passwdd.conf

NAME

passwdd.conf — PASSWorD synchronization Daemon CONFiguration file

DESCRIPTION

The passwdd.conf file defines the site-specific configuration data for the passwdd package. The file is required.

Configuration File Syntax

Empty lines are allowed. All statements are case sensitive.

Comments begin with # as the first non-whitespace character of a line. Lines starting with % are also treated as comments.

The configuration file is divided into sections. Section names are enclosed in square brackets.

Each section holds one or more key/value pairs. The key is the text to the left of the = character; the value is the text to the right of it. Statements outside a section are not allowed. The passwdd client programs report such a file as a parse error, but the cgi-client suppresses parse errors and silently falls back to default values, so a mistake in this file can go unnoticed there. Be careful.
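The syntax above, as a small parser. This is an added example, not code from the passwdd package: it implements the stated rules (sections in square brackets, key = value pairs inside a section, # or % comment lines, blank lines ignored, everything case sensitive) and rejects a statement outside any section, which is the strict behaviour of the passwdd clients rather than the silent fallback of the cgi-client. The section header spellings in the constructed SAMPLE file are assumptions; the page does not give them.

```python
"""Parser for the passwdd.conf syntax (added example, not passwdd code)."""
from typing import Dict


class ConfigError(ValueError):
    """A statement outside a section or a malformed line."""


def parse_passwdd_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Return {section: {key: value}} for text in passwdd.conf format."""
    config: Dict[str, Dict[str, str]] = {}
    section = None
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:                      # empty lines are allowed
            continue
        if line[0] in "#%":               # comment: # or % as first non-blank char
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()  # case preserved: [Global] != [global]
            if not section:
                raise ConfigError(f"line {lineno}: empty section name")
            config.setdefault(section, {})
            continue
        key, sep, value = line.partition("=")
        if sep != "=" or not key.strip():
            raise ConfigError(f"line {lineno}: expected key = value, got {raw!r}")
        if section is None:
            raise ConfigError(f"line {lineno}: statement outside any section")
        config[section][key.strip()] = value.strip()
    return config


# Constructed sample file for this example; the section names are assumed.
SAMPLE = """\
# global settings
[Global]
max_processes = 10
port = 1099
% retry scheme: attempts*minutes, comma separated
retry = 12*30,6*60,3*120,2*180

[Security]
key = /etc/passwdd/private.key
key_directory = /var/lib/passwdd/keys
encrypt_passwords = yes
"""


def parse_sample() -> Dict[str, Dict[str, str]]:
    return parse_passwdd_conf(SAMPLE)


def is_strict_about_sections() -> bool:
    """True if a bare statement before any section header is rejected."""
    try:
        parse_passwdd_conf("port = 1099\n")
    except ConfigError:
        return True
    return False


if __name__ == "__main__":
    for name, entries in parse_sample().items():
        print(f"[{name}]")
        for key, value in entries.items():
            print(f"  {key} = {value}")
```

Because a stray statement before the first header raises instead of being dropped, a file that this parser accepts is also one the cgi-client would not silently reinterpret with defaults.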

Configuration File Entries

Here are the descriptions of the configuration statements grouped by section.

Global Section

max_processes

The maximum number of simultaneous passwdd processes. Set a reasonable value here to limit denial-of-service and password-searching (guessing) attacks against the daemon.

port

This is the number of the port on which the passwdd daemon will listen for incoming connections. The default value is 1099.

retry

This entry specifies the retry scheme for an unsuccessful connection. The value is a comma-separated list of retry groups, each written as the number of attempts and the interval between them separated by *. For example, the string 12*30,6*60,3*120,2*180 means that the passwdd daemon will make 12 attempts to connect to a silent daemon with an interval of 30 minutes, then 6 attempts at intervals of 1 hour, and so on. All intervals are in minutes.
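The retry scheme, expanded into a concrete schedule. This is an added example, not code from the passwdd package: it parses the comma-separated attempts*interval list described above and flattens it into the sequence of waits before each reconnection attempt. One assumption: every attempt is preceded by one interval of its group, so the time after which the daemon gives up is the sum of all intervals.

```python
"""Interpreting the passwdd 'retry' statement (added example, not passwdd code)."""
from typing import List, Tuple


def parse_retry(spec: str) -> List[Tuple[int, int]]:
    """'12*30,6*60' -> [(12, 30), (6, 60)] as (attempts, minutes between them)."""
    schedule: List[Tuple[int, int]] = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        attempts_s, sep, minutes_s = item.partition("*")
        attempts_s, minutes_s = attempts_s.strip(), minutes_s.strip()
        if sep != "*" or not attempts_s.isdigit() or not minutes_s.isdigit():
            raise ValueError(f"bad retry item {item!r}: expected attempts*minutes")
        attempts, minutes = int(attempts_s), int(minutes_s)
        if attempts == 0 or minutes == 0:
            raise ValueError(f"retry item {item!r}: attempts and minutes must be positive")
        schedule.append((attempts, minutes))
    if not schedule:
        raise ValueError("empty retry specification")
    return schedule


def retry_waits(spec: str) -> List[int]:
    """Minutes to sleep before each attempt, in order (assumed: wait precedes attempt)."""
    return [minutes for attempts, minutes in parse_retry(spec) for _ in range(attempts)]


def total_attempts(spec: str) -> int:
    return len(retry_waits(spec))


def give_up_after_minutes(spec: str) -> int:
    """Elapsed time at which the last attempt is made."""
    return sum(retry_waits(spec))


def is_valid_retry(spec: str) -> bool:
    try:
        parse_retry(spec)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    spec = "12*30,6*60,3*120,2*180"          # the scheme from the text
    print(spec, "->", total_attempts(spec), "attempts, gives up after",
          give_up_after_minutes(spec) / 60, "hours")
```

Run on the scheme from the text, this gives 23 attempts and a total of 1440 minutes: each of the four groups adds 360 minutes, so a silent peer is abandoned after exactly 24 hours.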

Security Section

key

This is the full pathname of the passwdd private key. The private key must be protected from unauthorized access: its disclosure compromises the security of the whole system, so keep the file readable only by the account the daemon runs as. A public/private keypair can be generated with the rsakeys utility provided with this package.

key_directory

A publicly writable directory holding the public keys of the other passwdd daemons. This directory is shared by the passwdd server and its clients. It is used by the keep-and-try mechanism of the passwdd server, which repeatedly attempts to connect to a non-responding server on request from a client. Note that any local user who can write to this directory can replace a peer's public key, so restrict write access as far as the server and clients permit.

encrypt_passwords

A boolean value (yes or no) enabling the encryption mechanism. Encryption should always be enabled; this option exists only for debugging.

Permissions Section

hosts_allow

A comma-separated list of IP addresses or host names of machines that are allowed to send requests to this server. Network address/mask pairs are allowed as well.

users_allow

A comma-separated list of usernames whose accounts are allowed to be modified by the passwdd utility. A whole group can be specified by writing, for example, @users. All users or groups with a uid or gid above a given value can be specified by writing, for example, >99. The latter is useful on Linux systems that give each user a private group.

master

Here you can give a specified user or group permission to modify the passwords of other users and groups. Once again @ denotes a whole group and > means everybody with a gid or uid above the specified value.
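The hosts_allow and users_allow matching rules above, as code. This is an added example, not code from the passwdd package: hosts_allow entries are host names, IP addresses or network/mask pairs; users_allow entries are user names, @group for every member of a group, or >N for everybody whose uid or gid is above N (the literal reading of the text). DNS and the group database are replaced by small constructed tables so the example runs offline; master is not modelled because the page does not give its exact syntax.

```python
"""Matching against the Permissions section (added example, not passwdd code)."""
import ipaddress
from typing import Dict, List, NamedTuple


class Account(NamedTuple):
    name: str
    uid: int
    gid: int
    groups: List[str]          # names of every group the account belongs to


def _entries(value: str) -> List[str]:
    return [e.strip() for e in value.split(",") if e.strip()]


def host_allowed(client_ip: str, hosts_allow: str, resolve: Dict[str, str]) -> bool:
    """True if client_ip matches any hosts_allow entry.

    `resolve` maps host names to addresses and stands in for DNS here.
    Entries are checked in order; an IPv4 entry never matches an IPv6 client.
    """
    addr = ipaddress.ip_address(client_ip)
    for entry in _entries(hosts_allow):
        if "/" in entry:                                   # network/mask pair
            if addr in ipaddress.ip_network(entry, strict=False):
                return True
            continue
        try:
            entry_addr = ipaddress.ip_address(entry)       # plain address
        except ValueError:
            entry_addr = None                              # must be a host name
        if entry_addr is None and entry in resolve:
            entry_addr = ipaddress.ip_address(resolve[entry])
        if entry_addr is not None and addr == entry_addr:
            return True
    return False


def user_allowed(target: Account, users_allow: str) -> bool:
    """True if users_allow permits modifying `target`."""
    for entry in _entries(users_allow):
        if entry.startswith("@"):                 # whole group
            if entry[1:] in target.groups:
                return True
        elif entry.startswith(">"):               # everybody above this id
            if not entry[1:].isdigit():
                raise ValueError(f"bad users_allow entry {entry!r}")
            limit = int(entry[1:])
            # literal reading of the text: uid or gid above the limit
            if target.uid > limit or target.gid > limit:
                return True
        elif entry == target.name:
            return True
    return False


if __name__ == "__main__":
    dns = {"admin.example.org": "192.0.2.10"}          # constructed
    alice = Account("alice", 1001, 1001, ["alice", "users"])
    root = Account("root", 0, 0, ["root", "wheel"])
    print(host_allowed("10.1.2.3", "admin.example.org, 10.1.0.0/255.255.0.0", dns))
    print(user_allowed(alice, ">99"), user_allowed(root, ">99, @users"))
```

Note that >99 never matches root (uid 0, gid 0) but does match any account whose uid or gid exceeds the limit, so on a system with private per-user groups it covers every ordinary user while keeping the system accounts out.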

Delete Section

These entries control the removal of a user's account.

remove

Boolean value (yes or no) specifying whether to remove the home directories of deleted users.

move

Boolean value (yes or no) specifying whether to move the home directories of deleted users to the directory named by the trash entry (see below).

trash

The location to which deleted home directories are moved. This location and the home directories must reside on the same filesystem.
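The Delete section applied to a departed user's home directory. This is an added example, not the passwdd implementation: move, remove and trash are the statements above. The move uses os.rename, which only works inside one filesystem, so the function compares st_dev first and refuses instead of failing part-way; it also refuses to overwrite an existing entry in trash. It is assumed that move takes precedence when both move and remove are yes. demo() builds a throw-away directory tree so everything runs offline.

```python
"""Disposing of a deleted user's home (added example, not passwdd code)."""
import os
import shutil
import tempfile
from typing import Dict


def is_yes(value: str) -> bool:
    return value.strip().lower() == "yes"


def dispose_home(delete: Dict[str, str], home: str, login: str) -> str:
    """Apply the Delete statements to `home`; return 'moved', 'removed' or 'kept'."""
    if is_yes(delete.get("move", "no")):           # assumed: move wins over remove
        trash = delete["trash"]
        if os.stat(trash).st_dev != os.stat(home).st_dev:
            raise RuntimeError(f"{trash} and {home} are not on the same filesystem")
        target = os.path.join(trash, login)
        if os.path.lexists(target):
            raise RuntimeError(f"{target} already exists; refusing to overwrite")
        os.rename(home, target)                    # atomic within one filesystem
        return "moved"
    if is_yes(delete.get("remove", "no")):
        shutil.rmtree(home)
        return "removed"
    return "kept"


def demo() -> Dict[str, object]:
    """Run the three cases in a temporary tree and report what happened."""
    base = tempfile.mkdtemp(prefix="passwdd-demo-")
    try:
        trash = os.path.join(base, "trash")
        os.makedirs(trash)
        homes = {}
        for login in ("frank", "gina", "hank"):     # constructed accounts
            homes[login] = os.path.join(base, "home", login)
            os.makedirs(homes[login])
            open(os.path.join(homes[login], ".profile"), "w").close()
        result = {
            "frank": dispose_home({"move": "yes", "trash": trash}, homes["frank"], "frank"),
            "gina": dispose_home({"move": "no", "remove": "yes"}, homes["gina"], "gina"),
            "hank": dispose_home({"move": "no", "remove": "no"}, homes["hank"], "hank"),
            "frank_in_trash": os.path.isfile(os.path.join(trash, "frank", ".profile")),
            "frank_home_gone": not os.path.exists(homes["frank"]),
            "gina_home_gone": not os.path.exists(homes["gina"]),
            "hank_home_kept": os.path.isdir(homes["hank"]),
        }
    finally:
        shutil.rmtree(base, ignore_errors=True)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```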

Add Section

These entries control the creation of a user's account.

master

A comma-delimited list of users who are allowed to add new accounts. Whole groups can be authorized by placing the @ character in front of the group name.

group

The default gid for a newly created account. Use the value $USER if you want the new user's gid to be the same as its uid. If add_group is set to yes, a new group is created when it does not already exist.

shell

The default shell for the new user. This must be a valid shell listed in the shells file (/etc/shells).

directory

The default home directory for a newly created user. You can use the $USER variable, which is substituted with the login name of the new account.

add_group

If this boolean entry is set to yes and a new user is added whose group does not exist, the group is created automatically with a gid equal to the user's uid and a group name equal to the user name.

add_directory

Boolean value (yes or no) enabling or disabling the creation of the new user's home directory.
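The Add section resolved into a concrete new account. This is an added example, not the passwdd implementation: it applies the $USER substitution to group and directory, the add_group rule (create a group named after the user with gid equal to the uid when it does not exist), and the shells-file check. The existing groups and the shells file are constructed tables so it runs offline; treating a numeric group value as a literal gid, and reusing an existing group's gid when a $USER group already exists, are assumptions.

```python
"""Resolving [Add] defaults for a new account (added example, not passwdd code)."""
from typing import Dict, NamedTuple, Optional, Set


class NewAccount(NamedTuple):
    login: str
    uid: int
    gid: int
    home: str
    shell: str
    create_group: Optional[str]    # group to create before the account, or None
    create_home: bool


def is_yes(value: str) -> bool:
    return value.strip().lower() == "yes"


def plan_new_account(add: Dict[str, str], login: str, uid: int,
                     existing_groups: Dict[str, int], shells: Set[str]) -> NewAccount:
    """Combine the [Add] statements with a login and uid into a NewAccount."""
    shell = add.get("shell", "")
    if shell not in shells:                        # must be listed in the shells file
        raise ValueError(f"shell {shell!r} is not listed in the shells file")

    home = add.get("directory", "").replace("$USER", login)

    group_spec = add.get("group", "")
    create_group = None
    if group_spec == "$USER":
        # private group: gid equal to the uid, name equal to the login
        if login in existing_groups:               # assumed: reuse the existing gid
            gid = existing_groups[login]
        elif is_yes(add.get("add_group", "no")):
            gid, create_group = uid, login
        else:
            raise ValueError(f"group {login!r} does not exist and add_group is not yes")
    elif group_spec.isdigit():                     # assumed: a literal gid
        gid = int(group_spec)
    elif group_spec in existing_groups:
        gid = existing_groups[group_spec]
    else:
        raise ValueError(f"default group {group_spec!r} does not exist")

    return NewAccount(login, uid, gid, home, shell, create_group,
                      is_yes(add.get("add_directory", "no")))


if __name__ == "__main__":
    groups = {"users": 100, "staff": 50}           # constructed group database
    shells = {"/bin/sh", "/bin/bash"}              # constructed shells file
    add = {"group": "$USER", "shell": "/bin/bash", "directory": "/home/$USER",
           "add_group": "yes", "add_directory": "yes"}
    print(plan_new_account(add, "carol", 1005, groups, shells))
```

With group = $USER and add_group = no, a login whose private group is missing is rejected rather than silently given a wrong gid, which is the failure a site running per-user groups most needs to see.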

AUTHOR

SEE ALSO

groupadd(1), groupdel(1), useradd(1), userdel(1), userchfn(1), passwdc(1).