-rw-r--r-- doc/server/plugins/generators/account.txt 95
1 files changed, 90 insertions, 5 deletions
diff --git a/doc/server/plugins/generators/account.txt b/doc/server/plugins/generators/account.txt
index 3bae157cc..99c35c814 100644
--- a/doc/server/plugins/generators/account.txt
+++ b/doc/server/plugins/generators/account.txt
@@ -8,11 +8,11 @@ Account
The account plugin manages authentication data, including
-* /etc/passwd
-* /etc/group
-* /etc/security/limits.conf
-* /etc/sudoers
-* /root/.ssh/authorized_keys
+* ``/etc/passwd``
+* ``/etc/group``
+* ``/etc/security/limits.conf``
+* ``/etc/sudoers``
+* ``/root/.ssh/authorized_keys``
User access data is stored in three files in the Account directory:
@@ -28,3 +28,88 @@ Authentication data is read in from (static|dyn).(passwd|group) The static
ones are for system local ones, while the dyn. versions are for external
synchronization (from ldap/nis/etc). There is also a static.limits.conf
that provides the limits.conf header and any static entries.
+
+Files in the Account directory:
+
+``<username>.key``
+
+ **Format**: The SSH public key for user <username>.
+
+ If the user is in the "rootlike" or "superusers" group, these
+ keys will be appended to ``/root/.ssh/auth``
+
+``useraccess``
+
+ **Format**: "user:hostname" on each line.
+
+ Describes who may login where (via PAMs
+ ``/etc/security/limits.conf``). Everybody else will be denied
+ access.(?)
+
+ **Example**:
+
+ If Alice should be able to access host "foo", Bob should access
+ "foo" and "bar"::
+
+ alice:foo.example.com
+ bob:foo.example.com
+ bob:bar.example.com
+
+``rootlike``
+
+ **Format**: "user:hostname" on each line.
+
+ Describes who will be allowed root access where. The user may
+ login via public key and use sudo.
+
+ **Example**:
+
+ If Chris should be root only on host "foo"::
+
+ chris:foo.example.com
+
+``superusers``
+
+ **Format**: usernames, separated by spaces or newlines. (Any whitespace that makes pythons split() happy.)
+
+ Describes who will be allowed root access on all hosts. The user
+ may login via public key and use sudo.
+
+ **Example**:
+
+ Daniel, Eve and Faith are global admins::
+
+ daniel eve
+ faith
+
+``static.passwd``, ``static.group``
+
+ **Format**: Lines from ``/etc/passwd`` or ``/etc/group``
+
+ These entries are appended to the passwd and group files
+ (in addition to the auto-generated entries from "useraccess",
+ "rootlike" and "superusers" above) without doing anything else.
+
+``dyn.passwd``, ``dyn.group``
+
+ **Format**: Lines from ``/etc/passwd`` or ``/etc/group``
+
+ Similar to "static.*" above, but for entries that are managed "on
+ the network" (yp, LDAP, ...), so it is most likely periodically
+ (re)filled.
+
+``static.limits.conf``
+
+ **Format**: Lines from ``/etc/security/limit.conf``
+
+ These limits will be appended to limits.conf (in addition to
+ the auto-generated entries from "useraccess", "rootlike" and
+ "superusers" above).
+
+``static.sudoers``
+
+ **Format**: Lines from ``/etc/sudoers``
+
+ These lines will be appended to to sudoers file (in addition
+ to the auto-generated entries from "useraccess", "rootlike" and
+ "superusers" above).
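Review bot: the ``useraccess`` entry ends its default-deny sentence with "access.(?)", so the documented behaviour for users who are not listed is unconfirmed. Administrators will treat this file as an access-control list, so please check the plugin code and state the result without the question mark. In the ``<username>.key`` entry, the target ``/root/.ssh/auth`` looks truncated next to ``/root/.ssh/authorized_keys`` in the list at the top of the file. Smaller points: ``/etc/security/limit.conf`` under ``static.limits.conf`` is missing the "s" used everywhere else, "appended to to sudoers file" has a doubled word, "PAMs" and "pythons split()" need apostrophes, and the bare "limits.conf" and "sudoers" in the last two entries could take the same literal markup the first hunk introduces.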