This is the pam_netid module.  It is VERY Linux specific as it makes
extensive use of the /proc/ filesystem.

Please note, this module _does_ _not_ _offer_ _any_ _inherent_
_security_ when used on its own!  Any PC can be used to spoof this
module with little or no effort!  The module may be arguably used for
enhanced security and audit purposes when used in conjunction with
other authentication schemes and/or in a secure network environment.
Unless you know enough to write this module, do not base your security
solely upon this code! :^)

To make this work with a recent 2.1.60+ kernel, you need to substitute
the 'link.c' file in this directory for the linux/fs/proc/link.c file
in the kernel source and recompile the kernel.  The changes in this
file were included in 2.1.78.

For reference, I wrote this module as a prototype for modules of this
type that use a second channel to authenticate the user.  It is also
an example of how to write a module that can be compiled as a
stand-alone program.

By default, this module performs a number of tasks:

	1. trivial check to see if any parent (or grandparent ...) is
	   drawing its 'stdin' from a TCP connection.

	2. if 1. is found to be true, this module attempts to identify
	   the remote owner of the associated TCP socket, by connecting
	   to the 'auth/113' privileged port on the remote machine.

The behavior of this module can be modified with the following options:

	debug		- log more information (make netid program more
			verbose).

	setuser		- if the remote user is identified, then set
			PAM_USER appropriately.

	auth		- if PAM_USER is equal to the reported remote
			user then the module returns PAM_SUCCESS.  If
			the remote user is identified but is not the
			same as PAM_USER then PAM_AUTH_ERR is returned.

	enforce		- normally, the module returns PAM_IGNORE.
			This option is used to replace PAM_IGNORE with
			PAM_PERM_DENIED.

	nonet		- if the user is logged in via the network then
			return PAM_PERM_DENIED.  This is useful for enforcing
			things like no root access over the network.  This
			can be overridden with 'auth', so the module can be
			configured to only authenticate remote connections
			that are identd-able.

	quiet		- don't log authentication failures.

	silent		- don't log successes or failures.

	refresh		- each time the module is called, retry the
			network connection.

	timeout=<number>	- seconds before timing out the remote
				identd connection

	port=<port number>	- select a port different from the default
				(113)

	os=<OS name>		- select an operating system name different
				from the default (UNIX)

	fd=<file descriptor> 	- normally, the module tests the standard
				input of all processes up to pid=1 (fd=0).
				This option can be used to probe a different
				file descriptor.  Note, inetd (TCP wrappers
				et al.) works with the default.  Other
				network connections may require other numbers
				(e.g. sshd 1.2.17 has been known to use fd=5).

In addition to the above module options, when compiled as a
stand-alone program, the resulting application accepts the following
options:

	pid=<pid>  	- this option is only available when the module is
			compiled as a stand-alone program.  It indicates that
			the program should search the parentage of a given
			process-id.
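
The ident exchange from step 2 and the way the auth/enforce/nonet options
combine into a PAM return code, as an added Python illustration (not part
of pam_netid itself).  The sample replies are constructed, the query
helper uses the RFC 1413 request format, and the option precedence in
decide() is my reading of the descriptions above; setuser, refresh and
fd are not modelled.

```python
import socket

# Constructed RFC 1413 replies (not captured from a real identd).
SAMPLE_OK = "6193,23:USERID:UNIX:alice\r\n"
SAMPLE_ERR = "6193,23:ERROR:NO-USER\r\n"


def ident_query_line(remote_port, local_port):
    """Request line sent to the remote identd: the port on the identd
    host (remote end of the TCP connection) first, then our local port."""
    return f"{remote_port},{local_port}\r\n"


def parse_ident_reply(line, ports=None):
    """Return the username from a USERID reply, or None for ERROR or a
    malformed line.  If ports=(remote_port, local_port) is given, the
    reply must echo the pair we asked about.  The remote host controls
    this string entirely, which is why the README warns it is spoofable."""
    parts = line.strip().split(":", 3)
    if len(parts) != 4 or parts[1].strip() != "USERID":
        return None
    if ports is not None and parts[0].replace(" ", "") != "%d,%d" % ports:
        return None
    return parts[3].strip() or None


def query_identd(host, remote_port, local_port, port=113, timeout=5):
    """One ident round trip; 'port' and 'timeout' mirror the module's
    port= and timeout= options.  Returns the raw reply or None on
    connection failure or timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(ident_query_line(remote_port, local_port).encode("ascii"))
            return s.recv(1024).decode("ascii", "replace")
    except OSError:
        return None


def decide(pam_user, remote_user, over_network, opts):
    """Map the option semantics described above onto a PAM return code.
    opts is a set of option names; remote_user is None when identd gave
    no usable answer."""
    if over_network and "auth" in opts and remote_user is not None:
        return "PAM_SUCCESS" if remote_user == pam_user else "PAM_AUTH_ERR"
    if over_network and "nonet" in opts:
        return "PAM_PERM_DENIED"          # network login, not identd-able
    return "PAM_PERM_DENIED" if "enforce" in opts else "PAM_IGNORE"
```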

Enjoy

Andrew Morgan <morgan@linux.kernel.org>
1997/1/4
