path: root/README.pam
diff options
authortoma <toma@283d02a7-25f6-0310-bc7c-ecb5cbfe19da>2009-11-25 17:56:58 +0000
committertoma <toma@283d02a7-25f6-0310-bc7c-ecb5cbfe19da>2009-11-25 17:56:58 +0000
commit4aed2c8219774f5d797760606b8489a92ddc5163 (patch)
tree3f8c130f7d269626bf6a9447407ef6c35954426a /README.pam
Copy the KDE 3.5 branch to branches/trinity for new KDE 3.5 features.
BUG:215923 git-svn-id: svn:// 283d02a7-25f6-0310-bc7c-ecb5cbfe19da
Diffstat (limited to 'README.pam')
1 files changed, 72 insertions, 0 deletions
diff --git a/README.pam b/README.pam
new file mode 100644
index 00000000..544b4e83
--- /dev/null
+++ b/README.pam
@@ -0,0 +1,72 @@
+KDE can be configured to support the PAM ("Pluggable Authentication
+Modules") system for password checking by the display manager kdm and
+by the screen saver kscreensaver (for unlocking the display).
+PAM is a flexible application-transparent configurable user-authentication
+system found on FreeBSD, Solaris, and Linux (and maybe other unixes).
+Information about PAM may be found on its homepage
+(Despite the location, this information is NOT Linux-specific.)
+Known Solaris Issues:
+For compiling PAM support on Solaris, PAM_MESSAGE_NONCONST must
+be defined. This should now be handled automatically by the
+configure script.
+Using PAM
+By default, PAM is automatically used, if it is found. Use
+./configure --without-pam to disable it.
+If PAM is found, KDE usually uses the PAM service "kde". You may
+override it for all KDE programs by using --with-pam=<service> and/or
+individually by using --with-<prog>-pam=<service>, where <prog> is
+one of kdm, kcp and kss (for kdm, kcheckpass and kscreensaver).
+"make install" will attempt to create suitable service definitions; either
+by putting files into /etc/pam.d/ or by adding text to /etc/pam.conf. The
+services are just copies of the "login" service.
+You may want to edit these definitions to meet your needs.
+There are also two example service definitions in this directory -
+kde.pamd and kscreensaver.pamd - but don't just copy them!
+If the services are misconfigured, you will NOT be able to login via KDM
+and/or unlock a locked screen!
+If there is ever any doubt about which PAM service a program was
+compiled with, it can be determined by examining the PAM-generated
+entries in the system log associated with kdm logins or kscreensaver
+authentication failures.
+PAM configuration files have four types of entries for each service:
+type used by kdm used by kscreensaver
+---- ----------- --------------------
+auth x x
+account x
+password x
+session x
+There may be more than one entry of each type. Check existing PAM
+configuration files and PAM documentation on your system for guidance as
+to what entries to make. If you call a PAM service that is not
+configured, the default action of PAM is likely to be denial of service.
+Note: kdm implements PAM "session" support, which is not implemented in
+certain PAM-aware xdm's that it may be replacing (e.g., the Red Hat
+Linux 5.x xdm did not implement it). This may be configured to carry out
+actions when a user opens or closes an kdm session, if a suitable PAM
+module is available (e.g., mount and unmount user-specific filesystems).
+Note 2: Screensavers typically only authenticate a user to allow her to
+continue working. They may also renew tokens etc., where supported.
+See the Linux PAM Administrators guide, which is part of the PAM
+distribution, for more details.