From 30d6e72e175e1733b16860906550a24aca92440f Mon Sep 17 00:00:00 2001 From: Sergey Poznyakoff Date: Fri, 30 Jan 2015 14:45:25 +0200 Subject: Document user-keys-boundary --- NEWS | 18 +++++++++++++++++- doc/pam-modules.texi | 19 +++++++++++++++++++ doc/pam_ldaphome.8in | 15 ++++++++++++++- 3 files changed, 50 insertions(+), 2 deletions(-) diff --git a/NEWS b/NEWS index 5cb954e..79dbb71 100644 --- a/NEWS +++ b/NEWS @@ -1,4 +1,4 @@ -pam-modules -- history of user-visible changes. 2015-01-28 +pam-modules -- history of user-visible changes. 2015-01-30 Copyright (C) 2001, 2004-2005, 2007-2012, 2015 Sergey Poznyakoff See the end of file for copying conditions. @@ -16,6 +16,22 @@ This is in addition to its regular configuration file. To run the command with root privileges, the configuration variable initrc-root must be set to true. +* New pam_ldaphome variable: user-keys-boundary + +User key files can contain both keys managed by pam_ldaphome and +added by the user. These two groups of keys must be separated by +a special comment line, which informs pam_ldaphome that all keys +below it must be retained. + +This feature is enabled by the user-keys-boundary configuration +setting. Its value defines a string which, when used after a +'#' character, forms the delimiting comment. E.g. if the +configuration file contains: + + user-keys-boundary :user + +then the line '#:user' can be used to delimit ldap-synchronized +and user-specific keys. Version 1.9, 2014-05-21 diff --git a/doc/pam-modules.texi b/doc/pam-modules.texi index be28285..a37a8ae 100644 --- a/doc/pam-modules.texi +++ b/doc/pam-modules.texi 
@@ -1338,6 +1338,25 @@ later with @command{ldappubkey} as @samp{AuthorizedKeysCommand}. Sets the mode (octal) for the created authorized keys file. @end deffn +@deffn {pam_ldaphome config} user-keys-boundary @var{string} +User key files can contain both keys managed by @command{pam_ldaphome} +and added by the user. These two groups of keys must be separated by +a special comment line, which informs the module that all keys +below it must be retained. + +This feature is enabled by the @code{user-keys-boundary} setting. +The delimiting comment is formed as @samp{#@var{string}}. E.g. if the +configuration file contains: + +@example +user-keys-boundary :user-defined +@end example + +@noindent +then the line @samp{#:user-defined} can be used to delimit +ldap-synchronized and user-specific keys. +@end deffn + @subheading Access control @deffn {pam_ldaphome config} allow-groups @var{group} [@var{group}...] Only handle members of the listed groups. diff --git a/doc/pam_ldaphome.8in b/doc/pam_ldaphome.8in index f85eb75..01b0a1c 100644 --- a/doc/pam_ldaphome.8in +++ b/doc/pam_ldaphome.8in @@ -14,7 +14,7 @@ .\" You should have received a copy of the GNU General Public License .\" along with PAM-Modules. If not, see . .so config.so -.TH PAM_LDAPHOME 8 "January 28, 2015" "PAM-MODULES" "Pam-Modules User Reference" +.TH PAM_LDAPHOME 8 "January 30, 2015" "PAM-MODULES" "Pam-Modules User Reference" .SH NAME pam_ldaphome \- create and populate user home directories .SH SYNOPSIS 
@@ -149,6 +149,19 @@ later with \fBldappubkey\fR as \fBAuthorizedKeysCommand\fR. .TP .BI keyfile\-mode " MODE" Defines the file mode (octal) for creation of authorized keys files. +.TP +.BI user\-keys\-boundary " STRING" +User key files can contain both keys managed by \fBpam_ldaphome\fR and +added by the user. These two groups of keys must be separated by +a special comment line, which informs the module that all keys +below it must be retained. + +This feature is enabled by the \fBuser\-keys\-boundary\fR setting. +The delimiting comment is formed by \fB#\fR character immediately +followed by \fISTRING\fR. E.g. if the configuration file contains +.BR "user\-keys\-boundary :user-defined" , +then the line \fB#:user-defined\fR can be used to delimit ldap-synchronized +and user-specific keys. .SS Access control .TP \fBallow\-groups\fR \fIGROUP\fR [\fIGROUP\fR...] -- cgit v1.2.1
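Review bot: In the NEWS hunk the example value is `:user` (producing the delimiter `#:user`), while the texinfo and man page hunks in the same commit use `:user-defined` (producing `#:user-defined`); pick one value and use it in all three places so readers copying the example get the same delimiter regardless of which document they read. The NEWS text also says the boundary comment "informs pam_ldaphome that all keys below it must be retained" but does not say what happens to keys below the line when `user-keys-boundary` is not set, or to user-added keys placed above it; since this decides whether a user's own keys survive a sync, a sentence stating the default (unset) behaviour would be worth adding next to the example.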
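Review bot: The new `@deffn {pam_ldaphome config} user-keys-boundary @var{string}` entry in `doc/pam-modules.texi` documents how the delimiter is formed (`@samp{#@var{string}}`) but not how the module treats a key file that contains no such line, nor whether only the first occurrence of the delimiter counts; the preceding `keyfile-mode` entry describes its effect fully, so this entry should do the same. Minor: "ldap-synchronized" in the closing sentence could read "LDAP-synchronized" for consistency with the rest of the manual's use of the acronym.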
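Review bot: In the `doc/pam_ldaphome.8in` hunk, "The delimiting comment is formed by \fB#\fR character immediately followed by \fISTRING\fR" is missing an article and should read "formed by the \fB#\fR character immediately followed by \fISTRING\fR". The example is set as `.BR "user\-keys\-boundary :user-defined" ,` which renders the whole setting in bold followed by a roman comma, matching the texinfo example, so the wording is consistent there; the same gap as in the other two hunks applies, though: the man page should state what the module does with keys below the boundary when the setting is absent.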