summaryrefslogtreecommitdiff
blob: 5cc84b7514ebf3f0401710fb80ad0447a6f4cdfa (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
<pkgmetadata>
	<maintainer type="project">
		<email>base-system@gentoo.org</email>
	</maintainer>
	<maintainer type="person">
		<email>zlogene@gentoo.org</email>
		<name>Mikle Kolyada</name>
	</maintainer>
	<maintainer type="person">
		<email>sam@gentoo.org</email>
		<name>Sam James</name>
	</maintainer>
	<use>
		<flag name="elogind">
			Use pam_elogind module to register user sessions with elogind.
		</flag>
		<flag name="systemd">
			Use pam_systemd module to register user sessions in the systemd
			control group hierarchy.
		</flag>
		<flag name="homed">
			Use pam_systemd_home module to manage home directories with
			the systemd-homed service
		</flag>
		<flag name="debug">
			Enable debug information logging on syslog(3) for all the
			modules supporting this in the system authentication and system
			login stacks.
		</flag>
		<flag name="passwdqc">
			Enable pam_passwdqc module on system auth stack for password
			quality validation. This module produces warnings, rejecting 
			or providing example passwords when changing your system password.
			It is used by default by OpenWall GNU/*/Linux and by FreeBSD.
		</flag>
		<flag name="pwhistory">
			Enable pam_pwhistory module on system auth stack to save
			the last passwords for each user in order to force password
			change history and keep the user from alternating between
			the same password too frequently.
		</flag>
		<flag name="pwquality">
			Enable pam_pwquality module on system auth stack for passwd
			quality validation. It is used be dafault by Fedora GNU/*/Linux.
		</flag>
		<flag name="mktemp">
			Enable pam_mktemp module on system auth stack for session
			handling. This module creates a private temporary directory for
			the user, and sets TMP and TMPDIR accordingly.
		</flag>
		<flag name="pam_ssh">
			Enable pam_ssh module on system auth stack for authentication
			and session handling. This module will accept as password the
			passphrase of a private SSH key (one of ~/.ssh/id_rsa,
			~/.ssh/id_dsa or ~/.ssh/identity), and will spawn an ssh-agent
			instance to cache the open key.
		</flag>
		<flag name="sha512">
			Switch Linux-PAM's pam_unix module to use sha512 for passwords
			hashes rather than MD5. This option requires
			<pkg>sys-libs/pam</pkg> version 1.0.1 built against
			<pkg>sys-libs/glibc</pkg> version 2.7, if it's built against an
			earlier version, it will silently be ignored, and MD5 hashes
			will be used. All the passwords changed after this USE flag is
			enabled will be saved to the shadow file hashed using SHA512
			function. The password previously saved will be left
			untouched. Please note that while SHA512-hashed passwords will
			still be recognised if the USE flag is removed, the shadow file
			will not be compatible with systems using an earlier glibc
			version.
		</flag>
		<flag name="yescrypt">
			Switch Linux-PAM's pam_unix module to use yescrypt for passwords hashes rather than MD5
		</flag>
		<flag name="pam_krb5">
			Enable pam_krb5 module on system auth stack, as an alternative
			to pam_unix. If Kerberos authentication succeed, only pam_unix
			will be ignore, and all the other modules will proceed as usual,
			including Gnome Keyring and other session modules. It requires
			<pkg>sys-libs/pam</pkg> as PAM implementation.
		</flag>
		<flag name="minimal">
			Disables the standard PAM modules that provide extra information
			to users on login; this includes pam_lastlog, pam_motd, pam_mail
			and other similar modules. This might not be a good idea on 
			a multi-user system but could reduce slightly the overhead on
			single-user non-networked systems.
		</flag>
		<flag name="nullok">
			Enable the nullok option with the pam_unix module. This allows
			people to login with blank passwords.
		</flag>
		<flag name="securetty">
			Enable pam_securetty module in the login stack. Not generally
			relevant anymore as the login stack only refers to local logins
			and local terminals imply secure access in the first place.
		</flag>
	</use>
</pkgmetadata>