pam_access patch part 2 of 5
patches which enable manual stuff for PAM itself
p05-Linux-PAM-0.99.2.1-modules-pam_access-access.conf.5
p09-Linux-PAM-0.99.2.1-modules-pam_access-login.access.5
p11-Linux-PAM-0.99.2.1-modules-pam_access-pam_access.8
short description:
-----------------
These patches enable:
* convert_hostname feature
* IPv4(/) IPv6 support
* the network(address) / netmask feature
* external helper feature
* manual support
best regards,
mike
-----------------------------------------------------------------------------
Mike Becher Mike.Becher@xxxxxxxxxxxxxxx
Leibniz-Rechenzentrum der http://www.lrz.de
Bayerischen Akademie der Wissenschaften phone: +49-89-289-28721
Gruppe Hochleistungssysteme fax: +49-89-280-9460
Barer Strasse 21
D-80333 Muenchen
Germany
-----------------------------------------------------------------------------
diff -u -r -N Linux-PAM-0.99.2.1.orig/modules/pam_access/access.conf.5 Linux-PAM-0.99.2.1/modules/pam_access/access.conf.5 --- Linux-PAM-0.99.2.1.orig/modules/pam_access/access.conf.5 1970-01-01 01:00:00.000000000 +0100 +++ Linux-PAM-0.99.2.1/modules/pam_access/access.conf.5 2006-01-02 17:24:32.000000000 +0100
@@ -0,0 +1,219 @@ +.\" -*- nroff -*- +.\" @(#)access.conf.5 1.14 2005/12/12 17:57:23 mibe +.\" +.TH access.conf 5 "12 December 2005" "Version 1.14" "Reference Manual" +.SH NAME +access.conf \- The login access control table file +.SH DESCRIPTION +Original +.BR login.access (5) +manual was provided by +.I Guido van Rooij +which was renamed to +.BR access.conf (5) +to reflect relation to default config file. +The +.B access.conf +file specifies (\fIuser\fP, \fIhost\fP), (\fIuser\fP, +\fInetwork/netmask\fP) or (\fIuser\fP, \fItty\fP) combinations for +which a login will be either accepted or refused. + +When someone logs in, the file \fIaccess.conf\fP is scanned for the +first entry that matches the (\fIuser\fP, \fIhost\fP) or (\fIuser\fP, +\fInetwork/netmask\fP) combination, or, in case of non-networked +logins, the first entry that matches the (\fIuser\fP, \fItty\fP) +combination. The permissions field of that table entry determines +whether the login will be accepted or refused. + +Each line of the login access control table has three fields separated +by a +.B : +character (colon) and looks like: + +.RB "\fIPERMISSION\fP : \fIUSERS\fP : \fIORIGINS\fP" + +The first field, the +.I PERMISSION +field, can be either a +.B + +character (plus) for access granted or a +.B - +character (minus) for access denied. + +The second field, the +.I USERS +field, should be a list of one or more login names, group names, or +\fBALL\fP (which always matches). + +The third field, the +.I ORIGINS +field, should be a list of one or more tty names (for non-networked +logins), host names, domain names (begin with "."), host addresses, +internet network numbers (end with "."), internet network addresses +with network mask (where network mask can be a decimal number or an +internet address also), \fBALL\fP (which always matches) or +\fBLOCAL\fP (which matches any string that does not contain a "." +character). +If you run NIS you can use \fB@\fP\fInetgroupname\fP in host or user patterns. 
+ +The \fBEXCEPT\fP operator makes it possible to write very compact rules. + +The group file is searched only when a name does not match that of the +logged-in user. +Only groups are matched in which users are explicitly listed: the +program does not look at a user's primary group id value. + +The +.B # +character at start of line (no space at front) can be used to mark this line as +a comment line. + +.B HINT: + +It is a good idea to specify a line like + +\fB + : ALL : ALL \fP + +or + +\fB - : ALL : ALL \fP + +as last line in access control files. So it is clear that all users +that aren't matched by lines before are getting access granted or +denied. If you don't do this a user gets access to a service if access +was not explicitly denied for him through a rule. + +.SH EXAMPLES +These are some example lines which might be specified in +.B access.conf +file. + +User +.I root +should be allowed to get access via \fIsu\fP, \fIcron\fP, \fIxdm\fP, +X11 terminal \fI:0\fP, ..., \fItty5\fP \fItty6\fP. + + + : root : su cron crond xdm :0 tty1 tty2 tty3 tty4 tty5 tty6 + +User +.I root +should be allowed to get access from hosts with IPv4 addresses: + + + : root : 192.168.200.1 192.168.200.4 192.168.200.9 + + + : root : 127.0.0.1 + +User +.I root +should get access from network +.I 192.168.201. +where the term will be evaluated by string matching. But +it might be better to use network/netmask instead. +The same meaning of \fI192.168.201.\fP is \fI192.168.201.0/24\fP +or \fI192.168.201.0/255.255.255.0\fP . + + + : root : 192.168.201. + +User +.I root +should be able to have access from hosts +.I foo1.bar.org +and +.I foo2.bar.org +(uses string matching also). + + + : root : foo1.bar.org foo2.bar.org + +User +.I root +should be able to have access from domain +.I foo.bar.org (uses string matching also). + + + : root : .foo.bar.org + +User +.I root +should be denied to get access from all other sources. 
+ + - : root : ALL + +User +.I foo +and members of NIS group +.I nis_group +should be allowed to get access from all sources. +This will only work if NIS service is available. + + + : @nis_group foo : ALL + +User +.I xfs +and +.I foo +should be allowed to get acccess via +.I su . + + + : xfs foo : su + +User +.I john +should get access from IPv4 net/mask. + + + : john : 127.0.0.0/24 + +User +.I john +should get access from IPv4 as IPv6 net/mask. + + + : john : ::ffff:127.0.0.0/127 + +User +.I john +should get access from IPv6 host address. + + + : john : 2001:4ca0:0:101::1 + +User +.I john +should get access from IPv6 host address (same as above). + + + : john : 2001:4ca0:0:101:0:0:0:1 + +User +.I john +should get access from IPv6 net/mask. + + + : john : 2001:4ca0:0:101::/64 + +All other users should be denied to get access from all sources. + + - : ALL : ALL + +.SH FILES +Normally the +.B access.conf +file resides in +.I /etc/security +but this depends on configuration at compilation time. Thats why +please run +.BR check_login_access (8) +to find out which is the default config file for +.BR pam_access (8) . +.SH SEE ALSO +.BR check_login_access (8) , +.BR pam_access (8) , +.BR pam.d (8) , +and +.BR pam (8) . +.SH AUTHORS +Original +.BR login.access (5) +manual was provided by +.I Guido van Rooij +which was renamed to +.BR access.conf (5) +to reflect relation to default config file. + +.B Network address / netmask +description and example text was introduced by +.I Mike Becher <mike.becher@xxxxxxxxxxxxxxx>.
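Review bot: the IPv4-mapped IPv6 example in this hunk does not mirror the IPv4 example it is introduced as the equivalent of: `+ : john : 127.0.0.0/24` covers 256 addresses, while `+ : john : ::ffff:127.0.0.0/127` covers only two (::ffff:127.0.0.0 and ::ffff:127.0.0.1); the matching prefix inside the ::ffff:0:0/96 mapped block is ::ffff:127.0.0.0/120. Since administrators copy these lines verbatim, either correct the prefix length or reword "IPv4 as IPv6 net/mask" so it no longer implies equivalence. The EXCEPT operator is mentioned ("makes it possible to write very compact rules") but its syntax is never described and no example uses it; add at least one line showing it. The HINT section rightly states that without a final catch-all line any user not matched by an earlier rule is granted access; because that is a fail-open default, consider recommending `- : ALL : ALL` as the closing line rather than presenting `+ : ALL : ALL` as an equal alternative. Minor: "acccess" has an extra c, "Thats why please run" should read "That is why you should run", and the SEE ALSO entry check_login_access(8) is not added by this patch, so the cross-reference dangles unless another part of the series provides it.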
diff -u -r -N Linux-PAM-0.99.2.1.orig/modules/pam_access/login.access.5 Linux-PAM-0.99.2.1/modules/pam_access/login.access.5 --- Linux-PAM-0.99.2.1.orig/modules/pam_access/login.access.5 1970-01-01 01:00:00.000000000 +0100 +++ Linux-PAM-0.99.2.1/modules/pam_access/login.access.5 2006-01-02 17:24:32.000000000 +0100 @@ -0,0 +1 @@ +.so man5/access.conf.5
diff -u -r -N Linux-PAM-0.99.2.1.orig/modules/pam_access/pam_access.8 Linux-PAM-0.99.2.1/modules/pam_access/pam_access.8 --- Linux-PAM-0.99.2.1.orig/modules/pam_access/pam_access.8 1970-01-01 01:00:00.000000000 +0100 +++ Linux-PAM-0.99.2.1/modules/pam_access/pam_access.8 2006-01-02 20:48:25.000000000 +0100 
@@ -0,0 +1,157 @@ +.\" -*- nroff -*- +.\" @(#)pam_access.8 1.0.4 2006/01/02 17:41:24 mibe +.\" +.TH pam_access 8 "2 January 2006" "Version 1.0.4" "Reference Manual" +.SH NAME +pam_access - PAM module for logdaemon style login access +control +.SH DESCRIPTION +The +.B pam_access +PAM module is mainly for access management. It provides logdaemon +style login access control based on login names, host or domain names, +internet addresses or network numbers, or on terminal line names +in case of non-networked logins. + +By default rules for access management are taken from config file +.B access.conf +which resides in +.I /etc/security +if you don't specify another file. But this depends on configuration +at compilation time. Thats why please run +.BR check_login_access (8) +to find out which is the default config file for +.BR pam_access (8) . + +.SH OPTIONS +The prefered options with argument are the options with equal sign. +Options without equal sign are depricated for usage. The following +options may be passed to the module. +.TP +.B accessfile=\fI/path/to/file.conf\fP +Indicate an alternative \fIaccess.conf\fP style configuration file to +override the default. This can be useful when different services need +different access lists. +.TP +.B ask_helper_only +Ask external helper program only if a user should get access to this +service or not. Access control table will not be evaluated. Option +\fBhelperfile\fP must be specified also to activate this option. +.TP +.B convert_hostname +If a hostname was specified in config file then try to convert it to IP address. +.TP +.B debug +A lot of debug informations are printed with +.BR syslog (3). +.TP +.B file=\fI/path/to/file.conf\fP +Same meaning like \fBaccessfile=\fP\fI/path/to/file.conf\fP. 
+(for compatibility if someone has used the +.B pam_login_access +module) +.TP +.B fieldsep=\fIseparators\fP +This option modifies the field separator character that +\fBpam_access\fP will recognize when parsing the access configuration +file. For example: \fBfieldsep=|\fP will cause the default `:' +character to be treated as part of a field value and `|' becomes the +field separator. Doing this may be useful in conjuction with a system that +wants to use pam_access with X based applications, since the +\fBPAM_TTY\fP item is likely to be of the form "hostname:0" which +includes a `:' character in its value. But you should not need this. +.TP +.B helperfile=\fI/path/to/helper/executable\fP +If an external helper program was specified it will be asked +if a user should get access to this service or not. If option +\fBask_helper_only\fP was not specified this will be done +after processing of access control table but only if user doesn't get +access granted yet through evaluation process of access control table. +Please have a look at \fBverify_access\fP helper script decription in +section +.B FILES +below. +.TP +.B listsep=\fIseparators\fP +This option modifies the list separator character that +\fBpam_access\fP will recognize when parsing the access configuration +file. For example: \fBlistsep=,\fP will cause the default ` ' (space) and +`\\t' (tab) characters to be treated as part of a list element value and `,' +becomes the only list element separator. Doing this may be useful on a system +with group information obtained from a Windows domain, where the default +built-in groups "Domain Users", "Domain Admins" contain a space. +.TP +.B onerr=fail\||\|success +If an internal error occured let module return with failed or success. This means +for example access is forbidden or access is granted. Access granted is the default +behavior. 
+ +.SH DEPRECATED OPTIONS +.TP +.B file \fI/path/to/file.conf\fP +.TP +.B onerr fail\||\|success + +.SH FILES +Default configuration file is +.B access.conf +which resides in +.I /etc/security +but this depends on configuration at compilation time. Please +run +.BR check_login_access (8) +to find out which is the default file for +.BR pam_access (8) . + +A sample +.B verify_access +helper script may be included with the distribution. This helper +script will be called by +.BR pam_access (8) +module with the following command line + + /path/to/verify_access user from + +where \fIfrom\fP may be a tty, X display, service, remote hostname, +or remote address. The helper executable should return with \fB0\fP +(zero) if access to this service is granted and with \fB1\fP (one) +if access is denied. All other exit codes result in an internal error, +access will be denied, and a log message will be produced. + +.SH SEE ALSO +.BR access.conf (5) , +.BR login.access (5) , +.BR check_login_access (8) , +.BR pam.d (8) , +and +.BR pam (8) . +.SH AUTHORS +The +.B logdaemon style login access control scheme +was designed and implemented by +.I Wietse Venema. + +The +.B pam_access +PAM module was developed by +.I Alexei Nogin <alexei@xxxxxxxxxxxxxx>. + +The +.B convert_hostname +feature was developed and provided by +.I Thomas Mueller. + +The +.B IPv4(/) IPv6 support +, the +.B network(address) / netmask +feature, and the +.B external helper +feature was developed and provided by +.I Mike Becher <mike.becher@xxxxxxxxxxxxxxx>. +Merge of +.B pam_access +and +.BR pam_access (8) +code was also done by him. +
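Review bot: the helper exit-code paragraph and the `onerr` option in this hunk describe contradictory behaviour on internal errors: the FILES section says that any helper exit code other than 0 or 1 results "in an internal error, access will be denied", while `onerr=fail|success` says that on an internal error "Access granted is the default". One of the two should change, or the FILES text should say the outcome follows `onerr`. Separately, a fail-open default (`onerr=success`) in an access-control module deserves an explicit sentence recommending `onerr=fail` for services where an unexpected grant is worse than a denial. The `helperfile=` entry should also state which privileges the helper runs with and that its second argument (`from`) can be a remote hostname or address supplied by the connecting side, so the helper must treat it as untrusted input and the path should point to a root-owned, non-writable executable. Minor spelling: "prefered", "depricated", "conjuction", "informations", "occured", "decription"; and in AUTHORS "Merge of pam_access and pam_access (8) code" reads as merging a module with itself, presumably the second name should be pam_login_access, which the `file=` option mentions.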
_______________________________________________ Pam-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/pam-list