Cleanup of this file with regards to overlong lines, bad tag indent, and capitalization in titles as much as possible.
Benedict Reuschling 2018-08-16 14:45:06 +00:00
parent aa6f4dc4d1
commit 58a8720ace
Notes: svn2git 2020-12-08 03:00:23 +00:00
svn path=/head/; revision=52137


@ -34,9 +34,11 @@
- OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- SUCH DAMAGE.
-->
<article xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0" xml:lang="en">
<info><title>Pluggable Authentication Modules</title>
<article xmlns="http://docbook.org/ns/docbook"
xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0"
xml:lang="en">
<info>
<title>Pluggable Authentication Modules</title>
<abstract>
<para>This article describes the underlying principles and
@ -53,7 +55,13 @@
</copyright>
<authorgroup>
<author><personname><firstname>Dag-Erling</firstname><surname>Sm&oslash;rgrav</surname></personname><contrib>Contributed by </contrib></author>
<author>
<personname>
<firstname>Dag-Erling</firstname>
<surname>Sm&oslash;rgrav</surname>
</personname>
<contrib>Contributed by </contrib>
</author>
</authorgroup>
<legalnotice xml:id="pam-legalnotice">
@ -99,7 +107,7 @@
</section>
<section xml:id="pam-terms">
<title xml:id="pam-terms.title">Terms and conventions</title>
<title xml:id="pam-terms.title">Terms and Conventions</title>
<section xml:id="pam-definitions">
<title xml:id="pam-definitions.title">Definitions</title>
@ -248,27 +256,26 @@
</section>
<section xml:id="pam-usage-examples">
<title xml:id="pam-usage-examples.title">Usage examples</title>
<title xml:id="pam-usage-examples.title">Usage Examples</title>
<para>This section aims to illustrate the meanings of some of
the terms defined above by way of a handful of simple
examples.</para>
<section>
<title>Client and server are one</title>
<title>Client and Server Are One</title>
<para>This simple example shows <literal>alice</literal>
&man.su.1;'ing to <literal>root</literal>.</para>
<screen>&prompt.user; <userinput>whoami</userinput>
<screen>&prompt.user; <userinput>whoami</userinput>
alice
&prompt.user; <userinput>ls -l `which su`</userinput>
-r-sr-xr-x 1 root wheel 10744 Dec 6 19:06 /usr/bin/su
&prompt.user; <userinput>su -</userinput>
Password: <userinput>xi3kiune</userinput>
&prompt.root; whoami
root
</screen>
root</screen>
<itemizedlist>
<listitem>
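Review bot: in the su screen, the whoami typed at &prompt.root; is still not wrapped in <userinput>, unlike the three commands above it. Since this screen is being re-indented anyway, mark it up as <userinput>whoami</userinput> so that all typed input renders the same way.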
@ -283,7 +290,7 @@ root
</listitem>
<listitem>
<para>The authentication token is
<literal>xi3kiune</literal>.</para>
<literal>xi3kiune</literal>.</para>
</listitem>
<listitem>
<para>The arbitrator is <literal>root</literal>, which is
@ -293,7 +300,7 @@ root
</section>
<section>
<title>Client and server are separate</title>
<title>Client and Server Are Separate</title>
<para>The example below shows <literal>eve</literal> try to
initiate an &man.ssh.1; connection to
@ -301,7 +308,7 @@ root
<literal>bob</literal>, and succeed. Bob should have chosen
a better password!</para>
<screen>&prompt.user; <userinput>whoami</userinput>
<screen>&prompt.user; <userinput>whoami</userinput>
eve
&prompt.user; <userinput>ssh bob@login.example.com</userinput>
bob@login.example.com's password: <userinput>god</userinput>
@ -329,7 +336,7 @@ Welcome to FreeBSD!
</listitem>
<listitem>
<para>The authentication token is
<literal>god</literal>.</para>
<literal>god</literal>.</para>
</listitem>
<listitem>
<para>Although this is not shown in this example, the
@ -339,12 +346,12 @@ Welcome to FreeBSD!
</section>
<section>
<title>Sample policy</title>
<title>Sample Policy</title>
<para>The following is FreeBSD's default policy for
<literal>sshd</literal>:</para>
<programlisting>sshd auth required pam_nologin.so no_warn
<programlisting>sshd auth required pam_nologin.so no_warn
sshd auth required pam_unix.so no_warn try_first_pass
sshd account required pam_login_access.so
sshd account required pam_unix.so
@ -391,7 +398,7 @@ sshd password required pam_permit.so</programlisting>
<section xml:id="pam-facilities-primitives">
<title xml:id="pam-facilities-primitives.title">Facilities and
primitives</title>
Primitives</title>
<para>The PAM API offers six different authentication primitives
grouped in four facilities, which are described below.</para>
@ -519,7 +526,8 @@ sshd password required pam_permit.so</programlisting>
</section>
<section xml:id="pam-module-versioning">
<title xml:id="pam-module-versioning.title">Module Versioning</title>
<title xml:id="pam-module-versioning.title">Module
Versioning</title>
<para>FreeBSD's original PAM implementation, based on
Linux-PAM, did not use version numbers for PAM modules.
@ -537,15 +545,15 @@ sshd password required pam_permit.so</programlisting>
modules.</para>
<para>Although &solaris; PAM modules commonly have a version
number, they are not truly versioned, because the number is a
part of the module name and must be included in the
number, they are not truly versioned, because the number is
a part of the module name and must be included in the
configuration.</para>
</section>
</section>
<section xml:id="pam-chains-policies">
<title xml:id="pam-chains-policies.title">Chains and
policies</title>
Policies</title>
<para>When a server initiates a PAM transaction, the PAM library
tries to load a policy for the service specified in the
@ -577,8 +585,9 @@ sshd password required pam_permit.so</programlisting>
rest of the chain is executed, but the request is
ultimately denied.</para>
<para>This control flag was introduced by Sun in &solaris; 9
(&sunos; 5.9), and is also supported by OpenPAM.</para>
<para>This control flag was introduced by Sun in &solaris;
9 (&sunos; 5.9), and is also supported by
OpenPAM.</para>
</listitem>
</varlistentry>
@ -688,11 +697,11 @@ sshd password required pam_permit.so</programlisting>
</listitem>
<listitem>
<para>The server calls &man.pam.acct.mgmt.3; to verify that the
requested account is available and valid. If the password
is correct but has expired, &man.pam.acct.mgmt.3; will
return <literal>PAM_NEW_AUTHTOK_REQD</literal> instead of
<literal>PAM_SUCCESS</literal>.</para>
<para>The server calls &man.pam.acct.mgmt.3; to verify that
the requested account is available and valid. If the
password is correct but has expired, &man.pam.acct.mgmt.3;
will return <literal>PAM_NEW_AUTHTOK_REQD</literal>
instead of <literal>PAM_SUCCESS</literal>.</para>
</listitem>
<listitem>
@ -741,18 +750,18 @@ sshd password required pam_permit.so</programlisting>
<title xml:id="pam-config.title">PAM Configuration</title>
<section xml:id="pam-config-file">
<title xml:id="pam-config-file.title">PAM policy files</title>
<title xml:id="pam-config-file.title">PAM Policy Files</title>
<section xml:id="pam-config-pam.conf">
<title xml:id="pam-config-pam.conf.title">The
<filename>/etc/pam.conf</filename> file</title>
<filename>/etc/pam.conf</filename></title>
<para>The traditional PAM policy file is
<filename>/etc/pam.conf</filename>. This file contains all
the PAM policies for your system. Each line of the file
describes one step in a chain, as shown below:</para>
<programlisting>login auth required pam_nologin.so no_warn</programlisting>
<programlisting>login auth required pam_nologin.so no_warn</programlisting>
<para>The fields are, in order: service name, facility name,
control flag, module name, and module arguments. Any
@ -772,7 +781,7 @@ sshd password required pam_permit.so</programlisting>
<section xml:id="pam-config-pam.d">
<title xml:id="pam-config-pam.d.title">The
<filename>/etc/pam.d</filename> directory</title>
<filename>/etc/pam.d</filename></title>
<para>OpenPAM and Linux-PAM support an alternate configuration
mechanism, which is the preferred mechanism in FreeBSD. In
@ -796,7 +805,7 @@ sshd password required pam_permit.so</programlisting>
<literal>su</literal> and <literal>sudo</literal> services,
one could do as follows:</para>
<screen>&prompt.root; <userinput>cd /etc/pam.d</userinput>
<screen>&prompt.root; <userinput>cd /etc/pam.d</userinput>
&prompt.root; <userinput>ln -s su sudo</userinput></screen>
<para>This works because the service name is determined from
@ -811,27 +820,28 @@ sshd password required pam_permit.so</programlisting>
</section>
<section xml:id="pam-config-file-order">
<title xml:id="pam-config-file-order.title">The policy search
order</title>
<title xml:id="pam-config-file-order.title">The Policy Search
Order</title>
<para>As we have seen above, PAM policies can be found in a
number of places. What happens if policies for the same
service exist in multiple places?</para>
<para>It is essential to understand that PAM's configuration
system is centered on chains.<!-- XXX --></para>
system is centered on chains.</para>
</section>
</section>
<section xml:id="pam-config-breakdown">
<title xml:id="pam-config-breakdown.title">Breakdown of a
configuration line</title>
Configuration Line</title>
<para>As explained in <xref linkend="pam-config-file"/>, each line in
<filename>/etc/pam.conf</filename> consists of four or more
fields: the service name, the facility name, the control flag,
the module name, and zero or more module arguments.</para>
<para>As explained in <xref linkend="pam-config-file"/>, each
line in <filename>/etc/pam.conf</filename> consists of four or
more fields: the service name, the facility name, the control
flag, the module name, and zero or more module
arguments.</para>
<para>The service name is generally (though not always) the name
of the application the statement applies to. If you are
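Review bot: dropping the <!-- XXX --> marker after "centered on chains." removes the only sign that the Policy Search Order section is unfinished. The section asks what happens when policies for the same service exist in multiple places and closes without answering. Keep the marker, or replace it with a comment saying what is missing, until the search order is actually documented.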
@ -845,17 +855,18 @@ sshd password required pam_permit.so</programlisting>
facility name.</para>
<para>The facility is one of the four facility keywords
described in <xref linkend="pam-facilities-primitives"/>.</para>
described in <xref
linkend="pam-facilities-primitives"/>.</para>
<para>Likewise, the control flag is one of the four keywords
described in <xref linkend="pam-chains-policies"/>,
describing how to interpret the return code from the module.
Linux-PAM supports an alternate syntax that lets you specify
the action to associate with each possible return code, but
this should be avoided as it is non-standard and closely tied
in with the way Linux-PAM dispatches service calls (which
differs greatly from the way &solaris; and OpenPAM do it.)
Unsurprisingly, OpenPAM does not support this syntax.</para>
described in <xref linkend="pam-chains-policies"/>, describing
how to interpret the return code from the module. Linux-PAM
supports an alternate syntax that lets you specify the action
to associate with each possible return code, but this should
be avoided as it is non-standard and closely tied in with the
way Linux-PAM dispatches service calls (which differs greatly
from the way &solaris; and OpenPAM do it.) Unsurprisingly,
OpenPAM does not support this syntax.</para>
</section>
<section xml:id="pam-policies">
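Review bot: the re-wrapped control flag paragraph keeps the period inside the closing parenthesis in "do it.) Unsurprisingly". The parenthetical is part of the surrounding sentence, so while these lines are being touched it should read "do it). Unsurprisingly".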
@ -882,7 +893,8 @@ sshd password required pam_permit.so</programlisting>
the following table applies:</para>
<table>
<title>PAM chain execution summary</title>
<title>PAM Chain Execution Summary</title>
<tgroup cols="4">
<colspec colwidth="1*" colname="type"/>
<colspec colwidth="1*" colname="success"/>
@ -891,10 +903,12 @@ sshd password required pam_permit.so</programlisting>
<thead>
<row>
<entry colname="type"/>
<entry colname="success"><literal>PAM_SUCCESS</literal></entry>
<entry colname="ignore"><literal>PAM_IGNORE</literal></entry>
<entry
colname="success"><literal>PAM_SUCCESS</literal></entry>
<entry
colname="ignore"><literal>PAM_IGNORE</literal></entry>
<entry colname="other"><literal>other</literal></entry>
</row>
</row>
</thead>
<tbody>
<row>
@ -903,24 +917,28 @@ sshd password required pam_permit.so</programlisting>
<entry colname="ignore">-</entry>
<entry colname="other">fail = true;</entry>
</row>
<row>
<entry colname="type">required</entry>
<entry colname="success">-</entry>
<entry colname="ignore">-</entry>
<entry colname="other">fail = true;</entry>
</row>
<row>
<entry colname="type">requisite</entry>
<entry colname="success">-</entry>
<entry colname="ignore">-</entry>
<entry colname="other">fail = true; break;</entry>
</row>
<row>
<entry colname="type">sufficient</entry>
<entry colname="success">if (!fail) break;</entry>
<entry colname="ignore">-</entry>
<entry colname="other">-</entry>
</row>
<row>
<entry colname="type">optional</entry>
<entry colname="success">-</entry>
@ -945,22 +963,21 @@ sshd password required pam_permit.so</programlisting>
<literal>PAM_NEW_AUTHTOK_REQD</literal>.</para>
<para>The second exception is that &man.pam.setcred.3; treats
<literal>binding</literal> and
<literal>sufficient</literal> modules as if they were
<literal>required</literal>.</para>
<literal>binding</literal> and <literal>sufficient</literal>
modules as if they were <literal>required</literal>.</para>
<para>The third and final exception is that
&man.pam.chauthtok.3; runs the entire chain twice (once for
preliminary checks and once to actually set the password), and
in the preliminary phase it treats
<literal>binding</literal> and
<literal>sufficient</literal> modules as if they were
in the preliminary phase it treats <literal>binding</literal>
and <literal>sufficient</literal> modules as if they were
<literal>required</literal>.</para>
</section>
</section>
<section xml:id="pam-freebsd-modules">
<title xml:id="pam-freebsd-modules.title">FreeBSD PAM Modules</title>
<title xml:id="pam-freebsd-modules.title">FreeBSD PAM
Modules</title>
<section xml:id="pam-modules-deny">
<title xml:id="pam-modules-deny.title">&man.pam.deny.8;</title>
@ -995,29 +1012,32 @@ sshd password required pam_permit.so</programlisting>
</section>
<section xml:id="pam-modules-ftpusers">
<title xml:id="pam-modules-ftpusers.title">&man.pam.ftpusers.8;</title>
<title
xml:id="pam-modules-ftpusers.title">&man.pam.ftpusers.8;</title>
<para>The &man.pam.ftpusers.8; module</para>
</section>
<section xml:id="pam-modules-group">
<title xml:id="pam-modules-group.title">&man.pam.group.8;</title>
<title
xml:id="pam-modules-group.title">&man.pam.group.8;</title>
<para>The &man.pam.group.8; module accepts or rejects applicants
on the basis of their membership in a particular file group
(normally <literal>wheel</literal> for &man.su.1;). It is
primarily intended for maintaining the traditional behavior
of BSD &man.su.1;, but has many other uses, such as excluding
primarily intended for maintaining the traditional behavior of
BSD &man.su.1;, but has many other uses, such as excluding
certain groups of users from a particular service.</para>
</section>
<section xml:id="pam-modules-guest">
<title xml:id="pam-modules-guest.title">&man.pam.guest.8;</title>
<title
xml:id="pam-modules-guest.title">&man.pam.guest.8;</title>
<para>The &man.pam.guest.8; module allows guest logins using
fixed login names. Various requirements can be placed on the
password, but the default behavior is to allow any password
as long as the login name is that of a guest account. The
password, but the default behavior is to allow any password as
long as the login name is that of a guest account. The
&man.pam.guest.8; module can easily be used to implement
anonymous FTP logins.</para>
</section>
@ -1035,13 +1055,15 @@ sshd password required pam_permit.so</programlisting>
</section>
<section xml:id="pam-modules-lastlog">
<title xml:id="pam-modules-lastlog.title">&man.pam.lastlog.8;</title>
<title
xml:id="pam-modules-lastlog.title">&man.pam.lastlog.8;</title>
<para>The &man.pam.lastlog.8; module</para>
</section>
<section xml:id="pam-modules-login-access">
<title xml:id="pam-modules-login-access.title">&man.pam.login.access.8;</title>
<title
xml:id="pam-modules-login-access.title">&man.pam.login.access.8;</title>
<para>The &man.pam.login.access.8; module provides an
implementation of the account management primitive which
@ -1050,7 +1072,8 @@ sshd password required pam_permit.so</programlisting>
</section>
<section xml:id="pam-modules-nologin">
<title xml:id="pam-modules-nologin.title">&man.pam.nologin.8;</title>
<title
xml:id="pam-modules-nologin.title">&man.pam.nologin.8;</title>
<para>The &man.pam.nologin.8; module refuses non-root logins
when <filename>/var/run/nologin</filename> exists. This file
@ -1066,14 +1089,15 @@ sshd password required pam_permit.so</programlisting>
challenge-response mechanism where the response to each
challenge is a direct function of the challenge and a
passphrase, so the response can be easily computed <quote>just
in time</quote> by anyone possessing the passphrase,
in time</quote> by anyone possessing the passphrase,
eliminating the need for password lists. Moreover, since
&man.opie.4; never reuses a challenge that has been correctly
answered, it is not vulnerable to replay attacks.</para>
</section>
<section xml:id="pam-modules-opieaccess">
<title xml:id="pam-modules-opieaccess.title">&man.pam.opieaccess.8;</title>
<title
xml:id="pam-modules-opieaccess.title">&man.pam.opieaccess.8;</title>
<para>The &man.pam.opieaccess.8; module is a companion module to
&man.pam.opie.8;. Its purpose is to enforce the restrictions
@ -1091,13 +1115,15 @@ sshd password required pam_permit.so</programlisting>
</section>
<section xml:id="pam-modules-passwdqc">
<title xml:id="pam-modules-passwdqc.title">&man.pam.passwdqc.8;</title>
<title
xml:id="pam-modules-passwdqc.title">&man.pam.passwdqc.8;</title>
<para>The &man.pam.passwdqc.8; module</para>
</section>
<section xml:id="pam-modules-permit">
<title xml:id="pam-modules-permit.title">&man.pam.permit.8;</title>
<title
xml:id="pam-modules-permit.title">&man.pam.permit.8;</title>
<para>The &man.pam.permit.8; module is one of the simplest
modules available; it responds to any request with
@ -1107,19 +1133,22 @@ sshd password required pam_permit.so</programlisting>
</section>
<section xml:id="pam-modules-radius">
<title xml:id="pam-modules-radius.title">&man.pam.radius.8;</title>
<title
xml:id="pam-modules-radius.title">&man.pam.radius.8;</title>
<para>The &man.pam.radius.8; module</para>
</section>
<section xml:id="pam-modules-rhosts">
<title xml:id="pam-modules-rhosts.title">&man.pam.rhosts.8;</title>
<title
xml:id="pam-modules-rhosts.title">&man.pam.rhosts.8;</title>
<para>The &man.pam.rhosts.8; module</para>
</section>
<section xml:id="pam-modules-rootok">
<title xml:id="pam-modules-rootok.title">&man.pam.rootok.8;</title>
<title
xml:id="pam-modules-rootok.title">&man.pam.rootok.8;</title>
<para>The &man.pam.rootok.8; module reports success if and only
if the real user id of the process calling it (which is
@ -1130,7 +1159,8 @@ sshd password required pam_permit.so</programlisting>
</section>
<section xml:id="pam-modules-securetty">
<title xml:id="pam-modules-securetty.title">&man.pam.securetty.8;</title>
<title
xml:id="pam-modules-securetty.title">&man.pam.securetty.8;</title>
<para>The &man.pam.securetty.8; module</para>
</section>
@ -1161,7 +1191,8 @@ sshd password required pam_permit.so</programlisting>
</section>
<section xml:id="pam-modules-tacplus">
<title xml:id="pam-modules-tacplus.title">&man.pam.tacplus.8;</title>
<title
xml:id="pam-modules-tacplus.title">&man.pam.tacplus.8;</title>
<para>The &man.pam.tacplus.8; module</para>
</section>
@ -1182,9 +1213,10 @@ sshd password required pam_permit.so</programlisting>
</section>
<section xml:id="pam-appl-prog">
<title xml:id="pam-appl-prog.title">PAM Application Programming</title>
<title xml:id="pam-appl-prog.title">PAM Application
Programming</title>
<para><!--XXX-->This section has not yet been written.</para>
<para>This section has not yet been written.</para>
<!--
@ -1202,26 +1234,28 @@ sshd password required pam_permit.so</programlisting>
</section>
<section xml:id="pam-module-prog">
<title xml:id="pam-module-prog.title">PAM Module Programming</title>
<title xml:id="pam-module-prog.title">PAM Module
Programming</title>
<para><!--XXX-->This section has not yet been written.</para>
<para>This section has not yet been written.</para>
</section>
<appendix xml:id="pam-sample-appl">
<title xml:id="pam-sample-appl.title">Sample PAM Application</title>
<title xml:id="pam-sample-appl.title">Sample PAM
Application</title>
<para>The following is a minimal implementation of &man.su.1;
using PAM. Note that it uses the OpenPAM-specific
&man.openpam.ttyconv.3; conversation function, which is
prototyped in <filename>security/openpam.h</filename>. If you wish
build this application on a system with a different PAM library,
you will have to provide your own conversation function. A
robust conversation function is surprisingly difficult to
implement; the one presented in <xref linkend="pam-sample-conv"/> is a good
starting point, but should not be used in real-world
applications.</para>
prototyped in <filename>security/openpam.h</filename>. If you
wish build this application on a system with a different PAM
library, you will have to provide your own conversation
function. A robust conversation function is surprisingly
difficult to implement; the one presented in <xref
linkend="pam-sample-conv"/> is a good starting point, but
should not be used in real-world applications.</para>
<programlisting><xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="su.c" parse="text"/></programlisting>
<programlisting><xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="su.c" parse="text"/></programlisting>
</appendix>
<appendix xml:id="pam-sample-module">
@ -1245,50 +1279,71 @@ sshd password required pam_permit.so</programlisting>
simplified version of OpenPAM's &man.openpam.ttyconv.3;. It is
fully functional, and should give the reader a good idea of how
a conversation function should behave, but it is far too simple
for real-world use. Even if you are not using OpenPAM, feel free
to download the source code and adapt &man.openpam.ttyconv.3; to
your uses; we believe it to be as robust as a tty-oriented
conversation function can reasonably get.</para>
for real-world use. Even if you are not using OpenPAM, feel
free to download the source code and adapt
&man.openpam.ttyconv.3; to your uses; we believe it to be as
robust as a tty-oriented conversation function can reasonably
get.</para>
<programlisting><xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="converse.c" parse="text"/></programlisting>
</appendix>
<bibliography xml:id="pam-further">
<info><title xml:id="pam-further.title">Further Reading</title>
<info>
<title xml:id="pam-further.title">Further Reading</title>
<abstract>
<para>This is a list of documents relevant to PAM and related
issues. It is by no means complete.</para>
</abstract>
<abstract>
<para>This is a list of documents relevant to PAM and related
issues. It is by no means complete.</para>
</abstract>
</info>
<bibliodiv>
<title>Papers</title>
<biblioentry>
<citetitle><link xlink:href="http://www.sun.com/software/solaris/pam/pam.external.pdf">
Making Login Services Independent of Authentication
<citetitle><link
xlink:href="http://www.sun.com/software/solaris/pam/pam.external.pdf">
Making Login Services Independent of Authentication
Technologies</link></citetitle>
<authorgroup>
<author><personname><surname>Samar</surname><firstname>Vipin</firstname></personname></author>
<author><personname><surname>Lai</surname><firstname>Charlie</firstname></personname></author>
<author>
<personname>
<surname>Samar</surname>
<firstname>Vipin</firstname>
</personname>
</author>
<author>
<personname>
<surname>Lai</surname>
<firstname>Charlie</firstname>
</personname>
</author>
</authorgroup>
<orgname>Sun Microsystems</orgname>
</biblioentry>
<biblioentry>
<citetitle><link xlink:href="http://www.opengroup.org/pubs/catalog/p702.htm">X/Open
Single Sign-on Preliminary Specification</link></citetitle>
<citetitle><link
xlink:href="http://www.opengroup.org/pubs/catalog/p702.htm">X/Open
Single Sign-on Preliminary
Specification</link></citetitle>
<orgname>The Open Group</orgname>
<biblioid class="isbn">1-85912-144-6</biblioid>
<pubdate>June 1997</pubdate>
</biblioentry>
<biblioentry>
<citetitle><link xlink:href="http://www.kernel.org/pub/linux/libs/pam/pre/doc/current-draft.txt">
Pluggable Authentication Modules</link></citetitle>
<author><personname><surname>Morgan</surname><firstname>Andrew</firstname><othername role="mi">G.</othername></personname></author>
<citetitle><link
xlink:href="http://www.kernel.org/pub/linux/libs/pam/pre/doc/current-draft.txt">
Pluggable Authentication Modules</link></citetitle>
<author>
<personname>
<surname>Morgan</surname>
<firstname>Andrew</firstname>
<othername role="mi">G.</othername>
</personname>
</author>
<pubdate>1999-10-06</pubdate>
</biblioentry>
</bibliodiv>
@ -1297,28 +1352,46 @@ sshd password required pam_permit.so</programlisting>
<title>User Manuals</title>
<biblioentry>
<citetitle><link xlink:href="http://www.sun.com/software/solaris/pam/pam.admin.pdf">PAM
Administration</link></citetitle>
<citetitle><link
xlink:href="http://www.sun.com/software/solaris/pam/pam.admin.pdf">PAM
Administration</link></citetitle>
<orgname>Sun Microsystems</orgname>
</biblioentry>
</bibliodiv>
<bibliodiv>
<title>Related Web pages</title>
<title>Related Web Pages</title>
<biblioentry>
<citetitle><link xlink:href="http://openpam.sourceforge.net/">OpenPAM homepage</link></citetitle>
<author><personname><surname>Sm&oslash;rgrav</surname><firstname>Dag-Erling</firstname></personname></author>
<citetitle><link
xlink:href="http://openpam.sourceforge.net/">OpenPAM
homepage</link></citetitle>
<author>
<personname>
<surname>Sm&oslash;rgrav</surname>
<firstname>Dag-Erling</firstname>
</personname>
</author>
<orgname>ThinkSec AS</orgname>
</biblioentry>
<biblioentry>
<citetitle><link xlink:href="http://www.kernel.org/pub/linux/libs/pam/">Linux-PAM homepage</link></citetitle>
<author><personname><surname>Morgan</surname><firstname>Andrew</firstname><othername role="mi">G.</othername></personname></author>
<citetitle><link
xlink:href="http://www.kernel.org/pub/linux/libs/pam/">Linux-PAM
homepage</link></citetitle>
<author>
<personname>
<surname>Morgan</surname>
<firstname>Andrew</firstname>
<othername role="mi">G.</othername>
</personname>
</author>
</biblioentry>
<biblioentry>
<citetitle><link xlink:href="http://wwws.sun.com/software/solaris/pam/">Solaris PAM homepage</link></citetitle>
<citetitle><link
xlink:href="http://wwws.sun.com/software/solaris/pam/">Solaris
PAM homepage</link></citetitle>
<orgname>Sun Microsystems</orgname>
</biblioentry>
</bibliodiv>