Initial import of the CDE 2.1.30 sources from the Open Group.

cde/lib/pam/man/man5/pam_dce.5

@@ -0,0 +1,146 @@
+.\" $XConsortium: pam_dce.5 /main/5 1996/10/29 15:41:52 drk $
+.\" Sccs id goes here
+'\"macro stdmacro
+.\" Copyright (c) 1995, Sun Microsystems, Inc. 
+.\" All Rights Reserved
+.nr X
+.TH pam_dce 5 "19 Jan 1996"
+.SH NAME
+pam_dce \- authentication, account, and password management PAM functions for DCE
+.SH SYNOPSIS
+.LP
+.B /usr/lib/security/pam_dce.so.1
+.P
+.LP
+.SH DESCRIPTION
+.IX "pam_dce" "" "\fLpam_dce\fP \(em authentication, account, and password management for DCE"
+.PP
+The DCE PAM module allows for integration of DCE into the system entry services
+(such as
+.BR login )
+through the
+.BR pam.conf (4)
+file.
+The DCE service module for PAM consists of
+three components:
+authentication, account management, and password management.
+All three components are supported through the same loadable library,
+.BR /usr/lib/security/pam_dce.so.1 .
+.SH DCE Authentication Module
+The DCE authentication component
+provides functions to verify the identity of a user
+(\f3pam_sm_authenticate\f1(3)),
+and to initialize DCE credentials
+(\f3pam_sm_setcred\f1(3)).
+The DCE implementation of the
+.BR pam_sm_authenticate (3) 
+function compares the user entered password with the password from the DCE Security
+Service (i.e., the DCE Registry). If the passwords match, the user is 
+authenticated and obtains DCE credentials.
+The following options may be passed to the DCE Authentication module:
+.RS
+.IP debug 15
+Syslog debugging information at the LOG_DEBUG level.
+.IP nowarn 15
+Turns off warning messages about not being able to acquire DCE credentials.
+.IP use_first_pass 15
+Use the user's  initial password (entered when the user is authenticated to the
+first authentication module in the stack) to authenticate with DCE.
+If the passwords do not match, or if this is the first authentication module in the 
+stack, quit and do not prompt the user for a password. It is
+recommended that this option only be used if the DCE authentication 
+module is designated as
+.I optional
+in the
+.B pam.conf
+configuration file. 
+.IP try_first_pass 15
+Use the user's  initial password (entered when the user is authenticated to the
+first authentication module in the PAM stack) to authenticate with DCE.  If the
+passwords do not match, or if this is the first authentication module in the 
+stack, prompt the user for a password. 
+.IP use_mapped_pass 15
+This option will attempt to retrieve the "onc_dce_passwd" attribute from
+the user's XFN context and use the user's initial password to decrypt
+the DCE password stored in this attribute. If the DCE password stored in
+this attribute is incorrect, then quit and do not prompt the user for a
+password. It is recommended that this option only be used if the DCE
+authentication module is designated as
+.I optional.
+.IP try_mapped_pass 15
+Similar to 
+.B use_mapped_pass
+with two exceptions. If the DCE password is incorrect,
+prompt for it. Once a valid DCE password is entered, encrypt it
+using the initial (first) password and store the encrypted value in the
+"onc_dce_passwd" attribute in the user's XFN context.
+.PP
+Note that both
+.B use_mapped_pass 
+and
+.B try_mapped_pass
+require that the UNIX authentication module (see
+.BR pam_unix (5))
+occurs before the DCE
+authentication module. This to ensure that the user's secure RPC credentials
+(for XFN/NIS+) have already been acquired.
+.RE
+
+If the user's DCE account has expired then an 
+error will be returned from
+.BR pam_sm_authenticate (3).
+.PP
+In order to authenticate the user to the DCE security service
+.BR pam_sm_authenticate (3)
+calls 
+.BR sec_login_setup_identity (3)
+followed by
+.BR sec_login_valid_and_cert_ident (3).
+.PP
+.BR pam_sm_setcred (3) 
+calls the function
+.BR sec_login_set_context (3)
+to set the DCE credentials after they have been validated by
+.BR pam_sm_authenticate .
+.SH DCE Account Management Module
+The DCE account management component
+provides a function to perform account management
+(\f3pam_sm_acct_mgmt\f1(3)).
+The DCE implementation of the
+.BR pam_sm_acct_mgmt (3)
+function retrieves the user's account and password expiration information from
+the DCE Security Server and verifies that the user's account and password
+have not expired.
+The following options may be passed to the DCE account module:
+.RS
+.IP allow_expired_passwd 20
+Allows a user with an expired password to login.
+.IP debug 20
+Syslog debugging information at the LOG_DEBUG level.
+.IP nowarn 20
+Turns off the warning messages displayed when a user's account and/or
+password are going to expire.
+.RE
+.PP
+.BR pam_sm_acct_mgmt (3) 
+calls the function
+.BR sec_login_inquire_net_info (3)
+to retrieve information about when a user's account and/or password is
+going to expire.
+.SH DCE Password Management Module
+The DCE password management component
+provides a function to change passwords
+(\f3pam_sm_chauthtok\f1(3)).
+The following option may be passwd to the DCE account module:
+.RS
+.IP debug 15
+Syslog debugging information at the LOG_DEBUG level.
+.RE
+.SH "SEE ALSO"
+.BR pam (3),
+.BR sec_login_setup_identity (3),
+.BR sec_login_valid_and_cert_ident (3),
+.BR sec_login_set_context (3),
+.BR sec_login_inquire_net_info (3),
+.BR pam.conf (4),
+.BR pam_unix (5)

cde/lib/pam/man/man5/pam_dial_auth.5

@@ -0,0 +1,68 @@
+.\" $XConsortium: pam_dial_auth.5 /main/4 1996/10/29 15:42:09 drk $
+.\" Sccs id goes here
+'\"macro stdmacro
+.\" Copyright (c) 1995, Sun Microsystems, Inc. 
+.\" All Rights Reserved
+.nr X
+.TH pam_dial_auth 5 "19 Jan 1996"
+.SH NAME
+pam_dial_auth \- authentication management PAM module for dialups
+.SH SYNOPSIS
+.LP
+.B /usr/lib/security/pam_dial_auth.so.1
+.LP
+.SH DESCRIPTION
+.IX "pam_dial_auth" "" "\fLpam_dial_auth\fP \(em authentication management for dialups"
+.PP
+The dialup PAM module,
+.BR /usr/lib/security/pam_dial_auth.so.1 ,
+authenticates a user according to the
+.B /etc/dialups
+and
+.B /etc/d_passwd
+files.
+Only
+.B pam_sm_authenticate(\|)
+is implemented within this module.
+.B pam_sm_setcred(\|)
+is a null function.
+.B /usr/lib/security/pam_dial_auth.so.1
+is designed to be stacked immediately below
+the
+.B /usr/lib/security/pam_unix.so.1
+module
+for the login service.
+.PP
+.B pam_sm_authenticate(\|)
+performs authentication only if both the
+.B /etc/dialups
+and 
+.B /etc/d_passwd
+files exist.
+The user's terminal line is checked against
+entries in the
+.B /etc/dialups
+file.
+If there is a match, the user's
+shell is compared against entries in the
+.B /etc/d_passwd
+file.
+If there is a matching entry, the user is
+prompted for a password which is validated against the entry
+in the
+.B /etc/d_passwd
+file. If the passwords match, the
+user is authenticated.
+The following option may be passed in to this service module:
+.RS
+.IP debug 15
+.BR syslog (3)
+debugging information at LOG_DEBUG level
+.RE
+.SH "SEE ALSO"
+.BR pam (3),
+.BR pam_authenticate (3),
+.BR d_passwd (4),
+.BR dialups (4),
+.BR pam.conf (4)
+

cde/lib/pam/man/man5/pam_rhosts_auth.5

@@ -0,0 +1,62 @@
+.\" $XConsortium: pam_rhosts_auth.5 /main/4 1996/10/29 15:42:24 drk $
+.\" Sccs id goes here
+'\"macro stdmacro
+.\" Copyright (c) 1995, Sun Microsystems, Inc. 
+.\" All Rights Reserved
+.nr X
+.TH pam_rhosts_auth 5 "19 Jan 1996"
+.SH NAME
+pam_rhosts_auth \- authentication management PAM modules using ruserok()
+.SH SYNOPSIS
+.LP
+.B /usr/lib/security/pam_rhosts_auth.so.1
+.LP
+.SH DESCRIPTION
+.IX "pam_rhosts_auth" "" "\fLpam_rhosts_auth\fP \(em authentication management using ruserok()"
+.PP
+The rhosts PAM module, 
+.BR /usr/lib/security/pam_rhosts_auth.so.1 ,
+authenticates a user via the
+.B rlogin
+authentication protocol.
+Only
+.B pam_sm_authenticate(\|)
+is implemented within this module.
+.B pam_sm_authenticate(\|)
+uses the
+.BR ruserok (3)
+library funtion to authenticate the
+.B rlogin
+or
+.B rsh
+user.
+.B pam_sm_setcred(\|)
+is a null function.
+.PP
+.B /usr/lib/security/pam_rhosts_auth.so.1
+is designed to be stacked on top of 
+the
+.B /usr/lib/security/pam_unix.so.1
+module
+for both the
+.B rlogin
+and
+.B rsh
+services.
+This module is normally configured as
+.I sufficient
+so that subsequent
+authentication is performed only on failure of
+.BR pam_sm_authenticate(\|) .
+The following option may be passed in to this service module:
+.RS
+.IP debug 15
+.B syslog(3)
+debugging information at LOG_DEBUG level
+.RE
+.SH "SEE ALSO"
+.BR pam (3),
+.BR pam_authenticate (3),
+.BR ruserok (3),
+.BR syslog (3),
+.BR pam.conf (4)

cde/lib/pam/man/man5/pam_unix.5

@@ -0,0 +1,206 @@
+.\" $XConsortium: pam_unix.5 /main/5 1996/10/29 15:42:45 drk $
+.\" Sccs id goes here
+'\"macro stdmacro
+.\" Copyright (c) 1995, Sun Microsystems, Inc. 
+.\" All Rights Reserved
+.nr X
+.TH pam_unix 5 "19 Jan 1996"
+.SH NAME
+pam_unix \- authentication, account, session, and password management PAM modules for UNIX
+.SH SYNOPSIS
+.LP
+.B /usr/lib/security/pam_unix.so.1
+.LP
+.SH DESCRIPTION
+.IX "pam_unix" "" "\fLpam_unix\fP \(em authentication, account, session and password management for UNIX"
+.PP
+The UNIX service module for PAM,
+.BR /usr/lib/security/pam_unix.so.1 ,
+provides functionality for all four
+PAM modules: authentication, account management, session management
+and password management.
+The
+.B pam_unix.so.1
+ module is a shared object
+that can be dynamically loaded to provide
+the necessary functionality upon demand.
+Its path is specified in the
+.SM PAM
+configuration file.
+.SH Unix Authentication Module
+The UNIX authentication component
+provides functions to verify the identity of a user,
+(\f3pam_sm_authenticate(\|)\f1)
+and to set user specific credentials
+(\f3pam_sm_setcred(\|)\f1).
+.B pam_sm_authenticate(\|) 
+compares the user entered password with the password from UNIX password
+database.  If the passwords match, the user is authenticated.
+If the user also has secure
+.SM RPC
+credentials and the secure
+.SM RPC
+password is the same as the
+.SM UNIX
+password, then the secure
+.SM RPC
+credentials are also obtained.
+.LP
+The following options may be passed to the UNIX service module:
+.RS
+.IP debug 15
+.BR syslog (3)
+debugging information at LOG_DEBUG level
+.IP nowarn 15
+turn off warning messages
+.IP use_first_pass 15
+It compares the password in the password database with the user's initial
+password (entered when the user authenticated to the first authentication
+module in the stack).  If the passwords do not match, or if no password
+has been entered,
+quit and do not prompt the user for a password.  This option should
+only be used if the authentication service is designated as
+.I optional
+in the
+.B pam.conf
+configuration file.
+.IP try_first_pass 15
+It compares the password in the password database with the user's initial
+password (entered when the user authenticated to the first authentication
+module in the stack).  If the passwords do not match, or if no password
+has been entered,
+prompt the user for a password.
+.RE
+.LP
+When prompting for the current password, the UNIX authentication
+module will use the prompt, "password:" unless one of
+the following scenarios occur:
+.RS 6
+.TP 5
+1.
+The option try_first_pass is specified and the password entered for the
+first module in the stack fails for the
+.SM UNIX
+module.
+.TP
+2.
+The option try_first_pass is not specified,
+and the earlier authentication modules listed in the
+.B pam.conf
+file have prompted the user for the password.
+.RE
+.LP
+In these two cases, the UNIX authentication module will use
+the prompt "UNIX password:".
+.LP
+The
+.B pam_sm_setcred(\|)
+function sets user specific credentials.
+If the user had secure
+.SM RPC
+credentials, but the secure
+.SM RPC
+password was not the same as the
+.SM UNIX password,
+then a warning message is printed.
+If the user wants to get secure
+.SM RPC
+credentials, then
+.BR keylogin (1)
+needs to be run.
+.SH Unix Account Management Module
+The UNIX account management component
+provides a function to perform account management
+(\f3pam_sm_acct_mgmt\f1()).
+The function
+retrieves the user's password entry from the UNIX password database
+and verifies that the user's account and password
+have not expired.
+The following options may be passed in to the UNIX service module:
+.RS
+.IP debug 15
+.BR syslog (3)
+debugging information at LOG_DEBUG level
+.IP nowarn 15
+turn off warning messages
+.RE
+.SH Unix Session Management Module
+The UNIX session management component
+provides functions to initiate
+(\f3pam_sm_open_session(\|)\f1)
+and terminate
+(\f3pam_sm_close_session(\|)\f1)
+UNIX sessions.
+For UNIX ,
+.B pam_open_session
+updates the
+.B /var/adm/lastlog
+file.
+The account management module reads this file to 
+determine the previous time the user logged in.
+The following options may be passed in to the UNIX service module:
+.RS
+.IP debug 15
+.BR syslog (3)
+debugging information at LOG_DEBUG level
+.IP nowarn 15
+turn off warning messages
+.RE
+.LP
+.B pam_close_session
+is a NULL function.
+.SH Unix Password Management Module
+The UNIX password management component
+provides a function to change passwords
+(\f3pam_sm_chauthtok(\|)\f1)
+in the UNIX password database.
+This module must be
+.I required
+in
+.B pam.conf.
+It can not be
+.I optional
+or
+.I sufficient.
+The following options may be passed in to the UNIX service module:
+.RS
+.IP debug 15
+.BR syslog (3)
+debugging information at LOG_DEBUG level
+.IP nowarn 15
+turn off warning messages
+.IP use_first_pass 15
+It compares the password in the password database with the user's old
+password (entered to the first password module in the stack).
+If the passwords do not match, or if no password has been entered,
+quit and do not prompt the user for the old password.  It also attempts
+to use the new password (entered to the first password module in the stack)
+as the new password for this module.  If the new password fails,
+quit and do not prompt the user for a new password.
+.IP try_first_pass 15
+It compares the password in the password database with the user's old
+password (entered to the first password module in the stack).
+If the passwords do not match, or if no password has been entered,
+prompt the user for the old password.  It also attempts
+to use the new password (entered to the first password module in the stack)
+as the new password for this module.  If the new password fails,
+prompt the user for a new password.
+.RE
+.LP
+If the user's password has expired, the UNIX account module saves
+this information in the authentication handle using
+.BR pam_set_data(\|) ,
+with a unique name,
+SUNW_UNIX_AUTHOK_DATA.
+The UNIX password module retrieves this information
+from the authentication handle using
+.B pam_get_data(\|)
+to determine whether or not to force the
+user to update their password.
+.SH "SEE ALSO"
+.BR keylogin (1),
+.BR pam (3),
+.BR pam_authenticate (3),
+.BR pam_setcred (3),
+.BR syslog (3),
+.BR pam.conf (4)