/[smeserver]/rpms/pam_abl/sme10/pam_abl-0.2.3-fixes.patch
ViewVC logotype

Annotation of /rpms/pam_abl/sme10/pam_abl-0.2.3-fixes.patch

Parent Directory Parent Directory | Revision Log Revision Log | View Revision Graph Revision Graph


Revision 1.1 - (hide annotations) (download)
Fri Mar 18 10:53:17 2016 UTC (8 years, 7 months ago) by unnilennium
Branch: MAIN
CVS Tags: pam_abl-0_2_3-2_el7_sme, HEAD
Initial import

1 unnilennium 1.1 Patch by Robert Scheck <robert@fedoraproject.org> for pam_abl 0.2.3, changes:
2    
3     * pam_abl/pam_abl.c
4     - Fixed compiler warning "dereferencing type-punned pointer will break
5     strict-aliasing rules"
6    
7     * pam_abl/Makefile
8     - Always honor $RPM_OPT_FLAGS when available
9     - Fixed the make warning "jobserver unavailable: using -j1. Add `+' to
10     parent make rule"
11    
12     * pam_abl/tools/Makefile
13     - Always honor $RPM_OPT_FLAGS when available
14    
15     * pam_abl/doc/pam_abl.1
16     - Initial version of a pam_abl man page based on the current docs
17    
18     * pam_abl/CONFIGURATION
19     - Initial version of a pam_abl text documentation based on the HTML files
20    
21     * pam_abl/conf/system-auth
22     - Removed use of /lib/security/$ISA, because it will break on any 64 bit
23     system having /lib64 instead of /lib; should fix sf.net Bug ID #1325837
24    
25     * pam_abl/doc/index.html
26     - Never ever use /lib/security, will break any 64 bit compatibility
27    
28     * pam_abl/QUICKSTART
29     - Quickstart guide heavily based on README.fedora written by the Fedora
30     Extras maintainer Alexander Dalloz <alex {%} dalloz {*} de>
31    
32     Following patch was sent upstream at Sat, 17 Jun 2006 21:24:50 +0200 and it
33     was confirmed by the upstream maintainer, that this patch will be added to
34     the next pam_abl release - but unfortunately nothing happened, yet.
35    
36     --- pam_abl/pam_abl.c 2005-10-12 21:22:26.000000000 +0200
37     +++ pam_abl/pam_abl.c.rsc 2006-06-17 18:36:44.000000000 +0200
38     @@ -168,7 +168,7 @@
39     const char *rhost;
40     int err;
41    
42     - if (err = pam_get_item(args->pamh, PAM_RHOST, (const void **) &rhost), PAM_SUCCESS != err) {
43     + if (err = pam_get_item(args->pamh, PAM_RHOST, (const void **)( const void*) &rhost), PAM_SUCCESS != err) {
44     log_pam_error(args, err, "getting PAM_RHOST");
45     return err;
46     }
47     @@ -187,7 +187,7 @@
48     if (NULL != args->user_db) {
49     const char *user;
50     int err;
51     - if (err = pam_get_item(args->pamh, PAM_USER, (const void **) &user), PAM_SUCCESS != err) {
52     + if (err = pam_get_item(args->pamh, PAM_USER, (const void **) (const void*) &user), PAM_SUCCESS != err) {
53     log_pam_error(args, err, "getting PAM_USER");
54     return err;
55     }
56     @@ -285,7 +285,7 @@
57     if (NULL != args->host_db) {
58     const char *rhost;
59     int err;
60     - if (err = pam_get_item(args->pamh, PAM_RHOST, (const void **) &rhost), PAM_SUCCESS != err) {
61     + if (err = pam_get_item(args->pamh, PAM_RHOST, (const void **) (const void*) &rhost), PAM_SUCCESS != err) {
62     log_pam_error(args, err, "getting PAM_RHOST");
63     return err;
64     }
65     @@ -316,12 +316,12 @@
66     const char *user;
67     const char *service;
68    
69     - if (err = pam_get_item(args->pamh, PAM_USER, (const void **) &user), PAM_SUCCESS != err) {
70     + if (err = pam_get_item(args->pamh, PAM_USER, (const void **) (const void*) &user), PAM_SUCCESS != err) {
71     log_pam_error(args, err, "getting PAM_USER");
72     return err;
73     }
74    
75     - if (err = pam_get_item(args->pamh, PAM_SERVICE, (const void **) &service), PAM_SUCCESS != err) {
76     + if (err = pam_get_item(args->pamh, PAM_SERVICE, (const void **) (const void*) &service), PAM_SUCCESS != err) {
77     log_pam_error(args, err, "getting PAM_SERVICE");
78     return err;
79     }
80     @@ -374,9 +374,9 @@
81     check_attempt(args, &rv);
82     if (rv) {
83     const char *rhost, *user, *service;
84     - if (PAM_SUCCESS == pam_get_item(args->pamh, PAM_RHOST, (const void **) &rhost ) &&
85     - PAM_SUCCESS == pam_get_item(args->pamh, PAM_USER, (const void **) &user ) &&
86     - PAM_SUCCESS == pam_get_item(args->pamh, PAM_SERVICE, (const void **) &service)) {
87     + if (PAM_SUCCESS == pam_get_item(args->pamh, PAM_RHOST, (const void **) (const void*) &rhost ) &&
88     + PAM_SUCCESS == pam_get_item(args->pamh, PAM_USER, (const void **) (const void*) &user ) &&
89     + PAM_SUCCESS == pam_get_item(args->pamh, PAM_SERVICE, (const void **) (const void*) &service)) {
90     log_info(args, "Blocking access from %s to service %s, user %s", rhost, service, user);
91     }
92     return PAM_AUTH_ERR;
93     --- pam_abl/Makefile 2005-10-12 21:22:25.000000000 +0200
94     +++ pam_abl/Makefile.rsc 2006-06-17 18:45:43.000000000 +0200
95     @@ -1,7 +1,7 @@
96     # Makefile
97     # $Id: Makefile,v 1.1.1.1 2005/10/12 19:22:25 tagishandy Exp $
98    
99     -CFLAGS=-Wall -fPIC
100     +CFLAGS=-Wall -fPIC $(RPM_OPT_FLAGS)
101     PAMDIR=/lib/security
102     CONFDIR=/etc/security
103     DBDIR=/var/lib/abl
104     @@ -11,26 +11,26 @@
105     SUBDIRS=tools
106    
107     all : $(MODULE)
108     - for d in $(SUBDIRS) ; do cd $$d && make $@ && cd .. ; done
109     + for d in $(SUBDIRS) ; do cd $$d && $(MAKE) $@ && cd .. ; done
110    
111     $(MODULE) : $(OBJ)
112     ld -x --shared $(LIBS) -o $@ $^
113    
114     clean :
115     rm -f $(MODULE) $(OBJ)
116     - for d in $(SUBDIRS) ; do cd $$d && make $@ && cd .. ; done
117     + for d in $(SUBDIRS) ; do cd $$d && $(MAKE) $@ && cd .. ; done
118    
119     install : $(MODULE)
120     install --mode=755 --strip $(MODULE) $(PAMDIR)
121     #install --mode=644 conf/pam_abl.conf $(CONFDIR)
122     install -d --mode=755 $(DBDIR)
123     - for d in t $(SUBDIRS) ; do cd $$d && make $@ && cd .. ; done
124     + for d in t $(SUBDIRS) ; do cd $$d && $(MAKE) $@ && cd .. ; done
125    
126     depend :
127     cc -MM *.c > deps
128     - for d in $(SUBDIRS) ; do cd $$d && make $@ && cd .. ; done
129     + for d in $(SUBDIRS) ; do cd $$d && $(MAKE) $@ && cd .. ; done
130    
131     test :
132     - cd t && make && cd ..
133     + cd t && $(MAKE) && cd ..
134    
135     include deps
136     --- pam_abl/tools/Makefile 2005-10-12 21:22:27.000000000 +0200
137     +++ pam_abl/tools/Makefile.rsc 2006-06-17 19:15:25.000000000 +0200
138     @@ -1,6 +1,6 @@
139     # Makefile
140    
141     -CFLAGS=-Wall
142     +CFLAGS=-Wall -fPIC $(RPM_OPT_FLAGS)
143     LIBS=-ldb -lpthread
144     TARGET=pam_abl
145     OBJ=log.o config.o rule.o pam_abl.o
146     --- pam_abl/doc/pam_abl.1 1970-01-01 01:00:00.000000000 +0100
147     +++ pam_abl/doc/pam_abl.1.rsc 2006-06-17 20:02:44.000000000 +0200
148     @@ -0,0 +1,52 @@
149     +.TH pam_abl 1 "Oct 13, 2005"
150     +.LO 1
151     +.SH NAME
152     +pam_abl - query or purge the databases used by the pam_abl module
153     +.SH OVERVIEW
154     +\fBpam_abl\fR [ \fIOPTIONS \fR] [ \fICONFIG \fR]
155     +.SH DESCRIPTION
156     +Performs maintenance on the databases used by the pam_abl (auto blacklist) module. CONFIG is the name of the pam_abl config file (/etc/security/pam_abl.conf). The config file is read to discover the names of the pam_abl databases and the rules that control purging of old data from them.
157     +.SH OPTIONS
158     +.TP
159     +.B -h, --help
160     +See a help message
161     +.TP
162     +.B -p, --purge
163     +Purge databases according to purge rules in config
164     +.TP
165     +.B -r, --relative
166     +Display times relative to now otherwise absolute times will be displayed
167     +.TP
168     +.B -v, --verbose
169     +Verbose output
170     +.TP
171     +.B --okuser=USER
172     +Unblock USER
173     +.TP
174     +.B --okhost=HOST
175     +Unblock HOST
176     +.SH EXAMPLES
177     +.TP
178     +Obtain a list of failed hosts and users:
179     +$ pam_abl
180     +.TP
181     +Obtain a full list of failures listing times relative to now:
182     +$ pam_abl -rv
183     +.br
184     +$ pam_abl --relative --verbose
185     +.TP
186     +Purge old data:
187     +$ pam_abl -p
188     +.br
189     +$ pam_abl --purge
190     +.TP
191     +Unblock all example.com, somewhere.com hosts:
192     +$ pam_abl -v --okhost=*.example.com --okhost=*.somewhere.com
193     +.SH AUTHOR
194     +Andy Armstrong <andy@hexten.net>
195     +.SH SEE ALSO
196     +/usr/share/doc/pam_abl-*/CONFIGURATION
197     +.SH REPORT BUGS
198     +Please report bugs in English language to the author.
199     +.SH COPYRIGHT
200     +pam_abl is licensed under GNU General Public License, the complete license you can get at: http://www.gnu.org/copyleft/gpl.html
201     --- pam_abl/CONFIGURATION 1970-01-01 01:00:00.000000000 +0100
202     +++ pam_abl/CONFIGURATION.rsc 2006-06-17 20:02:44.000000000 +0200
203     @@ -0,0 +1,251 @@
204     +The Auto Blacklist Module: pam_abl
205     +
206     +Synopsis
207     +
208     +Module name:
209     + pam_abl
210     +Author:
211     + Andy Armstrong <andy@hexten.net>
212     +Maintainer:
213     + Andy Armstrong <andy@hexten.net>
214     +Management groups provided:
215     + auth
216     +Cryptographically sensitive:
217     + No.
218     +Security rating:
219     +Clean code base:
220     + Clean.
221     +System dependencies:
222     + Requires Berkeley DB (tested with 4.3.21 and 4.2.50).
223     + Requires a configuration file (by convention /etc/security/pam_abl.conf)
224     +Network aware:
225     + No.
226     +
227     +Overview of module
228     +
229     +Provides auto blacklisting of hosts and users responsible for repeated failed
230     +authentication attempts. Generally configured so that blacklisted users still
231     +see normal login prompts but are guaranteed to fail to authenticate.
232     +
233     +This functionality is only available to services which call PAM as root. If
234     +pam_abl is called for uid != 0 it will silently succeed.
235     +
236     +Auth component
237     +
238     +Recognised arguments:
239     +
240     + Name Arguments Description
241     + debug None Enable debug output to syslog.
242     + expose_account None Ignored
243     + no_warn None Disable warnings which are otherwise output
244     + to syslog.
245     + try_first_pass None Ignored
246     + use_first_pass None Ignored
247     + use_mapped_pass None Ignored
248     + The configuration file contains additional
249     + arguments. In order for the pam_abl command
250     + Path to the line tool to work correctly most of the
251     + config configuration configuration should be placed in the config
252     + file. file rather than being provided by arguments.
253     + The format of the config file is described
254     + below.
255     + Path to host Path to the Berkeley DB which is used to log
256     + host_db database the host responsible for failed
257     + file. authentication attempts.
258     + Purge time Defines how long failed hosts are retained in
259     + host_purge for the host the host database. Defaults to 1 day.
260     + database.
261     + Rule for host The rule (see below for format) which defines
262     + host_rule blacklisting. the conditions under which a failed hosts
263     + will be blackisted.
264     + Path to user Path to the Berkeley DB which is used to log
265     + user_db database the user responsible for failed
266     + file. authentication attempts.
267     + Purge time Defines how long failed users are retained in
268     + user_purge for the user the user database. Defaults to 1 day.
269     + database.
270     + Rule for user The rule (see below for format) which defines
271     + user_rule blacklisting. the conditions under which a failed users
272     + will be blackisted.
273     +
274     +Description:
275     +
276     + Brute force password discovery attacks involve repeated attempts to
277     + authenticate against a service using a dictionary of common passwords.
278     + While it is desirable to enforce strong passwords for users this is not
279     + always possible and in cases where a weak password has been used brute
280     + force attacks can be effective.
281     +
282     + The pam_abl module monitors failed authentication attempts and
283     + automatically blacklists those hosts (and accounts) that are responsible
284     + for large numbers of failed attempts. Once a host is blacklisted it is
285     + guaranteed to fail authentication even if the correct credentials are
286     + provided.
287     +
288     + Blacklisting is triggered when the number of failed authentication attempts
289     + in a particular period of time exceeds a predefined limit. Hosts which stop
290     + attempting to authenticate will, after a period of time, be un-blacklisted.
291     +
292     + This functionality is only available to services which call PAM as root. If
293     + pam_abl is called for uid != 0 it will silently succeed. If this was not
294     + the case it would be possible for a malicious local user to poison the
295     + pam_abl data by, for example, discovering the names of the hosts from which
296     + root typically logs in and then constructing PAM authentication code to
297     + lock out root login attempts from those hosts.
298     +
299     +Usage:
300     +
301     + Typically pam_abl.so is added to the auth stack as a required module just
302     + before whatever modules actually peform authentication. Here's a fragment
303     + of the PAM config for a production server that is running pam_abl:
304     +
305     + auth required pam_env.so
306     + auth required pam_abl.so config=/etc/security/pam_abl.conf
307     + auth sufficient pam_unix.so try_first_pass nullok
308     + auth required pam_deny.so
309     +
310     + Although all of accepted arguments can be supplied here they will usually
311     + be placed in a separate config file and linked to using the config argument
312     + as in the above example. The pam_abl command line tool reads the external
313     + config file (/etc/security/pam_abl.conf in this case) to find the databases
314     + so in order for it work correctly an external config should be used.
315     +
316     +Config file syntax:
317     +
318     + The config file can contain any arguments that would be supplied via PAM
319     + config. In the config file arguments are placed on separate lines. Comments
320     + may be included after a '#' and line continuation is possible by placing a
321     + back slash at the end of the line to be continued. Here is a sample /etc/
322     + security/pam_abl.conf:
323     +
324     + # /etc/security/pam_abl.conf
325     + debug
326     + host_db=/var/lib/abl/hosts.db
327     + host_purge=2d
328     + host_rule=*:10/1h,30/1d
329     + user_db=/var/lib/abl/users.db
330     + user_purge=2d
331     + user_rule=!root:10/1h,30/1d
332     +
333     + All of the standard PAM arguments (debug, expose_account, no_warn,
334     + try_first_pass, use_first_pass, use_mapped_pass) are accepted; with the
335     + exception of debug and no_warn these are ignored.
336     +
337     + The arguments that are specific to pam_abl are as follows:
338     +
339     + Specify the name of the databases that will be used to log
340     + failed authentication attempts. The host database is used to
341     + host_db, log the hostname responsible for a failed auth and the user
342     + user_db database is used to log the requested username. If host_db or
343     + user_db is omitted the corresponding auto blacklisting will be
344     + disabled.
345     + Specify the length of time for which failed attempts should be
346     + kept in the databases. For rules to work correctly this must be
347     + at least as long as the longest period specified in a
348     + corresponding rule. You may wish to retain information about
349     + failed attempts for longer than this so that the pam_abl
350     + command line tool can report information over a longer period
351     + host_purge, of time. The format for this item is a number with an optional
352     + user_purge multiplier suffix, 's', 'm', 'h' or 'd' which correspond with
353     + seconds, minutes, hours and days. To specify seven days for
354     + example one would use '7d'. Note that in normal operation
355     + pam_abl will only purge the logged data for a particular host
356     + or user if it happens to be updating it, i.e. if that host or
357     + user makes another failed attempt. To purge all old entries the
358     + pam_abl command line tool should be used.
359     + These are the rules which determine the circumstances under
360     + which accounts are auto-blacklisted. The host_rule is used to
361     + host_rule, block access to hosts that are responsible for excessive
362     + user_rule authentication failures and the user_rule is used to disable
363     + accounts for which there have been excessive authentication
364     + failures. The rule syntax is described in full below.
365     +
366     +Rule syntax:
367     +
368     + Each rule consists of a number of space separated 'user clauses'. A user
369     + clause specifies the user (and service) names to match and a set of
370     + triggers. A simple example would be
371     +
372     + *:10/1h
373     +
374     + which means 'block any user (*) if they are responsible for ten or more
375     + failed authentication attempts in the last hour'. In place of the '*' which
376     + matches any user a list of usernames can be supplied like this
377     +
378     + root|dba|admin:10/1h
379     +
380     + which means 'block the users root, dba and admin if they are responsible
381     + for ten or more failed authentication attempts in the last hour'. You can
382     + also specify a service name to match against like this
383     +
384     + root/sshd|dba/*:3/1d
385     +
386     + which means 'block the users root for service 'sshd' and dba for any
387     + service if they are responsible for three or more failed authentication
388     + attempts in the last day'. Finally you can specify multiple triggers like
389     + this
390     +
391     + root:10/1h,20/1d
392     +
393     + which means 'block the user root if they are responsible for ten or more
394     + failed attempts in the last hour or twenty or more failed attempts in the
395     + last day.
396     +
397     + Multiple rules can be provided separated by spaces like this
398     +
399     + *:10/1h root:5/1h,10/1d
400     +
401     + in which case all rules that match a particular user and service will be
402     + checked. The user or host will be blocked if any of the rule triggers
403     + matches. The sense of the user matching can be inverted by placing a '!' in
404     + front of the rule so that
405     +
406     + !root:20/1d
407     +
408     + is a rule which would match for all users apart from root. It is important
409     + to treat root as a special case in the user_rule otherwise excessive
410     + attempts to authenticate as root will result in the root account being
411     + locked out even for valid holders of root credentials.
412     +
413     + Here is the full syntax for rules:
414     +
415     + word ::= /[^\s\|\/\*]+/
416     + name ::= word | '*'
417     + username ::= name
418     + servicename ::= name
419     + userservice ::= username
420     + | username '/' servicename
421     + namelist ::= userservice
422     + | userservice '|' namelist
423     + userspec ::= namelist
424     + | '!' namelist
425     + multiplier ::= 's' | 'm' | 'h' | 'd'
426     + number ::= /\d+/
427     + period ::= number
428     + | number multiplier
429     + trigger ::= number '/' period
430     + triglist ::= trigger
431     + | trigger ',' triglist
432     + userclause ::= userspec ':' triglist
433     + rule ::= userclause
434     + | userclause /\s+/ rule
435     +
436     +Examples/suggested usage:
437     +
438     + Sample PAM config fragment:
439     +
440     + auth required pam_env.so
441     + auth required pam_abl.so config=/etc/security/pam_abl.conf
442     + auth sufficient pam_unix.so try_first_pass nullok
443     + auth required pam_deny.so
444     +
445     + Sample /etc/security/pam_abl.conf:
446     +
447     + # /etc/security/pam_abl.conf
448     + debug
449     + host_db=/var/lib/abl/hosts.db
450     + host_purge=2d
451     + host_rule=*:10/1h,30/1d
452     + user_db=/var/lib/abl/users.db
453     + user_purge=2d
454     + user_rule=!root:10/1h,30/1d
455     --- pam_abl/conf/system-auth 2006-06-17 20:02:05.000000000 +0200
456     +++ pam_abl/conf/system-auth.rsc 2006-06-17 20:07:49.000000000 +0200
457     @@ -1,15 +1,14 @@
458     #%PAM-1.0
459     -auth required /lib/security/$ISA/pam_env.so
460     -auth required /lib/security/$ISA/pam_abl.so config=/etc/security/pam_abl.conf
461     -auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
462     -auth required /lib/security/$ISA/pam_deny.so
463     +auth required pam_env.so
464     +auth required pam_abl.so config=/etc/security/pam_abl.conf
465     +auth sufficient pam_unix.so try_first_pass nullok
466     +auth required pam_deny.so
467    
468     -account required /lib/security/$ISA/pam_unix.so
469     +account required pam_unix.so
470    
471     -password required /lib/security/$ISA/pam_cracklib.so retry=3 type=
472     -password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
473     -password required /lib/security/$ISA/pam_deny.so
474     +password required pam_cracklib.so try_first_pass retry=3
475     +password sufficient pam_unix.so try_first_pass use_authtok nullok md5 shadow
476     +password required pam_deny.so
477    
478     -session required /lib/security/$ISA/pam_limits.so
479     -session required /lib/security/$ISA/pam_abl.so
480     -session required /lib/security/$ISA/pam_unix.so
481     +session required pam_limits.so
482     +session required pam_unix.so
483     --- pam_abl/doc/index.html 2005-10-12 21:22:27.000000000 +0200
484     +++ pam_abl/doc/index.html.rsc 2006-06-17 20:23:22.000000000 +0200
485     @@ -171,10 +171,10 @@
486     <p>Typically pam_abl.so is added to the auth stack as a required module just before whatever modules actually peform authentication. Here's a fragment of the PAM config for a production server that is running pam_abl:</p>
487    
488     <table class="config">
489     - <tr><td>auth</td><td>required</td><td>/lib/security/pam_env.so</td></tr>
490     - <tr><td>auth</td><td>required</td><td>/lib/security/pam_abl.so config=/etc/security/pam_abl.conf</td></tr>
491     - <tr><td>auth</td><td>sufficient</td><td>/lib/security/pam_unix.so likeauth nullok</td></tr>
492     - <tr><td>auth</td><td>required</td><td>/lib/security/pam_deny.so</td></tr>
493     + <tr><td>auth</td><td>required</td><td>pam_env.so</td></tr>
494     + <tr><td>auth</td><td>required</td><td>pam_abl.so config=/etc/security/pam_abl.conf</td></tr>
495     + <tr><td>auth</td><td>sufficient</td><td>pam_unix.so try_first_pass nullok</td></tr>
496     + <tr><td>auth</td><td>required</td><td>pam_deny.so</td></tr>
497     </table>
498    
499     <p>Although all of accepted arguments can be supplied here they will usually be placed in a separate config file and linked to using the config argument as in the above example. The <a href="pam_abl.html">pam_abl command line tool</a> reads the external config file (/etc/security/pam_abl.conf in this case) to find the databases so in order for it work correctly an external config should be used.</p>
500     @@ -282,10 +282,10 @@
501     <p>Sample PAM config fragment:</p>
502    
503     <table class="config">
504     - <tr><td>auth</td><td>required</td><td>/lib/security/pam_env.so</td></tr>
505     - <tr><td>auth</td><td>required</td><td>/lib/security/pam_abl.so config=/etc/security/pam_abl.conf</td></tr>
506     - <tr><td>auth</td><td>sufficient</td><td>/lib/security/pam_unix.so likeauth nullok</td></tr>
507     - <tr><td>auth</td><td>required</td><td>/lib/security/pam_deny.so</td></tr>
508     + <tr><td>auth</td><td>required</td><td>pam_env.so</td></tr>
509     + <tr><td>auth</td><td>required</td><td>pam_abl.so config=/etc/security/pam_abl.conf</td></tr>
510     + <tr><td>auth</td><td>sufficient</td><td>pam_unix.so try_first_pass nullok</td></tr>
511     + <tr><td>auth</td><td>required</td><td>pam_deny.so</td></tr>
512     </table>
513    
514     <p>Sample /etc/security/pam_abl.conf:</p>
515     --- pam_abl/QUICKSTART 1970-01-01 01:00:00.000000000 +0100
516     +++ pam_abl/QUICKSTART.rsc 2006-06-17 20:34:27.000000000 +0200
517     @@ -0,0 +1,23 @@
518     +QUICKSTART GUIDE
519     +
520     +------------------------------------------------------------------------
521     +Any time changes to the PAM configuration are done by hand, they have
522     +to be done with great care to avoid disabling system access by accident.
523     +------------------------------------------------------------------------
524     +
525     +To activate the use of pam_abl.so you need to add a PAM rule like
526     +
527     + auth required pam_abl.so config=/etc/security/pam_abl.conf
528     +
529     +i.e. in /etc/pam.d/system-auth. Doing so please be aware that
530     +/etc/pam.d/system-auth is auto-generated at e.g. Fedora Core and Red
531     +Hat Enterprise Linux systems and that user changes will be destroyed
532     +the next time authconfig is run, thus this step has to be redone.
533     +
534     +You are able to customize the pam_abl.so behaviour by editing
535     +/etc/security/pam_abl.conf. For detailed instructions please read
536     +the application's page online at
537     +
538     + http://www.hexten.net/sw/pam_abl/doc/index.html
539     +
540     +or have a look to the index.html and pam_abl.html documentation.

admin@koozali.org
ViewVC Help
Powered by ViewVC 1.2.1 RSS 2.0 feed