$Id: pam_filter.sgml,v 1.1.1.2 2002/09/15 20:08:29 hartmans Exp $

This file was written by Andrew G. Morgan <morgan@kernel.org>

<sect1>The filter module

<tag><bf>Module Name:</bf></tag>

<tag><bf>Author:</bf></tag>
Andrew G. Morgan <morgan@kernel.org>

<tag><bf>Maintainer:</bf></tag>

<tag><bf>Management groups provided:</bf></tag>
account; authentication; password; session

<tag><bf>Cryptographically sensitive:</bf></tag>

<tag><bf>Security rating:</bf></tag>

<tag><bf>Clean code base:</bf></tag>
This module compiles cleanly on Linux based systems.

<tag><bf>System dependencies:</bf></tag>
To function it requires <em/filters/ to be installed on the system.

<tag><bf>Network aware:</bf></tag>

<sect2>Overview of module

This module was written to offer a plug-in alternative to programs
like ttysnoop (XXX - need a reference). Since no filter that performs
this function has been written, it is currently only a toy.
The single filter provided with the module simply transposes upper and
lower case letters in the input and output streams. (This can be very
annoying and is not kind to termcap-based editors.)

<sect2>Account+Authentication+Password+Session components

<tag><bf>Recognized arguments:</bf></tag>
<tt/debug/; <tt/new_term/; <tt/non_term/; <tt/runX/

<tag><bf>Description:</bf></tag>
Each component of the module has the potential to invoke the desired
filter. The filter is always <tt/execv(2)/d with the privilege of the
calling application and <bf/not/ that of the user. For this reason it
cannot usually be killed by the user without closing their session.

The behavior of the module can be significantly altered by the
arguments passed to it in the <bf/Linux-PAM/ configuration file:

<tt/debug/: this option increases the amount of information logged to
<tt/syslog(3)/ as the module is executed.

<tt/new_term/: the default action of the filter is to set the <tt/PAM_TTY/ item to
indicate the terminal that the user is using to connect to the
application. This argument indicates that the filter should set
<tt/PAM_TTY/ to the filtered pseudo-terminal.

<tt/non_term/: don't try to set the <tt/PAM_TTY/ item.

<tt/runX/: for the module to invoke a filter, it must know when to
invoke it. This argument is required to tell the filter when to do
this. The arguments that follow this one are respectively the full
pathname of the filter to be run and any command line arguments that
the filter might expect.

Permitted values for <tt/X/ are <tt/1/ and <tt/2/. These indicate the
precise time that the filter is to be run. To understand this concept
it will be useful to have read the Linux-PAM Module developer's
guide. Basically, for each management group there are up to two ways
of calling the module's functions.

In the case of the <em/authentication/ and <em/session/ components
there are actually two separate functions. For the case of
authentication, these functions are <tt/_authenticate/ and
<tt/_setcred/ -- here <tt/run1/ means run the filter from the
<tt/_authenticate/ function and <tt/run2/ means run the filter from
<tt/_setcred/. In the case of the session modules, <tt/run1/ implies
that the filter is invoked at the <tt/_open_session/ stage, and
<tt/run2/ for <tt/_close_session/.

For the case of the account component. Either <tt/run1/ or <tt/run2/

For the case of the password component, <tt/run1/ is used to indicate
that the filter is run on the first occasion <tt/_chauthtok/ is run
(the <tt/PAM_PRELIM_CHECK/ phase) and <tt/run2/ is used to indicate
that the filter is run on the second occasion (the
<tt/PAM_UPDATE_AUTHTOK/ phase).

<tag><bf>Examples/suggested usage:</bf></tag>
At the time of writing there is little real use to be made of this
module. For fun you might try adding the following line to your
login's configuration entries

# An example to see how to configure login to transpose upper and
# lower case letters once the user has logged in(!)

login session required pam_filter.so \
run1 /usr/sbin/pam_filter/upperLOWER

End of sgml insert for this module.
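
Because the filter runs with the calling application's privilege and sits on the user's terminal stream, it is worth knowing which entries enable it and at which stage. The following is an added example, not part of the original documentation or the Linux-PAM source: a Python audit of pam.conf-style entries using the argument rules described above. The names `audit_pam_filter`, `STAGES` and `SAMPLE`, the second sample entry, the `auth` configuration token, the `_acct_mgmt` name and the restriction to simple control keywords are assumptions of the example.

```python
import shlex

# (management group, runX) -> module function that runs the filter, per the text.
STAGES = {
    ("auth", "run1"): "_authenticate", ("auth", "run2"): "_setcred",
    ("session", "run1"): "_open_session", ("session", "run2"): "_close_session",
    ("password", "run1"): "_chauthtok (PAM_PRELIM_CHECK)",
    ("password", "run2"): "_chauthtok (PAM_UPDATE_AUTHTOK)",
    # Assumption: _acct_mgmt is the Linux-PAM account hook name; not on this page.
    ("account", "run1"): "_acct_mgmt", ("account", "run2"): "_acct_mgmt",
}
OPTIONS = {"debug", "new_term", "non_term"}

def audit_pam_filter(conf_text):
    """Yield one finding per pam_filter.so entry in pam.conf-style text."""
    # A trailing backslash continues an entry on the next line.
    for line in conf_text.replace("\\\n", " ").splitlines():
        fields = shlex.split(line, comments=True)
        if len(fields) < 4 or not fields[3].endswith("pam_filter.so"):
            continue
        service, group, _control, _module, *args = fields
        entry = {"service": service, "group": group, "run": None, "stage": None,
                 "filter": None, "filter_args": [], "options": [], "problems": []}
        for i, arg in enumerate(args):
            if arg in ("run1", "run2"):
                entry["run"], entry["stage"] = arg, STAGES.get((group, arg))
                entry["filter"] = args[i + 1] if len(args) > i + 1 else None
                entry["filter_args"] = args[i + 2:]
                break
            if arg in OPTIONS:
                entry["options"].append(arg)
            else:
                entry["problems"].append(f"unrecognized argument {arg!r}")
        if entry["run"] is None:
            entry["problems"].append("no runX argument, so no filter is named")
        elif entry["filter"] is None:
            entry["problems"].append("runX given without a filter pathname")
        elif not entry["filter"].startswith("/"):
            entry["problems"].append("filter is not a full pathname")
        yield entry

# Constructed sample: the first entry is the example from the text above.
SAMPLE = """\
login session required pam_filter.so \\
      run1 /usr/sbin/pam_filter/upperLOWER
su auth required pam_filter.so debug run2 upperLOWER
"""

if __name__ == "__main__":
    print(*audit_pam_filter(SAMPLE), sep="\n")
```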