.. -*- mode: rst -*-

.. _server-plugins-generators-account:

=======
Account
=======

The account plugin manages authentication data, including

* ``/etc/passwd``
* ``/etc/group``
* ``/etc/security/limits.conf``
* ``/etc/sudoers``
* ``/root/.ssh/authorized_keys``

User access data is stored in three files in the Account directory:

* superusers (a list of users who always have root privs)
* rootlist (a list of user:host pairs for scoped root privs)
* useraccess (a list of user:host pairs for login access)

SSH keys are stored in files named $username.key; these are installed
into root's authorized keys for users in the superusers list as well as
for the pertitent users in the rootlike file (for the current system).

Authentication data is read in from (static|dyn).(passwd|group) The static
ones are for system local ones, while the dyn. versions are for external
synchronization (from ldap/nis/etc). There is also a static.limits.conf
that provides the limits.conf header and any static entries.

Files in the Account directory:

``<username>.key``

    **Format**: The SSH public key for user <username>.

        If the user is in the "rootlike" or "superusers" group, these
        keys will be appended to ``/root/.ssh/auth``

``useraccess``

    **Format**: "user:hostname" on each line.

        Describes who may login where (via PAMs
        ``/etc/security/limits.conf``). Everybody else will be denied
        access.(?)

    **Example**:

        If Alice should be able to access host "foo", Bob should access
        "foo" and "bar"::

                 alice:foo.example.com
                 bob:foo.example.com
                 bob:bar.example.com

``rootlike``

    **Format**: "user:hostname" on each line.

        Describes who will be allowed root access where. The user may
        login via public key and use sudo.

    **Example**:

        If Chris should be root only on host "foo"::

                 chris:foo.example.com

``superusers``

    **Format**: usernames, separated by spaces or newlines. (Any whitespace that makes pythons split() happy.)

        Describes who will be allowed root access on all hosts. The user
        may login via public key and use sudo.

    **Example**:

        Daniel, Eve and Faith are global admins::

                 daniel eve
                 faith

``static.passwd``, ``static.group``

    **Format**: Lines from ``/etc/passwd`` or ``/etc/group``

        These entries are appended to the passwd and group files
        (in addition to the auto-generated entries from "useraccess",
        "rootlike" and "superusers" above) without doing anything else.

``dyn.passwd``, ``dyn.group``

    **Format**: Lines from ``/etc/passwd`` or ``/etc/group``

        Similar to "static.*" above, but for entries that are managed "on
        the network" (yp, LDAP, ...), so it is most likely periodically
        (re)filled.

``static.limits.conf``

    **Format**: Lines from ``/etc/security/limit.conf``

        These limits will be appended to limits.conf (in addition to
        the auto-generated entries from "useraccess", "rootlike" and
        "superusers" above).

``static.sudoers``

    **Format**: Lines from ``/etc/sudoers``

        These lines will be appended to to sudoers file (in addition
        to the auto-generated entries from "useraccess", "rootlike" and
        "superusers" above).