diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-07 14:22:51 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-07 14:22:51 +0000 |
commit | 9ada0093e92388590c7368600ca4e9e3e376f0d0 (patch) | |
tree | a56fe41110023676d7082028cbaa47ca4b6e6164 /doc/man/pam.8 | |
parent | Initial commit. (diff) | |
download | pam-283bed196467d79d251cf0de1b8e0a1d79f90857.tar.xz pam-283bed196467d79d251cf0de1b8e0a1d79f90857.zip |
Adding upstream version 1.5.2.upstream/1.5.2upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to '')
-rw-r--r-- | doc/man/pam.8 | 1 | ||||
-rw-r--r-- | doc/man/pam.8.xml | 216 |
2 files changed, 217 insertions, 0 deletions
diff --git a/doc/man/pam.8 b/doc/man/pam.8 new file mode 100644 index 0000000..da9773b --- /dev/null +++ b/doc/man/pam.8 @@ -0,0 +1 @@ +.so man8/PAM.8 diff --git a/doc/man/pam.8.xml b/doc/man/pam.8.xml new file mode 100644 index 0000000..464af0e --- /dev/null +++ b/doc/man/pam.8.xml @@ -0,0 +1,216 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN" + "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"> + +<refentry id='pam8'> + + <refmeta> + <refentrytitle>pam</refentrytitle> + <manvolnum>8</manvolnum> + <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo> + </refmeta> + + <refnamediv id='pam8-name'> + <refname>PAM</refname> + <refname>pam</refname> + <refpurpose>Pluggable Authentication Modules for Linux</refpurpose> + </refnamediv> + + <refsect1 id='pam8-description'> + <title>DESCRIPTION</title> + <para> + This manual is intended to offer a quick introduction to + <emphasis remap='B'>Linux-PAM</emphasis>. For more information + the reader is directed to the + <emphasis remap='B'>Linux-PAM system administrators' guide</emphasis>. + </para> + + <para> + <emphasis remap='B'>Linux-PAM</emphasis> is a system of libraries + that handle the authentication tasks of applications (services) on + the system. The library provides a stable general interface + (Application Programming Interface - API) that privilege granting + programs (such as <citerefentry> + <refentrytitle>login</refentrytitle><manvolnum>1</manvolnum> + </citerefentry> and <citerefentry> + <refentrytitle>su</refentrytitle><manvolnum>1</manvolnum> + </citerefentry>) defer to to perform standard authentication tasks. + </para> + + <para> + The principal feature of the PAM approach is that the nature of the + authentication is dynamically configurable. In other words, the + system administrator is free to choose how individual + service-providing applications will authenticate users. This dynamic + configuration is set by the contents of the single + <emphasis remap='B'>Linux-PAM</emphasis> configuration file + <filename>/etc/pam.conf</filename>. Alternatively, the configuration + can be set by individual configuration files located in the + <filename>/etc/pam.d/</filename> directory. The presence of this + directory will cause <emphasis remap='B'>Linux-PAM</emphasis> to + <emphasis remap='I'>ignore</emphasis> <filename>/etc/pam.conf</filename>. + </para> + + <para> + Vendor-supplied PAM configuration files might be installed in + the system directory <filename>/usr/lib/pam.d/</filename> or + a configurable vendor specific directory instead + of the machine configuration directory <filename>/etc/pam.d/</filename>. + If no machine configuration file is found, the vendor-supplied file + is used. All files in <filename>/etc/pam.d/</filename> override + files with the same name in other directories. + </para> + +<para>From the point of view of the system administrator, for whom this +manual is provided, it is not of primary importance to understand the +internal behavior of the +<emphasis remap='B'>Linux-PAM</emphasis> +library. The important point to recognize is that the configuration +file(s) +<emphasis remap='I'>define</emphasis> +the connection between applications +<emphasis remap='B'></emphasis>(<emphasis remap='B'>services</emphasis>) +and the pluggable authentication modules +<emphasis remap='B'></emphasis>(<emphasis remap='B'>PAM</emphasis>s) +that perform the actual authentication tasks.</para> + + +<para><emphasis remap='B'>Linux-PAM</emphasis> +separates the tasks of +<emphasis remap='I'>authentication</emphasis> +into four independent management groups: +<emphasis remap='B'>account</emphasis> management; +<emphasis remap='B'>auth</emphasis>entication management; +<emphasis remap='B'>password</emphasis> management; +and +<emphasis remap='B'>session</emphasis> management. +(We highlight the abbreviations used for these groups in the +configuration file.)</para> + + +<para>Simply put, these groups take care of different aspects of a typical +user's request for a restricted service:</para> + + +<para><emphasis remap='B'>account</emphasis> - +provide account verification types of service: has the user's password +expired?; is this user permitted access to the requested service?</para> + +<!-- .br --> +<para><emphasis remap='B'>auth</emphasis>entication - +authenticate a user and set up user credentials. Typically this is via +some challenge-response request that the user must satisfy: if you are +who you claim to be please enter your password. Not all authentications +are of this type, there exist hardware based authentication schemes +(such as the use of smart-cards and biometric devices), with suitable +modules, these may be substituted seamlessly for more standard +approaches to authentication - such is the flexibility of +<emphasis remap='B'>Linux-PAM</emphasis>.</para> + +<!-- .br --> +<para><emphasis remap='B'>password</emphasis> - +this group's responsibility is the task of updating authentication +mechanisms. Typically, such services are strongly coupled to those of +the +<emphasis remap='B'>auth</emphasis> +group. Some authentication mechanisms lend themselves well to being +updated with such a function. Standard UN*X password-based access is +the obvious example: please enter a replacement password.</para> + +<!-- .br --> +<para><emphasis remap='B'>session</emphasis> - +this group of tasks cover things that should be done prior to a +service being given and after it is withdrawn. Such tasks include the +maintenance of audit trails and the mounting of the user's home +directory. The +<emphasis remap='B'>session</emphasis> +management group is important as it provides both an opening and +closing hook for modules to affect the services available to a user.</para> + +</refsect1> + + <refsect1 id='pam8-files'> + <title>FILES</title> + <variablelist> + <varlistentry> + <term><filename>/etc/pam.conf</filename></term> + <listitem> + <para>the configuration file</para> + </listitem> + </varlistentry> + <varlistentry> + <term><filename>/etc/pam.d</filename></term> + <listitem> + <para> + the <emphasis remap='B'>Linux-PAM</emphasis> configuration + directory. Generally, if this directory is present, the + <filename>/etc/pam.conf</filename> file is ignored. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term><filename>/usr/lib/pam.d</filename></term> + <listitem> + <para> + the <emphasis remap='B'>Linux-PAM</emphasis> vendor configuration + directory. Files in <filename>/etc/pam.d</filename> override + files with the same name in this directory. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term><filename>%vendordir%/pam.d</filename></term> + <listitem> + <para> + the <emphasis remap='B'>Linux-PAM</emphasis> vendor configuration + directory. Files in <filename>/etc/pam.d</filename> and + <filename>/usr/lib/pam.d</filename> override files with the same + name in this directory. Only available if Linux-PAM was compiled + with vendordir enabled. + </para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1 id='pam8-errors'> + <title>ERRORS</title> + <para> + Typically errors generated by the + <emphasis remap='B'>Linux-PAM</emphasis> system of libraries, will + be written to <citerefentry> + <refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>. + </para> + </refsect1> + + <refsect1 id='pam8-conforming_to'> + <title>CONFORMING TO</title> + <para> + DCE-RFC 86.0, October 1995. + Contains additional features, but remains backwardly compatible + with this RFC. + </para> + </refsect1> + + <refsect1 id='pam8-see_also'> + <title>SEE ALSO</title> + <para> + <citerefentry> + <refentrytitle>pam</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam_authenticate</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam_sm_setcred</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam_strerror</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>PAM</refentrytitle><manvolnum>8</manvolnum> + </citerefentry> + </para> + </refsect1> +</refentry> |