From 5089c5210c045dae235f922cb33ab527fb456cfe Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dag-Erling=20Sm=C3=B8rgrav?= Date: Tue, 11 Dec 2001 11:08:10 +0000 Subject: [PATCH] Checkpoint commit. --- en_US.ISO8859-1/articles/pam/article.sgml | 273 ++++++++++++++++++++-- 1 file changed, 249 insertions(+), 24 deletions(-) diff --git a/en_US.ISO8859-1/articles/pam/article.sgml b/en_US.ISO8859-1/articles/pam/article.sgml index fe80a172eb..8fb95496e2 100644 --- a/en_US.ISO8859-1/articles/pam/article.sgml +++ b/en_US.ISO8859-1/articles/pam/article.sgml @@ -33,7 +33,7 @@ FreeBSD Entities//EN"> %freebsd; - Introduction + Introduction The Pluggable Authentication Modules (PAM) library is a generalized API for authentication-related services which allows @@ -62,11 +62,15 @@ FreeBSD Entities//EN"> %freebsd; UNIX and The Open Group are trademarks or registered trademarks of The Open Group. + + All other brand or product names mentioned in this + document may be trademarks or registered trademarks of their + respective owners. - Terms and conventions + Terms and conventions Definitions @@ -186,17 +190,17 @@ FreeBSD Entities//EN"> %freebsd; - target + account - The user or entity whose credentials the applicant - is requesting. + The set of credentials the applicant is requesting + from the arbitrator. token - A chunk of information associated with the target, + A chunk of information associated with the account, such as a password or passphrase, which the applicant must provide to prove his identity. @@ -233,7 +237,8 @@ alice -r-sr-xr-x 1 root wheel 10744 Dec 6 19:06 /usr/bin/su &prompt.user; su - Password: xi3kiune -&prompt.root; +&prompt.root; whoami +root @@ -241,7 +246,7 @@ Password: xi3kiune The applicant is alice. - The target is root. + The account is root. The &man.su.1; process is both client and 
@@ -261,7 +266,7 @@ Password: xi3kiune Client and server are separate - The example below shows alice try to + The example below shows eve try to initiate an &man.ssh.1; connection to login.example.com, ask to log in as bob, and succeed. Bob should have chosen @@ -291,7 +296,7 @@ Welcome to FreeBSD! login.example.com - The target is bob. + The account is bob. The authentication token is @@ -310,11 +315,11 @@ Welcome to FreeBSD! The following is FreeBSD's default policy for sshd: -sshd auth required pam_nologin.so no_warn +sshd auth required pam_nologin.so no_warn sshd auth required pam_unix.so no_warn try_first_pass sshd account required pam_unix.so sshd session required pam_permit.so -sshd password required pam_permit.so +sshd password required pam_permit.so 
@@ -349,40 +354,260 @@ sshd password required pam_permit.so - PAM Essentials + PAM Essentials - This section describes the central concepts of PAM. + + Facilities and primitives + + The PAM API offers six different authentication primitives + grouped in four facilities, which are described below. + + + + auth + + Authentication. This facility + concerns itself with authenticating the applicant and + establishing the account credentials. It provides two + primitives: + + + + pam_authenticate + authenticates the applicant, usually by requesting + an authentication token and comparing it with a + value stored in a database or obtained from an + authentication server. + + + + pam_setcred establishes + account credentials such as user ID, group + membership and resource limits. + + + + + + + account + + Account management. This + facility handles non-authentication-related issues of + account availability, such as access restrictions based + on the time of day or the server's work load. It + provides a single primitive: + + + + pam_acct_mgmt verifies that + the requested account is available. + + + + + + + session + + Session management. This + facility handles tasks associated with session set-up + and tear-down, such as login accounting. It provides + two primitives: + + + + pam_open_session performs + tasks associated with session set-up: add an entry + in the utmp and + wtmp databases, start an SSH + agent, etc. + + + + pam_close_session performs + tasks associated with session tear-down: add an + entry in the utmp and + wtmp databases, stop the SSH + agent, etc. + + + + + + + password + + Password management. This + facility is used to change the authentication token + associated with an account, either because it has + expired or because the user wishes to change it. It + provides a single primitive: + + + + pam_chauthtok changes the + authentication token, optionally verifying that it + is sufficiently hard to guess, has not been used + previously, etc. 
+ + + + + + + + + + Modules + + Modules are a very central concept in PAM; after all, + they're the M in PAM. A PAM + module is a self-contained piece of program code that + implements the primitives in one or more facilities for one + particular mechanism; possible mechanisms for the + authentication facility, for instance, include the UNIX + password database, NIS, LDAP and Radius. + + FreeBSD groups all facilities for the same mechanism in + one module called pam_mechanism.so. The + original PAM implementation, on the other hand, had separate + modules for each facility, called + pam_mechanism_facility.so. + + + + Chains and policies + + Explain chains and policies + + + + Transactions + + Describe a transaction from start to finish + - PAM Configuration + PAM Configuration - This section describes how to configure PAM on - FreeBSD. + + Location of configuration files + + The traditional PAM configuration file is + /etc/pam.conf. This file contains all + the PAM policies for your system. Each line of the file + describes one step in a chain, as shown below: + +login auth required pam_nologin.so no_warn + + The fields are, in order: service name, facility name, + control flag, module name, and module arguments. Any + additional fields are interpreted as additional module + arguments. + + A separate chain is constructed for each service / + facility pair, so while the order in which lines for the same + service and facility appear is significant, the order in which + the individual services and facilities are listed is + not—except that entries for the other + service, which serves as a fall-back, should come last. The + examples in the original PAM paper grouped configuration lines + by facility, and Solaris' stock pam.conf + still does that, but Linux-PAM (and hence FreeBSD) groups + configuration lines by service. Either way is fine; either + way makes equal sense. 
+ + Linux-PAM offers an alternate configuration mechanism, + where policies are contained in separate files, named for the + service they apply to, in /etc/pam.d/, + with only four fields instead of five—the service name + field is omitted. In FreeBSD 5.0, starting from mid-December + 2001, this is the preferred mechanism. Note, however, that if + /etc/pam.conf exists, and contains + configuration statements for services which do not have a + specific policy in /etc/pam.d/, it will + be used as a fall-back for these services. + + The great advantage of /etc/pam.d/ + over /etc/pam.conf is that it is possible + to use the same policy for multiple services by linking each + service name to a same policy file. For instance, to use the + same policy for the su and + sudo services, one could do as + follows: + +&prompt.root; cd /etc/pam.d +&prompt.root; ln -s su sudo + + This works because the service name is determined from the + file name rather than specified in the policy file, so the + same file can be used for arbitrary services. + + One other advantage is that third-party software can + easily install policies for their services without the need to + edit /etc/pam.conf. + + Whether you use /etc/pam.conf or + /etc/pam.d/, the policy for the special + service other is used as a fall-back for + any service that does not have its own policy. + + + + Breakdown of a configuration line + + As explained in the previous section, each line in + /etc/pam.conf consists of four or more + fields: the service name, the facility name, the control flag, + the module name, and zero or more module arguments. + + The service name is generally (though not always) the name + of the application the statement applies to. If you're + unsure, refer to the individual application's documentation to + determine what service name it uses. 
+ + Note that if you use /etc/pam.d/ + instead of /etc/pam.conf, the service + name is specified by the name of the policy file, and omitted + from the actual configuration lines, which then start with the + facility name. + + The facility is one of the four facility keywords + described in the chapter. + + + + Policies + + + - PAM Modules + PAM Modules - This section briefly documents the various PAM modules that + This chapter briefly documents the various PAM modules that exist in FreeBSD. - PAM Application Programming + PAM Application Programming - This section describes how to integrate PAM into your + This chapter describes how to integrate PAM into your application. - PAM Module Programming + PAM Module Programming - This section describes how to write PAM modules. + This chapter describes how to write PAM modules. - Further Reading + Further Reading This is a list of documents relevant to PAM and related issues. It is by no means complete.
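Review bot: In the "Client and server are separate" hunk (@@ -261,7 +266,7 @@), "shows eve try to initiate" should read "shows eve trying to initiate", and renaming the applicant from alice to eve needs a word of explanation, since the surrounding text ("ask to log in as bob, and succeed. Bob should have chosen") now reads as a successful login by an unrelated party rather than the legitimate-user walkthrough the su example above it gives; if the intent is to illustrate a weak password being abused, say so in the sentence, otherwise keep alice for consistency with the first example.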
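Review bot: In the large "PAM Essentials" / "PAM Configuration" hunk (@@ -349,40 +354,260 @@), the pam_close_session item repeats the pam_open_session wording ("add an entry in the utmp and wtmp databases") although at tear-down the utmp entry is cleared and wtmp receives a logout record; suggest "clear the entry in utmp, record the logout in wtmp, stop the SSH agent, etc." so readers do not expect a second login record. Three smaller points in the same hunk: (1) the text says pam.d lines have "only four fields instead of five" while the next section says a pam.conf line has "four or more fields", which reads as a contradiction; "one field fewer" resolves it. (2) "The facility is one of the four facility keywords described in the chapter." should be an explicit xref to the "Facilities and primitives" section rather than "the chapter". (3) The "Chains and policies", "Transactions" and "Policies" sections ship as placeholders ("Explain chains and policies", "Describe a transaction from start to finish", empty sect2); fine for a checkpoint, but wrapping them in SGML comments keeps them out of a published build. Finally, after the "ln -s su sudo" example it is worth one sentence noting that a symlinked policy means any later change to the su policy silently applies to sudo as well, so the link should be reviewed whenever either policy is tightened or relaxed.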