summaryrefslogtreecommitdiffstats
path: root/contrib/libpam/doc
diff options
context:
space:
mode:
authorjdp <jdp@FreeBSD.org>1998-11-25 19:46:10 +0000
committerjdp <jdp@FreeBSD.org>1998-11-25 19:46:10 +0000
commitfcce754470b5d0db4da5cdda5f12d56c25107682 (patch)
treea2da70898c64d0431b2d72de71fe9d4b79f84cd8 /contrib/libpam/doc
parentaec3e1ab2f35e76981af7bfbffeb96922839135a (diff)
downloadFreeBSD-src-fcce754470b5d0db4da5cdda5f12d56c25107682.zip
FreeBSD-src-fcce754470b5d0db4da5cdda5f12d56c25107682.tar.gz
Remove files that we don't use and are unlikely to use. You can
still get them with "cvs upd -r pam_unpruned" if you want to look at them.
Diffstat (limited to 'contrib/libpam/doc')
-rw-r--r--contrib/libpam/doc/modules/README13
-rw-r--r--contrib/libpam/doc/modules/module.sgml-template170
-rw-r--r--contrib/libpam/doc/modules/pam_chroot.sgml86
-rw-r--r--contrib/libpam/doc/modules/pam_cracklib.sgml254
-rw-r--r--contrib/libpam/doc/modules/pam_deny.sgml179
-rw-r--r--contrib/libpam/doc/modules/pam_env.sgml125
-rw-r--r--contrib/libpam/doc/modules/pam_filter.sgml150
-rw-r--r--contrib/libpam/doc/modules/pam_ftp.sgml93
-rw-r--r--contrib/libpam/doc/modules/pam_group.sgml108
-rw-r--r--contrib/libpam/doc/modules/pam_krb4.sgml126
-rw-r--r--contrib/libpam/doc/modules/pam_lastlog.sgml119
-rw-r--r--contrib/libpam/doc/modules/pam_limits.sgml196
-rw-r--r--contrib/libpam/doc/modules/pam_listfile.sgml138
-rw-r--r--contrib/libpam/doc/modules/pam_mail.sgml124
-rw-r--r--contrib/libpam/doc/modules/pam_nologin.sgml75
-rw-r--r--contrib/libpam/doc/modules/pam_permit.sgml83
-rw-r--r--contrib/libpam/doc/modules/pam_pwdb.sgml245
-rw-r--r--contrib/libpam/doc/modules/pam_radius.sgml117
-rw-r--r--contrib/libpam/doc/modules/pam_rhosts.sgml157
-rw-r--r--contrib/libpam/doc/modules/pam_rootok.sgml85
-rw-r--r--contrib/libpam/doc/modules/pam_securetty.sgml72
-rw-r--r--contrib/libpam/doc/modules/pam_time.sgml166
-rw-r--r--contrib/libpam/doc/modules/pam_warn.sgml67
-rw-r--r--contrib/libpam/doc/modules/pam_wheel.sgml124
-rw-r--r--contrib/libpam/doc/ps/README3
-rw-r--r--contrib/libpam/doc/specs/draft-morgan-pam-00.raw270
-rw-r--r--contrib/libpam/doc/specs/formatter/Makefile16
-rw-r--r--contrib/libpam/doc/specs/formatter/parse.lex11
-rw-r--r--contrib/libpam/doc/specs/formatter/parse.y293
-rw-r--r--contrib/libpam/doc/txts/README3
30 files changed, 0 insertions, 3668 deletions
diff --git a/contrib/libpam/doc/modules/README b/contrib/libpam/doc/modules/README
deleted file mode 100644
index b97b2cd..0000000
--- a/contrib/libpam/doc/modules/README
+++ /dev/null
@@ -1,13 +0,0 @@
-$Id: README,v 1.2 1996/11/17 17:20:28 morgan Exp $
-
-This directory contains a number of sgml sub-files. One for each
-documented module. They contain a description of each module and give
-some indication of its reliability.
-
-Additionally, there is a 'module.sgml-template' file which should be
-used as a blank form for new module descriptions.
-
-Please feel free to submit amendments/comments etc. regarding these
-files to:
-
- Andrew G. Morgan <morgan@parc.power.net>
diff --git a/contrib/libpam/doc/modules/module.sgml-template b/contrib/libpam/doc/modules/module.sgml-template
deleted file mode 100644
index 53cd809..0000000
--- a/contrib/libpam/doc/modules/module.sgml-template
+++ /dev/null
@@ -1,170 +0,0 @@
-<!--
-
- $Id: module.sgml-template,v 1.1 1996/11/30 20:59:32 morgan Exp $
-
- This template file was written by Andrew G. Morgan
- <morgan@parc.power.net>
-
-[
- Text that should be deleted/replaced, is enclosed within
- '[' .. ']'
- marks. For example, this text should be deleted!
-]
-
--->
-
-<sect1> [*Familiar full name of module*, eg. The "allow all" module.]
-
-<sect2>Synopsis
-
-<p>
-<descrip>
-
-<tag><bf>Module Name:</bf></tag>
-[
- insert the name of the module
-
- Blank is not permitted.
-]
-
-<tag><bf>Author[s]:</bf></tag>
-
-[
- Insert author names here
-
- Blank is not permitted. If in doubt, put "unknown" if the
- author wishes to remain anonymous, put "anonymous".
-]
-
-<tag><bf>Maintainer:</bf></tag>
-
-[
- Insert names and date-begun of most recent maintainer.
-]
-
-<tag><bf>Management groups provided:</bf></tag>
-
-[
- list the subset of four management groups supported by the
- module. Choose from: account; authentication; password;
- session.
-
- Blank entries are not permitted. Explicitly list all of the
- management groups. In the future more may be added to libpam!
-]
-
-<tag><bf>Cryptographically sensitive:</bf></tag>
-
-[
- Indicate whether this module contains code that can perform
- reversible (strong) encryption. This field is primarily to
- ensure that people redistributing it are not unwittingly
- breaking laws...
-
- Modules may also require the presence of some local library
- that performs the necessary encryption via some standard API.
- In this case "uses API" can be included in this field. The
- library in question should be added to the system requirements
- below.
-
- Blank = no cryptography is used by module.
-]
-
-<tag><bf>Security rating:</bf></tag>
-
-[
- Initially, this field should be left blank. If someone takes
- it upon themselves to test the strength of the module, it can
- later be filled.
-
- Blank = unknown.
-]
-
-<tag><bf>Clean code base:</bf></tag>
-
-[
- This will probably be filled by the libpam maintainer.
- It can be considered to be a public humiliation list. :*)
-
- I am of the opinion that "gcc -with_all_those_flags" is
- trying to tell us something about whether the program
- works as intended. Since there is currently no Security
- evaluation procedure for modules IMHO this is not a
- completely unreasonable indication (a lower bound anyway)
- of the reliability of a module.
-
- This field would indicate the number and flavor of
- warnings that gcc barfs up when trying to compile the
- module as part of the tree. Is this too tyrannical?
-
- Blank = Linux-PAM maintainer has not tested it :)
-]
-
-<tag><bf>System dependencies:</bf></tag>
-
-[
- here we list config files, dynamic libraries needed, system
- resources, kernel options.. etc.
-
- Blank = nothing more than libc required.
-]
-
-<tag><bf>Network aware:</bf></tag>
-
-[
- Does the module base its behavior on probing a network
- connection? Does it expect to be protected by the
- application?
-
- Blank = Ignorance of network.
-]
-
-</descrip>
-
-<sect2>Overview of module
-
-[
- some text describing the intended actions of the module
- general comments mainly (specifics in sections
- below).
-]
-
-[
-
- [ now we have a <sect2> level subsection for each of the
- management groups. Include as many as there are groups
- listed above in the synopsis ]
-
-<sect2>[ Account | Authentication | Password | Session ] component
-
-<p>
-<descrip>
-
-<tag><bf>Recognized arguments:</bf></tag>
-
-[
- List the supported arguments (leave their description for the
- description below.
-
- Blank = no arguments are read and nothing is logged to syslog
- about any arguments that are passed. Note, this
- behavior is contrary to the RFC!
-]
-
-<tag><bf>Description:</bf></tag>
-
-[
- This component of the module performs the task of ...
-]
-
-<tag><bf>Examples/suggested usage:</bf></tag>
-
-[
- Here we list some doos and don'ts for this module.
-]
-
-</descrip>
-
-<!--
-End of sgml insert for this module.
--->
diff --git a/contrib/libpam/doc/modules/pam_chroot.sgml b/contrib/libpam/doc/modules/pam_chroot.sgml
deleted file mode 100644
index 7f8c4a3..0000000
--- a/contrib/libpam/doc/modules/pam_chroot.sgml
+++ /dev/null
@@ -1,86 +0,0 @@
-<!--
- $Id: pam_chroot.sgml,v 1.1 1996/11/30 20:59:32 morgan Exp $
-
- This file was written by Bruce Campbell <brucec@humbug.org.au>
--->
-
-<sect1>Chroot
-
-<sect2>Synopsis
-
-<p>
-<descrip>
-
-<tag><bf>Module Name:</bf></tag>
-<tt/pam_chroot/
-
-<tag><bf>Author:</bf></tag>
-Bruce Campbell &lt;brucec@humbug.org.au&gt;
-
-<tag><bf>Maintainer:</bf></tag>
-Author; proposed on 20/11/96 - email for status
-
-<tag><bf>Management groups provided:</bf></tag>
-account; session; authentication
-
-<tag><bf>Cryptographically sensitive:</bf></tag>
-
-<tag><bf>Security rating:</bf></tag>
-
-<tag><bf>Clean code base:</bf></tag>
-Unwritten.
-
-<tag><bf>System dependencies:</bf></tag>
-
-<tag><bf>Network aware:</bf></tag>
-Expects localhost.
-
-</descrip>
-
-<sect2>Overview of module
-
-<p>
-This module is intended to provide a transparent wrapper around the
-average user, one that puts them in a fake file-system (eg, their
-'<tt>/</tt>' is really <tt>/some/where/else</tt>).
-
-<p>
-Useful if you have several classes of users, and are slightly paranoid
-about security. Can be used to limit who else users can see on the
-system, and to limit the selection of programs they can run.
-
-<sect2>Account component:
-
-<p>
-<em/Need more info here./
-
-<sect2>Authentication component:
-
-<p>
-<em/Need more info here./
-
-<sect2>Session component:
-
-<p>
-<em/Need more info here./
-
-<p>
-<descrip>
-
-<tag><bf>Recognized arguments:</bf></tag>
-Arguments and logging levels for the PAM version are being worked on.
-
-<tag><bf>Description:</bf></tag>
-
-<tag><bf>Examples/suggested usage:</bf></tag>
-Do provide a reasonable list of programs - just tossing 'cat', 'ls', 'rm',
-'cp' and 'ed' in there is a bit...
-<p>
-Don't take it to extremes (eg, you can set up a separate environment for
-each user, but its a big waste of your disk space.)
-
-</descrip>
-
-<!--
-End of sgml insert for this module.
--->
diff --git a/contrib/libpam/doc/modules/pam_cracklib.sgml b/contrib/libpam/doc/modules/pam_cracklib.sgml
deleted file mode 100644
index 4700c2a0..0000000
--- a/contrib/libpam/doc/modules/pam_cracklib.sgml
+++ /dev/null
@@ -1,254 +0,0 @@
-<!--
- $Id: pam_cracklib.sgml,v 1.2 1997/02/15 18:25:44 morgan Exp morgan $
-
- This file was written by Andrew G. Morgan <morgan@parc.power.net>
- long password amendments are from Philip W. Dalrymple III <pwd@mdtsoft.com>
--->
-
-<sect1>Cracklib pluggable password strength-checker
-
-<sect2>Synopsis
-
-<p>
-<descrip>
-
-<tag><bf>Module Name:</bf></tag>
-
-pam_cracklib
-
-<tag><bf>Author:</bf></tag>
-
-Cristian Gafton &lt;gafton@redhat.com&gt;
-
-<tag><bf>Maintainer:</bf></tag>
-
-Author.
-
-<tag><bf>Management groups provided:</bf></tag>
-
-password
-
-<tag><bf>Cryptographically sensitive:</bf></tag>
-
-<tag><bf>Security rating:</bf></tag>
-
-<tag><bf>Clean code base:</bf></tag>
-
-<tag><bf>System dependencies:</bf></tag>
-
-Requires the system library <tt/libcrack/ and a system dictionary:
-<tt>/usr/lib/cracklib_dict</tt>.
-
-<tag><bf>Network aware:</bf></tag>
-
-</descrip>
-
-<sect2>Overview of module
-
-<p>
-This module can be plugged into the <tt/password/ stack of a given
-application to provide some plug-in strength-checking for passwords.
-(XXX - note this does not necessarily work with the pam_unix module,
-although it is known to work with the pam_pwdb replacement for the
-unix module -- see example and pam_pwdb write up for more
-information).
-
-<p>
-This module works in the following manner: it first calls the
-<em>Cracklib</em> routine to check the strength of the password; if
-crack likes the password, the module does an additional set of
-strength checks. These checks are:
-<itemize>
-
-<item> <bf/Palindrome/ -
-
-Is the new password a palindrome of the old one?
-
-<item> <bf/Case Change Only/ -
-
-Is the new password the the old one with only a change of case?
-
-<item> <bf/Similar/ -
-
-Is the new password too much like the old one? This is controlled
-by one argument, <tt/difok/ which is a number of characters that if
-different between the old and new are enough to accept the new
-password, this defaults to 10 or 1/2 the size of the new password
-whichever is smaller.
-
-<item <bf/Simple/ -
-
-Is the new password too small? This is controlled by 5 arguments
-<tt/minlen/, <tt/dcredit/, <tt/ucredit/, <tt/lcredit/, and
-<tt/ocredit/. See the section on the arguments for the details of how
-these work and there defaults.
-
-<item <bf/Rotated/ -
-
-Is the new password a rotated version of the old password?
-
-</itemize>
-
-<p>
-This module with no arguments will work well for standard unix
-password encryption. With md5 encryption, passwords can be longer
-than 8 characters and the default settings for this module can make it
-hard for the user to choose a satisfactory new password. Notably, the
-requirement that the new password contain no more than 1/2 of the
-characters in the old password becomes a non-trivial constraint. For
-example, an old password of the form "the quick brown fox jumped over
-the lazy dogs" would be difficult to change... In addition, the
-default action is to allow passwords as small as 5 characters in
-length. For a md5 systems it can be a good idea to increase the
-required minimum size of a password. One can then allow more credit
-for different kinds of characters but accept that the new password may
-share most of these characters with the old password.
-
-<sect2>Password component
-
-<p>
-<descrip>
-
-<tag><bf>Recognized arguments:</bf></tag>
-
-<tt/debug/; <tt/type=XXX/; <tt/retry=N/; <tt/difok=N/; <tt/minlen=N/;
-<tt/dcredit=N/; <tt/ucredit=N/; <tt/lcredit=N/; <tt/ocredit=N/;
-
-<tag><bf>Description:</bf></tag>
-
-The action of this module is to prompt the user for a password and
-check its strength against a system dictionary and a set of rules for
-identifying poor choices.
-
-<p>
-The default action is to prompt for a single password, check its
-strength and then, if it is considered strong, prompt for the password
-a second time (to verify that it was typed correctly on the first
-occasion). All being well, the password is passed on to subsequent
-modules to be installed as the new authentication token.
-
-<p>
-The default action may be modified in a number of ways using the
-arguments recognized by the module:
-<itemize>
-
-<item> <tt/debug/ -
-
-this option makes the module write information to syslog(3) indicating
-the behavior of the module (this option does <bf/not/ write password
-information to the log file).
-
-<item> <tt/type=XXX/ -
-
-the default action is for the module to use the following prompts when
-requesting passwords: ``New UNIX password: '' and ``Retype UNIX
-password: ''. Using this option you can replace the word UNIX with
-<tt/XXX/.
-
-<item> <tt/retry=N/ -
-
-the default number of times this module will request a new password
-(for strength-checking) from the user is 1. Using this argument this
-can be increased to <tt/N/.
-
-<item> <tt/difok=N/ -
-
-This argument will change the default of 10 for the number of
-characters in the new password that must not be present in the old
-password. In addition, if 1/2 of the characters in the new password
-are different then the new password will be accepted anyway.
-
-<item> <tt/minlen=N/ -
-
-The minimum acceptable size for the new password plus one. In
-addition to the number of characters in the new password, credit (of
-+1 in length) is given for each different kind of character (<em>other,
-upper, lower</em> and <em/digit/). The default for this parameter is
-9 which is good for a old style UNIX password all of the same type of
-character but may be too low to exploit the added security of a md5
-system. Note that there is a pair of length limits in
-<em>Cracklib</em> itself, a "way too short" limit of 4 which is hard
-coded in and a defined limit (6) that will be checked without
-reference to <tt>minlen</tt>. If you want to allow passwords as short
-as 5 characters you should either not use this module or recompile
-the crack library and then recompile this module.
-
-<item> <tt/dcredit=N/ -
-
-This is the maximum credit for having digits in the new password. If
-you have less than or <tt/N/ digits, each digit will count +1 towards
-meeting the current <tt/minlen/ value. The default for <tt/dcredit/
-is 1 which is the recommended value for <tt/minlen/ less than 10.
-
-<item> <tt/ucredit=N/ -
-
-This is the maximum credit for having upper case letters in the new
-password. If you have less than or <tt/N/ upper case letters each
-letter will count +1 towards meeting the current <tt/minlen/ value.
-The default for <tt/ucredit/ is 1 which is the recommended value for
-<tt/minlen/ less than 10.
-
-<item> <tt/lcredit=N/ -
-
-This is the maximum credit for having lower case letters in the new
-password. If you have less than or <tt/N/ lower case letters, each
-letter will count +1 towards meeting the current <tt/minlen/ value.
-The default for <tt/lcredit/ is 1 which is the recommended value for
-<tt/minlen/ less than 10.
-
-<item> <tt/ocredit=N/ -
-
-This is the maximum credit for having other characters in the new
-password. If you have less than or <tt/N/ other characters, each
-character will count +1 towards meeting the current <tt/minlen/ value.
-The default for <tt/ocredit/ is 1 which is the recommended value for
-<tt/minlen/ less than 10.
-
-</itemize>
-
-<tag><bf>Examples/suggested usage:</bf></tag>
-
-(At the time of writing, this module can only be stacked before the
-<tt/pam_pwdb/ module. Cracklib strength checking may be compiled by
-default into the <tt/pam_unix/ module.)
-
-<p>
-For an example of the use of this module, we show how it may be
-stacked with the password component of <tt/pam_pwdb/:
-<tscreen>
-<verb>
-#
-# These lines stack two password type modules. In this example the
-# user is given 3 opportunities to enter a strong password. The
-# "use_authtok" argument ensures that the pam_pwdb module does not
-# prompt for a password, but instead uses the one provided by
-# pam_cracklib.
-#
-passwd password required pam_cracklib.so retry=3
-passwd password required pam_pwdb.so use_authtok
-</verb>
-</tscreen>
-
-<p>
-Another example (in the <tt>/etc/pam.d/passwd</tt> format) is for the
-case that you want to use md5 password encryption:
-<tscreen>
-<verb>
-#%PAM-1.0
-#
-# These lines allow a md5 systems to support passwords of at least 14
-# bytes with extra credit of 2 for digits and 2 for others the new
-# password must have at least three bytes that are not present in the
-# old password
-#
-password required pam_cracklib.so \
- difok=3 minlen=15 dcredit= 2 ocredit=2
-password required pam_pwdb.so use_authtok nullok md5
-</verb>
-</tscreen>
-
-</descrip>
-
-<!--
-End of sgml insert for this module.
--->
diff --git a/contrib/libpam/doc/modules/pam_deny.sgml b/contrib/libpam/doc/modules/pam_deny.sgml
deleted file mode 100644
index 99f3671..0000000
--- a/contrib/libpam/doc/modules/pam_deny.sgml
+++ /dev/null
@@ -1,179 +0,0 @@
-<!--
- $Id: pam_deny.sgml,v 1.3 1997/02/15 18:25:44 morgan Exp morgan $
-
- This file was written by Andrew G. Morgan <morgan@parc.power.net>
--->
-
-<sect1>The locking-out module
-
-<sect2>Synopsis
-
-<p>
-<descrip>
-
-<tag><bf>Module Name:</bf></tag>
-pam_deny
-
-<tag><bf>Author:</bf></tag>
-Andrew G. Morgan &lt;morgan@parc.power.net&gt;
-
-<tag><bf>Maintainer:</bf></tag>
-current <bf/Linux-PAM/ maintainer
-
-<tag><bf>Management groups provided:</bf></tag>
-account; authentication; password; session
-
-<tag><bf>Cryptographically sensitive:</bf></tag>
-
-<tag><bf>Security rating:</bf></tag>
-
-<tag><bf>Clean code base:</bf></tag>
-clean.
-
-<tag><bf>System dependencies:</bf></tag>
-
-<tag><bf>Network aware:</bf></tag>
-
-</descrip>
-
-<sect2>Overview of module
-
-<p>
-This module can be used to deny access. It always indicates a failure
-to the application through the PAM framework. As is commented in the
-overview section <ref id="overview-section" name="above">, this module
-might be suitable for using for default (the <tt/OTHER/) entries.
-
-<sect2>Account component
-
-<p>
-<descrip>
-
-<tag><bf>Recognized arguments:</bf></tag>
-
-<tag><bf>Description:</bf></tag>
-
-This component does nothing other than return a failure. The
-failure type is <tt/PAM_ACCT_EXPIRED/.
-
-<tag><bf>Examples/suggested usage:</bf></tag>
-
-Stacking this module with type <tt/account/ will prevent the user from
-gaining access to the system via applications that refer to
-<bf/Linux-PAM/'s account management function <tt/pam_acct_mgmt()/.
-
-<p>
-The following example would make it impossible to login:
-<tscreen>
-<verb>
-#
-# add this line to your other login entries to disable all accounts
-#
-login account required pam_deny.so
-</verb>
-</tscreen>
-
-</descrip>
-
-<sect2>Authentication component
-
-<p>
-<descrip>
-
-<tag><bf>Recognized arguments:</bf></tag>
-
-<tag><bf>Description:</bf></tag>
-
-This component does nothing other than return a failure. The failure
-type is <tt/PAM_AUTH_ERR/ in the case that <tt/pam_authenticate()/ is
-called (when the application tries to authenticate the user), and is
-<tt/PAM_CRED_UNAVAIL/ when the application calls <tt/pam_setcred()/
-(to establish and set the credentials of the user -- it is unlikely
-that this function will ever be called in practice).
-
-<tag><bf>Examples/suggested usage:</bf></tag>
-
-To deny access to default applications with this component of the
-<tt/pam_deny/ module, you might include the following line in your
-<bf/Linux-PAM/ configuration file:
-<tscreen>
-<verb>
-#
-# add this line to your existing OTHER entries to prevent
-# authentication succeeding with default applications.
-#
-OTHER auth required pam_deny.so
-</verb>
-</tscreen>
-
-</descrip>
-
-<sect2>Password component
-
-<p>
-<descrip>
-
-<tag><bf>Recognized arguments:</bf></tag>
-
-<tag><bf>Description:</bf></tag>
-
-This component of the module denies the user the opportunity to change
-their password. It always responds with <tt/PAM_AUTHTOK_ERR/ when
-invoked.
-
-<tag><bf>Examples/suggested usage:</bf></tag>
-
-This module should be used to prevent an application from updating the
-applicant user's password. For example, to prevent <tt/login/ from
-automatically prompting for a new password when the old one has
-expired you should include the following line in your configuration
-file:
-<tscreen>
-<verb>
-#
-# add this line to your other login entries to prevent the login
-# application from being able to change the user's password.
-#
-login password required pam_deny.so
-</verb>
-</tscreen>
-
-</descrip>
-
-<sect2>Session component
-
-<p>
-<descrip>
-
-<tag><bf>Recognized arguments:</bf></tag>
-
-<tag><bf>Description:</bf></tag>
-
-This aspect of the module prevents an application from starting a
-session on the host computer.
-
-<tag><bf>Examples/suggested usage:</bf></tag>
-
-Together with another session module, that displays a message of the
-day perhaps (XXX - such a module needs to be written),
-this module can be used to block a user from starting a shell. Given
-the presence of a <tt/pam_motd/ module, we might use the following
-entries in the configuration file to inform the user it is system
-time:
-<tscreen>
-<verb>
-#
-# An example to see how to configure login to refuse the user a
-# session (politely)
-#
-login session required pam_motd.so \
- file=/etc/system_time
-login session required pam_deny.so
-</verb>
-</tscreen>
-
-</descrip>
-
-<!--
-End of sgml insert for this module.
--->
diff --git a/contrib/libpam/doc/modules/pam_env.sgml b/contrib/libpam/doc/modules/pam_env.sgml
deleted file mode 100644
index a62f457..0000000
--- a/contrib/libpam/doc/modules/pam_env.sgml
+++ /dev/null
@@ -1,125 +0,0 @@
-<!--
- $Id: pam_env.sgml,v 1.1 1997/04/05 06:50:42 morgan Exp $
-
- This file was written by Dave Kinchlea <kinch@kinch.ark.com>
- Ed. AGM
--->
-
-<sect1>Set/unset environment variables
-
-<sect2>Synopsis
-
-<p>
-<descrip>
-
-<tag><bf>Module Name:</bf></tag>
-<tt/pam_env/
-
-<tag><bf>Author:</bf></tag>
-Dave Kinchlea &lt;kinch@kinch.ark.com&gt;
-
-<tag><bf>Maintainer:</bf></tag>
-Author
-
-<tag><bf>Management groups provided:</bf></tag>
-Authentication (setcred)
-
-<tag><bf>Cryptographically sensitive:</bf></tag>
-
-<tag><bf>Security rating:</bf></tag>
-
-<tag><bf>Clean code base:</bf></tag>
-
-<tag><bf>System dependencies:</bf></tag>
-<tt>/etc/security/pam_env.conf</tt>
-
-<tag><bf>Network aware:</bf></tag>
-
-</descrip>
-
-<sect2>Overview of module
-
-<p>
-This module allows the (un)setting of environment variables. Supported
-is the use of previously set environment variables as well as
-<em>PAM_ITEM</em>s such as <tt>PAM_RHOST</tt>.
-
-<sect2>Authentication component
-
-<p>
-<descrip>
-
-<tag><bf>Recognized arguments:</bf></tag>
-<tt/debug/; <tt/conffile=/<em/configuration-file-name/
-
-<tag><bf>Description:</bf></tag>
-This module allows you to (un)set arbitrary environment variables
-using fixed strings, the value of previously set environment variables
-and/or <em/PAM_ITEM/s.
-
-<p>
-All is controlled via a configuration file (by default,
-<tt>/etc/security/pam_env.conf</tt> but can be overriden with
-<tt>connfile</tt> argument). Each line starts with the variable name,
-there are then two possible options for each variable <bf>DEFAULT</bf>
-and <bf>OVERRIDE</bf>. <bf>DEFAULT</bf> allows and administrator to
-set the value of the variable to some default value, if none is
-supplied then the empty string is assumed. The <bf>OVERRIDE</bf>
-option tells pam_env that it should enter in its value (overriding the
-default value) if there is one to use. <bf>OVERRIDE</bf> is not used,
-<tt>""</tt> is assumed and no override will be done.
-
-<p>
-<tscreen>
-<verb>
-VARIABLE [DEFAULT=[value]] [OVERRIDE=[value]]
-</verb>
-</tscreen>
-
-<p>
-(Possibly non-existent) environment variables may be used in values
-using the <tt>&dollar;&lcub;string&rcub;</tt> syntax and (possibly
-non-existent) <em/PAM_ITEM/s may be used in values using the
-<tt>&commat;&lcub;string&rcub;</tt> syntax. Both the <tt>&dollar;</tt>
-and <tt>&commat;</tt> characters can be backslash-escaped to be used
-as literal values (as in <tt>&bsol;&dollar;</tt>. Double quotes may
-be used in values (but not environment variable names) when white
-space is needed <bf>the full value must be delimited by the quotes and
-embedded or escaped quotes are not supported</bf>.
-
-<p>
-The behavior of this module can be modified with one of the following
-flags:
-
-<p>
-<itemize>
-
-<item><tt/debug/
-- write more information to <tt/syslog(3)/.
-
-<item><tt/conffile=/<em/filename/
-- by default the file <tt>/etc/security/pam_env.conf</tt> is used as
-the configuration file. This option overrides the default. You must
-supply a complete path + file name.
-
-</itemize>
-
-<tag><bf>Examples/suggested usage:</bf></tag>
-
-See sample <tt>pam_env.conf</tt> for more information and examples.
-
-</descrip>
-
-<!--
-End of sgml insert for this module.
--->
-
-
-
-
-
-
-
-
-
-
diff --git a/contrib/libpam/doc/modules/pam_filter.sgml b/contrib/libpam/doc/modules/pam_filter.sgml
deleted file mode 100644
index 99f06ef..0000000
--- a/contrib/libpam/doc/modules/pam_filter.sgml
+++ /dev/null
@@ -1,150 +0,0 @@
-<!--
- $Id: pam_filter.sgml,v 1.2 1997/02/15 18:25:44 morgan Exp $
-
- This file was written by Andrew G. Morgan <morgan@parc.power.net>
--->
-
-<sect1>The filter module
-
-<sect2>Synopsis
-
-<p>
-<descrip>
-
-<tag><bf>Module Name:</bf></tag>
-
-pam_filter
-
-<tag><bf>Author:</bf></tag>
-
-Andrew G. Morgan &lt;morgan@parc.power.net&gt;
-
-<tag><bf>Maintainer:</bf></tag>
-
-Author.
-
-<tag><bf>Management groups provided:</bf></tag>
-
-account; authentication; password; session
-
-<tag><bf>Cryptographically sensitive:</bf></tag>
-
-Not yet.
-
-<tag><bf>Security rating:</bf></tag>
-
-<tag><bf>Clean code base:</bf></tag>
-
-This module compiles cleanly on Linux based systems.
-
-<tag><bf>System dependencies:</bf></tag>
-
-To function it requires <em/filters/ to be installed on the system.
-
-<tag><bf>Network aware:</bf></tag>
-
-</descrip>
-
-<sect2>Overview of module
-
-<p>
-This module was written to offer a plug-in alternative to programs
-like ttysnoop (XXX - need a reference). Since writing a filter that
-performs this function has not occurred, it is currently only a toy.
-The single filter provided with the module simply transposes upper and
-lower case letters in the input and output streams. (This can be very
-annoying and is not kind to termcap based editors).
-
-<sect2>Account+Authentication+Password+Session components
-
-<p>
-<descrip>
-
-<tag><bf>Recognized arguments:</bf></tag>
-
-<tt/debug/; <tt/new_term/; <tt/non_term/; <tt/runX/
-
-<tag><bf>Description:</bf></tag>
-
-Each component of the module has the potential to invoke the desired
-filter. The filter is always <tt/execv(2)/d with the privilege of the
-calling application and <bf/not/ that of the user. For this reason it
-cannot usually be killed by the user without closing their session.
-
-<p>
-The behavior of the module can be significantly altered by the
-arguments passed to it in the <bf/Linux-PAM/ configuration file:
-<itemize>
-<item><tt/debug/ -
-
-this option increases the amount of information logged to
-<tt/syslog(3)/ as the module is executed.
-
-<item><tt/new_term/ -
-
-the default action of the filter is to set the <tt/PAM_TTY/ item to
-indicate the terminal that the user is using to connect to the
-application. This argument indicates that the filter should set
-<tt/PAM_TTY/ to the filtered pseudo-terminal.
-
-<item><tt/non_term/ -
-don't try to set the <tt/PAM_TTY/ item.
-
-<item><tt/runX/ -
-
-in order that the module can invoke a filter it should know when to
-invoke it. This argument is required to tell the filter when to do
-this. The arguments that follow this one are respectively the full
-pathname of the filter to be run and any command line arguments that
-the filter might expect.
-
-<p>
-Permitted values for <tt/X/ are <tt/1/ and <tt/2/. These indicate the
-precise time the that filter is to be run. To explain this concept it
-will be useful to have read the Linux-PAM Module developer's
-guide. Basically, for each management group there are up to two ways
-of calling the module's functions.
-
-In the case of the <em/authentication/ and <em/session/ components
-there are actually two separate functions. For the case of
-authentication, these functions are <tt/_authenticate/ and
-<tt/_setcred/ -- here <tt/run1/ means run the filter from the
-<tt/_authenticate/ function and <tt/run2/ means run the filter from
-<tt/_setcred/. In the case of the session modules, <tt/run1/ implies
-that the filter is invoked at the <tt/_open_session/ stage, and
-<tt/run2/ for <tt/_close_session/.
-
-<p>
-For the case of the account component. Either <tt/run1/ or <tt/run2/
-may be used.
-
-<p>
-For the case of the password component, <tt/run1/ is used to indicate
-that the filter is run on the first occasion <tt/_chauthtok/ is run
-(the <tt/PAM_PRELIM_CHECK/ phase) and <tt/run2/ is used to indicate
-that the filter is run on the second occasion (the
-<tt/PAM_UPDATE_AUTHTOK/ phase).
-
-</itemize>
-
-<tag><bf>Examples/suggested usage:</bf></tag>
-
-At the time of writing there is little real use to be made of this
-module. For fun you might try adding the following line to your
-login's configuration entries
-<tscreen>
-<verb>
-#
-# An example to see how to configure login to transpose upper and
-# lower case letters once the user has logged in(!)
-#
-login session required pam_filter.so \
- run1 /usr/sbin/pam_filter/upperLOWER
-</verb>
-</tscreen>
-
-</descrip>
-
-<!--
-End of sgml insert for this module.
--->
diff --git a/contrib/libpam/doc/modules/pam_ftp.sgml b/contrib/libpam/doc/modules/pam_ftp.sgml
deleted file mode 100644
index ca2e065..0000000
--- a/contrib/libpam/doc/modules/pam_ftp.sgml
+++ /dev/null
@@ -1,93 +0,0 @@
-<!--
- $Id: pam_ftp.sgml,v 1.1 1996/11/30 20:59:32 morgan Exp $
-
- This file was written by Andrew G. Morgan <morgan@parc.power.net>
--->
-
-<sect1>Anonymous access module
-
-<sect2>Synopsis
-
-<p>
-<descrip>
-
-<tag><bf>Module Name:</bf></tag>
-<tt/pam_ftp.so/
-
-<tag><bf>Author:</bf></tag>
-Andrew G. Morgan &lt;morgan@parc.power.net&gt;
-
-<tag><bf>Maintainer:</bf></tag>
-Author.
-
-<tag><bf>Management groups provided:</bf></tag>
-authentication
-
-<tag><bf>Cryptographically sensitive:</bf></tag>
-
-<tag><bf>Security rating:</bf></tag>
-
-<tag><bf>Clean code base:</bf></tag>
-
-<tag><bf>System dependencies:</bf></tag>
-
-<tag><bf>Network aware:</bf></tag>
-prompts for email address of user; easily spoofed (XXX - needs work)
-
-</descrip>
-
-<sect2>Overview of module
-
-<p>
-The purpose of this module is to provide a pluggable anonymous ftp
-mode of access.
-
-<sect2>Authentication component
-
-<p>
-<descrip>
-
-<tag><bf>Recognized arguments:</bf></tag>
-<tt/debug/;
-<tt/users=XXX,YYY,.../;
-<tt/ignore/
-
-<tag><bf>Description:</bf></tag>
-
-This module intercepts the user's name and password. If the name is
-``<tt/ftp/'' or ``<tt/anonymous/'', the user's password is broken up
-at the `<tt/@/' delimiter into a <tt/PAM_RUSER/ and a <tt/PAM_RHOST/
-part; these pam-items being set accordingly. The username is set to
-``<tt/ftp/''. In this case the module succeeds. Alternatively, the
-module sets the <tt/PAM_AUTHTOK/ item with the entered password and
-fails.
-
-<p>
-The behavior of the module can be modified with the following flags:
-<itemize>
-<item><tt/debug/ -
-log more information to with <tt/syslog(3)/.
-
-<item><tt/users=XXX,YYY,.../ -
-instead of ``<tt/ftp/'' or ``<tt/anonymous/'', provide anonymous login
-to the comma separated list of users; ``<tt/XXX,YYY,.../''. Should the
-applicant enter one of these usernames the returned username is set to
-the first in the list; ``<tt/XXX/''.
-
-<item><tt/ignore/ -
-pay no attention to the email address of the user (if supplied).
-
-</itemize>
-
-<tag><bf>Examples/suggested usage:</bf></tag>
-
-An example of the use of this module is provided in the configuration
-file section <ref id="configuration" name="above">. With care, this
-module could be used to provide new/temporary account anonymous
-login.
-
-</descrip>
-
-<!--
-End of sgml insert for this module.
--->
diff --git a/contrib/libpam/doc/modules/pam_group.sgml b/contrib/libpam/doc/modules/pam_group.sgml
deleted file mode 100644
index 360edee..0000000
--- a/contrib/libpam/doc/modules/pam_group.sgml
+++ /dev/null
@@ -1,108 +0,0 @@
-<!--
- $Id: pam_group.sgml,v 1.2 1997/01/04 20:50:10 morgan Exp $
-
- This file was written by Andrew G. Morgan <morgan@parc.power.net>
--->
-
-<sect1>The group access module
-
-<sect2>Synopsis
-
-<p>
-<descrip>
-
-<tag><bf>Module Name:</bf></tag>
-<tt/pam_group/
-
-<tag><bf>Author:</bf></tag>
-Andrew G. Morgan &lt;morgan@parc.power.net&gt;
-
-<tag><bf>Maintainer:</bf></tag>
-Author.
-
-<tag><bf>Management groups provided:</bf></tag>
-authentication
-
-<tag><bf>Cryptographically sensitive:</bf></tag>
-
-<tag><bf>Security rating:</bf></tag>
-Sensitive to <em/setgid/ status of file-systems accessible to users.
-
-<tag><bf>Clean code base:</bf></tag>
-
-<tag><bf>System dependencies:</bf></tag>
-Requires an <tt>/etc/security/group.conf</tt> file. Can be compiled
-with or without <tt/libpwdb/.
-
-<tag><bf>Network aware:</bf></tag>
-Only through correctly set <tt/PAM_TTY/ item.
-
-</descrip>
-
-<sect2>Overview of module
-
-<p>
-This module provides group-settings based on the user's name and the
-terminal they are requesting a given service from. It takes note of
-the time of day.
-
-<sect2>Authentication component
-
-<p>
-<descrip>
-
-<tag><bf>Recognized arguments:</bf></tag>
-
-<tag><bf>Description:</bf></tag>
-
-This module does not authenticate the user, but instead it grants
-group memberships (in the credential setting phase of the
-authentication module) to the user. Such memberships are based on the
-service they are applying for. The group memberships are listed in
-text form in the <tt>/etc/security/group.conf</tt> file.
-
-<tag><bf>Examples/suggested usage:</bf></tag>
-
-For this module to function correctly there must be a correctly
-formatted <tt>/etc/security/groups.conf</tt> file present. The format
-of this file is as follows. Group memberships are given based on the
-service application satisfying any combination of lines in the
-configuration file. Each line (barring comments which are preceded by
-`<tt/#/' marks) has the following
-syntax:
-<tscreen>
-<verb>
-services ; ttys ; users ; times ; groups
-</verb>
-</tscreen>
-Here the first four fields share the syntax of the <tt>pam_time</tt>
-configuration file; <tt>/etc/security/pam_time.conf</tt>, and the last
-field, the <tt/groups/ field, is a comma (or space) separated list of
-the text-names of a selection of groups. If the users application for
-service satisfies the first four fields, the user is granted membership
-of the listed groups.
-
-<p>
-As stated in above this module's usefulness relies on the file-systems
-accessible to the user. The point being that once granted the
-membership of a group, the user may attempt to create a <em/setgid/
-binary with a restricted group ownership. Later, when the user is not
-given membership to this group, they can recover group membership with
-the precompiled binary. The reason that the file-systems that the user
-has access to are so significant, is the fact that when a system is
-mounted <em/nosuid/ the user is unable to create or execute such a
-binary file. For this module to provide any level of security, all
-file-systems that the user has write access to should be mounted
-<em/nosuid/.
-
-<p>
-The <tt>pam_group</tt> module fuctions in parallel with the
-<tt>/etc/group</tt> file. If the user is granted any groups based on
-the behavior of this module, they are granted <em>in addition</em> to
-those entries <tt>/etc/group</tt> (or equivalent).
-
-</descrip>
-
-<!--
-End of sgml insert for this module.
--->
diff --git a/contrib/libpam/doc/modules/pam_krb4.sgml b/contrib/libpam/doc/modules/pam_krb4.sgml
deleted file mode 100644
index edb87d1..0000000
--- a/contrib/libpam/doc/modules/pam_krb4.sgml
+++ /dev/null
@@ -1,126 +0,0 @@
-<!--
- $Id: pam_krb4.sgml,v 1.1 1996/11/30 20:59:32 morgan Exp $
-
- This file was written by Derrick J. Brashear <shadow@DEMENTIA.ORG>
--->
-
-<sect1>The Kerberos 4 module.
-
-<sect2>Synopsis
-
-<p>
-<descrip>
-
-<tag><bf>Module Name:</bf></tag>
-<tt/pam_krb4/
-
-<tag><bf>Author:</bf></tag>
-Derrick J. Brashear &lt;shadow@dementia.org&gt;
-
-<tag><bf>Maintainer:</bf></tag>
-Author.
-
-<tag><bf>Management groups provided:</bf></tag>
-authentication; password; session
-
-<tag><bf>Cryptographically sensitive:</bf></tag>
-uses API
-
-<tag><bf>Security rating:</bf></tag>
-
-<tag><bf>Clean code base:</bf></tag>
-
-<tag><bf>System dependencies:</bf></tag>
-libraries - <tt/libkrb/, <tt/libdes/, <tt/libcom_err/, <tt/libkadm/;
-and a set of Kerberos include files.
-
-<tag><bf>Network aware:</bf></tag>
-Gets Kerberos ticket granting ticket via a Kerberos key distribution
-center reached via the network.
-
-</descrip>
-
-<sect2>Overview of module
-
-<p>
-This module provides an interface for doing Kerberos verification of a
-user's password, getting the user a Kerberos ticket granting ticket
-for use with the Kerberos ticket granting service, destroying the
-user's tickets at logout time, and changing a Kerberos password.
-
-<sect2> Session component
-
-<p>
-<descrip>
-
-<tag><bf>Recognized arguments:</bf></tag>
-
-<tag><bf>Description:</bf></tag>
-
-This component of the module currently sets the user's <tt/KRBTKFILE/
-environment variable (although there is currently no way to export
-this), as well as deleting the user's ticket file upon logout (until
-<tt/PAM_CRED_DELETE/ is supported by <em/login/).
-
-<tag><bf>Examples/suggested usage:</bf></tag>
-
-This part of the module won't be terribly useful until we can change
-the environment from within a <tt/Linux-PAM/ module.
-
-</descrip>
-
-<sect2> Password component
-
-<p>
-<descrip>
-
-<tag><bf>Recognized arguments:</bf></tag>
-<tt/use_first_pass/; <tt/try_first_pass/
-
-<tag><bf>Description:</bf></tag>
-
-This component of the module changes a user's Kerberos password
-by first getting and using the user's old password to get
-a session key for the password changing service, then sending
-a new password to that service.
-
-<tag><bf>Examples/suggested usage:</bf></tag>
-
-This should only be used with a real Kerberos v4 <tt/kadmind/. It
-cannot be used with an AFS kaserver unless special provisions are
-made. Contact the module author for more information.
-
-</descrip>
-
-<sect2> Authentication component
-
-<p>
-<descrip>
-
-<tag><bf>Recognized arguments:</bf></tag>
-<tt/use_first_pass/; <tt/try_first_pass/
-
-<tag><bf>Description:</bf></tag>
-
-This component of the module verifies a user's Kerberos password
-by requesting a ticket granting ticket from the Kerberos server
-and optionally using it to attempt to retrieve the local computer's
-host key and verifying using the key file on the local machine if
-one exists.
-
-It also writes out a ticket file for the user to use later, and
-deletes the ticket file upon logout (not until <tt/PAM_CRED_DELETE/
-is called from <em/login/).
-
-<tag><bf>Examples/suggested usage:</bf></tag>
-
-This module can be used with a real Kerberos server using MIT
-v4 Kerberos keys. The module or the system Kerberos libraries
-may be modified to support AFS style Kerberos keys. Currently
-this is not supported to avoid cryptography constraints.
-
-</descrip>
-
-<!--
-End of sgml insert for this module.
--->
diff --git a/contrib/libpam/doc/modules/pam_lastlog.sgml b/contrib/libpam/doc/modules/pam_lastlog.sgml
deleted file mode 100644
index 8c0e662..0000000
--- a/contrib/libpam/doc/modules/pam_lastlog.sgml
+++ /dev/null
@@ -1,119 +0,0 @@
-<!--
- $Id: pam_mail.sgml,v 1.2 1997/02/15 18:25:44 morgan Exp $
-
- This file was written by Andrew G. Morgan <morgan@parc.power.net>
--->
-
-<sect1>The last login module
-
-<sect2>Synopsis
-
-<p>
-<descrip>
-
-<tag><bf>Module Name:</bf></tag>
-<tt/pam_lastlog/
-
-<tag><bf>Author:</bf></tag>
-Andrew G. Morgan &lt;morgan@parc.power.net&gt;
-
-<tag><bf>Maintainer:</bf></tag>
-Author
-
-<tag><bf>Management groups provided:</bf></tag>
-auth
-
-<tag><bf>Cryptographically sensitive:</bf></tag>
-
-<tag><bf>Security rating:</bf></tag>
-
-<tag><bf>Clean code base:</bf></tag>
-
-<tag><bf>System dependencies:</bf></tag>
-uses information contained in the <tt>/var/log/wtmp</tt> file.
-
-<tag><bf>Network aware:</bf></tag>
-
-</descrip>
-
-<sect2>Overview of module
-
-<p>
-This session module maintains the <tt>/var/log/wtmp</tt> file. Adding
-an open entry when called via the <tt>pam_open_seesion()</tt> function
-and completing it when <tt>pam_close_session()</tt> is called. This
-module can also display a line of information about the last login of
-the user. If an application already performs these tasks, it is not
-necessary to use this module.
-
-<sect2>Authentication component
-
-<p>
-<descrip>
-
-<tag><bf>Recognized arguments:</bf></tag>
-<tt/debug/; <tt/nodate/; <tt/noterm/; <tt/nohost/; <tt/silent/;
-<tt/never/
-
-<tag><bf>Description:</bf></tag>
-
-<p>
-This module can be used to provide a ``Last login on ...''
-message. when the user logs into the system from what ever application
-uses the PAM libraries. In addition, the module maintains the
-<tt>/var/log/wtmp</tt> file.
-
-<p>
-The behavior of this module can be modified with one of the following
-flags:
-
-<p>
-<itemize>
-<item><tt/debug/
-- write more information to <tt/syslog(3)/.
-
-<item><tt/nodate/
-- neglect to give the date of the last login when displaying
-information about the last login on the system.
-
-<item><tt/noterm/
-- neglect to diplay the terminal name on which the last login was
-attempt.
-
-<item><tt/nohost/
-- neglect to indicate from which host the last login was attempted.
-
-<item><tt/silent/
-- neglect to inform the user about any previous login: just update
-the <tt>/var/log/wtmp</tt> file.
-
-<item><tt/never/
-- if the <tt>/var/log/wtmp</tt> file does not contain any old entries
-for the user, indicate that the user has never previously logged in
-with a ``welcome..." message.
-
-</itemize>
-
-<tag><bf>Examples/suggested usage:</bf></tag>
-
-This module can be used to indicate that the user has new mail when
-they <em/login/ to the system. Here is a sample entry for your
-<tt>/etc/pam.conf</tt> file:
-<tscreen>
-<verb>
-#
-# do we have any mail?
-#
-login session optional pam_lastlog.so
-</verb>
-</tscreen>
-
-<p>
-Note, some applications may perform this function themselves. In such
-cases, this module is not necessary.
-
-</descrip>
-
-<!--
-End of sgml insert for this module.
--->
diff --git a/contrib/libpam/doc/modules/pam_limits.sgml b/contrib/libpam/doc/modules/pam_limits.sgml
deleted file mode 100644
index 6b98ea6..0000000
--- a/contrib/libpam/doc/modules/pam_limits.sgml
+++ /dev/null
@@ -1,196 +0,0 @@
-<!--
- $Id: pam_limits.sgml,v 1.2 1997/02/15 18:25:44 morgan Exp $
-
- This file was written by Andrew G. Morgan <morgan@parc.power.net>
- from information compiled by Cristian Gafton (author of module)
--->
-
-<sect1>The resource limits module
-
-<sect2>Synopsis
-
-<p>
-<descrip>
-
-<tag><bf>Module Name:</bf></tag>
-<tt/pam_limits/
-
-<tag><bf>Authors:</bf></tag>
-Cristian Gafton &lt;gafton@redhat.com&gt; <newline>
-Thanks are also due to Elliot Lee &lt;sopwith@redhat.com&gt;
-for his comments on improving this module.
-
-<tag><bf>Maintainer:</bf></tag>
-Cristian Gafton - 1996/11/20
-
-<tag><bf>Management groups provided:</bf></tag>
-session
-
-<tag><bf>Cryptographically sensitive:</bf></tag>
-
-<tag><bf>Security rating:</bf></tag>
-
-<tag><bf>Clean code base:</bf></tag>
-
-<tag><bf>System dependencies:</bf></tag>
-requires an <tt>/etc/security/limits.conf</tt> file and kernel support
-for resource limits. Also uses the library, <tt/libpwdb/.
-
-<tag><bf>Network aware:</bf></tag>
-
-</descrip>
-
-<sect2>Overview of module
-
-<p>
-This module, through the <bf/Linux-PAM/ <em/open/-session hook, sets
-limits on the system resources that can be obtained in a
-user-session. Its actions are dictated more explicitly through the
-configuration file discussed below.
-
-<sect2>Session component
-
-<p>
-<descrip>
-
-<tag><bf>Recognized arguments:</bf></tag>
-<tt/debug/; <tt>conf=/path/to/file.conf</tt>
-
-<tag><bf>Description:</bf></tag>
-
-Through the contents of the configuration file,
-<tt>/etc/security/limits.conf</tt>, resource limits are placed on
-users' sessions. Users of <tt/uid=0/ are not affected by this
-restriction.
-
-<p>
-The behavior of this module can be modified with the following
-arguments:
-<itemize>
-
-<item><tt/debug/ -
-verbose logging to <tt/syslog(3)/.
-
-<item><tt>conf=/path/to/file.conf</tt> -
-indicate an alternative <em/limits/ configuration file to the default.
-
-</itemize>
-
-<tag><bf>Examples/suggested usage:</bf></tag>
-
-In order to use this module the system administrator must first create
-a <em/root-only-readable/ file (default is
-<tt>/etc/security/limits.conf</tt>). This file describes the resource
-limits the superuser wishes to impose on users and groups. No limits
-are imposed on <tt/uid=0/ accounts.
-
-<p>
-Each line of the configuration file describes a limit for a user in
-the form:
-<tscreen>
-<verb>
-<domain> <type> <item> <value>
-</verb>
-</tscreen>
-
-<p>
-The fields listed above should be filled as follows...<newline>
-<tt>&lt;domain&gt;</tt> can be:
-<itemize>
-<item> a username
-<item> a groupname, with <tt>@group</tt> syntax
-<item> the wild-card <tt/*/, for default entry
-</itemize>
-
-<p>
-<tt>&lt;type&gt;</tt> can have the two values:
-<itemize>
-
-<item> <tt/hard/ for enforcing <em/hard/ resource limits. These limits
-are set by the superuser and enforced by the Linux Kernel. The user
-cannot raise his requirement of system resources above such values.
-
-<item> <tt/soft/ for enforcing <em/soft/ resource limits. These limits
-are ones that the user can move up or down within the permitted range
-by any pre-exisiting <em/hard/ limits. The values specified with this
-token can be thought of as <em/default/ values, for normal system
-usage.
-
-</itemize>
-
-<p>
-<tt>&lt;item&gt;</tt> can be one of the following:
-<itemize>
-<item><tt/core/ - limits the core file size (KB)
-<item><tt/data/ - max data size (KB)
-<item><tt/fsize/ - maximum filesize (KB)
-<item><tt/memlock/ - max locked-in-memory address space (KB)
-<item><tt/nofile/ - max number of open files
-<item><tt/rss/ - max resident set size (KB)
-<item><tt/stack/ - max stack size (KB)
-<item><tt/cpu/ - max CPU time (MIN)
-<item><tt/nproc/ - max number of processes
-<item><tt/as/ - address space limit
-<item><tt/maxlogins/ - max number of logins for this user.
-</itemize>
-
-<p>
-To completely disable limits for a user (or a group), a single dash
-(-) will do (Example: ``<tt/bin -/'', ``<tt/@admin -/''). Please
-remember that individual limits have priority over group limits, so if
-you impose no limits for <tt/admin/ group, but one of the members in this
-group have a limits line, the user will have its limits set according
-to this line.
-
-<p>
-Also, please note that all limit settings are set <em/per login/.
-They are not global, nor are they permanent; existing only for the
-duration of the session.
-
-<p>
-In the <em/limits/ configuration file, the ``<tt/#/'' character
-introduces a comment - after which the rest of the line is ignored.
-
-<p>
-The <tt/pam_limits/ module does its best to report configuration
-problems found in its configuration file via <tt/syslog(3)/.
-
-<p>
-The following is an example configuration file:
-<tscreen>
-<verb>
-# EXAMPLE /etc/security/limits.conf file:
-# =======================================
-# <domain> <type> <item> <value>
-* soft core 0
-* hard rss 10000
-@student hard nproc 20
-@faculty soft nproc 20
-@faculty hard nproc 50
-ftp hard nproc 0
-@student - maxlogins 4
-</verb>
-</tscreen>
-Note, the use of <tt/soft/ and <tt/hard/ limits for the same resource
-(see <tt/@faculty/) -- this establishes the <em/default/ and permitted
-<em/extreme/ level of resources that the user can can obtain in a
-given service-session.
-
-<p>
-For the services that need resources limits (login for example) put a
-the following line in <tt>/etc/pam.conf</tt> as the last line for that
-service (usually after the pam_unix session line:
-<tscreen>
-<verb>
-#
-# Resource limits imposed on login sessions via pam_limits
-#
-login session required pam_limits.so
-</verb>
-</tscreen>
-
-</descrip>
-
-<!--
-End of sgml insert for this module.
--->
diff --git a/contrib/libpam/doc/modules/pam_listfile.sgml b/contrib/libpam/doc/modules/pam_listfile.sgml
deleted file mode 100644
index fe4a0d2..0000000
--- a/contrib/libpam/doc/modules/pam_listfile.sgml
+++ /dev/null
@@ -1,138 +0,0 @@
-<!--
- $Id: pam_listfile.sgml,v 1.3 1997/02/15 18:25:44 morgan Exp $
-
- This file was written by Michael K. Johnson <johnsonm@redhat.com>
--->
-
-<sect1>The list-file module
-
-<sect2>Synopsis
-
-<p>
-<descrip>
-
-<tag><bf>Module Name:</bf></tag>
-<tt/pam_listfile/
-
-<tag><bf>Author:</bf></tag>
-Elliot Lee <tt>&lt;sopwith@cuc.edu&gt;</tt>
-
-<tag><bf>Maintainer:</bf></tag>
-Red Hat Software:<newline>
-Michael K. Johnson &lt;johnsonm@redhat.com&gt; 1996/11/18<newline>
-(if unavailable, contact Elliot Lee &lt;sopwith@cuc.edu&gt;).
-
-<tag><bf>Management groups provided:</bf></tag>
-authentication
-
-<tag><bf>Cryptographically sensitive:</bf></tag>
-
-<tag><bf>Security rating:</bf></tag>
-
-<tag><bf>Clean code base:</bf></tag>
-clean
-
-<tag><bf>System dependencies:</bf></tag>
-
-<tag><bf>Network aware:</bf></tag>
-
-</descrip>
-
-<sect2>Overview of module
-
-<p>
-The list-file module provides a way to deny or allow services based on
-an arbitrary file.
-
-<sect2>Authentication component
-
-<p>
-<descrip>
-
-<tag><bf>Recognized arguments:</bf></tag>
-
-<tt>onerr=succeed|fail</tt>;
-<tt>sense=allow|deny</tt>;
-<tt>file=</tt><it>filename</it>;
-<tt>item=user|tty|rhost|ruser|group|shell</tt>
-<tt>apply=user|@group</tt>
-
-<tag><bf>Description:</bf></tag>
-
-The module gets the item of the type specified -- <tt>user</tt> specifies
-the username, <tt>PAM_USER</tt>; tty specifies the name of the terminal
-over which the request has been made, <tt>PAM_TTY</tt>; rhost specifies
-the name of the remote host (if any) from which the request was made,
-<tt>PAM_RHOST</tt>; and ruser specifies the name of the remote user
-(if available) who made the request, <tt>PAM_RUSER</tt> -- and looks for
-an instance of that item in the file <it>filename</it>. <it>filename</it>
-contains one line per item listed. If the item is found, then if
-<tt>sense=allow</tt>, <tt>PAM_SUCCESS</tt> is returned, causing the
-authorization request to succeed; else if <tt>sense=deny</tt>,
-<tt>PAM_AUTH_ERR</tt> is returned, causing the authorization
-request to fail.
-
-<p>
-If an error is encountered (for instance, if <it>filename</it>
-does not exist, or a poorly-constructed argument is encountered),
-then if <tt>onerr=succeed</tt>, <tt>PAM_SUCCESS</tt> is returned,
-otherwise if <tt>onerr=fail</tt>, <tt>PAM_AUTH_ERR</tt> or
-<tt>PAM_SERVICE_ERR</tt> (as appropriate) will be returned.
-
-<p>
-An additional argument, <tt>apply=</tt>, can be used to restrict the
-application of the above to a specific user
-(<tt>apply=</tt><em>username</em>) or a given group
-(<tt>apply=@</tt><em>groupname</em>). This added restriction is only
-meaningful when used with the <tt/tty/, <tt/rhost/ and <tt/shell/
-<em/items/.
-
-<p>
-Besides this last one, all arguments should be specified; do not count
-on any default behavior, as it is subject to change.
-
-<p>
-No credentials are awarded by this module.
-
-<tag><bf>Examples/suggested usage:</bf></tag>
-
-Classic ``ftpusers'' authentication can be implemented with this entry
-in <tt>/etc/pam.conf</tt>:
-<tscreen>
-<verb>
-#
-# deny ftp-access to users listed in the /etc/ftpusers file
-#
-ftp auth required pam_listfile.so \
- onerr=succeed item=user sense=deny file=/etc/ftpusers
-</verb>
-</tscreen>
-Note, users listed in <tt>/etc/ftpusers</tt> file are
-(counterintuitively) <bf/not/ allowed access to the ftp service.
-
-<p>
-To allow login access only for certain users, you can use an
-pam.conf entry like this:
-<tscreen>
-<verb>
-#
-# permit login to users listed in /etc/loginusers
-#
-login auth required pam_listfile.so \
- onerr=fail item=user sense=allow file=/etc/loginusers
-</verb>
-</tscreen>
-
-<p>
-For this example to work, all users who are allowed to use the login
-service should be listed in the file <tt>/etc/loginusers</tt>. Unless
-you are explicitly trying to lock out root, make sure that when you do
-this, you leave a way for root to log in, either by listing root in
-<tt>/etc/loginusers</tt>, or by listing a user who is able to <em/su/
-to the root account.
-
-</descrip>
-
-<!--
-End of sgml insert for this module.
--->
diff --git a/contrib/libpam/doc/modules/pam_mail.sgml b/contrib/libpam/doc/modules/pam_mail.sgml
deleted file mode 100644
index 9a99f20..0000000
--- a/contrib/libpam/doc/modules/pam_mail.sgml
+++ /dev/null
@@ -1,124 +0,0 @@
-<!--
- $Id: pam_mail.sgml,v 1.2 1997/02/15 18:25:44 morgan Exp $
-
- This file was written by Andrew G. Morgan <morgan@parc.power.net>
--->
-
-<sect1>The mail module
-
-<sect2>Synopsis
-
-<p>
-<descrip>
-
-<tag><bf>Module Name:</bf></tag>
-<tt/pam_mail/
-
-<tag><bf>Author:</bf></tag>
-Andrew G. Morgan &lt;morgan@parc.power.net&gt;
-
-<tag><bf>Maintainer:</bf></tag>
-Author
-
-<tag><bf>Management groups provided:</bf></tag>
-auth
-
-<tag><bf>Cryptographically sensitive:</bf></tag>
-
-<tag><bf>Security rating:</bf></tag>
-
-<tag><bf>Clean code base:</bf></tag>
-
-<tag><bf>System dependencies:</bf></tag>
-Default mail directory <tt>/var/spool/mail/</tt>
-
-<tag><bf>Network aware:</bf></tag>
-
-</descrip>
-
-<sect2>Overview of module
-
-<p>
-This module looks at the user's mail directory and indicates
-whether the user has any mail in it.
-
-<sect2>Authentication component
-
-<p>
-<descrip>
-
-<tag><bf>Recognized arguments:</bf></tag>
-<tt/debug/; <tt/dir=/<em/direcory-name/; <tt/nopen/; <tt/close/;
-<tt/noenv/; <tt/empty/
-
-<tag><bf>Description:</bf></tag>
-
-This module provides the ``you have new mail'' service to the user. It
-can be plugged into any application that has credential hooks. It gives a
-single message indicating the <em/newness/ of any mail it finds in the
-user's mail folder. This module also sets the <bf/Linux-PAM/
-environment variable, <tt/MAIL/, to the user's mail directory.
-
-<p>
-Although the module supplies functions for the authentication
-management group of functions, it cannot be used to authenticate a
-user; its authentication function instructs <tt/libpam/ to simply
-ignore it when authenticating the user.
-
-<p>
-The behavior of this module can be modified with one of the following
-flags:
-
-<p>
-<itemize>
-<item><tt/debug/
-- write more information to <tt/syslog(3)/.
-
-<item><tt/dir=/<em/pathname/
-- look for the users' mail in an alternative directory given by
-<em/pathname/. The default location for mail is
-<tt>/var/spool/mail</tt>. Note, if the supplied <em/pathname/ is
-prefixed by a `<tt/&tilde;/', the directory is interpreted as
-indicating a file in the user's home directory.
-
-<item><tt/nopen/
-- instruct the module to <em/not/ print any mail information when the
-user's credentials are acquired. This flag is useful to get the <tt/MAIL/
-environment variable set, but to not display any information about it.
-
-<item><tt/close/
-- instruct the module to indicate if the user has any mail at the as
-the user's credentials are revoked.
-
-<item><tt/noenv/
-- do not set the <tt/MAIL/ environment variable.
-
-<item><tt/empty/
-- indicate that the user's mail directory is empty if this is found to
-be the case.
-
-</itemize>
-
-<tag><bf>Examples/suggested usage:</bf></tag>
-
-This module can be used to indicate that the user has new mail when
-they <em/login/ to the system. Here is a sample entry for your
-<tt>/etc/pam.conf</tt> file:
-<tscreen>
-<verb>
-#
-# do we have any mail?
-#
-login auth optional pam_mail.so
-</verb>
-</tscreen>
-
-<p>
-Note, some applications may perform this function themselves. In such
-cases, this module is not necessary.
-
-</descrip>
-
-<!--
-End of sgml insert for this module.
--->
diff --git a/contrib/libpam/doc/modules/pam_nologin.sgml b/contrib/libpam/doc/modules/pam_nologin.sgml
deleted file mode 100644
index de4b32a..0000000
--- a/contrib/libpam/doc/modules/pam_nologin.sgml
+++ /dev/null
@@ -1,75 +0,0 @@
-<!--
- $Id: pam_nologin.sgml,v 1.2 1997/01/04 21:56:55 morgan Exp $
-
- This file was written by Michael K. Johnson <johnsonm@redhat.com>
--->
-
-<sect1>The no-login module
-
-<sect2>Synopsis
-
-<p>
-<descrip>
-
-<tag><bf>Module Name:</bf></tag>
-<tt/pam_nologin/
-
-<tag><bf>Author:</bf></tag>
-Written by Michael K. Johnson &lt;johnsonm@redhat.com&gt;<newline>
-(based on code taken from a module written by Andrew G. Morgan
-&lt;morgan@parc.power.net&gt;).
-
-<tag><bf>Maintainer:</bf></tag>
-Michael K. Johnson &lt;johnsonm@redhat.com&gt;
-
-<tag><bf>Management groups provided:</bf></tag>
-authentication
-
-<tag><bf>Cryptographically sensitive:</bf></tag>
-
-<tag><bf>Security rating:</bf></tag>
-
-<tag><bf>Clean code base:</bf></tag>
-1 warning about dropping const
-
-<tag><bf>System dependencies:</bf></tag>
-
-<tag><bf>Network aware:</bf></tag>
-
-</descrip>
-
-<sect2>Overview of module
-
-<p>
-Provides standard Unix <em/nologin/ authentication.
-
-<sect2>Authentication component
-
-<p>
-<descrip>
-
-<tag><bf>Recognized arguments:</bf></tag>
-
-<tag><bf>Description:</bf></tag>
-
-Provides standard Unix <em/nologin/ authentication. If the file
-<tt>/etc/nologin</tt> exists, only root is allowed to log in; other
-users are turned away with an error message. All users (root or
-otherwise) are shown the contents of <tt>/etc/nologin</tt>.
-
-<p>
-If the file <tt>/etc/nologin</tt> does not exist, this module succeeds
-silently.
-
-<tag><bf>Examples/suggested usage:</bf></tag>
-
-In order to make this module effective, all login methods should
-be secured by it. It should be used as a <tt>required</tt>
-method listed before any <tt>sufficient</tt> methods in order to
-get standard Unix nologin semantics.
-
-</descrip>
-
-<!--
-End of sgml insert for this module.
--->
diff --git a/contrib/libpam/doc/modules/pam_permit.sgml b/contrib/libpam/doc/modules/pam_permit.sgml
deleted file mode 100644
index 84df9fc..0000000
--- a/contrib/libpam/doc/modules/pam_permit.sgml
+++ /dev/null
@@ -1,83 +0,0 @@
-<!--
- $Id: pam_permit.sgml,v 1.2 1997/02/15 18:20:12 morgan Exp $
-
- This file was written by Andrew G. Morgan <morgan@parc.power.net>
--->
-
-<sect1>The promiscuous module
-
-<sect2>Synopsis
-
-<p>
-<descrip>
-
-<tag><bf>Module Name:</bf></tag>
-pam_permit
-
-<tag><bf>Author:</bf></tag>
-Andrew G. Morgan, &lt;morgan@parc.power.net&gt;
-
-<tag><bf>Maintainer:</bf></tag>
-Linux-PAM maintainer.
-
-<tag><bf>Management groups provided:</bf></tag>
-account; authentication; password; session
-
-<tag><bf>Cryptographically sensitive:</bf></tag>
-
-<tag><bf>Security rating:</bf></tag>
-VERY LOW. Use with extreme caution.
-
-<tag><bf>Clean code base:</bf></tag>
-Clean.
-
-<tag><bf>System dependencies:</bf></tag>
-
-<tag><bf>Network aware:</bf></tag>
-
-</descrip>
-
-<sect2>Overview of module
-
-<p>
-This module is very dangerous. It should be used with extreme
-caution. Its action is always to permit access. It does nothing else.
-
-<sect2>Account+Authentication+Password+Session components
-
-<p>
-<descrip>
-
-<tag><bf>Recognized arguments:</bf></tag>
-
-<tag><bf>Description:</bf></tag>
-
-No matter what management group, the action of this module is to
-simply return <tt/PAM_SUCCESS/ -- operation successful.
-
-<p>
-In the case of authentication, the user's name will be acquired. Many
-applications become confused if this name is unknown.
-
-<tag><bf>Examples/suggested usage:</bf></tag>
-
-It is seldom a good idea to use this module. However, it does have
-some legitimate uses. For example, if the system-administrator wishes
-to turn off the account management on a workstation, and at the same
-time continue to allow logins, then she might use the following
-configuration file entry for login:
-<tscreen>
-<verb>
-#
-# add this line to your other login entries to disable account
-# management, but continue to permit users to log in...
-#
-login account required pam_permit.so
-</verb>
-</tscreen>
-
-</descrip>
-
-<!--
-End of sgml insert for this module.
--->
diff --git a/contrib/libpam/doc/modules/pam_pwdb.sgml b/contrib/libpam/doc/modules/pam_pwdb.sgml
deleted file mode 100644
index c9f7bff..0000000
--- a/contrib/libpam/doc/modules/pam_pwdb.sgml
+++ /dev/null
@@ -1,245 +0,0 @@
-<!--
- $Id: pam_pwdb.sgml,v 1.3 1997/04/05 06:50:42 morgan Exp morgan $
-
- This file was written by Andrew G. Morgan <morgan@parc.power.net>
--->
-
-<sect1>The Password-Database module
-
-<sect2>Synopsis
-
-<p>
-<descrip>
-
-<tag><bf>Module Name:</bf></tag>
-pam_pwdb
-
-<tag><bf>Author:</bf></tag>
-Cristian Gafton &lt;gafton@redhat.com&gt; <newline>
-and Andrew G. Morgan &lt;morgan@parc.power.net&gt;
-
-<tag><bf>Maintainer:</bf></tag>
-Authors.
-
-<tag><bf>Management groups provided:</bf></tag>
-account; authentication; password; session
-
-<tag><bf>Cryptographically sensitive:</bf></tag>
-
-<tag><bf>Security rating:</bf></tag>
-
-<tag><bf>Clean code base:</bf></tag>
-
-<tag><bf>System dependencies:</bf></tag>
-Requires properly configured <tt/libpwdb/
-
-<tag><bf>Network aware:</bf></tag>
-
-</descrip>
-
-<sect2>Overview of module
-
-<p>
-This module is a pluggable replacement for the <tt/pam_unix_../
-modules. It uses the generic interface of the <em/Password Database/
-library
-<tt><htmlurl
-url="http://parc.power.net/morgan/libpwdb/index.html"
-name="http://parc.power.net/morgan/libpwdb/index.html"></tt>.
-
-<sect2>Account component
-
-<p>
-<descrip>
-
-<tag><bf>Recognized arguments:</bf></tag>
-<tt/debug/
-
-<tag><bf>Description:</bf></tag>
-
-The <tt/debug/ argument makes the accounting functions of this module
-<tt/syslog(3)/ more information on its actions. (Remaining arguments
-supported by the other functions of this module are silently ignored,
-but others are logged as errors through <tt/syslog(3)/).
-
-Based on the following <tt/pwdb_element/s:
-<tt/expire/;
-<tt/last_change/;
-<tt/max_change/;
-<tt/defer_change/;
-<tt/warn_change/,
-this module performs the task of establishing the status of the user's
-account and password. In the case of the latter, it may offer advice
-to the user on changing their password or, through the
-<tt/PAM_AUTHTOKEN_REQD/ return, delay giving service to the user until
-they have established a new password. The entries listed above are
-documented in the <em/Password Database Library Guide/ (see pointer
-above). Should the user's record not contain one or more of these
-entries, the corresponding <em/shadow/ check is not performed.
-
-<tag><bf>Examples/suggested usage:</bf></tag>
-
-In its accounting mode, this module can be inserted as follows:
-<tscreen>
-<verb>
-#
-# Ensure users account and password are still active
-#
-login account required pam_pwdb.so
-</verb>
-</tscreen>
-
-</descrip>
-
-<sect2>Authentication component
-
-<p>
-<descrip>
-
-<tag><bf>Recognized arguments:</bf></tag>
-<tt/debug/;
-<tt/use_first_pass/;
-<tt/try_first_pass/;
-<tt/nullok/;
-<tt/nodelay/
-
-<tag><bf>Description:</bf></tag>
-
-The <tt/debug/ argument makes the authentication functions of this
-module <tt/syslog(3)/ more information on its actions.
-
-<p>
-The default action of this module is to not permit the user access to
-a service if their <em/official/ password is blank. The <tt/nullok/
-argument overrides this default.
-
-<p>
-When given the argument <tt/try_first_pass/, before prompting the user
-for their password, the module first tries the previous stacked
-<tt/auth/-module's password in case that satisfies this module as
-well. The argument <tt/use_first_pass/ forces the module to use such a
-recalled password and will never prompt the user - if no password is
-available or the password is not appropriate, the user will be denied
-access.
-
-<p>
-The argument, <tt>nodelay</tt>, can be used to discourage the
-authentication component from requesting a delay should the
-authentication as a whole fail. The default action is for the module
-to request a delay-on-failure of the order of one second.
-
-<p>
-Remaining arguments, supported by the other functions of this module,
-are silently ignored. Other arguments are logged as errors through
-<tt/syslog(3)/.
-
-<p>
-A helper binary, <tt>pwdb_chkpwd</tt>, is provided to check the user's
-password when it is stored in a read protected database. This binary
-is very simple and will only check the password of the user invoking
-it. It is called transparently on behalf of the user by the
-authenticating component of this module. In this way it is possible
-for applications like <em>xlock</em> to work without being setuid-root.
-
-<tag><bf>Examples/suggested usage:</bf></tag>
-
-The correct functionality of this module is dictated by having an
-appropriate <tt>/etc/pwdb.conf</tt> file, the user
-databases specified there dictate the source of the authenticated
-user's record.
-
-</descrip>
-
-<sect2>Password component
-
-<p>
-<descrip>
-
-<tag><bf>Recognized arguments:</bf></tag>
-<tt/debug/; <tt/nullok/; <tt/not_set_pass/; <tt/use_authtok/;
-<tt/try_first_pass/; <tt/use_first_pass/; <tt/md5/; <tt/bigcrypt/;
-<tt/shadow/; <tt/radius/; <tt/unix/
-
-<tag><bf>Description:</bf></tag>
-
-This part of the <tt/pam_pwdb/ module performs the task of updating
-the user's password. Thanks to the flexibility of <tt/libpwdb/ this
-module is able to move the user's password from one database to
-another, perhaps securing the user's database entry in a dynamic
-manner (<em/this is very ALPHA code at the moment!/) - this is the
-purpose of the <tt/shadow/, <tt/radius/ and <tt/unix/ arguments.
-
-<p>
-In the case of conventional unix databases (which store the password
-encrypted) the <tt/md5/ argument is used to do the encryption with the
-MD5 function as opposed to the <em/conventional/ <tt/crypt(3)/ call.
-As an alternative to this, the <tt/bigcrypt/ argument can be used to
-encrypt more than the first 8 characters of a password with DEC's
-(Digital Equipment Cooperation) `C2' extension to the standard UNIX
-<tt/crypt()/ algorithm.
-
-<p>
-The <tt/nullok/ module is used to permit the changing of a password
-<em/from/ an empty one. Without this argument, empty passwords are
-treated as account-locking ones.
-
-<p>
-The argument <tt/use_first_pass/ is used to lock the choice of old and
-new passwords to that dictated by the previously stacked <tt/password/
-module. The <tt/try_first_pass/ argument is used to avoid the user
-having to re-enter an old password when <tt/pam_pwdb/ follows a module
-that possibly shared the user's old password - if this old password is
-not correct the user will be prompted for the correct one. The
-argument <tt/use_authtok/ is used to <em/force/ this module to set the
-new password to the one provided by the previously stacked
-<tt/password/ module (this is used in an example of the stacking of
-the <em/Cracklib/ module documented above).
-
-<p>
-The <tt/not_set_pass/ argument is used to inform the module that it is
-not to pay attention to/make available the old or new passwords from/to
-other (stacked) password modules.
-
-<p>
-The <tt/debug/ argument makes the password functions of this module
-<tt/syslog(3)/ more information on its actions. Other arguments may be
-logged as erroneous to <tt/syslog(3)/.
-
-<tag><bf>Examples/suggested usage:</bf></tag>
-
-An example of the stacking of this module with respect to the
-pluggable password checking module, <tt/pam_cracklib/, is given in
-that modules section above.
-</descrip>
-
-<sect2>Session component
-
-<p>
-<descrip>
-
-<tag><bf>Recognized arguments:</bf></tag>
-
-<tag><bf>Description:</bf></tag>
-
-No arguments are recognized by this module component. Its action is
-simply to log the username and the service-type to
-<tt/syslog(3)/. Messages are logged at the beginning and end of the
-user's session.
-
-<tag><bf>Examples/suggested usage:</bf></tag>
-
-The use of the session modules is straightforward:
-<tscreen>
-<verb>
-#
-# pwdb - unix like session opening and closing
-#
-login session required pam_pwdb.so
-</verb>
-</tscreen>
-
-</descrip>
-
-<!--
-End of sgml insert for this module.
--->
diff --git a/contrib/libpam/doc/modules/pam_radius.sgml b/contrib/libpam/doc/modules/pam_radius.sgml
deleted file mode 100644
index 4d5f39a..0000000
--- a/contrib/libpam/doc/modules/pam_radius.sgml
+++ /dev/null
@@ -1,117 +0,0 @@
-<!--
- $Id: pam_radius.sgml,v 1.2 1997/02/15 18:25:44 morgan Exp $
-
- This file was written by Cristian Gafton <gafton@redhat.com>
--->
-
-<sect1>The RADIUS session module
-
-<sect2>Synopsis
-
-<p>
-<descrip>
-
-<tag><bf>Module Name:</bf></tag>
-<tt/pam_radius/
-
-<tag><bf>Author:</bf></tag>
-Cristian Gafton &lt;gafton@redhat.com&gt;
-
-<tag><bf>Maintainer:</bf></tag>
-Author.
-
-<tag><bf>Management groups provided:</bf></tag>
-session
-
-<tag><bf>Cryptographically sensitive:</bf></tag>
-This module does not deal with passwords
-
-<tag><bf>Security rating:</bf></tag>
-
-<tag><bf>Clean code base:</bf></tag>
-gcc reports 1 warning when compiling <tt>/usr/include/rpc/clnt.h</tt>.
-Hey, is not my fault !
-
-<tag><bf>System dependencies:</bf></tag>
-
-<tag><bf>Network aware:</bf></tag>
-
-yes; this is a network module (independent of application).
-
-</descrip>
-
-<sect2>Overview of module
-
-<p>
-This module is intended to provide the session service for users
-autheticated with a RADIUS server. At the present stage, the only
-option supported is the use of the RADIUS server as an accounting
-server.
-
-<sect2>Session component
-
-<p>
-<descrip>
-
-<tag><bf>Recognized arguments:</bf></tag>
-
-<tt/debug/ - verbose logging to <tt/syslog(3)/.
-
-<tag><bf>Description:</bf></tag>
-
-This module is intended to provide the session service for users
-autheticated with a RADIUS server. At the present stage, the only
-option supported is the use of the RADIUS server as an <em/accounting/
-server.
-
-<p>
-(There are few things which needs to be cleared out first in
-the PAM project until one will be able to use this module and expect
-it to magically start pppd in response to a RADIUS server command to
-use PPP for this user, or to initiate a telnet connection to another
-host, or to hang and call back the user using parameters provided in
-the RADIUS server response. Most of these things are better suited for
-the radius login application. I hope to make available Real Soon (tm)
-patches for the login apps to make it work this way.)
-
-<p>
-When opening a session, this module sends an ``Accounting-Start''
-message to the RADIUS server, which will log/update/whatever a
-database for this user. On close, an ``Accounting-Stop'' message is
-sent to the RADIUS server.
-
-<p>
-This module has no other prerequisites for making it work. One can
-install a RADIUS server just for fun and use it as a centralized
-accounting server and forget about wtmp/last/sac etc. .
-
-<tag><bf>Examples/suggested usage:</bf></tag>
-
-For the services that need this module (<em/login/ for example) put
-the following line in <tt>/etc/pam.conf</tt> as the last line for that
-service (usually after the pam_unix session line):
-<tscreen>
-<verb>
-login session required pam_radius.so
-</verb>
-</tscreen>
-Replace <tt/login/ for each service you are using this module.
-
-<p>
-This module make extensive use of the API provided in libpwdb
-0.54preB or later. By default, it will read the radius server
-configuration (hostname and secret) from <tt>/etc/raddb/server</tt>.
-This is a default compiled into libpwdb, and curently there is no way to
-modify this default without recompiling libpwdb. I am working on
-extending the radius support from libpwdb to provide a possibility
-to make this runtime-configurable.
-
-Also please note that libpwdb will require also the RADIUS
-dictionary to be present (<tt>/etc/raddb/dictionary</tt>).
-
-</descrip>
-
-<!--
-End of sgml insert for this module.
--->
-
diff --git a/contrib/libpam/doc/modules/pam_rhosts.sgml b/contrib/libpam/doc/modules/pam_rhosts.sgml
deleted file mode 100644
index 9100102..0000000
--- a/contrib/libpam/doc/modules/pam_rhosts.sgml
+++ /dev/null
@@ -1,157 +0,0 @@
-<!--
- $Id: pam_rhosts.sgml,v 1.4 1997/04/05 06:50:42 morgan Exp $
-
- This file was written by Andrew G. Morgan <morgan@parc.power.net>
--->
-
-<sect1>The rhosts module
-
-<sect2>Synopsis
-
-<p>
-<descrip>
-
-<tag><bf>Module Name:</bf></tag>
-<tt/pam_rhosts_auth/
-
-<tag><bf>Author:</bf></tag>
-Al Longyear &lt;longyear@netcom.com&gt;
-
-<tag><bf>Maintainer:</bf></tag>
-
-<tag><bf>Management groups provided:</bf></tag>
-authentication
-
-<tag><bf>Cryptographically sensitive:</bf></tag>
-
-<tag><bf>Security rating:</bf></tag>
-
-<tag><bf>Clean code base:</bf></tag>
-Clean.
-
-<tag><bf>System dependencies:</bf></tag>
-
-<tag><bf>Network aware:</bf></tag>
-Standard <tt/inet_addr()/, <tt/gethostbyname()/ function calls.
-
-</descrip>
-
-<sect2>Overview of module
-
-<p>
-This module performs the standard network authentication for services,
-as used by traditional implementations of <em/rlogin/ and <em/rsh/
-etc.
-
-<sect2>Authentication component
-
-<p>
-<descrip>
-
-<tag><bf>Recognized arguments:</bf></tag>
-<tt/no_hosts_equiv/; <tt/no_rhosts/; <tt/debug/; <tt/no_warn/;
-<tt/privategroup/; <tt/promiscuous/; <tt/suppress/
-
-<tag><bf>Description:</bf></tag>
-
-The authentication mechanism of this module is based on the contents
-of two files; <tt>/etc/hosts.equiv</tt> (or <tt/_PATH_HEQUIV/ in
-<tt>#include &lt;netdb.h&gt;</tt>) and <tt>~/.rhosts</tt>. Firstly,
-hosts listed in the former file are treated as equivalent to the
-localhost. Secondly, entries in the user's own copy of the latter file
-is used to map "<tt/remote-host remote-user/" pairs to that user's
-account on the current host. Access is granted to the user if their
-host is present in <tt>/etc/hosts.equiv</tt> and their remote account
-is identical to their local one, or if their remote account has an
-entry in their personal configuration file.
-
-<p>
-Some restrictions are applied to the attributes of the user's personal
-configuration file: it must be a regular file (as defined by
-<tt/S_ISREG(x)/ of POSIX.1); it must be owned by the <em/superuser/ or
-the user; it must not be writable by any user besides its owner.
-
-<p>
-The module authenticates a remote user (internally specified by the
-item <tt/PAM_RUSER/) connecting from the remote host (internally
-specified by the item <tt/PAM_RHOST/). Accordingly, for applications
-to be compatible this authentication module they must set these items
-prior to calling <tt/pam_authenticate()/. The module is not capable
-of independently probing the network connection for such information.
-
-<p>
-In the case of <tt/root/-access, the <tt>/etc/host.equiv</tt> file is
-<em/ignored/. Instead, the superuser must have a correctly configured
-personal configuration file.
-
-<p>
-The behavior of the module is modified by flags:
-<itemize>
-<item>
-<tt/debug/ -
-log more information to <tt/syslog(3)/. (XXX - actually, this module
-does not do any logging currently, please volunteer to fix this!)
-
-<item>
-<tt/no_warn/ -
-do not give verbal warnings to the user about failures etc. (XXX -
-this module currently does not issue any warnings, please volunteer to
-fix this!)
-
-<item>
-<tt/no_hosts_equiv/ -
-ignore the contents of the <tt>/etc/hosts.equiv</tt> file.
-
-<item>
-<tt/no_rhosts/ -
-ignore the contents of all user's personal configuration file
-<tt>~/.rhosts</tt>.
-
-<item>
-<tt/privategroup/ -
-normally, the <tt>~/.rhosts</tt> file must not be writable by anyone
-other than its owner. This option overlooks group write access in the
-case that the group owner of this file has the same name as the
-user being authenticated. To lessen the security problems associated
-with this option, the module also checks that the user is the only
-member of their private group.
-
-<item>
-<tt/promiscuous/ -
-A host entry of `+' will lead to all hosts being granted
-access. Without this option, '+' entries will be ignored. Note, that
-the <tt/debug/ option will syslog a warning in this latter case.
-
-<item>
-<tt/suppress/ -
-This will prevent the module from <tt/syslog(3)/ing a warning message
-when this authentication fails. This option is mostly for keeping
-logs free of meaningless errors, in particular when the module is used
-with the <tt/sufficient/ control flag.
-
-</itemize>
-<tag><bf>Examples/suggested usage:</bf></tag>
-
-To allow users to login from trusted remote machines, you should try
-adding the following line to your <tt>/etc/pam.conf</tt> file
-<em/before/ the line that would otherwise prompt the user for a
-password:
-<tscreen>
-<verb>
-#
-# No passwords required for users from hosts listed above.
-#
-login auth sufficient pam_rhosts_auth.so no_rhosts
-</verb>
-</tscreen>
-Note, in this example, the system administrator has turned off all
-<em/personal/ <em/rhosts/ configuration files. Also note, that this module
-can be used to <em/only/ allow remote login from hosts specified in
-the <tt>/etc/host.equiv</tt> file, by replacing <tt/sufficient/ in the
-above example with <tt/required/.
-
-</descrip>
-
-<!--
-End of sgml insert for this module.
--->
diff --git a/contrib/libpam/doc/modules/pam_rootok.sgml b/contrib/libpam/doc/modules/pam_rootok.sgml
deleted file mode 100644
index ff6aa86..0000000
--- a/contrib/libpam/doc/modules/pam_rootok.sgml
+++ /dev/null
@@ -1,85 +0,0 @@
-<!--
- $Id: pam_rootok.sgml,v 1.2 1997/02/15 18:25:44 morgan Exp $
-
- This file was written by Andrew G. Morgan <morgan@parc.power.net>
--->
-
-<sect1>The root access module
-
-<sect2>Synopsis
-
-<p>
-<descrip>
-
-<tag><bf>Module Name:</bf></tag>
-pam_rootok
-
-<tag><bf>Author:</bf></tag>
-Andrew G. Morgan &lt;morgan@parc.power.net&gt;
-
-<tag><bf>Maintainer:</bf></tag>
-<bf>Linux-PAM</bf> maintainer
-
-<tag><bf>Management groups provided:</bf></tag>
-authentication
-
-<tag><bf>Cryptographically sensitive:</bf></tag>
-
-<tag><bf>Security rating:</bf></tag>
-
-<tag><bf>Clean code base:</bf></tag>
-Clean.
-
-<tag><bf>System dependencies:</bf></tag>
-
-<tag><bf>Network aware:</bf></tag>
-
-</descrip>
-
-<sect2>Overview of module
-
-<p>
-This module is for use in situations where the superuser wishes
-to gain access to a service without having to enter a password.
-
-<sect2>Authentication component
-
-<p>
-<descrip>
-
-<tag><bf>Recognized arguments:</bf></tag>
-<tt/debug/
-
-<tag><bf>Description:</bf></tag>
-
-This module authenticates the user if their <tt/uid/ is <tt/0/.
-Applications that are created <em/setuid/-root generally retain the
-<tt/uid/ of the user but run with the authority of an enhanced
-<em/effective-/<tt/uid/. It is the real <tt/uid/ that is checked.
-
-<tag><bf>Examples/suggested usage:</bf></tag>
-
-In the case of the <tt/su/ application the historical usage is to
-permit the superuser to adopt the identity of a lesser user without
-the use of a password. To obtain this behavior under <tt/Linux-PAM/
-the following pair of lines are needed for the corresponding entry in
-the configuration file:
-<tscreen>
-<verb>
-#
-# su authentication. Root is granted access by default.
-#
-su auth sufficient pam_rootok.so
-su auth required pam_unix_auth.so
-</verb>
-</tscreen>
-
-<p>
-Note. For programs that are run by the superuser (or started when the
-system boots) this module should not be used to authenticate users.
-
-</descrip>
-
-<!--
-End of sgml insert for this module.
--->
diff --git a/contrib/libpam/doc/modules/pam_securetty.sgml b/contrib/libpam/doc/modules/pam_securetty.sgml
deleted file mode 100644
index 276ae90..0000000
--- a/contrib/libpam/doc/modules/pam_securetty.sgml
+++ /dev/null
@@ -1,72 +0,0 @@
-<!--
- $Id: pam_securetty.sgml,v 1.1 1996/11/30 20:59:32 morgan Exp $
-
- This file was written by Michael K. Johnson <johnsonm@redhat.com>
--->
-
-<sect1>The securetty module
-
-<sect2>Synopsis
-
-<p>
-<descrip>
-
-<tag><bf>Module Name:</bf></tag>
-<tt/pam_securetty/
-
-<tag><bf>Author[s]:</bf></tag>
-Elliot Lee &lt;sopwith@cuc.edu&gt;
-
-<tag><bf>Maintainer:</bf></tag>
-Red Hat Software:<newline>
-<em/currently/ Michael K. Johnson &lt;johnsonm@redhat.com&gt;<newline>
-(if unavailable, contact Elliot Lee &lt;sopwith@cuc.edu&gt;).
-
-<tag><bf>Management groups provided:</bf></tag>
-authentication
-
-<tag><bf>Cryptographically sensitive:</bf></tag>
-
-<tag><bf>Security rating:</bf></tag>
-
-<tag><bf>Clean code base:</bf></tag>
-
-<tag><bf>System dependencies:</bf></tag>
-<tt>/etc/securetty</tt> file
-
-<tag><bf>Network aware:</bf></tag>
-
-Requires the application to fill in the <tt>PAM_TTY</tt> item
-correctly in order to act meaningfully.
-
-</descrip>
-
-<sect2>Overview of module
-
-<p>
-Provides standard Unix securetty checking.
-
-<sect2>Authentication component
-
-<p>
-<descrip>
-
-<tag><bf>Recognized arguments:</bf></tag>
-
-<tag><bf>Description:</bf></tag>
-
-Provides standard Unix securetty checking, which causes authentication
-for root to fail unless <tt>PAM_TTY</tt> is set to a string listed in
-the <tt>/etc/securetty</tt> file. For all other users, it succeeds.
-
-<tag><bf>Examples/suggested usage:</bf></tag>
-
-For canonical usage, should be listed as a <tt>required</tt>
-authentication method before any <tt>sufficient</tt> authentication
-methods.
-
-</descrip>
-
-<!--
-End of sgml insert for this module.
--->
diff --git a/contrib/libpam/doc/modules/pam_time.sgml b/contrib/libpam/doc/modules/pam_time.sgml
deleted file mode 100644
index 0b3cddf..0000000
--- a/contrib/libpam/doc/modules/pam_time.sgml
+++ /dev/null
@@ -1,166 +0,0 @@
-<!--
- $Id: pam_time.sgml,v 1.2 1997/02/15 18:25:44 morgan Exp $
-
- This file was written by Andrew G. Morgan <morgan@parc.power.net>
--->
-
-<sect1>Time control
-
-<sect2>Synopsis
-
-<p>
-<descrip>
-
-<tag><bf>Module Name:</bf></tag>
-<tt/pam_time/
-
-<tag><bf>Author:</bf></tag>
-Andrew G. Morgan <tt>&lt;morgan@parc.power.net&gt;</tt>
-
-<tag><bf>Maintainer:</bf></tag>
-Author
-
-<tag><bf>Management groups provided:</bf></tag>
-account
-
-<tag><bf>Cryptographically sensitive:</bf></tag>
-
-<tag><bf>Security rating:</bf></tag>
-
-<tag><bf>Clean code base:</bf></tag>
-
-<tag><bf>System dependencies:</bf></tag>
-Requires a configuration file <tt>/etc/security/time.conf</tt>
-
-<tag><bf>Network aware:</bf></tag>
-Through the <tt/PAM_TTY/ item only
-
-</descrip>
-
-<sect2>Overview of module
-
-<p>
-Running a well regulated system occasionally involves restricting
-access to certain services in a selective manner. This module offers
-some time control for access to services offered by a system. Its
-actions are determined with a configuration file. This module can be
-configured to deny access to (individual) users based on their name,
-the time of day, the day of week, the service they are applying for
-and their terminal from which they are making their request.
-
-<sect2>Account component
-
-<p>
-<descrip>
-
-<tag><bf>Recognized arguments:</bf></tag>
-
-<tag><bf>Description:</bf></tag>
-
-This module bases its actions on the rules listed in its configuration
-file: <tt>/etc/security/pam.conf</tt>. Each rule has the following
-form,
-<tscreen>
-<em/services/<tt/;/<em/ttys/<tt/;/<em/users/<tt/;/<em/times/
-</tscreen>
-In words, each rule occupies a line, terminated with a newline or the
-beginning of a comment; a `<tt/#/'. It contains four fields separated
-with semicolons, `<tt/;/'. The fields are as follows:
-
-<p>
-<itemize>
-<item><em/services/ -
-a logic list of service names that are affected by this rule.
-
-<item><em/ttys/ -
-a logic list of terminal names indicating those terminals covered by
-the rule.
-
-<item><em/user/ -
-a logic list of usernames to which this rule applies
-
-<p>
-By a logic list we mean a sequence of tokens (associated with the
-appropriate <tt/PAM_/ item), containing no more than one wildcard
-character; `<tt/*/', and optionally prefixed with a negation operator;
-`<tt/!/'. Such a sequence is concatenated with one of two logical
-operators: <tt/&amp;/ (logical AND) and <tt/|/ (logical OR). Two
-examples are: <tt>!morgan&amp;!root</tt>, indicating that this rule
-does not apply to the user <tt>morgan</tt> nor to <tt>root</tt>; and
-<tt>tty*&amp;!ttyp*</tt>, which indicates that the rule applies only
-to console terminals but not pseudoterminals.
-
-<item><em/times/ - a logic list of times at which this rule
-applies. The format of each element is a day/time-range. The days are
-specified by a sequence of two character entries. For example,
-<tt/MoTuSa/, indicates Monday Tuesday and Saturday. Note that
-repeated days are <em/unset/; <tt/MoTuMo/ indicates Tuesday, and
-<tt/MoWk/ means all weekdays bar Monday. The two character
-combinations accepted are,
-<tscreen>
-<verb>
-Mo Tu We Th Fr Sa Su Wk Wd Al
-</verb>
-</tscreen>
-The last two of these being <em/weekend/ days and <em/all 7 days/ of
-the week respectively.
-
-<p>
-The time range part is a pair of 24-hour times, <em/HHMM/, separated
-by a hyphen -- indicating the start and finish time for the rule. If
-the finsish time is smaller than the start time, it is assumed to
-apply on the following day. For an example, <tt/Mo1800-0300/ indicates
-that the permitted times are Monday night from 6pm to 3am the
-following morning.
-
-</itemize>
-
-<p>
-Note, that the given time restriction is only applied when the first
-three fields are satisfied by a user's application for service.
-
-<p>
-For convenience and readability a rule can be extended beyond a single
-line with a `<tt>&bsol;</tt><em/newline/'.
-
-<tag><bf>Examples/suggested usage:</bf></tag>
-
-The use of this module is initiated with an entry in the
-<bf/Linux-PAM/ configuration file of the following type:
-<tscreen>
-<verb>
-#
-# apply pam_time accounting to login requests
-#
-login account required pam_time.so
-</verb>
-</tscreen>
-where, here we are applying the module to the <em/login/ application.
-
-<p>
-Some examples of rules that can be placed in the
-<tt>/etc/security/time.conf</tt> configuration file are the following:
-<descrip>
-
-<tag><tt>login ; tty* &amp ; !ttyp* ; !root ; !Al0000-2400</tt></tag>
-all users except for <tt/root/ are denied access to console-login at
-all times.
-
-<tag><tt>games ; * ; !waster ; Wd0000-2400 | Wk1800-0800</tt></tag>
-games (configured to use Linux-PAM) are only to be accessed out of
-working hours. This rule does not apply to the user <tt/waster/.
-
-</descrip>
-
-<p>
-Note, currently there is no daemon enforcing the end of a session.
-This needs to be remedied.
-
-<p>
-Poorly formatted rules are logged as errors using <tt/syslog(3)/.
-
-</descrip>
-
-<!--
-End of sgml insert for this module.
--->
diff --git a/contrib/libpam/doc/modules/pam_warn.sgml b/contrib/libpam/doc/modules/pam_warn.sgml
deleted file mode 100644
index 6e81f18..0000000
--- a/contrib/libpam/doc/modules/pam_warn.sgml
+++ /dev/null
@@ -1,67 +0,0 @@
-<!--
- $Id: pam_warn.sgml,v 1.1 1996/11/30 20:59:32 morgan Exp $
-
- This file was written by Andrew G. Morgan <morgan@parc.power.net>
--->
-
-<sect1>Warning logger module
-
-<sect2>Synopsis
-
-<p>
-<descrip>
-
-<tag><bf>Module Name:</bf></tag>
-<tt/pam_warn/
-
-<tag><bf>Author:</bf></tag>
-Andrew G. Morgan &lt;morgan@parc.power.net&gt;
-
-<tag><bf>Maintainer:</bf></tag>
-Author.
-
-<tag><bf>Management groups provided:</bf></tag>
-authentication; password
-
-<tag><bf>Cryptographically sensitive:</bf></tag>
-
-<tag><bf>Security rating:</bf></tag>
-
-<tag><bf>Clean code base:</bf></tag>
-
-<tag><bf>System dependencies:</bf></tag>
-
-<tag><bf>Network aware:</bf></tag>
-logs information about the remote user and host (if pam-items are known)
-
-</descrip>
-
-<sect2>Overview of module
-
-<p>
-This module is principally for logging information about a
-proposed authentication or application to update a password.
-
-<sect2>Authentication+Password component
-
-<p>
-<descrip>
-
-<tag><bf>Recognized arguments:</bf></tag>
-
-<tag><bf>Description:</bf></tag>
-
-Log the service, terminal, user, remote user and remote host to
-<tt/syslog(3)/. The items are not probed for, but instead obtained
-from the standard pam-items.
-
-<tag><bf>Examples/suggested usage:</bf></tag>
-
-an example is provided in the configuration file section <ref
-id="configuration" name="above">.
-
-</descrip>
-
-<!--
-End of sgml insert for this module.
--->
diff --git a/contrib/libpam/doc/modules/pam_wheel.sgml b/contrib/libpam/doc/modules/pam_wheel.sgml
deleted file mode 100644
index 9139695..0000000
--- a/contrib/libpam/doc/modules/pam_wheel.sgml
+++ /dev/null
@@ -1,124 +0,0 @@
-<!--
- $Id: pam_wheel.sgml,v 1.3 1997/02/15 18:25:44 morgan Exp morgan $
-
- This file was written by Andrew G. Morgan <morgan@parc.power.net>
- from notes provided by Cristian Gafton.
--->
-
-<sect1>The wheel module
-
-<sect2>Synopsis
-
-<p>
-<descrip>
-
-<tag><bf>Module Name:</bf></tag>
-<tt/pam_wheel/
-
-<tag><bf>Author:</bf></tag>
-Cristian Gafton &lt;gafton@redhat.com&gt;
-
-<tag><bf>Maintainer:</bf></tag>
-Author.
-
-<tag><bf>Management groups provided:</bf></tag>
-authentication
-
-<tag><bf>Cryptographically sensitive:</bf></tag>
-
-<tag><bf>Security rating:</bf></tag>
-
-<tag><bf>Clean code base:</bf></tag>
-
-<tag><bf>System dependencies:</bf></tag>
-Requires libpwdb.
-
-<tag><bf>Network aware:</bf></tag>
-
-</descrip>
-
-<sect2>Overview of module
-
-<p>
-Only permit root access to members of the wheel (<tt/gid=0/) group.
-
-<sect2>Authentication component
-
-<p>
-<descrip>
-
-<tag><bf>Recognized arguments:</bf></tag>
-<tt/debug/;
-<tt/use_uid/;
-<tt/trust/;
-<tt/deny/;
-<tt/group=XXXX/
-
-<tag><bf>Description:</bf></tag>
-
-This module is used to enforce the so-called wheel group. By default,
-it permits root access to the system if the applicant user is a member
-of the <tt/wheel/ group (better described as the group with group-id
-<tt/0/).
-
-<p>
-The action of the module may be modified from this default by one or
-more of the following flags in the <tt>/etc/pam.conf</tt> file.
-<itemize>
-<item>
-<tt/debug/ -
-Supply more debugging information to <tt/syslog(3)/.
-
-<item>
-<tt/use_id/ -
-This option modifies the behavior of the module by using the current
-<tt/uid/ of the process and not the <tt/getlogin(3)/ name of the user.
-This option is useful for being able to jump from one account to
-another, for example with 'su'.
-
-<item>
-<tt/trust/ -
-This option instructs the module to return <tt/PAM_SUCCESS/ should it
-find the user applying for root privilege is a member of the wheel
-group. The default action is to return <tt/PAM_IGNORE/ in this
-situation. By using the <tt/trust/ option it is possible to arrange
-for <tt/wheel/-group members to become root without typing a
-password. <bf/USE WITH CARE/.
-
-<item>
-<tt/deny/ -
-This is used to reverse the logic of the module's behavior.
-If the user is trying to get <tt/uid=0/ access and is a member of the wheel
-group, deny access (for the wheel group, this is perhaps nonsense!):
-it is intended for use in conjunction with the <tt/group=/ argument...
-
-<item>
-<tt/group=XXXX/ -
-Instead of checking the <tt/gid=0/ group, use the user's <tt/XXXX/
-group membership for the authentication. Here, <tt/XXXX/ is the name
-of the group and <bf/not/ its numeric identifier.
-
-</itemize>
-
-<tag><bf>Examples/suggested usage:</bf></tag>
-
-To restrict access to superuser status to the members of the
-<tt/wheel/ group, use the following entries in your configuration
-file:
-<tscreen>
-<verb>
-#
-# root gains access by default (rootok), only wheel members can
-# become root (wheel) but Unix authenticate non-root applicants.
-#
-su auth sufficient pam_rootok.so
-su auth required pam_wheel.so
-su auth required pam_unix_auth.so
-</verb>
-</tscreen>
-
-</descrip>
-
-<!--
-End of sgml insert for this module.
--->
diff --git a/contrib/libpam/doc/ps/README b/contrib/libpam/doc/ps/README
deleted file mode 100644
index 6234e14..0000000
--- a/contrib/libpam/doc/ps/README
+++ /dev/null
@@ -1,3 +0,0 @@
-$Id: README,v 1.1 1996/11/10 19:28:16 morgan Exp $
-
-this is the directory for the postscipt documentation
diff --git a/contrib/libpam/doc/specs/draft-morgan-pam-00.raw b/contrib/libpam/doc/specs/draft-morgan-pam-00.raw
deleted file mode 100644
index 6e37b86..0000000
--- a/contrib/libpam/doc/specs/draft-morgan-pam-00.raw
+++ /dev/null
@@ -1,270 +0,0 @@
-PAM working group ## A.G. Morgan
-Internet Draft: ## March 24, 1998
-Document: draft-morgan-pam-00.txt ##
-Expires: September 24, 1998 ##
-Obsoletes: ##
-
-## Pluggable Authentication Modules ##
-
-#$ Status of this memo
-
-This document is an Internet-Draft. Internet-Drafts are working
-documents of the Internet Engineering Task Force (IETF), its areas,
-and its working groups. Note that other groups may also distribute
-working documents as Internet-Drafts.
-
-Internet-Drafts are draft documents valid for a maximum of six months
-and may be updated, replaced, or obsoleted by other documents at any
-time. It is inappropriate to use Internet- Drafts as reference
-material or to cite them other than as "work in progress."
-
-To view the entire list of current Internet-Drafts, please check the
-"1id-abstracts.txt" listing contained in the Internet-Drafts Shadow
-Directories on ftp.is.co.za (Africa), ftp.nordu.net (Northern Europe),
-ftp.nis.garr.it (Southern Europe), munnari.oz.au (Pacific Rim),
-ftp.ietf.org (US East Coast), or ftp.isi.edu (US West Coast).
-
-#$ Abstract
-
-This document is concerned with the definition of a general
-infrastructure for module based authentication. The infrastructure is
-named Pluggable Authentication Modules (PAM for short).
-
-#$ Introduction
-
-Computers are tools. They provide services to people and other
-computers (collectively we shall call these "users" entities). In
-order to provide convenient, reliable and individual service to
-different entities, it is common for entities to be labelled. Having
-defined a label as refering to a some specific entity, the label is
-used for the purpose of protecting and allocating data resources.
-
-All modern operating systems have a notion of labelled entities and
-all modern operating systems face a common problem: how to
-authenticate the association of a predefined label with applicant
-entities.
-
-There are as many authentication methods as one might care to count.
-None of them are perfect and none of them are invulnerable. In
-general, any given authentication method becomes weaker over time. It
-is common then for new authentication methods to be developed in
-response to newly discovered weaknesses in the old authentication
-methods.
-
-The problem with reinventing authentication methods is the fact that
-old applications do not support them. This contributes to an inertia
-that discourages the overhaul of weakly protected systems. Another
-problem is that individuals (people) are frequently powerless to layer
-the protective authentication around their systems. They are forced
-to rely on single (lowest common denominator) authentication schemes
-even in situations where this is far from appropriate.
-
-PAM, as discussed in this document, is a generalization of the
-approach first introduced in [#$R#{OSF_RFC_PAM}]. In short, it is a
-general framework of interfaces that abstract the process of
-authentication. With PAM, a service provider can custom protect
-individual services to the level that they deam is appropriate.
-
-PAM has nothing explicit to say about transport layer encryption.
-Within the context of this document encryption and/or compression of
-data exchanges are application specific (strictly between client and
-server).
-
-#$ Definitions
-
-Here we pose the authentication problem as one of configuring defined
-interfaces between two entities.
-
-#$$#{players} Players in the authentication process
-
-PAM reserves the following words to specify unique entities in the
-authentication process:
-
- applicant
- the entity (user) initiating an application for service
- [PAM associates PAM_RUSER with this requesting user].
-
- arbitrator
- the entity (user) under who's identity the service application
- is negotiated and with who's authority service is granted.
-
- user
- the entity (user) who's identity is being authenticated
- [PAM associates PAM_USER with this identity].
-
- server
- the application that provides service, or acts as an
- authenticated gateway to the requested service. This
- application is completely responsible for the transport
- layer. PAM makes no assumptions about how data is
- exchanged between the server and the client.
-
- client
- application providing the direct/primary interface to
- applicant. This application is completely responsible
- for transporting client-side data to the server.
- PAM makes no assumptions about how data is exchanged between
- the client and the server.
-
- module
- authentication binary that provides server-side support for
- some authentication method.
-
- agent
- authentication binary that provides client-side support for
- some authentication method.
-
-#$$ Special cases
-
-In the previous section (#{players}) we identified the most general
-selection of authentication participants. In the case of network
-authentication, it is easy to ascribe identities to the defined
-players. However, there are special (less general) cases and we
-recognize them here.
-
-The primary authentication step, when a user is directly introduced
-into a computer system (log's on to a workstation) is a special case.
-In this situation, the "client" and the "server" are generally one
-application. Before authenticating such a user, the "applicant" is
-formally unknown.
-
-#$ Defined interfaces
-
-Here, we discuss the formal interfaces between the players in the
-authentication process.
-
-#$$#{applicant_client} Applicant <-> client
-
-Once the client is invoked, requests to the applicant entity are
-initiated by the client application. General clients are able to make
-the following requests to an applicant:
-
- echo text
- echo error
- prompt for echo'd text input
- prompt for concealed text input
-
-the nature of the interface provided by the client for the benefit of
-the applicant entity is client specific and not defined by PAM.
-
-#$$ Client <-> agent
-
-In general, authentication schemes require more modes of exchange than
-the four defined in the previous section (#{applicant_client}). This
-provides a role for client-loadable agents. The client and agent
-exchange binary-messages that can have one of the following forms:
-
- client -> agent
- prompt for binary data packet using a binary packet
-
- agent -> client
- set environment variable
- get environment variable
- echo text
- echo error
- prompt for echo'd text input
- prompt for concealed text input
-
-The single defined procedure for exchange is that the client first
-prompts the agent with a binary packet and expects to receive a binary
-(response) packet in return. Before returning the binary response,
-the agent may request an arbitrary number of exchanges with the client.
-
-#$$ Client <-> server
-
-Once the client has established a connection with the server (the
-nature of the transport protocol is not specified by PAM), the server
-is reponsible for driving the authentication process.
-
-General servers can request the following from the client:
-
- (directed to the applicant)
- echo text
- echo error
- prompt for echo'd text response
- prompt for concealed text response
-
- (directed to the appropriate agent)
- binary prompt for a binary response
-
-Client side agents are required to process binary prompts. Their
-binary responses are passed directly back to the server.
-
-#$$ Server <-> module
-
-Modules drive the authentication process. The server provides a
-conversation function with which it encapsulates module-generated
-requests and exchanges them with the client.
-
-General conversation functions can support the following five
-"conversation" requests:
-
- echo text
- echo error
- prompt for echo'd text response
- prompt for concealed text response
- prompt for binary packet with binary packet
-
-The server is responsible for redirecting these requests to the
-client.
-
-#$ C API for defined interfaces
-
-#$$ Applicant <-> client
-
-No API is defined for this interface. The interface is considered to
-be specific to the client application. Example applications include
-terminal login, (X)windows login, machine file transfer applications.
-
-#$$ Client <-> agent
-
-This interface is concerned with the exchange of "binary prompts". A
-binary prompt has the following form: { 4 8-bit bytes in network order
-encoding an unsigened 32 bit integer (length), 4 8-bit bytes in
-network order encoding an unsigened 32 bit integer (control),
-"length-4" 8-bit bytes bytes comprising upto 2^32-4 bytes of binary
-data }.
-
-## [ u32 | u32 | (length-4 bytes) ] ##
-## length control data ##
-
-The composition of the "data" is not specified. Valid control values
-are:
-
-##control value | used by | description ##
-##------------------------------------------------------------------##
-## | | ##
-##PAMC_CONTROL_OK | agent | agent is happy ##
-##PAMC_CONTROL_FAIL | agent | agent failed ##
-##PAMC_CONTROL_BUSY | agent | agent is busy ##
-##PAMC_CONTROL_PUTENV | agent | set envvar of client ##
-##PAMC_CONTROL_GETENV | agent | want envvar of client ##
-##PAMC_CONTROL_GETECHO | agent | echo'd prompt to applicant##
-##PAMC_CONTROL_GETNOECHO | agent | secret prompt to applicant##
-##PAMC_CONTROL_PUTTEXT | agent | echo text to applicant ##
-##PAMC_CONTROL_SELECT | client | client selects named agent##
-##PAMC_CONTROL_EXCHANGE | client+agent | data exchange packet ##
-##PAMC_CONTROL_DONE | agent | agent has completed ##
-##PAMC_CONTROL_EMPTY | agent | agent has no reply ##
-
-#$ Security considerations
-
-This document is devoted to standardizing authentication
-infrastructure: everything in this document has implications for
-security.
-
-#$ Contact
-
-The email list for discussing issues related to this document is
-<pam-list@redhat.com>.
-
-#$ References
-
-[#{OSF_RFC_PAM}] OSF RFC 86.0, "Unified Login with Pluggable Authentication
- Modules (PAM)", October 1995
-
-#$ Author's Address
-
-Andrew Morgan
-Email: morgan@ftp.kernel.org
-
diff --git a/contrib/libpam/doc/specs/formatter/Makefile b/contrib/libpam/doc/specs/formatter/Makefile
deleted file mode 100644
index d73258d..0000000
--- a/contrib/libpam/doc/specs/formatter/Makefile
+++ /dev/null
@@ -1,16 +0,0 @@
-LIBS=-lfl
-
-padout: parse.tab.o
- $(CC) -o padout parse.tab.o $(LIBS)
-
-parse.tab.o: parse.tab.c lex.yy.c
- $(CC) -c parse.tab.c
-
-parse.tab.c: parse.y
- bison parse.y
-
-lex.yy.c: parse.lex
- flex parse.lex
-
-clean:
- rm -f parse.tab.o parse.tab.c lex.yy.c padout *~ core
diff --git a/contrib/libpam/doc/specs/formatter/parse.lex b/contrib/libpam/doc/specs/formatter/parse.lex
deleted file mode 100644
index 1d5c898..0000000
--- a/contrib/libpam/doc/specs/formatter/parse.lex
+++ /dev/null
@@ -1,11 +0,0 @@
-%%
-
-\#[\$]+[a-zA-Z]*(\=[0-9]+)? return NEW_COUNTER;
-\#\{[a-zA-Z][a-zA-Z0-9\_]*\} return LABEL;
-\# return NO_INDENT;
-\#\# return RIGHT;
-\\\# return HASH;
-[^\n] return CHAR;
-[\n] return NEWLINE;
-
-%%
diff --git a/contrib/libpam/doc/specs/formatter/parse.y b/contrib/libpam/doc/specs/formatter/parse.y
deleted file mode 100644
index 6da47d1..0000000
--- a/contrib/libpam/doc/specs/formatter/parse.y
+++ /dev/null
@@ -1,293 +0,0 @@
-
-%{
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-
-#define MAXLINE 1000
-#define INDENT_STRING " "
-#define PAPER_WIDTH 74
-
- int indent=0;
- int line=1;
- char *last_label=NULL;
-
- extern void yyerror(const char *x);
- extern char *get_label(const char *label);
- extern void set_label(const char *label, const char *target);
- char *new_counter(const char *key);
-
-#include "lex.yy.c"
-
-%}
-
-%union {
- int def;
- char *string;
-}
-
-%token NEW_COUNTER LABEL HASH CHAR NEWLINE NO_INDENT RIGHT
-%type <string> stuff text
-
-%start doc
-
-%%
-
-doc:
-| doc NEWLINE {
- printf("\n");
- ++line;
-}
-| doc stuff NEWLINE {
- if (strlen($2) > (PAPER_WIDTH-(indent ? strlen(INDENT_STRING):0))) {
- yyerror("line too long");
- }
- printf("%s%s\n", indent ? INDENT_STRING:"", $2);
- free($2);
- indent = 1;
- ++line;
-}
-| doc stuff RIGHT stuff NEWLINE {
- char fixed[PAPER_WIDTH+1];
- int len;
-
- len = PAPER_WIDTH-(strlen($2)+strlen($4));
-
- if (len >= 0) {
- memset(fixed, ' ', len);
- fixed[len] = '\0';
- } else {
- yyerror("line too wide");
- fixed[0] = '\0';
- }
- printf("%s%s%s\n", $2, fixed, $4);
- free($2);
- free($4);
- indent = 1;
- ++line;
-}
-| doc stuff RIGHT stuff RIGHT stuff NEWLINE {
- char fixed[PAPER_WIDTH+1];
- int len, l;
-
- len = PAPER_WIDTH-(strlen($2)+strlen($4));
-
- if (len < 0) {
- len = 0;
- yyerror("line too wide");
- }
-
- l = len/2;
- memset(fixed, ' ', l);
- fixed[l] = '\0';
- printf("%s%s%s", $2, fixed, $4);
- free($2);
- free($4);
-
- l = (len+1)/2;
- memset(fixed, ' ', l);
- fixed[l] = '\0';
- printf("%s%s\n", fixed, $6);
- free($6);
-
- indent = 1;
- ++line;
-}
-| doc stuff RIGHT stuff RIGHT stuff NEWLINE {
- char fixed[PAPER_WIDTH+1];
- int len, l;
-
- len = PAPER_WIDTH-(strlen($2)+strlen($4));
-
- if (len < 0) {
- len = 0;
- yyerror("line too wide");
- }
-
- l = len/2;
- memset(fixed, ' ', l);
- fixed[l] = '\0';
- printf("%s%s%s", $2, fixed, $4);
- free($2);
- free($4);
-
- l = (len+1)/2;
- memset(fixed, ' ', l);
- fixed[l] = '\0';
- printf("%s%s\n", fixed, $6);
- free($6);
-
- indent = 1;
- ++line;
-}
-;
-
-stuff: {
- $$ = strdup("");
-}
-| stuff text {
- $$ = malloc(strlen($1)+strlen($2)+1);
- sprintf($$,"%s%s", $1, $2);
- free($1);
- free($2);
-}
-;
-
-text: CHAR {
- $$ = strdup(yytext);
-}
-| text CHAR {
- $$ = malloc(strlen($1)+2);
- sprintf($$,"%s%s", $1, yytext);
- free($1);
-}
-| NO_INDENT {
- $$ = strdup("");
- indent = 0;
-}
-| HASH {
- $$ = strdup("#");
-}
-| LABEL {
- if (($$ = get_label(yytext)) == NULL) {
- set_label(yytext, last_label);
- $$ = strdup("");
- }
-}
-| NEW_COUNTER {
- $$ = new_counter(yytext);
-}
-;
-
-%%
-
-typedef struct node_s {
- struct node_s *left, *right;
- const char *key;
- char *value;
-} *node_t;
-
-node_t label_root = NULL;
-node_t counter_root = NULL;
-
-const char *find_key(node_t root, const char *key)
-{
- while (root) {
- int cmp = strcmp(key, root->key);
-
- if (cmp > 0) {
- root = root->right;
- } else if (cmp) {
- root = root->left;
- } else {
- return root->value;
- }
- }
- return NULL;
-}
-
-node_t set_key(node_t root, const char *key, const char *value)
-{
- if (root) {
- int cmp = strcmp(key, root->key);
- if (cmp > 0) {
- root->right = set_key(root->right, key, value);
- } else if (cmp) {
- root->left = set_key(root->left, key, value);
- } else {
- free(root->value);
- root->value = strdup(value);
- }
- } else {
- root = malloc(sizeof(struct node_s));
- root->right = root->left = NULL;
- root->key = strdup(key);
- root->value = strdup(value);
- }
- return root;
-}
-
-void yyerror(const char *x)
-{
- fprintf(stderr, "line %d: %s\n", line, x);
-}
-
-char *get_label(const char *label)
-{
- const char *found = find_key(label_root, label);
-
- if (found) {
- return strdup(found);
- }
- return NULL;
-}
-
-void set_label(const char *label, const char *target)
-{
- if (target == NULL) {
- yyerror("no hanging value for label");
- target = "<??>";
- }
- label_root = set_key(label_root, label, target);
-}
-
-char *new_counter(const char *key)
-{
- int i=0, j, ndollars = 0;
- const char *old;
- char *new;
-
- if (key[i++] != '#') {
- yyerror("bad index");
- return strdup("<???>");
- }
-
- while (key[i] == '$') {
- ++ndollars;
- ++i;
- }
-
- key += i;
- old = find_key(counter_root, key);
- new = malloc(20*ndollars);
-
- if (old) {
- for (j=0; ndollars > 1 && old[j]; ) {
- if (old[j++] == '.' && --ndollars <= 0) {
- break;
- }
- }
- if (j) {
- strncpy(new, old, j);
- }
- if (old[j]) {
- i = atoi(old+j);
- } else {
- new[j++] = '.';
- i = 0;
- }
- } else {
- j=0;
- while (--ndollars > 0) {
- new[j++] = '0';
- new[j++] = '.';
- }
- i = 0;
- }
- new[j] = '\0';
- sprintf(new+j, "%d", ++i);
-
- counter_root = set_key(counter_root, key, new);
-
- if (last_label) {
- free(last_label);
- }
- last_label = strdup(new);
-
- return new;
-}
-
-main()
-{
- yyparse();
-}
diff --git a/contrib/libpam/doc/txts/README b/contrib/libpam/doc/txts/README
deleted file mode 100644
index b62bc2d..0000000
--- a/contrib/libpam/doc/txts/README
+++ /dev/null
@@ -1,3 +0,0 @@
-$Id: README,v 1.1 1996/11/10 19:18:06 morgan Exp $
-
-This is a directory for text versions of the pam documentation
OpenPOWER on IntegriCloud