aboutsummaryrefslogtreecommitdiff
path: root/doc/pam_pgsql.8in
diff options
context:
space:
mode:
Diffstat (limited to 'doc/pam_pgsql.8in')
-rw-r--r--doc/pam_pgsql.8in365
1 files changed, 365 insertions, 0 deletions
diff --git a/doc/pam_pgsql.8in b/doc/pam_pgsql.8in
new file mode 100644
index 0000000..6aa39bf
--- /dev/null
+++ b/doc/pam_pgsql.8in
@@ -0,0 +1,365 @@
+.\" This file is part of PAM-Modules -*- nroff -*-
+.\" Copyright (C) 2001-2014 Sergey Poznyakoff
+.\"
+.\" PAM-Modules is free software; you can redistribute it and/or modify
+.\" it under the terms of the GNU General Public License as published by
+.\" the Free Software Foundation; either version 3, or (at your option)
+.\" any later version.
+.\"
+.\" PAM-Modules is distributed in the hope that it will be useful,
+.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
+.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+.\" GNU General Public License for more details.
+.\"
+.\" You should have received a copy of the GNU General Public License
+.\" along with PAM-Modules. If not, see
+.\" <http://www.gnu.org/licenses/>.
+.so config.so
+.TH PAM_PGSQL 8 "April 2, 2014" "PAM-MODULES" "Pam-Modules User Reference"
+.SH NAME
+pam_pgsql \- authenticate using a PostgreSQL database
+.SH SYNOPSIS
+.nh
+.na
+\fBpam_pgsql\fR [\fBconfig=\fIFILE\fR]\
+ [\fBuse_authtok\fR]\
+ [\fBdebug\fR[\fB=\fINUMBER\fR]]\
+ [\fBwaitdebug\fR]\
+ [\fBaudit\fR]
+.ad
+.hy
+.SH DESCRIPTION
+Provides authentication and account management services via a PostgreSQL
+database.
+.PP
+When used in the \fBauth\fR stack, the module first connects to the
+database using credentials supplied in the configuration file (see
+below). Then, it retrieves the value of the \fBpasswd\-query\fR
+configuration parameter and performs \fBPAM\fR item expansion over
+it. The resulting query is sent to the \fBSQL\fR server. If this
+query produces a non-empty result, the first column from the first
+tuple is used as encrypted user password and is compared with the
+supplied authentication token. If it matches, the user is
+authenticated successfully. The comparison includes the following
+checks, performed in that order until one of them returns match or the
+list is exhausted:
+.nr step 1 1
+.IP \n[step].
+Compare the retrieved password with the result of the system
+.BR crypt (3)
+function called with the authentication token and retrieved password
+as its arguments
+.IP \n+[step].
+Compare password with the MD5 sum of the authentication token.
+.IP \n+[step].
+Assume the password is encrypted using the
+.BR LDAP -style
+encoding and compare it accordingly.
+.IP \n+[step].
+Compare both strings literally. This check is performed only if
+the
+.B allow\-plaintext\-pass
+configuration parameter is set.
+.PP
+Any of these checks can be disabled using the corresponding
+configuration setting.
+.SH CONFIGURATION
+The configuration information is supplied in a file
+.BR \*(ET/pam_sql.conf .
+An alternative location can be given via the \fBconfig\fR command line
+option. The file is a usual UNIX-style configuration file with
+comments introduced by the \fB#\fR character. Long statements can be
+split across several physical lines of text by ending each line but
+the last with a backslash character.
+.PP
+The following statements are defined.
+.SS Database connection configuration
+.TP
+.BI host " NAME"
+Sets hostname or IP address of the PostgreSQL server.
+
+If the database is listening on the local socket, the \fINAME\fR
+is the pathname of the local socket.
+.TP
+.BI port " NUMBER"
+Sets the PostgreSQL port number. The default value is 5432.
+.TP
+.BI db " NAME"
+Sets the database name.
+.TP
+.BI login " NAME"
+Sets the database user name. The user must have \fBSELECT\fR
+privileges on tables in the database.
+.TP
+.BI pass " TEXT"
+Sets password for database access.
+.SS Queries
+These statements define \fBSQL\fR queries used by the module. The
+argument of each statement is subject to
+.BR "PAM item expansion" ,
+which is described in detail in the following section.
+.TP
+.BI passwd\-query " QUERY"
+Defines \fBSQL\fR query to be used to obtain the user's password from the
+database.
+.TP
+.BI session\-start\-query " QUERY"
+Defines \fBSQL\fR query to be executed on session start.
+.TP
+.BI session\-stop\-query " QUERY"
+Defines \fBSQL\fR query to be executed on session termination.
+.TP
+.BI setenv\-query " QUERY"
+This query is available when the package is compiled with
+.B Linux PAM
+implementation. The data it selects from the database are then
+stored in the \fBPAM\fR environment. Only the first tuple returned
+is used; the column names are treated as environment variable names,
+and column values as their values.
+.SS Password encryption
+The variables in this subsections control how the module treats
+passwords returned by the
+.BR passwd\-query .
+Their argument is a boolean value: \fByes\fR, \fBtrue\fR or \fBt\fR,
+for true value and \fBno\fR, \fBfalse\fR or \fBf\fR, for false value.
+.TP
+.BI allow\-plaintext\-pass " BOOL"
+Controls whether the
+.B passwd\-query
+may return a plaintext password.
+.TP
+.BI allow\-ldap\-pass " BOOL"
+The returned password may be a
+.BR LDAP -style
+password hash, i.e. the hash value encoded as base-64 and prefixed
+with a hashing algorithm name in curly braces. This variable is
+\fBtrue\fR by default.
+.TP
+.BI allow\-md5-pass " BOOL"
+The returned password may be encrypted using \fBPostgreSQL md5\fR
+function.
+.SH PAM ITEM EXPANSION
+The query strings described in the previous section are subject to
+item expansion prior to being sent to the \fBPostgreSQL\fR server. This
+feature is similar to the shell variable expansion. During item
+expansion, any occurrence of \fB$\fINAME\fR is replaced with the
+actual value of the \fBPAM\fR item \fINAME\fR. If the item in
+question is not defined, an empty string is substituted instead. A
+limited support for the shell-style default values is available:
+namely, the notation \fB${\fIITEM\fB:-\fIVALUE\fB}\fR expands to the
+value of \fBITEM\fR if it is set, and to \fIVALUE\fR otherwise.
+Notice, that \fIVALUE\fR must be a literal value (string or numeric).
+.PP
+The following table lists valid \fBPAM\fR item names:
+.TP
+.B service
+.BR PAM_SERVICE .
+The service name (identifies the \fBPAM\fR stack that will be used).
+.TP
+.B user
+.BR PAM_USER .
+The username of the entity under whose identity service will be given.
+.TP
+.B tty
+.BR PAM_TTY .
+The terminal name: prefixed by \fB/dev/\fR if it is a device file; for
+graphical, X-based, applications the value for this item is usually
+the \fB$DISPLAY\fR environment variable.
+.TP
+.B rhost
+.BR PAM_RHOST .
+The requesting hostname (the hostname of the machine
+from which the \fBPAM_RUSER\fR entity is requesting service). That is
+\fBPAM_RUSER@PAM_RHOST\fR identifies the requesting user. In some
+applications, \fBPAM_RHOST\fR may be \fBNULL\fR.
+.TP
+.B ruser
+.BR PAM_RUSER .
+The requesting entity: user's name for a locally requesting user or a
+remote requesting user. In some cases, \fBPAM_RUSER\fR may be \fBNULL\fR.
+.TP
+.B prompt
+.BR PAM_USER_PROMPT .
+The string used when prompting for a user's name. The default value
+for this string is:
+.sp
+.nh
+.na
+.B Please enter username:
+.ad
+.hy
+.TP
+.B password
+.BR PAM_AUTHTOK .
+The authentication token (often a password).
+.SH OPTIONS
+.TP
+.BI config= FILE
+Read configuration from \fIFILE\fR instead of
+.BR \*(ET/pam_sql.conf .
+.TP
+\fBuse_authtok\fR
+Do not prompt the user for password, take it from the saved
+authentication tokens.
+.TP
+\fBdebug\fR\fB=\fINUMBER\fR]
+Set debugging level (0 <= \fINUMBER\fR <= 100).
+.TP
+\fBwaitdebug\fR
+Wait for \fIN\fR seconds before starting up. This option is intended
+to facilitate attaching to the module with
+.BR gdb (1).
+It is available only if the package was configured with
+the \fB\-\-enable\-debug\fR option.
+.TP
+\fBaudit\fR
+Log auditing information.
+.SH MODULE TYPES PROVIDED
+.BR auth ,
+.BR session .
+.SH RETURN VALUES
+.TP
+.B PAM_SUCCESS
+Successful termination
+.TP
+.B PAM_AUTH_ERR
+Authentication failed.
+.TP
+.B PAM_USER_UNKNOWN
+Supplied username not found.
+.TP
+.B PAM_AUTHTOK_RECOVER_ERR
+Failed to obtain stored authentication token. This code can be
+returned if \fBuse_authtok\fR was used.
+.TP
+.B PAM_SERVICE_ERR
+Some configuration or internal module error: required configuration
+parameter is missing, etc.
+.SH EXAMPLES
+.SS Simple authentication
+This example assumes the authentication table of the following
+structure:
+.PP
+.EX
+CREATE TABLE auth (
+ user char(32),
+ passwd char(128),
+ PRIMARY KEY (user_name)
+);
+.PP
+The configuration file will look like:
+.PP
+.EX
+# Authentication data
+host localhost
+db userdb
+login test
+pass guessme
+# Retrieve password from the database.
+passwd-query SELECT passwd\\
+ FROM auth\
+ WHERE user='${user}'
+.EE
+.SS Accounting
+This example assumes the accounting table of the following structure:
+.PP
+.EX
+CREATE TABLE acct (
+ type int, -- 0 for active session, 1 for a terminated one
+ user char(32), -- user name
+ host char(256), -- remote host name
+ tty char(16), -- tty name
+ service char(32),-- PAM service name
+ ts datetime, -- timestamp
+ duration int, -- duration of the session if type==1
+ primary key (user,host,service,tty)
+);
+.EE
+.PP
+The correspondig configuration statements (without the database
+credentials part) are:
+.EX
+session-start-query INSERT INTO acct\\
+ (type, user, service, tty, host, ts)\\
+ VALUES(0, $user, $service, $tty, $rhost, now())
+session-stop-query UPDATE acct\\
+ SET type=1, duration=now()-ts\\
+ WHERE user='$user'\\
+ AND host='$host'\\
+ AND service='$service'\\
+ AND tty='$tty'
+.EE
+.SS Setting the Environment
+This example assumes the following table structure:
+.PP
+.EX
+CREATE TABLE userprop (
+ user varchar(32),
+ dir varchar(128),
+ uid int,
+ gid int
+);
+.EE
+.PP
+The following
+.B setenv\-query
+statement will set the \fBPAM\fR environment variables
+.BR home ,
+.BR uid ", and"
+.BR gid :
+.PP
+.EX
+setenv-query SELECT dir as home, uid, gid\\
+ FROM userprop\\
+ WHERE username='$user'
+.EE
+.SH NOTE
+This manpage is a short description of \fBpam_pgsql\fR. For a detailed
+discussion, including examples and usage recommendations, refer to the
+\fBPAM-modules Manual\fR available in texinfo format. If the \fBinfo\fR
+reader and the tar documentation are properly installed on your
+system, the command
+.PP
+.RS +4
+.B info pam-modules
+.RE
+.PP
+should give you access to the complete manual.
+.PP
+You can also view the manual using the info mode in
+.BR emacs (1),
+or find it in various formats online at
+.PP
+.RS +4
+.B http://www.gnu.org.ua/software/pam-modules/manual
+.RE
+.PP
+If any discrepancies occur between this manpage and the
+\fBPAM-modules Manual\fR, the later shall be considered the authoritative
+source.
+.SH "SEE ALSO"
+.BR pam_mysql (8),
+.BR pam.conf (5),
+.BR pam.d (5),
+.BR pam (8).
+.SH AUTHORS
+Sergey Poznyakoff <gray@gnu.org>
+.SH "BUG REPORTS"
+Report bugs to <bug\-pam\-modules@gnu.org.ua>.
+.SH COPYRIGHT
+Copyright \(co 2001-2014 Sergey Poznyakoff
+.br
+.na
+License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
+.br
+.ad
+This is free software: you are free to change and redistribute it.
+There is NO WARRANTY, to the extent permitted by law.
+.\" Local variables:
+.\" eval: (add-hook 'write-file-hooks 'time-stamp)
+.\" time-stamp-start: ".TH [A-Z_][A-Z0-9_.\\-]* [0-9] \""
+.\" time-stamp-format: "%:B %:d, %:y"
+.\" time-stamp-end: "\""
+.\" time-stamp-line-limit: 20
+.\" end:
+

Return to:

Send suggestions and report system problems to the System administrator.

Generated by cgit.