1 | <?xml version="1.0" encoding="ISO-8859-1"?>
|
---|
2 | <!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
|
---|
3 | "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
|
---|
4 | <!ENTITY % general-entities SYSTEM "../../general.ent">
|
---|
5 | %general-entities;
|
---|
6 |
|
---|
7 | <!ENTITY linux-pam-download-http "https://fedorahosted.org/releases/l/i/linux-pam/Linux-PAM-&linux-pam-version;.tar.bz2">
|
---|
8 | <!ENTITY linux-pam-download-ftp " ">
|
---|
9 | <!ENTITY linux-pam-md5sum "927ee5585bdec5256c75117e9348aa47">
|
---|
10 | <!ENTITY linux-pam-size "1.1 MB">
|
---|
11 | <!ENTITY linux-pam-buildsize "28 MB (includes installing the optional documentation)">
|
---|
12 | <!ENTITY linux-pam-time "0.3 SBU">
|
---|
13 |
|
---|
14 | <!ENTITY linux-pam-docs-download "https://fedorahosted.org/releases/l/i/linux-pam/Linux-PAM-&linux-pam-version;-docs.tar.bz2">
|
---|
15 | <!ENTITY linux-pam-docs-md5sum "987e14ddce375ec7ddd2b91fbc2bd46d">
|
---|
16 | <!ENTITY linux-pam-docs-size "487 KB">
|
---|
17 | <!ENTITY debian-pam-docs "http://debian.securedservers.com/kernel/pub/linux/libs/pam">
|
---|
18 | ]>
|
---|
19 |
|
---|
20 | <sect1 id="linux-pam" xreflabel="Linux-PAM-&linux-pam-version;">
|
---|
21 | <?dbhtml filename="linux-pam.html"?>
|
---|
22 |
|
---|
23 | <sect1info>
|
---|
24 | <othername>$LastChangedBy$</othername>
|
---|
25 | <date>$Date$</date>
|
---|
26 | </sect1info>
|
---|
27 |
|
---|
28 | <title>Linux-PAM-&linux-pam-version;</title>
|
---|
29 |
|
---|
30 | <indexterm zone="linux-pam">
|
---|
31 | <primary sortas="a-Linux-PAM">Linux-PAM</primary>
|
---|
32 | </indexterm>
|
---|
33 |
|
---|
34 | <sect2 role="package">
|
---|
35 | <title>Introduction to Linux-PAM</title>
|
---|
36 |
|
---|
37 | <para>The <application>Linux-PAM</application> package contains
|
---|
38 | Pluggable Authentication Modules. This is useful to enable the
|
---|
39 | local system administrator to choose how applications authenticate
|
---|
40 | users.</para>
|
---|
41 |
|
---|
42 | &lfs70_checked;
|
---|
43 |
|
---|
44 | <bridgehead renderas="sect3">Package Information</bridgehead>
|
---|
45 | <itemizedlist spacing="compact">
|
---|
46 | <listitem>
|
---|
47 | <para>Download (HTTP): <ulink url="&linux-pam-download-http;"/></para>
|
---|
48 | </listitem>
|
---|
49 | <listitem>
|
---|
50 | <para>Download (FTP): <ulink url="&linux-pam-download-ftp;"/></para>
|
---|
51 | </listitem>
|
---|
52 | <listitem>
|
---|
53 | <para>Download MD5 sum: &linux-pam-md5sum;</para>
|
---|
54 | </listitem>
|
---|
55 | <listitem>
|
---|
56 | <para>Download size: &linux-pam-size;</para>
|
---|
57 | </listitem>
|
---|
58 | <listitem>
|
---|
59 | <para>Estimated disk space required: &linux-pam-buildsize;</para>
|
---|
60 | </listitem>
|
---|
61 | <listitem>
|
---|
62 | <para>Estimated build time: &linux-pam-time;</para>
|
---|
63 | </listitem>
|
---|
64 | </itemizedlist>
|
---|
65 |
|
---|
66 | <bridgehead renderas="sect3">Additional Downloads</bridgehead>
|
---|
67 | <itemizedlist spacing='compact'>
|
---|
68 | <title>Optional Documentation</title>
|
---|
69 | <listitem>
|
---|
70 | <para>Download (HTTP): <ulink url="&linux-pam-docs-download;"/></para>
|
---|
71 | </listitem>
|
---|
72 | <listitem>
|
---|
73 | <para>Download MD5 sum: &linux-pam-docs-md5sum;</para>
|
---|
74 | </listitem>
|
---|
75 | <listitem>
|
---|
76 | <para>Download size &linux-pam-docs-size;</para>
|
---|
77 | </listitem>
|
---|
78 | </itemizedlist>
|
---|
79 |
|
---|
80 | <bridgehead renderas="sect3">Linux-PAM Dependencies</bridgehead>
|
---|
81 |
|
---|
82 | <bridgehead renderas="sect4">Optional</bridgehead>
|
---|
83 | <para role="optional"><xref linkend="cracklib"/>,
|
---|
84 | <xref linkend="libtirpc"/>, <xref linkend="x-window-system"/>,
|
---|
85 | <xref linkend="db"/> (for the pam_userdb module), and
|
---|
86 | <ulink url="http://www.prelude-ids.org/">Prelude</ulink></para>
|
---|
87 |
|
---|
88 | <bridgehead renderas="sect4">Optional (To {,Re}build the Documentation)</bridgehead>
|
---|
89 | <para role="optional"><xref linkend="libxslt"/>,
|
---|
90 | <xref linkend="DocBook"/>,
|
---|
91 | <xref linkend="docbook-xsl"/>,
|
---|
92 | <xref linkend="w3m"/>, and
|
---|
93 | <xref linkend="fop"/></para>
|
---|
94 |
|
---|
95 | <para condition="html" role="usernotes">User Notes:
|
---|
96 | <ulink url="&blfs-wiki;/linux-pam"/></para>
|
---|
97 | </sect2>
|
---|
98 |
|
---|
99 | <sect2 role="installation">
|
---|
100 | <title>Installation of Linux-PAM</title>
|
---|
101 |
|
---|
102 | <para>If you downloaded the documentation, unpack the tarball by issuing
|
---|
103 | the following command.</para>
|
---|
104 |
|
---|
105 | <screen><userinput>tar -xf ../Linux-PAM-&linux-pam-version;-docs.tar.bz2 --strip-components=1</userinput></screen>
|
---|
106 |
|
---|
107 | <para>Install <application>Linux-PAM</application> by
|
---|
108 | running the following commands:</para>
|
---|
109 |
|
---|
110 | <screen><userinput>./configure --sbindir=/lib/security \
|
---|
111 | --docdir=/usr/share/doc/Linux-PAM-&linux-pam-version; \
|
---|
112 | --disable-nis \
|
---|
113 | --enable-read-both-confs &&
|
---|
114 | make</userinput></screen>
|
---|
115 |
|
---|
116 | <para>To test the results, a configuration file must be created. This file
|
---|
117 | will be removed after the tests have completed. Ensure there are no errors
|
---|
118 | produced by the tests before continuing the installation. First create the
|
---|
119 | configuration file by issuing the following commands as the
|
---|
120 | <systemitem class="username">root</systemitem> user:</para>
|
---|
121 |
|
---|
122 | <screen role="root"><userinput>install -v -m755 -d /etc/pam.d &&
|
---|
123 |
|
---|
124 | cat > /etc/pam.d/other << "EOF"
|
---|
125 | auth required pam_deny.so
|
---|
126 | account required pam_deny.so
|
---|
127 | password required pam_deny.so
|
---|
128 | session required pam_deny.so
|
---|
129 | EOF</userinput></screen>
|
---|
130 |
|
---|
131 | <para>Now run the tests by issuing <command>make check</command>.</para>
|
---|
132 |
|
---|
133 | <para>Remove the configuration file created earlier by issuing the
|
---|
134 | following command as the
|
---|
135 | <systemitem class="username">root</systemitem> user:</para>
|
---|
136 |
|
---|
137 | <screen role="root"><userinput>rm -rfv /etc/pam.d</userinput></screen>
|
---|
138 |
|
---|
139 | <para>Now, as the <systemitem class="username">root</systemitem>
|
---|
140 | user:</para>
|
---|
141 |
|
---|
142 | <screen role="root"><userinput>make install &&
|
---|
143 | chmod -v 4755 /lib/security/unix_chkpwd &&
|
---|
144 | mv -v /lib/security/pam_tally /sbin</userinput></screen>
|
---|
145 | </sect2>
|
---|
146 |
|
---|
147 | <sect2 role="commands">
|
---|
148 | <title>Command Explanations</title>
|
---|
149 |
|
---|
150 | <para><parameter>--sbindir=/lib/security</parameter>: This parameter
|
---|
151 | results in three executables, two of which are not intended to be run from
|
---|
152 | the command line, being installed in the same directory as the PAM modules.
|
---|
153 | The other executable is later moved to the
|
---|
154 | <filename class="directory">/sbin</filename> directory.</para>
|
---|
155 |
|
---|
156 | <para><parameter>--docdir=...</parameter>: This parameter results in
|
---|
157 | the documentation being installed in a versioned directory name.</para>
|
---|
158 |
|
---|
159 | <para><parameter>--disable-nis</parameter>: This option disables building
|
---|
160 | Network Information Service/Yellow Pages support in pam_unix and pam_access.
|
---|
161 | The RPC implementation in glibc (on which NIS/YP depends) is deprecated.
|
---|
162 | However, the same functionality is provided by
|
---|
163 | <application>Libtirpc</application> so if you've installed
|
---|
164 | <xref linkend="libtirpc"/> you can remove the
|
---|
165 | <parameter>--disable-nis</parameter> option.</para>
|
---|
166 |
|
---|
167 | <para><parameter>--enable-read-both-confs</parameter>: This parameter
|
---|
168 | allows the local administrator to choose which configuration file setup to
|
---|
169 | use.</para>
|
---|
170 |
|
---|
171 | <para><command>chmod -v 4755 /lib/security/unix_chkpwd</command>:
|
---|
172 | The <command>unix_chkpwd</command> password-helper program must be setuid
|
---|
173 | so that non-<systemitem class="username">root</systemitem> processes can
|
---|
174 | access the shadow-password file.</para>
|
---|
175 |
|
---|
176 | <para><command>mv -v /lib/security/pam_tally /sbin</command>: The
|
---|
177 | <command>pam_tally</command> program is designed to be run by the system
|
---|
178 | administrator, possibly in single-user mode, so it is moved to the
|
---|
179 | appropriate directory.</para>
|
---|
180 | </sect2>
|
---|
181 |
|
---|
182 | <sect2 role="configuration">
|
---|
183 | <title>Configuring Linux-PAM</title>
|
---|
184 |
|
---|
185 | <sect3 id="pam-config">
|
---|
186 | <title>Config Files</title>
|
---|
187 |
|
---|
188 | <para><filename>/etc/security/*</filename> and
|
---|
189 | <filename>/etc/pam.d/*</filename> or
|
---|
190 | <filename>/etc/pam.conf</filename></para>
|
---|
191 |
|
---|
192 | <indexterm zone="linux-pam pam-config">
|
---|
193 | <primary sortas="e-etc-security">/etc/security/*</primary>
|
---|
194 | </indexterm>
|
---|
195 |
|
---|
196 | <indexterm zone="linux-pam pam-config">
|
---|
197 | <primary sortas="e-etc-pam.d">/etc/pam.d/*</primary>
|
---|
198 | </indexterm>
|
---|
199 |
|
---|
200 | <indexterm zone="linux-pam pam-config">
|
---|
201 | <primary sortas="e-etc-pam.conf">/etc/pam.conf</primary>
|
---|
202 | </indexterm>
|
---|
203 | </sect3>
|
---|
204 |
|
---|
205 | <sect3>
|
---|
206 | <title>Configuration Information</title>
|
---|
207 |
|
---|
208 | <para>Configuration information is placed in
|
---|
209 | <filename class="directory">/etc/pam.d/</filename> or
|
---|
210 | <filename>/etc/pam.conf</filename> depending on system administrator
|
---|
211 | preference. Below are example files of each type:</para>
|
---|
212 |
|
---|
213 | <screen><literal># Begin /etc/pam.d/other
|
---|
214 |
|
---|
215 | auth required pam_unix.so nullok
|
---|
216 | account required pam_unix.so
|
---|
217 | session required pam_unix.so
|
---|
218 | password required pam_unix.so nullok
|
---|
219 |
|
---|
220 | # End /etc/pam.d/other
|
---|
221 |
|
---|
222 | # Begin /etc/pam.conf
|
---|
223 |
|
---|
224 | other auth required pam_unix.so nullok
|
---|
225 | other account required pam_unix.so
|
---|
226 | other session required pam_unix.so
|
---|
227 | other password required pam_unix.so nullok
|
---|
228 |
|
---|
229 | # End /etc/pam.conf</literal></screen>
|
---|
230 |
|
---|
231 | <para>The <application>PAM</application> man page (<command>man
|
---|
232 | pam</command>) provides a good starting point for descriptions of fields
|
---|
233 | and allowable entries. The <ulink
|
---|
234 | url="&debian-pam-docs;/Linux-PAM-html/Linux-PAM_SAG.html"> Linux-PAM
|
---|
235 | System Administrators' Guide</ulink> is recommended for additional
|
---|
236 | information.</para>
|
---|
237 |
|
---|
238 | <para>Refer to <ulink url="&debian-pam-docs;/modules.html"/> for a list
|
---|
239 | of various third-party modules available.</para>
|
---|
240 |
|
---|
241 | <important>
|
---|
242 | <para>You should now reinstall the <xref linkend="shadow"/>
|
---|
243 | package.</para>
|
---|
244 | </important>
|
---|
245 | </sect3>
|
---|
246 | </sect2>
|
---|
247 |
|
---|
248 | <sect2 role="content">
|
---|
249 | <title>Contents</title>
|
---|
250 |
|
---|
251 | <segmentedlist>
|
---|
252 | <segtitle>Installed Program</segtitle>
|
---|
253 | <segtitle>Installed Libraries</segtitle>
|
---|
254 | <segtitle>Installed Directories</segtitle>
|
---|
255 |
|
---|
256 | <seglistitem>
|
---|
257 | <seg>pam_tally</seg>
|
---|
258 | <seg>libpam.{so,a}, libpamc.{so,a}, libpam_misc.{so,a} and
|
---|
259 | numerous PAM modules</seg>
|
---|
260 | <seg>/etc/security, /lib/security, /usr/include/security,
|
---|
261 | /usr/share/doc/Linux-PAM-&linux-pam-version;,
|
---|
262 | and /var/run/sepermit</seg>
|
---|
263 | </seglistitem>
|
---|
264 | </segmentedlist>
|
---|
265 |
|
---|
266 | <variablelist>
|
---|
267 | <bridgehead renderas="sect3">Short Descriptions</bridgehead>
|
---|
268 | <?dbfo list-presentation="list"?>
|
---|
269 | <?dbhtml list-presentation="table"?>
|
---|
270 |
|
---|
271 | <varlistentry id="pam_tally">
|
---|
272 | <term><command>pam_tally</command></term>
|
---|
273 | <listitem>
|
---|
274 | <para>is used to view or manipulate the <filename>faillog</filename>
|
---|
275 | file.</para>
|
---|
276 | <indexterm zone="linux-pam pam_tally">
|
---|
277 | <primary sortas="b-pam_tally">pam_tally</primary>
|
---|
278 | </indexterm>
|
---|
279 | </listitem>
|
---|
280 | </varlistentry>
|
---|
281 |
|
---|
282 | <varlistentry id="libpam">
|
---|
283 | <term><filename class="libraryfile">libpam.{so,a}</filename></term>
|
---|
284 | <listitem>
|
---|
285 | <para>provides the interfaces between applications and the
|
---|
286 | PAM modules.</para>
|
---|
287 | <indexterm zone="linux-pam libpam">
|
---|
288 | <primary sortas="c-libpam">libpam.{so,a}</primary>
|
---|
289 | </indexterm>
|
---|
290 | </listitem>
|
---|
291 | </varlistentry>
|
---|
292 | </variablelist>
|
---|
293 | </sect2>
|
---|
294 | </sect1>
|
---|