From 4db5abec76301a2f7091160e53150e4325be0707 Mon Sep 17 00:00:00 2001 From: Michael Hampton Date: Sun, 9 Sep 2001 16:19:29 +0000 Subject: [PATCH] * Updated PAM configuration file citadel.pam for Red Hat 7.x. --- citadel/ChangeLog | 4 +++- citadel/citadel.pam | 15 ++++++++++++--- citadel/techdoc/PAM.txt | 14 ++++++++++---- 3 files changed, 25 insertions(+), 8 deletions(-) diff --git a/citadel/ChangeLog b/citadel/ChangeLog index 7431ad098..329542eac 100644 --- a/citadel/ChangeLog +++ b/citadel/ChangeLog @@ -1,4 +1,7 @@ $Log$ + Revision 580.41 2001/09/09 16:19:29 error + * Updated PAM configuration file citadel.pam for Red Hat 7.x. + Revision 580.40 2001/09/09 03:19:38 ajc * cdb_cull_logs() now removes log files as soon as the log_archive() function says it's ok to do so. @@ -2738,4 +2741,3 @@ Sat Jul 11 00:20:48 EDT 1998 Nathan Bryant Fri Jul 10 1998 Art Cancro * Initial CVS import - diff --git a/citadel/citadel.pam b/citadel/citadel.pam index 02afd5e5b..0e4bdcab9 100644 --- a/citadel/citadel.pam +++ b/citadel/citadel.pam @@ -5,6 +5,15 @@ # $Id$ # auth required /lib/security/pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed -auth required /lib/security/pam_pwdb.so shadow -auth required /lib/security/pam_shells.so -account required /lib/security/pam_pwdb.so +# Uncomment to use /etc/nologin +#auth required /lib/security/pam_nologin.so +auth required /lib/security/pam_stack.so service=system-auth +account required /lib/security/pam_stack.so service=system-auth +session required /lib/security/pam_stack.so service=system-auth + + +# This file previously looked like this (see techdoc/PAM.txt): +#auth required /lib/security/pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed +#auth required /lib/security/pam_pwdb.so shadow +#auth required /lib/security/pam_shells.so +#account required /lib/security/pam_pwdb.so diff --git a/citadel/techdoc/PAM.txt b/citadel/techdoc/PAM.txt index e296ddb4e..35f18809e 100644 --- a/citadel/techdoc/PAM.txt 
+++ b/citadel/techdoc/PAM.txt @@ -1,4 +1,10 @@ - + The citadel.pam configuration file has been updated for Red Hat 7.1. +If you have such a system, it should Just Work; if you don't, you're going to +have to tweak it, preferably BEFORE you do a make install. See below. Even +if you have Red Hat 7.1, you should look at the file anyway and understand how +it affects your system security. The original PAM.txt is included below: + + Citadel/UX 5.53 and later include support for Pluggable Authentication Modules (PAM.) However, we don't recommend enabling this feature (./configure --with-pam) unless you understand exactly how it will affect your system's @@ -6,17 +12,17 @@ security. Specifically, the system administrator must supply a configuration for every authentication service which uses PAM. We have automated this process for Linux by supplying a file which is placed in /etc/pam.d during the installation process, but not on other systems, for 2 reasons: - + 1) Other systems don't have /etc/pam.d; instead they use one big configuration file, usually /etc/pam.conf. It's not quite as trivial to automatically modify this file in a safe and secure fashion. - + 2) Other systems have a different set of available authentication modules; they are likely to lack all three of the ones we use in the Linux configuration. We don't have enough information about the features of the authentication modules on other platforms to be able to provide secure configurations. - + That said, the configuration we've provided should work on at least Red Hat Linux 4.2-5.2, (although we don't recommend building Citadel/UX on Red Hat 4.x due to libc thread-safety issues) and if you understand PAM -- 2.39.2
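Review bot: The new ChangeLog entry (Revision 580.41, first hunk of citadel/ChangeLog) says only "Updated PAM configuration file" and does not record that the pam_pwdb.so and pam_shells.so lines were replaced by pam_stack.so service=system-auth, which is the behaviour change an administrator upgrading would look for. Suggest naming the modules removed and added in the entry. The second ChangeLog hunk (@@ -2738,4 +2741,3 @@) only deletes the blank line at the end of the file and is unrelated to the PAM update, so it can be dropped from this commit.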
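Review bot: In citadel/citadel.pam the replacement auth stack removes `auth required /lib/security/pam_shells.so` and hands everything to `pam_stack.so service=system-auth`, but nothing in this patch shows that system-auth performs an equivalent check, so whether accounts with a shell not listed in /etc/shells are still refused now depends on a file outside this change. Either keep the pam_shells.so line ahead of the pam_stack.so auth line, or state in techdoc/PAM.txt that the shell check was dropped on purpose. The added `session required` line also introduces a module type the old file never configured, so it is worth confirming that Citadel opens a PAM session before shipping it as required. The commented-out copy of the previous configuration at the bottom of the file would sit better in techdoc/PAM.txt, where it is already referenced, than as dead lines in a file installed into /etc/pam.d.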
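Review bot: The paragraph added at the top of citadel/techdoc/PAM.txt tells readers on other systems to "tweak it" and "See below", but the retained text below still describes the old configuration ("all three of the ones we use in the Linux configuration", "should work on at least Red Hat Linux 4.2-5.2"), which no longer matches a file built on pam_listfile.so and pam_stack.so service=system-auth. Suggest naming those two dependencies in the new paragraph and pointing readers without pam_stack.so or a system-auth service to the commented-out previous block in citadel.pam as the starting point. The paragraph also says "Red Hat 7.1" where the subject line and ChangeLog entry say "Red Hat 7.x"; the three should agree.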