1 files changed, 241 insertions, 0 deletions

diff --git a/modules/pam_keyinit/pam_keyinit.8.xml b/modules/pam_keyinit/pam_keyinit.8.xml
new file mode 100644
index 00000000..c7dddf54
--- /dev/null
+++ b/modules/pam_keyinit/pam_keyinit.8.xml
@@ -0,0 +1,241 @@
+<?xml version="1.0" encoding='UTF-8'?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
+	"http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">
+
+<refentry id="pam_keyinit">
+
+  <refmeta>
+    <refentrytitle>pam_keyinit</refentrytitle>
+    <manvolnum>8</manvolnum>
+    <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo>
+  </refmeta>
+
+  <refnamediv id="pam_keyinit-name">
+    <refname>pam_keyinit</refname>
+    <refpurpose>Kernel session keyring initialiser module</refpurpose>
+  </refnamediv>
+
+  <refsynopsisdiv>
+    <cmdsynopsis id="pam_keyinit-cmdsynopsis">
+      <command>pam_keyinit.so</command>
+      <arg choice="opt">
+	debug
+      </arg>
+      <arg choice="opt">
+	force
+      </arg>
+      <arg choice="opt">
+	revoke
+      </arg>
+    </cmdsynopsis>
+  </refsynopsisdiv>
+
+  <refsect1 id="pam_keyinit-description">
+    <title>DESCRIPTION</title>
+    <para>
+      The pam_keyinit PAM module ensures that the invoking process has a
+      session keyring other than the user default session keyring.
+    </para>
+    <para>
+      The session component of the module checks to see if the process's
+      session keyring is the user default, and, if it is, creates a new
+      anonymous session keyring with which to replace it.
+    </para>
+    <para>
+      If a new session keyring is created, it will install a link to the user
+      common keyring in the session keyring so that keys common to the user
+      will be automatically accessible through it.
+    </para>
+    <para>
+      The session keyring of the invoking process will thenceforth be inherited
+      by all its children unless they override it.
+    </para>
+    <para>
+      This module is intended primarily for use by login processes.  Be aware
+      that after the session keyring has been replaced, the old session keyring
+      and the keys it contains will no longer be accessible.
+    </para>
+    <para>
+      This module should not, generally, be invoked by programs like
+      <emphasis remap='B'>su</emphasis>, since it is usually desirable for the
+      key set to percolate through to the alternate context.  The keys have
+      their own permissions system to manage this.
+    </para>
+    <para>
+      This module should be included as early as possible in a PAM
+      configuration, so that other PAM modules can attach tokens to the
+      keyring.
+    </para>
+    <para>
+      The keyutils package is used to manipulate keys more directly.  This
+      can be obtained from:
+    </para>
+    <para>
+      <ulink url="http://people.redhat.com/~dhowells/keyutils/">
+	Keyutils
+      </ulink>
+    </para>
+  </refsect1>
+
+  <refsect1 id="pam_keyinit-options">
+    <title>OPTIONS</title>
+    <variablelist>
+      <varlistentry>
+        <term>
+          <option>debug</option>
+        </term>
+        <listitem>
+          <para>
+            Log debug information with <citerefentry>
+	    <refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum>
+            </citerefentry>.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>
+          <option>force</option>
+        </term>
+        <listitem>
+          <para>
+	    Causes the session keyring of the invoking process to be replaced
+	    unconditionally.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>
+          <option>revoke</option>
+        </term>
+        <listitem>
+          <para>
+	    Causes the session keyring of the invoking process to be revoked
+	    when the invoking process exits if the session keyring was created
+	    for this process in the first place.
+          </para>
+        </listitem>
+      </varlistentry>
+
+    </variablelist>
+  </refsect1>
+
+  <refsect1 id="pam_keyinit-services">
+    <title>MODULE SERVICES PROVIDED</title>
+    <para>
+      Only the <emphasis remap='B'>session</emphasis> service is supported.
+    </para>
+  </refsect1>
+
+  <refsect1 id='pam_keyinit-return_values'>
+    <title>RETURN VALUES</title>
+    <variablelist>
+      <varlistentry>
+	<term>PAM_SUCCESS</term>
+	<listitem>
+	  <para>
+	    This module will usually return this value
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>PAM_AUTH_ERR</term>
+        <listitem>
+           <para>
+             Authentication failure.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>PAM_BUF_ERR</term>
+        <listitem>
+           <para>
+             Memory buffer error.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>PAM_IGNORE</term>
+        <listitem>
+          <para>
+            The return value should be ignored by PAM dispatch.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>PAM_SERVICE_ERR</term>
+        <listitem>
+          <para>
+	    Cannot determine the user name.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>PAM_SESSION_ERR</term>
+	<listitem>
+	  <para>
+	    This module will return this value if its arguments are invalid or
+	    if a system error such as ENOMEM occurs.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>PAM_USER_UNKNOWN</term>
+        <listitem>
+          <para>
+            User not known.
+          </para>
+        </listitem>
+      </varlistentry>
+
+    </variablelist>
+  </refsect1>
+
+  <refsect1 id='pam_keyinit-examples'>
+    <title>EXAMPLES</title>
+    <para>
+      Add this line to your login entries to start each login session with its
+      own session keyring:
+      <programlisting>
+session  required  pam_keyinit.so
+      </programlisting>
+    </para>
+    <para>
+      This will prevent keys from one session leaking into another session for
+      the same user.
+    </para>
+  </refsect1>
+
+  <refsect1 id='pam_keyinit-see_also'>
+    <title>SEE ALSO</title>
+    <para>
+      <citerefentry>
+	<refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+	<refentrytitle>pam.d</refentrytitle><manvolnum>8</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+	<refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
+      </citerefentry>
+      <citerefentry>
+	<refentrytitle>keyctl</refentrytitle><manvolnum>1</manvolnum>
+      </citerefentry>
+    </para>
+  </refsect1>
+
+  <refsect1 id='pam_keyinit-author'>
+    <title>AUTHOR</title>
+      <para>
+        pam_keyinit was written by David Howells, &lt;dhowells@redhat.com&gt;.
+      </para>
+  </refsect1>
+
+</refentry>