[b4b71892] | 1 | <?xml version="1.0" encoding="ISO-8859-1"?>
|
---|
[6732c094] | 2 | <!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
|
---|
| 3 | "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
|
---|
[b4b71892] | 4 | <!ENTITY % general-entities SYSTEM "../../general.ent">
|
---|
| 5 | %general-entities;
|
---|
| 6 |
|
---|
[1ae6204] | 7 | <!ENTITY linux-pam-download-http "https://fedorahosted.org/releases/l/i/linux-pam/Linux-PAM-&linux-pam-version;.tar.bz2">
|
---|
| 8 | <!ENTITY linux-pam-download-ftp " ">
|
---|
| 9 | <!ENTITY linux-pam-md5sum "927ee5585bdec5256c75117e9348aa47">
|
---|
[a263ccb3] | 10 | <!ENTITY linux-pam-size "1.1 MB">
|
---|
[1ae6204] | 11 | <!ENTITY linux-pam-buildsize "28 MB (includes installing the optional documentation)">
|
---|
| 12 | <!ENTITY linux-pam-time "0.3 SBU">
|
---|
[903f671] | 13 |
|
---|
[1ae6204] | 14 | <!ENTITY linux-pam-docs-download "https://fedorahosted.org/releases/l/i/linux-pam/Linux-PAM-&linux-pam-version;-docs.tar.bz2">
|
---|
| 15 | <!ENTITY linux-pam-docs-md5sum "987e14ddce375ec7ddd2b91fbc2bd46d">
|
---|
| 16 | <!ENTITY linux-pam-docs-size "487 KB">
|
---|
| 17 | <!ENTITY debian-pam-docs "http://debian.securedservers.com/kernel/pub/linux/libs/pam">
|
---|
[b4b71892] | 18 | ]>
|
---|
| 19 |
|
---|
[6603f8b] | 20 | <sect1 id="linux-pam" xreflabel="Linux-PAM-&linux-pam-version;">
|
---|
| 21 | <?dbhtml filename="linux-pam.html"?>
|
---|
[c7eb655] | 22 |
|
---|
| 23 | <sect1info>
|
---|
| 24 | <othername>$LastChangedBy$</othername>
|
---|
| 25 | <date>$Date$</date>
|
---|
| 26 | </sect1info>
|
---|
| 27 |
|
---|
[6603f8b] | 28 | <title>Linux-PAM-&linux-pam-version;</title>
|
---|
[c7eb655] | 29 |
|
---|
[6603f8b] | 30 | <indexterm zone="linux-pam">
|
---|
| 31 | <primary sortas="a-Linux-PAM">Linux-PAM</primary>
|
---|
[c7eb655] | 32 | </indexterm>
|
---|
| 33 |
|
---|
| 34 | <sect2 role="package">
|
---|
| 35 | <title>Introduction to Linux-PAM</title>
|
---|
| 36 |
|
---|
| 37 | <para>The <application>Linux-PAM</application> package contains
|
---|
| 38 | Pluggable Authentication Modules. This is useful to enable the
|
---|
| 39 | local system administrator to choose how applications authenticate
|
---|
| 40 | users.</para>
|
---|
| 41 |
|
---|
[1ae6204] | 42 | &lfs70_checked;
|
---|
[f4797d2] | 43 |
|
---|
[c7eb655] | 44 | <bridgehead renderas="sect3">Package Information</bridgehead>
|
---|
| 45 | <itemizedlist spacing="compact">
|
---|
| 46 | <listitem>
|
---|
[6603f8b] | 47 | <para>Download (HTTP): <ulink url="&linux-pam-download-http;"/></para>
|
---|
[c7eb655] | 48 | </listitem>
|
---|
| 49 | <listitem>
|
---|
[6603f8b] | 50 | <para>Download (FTP): <ulink url="&linux-pam-download-ftp;"/></para>
|
---|
[c7eb655] | 51 | </listitem>
|
---|
| 52 | <listitem>
|
---|
[6603f8b] | 53 | <para>Download MD5 sum: &linux-pam-md5sum;</para>
|
---|
[c7eb655] | 54 | </listitem>
|
---|
| 55 | <listitem>
|
---|
[6603f8b] | 56 | <para>Download size: &linux-pam-size;</para>
|
---|
[c7eb655] | 57 | </listitem>
|
---|
| 58 | <listitem>
|
---|
[6603f8b] | 59 | <para>Estimated disk space required: &linux-pam-buildsize;</para>
|
---|
[c7eb655] | 60 | </listitem>
|
---|
| 61 | <listitem>
|
---|
[6603f8b] | 62 | <para>Estimated build time: &linux-pam-time;</para>
|
---|
[c7eb655] | 63 | </listitem>
|
---|
| 64 | </itemizedlist>
|
---|
| 65 |
|
---|
| 66 | <bridgehead renderas="sect3">Additional Downloads</bridgehead>
|
---|
| 67 | <itemizedlist spacing='compact'>
|
---|
[07f0c976] | 68 | <title>Optional Documentation</title>
|
---|
[c7eb655] | 69 | <listitem>
|
---|
[07f0c976] | 70 | <para>Download (HTTP): <ulink url="&linux-pam-docs-download;"/></para>
|
---|
[903f671] | 71 | </listitem>
|
---|
| 72 | <listitem>
|
---|
[07f0c976] | 73 | <para>Download MD5 sum: &linux-pam-docs-md5sum;</para>
|
---|
[903f671] | 74 | </listitem>
|
---|
| 75 | <listitem>
|
---|
| 76 | <para>Download size &linux-pam-docs-size;</para>
|
---|
[6576f3e] | 77 | </listitem>
|
---|
| 78 | </itemizedlist>
|
---|
| 79 |
|
---|
[c7eb655] | 80 | <bridgehead renderas="sect3">Linux-PAM Dependencies</bridgehead>
|
---|
| 81 |
|
---|
| 82 | <bridgehead renderas="sect4">Optional</bridgehead>
|
---|
[903f671] | 83 | <para role="optional"><xref linkend="cracklib"/>,
|
---|
[de7f20e] | 84 | <xref linkend="x-window-system"/>,
|
---|
| 85 | <xref linkend="db"/> (for the pam_userdb module), and
|
---|
[c03a8bd] | 86 | <ulink url="http://www.prelude-ids.org/">Prelude</ulink></para>
|
---|
| 87 |
|
---|
| 88 | <bridgehead renderas="sect4">Optional (To {,Re}build the Documentation)</bridgehead>
|
---|
| 89 | <para role="optional"><xref linkend="libxslt"/>,
|
---|
| 90 | <xref linkend="DocBook"/>,
|
---|
| 91 | <xref linkend="docbook-xsl"/>,
|
---|
| 92 | <xref linkend="w3m"/>, and
|
---|
| 93 | <xref linkend="fop"/></para>
|
---|
[c7eb655] | 94 |
|
---|
[3597eb6] | 95 | <para condition="html" role="usernotes">User Notes:
|
---|
| 96 | <ulink url="&blfs-wiki;/linux-pam"/></para>
|
---|
| 97 |
|
---|
[c7eb655] | 98 | </sect2>
|
---|
| 99 |
|
---|
| 100 | <sect2 role="installation">
|
---|
| 101 | <title>Installation of Linux-PAM</title>
|
---|
| 102 |
|
---|
[903f671] | 103 | <para>If you downloaded the documentation, unpack the tarball by issuing
|
---|
| 104 | the following command.</para>
|
---|
| 105 |
|
---|
[651ec29] | 106 | <screen><userinput>tar -xf ../Linux-PAM-&linux-pam-version;-docs.tar.bz2 --strip-components=1</userinput></screen>
|
---|
[ccb8b2d] | 107 |
|
---|
[c7eb655] | 108 | <para>Install <application>Linux-PAM</application> by
|
---|
| 109 | running the following commands:</para>
|
---|
| 110 |
|
---|
[903f671] | 111 | <screen><userinput>./configure --sbindir=/lib/security \
|
---|
[c03a8bd] | 112 | --docdir=/usr/share/doc/Linux-PAM-&linux-pam-version; \
|
---|
[dcf7f5bf] | 113 | --disable-nis \
|
---|
[903f671] | 114 | --enable-read-both-confs &&
|
---|
[c7eb655] | 115 | make</userinput></screen>
|
---|
[17fb537e] | 116 |
|
---|
[903f671] | 117 | <para>To test the results, a configuration file must be created. This file
|
---|
| 118 | will be removed after the tests have completed. Ensure there are no errors
|
---|
| 119 | produced by the tests before continuing the installation. First create the
|
---|
| 120 | configuration file by issuing the following commands as the
|
---|
| 121 | <systemitem class="username">root</systemitem> user:</para>
|
---|
| 122 |
|
---|
| 123 | <screen role="root"><userinput>install -v -m755 -d /etc/pam.d &&
|
---|
[c03a8bd] | 124 |
|
---|
[903f671] | 125 | cat > /etc/pam.d/other << "EOF"
|
---|
| 126 | auth required pam_deny.so
|
---|
| 127 | account required pam_deny.so
|
---|
| 128 | password required pam_deny.so
|
---|
| 129 | session required pam_deny.so
|
---|
| 130 | EOF</userinput></screen>
|
---|
[1ad238d8] | 131 |
|
---|
[903f671] | 132 | <para>Now run the tests by issuing <command>make check</command>.</para>
|
---|
| 133 |
|
---|
| 134 | <para>Remove the configuration file created earlier by issuing the
|
---|
| 135 | following command as the
|
---|
| 136 | <systemitem class="username">root</systemitem> user:</para>
|
---|
| 137 |
|
---|
| 138 | <screen role="root"><userinput>rm -rfv /etc/pam.d</userinput></screen>
|
---|
[f691f2b] | 139 |
|
---|
[c7eb655] | 140 | <para>Now, as the <systemitem class="username">root</systemitem> user:</para>
|
---|
[17fb537e] | 141 |
|
---|
[c7eb655] | 142 | <screen role="root"><userinput>make install &&
|
---|
[ee05358] | 143 | chmod -v 4755 /lib/security/unix_chkpwd &&
|
---|
[6869595] | 144 |
|
---|
[ccb8b2d] | 145 | mv -v /lib/security/pam_tally /sbin &&
|
---|
[6869595] | 146 |
|
---|
| 147 | mv -v /lib/libpam{,c,_misc}.la /usr/lib &&
|
---|
| 148 | sed -i 's| /lib| /usr/lib|' /usr/lib/libpam_misc.la &&
|
---|
| 149 |
|
---|
[336d44e3] | 150 | if [ -L /lib/libpam.so ]; then
|
---|
| 151 | for LINK in libpam{,c,_misc}.so; do
|
---|
| 152 | ln -v -sf ../../lib/$(readlink /lib/${LINK}) /usr/lib/${LINK} &&
|
---|
| 153 | rm -v /lib/${LINK}
|
---|
| 154 | done
|
---|
| 155 | fi</userinput></screen>
|
---|
[b4b71892] | 156 |
|
---|
[c7eb655] | 157 | </sect2>
|
---|
[b4b71892] | 158 |
|
---|
[c7eb655] | 159 | <sect2 role="commands">
|
---|
| 160 | <title>Command Explanations</title>
|
---|
[b4b71892] | 161 |
|
---|
[ccb8b2d] | 162 | <para><parameter>--sbindir=/lib/security</parameter>: This parameter
|
---|
[903f671] | 163 | results in three executables, two of which are not intended to be run from
|
---|
| 164 | the command line, being installed in the same directory as the PAM modules.
|
---|
[6869595] | 165 | The other executable is later moved to the
|
---|
[ccb8b2d] | 166 | <filename class='directory'>/sbin</filename> directory.</para>
|
---|
[b4b71892] | 167 |
|
---|
[c03a8bd] | 168 | <para><parameter>--docdir=...</parameter>: This parameter results in
|
---|
[ccb8b2d] | 169 | the documentation being installed in a versioned directory name.</para>
|
---|
[b4b71892] | 170 |
|
---|
[dcf7f5bf] | 171 | <para><parameter>--disable-nis</parameter>: This option disables building
|
---|
| 172 | Network Information Service/Yellow Pages support in pam_unix and pam_access
|
---|
[9d66d2f9] | 173 | as nis is deprecated in glibc.</para>
|
---|
[dcf7f5bf] | 174 |
|
---|
[ccb8b2d] | 175 | <para><parameter>--enable-read-both-confs</parameter>: This parameter
|
---|
| 176 | allows the local administrator to choose which configuration file setup to
|
---|
| 177 | use.</para>
|
---|
[b4b71892] | 178 |
|
---|
[903f671] | 179 | <!-- This appears unnecessary as the xauth module is created even if X
|
---|
| 180 | has not yet been installed.
|
---|
| 181 | <para><parameter>-with-xauth=/usr/X11R6/bin/xauth</parameter>: This
|
---|
[a63de0c] | 182 | parameter forces the build of the pam_xauth module, even if xauth is not
|
---|
| 183 | yet installed. Omit this switch if you have no plans to build
|
---|
| 184 | <application>Xorg</application>, or modify the path if you intend to
|
---|
[903f671] | 185 | install <application>Xorg</application> into a non-standard path.</para> -->
|
---|
[a63de0c] | 186 |
|
---|
[ee05358] | 187 | <para><command>chmod -v 4755 /lib/security/unix_chkpwd</command>:
|
---|
| 188 | The <command>unix_chkpwd</command> password-helper program must be setuid
|
---|
| 189 | so that non-<systemitem class="username">root</systemitem> processes can
|
---|
| 190 | access the shadow-password file.</para>
|
---|
| 191 |
|
---|
[ccb8b2d] | 192 | <para><command>mv -v /lib/security/pam_tally /sbin</command>: The
|
---|
| 193 | <command>pam_tally</command> program is designed to be run by the system
|
---|
| 194 | administrator, possibly in single-user mode, so it is moved to the
|
---|
| 195 | appropriate directory.</para>
|
---|
| 196 |
|
---|
[6869595] | 197 | <para><command>mv -v /lib/libpam{,c,_misc}.la /usr/lib</command>: This
|
---|
| 198 | command moves the <application>Libtool</application> library files to
|
---|
| 199 | <filename class='directory'>/usr/lib</filename> as they are expected to
|
---|
| 200 | reside there.</para>
|
---|
| 201 |
|
---|
| 202 | <para><command>sed -i 's| /lib| /usr/lib|'
|
---|
| 203 | /usr/lib/libpam_misc.la</command>: This command corrects an installation
|
---|
| 204 | reference due to the file being moved in the previous step.</para>
|
---|
| 205 |
|
---|
| 206 | <para><command>for ...; do ...; done</command>: These commands are used
|
---|
[821b3bfc] | 207 | to relocate the <filename class='symlink'>.so</filename> symbolic links
|
---|
| 208 | into the <filename class='directory'>/usr/lib</filename> directory by
|
---|
| 209 | cloning and then removing the existing symlinks. Using
|
---|
| 210 | <command>readlink</command> ensures the new symlinks point at the correct
|
---|
| 211 | library filenames.</para>
|
---|
[aadd9ef] | 212 |
|
---|
[c7eb655] | 213 | </sect2>
|
---|
[b4b71892] | 214 |
|
---|
[c7eb655] | 215 | <sect2 role="configuration">
|
---|
| 216 | <title>Configuring Linux-PAM</title>
|
---|
[b4b71892] | 217 |
|
---|
[c7eb655] | 218 | <sect3 id="pam-config">
|
---|
| 219 | <title>Config Files</title>
|
---|
[b4b71892] | 220 |
|
---|
[c7eb655] | 221 | <para><filename>/etc/security/*</filename> and
|
---|
| 222 | <filename>/etc/pam.d/*</filename> or
|
---|
| 223 | <filename>/etc/pam.conf</filename></para>
|
---|
[b4b71892] | 224 |
|
---|
[6603f8b] | 225 | <indexterm zone="linux-pam pam-config">
|
---|
[c7eb655] | 226 | <primary sortas="e-etc-security">/etc/security/*</primary>
|
---|
| 227 | </indexterm>
|
---|
[b4b71892] | 228 |
|
---|
[6603f8b] | 229 | <indexterm zone="linux-pam pam-config">
|
---|
[c7eb655] | 230 | <primary sortas="e-etc-pam.d">/etc/pam.d/*</primary>
|
---|
| 231 | </indexterm>
|
---|
| 232 |
|
---|
[6603f8b] | 233 | <indexterm zone="linux-pam pam-config">
|
---|
[c7eb655] | 234 | <primary sortas="e-etc-pam.conf">/etc/pam.conf</primary>
|
---|
| 235 | </indexterm>
|
---|
| 236 |
|
---|
| 237 | </sect3>
|
---|
| 238 |
|
---|
| 239 | <sect3>
|
---|
| 240 | <title>Configuration Information</title>
|
---|
| 241 |
|
---|
| 242 | <para>Configuration information is placed in
|
---|
| 243 | <filename class='directory'>/etc/pam.d/</filename> or
|
---|
[ccb8b2d] | 244 | <filename>/etc/pam.conf</filename> depending on system administrator
|
---|
| 245 | preference. Below are example files of each type:</para>
|
---|
[c7eb655] | 246 |
|
---|
| 247 | <screen><literal># Begin /etc/pam.d/other
|
---|
[b4b71892] | 248 |
|
---|
| 249 | auth required pam_unix.so nullok
|
---|
| 250 | account required pam_unix.so
|
---|
| 251 | session required pam_unix.so
|
---|
| 252 | password required pam_unix.so nullok
|
---|
| 253 |
|
---|
| 254 | # End /etc/pam.d/other
|
---|
| 255 |
|
---|
| 256 | # Begin /etc/pam.conf
|
---|
| 257 |
|
---|
| 258 | other auth required pam_unix.so nullok
|
---|
| 259 | other account required pam_unix.so
|
---|
| 260 | other session required pam_unix.so
|
---|
| 261 | other password required pam_unix.so nullok
|
---|
| 262 |
|
---|
[c7eb655] | 263 | # End /etc/pam.conf</literal></screen>
|
---|
| 264 |
|
---|
[1ae6204] | 265 | <para>The <application>PAM</application> man page (<command>man
|
---|
| 266 | pam</command>) provides a good starting point for descriptions of fields
|
---|
| 267 | and allowable entries. The <ulink
|
---|
| 268 | url="&debian-pam-docs;/Linux-PAM-html/Linux-PAM_SAG.html"> Linux-PAM
|
---|
| 269 | System Administrators' Guide</ulink> is recommended for additional
|
---|
| 270 | information.</para>
|
---|
[c7eb655] | 271 |
|
---|
[1ae6204] | 272 | <para>Refer to <ulink url="&debian-pam-docs;/modules.html"/> for a list
|
---|
| 273 | of various third-party modules available.</para>
|
---|
[c7eb655] | 274 |
|
---|
[ccb8b2d] | 275 | <important>
|
---|
[c7eb655] | 276 | <para>You should now reinstall the <xref linkend="shadow"/>
|
---|
| 277 | package.</para>
|
---|
[ccb8b2d] | 278 | </important>
|
---|
[c7eb655] | 279 |
|
---|
| 280 | </sect3>
|
---|
| 281 |
|
---|
| 282 | </sect2>
|
---|
| 283 |
|
---|
| 284 | <sect2 role="content">
|
---|
| 285 | <title>Contents</title>
|
---|
| 286 |
|
---|
| 287 | <segmentedlist>
|
---|
[ccb8b2d] | 288 | <segtitle>Installed Program</segtitle>
|
---|
[c7eb655] | 289 | <segtitle>Installed Libraries</segtitle>
|
---|
| 290 | <segtitle>Installed Directories</segtitle>
|
---|
| 291 |
|
---|
| 292 | <seglistitem>
|
---|
[ccb8b2d] | 293 | <seg>pam_tally</seg>
|
---|
[903f671] | 294 | <seg>libpam.{so,a}, libpamc.{so,a}, libpam_misc.{so,a} and
|
---|
| 295 | numerous PAM modules</seg>
|
---|
[3c9d219] | 296 | <seg>/etc/security, /lib/security, /usr/include/security,
|
---|
| 297 | /usr/share/doc/Linux-PAM-&linux-pam-version;,
|
---|
[903f671] | 298 | and /var/run/sepermit</seg>
|
---|
[c7eb655] | 299 | </seglistitem>
|
---|
| 300 | </segmentedlist>
|
---|
| 301 |
|
---|
| 302 | <variablelist>
|
---|
| 303 | <bridgehead renderas="sect3">Short Descriptions</bridgehead>
|
---|
| 304 | <?dbfo list-presentation="list"?>
|
---|
| 305 | <?dbhtml list-presentation="table"?>
|
---|
| 306 |
|
---|
| 307 | <varlistentry id="pam_tally">
|
---|
| 308 | <term><command>pam_tally</command></term>
|
---|
| 309 | <listitem>
|
---|
| 310 | <para>is used to view or manipulate the <filename>faillog</filename>
|
---|
| 311 | file.</para>
|
---|
[6603f8b] | 312 | <indexterm zone="linux-pam pam_tally">
|
---|
[c7eb655] | 313 | <primary sortas="b-pam_tally">pam_tally</primary>
|
---|
| 314 | </indexterm>
|
---|
| 315 | </listitem>
|
---|
| 316 | </varlistentry>
|
---|
| 317 |
|
---|
| 318 | <varlistentry id="libpam">
|
---|
[3597eb6] | 319 | <term><filename class='libraryfile'>libpam.{so,a}</filename></term>
|
---|
[c7eb655] | 320 | <listitem>
|
---|
| 321 | <para>provides the interfaces between applications and the
|
---|
| 322 | PAM modules.</para>
|
---|
[6603f8b] | 323 | <indexterm zone="linux-pam libpam">
|
---|
[3597eb6] | 324 | <primary sortas="c-libpam">libpam.{so,a}</primary>
|
---|
[c7eb655] | 325 | </indexterm>
|
---|
| 326 | </listitem>
|
---|
| 327 | </varlistentry>
|
---|
| 328 |
|
---|
| 329 | </variablelist>
|
---|
| 330 |
|
---|
| 331 | </sect2>
|
---|
[b4b71892] | 332 |
|
---|
[3c52f859] | 333 | </sect1>
|
---|