summaryrefslogtreecommitdiff
path: root/modules/pam_keyinit/pam_keyinit.8
diff options
context:
space:
mode:
Diffstat (limited to 'modules/pam_keyinit/pam_keyinit.8')
-rw-r--r--modules/pam_keyinit/pam_keyinit.8150
1 files changed, 150 insertions, 0 deletions
diff --git a/modules/pam_keyinit/pam_keyinit.8 b/modules/pam_keyinit/pam_keyinit.8
new file mode 100644
index 00000000..814008c3
--- /dev/null
+++ b/modules/pam_keyinit/pam_keyinit.8
@@ -0,0 +1,150 @@
+'\" t
+.\" Title: pam_keyinit
+.\" Author: [see the "AUTHOR" section]
+.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
+.\" Date: 06/08/2020
+.\" Manual: Linux-PAM Manual
+.\" Source: Linux-PAM Manual
+.\" Language: English
+.\"
+.TH "PAM_KEYINIT" "8" "06/08/2020" "Linux-PAM Manual" "Linux\-PAM Manual"
+.\" -----------------------------------------------------------------
+.\" * Define some portability stuff
+.\" -----------------------------------------------------------------
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.\" http://bugs.debian.org/507673
+.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\" -----------------------------------------------------------------
+.\" * set default formatting
+.\" -----------------------------------------------------------------
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.\" -----------------------------------------------------------------
+.\" * MAIN CONTENT STARTS HERE *
+.\" -----------------------------------------------------------------
+.SH "NAME"
+pam_keyinit \- Kernel session keyring initialiser module
+.SH "SYNOPSIS"
+.HP \w'\fBpam_keyinit\&.so\fR\ 'u
+\fBpam_keyinit\&.so\fR [debug] [force] [revoke]
+.SH "DESCRIPTION"
+.PP
+The pam_keyinit PAM module ensures that the invoking process has a session keyring other than the user default session keyring\&.
+.PP
+The module checks to see if the process\*(Aqs session keyring is the
+\fBuser-session-keyring\fR(7), and, if it is, creates a new
+\fBsession-keyring\fR(7)
+with which to replace it\&. If a new session keyring is created, it will install a link to the
+\fBuser-keyring\fR(7)
+in the session keyring so that keys common to the user will be automatically accessible through it\&. The session keyring of the invoking process will thenceforth be inherited by all its children unless they override it\&.
+.PP
+In order to allow other PAM modules to attach tokens to the keyring, this module provides both an
+\fIauth\fR
+(limited to
+\fBpam_setcred\fR(3)
+and a
+\fIsession\fR
+component\&. The session keyring is created in the module called\&. Moreover this module should be included as early as possible in a PAM configuration\&.
+.PP
+This module is intended primarily for use by login processes\&. Be aware that after the session keyring has been replaced, the old session keyring and the keys it contains will no longer be accessible\&.
+.PP
+This module should not, generally, be invoked by programs like
+\fBsu\fR, since it is usually desirable for the key set to percolate through to the alternate context\&. The keys have their own permissions system to manage this\&.
+.PP
+The keyutils package is used to manipulate keys more directly\&. This can be obtained from:
+.PP
+\m[blue]\fBKeyutils\fR\m[]\&\s-2\u[1]\d\s+2
+.SH "OPTIONS"
+.PP
+\fBdebug\fR
+.RS 4
+Log debug information with
+\fBsyslog\fR(3)\&.
+.RE
+.PP
+\fBforce\fR
+.RS 4
+Causes the session keyring of the invoking process to be replaced unconditionally\&.
+.RE
+.PP
+\fBrevoke\fR
+.RS 4
+Causes the session keyring of the invoking process to be revoked when the invoking process exits if the session keyring was created for this process in the first place\&.
+.RE
+.SH "MODULE TYPES PROVIDED"
+.PP
+Only the
+\fBsession\fR
+module type is provided\&.
+.SH "RETURN VALUES"
+.PP
+PAM_SUCCESS
+.RS 4
+This module will usually return this value
+.RE
+.PP
+PAM_AUTH_ERR
+.RS 4
+Authentication failure\&.
+.RE
+.PP
+PAM_BUF_ERR
+.RS 4
+Memory buffer error\&.
+.RE
+.PP
+PAM_IGNORE
+.RS 4
+The return value should be ignored by PAM dispatch\&.
+.RE
+.PP
+PAM_SERVICE_ERR
+.RS 4
+Cannot determine the user name\&.
+.RE
+.PP
+PAM_SESSION_ERR
+.RS 4
+This module will return this value if its arguments are invalid or if a system error such as ENOMEM occurs\&.
+.RE
+.PP
+PAM_USER_UNKNOWN
+.RS 4
+User not known\&.
+.RE
+.SH "EXAMPLES"
+.PP
+Add this line to your login entries to start each login session with its own session keyring:
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+session required pam_keyinit\&.so
+
+.fi
+.if n \{\
+.RE
+.\}
+.PP
+This will prevent keys from one session leaking into another session for the same user\&.
+.SH "SEE ALSO"
+.PP
+\fBpam.conf\fR(5),
+\fBpam.d\fR(5),
+\fBpam\fR(8),
+\fBkeyctl\fR(1)
+.SH "AUTHOR"
+.PP
+pam_keyinit was written by David Howells, <dhowells@redhat\&.com>\&.
+.SH "NOTES"
+.IP " 1." 4
+Keyutils
+.RS 4
+\%http://people.redhat.com/~dhowells/keyutils/
+.RE