The tcfs 2.0.1 module

1) Synopsis

Module name: pam_tcfs

Author: Luigi Catuogno [luicat@mikonos.dia.unisa.it]

Maintainer: author

Management groups provided: authentication, session, password

System dependencies: The system must be a tcfs 2.0 server/client and the
sources of tcfs must be available.

2) Overview of module

This module does needed adjustments and settings to the tcsf
structures/files during authentication, session, and pwd changing, according
to requests and data provided by the application and by the other modules in
the same pam service. The tcfs module does not perform any effective
authentication. It assumes the authentication has been already done elsewere
and simply decides either to activate tcfs features to registered users or
not.

3) Authentication component

recognized arguments: none

description: this component of the module verifies if the user is registered
to tcfs, and in this case it extracts his default tcfs-key from
/etc/tcfspasswd, decrypts it with the user's auth. token and, finally,
stores it in a pam-data "variable" named tcfskey, to be used by other
components/modules.

example/suggested usage: since this component does not perform any
conversation, it must be used together with another one which does. Whenever
the module is loaded for some service, the component must be configured as
"optional" because it returns PAM_SUCCESS only if the user is registered
with tcfs. If the component is configured as required, access to the service
would be denied to users not registered with tcfs.

4) Session component

recognized argument: none

description: If the pam-data tcfskey was previously defined, the session
component pushes it into the tcfs device's hash table, in order to enable
the encrypted file system owned by the user. When the session ends, it
simply removes the key from the table.

examples/suggested usage: Whenever the module is loaded for services
available both to tcfs users and non-tcfs users, the session component must
be configured as "optional" because it returns PAM_SUCCESS only if the user
is registered to tcfs (i.e., tcfskey is defined).

5) Password component

recognized arguments: none

description: since the user's password is used to encrypt the tcfskey into
/etc/tcfspasswd, whenever the token changes, the coding of the tcfs-key must
consequently change. The password component extracts the key entry from the
file, decodes it with the old token, encodes it with the new one, then
writea it back to /etc/tcfspasswd. If the user is not registered, no changes
are made.

examples/suggested usage: Since this component does not perform any
conversation, it must be used together with another one which does it;
furthermore it must be configured as "required" for each service it is
included, in order to save the validity of tcfskey extracted from
/etc/tcfspasswd during authentications.
