Commit ceb2328

man: update terminology
1 parent 8f88099 commit ceb2328

1 file changed

+22
-21
lines changed

man/pam_u2f.8.txt

@@ -31,10 +31,10 @@ Set the relying party ID for the FIDO authentication procedure. If no
3131
value is specified, the identifier "pam://$HOSTNAME" is used.
3232

3333
*appid*=_appid_::
34-
Set the application ID for the U2F authentication
34+
Set the application ID for the FIDO authentication
3535
procedure. If no value is specified, the same value used for origin is
3636
taken ("pam://$HOSTNAME" if also origin is not specified). This setting
37-
is only applicable for U2F credentials created with pamu2fcfg versions
37+
is only applicable for FIDO credentials created with pamu2fcfg versions
3838
v1.0.8 or earlier. Note that on v1.1.0 and v1.1.1 of pam-u2f, handling
3939
of this setting was temporarily broken if the value was not the same as
4040
the value of origin.
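Review bot: On new line 37, "FIDO credentials created with pamu2fcfg versions v1.0.8 or earlier" removes the only wording that told a reader why a separate application ID exists next to origin, since both options are now described as being "for the FIDO authentication procedure". Consider keeping the distinction the old text carried, for example "U2F (legacy) credentials created with pamu2fcfg versions v1.0.8 or earlier", so an administrator migrating an old mapping file can tell when appid still matters.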
@@ -54,13 +54,14 @@ local user name (`PAM_USER`) and `%%` is expanded to `%`. Unknown expansion
5454
sequences result in an authentication error. See also `openasuser`.
5555

5656
*authpending_file*=_file_::
57-
Set the location of the file that is used for touch request
58-
notifications. This file will be opened when pam-u2f starts waiting
59-
for a user to touch the device, and will be closed when it no longer
60-
waits for a touch. Use inotify to listen on these events, or a more
61-
high-level tool like yubikey-touch-detector. Default value:
62-
/var/run/user/$UID/pam-u2f-authpending. Set an empty value in order to
63-
disable this functionality, like so: "authpending_file=".
57+
Set the location of the file that is used for touch request notifications. This
58+
file will be opened when pam-u2f starts waiting for a user to touch the FIDO
59+
authenticator, and will be closed when it no longer waits for a touch. Use
60+
inotify to listen on these events, or a more high-level tool like
61+
yubikey-touch-detector.
62+
Default value: /var/run/user/$UID/pam-u2f-authpending.
63+
Set an empty value in order to disable this functionality, like so:
64+
"authpending_file=".
6465

6566
*nouserok*::
6667
Set to enable authentication attempts to succeed even if the user
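Review bot: The re-wrap of the authpending_file paragraph (new lines 57-64) buries the single terminology change, "the device" to "the FIDO authenticator", and makes new lines 57-58 noticeably wider than the neighbouring entries. Suggest keeping the original wrapping and changing only that phrase, or moving the re-wrap into its own commit so the wording change can be reviewed on its own.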
@@ -80,13 +81,13 @@ Set to enable all authentication attempts to succeed (aka presentation
8081
mode).
8182

8283
*max_devices*=_n_devices_::
83-
Maximum number of devices (credentials) allowed per user (default is 24).
84-
Devices specified in the authorization mapping file that exceed this value
85-
will be ignored.
84+
Maximum number of FIDO authenticators allowed per user (default is 24).
85+
FIDO authenticators specified in the authorization mapping file that exceed
86+
this value will be ignored.
8687

8788
*interactive*::
88-
Set to prompt a message and wait before testing the presence of a U2F
89-
device. Recommended if your device doesn't have tactile trigger.
89+
Set to prompt a message and wait before testing the presence of a FIDO
90+
authenticator. Recommended if your authenticator doesn't have tactile trigger.
9091

9192
*[prompt=your prompt here]*::
9293
Set individual prompt message for interactive mode. Watch the square
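Review bot: New line 84 drops the "(credentials)" qualifier from the max_devices description, so it now reads as a limit on physical authenticators while the following sentence still counts entries in the authorization mapping file. Suggest "Maximum number of FIDO authenticators (credentials) allowed per user", and consider a short remark that the option name and its _n_devices_ placeholder keep the old term. On new line 90, "doesn't have tactile trigger" is missing an article ("a tactile trigger").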
@@ -96,20 +97,20 @@ PAM.
9697
*manual*::
9798
Set to drop to a manual console where challenges are printed on screen
9899
and response read from standard input. Useful for debugging and SSH
99-
sessions without U2F-support from the SSH client/server. If enabled,
100+
sessions without FIDO support from the SSH client/server. If enabled,
100101
interactive mode becomes redundant and has no effect.
101102

102103
*cue*::
103-
Set to prompt a message to remind to touch the device.
104+
Set to prompt a message to remind to touch the FIDO authenticator.
104105

105106
*[cue_prompt=your prompt here]*::
106107
Set individual prompt message for the cue option. Watch the square
107108
brackets around this parameter to get spaces correctly recognized by
108109
PAM.
109110

110111
*nodetect*::
111-
Skip detecting if a suitable key is inserted before performing a full
112-
authentication. See *NOTES* below.
112+
Skip detecting if a suitable FIDO authenticator is inserted before performing a
113+
full authentication. See *NOTES* below.
113114

114115
*userpresence*=_int_::
115116
If 1, require user presence during authentication. If 0, do not
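Review bot: New line 104, "Set to prompt a message to remind to touch the FIDO authenticator", still has no object for "remind"; since the line is being rewritten anyway, "to remind the user to touch the FIDO authenticator" would read correctly. On new line 112, "Skip detecting if a suitable FIDO authenticator is inserted" would be clearer as "Skip detecting whether".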
@@ -130,7 +131,7 @@ support for a FIDO2 PIN is required.
130131

131132
*sshformat*::
132133
Use credentials produced by versions of OpenSSH that have support for
133-
FIDO devices. It is not possible to mix native credentials and SSH
134+
FIDO authenticator. It is not possible to mix native credentials and SSH
134135
credentials. Once this option is enabled all credentials will be parsed
135136
as SSH.
136137

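Review bot: New line 134 turns the plural "FIDO devices" into the singular "FIDO authenticator", which leaves "have support for FIDO authenticator." ungrammatical. It should read "FIDO authenticators".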
@@ -210,8 +211,8 @@ determine that pam_u2f is part of the authentication stack by
210211
inserting any random U2F token and performing an authentication
211212
attempt. In this scenario, the attacker would see the cue message
212213
followed by an immediate failure, whereas with detection enabled, the
213-
U2F authentication will fail silently. Understand that an attacker
214-
could choose a U2F token that alerts him or her in some way to the
214+
authentication will fail silently. Understand that an attacker
215+
could choose an authenticator that alerts him or her in some way to the
215216
"check-only" authentication attempt, so this precaution only pushes
216217
the issue back a step.
217218

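Review bot: The unchanged context line 211, "inserting any random U2F token", sits in the same paragraph as new lines 214-215 but keeps the old term, so the NOTES text now mixes "U2F token" and "authenticator" for the same object. Update that line in this commit as well, for example "inserting any random authenticator".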