Katana_mirror/kde-workspace
1
0
Fork 0
mirror of https://bitbucket.org/smil3y/kde-workspace.git synced 2025-02-23 18:32:50 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions
kde-workspace/README.pam
Ivailo Monev cb432f7389 generic: add BSD host and configuration test hint to README.pam [ci skip] 
Signed-off-by: Ivailo Monev <xakepa10@gmail.com>
2021-06-13 00:54:29 +03:00

75 lines
3.1 KiB
Text
Raw Blame History

KDE can be configured to support the PAM ("Pluggable Authentication
Modules") system for password checking by the display manager kdm and
by the screen saver kscreensaver (for unlocking the display).
PAM is a flexible application-transparent configurable user-authentication
system found on FreeBSD, Solaris, and Linux (and maybe other unixes).
Information about PAM may be found on its homepage
http://www.kernel.org/pub/linux/libs/pam/
(Despite the location, this information is NOT Linux-specific.)
Known Solaris Issues:
--------------------
For compiling PAM support on Solaris, PAM_MESSAGE_CONST must NOT
be defined. This should now be handled automatically by the
configure script.
Using PAM
---------
By default, PAM is automatically used, if it is found. Use
-DWITH_PAM=FALSE to disable it.
If PAM is found, KDE usually uses the PAM service "kde". You may
override it for all KDE programs by using -DKDE4_COMMON_PAM_SERVICE=<service>
and/or individually by using -D<prog>_PAM_SERVICE=<service>, where <prog> is
one of KDM and kscreensaver (both use kcheckpass).
Two files are provided but not installed - kde.pamd and kscreensaver.pamd.
The usual location to put these files is /etc/pam.d/. You may want to edit
the definitions in them to meet your needs, on BSD host for example you may
have to substitue "pam_unix.so" with "pam_bsdauth.so". If the services are
misconfigured, you will NOT be able to login via KDM and/or unlock a locked
screen!
To verify the configuration you can invoke kcheckpass directly and examine
its exit status. If it is not 0 when correct password is entered (if
password for the user is set) then you will have to thinker with the
configuration. kcheckpass is usually installed in /usr/libexec/kde4.
Authorization failure reason should be logged to /var/log/auth.log.
If there is ever any doubt about which PAM service a program was
compiled with, it can be determined by examining the PAM-generated
entries in the system log associated with kdm logins or kscreensaver
authentication failures.
PAM configuration files have four types of entries for each service:
type used by kdm used by kscreensaver
---- ----------- --------------------
auth x x
account x
password x
session x
There may be more than one entry of each type. Check existing PAM
configuration files and PAM documentation on your system for guidance as
to what entries to make. If you call a PAM service that is not
configured, the default action of PAM is likely to be denial of service.
Note: kdm implements PAM "session" support, which is not implemented in
certain PAM-aware xdm's that it may be replacing (e.g., the Red Hat
Linux 5.x xdm did not implement it). This may be configured to carry out
actions when a user opens or closes an kdm session, if a suitable PAM
module is available (e.g., mount and unmount user-specific filesystems).
Note 2: Screensavers typically only authenticate a user to allow him/her
to continue working. They may also renew tokens etc., where supported.
See the Linux PAM Administrators guide, which is part of the PAM
distribution, for more details.
Reference in a new issue View git blame Copy permalink