5069 Removal of wu-ftpd
Reviewed by: Josef 'Jeff' Sipek <josef.sipek@nexenta.com>
Reviewed by: Garrett D'Amore <garrett@damore.org>
Reviewed by: Milan Jurik <milan.jurik@xylab.cz>
Reviewed by: Igor Kozhukhov <ikozhukhov@gmail.com>
Reviewed by: Gary Mills <gary_mills@fastmail.fm>
Reviewed by: Toomas Soome <tsoome@me.com>
Reviewed by: Adam Stevko <adam.stevko@gmail.com>
--- old/usr/src/man/man4/pam.conf.4
+++ new/usr/src/man/man4/pam.conf.4
1 1 '\" te
2 2 .\" Copyright (C) 2006, Sun Microsystems, Inc. All Rights Reserved.
3 3 .\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License.
4 4 .\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing. See the License for the specific language governing permissions and limitations under the License.
5 5 .\" When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
6 6 .TH PAM.CONF 4 "Jun 19, 2006"
7 7 .SH NAME
8 8 pam.conf \- configuration file for pluggable authentication modules
9 9 .SH SYNOPSIS
10 10 .LP
11 11 .nf
12 12 \fB/etc/pam.conf\fR
13 13 .fi
14 14
15 15 .SH DESCRIPTION
16 -.sp
17 16 .LP
18 17 \fBpam.conf\fR is the configuration file for the Pluggable Authentication
19 18 Module architecture, or \fBPAM\fR. A \fBPAM\fR module provides functionality
20 19 for one or more of four possible services: authentication, account management,
21 20 session management, and password management.
22 21 .sp
23 22 .ne 2
24 23 .na
25 24 \fBauthentication service module\fR
26 25 .ad
27 26 .sp .6
28 27 .RS 4n
29 28 Provides functionality to authenticate a user and set up user credentials.
30 29 .RE
31 30
32 31 .sp
33 32 .ne 2
34 33 .na
35 34 \fBaccount management module\fR
36 35 .ad
37 36 .sp .6
38 37 .RS 4n
39 38 Provides functionality to determine if the current user's account is valid.
40 39 This includes checking for password and account expiration, as well as
41 40 verifying access hour restrictions.
42 41 .RE
43 42
44 43 .sp
45 44 .ne 2
46 45 .na
47 46 \fBsession management module\fR
48 47 .ad
49 48 .sp .6
50 49 .RS 4n
51 50 Provides functionality to set up and terminate login sessions.
52 51 .RE
53 52
54 53 .sp
55 54 .ne 2
56 55 .na
57 56 \fBpassword management module\fR
58 57 .ad
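Review bot: the `.sp` deleted at old line 16 sits directly after `.SH DESCRIPTION`, where the heading macro already supplies the vertical space, so dropping it is a correct cleanup, but it is formatting-only and unrelated to the wu-ftpd removal this change is about (the same goes for the matching `.sp` deletions after the other `.SH`/`.SS` headings further down); the commit message should mention that the page was also tidied. Since the page's content changes, the date in `.TH PAM.CONF 4 "Jun 19, 2006"` (line 6) should be bumped as well, as is usual for an edited manual page.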
59 58 .sp .6
60 59 .RS 4n
61 60 Provides functionality to change a user's authentication token or password.
62 61 .RE
63 62
64 63 .sp
65 64 .LP
66 65 Each of the four service modules can be implemented as a shared library object
67 66 which can be referenced in the \fBpam.conf\fR configuration file.
68 67 .SS "Simplified pam.conf Configuration File"
69 -.sp
70 68 .LP
71 69 The \fBpam.conf\fR file contains a listing of services. Each service is paired
72 70 with a corresponding service module. When a service is requested, its
73 71 associated module is invoked. Each entry may be a maximum of 256 characters,
74 72 including the end of line, and has the following format:
75 73 .sp
76 74 .in +2
77 75 .nf
78 76 \fIservice_name module_type control_flag module_path options\fR
79 77 .fi
80 78 .in -2
81 79 .sp
82 80
83 81 .sp
84 82 .LP
85 83 The following is an example of a \fBpam.conf\fR configuration file with support
86 84 for authentication, account management, session management and password
87 85 management modules (See the \fBpam.conf\fR file that is shipped with your
88 86 system for the contents of this file):
89 87 .sp
90 88 .in +2
91 89 .nf
92 90 login auth requisite pam_authtok_get.so.1
93 91 login auth required pam_dhkeys.so.1
94 92 login auth required pam_unix_auth.so.1
95 93 login auth required pam_dial_auth.so.1
96 94
97 95 other account requisite pam_roles.so.1
98 96 other account required pam_unix_account.so.1
99 97
100 98 other session required pam_unix_session.so.1
101 99
102 100 other password required pam_dhkeys.so.1
103 101 other password requisite pam_authtok_get.so.1
104 102 other password requisite pam_authtok_check.so.1
105 103 other password required pam_authtok_store.so.1
106 104 .fi
107 105 .in -2
108 106
109 107 .sp
110 108 .LP
111 109 \fIservice_name\fR denotes the service (for example, \fBlogin\fR,
112 110 \fBdtlogin\fR, or \fBrlogin\fR).
113 111 .sp
114 112 .LP
115 113 The keyword, "\fBother\fR," indicates the module that all other applications
116 114 which have not been specified should use. The "\fBother\fR" keyword can also be
117 115 used if all services of the same \fImodule_type\fR have the same requirements.
118 116 .sp
119 117 .LP
120 118 In the example, since all of the services use the same session module, they
121 119 could have been replaced by a single \fBother\fR line.
122 120 .sp
123 121 .LP
124 122 \fImodule_type\fR denotes the service module type: authentication (\fBauth\fR),
125 123 account management (\fBaccount\fR), session management (\fBsession\fR), or
126 124 password management (\fBpassword\fR).
127 125 .sp
128 126 .LP
129 127 The \fIcontrol_flag\fR field determines the behavior of stacking.
130 128 .sp
131 129 .LP
132 130 The \fImodule_path\fR field specifies the relative pathname to a shared library
133 131 object, or an included \fBPAM\fR configuration file, which implements the
134 132 service functionality. If the pathname is not absolute, shared library objects
135 133 are assumed to be relative to \fB/usr/lib/security/$ISA/\fR, and included
136 134 \fBPAM\fR configuration files are assumed to be relative to
137 135 \fB/usr/lib/security/\fR.
138 136 .sp
139 137 .LP
140 138 The \fBISA\fR token is replaced by an implementation defined directory name
141 139 which defines the path relative to the calling program's instruction set
142 140 architecture.
143 141 .sp
144 142 .LP
145 143 The \fIoptions\fR field is used by the \fBPAM\fR framework layer to pass module
146 144 specific options to the modules. It is up to the module to parse and interpret
147 145 the options.
148 146 .sp
149 147 .LP
150 148 This field can be used by the modules to turn on debugging or to pass any
151 149 module specific parameters such as a \fBTIMEOUT\fR value. The options supported
152 150 by the modules are documented in their respective manual pages.
153 151 .SS "Integrating Multiple Authentication Services With Stacking"
154 -.sp
155 152 .LP
156 153 When a \fIservice_name\fR of the same \fImodule_type\fR is defined more than
157 154 once, the service is said to be stacked. Each module referenced in the
158 155 \fImodule_path\fR for that service is then processed in the order that it
159 156 occurs in the configuration file. The \fIcontrol_flag\fR field specifies the
160 157 continuation and failure semantics of the modules, and can contain one of the
161 158 following values:
162 159 .sp
163 160 .ne 2
164 161 .na
165 162 \fB\fBbinding\fR\fR
166 163 .ad
167 164 .RS 14n
168 165 If the service module returns success and no preceding \fBrequired\fR modules
169 166 returned failures, immediately return success without calling any subsequent
170 167 modules. If a failure is returned, treat the failure as a \fBrequired\fR module
171 168 failure, and continue to process the \fBPAM\fR stack.
172 169 .RE
173 170
174 171 .sp
175 172 .ne 2
176 173 .na
177 174 \fB\fBinclude\fR\fR
178 175 .ad
179 176 .RS 14n
180 177 Process the lines from the \fBPAM\fR configuration file that is specified in
181 178 the \fImodule_path\fR at this point in the \fBPAM\fR stack. The ``\fBother\fR''
182 179 keyword is used if the specified service_name is not found. 32 levels of
183 180 included \fBPAM\fR configuration files are supported. Any options are ignored.
184 181 .RE
185 182
186 183 .sp
187 184 .ne 2
188 185 .na
189 186 \fB\fBoptional\fR\fR
190 187 .ad
191 188 .RS 14n
192 189 If the service module returns success, record the success, and continue to
193 190 process the \fBPAM\fR stack. If a failure is returned, and it is the first
194 191 \fBoptional\fR module failure, save the failure code as an \fBoptional\fR
195 192 failure. Continue to process the \fBPAM\fR stack.
196 193 .RE
197 194
198 195 .sp
199 196 .ne 2
200 197 .na
201 198 \fB\fBrequired\fR\fR
202 199 .ad
203 200 .RS 14n
204 201 If the service module returns success, record the success, and continue to
205 202 process the \fBPAM\fR stack. If a failure is returned, and it is the first
206 203 \fBrequired\fR failure, save the failure code as a \fBrequired\fR failure.
207 204 Continue to process the \fBPAM\fR stack.
208 205 .RE
209 206
210 207 .sp
211 208 .ne 2
212 209 .na
213 210 \fB\fBrequisite\fR\fR
214 211 .ad
215 212 .RS 14n
216 213 If the service module returns success, record the success, and continue to
217 214 process the \fBPAM\fR stack. If a failure is returned, immediately return the
218 215 first non-optional failure value recorded without calling any subsequent
219 216 modules. That is, return this failure unless a previous required service module
220 217 failed. If a previous required service module failed, then return the first of
221 218 those values.
222 219 .RE
223 220
224 221 .sp
225 222 .ne 2
226 223 .na
227 224 \fB\fBsufficient\fR\fR
228 225 .ad
229 226 .RS 14n
230 227 If the service module return success and no preceding required modules returned
231 228 failures, immediately return success without calling any subsequent modules. If
232 229 a failure is returned, treat the failure as an optional module failure, and
233 230 continue to process the \fBPAM\fR stack.
234 231 .RE
235 232
236 233 .sp
237 234 .LP
238 235 If the \fBPAM\fR stack runs to completion, that is, neither a \fBrequisite\fR
239 236 module failed, nor a \fBbinding\fR or \fBsufficient\fR module success stops it,
240 237 success is returned if no required modules failed and at least one required,
241 238 requisite, optional module succeeded. If no module succeeded and a required or
242 239 binding module failed, the first of those errors is returned. If no required or
243 240 binding module failed and an optional module failed, the first of the option
244 241 module errors is returned. If no module in the stack succeeded or failed, that
245 242 is, all modules returned an ignore status, a default error based on module
246 243 type, for example, "User account expired," is returned.
247 244 .sp
248 245 .LP
249 246 All errors in \fBpam.conf\fR entries are logged to \fBsyslog\fR as
250 247 \fBLOG_AUTH\fR | \fBLOG_ERR\fR errors. The use of a service with an error noted
251 248 in the \fBpam.conf\fR entry for that service will fail. The system
252 249 administrator will need to correct the noted errors before that service may be
253 250 used. If no services are available or the \fBpam.conf\fR file is missing, the
254 251 system administrator may enter system maintenance mode to correct or restore
255 252 the file.
256 253 .sp
257 254 .LP
258 255 The following is a sample configuration file that stacks the \fBsu\fR,
259 256 \fBlogin\fR, and \fBrlogin\fR services.
260 257 .sp
261 258 .in +2
262 259 .nf
263 260 su auth required pam_inhouse.so.1
264 261 su auth requisite pam_authtok_get.so.1
265 262 su auth required pam_dhkeys.so.1
266 263 su auth required pam_unix_auth.so.1
267 264
268 265 login auth requisite pam_authtok_get.so.1
269 266 login auth required pam_dhkeys.so.1
270 267 login auth required pam_unix_auth.so.1
271 268 login auth required pam_dial_auth.so.1
272 269 login auth optional pam_inhouse.so.1
273 270
274 271 rlogin auth sufficient pam_rhosts_auth.so.1
275 272 rlogin auth requisite pam_authtok_get.so.1
276 273 rlogin auth required pam_dhkeys.so.1
277 274 rlogin auth required pam_unix_auth.so.1
278 275 .fi
279 276 .in -2
280 277
281 278 .sp
282 279 .LP
283 280 In the case of \fBsu\fR, the user is authenticated by the \fBinhouse\fR and
284 281 \fBauthtok_get\fR, \fBdhkeys\fR, and \fBunix_auth\fR authentication modules.
285 282 Because the \fBinhouse\fR and the other authentication modules are
286 283 \fBrequired\fR and \fBrequisite\fR, respectively, an error is returned back to
287 284 the application if any module fails. In addition, if the \fBrequisite\fR
288 285 authentication (\fBpam_authtok_get\fR authentication) fails, the other
289 286 authentication modules are never invoked, and the error is returned immediately
290 287 back to the application.
291 288 .sp
292 289 .LP
293 290 In the case of \fBlogin\fR, the \fBrequired\fR keyword for \fIcontrol_flag\fR
294 291 requires that the user be allowed to login only if the user is authenticated by
295 292 all the service modules. If \fBpam_unix_auth\fR authentication fails, control
296 293 continues to proceed down the stack, and the \fBinhouse\fR authentication
297 294 module is invoked. \fBinhouse\fR authentication is optional by virtue of the
298 295 optional keyword in the \fIcontrol_flag\fR field. The user can still log in
299 296 even if \fBinhouse\fR authentication fails, assuming the modules stacked above
300 297 succeeded.
301 298 .sp
302 299 .LP
303 300 In the case of \fBrlogin\fR, the \fBsufficient\fR keyword for
304 301 \fIcontrol_flag\fR specifies that if the \fBrhosts\fR authentication check
305 302 succeeds, then \fBPAM\fR should return success to \fBrlogin\fR and \fBrlogin\fR
306 303 should not prompt the user for a password. The other authentication modules,
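Review bot: the `.sp` removed at old line 154 after `.SS "Integrating Multiple Authentication Services With Stacking"` is the same heading-spacing cleanup; while this section is being touched, two typos in the unchanged context are worth fixing in the same pass: line 230 `If the service module return success` should read `returns success`, and line 243 `the first of the option module errors` should read `optional module errors`.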
307 304 which are in the stack, will only be invoked if the \fBrhosts\fR check fails.
308 305 This gives the system administrator the flexibility to determine if
309 306 \fBrhosts\fR alone is sufficient enough to authenticate a remote user.
310 307 .sp
311 308 .LP
312 309 Some modules return \fBPAM_IGNORE\fR in certain situations. In these cases the
313 310 \fBPAM\fR framework ignores the entire entry in \fBpam.conf\fR regardless of
314 311 whether or not it is \fBbinding\fR, \fBrequisite\fR, \fBrequired\fR,
315 312 \fBoptional\fR, or \fBsufficient\fR.
316 313 .SS "Utilities and Files"
317 -.sp
318 314 .LP
319 315 The specific service names and module types for each service should be
320 316 documented in the man page for that service. For instance, the \fBsshd\fR(1M)
321 317 man page lists all of the \fBPAM\fR service names and module types for the
322 318 \fBsshd\fR command.
323 319 .sp
324 320 .LP
325 321 The \fBPAM\fR configuration file does not dictate either the name or the
326 322 location of the service specific modules. The convention, however, is the
327 323 following:
328 324 .sp
329 325 .ne 2
330 326 .na
331 327 \fB\fBpam_module_name.so.x\fR\fR
332 328 .ad
333 329 .RS 29n
334 330 File that implements various function of specific authentication services. As
335 331 the relative pathname specified, \fB/usr/lib/security/$ISA\fR is prepended to
336 332 it.
337 333 .RE
338 334
339 335 .sp
340 336 .ne 2
341 337 .na
342 338 \fB\fB/etc/pam.conf\fR\fR
343 339 .ad
344 340 .RS 29n
345 341 Configuration file
346 342 .RE
347 343
348 344 .sp
349 345 .ne 2
350 346 .na
351 347 \fB\fB/usr/lib/$ISA/libpam.so.1\fR\fR
352 348 .ad
353 349 .RS 29n
354 350 File that implements the \fBPAM\fR framework library
355 351 .RE
356 352
357 353 .SH EXAMPLES
358 354 .LP
359 355 \fBExample 1 \fRUsing the include control flag
360 356 .sp
361 357 .LP
362 358 The following example collects the common Unix modules into a single file to be
363 359 included as needed in the example of a \fBpam.conf\fR file. The common Unix
364 360 module file is named \fBunix_common\fR and consists of:
365 361
366 362 .sp
367 363 .in +2
368 364 .nf
369 365 OTHER auth requisite pam_authtok_get.so.1
370 366 OTHER auth required pam_dhkeys.so.1
371 367 OTHER auth required pam_unix_auth.so.1
372 368 OTHER auth required pam_unix_cred.so.1
373 369 OTHER account requisite pam_roles.so.1
374 370 OTHER account required pam_unix_account.so.1
375 371 OTHER session required pam_unix_session.so.1
376 372 OTHER password required pam_dhkeys.so.1
377 373 OTHER password requisite pam_authtok_get.so.1
378 374 OTHER password requisite pam_authtok_check.so.1
379 375 OTHER password required pam_authtok_store.so.1
380 376 .fi
381 377 .in -2
382 378 .sp
383 379
384 380 .sp
385 381 .LP
386 382 The \fBpam.conf\fR file and consists of:
387 383
388 384 .sp
389 385 .in +2
390 386 .nf
391 387 # Authentication management
392 388 #
393 389 # login service (explicit because of pam_dial_auth)
394 390 #
395 391 login auth include unix_common
396 392 login auth required pam_dial_auth.so.1
397 393 #
398 394 # rlogin service (explicit because of pam_rhost_auth)
399 395 #
400 396 rlogin auth sufficient pam_rhosts_auth.so.1
401 397 rlogin auth include unix_common
402 398 #
403 399 # Default definitions for Authentication management
404 400 # Used when service name is not explicitly mentioned
405 401 #
406 402 OTHER auth include unix_common
407 403 #
408 404 # Default definition for Account management
409 405 # Used when service name is not explicitly mentioned
410 406 #
411 407 OTHER account include unix_common
412 408 #
413 409 # Default definition for Session management
414 410 # Used when service name is not explicitly mentioned
415 411 #
416 412 OTHER session include unix_common
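Review bot: the comment at line 398, `# rlogin service (explicit because of pam_rhost_auth)`, does not match the module actually listed at line 400, `pam_rhosts_auth.so.1`; since the `.sp` after `.SS "Utilities and Files"` (old line 317) is already being cleaned up in this region, fix the comment to `pam_rhosts_auth` and drop the stray `and` in line 386, `The \fBpam.conf\fR file and consists of:`.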
417 413 #
418 414 # Default definition for Password management
419 415 # Used when service name is not explicitly mentioned
420 416 #
421 417 OTHER password include unix_common
422 418 .fi
423 419 .in -2
424 420 .sp
425 421
426 422 .SH ATTRIBUTES
427 -.sp
428 423 .LP
429 424 See \fBattributes\fR(5) for descriptions of the following attributes:
430 425 .sp
431 426
432 427 .sp
433 428 .TS
434 429 box;
435 430 c | c
436 431 l | l .
437 432 ATTRIBUTE TYPE ATTRIBUTE VALUE
438 433 _
439 434 Interface Stability See Below.
440 435 .TE
441 436
442 437 .sp
443 438 .LP
444 439 The format is Stable. The contents has no stability attributes.
445 440 .SH SEE ALSO
446 -.sp
447 441 .LP
448 -\fBlogin\fR(1), \fBpasswd\fR(1), \fBin.ftpd\fR(1M), \fBin.rlogind\fR(1M),
442 +\fBlogin\fR(1), \fBpasswd\fR(1), \fBin.rlogind\fR(1M),
449 443 \fBin.rshd\fR(1M), \fBin.telnetd\fR(1M), \fBin.uucpd\fR(1M), \fBinit\fR(1M),
450 444 \fBrpc.rexd\fR(1M), \fBsac\fR(1M), \fBttymon\fR(1M), \fBsu\fR(1M),
451 445 \fBpam\fR(3PAM), \fBsyslog\fR(3C), \fBlibpam\fR(3LIB), \fBattributes\fR(5),
452 446 \fBenviron\fR(5), \fBpam_authtok_check\fR(5), \fBpam_authtok_get\fR(5),
453 447 \fBpam_authtok_store\fR(5), \fBpam_dhkeys\fR(5), \fBpam_krb5\fR(5),
454 448 \fBpam_passwd_auth\fR(5), \fBpam_unix_account\fR(5), \fBpam_unix_auth\fR(5),
455 449 \fBpam_unix_session\fR(5)
456 450 .SH NOTES
457 -.sp
458 451 .LP
459 452 The \fBpam_unix\fR module is no longer supported. Similar functionality is
460 453 provided by \fBpam_authtok_check\fR(5), \fBpam_authtok_get\fR(5),
461 454 \fBpam_authtok_store\fR(5), \fBpam_dhkeys\fR(5), \fBpam_passwd_auth\fR(5),
462 455 \fBpam_unix_account\fR(5), \fBpam_unix_auth\fR(5), and
463 456 \fBpam_unix_session\fR(5).
464 457 .sp
465 458 .LP
466 459 With the removal of the \fBpam_unix\fR module, the SunOS delivered PAM service
467 460 modules no longer need or support the "\fBuse_first_pass\fR" or
468 461 "\fBtry_first_pass\fR" options. This functionality is provided by stacking
469 462 \fBpam_authtok_get\fR(5) above a module that requires a password.
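Review bot: dropping `\fBin.ftpd\fR(1M)` from SEE ALSO (old line 448 / new line 442) is the only substantive change in this file and is the right follow-through for removing wu-ftpd, whose daemon manual page this cross-reference pointed at; the remaining daemon references on lines 449-450 (`in.rlogind`, `in.rshd`, `in.telnetd`, `in.uucpd`, `rpc.rexd`) are untouched and should be checked to still resolve to pages in the tree so the list does not carry another dangling entry. The three `.sp` deletions after `.SH ATTRIBUTES`, `.SH SEE ALSO` and `.SH NOTES` are formatting-only. If line 444 is touched, `The contents has no stability attributes` should read `The contents have no stability attributes`.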