pam_access patch part 2 of 5

Mike Becher Mike.Becher at lrz-muenchen.de
Thu Jan 5 12:48:54 UTC 2006


pam_access patch part 2 of 5

patches which enable manual stuff for PAM itself
  p05-Linux-PAM-0.99.2.1-modules-pam_access-access.conf.5
  p09-Linux-PAM-0.99.2.1-modules-pam_access-login.access.5
  p11-Linux-PAM-0.99.2.1-modules-pam_access-pam_access.8

short description:
-----------------

These patches enable:
 * convert_hostname feature
 * IPv4(/)  IPv6  support
 * the network(address) / netmask feature
 * external helper feature
 * manual support

best regards,
  mike


-----------------------------------------------------------------------------
 Mike Becher                              Mike.Becher at lrz-muenchen.de
 Leibniz-Rechenzentrum der                http://www.lrz.de
 Bayerischen Akademie der Wissenschaften  phone: +49-89-289-28721
 Gruppe Hochleistungssysteme              fax:   +49-89-280-9460
 Barer Strasse 21
 D-80333 Muenchen
 Germany
-----------------------------------------------------------------------------
-------------- next part --------------
diff -u -r -N Linux-PAM-0.99.2.1.orig/modules/pam_access/access.conf.5 Linux-PAM-0.99.2.1/modules/pam_access/access.conf.5
--- Linux-PAM-0.99.2.1.orig/modules/pam_access/access.conf.5	1970-01-01 01:00:00.000000000 +0100
+++ Linux-PAM-0.99.2.1/modules/pam_access/access.conf.5	2006-01-02 17:24:32.000000000 +0100
@@ -0,0 +1,219 @@
+.\" -*- nroff -*-
+.\" @(#)access.conf.5 1.14 2005/12/12 17:57:23 mibe
+.\"
+.TH access.conf 5 "12 December 2005" "Version 1.14" "Reference Manual"
+.SH NAME
+access.conf \- The login access control table file
+.SH DESCRIPTION
+Original
+.BR login.access (5)
+manual was provided by
+.I Guido van Rooij
+which was renamed to
+.BR access.conf (5)
+to reflect relation to default config file.
+The
+.B access.conf
+file specifies (\fIuser\fP, \fIhost\fP), (\fIuser\fP,
+\fInetwork/netmask\fP) or (\fIuser\fP, \fItty\fP) combinations for
+which a login will be either accepted or refused.
+
+When someone logs in, the file \fIaccess.conf\fP is scanned for the
+first entry that matches the (\fIuser\fP, \fIhost\fP) or (\fIuser\fP,
+\fInetwork/netmask\fP) combination, or, in case of non-networked
+logins, the first entry that matches the (\fIuser\fP, \fItty\fP)
+combination.  The permissions field of that table entry determines
+whether the login will be accepted or refused.
+
+Each line of the login access control table has three fields separated
+by a
+.B :
+character (colon) and looks like:
+
+.RB "\fIPERMISSION\fP : \fIUSERS\fP : \fIORIGINS\fP"
+
+The first field, the
+.I PERMISSION
+field, can be either a 
+.B +
+character (plus) for access granted or a
+.B -
+character (minus) for access denied.
+
+The second field, the
+.I USERS
+field, should be a list of one or more login names, group names, or
+\fBALL\fP (which always matches).
+
+The third field, the
+.I ORIGINS
+field, should be a list of one or more tty names (for non-networked
+logins), host names, domain names (begin with "."), host addresses,
+internet network numbers (end with "."), internet network addresses
+with network mask (where network mask can be a decimal number or an
+internet address also), \fBALL\fP (which always matches) or
+\fBLOCAL\fP (which matches any string that does not contain a "."
+character).
+If you run NIS you can use \fB@\fP\fInetgroupname\fP in host or user patterns.
+
+The \fBEXCEPT\fP operator makes it possible to write very compact rules.
+
+The group file is searched only when a name does not match that of the
+logged-in user.
+Only groups are matched in which users are explicitly listed: the
+program does not look at a user's primary group id value.
+
+The
+.B #
+character at start of line (no space at front) can be used to mark this line as
+a comment line.
+
+.B HINT:
+
+It is a good idea to specify a line like 
+
+\fB + : ALL : ALL \fP
+
+or 
+
+\fB - : ALL : ALL \fP 
+
+as last line in access control files.  So it is clear that all users
+that aren't matched by lines before are getting access granted or
+denied. If you don't do this a user gets access to a service if access
+was not explicitly denied for him through a rule.
+
+.SH EXAMPLES
+These are some example lines which might be specified in
+.B access.conf
+file.
+
+User 
+.I root
+should be allowed to get access via \fIsu\fP, \fIcron\fP, \fIxdm\fP,
+X11 terminal \fI:0\fP, ..., \fItty5\fP \fItty6\fP.
+
+  + : root : su cron crond xdm :0 tty1 tty2 tty3 tty4 tty5 tty6
+
+User
+.I root
+should be allowed to get access from hosts with IPv4 addresses:
+
+  + : root : 192.168.200.1 192.168.200.4 192.168.200.9
+
+  + : root : 127.0.0.1
+
+User
+.I root
+should get access from network 
+.I 192.168.201.
+where the term will be evaluated by string matching. But
+it might be better to use network/netmask instead.
+The same meaning of \fI192.168.201.\fP is \fI192.168.201.0/24\fP
+or \fI192.168.201.0/255.255.255.0\fP .
+
+  + : root : 192.168.201.
+
+User
+.I root
+should be able to have access from hosts 
+.I foo1.bar.org 
+and
+.I foo2.bar.org
+(uses string matching also).
+
+  + : root : foo1.bar.org foo2.bar.org
+
+User
+.I root
+should be able to have access from domain 
+.I foo.bar.org (uses string matching also).
+
+  + : root : .foo.bar.org
+
+User
+.I root
+should be denied to get access from all other sources.
+
+  - : root : ALL
+
+User
+.I foo
+and members of NIS group 
+.I nis_group
+should be allowed to get access from all sources.
+This will only work if NIS service is available.
+
+  + : @nis_group foo : ALL
+
+User
+.I xfs
+and
+.I foo
+should be allowed to get acccess via 
+.I su .
+
+  + : xfs foo : su
+
+User
+.I john
+should get access from IPv4 net/mask.
+
+  + : john : 127.0.0.0/24
+
+User
+.I john
+should get access from IPv4 as IPv6 net/mask.
+
+  + : john : ::ffff:127.0.0.0/127
+
+User
+.I john
+should get access from IPv6 host address.
+
+  + : john : 2001:4ca0:0:101::1
+
+User
+.I john
+should get access from IPv6 host address (same as above).
+
+  + : john : 2001:4ca0:0:101:0:0:0:1
+
+User
+.I john
+should get access from IPv6 net/mask.
+
+  + : john : 2001:4ca0:0:101::/64
+
+All other users should be denied to get access from all sources.
+
+  - : ALL : ALL 
+
+.SH FILES
+Normally the
+.B access.conf
+file resides in
+.I /etc/security
+but this depends on configuration at compilation time. Thats why
+please run
+.BR check_login_access (8)
+to find out which is the default config file for
+.BR pam_access (8) .
+.SH SEE ALSO
+.BR check_login_access (8) ,
+.BR pam_access (8) ,
+.BR pam.d (8) ,
+and
+.BR pam (8) .
+.SH AUTHORS
+Original
+.BR login.access (5)
+manual was provided by
+.I Guido van Rooij
+which was renamed to
+.BR access.conf (5)
+to reflect relation to default config file.
+
+.B Network address / netmask
+description and example text was introduced by
+.I Mike Becher <mike.becher at lrz-muenchen.de>.
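Review bot: the IPv4-mapped example "+ : john : ::ffff:127.0.0.0/127" does not mirror the "+ : john : 127.0.0.0/24" rule it follows: a /127 covers only ::ffff:127.0.0.0 and ::ffff:127.0.0.1, whereas the IPv4-mapped equivalent of a /24 is /120 (the 96-bit ::ffff: prefix plus 24 bits). Either correct the prefix length or reword the sentence so that readers do not copy a rule that admits two hosts when they meant a subnet. Further documentation points in this page: the DESCRIPTION section opens with the "Original login.access(5) manual was provided by Guido van Rooij ..." paragraph that is repeated verbatim under AUTHORS; it belongs only in the latter. ".I foo.bar.org (uses string matching also)." passes the parenthetical as macro arguments, so it is set in italics together with the domain; move it onto the following line as the foo1.bar.org example does. The EXCEPT operator is announced as making "very compact rules", but its syntax and evaluation order are never described, and in an access-control file a misread EXCEPT silently widens or narrows a rule; add one worked example. The FILES section defers to check_login_access(8), which is not in this part of the series; confirm that page ships with the series so the cross-reference does not dangle. Spelling: "acccess", "Thats why please run".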
-------------- next part --------------
diff -u -r -N Linux-PAM-0.99.2.1.orig/modules/pam_access/login.access.5 Linux-PAM-0.99.2.1/modules/pam_access/login.access.5
--- Linux-PAM-0.99.2.1.orig/modules/pam_access/login.access.5	1970-01-01 01:00:00.000000000 +0100
+++ Linux-PAM-0.99.2.1/modules/pam_access/login.access.5	2006-01-02 17:24:32.000000000 +0100
@@ -0,0 +1 @@
+.so man5/access.conf.5
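Review bot: the ".so man5/access.conf.5" stub is the right way to alias the page, but no Makefile or install rule for either manual appears in this part of the series; make sure the rule that installs access.conf.5 into man5 installs this stub into the same tree, because ".so" resolves relative to the man root and a stub placed in a different tree will not find its target.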
-------------- next part --------------
diff -u -r -N Linux-PAM-0.99.2.1.orig/modules/pam_access/pam_access.8 Linux-PAM-0.99.2.1/modules/pam_access/pam_access.8
--- Linux-PAM-0.99.2.1.orig/modules/pam_access/pam_access.8	1970-01-01 01:00:00.000000000 +0100
+++ Linux-PAM-0.99.2.1/modules/pam_access/pam_access.8	2006-01-02 20:48:25.000000000 +0100
@@ -0,0 +1,157 @@
+.\" -*- nroff -*-
+.\" @(#)pam_access.8 1.0.4 2006/01/02 17:41:24 mibe
+.\"
+.TH pam_access 8 "2 January 2006" "Version 1.0.4" "Reference Manual"
+.SH NAME
+pam_access - PAM module for logdaemon style login access
+control
+.SH DESCRIPTION
+The
+.B pam_access
+PAM module is mainly for access management. It provides logdaemon
+style login access control based on login names, host or domain names,
+internet addresses or network numbers, or on terminal line names 
+in case of non-networked logins.
+
+By default rules for access management are taken from config file
+.B access.conf
+which resides in
+.I /etc/security
+if you don't specify another file. But this depends on configuration
+at compilation time. Thats why please run
+.BR check_login_access (8)
+to find out which is the default config file for
+.BR pam_access (8) .
+
+.SH OPTIONS
+The prefered options with argument are the options with equal sign.
+Options without equal sign are depricated for usage.  The following
+options may be passed to the module. 
+.TP
+.B accessfile=\fI/path/to/file.conf\fP
+Indicate an alternative \fIaccess.conf\fP style configuration file to
+override the default. This can be useful when different services need
+different access lists.
+.TP
+.B ask_helper_only
+Ask external helper program only if a user should get access to this
+service or not. Access control table will not be evaluated. Option
+\fBhelperfile\fP must be specified also to activate this option.
+.TP
+.B convert_hostname
+If a hostname was specified in config file then try to convert it to IP address.
+.TP
+.B debug
+A lot of debug informations are printed with
+.BR syslog (3).
+.TP
+.B file=\fI/path/to/file.conf\fP
+Same meaning like \fBaccessfile=\fP\fI/path/to/file.conf\fP.
+(for compatibility if someone has used the
+.B pam_login_access
+module)
+.TP
+.B fieldsep=\fIseparators\fP
+This option modifies the field separator character that
+\fBpam_access\fP will recognize when parsing the access configuration
+file. For example: \fBfieldsep=|\fP will cause the default `:'
+character to be treated as part of a field value and `|' becomes the
+field separator. Doing this may be useful in conjuction with a system that
+wants to use pam_access with X based applications, since the
+\fBPAM_TTY\fP item is likely to be of the form "hostname:0" which
+includes a `:' character in its value. But you should not need this.
+.TP
+.B helperfile=\fI/path/to/helper/executable\fP
+If an external helper program was specified it will be asked
+if a user should get access to this service or not. If option
+\fBask_helper_only\fP was not specified this will be done
+after processing of access control table but only if user doesn't get
+access granted yet through evaluation process of access control table.
+Please have a look at \fBverify_access\fP helper script decription in
+section
+.B FILES
+below.
+.TP
+.B listsep=\fIseparators\fP
+This option modifies the list separator character that
+\fBpam_access\fP will recognize when parsing the access configuration
+file. For example: \fBlistsep=,\fP will cause the default ` ' (space) and
+`\\t' (tab) characters to be treated as part of a list element value and `,'
+becomes the only list element separator. Doing this may be useful on a system
+with group information obtained from a Windows domain, where the default
+built-in groups "Domain Users", "Domain Admins" contain a space.
+.TP
+.B onerr=fail\||\|success
+If an internal error occured let module return with failed or success. This means
+for example access is forbidden or access is granted. Access granted is the default
+behavior.
+
+.SH DEPRECATED OPTIONS
+.TP
+.B file \fI/path/to/file.conf\fP 
+.TP
+.B onerr fail\||\|success
+
+.SH FILES
+Default configuration file is
+.B access.conf
+which resides in
+.I /etc/security
+but this depends on configuration at compilation time. Please
+run
+.BR check_login_access (8)
+to find out which is the default file for
+.BR pam_access (8) .
+
+A sample
+.B verify_access
+helper script may be included with the distribution. This helper
+script will be called by 
+.BR pam_access (8)
+module with the following command line
+
+  /path/to/verify_access user from
+
+where \fIfrom\fP may be a tty, X display, service, remote hostname,
+or remote address. The helper executable should return with \fB0\fP
+(zero) if access to this service is granted and with \fB1\fP (one)
+if access is denied. All other exit codes result in an internal error,
+access will be denied, and a log message will be produced.
+
+.SH SEE ALSO
+.BR access.conf (5) ,
+.BR login.access (5) ,
+.BR check_login_access (8) ,
+.BR pam.d (8) ,
+and
+.BR pam (8) .
+.SH AUTHORS
+The
+.B logdaemon style login access control scheme
+was designed and implemented by 
+.I Wietse Venema.
+                                                                                                                                                          
+The
+.B pam_access
+PAM module was developed by 
+.I Alexei Nogin <alexei at nogin.dnttm.ru>.
+                                                                                                                                                          
+The
+.B convert_hostname
+feature was developed and provided by
+.I Thomas Mueller.
+                                                                                                                                                          
+The 
+.B IPv4(/) IPv6 support
+, the
+.B network(address) / netmask
+feature, and the
+.B external helper
+feature was developed and provided by
+.I Mike Becher <mike.becher at lrz-muenchen.de>.
+Merge of
+.B pam_access
+and 
+.BR pam_access (8)
+code was also done by him.
+
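Review bot: the error-handling statements in OPTIONS and FILES contradict each other: "onerr=fail|success" says that on an internal error "Access granted is the default behavior", while the helper description says "All other exit codes result in an internal error, access will be denied". State whether onerr applies to helper failures and, if so, which statement is correct; a fail-open default in an access-control module also deserves an explicit sentence recommending onerr=fail for exposed services, so that an administrator does not learn the default from an incident. The helper invocation "/path/to/verify_access user from" should say how the two arguments reach the helper and under which uid it runs: "from" can be a remote hostname supplied by the peer, so whether it is passed as an argv element or through a shell is exactly what someone reviewing a helper script needs to know. "convert_hostname" should say what happens when a name cannot be converted (entry skipped, treated as non-matching, or an internal error subject to onerr). In AUTHORS, "Merge of pam_access and pam_access(8) code was also done by him." reads as merging the module with itself; presumably the second name is pam_login_access, which the file= option already mentions. Spelling: "prefered", "depricated", "informations", "conjuction", "decription", "occured", "Thats why please run".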

