| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202 |
- <?xml version="1.0" encoding='UTF-8'?>
- <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
- "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">
- <refentry id="pam_securetty">
- <refmeta>
- <refentrytitle>pam_securetty</refentrytitle>
- <manvolnum>8</manvolnum>
- <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo>
- </refmeta>
- <refnamediv id="pam_securetty-name">
- <refname>pam_securetty</refname>
- <refpurpose>Limit root login to special devices</refpurpose>
- </refnamediv>
- <refsynopsisdiv>
- <cmdsynopsis id="pam_securetty-cmdsynopsis">
- <command>pam_securetty.so</command>
- <arg choice="opt">
- debug
- </arg>
- </cmdsynopsis>
- </refsynopsisdiv>
- <refsect1 id="pam_securetty-description">
- <title>DESCRIPTION</title>
- <para>
- pam_securetty is a PAM module that allows root logins only if the
- user is logging in on a "secure" tty, as defined by the listing
- in the <filename>securetty</filename> file. pam_securetty checks at
- first, if <filename>/etc/securetty</filename> exists. If not and
- it was built with vendordir support, it will use
- <filename>%vendordir%/securetty</filename>. pam_securetty also
- checks that the <filename>securetty</filename> files are plain
- files and not world writable. It will also allow root logins on
- the tty specified with <option>console=</option> switch on the
- kernel command line and on ttys from the
- <filename>/sys/class/tty/console/active</filename>.
- </para>
- <para>
- This module has no effect on non-root users and requires that the
- application fills in the <emphasis remap='B'>PAM_TTY</emphasis>
- item correctly.
- </para>
- <para>
- For canonical usage, should be listed as a
- <emphasis remap='B'>required</emphasis> authentication method
- before any <emphasis remap='B'>sufficient</emphasis>
- authentication methods.
- </para>
- </refsect1>
- <refsect1 id="pam_securetty-options">
- <title>OPTIONS</title>
- <variablelist>
- <varlistentry>
- <term>
- <option>debug</option>
- </term>
- <listitem>
- <para>
- Print debug information.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>
- <option>noconsole</option>
- </term>
- <listitem>
- <para>
- Do not automatically allow root logins on the kernel console
- device, as specified on the kernel command line or by the sys file,
- if it is not also specified in the
- <filename>securetty</filename> file.
- </para>
- </listitem>
- </varlistentry>
- </variablelist>
- </refsect1>
- <refsect1 id="pam_securetty-types">
- <title>MODULE TYPES PROVIDED</title>
- <para>
- Only the <option>auth</option> module type is provided.
- </para>
- </refsect1>
- <refsect1 id='pam_securetty-return_values'>
- <title>RETURN VALUES</title>
- <variablelist>
- <varlistentry>
- <term>PAM_SUCCESS</term>
- <listitem>
- <para>
- The user is allowed to continue authentication.
- Either the user is not root, or the root user is
- trying to log in on an acceptable device.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>PAM_AUTH_ERR</term>
- <listitem>
- <para>
- Authentication is rejected. Either root is attempting to
- log in via an unacceptable device, or the
- <filename>securetty</filename> file is world writable or
- not a normal file.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>PAM_BUF_ERR</term>
- <listitem>
- <para>
- Memory buffer error.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>PAM_CONV_ERR</term>
- <listitem>
- <para>
- The conversation method supplied by the application
- failed to obtain the username.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>PAM_INCOMPLETE</term>
- <listitem>
- <para>
- The conversation method supplied by the application
- returned PAM_CONV_AGAIN.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>PAM_SERVICE_ERR</term>
- <listitem>
- <para>
- An error occurred while the module was determining the
- user's name or tty, or the module could not open
- the <filename>securetty</filename> file.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>PAM_USER_UNKNOWN</term>
- <listitem>
- <para>
- The module could not find the user name in the
- <filename>/etc/passwd</filename> file to verify whether
- the user had a UID of 0. Therefore, the results of running
- this module are ignored.
- </para>
- </listitem>
- </varlistentry>
- </variablelist>
- </refsect1>
- <refsect1 id='pam_securetty-examples'>
- <title>EXAMPLES</title>
- <para>
- <programlisting>
- auth required pam_securetty.so
- auth required pam_unix.so
- </programlisting>
- </para>
- </refsect1>
- <refsect1 id='pam_securetty-see_also'>
- <title>SEE ALSO</title>
- <para>
- <citerefentry>
- <refentrytitle>securetty</refentrytitle><manvolnum>5</manvolnum>
- </citerefentry>,
- <citerefentry>
- <refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum>
- </citerefentry>,
- <citerefentry>
- <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
- </citerefentry>,
- <citerefentry>
- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
- </citerefentry>
- </para>
- </refsect1>
- <refsect1 id='pam_securetty-author'>
- <title>AUTHOR</title>
- <para>
- pam_securetty was written by Elliot Lee <sopwith@cuc.edu>.
- </para>
- </refsect1>
- </refentry>
|
