1 files changed, 183 insertions, 0 deletions

diff --git a/modules/pam_securetty/pam_securetty.8.xml b/modules/pam_securetty/pam_securetty.8.xml
new file mode 100644
index 0000000..48215f5
--- /dev/null
+++ b/modules/pam_securetty/pam_securetty.8.xml
@@ -0,0 +1,183 @@
+<?xml version="1.0" encoding='UTF-8'?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
+	"http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">
+
+<refentry id="pam_securetty">
+
+  <refmeta>
+    <refentrytitle>pam_securetty</refentrytitle>
+    <manvolnum>8</manvolnum>
+    <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo>
+  </refmeta>
+
+  <refnamediv id="pam_securetty-name">
+    <refname>pam_securetty</refname>
+    <refpurpose>Limit root login to special devices</refpurpose>
+  </refnamediv>
+
+  <refsynopsisdiv>
+    <cmdsynopsis id="pam_securetty-cmdsynopsis">
+      <command>pam_securetty.so</command>
+      <arg choice="opt">
+        debug
+      </arg>
+    </cmdsynopsis>
+  </refsynopsisdiv>
+
+  <refsect1 id="pam_securetty-description">
+
+    <title>DESCRIPTION</title>
+
+    <para>
+      pam_securetty is a PAM module that allows root logins only if the
+      user is logging in on a "secure" tty, as defined by the listing
+      in <filename>/etc/securetty</filename>. pam_securetty also checks
+      to make sure that <filename>/etc/securetty</filename> is a plain
+      file and not world writable. It will also allow root logins on
+      the tty specified with <option>console=</option> switch on the
+      kernel command line and on ttys from the
+      <filename>/sys/class/tty/console/active</filename>.
+    </para>
+    <para>
+      This module has no effect on non-root users and requires that the
+      application fills in the <emphasis remap='B'>PAM_TTY</emphasis>
+      item correctly.
+    </para>
+    <para>
+      For canonical usage, should be listed as a
+      <emphasis remap='B'>required</emphasis> authentication method
+      before any <emphasis remap='B'>sufficient</emphasis>
+      authentication methods.
+    </para>
+  </refsect1>
+
+  <refsect1 id="pam_securetty-options">
+    <title>OPTIONS</title>
+        <variablelist>
+      <varlistentry>
+        <term>
+          <option>debug</option>
+        </term>
+        <listitem>
+          <para>
+            Print debug information.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>
+          <option>noconsole</option>
+        </term>
+        <listitem>
+          <para>
+            Do not automatically allow root logins on the kernel console
+            device, as specified on the kernel command line or by the sys file,
+            if it is not also specified in the
+            <filename>/etc/securetty</filename> file.
+          </para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+  </refsect1>
+
+  <refsect1 id="pam_securetty-types">
+    <title>MODULE TYPES PROVIDED</title>
+    <para>
+      Only the <option>auth</option> module type is provided.
+    </para>
+  </refsect1>
+
+  <refsect1 id='pam_securetty-return_values'>
+    <title>RETURN VALUES</title>
+    <variablelist>
+      <varlistentry>
+        <term>PAM_SUCCESS</term>
+        <listitem>
+          <para>
+            The user is allowed to continue authentication.
+            Either the user is not root, or the root user is
+            trying to log in on an acceptable device.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_AUTH_ERR</term>
+        <listitem>
+          <para>
+            Authentication is rejected. Either root is attempting to
+            log in via an unacceptable device, or the
+            <filename>/etc/securetty</filename> file is world writable or
+            not a normal file.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_INCOMPLETE</term>
+        <listitem>
+          <para>
+            An application error occurred. pam_securetty was not able
+            to get information it required from the application that
+            called it.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_SERVICE_ERR</term>
+        <listitem>
+          <para>
+            An error occurred while the module was determining the
+            user's name or tty, or the module could not open
+            <filename>/etc/securetty</filename>.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_USER_UNKNOWN</term>
+        <listitem>
+          <para>
+            The module could not find the user name in the
+            <filename>/etc/passwd</filename> file to verify whether
+            the user had a UID of 0. Therefore, the results of running
+            this module are ignored.
+          </para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+  </refsect1>
+
+  <refsect1 id='pam_securetty-examples'>
+    <title>EXAMPLES</title>
+    <para>
+      <programlisting>
+auth  required  pam_securetty.so
+auth  required  pam_unix.so
+      </programlisting>
+    </para>
+  </refsect1>
+
+  <refsect1 id='pam_securetty-see_also'>
+    <title>SEE ALSO</title>
+    <para>
+      <citerefentry>
+        <refentrytitle>securetty</refentrytitle><manvolnum>5</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+	<refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+	<refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+	<refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
+      </citerefentry>
+    </para>
+  </refsect1>
+
+  <refsect1 id='pam_securetty-author'>
+    <title>AUTHOR</title>
+      <para>
+        pam_securetty was written by Elliot Lee &lt;sopwith@cuc.edu&gt;.
+      </para>
+  </refsect1>
+
+</refentry>