summaryrefslogtreecommitdiff
blob: 97d83d57b2d5684d91ab9f1289e3ed5335be5706 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
<pkgmetadata>
  <herd>pam</herd>
  <maintainer>
    <email>pam-bugs@gentoo.org</email>
  </maintainer>
  <use>
    <flag name="cracklib">
      Enable pam_cracklib module on system authentication stack. This
      produces warnings when changing password to something easily
      crackable. It requires the same USE flag to be enabled on
      <pkg>sys-libs/pam</pkg> or system login might be impossible.
    </flag>
    <flag name="consolekit">
      Enable pam_ck_connector module on local system logins. This
      allows for console logins to make use of ConsoleKit
      authorization.
    </flag>
    <flag name="systemd">
      Use pam_systemd module to register user sessions in the systemd
      control group hierarchy.
    </flag>
    <flag name="gnome-keyring">
      Enable pam_gnome_keyring module on system login stack. This
      enables proper Gnome Keyring access to logins, whether they are
      done with the login shell, a Desktop Manager or a remote login
      systems such as SSH.
    </flag>
    <flag name="debug">
      Enable debug information logging on syslog(3) for all the
      modules supporting this in the system authentication and system
      login stacks.
    </flag>
    <flag name="passwdqc">
      Enable pam_passwdqc module on system auth stack for password
      quality validation. This is an alternative to pam_cracklib
      producing warnings, rejecting or providing example passwords
      when changing your system password. It is used by default by
      OpenWall GNU/*/Linux and by FreeBSD.
    </flag>
    <flag name="mktemp">
      Enable pam_mktemp module on system auth stack for session
      handling. This module creates a private temporary directory for
      the user, and sets TMP and TMPDIR accordingly.
    </flag>
    <flag name="pam_ssh">
      Enable pam_ssh module on system auth stack for authentication
      and session handling. This module will accept as password the
      passphrase of a private SSH key (one of ~/.ssh/id_rsa,
      ~/.ssh/id_dsa or ~/.ssh/identity), and will spawn an ssh-agent
      instance to cache the open key.
    </flag>
    <flag name="sha512">
      Switch Linux-PAM's pam_unix module to use sha512 for passwords
      hashes rather than MD5. This option requires
      <pkg>&gt;=sys-libs/pam-1.0.1</pkg> built against
      <pkg>&gt;=sys-libs/glibc-2.7</pkg>, if it's built against an
      earlier version, it will silently be ignored, and MD5 hashes
      will be used. All the passwords changed after this USE flag is
      enabled will be saved to the shadow file hashed using SHA512
      function. The password previously saved will be left
      untouched. Please note that while SHA512-hashed passwords will
      still be recognised if the USE flag is removed, the shadow file
      will not be compatible with systems using an earlier glibc
      version.
    </flag>
    <flag name="pam_krb5">
      Enable pam_krb5 module on system auth stack, as an alternative
      to pam_unix. If Kerberos authentication succeed, only pam_unix
      will be ignore, and all the other modules will proceed as usual,
      including Gnome Keyring and other session modules. It requires
      <pkg>sys-libs/pam</pkg> as PAM implementation.
    </flag>
    <flag name="minimal">
      Disables the standard PAM modules that provide extra information
      to users on login; this includes pam_tally (and pam_tally2 for
      Linux PAM 1.1 and later), pam_lastlog, pam_motd and other
      similar modules. This might not be a good idea on a multi-user
      system but could reduce slightly the overhead on single-user
      non-networked systems.
    </flag>
    <flag name="nullok">
      Enable the nullok option with the pam_unix module. This allows
      people to login with blank passwords.
    </flag>
    <flag name="securetty">
      Enable pam_securetty module in the login stack. Not generally
      relevant anymore as the login stack only refers to local logins
      and local terminals imply secure access in the first place.
    </flag>
  </use>
</pkgmetadata>