GitHub Repository: freebsd/freebsd-doc
Path: blob/main/documentation/content/en/articles/pam/_index.po
# SOME DESCRIPTIVE TITLE
# Copyright (C) YEAR The FreeBSD Project
# This file is distributed under the same license as the FreeBSD Documentation package.
# FIRST AUTHOR <EMAIL@ADDRESS>, YEAR.
#
#, fuzzy
msgid ""
msgstr ""
"Project-Id-Version: FreeBSD Documentation VERSION\n"
"POT-Creation-Date: 2026-02-22 15:58+0000\n"
"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
"Language-Team: LANGUAGE <LL@li.org>\n"
"Language: \n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"

#. type: YAML Front Matter: description
#: documentation/content/en/articles/pam/_index.adoc:1
#, no-wrap
msgid "A guide to the PAM system and modules under FreeBSD"
msgstr ""

#. Copyright (c) 2001-2003 Networks Associates Technology, Inc.
#. All rights reserved.
#. This software was developed for the FreeBSD Project by ThinkSec AS and
#. Network Associates Laboratories, the Security Research Division of
#. Network Associates, Inc.  under DARPA/SPAWAR contract N66001-01-C-8035
#. ("CBOSS"), as part of the DARPA CHATS research program.
#. Redistribution and use in source and binary forms, with or without
#. modification, are permitted provided that the following conditions
#. are met:
#. 1. Redistributions of source code must retain the above copyright
#.    notice, this list of conditions and the following disclaimer.
#. 2. Redistributions in binary form must reproduce the above copyright
#.    notice, this list of conditions and the following disclaimer in the
#.    documentation and/or other materials provided with the distribution.
#. 3. The name of the author may not be used to endorse or promote
#.    products derived from this software without specific prior written
#.    permission.
#. THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
#. ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
#. IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
#. ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
#. FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
#. DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
#. OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
#. HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
#. LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
#. OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
#. SUCH DAMAGE.
#. type: Title =
#: documentation/content/en/articles/pam/_index.adoc:1
#: documentation/content/en/articles/pam/_index.adoc:45
#, no-wrap
msgid "Pluggable Authentication Modules"
msgstr ""

#. type: Plain text
#: documentation/content/en/articles/pam/_index.adoc:81
msgid "Abstract"
msgstr ""

#. type: Plain text
#: documentation/content/en/articles/pam/_index.adoc:83
msgid ""
"This article describes the underlying principles and mechanisms of the "
"Pluggable Authentication Modules (PAM) library, and explains how to "
"configure PAM, how to integrate PAM into applications, and how to write PAM "
"modules."
msgstr ""

#. type: Plain text
#: documentation/content/en/articles/pam/_index.adoc:85
msgid "'''"
msgstr ""

#. type: Title ==
#: documentation/content/en/articles/pam/_index.adoc:89
#, no-wrap
msgid "Introduction"
msgstr ""

#. type: Plain text
#: documentation/content/en/articles/pam/_index.adoc:92
msgid ""
"The Pluggable Authentication Modules (PAM) library is a generalized API for "
"authentication-related services which allows a system administrator to add "
"new authentication methods simply by installing new PAM modules, and to "
"modify authentication policies by editing configuration files."
msgstr ""

#. type: Plain text
#: documentation/content/en/articles/pam/_index.adoc:96
msgid ""
"PAM was defined and developed in 1995 by Vipin Samar and Charlie Lai of Sun "
"Microsystems, and has not changed much since.  In 1997, the Open Group "
"published the X/Open Single Sign-on (XSSO) preliminary specification, which "
"standardized the PAM API and added extensions for single (or rather "
"integrated) sign-on.  At the time of this writing, this specification has "
"not yet been adopted as a standard."
msgstr ""

#. type: Plain text
#: documentation/content/en/articles/pam/_index.adoc:98
msgid ""
"Although this article focuses primarily on FreeBSD 5.x, which uses OpenPAM, "
"it should be equally applicable to FreeBSD 4.x, which uses Linux-PAM, and "
"other operating systems such as Linux and Solaris(TM)."
msgstr ""

#. type: Title ==
#: documentation/content/en/articles/pam/_index.adoc:100
#, no-wrap
msgid "Terms and Conventions"
msgstr ""

#. type: Title ===
#: documentation/content/en/articles/pam/_index.adoc:103
#, no-wrap
msgid "Definitions"
msgstr ""

#. type: Plain text
#: documentation/content/en/articles/pam/_index.adoc:110
msgid ""
"The terminology surrounding PAM is rather confused.  Neither Samar and Lai's "
"original paper nor the XSSO specification made any attempt at formally "
"defining terms for the various actors and entities involved in PAM, and the "
"terms that they do use (but do not define) are sometimes misleading and "
"ambiguous.  The first attempt at establishing a consistent and unambiguous "
"terminology was a whitepaper written by Andrew G. Morgan (author of Linux-"
"PAM) in 1999.  While Morgan's choice of terminology was a huge leap forward, "
"it is in this author's opinion by no means perfect.  What follows is an "
"attempt, heavily inspired by Morgan, to define precise and unambiguous terms "
"for all actors and entities involved in PAM."
msgstr ""

#. type: Labeled list
#: documentation/content/en/articles/pam/_index.adoc:111
#, no-wrap
msgid "account"
msgstr ""

#. type: Plain text
#: documentation/content/en/articles/pam/_index.adoc:113
msgid "The set of credentials the applicant is requesting from the arbitrator."
msgstr ""

#. type: Labeled list
#: documentation/content/en/articles/pam/_index.adoc:114
#, no-wrap
msgid "applicant"
msgstr ""

#. type: Plain text
#: documentation/content/en/articles/pam/_index.adoc:116
msgid "The user or entity requesting authentication."
msgstr ""

#. type: Labeled list
#: documentation/content/en/articles/pam/_index.adoc:117
#, no-wrap
msgid "arbitrator"
msgstr ""

#. type: Plain text
#: documentation/content/en/articles/pam/_index.adoc:119
msgid ""
"The user or entity who has the privileges necessary to verify the "
"applicant's credentials and the authority to grant or deny the request."
msgstr ""

#. type: Labeled list
#: documentation/content/en/articles/pam/_index.adoc:120
#, no-wrap
msgid "chain"
msgstr ""

#. type: Plain text
#: documentation/content/en/articles/pam/_index.adoc:123
msgid ""
"A sequence of modules that will be invoked in response to a PAM request.  "
"The chain includes information about the order in which to invoke the "
"modules, what arguments to pass to them, and how to interpret the results."
msgstr ""

#. type: Labeled list
#: documentation/content/en/articles/pam/_index.adoc:124
#, no-wrap
msgid "client"
msgstr ""

#. type: Plain text
#: documentation/content/en/articles/pam/_index.adoc:126
msgid ""
"The application responsible for initiating an authentication request on "
"behalf of the applicant and for obtaining the necessary authentication "
"information from him."
msgstr ""

#. type: Labeled list
#: documentation/content/en/articles/pam/_index.adoc:127
#, no-wrap
msgid "facility"
msgstr ""

#. type: Plain text
#: documentation/content/en/articles/pam/_index.adoc:129
msgid ""
"One of the four basic groups of functionality provided by PAM: "
"authentication, account management, session management and authentication "
"token update."
msgstr ""

#. type: Labeled list
#: documentation/content/en/articles/pam/_index.adoc:130
#, no-wrap
msgid "module"
msgstr ""

#. type: Plain text
#: documentation/content/en/articles/pam/_index.adoc:132
msgid ""
"A collection of one or more related functions implementing a particular "
"authentication facility, gathered into a single (normally dynamically "
"loadable) binary file and identified by a single name."
msgstr ""

#. type: Labeled list
#: documentation/content/en/articles/pam/_index.adoc:133
#, no-wrap
msgid "policy"
msgstr ""

#. type: Plain text
#: documentation/content/en/articles/pam/_index.adoc:136
msgid ""
"The complete set of configuration statements describing how to handle PAM "
"requests for a particular service.  A policy normally consists of four "
"chains, one for each facility, though some services do not use all four "
"facilities."
msgstr ""

#. type: Labeled list
#: documentation/content/en/articles/pam/_index.adoc:137
#, no-wrap
msgid "server"
msgstr ""

#. type: Plain text
#: documentation/content/en/articles/pam/_index.adoc:139
msgid ""
"The application acting on behalf of the arbitrator to converse with the "
"client, retrieve authentication information, verify the applicant's "
"credentials and grant or deny requests."
msgstr ""

#. type: Labeled list
#: documentation/content/en/articles/pam/_index.adoc:140
#, no-wrap
msgid "service"
msgstr ""

#. type: Plain text
#: documentation/content/en/articles/pam/_index.adoc:143
msgid ""
"A class of servers providing similar or related functionality and requiring "
"similar authentication.  PAM policies are defined on a per-service basis, so "
"all servers that claim the same service name will be subject to the same "
"policy."
msgstr ""

#. type: Labeled list
#: documentation/content/en/articles/pam/_index.adoc:144
#, no-wrap
msgid "session"
msgstr ""

#. type: Plain text
#: documentation/content/en/articles/pam/_index.adoc:147
msgid ""
"The context within which service is rendered to the applicant by the "
"server.  One of PAM's four facilities, session management, is concerned "
"exclusively with setting up and tearing down this context."
msgstr ""

#. type: Labeled list
#: documentation/content/en/articles/pam/_index.adoc:148
#, no-wrap
msgid "token"
msgstr ""

#. type: Plain text
#: documentation/content/en/articles/pam/_index.adoc:150
msgid ""
"A chunk of information associated with the account, such as a password or "
"passphrase, which the applicant must provide to prove his identity."
msgstr ""

#. type: Labeled list
#: documentation/content/en/articles/pam/_index.adoc:151
#, no-wrap
msgid "transaction"
msgstr ""

#. type: Plain text
#: documentation/content/en/articles/pam/_index.adoc:153
msgid ""
"A sequence of requests from the same applicant to the same instance of the "
"same server, beginning with authentication and session set-up and ending "
"with session tear-down."
msgstr ""

#. type: Title ===
#: documentation/content/en/articles/pam/_index.adoc:155
#, no-wrap
msgid "Usage Examples"
msgstr ""

#. type: Plain text
#: documentation/content/en/articles/pam/_index.adoc:158
msgid ""
"This section aims to illustrate the meanings of some of the terms defined "
"above by way of a handful of simple examples."
msgstr ""

#. type: Title ====
#: documentation/content/en/articles/pam/_index.adoc:159
#, no-wrap
msgid "Client and Server Are One"
msgstr ""

#. type: Plain text
#: documentation/content/en/articles/pam/_index.adoc:162
msgid "This simple example shows `alice` man:su[1]'ing to `root`."
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/articles/pam/_index.adoc:167
#, no-wrap
msgid ""
"% whoami\n"
"alice\n"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/articles/pam/_index.adoc:170
#, no-wrap
msgid ""
"% ls -l `which su`\n"
"-r-sr-xr-x  1 root  wheel  10744 Dec  6 19:06 /usr/bin/su\n"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/articles/pam/_index.adoc:175
#, no-wrap
msgid ""
"% su -\n"
"Password: xi3kiune\n"
"# whoami\n"
"root\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/articles/pam/_index.adoc:178
msgid "The applicant is `alice`."
msgstr ""

#. type: Plain text
#: documentation/content/en/articles/pam/_index.adoc:179
msgid "The account is `root`."
msgstr ""

#. type: Plain text
#: documentation/content/en/articles/pam/_index.adoc:180
msgid "The man:su[1] process is both client and server."
msgstr ""

#. type: Plain text
#: documentation/content/en/articles/pam/_index.adoc:181
msgid "The authentication token is `xi3kiune`."
msgstr ""

#. type: Plain text
#: documentation/content/en/articles/pam/_index.adoc:182
msgid "The arbitrator is `root`, which is why man:su[1] is setuid `root`."
msgstr ""

#. type: Title ====
#: documentation/content/en/articles/pam/_index.adoc:183
#, no-wrap
msgid "Client and Server Are Separate"
msgstr ""

#. type: Plain text
#: documentation/content/en/articles/pam/_index.adoc:187
msgid ""
"The example below shows `eve` trying to initiate an man:ssh[1] connection to "
"`login.example.com`, ask to log in as `bob`, and succeed.  Bob should have "
"chosen a better password!"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/articles/pam/_index.adoc:192
#, no-wrap
msgid ""
"% whoami\n"
"eve\n"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/articles/pam/_index.adoc:200
#, no-wrap
msgid ""
"% ssh bob@login.example.com\n"
"bob@login.example.com's password:\n"
"% god\n"
"Last login: Thu Oct 11 09:52:57 2001 from 192.168.0.1\n"
"Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994\n"
"\tThe Regents of the University of California.  All rights reserved.\n"
"FreeBSD 4.4-STABLE (LOGIN) 4: Tue Nov 27 18:10:34 PST 2001\n"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/articles/pam/_index.adoc:203
#, no-wrap
msgid ""
"Welcome to FreeBSD!\n"
"%\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/articles/pam/_index.adoc:207
msgid "The applicant is `eve`."
msgstr ""

#. type: Plain text
#: documentation/content/en/articles/pam/_index.adoc:208
msgid "The client is Eve's man:ssh[1] process."
msgstr ""

#. type: Plain text
#: documentation/content/en/articles/pam/_index.adoc:209
msgid "The server is the man:sshd[8] process on `login.example.com`."
msgstr ""

#. type: Plain text
#: documentation/content/en/articles/pam/_index.adoc:210
msgid "The account is `bob`."
msgstr ""

#. type: Plain text
#: documentation/content/en/articles/pam/_index.adoc:211
msgid "The authentication token is `god`."
msgstr ""

#. type: Plain text
#: documentation/content/en/articles/pam/_index.adoc:212
msgid "Although this is not shown in this example, the arbitrator is `root`."
msgstr ""

#. type: Title ====
#: documentation/content/en/articles/pam/_index.adoc:213
#, no-wrap
msgid "Sample Policy"
msgstr ""

#. type: Plain text
#: documentation/content/en/articles/pam/_index.adoc:216
msgid "The following is FreeBSD's default policy for `sshd`:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/articles/pam/_index.adoc:225
#, no-wrap
msgid ""
"sshd\tauth\t\trequired\tpam_nologin.so\tno_warn\n"
"sshd\tauth\t\trequired\tpam_unix.so\tno_warn try_first_pass\n"
"sshd\taccount\t\trequired\tpam_login_access.so\n"
"sshd\taccount\t\trequired\tpam_unix.so\n"
"sshd\tsession\t\trequired\tpam_lastlog.so\tno_fail\n"
"sshd\tpassword\trequired\tpam_permit.so\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/articles/pam/_index.adoc:228
msgid ""
"This policy applies to the `sshd` service (which is not necessarily "
"restricted to the man:sshd[8] server.)"
msgstr ""

#. type: Plain text
#: documentation/content/en/articles/pam/_index.adoc:229
msgid "`auth`, `account`, `session` and `password` are facilities."
msgstr ""

#. type: Plain text
#: documentation/content/en/articles/pam/_index.adoc:230
msgid ""
"[.filename]#pam_nologin.so#, [.filename]#pam_unix.so#, "
"[.filename]#pam_login_access.so#, [.filename]#pam_lastlog.so# and "
"[.filename]#pam_permit.so# are modules. It is clear from this example that "
"[.filename]#pam_unix.so# provides at least two facilities (authentication "
"and account management.)"
msgstr ""

#. type: Title ==
#: documentation/content/en/articles/pam/_index.adoc:232
#, no-wrap
msgid "PAM Essentials"
msgstr ""

#. type: Title ===
#: documentation/content/en/articles/pam/_index.adoc:235
#, no-wrap
msgid "Facilities and Primitives"
msgstr ""

#. type: Plain text
#: documentation/content/en/articles/pam/_index.adoc:238
msgid ""
"The PAM API offers six different authentication primitives grouped in four "
"facilities, which are described below."
msgstr ""

#. type: Labeled list
#: documentation/content/en/articles/pam/_index.adoc:239
#, no-wrap
msgid "`auth`"
msgstr ""

#. type: Plain text
#: documentation/content/en/articles/pam/_index.adoc:242
msgid ""
"_Authentication._ This facility concerns itself with authenticating the "
"applicant and establishing the account credentials.  It provides two "
"primitives:"
msgstr ""

#. type: Plain text
#: documentation/content/en/articles/pam/_index.adoc:244
msgid ""
"man:pam_authenticate[3] authenticates the applicant, usually by requesting "
"an authentication token and comparing it with a value stored in a database "
"or obtained from an authentication server."
msgstr ""

#. type: Plain text
#: documentation/content/en/articles/pam/_index.adoc:245
msgid ""
"man:pam_setcred[3] establishes account credentials such as user ID, group "
"membership and resource limits."
msgstr ""

#. type: Labeled list
#: documentation/content/en/articles/pam/_index.adoc:246
#, no-wrap
msgid "`account`"
msgstr ""

#. type: Plain text
#: documentation/content/en/articles/pam/_index.adoc:249
msgid ""
"_Account management._ This facility handles non-authentication-related "
"issues of account availability, such as access restrictions based on the "
"time of day or the server's work load.  It provides a single primitive:"
msgstr ""

#. type: Plain text
#: documentation/content/en/articles/pam/_index.adoc:251
msgid "man:pam_acct_mgmt[3] verifies that the requested account is available."
msgstr ""

#. type: Labeled list
#: documentation/content/en/articles/pam/_index.adoc:252
#, no-wrap
msgid "`session`"
msgstr ""

#. type: Plain text
#: documentation/content/en/articles/pam/_index.adoc:255
msgid ""
"_Session management._ This facility handles tasks associated with session "
"set-up and tear-down, such as login accounting.  It provides two primitives:"
msgstr ""

#. type: Plain text
#: documentation/content/en/articles/pam/_index.adoc:257
msgid ""
"man:pam_open_session[3] performs tasks associated with session set-up: add "
"an entry in the [.filename]#utmp# and [.filename]#wtmp# databases, start an "
"SSH agent, etc."
msgstr ""

#. type: Plain text
#: documentation/content/en/articles/pam/_index.adoc:258
msgid ""
"man:pam_close_session[3] performs tasks associated with session tear-down: "
"add an entry in the [.filename]#utmp# and [.filename]#wtmp# databases, stop "
"the SSH agent, etc."
msgstr ""

#. type: Labeled list
#: documentation/content/en/articles/pam/_index.adoc:259
#, no-wrap
msgid "`password`"
msgstr ""

#. type: Plain text
#: documentation/content/en/articles/pam/_index.adoc:262
msgid ""
"_Password management._ This facility is used to change the authentication "
"token associated with an account, either because it has expired or because "
"the user wishes to change it.  It provides a single primitive:"
msgstr ""

#. type: Plain text
#: documentation/content/en/articles/pam/_index.adoc:264
msgid ""
"man:pam_chauthtok[3] changes the authentication token, optionally verifying "
"that it is sufficiently hard to guess, has not been used previously, etc."
msgstr ""

#. type: Title ===
#: documentation/content/en/articles/pam/_index.adoc:266
#, no-wrap
msgid "Modules"
msgstr ""

#. type: Plain text
#: documentation/content/en/articles/pam/_index.adoc:271
msgid ""
"Modules are a very central concept in PAM; after all, they are the \"M\" in "
"\"PAM\".  A PAM module is a self-contained piece of program code that "
"implements the primitives in one or more facilities for one particular "
"mechanism; possible mechanisms for the authentication facility, for "
"instance, include the UNIX(R) password database, NIS, LDAP and Radius."
msgstr ""

#. type: Title ====
#: documentation/content/en/articles/pam/_index.adoc:273
#, no-wrap
msgid "Module Naming"
msgstr ""

#. type: Plain text
#: documentation/content/en/articles/pam/_index.adoc:278
msgid ""
"FreeBSD implements each mechanism in a single module, named "
"`pam_mechanism.so` (for instance, `pam_unix.so` for the UNIX(R) mechanism.)  "
"Other implementations sometimes have separate modules for separate "
"facilities, and include the facility name as well as the mechanism name in "
"the module name.  To name one example, Solaris(TM) has a "
"`pam_dial_auth.so.1` module which is commonly used to authenticate dialup "
"users."
msgstr ""

#. type: Title ====
#: documentation/content/en/articles/pam/_index.adoc:280
#, no-wrap
msgid "Module Versioning"
msgstr ""

#. type: Plain text
#: documentation/content/en/articles/pam/_index.adoc:284
msgid ""
"FreeBSD's original PAM implementation, based on Linux-PAM, did not use "
"version numbers for PAM modules.  This would commonly cause problems with "
"legacy applications, which might be linked against older versions of the "
"system libraries, as there was no way to load a matching version of the "
"required modules."
msgstr ""

#. type: Plain text
#: documentation/content/en/articles/pam/_index.adoc:287
msgid ""
"OpenPAM, on the other hand, looks for modules that have the same version "
"number as the PAM library (currently 2), and only falls back to an "
"unversioned module if no versioned module could be loaded.  Thus legacy "
"modules can be provided for legacy applications, while allowing new (or "
"newly built) applications to take advantage of the most recent modules."
msgstr ""

#. type: Plain text
#: documentation/content/en/articles/pam/_index.adoc:289
msgid ""
"Although Solaris(TM) PAM modules commonly have a version number, they are "
"not truly versioned, because the number is a part of the module name and "
"must be included in the configuration."
msgstr ""

#. type: Title ===
#: documentation/content/en/articles/pam/_index.adoc:291
#, no-wrap
msgid "Chains and Policies"
msgstr ""

#. type: Plain text
#: documentation/content/en/articles/pam/_index.adoc:296
msgid ""
"When a server initiates a PAM transaction, the PAM library tries to load a "
"policy for the service specified in the man:pam_start[3] call.  The policy "
"specifies how authentication requests should be processed, and is defined in "
"a configuration file.  This is the other central concept in PAM: the "
"possibility for the admin to tune the system security policy (in the wider "
"sense of the word) simply by editing a text file."
msgstr ""

#. type: Plain text
#: documentation/content/en/articles/pam/_index.adoc:299
msgid ""
"A policy consists of four chains, one for each of the four PAM facilities.  "
"Each chain is a sequence of configuration statements, each specifying a "
"module to invoke, some (optional) parameters to pass to the module, and a "
"control flag that describes how to interpret the return code from the module."
msgstr ""

#. type: Plain text
#: documentation/content/en/articles/pam/_index.adoc:302
msgid ""
"Understanding the control flags is essential to understanding PAM "
"configuration files.  There are five different control flags:"
msgstr ""

#. type: Labeled list
#: documentation/content/en/articles/pam/_index.adoc:303
#, no-wrap
msgid "`binding`"
msgstr ""

#. type: Plain text
#: documentation/content/en/articles/pam/_index.adoc:306
msgid ""
"If the module succeeds and no earlier module in the chain has failed, the "
"chain is immediately terminated and the request is granted.  If the module "
"fails, the rest of the chain is executed, but the request is ultimately "
"denied."
msgstr ""

#. type: Plain text
#: documentation/content/en/articles/pam/_index.adoc:308
msgid ""
"This control flag was introduced by Sun in Solaris(TM) 9 (SunOS(TM) 5.9), "
"and is also supported by OpenPAM."
msgstr ""

#. type: Labeled list
#: documentation/content/en/articles/pam/_index.adoc:308
#, no-wrap
msgid "`required`"
msgstr ""

#. type: Plain text
#: documentation/content/en/articles/pam/_index.adoc:311
msgid ""
"If the module succeeds, the rest of the chain is executed, and the request "
"is granted unless some other module fails.  If the module fails, the rest of "
"the chain is also executed, but the request is ultimately denied."
msgstr ""

#. type: Labeled list
#: documentation/content/en/articles/pam/_index.adoc:312
#, no-wrap
msgid "`requisite`"
msgstr ""

#. type: Plain text
#: documentation/content/en/articles/pam/_index.adoc:315
msgid ""
"If the module succeeds, the rest of the chain is executed, and the request "
"is granted unless some other module fails.  If the module fails, the chain "
"is immediately terminated and the request is denied."
msgstr ""

#. type: Labeled list
#: documentation/content/en/articles/pam/_index.adoc:316
#, no-wrap
msgid "`sufficient`"
msgstr ""

#. type: Plain text
#: documentation/content/en/articles/pam/_index.adoc:319
msgid ""
"If the module succeeds and no earlier module in the chain has failed, the "
"chain is immediately terminated and the request is granted.  If the module "
"fails, the module is ignored and the rest of the chain is executed."
msgstr ""

#. type: Plain text
#: documentation/content/en/articles/pam/_index.adoc:321
msgid ""
"As the semantics of this flag may be somewhat confusing, especially when it "
"is used for the last module in a chain, it is recommended that the `binding` "
"control flag be used instead if the implementation supports it."
msgstr ""

#. type: Labeled list
#: documentation/content/en/articles/pam/_index.adoc:321
#, no-wrap
msgid "`optional`"
msgstr ""

#. type: Plain text
#: documentation/content/en/articles/pam/_index.adoc:324
msgid ""
"The module is executed, but its result is ignored.  If all modules in a "
"chain are marked `optional`, all requests will always be granted."
msgstr ""

#. type: Plain text
#: documentation/content/en/articles/pam/_index.adoc:327
msgid ""
"When a server invokes one of the six PAM primitives, PAM retrieves the chain "
"for the facility the primitive belongs to, and invokes each of the modules "
"listed in the chain, in the order they are listed, until it reaches the end, "
"or determines that no further processing is necessary (either because a "
"`binding` or `sufficient` module succeeded, or because a `requisite` module "
"failed.)  The request is granted if and only if at least one module was "
"invoked, and all non-optional modules succeeded."
msgstr ""

#. type: Plain text
#: documentation/content/en/articles/pam/_index.adoc:331
msgid ""
"Note that it is possible, though not very common, to have the same module "
"listed several times in the same chain.  For instance, a module that looks "
"up user names and passwords in a directory server could be invoked multiple "
"times with different parameters specifying different directory servers to "
"contact.  PAM treats different occurrences of the same module in the same "
"chain as different, unrelated modules."
msgstr ""

#. type: Title ===
#: documentation/content/en/articles/pam/_index.adoc:333
#, no-wrap
msgid "Transactions"
msgstr ""

#. type: Plain text
#: documentation/content/en/articles/pam/_index.adoc:337
msgid ""
"The lifecycle of a typical PAM transaction is described below.  Note that if "
"any of these steps fails, the server should report a suitable error message "
"to the client and abort the transaction."
msgstr ""

#. type: Plain text
#: documentation/content/en/articles/pam/_index.adoc:339
msgid ""
"If necessary, the server obtains arbitrator credentials through a mechanism "
"independent of PAM, most commonly by virtue of having been started by `root`, "
"or of being setuid `root`."
msgstr ""

#. type: Plain text
#: documentation/content/en/articles/pam/_index.adoc:340
msgid ""
"The server calls man:pam_start[3] to initialize the PAM library and specify "
"its service name and the target account, and register a suitable "
"conversation function."
msgstr ""

#. type: Plain text
#: documentation/content/en/articles/pam/_index.adoc:341
msgid ""
"The server obtains various information relating to the transaction (such as "
"the applicant's user name and the name of the host the client runs on) and "
"submits it to PAM using man:pam_set_item[3]."
msgstr ""

#. type: Plain text
#: documentation/content/en/articles/pam/_index.adoc:342
msgid "The server calls man:pam_authenticate[3] to authenticate the applicant."
msgstr ""

#. type: Plain text
#: documentation/content/en/articles/pam/_index.adoc:343
msgid ""
"The server calls man:pam_acct_mgmt[3] to verify that the requested account "
"is available and valid. If the password is correct but has expired, "
"man:pam_acct_mgmt[3] will return `PAM_NEW_AUTHTOK_REQD` instead of "
"`PAM_SUCCESS`."
msgstr ""

#. type: Plain text
#: documentation/content/en/articles/pam/_index.adoc:344
msgid ""
"If the previous step returned `PAM_NEW_AUTHTOK_REQD`, the server now calls "
"man:pam_chauthtok[3] to force the client to change the authentication token "
"for the requested account."
msgstr ""

#. type: Plain text
#: documentation/content/en/articles/pam/_index.adoc:345
msgid ""
"Now that the applicant has been properly authenticated, the server calls "
"man:pam_setcred[3] to establish the credentials of the requested account. It "
"is able to do this because it acts on behalf of the arbitrator, and holds "
"the arbitrator's credentials."
msgstr ""

#. type: Plain text
#: documentation/content/en/articles/pam/_index.adoc:346
msgid ""
"Once the correct credentials have been established, the server calls "
"man:pam_open_session[3] to set up the session."
msgstr ""

#. type: Plain text
#: documentation/content/en/articles/pam/_index.adoc:347
msgid ""
"The server now performs whatever service the client requested, for instance "
"providing the applicant with a shell."
msgstr ""

#. type: Plain text
#: documentation/content/en/articles/pam/_index.adoc:348
msgid ""
"Once the server is done serving the client, it calls "
"man:pam_close_session[3] to tear down the session."
msgstr ""

#. type: Plain text
#: documentation/content/en/articles/pam/_index.adoc:349
msgid ""
"Finally, the server calls man:pam_end[3] to notify the PAM library that it "
"is done and that it can release whatever resources it has allocated in the "
"course of the transaction."
msgstr ""

#. type: Title ==
#: documentation/content/en/articles/pam/_index.adoc:351
#, no-wrap
msgid "PAM Configuration"
msgstr ""

#. type: Title ===
#: documentation/content/en/articles/pam/_index.adoc:354
#, no-wrap
msgid "PAM Policy Files"
msgstr ""

#. type: Title ====
#: documentation/content/en/articles/pam/_index.adoc:357
#, no-wrap
msgid "The [.filename]#/etc/pam.conf#"
msgstr ""

#. type: Plain text
#: documentation/content/en/articles/pam/_index.adoc:362
msgid ""
"The traditional PAM policy file is [.filename]#/etc/pam.conf#.  This file "
"contains all the PAM policies for your system.  Each line of the file "
"describes one step in a chain, as shown below:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/articles/pam/_index.adoc:366
#, no-wrap
msgid "login   auth    required        pam_nologin.so  no_warn\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/articles/pam/_index.adoc:370
msgid ""
"The fields are, in order: service name, facility name, control flag, module "
"name, and module arguments.  Any additional fields are interpreted as "
"additional module arguments."
msgstr ""

#. type: Plain text
#: documentation/content/en/articles/pam/_index.adoc:374
msgid ""
"A separate chain is constructed for each service / facility pair, so while "
"the order in which lines for the same service and facility appear is "
"significant, the order in which the individual services and facilities are "
"listed is not.  The examples in the original PAM paper grouped configuration "
"lines by facility, and the Solaris(TM) stock [.filename]#pam.conf# still "
"does that, but FreeBSD's stock configuration groups configuration lines by "
"service.  Either way is fine; either way makes equal sense."
msgstr ""

#. type: Title ====
#: documentation/content/en/articles/pam/_index.adoc:376
#, no-wrap
msgid "The [.filename]#/etc/pam.d#"
msgstr ""

#. type: Plain text
#: documentation/content/en/articles/pam/_index.adoc:381
msgid ""
"OpenPAM and Linux-PAM support an alternate configuration mechanism, which is "
"the preferred mechanism in FreeBSD.  In this scheme, each policy is "
"contained in a separate file bearing the name of the service it applies to.  "
"These files are stored in [.filename]#/etc/pam.d/#."
msgstr ""

#. type: Plain text
#: documentation/content/en/articles/pam/_index.adoc:384
msgid ""
"These per-service policy files have only four fields instead of "
"[.filename]#pam.conf#'s five: the service name field is omitted.  Thus, "
"instead of the sample [.filename]#pam.conf# line from the previous section, "
"one would have the following line in [.filename]#/etc/pam.d/login#:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/articles/pam/_index.adoc:388
#, no-wrap
msgid "auth    required        pam_nologin.so  no_warn\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/articles/pam/_index.adoc:392
msgid ""
"As a consequence of this simplified syntax, it is possible to use the same "
"policy for multiple services by linking each service name to the same policy "
"file.  For instance, to use the same policy for the `su` and `sudo` "
"services, one could do as follows:"
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/articles/pam/_index.adoc:397
#, no-wrap
msgid ""
"# cd /etc/pam.d\n"
"# ln -s su sudo\n"
msgstr ""

#. type: Plain text
#: documentation/content/en/articles/pam/_index.adoc:400
msgid ""
"This works because the service name is determined from the file name rather "
"than specified in the policy file, so the same file can be used for multiple "
"differently-named services."
msgstr ""

#. type: Plain text
#: documentation/content/en/articles/pam/_index.adoc:402
msgid ""
"Since each service's policy is stored in a separate file, the "
"[.filename]#pam.d# mechanism also makes it very easy to install additional "
"policies for third-party software packages."
msgstr ""

#. type: Title ====
#: documentation/content/en/articles/pam/_index.adoc:404
#, no-wrap
msgid "The Policy Search Order"
msgstr ""

#. type: Plain text
#: documentation/content/en/articles/pam/_index.adoc:408
msgid ""
"As we have seen above, PAM policies can be found in a number of places.  "
"What happens if policies for the same service exist in multiple places?"
msgstr ""

#. type: Plain text
#: documentation/content/en/articles/pam/_index.adoc:410
msgid ""
"It is essential to understand that PAM's configuration system is centered on "
"chains."
msgstr ""

#. type: Title ===
#: documentation/content/en/articles/pam/_index.adoc:412
#, no-wrap
msgid "Breakdown of a Configuration Line"
msgstr ""

#. type: Plain text
#: documentation/content/en/articles/pam/_index.adoc:415
msgid ""
"As explained in crossref:pam[pam-config-file, PAM Policy Files], each line "
"in [.filename]#/etc/pam.conf# consists of four or more fields: the service "
"name, the facility name, the control flag, the module name, and zero or more "
"module arguments."
msgstr ""

#. type: Plain text
#: documentation/content/en/articles/pam/_index.adoc:418
msgid ""
"The service name is generally (though not always) the name of the "
"application the statement applies to.  If you are unsure, refer to the "
"individual application's documentation to determine what service name it "
"uses."
msgstr ""

#. type: Plain text
#: documentation/content/en/articles/pam/_index.adoc:420
msgid ""
"Note that if you use [.filename]#/etc/pam.d/# instead of [.filename]#/etc/"
"pam.conf#, the service name is specified by the name of the policy file, and "
"omitted from the actual configuration lines, which then start with the "
"facility name."
msgstr ""

#. type: Plain text
#: documentation/content/en/articles/pam/_index.adoc:423
msgid ""
"The facility is one of the four facility keywords described in "
"crossref:pam[pam-facilities-primitives, Facilities and Primitives]."
msgstr ""

#. type: Plain text
#: documentation/content/en/articles/pam/_index.adoc:428
#, no-wrap
msgid ""
"Likewise, the control flag is one of the four keywords described in\n"
"crossref:pam[pam-chains-policies, Chains and Policies], describing how to interpret the return code from the module.\n"
"Linux-PAM supports an alternate syntax that lets you specify the action to associate with each possible return code, but this should be avoided as it is non-standard and closely tied in with the way Linux-PAM dispatches service calls (which differs greatly from the way Solaris(TM) and OpenPAM do it).\n"
"Unsurprisingly, OpenPAM does not support this syntax.\n"
msgstr ""

#. type: Title ===
#: documentation/content/en/articles/pam/_index.adoc:430
#, no-wrap
msgid "Policies"
msgstr ""

#. type: Plain text
#: documentation/content/en/articles/pam/_index.adoc:433
msgid ""
"To configure PAM correctly, it is essential to understand how policies are "
"interpreted."
msgstr ""

#. type: Plain text
#: documentation/content/en/articles/pam/_index.adoc:436
msgid ""
"When an application calls man:pam_start[3], the PAM library loads the policy "
"for the specified service and constructs four module chains (one for each "
"facility).  If one or more of these chains are empty, the corresponding "
"chains from the policy for the `other` service are substituted."
msgstr ""

#. type: Plain text
#: documentation/content/en/articles/pam/_index.adoc:440
msgid ""
"When the application later calls one of the six PAM primitives, the PAM "
"library retrieves the chain for the corresponding facility and calls the "
"appropriate service function in each module listed in the chain, in the "
"order in which they were listed in the configuration.  After each call to a "
"service function, the module type and the error code returned by the service "
"function are used to determine what happens next.  With a few exceptions, "
"which we discuss below, the following table applies:"
msgstr ""

#. type: Block title
#: documentation/content/en/articles/pam/_index.adoc:441
#, no-wrap
msgid "PAM Chain Execution Summary"
msgstr ""

#. type: Table
#: documentation/content/en/articles/pam/_index.adoc:446
#, no-wrap
msgid "PAM_SUCCESS"
msgstr ""

#. type: Table
#: documentation/content/en/articles/pam/_index.adoc:447
#, no-wrap
msgid "PAM_IGNORE"
msgstr ""

#. type: Table
#: documentation/content/en/articles/pam/_index.adoc:449
#, no-wrap
msgid "other"
msgstr ""

#. type: Table
#: documentation/content/en/articles/pam/_index.adoc:450
#, no-wrap
msgid "binding"
msgstr ""

#. type: Table
#: documentation/content/en/articles/pam/_index.adoc:451
#: documentation/content/en/articles/pam/_index.adoc:466
#, no-wrap
msgid "if (!fail) break;"
msgstr ""

#. type: Table
#: documentation/content/en/articles/pam/_index.adoc:452
#: documentation/content/en/articles/pam/_index.adoc:456
#: documentation/content/en/articles/pam/_index.adoc:457
#: documentation/content/en/articles/pam/_index.adoc:461
#: documentation/content/en/articles/pam/_index.adoc:462
#: documentation/content/en/articles/pam/_index.adoc:467
#: documentation/content/en/articles/pam/_index.adoc:469
#: documentation/content/en/articles/pam/_index.adoc:471
#: documentation/content/en/articles/pam/_index.adoc:472
#: documentation/content/en/articles/pam/_index.adoc:473
#, no-wrap
msgid "-"
msgstr ""

#. type: Table
#: documentation/content/en/articles/pam/_index.adoc:454
#: documentation/content/en/articles/pam/_index.adoc:459
#, no-wrap
msgid "fail = true;"
msgstr ""

#. type: Table
#: documentation/content/en/articles/pam/_index.adoc:455
#, no-wrap
msgid "required"
msgstr ""

#. type: Table
#: documentation/content/en/articles/pam/_index.adoc:460
#, no-wrap
msgid "requisite"
msgstr ""

#. type: Table
#: documentation/content/en/articles/pam/_index.adoc:464
#, no-wrap
msgid "fail = true; break;"
msgstr ""

#. type: Table
#: documentation/content/en/articles/pam/_index.adoc:465
#, no-wrap
msgid "sufficient"
msgstr ""

#. type: Table
#: documentation/content/en/articles/pam/_index.adoc:470
#, no-wrap
msgid "optional"
msgstr ""

#. type: Plain text
#: documentation/content/en/articles/pam/_index.adoc:477
msgid ""
"If `fail` is true at the end of a chain, or when a \"break\" is reached, the "
"dispatcher returns the error code returned by the first module that failed.  "
"Otherwise, it returns `PAM_SUCCESS`."
msgstr ""

#. type: Plain text
#: documentation/content/en/articles/pam/_index.adoc:479
msgid ""
"The first exception of note is that the error code `PAM_NEW_AUTHTOK_REQD` is "
"treated like a success, except that if no module failed, and at least one "
"module returned `PAM_NEW_AUTHTOK_REQD`, the dispatcher will return "
"`PAM_NEW_AUTHTOK_REQD`."
msgstr ""

#. type: Plain text
#: documentation/content/en/articles/pam/_index.adoc:481
msgid ""
"The second exception is that man:pam_setcred[3] treats `binding` and "
"`sufficient` modules as if they were `required`."
msgstr ""

#. type: Plain text
#: documentation/content/en/articles/pam/_index.adoc:483
msgid ""
"The third and final exception is that man:pam_chauthtok[3] runs the entire "
"chain twice (once for preliminary checks and once to actually set the "
"password), and in the preliminary phase it treats `binding` and `sufficient` "
"modules as if they were `required`."
msgstr ""

#. type: Title ==
#: documentation/content/en/articles/pam/_index.adoc:485
#, no-wrap
msgid "FreeBSD PAM Modules"
msgstr ""

#. type: Title ===
#: documentation/content/en/articles/pam/_index.adoc:488
#, no-wrap
msgid "man:pam_deny[8]"
msgstr ""

#. type: Plain text
#: documentation/content/en/articles/pam/_index.adoc:492
msgid ""
"The man:pam_deny[8] module is one of the simplest modules available; it "
"responds to any request with `PAM_AUTH_ERR`.  It is useful for quickly "
"disabling a service (add it to the top of every chain), or for terminating "
"chains of `sufficient` modules."
msgstr ""

#. type: Title ===
#: documentation/content/en/articles/pam/_index.adoc:494
#, no-wrap
msgid "man:pam_echo[8]"
msgstr ""

#. type: Plain text
#: documentation/content/en/articles/pam/_index.adoc:498
msgid ""
"The man:pam_echo[8] module simply passes its arguments to the conversation "
"function as a `PAM_TEXT_INFO` message.  It is mostly useful for debugging, "
"but can also serve to display messages such as \"Unauthorized access will be "
"prosecuted\" before starting the authentication procedure."
msgstr ""

#. type: Title ===
#: documentation/content/en/articles/pam/_index.adoc:500
#, no-wrap
msgid "man:pam_exec[8]"
msgstr ""

#. type: Plain text
#: documentation/content/en/articles/pam/_index.adoc:504
msgid ""
"The man:pam_exec[8] module takes its first argument to be the name of a "
"program to execute, and the remaining arguments are passed to that program "
"as command-line arguments.  One possible application is to use it to run a "
"program at login time which mounts the user's home directory."
msgstr ""

#. type: Title ===
#: documentation/content/en/articles/pam/_index.adoc:506
#, no-wrap
msgid "man:pam_ftpusers[8]"
msgstr ""

#. type: Plain text
#: documentation/content/en/articles/pam/_index.adoc:509
msgid "The man:pam_ftpusers[8] module"
msgstr ""

#. type: Title ===
#: documentation/content/en/articles/pam/_index.adoc:511
#, no-wrap
msgid "man:pam_group[8]"
msgstr ""

#. type: Plain text
#: documentation/content/en/articles/pam/_index.adoc:515
msgid ""
"The man:pam_group[8] module accepts or rejects applicants on the basis of "
"their membership in a particular file group (normally `wheel` for "
"man:su[1]).  It is primarily intended for maintaining the traditional "
"behavior of BSD man:su[1], but has many other uses, such as excluding "
"certain groups of users from a particular service."
msgstr ""

#. type: Title ===
#: documentation/content/en/articles/pam/_index.adoc:517
#, no-wrap
msgid "man:pam_guest[8]"
msgstr ""

#. type: Plain text
#: documentation/content/en/articles/pam/_index.adoc:522
msgid ""
"The man:pam_guest[8] module allows guest logins using fixed login names.  "
"Various requirements can be placed on the password, but the default behavior "
"is to allow any password as long as the login name is that of a guest "
"account.  The man:pam_guest[8] module can easily be used to implement "
"anonymous FTP logins."
msgstr ""

#. type: Title ===
#: documentation/content/en/articles/pam/_index.adoc:524
#, no-wrap
msgid "man:pam_krb5[8]"
msgstr ""

#. type: Plain text
#: documentation/content/en/articles/pam/_index.adoc:527
msgid "The man:pam_krb5[8] module"
msgstr ""

#. type: Title ===
#: documentation/content/en/articles/pam/_index.adoc:529
#, no-wrap
msgid "man:pam_ksu[8]"
msgstr ""

#. type: Plain text
#: documentation/content/en/articles/pam/_index.adoc:532
msgid "The man:pam_ksu[8] module"
msgstr ""

#. type: Title ===
#: documentation/content/en/articles/pam/_index.adoc:534
#, no-wrap
msgid "man:pam_lastlog[8]"
msgstr ""

#. type: Plain text
#: documentation/content/en/articles/pam/_index.adoc:537
msgid "The man:pam_lastlog[8] module"
msgstr ""

#. type: Title ===
#: documentation/content/en/articles/pam/_index.adoc:539
#, no-wrap
msgid "man:pam_login_access[8]"
msgstr ""

#. type: Plain text
#: documentation/content/en/articles/pam/_index.adoc:542
msgid ""
"The man:pam_login_access[8] module provides an implementation of the account "
"management primitive which enforces the login restrictions specified in the "
"man:login.access[5] table."
msgstr ""

#. type: Title ===
#: documentation/content/en/articles/pam/_index.adoc:544
#, no-wrap
msgid "man:pam_nologin[8]"
msgstr ""

#. type: Plain text
#: documentation/content/en/articles/pam/_index.adoc:548
msgid ""
"The man:pam_nologin[8] module refuses non-root logins when [.filename]#/var/"
"run/nologin# exists.  This file is normally created by man:shutdown[8] when "
"less than five minutes remain until the scheduled shutdown time."
msgstr ""

#. type: Title ===
#: documentation/content/en/articles/pam/_index.adoc:550
#, no-wrap
msgid "man:pam_passwdqc[8]"
msgstr ""

#. type: Plain text
#: documentation/content/en/articles/pam/_index.adoc:553
msgid "The man:pam_passwdqc[8] module"
msgstr ""

#. type: Title ===
#: documentation/content/en/articles/pam/_index.adoc:555
#, no-wrap
msgid "man:pam_permit[8]"
msgstr ""

#. type: Plain text
#: documentation/content/en/articles/pam/_index.adoc:559
msgid ""
"The man:pam_permit[8] module is one of the simplest modules available; it "
"responds to any request with `PAM_SUCCESS`.  It is useful as a placeholder "
"for services where one or more chains would otherwise be empty."
msgstr ""

#. type: Title ===
#: documentation/content/en/articles/pam/_index.adoc:561
#, no-wrap
msgid "man:pam_radius[8]"
msgstr ""

#. type: Plain text
#: documentation/content/en/articles/pam/_index.adoc:564
msgid "The man:pam_radius[8] module"
msgstr ""

#. type: Title ===
#: documentation/content/en/articles/pam/_index.adoc:566
#, no-wrap
msgid "man:pam_rhosts[8]"
msgstr ""

#. type: Plain text
#: documentation/content/en/articles/pam/_index.adoc:569
msgid "The man:pam_rhosts[8] module"
msgstr ""

#. type: Title ===
#: documentation/content/en/articles/pam/_index.adoc:571
#, no-wrap
msgid "man:pam_rootok[8]"
msgstr ""

#. type: Plain text
#: documentation/content/en/articles/pam/_index.adoc:575
msgid ""
"The man:pam_rootok[8] module reports success if and only if the real user id "
"of the process calling it (which is assumed to be run by the applicant) is "
"0.  This is useful for non-networked services such as man:su[1] or "
"man:passwd[1], to which `root` should have automatic access."
msgstr ""

#. type: Title ===
#: documentation/content/en/articles/pam/_index.adoc:577
#, no-wrap
msgid "man:pam_securetty[8]"
msgstr ""

#. type: Plain text
#: documentation/content/en/articles/pam/_index.adoc:580
msgid "The man:pam_securetty[8] module"
msgstr ""

#. type: Title ===
#: documentation/content/en/articles/pam/_index.adoc:582
#, no-wrap
msgid "man:pam_self[8]"
msgstr ""

#. type: Plain text
#: documentation/content/en/articles/pam/_index.adoc:586
msgid ""
"The man:pam_self[8] module reports success if and only if the name of the "
"applicant matches that of the target account.  It is most useful for non-"
"networked services such as man:su[1], where the identity of the applicant "
"can be easily verified."
msgstr ""

#. type: Title ===
#: documentation/content/en/articles/pam/_index.adoc:588
#, no-wrap
msgid "man:pam_ssh[8]"
msgstr ""

#. type: Plain text
#: documentation/content/en/articles/pam/_index.adoc:594
msgid ""
"The man:pam_ssh[8] module provides both authentication and session "
"services.  The authentication service allows users who have passphrase-"
"protected SSH secret keys in their [.filename]#~/.ssh# directory to "
"authenticate themselves by typing their passphrase.  The session service "
"starts man:ssh-agent[1] and preloads it with the keys that were decrypted in "
"the authentication phase.  This feature is particularly useful for local "
"logins, whether in X (using man:xdm[8] or another PAM-aware X login manager) "
"or at the console."
msgstr ""

#. type: Title ===
#: documentation/content/en/articles/pam/_index.adoc:596
#, no-wrap
msgid "man:pam_tacplus[8]"
msgstr ""

#. type: Plain text
#: documentation/content/en/articles/pam/_index.adoc:599
msgid "The man:pam_tacplus[8] module"
msgstr ""

#. type: Title ===
#: documentation/content/en/articles/pam/_index.adoc:601
#, no-wrap
msgid "man:pam_unix[8]"
msgstr ""

#. type: Plain text
#: documentation/content/en/articles/pam/_index.adoc:606
msgid ""
"The man:pam_unix[8] module implements traditional UNIX(R) password "
"authentication, using man:getpwnam[3] to obtain the target account's "
"password and compare it with the one provided by the applicant.  It also "
"provides account management services (enforcing account and password "
"expiration times) and password-changing services.  This is probably the "
"single most useful module, as the great majority of admins will want to "
"maintain historical behavior for at least some services."
msgstr ""

#. type: Title ==
#: documentation/content/en/articles/pam/_index.adoc:608
#, no-wrap
msgid "PAM Application Programming"
msgstr ""

#. type: Plain text
#: documentation/content/en/articles/pam/_index.adoc:611
#: documentation/content/en/articles/pam/_index.adoc:616
msgid "This section has not yet been written."
msgstr ""

#. type: Title ==
#: documentation/content/en/articles/pam/_index.adoc:613
#, no-wrap
msgid "PAM Module Programming"
msgstr ""

#. type: Title ==
#: documentation/content/en/articles/pam/_index.adoc:621
#, no-wrap
msgid "Sample PAM Application"
msgstr ""

#. type: Plain text
#: documentation/content/en/articles/pam/_index.adoc:628
msgid ""
"The following is a minimal implementation of man:su[1] using PAM.  Note that "
"it uses the OpenPAM-specific man:openpam_ttyconv[3] conversation function, "
"which is prototyped in [.filename]#security/openpam.h#.  If you wish to build "
"this application on a system with a different PAM library, you will have to "
"provide your own conversation function.  A robust conversation function is "
"surprisingly difficult to implement; the one presented in crossref:pam[pam-"
"sample-conv, Sample PAM Conversation Function] is a good starting point, but "
"should not be used in real-world applications."
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/articles/pam/_index.adoc:632
#, no-wrap
msgid "include::{include-path}su.c[]\n"
msgstr ""

#. type: Title ==
#: documentation/content/en/articles/pam/_index.adoc:638
#, no-wrap
msgid "Sample PAM Module"
msgstr ""

#. type: Plain text
#: documentation/content/en/articles/pam/_index.adoc:642
msgid ""
"The following is a minimal implementation of man:pam_unix[8], offering only "
"authentication services.  It should build and run with most PAM "
"implementations, but takes advantage of OpenPAM extensions if available: "
"note the use of man:pam_get_authtok[3], which enormously simplifies "
"prompting the user for a password."
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/articles/pam/_index.adoc:646
#, no-wrap
msgid "include::{include-path}pam_unix.c[]\n"
msgstr ""

#. type: Title ==
#: documentation/content/en/articles/pam/_index.adoc:652
#, no-wrap
msgid "Sample PAM Conversation Function"
msgstr ""

#. type: Plain text
#: documentation/content/en/articles/pam/_index.adoc:657
msgid ""
"The conversation function presented below is a greatly simplified version of "
"OpenPAM's man:openpam_ttyconv[3].  It is fully functional, and should give "
"the reader a good idea of how a conversation function should behave, but it "
"is far too simple for real-world use.  Even if you are not using OpenPAM, "
"feel free to download the source code and adapt man:openpam_ttyconv[3] to "
"your uses; we believe it to be as robust as a tty-oriented conversation "
"function can reasonably get."
msgstr ""

#. type: delimited block . 4
#: documentation/content/en/articles/pam/_index.adoc:661
#, no-wrap
msgid "include::{include-path}converse.c[]\n"
msgstr ""

#. type: Title ==
#: documentation/content/en/articles/pam/_index.adoc:666
#, no-wrap
msgid "Further Reading"
msgstr ""

#. type: Title ===
#: documentation/content/en/articles/pam/_index.adoc:668
#, no-wrap
msgid "Papers"
msgstr ""

#. type: Plain text
#: documentation/content/en/articles/pam/_index.adoc:671
msgid ""
"_Making Login Services Independent of Authentication Technologies_. Vipin "
"Samar. Charlie Lai. Sun Microsystems."
msgstr ""

#. type: Plain text
#: documentation/content/en/articles/pam/_index.adoc:673
msgid ""
"_link:https://pubs.opengroup.org/onlinepubs/8329799/toc.htm[X/Open Single "
"Sign-on Preliminary Specification]_. The Open Group. 1-85912-144-6. June "
"1997."
msgstr ""

#. type: Plain text
#: documentation/content/en/articles/pam/_index.adoc:675
msgid ""
"_link:https://mirrors.kernel.org/pub/linux/libs/pam/pre/doc/draft-morgan-"
"pam-07.txt[Pluggable Authentication Modules]_. Andrew G. Morgan. 1999-10-06."
msgstr ""

#. type: Title ===
#: documentation/content/en/articles/pam/_index.adoc:676
#, no-wrap
msgid "User Manuals"
msgstr ""

#. type: Plain text
#: documentation/content/en/articles/pam/_index.adoc:679
msgid ""
"_link:https://docs.oracle.com/cd/E26505_01/html/E27224/pam-1.html[PAM "
"Administration]_. Sun Microsystems."
msgstr ""

#. type: Title ===
#: documentation/content/en/articles/pam/_index.adoc:680
#, no-wrap
msgid "Related Web Pages"
msgstr ""

#. type: Plain text
#: documentation/content/en/articles/pam/_index.adoc:683
msgid ""
"_link:https://www.openpam.org/[OpenPAM homepage]_. Dag-Erling Smørgrav. "
"ThinkSec AS."
msgstr ""

#. type: Plain text
#: documentation/content/en/articles/pam/_index.adoc:685
msgid ""
"_link:http://www.kernel.org/pub/linux/libs/pam/[Linux-PAM homepage]_. Andrew "
"Morgan."
msgstr ""

#. type: Plain text
#: documentation/content/en/articles/pam/_index.adoc:686
msgid "_Solaris PAM homepage_. Sun Microsystems."
msgstr ""