author: Sergey Poznyakoff <gray@gnu.org.ua> 2015-01-30 14:45:25 +0200
committer: Sergey Poznyakoff <gray@gnu.org.ua> 2015-01-30 14:45:25 +0200
commit: 30d6e72e175e1733b16860906550a24aca92440f (patch)
tree: 6e5dbb23fe8adf8d67cc9cd8036fc15248d74c7f
parent: 946c85c169be274811cc60297be0172645835c34 (diff)
download: pam-modules-30d6e72e175e1733b16860906550a24aca92440f.tar.gz
          pam-modules-30d6e72e175e1733b16860906550a24aca92440f.tar.bz2
Document user-keys-boundary
-rw-r--r--  NEWS                 | 18
-rw-r--r--  doc/pam-modules.texi | 19
-rw-r--r--  doc/pam_ldaphome.8in | 15
3 files changed, 50 insertions, 2 deletions
diff --git a/NEWS b/NEWS
index 5cb954e..79dbb71 100644
--- a/NEWS
+++ b/NEWS
@@ -1,7 +1,7 @@
-pam-modules -- history of user-visible changes. 2015-01-28
+pam-modules -- history of user-visible changes. 2015-01-30
Copyright (C) 2001, 2004-2005, 2007-2012, 2015 Sergey Poznyakoff
See the end of file for copying conditions.
Please send pam-modules bug reports to <bug-pam-modules@gnu.org.ua>
@@ -13,12 +13,28 @@ This is in addition to its regular configuration file.
* pam_ldaphome runs inirc-command with user privileges
To run the command with root privileges, the configuration
variable initrc-root must be set to true.
+* New pam_ldaphome variable: user-keys-boundary
+
+User key files can contain both keys managed by pam_ldaphome and
+added by the user. These two groups of keys must be separated by
+a special comment line, which informs pam_ldaphome that all keys
+below it must be retained.
+
+This feature is enabled by the user-keys-boundary configuration
+setting. Its value defines a string which, when used after a
+'#' character, forms the delimiting comment. E.g. if the
+configuration file contains:
+
+ user-keys-boundary :user
+
+then the line '#:user' can be used to delimit ldap-synchronized
+and user-specific keys.
Version 1.9, 2014-05-21
* New module pam_groupmember
Tests whether the user is a member of one or more groups.
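Review bot: the new entry says the two groups of keys "must be separated by a special comment line" but never says what the module does when that line is absent, which is the state of every existing authorized_keys file on the day this ships. Are keys found below a missing marker discarded on the next LDAP sync, or is the file left untouched? Since the whole point of the feature is to stop user-added keys from being silently dropped, the entry should state the behaviour for (a) user-keys-boundary not set at all and (b) set, but no matching comment in the file, and say whether the match is for the exact line '#:user' or for any line beginning with it.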
diff --git a/doc/pam-modules.texi b/doc/pam-modules.texi
index be28285..a37a8ae 100644
--- a/doc/pam-modules.texi
+++ b/doc/pam-modules.texi
@@ -1335,12 +1335,31 @@ later with @command{ldappubkey} as @samp{AuthorizedKeysCommand}.
@end deffn
@deffn {pam_ldaphome config} keyfile-mode @var{mode}
Sets the mode (octal) for the created authorized keys file.
@end deffn
+@deffn {pam_ldaphome config} user-keys-boundary @var{string}
+User key files can contain both keys managed by @command{pam_ldaphome}
+and added by the user. These two groups of keys must be separated by
+a special comment line, which informs the module that all keys
+below it must be retained.
+
+This feature is enabled by the @code{user-keys-boundary} setting.
+The delimiting comment is formed as @samp{#@var{string}}. E.g. if the
+configuration file contains:
+
+@example
+user-keys-boundary :user-defined
+@end example
+
+@noindent
+then the line @samp{#:user-defined} can be used to delimit
+ldap-synchronized and user-specific keys.
+@end deffn
+
@subheading Access control
@deffn {pam_ldaphome config} allow-groups @var{group} [@var{group}...]
Only handle members of the listed groups.
@end deffn
@deffn {pam_ldaphome config} min-gid @var{n}
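Review bot: the example boundary value differs between the three documents touched by this commit (':user' in NEWS, ':user-defined' here and in the man page); use the same string everywhere so a reader cross-referencing them does not conclude that the value is fixed or that the trailing text is significant. Next to "The delimiting comment is formed as @samp{#@var{string}}" it would also help to say whether whitespace between @samp{#} and the string is tolerated and whether the comparison is against the whole line: key files are edited by hand, and a stray space would make the marker go unrecognized, with the keys below it then treated as module-managed.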
diff --git a/doc/pam_ldaphome.8in b/doc/pam_ldaphome.8in
index f85eb75..01b0a1c 100644
--- a/doc/pam_ldaphome.8in
+++ b/doc/pam_ldaphome.8in
@@ -11,13 +11,13 @@
.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
.\" GNU General Public License for more details.
.\"
.\" You should have received a copy of the GNU General Public License
.\" along with PAM-Modules. If not, see <http://www.gnu.org/licenses/>.
.so config.so
-.TH PAM_LDAPHOME 8 "January 28, 2015" "PAM-MODULES" "Pam-Modules User Reference"
+.TH PAM_LDAPHOME 8 "January 30, 2015" "PAM-MODULES" "Pam-Modules User Reference"
.SH NAME
pam_ldaphome \- create and populate user home directories
.SH SYNOPSIS
.nh
.na
\fBpam_ldaphome\fR\
@@ -146,12 +146,25 @@ Unless you change the latter, there's no need to edit it.
When set to \fBno\fR, disables importing public keys from LDAP. You
may wish to use this option if you are using \fBopenssh\fR 6.2p1 or
later with \fBldappubkey\fR as \fBAuthorizedKeysCommand\fR.
.TP
.BI keyfile\-mode " MODE"
Defines the file mode (octal) for creation of authorized keys files.
+.TP
+.BI user\-keys\-boundary " STRING"
+User key files can contain both keys managed by \fBpam_ldaphome\fR and
+added by the user. These two groups of keys must be separated by
+a special comment line, which informs the module that all keys
+below it must be retained.
+
+This feature is enabled by the \fBuser\-keys\-boundary\fR setting.
+The delimiting comment is formed by \fB#\fR character immediately
+followed by \fISTRING\fR. E.g. if the configuration file contains
+.BR "user\-keys\-boundary :user-defined" ,
+then the line \fB#:user-defined\fR can be used to delimit ldap-synchronized
+and user-specific keys.
.SS Access control
.TP
\fBallow\-groups\fR \fIGROUP\fR [\fIGROUP\fR...]
Only handle members of the listed groups.
.TP
.BI min\-gid " N"
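Review bot: in `.BR "user\-keys\-boundary :user-defined" ,` and `\fB#:user-defined\fR` the hyphens inside `user-defined` are left unescaped while the option name itself uses `\-`. groff renders a bare `-` in man page text as a typographic hyphen, so someone copying the example out of the formatted page may not get the ASCII `-` that the module compares against; write `:user\-defined` in both places. The empty input line separating the two paragraphs of the `.TP` entry is also better expressed as `.IP` (or `.sp`), as blank lines in troff source are discouraged in man pages.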
