From 0096fbd41036713bd560f761da927ec6b5fa9b7b Mon Sep 17 00:00:00 2001 From: Giovanni Simoni Date: Mon, 16 Dec 2024 09:43:34 +0100 Subject: [PATCH] squash! Update README file --- README | 17 ++++++++++------- man/pam_u2f.8.txt | 26 ++++++++++++++++++++++++++ 2 files changed, 36 insertions(+), 7 deletions(-) diff --git a/README b/README index 20a3d68..4d8faf9 100644 --- a/README +++ b/README @@ -250,8 +250,6 @@ as SSH. conf_file=file:: Set an alternative location for the <>. The supplied path must be absolute. -This argument is special, in that it can only appear in a file under -`/etc/pam.d/`, and not in a configuration file. IMPORTANT: On dynamic networks (e.g. where hostnames are set by DHCP), @@ -422,12 +420,17 @@ restarts from the top of the list. == Configuration file A global configuration file can be supplied in order to override -the hard-wired defaults for the module arguments. +the hard-wired defaults for the `pam_u2f.so` module arguments. -The file can contain, one per line, the same arguments as -<>. -Brackets around arguments are *not* needed in order to get spaces -correctly recognized. +The file can contain the same arguments as +<> with a few caveats: +- The `conf_file=` argument is special, in that it can only appear in a file + under `/etc/pam.d/`, and not in the `pam_u2f.so` configuration file itself. +- Brackets around arguments are *not* needed in order to get spaces correctly + recognized. + +Arguments appear one per line. +Heading whitespaces are ignored. Lines starting with `#` and empty lines are interpreted as comments. The default position of the configuration file is diff --git a/man/pam_u2f.8.txt b/man/pam_u2f.8.txt index 4524d39..88eb2e0 100644 --- a/man/pam_u2f.8.txt +++ b/man/pam_u2f.8.txt 
@@ -88,6 +88,7 @@ will be ignored. Set to prompt a message and wait before testing the presence of a U2F device. Recommended if your device doesn't have tactile trigger. + *[prompt=your prompt here]*:: Set individual prompt message for interactive mode. Watch the square brackets around this parameter to get spaces correctly recognized by @@ -134,6 +135,11 @@ FIDO devices. It is not possible to mix native credentials and SSH credentials. Once this option is enabled all credentials will be parsed as SSH. +*conf_file*=_path_:: +Set an alternative location for the configuration file. +The supplied path must be absolute. +See *CONFIGURATION FILE*. + == EXAMPLES Second factor authentication deferring user verification configuration to the @@ -162,6 +168,26 @@ mapping file in an encrypted home directory, will result in the impossibility of logging into the system. The partition is decrypted after login and the mapping file can not be accessed. +== CONFIGURATION FILE +A global configuration file can be supplied in order to override +the hard-wired defaults for the `pam_u2f.so` module arguments. + +The file can contain the same arguments as defined above, with a few caveats: +- The `conf_file=` argument is special, in that it can only appear in a file + under `/etc/pam.d/`, and not in the `pam_u2f.so` configuration file itself. +- Brackets around arguments are *not* needed in order to get spaces correctly + recognized. + +Arguments appear one per line. +Heading whitespaces are ignored. +Lines starting with `#` and empty lines are interpreted as comments. + +The default position of the configuration file is +`/etc/security/pam_u2f.conf`. +Individual files under `/etc/pam.d/` can override such path +file by means of the `conf_file=` argument. +The override will not affect other `/etc/pam.d/` files. + == NOTES *Nodetect*
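Review bot: In the README hunk at `@@ -250,8 +250,6 @@`, removing the two "This argument is special ..." lines leaves the `conf_file=file::` entry with no hint that the argument is only honoured in a file under `/etc/pam.d/`. Someone who looks up `conf_file` in the argument list will not see the restriction unless they also read the Configuration file section. Consider keeping a one-line pointer in the entry, for example "Only valid in `/etc/pam.d/` files, see Configuration file", so the constraint is visible where the argument is defined.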
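Review bot: In the README hunk at `@@ -422,12 +420,17 @@`, the caveat list starts on the line directly after "with a few caveats:" with no blank line in between. AsciiDoc expects a blank line before a list, otherwise the `-` items can be folded into the preceding paragraph. The same text added to man/pam_u2f.8.txt has the same layout. Two wording points in the added lines: "Heading whitespaces are ignored" should read "Leading whitespace is ignored", and since leading whitespace is ignored it would help to say explicitly whether an indented `#` line is also a comment. The first caveat says `conf_file=` cannot appear in the configuration file but not what happens if it does (rejected with an error, or silently ignored). For an authentication module that behaviour is worth one sentence.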
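Review bot: In the man/pam_u2f.8.txt hunk at `@@ -134,6 +135,11 @@`, the new entry is written `*conf_file*=_path_::` while the README entry touched by this same patch is `conf_file=file::`. Pick one placeholder name so the two documents agree. The entry also omits the `/etc/pam.d/`-only restriction and the default location, both of which are only reachable through "See *CONFIGURATION FILE*". A short mention of the restriction here would save the reader a jump.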
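Review bot: In the man/pam_u2f.8.txt hunk at `@@ -162,6 +168,26 @@`, the new CONFIGURATION FILE section does not state precedence: when the same argument is given both on the `/etc/pam.d/` line and in `/etc/security/pam_u2f.conf`, which one wins? "override the hard-wired defaults" only covers the file against the built-in defaults. Please add a sentence on this, since an administrator needs to know which source is authoritative for the module's behaviour. Also, "can override such path file by means of the `conf_file=` argument" reads as a leftover from editing. Something like "can override this path by means of the `conf_file=` argument" would be clearer.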