diff options
Diffstat (limited to '')
-rw-r--r-- | modules/pam_securetty/pam_securetty.8 | 125 | ||||
-rw-r--r-- | modules/pam_securetty/pam_securetty.8.xml | 183 |
2 files changed, 308 insertions, 0 deletions
diff --git a/modules/pam_securetty/pam_securetty.8 b/modules/pam_securetty/pam_securetty.8 new file mode 100644 index 0000000..95747fe --- /dev/null +++ b/modules/pam_securetty/pam_securetty.8 @@ -0,0 +1,125 @@ +'\" t +.\" Title: pam_securetty +.\" Author: [see the "AUTHOR" section] +.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/> +.\" Date: 05/18/2017 +.\" Manual: Linux-PAM Manual +.\" Source: Linux-PAM Manual +.\" Language: English +.\" +.TH "PAM_SECURETTY" "8" "05/18/2017" "Linux-PAM Manual" "Linux\-PAM Manual" +.\" ----------------------------------------------------------------- +.\" * Define some portability stuff +.\" ----------------------------------------------------------------- +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" http://bugs.debian.org/507673 +.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" ----------------------------------------------------------------- +.\" * set default formatting +.\" ----------------------------------------------------------------- +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.\" ----------------------------------------------------------------- +.\" * MAIN CONTENT STARTS HERE * +.\" ----------------------------------------------------------------- +.SH "NAME" +pam_securetty \- Limit root login to special devices +.SH "SYNOPSIS" +.HP \w'\fBpam_securetty\&.so\fR\ 'u +\fBpam_securetty\&.so\fR [debug] +.SH "DESCRIPTION" +.PP +pam_securetty is a PAM module that allows root logins only if the user is logging in on a "secure" tty, as defined by the listing in +/etc/securetty\&. pam_securetty also checks to make sure that +/etc/securetty +is a plain file and not world writable\&. It will also allow root logins on the tty specified with +\fBconsole=\fR +switch on the kernel command line and on ttys from the +/sys/class/tty/console/active\&. +.PP +This module has no effect on non\-root users and requires that the application fills in the +\fBPAM_TTY\fR +item correctly\&. +.PP +For canonical usage, should be listed as a +\fBrequired\fR +authentication method before any +\fBsufficient\fR +authentication methods\&. +.SH "OPTIONS" +.PP +\fBdebug\fR +.RS 4 +Print debug information\&. +.RE +.PP +\fBnoconsole\fR +.RS 4 +Do not automatically allow root logins on the kernel console device, as specified on the kernel command line or by the sys file, if it is not also specified in the +/etc/securetty +file\&. +.RE +.SH "MODULE TYPES PROVIDED" +.PP +Only the +\fBauth\fR +module type is provided\&. +.SH "RETURN VALUES" +.PP +PAM_SUCCESS +.RS 4 +The user is allowed to continue authentication\&. Either the user is not root, or the root user is trying to log in on an acceptable device\&. +.RE +.PP +PAM_AUTH_ERR +.RS 4 +Authentication is rejected\&. Either root is attempting to log in via an unacceptable device, or the +/etc/securetty +file is world writable or not a normal file\&. +.RE +.PP +PAM_INCOMPLETE +.RS 4 +An application error occurred\&. pam_securetty was not able to get information it required from the application that called it\&. +.RE +.PP +PAM_SERVICE_ERR +.RS 4 +An error occurred while the module was determining the user\*(Aqs name or tty, or the module could not open +/etc/securetty\&. +.RE +.PP +PAM_USER_UNKNOWN +.RS 4 +The module could not find the user name in the +/etc/passwd +file to verify whether the user had a UID of 0\&. Therefore, the results of running this module are ignored\&. +.RE +.SH "EXAMPLES" +.PP +.if n \{\ +.RS 4 +.\} +.nf +auth required pam_securetty\&.so +auth required pam_unix\&.so + +.fi +.if n \{\ +.RE +.\} +.sp +.SH "SEE ALSO" +.PP +\fBsecuretty\fR(5), +\fBpam.conf\fR(5), +\fBpam.d\fR(5), +\fBpam\fR(8) +.SH "AUTHOR" +.PP +pam_securetty was written by Elliot Lee <sopwith@cuc\&.edu>\&. diff --git a/modules/pam_securetty/pam_securetty.8.xml b/modules/pam_securetty/pam_securetty.8.xml new file mode 100644 index 0000000..48215f5 --- /dev/null +++ b/modules/pam_securetty/pam_securetty.8.xml @@ -0,0 +1,183 @@ +<?xml version="1.0" encoding='UTF-8'?> +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" + "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> + +<refentry id="pam_securetty"> + + <refmeta> + <refentrytitle>pam_securetty</refentrytitle> + <manvolnum>8</manvolnum> + <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + </refmeta> + + <refnamediv id="pam_securetty-name"> + <refname>pam_securetty</refname> + <refpurpose>Limit root login to special devices</refpurpose> + </refnamediv> + + <refsynopsisdiv> + <cmdsynopsis id="pam_securetty-cmdsynopsis"> + <command>pam_securetty.so</command> + <arg choice="opt"> + debug + </arg> + </cmdsynopsis> + </refsynopsisdiv> + + <refsect1 id="pam_securetty-description"> + + <title>DESCRIPTION</title> + + <para> + pam_securetty is a PAM module that allows root logins only if the + user is logging in on a "secure" tty, as defined by the listing + in <filename>/etc/securetty</filename>. pam_securetty also checks + to make sure that <filename>/etc/securetty</filename> is a plain + file and not world writable. It will also allow root logins on + the tty specified with <option>console=</option> switch on the + kernel command line and on ttys from the + <filename>/sys/class/tty/console/active</filename>. + </para> + <para> + This module has no effect on non-root users and requires that the + application fills in the <emphasis remap='B'>PAM_TTY</emphasis> + item correctly. + </para> + <para> + For canonical usage, should be listed as a + <emphasis remap='B'>required</emphasis> authentication method + before any <emphasis remap='B'>sufficient</emphasis> + authentication methods. + </para> + </refsect1> + + <refsect1 id="pam_securetty-options"> + <title>OPTIONS</title> + <variablelist> + <varlistentry> + <term> + <option>debug</option> + </term> + <listitem> + <para> + Print debug information. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>noconsole</option> + </term> + <listitem> + <para> + Do not automatically allow root logins on the kernel console + device, as specified on the kernel command line or by the sys file, + if it is not also specified in the + <filename>/etc/securetty</filename> file. + </para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1 id="pam_securetty-types"> + <title>MODULE TYPES PROVIDED</title> + <para> + Only the <option>auth</option> module type is provided. + </para> + </refsect1> + + <refsect1 id='pam_securetty-return_values'> + <title>RETURN VALUES</title> + <variablelist> + <varlistentry> + <term>PAM_SUCCESS</term> + <listitem> + <para> + The user is allowed to continue authentication. + Either the user is not root, or the root user is + trying to log in on an acceptable device. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_AUTH_ERR</term> + <listitem> + <para> + Authentication is rejected. Either root is attempting to + log in via an unacceptable device, or the + <filename>/etc/securetty</filename> file is world writable or + not a normal file. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_INCOMPLETE</term> + <listitem> + <para> + An application error occurred. pam_securetty was not able + to get information it required from the application that + called it. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_SERVICE_ERR</term> + <listitem> + <para> + An error occurred while the module was determining the + user's name or tty, or the module could not open + <filename>/etc/securetty</filename>. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_USER_UNKNOWN</term> + <listitem> + <para> + The module could not find the user name in the + <filename>/etc/passwd</filename> file to verify whether + the user had a UID of 0. Therefore, the results of running + this module are ignored. + </para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1 id='pam_securetty-examples'> + <title>EXAMPLES</title> + <para> + <programlisting> +auth required pam_securetty.so +auth required pam_unix.so + </programlisting> + </para> + </refsect1> + + <refsect1 id='pam_securetty-see_also'> + <title>SEE ALSO</title> + <para> + <citerefentry> + <refentrytitle>securetty</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + </citerefentry> + </para> + </refsect1> + + <refsect1 id='pam_securetty-author'> + <title>AUTHOR</title> + <para> + pam_securetty was written by Elliot Lee <sopwith@cuc.edu>. + </para> + </refsect1> + +</refentry> |