author    | Sergey Poznyakoff <gray@gnu.org> | 2014-05-21 23:01:50 +0300
committer | Sergey Poznyakoff <gray@gnu.org> | 2014-05-21 23:01:50 +0300
commit    | d953e91e234f4237289367699f6a277554a789c5
tree      | 078ccd17ebc317fd167a856d0c0c5c8be68dd7bb
parent    | 3e9c3f3c3b9edce9e3821f11be27350cae33b288
download  | pam-modules-d953e91e234f4237289367699f6a277554a789c5.tar.gz, pam-modules-d953e91e234f4237289367699f6a277554a789c5.tar.bz2
Version 1.9 (release_1_9)
* NEWS: Update version number.
* configure.ac: Likewise.
* doc/pam_ldaphome.8in: Reorder configuration statements.
* pamck/pamck.c: Update copyright years.
-rw-r--r-- | NEWS                 |   4
-rw-r--r-- | configure.ac         |   2
-rw-r--r-- | doc/pam_ldaphome.8in | 116
-rw-r--r-- | pamck/pamck.c        |   2
4 files changed, 67 insertions, 57 deletions
@@ -2,13 +2,13 @@ pam-modules -- history of user-visible changes. 2014-05-21 Copyright (C) 2001, 2004-2005, 2007-2012, 2014 Sergey Poznyakoff See the end of file for copying conditions. Please send pam-modules bug reports to <bug-pam-modules@gnu.org.ua> -Version 1.8.93, (Git) +Version 1.9, 2014-05-21 * New module pam_groupmember Tests whether the user is a member of one or more groups. * pam_ldaphome can invoke an external program @@ -165,13 +165,13 @@ Version 0.1 Initial release. See README for short description. ^L ========================================================================= Copyright information: -Copyright (C) 2001, 2004-2005, 2007-2012 Sergey Poznyakoff +Copyright (C) 2001, 2004-2005, 2007-2014 Sergey Poznyakoff Permission is granted to anyone to make or distribute verbatim copies of this document as received, in any medium, provided that the copyright notice and this permission notice are preserved, thus giving the recipient permission to redistribute in turn. diff --git a/configure.ac b/configure.ac index 413dc80..c45e5fd 100644 --- a/configure.ac +++ b/configure.ac @@ -13,13 +13,13 @@ # # You should have received a copy of the GNU General Public License along # with this program. If not, see <http://www.gnu.org/licenses/>. AC_PREREQ(2.63) -AC_INIT(pam-modules, 1.8.93, bug-pam-modules@gnu.org.ua) +AC_INIT(pam-modules, 1.9, bug-pam-modules@gnu.org.ua) AC_CONFIG_SRCDIR(pam_fshadow/pam_fshadow.c) AC_CONFIG_AUX_DIR([build-aux]) AC_CONFIG_MACRO_DIR([m4]) AM_INIT_AUTOMAKE([1.11 no-exeext tar-ustar dist-xz silent-rules]) AM_CONFIG_HEADER(config.h) diff --git a/doc/pam_ldaphome.8in b/doc/pam_ldaphome.8in index 5150849..f40ee66 100644 --- a/doc/pam_ldaphome.8in +++ b/doc/pam_ldaphome.8in 
@@ -11,13 +11,13 @@ .\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the .\" GNU General Public License for more details. .\" .\" You should have received a copy of the GNU General Public License .\" along with PAM-Modules. If not, see <http://www.gnu.org/licenses/>. .so config.so -.TH PAM_LDAPHOME 8 "May 19, 2014" "PAM-MODULES" "Pam-Modules User Reference" +.TH PAM_LDAPHOME 8 "May 21, 2014" "PAM-MODULES" "Pam-Modules User Reference" .SH NAME pam_ldaphome \- create and populate user home directories .SH SYNOPSIS .nh .na \fBpam_ldaphome\fR\ @@ -43,33 +43,13 @@ The configuration is kept in the file The file is a usual UNIX-style configuration file with comments introduced by the \fB#\fR character. Long statements can be split across several physical lines of text by ending each line but the last with a backslash character. .PP Available configuration directives are: -.TP -.BI allow\-home\-dir " PATH" -Lists directories in which it is allowed to create home directories. -\fIPATH\fR is a list of directories separated by colons. The user's -home directory will be created only if the directory part of its name -is listed in \fIPATH\fR. -.TP -.BI skel " DIR" -Supplies the name of a \fIskeleton directory\fR. The contents of this -directory is copied to each newly created user home directory. The -file modes and permissions are retained. -.TP -.BI uri " ARG" -Sets the URI of the LDAP server to consult for the user profile. -.TP -.BI ldap\-version " NUM" -Sets the LDAP version to use. Valid arguments are -.B 2 -and -.B 3 -(the default). +.SS LDAP Settings .TP .BI base " SEARCHBASE" Use \fISEARCHBASE\fR as starting point for searches. .TP .BI binddn " DN" Use the Distinguished Name \fIDB\fR to bind to the LDAP directory. 
@@ -78,79 +58,105 @@ Use the Distinguished Name \fIDB\fR to bind to the LDAP directory. Used together with \fBbinddn\fR, this statement supplies the password for simple authentication. .TP .BI bindpwfile " FILE" Read password for simple authentication from \fIFILE\fR. .TP +.BI filter " EXPR" +Defines a LDAP filter expression which returns the user profile. The +\fIEXPR\fR should conform to the string representation for search +filters as defined in RFC 4515. +.TP +.BI ldap\-version " NUM" +Sets the LDAP version to use. Valid arguments are +.B 2 +and +.B 3 +(the default). +.TP +.BI pubkey\-attr " TEXT" +Defines the name of the attribute that keeps user's public SSH key. +.TP .BI tls " VAL" Controls whether TLS is desired or required. If \fIVAL\fR is \fBno\fR (the default), TLS will not be used. If it is \fByes\fR, the module will issue the \fIStartTLS\fR command, but will continue anyway if it fails. Finally, if \fIVAL\fR is the word \fBonly\fR, the use of TLS becomes mandatory, and the module will not establish LDAP connection unless \fIStartTLS\fR succeeds. .TP -.BI min\-uid " N" -Sets the minimal UID. For users with UIDs less than \fIN\fR, -\fBpam_ldaphome\fR will return \fBPAM_SUCCESS\fR immediately. This -allows you to have a set of basic users whose credentials are kept in -the system database and who will not be disturbed by -\fBpam_ldaphome\fR. See also \fBmin\-gid\fR and \fBallow\-groups\fR. -.TP -.BI min\-gid " N" -Sets the minimal GID. For users with GIDs less than \fIN\fR, -the module will return \fBPAM_SUCCESS\fR immediately. -.TP -\fBallow\-groups\fR \fIGROUP\fR [\fIGROUP\fR...] -Only handle members of the listed groups. -.TP -.BI filter " EXPR" -Defines a LDAP filter expression which returns the user profile. The -\fIEXPR\fR should conform to the string representation for search -filters as defined in RFC 4515. -.TP -.BI import\-public\-keys " BOOL" -When set to \fBno\fR, disables importing public keys from LDAP. 
You -may wish to use this option if you are using \fBopenssh\fR 6.1 or -later with \fBldappubkey\fR as \fBAuthorizedKeysCommand\fR. +.BI uri " ARG" +Sets the URI of the LDAP server to consult for the user profile. +.SS Home directory creation .TP -.BI pubkey\-attr " TEXT" -Defines the name of the attribute that keeps user's public SSH key. +.BI allow\-home\-dir " PATH" +Lists directories in which it is allowed to create home directories. +\fIPATH\fR is a list of directories separated by colons. The user's +home directory will be created only if the directory part of its name +is listed in \fIPATH\fR. .TP .BI copy\-buf\-size " N" Sets the size of the buffer used to copy files from the skeleton directory to the newly created home. The default value is 16384 bytes. .TP .BI home\-dir\-mode " MODE" Defines the file mode (octal) for creation of the user directories. .TP -.BI keyfile\-mode " MODE" -Defines the file mode (octal) for creation of authorized keys files. +.BI skel " DIR" +Supplies the name of a \fIskeleton directory\fR. The contents of this +directory is copied to each newly created user home directory. The +file modes and permissions are retained. +.SS Authorized keys file control .TP .BI authorized_keys " NAME" Sets the pathname (relative to the home directory) for the authorized keys file. The default is \fB.ssh/authorized_keys\fR. For normal operation, this value must be the same as the value of \fBAuthorizedKeysFile\fR variable in .BR sshd_config (5). Unless you change the latter, there's no need to edit it. .TP +.BI import\-public\-keys " BOOL" +When set to \fBno\fR, disables importing public keys from LDAP. You +may wish to use this option if you are using \fBopenssh\fR 6.2p1 or +later with \fBldappubkey\fR as \fBAuthorizedKeysCommand\fR. +.TP +.BI keyfile\-mode " MODE" +Defines the file mode (octal) for creation of authorized keys files. +.SS Access control +.TP +\fBallow\-groups\fR \fIGROUP\fR [\fIGROUP\fR...] 
+Only handle members of the listed groups. +.TP +.BI min\-gid " N" +Sets the minimal GID. For users with GIDs less than \fIN\fR, +the module will return \fBPAM_SUCCESS\fR immediately. +.TP +.BI min\-uid " N" +Sets the minimal UID. For users with UIDs less than \fIN\fR, +\fBpam_ldaphome\fR will return \fBPAM_SUCCESS\fR immediately. This +allows you to have a set of basic users whose credentials are kept in +the system database and who will not be disturbed by +\fBpam_ldaphome\fR. See also \fBmin\-gid\fR and \fBallow\-groups\fR. +.SS Initialization script support +.TP +.BI exec\-timeout " SECONDS" +Sets maximum time the \fBinitrc\-command\fR is allowed to run. If +it runs longer than \fISECONDS\fR, it will be terminated with a +\fBSIGKILL\fR, and the module will return \fBPAM_SYSTEM_ERR\fR. +.TP .BI initrc\-command " COMMAND" Run \fICOMMAND\fR after populating the user home directory with files from the skeleton directory. The user login name is passed to \fICOMMAND\fR as its argument. Before invoking, the current working directory is changed to the user home, standard input is closed, and standard output is redirected to standard errror. The command should exit with code 0 on success. If it exits with a non-zero code, PAM_SYSTEM_ERR will be reported. .TP -.BI initrc-log " FILE" -Redirects standard output and error from the -\fBinitrc\-command\fR to \fIFILE\fR. -.TP \fBinitrc\-environ\fR \fIENV\fR ... Modifies the environment of \fBinitrc\-command\fR. This statement takes one or more arguments. Each argument can be one of: .RS +4 
@@ -182,12 +188,16 @@ Retain variable \fINAME\fR and prepend \fIVALUE\fR to its existing value. If no such variable is present in the environment, it is created. If \fIVALUE\fR ends with a punctuation character, this character is removed from it before assignment. .RE The \fIVALUE\fR part can be enclosed in single or double quotes, in which case the usual shell dequoting rules apply. +.TP +.BI initrc-log " FILE" +Redirects standard output and error from the +\fBinitrc\-command\fR to \fIFILE\fR. .SH OPTIONS .TP .BI config= FILE Read configuration from \fIFILE\fR instead of .nh .na diff --git a/pamck/pamck.c b/pamck/pamck.c index 983bcdb..e8f9461 100644 --- a/pamck/pamck.c +++ b/pamck/pamck.c @@ -36,13 +36,13 @@ help() void version() { printf("%s (%s) %s\n", program_name, PACKAGE, PACKAGE_VERSION); fputs ("\ -Copyright (C) 2009 Sergey Poznyakoff\n\ +Copyright (C) 2009-2012, 2014 Sergey Poznyakoff\n\ \n\ License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>.\n\ This is free software: you are free to change and redistribute it.\n\ There is NO WARRANTY, to the extent permitted by law.\n\ \n\ ", stdout); |
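Review bot: in the @@ -11,13 +11,13 @@ and @@ -43,33 +43,13 @@ region of doc/pam_ldaphome.8in, the retained context line `Use the Distinguished Name \fIDB\fR to bind to the LDAP directory.` names the argument \fIDB\fR although the header directly above it declares it as `.BI binddn " DN"`; since this block is being reshuffled into the new `.SS LDAP Settings` group anyway, correcting it to \fIDN\fR here would keep the directive and its description consistent.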
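Review bot: the @@ -78,79 +58,105 @@ hunk of doc/pam_ldaphome.8in goes beyond the "Reorder configuration statements" entry in the commit message: the exec\-timeout directive (`+.BI exec\-timeout " SECONDS"` through `+\fBSIGKILL\fR, and the module will return \fBPAM_SYSTEM_ERR\fR.`) appears only as added lines with no removed counterpart in the visible hunks, and the import\-public\-keys paragraph changes the cited OpenSSH version from 6.1 to 6.2p1. Both changes deserve their own line in the commit message (and the exec\-timeout text a NEWS entry if it is new in this release), because the documented kill-on-timeout behaviour is the guarantee that a hung initrc\-command is terminated rather than left running. While the block is being rewritten, the retained context line "standard output is redirected to standard errror" has a typo ("errror"), the added skel text "The contents of this directory is copied" should read "are copied", and "Defines a LDAP filter expression" should read "an LDAP".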
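Review bot: in the @@ -182,12 +188,16 @@ hunk of doc/pam_ldaphome.8in, the moved header `+.BI initrc-log " FILE"` uses a plain `-` while every neighbouring directive (`.BI exec\-timeout`, `.BI initrc\-command`, and `\fBinitrc\-command\fR` in this very paragraph) escapes the hyphen as `\-`; since the line is being relocated anyway, writing it as `.BI initrc\-log " FILE"` would make the man page render the name consistently.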