author | Sergey Poznyakoff <gray@gnu.org.ua> | 2015-01-30 14:45:25 +0200
committer | Sergey Poznyakoff <gray@gnu.org.ua> | 2015-01-30 14:45:25 +0200
commit | 30d6e72e175e1733b16860906550a24aca92440f (patch)
tree | 6e5dbb23fe8adf8d67cc9cd8036fc15248d74c7f
parent | 946c85c169be274811cc60297be0172645835c34 (diff)
download | pam-modules-30d6e72e175e1733b16860906550a24aca92440f.tar.gz pam-modules-30d6e72e175e1733b16860906550a24aca92440f.tar.bz2
Document user-keys-boundary
-rw-r--r-- | NEWS | 18
-rw-r--r-- | doc/pam-modules.texi | 19
-rw-r--r-- | doc/pam_ldaphome.8in | 15
3 files changed, 50 insertions, 2 deletions
@@ -1,7 +1,7 @@ -pam-modules -- history of user-visible changes. 2015-01-28 +pam-modules -- history of user-visible changes. 2015-01-30 Copyright (C) 2001, 2004-2005, 2007-2012, 2015 Sergey Poznyakoff See the end of file for copying conditions. Please send pam-modules bug reports to <bug-pam-modules@gnu.org.ua> @@ -13,12 +13,28 @@ This is in addition to its regular configuration file. * pam_ldaphome runs inirc-command with user privileges To run the command with root privileges, the configuration variable initrc-root must be set to true. +* New pam_ldaphome variable: user-keys-boundary + +User key files can contain both keys managed by pam_ldaphome and +added by the user. These two groups of keys must be separated by +a special comment line, which informs pam_ldaphome that all keys +below it must be retained. + +This feature is enabled by the user-keys-boundary configuration +setting. Its value defines a string which, when used after a +'#' character, forms the delimiting comment. E.g. if the +configuration file contains: + + user-keys-boundary :user + +then the line '#:user' can be used to delimit ldap-synchronized +and user-specific keys. Version 1.9, 2014-05-21 * New module pam_groupmember Tests whether the user is a member of one or more groups. diff --git a/doc/pam-modules.texi b/doc/pam-modules.texi index be28285..a37a8ae 100644 --- a/doc/pam-modules.texi +++ b/doc/pam-modules.texi 
@@ -1335,12 +1335,31 @@ later with @command{ldappubkey} as @samp{AuthorizedKeysCommand}. @end deffn @deffn {pam_ldaphome config} keyfile-mode @var{mode} Sets the mode (octal) for the created authorized keys file. @end deffn +@deffn {pam_ldaphome config} user-keys-boundary @var{string} +User key files can contain both keys managed by @command{pam_ldaphome} +and added by the user. These two groups of keys must be separated by +a special comment line, which informs the module that all keys +below it must be retained. + +This feature is enabled by the @code{user-keys-boundary} setting. +The delimiting comment is formed as @samp{#@var{string}}. E.g. if the +configuration file contains: + +@example +user-keys-boundary :user-defined +@end example + +@noindent +then the line @samp{#:user-defined} can be used to delimit +ldap-synchronized and user-specific keys. +@end deffn + @subheading Access control @deffn {pam_ldaphome config} allow-groups @var{group} [@var{group}...] Only handle members of the listed groups. @end deffn @deffn {pam_ldaphome config} min-gid @var{n} diff --git a/doc/pam_ldaphome.8in b/doc/pam_ldaphome.8in index f85eb75..01b0a1c 100644 --- a/doc/pam_ldaphome.8in +++ b/doc/pam_ldaphome.8in @@ -11,13 +11,13 @@ .\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the .\" GNU General Public License for more details. .\" .\" You should have received a copy of the GNU General Public License .\" along with PAM-Modules. If not, see <http://www.gnu.org/licenses/>. .so config.so -.TH PAM_LDAPHOME 8 "January 28, 2015" "PAM-MODULES" "Pam-Modules User Reference" +.TH PAM_LDAPHOME 8 "January 30, 2015" "PAM-MODULES" "Pam-Modules User Reference" .SH NAME pam_ldaphome \- create and populate user home directories .SH SYNOPSIS .nh .na \fBpam_ldaphome\fR\ 
@@ -146,12 +146,25 @@ Unless you change the latter, there's no need to edit it. When set to \fBno\fR, disables importing public keys from LDAP. You may wish to use this option if you are using \fBopenssh\fR 6.2p1 or later with \fBldappubkey\fR as \fBAuthorizedKeysCommand\fR. .TP .BI keyfile\-mode " MODE" Defines the file mode (octal) for creation of authorized keys files. +.TP +.BI user\-keys\-boundary " STRING" +User key files can contain both keys managed by \fBpam_ldaphome\fR and +added by the user. These two groups of keys must be separated by +a special comment line, which informs the module that all keys +below it must be retained. + +This feature is enabled by the \fBuser\-keys\-boundary\fR setting. +The delimiting comment is formed by \fB#\fR character immediately +followed by \fISTRING\fR. E.g. if the configuration file contains +.BR "user\-keys\-boundary :user-defined" , +then the line \fB#:user-defined\fR can be used to delimit ldap-synchronized +and user-specific keys. .SS Access control .TP \fBallow\-groups\fR \fIGROUP\fR [\fIGROUP\fR...] Only handle members of the listed groups. .TP .BI min\-gid " N" |
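Review bot: the new NEWS entry ("New pam_ldaphome variable: user-keys-boundary") leaves the failure mode undocumented: it says the two groups "must be separated by a special comment line" but not what pam_ldaphome does when a key file contains no such line (are keys the user appended without the marker discarded on the next LDAP sync?), nor whether the marker must match the whole line or only a prefix of it. Since administrators will rely on this line to keep user-added keys from being overwritten, state both explicitly. The example string also differs between files (NEWS shows `user-keys-boundary :user` and `#:user`, while the texi and man page show `:user-defined`); use one example everywhere. While touching this section, the context line `* pam_ldaphome runs inirc-command with user privileges` in the preceding entry misspells `initrc-command`.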
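Review bot: in the doc/pam-modules.texi hunk, the sentence "This feature is enabled by the @code{user-keys-boundary} setting." sits inside the @deffn for that very setting and adds nothing; replace it with the useful fact it implies, that the feature is off unless the variable is set, e.g. "The feature is disabled unless this variable is set." Also consider stating that the delimiting comment must appear on a line by itself so the reader knows `@samp{#@var{string}}` is the entire line, not a suffix.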
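Review bot: in the doc/pam_ldaphome.8in hunk the literal values `:user-defined` and `#:user-defined` use plain `-` while every other option name in the file uses `\-`; groff may render the plain hyphen as a typographic hyphen, so a value copied from the rendered page would not match the configuration. Write them as `:user\-defined` and `#:user\-defined`. The line `.BR "user\-keys\-boundary :user-defined" ,` also sets the option name and its value in bold as one unit, unlike the `.BI user\-keys\-boundary " STRING"` header just above; `\fBuser\-keys\-boundary\fR \fI:user\-defined\fR,` keeps the name/value distinction consistent with the rest of the page.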