# $FreeBSD$
msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"POT-Creation-Date: 2020-07-26 09:01-0300\n"
"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
"Language-Team: LANGUAGE <LL@li.org>\n"
"Language: en_US\n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"

#. Put one translator per line, in the form NAME <EMAIL>, YEAR1, YEAR2
msgctxt "_"
msgid "translator-credits"
msgstr ""

#. (itstool) path: info/title
#: article.translate.xml:38
msgid "Pluggable Authentication Modules"
msgstr ""

#. (itstool) path: abstract/para
#: article.translate.xml:41
msgid ""
"This article describes the underlying principles and mechanisms of the "
"Pluggable Authentication Modules (PAM) library, and explains how to "
"configure PAM, how to integrate PAM into applications, and how to write PAM "
"modules."
msgstr ""

#. (itstool) path: info/copyright
#: article.translate.xml:47
msgid ""
"<year>2001</year> <year>2002</year> <year>2003</year> <holder>Networks "
"Associates Technology, Inc.</holder>"
msgstr ""

#. (itstool) path: authorgroup/author
#: article.translate.xml:55
msgid ""
"<personname> <firstname>Dag-Erling</firstname> <surname>Smørgrav</surname> </"
"personname> <contrib>Contributed by </contrib>"
msgstr ""

#. (itstool) path: legalnotice/para
#: article.translate.xml:65
msgid ""
"This article was written for the FreeBSD Project by ThinkSec AS and Network "
"Associates Laboratories, the Security Research Division of Network "
"Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 (<quote>CBOSS</"
"quote>), as part of the DARPA CHATS research program."
msgstr ""

#. (itstool) path: legalnotice/para
#: article.translate.xml:73
msgid "FreeBSD is a registered trademark of the FreeBSD Foundation."
msgstr ""

#. (itstool) path: legalnotice/para
#: article.translate.xml:75
msgid "Linux is a registered trademark of Linus Torvalds."
msgstr ""

#. (itstool) path: legalnotice/para
#: article.translate.xml:77
msgid ""
"Motif, OSF/1, and UNIX are registered trademarks and IT DialTone and The "
"Open Group are trademarks of The Open Group in the United States and other "
"countries."
msgstr ""

#. (itstool) path: legalnotice/para
#: article.translate.xml:81
msgid ""
"Sun, Sun Microsystems, Java, Java Virtual Machine, JDK, JRE, JSP, JVM, "
"Netra, OpenJDK, Solaris, StarOffice, SunOS and VirtualBox are trademarks or "
"registered trademarks of Sun Microsystems, Inc. in the United States and "
"other countries."
msgstr ""

#. (itstool) path: legalnotice/para
#: article.translate.xml:86
msgid ""
"Many of the designations used by manufacturers and sellers to distinguish "
"their products are claimed as trademarks. Where those designations appear in "
"this document, and the FreeBSD Project was aware of the trademark claim, the "
"designations have been followed by the <quote>™</quote> or the <quote>®</"
"quote> symbol."
msgstr ""

#. (itstool) path: info/releaseinfo
#: article.translate.xml:94
msgid ""
"$FreeBSD: head/en_US.ISO8859-1/articles/pam/article.xml 54299 2020-06-27 "
"18:15:55Z carlavilla $"
msgstr ""

#. (itstool) path: section/title
#. (itstool) id: article.translate.xml#pam-intro.title
#: article.translate.xml:98
msgid "Introduction"
msgstr ""

#. (itstool) path: section/para
#: article.translate.xml:100
msgid ""
"The Pluggable Authentication Modules (PAM) library is a generalized API for "
"authentication-related services which allows a system administrator to add "
"new authentication methods simply by installing new PAM modules, and to "
"modify authentication policies by editing configuration files."
msgstr ""

#. (itstool) path: section/para
#: article.translate.xml:106
msgid ""
"PAM was defined and developed in 1995 by Vipin Samar and Charlie Lai of Sun "
"Microsystems, and has not changed much since. In 1997, the Open Group "
"published the X/Open Single Sign-on (XSSO) preliminary specification, which "
"standardized the PAM API and added extensions for single (or rather "
"integrated) sign-on. At the time of this writing, this specification has not "
"yet been adopted as a standard."
msgstr ""

#. (itstool) path: section/para
#: article.translate.xml:114
msgid ""
"Although this article focuses primarily on FreeBSD 5.x, which uses OpenPAM, "
"it should be equally applicable to FreeBSD 4.x, which uses Linux-PAM, and "
"other operating systems such as Linux and <trademark>Solaris</trademark>."
msgstr ""

#. (itstool) path: section/title
#. (itstool) id: article.translate.xml#pam-terms.title
#: article.translate.xml:121
msgid "Terms and Conventions"
msgstr ""

#. (itstool) path: section/title
#. (itstool) id: article.translate.xml#pam-definitions.title
#: article.translate.xml:124
msgid "Definitions"
msgstr ""

#. (itstool) path: section/para
#: article.translate.xml:126
msgid ""
"The terminology surrounding PAM is rather confused. Neither Samar and Lai's "
"original paper nor the XSSO specification made any attempt at formally "
"defining terms for the various actors and entities involved in PAM, and the "
"terms that they do use (but do not define) are sometimes misleading and "
"ambiguous. The first attempt at establishing a consistent and unambiguous "
"terminology was a whitepaper written by Andrew G. Morgan (author of Linux-"
"PAM) in 1999. While Morgan's choice of terminology was a huge leap forward, "
"it is in this author's opinion by no means perfect. What follows is an "
"attempt, heavily inspired by Morgan, to define precise and unambiguous terms "
"for all actors and entities involved in PAM."
msgstr ""

#. (itstool) path: glossentry/glossterm
#: article.translate.xml:142
msgid "account"
msgstr ""

#. (itstool) path: glossdef/para
#: article.translate.xml:144
msgid "The set of credentials the applicant is requesting from the arbitrator."
msgstr ""

#. (itstool) path: glossentry/glossterm
#: article.translate.xml:150
msgid "applicant"
msgstr ""

#. (itstool) path: glossdef/para
#: article.translate.xml:152
msgid "The user or entity requesting authentication."
msgstr ""

#. (itstool) path: glossentry/glossterm
#: article.translate.xml:157
msgid "arbitrator"
msgstr ""

#. (itstool) path: glossdef/para
#: article.translate.xml:159
msgid ""
"The user or entity who has the privileges necessary to verify the "
"applicant's credentials and the authority to grant or deny the request."
msgstr ""

#. (itstool) path: glossentry/glossterm
#: article.translate.xml:166
msgid "chain"
msgstr ""

#. (itstool) path: glossdef/para
#: article.translate.xml:168
msgid ""
"A sequence of modules that will be invoked in response to a PAM request. The "
"chain includes information about the order in which to invoke the modules, "
"what arguments to pass to them, and how to interpret the results."
msgstr ""

#. (itstool) path: glossentry/glossterm
#: article.translate.xml:177
msgid "client"
msgstr ""

#. (itstool) path: glossdef/para
#: article.translate.xml:179
msgid ""
"The application responsible for initiating an authentication request on "
"behalf of the applicant and for obtaining the necessary authentication "
"information from him."
msgstr ""

#. (itstool) path: glossentry/glossterm
#: article.translate.xml:187
msgid "facility"
msgstr ""

#. (itstool) path: glossdef/para
#: article.translate.xml:189
msgid ""
"One of the four basic groups of functionality provided by PAM: "
"authentication, account management, session management and authentication "
"token update."
msgstr ""

#. (itstool) path: glossentry/glossterm
#: article.translate.xml:197
msgid "module"
msgstr ""

#. (itstool) path: glossdef/para
#: article.translate.xml:199
msgid ""
"A collection of one or more related functions implementing a particular "
"authentication facility, gathered into a single (normally dynamically "
"loadable) binary file and identified by a single name."
msgstr ""

#. (itstool) path: glossentry/glossterm
#: article.translate.xml:207
msgid "policy"
msgstr ""

#. (itstool) path: glossdef/para
#: article.translate.xml:209
msgid ""
"The complete set of configuration statements describing how to handle PAM "
"requests for a particular service. A policy normally consists of four "
"chains, one for each facility, though some services do not use all four "
"facilities."
msgstr ""

#. (itstool) path: glossentry/glossterm
#: article.translate.xml:218
msgid "server"
msgstr ""

#. (itstool) path: glossdef/para
#: article.translate.xml:220
msgid ""
"The application acting on behalf of the arbitrator to converse with the "
"client, retrieve authentication information, verify the applicant's "
"credentials and grant or deny requests."
msgstr ""

#. (itstool) path: glossentry/glossterm
#: article.translate.xml:228
msgid "service"
msgstr ""

#. (itstool) path: glossdef/para
#: article.translate.xml:230
msgid ""
"A class of servers providing similar or related functionality and requiring "
"similar authentication. PAM policies are defined on a per-service basis, so "
"all servers that claim the same service name will be subject to the same "
"policy."
msgstr ""

#. (itstool) path: glossentry/glossterm
#: article.translate.xml:239
msgid "session"
msgstr ""

#. (itstool) path: glossdef/para
#: article.translate.xml:241
msgid ""
"The context within which service is rendered to the applicant by the server. "
"One of PAM's four facilities, session management, is concerned exclusively "
"with setting up and tearing down this context."
msgstr ""

#. (itstool) path: glossentry/glossterm
#: article.translate.xml:249
msgid "token"
msgstr ""

#. (itstool) path: glossdef/para
#: article.translate.xml:251
msgid ""
"A chunk of information associated with the account, such as a password or "
"passphrase, which the applicant must provide to prove his identity."
msgstr ""

#. (itstool) path: glossentry/glossterm
#: article.translate.xml:258
msgid "transaction"
msgstr ""

#. (itstool) path: glossdef/para
#: article.translate.xml:260
msgid ""
"A sequence of requests from the same applicant to the same instance of the "
"same server, beginning with authentication and session set-up and ending "
"with session tear-down."
msgstr ""

#. (itstool) path: section/title
#. (itstool) id: article.translate.xml#pam-usage-examples.title
#: article.translate.xml:270
msgid "Usage Examples"
msgstr ""

#. (itstool) path: section/para
#: article.translate.xml:272
msgid ""
"This section aims to illustrate the meanings of some of the terms defined "
"above by way of a handful of simple examples."
msgstr ""

#. (itstool) path: section/title
#: article.translate.xml:277
msgid "Client and Server Are One"
msgstr ""

#. (itstool) path: section/para
#: article.translate.xml:279
msgid ""
"This simple example shows <literal>alice</literal> "
"<citerefentry><refentrytitle>su</refentrytitle><manvolnum>1</manvolnum></"
"citerefentry>'ing to <literal>root</literal>."
msgstr ""

#. (itstool) path: section/screen
#: article.translate.xml:282
#, no-wrap
msgid ""
"<prompt>%</prompt> <userinput>whoami</userinput>\n"
"alice\n"
"<prompt>%</prompt> <userinput>ls -l `which su`</userinput>\n"
"-r-sr-xr-x  1 root  wheel  10744 Dec  6 19:06 /usr/bin/su\n"
"<prompt>%</prompt> <userinput>su -</userinput>\n"
"Password: <userinput>xi3kiune</userinput>\n"
"<prompt>#</prompt> whoami\n"
"root"
msgstr ""

#. (itstool) path: listitem/para
#: article.translate.xml:293
msgid "The applicant is <literal>alice</literal>."
msgstr ""

#. (itstool) path: listitem/para
#: article.translate.xml:296
msgid "The account is <literal>root</literal>."
msgstr ""

#. (itstool) path: listitem/para
#: article.translate.xml:299
msgid ""
"The <citerefentry><refentrytitle>su</refentrytitle><manvolnum>1</manvolnum></"
"citerefentry> process is both client and server."
msgstr ""

#. (itstool) path: listitem/para
#: article.translate.xml:303
msgid "The authentication token is <literal>xi3kiune</literal>."
msgstr ""

#. (itstool) path: listitem/para
#: article.translate.xml:307
msgid ""
"The arbitrator is <literal>root</literal>, which is why "
"<citerefentry><refentrytitle>su</refentrytitle><manvolnum>1</manvolnum></"
"citerefentry> is setuid <literal>root</literal>."
msgstr ""

#. (itstool) path: section/title
#: article.translate.xml:314
msgid "Client and Server Are Separate"
msgstr ""

#. (itstool) path: section/para
#: article.translate.xml:316
msgid ""
"The example below shows <literal>eve</literal> try to initiate an "
"<citerefentry><refentrytitle>ssh</refentrytitle><manvolnum>1</manvolnum></"
"citerefentry> connection to <literal>login.example.com</literal>, ask to log "
"in as <literal>bob</literal>, and succeed. Bob should have chosen a better "
"password!"
msgstr ""

#. (itstool) path: section/screen
#: article.translate.xml:322
#, no-wrap
msgid ""
"<prompt>%</prompt> <userinput>whoami</userinput>\n"
"eve\n"
"<prompt>%</prompt> <userinput>ssh bob@login.example.com</userinput>\n"
"bob@login.example.com's password: <userinput>god</userinput>\n"
"Last login: Thu Oct 11 09:52:57 2001 from 192.168.0.1\n"
"Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994\n"
"\tThe Regents of the University of California.  All rights reserved.\n"
"FreeBSD 4.4-STABLE (LOGIN) #4: Tue Nov 27 18:10:34 PST 2001\n"
"\n"
"Welcome to FreeBSD!\n"
"<prompt>%</prompt>"
msgstr ""

#. (itstool) path: listitem/para
#: article.translate.xml:336
msgid "The applicant is <literal>eve</literal>."
msgstr ""

#. (itstool) path: listitem/para
#: article.translate.xml:339
msgid ""
"The client is Eve's <citerefentry><refentrytitle>ssh</"
"refentrytitle><manvolnum>1</manvolnum></citerefentry> process."
msgstr ""

#. (itstool) path: listitem/para
#: article.translate.xml:342
msgid ""
"The server is the <citerefentry><refentrytitle>sshd</"
"refentrytitle><manvolnum>8</manvolnum></citerefentry> process on "
"<literal>login.example.com</literal>"
msgstr ""

#. (itstool) path: listitem/para
#: article.translate.xml:346
msgid "The account is <literal>bob</literal>."
msgstr ""

#. (itstool) path: listitem/para
#: article.translate.xml:349
msgid "The authentication token is <literal>god</literal>."
msgstr ""

#. (itstool) path: listitem/para
#: article.translate.xml:353
msgid ""
"Although this is not shown in this example, the arbitrator is <literal>root</"
"literal>."
msgstr ""

#. (itstool) path: section/title
#: article.translate.xml:360
msgid "Sample Policy"
msgstr ""

#. (itstool) path: section/para
#: article.translate.xml:362
msgid "The following is FreeBSD's default policy for <literal>sshd</literal>:"
msgstr ""

#. (itstool) path: section/programlisting
#: article.translate.xml:365
#, no-wrap
msgid ""
"sshd\tauth\t\trequired\tpam_nologin.so\tno_warn\n"
"sshd\tauth\t\trequired\tpam_unix.so\tno_warn try_first_pass\n"
"sshd\taccount\t\trequired\tpam_login_access.so\n"
"sshd\taccount\t\trequired\tpam_unix.so\n"
"sshd\tsession\t\trequired\tpam_lastlog.so\tno_fail\n"
"sshd\tpassword\trequired\tpam_permit.so"
msgstr ""

#. (itstool) path: listitem/para
#: article.translate.xml:374
msgid ""
"This policy applies to the <literal>sshd</literal> service (which is not "
"necessarily restricted to the <citerefentry><refentrytitle>sshd</"
"refentrytitle><manvolnum>8</manvolnum></citerefentry> server.)"
msgstr ""

#. (itstool) path: listitem/para
#: article.translate.xml:379
msgid ""
"<literal>auth</literal>, <literal>account</literal>, <literal>session</"
"literal> and <literal>password</literal> are facilities."
msgstr ""

#. (itstool) path: listitem/para
#: article.translate.xml:384
msgid ""
"<filename>pam_nologin.so</filename>, <filename>pam_unix.so</filename>, "
"<filename>pam_login_access.so</filename>, <filename>pam_lastlog.so</"
"filename> and <filename>pam_permit.so</filename> are modules. It is clear "
"from this example that <filename>pam_unix.so</filename> provides at least "
"two facilities (authentication and account management.)"
msgstr ""

#. (itstool) path: section/title
#. (itstool) id: article.translate.xml#pam-essentials.title
#: article.translate.xml:408
msgid "PAM Essentials"
msgstr ""

#. (itstool) path: section/title
#. (itstool) id: article.translate.xml#pam-facilities-primitives.title
#: article.translate.xml:411
msgid "Facilities and Primitives"
msgstr ""

#. (itstool) path: section/para
#: article.translate.xml:414
msgid ""
"The PAM API offers six different authentication primitives grouped in four "
"facilities, which are described below."
msgstr ""

#. (itstool) path: varlistentry/term
#: article.translate.xml:419
msgid "<literal>auth</literal>"
msgstr ""

#. (itstool) path: listitem/para
#: article.translate.xml:421
msgid ""
"<emphasis>Authentication.</emphasis> This facility concerns itself with "
"authenticating the applicant and establishing the account credentials. It "
"provides two primitives:"
msgstr ""

#. (itstool) path: listitem/para
#: article.translate.xml:428
msgid ""
"<citerefentry><refentrytitle>pam_authenticate</refentrytitle><manvolnum>3</"
"manvolnum></citerefentry> authenticates the applicant, usually by requesting "
"an authentication token and comparing it with a value stored in a database "
"or obtained from an authentication server."
msgstr ""

#. (itstool) path: listitem/para
#: article.translate.xml:436
msgid ""
"<citerefentry><refentrytitle>pam_setcred</refentrytitle><manvolnum>3</"
"manvolnum></citerefentry> establishes account credentials such as user ID, "
"group membership and resource limits."
msgstr ""

#. (itstool) path: varlistentry/term
#: article.translate.xml:445
msgid "<literal>account</literal>"
msgstr ""

#. (itstool) path: listitem/para
#: article.translate.xml:447
msgid ""
"<emphasis>Account management.</emphasis> This facility handles non-"
"authentication-related issues of account availability, such as access "
"restrictions based on the time of day or the server's work load. It provides "
"a single primitive:"
msgstr ""

#. (itstool) path: listitem/para
#: article.translate.xml:455
msgid ""
"<citerefentry><refentrytitle>pam_acct_mgmt</refentrytitle><manvolnum>3</"
"manvolnum></citerefentry> verifies that the requested account is available."
msgstr ""

#. (itstool) path: varlistentry/term
#: article.translate.xml:463
msgid "<literal>session</literal>"
msgstr ""

#. (itstool) path: listitem/para
#: article.translate.xml:465
msgid ""
"<emphasis>Session management.</emphasis> This facility handles tasks "
"associated with session set-up and tear-down, such as login accounting. It "
"provides two primitives:"
msgstr ""

#. (itstool) path: listitem/para
#: article.translate.xml:472
msgid ""
"<citerefentry><refentrytitle>pam_open_session</refentrytitle><manvolnum>3</"
"manvolnum></citerefentry> performs tasks associated with session set-up: add "
"an entry in the <filename>utmp</filename> and <filename>wtmp</filename> "
"databases, start an SSH agent, etc."
msgstr ""

#. (itstool) path: listitem/para
#: article.translate.xml:480
msgid ""
"<citerefentry><refentrytitle>pam_close_session</refentrytitle><manvolnum>3</"
"manvolnum></citerefentry> performs tasks associated with session tear-down: "
"add an entry in the <filename>utmp</filename> and <filename>wtmp</filename> "
"databases, stop the SSH agent, etc."
msgstr ""

#. (itstool) path: varlistentry/term
#: article.translate.xml:491
msgid "<literal>password</literal>"
msgstr ""

#. (itstool) path: listitem/para
#: article.translate.xml:493
msgid ""
"<emphasis>Password management.</emphasis> This facility is used to change "
"the authentication token associated with an account, either because it has "
"expired or because the user wishes to change it. It provides a single "
"primitive:"
msgstr ""

#. (itstool) path: listitem/para
#: article.translate.xml:501
msgid ""
"<citerefentry><refentrytitle>pam_chauthtok</refentrytitle><manvolnum>3</"
"manvolnum></citerefentry> changes the authentication token, optionally "
"verifying that it is sufficiently hard to guess, has not been used "
"previously, etc."
msgstr ""

#. (itstool) path: section/title
#. (itstool) id: article.translate.xml#pam-modules.title
#: article.translate.xml:514
msgid "Modules"
msgstr ""

#. (itstool) path: section/para
#: article.translate.xml:516
msgid ""
"Modules are a very central concept in PAM; after all, they are the <quote>M</"
"quote> in <quote>PAM</quote>. A PAM module is a self-contained piece of "
"program code that implements the primitives in one or more facilities for "
"one particular mechanism; possible mechanisms for the authentication "
"facility, for instance, include the <trademark class=\"registered\">UNIX</"
"trademark> password database, NIS, LDAP and Radius."
msgstr ""

#. (itstool) path: section/title
#. (itstool) id: article.translate.xml#pam-module-naming.title
#: article.translate.xml:525
msgid "Module Naming"
msgstr ""

#. (itstool) path: section/para
#: article.translate.xml:527
msgid ""
"FreeBSD implements each mechanism in a single module, named "
"<literal>pam_<replaceable>mechanism</replaceable>.so</literal> (for "
"instance, <literal>pam_unix.so</literal> for the <trademark class="
"\"registered\">UNIX</trademark> mechanism.) Other implementations sometimes "
"have separate modules for separate facilities, and include the facility name "
"as well as the mechanism name in the module name. To name one example, "
"<trademark>Solaris</trademark> has a <literal>pam_dial_auth.so.1</literal> "
"module which is commonly used to authenticate dialup users."
msgstr ""

#. (itstool) path: section/title
#. (itstool) id: article.translate.xml#pam-module-versioning.title
#: article.translate.xml:540
msgid "Module Versioning"
msgstr ""

#. (itstool) path: section/para
#: article.translate.xml:543
msgid ""
"FreeBSD's original PAM implementation, based on Linux-PAM, did not use "
"version numbers for PAM modules. This would commonly cause problems with "
"legacy applications, which might be linked against older versions of the "
"system libraries, as there was no way to load a matching version of the "
"required modules."
msgstr ""

#. (itstool) path: section/para
#: article.translate.xml:550
msgid ""
"OpenPAM, on the other hand, looks for modules that have the same version "
"number as the PAM library (currently 2), and only falls back to an "
"unversioned module if no versioned module could be loaded. Thus legacy "
"modules can be provided for legacy applications, while allowing new (or "
"newly built) applications to take advantage of the most recent modules."
msgstr ""

#. (itstool) path: section/para
#: article.translate.xml:558
msgid ""
"Although <trademark>Solaris</trademark> PAM modules commonly have a version "
"number, they are not truly versioned, because the number is a part of the "
"module name and must be included in the configuration."
msgstr ""

#. (itstool) path: section/title
#. (itstool) id: article.translate.xml#pam-chains-policies.title
#: article.translate.xml:566
msgid "Chains and Policies"
msgstr ""

#. (itstool) path: section/para
#: article.translate.xml:569
msgid ""
"When a server initiates a PAM transaction, the PAM library tries to load a "
"policy for the service specified in the "
"<citerefentry><refentrytitle>pam_start</refentrytitle><manvolnum>3</"
"manvolnum></citerefentry> call. The policy specifies how authentication "
"requests should be processed, and is defined in a configuration file. This "
"is the other central concept in PAM: the possibility for the admin to tune "
"the system security policy (in the wider sense of the word) simply by "
"editing a text file."
msgstr ""

#. (itstool) path: section/para
#: article.translate.xml:578
msgid ""
"A policy consists of four chains, one for each of the four PAM facilities. "
"Each chain is a sequence of configuration statements, each specifying a "
"module to invoke, some (optional) parameters to pass to the module, and a "
"control flag that describes how to interpret the return code from the module."
msgstr ""

#. (itstool) path: section/para
#: article.translate.xml:585
msgid ""
"Understanding the control flags is essential to understanding PAM "
"configuration files. There are four different control flags:"
msgstr ""

#. (itstool) path: varlistentry/term
#: article.translate.xml:591
msgid "<literal>binding</literal>"
msgstr ""

#. (itstool) path: listitem/para
#: article.translate.xml:593
msgid ""
"If the module succeeds and no earlier module in the chain has failed, the "
"chain is immediately terminated and the request is granted. If the module "
"fails, the rest of the chain is executed, but the request is ultimately "
"denied."
msgstr ""

#. (itstool) path: listitem/para
#: article.translate.xml:599
msgid ""
"This control flag was introduced by Sun in <trademark>Solaris</trademark> 9 "
"(<trademark>SunOS</trademark> 5.9), and is also supported by OpenPAM."
msgstr ""

#. (itstool) path: varlistentry/term
#: article.translate.xml:606
msgid "<literal>required</literal>"
msgstr ""

#. (itstool) path: listitem/para
#: article.translate.xml:608
msgid ""
"If the module succeeds, the rest of the chain is executed, and the request "
"is granted unless some other module fails. If the module fails, the rest of "
"the chain is also executed, but the request is ultimately denied."
msgstr ""

#. (itstool) path: varlistentry/term
#: article.translate.xml:617
msgid "<literal>requisite</literal>"
msgstr ""

#. (itstool) path: listitem/para
#: article.translate.xml:619
msgid ""
"If the module succeeds, the rest of the chain is executed, and the request "
"is granted unless some other module fails. If the module fails, the chain is "
"immediately terminated and the request is denied."
msgstr ""

#. (itstool) path: varlistentry/term
#: article.translate.xml:627
msgid "<literal>sufficient</literal>"
msgstr ""

#. (itstool) path: listitem/para
#: article.translate.xml:629
msgid ""
"If the module succeeds and no earlier module in the chain has failed, the "
"chain is immediately terminated and the request is granted. If the module "
"fails, the module is ignored and the rest of the chain is executed."
msgstr ""

#. (itstool) path: listitem/para
#: article.translate.xml:635
msgid ""
"As the semantics of this flag may be somewhat confusing, especially when it "
"is used for the last module in a chain, it is recommended that the "
"<literal>binding</literal> control flag be used instead if the "
"implementation supports it."
msgstr ""

#. (itstool) path: varlistentry/term
#: article.translate.xml:644
msgid "<literal>optional</literal>"
msgstr ""

#. (itstool) path: listitem/para
#: article.translate.xml:646
msgid ""
"The module is executed, but its result is ignored. If all modules in a chain "
"are marked <literal>optional</literal>, all requests will always be granted."
msgstr ""

#. (itstool) path: section/para
#: article.translate.xml:654
msgid ""
"When a server invokes one of the six PAM primitives, PAM retrieves the chain "
"for the facility the primitive belongs to, and invokes each of the modules "
"listed in the chain, in the order they are listed, until it reaches the end, "
"or determines that no further processing is necessary (either because a "
"<literal>binding</literal> or <literal>sufficient</literal> module "
"succeeded, or because a <literal>requisite</literal> module failed.) The "
"request is granted if and only if at least one module was invoked, and all "
"non-optional modules succeeded."
msgstr ""
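
# Added example (not part of the FreeBSD article and not OpenPAM's source): a small C model of the chain evaluation described above, following this section's per-flag descriptions.
# The names step, verdict and eval_chain and the module outcomes in the sample chains are constructed for illustration; only the module names come from the article.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Control flags as listed in the article. */
enum ctl_flag { CTL_BINDING, CTL_REQUIRED, CTL_REQUISITE, CTL_SUFFICIENT, CTL_OPTIONAL };

/* One step of a chain; `succeeds` stands in for the module's return code. */
struct step {
    const char *module;
    enum ctl_flag flag;
    bool succeeds;
};

struct verdict {
    bool granted;
    size_t invoked;   /* how many modules actually ran */
};

/* Walk a chain in order and apply the control-flag rules from the text. */
struct verdict eval_chain(const struct step *chain, size_t n)
{
    struct verdict v = { false, 0 };
    bool failed = false;   /* a binding, required or requisite module failed */

    for (size_t i = 0; i < n; i++) {
        const struct step *s = &chain[i];
        v.invoked++;
        if (s->succeeds) {
            /* binding/sufficient end the chain only if nothing failed earlier */
            if ((s->flag == CTL_BINDING || s->flag == CTL_SUFFICIENT) && !failed)
                break;
            continue;
        }
        switch (s->flag) {
        case CTL_BINDING:
        case CTL_REQUIRED:
            failed = true;      /* keep going, but the request is denied */
            break;
        case CTL_REQUISITE:
            return v;           /* terminate immediately, denied */
        case CTL_SUFFICIENT:    /* failure is ignored */
        case CTL_OPTIONAL:      /* result is ignored */
            break;
        }
    }
    /* Granted only if at least one module ran and no counted failure occurred. */
    v.granted = v.invoked > 0 && !failed;
    return v;
}

/* Constructed sample chains; outcomes are invented for the demonstration. */
static const struct step SSHD_AUTH_OK[] = {
    { "pam_nologin.so", CTL_REQUIRED, true },
    { "pam_unix.so",    CTL_REQUIRED, true },
};
static const struct step NOLOGIN_FAILS_REQUIRED[] = {
    { "pam_nologin.so", CTL_REQUIRED, false },
    { "pam_unix.so",    CTL_REQUIRED, true },
};
static const struct step NOLOGIN_FAILS_REQUISITE[] = {
    { "pam_nologin.so", CTL_REQUISITE, false },
    { "pam_unix.so",    CTL_REQUIRED,  true },
};
static const struct step SUFFICIENT_AFTER_FAILURE[] = {
    { "pam_nologin.so", CTL_REQUIRED,   false },
    { "pam_unix.so",    CTL_SUFFICIENT, true },
    { "pam_permit.so",  CTL_REQUIRED,   true },
};
/* A sufficient module placed first: pam_nologin.so is never consulted. */
static const struct step SUFFICIENT_SHORT_CIRCUIT[] = {
    { "pam_unix.so",    CTL_SUFFICIENT, true },
    { "pam_nologin.so", CTL_REQUIRED,   false },
};
static const struct step ALL_OPTIONAL[] = {
    { "pam_lastlog.so", CTL_OPTIONAL, false },
};

static void show(const char *name, const struct step *c, size_t n)
{
    struct verdict v = eval_chain(c, n);
    printf("%-26s %s (%zu of %zu modules invoked)\n",
           name, v.granted ? "granted" : "denied", v.invoked, n);
}

int main(void)
{
    show("sshd auth, all succeed", SSHD_AUTH_OK, 2);
    show("required fails", NOLOGIN_FAILS_REQUIRED, 2);
    show("requisite fails", NOLOGIN_FAILS_REQUISITE, 2);
    show("sufficient after failure", SUFFICIENT_AFTER_FAILURE, 3);
    show("sufficient listed first", SUFFICIENT_SHORT_CIRCUIT, 2);
    show("all optional", ALL_OPTIONAL, 1);
    show("empty chain", NULL, 0);
    return 0;
}
```

# When reviewing a policy, the two cases to look for are a chain made only of optional modules and a sufficient or binding module listed ahead of a check that must always run.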

#. (itstool) path: section/para
#: article.translate.xml:665
msgid ""
"Note that it is possible, though not very common, to have the same module "
"listed several times in the same chain. For instance, a module that looks up "
"user names and passwords in a directory server could be invoked multiple "
"times with different parameters specifying different directory servers to "
"contact. PAM treats different occurrences of the same module in the same "
"chain as different, unrelated modules."
msgstr ""

#. (itstool) path: section/title
#. (itstool) id: article.translate.xml#pam-transactions.title
#: article.translate.xml:675
msgid "Transactions"
msgstr ""

#. (itstool) path: section/para
#: article.translate.xml:677
msgid ""
"The lifecycle of a typical PAM transaction is described below. Note that if "
"any of these steps fails, the server should report a suitable error message "
"to the client and abort the transaction."
msgstr ""

#. (itstool) path: listitem/para
#: article.translate.xml:684
msgid ""
"If necessary, the server obtains arbitrator credentials through a mechanism "
"independent of PAM—most commonly by virtue of having been started by "
"<literal>root</literal>, or of being setuid <literal>root</literal>."
msgstr ""

#. (itstool) path: listitem/para
#: article.translate.xml:692
msgid ""
"The server calls <citerefentry><refentrytitle>pam_start</"
"refentrytitle><manvolnum>3</manvolnum></citerefentry> to initialize the PAM "
"library and specify its service name and the target account, and register a "
"suitable conversation function."
msgstr ""

#. (itstool) path: listitem/para
#: article.translate.xml:699
msgid ""
"The server obtains various information relating to the transaction (such as "
"the applicant's user name and the name of the host the client runs on) and "
"submits it to PAM using <citerefentry><refentrytitle>pam_set_item</"
"refentrytitle><manvolnum>3</manvolnum></citerefentry>."
msgstr ""

#. (itstool) path: listitem/para
#: article.translate.xml:706
msgid ""
"The server calls <citerefentry><refentrytitle>pam_authenticate</"
"refentrytitle><manvolnum>3</manvolnum></citerefentry> to authenticate the "
"applicant."
msgstr ""

#. (itstool) path: listitem/para
#: article.translate.xml:711
msgid ""
"The server calls <citerefentry><refentrytitle>pam_acct_mgmt</"
"refentrytitle><manvolnum>3</manvolnum></citerefentry> to verify that the "
"requested account is available and valid. If the password is correct but has "
"expired, <citerefentry><refentrytitle>pam_acct_mgmt</"
"refentrytitle><manvolnum>3</manvolnum></citerefentry> will return "
"<literal>PAM_NEW_AUTHTOK_REQD</literal> instead of <literal>PAM_SUCCESS</"
"literal>."
msgstr ""

#. (itstool) path: listitem/para
#: article.translate.xml:719
msgid ""
"If the previous step returned <literal>PAM_NEW_AUTHTOK_REQD</literal>, the "
"server now calls <citerefentry><refentrytitle>pam_chauthtok</"
"refentrytitle><manvolnum>3</manvolnum></citerefentry> to force the client to "
"change the authentication token for the requested account."
msgstr ""

#. (itstool) path: listitem/para
#: article.translate.xml:726
msgid ""
"Now that the applicant has been properly authenticated, the server calls "
"<citerefentry><refentrytitle>pam_setcred</refentrytitle><manvolnum>3</"
"manvolnum></citerefentry> to establish the credentials of the requested "
"account. It is able to do this because it acts on behalf of the arbitrator, "
"and holds the arbitrator's credentials."
msgstr ""

#. (itstool) path: listitem/para
#: article.translate.xml:734
msgid ""
"Once the correct credentials have been established, the server calls "
"<citerefentry><refentrytitle>pam_open_session</refentrytitle><manvolnum>3</"
"manvolnum></citerefentry> to set up the session."
msgstr ""

#. (itstool) path: listitem/para
#: article.translate.xml:740
msgid ""
"The server now performs whatever service the client requested—for instance, "
"provide the applicant with a shell."
msgstr ""

#. (itstool) path: listitem/para
#: article.translate.xml:746
msgid ""
"Once the server is done serving the client, it calls "
"<citerefentry><refentrytitle>pam_close_session</refentrytitle><manvolnum>3</"
"manvolnum></citerefentry> to tear down the session."
msgstr ""

#. (itstool) path: listitem/para
#: article.translate.xml:751
msgid ""
"Finally, the server calls <citerefentry><refentrytitle>pam_end</"
"refentrytitle><manvolnum>3</manvolnum></citerefentry> to notify the PAM "
"library that it is done and that it can release whatever resources it has "
"allocated in the course of the transaction."
msgstr ""

#. (itstool) path: section/title
#. (itstool) id: article.translate.xml#pam-config.title
#: article.translate.xml:761
msgid "PAM Configuration"
msgstr ""

#. (itstool) path: section/title
#. (itstool) id: article.translate.xml#pam-config-file.title
#: article.translate.xml:764
msgid "PAM Policy Files"
msgstr ""

#. (itstool) path: section/title
#. (itstool) id: article.translate.xml#pam-config-pam.conf.title
#: article.translate.xml:767
msgid "The <filename>/etc/pam.conf</filename>"
msgstr ""

#. (itstool) path: section/para
#: article.translate.xml:770
msgid ""
"The traditional PAM policy file is <filename>/etc/pam.conf</filename>. This "
"file contains all the PAM policies for your system. Each line of the file "
"describes one step in a chain, as shown below:"
msgstr ""

#. (itstool) path: section/programlisting
#: article.translate.xml:775
#, no-wrap
msgid "login   auth    required        pam_nologin.so  no_warn"
msgstr ""

#. (itstool) path: section/para
#: article.translate.xml:777
msgid ""
"The fields are, in order: service name, facility name, control flag, module "
"name, and module arguments. Any additional fields are interpreted as "
"additional module arguments."
msgstr ""

#. (itstool) path: section/para
#: article.translate.xml:782
msgid ""
"A separate chain is constructed for each service / facility pair, so while "
"the order in which lines for the same service and facility appear is "
"significant, the order in which the individual services and facilities are "
"listed is not. The examples in the original PAM paper grouped configuration "
"lines by facility, and the <trademark>Solaris</trademark> stock "
"<filename>pam.conf</filename> still does that, but FreeBSD's stock "
"configuration groups configuration lines by service. Either way is fine; "
"either way makes equal sense."
msgstr ""

#. (itstool) path: section/title
#. (itstool) id: article.translate.xml#pam-config-pam.d.title
#: article.translate.xml:794
msgid "The <filename>/etc/pam.d</filename>"
msgstr ""

#. (itstool) path: section/para
#: article.translate.xml:797
msgid ""
"OpenPAM and Linux-PAM support an alternate configuration mechanism, which is "
"the preferred mechanism in FreeBSD. In this scheme, each policy is contained "
"in a separate file bearing the name of the service it applies to. These "
"files are stored in <filename>/etc/pam.d/</filename>."
msgstr ""

#. (itstool) path: section/para
#: article.translate.xml:803
msgid ""
"These per-service policy files have only four fields instead of "
"<filename>pam.conf</filename>'s five: the service name field is omitted. "
"Thus, instead of the sample <filename>pam.conf</filename> line from the "
"previous section, one would have the following line in <filename>/etc/pam.d/"
"login</filename>:"
msgstr ""

#. (itstool) path: section/programlisting
#: article.translate.xml:810
#, no-wrap
msgid "auth    required        pam_nologin.so  no_warn"
msgstr ""

#. (itstool) path: section/para
#: article.translate.xml:812
msgid ""
"As a consequence of this simplified syntax, it is possible to use the same "
"policy for multiple services by linking each service name to the same policy "
"file. For instance, to use the same policy for the <literal>su</literal> and "
"<literal>sudo</literal> services, one could do as follows:"
msgstr ""

#. (itstool) path: section/screen
#: article.translate.xml:819
#, no-wrap
msgid ""
"<prompt>#</prompt> <userinput>cd /etc/pam.d</userinput>\n"
"<prompt>#</prompt> <userinput>ln -s su sudo</userinput>"
msgstr ""

#. (itstool) path: section/para
#: article.translate.xml:822
msgid ""
"This works because the service name is determined from the file name rather "
"than specified in the policy file, so the same file can be used for multiple "
"differently-named services."
msgstr ""

#. (itstool) path: section/para
#: article.translate.xml:827
msgid ""
"Since each service's policy is stored in a separate file, the <filename>pam."
"d</filename> mechanism also makes it very easy to install additional "
"policies for third-party software packages."
msgstr ""
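
The two line layouts described above, as an added example that is not part of the original article or of any PAM library: a C parser that accepts both the five-field /etc/pam.conf form and the four-field /etc/pam.d form, then collects the chain for one service / facility pair in file order. The names pam_step, parse_policy_line and build_chain are hypothetical, and the sample policy lines are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define MAX_ARGS 8

/* One parsed policy line, i.e. one step in a chain. */
struct pam_step {
    char service[32], facility[16], control[16], module[64];
    char args[MAX_ARGS][32];
    int nargs;
};

/* Copy the next whitespace-delimited field of *p into dst; 0 if none left. */
static int next_field(const char **p, char *dst, size_t dstsz)
{
    size_t len;

    *p += strspn(*p, " \t\r\n");
    len = strcspn(*p, " \t\r\n");
    if (len == 0)
        return 0;
    snprintf(dst, dstsz, "%.*s", (int)len, *p);
    *p += len;
    return 1;
}

/*
 * Parse one policy line.  For /etc/pam.conf pass file_service = NULL: the
 * service name is the first field.  For /etc/pam.d/<name> pass the file
 * name: the line then starts with the facility.  Returns 0 on success,
 * -1 if a mandatory field is missing.
 */
int parse_policy_line(const char *line, const char *file_service,
    struct pam_step *out)
{
    const char *p = line;

    memset(out, 0, sizeof(*out));
    if (file_service != NULL)
        snprintf(out->service, sizeof(out->service), "%s", file_service);
    else if (!next_field(&p, out->service, sizeof(out->service)))
        return -1;
    if (!next_field(&p, out->facility, sizeof(out->facility)) ||
        !next_field(&p, out->control, sizeof(out->control)) ||
        !next_field(&p, out->module, sizeof(out->module)))
        return -1;
    /* Any additional fields are additional module arguments. */
    while (out->nargs < MAX_ARGS &&
        next_field(&p, out->args[out->nargs], sizeof(out->args[0])))
        out->nargs++;
    return 0;
}

/* Collect, in file order, the pam.conf steps for one service/facility pair. */
size_t build_chain(const char *const *lines, size_t nlines,
    const char *service, const char *facility,
    struct pam_step *chain, size_t max)
{
    struct pam_step s;
    size_t i, n = 0;

    for (i = 0; i < nlines && n < max; i++)
        if (parse_policy_line(lines[i], NULL, &s) == 0 &&
            strcmp(s.service, service) == 0 &&
            strcmp(s.facility, facility) == 0)
            chain[n++] = s;
    return n;
}

/* Constructed pam.conf content with services deliberately interleaved. */
static const char *const sample_conf[] = {
    "login   auth    required        pam_nologin.so  no_warn",
    "su      auth    sufficient      pam_rootok.so   no_warn",
    "login   account required        pam_login_access.so",
    "su      auth    requisite       pam_group.so    no_warn group=wheel",
    "login   auth    required        pam_unix.so     no_warn",
};

int main(void)
{
    struct pam_step chain[8];
    size_t i, n = build_chain(sample_conf, 5, "login", "auth", chain, 8);

    for (i = 0; i < n; i++)
        printf("login/auth step %zu: %s %s\n", i + 1,
            chain[i].control, chain[i].module);
    return 0;
}
```

Interleaving the su lines between the login lines does not change the login/auth chain, while swapping the two login/auth lines would.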

#. (itstool) path: section/title
#. (itstool) id: article.translate.xml#pam-config-file-order.title
#: article.translate.xml:834
msgid "The Policy Search Order"
msgstr ""

#. (itstool) path: section/para
#: article.translate.xml:837
msgid ""
"As we have seen above, PAM policies can be found in a number of places. What "
"happens if policies for the same service exist in multiple places?"
msgstr ""

#. (itstool) path: section/para
#: article.translate.xml:841
msgid ""
"It is essential to understand that PAM's configuration system is centered on "
"chains."
msgstr ""

#. (itstool) path: section/title
#. (itstool) id: article.translate.xml#pam-config-breakdown.title
#: article.translate.xml:848
msgid "Breakdown of a Configuration Line"
msgstr ""

#. (itstool) path: section/para
#: article.translate.xml:851
msgid ""
"As explained in <xref linkend=\"pam-config-file\"/>, each line in <filename>/"
"etc/pam.conf</filename> consists of four or more fields: the service name, "
"the facility name, the control flag, the module name, and zero or more "
"module arguments."
msgstr ""

#. (itstool) path: section/para
#: article.translate.xml:857
msgid ""
"The service name is generally (though not always) the name of the "
"application the statement applies to. If you are unsure, refer to the "
"individual application's documentation to determine what service name it "
"uses."
msgstr ""

#. (itstool) path: section/para
#: article.translate.xml:862
msgid ""
"Note that if you use <filename>/etc/pam.d/</filename> instead of <filename>/"
"etc/pam.conf</filename>, the service name is specified by the name of the "
"policy file, and omitted from the actual configuration lines, which then "
"start with the facility name."
msgstr ""

#. (itstool) path: section/para
#: article.translate.xml:868
msgid ""
"The facility is one of the four facility keywords described in <xref linkend="
"\"pam-facilities-primitives\"/>."
msgstr ""

#. (itstool) path: section/para
#: article.translate.xml:871
msgid ""
"Likewise, the control flag is one of the four keywords described in <xref "
"linkend=\"pam-chains-policies\"/>, describing how to interpret the return "
"code from the module. Linux-PAM supports an alternate syntax that lets you "
"specify the action to associate with each possible return code, but this "
"should be avoided as it is non-standard and closely tied in with the way "
"Linux-PAM dispatches service calls (which differs greatly from the way "
"<trademark>Solaris</trademark> and OpenPAM do it). Unsurprisingly, OpenPAM "
"does not support this syntax."
msgstr ""

#. (itstool) path: section/title
#. (itstool) id: article.translate.xml#pam-policies.title
#: article.translate.xml:883
msgid "Policies"
msgstr ""

#. (itstool) path: section/para
#: article.translate.xml:885
msgid ""
"To configure PAM correctly, it is essential to understand how policies are "
"interpreted."
msgstr ""

#. (itstool) path: section/para
#: article.translate.xml:888
msgid ""
"When an application calls <citerefentry><refentrytitle>pam_start</"
"refentrytitle><manvolnum>3</manvolnum></citerefentry>, the PAM library loads "
"the policy for the specified service and constructs four module chains (one "
"for each facility). If one or more of these chains are empty, the "
"corresponding chains from the policy for the <literal>other</literal> "
"service are substituted."
msgstr ""

#. (itstool) path: section/para
#: article.translate.xml:895
msgid ""
"When the application later calls one of the six PAM primitives, the PAM "
"library retrieves the chain for the corresponding facility and calls the "
"appropriate service function in each module listed in the chain, in the "
"order in which they were listed in the configuration. After each call to a "
"service function, the module type and the error code returned by the service "
"function are used to determine what happens next. With a few exceptions, "
"which we discuss below, the following table applies:"
msgstr ""

#. (itstool) path: table/title
#: article.translate.xml:906
msgid "PAM Chain Execution Summary"
msgstr ""

#. (itstool) path: row/entry
#: article.translate.xml:916
msgid "<literal>PAM_SUCCESS</literal>"
msgstr ""

#. (itstool) path: row/entry
#: article.translate.xml:917
msgid "<literal>PAM_IGNORE</literal>"
msgstr ""

#. (itstool) path: row/entry
#: article.translate.xml:918
msgid "<literal>other</literal>"
msgstr ""

#. (itstool) path: row/entry
#: article.translate.xml:923
msgid "binding"
msgstr ""

#. (itstool) path: row/entry
#: article.translate.xml:924 article.translate.xml:945
msgid "if (!fail) break;"
msgstr ""

#. (itstool) path: row/entry
#: article.translate.xml:925 article.translate.xml:931
#: article.translate.xml:932 article.translate.xml:938
#: article.translate.xml:939 article.translate.xml:946
#: article.translate.xml:947 article.translate.xml:952
#: article.translate.xml:953 article.translate.xml:954
msgid "-"
msgstr ""

#. (itstool) path: row/entry
#: article.translate.xml:926 article.translate.xml:933
msgid "fail = true;"
msgstr ""

#. (itstool) path: row/entry
#: article.translate.xml:930
msgid "required"
msgstr ""

#. (itstool) path: row/entry
#: article.translate.xml:937
msgid "requisite"
msgstr ""

#. (itstool) path: row/entry
#: article.translate.xml:940
msgid "fail = true; break;"
msgstr ""

#. (itstool) path: row/entry
#: article.translate.xml:944
msgid "sufficient"
msgstr ""

#. (itstool) path: row/entry
#: article.translate.xml:951
msgid "optional"
msgstr ""

#. (itstool) path: section/para
#: article.translate.xml:960
msgid ""
"If <varname>fail</varname> is true at the end of a chain, or when a "
"<quote>break</quote> is reached, the dispatcher returns the error code "
"returned by the first module that failed. Otherwise, it returns "
"<literal>PAM_SUCCESS</literal>."
msgstr ""

#. (itstool) path: section/para
#: article.translate.xml:966
msgid ""
"The first exception of note is that the error code "
"<literal>PAM_NEW_AUTHTOK_REQD</literal> is treated like a success, except "
"that if no module failed, and at least one module returned "
"<literal>PAM_NEW_AUTHTOK_REQD</literal>, the dispatcher will return "
"<literal>PAM_NEW_AUTHTOK_REQD</literal>."
msgstr ""

#. (itstool) path: section/para
#: article.translate.xml:973
msgid ""
"The second exception is that <citerefentry><refentrytitle>pam_setcred</"
"refentrytitle><manvolnum>3</manvolnum></citerefentry> treats "
"<literal>binding</literal> and <literal>sufficient</literal> modules as if "
"they were <literal>required</literal>."
msgstr ""

#. (itstool) path: section/para
#: article.translate.xml:977
msgid ""
"The third and final exception is that "
"<citerefentry><refentrytitle>pam_chauthtok</refentrytitle><manvolnum>3</"
"manvolnum></citerefentry> runs the entire chain twice (once for preliminary "
"checks and once to actually set the password), and in the preliminary phase "
"it treats <literal>binding</literal> and <literal>sufficient</literal> "
"modules as if they were <literal>required</literal>."
msgstr ""
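
The rules of the PAM Chain Execution Summary table and the three exceptions above, as an added example that is not the OpenPAM dispatcher or any other library's code: a C simulation that walks a chain of control flags and simulated module results. The SIM_ result codes are stand-ins rather than the values from pam_appl.h, all names are hypothetical, and the code assumes that the first error code is recorded from any failing module, whatever its control flag.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Stand-in result codes for this simulation; not the pam_appl.h values. */
enum sim_rc { SIM_SUCCESS, SIM_IGNORE, SIM_NEW_AUTHTOK_REQD,
              SIM_AUTH_ERR, SIM_PERM_DENIED };
enum ctl_flag { BINDING, REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL };

/* One chain entry: its control flag and the result its module returns. */
struct sim_step { enum ctl_flag flag; enum sim_rc rc; };

/*
 * Walk a chain by the rules of the table.  strict = true models pam_setcred
 * and the preliminary pass of pam_chauthtok, where binding and sufficient
 * modules are treated as required.  *called receives the number of modules
 * that were actually invoked.
 */
enum sim_rc run_chain(const struct sim_step *chain, size_t n, bool strict,
    size_t *called)
{
    bool fail = false, new_authtok = false;
    enum sim_rc first_err = SIM_SUCCESS;
    size_t i;

    *called = 0;
    for (i = 0; i < n; i++) {
        enum ctl_flag f = chain[i].flag;
        enum sim_rc r = chain[i].rc;

        ++*called;
        if (strict && (f == BINDING || f == SUFFICIENT))
            f = REQUIRED;
        if (r == SIM_IGNORE)
            continue;                    /* "-" in every row */
        if (r == SIM_NEW_AUTHTOK_REQD) { /* first exception: like success */
            new_authtok = true;
            r = SIM_SUCCESS;
        }
        if (r == SIM_SUCCESS) {
            if ((f == BINDING || f == SUFFICIENT) && !fail)
                break;                   /* if (!fail) break; */
            continue;
        }
        /* "other" column; assumption: first error from any module is kept */
        if (first_err == SIM_SUCCESS)
            first_err = r;
        if (f == BINDING || f == REQUIRED || f == REQUISITE)
            fail = true;                 /* fail = true; */
        if (f == REQUISITE)
            break;                       /* fail = true; break; */
    }
    if (fail)
        return first_err;
    return new_authtok ? SIM_NEW_AUTHTOK_REQD : SIM_SUCCESS;
}

/* Constructed chains; the comments name the situation each one models. */
static const struct sim_step suff_first[] = {   /* sufficient success ends the chain */
    { SUFFICIENT, SIM_SUCCESS }, { REQUIRED, SIM_AUTH_ERR } };
static const struct sim_step req_failed[] = {   /* earlier required failure sticks */
    { REQUIRED, SIM_AUTH_ERR }, { SUFFICIENT, SIM_SUCCESS },
    { REQUIRED, SIM_SUCCESS } };
static const struct sim_step all_suff_fail[] = { /* nothing ever sets fail */
    { SUFFICIENT, SIM_AUTH_ERR }, { SUFFICIENT, SIM_AUTH_ERR } };
static const struct sim_step with_deny[] = {    /* same, closed by a required failure */
    { SUFFICIENT, SIM_AUTH_ERR }, { SUFFICIENT, SIM_AUTH_ERR },
    { REQUIRED, SIM_AUTH_ERR } };

int main(void)
{
    size_t called;

    printf("suff_first:    rc=%d\n", run_chain(suff_first, 2, false, &called));
    printf("suff_first/setcred: rc=%d\n", run_chain(suff_first, 2, true, &called));
    printf("req_failed:    rc=%d\n", run_chain(req_failed, 3, false, &called));
    printf("all_suff_fail: rc=%d\n", run_chain(all_suff_fail, 2, false, &called));
    printf("with_deny:     rc=%d\n", run_chain(with_deny, 3, false, &called));
    return 0;
}
```

Under these rules a chain made only of sufficient modules returns success even when every module fails, because nothing ever sets fail; ending the chain with a required module that always fails changes the result to an error.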

#. (itstool) path: section/title
#. (itstool) id: article.translate.xml#pam-freebsd-modules.title
#: article.translate.xml:987
msgid "FreeBSD PAM Modules"
msgstr ""

#. (itstool) path: section/title
#. (itstool) id: article.translate.xml#pam-modules-deny.title
#: article.translate.xml:991
msgid ""
"<citerefentry><refentrytitle>pam_deny</refentrytitle><manvolnum>8</"
"manvolnum></citerefentry>"
msgstr ""

#. (itstool) path: section/para
#: article.translate.xml:993
msgid ""
"The <citerefentry><refentrytitle>pam_deny</refentrytitle><manvolnum>8</"
"manvolnum></citerefentry> module is one of the simplest modules available; "
"it responds to any request with <literal>PAM_AUTH_ERR</literal>. It is "
"useful for quickly disabling a service (add it to the top of every chain), "
"or for terminating chains of <literal>sufficient</literal> modules."
msgstr ""

#. (itstool) path: section/title
#. (itstool) id: article.translate.xml#pam-modules-echo.title
#: article.translate.xml:1002
msgid ""
"<citerefentry><refentrytitle>pam_echo</refentrytitle><manvolnum>8</"
"manvolnum></citerefentry>"
msgstr ""

#. (itstool) path: section/para
#: article.translate.xml:1004
msgid ""
"The <citerefentry><refentrytitle>pam_echo</refentrytitle><manvolnum>8</"
"manvolnum></citerefentry> module simply passes its arguments to the "
"conversation function as a <literal>PAM_TEXT_INFO</literal> message. It is "
"mostly useful for debugging, but can also serve to display messages such as "
"<quote>Unauthorized access will be prosecuted</quote> before starting the "
"authentication procedure."
msgstr ""

#. (itstool) path: section/title
#. (itstool) id: article.translate.xml#pam-modules-exec.title
#: article.translate.xml:1013
msgid ""
"<citerefentry><refentrytitle>pam_exec</refentrytitle><manvolnum>8</"
"manvolnum></citerefentry>"
msgstr ""

#. (itstool) path: section/para
#: article.translate.xml:1015
msgid ""
"The <citerefentry><refentrytitle>pam_exec</refentrytitle><manvolnum>8</"
"manvolnum></citerefentry> module takes its first argument to be the name of "
"a program to execute, and the remaining arguments are passed to that program "
"as command-line arguments. One possible application is to use it to run a "
"program at login time which mounts the user's home directory."
msgstr ""

#. (itstool) path: section/title
#. (itstool) id: article.translate.xml#pam-modules-ftpusers.title
#: article.translate.xml:1023
msgid ""
"<citerefentry><refentrytitle>pam_ftpusers</refentrytitle><manvolnum>8</"
"manvolnum></citerefentry>"
msgstr ""

#. (itstool) path: section/para
#: article.translate.xml:1025
msgid ""
"The <citerefentry><refentrytitle>pam_ftpusers</refentrytitle><manvolnum>8</"
"manvolnum></citerefentry> module"
msgstr ""

#. (itstool) path: section/title
#. (itstool) id: article.translate.xml#pam-modules-group.title
#: article.translate.xml:1029
msgid ""
"<citerefentry><refentrytitle>pam_group</refentrytitle><manvolnum>8</"
"manvolnum></citerefentry>"
msgstr ""

#. (itstool) path: section/para
#: article.translate.xml:1031
msgid ""
"The <citerefentry><refentrytitle>pam_group</refentrytitle><manvolnum>8</"
"manvolnum></citerefentry> module accepts or rejects applicants on the basis "
"of their membership in a particular file group (normally <literal>wheel</"
"literal> for <citerefentry><refentrytitle>su</refentrytitle><manvolnum>1</"
"manvolnum></citerefentry>). It is primarily intended for maintaining the "
"traditional behavior of BSD <citerefentry><refentrytitle>su</"
"refentrytitle><manvolnum>1</manvolnum></citerefentry>, but has many other "
"uses, such as excluding certain groups of users from a particular service."
msgstr ""

#. (itstool) path: section/title
#. (itstool) id: article.translate.xml#pam-modules-guest.title
#: article.translate.xml:1040
msgid ""
"<citerefentry><refentrytitle>pam_guest</refentrytitle><manvolnum>8</"
"manvolnum></citerefentry>"
msgstr ""

#. (itstool) path: section/para
#: article.translate.xml:1042
msgid ""
"The <citerefentry><refentrytitle>pam_guest</refentrytitle><manvolnum>8</"
"manvolnum></citerefentry> module allows guest logins using fixed login "
"names. Various requirements can be placed on the password, but the default "
"behavior is to allow any password as long as the login name is that of a "
"guest account. The <citerefentry><refentrytitle>pam_guest</"
"refentrytitle><manvolnum>8</manvolnum></citerefentry> module can easily be "
"used to implement anonymous FTP logins."
msgstr ""

#. (itstool) path: section/title
#. (itstool) id: article.translate.xml#pam-modules-krb5.title
#: article.translate.xml:1051
msgid ""
"<citerefentry><refentrytitle>pam_krb5</refentrytitle><manvolnum>8</"
"manvolnum></citerefentry>"
msgstr ""

#. (itstool) path: section/para
#: article.translate.xml:1053
msgid ""
"The <citerefentry><refentrytitle>pam_krb5</refentrytitle><manvolnum>8</"
"manvolnum></citerefentry> module"
msgstr ""

#. (itstool) path: section/title
#. (itstool) id: article.translate.xml#pam-modules-ksu.title
#: article.translate.xml:1057
msgid ""
"<citerefentry><refentrytitle>pam_ksu</refentrytitle><manvolnum>8</"
"manvolnum></citerefentry>"
msgstr ""

#. (itstool) path: section/para
#: article.translate.xml:1059
msgid ""
"The <citerefentry><refentrytitle>pam_ksu</refentrytitle><manvolnum>8</"
"manvolnum></citerefentry> module"
msgstr ""

#. (itstool) path: section/title
#. (itstool) id: article.translate.xml#pam-modules-lastlog.title
#: article.translate.xml:1063
msgid ""
"<citerefentry><refentrytitle>pam_lastlog</refentrytitle><manvolnum>8</"
"manvolnum></citerefentry>"
msgstr ""

#. (itstool) path: section/para
#: article.translate.xml:1065
msgid ""
"The <citerefentry><refentrytitle>pam_lastlog</refentrytitle><manvolnum>8</"
"manvolnum></citerefentry> module"
msgstr ""

#. (itstool) path: section/title
#. (itstool) id: article.translate.xml#pam-modules-login-access.title
#: article.translate.xml:1069
msgid ""
"<citerefentry><refentrytitle>pam_login_access</refentrytitle><manvolnum>8</"
"manvolnum></citerefentry>"
msgstr ""

#. (itstool) path: section/para
#: article.translate.xml:1071
msgid ""
"The <citerefentry><refentrytitle>pam_login_access</"
"refentrytitle><manvolnum>8</manvolnum></citerefentry> module provides an "
"implementation of the account management primitive which enforces the login "
"restrictions specified in the <citerefentry><refentrytitle>login.access</"
"refentrytitle><manvolnum>5</manvolnum></citerefentry> table."
msgstr ""

#. (itstool) path: section/title
#. (itstool) id: article.translate.xml#pam-modules-nologin.title
#: article.translate.xml:1078
msgid ""
"<citerefentry><refentrytitle>pam_nologin</refentrytitle><manvolnum>8</"
"manvolnum></citerefentry>"
msgstr ""

#. (itstool) path: section/para
#: article.translate.xml:1080
msgid ""
"The <citerefentry><refentrytitle>pam_nologin</refentrytitle><manvolnum>8</"
"manvolnum></citerefentry> module refuses non-root logins when <filename>/var/"
"run/nologin</filename> exists. This file is normally created by "
"<citerefentry><refentrytitle>shutdown</refentrytitle><manvolnum>8</"
"manvolnum></citerefentry> when less than five minutes remain until the "
"scheduled shutdown time."
msgstr ""

#. (itstool) path: section/title
#. (itstool) id: article.translate.xml#pam-modules-opie.title
#: article.translate.xml:1087
msgid ""
"<citerefentry><refentrytitle>pam_opie</refentrytitle><manvolnum>8</"
"manvolnum></citerefentry>"
msgstr ""

#. (itstool) path: section/para
#: article.translate.xml:1089
msgid ""
"The <citerefentry><refentrytitle>pam_opie</refentrytitle><manvolnum>8</"
"manvolnum></citerefentry> module implements the "
"<citerefentry><refentrytitle>opie</refentrytitle><manvolnum>4</manvolnum></"
"citerefentry> authentication method. The <citerefentry><refentrytitle>opie</"
"refentrytitle><manvolnum>4</manvolnum></citerefentry> system is a challenge-"
"response mechanism where the response to each challenge is a direct function "
"of the challenge and a passphrase, so the response can be easily computed "
"<quote>just in time</quote> by anyone possessing the passphrase, eliminating "
"the need for password lists. Moreover, since "
"<citerefentry><refentrytitle>opie</refentrytitle><manvolnum>4</manvolnum></"
"citerefentry> never reuses a challenge that has been correctly answered, it "
"is not vulnerable to replay attacks."
msgstr ""

#. (itstool) path: section/title
#. (itstool) id: article.translate.xml#pam-modules-opieaccess.title
#: article.translate.xml:1101
msgid ""
"<citerefentry><refentrytitle>pam_opieaccess</refentrytitle><manvolnum>8</"
"manvolnum></citerefentry>"
msgstr ""

#. (itstool) path: section/para
#: article.translate.xml:1103
msgid ""
"The <citerefentry><refentrytitle>pam_opieaccess</refentrytitle><manvolnum>8</"
"manvolnum></citerefentry> module is a companion module to "
"<citerefentry><refentrytitle>pam_opie</refentrytitle><manvolnum>8</"
"manvolnum></citerefentry>. Its purpose is to enforce the restrictions "
"codified in <citerefentry><refentrytitle>opieaccess</"
"refentrytitle><manvolnum>5</manvolnum></citerefentry>, which regulate the "
"conditions under which a user who would normally authenticate herself using "
"<citerefentry><refentrytitle>opie</refentrytitle><manvolnum>4</manvolnum></"
"citerefentry> is allowed to use alternate methods. This is most often used "
"to prohibit the use of password authentication from untrusted hosts."
msgstr ""

#. (itstool) path: section/para
#: article.translate.xml:1111
msgid ""
"In order to be effective, the <citerefentry><refentrytitle>pam_opieaccess</"
"refentrytitle><manvolnum>8</manvolnum></citerefentry> module must be listed "
"as <literal>requisite</literal> immediately after a <literal>sufficient</"
"literal> entry for <citerefentry><refentrytitle>pam_opie</"
"refentrytitle><manvolnum>8</manvolnum></citerefentry>, and before any other "
"modules, in the <literal>auth</literal> chain."
msgstr ""

#. (itstool) path: section/title
#. (itstool) id: article.translate.xml#pam-modules-passwdqc.title
#: article.translate.xml:1119
msgid ""
"<citerefentry><refentrytitle>pam_passwdqc</refentrytitle><manvolnum>8</"
"manvolnum></citerefentry>"
msgstr ""

#. (itstool) path: section/para
#: article.translate.xml:1121
msgid ""
"The <citerefentry><refentrytitle>pam_passwdqc</refentrytitle><manvolnum>8</"
"manvolnum></citerefentry> module"
msgstr ""

#. (itstool) path: section/title
#. (itstool) id: article.translate.xml#pam-modules-permit.title
#: article.translate.xml:1125
msgid ""
"<citerefentry><refentrytitle>pam_permit</refentrytitle><manvolnum>8</"
"manvolnum></citerefentry>"
msgstr ""

#. (itstool) path: section/para
#: article.translate.xml:1127
msgid ""
"The <citerefentry><refentrytitle>pam_permit</refentrytitle><manvolnum>8</"
"manvolnum></citerefentry> module is one of the simplest modules available; "
"it responds to any request with <literal>PAM_SUCCESS</literal>. It is useful "
"as a placeholder for services where one or more chains would otherwise be "
"empty."
msgstr ""

#. (itstool) path: section/title
#. (itstool) id: article.translate.xml#pam-modules-radius.title
#: article.translate.xml:1135
msgid ""
"<citerefentry><refentrytitle>pam_radius</refentrytitle><manvolnum>8</"
"manvolnum></citerefentry>"
msgstr ""

#. (itstool) path: section/para
#: article.translate.xml:1137
msgid ""
"The <citerefentry><refentrytitle>pam_radius</refentrytitle><manvolnum>8</"
"manvolnum></citerefentry> module"
msgstr ""

#. (itstool) path: section/title
#. (itstool) id: article.translate.xml#pam-modules-rhosts.title
#: article.translate.xml:1141
msgid ""
"<citerefentry><refentrytitle>pam_rhosts</refentrytitle><manvolnum>8</"
"manvolnum></citerefentry>"
msgstr ""

#. (itstool) path: section/para
#: article.translate.xml:1143
msgid ""
"The <citerefentry><refentrytitle>pam_rhosts</refentrytitle><manvolnum>8</"
"manvolnum></citerefentry> module"
msgstr ""

#. (itstool) path: section/title
#. (itstool) id: article.translate.xml#pam-modules-rootok.title
#: article.translate.xml:1147
msgid ""
"<citerefentry><refentrytitle>pam_rootok</refentrytitle><manvolnum>8</"
"manvolnum></citerefentry>"
msgstr ""

#. (itstool) path: section/para
#: article.translate.xml:1149
msgid ""
"The <citerefentry><refentrytitle>pam_rootok</refentrytitle><manvolnum>8</"
"manvolnum></citerefentry> module reports success if and only if the real "
"user id of the process calling it (which is assumed to be run by the "
"applicant) is 0. This is useful for non-networked services such as "
"<citerefentry><refentrytitle>su</refentrytitle><manvolnum>1</manvolnum></"
"citerefentry> or <citerefentry><refentrytitle>passwd</"
"refentrytitle><manvolnum>1</manvolnum></citerefentry>, to which the "
"<literal>root</literal> should have automatic access."
msgstr ""

#. (itstool) path: section/title
#. (itstool) id: article.translate.xml#pam-modules-securetty.title
#: article.translate.xml:1158
msgid ""
"<citerefentry><refentrytitle>pam_securetty</refentrytitle><manvolnum>8</"
"manvolnum></citerefentry>"
msgstr ""

#. (itstool) path: section/para
#: article.translate.xml:1160
msgid ""
"The <citerefentry><refentrytitle>pam_securetty</refentrytitle><manvolnum>8</"
"manvolnum></citerefentry> module"
msgstr ""

#. (itstool) path: section/title
#. (itstool) id: article.translate.xml#pam-modules-self.title
#: article.translate.xml:1164
msgid ""
"<citerefentry><refentrytitle>pam_self</refentrytitle><manvolnum>8</"
"manvolnum></citerefentry>"
msgstr ""

#. (itstool) path: section/para
#: article.translate.xml:1166
msgid ""
"The <citerefentry><refentrytitle>pam_self</refentrytitle><manvolnum>8</"
"manvolnum></citerefentry> module reports success if and only if the name of "
"the applicant matches that of the target account. It is most useful for non-"
"networked services such as <citerefentry><refentrytitle>su</"
"refentrytitle><manvolnum>1</manvolnum></citerefentry>, where the identity of "
"the applicant can be easily verified."
msgstr ""

#. (itstool) path: section/title
#. (itstool) id: article.translate.xml#pam-modules-ssh.title
#: article.translate.xml:1174
msgid ""
"<citerefentry><refentrytitle>pam_ssh</refentrytitle><manvolnum>8</"
"manvolnum></citerefentry>"
msgstr ""

#. (itstool) path: section/para
#: article.translate.xml:1176
msgid ""
"The <citerefentry><refentrytitle>pam_ssh</refentrytitle><manvolnum>8</"
"manvolnum></citerefentry> module provides both authentication and session "
"services. The authentication service allows users who have passphrase-"
"protected SSH secret keys in their <filename>~/.ssh</filename> directory to "
"authenticate themselves by typing their passphrase. The session service "
"starts <citerefentry><refentrytitle>ssh-agent</refentrytitle><manvolnum>1</"
"manvolnum></citerefentry> and preloads it with the keys that were decrypted "
"in the authentication phase. This feature is particularly useful for local "
"logins, whether in X (using <citerefentry vendor="
"\"xfree86\"><refentrytitle>xdm</refentrytitle><manvolnum>1</manvolnum></"
"citerefentry> or another PAM-aware X login manager) or at the console."
msgstr ""

#. (itstool) path: section/title
#. (itstool) id: article.translate.xml#pam-modules-tacplus.title
#: article.translate.xml:1189
msgid ""
"<citerefentry><refentrytitle>pam_tacplus</refentrytitle><manvolnum>8</"
"manvolnum></citerefentry>"
msgstr ""

#. (itstool) path: section/para
#: article.translate.xml:1191
msgid ""
"The <citerefentry><refentrytitle>pam_tacplus</refentrytitle><manvolnum>8</"
"manvolnum></citerefentry> module"
msgstr ""

#. (itstool) path: section/title
#. (itstool) id: article.translate.xml#pam-modules-unix.title
#: article.translate.xml:1195
msgid ""
"<citerefentry><refentrytitle>pam_unix</refentrytitle><manvolnum>8</"
"manvolnum></citerefentry>"
msgstr ""

#. (itstool) path: section/para
#: article.translate.xml:1197
msgid ""
"The <citerefentry><refentrytitle>pam_unix</refentrytitle><manvolnum>8</"
"manvolnum></citerefentry> module implements traditional <trademark class="
"\"registered\">UNIX</trademark> password authentication, using "
"<citerefentry><refentrytitle>getpwnam</refentrytitle><manvolnum>3</"
"manvolnum></citerefentry> to obtain the target account's password and "
"compare it with the one provided by the applicant. It also provides account "
"management services (enforcing account and password expiration times) and "
"password-changing services. This is probably the single most useful module, "
"as the great majority of admins will want to maintain historical behavior "
"for at least some services."
msgstr ""

#. (itstool) path: section/title
#. (itstool) id: article.translate.xml#pam-appl-prog.title
#: article.translate.xml:1210
msgid "PAM Application Programming"
msgstr ""

#. (itstool) path: section/para
#: article.translate.xml:1213 article.translate.xml:1234
msgid "This section has not yet been written."
msgstr ""

#. (itstool) path: section/title
#. (itstool) id: article.translate.xml#pam-module-prog.title
#: article.translate.xml:1231
msgid "PAM Module Programming"
msgstr ""

#. (itstool) path: appendix/title
#. (itstool) id: article.translate.xml#pam-sample-appl.title
#: article.translate.xml:1238
msgid "Sample PAM Application"
msgstr ""

#. (itstool) path: appendix/para
#: article.translate.xml:1241
msgid ""
"The following is a minimal implementation of "
"<citerefentry><refentrytitle>su</refentrytitle><manvolnum>1</manvolnum></"
"citerefentry> using PAM. Note that it uses the OpenPAM-specific "
"<citerefentry><refentrytitle>openpam_ttyconv</refentrytitle><manvolnum>3</"
"manvolnum></citerefentry> conversation function, which is prototyped in "
"<filename>security/openpam.h</filename>. If you wish to build this application "
"on a system with a different PAM library, you will have to provide your own "
"conversation function. A robust conversation function is surprisingly "
"difficult to implement; the one presented in <xref linkend=\"pam-sample-conv"
"\"/> is a good starting point, but should not be used in real-world "
"applications."
msgstr ""

#. (itstool) path: appendix/programlisting
#: article.translate.xml:1251
#, no-wrap
msgid ""
"/*-\n"
" * Copyright (c) 2002,2003 Networks Associates Technology, Inc.\n"
" * All rights reserved.\n"
" *\n"
" * This software was developed for the FreeBSD Project by ThinkSec AS and\n"
" * Network Associates Laboratories, the Security Research Division of\n"
" * Network Associates, Inc.  under DARPA/SPAWAR contract N66001-01-C-8035\n"
" * (\"CBOSS\"), as part of the DARPA CHATS research program.\n"
" *\n"
" * Redistribution and use in source and binary forms, with or without\n"
" * modification, are permitted provided that the following conditions\n"
" * are met:\n"
" * 1. Redistributions of source code must retain the above copyright\n"
" *    notice, this list of conditions and the following disclaimer.\n"
" * 2. Redistributions in binary form must reproduce the above copyright\n"
" *    notice, this list of conditions and the following disclaimer in the\n"
" *    documentation and/or other materials provided with the distribution.\n"
" * 3. The name of the author may not be used to endorse or promote\n"
" *    products derived from this software without specific prior written\n"
" *    permission.\n"
" *\n"
" * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND\n"
" * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE\n"
" * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE\n"
" * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE\n"
" * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL\n"
" * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS\n"
" * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)\n"
" * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT\n"
" * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY\n"
" * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF\n"
" * SUCH DAMAGE.\n"
" *\n"
" * $P4: //depot/projects/openpam/bin/su/su.c#10 $\n"
" * $FreeBSD: head/en_US.ISO8859-1/articles/pam/su.c 38826 2012-05-17 19:12:14Z hrs $\n"
" */\n"
"\n"
"#include &lt;sys/param.h&gt;\n"
"#include &lt;sys/wait.h&gt;\n"
"\n"
"#include &lt;err.h&gt;\n"
"#include &lt;pwd.h&gt;\n"
"#include &lt;stdio.h&gt;\n"
"#include &lt;stdlib.h&gt;\n"
"#include &lt;string.h&gt;\n"
"#include &lt;syslog.h&gt;\n"
"#include &lt;unistd.h&gt;\n"
"\n"
"#include &lt;security/pam_appl.h&gt;\n"
"#include &lt;security/openpam.h&gt;\t/* for openpam_ttyconv() */\n"
"\n"
"extern char **environ;\n"
"\n"
"static pam_handle_t *pamh;\n"
"static struct pam_conv pamc;\n"
"\n"
"static void\n"
"usage(void)\n"
"{\n"
"\n"
"\tfprintf(stderr, \"Usage: su [login [args]]\\n\");\n"
"\texit(1);\n"
"}\n"
"\n"
"int\n"
"main(int argc, char *argv[])\n"
"{\n"
"\tchar hostname[MAXHOSTNAMELEN];\n"
"\tconst char *user, *tty;\n"
"\tchar **args, **pam_envlist, **pam_env;\n"
"\tstruct passwd *pwd;\n"
"\tint o, pam_err, status;\n"
"\tpid_t pid;\n"
"\n"
"\twhile ((o = getopt(argc, argv, \"h\")) != -1)\n"
"\t\tswitch (o) {\n"
"\t\tcase 'h':\n"
"\t\tdefault:\n"
"\t\t\tusage();\n"
"\t\t}\n"
"\n"
"\targc -= optind;\n"
"\targv += optind;\n"
"\n"
"\tif (argc &gt; 0) {\n"
"\t\tuser = *argv;\n"
"\t\t--argc;\n"
"\t\t++argv;\n"
"\t} else {\n"
"\t\tuser = \"root\";\n"
"\t}\n"
"\n"
"\t/* initialize PAM */\n"
"\tpamc.conv = &amp;openpam_ttyconv;\n"
"\tpam_start(\"su\", user, &amp;pamc, &amp;pamh);\n"
"\n"
"\t/* set some items */\n"
"\tgethostname(hostname, sizeof(hostname));\n"
"\tif ((pam_err = pam_set_item(pamh, PAM_RHOST, hostname)) != PAM_SUCCESS)\n"
"\t\tgoto pamerr;\n"
"\tuser = getlogin();\n"
"\tif ((pam_err = pam_set_item(pamh, PAM_RUSER, user)) != PAM_SUCCESS)\n"
"\t\tgoto pamerr;\n"
"\ttty = ttyname(STDERR_FILENO);\n"
"\tif ((pam_err = pam_set_item(pamh, PAM_TTY, tty)) != PAM_SUCCESS)\n"
"\t\tgoto pamerr;\n"
"\n"
"\t/* authenticate the applicant */\n"
"\tif ((pam_err = pam_authenticate(pamh, 0)) != PAM_SUCCESS)\n"
"\t\tgoto pamerr;\n"
"\tif ((pam_err = pam_acct_mgmt(pamh, 0)) == PAM_NEW_AUTHTOK_REQD)\n"
"\t\tpam_err = pam_chauthtok(pamh, PAM_CHANGE_EXPIRED_AUTHTOK);\n"
"\tif (pam_err != PAM_SUCCESS)\n"
"\t\tgoto pamerr;\n"
"\n"
"\t/* establish the requested credentials */\n"
"\tif ((pam_err = pam_setcred(pamh, PAM_ESTABLISH_CRED)) != PAM_SUCCESS)\n"
"\t\tgoto pamerr;\n"
"\n"
"\t/* authentication succeeded; open a session */\n"
"\tif ((pam_err = pam_open_session(pamh, 0)) != PAM_SUCCESS)\n"
"\t\tgoto pamerr;\n"
"\n"
"\t/* get mapped user name; PAM may have changed it */\n"
"\tpam_err = pam_get_item(pamh, PAM_USER, (const void **)&amp;user);\n"
"\tif (pam_err != PAM_SUCCESS || (pwd = getpwnam(user)) == NULL)\n"
"\t\tgoto pamerr;\n"
"\n"
"\t/* export PAM environment */\n"
"\tif ((pam_envlist = pam_getenvlist(pamh)) != NULL) {\n"
"\t\tfor (pam_env = pam_envlist; *pam_env != NULL; ++pam_env) {\n"
"\t\t\tputenv(*pam_env);\n"
"\t\t\tfree(*pam_env);\n"
"\t\t}\n"
"\t\tfree(pam_envlist);\n"
"\t}\n"
"\n"
"\t/* build argument list */\n"
"\tif ((args = calloc(argc + 2, sizeof *args)) == NULL) {\n"
"\t\twarn(\"calloc()\");\n"
"\t\tgoto err;\n"
"\t}\n"
"\t*args = pwd-&gt;pw_shell;\n"
"\tmemcpy(args + 1, argv, argc * sizeof *args);\n"
"\n"
"\t/* fork and exec */\n"
"\tswitch ((pid = fork())) {\n"
"\tcase -1:\n"
"\t\twarn(\"fork()\");\n"
"\t\tgoto err;\n"
"\tcase 0:\n"
"\t\t/* child: give up privs and start a shell */\n"
"\n"
"\t\t/* set uid and groups */\n"
"\t\tif (initgroups(pwd-&gt;pw_name, pwd-&gt;pw_gid) == -1) {\n"
"\t\t\twarn(\"initgroups()\");\n"
"\t\t\t_exit(1);\n"
"\t\t}\n"
"\t\tif (setgid(pwd-&gt;pw_gid) == -1) {\n"
"\t\t\twarn(\"setgid()\");\n"
"\t\t\t_exit(1);\n"
"\t\t}\n"
"\t\tif (setuid(pwd-&gt;pw_uid) == -1) {\n"
"\t\t\twarn(\"setuid()\");\n"
"\t\t\t_exit(1);\n"
"\t\t}\n"
"\t\texecve(*args, args, environ);\n"
"\t\twarn(\"execve()\");\n"
"\t\t_exit(1);\n"
"\tdefault:\n"
"\t\t/* parent: wait for child to exit */\n"
"\t\twaitpid(pid, &amp;status, 0);\n"
"\n"
"\t\t/* close the session and release PAM resources */\n"
"\t\tpam_err = pam_close_session(pamh, 0);\n"
"\t\tpam_end(pamh, pam_err);\n"
"\n"
"\t\texit(WEXITSTATUS(status));\n"
"\t}\n"
"\n"
"pamerr:\n"
"\tfprintf(stderr, \"Sorry\\n\");\n"
"err:\n"
"\tpam_end(pamh, pam_err);\n"
"\texit(1);\n"
"}\n"
msgstr ""

#. (itstool) path: appendix/title
#. (itstool) id: article.translate.xml#pam-sample-module.title
#: article.translate.xml:1441
msgid "Sample PAM Module"
msgstr ""

#. (itstool) path: appendix/para
#: article.translate.xml:1443
msgid ""
"The following is a minimal implementation of "
"<citerefentry><refentrytitle>pam_unix</refentrytitle><manvolnum>8</"
"manvolnum></citerefentry>, offering only authentication services. It should "
"build and run with most PAM implementations, but takes advantage of OpenPAM "
"extensions if available: note the use of "
"<citerefentry><refentrytitle>pam_get_authtok</refentrytitle><manvolnum>3</"
"manvolnum></citerefentry>, which enormously simplifies prompting the user "
"for a password."
msgstr ""

#. (itstool) path: appendix/programlisting
#: article.translate.xml:1450
#, no-wrap
msgid ""
"/*-\n"
" * Copyright (c) 2002 Networks Associates Technology, Inc.\n"
" * All rights reserved.\n"
" *\n"
" * This software was developed for the FreeBSD Project by ThinkSec AS and\n"
" * Network Associates Laboratories, the Security Research Division of\n"
" * Network Associates, Inc.  under DARPA/SPAWAR contract N66001-01-C-8035\n"
" * (\"CBOSS\"), as part of the DARPA CHATS research program.\n"
" *\n"
" * Redistribution and use in source and binary forms, with or without\n"
" * modification, are permitted provided that the following conditions\n"
" * are met:\n"
" * 1. Redistributions of source code must retain the above copyright\n"
" *    notice, this list of conditions and the following disclaimer.\n"
" * 2. Redistributions in binary form must reproduce the above copyright\n"
" *    notice, this list of conditions and the following disclaimer in the\n"
" *    documentation and/or other materials provided with the distribution.\n"
" * 3. The name of the author may not be used to endorse or promote\n"
" *    products derived from this software without specific prior written\n"
" *    permission.\n"
" *\n"
" * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND\n"
" * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE\n"
" * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE\n"
" * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE\n"
" * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL\n"
" * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS\n"
" * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)\n"
" * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT\n"
" * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY\n"
" * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF\n"
" * SUCH DAMAGE.\n"
" *\n"
" * $P4: //depot/projects/openpam/modules/pam_unix/pam_unix.c#3 $\n"
" * $FreeBSD: head/en_US.ISO8859-1/articles/pam/pam_unix.c 38826 2012-05-17 19:12:14Z hrs $\n"
" */\n"
"\n"
"#include &lt;sys/param.h&gt;\n"
"\n"
"#include &lt;pwd.h&gt;\n"
"#include &lt;stdlib.h&gt;\n"
"#include &lt;stdio.h&gt;\n"
"#include &lt;string.h&gt;\n"
"#include &lt;unistd.h&gt;\n"
"\n"
"#include &lt;security/pam_modules.h&gt;\n"
"#include &lt;security/pam_appl.h&gt;\n"
"\n"
"#ifndef _OPENPAM\n"
"static char password_prompt[] = \"Password:\";\n"
"#endif\n"
"\n"
"#ifndef PAM_EXTERN\n"
"#define PAM_EXTERN\n"
"#endif\n"
"\n"
"PAM_EXTERN int\n"
"pam_sm_authenticate(pam_handle_t *pamh, int flags,\n"
"\tint argc, const char *argv[])\n"
"{\n"
"#ifndef _OPENPAM\n"
"\tstruct pam_conv *conv;\n"
"\tstruct pam_message msg;\n"
"\tconst struct pam_message *msgp;\n"
"\tstruct pam_response *resp;\n"
"#endif\n"
"\tstruct passwd *pwd;\n"
"\tconst char *user;\n"
"\tchar *crypt_password, *password;\n"
"\tint pam_err, retry;\n"
"\n"
"\t/* identify user */\n"
"\tif ((pam_err = pam_get_user(pamh, &amp;user, NULL)) != PAM_SUCCESS)\n"
"\t\treturn (pam_err);\n"
"\tif ((pwd = getpwnam(user)) == NULL)\n"
"\t\treturn (PAM_USER_UNKNOWN);\n"
"\n"
"\t/* get password */\n"
"#ifndef _OPENPAM\n"
"\tpam_err = pam_get_item(pamh, PAM_CONV, (const void **)&amp;conv);\n"
"\tif (pam_err != PAM_SUCCESS)\n"
"\t\treturn (PAM_SYSTEM_ERR);\n"
"\tmsg.msg_style = PAM_PROMPT_ECHO_OFF;\n"
"\tmsg.msg = password_prompt;\n"
"\tmsgp = &amp;msg;\n"
"#endif\n"
"\tfor (retry = 0; retry &lt; 3; ++retry) {\n"
"#ifdef _OPENPAM\n"
"\t\tpam_err = pam_get_authtok(pamh, PAM_AUTHTOK,\n"
"\t\t    (const char **)&amp;password, NULL);\n"
"#else\n"
"\t\tresp = NULL;\n"
"\t\tpam_err = (*conv-&gt;conv)(1, &amp;msgp, &amp;resp, conv-&gt;appdata_ptr);\n"
"\t\tif (resp != NULL) {\n"
"\t\t\tif (pam_err == PAM_SUCCESS)\n"
"\t\t\t\tpassword = resp-&gt;resp;\n"
"\t\t\telse\n"
"\t\t\t\tfree(resp-&gt;resp);\n"
"\t\t\tfree(resp);\n"
"\t\t}\n"
"#endif\n"
"\t\tif (pam_err == PAM_SUCCESS)\n"
"\t\t\tbreak;\n"
"\t}\n"
"\tif (pam_err == PAM_CONV_ERR)\n"
"\t\treturn (pam_err);\n"
"\tif (pam_err != PAM_SUCCESS)\n"
"\t\treturn (PAM_AUTH_ERR);\n"
"\n"
"\t/* compare passwords */\n"
"\tif ((!pwd-&gt;pw_passwd[0] &amp;&amp; (flags &amp; PAM_DISALLOW_NULL_AUTHTOK)) ||\n"
"\t    (crypt_password = crypt(password, pwd-&gt;pw_passwd)) == NULL ||\n"
"\t    strcmp(crypt_password, pwd-&gt;pw_passwd) != 0)\n"
"\t\tpam_err = PAM_AUTH_ERR;\n"
"\telse\n"
"\t\tpam_err = PAM_SUCCESS;\n"
"#ifndef _OPENPAM\n"
"\tfree(password);\n"
"#endif\n"
"\treturn (pam_err);\n"
"}\n"
"\n"
"PAM_EXTERN int\n"
"pam_sm_setcred(pam_handle_t *pamh, int flags,\n"
"\tint argc, const char *argv[])\n"
"{\n"
"\n"
"\treturn (PAM_SUCCESS);\n"
"}\n"
"\n"
"PAM_EXTERN int\n"
"pam_sm_acct_mgmt(pam_handle_t *pamh, int flags,\n"
"\tint argc, const char *argv[])\n"
"{\n"
"\n"
"\treturn (PAM_SUCCESS);\n"
"}\n"
"\n"
"PAM_EXTERN int\n"
"pam_sm_open_session(pam_handle_t *pamh, int flags,\n"
"\tint argc, const char *argv[])\n"
"{\n"
"\n"
"\treturn (PAM_SUCCESS);\n"
"}\n"
"\n"
"PAM_EXTERN int\n"
"pam_sm_close_session(pam_handle_t *pamh, int flags,\n"
"\tint argc, const char *argv[])\n"
"{\n"
"\n"
"\treturn (PAM_SUCCESS);\n"
"}\n"
"\n"
"PAM_EXTERN int\n"
"pam_sm_chauthtok(pam_handle_t *pamh, int flags,\n"
"\tint argc, const char *argv[])\n"
"{\n"
"\n"
"\treturn (PAM_SERVICE_ERR);\n"
"}\n"
"\n"
"#ifdef PAM_MODULE_ENTRY\n"
"PAM_MODULE_ENTRY(\"pam_unix\");\n"
"#endif\n"
msgstr ""

#. (itstool) path: appendix/title
#. (itstool) id: article.translate.xml#pam-sample-conv.title
#: article.translate.xml:1619
msgid "Sample PAM Conversation Function"
msgstr ""

#. (itstool) path: appendix/para
#: article.translate.xml:1622
msgid ""
"The conversation function presented below is a greatly simplified version of "
"OpenPAM's <citerefentry><refentrytitle>openpam_ttyconv</"
"refentrytitle><manvolnum>3</manvolnum></citerefentry>. It is fully "
"functional, and should give the reader a good idea of how a conversation "
"function should behave, but it is far too simple for real-world use. Even if "
"you are not using OpenPAM, feel free to download the source code and adapt "
"<citerefentry><refentrytitle>openpam_ttyconv</refentrytitle><manvolnum>3</"
"manvolnum></citerefentry> to your uses; we believe it to be as robust as a "
"tty-oriented conversation function can reasonably get."
msgstr ""

#. (itstool) path: appendix/programlisting
#: article.translate.xml:1632
#, no-wrap
msgid ""
"/*-\n"
" * Copyright (c) 2002 Networks Associates Technology, Inc.\n"
" * All rights reserved.\n"
" *\n"
" * This software was developed for the FreeBSD Project by ThinkSec AS and\n"
" * Network Associates Laboratories, the Security Research Division of\n"
" * Network Associates, Inc.  under DARPA/SPAWAR contract N66001-01-C-8035\n"
" * (\"CBOSS\"), as part of the DARPA CHATS research program.\n"
" *\n"
" * Redistribution and use in source and binary forms, with or without\n"
" * modification, are permitted provided that the following conditions\n"
" * are met:\n"
" * 1. Redistributions of source code must retain the above copyright\n"
" *    notice, this list of conditions and the following disclaimer.\n"
" * 2. Redistributions in binary form must reproduce the above copyright\n"
" *    notice, this list of conditions and the following disclaimer in the\n"
" *    documentation and/or other materials provided with the distribution.\n"
" * 3. The name of the author may not be used to endorse or promote\n"
" *    products derived from this software without specific prior written\n"
" *    permission.\n"
" *\n"
" * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND\n"
" * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE\n"
" * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE\n"
" * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE\n"
" * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL\n"
" * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS\n"
" * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)\n"
" * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT\n"
" * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY\n"
" * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF\n"
" * SUCH DAMAGE.\n"
" *\n"
" * $FreeBSD: head/en_US.ISO8859-1/articles/pam/converse.c 38826 2012-05-17 19:12:14Z hrs $\n"
" */\n"
"\n"
"#include &lt;stdio.h&gt;\n"
"#include &lt;stdlib.h&gt;\n"
"#include &lt;string.h&gt;\n"
"#include &lt;unistd.h&gt;\n"
"\n"
"#include &lt;security/pam_appl.h&gt;\n"
"\n"
"int\n"
"converse(int n, const struct pam_message **msg,\n"
"\tstruct pam_response **resp, void *data)\n"
"{\n"
"\tstruct pam_response *aresp;\n"
"\tchar buf[PAM_MAX_RESP_SIZE];\n"
"\tint i;\n"
"\n"
"\tdata = data;\n"
"\tif (n &lt;= 0 || n &gt; PAM_MAX_NUM_MSG)\n"
"\t\treturn (PAM_CONV_ERR);\n"
"\tif ((aresp = calloc(n, sizeof *aresp)) == NULL)\n"
"\t\treturn (PAM_BUF_ERR);\n"
"\tfor (i = 0; i &lt; n; ++i) {\n"
"\t\taresp[i].resp_retcode = 0;\n"
"\t\taresp[i].resp = NULL;\n"
"\t\tswitch (msg[i]-&gt;msg_style) {\n"
"\t\tcase PAM_PROMPT_ECHO_OFF:\n"
"\t\t\taresp[i].resp = strdup(getpass(msg[i]-&gt;msg));\n"
"\t\t\tif (aresp[i].resp == NULL)\n"
"\t\t\t\tgoto fail;\n"
"\t\t\tbreak;\n"
"\t\tcase PAM_PROMPT_ECHO_ON:\n"
"\t\t\tfputs(msg[i]-&gt;msg, stderr);\n"
"\t\t\tif (fgets(buf, sizeof buf, stdin) == NULL)\n"
"\t\t\t\tgoto fail;\n"
"\t\t\taresp[i].resp = strdup(buf);\n"
"\t\t\tif (aresp[i].resp == NULL)\n"
"\t\t\t\tgoto fail;\n"
"\t\t\tbreak;\n"
"\t\tcase PAM_ERROR_MSG:\n"
"\t\t\tfputs(msg[i]-&gt;msg, stderr);\n"
"\t\t\tif (strlen(msg[i]-&gt;msg) &gt; 0 &amp;&amp;\n"
"\t\t\t    msg[i]-&gt;msg[strlen(msg[i]-&gt;msg) - 1] != '\\n')\n"
"\t\t\t\tfputc('\\n', stderr);\n"
"\t\t\tbreak;\n"
"\t\tcase PAM_TEXT_INFO:\n"
"\t\t\tfputs(msg[i]-&gt;msg, stdout);\n"
"\t\t\tif (strlen(msg[i]-&gt;msg) &gt; 0 &amp;&amp;\n"
"\t\t\t    msg[i]-&gt;msg[strlen(msg[i]-&gt;msg) - 1] != '\\n')\n"
"\t\t\t\tfputc('\\n', stdout);\n"
"\t\t\tbreak;\n"
"\t\tdefault:\n"
"\t\t\tgoto fail;\n"
"\t\t}\n"
"\t}\n"
"\t*resp = aresp;\n"
"\treturn (PAM_SUCCESS);\n"
" fail:\n"
"        for (i = 0; i &lt; n; ++i) {\n"
"                if (aresp[i].resp != NULL) {\n"
"                        memset(aresp[i].resp, 0, strlen(aresp[i].resp));\n"
"                        free(aresp[i].resp);\n"
"                }\n"
"        }\n"
"        memset(aresp, 0, n * sizeof *aresp);\n"
"\t*resp = NULL;\n"
"\treturn (PAM_CONV_ERR);\n"
"}\n"
msgstr ""

#. (itstool) path: info/title
#. (itstool) id: article.translate.xml#pam-further.title
#: article.translate.xml:1739
msgid "Further Reading"
msgstr ""

#. (itstool) path: abstract/para
#: article.translate.xml:1742
msgid ""
"This is a list of documents relevant to PAM and related issues. It is by no "
"means complete."
msgstr ""

#. (itstool) path: bibliodiv/title
#: article.translate.xml:1748
msgid "Papers"
msgstr ""

#. (itstool) path: biblioentry/citetitle
#: article.translate.xml:1751
msgid "Making Login Services Independent of Authentication Technologies"
msgstr ""

#. (itstool) path: authorgroup/author
#: article.translate.xml:1754
msgid ""
"<personname> <surname>Samar</surname> <firstname>Vipin</firstname> </"
"personname>"
msgstr ""

#. (itstool) path: authorgroup/author
#: article.translate.xml:1760
msgid ""
"<personname> <surname>Lai</surname> <firstname>Charlie</firstname> </"
"personname>"
msgstr ""

#. (itstool) path: biblioentry/orgname
#: article.translate.xml:1767 article.translate.xml:1799
#: article.translate.xml:1832
msgid "Sun Microsystems"
msgstr ""

#. (itstool) path: biblioentry/citetitle
#: article.translate.xml:1771
msgid ""
"<link xlink:href=\"https://pubs.opengroup.org/onlinepubs/8329799/toc.htm\">X/"
"Open Single Sign-on Preliminary Specification</link>"
msgstr ""

#. (itstool) path: biblioentry/orgname
#: article.translate.xml:1774
msgid "The Open Group"
msgstr ""

#. (itstool) path: biblioentry/biblioid
#: article.translate.xml:1775
msgid "1-85912-144-6"
msgstr ""

#. (itstool) path: biblioentry/pubdate
#: article.translate.xml:1776
msgid "June 1997"
msgstr ""

#. (itstool) path: biblioentry/citetitle
#: article.translate.xml:1780
msgid ""
"<link xlink:href=\"https://mirrors.kernel.org/pub/linux/libs/pam/pre/doc/"
"draft-morgan-pam-07.txt\"> Pluggable Authentication Modules</link>"
msgstr ""

#. (itstool) path: biblioentry/author
#: article.translate.xml:1782 article.translate.xml:1821
msgid ""
"<personname> <surname>Morgan</surname> <firstname>Andrew</firstname> "
"<othername role=\"mi\">G.</othername> </personname>"
msgstr ""

#. (itstool) path: biblioentry/pubdate
#: article.translate.xml:1789
msgid "1999-10-06"
msgstr ""

#. (itstool) path: bibliodiv/title
#: article.translate.xml:1794
msgid "User Manuals"
msgstr ""

#. (itstool) path: biblioentry/citetitle
#: article.translate.xml:1797
msgid ""
"<link xlink:href=\"https://docs.oracle.com/cd/E26505_01/html/E27224/pam-1."
"html\"> PAM Administration</link>"
msgstr ""

#. (itstool) path: bibliodiv/title
#: article.translate.xml:1804
msgid "Related Web Pages"
msgstr ""

#. (itstool) path: biblioentry/citetitle
#: article.translate.xml:1807
msgid "<link xlink:href=\"https://www.openpam.org/\">OpenPAM homepage</link>"
msgstr ""

#. (itstool) path: biblioentry/author
#: article.translate.xml:1809
msgid ""
"<personname> <surname>Smørgrav</surname> <firstname>Dag-Erling</firstname> </"
"personname>"
msgstr ""

#. (itstool) path: biblioentry/orgname
#: article.translate.xml:1815
msgid "ThinkSec AS"
msgstr ""

#. (itstool) path: biblioentry/citetitle
#: article.translate.xml:1819
msgid ""
"<link xlink:href=\"http://www.kernel.org/pub/linux/libs/pam/\">Linux-PAM "
"homepage</link>"
msgstr ""

#. (itstool) path: biblioentry/citetitle
#: article.translate.xml:1831
msgid "Solaris PAM homepage"
msgstr ""
