summaryrefslogtreecommitdiffstats
path: root/modules/pam_securetty/pam_securetty.8
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--modules/pam_securetty/pam_securetty.8140
-rw-r--r--modules/pam_securetty/pam_securetty.8.xml202
2 files changed, 342 insertions, 0 deletions
diff --git a/modules/pam_securetty/pam_securetty.8 b/modules/pam_securetty/pam_securetty.8
new file mode 100644
index 0000000..a808aea
--- /dev/null
+++ b/modules/pam_securetty/pam_securetty.8
@@ -0,0 +1,140 @@
+'\" t
+.\" Title: pam_securetty
+.\" Author: [see the "AUTHOR" section]
+.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
+.\" Date: 09/03/2021
+.\" Manual: Linux-PAM Manual
+.\" Source: Linux-PAM Manual
+.\" Language: English
+.\"
+.TH "PAM_SECURETTY" "8" "09/03/2021" "Linux-PAM Manual" "Linux\-PAM Manual"
+.\" -----------------------------------------------------------------
+.\" * Define some portability stuff
+.\" -----------------------------------------------------------------
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.\" http://bugs.debian.org/507673
+.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\" -----------------------------------------------------------------
+.\" * set default formatting
+.\" -----------------------------------------------------------------
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.\" -----------------------------------------------------------------
+.\" * MAIN CONTENT STARTS HERE *
+.\" -----------------------------------------------------------------
+.SH "NAME"
+pam_securetty \- Limit root login to special devices
+.SH "SYNOPSIS"
+.HP \w'\fBpam_securetty\&.so\fR\ 'u
+\fBpam_securetty\&.so\fR [debug]
+.SH "DESCRIPTION"
+.PP
+pam_securetty is a PAM module that allows root logins only if the user is logging in on a "secure" tty, as defined by the listing in the
+securetty
+file\&. pam_securetty checks at first, if
+/etc/securetty
+exists\&. If not and it was built with vendordir support, it will use
+<vendordir>/securetty\&. pam_securetty also checks that the
+securetty
+files are plain files and not world writable\&. It will also allow root logins on the tty specified with
+\fBconsole=\fR
+switch on the kernel command line and on ttys from the
+/sys/class/tty/console/active\&.
+.PP
+This module has no effect on non\-root users and requires that the application fills in the
+\fBPAM_TTY\fR
+item correctly\&.
+.PP
+For canonical usage, should be listed as a
+\fBrequired\fR
+authentication method before any
+\fBsufficient\fR
+authentication methods\&.
+.SH "OPTIONS"
+.PP
+\fBdebug\fR
+.RS 4
+Print debug information\&.
+.RE
+.PP
+\fBnoconsole\fR
+.RS 4
+Do not automatically allow root logins on the kernel console device, as specified on the kernel command line or by the sys file, if it is not also specified in the
+securetty
+file\&.
+.RE
+.SH "MODULE TYPES PROVIDED"
+.PP
+Only the
+\fBauth\fR
+module type is provided\&.
+.SH "RETURN VALUES"
+.PP
+PAM_SUCCESS
+.RS 4
+The user is allowed to continue authentication\&. Either the user is not root, or the root user is trying to log in on an acceptable device\&.
+.RE
+.PP
+PAM_AUTH_ERR
+.RS 4
+Authentication is rejected\&. Either root is attempting to log in via an unacceptable device, or the
+securetty
+file is world writable or not a normal file\&.
+.RE
+.PP
+PAM_BUF_ERR
+.RS 4
+Memory buffer error\&.
+.RE
+.PP
+PAM_CONV_ERR
+.RS 4
+The conversation method supplied by the application failed to obtain the username\&.
+.RE
+.PP
+PAM_INCOMPLETE
+.RS 4
+The conversation method supplied by the application returned PAM_CONV_AGAIN\&.
+.RE
+.PP
+PAM_SERVICE_ERR
+.RS 4
+An error occurred while the module was determining the user\*(Aqs name or tty, or the module could not open the
+securetty
+file\&.
+.RE
+.PP
+PAM_USER_UNKNOWN
+.RS 4
+The module could not find the user name in the
+/etc/passwd
+file to verify whether the user had a UID of 0\&. Therefore, the results of running this module are ignored\&.
+.RE
+.SH "EXAMPLES"
+.PP
+.if n \{\
+.RS 4
+.\}
+.nf
+auth required pam_securetty\&.so
+auth required pam_unix\&.so
+
+.fi
+.if n \{\
+.RE
+.\}
+.sp
+.SH "SEE ALSO"
+.PP
+\fBsecuretty\fR(5),
+\fBpam.conf\fR(5),
+\fBpam.d\fR(5),
+\fBpam\fR(8)
+.SH "AUTHOR"
+.PP
+pam_securetty was written by Elliot Lee <sopwith@cuc\&.edu>\&.
diff --git a/modules/pam_securetty/pam_securetty.8.xml b/modules/pam_securetty/pam_securetty.8.xml
new file mode 100644
index 0000000..e49d572
--- /dev/null
+++ b/modules/pam_securetty/pam_securetty.8.xml
@@ -0,0 +1,202 @@
+<?xml version="1.0" encoding='UTF-8'?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
+ "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">
+
+<refentry id="pam_securetty">
+
+ <refmeta>
+ <refentrytitle>pam_securetty</refentrytitle>
+ <manvolnum>8</manvolnum>
+ <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo>
+ </refmeta>
+
+ <refnamediv id="pam_securetty-name">
+ <refname>pam_securetty</refname>
+ <refpurpose>Limit root login to special devices</refpurpose>
+ </refnamediv>
+
+ <refsynopsisdiv>
+ <cmdsynopsis id="pam_securetty-cmdsynopsis">
+ <command>pam_securetty.so</command>
+ <arg choice="opt">
+ debug
+ </arg>
+ </cmdsynopsis>
+ </refsynopsisdiv>
+
+ <refsect1 id="pam_securetty-description">
+
+ <title>DESCRIPTION</title>
+
+ <para>
+ pam_securetty is a PAM module that allows root logins only if the
+ user is logging in on a "secure" tty, as defined by the listing
+ in the <filename>securetty</filename> file. pam_securetty checks at
+ first, if <filename>/etc/securetty</filename> exists. If not and
+ it was built with vendordir support, it will use
+ <filename>%vendordir%/securetty</filename>. pam_securetty also
+ checks that the <filename>securetty</filename> files are plain
+ files and not world writable. It will also allow root logins on
+ the tty specified with <option>console=</option> switch on the
+ kernel command line and on ttys from the
+ <filename>/sys/class/tty/console/active</filename>.
+ </para>
+ <para>
+ This module has no effect on non-root users and requires that the
+ application fills in the <emphasis remap='B'>PAM_TTY</emphasis>
+ item correctly.
+ </para>
+ <para>
+ For canonical usage, should be listed as a
+ <emphasis remap='B'>required</emphasis> authentication method
+ before any <emphasis remap='B'>sufficient</emphasis>
+ authentication methods.
+ </para>
+ </refsect1>
+
+ <refsect1 id="pam_securetty-options">
+ <title>OPTIONS</title>
+ <variablelist>
+ <varlistentry>
+ <term>
+ <option>debug</option>
+ </term>
+ <listitem>
+ <para>
+ Print debug information.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ <option>noconsole</option>
+ </term>
+ <listitem>
+ <para>
+ Do not automatically allow root logins on the kernel console
+ device, as specified on the kernel command line or by the sys file,
+ if it is not also specified in the
+ <filename>securetty</filename> file.
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </refsect1>
+
+ <refsect1 id="pam_securetty-types">
+ <title>MODULE TYPES PROVIDED</title>
+ <para>
+ Only the <option>auth</option> module type is provided.
+ </para>
+ </refsect1>
+
+ <refsect1 id='pam_securetty-return_values'>
+ <title>RETURN VALUES</title>
+ <variablelist>
+ <varlistentry>
+ <term>PAM_SUCCESS</term>
+ <listitem>
+ <para>
+ The user is allowed to continue authentication.
+ Either the user is not root, or the root user is
+ trying to log in on an acceptable device.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>PAM_AUTH_ERR</term>
+ <listitem>
+ <para>
+ Authentication is rejected. Either root is attempting to
+ log in via an unacceptable device, or the
+ <filename>securetty</filename> file is world writable or
+ not a normal file.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>PAM_BUF_ERR</term>
+ <listitem>
+ <para>
+ Memory buffer error.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>PAM_CONV_ERR</term>
+ <listitem>
+ <para>
+ The conversation method supplied by the application
+ failed to obtain the username.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>PAM_INCOMPLETE</term>
+ <listitem>
+ <para>
+ The conversation method supplied by the application
+ returned PAM_CONV_AGAIN.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>PAM_SERVICE_ERR</term>
+ <listitem>
+ <para>
+ An error occurred while the module was determining the
+ user's name or tty, or the module could not open
+ the <filename>securetty</filename> file.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>PAM_USER_UNKNOWN</term>
+ <listitem>
+ <para>
+ The module could not find the user name in the
+ <filename>/etc/passwd</filename> file to verify whether
+ the user had a UID of 0. Therefore, the results of running
+ this module are ignored.
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </refsect1>
+
+ <refsect1 id='pam_securetty-examples'>
+ <title>EXAMPLES</title>
+ <para>
+ <programlisting>
+auth required pam_securetty.so
+auth required pam_unix.so
+ </programlisting>
+ </para>
+ </refsect1>
+
+ <refsect1 id='pam_securetty-see_also'>
+ <title>SEE ALSO</title>
+ <para>
+ <citerefentry>
+ <refentrytitle>securetty</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+
+ <refsect1 id='pam_securetty-author'>
+ <title>AUTHOR</title>
+ <para>
+ pam_securetty was written by Elliot Lee &lt;sopwith@cuc.edu&gt;.
+ </para>
+ </refsect1>
+
+</refentry>
generated by cgit v1.2.3 (git 2.39.1) at 2024-08-13 23:57:49 +0000