/[smeserver]/rpms/pam_abl/sme10/pam_abl-0.2.3-fixes.patch
ViewVC logotype

Contents of /rpms/pam_abl/sme10/pam_abl-0.2.3-fixes.patch

Parent Directory Parent Directory | Revision Log Revision Log | View Revision Graph Revision Graph


Revision 1.1 - (show annotations) (download)
Fri Mar 18 10:53:17 2016 UTC (8 years, 7 months ago) by unnilennium
Branch: MAIN
CVS Tags: pam_abl-0_2_3-2_el7_sme, HEAD
Error occurred while calculating annotation data.
Initial import

1 Patch by Robert Scheck <robert@fedoraproject.org> for pam_abl 0.2.3, changes:
2
3 * pam_abl/pam_abl.c
4 - Fixed compiler warning "dereferencing type-punned pointer will break
5 strict-aliasing rules"
6
7 * pam_abl/Makefile
8 - Always honor $RPM_OPT_FLAGS when available
9 - Fixed the make warning "jobserver unavailable: using -j1. Add `+' to
10 parent make rule"
11
12 * pam_abl/tools/Makefile
13 - Always honor $RPM_OPT_FLAGS when available
14
15 * pam_abl/doc/pam_abl.1
16 - Initial version of a pam_abl man page based on the current docs
17
18 * pam_abl/CONFIGURATION
19 - Initial version of a pam_abl text documentation based on the HTML files
20
21 * pam_abl/conf/system-auth
22 - Removed use of /lib/security/$ISA, because it will break on any 64 bit
23 system having /lib64 instead of /lib; should fix sf.net Bug ID #1325837
24
25 * pam_abl/doc/index.html
26 - Never ever use /lib/security, will break any 64 bit compatibility
27
28 * pam_abl/QUICKSTART
29 - Quickstart guide heavily based on README.fedora written by the Fedora
30 Extras maintainer Alexander Dalloz <alex {%} dalloz {*} de>
31
32 Following patch was sent upstream at Sat, 17 Jun 2006 21:24:50 +0200 and it
33 was confirmed by the upstream maintainer, that this patch will be added to
34 the next pam_abl release - but unfortunately nothing happened, yet.
35
36 --- pam_abl/pam_abl.c 2005-10-12 21:22:26.000000000 +0200
37 +++ pam_abl/pam_abl.c.rsc 2006-06-17 18:36:44.000000000 +0200
38 @@ -168,7 +168,7 @@
39 const char *rhost;
40 int err;
41
42 - if (err = pam_get_item(args->pamh, PAM_RHOST, (const void **) &rhost), PAM_SUCCESS != err) {
43 + if (err = pam_get_item(args->pamh, PAM_RHOST, (const void **)( const void*) &rhost), PAM_SUCCESS != err) {
44 log_pam_error(args, err, "getting PAM_RHOST");
45 return err;
46 }
47 @@ -187,7 +187,7 @@
48 if (NULL != args->user_db) {
49 const char *user;
50 int err;
51 - if (err = pam_get_item(args->pamh, PAM_USER, (const void **) &user), PAM_SUCCESS != err) {
52 + if (err = pam_get_item(args->pamh, PAM_USER, (const void **) (const void*) &user), PAM_SUCCESS != err) {
53 log_pam_error(args, err, "getting PAM_USER");
54 return err;
55 }
56 @@ -285,7 +285,7 @@
57 if (NULL != args->host_db) {
58 const char *rhost;
59 int err;
60 - if (err = pam_get_item(args->pamh, PAM_RHOST, (const void **) &rhost), PAM_SUCCESS != err) {
61 + if (err = pam_get_item(args->pamh, PAM_RHOST, (const void **) (const void*) &rhost), PAM_SUCCESS != err) {
62 log_pam_error(args, err, "getting PAM_RHOST");
63 return err;
64 }
65 @@ -316,12 +316,12 @@
66 const char *user;
67 const char *service;
68
69 - if (err = pam_get_item(args->pamh, PAM_USER, (const void **) &user), PAM_SUCCESS != err) {
70 + if (err = pam_get_item(args->pamh, PAM_USER, (const void **) (const void*) &user), PAM_SUCCESS != err) {
71 log_pam_error(args, err, "getting PAM_USER");
72 return err;
73 }
74
75 - if (err = pam_get_item(args->pamh, PAM_SERVICE, (const void **) &service), PAM_SUCCESS != err) {
76 + if (err = pam_get_item(args->pamh, PAM_SERVICE, (const void **) (const void*) &service), PAM_SUCCESS != err) {
77 log_pam_error(args, err, "getting PAM_SERVICE");
78 return err;
79 }
80 @@ -374,9 +374,9 @@
81 check_attempt(args, &rv);
82 if (rv) {
83 const char *rhost, *user, *service;
84 - if (PAM_SUCCESS == pam_get_item(args->pamh, PAM_RHOST, (const void **) &rhost ) &&
85 - PAM_SUCCESS == pam_get_item(args->pamh, PAM_USER, (const void **) &user ) &&
86 - PAM_SUCCESS == pam_get_item(args->pamh, PAM_SERVICE, (const void **) &service)) {
87 + if (PAM_SUCCESS == pam_get_item(args->pamh, PAM_RHOST, (const void **) (const void*) &rhost ) &&
88 + PAM_SUCCESS == pam_get_item(args->pamh, PAM_USER, (const void **) (const void*) &user ) &&
89 + PAM_SUCCESS == pam_get_item(args->pamh, PAM_SERVICE, (const void **) (const void*) &service)) {
90 log_info(args, "Blocking access from %s to service %s, user %s", rhost, service, user);
91 }
92 return PAM_AUTH_ERR;
93 --- pam_abl/Makefile 2005-10-12 21:22:25.000000000 +0200
94 +++ pam_abl/Makefile.rsc 2006-06-17 18:45:43.000000000 +0200
95 @@ -1,7 +1,7 @@
96 # Makefile
97 # $Id: Makefile,v 1.1.1.1 2005/10/12 19:22:25 tagishandy Exp $
98
99 -CFLAGS=-Wall -fPIC
100 +CFLAGS=-Wall -fPIC $(RPM_OPT_FLAGS)
101 PAMDIR=/lib/security
102 CONFDIR=/etc/security
103 DBDIR=/var/lib/abl
104 @@ -11,26 +11,26 @@
105 SUBDIRS=tools
106
107 all : $(MODULE)
108 - for d in $(SUBDIRS) ; do cd $$d && make $@ && cd .. ; done
109 + for d in $(SUBDIRS) ; do cd $$d && $(MAKE) $@ && cd .. ; done
110
111 $(MODULE) : $(OBJ)
112 ld -x --shared $(LIBS) -o $@ $^
113
114 clean :
115 rm -f $(MODULE) $(OBJ)
116 - for d in $(SUBDIRS) ; do cd $$d && make $@ && cd .. ; done
117 + for d in $(SUBDIRS) ; do cd $$d && $(MAKE) $@ && cd .. ; done
118
119 install : $(MODULE)
120 install --mode=755 --strip $(MODULE) $(PAMDIR)
121 #install --mode=644 conf/pam_abl.conf $(CONFDIR)
122 install -d --mode=755 $(DBDIR)
123 - for d in t $(SUBDIRS) ; do cd $$d && make $@ && cd .. ; done
124 + for d in t $(SUBDIRS) ; do cd $$d && $(MAKE) $@ && cd .. ; done
125
126 depend :
127 cc -MM *.c > deps
128 - for d in $(SUBDIRS) ; do cd $$d && make $@ && cd .. ; done
129 + for d in $(SUBDIRS) ; do cd $$d && $(MAKE) $@ && cd .. ; done
130
131 test :
132 - cd t && make && cd ..
133 + cd t && $(MAKE) && cd ..
134
135 include deps
136 --- pam_abl/tools/Makefile 2005-10-12 21:22:27.000000000 +0200
137 +++ pam_abl/tools/Makefile.rsc 2006-06-17 19:15:25.000000000 +0200
138 @@ -1,6 +1,6 @@
139 # Makefile
140
141 -CFLAGS=-Wall
142 +CFLAGS=-Wall -fPIC $(RPM_OPT_FLAGS)
143 LIBS=-ldb -lpthread
144 TARGET=pam_abl
145 OBJ=log.o config.o rule.o pam_abl.o
146 --- pam_abl/doc/pam_abl.1 1970-01-01 01:00:00.000000000 +0100
147 +++ pam_abl/doc/pam_abl.1.rsc 2006-06-17 20:02:44.000000000 +0200
148 @@ -0,0 +1,52 @@
149 +.TH pam_abl 1 "Oct 13, 2005"
150 +.LO 1
151 +.SH NAME
152 +pam_abl - query or purge the databases used by the pam_abl module
153 +.SH OVERVIEW
154 +\fBpam_abl\fR [ \fIOPTIONS \fR] [ \fICONFIG \fR]
155 +.SH DESCRIPTION
156 +Performs maintenance on the databases used by the pam_abl (auto blacklist) module. CONFIG is the name of the pam_abl config file (/etc/security/pam_abl.conf). The config file is read to discover the names of the pam_abl databases and the rules that control purging of old data from them.
157 +.SH OPTIONS
158 +.TP
159 +.B -h, --help
160 +See a help message
161 +.TP
162 +.B -p, --purge
163 +Purge databases according to purge rules in config
164 +.TP
165 +.B -r, --relative
166 +Display times relative to now otherwise absolute times will be displayed
167 +.TP
168 +.B -v, --verbose
169 +Verbose output
170 +.TP
171 +.B --okuser=USER
172 +Unblock USER
173 +.TP
174 +.B --okhost=HOST
175 +Unblock HOST
176 +.SH EXAMPLES
177 +.TP
178 +Obtain a list of failed hosts and users:
179 +$ pam_abl
180 +.TP
181 +Obtain a full list of failures listing times relative to now:
182 +$ pam_abl -rv
183 +.br
184 +$ pam_abl --relative --verbose
185 +.TP
186 +Purge old data:
187 +$ pam_abl -p
188 +.br
189 +$ pam_abl --purge
190 +.TP
191 +Unblock all example.com, somewhere.com hosts:
192 +$ pam_abl -v --okhost=*.example.com --okhost=*.somewhere.com
193 +.SH AUTHOR
194 +Andy Armstrong <andy@hexten.net>
195 +.SH SEE ALSO
196 +/usr/share/doc/pam_abl-*/CONFIGURATION
197 +.SH REPORT BUGS
198 +Please report bugs in English language to the author.
199 +.SH COPYRIGHT
200 +pam_abl is licensed under GNU General Public License, the complete license you can get at: http://www.gnu.org/copyleft/gpl.html
201 --- pam_abl/CONFIGURATION 1970-01-01 01:00:00.000000000 +0100
202 +++ pam_abl/CONFIGURATION.rsc 2006-06-17 20:02:44.000000000 +0200
203 @@ -0,0 +1,251 @@
204 +The Auto Blacklist Module: pam_abl
205 +
206 +Synopsis
207 +
208 +Module name:
209 + pam_abl
210 +Author:
211 + Andy Armstrong <andy@hexten.net>
212 +Maintainer:
213 + Andy Armstrong <andy@hexten.net>
214 +Management groups provided:
215 + auth
216 +Cryptographically sensitive:
217 + No.
218 +Security rating:
219 +Clean code base:
220 + Clean.
221 +System dependencies:
222 + Requires Berkeley DB (tested with 4.3.21 and 4.2.50).
223 + Requires a configuration file (by convention /etc/security/pam_abl.conf)
224 +Network aware:
225 + No.
226 +
227 +Overview of module
228 +
229 +Provides auto blacklisting of hosts and users responsible for repeated failed
230 +authentication attempts. Generally configured so that blacklisted users still
231 +see normal login prompts but are guaranteed to fail to authenticate.
232 +
233 +This functionality is only available to services which call PAM as root. If
234 +pam_abl is called for uid != 0 it will silently succeed.
235 +
236 +Auth component
237 +
238 +Recognised arguments:
239 +
240 + Name Arguments Description
241 + debug None Enable debug output to syslog.
242 + expose_account None Ignored
243 + no_warn None Disable warnings which are otherwise output
244 + to syslog.
245 + try_first_pass None Ignored
246 + use_first_pass None Ignored
247 + use_mapped_pass None Ignored
248 + The configuration file contains additional
249 + arguments. In order for the pam_abl command
250 + Path to the line tool to work correctly most of the
251 + config configuration configuration should be placed in the config
252 + file. file rather than being provided by arguments.
253 + The format of the config file is described
254 + below.
255 + Path to host Path to the Berkeley DB which is used to log
256 + host_db database the host responsible for failed
257 + file. authentication attempts.
258 + Purge time Defines how long failed hosts are retained in
259 + host_purge for the host the host database. Defaults to 1 day.
260 + database.
261 + Rule for host The rule (see below for format) which defines
262 + host_rule blacklisting. the conditions under which a failed hosts
263 + will be blackisted.
264 + Path to user Path to the Berkeley DB which is used to log
265 + user_db database the user responsible for failed
266 + file. authentication attempts.
267 + Purge time Defines how long failed users are retained in
268 + user_purge for the user the user database. Defaults to 1 day.
269 + database.
270 + Rule for user The rule (see below for format) which defines
271 + user_rule blacklisting. the conditions under which a failed users
272 + will be blackisted.
273 +
274 +Description:
275 +
276 + Brute force password discovery attacks involve repeated attempts to
277 + authenticate against a service using a dictionary of common passwords.
278 + While it is desirable to enforce strong passwords for users this is not
279 + always possible and in cases where a weak password has been used brute
280 + force attacks can be effective.
281 +
282 + The pam_abl module monitors failed authentication attempts and
283 + automatically blacklists those hosts (and accounts) that are responsible
284 + for large numbers of failed attempts. Once a host is blacklisted it is
285 + guaranteed to fail authentication even if the correct credentials are
286 + provided.
287 +
288 + Blacklisting is triggered when the number of failed authentication attempts
289 + in a particular period of time exceeds a predefined limit. Hosts which stop
290 + attempting to authenticate will, after a period of time, be un-blacklisted.
291 +
292 + This functionality is only available to services which call PAM as root. If
293 + pam_abl is called for uid != 0 it will silently succeed. If this was not
294 + the case it would be possible for a malicious local user to poison the
295 + pam_abl data by, for example, discovering the names of the hosts from which
296 + root typically logs in and then constructing PAM authentication code to
297 + lock out root login attempts from those hosts.
298 +
299 +Usage:
300 +
301 + Typically pam_abl.so is added to the auth stack as a required module just
302 + before whatever modules actually peform authentication. Here's a fragment
303 + of the PAM config for a production server that is running pam_abl:
304 +
305 + auth required pam_env.so
306 + auth required pam_abl.so config=/etc/security/pam_abl.conf
307 + auth sufficient pam_unix.so try_first_pass nullok
308 + auth required pam_deny.so
309 +
310 + Although all of accepted arguments can be supplied here they will usually
311 + be placed in a separate config file and linked to using the config argument
312 + as in the above example. The pam_abl command line tool reads the external
313 + config file (/etc/security/pam_abl.conf in this case) to find the databases
314 + so in order for it work correctly an external config should be used.
315 +
316 +Config file syntax:
317 +
318 + The config file can contain any arguments that would be supplied via PAM
319 + config. In the config file arguments are placed on separate lines. Comments
320 + may be included after a '#' and line continuation is possible by placing a
321 + back slash at the end of the line to be continued. Here is a sample /etc/
322 + security/pam_abl.conf:
323 +
324 + # /etc/security/pam_abl.conf
325 + debug
326 + host_db=/var/lib/abl/hosts.db
327 + host_purge=2d
328 + host_rule=*:10/1h,30/1d
329 + user_db=/var/lib/abl/users.db
330 + user_purge=2d
331 + user_rule=!root:10/1h,30/1d
332 +
333 + All of the standard PAM arguments (debug, expose_account, no_warn,
334 + try_first_pass, use_first_pass, use_mapped_pass) are accepted; with the
335 + exception of debug and no_warn these are ignored.
336 +
337 + The arguments that are specific to pam_abl are as follows:
338 +
339 + Specify the name of the databases that will be used to log
340 + failed authentication attempts. The host database is used to
341 + host_db, log the hostname responsible for a failed auth and the user
342 + user_db database is used to log the requested username. If host_db or
343 + user_db is omitted the corresponding auto blacklisting will be
344 + disabled.
345 + Specify the length of time for which failed attempts should be
346 + kept in the databases. For rules to work correctly this must be
347 + at least as long as the longest period specified in a
348 + corresponding rule. You may wish to retain information about
349 + failed attempts for longer than this so that the pam_abl
350 + command line tool can report information over a longer period
351 + host_purge, of time. The format for this item is a number with an optional
352 + user_purge multiplier suffix, 's', 'm', 'h' or 'd' which correspond with
353 + seconds, minutes, hours and days. To specify seven days for
354 + example one would use '7d'. Note that in normal operation
355 + pam_abl will only purge the logged data for a particular host
356 + or user if it happens to be updating it, i.e. if that host or
357 + user makes another failed attempt. To purge all old entries the
358 + pam_abl command line tool should be used.
359 + These are the rules which determine the circumstances under
360 + which accounts are auto-blacklisted. The host_rule is used to
361 + host_rule, block access to hosts that are responsible for excessive
362 + user_rule authentication failures and the user_rule is used to disable
363 + accounts for which there have been excessive authentication
364 + failures. The rule syntax is described in full below.
365 +
366 +Rule syntax:
367 +
368 + Each rule consists of a number of space separated 'user clauses'. A user
369 + clause specifies the user (and service) names to match and a set of
370 + triggers. A simple example would be
371 +
372 + *:10/1h
373 +
374 + which means 'block any user (*) if they are responsible for ten or more
375 + failed authentication attempts in the last hour'. In place of the '*' which
376 + matches any user a list of usernames can be supplied like this
377 +
378 + root|dba|admin:10/1h
379 +
380 + which means 'block the users root, dba and admin if they are responsible
381 + for ten or more failed authentication attempts in the last hour'. You can
382 + also specify a service name to match against like this
383 +
384 + root/sshd|dba/*:3/1d
385 +
386 + which means 'block the users root for service 'sshd' and dba for any
387 + service if they are responsible for three or more failed authentication
388 + attempts in the last day'. Finally you can specify multiple triggers like
389 + this
390 +
391 + root:10/1h,20/1d
392 +
393 + which means 'block the user root if they are responsible for ten or more
394 + failed attempts in the last hour or twenty or more failed attempts in the
395 + last day.
396 +
397 + Multiple rules can be provided separated by spaces like this
398 +
399 + *:10/1h root:5/1h,10/1d
400 +
401 + in which case all rules that match a particular user and service will be
402 + checked. The user or host will be blocked if any of the rule triggers
403 + matches. The sense of the user matching can be inverted by placing a '!' in
404 + front of the rule so that
405 +
406 + !root:20/1d
407 +
408 + is a rule which would match for all users apart from root. It is important
409 + to treat root as a special case in the user_rule otherwise excessive
410 + attempts to authenticate as root will result in the root account being
411 + locked out even for valid holders of root credentials.
412 +
413 + Here is the full syntax for rules:
414 +
415 + word ::= /[^\s\|\/\*]+/
416 + name ::= word | '*'
417 + username ::= name
418 + servicename ::= name
419 + userservice ::= username
420 + | username '/' servicename
421 + namelist ::= userservice
422 + | userservice '|' namelist
423 + userspec ::= namelist
424 + | '!' namelist
425 + multiplier ::= 's' | 'm' | 'h' | 'd'
426 + number ::= /\d+/
427 + period ::= number
428 + | number multiplier
429 + trigger ::= number '/' period
430 + triglist ::= trigger
431 + | trigger ',' triglist
432 + userclause ::= userspec ':' triglist
433 + rule ::= userclause
434 + | userclause /\s+/ rule
435 +
436 +Examples/suggested usage:
437 +
438 + Sample PAM config fragment:
439 +
440 + auth required pam_env.so
441 + auth required pam_abl.so config=/etc/security/pam_abl.conf
442 + auth sufficient pam_unix.so try_first_pass nullok
443 + auth required pam_deny.so
444 +
445 + Sample /etc/security/pam_abl.conf:
446 +
447 + # /etc/security/pam_abl.conf
448 + debug
449 + host_db=/var/lib/abl/hosts.db
450 + host_purge=2d
451 + host_rule=*:10/1h,30/1d
452 + user_db=/var/lib/abl/users.db
453 + user_purge=2d
454 + user_rule=!root:10/1h,30/1d
455 --- pam_abl/conf/system-auth 2006-06-17 20:02:05.000000000 +0200
456 +++ pam_abl/conf/system-auth.rsc 2006-06-17 20:07:49.000000000 +0200
457 @@ -1,15 +1,14 @@
458 #%PAM-1.0
459 -auth required /lib/security/$ISA/pam_env.so
460 -auth required /lib/security/$ISA/pam_abl.so config=/etc/security/pam_abl.conf
461 -auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
462 -auth required /lib/security/$ISA/pam_deny.so
463 +auth required pam_env.so
464 +auth required pam_abl.so config=/etc/security/pam_abl.conf
465 +auth sufficient pam_unix.so try_first_pass nullok
466 +auth required pam_deny.so
467
468 -account required /lib/security/$ISA/pam_unix.so
469 +account required pam_unix.so
470
471 -password required /lib/security/$ISA/pam_cracklib.so retry=3 type=
472 -password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
473 -password required /lib/security/$ISA/pam_deny.so
474 +password required pam_cracklib.so try_first_pass retry=3
475 +password sufficient pam_unix.so try_first_pass use_authtok nullok md5 shadow
476 +password required pam_deny.so
477
478 -session required /lib/security/$ISA/pam_limits.so
479 -session required /lib/security/$ISA/pam_abl.so
480 -session required /lib/security/$ISA/pam_unix.so
481 +session required pam_limits.so
482 +session required pam_unix.so
483 --- pam_abl/doc/index.html 2005-10-12 21:22:27.000000000 +0200
484 +++ pam_abl/doc/index.html.rsc 2006-06-17 20:23:22.000000000 +0200
485 @@ -171,10 +171,10 @@
486 <p>Typically pam_abl.so is added to the auth stack as a required module just before whatever modules actually peform authentication. Here's a fragment of the PAM config for a production server that is running pam_abl:</p>
487
488 <table class="config">
489 - <tr><td>auth</td><td>required</td><td>/lib/security/pam_env.so</td></tr>
490 - <tr><td>auth</td><td>required</td><td>/lib/security/pam_abl.so config=/etc/security/pam_abl.conf</td></tr>
491 - <tr><td>auth</td><td>sufficient</td><td>/lib/security/pam_unix.so likeauth nullok</td></tr>
492 - <tr><td>auth</td><td>required</td><td>/lib/security/pam_deny.so</td></tr>
493 + <tr><td>auth</td><td>required</td><td>pam_env.so</td></tr>
494 + <tr><td>auth</td><td>required</td><td>pam_abl.so config=/etc/security/pam_abl.conf</td></tr>
495 + <tr><td>auth</td><td>sufficient</td><td>pam_unix.so try_first_pass nullok</td></tr>
496 + <tr><td>auth</td><td>required</td><td>pam_deny.so</td></tr>
497 </table>
498
499 <p>Although all of accepted arguments can be supplied here they will usually be placed in a separate config file and linked to using the config argument as in the above example. The <a href="pam_abl.html">pam_abl command line tool</a> reads the external config file (/etc/security/pam_abl.conf in this case) to find the databases so in order for it work correctly an external config should be used.</p>
500 @@ -282,10 +282,10 @@
501 <p>Sample PAM config fragment:</p>
502
503 <table class="config">
504 - <tr><td>auth</td><td>required</td><td>/lib/security/pam_env.so</td></tr>
505 - <tr><td>auth</td><td>required</td><td>/lib/security/pam_abl.so config=/etc/security/pam_abl.conf</td></tr>
506 - <tr><td>auth</td><td>sufficient</td><td>/lib/security/pam_unix.so likeauth nullok</td></tr>
507 - <tr><td>auth</td><td>required</td><td>/lib/security/pam_deny.so</td></tr>
508 + <tr><td>auth</td><td>required</td><td>pam_env.so</td></tr>
509 + <tr><td>auth</td><td>required</td><td>pam_abl.so config=/etc/security/pam_abl.conf</td></tr>
510 + <tr><td>auth</td><td>sufficient</td><td>pam_unix.so try_first_pass nullok</td></tr>
511 + <tr><td>auth</td><td>required</td><td>pam_deny.so</td></tr>
512 </table>
513
514 <p>Sample /etc/security/pam_abl.conf:</p>
515 --- pam_abl/QUICKSTART 1970-01-01 01:00:00.000000000 +0100
516 +++ pam_abl/QUICKSTART.rsc 2006-06-17 20:34:27.000000000 +0200
517 @@ -0,0 +1,23 @@
518 +QUICKSTART GUIDE
519 +
520 +------------------------------------------------------------------------
521 +Any time changes to the PAM configuration are done by hand, they have
522 +to be done with great care to avoid disabling system access by accident.
523 +------------------------------------------------------------------------
524 +
525 +To activate the use of pam_abl.so you need to add a PAM rule like
526 +
527 + auth required pam_abl.so config=/etc/security/pam_abl.conf
528 +
529 +i.e. in /etc/pam.d/system-auth. Doing so please be aware that
530 +/etc/pam.d/system-auth is auto-generated at e.g. Fedora Core and Red
531 +Hat Enterprise Linux systems and that user changes will be destroyed
532 +the next time authconfig is run, thus this step has to be redone.
533 +
534 +You are able to customize the pam_abl.so behaviour by editing
535 +/etc/security/pam_abl.conf. For detailed instructions please read
536 +the application's page online at
537 +
538 + http://www.hexten.net/sw/pam_abl/doc/index.html
539 +
540 +or have a look to the index.html and pam_abl.html documentation.

admin@koozali.org
ViewVC Help
Powered by ViewVC 1.2.1 RSS 2.0 feed