From d3ea4ac5edbb0b19e79556447299ca4f21fa5a25 Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Thu, 31 Jul 2003 12:40:54 +0000 Subject: Moved everything to trunk git-svn-id: file:///home/lennart/svn/public/pam_dotfile/trunk@13 5391d09e-f7c1-0310-8aa1-84a1c93f5a38 --- doc/Makefile.am | 35 +++++++ doc/README.html.in | 265 +++++++++++++++++++++++++++++++++++++++++++++++++++++ doc/style.css | 12 +++ 3 files changed, 312 insertions(+) create mode 100644 doc/Makefile.am create mode 100644 doc/README.html.in create mode 100644 doc/style.css (limited to 'doc') diff --git a/doc/Makefile.am b/doc/Makefile.am new file mode 100644 index 0000000..5c36d4e --- /dev/null +++ b/doc/Makefile.am @@ -0,0 +1,35 @@ +# $Id$ + +# This file is part of pam_dotfile. +# +# pam_dotfile is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# pam_dotfile is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with pam_dotfile; if not, write to the Free Software Foundation, +# Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA. + +noinst_DATA = README.html README +EXTRA_DIST = $(noinst_DATA) style.css README.html.in + +MAINTAINERCLEANFILES = README README.html +CLEANFILES = + +if USE_LYNX +README: README.html + lynx --dump $^ | sed 's,file://localhost/.*/doc/README.html,README,' > $@ + +CLEANFILES += README +endif + +tidy: README.html + tidy -e < README.html + +.PHONY: tidy diff --git a/doc/README.html.in b/doc/README.html.in new file mode 100644 index 0000000..59d4614 --- /dev/null +++ b/doc/README.html.in 
@@ -0,0 +1,265 @@ + + + + + +pam_dotfile @PACKAGE_VERSION@ + + + + +

pam_dotfile @PACKAGE_VERSION@

+ +

Copyright 2002,2003 Lennart Poettering <mzcnzqbgsvyr [at] itaparica.org>

+ + + +

License

+ +

This program is free software; you can redistribute it and/or +modify it under the terms of the GNU General Public License as +published by the Free Software Foundation; either version 2 of the +License, or (at your option) any later version.

+ +

This program is distributed in the hope that it will be useful, but +WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +General Public License for more details.

+ +

You should have received a copy of the GNU General Public License +along with this program; if not, write to the Free Software +Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.

+ +

News

+ +
Mon July 21 2003:

Version +0.6 released, changes include: Fix MD5 digest generation. This +breaks compatibility with pam_dotfile <= 0.5 unless +--enable-compat05 is specified at compile time. Minor other +fixes (mostly related to the build system). All users should update.

+ +
Tue July 8 2003:

Version +0.5 released, changes include: Autoconf support, fixed an important bug regarding a race on child process creation. All users should update.

+ +

Overview

+ +

pam_dotfileis a PAM module which allows users to have more +than one password for a single account, each for a different +service. This is desirable because many users have objections to using +the same password for (as an example) an IMAP4 mailbox and SSH +access. The IMAP4 password should be distinct from the SSH password +because the user wants to save the former in the configuration of his +mail agent, but not the latter. The same applies to POP3 mailboxes, +FTP and comparable services.

+ +

Status

+ +

Version @PACKAGE_VERSION@ is stable and feature complete.

+ +

Documentation

+ +

How does it work?

+ +

The module needs be activated for the specific service in the +configuration file /etc/pam.d/<service>. The user is +than able to create a second valid password for that service by +issuing the following commands:

+ +
+pam-dotfile-gen -a <service>
+
+ +

Replace <service> by the PAM service name, e.g. imapd. The user has to enter the new password twice. This will save the +password to ~/.pam-<service> in a hashed way.

+ +

A complete example for the service imap (for the IMAP server dovecot in this +case):

+ +

/etc/pam.d/imap:

+ +
+#%PAM-1.0
+auth sufficient pam_unix_auth.so
+auth sufficient pam_dotfile.so use_first_pass no_warn
+auth required pam_deny.so
+
+ +

As user waldo:

+ +
+[waldo@wonder] ~$ pam-dotfile-gen -a imap
+Password:quux
+Please repeat; password:quux
+Password added.
+
+ +

That's it. User waldo may now access his IMAP mail store either by +using his unix password or by using quux.

+ +

If you want to deny access with the unix password when a .pam file +exists, you should install the following /etc/pam.d/imap:

+ +
+#%PAM-1.0
+auth [success=done new_authtok_reqd=done authinfo_unavail=ignore default=die] pam_dotfile.so no_warn
+auth [success=done new_authtok_reqd=done default=die] pam_unix.so use_first_pass
+
+ +

Please note: the pam.d fragments shown above are based on Debian +GNU/Linux' default PAM installation. I know that some distributions +(i.e. Red Hat) use pam_pwdb.so instead of pam_unix.so as default +authentication mechanism. Please adapt the pam.d configuration to your +specific distribution.

+ +

Notes

+ +

For getting access to the user's files a SUID root helper utility +/sbin/pam-dotfile-helper is used.

+ +

The .pam files are ignored when their access mode AND 077 is non-zero, +when they are symlinks or when any parent directory is group or world +writable.

+ +

pam_dotfile will try to open the the following files for +authentication (in that order):

+ +
    +
  1. ~/.pam-<service>
  2. +
  3. ~/.pam/<service>
  4. +
  5. ~/.pam-other
  6. +
  7. ~/.pam/other
  8. +
+ +

The first file in this list that exists is used for +authentication. Regardless of any of the passwords contained therein +are correct the other files are NOT evaluated.

+ +

The hashing is implemented in the following way:

+ +
    +
  1. A 16 byte random string is read from /dev/urandom (salt)
  2. +
  3. It is formatted in a 32 character hexadecimal string
  4. +
  5. The password is appended
  6. +
  7. The MD5 hash of this string is calculated
  8. +
  9. The hash is formatted in another 32 character hexadecimal string
  10. +
  11. The result is the concatenation of the two hexadecimal strings
  12. +
+ +

I believe that this is somewhat secure. However, I am not a +cryptoanalyst, I cannot guarantee for this. (Probably a cryptoanalyst +cannot either.)

+ +

The hashing function changed a little from 0.5 to 0.6. There was an +ugly error in formatting the digest into a hexadecimal string. By fixing +this the old hashed passwords became incompatible with newer releases +of pam_dotfile. For sake of compatibility I added the option +--enable-compat05 to the configure script. Passwords +for 0.6 are prefixed with a + in the dot files, older +passwords are not. You are encouraged to fix your passwords to comply +with the new version.

+ +

pam-dotfile-gen may be used as a filter that reads a text stream +with unencrypted passwords and crypts them. Empty lines and those +starting with # are passed in an unmodified way to STDOUT. Thus the +user may comment the passwords in his .pam files.

+ +

PAM parameters

+ + + + +

Requirements

+ +

pam_dotfile was developed and tested on Debian GNU/Linux +"testing" from July 2003, it should work on most other Linux +distributions (and maybe Unix versions) since it uses GNU autoconf and +GNU libtool for source code configuration and shared library +management.

+ +

You need the PAM development headers installed (naturally...)

+ +

Installation

+ +

As this package is made with the GNU autotools you should run +./configure inside the distribution directory for configuring +the source tree. After that you should run make for +compilation and make install (as root) for installation of +pam_dotfile.

+ +

If you upgrade from versions prior to 0.6 you should pass +--enable-compat05 to configure to enable +compatibility with old user dot files. If you do not specify this, old +passwords are ignored, the users have to recreate their passwords with +pam-dotfile-gen.

+ +

If you do a fresh install you should not pass +--enable-compat05 to configure. (An alternative is +to specify --enable-compat05 but to disable it afterwards by +using nocompat05 on the pam configuration line.)

+ +

Acknowledgements

+ +

This software includes an implementation of the MD5 algorithm by +L. Peter Deutsch. Thanks to him for this.

+ +

Oliver Kurth for packaging pam_dotfile for Debian

+ +

Christian Loitsch provided a patch with some bugfixes and support +for stat_only_home

+ +

Download

+ +

The newest release is always available from http://www.stud.uni-hamburg.de/~lennart/projects/pam_dotfile/

+ +

The current release is @PACKAGE_VERSION@

+ +

You may find a mostly up to date Debian package of pam_dotfile on the Debian package repository.

+ +
+ +
Lennart Poettering <mzcnzqbgsvyr [at] itaparica.org>, July 2003
+
$Id$
+ + + diff --git a/doc/style.css b/doc/style.css new file mode 100644 index 0000000..0a40aef --- /dev/null +++ b/doc/style.css @@ -0,0 +1,12 @@ +/* $Id$ */ +body { color: black; background-color: white; margin: 0.5cm; } +a:link, a:visited { color: #900000; } +p { margin-left: 0.5cm; margin-right: 0.5cm; } +div.news-date { margin-left: 0.5cm; font-size: 80%; color: #4f0000; } +p.news-text { margin-left: 1cm; } +ul { margin-left: .5cm; } +ol { margin-left: .5cm; } +h1 { color: #00009F; } +h2 { color: #00009F; } +h3 { color: #00004F; margin-left: 0.5cm; } +pre { margin-left: .5cm; background-color: #f0f0f0; padding: 0.4cm;} -- cgit
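Review bot: in the doc/Makefile.am hunk, `noinst_DATA = README.html README` lists README unconditionally, but the only rule that produces it (`README: README.html` with `lynx --dump`) is inside `if USE_LYNX`; on a checkout where configure did not find lynx, `make` fails with no rule to make target README, and the `EXTRA_DIST = $(noinst_DATA)` copy only helps when building from a release tarball that already contains it. Suggest moving README into the conditional as well, e.g. `noinst_DATA = README.html` at the top and `noinst_DATA += README` next to `CLEANFILES += README` inside the `if USE_LYNX` block, so a lynx-less build still succeeds. Minor: the `tidy` target only validates and has no `.PHONY`-style dependency on README.html being regenerated, which is fine, but the FSF address in this header (59 Temple Place) differs from the one in README.html.in (675 Mass Ave); pick one.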
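Review bot: the "Notes" section of doc/README.html.in leaves the file-selection behaviour ambiguous in a way that matters for security: it says a .pam file is ignored when its mode AND 077 is non-zero, when it is a symlink, or when a parent directory is group or world writable, and separately that "The first file in this list that exists is used for authentication" and the other files are NOT evaluated. The text should say whether a file rejected by those checks still counts as existing (the search stops and authentication fails closed) or is skipped so that the next candidate such as ~/.pam-other is tried, since the two behaviours differ when, say, ~/.pam is world writable; one sentence stating whichever the helper actually does would settle it. The "PAM parameters" heading has no body, although the examples and text use `use_first_pass`, `no_warn`, `nocompat05` and `stat_only_home`; each option belongs there with its meaning and default. In the hashing description, the steps amount to a single MD5 over the 32-character hex salt plus the password; rather than "I believe that this is somewhat secure", the doc could state the concrete property (the salt defeats precomputed tables, but a single fast digest gives little protection against offline guessing of a leaked dot file) so users can judge the risk, and the "crypts them" wording in the pam-dotfile-gen filter paragraph should match the "hashed" wording used elsewhere. Typos in the hunk: "pam_dotfileis" (missing space), "needs be activated", "The user is than able" (then), "Regardless of any of the passwords" (Regardless of whether), and "open the the following files".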