diff options
Diffstat (limited to '')
-rw-r--r-- | modules/pam_keyinit/pam_keyinit.8 | 142 | ||||
-rw-r--r-- | modules/pam_keyinit/pam_keyinit.8.xml | 241 |
2 files changed, 383 insertions, 0 deletions
diff --git a/modules/pam_keyinit/pam_keyinit.8 b/modules/pam_keyinit/pam_keyinit.8 new file mode 100644 index 0000000..4dfbffb --- /dev/null +++ b/modules/pam_keyinit/pam_keyinit.8 @@ -0,0 +1,142 @@ +'\" t +.\" Title: pam_keyinit +.\" Author: [see the "AUTHOR" section] +.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/> +.\" Date: 05/18/2017 +.\" Manual: Linux-PAM Manual +.\" Source: Linux-PAM Manual +.\" Language: English +.\" +.TH "PAM_KEYINIT" "8" "05/18/2017" "Linux-PAM Manual" "Linux\-PAM Manual" +.\" ----------------------------------------------------------------- +.\" * Define some portability stuff +.\" ----------------------------------------------------------------- +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" http://bugs.debian.org/507673 +.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" ----------------------------------------------------------------- +.\" * set default formatting +.\" ----------------------------------------------------------------- +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.\" ----------------------------------------------------------------- +.\" * MAIN CONTENT STARTS HERE * +.\" ----------------------------------------------------------------- +.SH "NAME" +pam_keyinit \- Kernel session keyring initialiser module +.SH "SYNOPSIS" +.HP \w'\fBpam_keyinit\&.so\fR\ 'u +\fBpam_keyinit\&.so\fR [debug] [force] [revoke] +.SH "DESCRIPTION" +.PP +The pam_keyinit PAM module ensures that the invoking process has a session keyring other than the user default session keyring\&. +.PP +The session component of the module checks to see if the process\*(Aqs session keyring is the user default, and, if it is, creates a new anonymous session keyring with which to replace it\&. +.PP +If a new session keyring is created, it will install a link to the user common keyring in the session keyring so that keys common to the user will be automatically accessible through it\&. +.PP +The session keyring of the invoking process will thenceforth be inherited by all its children unless they override it\&. +.PP +This module is intended primarily for use by login processes\&. Be aware that after the session keyring has been replaced, the old session keyring and the keys it contains will no longer be accessible\&. +.PP +This module should not, generally, be invoked by programs like +\fBsu\fR, since it is usually desirable for the key set to percolate through to the alternate context\&. The keys have their own permissions system to manage this\&. +.PP +This module should be included as early as possible in a PAM configuration, so that other PAM modules can attach tokens to the keyring\&. +.PP +The keyutils package is used to manipulate keys more directly\&. This can be obtained from: +.PP +\m[blue]\fBKeyutils\fR\m[]\&\s-2\u[1]\d\s+2 +.SH "OPTIONS" +.PP +\fBdebug\fR +.RS 4 +Log debug information with +\fBsyslog\fR(3)\&. +.RE +.PP +\fBforce\fR +.RS 4 +Causes the session keyring of the invoking process to be replaced unconditionally\&. +.RE +.PP +\fBrevoke\fR +.RS 4 +Causes the session keyring of the invoking process to be revoked when the invoking process exits if the session keyring was created for this process in the first place\&. +.RE +.SH "MODULE TYPES PROVIDED" +.PP +Only the +\fBsession\fR +module type is provided\&. +.SH "RETURN VALUES" +.PP +PAM_SUCCESS +.RS 4 +This module will usually return this value +.RE +.PP +PAM_AUTH_ERR +.RS 4 +Authentication failure\&. +.RE +.PP +PAM_BUF_ERR +.RS 4 +Memory buffer error\&. +.RE +.PP +PAM_IGNORE +.RS 4 +The return value should be ignored by PAM dispatch\&. +.RE +.PP +PAM_SERVICE_ERR +.RS 4 +Cannot determine the user name\&. +.RE +.PP +PAM_SESSION_ERR +.RS 4 +This module will return this value if its arguments are invalid or if a system error such as ENOMEM occurs\&. +.RE +.PP +PAM_USER_UNKNOWN +.RS 4 +User not known\&. +.RE +.SH "EXAMPLES" +.PP +Add this line to your login entries to start each login session with its own session keyring: +.sp +.if n \{\ +.RS 4 +.\} +.nf +session required pam_keyinit\&.so + +.fi +.if n \{\ +.RE +.\} +.PP +This will prevent keys from one session leaking into another session for the same user\&. +.SH "SEE ALSO" +.PP +\fBpam.conf\fR(5), +\fBpam.d\fR(5), +\fBpam\fR(8)\fBkeyctl\fR(1) +.SH "AUTHOR" +.PP +pam_keyinit was written by David Howells, <dhowells@redhat\&.com>\&. +.SH "NOTES" +.IP " 1." 4 +Keyutils +.RS 4 +\%http://people.redhat.com/~dhowells/keyutils/ +.RE diff --git a/modules/pam_keyinit/pam_keyinit.8.xml b/modules/pam_keyinit/pam_keyinit.8.xml new file mode 100644 index 0000000..bcc5096 --- /dev/null +++ b/modules/pam_keyinit/pam_keyinit.8.xml @@ -0,0 +1,241 @@ +<?xml version="1.0" encoding='UTF-8'?> +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" + "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> + +<refentry id="pam_keyinit"> + + <refmeta> + <refentrytitle>pam_keyinit</refentrytitle> + <manvolnum>8</manvolnum> + <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + </refmeta> + + <refnamediv id="pam_keyinit-name"> + <refname>pam_keyinit</refname> + <refpurpose>Kernel session keyring initialiser module</refpurpose> + </refnamediv> + + <refsynopsisdiv> + <cmdsynopsis id="pam_keyinit-cmdsynopsis"> + <command>pam_keyinit.so</command> + <arg choice="opt"> + debug + </arg> + <arg choice="opt"> + force + </arg> + <arg choice="opt"> + revoke + </arg> + </cmdsynopsis> + </refsynopsisdiv> + + <refsect1 id="pam_keyinit-description"> + <title>DESCRIPTION</title> + <para> + The pam_keyinit PAM module ensures that the invoking process has a + session keyring other than the user default session keyring. + </para> + <para> + The session component of the module checks to see if the process's + session keyring is the user default, and, if it is, creates a new + anonymous session keyring with which to replace it. + </para> + <para> + If a new session keyring is created, it will install a link to the user + common keyring in the session keyring so that keys common to the user + will be automatically accessible through it. + </para> + <para> + The session keyring of the invoking process will thenceforth be inherited + by all its children unless they override it. + </para> + <para> + This module is intended primarily for use by login processes. Be aware + that after the session keyring has been replaced, the old session keyring + and the keys it contains will no longer be accessible. + </para> + <para> + This module should not, generally, be invoked by programs like + <emphasis remap='B'>su</emphasis>, since it is usually desirable for the + key set to percolate through to the alternate context. The keys have + their own permissions system to manage this. + </para> + <para> + This module should be included as early as possible in a PAM + configuration, so that other PAM modules can attach tokens to the + keyring. + </para> + <para> + The keyutils package is used to manipulate keys more directly. This + can be obtained from: + </para> + <para> + <ulink url="http://people.redhat.com/~dhowells/keyutils/"> + Keyutils + </ulink> + </para> + </refsect1> + + <refsect1 id="pam_keyinit-options"> + <title>OPTIONS</title> + <variablelist> + <varlistentry> + <term> + <option>debug</option> + </term> + <listitem> + <para> + Log debug information with <citerefentry> + <refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term> + <option>force</option> + </term> + <listitem> + <para> + Causes the session keyring of the invoking process to be replaced + unconditionally. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term> + <option>revoke</option> + </term> + <listitem> + <para> + Causes the session keyring of the invoking process to be revoked + when the invoking process exits if the session keyring was created + for this process in the first place. + </para> + </listitem> + </varlistentry> + + </variablelist> + </refsect1> + + <refsect1 id="pam_keyinit-types"> + <title>MODULE TYPES PROVIDED</title> + <para> + Only the <option>session</option> module type is provided. + </para> + </refsect1> + + <refsect1 id='pam_keyinit-return_values'> + <title>RETURN VALUES</title> + <variablelist> + <varlistentry> + <term>PAM_SUCCESS</term> + <listitem> + <para> + This module will usually return this value + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>PAM_AUTH_ERR</term> + <listitem> + <para> + Authentication failure. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>PAM_BUF_ERR</term> + <listitem> + <para> + Memory buffer error. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>PAM_IGNORE</term> + <listitem> + <para> + The return value should be ignored by PAM dispatch. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>PAM_SERVICE_ERR</term> + <listitem> + <para> + Cannot determine the user name. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>PAM_SESSION_ERR</term> + <listitem> + <para> + This module will return this value if its arguments are invalid or + if a system error such as ENOMEM occurs. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>PAM_USER_UNKNOWN</term> + <listitem> + <para> + User not known. + </para> + </listitem> + </varlistentry> + + </variablelist> + </refsect1> + + <refsect1 id='pam_keyinit-examples'> + <title>EXAMPLES</title> + <para> + Add this line to your login entries to start each login session with its + own session keyring: + <programlisting> +session required pam_keyinit.so + </programlisting> + </para> + <para> + This will prevent keys from one session leaking into another session for + the same user. + </para> + </refsect1> + + <refsect1 id='pam_keyinit-see_also'> + <title>SEE ALSO</title> + <para> + <citerefentry> + <refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + </citerefentry> + <citerefentry> + <refentrytitle>keyctl</refentrytitle><manvolnum>1</manvolnum> + </citerefentry> + </para> + </refsect1> + + <refsect1 id='pam_keyinit-author'> + <title>AUTHOR</title> + <para> + pam_keyinit was written by David Howells, <dhowells@redhat.com>. + </para> + </refsect1> + +</refentry> |