.. -*- mode: rst -*- .. _server-plugins-generators-account: ======= Account ======= The account plugin manages authentication data, including * ``/etc/passwd`` * ``/etc/group`` * ``/etc/security/limits.conf`` * ``/etc/sudoers`` * ``/root/.ssh/authorized_keys`` User access data is stored in three files in the Account directory: * superusers (a list of users who always have root privs) * rootlist (a list of user:host pairs for scoped root privs) * useraccess (a list of user:host pairs for login access) SSH keys are stored in files named $username.key; these are installed into root's authorized keys for users in the superusers list as well as for the pertitent users in the rootlike file (for the current system). Authentication data is read in from (static|dyn).(passwd|group) The static ones are for system local ones, while the dyn. versions are for external synchronization (from ldap/nis/etc). There is also a static.limits.conf that provides the limits.conf header and any static entries. Files in the Account directory: ``.key`` **Format**: The SSH public key for user . If the user is in the "rootlike" or "superusers" group, these keys will be appended to ``/root/.ssh/auth`` ``useraccess`` **Format**: "user:hostname" on each line. Describes who may login where (via PAMs ``/etc/security/limits.conf``). Everybody else will be denied access.(?) **Example**: If Alice should be able to access host "foo", Bob should access "foo" and "bar":: alice:foo.example.com bob:foo.example.com bob:bar.example.com ``rootlike`` **Format**: "user:hostname" on each line. Describes who will be allowed root access where. The user may login via public key and use sudo. **Example**: If Chris should be root only on host "foo":: chris:foo.example.com ``superusers`` **Format**: usernames, separated by spaces or newlines. (Any whitespace that makes pythons split() happy.) Describes who will be allowed root access on all hosts. The user may login via public key and use sudo. **Example**: Daniel, Eve and Faith are global admins:: daniel eve faith ``static.passwd``, ``static.group`` **Format**: Lines from ``/etc/passwd`` or ``/etc/group`` These entries are appended to the passwd and group files (in addition to the auto-generated entries from "useraccess", "rootlike" and "superusers" above) without doing anything else. ``dyn.passwd``, ``dyn.group`` **Format**: Lines from ``/etc/passwd`` or ``/etc/group`` Similar to "static.*" above, but for entries that are managed "on the network" (yp, LDAP, ...), so it is most likely periodically (re)filled. ``static.limits.conf`` **Format**: Lines from ``/etc/security/limit.conf`` These limits will be appended to limits.conf (in addition to the auto-generated entries from "useraccess", "rootlike" and "superusers" above). ``static.sudoers`` **Format**: Lines from ``/etc/sudoers`` These lines will be appended to to sudoers file (in addition to the auto-generated entries from "useraccess", "rootlike" and "superusers" above).