summaryrefslogtreecommitdiff
path: root/modules/pam_listfile
diff options
context:
space:
mode:
Diffstat (limited to 'modules/pam_listfile')
-rw-r--r--modules/pam_listfile/.cvsignore2
-rw-r--r--modules/pam_listfile/README101
-rw-r--r--modules/pam_listfile/pam_listfile.8189
3 files changed, 2 insertions, 290 deletions
diff --git a/modules/pam_listfile/.cvsignore b/modules/pam_listfile/.cvsignore
index 9fb98574..f54f6f27 100644
--- a/modules/pam_listfile/.cvsignore
+++ b/modules/pam_listfile/.cvsignore
@@ -4,3 +4,5 @@
.libs
Makefile
Makefile.in
+README
+pam_listfile.8
diff --git a/modules/pam_listfile/README b/modules/pam_listfile/README
deleted file mode 100644
index 7fe7051b..00000000
--- a/modules/pam_listfile/README
+++ /dev/null
@@ -1,101 +0,0 @@
-pam_listfile — deny or allow services based on an arbitrary file
-
-━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
-
-DESCRIPTION
-
-pam_listfile is a PAM module which provides a way to deny or allow services
-based on an arbitrary file.
-
-The module gets the item of the type specified -- user specifies the username,
-PAM_USER; tty specifies the name of the terminal over which the request has
-been made, PAM_TTY; rhost specifies the name of the remote host (if any) from
-which the request was made, PAM_RHOST; and ruser specifies the name of the
-remote user (if available) who made the request, PAM_RUSER -- and looks for an
-instance of that item in the file=filename. filename contains one line per item
-listed. If the item is found, then if sense=allow, PAM_SUCCESS is returned,
-causing the authorization request to succeed; else if sense=deny, PAM_AUTH_ERR
-is returned, causing the authorization request to fail.
-
-If an error is encountered (for instance, if filename does not exist, or a
-poorly-constructed argument is encountered), then if onerr=succeed, PAM_SUCCESS
-is returned, otherwise if onerr=fail, PAM_AUTH_ERR or PAM_SERVICE_ERR (as
-appropriate) will be returned.
-
-An additional argument, apply=, can be used to restrict the application of the
-above to a specific user (apply=username) or a given group (apply=@groupname).
-This added restriction is only meaningful when used with the tty, rhost and
-shell items.
-
-Besides this last one, all arguments should be specified; do not count on any
-default behavior.
-
-No credentials are awarded by this module.
-
-OPTIONS
-
-item=[tty|user|rhost|ruser|group|shell]
-
- What is listed in the file and should be checked for.
-
-sense=[allow|deny]
-
- Action to take if found in file, if the item is NOT found in the file, then
- the opposite action is requested.
-
-file=/path/filename
-
- File containing one item per line. The file needs to be a plain file and
- not world writeable.
-
-onerr=[succeed|fail]
-
- What to do if something weird happens like being unable to open the file.
-
-apply=[user|@group]
-
- Restrict the user class for which the restriction apply. Note that with
- item=[user|ruser|group] this does not make sense, but for item=[tty|rhost|
- shell] it have a meaning.
-
-quiet
-
- Do not treat service refusals or missing list files as errors that need to
- be logged.
-
-EXAMPLES
-
-Classic 'ftpusers' authentication can be implemented with this entry in /etc/
-pam.d/ftpd:
-
-#
-# deny ftp-access to users listed in the /etc/ftpusers file
-#
-auth required pam_listfile.so \
- onerr=succeed item=user sense=deny file=/etc/ftpusers
-
-
-Note, users listed in /etc/ftpusers file are (counterintuitively) not allowed
-access to the ftp service.
-
-To allow login access only for certain users, you can use a /etc/pam.d/login
-entry like this:
-
-#
-# permit login to users listed in /etc/loginusers
-#
-auth required pam_listfile.so \
- onerr=fail item=user sense=allow file=/etc/loginusers
-
-
-For this example to work, all users who are allowed to use the login service
-should be listed in the file /etc/loginusers. Unless you are explicitly trying
-to lock out root, make sure that when you do this, you leave a way for root to
-log in, either by listing root in /etc/loginusers, or by listing a user who is
-able to su to the root account.
-
-AUTHOR
-
-pam_listfile was written by Michael K. Johnson <johnsonm@redhat.com> and Elliot
-Lee <sopwith@cuc.edu>.
-
diff --git a/modules/pam_listfile/pam_listfile.8 b/modules/pam_listfile/pam_listfile.8
deleted file mode 100644
index f7425653..00000000
--- a/modules/pam_listfile/pam_listfile.8
+++ /dev/null
@@ -1,189 +0,0 @@
-.\" Title: pam_listfile
-.\" Author:
-.\" Generator: DocBook XSL Stylesheets v1.73.1 <http://docbook.sf.net/>
-.\" Date: 11/06/2007
-.\" Manual: Linux-PAM Manual
-.\" Source: Linux-PAM Manual
-.\"
-.TH "PAM_LISTFILE" "8" "11/06/2007" "Linux-PAM Manual" "Linux\-PAM Manual"
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.SH "NAME"
-pam_listfile - deny or allow services based on an arbitrary file
-.SH "SYNOPSIS"
-.HP 16
-\fBpam_listfile\.so\fR item=[tty|user|rhost|ruser|group|shell] sense=[allow|deny] file=\fI/path/filename\fR onerr=[succeed|fail] [apply=[\fIuser\fR|\fI@group\fR]] [quiet]
-.SH "DESCRIPTION"
-.PP
-pam_listfile is a PAM module which provides a way to deny or allow services based on an arbitrary file\.
-.PP
-The module gets the
-\fBitem\fR
-of the type specified \-\-
-\fIuser\fR
-specifies the username,
-\fIPAM_USER\fR; tty specifies the name of the terminal over which the request has been made,
-\fIPAM_TTY\fR; rhost specifies the name of the remote host (if any) from which the request was made,
-\fIPAM_RHOST\fR; and ruser specifies the name of the remote user (if available) who made the request,
-\fIPAM_RUSER\fR
-\-\- and looks for an instance of that item in the
-\fBfile=\fR\fB\fIfilename\fR\fR\.
-\fIfilename\fR
-contains one line per item listed\. If the item is found, then if
-\fBsense=\fR\fB\fIallow\fR\fR,
-\fIPAM_SUCCESS\fR
-is returned, causing the authorization request to succeed; else if
-\fBsense=\fR\fB\fIdeny\fR\fR,
-\fIPAM_AUTH_ERR\fR
-is returned, causing the authorization request to fail\.
-.PP
-If an error is encountered (for instance, if
-\fIfilename\fR
-does not exist, or a poorly\-constructed argument is encountered), then if
-\fIonerr=succeed\fR,
-\fIPAM_SUCCESS\fR
-is returned, otherwise if
-\fIonerr=fail\fR,
-\fIPAM_AUTH_ERR\fR
-or
-\fIPAM_SERVICE_ERR\fR
-(as appropriate) will be returned\.
-.PP
-An additional argument,
-\fBapply=\fR, can be used to restrict the application of the above to a specific user (\fBapply=\fR\fB\fIusername\fR\fR) or a given group (\fBapply=\fR\fB\fI@groupname\fR\fR)\. This added restriction is only meaningful when used with the
-\fItty\fR,
-\fIrhost\fR
-and
-\fIshell\fR
-items\.
-.PP
-Besides this last one, all arguments should be specified; do not count on any default behavior\.
-.PP
-No credentials are awarded by this module\.
-.SH "OPTIONS"
-.PP
-.PP
-\fBitem=[tty|user|rhost|ruser|group|shell]\fR
-.RS 4
-What is listed in the file and should be checked for\.
-.RE
-.PP
-\fBsense=[allow|deny]\fR
-.RS 4
-Action to take if found in file, if the item is NOT found in the file, then the opposite action is requested\.
-.RE
-.PP
-\fBfile=\fR\fB\fI/path/filename\fR\fR
-.RS 4
-File containing one item per line\. The file needs to be a plain file and not world writeable\.
-.RE
-.PP
-\fBonerr=[succeed|fail]\fR
-.RS 4
-What to do if something weird happens like being unable to open the file\.
-.RE
-.PP
-\fBapply=[\fR\fB\fIuser\fR\fR\fB|\fR\fB\fI@group\fR\fR\fB]\fR
-.RS 4
-Restrict the user class for which the restriction apply\. Note that with
-\fBitem=[user|ruser|group]\fR
-this does not make sense, but for
-\fBitem=[tty|rhost|shell]\fR
-it have a meaning\.
-.RE
-.PP
-\fBquiet\fR
-.RS 4
-Do not treat service refusals or missing list files as errors that need to be logged\.
-.RE
-.SH "MODULE SERVICES PROVIDED"
-.PP
-The services
-\fBauth\fR,
-\fBaccount\fR,
-\fBpassword\fR
-and
-\fBsession\fR
-are supported\.
-.SH "RETURN VALUES"
-.PP
-.PP
-PAM_AUTH_ERR
-.RS 4
-Authentication failure\.
-.RE
-.PP
-PAM_BUF_ERR
-.RS 4
-Memory buffer error\.
-.RE
-.PP
-PAM_IGNORE
-.RS 4
-The rule does not apply to the
-\fBapply\fR
-option\.
-.RE
-.PP
-PAM_SERVICE_ERR
-.RS 4
-Error in service module\.
-.RE
-.PP
-PAM_SUCCESS
-.RS 4
-Success\.
-.RE
-.SH "EXAMPLES"
-.PP
-Classic \'ftpusers\' authentication can be implemented with this entry in
-\fI/etc/pam\.d/ftpd\fR:
-.sp
-.RS 4
-.nf
-#
-# deny ftp\-access to users listed in the /etc/ftpusers file
-#
-auth required pam_listfile\.so \e
- onerr=succeed item=user sense=deny file=/etc/ftpusers
-
-.fi
-.RE
-.sp
-Note, users listed in
-\fI/etc/ftpusers\fR
-file are (counterintuitively)
-\fInot\fR
-allowed access to the ftp service\.
-.PP
-To allow login access only for certain users, you can use a
-\fI/etc/pam\.d/login\fR
-entry like this:
-.sp
-.RS 4
-.nf
-#
-# permit login to users listed in /etc/loginusers
-#
-auth required pam_listfile\.so \e
- onerr=fail item=user sense=allow file=/etc/loginusers
-
-.fi
-.RE
-.sp
-For this example to work, all users who are allowed to use the login service should be listed in the file
-\fI/etc/loginusers\fR\. Unless you are explicitly trying to lock out root, make sure that when you do this, you leave a way for root to log in, either by listing root in
-\fI/etc/loginusers\fR, or by listing a user who is able to
-\fIsu\fR
-to the root account\.
-.SH "SEE ALSO"
-.PP
-
-\fBpam.conf\fR(5),
-\fBpam.d\fR(8),
-\fBpam\fR(8)
-.SH "AUTHOR"
-.PP
-pam_listfile was written by Michael K\. Johnson <johnsonm@redhat\.com> and Elliot Lee <sopwith@cuc\.edu>\.
generated by cgit v1.2.3 (git 2.25.1) at 2024-04-19 10:00:41 +0000