Convert to markdown. Signed-off-by: Richard Haines <richard_c_haines@xxxxxxxxxxxxxx> --- src/pam_login.md | 107 +++++++++++++++++++++++++---------------------- 1 file changed, 56 insertions(+), 51 deletions(-) diff --git a/src/pam_login.md b/src/pam_login.md index 08e1599..2b30bff 100644 --- a/src/pam_login.md +++ b/src/pam_login.md 
@@ -4,21 +4,18 @@ Applications used to provide login services (such as ***ssh**(1)*) in Fedora use the PAM (Pluggable Authentication Modules) infrastructure to provide the following services: -- **Account Management** - This manages services such as password expiry, -service entitlement (i.e. what services the login process is allowed to -access). - -- **Authentication Management** - Authenticate the user or subject and set -up the credentials. PAM can handle a variety of devices including -smart-cards and biometric devices. - -- **Password Management** - Manages password updates as needed by the -specific authentication mechanism being used and the password policy. - -- **Session Management** - Manages any services that must be invoked -before the login process completes and / or when the login process -terminates. For SELinux this is where hooks are used to manage the -domains the subject may enter. +- **Account Management** - This manages services such as password expiry, + service entitlement (i.e. what services the login process is allowed to + access). +- **Authentication Management** - Authenticate the user or subject and set + up the credentials. PAM can handle a variety of devices including + smart-cards and biometric devices. +- **Password Management** - Manages password updates as needed by the + specific authentication mechanism being used and the password policy. +- **Session Management** - Manages any services that must be invoked + before the login process completes and / or when the login process + terminates. For SELinux this is where hooks are used to manage the + domains the subject may enter. The ***pam**(8)* and ***pam.conf**(5)* *man* pages describe the services and configuration in detail and only a summary is provided here covering the 
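Review bot: the context line at the top of this hunk gives ***ssh**(1)* as the example of a login service, but the client is not what consults PAM; the server does, and the file itself later walks through */etc/pam.d/sshd* "for the OpenSSH service". Since the surrounding list is being rewritten anyway, consider changing the example to ***sshd**(8)* so the lead-in and the worked configuration file name the same program. The reflowed bullets themselves look fine; the two-space continuation indent matches the list style used for the SELinux entries further down the file.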
@@ -43,32 +40,40 @@ service type control module-path arguments **Where:** -<table> -<tbody> -<tr> -<td>service</td> -<td>The service name such as <em>gdm</em> and <em>login</em> reflecting the login application. If there is a <em>/etc/pam.d</em> directory, then this is the name of a configuration file name under this directory. Alternatively, a configuration file called <em>/etc/pam.conf</em> can be used. Fedora uses the <em>/etc/pam.d</em> configuration.</td> -</tr> -<tr> -<td>type</td> -<td>These are the management groups used by PAM with valid entries being: <em>account</em>, <em>auth</em>, <em>password</em> and <em>session</em> that correspond to the descriptions given above. Where there are multiple entries of the same '<em>type</em>', the order they appear could be significant.</td> -</tr> -<tr> -<td>control</td> -<td><p>This entry states how the module should behave when the requested task fails. There can be two formats: a single keyword such as <em>required</em>, <em>optional</em>, and <em>include</em>; or multiple space separated entries enclosed in square brackets consisting of :</p> -<p> [value1=action1 value2=action2 ..]</p> -<p>Both formats are shown in the example file below, however see the <em><strong>pam.conf</strong>(5)</em> man pages for the gory details. </p></td> -</tr> -<tr> -<td>module-path</td> -<td>Either the full path name of the module or its location relative to <em>/lib/security</em> (but does depend on the system architecture).</td> -</tr> -<tr> -<td>arguments</td> -<td>A space separated list of the arguments that are defined for the module.</td> -</tr> -</tbody> -</table> +*service* + +- The service name such as *gdm* and *login* reflecting the login application. + If there is a */etc/pam.d* directory, then this is the name of a + configuration file name under this directory. Alternatively, a + configuration file called */etc/pam.conf* can be used. Fedora uses the + */etc/pam.d* configuration. 
+ +*type* + +- These are the management groups used by PAM with valid entries being: + *account*, *auth*, *password* and *session* that correspond to the + descriptions given above. Where there are multiple entries of the same + '*type*', the order they appear could be significant. + +*control* + +- This entry states how the module should behave when the requested task + fails. There can be two formats: a single keyword such as *required*, + *optional*, and *include*; or multiple space separated entries enclosed in + square brackets consisting of (see the ***pam.conf**(5)* man pages): + +``` +[value1=action1 value2=action2 ..] +``` + +*module-path* + +- Either the full path name of the module or its location relative to + */lib/security* (but does depend on the system architecture). + +*arguments* + +- A space separated list of the arguments that are defined for the module. The */etc/pam.d/sshd* PAM configuration file for the OpenSSH service is as follows: 
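Review bot: the *control* entry loses a sentence in the conversion. The removed table cell read "Both formats are shown in the example file below, however see the pam.conf(5) man pages for the gory details", and the replacement folds only the man-page pointer into "enclosed in square brackets consisting of (see the ***pam.conf**(5)* man pages):", which no longer parses as a sentence and drops the cross-reference to the example file. Suggest keeping the lead-in as "enclosed in square brackets consisting of:" and adding the original sentence back as a paragraph after the fenced block, something like "Both formats are shown in the example file below; see the ***pam.conf**(5)* man page for the full list of values and actions." Two smaller points while these lines are being touched: "this is the name of a configuration file name under this directory" doubles "name" (carried over from the table, so drop the second one now), and the *module-path* default could match ***pam.conf**(5)*, which gives the default module directory as */lib/security* or */lib64/security* depending on architecture, rather than the vaguer "(but does depend on the system architecture)".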
@@ -99,17 +104,17 @@ the *libselinux* API to obtain its configuration information and the three SELinux PAM entries highlighted in the above configuration file perform the following functions: -- ***pam_sepermit.so*** - Allows pre-defined users the ability to - logon provided that SELinux is in enforcing mode (see the - [*/etc/security/sepermit.conf*](global_config_files.md#etcsecuritysepermit.conf) - section). -- ***pam_selinux.so open*** - Allows a security context to be set up for - the user at initial logon (as all programs exec'ed from here will use - this context). How the context is retrieved is described in the - [***Policy Configuration Files** - seusers*](policy_config_files.md#seusers) - section. +- ***pam_sepermit.so*** - Allows pre-defined users the ability to + logon provided that SELinux is in enforcing mode (see the + [*/etc/security/sepermit.conf*](global_config_files.md#etcsecuritysepermit.conf) + section). +- ***pam_selinux.so open*** - Allows a security context to be set up for + the user at initial logon (as all programs exec'ed from here will use + this context). How the context is retrieved is described in the + [***Policy Configuration Files** - seusers*](policy_config_files.md#seusers) + section. - ***pam_selinux.so close*** - This will reset the login programs context - to the context defined in the policy. + to the context defined in the policy. <!-- %CUTHERE% --> -- 2.26.2
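Review bot: the unchanged context line "the three SELinux PAM entries highlighted in the above configuration file" will be wrong once this page is Markdown, because a fenced code block cannot carry highlighting; a reader sees plain text with nothing marked. Suggest rewording to name the lines instead, e.g. "the three SELinux PAM entries in the above configuration file (*pam_sepermit.so* and the two *pam_selinux.so* lines)", which is exactly what the bullets below then describe. The `-`/`+` lines in this hunk differ only in whitespace (the visible text is identical), so it would help to note in the commit message that the hunk is a trailing-whitespace or indentation cleanup rather than a wording change.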