id='sag-pam_umask-examples'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_umask/pam_umask.8.xml" xpointer='xpointer(//refsect1[@id = "pam_umask-examples"]/*)'/> - </section> - <section id='sag-pam_umask-author'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_umask/pam_umask.8.xml" xpointer='xpointer(//refsect1[@id = "pam_umask-author"]/*)'/> - </section> -</section> diff --git a/doc/sag/pam_unix.xml b/doc/sag/pam_unix.xml deleted file mode 100644 index 57b2f9d2..00000000 --- a/doc/sag/pam_unix.xml +++ /dev/null 
@@ -1,34 +0,0 @@ -<?xml version='1.0' encoding='UTF-8'?> -<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN" - "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"> -<section id='sag-pam_unix'> - <title>pam_unix - traditional password authentication</title> - <cmdsynopsis> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_unix/pam_unix.8.xml" xpointer='xpointer(//cmdsynopsis[@id = "pam_unix-cmdsynopsis"]/*)'/> - </cmdsynopsis> - <section id='sag-pam_unix-description'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_unix/pam_unix.8.xml" xpointer='xpointer(//refsect1[@id = "pam_unix-description"]/*)'/> - </section> - <section id='sag-pam_unix-options'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_unix/pam_unix.8.xml" xpointer='xpointer(//refsect1[@id = "pam_unix-options"]/*)'/> - </section> - <section id='sag-pam_unix-services'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_unix/pam_unix.8.xml" xpointer='xpointer(//refsect1[@id = "pam_unix-services"]/*)'/> - </section> - <section id='sag-pam_unix-return_values'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_unix/pam_unix.8.xml" xpointer='xpointer(//refsect1[@id = "pam_unix-return_values"]/*)'/> - </section> - <section id='sag-pam_unix-examples'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_unix/pam_unix.8.xml" xpointer='xpointer(//refsect1[@id = "pam_unix-examples"]/*)'/> - </section> - <section id='sag-pam_unix-author'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_unix/pam_unix.8.xml" xpointer='xpointer(//refsect1[@id = "pam_unix-author"]/*)'/> - </section> -</section> diff --git a/doc/sag/pam_userdb.xml b/doc/sag/pam_userdb.xml deleted file mode 100644 index ae934cf6..00000000 --- a/doc/sag/pam_userdb.xml +++ /dev/null 
@@ -1,34 +0,0 @@ -<?xml version='1.0' encoding='UTF-8'?> -<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN" - "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"> -<section id='sag-pam_userdb'> - <title>pam_userdb - authenticate against a db database</title> - <cmdsynopsis> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_userdb/pam_userdb.8.xml" xpointer='xpointer(//cmdsynopsis[@id = "pam_userdb-cmdsynopsis"]/*)'/> - </cmdsynopsis> - <section id='sag-pam_userdb-description'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_userdb/pam_userdb.8.xml" xpointer='xpointer(//refsect1[@id = "pam_userdb-description"]/*)'/> - </section> - <section id='sag-pam_userdb-options'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_userdb/pam_userdb.8.xml" xpointer='xpointer(//refsect1[@id = "pam_userdb-options"]/*)'/> - </section> - <section id='sag-pam_userdb-services'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_userdb/pam_userdb.8.xml" xpointer='xpointer(//refsect1[@id = "pam_userdb-services"]/*)'/> - </section> - <section id='sag-pam_userdb-return_values'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_userdb/pam_userdb.8.xml" xpointer='xpointer(//refsect1[@id = "pam_userdb-return_values"]/*)'/> - </section> - <section id='sag-pam_userdb-examples'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_userdb/pam_userdb.8.xml" xpointer='xpointer(//refsect1[@id = "pam_userdb-examples"]/*)'/> - </section> - <section id='sag-pam_userdb-author'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_userdb/pam_userdb.8.xml" xpointer='xpointer(//refsect1[@id = "pam_userdb-author"]/*)'/> - </section> -</section> diff --git a/doc/sag/pam_warn.xml b/doc/sag/pam_warn.xml deleted file mode 100644 index 3d42a757..00000000 
--- a/doc/sag/pam_warn.xml +++ /dev/null @@ -1,34 +0,0 @@ -<?xml version='1.0' encoding='UTF-8'?> -<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN" - "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"> -<section id='sag-pam_warn'> - <title>pam_warn - logs all PAM items</title> - <cmdsynopsis> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_warn/pam_warn.8.xml" xpointer='xpointer(//cmdsynopsis[@id = "pam_warn-cmdsynopsis"]/*)'/> - </cmdsynopsis> - <section id='sag-pam_warn-description'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_warn/pam_warn.8.xml" xpointer='xpointer(//refsect1[@id = "pam_warn-description"]/*)'/> - </section> - <section id='sag-pam_warn-options'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_warn/pam_warn.8.xml" xpointer='xpointer(//refsect1[@id = "pam_warn-options"]/*)'/> - </section> - <section id='sag-pam_warn-services'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_warn/pam_warn.8.xml" xpointer='xpointer(//refsect1[@id = "pam_warn-services"]/*)'/> - </section> - <section id='sag-pam_warn-return_values'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_warn/pam_warn.8.xml" xpointer='xpointer(//refsect1[@id = "pam_warn-return_values"]/*)'/> - </section> - <section id='sag-pam_warn-examples'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_warn/pam_warn.8.xml" xpointer='xpointer(//refsect1[@id = "pam_warn-examples"]/*)'/> - </section> - <section id='sag-pam_warn-author'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_warn/pam_warn.8.xml" xpointer='xpointer(//refsect1[@id = "pam_warn-author"]/*)'/> - </section> -</section> diff --git a/doc/sag/pam_wheel.xml b/doc/sag/pam_wheel.xml deleted file mode 100644 index 69175124..00000000 --- a/doc/sag/pam_wheel.xml +++ /dev/null 
@@ -1,34 +0,0 @@ -<?xml version='1.0' encoding='UTF-8'?> -<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN" - "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"> -<section id='sag-pam_wheel'> - <title>pam_wheel - only permit root access to members of group wheel</title> - <cmdsynopsis> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_wheel/pam_wheel.8.xml" xpointer='xpointer(//cmdsynopsis[@id = "pam_wheel-cmdsynopsis"]/*)'/> - </cmdsynopsis> - <section id='sag-pam_wheel-description'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_wheel/pam_wheel.8.xml" xpointer='xpointer(//refsect1[@id = "pam_wheel-description"]/*)'/> - </section> - <section id='sag-pam_wheel-options'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_wheel/pam_wheel.8.xml" xpointer='xpointer(//refsect1[@id = "pam_wheel-options"]/*)'/> - </section> - <section id='sag-pam_wheel-services'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_wheel/pam_wheel.8.xml" xpointer='xpointer(//refsect1[@id = "pam_wheel-services"]/*)'/> - </section> - <section id='sag-pam_wheel-return_values'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_wheel/pam_wheel.8.xml" xpointer='xpointer(//refsect1[@id = "pam_wheel-return_values"]/*)'/> - </section> - <section id='sag-pam_wheel-examples'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_wheel/pam_wheel.8.xml" xpointer='xpointer(//refsect1[@id = "pam_wheel-examples"]/*)'/> - </section> - <section id='sag-pam_wheel-author'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_wheel/pam_wheel.8.xml" xpointer='xpointer(//refsect1[@id = "pam_wheel-author"]/*)'/> - </section> -</section> diff --git a/doc/sag/pam_xauth.xml b/doc/sag/pam_xauth.xml deleted file mode 100644 index 84ca5ddb..00000000 
--- a/doc/sag/pam_xauth.xml +++ /dev/null @@ -1,34 +0,0 @@ -<?xml version='1.0' encoding='UTF-8'?> -<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN" - "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"> -<section id='sag-pam_xauth'> - <title>pam_xauth - forward xauth keys between users</title> - <cmdsynopsis> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_xauth/pam_xauth.8.xml" xpointer='xpointer(//cmdsynopsis[@id = "pam_xauth-cmdsynopsis"]/*)'/> - </cmdsynopsis> - <section id='sag-pam_xauth-description'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_xauth/pam_xauth.8.xml" xpointer='xpointer(//refsect1[@id = "pam_xauth-description"]/*)'/> - </section> - <section id='sag-pam_xauth-options'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_xauth/pam_xauth.8.xml" xpointer='xpointer(//refsect1[@id = "pam_xauth-options"]/*)'/> - </section> - <section id='sag-pam_xauth-services'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_xauth/pam_xauth.8.xml" xpointer='xpointer(//refsect1[@id = "pam_xauth-services"]/*)'/> - </section> - <section id='sag-pam_xauth-return_values'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_xauth/pam_xauth.8.xml" xpointer='xpointer(//refsect1[@id = "pam_xauth-return_values"]/*)'/> - </section> - <section id='sag-pam_xauth-examples'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_xauth/pam_xauth.8.xml" xpointer='xpointer(//refsect1[@id = "pam_xauth-examples"]/*)'/> - </section> - <section id='sag-pam_xauth-author'> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="../../modules/pam_xauth/pam_xauth.8.xml" xpointer='xpointer(//refsect1[@id = "pam_xauth-author"]/*)'/> - </section> -</section> diff --git a/doc/specs/.cvsignore b/doc/specs/.cvsignore deleted file mode 100644 index 0e7cbe2f..00000000 
--- a/doc/specs/.cvsignore +++ /dev/null @@ -1,12 +0,0 @@ -draft-morgan-pam-*.txt -Makefile -Makefile.in -parse.c -lex.yy.c -.deps -.libs -padout -parse_l.c -parse_y.c -parse_y.h - diff --git a/doc/specs/Makefile.am b/doc/specs/Makefile.am deleted file mode 100644 index 595c09bf..00000000 --- a/doc/specs/Makefile.am +++ /dev/null @@ -1,22 +0,0 @@ -# -# Copyright (c) 2005, 2006 Thorsten Kukuk <kukuk@suse.de> -# - -CLEANFILES = draft-morgan-pam-current.txt *~ - -EXTRA_DIST = draft-morgan-pam.raw std-agent-id.raw rfc86.0.txt - -draft-morgan-pam-current.txt: padout draft-morgan-pam.raw - ./padout < $(srcdir)/draft-morgan-pam.raw > draft-morgan-pam-current.txt - -AM_YFLAGS = -d - -BUILT_SOURCES = parse_y.h - -noinst_PROGRAMS = padout - -padout_SOURCES = parse_l.l parse_y.y - -padout_LDADD = @LEXLIB@ - -doc_DATA = draft-morgan-pam-current.txt rfc86.0.txt diff --git a/doc/specs/draft-morgan-pam.raw b/doc/specs/draft-morgan-pam.raw deleted file mode 100644 index 45109f45..00000000 --- a/doc/specs/draft-morgan-pam.raw +++ /dev/null 
@@ -1,764 +0,0 @@ -Open-PAM working group ## A.G. Morgan -Internet Draft: ## Dec 8, 2001 -Document: draft-morgan-pam-08.txt ## -Expires: June 8, 2002 ## -Obsoletes: draft-morgan-pam-07.txt## - -## Pluggable Authentication Modules (PAM) ## - -#$ Status of this memo - -This document is a draft specification. Its contents are subject to -change with revision. The latest version of this draft may be obtained -from here: - - http://www.kernel.org/pub/linux/libs/pam/pre/doc/ - -As - - Linux-PAM-'version'-docs.tar.gz - -It is also contained in the Linux-PAM tar ball. - -#$ Abstract - -This document is concerned with the definition of a general -infrastructure for module based authentication. The infrastructure is -named Pluggable Authentication Modules (PAM for short). - -#$ Introduction - -Computers are tools. They provide services to people and other -computers (collectively we shall call these _users_ entities). In -order to provide convenient, reliable and individual service to -different entities, it is common for entities to be labelled. Having -defined a label as referring to a some specific entity, the label is -used for the purpose of protecting and allocating data resources. - -All modern operating systems have a notion of labelled entities and -all modern operating systems face a common problem: how to -authenticate the association of a predefined label with applicant -entities. - -There are as many authentication methods as one might care to count. -None of them are perfect and none of them are invulnerable. In -general, any given authentication method becomes weaker over time. It -is common then for new authentication methods to be developed in -response to newly discovered weaknesses in the old authentication -methods. - -The problem with inventing new authentication methods is the fact that -old applications do not support them. This contributes to an inertia -that discourages the overhaul of weakly protected systems. 
Another -problem is that individuals (people) are frequently powerless to layer -the protective authentication around their systems. They are forced -to rely on single (lowest common denominator) authentication schemes -even in situations where this is far from appropriate. - -PAM, as discussed in this document, is a generalization of the -approach first introduced in [#$R#{OSF_RFC_PAM}]. In short, it is a -general framework of interfaces that abstract the process of -authentication. With PAM, a service provider can custom protect -individual services to the level that they deem is appropriate. - -PAM has nothing explicit to say about transport layer encryption. -Within the context of this document encryption and/or compression of -data exchanges are application specific (strictly between client and -server) and orthogonal to the process of authentication. - -#$ Definitions - -Here we pose the authentication problem as one of configuring defined -interfaces between two entities. - -#$$#{players} Players in the authentication process - -PAM reserves the following words to specify unique entities in the -authentication process: - - applicant - the entity (user) initiating an application for service - [PAM associates the PAM_RUSER _item_ with this requesting user]. - - arbitrator - the entity (user) under whose identity the service application - is negotiated and with whose authority service is granted. - - user - the entity (user) whose identity is being authenticated - [PAM associates the PAM_USER _item_ with this identity]. - - server - the application that provides service, or acts as an - authenticated gateway to the requested service. This - application is completely responsible for the server end of - the transport layer connecting the server to the client. - PAM makes no assumptions about how data is encapsulated for - exchanges between the server and the client, only that full - octet sequences can be freely exchanged without corruption. 
- - client - application providing the direct/primary interface to - applicant. This application is completely responsible - for the client end of the transport layer connecting the - server to the client. PAM makes no assumptions about how data - is encapsulated for exchanges between the server and the - client, only that full octet sequences can be freely - exchanged without corruption. - - module - authentication binary that provides server-side support for - some (arbitrary) authentication method. - - agent - authentication binary that provides client-side support for - some (arbitrary) authentication method. - -Here is a diagram to help orient the reader: - -## +-------+ +--------+ ## -## . . . . .| agent | .| module | ## -## . +-------+ .+--------+ ## -## V | . | ## -## . | V | ## -## +---------+ +-------+ . +------+ ## -## | | |libpamc| . |libpam| ## -## | | +-------+ . +------+ ## -## |applicant| | . | ## -## | | +--------+ +----------+ ## -## | |---| client |-----------| server | ## -## +---------+ +--------+ +----------+ ## - -Solid lines connecting the boxes represent two-way interaction. The -dotted-directed lines indicate an optional connection beteween the -plugin module (agent) and the server (applicant). In the case of the -module, this represents the module invoking the 'conversation' -callback function provided to libpam by the server application when it -inititializes the libpam library. In the case of the agent, this may -be some out-of-PAM API interaction (for example directly displaying a -dialog box under X). - -#$$ Defined Data Types - -In this draft, we define two composite data types, the text string and -the binary prompt. They are the data types used to communicate -authentication requests and responses. - -#$$$#{text_string} text string - -The text string is a simple sequence of non-NUL (NUL = 0x00) -octets. Terminated with a single NUL (0x00) octet. 
The character set -employed in the octet sequence may be negotiated out of band, but -defaults to utf-8. - -## --------------------------- ## -## [ character data | NUL ] ## -## [ octet sequence | 0x00 ] ## -## --------------------------- ## - -Within the rest of this text, PAM text strings are delimited with a -pair of double quotes. Example, "this" = {'t';'h';'i';'s';0x00}. - -#$$$#{binary_prompt} binary prompt - -A binary prompt consists of a stream of octets arranged as follows: - -## ---------------------------------------- ## -## [ u32 | u8 | (length-5 octets) ] ## -## [ length | control | data ] ## -## ---------------------------------------- ## - -That is, a 32-bit unsigned integer in network byte order, a single -unsigned byte of control information and a sequence of octets of -length (length-5). The composition of the _data_ is context dependent -but is generally not a concern for either the server or the client. It -is very much the concern of modules and agents. - -For purposes of interoperability, we define the following control -characters as legal. 
- -## value symbol description ## -## ------------------------------------------------- ## -## 0x01 PAM_BPC_OK - continuation packet ## -## 0x02 PAM_BPC_SELECT - initialization packet ## -## 0x03 PAM_BPC_DONE - termination packet ## -## 0x04 PAM_BPC_FAIL - unable to execute ## - -The following control characters are only legal for exchanges between -an agent and a client (it is the responsibility of the client to -enforce this rule in the face of a rogue server): - -## 0x41 PAM_BPC_GETENV - obtain client env.var ## -## 0x42 PAM_BPC_PUTENV - set client env.var ## -## 0x43 PAM_BPC_TEXT - display message ## -## 0x44 PAM_BPC_ERROR - display error message ## -## 0x45 PAM_BPC_PROMPT - echo'd text prompt ## -## 0x46 PAM_BPC_PASS - non-echo'd text prompt ## -## 0x46 PAM_BPC_STATUS - ping all active clients## -## 0x47 PAM_BPC_ABORT - please abort session ## - -Note, length is always equal to the total length of the binary -prompt and represented by a network ordered unsigned 32 bit integer. - -#$$$$#{agent_ids} PAM_BPC_SELECT binary prompts - -Binary prompts of control type PAM_BPC_SELECT have a defined -data part. It is composed of three elements: - - {agent_id;'/';data} - -The agent_id is a sequence of characters satisfying the following -regexp: - - /^[a-z0-9\_]+(@[a-z0-9\_.]+)?$/ - -and has a specific form for each independent agent. - -o Agent_ids that do not contain an at-sign (@) are to be considered as - representing some authentication mode that is a "public - standard" see reference [#$R#{PAM_STD_AGENTIDS}]. Registered names - MUST NOT contain an at-sign (@). - -o Anyone can define additional agents by using names in the format - name@domainname, e.g. "ouragent@example.com". The part following - the at-sign MUST be a valid fully qualified internet domain name - [RFC-1034] controlled by the person or organization defining the - name. 
(Said another way, if you control the email address that - your agent has as an identifier, they you are entitled to use - this identifier.) It is up to each domain how it manages its local - namespace. - -The '/' character is a mandatory delimiter, indicating the end of the -agent_id. The trailing data is of a format specific to the agent with -the given agent_id. - - -#$$ Special cases - -In a previous section (#{players}) we identified the most general -selection of authentication participants. In the case of network -authentication, it is straightforward to ascribe identities to the -defined participants. However, there are also special (less general) -cases that we recognize here. - -The primary authentication step, when a user is directly introduced -into a computer system (log's on to a workstation) is a special case. -In this situation, the client and the server are generally one -application. Before authenticating such a user, the applicant is -formally unknown: PAM_RUSER is NULL. - -Some client-server implementations (telnet for example) provide -effective full tty connections. In these cases, the four simple text -string prompting cases (see below) can be handled as in the primary -login step. In other words, the server absorbs most of the overhead of -propagating authentication messages. In these cases, there needs to be -special client/server support for handling binary prompts. - -In some circumstances, a legacy network transfer protocol can carry -authentication information. In such cases, a desire to support legacy -clients (with no client-side support for PAM) will neccessitate the -'hardcoding' of an agent protocol into the server application. Whilst -against the spirit of PAM, this special casing can be managed by the -server's 'conversation function' (see below). 
The guiding principle -when implementing such support is for the application developer to -relegate the authentication process to the PAM module -- simply -performing a transcription of data from binary-prompt to legacy -network 'packet' and visa-versa for propagating replies back to the -driving PAM module. A common case of this is with network protocols -that define an initialization packet of "user+password". In such cases -one should attempt to support the "userpass" agent-id and its defined -protocol. - -#$ Defined interfaces for information flow - -Here, we discuss the information exchange interfaces between the -players in the authentication process. It should be understood that -the server side is responsible for driving the authentication of the -applicant. Notably, every request received by the client from the -server must be matched with a single response from the client to the -server. - -#$$#{applicant_client} Applicant <-> client - -Once the client is invoked, requests to the applicant entity are -initiated by the client application. General clients are able to make -the following requests directly to an applicant: - - echo text string - echo error text string - prompt with text string for echo'd text string input - prompt with text string for concealed text string input - -the nature of the interface provided by the client for the benefit of -the applicant entity is client specific and not defined by PAM. - -#$$#{client_agent} Client <-> agent - -In general, authentication schemes require more modes of exchange than -the four defined in the previous section (#{applicant_client}). This -provides a role for client-loadable agents. 
The client and agent -exchange binary-messages that can have one of the following forms: - - client -> agent - binary prompt agent expecting binary prompt reply to client - - agent -> client - binary prompt reply from agent to clients binary prompt - -Following the acceptance of a binary prompt by the agent, the agent -may attempt to exchange information with the client before returning -its binary prompt reply. Permitted exchanges are binary prompts of the -following types: - - agent -> client - set environment variable (A) - get environment variable (B) - echo text string (C) - echo error text string (D) - prompt for echo'd text string input (E) - prompt for concealed text string input (F) - -In response to these prompts, the client must legitimately respond -with a corresponding binary prompt reply. We list a complete set of -example exchanges, including each type of legitimate response (passes -and a single fail): - -## Type | Agent request | Client response ## -## --------------------------------------------------------------- ## -## (A) | {13;PAM_BPC_PUTENV;"FOO=BAR"} | {5;PAM_BPC_OK;} ## -## | {10;PAM_BPC_PUTENV;"FOO="} | {5;PAM_BPC_OK;} ## -## | {9;PAM_BPC_PUTENV;"FOO"} (*) | {5;PAM_BPC_OK;} ## -## | {9;PAM_BPC_PUTENV;"BAR"} (*) | {5;PAM_BPC_FAIL;} ## -## --------------------------------------------------------------- ## -## (B) | {10;PAM_BPC_GETENV;"TERM"} | {11;PAM_BPC_OK;"vt100"} ## -## | {9;PAM_BPC_GETENV;"FOO"} | {5;PAM_BPC_FAIL;} ## -## --------------------------------------------------------------- ## -## (C) | {12;PAM_BPC_TEXT;"hello!"} | {5;PAM_BPC_OK;} ## -## | {12;PAM_BPC_TEXT;"hello!"} | {5;PAM_BPC_FAIL;} ## -## --------------------------------------------------------------- ## -## (D) | {11;PAM_BPC_ERROR;"ouch!"} | {5;PAM_BPC_OK;} ## -## | {11;PAM_BPC_ERROR;"ouch!"} | {5;PAM_BPC_FAIL;} ## -## --------------------------------------------------------------- ## -## (E) | {13;PAM_BPC_PROMPT;"login: "} | {9;PAM_BPC_OK;"joe"} ## -## | 
{13;PAM_BPC_PROMPT;"login: "} | {6;PAM_BPC_OK;""} ## -## | {13;PAM_BPC_PROMPT;"login: "} | {5;PAM_BPC_FAIL;} ## -## --------------------------------------------------------------- ## -## (F) | {16;PAM_BPC_PASS;"password: "} | {9;PAM_BPC_OK;"XYZ"} ## -## | {16;PAM_BPC_PASS;"password: "} | {6;PAM_BPC_OK;""} ## -## | {16;PAM_BPC_PASS;"password: "} | {5;PAM_BPC_FAIL;} ## - -(*) Used to attempt the removal of a pre-existing environment -variable. - -#$$ Client <-> server - -Once the client has established a connection with the server (the -nature of the transport protocol is not specified by PAM), the server -is responsible for driving the authentication process. - -General servers can request the following from the client: - - (to be forwarded by the client to the applicant) - echo text string - echo error text string - prompt for echo'd text string response - prompt for concealed text string response - - (to be forwarded by the client to the appropriate agent) - binary prompt for a binary prompt response - -Client side agents are required to process binary prompts. The -agents' binary prompt responses are returned to the server. - -#$$ Server <-> module - -Modules drive the authentication process. The server provides a -conversation function with which it encapsulates module-generated -requests and exchanges them with the client. Every message sent by a -module should be acknowledged. - -General conversation functions can support the following five -conversation requests: - - echo text string - echo error string - prompt for echo'd text string response - prompt for concealed text string response - binary prompt for binary prompt response - -The server is responsible for redirecting these requests to the -client. - -#$ C API for application interfaces (client and server) - -#$$ Applicant <-> client - -No API is defined for this interface. The interface is considered to -be specific to the client application. 
Example applications include -terminal login, (X)windows login, machine file transfer applications. - -All that is important is that the client application is able to -present the applicant with textual output and to receive textual -input from the applicant. The forms of textual exchange are listed -in an earlier section (#{applicant_client}). Other methods of -data input/output are better suited to being handled via an -authentication agent. - -#$$ Client <-> agent - -The client makes use of a general API for communicating with -agents. The client is not required to communicate directly with -available agents, instead a layer of abstraction (in the form of a -library: libpamc) takes care of loading and maintaining communication -with all requested agents. This layer of abstraction will choose which -agents to interact with based on the content of binary prompts it -receives that have the control type PAM_BPC_SELECT. - -#$$$ Client <-> libpamc - -#$$$$ Compilation information - -The C-header file provided for client-agent abstraction is included -with the following source line: - - \#include <security/pam_client.h> - -The library providing the corresponding client-agent abstraction -functions is, libpamc. - - cc .... -lpamc - -#$$$$ Initializing libpamc - -The libpamc library is initialized with a call to the following -function: - - pamc_handle_t pamc_start(void); - -This function is responsible for configuring the library and -registering the location of available agents. The location of the -available agents on the system is implementation specific. - -pamc_start() function returns NULL on failure. Otherwise, the return -value is a pointer to an opaque data type which provides a handle to -the libpamc library. On systems where threading is available, the -libpamc libraray is thread safe provided a single (pamc_handler_t *) -is used by each thread. 
- -#$$$$ Client (Applicant) selection of agents - -For the purpose of applicant and client review of available agents, -the following function is provided. - - char **pamc_list_agents(pamc_handle_t pch); - -This returns a list of pointers to the agent_id's of the agents which -are available on the system. The list is terminated by a NULL pointer. -It is the clients responsibility to free this memory area by calling -free() on each agent id and the block of agent_id pointers in the -result. - -PAM represents a server-driven authentication model, so by default -any available agent may be invoked in the authentication process. - -#$$$$$ Client demands agent - -If the client requires that a specific authentication agent is -satisfied during the authentication process, then the client should -call the following function, immediately after obtaining a -pamc_handle_t from pamc_start(). - - int pamc_load(pamc_handle_t pch, const char *agent_id); - -agent_id is a PAM text string (see section #{agent_ids}) and is not -suffixed with a '/' delimiter. The return value for this function is: - - PAM_BPC_TRUE - agent located and loaded. - PAM_BPC_FALSE - agent is not available. - -Note, although the agent is loaded, no data is fed to it. The agent's -opportunity to inform the client that it does not trust the server is -when the agent is shutdown. - -#$$$$$ Client marks agent as unusable - -The applicant might prefer that a named agent is marked as not -available. To do this, the client would invoke the following function -immediately after obtaining a pamc_handle_t from pam_start(). - - int pamc_disable(pamc_handle_t pch, const char *agent_id); - -here agent_id is a PAM text string containing an agent_id (section -#{agent_ids}). - -The return value for this function is: - - PAM_BPC_TRUE - agent is disabled. This is the response - independent of whether the agent is locally - available. 
- - PAM_BPC_FALSE - agent cannot be disabled (this may be because - it has already been invoked). - -#$$$$ Allocating and manipulating binary prompts - -All conversation between an client and an agent takes place with -respect to binary prompts. A binary prompt (see section #{binary_prompt}), is -obtained, resized and deleted via the following C-macro: - - CREATION of a binary prompt with control X1 and data length Y1: - - pamc_bp_t prompt = NULL; - PAM_BP_RENEW(&prompt, X1, Y1); - - REPLACEMENT of a binary prompt with a control X2 and data length Y2: - - PAM_BP_RENEW(&prompt, X2, Y2); - - DELETION of a binary prompt (the referenced prompt is scrubbed): - - PAM_BP_RENEW(&prompt, 0, 0); - -Note, the PAM_BP_RENEW macro always overwrites any prompt that you -call it with, deleting and liberating the old contents in a secure -fashion. Also note that PAM_BP_RENEW, when returning a prompt of data -size Y1>0, will always append a '\0' byte to the end of the prompt (at -data offset Y1). It is thus, by definition, acceptable to treat the -data contents of a binary packet as a text string (see #{text_string}). 
- - FILLING a binary prompt from a memory pointer U1 from offset O1 of - length L1: - - PAM_BP_FILL(prompt, O1, L1, U1); - - the CONTROL type for the packet can be obtained as follows: - - control = PAM_PB_CONTROL(prompt); - - the LENGTH of a data within the prompt (_excluding_ its header - information) can be obtained as follows: - - length = PAM_BP_LENGTH(prompt); - - the total SIZE of the prompt (_including_ its header information) - can be obtained as follows: - - size = PAM_BP_SIZE(prompt); - - EXTRACTING data from a binary prompt from offset O2 of length L2 to - a memory pointer U2: - - PAM_BP_EXTRACT(prompt, O2, L2, U2); - - If you require direct access to the raw prompt DATA, you should use - the following macro: - - __u8 *raw_data = PAM_BP_DATA(prompt); - -#$$$$ Client<->agent conversations - -All exchanges of binary prompts with agents are handled with the -single function: - - int pamc_converse(pamc_handle_t *pch, pamc_bp_t *prompt_p); - -The return value for pamc_converse(...) is PAM_BPC_TRUE when there is -a response packet and PAM_BPC_FALSE when the client is unable to -handle the request represented by the original prompt. In this latter -case, *prompt_p is set to NULL. - -This function takes a binary prompt and returns a replacement binary -prompt that is either a request from an agent to be acted upon by the -client or the 'result' which should be forwarded to the server. In the -former case, the following macro will return 1 (PAM_BPC_TRUE) and in -all other cases, 0 (PAM_BPC_FALSE): - - PAM_BPC_FOR_CLIENT(/* pamc_bp_t */ prompt) - -Note, all non-NULL binary prompts returned by pamc_converse(...), are -terminated with a '\0', even when the full length of the prompt (as -returned by the agent) does not contain this delimiter. This is a -defined property of the PAM_BP_RENEW macro, and can be relied upon. 
- -Important security note: in certain implementations, agents are -implemented by executable binaries, which are transparently loaded and -managed by the PAM client library. To ensure there is never a leakage -of elevated privilege to an unprivileged agent, the client application -should go to some effort to lower its level of privilege. It remains -the responsibility of the applicant and the client to ensure that it -is not compromised by a rogue agent. - -#$$$$ Status of agents - - int pamc_status(pamc_handle_t *pch, pamc_bp_t *prompt_p); - -At any time, the client may ping all active agents for their status -(with a PAM_BPC_STATUS binary prompt). If any agent replies with -PAM_BPC_ABORT, the client is responsible for terminating the -connection to the server and then terminating all agents with a call -to pamc_end(). In such cases, the return value of pamc_status() is -PAM_BPC_FALSE. - -If the return status of pamc_status() is PAM_BPC_TRUE and *prompt_p is -non-NULL, then an agent is requesting access to a server module. - -XXX - how this information gets propagated to the server, and - ultimately to the server's module is yet to be determined. - -#$$$$ Termination of agents - -When closing the authentication session and severing the connection -between a client and a selection of agents, the following function is -used: - - int pamc_end(pamc_handle_t *pch); - -Following a call to pamc_end, the pamc_handle_t will be invalid. - -The return value for this function is one of the following: - - PAM_BPC_TRUE - all invoked agents are content with - authentication (the server is _not_ judged - _un_trustworthy by any agent) - - PAM_BPC_FALSE - one or more agents were unsatisfied at - being terminated. In general, the client - should terminate its connection to the - server and indicate to the applicant that - the server is untrusted. - -#$$$ libpamc <-> agents - -The agents are manipulated from within libpamc. Each agent is an -executable in its own right. 
This permits the agent to have access to -sensitive data not accessible directly from the client. The mode of -communication between libpamc and an agent is through a pair of -pipes. The agent reads binary prompts (section #{binary_prompt}) -through its standard input file descriptor and writes response (to the -server) binary prompts and instruction binary prompts (instructions -for the client) through its standard output file descriptor. - -#$$ Client <-> server - -This interface is concerned with the exchange of text and binary -prompts between the client application and the server application. No -API is provided for this as it is considered specific to the transport -protocol shared by the client and the server. - -#$$ Server <-> modules - -The server makes use of a general API for communicating with -modules. The client is not required to communicate directly with -available modules. By abstracting the authentication interface, it -becomes possible for the local administrator to make a run time -decision about the authentication method adopted by the server. - -#$$$ Functions and definitions available to servers and modules - -[This section will document the following functions - - pam_set_item() - pam_get_item() - pam_fail_delay(pam_handle_t *pamh, unsigned int micro_sec) - pam_get_env(pam_handle_t *pamh, const char *varname) - pam_strerror(pam_handle_t *pamh, int pam_errno) - -Event driven support (XXX work in progress) - - pam_register_event() - app or module associates an event poller/handler - pam_select_event() - query for any outstanding event and act on any -] - -#$$$ Server <-> libpam - -[This section will document the following pam_ calls: - - pam_start - pam_end - pam_authenticate (*) - pam_setcred - pam_acct_mgmt - pam_open_session - pam_close_session - pam_chauthtok (*) - -The asterisked functions may return PAM_INCOMPLETE. 
In such cases, the -application should be aware that the conversation function was called -and that it returned PAM_CONV_AGAIN to a module. The correct action -for the application to take in response to receiving PAM_INCOMPLETE, -is to acquire the replies so that the next time the conversation -function is called it will be able to provide the desired -responses. And then recall pam_authenticate (pam_chauthtok) with the -same arguments. Libpam will arrange that the module stack is resumed -from the module that returned before. This functionality is required -for programs whose user interface is maintained by an event loop. ] - -#$$$ libpam <-> modules - -[This section will document the following pam_ and pam_sm_ calls: - -functions provided by libpam - - pam_set_data - pam_get_data - -functions provided to libpam by each module - - groups: - AUTHENTICATION - pam_sm_authenticate - pam_sm_setcred - ACCOUNT - pam_sm_acct_mgmt - SESSION - pam_sm_open_session - pam_sm_close_session - AUTHENTICATION TOKEN MANAGEMENT - pam_sm_chauthtok -] - -#$$$ The conversation function - -The server application, as part of its initialization of libpam, -provides a conversation function for use by modules and libpam. The -purpose of the conversation function is to enable direct communication -to the applicant ultimately via the client and selected agents. - -[ this section will contain a definition for the conversation - function, the conversation structure (appdata etc), and legitimate - return codes for the application supplied function. - - PAM_SUCCESS - ok conversation completed - PAM_CONV_ERR - conversation failed - PAM_CONV_AGAIN - application needs control to complete conv - PAM_CONV_RECONSIDER - application believes module should check if - it still needs to converse for this info - ] - -#$ Security considerations - -This document is devoted to standardizing authentication -infrastructure: everything in this document has implications for -security. 
- -#$ Contact - -The email list for discussing issues related to this document is -<pam-list@redhat.com>. - -#$ References - -[#{OSF_RFC_PAM}] OSF RFC 86.0, "Unified Login with Pluggable Authentication - Modules (PAM)", October 1995 - -[#{PAM_STD_AGENTIDS}] Definitions for standard agents, "REGISTERED - AGENTS AND THEIR AGENT-ID'S", to be found here: - -## http://www.kernel.org/pub/linux/libs/pam/pre/doc/std-agent-ids.txt ## - -#$ Author's Address - -Andrew G. Morgan -Email: morgan@kernel.org - -## $Id$ ## diff --git a/doc/specs/formatter/.cvsignore b/doc/specs/formatter/.cvsignore deleted file mode 100644 index ea34fc5f..00000000 --- a/doc/specs/formatter/.cvsignore +++ /dev/null @@ -1,5 +0,0 @@ -lex.yy.c -parse.tab.c -padout -Makefile -Makefile.in diff --git a/doc/specs/parse_l.l b/doc/specs/parse_l.l deleted file mode 100644 index 7cab424c..00000000 --- a/doc/specs/parse_l.l +++ /dev/null @@ -1,21 +0,0 @@ -%{ -#ifdef HAVE_CONFIG_H -# include <config.h> -#endif - -#include <stdio.h> - -#include "parse_y.h" -%} - -%% - -\#[\$]+[a-zA-Z]*(\=[0-9]+)? return NEW_COUNTER; -\#\{[a-zA-Z][a-zA-Z0-9\_]*\} return LABEL; -\# return NO_INDENT; -\#\# return RIGHT; -\\\# return HASH; -[^\n] return CHAR; -[\n] return NEWLINE; - -%% diff --git a/doc/specs/parse_y.y b/doc/specs/parse_y.y deleted file mode 100644 index 87fc54ea..00000000 --- a/doc/specs/parse_y.y +++ /dev/null 
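Review bot: the commit message should state where the material removed from doc/specs/draft-morgan-pam-current now lives, because nothing in this diff replaces it: the PAM_INCOMPLETE contract for the asterisked pam_authenticate/pam_chauthtok entries (conversation function returned PAM_CONV_AGAIN, application collects the replies and re-calls with the same arguments, libpam resumes the stack at the module that returned) and the agent privilege caveat under pamc_status()/pamc_end() (the client must drop privilege before loading executable agents) are the only in-tree descriptions of that behaviour; if they have moved to the ADG or MWG, say so, otherwise this is a documentation regression rather than a cleanup. Removing parse_l.l and the formatter .cvsignore in the same run is consistent with the spec going away, since the lexer's NEW_COUNTER (`#$$…`), LABEL (`#{…}`) and RIGHT (`##`) tokens exist only to format that document.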
@@ -1,297 +0,0 @@ - -%{ -#ifdef HAVE_CONFIG_H -# include <config.h> -#endif - -#include <stdio.h> -#include <stdlib.h> -#include <string.h> - -#define MAXLINE 1000 -#define INDENT_STRING " " -#define PAPER_WIDTH 74 - - int indent=0; - int line=1; - char *last_label=NULL; - - extern int yylex(void); - extern char *yytext; - extern void yyerror(const char *x); - extern char *get_label(const char *label); - extern void set_label(const char *label, const char *target); - char *new_counter(const char *key); -%} - -%union { - int def; - char *string; -} - -%token NEW_COUNTER LABEL HASH CHAR NEWLINE NO_INDENT RIGHT -%type <string> stuff text - -%start doc - -%% - -doc: -| doc NEWLINE { - printf("\n"); - ++line; -} -| doc stuff NEWLINE { - if (strlen($2) > (PAPER_WIDTH-(indent ? strlen(INDENT_STRING):0))) { - yyerror("line too long"); - } - printf("%s%s\n", indent ? INDENT_STRING:"", $2); - free($2); - indent = 1; - ++line; -} -| doc stuff RIGHT stuff NEWLINE { - char fixed[PAPER_WIDTH+1]; - int len; - - len = PAPER_WIDTH-(strlen($2)+strlen($4)); - - if (len >= 0) { - memset(fixed, ' ', len); - fixed[len] = '\0'; - } else { - yyerror("line too wide"); - fixed[0] = '\0'; - } - printf("%s%s%s\n", $2, fixed, $4); - free($2); - free($4); - indent = 1; - ++line; -} -| doc stuff RIGHT stuff RIGHT stuff NEWLINE { - char fixed[PAPER_WIDTH+1]; - int len, l; - - len = PAPER_WIDTH-(strlen($2)+strlen($4)); - - if (len < 0) { - len = 0; - yyerror("line too wide"); - } - - l = len/2; - memset(fixed, ' ', l); - fixed[l] = '\0'; - printf("%s%s%s", $2, fixed, $4); - free($2); - free($4); - - l = (len+1)/2; - memset(fixed, ' ', l); - fixed[l] = '\0'; - printf("%s%s\n", fixed, $6); - free($6); - - indent = 1; - ++line; -} -| doc stuff RIGHT stuff RIGHT stuff NEWLINE { - char fixed[PAPER_WIDTH+1]; - int len, l; - - len = PAPER_WIDTH-(strlen($2)+strlen($4)); - - if (len < 0) { - len = 0; - yyerror("line too wide"); - } - - l = len/2; - memset(fixed, ' ', l); - fixed[l] = '\0'; - 
printf("%s%s%s", $2, fixed, $4); - free($2); - free($4); - - l = (len+1)/2; - memset(fixed, ' ', l); - fixed[l] = '\0'; - printf("%s%s\n", fixed, $6); - free($6); - - indent = 1; - ++line; -} -; - -stuff: { - $$ = strdup(""); -} -| stuff text { - $$ = malloc(strlen($1)+strlen($2)+1); - sprintf($$,"%s%s", $1, $2); - free($1); - free($2); -} -; - -text: CHAR { - $$ = strdup(yytext); -} -| text CHAR { - $$ = malloc(strlen($1)+2); - sprintf($$,"%s%s", $1, yytext); - free($1); -} -| NO_INDENT { - $$ = strdup(""); - indent = 0; -} -| HASH { - $$ = strdup("#"); -} -| LABEL { - if (($$ = get_label(yytext)) == NULL) { - set_label(yytext, last_label); - $$ = strdup(""); - } -} -| NEW_COUNTER { - $$ = new_counter(yytext); -} -; - -%% - -typedef struct node_s { - struct node_s *left, *right; - const char *key; - char *value; -} *node_t; - -node_t label_root = NULL; -node_t counter_root = NULL; - -static const char *find_key(node_t root, const char *key) -{ - while (root) { - int cmp = strcmp(key, root->key); - - if (cmp > 0) { - root = root->right; - } else if (cmp) { - root = root->left; - } else { - return root->value; - } - } - return NULL; -} - -static node_t set_key(node_t root, const char *key, const char *value) -{ - if (root) { - int cmp = strcmp(key, root->key); - if (cmp > 0) { - root->right = set_key(root->right, key, value); - } else if (cmp) { - root->left = set_key(root->left, key, value); - } else { - free(root->value); - root->value = strdup(value); - } - } else { - root = malloc(sizeof(struct node_s)); - root->right = root->left = NULL; - root->key = strdup(key); - root->value = strdup(value); - } - return root; -} - -void yyerror(const char *x) -{ - fprintf(stderr, "line %d: %s\n", line, x); -} - -char *get_label(const char *label) -{ - const char *found = find_key(label_root, label); - - if (found) { - return strdup(found); - } - return NULL; -} - -void set_label(const char *label, const char *target) -{ - if (target == NULL) { - yyerror("no hanging value 
for label"); - target = "<??" ">"; /* avoid trigraph warning */ - } - label_root = set_key(label_root, label, target); -} - -char *new_counter(const char *key) -{ - int i=0, j, ndollars = 0; - const char *old; - char *new; - - if (key[i++] != '#') { - yyerror("bad index"); - return strdup("<???" ">"); /* avoid trigraph warning */ - } - - while (key[i] == '$') { - ++ndollars; - ++i; - } - - key += i; - old = find_key(counter_root, key); - new = malloc(20*ndollars); - - if (old) { - for (j=0; ndollars > 1 && old[j]; ) { - if (old[j++] == '.' && --ndollars <= 0) { - break; - } - } - if (j) { - strncpy(new, old, j); - } - if (old[j]) { - i = atoi(old+j); - } else { - new[j++] = '.'; - i = 0; - } - } else { - j=0; - while (--ndollars > 0) { - new[j++] = '0'; - new[j++] = '.'; - } - i = 0; - } - new[j] = '\0'; - sprintf(new+j, "%d", ++i); - - counter_root = set_key(counter_root, key, new); - - if (last_label) { - free(last_label); - } - last_label = strdup(new); - - return new; -} - -int -main(void) -{ - return yyparse(); -} diff --git a/doc/specs/rfc86.0.txt b/doc/specs/rfc86.0.txt deleted file mode 100644 index 6dd5e6ea..00000000 --- a/doc/specs/rfc86.0.txt +++ /dev/null 
@@ -1,1851 +0,0 @@ - - - - - - - - - Open Software Foundation V. Samar (SunSoft) - Request For Comments: 86.0 R. Schemers (SunSoft) - October 1995 - - - - UNIFIED LOGIN WITH - PLUGGABLE AUTHENTICATION MODULES (PAM) - - - 1. INTRODUCTION - - Since low-level authentication mechanisms constantly evolve, it is - important to shield the high-level consumers of these mechanisms - (system-entry services and users) from such low-level changes. With - the Pluggable Authentication Module (PAM) framework, we can provide - pluggability for a variety of system-entry services -- not just - system authentication _per se_, but also for account, session and - password management. PAM's ability to _stack_ authentication modules - can be used to integrate `login' with different authentication - mechanisms such as RSA, DCE, and Kerberos, and thus unify login - mechanisms. The PAM framework can also provide easy integration of - smart cards into the system. - - Modular design and pluggability have become important for users who - want ease of use. In the PC hardware arena, no one wants to set the - interrupt vector numbers or resolve the addressing conflict between - various devices. In the software arena, people also want to be able - to replace components easily for easy customization, maintenance, and - upgrades. - - Authentication software deserves special attention because - authentication forms a very critical component of any secure computer - system. The authentication infrastructure and its components may - have to be modified or replaced either because some deficiencies have - been found in the current algorithms, or because sites want to - enforce a different security policy than what was provided by the - system vendor. The replacement and modification should be done in - such a way that the user is not affected by these changes. 
- - The solution has to address not just how the applications use the new - authentication mechanisms in a generic fashion, but also how the user - will be authenticated to these mechanisms in a generic way. The - former is addressed by GSS-API [Linn 93], while this RFC addresses - the later; these two efforts are complementary to each other. - - Since most system-entry services (for example, `login', `dtlogin', - `rlogin', `ftp', `rsh') may want to be independent of the specific - authentication mechanisms used by the machine, it is important that - there be a framework for _plugging_ in various mechanisms. This - requires that the system applications use a standard API to interact - - - - Samar, Schemers Page 1 - - - - - - - - OSF-RFC 86.0 PAM October 1995 - - - - with the authentication services. If these system-entry services - remain independent of the actual mechanism used on that machine, the - system administrator can install suitable authentication modules - without requiring changes to these applications. - - For any security system to be successful, it has to be easy to use. - In the case of authentication, the single most important ease-of-use - characteristic is that the user should not be required to learn about - various ways of authentication and remember multiple passwords. - Ideally, there should be one all-encompassing authentication system - where there is only one password, but for heterogeneous sites, - multiple authentication mechanisms have to co-exist. The problem of - integrating multiple authentication mechanisms such as Kerberos - [Steiner 88], RSA [Rivest 78], and Diffie-Hellman [Diffie 76, Taylor - 88], is also referred to as _integrated login_, or _unified login_ - problem. Even if the user has to use multiple authentication - mechanisms, the user should not be forced to type multiple passwords. - Furthermore, the user should be able to use the new network identity - without taking any further actions. 
The key here is in modular - integration of the network authentication technologies with `login' - and other system-entry services. - - In this RFC we discuss the architecture and design of pluggable - authentication modules. This design gives the capability to use - field-replaceable authentication modules along with unified login - capability. It thus provides for both _pluggability_ and _ease-of- - use_. - - The RFC is organized as follows. We first motivate the need for a - generic way to authenticate the user by various system-entry services - within the operating system. We describe the goals and constraints - of the design. This leads to the architecture, description of the - interfaces, and _stacking_ of modules to get unified login - functionality. We then describe our experience with the design, and - end with a description of future work. - - - 2. OVERVIEW OF IDENTIFICATION AND AUTHENTICATION MECHANISMS - - An identification and authentication ("I&A") mechanism is used to - establish a user's identity the system (i.e., to a local machine's - operating system) and to other principals on the network. On a - typical UNIX system, there are various ports of entry into the - system, such as `login', `dtlogin', `rlogin', `ftp', `rsh', `su', and - `telnet'. In all cases, the user has to be identified and - authenticated before granting appropriate access rights to the user. - The user identification and authentication for all these entry points - needs to be coordinated to ensure a secure system. - - In most of the current UNIX systems, the login mechanism is based - upon verification of the password using the modified DES algorithm. - - - - Samar, Schemers Page 2 - - - - - - - - OSF-RFC 86.0 PAM October 1995 - - - - The security of the implementation assumes that the password cannot - be guessed, and that the password does not go over the wire in the - clear. These assumptions, however, are not universally valid. 
- Various programs are now available freely on the Internet that can - run dictionary attack against the encrypted password. Further, some - of the network services (for example, `rlogin', `ftp', `telnet') send - the password over in clear, and there are "sniffer" programs freely - available to steal these passwords. The classical assumptions may be - acceptable on a trusted network, but in an open environment there is - a need to use more restrictive and stronger authentication - mechanisms. Examples of such mechanisms include Kerberos, RSA, - Diffie-Hellman, one-time password [Skey 94], and challenge-response - based smart card authentication systems. Since this list will - continue to evolve, it is important that the system-entry services do - not have hard-coded dependencies on any of these authentication - mechanisms. - - - 3. DESIGN GOALS - - The goals of the PAM framework are as follows: - - (a) The system administrator should be able to choose the default - authentication mechanism for the machine. This can range from - a simple password-based mechanism to a biometric or a smart - card based system. - - (b) It should be possible to configure the user authentication - mechanism on a per application basis. For example, a site may - require S/Key password authentication for `telnet' access, - while allowing machine `login' sessions with just UNIX password - authentication. - - (c) The framework should support the display requirements of the - applications. For example, for a graphical login session such - as `dtlogin', the user name and the password may have to be - entered in a new window. For networking system-entry - applications such as `ftp' and `telnet', the user name and - password has to be transmitted over the network to the client - machine. - - (d) It should be possible to configure multiple authentication - protocols for each of those applications. 
For example, one may - want the users to get authenticated by both Kerberos and RSA - authentication systems. - - (e) The system administrator should be able to _stack_ multiple - user authentication mechanisms such that the user is - authenticated with all authentication protocols without - retyping the password. - - - - - Samar, Schemers Page 3 - - - - - - - - OSF-RFC 86.0 PAM October 1995 - - - - (f) The architecture should allow for multiple passwords if - necessary to achieve higher security for users with specific - security requirements. - - (g) The system-entry services should not be required to change when - the underlying mechanism changes. This can be very useful for - third-party developers because they often do not have the - source code for these services. - - (h) The architecture should provide for a _pluggable_ model for - system authentication, as well as for other related tasks such - as password, account, and session management. - - (i) For backward-compatibility reasons, the PAM API should support - the authentication requirements of the current system-entry - services. - - There are certain issues that the PAM framework does not specifically - address: - - (a) We focus only on providing a generic scheme through which users - use passwords to establish their identities to the machine. - Once the identity is established, how the identity is - communicated to other interested parties is outside the scope - of this design. There are efforts underway at IETF [Linn 93] - to develop a Generic Security Services Application Interface - (GSSAPI) that can be used by applications for secure and - authenticated communication without knowing the underlying - mechanism. - - (b) The _single-signon_ problem of securely transferring the - identity of the caller to a remote site is not addressed. For - example, the problem of delegating credentials from the - `rlogin' client to the other machine without typing the - password is not addressed by our work. 
We also do not address - the problem of sending the passwords over the network in the - clear. - - (c) We do not address the source of information obtained from the - "`getXbyY()'" family of calls (e.g., `getpwnam()'). Different - operating systems address this problem differently. For - example, Solaris uses the name service switch (NSS) to - determine the source of information for the "`getXbyY()'" - calls. It is expected that data which is stored in multiple - sources (such as passwd entries in NIS+ and the DCE registry) - is kept in sync using the appropriate commands (such as - `passwd_export'). - - - - - - - - Samar, Schemers Page 4 - - - - - - - - OSF-RFC 86.0 PAM October 1995 - - - - 4. OVERVIEW OF THE PAM FRAMEWORK - - We propose that the goals listed above can be met through a framework - in which authentication modules can be _plugged_ independently of the - application. We call this the _Pluggable Authentication Modules_ - (PAM) framework. - - The core components of the PAM framework are the authentication - library API (the front end) and the authentication mechanism-specific - modules (the back end), connected through the Service Provider - Interface (SPI). Applications write to the PAM API, while the - authentication-system providers write to the PAM SPI and supply the - back end modules that are independent of the application. - - ftp telnet login (Applications) - | | | - | | | - +--------+--------+ - | - +-----+-----+ - | PAM API | <-- pam.conf file - +-----+-----+ - | - +--------+--------+ - UNIX Kerberos Smart Cards (Mechanisms) - - Figure 1: The Basic PAM Architecture - - Figure 1 illustrates the relationship between the application, the - PAM library, and the authentication modules. Three applications - (`login', `telnet' and `ftp') are shown which use the PAM - authentication interfaces. When an application makes a call to the - PAM API, it loads the appropriate authentication module as determined - by the configuration file, `pam.conf'. 
The request is forwarded to - the underlying authentication module (for example, UNIX password, - Kerberos, smart cards) to perform the specified operation. The PAM - layer then returns the response from the authentication module to the - application. - - PAM unifies system authentication and access control for the system, - and allows plugging of associated authentication modules through well - defined interfaces. The plugging can be defined through various - means, one of which uses a configuration file, such as the one in - Table 1. For each of the system applications, the file specifies the - authentication module that should be loaded. In the example below, - `login' uses the UNIX password module, while `ftp' and `telnet' use - the S/Key module. - - - - - - - - Samar, Schemers Page 5 - - - - - - - - OSF-RFC 86.0 PAM October 1995 - - - - Table 1: A Simplified View of a Sample PAM Configuration File. - - service module_path - ------- ----------- - login pam_unix.so - ftp pam_skey.so - telnet pam_skey.so - - Authentication configuration is only one aspect of this interface. - Other critical components include account management, session - management, and password management. For example, the `login' - program may want to verify not only the password but also whether the - account has aged or expired. Generic interfaces also need to be - provided so that the password can be changed according to the - requirements of the module. Furthermore, the application may want to - log information about the current session as determined by the - module. - - Not all applications or services may need all of the above - components, and not each authentication module may need to provide - support for all of the interfaces. For example, while `login' may - need access to all four components, `su' may need access to just the - authentication component. 
Some applications may use some specific - authentication and password management modules but share the account - and session management modules with others. - - This reasoning leads to a partitioning of the entire set of - interfaces into four areas of functionality: (1) authentication, (2) - account, (3) session, and (4) password. The concept of PAM was - extended to these functional areas by implementing each of them as a - separate pluggable module. - - Breaking the functionality into four modules helps the module - providers because they can use the system-provided libraries for the - modules that they are not changing. For example, if a supplier wants - to provide a better version of Kerberos, they can just provide that - new authentication and password module, and reuse the existing ones - for account and session. - - 4.1. Module Description - - More details on specific API's are described in Appendix A. A brief - description of four modules follows: - - (a) Authentication management: This set includes the - `pam_authenticate()' function to authenticate the user, and the - `pam_setcred()' interface to set, refresh or destroy the user - credentials. - - (b) Account management: This set includes the `pam_acct_mgmt()' - function to check whether the authenticated user should be - - - - Samar, Schemers Page 6 - - - - - - - - OSF-RFC 86.0 PAM October 1995 - - - - given access to his/her account. This function can implement - account expiration and access hour restrictions. - - (c) Session management: This set includes the `pam_open_session()' - and `pam_close_session()' functions for session management and - accounting. For example, the system may want to store the - total time for the session. - - (d) Password management: This set includes a function, - `pam_chauthtok()', to change the password. - - - 5. 
FRAMEWORK INTERFACES - - The PAM framework further provides a set of administrative interfaces - to support the above modules and to provide for application-module - communication. There is no corresponding service provider interface - (SPI) for such functions. - - 5.1. Administrative Interfaces - - Each set of PAM transactions starts with `pam_start()' and ends with - the `pam_end()' function. The interfaces `pam_get_item()' and - `pam_set_item()' are used to read and write the state information - associated with the PAM transaction. - - If there is any error with any of the PAM interfaces, the error - message can be printed with `pam_strerror()'. - - 5.2. Application-Module Communication - - During application initialization, certain data such as the user name - is saved in the PAM framework layer through `pam_start()' so that it - can be used by the underlying modules. The application can also pass - opaque data to the module which the modules will pass back while - communicating with the user. - - 5.3. User-Module Communication - - The `pam_start()' function also passes conversation function that has - to be used by the underlying modules to read and write module - specific authentication information. For example, these functions - can be used to prompt the user for the password in a way determined - by the application. PAM can thus be used by graphical, non- - graphical, or networked applications. - - - - - - - - - - Samar, Schemers Page 7 - - - - - - - - OSF-RFC 86.0 PAM October 1995 - - - - 5.4. Inter-Module Communication - - Though the modules are independent, they can share certain common - information about the authentication session such as user name, - service name, password, and conversation function through the - `pam_get_item()' and `pam_set_item()' interfaces. These API's can - also be used by the application to change the state information after - having called `pam_start()' once. - - 5.5. 
Module State Information - - The PAM service modules may want to keep certain module-specific - state information about the session. The interfaces `pam_get_data()' - and `pam_set_data()' can be used by the service modules to access and - update module-specific information as needed from the PAM handle. - The modules can also attach a cleanup function with the data. The - cleanup function is executed when `pam_end()' is called to indicate - the end of the current authentication activity. - - Since the PAM modules are loaded upon demand, there is no direct - module initialization support in the PAM framework. If there are - certain initialization tasks that the PAM service modules have to do, - they should be done upon the first invocation. However, if there are - certain clean-up tasks to be done when the authentication session - ends, the modules should use `pam_set_data()' to specify the clean-up - functions, which would be called when `pam_end()' is called by the - application. - - - 6. MODULE CONFIGURATION MANAGEMENT - - Table 2 shows an example of a configuration file `pam.conf' with - support for authentication, session, account, and password management - modules. `login' has three entries: one each for authentication - processing, session management and account management. Each entry - specifies the module name that should be loaded for the given module - type. In this example, the `ftp' service uses the authentication and - session modules. Note that all services here share the same session - management module, while having different authentication modules. 
- - - - - - - - - - - - - - - - Samar, Schemers Page 8 - - - - - - - - OSF-RFC 86.0 PAM October 1995 - - - - Table 2: Configuration File (pam.conf) with Different Modules - and Control Flow - - service module_type control_flag module_path options - ------- ----------- ------------ ----------- ------- - login auth required pam_unix_auth.so nowarn - login session required pam_unix_session.so - login account required pam_unix_account.so - ftp auth required pam_skey_auth.so debug - ftp session required pam_unix_session.so - telnet session required pam_unix_session.so - login password required pam_unix_passwd.so - passwd password required pam_unix_passwd.so - OTHER auth required pam_unix_auth.so - OTHER session required pam_unix_session.so - OTHER account required pam_unix_account.so - - The first field, _service_, denotes the service (for example, - `login', `passwd', `rlogin'). The name `OTHER' indicates the module - used by all other applications that have not been specified in this - file. This name can also be used if all services have the same - requirements. In the example, since all the services use the same - session module, we could have replaced those lines with a single - `OTHER' line. - - The second field, _module_type_, indicates the type of the PAM - functional module. It can be one of `auth', `account', `session', or - `password' modules. - - The third field, _control_flag_ determines the behavior of stacking - multiple modules by specifying whether any particular module is - _required_, _sufficient_, or _optional_. The next section describes - stacking in more detail. - - The fourth field, _module_path_, specifies the location of the - module. The PAM framework loads this module upon demand to invoke - the required function. - - The fifth field, _options_, is used by the PAM framework layer to - pass module specific options to the modules. It is up to the module - to parse and interpret the options. 
This field can be used by the - modules to turn on debugging or to pass any module specific - parameters such as a timeout value. It is also used to support - unified login as described below. The options field can be used by - the system administrator to fine-tune the PAM modules. - - If any of the fields are invalid, or if a module is not found, that - line is ignored and the error is logged as a critical error via - `syslog(3)'. If no entries are found for the given module type, then - the PAM framework returns an error to the application. - - - - - Samar, Schemers Page 9 - - - - - - - - OSF-RFC 86.0 PAM October 1995 - - - - 7. INTEGRATING MULTIPLE AUTHENTICATION SERVICES WITH STACKING - - In the world of heterogeneous systems, the system administrator often - has to deal with the problem of integrating multiple authentication - mechanisms. The user is often required to know about the - authentication command of the new authentication module (for example, - `kinit', `dce_login') after logging into the system. This is not - user-friendly because it forces people to remember to type the new - command and enter the new password. This functionality should be - invisible instead of burdening the user with it. - - There are two problems to be addressed here: - - (a) Supporting multiple authentication mechanisms. - - (b) Providing unified login in the presence of multiple mechanisms. - - In the previous section, we described how one could replace the - default authentication module with any other module of choice. Now - we demonstrate how the same model can be extended to provide support - for multiple modules. - - 7.1. Design for Stacked Modules - - One possibility was to provide hard-coded rules in `login' or other - applications requiring authentication services [Adamson 95]. But - this becomes very specific to the particular combination of - authentication protocols, and also requires the source code of the - application. 
Digital's Security Integration Architecture [SIA 95] - addresses this problem by specifying the same list of authentication - modules for all applications. Since requirements for various - applications can vary, it is essential that the configuration be on a - per-application basis. - - To support multiple authentication mechanisms, the PAM framework was - extended to support _stacking_. When any API is called, the back - ends for the stacked modules are invoked in the order listed, and the - result returned to the caller. In Figure 2, the authentication - service of `login' is stacked and the user is authenticated by UNIX, - Kerberos, and RSA authentication mechanisms. Note that in this - example, there is no stacking for session or account management - modules. - - - - - - - - - - - - - Samar, Schemers Page 10 - - - - - - - - OSF-RFC 86.0 PAM October 1995 - - - - login - | - +--------+--------+ - | | | - session auth account - | | | - +--+--+ +--+--+ +--+--+ - | PAM | | PAM | | PAM | - +--+--+ +--+--+ +--+--+ - | | | - UNIX UNIX UNIX - session auth account - | - Kerberos - auth - | - RSA - auth - - Figure 2: Stacking With the PAM Architecture - - Stacking is specified through additional entries in the configuration - file shown earlier. As shown in Table 2, for each application (such - as `login') the configuration file can specify multiple mechanisms - that have to be invoked in the specified order. When mechanisms - fail, the _control_flag_ decides which error should be returned to - the application. Since the user should not know which authentication - module failed when a bad password was typed, the PAM framework - continues to call other authentication modules on the stack even on - failure. The semantics of the control flag are as follows: - - (a) `required': With this flag, the module failure results in the - PAM framework returning the error to the caller _after_ - executing all other modules on the stack. 
For the function to - be able to return success to the application all `required' - modules have to report success. This flag is normally set when - authentication by this module is a _must_. - - (b) `optional': With this flag, the PAM framework ignores the - module failure and continues with the processing of the next - module in sequence. This flag is used when the user is allowed - to login even if that particular module has failed. - - (c) `sufficient': With this flag, if the module succeeds the PAM - framework returns success to the application immediately - without trying any other modules. For failure cases, the - _sufficient_ modules are treated as `optional'. - - Table 3 shows a sample configuration file that stacks the `login' - command. Here the user is authenticated by UNIX, Kerberos, and RSA - authentication services. The `required' key word for _control_flag_ - - - - Samar, Schemers Page 11 - - - - - - - - OSF-RFC 86.0 PAM October 1995 - - - - enforces that the user is allowed to login only if he/she is - authenticated by _both_ UNIX and Kerberos services. RSA - authentication is optional by virtue of the `optional' key word in - the _control_flag_ field. The user can still log in even if RSA - authentication fails. - - Table 3: PAM Configuration File with Support for Stacking - - service module_type control_flag module_path options - ------- ----------- ------------ ----------- ------- - login auth required pam_unix.so debug - login auth required pam_kerb.so use_mapped_pass - login auth optional pam_rsa.so use_first_pass - - Table 4 illustrates the use of the sufficient flag for the `rlogin' - service. The Berkeley `rlogin' protocol specifies that if the remote - host is trusted (as specified in the `/etc/hosts.equiv' file or in - the `.rhosts' file in the home directory of the user), then the - `rlogin' daemon should not require the user to type the password. If - this is not the case, then the user is required to type the password. 
- Instead of hard coding this policy in the `rlogin' daemon, this can - be expressed with the `pam.conf' file in Table 4. The PAM module - `pam_rhosts_auth.so.1' implements the `.rhosts' policy described - above. If a site administrator wants to enable remote login with - only passwords, then the first line should be deleted. - - Table 4: PAM Configuration File for the rlogin service - - service module_type control_flag module_path options - ------- ----------- ------------ ----------- ------- - rlogin auth sufficient pam_rhosts_auth.so - rlogin auth required pam_unix.so - - 7.2. Password-Mapping - - Multiple authentication mechanisms on a machine can lead to multiple - passwords that users have to remember. One attractive solution from - the ease-of-use viewpoint is to use the same password for all - mechanisms. This, however, can also weaken the security because if - that password were to be compromised in any of the multiple - mechanisms, all mechanisms would be compromised at the same time. - Furthermore, different authentication mechanisms may have their own - distinctive password requirements in regards to its length, allowed - characters, time interval between updates, aging, locking, and so - forth. These requirements make it problematic to use the same - password for multiple authentication mechanisms. - - The solution we propose, while not precluding use of the same - password for every mechanism, allows for a different password for - each mechanism through what we call _password-mapping_. This - basically means using the user's _primary_ password to encrypt the - - - - Samar, Schemers Page 12 - - - - - - - - OSF-RFC 86.0 PAM October 1995 - - - - user's other (_secondary_) passwords, and storing these encrypted - passwords in a place where they are available to the user. 
Once the - primary password is verified, the authentication modules would obtain - the other passwords for their own mechanisms by decrypting the - mechanism-specific encrypted password with the primary password, and - passing it to the authentication service. The security of this - design for password-mapping assumes that the primary password is the - user's strongest password, in terms of its unguessability (length, - type and mix of characters used, etc.). - - If there is any error in password-mapping, or if the mapping does not - exist, the user will be prompted for the password by each - authentication module. - - To support password-mapping, the PAM framework saves the primary - password and provides it to stacked authentication modules. The - password is cleared out before the `pam_authenticate' function - returns. - - How the password is encrypted depends completely on the module - implementation. The encrypted secondary password (also called a - "mapped password") can be stored in a trusted or untrusted place, - such as a smart card, a local file, or a directory service. If the - encrypted passwords are stored in an untrusted publicly accessible - place, this does provide an intruder with opportunities for potential - dictionary attack. - - Though password-mapping is voluntary, it is recommended that all - module providers add support for the following four mapping options: - - (a) `use_first_pass': Use the same password used by the first - mechanism that asked for a password. The module should not ask - for the password if the user cannot be authenticated by the - first password. This option is normally used when the system - administrator wants to enforce the same password across - multiple modules. - - (b) `try_first_pass': This is the same as `use_first_pass', except - that if the primary password is not valid, it should prompt the - user for the password. 
- - (c) `use_mapped_pass': Use the password-mapping scheme to get the - actual password for this module. One possible implementation - is to get the mapped-password using the XFN API [XFN 94], and - decrypt it with the primary password to get the module-specific - password. The module should not ask for the password if the - user cannot be authenticated by the first password. The XFN - API allows user-defined attributes (such as _mapped-password_) - to be stored in the _user-context_. Using the XFN API is - particularly attractive because support for the XFN may be - found on many systems in the future. - - - - Samar, Schemers Page 13 - - - - - - - - OSF-RFC 86.0 PAM October 1995 - - - - (d) `try_mapped_pass': This is the same as `use_mapped_pass', - except that if the primary password is not valid, it should - prompt the user for the password. - - When passwords get updated, the PAM framework stores both the old as - well as the new password to be able to inform other dependent - authentication modules about the change. Other modules can use this - information to update the encrypted password without forcing the user - to type the sequence of passwords again. The PAM framework clears - out the passwords before returning to the application. - - Table 3 illustrates how the same password can be used by `login' for - authenticating to the standard UNIX login, Kerberos and RSA services. - Once the user has been authenticated to the primary authentication - service (UNIX `login' in this example) with the primary password, the - option `use_mapped_pass' indicates to the Kerberos module that it - should use the primary password to decrypt the stored Kerberos - password and then use the Kerberos password to get the ticket for the - ticket-granting-service. After that succeeds, the option - `use_first_pass' indicates to the RSA module that instead of - prompting the user for a password, it should use the primary password - typed earlier for authenticating the user. 
Note that in this - scenario, the user has to enter the password just once. - - Note that if a one-time password scheme (e.g., S/Key) is used, - password mapping cannot apply. - - 7.3. Implications of Stacking on the PAM Design - - Because of the stacking capability of PAM, we have designed the PAM - API's to not return any data to the application, except status. If - this were not the case, it would be difficult for the PAM framework - to decide which module should return data to the application. When - there is any error, the application does not know which of the - modules failed. This behavior enables (even requires) the - application to be completely independent from the modules. - - Another design decision we have made is that PAM gives only the user - name to all the underlying PAM modules, hence it is the - responsibility of the PAM modules to convert the name to their own - internal format. For example, the Kerberos module may have to - convert the UNIX user name to a Kerberos principal name. - - Stacking also forces the modules to be designed such that they can - occur anywhere in the stack without any side-effects. - - Since modules such as the authentication and the password module are - very closely related, it is important they be configured in the same - order and with compatible options. - - - - - - Samar, Schemers Page 14 - - - - - - - - OSF-RFC 86.0 PAM October 1995 - - - - 8. INTEGRATION WITH SMART CARDS - - Many networking authentication protocols require possession of a long - key to establish the user identity. For ease-of-use reasons, that - long key is normally encrypted with the user's password so that the - user is not required to memorize it. However, weak passwords can be - compromised through a dictionary attack and thus undermine the - stronger network authentication mechanism. 
Furthermore, the - encrypted data is normally stored in a centrally accessible service - whose availability depends upon the reliability of the associated - service. Solutions have been proposed to use a pass-phrase or one- - time-password, but those are much longer than the regular eight - character passwords traditionally used with UNIX `login'. This makes - the solution user-unfriendly because it requires longer strings to be - remembered and typed. - - For most authentication protocol implementations, the trust boundary - is the local machine. This assumption may not be valid in cases - where the user is mobile and has to use publicly available networked - computers. In such cases, it is required that the clear text of the - key or the password never be made available to the machine. - - Smart cards solve the above problems by reducing password exposure by - supporting a _two factor_ authentication mechanism: the first with - the possession of the card, and the second with the knowledge of the - PIN associated with the card. Not only can the smart cards be a - secure repository of multiple passwords, they can also provide the - encryption and authentication functions such that the long (private) - key is never exposed outside the card. - - The PAM framework allows for integrating smart cards to the system by - providing a smart card specific module for authentication. - Furthermore, the unified login problem is simplified because the - multiple passwords for various authentication mechanisms can be - stored on the smart card itself. This can be enabled by adding a - suitable key-word such as `use_smart_card' in the _options_ field. - - - 9. SECURITY ISSUES - - It is important to understand the impact of PAM on the security of - any system so that the site-administrator can make an informed - decision. - - (a) Sharing of passwords with multiple authentication mechanisms. 
- - If there are multiple authentication modules, one possibility - is to use the same password for all of them. If the password - for any of the multiple authentication system is compromised, - the user's password in all systems would be compromised. If - this is a concern, then multiple passwords might be considered - - - - Samar, Schemers Page 15 - - - - - - - - OSF-RFC 86.0 PAM October 1995 - - - - at the cost of ease-of-use. - - (b) Password-mapping. - - This technique of encrypting all other passwords with the - primary password assumes that it is lot more difficult to crack - the primary password and that reasonable steps have been taken - to ensure limited availability of the encrypted primary - password. If this is not done, an intruder could target the - primary password as the first point of dictionary attack. If - one of the other modules provide stronger security than the - password based security, the site would be negating the strong - security by using password-mapping. If this is a concern, then - multiple passwords might be considered at the cost of ease-of- - use. If smart cards are used, they obviate the need for - password-mapping completely. - - (c) Security of the configuration file. - - Since the policy file dictates how the user is authenticated, - this file should be protected from unauthorized modifications. - - (d) Stacking various PAM modules. - - The system administrator should fully understand the - implications of stacking various modules that will be installed - on the system and their respective orders and interactions. - The composition of various authentication modules should be - carefully examined. The trusted computing base of the machine - now includes the PAM modules. - - - 10. EXPERIENCE WITH PAM - - The PAM framework was first added in Solaris 2.3 release as a private - internal interface. 
PAM is currently being used by several system - entry applications such as `login', `passwd', `su', `dtlogin', - `rlogind', `rshd', `telnetd', `ftpd', `in.rexecd', `uucpd', `init', - `sac', and `ttymon'. We have found that PAM provides an excellent - framework to encapsulate the authentication-related tasks for the - entire system. The Solaris 2.3 PAM API's were hence enhanced and - simplified to support stacking. - - PAM modules have been developed for UNIX, DCE, Kerberos, S/Key, - remote user authentication, and dialpass authentication. Other PAM - modules are under development, and integration with smart cards is - being planned. - - Some third parties have used the PAM interface to extend the security - mechanisms offered by the Solaris environment. - - - - - Samar, Schemers Page 16 - - - - - - - - OSF-RFC 86.0 PAM October 1995 - - - - The PAM API has been accepted by Common Desktop Environment (CDE) - vendors as the API to be used for integrating the graphical interface - for login, `dtlogin' with multiple authentication mechanisms. - - - 11. FUTURE WORK - - Amongst the various components of PAM, the password component needs - to be carefully examined to see whether the stacking semantics are - particularly applicable, and how PAM should deal with partial - failures when changing passwords. - - The _control_flag_ of the configuration file can be extended to - include other semantics. For example, if the error is "name service - not available", one may want to retry. It is also possible to offer - semantics of "return success if any of the modules return success". - - In an earlier section, we had mentioned integration of smart cards - with PAM. Though we feel that integration should be straight forward - from the PAM architecture point of view, there may be some issues - with implementation because the interfaces to the smart cards have - not yet been standardized. 
- - One possible extension to PAM is to allow the passing of module- - specific data between applications and PAM modules. For example, the - `login' program likes to build its new environment from a select list - of variables, yet the DCE module needs the `KRB5CCNAME' variable to - be exported to the child process. For now we have modified the - `login' program to explicitly export the `KRB5CCNAME' variable. - - Administrative tools are needed to help system administrators modify - `pam.conf', and perform sanity checks on it (i.e., a `pam_check' - utility). - - - 12. CONCLUSION - - The PAM framework and the module interfaces provide pluggability for - user authentication, as well as for account, session and password - management. The PAM architecture can be used by `login' and by all - other system-entry services, and thus ensure that all entry points - for the system have been secured. This architecture enables - replacement and modification of authentication modules in the field - to secure the system against the newly found weaknesses without - changing any of the system services. - - The PAM framework can be used to integrate `login' and `dtlogin' with - different authentication mechanisms such as RSA and Kerberos. - Multiple authentication systems can be accessed with the same - password. The PAM framework also provides easy integration of smart - cards into the system. - - - - Samar, Schemers Page 17 - - - - - - - - OSF-RFC 86.0 PAM October 1995 - - - - PAM provides complementary functionality to GSS-API, in that it - provides mechanisms through which the user gets authenticated to any - new system-level authentication service on the machine. GSS-API then - uses the credentials for authenticated and secure communications with - other application-level service entities on the network. - - - 13. ACKNOWLEDGEMENTS - - PAM development has spanned several release cycles at SunSoft. 
- Shau-Ping Lo, Chuck Hickey, and Alex Choy did the first design and - implementation. Bill Shannon and Don Stephenson helped with the PAM - architecture. Rocky Wu prototyped stacking of multiple modules. - Paul Fronberg, Charlie Lai, and Roland Schemers made very significant - enhancements to the PAM interfaces and took the project to completion - within a very short time. Kathy Slattery wrote the PAM - documentation. John Perry integrated PAM within the CDE framework. - - - APPENDIX A. PAM API'S - - This appendix gives an informal description of the various interfaces - of PAM. Since the goal here is just for the reader to get a working - knowledge about the PAM interfaces, not all flags and options have - been fully defined and explained. The API's described here are - subject to change. - - The PAM Service Provider Interface is very similar to the PAM API, - except for one extra parameter to pass module-specific options to the - underlying modules. - - A.1. Framework Layer API's - - int - pam_start( - char *service_name, - char *user, - struct pam_conv *pam_conversation, - pam_handle_t **pamh - ); - - `pam_start()' is called to initiate an authentication transaction. - `pam_start()' takes as arguments the name of the service, the name of - the user to be authenticated, the address of the conversation - structure. `pamh' is later used as a handle for subsequent calls to - the PAM library. - - The PAM modules do not communicate directly with the user; instead - they rely on the application to perform all such interaction. The - application needs to provide the conversation functions, `conv()', - and associated application data pointers through a `pam_conv' - - - - Samar, Schemers Page 18 - - - - - - - - OSF-RFC 86.0 PAM October 1995 - - - - structure when it initiates an authentication transaction. The - module uses the `conv()' function to prompt the user for data, - display error messages, or text information. 
- - int - pam_end( - pam_handle_t *pamh, - int pam_status - ); - - `pam_end()' is called to terminate the PAM transaction as specified - by `pamh', and to free any storage area allocated by the PAM modules - with `pam_set_item()'. - - int - pam_set_item( - pam_handle_t *pamh, - int item_type, - void *item - ); - - int - pam_get_item( - pam_handle_t *pamh, - int item_type, - void **item); - - `pam_get_item()' and `pam_set_item()' allow the parameters specified - in the initial call to `pam_start()' to be read and updated. This is - useful when a particular parameter is not available when - `pam_start()' is called or must be modified after the initial call to - `pam_start()'. `pam_set_item()' is passed a pointer to the object, - `item', and its type, `item_type'. `pam_get_item()' is passed the - address of the pointer, `item', which is assigned the address of the - requested object. - - The `item_type' is one of the following: - - Table 5: Possible Values for Item_type - - Item Name Description - --------- ----------- - PAM_SERVICE The service name - PAM_USER The user name - PAM_TTY The tty name - PAM_RHOST The remote host name - PAM_CONV The pam_conv structure - PAM_AUTHTOK The authentication token (password) - PAM_OLDAUTHTOK The old authentication token - PAM_RUSER The remote user name - - - - - Samar, Schemers Page 19 - - - - - - - - OSF-RFC 86.0 PAM October 1995 - - - - Note that the values of `PAM_AUTHTOK' and `PAM_OLDAUTHTOK' are only - available to PAM modules and not to the applications. They are - explicitly cleared out by the framework before returning to the - application. - - char * - pam_strerror( - int errnum - ); - - `pam_strerror()' maps the error number to a PAM error message string, - and returns a pointer to that string. 
- - int - pam_set_data( - pam_handle_t *pamh, - char *module_data_name, - char *data, - (*cleanup)(pam_handle_t *pamh, char *data, - int error_status) - ); - - The `pam_set_data()' function stores module specific data within the - PAM handle. The `module_data_name' uniquely specifies the name to - which some data and cleanup callback function can be attached. The - cleanup function is called when `pam_end()' is invoked. - - int - pam_get_data( - pam_handle_t *pamh, - char *module_data_name, - void **datap - ); - - The `pam_get_data()' function obtains module-specific data from the - PAM handle stored previously by the `pam_get_data()' function. The - `module_data_name' uniquely specifies the name for which data has to - be obtained. This function is normally used to retrieve module - specific state information. - - A.2. Authentication API's - - int - pam_authenticate( - pam_handle_t *pamh, - int flags - ); - - The `pam_authenticate()' function is called to verify the identity of - the current user. The user is usually required to enter a password - or similar authentication token, depending upon the authentication - - - - Samar, Schemers Page 20 - - - - - - - - OSF-RFC 86.0 PAM October 1995 - - - - module configured with the system. The user in question is specified - by a prior call to `pam_start()', and is referenced by the - authentication handle, `pamh'. - - int - pam_setcred( - pam_handle_t *pamh, - int flags - ); - - The `pam_setcred()' function is called to set the credentials of the - current process associated with the authentication handle, `pamh'. - The actions that can be denoted through `flags' include credential - initialization, refresh, reinitialization and deletion. - - A.3. Account Management API - - int - pam_acct_mgmt( - pam_handle_t *pamh, - int flags - ); - - The function `pam_acct_mgmt()' is called to determine whether the - current user's account and password are valid. 
This typically - includes checking for password and account expiration, valid login - times, etc. The user in question is specified by a prior call to - `pam_start()', and is referenced by the authentication handle, - `pamh'. - - A.4. Session Management API's - - int - pam_open_session( - pam_handle_t *pamh, - int flags - ); - - `pam_open_session()' is called to inform the session modules that a - new session has been initialized. All programs which use PAM should - invoke `pam_open_session()' when beginning a new session. - - int - pam_close_session( - pam_handle_t *pamh, - int flags - ); - - Upon termination of this session, the `pam_close_session()' function - should be invoked to inform the underlying modules that the session - has terminated. - - - - Samar, Schemers Page 21 - - - - - - - - OSF-RFC 86.0 PAM October 1995 - - - - A.5. Password Management API's - - int - pam_chauthtok( - pam_handle_t *pamh, - int flags - ); - - `pam_chauthtok()' is called to change the authentication token - associated with the user referenced by the authentication handle - `pamh'. After the call, the authentication token of the user will be - changed in accordance with the authentication module configured on - the system. - - - APPENDIX B. SAMPLE PAM APPLICATION - - This appendix shows a sample `login' application which uses the PAM - API's. It is not meant to be a fully functional login program, as - some functionality has been left out in order to emphasize the use of - PAM API's. 
- - #include <security/pam_appl.h> - - static int login_conv(int num_msg, struct pam_message **msg, - struct pam_response **response, void *appdata_ptr); - - static struct pam_conv pam_conv = {login_conv, NULL}; - - static pam_handle_t *pamh; /* Authentication handle */ - - void - main(int argc, char *argv[], char **renvp) - { - - /* - * Call pam_start to initiate a PAM authentication operation - */ - - if ((pam_start("login", user_name, &pam_conv, &pamh)) - != PAM_SUCCESS) - login_exit(1); - - pam_set_item(pamh, PAM_TTY, ttyn); - pam_set_item(pamh, PAM_RHOST, remote_host); - - while (!authenticated && retry < MAX_RETRIES) { - status = pam_authenticate(pamh, 0); - authenticated = (status == PAM_SUCCESS); - } - - - - - Samar, Schemers Page 22 - - - - - - - - OSF-RFC 86.0 PAM October 1995 - - - - if (status != PAM_SUCCESS) { - fprintf(stderr,"error: %s\n", pam_strerror(status)); - login_exit(1); - } - - /* now check if the authenticated user is allowed to login. */ - - if ((status = pam_acct_mgmt(pamh, 0)) != PAM_SUCCESS) { - if (status == PAM_AUTHTOK_EXPIRED) { - status = pam_chauthtok(pamh, 0); - if (status != PAM_SUCCESS) - login_exit(1); - } else { - login_exit(1); - } - } - - /* - * call pam_open_session to open the authenticated session - * pam_close_session gets called by the process that - * cleans up the utmp entry (i.e., init) - */ - if (status = pam_open_session(pamh, 0) != PAM_SUCCESS) { - login_exit(status); - } - - /* set up the process credentials */ - setgid(pwd->pw_gid); - - /* - * Initialize the supplementary group access list. 
- * This should be done before pam_setcred because - * the PAM modules might add groups during the pam_setcred call - */ - initgroups(user_name, pwd->pw_gid); - - status = pam_setcred(pamh, PAM_ESTABLISH_CRED); - if (status != PAM_SUCCESS) { - login_exit(status); - } - - /* set the real (and effective) UID */ - setuid(pwd->pw_uid); - - pam_end(pamh, PAM_SUCCESS); /* Done using PAM */ - - /* - * Add DCE/Kerberos cred name, if any. - * XXX - The module specific stuff should be removed from login - * program eventually. This is better placed in DCE module and - * will be once PAM has routines for "exporting" environment - - - - Samar, Schemers Page 23 - - - - - - - - OSF-RFC 86.0 PAM October 1995 - - - - * variables. - */ - krb5p = getenv("KRB5CCNAME"); - if (krb5p != NULL) { - ENVSTRNCAT(krb5ccname, krb5p); - envinit[basicenv++] = krb5ccname; - } - environ = envinit; /* Switch to the new environment. */ - exec_the_shell(); - - /* All done */ - } - - /* - * login_exit - Call exit() and terminate. - * This function is here for PAM so cleanup can - * be done before the process exits. - */ - static void - login_exit(int exit_code) - { - if (pamh) - pam_end(pamh, PAM_ABORT); - exit(exit_code); - /*NOTREACHED*/ - } - - /* - * login_conv(): - * This is the conv (conversation) function called from - * a PAM authentication module to print error messages - * or garner information from the user. 
- */ - - static int - login_conv(int num_msg, struct pam_message **msg, - struct pam_response **response, void *appdata_ptr) - { - - while (num_msg--) { - switch (m->msg_style) { - - case PAM_PROMPT_ECHO_OFF: - r->resp = strdup(getpass(m->msg)); - break; - - case PAM_PROMPT_ECHO_ON: - (void) fputs(m->msg, stdout); - r->resp = malloc(PAM_MAX_RESP_SIZE); - fgets(r->resp, PAM_MAX_RESP_SIZE, stdin); - /* add code here to remove \n from fputs */ - - - - Samar, Schemers Page 24 - - - - - - - - OSF-RFC 86.0 PAM October 1995 - - - - break; - - case PAM_ERROR_MSG: - (void) fputs(m->msg, stderr); - break; - - case PAM_TEXT_INFO: - (void) fputs(m->msg, stdout); - break; - - default: - /* add code here to log error message, etc */ - break; - } - } - return (PAM_SUCCESS); - } - - - APPENDIX C. DCE MODULE - - This appendix describes a sample implementation of a DCE PAM module. - In order to simplify the description, we do not address the issues - raised by password-mapping or stacking. The intent is to show which - DCE calls are being made by the DCE module. - - The `pam_sm_*()' functions implement the PAM SPI functions which are - called from the PAM API functions. - - C.1. DCE Authentication Management - - The algorithm for authenticating with DCE (not including error - checking, prompting for passwords, etc.) is as follows: - - pam_sm_authenticate() - { - sec_login_setup_identity(...); - pam_set_data(...); - sec_login_valid_and_cert_ident(...); - } - - pam_sm_setcred() - { - pam_get_data(...); - sec_login_set_context(...); - } - - The `pam_sm_authenticate()' function for DCE uses the - `pam_set_data()' and `pam_get_data()' functions to keep state (like - the `sec_login_handle_t' context) between calls. 
The following - cleanup function is also registered and gets called when `pam_end()' - - - - Samar, Schemers Page 25 - - - - - - - - OSF-RFC 86.0 PAM October 1995 - - - - is called: - - dce_cleanup() - { - if (/* PAM_SUCCESS and - sec_login_valid_and_cert_ident success */) { - sec_login_release_context(...); - } else { - sec_login_purge_context(...); - } - } - - If everything was successful we release the login context, but leave - the credentials file intact. If the status passed to `pam_end()' was - not `PAM_SUCCESS' (i.e., a required module failed) we purge the login - context which also removes the credentials file. - - C.2. DCE Account Management - - The algorithm for DCE account management is as follows: - - pam_sm_acct_mgmt() - { - pam_get_data(...); - sec_login_inquire_net_info(...); - /* check for expired password and account */ - sec_login_free_net_info(...); - } - - The `sec_login_inquire_net_info()' function is called to obtain - information about when the user's account and/or password are going - to expire. A warning message is displayed (using the conversation - function) if the user's account or password is going to expire in the - near future, or has expired. These warning messages can be disabled - using the `nowarn' option in the `pam.conf' file. - - C.3. DCE Session Management - - The DCE session management functions are currently empty. They could - be modified to optionally remove the DCE credentials file upon - logout, etc. - - C.4. DCE Password Management - - The algorithm for DCE password management is as follows: - - - - - - - - - - Samar, Schemers Page 26 - - - - - - - - OSF-RFC 86.0 PAM October 1995 - - - - pam_sm_chauthtok - { - sec_rgy_site_open(...); - sec_rgy_acct_lookup(...); - sec_rgy_acct_passwd(...); - sec_rgy_site_close(...); - } - - The `sec_rgy_acct_passwd()' function is called to change the user's - password in the DCE registry. - - - REFERENCES - - [Adamson 95] W. A. Adamson, J. Rees, and P. 
Honeyman, "Joining - Security Realms: A Single Login for Netware and - Kerberos", CITI Technical Report 95-1, Center for - Information Technology Integration, University of - Michigan, Ann Arbor, MI, February 1995. - - [Diffie 76] W. Diffie and M. E. Hellman, "New Directions in - Cryptography", IEEE Transactions on Information - Theory, November 1976. - - [Linn 93] J. Linn, "Generic Security Service Application - Programming Interface", Internet RFC 1508, 1509, 1993. - - [Rivest 78] R. L. Rivest, A. Shamir, and L. Adleman., "A Method - for Obtaining Digital Signatures and Pubic-key - Cryptosystems", Communications of the ACM, 21(2), - 1978. - - [SIA 95] "Digital UNIX Security", Digital Equipment - Corporation, Order Number AA-Q0R2C-TE, July 1995. - - [Skey 94] N. M. Haller, "The S/Key One-Time Password System", - ISOC Symposium on Network and Distributed Security, - 1994. - - [Steiner 88] J.G. Steiner, B. C. Neuman, and J. I. Schiller, - "Kerberos, An Authentication Service for Open Network - Systems", in Proceedings of the Winter USENIX - Conference, Dallas, Jan 1988. - - [Taylor 88] B. Taylor and D. Goldberg, "Secure Networking in the - Sun Environment", Sun Microsystems Technical Paper, - 1988. - - [XFN 94] "Federated Naming: the XFN Specifications", X/Open - Preliminary Specification, X/Open Document #P403, - ISBN:1-85912-045-8, X/Open Co. Ltd., July 1994. - - - - Samar, Schemers Page 27 - - - - - - - - OSF-RFC 86.0 PAM October 1995 - - - - AUTHOR'S ADDRESS - - Vipin Samar Internet email: vipin@eng.sun.com - SunSoft, Inc. Telephone: +1-415-336-1002 - 2550 Garcia Avenue - Mountain View, CA 94043 - USA - - Roland J. Schemers III Internet email: schemers@eng.sun.com - SunSoft, Inc. Telephone: +1-415-336-1035 - 2550 Garcia Avenue - Mountain View, CA 94043 - USA - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Samar, Schemers Page 28 - - - - - - 
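Review bot: deleting doc/specs/rfc86.0.txt removes the only text in this diff that defines the `required`/`optional`/`sufficient` control-flag semantics (section 7.1, Tables 3 and 4) and the four password-mapping option names `use_first_pass`, `try_first_pass`, `use_mapped_pass` and `try_mapped_pass` that section 7.2 asks every module provider to support, yet nothing in the hunk or its header says whether the specs are being relocated or discarded. If they move elsewhere, state the new location in the commit message (or leave a short README pointer in doc/specs); if they are simply dropped, the module option documentation that uses these names has nothing left to cite for their intended behaviour, including the security caveat in section 9(b) that mapped passwords stored in a publicly readable place invite a dictionary attack on the primary password.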
diff --git a/doc/specs/std-agent-id.raw b/doc/specs/std-agent-id.raw deleted file mode 100644 index d5fbdd56..00000000 --- a/doc/specs/std-agent-id.raw +++ /dev/null 
@@ -1,95 +0,0 @@ -PAM working group ## A.G. Morgan - -## $Id$ ## - -## Pluggable Authentication Modules ## - -## REGISTERED AGENTS AND THEIR AGENT-ID'S ## - -#$ Purpose of this document - -#$$#{definition} Definition of an agent-id - -The most complete version of a "PAM agent-id" is contained in this -reference [#$R#{PAM_RFC2}]. A copy of a recent definition is -reproduced here for convenience. The reader is recommended to consult -reference [#{PAM_RFC2}] for definitions of other terms that are -used in this document. - -## -------------- ## - -The agent_id is a sequence of characters satisfying the following -regexp: - - /^[a-z0-9\_]+(@[a-z0-9\_.]+)?$/ - -and has a specific form for each independent agent. - -o Agent_ids that do not contain an at-sign (@) are to be considered as - representing some authentication mode that is a "public - standard". Registered names MUST NOT contain an at-sign (@). - -o Anyone can define additional agents by using names in the format - name@domainname, e.g. "ouragent@example.com". The part following - the at-sign MUST be a valid fully qualified internet domain name - [RFC-1034] controlled by the person or organization defining the - name. (Said another way, if you control the email address that - your agent has as an identifier, they you are entitled to use - this identifier.) It is up to each domain how it manages its local - namespace. - -## -------------- ## - -#$ Registered agent-id's - -The structure of this section is a single subsection for each -registered agent-id. This section includes a full definition of binary -prompts accepted by the agent and example responses of said -agent. Using the defining section alone, it should be possible for a -third party to create a conforming agent and modules that can -interoperate with other implementations of these objects. - -*$ "userpass" - the user+password agent - -Many legacy authentication systems are hardcoded to support one and -only one authentication method. 
Namely, - - username: joe - password: <secret> - -Indeed, this authentication method is often embedded into parts of the -transport protocol. The "user+password" agent with PAM agent-id: - - "userpass" - -Is intended to support this legacy authentication scheme. The protocol -for binary prompt exchange with this 'standard agent' is as follows: - -Case 1: module does not know the username, but expects the agent to - obtain this information and also the user's password: - - module: {LENGTH;PAM_BP_SELECT;userpass;'/'} - agent: {} - -Case 2: module has suggested username, but would like agent to confirm - it and gather password: - - module: {} - agent: {} - -Case 3: module knows username and will not permit the agent to change it: - - module: {} - agent: {} - -#$ References - -[#{PAM_RFC2}] Internet draft, "Pluggable Authentication Modules - (PAM)", available here: - -# http://linux.kernel.org/pub/linux/libs/pam/pre/doc/current-draft.txt # - -#$ Author's Address - -Andrew G. Morgan -Email: morgan@kernel.org |
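Review bot: the removed std-agent-id.raw was never a complete specification, so the deletion loses nothing that a third party could have implemented from; in the "userpass" section, Case 2 and Case 3 of the binary prompt exchange are empty placeholders (`module: {}` / `agent: {}`) and only Case 1 carries an actual prompt (`{LENGTH;PAM_BP_SELECT;userpass;'/'}`), while the document's own stated goal is that "using the defining section alone, it should be possible for a third party to create a conforming agent". If the agent-id registry is being relocated rather than dropped, the moved copy should either fill in Cases 2 and 3 or mark them as unspecified, and fix the mismatched reference markup (`[#$R#{PAM_RFC2}]` versus `[#{PAM_RFC2}]`) and the typo "they you are entitled" in the agent-id definition.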