diff --git a/NEWS b/NEWS
index fd74ce3..5e2a832 100644
--- a/NEWS
+++ b/NEWS
@@ -5,7 +5,7 @@ See the end of file for copying conditions.
 Please send pam-modules bug reports to
-Version 1.8.93, (Git)
+Version 1.9, 2014-05-21
 * New module pam_groupmember
@@ -168,7 +168,7 @@ Version 0.1
 =========================================================================
 Copyright information:
-Copyright (C) 2001, 2004-2005, 2007-2012 Sergey Poznyakoff
+Copyright (C) 2001, 2004-2005, 2007-2014 Sergey Poznyakoff
 Permission is granted to anyone to make or distribute verbatim copies
 of this document as received, in any medium, provided that the
diff --git a/configure.ac b/configure.ac
index 413dc80..c45e5fd 100644
--- a/configure.ac
+++ b/configure.ac
@@ -16,7 +16,7 @@ AC_PREREQ(2.63)
-AC_INIT(pam-modules, 1.8.93, bug-pam-modules@gnu.org.ua)
+AC_INIT(pam-modules, 1.9, bug-pam-modules@gnu.org.ua)
 AC_CONFIG_SRCDIR(pam_fshadow/pam_fshadow.c)
 AC_CONFIG_AUX_DIR([build-aux])
 AC_CONFIG_MACRO_DIR([m4])
diff --git a/doc/pam_ldaphome.8in b/doc/pam_ldaphome.8in
index 5150849..f40ee66 100644
--- a/doc/pam_ldaphome.8in
+++ b/doc/pam_ldaphome.8in
@@ -14,7 +14,7 @@
 .\" You should have received a copy of the GNU General Public License
 .\" along with PAM-Modules. If not, see .
 .so config.so
-.TH PAM_LDAPHOME 8 "May 19, 2014" "PAM-MODULES" "Pam-Modules User Reference"
+.TH PAM_LDAPHOME 8 "May 21, 2014" "PAM-MODULES" "Pam-Modules User Reference"
 .SH NAME
 pam_ldaphome \- create and populate user home directories
 .SH SYNOPSIS
@@ -46,27 +46,7 @@ split across several physical lines of text by ending each line but the last with a backslash character.
 .PP
 Available configuration directives are:
-.TP
-.BI allow\-home\-dir " PATH"
-Lists directories in which it is allowed to create home directories.
-\fIPATH\fR is a list of directories separated by colons. The user's
-home directory will be created only if the directory part of its name
-is listed in \fIPATH\fR.
-.TP
-.BI skel " DIR"
-Supplies the name of a \fIskeleton directory\fR. The contents of this
-directory is copied to each newly created user home directory. The
-file modes and permissions are retained.
-.TP
-.BI uri " ARG"
-Sets the URI of the LDAP server to consult for the user profile.
-.TP
-.BI ldap\-version " NUM"
-Sets the LDAP version to use. Valid arguments are
-.B 2
-and
-.B 3
-(the default).
+.SS LDAP Settings
 .TP
 .BI base " SEARCHBASE"
 Use \fISEARCHBASE\fR as starting point for searches.
@@ -81,6 +61,21 @@ password for simple authentication.
 .BI bindpwfile " FILE"
 Read password for simple authentication from \fIFILE\fR.
 .TP
+.BI filter " EXPR"
+Defines a LDAP filter expression which returns the user profile. The
+\fIEXPR\fR should conform to the string representation for search
+filters as defined in RFC 4515.
+.TP
+.BI ldap\-version " NUM"
+Sets the LDAP version to use. Valid arguments are
+.B 2
+and
+.B 3
+(the default).
+.TP
+.BI pubkey\-attr " TEXT"
+Defines the name of the attribute that keeps user's public SSH key.
+.TP
 .BI tls " VAL"
 Controls whether TLS is desired or required. If \fIVAL\fR is \fBno\fR (the default), TLS will not be used. If it is \fByes\fR,
@@ -89,32 +84,15 @@ anyway if it fails. Finally, if \fIVAL\fR is the word \fBonly\fR, the use of TLS becomes mandatory, and the module will not establish LDAP connection unless \fIStartTLS\fR succeeds.
 .TP
-.BI min\-uid " N"
-Sets the minimal UID. For users with UIDs less than \fIN\fR,
-\fBpam_ldaphome\fR will return \fBPAM_SUCCESS\fR immediately. This
-allows you to have a set of basic users whose credentials are kept in
-the system database and who will not be disturbed by
-\fBpam_ldaphome\fR. See also \fBmin\-gid\fR and \fBallow\-groups\fR.
+.BI uri " ARG"
+Sets the URI of the LDAP server to consult for the user profile.
+.SS Home directory creation
 .TP
-.BI min\-gid " N"
-Sets the minimal GID. For users with GIDs less than \fIN\fR,
-the module will return \fBPAM_SUCCESS\fR immediately.
-.TP
-\fBallow\-groups\fR \fIGROUP\fR [\fIGROUP\fR...]
-Only handle members of the listed groups.
-.TP
-.BI filter " EXPR"
-Defines a LDAP filter expression which returns the user profile. The
-\fIEXPR\fR should conform to the string representation for search
-filters as defined in RFC 4515.
-.TP
-.BI import\-public\-keys " BOOL"
-When set to \fBno\fR, disables importing public keys from LDAP. You
-may wish to use this option if you are using \fBopenssh\fR 6.1 or
-later with \fBldappubkey\fR as \fBAuthorizedKeysCommand\fR.
-.TP
-.BI pubkey\-attr " TEXT"
-Defines the name of the attribute that keeps user's public SSH key.
+.BI allow\-home\-dir " PATH"
+Lists directories in which it is allowed to create home directories.
+\fIPATH\fR is a list of directories separated by colons. The user's
+home directory will be created only if the directory part of its name
+is listed in \fIPATH\fR.
 .TP
 .BI copy\-buf\-size " N"
 Sets the size of the buffer used to copy files from the skeleton
@@ -123,8 +101,11 @@ directory to the newly created home. The default value is 16384 bytes.
 .BI home\-dir\-mode " MODE"
 Defines the file mode (octal) for creation of the user directories.
 .TP
-.BI keyfile\-mode " MODE"
-Defines the file mode (octal) for creation of authorized keys files.
+.BI skel " DIR"
+Supplies the name of a \fIskeleton directory\fR. The contents of this
+directory is copied to each newly created user home directory. The
+file modes and permissions are retained.
+.SS Authorized keys file control
 .TP
 .BI authorized_keys " NAME"
 Sets the pathname (relative to the home directory) for the authorized
@@ -134,6 +115,35 @@ operation, this value must be the same as the value of
 .BR sshd_config (5).
 Unless you change the latter, there's no need to edit it.
 .TP
+.BI import\-public\-keys " BOOL"
+When set to \fBno\fR, disables importing public keys from LDAP. You
+may wish to use this option if you are using \fBopenssh\fR 6.2p1 or
+later with \fBldappubkey\fR as \fBAuthorizedKeysCommand\fR.
+.TP
+.BI keyfile\-mode " MODE"
+Defines the file mode (octal) for creation of authorized keys files.
+.SS Access control
+.TP
+\fBallow\-groups\fR \fIGROUP\fR [\fIGROUP\fR...]
+Only handle members of the listed groups.
+.TP
+.BI min\-gid " N"
+Sets the minimal GID. For users with GIDs less than \fIN\fR,
+the module will return \fBPAM_SUCCESS\fR immediately.
+.TP
+.BI min\-uid " N"
+Sets the minimal UID. For users with UIDs less than \fIN\fR,
+\fBpam_ldaphome\fR will return \fBPAM_SUCCESS\fR immediately. This
+allows you to have a set of basic users whose credentials are kept in
+the system database and who will not be disturbed by
+\fBpam_ldaphome\fR. See also \fBmin\-gid\fR and \fBallow\-groups\fR.
+.SS Initialization script support
+.TP
+.BI exec\-timeout " SECONDS"
+Sets maximum time the \fBinitrc\-command\fR is allowed to run. If
+it runs longer than \fISECONDS\fR, it will be terminated with a
+\fBSIGKILL\fR, and the module will return \fBPAM_SYSTEM_ERR\fR.
+.TP
 .BI initrc\-command " COMMAND"
 Run \fICOMMAND\fR after populating the user home directory with files from the skeleton directory. The user login name is passed to
@@ -144,10 +154,6 @@ standard output is redirected to standard errror. The command should exit with code 0 on success. If it exits with a non-zero code, PAM_SYSTEM_ERR will be reported.
 .TP
-.BI initrc-log " FILE"
-Redirects standard output and error from the
-\fBinitrc\-command\fR to \fIFILE\fR.
-.TP
 \fBinitrc\-environ\fR \fIENV\fR ...
 Modifies the environment of \fBinitrc\-command\fR.
@@ -185,6 +191,10 @@ is removed from it before assignment.
 .RE
 The \fIVALUE\fR part can be enclosed in single or double quotes, in which case the usual shell dequoting rules apply.
+.TP
+.BI initrc-log " FILE"
+Redirects standard output and error from the
+\fBinitrc\-command\fR to \fIFILE\fR.
 .SH OPTIONS
 .TP
 .BI config= FILE
diff --git a/pamck/pamck.c b/pamck/pamck.c
index 983bcdb..e8f9461 100644
--- a/pamck/pamck.c
+++ b/pamck/pamck.c
@@ -39,7 +39,7 @@ version()
 {
 printf("%s (%s) %s\n", program_name, PACKAGE, PACKAGE_VERSION);
 fputs ("\
-Copyright (C) 2009 Sergey Poznyakoff\n\
+Copyright (C) 2009-2012, 2014 Sergey Poznyakoff\n\
 \n\
 License GPLv3+: GNU GPL version 3 or later .\n\
 This is free software: you are free to change and redistribute it.\n\