From 454ade95b7c6ee01587bf215944bfb6c5980d42f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dag-Erling=20Sm=C3=B8rgrav?= <des@FreeBSD.org>
Date: Thu, 6 Feb 2003 11:50:55 +0000
Subject: [PATCH] Reword parts of the "Policies" section (old uncommitted diff)
 Start writing the "FreeBSD PAM Modules" section, which will provide short
 descriptions of each of the PAM modules we ship in the base system, along
 with recommendations about their use.

Note to translators: more to come in the very near future, so you may
wish to hold back on this one for a while.

Sponsored by:	DARPA, NAI Labs
---
 en_US.ISO8859-1/articles/pam/article.sgml | 209 +++++++++++++++++++++-
 1 file changed, 201 insertions(+), 8 deletions(-)

diff --git a/en_US.ISO8859-1/articles/pam/article.sgml b/en_US.ISO8859-1/articles/pam/article.sgml
index 574730912f..65240eb7df 100644
--- a/en_US.ISO8859-1/articles/pam/article.sgml
+++ b/en_US.ISO8859-1/articles/pam/article.sgml
@@ -4,7 +4,7 @@
 ]>
 
 <!--
-  - Copyright (c) 2001,2002 Networks Associates Technology, Inc.
+  - Copyright (c) 2001-2003 Networks Associates Technology, Inc.
   - All rights reserved.
   -
   - This software was developed for the FreeBSD Project by ThinkSec AS and
@@ -835,14 +835,14 @@ sshd	password	required	pam_permit.so</programlisting>
       <title id="pam-policies.title">Policies</title>
 
       <para>To configure PAM correctly, it is essential to understand
-	how chains are executed.</para>
+	how policies are interpreted.</para>
 
       <para>When an application calls &man.pam.start.3;, the PAM
-	library loads the configuration for the specified service and
-	constructs four module chains (one for each facility.)  If the
-	configuration does not specify any modules for one or more
-	facilities, the configuration for the <literal>other</literal>
-	service is used instead for these facilities.</para>
+	library loads the policy for the specified service and
+	constructs four module chains (one for each facility.)  If one
+	or more of these chains are empty, the corresponding chains
+	from the policy for the <literal>other</literal> service are
+	substituted.</para>
 
       <para>When the application later calls one of the six PAM
 	primitives, the PAM library retrieves the chain for the
@@ -927,7 +927,200 @@ sshd	password	required	pam_permit.so</programlisting>
   <section id="pam-freebsd-modules">
     <title id="pam-freebsd-modules.title">FreeBSD PAM Modules</title>
 
-    <para><!--XXX-->This section has not yet been written.</para>
+    <section id="pam-modules-deny">
+      <title id="pam-modules-deny.title">&man.pam.deny.8;</title>
+
+      <para>The &man.pam.deny.8; module is one of the simplest modules
+	available; it resonds <literal>PAM_AUTH_ERR</literal> to all
+	requests.  It is useful for quickly disabling a service (add
+	it to the top of every chain), or for terminating chains of
+	<literal>sufficient</literal> modules.</para>
+    </section>
+
+    <section id="pam-modules-echo">
+      <title id="pam-modules-echo.title">&man.pam.echo.8;</title>
+
+      <para>The &man.pam.echo.8; module</para>
+    </section>
+
+    <section id="pam-modules-exec">
+      <title id="pam-modules-exec.title">&man.pam.exec.8;</title>
+
+      <para>The &man.pam.exec.8; module</para>
+    </section>
+
+    <section id="pam-modules-ftp">
+      <title id="pam-modules-ftp.title">&man.pam.ftp.8;</title>
+
+      <para>The &man.pam.ftp.8; module</para>
+    </section>
+
+    <section id="pam-modules-ftpusers">
+      <title id="pam-modules-ftpusers.title">&man.pam.ftpusers.8;</title>
+
+      <para>The &man.pam.ftpusers.8; module</para>
+    </section>
+
+    <section id="pam-modules-kerberosIV">
+      <title id="pam-modules-kerberosIV.title">&man.pam.kerberosIV.8;</title>
+
+      <para>The &man.pam.kerberosIV.8; module</para>
+    </section>
+
+    <section id="pam-modules-krb5">
+      <title id="pam-modules-krb5.title">&man.pam.krb5.8;</title>
+
+      <para>The &man.pam.krb5.8; module</para>
+    </section>
+
+    <section id="pam-modules-ksu">
+      <title id="pam-modules-ksu.title">&man.pam.ksu.8;</title>
+
+      <para>The &man.pam.ksu.8; module</para>
+    </section>
+
+    <section id="pam-modules-lastlog">
+      <title id="pam-modules-lastlog.title">&man.pam.lastlog.8;</title>
+
+      <para>The &man.pam.lastlog.8; module</para>
+    </section>
+
+    <section id="pam-modules-login-access">
+      <title id="pam-modules-login-access.title">&man.pam.login.access.8;</title>
+
+      <para>The &man.pam.login.access.8; module</para>
+    </section>
+
+    <section id="pam-modules-nologin">
+      <title id="pam-modules-nologin.title">&man.pam.nologin.8;</title>
+
+      <para>The &man.pam.nologin.8; module</para>
+    </section>
+
+    <section id="pam-modules-opie">
+      <title id="pam-modules-opie.title">&man.pam.opie.8;</title>
+
+      <para>The &man.pam.opie.8; module implements the &man.opie.4;
+	authentication method.  The &man.opie.4; system is a
+	challenge-response mechanism where the response to each
+	challenge is a direct function of the challenge and a
+	passphrase, so the response can be easily computed <quote>just
+	in time</quote> by anyone possessing the passphrase,
+	eliminating the need for password lists.  Moreover, since
+	&man.opie.4; never reuses a challenge that has been correctly
+	answered, it is not vulnerable to replay attacks.</para>
+    </section>
+
+    <section id="pam-modules-opieaccess">
+      <title id="pam-modules-opieaccess.title">&man.pam.opieaccess.8;</title>
+
+      <para>The &man.pam.opieaccess.8; module is a companion module to
+	&man.pam.opie.8;.  Its purpose is to enforce the restrictions
+	codified in &man.opieaccess.5;, which regulate the conditions
+	under which a user who would normally authenticate herself
+	using &man.opie.4; is allowed to use alternate methods.  This
+	is most often used to prohibit the use of password
+	authentication from untrusted hosts.</para>
+
+      <para>In order to be effective, the &man.pam.opieaccess.8;
+	module must be listed as <literal>required</literal>
+	immediately after a <literal>sufficient</literal> entry for
+	&man.pam.opie.8;, and before any other modules, in the
+	<literal>auth</literal> chain.</para>
+    </section>
+
+    <section id="pam-modules-passwdqc">
+      <title id="pam-modules-passwdqc.title">&man.pam.passwdqc.8;</title>
+
+      <para>The &man.pam.passwdqc.8; module</para>
+    </section>
+
+    <section id="pam-modules-permit">
+      <title id="pam-modules-permit.title">&man.pam.permit.8;</title>
+
+      <para>The &man.pam.permit.8; module is one of the simplest
+	modules available; it responds <literal>PAM_SUCCESS</literal>
+	to all requests.  It is useful as a placeholder for services
+	where one or more chains would otherwise be empty.</para>
+    </section>
+
+    <section id="pam-modules-radius">
+      <title id="pam-modules-radius.title">&man.pam.radius.8;</title>
+
+      <para>The &man.pam.radius.8; module</para>
+    </section>
+
+    <section id="pam-modules-rhosts">
+      <title id="pam-modules-rhosts.title">&man.pam.rhosts.8;</title>
+
+      <para>The &man.pam.rhosts.8; module</para>
+    </section>
+
+    <section id="pam-modules-rootok">
+      <title id="pam-modules-rootok.title">&man.pam.rootok.8;</title>
+
+      <para>The &man.pam.rootok.8; module reports success if and only
+	if the real user id of the process calling it (which is
+	assumed to be run by the applicant) is 0.  This is useful for
+	non-networked services such as &man.su.1; or &man.passwd.1;,
+	to which the <literal>root</literal> should have automatic
+	access.</para>
+    </section>
+
+    <section id="pam-modules-securetty">
+      <title id="pam-modules-securetty.title">&man.pam.securetty.8;</title>
+
+      <para>The &man.pam.securetty.8; module</para>
+    </section>
+
+    <section id="pam-modules-self">
+      <title id="pam-modules-self.title">&man.pam.self.8;</title>
+
+      <para>The &man.pam.self.8; module reports success if and only if
+	the names of the applicant matches that of the target account.
+	It is most useful for non-networked services such as
+	&man.su.1;, where the identity of the applicant can be easily
+	verified.</para>
+    </section>
+
+    <section id="pam-modules-ssh">
+      <title id="pam-modules-ssh.title">&man.pam.ssh.8;</title>
+
+      <para>The &man.pam.ssh.8; module</para>
+    </section>
+
+    <section id="pam-modules-tacplus">
+      <title id="pam-modules-tacplus.title">&man.pam.tacplus.8;</title>
+
+      <para>The &man.pam.tacplus.8; module</para>
+    </section>
+
+    <section id="pam-modules-unix">
+      <title id="pam-modules-unix.title">&man.pam.unix.8;</title>
+
+      <para>The &man.pam.unix.8; module implements traditional Unix
+	password authentication, using &man.getpwnam.3; to obtain the
+	target account's password and compare it with the one provided
+	by the applicant.  It also provides account management
+	services (enforcing account and password expiration times) and
+	password-changing services.  This is probably the single most
+	useful module, as the great majority of admins will want to
+	maintain historical behaviour for at least some
+	services.</para>
+    </section>
+
+    <section id="pam-modules-wheel">
+      <title id="pam-modules-wheel.title">&man.pam.wheel.8;</title>
+
+      <para>The &man.pam.wheel.8; module rejects applicant which are
+	not members of the <literal>wheel</literal> group, or some
+	other file group specified in the module options.  It is
+	primarily intended for maintaining the traditional behaviour
+	of BSD &man.su.1;.  Linux and SysV-derived Unices generally do
+	not enforce <literal>wheel</literal> membership, so some
+	admins may wish to disable this for consistency with other
+	systems in their network.</para>
+    </section>
   </section>
 
   <section id="pam-appl-prog">