<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>6.5. pam_echo - print text messages</title><meta name="generator" content="DocBook XSL Stylesheets Vsnapshot"><link rel="home" href="Linux-PAM_SAG.html" title="The Linux-PAM System Administrators' Guide"><link rel="up" href="sag-module-reference.html" title="Chapter 6. A reference guide for available modules"><link rel="prev" href="sag-pam_deny.html" title="6.4. pam_deny - locking-out PAM module"><link rel="next" href="sag-pam_env.html" title="6.6. pam_env - set/unset environment variables"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">6.5. pam_echo - print text messages</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="sag-pam_deny.html">Prev</a> </td><th width="60%" align="center">Chapter 6. A reference guide for available modules</th><td width="20%" align="right"> <a accesskey="n" href="sag-pam_env.html">Next</a></td></tr></table><hr></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="sag-pam_echo"></a>6.5. pam_echo - print text messages</h2></div></div></div><div class="cmdsynopsis"><p><code class="command">pam_echo.so</code>  [
        file=<em class="replaceable"><code>/path/message</code></em>
      ]</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_echo-description"></a>6.5.1. DESCRIPTION</h3></div></div></div><p>
      The <span class="emphasis"><em>pam_echo</em></span> PAM module prints
      text messages to inform the user about special circumstances. Sequences
      starting with the <span class="emphasis"><em>%</em></span> character are
      interpreted in the following way:
    </p><div class="variablelist"><dl class="variablelist"><dt><span class="term"><span class="emphasis"><em>%H</em></span></span></dt><dd><p>The name of the remote host (PAM_RHOST).</p></dd><dt><span class="term"><span class="emphasis"><em>%h</em></span></span></dt><dd><p>The name of the local host.</p></dd><dt><span class="term"><span class="emphasis"><em>%s</em></span></span></dt><dd><p>The service name (PAM_SERVICE).</p></dd><dt><span class="term"><span class="emphasis"><em>%t</em></span></span></dt><dd><p>The name of the controlling terminal (PAM_TTY).</p></dd><dt><span class="term"><span class="emphasis"><em>%U</em></span></span></dt><dd><p>The remote user name (PAM_RUSER).</p></dd><dt><span class="term"><span class="emphasis"><em>%u</em></span></span></dt><dd><p>The local user name (PAM_USER).</p></dd></dl></div><p>
      All other sequences beginning with <span class="emphasis"><em>%</em></span>
      expand to the characters following the <span class="emphasis"><em>%</em></span>
      character.
    </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_echo-options"></a>6.5.2. OPTIONS</h3></div></div></div><div class="variablelist"><dl class="variablelist"><dt><span class="term">
          <code class="option">file=<em class="replaceable"><code>/path/message</code></em></code>
        </span></dt><dd><p>
            The content of the file <code class="filename">/path/message</code>
            is printed through the PAM conversation function as PAM_TEXT_INFO.
          </p></dd></dl></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_echo-types"></a>6.5.3. MODULE TYPES PROVIDED</h3></div></div></div><p>
      All module types (<code class="option">auth</code>, <code class="option">account</code>,
      <code class="option">password</code> and <code class="option">session</code>) are provided.

    </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_echo-return_values"></a>6.5.4. RETURN VALUES</h3></div></div></div><div class="variablelist"><dl class="variablelist"><dt><span class="term">PAM_BUF_ERR</span></dt><dd><p>
             Memory buffer error.
          </p></dd><dt><span class="term">PAM_SUCCESS</span></dt><dd><p>
             Message was successfully printed.
          </p></dd><dt><span class="term">PAM_IGNORE</span></dt><dd><p>
             The PAM_SILENT flag was given or the message file does not
             exist; no message was printed.
          </p></dd></dl></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_echo-examples"></a>6.5.5. EXAMPLES</h3></div></div></div><p>
      For an example of the use of this module, we show how it may be
      used to print information about good passwords:
      </p><pre class="programlisting">
password optional pam_echo.so file=/usr/share/doc/good-password.txt
password required pam_unix.so
      </pre><p>
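The following is an added example, not code from the Linux-PAM project: a small Python function that performs the %-expansion described in 6.5.1 on a message the way the module does before handing it to the conversation function. The function name and the shape of the items dictionary are assumptions; the sequences (%H, %h, %s, %t, %U, %u) and the PAM item names are the ones documented above. The sample message and item values are constructed.

```python
"""Expansion of the %-sequences in a pam_echo message file, per 6.5.1.
Added example, not Linux-PAM code.  The function name and the ``items``
dictionary are assumptions; the sequences and the PAM item names are the
ones this section documents."""
import socket

# %-sequence -> PAM item whose value is substituted.  %h (the local host
# name) is not a PAM item and is handled separately.
ITEM_SEQUENCES = {
    "H": "PAM_RHOST",    # remote host
    "s": "PAM_SERVICE",  # service name
    "t": "PAM_TTY",      # controlling terminal
    "U": "PAM_RUSER",    # remote user name
    "u": "PAM_USER",     # local user name
}


def expand_echo(template, items, local_host=None):
    """Expand ``template`` the way the module does before printing it.

    ``items`` maps PAM item names to their values; an unset item expands
    to "".  Any other sequence starting with '%' expands to the character
    following the '%', so "%%" yields a literal '%'.  A lone '%' at the
    very end has nothing following it and is kept as-is (an assumption;
    the text does not cover that case).
    """
    if local_host is None:
        local_host = socket.gethostname()
    out, i = [], 0
    while i < len(template):
        ch = template[i]
        if ch != "%":
            out.append(ch)
            i += 1
            continue
        if i + 1 >= len(template):
            out.append("%")
            break
        nxt = template[i + 1]
        if nxt == "h":
            out.append(local_host)
        elif nxt in ITEM_SEQUENCES:
            out.append(items.get(ITEM_SEQUENCES[nxt]) or "")
        else:
            out.append(nxt)
        i += 2
    return "".join(out)


# Constructed message (standing in for the file named by file=) and
# constructed PAM items as an sshd login might set them.
SAMPLE_MESSAGE = "Welcome %u on %t (service %s, from %H); 100%% uptime"
SAMPLE_ITEMS = {
    "PAM_USER": "alice",
    "PAM_TTY": "pts/3",
    "PAM_SERVICE": "sshd",
    "PAM_RHOST": "198.51.100.7",
}

if __name__ == "__main__":
    print(expand_echo(SAMPLE_MESSAGE, SAMPLE_ITEMS, local_host="gw01"))
```

Items the application never set (PAM_RUSER for a local console login, for instance) expand to nothing, so a message should not rely on every field being present; and, as 6.5.4 notes, nothing is printed at all when the application passes PAM_SILENT.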
    </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_echo-author"></a>6.5.6. AUTHOR</h3></div></div></div><p>Thorsten Kukuk &lt;kukuk@thkukuk.de&gt;</p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="sag-pam_deny.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="sag-module-reference.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="sag-pam_env.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">6.4. pam_deny - locking-out PAM module </td><td width="20%" align="center"><a accesskey="h" href="Linux-PAM_SAG.html">Home</a></td><td width="40%" align="right" valign="top"> 6.6. pam_env - set/unset environment variables</td></tr></table></div></body></html>
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>6.6. pam_env - set/unset environment variables</title><meta name="generator" content="DocBook XSL Stylesheets Vsnapshot"><link rel="home" href="Linux-PAM_SAG.html" title="The Linux-PAM System Administrators' Guide"><link rel="up" href="sag-module-reference.html" title="Chapter 6. A reference guide for available modules"><link rel="prev" href="sag-pam_echo.html" title="6.5. pam_echo - print text messages"><link rel="next" href="sag-pam_exec.html" title="6.7. pam_exec - call an external command"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">6.6. pam_env - set/unset environment variables</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="sag-pam_echo.html">Prev</a> </td><th width="60%" align="center">Chapter 6. A reference guide for available modules</th><td width="20%" align="right"> <a accesskey="n" href="sag-pam_exec.html">Next</a></td></tr></table><hr></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="sag-pam_env"></a>6.6. pam_env - set/unset environment variables</h2></div></div></div><div class="cmdsynopsis"><p><code class="command">pam_env.so</code>  [
        debug
      ] [
        conffile=<em class="replaceable"><code>conf-file</code></em>
      ] [
        envfile=<em class="replaceable"><code>env-file</code></em>
      ] [
        readenv=<em class="replaceable"><code>0|1</code></em>
      ] [
        user_envfile=<em class="replaceable"><code>env-file</code></em>
      ] [
        user_readenv=<em class="replaceable"><code>0|1</code></em>
      ]</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_env-description"></a>6.6.1. DESCRIPTION</h3></div></div></div><p>
      The pam_env PAM module allows the (un)setting of environment
      variables. Previously set environment variables as well as
      <span class="emphasis"><em>PAM_ITEM</em></span>s such as
      <span class="emphasis"><em>PAM_RHOST</em></span> may be used in the values.
    </p><p>
      By default, rules for (un)setting variables are taken from the
      config file <code class="filename">/etc/security/pam_env.conf</code>. An
      alternate file can be specified with the <span class="emphasis"><em>conffile</em></span>
      option.
    </p><p>
      Second, a file (<code class="filename">/etc/environment</code> by default) with simple
      <span class="emphasis"><em>KEY=VAL</em></span> pairs on separate lines is read.
      With the <span class="emphasis"><em>envfile</em></span> option an alternate file can be specified,
      and with the <span class="emphasis"><em>readenv</em></span> option this can be completely disabled.
    </p><p>
      Third, it reads a user configuration file
      (<code class="filename">$HOME/.pam_environment</code> by default).
      The default file can be changed with the
      <span class="emphasis"><em>user_envfile</em></span> option,
      and reading it can be turned on and off with the <span class="emphasis"><em>user_readenv</em></span> option.
    </p><p>
      Since setting PAM environment variables can have side effects
      on other modules, this module should be the last one on the stack.
    </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_env.conf-description"></a>6.6.2. DESCRIPTION</h3></div></div></div><p>
      The <code class="filename">/etc/security/pam_env.conf</code> file specifies
      the environment variables to be set, unset or modified by
      <span class="citerefentry"><span class="refentrytitle">pam_env</span>(8)</span>.
      When someone logs in, this file is read and the environment
      variables are set accordingly.
    </p><p>
      Each line starts with the variable name; there are then two possible
      options for each variable, DEFAULT and OVERRIDE. DEFAULT allows an
      administrator to set the value of the variable to some default
      value; if none is supplied then the empty string is assumed. The
      OVERRIDE option tells pam_env that it should enter its value
      (overriding the default value) if there is one to use. If OVERRIDE is
      not used, "" is assumed and no override will be done.
    </p><p>
      <em class="replaceable"><code>VARIABLE</code></em>
      [<em class="replaceable"><code>DEFAULT=[value]</code></em>]
      [<em class="replaceable"><code>OVERRIDE=[value]</code></em>]
    </p><p>
      (Possibly non-existent) environment variables may be used in values
      using the ${string} syntax, and (possibly non-existent) PAM_ITEMs as well
      as HOME and SHELL may be used in values using the @{string} syntax. Both
      the $ and @ characters can be backslash-escaped to be used as literal values.
      Values can be delimited with "", but an escaped " is not supported.
      Note that many environment variables that you would like to use
      may not be set by the time the module is called.
      For example, ${HOME} is used below several times, but
      many PAM applications don't make it available by the time you need it.
      The special variables @{HOME} and @{SHELL} are expanded to the values
      for the user from his <span class="emphasis"><em>passwd</em></span> entry.
    </p><p>
      The "<span class="emphasis"><em>#</em></span>" character at the start of a line (no space
      in front) marks that line as a comment line.
    </p><p>
      The <code class="filename">/etc/environment</code> file specifies
      the environment variables to be set. The file must consist of simple
      <span class="emphasis"><em>NAME=VALUE</em></span> pairs on separate lines.
      The <span class="citerefentry"><span class="refentrytitle">pam_env</span>(8)</span>
      module will read the file after the <code class="filename">pam_env.conf</code>
      file.
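The rules above (DEFAULT and OVERRIDE, ${...} and @{...} expansion, backslash escapes, "" delimiting, '#' comments and the backslash line continuation used by the PATH example in 6.6.7) are easier to check against an executable model. What follows is an added example written for this page, not code from the Linux-PAM project: a Python evaluator that applies those rules to a constructed pam_env.conf. The function names and the shape of the env, items and passwd arguments are assumptions; one further assumption, needed to make the DOLLARDOLLAR example in 6.6.7 meaningful, is that a variable set on one line is visible to ${...} on later lines.

```python
"""Evaluator for /etc/security/pam_env.conf lines, following 6.6.2.
Added example, not Linux-PAM code: function names and the env/items/passwd
argument shapes are assumptions; the syntax and expansion rules are the
ones this section documents."""
import re

# \$ and \@ are literal; ${NAME} reads the environment; @{NAME} reads a
# PAM item, or the passwd entry for HOME and SHELL.
_EXPANSION = re.compile(r"\\([$@])|\$\{([^}]*)\}|@\{([^}]*)\}")

def assemble_lines(text):
    """Join lines ending in '\\' (as the PATH example does); drop blank
    lines and comments, i.e. lines with '#' in the first column."""
    logical, pending = [], ""
    for raw in text.splitlines():
        if raw.endswith("\\"):
            pending += raw[:-1]
            continue
        line, pending = pending + raw, ""
        if line.strip() and not line.startswith("#"):
            logical.append(line)
    return logical + ([pending] if pending else [])

def tokenize(line):
    """Split on whitespace, keeping a "..." delimited value in one token.
    The quotes are dropped; an escaped quote is not supported."""
    tokens, current, quoted = [], "", False
    for ch in line:
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if current:
                tokens.append(current)
            current = ""
        else:
            current += ch
    return tokens + ([current] if current else [])

def expand(value, env, items, passwd):
    """Resolve ${...} and @{...}; unknown names expand to the empty string."""
    def repl(match):
        literal, env_name, item_name = match.groups()
        if literal is not None:
            return literal
        if env_name is not None:
            return env.get(env_name, "")
        if item_name in ("HOME", "SHELL"):
            return passwd.get(item_name, "")
        return items.get(item_name) or ""
    return _EXPANSION.sub(repl, value)

def evaluate_line(line, env, items, passwd):
    """Return (name, value) for one logical pam_env.conf line."""
    tokens = tokenize(line)
    name, default, override = tokens[0], "", ""
    for token in tokens[1:]:
        if token.startswith("DEFAULT="):
            default = token[len("DEFAULT="):]
        elif token.startswith("OVERRIDE="):
            override = token[len("OVERRIDE="):]
        else:  # bare value, as in the XDG_DATA_HOME example: taken as DEFAULT
            default = token
    value = expand(override, env, items, passwd)
    if value == "":  # OVERRIDE absent or expanding to "": fall back to DEFAULT
        value = expand(default, env, items, passwd)
    return name, value

def apply_conf(text, env, items, passwd):
    """Evaluate the file top to bottom; each variable set becomes visible to
    ${...} on later lines (assumed; the DOLLARDOLLAR example relies on it)."""
    result = dict(env)
    for line in assemble_lines(text):
        name, value = evaluate_line(line, result, items, passwd)
        result[name] = value
    return result

# Constructed sample mirroring the lines shown in 6.6.7.
SAMPLE_CONF = r"""
# comment lines start with '#' in the first column
REMOTEHOST     DEFAULT=localhost OVERRIDE=@{PAM_RHOST}
DISPLAY        DEFAULT=${REMOTEHOST}:0.0 OVERRIDE=${DISPLAY}
LESS           DEFAULT="M q e h15 z23 b80"
PATH           DEFAULT=${HOME}/bin:/usr/local/bin:/bin\
:/usr/bin
XDG_DATA_HOME  @{HOME}/share/
DOLLAR         DEFAULT=\$
DOLLARDOLLAR   DEFAULT=        OVERRIDE=\$${DOLLAR}
DOLLARPLUS     DEFAULT=\${REMOTEHOST}${REMOTEHOST}
ATSIGN         DEFAULT=""      OVERRIDE=\@
"""
# Constructed PAM items and passwd entry for a remote login.  HOME is left
# out of the starting environment, as the text warns it often is, so
# ${HOME} expands to "" while @{HOME} still resolves via passwd.
SAMPLE_ITEMS = {"PAM_RHOST": "198.51.100.7"}
SAMPLE_PASSWD = {"HOME": "/home/alice", "SHELL": "/bin/bash"}

if __name__ == "__main__":
    for name, value in apply_conf(SAMPLE_CONF, {}, SAMPLE_ITEMS, SAMPLE_PASSWD).items():
        print("%s=%s" % (name, value))
```

Running it shows the consequence the text warns about: with HOME absent from the environment, PATH comes out as /bin:/usr/local/bin:/bin:/usr/bin rather than starting with the user's bin directory, while XDG_DATA_HOME, written with @{HOME}, resolves correctly from the passwd entry. Lines read from the user's own .pam_environment would pass through the same expansion, which is the reason 6.6.3 leaves user_readenv off by default.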
    </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_env-options"></a>6.6.3. OPTIONS</h3></div></div></div><div class="variablelist"><dl class="variablelist"><dt><span class="term">
          <code class="option">conffile=<em class="replaceable"><code>/path/to/pam_env.conf</code></em></code>
        </span></dt><dd><p>
            Indicate an alternative <code class="filename">pam_env.conf</code>
            style configuration file to override the default. This can
            be useful when different services need different environments.
          </p></dd><dt><span class="term">
          <code class="option">debug</code>
        </span></dt><dd><p>
            A lot of debug information is printed with
            <span class="citerefentry"><span class="refentrytitle">syslog</span>(3)</span>.
          </p></dd><dt><span class="term">
          <code class="option">envfile=<em class="replaceable"><code>/path/to/environment</code></em></code>
        </span></dt><dd><p>
            Indicate an alternative <code class="filename">environment</code>
            file to override the default. The syntax is simple
            <span class="emphasis"><em>KEY=VAL</em></span> pairs on separate lines. The
            <span class="emphasis"><em>export</em></span> instruction can be specified for bash
            compatibility, but will be ignored.
            This can be useful when different services need different environments.
          </p></dd><dt><span class="term">
          <code class="option">readenv=<em class="replaceable"><code>0|1</code></em></code>
        </span></dt><dd><p>
            Turns on or off the reading of the file specified by envfile
            (0 is off, 1 is on). By default this option is on.
          </p></dd><dt><span class="term">
          <code class="option">user_envfile=<em class="replaceable"><code>filename</code></em></code>
        </span></dt><dd><p>
            Indicate an alternative <code class="filename">.pam_environment</code>
            file to override the default. The syntax is the same as
            for <span class="emphasis"><em>/etc/environment</em></span>.
            The filename is relative to the user home directory.
            This can be useful when different services need different
            environments.
          </p></dd><dt><span class="term">
          <code class="option">user_readenv=<em class="replaceable"><code>0|1</code></em></code>
        </span></dt><dd><p>
            Turns on or off the reading of the user specific environment
            file. 0 is off, 1 is on. By default this option is off as user
            supplied environment variables in the PAM environment could affect
            behavior of subsequent modules in the stack without the consent
            of the system administrator.
          </p></dd></dl></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_env-types"></a>6.6.4. MODULE TYPES PROVIDED</h3></div></div></div><p>
      The <code class="option">auth</code> and <code class="option">session</code> module
      types are provided.
    </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_env-return_values"></a>6.6.5. RETURN VALUES</h3></div></div></div><div class="variablelist"><dl class="variablelist"><dt><span class="term">PAM_ABORT</span></dt><dd><p>
             Not all relevant data or options could be obtained.
          </p></dd><dt><span class="term">PAM_BUF_ERR</span></dt><dd><p>
              Memory buffer error.
          </p></dd><dt><span class="term">PAM_IGNORE</span></dt><dd><p>
             Neither a pam_env.conf nor an environment file was found.
          </p></dd><dt><span class="term">PAM_SUCCESS</span></dt><dd><p>
             Environment variables were set.
          </p></dd></dl></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_env-files"></a>6.6.6. FILES</h3></div></div></div><div class="variablelist"><dl class="variablelist"><dt><span class="term"><code class="filename">/etc/security/pam_env.conf</code></span></dt><dd><p>Default configuration file</p></dd><dt><span class="term"><code class="filename">/etc/environment</code></span></dt><dd><p>Default environment file</p></dd><dt><span class="term"><code class="filename">$HOME/.pam_environment</code></span></dt><dd><p>User specific environment file</p></dd></dl></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_env.conf-examples"></a>6.6.7. EXAMPLES</h3></div></div></div><p>
      These are some example lines which might be specified in
      <code class="filename">/etc/security/pam_env.conf</code>.
    </p><p>
      Set the REMOTEHOST variable for any hosts that are remote, defaulting
      to "localhost" rather than leaving it unset:
    </p><pre class="programlisting">
      REMOTEHOST     DEFAULT=localhost OVERRIDE=@{PAM_RHOST}
    </pre><p>
      Set the DISPLAY variable if it seems reasonable
    </p><pre class="programlisting">
      DISPLAY        DEFAULT=${REMOTEHOST}:0.0 OVERRIDE=${DISPLAY}
    </pre><p>
      Now some simple variables
    </p><pre class="programlisting">
      PAGER          DEFAULT=less
      MANPAGER       DEFAULT=less
      LESS           DEFAULT="M q e h15 z23 b80"
      NNTPSERVER     DEFAULT=localhost
      PATH           DEFAULT=${HOME}/bin:/usr/local/bin:/bin\
      :/usr/bin:/usr/local/bin/X11:/usr/bin/X11
      XDG_DATA_HOME  @{HOME}/share/
    </pre><p>
      Silly examples of escaped variables, just to show how they work.
    </p><pre class="programlisting">
      DOLLAR         DEFAULT=\$
      DOLLARDOLLAR   DEFAULT=        OVERRIDE=\$${DOLLAR}
      DOLLARPLUS     DEFAULT=\${REMOTEHOST}${REMOTEHOST}
      ATSIGN         DEFAULT=""      OVERRIDE=\@
    </pre></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_env-authors"></a>6.6.8. AUTHOR</h3></div></div></div><p>
      pam_env was written by Dave Kinchlea &lt;kinch@kinch.ark.com&gt;.
    </p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="sag-pam_echo.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="sag-module-reference.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="sag-pam_exec.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">6.5. pam_echo - print text messages </td><td width="20%" align="center"><a accesskey="h" href="Linux-PAM_SAG.html">Home</a></td><td width="40%" align="right" valign="top"> 6.7. pam_exec - call an external command</td></tr></table></div></body></html>
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>6.7. pam_exec - call an external command</title><meta name="generator" content="DocBook XSL Stylesheets Vsnapshot"><link rel="home" href="Linux-PAM_SAG.html" title="The Linux-PAM System Administrators' Guide"><link rel="up" href="sag-module-reference.html" title="Chapter 6. A reference guide for available modules"><link rel="prev" href="sag-pam_env.html" title="6.6. pam_env - set/unset environment variables"><link rel="next" href="sag-pam_faildelay.html" title="6.8. pam_faildelay - change the delay on failure per-application"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">6.7. pam_exec - call an external command</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="sag-pam_env.html">Prev</a> </td><th width="60%" align="center">Chapter 6. A reference guide for available modules</th><td width="20%" align="right"> <a accesskey="n" href="sag-pam_faildelay.html">Next</a></td></tr></table><hr></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="sag-pam_exec"></a>6.7. pam_exec - call an external command</h2></div></div></div><div class="cmdsynopsis"><p><code class="command">pam_exec.so</code>  [
	debug
      ] [
         expose_authtok
      ] [
        seteuid
      ] [
        quiet
      ] [
        stdout
      ] [
        log=<em class="replaceable"><code>file</code></em>
      ] [
        type=<em class="replaceable"><code>type</code></em>
      ]  
       <em class="replaceable"><code>command</code></em>
        [
        <em class="replaceable"><code>...</code></em>
      ]</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_exec-description"></a>6.7.1. DESCRIPTION</h3></div></div></div><p>
      pam_exec is a PAM module that can be used to run
      an external command.
    </p><p>
     The child's environment is set to the current PAM environment list, as
     returned by
     <span class="citerefentry"><span class="refentrytitle">pam_getenvlist</span>(3)</span>.
     In addition, the following PAM items are
     exported as environment variables: <span class="emphasis"><em>PAM_RHOST</em></span>,
     <span class="emphasis"><em>PAM_RUSER</em></span>, <span class="emphasis"><em>PAM_SERVICE</em></span>,
     <span class="emphasis"><em>PAM_TTY</em></span>, <span class="emphasis"><em>PAM_USER</em></span> and
     <span class="emphasis"><em>PAM_TYPE</em></span>, which contains one of the module
     types: <code class="option">account</code>, <code class="option">auth</code>,
     <code class="option">password</code>, <code class="option">open_session</code> and
     <code class="option">close_session</code>.
    </p><p>
      Commands called by pam_exec need to be aware that the user
      can have control over the environment.
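The following is an added example, not code from the Linux-PAM project, of a command written with that warning in mind: a session hook that builds its log record from the exported PAM_* items only and ignores everything else in the environment. It could be wired in with a line such as <code class="option">session optional pam_exec.so /usr/local/sbin/pam-session-log.py</code> (the path, the log format and the function names are assumptions; the exported variables and the PAM_TYPE values are those listed above). Because a Python interpreter reads PYTHONPATH and a user site directory from its environment at startup, the shebang passes <code class="option">-I</code> so that a user-controlled environment cannot influence what the hook imports.

```python
#!/usr/bin/python3 -I
"""Session hook for pam_exec that logs from the PAM items only, per 6.7.1.
Added example, not Linux-PAM code.  The install path, log format and
function names are assumptions; the exported PAM_* variables, the
PAM_TYPE values and the warning that the rest of the environment may be
under the user's control are what this section states.  The -I flag
stops the interpreter from honouring PYTHONPATH or a user site directory
taken from that environment."""
import os
import re
import sys

# The PAM_TYPE values this section lists.
PAM_TYPES = ("account", "auth", "password", "open_session", "close_session")
ITEMS = ("PAM_SERVICE", "PAM_USER", "PAM_RUSER", "PAM_RHOST", "PAM_TTY")

# Conservative shape for fields copied into the log.  Anything else is
# rejected rather than written verbatim, so a hostile value cannot push
# line breaks or control characters into the log stream.
SAFE_FIELD = re.compile(r"[A-Za-z0-9._@:/-]{1,255}")


def build_record(environ):
    """Return (ok, text): a one-line log record built solely from the
    PAM_* items in ``environ``.  HOME, PATH, SHELL and anything else the
    user may have placed in the environment are deliberately ignored."""
    pam_type = environ.get("PAM_TYPE", "")
    if pam_type not in PAM_TYPES:
        return False, "unexpected PAM_TYPE %r" % pam_type
    fields = []
    for item in ITEMS:
        value = environ.get(item, "")
        if value == "":
            value = "-"            # item not set by the application
        elif not SAFE_FIELD.fullmatch(value):
            return False, "rejected value for %s" % item
        fields.append("%s=%s" % (item[4:].lower(), value))
    return True, "pam_exec %s %s" % (pam_type, " ".join(fields))


def main():
    import syslog  # Unix only; imported here so build_record stays portable
    ok, text = build_record(os.environ)
    syslog.openlog("pam_session_log", syslog.LOG_PID, syslog.LOG_AUTHPRIV)
    syslog.syslog(syslog.LOG_INFO if ok else syslog.LOG_WARNING, text)
    # A non-zero exit makes pam_exec return PAM_SYSTEM_ERR (see 6.7.4).
    return 0 if ok else 1


# Constructed environment as pam_exec would hand it to the command for an
# sshd session; PATH is present but, like everything not PAM_*, ignored.
SAMPLE_ENV = {
    "PAM_TYPE": "open_session",
    "PAM_SERVICE": "sshd",
    "PAM_USER": "alice",
    "PAM_RHOST": "198.51.100.7",
    "PAM_TTY": "pts/3",
    "PATH": "/home/alice/bin:/usr/bin",
}

if __name__ == "__main__":
    sys.exit(main())
```

The same principle applies to hooks in any language: take inputs from the PAM_* items, call other programs by absolute path rather than through PATH, and treat the remainder of the environment as data the user may have shaped, for example through a user_readenv-enabled pam_env stacked earlier.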
    </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_exec-options"></a>6.7.2. OPTIONS</h3></div></div></div><p>
      </p><div class="variablelist"><dl class="variablelist"><dt><span class="term">
            <code class="option">debug</code>
          </span></dt><dd><p>
	      Print debug information.
            </p></dd><dt><span class="term">
            <code class="option">expose_authtok</code>
          </span></dt><dd><p>
              During authentication the calling command can read
              the password from <span class="citerefentry"><span class="refentrytitle">stdin</span>(3)</span>. Only the first <span class="emphasis"><em>PAM_MAX_RESP_SIZE</em></span>
              bytes of a password are provided to the command.
            </p></dd><dt><span class="term">
            <code class="option">log=<em class="replaceable"><code>file</code></em></code>
          </span></dt><dd><p>
              The output of the command is appended to
              <code class="filename">file</code>.
            </p></dd><dt><span class="term">
            <code class="option">type=<em class="replaceable"><code>type</code></em></code>
          </span></dt><dd><p>
              Only run the command if the module type matches the given type.
            </p></dd><dt><span class="term">
            <code class="option">stdout</code>
          </span></dt><dd><p>
              By default the output of the executed command is written to <code class="filename">/dev/null</code>. With this option, the stdout output of the executed command is redirected to the calling application. It is the responsibility of that application to decide what happens with the output. The <code class="option">log</code> option is ignored.
            </p></dd><dt><span class="term">
            <code class="option">quiet</code>
          </span></dt><dd><p>
              By default pam_exec.so echoes the exit status of the
              external command if it fails.
              Specifying this option suppresses the message.
            </p></dd><dt><span class="term">
            <code class="option">seteuid</code>
          </span></dt><dd><p>
              By default pam_exec.so executes the external command
              with the real user ID of the calling process.
              Specifying this option means the command is run
              with the effective user ID.
            </p></dd></dl></div><p>

    </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_exec-types"></a>6.7.3. MODULE TYPES PROVIDED</h3></div></div></div><p>
      All module types (<code class="option">auth</code>, <code class="option">account</code>,
      <code class="option">password</code> and <code class="option">session</code>) are provided.
    </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_exec-return_values"></a>6.7.4. RETURN VALUES</h3></div></div></div><p>
      </p><div class="variablelist"><dl class="variablelist"><dt><span class="term">PAM_SUCCESS</span></dt><dd><p>
              The external command was run successfully.
            </p></dd><dt><span class="term">PAM_SERVICE_ERR</span></dt><dd><p>
	      No argument or a wrong number of arguments were given.
            </p></dd><dt><span class="term">PAM_SYSTEM_ERR</span></dt><dd><p>
	      A system error occurred or the command to execute failed.
            </p></dd><dt><span class="term">PAM_IGNORE</span></dt><dd><p>
	      <code class="function">pam_setcred</code> was called, which
	      does not execute the command.  Or, the value given for the type=
	      parameter did not match the module type.
            </p></dd></dl></div><p>
    </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_exec-examples"></a>6.7.5. EXAMPLES</h3></div></div></div><p>
      Add the following line to <code class="filename">/etc/pam.d/passwd</code> to
      rebuild the NIS database after each local password change:
      </p><pre class="programlisting">
        password optional pam_exec.so seteuid /usr/bin/make -C /var/yp
      </pre><p>

      This will execute the command
      </p><pre class="programlisting">make -C /var/yp</pre><p>
       with the effective user ID.
    </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_exec-author"></a>6.7.6. AUTHOR</h3></div></div></div><p>
        pam_exec was written by Thorsten Kukuk &lt;kukuk@thkukuk.de&gt; and
        Josh Triplett &lt;josh@joshtriplett.org&gt;.
      </p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="sag-pam_env.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="sag-module-reference.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="sag-pam_faildelay.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">6.6. pam_env - set/unset environment variables </td><td width="20%" align="center"><a accesskey="h" href="Linux-PAM_SAG.html">Home</a></td><td width="40%" align="right" valign="top"> 6.8. pam_faildelay - change the delay on failure per-application</td></tr></table></div></body></html>
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>6.8. pam_faildelay - change the delay on failure per-application</title><meta name="generator" content="DocBook XSL Stylesheets Vsnapshot"><link rel="home" href="Linux-PAM_SAG.html" title="The Linux-PAM System Administrators' Guide"><link rel="up" href="sag-module-reference.html" title="Chapter 6. A reference guide for available modules"><link rel="prev" href="sag-pam_exec.html" title="6.7. pam_exec - call an external command"><link rel="next" href="sag-pam_filter.html" title="6.9. pam_filter - filter module"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">6.8. pam_faildelay - change the delay on failure per-application</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="sag-pam_exec.html">Prev</a> </td><th width="60%" align="center">Chapter 6. A reference guide for available modules</th><td width="20%" align="right"> <a accesskey="n" href="sag-pam_filter.html">Next</a></td></tr></table><hr></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="sag-pam_faildelay"></a>6.8. pam_faildelay - change the delay on failure per-application</h2></div></div></div><div class="cmdsynopsis"><p><code class="command">pam_faildelay.so</code>  [
        debug
      ] [
        delay=<em class="replaceable"><code>microseconds</code></em>
      ]</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_faildelay-description"></a>6.8.1. DESCRIPTION</h3></div></div></div><p>
      pam_faildelay is a PAM module that can be used to set
      the delay on failure per-application.
    </p><p>
      If no <code class="option">delay</code> is given, pam_faildelay will
      use the value of FAIL_DELAY from <code class="filename">/etc/login.defs</code>.
    </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_faildelay-options"></a>6.8.2. OPTIONS</h3></div></div></div><div class="variablelist"><dl class="variablelist"><dt><span class="term">
          <code class="option">debug</code>
        </span></dt><dd><p>
            Turns on debugging messages sent to syslog.
          </p></dd><dt><span class="term">
          <code class="option">delay=<em class="replaceable"><code>N</code></em></code>
        </span></dt><dd><p>
	    Set the delay on failure to N microseconds.
          </p></dd></dl></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_faildelay-types"></a>6.8.3. MODULE TYPES PROVIDED</h3></div></div></div><p>
      Only the <code class="option">auth</code> module type is provided.
    </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_faildelay-return_values"></a>6.8.4. RETURN VALUES</h3></div></div></div><div class="variablelist"><dl class="variablelist"><dt><span class="term">PAM_IGNORE</span></dt><dd><p>
            Delay was successfully adjusted.
          </p></dd><dt><span class="term">PAM_SYSTEM_ERR</span></dt><dd><p>
            The specified delay was not valid.
          </p></dd></dl></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_faildelay-examples"></a>6.8.5. EXAMPLES</h3></div></div></div><p>
      The following example will set the delay on failure to
      10 seconds:
      </p><pre class="programlisting">
auth  optional  pam_faildelay.so  delay=10000000
      </pre><p>
    </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_faildelay-author"></a>6.8.6. AUTHOR</h3></div></div></div><p>
        pam_faildelay was written by Darren Tucker &lt;dtucker@zip.com.au&gt;.
      </p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="sag-pam_exec.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="sag-module-reference.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="sag-pam_filter.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">6.7. pam_exec - call an external command </td><td width="20%" align="center"><a accesskey="h" href="Linux-PAM_SAG.html">Home</a></td><td width="40%" align="right" valign="top"> 6.9. pam_filter - filter module</td></tr></table></div></body></html>
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>6.9. pam_filter - filter module</title><meta name="generator" content="DocBook XSL Stylesheets Vsnapshot"><link rel="home" href="Linux-PAM_SAG.html" title="The Linux-PAM System Administrators' Guide"><link rel="up" href="sag-module-reference.html" title="Chapter 6. A reference guide for available modules"><link rel="prev" href="sag-pam_faildelay.html" title="6.8. pam_faildelay - change the delay on failure per-application"><link rel="next" href="sag-pam_ftp.html" title="6.10. pam_ftp - module for anonymous access"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">6.9. pam_filter - filter module</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="sag-pam_faildelay.html">Prev</a> </td><th width="60%" align="center">Chapter 6. A reference guide for available modules</th><td width="20%" align="right"> <a accesskey="n" href="sag-pam_ftp.html">Next</a></td></tr></table><hr></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="sag-pam_filter"></a>6.9. pam_filter - filter module</h2></div></div></div><div class="cmdsynopsis"><p><code class="command">pam_filter.so</code>  [
	debug
      ] [
        new_term
      ] [
        non_term
      ]  
        run1|run2
         
        <em class="replaceable"><code>filter</code></em>
        [
        <em class="replaceable"><code>...</code></em>
      ]</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_filter-description"></a>6.9.1. DESCRIPTION</h3></div></div></div><p>
      This module is intended to be a platform for providing access to all
      of the input/output that passes between the user and the application.
      It is only suitable for tty-based (stdin/stdout) applications.
    </p><p>
      To function this module requires <span class="emphasis"><em>filters</em></span> to be
      installed on the system.
      The single filter provided with the module simply transposes upper and
      lower case letters in the input and output streams. (This can be very
      annoying and is not kind to termcap based editors).
    </p><p>
      Each component of the module has the potential to invoke the
      desired filter. The filter is always started with
      <span class="citerefentry"><span class="refentrytitle">execv</span>(2)</span> with the privilege of the calling application
      and <span class="emphasis"><em>not</em></span> that of the user. For this reason it
      cannot usually be killed by the user without closing their session.
    </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_filter-options"></a>6.9.2. OPTIONS</h3></div></div></div><p>
      </p><div class="variablelist"><dl class="variablelist"><dt><span class="term">
            <code class="option">debug</code>
          </span></dt><dd><p>
	      Print debug information.
            </p></dd><dt><span class="term">
            <code class="option">new_term</code>
          </span></dt><dd><p>
              The default action of the filter is to set the
              <span class="emphasis"><em>PAM_TTY</em></span> item to indicate the
              terminal that the user is using to connect to the
              application. This argument indicates that the filter
              should set <span class="emphasis"><em>PAM_TTY</em></span> to the filtered
              pseudo-terminal.
            </p></dd><dt><span class="term">
            <code class="option">non_term</code>
          </span></dt><dd><p>
              Don't try to set the <span class="emphasis"><em>PAM_TTY</em></span> item.
            </p></dd><dt><span class="term">
            <code class="option">runX</code>
          </span></dt><dd><p>
              In order that the module can invoke a filter it should
              know when to invoke it. This argument is required to tell
              the module when to do this.
            </p><p>
              Permitted values for <span class="emphasis"><em>X</em></span> are
              <span class="emphasis"><em>1</em></span> and <span class="emphasis"><em>2</em></span>. These
              indicate the precise time that the filter is to be run.
              To understand this concept it will be useful to have read
              the <span class="citerefentry"><span class="refentrytitle">pam</span>(3)</span> manual page.
              Basically, for each management group there are up to two ways
              of calling the module's functions.
              In the case of the <span class="emphasis"><em>authentication</em></span> and
              <span class="emphasis"><em>session</em></span> components there are actually
              two separate functions. For the case of authentication, these
              functions are
              <span class="citerefentry"><span class="refentrytitle">pam_authenticate</span>(3)</span> and
              <span class="citerefentry"><span class="refentrytitle">pam_setcred</span>(3)</span>, here <code class="option">run1</code> means run the
              filter from the <code class="function">pam_authenticate</code> function
              and <code class="option">run2</code> means run the filter from
              <code class="function">pam_setcred</code>. In the case of the
              session modules, <span class="emphasis"><em>run1</em></span> implies
              that the filter is invoked at the
              <span class="citerefentry"><span class="refentrytitle">pam_open_session</span>(3)</span> stage, and <span class="emphasis"><em>run2</em></span> for
              <span class="citerefentry"><span class="refentrytitle">pam_close_session</span>(3)</span>.
            </p><p>
              For the account component, either
              <span class="emphasis"><em>run1</em></span> or <span class="emphasis"><em>run2</em></span>
              may be used.
            </p><p>
              For the case of the password component, <span class="emphasis"><em>run1</em></span>
              is used to indicate that the filter is run on the first
              occasion of
              <span class="citerefentry"><span class="refentrytitle">pam_chauthtok</span>(3)</span> (the <span class="emphasis"><em>PAM_PRELIM_CHECK</em></span>
              phase) and <span class="emphasis"><em>run2</em></span> is used to indicate
              that the filter is run on the second occasion (the
              <span class="emphasis"><em>PAM_UPDATE_AUTHTOK</em></span> phase).

            </p></dd><dt><span class="term">
            <code class="option">filter</code>
          </span></dt><dd><p>
              The full pathname of the filter to be run and any command line
              arguments that the filter might expect.
            </p></dd></dl></div><p>

    </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_filter-types"></a>6.9.3. MODULE TYPES PROVIDED</h3></div></div></div><p>
      All module types (<code class="option">auth</code>, <code class="option">account</code>,
      <code class="option">password</code> and <code class="option">session</code>) are provided.
    </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_filter-return_values"></a>6.9.4. RETURN VALUES</h3></div></div></div><p>
      </p><div class="variablelist"><dl class="variablelist"><dt><span class="term">PAM_SUCCESS</span></dt><dd><p>
              The new filter was set successfully.
            </p></dd><dt><span class="term">PAM_ABORT</span></dt><dd><p>
	      Critical error, immediate abort.
            </p></dd></dl></div><p>
    </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_filter-examples"></a>6.9.5. EXAMPLES</h3></div></div></div><p>
      Add the following line to <code class="filename">/etc/pam.d/login</code> to
      see how to configure login to transpose upper and lower case letters
      once the user has logged in:

      </p><pre class="programlisting">
        session required pam_filter.so run1 /lib/security/pam_filter/upperLOWER
      </pre><p>
    </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_filter-author"></a>6.9.6. AUTHOR</h3></div></div></div><p>
        pam_filter was written by Andrew G. Morgan &lt;morgan@kernel.org&gt;.
      </p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="sag-pam_faildelay.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="sag-module-reference.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="sag-pam_ftp.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">6.8. pam_faildelay - change the delay on failure per-application </td><td width="20%" align="center"><a accesskey="h" href="Linux-PAM_SAG.html">Home</a></td><td width="40%" align="right" valign="top"> 6.10. pam_ftp - module for anonymous access</td></tr></table></div></body></html>
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>6.10. pam_ftp - module for anonymous access</title><meta name="generator" content="DocBook XSL Stylesheets Vsnapshot"><link rel="home" href="Linux-PAM_SAG.html" title="The Linux-PAM System Administrators' Guide"><link rel="up" href="sag-module-reference.html" title="Chapter 6. A reference guide for available modules"><link rel="prev" href="sag-pam_filter.html" title="6.9. pam_filter - filter module"><link rel="next" href="sag-pam_group.html" title="6.11. pam_group - module to modify group access"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">6.10. pam_ftp - module for anonymous access</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="sag-pam_filter.html">Prev</a> </td><th width="60%" align="center">Chapter 6. A reference guide for available modules</th><td width="20%" align="right"> <a accesskey="n" href="sag-pam_group.html">Next</a></td></tr></table><hr></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="sag-pam_ftp"></a>6.10. pam_ftp - module for anonymous access</h2></div></div></div><div class="cmdsynopsis"><p><code class="command">pam_ftp.so</code>  [
	debug
      ] [
        ignore
      ] [
        users=<em class="replaceable"><code>XXX,YYY,</code></em>
      ...]</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_ftp-description"></a>6.10.1. DESCRIPTION</h3></div></div></div><p>
      pam_ftp is a PAM module which provides a pluggable
      anonymous ftp mode of access.
    </p><p>
      This module intercepts the user's name and password. If the name is
      <span class="emphasis"><em>ftp</em></span> or <span class="emphasis"><em>anonymous</em></span>, the
      user's password is broken up at the <span class="emphasis"><em>@</em></span> delimiter
      into a <span class="emphasis"><em>PAM_RUSER</em></span> and a
      <span class="emphasis"><em>PAM_RHOST</em></span> part; these pam-items being set
      accordingly. The username (<span class="emphasis"><em>PAM_USER</em></span>) is set
      to <span class="emphasis"><em>ftp</em></span>.  In this case the module succeeds.
      Alternatively, the module sets the <span class="emphasis"><em>PAM_AUTHTOK</em></span>
      item with the entered password and fails.
    </p><p>
      This module is not safe and is easily spoofable: nothing the applicant
      enters is verified, so whatever <span class="emphasis"><em>user@host</em></span>
      string is typed as the password becomes <span class="emphasis"><em>PAM_RUSER</em></span>
      and <span class="emphasis"><em>PAM_RHOST</em></span> unchecked.
    </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_ftp-options"></a>6.10.2. OPTIONS</h3></div></div></div><p>
      </p><div class="variablelist"><dl class="variablelist"><dt><span class="term">
            <code class="option">debug</code>
          </span></dt><dd><p>
	      Print debug information.
            </p></dd><dt><span class="term">
            <code class="option">ignore</code>
          </span></dt><dd><p>
              Pay no attention to the email address of the user
              (if supplied).
            </p></dd><dt><span class="term">
            <code class="option">users=<em class="replaceable"><code>XXX,YYY,...</code></em></code>
          </span></dt><dd><p>
              Instead of <span class="emphasis"><em>ftp</em></span> or
              <span class="emphasis"><em>anonymous</em></span>, provide anonymous login
              to the comma separated list of users:
              <code class="option"><em class="replaceable"><code>XXX,YYY,...</code></em></code>.
              Should the applicant enter
              one of these usernames the returned username is set to
              the first in the list: <span class="emphasis"><em>XXX</em></span>.
            </p></dd></dl></div><p>

    </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_ftp-types"></a>6.10.3. MODULE TYPES PROVIDED</h3></div></div></div><p>
      Only the <code class="option">auth</code> module type is provided.
    </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_ftp-return_values"></a>6.10.4. RETURN VALUES</h3></div></div></div><p>
      </p><div class="variablelist"><dl class="variablelist"><dt><span class="term">PAM_SUCCESS</span></dt><dd><p>
              The authentication was successful.
            </p></dd><dt><span class="term">PAM_USER_UNKNOWN</span></dt><dd><p>
	      User not known.
            </p></dd></dl></div><p>
    </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_ftp-examples"></a>6.10.5. EXAMPLES</h3></div></div></div><p>
      Add the following line to <code class="filename">/etc/pam.d/ftpd</code> to
      handle ftp style anonymous login:
      </p><pre class="programlisting">
#
# ftpd; add ftp-specifics. These lines enable anonymous ftp over
#       standard UN*X access (the listfile entry blocks access to
#       users listed in /etc/ftpusers)
#
auth    sufficient  pam_ftp.so
auth    required    pam_unix.so use_first_pass
auth    required    pam_listfile.so \
           onerr=succeed item=user sense=deny file=/etc/ftpusers
      </pre><p>
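      The behaviour described above and the three-line stack just shown,
      modelled in Python as an added example (not Linux-PAM's own code).
      The three modules are simplified stand-ins: SHADOW and FTPUSERS are
      constructed sample data, pam_unix compares plaintext where the real
      module verifies a hash, the <code class="option">ignore</code> option
      is modelled as simply not recording the address, and the failure
      return is the PAM_USER_UNKNOWN listed under RETURN VALUES. The stack
      runner implements the standard required/requisite/sufficient control
      semantics, which is what makes the anonymous path skip both pam_unix
      and the /etc/ftpusers check.
    </p>

```python
"""Model of pam_ftp's item handling and of the /etc/pam.d/ftpd auth stack.
Added example, not Linux-PAM code; module bodies are simplified stand-ins."""

# Return codes as numbered in Linux-PAM's _pam_types.h
PAM_SUCCESS, PAM_AUTH_ERR, PAM_USER_UNKNOWN = 0, 7, 10

SHADOW = {"alice": "s3cret", "bob": "hunter2"}   # constructed; real pam_unix checks hashes
FTPUSERS = {"bob"}                                # constructed stand-in for /etc/ftpusers


def pam_ftp(items, entered, *, users=None, ignore=False):
    """If PAM_USER is an anonymous name: split the 'password' at '@' into
    PAM_RUSER/PAM_RHOST, rewrite PAM_USER and succeed. Otherwise stash the
    password in PAM_AUTHTOK for the next module and fail."""
    anon = users if users else ["ftp", "anonymous"]
    if items["PAM_USER"] in anon:
        if not ignore:                       # 'ignore' modelled as: do not record the address
            ruser, _, rhost = entered.partition("@")
            items["PAM_RUSER"], items["PAM_RHOST"] = ruser, rhost
        items["PAM_USER"] = anon[0]          # 'ftp', or the first name given to users=
        return PAM_SUCCESS                   # nothing above was verified: any string passes
    items["PAM_AUTHTOK"] = entered
    return PAM_USER_UNKNOWN


def pam_unix_use_first_pass(items, entered):
    """use_first_pass: never prompts; uses the token pam_ftp stashed, or fails."""
    token = items.get("PAM_AUTHTOK")
    if token is None:
        return PAM_AUTH_ERR
    return PAM_SUCCESS if SHADOW.get(items["PAM_USER"]) == token else PAM_AUTH_ERR


def pam_listfile_deny(items, entered):
    """item=user sense=deny file=/etc/ftpusers (the file is assumed readable,
    so onerr=succeed never comes into play in this model)."""
    return PAM_AUTH_ERR if items["PAM_USER"] in FTPUSERS else PAM_SUCCESS


FTPD_AUTH = [("sufficient", pam_ftp),
             ("required", pam_unix_use_first_pass),
             ("required", pam_listfile_deny)]


def run_auth_stack(stack, username, entered):
    """Linux-PAM control-flag semantics for required, requisite and sufficient."""
    items = {"PAM_USER": username}
    first_failure = None
    for control, module in stack:
        rc = module(items, entered)
        if control == "requisite" and rc != PAM_SUCCESS:
            return rc, items
        if control == "required" and rc != PAM_SUCCESS and first_failure is None:
            first_failure = rc
        if control == "sufficient" and rc == PAM_SUCCESS and first_failure is None:
            return PAM_SUCCESS, items        # the rest of the stack is never consulted
    return (PAM_SUCCESS if first_failure is None else first_failure), items


if __name__ == "__main__":
    for user, pw in [("anonymous", "alice@example.org"), ("alice", "s3cret"),
                     ("alice", "wrong"), ("bob", "hunter2")]:
        rc, items = run_auth_stack(FTPD_AUTH, user, pw)
        print(user, "->", rc, items)
```

Running the block shows the two outcomes worth remembering: an anonymous
login succeeds with PAM_USER rewritten to ftp and an unverified
PAM_RUSER/PAM_RHOST, while a real user still has to pass pam_unix (fed the
stashed PAM_AUTHTOK) and the /etc/ftpusers deny list.
<p>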
    </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_ftp-author"></a>6.10.6. AUTHOR</h3></div></div></div><p>
        pam_ftp was written by Andrew G. Morgan &lt;morgan@kernel.org&gt;.
      </p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="sag-pam_filter.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="sag-module-reference.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="sag-pam_group.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">6.9. pam_filter - filter module </td><td width="20%" align="center"><a accesskey="h" href="Linux-PAM_SAG.html">Home</a></td><td width="40%" align="right" valign="top"> 6.11. pam_group - module to modify group access</td></tr></table></div></body></html>
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>6.11. pam_group - module to modify group access</title><meta name="generator" content="DocBook XSL Stylesheets Vsnapshot"><link rel="home" href="Linux-PAM_SAG.html" title="The Linux-PAM System Administrators' Guide"><link rel="up" href="sag-module-reference.html" title="Chapter 6. A reference guide for available modules"><link rel="prev" href="sag-pam_ftp.html" title="6.10. pam_ftp - module for anonymous access"><link rel="next" href="sag-pam_issue.html" title="6.12. pam_issue - add issue file to user prompt"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">6.11. pam_group - module to modify group access</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="sag-pam_ftp.html">Prev</a> </td><th width="60%" align="center">Chapter 6. A reference guide for available modules</th><td width="20%" align="right"> <a accesskey="n" href="sag-pam_issue.html">Next</a></td></tr></table><hr></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="sag-pam_group"></a>6.11. pam_group - module to modify group access</h2></div></div></div><div class="cmdsynopsis"><p><code class="command">pam_group.so</code> </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_group-description"></a>6.11.1. DESCRIPTION</h3></div></div></div><p>
      The pam_group PAM module does not authenticate the user, but instead
      it grants group memberships (in the credential setting phase of the
      authentication module) to the user. Such memberships are based on the
      service they are applying for.
    </p><p>
      By default rules for group memberships are taken from config file
      <code class="filename">/etc/security/group.conf</code>.
    </p><p>
      This module's usefulness relies on the file-systems
      accessible to the user. The point being that once granted the
      membership of a group, the user may attempt to create a
      <code class="function">setgid</code> binary with a restricted group ownership.
      Later, when the user is not given membership to this group, they can
      recover group membership with the precompiled binary. The reason that
      the file-systems that the user has access to are so significant, is the
      fact that when a system is mounted <span class="emphasis"><em>nosuid</em></span> the user
      is unable to create or execute such a binary file. For this module to
      provide any level of security, all file-systems that the user has write
      access to should be mounted <span class="emphasis"><em>nosuid</em></span>.
    </p><p>
      The pam_group module functions in parallel with the
      <code class="filename">/etc/group</code> file. If the user is granted any groups
      based on the behavior of this module, they are granted
      <span class="emphasis"><em>in addition</em></span> to the entries in
      <code class="filename">/etc/group</code> (or equivalent).
    </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-group.conf-description"></a>6.11.2. DESCRIPTION</h3></div></div></div><p>
      For this module to function correctly there must be a correctly
      formatted <code class="filename">/etc/security/group.conf</code> file present.
      White spaces are ignored and lines may be extended with '\' (escaped
      newlines). Text following a '#' is ignored to the end of the line.
   </p><p>
      The syntax of the lines is as follows:
    </p><p>
      <em class="replaceable"><code>services</code></em>;<em class="replaceable"><code>ttys</code></em>;<em class="replaceable"><code>users</code></em>;<em class="replaceable"><code>times</code></em>;<em class="replaceable"><code>groups</code></em>
    </p><p>
      The first field, the <em class="replaceable"><code>services</code></em> field, is a logic list
      of PAM service names that the rule applies to.
    </p><p>
      The second field, the <em class="replaceable"><code>tty</code></em>
      field, is a logic list of terminal names that this rule applies to.
    </p><p>
      The third field, the <em class="replaceable"><code>users</code></em>
      field, is a logic list of users, or a UNIX group, or a netgroup of
      users to whom this rule applies. Group names are preceded by a '%'
      symbol, while netgroup names are preceded by a '@' symbol.
    </p><p>
      For these items the simple wildcard '*' may be used only once.
      With UNIX groups or netgroups no wildcards or logic operators
      are allowed.
    </p><p>
      The <em class="replaceable"><code>times</code></em> field is used to indicate "when"
      these groups are to be given to the user. The format here is a logic
      list of day/time-range entries. The days are specified by a sequence of
      two character entries, MoTuSa for example is Monday Tuesday and Saturday.
      Note that repeated days are unset: MoMo = no day, and MoWk = all weekdays
      bar Monday. The two character combinations accepted are Mo Tu We Th Fr Sa
      Su Wk Wd Al, the last two being week-end days and all 7 days of the week
      respectively. As a final example, AlFr means all days except Friday.
    </p><p>
      Each day/time-range can be prefixed with a '!' to indicate "anything but".
      The time-range part is two 24-hour times HHMM, separated by a hyphen,
      indicating the start and finish time (if the finish time is smaller
      than the start time it is deemed to apply on the following day).
    </p><p>
      The <em class="replaceable"><code>groups</code></em> field is a comma or space
      separated list of groups that the user inherits membership of. These
      groups are added if the previous fields are satisfied by the user's request.
    </p><p>
      For a rule to be active, ALL of services, ttys, users and times must be
      satisfied by the applying process.
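</p><p>
      The rule syntax above, including the day toggling (MoMo, MoWk, AlFr)
      and time ranges that run past midnight, modelled in Python as an added
      example (not Linux-PAM's own code). It assumes half-open time ranges
      (start inclusive, finish exclusive), evaluates '&amp;' and '|' left to
      right without precedence, and does not model netgroup ('@') terms; the
      rule lines it is exercised with are the ones from the EXAMPLES section.
    </p>

```python
"""Model of pam_group's /etc/security/group.conf rule matching.
Added example, not Linux-PAM code. Assumptions: [start, finish) time
ranges, '&'/'|' evaluated left to right, netgroups ('@') not modelled."""
import re
from datetime import datetime

DAY_CODES = {"Mo": {0}, "Tu": {1}, "We": {2}, "Th": {3}, "Fr": {4}, "Sa": {5}, "Su": {6},
             "Wk": {0, 1, 2, 3, 4}, "Wd": {5, 6}, "Al": {0, 1, 2, 3, 4, 5, 6}}
_ENTRY = re.compile(r"^((?:Mo|Tu|We|Th|Fr|Sa|Su|Wk|Wd|Al)+)(\d{4})-(\d{4})$")


def parse_days(spec):
    """'MoTuSa' -> {0, 1, 5}; a repeated day toggles off (MoMo = none, MoWk = Tu-Fr)."""
    days = set()
    for i in range(0, len(spec), 2):
        days ^= DAY_CODES[spec[i:i + 2]]      # symmetric difference implements the toggle
    return days


def time_entry_matches(entry, when):
    """One day/time-range such as 'Wk0900-1800' against a datetime."""
    m = _ENTRY.match(entry)
    if not m:
        raise ValueError(f"bad time entry {entry!r}")
    days, start, end = parse_days(m.group(1)), int(m.group(2)), int(m.group(3))
    hhmm, today = when.hour * 100 + when.minute, when.weekday()
    if start <= end:
        return today in days and start <= hhmm < end
    # finish < start: the range runs past midnight into the following day
    return (today in days and hhmm >= start) or ((today - 1) % 7 in days and hhmm < end)


def glob1(pattern, name):
    """Term matching for the first three fields: '*' may appear at most once."""
    if pattern.count("*") > 1:
        raise ValueError(f"only one '*' allowed in {pattern!r}")
    if "*" not in pattern:
        return pattern == name
    head, tail = pattern.split("*")
    return name.startswith(head) and name.endswith(tail) and len(name) >= len(head) + len(tail)


def logic_list(field, term_matches):
    """Evaluate a logic list such as 'tty*&!ttyp*': '!' negates, '&'/'|' combine."""
    result, op = None, None
    for tok in re.split(r"([&|])", field):
        if tok in ("&", "|"):
            op = tok
            continue
        tok = tok.strip()
        negate = tok.startswith("!")
        value = term_matches(tok[1:] if negate else tok) != negate
        if result is None:
            result = value
        elif op == "&":
            result = result and value
        else:
            result = result or value
    return bool(result)


def groups_granted(rule, service, tty, user, user_groups, when_iso):
    """Groups one group.conf line grants for a request, or [] if the rule does not apply."""
    fields = [f.strip() for f in rule.split("#", 1)[0].split(";")]
    if len(fields) != 5:
        raise ValueError(f"expected 5 ';'-separated fields in {rule!r}")
    services, ttys, users, times, groups = fields
    when = datetime.fromisoformat(when_iso)

    def user_term(term):
        if term.startswith("%"):             # UNIX group: no wildcards or operators allowed
            return term[1:] in user_groups
        if term.startswith("@"):             # netgroup lookup is not modelled here
            return False
        return glob1(term, user)

    if (logic_list(services, lambda t: glob1(t, service))
            and logic_list(ttys, lambda t: glob1(t, tty))
            and logic_list(users, user_term)
            and logic_list(times, lambda t: time_entry_matches(t, when))):
        return [g for g in re.split(r"[,\s]+", groups) if g]
    return []


if __name__ == "__main__":
    rules = ["xsh;tty*&!ttyp*;us;Al0000-2400;floppy",
             "xsh; tty* ;sword|pike|shield;!Wk0900-1800;games, sound",
             "xsh; tty* ;%admin;Al0000-2400;plugdev"]
    for r in rules:   # 2024-01-08 is a Monday
        print(r, "->", groups_granted(r, "xsh", "tty1", "pike", {"admin"}, "2024-01-08T20:00"))
```

The main block evaluates the three EXAMPLES lines for user pike (a member
of admin) on tty1 at 20:00 on a Monday: the first grants nothing (pike is
not us), the second grants games and sound because Wk0900-1800 is negated,
and the third grants plugdev through the %admin group term.
<p>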
    </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_group-options"></a>6.11.3. OPTIONS</h3></div></div></div><p>This module does not recognise any options.</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_group-types"></a>6.11.4. MODULE TYPES PROVIDED</h3></div></div></div><p>
      Only the <code class="option">auth</code> module type is provided.
    </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_group-return_values"></a>6.11.5. RETURN VALUES</h3></div></div></div><div class="variablelist"><dl class="variablelist"><dt><span class="term">PAM_SUCCESS</span></dt><dd><p>
             group membership was granted.
          </p></dd><dt><span class="term">PAM_ABORT</span></dt><dd><p>
             Not all relevant data could be obtained.
          </p></dd><dt><span class="term">PAM_BUF_ERR</span></dt><dd><p>
            Memory buffer error.
          </p></dd><dt><span class="term">PAM_CRED_ERR</span></dt><dd><p>
            Group membership was not granted.
          </p></dd><dt><span class="term">PAM_IGNORE</span></dt><dd><p>
             <code class="function">pam_sm_authenticate</code> was called which does nothing.
          </p></dd><dt><span class="term">PAM_USER_UNKNOWN</span></dt><dd><p>
             The user is not known to the system.
          </p></dd></dl></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_group-files"></a>6.11.6. FILES</h3></div></div></div><div class="variablelist"><dl class="variablelist"><dt><span class="term"><code class="filename">/etc/security/group.conf</code></span></dt><dd><p>Default configuration file</p></dd></dl></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-group.conf-examples"></a>6.11.7. EXAMPLES</h3></div></div></div><p>
      These are some example lines which might be specified in
      <code class="filename">/etc/security/group.conf</code>.
    </p><p>
      Running 'xsh' on tty* (any ttyXXX device other than a ttypXXX pseudo-terminal),
      the user 'us' is given access to the floppy (through membership of the floppy group)
    </p><pre class="programlisting">xsh;tty*&amp;!ttyp*;us;Al0000-2400;floppy</pre><p>
      Running 'xsh' on tty* (any ttyXXX device), the users 'sword', 'pike' and
      'shield' are given access to games and sound (through membership of the games
      and sound groups) outside working hours, that is at any time other than
      Monday to Friday 0900-1800; the second line gives every user floppy access
      between 0900 and 1800 on any day.
    </p><pre class="programlisting">
xsh; tty* ;sword|pike|shield;!Wk0900-1800;games, sound
xsh; tty* ;*;Al0900-1800;floppy
    </pre><p>
      Any member of the group 'admin' running 'xsh' on tty*,
      is granted access (at any time) to the group 'plugdev'
    </p><pre class="programlisting">
xsh; tty* ;%admin;Al0000-2400;plugdev
     </pre></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_group-authors"></a>6.11.8. AUTHORS</h3></div></div></div><p>
      pam_group was written by Andrew G. Morgan &lt;morgan@kernel.org&gt;.
    </p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="sag-pam_ftp.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="sag-module-reference.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="sag-pam_issue.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">6.10. pam_ftp - module for anonymous access </td><td width="20%" align="center"><a accesskey="h" href="Linux-PAM_SAG.html">Home</a></td><td width="40%" align="right" valign="top"> 6.12. pam_issue - add issue file to user prompt</td></tr></table></div></body></html>
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>6.12. pam_issue - add issue file to user prompt</title><meta name="generator" content="DocBook XSL Stylesheets Vsnapshot"><link rel="home" href="Linux-PAM_SAG.html" title="The Linux-PAM System Administrators' Guide"><link rel="up" href="sag-module-reference.html" title="Chapter 6. A reference guide for available modules"><link rel="prev" href="sag-pam_group.html" title="6.11. pam_group - module to modify group access"><link rel="next" href="sag-pam_keyinit.html" title="6.13. pam_keyinit - display the keyinit file"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">6.12. pam_issue - add issue file to user prompt</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="sag-pam_group.html">Prev</a> </td><th width="60%" align="center">Chapter 6. A reference guide for available modules</th><td width="20%" align="right"> <a accesskey="n" href="sag-pam_keyinit.html">Next</a></td></tr></table><hr></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="sag-pam_issue"></a>6.12. pam_issue - add issue file to user prompt</h2></div></div></div><div class="cmdsynopsis"><p><code class="command">pam_issue.so</code>  [
        noesc
      ] [
        issue=<em class="replaceable"><code>issue-file-name</code></em>
      ]</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_issue-description"></a>6.12.1. DESCRIPTION</h3></div></div></div><p>
      pam_issue is a PAM module to prepend an issue file to the username
      prompt. By default it also parses escape codes in the issue file,
      similar to some common gettys (using the \x format).
    </p><p>
      Recognized escapes:
    </p><div class="variablelist"><dl class="variablelist"><dt><span class="term"><span class="emphasis"><em>\d</em></span></span></dt><dd><p>current day</p></dd><dt><span class="term"><span class="emphasis"><em>\l</em></span></span></dt><dd><p>name of this tty</p></dd><dt><span class="term"><span class="emphasis"><em>\m</em></span></span></dt><dd><p>machine architecture (uname -m)</p></dd><dt><span class="term"><span class="emphasis"><em>\n</em></span></span></dt><dd><p>machine's network node hostname (uname -n)</p></dd><dt><span class="term"><span class="emphasis"><em>\o</em></span></span></dt><dd><p>domain name of this system</p></dd><dt><span class="term"><span class="emphasis"><em>\r</em></span></span></dt><dd><p>release number of operating system (uname -r)</p></dd><dt><span class="term"><span class="emphasis"><em>\t</em></span></span></dt><dd><p>current time</p></dd><dt><span class="term"><span class="emphasis"><em>\s</em></span></span></dt><dd><p>operating system name (uname -s)</p></dd><dt><span class="term"><span class="emphasis"><em>\u</em></span></span></dt><dd><p>number of users currently logged in</p></dd><dt><span class="term"><span class="emphasis"><em>\U</em></span></span></dt><dd><p>
            same as \u except it is suffixed with "user" or
            "users" (eg. "1 user" or "10 users")
          </p></dd><dt><span class="term"><span class="emphasis"><em>\v</em></span></span></dt><dd><p>operating system version and build date (uname -v)</p></dd></dl></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_issue-options"></a>6.12.2. OPTIONS</h3></div></div></div><p>
      </p><div class="variablelist"><dl class="variablelist"><dt><span class="term">
            <code class="option">noesc</code>
          </span></dt><dd><p>
              Turns off escape code parsing.
            </p></dd><dt><span class="term">
            <code class="option">issue=<em class="replaceable"><code>issue-file-name</code></em></code>
          </span></dt><dd><p>
              The file to output if not using the default.
            </p></dd></dl></div><p>

    </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_issue-types"></a>6.12.3. MODULE TYPES PROVIDED</h3></div></div></div><p>
      Only the <code class="option">auth</code> module type is provided.
    </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_issue-return_values"></a>6.12.4. RETURN VALUES</h3></div></div></div><p>
      </p><div class="variablelist"><dl class="variablelist"><dt><span class="term">PAM_BUF_ERR</span></dt><dd><p>
               Memory buffer error.
            </p></dd><dt><span class="term">PAM_IGNORE</span></dt><dd><p>
              The prompt was already changed.
            </p></dd><dt><span class="term">PAM_SERVICE_ERR</span></dt><dd><p>
	      A service module error occurred.
            </p></dd><dt><span class="term">PAM_SUCCESS</span></dt><dd><p>
              The new prompt was set successfully.
            </p></dd></dl></div><p>
    </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_issue-examples"></a>6.12.5. EXAMPLES</h3></div></div></div><p>
      Add the following line to <code class="filename">/etc/pam.d/login</code> to
      set the user specific issue at login:
      </p><pre class="programlisting">
        auth optional pam_issue.so issue=/etc/issue
      </pre><p>
    </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_issue-author"></a>6.12.6. AUTHOR</h3></div></div></div><p>
        pam_issue was written by Ben Collins &lt;bcollins@debian.org&gt;.
      </p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="sag-pam_group.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="sag-module-reference.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="sag-pam_keyinit.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">6.11. pam_group - module to modify group access </td><td width="20%" align="center"><a accesskey="h" href="Linux-PAM_SAG.html">Home</a></td><td width="40%" align="right" valign="top"> 6.13. pam_keyinit - display the keyinit file</td></tr></table></div></body></html>
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>6.13. pam_keyinit - display the keyinit file</title><meta name="generator" content="DocBook XSL Stylesheets Vsnapshot"><link rel="home" href="Linux-PAM_SAG.html" title="The Linux-PAM System Administrators' Guide"><link rel="up" href="sag-module-reference.html" title="Chapter 6. A reference guide for available modules"><link rel="prev" href="sag-pam_issue.html" title="6.12. pam_issue - add issue file to user prompt"><link rel="next" href="sag-pam_lastlog.html" title="6.14. pam_lastlog - display date of last login"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">6.13. pam_keyinit - display the keyinit file</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="sag-pam_issue.html">Prev</a> </td><th width="60%" align="center">Chapter 6. A reference guide for available modules</th><td width="20%" align="right"> <a accesskey="n" href="sag-pam_lastlog.html">Next</a></td></tr></table><hr></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="sag-pam_keyinit"></a>6.13. pam_keyinit - display the keyinit file</h2></div></div></div><div class="cmdsynopsis"><p><code class="command">pam_keyinit.so</code>  [
	debug
      ] [
	force
      ] [
	revoke
      ]</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_keyinit-description"></a>6.13.1. DESCRIPTION</h3></div></div></div><p>
      The pam_keyinit PAM module ensures that the invoking process has a
      session keyring other than the user default session keyring.
    </p><p>
      The session component of the module checks to see if the process's
      session keyring is the user default, and, if it is, creates a new
      anonymous session keyring with which to replace it.
    </p><p>
      If a new session keyring is created, it will install a link to the user
      common keyring in the session keyring so that keys common to the user
      will be automatically accessible through it.
    </p><p>
      The session keyring of the invoking process will thenceforth be inherited
      by all its children unless they override it.
    </p><p>
      This module is intended primarily for use by login processes.  Be aware
      that after the session keyring has been replaced, the old session keyring
      and the keys it contains will no longer be accessible.
    </p><p>
      This module should not, generally, be invoked by programs like
      <span class="emphasis"><em>su</em></span>, since it is usually desirable for the
      key set to percolate through to the alternate context.  The keys have
      their own permissions system to manage this.
    </p><p>
      This module should be included as early as possible in a PAM
      configuration, so that other PAM modules can attach tokens to the
      keyring.
    </p><p>
      The keyutils package is used to manipulate keys more directly.  This
      can be obtained from:
    </p><p>
      <a class="ulink" href="http://people.redhat.com/~dhowells/keyutils/" target="_top">
	Keyutils
      </a>
    </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_keyinit-options"></a>6.13.2. OPTIONS</h3></div></div></div><div class="variablelist"><dl class="variablelist"><dt><span class="term">
          <code class="option">debug</code>
        </span></dt><dd><p>
            Log debug information with <span class="citerefentry"><span class="refentrytitle">syslog</span>(3)</span>.
          </p></dd><dt><span class="term">
          <code class="option">force</code>
        </span></dt><dd><p>
	    Causes the session keyring of the invoking process to be replaced
	    unconditionally.
          </p></dd><dt><span class="term">
          <code class="option">revoke</code>
        </span></dt><dd><p>
	    Causes the session keyring of the invoking process to be revoked
	    when the invoking process exits if the session keyring was created
	    for this process in the first place.
          </p></dd></dl></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_keyinit-types"></a>6.13.3. MODULE TYPES PROVIDED</h3></div></div></div><p>
      Only the <code class="option">session</code> module type is provided.
    </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_keyinit-return_values"></a>6.13.4. RETURN VALUES</h3></div></div></div><div class="variablelist"><dl class="variablelist"><dt><span class="term">PAM_SUCCESS</span></dt><dd><p>
	    This module will usually return this value.
	  </p></dd><dt><span class="term">PAM_AUTH_ERR</span></dt><dd><p>
             Authentication failure.
          </p></dd><dt><span class="term">PAM_BUF_ERR</span></dt><dd><p>
             Memory buffer error.
          </p></dd><dt><span class="term">PAM_IGNORE</span></dt><dd><p>
            The return value should be ignored by PAM dispatch.
          </p></dd><dt><span class="term">PAM_SERVICE_ERR</span></dt><dd><p>
	    Cannot determine the user name.
          </p></dd><dt><span class="term">PAM_SESSION_ERR</span></dt><dd><p>
	    This module will return this value if its arguments are invalid or
	    if a system error such as ENOMEM occurs.
	  </p></dd><dt><span class="term">PAM_USER_UNKNOWN</span></dt><dd><p>
            User not known.
          </p></dd></dl></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_keyinit-examples"></a>6.13.5. EXAMPLES</h3></div></div></div><p>
      Add this line to your login entries to start each login session with its
      own session keyring:
      </p><pre class="programlisting">
session  required  pam_keyinit.so
      </pre><p>
    </p><p>
      This will prevent keys from one session leaking into another session for
      the same user.
    </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_keyinit-author"></a>6.13.6. AUTHOR</h3></div></div></div><p>
        pam_keyinit was written by David Howells, &lt;dhowells@redhat.com&gt;.
      </p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="sag-pam_issue.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="sag-module-reference.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="sag-pam_lastlog.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">6.12. pam_issue - add issue file to user prompt </td><td width="20%" align="center"><a accesskey="h" href="Linux-PAM_SAG.html">Home</a></td><td width="40%" align="right" valign="top"> 6.14. pam_lastlog - display date of last login</td></tr></table></div></body></html>
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>6.14. pam_lastlog - display date of last login</title><meta name="generator" content="DocBook XSL Stylesheets Vsnapshot"><link rel="home" href="Linux-PAM_SAG.html" title="The Linux-PAM System Administrators' Guide"><link rel="up" href="sag-module-reference.html" title="Chapter 6. A reference guide for available modules"><link rel="prev" href="sag-pam_keyinit.html" title="6.13. pam_keyinit - display the keyinit file"><link rel="next" href="sag-pam_limits.html" title="6.15. pam_limits - limit resources"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">6.14. pam_lastlog - display date of last login</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="sag-pam_keyinit.html">Prev</a> </td><th width="60%" align="center">Chapter 6. A reference guide for available modules</th><td width="20%" align="right"> <a accesskey="n" href="sag-pam_limits.html">Next</a></td></tr></table><hr></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="sag-pam_lastlog"></a>6.14. pam_lastlog - display date of last login</h2></div></div></div><div class="cmdsynopsis"><p><code class="command">pam_lastlog.so</code>  [
	debug
      ] [
        silent
      ] [
        never
      ] [
        nodate
      ] [
        nohost
      ] [
        noterm
      ] [
        nowtmp
      ] [
        noupdate
      ] [
        showfailed
      ] [
        inactive=&lt;days&gt;
      ] [
        unlimited
      ]</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_lastlog-description"></a>6.14.1. DESCRIPTION</h3></div></div></div><p>
      pam_lastlog is a PAM module that displays a line of information
      about the user's last login. In addition, the module maintains
      the <code class="filename">/var/log/lastlog</code> file.
    </p><p>
      Some applications may perform this function themselves. In such
      cases, this module is not necessary.
    </p><p>
      If the module is called in the auth or account phase, accounts that
      were not used recently enough are not allowed to log in. The
      check is not performed for the root account, so root is never
      locked out.
    </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_lastlog-options"></a>6.14.2. OPTIONS</h3></div></div></div><div class="variablelist"><dl class="variablelist"><dt><span class="term">
          <code class="option">debug</code>
        </span></dt><dd><p>
            Print debug information.
          </p></dd><dt><span class="term">
          <code class="option">silent</code>
        </span></dt><dd><p>
            Don't inform the user about any previous login,
            just update the <code class="filename">/var/log/lastlog</code> file.
            This option does not affect display of bad login attempts.
          </p></dd><dt><span class="term">
          <code class="option">never</code>
        </span></dt><dd><p>
            If the <code class="filename">/var/log/lastlog</code> file does
            not contain any old entries for the user, indicate that
            the user has never previously logged in with a welcome
            message.
          </p></dd><dt><span class="term">
          <code class="option">nodate</code>
        </span></dt><dd><p>
            Don't display the date of the last login.
          </p></dd><dt><span class="term">
          <code class="option">noterm</code>
        </span></dt><dd><p>
            Don't display the terminal name on which the
            last login was attempted.
          </p></dd><dt><span class="term">
          <code class="option">nohost</code>
        </span></dt><dd><p>
            Don't indicate from which host the last login was
            attempted.
          </p></dd><dt><span class="term">
          <code class="option">nowtmp</code>
        </span></dt><dd><p>
            Don't update the wtmp entry.
          </p></dd><dt><span class="term">
          <code class="option">noupdate</code>
        </span></dt><dd><p>
            Don't update any file.
          </p></dd><dt><span class="term">
          <code class="option">showfailed</code>
        </span></dt><dd><p>
            Display number of failed login attempts and the date of the
            last failed attempt from btmp. The date is not displayed
            when <code class="option">nodate</code> is specified.
          </p></dd><dt><span class="term">
          <code class="option">inactive=&lt;days&gt;</code>
        </span></dt><dd><p>
            This option applies only to the auth or account phase. It
            specifies the number of days after the last login of the user
            after which the user will be locked out by the module. The default
            value is 90.
          </p></dd><dt><span class="term">
          <code class="option">unlimited</code>
        </span></dt><dd><p>
	    If the <span class="emphasis"><em>fsize</em></span> limit is set, this option can be
	    used to override it, preventing failures on systems with large UID
	    values that cause lastlog to become a huge sparse file.
          </p></dd></dl></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_lastlog-types"></a>6.14.3. MODULE TYPES PROVIDED</h3></div></div></div><p>
      The <code class="option">auth</code> and <code class="option">account</code> module types
      allow locking out users who have not logged in recently enough.
      The <code class="option">session</code> module type is provided for displaying
      the information about the last login and/or updating the lastlog and
      wtmp files.
    </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_lastlog-return_values"></a>6.14.4. RETURN VALUES</h3></div></div></div><p>
      </p><div class="variablelist"><dl class="variablelist"><dt><span class="term">PAM_SUCCESS</span></dt><dd><p>
              Everything was successful.
            </p></dd><dt><span class="term">PAM_SERVICE_ERR</span></dt><dd><p>
	      Internal service module error.
            </p></dd><dt><span class="term">PAM_USER_UNKNOWN</span></dt><dd><p>
	      User not known.
            </p></dd><dt><span class="term">PAM_AUTH_ERR</span></dt><dd><p>
	      User locked out in the auth or account phase due to
	      inactivity.
            </p></dd><dt><span class="term">PAM_IGNORE</span></dt><dd><p>
	      There was an error reading the lastlog file
	      in the auth or account phase, so the inactivity
	      of the user cannot be determined.
            </p></dd></dl></div><p>
    </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_lastlog-examples"></a>6.14.5. EXAMPLES</h3></div></div></div><p>
      Add the following line to <code class="filename">/etc/pam.d/login</code> to
      display the last login time of a user:
    </p><pre class="programlisting">
    session  required  pam_lastlog.so nowtmp
      </pre><p>
     To reject a user who has not logged in during the previous 50 days,
     the following line can be used:
    </p><pre class="programlisting">
    auth  required  pam_lastlog.so inactive=50
      </pre></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_lastlog-author"></a>6.14.6. AUTHOR</h3></div></div></div><p>
        pam_lastlog was written by Andrew G. Morgan &lt;morgan@kernel.org&gt;.
      </p><p>
        Inactive account lock out added by Tomáš Mráz &lt;tm@t8m.info&gt;.
      </p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="sag-pam_keyinit.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="sag-module-reference.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="sag-pam_limits.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">6.13. pam_keyinit - display the keyinit file </td><td width="20%" align="center"><a accesskey="h" href="Linux-PAM_SAG.html">Home</a></td><td width="40%" align="right" valign="top"> 6.15. pam_limits - limit resources</td></tr></table></div></body></html>
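The last-login display and the inactivity lockout described for pam_lastlog above, as an added example in Python (not pam_lastlog's own code): it reads a lastlog-format table, builds the session-phase message under the nodate/nohost/noterm/never options, and applies the inactive=&lt;days&gt; rule with the root exemption. Assumed, not taken from the page: the x86-64 glibc struct lastlog layout (292 bytes per uid), the message wording and date format, the constructed sample table, and the handling of accounts with no entry at all, which the page does not specify.

```python
"""Read a lastlog-format table, build the "last login" line and apply the
inactivity check described for pam_lastlog. Added example, not pam_lastlog's
own code."""
import struct
import time

# Assumption: x86-64 glibc layout of struct lastlog (<utmp.h>):
# int32 ll_time, char ll_line[32], char ll_host[256] -> 292 bytes per uid.
LASTLOG_FMT = "<i32s256s"
ENTRY_SIZE = struct.calcsize(LASTLOG_FMT)
DAY = 86400


def _cstr(raw):
    """Decode a NUL-padded C string field."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")


def read_lastlog_entry(data, uid):
    """Return (time, line, host) for uid, or None if there is no entry.

    The file is indexed by uid (entry N lives at N * ENTRY_SIZE), which is why
    large uids turn it into a huge sparse file (the reason 'unlimited' exists).
    """
    offset = uid * ENTRY_SIZE
    if offset + ENTRY_SIZE > len(data):
        return None                        # past end of file: no entry
    ll_time, line, host = struct.unpack_from(LASTLOG_FMT, data, offset)
    if ll_time == 0:
        return None                        # zero-filled slot: never logged in
    return ll_time, _cstr(line), _cstr(host)


def last_login_message(entry, nodate=False, nohost=False, noterm=False, never=False):
    """Session-phase message, honouring the nodate/nohost/noterm/never options."""
    if entry is None:
        return "Welcome to your new account!" if never else None
    ll_time, line, host = entry
    parts = ["Last login:"]
    if not nodate:                         # date format is an assumption
        parts.append(time.strftime("%a %b %d %H:%M:%S %Y UTC", time.gmtime(ll_time)))
    if host and not nohost:
        parts.append(f"from {host}")
    if line and not noterm:
        parts.append(f"on {line}")
    return " ".join(parts)


def inactivity_check(data, uid, now, inactive_days=90, lock_never_logged_in=False):
    """auth/account-phase verdict: PAM_SUCCESS, PAM_AUTH_ERR (locked out for
    inactivity) or PAM_IGNORE (lastlog unreadable, inactivity unknown).

    lock_never_logged_in is an assumption knob: the page does not say how an
    account without a lastlog entry is treated, so the default leaves it alone.
    """
    if uid == 0:
        return "PAM_SUCCESS"               # the check is never applied to root
    if data is None:
        return "PAM_IGNORE"
    entry = read_lastlog_entry(data, uid)
    if entry is None:
        return "PAM_AUTH_ERR" if lock_never_logged_in else "PAM_SUCCESS"
    if now - entry[0] > inactive_days * DAY:
        return "PAM_AUTH_ERR"
    return "PAM_SUCCESS"


def make_lastlog(entries, table_size):
    """Constructed sample: a zero-filled table of table_size slots with the
    given {uid: (time, line, host)} entries packed at uid * ENTRY_SIZE."""
    buf = bytearray(ENTRY_SIZE * table_size)
    for uid, (t, line, host) in entries.items():
        struct.pack_into(LASTLOG_FMT, buf, uid * ENTRY_SIZE, t, line.encode(), host.encode())
    return bytes(buf)


NOW = 1_700_000_000                        # constructed "current time"
SAMPLE = make_lastlog({
    1000: (NOW - 10 * DAY, "pts/0", "10.0.0.5"),   # recently active user
    1001: (NOW - 120 * DAY, "tty1", ""),           # past the default 90 days
}, table_size=1010)

if __name__ == "__main__":
    for uid in (0, 1000, 1001, 1005):
        entry = read_lastlog_entry(SAMPLE, uid)
        print(uid, inactivity_check(SAMPLE, uid, NOW), last_login_message(entry, never=True))
```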
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>6.15. pam_limits - limit resources</title><meta name="generator" content="DocBook XSL Stylesheets Vsnapshot"><link rel="home" href="Linux-PAM_SAG.html" title="The Linux-PAM System Administrators' Guide"><link rel="up" href="sag-module-reference.html" title="Chapter 6. A reference guide for available modules"><link rel="prev" href="sag-pam_lastlog.html" title="6.14. pam_lastlog - display date of last login"><link rel="next" href="sag-pam_listfile.html" title="6.16. pam_listfile - deny or allow services based on an arbitrary file"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">6.15. pam_limits - limit resources</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="sag-pam_lastlog.html">Prev</a> </td><th width="60%" align="center">Chapter 6. A reference guide for available modules</th><td width="20%" align="right"> <a accesskey="n" href="sag-pam_listfile.html">Next</a></td></tr></table><hr></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="sag-pam_limits"></a>6.15. pam_limits - limit resources</h2></div></div></div><div class="cmdsynopsis"><p><code class="command">pam_limits.so</code>  [
        conf=<em class="replaceable"><code>/path/to/limits.conf</code></em>
      ] [
        debug
      ] [
        set_all
      ] [
        utmp_early
      ] [
        noaudit
      ]</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_limits-description"></a>6.15.1. DESCRIPTION</h3></div></div></div><p>
      The pam_limits PAM module sets limits on the system resources that can be
      obtained in a user session. Users with <span class="emphasis"><em>uid=0</em></span> are affected
      by these limits, too.
    </p><p>
      By default, limits are taken from the <code class="filename">/etc/security/limits.conf</code>
      config file. Then the individual *.conf files from the <code class="filename">/etc/security/limits.d/</code>
      directory are read. The files are parsed one after another in the collation order of the "C" locale.
      The effect of the individual files is the same as if all the files were
      concatenated together in the order of parsing.
      If a config file is explicitly specified with a module option then the
      files in the above directory are not parsed.
    </p><p>
      The module must not be called by a multithreaded application.
    </p><p>
      If Linux PAM is compiled with audit support, the module will report
      to the audit subsystem when it denies access based on the limit on the
      maximum number of concurrent login sessions.
    </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-limits.conf-description"></a>6.15.2. DESCRIPTION</h3></div></div></div><p>
      The <span class="emphasis"><em>pam_limits.so</em></span> module applies ulimit limits,
      nice priority and number of simultaneous login sessions limit to user
      login sessions. This description of the configuration file syntax
      applies to the <code class="filename">/etc/security/limits.conf</code> file and
      <code class="filename">*.conf</code> files in the
      <code class="filename">/etc/security/limits.d</code> directory.
    </p><p>
      The syntax of the lines is as follows:
    </p><p>
      <em class="replaceable"><code>&lt;domain&gt;</code></em> <em class="replaceable"><code>&lt;type&gt;</code></em>
      <em class="replaceable"><code>&lt;item&gt;</code></em> <em class="replaceable"><code>&lt;value&gt;</code></em>
    </p><p>
      The fields listed above should be filled as follows:
    </p><div class="variablelist"><dl class="variablelist"><dt><span class="term">
          <code class="option">&lt;domain&gt;</code>
        </span></dt><dd><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
                a username
              </p></li><li class="listitem"><p>
                a groupname, with <span class="emphasis"><em>@group</em></span> syntax.
                This should not be confused with netgroups.
              </p></li><li class="listitem"><p>
                the wildcard <span class="emphasis"><em>*</em></span>, for default entry.
              </p></li><li class="listitem"><p>
                the wildcard <span class="emphasis"><em>%</em></span>, for the maxlogins limit only;
                it can also be used with the <span class="emphasis"><em>%group</em></span> syntax. If the
                <span class="emphasis"><em>%</em></span> wildcard is used alone it is identical
                to using <span class="emphasis"><em>*</em></span> with the maxsyslogins limit. With
                a group specified after <span class="emphasis"><em>%</em></span> it limits the total
                number of logins of all users that are members of the group.
              </p></li><li class="listitem"><p>
                a uid range specified as <em class="replaceable"><code>&lt;min_uid&gt;</code></em><span class="emphasis"><em>:</em></span><em class="replaceable"><code>&lt;max_uid&gt;</code></em>. If min_uid
                is omitted, the match is exact for the max_uid. If max_uid is omitted, all
                uids greater than or equal to min_uid match.
              </p></li><li class="listitem"><p>
                a gid range specified as <span class="emphasis"><em>@</em></span><em class="replaceable"><code>&lt;min_gid&gt;</code></em><span class="emphasis"><em>:</em></span><em class="replaceable"><code>&lt;max_gid&gt;</code></em>. If min_gid
                is omitted, the match is exact for the max_gid. If max_gid is omitted, all
                gids greater than or equal to min_gid match. For the exact match all groups including
                the user's supplementary groups are examined. For the range matches only
                the user's primary group is examined.
              </p></li><li class="listitem"><p>
                a gid specified as <span class="emphasis"><em>%:</em></span><em class="replaceable"><code>&lt;gid&gt;</code></em>, applicable
                to the maxlogins limit only. It limits the total number of logins of all users
                that are members of the group with the specified gid.
              </p></li></ul></div></dd><dt><span class="term">
          <code class="option">&lt;type&gt;</code>
        </span></dt><dd><div class="variablelist"><dl class="variablelist"><dt><span class="term"><code class="option">hard</code></span></dt><dd><p>
                  for enforcing <span class="emphasis"><em>hard</em></span> resource limits.
                  These limits are set by the superuser and enforced by the kernel.
                  The user cannot raise their use of system resources above such values.
                </p></dd><dt><span class="term"><code class="option">soft</code></span></dt><dd><p>
                  for enforcing <span class="emphasis"><em>soft</em></span> resource limits.
                  These limits are ones that the user can move up or down within the
                  range permitted by any pre-existing <span class="emphasis"><em>hard</em></span>
                  limits. The values specified with this token can be thought of as
                  <span class="emphasis"><em>default</em></span> values, for normal system usage.
                </p></dd><dt><span class="term"><code class="option">-</code></span></dt><dd><p>
                  for enforcing both <span class="emphasis"><em>soft</em></span> and
                  <span class="emphasis"><em>hard</em></span> resource limits together.
                </p><p>
                  Note, if you specify a type of '-' but neglect to supply the
                  item and value fields then the module will never enforce any
                  limits on the specified user/group etc.
                </p></dd></dl></div></dd><dt><span class="term">
          <code class="option">&lt;item&gt;</code>
        </span></dt><dd><div class="variablelist"><dl class="variablelist"><dt><span class="term"><code class="option">core</code></span></dt><dd><p>limits the core file size (KB)</p></dd><dt><span class="term"><code class="option">data</code></span></dt><dd><p>maximum data size (KB)</p></dd><dt><span class="term"><code class="option">fsize</code></span></dt><dd><p>maximum filesize (KB)</p></dd><dt><span class="term"><code class="option">memlock</code></span></dt><dd><p>maximum locked-in-memory address space (KB)</p></dd><dt><span class="term"><code class="option">nofile</code></span></dt><dd><p>maximum number of open file descriptors</p></dd><dt><span class="term"><code class="option">rss</code></span></dt><dd><p>maximum resident set size (KB) (Ignored in Linux 2.4.30 and higher)</p></dd><dt><span class="term"><code class="option">stack</code></span></dt><dd><p>maximum stack size (KB)</p></dd><dt><span class="term"><code class="option">cpu</code></span></dt><dd><p>maximum CPU time (minutes)</p></dd><dt><span class="term"><code class="option">nproc</code></span></dt><dd><p>maximum number of processes</p></dd><dt><span class="term"><code class="option">as</code></span></dt><dd><p>address space limit (KB)</p></dd><dt><span class="term"><code class="option">maxlogins</code></span></dt><dd><p>maximum number of logins for this user (this limit does
                  not apply to a user with <span class="emphasis"><em>uid=0</em></span>)</p></dd><dt><span class="term"><code class="option">maxsyslogins</code></span></dt><dd><p>maximum number of all logins on the system; the user is not
                  allowed to log in if the total number of all user logins is
                  greater than the specified number (this limit does not apply to
                  a user with <span class="emphasis"><em>uid=0</em></span>)</p></dd><dt><span class="term"><code class="option">priority</code></span></dt><dd><p>the priority to run user processes with (negative
                  values boost process priority)</p></dd><dt><span class="term"><code class="option">locks</code></span></dt><dd><p>maximum locked files (Linux 2.4 and higher)</p></dd><dt><span class="term"><code class="option">sigpending</code></span></dt><dd><p>maximum number of pending signals (Linux 2.6 and higher)</p></dd><dt><span class="term"><code class="option">msgqueue</code></span></dt><dd><p>maximum memory used by POSIX message queues (bytes)
                  (Linux 2.6 and higher)</p></dd><dt><span class="term"><code class="option">nice</code></span></dt><dd><p>maximum nice priority allowed to raise to (Linux 2.6.12 and higher) values: [-20,19]</p></dd><dt><span class="term"><code class="option">rtprio</code></span></dt><dd><p>maximum realtime priority allowed for non-privileged processes
                  (Linux 2.6.12 and higher)</p></dd></dl></div></dd></dl></div><p>
      All items support the values <span class="emphasis"><em>-1</em></span>,
      <span class="emphasis"><em>unlimited</em></span> or <span class="emphasis"><em>infinity</em></span> indicating no limit,
      except for <span class="emphasis"><em>priority</em></span> and <span class="emphasis"><em>nice</em></span>.
      If <span class="emphasis"><em>nofile</em></span> is to be set to one of these values,
      it will be set to the contents of /proc/sys/fs/nr_open instead (see setrlimit(3)).
    </p><p>
      If a hard limit or soft limit of a resource is set to a valid value,
      but outside of the supported range of the local system, the system
      may reject the new limit or unexpected behavior may occur. If the
      control value <span class="emphasis"><em>required</em></span>  is used, the module will
      reject the login if a limit could not be set.
    </p><p>
      In general, individual limits have priority over group limits, so if
      you impose no limits for the <span class="emphasis"><em>admin</em></span> group, but one of
      the members of this group has a limits line, that user will have their
      limits set according to this line.
    </p><p>
      Also, please note that all limit settings are set
      <span class="emphasis"><em>per login</em></span>. They are not global, nor are they
      permanent; they exist only for the duration of the session.
      One exception is the <span class="emphasis"><em>maxlogins</em></span> option, which
      is system wide. There is a race, however: concurrent logins at the same
      time will not always be detected as such and may be counted as one.
    </p><p>
      In the <span class="emphasis"><em>limits</em></span> configuration file, the
      '<span class="emphasis"><em>#</em></span>' character introduces a comment;
      the rest of the line is ignored.
    </p><p>
      The pam_limits module reports configuration problems
      found in its configuration file, and other errors, via <span class="citerefentry"><span class="refentrytitle">syslog</span>(3)</span>.
    </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_limits-options"></a>6.15.3. OPTIONS</h3></div></div></div><div class="variablelist"><dl class="variablelist"><dt><span class="term">
          <code class="option">conf=<em class="replaceable"><code>/path/to/limits.conf</code></em></code>
        </span></dt><dd><p>
            Indicate an alternative limits.conf style configuration file to
            override the default.
          </p></dd><dt><span class="term">
          <code class="option">debug</code>
        </span></dt><dd><p>
            Print debug information.
          </p></dd><dt><span class="term">
          <code class="option">set_all</code>
        </span></dt><dd><p>
            Set the limits for which no value is specified in the
            configuration file to those of the process with
            PID 1.
          </p></dd><dt><span class="term">
          <code class="option">utmp_early</code>
        </span></dt><dd><p>
            Some broken applications actually allocate a utmp entry for
            the user before the user is admitted to the system. If some
            of the services you are configuring PAM for do this, you can
            selectively use this module argument to compensate for this
            behavior and at the same time maintain system-wide consistency
            with a single limits.conf file.
          </p></dd><dt><span class="term">
          <code class="option">noaudit</code>
        </span></dt><dd><p>
            Do not report exceeded maximum logins count to the audit subsystem.
          </p></dd></dl></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_limits-types"></a>6.15.4. MODULE TYPES PROVIDED</h3></div></div></div><p>
      Only the <code class="option">session</code> module type is provided.
    </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_limits-return_values"></a>6.15.5. RETURN VALUES</h3></div></div></div><div class="variablelist"><dl class="variablelist"><dt><span class="term">PAM_ABORT</span></dt><dd><p>
             Cannot get current limits.
          </p></dd><dt><span class="term">PAM_IGNORE</span></dt><dd><p>
             No limits found for this user.
          </p></dd><dt><span class="term">PAM_PERM_DENIED</span></dt><dd><p>
            New limits could not be set.
          </p></dd><dt><span class="term">PAM_SERVICE_ERR</span></dt><dd><p>
             Cannot read config file.
          </p></dd><dt><span class="term">PAM_SESSION_ERR</span></dt><dd><p>
             Error recovering account name.
          </p></dd><dt><span class="term">PAM_SUCCESS</span></dt><dd><p>
             Limits were changed.
          </p></dd><dt><span class="term">PAM_USER_UNKNOWN</span></dt><dd><p>
             The user is not known to the system.
          </p></dd></dl></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_limits-files"></a>6.15.6. FILES</h3></div></div></div><div class="variablelist"><dl class="variablelist"><dt><span class="term"><code class="filename">/etc/security/limits.conf</code></span></dt><dd><p>Default configuration file</p></dd></dl></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-limits.conf-examples"></a>6.15.7. EXAMPLES</h3></div></div></div><p>
      These are some example lines which might be specified in
      <code class="filename">/etc/security/limits.conf</code>.
    </p><pre class="programlisting">
*               soft    core            0
*               hard    nofile          512
@student        hard    nproc           20
@faculty        soft    nproc           20
@faculty        hard    nproc           50
ftp             hard    nproc           0
@student        -       maxlogins       4
:123            hard    cpu             5000
@500:           soft    cpu             10000
600:700         hard    locks           10
    </pre></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_limits-authors"></a>6.15.8. AUTHORS</h3></div></div></div><p>
      pam_limits was initially written by Cristian Gafton &lt;gafton@redhat.com&gt;.
    </p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="sag-pam_lastlog.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="sag-module-reference.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="sag-pam_listfile.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">6.14. pam_lastlog - display date of last login </td><td width="20%" align="center"><a accesskey="h" href="Linux-PAM_SAG.html">Home</a></td><td width="40%" align="right" valign="top"> 6.16. pam_listfile - deny or allow services based on an arbitrary file</td></tr></table></div></body></html>
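The domain syntax and precedence rules of limits.conf described above, as an added example in Python (not pam_limits' own code): it parses limits.conf-style text and resolves the soft and hard values that apply to one user, using the example lines from this page as constructed input. Assumed, not taken from the page: the numeric precedence ranks (user, then group, then the '*' default), the <code>maxlogins(%group)</code> naming that keeps group-total login limits apart from per-user ones, and the sample user alice; '%' alone is mapped to maxsyslogins as the text states.

```python
"""Resolve which limits.conf lines apply to one user, following the domain
syntax and precedence rules described for pam_limits (added example)."""

# Precedence rank of a matching domain (lower wins). Assumption modelled on the
# stated rule: individual limits beat group limits, which beat the "*" default;
# a later line of the same rank overrides an earlier one (files are concatenated).
RANK_USER, RANK_GROUP, RANK_DEFAULT, RANK_NONE = 0, 1, 2, 99
NO_LIMIT_WORDS = {"-1", "unlimited", "infinity"}

def parse_limits(text):
    """Yield the fields of each non-empty line; '#' starts a comment."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line.split()

def _in_range(spec, value):
    """'<min>:<max>': ':123' is exact, '500:' means >= 500, '600:700' inclusive."""
    lo, hi = spec.split(":", 1)
    if lo == "":
        return value == int(hi)
    if hi == "":
        return value >= int(lo)
    return int(lo) <= value <= int(hi)

def domain_rank(domain, user):
    """Return the precedence rank if `domain` applies to `user`, else None.
    `user`: dict with name, uid, gid (primary), groups (names of all groups,
    supplementary included) and gids (ids of all those groups)."""
    if domain in ("*", "%"):              # '%' alone acts like '*' (see resolve_limits)
        return RANK_DEFAULT
    if domain.startswith("%:"):           # %:<gid>, group-total login limit
        return RANK_GROUP if int(domain[2:]) in user["gids"] else None
    if domain.startswith("%"):            # %group, group-total login limit
        return RANK_GROUP if domain[1:] in user["groups"] else None
    if domain.startswith("@"):
        spec = domain[1:]
        if ":" not in spec:               # @group: primary or supplementary membership
            return RANK_GROUP if spec in user["groups"] else None
        lo, hi = spec.split(":", 1)
        if lo == "":                      # exact gid: all of the user's groups count
            return RANK_GROUP if int(hi) in user["gids"] else None
        return RANK_GROUP if _in_range(spec, user["gid"]) else None  # range: primary gid only
    if ":" in domain:                     # <min_uid>:<max_uid>
        return RANK_USER if _in_range(domain, user["uid"]) else None
    return RANK_USER if domain == user["name"] else None

def resolve_limits(text, user):
    """Return {item: {"soft": v, "hard": v}} for the lines that apply to `user`;
    None stands for "no limit" (-1, unlimited, infinity)."""
    limits, ranks = {}, {}
    for fields in parse_limits(text):
        if len(fields) == 2 and fields[1] == "-":
            # "<domain> -" without item/value: nothing is enforced for that domain
            if domain_rank(fields[0], user) is not None:
                return {}
            continue
        if len(fields) != 4 or fields[1] not in ("soft", "hard", "-"):
            continue                      # pam_limits would report this via syslog
        domain, ltype, item, value = fields
        rank = domain_rank(domain, user)
        if rank is None:
            continue
        if domain.startswith("%"):
            if item != "maxlogins":       # '%' domains are for maxlogins only
                continue
            # '%' alone is '*' with maxsyslogins; '%group' / '%:gid' cap the group total
            item = "maxsyslogins" if domain == "%" else f"maxlogins({domain})"
        if value in NO_LIMIT_WORDS:
            if item in ("priority", "nice"):
                raise ValueError(f"{item} does not accept '{value}'")
            parsed = None
        else:
            parsed = int(value)
        for kind in (("soft", "hard") if ltype == "-" else (ltype,)):
            if rank <= ranks.get((item, kind), RANK_NONE):
                ranks[(item, kind)] = rank
                limits.setdefault(item, {})[kind] = parsed
    return limits

# Constructed sample: the example lines from the page plus a few precedence cases.
SAMPLE_CONF = """\
*               soft    core            0
*               hard    nofile          512
@student        hard    nproc           20
@faculty        soft    nproc           20
@faculty        hard    nproc           50
ftp             hard    nproc           0
@student        -       maxlogins       4
:123            hard    cpu             5000
@500:           soft    cpu             10000
600:700         hard    locks           10
alice           hard    nofile          256    # user line beats group and default
@student        hard    nofile          1024   # later group line still loses
%student        -       maxlogins       40     # login total for the whole group
alice           -       fsize           unlimited
"""
ALICE = {"name": "alice", "uid": 650, "gid": 1000,
         "groups": {"users", "student"}, "gids": {1000, 1001}}
```

`resolve_limits(SAMPLE_CONF, ALICE)` yields nofile hard 256 (the user line wins although a group line follows it), nproc hard 20, maxlogins 4/4, cpu soft 10000 via the gid range, and locks hard 10 via the uid range.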
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>6.16. pam_listfile - deny or allow services based on an arbitrary file</title><meta name="generator" content="DocBook XSL Stylesheets Vsnapshot"><link rel="home" href="Linux-PAM_SAG.html" title="The Linux-PAM System Administrators' Guide"><link rel="up" href="sag-module-reference.html" title="Chapter 6. A reference guide for available modules"><link rel="prev" href="sag-pam_limits.html" title="6.15. pam_limits - limit resources"><link rel="next" href="sag-pam_localuser.html" title="6.17. pam_localuser - require users to be listed in /etc/passwd"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">6.16. pam_listfile - deny or allow services based on an arbitrary file</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="sag-pam_limits.html">Prev</a> </td><th width="60%" align="center">Chapter 6. A reference guide for available modules</th><td width="20%" align="right"> <a accesskey="n" href="sag-pam_localuser.html">Next</a></td></tr></table><hr></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="sag-pam_listfile"></a>6.16. pam_listfile - deny or allow services based on an arbitrary file</h2></div></div></div><div class="cmdsynopsis"><p><code class="command">pam_listfile.so</code>
	item=[tty|user|rhost|ruser|group|shell]
         
        sense=[allow|deny]
         
        file=<em class="replaceable"><code>/path/filename</code></em>
         
        onerr=[succeed|fail]
        [
        apply=[<em class="replaceable"><code>user</code></em>|<em class="replaceable"><code>@group</code></em>]
      ] [
        quiet
      ]</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_listfile-description"></a>6.16.1. DESCRIPTION</h3></div></div></div><p>
      pam_listfile is a PAM module which provides a way to deny or
      allow services based on an arbitrary file.
    </p><p>
      The module gets the <code class="option">item</code> of the type specified --
      <span class="emphasis"><em>user</em></span> specifies the username,
      <span class="emphasis"><em>PAM_USER</em></span>; tty specifies the name of the terminal
      over which the request has been made, <span class="emphasis"><em>PAM_TTY</em></span>;
      rhost specifies the name of the remote host (if any) from which the
      request was made, <span class="emphasis"><em>PAM_RHOST</em></span>; and ruser specifies
      the name of the remote user (if available) who made the request,
      <span class="emphasis"><em>PAM_RUSER</em></span> -- and looks for an instance of that
      item in the <code class="option">file=<em class="replaceable"><code>filename</code></em></code>.
      <code class="filename">filename</code> contains one line per item listed. If
      the item is found, then if
      <code class="option">sense=<em class="replaceable"><code>allow</code></em></code>,
      <span class="emphasis"><em>PAM_SUCCESS</em></span> is returned, causing the authorization
      request to succeed; else if
      <code class="option">sense=<em class="replaceable"><code>deny</code></em></code>,
      <span class="emphasis"><em>PAM_AUTH_ERR</em></span> is returned, causing the authorization
      request to fail.
    </p><p>
      If an error is encountered (for instance, if
      <code class="filename">filename</code> does not exist, or a poorly-constructed
      argument is encountered), then if <span class="emphasis"><em>onerr=succeed</em></span>,
      <span class="emphasis"><em>PAM_SUCCESS</em></span> is returned, otherwise if
      <span class="emphasis"><em>onerr=fail</em></span>, <span class="emphasis"><em>PAM_AUTH_ERR</em></span> or
      <span class="emphasis"><em>PAM_SERVICE_ERR</em></span> (as appropriate) will be returned.
    </p><p>
      An additional argument, <code class="option">apply=</code>, can be used
      to restrict the application of the above to a specific user
      (<code class="option">apply=<em class="replaceable"><code>username</code></em></code>)
      or a given group
      (<code class="option">apply=<em class="replaceable"><code>@groupname</code></em></code>).
      This added restriction is only meaningful when used with the
      <span class="emphasis"><em>tty</em></span>, <span class="emphasis"><em>rhost</em></span> and
      <span class="emphasis"><em>shell</em></span> items.
    </p><p>
      Besides this last one, all arguments should be specified; do not
      count on any default behavior.
    </p><p>
      No credentials are awarded by this module.
    </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_listfile-options"></a>6.16.2. OPTIONS</h3></div></div></div><p>
      </p><div class="variablelist"><dl class="variablelist"><dt><span class="term">
            <code class="option">item=[tty|user|rhost|ruser|group|shell]</code>
          </span></dt><dd><p>
	      What is listed in the file and should be checked for.
            </p></dd><dt><span class="term">
            <code class="option">sense=[allow|deny]</code>
          </span></dt><dd><p>
              Action to take if the item is found in the file; if the item is
              NOT found in the file, the opposite action is taken.
            </p></dd><dt><span class="term">
            <code class="option">file=<em class="replaceable"><code>/path/filename</code></em></code>
          </span></dt><dd><p>
              File containing one item per line. The file needs to be a plain
              file and not world writable.
            </p></dd><dt><span class="term">
            <code class="option">onerr=[succeed|fail]</code>
          </span></dt><dd><p>
              What to do if something unexpected happens, such as being unable
              to open the file.
            </p></dd><dt><span class="term">
            <code class="option">apply=[<em class="replaceable"><code>user</code></em>|<em class="replaceable"><code>@group</code></em>]</code>
          </span></dt><dd><p>
              Restrict the user class to which the restriction applies. Note that
              with <code class="option">item=[user|ruser|group]</code> this does not make sense,
              but for <code class="option">item=[tty|rhost|shell]</code> it has a meaning.
            </p></dd><dt><span class="term">
            <code class="option">quiet</code>
          </span></dt><dd><p>
              Do not treat service refusals or missing list files as
              errors that need to be logged.
            </p></dd></dl></div><p>

    </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_listfile-types"></a>6.16.3. MODULE TYPES PROVIDED</h3></div></div></div><p>
      All module types (<code class="option">auth</code>, <code class="option">account</code>,
      <code class="option">password</code> and <code class="option">session</code>) are provided.
    </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_listfile-return_values"></a>6.16.4. RETURN VALUES</h3></div></div></div><p>
      </p><div class="variablelist"><dl class="variablelist"><dt><span class="term">PAM_AUTH_ERR</span></dt><dd><p>Authentication failure.</p></dd><dt><span class="term">PAM_BUF_ERR</span></dt><dd><p>
               Memory buffer error.
            </p></dd><dt><span class="term">PAM_IGNORE</span></dt><dd><p>
              The rule was skipped because the user or group given with the
              <code class="option">apply</code> option did not match.
            </p></dd><dt><span class="term">PAM_SERVICE_ERR</span></dt><dd><p>
	      Error in service module.
            </p></dd><dt><span class="term">PAM_SUCCESS</span></dt><dd><p>
              Success.
            </p></dd></dl></div><p>
    </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_listfile-examples"></a>6.16.5. EXAMPLES</h3></div></div></div><p>
      Classic 'ftpusers' authentication can be implemented with this entry
      in <code class="filename">/etc/pam.d/ftpd</code>:
      </p><pre class="programlisting">
#
# deny ftp-access to users listed in the /etc/ftpusers file
#
auth    required       pam_listfile.so \
        onerr=succeed item=user sense=deny file=/etc/ftpusers
      </pre><p>
      Note, users listed in <code class="filename">/etc/ftpusers</code> file are
      (counterintuitively) <span class="emphasis"><em>not</em></span> allowed access to
      the ftp service.
    </p><p>
      To allow login access only for certain users, you can use a
      <code class="filename">/etc/pam.d/login</code> entry like this:
      </p><pre class="programlisting">
#
# permit login to users listed in /etc/loginusers
#
auth    required       pam_listfile.so \
        onerr=fail item=user sense=allow file=/etc/loginusers
      </pre><p>
      For this example to work, all users who are allowed to use the
      login service should be listed in the file
      <code class="filename">/etc/loginusers</code>.  Unless you are explicitly
      trying to lock out root, make sure that when you do this, you leave
      a way for root to log in, either by listing root in
      <code class="filename">/etc/loginusers</code>, or by listing a user who is
      able to <span class="emphasis"><em>su</em></span> to the root account.
    </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_listfile-author"></a>6.16.6. AUTHOR</h3></div></div></div><p>
        pam_listfile was written by Michael K. Johnson &lt;johnsonm@redhat.com&gt;
        and Elliot Lee &lt;sopwith@cuc.edu&gt;.
      </p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="sag-pam_limits.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="sag-module-reference.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="sag-pam_localuser.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">6.15. pam_limits - limit resources </td><td width="20%" align="center"><a accesskey="h" href="Linux-PAM_SAG.html">Home</a></td><td width="40%" align="right" valign="top"> 6.17. pam_localuser - require users to be listed in /etc/passwd</td></tr></table></div></body></html>
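<p>The decision rules in the pam_listfile description (item looked up in the file, <code class="option">sense</code> deciding the outcome, <code class="option">onerr</code> deciding what a missing or unsafe file means, and the requirement that the file be plain and not world writable) are modelled below. This is an added example, not the module's own code: it reproduces the documented behaviour in a temporary directory with a constructed list file, and where the text says "PAM_AUTH_ERR or PAM_SERVICE_ERR (as appropriate)" it chooses PAM_SERVICE_ERR for a bad argument and PAM_AUTH_ERR for a file problem, which is an assumption of this model.</p>

```python
"""Model of the pam_listfile decision rules described above.

Added example, not Linux-PAM's own code: it mirrors the documented
item/sense/onerr behaviour and the plain, non-world-writable file rule."""
import os
import shutil
import stat
import tempfile
from typing import Dict, Set

PAM_SUCCESS = "PAM_SUCCESS"
PAM_AUTH_ERR = "PAM_AUTH_ERR"
PAM_SERVICE_ERR = "PAM_SERVICE_ERR"


def load_items(path: str) -> Set[str]:
    """One item per line; refuse a file that is not plain or is world writable."""
    st = os.stat(path)  # OSError if the file does not exist
    if not stat.S_ISREG(st.st_mode) or st.st_mode & stat.S_IWOTH:
        raise PermissionError(f"{path}: must be a plain, non-world-writable file")
    with open(path) as fh:
        return {line.strip() for line in fh if line.strip()}


def listfile_decision(item_value: str, sense: str, onerr: str, path: str) -> str:
    """Return the PAM result for one item value under the given options."""
    if onerr not in ("succeed", "fail") or sense not in ("allow", "deny"):
        # poorly constructed argument: PAM_SUCCESS only if onerr=succeed
        return PAM_SUCCESS if onerr == "succeed" else PAM_SERVICE_ERR
    try:
        items = load_items(path)
    except OSError:
        # missing or unsafe file: onerr decides (PAM_AUTH_ERR is this model's choice)
        return PAM_SUCCESS if onerr == "succeed" else PAM_AUTH_ERR
    found = item_value in items
    if sense == "allow":
        return PAM_SUCCESS if found else PAM_AUTH_ERR
    return PAM_AUTH_ERR if found else PAM_SUCCESS


def run_scenarios() -> Dict[str, str]:
    """Constructed scenarios in a temporary directory; returns {name: result}."""
    tmp = tempfile.mkdtemp()
    try:
        path = os.path.join(tmp, "ftpusers")
        with open(path, "w") as fh:
            fh.write("root\nguest\n")   # constructed list, not a real ftpusers file
        os.chmod(path, 0o644)
        out = {}
        # /etc/pam.d/ftpd example: listed users are refused, others admitted
        out["ftpd_root_listed"] = listfile_decision("root", "deny", "succeed", path)
        out["ftpd_alice_unlisted"] = listfile_decision("alice", "deny", "succeed", path)
        # /etc/pam.d/login example: only listed users are admitted
        out["login_root_listed"] = listfile_decision("root", "allow", "fail", path)
        out["login_alice_unlisted"] = listfile_decision("alice", "allow", "fail", path)
        # a world-writable list is an error; onerr picks the outcome
        os.chmod(path, 0o666)
        out["ww_onerr_fail"] = listfile_decision("alice", "allow", "fail", path)
        out["ww_onerr_succeed"] = listfile_decision("alice", "allow", "succeed", path)
        # a missing list with onerr=succeed fails open for every user,
        # including the users the ftpd deny list was meant to keep out
        missing = os.path.join(tmp, "loginusers")
        out["missing_onerr_succeed"] = listfile_decision("alice", "allow", "succeed", missing)
        out["missing_onerr_fail"] = listfile_decision("alice", "allow", "fail", missing)
        out["ftpd_missing_root"] = listfile_decision("root", "deny", "succeed", missing)
        return out
    finally:
        shutil.rmtree(tmp)


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:24} {result}")
```

<p>The last three scenarios are the ones worth keeping in mind when choosing <code class="option">onerr</code>: with <code class="option">onerr=succeed</code> a list file that is deleted, renamed or made world writable silently admits everyone, which for the ftpd deny-list example means root can use ftp again.</p>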
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>6.17. pam_localuser - require users to be listed in /etc/passwd</title><meta name="generator" content="DocBook XSL Stylesheets Vsnapshot"><link rel="home" href="Linux-PAM_SAG.html" title="The Linux-PAM System Administrators' Guide"><link rel="up" href="sag-module-reference.html" title="Chapter 6. A reference guide for available modules"><link rel="prev" href="sag-pam_listfile.html" title="6.16. pam_listfile - deny or allow services based on an arbitrary file"><link rel="next" href="sag-pam_loginuid.html" title="6.18. pam_loginuid - record user's login uid to the process attribute"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">6.17. pam_localuser - require users to be listed in /etc/passwd</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="sag-pam_listfile.html">Prev</a> </td><th width="60%" align="center">Chapter 6. A reference guide for available modules</th><td width="20%" align="right"> <a accesskey="n" href="sag-pam_loginuid.html">Next</a></td></tr></table><hr></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="sag-pam_localuser"></a>6.17. pam_localuser - require users to be listed in /etc/passwd</h2></div></div></div><div class="cmdsynopsis"><p><code class="command">pam_localuser.so</code>  [
	debug
      ] [
        file=<em class="replaceable"><code>/path/passwd</code></em>
      ]</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_localuser-description"></a>6.17.1. DESCRIPTION</h3></div></div></div><p>
      pam_localuser is a PAM module that helps implement site-wide login
      policies, which typically cover a subset of the network's users
      plus a few accounts that are local to a particular workstation.
      Using pam_localuser together with pam_wheel or pam_listfile is an
      effective way to restrict access to local users and/or a subset of
      the network's users.
    </p><p>
      This could also be implemented using pam_listfile.so and a very
      short awk script invoked by cron, but it's common enough to have
      been separated out.
    </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_localuser-options"></a>6.17.2. OPTIONS</h3></div></div></div><p>
      </p><div class="variablelist"><dl class="variablelist"><dt><span class="term">
            <code class="option">debug</code>
          </span></dt><dd><p>
	      Print debug information.
            </p></dd><dt><span class="term">
            <code class="option">file=<em class="replaceable"><code>/path/passwd</code></em></code>
          </span></dt><dd><p>
              Use a file other than <code class="filename">/etc/passwd</code>.
            </p></dd></dl></div><p>

    </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_localuser-types"></a>6.17.3. MODULE TYPES PROVIDED</h3></div></div></div><p>
      All module types (<code class="option">account</code>, <code class="option">auth</code>,
      <code class="option">password</code> and <code class="option">session</code>) are provided.
    </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_localuser-return_values"></a>6.17.4. RETURN VALUES</h3></div></div></div><p>
      </p><div class="variablelist"><dl class="variablelist"><dt><span class="term">PAM_SUCCESS</span></dt><dd><p>
              The new localuser was set successfully.
            </p></dd><dt><span class="term">PAM_SERVICE_ERR</span></dt><dd><p>
              No username was given.
            </p></dd><dt><span class="term">PAM_PERM_DENIED</span></dt><dd><p>
              The user is not listed in the passwd file.
            </p></dd></dl></div><p>
    </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_localuser-examples"></a>6.17.5. EXAMPLES</h3></div></div></div><p>
      Add the following lines to <code class="filename">/etc/pam.d/su</code> to
      allow only local users or group wheel to use su.
      </p><pre class="programlisting">
account sufficient pam_localuser.so
account required pam_wheel.so
      </pre><p>
    </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_localuser-author"></a>6.17.6. AUTHOR</h3></div></div></div><p>
        pam_localuser was written by Nalin Dahyabhai &lt;nalin@redhat.com&gt;.
      </p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="sag-pam_listfile.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="sag-module-reference.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="sag-pam_loginuid.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">6.16. pam_listfile - deny or allow services based on an arbitrary file </td><td width="20%" align="center"><a accesskey="h" href="Linux-PAM_SAG.html">Home</a></td><td width="40%" align="right" valign="top"> 6.18. pam_loginuid - record user's login uid to the process attribute</td></tr></table></div></body></html>
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>6.18. pam_loginuid - record user's login uid to the process attribute</title><meta name="generator" content="DocBook XSL Stylesheets Vsnapshot"><link rel="home" href="Linux-PAM_SAG.html" title="The Linux-PAM System Administrators' Guide"><link rel="up" href="sag-module-reference.html" title="Chapter 6. A reference guide for available modules"><link rel="prev" href="sag-pam_localuser.html" title="6.17. pam_localuser - require users to be listed in /etc/passwd"><link rel="next" href="sag-pam_mail.html" title="6.19. pam_mail - inform about available mail"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">6.18. pam_loginuid - record user's login uid to the process attribute</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="sag-pam_localuser.html">Prev</a> </td><th width="60%" align="center">Chapter 6. A reference guide for available modules</th><td width="20%" align="right"> <a accesskey="n" href="sag-pam_mail.html">Next</a></td></tr></table><hr></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="sag-pam_loginuid"></a>6.18. pam_loginuid - record user's login uid to the process attribute</h2></div></div></div><div class="cmdsynopsis"><p><code class="command">pam_loginuid.so</code>  [
        require_auditd
      ]</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_loginuid-description"></a>6.18.1. DESCRIPTION</h3></div></div></div><p>
      The pam_loginuid module sets the loginuid process attribute for the
      process that was authenticated. This is necessary for applications
      to be correctly audited. This PAM module should only be used for entry
      point applications like: login, sshd, gdm, vsftpd, crond and atd.
      There are probably other entry point applications besides these.
      You should not use it for applications like sudo or su as that
      defeats the purpose by changing the loginuid to the account they just
      switched to.
    </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_loginuid-options"></a>6.18.2. OPTIONS</h3></div></div></div><div class="variablelist"><dl class="variablelist"><dt><span class="term">
          <code class="option">require_auditd</code>
        </span></dt><dd><p>
            This option, when given, will cause this module to query
            the audit daemon status and deny logins if it is not running.
          </p></dd></dl></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_loginuid-types"></a>6.18.3. MODULE TYPES PROVIDED</h3></div></div></div><p>
      Only the <code class="option">session</code> module type is provided.
    </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_loginuid-return_values"></a>6.18.4. RETURN VALUES</h3></div></div></div><p>
      </p><div class="variablelist"><dl class="variablelist"><dt><span class="term">PAM_SUCCESS</span></dt><dd><p>
              The loginuid value is set, and auditd is running if that check was requested.
            </p></dd><dt><span class="term">PAM_IGNORE</span></dt><dd><p>
              The /proc/self/loginuid file is not present on the system, or the
              login process runs inside a uid namespace and the kernel does not support
              overwriting loginuid.
            </p></dd><dt><span class="term">PAM_SESSION_ERR</span></dt><dd><p>
              Any other error prevented setting loginuid or auditd is not running.
            </p></dd></dl></div><p>
    </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_loginuid-examples"></a>6.18.5. EXAMPLES</h3></div></div></div><pre class="programlisting">
#%PAM-1.0
auth       required     pam_unix.so
auth       required     pam_nologin.so
account    required     pam_unix.so
password   required     pam_unix.so
session    required     pam_unix.so
session    required     pam_loginuid.so
    </pre></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_loginuid-author"></a>6.18.6. AUTHOR</h3></div></div></div><p>
        pam_loginuid was written by Steve Grubb &lt;sgrubb@redhat.com&gt;
      </p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="sag-pam_localuser.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="sag-module-reference.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="sag-pam_mail.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">6.17. pam_localuser - require users to be listed in /etc/passwd </td><td width="20%" align="center"><a accesskey="h" href="Linux-PAM_SAG.html">Home</a></td><td width="40%" align="right" valign="top"> 6.19. pam_mail - inform about available mail</td></tr></table></div></body></html>
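<p>The reason the description insists on pam_loginuid for entry-point applications is that the loginuid becomes the <code class="option">auid</code> field of every audit record the session later produces; a stack without it leaves auid at the kernel's unset value 4294967295, so nothing from that session can be attributed to the person who logged in. The script below is an added example (not part of Linux-PAM or the audit tools) that parses constructed USER_START/USER_END records and lists the entry-point programs whose successful session opens still carry an unset auid; the record lines, pids and program paths are all constructed for this example.</p>

```python
"""Spot login sessions audited with an unset loginuid.

Added example for the pam_loginuid section; not part of Linux-PAM or audit."""
import re
from typing import Dict, List

AUID_UNSET = 4294967295  # (uid_t)-1, the kernel's "loginuid was never set" value

# Constructed audit records (not from a real host): sshd and login run
# pam_loginuid in their session stack, the cron stack here does not.
SAMPLE_AUDIT = """\
type=USER_START msg=audit(1700000000.101:201): pid=1201 uid=0 auid=1000 ses=3 msg='op=PAM:session_open grantors=pam_unix,pam_loginuid acct="alice" exe="/usr/sbin/sshd" res=success'
type=USER_START msg=audit(1700000000.202:202): pid=1202 uid=0 auid=1001 ses=4 msg='op=PAM:session_open grantors=pam_unix,pam_loginuid acct="bob" exe="/bin/login" res=success'
type=USER_START msg=audit(1700000000.303:203): pid=1203 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:session_open grantors=pam_unix acct="root" exe="/usr/sbin/cron" res=success'
type=USER_START msg=audit(1700000000.404:204): pid=1204 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:session_open grantors=pam_unix acct="alice" exe="/usr/sbin/cron" res=success'
type=USER_END msg=audit(1700000000.505:205): pid=1201 uid=0 auid=1000 ses=3 msg='op=PAM:session_close grantors=pam_unix,pam_loginuid acct="alice" exe="/usr/sbin/sshd" res=success'
"""

# key=value, where the value may be "quoted", 'quoted' or a bare token
FIELD_RE = re.compile(r"(\w+)=(\"[^\"]*\"|'[^']*'|\S+)")


def parse_record(line: str) -> Dict[str, str]:
    """Flatten one audit line to key/value pairs, including those inside msg='...'."""
    fields: Dict[str, str] = {}
    for key, val in FIELD_RE.findall(line):
        if key == "msg" and val.startswith("'"):
            for k, v in FIELD_RE.findall(val[1:-1]):   # nested PAM fields
                fields[k] = v.strip('"')
        else:
            fields[key] = val.strip('"')
    return fields


def sessions_without_loginuid(text: str) -> List[Dict[str, str]]:
    """Successful session opens whose auid is still the unset value.

    Every later audit event from such a session carries the same unset auid,
    so it cannot be attributed to the account that logged in."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec.get("type") != "USER_START" or rec.get("res") != "success":
            continue
        if int(rec.get("auid", AUID_UNSET)) == AUID_UNSET:
            hits.append(rec)
    return hits


def exes_missing_loginuid(text: str) -> List[str]:
    """Entry-point programs that opened sessions without setting loginuid."""
    return sorted({rec["exe"] for rec in sessions_without_loginuid(text)})


if __name__ == "__main__":
    for rec in sessions_without_loginuid(SAMPLE_AUDIT):
        print(f"pid={rec['pid']} exe={rec['exe']} acct={rec['acct']} auid unset")
    print("PAM stacks to check for pam_loginuid:", exes_missing_loginuid(SAMPLE_AUDIT))
```

<p>On the constructed input only the two cron sessions are reported, which points at the one PAM stack that lacks the <code class="option">session required pam_loginuid.so</code> line shown in the example above. Programs such as su or sudo are expected to appear with the original user's auid, not an unset one, which is why the description says not to add the module to their stacks.</p>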
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>6.19. pam_mail - inform about available mail</title><meta name="generator" content="DocBook XSL Stylesheets Vsnapshot"><link rel="home" href="Linux-PAM_SAG.html" title="The Linux-PAM System Administrators' Guide"><link rel="up" href="sag-module-reference.html" title="Chapter 6. A reference guide for available modules"><link rel="prev" href="sag-pam_loginuid.html" title="6.18. pam_loginuid - record user's login uid to the process attribute"><link rel="next" href="sag-pam_mkhomedir.html" title="6.20. pam_mkhomedir - create users home directory"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">6.19. pam_mail - inform about available mail</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="sag-pam_loginuid.html">Prev</a> </td><th width="60%" align="center">Chapter 6. A reference guide for available modules</th><td width="20%" align="right"> <a accesskey="n" href="sag-pam_mkhomedir.html">Next</a></td></tr></table><hr></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="sag-pam_mail"></a>6.19. pam_mail - inform about available mail</h2></div></div></div><div class="cmdsynopsis"><p><code class="command">pam_mail.so</code>  [
	close
      ] [
	debug
      ] [
        dir=<em class="replaceable"><code>maildir</code></em>
      ] [
	empty
      ] [
	hash=<em class="replaceable"><code>count</code></em>
      ] [
	noenv
      ] [
	nopen
      ] [
	quiet
      ] [
	standard
      ]</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_mail-description"></a>6.19.1. DESCRIPTION</h3></div></div></div><p>
      The pam_mail PAM module provides the "you have new mail"
      service to the user. It can be plugged into any application
      that has credential or session hooks. It gives a single message
      indicating the <span class="emphasis"><em>newness</em></span> of any mail it finds
      in the user's mail folder. This module also sets the PAM
      environment variable, <span class="emphasis"><em>MAIL</em></span>, to the
      user's mail directory.
    </p><p>
      If the mail spool file (be it <code class="filename">/var/mail/$USER</code>
      or a pathname given with the <code class="option">dir=</code> parameter) is
      a directory then pam_mail assumes it is in the
      <span class="emphasis"><em>Maildir</em></span> format.
    </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_mail-options"></a>6.19.2. OPTIONS</h3></div></div></div><p>
      </p><div class="variablelist"><dl class="variablelist"><dt><span class="term">
            <code class="option">close</code>
          </span></dt><dd><p>
              Also indicate on logout whether the user has any mail.
            </p></dd><dt><span class="term">
            <code class="option">debug</code>
          </span></dt><dd><p>
	      Print debug information.
            </p></dd><dt><span class="term">
            <code class="option">dir=<em class="replaceable"><code>maildir</code></em></code>
          </span></dt><dd><p>
              Look for the user's mail in an alternative location defined by
             <code class="filename">maildir/&lt;login&gt;</code>.  The default
             location for mail is <code class="filename">/var/mail/&lt;login&gt;</code>.
             Note, if the supplied
             <code class="filename">maildir</code> is prefixed by a '~', the
             directory is interpreted as indicating a file in the user's
             home directory.
            </p></dd><dt><span class="term">
            <code class="option">empty</code>
          </span></dt><dd><p>
              Also print a message if the user has no mail.
            </p></dd><dt><span class="term">
            <code class="option">hash=<em class="replaceable"><code>count</code></em></code>
          </span></dt><dd><p>
              Mail directory hash depth. For example, a
              <span class="emphasis"><em>hashcount</em></span> of 2 would
              make the mail file be
              <code class="filename">/var/spool/mail/u/s/user</code>.
            </p></dd><dt><span class="term">
            <code class="option">noenv</code>
          </span></dt><dd><p>
	      Do not set the <span class="emphasis"><em>MAIL</em></span>
              environment variable.
            </p></dd><dt><span class="term">
            <code class="option">nopen</code>
          </span></dt><dd><p>
	      Don't print any mail information on login. This flag is
              useful to get the <span class="emphasis"><em>MAIL</em></span>
              environment variable set without displaying any information
              about it.
            </p></dd><dt><span class="term">
            <code class="option">quiet</code>
          </span></dt><dd><p>
	      Only report when there is new mail.
            </p></dd><dt><span class="term">
            <code class="option">standard</code>
          </span></dt><dd><p>
	      Old style "You have..." format which doesn't show the
              mail spool being used. This also implies "empty".
            </p></dd></dl></div><p>

    </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_mail-types"></a>6.19.3. MODULE TYPES PROVIDED</h3></div></div></div><p>
      The <code class="option">session</code> and
      <code class="option">auth</code> (on establishment and
      deletion of credentials) module types are provided.
    </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_mail-return_values"></a>6.19.4. RETURN VALUES</h3></div></div></div><div class="variablelist"><dl class="variablelist"><dt><span class="term">PAM_BUF_ERR</span></dt><dd><p>
             Memory buffer error.
          </p></dd><dt><span class="term">PAM_SERVICE_ERR</span></dt><dd><p>
	    Badly formed arguments.
          </p></dd><dt><span class="term">PAM_SUCCESS</span></dt><dd><p>
            Success.
          </p></dd><dt><span class="term">PAM_USER_UNKNOWN</span></dt><dd><p>
            User not known.
          </p></dd></dl></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_mail-examples"></a>6.19.5. EXAMPLES</h3></div></div></div><p>
      Add the following line to <code class="filename">/etc/pam.d/login</code> to
      indicate that the user has new mail when they login to the system.
      </p><pre class="programlisting">
session  optional  pam_mail.so standard
      </pre><p>
    </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_mail-author"></a>6.19.6. AUTHOR</h3></div></div></div><p>
        pam_mail was written by Andrew G. Morgan &lt;morgan@kernel.org&gt;.
      </p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="sag-pam_loginuid.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="sag-module-reference.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="sag-pam_mkhomedir.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">6.18. pam_loginuid - record user's login uid to the process attribute </td><td width="20%" align="center"><a accesskey="h" href="Linux-PAM_SAG.html">Home</a></td><td width="40%" align="right" valign="top"> 6.20. pam_mkhomedir - create users home directory</td></tr></table></div></body></html>
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>6.20. pam_mkhomedir - create users home directory</title><meta name="generator" content="DocBook XSL Stylesheets Vsnapshot"><link rel="home" href="Linux-PAM_SAG.html" title="The Linux-PAM System Administrators' Guide"><link rel="up" href="sag-module-reference.html" title="Chapter 6. A reference guide for available modules"><link rel="prev" href="sag-pam_mail.html" title="6.19. pam_mail - inform about available mail"><link rel="next" href="sag-pam_motd.html" title="6.21. pam_motd - display the motd file"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">6.20. pam_mkhomedir - create users home directory</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="sag-pam_mail.html">Prev</a> </td><th width="60%" align="center">Chapter 6. A reference guide for available modules</th><td width="20%" align="right"> <a accesskey="n" href="sag-pam_motd.html">Next</a></td></tr></table><hr></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="sag-pam_mkhomedir"></a>6.20. pam_mkhomedir - create users home directory</h2></div></div></div><div class="cmdsynopsis"><p><code class="command">pam_mkhomedir.so</code>  [
        silent
      ] [
        umask=<em class="replaceable"><code>mode</code></em>
      ] [
        skel=<em class="replaceable"><code>skeldir</code></em>
      ]</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_mkhomedir-description"></a>6.20.1. DESCRIPTION</h3></div></div></div><p>
      The pam_mkhomedir PAM module will create a user's home directory
      if it does not exist when the session begins. This allows users
      to be kept in a central database (such as NIS, Kerberos or LDAP)
      without using a distributed file system or pre-creating a large
      number of directories. Default files are copied from the skeleton
      directory (usually <code class="filename">/etc/skel/</code>), and
      the directory is created with the configured umask.
    </p><p>
      The new user's home directory will not be removed when the user
      logs out.
    </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_mkhomedir-options"></a>6.20.2. OPTIONS</h3></div></div></div><div class="variablelist"><dl class="variablelist"><dt><span class="term">
          <code class="option">silent</code>
        </span></dt><dd><p>
            Don't print informative messages.
          </p></dd><dt><span class="term">
          <code class="option">umask=<em class="replaceable"><code>mask</code></em></code>
        </span></dt><dd><p>
            The user file-creation mask is set to
            <em class="replaceable"><code>mask</code></em>. The default value of mask is
            0022.
          </p></dd><dt><span class="term">
          <code class="option">skel=<em class="replaceable"><code>/path/to/skel/directory</code></em></code>
        </span></dt><dd><p>
            Indicate an alternative <code class="filename">skel</code> directory
            to override the default <code class="filename">/etc/skel</code>.
          </p></dd></dl></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_mkhomedir-types"></a>6.20.3. MODULE TYPES PROVIDED</h3></div></div></div><p>
      Only the <code class="option">session</code> module type is provided.
    </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_mkhomedir-return_values"></a>6.20.4. RETURN VALUES</h3></div></div></div><div class="variablelist"><dl class="variablelist"><dt><span class="term">PAM_BUF_ERR</span></dt><dd><p>
             Memory buffer error.
          </p></dd><dt><span class="term">PAM_CRED_INSUFFICIENT</span></dt><dd><p>
             Insufficient credentials to access authentication data.
          </p></dd><dt><span class="term">PAM_PERM_DENIED</span></dt><dd><p>
             Not enough permissions to create the new directory
             or read the skel directory.
          </p></dd><dt><span class="term">PAM_USER_UNKNOWN</span></dt><dd><p>
             User not known to the underlying authentication module.
          </p></dd><dt><span class="term">PAM_SUCCESS</span></dt><dd><p>
             Environment variables were set.
          </p></dd></dl></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_mkhomedir-examples"></a>6.20.5. EXAMPLES</h3></div></div></div><p>
      A sample /etc/pam.d/login file:
      </p><pre class="programlisting">
  auth       requisite   pam_securetty.so
  auth       sufficient  pam_ldap.so
  auth       required    pam_unix.so
  auth       required    pam_nologin.so
  account    sufficient  pam_ldap.so
  account    required    pam_unix.so
  password   required    pam_unix.so
  session    required    pam_mkhomedir.so skel=/etc/skel/ umask=0022
  session    required    pam_unix.so
  session    optional    pam_lastlog.so
  session    optional    pam_mail.so standard
      </pre><p>
    </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_mkhomedir-author"></a>6.20.6. AUTHOR</h3></div></div></div><p>
      pam_mkhomedir was written by Jason Gunthorpe &lt;jgg@debian.org&gt;.
    </p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="sag-pam_mail.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="sag-module-reference.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="sag-pam_motd.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">6.19. pam_mail - inform about available mail </td><td width="20%" align="center"><a accesskey="h" href="Linux-PAM_SAG.html">Home</a></td><td width="40%" align="right" valign="top"> 6.21. pam_motd - display the motd file</td></tr></table></div></body></html>
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>6.21. pam_motd - display the motd file</title><meta name="generator" content="DocBook XSL Stylesheets Vsnapshot"><link rel="home" href="Linux-PAM_SAG.html" title="The Linux-PAM System Administrators' Guide"><link rel="up" href="sag-module-reference.html" title="Chapter 6. A reference guide for available modules"><link rel="prev" href="sag-pam_mkhomedir.html" title="6.20. pam_mkhomedir - create users home directory"><link rel="next" href="sag-pam_namespace.html" title="6.22. pam_namespace - setup a private namespace"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">6.21. pam_motd - display the motd file</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="sag-pam_mkhomedir.html">Prev</a> </td><th width="60%" align="center">Chapter 6. A reference guide for available modules</th><td width="20%" align="right"> <a accesskey="n" href="sag-pam_namespace.html">Next</a></td></tr></table><hr></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="sag-pam_motd"></a>6.21. pam_motd - display the motd file</h2></div></div></div><div class="cmdsynopsis"><p><code class="command">pam_motd.so</code>  [
        motd=<em class="replaceable"><code>/path/filename</code></em>
      ] [
        motd_dir=<em class="replaceable"><code>/path/dirname.d</code></em>
      ]</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_motd-description"></a>6.21.1. DESCRIPTION</h3></div></div></div><p>
      pam_motd is a PAM module that can be used to display
      arbitrary motd (message of the day) files after a successful
      login. By default, pam_motd shows files in the
      following locations:
    </p><p>
      </p><table border="0" summary="Simple list" class="simplelist"><tr><td><code class="filename">/etc/motd</code></td></tr><tr><td><code class="filename">/run/motd</code></td></tr><tr><td><code class="filename">/usr/lib/motd</code></td></tr><tr><td><code class="filename">/etc/motd.d/</code></td></tr><tr><td><code class="filename">/run/motd.d/</code></td></tr><tr><td><code class="filename">/usr/lib/motd.d/</code></td></tr></table><p>
    </p><p>
      Each message size is limited to 64KB.
    </p><p>
      If <code class="filename">/etc/motd</code> does not exist,
      then <code class="filename">/run/motd</code> is shown. If
      <code class="filename">/run/motd</code> does not exist, then
      <code class="filename">/usr/lib/motd</code> is shown.
    </p><p>
      Similar overriding behavior applies to the directories.
      Files in <code class="filename">/etc/motd.d/</code> override files
      with the same name in <code class="filename">/run/motd.d/</code> and
      <code class="filename">/usr/lib/motd.d/</code>. Files in <code class="filename">/run/motd.d/</code>
      override files with the same name in <code class="filename">/usr/lib/motd.d/</code>.
    </p><p>
      Files in the directories listed above are displayed in lexicographic
      order by name. Moreover, the files are filtered by reading them with the
      credentials of the target user authenticating on the system.
    </p><p>
      To silence a message,
      a symbolic link with target <code class="filename">/dev/null</code>
      may be placed in <code class="filename">/etc/motd.d</code> with
      the same filename as the message to be silenced. Example:
      Creating a symbolic link as follows silences <code class="filename">/usr/lib/motd.d/my_motd</code>.
    </p><p>
      <span class="command"><strong>ln -s /dev/null /etc/motd.d/my_motd</strong></span>
    </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_motd-options"></a>6.21.2. OPTIONS</h3></div></div></div><div class="variablelist"><dl class="variablelist"><dt><span class="term">
          <code class="option">motd=<em class="replaceable"><code>/path/filename</code></em></code>
        </span></dt><dd><p>
            The <code class="filename">/path/filename</code> file is displayed
            as message of the day. Multiple paths to try can be
            specified as a colon-separated list. By default this option
            is set to <code class="filename">/etc/motd:/run/motd:/usr/lib/motd</code>.
          </p></dd><dt><span class="term">
          <code class="option">motd_dir=<em class="replaceable"><code>/path/dirname.d</code></em></code>
        </span></dt><dd><p>
            The <code class="filename">/path/dirname.d</code> directory is scanned
            and each file contained inside of it is displayed. Multiple
            directories to scan can be specified as a colon-separated list.
            By default this option is set to <code class="filename">/etc/motd.d:/run/motd.d:/usr/lib/motd.d</code>.
          </p></dd></dl></div><p>
      When no options are given, the default behavior applies for both
      options. Specifying either option (or both) will disable the
      default behavior for both options.
    </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_motd-types"></a>6.21.3. MODULE TYPES PROVIDED</h3></div></div></div><p>
      Only the <code class="option">session</code> module type is provided.
    </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_motd-return_values"></a>6.21.4. RETURN VALUES</h3></div></div></div><div class="variablelist"><dl class="variablelist"><dt><span class="term">PAM_IGNORE</span></dt><dd><p>
            This is the only return value of this module.
          </p></dd></dl></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_motd-examples"></a>6.21.5. EXAMPLES</h3></div></div></div><p>
      The suggested usage for <code class="filename">/etc/pam.d/login</code> is:
      </p><pre class="programlisting">
session  optional  pam_motd.so
      </pre><p>
    </p><p>
      To use a <code class="filename">motd</code> file from a different location:
      </p><pre class="programlisting">
session  optional  pam_motd.so motd=/elsewhere/motd
      </pre><p>
    </p><p>
      To use a <code class="filename">motd</code> file from elsewhere, along with a
      corresponding <code class="filename">.d</code> directory:
      </p><pre class="programlisting">
session  optional  pam_motd.so motd=/elsewhere/motd motd_dir=/elsewhere/motd.d
      </pre><p>
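As an added example (not part of Linux-PAM or this guide), the following Python emulates the file-selection rules described above: the first existing file in the motd list, name-based override between the motd.d directories, lexicographic display order, the /dev/null symlink used to silence a message, and the option interaction where giving either option disables the default for the other. The root parameter and the constructed directory tree are assumptions so the logic can be exercised offline; reading the files with the target user's credentials is not emulated.

```python
"""Added example (not Linux-PAM code): emulate pam_motd's file selection.

The `root` parameter and the demo tree are assumptions of this example so it
runs offline; the module itself walks the real filesystem.
"""
import os
import tempfile
from pathlib import Path

DEFAULT_MOTD = "/etc/motd:/run/motd:/usr/lib/motd"
DEFAULT_MOTD_DIR = "/etc/motd.d:/run/motd.d:/usr/lib/motd.d"


def _logical(path, root):
    """Path as pam_motd would name it, with the test-only root prefix removed."""
    return "/" + path.relative_to(root).as_posix()


def resolve_motd(motd=None, motd_dir=None, root="/"):
    """Return the ordered list of files pam_motd would display.

    motd and motd_dir mirror the module options (colon-separated lists). When
    neither is given both defaults apply; giving either one disables the
    default for the other, as the OPTIONS section states.
    """
    if motd is None and motd_dir is None:
        motd, motd_dir = DEFAULT_MOTD, DEFAULT_MOTD_DIR
    root = Path(root)
    shown = []

    # Single motd file: the first existing path in the list wins.
    for p in filter(None, (motd or "").split(":")):
        candidate = root / p.lstrip("/")
        if candidate.is_file():
            shown.append(_logical(candidate, root))
            break

    # motd.d directories: an earlier directory overrides a later one by name.
    chosen = {}
    for d in filter(None, (motd_dir or "").split(":")):
        directory = root / d.lstrip("/")
        if directory.is_dir():
            for entry in directory.iterdir():
                chosen.setdefault(entry.name, entry)

    # Display in lexicographic order; a /dev/null symlink silences that name.
    for name in sorted(chosen):
        entry = chosen[name]
        if entry.is_symlink() and os.readlink(entry) == "/dev/null":
            continue
        if entry.is_file():
            shown.append(_logical(entry, root))
    return shown


def build_demo_tree(base):
    """Constructed sample layout (not real system files) under `base`."""
    files = {
        "run/motd": "from /run",
        "usr/lib/motd": "from vendor",
        "usr/lib/motd.d/10-vendor": "vendor note",
        "usr/lib/motd.d/50-my_motd": "vendor my_motd",
        "run/motd.d/50-my_motd": "/run copy overrides the vendor copy",
        "etc/motd.d/20-site": "site note",
    }
    for rel, content in files.items():
        p = Path(base) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content)
    # Equivalent of: ln -s /dev/null /etc/motd.d/50-my_motd
    (Path(base) / "etc/motd.d/50-my_motd").symlink_to("/dev/null")


def run_demo():
    """Defaults versus an explicit motd= option (which disables motd_dir)."""
    with tempfile.TemporaryDirectory() as base:
        build_demo_tree(base)
        defaults = resolve_motd(root=base)
        motd_only = resolve_motd(motd="/etc/motd:/usr/lib/motd", root=base)
    return defaults, motd_only


if __name__ == "__main__":
    for label, result in zip(("defaults", "motd= only"), run_demo()):
        print(label, result)
```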
    </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_motd-author"></a>6.21.6. AUTHOR</h3></div></div></div><p>
        pam_motd was written by Ben Collins &lt;bcollins@debian.org&gt;.
      </p><p>
        The <code class="option">motd_dir=</code> option was added by
        Allison Karlitskaya &lt;allison.karlitskaya@redhat.com&gt;.
      </p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="sag-pam_mkhomedir.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="sag-module-reference.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="sag-pam_namespace.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">6.20. pam_mkhomedir - create users home directory </td><td width="20%" align="center"><a accesskey="h" href="Linux-PAM_SAG.html">Home</a></td><td width="40%" align="right" valign="top"> 6.22. pam_namespace - setup a private namespace</td></tr></table></div></body></html>
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>6.22. pam_namespace - setup a private namespace</title><meta name="generator" content="DocBook XSL Stylesheets Vsnapshot"><link rel="home" href="Linux-PAM_SAG.html" title="The Linux-PAM System Administrators' Guide"><link rel="up" href="sag-module-reference.html" title="Chapter 6. A reference guide for available modules"><link rel="prev" href="sag-pam_motd.html" title="6.21. pam_motd - display the motd file"><link rel="next" href="sag-pam_nologin.html" title="6.23. pam_nologin - prevent non-root users from login"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">6.22. pam_namespace - setup a private namespace</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="sag-pam_motd.html">Prev</a> </td><th width="60%" align="center">Chapter 6. A reference guide for available modules</th><td width="20%" align="right"> <a accesskey="n" href="sag-pam_nologin.html">Next</a></td></tr></table><hr></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="sag-pam_namespace"></a>6.22. pam_namespace - setup a private namespace</h2></div></div></div><div class="cmdsynopsis"><p><code class="command">pam_namespace.so</code>  [
        debug
      ] [
        unmnt_remnt
      ] [
        unmnt_only
      ] [
        require_selinux
      ] [
        gen_hash
      ] [
        ignore_config_error
      ] [
        ignore_instance_parent_mode
      ] [
        unmount_on_close
      ] [
        use_current_context
      ] [
        use_default_context
      ] [
        mount_private
      ]</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_namespace-description"></a>6.22.1. DESCRIPTION</h3></div></div></div><p>
      The pam_namespace PAM module sets up a private namespace for a session
      with polyinstantiated directories. A polyinstantiated directory
      provides a different instance of itself based on user name, or when
      using SELinux, user name, security context or both.  If an executable
      script <code class="filename">/etc/security/namespace.init</code> exists, it
      is used to initialize the instance directory after it is set up
      and mounted on the polyinstantiated directory. The script receives the
      polyinstantiated directory path, the instance directory path, flag
      whether the instance directory was newly created (0 for no, 1 for yes),
      and the user name as its arguments.
    </p><p>
      The pam_namespace module disassociates the session namespace from
      the parent namespace. Any mounts/unmounts performed in the parent
      namespace, such as mounting of devices, are not reflected in the
      session namespace. To propagate selected mount/unmount events from
      the parent namespace into the disassociated session namespace, an
      administrator may use the special shared-subtree feature. For
      additional information on shared-subtree feature, please refer to
      the mount(8) man page and the shared-subtree description at
      http://lwn.net/Articles/159077 and http://lwn.net/Articles/159092.
    </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-namespace.conf-description"></a>6.22.2. DESCRIPTION</h3></div></div></div><p>
      The <span class="emphasis"><em>pam_namespace.so</em></span> module allows setup of
      private namespaces with polyinstantiated directories.
      Directories can be polyinstantiated based on user name
      or, in the case of SELinux, user name, sensitivity level or complete security context.  If an
      executable script <code class="filename">/etc/security/namespace.init</code>
      exists, it is used to initialize the namespace every time an instance
      directory is set up and mounted. The script receives the polyinstantiated
      directory path and the instance directory path as its arguments.
    </p><p>
      The <code class="filename">/etc/security/namespace.conf</code> file specifies
      which directories are polyinstantiated, how they are polyinstantiated,
      how instance directories would be named, and any users for whom
      polyinstantiation would not be performed.
    </p><p>
      When someone logs in, the file <code class="filename">namespace.conf</code> is
      scanned. Comments are marked by <span class="emphasis"><em>#</em></span> characters.
      Each non-comment line represents one polyinstantiated
      directory. The fields are separated by spaces but can be quoted by
      <span class="emphasis"><em>"</em></span> characters; the escape
      sequences <span class="emphasis"><em>\b</em></span>, <span class="emphasis"><em>\n</em></span>, and
      <span class="emphasis"><em>\t</em></span> are also recognized. The fields are as follows:
   </p><p><em class="replaceable"><code>polydir</code></em> <em class="replaceable"><code>instance_prefix</code></em> <em class="replaceable"><code>method</code></em> <em class="replaceable"><code>list_of_uids</code></em>
    </p><p>
      The first field, <em class="replaceable"><code>polydir</code></em>, is the absolute
      pathname of the directory to polyinstantiate. The special string
      <span class="emphasis"><em>$HOME</em></span> is replaced with the user's home directory,
      and <span class="emphasis"><em>$USER</em></span> with the username. This field cannot
      be blank.
    </p><p>
      The second field, <em class="replaceable"><code>instance_prefix</code></em> is
      the string prefix used to build the pathname for the instantiation
      of &lt;polydir&gt;. Depending on the polyinstantiation
      <em class="replaceable"><code>method</code></em> it is then appended with
      "instance differentiation string" to generate the final
      instance directory path. This directory is created if it did not exist
      already, and is then bind mounted on the &lt;polydir&gt; to provide an
      instance of &lt;polydir&gt; based on the &lt;method&gt; column.
      The special string <span class="emphasis"><em>$HOME</em></span> is replaced with the
      user's home directory, and <span class="emphasis"><em>$USER</em></span> with the username.
      This field cannot be blank.
    </p><p>
      The third field, <em class="replaceable"><code>method</code></em>, is the method
      used for polyinstantiation. It can take these values: "user"
      for polyinstantiation based on user name, "level" for
      polyinstantiation based on process MLS level and user name, "context" for
      polyinstantiation based on process security context and user name,
      "tmpfs" for mounting tmpfs filesystem as an instance dir, and
      "tmpdir" for creating temporary directory as an instance dir which is
      removed when the user's session is closed.
      Methods "context" and "level" are only available with SELinux. This
      field cannot be blank.
    </p><p>
      The fourth field, <em class="replaceable"><code>list_of_uids</code></em>, is
      a comma separated list of user names for whom the polyinstantiation
      is not performed. If left blank, polyinstantiation will be performed
      for all users. If the list is preceded with a single "~" character,
      polyinstantiation is performed only for users in the list.
    </p><p>
      The <em class="replaceable"><code>method</code></em> field can also contain the
      following optional flags, separated by <span class="emphasis"><em>:</em></span> characters.
    </p><p><span class="emphasis"><em>create</em></span>=<em class="replaceable"><code>mode</code></em>,<em class="replaceable"><code>owner</code></em>,<em class="replaceable"><code>group</code></em>
      - create the polyinstantiated directory. The mode, owner and group parameters
      are optional. The default for mode is determined by umask, the default
      owner is the user whose session is opened, the default group is the
      primary group of the user.
    </p><p><span class="emphasis"><em>iscript</em></span>=<em class="replaceable"><code>path</code></em>
      - path to the instance directory init script. The base directory for relative
      paths is <code class="filename">/etc/security/namespace.d</code>.
    </p><p><span class="emphasis"><em>noinit</em></span>
      - instance directory init script will not be executed.
    </p><p><span class="emphasis"><em>shared</em></span>
      - the instance directories for "context" and "level" methods will not
      contain the user name and will be shared among all users.
    </p><p><span class="emphasis"><em>mntopts</em></span>=<em class="replaceable"><code>value</code></em>
      - value of this flag is passed to the mount call when the tmpfs mount is
      done. It allows for example the specification of the maximum size of the
      tmpfs instance that is created by the mount call. In addition to
      options specified in the <span class="citerefentry"><span class="refentrytitle">tmpfs</span>(5)</span> manual the <span class="emphasis"><em>nosuid</em></span>,
      <span class="emphasis"><em>noexec</em></span>, and <span class="emphasis"><em>nodev</em></span> flags
      can be used to respectively disable setuid bit effect, disable running
      executables, and disable devices to be interpreted on the mounted
      tmpfs filesystem.
    </p><p>
      The directory where polyinstantiated instances are to be
      created must exist and must have, by default, the mode of 0000.  The
      requirement that the instance parent be of mode 0000 can be overridden
      with the command line option <span class="emphasis"><em>ignore_instance_parent_mode</em></span>.
    </p><p>
      In case of context or level polyinstantiation the SELinux context
      which is used for polyinstantiation is the context used for executing
      a new process as obtained by getexeccon. This context must be set
      by the calling application or <code class="filename">pam_selinux.so</code>
      module. If this context is not set the polyinstantiation will be
      based just on user name.
    </p><p>
      The "instance differentiation string" is &lt;user name&gt; for "user"
      method and &lt;user name&gt;_&lt;raw directory context&gt; for "context"
      and "level" methods. If the whole string is too long the end of it is
      replaced with md5sum of itself. Also when command line option
      <span class="emphasis"><em>gen_hash</em></span> is used the whole string is replaced
      with md5sum of itself.
    </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_namespace-options"></a>6.22.3. OPTIONS</h3></div></div></div><div class="variablelist"><dl class="variablelist"><dt><span class="term">
          <code class="option">debug</code>
        </span></dt><dd><p>
            A lot of debug information is logged using syslog.
          </p></dd><dt><span class="term">
          <code class="option">unmnt_remnt</code>
        </span></dt><dd><p>
            For programs such as su and newrole, the login
            session has already set up a polyinstantiated
            namespace. For these programs, polyinstantiation
            is performed based on the new user id or security
            context; however, the command first needs to
            undo the polyinstantiation performed by login.
            This argument instructs the command to
            first undo the previous polyinstantiation before
            proceeding with new polyinstantiation based on the
            new id/context.
          </p></dd><dt><span class="term">
          <code class="option">unmnt_only</code>
        </span></dt><dd><p>
            For trusted programs that want to undo any
            existing bind mounts and process instance
            directories on their own, this argument allows
            them to unmount currently mounted instance
            directories.
          </p></dd><dt><span class="term">
          <code class="option">require_selinux</code>
        </span></dt><dd><p>
            If SELinux is not enabled, return failure.
          </p></dd><dt><span class="term">
          <code class="option">gen_hash</code>
        </span></dt><dd><p>
            Instead of using the security context string
            for the instance name, generate and use its
            md5 hash.
          </p></dd><dt><span class="term">
          <code class="option">ignore_config_error</code>
        </span></dt><dd><p>
            If a line in the configuration file corresponding
            to a polyinstantiated directory contains a format
            error, skip that line and process the next line.
            Without this option, PAM will return an error
            to the calling program, resulting in termination
            of the session.
          </p></dd><dt><span class="term">
          <code class="option">ignore_instance_parent_mode</code>
        </span></dt><dd><p>
	    Instance parent directories by default are expected to have
	    the restrictive mode of 000. Using this option, an administrator
	    can choose to ignore the mode of the instance parent. This option
            should be used with caution as it will reduce security and
            isolation goals of the polyinstantiation mechanism.
          </p></dd><dt><span class="term">
          <code class="option">unmount_on_close</code>
        </span></dt><dd><p>
           Explicitly unmount the polyinstantiated directories instead
           of relying on automatic namespace destruction after the last
           process in a namespace exits. This option should be used
           only in case it is ensured by other means that there cannot be
           any processes running in the private namespace left after the
           session close. It is also useful only in case there are
           multiple pam session calls in sequence from the same process.
          </p></dd><dt><span class="term">
          <code class="option">use_current_context</code>
        </span></dt><dd><p>
	    Useful for services which do not change the SELinux context
	    with setexeccon call. The module will use the current SELinux
	    context of the calling process for the level and context
	    polyinstantiation.
          </p></dd><dt><span class="term">
          <code class="option">use_default_context</code>
        </span></dt><dd><p>
	    Useful for services which do not use pam_selinux for changing
	    the SELinux context with setexeccon call. The module will use
	    the default SELinux context of the user for the level and context
	    polyinstantiation.
          </p></dd><dt><span class="term">
          <code class="option">mount_private</code>
        </span></dt><dd><p>
	    This option can be used on systems where the / mount point or
	    its submounts are made shared (for example with a
	    <span class="command"><strong>mount --make-rshared /</strong></span> command).
	    The module will mark the whole directory tree so any mount and
	    unmount operations in the polyinstantiation namespace are private.
	    Normally the pam_namespace will try to detect the
	    shared / mount point and make the polyinstantiated directories
	    private automatically. This option has to be used just when
	    only a subtree is shared and / is not.
          </p><p>
	    Note that mounts and unmounts done in the private namespace will not
	    affect the parent namespace if this option is used or when the
	    shared / mount point is autodetected.
          </p></dd></dl></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_namespace-types"></a>6.22.4. MODULE TYPES PROVIDED</h3></div></div></div><p>
      Only the <code class="option">session</code> module type is provided.
      The module must not be called from multithreaded processes.
    </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_namespace-return_values"></a>6.22.5. RETURN VALUES</h3></div></div></div><div class="variablelist"><dl class="variablelist"><dt><span class="term">PAM_SUCCESS</span></dt><dd><p>
             Namespace setup was successful.
          </p></dd><dt><span class="term">PAM_SERVICE_ERR</span></dt><dd><p>
             Unexpected system error occurred while setting up namespace.
          </p></dd><dt><span class="term">PAM_SESSION_ERR</span></dt><dd><p>
             Unexpected namespace configuration error occurred.
          </p></dd></dl></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_namespace-files"></a>6.22.6. FILES</h3></div></div></div><div class="variablelist"><dl class="variablelist"><dt><span class="term"><code class="filename">/etc/security/namespace.conf</code></span></dt><dd><p>Main configuration file</p></dd><dt><span class="term"><code class="filename">/etc/security/namespace.d</code></span></dt><dd><p>Directory for additional configuration files</p></dd><dt><span class="term"><code class="filename">/etc/security/namespace.init</code></span></dt><dd><p>Init script for instance directories</p></dd></dl></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-namespace.conf-examples"></a>6.22.7. EXAMPLES</h3></div></div></div><p>
      These are some example lines which might be specified in
      <code class="filename">/etc/security/namespace.conf</code>.
    </p><div class="literallayout"><p><br>
      # The following three lines will polyinstantiate /tmp,<br>
      # /var/tmp and user's home directories. /tmp and /var/tmp<br>
      # will be polyinstantiated based on the security level<br>
      # as well as user name, whereas home directory will be<br>
      # polyinstantiated based on the full security context and user name.<br>
      # Polyinstantiation will not be performed for user root<br>
      # and adm for directories /tmp and /var/tmp, whereas home<br>
      # directories will be polyinstantiated for all users.<br>
      #<br>
      # Note that instance directories do not have to reside inside<br>
      # the polyinstantiated directory. In the examples below,<br>
      # instances of /tmp will be created in /tmp-inst directory,<br>
      # whereas instances of /var/tmp and users' home directories<br>
      # will reside within the directories that are being<br>
      # polyinstantiated.<br>
      #<br>
      /tmp     /tmp-inst/               level      root,adm<br>
      /var/tmp /var/tmp/tmp-inst/   	level      root,adm<br>
      $HOME    $HOME/$USER.inst/inst- context<br>
    </p></div><p>
      For the &lt;service&gt;s you need polyinstantiation (login for example)
      put the following line in /etc/pam.d/&lt;service&gt; as the last line for
      session group:
    </p><p>
      session  required  pam_namespace.so [arguments]
    </p><p>
      This module also depends on pam_selinux.so setting the context.
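As an added example (not part of Linux-PAM or this guide), the following Python parses namespace.conf lines such as the three above (field splitting with quoting and escapes, method flags separated by ":", the "~" prefix on the user list, $HOME/$USER expansion) and derives the instance directory that would be bind-mounted for a user, including the md5sum replacement for over-long names and for gen_hash. The length limit max_len and the way the SELinux context or level is passed in are assumptions of this example.

```python
"""Added example (not Linux-PAM code): parse namespace.conf and derive the
instance directory pam_namespace would bind-mount on a polyinstantiated
directory. `max_len` and the `context` argument are assumptions here.
"""
import hashlib
from dataclasses import dataclass, field

METHODS = ("user", "level", "context", "tmpfs", "tmpdir")
ESCAPES = {"b": "\b", "n": "\n", "t": "\t"}


def tokenize(text):
    """Split fields on whitespace, honouring "..." quoting and \\b \\n \\t."""
    fields, cur, quoted, pending = [], [], False, False
    i = 0
    while i < len(text):
        c = text[i]
        if c == "\\" and i + 1 < len(text) and text[i + 1] in ESCAPES:
            cur.append(ESCAPES[text[i + 1]])
            pending, i = True, i + 2
            continue
        if c == '"':
            quoted, pending = not quoted, True
        elif c.isspace() and not quoted:
            if pending:
                fields.append("".join(cur))
                cur, pending = [], False
        else:
            cur.append(c)
            pending = True
        i += 1
    if pending:
        fields.append("".join(cur))
    return fields


@dataclass
class PolyDir:
    polydir: str
    instance_prefix: str
    method: str
    flags: dict = field(default_factory=dict)  # e.g. {"create": "0700,root,root", "noinit": True}
    users: tuple = ()
    only_listed: bool = False                  # fourth field was prefixed with "~"


def parse_line(line):
    """Return a PolyDir for one configuration line, or None for blank/comment lines."""
    fields = tokenize(line.split("#", 1)[0])   # comments are marked by '#'
    if not fields:
        return None
    if len(fields) < 3:
        raise ValueError(f"polydir, instance_prefix and method are required: {line!r}")
    polydir, prefix, method_field = fields[:3]
    uids = fields[3] if len(fields) > 3 else ""
    method, *flag_parts = method_field.split(":")
    if method not in METHODS:
        raise ValueError(f"unknown method {method!r}")
    flags = {}
    for part in flag_parts:
        name, _, value = part.partition("=")
        flags[name] = value or True
    users = tuple(u for u in uids.lstrip("~").split(",") if u)
    return PolyDir(polydir, prefix, method, flags, users, uids.startswith("~"))


def applies_to(entry, user):
    """Fourth-field semantics: blank = everyone, list = everyone but, ~list = only."""
    if not entry.users:
        return True
    return (user in entry.users) if entry.only_listed else (user not in entry.users)


def expand(s, user, home):
    return s.replace("$HOME", home).replace("$USER", user)


def instance_dir(entry, user, home, context=None, gen_hash=False, max_len=255):
    """Instance directory for `user`; `context` is the raw SELinux context (or the
    MLS level for "level"), None when the caller set none, which falls back to
    the user name. `max_len` stands in for the module's internal limit."""
    if entry.method in ("tmpfs", "tmpdir"):
        return None   # fresh tmpfs mount or temporary directory, no fixed path
    prefix = expand(entry.instance_prefix, user, home)
    if entry.method == "user" or context is None:
        diff = user
    elif "shared" in entry.flags:
        diff = context                 # shared: no user name in the instance name
    else:
        diff = f"{user}_{context}"
    digest = hashlib.md5(diff.encode()).hexdigest()
    if gen_hash:
        diff = digest
    elif len(diff) > max_len:
        diff = diff[: max_len - len(digest)] + digest   # tail replaced by md5sum
    return prefix + diff


# Constructed from the example lines on this page.
SAMPLE_CONF = """
/tmp     /tmp-inst/               level      root,adm
/var/tmp /var/tmp/tmp-inst/       level      root,adm
$HOME    $HOME/$USER.inst/inst-   context
"""


def demo(user="alice", home="/home/alice", level="s0", context="user_u:user_r:user_t:s0"):
    """For a constructed user, which entries apply and where the instances land."""
    entries = [e for e in map(parse_line, SAMPLE_CONF.splitlines()) if e]
    return {
        "tmp_applies_to_root": applies_to(entries[0], "root"),
        "tmp_instance": instance_dir(entries[0], user, home, level),
        "home_polydir": expand(entries[2].polydir, user, home),
        "home_instance": instance_dir(entries[2], user, home, context),
    }
```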
    </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_namespace-authors"></a>6.22.8. AUTHORS</h3></div></div></div><p>
      The namespace setup scheme was designed by Stephen Smalley, Janak Desai
      and Chad Sellers.
      The pam_namespace PAM module was developed by Janak Desai &lt;janak@us.ibm.com&gt;,
      Chad Sellers &lt;csellers@tresys.com&gt; and Steve Grubb &lt;sgrubb@redhat.com&gt;.
      Additional improvements by Xavier Toth &lt;txtoth@gmail.com&gt; and Tomas Mraz
      &lt;tmraz@redhat.com&gt;.
    </p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="sag-pam_motd.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="sag-module-reference.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="sag-pam_nologin.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">6.21. pam_motd - display the motd file </td><td width="20%" align="center"><a accesskey="h" href="Linux-PAM_SAG.html">Home</a></td><td width="40%" align="right" valign="top"> 6.23. pam_nologin - prevent non-root users from login</td></tr></table></div></body></html>
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>6.23. pam_nologin - prevent non-root users from login</title><meta name="generator" content="DocBook XSL Stylesheets Vsnapshot"><link rel="home" href="Linux-PAM_SAG.html" title="The Linux-PAM System Administrators' Guide"><link rel="up" href="sag-module-reference.html" title="Chapter 6. A reference guide for available modules"><link rel="prev" href="sag-pam_namespace.html" title="6.22. pam_namespace - setup a private namespace"><link rel="next" href="sag-pam_permit.html" title="6.24. pam_permit - the promiscuous module"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">6.23. pam_nologin - prevent non-root users from login</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="sag-pam_namespace.html">Prev</a> </td><th width="60%" align="center">Chapter 6. A reference guide for available modules</th><td width="20%" align="right"> <a accesskey="n" href="sag-pam_permit.html">Next</a></td></tr></table><hr></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="sag-pam_nologin"></a>6.23. pam_nologin - prevent non-root users from login</h2></div></div></div><div class="cmdsynopsis"><p><code class="command">pam_nologin.so</code>  [
        file=<em class="replaceable"><code>/path/nologin</code></em>
      ] [
        successok
      ]</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_nologin-description"></a>6.23.1. DESCRIPTION</h3></div></div></div><p>
      pam_nologin is a PAM module that prevents users from logging into
      the system when <code class="filename">/var/run/nologin</code> or
      <code class="filename">/etc/nologin</code> exists. The contents
      of the file are displayed to the user. The pam_nologin module
      has no effect on the root user's ability to log in.
    </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_nologin-options"></a>6.23.2. OPTIONS</h3></div></div></div><div class="variablelist"><dl class="variablelist"><dt><span class="term">
          <code class="option">file=<em class="replaceable"><code>/path/nologin</code></em></code>
        </span></dt><dd><p>
            Use this file instead of the default
            <code class="filename">/var/run/nologin</code> or
            <code class="filename">/etc/nologin</code>.
          </p></dd><dt><span class="term">
          <code class="option">successok</code>
        </span></dt><dd><p>
            Return PAM_SUCCESS if no file exists; the default is PAM_IGNORE.
          </p></dd></dl></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_nologin-types"></a>6.23.3. MODULE TYPES PROVIDED</h3></div></div></div><p>
      The <code class="option">auth</code> and <code class="option">acct</code> module
      types are provided.
    </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_nologin-return_values"></a>6.23.4. RETURN VALUES</h3></div></div></div><div class="variablelist"><dl class="variablelist"><dt><span class="term">PAM_AUTH_ERR</span></dt><dd><p>
            The user is not root and <code class="filename">/etc/nologin</code>
            exists, so the user is not permitted to log in.
          </p></dd><dt><span class="term">PAM_BUF_ERR</span></dt><dd><p>Memory buffer error.</p></dd><dt><span class="term">PAM_IGNORE</span></dt><dd><p>
            This is the default return value.
          </p></dd><dt><span class="term">PAM_SUCCESS</span></dt><dd><p>
            Success:  either  the user is root or the
            nologin file does not exist.
          </p></dd><dt><span class="term">PAM_USER_UNKNOWN</span></dt><dd><p>
            User not known to the underlying authentication module.
          </p></dd></dl></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_nologin-examples"></a>6.23.5. EXAMPLES</h3></div></div></div><p>
      The suggested usage for <code class="filename">/etc/pam.d/login</code> is:
      </p><pre class="programlisting">
auth  required  pam_nologin.so
      </pre><p>
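The decision described above, written out as an added example (this is not the module's source; the PAM result codes are plain strings, the passwd lookup is a constructed table, and the nologin file is created in a temporary directory so the logic can be exercised offline). It shows the three outcomes an administrator cares about: the notice is shown and non-root users are refused while the file exists, root is unaffected, and without the file the module contributes PAM_IGNORE to the stack unless <code class="option">successok</code> turns that into an explicit PAM_SUCCESS:

```python
import os
import tempfile

# Default locations the module consults when no file= option is given.
DEFAULT_NOLOGIN_FILES = ("/var/run/nologin", "/etc/nologin")

# Constructed stand-in for the passwd lookup the real module performs.
KNOWN_USERS = {"root": 0, "alice": 1000}


def pam_nologin(user, file=None, successok=False, users=KNOWN_USERS):
    """Return (pam_result, message_shown_to_user).

    Follows the description above: when a nologin file exists and the
    user is not root, authentication fails and the file's contents are
    displayed; root is never affected; when no file exists the result is
    PAM_IGNORE, or PAM_SUCCESS if 'successok' was given.
    """
    candidates = (file,) if file else DEFAULT_NOLOGIN_FILES
    present = next((p for p in candidates if os.path.exists(p)), None)
    if present is None:
        return ("PAM_SUCCESS" if successok else "PAM_IGNORE"), None
    if user not in users:
        return "PAM_USER_UNKNOWN", None
    with open(present, encoding="utf-8", errors="replace") as fh:
        message = fh.read()
    if users[user] == 0:
        return "PAM_SUCCESS", message     # root may still log in, but sees the notice
    return "PAM_AUTH_ERR", message


def demo():
    """Exercise the emulation against a constructed nologin file."""
    with tempfile.TemporaryDirectory() as tmp:
        nologin = os.path.join(tmp, "nologin")
        results = {}
        # No file yet: the module contributes nothing to the stack ...
        results["absent"] = pam_nologin("alice", file=nologin)[0]
        # ... unless successok turns that into an explicit success.
        results["absent_successok"] = pam_nologin("alice", file=nologin, successok=True)[0]
        with open(nologin, "w", encoding="utf-8") as fh:
            fh.write("System maintenance until 18:00 UTC, please try again later.\n")
        results["alice"] = pam_nologin("alice", file=nologin)
        results["root"] = pam_nologin("root", file=nologin)[0]
        results["unknown"] = pam_nologin("mallory", file=nologin)[0]
        return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The PAM_IGNORE default matters for the suggested <code class="filename">/etc/pam.d/login</code> line: a <em class="replaceable"><code>required</code></em> pam_nologin that returns PAM_IGNORE neither passes nor fails the stack, so authentication still rests entirely on the modules that follow it.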
    </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_nologin-author"></a>6.23.6. AUTHOR</h3></div></div></div><p>
        pam_nologin was written by Michael K. Johnson &lt;johnsonm@redhat.com&gt;.
      </p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="sag-pam_namespace.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="sag-module-reference.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="sag-pam_permit.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">6.22. pam_namespace - setup a private namespace </td><td width="20%" align="center"><a accesskey="h" href="Linux-PAM_SAG.html">Home</a></td><td width="40%" align="right" valign="top"> 6.24. pam_permit - the promiscuous module</td></tr></table></div></body></html>
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>6.24. pam_permit - the promiscuous module</title><meta name="generator" content="DocBook XSL Stylesheets Vsnapshot"><link rel="home" href="Linux-PAM_SAG.html" title="The Linux-PAM System Administrators' Guide"><link rel="up" href="sag-module-reference.html" title="Chapter 6. A reference guide for available modules"><link rel="prev" href="sag-pam_nologin.html" title="6.23. pam_nologin - prevent non-root users from login"><link rel="next" href="sag-pam_pwhistory.html" title="6.25. pam_pwhistory - grant access using .pwhistory file"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">6.24. pam_permit - the promiscuous module</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="sag-pam_nologin.html">Prev</a> </td><th width="60%" align="center">Chapter 6. A reference guide for available modules</th><td width="20%" align="right"> <a accesskey="n" href="sag-pam_pwhistory.html">Next</a></td></tr></table><hr></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="sag-pam_permit"></a>6.24. pam_permit - the promiscuous module</h2></div></div></div><div class="cmdsynopsis"><p><code class="command">pam_permit.so</code> </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_permit-description"></a>6.24.1. DESCRIPTION</h3></div></div></div><p>
      pam_permit is a PAM module that always permits access. It does
      nothing else.
    </p><p>
      In the case of authentication, the user's name will be set to
      <span class="emphasis"><em>nobody</em></span> if the application didn't set one.
      Many applications and PAM modules become confused if this name
      is unknown.
    </p><p>
      This module is very dangerous. It should be used with extreme
      caution.
    </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_permit-options"></a>6.24.2. OPTIONS</h3></div></div></div><p> This module does not recognise any options.</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_permit-types"></a>6.24.3. MODULE TYPES PROVIDED</h3></div></div></div><p>
      The <code class="option">auth</code>, <code class="option">account</code>,
      <code class="option">password</code> and <code class="option">session</code>
      module types are provided.
    </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_permit-return_values"></a>6.24.4. RETURN VALUES</h3></div></div></div><div class="variablelist"><dl class="variablelist"><dt><span class="term">PAM_SUCCESS</span></dt><dd><p>
            This module always returns this value.
          </p></dd></dl></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_permit-examples"></a>6.24.5. EXAMPLES</h3></div></div></div><p>
      Add this line to your other login entries to disable account
      management, but continue to permit users to log in.
      </p><pre class="programlisting">
account  required  pam_permit.so
      </pre><p>
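Because pam_permit always returns PAM_SUCCESS, the risk it poses depends entirely on where it sits in a stack. The following audit script is an added example, not part of Linux-PAM: it parses a service file in the format shown on this page (type, control, module, arguments; bracketed <code class="option">[value=action ...]</code> controls and a leading <code class="option">-</code> on the type are handled) and reports every pam_permit rule with a severity. The service file is constructed inline; its <code class="option">account</code> line is the example above, its <code class="option">sufficient</code> auth line is a deliberate misconfiguration.

```python
import re
import shlex

PERMIT = "pam_permit.so"

# Constructed service file: the 'account' line is the example from this
# page; the 'sufficient' auth line is a deliberate misconfiguration.
SAMPLE_SERVICE = """\
#%PAM-1.0
auth     required    pam_securetty.so
auth     sufficient  pam_permit.so     # misconfiguration: every user passes here
auth     required    pam_unix.so
account  required    pam_permit.so     # disables account management (see above)
password required    pam_unix.so
session  [success=ok new_authtok_reqd=ok default=bad]  pam_unix.so
"""

RULE = re.compile(r"^(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def parse_pam_lines(text):
    """Yield (type, control, module, args) for each rule in a pam.d file.

    Handles '#' comments, backslash continuation lines, bracketed
    '[value=action ...]' controls and the optional leading '-' on the type.
    """
    logical = []
    for raw in text.splitlines():
        if logical and logical[-1].endswith("\\"):
            logical[-1] = logical[-1][:-1] + " " + raw
        else:
            logical.append(raw)
    for line in logical:
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("@include"):
            continue
        m = RULE.match(line)
        if not m:
            continue
        mtype, control, module, args = m.groups()
        yield mtype.lstrip("-"), control, module.rsplit("/", 1)[-1], shlex.split(args)


def audit_permit(text):
    """Return (severity, message) findings for every pam_permit rule."""
    stacks = {}
    for rule in parse_pam_lines(text):
        stacks.setdefault(rule[0], []).append(rule)
    findings = []
    for mtype, stack in stacks.items():
        only_permit = all(r[2] == PERMIT for r in stack)
        for idx, (_, control, module, _) in enumerate(stack, 1):
            if module != PERMIT:
                continue
            where = f"{mtype} rule {idx}"
            if mtype == "auth" and control == "sufficient":
                findings.append(("HIGH", f"{where}: 'sufficient pam_permit.so' ends the auth "
                                 "stack with success; later modules are never consulted"))
            elif mtype == "auth" and only_permit:
                findings.append(("HIGH", f"{where}: pam_permit.so is the only auth module, "
                                 "so no credential is ever checked"))
            elif mtype == "account" and only_permit:
                findings.append(("MEDIUM", f"{where}: account management is disabled for "
                                 "this service (the documented use above)"))
            else:
                findings.append(("INFO", f"{where}: pam_permit.so with control '{control}' "
                                 "(always PAM_SUCCESS)"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_permit(SAMPLE_SERVICE):
        print(f"[{severity}] {message}")
```

Running it over a real <code class="filename">/etc/pam.d</code> directory is a quick way to confirm that pam_permit appears only where it was placed on purpose.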
    </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_permit-author"></a>6.24.6. AUTHOR</h3></div></div></div><p>
        pam_permit was written by Andrew G. Morgan, &lt;morgan@kernel.org&gt;.
      </p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="sag-pam_nologin.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="sag-module-reference.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="sag-pam_pwhistory.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">6.23. pam_nologin - prevent non-root users from login </td><td width="20%" align="center"><a accesskey="h" href="Linux-PAM_SAG.html">Home</a></td><td width="40%" align="right" valign="top"> 6.25. pam_pwhistory - grant access using .pwhistory file</td></tr></table></div></body></html>
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>6.25. pam_pwhistory - grant access using .pwhistory file</title><meta name="generator" content="DocBook XSL Stylesheets Vsnapshot"><link rel="home" href="Linux-PAM_SAG.html" title="The Linux-PAM System Administrators' Guide"><link rel="up" href="sag-module-reference.html" title="Chapter 6. A reference guide for available modules"><link rel="prev" href="sag-pam_permit.html" title="6.24. pam_permit - the promiscuous module"><link rel="next" href="sag-pam_rhosts.html" title="6.26. pam_rhosts - grant access using .rhosts file"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">6.25. pam_pwhistory - grant access using .pwhistory file</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="sag-pam_permit.html">Prev</a> </td><th width="60%" align="center">Chapter 6. A reference guide for available modules</th><td width="20%" align="right"> <a accesskey="n" href="sag-pam_rhosts.html">Next</a></td></tr></table><hr></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="sag-pam_pwhistory"></a>6.25. pam_pwhistory - grant access using .pwhistory file</h2></div></div></div><div class="cmdsynopsis"><p><code class="command">pam_pwhistory.so</code>  [
        debug
      ] [
        use_authtok
      ] [
        enforce_for_root
      ] [
        remember=<em class="replaceable"><code>N</code></em>
      ] [
        retry=<em class="replaceable"><code>N</code></em>
      ] [
        authtok_type=<em class="replaceable"><code>STRING</code></em>
      ] [
        conf=<em class="replaceable"><code>/path/to/config-file</code></em>
      ]</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_pwhistory-description"></a>6.25.1. DESCRIPTION</h3></div></div></div><p>
      This module saves the last passwords for each user in order
      to force password change history and keep the user from
      alternating between the same password too frequently.
    </p><p>
      This module does not work together with kerberos. In general,
      it does not make much sense to use this module in conjunction
      with NIS or LDAP, since the old passwords are stored on the
      local machine and are not available on another machine for
      password history checking.
    </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_pwhistory-options"></a>6.25.2. OPTIONS</h3></div></div></div><div class="variablelist"><dl class="variablelist"><dt><span class="term">
          <code class="option">debug</code>
        </span></dt><dd><p>
            Turns on debugging via
            <span class="citerefentry"><span class="refentrytitle">syslog</span>(3)</span>.
          </p></dd><dt><span class="term">
          <code class="option">use_authtok</code>
        </span></dt><dd><p>
           When changing a password, force the module to use the new password
           provided by a previously stacked <code class="option">password</code>
           module (this is used in the example of the stacking of the
           <span class="command"><strong>pam_cracklib</strong></span> module documented below).
          </p></dd><dt><span class="term">
          <code class="option">enforce_for_root</code>
        </span></dt><dd><p>
            If this option is set, the check is enforced for root, too.
          </p></dd><dt><span class="term">
          <code class="option">remember=<em class="replaceable"><code>N</code></em></code>
        </span></dt><dd><p>
            The last <em class="replaceable"><code>N</code></em> passwords for each
            user are saved.
            The default is <span class="emphasis"><em>10</em></span>. A value of
            <span class="emphasis"><em>0</em></span> makes the module keep the existing
            contents of the <code class="filename">opasswd</code> file unchanged.
          </p></dd><dt><span class="term">
            <code class="option">retry=<em class="replaceable"><code>N</code></em></code>
          </span></dt><dd><p>
              Prompt user at most <em class="replaceable"><code>N</code></em> times
              before returning with error. The default is
              <span class="emphasis"><em>1</em></span>.
            </p></dd><dt><span class="term">
            <code class="option">authtok_type=<em class="replaceable"><code>STRING</code></em></code>
          </span></dt><dd><p>
              See <span class="citerefentry"><span class="refentrytitle">pam_get_authtok</span>(3)</span> for more details.
            </p></dd><dt><span class="term">
            <code class="option">conf=<em class="replaceable"><code>/path/to/config-file</code></em></code>
          </span></dt><dd><p>
              Use another configuration file instead of the default
              <code class="filename">/etc/security/pwhistory.conf</code>.
            </p></dd></dl></div><p>
      The options for configuring the module behavior are described in the
      <span class="citerefentry"><span class="refentrytitle">pwhistory.conf</span>(5)</span> manual page. The options
      specified on the module command line override the values from the
      configuration file.
    </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_pwhistory-types"></a>6.25.3. MODULE TYPES PROVIDED</h3></div></div></div><p>
      Only the <code class="option">password</code> module type is provided.
    </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_pwhistory-return_values"></a>6.25.4. RETURN VALUES</h3></div></div></div><div class="variablelist"><dl class="variablelist"><dt><span class="term">PAM_AUTHTOK_ERR</span></dt><dd><p>
            No new password was entered, the user aborted the password
            change, or the new password couldn't be set.
          </p></dd><dt><span class="term">PAM_IGNORE</span></dt><dd><p>
            Password history was disabled.
          </p></dd><dt><span class="term">PAM_MAXTRIES</span></dt><dd><p>
            Password was rejected too often.
          </p></dd><dt><span class="term">PAM_USER_UNKNOWN</span></dt><dd><p>
            User is not known to the system.
          </p></dd></dl></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_pwhistory-files"></a>6.25.5. FILES</h3></div></div></div><div class="variablelist"><dl class="variablelist"><dt><span class="term"><code class="filename">/etc/security/opasswd</code></span></dt><dd><p>File with password history</p></dd></dl></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_pwhistory-examples"></a>6.25.6. EXAMPLES</h3></div></div></div><p>
      An example password section would be:
      </p><pre class="programlisting">
#%PAM-1.0
password     required       pam_pwhistory.so
password     required       pam_unix.so        use_authtok
      </pre><p>
    </p><p>
     In combination with <span class="command"><strong>pam_cracklib</strong></span>:
      </p><pre class="programlisting">
#%PAM-1.0
password     required       pam_cracklib.so    retry=3
password     required       pam_pwhistory.so   use_authtok
password     required       pam_unix.so        use_authtok
      </pre><p>
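The option interplay above (<code class="option">remember</code>, <code class="option">retry</code>, <code class="option">enforce_for_root</code>, and a password handed down via <code class="option">use_authtok</code>) is easier to follow in code. The following emulation is an added example and not the module's source: history lives in a dictionary instead of <code class="filename">/etc/security/opasswd</code>, the stored digests are a constructed salted SHA-256 stand-in for the hashes the real module keeps, and, as a simplification, each accepted password is recorded immediately rather than at the next change. The user table and the typed passwords are constructed.

```python
import hashlib
import os

KNOWN_USERS = {"root": 0, "alice": 1000}   # constructed passwd stand-in


def digest(password, salt):
    """Constructed salted SHA-256 stand-in for the hash kept in opasswd."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def seen_before(history, password):
    """True if the candidate matches any remembered (salt, digest) entry."""
    return any(digest(password, salt) == d for salt, d in history)


def record_password(history, password, remember):
    """Append the new entry and keep only the last 'remember' entries;
    remember=0 leaves the existing history untouched, as documented."""
    if remember == 0:
        return history
    salt = os.urandom(16)
    return (history + [(salt, digest(password, salt))])[-remember:]


def pam_pwhistory_chauthtok(user, prompts, store, remember=10, retry=1,
                            enforce_for_root=False, users=KNOWN_USERS):
    """Password-change check. 'prompts' yields what the user types at each
    prompt (None or '' models an abort), standing in for pam_get_authtok();
    with use_authtok it would yield the single password handed down by the
    previous 'password' module. Returns (result, accepted_password_or_None)."""
    if user not in users:
        return "PAM_USER_UNKNOWN", None
    if users[user] == 0 and not enforce_for_root:
        return "PAM_SUCCESS", None          # root is exempt unless enforce_for_root
    history = store.get(user, [])
    for _ in range(retry):
        candidate = next(prompts, None)
        if not candidate:
            return "PAM_AUTHTOK_ERR", None  # nothing entered, or the prompt was aborted
        if not seen_before(history, candidate):
            store[user] = record_password(history, candidate, remember)
            return "PAM_SUCCESS", candidate
        # rejected: prompt again while retries remain
    return "PAM_MAXTRIES", None


def demo():
    """Walk through changes for alice with remember=2, then root and an unknown user."""
    store, results = {}, []

    def change(user, *typed, **opts):
        return pam_pwhistory_chauthtok(user, iter(typed), store, **opts)[0]

    results.append(change("alice", "winter2024", remember=2))                         # accepted
    results.append(change("alice", "spring2025", remember=2))                         # accepted
    results.append(change("alice", "winter2024", "winter2024", remember=2, retry=2))  # in history: both tries rejected
    results.append(change("alice", "summer2025", remember=2))                         # accepted; winter2024 ages out
    results.append(change("alice", "winter2024", remember=2))                         # now accepted again
    results.append(change("root", "toor"))                                            # root exempt by default
    results.append(change("root", "toor", enforce_for_root=True))                     # recorded for root
    results.append(change("root", "toor", enforce_for_root=True))                     # reuse rejected
    results.append(change("bob", "anything"))                                         # no such account
    results.append(change("alice", None, remember=2))                                 # aborted prompt
    return results


if __name__ == "__main__":
    print(demo())
```

The third and fifth results are the point of <code class="option">remember=<em class="replaceable"><code>N</code></em></code>: a password is refused only while it is still among the last <em class="replaceable"><code>N</code></em> recorded, which is why a small <em class="replaceable"><code>N</em></code> lets users cycle back to an old password after a few changes.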
    </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_pwhistory-author"></a>6.25.7. AUTHOR</h3></div></div></div><p>
        pam_pwhistory was written by Thorsten Kukuk &lt;kukuk@thkukuk.de&gt;
      </p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="sag-pam_permit.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="sag-module-reference.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="sag-pam_rhosts.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">6.24. pam_permit - the promiscuous module </td><td width="20%" align="center"><a accesskey="h" href="Linux-PAM_SAG.html">Home</a></td><td width="40%" align="right" valign="top"> 6.26. pam_rhosts - grant access using .rhosts file</td></tr></table></div></body></html>
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>6.26. pam_rhosts - grant access using .rhosts file</title><meta name="generator" content="DocBook XSL Stylesheets Vsnapshot"><link rel="home" href="Linux-PAM_SAG.html" title="The Linux-PAM System Administrators' Guide"><link rel="up" href="sag-module-reference.html" title="Chapter 6. A reference guide for available modules"><link rel="prev" href="sag-pam_pwhistory.html" title="6.25. pam_pwhistory - grant access using .pwhistory file"><link rel="next" href="sag-pam_rootok.html" title="6.27. pam_rootok - gain only root access"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">6.26. pam_rhosts - grant access using .rhosts file</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="sag-pam_pwhistory.html">Prev</a> </td><th width="60%" align="center">Chapter 6. A reference guide for available modules</th><td width="20%" align="right"> <a accesskey="n" href="sag-pam_rootok.html">Next</a></td></tr></table><hr></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="sag-pam_rhosts"></a>6.26. pam_rhosts - grant access using .rhosts file</h2></div></div></div><div class="cmdsynopsis"><p><code class="command">pam_rhosts.so</code> </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_rhosts-description"></a>6.26.1. DESCRIPTION</h3></div></div></div><p>
      This module performs the standard network authentication for services,
      as used by traditional implementations of <span class="command"><strong>rlogin</strong></span>
      and <span class="command"><strong>rsh</strong></span> etc.
    </p><p>
      The authentication mechanism of this module is based on the contents
      of two files: <code class="filename">/etc/hosts.equiv</code>
      and <code class="filename">~/.rhosts</code>. Firstly, hosts listed in the
      former file are treated as equivalent to the localhost. Secondly,
      entries in the user's own copy of the latter file are used to map
      "<span class="emphasis"><em>remote-host remote-user</em></span>" pairs to that user's
      account on the current host. Access is granted to the user if their
      host is present in <code class="filename">/etc/hosts.equiv</code> and their
      remote account is identical to their local one, or if their remote
      account has an entry in their personal configuration file.
    </p><p>
      The module authenticates a remote user (internally specified by the
      item <em class="parameter"><code>PAM_RUSER</code></em>) connecting from the remote
      host (internally specified by the item <span class="command"><strong>PAM_RHOST</strong></span>).
      Accordingly, for applications to be compatible with this authentication
      module they must set these items prior to calling
      <code class="function">pam_authenticate()</code>.  The module is not capable
      of independently probing the network connection for such information.
    </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_rhosts-options"></a>6.26.2. OPTIONS</h3></div></div></div><div class="variablelist"><dl class="variablelist"><dt><span class="term">
          <code class="option">debug</code>
        </span></dt><dd><p>
            Print debug information.
          </p></dd><dt><span class="term">
          <code class="option">silent</code>
        </span></dt><dd><p>
            Don't print informative messages.
          </p></dd><dt><span class="term">
          <code class="option">superuser=<em class="replaceable"><code>account</code></em></code>
        </span></dt><dd><p>
            Handle <em class="replaceable"><code>account</code></em> as root.
          </p></dd></dl></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_rhosts-types"></a>6.26.3. MODULE TYPES PROVIDED</h3></div></div></div><p>
      Only the <code class="option">auth</code> module type is provided.
    </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_rhosts-return_values"></a>6.26.4. RETURN VALUES</h3></div></div></div><div class="variablelist"><dl class="variablelist"><dt><span class="term">PAM_AUTH_ERR</span></dt><dd><p>
            The remote host, remote user name or the local user name
            couldn't be determined, or access was denied by the
            <code class="filename">.rhosts</code> file.
          </p></dd><dt><span class="term">PAM_USER_UNKNOWN</span></dt><dd><p>
            User is not known to the system.
          </p></dd></dl></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_rhosts-examples"></a>6.26.5. EXAMPLES</h3></div></div></div><p>
      To grant a remote user access by <code class="filename">/etc/hosts.equiv</code>
      or <code class="filename">.rhosts</code> for <span class="command"><strong>rsh</strong></span> add the
      following lines to <code class="filename">/etc/pam.d/rsh</code>:
      </p><pre class="programlisting">
#%PAM-1.0
#
auth     required       pam_rhosts.so
auth     required       pam_nologin.so
auth     required       pam_env.so
auth     required       pam_unix.so
      </pre><p>
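The two-file decision described above, as an added example that is not the module's code. It takes the PAM items the application must have set (<em class="parameter"><code>PAM_USER</code></em>, <em class="parameter"><code>PAM_RUSER</code></em>, <em class="parameter"><code>PAM_RHOST</code></em>) together with the text of <code class="filename">/etc/hosts.equiv</code> and the user's <code class="filename">~/.rhosts</code>, and returns the PAM result. Two details go beyond the description above and are assumptions from classic rhosts semantics: a <code class="filename">.rhosts</code> line carrying only a host name stands for "same user name", and <code class="filename">/etc/hosts.equiv</code> never admits the superuser (the account named by <code class="option">superuser=</code>, root by default). The trust files and user table are constructed. Note what the emulation makes visible: every grant rests on the host name the application placed in <em class="parameter"><code>PAM_RHOST</code></em>, which the module cannot verify.

```python
KNOWN_USERS = {"root", "alice", "bob"}   # constructed passwd stand-in


def norm_host(host):
    """Host names compare case-insensitively, ignoring a trailing dot."""
    return host.rstrip(".").lower()


def parse_trust_file(text):
    """Return (host, user_or_None) entries from hosts.equiv or .rhosts text.
    A line with only a host name yields user None, meaning "same user name";
    that host-only convention is classic rhosts behaviour, not stated above."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        entries.append((norm_host(fields[0]), fields[1] if len(fields) > 1 else None))
    return entries


def pam_rhosts(user, ruser, rhost, hosts_equiv="", rhosts="",
               users=KNOWN_USERS, superuser="root"):
    """Decide access from the PAM items and the two trust files."""
    if not user or not ruser or not rhost:
        return "PAM_AUTH_ERR"          # the module cannot probe the connection itself
    if user not in users:
        return "PAM_USER_UNKNOWN"
    host = norm_host(rhost)
    # /etc/hosts.equiv: listed hosts count as the local host, so the same
    # account name gets in. Classic ruserok(3) never extends this to the
    # superuser; only that account's own .rhosts is consulted for it.
    if user != superuser:
        if any(h == host for h, _ in parse_trust_file(hosts_equiv)) and ruser == user:
            return "PAM_SUCCESS"
    # ~/.rhosts: "remote-host remote-user" pairs mapped onto this account.
    for h, u in parse_trust_file(rhosts):
        if h == host and (u == ruser or (u is None and ruser == user)):
            return "PAM_SUCCESS"
    return "PAM_AUTH_ERR"


# Constructed trust files.
HOSTS_EQUIV = "trusted.example.net\nbuild01.example.net   # CI host\n"
ALICE_RHOSTS = "workstation.example.net  alice\nlaptop.example.net\n"


def demo():
    """Outcomes for a set of constructed PAM item combinations."""
    return {
        "equiv_same_user": pam_rhosts("alice", "alice", "trusted.example.net", HOSTS_EQUIV, ALICE_RHOSTS),
        "equiv_other_user": pam_rhosts("alice", "bob", "trusted.example.net", HOSTS_EQUIV, ALICE_RHOSTS),
        "rhosts_pair": pam_rhosts("alice", "alice", "WORKSTATION.example.net.", HOSTS_EQUIV, ALICE_RHOSTS),
        "rhosts_host_only": pam_rhosts("alice", "alice", "laptop.example.net", HOSTS_EQUIV, ALICE_RHOSTS),
        "rhosts_host_only_other": pam_rhosts("alice", "bob", "laptop.example.net", HOSTS_EQUIV, ALICE_RHOSTS),
        "unlisted_host": pam_rhosts("alice", "alice", "other.example.org", HOSTS_EQUIV, ALICE_RHOSTS),
        "missing_rhost": pam_rhosts("alice", "alice", None, HOSTS_EQUIV, ALICE_RHOSTS),
        "unknown_user": pam_rhosts("mallory", "mallory", "trusted.example.net", HOSTS_EQUIV, ""),
        "root_via_equiv": pam_rhosts("root", "root", "trusted.example.net", HOSTS_EQUIV, ""),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```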
    </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_rhosts-author"></a>6.26.6. AUTHOR</h3></div></div></div><p>
        pam_rhosts was written by Thorsten Kukuk &lt;kukuk@thkukuk.de&gt;
      </p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="sag-pam_pwhistory.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="sag-module-reference.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="sag-pam_rootok.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">6.25. pam_pwhistory - grant access using .pwhistory file </td><td width="20%" align="center"><a accesskey="h" href="Linux-PAM_SAG.html">Home</a></td><td width="40%" align="right" valign="top"> 6.27. pam_rootok - gain only root access</td></tr></table></div></body></html>
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>6.27. pam_rootok - gain only root access</title><meta name="generator" content="DocBook XSL Stylesheets Vsnapshot"><link rel="home" href="Linux-PAM_SAG.html" title="The Linux-PAM System Administrators' Guide"><link rel="up" href="sag-module-reference.html" title="Chapter 6. A reference guide for available modules"><link rel="prev" href="sag-pam_rhosts.html" title="6.26. pam_rhosts - grant access using .rhosts file"><link rel="next" href="sag-pam_securetty.html" title="6.28. pam_securetty - limit root login to special devices"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">6.27. pam_rootok - gain only root access</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="sag-pam_rhosts.html">Prev</a> </td><th width="60%" align="center">Chapter 6. A reference guide for available modules</th><td width="20%" align="right"> <a accesskey="n" href="sag-pam_securetty.html">Next</a></td></tr></table><hr></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="sag-pam_rootok"></a>6.27. pam_rootok - gain only root access</h2></div></div></div><div class="cmdsynopsis"><p><code class="command">pam_rootok.so</code>  [
        debug
      ]</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_rootok-description"></a>6.27.1. DESCRIPTION</h3></div></div></div><p>
      pam_rootok is a PAM module that authenticates the user if their
      <span class="emphasis"><em>UID</em></span> is <span class="emphasis"><em>0</em></span>.
      Applications that are created setuid-root generally retain the
      <span class="emphasis"><em>UID</em></span> of the user but run with the authority
      of an enhanced effective-UID. It is the real <span class="emphasis"><em>UID</em></span>
      that is checked.
    </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_rootok-options"></a>6.27.2. OPTIONS</h3></div></div></div><div class="variablelist"><dl class="variablelist"><dt><span class="term">
          <code class="option">debug</code>
        </span></dt><dd><p>
            Print debug information.
          </p></dd></dl></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_rootok-types"></a>6.27.3. MODULE TYPES PROVIDED</h3></div></div></div><p>
      The <code class="option">auth</code>, <code class="option">acct</code> and
      <code class="option">password</code> module types are provided.
    </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_rootok-return_values"></a>6.27.4. RETURN VALUES</h3></div></div></div><div class="variablelist"><dl class="variablelist"><dt><span class="term">PAM_SUCCESS</span></dt><dd><p>
            The <span class="emphasis"><em>UID</em></span> is <span class="emphasis"><em>0</em></span>.
          </p></dd><dt><span class="term">PAM_AUTH_ERR</span></dt><dd><p>
            The <span class="emphasis"><em>UID</em></span> is <span class="emphasis"><em>not</em></span>
            <span class="emphasis"><em>0</em></span>.
          </p></dd></dl></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_rootok-examples"></a>6.27.5. EXAMPLES</h3></div></div></div><p>
      In the case of the <span class="citerefentry"><span class="refentrytitle">su</span>(1)</span> application the historical usage is to
      permit the superuser to adopt the identity of a lesser user
      without the use of a password. To obtain this behavior with PAM
      the following pair of lines are needed for the corresponding entry
      in the <code class="filename">/etc/pam.d/su</code> configuration file:
      </p><pre class="programlisting">
# su authentication. Root is granted access by default.
auth  sufficient   pam_rootok.so
auth  required     pam_unix.so
      </pre><p>
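Why this pair of lines works, and why their order matters, is clearest when the stack is run. The following is an added example, not Linux-PAM code: pam_rootok is modelled on the real UID alone, as the description states, pam_unix is reduced to a constructed password table, and a small evaluator implements the <span class="emphasis"><em>sufficient</em></span> and <span class="emphasis"><em>required</em></span> control semantics. In <span class="citerefentry"><span class="refentrytitle">su</span>(1)</span> the account being authenticated is the target user while the real UID is the invoker's, which is what the scenarios use.

```python
# Constructed password table standing in for pam_unix's shadow lookup.
PASSWORDS = {"alice": "correct horse", "root": "hunter2"}


def pam_rootok(ctx):
    """Emulated pam_rootok: only the real UID of the calling process counts.
    A setuid-root program started by alice still has ruid 1000 here."""
    return "PAM_SUCCESS" if ctx["ruid"] == 0 else "PAM_AUTH_ERR"


def pam_unix(ctx):
    """Emulated pam_unix auth: checks the supplied password for PAM_USER."""
    if ctx["user"] not in PASSWORDS:
        return "PAM_USER_UNKNOWN"
    return "PAM_SUCCESS" if ctx.get("password") == PASSWORDS[ctx["user"]] else "PAM_AUTH_ERR"


MODULES = {"pam_rootok.so": pam_rootok, "pam_unix.so": pam_unix}

# The /etc/pam.d/su auth stack from the example above, as (control, module).
SU_AUTH_STACK = [("sufficient", "pam_rootok.so"), ("required", "pam_unix.so")]
# The same two rules in the wrong order, for comparison.
REORDERED_STACK = [("required", "pam_unix.so"), ("sufficient", "pam_rootok.so")]


def run_stack(stack, ctx):
    """Evaluate an auth stack; returns (result, list of modules consulted).

    required:   a failure is remembered but later modules still run;
    requisite:  a failure ends the stack at once;
    sufficient: success ends the stack with PAM_SUCCESS unless an earlier
                required module already failed; its failure is ignored;
    optional:   ignored (a stack made only of optional rules is not modelled).
    """
    consulted, first_failure = [], None
    for control, module in stack:
        rc = MODULES[module](ctx)
        consulted.append(module)
        if control == "required" and rc != "PAM_SUCCESS" and first_failure is None:
            first_failure = rc
        elif control == "requisite" and rc != "PAM_SUCCESS":
            return rc, consulted
        elif control == "sufficient" and rc == "PAM_SUCCESS" and first_failure is None:
            return "PAM_SUCCESS", consulted
    return (first_failure or "PAM_SUCCESS"), consulted


def demo():
    """su scenarios: 'user' is the target account, 'ruid' the invoker's real UID."""
    return {
        # root runs 'su alice': rootok succeeds, pam_unix is never consulted.
        "root_to_alice": run_stack(SU_AUTH_STACK, {"user": "alice", "ruid": 0}),
        # alice runs su via a setuid-root helper: euid 0 does not help, ruid is 1000.
        "alice_to_root_wrong": run_stack(SU_AUTH_STACK, {"user": "root", "ruid": 1000, "euid": 0, "password": "guess"}),
        # alice runs su and types root's password.
        "alice_to_root_ok": run_stack(SU_AUTH_STACK, {"user": "root", "ruid": 1000, "password": "hunter2"}),
        # Reordered stack: pam_unix's remembered failure blocks rootok's success.
        "root_to_alice_reordered": run_stack(REORDERED_STACK, {"user": "alice", "ruid": 0}),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```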
    </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_rootok-author"></a>6.27.6. AUTHOR</h3></div></div></div><p>
        pam_rootok was written by Andrew G. Morgan, &lt;morgan@kernel.org&gt;.
      </p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="sag-pam_rhosts.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="sag-module-reference.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="sag-pam_securetty.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">6.26. pam_rhosts - grant access using .rhosts file </td><td width="20%" align="center"><a accesskey="h" href="Linux-PAM_SAG.html">Home</a></td><td width="40%" align="right" valign="top"> 6.28. pam_securetty - limit root login to special devices</td></tr></table></div></body></html>
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>6.28. pam_securetty - limit root login to special devices</title><meta name="generator" content="DocBook XSL Stylesheets Vsnapshot"><link rel="home" href="Linux-PAM_SAG.html" title="The Linux-PAM System Administrators' Guide"><link rel="up" href="sag-module-reference.html" title="Chapter 6. A reference guide for available modules"><link rel="prev" href="sag-pam_rootok.html" title="6.27. pam_rootok - gain only root access"><link rel="next" href="sag-pam_selinux.html" title="6.29. pam_selinux - set the default security context"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">6.28. pam_securetty - limit root login to special devices</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="sag-pam_rootok.html">Prev</a> </td><th width="60%" align="center">Chapter 6. A reference guide for available modules</th><td width="20%" align="right"> <a accesskey="n" href="sag-pam_selinux.html">Next</a></td></tr></table><hr></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="sag-pam_securetty"></a>6.28. pam_securetty - limit root login to special devices</h2></div></div></div><div class="cmdsynopsis"><p><code class="command">pam_securetty.so</code>  [
        debug
      ]</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_securetty-description"></a>6.28.1. DESCRIPTION</h3></div></div></div><p>
      pam_securetty is a PAM module that allows root logins only if the
      user is logging in on a "secure" tty, as defined by the listing
      in <code class="filename">/etc/securetty</code>. pam_securetty also checks
      to make sure that <code class="filename">/etc/securetty</code> is a plain
      file and not world writable. It will also allow root logins on
      the tty specified with the <code class="option">console=</code> switch on the
      kernel command line and on the ttys listed in
      <code class="filename">/sys/class/tty/console/active</code>.
    </p><p>
      This module has no effect on non-root users and requires that the
      application fills in the <span class="emphasis"><em>PAM_TTY</em></span>
      item correctly.
    </p><p>
      For canonical usage, it should be listed as a
      <span class="emphasis"><em>required</em></span> authentication method
      before any <span class="emphasis"><em>sufficient</em></span>
      authentication methods.
    </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_securetty-options"></a>6.28.2. OPTIONS</h3></div></div></div><div class="variablelist"><dl class="variablelist"><dt><span class="term">
          <code class="option">debug</code>
        </span></dt><dd><p>
            Print debug information.
          </p></dd><dt><span class="term">
          <code class="option">noconsole</code>
        </span></dt><dd><p>
            Do not automatically allow root logins on the kernel console
            device, as specified on the kernel command line or by the sys file,
            if it is not also specified in the
            <code class="filename">/etc/securetty</code> file.
          </p></dd></dl></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_securetty-types"></a>6.28.3. MODULE TYPES PROVIDED</h3></div></div></div><p>
      Only the <code class="option">auth</code> module type is provided.
    </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_securetty-return_values"></a>6.28.4. RETURN VALUES</h3></div></div></div><div class="variablelist"><dl class="variablelist"><dt><span class="term">PAM_SUCCESS</span></dt><dd><p>
            The user is allowed to continue authentication.
            Either the user is not root, or the root user is
            trying to log in on an acceptable device.
          </p></dd><dt><span class="term">PAM_AUTH_ERR</span></dt><dd><p>
            Authentication is rejected. Either root is attempting to
            log in via an unacceptable device, or the
            <code class="filename">/etc/securetty</code> file is world writable or
            not a normal file.
          </p></dd><dt><span class="term">PAM_INCOMPLETE</span></dt><dd><p>
            An application error occurred. pam_securetty was not able
            to get information it required from the application that
            called it.
          </p></dd><dt><span class="term">PAM_SERVICE_ERR</span></dt><dd><p>
            An error occurred while the module was determining the
            user's name or tty, or the module could not open
            <code class="filename">/etc/securetty</code>.
          </p></dd><dt><span class="term">PAM_USER_UNKNOWN</span></dt><dd><p>
            The module could not find the user name in the
            <code class="filename">/etc/passwd</code> file to verify whether
            the user had a UID of 0. Therefore, the results of running
            this module are ignored.
          </p></dd></dl></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_securetty-examples"></a>6.28.5. EXAMPLES</h3></div></div></div><p>
      </p><pre class="programlisting">
auth  required  pam_securetty.so
auth  required  pam_unix.so
      </pre><p>
    </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_securetty-author"></a>6.28.6. AUTHOR</h3></div></div></div><p>
        pam_securetty was written by Elliot Lee &lt;sopwith@cuc.edu&gt;.
      </p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="sag-pam_rootok.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="sag-module-reference.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="sag-pam_selinux.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">6.27. pam_rootok - gain only root access </td><td width="20%" align="center"><a accesskey="h" href="Linux-PAM_SAG.html">Home</a></td><td width="40%" align="right" valign="top"> 6.29. pam_selinux - set the default security context</td></tr></table></div></body></html>
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>6.29. pam_selinux - set the default security context</title><meta name="generator" content="DocBook XSL Stylesheets Vsnapshot"><link rel="home" href="Linux-PAM_SAG.html" title="The Linux-PAM System Administrators' Guide"><link rel="up" href="sag-module-reference.html" title="Chapter 6. A reference guide for available modules"><link rel="prev" href="sag-pam_securetty.html" title="6.28. pam_securetty - limit root login to special devices"><link rel="next" href="sag-pam_shells.html" title="6.30. pam_shells - check for valid login shell"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">6.29. pam_selinux - set the default security context</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="sag-pam_securetty.html">Prev</a> </td><th width="60%" align="center">Chapter 6. A reference guide for available modules</th><td width="20%" align="right"> <a accesskey="n" href="sag-pam_shells.html">Next</a></td></tr></table><hr></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="sag-pam_selinux"></a>6.29. pam_selinux - set the default security context</h2></div></div></div><div class="cmdsynopsis"><p><code class="command">pam_selinux.so</code>  [
	open
      ] [
	close
      ] [
	restore
      ] [
	nottys
      ] [
	debug
      ] [
	verbose
      ] [
	select_context
      ] [
	env_params
      ] [
	use_current_range
      ]</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_selinux-description"></a>6.29.1. DESCRIPTION</h3></div></div></div><p>
      pam_selinux is a PAM module that sets up the default SELinux security
      context for the next executed process.
    </p><p>
      When a new session is started, the open_session part of the module
      computes and sets up the execution security context used for the next
      <span class="citerefentry"><span class="refentrytitle">execve</span>(2)</span>
      call, the file security context for the controlling terminal, and
      the security context used for creating a new kernel keyring.
    </p><p>
      When the session is ended, the close_session part of the module restores
      old security contexts that were in effect before the change made
      by the open_session part of the module.
    </p><p>
      Adding pam_selinux into the PAM stack might disrupt behavior of other
      PAM modules which execute applications.  To avoid that,
      <span class="emphasis"><em>pam_selinux.so open</em></span> should be placed after such
      modules in the PAM stack, and <span class="emphasis"><em>pam_selinux.so close</em></span>
      should be placed before them.  When such a placement is not feasible,
      <span class="emphasis"><em>pam_selinux.so restore</em></span> could be used to temporarily
      restore original security contexts.
    </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_selinux-options"></a>6.29.2. OPTIONS</h3></div></div></div><div class="variablelist"><dl class="variablelist"><dt><span class="term">
          <code class="option">open</code>
        </span></dt><dd><p>
            Only execute the open_session part of the module.
          </p></dd><dt><span class="term">
          <code class="option">close</code>
        </span></dt><dd><p>
            Only execute the close_session part of the module.
          </p></dd><dt><span class="term">
          <code class="option">restore</code>
        </span></dt><dd><p>
            In open_session part of the module, temporarily restore the
            security contexts as they were before the previous call of
            the module.  Another call of this module without the restore
            option will set up the new security contexts again.
          </p></dd><dt><span class="term">
          <code class="option">nottys</code>
        </span></dt><dd><p>
            Do not set up the security context of the controlling terminal.
          </p></dd><dt><span class="term">
          <code class="option">debug</code>
        </span></dt><dd><p>
            Turn on debug messages via
            <span class="citerefentry"><span class="refentrytitle">syslog</span>(3)</span>.
          </p></dd><dt><span class="term">
          <code class="option">verbose</code>
        </span></dt><dd><p>
            Attempt to inform the user when security context is set.
          </p></dd><dt><span class="term">
          <code class="option">select_context</code>
        </span></dt><dd><p>
            Attempt to ask the user for a custom security context role.
            If MLS is on, ask also for sensitivity level.
          </p></dd><dt><span class="term">
          <code class="option">env_params</code>
        </span></dt><dd><p>
            Attempt to obtain a custom security context role from PAM environment.
            If MLS is on, obtain also sensitivity level.  This option and the
            select_context option are mutually exclusive.  The respective PAM
            environment variables are <span class="emphasis"><em>SELINUX_ROLE_REQUESTED</em></span>,
            <span class="emphasis"><em>SELINUX_LEVEL_REQUESTED</em></span>, and
            <span class="emphasis"><em>SELINUX_USE_CURRENT_RANGE</em></span>.  The first two variables
            are self-describing; the last one, if set to 1, makes the PAM module behave as
            if use_current_range had been specified on the command line of the module.
          </p></dd><dt><span class="term">
          <code class="option">use_current_range</code>
        </span></dt><dd><p>
            Use the sensitivity level of the current process for the user context
            instead of the default level. Also suppresses asking of the
            sensitivity level from the user or obtaining it from PAM environment.
          </p></dd></dl></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_selinux-types"></a>6.29.3. MODULE TYPES PROVIDED</h3></div></div></div><p>
      Only the <code class="option">session</code> module type is provided.
    </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_selinux-return_values"></a>6.29.4. RETURN VALUES</h3></div></div></div><div class="variablelist"><dl class="variablelist"><dt><span class="term">PAM_SUCCESS</span></dt><dd><p>
            The security context was set successfully.
          </p></dd><dt><span class="term">PAM_SESSION_ERR</span></dt><dd><p>
            Unable to get or set a valid context.
          </p></dd><dt><span class="term">PAM_USER_UNKNOWN</span></dt><dd><p>
            The user is not known to the system.
          </p></dd><dt><span class="term">PAM_BUF_ERR</span></dt><dd><p>
            Memory allocation error.
          </p></dd></dl></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_selinux-examples"></a>6.29.5. EXAMPLES</h3></div></div></div><pre class="programlisting">
auth     required  pam_unix.so
session  required  pam_permit.so
session  optional  pam_selinux.so
    </pre></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_selinux-author"></a>6.29.6. AUTHOR</h3></div></div></div><p>
        pam_selinux was written by Dan Walsh &lt;dwalsh@redhat.com&gt;.
      </p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="sag-pam_securetty.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="sag-module-reference.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="sag-pam_shells.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">6.28. pam_securetty - limit root login to special devices </td><td width="20%" align="center"><a accesskey="h" href="Linux-PAM_SAG.html">Home</a></td><td width="40%" align="right" valign="top"> 6.30. pam_shells - check for valid login shell</td></tr></table></div></body></html>
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>6.30. pam_shells - check for valid login shell</title><meta name="generator" content="DocBook XSL Stylesheets Vsnapshot"><link rel="home" href="Linux-PAM_SAG.html" title="The Linux-PAM System Administrators' Guide"><link rel="up" href="sag-module-reference.html" title="Chapter 6. A reference guide for available modules"><link rel="prev" href="sag-pam_selinux.html" title="6.29. pam_selinux - set the default security context"><link rel="next" href="sag-pam_succeed_if.html" title="6.31. pam_succeed_if - test account characteristics"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">6.30. pam_shells - check for valid login shell</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="sag-pam_selinux.html">Prev</a> </td><th width="60%" align="center">Chapter 6. A reference guide for available modules</th><td width="20%" align="right"> <a accesskey="n" href="sag-pam_succeed_if.html">Next</a></td></tr></table><hr></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="sag-pam_shells"></a>6.30. pam_shells - check for valid login shell</h2></div></div></div><div class="cmdsynopsis"><p><code class="command">pam_shells.so</code> </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_shells-description"></a>6.30.1. DESCRIPTION</h3></div></div></div><p>
      pam_shells is a PAM module that only allows access to the
      system if the user's shell is listed in <code class="filename">/etc/shells</code>.
    </p><p>
      It also checks if <code class="filename">/etc/shells</code> is a plain
      file and not world writable.
    </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_shells-options"></a>6.30.2. OPTIONS</h3></div></div></div><p> This module does not recognise any options.</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_shells-types"></a>6.30.3. MODULE TYPES PROVIDED</h3></div></div></div><p>
      The <code class="option">auth</code> and <code class="option">account</code>
      module types are provided.
    </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_shells-return_values"></a>6.30.4. RETURN VALUES</h3></div></div></div><div class="variablelist"><dl class="variablelist"><dt><span class="term">PAM_AUTH_ERR</span></dt><dd><p>
             Access to the system was denied.
          </p></dd><dt><span class="term">PAM_SUCCESS</span></dt><dd><p>
            The user's login shell was listed as valid shell in
            <code class="filename">/etc/shells</code>.
          </p></dd><dt><span class="term">PAM_SERVICE_ERR</span></dt><dd><p>
            The module was not able to get the name of the user.
          </p></dd></dl></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_shells-examples"></a>6.30.5. EXAMPLES</h3></div></div></div><p>
      </p><pre class="programlisting">
auth  required  pam_shells.so
      </pre><p>
    </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_shells-author"></a>6.30.6. AUTHOR</h3></div></div></div><p>
        pam_shells was written by Erik Troan &lt;ewt@redhat.com&gt;.
      </p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="sag-pam_selinux.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="sag-module-reference.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="sag-pam_succeed_if.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">6.29. pam_selinux - set the default security context </td><td width="20%" align="center"><a accesskey="h" href="Linux-PAM_SAG.html">Home</a></td><td width="40%" align="right" valign="top"> 6.31. pam_succeed_if - test account characteristics</td></tr></table></div></body></html>
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>6.31. pam_succeed_if - test account characteristics</title><meta name="generator" content="DocBook XSL Stylesheets Vsnapshot"><link rel="home" href="Linux-PAM_SAG.html" title="The Linux-PAM System Administrators' Guide"><link rel="up" href="sag-module-reference.html" title="Chapter 6. A reference guide for available modules"><link rel="prev" href="sag-pam_shells.html" title="6.30. pam_shells - check for valid login shell"><link rel="next" href="sag-pam_tally.html" title="6.32. pam_tally - login counter (tallying) module"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">6.31. pam_succeed_if - test account characteristics</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="sag-pam_shells.html">Prev</a> </td><th width="60%" align="center">Chapter 6. A reference guide for available modules</th><td width="20%" align="right"> <a accesskey="n" href="sag-pam_tally.html">Next</a></td></tr></table><hr></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="sag-pam_succeed_if"></a>6.31. pam_succeed_if - test account characteristics</h2></div></div></div><div class="cmdsynopsis"><p><code class="command">pam_succeed_if.so</code>  [<em class="replaceable"><code>flag</code></em>...] [<em class="replaceable"><code>condition</code></em>...]</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_succeed_if-description"></a>6.31.1. DESCRIPTION</h3></div></div></div><p>
      pam_succeed_if.so is designed to succeed or fail authentication
      based on characteristics of the account belonging to the user being
      authenticated or values of other PAM items. One use is to select whether
      to load other modules based on this test.
    </p><p>
      The module should be given one or more conditions as module arguments,
      and authentication will succeed only if all of the conditions are met.
    </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_succeed_if-options"></a>6.31.2. OPTIONS</h3></div></div></div><p>
      The following <span class="emphasis"><em>flag</em></span>s are supported:
    </p><div class="variablelist"><dl class="variablelist"><dt><span class="term"><code class="option">debug</code></span></dt><dd><p>Turns on debugging messages sent to syslog.</p></dd><dt><span class="term"><code class="option">use_uid</code></span></dt><dd><p>
            Evaluate conditions using the account of the user whose UID
            the application is running under instead of the user being
            authenticated.
          </p></dd><dt><span class="term"><code class="option">quiet</code></span></dt><dd><p>Don't log failure or success to the system log.</p></dd><dt><span class="term"><code class="option">quiet_fail</code></span></dt><dd><p>
            Don't log failure to the system log.
          </p></dd><dt><span class="term"><code class="option">quiet_success</code></span></dt><dd><p>
            Don't log success to the system log.
          </p></dd><dt><span class="term"><code class="option">audit</code></span></dt><dd><p>
            Log unknown users to the system log.
          </p></dd></dl></div><p>
      <span class="emphasis"><em>Condition</em></span>s are three words: a field, a test,
      and a value to test for.
    </p><p>
      Available fields are <span class="emphasis"><em>user</em></span>,
      <span class="emphasis"><em>uid</em></span>, <span class="emphasis"><em>gid</em></span>,
      <span class="emphasis"><em>shell</em></span>, <span class="emphasis"><em>home</em></span>,
      <span class="emphasis"><em>ruser</em></span>, <span class="emphasis"><em>rhost</em></span>,
      <span class="emphasis"><em>tty</em></span> and <span class="emphasis"><em>service</em></span>:
    </p><div class="variablelist"><dl class="variablelist"><dt><span class="term"><code class="option">field &lt; number</code></span></dt><dd><p>Field has a value numerically less than number.</p></dd><dt><span class="term"><code class="option">field &lt;= number</code></span></dt><dd><p>
            Field has a value numerically less than or equal to number.
          </p></dd><dt><span class="term"><code class="option">field eq number</code></span></dt><dd><p>
            Field has a value numerically equal to number.
          </p></dd><dt><span class="term"><code class="option">field &gt;= number</code></span></dt><dd><p>
            Field has a value numerically greater than or equal to number.
          </p></dd><dt><span class="term"><code class="option">field &gt; number</code></span></dt><dd><p>
            Field has a value numerically greater than number.
          </p></dd><dt><span class="term"><code class="option">field ne number</code></span></dt><dd><p>
            Field has a value numerically different from number.
          </p></dd><dt><span class="term"><code class="option">field = string</code></span></dt><dd><p>
            Field exactly matches the given string.
          </p></dd><dt><span class="term"><code class="option">field != string</code></span></dt><dd><p>
            Field does not match the given string.
          </p></dd><dt><span class="term"><code class="option">field =~ glob</code></span></dt><dd><p>Field matches the given glob.</p></dd><dt><span class="term"><code class="option">field !~ glob</code></span></dt><dd><p>Field does not match the given glob.</p></dd><dt><span class="term"><code class="option">field in item:item:...</code></span></dt><dd><p>Field is contained in the list of items separated by colons.</p></dd><dt><span class="term"><code class="option">field notin item:item:...</code></span></dt><dd><p>Field is not contained in the list of items separated by colons.</p></dd><dt><span class="term"><code class="option">user ingroup group</code></span></dt><dd><p>User is in given group.</p></dd><dt><span class="term"><code class="option">user notingroup group</code></span></dt><dd><p>User is not in given group.</p></dd><dt><span class="term"><code class="option">user innetgr netgroup</code></span></dt><dd><p>(user,host) is in given netgroup.</p></dd><dt><span class="term"><code class="option">user notinnetgr group</code></span></dt><dd><p>(user,host) is not in given netgroup.</p></dd></dl></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_succeed_if-types"></a>6.31.3. MODULE TYPES PROVIDED</h3></div></div></div><p>
      All module types (<code class="option">account</code>, <code class="option">auth</code>,
      <code class="option">password</code> and <code class="option">session</code>) are provided.
    </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_succeed_if-return_values"></a>6.31.4. RETURN VALUES</h3></div></div></div><div class="variablelist"><dl class="variablelist"><dt><span class="term">PAM_SUCCESS</span></dt><dd><p>
              The condition was true.
            </p></dd><dt><span class="term">PAM_AUTH_ERR</span></dt><dd><p>
              The condition was false.
            </p></dd><dt><span class="term">PAM_SERVICE_ERR</span></dt><dd><p>
              A service error occurred or the arguments can't be
              parsed correctly.
            </p></dd></dl></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_succeed_if-examples"></a>6.31.5. EXAMPLES</h3></div></div></div><p>
      To emulate the behaviour of <span class="emphasis"><em>pam_wheel</em></span>, except
      there is no fallback to group 0:
    </p><pre class="programlisting">
auth required pam_succeed_if.so quiet user ingroup wheel
    </pre><p>
      Given that the type matches, only loads the othermodule rule if
      the UID is over 500. Adjust the number after default to skip
      several rules.
    </p><pre class="programlisting">
type [default=1 success=ignore] pam_succeed_if.so quiet uid &gt; 500
type required othermodule.so arguments...
    </pre></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_succeed_if-author"></a>6.31.6. AUTHOR</h3></div></div></div><p>Nalin Dahyabhai &lt;nalin@redhat.com&gt;</p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="sag-pam_shells.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="sag-module-reference.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="sag-pam_tally.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">6.30. pam_shells - check for valid login shell </td><td width="20%" align="center"><a accesskey="h" href="Linux-PAM_SAG.html">Home</a></td><td width="40%" align="right" valign="top"> 6.32. pam_tally - login counter (tallying) module</td></tr></table></div></body></html>
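The flag and condition grammar of this section, implemented as an added Python evaluator (not Linux-PAM's own code) over constructed PAM items and a constructed group table; the innetgr tests are left out because they need a netgroup lookup, and the treatment of use_uid without a caller account as a service error is this example's choice.

```python
"""Added example (not Linux-PAM code): an evaluator for pam_succeed_if module
arguments (flags plus "field test value" conditions) over constructed PAM items."""
import fnmatch

FLAGS = {"debug", "use_uid", "quiet", "quiet_fail", "quiet_success", "audit"}
FIELDS = {"user", "uid", "gid", "shell", "home", "ruser", "rhost", "tty", "service"}
NUMERIC = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b, "eq": lambda a, b: a == b,
           ">=": lambda a, b: a >= b, ">": lambda a, b: a > b, "ne": lambda a, b: a != b}

# Constructed stand-ins for the account database and a getgrnam()-style group table.
ALICE = {"user": "alice", "uid": 1000, "gid": 1000, "shell": "/bin/bash", "home": "/home/alice",
         "ruser": "", "rhost": "", "tty": "pts/0", "service": "sshd"}
DAEMON = dict(ALICE, user="daemon", uid=2, gid=2, shell="/usr/sbin/nologin", home="/")
ROOT = dict(ALICE, user="root", uid=0, gid=0, home="/root")
GROUPS = {"wheel": {"alice"}, "users": {"alice", "bob"}}


def check_condition(items, groups, field, test, value):
    """Evaluate one condition. ValueError marks an unparsable argument, which the
    module reports as PAM_SERVICE_ERR rather than as a failed test."""
    if field not in FIELDS:
        raise ValueError("unknown field %r" % field)
    if items.get(field) is None:
        raise ValueError("PAM item %r not available" % field)
    actual = str(items[field])
    if test in NUMERIC:
        return NUMERIC[test](int(actual), int(value))   # int() raises on non-numbers
    if test == "=":
        return actual == value
    if test == "!=":
        return actual != value
    if test == "=~":
        return fnmatch.fnmatchcase(actual, value)
    if test == "!~":
        return not fnmatch.fnmatchcase(actual, value)
    if test == "in":
        return actual in value.split(":")
    if test == "notin":
        return actual not in value.split(":")
    if test in ("ingroup", "notingroup"):
        if field != "user":
            raise ValueError("%s applies to the user field only" % test)
        member = actual in groups.get(value, set())
        return member if test == "ingroup" else not member
    # innetgr / notinnetgr need a netgroup lookup and are left out of this example
    raise ValueError("unknown test %r" % test)


def succeed_if(args, items, groups=GROUPS, caller_items=None):
    """Walk the module arguments: a known flag is consumed on its own, anything
    else must start a three-word condition. All conditions must hold."""
    words = args.split()
    flags, conditions = set(), []
    while words:
        if words[0] in FLAGS:
            flags.add(words.pop(0))
        elif len(words) >= 3:
            conditions.append(tuple(words[:3]))
            del words[:3]
        else:
            return "PAM_SERVICE_ERR"     # dangling partial condition
    if "use_uid" in flags:               # test the account the application runs as
        if caller_items is None:         # (example's choice: no caller info is an error)
            return "PAM_SERVICE_ERR"
        items = caller_items
    try:
        for field, test, value in conditions:
            if not check_condition(items, groups, field, test, value):
                return "PAM_AUTH_ERR"
    except ValueError:
        return "PAM_SERVICE_ERR"
    return "PAM_SUCCESS"


if __name__ == "__main__":
    # The two rules from the EXAMPLES section, applied to the constructed accounts.
    print(succeed_if("quiet user ingroup wheel", ALICE))   # PAM_SUCCESS
    print(succeed_if("quiet uid > 500", DAEMON))           # PAM_AUTH_ERR
```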
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>6.34. pam_time - time controlled access</title><meta name="generator" content="DocBook XSL Stylesheets Vsnapshot"><link rel="home" href="Linux-PAM_SAG.html" title="The Linux-PAM System Administrators' Guide"><link rel="up" href="sag-module-reference.html" title="Chapter 6. A reference guide for available modules"><link rel="prev" href="sag-pam_tally2.html" title="6.33. pam_tally2 - login counter (tallying) module"><link rel="next" href="sag-pam_timestamp.html" title="6.35. pam_timestamp - authenticate using cached successful authentication attempts"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">6.34. pam_time - time controlled access</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="sag-pam_tally2.html">Prev</a> </td><th width="60%" align="center">Chapter 6. A reference guide for available modules</th><td width="20%" align="right"> <a accesskey="n" href="sag-pam_timestamp.html">Next</a></td></tr></table><hr></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="sag-pam_time"></a>6.34. pam_time - time controlled access</h2></div></div></div><div class="cmdsynopsis"><p><code class="command">pam_time.so</code>  [
        debug
      ] [
        noaudit
      ]</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_time-description"></a>6.34.1. DESCRIPTION</h3></div></div></div><p>
      The pam_time PAM module does not authenticate the user, but instead
      it restricts access to a system and/or specific applications at
      various times of the day and on specific days or over various
      terminal lines. This module can be configured to deny access to
      (individual) users based on their name, the time of day, the day of
      week, the service they are applying for and their terminal from which
      they are making their request.
    </p><p>
      By default rules for time/port access are taken from config file
      <code class="filename">/etc/security/time.conf</code>.
    </p><p>
      If Linux PAM is compiled with audit support the module will report
      when it denies access.
    </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-time.conf-description"></a>6.34.2. DESCRIPTION</h3></div></div></div><p>
      For this module to function correctly there must be a correctly
      formatted <code class="filename">/etc/security/time.conf</code> file present.
      White space is ignored and lines may be extended with '\' (escaped
      newlines). Text following a '#' is ignored to the end of the line.
   </p><p>
      The syntax of the lines is as follows:
    </p><p>
      <em class="replaceable"><code>services</code></em>;<em class="replaceable"><code>ttys</code></em>;<em class="replaceable"><code>users</code></em>;<em class="replaceable"><code>times</code></em>
    </p><p>
      In words, each rule occupies a line, terminated with a newline
      or the beginning of a comment; a '<span class="emphasis"><em>#</em></span>'.
      It contains four fields separated with semicolons,
      '<span class="emphasis"><em>;</em></span>'.
    </p><p>
      The first field, the <em class="replaceable"><code>services</code></em> field,
      is a logic list of PAM service names that the rule applies to.
    </p><p>
      The second field, the <em class="replaceable"><code>tty</code></em>
      field, is a logic list of terminal names that this rule applies to.
    </p><p>
      The third field, the <em class="replaceable"><code>users</code></em>
      field, is a logic list of users or a netgroup of users to whom this
      rule applies.
    </p><p>
      For these items the simple wildcard '*' may be used only once.
      With netgroups no wildcards or logic operators are allowed.
    </p><p>
      The <em class="replaceable"><code>times</code></em> field is used to indicate the times
      at which this rule applies. The format here is a logic
      list of day/time-range entries. The days are specified by a sequence of
      two-character entries; MoTuSa, for example, is Monday, Tuesday and Saturday.
      Note that repeated days are unset: MoMo = no day, and MoWk = all weekdays
      bar Monday. The two-character combinations accepted are Mo Tu We Th Fr Sa
      Su Wk Wd Al, the last two being week-end days and all 7 days of the week
      respectively. As a final example, AlFr means all days except Friday.
    </p><p>
      Each day/time-range can be prefixed with a '!' to indicate
      "anything but".
      The time-range part is two 24-hour times HHMM, separated by a hyphen,
      indicating the start and finish time (if the finish time is smaller
      than the start time it is deemed to apply on the following day).
    </p><p>
      For a rule to be active, ALL of service+ttys+users must be satisfied
      by the applying process.
    </p><p>
      Note, currently there is no daemon enforcing the end of a session.
      This needs to be remedied.
    </p><p>
      Poorly formatted rules are logged as errors using
      <span class="citerefentry"><span class="refentrytitle">syslog</span>(3)</span>.
    </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_time-options"></a>6.34.3. OPTIONS</h3></div></div></div><div class="variablelist"><dl class="variablelist"><dt><span class="term">
          <code class="option">debug</code>
        </span></dt><dd><p>
            Some debug information is printed with
            <span class="citerefentry"><span class="refentrytitle">syslog</span>(3)</span>.
          </p></dd><dt><span class="term">
          <code class="option">noaudit</code>
        </span></dt><dd><p>
            Do not report logins at disallowed times to the audit subsystem.
          </p></dd></dl></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_time-types"></a>6.34.4. MODULE TYPES PROVIDED</h3></div></div></div><p>
      Only the <code class="option">account</code> type is provided.
    </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_time-return_values"></a>6.34.5. RETURN VALUES</h3></div></div></div><div class="variablelist"><dl class="variablelist"><dt><span class="term">PAM_SUCCESS</span></dt><dd><p>
             Access was granted.
          </p></dd><dt><span class="term">PAM_ABORT</span></dt><dd><p>
             Not all relevant data could be obtained.
          </p></dd><dt><span class="term">PAM_BUF_ERR</span></dt><dd><p>
            Memory buffer error.
          </p></dd><dt><span class="term">PAM_PERM_DENIED</span></dt><dd><p>
            Access was not granted.
          </p></dd><dt><span class="term">PAM_USER_UNKNOWN</span></dt><dd><p>
             The user is not known to the system.
          </p></dd></dl></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_time-files"></a>6.34.6. FILES</h3></div></div></div><div class="variablelist"><dl class="variablelist"><dt><span class="term"><code class="filename">/etc/security/time.conf</code></span></dt><dd><p>Default configuration file</p></dd></dl></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-time.conf-examples"></a>6.34.7. EXAMPLES</h3></div></div></div><p>
      These are some example lines which might be specified in
      <code class="filename">/etc/security/time.conf</code>.
    </p><p>
      All users except for <span class="emphasis"><em>root</em></span> are denied access
      to console-login at all times:
      </p><pre class="programlisting">
login ; tty* &amp; !ttyp* ; !root ; !Al0000-2400
      </pre><p>
    </p><p>
      Games (configured to use PAM) are only to be accessed out of
      working hours. This rule does not apply to the user
      <span class="emphasis"><em>waster</em></span>:
      </p><pre class="programlisting">
games ; * ; !waster ; Wd0000-2400 | Wk1800-0800
      </pre><p>
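A small Python model of how rules like the two above are evaluated, added here as an illustration and not part of Linux-PAM or the pam_time source. It reproduces the semantics a reader needs to predict the outcome of a rule: a trailing <code class="literal">*</code> is the only wildcard, the <code class="literal">&amp;</code> / <code class="literal">|</code> / <code class="literal">!</code> operators in a field are applied strictly left to right with no precedence, repeated day codes toggle (so <code class="literal">WkMo</code> means Tuesday to Friday), and a range whose end is earlier than its start wraps past midnight into the morning of the following day. Treat those details as assumptions to verify against the installed module; the two rule lines are taken verbatim from this section and the dates in the helper are constructed.

```python
"""Evaluator for pam_time-style /etc/security/time.conf rules (added example, not Linux-PAM code)."""
import re
from datetime import datetime

# Day codes accepted in the time field, mapped to datetime.weekday() numbers (Monday = 0).
DAY_CODES = {
    "Mo": {0}, "Tu": {1}, "We": {2}, "Th": {3}, "Fr": {4}, "Sa": {5}, "Su": {6},
    "Wk": {0, 1, 2, 3, 4}, "Wd": {5, 6}, "Al": {0, 1, 2, 3, 4, 5, 6},
}

# The two example lines from this section of the guide.
TIME_CONF = """\
login ; tty* & !ttyp* ; !root ; !Al0000-2400
games ; * ; !waster ; Wd0000-2400 | Wk1800-0800
"""


def glob_match(pattern, value):
    """time.conf wildcard: only a trailing '*' is special and matches any suffix."""
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value


def time_match(spec, when):
    """Match a 'DaysHHMM-HHMM' term. Repeated day codes toggle ('WkMo' is Tu-Fr);
    an end time before the start time wraps past midnight into the next morning."""
    i, days = 0, set()
    while i < len(spec) and not spec[i].isdigit():
        code = spec[i:i + 2]
        if code not in DAY_CODES:
            raise ValueError("bad day code in %r" % spec)
        days ^= DAY_CODES[code]          # toggle: a repeated code unsets its days
        i += 2
    start_s, end_s = spec[i:].split("-")
    start = int(start_s[:2]) * 60 + int(start_s[2:])
    end = int(end_s[:2]) * 60 + int(end_s[2:])
    minute = when.hour * 60 + when.minute
    day = when.weekday()
    if start < end:
        return day in days and start <= minute < end
    # Wrapped range: the late part belongs to the listed day, the early part to the day after it.
    return (day in days and minute >= start) or ((day - 1) % 7 in days and minute < end)


def logic_field(field, agrees):
    """Evaluate one ';'-separated field: terms joined by '&' / '|', optionally negated
    with '!', combined strictly left to right (no operator precedence)."""
    result, op = False, None
    for tok in re.findall(r"[&|]|!?[^\s&|!]+", field):
        if tok in ("&", "|"):
            op = tok
            continue
        negated = tok.startswith("!")
        value = agrees(tok.lstrip("!")) != negated   # XOR with the '!' prefix
        if op == "&":
            result = result and value
        elif op == "|":
            result = result or value
        else:
            result = value
        op = None
    return result


def parse_rules(conf):
    """Parse lines of the form 'services ; ttys ; users ; times', ignoring '#' comments."""
    rules = []
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(";")]
        if len(fields) != 4:
            raise ValueError("expected four ';'-separated fields: %r" % line)
        rules.append(tuple(fields))
    return rules


def access_allowed(rules, service, tty, user, when):
    """Account check: every rule whose service, tty and user fields all match must also
    have a true time field; otherwise the result is a denial (PAM_PERM_DENIED)."""
    for services, ttys, users, times in rules:
        if not logic_field(services, lambda p: glob_match(p, service)):
            continue
        if not logic_field(ttys, lambda p: glob_match(p, tty)):
            continue
        if not logic_field(users, lambda p: glob_match(p, user)):
            continue
        if not logic_field(times, lambda spec: time_match(spec, when)):
            return False
    return True


RULES = parse_rules(TIME_CONF)


def check(service, tty, user, iso_when):
    """Convenience wrapper: evaluate the sample rules at an ISO 8601 timestamp (constructed input)."""
    return access_allowed(RULES, service, tty, user, datetime.fromisoformat(iso_when))
```

The wrap-around rule is the part most often misread: with the second line, a non-waster user is still denied at 07:00 on a Monday, because the preceding day (Sunday) is not in <code class="literal">Wk</code>, while 07:00 on a Wednesday is allowed because Tuesday is.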
    </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_time-authors"></a>6.34.8. AUTHOR</h3></div></div></div><p>
      pam_time was written by Andrew G. Morgan &lt;morgan@kernel.org&gt;.
    </p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="sag-pam_tally2.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="sag-module-reference.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="sag-pam_timestamp.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">6.33. pam_tally2 - login counter (tallying) module </td><td width="20%" align="center"><a accesskey="h" href="Linux-PAM_SAG.html">Home</a></td><td width="40%" align="right" valign="top"> 6.35. pam_timestamp - authenticate using cached successful authentication attempts</td></tr></table></div></body></html>
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>6.35. pam_timestamp - authenticate using cached successful authentication attempts</title><meta name="generator" content="DocBook XSL Stylesheets Vsnapshot"><link rel="home" href="Linux-PAM_SAG.html" title="The Linux-PAM System Administrators' Guide"><link rel="up" href="sag-module-reference.html" title="Chapter 6. A reference guide for available modules"><link rel="prev" href="sag-pam_time.html" title="6.34. pam_time - time controlled access"><link rel="next" href="sag-pam_umask.html" title="6.36. pam_umask - set the file mode creation mask"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">6.35. pam_timestamp - authenticate using cached successful authentication attempts</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="sag-pam_time.html">Prev</a> </td><th width="60%" align="center">Chapter 6. A reference guide for available modules</th><td width="20%" align="right"> <a accesskey="n" href="sag-pam_umask.html">Next</a></td></tr></table><hr></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="sag-pam_timestamp"></a>6.35. pam_timestamp - authenticate using cached successful authentication attempts</h2></div></div></div><div class="cmdsynopsis"><p><code class="command">pam_timestamp.so</code>  [
        timestampdir=<em class="replaceable"><code>directory</code></em>
      ] [
        timestamp_timeout=<em class="replaceable"><code>number</code></em>
      ] [
        verbose
      ] [
        debug
      ]</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_timestamp-description"></a>6.35.1. DESCRIPTION</h3></div></div></div><p>
      In a nutshell, <span class="emphasis"><em>pam_timestamp</em></span> caches successful
authentication attempts, and allows you to use a recent successful attempt as
the basis for authentication. This is a similar mechanism to the one used by
<span class="command"><strong>sudo</strong></span>.
    </p><p>
      When an application opens a session using <span class="emphasis"><em>pam_timestamp</em></span>,
a timestamp file is created in the <span class="emphasis"><em>timestampdir</em></span> directory
for the user.  When an application attempts to authenticate the user,
<span class="emphasis"><em>pam_timestamp</em></span> will treat a sufficiently recent timestamp
file as grounds for succeeding.
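The two halves of that mechanism, as an added Python model rather than the module's own code: the session half records a timestamp file for the user, and the auth half accepts it only while it is younger than the timeout (the 300-second default below is the one documented in this section). The permission, symlink and future-mtime checks, and the refusal of user names containing a path separator, are defensive assumptions of this model, not documented module behaviour; the directory and user names in <code class="function">demo()</code> are constructed.

```python
"""Model of pam_timestamp's cached-authentication check (added example, not Linux-PAM code)."""
import os
import stat
import tempfile
import time

DEFAULT_TIMEOUT = 300   # seconds; the documented timestamp_timeout default


def _stamp_path(tsdir, user):
    # Defensive assumption: never let a user name escape the timestamp directory.
    if not user or "/" in user or user in (".", ".."):
        raise ValueError("unsafe user name: %r" % user)
    return os.path.join(tsdir, user)


def record_success(tsdir, user):
    """Session half: create (or refresh) the user's timestamp file with a private mode."""
    os.makedirs(tsdir, mode=0o700, exist_ok=True)
    path = _stamp_path(tsdir, user)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    os.close(fd)
    os.utime(path, None)   # bump mtime when the file already existed
    return path


def cached_auth_ok(tsdir, user, timeout=DEFAULT_TIMEOUT, now=None):
    """Auth half: succeed only on a regular (non-symlink) file that is not group- or
    world-writable and whose mtime is neither in the future nor older than timeout."""
    now = time.time() if now is None else now
    try:
        st = os.lstat(_stamp_path(tsdir, user))   # lstat: a symlink is never accepted
    except FileNotFoundError:
        return False
    if not stat.S_ISREG(st.st_mode):
        return False
    if stat.S_IMODE(st.st_mode) & 0o022:
        return False
    age = now - st.st_mtime
    return 0 <= age <= timeout   # a negative age means a clock or tampered mtime


def demo():
    """Exercise both halves in a throwaway directory; 'now' is injected so results are stable."""
    with tempfile.TemporaryDirectory() as tsdir:
        t = time.time()
        record_success(tsdir, "alice")
        return {
            "fresh": cached_auth_ok(tsdir, "alice", now=t + 10),
            "expired": cached_auth_ok(tsdir, "alice", now=t + 400),
            "longer_timeout": cached_auth_ok(tsdir, "alice", timeout=600, now=t + 400),
            "future_mtime": cached_auth_ok(tsdir, "alice", now=t - 100),
            "no_stamp": cached_auth_ok(tsdir, "bob", now=t + 10),
        }
```

The <code class="option">timestamp_timeout</code> value is therefore the whole security budget of the cache: anyone who can run a program under the user's identity within that window gets the cached success, which is why the timestamp directory and files must stay private.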
    </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_timestamp-options"></a>6.35.2. OPTIONS</h3></div></div></div><div class="variablelist"><dl class="variablelist"><dt><span class="term">
            <code class="option">timestampdir=<em class="replaceable"><code>directory</code></em></code>
         </span></dt><dd><p>
               Specify an alternate directory where
	       <span class="emphasis"><em>pam_timestamp</em></span> creates timestamp files.
            </p></dd><dt><span class="term">
            <code class="option">timestamp_timeout=<em class="replaceable"><code>number</code></em></code>
         </span></dt><dd><p>
               How long (in seconds) <span class="emphasis"><em>pam_timestamp</em></span>
	       should treat timestamp files as valid after their
               last modification date. The default is 300 seconds.
            </p></dd><dt><span class="term">
            <code class="option">verbose</code>
         </span></dt><dd><p>
               Attempt to inform the user when access is granted.
            </p></dd><dt><span class="term">
            <code class="option">debug</code>
         </span></dt><dd><p>
               Turns on debugging messages sent to <span class="citerefentry"><span class="refentrytitle">syslog</span>(3)</span>.
            </p></dd></dl></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_timestamp-types"></a>6.35.3. MODULE TYPES PROVIDED</h3></div></div></div><p>
      The <code class="option">auth</code> and <code class="option">session</code>
      module types are provided.
    </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_timestamp-return_values"></a>6.35.4. RETURN VALUES</h3></div></div></div><div class="variablelist"><dl class="variablelist"><dt><span class="term">PAM_AUTH_ERR</span></dt><dd><p>
            The module was not able to retrieve the user name or
            no valid timestamp file was found.
          </p></dd><dt><span class="term">PAM_SUCCESS</span></dt><dd><p>
            Everything was successful.
          </p></dd><dt><span class="term">PAM_SESSION_ERR</span></dt><dd><p>
	    Timestamp file could not be created or updated.
          </p></dd></dl></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_timestamp-notes"></a>6.35.5. NOTES</h3></div></div></div><p>
      Users can get confused when they are not always asked for passwords when
running a given program. Some users reflexively begin typing information before
noticing that it is not being asked for.
    </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_timestamp-examples"></a>6.35.6. EXAMPLES</h3></div></div></div><pre class="programlisting">
auth sufficient pam_timestamp.so verbose
auth required   pam_unix.so

session required pam_unix.so
session optional pam_timestamp.so
    </pre></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_timestamp-files"></a>6.35.7. FILES</h3></div></div></div><div class="variablelist"><dl class="variablelist"><dt><span class="term"><code class="filename">/var/run/pam_timestamp/...</code></span></dt><dd><p>timestamp files and directories</p></dd></dl></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_timestamp-author"></a>6.35.8. AUTHOR</h3></div></div></div><p>
        pam_timestamp was written by Nalin Dahyabhai.
      </p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="sag-pam_time.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="sag-module-reference.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="sag-pam_umask.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">6.34. pam_time - time controlled access </td><td width="20%" align="center"><a accesskey="h" href="Linux-PAM_SAG.html">Home</a></td><td width="40%" align="right" valign="top"> 6.36. pam_umask - set the file mode creation mask</td></tr></table></div></body></html>
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>6.36. pam_umask - set the file mode creation mask</title><meta name="generator" content="DocBook XSL Stylesheets Vsnapshot"><link rel="home" href="Linux-PAM_SAG.html" title="The Linux-PAM System Administrators' Guide"><link rel="up" href="sag-module-reference.html" title="Chapter 6. A reference guide for available modules"><link rel="prev" href="sag-pam_timestamp.html" title="6.35. pam_timestamp - authenticate using cached successful authentication attempts"><link rel="next" href="sag-pam_unix.html" title="6.37. pam_unix - traditional password authentication"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">6.36. pam_umask - set the file mode creation mask</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="sag-pam_timestamp.html">Prev</a> </td><th width="60%" align="center">Chapter 6. A reference guide for available modules</th><td width="20%" align="right"> <a accesskey="n" href="sag-pam_unix.html">Next</a></td></tr></table><hr></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="sag-pam_umask"></a>6.36. pam_umask - set the file mode creation mask</h2></div></div></div><div class="cmdsynopsis"><p><code class="command">pam_umask.so</code>  [
	debug
      ] [
        silent
      ] [
        usergroups
      ] [
        umask=<em class="replaceable"><code>mask</code></em>
      ]</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_umask-description"></a>6.36.1. DESCRIPTION</h3></div></div></div><p>
      pam_umask is a PAM module to set the file mode creation mask
      of the current environment. The umask affects the default
      permissions assigned to newly created files.
    </p><p>
      The PAM module tries to get the umask value from the
      following places in the following order:
      </p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
            umask= entry in the user's GECOS field
          </p></li><li class="listitem"><p>
            umask= argument
          </p></li><li class="listitem"><p>
            UMASK entry from /etc/login.defs
          </p></li><li class="listitem"><p>
            UMASK= entry from /etc/default/login
          </p></li></ul></div><p>
    </p><p>
      The GECOS field is split on comma ',' characters. In addition to the
      umask= entry, the module also recognizes a pri= entry,
      which sets the nice priority value for the session, and a
      ulimit= entry, which sets the maximum size of files the processes
      in the session can create.
    </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_umask-options"></a>6.36.2. OPTIONS</h3></div></div></div><p>
      </p><div class="variablelist"><dl class="variablelist"><dt><span class="term">
            <code class="option">debug</code>
          </span></dt><dd><p>
	      Print debug information.
            </p></dd><dt><span class="term">
            <code class="option">silent</code>
          </span></dt><dd><p>
              Don't print informative messages.
            </p></dd><dt><span class="term">
            <code class="option">usergroups</code>
          </span></dt><dd><p>
              If the user is not root and the username is the same as the
              primary group name, the umask group bits are set to be the
              same as the owner bits (examples: 022 -&gt; 002, 077 -&gt; 007).
            </p></dd><dt><span class="term">
            <code class="option">umask=<em class="replaceable"><code>mask</code></em></code>
          </span></dt><dd><p>
               Sets the calling process's file mode creation mask (umask)
               to <code class="option">mask</code> &amp; 0777. The value is interpreted
               as octal.
            </p></dd></dl></div><p>
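The lookup order from the description, together with the <code class="option">usergroups</code> transformation and the <code class="option">mask</code> &amp; 0777 rule of the <code class="option">umask=</code> option, as an added Python model rather than the module's own code. The GECOS string, the <code class="literal">UMASK 022</code> line for <code class="filename">/etc/login.defs</code> and the <code class="literal">UMASK=022</code> line for <code class="filename">/etc/default/login</code> are constructed sample inputs; the parsers assume the whitespace-separated and key=value forms those two files conventionally use.

```python
"""Model of pam_umask's umask resolution (added example, not Linux-PAM code)."""


def parse_gecos(gecos):
    """Split the GECOS field on ',' and pick out the umask=, pri= and ulimit= entries."""
    settings = {}
    for part in gecos.split(","):
        key, sep, value = part.strip().partition("=")
        if sep and key in ("umask", "pri", "ulimit"):
            settings[key] = value
    return settings


def parse_login_defs(text):
    """UMASK entry from /etc/login.defs: 'UMASK 022', whitespace separated, '#' comments."""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "UMASK":
            return fields[1]
    return None


def parse_default_login(text):
    """UMASK= entry from /etc/default/login: 'UMASK=022'."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("UMASK="):
            return line[len("UMASK="):].strip()
    return None


def resolve_umask(gecos="", umask_arg=None, login_defs="", default_login=""):
    """Try the sources in the documented order and return the first value found,
    parsed as octal and masked with 0777; None when no source provides one."""
    candidates = [
        parse_gecos(gecos).get("umask"),    # 1. umask= entry in the GECOS field
        umask_arg,                          # 2. umask= module argument
        parse_login_defs(login_defs),       # 3. UMASK from /etc/login.defs
        parse_default_login(default_login), # 4. UMASK= from /etc/default/login
    ]
    for value in candidates:
        if value is not None:
            return int(value, 8) & 0o777
    return None


def apply_usergroups(mask, user, primary_group, is_root=False):
    """usergroups option: for a non-root user whose name equals the primary group name,
    copy the owner bits into the group bits (022 -> 002, 077 -> 007)."""
    if is_root or user != primary_group:
        return mask
    return (mask & ~0o070) | ((mask & 0o700) >> 3)
```

Because the GECOS field wins over the module argument, a user who can edit their own GECOS entry (for example with <code class="command">chfn</code>) can pick a looser umask than the administrator configured; the <code class="option">umask=</code> argument is a default, not a ceiling.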

    </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_umask-types"></a>6.36.3. MODULE TYPES PROVIDED</h3></div></div></div><p>
      Only the <code class="option">session</code> type is provided.
    </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_umask-return_values"></a>6.36.4. RETURN VALUES</h3></div></div></div><p>
      </p><div class="variablelist"><dl class="variablelist"><dt><span class="term">PAM_SUCCESS</span></dt><dd><p>
              The new umask was set successfully.
            </p></dd><dt><span class="term">PAM_SERVICE_ERR</span></dt><dd><p>
	      No username was given.
            </p></dd><dt><span class="term">PAM_USER_UNKNOWN</span></dt><dd><p>
	      User not known.
            </p></dd></dl></div><p>
    </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_umask-examples"></a>6.36.5. EXAMPLES</h3></div></div></div><p>
      Add the following line to <code class="filename">/etc/pam.d/login</code> to
      set the user specific umask at login:
      </p><pre class="programlisting">
        session optional pam_umask.so umask=0022
      </pre><p>
    </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_umask-author"></a>6.36.6. AUTHOR</h3></div></div></div><p>
        pam_umask was written by Thorsten Kukuk &lt;kukuk@thkukuk.de&gt;.
      </p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="sag-pam_timestamp.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="sag-module-reference.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="sag-pam_unix.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">6.35. pam_timestamp - authenticate using cached successful authentication attempts </td><td width="20%" align="center"><a accesskey="h" href="Linux-PAM_SAG.html">Home</a></td><td width="40%" align="right" valign="top"> 6.37. pam_unix - traditional password authentication</td></tr></table></div></body></html>
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>6.37. pam_unix - traditional password authentication</title><meta name="generator" content="DocBook XSL Stylesheets Vsnapshot"><link rel="home" href="Linux-PAM_SAG.html" title="The Linux-PAM System Administrators' Guide"><link rel="up" href="sag-module-reference.html" title="Chapter 6. A reference guide for available modules"><link rel="prev" href="sag-pam_umask.html" title="6.36. pam_umask - set the file mode creation mask"><link rel="next" href="sag-pam_userdb.html" title="6.38. pam_userdb - authenticate against a db database"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">6.37. pam_unix - traditional password authentication</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="sag-pam_umask.html">Prev</a> </td><th width="60%" align="center">Chapter 6. A reference guide for available modules</th><td width="20%" align="right"> <a accesskey="n" href="sag-pam_userdb.html">Next</a></td></tr></table><hr></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="sag-pam_unix"></a>6.37. pam_unix - traditional password authentication</h2></div></div></div><div class="cmdsynopsis"><p><code class="command">pam_unix.so</code>  [
        ...
      ]</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_unix-description"></a>6.37.1. DESCRIPTION</h3></div></div></div><p>
      This is the standard Unix authentication module. It uses standard
      calls from the system's libraries to retrieve and set account
      information as well as to perform authentication. Usually this is
      obtained from /etc/passwd, and from /etc/shadow as well if shadow
      passwords are enabled.
    </p><p>
      The account component performs the task of establishing the status
      of the user's account and password based on the following
      <span class="emphasis"><em>shadow</em></span> elements: expire, last_change, max_change,
      min_change, warn_change. In the case of the latter, it may offer advice
      to the user on changing their password or, through the
      <span class="emphasis"><em>PAM_AUTHTOKEN_REQD</em></span> return, delay
      giving service to the user until they have established a new password.
      The entries listed above are documented in the <span class="citerefentry"><span class="refentrytitle">shadow</span>(5)</span> manual page. Should the user's record not contain
      one or more of these entries, the corresponding
      <span class="emphasis"><em>shadow</em></span> check is not performed.
    </p><p>
      The authentication component performs the task of checking the
      user's credentials (password). The default action of this module
      is to not permit the user access to a service if their official
      password is blank.
    </p><p>
      A helper binary, <span class="citerefentry"><span class="refentrytitle">unix_chkpwd</span>(8)</span>, is provided
      to check the user's password when it is stored in a read
      protected database. This binary is very simple and will only
      check the password of the user invoking it. It is called
      transparently on behalf of the user by the authenticating
      component of this module. In this way it is possible
      for applications like <span class="citerefentry"><span class="refentrytitle">xlock</span>(1)</span> to work without
      being setuid-root. The module, by default, will temporarily turn
      off SIGCHLD handling for the duration of execution of the helper
      binary. This is generally the right thing to do, as many applications
      are not prepared to handle this signal from a child they didn't know
      was <code class="function">fork()</code>d. The <code class="option">noreap</code> module
      argument can be used to suppress this temporary shielding and may be
      needed for use with certain applications.
    </p><p>
      The maximum length of a password supported by the pam_unix module
      via the helper binary is <span class="emphasis"><em>PAM_MAX_RESP_SIZE</em></span>
      - currently 512 bytes. The rest of the password provided by the
      conversation function to the module will be ignored.
    </p><p>
      The password component of this module performs the task of updating
      the user's password. The default encryption hash is taken from the
      <span class="emphasis"><em>ENCRYPT_METHOD</em></span> variable in
      <span class="emphasis"><em>/etc/login.defs</em></span>.
    </p><p>
      The session component of this module logs when a user logs in to
      or leaves the system.
    </p><p>
      Remaining arguments, supported by other functions of this
      module, are silently ignored. Other arguments are logged as
      errors through <span class="citerefentry"><span class="refentrytitle">syslog</span>(3)</span>.
    </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_unix-options"></a>6.37.2. OPTIONS</h3></div></div></div><div class="variablelist"><dl class="variablelist"><dt><span class="term">
          <code class="option">debug</code>
        </span></dt><dd><p>
	    Turns on debugging via
            <span class="citerefentry"><span class="refentrytitle">syslog</span>(3)</span>.
          </p></dd><dt><span class="term">
          <code class="option">audit</code>
        </span></dt><dd><p>
            A little more extreme than debug.
          </p></dd><dt><span class="term">
          <code class="option">quiet</code>
        </span></dt><dd><p>
	    Turns off informational messages, namely messages about
	    session open and close, sent via
            <span class="citerefentry"><span class="refentrytitle">syslog</span>(3)</span>.
          </p></dd><dt><span class="term">
          <code class="option">nullok</code>
        </span></dt><dd><p>
            The default action of this module is to not permit the
            user access to a service if their official password is blank.
            The <code class="option">nullok</code> argument overrides this default.
          </p></dd><dt><span class="term">
          <code class="option">try_first_pass</code>
        </span></dt><dd><p>
            Before prompting the user for their password, the module first
            tries the previous stacked module's password in case that
            satisfies this module as well.
          </p></dd><dt><span class="term">
          <code class="option">use_first_pass</code>
        </span></dt><dd><p>
            The argument <code class="option">use_first_pass</code> forces the module
            to use a previously stacked module's password and will never prompt
            the user - if no password is available or the password is not
            appropriate, the user will be denied access.
          </p></dd><dt><span class="term">
          <code class="option">nodelay</code>
        </span></dt><dd><p>
            This argument can be used to discourage the authentication
            component from requesting a delay should the authentication
            as a whole fail. The default action is for the module to
            request a delay-on-failure of the order of two seconds.
          </p></dd><dt><span class="term">
          <code class="option">use_authtok</code>
        </span></dt><dd><p>
            When changing passwords, force the module to set the new
            password to the one provided by a previously stacked
            <code class="option">password</code> module (this is used in the
            stacking example with the <span class="command"><strong>pam_cracklib</strong></span>
            module documented below).
          </p></dd><dt><span class="term">
          <code class="option">authtok_type=<em class="replaceable"><code>type</code></em></code>
        </span></dt><dd><p>
            This argument can be used to modify the password prompt
            when changing passwords to include the type of the password.
            Empty by default.
          </p></dd><dt><span class="term">
          <code class="option">nis</code>
        </span></dt><dd><p>
            NIS RPC is used for setting new passwords.
          </p></dd><dt><span class="term">
          <code class="option">remember=<em class="replaceable"><code>n</code></em></code>
        </span></dt><dd><p>
            The last <em class="replaceable"><code>n</code></em> passwords for each
            user are saved in <code class="filename">/etc/security/opasswd</code>
            in order to force password change history and keep the user
            from alternating between the same password too frequently.
            The MD5 password hash algorithm is used for storing the
            old passwords.
            Instead of this option the <span class="command"><strong>pam_pwhistory</strong></span>
            module should be used.
          </p></dd><dt><span class="term">
          <code class="option">shadow</code>
        </span></dt><dd><p>
            Try to maintain a shadow based system.
          </p></dd><dt><span class="term">
          <code class="option">md5</code>
        </span></dt><dd><p>
            When a user changes their password next, encrypt
            it with the MD5 algorithm.
          </p></dd><dt><span class="term">
          <code class="option">bigcrypt</code>
        </span></dt><dd><p>
            When a user changes their password next,
            encrypt it with the DEC C2 algorithm.
          </p></dd><dt><span class="term">
          <code class="option">sha256</code>
        </span></dt><dd><p>
            When a user changes their password next,
            encrypt it with the SHA256 algorithm. The
            SHA256 algorithm must be supported by the <span class="citerefentry"><span class="refentrytitle">crypt</span>(3)</span> function.
          </p></dd><dt><span class="term">
          <code class="option">sha512</code>
        </span></dt><dd><p>
            When a user changes their password next,
            encrypt it with the SHA512 algorithm. The
            SHA512 algorithm must be supported by the <span class="citerefentry"><span class="refentrytitle">crypt</span>(3)</span> function.
          </p></dd><dt><span class="term">
          <code class="option">blowfish</code>
        </span></dt><dd><p>
            When a user changes their password next,
            encrypt it with the blowfish algorithm. The
            blowfish algorithm must be supported by the <span class="citerefentry"><span class="refentrytitle">crypt</span>(3)</span> function.
          </p></dd><dt><span class="term">
          <code class="option">rounds=<em class="replaceable"><code>n</code></em></code>
        </span></dt><dd><p>
            Set the optional number of rounds of the SHA256, SHA512
            and blowfish password hashing algorithms to
            <em class="replaceable"><code>n</code></em>.
          </p></dd><dt><span class="term">
          <code class="option">broken_shadow</code>
        </span></dt><dd><p>
            Ignore errors reading shadow information for
            users in the account management module.
          </p></dd><dt><span class="term">
          <code class="option">minlen=<em class="replaceable"><code>n</code></em></code>
        </span></dt><dd><p>
            Set a minimum password length of <em class="replaceable"><code>n</code></em>
            characters. The maximum for DES crypt based passwords is 8
            characters.
          </p></dd><dt><span class="term">
          <code class="option">no_pass_expiry</code>
        </span></dt><dd><p>
            When set, ignore password expiration as defined by the
            <span class="emphasis"><em>shadow</em></span> entry of the user. The option has an
            effect only if <span class="emphasis"><em>pam_unix</em></span> was not used
            for the authentication or it returned an authentication failure,
            meaning that another authentication source or method succeeded;
            public key authentication in
            <span class="emphasis"><em>sshd</em></span> is one example. The module will return
            <span class="emphasis"><em>PAM_SUCCESS</em></span> instead of the eventual
            <span class="emphasis"><em>PAM_NEW_AUTHTOK_REQD</em></span> or
            <span class="emphasis"><em>PAM_AUTHTOK_EXPIRED</em></span>.
          </p></dd></dl></div><p>
      Invalid arguments are logged with <span class="citerefentry"><span class="refentrytitle">syslog</span>(3)</span>.
    </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_unix-types"></a>6.37.3. MODULE TYPES PROVIDED</h3></div></div></div><p>
      All module types (<code class="option">account</code>, <code class="option">auth</code>,
      <code class="option">password</code> and <code class="option">session</code>) are provided.
    </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_unix-return_values"></a>6.37.4. RETURN VALUES</h3></div></div></div><div class="variablelist"><dl class="variablelist"><dt><span class="term">PAM_IGNORE</span></dt><dd><p>
            Ignore this module.
          </p></dd></dl></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_unix-examples"></a>6.37.5. EXAMPLES</h3></div></div></div><p>
      An example usage for <code class="filename">/etc/pam.d/login</code>
      would be:
      </p><pre class="programlisting">
# Authenticate the user
auth       required   pam_unix.so
# Ensure users account and password are still active
account    required   pam_unix.so
# Change the user's password, but at first check the strength
# with pam_cracklib(8)
password   required   pam_cracklib.so retry=3 minlen=6 difok=3
password   required   pam_unix.so use_authtok nullok md5
session    required   pam_unix.so
      </pre><p>
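How the control keywords in this stack, and in the pam_timestamp auth stack of section 6.35.6, decide the outcome, as an added Python model rather than libpam's own dispatch code. It implements the classic required / requisite / sufficient / optional semantics of <span class="citerefentry"><span class="refentrytitle">pam.conf</span>(5)</span> in simplified form (no <code class="literal">[value=action]</code> syntax), and takes each module's result from a lookup table instead of calling real modules, so the reader can see which modules actually run; the two configuration texts are copied from those examples.

```python
"""Simplified model of how libpam walks a module stack (added example, not Linux-PAM code)."""

# Copied from the pam_timestamp example in this guide.
TIMESTAMP_AUTH = """\
auth sufficient pam_timestamp.so verbose
auth required   pam_unix.so
"""

# Copied from the pam_unix example for /etc/pam.d/login in this guide.
LOGIN_CONF = """\
# Authenticate the user
auth       required   pam_unix.so
# Ensure users account and password are still active
account    required   pam_unix.so
# Change the user's password, but at first check the strength
# with pam_cracklib(8)
password   required   pam_cracklib.so retry=3 minlen=6 difok=3
password   required   pam_unix.so use_authtok nullok md5
session    required   pam_unix.so
"""


def parse_stack(conf, module_type):
    """Return (control, module, args) for every line of the given type, skipping comments."""
    entries = []
    for line in conf.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == module_type:
            entries.append((fields[1], fields[2], fields[3:]))
    return entries


def run_stack(entries, outcomes):
    """Walk the stack; outcomes maps a module name to the boolean result it would return.

    Returns (overall success, modules actually called). Model of the classic keywords:
    required records a failure but keeps going; requisite fails at once; sufficient
    succeeds at once unless a required module already failed; optional only counts
    when nothing else produced a result; a stack in which nothing produced a result
    fails (libpam's must-fail default).
    """
    invoked, required_failed, decided, optional_results = [], False, False, []
    for control, module, _args in entries:
        ok = outcomes[module]
        invoked.append(module)
        if control == "required":
            decided = True
            required_failed = required_failed or not ok
        elif control == "requisite":
            decided = True
            if not ok:
                return False, invoked
        elif control == "sufficient":
            if ok and not required_failed:
                return True, invoked    # short-circuit: later modules are not called
        elif control == "optional":
            optional_results.append(ok)
        else:
            raise ValueError("unsupported control keyword: %r" % control)
    if decided:
        return not required_failed, invoked
    if optional_results:
        return all(optional_results), invoked
    return False, invoked
```

Two consequences worth noticing: with a fresh timestamp the <code class="option">sufficient</code> pam_timestamp entry returns success before pam_unix is ever consulted, and in the password stack a pam_cracklib rejection still lets pam_unix run (it is <code class="option">required</code>, not <code class="option">requisite</code>), only to have the overall result fail afterwards.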
    </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_unix-author"></a>6.37.6. AUTHOR</h3></div></div></div><p>
        pam_unix was written by various people.
      </p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="sag-pam_umask.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="sag-module-reference.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="sag-pam_userdb.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">6.36. pam_umask - set the file mode creation mask </td><td width="20%" align="center"><a accesskey="h" href="Linux-PAM_SAG.html">Home</a></td><td width="40%" align="right" valign="top"> 6.38. pam_userdb - authenticate against a db database</td></tr></table></div></body></html>
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>6.38. pam_userdb - authenticate against a db database</title><meta name="generator" content="DocBook XSL Stylesheets Vsnapshot"><link rel="home" href="Linux-PAM_SAG.html" title="The Linux-PAM System Administrators' Guide"><link rel="up" href="sag-module-reference.html" title="Chapter 6. A reference guide for available modules"><link rel="prev" href="sag-pam_unix.html" title="6.37. pam_unix - traditional password authentication"><link rel="next" href="sag-pam_warn.html" title="6.39. pam_warn - logs all PAM items"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">6.38. pam_userdb - authenticate against a db database</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="sag-pam_unix.html">Prev</a> </td><th width="60%" align="center">Chapter 6. A reference guide for available modules</th><td width="20%" align="right"> <a accesskey="n" href="sag-pam_warn.html">Next</a></td></tr></table><hr></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="sag-pam_userdb"></a>6.38. pam_userdb - authenticate against a db database</h2></div></div></div><div class="cmdsynopsis"><p><code class="command">pam_userdb.so</code>   
	db=<em class="replaceable"><code>/path/database</code></em>
        [
	debug
      ] [
        crypt=[crypt|none]
      ] [
        icase
      ] [
        dump
      ] [
        try_first_pass
      ] [
        use_first_pass
      ] [
        unknown_ok
      ] [
        key_only
      ]</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_userdb-description"></a>6.38.1. DESCRIPTION</h3></div></div></div><p>
      The pam_userdb module is used to verify a username/password pair
      against values stored in a Berkeley DB database. The database is
      indexed by the username, and the data fields corresponding to the
      username keys are the passwords.
    </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_userdb-options"></a>6.38.2. OPTIONS</h3></div></div></div><div class="variablelist"><dl class="variablelist"><dt><span class="term">
          <code class="option">crypt=[crypt|none]</code>
        </span></dt><dd><p>
            Indicates whether encrypted or plaintext passwords are stored
            in the database.  If it is <code class="option">crypt</code>, passwords
            should be stored in the database in
            <span class="citerefentry"><span class="refentrytitle">crypt</span>(3)</span> form.  If <code class="option">none</code> is selected,
            passwords should be stored in the database as plaintext.
          </p></dd><dt><span class="term">
          <code class="option">db=<em class="replaceable"><code>/path/database</code></em></code>
        </span></dt><dd><p>
            Use the <code class="filename">/path/database</code> database for
            performing lookup. There is no default; the module will
            return <span class="emphasis"><em>PAM_IGNORE</em></span> if no
            database is provided. Note that the path to the database file
            should be specified without the <code class="filename">.db</code> suffix.
          </p></dd><dt><span class="term">
          <code class="option">debug</code>
        </span></dt><dd><p>
            Print debug information. Note that password hashes, both from db
            and computed, will be printed to syslog.
          </p></dd><dt><span class="term">
          <code class="option">dump</code>
        </span></dt><dd><p>
            Dump all the entries in the database to the log.
            Don't do this by default!
          </p></dd><dt><span class="term">
          <code class="option">icase</code>
        </span></dt><dd><p>
            Make the password verification case insensitive
            (i.e. when working with registration numbers and such).
            Only works with plaintext password storage.
          </p></dd><dt><span class="term">
          <code class="option">try_first_pass</code>
        </span></dt><dd><p>
            Use the authentication token previously obtained by
            another module that did the conversation with the
            application.  If this token cannot be obtained then
            the module will try to converse. This option can
            be used for stacking different modules that need to
            deal with the authentication tokens.
          </p></dd><dt><span class="term">
          <code class="option">use_first_pass</code>
        </span></dt><dd><p>
            Use the authentication token previously obtained by
            another module that did the conversation with the
            application.  If this token cannot be obtained then
            the module will fail. This option can be used for
            stacking different modules that need to deal with
            the authentication tokens.
          </p></dd><dt><span class="term">
          <code class="option">unknown_ok</code>
        </span></dt><dd><p>
            Do not return an error when checking for a user that is
            not in the database. This can be used to stack more
            than one pam_userdb module, each checking a
            username/password pair in a different database.
          </p></dd><dt><span class="term">
          <code class="option">key_only</code>
        </span></dt><dd><p>
            The username and password are concatenated together
            in the database hash as 'username-password' with a
            random value.  If the concatenation of the username and
            password with a dash in the middle returns any result,
            the user is valid.  This is useful in cases where
            the username may not be unique but the username and
            password pair are.
          </p></dd></dl></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_userdb-types"></a>6.38.3. MODULE TYPES PROVIDED</h3></div></div></div><p>
      The <code class="option">auth</code> and <code class="option">account</code> module
      types are provided.
    </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_userdb-return_values"></a>6.38.4. RETURN VALUES</h3></div></div></div><div class="variablelist"><dl class="variablelist"><dt><span class="term">PAM_AUTH_ERR</span></dt><dd><p>Authentication failure.</p></dd><dt><span class="term">PAM_AUTHTOK_RECOVERY_ERR</span></dt><dd><p>
            Authentication information cannot be recovered.
          </p></dd><dt><span class="term">PAM_BUF_ERR</span></dt><dd><p>
             Memory buffer error.
          </p></dd><dt><span class="term">PAM_CONV_ERR</span></dt><dd><p>
             Conversation failure.
          </p></dd><dt><span class="term">PAM_SERVICE_ERR</span></dt><dd><p>
             Error in service module.
          </p></dd><dt><span class="term">PAM_SUCCESS</span></dt><dd><p>
            Success.
          </p></dd><dt><span class="term">PAM_USER_UNKNOWN</span></dt><dd><p>
            User not known to the underlying authentication module.
          </p></dd></dl></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_userdb-examples"></a>6.38.5. EXAMPLES</h3></div></div></div><pre class="programlisting">
auth  sufficient pam_userdb.so icase db=/etc/dbtest
    </pre></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_userdb-author"></a>6.38.6. AUTHOR</h3></div></div></div><p>
        pam_userdb was written by Cristian Gafton &lt;gafton@redhat.com&gt;.
      </p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="sag-pam_unix.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="sag-module-reference.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="sag-pam_warn.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">6.37. pam_unix - traditional password authentication </td><td width="20%" align="center"><a accesskey="h" href="Linux-PAM_SAG.html">Home</a></td><td width="40%" align="right" valign="top"> 6.39. pam_warn - logs all PAM items</td></tr></table></div></body></html>
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>6.39. pam_warn - logs all PAM items</title><meta name="generator" content="DocBook XSL Stylesheets Vsnapshot"><link rel="home" href="Linux-PAM_SAG.html" title="The Linux-PAM System Administrators' Guide"><link rel="up" href="sag-module-reference.html" title="Chapter 6. A reference guide for available modules"><link rel="prev" href="sag-pam_userdb.html" title="6.38. pam_userdb - authenticate against a db database"><link rel="next" href="sag-pam_wheel.html" title="6.40. pam_wheel - only permit root access to members of group wheel"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">6.39. pam_warn - logs all PAM items</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="sag-pam_userdb.html">Prev</a> </td><th width="60%" align="center">Chapter 6. A reference guide for available modules</th><td width="20%" align="right"> <a accesskey="n" href="sag-pam_wheel.html">Next</a></td></tr></table><hr></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="sag-pam_warn"></a>6.39. pam_warn - logs all PAM items</h2></div></div></div><div class="cmdsynopsis"><p><code class="command">pam_warn.so</code> </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_warn-description"></a>6.39.1. DESCRIPTION</h3></div></div></div><p>
      pam_warn is a PAM module that logs the service, terminal, user,
      remote user and remote host to
      <span class="citerefentry"><span class="refentrytitle">syslog</span>(3)</span>. The items are not probed for, but instead obtained
      from the standard PAM items. The module always returns
      <span class="emphasis"><em>PAM_IGNORE</em></span>, indicating that it
      does not want to affect the authentication process.
    </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_warn-options"></a>6.39.2. OPTIONS</h3></div></div></div><p>This module does not recognise any options.</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_warn-types"></a>6.39.3. MODULE TYPES PROVIDED</h3></div></div></div><p>
      The <code class="option">auth</code>, <code class="option">account</code>,
      <code class="option">password</code> and <code class="option">session</code> module
      types are provided.
    </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_warn-return_values"></a>6.39.4. RETURN VALUES</h3></div></div></div><div class="variablelist"><dl class="variablelist"><dt><span class="term">PAM_IGNORE</span></dt><dd><p>
            This module always returns PAM_IGNORE.
          </p></dd></dl></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_warn-examples"></a>6.39.5. EXAMPLES</h3></div></div></div><pre class="programlisting">
#%PAM-1.0
#
# If we don't have config entries for a service, the
# OTHER entries are used. To be secure, warn and deny
# access to everything.
other auth     required       pam_warn.so
other auth     required       pam_deny.so
other account  required       pam_warn.so
other account  required       pam_deny.so
other password required       pam_warn.so
other password required       pam_deny.so
other session  required       pam_warn.so
other session  required       pam_deny.so
      </pre></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_warn-author"></a>6.39.6. AUTHOR</h3></div></div></div><p>
        pam_warn was written by Andrew G. Morgan &lt;morgan@kernel.org&gt;.
      </p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="sag-pam_userdb.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="sag-module-reference.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="sag-pam_wheel.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">6.38. pam_userdb - authenticate against a db database </td><td width="20%" align="center"><a accesskey="h" href="Linux-PAM_SAG.html">Home</a></td><td width="40%" align="right" valign="top"> 6.40. pam_wheel - only permit root access to members of group wheel</td></tr></table></div></body></html>
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>6.40. pam_wheel - only permit root access to members of group wheel</title><meta name="generator" content="DocBook XSL Stylesheets Vsnapshot"><link rel="home" href="Linux-PAM_SAG.html" title="The Linux-PAM System Administrators' Guide"><link rel="up" href="sag-module-reference.html" title="Chapter 6. A reference guide for available modules"><link rel="prev" href="sag-pam_warn.html" title="6.39. pam_warn - logs all PAM items"><link rel="next" href="sag-pam_xauth.html" title="6.41. pam_xauth - forward xauth keys between users"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">6.40. pam_wheel - only permit root access to members of group wheel</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="sag-pam_warn.html">Prev</a> </td><th width="60%" align="center">Chapter 6. A reference guide for available modules</th><td width="20%" align="right"> <a accesskey="n" href="sag-pam_xauth.html">Next</a></td></tr></table><hr></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="sag-pam_wheel"></a>6.40. pam_wheel - only permit root access to members of group wheel</h2></div></div></div><div class="cmdsynopsis"><p><code class="command">pam_wheel.so</code>  [
	debug
      ] [
        deny
      ] [
	group=<em class="replaceable"><code>name</code></em>
      ] [
	root_only
      ] [
	trust
      ] [
	use_uid
      ]</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_wheel-description"></a>6.40.1. DESCRIPTION</h3></div></div></div><p>
      The pam_wheel PAM module is used to enforce the so-called
      <span class="emphasis"><em>wheel</em></span> group. By default it permits root
      access to the system if the applicant user is a member of the
      <span class="emphasis"><em>wheel</em></span> group. If no group with this name exists,
      the module uses the group with the group-ID
      <span class="emphasis"><em>0</em></span>.
    </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_wheel-options"></a>6.40.2. OPTIONS</h3></div></div></div><div class="variablelist"><dl class="variablelist"><dt><span class="term">
          <code class="option">debug</code>
        </span></dt><dd><p>
            Print debug information.
          </p></dd><dt><span class="term">
          <code class="option">deny</code>
        </span></dt><dd><p>
            Reverse the sense of the auth operation: if the user
            is trying to get UID 0 access and is a member of the
            wheel group (or the group of the <code class="option">group</code> option),
            deny access. Conversely, if the user is not in the group, return
            PAM_IGNORE (unless <code class="option">trust</code> was also specified,
            in which case we return PAM_SUCCESS).
          </p></dd><dt><span class="term">
          <code class="option">group=<em class="replaceable"><code>name</code></em></code>
        </span></dt><dd><p>
            Instead of checking the wheel or GID 0 groups, use
            the <code class="option"><em class="replaceable"><code>name</code></em></code> group
            to perform the authentication.
          </p></dd><dt><span class="term">
          <code class="option">root_only</code>
        </span></dt><dd><p>
            The check for wheel membership is done only when the target user
            UID is 0.
          </p></dd><dt><span class="term">
          <code class="option">trust</code>
        </span></dt><dd><p>
            The pam_wheel module will return PAM_SUCCESS instead
            of PAM_IGNORE if the user is a member of the wheel group
            (thus, with suitable stacking of the modules, wheel
            members may be able to su to root without being prompted
            for a password).
          </p></dd><dt><span class="term">
          <code class="option">use_uid</code>
        </span></dt><dd><p>
            The check will be done against the real uid of the calling process,
            instead of trying to obtain the user from the login session
            associated with the terminal in use.
          </p></dd></dl></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_wheel-types"></a>6.40.3. MODULE TYPES PROVIDED</h3></div></div></div><p>
      The <span class="emphasis"><em>auth</em></span> and
      <span class="emphasis"><em>account</em></span> module types are provided.
    </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_wheel-return_values"></a>6.40.4. RETURN VALUES</h3></div></div></div><div class="variablelist"><dl class="variablelist"><dt><span class="term">PAM_AUTH_ERR</span></dt><dd><p>
             Authentication failure.
          </p></dd><dt><span class="term">PAM_BUF_ERR</span></dt><dd><p>
             Memory buffer error.
          </p></dd><dt><span class="term">PAM_IGNORE</span></dt><dd><p>
            The return value should be ignored by PAM dispatch.
          </p></dd><dt><span class="term">PAM_PERM_DENY</span></dt><dd><p>
            Permission denied.
          </p></dd><dt><span class="term">PAM_SERVICE_ERR</span></dt><dd><p>
	    Cannot determine the user name.
          </p></dd><dt><span class="term">PAM_SUCCESS</span></dt><dd><p>
            Success.
          </p></dd><dt><span class="term">PAM_USER_UNKNOWN</span></dt><dd><p>
            User not known.
          </p></dd></dl></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_wheel-examples"></a>6.40.5. EXAMPLES</h3></div></div></div><p>
      The root account gains access by default (rootok), only wheel
      members can become root (wheel), and non-root applicants are
      authenticated by their Unix password (pam_unix).
      </p><pre class="programlisting">
su      auth     sufficient     pam_rootok.so
su      auth     required       pam_wheel.so
su      auth     required       pam_unix.so
      </pre><p>
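The deny/trust/root_only/group rules from the options above, together with the su stack in this example, written out as an added Python model (not code from Linux-PAM or from this guide): SAMPLE_GROUPS, pam_wheel, evaluate_stack and su_auth are constructed for the illustration, and evaluate_stack models only the required and sufficient control flags.

```python
"""Added model of the pam_wheel decision logic and of the su stack shown above."""
from typing import Dict, FrozenSet, List, Optional, Tuple

# Constructed stand-in for /etc/group: group name -> (gid, member names)
Groups = Dict[str, Tuple[int, FrozenSet[str]]]
SAMPLE_GROUPS: Groups = {
    "root": (0, frozenset({"root"})),
    "wheel": (10, frozenset({"alice"})),
    "admins": (500, frozenset({"carol"})),
}


def select_group(groups: Groups, name: Optional[str] = None) -> Tuple[int, FrozenSet[str]]:
    """group=name if given; otherwise 'wheel'; otherwise the group with GID 0."""
    if name is not None:
        if name not in groups:
            raise LookupError(f"group {name!r} does not exist")
        return groups[name]
    if "wheel" in groups:
        return groups["wheel"]
    for gid, members in groups.values():
        if gid == 0:
            return gid, members
    raise LookupError("neither a wheel group nor a GID 0 group exists")


def pam_wheel(applicant: str, target_uid: int, *, groups: Groups = SAMPLE_GROUPS,
              deny: bool = False, trust: bool = False,
              root_only: bool = False, group: Optional[str] = None) -> str:
    """Return the PAM code pam_wheel yields for this request.

    'applicant' is the user the module checks: with use_uid the owner of the
    calling process's real UID, otherwise the login session's user. Membership
    is modelled by name only (the applicant's primary GID is ignored here).
    The guide lists the denial code as PAM_PERM_DENY; the constant in
    <security/_pam_types.h> is PAM_PERM_DENIED.
    """
    if root_only and target_uid != 0:
        return "PAM_IGNORE"          # only requests for UID 0 are checked
    _gid, members = select_group(groups, group)
    if applicant in members:
        if deny:
            return "PAM_PERM_DENIED"  # deny reverses the sense of the check
        return "PAM_SUCCESS" if trust else "PAM_IGNORE"
    # applicant is not a member of the group
    if deny:
        return "PAM_SUCCESS" if trust else "PAM_IGNORE"
    return "PAM_PERM_DENIED"


def evaluate_stack(entries: List[Tuple[str, str]]) -> str:
    """Minimal model of PAM stacking for 'required' and 'sufficient' entries.

    PAM_IGNORE entries are skipped; the first failing required module decides
    the result but evaluation continues; a successful sufficient module ends
    the stack with success unless a required module has already failed; a
    stack in which every module was ignored is treated as failure.
    """
    first_failure = None
    required_seen = False
    for control, result in entries:
        if result == "PAM_IGNORE":
            continue
        if control == "required":
            required_seen = True
            if result != "PAM_SUCCESS" and first_failure is None:
                first_failure = result
        elif control == "sufficient":
            if result == "PAM_SUCCESS" and first_failure is None:
                return "PAM_SUCCESS"
            # a failing sufficient module has no effect on the result
        else:
            raise ValueError(f"control flag {control!r} not modelled")
    if first_failure is not None:
        return first_failure
    return "PAM_SUCCESS" if required_seen else "PAM_PERM_DENIED"


def su_auth(applicant: str, applicant_uid: int, target_uid: int,
            unix_password_ok: bool, **wheel_opts) -> str:
    """The su stack from the guide's example:
         auth sufficient pam_rootok.so
         auth required   pam_wheel.so
         auth required   pam_unix.so
    pam_rootok succeeds only for a calling UID of 0; pam_unix is reduced to the
    unix_password_ok flag (both simplifications are this example's)."""
    rootok = "PAM_SUCCESS" if applicant_uid == 0 else "PAM_AUTH_ERR"
    wheel = pam_wheel(applicant, target_uid, **wheel_opts)
    unix = "PAM_SUCCESS" if unix_password_ok else "PAM_AUTH_ERR"
    return evaluate_stack([("sufficient", rootok), ("required", wheel), ("required", unix)])
```

Because pam_wheel is `required` in this stack, even `trust` does not skip pam_unix; the guide's remark about wheel members not being prompted for a password needs the module stacked as `sufficient` instead.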
    </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_wheel-author"></a>6.40.6. AUTHOR</h3></div></div></div><p>
        pam_wheel was written by Cristian Gafton &lt;gafton@redhat.com&gt;.
      </p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="sag-pam_warn.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="sag-module-reference.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="sag-pam_xauth.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">6.39. pam_warn - logs all PAM items </td><td width="20%" align="center"><a accesskey="h" href="Linux-PAM_SAG.html">Home</a></td><td width="40%" align="right" valign="top"> 6.41. pam_xauth - forward xauth keys between users</td></tr></table></div></body></html>
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>6.41. pam_xauth - forward xauth keys between users</title><meta name="generator" content="DocBook XSL Stylesheets Vsnapshot"><link rel="home" href="Linux-PAM_SAG.html" title="The Linux-PAM System Administrators' Guide"><link rel="up" href="sag-module-reference.html" title="Chapter 6. A reference guide for available modules"><link rel="prev" href="sag-pam_wheel.html" title="6.40. pam_wheel - only permit root access to members of group wheel"><link rel="next" href="sag-see-also.html" title="Chapter 7. See also"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">6.41. pam_xauth - forward xauth keys between users</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="sag-pam_wheel.html">Prev</a> </td><th width="60%" align="center">Chapter 6. A reference guide for available modules</th><td width="20%" align="right"> <a accesskey="n" href="sag-see-also.html">Next</a></td></tr></table><hr></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="sag-pam_xauth"></a>6.41. pam_xauth - forward xauth keys between users</h2></div></div></div><div class="cmdsynopsis"><p><code class="command">pam_xauth.so</code>  [
	debug
      ] [
        xauthpath=<em class="replaceable"><code>/path/to/xauth</code></em>
      ] [
        systemuser=<em class="replaceable"><code>UID</code></em>
      ] [
        targetuser=<em class="replaceable"><code>UID</code></em>
      ]</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_xauth-description"></a>6.41.1. DESCRIPTION</h3></div></div></div><p>
      The pam_xauth PAM module is designed to forward xauth keys
      (sometimes referred to as "cookies") between users.
    </p><p>
      Without pam_xauth, when xauth is enabled and a user uses the
       <span class="citerefentry"><span class="refentrytitle">su</span>(1)</span> command to assume another user's privileges,
      that user is no longer able to access the original user's X display
      because the new user does not have the key needed to access the
      display. pam_xauth solves the problem by forwarding the key from
      the user running su (the source user) to the user whose identity the
      source user is assuming (the target user) when the session is created,
      and destroying the key when the session is torn down.
    </p><p>
      This means, for example, that when you run
       <span class="citerefentry"><span class="refentrytitle">su</span>(1)</span> from an xterm session, you will be able to run
      X programs without explicitly dealing with the
      <span class="citerefentry"><span class="refentrytitle">xauth</span>(1)</span> command or ~/.Xauthority files.
    </p><p>
      pam_xauth will only forward keys if xauth can list a key connected
      to the $DISPLAY environment variable.
    </p><p>
      Primitive access control is provided by
      <code class="filename">~/.xauth/export</code> in the invoking user's home
      directory and <code class="filename">~/.xauth/import</code> in the target
      user's home directory.
    </p><p>
      If a user has a <code class="filename">~/.xauth/import</code> file, the user
      will only receive cookies from users listed in the file. If there is
      no <code class="filename">~/.xauth/import</code> file, the user will accept
      cookies from any other user.
    </p><p>
      If a user has a <code class="filename">~/.xauth/export</code> file, the user will
      only forward cookies to users listed in the file. If there is no
      <code class="filename">~/.xauth/export</code> file, and the invoking user is
      not <span class="emphasis"><em>root</em></span>, the user will forward cookies
      to any other user. If there is no <code class="filename">~/.xauth/export</code>
      file, and the invoking user is <span class="emphasis"><em>root</em></span>,
      the user will <span class="emphasis"><em>not</em></span> forward cookies to
      other users.
    </p><p>
      Both the import and export files support wildcards (such as
      <span class="emphasis"><em>*</em></span>). Both the import and export files
      can be empty, signifying that no users are allowed.
    </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_xauth-options"></a>6.41.2. OPTIONS</h3></div></div></div><div class="variablelist"><dl class="variablelist"><dt><span class="term">
          <code class="option">debug</code>
        </span></dt><dd><p>
	    Print debug information.
          </p></dd><dt><span class="term">
          <code class="option">xauthpath=<em class="replaceable"><code>/path/to/xauth</code></em></code>
        </span></dt><dd><p>
            Specify the path to the xauth program (it is expected in
            <code class="filename">/usr/X11R6/bin/xauth</code>,
            <code class="filename">/usr/bin/xauth</code>, or
            <code class="filename">/usr/bin/X11/xauth</code> by default).
          </p></dd><dt><span class="term">
          <code class="option">systemuser=<em class="replaceable"><code>UID</code></em></code>
        </span></dt><dd><p>
            Specify the highest UID which will be assumed to belong to a
            "system" user. pam_xauth will refuse to forward credentials to
            users with UID less than or equal to this number, except for
            root and the "targetuser", if specified.
          </p></dd><dt><span class="term">
          <code class="option">targetuser=<em class="replaceable"><code>UID</code></em></code>
        </span></dt><dd><p>
            Specify  a single target UID which is exempt from the
            systemuser check.
          </p></dd></dl></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_xauth-types"></a>6.41.3. MODULE TYPES PROVIDED</h3></div></div></div><p>
      Only the <span class="emphasis"><em>session</em></span> type is provided.
    </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_xauth-return_values"></a>6.41.4. RETURN VALUES</h3></div></div></div><div class="variablelist"><dl class="variablelist"><dt><span class="term">PAM_BUF_ERR</span></dt><dd><p>
             Memory buffer error.
          </p></dd><dt><span class="term">PAM_PERM_DENIED</span></dt><dd><p>
            Permission denied by import/export file.
          </p></dd><dt><span class="term">PAM_SESSION_ERR</span></dt><dd><p>
	    Cannot determine the user name or UID, or cannot access the user's home directory.
          </p></dd><dt><span class="term">PAM_SUCCESS</span></dt><dd><p>
            Success.
          </p></dd><dt><span class="term">PAM_USER_UNKNOWN</span></dt><dd><p>
            User not known.
          </p></dd></dl></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_xauth-examples"></a>6.41.5. EXAMPLES</h3></div></div></div><p>
      Add the following line to <code class="filename">/etc/pam.d/su</code> to
      forward xauth keys between users when calling su:
      </p><pre class="programlisting">
session  optional  pam_xauth.so
      </pre><p>
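The import/export access control and the systemuser/targetuser options described above, written out as an added Python model (not code from pam_xauth or from this guide): XauthUser, forward_allowed and the sample users are constructed for the illustration, and the default values of systemuser and targetuser used here are assumptions.

```python
"""Added model of the pam_xauth import/export decision described above."""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Optional, Tuple


@dataclass
class XauthUser:
    name: str
    uid: int
    # None models "the user has no ~/.xauth/export (or import) file";
    # an empty list models an empty file, which allows no users at all.
    export: Optional[List[str]] = None
    import_: Optional[List[str]] = None


def parse_acl(text: str) -> List[str]:
    """Entries of an import/export file: one user name or wildcard per line."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def acl_permits(entries: List[str], name: str) -> bool:
    """True when some entry matches name; entries may carry wildcards such as '*'."""
    return any(fnmatchcase(name, pattern) for pattern in entries)


def forward_allowed(source: XauthUser, target: XauthUser,
                    systemuser: int = 499, targetuser: int = -1) -> Tuple[bool, str]:
    """Decide whether source's X cookie is forwarded to target.

    Returns (allowed, reason). systemuser and targetuser mirror the module
    options (the defaults are this example's assumption). Whether xauth can
    list a key for $DISPLAY at all is outside this model.
    """
    # systemuser: refuse UIDs <= systemuser, except root and the targetuser
    if target.uid != 0 and target.uid != targetuser and target.uid <= systemuser:
        return False, "target is a system user (uid <= systemuser)"
    # Export side: whom the invoking (source) user is willing to forward to
    if source.export is None:
        if source.uid == 0:
            return False, "root without ~/.xauth/export forwards to nobody"
    elif not acl_permits(source.export, target.name):
        return False, "target not listed in source's ~/.xauth/export"
    # Import side: whom the target user is willing to accept cookies from
    if target.import_ is not None and not acl_permits(target.import_, source.name):
        return False, "source not listed in target's ~/.xauth/import"
    return True, "cookie forwarded"


# Constructed sample users for the demonstration
ALICE = XauthUser("alice", 1000)
BOB = XauthUser("bob", 1001)
CAROL = XauthUser("carol", 1002, import_=parse_acl("alice\n"))
ROOT = XauthUser("root", 0)
DAEMON = XauthUser("daemon", 2)

if __name__ == "__main__":
    for src, dst in [(ALICE, BOB), (ROOT, BOB), (ALICE, CAROL), (BOB, CAROL), (ALICE, DAEMON)]:
        ok, why = forward_allowed(src, dst)
        print(f"{src.name} -> {dst.name}: {'forward' if ok else 'refuse'} ({why})")
```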
    </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_xauth-author"></a>6.41.6. AUTHOR</h3></div></div></div><p>
        pam_xauth was written by Nalin Dahyabhai &lt;nalin@redhat.com&gt;,
        based on original version by
        Michael K. Johnson &lt;johnsonm@redhat.com&gt;.
      </p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="sag-pam_wheel.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="sag-module-reference.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="sag-see-also.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">6.40. pam_wheel - only permit root access to members of group wheel </td><td width="20%" align="center"><a accesskey="h" href="Linux-PAM_SAG.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 7. See also</td></tr></table></div></body></html>
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>5.2. Avoid having a weak `other' configuration</title><meta name="generator" content="DocBook XSL Stylesheets Vsnapshot"><link rel="home" href="Linux-PAM_SAG.html" title="The Linux-PAM System Administrators' Guide"><link rel="up" href="sag-security-issues.html" title="Chapter 5. Security issues"><link rel="prev" href="sag-security-issues-wrong.html" title="5.1. If something goes wrong"><link rel="next" href="sag-module-reference.html" title="Chapter 6. A reference guide for available modules"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">5.2. Avoid having a weak `other' configuration</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="sag-security-issues-wrong.html">Prev</a> </td><th width="60%" align="center">Chapter 5. Security issues</th><td width="20%" align="right"> <a accesskey="n" href="sag-module-reference.html">Next</a></td></tr></table><hr></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="sag-security-issues-other"></a>5.2. Avoid having a weak `other' configuration</h2></div></div></div><p>
        It is not a good thing to have a weak default
        (<span class="emphasis"><em>other</em></span>) entry.
        This service is the default configuration for all PAM aware
        applications and if it is weak, your system is likely to be
        vulnerable to attack.
      </p><p>
        Here is a sample "other" configuration file. The
        <span class="command"><strong>pam_deny</strong></span> module will deny access and the
        <span class="command"><strong>pam_warn</strong></span> module will send a syslog message
        to <span class="emphasis"><em>auth.notice</em></span>:
      </p><pre class="programlisting">
#
# The PAM configuration file for the `other' service
#
auth      required   pam_deny.so
auth      required   pam_warn.so
account   required   pam_deny.so
account   required   pam_warn.so
password  required   pam_deny.so
password  required   pam_warn.so
session   required   pam_deny.so
session   required   pam_warn.so
      </pre></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="sag-security-issues-wrong.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="sag-security-issues.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="sag-module-reference.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">5.1. If something goes wrong </td><td width="20%" align="center"><a accesskey="h" href="Linux-PAM_SAG.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 6. A reference guide for available modules</td></tr></table></div></body></html>
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>5.1. If something goes wrong</title><meta name="generator" content="DocBook XSL Stylesheets Vsnapshot"><link rel="home" href="Linux-PAM_SAG.html" title="The Linux-PAM System Administrators' Guide"><link rel="up" href="sag-security-issues.html" title="Chapter 5. Security issues"><link rel="prev" href="sag-security-issues.html" title="Chapter 5. Security issues"><link rel="next" href="sag-security-issues-other.html" title="5.2. Avoid having a weak `other' configuration"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">5.1. If something goes wrong</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="sag-security-issues.html">Prev</a> </td><th width="60%" align="center">Chapter 5. Security issues</th><td width="20%" align="right"> <a accesskey="n" href="sag-security-issues-other.html">Next</a></td></tr></table><hr></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="sag-security-issues-wrong"></a>5.1. If something goes wrong</h2></div></div></div><p>
        <span class="emphasis"><em>Linux-PAM</em></span> has the potential
        to seriously change the security of your system. You can
        choose to have no security or absolute security (no access
        permitted). In general, <span class="emphasis"><em>Linux-PAM</em></span>
        errs towards the latter. Any number of configuration errors
        can disable access to your system partially, or completely.
      </p><p>
        The most dramatic problem that is likely to be encountered when
        configuring <span class="emphasis"><em>Linux-PAM</em></span> is that of
        <span class="emphasis"><em>deleting</em></span> the configuration file(s):
        <code class="filename">/etc/pam.d/*</code> and/or
        <code class="filename">/etc/pam.conf</code>. This will lock you out of
        your own system!
      </p><p>
        To recover, your best bet is to restore the system from a
        backup or boot the system into a rescue system and correct
        things from there. Better still is not to need the rescue system:
        keep an existing root shell open while you edit the configuration,
        and verify with a fresh login through the service you changed that
        it still behaves as intended before you close that shell. The
        configuration is read when an application calls
        <span class="emphasis"><em>pam_start()</em></span>, so a mistake
        affects new logins only; the session you already hold is unaffected.
      </p></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="sag-security-issues.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="sag-security-issues.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="sag-security-issues-other.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 5. Security issues </td><td width="20%" align="center"><a accesskey="h" href="Linux-PAM_SAG.html">Home</a></td><td width="40%" align="right" valign="top"> 5.2. Avoid having a weak `other' configuration</td></tr></table></div></body></html>
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>Chapter 5. Security issues</title><meta name="generator" content="DocBook XSL Stylesheets Vsnapshot"><link rel="home" href="Linux-PAM_SAG.html" title="The Linux-PAM System Administrators' Guide"><link rel="up" href="Linux-PAM_SAG.html" title="The Linux-PAM System Administrators' Guide"><link rel="prev" href="sag-configuration-example.html" title="4.3. Example configuration file entries"><link rel="next" href="sag-security-issues-wrong.html" title="5.1. If something goes wrong"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 5. Security issues</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="sag-configuration-example.html">Prev</a> </td><th width="60%" align="center"> </th><td width="20%" align="right"> <a accesskey="n" href="sag-security-issues-wrong.html">Next</a></td></tr></table><hr></div><div class="chapter"><div class="titlepage"><div><div><h1 class="title"><a name="sag-security-issues"></a>Chapter 5. Security issues</h1></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl class="toc"><dt><span class="section"><a href="sag-security-issues-wrong.html">5.1. If something goes wrong</a></span></dt><dt><span class="section"><a href="sag-security-issues-other.html">5.2. Avoid having a weak `other' configuration</a></span></dt></dl></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="sag-configuration-example.html">Prev</a> </td><td width="20%" align="center"> </td><td width="40%" align="right"> <a accesskey="n" href="sag-security-issues-wrong.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">4.3. Example configuration file entries </td><td width="20%" align="center"><a accesskey="h" href="Linux-PAM_SAG.html">Home</a></td><td width="40%" align="right" valign="top"> 5.1. If something goes wrong</td></tr></table></div></body></html>
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>Chapter 7. See also</title><meta name="generator" content="DocBook XSL Stylesheets Vsnapshot"><link rel="home" href="Linux-PAM_SAG.html" title="The Linux-PAM System Administrators' Guide"><link rel="up" href="Linux-PAM_SAG.html" title="The Linux-PAM System Administrators' Guide"><link rel="prev" href="sag-pam_xauth.html" title="6.41. pam_xauth - forward xauth keys between users"><link rel="next" href="sag-author.html" title="Chapter 8. Author/acknowledgments"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 7. See also</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="sag-pam_xauth.html">Prev</a> </td><th width="60%" align="center"> </th><td width="20%" align="right"> <a accesskey="n" href="sag-author.html">Next</a></td></tr></table><hr></div><div class="chapter"><div class="titlepage"><div><div><h1 class="title"><a name="sag-see-also"></a>Chapter 7. See also</h1></div></div></div><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
          The Linux-PAM Application Writers' Guide.
        </p></li><li class="listitem"><p>
          The Linux-PAM Module Writers' Guide.
        </p></li><li class="listitem"><p>
          V. Samar and R. Schemers (SunSoft), "Unified Login with
          Pluggable Authentication Modules", Open Software Foundation
          Request For Comments 86.0, October 1995.
        </p></li></ul></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="sag-pam_xauth.html">Prev</a> </td><td width="20%" align="center"> </td><td width="40%" align="right"> <a accesskey="n" href="sag-author.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">6.41. pam_xauth - forward xauth keys between users </td><td width="20%" align="center"><a accesskey="h" href="Linux-PAM_SAG.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 8. Author/acknowledgments</td></tr></table></div></body></html>
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>Chapter 2. Some comments on the text</title><meta name="generator" content="DocBook XSL Stylesheets Vsnapshot"><link rel="home" href="Linux-PAM_SAG.html" title="The Linux-PAM System Administrators' Guide"><link rel="up" href="Linux-PAM_SAG.html" title="The Linux-PAM System Administrators' Guide"><link rel="prev" href="sag-introduction.html" title="Chapter 1. Introduction"><link rel="next" href="sag-overview.html" title="Chapter 3. Overview"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 2. Some comments on the text</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="sag-introduction.html">Prev</a> </td><th width="60%" align="center"> </th><td width="20%" align="right"> <a accesskey="n" href="sag-overview.html">Next</a></td></tr></table><hr></div><div class="chapter"><div class="titlepage"><div><div><h1 class="title"><a name="sag-text-conventions"></a>Chapter 2. Some comments on the text</h1></div></div></div><p>
      Before proceeding to read the rest of this document, it should be
      noted that the text assumes that certain files are placed in certain
      directories.  Where they have been specified, the conventions we adopt
      here for locating these files are those of the relevant RFC (RFC-86.0,
      see <a class="link" href="sag-see-also.html" title="Chapter 7. See also">bibliography</a>). If you are
      using a distribution of Linux (or some other operating system) that
      supports PAM but chooses to distribute these files in a different way
      you should be careful when copying examples directly from the text.
    </p><p>
      As an example of the above, where it is explicit, the text assumes
      that PAM loadable object files (the
      <span class="emphasis"><em>modules</em></span>) are to be located in
      the following directory: <code class="filename">/lib/security/</code> or
      <code class="filename">/lib64/security</code> depending on the architecture.
      This is generally the location that seems to be compatible with the
      Filesystem Hierarchy Standard (FHS). On Solaris, which has its own
      licensed version of PAM, and some other implementations of UN*X,
      these files can be found in <code class="filename">/usr/lib/security</code>.
      Please be careful to perform the necessary transcription when using
      the examples from the text.
    </p></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="sag-introduction.html">Prev</a> </td><td width="20%" align="center"> </td><td width="40%" align="right"> <a accesskey="n" href="sag-overview.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 1. Introduction </td><td width="20%" align="center"><a accesskey="h" href="Linux-PAM_SAG.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 3. Overview</td></tr></table></div></body></html>
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>The Linux-PAM System Administrators' Guide</title><meta name="generator" content="DocBook XSL Stylesheets Vsnapshot"><meta name="description" content="This manual documents what a system-administrator needs to know about the Linux-PAM library. It covers the correct syntax of the PAM configuration file and discusses strategies for maintaining a secure system."><link rel="home" href="Linux-PAM_SAG.html" title="The Linux-PAM System Administrators' Guide"><link rel="next" href="sag-introduction.html" title="Chapter 1. Introduction"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">The Linux-PAM System Administrators' Guide</th></tr><tr><td width="20%" align="left"> </td><th width="60%" align="center"> </th><td width="20%" align="right"> <a accesskey="n" href="sag-introduction.html">Next</a></td></tr></table><hr></div><div class="book"><div class="titlepage"><div><div><h1 class="title"><a name="sag"></a>The Linux-PAM System Administrators' Guide</h1></div><div><div class="authorgroup"><div class="author"><h3 class="author"><span class="firstname">Andrew G.</span> <span class="surname">Morgan</span></h3><code class="email">&lt;<a class="email" href="mailto:morgan@kernel.org">morgan@kernel.org</a>&gt;</code></div><div class="author"><h3 class="author"><span class="firstname">Thorsten</span> <span class="surname">Kukuk</span></h3><code class="email">&lt;<a class="email" href="mailto:kukuk@thkukuk.de">kukuk@thkukuk.de</a>&gt;</code></div></div></div><div><p class="releaseinfo">Version 1.1.2, 31. August 2010</p></div><div><div class="abstract"><p class="title"><b>Abstract</b></p><p>
        This manual documents what a system-administrator needs to know about
        the <span class="emphasis"><em>Linux-PAM</em></span> library. It covers the
        correct syntax of the PAM configuration file and discusses strategies
        for maintaining a secure system.
      </p></div></div></div><hr></div><div class="toc"><p><b>Table of Contents</b></p><dl class="toc"><dt><span class="chapter"><a href="sag-introduction.html">1. Introduction</a></span></dt><dt><span class="chapter"><a href="sag-text-conventions.html">2. Some comments on the text</a></span></dt><dt><span class="chapter"><a href="sag-overview.html">3. Overview</a></span></dt><dt><span class="chapter"><a href="sag-configuration.html">4. The Linux-PAM configuration file</a></span></dt><dd><dl><dt><span class="section"><a href="sag-configuration-file.html">4.1. Configuration file syntax</a></span></dt><dt><span class="section"><a href="sag-configuration-directory.html">4.2. Directory based configuration</a></span></dt><dt><span class="section"><a href="sag-configuration-example.html">4.3. Example configuration file entries</a></span></dt></dl></dd><dt><span class="chapter"><a href="sag-security-issues.html">5. Security issues</a></span></dt><dd><dl><dt><span class="section"><a href="sag-security-issues-wrong.html">5.1. If something goes wrong</a></span></dt><dt><span class="section"><a href="sag-security-issues-other.html">5.2. Avoid having a weak `other' configuration</a></span></dt></dl></dd><dt><span class="chapter"><a href="sag-module-reference.html">6. A reference guide for available modules</a></span></dt><dd><dl><dt><span class="section"><a href="sag-pam_access.html">6.1. pam_access - logdaemon style login access control</a></span></dt><dt><span class="section"><a href="sag-pam_cracklib.html">6.2. pam_cracklib - checks the password against dictionary words</a></span></dt><dt><span class="section"><a href="sag-pam_debug.html">6.3. pam_debug - debug the PAM stack</a></span></dt><dt><span class="section"><a href="sag-pam_deny.html">6.4. pam_deny - locking-out PAM module</a></span></dt><dt><span class="section"><a href="sag-pam_echo.html">6.5. pam_echo - print text messages</a></span></dt><dt><span class="section"><a href="sag-pam_env.html">6.6. 
pam_env - set/unset environment variables</a></span></dt><dt><span class="section"><a href="sag-pam_exec.html">6.7. pam_exec - call an external command</a></span></dt><dt><span class="section"><a href="sag-pam_faildelay.html">6.8. pam_faildelay - change the delay on failure per-application</a></span></dt><dt><span class="section"><a href="sag-pam_filter.html">6.9. pam_filter - filter module</a></span></dt><dt><span class="section"><a href="sag-pam_ftp.html">6.10. pam_ftp - module for anonymous access</a></span></dt><dt><span class="section"><a href="sag-pam_group.html">6.11. pam_group - module to modify group access</a></span></dt><dt><span class="section"><a href="sag-pam_issue.html">6.12. pam_issue - add issue file to user prompt</a></span></dt><dt><span class="section"><a href="sag-pam_keyinit.html">6.13. pam_keyinit - initialise a session keyring</a></span></dt><dt><span class="section"><a href="sag-pam_lastlog.html">6.14. pam_lastlog - display date of last login</a></span></dt><dt><span class="section"><a href="sag-pam_limits.html">6.15. pam_limits - limit resources</a></span></dt><dt><span class="section"><a href="sag-pam_listfile.html">6.16. pam_listfile - deny or allow services based on an arbitrary file</a></span></dt><dt><span class="section"><a href="sag-pam_localuser.html">6.17. pam_localuser - require users to be listed in /etc/passwd</a></span></dt><dt><span class="section"><a href="sag-pam_loginuid.html">6.18. pam_loginuid - record user's login uid to the process attribute</a></span></dt><dt><span class="section"><a href="sag-pam_mail.html">6.19. pam_mail - inform about available mail</a></span></dt><dt><span class="section"><a href="sag-pam_mkhomedir.html">6.20. pam_mkhomedir - create users' home directory</a></span></dt><dt><span class="section"><a href="sag-pam_motd.html">6.21. pam_motd - display the motd file</a></span></dt><dt><span class="section"><a href="sag-pam_namespace.html">6.22. pam_namespace - setup a private namespace</a></span></dt><dt><span class="section"><a href="sag-pam_nologin.html">6.23. pam_nologin - prevent non-root users from login</a></span></dt><dt><span class="section"><a href="sag-pam_permit.html">6.24. pam_permit - the promiscuous module</a></span></dt><dt><span class="section"><a href="sag-pam_pwhistory.html">6.25. pam_pwhistory - remember last passwords</a></span></dt><dt><span class="section"><a href="sag-pam_rhosts.html">6.26. pam_rhosts - grant access using .rhosts file</a></span></dt><dt><span class="section"><a href="sag-pam_rootok.html">6.27. pam_rootok - gain only root access</a></span></dt><dt><span class="section"><a href="sag-pam_securetty.html">6.28. pam_securetty - limit root login to special devices</a></span></dt><dt><span class="section"><a href="sag-pam_selinux.html">6.29. pam_selinux - set the default security context</a></span></dt><dt><span class="section"><a href="sag-pam_shells.html">6.30. pam_shells - check for valid login shell</a></span></dt><dt><span class="section"><a href="sag-pam_succeed_if.html">6.31. pam_succeed_if - test account characteristics</a></span></dt><dt><span class="section"><a href="sag-pam_tally.html">6.32. pam_tally - login counter (tallying) module</a></span></dt><dt><span class="section"><a href="sag-pam_tally2.html">6.33. pam_tally2 - login counter (tallying) module</a></span></dt><dt><span class="section"><a href="sag-pam_time.html">6.34. pam_time - time controlled access</a></span></dt><dt><span class="section"><a href="sag-pam_timestamp.html">6.35. pam_timestamp - authenticate using cached successful authentication attempts</a></span></dt><dt><span class="section"><a href="sag-pam_umask.html">6.36. pam_umask - set the file mode creation mask</a></span></dt><dt><span class="section"><a href="sag-pam_unix.html">6.37. pam_unix - traditional password authentication</a></span></dt><dt><span class="section"><a href="sag-pam_userdb.html">6.38. 
pam_userdb - authenticate against a db database</a></span></dt><dt><span class="section"><a href="sag-pam_warn.html">6.39. pam_warn - logs all PAM items</a></span></dt><dt><span class="section"><a href="sag-pam_wheel.html">6.40. pam_wheel - only permit root access to members of group wheel</a></span></dt><dt><span class="section"><a href="sag-pam_xauth.html">6.41. pam_xauth - forward xauth keys between users</a></span></dt></dl></dd><dt><span class="chapter"><a href="sag-see-also.html">7. See also</a></span></dt><dt><span class="chapter"><a href="sag-author.html">8. Author/acknowledgments</a></span></dt><dt><span class="chapter"><a href="sag-copyright.html">9. Copyright information for this document</a></span></dt></dl></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"> </td><td width="20%" align="center"> </td><td width="40%" align="right"> <a accesskey="n" href="sag-introduction.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top"> </td><td width="20%" align="center"> </td><td width="40%" align="right" valign="top"> Chapter 1. Introduction</td></tr></table></div></body></html>
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>Chapter 8. Author/acknowledgments</title><meta name="generator" content="DocBook XSL Stylesheets Vsnapshot"><link rel="home" href="Linux-PAM_SAG.html" title="The Linux-PAM System Administrators' Guide"><link rel="up" href="Linux-PAM_SAG.html" title="The Linux-PAM System Administrators' Guide"><link rel="prev" href="sag-see-also.html" title="Chapter 7. See also"><link rel="next" href="sag-copyright.html" title="Chapter 9. Copyright information for this document"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 8. Author/acknowledgments</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="sag-see-also.html">Prev</a> </td><th width="60%" align="center"> </th><td width="20%" align="right"> <a accesskey="n" href="sag-copyright.html">Next</a></td></tr></table><hr></div><div class="chapter"><div class="titlepage"><div><div><h1 class="title"><a name="sag-author"></a>Chapter 8. Author/acknowledgments</h1></div></div></div><p>
      This document was written by Andrew G. Morgan (morgan@kernel.org)
      with many contributions from
      Chris Adams, Peter Allgeyer, Tim Baverstock, Tim Berger,
      Craig S. Bell, Derrick J. Brashear, Ben Buxton, Seth Chaiklin,
      Oliver Crow, Chris Dent, Marc Ewing, Cristian Gafton,
      Emmanuel Galanos, Brad M. Garcia, Eric Hester, Michel D'Hooge,
      Roger Hu, Eric Jacksch, Michael K. Johnson, David Kinchlea,
      Olaf Kirch, Marcin Korzonek, Thorsten Kukuk, Stephen Langasek,
      Nicolai Langfeldt, Elliot Lee, Luke Kenneth Casson Leighton,
      Al Longyear, Ingo Luetkebohle, Marek Michalkiewicz,
      Robert Milkowski, Aleph One, Martin Pool, Sean Reifschneider,
      Jan Rekorajski, Erik Troan, Theodore Ts'o, Jeff Uphoff, Myles Uyema,
      Savochkin Andrey Vladimirovich, Ronald Wahl, David Wood, John Wilmes,
      Joseph S. D. Yao and Alex O. Yuriev.
    </p><p>
      Thanks are also due to Sun Microsystems, especially to Vipin Samar and
      Charlie Lai for their advice. At an early stage in the development of
      <span class="emphasis"><em>Linux-PAM</em></span>, Sun graciously made the
      documentation for their implementation of PAM available. This act
      greatly accelerated the development of
      <span class="emphasis"><em>Linux-PAM</em></span>.
    </p></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="sag-see-also.html">Prev</a> </td><td width="20%" align="center"> </td><td width="40%" align="right"> <a accesskey="n" href="sag-copyright.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 7. See also </td><td width="20%" align="center"><a accesskey="h" href="Linux-PAM_SAG.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 9. Copyright information for this document</td></tr></table></div></body></html>
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>4.2. Directory based configuration</title><meta name="generator" content="DocBook XSL Stylesheets Vsnapshot"><link rel="home" href="Linux-PAM_SAG.html" title="The Linux-PAM System Administrators' Guide"><link rel="up" href="sag-configuration.html" title="Chapter 4. The Linux-PAM configuration file"><link rel="prev" href="sag-configuration-file.html" title="4.1. Configuration file syntax"><link rel="next" href="sag-configuration-example.html" title="4.3. Example configuration file entries"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">4.2. Directory based configuration</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="sag-configuration-file.html">Prev</a> </td><th width="60%" align="center">Chapter 4. The Linux-PAM configuration file</th><td width="20%" align="right"> <a accesskey="n" href="sag-configuration-example.html">Next</a></td></tr></table><hr></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="sag-configuration-directory"></a>4.2. Directory based configuration</h2></div></div></div><p>
      More flexible than the single configuration file is to
      configure libpam via the contents of the
      <code class="filename">/etc/pam.d/</code> directory. In this case the
      directory is filled with files, each of which has a filename
      equal to a service-name (in lower-case): it is the personal
      configuration file for the named service.
    </p><p>
      The syntax of each file in /etc/pam.d/ is similar to that of the
      <code class="filename">/etc/pam.conf</code> file and is made up of lines
      of the following form:
    </p><pre class="programlisting">
type  control  module-path  module-arguments
    </pre><p>
      The only difference being that the service-name is not present. The
      service-name is of course the name of the given configuration file.
      For example, <code class="filename">/etc/pam.d/login</code> contains the
      configuration for the <span class="emphasis"><em>login</em></span> service.
    </p></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="sag-configuration-file.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="sag-configuration.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="sag-configuration-example.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">4.1. Configuration file syntax </td><td width="20%" align="center"><a accesskey="h" href="Linux-PAM_SAG.html">Home</a></td><td width="40%" align="right" valign="top"> 4.3. Example configuration file entries</td></tr></table></div></body></html>
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>4.3. Example configuration file entries</title><meta name="generator" content="DocBook XSL Stylesheets Vsnapshot"><link rel="home" href="Linux-PAM_SAG.html" title="The Linux-PAM System Administrators' Guide"><link rel="up" href="sag-configuration.html" title="Chapter 4. The Linux-PAM configuration file"><link rel="prev" href="sag-configuration-directory.html" title="4.2. Directory based configuration"><link rel="next" href="sag-security-issues.html" title="Chapter 5. Security issues"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">4.3. Example configuration file entries</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="sag-configuration-directory.html">Prev</a> </td><th width="60%" align="center">Chapter 4. The Linux-PAM configuration file</th><td width="20%" align="right"> <a accesskey="n" href="sag-security-issues.html">Next</a></td></tr></table><hr></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="sag-configuration-example"></a>4.3. Example configuration file entries</h2></div></div></div><p>
         In this section, we give some examples of entries that can
         be present in the <span class="emphasis"><em>Linux-PAM</em></span>
         configuration file. As a first attempt at configuring your
         system you could do worse than to implement these.
       </p><p>
         If a system is to be considered secure, it had better have a
         reasonably secure '<span class="emphasis"><em>other</em></span>' entry.
         The following is a paranoid setting (which is not a bad place
         to start!):
       </p><pre class="programlisting">
#
# default; deny access
#
other   auth     required       pam_deny.so
other   account  required       pam_deny.so
other   password required       pam_deny.so
other   session  required       pam_deny.so
       </pre><p>
         Whilst fundamentally a secure default, this is not very
         sympathetic to a misconfigured system. For example, such
         a system is vulnerable to locking everyone out should the
         rest of the file become badly written.
       </p><p>
         The module <span class="command"><strong>pam_deny</strong></span> (documented in a
         <a class="link" href="sag-pam_deny.html" title="6.4. pam_deny - locking-out PAM module">later section</a>) is not very
         sophisticated. For example, it logs no information when it
         is invoked, so unless the users of a system contact the
         administrator when failing to execute a service application,
         the administrator may go for a long while in ignorance of the
         fact that the system is misconfigured.
       </p><p>
         The addition of the following lines before those in the above
         example would provide a suitable warning to the administrator.
       </p><pre class="programlisting">
#
# default; wake up! This application is not configured
#
other   auth     required       pam_warn.so
other   password required       pam_warn.so
       </pre><p>
         Having two '<span class="command"><strong>other auth</strong></span>' lines is an
         example of stacking. Note that <span class="command"><strong>pam_warn</strong></span>
         only logs: it returns PAM_IGNORE, so it never changes the outcome
         of the stack, and the decision is still made by
         <span class="command"><strong>pam_deny</strong></span>.
       </p><p>
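         As an added illustration (not code from the original guide or from
         Linux-PAM itself), the following Python models how Linux-PAM walks
         one management group's stack of rules under the keyword controls
         <span class="emphasis"><em>required</em></span>,
         <span class="emphasis"><em>requisite</em></span>,
         <span class="emphasis"><em>sufficient</em></span> and
         <span class="emphasis"><em>optional</em></span>. Module results come from
         a constructed table, not from real modules; the assumptions are that
         <span class="command"><strong>pam_warn</strong></span> returns PAM_IGNORE
         after logging, <span class="command"><strong>pam_deny</strong></span>
         always fails, <span class="command"><strong>pam_permit</strong></span>
         always succeeds and <span class="command"><strong>pam_unix</strong></span>
         has verified the password.
       </p>

```python
"""Model of how Linux-PAM walks one management group's stack of rules under
the keyword controls required, requisite, sufficient and optional.
Added example, not Linux-PAM code.  Module results come from a constructed
table instead of real modules."""

# Constructed results table (an assumption, not a real module run):
# pam_warn logs and returns PAM_IGNORE, pam_deny always fails,
# pam_permit always succeeds, pam_unix is assumed to have verified the password.
RESULTS = {
    "pam_warn.so": "ignore",
    "pam_deny.so": "fail",
    "pam_permit.so": "success",
    "pam_unix.so": "success",
}

KEYWORD_CONTROLS = ("required", "requisite", "sufficient", "optional")


def evaluate(stack, results=RESULTS):
    """stack: list of (control, module-path) pairs in file order.
    Returns (verdict, modules_run); verdict is "success" or "deny".
    `impression` is the running state of the stack: None = nothing decisive
    yet, True = success so far, False = a required/requisite module failed."""
    impression = None
    run = []
    for control, module in stack:
        control = control.lower()                 # control tokens are case-insensitive
        if control not in KEYWORD_CONTROLS:
            raise ValueError(f"keyword control expected, got {control!r}")
        run.append(module)
        result = results.get(module, "fail")      # an unknown module counts as a failure
        if result == "ignore":
            continue                              # PAM_IGNORE never moves the verdict
        if result == "success":
            if impression is None:
                impression = True                 # first decisive result
            if control == "sufficient" and impression:
                break                             # no earlier required failure: stop, success
        else:
            if control in ("required", "requisite"):
                impression = False                # required keeps walking the stack so the
                if control == "requisite":        # user cannot tell which module failed;
                    break                         # requisite stops at once
            # a failing sufficient or optional module is ignored
    # An undecided stack (empty, or only ignored results) denies: Linux-PAM
    # returns success only when some module produced a positive impression.
    return ("success" if impression else "deny", run)


# The paranoid `other` auth stack from this section.
PARANOID_OTHER_AUTH = [("required", "pam_warn.so"), ("required", "pam_deny.so")]
```

<p>
         <span class="emphasis"><em>evaluate(PARANOID_OTHER_AUTH)</em></span>
         returns ("deny", ["pam_warn.so", "pam_deny.so"]): pam_warn runs and
         logs, pam_deny decides. A stack holding only pam_warn denies as well,
         because nothing in it ever produced a positive result. Putting a
         <span class="emphasis"><em>sufficient</em></span> pam_permit line ahead of
         a <span class="emphasis"><em>required</em></span> pam_deny line returns
         success after the first module without ever reaching pam_deny, which
         is exactly the weak default the next section warns against.
       </p><p>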
         On a system that uses the <code class="filename">/etc/pam.d/</code>
         configuration, the corresponding default setup would be
         achieved with the following file:
       </p><pre class="programlisting">
#
# default configuration: /etc/pam.d/other
#
auth     required       pam_warn.so
auth     required       pam_deny.so
account  required       pam_deny.so
password required       pam_warn.so
password required       pam_deny.so
session  required       pam_deny.so
       </pre><p>
         This is the only explicit example we give for an
         <code class="filename">/etc/pam.d/</code> file. In general, it
         should be clear how to transpose the remaining examples
         to this configuration scheme.
       </p><p>
         On a less sensitive computer, one on which the system
         administrator wishes to remain ignorant of much of the
         power of <span class="emphasis"><em>Linux-PAM</em></span>, the
         following selection of lines (in
         <code class="filename">/etc/pam.d/other</code>) is likely to
         mimic the historically familiar Linux setup.
       </p><pre class="programlisting">
#
# default; standard UN*X access
#
auth     required       pam_unix.so
account  required       pam_unix.so
password required       pam_unix.so
session  required       pam_unix.so
       </pre><p>
         In general this will provide a starting place for most applications.
       </p></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="sag-configuration-directory.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="sag-configuration.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="sag-security-issues.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">4.2. Directory based configuration </td><td width="20%" align="center"><a accesskey="h" href="Linux-PAM_SAG.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 5. Security issues</td></tr></table></div></body></html>
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>4.1. Configuration file syntax</title><meta name="generator" content="DocBook XSL Stylesheets Vsnapshot"><link rel="home" href="Linux-PAM_SAG.html" title="The Linux-PAM System Administrators' Guide"><link rel="up" href="sag-configuration.html" title="Chapter 4. The Linux-PAM configuration file"><link rel="prev" href="sag-configuration.html" title="Chapter 4. The Linux-PAM configuration file"><link rel="next" href="sag-configuration-directory.html" title="4.2. Directory based configuration"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">4.1. Configuration file syntax</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="sag-configuration.html">Prev</a> </td><th width="60%" align="center">Chapter 4. The Linux-PAM configuration file</th><td width="20%" align="right"> <a accesskey="n" href="sag-configuration-directory.html">Next</a></td></tr></table><hr></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="sag-configuration-file"></a>4.1. Configuration file syntax</h2></div></div></div><p>
    The syntax of the <code class="filename">/etc/pam.conf</code>
    configuration file is as follows. The file is made up of a list
    of rules, each rule is typically placed on a single line,
    but may be extended with an escaped end of line: `\&lt;LF&gt;'.
    Comments are preceded with `#' marks and extend to the next end of
    line.
  </p><p>
      The format of each rule is a space separated collection of tokens,
      the first three being case-insensitive:
    </p><p>
      <span class="emphasis"><em> service  type  control  module-path  module-arguments</em></span>
    </p><p>
      The syntax of files contained in the <code class="filename">/etc/pam.d/</code>
      directory is identical except for the absence of any
      <span class="emphasis"><em>service</em></span> field. In this case, the
      <span class="emphasis"><em>service</em></span> is the name of the file in the
      <code class="filename">/etc/pam.d/</code> directory. This filename must be
      in lower case.
    </p><p>
      An important feature of <span class="emphasis"><em>PAM</em></span>, is that a
      number of rules may be <span class="emphasis"><em>stacked</em></span> to combine
      the services of a number of PAMs for a given authentication task.
    </p><p>
      The <span class="emphasis"><em>service</em></span> is typically the familiar name of
      the corresponding application: <span class="emphasis"><em>login</em></span> and
      <span class="emphasis"><em>su</em></span> are good examples. The
      <span class="emphasis"><em>service</em></span>-name, <span class="emphasis"><em>other</em></span>,
      is reserved for giving <span class="emphasis"><em>default</em></span> rules.
      Only lines that mention the current service (or in the absence
      of such, the <span class="emphasis"><em>other</em></span> entries) will be associated
      with the given service-application.
    </p><p>
      The <span class="emphasis"><em>type</em></span> is the management group that the rule
      corresponds to. It is used to specify which of the management groups
      the subsequent module is to be associated with. Valid entries are:
    </p><div class="variablelist"><dl class="variablelist"><dt><span class="term">account</span></dt><dd><p>
            this module type performs non-authentication based account
            management. It is typically used to restrict/permit access
            to a service based on the time of day, currently available
            system resources (maximum number of users) or perhaps the
            location of the applicant user -- 'root' login only on the
            console.
          </p></dd><dt><span class="term">auth</span></dt><dd><p>
            this module type provides two aspects of authenticating
            the user. Firstly, it establishes that the user is who they
            claim to be, by instructing the application to prompt the user
            for a password or other means of identification. Secondly, the
            module can grant group membership or other privileges through
            its credential granting properties.
          </p></dd><dt><span class="term">password</span></dt><dd><p>
            this module type is required for updating the authentication
            token associated with the user. Typically, there is one module
            for each 'challenge/response' based authentication (auth) type.
          </p></dd><dt><span class="term">session</span></dt><dd><p>
            this module type is associated with doing things that need to
            be done for the user before/after they can be given service.
            Such things include the logging of information concerning the
            opening/closing of some data exchange with a user, mounting
            directories, etc.
          </p></dd></dl></div><p>
      If the <span class="emphasis"><em>type</em></span> value from the list above is prepended
      with a <span class="emphasis"><em>-</em></span> character, the PAM library will not log to
      the system log if it is not possible to load the module because it is
      missing from the system. This can be useful especially for modules which
      are not always installed on the system and are not required for correct
      authentication and authorization of the login session.
    </p><p>
      The third field, <span class="emphasis"><em>control</em></span>, indicates the
      behavior of the PAM-API should the module fail to succeed in its
      authentication task. There are two types of syntax for this control
      field: the simple one has a single simple keyword; the more
      complicated one involves a square-bracketed selection of
      <span class="emphasis"><em>value=action</em></span> pairs.
    </p><p>
      For the simple (historical) syntax, valid <span class="emphasis"><em>control</em></span>
      values are:
    </p><div class="variablelist"><dl class="variablelist"><dt><span class="term">required</span></dt><dd><p>
            failure of such a PAM will ultimately lead to the PAM-API
            returning failure but only after the remaining
            <span class="emphasis"><em>stacked</em></span> modules (for this
            <span class="emphasis"><em>service</em></span> and <span class="emphasis"><em>type</em></span>)
            have been invoked.
          </p></dd><dt><span class="term">requisite</span></dt><dd><p>
            like <span class="emphasis"><em>required</em></span>, however, in the case that
            such a module returns a failure, control is directly returned
            to the application or to the superior PAM stack.
            The return value is that associated with
            the first required or requisite module to fail. Note, this flag
            can be used to protect against the possibility of a user getting
            the opportunity to enter a password over an unsafe medium. It is
            conceivable that such behavior might inform an attacker of valid
            accounts on a system. This possibility should be weighed against
            the not insignificant concerns of exposing a sensitive password
            in a hostile environment.
          </p></dd><dt><span class="term">sufficient</span></dt><dd><p>
            if such a module succeeds and no prior <span class="emphasis"><em>required</em></span>
            module has failed, the PAM framework returns success to
            the application or to the superior PAM stack immediately without
            calling any further modules in the stack. A failure of a
            <span class="emphasis"><em>sufficient</em></span> module is ignored and processing
            of the PAM module stack continues unaffected.
          </p></dd><dt><span class="term">optional</span></dt><dd><p>
            the success or failure of this module is only important if
            it is the only module in the stack associated with this
            <span class="emphasis"><em>service</em></span>+<span class="emphasis"><em>type</em></span>.
          </p></dd><dt><span class="term">include</span></dt><dd><p>
            include all lines of given type from the configuration
            file specified as an argument to this control.
          </p></dd><dt><span class="term">substack</span></dt><dd><p>
            include all lines of given type from the configuration
            file specified as an argument to this control. This differs from
            <span class="emphasis"><em>include</em></span> in that evaluation of the
            <span class="emphasis"><em>done</em></span> and <span class="emphasis"><em>die</em></span> actions
            in a substack does not cause skipping the rest of the complete
            module stack, but only of the substack. Jumps in a substack
            also cannot make evaluation jump out of it, and the whole substack
            is counted as one module when the jump is done in a parent stack.
            The <span class="emphasis"><em>reset</em></span> action will reset the state of a
            module stack to the state it was in as of the beginning of the substack
            evaluation.
          </p></dd></dl></div><p>
      For the more complicated syntax valid <span class="emphasis"><em>control</em></span>
      values have the following form:
    </p><pre class="programlisting">
      [value1=action1 value2=action2 ...]
    </pre><p>
      Where <span class="emphasis"><em>valueN</em></span> corresponds to the return code
      from the function invoked in the module for which the line is
      defined. It is selected from one of these:
      <span class="emphasis"><em>success</em></span>, <span class="emphasis"><em>open_err</em></span>,
      <span class="emphasis"><em>symbol_err</em></span>, <span class="emphasis"><em>service_err</em></span>,
      <span class="emphasis"><em>system_err</em></span>, <span class="emphasis"><em>buf_err</em></span>,
      <span class="emphasis"><em>perm_denied</em></span>, <span class="emphasis"><em>auth_err</em></span>,
      <span class="emphasis"><em>cred_insufficient</em></span>,
      <span class="emphasis"><em>authinfo_unavail</em></span>,
      <span class="emphasis"><em>user_unknown</em></span>, <span class="emphasis"><em>maxtries</em></span>,
      <span class="emphasis"><em>new_authtok_reqd</em></span>,
      <span class="emphasis"><em>acct_expired</em></span>, <span class="emphasis"><em>session_err</em></span>,
      <span class="emphasis"><em>cred_unavail</em></span>, <span class="emphasis"><em>cred_expired</em></span>,
      <span class="emphasis"><em>cred_err</em></span>, <span class="emphasis"><em>no_module_data</em></span>,
      <span class="emphasis"><em>conv_err</em></span>, <span class="emphasis"><em>authtok_err</em></span>,
      <span class="emphasis"><em>authtok_recover_err</em></span>,
      <span class="emphasis"><em>authtok_lock_busy</em></span>,
      <span class="emphasis"><em>authtok_disable_aging</em></span>,
      <span class="emphasis"><em>try_again</em></span>, <span class="emphasis"><em>ignore</em></span>,
      <span class="emphasis"><em>abort</em></span>, <span class="emphasis"><em>authtok_expired</em></span>,
      <span class="emphasis"><em>module_unknown</em></span>, <span class="emphasis"><em>bad_item</em></span>,
      <span class="emphasis"><em>conv_again</em></span>, <span class="emphasis"><em>incomplete</em></span>,
      and <span class="emphasis"><em>default</em></span>.
    </p><p>
      The last of these, <span class="emphasis"><em>default</em></span>, implies 'all
      <span class="emphasis"><em>valueN</em></span>'s not mentioned explicitly. Note, the
      full list of PAM errors is available in
      <code class="filename">/usr/include/security/_pam_types.h</code>. The
      <span class="emphasis"><em>actionN</em></span> can take one of the following forms:
    </p><div class="variablelist"><dl class="variablelist"><dt><span class="term">ignore</span></dt><dd><p>
             when used with a stack of modules, the module's return
             status will not contribute to the return code the application
             obtains.
          </p></dd><dt><span class="term">bad</span></dt><dd><p>
             this action indicates that the return code should be thought
             of as indicative of the module failing. If this module is the
             first in the stack to fail, its status value will be used for
             that of the whole stack.
          </p></dd><dt><span class="term">die</span></dt><dd><p>
             equivalent to bad with the side effect of terminating the
             module stack and PAM immediately returning to the application.
          </p></dd><dt><span class="term">ok</span></dt><dd><p>
             this tells PAM that the administrator thinks this return code
             should contribute directly to the return code of the full
             stack of modules. In other words, if the former state of the
             stack would lead to a return of <span class="emphasis"><em>PAM_SUCCESS</em></span>,
             the module's return code will override this value. Note, if
             the former state of the stack holds some value that is
             indicative of a module's failure, this 'ok' value will not be
             used to override that value.
          </p></dd><dt><span class="term">done</span></dt><dd><p>
             equivalent to ok with the side effect of terminating the module
             stack and PAM immediately returning to the application.
          </p></dd><dt><span class="term">N (an unsigned integer)</span></dt><dd><p>
             equivalent to ok with the side effect of jumping over the
             next N modules in the stack. Note that N equal to 0 is not
             allowed (and it would be identical to ok in such case).
          </p></dd><dt><span class="term">reset</span></dt><dd><p>
             clear all memory of the state of the module stack and
             start again with the next stacked module.
          </p></dd></dl></div><p>
      Each of the four keywords: required; requisite; sufficient; and
      optional, has an equivalent expression in terms of the [...]
      syntax. They are as follows:
    </p><div class="variablelist"><dl class="variablelist"><dt><span class="term">required</span></dt><dd><p>
             [success=ok new_authtok_reqd=ok ignore=ignore default=bad]
          </p></dd><dt><span class="term">requisite</span></dt><dd><p>
             [success=ok new_authtok_reqd=ok ignore=ignore default=die]
          </p></dd><dt><span class="term">sufficient</span></dt><dd><p>
             [success=done new_authtok_reqd=done default=ignore]
          </p></dd><dt><span class="term">optional</span></dt><dd><p>
             [success=ok new_authtok_reqd=ok default=ignore]
          </p></dd></dl></div><p>
      <span class="emphasis"><em>module-path</em></span> is either the full filename
      of the PAM to be used by the application (it begins with a '/'),
      or a relative pathname from the default module location:
      <code class="filename">/lib/security/</code> or
      <code class="filename">/lib64/security/</code>, depending on the architecture.
    </p><p>
      <span class="emphasis"><em>module-arguments</em></span> are a space separated list
      of tokens that can be used to modify the specific behavior of the
      given PAM. Such arguments will be documented for each individual
      module. Note, if you wish to include spaces in an argument, you
      should surround that argument with square brackets.
    </p><pre class="programlisting">
    squid auth required pam_mysql.so user=passwd_query passwd=mada \
          db=eminence [query=select user_name from internet_service \
          where user_name='%u' and password=PASSWORD('%p') and \
        service='web_proxy']
    </pre><p>
      When using this convention, you can include `[' characters
      inside the string, and if you wish to include a `]' character
      inside the string that will survive the argument parsing, you
      should use `\]'. In other words:
    </p><pre class="programlisting">
    [..[..\]..]    --&gt;   ..[..]..
    </pre><p>
      Any line in (one of) the configuration file(s) that is not formatted
      correctly will generally tend (erring on the side of caution) to make
      the authentication process fail.  A corresponding error is written to
      the system log files with a call to
      <span class="citerefentry"><span class="refentrytitle">syslog</span>(3)</span>.
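The rule grammar and control semantics of this section, as an added example that is not part of the Linux-PAM guide or library: a small Python model that parses pam.d-style rules (bracketed arguments with `\]`, `\<LF>` continuations, `#` comments), expands the four keywords to their `[value=action]` tables, and evaluates a stack with ok/bad/die/done/N/reset and substack handling against simulated module return codes. The sample lines, the module names other than pam_unix.so and pam_succeed_if.so, the treatment of an unloadable module as `module_unknown`, and the fail-closed fallback to `perm_denied` when no module contributed are constructed assumptions, and `include`/`substack` lines are not read from text (substacks are built by hand).

```python
import re
UNDEF, POSITIVE, NEGATIVE = "undef", "positive", "negative"
# Historical control keywords and their [valueN=actionN] equivalents, as listed above.
SIMPLE_CONTROLS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}
RULE_RE = re.compile(r"^\s*(-?)(\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)\s*(.*)$")  # pam.d form, no service field
ARG_RE = re.compile(r"\[((?:\\\]|[^\]])*)\]|(\S+)")  # a [...] group is one argument; '\]' is a literal ']'

def split_args(text):
    """Split module-arguments following the square-bracket convention described above."""
    return [m.group(2) if m.group(2) is not None else m.group(1).replace("\\]", "]")
            for m in ARG_RE.finditer(text)]

def parse_control(control):
    """Expand a control token into its [valueN=actionN] table."""
    if control in SIMPLE_CONTROLS:
        return dict(SIMPLE_CONTROLS[control])
    if not (control.startswith("[") and control.endswith("]")):
        raise ValueError("unknown control: " + control)
    return dict(pair.split("=", 1) for pair in control[1:-1].split())

def parse_rule(line):
    """Parse one /etc/pam.d/<service> rule: [-]type control module-path [module-arguments]."""
    m = RULE_RE.match(line)
    if not m:
        raise ValueError("malformed rule, PAM would fail the request: " + line)
    dash, mtype, control, path, rest = m.groups()        # type and control are case-insensitive
    return {"type": mtype.lower(), "quiet_if_missing": dash == "-",
            "actions": parse_control(control.lower()), "path": path, "args": split_args(rest)}

def parse_config(text):
    """Join '\\<LF>' continuations, drop '#' comments and parse the remaining rules."""
    lines = (raw.split("#", 1)[0].strip() for raw in text.replace("\\\n", " ").splitlines())
    return [parse_rule(line) for line in lines if line]

def _apply(state, action, retval, reset_to):
    """Apply one actionN to the running stack state; return "stop", a skip count or None."""
    if action in ("bad", "die"):
        if state["impression"] != NEGATIVE:                # the first failure's code is the one kept
            state.update(impression=NEGATIVE, status=retval)
        return "stop" if action == "die" else None
    if action == "reset":
        state["impression"], state["status"] = reset_to
    elif action != "ignore":                               # ok, done or a jump N
        if state["impression"] == UNDEF or (state["impression"] == POSITIVE and state["status"] == "success"):
            state.update(impression=POSITIVE, status=retval)   # an earlier failure is never overridden...
        if action == "done":                               # ...and it also keeps the stack going past 'done'
            return "stop" if state["impression"] == POSITIVE else None
        if action != "ok":                                 # N: jump over the next N modules (N > 0)
            return int(action)
    return None

def evaluate(stack, outcomes, state=None, reset_to=(UNDEF, None)):
    """Walk rules or ("substack", rules) entries against simulated results (path -> code)."""
    state = state if state is not None else {"impression": UNDEF, "status": None}
    skip = 0
    for entry in stack:
        if skip:
            skip -= 1                                      # a whole substack counts as one module
            continue
        if isinstance(entry, tuple):                       # ("substack", rules): done/die end only it
            evaluate(entry[1], outcomes, state, (state["impression"], state["status"]))
            continue
        retval = outcomes.get(entry["path"], "module_unknown")    # module that could not be loaded
        action = entry["actions"].get(retval) or entry["actions"].get("default", "bad")
        result = _apply(state, action, retval, reset_to)
        if result == "stop":
            break
        skip = result if isinstance(result, int) else 0
    return "perm_denied" if state["impression"] == UNDEF else state["status"]  # nothing counted: fail closed

# Constructed pam.d-style auth stack; pam_access_like and pam_db_like are hypothetical module names.
SAMPLE_CONF = r"""
auth  [success=1 default=ignore]  pam_succeed_if.so  uid >= 1000   # regular users skip the next rule
auth  requisite   pam_access_like.so                                # deny before any password prompt
auth  sufficient  pam_unix.so  nullok
auth  required    pam_db_like.so  db=eminence \
      [query=select name from users where name='%u' and tag='[x\]']
"""

def run_scenarios():
    rules = parse_config(SAMPLE_CONF)
    ok = dict.fromkeys(["pam_succeed_if.so", "pam_access_like.so", "pam_unix.so", "pam_db_like.so"], "success")
    bad_pw = dict(ok, **{"pam_unix.so": "auth_err", "pam_db_like.so": "auth_err"})
    system = dict(ok, **{"pam_succeed_if.so": "auth_err", "pam_access_like.so": "perm_denied"})
    inner = [parse_rule("auth sufficient pam_inner.so"), parse_rule("auth required pam_never.so")]
    first, last = parse_rule("auth required pam_first.so"), parse_rule("auth required pam_last.so")
    nested = {"pam_first.so": "success", "pam_inner.so": "success", "pam_last.so": "auth_err"}
    return {
        "user_ok": evaluate(rules, ok),             # jump skips the requisite rule, sufficient ends the stack
        "user_bad_pw": evaluate(rules, bad_pw),     # sufficient failure ignored, required failure reported
        "system_account": evaluate(rules, system),  # requisite 'die' returns before pam_unix is reached
        "included": evaluate([first, *inner, last], nested),               # flat: 'done' ends everything
        "substack": evaluate([first, ("substack", inner), last], nested),  # 'done' ends only the substack
    }
```

Calling `run_scenarios()` shows why a `substack` behaves differently from an `include` of the same lines, and why a `requisite` denial placed before `pam_unix.so` returns before any password is requested.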
    </p></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="sag-configuration.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="sag-configuration.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="sag-configuration-directory.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 4. The Linux-PAM configuration file </td><td width="20%" align="center"><a accesskey="h" href="Linux-PAM_SAG.html">Home</a></td><td width="40%" align="right" valign="top"> 4.2. Directory based configuration</td></tr></table></div></body></html>
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>Chapter 4. The Linux-PAM configuration file</title><meta name="generator" content="DocBook XSL Stylesheets Vsnapshot"><link rel="home" href="Linux-PAM_SAG.html" title="The Linux-PAM System Administrators' Guide"><link rel="up" href="Linux-PAM_SAG.html" title="The Linux-PAM System Administrators' Guide"><link rel="prev" href="sag-overview.html" title="Chapter 3. Overview"><link rel="next" href="sag-configuration-file.html" title="4.1. Configuration file syntax"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 4. The Linux-PAM configuration file</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="sag-overview.html">Prev</a> </td><th width="60%" align="center"> </th><td width="20%" align="right"> <a accesskey="n" href="sag-configuration-file.html">Next</a></td></tr></table><hr></div><div class="chapter"><div class="titlepage"><div><div><h1 class="title"><a name="sag-configuration"></a>Chapter 4. The Linux-PAM configuration file</h1></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl class="toc"><dt><span class="section"><a href="sag-configuration-file.html">4.1. Configuration file syntax</a></span></dt><dt><span class="section"><a href="sag-configuration-directory.html">4.2. Directory based configuration</a></span></dt><dt><span class="section"><a href="sag-configuration-example.html">4.3. Example configuration file entries</a></span></dt></dl></div><p>
    When a <span class="emphasis"><em>PAM</em></span> aware privilege granting application
    is started, it activates its attachment to the PAM-API. This
    activation performs a number of tasks, the most important being the
    reading of the configuration file(s): <code class="filename">/etc/pam.conf</code>.
    Alternatively, this may be the contents of the
    <code class="filename">/etc/pam.d/</code> directory. The presence of this
    directory will cause Linux-PAM to ignore
    <code class="filename">/etc/pam.conf</code>.
  </p><p>
    These files list the <span class="emphasis"><em>PAM</em></span>s that will do the
    authentication tasks required by this service, and the appropriate
    behavior of the PAM-API in the event that individual
    <span class="emphasis"><em>PAM</em></span>s fail.
  </p></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="sag-overview.html">Prev</a> </td><td width="20%" align="center"> </td><td width="40%" align="right"> <a accesskey="n" href="sag-configuration-file.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 3. Overview </td><td width="20%" align="center"><a accesskey="h" href="Linux-PAM_SAG.html">Home</a></td><td width="40%" align="right" valign="top"> 4.1. Configuration file syntax</td></tr></table></div></body></html>
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>Chapter 9. Copyright information for this document</title><meta name="generator" content="DocBook XSL Stylesheets Vsnapshot"><link rel="home" href="Linux-PAM_SAG.html" title="The Linux-PAM System Administrators' Guide"><link rel="up" href="Linux-PAM_SAG.html" title="The Linux-PAM System Administrators' Guide"><link rel="prev" href="sag-author.html" title="Chapter 8. Author/acknowledgments"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 9. Copyright information for this document</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="sag-author.html">Prev</a> </td><th width="60%" align="center"> </th><td width="20%" align="right"> </td></tr></table><hr></div><div class="chapter"><div class="titlepage"><div><div><h1 class="title"><a name="sag-copyright"></a>Chapter 9. Copyright information for this document</h1></div></div></div><pre class="programlisting">
Copyright (c) 2006 Thorsten Kukuk &lt;kukuk@thkukuk.de&gt;
Copyright (c) 1996-2002 Andrew G. Morgan &lt;morgan@kernel.org&gt;
    </pre><p>
      Redistribution and use in source and binary forms, with or without
      modification, are permitted provided that the following conditions are
      met:
    </p><pre class="programlisting">
1. Redistributions of source code must retain the above copyright
   notice, and the entire permission notice in its entirety,
   including the disclaimer of warranties.

2. Redistributions in binary form must reproduce the above copyright
   notice, this list of conditions and the following disclaimer in the
   documentation and/or other materials provided with the distribution.

3. The name of the author may not be used to endorse or promote
   products derived from this software without specific prior
   written permission.
    </pre><p>
      Alternatively, this product may be distributed under the terms of
      the GNU General Public License (GPL), in which case the provisions
      of the GNU GPL are required instead of the above restrictions.
      (This clause is necessary due to a potential bad interaction between
      the GNU GPL and the restrictions contained in a BSD-style copyright.)
    </p><pre class="programlisting">
THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR
TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
    </pre></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="sag-author.html">Prev</a> </td><td width="20%" align="center"> </td><td width="40%" align="right"> </td></tr><tr><td width="40%" align="left" valign="top">Chapter 8. Author/acknowledgments </td><td width="20%" align="center"><a accesskey="h" href="Linux-PAM_SAG.html">Home</a></td><td width="40%" align="right" valign="top"> </td></tr></table></div></body></html>
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>Chapter 1. Introduction</title><meta name="generator" content="DocBook XSL Stylesheets Vsnapshot"><link rel="home" href="Linux-PAM_SAG.html" title="The Linux-PAM System Administrators' Guide"><link rel="up" href="Linux-PAM_SAG.html" title="The Linux-PAM System Administrators' Guide"><link rel="prev" href="Linux-PAM_SAG.html" title="The Linux-PAM System Administrators' Guide"><link rel="next" href="sag-text-conventions.html" title="Chapter 2. Some comments on the text"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 1. Introduction</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="Linux-PAM_SAG.html">Prev</a> </td><th width="60%" align="center"> </th><td width="20%" align="right"> <a accesskey="n" href="sag-text-conventions.html">Next</a></td></tr></table><hr></div><div class="chapter"><div class="titlepage"><div><div><h1 class="title"><a name="sag-introduction"></a>Chapter 1. Introduction</h1></div></div></div><p>
      <span class="emphasis"><em>Linux-PAM</em></span> (Pluggable Authentication
      Modules for Linux) is a suite of shared libraries that enable the
      local system administrator to choose how applications authenticate users.
    </p><p>
      In other words, without (rewriting and) recompiling a PAM-aware
      application, it is possible to switch between the authentication
      mechanism(s) it uses. Indeed, one may entirely upgrade the local
      authentication system without touching the applications themselves.
    </p><p>
      Historically an application that has required a given user to be
      authenticated has had to be compiled to use a specific authentication
      mechanism.  For example, in the case of traditional UN*X systems, the
      identity of the user is verified by the user entering a correct
      password.  This password, after being prefixed by a two character
      ``salt'', is encrypted (with crypt(3)). The user is then authenticated
      if this encrypted password is identical to the second field of the
      user's entry in the system password database (the
      <code class="filename">/etc/passwd</code> file).  On such systems, most if
      not all forms of privileges are granted based on this single
      authentication scheme. Privilege comes in the form of a personal
      user-identifier (UID) and membership of various groups. Services and
      applications are available based on the personal and group identity
      of the user. Traditionally, group membership has been assigned based
      on entries in the <code class="filename">/etc/group</code> file.
    </p><p>
      It is the purpose of the <span class="emphasis"><em>Linux-PAM</em></span>
      project to separate the development of privilege granting software
      from the development of secure and appropriate authentication schemes.
      This is accomplished by providing a library of functions that an
      application may use to request that a user be authenticated. This
      PAM library is configured locally with a system file,
      <code class="filename">/etc/pam.conf</code> (or a series of configuration
      files located in <code class="filename">/etc/pam.d/</code>) to authenticate a
      user request via the locally available authentication modules. The
      modules themselves will usually be located in the directory
      <code class="filename">/lib/security</code> or
      <code class="filename">/lib64/security</code> and take the form of dynamically
      loadable object files (see <span class="citerefentry"><span class="refentrytitle">dlopen</span>(3)</span>).
    </p></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="Linux-PAM_SAG.html">Prev</a> </td><td width="20%" align="center"> </td><td width="40%" align="right"> <a accesskey="n" href="sag-text-conventions.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">The Linux-PAM System Administrators' Guide </td><td width="20%" align="center"><a accesskey="h" href="Linux-PAM_SAG.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 2. Some comments on the text</td></tr></table></div></body></html>
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>Chapter 6. A reference guide for available modules</title><meta name="generator" content="DocBook XSL Stylesheets Vsnapshot"><link rel="home" href="Linux-PAM_SAG.html" title="The Linux-PAM System Administrators' Guide"><link rel="up" href="Linux-PAM_SAG.html" title="The Linux-PAM System Administrators' Guide"><link rel="prev" href="sag-security-issues-other.html" title="5.2. Avoid having a weak `other' configuration"><link rel="next" href="sag-pam_access.html" title="6.1. pam_access - logdaemon style login access control"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 6. A reference guide for available modules</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="sag-security-issues-other.html">Prev</a> </td><th width="60%" align="center"> </th><td width="20%" align="right"> <a accesskey="n" href="sag-pam_access.html">Next</a></td></tr></table><hr></div><div class="chapter"><div class="titlepage"><div><div><h1 class="title"><a name="sag-module-reference"></a>Chapter 6. A reference guide for available modules</h1></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl class="toc"><dt><span class="section"><a href="sag-pam_access.html">6.1. pam_access - logdaemon style login access control</a></span></dt><dd><dl><dt><span class="section"><a href="sag-pam_access.html#sag-pam_access-description">6.1.1. DESCRIPTION</a></span></dt><dt><span class="section"><a href="sag-pam_access.html#sag-access.conf-description">6.1.2. DESCRIPTION</a></span></dt><dt><span class="section"><a href="sag-pam_access.html#sag-pam_access-options">6.1.3. OPTIONS</a></span></dt><dt><span class="section"><a href="sag-pam_access.html#sag-pam_access-types">6.1.4. 
MODULE TYPES PROVIDED</a></span></dt><dt><span class="section"><a href="sag-pam_access.html#sag-pam_access-return_values">6.1.5. RETURN VALUES</a></span></dt><dt><span class="section"><a href="sag-pam_access.html#sag-pam_access-files">6.1.6. FILES</a></span></dt><dt><span class="section"><a href="sag-pam_access.html#sag-access.conf-examples">6.1.7. EXAMPLES</a></span></dt><dt><span class="section"><a href="sag-pam_access.html#sag-pam_access-authors">6.1.8. AUTHORS</a></span></dt></dl></dd><dt><span class="section"><a href="sag-pam_cracklib.html">6.2. pam_cracklib - checks the password against dictionary words</a></span></dt><dd><dl><dt><span class="section"><a href="sag-pam_cracklib.html#sag-pam_cracklib-description">6.2.1. DESCRIPTION</a></span></dt><dt><span class="section"><a href="sag-pam_cracklib.html#sag-pam_cracklib-options">6.2.2. OPTIONS</a></span></dt><dt><span class="section"><a href="sag-pam_cracklib.html#sag-pam_cracklib-types">6.2.3. MODULE TYPES PROVIDED</a></span></dt><dt><span class="section"><a href="sag-pam_cracklib.html#sag-pam_cracklib-return_values">6.2.4. RETURN VALUES</a></span></dt><dt><span class="section"><a href="sag-pam_cracklib.html#sag-pam_cracklib-examples">6.2.5. EXAMPLES</a></span></dt><dt><span class="section"><a href="sag-pam_cracklib.html#sag-pam_cracklib-author">6.2.6. AUTHOR</a></span></dt></dl></dd><dt><span class="section"><a href="sag-pam_debug.html">6.3. pam_debug - debug the PAM stack</a></span></dt><dd><dl><dt><span class="section"><a href="sag-pam_debug.html#sag-pam_debug-description">6.3.1. DESCRIPTION</a></span></dt><dt><span class="section"><a href="sag-pam_debug.html#sag-pam_debug-options">6.3.2. OPTIONS</a></span></dt><dt><span class="section"><a href="sag-pam_debug.html#sag-pam_debug-types">6.3.3. MODULE TYPES PROVIDED</a></span></dt><dt><span class="section"><a href="sag-pam_debug.html#sag-pam_debug-return_values">6.3.4. 
RETURN VALUES</a></span></dt><dt><span class="section"><a href="sag-pam_debug.html#sag-pam_debug-examples">6.3.5. EXAMPLES</a></span></dt><dt><span class="section"><a href="sag-pam_debug.html#sag-pam_debug-author">6.3.6. AUTHOR</a></span></dt></dl></dd><dt><span class="section"><a href="sag-pam_deny.html">6.4. pam_deny - locking-out PAM module</a></span></dt><dd><dl><dt><span class="section"><a href="sag-pam_deny.html#sag-pam_deny-description">6.4.1. DESCRIPTION</a></span></dt><dt><span class="section"><a href="sag-pam_deny.html#sag-pam_deny-options">6.4.2. OPTIONS</a></span></dt><dt><span class="section"><a href="sag-pam_deny.html#sag-pam_deny-types">6.4.3. MODULE TYPES PROVIDED</a></span></dt><dt><span class="section"><a href="sag-pam_deny.html#sag-pam_deny-return_values">6.4.4. RETURN VALUES</a></span></dt><dt><span class="section"><a href="sag-pam_deny.html#sag-pam_deny-examples">6.4.5. EXAMPLES</a></span></dt><dt><span class="section"><a href="sag-pam_deny.html#sag-pam_deny-author">6.4.6. AUTHOR</a></span></dt></dl></dd><dt><span class="section"><a href="sag-pam_echo.html">6.5. pam_echo - print text messages</a></span></dt><dd><dl><dt><span class="section"><a href="sag-pam_echo.html#sag-pam_echo-description">6.5.1. DESCRIPTION</a></span></dt><dt><span class="section"><a href="sag-pam_echo.html#sag-pam_echo-options">6.5.2. OPTIONS</a></span></dt><dt><span class="section"><a href="sag-pam_echo.html#sag-pam_echo-types">6.5.3. MODULE TYPES PROVIDED</a></span></dt><dt><span class="section"><a href="sag-pam_echo.html#sag-pam_echo-return_values">6.5.4. RETURN VALUES</a></span></dt><dt><span class="section"><a href="sag-pam_echo.html#sag-pam_echo-examples">6.5.5. EXAMPLES</a></span></dt><dt><span class="section"><a href="sag-pam_echo.html#sag-pam_echo-author">6.5.6. AUTHOR</a></span></dt></dl></dd><dt><span class="section"><a href="sag-pam_env.html">6.6. 
pam_env - set/unset environment variables</a></span></dt><dd><dl><dt><span class="section"><a href="sag-pam_env.html#sag-pam_env-description">6.6.1. DESCRIPTION</a></span></dt><dt><span class="section"><a href="sag-pam_env.html#sag-pam_env.conf-description">6.6.2. DESCRIPTION</a></span></dt><dt><span class="section"><a href="sag-pam_env.html#sag-pam_env-options">6.6.3. OPTIONS</a></span></dt><dt><span class="section"><a href="sag-pam_env.html#sag-pam_env-types">6.6.4. MODULE TYPES PROVIDED</a></span></dt><dt><span class="section"><a href="sag-pam_env.html#sag-pam_env-return_values">6.6.5. RETURN VALUES</a></span></dt><dt><span class="section"><a href="sag-pam_env.html#sag-pam_env-files">6.6.6. FILES</a></span></dt><dt><span class="section"><a href="sag-pam_env.html#sag-pam_env.conf-examples">6.6.7. EXAMPLES</a></span></dt><dt><span class="section"><a href="sag-pam_env.html#sag-pam_env-authors">6.6.8. AUTHOR</a></span></dt></dl></dd><dt><span class="section"><a href="sag-pam_exec.html">6.7. pam_exec - call an external command</a></span></dt><dd><dl><dt><span class="section"><a href="sag-pam_exec.html#sag-pam_exec-description">6.7.1. DESCRIPTION</a></span></dt><dt><span class="section"><a href="sag-pam_exec.html#sag-pam_exec-options">6.7.2. OPTIONS</a></span></dt><dt><span class="section"><a href="sag-pam_exec.html#sag-pam_exec-types">6.7.3. MODULE TYPES PROVIDED</a></span></dt><dt><span class="section"><a href="sag-pam_exec.html#sag-pam_exec-return_values">6.7.4. RETURN VALUES</a></span></dt><dt><span class="section"><a href="sag-pam_exec.html#sag-pam_exec-examples">6.7.5. EXAMPLES</a></span></dt><dt><span class="section"><a href="sag-pam_exec.html#sag-pam_exec-author">6.7.6. AUTHOR</a></span></dt></dl></dd><dt><span class="section"><a href="sag-pam_faildelay.html">6.8. pam_faildelay - change the delay on failure per-application</a></span></dt><dd><dl><dt><span class="section"><a href="sag-pam_faildelay.html#sag-pam_faildelay-description">6.8.1. 
DESCRIPTION</a></span></dt><dt><span class="section"><a href="sag-pam_faildelay.html#sag-pam_faildelay-options">6.8.2. OPTIONS</a></span></dt><dt><span class="section"><a href="sag-pam_faildelay.html#sag-pam_faildelay-types">6.8.3. MODULE TYPES PROVIDED</a></span></dt><dt><span class="section"><a href="sag-pam_faildelay.html#sag-pam_faildelay-return_values">6.8.4. RETURN VALUES</a></span></dt><dt><span class="section"><a href="sag-pam_faildelay.html#sag-pam_faildelay-examples">6.8.5. EXAMPLES</a></span></dt><dt><span class="section"><a href="sag-pam_faildelay.html#sag-pam_faildelay-author">6.8.6. AUTHOR</a></span></dt></dl></dd><dt><span class="section"><a href="sag-pam_filter.html">6.9. pam_filter - filter module</a></span></dt><dd><dl><dt><span class="section"><a href="sag-pam_filter.html#sag-pam_filter-description">6.9.1. DESCRIPTION</a></span></dt><dt><span class="section"><a href="sag-pam_filter.html#sag-pam_filter-options">6.9.2. OPTIONS</a></span></dt><dt><span class="section"><a href="sag-pam_filter.html#sag-pam_filter-types">6.9.3. MODULE TYPES PROVIDED</a></span></dt><dt><span class="section"><a href="sag-pam_filter.html#sag-pam_filter-return_values">6.9.4. RETURN VALUES</a></span></dt><dt><span class="section"><a href="sag-pam_filter.html#sag-pam_filter-examples">6.9.5. EXAMPLES</a></span></dt><dt><span class="section"><a href="sag-pam_filter.html#sag-pam_filter-author">6.9.6. AUTHOR</a></span></dt></dl></dd><dt><span class="section"><a href="sag-pam_ftp.html">6.10. pam_ftp - module for anonymous access</a></span></dt><dd><dl><dt><span class="section"><a href="sag-pam_ftp.html#sag-pam_ftp-description">6.10.1. DESCRIPTION</a></span></dt><dt><span class="section"><a href="sag-pam_ftp.html#sag-pam_ftp-options">6.10.2. OPTIONS</a></span></dt><dt><span class="section"><a href="sag-pam_ftp.html#sag-pam_ftp-types">6.10.3. MODULE TYPES PROVIDED</a></span></dt><dt><span class="section"><a href="sag-pam_ftp.html#sag-pam_ftp-return_values">6.10.4. 
RETURN VALUES</a></span></dt><dt><span class="section"><a href="sag-pam_ftp.html#sag-pam_ftp-examples">6.10.5. EXAMPLES</a></span></dt><dt><span class="section"><a href="sag-pam_ftp.html#sag-pam_ftp-author">6.10.6. AUTHOR</a></span></dt></dl></dd><dt><span class="section"><a href="sag-pam_group.html">6.11. pam_group - module to modify group access</a></span></dt><dd><dl><dt><span class="section"><a href="sag-pam_group.html#sag-pam_group-description">6.11.1. DESCRIPTION</a></span></dt><dt><span class="section"><a href="sag-pam_group.html#sag-group.conf-description">6.11.2. DESCRIPTION</a></span></dt><dt><span class="section"><a href="sag-pam_group.html#sag-pam_group-options">6.11.3. OPTIONS</a></span></dt><dt><span class="section"><a href="sag-pam_group.html#sag-pam_group-types">6.11.4. MODULE TYPES PROVIDED</a></span></dt><dt><span class="section"><a href="sag-pam_group.html#sag-pam_group-return_values">6.11.5. RETURN VALUES</a></span></dt><dt><span class="section"><a href="sag-pam_group.html#sag-pam_group-files">6.11.6. FILES</a></span></dt><dt><span class="section"><a href="sag-pam_group.html#sag-group.conf-examples">6.11.7. EXAMPLES</a></span></dt><dt><span class="section"><a href="sag-pam_group.html#sag-pam_group-authors">6.11.8. AUTHORS</a></span></dt></dl></dd><dt><span class="section"><a href="sag-pam_issue.html">6.12. pam_issue - add issue file to user prompt</a></span></dt><dd><dl><dt><span class="section"><a href="sag-pam_issue.html#sag-pam_issue-description">6.12.1. DESCRIPTION</a></span></dt><dt><span class="section"><a href="sag-pam_issue.html#sag-pam_issue-options">6.12.2. OPTIONS</a></span></dt><dt><span class="section"><a href="sag-pam_issue.html#sag-pam_issue-types">6.12.3. MODULE TYPES PROVIDED</a></span></dt><dt><span class="section"><a href="sag-pam_issue.html#sag-pam_issue-return_values">6.12.4. RETURN VALUES</a></span></dt><dt><span class="section"><a href="sag-pam_issue.html#sag-pam_issue-examples">6.12.5. 
EXAMPLES</a></span></dt><dt><span class="section"><a href="sag-pam_issue.html#sag-pam_issue-author">6.12.6. AUTHOR</a></span></dt></dl></dd><dt><span class="section"><a href="sag-pam_keyinit.html">6.13. pam_keyinit - initialise kernel session keyring</a></span></dt><dd><dl><dt><span class="section"><a href="sag-pam_keyinit.html#sag-pam_keyinit-description">6.13.1. DESCRIPTION</a></span></dt><dt><span class="section"><a href="sag-pam_keyinit.html#sag-pam_keyinit-options">6.13.2. OPTIONS</a></span></dt><dt><span class="section"><a href="sag-pam_keyinit.html#sag-pam_keyinit-types">6.13.3. MODULE TYPES PROVIDED</a></span></dt><dt><span class="section"><a href="sag-pam_keyinit.html#sag-pam_keyinit-return_values">6.13.4. RETURN VALUES</a></span></dt><dt><span class="section"><a href="sag-pam_keyinit.html#sag-pam_keyinit-examples">6.13.5. EXAMPLES</a></span></dt><dt><span class="section"><a href="sag-pam_keyinit.html#sag-pam_keyinit-author">6.13.6. AUTHOR</a></span></dt></dl></dd><dt><span class="section"><a href="sag-pam_lastlog.html">6.14. pam_lastlog - display date of last login</a></span></dt><dd><dl><dt><span class="section"><a href="sag-pam_lastlog.html#sag-pam_lastlog-description">6.14.1. DESCRIPTION</a></span></dt><dt><span class="section"><a href="sag-pam_lastlog.html#sag-pam_lastlog-options">6.14.2. OPTIONS</a></span></dt><dt><span class="section"><a href="sag-pam_lastlog.html#sag-pam_lastlog-types">6.14.3. MODULE TYPES PROVIDED</a></span></dt><dt><span class="section"><a href="sag-pam_lastlog.html#sag-pam_lastlog-return_values">6.14.4. RETURN VALUES</a></span></dt><dt><span class="section"><a href="sag-pam_lastlog.html#sag-pam_lastlog-examples">6.14.5. EXAMPLES</a></span></dt><dt><span class="section"><a href="sag-pam_lastlog.html#sag-pam_lastlog-author">6.14.6. AUTHOR</a></span></dt></dl></dd><dt><span class="section"><a href="sag-pam_limits.html">6.15. 
pam_limits - limit resources</a></span></dt><dd><dl><dt><span class="section"><a href="sag-pam_limits.html#sag-pam_limits-description">6.15.1. DESCRIPTION</a></span></dt><dt><span class="section"><a href="sag-pam_limits.html#sag-limits.conf-description">6.15.2. DESCRIPTION</a></span></dt><dt><span class="section"><a href="sag-pam_limits.html#sag-pam_limits-options">6.15.3. OPTIONS</a></span></dt><dt><span class="section"><a href="sag-pam_limits.html#sag-pam_limits-types">6.15.4. MODULE TYPES PROVIDED</a></span></dt><dt><span class="section"><a href="sag-pam_limits.html#sag-pam_limits-return_values">6.15.5. RETURN VALUES</a></span></dt><dt><span class="section"><a href="sag-pam_limits.html#sag-pam_limits-files">6.15.6. FILES</a></span></dt><dt><span class="section"><a href="sag-pam_limits.html#sag-limits.conf-examples">6.15.7. EXAMPLES</a></span></dt><dt><span class="section"><a href="sag-pam_limits.html#sag-pam_limits-authors">6.15.8. AUTHORS</a></span></dt></dl></dd><dt><span class="section"><a href="sag-pam_listfile.html">6.16. pam_listfile - deny or allow services based on an arbitrary file</a></span></dt><dd><dl><dt><span class="section"><a href="sag-pam_listfile.html#sag-pam_listfile-description">6.16.1. DESCRIPTION</a></span></dt><dt><span class="section"><a href="sag-pam_listfile.html#sag-pam_listfile-options">6.16.2. OPTIONS</a></span></dt><dt><span class="section"><a href="sag-pam_listfile.html#sag-pam_listfile-types">6.16.3. MODULE TYPES PROVIDED</a></span></dt><dt><span class="section"><a href="sag-pam_listfile.html#sag-pam_listfile-return_values">6.16.4. RETURN VALUES</a></span></dt><dt><span class="section"><a href="sag-pam_listfile.html#sag-pam_listfile-examples">6.16.5. EXAMPLES</a></span></dt><dt><span class="section"><a href="sag-pam_listfile.html#sag-pam_listfile-author">6.16.6. AUTHOR</a></span></dt></dl></dd><dt><span class="section"><a href="sag-pam_localuser.html">6.17. 
pam_localuser - require users to be listed in /etc/passwd</a></span></dt><dd><dl><dt><span class="section"><a href="sag-pam_localuser.html#sag-pam_localuser-description">6.17.1. DESCRIPTION</a></span></dt><dt><span class="section"><a href="sag-pam_localuser.html#sag-pam_localuser-options">6.17.2. OPTIONS</a></span></dt><dt><span class="section"><a href="sag-pam_localuser.html#sag-pam_localuser-types">6.17.3. MODULE TYPES PROVIDED</a></span></dt><dt><span class="section"><a href="sag-pam_localuser.html#sag-pam_localuser-return_values">6.17.4. RETURN VALUES</a></span></dt><dt><span class="section"><a href="sag-pam_localuser.html#sag-pam_localuser-examples">6.17.5. EXAMPLES</a></span></dt><dt><span class="section"><a href="sag-pam_localuser.html#sag-pam_localuser-author">6.17.6. AUTHOR</a></span></dt></dl></dd><dt><span class="section"><a href="sag-pam_loginuid.html">6.18. pam_loginuid - record user's login uid to the process attribute</a></span></dt><dd><dl><dt><span class="section"><a href="sag-pam_loginuid.html#sag-pam_loginuid-description">6.18.1. DESCRIPTION</a></span></dt><dt><span class="section"><a href="sag-pam_loginuid.html#sag-pam_loginuid-options">6.18.2. OPTIONS</a></span></dt><dt><span class="section"><a href="sag-pam_loginuid.html#sag-pam_loginuid-types">6.18.3. MODULE TYPES PROVIDED</a></span></dt><dt><span class="section"><a href="sag-pam_loginuid.html#sag-pam_loginuid-return_values">6.18.4. RETURN VALUES</a></span></dt><dt><span class="section"><a href="sag-pam_loginuid.html#sag-pam_loginuid-examples">6.18.5. EXAMPLES</a></span></dt><dt><span class="section"><a href="sag-pam_loginuid.html#sag-pam_loginuid-author">6.18.6. AUTHOR</a></span></dt></dl></dd><dt><span class="section"><a href="sag-pam_mail.html">6.19. pam_mail - inform about available mail</a></span></dt><dd><dl><dt><span class="section"><a href="sag-pam_mail.html#sag-pam_mail-description">6.19.1. 
DESCRIPTION</a></span></dt><dt><span class="section"><a href="sag-pam_mail.html#sag-pam_mail-options">6.19.2. OPTIONS</a></span></dt><dt><span class="section"><a href="sag-pam_mail.html#sag-pam_mail-types">6.19.3. MODULE TYPES PROVIDED</a></span></dt><dt><span class="section"><a href="sag-pam_mail.html#sag-pam_mail-return_values">6.19.4. RETURN VALUES</a></span></dt><dt><span class="section"><a href="sag-pam_mail.html#sag-pam_mail-examples">6.19.5. EXAMPLES</a></span></dt><dt><span class="section"><a href="sag-pam_mail.html#sag-pam_mail-author">6.19.6. AUTHOR</a></span></dt></dl></dd><dt><span class="section"><a href="sag-pam_mkhomedir.html">6.20. pam_mkhomedir - create users home directory</a></span></dt><dd><dl><dt><span class="section"><a href="sag-pam_mkhomedir.html#sag-pam_mkhomedir-description">6.20.1. DESCRIPTION</a></span></dt><dt><span class="section"><a href="sag-pam_mkhomedir.html#sag-pam_mkhomedir-options">6.20.2. OPTIONS</a></span></dt><dt><span class="section"><a href="sag-pam_mkhomedir.html#sag-pam_mkhomedir-types">6.20.3. MODULE TYPES PROVIDED</a></span></dt><dt><span class="section"><a href="sag-pam_mkhomedir.html#sag-pam_mkhomedir-return_values">6.20.4. RETURN VALUES</a></span></dt><dt><span class="section"><a href="sag-pam_mkhomedir.html#sag-pam_mkhomedir-examples">6.20.5. EXAMPLES</a></span></dt><dt><span class="section"><a href="sag-pam_mkhomedir.html#sag-pam_mkhomedir-author">6.20.6. AUTHOR</a></span></dt></dl></dd><dt><span class="section"><a href="sag-pam_motd.html">6.21. pam_motd - display the motd file</a></span></dt><dd><dl><dt><span class="section"><a href="sag-pam_motd.html#sag-pam_motd-description">6.21.1. DESCRIPTION</a></span></dt><dt><span class="section"><a href="sag-pam_motd.html#sag-pam_motd-options">6.21.2. OPTIONS</a></span></dt><dt><span class="section"><a href="sag-pam_motd.html#sag-pam_motd-types">6.21.3. 
MODULE TYPES PROVIDED</a></span></dt><dt><span class="section"><a href="sag-pam_motd.html#sag-pam_motd-return_values">6.21.4. RETURN VALUES</a></span></dt><dt><span class="section"><a href="sag-pam_motd.html#sag-pam_motd-examples">6.21.5. EXAMPLES</a></span></dt><dt><span class="section"><a href="sag-pam_motd.html#sag-pam_motd-author">6.21.6. AUTHOR</a></span></dt></dl></dd><dt><span class="section"><a href="sag-pam_namespace.html">6.22. pam_namespace - setup a private namespace</a></span></dt><dd><dl><dt><span class="section"><a href="sag-pam_namespace.html#sag-pam_namespace-description">6.22.1. DESCRIPTION</a></span></dt><dt><span class="section"><a href="sag-pam_namespace.html#sag-namespace.conf-description">6.22.2. DESCRIPTION</a></span></dt><dt><span class="section"><a href="sag-pam_namespace.html#sag-pam_namespace-options">6.22.3. OPTIONS</a></span></dt><dt><span class="section"><a href="sag-pam_namespace.html#sag-pam_namespace-types">6.22.4. MODULE TYPES PROVIDED</a></span></dt><dt><span class="section"><a href="sag-pam_namespace.html#sag-pam_namespace-return_values">6.22.5. RETURN VALUES</a></span></dt><dt><span class="section"><a href="sag-pam_namespace.html#sag-pam_namespace-files">6.22.6. FILES</a></span></dt><dt><span class="section"><a href="sag-pam_namespace.html#sag-namespace.conf-examples">6.22.7. EXAMPLES</a></span></dt><dt><span class="section"><a href="sag-pam_namespace.html#sag-pam_namespace-authors">6.22.8. AUTHORS</a></span></dt></dl></dd><dt><span class="section"><a href="sag-pam_nologin.html">6.23. pam_nologin - prevent non-root users from login</a></span></dt><dd><dl><dt><span class="section"><a href="sag-pam_nologin.html#sag-pam_nologin-description">6.23.1. DESCRIPTION</a></span></dt><dt><span class="section"><a href="sag-pam_nologin.html#sag-pam_nologin-options">6.23.2. OPTIONS</a></span></dt><dt><span class="section"><a href="sag-pam_nologin.html#sag-pam_nologin-types">6.23.3. 
MODULE TYPES PROVIDED</a></span></dt><dt><span class="section"><a href="sag-pam_nologin.html#sag-pam_nologin-return_values">6.23.4. RETURN VALUES</a></span></dt><dt><span class="section"><a href="sag-pam_nologin.html#sag-pam_nologin-examples">6.23.5. EXAMPLES</a></span></dt><dt><span class="section"><a href="sag-pam_nologin.html#sag-pam_nologin-author">6.23.6. AUTHOR</a></span></dt></dl></dd><dt><span class="section"><a href="sag-pam_permit.html">6.24. pam_permit - the promiscuous module</a></span></dt><dd><dl><dt><span class="section"><a href="sag-pam_permit.html#sag-pam_permit-description">6.24.1. DESCRIPTION</a></span></dt><dt><span class="section"><a href="sag-pam_permit.html#sag-pam_permit-options">6.24.2. OPTIONS</a></span></dt><dt><span class="section"><a href="sag-pam_permit.html#sag-pam_permit-types">6.24.3. MODULE TYPES PROVIDED</a></span></dt><dt><span class="section"><a href="sag-pam_permit.html#sag-pam_permit-return_values">6.24.4. RETURN VALUES</a></span></dt><dt><span class="section"><a href="sag-pam_permit.html#sag-pam_permit-examples">6.24.5. EXAMPLES</a></span></dt><dt><span class="section"><a href="sag-pam_permit.html#sag-pam_permit-author">6.24.6. AUTHOR</a></span></dt></dl></dd><dt><span class="section"><a href="sag-pam_pwhistory.html">6.25. pam_pwhistory - PAM module to remember last passwords</a></span></dt><dd><dl><dt><span class="section"><a href="sag-pam_pwhistory.html#sag-pam_pwhistory-description">6.25.1. DESCRIPTION</a></span></dt><dt><span class="section"><a href="sag-pam_pwhistory.html#sag-pam_pwhistory-options">6.25.2. OPTIONS</a></span></dt><dt><span class="section"><a href="sag-pam_pwhistory.html#sag-pam_pwhistory-types">6.25.3. MODULE TYPES PROVIDED</a></span></dt><dt><span class="section"><a href="sag-pam_pwhistory.html#sag-pam_pwhistory-return_values">6.25.4. RETURN VALUES</a></span></dt><dt><span class="section"><a href="sag-pam_pwhistory.html#sag-pam_pwhistory-files">6.25.5. 
FILES</a></span></dt><dt><span class="section"><a href="sag-pam_pwhistory.html#sag-pam_pwhistory-examples">6.25.6. EXAMPLES</a></span></dt><dt><span class="section"><a href="sag-pam_pwhistory.html#sag-pam_pwhistory-author">6.25.7. AUTHOR</a></span></dt></dl></dd><dt><span class="section"><a href="sag-pam_rhosts.html">6.26. pam_rhosts - grant access using .rhosts file</a></span></dt><dd><dl><dt><span class="section"><a href="sag-pam_rhosts.html#sag-pam_rhosts-description">6.26.1. DESCRIPTION</a></span></dt><dt><span class="section"><a href="sag-pam_rhosts.html#sag-pam_rhosts-options">6.26.2. OPTIONS</a></span></dt><dt><span class="section"><a href="sag-pam_rhosts.html#sag-pam_rhosts-types">6.26.3. MODULE TYPES PROVIDED</a></span></dt><dt><span class="section"><a href="sag-pam_rhosts.html#sag-pam_rhosts-return_values">6.26.4. RETURN VALUES</a></span></dt><dt><span class="section"><a href="sag-pam_rhosts.html#sag-pam_rhosts-examples">6.26.5. EXAMPLES</a></span></dt><dt><span class="section"><a href="sag-pam_rhosts.html#sag-pam_rhosts-author">6.26.6. AUTHOR</a></span></dt></dl></dd><dt><span class="section"><a href="sag-pam_rootok.html">6.27. pam_rootok - gain only root access</a></span></dt><dd><dl><dt><span class="section"><a href="sag-pam_rootok.html#sag-pam_rootok-description">6.27.1. DESCRIPTION</a></span></dt><dt><span class="section"><a href="sag-pam_rootok.html#sag-pam_rootok-options">6.27.2. OPTIONS</a></span></dt><dt><span class="section"><a href="sag-pam_rootok.html#sag-pam_rootok-types">6.27.3. MODULE TYPES PROVIDED</a></span></dt><dt><span class="section"><a href="sag-pam_rootok.html#sag-pam_rootok-return_values">6.27.4. RETURN VALUES</a></span></dt><dt><span class="section"><a href="sag-pam_rootok.html#sag-pam_rootok-examples">6.27.5. EXAMPLES</a></span></dt><dt><span class="section"><a href="sag-pam_rootok.html#sag-pam_rootok-author">6.27.6. AUTHOR</a></span></dt></dl></dd><dt><span class="section"><a href="sag-pam_securetty.html">6.28. 
pam_securetty - limit root login to special devices</a></span></dt><dd><dl><dt><span class="section"><a href="sag-pam_securetty.html#sag-pam_securetty-description">6.28.1. DESCRIPTION</a></span></dt><dt><span class="section"><a href="sag-pam_securetty.html#sag-pam_securetty-options">6.28.2. OPTIONS</a></span></dt><dt><span class="section"><a href="sag-pam_securetty.html#sag-pam_securetty-types">6.28.3. MODULE TYPES PROVIDED</a></span></dt><dt><span class="section"><a href="sag-pam_securetty.html#sag-pam_securetty-return_values">6.28.4. RETURN VALUES</a></span></dt><dt><span class="section"><a href="sag-pam_securetty.html#sag-pam_securetty-examples">6.28.5. EXAMPLES</a></span></dt><dt><span class="section"><a href="sag-pam_securetty.html#sag-pam_securetty-author">6.28.6. AUTHOR</a></span></dt></dl></dd><dt><span class="section"><a href="sag-pam_selinux.html">6.29. pam_selinux - set the default security context</a></span></dt><dd><dl><dt><span class="section"><a href="sag-pam_selinux.html#sag-pam_selinux-description">6.29.1. DESCRIPTION</a></span></dt><dt><span class="section"><a href="sag-pam_selinux.html#sag-pam_selinux-options">6.29.2. OPTIONS</a></span></dt><dt><span class="section"><a href="sag-pam_selinux.html#sag-pam_selinux-types">6.29.3. MODULE TYPES PROVIDED</a></span></dt><dt><span class="section"><a href="sag-pam_selinux.html#sag-pam_selinux-return_values">6.29.4. RETURN VALUES</a></span></dt><dt><span class="section"><a href="sag-pam_selinux.html#sag-pam_selinux-examples">6.29.5. EXAMPLES</a></span></dt><dt><span class="section"><a href="sag-pam_selinux.html#sag-pam_selinux-author">6.29.6. AUTHOR</a></span></dt></dl></dd><dt><span class="section"><a href="sag-pam_shells.html">6.30. pam_shells - check for valid login shell</a></span></dt><dd><dl><dt><span class="section"><a href="sag-pam_shells.html#sag-pam_shells-description">6.30.1. DESCRIPTION</a></span></dt><dt><span class="section"><a href="sag-pam_shells.html#sag-pam_shells-options">6.30.2. 
OPTIONS</a></span></dt><dt><span class="section"><a href="sag-pam_shells.html#sag-pam_shells-types">6.30.3. MODULE TYPES PROVIDED</a></span></dt><dt><span class="section"><a href="sag-pam_shells.html#sag-pam_shells-return_values">6.30.4. RETURN VALUES</a></span></dt><dt><span class="section"><a href="sag-pam_shells.html#sag-pam_shells-examples">6.30.5. EXAMPLES</a></span></dt><dt><span class="section"><a href="sag-pam_shells.html#sag-pam_shells-author">6.30.6. AUTHOR</a></span></dt></dl></dd><dt><span class="section"><a href="sag-pam_succeed_if.html">6.31. pam_succeed_if - test account characteristics</a></span></dt><dd><dl><dt><span class="section"><a href="sag-pam_succeed_if.html#sag-pam_succeed_if-description">6.31.1. DESCRIPTION</a></span></dt><dt><span class="section"><a href="sag-pam_succeed_if.html#sag-pam_succeed_if-options">6.31.2. OPTIONS</a></span></dt><dt><span class="section"><a href="sag-pam_succeed_if.html#sag-pam_succeed_if-types">6.31.3. MODULE TYPES PROVIDED</a></span></dt><dt><span class="section"><a href="sag-pam_succeed_if.html#sag-pam_succeed_if-return_values">6.31.4. RETURN VALUES</a></span></dt><dt><span class="section"><a href="sag-pam_succeed_if.html#sag-pam_succeed_if-examples">6.31.5. EXAMPLES</a></span></dt><dt><span class="section"><a href="sag-pam_succeed_if.html#sag-pam_succeed_if-author">6.31.6. AUTHOR</a></span></dt></dl></dd><dt><span class="section"><a href="sag-pam_tally.html">6.32. pam_tally - login counter (tallying) module</a></span></dt><dd><dl><dt><span class="section"><a href="sag-pam_tally.html#sag-pam_tally-description">6.32.1. DESCRIPTION</a></span></dt><dt><span class="section"><a href="sag-pam_tally.html#sag-pam_tally-options">6.32.2. OPTIONS</a></span></dt><dt><span class="section"><a href="sag-pam_tally.html#sag-pam_tally-types">6.32.3. MODULE TYPES PROVIDED</a></span></dt><dt><span class="section"><a href="sag-pam_tally.html#sag-pam_tally-return_values">6.32.4. 
RETURN VALUES</a></span></dt><dt><span class="section"><a href="sag-pam_tally.html#sag-pam_tally-examples">6.32.5. EXAMPLES</a></span></dt><dt><span class="section"><a href="sag-pam_tally.html#sag-pam_tally-author">6.32.6. AUTHOR</a></span></dt></dl></dd><dt><span class="section"><a href="sag-pam_tally2.html">6.33. pam_tally2 - login counter (tallying) module</a></span></dt><dd><dl><dt><span class="section"><a href="sag-pam_tally2.html#sag-pam_tally2-description">6.33.1. DESCRIPTION</a></span></dt><dt><span class="section"><a href="sag-pam_tally2.html#sag-pam_tally2-options">6.33.2. OPTIONS</a></span></dt><dt><span class="section"><a href="sag-pam_tally2.html#sag-pam_tally2-types">6.33.3. MODULE TYPES PROVIDED</a></span></dt><dt><span class="section"><a href="sag-pam_tally2.html#sag-pam_tally2-return_values">6.33.4. RETURN VALUES</a></span></dt><dt><span class="section"><a href="sag-pam_tally2.html#sag-pam_tally2-notes">6.33.5. NOTES</a></span></dt><dt><span class="section"><a href="sag-pam_tally2.html#sag-pam_tally2-examples">6.33.6. EXAMPLES</a></span></dt><dt><span class="section"><a href="sag-pam_tally2.html#sag-pam_tally2-files">6.33.7. FILES</a></span></dt><dt><span class="section"><a href="sag-pam_tally2.html#sag-pam_tally2-author">6.33.8. AUTHOR</a></span></dt></dl></dd><dt><span class="section"><a href="sag-pam_time.html">6.34. pam_time - time controlled access</a></span></dt><dd><dl><dt><span class="section"><a href="sag-pam_time.html#sag-pam_time-description">6.34.1. DESCRIPTION</a></span></dt><dt><span class="section"><a href="sag-pam_time.html#sag-time.conf-description">6.34.2. DESCRIPTION</a></span></dt><dt><span class="section"><a href="sag-pam_time.html#sag-pam_time-options">6.34.3. OPTIONS</a></span></dt><dt><span class="section"><a href="sag-pam_time.html#sag-pam_time-types">6.34.4. MODULE TYPES PROVIDED</a></span></dt><dt><span class="section"><a href="sag-pam_time.html#sag-pam_time-return_values">6.34.5. 
RETURN VALUES</a></span></dt><dt><span class="section"><a href="sag-pam_time.html#sag-pam_time-files">6.34.6. FILES</a></span></dt><dt><span class="section"><a href="sag-pam_time.html#sag-time.conf-examples">6.34.7. EXAMPLES</a></span></dt><dt><span class="section"><a href="sag-pam_time.html#sag-pam_time-authors">6.34.8. AUTHOR</a></span></dt></dl></dd><dt><span class="section"><a href="sag-pam_timestamp.html">6.35. pam_timestamp - authenticate using cached successful authentication attempts</a></span></dt><dd><dl><dt><span class="section"><a href="sag-pam_timestamp.html#sag-pam_timestamp-description">6.35.1. DESCRIPTION</a></span></dt><dt><span class="section"><a href="sag-pam_timestamp.html#sag-pam_timestamp-options">6.35.2. OPTIONS</a></span></dt><dt><span class="section"><a href="sag-pam_timestamp.html#sag-pam_timestamp-types">6.35.3. MODULE TYPES PROVIDED</a></span></dt><dt><span class="section"><a href="sag-pam_timestamp.html#sag-pam_timestamp-return_values">6.35.4. RETURN VALUES</a></span></dt><dt><span class="section"><a href="sag-pam_timestamp.html#sag-pam_timestamp-notes">6.35.5. NOTES</a></span></dt><dt><span class="section"><a href="sag-pam_timestamp.html#sag-pam_timestamp-examples">6.35.6. EXAMPLES</a></span></dt><dt><span class="section"><a href="sag-pam_timestamp.html#sag-pam_timestamp-files">6.35.7. FILES</a></span></dt><dt><span class="section"><a href="sag-pam_timestamp.html#sag-pam_timestamp-author">6.35.8. AUTHOR</a></span></dt></dl></dd><dt><span class="section"><a href="sag-pam_umask.html">6.36. pam_umask - set the file mode creation mask</a></span></dt><dd><dl><dt><span class="section"><a href="sag-pam_umask.html#sag-pam_umask-description">6.36.1. DESCRIPTION</a></span></dt><dt><span class="section"><a href="sag-pam_umask.html#sag-pam_umask-options">6.36.2. OPTIONS</a></span></dt><dt><span class="section"><a href="sag-pam_umask.html#sag-pam_umask-types">6.36.3. 
MODULE TYPES PROVIDED</a></span></dt><dt><span class="section"><a href="sag-pam_umask.html#sag-pam_umask-return_values">6.36.4. RETURN VALUES</a></span></dt><dt><span class="section"><a href="sag-pam_umask.html#sag-pam_umask-examples">6.36.5. EXAMPLES</a></span></dt><dt><span class="section"><a href="sag-pam_umask.html#sag-pam_umask-author">6.36.6. AUTHOR</a></span></dt></dl></dd><dt><span class="section"><a href="sag-pam_unix.html">6.37. pam_unix - traditional password authentication</a></span></dt><dd><dl><dt><span class="section"><a href="sag-pam_unix.html#sag-pam_unix-description">6.37.1. DESCRIPTION</a></span></dt><dt><span class="section"><a href="sag-pam_unix.html#sag-pam_unix-options">6.37.2. OPTIONS</a></span></dt><dt><span class="section"><a href="sag-pam_unix.html#sag-pam_unix-types">6.37.3. MODULE TYPES PROVIDED</a></span></dt><dt><span class="section"><a href="sag-pam_unix.html#sag-pam_unix-return_values">6.37.4. RETURN VALUES</a></span></dt><dt><span class="section"><a href="sag-pam_unix.html#sag-pam_unix-examples">6.37.5. EXAMPLES</a></span></dt><dt><span class="section"><a href="sag-pam_unix.html#sag-pam_unix-author">6.37.6. AUTHOR</a></span></dt></dl></dd><dt><span class="section"><a href="sag-pam_userdb.html">6.38. pam_userdb - authenticate against a db database</a></span></dt><dd><dl><dt><span class="section"><a href="sag-pam_userdb.html#sag-pam_userdb-description">6.38.1. DESCRIPTION</a></span></dt><dt><span class="section"><a href="sag-pam_userdb.html#sag-pam_userdb-options">6.38.2. OPTIONS</a></span></dt><dt><span class="section"><a href="sag-pam_userdb.html#sag-pam_userdb-types">6.38.3. MODULE TYPES PROVIDED</a></span></dt><dt><span class="section"><a href="sag-pam_userdb.html#sag-pam_userdb-return_values">6.38.4. RETURN VALUES</a></span></dt><dt><span class="section"><a href="sag-pam_userdb.html#sag-pam_userdb-examples">6.38.5. EXAMPLES</a></span></dt><dt><span class="section"><a href="sag-pam_userdb.html#sag-pam_userdb-author">6.38.6. 
AUTHOR</a></span></dt></dl></dd><dt><span class="section"><a href="sag-pam_warn.html">6.39. pam_warn - logs all PAM items</a></span></dt><dd><dl><dt><span class="section"><a href="sag-pam_warn.html#sag-pam_warn-description">6.39.1. DESCRIPTION</a></span></dt><dt><span class="section"><a href="sag-pam_warn.html#sag-pam_warn-options">6.39.2. OPTIONS</a></span></dt><dt><span class="section"><a href="sag-pam_warn.html#sag-pam_warn-types">6.39.3. MODULE TYPES PROVIDED</a></span></dt><dt><span class="section"><a href="sag-pam_warn.html#sag-pam_warn-return_values">6.39.4. RETURN VALUES</a></span></dt><dt><span class="section"><a href="sag-pam_warn.html#sag-pam_warn-examples">6.39.5. EXAMPLES</a></span></dt><dt><span class="section"><a href="sag-pam_warn.html#sag-pam_warn-author">6.39.6. AUTHOR</a></span></dt></dl></dd><dt><span class="section"><a href="sag-pam_wheel.html">6.40. pam_wheel - only permit root access to members of group wheel</a></span></dt><dd><dl><dt><span class="section"><a href="sag-pam_wheel.html#sag-pam_wheel-description">6.40.1. DESCRIPTION</a></span></dt><dt><span class="section"><a href="sag-pam_wheel.html#sag-pam_wheel-options">6.40.2. OPTIONS</a></span></dt><dt><span class="section"><a href="sag-pam_wheel.html#sag-pam_wheel-types">6.40.3. MODULE TYPES PROVIDED</a></span></dt><dt><span class="section"><a href="sag-pam_wheel.html#sag-pam_wheel-return_values">6.40.4. RETURN VALUES</a></span></dt><dt><span class="section"><a href="sag-pam_wheel.html#sag-pam_wheel-examples">6.40.5. EXAMPLES</a></span></dt><dt><span class="section"><a href="sag-pam_wheel.html#sag-pam_wheel-author">6.40.6. AUTHOR</a></span></dt></dl></dd><dt><span class="section"><a href="sag-pam_xauth.html">6.41. pam_xauth - forward xauth keys between users</a></span></dt><dd><dl><dt><span class="section"><a href="sag-pam_xauth.html#sag-pam_xauth-description">6.41.1. DESCRIPTION</a></span></dt><dt><span class="section"><a href="sag-pam_xauth.html#sag-pam_xauth-options">6.41.2. 
OPTIONS</a></span></dt><dt><span class="section"><a href="sag-pam_xauth.html#sag-pam_xauth-types">6.41.3. MODULE TYPES PROVIDED</a></span></dt><dt><span class="section"><a href="sag-pam_xauth.html#sag-pam_xauth-return_values">6.41.4. RETURN VALUES</a></span></dt><dt><span class="section"><a href="sag-pam_xauth.html#sag-pam_xauth-examples">6.41.5. EXAMPLES</a></span></dt><dt><span class="section"><a href="sag-pam_xauth.html#sag-pam_xauth-author">6.41.6. AUTHOR</a></span></dt></dl></dd></dl></div><p>
      Here, we collect together the descriptions of the various modules
      coming with Linux-PAM.
    </p></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="sag-security-issues-other.html">Prev</a> </td><td width="20%" align="center"> </td><td width="40%" align="right"> <a accesskey="n" href="sag-pam_access.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">5.2. Avoid having a weak `other' configuration </td><td width="20%" align="center"><a accesskey="h" href="Linux-PAM_SAG.html">Home</a></td><td width="40%" align="right" valign="top"> 6.1. pam_access - logdaemon style login access control</td></tr></table></div></body></html>
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>Chapter 3. Overview</title><meta name="generator" content="DocBook XSL Stylesheets Vsnapshot"><link rel="home" href="Linux-PAM_SAG.html" title="The Linux-PAM System Administrators' Guide"><link rel="up" href="Linux-PAM_SAG.html" title="The Linux-PAM System Administrators' Guide"><link rel="prev" href="sag-text-conventions.html" title="Chapter 2. Some comments on the text"><link rel="next" href="sag-configuration.html" title="Chapter 4. The Linux-PAM configuration file"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 3. Overview</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="sag-text-conventions.html">Prev</a> </td><th width="60%" align="center"> </th><td width="20%" align="right"> <a accesskey="n" href="sag-configuration.html">Next</a></td></tr></table><hr></div><div class="chapter"><div class="titlepage"><div><div><h1 class="title"><a name="sag-overview"></a>Chapter 3. Overview</h1></div></div></div><p>
      For the uninitiated, we begin by considering an example.  We take an
      application that grants some service to users;
      <span class="command"><strong>login</strong></span> is one such program.
      <span class="command"><strong>Login</strong></span> does two things: it first establishes that
      the requesting user is who they claim to be, and it then provides
      them with the requested service. In the case of
      <span class="command"><strong>login</strong></span> the service is a command shell
      (bash, tcsh, zsh, etc.) running with the identity of the user.
    </p><p>
      Traditionally, the former step is achieved by the
      <span class="command"><strong>login</strong></span> application prompting the user for a
      password and then verifying that it agrees with that located on
      the system; hence verifying that as far as the system is concerned
      the user is who they claim to be. This is the task that is delegated
      to <span class="emphasis"><em>Linux-PAM</em></span>.
    </p><p>
      From the perspective of the application programmer (in this case
      the person that wrote the <span class="command"><strong>login</strong></span> application),
      <span class="emphasis"><em>Linux-PAM</em></span> takes care of this
      authentication task -- verifying the identity of the user.
    </p><p>
      The flexibility of <span class="emphasis"><em>Linux-PAM</em></span> is
      that <span class="emphasis"><em>you</em></span>, the system administrator, have
      the freedom to stipulate which authentication scheme is to be
      used. You have the freedom to set the scheme for any/all
      PAM-aware applications on your Linux system. That is, you can
      authenticate from anything as naive as
      <span class="emphasis"><em>simple trust</em></span> (<span class="command"><strong>pam_permit</strong></span>)
      to something as paranoid as a combination of a retinal scan, a
      voice print and a one-time password!
    </p><p>
      To illustrate the flexibility you face, consider the following
      situation: a system administrator (parent) wishes to improve the
      mathematical ability of her users (children). She can configure
      their favorite ``Shoot 'em up game'' (PAM-aware of course) to
      authenticate them with a request for the product of a couple of
      random numbers less than 12. It is clear that if the game is any
      good they will soon learn their
      <span class="emphasis"><em>multiplication tables</em></span>. As they mature, the
      authentication can be upgraded to include (long) division!
    </p><p>
      <span class="emphasis"><em>Linux-PAM</em></span> deals with four
      separate types of (management) task. These are:
      <span class="emphasis"><em>authentication management</em></span>;
      <span class="emphasis"><em>account management</em></span>;
      <span class="emphasis"><em>session management</em></span>; and
      <span class="emphasis"><em>password management</em></span>.
      The association of the preferred management scheme with the behavior
      of an application is made with entries in the relevant
      <span class="emphasis"><em>Linux-PAM</em></span> configuration file.
      The management functions are performed by <span class="emphasis"><em>modules</em></span>
      specified in the configuration file. The syntax for this
      file is discussed in the section
      <a class="link" href="sag-configuration.html" title="Chapter 4. The Linux-PAM configuration file">below</a>.
    </p><p>
      Here is a figure that describes the overall organization of
      <span class="emphasis"><em>Linux-PAM</em></span>:
      </p><pre class="programlisting">
  +----------------+
  | application: X |
  +----------------+       /  +----------+     +================+
  | authentication-[----&gt;--\--] Linux-   |--&lt;--| PAM config file|
  |       +        [----&lt;--/--]   PAM    |     |================|
  |[conversation()][--+    \  |          |     | X auth .. a.so |
  +----------------+  |    /  +-n--n-----+     | X auth .. b.so |
  |                |  |       __|  |           |           _____/
  |  service user  |  A      |     |           |____,-----'
  |                |  |      V     A
  +----------------+  +------|-----|---------+ -----+------+
                         +---u-----u----+    |      |      |
                         |   auth....   |--[ a ]--[ b ]--[ c ]
                         +--------------+
                         |   acct....   |--[ b ]--[ d ]
                         +--------------+
                         |   password   |--[ b ]--[ c ]
                         +--------------+
                         |   session    |--[ e ]--[ c ]
                         +--------------+
      </pre><p>
      By way of explanation, the left of the figure represents the
      application; application X.  Such an application interfaces with the
      <span class="emphasis"><em>Linux-PAM</em></span> library and knows none of
      the specifics of its configured authentication method. The
      <span class="emphasis"><em>Linux-PAM</em></span> library (in the center)
      consults the contents of the PAM configuration file and loads the
      modules that are appropriate for application-X. These modules fall
      into one of four management groups (lower-center) and are stacked in
      the order they appear in the configuration file. These modules, when
      called by <span class="emphasis"><em>Linux-PAM</em></span>, perform the
      various authentication tasks for the application. Textual information,
      required from/or offered to the user, can be exchanged through the
      use of the application-supplied <span class="emphasis"><em>conversation</em></span>
      function.
    </p><p>
      If a program is going to use PAM, then it has to have PAM
      functions explicitly coded into the program. If you have
      access to the source code you can add the appropriate PAM
      functions. If you do not have access to the source code, and
      the binary does not have the PAM functions included, then
      it is not possible to use PAM.
    </p></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="sag-text-conventions.html">Prev</a> </td><td width="20%" align="center"> </td><td width="40%" align="right"> <a accesskey="n" href="sag-configuration.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 2. Some comments on the text </td><td width="20%" align="center"><a accesskey="h" href="Linux-PAM_SAG.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 4. The Linux-PAM configuration file</td></tr></table></div></body></html>
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>6.1. pam_access - logdaemon style login access control</title><meta name="generator" content="DocBook XSL Stylesheets Vsnapshot"><link rel="home" href="Linux-PAM_SAG.html" title="The Linux-PAM System Administrators' Guide"><link rel="up" href="sag-module-reference.html" title="Chapter 6. A reference guide for available modules"><link rel="prev" href="sag-module-reference.html" title="Chapter 6. A reference guide for available modules"><link rel="next" href="sag-pam_cracklib.html" title="6.2. pam_cracklib - checks the password against dictionary words"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">6.1. pam_access - logdaemon style login access control</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="sag-module-reference.html">Prev</a> </td><th width="60%" align="center">Chapter 6. A reference guide for available modules</th><td width="20%" align="right"> <a accesskey="n" href="sag-pam_cracklib.html">Next</a></td></tr></table><hr></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="sag-pam_access"></a>6.1. pam_access - logdaemon style login access control</h2></div></div></div><div class="cmdsynopsis"><p><code class="command">pam_access.so</code>  [
        debug
      ] [
        noaudit
      ] [
        nodefgroup
      ] [
        nodns
      ] [
        accessfile=<em class="replaceable"><code>file</code></em>
      ] [
        fieldsep=<em class="replaceable"><code>sep</code></em>
      ] [
        listsep=<em class="replaceable"><code>sep</code></em>
      ]</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_access-description"></a>6.1.1. DESCRIPTION</h3></div></div></div><p>
      The pam_access PAM module is mainly for access management.
      It provides logdaemon style login access control based on login
      names, host or domain names, internet addresses or network numbers,
      or on terminal line names, X <code class="varname">$DISPLAY</code> values,
      or PAM service names in case of non-networked logins.
    </p><p>
      By default, rules for access management are taken from the config file
      <code class="filename">/etc/security/access.conf</code> if you don't specify
      another file.
      Then individual <code class="filename">*.conf</code> files from the
      <code class="filename">/etc/security/access.d/</code> directory are read.
      The files are parsed one after another in name order, as defined by the collation of the system locale.
      The effect of the individual files is the same as if all the files were
      concatenated together in the order of parsing. This means that once
      a pattern is matched in some file no further files are parsed.
      If a config file is explicitly specified with the <code class="option">accessfile</code>
      option the files in the above directory are not parsed.
    </p><p>
      If Linux PAM is compiled with audit support the module will report
      when it denies access based on origin (host, tty, etc.).
    </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-access.conf-description"></a>6.1.2. DESCRIPTION</h3></div></div></div><p>
      The <code class="filename">/etc/security/access.conf</code> file specifies
      (<em class="replaceable"><code>user/group</code></em>, <em class="replaceable"><code>host</code></em>),
      (<em class="replaceable"><code>user/group</code></em>, <em class="replaceable"><code>network/netmask</code></em>),
      (<em class="replaceable"><code>user/group</code></em>, <em class="replaceable"><code>tty</code></em>),
      (<em class="replaceable"><code>user/group</code></em>,
      <em class="replaceable"><code>X-$DISPLAY-value</code></em>), or
      (<em class="replaceable"><code>user/group</code></em>,
      <em class="replaceable"><code>pam-service-name</code></em>)
      combinations for which a login will be either accepted or refused.
    </p><p>
      When someone logs in, the file <code class="filename">access.conf</code> is
      scanned for the first entry that matches the
      (<em class="replaceable"><code>user/group</code></em>, <em class="replaceable"><code>host</code></em>) or
      (<em class="replaceable"><code>user/group</code></em>, <em class="replaceable"><code>network/netmask</code></em>)
      combination, or, in case of non-networked logins, the first entry
      that matches the
      (<em class="replaceable"><code>user/group</code></em>, <em class="replaceable"><code>tty</code></em>)
      combination, or in the case of non-networked logins without a
      tty, the first entry that matches the
      (<em class="replaceable"><code>user/group</code></em>,
      <em class="replaceable"><code>X-$DISPLAY-value</code></em>) or
      (<em class="replaceable"><code>user/group</code></em>,
      <em class="replaceable"><code>pam-service-name</code></em>)
      combination.  The permissions field of that table entry
      determines
      whether the login will be accepted or refused.
   </p><p>
      Each line of the login access control table has three fields separated
      by a ":" character (colon):
    </p><p>
      <em class="replaceable"><code>permission</code></em>:<em class="replaceable"><code>users/groups</code></em>:<em class="replaceable"><code>origins</code></em>
    </p><p>
      The first field, the <em class="replaceable"><code>permission</code></em> field, can be either a
      "<span class="emphasis"><em>+</em></span>" character (plus) for access granted or a
      "<span class="emphasis"><em>-</em></span>" character (minus) for access denied.
    </p><p>
      The second field, the
      <em class="replaceable"><code>users</code></em>/<em class="replaceable"><code>group</code></em>
      field, should be a list of one or more login names, group names, or
      <span class="emphasis"><em>ALL</em></span> (which always matches). To differentiate
      user entries from group entries, group entries should be written
      with brackets, e.g. <span class="emphasis"><em>(group)</em></span>.
    </p><p>
      The third field, the <em class="replaceable"><code>origins</code></em>
      field, should be a list of one or more tty names (for non-networked
      logins), X <code class="varname">$DISPLAY</code> values or PAM service
      names (for non-networked logins without a tty), host names,
      domain names (begin with "."), host addresses,
      internet network numbers (end with "."), internet network addresses
      with network mask (where network mask can be a decimal number or an
      internet address also), <span class="emphasis"><em>ALL</em></span> (which always matches)
      or <span class="emphasis"><em>LOCAL</em></span>. The <span class="emphasis"><em>LOCAL</em></span>
      keyword matches when the user connects without a network
      connection (e.g., <span class="emphasis"><em>su</em></span>,
      <span class="emphasis"><em>login</em></span>). A connection through the loopback
      device (e.g., <span class="command"><strong>ssh user@localhost</strong></span>) is
      considered a network connection, and thus, the
      <span class="emphasis"><em>LOCAL</em></span> keyword does not match.
    </p><p>
      If supported by the system you can use
      <span class="emphasis"><em>@netgroupname</em></span> in host or user patterns. The
      <span class="emphasis"><em>@@netgroupname</em></span> syntax is supported in the user
      pattern only; it causes the local system hostname to be passed
      to the netgroup match call in addition to the user name. This might not
      work correctly on some libc implementations, causing the match to
      always fail.
    </p><p>
      The <em class="replaceable"><code>EXCEPT</code></em> operator makes it possible to
      write very compact rules.
    </p><p>
       If the <code class="option">nodefgroup</code> option is not set, the group file
       is searched when a name does not match that of the logged-in
       user. Only groups in which users are explicitly listed are matched;
       the PAM module does not look at the primary group id of a user.
    </p><p>
      The "<span class="emphasis"><em>#</em></span>" character at start of line (no space
      at front) can be used to mark this line as a comment line.
    </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_access-options"></a>6.1.3. OPTIONS</h3></div></div></div><div class="variablelist"><dl class="variablelist"><dt><span class="term">
          <code class="option">accessfile=<em class="replaceable"><code>/path/to/access.conf</code></em></code>
        </span></dt><dd><p>
            Indicate an alternative <code class="filename">access.conf</code>
            style configuration file to override the default. This can
            be useful when different services need different access lists.
          </p></dd><dt><span class="term">
          <code class="option">debug</code>
        </span></dt><dd><p>
            A lot of debug information is printed with
            <span class="citerefentry"><span class="refentrytitle">syslog</span>(3)</span>.
          </p></dd><dt><span class="term">
          <code class="option">noaudit</code>
        </span></dt><dd><p>
            Do not report logins from disallowed hosts and ttys to the audit subsystem.
          </p></dd><dt><span class="term">
          <code class="option">nodefgroup</code>
        </span></dt><dd><p>
            User tokens which are not enclosed in parentheses will not be
            matched against the group database. The backwards compatible default is
            to try the group database match even for tokens not enclosed
            in parentheses.
          </p></dd><dt><span class="term">
          <code class="option">nodns</code>
        </span></dt><dd><p>
            Do not try to resolve tokens as hostnames; only IPv4 and IPv6
            addresses will be resolved. This means that to allow login from a
            remote host, its IP addresses need to be specified in <code class="filename">access.conf</code>.
          </p></dd><dt><span class="term">
          <code class="option">quiet_log</code>
        </span></dt><dd><p>
            Do not log denials with
            <span class="citerefentry"><span class="refentrytitle">syslog</span>(3)</span>.
          </p></dd><dt><span class="term">
          <code class="option">fieldsep=<em class="replaceable"><code>separators</code></em></code>
        </span></dt><dd><p>
            This option modifies the field separator character that
            pam_access will recognize when parsing the access
            configuration file. For example:
            <span class="emphasis"><em>fieldsep=|</em></span> will cause the
            default `:' character to be treated as part of a field value
            and `|' becomes the field separator. Doing this may be
            useful in conjunction with a system that wants to use
            pam_access with X based applications, since the
            <span class="emphasis"><em>PAM_TTY</em></span> item is likely to be
            of the form "hostname:0" which includes a `:' character in
            its value. But you should not need this.
          </p></dd><dt><span class="term">
          <code class="option">listsep=<em class="replaceable"><code>separators</code></em></code>
        </span></dt><dd><p>
            This option modifies the list separator character that
            pam_access will recognize when parsing the access
            configuration file. For example:
            <span class="emphasis"><em>listsep=,</em></span> will cause the
            default ` ' (space) and `\t' (tab) characters to be treated
            as part of a list element value and `,' becomes the only
            list element separator. Doing this may be useful on a system
            with group information obtained from a Windows domain,
            where the default built-in groups "Domain Users",
            "Domain Admins" contain a space.
          </p></dd></dl></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_access-types"></a>6.1.4. MODULE TYPES PROVIDED</h3></div></div></div><p>
      All module types (<code class="option">auth</code>, <code class="option">account</code>,
      <code class="option">password</code> and <code class="option">session</code>) are provided.
    </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_access-return_values"></a>6.1.5. RETURN VALUES</h3></div></div></div><div class="variablelist"><dl class="variablelist"><dt><span class="term">PAM_SUCCESS</span></dt><dd><p>
             Access was granted.
          </p></dd><dt><span class="term">PAM_PERM_DENIED</span></dt><dd><p>
             Access was not granted.
          </p></dd><dt><span class="term">PAM_IGNORE</span></dt><dd><p>
             <code class="function">pam_setcred</code> was called which does nothing.
          </p></dd><dt><span class="term">PAM_ABORT</span></dt><dd><p>
             Not all relevant data or options could be gotten.
          </p></dd><dt><span class="term">PAM_USER_UNKNOWN</span></dt><dd><p>
             The user is not known to the system.
          </p></dd></dl></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_access-files"></a>6.1.6. FILES</h3></div></div></div><div class="variablelist"><dl class="variablelist"><dt><span class="term"><code class="filename">/etc/security/access.conf</code></span></dt><dd><p>Default configuration file</p></dd></dl></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-access.conf-examples"></a>6.1.7. EXAMPLES</h3></div></div></div><p>
      These are some example lines which might be specified in
      <code class="filename">/etc/security/access.conf</code>.
    </p><p>
      User <span class="emphasis"><em>root</em></span> should be allowed to get access via
      <span class="emphasis"><em>cron</em></span>, X11 terminal <span class="emphasis"><em>:0</em></span>,
      <span class="emphasis"><em>tty1</em></span>, ..., <span class="emphasis"><em>tty5</em></span>,
      <span class="emphasis"><em>tty6</em></span>.
    </p><p>+:root:crond :0 tty1 tty2 tty3 tty4 tty5 tty6</p><p>
      User <span class="emphasis"><em>root</em></span> should be allowed to get access from
      the hosts which own the listed IPv4 addresses. This does not mean that the
      connection has to be an IPv4 one; an IPv6 connection from a host with
      one of these IPv4 addresses works, too.
    </p><p>+:root:192.168.200.1 192.168.200.4 192.168.200.9</p><p>+:root:127.0.0.1</p><p>
      User <span class="emphasis"><em>root</em></span> should get access from network
      <code class="literal">192.168.201.</code>, where the term will be evaluated by
      string matching. It might be better to use network/netmask instead:
      <code class="literal">192.168.201.</code> has the same meaning as
      <span class="emphasis"><em>192.168.201.0/24</em></span> or
      <span class="emphasis"><em>192.168.201.0/255.255.255.0</em></span>.
    </p><p>+:root:192.168.201.</p><p>
      User <span class="emphasis"><em>root</em></span> should be able to have access from hosts
      <span class="emphasis"><em>foo1.bar.org</em></span> and <span class="emphasis"><em>foo2.bar.org</em></span>
      (uses string matching also).
    </p><p>+:root:foo1.bar.org foo2.bar.org</p><p>
      User <span class="emphasis"><em>root</em></span> should be able to have access from
      domain <span class="emphasis"><em>foo.bar.org</em></span> (uses string matching also).
    </p><p>+:root:.foo.bar.org</p><p>
      User <span class="emphasis"><em>root</em></span> should be denied access
      from all other sources.
    </p><p>-:root:ALL</p><p>
      User <span class="emphasis"><em>foo</em></span> and members of netgroup
      <span class="emphasis"><em>admins</em></span> should be allowed to get access
      from all sources. This will only work if the netgroup service is available.
    </p><p>+:@admins foo:ALL</p><p>
      Users <span class="emphasis"><em>john</em></span> and <span class="emphasis"><em>foo</em></span>
      should get access from the given IPv6 host address.
    </p><p>+:john foo:2001:db8:0:101::1</p><p>
      User <span class="emphasis"><em>john</em></span> should get access from the given IPv6 net/mask.
    </p><p>+:john:2001:db8:0:101::/64</p><p>
      Disallow console logins to all accounts except shutdown, sync and
      members of the wheel group.
    </p><p>-:ALL EXCEPT (wheel) shutdown sync:LOCAL</p><p>
      All other users should be denied access from all sources.
    </p><p>-:ALL:ALL</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_access-authors"></a>6.1.8. AUTHORS</h3></div></div></div><p>
      The logdaemon style login access control scheme was designed and implemented by
      Wietse Venema.
      The pam_access PAM module was developed by
      Alexei Nogin &lt;alexei@nogin.dnttm.ru&gt;.
      The IPv6 support and the network(address) / netmask feature
      were developed and provided by Mike Becher &lt;mike.becher@lrz-muenchen.de&gt;.
    </p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="sag-module-reference.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="sag-module-reference.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="sag-pam_cracklib.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 6. A reference guide for available modules </td><td width="20%" align="center"><a accesskey="h" href="Linux-PAM_SAG.html">Home</a></td><td width="40%" align="right" valign="top"> 6.2. pam_cracklib - checks the password against dictionary words</td></tr></table></div></body></html>
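An evaluator for the access.conf rule syntax and first-match semantics described in the pam_access section above, added here as an example; it is not code from the Linux-PAM project. It takes the origin as the string pam_access would see (tty, PAM service name, $DISPLAY value, host name or address), treats netgroup tokens (@name) as never matching and does no DNS resolution, and EXAMPLE_ACCESS_CONF is a constructed sample built from the page's example lines.

```python
import ipaddress
import re
from dataclasses import dataclass

@dataclass
class Rule:
    permit: bool   # True for "+", False for "-"
    users: list    # tokens of the users/groups field
    origins: list  # tokens of the origins field

def _tokens(field, listsep):
    # Split on any listsep character (default: space or tab), dropping empties.
    return [t for t in re.split("[" + re.escape(listsep) + "]+", field.strip()) if t]

def parse_access_conf(text, fieldsep=":", listsep=" \t"):
    rules = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):  # "#" in column one: comment
            continue
        # Only the first two separators split fields; the origins field keeps
        # any further separators, which is how IPv6 addresses survive ":".
        parts = line.split(fieldsep, 2)
        if len(parts) != 3 or parts[0].strip() not in ("+", "-"):
            raise ValueError("malformed access.conf line: %r" % line)
        rules.append(Rule(parts[0].strip() == "+",
                          _tokens(parts[1], listsep), _tokens(parts[2], listsep)))
    return rules

def _as_ip(s):
    try:
        return ipaddress.ip_address(s)
    except ValueError:
        return None

def _user_matches(tok, user, groups, nodefgroup):
    if tok.upper() == "ALL":
        return True
    if tok.startswith("(") and tok.endswith(")"):   # explicit group entry
        return tok[1:-1] in groups
    if tok.startswith("@"):                          # netgroup: not implemented here
        return False
    if tok == user:
        return True
    # Backwards-compatible default: a bare token is also tried as a group name.
    return not nodefgroup and tok in groups

def _origin_matches(tok, origin):
    addr = _as_ip(origin)
    if tok.upper() == "ALL":
        return True
    if tok.upper() == "LOCAL":
        # ttys, service names and $DISPLAY values have no dot and are not IP
        # addresses; host names and addresses (loopback included) are networked.
        return addr is None and "." not in origin
    if tok.startswith("@"):                          # netgroup: not implemented here
        return False
    if tok.startswith("."):                          # domain suffix, ".foo.bar.org"
        return origin.lower().endswith(tok.lower())
    if tok.endswith("."):                            # network number prefix, "192.168.201."
        return origin.startswith(tok)
    if "/" in tok:                                   # network/netmask, decimal or dotted mask
        return addr is not None and addr in ipaddress.ip_network(tok, strict=False)
    tok_addr = _as_ip(tok)
    if tok_addr is not None:                         # literal address, compared as an address
        return addr == tok_addr
    return tok.lower() == origin.lower()             # tty, service, $DISPLAY or host name

def _list_matches(tokens, match):
    # pam_access semantics: a token before EXCEPT must match and then no token
    # after EXCEPT may match.
    upper = [t.upper() for t in tokens]
    cut = upper.index("EXCEPT") if "EXCEPT" in upper else len(tokens)
    head, tail = tokens[:cut], tokens[cut + 1:]
    if not any(match(t) for t in head):
        return False
    return not tail or not _list_matches(tail, match)

def check_access(rules, user, origin, groups=(), nodefgroup=False):
    # True when access is granted. The first matching rule decides; with no
    # match pam_access grants access, which is why the examples end in -:ALL:ALL.
    groups = set(groups)
    for rule in rules:
        if (_list_matches(rule.users, lambda t: _user_matches(t, user, groups, nodefgroup))
                and _list_matches(rule.origins, lambda t: _origin_matches(t, origin))):
            return rule.permit
    return True

# Constructed sample built from the page's example lines (netgroup line left out).
EXAMPLE_ACCESS_CONF = """\
+:root:crond :0 tty1 tty2 tty3 tty4 tty5 tty6
+:root:192.168.200.1 192.168.200.4 192.168.200.9
+:root:192.168.201.
+:root:foo1.bar.org foo2.bar.org
+:root:.foo.bar.org
-:root:ALL
+:john foo:2001:db8:0:101::1
+:john:2001:db8:0:101::/64
-:ALL EXCEPT (wheel) shutdown sync:LOCAL
-:ALL:ALL
"""
EXAMPLE_RULES = parse_access_conf(EXAMPLE_ACCESS_CONF)
```

Dropping the final `-:ALL:ALL` line (`EXAMPLE_RULES[:-1]`) shows the default-allow behaviour: wheel members and the shutdown account then get console access because no rule matches them.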
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>6.2. pam_cracklib - checks the password against dictionary words</title><meta name="generator" content="DocBook XSL Stylesheets Vsnapshot"><link rel="home" href="Linux-PAM_SAG.html" title="The Linux-PAM System Administrators' Guide"><link rel="up" href="sag-module-reference.html" title="Chapter 6. A reference guide for available modules"><link rel="prev" href="sag-pam_access.html" title="6.1. pam_access - logdaemon style login access control"><link rel="next" href="sag-pam_debug.html" title="6.3. pam_debug - debug the PAM stack"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">6.2. pam_cracklib - checks the password against dictionary words</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="sag-pam_access.html">Prev</a> </td><th width="60%" align="center">Chapter 6. A reference guide for available modules</th><td width="20%" align="right"> <a accesskey="n" href="sag-pam_debug.html">Next</a></td></tr></table><hr></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="sag-pam_cracklib"></a>6.2. pam_cracklib - checks the password against dictionary words</h2></div></div></div><div class="cmdsynopsis"><p><code class="command">pam_cracklib.so</code>  [
        <em class="replaceable"><code>...</code></em>
      ]</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_cracklib-description"></a>6.2.1. DESCRIPTION</h3></div></div></div><p>
      This module can be plugged into the <span class="emphasis"><em>password</em></span> stack of
      a given application to provide some plug-in strength-checking for passwords.
    </p><p>
      The action of this module is to prompt the user for a password and
      check its strength against a system dictionary and a set of rules for
      identifying poor choices.
    </p><p>
      The first action is to prompt for a single password, check its
      strength and then, if it is considered strong, prompt for the password
      a second time (to verify that it was typed correctly on the first
      occasion). All being well, the password is passed on to subsequent
      modules to be installed as the new authentication token.
    </p><p>
      The strength checks work in the following manner: first the
      <code class="function">Cracklib</code> routine is called to check whether the password
      is part of a dictionary; if this is not the case, an additional set of
      strength checks is done. These checks are:
    </p><div class="variablelist"><dl class="variablelist"><dt><span class="term">Palindrome</span></dt><dd><p>
            Is the new password a palindrome?
          </p></dd><dt><span class="term">Case Change Only</span></dt><dd><p>
            Is the new password the old one with only a change of case?
          </p></dd><dt><span class="term">Similar</span></dt><dd><p>
            Is the new password too much like the old one?
            This is primarily controlled by one argument,
            <code class="option">difok</code> which is a number of character changes
            (inserts, removals, or replacements) between the old and new
            password that are enough to accept the new password.
            This defaults to 5 changes.
          </p></dd><dt><span class="term">Simple</span></dt><dd><p>
             Is the new password too short?
             This is controlled by 6 arguments <code class="option">minlen</code>,
             <code class="option">maxclassrepeat</code>,
             <code class="option">dcredit</code>, <code class="option">ucredit</code>,
             <code class="option">lcredit</code>, and <code class="option">ocredit</code>. See the section
             on the arguments for the details of how these work and their defaults.
           </p></dd><dt><span class="term">Rotated</span></dt><dd><p>
            Is the new password a rotated version of the old password?
          </p></dd><dt><span class="term">Same consecutive characters</span></dt><dd><p>
            Optional check for same consecutive characters.
          </p></dd><dt><span class="term">Too long monotonic character sequence</span></dt><dd><p>
            Optional check for too long monotonic character sequence.
          </p></dd><dt><span class="term">Contains user name</span></dt><dd><p>
            Optional check whether the password contains the user's name
            in some form.
          </p></dd></dl></div><p>
      This module with no arguments will work well for standard unix
      password encryption.  With md5 encryption, passwords can be longer
      than 8 characters and the default settings for this module can make it
      hard for the user to choose a satisfactory new password.  Notably, the
      requirement that the new password contain no more than 1/2 of the
      characters in the old password becomes a non-trivial constraint.  For
      example, an old password of the form "the quick brown fox jumped over
      the lazy dogs" would be difficult to change...  In addition, the
      default action is to allow passwords as small as 5 characters in
      length.  For md5 systems it can be a good idea to increase the
      required minimum size of a password.  One can then allow more credit
      for different kinds of characters but accept that the new password may
      share most of these characters with the old password.
    </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_cracklib-options"></a>6.2.2. OPTIONS</h3></div></div></div><p>
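The checks listed in the DESCRIPTION above, written out as an added example rather than pam_cracklib's own code. The dictionary lookup is left to cracklib and the credit-based length check is omitted; difok follows the page (accept when at least difok inserts, removals or replacements separate old and new), while max_repeat, max_sequence and user are this example's own parameter names for the optional checks, and the four-character minimum for the user-name test is an assumption made here.

```python
def _edit_distance(a, b):
    # Levenshtein distance: inserts, removals and replacements each cost one
    # change, which is the count that difok is compared against.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def _longest_repeat(s):
    # Length of the longest run of one identical character.
    best = run = 1 if s else 0
    for i in range(1, len(s)):
        run = run + 1 if s[i] == s[i - 1] else 1
        best = max(best, run)
    return best

def _longest_monotonic(s):
    # Length of the longest run whose characters step by exactly +1 or -1 in
    # one direction, e.g. "abcdef" or "987654".
    best = run = 1 if s else 0
    direction = 0
    for i in range(1, len(s)):
        step = ord(s[i]) - ord(s[i - 1])
        if step not in (1, -1):
            run, direction = 1, 0
        elif step == direction:
            run += 1
        else:
            run, direction = 2, step
        best = max(best, run)
    return best

def check_password(new, old=None, user=None, difok=5, max_repeat=0, max_sequence=0):
    """Return a short code for the first failed check, or None when all pass.
    old is the current password when the module knows it; max_repeat and
    max_sequence of 0 leave the optional checks switched off."""
    if new == new[::-1]:
        return "palindrome"
    if old is not None:
        if old.lower() == new.lower():
            return "case_change_only"
        # Rotation: same length and new appears inside old written twice.
        if len(old) == len(new) and new in old + old:
            return "rotated"
        if _edit_distance(old, new) < difok:
            return "similar"
    if max_repeat and _longest_repeat(new) > max_repeat:
        return "consecutive_repeat"
    if max_sequence and _longest_monotonic(new) > max_sequence:
        return "monotonic_sequence"
    if user and len(user) >= 4:   # assumption: very short names are not tested
        lowered = new.lower()
        if user.lower() in lowered or user.lower()[::-1] in lowered:
            return "contains_user_name"
    return None
```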
      </p><div class="variablelist"><dl class="variablelist"><dt><span class="term">
            <code class="option">debug</code>
          </span></dt><dd><p>
              This option makes the module write information to
              <span class="citerefentry"><span class="refentrytitle">syslog</span>(3)</span>
              indicating the behavior of the module (this option does
              not write password information to the log file).
            </p></dd><dt><span class="term">
            <code class="option">authtok_type=<em class="replaceable"><code>XXX</code></em></code>
          </span></dt><dd><p>
              The default action is for the module to use the
              following prompts when requesting passwords:
              "New UNIX password: " and "Retype UNIX password: ".
              The example word <span class="emphasis"><em>UNIX</em></span> can
              be replaced with this option, by default it is empty.
            </p></dd><dt><span class="term">
            <code class="option">retry=<em class="replaceable"><code>N</code></em></code>
          </span></dt><dd><p>
              Prompt user at most <em class="replaceable"><code>N</code></em> times
              before returning with error. The default is
              <span class="emphasis"><em>1</em></span>.
            </p></dd><dt><span class="term">
            <code class="option">difok=<em class="replaceable"><code>N</code></em></code>
          </span></dt><dd><p>
               This argument changes the default of
               <span class="emphasis"><em>5</em></span> for the number of character
               changes in the new password that must differentiate it
               from the old password.
            </p></dd><dt><span class="term">
            <code class="option">minlen=<em class="replaceable"><code>N</code></em></code>
          </span></dt><dd><p>
               The minimum acceptable size for the new password (plus
               one if credits are not disabled, which is the default).
               In addition to the number of characters in the new password,
               credit (of +1 in length) is given for each different kind
               of character (<span class="emphasis"><em>other</em></span>,
               <span class="emphasis"><em>upper</em></span>, <span class="emphasis"><em>lower</em></span> and
               <span class="emphasis"><em>digit</em></span>). The default for this parameter
               is <span class="emphasis"><em>9</em></span>, which is good for an old-style UNIX
               password consisting of a single type of character but may be too low
               to exploit the added security of an md5 system.  Note that
               there is a pair of length limits in
               <span class="emphasis"><em>Cracklib</em></span> itself: a "way too short" limit
               of 4 which is hard coded in, and a defined limit (6) that will
               be checked without reference to <code class="option">minlen</code>.
               If you want to allow passwords as short as 5 characters you
               should not use this module.
            </p></dd><dt><span class="term">
            <code class="option">dcredit=<em class="replaceable"><code>N</code></em></code>
          </span></dt><dd><p>
               (N &gt;= 0) This is the maximum credit for having digits in
               the new password. If you have
               <em class="replaceable"><code>N</code></em> or fewer
               digits, each digit will count +1 towards meeting the current
               <code class="option">minlen</code> value. The default for
               <code class="option">dcredit</code> is 1, which is the recommended
               value for <code class="option">minlen</code> less than 10.
             </p><p>
               (N &lt; 0) This is the minimum number of digits that must
               be present in a new password.
            </p></dd><dt><span class="term">
            <code class="option">ucredit=<em class="replaceable"><code>N</code></em></code>
          </span></dt><dd><p>
               (N &gt;= 0) This is the maximum credit for having upper
               case letters in the new password.  If you have
               <em class="replaceable"><code>N</code></em> or fewer upper case letters, each
               letter will count +1 towards meeting the current
               <code class="option">minlen</code> value. The default for
               <code class="option">ucredit</code> is <span class="emphasis"><em>1</em></span>, which
               is the recommended value for <code class="option">minlen</code> less
               than 10.
             </p><p>
               (N &lt; 0) This is the minimum number of upper
               case letters that must be present in a new password.
            </p></dd><dt><span class="term">
            <code class="option">lcredit=<em class="replaceable"><code>N</code></em></code>
          </span></dt><dd><p>
               (N &gt;= 0) This is the maximum credit for having
               lower case letters in the new password. If you have
               <em class="replaceable"><code>N</code></em> or fewer lower case
               letters, each letter will count +1 towards meeting the
               current <code class="option">minlen</code> value. The default for
               <code class="option">lcredit</code> is 1, which is the recommended
               value for <code class="option">minlen</code> less than 10.
             </p><p>
               (N &lt; 0) This is the minimum number of lower
               case letters that must be present in a new password.
            </p></dd><dt><span class="term">
            <code class="option">ocredit=<em class="replaceable"><code>N</code></em></code>
          </span></dt><dd><p>
               (N &gt;= 0) This is the maximum credit for having other
               characters in the new password. If you have
               <em class="replaceable"><code>N</code></em> or fewer other characters, each
               character will count +1 towards meeting the current
               <code class="option">minlen</code> value. The default for
               <code class="option">ocredit</code> is 1, which is the recommended
               value for <code class="option">minlen</code> less than 10.
             </p><p>
               (N &lt; 0) This is the minimum number of other
               characters that must be present in a new password.
            </p></dd><dt><span class="term">
            <code class="option">minclass=<em class="replaceable"><code>N</code></em></code>
          </span></dt><dd><p>
               The minimum number of required classes of characters for
               the new password. The default number is zero. The four
               classes are digits, upper and lower case letters and other
               characters.
               The difference from the <code class="option">credit</code> check is
               that no specific class of characters is required.
               Instead, <em class="replaceable"><code>N</code></em> out of the four
               classes are required.
            </p></dd><dt><span class="term">
            <code class="option">maxrepeat=<em class="replaceable"><code>N</code></em></code>
          </span></dt><dd><p>
               Reject passwords which contain more than N identical consecutive
               characters. The default is 0, which means that this check
               is disabled.
            </p></dd><dt><span class="term">
            <code class="option">maxsequence=<em class="replaceable"><code>N</code></em></code>
          </span></dt><dd><p>
               Reject passwords which contain monotonic character sequences
               longer than N. The default is 0, which means that this check
               is disabled. Examples of such sequences are '12345' or 'fedcb'.
               Note that most such passwords will not pass the simplicity
               check unless the sequence is only a minor part of the password.
            </p></dd><dt><span class="term">
            <code class="option">maxclassrepeat=<em class="replaceable"><code>N</code></em></code>
          </span></dt><dd><p>
               Reject passwords which contain more than N consecutive
               characters of the same class. The default is 0, which means
               that this check is disabled.
            </p></dd><dt><span class="term">
            <code class="option">reject_username</code>
          </span></dt><dd><p>
              Check whether the name of the user in straight or reversed
              form is contained in the new password. If it is found the
              new password is rejected.
            </p></dd><dt><span class="term">
            <code class="option">gecoscheck</code>
          </span></dt><dd><p>
               Check whether the words from the GECOS field (usually the full name
               of the user) longer than 3 characters in straight or reversed
               form are contained in the new password. If any such word is
               found the new password is rejected.
            </p></dd><dt><span class="term">
            <code class="option">enforce_for_root</code>
          </span></dt><dd><p>
               The module will return an error on a failed check even if the user
               changing the password is root. This option is off by default,
               which means that just the message about the failed check is
               printed but root can change the password anyway.
               Note that root is not asked for an old password, so the checks
               that compare the old and new password are not performed.
            </p></dd><dt><span class="term">
            <code class="option">use_authtok</code>
          </span></dt><dd><p>
              This argument is used to <span class="emphasis"><em>force</em></span> the
              module to not prompt the user for a new password but use
              the one provided by the previously stacked
              <span class="emphasis"><em>password</em></span> module.
            </p></dd><dt><span class="term">
            <code class="option">dictpath=<em class="replaceable"><code>/path/to/dict</code></em></code>
          </span></dt><dd><p>
              Path to the cracklib dictionaries.
            </p></dd></dl></div><p>
    </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_cracklib-types"></a>6.2.3. MODULE TYPES PROVIDED</h3></div></div></div><p>
      Only the <code class="option">password</code> module type is provided.
    </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_cracklib-return_values"></a>6.2.4. RETURN VALUES</h3></div></div></div><p>
      </p><div class="variablelist"><dl class="variablelist"><dt><span class="term">PAM_SUCCESS</span></dt><dd><p>
              The new password passes all checks.
            </p></dd><dt><span class="term">PAM_AUTHTOK_ERR</span></dt><dd><p>
              No new password was entered,
              the username could not be determined or the new
              password fails the strength checks.
            </p></dd><dt><span class="term">PAM_AUTHTOK_RECOVERY_ERR</span></dt><dd><p>
               The old password was not supplied by a previous stacked
               module or was not requested from the user.
               The first error can happen if <code class="option">use_authtok</code>
               is specified.
            </p></dd><dt><span class="term">PAM_SERVICE_ERR</span></dt><dd><p>
               An internal error occurred.
            </p></dd></dl></div><p>
    </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_cracklib-examples"></a>6.2.5. EXAMPLES</h3></div></div></div><p>
      For an example of the use of this module, we show how it may be
      stacked with the password component of
      <span class="citerefentry"><span class="refentrytitle">pam_unix</span>(8)</span>
      </p><pre class="programlisting">
#
# These lines stack two password type modules. In this example the
# user is given 3 opportunities to enter a strong password. The
# "use_authtok" argument ensures that the pam_unix module does not
# prompt for a password, but instead uses the one provided by
# pam_cracklib.
#
passwd  password required       pam_cracklib.so retry=3
passwd  password required       pam_unix.so use_authtok
      </pre><p>
    </p><p>
      Another example (in the <code class="filename">/etc/pam.d/passwd</code> format)
      is for the case where you want to use md5 password encryption:
      </p><pre class="programlisting">
#%PAM-1.0
#
# These lines allow an md5 system to support passwords of at least 14
# bytes with extra credit of 2 for digits and 2 for others. The new
# password must have at least three bytes that are not present in the
# old password.
#
password  required pam_cracklib.so \
               difok=3 minlen=15 dcredit=2 ocredit=2
password  required pam_unix.so use_authtok nullok md5
      </pre><p>
    </p><p>
      And here is another example in case you don't want to use credits:
      </p><pre class="programlisting">
#%PAM-1.0
#
# These lines require the user to select a password with a minimum
# length of 8 and with at least 1 digit, 1 upper case letter,
# and 1 other character
#
password  required pam_cracklib.so \
               dcredit=-1 ucredit=-1 ocredit=-1 lcredit=0 minlen=8
password  required pam_unix.so use_authtok nullok md5
      </pre><p>
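A runnable model of the checks described under OPTIONS above, applied to the configurations in these examples. It is an added illustration written for this page, not pam_cracklib's own C code: it implements the documented length-credit rule (a class with N &gt;= 0 contributes at most N length credits; a class with N &lt; 0 is a hard minimum and, as this model reads the option text, contributes no credit), minclass, difok (modelled here as Levenshtein edit distance, which is an assumption), maxrepeat, maxsequence, maxclassrepeat, reject_username and gecoscheck. The cracklib dictionary lookup and the palindrome and case-change checks are not modelled. The names CracklibOptions and check_password are this example's own.

```python
"""Model of the option-driven checks documented for pam_cracklib.

Written for this page as an illustration; not the module's own C code.
The cracklib dictionary lookup that the real module performs is omitted.
"""
from dataclasses import dataclass


@dataclass
class CracklibOptions:
    """Fields default to the documented defaults of the matching option."""
    minlen: int = 9
    dcredit: int = 1
    ucredit: int = 1
    lcredit: int = 1
    ocredit: int = 1
    difok: int = 5
    minclass: int = 0
    maxrepeat: int = 0
    maxsequence: int = 0
    maxclassrepeat: int = 0
    reject_username: bool = False
    gecoscheck: bool = False


def classify(ch):
    """Map a character to one of the four documented classes."""
    if ch.isdigit():
        return "digit"
    if ch.isupper():
        return "upper"
    return "lower" if ch.islower() else "other"


def longest_run(items):
    """Length of the longest run of identical consecutive items."""
    best = run = 0
    prev = object()
    for x in items:
        run = run + 1 if x == prev else 1
        prev = x
        best = max(best, run)
    return best


def longest_monotonic(pw):
    """Longest stretch of code points stepping by +1 or -1 in one direction,
    e.g. '12345' or 'fedcb'."""
    best = run = 1
    direction = 0
    for a, b in zip(pw, pw[1:]):
        d = ord(b) - ord(a)
        run = run + 1 if d in (1, -1) and direction in (0, d) else (2 if d in (1, -1) else 1)
        direction = d if d in (1, -1) else 0
        best = max(best, run)
    return best


def edit_distance(a, b):
    """Levenshtein distance; models difok here (a modelling assumption)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_password(new, old, user, opts, gecos=""):
    """Return None if `new` passes every enabled check, else the reason it fails."""
    counts = {c: 0 for c in ("digit", "upper", "lower", "other")}
    for ch in new:
        counts[classify(ch)] += 1
    credits = 0
    for cls, n in (("digit", opts.dcredit), ("upper", opts.ucredit),
                   ("lower", opts.lcredit), ("other", opts.ocredit)):
        if n >= 0:
            credits += min(counts[cls], n)            # N >= 0: at most N length credits
        elif counts[cls] < -n:
            return f"needs at least {-n} {cls} character(s)"   # N < 0: hard minimum, no credit
    if len(new) + credits < opts.minlen:
        return f"too short: {len(new)} + {credits} credits < minlen {opts.minlen}"
    if sum(1 for v in counts.values() if v) < opts.minclass:
        return f"fewer than {opts.minclass} character classes"
    if old is not None and edit_distance(old, new) < opts.difok:
        return f"fewer than {opts.difok} characters differ from the old password"
    if opts.maxrepeat and longest_run(new) > opts.maxrepeat:
        return f"more than {opts.maxrepeat} identical consecutive characters"
    if opts.maxsequence and longest_monotonic(new) > opts.maxsequence:
        return f"monotonic sequence longer than {opts.maxsequence}"
    if opts.maxclassrepeat and longest_run(map(classify, new)) > opts.maxclassrepeat:
        return f"more than {opts.maxclassrepeat} consecutive characters of one class"
    if opts.reject_username and (user in new or user[::-1] in new):
        return "contains the user name"
    if opts.gecoscheck:
        for word in gecos.replace(",", " ").split():
            if len(word) > 3 and (word in new or word[::-1] in new):
                return f"contains GECOS word {word!r}"
    return None


if __name__ == "__main__":
    # The third configuration from the examples above: hard minimums, no credits.
    policy = CracklibOptions(dcredit=-1, ucredit=-1, ocredit=-1, lcredit=0, minlen=8)
    for candidate in ("Passw0rd!", "password1!", "Aa1!"):
        print(f"{candidate!r}: {check_password(candidate, None, 'alice', policy) or 'ok'}")
```

Note what the `lcredit=0 minlen=8` line of the third example buys: with the other three classes turned into hard minimums, the length test is a plain eight characters, whereas under the defaults an eight-character single-class password passes `minlen=9` only because of its one credit. The model also makes the difference between `minclass` and negative credits visible: `minclass=3` accepts any three classes, while `dcredit=-1 ucredit=-1 ocredit=-1` names which three.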
    </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_cracklib-author"></a>6.2.6. AUTHOR</h3></div></div></div><p>
        pam_cracklib was written by Cristian Gafton &lt;gafton@redhat.com&gt;
      </p></div></div></body></html>
html/sag-pam_debug.html
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>6.3. pam_debug - debug the PAM stack</title><meta name="generator" content="DocBook XSL Stylesheets Vsnapshot"><link rel="home" href="Linux-PAM_SAG.html" title="The Linux-PAM System Administrators' Guide"><link rel="up" href="sag-module-reference.html" title="Chapter 6. A reference guide for available modules"><link rel="prev" href="sag-pam_cracklib.html" title="6.2. pam_cracklib - checks the password against dictionary words"><link rel="next" href="sag-pam_deny.html" title="6.4. pam_deny - locking-out PAM module"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="sag-pam_debug"></a>6.3. pam_debug - debug the PAM stack</h2></div></div></div><div class="cmdsynopsis"><p><code class="command">pam_debug.so</code>  [
	auth=<em class="replaceable"><code>value</code></em>
      ] [
	cred=<em class="replaceable"><code>value</code></em>
      ] [
	acct=<em class="replaceable"><code>value</code></em>
      ] [
	prechauthtok=<em class="replaceable"><code>value</code></em>
      ] [
	chauthtok=<em class="replaceable"><code>value</code></em>
      ] [
	open_session=<em class="replaceable"><code>value</code></em>
      ] [
	close_session=<em class="replaceable"><code>value</code></em>
      ]</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_debug-description"></a>6.3.1. DESCRIPTION</h3></div></div></div><p>
      The pam_debug PAM module is intended as a debugging aid for
      determining how the PAM stack is operating. This module returns
      what its module arguments tell it to return.
    </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_debug-options"></a>6.3.2. OPTIONS</h3></div></div></div><div class="variablelist"><dl class="variablelist"><dt><span class="term">
          <code class="option">auth=<em class="replaceable"><code>value</code></em></code>
        </span></dt><dd><p>
            The
	    <span class="citerefentry"><span class="refentrytitle">pam_sm_authenticate</span>(3)</span> function will return
            <em class="replaceable"><code>value</code></em>.
          </p></dd><dt><span class="term">
          <code class="option">cred=<em class="replaceable"><code>value</code></em></code>
        </span></dt><dd><p>
            The
	    <span class="citerefentry"><span class="refentrytitle">pam_sm_setcred</span>(3)</span> function will return
            <em class="replaceable"><code>value</code></em>.
          </p></dd><dt><span class="term">
          <code class="option">acct=<em class="replaceable"><code>value</code></em></code>
        </span></dt><dd><p>
            The
	    <span class="citerefentry"><span class="refentrytitle">pam_sm_acct_mgmt</span>(3)</span> function will return
            <em class="replaceable"><code>value</code></em>.
          </p></dd><dt><span class="term">
          <code class="option">prechauthtok=<em class="replaceable"><code>value</code></em></code>
        </span></dt><dd><p>
            The
	    <span class="citerefentry"><span class="refentrytitle">pam_sm_chauthtok</span>(3)</span> function will return
            <em class="replaceable"><code>value</code></em> if the
            <span class="emphasis"><em>PAM_PRELIM_CHECK</em></span> flag is set.
          </p></dd><dt><span class="term">
          <code class="option">chauthtok=<em class="replaceable"><code>value</code></em></code>
        </span></dt><dd><p>
            The
	    <span class="citerefentry"><span class="refentrytitle">pam_sm_chauthtok</span>(3)</span> function will return
            <em class="replaceable"><code>value</code></em> if the
            <span class="emphasis"><em>PAM_PRELIM_CHECK</em></span> flag is
            <span class="emphasis"><em>not</em></span> set.
          </p></dd><dt><span class="term">
          <code class="option">open_session=<em class="replaceable"><code>value</code></em></code>
        </span></dt><dd><p>
            The
	    <span class="citerefentry"><span class="refentrytitle">pam_sm_open_session</span>(3)</span> function will return
            <em class="replaceable"><code>value</code></em>.
          </p></dd><dt><span class="term">
          <code class="option">close_session=<em class="replaceable"><code>value</code></em></code>
        </span></dt><dd><p>
            The
	    <span class="citerefentry"><span class="refentrytitle">pam_sm_close_session</span>(3)</span> function will return
            <em class="replaceable"><code>value</code></em>.
          </p></dd></dl></div><p>
      Where <em class="replaceable"><code>value</code></em> can be one of: success,
      open_err, symbol_err, service_err, system_err, buf_err, perm_denied,
      auth_err, cred_insufficient, authinfo_unavail, user_unknown,
      maxtries, new_authtok_reqd, acct_expired, session_err, cred_unavail,
      cred_expired, cred_err, no_module_data, conv_err, authtok_err,
      authtok_recover_err, authtok_lock_busy, authtok_disable_aging,
      try_again, ignore, abort, authtok_expired, module_unknown,
      bad_item, conv_again, incomplete.
    </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_debug-types"></a>6.3.3. MODULE TYPES PROVIDED</h3></div></div></div><p>
      All module types (<code class="option">auth</code>, <code class="option">account</code>,
      <code class="option">password</code> and <code class="option">session</code>) are provided.
    </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_debug-return_values"></a>6.3.4. RETURN VALUES</h3></div></div></div><div class="variablelist"><dl class="variablelist"><dt><span class="term">PAM_SUCCESS</span></dt><dd><p>
            The default return code if no other value was specified;
            otherwise the specified return value.
          </p></dd></dl></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_debug-examples"></a>6.3.5. EXAMPLES</h3></div></div></div><pre class="programlisting">
auth    requisite       pam_permit.so
auth    [success=2 default=ok]  pam_debug.so auth=perm_denied cred=success
auth    [default=reset]         pam_debug.so auth=success cred=perm_denied
auth    [success=done default=die] pam_debug.so
auth    optional        pam_debug.so auth=perm_denied cred=perm_denied
auth    sufficient      pam_debug.so auth=success cred=success
    </pre></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_debug-author"></a>6.3.6. AUTHOR</h3></div></div></div><p>
        pam_debug was written by Andrew G. Morgan &lt;morgan@kernel.org&gt;.
      </p></div></div></body></html>
html/sag-pam_deny.html
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>6.4. pam_deny - locking-out PAM module</title><meta name="generator" content="DocBook XSL Stylesheets Vsnapshot"><link rel="home" href="Linux-PAM_SAG.html" title="The Linux-PAM System Administrators' Guide"><link rel="up" href="sag-module-reference.html" title="Chapter 6. A reference guide for available modules"><link rel="prev" href="sag-pam_debug.html" title="6.3. pam_debug - debug the PAM stack"><link rel="next" href="sag-pam_echo.html" title="6.5. pam_echo - print text messages"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="sag-pam_deny"></a>6.4. pam_deny - locking-out PAM module</h2></div></div></div><div class="cmdsynopsis"><p><code class="command">pam_deny.so</code> </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_deny-description"></a>6.4.1. DESCRIPTION</h3></div></div></div><p>
      This module can be used to deny access. It always indicates a failure
      to the application through the PAM framework. It might be suitable
      for use in the default (the <span class="emphasis"><em>OTHER</em></span>) entries.
    </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_deny-options"></a>6.4.2. OPTIONS</h3></div></div></div><p>This module does not recognise any options.</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_deny-types"></a>6.4.3. MODULE TYPES PROVIDED</h3></div></div></div><p>
      All module types (<code class="option">account</code>, <code class="option">auth</code>,
      <code class="option">password</code> and <code class="option">session</code>) are provided.
    </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_deny-return_values"></a>6.4.4. RETURN VALUES</h3></div></div></div><p>
      </p><div class="variablelist"><dl class="variablelist"><dt><span class="term">PAM_AUTH_ERR</span></dt><dd><p>
              This is returned by the account and auth services.
            </p></dd><dt><span class="term">PAM_CRED_ERR</span></dt><dd><p>
              This is returned by the setcred function.
            </p></dd><dt><span class="term">PAM_AUTHTOK_ERR</span></dt><dd><p>
              This is returned by the password service.
            </p></dd><dt><span class="term">PAM_SESSION_ERR</span></dt><dd><p>
              This is returned by the session service.
            </p></dd></dl></div><p>
    </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_deny-examples"></a>6.4.5. EXAMPLES</h3></div></div></div><pre class="programlisting">
#%PAM-1.0
#
# If we don't have config entries for a service, the
# OTHER entries are used. To be secure, warn and deny
# access to everything.
other auth     required       pam_warn.so
other auth     required       pam_deny.so
other account  required       pam_warn.so
other account  required       pam_deny.so
other password required       pam_warn.so
other password required       pam_deny.so
other session  required       pam_warn.so
other session  required       pam_deny.so
    </pre></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_deny-author"></a>6.4.6. AUTHOR</h3></div></div></div><p>
        pam_deny was written by Andrew G. Morgan &lt;morgan@kernel.org&gt;
      </p></div></div></body></html>
txts/README.pam_motd
pam_motd -- Display the motd file

   --------------------------------------------------------------------------

DESCRIPTION

   pam_motd is a PAM module that can be used to display arbitrary motd
   (message of the day) files after a successful login. By default, pam_motd
   shows files in the following locations:

   /etc/motd
   /run/motd
   /usr/lib/motd
   /etc/motd.d/
   /run/motd.d/
   /usr/lib/motd.d/

   Each message size is limited to 64KB.

   If /etc/motd does not exist, then /run/motd is shown. If /run/motd does
   not exist, then /usr/lib/motd is shown.

   Similar overriding behavior applies to the directories. Files in
   /etc/motd.d/ override files with the same name in /run/motd.d/ and
   /usr/lib/motd.d/. Files in /run/motd.d/ override files with the same name
   in /usr/lib/motd.d/.

   Files in the directories listed above are displayed in lexicographic order
   by name. Moreover, the files are filtered by reading them with the
   credentials of the target user authenticating on the system.

   To silence a message, a symbolic link with target /dev/null may be placed
   in /etc/motd.d with the same filename as the message to be silenced.
   Example: Creating a symbolic link as follows silences
   /usr/lib/motd.d/my_motd.

   ln -s /dev/null /etc/motd.d/my_motd

OPTIONS

   motd=/path/filename

           The /path/filename file is displayed as message of the day.
           Multiple paths to try can be specified as a colon-separated list.
           By default this option is set to
           /etc/motd:/run/motd:/usr/lib/motd.

   motd_dir=/path/dirname.d

           The /path/dirname.d directory is scanned and each file contained
           inside of it is displayed. Multiple directories to scan can be
           specified as a colon-separated list. By default this option is set
           to /etc/motd.d:/run/motd.d:/usr/lib/motd.d.

   When no options are given, the default behavior applies for both options.
   Specifying either option (or both) will disable the default behavior for
   both options.

EXAMPLES

   The suggested usage for /etc/pam.d/login is:

 session  optional  pam_motd.so


   To use a motd file from a different location:

 session  optional  pam_motd.so motd=/elsewhere/motd


   To use a motd file from elsewhere, along with a corresponding .d
   directory:

 session  optional  pam_motd.so motd=/elsewhere/motd motd_dir=/elsewhere/motd.d
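
The override rules for the file list and the directory list described above, together with the rule that giving either option disables the defaults for both, as a small resolver written for this page (it is not pam_motd's own code). It builds a constructed tree under a temporary directory, so the `root` parameter, `build_sample_tree` and `demo` are this example's own additions; the `/dev/null` symlink check mirrors the silencing recipe above.

```python
import os
import tempfile

# Documented defaults of the motd= and motd_dir= options.
DEFAULT_MOTD = "/etc/motd:/run/motd:/usr/lib/motd"
DEFAULT_MOTD_DIR = "/etc/motd.d:/run/motd.d:/usr/lib/motd.d"


def resolve_motd(root="/", motd=None, motd_dir=None):
    """Return (motd file to show or None, [(name, path), ...] in display order).

    `root` is prepended to every path so the logic can be exercised against a
    scratch tree instead of the live system (an addition of this example).
    Passing either option disables the default for both, as the README states.
    """
    if motd is None and motd_dir is None:
        motd, motd_dir = DEFAULT_MOTD, DEFAULT_MOTD_DIR
    paths = [p for p in (motd or "").split(":") if p]
    dirs = [d for d in (motd_dir or "").split(":") if d]

    def under_root(p):
        return os.path.join(root, p.lstrip("/"))

    # First existing file in the list wins: /etc/motd over /run/motd over /usr/lib/motd.
    chosen = next((under_root(p) for p in paths if os.path.isfile(under_root(p))), None)

    # Same rule per file name across the directories: the first directory
    # that contains a name shadows the later ones.
    entries = {}
    for d in dirs:
        dp = under_root(d)
        if os.path.isdir(dp):
            for name in os.listdir(dp):
                entries.setdefault(name, os.path.join(dp, name))

    shown = []
    for name in sorted(entries):           # lexicographic order by name
        path = entries[name]
        if os.path.islink(path) and os.readlink(path) == "/dev/null":
            continue                       # silenced: symlink to /dev/null
        shown.append((name, path))
    return chosen, shown


def build_sample_tree(root):
    """Constructed fixture for this example; no real system files are touched."""
    def write(rel, text):
        p = os.path.join(root, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "w", encoding="utf-8") as f:
            f.write(text)
    write("run/motd", "welcome (from /run/motd)\n")          # no /etc/motd, so this wins
    write("usr/lib/motd", "vendor motd\n")                  # shadowed by /run/motd
    write("usr/lib/motd.d/10-banner", "vendor banner\n")    # shadowed by the /etc copy
    write("etc/motd.d/10-banner", "site banner\n")
    write("run/motd.d/20-legal", "legal notice\n")
    write("usr/lib/motd.d/50-updates", "updates available\n")
    # Silence the vendor's 50-updates exactly as the README describes.
    os.symlink("/dev/null", os.path.join(root, "etc/motd.d/50-updates"))


def demo():
    """Resolve against the fixture; returns root-relative paths for readability."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)

        def rel(p):
            return "/" + os.path.relpath(p, root)

        chosen, shown = resolve_motd(root)
        default_view = (rel(chosen), [(n, rel(p)) for n, p in shown])
        # motd= given alone: the motd_dir default is disabled, so no .d entries appear.
        chosen2, shown2 = resolve_motd(root, motd="/run/motd")
        explicit_view = (rel(chosen2), [(n, rel(p)) for n, p in shown2])
    return default_view, explicit_view


if __name__ == "__main__":
    for label, (motd_file, entries) in zip(("defaults", "motd=/run/motd"), demo()):
        print(label, "->", motd_file, [n for n, _ in entries])
```

Running it against the fixture shows `/run/motd` selected because no `/etc/motd` exists, `10-banner` taken from `/etc/motd.d` rather than `/usr/lib/motd.d`, and `50-updates` dropped by the `/dev/null` link; with `motd=/run/motd` alone, no directory entries are shown at all.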


AUTHOR

   pam_motd was written by Ben Collins <bcollins@debian.org>.

   The motd_dir= option was added by Allison Karlitskaya
   <allison.karlitskaya@redhat.com>.
txts/README.pam_namespace
pam_namespace -- PAM module for configuring namespace for a session

   --------------------------------------------------------------------------

DESCRIPTION

   The pam_namespace PAM module sets up a private namespace for a session
   with polyinstantiated directories. A polyinstantiated directory provides a
   different instance of itself based on user name, or when using SELinux,
   user name, security context or both. If an executable script
   /etc/security/namespace.init exists, it is used to initialize the instance
   directory after it is set up and mounted on the polyinstantiated
   directory. The script receives the polyinstantiated directory path, the
   instance directory path, a flag indicating whether the instance directory
   was newly created (0 for no, 1 for yes), and the user name as its arguments.

   The pam_namespace module disassociates the session namespace from the
   parent namespace. Any mounts/unmounts performed in the parent namespace,
   such as mounting of devices, are not reflected in the session namespace.
   To propagate selected mount/unmount events from the parent namespace into
   the disassociated session namespace, an administrator may use the special
   shared-subtree feature. For additional information on shared-subtree
   feature, please refer to the mount(8) man page and the shared-subtree
   description at http://lwn.net/Articles/159077 and
   http://lwn.net/Articles/159092.

OPTIONS

   debug

           A lot of debug information is logged using syslog.

   unmnt_remnt

           For programs such as su and newrole, the login session has already
           set up a polyinstantiated namespace. For these programs,
           polyinstantiation is performed based on the new user id or security
           context; however, the command first needs to undo the
           polyinstantiation performed by login. This argument instructs the
           command to first undo the previous polyinstantiation before proceeding
           with new polyinstantiation based on the new id/context.

   unmnt_only

           For trusted programs that want to undo any existing bind mounts
           and process instance directories on their own, this argument
           allows them to unmount currently mounted instance directories.

   require_selinux

           If SELinux is not enabled, return failure.

   gen_hash

           Instead of using the security context string for the instance
           name, generate and use its md5 hash.

   ignore_config_error

           If a line in the configuration file corresponding to a
           polyinstantiated directory contains a format error, skip that line
           and process the next line. Without this option, pam will return an
           error to the calling program, resulting in termination of the
           session.

   ignore_instance_parent_mode

           Instance parent directories by default are expected to have the
           restrictive mode of 000. Using this option, an administrator can
           choose to ignore the mode of the instance parent. This option
           should be used with caution as it will reduce security and
           isolation goals of the polyinstantiation mechanism.

   unmount_on_close

           Explicitly unmount the polyinstantiated directories instead of
           relying on automatic namespace destruction after the last process
           in a namespace exits. This option should be used only in case it
           is ensured by other means that there cannot be any processes
           running in the private namespace left after the session close. It
           is also useful only in case there are multiple pam session calls
           in sequence from the same process.

   use_current_context

           Useful for services which do not change the SELinux context with
           setexeccon call. The module will use the current SELinux context
           of the calling process for the level and context
           polyinstantiation.

   use_default_context

           Useful for services which do not use pam_selinux for changing the
           SELinux context with setexeccon call. The module will use the
           default SELinux context of the user for the level and context
           polyinstantiation.

   mount_private

           This option can be used on systems where the / mount point or its
           submounts are made shared (for example with a mount --make-rshared
           / command). The module will mark the whole directory tree so any
           mount and unmount operations in the polyinstantiation namespace
           are private. Normally pam_namespace will try to detect the
           shared / mount point and make the polyinstantiated directories
           private automatically. This option is only needed when just a
           subtree is shared and / is not.

           Note that mounts and unmounts done in the private namespace will
           not affect the parent namespace if this option is used or when the
           shared / mount point is autodetected.

DESCRIPTION

   The pam_namespace.so module allows setup of private namespaces with
   polyinstantiated directories. Directories can be polyinstantiated based on
   user name or, in the case of SELinux, user name, sensitivity level or
   complete security context. If an executable script
   /etc/security/namespace.init exists, it is used to initialize the
   namespace every time an instance directory is set up and mounted. The
   script receives the polyinstantiated directory path and the instance
   directory path as its arguments.

   The /etc/security/namespace.conf file specifies which directories are
   polyinstantiated, how they are polyinstantiated, how instance directories
   would be named, and any users for whom polyinstantiation would not be
   performed.

   When someone logs in, the file namespace.conf is scanned. Comments are
   marked by # characters. Each non-comment line represents one
   polyinstantiated directory. The fields are separated by spaces but can be
   quoted with " characters; the escape sequences \b, \n, and \t are also
   recognized. The fields are as follows:

   polydir instance_prefix method list_of_uids

   The first field, polydir, is the absolute pathname of the directory to
   polyinstantiate. The special string $HOME is replaced with the user's home
   directory, and $USER with the username. This field cannot be blank.

   The second field, instance_prefix, is the string prefix used to build the
   pathname for the instantiation of <polydir>. Depending on the
   polyinstantiation method it is then appended with the "instance
   differentiation string" to generate the final instance directory path.
   This directory is created if it did not exist already, and is then bind
   mounted on <polydir> to provide an instance of <polydir> based on the
   <method> column. The special string $HOME is replaced with the user's home
   directory, and $USER with the username. This field cannot be blank.

   The third field, method, is the method used for polyinstantiation. It can
   take these values; "user" for polyinstantiation based on user name,
   "level" for polyinstantiation based on process MLS level and user name,
   "context" for polyinstantiation based on process security context and user
   name, "tmpfs" for mounting tmpfs filesystem as an instance dir, and
   "tmpdir" for creating temporary directory as an instance dir which is
   removed when the user's session is closed. Methods "context" and "level"
   are only available with SELinux. This field cannot be blank.

   The fourth field, list_of_uids, is a comma separated list of user names
   for whom the polyinstantiation is not performed. If left blank,
   polyinstantiation will be performed for all users. If the list is preceded
   with a single "~" character, polyinstantiation is performed only for users
   in the list.

   The method field can contain also following optional flags separated by :
   characters.

   create=mode,owner,group - create the polyinstantiated directory. The mode,
   owner and group parameters are optional. The default for mode is
   determined by umask, the default owner is the user whose session is
   opened, the default group is the primary group of the user.

   iscript=path - path to the instance directory init script. The base
   directory for relative paths is /etc/security/namespace.d.

   noinit - instance directory init script will not be executed.

   shared - the instance directories for "context" and "level" methods will
   not contain the user name and will be shared among all users.

   mntopts=value - value of this flag is passed to the mount call when the
   tmpfs mount is done. It allows for example the specification of the
   maximum size of the tmpfs instance that is created by the mount call. In
   addition to options specified in the tmpfs(5) manual the nosuid, noexec,
   and nodev flags can be used to respectively disable setuid bit effect,
   disable running executables, and disable devices to be interpreted on the
   mounted tmpfs filesystem.

   The directory where polyinstantiated instances are to be created must
   exist and must have, by default, the mode 0000. The requirement that
   the instance parent be of mode 0000 can be overridden with the command
   line option ignore_instance_parent_mode.

   In case of context or level polyinstantiation the SELinux context which is
   used for polyinstantiation is the context used for executing a new process
   as obtained by getexeccon. This context must be set by the calling
   application or the pam_selinux.so module. If this context is not set, the
   polyinstantiation will be based just on the user name.

   The "instance differentiation string" is <user name> for the "user" method
   and <user name>_<raw directory context> for the "context" and "level"
   methods. If the whole string is too long, the end of it is replaced with
   the md5sum of the whole string. When the command line option gen_hash is
   used, the whole string is replaced with its md5sum.

EXAMPLES

   These are some example lines which might be specified in
   /etc/security/namespace.conf.

         # The following three lines will polyinstantiate /tmp,
         # /var/tmp and user's home directories. /tmp and /var/tmp
         # will be polyinstantiated based on the security level
         # as well as user name, whereas home directory will be
         # polyinstantiated based on the full security context and user name.
         # Polyinstantiation will not be performed for user root
         # and adm for directories /tmp and /var/tmp, whereas home
         # directories will be polyinstantiated for all users.
         #
         # Note that instance directories do not have to reside inside
         # the polyinstantiated directory. In the examples below,
         # instances of /tmp will be created in /tmp-inst directory,
         # where as instances of /var/tmp and users home directories
         # will reside within the directories that are being
         # polyinstantiated.
         #
         /tmp     /tmp-inst/               level      root,adm
         /var/tmp /var/tmp/tmp-inst/       level      root,adm
         $HOME    $HOME/$USER.inst/inst-   context


   For the <service>s you need polyinstantiation (login for example) put the
   following line in /etc/pam.d/<service> as the last line for session group:

   session required pam_namespace.so [arguments]

   This module also depends on pam_selinux.so setting the context.
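
   The configuration rules above (field splitting with quoting and escapes,
   the method:flag syntax, the fourth-field exclusion list and its ~ prefix,
   $HOME/$USER expansion, and the instance differentiation string with its
   md5 fallback and gen_hash) as an added, runnable Python illustration. This
   is not pam_namespace's code: the real module performs the bind mounts,
   obtains the raw directory context from SELinux and has its own name-length
   limit; here the contexts are constructed strings passed in by the caller,
   max_len is an assumed limit, nothing is mounted, and the tmpdir method is
   only represented by a placeholder name.

```python
"""Work out, for one user, which namespace.conf entries apply and what the
instance directory would be called.  Added example, not pam_namespace code."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ESCAPES = {"b": "\b", "n": "\n", "t": "\t"}


def split_fields(line: str) -> List[str]:
    """Whitespace-separated fields; "..." quoting; \\b \\n \\t escapes."""
    fields, cur, quoted, started, i = [], [], False, False, 0
    while i < len(line):
        c = line[i]
        if c == "\\" and i + 1 < len(line) and line[i + 1] in ESCAPES:
            cur.append(ESCAPES[line[i + 1]]); started = True; i += 2
            continue
        if c == '"':
            quoted, started = not quoted, True
        elif c.isspace() and not quoted:
            if started:
                fields.append("".join(cur)); cur, started = [], False
        else:
            cur.append(c); started = True
        i += 1
    if started:
        fields.append("".join(cur))
    return fields


@dataclass
class PolyDir:
    polydir: str
    instance_prefix: str
    method: str            # user | level | context | tmpfs | tmpdir
    flags: Dict[str, str]  # create=, iscript=, noinit, shared, mntopts=
    users: List[str]       # fourth field without a leading '~'
    only_listed: bool      # '~' given: polyinstantiate only these users


def parse_namespace_conf(text: str) -> List[PolyDir]:
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # '#' starts a comment
        if not line:
            continue
        f = split_fields(line)
        if len(f) < 3:
            raise ValueError(f"polydir, instance_prefix and method are required: {raw!r}")
        method, *flag_words = f[2].split(":")        # method[:flag[:flag...]]
        flags = dict(w.partition("=")[::2] for w in flag_words)
        uid_list = f[3] if len(f) > 3 else ""
        users = [u for u in uid_list.lstrip("~").split(",") if u]
        entries.append(PolyDir(f[0], f[1], method, flags, users, uid_list.startswith("~")))
    return entries


def applies_to(e: PolyDir, user: str) -> bool:
    """Blank list: everyone; list: everyone except; ~list: only those listed."""
    return (user in e.users) if e.only_listed else (user not in e.users)


def expand(path: str, user: str, home: str) -> str:
    return path.replace("$HOME", home).replace("$USER", user)


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def differentiate(user: str, method: str, dir_context: Optional[str],
                  shared: bool = False, gen_hash: bool = False, max_len: int = 255) -> str:
    """<user> for "user"; <user>_<raw directory context> for "context"/"level"
    ("shared" drops the user part); just the user if no context was set.
    max_len stands in for the module's real name-length limit (assumption)."""
    if method in ("context", "level") and dir_context:
        name = dir_context if shared else f"{user}_{dir_context}"
    else:
        name = user
    if gen_hash:
        return md5hex(name)
    if len(name) > max_len:      # too long: the end becomes the md5 of the whole
        return name[:max_len - 32] + md5hex(name)
    return name


def plan_for(conf: str, user: str, home: str, dir_contexts: Optional[Dict[str, str]] = None,
             gen_hash: bool = False) -> List[Tuple[str, str, str]]:
    """(polydir, instance, note) for every entry that applies to `user`.
    dir_contexts maps an expanded polydir to its raw directory context; a
    missing key means 'no context set' (user-name-only instance)."""
    dir_contexts, plans = dir_contexts or {}, []
    for e in parse_namespace_conf(conf):
        if not applies_to(e, user):
            continue
        polydir, prefix = expand(e.polydir, user, home), expand(e.instance_prefix, user, home)
        if e.method == "tmpfs":                      # fresh tmpfs, no instance dir
            plans.append((polydir, f"tmpfs({e.flags.get('mntopts', '')})", "mount tmpfs on polydir"))
        elif e.method == "tmpdir":                   # random name chosen at session open
            plans.append((polydir, prefix + "<random>", "temporary dir, removed at session close"))
        else:
            name = differentiate(user, e.method, dir_contexts.get(polydir), "shared" in e.flags, gen_hash)
            init = "skipped (noinit)" if "noinit" in e.flags else e.flags.get("iscript", "/etc/security/namespace.init")
            plans.append((polydir, prefix + name, f"bind mount; init script {init}"))
    return plans


EXAMPLE_CONF = """\
# the three lines from the namespace.conf example above
/tmp     /tmp-inst/              level    root,adm
/var/tmp /var/tmp/tmp-inst/      level    root,adm
$HOME    $HOME/$USER.inst/inst-  context
"""

if __name__ == "__main__":
    ctx = {"/tmp": "system_u:object_r:tmp_t:s0"}      # constructed, not from SELinux
    for polydir, instance, note in plan_for(EXAMPLE_CONF, "alice", "/home/alice", ctx):
        print(f"{polydir:12} -> {instance}  [{note}]")
```

   Running it with the three example lines shows /tmp instantiated under
   /tmp-inst/ with a user_context name, /var/tmp falling back to the user
   name because no context was supplied for it, and root's home still being
   polyinstantiated although root is excluded from /tmp and /var/tmp.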
pam_nologin — Prevent non-root users from login

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

DESCRIPTION

pam_nologin is a PAM module that prevents users from logging into the system
when /var/run/nologin or /etc/nologin exists. The contents of the file are
displayed to the user. The pam_nologin module has no effect on the root user's
ability to log in.

OPTIONS

file=/path/nologin

    Use this file instead of the default /var/run/nologin or /etc/nologin.

successok

    Return PAM_SUCCESS if no file exists, the default is PAM_IGNORE.

EXAMPLES

The suggested usage for /etc/pam.d/login is:

auth  required  pam_nologin.so


NOTES

In order to make this module effective, all login methods should be secured by
it. It should be used as a required method listed before any sufficient methods
in order to get standard Unix nologin semantics. Note that the successok
module argument causes the module to return PAM_SUCCESS and as such would break
such a configuration: failing sufficient modules would then lead to a successful
login because the nologin module succeeded.
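
The successok caveat is easiest to see by walking a stack the way libpam
combines module verdicts. The following is an added Python illustration, not
Linux-PAM code: run_stack is a reduced model of libpam's dispatch (the classic
control flags expressed as the [value=action] tables from pam.conf(5); no jump
actions, no reset, no cached-return handling), and the two fake modules only
reproduce the return codes the pam_nologin and pam_unix text describes. User
names, passwords and the "nologin file present" flag are constructed inputs.

```python
"""Model of how libpam combines module results, used here to show why
pam_nologin successok breaks a stack whose real authenticator is 'sufficient'.
Added example, not Linux-PAM code."""
from typing import Callable, Dict, List, Set, Tuple, Union

SUCCESS, AUTH_ERR, IGNORE, PERM_DENIED = (
    "PAM_SUCCESS", "PAM_AUTH_ERR", "PAM_IGNORE", "PAM_PERM_DENIED")
NEW_AUTHTOK_REQD = "PAM_NEW_AUTHTOK_REQD"

# The classic control flags as the [value=action] tables pam.conf(5) defines them.
CONTROL: Dict[str, Dict[str, str]] = {
    "required":   {SUCCESS: "ok",   NEW_AUTHTOK_REQD: "ok",   IGNORE: "ignore", "default": "bad"},
    "requisite":  {SUCCESS: "ok",   NEW_AUTHTOK_REQD: "ok",   IGNORE: "ignore", "default": "die"},
    "sufficient": {SUCCESS: "done", NEW_AUTHTOK_REQD: "done", "default": "ignore"},
    "optional":   {SUCCESS: "ok",   NEW_AUTHTOK_REQD: "ok",   "default": "ignore"},
}

Module = Callable[[str], str]                        # user -> PAM return code
Entry = Tuple[Union[str, Dict[str, str]], Module]   # control word or [..] table


def run_stack(stack: List[Entry], user: str) -> str:
    """impression: None until some module's verdict counts, then True/False.
    status: the code handed back to the application."""
    impression, status = None, PERM_DENIED
    for control, module in stack:
        retval = module(user)
        actions = CONTROL[control] if isinstance(control, str) else control
        action = actions.get(retval, actions["default"])
        if action in ("bad", "die"):
            if impression is not False:            # the first failure sticks
                impression, status = False, retval
            if action == "die":
                break
        elif action in ("ok", "done"):
            # 'ok' only overrides a stack that would currently succeed
            if impression is None or (impression and status == SUCCESS):
                if retval != IGNORE:
                    impression, status = True, retval
            if impression and action == "done":
                break
        # 'ignore': the module has no say in the result
    return PERM_DENIED if impression is None else status   # nobody voted: deny


def make_nologin(file_exists: bool, successok: bool = False) -> Module:
    """Model of pam_nologin: non-root users are refused while the nologin file
    exists; otherwise PAM_IGNORE, or PAM_SUCCESS with successok. Root is never
    affected."""
    quiet = SUCCESS if successok else IGNORE
    return lambda user: AUTH_ERR if file_exists and user != "root" else quiet


def make_unix(password_ok: Set[str]) -> Module:
    """Model of pam_unix auth: succeeds only for users whose password matched."""
    return lambda user: SUCCESS if user in password_ok else AUTH_ERR


def login_outcomes(successok: bool, authenticator_control: str = "sufficient") -> Dict[str, str]:
    """Results of the stack
         auth required               pam_nologin.so [successok]
         auth <authenticator_control> pam_unix.so
    for alice (right password), mallory (wrong password) and root (wrong
    password), with and without the nologin file present."""
    unix = make_unix({"alice"})                  # constructed: only alice's password matches
    out = {}
    for file_exists in (False, True):
        stack = [("required", make_nologin(file_exists, successok)),
                 (authenticator_control, unix)]
        for user in ("alice", "mallory", "root"):
            out[f"nologin_file={file_exists} user={user}"] = run_stack(stack, user)
    return out


if __name__ == "__main__":
    for successok in (False, True):
        print(f"--- successok={successok}")
        for case, result in login_outcomes(successok).items():
            print(f"{case:34} {result}")
```

With the default PAM_IGNORE, a wrong password leaves no module having voted and
the stack returns PAM_PERM_DENIED; with successok the required pam_nologin has
already voted PAM_SUCCESS, the failing sufficient pam_unix is ignored, and the
login succeeds. Making the authenticator required (or ending the stack with
pam_deny.so) removes the dependence on "nobody voted". The same run_stack takes
a bracketed table in place of a control word, so the pam_sepermit line
[success=done ignore=ignore default=bad] shown later on this page can be
evaluated with it too.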

AUTHOR

pam_nologin was written by Michael K. Johnson <johnsonm@redhat.com>.

pam_permit — The promiscuous module

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

DESCRIPTION

pam_permit is a PAM module that always permits access. It does nothing else.

In the case of authentication, the user's name will be set to nobody if the
application didn't set one. Many applications and PAM modules become confused
if this name is unknown.

This module is very dangerous. It should be used with extreme caution.

OPTIONS

This module does not recognise any options.

EXAMPLES

Add this line to your other login entries to disable account management, but
continue to permit users to log in.

account  required  pam_permit.so


AUTHOR

pam_permit was written by Andrew G. Morgan, <morgan@kernel.org>.

pam_postgresok:
	Similar to pam_rootok, this module checks that the current real
	user ID is 26 (per /usr/share/doc/setup-*/uidgid on Red Hat
	Linux) and belongs to a user named "postgres".

RECOGNIZED ARGUMENTS:
	debug		write debugging messages to syslog

MODULE SERVICES PROVIDED:
	authentication

AUTHOR:
	Fernando Nasser <fnasser@redhat.com>
pam_pwhistory -- PAM module to remember last passwords

   --------------------------------------------------------------------------

DESCRIPTION

   This module saves the last passwords for each user in order to force
   password change history and keep the user from alternating between the
   same password too frequently.

   This module does not work together with Kerberos. In general, it does not
   make much sense to use this module in conjunction with NIS or LDAP, since
   the old passwords are stored on the local machine and are not available on
   another machine for password history checking.

OPTIONS

   debug

           Turns on debugging via syslog(3).

   use_authtok

           When changing the password, force the module to use the new
           password provided by a previously stacked password module (this
           is used in the pam_cracklib stacking example documented below).

   enforce_for_root

           If this option is set, the check is enforced for root, too.

   remember=N

           The last N passwords for each user are saved. The default is 10.
           A value of 0 makes the module keep the existing contents of the
           opasswd file unchanged.

   retry=N

           Prompt user at most N times before returning with error. The
           default is 1.

   authtok_type=STRING

           See pam_get_authtok(3) for more details.

   conf=/path/to/config-file

           Use another configuration file instead of the default
           /etc/security/pwhistory.conf.

   The options for configuring the module behavior are described in the
   pwhistory.conf(5) manual page. The options specified on the module command
   line override the values from the configuration file.

EXAMPLES

   An example password section would be:

 #%PAM-1.0
 password     required       pam_pwhistory.so
 password     required       pam_unix.so        use_authtok


   In combination with pam_cracklib:

 #%PAM-1.0
 password     required       pam_cracklib.so    retry=3
 password     required       pam_pwhistory.so   use_authtok
 password     required       pam_unix.so        use_authtok


AUTHOR

   pam_pwhistory was written by Thorsten Kukuk <kukuk@thkukuk.de>
pam_rhosts — The rhosts PAM module

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

DESCRIPTION

This module performs the standard network authentication for services, as used
by traditional implementations of rlogin and rsh etc.

The authentication mechanism of this module is based on the contents of two
files: /etc/hosts.equiv and ~/.rhosts. Firstly, hosts listed in the former
file are treated as equivalent to the localhost. Secondly, entries in the
user's own copy of the latter file are used to map "remote-host remote-user"
pairs to that user's account on the current host. Access is granted to the user
if their host is present in /etc/hosts.equiv and their remote account is
identical to their local one, or if their remote account has an entry in their
personal configuration file.

The module authenticates a remote user (internally specified by the item
PAM_RUSER) connecting from the remote host (internally specified by the item
PAM_RHOST). Accordingly, for applications to be compatible with this
authentication module they must set these items prior to calling
pam_authenticate(). The module is not capable of independently probing the
network connection for such information, so the trust decision rests entirely
on the host and user names the application supplies.

OPTIONS

debug

    Print debug information.

silent

    Don't print informative messages.

superuser=account

    Handle account as root.

EXAMPLES

To grant a remote user access by /etc/hosts.equiv or .rhosts for rsh add the
following lines to /etc/pam.d/rsh:

#%PAM-1.0
#
auth     required       pam_rhosts.so
auth     required       pam_nologin.so
auth     required       pam_env.so
auth     required       pam_unix.so


AUTHOR

pam_rhosts was written by Thorsten Kukuk <kukuk@thkukuk.de>

pam_rootok — Gain only root access

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

DESCRIPTION

pam_rootok is a PAM module that authenticates the user if their UID is 0.
Applications that are created setuid-root generally retain the UID of the user
but run with the authority of an enhanced effective-UID. It is the real UID
that is checked.

OPTIONS

debug

    Print debug information.

EXAMPLES

In the case of the su(1) application the historical usage is to permit the
superuser to adopt the identity of a lesser user without the use of a password.
To obtain this behavior with PAM the following pair of lines are needed for the
corresponding entry in the /etc/pam.d/su configuration file:

# su authentication. Root is granted access by default.
auth  sufficient   pam_rootok.so
auth  required     pam_unix.so


AUTHOR

pam_rootok was written by Andrew G. Morgan, <morgan@kernel.org>.

pam_securetty — Limit root login to special devices

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

DESCRIPTION

pam_securetty is a PAM module that allows root logins only if the user is
logging in on a "secure" tty, as defined by the listing in /etc/securetty.
pam_securetty also checks to make sure that /etc/securetty is a plain file and
not world writable. It will also allow root logins on the tty specified with
console= switch on the kernel command line and on ttys from the /sys/class/tty/
console/active.

This module has no effect on non-root users and requires that the application
fills in the PAM_TTY item correctly.

For canonical usage, it should be listed as a required authentication method
before any sufficient authentication methods.

OPTIONS

debug

    Print debug information.

noconsole

    Do not automatically allow root logins on the kernel console device, as
    specified on the kernel command line or by the sys file, if it is not also
    specified in the /etc/securetty file.

EXAMPLES

auth  required  pam_securetty.so
auth  required  pam_unix.so


AUTHOR

pam_securetty was written by Elliot Lee <sopwith@cuc.edu>.

pam_selinux — PAM module to set the default security context

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

DESCRIPTION

pam_selinux is a PAM module that sets up the default SELinux security context
for the next executed process.

When a new session is started, the open_session part of the module computes and
sets up the execution security context used for the next execve(2) call, the
file security context for the controlling terminal, and the security context
used for creating a new kernel keyring.

When the session is ended, the close_session part of the module restores old
security contexts that were in effect before the change made by the
open_session part of the module.

Adding pam_selinux into the PAM stack might disrupt the behavior of other PAM
modules which execute applications. To avoid that, pam_selinux.so open should
be placed after such modules in the PAM stack, and pam_selinux.so close should
be placed before them. When such a placement is not feasible, pam_selinux.so
restore can be used to temporarily restore the original security contexts.

OPTIONS

open

    Only execute the open_session part of the module.

close

    Only execute the close_session part of the module.

restore

    In open_session part of the module, temporarily restore the security
    contexts as they were before the previous call of the module. Another call
    of this module without the restore option will set up the new security
    contexts again.

nottys

    Do not setup security context of the controlling terminal.

debug

    Turn on debug messages via syslog(3).

verbose

    Attempt to inform the user when security context is set.

select_context

    Attempt to ask the user for a custom security context role. If MLS is on,
    ask also for sensitivity level.

env_params

    Attempt to obtain a custom security context role from PAM environment. If
    MLS is on, obtain also sensitivity level. This option and the
    select_context option are mutually exclusive. The respective PAM
    environment variables are SELINUX_ROLE_REQUESTED, SELINUX_LEVEL_REQUESTED,
    and SELINUX_USE_CURRENT_RANGE. The first two variables are self describing
    and the last one if set to 1 makes the PAM module behave as if the
    use_current_range was specified on the command line of the module.

use_current_range

    Use the sensitivity level of the current process for the user context
    instead of the default level. Also suppresses asking of the sensitivity
    level from the user or obtaining it from PAM environment.

EXAMPLES

auth     required  pam_unix.so
session  required  pam_permit.so
session  optional  pam_selinux.so


AUTHOR

pam_selinux was written by Dan Walsh <dwalsh@redhat.com>.

pam_sepermit — PAM module to allow/deny login depending on SELinux enforcement
state

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

DESCRIPTION

The pam_sepermit module allows or denies login depending on SELinux enforcement
state.

When the user who is logging in matches an entry in the config file, access is
allowed only when SELinux is in enforcing mode; otherwise access is denied. For
users not matching any entry in the config file the pam_sepermit module returns
the PAM_IGNORE return value.

The config file contains a list of user names one per line with optional
arguments. If the name is prefixed with @ character it means that all users in
the group name match. If it is prefixed with a % character the SELinux user is
used to match against the name instead of the account name. Note that when
SELinux is disabled the SELinux user assigned to the account cannot be
determined. This means that such entries are never matched when SELinux is
disabled and pam_sepermit will return PAM_IGNORE.

See sepermit.conf(5) for details.

OPTIONS

debug

    Turns on debugging via syslog(3).

conf=/path/to/config/file

    Path to alternative config file overriding the default.

EXAMPLES

auth     [success=done ignore=ignore default=bad] pam_sepermit.so
auth     required  pam_unix.so
account  required  pam_unix.so
session  required  pam_permit.so


AUTHOR

pam_sepermit and this manual page were written by Tomas Mraz
<tmraz@redhat.com>.

pam_shells — PAM module to check for valid login shell

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

DESCRIPTION

pam_shells is a PAM module that only allows access to the system if the user's
shell is listed in /etc/shells.

It also checks if /etc/shells is a plain file and not world writable.

OPTIONS

This module does not recognise any options.

EXAMPLES

auth  required  pam_shells.so


AUTHOR

pam_shells was written by Erik Troan <ewt@redhat.com>.

#
# This describes the behavior of this module with respect to the
# /etc/pam.conf file.
#
# written by Andrew Morgan <morgan@parc.power.net>
#

This module recognizes the following arguments.

debug		put lots of information in syslog.
		*NOTE* this option writes passwords to syslog, so
		don't use anything sensitive when testing.

no_warn		don't give warnings about things (otherwise warnings are issued
		via the conversation function)

use_first_pass	don't prompt for a password, for pam_sm_authentication
		function just use item PAM_AUTHTOK.

try_first_pass	don't prompt for a password unless there has been no
		previous authentication token (item PAM_AUTHTOK is NULL)

rootok		This is intended for the pam_sm_chauthtok function and
		it instructs this function to permit root to change
		the user's password without entering the old password.

The following arguments are acted on by the module. They are intended
to make the module give the impression of failing as a fully
functioning module might.

expired 	an argument intended for the account and chauthtok module
		parts. It instructs the module to act as if the user's
		password has expired

fail_1		this instructs the module to make its first function fail.

fail_2		this instructs the module to make its second function (if there
		is one) fail.

		The function break up is indicated in the Module
		Developers' Guide. Listed here it is:

		service		function 1		function 2
		-------		----------		----------
		auth		pam_sm_authenticate	pam_sm_setcred
		password	pam_sm_chauthtok
		session		pam_sm_open_session	pam_sm_close_session
		account		pam_sm_acct_mgmt

prelim		for pam_sm_chauthtok, means fail on PAM_PRELIM_CHECK.

required	for pam_sm_chauthtok, means fail if the user hasn't already
		been authenticated by this module. (See stress_new_pwd data
		item below.)

#
# data strings that this module uses are the following:
#

data name		value(s)	Comments
---------		--------	--------
stress_new_pwd		yes		tells pam_sm_chauthtok that
					pam_sm_acct_mgmt says we need a new
					password
pam_succeed_if — test account characteristics

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

DESCRIPTION

pam_succeed_if.so is designed to succeed or fail authentication based on
characteristics of the account belonging to the user being authenticated or
values of other PAM items. One use is to select whether to load other modules
based on this test.

The module should be given one or more conditions as module arguments, and
authentication will succeed only if all of the conditions are met.

OPTIONS

The following flags are supported:

debug

    Turns on debugging messages sent to syslog.

use_uid

    Evaluate conditions using the account of the user whose UID the application
    is running under instead of the user being authenticated.

quiet

    Don't log failure or success to the system log.

quiet_fail

    Don't log failure to the system log.

quiet_success

    Don't log success to the system log.

audit

    Log unknown users to the system log.

Conditions are three words: a field, a test, and a value to test for.

Available fields are user, uid, gid, shell, home, ruser, rhost, tty and
service:

field < number

    Field has a value numerically less than number.

field <= number

    Field has a value numerically less than or equal to number.

field eq number

    Field has a value numerically equal to number.

field >= number

    Field has a value numerically greater than or equal to number.

field > number

    Field has a value numerically greater than number.

field ne number

    Field has a value numerically different from number.

field = string

    Field exactly matches the given string.

field != string

    Field does not match the given string.

field =~ glob

    Field matches the given glob.

field !~ glob

    Field does not match the given glob.

field in item:item:...

    Field is contained in the list of items separated by colons.

field notin item:item:...

    Field is not contained in the list of items separated by colons.

user ingroup group

    User is in given group.

user notingroup group

    User is not in given group.

user innetgr netgroup

    (user,host) is in given netgroup.

user notinnetgr netgroup

    (user,host) is not in given netgroup.

EXAMPLES

To emulate the behaviour of pam_wheel, except there is no fallback to group 0:

auth required pam_succeed_if.so quiet user ingroup wheel


Given that the type matches, only loads the othermodule rule if the UID is over
500. Adjust the number after default to skip several rules.

type [default=1 success=ignore] pam_succeed_if.so quiet uid > 500
type required othermodule.so arguments...
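
An added Python illustration of the condition grammar above, covering the two
examples (the pam_wheel emulation and the uid > 500 test) as well as the
string, glob, list and group tests and the use_uid flag. This is not the
module's code: account data and PAM items come from constructed tables rather
than getpwnam(3) and pam_get_item(3), the innetgr/notinnetgr tests are left
out, and the glob tests use Python's fnmatch, which follows the same rules as
fnmatch(3). The function returns True where the real module would return
success and False where it would fail.

```python
"""Evaluate pam_succeed_if conditions: all 'field test value' triples must
hold.  Added example, not pam_succeed_if code."""
import fnmatch
from typing import Dict, List, Optional, Sequence, Set, Tuple

FLAGS = {"debug", "use_uid", "quiet", "quiet_fail", "quiet_success", "audit"}
ACCOUNT_FIELDS = ("user", "uid", "gid", "shell", "home")   # from the passwd entry
ITEM_FIELDS = ("ruser", "rhost", "tty", "service")         # from PAM items
NUMERIC_TESTS = {"<", "<=", "eq", ">=", ">", "ne"}

# Constructed sample passwd and group data (group sets include primary groups).
ACCOUNTS: Dict[str, Dict[str, str]] = {
    "alice": {"user": "alice", "uid": "1000", "gid": "1000", "shell": "/bin/bash", "home": "/home/alice"},
    "bob":   {"user": "bob",   "uid": "450",  "gid": "450",  "shell": "/usr/sbin/nologin", "home": "/var/lib/bob"},
    "root":  {"user": "root",  "uid": "0",    "gid": "0",    "shell": "/bin/bash", "home": "/root"},
}
GROUPS: Dict[str, Set[str]] = {"wheel": {"alice"}, "users": {"alice", "bob"}}


def parse_args(args: Sequence[str]) -> Tuple[Set[str], List[Tuple[str, str, str]]]:
    """Flags may appear anywhere on the line; everything else comes in triples."""
    flags, rest = set(), []
    for a in args:
        (flags.add if a in FLAGS else rest.append)(a)
    if len(rest) % 3:
        raise ValueError("conditions must be 'field test value' triples")
    return flags, [(rest[i], rest[i + 1], rest[i + 2]) for i in range(0, len(rest), 3)]


def evaluate(field: str, test: str, value: str, account: Dict[str, str],
             items: Dict[str, str]) -> bool:
    if field in ACCOUNT_FIELDS:
        left = account[field]
    elif field in ITEM_FIELDS:
        left = items.get(field, "")
    else:
        raise ValueError(f"unknown field {field!r}")
    if test in NUMERIC_TESTS:
        l, r = int(left), int(value)
        return {"<": l < r, "<=": l <= r, "eq": l == r,
                ">=": l >= r, ">": l > r, "ne": l != r}[test]
    if test in ("=", "!="):
        return (left == value) == (test == "=")
    if test in ("=~", "!~"):
        return fnmatch.fnmatchcase(left, value) == (test == "=~")
    if test in ("in", "notin"):
        return (left in value.split(":")) == (test == "in")
    if test in ("ingroup", "notingroup"):
        if field != "user":
            raise ValueError("ingroup/notingroup apply to the user field only")
        return (account["user"] in GROUPS.get(value, set())) == (test == "ingroup")
    raise ValueError(f"unknown test {test!r}")


def succeed_if(args: Sequence[str], user: str, items: Optional[Dict[str, str]] = None,
               caller_uid: Optional[str] = None) -> bool:
    """True: every condition holds (module succeeds). With use_uid the account
    examined is the one owning the calling process (caller_uid), not the user
    being authenticated. An unknown user fails, as the module does."""
    flags, conds = parse_args(args)
    subject = user
    if "use_uid" in flags:
        if caller_uid is None:
            raise ValueError("use_uid needs the caller's uid")
        subject = next((u for u, a in ACCOUNTS.items() if a["uid"] == caller_uid), "")
    account = ACCOUNTS.get(subject)
    if account is None:
        return False
    return all(evaluate(f, t, v, account, items or {}) for f, t, v in conds)


if __name__ == "__main__":
    print("alice in wheel:", succeed_if(["quiet", "user", "ingroup", "wheel"], "alice"))
    print("bob uid > 500:", succeed_if(["quiet", "uid", ">", "500"], "bob"))
    print("alice from 10.0/16 via sshd:", succeed_if(
        ["service", "in", "sshd:login", "rhost", "=~", "10.0.*"], "alice",
        {"service": "sshd", "rhost": "10.0.0.5"}))
```

Chaining several triples on one line is an AND; an OR needs separate lines
with the skip syntax shown in the second example above.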


AUTHOR

Nalin Dahyabhai <nalin@redhat.com>

pam_time — PAM module for time control access

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

DESCRIPTION

The pam_time PAM module does not authenticate the user, but instead it
restricts access to a system and/or specific applications at various times of
the day and on specific days or over various terminal lines. This module can be
configured to deny access to (individual) users based on their name, the time
of day, the day of the week, the service they are applying for and the terminal
from which they are making their request.

By default, rules for time/port access are taken from the config file
/etc/security/time.conf.

If Linux PAM is compiled with audit support the module will report when it
denies access.

EXAMPLES

These are some example lines which might be specified in
/etc/security/time.conf.

All users except for root are denied access to console-login at all times:

login ; tty* & !ttyp* ; !root ; !Al0000-2400


Games (configured to use PAM) are only to be accessed out of working hours.
This rule does not apply to the user waster:

games ; * ; !waster ; Wd0000-2400 | Wk1800-0800


pam_timestamp — Authenticate using cached successful authentication attempts

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

DESCRIPTION

In a nutshell, pam_timestamp caches successful authentication attempts, and
allows you to use a recent successful attempt as the basis for authentication.
This is a similar mechanism to the one used by sudo.

When an application opens a session using pam_timestamp, a timestamp file is
created in the timestampdir directory for the user. When an application
attempts to authenticate the user, pam_timestamp will treat a sufficiently
recent timestamp file as grounds for succeeding.

OPTIONS

timestampdir=directory

    Specify an alternate directory where pam_timestamp creates timestamp files.

timestamp_timeout=number

    How long (in seconds) pam_timestamp treats a timestamp file as valid after
    its last modification. The default is 300 seconds.

verbose

    Attempt to inform the user when access is granted.

debug

    Turns on debugging messages sent to syslog(3).

NOTES

Users can get confused when they are not always asked for passwords when
running a given program. Some users reflexively begin typing information before
noticing that it is not being asked for.

EXAMPLES

auth sufficient pam_timestamp.so verbose
auth required   pam_unix.so

session required pam_unix.so
session optional pam_timestamp.so


AUTHOR

pam_timestamp was written by Nalin Dahyabhai.

pam_tty_audit -- Enable or disable TTY auditing for specified users

   --------------------------------------------------------------------------

DESCRIPTION

   The pam_tty_audit PAM module is used to enable or disable TTY auditing. By
   default, the kernel does not audit input on any TTY.

OPTIONS

   disable=patterns

           For each user matching patterns, disable TTY auditing. This
           overrides any previous enable option matching the same user name
           on the command line. See NOTES for further description of
           patterns.

   enable=patterns

           For each user matching patterns, enable TTY auditing. This
           overrides any previous disable option matching the same user name
           on the command line. See NOTES for further description of
           patterns.

   open_only

           Set the TTY audit flag when opening the session, but do not
           restore it when closing the session. Using this option is
           necessary for some services that don't fork() to run the
           authenticated session, such as sudo.

   log_passwd

           Log keystrokes when ECHO mode is off but ICANON mode is active.
           This is the mode in which the tty is placed during password entry.
           By default, passwords are not logged. This option may not be
           available on older kernels (3.9?).

NOTES

   When TTY auditing is enabled, it is inherited by all processes started by
   that user. In particular, daemons restarted by a user will still have TTY
   auditing enabled, and will audit TTY input even from other users unless
   auditing for those users is explicitly disabled. Therefore, it is
   recommended to use disable=* as the first option for most daemons using PAM.

   To view the data that was logged by the kernel to audit use the command
   aureport --tty.

   The patterns are comma separated lists of glob patterns or ranges of uids.
   A range is specified as min_uid:max_uid where one of these values can be
   empty. If min_uid is empty only user with the uid max_uid will be matched.
   If max_uid is empty users with the uid greater than or equal to min_uid
   will be matched.

   Please note that passwords in some circumstances may be logged by TTY
   auditing even if the log_passwd is not used. For example, all input to an
   ssh session will be logged - even if there is a password being typed into
   some software running at the remote host because only the local TTY state
   affects the local TTY auditing.

EXAMPLES

   Audit all administrative actions.

 session required pam_tty_audit.so disable=* enable=root
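
   The pattern rules from NOTES (comma-separated globs or min_uid:max_uid
   ranges, with later enable=/disable= options overriding earlier ones for
   the users they match) as an added Python illustration. This is not the
   module's code: it only decides whether auditing would be switched on for a
   given user and uid, and ignores open_only and log_passwd; the user names
   and uids below are constructed.

```python
"""Decide whether pam_tty_audit would enable TTY auditing for a user given its
enable=/disable= arguments.  Added example, not pam_tty_audit code."""
import fnmatch
from typing import List, Sequence, Tuple


def parse_pattern_args(args: Sequence[str]) -> List[Tuple[bool, List[str]]]:
    """[(enable?, [pattern, ...]), ...] in command-line order; other arguments
    (open_only, log_passwd) are ignored here."""
    rules = []
    for a in args:
        key, sep, value = a.partition("=")
        if sep and key in ("enable", "disable"):
            rules.append((key == "enable", value.split(",")))
    return rules


def pattern_matches(pattern: str, user: str, uid: int) -> bool:
    """'min:max' is a uid range, either end may be empty; anything else is a
    glob matched against the user name."""
    if ":" in pattern:
        lo, hi = pattern.split(":", 1)
        if lo == "" and hi == "":
            raise ValueError("uid range needs at least one bound")
        if lo == "":
            return uid == int(hi)          # ':N' matches only uid N
        if hi == "":
            return uid >= int(lo)          # 'N:' matches uid >= N
        return int(lo) <= uid <= int(hi)
    return fnmatch.fnmatchcase(user, pattern)


def audit_enabled(args: Sequence[str], user: str, uid: int) -> bool:
    """Last matching option wins; no match leaves the kernel default (off)."""
    enabled = False
    for enable, patterns in parse_pattern_args(args):
        if any(pattern_matches(p, user, uid) for p in patterns):
            enabled = enable
    return enabled


if __name__ == "__main__":
    line = ["disable=*", "enable=root", "enable=1000:", "disable=svc-*"]
    for user, uid in (("root", 0), ("alice", 1000), ("svc-backup", 1500), ("bin", 1)):
        print(f"{user:12} uid {uid:5}: audit {'on' if audit_enabled(line, user, uid) else 'off'}")
```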


AUTHOR

   pam_tty_audit was written by Miloslav Trmac <mitr@redhat.com>. The
   log_passwd option was added by Richard Guy Briggs <rgb@redhat.com>.
pam_umask — PAM module to set the file mode creation mask

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

DESCRIPTION

pam_umask is a PAM module to set the file mode creation mask of the current
environment. The umask affects the default permissions assigned to newly
created files.

The PAM module tries to get the umask value from the following places in the
following order:

  • umask= entry in the user's GECOS field

  • umask= argument

  • UMASK entry from /etc/login.defs

  • UMASK= entry from /etc/default/login

The GECOS field is split on comma ',' characters. In addition to the umask=
entry, the module recognizes a pri= entry, which sets the nice priority value
for the session, and a ulimit= entry, which sets the maximum size of files the
processes in the session can create.

OPTIONS

debug

    Print debug information.

silent

    Don't print informative messages.

usergroups

    If the user is not root and the username is the same as the primary group
    name, the umask group bits are set to be the same as the owner bits
    (examples: 022 -> 002, 077 -> 007).

umask=mask

    Sets the calling process's file mode creation mask (umask) to mask & 0777.
    The value is interpreted as octal.

EXAMPLES

Add the following line to /etc/pam.d/login to set the user specific umask at
login:

        session optional pam_umask.so umask=0022
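
The lookup order and the usergroups rule, as an added example that is not
pam_umask's own code. The GECOS field and the contents of /etc/login.defs and
/etc/default/login are passed in as constructed strings rather than read from
the system, and the user's primary group name is supplied by the caller.

```python
# Added example of pam_umask's lookup order and usergroups transformation.
# Not the module's code: file contents arrive as strings, not from /etc.
from typing import Dict, Optional


def gecos_settings(gecos: str) -> Dict[str, str]:
    """Split the GECOS field on ',' and pick out umask=, pri= and ulimit=."""
    found = {}
    for part in gecos.split(","):
        key, sep, value = part.strip().partition("=")
        if sep and key in ("umask", "pri", "ulimit"):
            found[key] = value.strip()
    return found


def _lookup(text: str, key: str, assignment: bool) -> Optional[str]:
    """assignment=False reads 'KEY value' lines (login.defs style);
    assignment=True reads 'KEY=value' lines (/etc/default/login style)."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if assignment:
            k, sep, v = line.partition("=")
            if sep and k.strip() == key:
                return v.strip()
        else:
            parts = line.split(None, 1)
            if len(parts) == 2 and parts[0] == key:
                return parts[1].strip()
    return None


def resolve_umask(gecos: str, module_arg: Optional[str] = None,
                  login_defs: str = "", default_login: str = "",
                  user: str = "", primary_group: str = "",
                  usergroups: bool = False) -> Optional[int]:
    """Return the mask pam_umask would apply, or None if no source sets one.
    Sources are consulted in the documented order; the first hit wins."""
    candidates = (
        gecos_settings(gecos).get("umask"),              # 1. umask= in GECOS
        module_arg,                                      # 2. umask= argument
        _lookup(login_defs, "UMASK", assignment=False),  # 3. /etc/login.defs
        _lookup(default_login, "UMASK", assignment=True),  # 4. /etc/default/login
    )
    value = next((c for c in candidates if c is not None), None)
    if value is None:
        return None
    mask = int(value, 8) & 0o777            # interpreted as octal, masked to 0777
    if usergroups and user != "root" and user == primary_group:
        owner_bits = (mask >> 6) & 0o7
        mask = (mask & 0o707) | (owner_bits << 3)   # group bits := owner bits
    return mask


if __name__ == "__main__":
    # Constructed inputs: a GECOS field that sets its own umask, and files
    # that would otherwise have applied.
    print(oct(resolve_umask("Alice Smith,,,umask=027", "0022",
                            "UMASK 077\n", "UMASK=022\n")))
    print(oct(resolve_umask("", "0022", user="carol", primary_group="carol",
                            usergroups=True)))
```

A user who can edit their own GECOS field (chfn) can therefore override the
administrator's umask= argument, which is worth keeping in mind when the
module argument is meant as a floor rather than a default.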


AUTHOR

pam_umask was written by Thorsten Kukuk <kukuk@thkukuk.de>.

pam_unix -- Module for traditional password authentication

   --------------------------------------------------------------------------

DESCRIPTION

   This is the standard Unix authentication module. It uses standard calls
   from the system's libraries to retrieve and set account information as
   well as authentication. Usually this is obtained from the /etc/passwd and
   the /etc/shadow file as well if shadow is enabled.

   The account component performs the task of establishing the status of the
   user's account and password based on the following shadow elements:
   expire, last_change, max_change, min_change, warn_change. Based on these,
   it may offer advice to the user on changing their password or, through the
   PAM_NEW_AUTHTOK_REQD return, delay giving service to the user until they
   have established a new password. The entries listed above are
   documented in the shadow(5) manual page. Should the user's record not
   contain one or more of these entries, the corresponding shadow check is
   not performed.
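
   The shadow aging checks the account component performs, as an added model
   that is not pam_unix's own code. The check order and the return codes
   follow shadow(5) and the description above; the inactive field (the
   seventh shadow(5) column) is included because it decides between
   PAM_NEW_AUTHTOK_REQD and PAM_AUTHTOK_EXPIRED. The sample entries are
   constructed and their hashes are placeholders.

```python
# Added model of the shadow(5) aging checks behind pam_unix's account
# component. Stand-alone illustration, not the module's code; the sample
# entries below are constructed.
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass
class ShadowEntry:
    name: str
    last_change: int   # days since 1970-01-01 of the last change; 0 = must change now
    min_change: int    # minimum days between changes (-1 = unset)
    max_change: int    # days a password stays valid (-1 = never expires)
    warn_change: int   # days before expiry on which to start warning (-1 = unset)
    inactive: int      # grace days after expiry before the account locks (-1 = unset)
    expire: int        # absolute day on which the account is disabled (-1 = unset)


def _days(field: str) -> int:
    """Empty shadow fields read as -1, the value getspnam(3) reports for them."""
    return int(field) if field else -1


def parse_shadow_line(line: str) -> ShadowEntry:
    f = line.rstrip("\n").split(":")
    if len(f) != 9:
        raise ValueError("shadow(5) lines have exactly nine colon-separated fields")
    return ShadowEntry(f[0], _days(f[2]), _days(f[3]), _days(f[4]),
                       _days(f[5]), _days(f[6]), _days(f[7]))


def account_status(e: ShadowEntry, today: int) -> Tuple[str, int]:
    """Evaluate the entry on `today` (days since the epoch).
    Returns (pam_result, days_left); days_left is -1 unless a warning applies.
    A field that is unset (-1) simply skips its check, as the text says."""
    if e.expire > 0 and today >= e.expire:
        return "PAM_ACCT_EXPIRED", -1
    if e.last_change == 0:
        return "PAM_NEW_AUTHTOK_REQD", -1        # administrator forced a change
    if today < e.last_change:
        return "PAM_SUCCESS", -1                 # changed "in the future": clock skew
    age = today - e.last_change
    if e.max_change != -1:
        if e.inactive != -1 and age > e.max_change + e.inactive:
            return "PAM_AUTHTOK_EXPIRED", -1     # too old for the user to change
        if age > e.max_change:
            return "PAM_NEW_AUTHTOK_REQD", -1    # expired: new password before service
        if e.warn_change != -1 and age > e.max_change - e.warn_change:
            return "PAM_SUCCESS", e.max_change - age
    return "PAM_SUCCESS", -1


def too_soon_to_change(e: ShadowEntry, today: int) -> bool:
    """The min_change check applied when the user asks to change the password."""
    return e.min_change > 0 and today - e.last_change < e.min_change


# Constructed sample entries; "$6$s$h" stands in for a real hash.
SHADOW_LINES = """\
alice:$6$s$h:18950:0:99999:7:::
bob:$6$s$h:18900:0:90:7:::
carol:$6$s$h:18900:0:90:7:5::
dave:$6$s$h:18915:0:90:7:::
erin:$6$s$h:0:0:99999:7:::
frank:$6$s$h:18950:0:99999:7::18990:
gina:$6$s$h:18995:7:90:7:::
"""


def evaluate_all(today: int) -> Dict[str, Tuple[str, int, bool]]:
    """Map each sample user to (status, days_left, too_soon_to_change)."""
    out = {}
    for line in SHADOW_LINES.splitlines():
        e = parse_shadow_line(line)
        status, left = account_status(e, today)
        out[e.name] = (status, left, too_soon_to_change(e, today))
    return out


if __name__ == "__main__":
    for name, verdict in evaluate_all(19000).items():
        print(name, *verdict)
```

   Evaluated on day 19000, bob's password is merely expired (he must change
   it before getting service) while carol's has also outlived its inactive
   grace period and can no longer be changed by her at all; dave is still
   within his password's lifetime but inside the warning window.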

   The authentication component performs the task of checking the user's
   credentials (password). The default action of this module is to not permit
   the user access to a service if their official password is blank.

   A helper binary, unix_chkpwd(8), is provided to check the user's password
   when it is stored in a read protected database. This binary is very simple
   and will only check the password of the user invoking it. It is called
   transparently on behalf of the user by the authenticating component of
   this module. In this way it is possible for applications like xlock(1) to
   work without being setuid-root. The module, by default, will temporarily
   turn off SIGCHLD handling for the duration of execution of the helper
   binary. This is generally the right thing to do, as many applications are
   not prepared to handle this signal from a child they didn't know was
   fork()d. The noreap module argument can be used to suppress this temporary
   shielding and may be needed for use with certain applications.

   The maximum length of a password supported by the pam_unix module via the
   helper binary is PAM_MAX_RESP_SIZE - currently 512 bytes. The rest of the
   password provided by the conversation function to the module will be
   ignored.

   The password component of this module performs the task of updating the
   user's password. The default password hash is taken from the
   ENCRYPT_METHOD variable in /etc/login.defs.

   The session component of this module logs when a user logs in to or leaves
   the system.

   Remaining arguments, supported by other functions of this module, are
   silently ignored. Other arguments are logged as errors through syslog(3).

OPTIONS

   debug

           Turns on debugging via syslog(3).

   audit

           A little more extreme than debug.

   quiet

           Turns off informational messages, namely messages about session
           open and close, via syslog(3).

   nullok

           The default action of this module is to not permit the user access
           to a service if their official password is blank. The nullok
           argument overrides this default.

   try_first_pass

           Before prompting the user for their password, the module first
           tries the previous stacked module's password in case that
           satisfies this module as well.

   use_first_pass

           The argument use_first_pass forces the module to use a previously
           stacked module's password and will never prompt the user - if no
           password is available or the password is not appropriate, the user
           will be denied access.

   nodelay

           This argument can be used to discourage the authentication
           component from requesting a delay should the authentication as a
           whole fail. The default action is for the module to request a
           delay-on-failure of the order of two seconds.

   use_authtok

           When changing passwords, force the module to set the new password
           to the one provided by a previously stacked password module (this
           is used in the example of the stacking of the pam_cracklib module
           documented below).

   authtok_type=type

           This argument can be used to modify the password prompt when
           changing passwords to include the type of the password. Empty by
           default.

   nis

           NIS RPC is used for setting new passwords.

   remember=n

           The last n passwords for each user are saved in
           /etc/security/opasswd in order to enforce password change history
           and keep the user from alternating between the same passwords too
           frequently. The MD5 password hash algorithm is used for storing
           the old passwords. Instead of this option, the pam_pwhistory module
           should be used.

   shadow

           Try to maintain a shadow based system.

   md5

           When a user changes their password next, encrypt it with the MD5
           algorithm.

   bigcrypt

           When a user changes their password next, encrypt it with the DEC
           C2 algorithm.

   sha256

           When a user changes their password next, encrypt it with the
           SHA256 algorithm. The SHA256 algorithm must be supported by the
           crypt(3) function.

   sha512

           When a user changes their password next, encrypt it with the
           SHA512 algorithm. The SHA512 algorithm must be supported by the
           crypt(3) function.

   blowfish

           When a user changes their password next, encrypt it with the
           blowfish algorithm. The blowfish algorithm must be supported by
           the crypt(3) function.

   rounds=n

           Set the optional number of rounds of the SHA256, SHA512 and
           blowfish password hashing algorithms to n.

   broken_shadow

           Ignore errors reading shadow information for users in the account
           management module.

   minlen=n

           Set a minimum password length of n characters. The maximum for DES
           crypt based passwords is 8 characters.

   no_pass_expiry

           When set, ignore password expiration as defined by the user's
           shadow entry. The option has an effect only if pam_unix was not
           used for authentication, or returned an authentication failure,
           meaning that another authentication source or method succeeded
           (public key authentication in sshd, for example). The module then
           returns PAM_SUCCESS instead of the eventual PAM_NEW_AUTHTOK_REQD or
           PAM_AUTHTOK_EXPIRED.

   Invalid arguments are logged with syslog(3).

EXAMPLES

   An example usage for /etc/pam.d/login would be:

 # Authenticate the user
 auth       required   pam_unix.so
 # Ensure users account and password are still active
 account    required   pam_unix.so
 # Change the user's password, but at first check the strength
 # with pam_cracklib(8)
 password   required   pam_cracklib.so retry=3 minlen=6 difok=3
 password   required   pam_unix.so use_authtok nullok md5
 session    required   pam_unix.so


AUTHOR

   pam_unix was written by various people.

pam_userdb -- PAM module to authenticate against a db database

   --------------------------------------------------------------------------

DESCRIPTION

   The pam_userdb module is used to verify a username/password pair against
   values stored in a Berkeley DB database. The database is indexed by the
   username, and the data fields corresponding to the username keys are the
   passwords.

OPTIONS

   crypt=[crypt|none]

           Indicates whether encrypted or plaintext passwords are stored in
           the database. If it is crypt, passwords should be stored in the
           database in crypt(3) form. If none is selected, passwords should
           be stored in the database as plaintext.

   db=/path/database

           Use the /path/database database for performing lookup. There is no
           default; the module will return PAM_IGNORE if no database is
           provided. Note that the path to the database file should be
           specified without the .db suffix.

   debug

           Print debug information. Note that password hashes, both from db
           and computed, will be printed to syslog.

   dump

           Dump all the entries in the database to the log. Don't do this by
           default!

   icase

           Make the password verification case insensitive (e.g. when
           working with registration numbers and such). Only works with
           plaintext password storage.

   try_first_pass

           Use the authentication token previously obtained by another module
           that did the conversation with the application. If this token can
           not be obtained then the module will try to converse. This option
           can be used for stacking different modules that need to deal with
           the authentication tokens.

   use_first_pass

           Use the authentication token previously obtained by another module
           that did the conversation with the application. If this token can
           not be obtained then the module will fail. This option can be used
           for stacking different modules that need to deal with the
           authentication tokens.

   unknown_ok

           Do not return error when checking for a user that is not in the
           database. This can be used to stack more than one pam_userdb
           module that will check a username/password pair in more than a
           database.

   key_only

           The username and password are concatenated together in the
           database hash as 'username-password' with a random value. If the
           concatenation of the username and password with a dash in the
           middle returns any result, the user is valid. This is useful in
           cases where the username may not be unique but the username and
           password pair are.

EXAMPLES

 auth  sufficient pam_userdb.so icase db=/etc/dbtest


AUTHOR

   pam_userdb was written by Cristian Gafton <gafton@redhat.com>.

pam_usertype -- check if the authenticated user is a system or regular account

   --------------------------------------------------------------------------

DESCRIPTION

   pam_usertype.so is designed to succeed or fail authentication based on the
   type of the account of the authenticated user. The type of the account is
   decided with the help of the SYS_UID_MAX setting in /etc/login.defs. One
   use is to select whether to load other modules based on this test.

   The module should be given only one condition as module argument.
   Authentication will succeed only if the condition is met.

OPTIONS

   The following flags are supported:

   use_uid

           Evaluate conditions using the account of the user whose UID the
           application is running under instead of the user being
           authenticated.

   audit

           Log unknown users to the system log.

   Available conditions are:

   issystem

           Succeed if the user is a system user.

   isregular

           Succeed if the user is a regular user.

EXAMPLES

   Skip remaining modules if the user is a system user:

 account sufficient pam_usertype.so issystem


AUTHOR

   Pavel Brezina <pbrezina@redhat.com>

pam_warn — PAM module which logs all PAM items if called

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

DESCRIPTION

pam_warn is a PAM module that logs the service, terminal, user, remote user and
remote host to syslog(3). The items are not probed for, but instead obtained
from the standard PAM items. The module always returns PAM_IGNORE, indicating
that it does not want to affect the authentication process.

OPTIONS

This module does not recognise any options.

EXAMPLES

#%PAM-1.0
#
# If we don't have config entries for a service, the
# OTHER entries are used. To be secure, warn and deny
# access to everything.
other auth     required       pam_warn.so
other auth     required       pam_deny.so
other account  required       pam_warn.so
other account  required       pam_deny.so
other password required       pam_warn.so
other password required       pam_deny.so
other session  required       pam_warn.so
other session  required       pam_deny.so


AUTHOR

pam_warn was written by Andrew G. Morgan <morgan@kernel.org>.

pam_wheel -- Only permit root access to members of group wheel

   --------------------------------------------------------------------------

DESCRIPTION

   The pam_wheel PAM module is used to enforce the so-called wheel group. By
   default it permits root access to the system if the applicant user is a
   member of the wheel group. If no group with this name exists, the module
   uses the group with group-ID 0.

OPTIONS

   debug

           Print debug information.

   deny

           Reverse the sense of the auth operation: if the user is trying to
           get UID 0 access and is a member of the wheel group (or the group
           of the group option), deny access. Conversely, if the user is not
           in the group, return PAM_IGNORE (unless trust was also specified,
           in which case we return PAM_SUCCESS).

   group=name

           Instead of checking the wheel or GID 0 groups, use the name group
           to perform the authentication.

   root_only

           The check for wheel membership is done only when the target user
           UID is 0.

   trust

           The pam_wheel module will return PAM_SUCCESS instead of PAM_IGNORE
           if the user is a member of the wheel group (thus, with a little
           play stacking the modules, wheel members may be able to su to
           root without being prompted for a password).

   use_uid

           The check will be done against the real uid of the calling
           process, instead of trying to obtain the user from the login
           session associated with the terminal in use.

EXAMPLES

   The root account gains access by default (rootok), only wheel members can
   become root (wheel), but non-root applicants are authenticated by Unix.

 su      auth     sufficient     pam_rootok.so
 su      auth     required       pam_wheel.so
 su      auth     required       pam_unix.so


AUTHOR

   pam_wheel was written by Cristian Gafton <gafton@redhat.com>.

pam_xauth — PAM module to forward xauth keys between users

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

DESCRIPTION

The pam_xauth PAM module is designed to forward xauth keys (sometimes referred
to as "cookies") between users.

Without pam_xauth, when xauth is enabled and a user uses the su(1) command to
assume another user's privileges, that user is no longer able to access the
original user's X display because the new user does not have the key needed to
access the display. pam_xauth solves the problem by forwarding the key from the
user running su (the source user) to the user whose identity the source user is
assuming (the target user) when the session is created, and destroying the key
when the session is torn down.

This means, for example, that when you run su(1) from an xterm session, you
will be able to run X programs without explicitly dealing with the xauth(1)
xauth command or ~/.Xauthority files.

pam_xauth will only forward keys if xauth can list a key connected to the
$DISPLAY environment variable.

Primitive access control is provided by ~/.xauth/export in the invoking user's
home directory and ~/.xauth/import in the target user's home directory.

If a user has a ~/.xauth/import file, the user will only receive cookies from
users listed in the file. If there is no ~/.xauth/import file, the user will
accept cookies from any other user.

If a user has a ~/.xauth/export file, the user will only forward cookies to
users listed in the file. If there is no ~/.xauth/export file, and the invoking
user is not root, the user will forward cookies to any other user. If there is
no ~/.xauth/export file, and the invoking user is root, the user will not
forward cookies to other users.

Both the import and export files support wildcards (such as *). Both the import
and export files can be empty, signifying that no users are allowed.

OPTIONS

debug

    Print debug information.

xauthpath=/path/to/xauth

    Specify the path to the xauth program (by default it is looked for in
    /usr/X11R6/bin/xauth, /usr/bin/xauth, or /usr/bin/X11/xauth).

systemuser=UID

    Specify the highest UID which will be assumed to belong to a "system" user.
    pam_xauth will refuse to forward credentials to users with UID less than or
    equal to this number, except for root and the "targetuser", if specified.

targetuser=UID

    Specify a single target UID which is exempt from the systemuser check.

EXAMPLES

Add the following line to /etc/pam.d/su to forward xauth keys between users
when calling su:

session  optional  pam_xauth.so


IMPLEMENTATION DETAILS

pam_xauth will work only if it is used from a setuid application in which the
getuid() call returns the id of the user running the application, and for which
PAM can supply the name of the account that the user is attempting to assume.
The typical application of this type is su(1). The application must call both
pam_open_session() and pam_close_session() with the ruid set to the uid of the
calling user and the euid set to root, and must have provided as the PAM_USER
item the name of the target user.

pam_xauth calls xauth(1) as the source user to extract the key for $DISPLAY,
then calls xauth as the target user to merge the key into a temporary database,
which it later removes.

pam_xauth cannot be told to not remove the keys when the session is closed.

AUTHOR

pam_xauth was written by Nalin Dahyabhai <nalin@redhat.com>, based on original
version by Michael K. Johnson <johnsonm@redhat.com>.

pam_access -- PAM module for logdaemon style login access control

   --------------------------------------------------------------------------

DESCRIPTION

   The pam_access PAM module is mainly for access management. It provides
   logdaemon style login access control based on login names, host or domain
   names, internet addresses or network numbers, or on terminal line names, X
   $DISPLAY values, or PAM service names in case of non-networked logins.

   By default rules for access management are taken from config file
   /etc/security/access.conf if you don't specify another file. Then
   individual *.conf files from the /etc/security/access.d/ directory are
   read. The files are parsed one after another in the order of the system
   locale. The effect of the individual files is the same as if all the files
   were concatenated together in the order of parsing. This means that once a
   pattern is matched in some file no further files are parsed. If a config
   file is explicitly specified with the accessfile option the files in the
   above directory are not parsed.

   If Linux PAM is compiled with audit support the module will report when it
   denies access based on origin (host, tty, etc.).

OPTIONS

   accessfile=/path/to/access.conf

           Indicate an alternative access.conf style configuration file to
           override the default. This can be useful when different services
           need different access lists.

   debug

           A lot of debug information is printed with syslog(3).

   noaudit

           Do not report logins from disallowed hosts and ttys to the audit
           subsystem.

   nodefgroup

           User tokens which are not enclosed in parentheses will not be
           matched against the group database. The backwards compatible
           default is to try the group database match even for tokens not
           enclosed in parentheses.

   nodns

           Do not try to resolve tokens as hostnames; only IPv4 and IPv6
           addresses will be resolved. This means that, to allow login from a
           remote host, its IP addresses need to be specified in access.conf.

   quiet_log

           Do not log denials with syslog(3).

   fieldsep=separators

           This option modifies the field separator character that pam_access
           will recognize when parsing the access configuration file. For
           example: fieldsep=| will cause the default `:' character to be
           treated as part of a field value and `|' becomes the field
           separator. Doing this may be useful in conjunction with a system
           that wants to use pam_access with X based applications, since the
           PAM_TTY item is likely to be of the form "hostname:0" which
           includes a `:' character in its value. But you should not need
           this.

   listsep=separators

           This option modifies the list separator character that pam_access
           will recognize when parsing the access configuration file. For
           example: listsep=, will cause the default ` ' (space) and `\t'
           (tab) characters to be treated as part of a list element value and
           `,' becomes the only list element separator. Doing this may be
           useful on a system with group information obtained from a Windows
           domain, where the default built-in groups "Domain Users", "Domain
           Admins" contain a space.

EXAMPLES

   These are some example lines which might be specified in
   /etc/security/access.conf.

   User root should be allowed to get access via cron, X11 terminal :0, tty1,
   ..., tty5, tty6.

   +:root:crond :0 tty1 tty2 tty3 tty4 tty5 tty6

   User root should be allowed to get access from hosts which own the IPv4
   addresses. This does not mean that the connection has to be an IPv4 one; an
   IPv6 connection from a host with one of these IPv4 addresses works, too.

   +:root:192.168.200.1 192.168.200.4 192.168.200.9

   +:root:127.0.0.1

   User root should get access from network 192.168.201. where the term will
   be evaluated by string matching. But it might be better to use
   network/netmask instead. The same meaning of 192.168.201. is
   192.168.201.0/24 or 192.168.201.0/255.255.255.0.

   +:root:192.168.201.

   User root should be able to have access from hosts foo1.bar.org and
   foo2.bar.org (uses string matching also).

   +:root:foo1.bar.org foo2.bar.org

   User root should be able to have access from domain foo.bar.org (uses
   string matching also).

   +:root:.foo.bar.org

   User root should be denied to get access from all other sources.

   -:root:ALL

   User foo and members of netgroup admins should be allowed to get access
   from all sources. This will only work if netgroup service is available.

   +:@admins foo:ALL

   User john and foo should get access from IPv6 host address.

   +:john foo:2001:db8:0:101::1

   User john should get access from IPv6 net/mask.

   +:john:2001:db8:0:101::/64

   Disallow console logins to all but the shutdown and sync accounts and
   members of the wheel group.

   -:ALL EXCEPT (wheel) shutdown sync:LOCAL

   All other users should be denied to get access from all sources.

   -:ALL:ALL
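
   The rules above run through an evaluator, as an added example that is not
   pam_access's own code. It assumes string comparison for host names (no
   DNS, as with nodns), never resolves netgroups, and takes LOCAL to mean an
   origin that is neither an address nor contains a dot (a tty name, for
   instance); the group database is a constructed dictionary and the rule set
   is a copy of the examples in this section.

```python
# Added example: an evaluator for access.conf rules of the kinds shown above.
# Not pam_access's own code. Assumptions: host names compared as strings (no
# DNS), netgroups (@name) never resolved, LOCAL = origin that is neither an
# address nor contains a dot.
import ipaddress


def parse_rules(text):
    """Return (permission, user_tokens, origin_tokens) per non-comment line."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(":", 2)          # origins may themselves contain ':'
        if len(fields) != 3:
            raise ValueError("malformed access.conf line: %r" % raw)
        perm, users, origins = (f.strip() for f in fields)
        rules.append((perm, users.split(), origins.split()))
    return rules


def _ip(text):
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def origin_matches(token, origin):
    addr = _ip(origin)
    if token == "ALL":
        return True
    if token == "LOCAL":                        # assumption, see lead-in
        return addr is None and "." not in origin
    if "/" in token:                            # net/prefixlen or net/netmask
        try:
            return addr is not None and addr in ipaddress.ip_network(token, strict=False)
        except ValueError:
            return False
    if token.endswith("."):                     # 192.168.201.  -> string prefix
        return origin.startswith(token)
    if token.startswith("."):                   # .foo.bar.org  -> domain suffix
        return origin.endswith(token)
    tok_ip = _ip(token)
    if tok_ip is not None:                      # exact address, any textual form
        return addr == tok_ip
    return origin == token                      # tty, hostname, service or $DISPLAY


def user_matches(token, user, groups):
    if token == "ALL":
        return True
    if token.startswith("(") and token.endswith(")"):
        return user in groups.get(token[1:-1], ())
    if token.startswith("@"):                   # netgroup: not resolved here
        return False
    # bare token: a user name or, without nodefgroup, also a group name
    return token == user or user in groups.get(token, ())


def list_matches(tokens, match):
    """'a b EXCEPT c d' matches any of the first part and none of the second."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return (any(match(t) for t in tokens[:i])
                and not any(match(t) for t in tokens[i + 1:]))
    return any(match(t) for t in tokens)


def check_access(conf_text, user, origin, groups):
    """True if access is granted. The first rule matching both user and origin
    decides; with no matching rule pam_access grants access, which is why the
    examples end with -:ALL:ALL."""
    for perm, users, origins in parse_rules(conf_text):
        if (list_matches(users, lambda t: user_matches(t, user, groups))
                and list_matches(origins, lambda t: origin_matches(t, origin))):
            return perm == "+"
    return True


# Constructed copy of the example rules from this section.
ACCESS_CONF = """
+:root:crond :0 tty1 tty2 tty3 tty4 tty5 tty6
+:root:192.168.200.1 192.168.200.4 192.168.200.9
+:root:127.0.0.1
+:root:192.168.201.
+:root:foo1.bar.org foo2.bar.org
+:root:.foo.bar.org
-:root:ALL
+:@admins foo:ALL
+:john foo:2001:db8:0:101::1
+:john:2001:db8:0:101::/64
-:ALL EXCEPT (wheel) shutdown sync:LOCAL
-:ALL:ALL
"""
GROUPS = {"wheel": {"carol"}}                   # constructed group database

if __name__ == "__main__":
    for user, origin in (("root", "tty1"), ("root", "10.0.0.1"),
                         ("john", "2001:db8:0:101::abcd"), ("bob", "tty2")):
        verdict = check_access(ACCESS_CONF, user, origin, GROUPS)
        print(user, origin, "->", "allow" if verdict else "deny")
```

   Note how the closing -:ALL:ALL changes the outcome for wheel members at
   the console: the LOCAL rule does not match them, so without the catch-all
   they would fall through to the default grant.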

This pam_chroot module provides session support only.  It is based
almost entirely on Matthew Kirkwood's original version obtained from
ftp://ferret.lmh.ox.ac.uk/users/weejock/pam_chroot/.

Operation:
When the calling application attempts to open a session, pam_chroot
opens /etc/security/chroot.conf and searches for a line of the form:
user directory
where the "user" listed is actually a regular expression.  If the
PAM_USER for whom the session is being opened matches the regular
expression, the module will attempt to chroot() to the given directory.

Optional arguments:
"debug"		Log debug messages to syslog.
"onerr="	Values can be "succeed" or "fail".  The action to take if
		the configuration file can not be opened, the chroot()
		fails, or the user does not match any of the expressions
		listed in the configuration file.  Default is "succeed".

Other Notes:
The calling application must be executing with root privileges in order to
be able to chroot() at all.  If the application needs to exec() other programs
(such as a server process or spawning a shell), you will need to duplicate
some portions of an actual root environment under the chroot()ed directory
in order for it to work at all.  (This includes configuration and logging
files.)  If configured incorrectly, this module may potentially render the
service unusable and, under some circumstances, pose a security risk.

In particular, the new root directory and all of its parent directories must
not be writable by anyone but root.

README for pam_console
======================

NOTE: This software is very powerful.  Incautious use could leave your
system open to attack, or difficult to use.

pam_console is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Because pam_console integrates GPL-licensed code, all of pam_console
is licensed only under the GPL, unlike most PAM modules.  See the
file COPYING for the license terms under which this software is
licensed.

(If this software breaks your system, you get to keep all the pieces.)

The pam_console module exists to change file permissions when users
log on at the console, and to change them back when they log out of
the console.  It also cooperates with the pam_listfile module to
make it possible to allow users who are at the console to run
various programs that would otherwise be restricted to root only.

The pam_console.8 and pam_console_apply.8 man pages explain this
software in more detail.

Please note: the current version depends on too many external tools
and libraries, making it big and hard to evaluate for security.
This is only a bootstrap stage; I'll be fixing it later.  I'm using
lex/yacc right now so that it is trivial to change the grammar, and
I'm using glib because I didn't want to write my own hashtables
while I was busy thinking about file locking.  Don't report those
as bugs, I'll fix them later once I've ironed out the important
details...

Michael K. Johnson
Red Hat Software, Inc.

Additional note: the current version is improved so that the functionality
of changing the ownership and permissions of the devices is split out
of the pam_console.so module to the pam_console_apply executable,
which is called from the pam_console module when the lock is obtained.
Thus the module doesn't depend on the glib.

Copyright 1999, 2005 Red Hat, Inc.

pam_cracklib — PAM module to check the password against dictionary words

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

DESCRIPTION

This module can be plugged into the password stack of a given application to
provide some plug-in strength-checking for passwords.

The action of this module is to prompt the user for a password and check its
strength against a system dictionary and a set of rules for identifying poor
choices.

The first action is to prompt for a single password, check its strength and
then, if it is considered strong, prompt for the password a second time (to
verify that it was typed correctly on the first occasion). All being well, the
password is passed on to subsequent modules to be installed as the new
authentication token.

The strength checks work in the following manner: first the Cracklib routine is
called to check whether the password is part of a dictionary; if it is not, an
additional set of strength checks is done. These checks are:

Palindrome

    Is the new password a palindrome?

Case Change Only

    Is the new password the old one with only a change of case?

Similar

    Is the new password too much like the old one? This is primarily controlled
    by one argument, difok which is a number of character changes (inserts,
    removals, or replacements) between the old and new password that are enough
    to accept the new password. This defaults to 5 changes.

Simple

    Is the new password too small? This is controlled by 6 arguments: minlen,
    maxclassrepeat, dcredit, ucredit, lcredit, and ocredit. See the section on
    the arguments for the details of how these work and their defaults.

Rotated

    Is the new password a rotated version of the old password?

Same consecutive characters

    Optional check for same consecutive characters.

Too long monotonic character sequence

    Optional check for too long monotonic character sequence.

Contains user name

    Optional check whether the password contains the user's name in some form.

This module with no arguments will work well for standard Unix password
hashing. With MD5 hashing, passwords can be longer than 8 characters and the
default settings for this module can make it hard for the user to choose a
satisfactory new password. Notably, the requirement that the new password
contain no more than 1/2 of the characters in the old password becomes a
non-trivial constraint. For example, an old password of the form "the quick
brown fox jumped over the lazy dogs" would be difficult to change. In
addition, the default action is to allow passwords as short as 5 characters in
length. On MD5 systems it can be a good idea to increase the required minimum
size of a password. One can then allow more credit for different kinds of
characters but accept that the new password may share most of these
characters with the old password.
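
The rule checks listed above, modelled as an added example that is not
pam_cracklib's own code. The cracklib dictionary lookup is not reproduced; the
credit arithmetic follows the minlen and dcredit/ucredit/lcredit/ocredit
descriptions in OPTIONS below, and the difok comparison is taken to be an edit
distance (inserts, removals, replacements) as the Similar check describes.

```python
# Added model of the rule checks pam_cracklib runs after the dictionary
# lookup. Not the module's code; the dictionary check is not reproduced.


def edit_distance(a, b):
    """Minimum number of inserts, removals or replacements turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # remove ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # replace (or keep)
        prev = cur
    return prev[-1]


def is_rotated(old, new):
    """True when new is old rotated by some amount (0 included: identical)."""
    return len(old) == len(new) and len(old) > 0 and new in old + old


def credit_check(pw, minlen=9, dcredit=1, ucredit=1, lcredit=1, ocredit=1):
    """The 'Simple' check. Credit N >= 0 lets up to N characters of that class
    each count one extra towards minlen; N < 0 demands at least -N characters
    of the class and gives no credit for them."""
    counts = {
        "digit": sum(c.isdigit() for c in pw),
        "upper": sum(c.isupper() for c in pw),
        "lower": sum(c.islower() for c in pw),
    }
    counts["other"] = len(pw) - sum(counts.values())
    required = minlen
    for cls, credit in (("digit", dcredit), ("upper", ucredit),
                        ("lower", lcredit), ("other", ocredit)):
        if credit >= 0:
            required -= min(counts[cls], credit)
        elif counts[cls] < -credit:
            return False
    return len(pw) >= required


def check_password(old, new, difok=5, **credits):
    """Return the names of the rules the new password fails; [] means accepted.
    Pass old="" when no previous password is known (skips the comparisons)."""
    failures = []
    if new == new[::-1]:
        failures.append("palindrome")
    if old:
        if old.lower() == new.lower():
            failures.append("case change only")
        if edit_distance(old, new) < difok:
            failures.append("too similar")
        if is_rotated(old, new):
            failures.append("rotated")
    if not credit_check(new, **credits):
        failures.append("too simple")
    return failures


if __name__ == "__main__":
    # Constructed old/new pairs exercising each rule with the default settings.
    for old, new in (("", "abcdefgh"), ("", "abcdefg"), ("Secret123", "SECRET123"),
                     ("Secret123", "Secret124"), ("abc123xyz", "123xyzabc"),
                     ("", "abccba")):
        print(repr(new), "->", check_password(old, new) or "accepted")
```

With the defaults (minlen=9, one credit per class) an all-lowercase password
needs 8 characters, which is the old 8-character Unix behaviour the text
refers to; a mixed password such as "Abcdef1!" passes with 8 characters
because it collects four credits.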

OPTIONS

debug

    This option makes the module write information to syslog(3) indicating the
    behavior of the module (this option does not write password information to
    the log file).

authtok_type=XXX

    The default action is for the module to use the following prompts when
    requesting passwords: "New UNIX password: " and "Retype UNIX password: ".
    The example word UNIX can be replaced with this option, by default it is
    empty.

retry=N

    Prompt user at most N times before returning with error. The default is 1.

difok=N

    This argument will change the default of 5 for the number of character
    changes in the new password that differentiate it from the old password.

minlen=N

    The minimum acceptable size for the new password (plus one if credits are
    not disabled which is the default). In addition to the number of characters
    in the new password, credit (of +1 in length) is given for each different
    kind of character (other, upper, lower and digit). The default for this
    parameter is 9 which is good for an old style UNIX password all of the same
    type of character but may be too low to exploit the added security of an
    md5 system. Note that there is a pair of length limits in Cracklib itself, a
    "way too short" limit of 4 which is hard coded in and a defined limit (6)
    that will be checked without reference to minlen. If you want to allow
    passwords as short as 5 characters you should not use this module.

dcredit=N

    (N >= 0) This is the maximum credit for having digits in the new password.
    If you have N or fewer digits, each digit will count +1 towards meeting
    the current minlen value. The default for dcredit is 1, which is the
    recommended value for minlen less than 10.

    (N < 0) This is the minimum number of digits that must be met for a new
    password.

ucredit=N

    (N >= 0) This is the maximum credit for having upper case letters in the
    new password. If you have N or fewer upper case letters, each letter
    will count +1 towards meeting the current minlen value. The default for
    ucredit is 1, which is the recommended value for minlen less than 10.

    (N < 0) This is the minimum number of upper case letters that must be met
    for a new password.

lcredit=N

    (N >= 0) This is the maximum credit for having lower case letters in the
    new password. If you have N or fewer lower case letters, each letter
    will count +1 towards meeting the current minlen value. The default for
    lcredit is 1, which is the recommended value for minlen less than 10.

    (N < 0) This is the minimum number of lower case letters that must be met
    for a new password.

ocredit=N

    (N >= 0) This is the maximum credit for having other characters in the new
    password. If you have N or fewer other characters, each character will
    count +1 towards meeting the current minlen value. The default for ocredit
    is 1, which is the recommended value for minlen less than 10.

    (N < 0) This is the minimum number of other characters that must be met for
    a new password.

minclass=N

    The minimum number of required classes of characters for the new password.
    The default number is zero. The four classes are digits, upper and lower
    letters and other characters. The difference to the credit check is that a
    specific class of characters is not required. Instead, N out of the four
    classes are required.

maxrepeat=N

    Reject passwords which contain more than N same consecutive characters. The
    default is 0 which means that this check is disabled.

maxsequence=N

    Reject passwords which contain monotonic character sequences longer than N.
    The default is 0 which means that this check is disabled. Examples of such
    sequences are '12345' or 'fedcb'. Note that most such passwords will not
    pass the simplicity check unless the sequence is only a minor part of the
    password.

maxclassrepeat=N

    Reject passwords which contain more than N consecutive characters of the
    same class. The default is 0 which means that this check is disabled.

reject_username

    Check whether the name of the user in straight or reversed form is
    contained in the new password. If it is found the new password is rejected.

gecoscheck

    Check whether the words from the GECOS field (usually the full name of the
    user) longer than 3 characters in straight or reversed form are contained
    in the new password. If any such word is found the new password is rejected.

enforce_for_root

    The module will also return an error on a failed check when the user
    changing the password is root. This option is off by default, which means
    that only the message about the failed check is printed and root can change
    the password anyway. Note that root is not asked for an old password, so
    the checks that compare the old and new password are not performed.

use_authtok

    This argument is used to force the module to not prompt the user for a new
    password but use the one provided by the previously stacked password
    module.

dictpath=/path/to/dict

    Path to the cracklib dictionaries.

EXAMPLES

For an example of the use of this module, we show how it may be stacked with
the password component of pam_unix(8)

#
# These lines stack two password type modules. In this example the
# user is given 3 opportunities to enter a strong password. The
# "use_authtok" argument ensures that the pam_unix module does not
# prompt for a password, but instead uses the one provided by
# pam_cracklib.
#
passwd  password required       pam_cracklib.so retry=3
passwd  password required       pam_unix.so use_authtok


Another example (in the /etc/pam.d/passwd format) is for the case that you want
to use md5 password encryption:

#%PAM-1.0
#
# These lines allow md5 systems to support passwords of at least 14
# bytes with extra credit of 2 for digits and 2 for others; the new
# password must have at least three bytes that are not present in the
# old password
#
password  required pam_cracklib.so \
               difok=3 minlen=15 dcredit=2 ocredit=2
password  required pam_unix.so use_authtok nullok md5


And here is another example in case you don't want to use credits:

#%PAM-1.0
#
# These lines require the user to select a password with a minimum
# length of 8 and with at least 1 digit number, 1 upper case letter,
# and 1 other character
#
password  required pam_cracklib.so \
               dcredit=-1 ucredit=-1 ocredit=-1 lcredit=0 minlen=8
password  required pam_unix.so use_authtok nullok md5
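
The following is an added example, not code from pam_cracklib or Linux-PAM: a simplified Python model of the checks the options above describe, which can be fed the module-argument strings from the three examples to see which passwords each configuration accepts. The credit arithmetic follows the minlen/dcredit/ucredit/lcredit/ocredit descriptions; the difok comparison is modelled as an edit distance, the order in which the checks run is an assumption, and the cracklib dictionary lookup is not modelled.

```python
"""Simplified model of the pam_cracklib checks described above (added example,
not the module's own code).  Credit arithmetic and the minclass, maxrepeat,
maxclassrepeat, maxsequence and reject_username checks follow the option
descriptions; the difok test is modelled as an edit distance (an assumption)
and the cracklib dictionary lookup is not modelled."""
from dataclasses import dataclass

CLASSES = ("digit", "upper", "lower", "other")

@dataclass
class Policy:
    minlen: int = 9
    difok: int = 5
    dcredit: int = 1
    ucredit: int = 1
    lcredit: int = 1
    ocredit: int = 1
    minclass: int = 0
    maxrepeat: int = 0
    maxsequence: int = 0
    maxclassrepeat: int = 0
    reject_username: bool = False

    @classmethod
    def from_args(cls, args):
        """Build a policy from a module-argument string such as
        'difok=3 minlen=15 dcredit=2 ocredit=2'; retry=, use_authtok, dictpath= are ignored."""
        p = cls()
        for tok in args.split():
            key, _, val = tok.partition("=")
            if key == "reject_username":
                p.reject_username = True
            elif key in vars(p) and val.lstrip("-").isdigit():
                setattr(p, key, int(val))
        return p

def char_class(c):
    return "digit" if c.isdigit() else "upper" if c.isupper() else "lower" if c.islower() else "other"

def longest_run(s, key):
    """Longest run of consecutive characters sharing the same key(c)."""
    best = cur = 0
    prev = None
    for c in s:
        cur = cur + 1 if key(c) == prev else 1
        prev = key(c)
        best = max(best, cur)
    return best

def longest_monotonic(s):
    """Longest ascending or descending run such as '12345' or 'fedcb'."""
    best = up = down = 1 if s else 0
    for a, b in zip(s, s[1:]):
        if ord(b) == ord(a) + 1:
            up, down = up + 1, 1
        elif ord(b) == ord(a) - 1:
            up, down = 1, down + 1
        else:
            up = down = 1
        best = max(best, up, down)
    return best

def edit_distance(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check(p, new, old=None, user=None):
    """Return None when `new` is acceptable, otherwise the reason it is rejected."""
    if old is not None and edit_distance(old, new) < p.difok and len(new) < 2 * len(old):
        return "is too similar to the old one"
    counts = {k: 0 for k in CLASSES}
    for c in new:
        counts[char_class(c)] += 1
    effective = len(new)
    for name, credit in zip(CLASSES, (p.dcredit, p.ucredit, p.lcredit, p.ocredit)):
        if credit >= 0:
            effective += min(counts[name], credit)   # N >= 0: bounded credit
        elif counts[name] < -credit:
            return f"needs at least {-credit} {name} character(s)"  # N < 0: a minimum
    if effective < p.minlen:
        return "is too simple"
    if p.minclass and sum(1 for n in counts.values() if n) < p.minclass:
        return "not enough character classes"
    if p.maxrepeat and longest_run(new, lambda c: c) > p.maxrepeat:
        return "contains too many same characters consecutively"
    if p.maxclassrepeat and longest_run(new, char_class) > p.maxclassrepeat:
        return "contains too many characters of the same class consecutively"
    if p.maxsequence and longest_monotonic(new) > p.maxsequence:
        return "contains too long of a monotonic character sequence"
    if p.reject_username and user and (user in new or user[::-1] in new):
        return "contains the user name in some form"
    return None
```

With the defaults (the first example's `retry=3` line) an eight-letter lower-case password passes because the single lcredit brings it to the minlen of 9, which is the weakness the text above warns about; the third example's negative credits turn each class into a hard requirement instead.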


AUTHOR

pam_cracklib was written by Cristian Gafton <gafton@redhat.com>

txts/README.pam_debug

pam_debug — PAM module to debug the PAM stack

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

DESCRIPTION

The pam_debug PAM module is intended as a debugging aid for determ ining how
the PAM stack is operating. This module returns what its module arguments tell
it to return.

OPTIONS

auth=value

    The pam_sm_authenticate(3) function will return value.

cred=value

    The pam_sm_setcred(3) function will return value.

acct=value

    The pam_sm_acct_mgmt(3) function will return value.

prechauthtok=value

    The pam_sm_chauthtok(3) function will return value if the PAM_PRELIM_CHECK
    flag is set.

chauthtok=value

    The pam_sm_chauthtok(3) function will return value if the PAM_PRELIM_CHECK
    flag is not set.

open_session=value

    The pam_sm_open_session(3) function will return value.

close_session=value

    The pam_sm_close_session(3) function will return value.

Where value can be one of: success, open_err, symbol_err, service_err,
system_err, buf_err, perm_denied, auth_err, cred_insufficient,
authinfo_unavail, user_unknown, maxtries, new_authtok_reqd, acct_expired,
session_err, cred_unavail, cred_expired, cred_err, no_module_data, conv_err,
authtok_err, authtok_recover_err, authtok_lock_busy, authtok_disable_aging,
try_again, ignore, abort, authtok_expired, module_unknown, bad_item,
conv_again, incomplete.

EXAMPLES

auth    requisite       pam_permit.so
auth    [success=2 default=ok]  pam_debug.so auth=perm_denied cred=success
auth    [default=reset]         pam_debug.so auth=success cred=perm_denied
auth    [success=done default=die] pam_debug.so
auth    optional        pam_debug.so auth=perm_denied cred=perm_denied
auth    sufficient      pam_debug.so auth=success cred=success


AUTHOR

pam_debug was written by Andrew G. Morgan <morgan@kernel.org>.

txts/README.pam_deny

pam_deny — The locking-out PAM module

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

DESCRIPTION

This module can be used to deny access. It always indicates a failure to the
application through the PAM framework. It might be suitable for use in the
default (the OTHER) entries.

EXAMPLES

#%PAM-1.0
#
# If we don't have config entries for a service, the
# OTHER entries are used. To be secure, warn and deny
# access to everything.
other auth     required       pam_warn.so
other auth     required       pam_deny.so
other account  required       pam_warn.so
other account  required       pam_deny.so
other password required       pam_warn.so
other password required       pam_deny.so
other session  required       pam_warn.so
other session  required       pam_deny.so


AUTHOR

pam_deny was written by Andrew G. Morgan <morgan@kernel.org>

txts/README.pam_echo

pam_echo — PAM module for printing text messages

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

DESCRIPTION

The pam_echo PAM module is for printing text messages to inform the user about
special things. Sequences starting with the % character are interpreted in the
following way:

%H

    The name of the remote host (PAM_RHOST).

%h

    The name of the local host.

%s

    The service name (PAM_SERVICE).

%t

    The name of the controlling terminal (PAM_TTY).

%U

    The remote user name (PAM_RUSER).

%u

    The local user name (PAM_USER).

All other sequences beginning with % expand to the characters following the %
character.

EXAMPLES

For an example of the use of this module, we show how it may be used to print
information about good passwords:

password optional pam_echo.so file=/usr/share/doc/good-password.txt
password required pam_unix.so


AUTHOR

Thorsten Kukuk <kukuk@thkukuk.de>

txts/README.pam_env

pam_env -- PAM module to set/unset environment variables

   --------------------------------------------------------------------------

DESCRIPTION

   The pam_env PAM module allows the (un)setting of environment variables.
   The use of previously set environment variables as well as PAM_ITEMs such
   as PAM_RHOST is supported.

   By default, rules for (un)setting of variables are taken from the config
   file /etc/security/pam_env.conf. An alternate file can be specified with
   the conffile option.

   Second, a file (/etc/environment by default) with simple KEY=VAL pairs on
   separate lines will be read. With the envfile option an alternate file can
   be specified, and with the readenv option this can be completely disabled.

   Third, it will read a user configuration file ($HOME/.pam_environment by
   default). The default file can be changed with the user_envfile option,
   and it can be turned on and off with the user_readenv option.

   Since setting of PAM environment variables can have side effects on other
   modules, this module should be the last one on the stack.

OPTIONS

   conffile=/path/to/pam_env.conf

           Indicate an alternative pam_env.conf style configuration file to
           override the default. This can be useful when different services
           need different environments.

   debug

           A lot of debug information is printed with syslog(3).

   envfile=/path/to/environment

           Indicate an alternative environment file to override the default.
           The syntax is simple KEY=VAL pairs on separate lines. The export
           instruction can be specified for bash compatibility, but will be
           ignored. This can be useful when different services need different
           environments.

   readenv=0|1

           Turns on or off the reading of the file specified by envfile (0 is
           off, 1 is on). By default this option is on.

   user_envfile=filename

           Indicate an alternative .pam_environment file to override the
           default. The syntax is the same as for /etc/environment. The
           filename is relative to the user's home directory. This can be
           useful when different services need different environments.

   user_readenv=0|1

           Turns on or off the reading of the user specific environment file.
           0 is off, 1 is on. By default this option is off as user supplied
           environment variables in the PAM environment could affect behavior
           of subsequent modules in the stack without the consent of the
           system administrator.

EXAMPLES

   These are some example lines which might be specified in
   /etc/security/pam_env.conf.

   Set the REMOTEHOST variable for any hosts that are remote, default to
   "localhost" rather than not being set at all

       REMOTEHOST     DEFAULT=localhost OVERRIDE=@{PAM_RHOST}


   Set the DISPLAY variable if it seems reasonable

       DISPLAY        DEFAULT=${REMOTEHOST}:0.0 OVERRIDE=${DISPLAY}


   Now some simple variables

       PAGER          DEFAULT=less
       MANPAGER       DEFAULT=less
       LESS           DEFAULT="M q e h15 z23 b80"
       NNTPSERVER     DEFAULT=localhost
       PATH           DEFAULT=${HOME}/bin:/usr/local/bin:/bin\
       :/usr/bin:/usr/local/bin/X11:/usr/bin/X11
       XDG_DATA_HOME  @{HOME}/share/


   Silly examples of escaped variables, just to show how they work.

       DOLLAR         DEFAULT=\$
       DOLLARDOLLAR   DEFAULT=        OVERRIDE=\$${DOLLAR}
       DOLLARPLUS     DEFAULT=\${REMOTEHOST}${REMOTEHOST}
       ATSIGN         DEFAULT=""      OVERRIDE=\@
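
As an added example (not Linux-PAM's own code), here is a Python model of how the lines above are evaluated: DEFAULT/OVERRIDE selection, ${VAR} and @{ITEM} expansion, the backslash escapes, "..." quoting and the backslash-continued PATH line. Two points are assumptions: a value given with neither keyword (the XDG_DATA_HOME line) is treated as a DEFAULT, and a value that expands to nothing unsets the variable. The item names PAM_RHOST and HOME are the ones the text refers to; the login details used in the run are constructed.

```python
"""Model of how pam_env evaluates pam_env.conf lines (added example, not
Linux-PAM's code).  Implements VARIABLE [DEFAULT=[value]] [OVERRIDE=[value]]:
${NAME} is looked up in the PAM environment built so far, @{ITEM} in the PAM
items (plus HOME and SHELL), unknown references expand to "", \\$ and \\@ are
literal, "..." may delimit a value, and a trailing backslash continues the line.
Assumptions: a bare value with neither keyword acts as DEFAULT, and an empty
result unsets the variable."""
import re

_REF = re.compile(r"\\([$@])|([$@])\{([^}]*)\}")

def _logical_lines(text):
    """Join backslash-continued lines; drop blanks and # comments."""
    buf = ""
    for raw in text.splitlines():
        if raw.endswith("\\"):
            buf += raw[:-1]
            continue
        line = (buf + raw).strip()
        buf = ""
        if line and not line.startswith("#"):
            yield line

def _tokens(line):
    """Split on whitespace outside double quotes; the quotes themselves are dropped."""
    out, cur, quoted = [], "", False
    for ch in line:
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if cur:
                out.append(cur)
                cur = ""
        else:
            cur += ch
    if cur:
        out.append(cur)
    return out

def expand(value, env, items):
    """Resolve ${NAME}, @{ITEM} and the \\$ / \\@ escapes in one value."""
    def sub(m):
        if m.group(1):                       # escaped $ or @: literal character
            return m.group(1)
        table = env if m.group(2) == "$" else items
        return table.get(m.group(3), "")     # unset reference -> empty string
    return _REF.sub(sub, value)

def evaluate(conf, items, env=None):
    """Apply a pam_env.conf text to a PAM environment and return the result."""
    env = dict(env or {})
    for line in _logical_lines(conf):
        toks = _tokens(line)
        name, default, override = toks[0], "", ""
        for tok in toks[1:]:
            if tok.startswith("DEFAULT="):
                default = tok[len("DEFAULT="):]
            elif tok.startswith("OVERRIDE="):
                override = tok[len("OVERRIDE="):]
            else:
                default = tok                # assumption: bare value acts as DEFAULT
        value = expand(override, env, items) or expand(default, env, items)
        if value:
            env[name] = value
        else:
            env.pop(name, None)              # assumption: empty result unsets
    return env

# Constructed sample, taken from the example lines in this README (dedented so
# the continuation line of PATH starts at column 0 and is joined as-is).
SAMPLE_CONF = r"""# example pam_env.conf lines
REMOTEHOST     DEFAULT=localhost OVERRIDE=@{PAM_RHOST}
DISPLAY        DEFAULT=${REMOTEHOST}:0.0 OVERRIDE=${DISPLAY}
LESS           DEFAULT="M q e h15 z23 b80"
PATH           DEFAULT=${HOME}/bin:/usr/local/bin:/bin\
:/usr/bin:/usr/local/bin/X11:/usr/bin/X11
XDG_DATA_HOME  @{HOME}/share/
DOLLAR         DEFAULT=\$
DOLLARDOLLAR   DEFAULT=        OVERRIDE=\$${DOLLAR}
DOLLARPLUS     DEFAULT=\${REMOTEHOST}${REMOTEHOST}
ATSIGN         DEFAULT=""      OVERRIDE=\@
"""

if __name__ == "__main__":
    # A local login: there is no PAM_RHOST item, so REMOTEHOST falls back to its DEFAULT.
    for k, v in evaluate(SAMPLE_CONF, {"PAM_USER": "alice", "HOME": "/home/alice"}).items():
        print(f"{k}={v}")
```

Note what happens to PATH: ${HOME} is a PAM environment lookup, not an item lookup, and since nothing has put HOME into the PAM environment it expands to nothing, so the result begins with "/bin:". That is the pitfall the pam_env.conf documentation describes, and it is why the XDG_DATA_HOME line uses @{HOME} instead.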

txts/README.pam_exec

pam_exec — PAM module which calls an external command

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

DESCRIPTION

pam_exec is a PAM module that can be used to run an external command.

The child's environment is set to the current PAM environment list, as returned
by pam_getenvlist(3). In addition, the following PAM items are exported as
environment variables: PAM_RHOST, PAM_RUSER, PAM_SERVICE, PAM_TTY, PAM_USER and
PAM_TYPE, which contains one of the module types: account, auth, password,
open_session and close_session.

Commands called by pam_exec need to be aware that the user can have control
over the environment.

OPTIONS

debug

    Print debug information.

expose_authtok

    During authentication the calling command can read the password from
    stdin(3). Only the first PAM_MAX_RESP_SIZE bytes of a password are provided
    to the command.

log=file

    The output of the command is appended to file.

type=type

    Only run the command if the module type matches the given type.

stdout

    By default the output of the executed command is written to /dev/null.
    With this option, the stdout output of the executed command is redirected
    to the calling application. It is the responsibility of that application
    to decide what happens with the output. The log option is ignored.

quiet

    By default pam_exec.so will echo the exit status of the external command
    if it fails. Specifying this option will suppress the message.

seteuid

    By default pam_exec.so will execute the external command with the real
    user ID of the calling process. Specifying this option means the command is
    run with the effective user ID.

EXAMPLES

Add the following line to /etc/pam.d/passwd to rebuild the NIS database after
each local password change:

        password optional pam_exec.so seteuid /usr/bin/make -C /var/yp


This will execute the command

make -C /var/yp

with effective user ID.
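
An added example, not part of Linux-PAM or of anything shipped with pam_exec: a Python script of the kind a line like the one above would start, written so that the environment it inherits is treated as untrusted, which is the warning in the description. PAM_TYPE, PAM_USER, PAM_RHOST, PAM_SERVICE and PAM_TTY are the variables pam_exec exports; the username pattern, the fixed PATH and the logger call are choices made for this example.

```python
#!/usr/bin/env python3
"""A hook of the kind pam_exec starts (added example, not part of Linux-PAM).
It validates the PAM items before acting on them and runs its own child with a
scrubbed environment, because the PAM environment list it inherits can be
influenced by the user.  The username pattern and SAFE_PATH are assumptions."""
import os
import re
import subprocess
import sys

SAFE_PATH = "/usr/sbin:/usr/bin:/sbin:/bin"          # replaces the inherited PATH
PAM_TYPES = {"account", "auth", "password", "open_session", "close_session"}
USER_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")    # conservative portable username

def pam_context(environ):
    """Return the PAM items pam_exec exports, validated; ValueError on anything odd."""
    pam_type = environ.get("PAM_TYPE", "")
    if pam_type not in PAM_TYPES:
        raise ValueError(f"unexpected PAM_TYPE {pam_type!r}")
    user = environ.get("PAM_USER", "")
    if not USER_RE.match(user):
        raise ValueError(f"refusing to act on PAM_USER {user!r}")
    return {
        "type": pam_type,
        "user": user,
        "service": environ.get("PAM_SERVICE", ""),
        "tty": environ.get("PAM_TTY", ""),
        "rhost": environ.get("PAM_RHOST", ""),
    }

def child_environment(environ):
    """Environment for anything the hook runs itself: PAM_* items only, fixed PATH.
    Everything else inherited from the session (LD_PRELOAD, IFS, ...) is dropped."""
    env = {k: v for k, v in environ.items() if k.startswith("PAM_")}
    env["PATH"] = SAFE_PATH
    return env

def main():
    try:
        ctx = pam_context(os.environ)
    except ValueError as err:
        print(f"pam hook: {err}", file=sys.stderr)
        return 1                                    # non-zero exit makes pam_exec fail
    if ctx["type"] != "open_session":               # same effect as type=open_session
        return 0
    message = (f"session opened for {ctx['user']} on {ctx['tty'] or '?'} "
               f"from {ctx['rhost'] or 'local'}")
    # absolute path, argv list (no shell), scrubbed environment
    subprocess.run(["/usr/bin/logger", "-t", "pam_hook", message],
                   env=child_environment(os.environ), check=False)
    return 0

if __name__ == "__main__":
    sys.exit(main())
```

The `seteuid` option in the example above means such a hook may run with the effective privileges of the calling service; the validation, the absolute program path and the rebuilt environment are what keep a user-controlled PATH or loader variable from steering it.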

AUTHOR

pam_exec was written by Thorsten Kukuk <kukuk@thkukuk.de> and Josh Triplett
<josh@joshtriplett.org>.

txts/README.pam_faildelay

pam_faildelay — Change the delay on failure per-application

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

DESCRIPTION

pam_faildelay is a PAM module that can be used to set the delay on failure
per-application.

If no delay is given, pam_faildelay will use the value of FAIL_DELAY from
/etc/login.defs.

OPTIONS

debug

    Turns on debugging messages sent to syslog.

delay=N

    Set the delay on failure to N microseconds.

EXAMPLES

The following example will set the delay on failure to 10 seconds:

auth  optional  pam_faildelay.so  delay=10000000


AUTHOR

pam_faildelay was written by Darren Tucker <dtucker@zip.com.au>.

txts/README.pam_faillock

pam_faillock -- Module counting authentication failures during a specified
interval

   --------------------------------------------------------------------------

DESCRIPTION

   This module maintains a list of failed authentication attempts per user
   during a specified interval and locks the account in case there were more
   than deny consecutive failed authentications.

   Normally, failed attempts to authenticate root will not cause the root
   account to become blocked, to prevent denial-of-service: if your users
   aren't given shell accounts and root may only login via su or at the
   machine console (not telnet/rsh, etc), this is safe.

OPTIONS

   {preauth|authfail|authsucc}

           This argument must be set accordingly to the position of this
           module instance in the PAM stack.

           The preauth argument must be used when the module is called before
           the modules which ask for the user credentials such as the
           password. The module just examines whether the user should be
           blocked from accessing the service in case there was an anomalous
           number of failed consecutive authentication attempts recently.
           This call is optional if authsucc is used.

           The authfail argument must be used when the module is called after
           the modules which determine the authentication outcome have failed.
           Unless the user is already blocked due to previous authentication
           failures, the module will record the failure into the appropriate
           user tally file.

           The authsucc argument must be used when the module is called after
           the modules which determine the authentication outcome have
           succeeded. Unless the user is already blocked due to previous
           authentication failures, the module will then clear the record of
           the failures in the respective user tally file. Otherwise it will
           return an authentication error. If this call is not done,
           pam_faillock will not distinguish between consecutive and
           non-consecutive failed authentication attempts. The preauth call
           must be used in that case. Due to complications in the way the PAM
           stack can be configured it is also possible to call pam_faillock as
           an account module. In such a configuration the module must also be
           called in the preauth stage.

   The options for configuring the module behavior are described in the
   faillock.conf(5) manual page. The options specified on the module command
   line override the values from the configuration file.

NOTES

   Configuring options on the module command line is not recommended. The
   /etc/security/faillock.conf file should be used instead.

   The setup of pam_faillock in the PAM stack is different from the
   pam_tally2 module setup.

   Individual files with the failure records are created as owned by the
   user. This allows pam_faillock.so module to work correctly when it is
   called from a screensaver.

   Note that using the module in preauth without the silent option specified
   in /etc/security/faillock.conf, or with the requisite control field, leaks
   information about whether a user account exists on the system, because
   failures are not recorded for unknown users. The message about the user
   account being locked is never displayed for nonexistent user accounts,
   allowing an adversary to infer that a particular account does not exist
   on the system.

EXAMPLES

   Here are two possible configuration examples for /etc/pam.d/login. They
   make pam_faillock lock the account after 4 consecutive failed logins
   during the default interval of 15 minutes. The root account will be locked
   as well. The accounts will be automatically unlocked after 20 minutes.

   In the first example the module is called only in the auth phase and the
   module does not print any information about the account blocking by
   pam_faillock. The preauth call can be added to tell the user that their
   login is blocked by the module and also to abort the authentication
   without even asking for a password in that case.

   /etc/security/faillock.conf file example:

 deny=4
 unlock_time=1200
 silent


   /etc/pam.d/config file example:

 auth     required       pam_securetty.so
 auth     required       pam_env.so
 auth     required       pam_nologin.so
 # optionally call: auth requisite pam_faillock.so preauth
 # to display the message about account being locked
 auth     [success=1 default=bad] pam_unix.so
 auth     [default=die]  pam_faillock.so authfail
 auth     sufficient     pam_faillock.so authsucc
 auth     required       pam_deny.so
 account  required       pam_unix.so
 password required       pam_unix.so shadow
 session  required       pam_selinux.so close
 session  required       pam_loginuid.so
 session  required       pam_unix.so
 session  required       pam_selinux.so open


   In the second example the module is called both in the auth and account
   phases and the module gives the authenticating user message when the
   account is locked if silent option is not specified in the faillock.conf.

 auth     required       pam_securetty.so
 auth     required       pam_env.so
 auth     required       pam_nologin.so
 auth     required       pam_faillock.so preauth
 # optionally use requisite above if you do not want to prompt for the password
 # on locked accounts
 auth     sufficient     pam_unix.so
 auth     [default=die]  pam_faillock.so authfail
 auth     required       pam_deny.so
 account  required       pam_faillock.so
 # if you drop the above call to pam_faillock.so the lock will be done also
 # on non-consecutive authentication failures
 account  required       pam_unix.so
 password required       pam_unix.so shadow
 session  required       pam_selinux.so close
 session  required       pam_loginuid.so
 session  required       pam_unix.so
 session  required       pam_selinux.so open
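
As an added example (not pam_faillock's code), the following Python model works through the tally logic the two stacks above rely on, using the README's values deny=4 and unlock_time=1200 with the default 15-minute interval. It assumes that a lock is established when the last `deny` failures all fall inside fail_interval and is then held for unlock_time from the failure that caused it, that a successful authentication clears the tally, and that root is exempt unless even_deny_root is set (an option from faillock.conf(5), not this README). Timestamps are plain seconds so the arithmetic can be followed by hand.

```python
"""Model of the pam_faillock tally logic described in this README (added
example, not the module's code).  Defaults mirror faillock.conf(5):
deny=3, fail_interval=900, unlock_time=600.  Assumption: the lock is held
for unlock_time from the failure that established it."""
from dataclasses import dataclass

@dataclass
class FaillockConfig:
    deny: int = 3              # consecutive failures inside fail_interval that lock
    fail_interval: int = 900   # seconds; the README's "default interval of 15 minutes"
    unlock_time: int = 600     # seconds after the locking failure; 0 means never
    even_deny_root: bool = False

class Faillock:
    """One tally per user, like the per-user files pam_faillock keeps."""

    def __init__(self, cfg):
        self.cfg = cfg
        self.tally = {}            # user -> list of failure timestamps (ascending)

    def is_locked(self, user, now):
        """The 'preauth' decision."""
        if user == "root" and not self.cfg.even_deny_root:
            return False
        records = self.tally.get(user, [])
        if self.cfg.deny == 0 or len(records) < self.cfg.deny:
            return False
        latest = records[-1]
        # the last `deny` failures must all fall inside one fail_interval
        if latest - records[-self.cfg.deny] > self.cfg.fail_interval:
            return False
        if self.cfg.unlock_time and latest + self.cfg.unlock_time < now:
            self.tally[user] = []  # lock has expired: the old failures are forgotten
            return False
        return True

    def record_failure(self, user, now):
        """The 'authfail' step: True if the account is locked afterwards."""
        if self.is_locked(user, now):
            return True            # already locked: nothing further is recorded
        self.tally.setdefault(user, []).append(now)
        return self.is_locked(user, now)

    def record_success(self, user, now):
        """The 'authsucc' step: True when the login may proceed (tally cleared).
        A correct password on a locked account is still refused."""
        if self.is_locked(user, now):
            return False
        self.tally.pop(user, None)
        return True

def login_attempt(fl, user, password_ok, now):
    """One pass through the first example stack: pam_unix decides the password,
    then either [default=die] authfail or sufficient authsucc runs."""
    if not password_ok:
        fl.record_failure(user, now)
        return False
    return fl.record_success(user, now)

if __name__ == "__main__":
    fl = Faillock(FaillockConfig(deny=4, unlock_time=1200))   # the README's faillock.conf
    for t in (0, 10, 20, 30):
        login_attempt(fl, "alice", False, t)
    print("locked after 4 failures:", fl.is_locked("alice", 40))
    print("right password while locked:", login_attempt(fl, "alice", True, 50))
    print("unlocked 20 minutes later:", not fl.is_locked("alice", 30 + 1201))
```

The second stack's `account required pam_faillock.so` line corresponds to `is_locked` being consulted again after authentication; dropping it, as the comment in that example says, means non-consecutive failures are never distinguished because the `record_success` step is what resets the run.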


AUTHOR

   pam_faillock was written by Tomas Mraz.

txts/README.pam_filter

pam_filter — PAM filter module

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

DESCRIPTION

This module is intended to be a platform for providing access to all of the
input/output that passes between the user and the application. It is only
suitable for tty-based and (stdin/stdout) applications.

To function this module requires filters to be installed on the system. The
single filter provided with the module simply transposes upper and lower case
letters in the input and output streams. (This can be very annoying and is not
kind to termcap based editors).

Each component of the module has the potential to invoke the desired filter.
The filter is always run via execv(2) with the privilege of the calling
application and not that of the user. For this reason it cannot usually be
killed by the user without closing their session.

OPTIONS

debug

    Print debug information.

new_term

    The default action of the filter is to set the PAM_TTY item to indicate the
    terminal that the user is using to connect to the application. This
    argument indicates that the filter should set PAM_TTY to the filtered
    pseudo-terminal.

non_term

    Don't try to set the PAM_TTY item.

runX

    In order that the module can invoke a filter it should know when to invoke
    it. This argument is required to tell the filter when to do this.

    Permitted values for X are 1 and 2. These indicate the precise time that
    the filter is to be run. To understand this concept it will be useful to
    have read the pam(3) manual page. Basically, for each management group
    there are up to two ways of calling the module's functions. In the case of
    the authentication and session components there are actually two separate
    functions. For the case of authentication, these functions are 
    pam_authenticate(3) and pam_setcred(3), here run1 means run the filter from
    the pam_authenticate function and run2 means run the filter from
    pam_setcred. In the case of the session modules, run1 implies that the
    filter is invoked at the pam_open_session(3) stage, and run2 for 
    pam_close_session(3).

    For the account component, either run1 or run2 may be used.

    For the case of the password component, run1 is used to indicate that the
    filter is run on the first occasion of pam_chauthtok(3) (the 
    PAM_PRELIM_CHECK phase) and run2 is used to indicate that the filter is run
    on the second occasion (the PAM_UPDATE_AUTHTOK phase).

filter

    The full pathname of the filter to be run and any command line arguments
    that the filter might expect.

EXAMPLES

Add the following line to /etc/pam.d/login to see how to configure login to
transpose upper and lower case letters once the user has logged in:

        session required pam_filter.so run1 /lib/security/pam_filter/upperLOWER


AUTHOR

pam_filter was written by Andrew G. Morgan <morgan@kernel.org>.

txts/README.pam_ftp

pam_ftp — PAM module for anonymous access

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

DESCRIPTION

pam_ftp is a PAM module which provides a pluggable anonymous ftp mode of
access.

This module intercepts the user's name and password. If the name is ftp or
anonymous, the user's password is broken up at the @ delimiter into a PAM_RUSER
and a PAM_RHOST part; these PAM items are set accordingly. The username
(PAM_USER) is set to ftp. In this case the module succeeds. Otherwise, the
module sets the PAM_AUTHTOK item with the entered password and fails.

This module is not safe and easily spoofable.

OPTIONS

debug

    Print debug information.

ignore

    Pay no attention to the email address of the user (if supplied).

ftp=XXX,YYY,...

    Instead of ftp or anonymous, provide anonymous login to the comma separated
    list of users: XXX,YYY,.... Should the applicant enter one of these
    usernames the returned username is set to the first in the list: XXX.

EXAMPLES

Add the following line to /etc/pam.d/ftpd to handle ftp style anonymous login:

#
# ftpd; add ftp-specifics. These lines enable anonymous ftp over
#       standard UN*X access (the listfile entry blocks access to
#       users listed in /etc/ftpusers)
#
auth    sufficient  pam_ftp.so
auth    required    pam_unix.so use_first_pass
auth    required    pam_listfile.so \
           onerr=succeed item=user sense=deny file=/etc/ftpusers


AUTHOR

pam_ftp was written by Andrew G. Morgan <morgan@kernel.org>.

txts/README.pam_group

pam_group — PAM module for group access

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

DESCRIPTION

The pam_group PAM module does not authenticate the user, but instead it grants
group memberships (in the credential setting phase of the authentication
module) to the user. Such memberships are based on the service they are
applying for.

By default rules for group memberships are taken from the config file
/etc/security/group.conf.

This module's usefulness relies on the file-systems accessible to the user. The
point being that once granted the membership of a group, the user may attempt
to create a setgid binary with a restricted group ownership. Later, when the
user is not given membership to this group, they can recover group membership
with the precompiled binary. The reason that the file-systems that the user has
access to are so significant, is the fact that when a system is mounted nosuid
the user is unable to create or execute such a binary file. For this module to
provide any level of security, all file-systems that the user has write access
to should be mounted nosuid.

The pam_group module functions in parallel with the /etc/group file. If the
user is granted any groups based on the behavior of this module, they are
granted in addition to those entries in /etc/group (or equivalent).

EXAMPLES

These are some example lines which might be specified in
/etc/security/group.conf.

Running 'xsh' on tty* (any ttyXXX device), the user 'us' is given access to the
floppy (through membership of the floppy group)

xsh;tty*&!ttyp*;us;Al0000-2400;floppy

Running 'xsh' on tty* (any ttyXXX device), the users 'sword', 'pike' and
'shield' are given access to games (through membership of the floppy group)
after work hours.

xsh; tty* ;sword|pike|shield;!Wk0900-1800;games, sound
xsh; tty* ;*;Al0900-1800;floppy


Any member of the group 'admin' running 'xsh' on tty*, is granted access (at
any time) to the group 'plugdev'

xsh; tty* ;%admin;Al0000-2400;plugdev
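
An added example, not pam_group's code: a Python evaluator for the group.conf lines above, so the effect of the tty, user, time and %admin fields can be checked against concrete requests. The field layout and the day codes (Mo..Su, Wk, Wd, Al followed by an HHMM-HHMM range) are taken from group.conf(5) rather than from this README; the left-to-right evaluation of & and | and the union of repeated day codes are simplifying assumptions, and the sample dates are constructed.

```python
"""Evaluator for /etc/security/group.conf lines (added example, not pam_group's
code).  Assumed syntax, following group.conf(5): service;tty;user;time;groups.
The first four fields are logic lists of tokens joined by & and |, evaluated
left to right here (a simplification); ! negates a token and * is a wildcard.
In the user field %name means "member of group name".  A time token is one or
more day codes (Mo..Su, Wk, Wd, Al) followed by HHMM-HHMM; repeated codes are
combined by union here, another simplification."""
from datetime import datetime
from fnmatch import fnmatchcase
import re

DAY_CODES = {"Mo": {0}, "Tu": {1}, "We": {2}, "Th": {3}, "Fr": {4}, "Sa": {5},
             "Su": {6}, "Wk": {0, 1, 2, 3, 4}, "Wd": {5, 6}, "Al": set(range(7))}
_TIME = re.compile(r"^((?:[A-Z][a-z])+)(\d{4})-(\d{4})$")

def _logic(field, match):
    """Evaluate 'a|b&!c' left to right; match(token) tests one bare token."""
    result, op = None, "|"
    for tok in re.findall(r"[&|]|[^&|]+", field.replace(" ", "")):
        if tok in ("&", "|"):
            op = tok
            continue
        value = match(tok.lstrip("!")) != tok.startswith("!")
        if result is None:
            result = value
        elif op == "&":
            result = result and value
        else:
            result = result or value
    return bool(result)

def _time_match(token, when):
    m = _TIME.match(token)
    if not m:
        return False
    codes, start, end = m.group(1), int(m.group(2)), int(m.group(3))
    days = set().union(*(DAY_CODES.get(codes[i:i + 2], set())
                         for i in range(0, len(codes), 2)))
    hhmm = when.hour * 100 + when.minute
    return when.weekday() in days and start <= hhmm < end

def groups_for(conf, service, tty, user, user_groups, when):
    """Return the set of extra groups pam_group would grant for this request."""
    granted = set()
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        services, ttys, users, times, groups = (f.strip() for f in line.split(";"))
        if not _logic(services, lambda t: fnmatchcase(service, t)):
            continue
        if not _logic(ttys, lambda t: fnmatchcase(tty, t)):
            continue
        if not _logic(users, lambda t: t[1:] in user_groups if t.startswith("%")
                      else fnmatchcase(user, t)):
            continue
        if not _logic(times, lambda t: _time_match(t, when)):
            continue
        granted.update(g.strip() for g in groups.split(","))
    return granted

# Constructed from the example lines in this README.
SAMPLE_CONF = """
xsh;tty*&!ttyp*;us;Al0000-2400;floppy
xsh; tty* ;sword|pike|shield;!Wk0900-1800;games, sound
xsh; tty* ;*;Al0900-1800;floppy
xsh; tty* ;%admin;Al0000-2400;plugdev
"""

# Constructed sample moments: 2024-05-14 is a Tuesday, 2024-05-18 a Saturday.
TUE_WORK = datetime(2024, 5, 14, 10, 0)
TUE_EVENING = datetime(2024, 5, 14, 20, 0)
SAT_MORNING = datetime(2024, 5, 18, 10, 0)

if __name__ == "__main__":
    print(groups_for(SAMPLE_CONF, "xsh", "tty1", "pike", set(), TUE_EVENING))
```

The `!ttyp*` term in the first line is what distinguishes a real console from a pseudo-terminal, which matters for the nosuid argument made in the description: a grant on a pseudo-terminal is one the user can reach over the network.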


txts/README.pam_issue

pam_issue — PAM module to add issue file to user prompt

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

DESCRIPTION

pam_issue is a PAM module to prepend an issue file to the username prompt. It
also by default parses escape codes in the issue file, similar to some common
gettys (using the \x format).

Recognized escapes:

\d

    current day

\l

    name of this tty

\m

    machine architecture (uname -m)

\n

    machine's network node hostname (uname -n)

\o

    domain name of this system

\r

    release number of operating system (uname -r)

\t

    current time

\s

    operating system name (uname -s)

\u

    number of users currently logged in

\U

    same as \u except it is suffixed with "user" or "users" (e.g. "1 user" or
    "10 users")

\v

    operating system version and build date (uname -v)

OPTIONS

noesc

    Turns off escape code parsing.

issue=issue-file-name

    The file to output if not using the default.

EXAMPLES

Add the following line to /etc/pam.d/login to set the user specific issue at
login:

        auth optional pam_issue.so issue=/etc/issue


AUTHOR

pam_issue was written by Ben Collins <bcollins@debian.org>.

txts/README.pam_keyinit

pam_keyinit — Kernel session keyring initialiser module

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

DESCRIPTION

The pam_keyinit PAM module ensures that the invoking process has a session
keyring other than the user default session keyring.

The session component of the module checks to see if the process's session
keyring is the user default, and, if it is, creates a new anonymous session
keyring with which to replace it.

If a new session keyring is created, it will install a link to the user common
keyring in the session keyring so that keys common to the user will be
automatically accessible through it.

The session keyring of the invoking process will thenceforth be inherited by
all its children unless they override it.

This module is intended primarily for use by login processes. Be aware that
after the session keyring has been replaced, the old session keyring and the
keys it contains will no longer be accessible.

This module should not, generally, be invoked by programs like su, since it is
usually desirable for the key set to percolate through to the alternate
context. The keys have their own permissions system to manage this.

This module should be included as early as possible in a PAM configuration, so
that other PAM modules can attach tokens to the keyring.

The keyutils package is used to manipulate keys more directly. This can be
obtained from:

Keyutils

OPTIONS

debug

    Log debug information with syslog(3).

force

    Causes the session keyring of the invoking process to be replaced
    unconditionally.

revoke

    Causes the session keyring of the invoking process to be revoked when the
    invoking process exits if the session keyring was created for this process
    in the first place.

EXAMPLES

Add this line to your login entries to start each login session with its own
session keyring:

session  required  pam_keyinit.so


This will prevent keys from one session leaking into another session for the
same user.

AUTHOR

pam_keyinit was written by David Howells, <dhowells@redhat.com>.

pam_lastlog -- PAM module to display date of last login and perform inactive
account lock out

   --------------------------------------------------------------------------

DESCRIPTION

   pam_lastlog is a PAM module to display a line of information about the
   last login of the user. In addition, the module maintains the
   /var/log/lastlog file.

   Some applications may perform this function themselves. In such cases,
   this module is not necessary.

   If the module is called in the auth or account phase, the accounts that
   were not used recently enough will be disallowed to log in. The check is
   not performed for the root account so the root is never locked out.

OPTIONS

   debug

           Print debug information.

   silent

           Don't inform the user about any previous login, just update the
           /var/log/lastlog file. This option does not affect display of bad
           login attempts.

   never

           If the /var/log/lastlog file does not contain any old entries for
           the user, indicate that the user has never previously logged in
           with a welcome message.

   nodate

           Don't display the date of the last login.

   noterm

           Don't display the terminal name on which the last login was
           attempted.

   nohost

           Don't indicate from which host the last login was attempted.

   nowtmp

           Don't update the wtmp entry.

   noupdate

           Don't update any file.

   showfailed

           Display number of failed login attempts and the date of the last
           failed attempt from btmp. The date is not displayed when nodate is
           specified.

   inactive=<days>

           This option is specific for the auth or account phase. It
           specifies the number of days after the last login of the user when
           the user will be locked out by the module. The default value is
           90.

   unlimited

           If the fsize limit is set, this option can be used to override it,
           preventing failures on systems with large UID values that lead
           lastlog to become a huge sparse file.

EXAMPLES

   Add the following line to /etc/pam.d/login to display the last login time
   of a user:

     session  required  pam_lastlog.so nowtmp


   To reject the user if they did not log in during the previous 50 days, the
   following line can be used:

     auth  required  pam_lastlog.so inactive=50


AUTHOR

   pam_lastlog was written by Andrew G. Morgan <morgan@kernel.org>.

   Inactive account lock out added by Tomas Mraz <tm@t8m.info>.

pam_limits -- PAM module to limit resources

   --------------------------------------------------------------------------

DESCRIPTION

   The pam_limits PAM module sets limits on the system resources that can be
   obtained in a user session. Users with uid=0 are affected by these limits,
   too.

   By default limits are taken from the /etc/security/limits.conf config
   file. Then individual *.conf files from the /etc/security/limits.d/
   directory are read. The files are parsed one after another in the order of
   "C" locale. The effect of the individual files is the same as if all the
   files were concatenated together in the order of parsing. If a config file
   is explicitly specified with a module option then the files in the above
   directory are not parsed.

   The module must not be called by a multithreaded application.

   If Linux-PAM is compiled with audit support, the module will report when it
   denies access based on the limit on the maximum number of concurrent login
   sessions.

OPTIONS

   conf=/path/to/limits.conf

           Indicate an alternative limits.conf style configuration file to
           override the default.

   debug

           Print debug information.

   set_all

           Set the limits for which no value is specified in the
           configuration file to the one from the process with the PID 1.

   utmp_early

           Some broken applications actually allocate a utmp entry for the
           user before the user is admitted to the system. If some of the
           services you are configuring PAM for do this, you can selectively
           use this module argument to compensate for this behavior and at
           the same time maintain system-wide consistency with a single
           limits.conf file.

   noaudit

           Do not report exceeded maximum logins count to the audit
           subsystem.

EXAMPLES

   These are some example lines which might be specified in
   /etc/security/limits.conf.

 *               soft    core            0
 *               hard    nofile          512
 @student        hard    nproc           20
 @faculty        soft    nproc           20
 @faculty        hard    nproc           50
 ftp             hard    nproc           0
 @student        -       maxlogins       4
 :123            hard    cpu             5000
 @500:           soft    cpu             10000
 600:700         hard    locks           10

pam_listfile — deny or allow services based on an arbitrary file

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

DESCRIPTION

pam_listfile is a PAM module which provides a way to deny or allow services
based on an arbitrary file.

The module gets the item of the type specified -- user specifies the username, 
PAM_USER; tty specifies the name of the terminal over which the request has
been made, PAM_TTY; rhost specifies the name of the remote host (if any) from
which the request was made, PAM_RHOST; and ruser specifies the name of the
remote user (if available) who made the request, PAM_RUSER -- and looks for an
instance of that item in the file=filename. filename contains one line per item
listed. If the item is found, then if sense=allow, PAM_SUCCESS is returned,
causing the authorization request to succeed; else if sense=deny, PAM_AUTH_ERR
is returned, causing the authorization request to fail.

If an error is encountered (for instance, if filename does not exist, or a
poorly-constructed argument is encountered), then if onerr=succeed, PAM_SUCCESS
is returned, otherwise if onerr=fail, PAM_AUTH_ERR or PAM_SERVICE_ERR (as
appropriate) will be returned.

An additional argument, apply=, can be used to restrict the application of the
above to a specific user (apply=username) or a given group (apply=@groupname).
This added restriction is only meaningful when used with the tty, rhost and 
shell items.

Besides this last one, all arguments should be specified; do not count on any
default behavior.

No credentials are awarded by this module.

OPTIONS

item=[tty|user|rhost|ruser|group|shell]

    What is listed in the file and should be checked for.

sense=[allow|deny]

    Action to take if the item is found in the file; if the item is NOT found
    in the file, the opposite action is taken.

file=/path/filename

    File containing one item per line. The file needs to be a plain file and
    not world writable.

onerr=[succeed|fail]

    What to do if something weird happens like being unable to open the file.

apply=[user|@group]

    Restrict the user class to which the restriction applies. Note that with
    item=[user|ruser|group] this does not make sense, but for
    item=[tty|rhost|shell] it has a meaning.

quiet

    Do not treat service refusals or missing list files as errors that need to
    be logged.

EXAMPLES

Classic 'ftpusers' authentication can be implemented with this entry in
/etc/pam.d/ftpd:

#
# deny ftp-access to users listed in the /etc/ftpusers file
#
auth    required       pam_listfile.so \
        onerr=succeed item=user sense=deny file=/etc/ftpusers


Note, users listed in /etc/ftpusers file are (counterintuitively) not allowed
access to the ftp service.

To allow login access only for certain users, you can use a /etc/pam.d/login
entry like this:

#
# permit login to users listed in /etc/loginusers
#
auth    required       pam_listfile.so \
        onerr=fail item=user sense=allow file=/etc/loginusers


For this example to work, all users who are allowed to use the login service
should be listed in the file /etc/loginusers. Unless you are explicitly trying
to lock out root, make sure that when you do this, you leave a way for root to
log in, either by listing root in /etc/loginusers, or by listing a user who is
able to su to the root account.
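The decision logic of the description above and of the two examples, simulated in Python as an added example (this is not the pam_listfile module's own code): the list files are constructed in a temporary directory, and the choices made for cases the text leaves open (a missing onerr= yields PAM_SERVICE_ERR, a non-matching apply= yields PAM_IGNORE, a missing item value is an error) are this example's assumptions.

```python
import os
import stat
import tempfile

PAM_SUCCESS, PAM_AUTH_ERR, PAM_SERVICE_ERR, PAM_IGNORE = (
    "PAM_SUCCESS", "PAM_AUTH_ERR", "PAM_SERVICE_ERR", "PAM_IGNORE")
VALID_ITEMS = ("tty", "user", "rhost", "ruser", "group", "shell")


def parse_args(argv):
    """Split 'key=value' module arguments and validate the mandatory ones."""
    opts = {}
    for arg in argv:
        if arg == "quiet":
            opts["quiet"] = True
        elif "=" in arg:
            key, value = arg.split("=", 1)
            opts[key] = value
        else:
            raise ValueError("malformed argument: " + arg)
    if (opts.get("item") not in VALID_ITEMS
            or opts.get("sense") not in ("allow", "deny")
            or opts.get("onerr", "fail") not in ("succeed", "fail")
            or "file" not in opts):
        raise ValueError("required argument missing or invalid")
    return opts


def pam_listfile(argv, items):
    """Decide one request. argv: the module arguments from the pam.d line;
    items: PAM item values, e.g. {"user": "alice", "tty": "tty1", "groups": [...]}.
    Returns the name of the PAM return code."""
    # onerr= decides what every error path returns. Without an explicit onerr=
    # this example returns PAM_SERVICE_ERR (assumption): do not rely on defaults.
    onerr = dict(a.split("=", 1) for a in argv if a.startswith("onerr=")).get("onerr")
    on_error = {"succeed": PAM_SUCCESS, "fail": PAM_AUTH_ERR}.get(onerr, PAM_SERVICE_ERR)
    try:
        opts = parse_args(argv)
    except ValueError:
        return on_error
    # apply= narrows the rule to one user or group; only meaningful for tty/rhost/
    # shell. A non-matching apply= returns PAM_IGNORE here (assumption).
    apply_to = opts.get("apply")
    if apply_to and opts["item"] in ("tty", "rhost", "shell"):
        if apply_to.startswith("@"):
            if apply_to[1:] not in items.get("groups", []):
                return PAM_IGNORE
        elif apply_to != items.get("user"):
            return PAM_IGNORE
    # The list must be a plain, not world-writable file; otherwise any user could
    # rewrite the policy, so it is treated as an error.
    try:
        st = os.stat(opts["file"])
    except OSError:
        return on_error
    if not stat.S_ISREG(st.st_mode) or st.st_mode & stat.S_IWOTH:
        return on_error
    with open(opts["file"]) as fh:
        entries = {line.rstrip("\n") for line in fh}
    if opts["item"] == "group":
        found = any(g in entries for g in items.get("groups", []))
    else:
        value = items.get(opts["item"])
        if value is None:              # item not set by the application: error
            return on_error
        found = value in entries
    if found:
        return PAM_SUCCESS if opts["sense"] == "allow" else PAM_AUTH_ERR
    return PAM_AUTH_ERR if opts["sense"] == "allow" else PAM_SUCCESS


def write_list(lines, mode=0o644):
    """Write a constructed list file (stand-in for /etc/ftpusers etc.)."""
    fd, path = tempfile.mkstemp(prefix="listfile-")
    with os.fdopen(fd, "w") as fh:
        fh.write("".join(line + "\n" for line in lines))
    os.chmod(path, mode)
    return path


def demo():
    """The README's two examples plus the error paths; returns {case: code}."""
    ftpusers = write_list(["root", "daemon"])      # constructed /etc/ftpusers
    loginusers = write_list(["alice", "root"])     # constructed /etc/loginusers
    loose = write_list(["root"], mode=0o666)       # world writable, must be refused
    ftpd = ["onerr=succeed", "item=user", "sense=deny", "file=" + ftpusers]
    login = ["onerr=fail", "item=user", "sense=allow", "file=" + loginusers]
    cases = {
        "root via ftpd": (ftpd, {"user": "root"}),                      # PAM_AUTH_ERR
        "alice via ftpd": (ftpd, {"user": "alice"}),                    # PAM_SUCCESS
        "alice via login": (login, {"user": "alice"}),                  # PAM_SUCCESS
        "bob via login": (login, {"user": "bob"}),                      # PAM_AUTH_ERR
        "list missing, onerr=succeed": (ftpd[:3] + ["file=/nonexistent"], {"user": "root"}),
        "world-writable list, onerr=fail": (["onerr=fail"] + ftpd[1:3] + ["file=" + loose],
                                            {"user": "root"}),          # PAM_AUTH_ERR
        "no onerr=, bad sense=": (["item=user", "sense=maybe", "file=" + ftpusers],
                                  {"user": "root"}),                    # PAM_SERVICE_ERR
        "apply=@wheel, user not in wheel": (["onerr=fail", "item=tty", "sense=deny",
                                             "apply=@wheel", "file=" + ftpusers],
                                            {"user": "alice", "tty": "tty1", "groups": ["users"]}),
    }
    results = {name: pam_listfile(argv, items) for name, (argv, items) in cases.items()}
    for path in (ftpusers, loginusers, loose):
        os.unlink(path)
    return results
```

The missing-list case returns PAM_SUCCESS only because of onerr=succeed, which is why the ftpusers example is safe to fail open (it is a deny list) while the loginusers example must use onerr=fail.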

AUTHOR

pam_listfile was written by Michael K. Johnson <johnsonm@redhat.com> and Elliot
Lee <sopwith@cuc.edu>.

pam_localuser — require users to be listed in /etc/passwd

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

DESCRIPTION

pam_localuser is a PAM module to help implement site-wide login policies, which
typically include a subset of the network's users and a few accounts that are
local to a particular workstation. Using pam_localuser together with pam_wheel
or pam_listfile is an effective way to restrict access to local users and/or a
subset of the network's users.

This could also be implemented using pam_listfile.so and a very short awk
script invoked by cron, but it's common enough to have been separated out.

OPTIONS

debug

    Print debug information.

file=/path/passwd

    Use a file other than /etc/passwd.

EXAMPLES

Add the following lines to /etc/pam.d/su to allow only local users or group
wheel to use su.

account sufficient pam_localuser.so
account required pam_wheel.so


AUTHOR

pam_localuser was written by Nalin Dahyabhai <nalin@redhat.com>.

pam_loginuid — Record user's login uid to the process attribute

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

DESCRIPTION

The pam_loginuid module sets the loginuid process attribute for the process
that was authenticated. This is necessary for applications to be correctly
audited. This PAM module should only be used for entry point applications like:
login, sshd, gdm, vsftpd, crond and atd. There are probably other entry point
applications besides these. You should not use it for applications like sudo or
su as that defeats the purpose by changing the loginuid to the account they
just switched to.

EXAMPLES

#%PAM-1.0
auth       required     pam_unix.so
auth       required     pam_nologin.so
account    required     pam_unix.so
password   required     pam_unix.so
session    required     pam_unix.so
session    required     pam_loginuid.so


AUTHOR

pam_loginuid was written by Steve Grubb <sgrubb@redhat.com>.

pam_mail — Inform about available mail

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

DESCRIPTION

The pam_mail PAM module provides the "you have new mail" service to the user.
It can be plugged into any application that has credential or session hooks. It
gives a single message indicating the newness of any mail it finds in the
user's mail folder. This module also sets the PAM environment variable, MAIL,
to the user's mail directory.

If the mail spool file (be it /var/mail/$USER or a pathname given with the dir=
parameter) is a directory then pam_mail assumes it is in the Maildir format.

OPTIONS

close

    Indicate if the user has any mail also on logout.

debug

    Print debug information.

dir=maildir

    Look for the user's mail in an alternative location defined by
    maildir/<login>. The default location for mail is /var/mail/<login>. Note,
    if the supplied maildir is prefixed by a '~', the directory is interpreted
    as indicating a file in the user's home directory.

empty

    Also print message if user has no mail.

hash=count

    Mail directory hash depth. For example, a hashcount of 2 would make the
    mail file be /var/spool/mail/u/s/user.

noenv

    Do not set the MAIL environment variable.

nopen

    Don't print any mail information on login. This flag is useful to get the 
    MAIL environment variable set, but to not display any information about it.

quiet

    Only report when there is new mail.

standard

    Old style "You have..." format which doesn't show the mail spool being
    used. This also implies "empty".

EXAMPLES

Add the following line to /etc/pam.d/login to indicate that the user has new
mail when they login to the system.

session  optional  pam_mail.so standard


AUTHOR

pam_mail was written by Andrew G. Morgan <morgan@kernel.org>.

pam_mkhomedir — PAM module to create users home directory

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

DESCRIPTION

The pam_mkhomedir PAM module will create a user's home directory if it does not
exist when the session begins. This allows users to be present in a central
database (such as NIS, Kerberos or LDAP) without using a distributed file
system or pre-creating a large number of directories. The skeleton directory
(usually /etc/skel/) is used as the source of the default files to copy, and
the module also sets a umask for the creation.

The new user's home directory will not be removed after the user logs out.

EXAMPLES

A sample /etc/pam.d/login file:

  auth       requisite   pam_securetty.so
  auth       sufficient  pam_ldap.so
  auth       required    pam_unix.so
  auth       required    pam_nologin.so
  account    sufficient  pam_ldap.so
  account    required    pam_unix.so
  password   required    pam_unix.so
  session    required    pam_mkhomedir.so skel=/etc/skel/ umask=0022
  session    required    pam_unix.so
  session    optional    pam_lastlog.so
  session    optional    pam_mail.so standard


AUTHOR

pam_mkhomedir was written by Jason Gunthorpe <jgg@debian.org>.

The Linux-PAM System Administrators' Guide

  Andrew G. Morgan

   <morgan@kernel.org>

  Thorsten Kukuk

   <kukuk@thkukuk.de>

   Version 1.1.2, 31. August 2010

   Abstract

   This manual documents what a system-administrator needs to know about the
   Linux-PAM library. It covers the correct syntax of the PAM configuration
   file and discusses strategies for maintaining a secure system.

   --------------------------------------------------------------------------

   1. Introduction

   2. Some comments on the text

   3. Overview

   4. The Linux-PAM configuration file

                4.1. Configuration file syntax

                4.2. Directory based configuration

                4.3. Example configuration file entries

   5. Security issues

                5.1. If something goes wrong

                5.2. Avoid having a weak `other' configuration

   6. A reference guide for available modules

                6.1. pam_access - logdaemon style login access control

                6.2. pam_cracklib - checks the password against dictionary
                words

                6.3. pam_debug - debug the PAM stack

                6.4. pam_deny - locking-out PAM module

                6.5. pam_echo - print text messages

                6.6. pam_env - set/unset environment variables

                6.7. pam_exec - call an external command

                6.8. pam_faildelay - change the delay on failure
                per-application

                6.9. pam_filter - filter module

                6.10. pam_ftp - module for anonymous access

                6.11. pam_group - module to modify group access

                6.12. pam_issue - add issue file to user prompt

                6.13. pam_keyinit - display the keyinit file

                6.14. pam_lastlog - display date of last login

                6.15. pam_limits - limit resources

                6.16. pam_listfile - deny or allow services based on an
                arbitrary file

                6.17. pam_localuser - require users to be listed in
                /etc/passwd

                6.18. pam_loginuid - record user's login uid to the process
                attribute

                6.19. pam_mail - inform about available mail

                6.20. pam_mkhomedir - create users home directory

                6.21. pam_motd - display the motd file

                6.22. pam_namespace - setup a private namespace

                6.23. pam_nologin - prevent non-root users from login

                6.24. pam_permit - the promiscuous module

                6.25. pam_pwhistory - grant access using .pwhistory file

                6.26. pam_rhosts - grant access using .rhosts file

                6.27. pam_rootok - gain only root access

                6.28. pam_securetty - limit root login to special devices

                6.29. pam_selinux - set the default security context

                6.30. pam_shells - check for valid login shell

                6.31. pam_succeed_if - test account characteristics

                6.32. pam_tally - login counter (tallying) module

                6.33. pam_tally2 - login counter (tallying) module

                6.34. pam_time - time controlled access

                6.35. pam_timestamp - authenticate using cached successful
                authentication attempts

                6.36. pam_umask - set the file mode creation mask

                6.37. pam_unix - traditional password authentication

                6.38. pam_userdb - authenticate against a db database

                6.39. pam_warn - logs all PAM items

                6.40. pam_wheel - only permit root access to members of group
                wheel

                6.41. pam_xauth - forward xauth keys between users

   7. See also

   8. Author/acknowledgments

   9. Copyright information for this document

                            Chapter 1. Introduction

   Linux-PAM (Pluggable Authentication Modules for Linux) is a suite of
   shared libraries that enable the local system administrator to choose how
   applications authenticate users.

   In other words, without (rewriting and) recompiling a PAM-aware
   application, it is possible to switch between the authentication
   mechanism(s) it uses. Indeed, one may entirely upgrade the local
   authentication system without touching the applications themselves.

   Historically an application that has required a given user to be
   authenticated, has had to be compiled to use a specific authentication
   mechanism. For example, in the case of traditional UN*X systems, the
   identity of the user is verified by the user entering a correct password.
   This password, after being prefixed by a two character ``salt'', is
   encrypted (with crypt(3)). The user is then authenticated if this
   encrypted password is identical to the second field of the user's entry in
   the system password database (the /etc/passwd file). On such systems, most
   if not all forms of privileges are granted based on this single
   authentication scheme. Privilege comes in the form of a personal
   user-identifier (UID) and membership of various groups. Services and
   applications are available based on the personal and group identity of the
   user. Traditionally, group membership has been assigned based on entries
   in the /etc/group file.

   It is the purpose of the Linux-PAM project to separate the development of
   privilege granting software from the development of secure and appropriate
   authentication schemes. This is accomplished by providing a library of
   functions that an application may use to request that a user be
   authenticated. This PAM library is configured locally with a system file,
   /etc/pam.conf (or a series of configuration files located in /etc/pam.d/)
   to authenticate a user request via the locally available authentication
   modules. The modules themselves will usually be located in the directory
   /lib/security or /lib64/security and take the form of dynamically loadable
   object files (see dlopen(3)).

                      Chapter 2. Some comments on the text

   Before proceeding to read the rest of this document, it should be noted
   that the text assumes that certain files are placed in certain
   directories. Where they have been specified, the conventions we adopt here
   for locating these files are those of the relevant RFC (RFC-86.0, see
   bibliography). If you are using a distribution of Linux (or some other
   operating system) that supports PAM but chooses to distribute these files
   in a different way you should be careful when copying examples directly
   from the text.

   As an example of the above, where it is explicit, the text assumes that
   PAM loadable object files (the modules) are to be located in the following
   directory: /lib/security/ or /lib64/security depending on the
   architecture. This is generally the location that seems to be compatible
   with the Filesystem Hierarchy Standard (FHS). On Solaris, which has its
   own licensed version of PAM, and some other implementations of UN*X, these
   files can be found in /usr/lib/security. Please be careful to perform the
   necessary transcription when using the examples from the text.

                              Chapter 3. Overview

   For the uninitiated, we begin by considering an example. We take an
   application that grants some service to users; login is one such program.
   Login does two things, it first establishes that the requesting user is
   whom they claim to be and second provides them with the requested service:
   in the case of login the service is a command shell (bash, tcsh, zsh,
   etc.) running with the identity of the user.

   Traditionally, the former step is achieved by the login application
   prompting the user for a password and then verifying that it agrees with
   that located on the system; hence verifying that as far as the system is
   concerned the user is who they claim to be. This is the task that is
   delegated to Linux-PAM.

   From the perspective of the application programmer (in this case the
   person that wrote the login application), Linux-PAM takes care of this
   authentication task -- verifying the identity of the user.

   The flexibility of Linux-PAM is that you, the system administrator, have
   the freedom to stipulate which authentication scheme is to be used. You
   have the freedom to set the scheme for any/all PAM-aware applications on
   your Linux system. That is, you can authenticate from anything as naive as
   simple trust (pam_permit) to something as paranoid as a combination of a
   retinal scan, a voice print and a one-time password!

   To illustrate the flexibility you face, consider the following situation:
   a system administrator (parent) wishes to improve the mathematical ability
   of her users (children). She can configure their favorite ``Shoot 'em up
   game'' (PAM-aware of course) to authenticate them with a request for the
   product of a couple of random numbers less than 12. It is clear that if
   the game is any good they will soon learn their multiplication tables. As
   they mature, the authentication can be upgraded to include (long)
   division!

   Linux-PAM deals with four separate types of (management) task. These are:
   authentication management; account management; session management; and
   password management. The association of the preferred management scheme
   with the behavior of an application is made with entries in the relevant
   Linux-PAM configuration file. The management functions are performed by
   modules specified in the configuration file. The syntax for this file is
   discussed in the section below.

   Here is a figure that describes the overall organization of Linux-PAM:

   +----------------+
   | application: X |
   +----------------+       /  +----------+     +================+
   | authentication-[---->--\--] Linux-   |--<--| PAM config file|
   |       +        [----<--/--]   PAM    |     |================|
   |[conversation()][--+    \  |          |     | X auth .. a.so |
   +----------------+  |    /  +-n--n-----+     | X auth .. b.so |
   |                |  |       __|  |           |           _____/
   |  service user  |  A      |     |           |____,-----'
   |                |  |      V     A
   +----------------+  +------|-----|---------+ -----+------+
                          +---u-----u----+    |      |      |
                          |   auth....   |--[ a ]--[ b ]--[ c ]
                          +--------------+
                          |   acct....   |--[ b ]--[ d ]
                          +--------------+
                          |   password   |--[ b ]--[ c ]
                          +--------------+
                          |   session    |--[ e ]--[ c ]
                          +--------------+


   By way of explanation, the left of the figure represents the application;
   application X. Such an application interfaces with the Linux-PAM library
   and knows none of the specifics of its configured authentication method.
   The Linux-PAM library (in the center) consults the contents of the PAM
   configuration file and loads the modules that are appropriate for
   application-X. These modules fall into one of four management groups
   (lower-center) and are stacked in the order they appear in the
   configuration file. These modules, when called by Linux-PAM, perform the
   various authentication tasks for the application. Textual information,
   required from/or offered to the user, can be exchanged through the use of
   the application-supplied conversation function.

   If a program is going to use PAM, then it has to have PAM functions
   explicitly coded into the program. If you have access to the source code
   you can add the appropriate PAM functions. If you do not have access to
   the source code, and the binary does not have the PAM functions included,
   then it is not possible to use PAM.

                  Chapter 4. The Linux-PAM configuration file

   When a PAM aware privilege granting application is started, it activates
   its attachment to the PAM-API. This activation performs a number of tasks,
   the most important being the reading of the configuration file(s):
   /etc/pam.conf. Alternatively, this may be the contents of the /etc/pam.d/
   directory. The presence of this directory will cause Linux-PAM to ignore
   /etc/pam.conf.

   These files list the PAMs that will do the authentication tasks required
   by this service, and the appropriate behavior of the PAM-API in the event
   that individual PAMs fail.

4.1. Configuration file syntax

   The syntax of the /etc/pam.conf configuration file is as follows. The file
   is made up of a list of rules; each rule is typically placed on a single
   line, but may be extended with an escaped end of line: `\<LF>'. Comments
   are preceded with `#' marks and extend to the next end of line.

   The format of each rule is a space separated collection of tokens, the
   first three being case-insensitive:

   service type control module-path module-arguments

   The syntax of files contained in the /etc/pam.d/ directory is identical
   except for the absence of any service field. In this case, the service is
   the name of the file in the /etc/pam.d/ directory. This filename must be
   in lower case.

   An important feature of PAM is that a number of rules may be stacked to
   combine the services of a number of PAMs for a given authentication task.

   The service is typically the familiar name of the corresponding
   application: login and su are good examples. The service-name, other, is
   reserved for giving default rules. Only lines that mention the current
   service (or in the absence of such, the other entries) will be associated
   with the given service-application.

   The type is the management group that the rule corresponds to. It is used
   to specify which of the management groups the subsequent module is to be
   associated with. Valid entries are:

   account

           this module type performs non-authentication based account
           management. It is typically used to restrict/permit access to a
           service based on the time of day, currently available system
           resources (maximum number of users) or perhaps the location of the
           applicant user -- 'root' login only on the console.

   auth

           this module type provides two aspects of authenticating the user.
           Firstly, it establishes that the user is who they claim to be, by
           instructing the application to prompt the user for a password or
           other means of identification. Secondly, the module can grant
           group membership or other privileges through its credential
           granting properties.

   password

           this module type is required for updating the authentication token
           associated with the user. Typically, there is one module for each
           'challenge/response' based authentication (auth) type.

   session

           this module type is associated with doing things that need to be
           done for the user before/after they can be given service. Such
           things include the logging of information concerning the
           opening/closing of some data exchange with a user, mounting
           directories, etc.

   If the type value from the list above is prepended with a - character the
   PAM library will not log to the system log if it is not possible to load
   the module because it is missing in the system. This can be useful
   especially for modules which are not always installed on the system and
   are not required for correct authentication and authorization of the login
   session.

   The third field, control, indicates the behavior of the PAM-API should the
   module fail to succeed in its authentication task. There are two types of
   syntax for this control field: the simple one has a single simple keyword;
   the more complicated one involves a square-bracketed selection of
   value=action pairs.

   For the simple (historical) syntax valid control values are:

   required

           failure of such a PAM will ultimately lead to the PAM-API
           returning failure but only after the remaining stacked modules
           (for this service and type) have been invoked.

   requisite

           like required, however, in the case that such a module returns a
           failure, control is directly returned to the application or to the
           superior PAM stack. The return value is that associated with the
           first required or requisite module to fail. Note, this flag can be
           used to protect against the possibility of a user getting the
           opportunity to enter a password over an unsafe medium. It is
           conceivable that such behavior might inform an attacker of valid
           accounts on a system. This possibility should be weighed against
           the not insignificant concerns of exposing a sensitive password in
           a hostile environment.

   sufficient

           if such a module succeeds and no prior required module has failed
           the PAM framework returns success to the application or to the
           superior PAM stack immediately without calling any further modules
           in the stack. A failure of a sufficient module is ignored and
           processing of the PAM module stack continues unaffected.

   optional

           the success or failure of this module is only important if it is
           the only module in the stack associated with this service+type.

   include

           include all lines of given type from the configuration file
           specified as an argument to this control.

   substack

           include all lines of given type from the configuration file
           specified as an argument to this control. This differs from
           include in that evaluation of the done and die actions in a
           substack does not cause skipping the rest of the complete module
           stack, but only of the substack. Jumps in a substack also cannot
           make evaluation jump out of it, and the whole substack is counted
           as one module when the jump is done in a parent stack. The reset
           action will reset the state of a module stack to the state it was
           in at the beginning of the substack evaluation.

   For the more complicated syntax valid control values have the following
   form:

       [value1=action1 value2=action2 ...]


   Where valueN corresponds to the return code from the function invoked in
   the module for which the line is defined. It is selected from one of
   these: success, open_err, symbol_err, service_err, system_err, buf_err,
   perm_denied, auth_err, cred_insufficient, authinfo_unavail, user_unknown,
   maxtries, new_authtok_reqd, acct_expired, session_err, cred_unavail,
   cred_expired, cred_err, no_module_data, conv_err, authtok_err,
   authtok_recover_err, authtok_lock_busy, authtok_disable_aging, try_again,
   ignore, abort, authtok_expired, module_unknown, bad_item, conv_again,
   incomplete, and default.

   The last of these, default, implies 'all valueN's not mentioned
   explicitly. Note, the full list of PAM errors is available in
   /usr/include/security/_pam_types.h. The actionN can take one of the
   following forms:

   ignore

           when used with a stack of modules, the module's return status will
           not contribute to the return code the application obtains.

   bad

           this action indicates that the return code should be thought of as
           indicative of the module failing. If this module is the first in
           the stack to fail, its status value will be used for that of the
           whole stack.

   die

           equivalent to bad with the side effect of terminating the module
           stack and PAM immediately returning to the application.

   ok

           this tells PAM that the administrator thinks this return code
           should contribute directly to the return code of the full stack of
           modules. In other words, if the former state of the stack would
           lead to a return of PAM_SUCCESS, the module's return code will
           override this value. Note, if the former state of the stack holds
           some value that is indicative of a modules failure, this 'ok'
           value will not be used to override that value.

   done

           equivalent to ok with the side effect of terminating the module
           stack and PAM immediately returning to the application.

   N (an unsigned integer)

           equivalent to ok with the side effect of jumping over the next N
           modules in the stack. Note that N equal to 0 is not allowed (and
           it would be identical to ok in such case).

   reset

           clear all memory of the state of the module stack and start again
           with the next stacked module.

   Each of the four keywords: required; requisite; sufficient; and optional,
   have an equivalent expression in terms of the [...] syntax. They are as
   follows:

   required

           [success=ok new_authtok_reqd=ok ignore=ignore default=bad]

   requisite

           [success=ok new_authtok_reqd=ok ignore=ignore default=die]

   sufficient

           [success=done new_authtok_reqd=done default=ignore]

   optional

           [success=ok new_authtok_reqd=ok default=ignore]

   module-path is either the full filename of the PAM to be used by the
   application (it begins with a '/'), or a relative pathname from the
   default module location: /lib/security/ or /lib64/security/, depending on
   the architecture.

   module-arguments are a space separated list of tokens that can be used to
   modify the specific behavior of the given PAM. Such arguments will be
   documented for each individual module. Note, if you wish to include spaces
   in an argument, you should surround that argument with square brackets.

     squid auth required pam_mysql.so user=passwd_query passwd=mada \
           db=eminence [query=select user_name from internet_service \
           where user_name='%u' and password=PASSWORD('%p') and \
         service='web_proxy']


   When using this convention, you can include `[' characters inside the
   string, and if you wish to include a `]' character inside the string that
   will survive the argument parsing, you should use `\]'. In other words:

     [..[..\]..]    -->   ..[..]..

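As an added example, not part of the Linux-PAM documentation or of libpam's own parser, the following Python function tokenizes a module-arguments field according to the bracket convention just described and applies it to the pam_mysql line above with its backslash-continued lines joined into one string. Rejecting an unterminated `[` with an error is this example's choice, not a description of how libpam handles that case.

```python
# The pam_mysql module-arguments field from above, with its backslash line
# continuations joined (pam.conf treats a trailing backslash as continuation).
EXAMPLE_ARGS = ("user=passwd_query passwd=mada db=eminence "
                "[query=select user_name from internet_service "
                "where user_name='%u' and password=PASSWORD('%p') and "
                "service='web_proxy']")


def split_module_args(field):
    """Split a module-arguments field into tokens. Whitespace separates
    tokens except inside [...], where spaces are kept, a ']' is written as
    '\\]' and the surrounding brackets are dropped from the token."""
    tokens, i, n = [], 0, len(field)
    while i < n:
        if field[i].isspace():
            i += 1
        elif field[i] == "[":
            buf, i = [], i + 1
            while i < n and field[i] != "]":
                if field[i] == "\\" and i + 1 < n and field[i + 1] == "]":
                    buf.append("]")          # escaped ] survives into the token
                    i += 2
                else:
                    buf.append(field[i])     # an unescaped [ inside is kept as-is
                    i += 1
            if i == n:
                # Malformed field: this model rejects it outright (the example's
                # choice, consistent with failing closed on badly formed lines).
                raise ValueError("unterminated [ in module arguments")
            i += 1                           # consume the closing ]
            tokens.append("".join(buf))
        else:
            j = i
            while j < n and not field[j].isspace():
                j += 1
            tokens.append(field[i:j])
            i = j
    return tokens


if __name__ == "__main__":
    for tok in split_module_args(EXAMPLE_ARGS):
        print(repr(tok))
    print(split_module_args(r"[..[..\]..]"))   # ['..[..]..']
```

The pam_mysql field yields four tokens, the last being the whole query with its embedded spaces and without the enclosing brackets.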

   Any line in (one of) the configuration file(s), that is not formatted
   correctly, will generally tend (erring on the side of caution) to make the
   authentication process fail. A corresponding error is written to the
   system log files with a call to syslog(3).

4.2. Directory based configuration

   It is more flexible than the single configuration file to configure libpam
   via the contents of the /etc/pam.d/ directory. In this case the directory
   is filled with files, each of which has a filename equal to a service-name
   (in lower case): it is the personal configuration file for the named
   service.

   The syntax of each file in /etc/pam.d/ is similar to that of the
   /etc/pam.conf file and is made up of lines of the following form:

 type  control  module-path  module-arguments


   The only difference being that the service-name is not present. The
   service-name is of course the name of the given configuration file. For
   example, /etc/pam.d/login contains the configuration for the login
   service.

4.3. Example configuration file entries

   In this section, we give some examples of entries that can be present in
   the Linux-PAM configuration file. As a first attempt at configuring your
   system you could do worse than to implement these.

   If a system is to be considered secure, it had better have a reasonably
   secure 'other' entry. The following is a paranoid setting (which is not a
   bad place to start!):

 #
 # default; deny access
 #
 other   auth     required       pam_deny.so
 other   account  required       pam_deny.so
 other   password required       pam_deny.so
 other   session  required       pam_deny.so


   Whilst fundamentally a secure default, this is not very sympathetic to a
   misconfigured system. For example, such a system is vulnerable to locking
   everyone out should the rest of the file become badly written.

   The module pam_deny (documented in a later section) is not very
   sophisticated. For example, it logs no information when it is invoked so
   unless the users of a system contact the administrator when failing to
   execute a service application, the administrator may go for a long while
   in ignorance of the fact that his system is misconfigured.

   The addition of the following line before those in the above example would
   provide a suitable warning to the administrator.

 #
 # default; wake up! This application is not configured
 #
 other   auth     required       pam_warn.so
 other   password required       pam_warn.so


   Having two 'other auth' lines is an example of stacking.

   On a system that uses the /etc/pam.d/ configuration, the corresponding
   default setup would be achieved with the following file:

 #
 # default configuration: /etc/pam.d/other
 #
 auth     required       pam_warn.so
 auth     required       pam_deny.so
 account  required       pam_deny.so
 password required       pam_warn.so
 password required       pam_deny.so
 session  required       pam_deny.so


   This is the only explicit example we give for an /etc/pam.d/ file. In
   general, it should be clear how to transpose the remaining examples to
   this configuration scheme.

   On a less sensitive computer, one on which the system administrator wishes
   to remain ignorant of much of the power of Linux-PAM, the following
   selection of lines (in /etc/pam.d/other) is likely to mimic the
   historically familiar Linux setup.

 #
 # default; standard UN*X access
 #
 auth     required       pam_unix.so
 account  required       pam_unix.so
 password required       pam_unix.so
 session  required       pam_unix.so


   In general this will provide a starting place for most applications.

                           Chapter 5. Security issues

5.1. If something goes wrong

   Linux-PAM has the potential to seriously change the security of your
   system. You can choose to have no security or absolute security (no access
   permitted). In general, Linux-PAM errs towards the latter. Any number of
   configuration errors can disable access to your system partially, or
   completely.

   The most dramatic problem that is likely to be encountered when
   configuring Linux-PAM is that of deleting the configuration file(s):
   /etc/pam.d/* and/or /etc/pam.conf. This will lock you out of your own
   system!

   To recover, your best bet is to restore the system from a backup or boot
   the system into a rescue system and correct things from there.

5.2. Avoid having a weak `other' configuration

   It is not a good thing to have a weak default (other) entry. This service
   is the default configuration for all PAM aware applications and if it is
   weak, your system is likely to be vulnerable to attack.

   Here is a sample "other" configuration file. The pam_deny module will deny
   access and the pam_warn module will send a syslog message to auth.notice:

 #
 # The PAM configuration file for the `other' service
 #
 auth      required   pam_deny.so
 auth      required   pam_warn.so
 account   required   pam_deny.so
 account   required   pam_warn.so
 password  required   pam_deny.so
 password  required   pam_warn.so
 session   required   pam_deny.so
 session   required   pam_warn.so


               Chapter 6. A reference guide for available modules

   Here, we collect together the descriptions of the various modules coming
   with Linux-PAM.

6.1. pam_access - logdaemon style login access control

   pam_access.so [ debug ] [ noaudit ] [ nodefgroup ] [ nodns ] [
   accessfile=file ] [ fieldsep=sep ] [ listsep=sep ]

  6.1.1. DESCRIPTION

   The pam_access PAM module is mainly for access management. It provides
   logdaemon style login access control based on login names, host or domain
   names, internet addresses or network numbers, or on terminal line names, X
   $DISPLAY values, or PAM service names in case of non-networked logins.

   By default rules for access management are taken from config file
   /etc/security/access.conf if you don't specify another file. Then
   individual *.conf files from the /etc/security/access.d/ directory are
   read. The files are parsed one after another in the order of the system
   locale. The effect of the individual files is the same as if all the files
   were concatenated together in the order of parsing. This means that once a
   pattern is matched in some file no further files are parsed. If a config
   file is explicitly specified with the accessfile option the files in the
   above directory are not parsed.

   If Linux PAM is compiled with audit support the module will report when it
   denies access based on origin (host, tty, etc.).

  6.1.2. DESCRIPTION

   The /etc/security/access.conf file specifies (user/group, host),
   (user/group, network/netmask), (user/group, tty), (user/group,
   X-$DISPLAY-value), or (user/group, pam-service-name) combinations for
   which a login will be either accepted or refused.

   When someone logs in, the file access.conf is scanned for the first entry
   that matches the (user/group, host) or (user/group, network/netmask)
   combination, or, in case of non-networked logins, the first entry that
   matches the (user/group, tty) combination, or in the case of non-networked
   logins without a tty, the first entry that matches the (user/group,
   X-$DISPLAY-value) or (user/group, pam-service-name) combination. The
   permissions field of that table entry determines whether the login will be
   accepted or refused.

   Each line of the login access control table has three fields separated by
   a ":" character (colon):

   permission:users/groups:origins

   The first field, the permission field, can be either a "+" character
   (plus) for access granted or a "-" character (minus) for access denied.

   The second field, the users/group field, should be a list of one or more
   login names, group names, or ALL (which always matches). To differentiate
   user entries from group entries, group entries should be written with
   brackets, e.g. (group).

   The third field, the origins field, should be a list of one or more tty
   names (for non-networked logins), X $DISPLAY values or PAM service names
   (for non-networked logins without a tty), host names, domain names (begin
   with "."), host addresses, internet network numbers (end with "."),
   internet network addresses with network mask (where network mask can be a
   decimal number or an internet address also), ALL (which always matches) or
   LOCAL. The LOCAL keyword matches when the user connects without a network
   connection (e.g., su, login). A connection through the loopback device
   (e.g., ssh user@localhost) is considered a network connection, and thus,
   the LOCAL keyword does not match.

   If supported by the system you can use @netgroupname in host or user
   patterns. The @@netgroupname syntax is supported in the user pattern only
   and it causes the local system hostname to be passed to the netgroup match
   call in addition to the user name. This might not work correctly on some
   libc implementations, causing the match to always fail.

   The EXCEPT operator makes it possible to write very compact rules.

   If the nodefgroup option is not set, the group file is searched when a
   name does not match that of the logged-in user. Only groups in which the
   user is explicitly listed are matched; the PAM module does not look at the
   primary group id of a user.

   The "#" character at start of line (no space at front) can be used to mark
   this line as a comment line.

  6.1.3. OPTIONS

   accessfile=/path/to/access.conf

           Indicate an alternative access.conf style configuration file to
           override the default. This can be useful when different services
           need different access lists.

   debug

           A lot of debug information is printed with syslog(3).

   noaudit

           Do not report logins from disallowed hosts and ttys to the audit
           subsystem.

   nodefgroup

           User tokens which are not enclosed in parentheses will not be
           matched against the group database. The backwards compatible
           default is to try the group database match even for tokens not
           enclosed in parentheses.

   nodns

           Do not try to resolve tokens as hostnames; only IPv4 and IPv6
           addresses will be resolved. This means that to allow login from a
           remote host, its IP addresses need to be specified in access.conf.

   quiet_log

           Do not log denials with syslog(3).

   fieldsep=separators

           This option modifies the field separator character that pam_access
           will recognize when parsing the access configuration file. For
           example: fieldsep=| will cause the default `:' character to be
           treated as part of a field value and `|' becomes the field
           separator. Doing this may be useful in conjunction with a system
           that wants to use pam_access with X based applications, since the
           PAM_TTY item is likely to be of the form "hostname:0" which
           includes a `:' character in its value. But you should not need
           this.

   listsep=separators

           This option modifies the list separator character that pam_access
           will recognize when parsing the access configuration file. For
           example: listsep=, will cause the default ` ' (space) and `\t'
           (tab) characters to be treated as part of a list element value and
           `,' becomes the only list element separator. Doing this may be
           useful on a system with group information obtained from a Windows
           domain, where the default built-in groups "Domain Users", "Domain
           Admins" contain a space.

  6.1.4. MODULE TYPES PROVIDED

   All module types (auth, account, password and session) are provided.

  6.1.5. RETURN VALUES

   PAM_SUCCESS

           Access was granted.

   PAM_PERM_DENIED

           Access was not granted.

   PAM_IGNORE

           pam_setcred was called which does nothing.

   PAM_ABORT

           Not all relevant data or options could be obtained.

   PAM_USER_UNKNOWN

           The user is not known to the system.

  6.1.6. FILES

   /etc/security/access.conf

           Default configuration file

  6.1.7. EXAMPLES

   These are some example lines which might be specified in
   /etc/security/access.conf.

   User root should be allowed to get access via cron, X11 terminal :0, tty1,
   ..., tty5, tty6.

   +:root:crond :0 tty1 tty2 tty3 tty4 tty5 tty6

   User root should be allowed to get access from hosts which own the IPv4
   addresses. This does not mean that the connection has to be an IPv4 one;
   an IPv6 connection from a host with one of these IPv4 addresses works,
   too.

   +:root:192.168.200.1 192.168.200.4 192.168.200.9

   +:root:127.0.0.1

   User root should get access from network 192.168.201. where the term will
   be evaluated by string matching. But it might be better to use
   network/netmask instead. 192.168.201. means the same as 192.168.201.0/24
   or 192.168.201.0/255.255.255.0.

   +:root:192.168.201.

   User root should be able to have access from hosts foo1.bar.org and
   foo2.bar.org (uses string matching also).

   +:root:foo1.bar.org foo2.bar.org

   User root should be able to have access from domain foo.bar.org (uses
   string matching also).

   +:root:.foo.bar.org

   User root should be denied access from all other sources.

   -:root:ALL

   User foo and members of netgroup admins should be allowed to get access
   from all sources. This will only work if netgroup service is available.

   +:@admins foo:ALL

   Users john and foo should get access from an IPv6 host address.

   +:john foo:2001:db8:0:101::1

   User john should get access from IPv6 net/mask.

   +:john:2001:db8:0:101::/64

   Disallow console logins to all but the shutdown and sync accounts and
   accounts which are members of the wheel group.

   -:ALL EXCEPT (wheel) shutdown sync:LOCAL

   All other users should be denied access from all sources.

   -:ALL:ALL

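   As an added example that is not part of pam_access or its documentation,
   the following Python evaluates access.conf rules of the kind shown above
   against (user, origin) pairs: the first matching line decides, with
   support for ALL, LOCAL, EXCEPT, group tokens in parentheses, tty and
   display names, host names, domain suffixes, dotted network numbers and
   network/netmask origins. Netgroups (@name, @@name) are not modelled. The
   group table and the access.conf text are constructed for the example (the
   latter adds one line to the documented rules so that the accounts spared
   by the EXCEPT rule are actually admitted), and the string LOCAL is this
   example's way of denoting a login with no remote host.

```python
import ipaddress

# Constructed stand-in for the group database. Like pam_access, only groups
# in which the user is explicitly listed count; the primary gid is ignored.
GROUPS = {"wheel": {"alice", "bob"}}

# Constructed access.conf built from the documented rules above, plus one
# added line admitting the console exceptions that the EXCEPT rule spares.
ACCESS_CONF = """\
+:root:crond :0 tty1 tty2 tty3 tty4 tty5 tty6
+:root:192.168.200.1 192.168.200.4 192.168.200.9
+:root:192.168.201.
+:root:.foo.bar.org
-:root:ALL
+:john foo:2001:db8:0:101::1
+:john:2001:db8:0:101::/64
-:ALL EXCEPT (wheel) shutdown sync:LOCAL
# added for this example: let the spared accounts in at the console
+:(wheel) shutdown sync:LOCAL
-:ALL:ALL
"""


def _is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def user_matches(token, user):
    """One users/groups token: ALL, (group) or a login name. As in the
    default (no nodefgroup), a bare name is also tried as a group name."""
    if token == "ALL":
        return True
    if token.startswith("(") and token.endswith(")"):
        return user in GROUPS.get(token[1:-1], set())
    return token == user or user in GROUPS.get(token, set())


def origin_matches(token, origin):
    """One origins token against the login origin: a tty or display name, a
    host name, an address, or 'LOCAL' for a login with no remote host (a
    loopback connection carries an address and is therefore not LOCAL)."""
    if token == "ALL":
        return True
    if token == "LOCAL":
        return origin == "LOCAL"
    if _is_ip(origin):
        if "/" in token:                      # network/netmask or prefix length
            return ipaddress.ip_address(origin) in ipaddress.ip_network(token, strict=False)
        if token.endswith("."):               # network number, a plain string prefix
            return origin.startswith(token)
        return _is_ip(token) and ipaddress.ip_address(token) == ipaddress.ip_address(origin)
    if token.startswith("."):                 # domain suffix
        return origin.endswith(token)
    return token == origin                    # exact tty, display or host name


def list_matches(tokens, value, matcher):
    """'a b EXCEPT c d' matches when the left list matches and the right does not."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return (list_matches(tokens[:i], value, matcher)
                and not list_matches(tokens[i + 1:], value, matcher))
    return any(matcher(t, value) for t in tokens)


def access_allowed(conf, user, origin):
    """True if access is granted. The first rule matching both fields decides;
    a login matching no rule at all is allowed, which is why a complete
    access.conf ends with -:ALL:ALL."""
    for line in conf.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        if (list_matches(users.split(), user, user_matches)
                and list_matches(origins.split(), origin, origin_matches)):
            return perm == "+"
    return True


if __name__ == "__main__":
    for who, where in [("root", "tty1"), ("root", "192.168.202.1"),
                       ("john", "2001:db8:0:101::beef"), ("alice", "LOCAL"),
                       ("alice", "127.0.0.1"), ("carol", "LOCAL")]:
        print(f"{who:6} from {where:22} -> {'allow' if access_allowed(ACCESS_CONF, who, where) else 'deny'}")
```

   Note the alice cases: she is admitted at the console but refused over
   ssh to 127.0.0.1, because loopback is a network connection and never
   matches LOCAL.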
  6.1.8. AUTHORS

   The logdaemon style login access control scheme was designed and
   implemented by Wietse Venema. The pam_access PAM module was developed by
   Alexei Nogin <alexei@nogin.dnttm.ru>. The IPv6 support and the
   network(address) / netmask feature was developed and provided by Mike
   Becher <mike.becher@lrz-muenchen.de>.

6.2. pam_cracklib - checks the password against dictionary words

   pam_cracklib.so [ ... ]

  6.2.1. DESCRIPTION

   This module can be plugged into the password stack of a given application
   to provide some plug-in strength-checking for passwords.

   The action of this module is to prompt the user for a password and check
   its strength against a system dictionary and a set of rules for
   identifying poor choices.

   The first action is to prompt for a single password, check its strength
   and then, if it is considered strong, prompt for the password a second
   time (to verify that it was typed correctly on the first occasion). All
   being well, the password is passed on to subsequent modules to be
   installed as the new authentication token.

   The strength checks work in the following manner: first the Cracklib
   routine is called to check whether the password is part of a dictionary;
   if it is not, an additional set of strength checks is done. These checks
   are:

   Palindrome

           Is the new password a palindrome?

   Case Change Only

           Is the new password the old one with only a change of case?

   Similar

           Is the new password too much like the old one? This is primarily
           controlled by one argument, difok which is a number of character
           changes (inserts, removals, or replacements) between the old and
           new password that are enough to accept the new password. This
           defaults to 5 changes.

   Simple

           Is the new password too small? This is controlled by 6 arguments:
           minlen, maxclassrepeat, dcredit, ucredit, lcredit, and ocredit.
           See the section on the arguments for the details of how these work
           and their defaults.

   Rotated

           Is the new password a rotated version of the old password?

   Same consecutive characters

           Optional check for same consecutive characters.

   Too long monotonic character sequence

           Optional check for too long monotonic character sequence.

   Contains user name

           Optional check whether the password contains the user's name in
           some form.

   This module with no arguments will work well for standard unix password
   encryption. With md5 encryption, passwords can be longer than 8 characters
   and the default settings for this module can make it hard for the user to
   choose a satisfactory new password. Notably, the requirement that the new
   password contain no more than 1/2 of the characters in the old password
   becomes a non-trivial constraint. For example, an old password of the form
   "the quick brown fox jumped over the lazy dogs" would be difficult to
   change... In addition, the default action is to allow passwords as small
   as 5 characters in length. For md5 systems it can be a good idea to
   increase the required minimum size of a password. One can then allow more
   credit for different kinds of characters but accept that the new password
   may share most of these characters with the old password.

  6.2.2. OPTIONS

   debug

           This option makes the module write information to syslog(3)
           indicating the behavior of the module (this option does not write
           password information to the log file).

   authtok_type=XXX

           The default action is for the module to use the following prompts
           when requesting passwords: "New UNIX password: " and "Retype UNIX
           password: ". The example word UNIX can be replaced with this
           option, by default it is empty.

   retry=N

           Prompt user at most N times before returning with error. The
           default is 1.

   difok=N

           This argument will change the default of 5 for the number of
           character changes in the new password that differentiate it from
           the old password.

   minlen=N

           The minimum acceptable size for the new password (plus one if
           credits are not disabled which is the default). In addition to the
           number of characters in the new password, credit (of +1 in length)
           is given for each different kind of character (other, upper, lower
           and digit). The default for this parameter is 9 which is good for
           an old style UNIX password all of the same type of character but
           may be too low to exploit the added security of an md5 system. Note
           that there is a pair of length limits in Cracklib itself, a "way
           too short" limit of 4 which is hard coded in and a defined limit
           (6) that will be checked without reference to minlen. If you want
           to allow passwords as short as 5 characters you should not use
           this module.

   dcredit=N

           (N >= 0) This is the maximum credit for having digits in the new
           password. If you have N or fewer digits, each digit will count
           +1 towards meeting the current minlen value. The default for
           dcredit is 1 which is the recommended value for minlen less than
           10.

           (N < 0) This is the minimum number of digits that must be met for
           a new password.

   ucredit=N

           (N >= 0) This is the maximum credit for having upper case letters
           in the new password. If you have N or fewer upper case letters,
           each letter will count +1 towards meeting the current minlen
           value. The default for ucredit is 1 which is the recommended value
           for minlen less than 10.

           (N < 0) This is the minimum number of upper case letters that must
           be met for a new password.

   lcredit=N

           (N >= 0) This is the maximum credit for having lower case letters
           in the new password. If you have N or fewer lower case letters,
           each letter will count +1 towards meeting the current minlen
           value. The default for lcredit is 1 which is the recommended value
           for minlen less than 10.

           (N < 0) This is the minimum number of lower case letters that must
           be met for a new password.

   ocredit=N

           (N >= 0) This is the maximum credit for having other characters in
           the new password. If you have N or fewer other characters, each
           character will count +1 towards meeting the current minlen value.
           The default for ocredit is 1 which is the recommended value for
           minlen less than 10.

           (N < 0) This is the minimum number of other characters that must
           be met for a new password.

   minclass=N

           The minimum number of required classes of characters for the new
           password. The default number is zero. The four classes are digits,
           upper and lower letters and other characters. The difference to
           the credit check is that no specific class of characters is
           required. Instead N out of the four classes are required.

   maxrepeat=N

           Reject passwords which contain more than N same consecutive
           characters. The default is 0 which means that this check is
           disabled.

   maxsequence=N

           Reject passwords which contain monotonic character sequences
           longer than N. The default is 0 which means that this check is
           disabled. Examples of such sequence are '12345' or 'fedcb'. Note
           that most such passwords will not pass the simplicity check unless
           the sequence is only a minor part of the password.

   maxclassrepeat=N

           Reject passwords which contain more than N consecutive characters
           of the same class. The default is 0 which means that this check is
           disabled.

   reject_username

           Check whether the name of the user in straight or reversed form is
           contained in the new password. If it is found the new password is
           rejected.

   gecoscheck

           Check whether the words from the GECOS field (usually the full name
           of the user) longer than 3 characters in straight or reversed form
           are contained in the new password. If any such word is found the
           new password is rejected.

   enforce_for_root

           The module will return error on failed check also if the user
           changing the password is root. This option is off by default which
           means that just the message about the failed check is printed but
           root can change the password anyway. Note that root is not asked
           for an old password so the checks that compare the old and new
           password are not performed.

   use_authtok

           This argument is used to force the module to not prompt the user
           for a new password but use the one provided by the previously
           stacked password module.

   dictpath=/path/to/dict

           Path to the cracklib dictionaries.

  6.2.3. MODULE TYPES PROVIDED

   Only the password module type is provided.

  6.2.4. RETURN VALUES

   PAM_SUCCESS

           The new password passes all checks.

   PAM_AUTHTOK_ERR

           No new password was entered, the username could not be determined
           or the new password fails the strength checks.

   PAM_AUTHTOK_RECOVERY_ERR

           The old password was not supplied by a previous stacked module or
           was not requested from the user. The first error can happen if
           use_authtok is specified.

   PAM_SERVICE_ERR

           An internal error occurred.

  6.2.5. EXAMPLES

   For an example of the use of this module, we show how it may be stacked
   with the password component of pam_unix(8)

 #
 # These lines stack two password type modules. In this example the
 # user is given 3 opportunities to enter a strong password. The
 # "use_authtok" argument ensures that the pam_unix module does not
 # prompt for a password, but instead uses the one provided by
 # pam_cracklib.
 #
 passwd  password required       pam_cracklib.so retry=3
 passwd  password required       pam_unix.so use_authtok


   Another example (in the /etc/pam.d/passwd format) is for the case that you
   want to use md5 password encryption:

 #%PAM-1.0
 #
 # These lines allow an md5 system to support passwords of at least 14
 # bytes, with extra credit of 2 for digits and 2 for others; the new
 # password must have at least three bytes that are not present in the
 # old password.
 #
 password  required pam_cracklib.so \
                difok=3 minlen=15 dcredit=2 ocredit=2
 password  required pam_unix.so use_authtok nullok md5


   And here is another example in case you don't want to use credits:

 #%PAM-1.0
 #
 # These lines require the user to select a password with a minimum
 # length of 8 and with at least 1 digit number, 1 upper case letter,
 # and 1 other character
 #
 password  required pam_cracklib.so \
                dcredit=-1 ucredit=-1 ocredit=-1 lcredit=0 minlen=8
 password  required pam_unix.so use_authtok nullok md5

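   As an added example, not part of the Linux-PAM documentation or of
   pam_cracklib itself, the following Python models the length-with-credits
   ("Simple") check and the optional maxrepeat, maxclassrepeat and
   maxsequence checks from the option descriptions above, so that the effect
   of the minlen and credit settings in the three example configurations can
   be seen on candidate passwords. The dictionary lookup and the comparisons
   with the old password (difok, rotation, case change) are omitted; the
   class and credit arithmetic follows the option descriptions, and the
   sample passwords are constructed.

```python
def _cls(ch):
    """Character class used by the credit rules: digit, upper, lower or other."""
    if ch.isdigit():
        return "digit"
    if ch.isupper():
        return "upper"
    if ch.islower():
        return "lower"
    return "other"


def char_classes(password):
    counts = {"digit": 0, "upper": 0, "lower": 0, "other": 0}
    for ch in password:
        counts[_cls(ch)] += 1
    return counts


def simple_check(password, minlen=9, dcredit=1, ucredit=1, lcredit=1, ocredit=1, minclass=0):
    """True if the password meets minlen after credits. A credit N >= 0 lets up
    to N characters of that class each count one extra towards minlen (so an
    all-lowercase password of minlen-1 characters passes the defaults); a
    credit N < 0 is a hard requirement for at least -N characters of the class.
    minclass additionally requires that many distinct classes."""
    counts = char_classes(password)
    credits = {"digit": dcredit, "upper": ucredit, "lower": lcredit, "other": ocredit}
    required = minlen
    for cls, credit in credits.items():
        if credit >= 0:
            required -= min(counts[cls], credit)
        elif counts[cls] < -credit:
            return False
    if minclass and sum(1 for n in counts.values() if n > 0) < minclass:
        return False
    return len(password) >= required


def max_run(password, same):
    """Length of the longest run of adjacent characters for which same(a, b) holds."""
    best = run = 1 if password else 0
    for prev, cur in zip(password, password[1:]):
        run = run + 1 if same(prev, cur) else 1
        best = max(best, run)
    return best


def longest_monotonic(password):
    """Longest run whose code points step by exactly +1 or -1 in one direction,
    e.g. '12345' or 'fedcb'."""
    best, i = (1 if password else 0), 0
    while i < len(password) - 1:
        step = ord(password[i + 1]) - ord(password[i])
        if step not in (1, -1):
            i += 1
            continue
        j = i + 1
        while j < len(password) - 1 and ord(password[j + 1]) - ord(password[j]) == step:
            j += 1
        best = max(best, j - i + 1)
        i = j
    return best


def repeat_checks(password, maxrepeat=0, maxclassrepeat=0, maxsequence=0):
    """The optional checks; a value of 0 disables each, as in the module."""
    if maxrepeat and max_run(password, lambda a, b: a == b) > maxrepeat:
        return False
    if maxclassrepeat and max_run(password, lambda a, b: _cls(a) == _cls(b)) > maxclassrepeat:
        return False
    if maxsequence and longest_monotonic(password) > maxsequence:
        return False
    return True


if __name__ == "__main__":
    # The md5 example: minlen=15 dcredit=2 ocredit=2 (ucredit, lcredit default 1)
    print(simple_check("Tr0ub4dor&3", minlen=15, dcredit=2, ocredit=2))   # True: 11 chars + 4 credits
    # The no-credits example: minlen=8 with one digit, one upper, one other required
    print(simple_check("Passw0rd!", minlen=8, dcredit=-1, ucredit=-1, ocredit=-1, lcredit=0))
    print(simple_check("password1!", minlen=8, dcredit=-1, ucredit=-1, ocredit=-1, lcredit=0))
```

   Running the md5 example settings against an 11-character password shows
   why the comment about "at least 14 bytes" is only true for passwords
   that earn no credits: each of the four classes present shortens the
   effective minimum.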

  6.2.6. AUTHOR

   pam_cracklib was written by Cristian Gafton <gafton@redhat.com>

6.3. pam_debug - debug the PAM stack

   pam_debug.so [ auth=value ] [ cred=value ] [ acct=value ] [
   prechauthtok=value ] [ chauthtok=value ] [ open_session=value ] [
   close_session=value ]

  6.3.1. DESCRIPTION

   The pam_debug PAM module is intended as a debugging aid for determining
   how the PAM stack is operating. This module returns what its module
   arguments tell it to return.

  6.3.2. OPTIONS

   auth=value

           The pam_sm_authenticate(3) function will return value.

   cred=value

           The pam_sm_setcred(3) function will return value.

   acct=value

           The pam_sm_acct_mgmt(3) function will return value.

   prechauthtok=value

           The pam_sm_chauthtok(3) function will return value if the
           PAM_PRELIM_CHECK flag is set.

   chauthtok=value

           The pam_sm_chauthtok(3) function will return value if the
           PAM_PRELIM_CHECK flag is not set.

   open_session=value

           The pam_sm_open_session(3) function will return value.

   close_session=value

           The pam_sm_close_session(3) function will return value.

   Where value can be one of: success, open_err, symbol_err, service_err,
   system_err, buf_err, perm_denied, auth_err, cred_insufficient,
   authinfo_unavail, user_unknown, maxtries, new_authtok_reqd, acct_expired,
   session_err, cred_unavail, cred_expired, cred_err, no_module_data,
   conv_err, authtok_err, authtok_recover_err, authtok_lock_busy,
   authtok_disable_aging, try_again, ignore, abort, authtok_expired,
   module_unknown, bad_item, conv_again, incomplete.

  6.3.3. MODULE TYPES PROVIDED

   All module types (auth, account, password and session) are provided.

  6.3.4. RETURN VALUES

   PAM_SUCCESS

           Default return code if no other value was specified, else
           specified return value.

  6.3.5. EXAMPLES

 auth    requisite       pam_permit.so
 auth    [success=2 default=ok]  pam_debug.so auth=perm_denied cred=success
 auth    [default=reset]         pam_debug.so auth=success cred=perm_denied
 auth    [success=done default=die] pam_debug.so
 auth    optional        pam_debug.so auth=perm_denied cred=perm_denied
 auth    sufficient      pam_debug.so auth=success cred=success


  6.3.6. AUTHOR

   pam_debug was written by Andrew G. Morgan <morgan@kernel.org>.

6.4. pam_deny - locking-out PAM module

   pam_deny.so

  6.4.1. DESCRIPTION

   This module can be used to deny access. It always indicates a failure to
   the application through the PAM framework. It might be suitable for use in
   the default (OTHER) entries.

  6.4.2. OPTIONS

   This module does not recognise any options.

  6.4.3. MODULE TYPES PROVIDED

   All module types (account, auth, password and session) are provided.

  6.4.4. RETURN VALUES

   PAM_AUTH_ERR

           This is returned by the account and auth services.

   PAM_CRED_ERR

           This is returned by the setcred function.

   PAM_AUTHTOK_ERR

           This is returned by the password service.

   PAM_SESSION_ERR

           This is returned by the session service.

  6.4.5. EXAMPLES

 #%PAM-1.0
 #
 # If we don't have config entries for a service, the
 # OTHER entries are used. To be secure, warn and deny
 # access to everything.
 other auth     required       pam_warn.so
 other auth     required       pam_deny.so
 other account  required       pam_warn.so
 other account  required       pam_deny.so
 other password required       pam_warn.so
 other password required       pam_deny.so
 other session  required       pam_warn.so
 other session  required       pam_deny.so


  6.4.6. AUTHOR

   pam_deny was written by Andrew G. Morgan <morgan@kernel.org>

6.5. pam_echo - print text messages

   pam_echo.so [ file=/path/message ]

  6.5.1. DESCRIPTION

   The pam_echo PAM module is for printing text messages to inform the user
   about special things. Sequences starting with the % character are
   interpreted in the following way:

   %H

           The name of the remote host (PAM_RHOST).

   %h

           The name of the local host.

   %s

           The service name (PAM_SERVICE).

   %t

           The name of the controlling terminal (PAM_TTY).

   %U

           The remote user name (PAM_RUSER).

   %u

           The local user name (PAM_USER).

   All other sequences beginning with % expand to the characters following
   the % character.

  6.5.2. OPTIONS

   file=/path/message

           The content of the file /path/message will be printed with the PAM
           conversation function as PAM_TEXT_INFO.

  6.5.3. MODULE TYPES PROVIDED

   All module types (auth, account, password and session) are provided.

  6.5.4. RETURN VALUES

   PAM_BUF_ERR

           Memory buffer error.

   PAM_SUCCESS

           Message was successfully printed.

   PAM_IGNORE

           PAM_SILENT flag was given or message file does not exist, no
           message printed.

  6.5.5. EXAMPLES

   For an example of the use of this module, we show how it may be used to
   print information about good passwords:

 password optional pam_echo.so file=/usr/share/doc/good-password.txt
 password required pam_unix.so


  6.5.6. AUTHOR

   Thorsten Kukuk <kukuk@thkukuk.de>

6.6. pam_env - set/unset environment variables

   pam_env.so [ debug ] [ conffile=conf-file ] [ envfile=env-file ] [
   readenv=0|1 ] [ user_envfile=env-file ] [ user_readenv=0|1 ]

  6.6.1. DESCRIPTION

   The pam_env PAM module allows the (un)setting of environment variables.
   The use of previously set environment variables as well as PAM_ITEMs such
   as PAM_RHOST is supported.

   By default rules for (un)setting of variables are taken from the config
   file /etc/security/pam_env.conf. An alternate file can be specified with
   the conffile option.

   Second, a file (/etc/environment by default) with simple KEY=VAL pairs on
   separate lines will be read. With the envfile option an alternate file can
   be specified, and with the readenv option this can be completely disabled.

   Third, it will read a user configuration file ($HOME/.pam_environment by
   default). The default file can be changed with the user_envfile option and
   it can be turned on and off with the user_readenv option.

   Since setting of PAM environment variables can have side effects to other
   modules, this module should be the last one on the stack.

  6.6.2. DESCRIPTION

   The /etc/security/pam_env.conf file specifies the environment variables to
   be set, unset or modified by pam_env(8). When someone logs in, this file
   is read and the environment variables are set accordingly.

   Each line starts with the variable name; there are then two possible
   options for each variable, DEFAULT and OVERRIDE. DEFAULT allows an
   administrator to set the value of the variable to some default value; if
   none is supplied then the empty string is assumed. The OVERRIDE option
   tells pam_env that it should enter in its value (overriding the default
   value) if there is one to use. If OVERRIDE is not used, "" is assumed and
   no override will be done.

   VARIABLE [DEFAULT=[value]] [OVERRIDE=[value]]

   (Possibly non-existent) environment variables may be used in values using
   the ${string} syntax and (possibly non-existent) PAM_ITEMs as well as HOME
   and SHELL may be used in values using the @{string} syntax. Both the $ and
   @ characters can be backslash escaped to be used as literal values. Values
   can be delimited with ""; escaped " is not supported. Note that many
   environment variables that you would like to use may not be set by the
   time the module is called. For example, ${HOME} is used below several
   times, but many PAM applications don't make it available by the time you
   need it. The special variables @{HOME} and @{SHELL} are expanded to the
   values for the user from their passwd entry.

   The "#" character at start of line (no space at front) can be used to mark
   this line as a comment line.

   The /etc/environment file specifies the environment variables to be set.
   The file must consist of simple NAME=VALUE pairs on separate lines. The
   pam_env(8) module will read the file after the pam_env.conf file.

  6.6.3. OPTIONS

   conffile=/path/to/pam_env.conf

           Indicate an alternative pam_env.conf style configuration file to
           override the default. This can be useful when different services
           need different environments.

   debug

           A lot of debug information is printed with syslog(3).

   envfile=/path/to/environment

           Indicate an alternative environment file to override the default.
           The syntax is simple KEY=VAL pairs on separate lines. The export
           instruction can be specified for bash compatibility, but will be
           ignored. This can be useful when different services need different
           environments.

   readenv=0|1

           Turns on or off the reading of the file specified by envfile (0 is
           off, 1 is on). By default this option is on.

   user_envfile=filename

           Indicate an alternative .pam_environment file to override the
           default. The syntax is the same as for /etc/environment. The
           filename is relative to the user home directory. This can be
           useful when different services need different environments.

   user_readenv=0|1

           Turns on or off the reading of the user specific environment file.
           0 is off, 1 is on. By default this option is off as user supplied
           environment variables in the PAM environment could affect behavior
           of subsequent modules in the stack without the consent of the
           system administrator.

  6.6.4. MODULE TYPES PROVIDED

   The auth and session module types are provided.

  6.6.5. RETURN VALUES

   PAM_ABORT

           Not all relevant data or options could be gotten.

   PAM_BUF_ERR

           Memory buffer error.

   PAM_IGNORE

           No pam_env.conf and environment file was found.

   PAM_SUCCESS

           Environment variables were set.

  6.6.6. FILES

   /etc/security/pam_env.conf

           Default configuration file

   /etc/environment

           Default environment file

   $HOME/.pam_environment

           User specific environment file

  6.6.7. EXAMPLES

   These are some example lines which might be specified in
   /etc/security/pam_env.conf.

   Set the REMOTEHOST variable for any hosts that are remote, default to
   "localhost" rather than not being set at all

       REMOTEHOST     DEFAULT=localhost OVERRIDE=@{PAM_RHOST}


   Set the DISPLAY variable if it seems reasonable

       DISPLAY        DEFAULT=${REMOTEHOST}:0.0 OVERRIDE=${DISPLAY}


   Now some simple variables

       PAGER          DEFAULT=less
       MANPAGER       DEFAULT=less
       LESS           DEFAULT="M q e h15 z23 b80"
       NNTPSERVER     DEFAULT=localhost
       PATH           DEFAULT=${HOME}/bin:/usr/local/bin:/bin\
       :/usr/bin:/usr/local/bin/X11:/usr/bin/X11
       XDG_DATA_HOME  @{HOME}/share/


   Silly examples of escaped variables, just to show how they work.

       DOLLAR         DEFAULT=\$
       DOLLARDOLLAR   DEFAULT=        OVERRIDE=\$${DOLLAR}
       DOLLARPLUS     DEFAULT=\${REMOTEHOST}${REMOTEHOST}
       ATSIGN         DEFAULT=""      OVERRIDE=\@


  6.6.8. AUTHOR

   pam_env was written by Dave Kinchlea <kinch@kinch.ark.com>.

6.7. pam_exec - call an external command

   pam_exec.so [ debug ] [ expose_authtok ] [ seteuid ] [ quiet ] [ stdout ]
   [ log=file ] [ type=type ] command [ ... ]

  6.7.1. DESCRIPTION

   pam_exec is a PAM module that can be used to run an external command.

   The child's environment is set to the current PAM environment list, as
   returned by pam_getenvlist(3). In addition, the following PAM items are
   exported as environment variables: PAM_RHOST, PAM_RUSER, PAM_SERVICE,
   PAM_TTY, PAM_USER and PAM_TYPE, which contains one of the module types:
   account, auth, password, open_session and close_session.

   Commands called by pam_exec need to be aware that the user can have
   control over the environment.

  6.7.2. OPTIONS

   debug

           Print debug information.

   expose_authtok

           During authentication the calling command can read the password
           from stdin(3). Only the first PAM_MAX_RESP_SIZE bytes of a password
           are provided to the command.

   log=file

           The output of the command is appended to file.

   type=type

           Only run the command if the module type matches the given type.

   stdout

           By default the output of the executed command is written to
           /dev/null. With this option, the stdout output of the executed
           command is redirected to the calling application. It is the
           responsibility of this application to decide what happens with the
           output. The log option is ignored.

   quiet

           By default pam_exec.so will echo the exit status of the external
           command if it fails. Specifying this option will suppress the
           message.

   seteuid

           By default pam_exec.so will execute the external command with the
           real user ID of the calling process. Specifying this option means
           the command is run with the effective user ID.

  6.7.3. MODULE TYPES PROVIDED

   All module types (auth, account, password and session) are provided.

  6.7.4. RETURN VALUES

   PAM_SUCCESS

           The external command was run successfully.

   PAM_SERVICE_ERR

           No argument or a wrong number of arguments were given.

   PAM_SYSTEM_ERR

           A system error occurred or the command to execute failed.

   PAM_IGNORE

           pam_setcred was called, which does not execute the command. Or,
           the value given for the type= parameter did not match the module
           type.

  6.7.5. EXAMPLES

   Add the following line to /etc/pam.d/passwd to rebuild the NIS database
   after each local password change:

         password optional pam_exec.so seteuid /usr/bin/make -C /var/yp


   This will execute the command

 make -C /var/yp

   with effective user ID.
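
   As a further added example of how a command run by pam_exec sees its
   environment (this script is constructed for this guide and is not part of
   Linux-PAM), the following hook logs session events. It assumes a stack
   line such as "session optional pam_exec.so
   /usr/local/sbin/pam-session-log.py" (the path is an assumption). It reads
   only the PAM_* variables that pam_exec exports, sanitises them before
   logging because PAM_RHOST and PAM_RUSER are supplied by the remote side,
   and, in keeping with the warning above, does not interpret anything else
   found in the environment.

```python
#!/usr/bin/env python3
"""Constructed pam_exec hook: records session open/close events to syslog.

Assumed stack line (path is an assumption for this example):
    session optional pam_exec.so /usr/local/sbin/pam-session-log.py
"""
import os
import sys
import syslog
from typing import Dict, Tuple

# Items pam_exec exports into the child's environment, per the description above.
PAM_VARS = ("PAM_SERVICE", "PAM_TYPE", "PAM_USER", "PAM_RUSER", "PAM_RHOST", "PAM_TTY")
SESSION_TYPES = ("open_session", "close_session")


def printable(value: str, limit: int = 128) -> str:
    """Replace control and non-ASCII characters and cap the length, so a
    crafted PAM_RHOST or PAM_RUSER cannot inject newlines into the log."""
    return "".join(c if 32 <= ord(c) < 127 else "?" for c in value)[:limit]


def build_record(env: Dict[str, str]) -> Tuple[int, str]:
    """Return (exit status, log line). Only the PAM_* variables are read: the
    rest of the environment is the PAM environment list, which a user may be
    able to influence (see pam_env's user_readenv), so nothing else is trusted.
    Exit status 0 maps to PAM_SUCCESS; any other status makes pam_exec fail."""
    if env.get("PAM_TYPE") not in SESSION_TYPES:
        return 0, ""   # not a session event: do nothing and do not fail the stack
    fields = " ".join(f"{name.lower()}={printable(env.get(name, '-'))}" for name in PAM_VARS)
    return 0, f"pam_exec session hook: {fields}"


def main() -> int:
    status, line = build_record(dict(os.environ))
    if line:
        syslog.openlog("pam-session-log", syslog.LOG_PID, syslog.LOG_AUTHPRIV)
        syslog.syslog(syslog.LOG_INFO, line)
    return status


if __name__ == "__main__":
    sys.exit(main())
```

   Using the type= option on the stack line would let pam_exec skip the
   command for the other module types instead of the script doing so itself;
   the script still checks PAM_TYPE so that it behaves the same way when
   that option is left out.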

  6.7.6. AUTHOR

   pam_exec was written by Thorsten Kukuk <kukuk@thkukuk.de> and Josh
   Triplett <josh@joshtriplett.org>.

6.8. pam_faildelay - change the delay on failure per-application

   pam_faildelay.so [ debug ] [ delay=microseconds ]

  6.8.1. DESCRIPTION

   pam_faildelay is a PAM module that can be used to set the delay on failure
   per-application.

   If no delay is given, pam_faildelay will use the value of FAIL_DELAY from
   /etc/login.defs.

  6.8.2. OPTIONS

   debug

           Turns on debugging messages sent to syslog.

   delay=N

           Set the delay on failure to N microseconds.

  6.8.3. MODULE TYPES PROVIDED

   Only the auth module type is provided.

  6.8.4. RETURN VALUES

   PAM_IGNORE

           Delay was successfully adjusted.

   PAM_SYSTEM_ERR

           The specified delay was not valid.

  6.8.5. EXAMPLES

   The following example will set the delay on failure to 10 seconds:

 auth  optional  pam_faildelay.so  delay=10000000


  6.8.6. AUTHOR

   pam_faildelay was written by Darren Tucker <dtucker@zip.com.au>.

6.9. pam_filter - filter module

   pam_filter.so [ debug ] [ new_term ] [ non_term ] run1|run2 filter [ ... ]

  6.9.1. DESCRIPTION

   This module is intended to be a platform for providing access to all of
   the input/output that passes between the user and the application. It is
   only suitable for tty-based and (stdin/stdout) applications.

   To function this module requires filters to be installed on the system.
   The single filter provided with the module simply transposes upper and
   lower case letters in the input and output streams. (This can be very
   annoying and is not kind to termcap based editors).

   Each component of the module has the potential to invoke the desired
   filter. The filter is always started with execv(2) under the privilege of
   the calling application and not that of the user. For this reason it
   cannot usually be killed by the user without closing their session.

  6.9.2. OPTIONS

   debug

           Print debug information.

   new_term

           The default action of the filter is to set the PAM_TTY item to
           indicate the terminal that the user is using to connect to the
           application. This argument indicates that the filter should set
           PAM_TTY to the filtered pseudo-terminal.

   non_term

           Don't try to set the PAM_TTY item.

   runX

           In order that the module can invoke a filter it should know when
           to invoke it. This argument is required to tell the filter when to
           do this.

           Permitted values for X are 1 and 2. These indicate the precise
           time that the filter is to be run. To understand this concept it
           will be useful to have read the pam(3) manual page. Basically, for
           each management group there are up to two ways of calling the
           module's functions. In the case of the authentication and session
           components there are actually two separate functions. For the case
           of authentication, these functions are pam_authenticate(3) and
           pam_setcred(3), here run1 means run the filter from the
           pam_authenticate function and run2 means run the filter from
           pam_setcred. In the case of the session modules, run1 implies that
           the filter is invoked at the pam_open_session(3) stage, and run2
           for pam_close_session(3).

           For the case of the account component, either run1 or run2 may be
           used.

           For the case of the password component, run1 is used to indicate
           that the filter is run on the first occasion of pam_chauthtok(3)
           (the PAM_PRELIM_CHECK phase) and run2 is used to indicate that the
           filter is run on the second occasion (the PAM_UPDATE_AUTHTOK
           phase).

   filter

           The full pathname of the filter to be run and any command line
           arguments that the filter might expect.

  6.9.3. MODULE TYPES PROVIDED

   All module types (auth, account, password and session) are provided.

  6.9.4. RETURN VALUES

   PAM_SUCCESS

           The new filter was set successfully.

   PAM_ABORT

           Critical error, immediate abort.

  6.9.5. EXAMPLES

   Add the following line to /etc/pam.d/login to see how to configure login
   to transpose upper and lower case letters once the user has logged in:

         session required pam_filter.so run1 /lib/security/pam_filter/upperLOWER


  6.9.6. AUTHOR

   pam_filter was written by Andrew G. Morgan <morgan@kernel.org>.

6.10. pam_ftp - module for anonymous access

   pam_ftp.so [ debug ] [ ignore ] [ users=XXX,YYY, ...]

  6.10.1. DESCRIPTION

   pam_ftp is a PAM module which provides a pluggable anonymous ftp mode of
   access.

   This module intercepts the user's name and password. If the name is ftp or
   anonymous, the user's password is broken up at the @ delimiter into a
   PAM_RUSER and a PAM_RHOST part; these pam-items being set accordingly. The
   username (PAM_USER) is set to ftp. In this case the module succeeds.
   Alternatively, the module sets the PAM_AUTHTOK item with the entered
   password and fails.

   This module is not safe and easily spoofable.

  6.10.2. OPTIONS

   debug

           Print debug information.

   ignore

           Pay no attention to the email address of the user (if supplied).

   users=XXX,YYY,...

           Instead of ftp or anonymous, provide anonymous login to the comma
           separated list of users: XXX,YYY,.... Should the applicant enter
           one of these usernames the returned username is set to the first
           in the list: XXX.

  6.10.3. MODULE TYPES PROVIDED

   Only the auth module type is provided.

  6.10.4. RETURN VALUES

   PAM_SUCCESS

           The authentication was successful.

   PAM_USER_UNKNOWN

           User not known.

  6.10.5. EXAMPLES

   Add the following line to /etc/pam.d/ftpd to handle ftp style anonymous
   login:

 #
 # ftpd; add ftp-specifics. These lines enable anonymous ftp over
 #       standard UN*X access (the listfile entry blocks access to
 #       users listed in /etc/ftpusers)
 #
 auth    sufficient  pam_ftp.so
 auth    required    pam_unix.so use_first_pass
 auth    required    pam_listfile.so \
            onerr=succeed item=user sense=deny file=/etc/ftpusers


  6.10.6. AUTHOR

   pam_ftp was written by Andrew G. Morgan <morgan@kernel.org>.

6.11. pam_group - module to modify group access

   pam_group.so

  6.11.1. DESCRIPTION

   The pam_group PAM module does not authenticate the user, but instead it
   grants group memberships (in the credential setting phase of the
   authentication module) to the user. Such memberships are based on the
   service they are applying for.

   By default rules for group memberships are taken from config file
   /etc/security/group.conf.

   This module's usefulness relies on the file-systems accessible to the
   user. The point being that once granted the membership of a group, the
   user may attempt to create a setgid binary with a restricted group
   ownership. Later, when the user is not given membership to this group,
   they can recover group membership with the precompiled binary. The reason
   that the file-systems that the user has access to are so significant, is
   the fact that when a system is mounted nosuid the user is unable to create
   or execute such a binary file. For this module to provide any level of
   security, all file-systems that the user has write access to should be
   mounted nosuid.

   The pam_group module functions in parallel with the /etc/group file. If
   the user is granted any groups based on the behavior of this module, they
   are granted in addition to the entries in /etc/group (or equivalent).

  6.11.2. DESCRIPTION

   The pam_group PAM module does not authenticate the user, but instead it
   grants group memberships (in the credential setting phase of the
   authentication module) to the user. Such memberships are based on the
   service they are applying for.

   For this module to function correctly there must be a correctly formatted
   /etc/security/group.conf file present. White spaces are ignored and lines
   may be extended with '\' (escaped newlines). Text following a '#' is
   ignored to the end of the line.

   The syntax of the lines is as follows:

   services;ttys;users;times;groups

   The first field, the services field, is a logic list of PAM service names
   that the rule applies to.

   The second field, the tty field, is a logic list of terminal names that
   this rule applies to.

   The third field, the users field, is a logic list of users, or a UNIX
   group, or a netgroup of users to whom this rule applies. Group names are
   preceded by a '%' symbol, while netgroup names are preceded by a '@'
   symbol.

   For these items the simple wildcard '*' may be used only once. With UNIX
   groups or netgroups no wildcards or logic operators are allowed.

   The times field is used to indicate "when" these groups are to be given to
   the user. The format here is a logic list of day/time-range entries. The
   days are specified by a sequence of two character entries, MoTuSa for
   example is Monday Tuesday and Saturday. Note that repeated days are unset
   MoMo = no day, and MoWk = all weekdays bar Monday. The two character
   combinations accepted are Mo Tu We Th Fr Sa Su Wk Wd Al, the last two
   being week-end days and all 7 days of the week respectively. As a final
   example, AlFr means all days except Friday.

   Each day/time-range can be prefixed with a '!' to indicate "anything but".
   The time-range part is two 24-hour times HHMM, separated by a hyphen,
   indicating the start and finish time (if the finish time is smaller than
   the start time it is deemed to apply on the following day).

   The groups field is a comma or space separated list of groups that the
   user inherits membership of. These groups are added if the previous fields
   are satisfied by the user's request.

   For a rule to be active, ALL of service+ttys+users must be satisfied by
   the applying process.

  6.11.3. OPTIONS

   This module does not recognise any options.

  6.11.4. MODULE TYPES PROVIDED

   Only the auth module type is provided.

  6.11.5. RETURN VALUES

   PAM_SUCCESS

           group membership was granted.

   PAM_ABORT

           Not all relevant data could be gotten.

   PAM_BUF_ERR

           Memory buffer error.

   PAM_CRED_ERR

           Group membership was not granted.

   PAM_IGNORE

           pam_sm_authenticate was called which does nothing.

   PAM_USER_UNKNOWN

           The user is not known to the system.

  6.11.6. FILES

   /etc/security/group.conf

           Default configuration file

  6.11.7. EXAMPLES

   These are some example lines which might be specified in
   /etc/security/group.conf.

   Running 'xsh' on tty* (any ttyXXX device), the user 'us' is given access
   to the floppy (through membership of the floppy group)

 xsh;tty*&!ttyp*;us;Al0000-2400;floppy

   Running 'xsh' on tty* (any ttyXXX device), the users 'sword', 'pike' and
   'shield' are given access to games (through membership of the floppy
   group) after work hours.

 xsh; tty* ;sword|pike|shield;!Wk0900-1800;games, sound
 xsh; tty* ;*;Al0900-1800;floppy


   Any member of the group 'admin' running 'xsh' on tty*, is granted access
   (at any time) to the group 'plugdev'

 xsh; tty* ;%admin;Al0000-2400;plugdev
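
   The field syntax and the example lines above are easiest to check with a
   small evaluator. The following Python is an added model written for this
   guide, not pam_group's own code: it parses a group.conf built from the
   four example rules, evaluates the logic lists (& and | applied left to
   right, ! negating the next entry, a single * wildcard), toggles repeated
   day codes exactly as the text describes, and handles time ranges that
   cross midnight. The timestamps and the user and group data are
   constructed; netgroup (@name) entries are not modelled and never match.

```python
import re
from datetime import datetime
from typing import Callable, Iterable, List, Set

# Constructed group.conf built from the example lines above.
SAMPLE_GROUP_CONF = """\
# services;ttys;users;times;groups
xsh;tty*&!ttyp*;us;Al0000-2400;floppy
xsh; tty* ;sword|pike|shield;!Wk0900-1800;games, sound
xsh; tty* ;*;Al0900-1800;floppy
xsh; tty* ;%admin;Al0000-2400;plugdev
"""

# Constructed timestamps (2024-01-01 is a Monday, 2024-01-07 a Sunday).
MON_1000 = datetime(2024, 1, 1, 10, 0)
MON_2000 = datetime(2024, 1, 1, 20, 0)
SUN_0300 = datetime(2024, 1, 7, 3, 0)

# Day codes as bitmasks over datetime.weekday() numbering (Mo=0 ... Su=6).
DAY_MASKS = {"Mo": 1, "Tu": 2, "We": 4, "Th": 8, "Fr": 16, "Sa": 32, "Su": 64,
             "Wk": 0b0011111, "Wd": 0b1100000, "Al": 0b1111111}


def wild(pattern: str, value: str) -> bool:
    """Match with the single '*' wildcard the syntax allows (prefix*suffix)."""
    if "*" not in pattern:
        return pattern == value
    prefix, suffix = pattern.split("*", 1)
    return (value.startswith(prefix) and value.endswith(suffix)
            and len(value) >= len(prefix) + len(suffix))


def logic_list(field: str, atom: Callable[[str], bool]) -> bool:
    """Atoms joined by '&' / '|' with '!' negating the next atom, left to right."""
    result, op, negate = False, "", False
    for tok in re.findall(r"[&|!]|[^&|!]+", field):
        if tok in ("&", "|"):
            op = tok
        elif tok == "!":
            negate = not negate
        else:
            val = atom(tok) != negate
            negate = False
            result = (result and val) if op == "&" else (result or val) if op == "|" else val
    return result


def time_matches(atom: str, when: datetime) -> bool:
    """Day/time-range entry such as 'Wk0900-1800'. Repeated day codes toggle
    (MoMo = no day, MoWk = Tu-Fr, AlFr = all but Friday); a finish time below
    the start time runs past midnight into the following day."""
    m = re.fullmatch(r"((?:[A-Za-z]{2})*)(\d{4})-(\d{4})", atom)
    if not m:
        return False
    days = 0
    for code in re.findall("..", m.group(1)):
        if code not in DAY_MASKS:
            return False
        days ^= DAY_MASKS[code]
    start, end = int(m.group(2)), int(m.group(3))
    now = when.hour * 100 + when.minute
    today = 1 << when.weekday()
    yesterday = 1 << ((when.weekday() - 1) % 7)
    if start <= end:
        return bool(days & today) and start <= now < end
    return (bool(days & today) and now >= start) or (bool(days & yesterday) and now < end)


def parse_rules(conf: str) -> List[List[str]]:
    """[services, ttys, users, times, groups] per rule; '#' starts a comment,
    a trailing backslash continues the line, whitespace is ignored in the
    first four fields."""
    rules, buf = [], ""
    for raw in conf.splitlines():
        buf += raw.split("#", 1)[0].rstrip()
        if buf.endswith("\\"):
            buf = buf[:-1]
            continue
        fields = buf.split(";")
        buf = ""
        if len(fields) == 5:
            rules.append([re.sub(r"\s+", "", f) for f in fields[:4]] + [fields[4]])
    return rules


def granted_groups(conf: str, service: str, tty: str, user: str,
                   user_groups: Iterable[str], when: datetime) -> Set[str]:
    """Groups pam_group would add: a rule applies only if ALL of its services,
    ttys and users fields match and its times field is satisfied."""
    groups_of_user = set(user_groups)

    def user_atom(atom: str) -> bool:
        if atom.startswith("%"):      # UNIX group: no wildcard or logic inside
            return atom[1:] in groups_of_user
        if atom.startswith("@"):      # netgroups are not modelled in this example
            return False
        return wild(atom, user)

    granted: Set[str] = set()
    for services, ttys, users, times, groups in parse_rules(conf):
        if (logic_list(services, lambda a: wild(a, service))
                and logic_list(ttys, lambda a: wild(a, tty))
                and logic_list(users, user_atom)
                and logic_list(times, lambda a: time_matches(a, when))):
            granted.update(g for g in re.split(r"[,\s]+", groups.strip()) if g)
    return granted


if __name__ == "__main__":
    print(granted_groups(SAMPLE_GROUP_CONF, "xsh", "tty2", "pike", [], MON_2000))
```

   Evaluating the sample for pike at 20:00 on a Monday yields games and
   sound, because !Wk0900-1800 negates working hours, while at 10:00 the same
   user gets floppy from the third rule instead; a session on ttyp0 gets
   nothing from the first rule, since tty*&!ttyp* excludes pseudo-terminals.
   Whatever the evaluator grants is only as strong as the nosuid caveat in
   the description above allows.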


  6.11.8. AUTHORS

   pam_group was written by Andrew G. Morgan <morgan@kernel.org>.

6.12. pam_issue - add issue file to user prompt

   pam_issue.so [ noesc ] [ issue=issue-file-name ]

  6.12.1. DESCRIPTION

   pam_issue is a PAM module to prepend an issue file to the username prompt.
   It also by default parses escape codes in the issue file similar to some
   common gettys (using \x format).

   Recognized escapes:

   \d

           current day

   \l

           name of this tty

   \m

           machine architecture (uname -m)

   \n

           machine's network node hostname (uname -n)

   \o

           domain name of this system

   \r

           release number of operating system (uname -r)

   \t

           current time

   \s

           operating system name (uname -s)

   \u

           number of users currently logged in

   \U

           same as \u except it is suffixed with "user" or "users" (e.g. "1
           user" or "10 users")

   \v

           operating system version and build date (uname -v)

  6.12.2. OPTIONS

   noesc

           Turns off escape code parsing.

   issue=issue-file-name

           The file to output if not using the default.

  6.12.3. MODULE TYPES PROVIDED

   Only the auth module type is provided.

  6.12.4. RETURN VALUES

   PAM_BUF_ERR

           Memory buffer error.

   PAM_IGNORE

           The prompt was already changed.

   PAM_SERVICE_ERR

           A service module error occurred.

   PAM_SUCCESS

           The new prompt was set successfully.

  6.12.5. EXAMPLES

   Add the following line to /etc/pam.d/login to set the user specific issue
   at login:

         auth optional pam_issue.so issue=/etc/issue


  6.12.6. AUTHOR

   pam_issue was written by Ben Collins <bcollins@debian.org>.

6.13. pam_keyinit - display the keyinit file

   pam_keyinit.so [ debug ] [ force ] [ revoke ]

  6.13.1. DESCRIPTION

   The pam_keyinit PAM module ensures that the invoking process has a session
   keyring other than the user default session keyring.

   The session component of the module checks to see if the process's session
   keyring is the user default, and, if it is, creates a new anonymous
   session keyring with which to replace it.

   If a new session keyring is created, it will install a link to the user
   common keyring in the session keyring so that keys common to the user will
   be automatically accessible through it.

   The session keyring of the invoking process will thenceforth be inherited
   by all its children unless they override it.

   This module is intended primarily for use by login processes. Be aware
   that after the session keyring has been replaced, the old session keyring
   and the keys it contains will no longer be accessible.

   This module should not, generally, be invoked by programs like su, since
   it is usually desirable for the key set to percolate through to the
   alternate context. The keys have their own permissions system to manage
   this.

   This module should be included as early as possible in a PAM
   configuration, so that other PAM modules can attach tokens to the keyring.

   The keyutils package is used to manipulate keys more directly. This can be
   obtained from:

   Keyutils

  6.13.2. OPTIONS

   debug

           Log debug information with syslog(3).

   force

           Causes the session keyring of the invoking process to be replaced
           unconditionally.

   revoke

           Causes the session keyring of the invoking process to be revoked
           when the invoking process exits if the session keyring was created
           for this process in the first place.

  6.13.3. MODULE TYPES PROVIDED

   Only the session module type is provided.

  6.13.4. RETURN VALUES

   PAM_SUCCESS

           This module will usually return this value.

   PAM_AUTH_ERR

           Authentication failure.

   PAM_BUF_ERR

           Memory buffer error.

   PAM_IGNORE

           The return value should be ignored by PAM dispatch.

   PAM_SERVICE_ERR

           Cannot determine the user name.

   PAM_SESSION_ERR

           This module will return this value if its arguments are invalid or
           if a system error such as ENOMEM occurs.

   PAM_USER_UNKNOWN

           User not known.

  6.13.5. EXAMPLES

   Add this line to your login entries to start each login session with its
   own session keyring:

 session  required  pam_keyinit.so


   This will prevent keys from one session leaking into another session for
   the same user.

  6.13.6. AUTHOR

   pam_keyinit was written by David Howells, <dhowells@redhat.com>.

6.14. pam_lastlog - display date of last login

   pam_lastlog.so [ debug ] [ silent ] [ never ] [ nodate ] [ nohost ] [
   noterm ] [ nowtmp ] [ noupdate ] [ showfailed ] [ inactive=<days> ] [
   unlimited ]

  6.14.1. DESCRIPTION

   pam_lastlog is a PAM module to display a line of information about the
   last login of the user. In addition, the module maintains the
   /var/log/lastlog file.

   Some applications may perform this function themselves. In such cases,
   this module is not necessary.

   If the module is called in the auth or account phase, accounts that were
   not used recently enough will not be allowed to log in. The check is not
   performed for the root account, so root is never locked out.

  6.14.2. OPTIONS

   debug

           Print debug information.

   silent

           Don't inform the user about any previous login, just update the
           /var/log/lastlog file. This option does not affect display of bad
           login attempts.

   never

           If the /var/log/lastlog file does not contain any old entries for
           the user, indicate that the user has never previously logged in
           with a welcome message.

   nodate

           Don't display the date of the last login.

   noterm

           Don't display the terminal name on which the last login was
           attempted.

   nohost

           Don't indicate from which host the last login was attempted.

   nowtmp

           Don't update the wtmp entry.

   noupdate

           Don't update any file.

   showfailed

           Display number of failed login attempts and the date of the last
           failed attempt from btmp. The date is not displayed when nodate is
           specified.

   inactive=<days>

           This option is specific for the auth or account phase. It
           specifies the number of days after the last login of the user when
           the user will be locked out by the module. The default value is
           90.

   unlimited

           If the fsize limit is set, this option can be used to override it,
           preventing failures on systems with large UID values that cause
           lastlog to become a huge sparse file.

  6.14.3. MODULE TYPES PROVIDED

   The auth and account module types allow locking out users who did not log
   in recently enough. The session module type is provided for displaying
   the information about the last login and/or updating the lastlog and wtmp
   files.

  6.14.4. RETURN VALUES

   PAM_SUCCESS

           Everything was successful.

   PAM_SERVICE_ERR

           Internal service module error.

   PAM_USER_UNKNOWN

           User not known.

   PAM_AUTH_ERR

           User locked out in the auth or account phase due to inactivity.

   PAM_IGNORE

           There was an error during reading the lastlog file in the auth or
           account phase and thus inactivity of the user cannot be
           determined.

  6.14.5. EXAMPLES

   Add the following line to /etc/pam.d/login to display the last login time
   of a user:

     session  required  pam_lastlog.so nowtmp


   To reject the user if they did not log in during the previous 50 days the
   following line can be used:

     auth  required  pam_lastlog.so inactive=50


  6.14.6. AUTHOR

   pam_lastlog was written by Andrew G. Morgan <morgan@kernel.org>.

   Inactive account lock out added by Tomas Mraz <tm@t8m.info>.

6.15. pam_limits - limit resources

   pam_limits.so [ conf=/path/to/limits.conf ] [ debug ] [ set_all ] [
   utmp_early ] [ noaudit ]

  6.15.1. DESCRIPTION

   The pam_limits PAM module sets limits on the system resources that can be
   obtained in a user-session. Users of uid=0 are affected by these limits,
   too.

   By default limits are taken from the /etc/security/limits.conf config
   file. Then individual *.conf files from the /etc/security/limits.d/
   directory are read. The files are parsed one after another in the order of
   "C" locale. The effect of the individual files is the same as if all the
   files were concatenated together in the order of parsing. If a config file
   is explicitly specified with a module option then the files in the above
   directory are not parsed.

   The module must not be called by a multithreaded application.

   If Linux PAM is compiled with audit support the module will report when it
   denies access based on limit of maximum number of concurrent login
   sessions.

  6.15.2. DESCRIPTION

   The pam_limits.so module applies ulimit limits, nice priority and number
   of simultaneous login sessions limit to user login sessions. This
   description of the configuration file syntax applies to the
   /etc/security/limits.conf file and *.conf files in the
   /etc/security/limits.d directory.

   The syntax of the lines is as follows:

   <domain> <type> <item> <value>

   The fields listed above should be filled as follows:

   <domain>

              * a username

              * a groupname, with @group syntax. This should not be confused
                with netgroups.

              * the wildcard *, for default entry.

              * the wildcard %, for maxlogins limit only, can also be used
                with %group syntax. If the % wildcard is used alone it is
                identical to using * with maxsyslogins limit. With a group
                specified after % it limits the total number of logins of all
                users that are member of the group.

              * a uid range specified as <min_uid>:<max_uid>. If min_uid is
                omitted, the match is exact for the max_uid. If max_uid is
                omitted, all uids greater than or equal to min_uid match.

              * a gid range specified as @<min_gid>:<max_gid>. If min_gid is
                omitted, the match is exact for the max_gid. If max_gid is
                omitted, all gids greater than or equal to min_gid match. For
                the exact match all groups including the user's supplementary
                groups are examined. For the range matches only the user's
                primary group is examined.

              * a gid specified as %:<gid> applicable to maxlogins limit
                only. It limits the total number of logins of all users that
                are member of the group with the specified gid.

   <type>

                hard

                        for enforcing hard resource limits. These limits are
                        set by the superuser and enforced by the Kernel. The
                        user cannot raise his requirement of system resources
                        above such values.

                soft

                        for enforcing soft resource limits. These limits are
                        ones that the user can move up or down within the
                        permitted range by any pre-existing hard limits. The
                        values specified with this token can be thought of as
                        default values, for normal system usage.

                -

                        for enforcing both soft and hard resource limits
                        together.

                        Note, if you specify a type of '-' but neglect to
                        supply the item and value fields, then the module will
                        never enforce any limits on the specified user/group
                        etc.

   <item>

                core

                        limits the core file size (KB)

                data

                        maximum data size (KB)

                fsize

                        maximum filesize (KB)

                memlock

                        maximum locked-in-memory address space (KB)

                nofile

                        maximum number of open file descriptors

                rss

                        maximum resident set size (KB) (Ignored in Linux
                        2.4.30 and higher)

                stack

                        maximum stack size (KB)

                cpu

                        maximum CPU time (minutes)

                nproc

                        maximum number of processes

                as

                        address space limit (KB)

                maxlogins

                        maximum number of logins for this user (this limit
                        does not apply to users with uid=0)

                maxsyslogins

                        maximum number of all logins on the system; a user is
                        not allowed to log in if the total number of all user
                        logins is greater than the specified number (this
                        limit does not apply to users with uid=0)

                priority

                        the priority to run user process with (negative
                        values boost process priority)

                locks

                        maximum locked files (Linux 2.4 and higher)

                sigpending

                        maximum number of pending signals (Linux 2.6 and
                        higher)

                msgqueue

                        maximum memory used by POSIX message queues (bytes)
                        (Linux 2.6 and higher)

                nice

                        maximum nice priority allowed to raise to (Linux
                        2.6.12 and higher) values: [-20,19]

                rtprio

                        maximum realtime priority allowed for non-privileged
                        processes (Linux 2.6.12 and higher)

   All items support the values -1, unlimited or infinity indicating no
   limit, except for priority and nice. If nofile is to be set to one of
   these values, it will be set to the contents of /proc/sys/fs/nr_open
   instead (see setrlimit(3)).

   If a hard limit or soft limit of a resource is set to a valid value, but
   outside of the supported range of the local system, the system may reject
   the new limit or unexpected behavior may occur. If the control value
   required is used, the module will reject the login if a limit could not be
   set.

   In general, individual limits have priority over group limits, so if you
   impose no limits for the admin group, but one of the members of this group
   has a limits line, that user will have their limits set according to this
   line.

   Also, please note that all limit settings are set per login. They are not
   global, nor are they permanent; they exist only for the duration of the
   session. One exception is the maxlogins option, which is system wide.
   But there is a race: concurrent logins at the same time will not always be
   detected as such but only counted as one.

   In the limits configuration file, the '#' character introduces a comment -
   after which the rest of the line is ignored.

   The pam_limits module does report configuration problems found in its
   configuration file and errors via syslog(3).

  6.15.3. OPTIONS

   conf=/path/to/limits.conf

           Indicate an alternative limits.conf style configuration file to
           override the default.

   debug

           Print debug information.

   set_all

           Set the limits for which no value is specified in the
           configuration file to the one from the process with the PID 1.

   utmp_early

           Some broken applications actually allocate a utmp entry for the
           user before the user is admitted to the system. If some of the
           services you are configuring PAM for do this, you can selectively
           use this module argument to compensate for this behavior and at
           the same time maintain system-wide consistency with a single
           limits.conf file.

   noaudit

           Do not report exceeded maximum logins count to the audit
           subsystem.

  6.15.4. MODULE TYPES PROVIDED

   Only the session module type is provided.

  6.15.5. RETURN VALUES

   PAM_ABORT

           Cannot get current limits.

   PAM_IGNORE

           No limits found for this user.

   PAM_PERM_DENIED

           New limits could not be set.

   PAM_SERVICE_ERR

           Cannot read config file.

   PAM_SESSION_ERR

           Error recovering account name.

   PAM_SUCCESS

           Limits were changed.

   PAM_USER_UNKNOWN

           The user is not known to the system.

  6.15.6. FILES

   /etc/security/limits.conf

           Default configuration file

  6.15.7. EXAMPLES

   These are some example lines which might be specified in
   /etc/security/limits.conf.

 *               soft    core            0
 *               hard    nofile          512
 @student        hard    nproc           20
 @faculty        soft    nproc           20
 @faculty        hard    nproc           50
 ftp             hard    nproc           0
 @student        -       maxlogins       4
 :123            hard    cpu             5000
 @500:           soft    cpu             10000
 600:700         hard    locks           10
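
   The domain matching and precedence rules of 6.15.2, applied to the lines
   above by a small resolver. This is an added example in Python, not part of
   Linux-PAM; the account data are constructed, '%' domains are skipped because
   they count logins group-wide rather than set a per-user limit, and the
   tie-break among equally specific lines (the later line wins) is an
   assumption the page does not state.

```python
import re
from dataclasses import dataclass

# Specificity classes: a lower number wins (individual over group over default).
USER, GROUP, DEFAULT = 0, 1, 2
NO_LIMIT = ("-1", "unlimited", "infinity")


@dataclass(frozen=True)
class Account:
    name: str
    uid: int
    gid: int                 # primary group id
    groups: frozenset        # names of all groups, supplementary included
    group_ids: frozenset     # ids of all groups, supplementary included


def parse_range(text):
    """'<min>:<max>' -> (min or None, max or None); anything else -> None."""
    m = re.fullmatch(r"(\d*):(\d*)", text)
    if not m or not (m.group(1) or m.group(2)):
        return None
    return (int(m.group(1)) if m.group(1) else None,
            int(m.group(2)) if m.group(2) else None)


def in_range(value, lo, hi):
    """Exact match when only max is given; open-ended when only min is given."""
    if lo is None:
        return value == hi
    return lo <= value and (hi is None or value <= hi)


def match_domain(domain, acct):
    """Return the specificity class if <domain> covers acct, else None."""
    if domain == "*":
        return DEFAULT
    if domain.startswith("%"):
        return None                      # group-wide login counter, not a per-user limit
    if domain.startswith("@"):
        rng = parse_range(domain[1:])
        if rng is None:                  # @groupname: any of the user's groups
            return GROUP if domain[1:] in acct.groups else None
        lo, hi = rng
        if lo is None:                   # exact gid: all groups are examined
            return GROUP if hi in acct.group_ids else None
        return GROUP if in_range(acct.gid, lo, hi) else None   # range: primary group only
    if domain == acct.name:
        return USER
    rng = parse_range(domain)
    if rng is not None and in_range(acct.uid, *rng):
        return USER
    return None


def parse_value(item, value):
    """-1/unlimited/infinity mean no limit except for priority and nice."""
    if item not in ("priority", "nice") and value in NO_LIMIT:
        return "unlimited"               # for nofile the module substitutes /proc/sys/fs/nr_open
    return int(value)


def resolve_limits(conf_text, acct):
    """Effective {item: {'soft'|'hard': value}} for acct, following the 6.15.2 rules."""
    best = {}                                        # item -> kind -> (class, value)
    for raw in conf_text.splitlines():
        fields = raw.split("#", 1)[0].split()        # '#' introduces a comment
        if not fields:
            continue
        cls = match_domain(fields[0], acct)
        if cls is None:
            continue
        if len(fields) == 2 and fields[1] == "-":    # type '-' without item/value: no limits
            return {}
        if len(fields) != 4:
            continue
        _, ltype, item, value = fields
        for kind in (("soft", "hard") if ltype == "-" else (ltype,)):
            prev = best.setdefault(item, {}).get(kind)
            if prev is None or cls <= prev[0]:       # more specific wins; ties: later line wins
                best[item][kind] = (cls, parse_value(item, value))
    return {item: {k: cv[1] for k, cv in kinds.items()} for item, kinds in best.items()}


# The example lines from 6.15.7, verbatim.
EXAMPLE_CONF = """
*               soft    core            0
*               hard    nofile          512
@student        hard    nproc           20
@faculty        soft    nproc           20
@faculty        hard    nproc           50
ftp             hard    nproc           0
@student        -       maxlogins       4
:123            hard    cpu             5000
@500:           soft    cpu             10000
600:700         hard    locks           10
"""

# Constructed account: uid 650, primary gid 510, supplementary gid 100.
ALICE = Account("alice", 650, 510, frozenset({"student", "users"}), frozenset({510, 100}))
```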


  6.15.8. AUTHORS

   pam_limits was initially written by Cristian Gafton <gafton@redhat.com>

6.16. pam_listfile - deny or allow services based on an arbitrary file

   pam_listfile.so item=[tty|user|rhost|ruser|group|shell] sense=[allow|deny]
   file=/path/filename onerr=[succeed|fail] [ apply=[user|@group] ] [ quiet ]

  6.16.1. DESCRIPTION

   pam_listfile is a PAM module which provides a way to deny or allow
   services based on an arbitrary file.

   The module gets the item of the type specified -- user specifies the
   username, PAM_USER; tty specifies the name of the terminal over which the
   request has been made, PAM_TTY; rhost specifies the name of the remote
   host (if any) from which the request was made, PAM_RHOST; and ruser
   specifies the name of the remote user (if available) who made the request,
   PAM_RUSER -- and looks for an instance of that item in the file=filename.
   filename contains one line per item listed. If the item is found, then if
   sense=allow, PAM_SUCCESS is returned, causing the authorization request to
   succeed; else if sense=deny, PAM_AUTH_ERR is returned, causing the
   authorization request to fail.

   If an error is encountered (for instance, if filename does not exist, or a
   poorly-constructed argument is encountered), then if onerr=succeed,
   PAM_SUCCESS is returned, otherwise if onerr=fail, PAM_AUTH_ERR or
   PAM_SERVICE_ERR (as appropriate) will be returned.

   An additional argument, apply=, can be used to restrict the application of
   the above to a specific user (apply=username) or a given group
   (apply=@groupname). This added restriction is only meaningful when used
   with the tty, rhost and shell items.

   Besides this last one, all arguments should be specified; do not count on
   any default behavior.

   No credentials are awarded by this module.

  6.16.2. OPTIONS

   item=[tty|user|rhost|ruser|group|shell]

           What is listed in the file and should be checked for.

   sense=[allow|deny]

           Action to take if the item is found in the file; if the item is
           NOT found in the file, then the opposite action is requested.

   file=/path/filename

           File containing one item per line. The file needs to be a plain
           file and not world writable.

   onerr=[succeed|fail]

           What to do if something weird happens like being unable to open
           the file.

   apply=[user|@group]

           Restrict the user class for which the restriction applies. Note
           that with item=[user|ruser|group] this does not make sense, but
           for item=[tty|rhost|shell] it has a meaning.

   quiet

           Do not treat service refusals or missing list files as errors that
           need to be logged.

  6.16.3. MODULE TYPES PROVIDED

   All module types (auth, account, password and session) are provided.

  6.16.4. RETURN VALUES

   PAM_AUTH_ERR

           Authentication failure.

   PAM_BUF_ERR

           Memory buffer error.

   PAM_IGNORE

           The rule does not apply to the apply option.

   PAM_SERVICE_ERR

           Error in service module.

   PAM_SUCCESS

           Success.

  6.16.5. EXAMPLES

   Classic 'ftpusers' authentication can be implemented with this entry in
   /etc/pam.d/ftpd:

 #
 # deny ftp-access to users listed in the /etc/ftpusers file
 #
 auth    required       pam_listfile.so \
         onerr=succeed item=user sense=deny file=/etc/ftpusers


   Note, users listed in /etc/ftpusers file are (counterintuitively) not
   allowed access to the ftp service.

   To allow login access only for certain users, you can use a
   /etc/pam.d/login entry like this:

 #
 # permit login to users listed in /etc/loginusers
 #
 auth    required       pam_listfile.so \
         onerr=fail item=user sense=allow file=/etc/loginusers


   For this example to work, all users who are allowed to use the login
   service should be listed in the file /etc/loginusers. Unless you are
   explicitly trying to lock out root, make sure that when you do this, you
   leave a way for root to log in, either by listing root in /etc/loginusers,
   or by listing a user who is able to su to the root account.
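
   The decision rules of 6.16.1 and 6.16.2, including the plain-file and
   not-world-writable check and the onerr handling, run over the two stanzas
   above and the failure modes around them. This is an added example in
   Python, not part of Linux-PAM; the list files and users are constructed.
   Where the page says onerr=fail returns PAM_AUTH_ERR or PAM_SERVICE_ERR "as
   appropriate", this example returns PAM_SERVICE_ERR for file problems, and
   the treatment of item=group (found if any of the user's groups is listed)
   is an assumption.

```python
import os
import stat
import tempfile

ITEMS = ("tty", "user", "rhost", "ruser", "group", "shell")


def parse_args(argv):
    """['item=user', 'sense=deny', ...] -> dict. All but apply and quiet are mandatory."""
    args = dict(a.split("=", 1) if "=" in a else (a, "") for a in argv)
    if (args.get("item") not in ITEMS or args.get("sense") not in ("allow", "deny")
            or args.get("onerr") not in ("succeed", "fail") or not args.get("file")):
        raise ValueError("bad or missing argument")
    return args


def load_list(path):
    """Items listed one per line, or None if the file is missing, not plain, or world-writable."""
    try:
        st = os.stat(path)
    except OSError:
        return None
    if not stat.S_ISREG(st.st_mode) or st.st_mode & stat.S_IWOTH:
        return None
    with open(path) as f:
        return {line.strip() for line in f if line.strip()}


def decide(argv, items, groups_of=lambda user: set()):
    """Return the PAM result for one request. items maps item names to their values."""
    try:
        args = parse_args(argv)
    except ValueError:
        return "PAM_SERVICE_ERR"                    # poorly constructed argument
    apply = args.get("apply")
    if apply and args["item"] in ("tty", "rhost", "shell"):   # apply= is only meaningful here
        if apply.startswith("@"):
            covered = apply[1:] in groups_of(items["user"])
        else:
            covered = apply == items["user"]
        if not covered:
            return "PAM_IGNORE"                     # the rule does not apply to this user
    listed = load_list(args["file"])
    if listed is None:                              # onerr decides: fail-open or fail-closed
        return "PAM_SUCCESS" if args["onerr"] == "succeed" else "PAM_SERVICE_ERR"
    if args["item"] == "group":                     # assumption: any listed group of the user
        found = bool(groups_of(items["user"]) & listed)
    else:
        found = items.get(args["item"]) in listed
    if args["sense"] == "allow":
        return "PAM_SUCCESS" if found else "PAM_AUTH_ERR"
    return "PAM_AUTH_ERR" if found else "PAM_SUCCESS"


def demo():
    """Constructed scenarios: the page's two stanzas plus the failure modes around onerr."""
    with tempfile.TemporaryDirectory() as d:
        ftpusers, loginusers, loose = (os.path.join(d, n) for n in ("ftpusers", "loginusers", "loose"))
        for path, names in ((ftpusers, "root\nftp\n"), (loginusers, "alice\nroot\n"), (loose, "alice\n")):
            with open(path, "w") as f:
                f.write(names)
            os.chmod(path, 0o644)
        os.chmod(loose, 0o666)                      # world-writable list: the module refuses it
        deny = ["onerr=succeed", "item=user", "sense=deny", "file=" + ftpusers]
        allow = ["onerr=fail", "item=user", "sense=allow", "file=" + loginusers]
        absent = ["item=user", "sense=allow", "file=" + os.path.join(d, "absent")]
        tty_rule = ["onerr=fail", "item=tty", "sense=allow", "file=" + loginusers, "apply=@wheel"]
        return {
            "ftp: root listed in ftpusers": decide(deny, {"user": "root"}),
            "ftp: alice not listed": decide(deny, {"user": "alice"}),
            "login: alice in loginusers": decide(allow, {"user": "alice"}),
            "login: bob not in loginusers": decide(allow, {"user": "bob"}),
            "missing allow-list, onerr=fail": decide(absent + ["onerr=fail"], {"user": "bob"}),
            "missing allow-list, onerr=succeed": decide(absent + ["onerr=succeed"], {"user": "bob"}),
            "world-writable list, onerr=fail": decide(
                ["onerr=fail", "item=user", "sense=allow", "file=" + loose], {"user": "alice"}),
            "tty rule with apply=@wheel, non-member": decide(
                tty_rule, {"user": "bob", "tty": "tty1"}, groups_of=lambda u: {"users"}),
        }
```

   Note the "missing allow-list, onerr=succeed" case: a sense=allow list combined
   with onerr=succeed lets everyone in as soon as the file goes missing, which is
   why the loginusers stanza above uses onerr=fail.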

  6.16.6. AUTHOR

   pam_listfile was written by Michael K. Johnson <johnsonm@redhat.com> and
   Elliot Lee <sopwith@cuc.edu>.

6.17. pam_localuser - require users to be listed in /etc/passwd

   pam_localuser.so [ debug ] [ file=/path/passwd ]

  6.17.1. DESCRIPTION

   pam_localuser is a PAM module to help implement site-wide login policies,
   which typically include a subset of the network's users and a few accounts
   that are local to a particular workstation. Using pam_localuser and
   pam_wheel or pam_listfile is an effective way to restrict access to either
   local users and/or a subset of the network's users.

   This could also be implemented using pam_listfile.so and a very short awk
   script invoked by cron, but it's common enough to have been separated out.

  6.17.2. OPTIONS

   debug

           Print debug information.

   file=/path/passwd

           Use a file other than /etc/passwd.

  6.17.3. MODULE TYPES PROVIDED

   All module types (account, auth, password and session) are provided.

  6.17.4. RETURN VALUES

   PAM_SUCCESS

           The new localuser was set successfully.

   PAM_SERVICE_ERR

           No username was given.

   PAM_PERM_DENIED

           The user is not listed in the passwd file.

  6.17.5. EXAMPLES

   Add the following lines to /etc/pam.d/su to allow only local users or
   group wheel to use su.

 account sufficient pam_localuser.so
 account required pam_wheel.so


  6.17.6. AUTHOR

   pam_localuser was written by Nalin Dahyabhai <nalin@redhat.com>.

6.18. pam_loginuid - record user's login uid to the process attribute

   pam_loginuid.so [ require_auditd ]

  6.18.1. DESCRIPTION

   The pam_loginuid module sets the loginuid process attribute for the
   process that was authenticated. This is necessary for applications to be
   correctly audited. This PAM module should only be used for entry point
   applications like: login, sshd, gdm, vsftpd, crond and atd. There are
   probably other entry point applications besides these. You should not use
   it for applications like sudo or su as that defeats the purpose by
   changing the loginuid to the account they just switched to.

  6.18.2. OPTIONS

   require_auditd

           This option, when given, will cause this module to query the audit
           daemon status and deny logins if it is not running.

  6.18.3. MODULE TYPES PROVIDED

   Only the session module type is provided.

  6.18.4. RETURN VALUES

   PAM_SUCCESS

           The loginuid value is set and auditd is running if check
           requested.

   PAM_IGNORE

           The /proc/self/loginuid file is not present on the system or the
           login process runs inside uid namespace and kernel does not
           support overwriting loginuid.

   PAM_SESSION_ERR

           Any other error prevented setting loginuid or auditd is not
           running.

  6.18.5. EXAMPLES

 #%PAM-1.0
 auth       required     pam_unix.so
 auth       required     pam_nologin.so
 account    required     pam_unix.so
 password   required     pam_unix.so
 session    required     pam_unix.so
 session    required     pam_loginuid.so


  6.18.6. AUTHOR

   pam_loginuid was written by Steve Grubb <sgrubb@redhat.com>

6.19. pam_mail - inform about available mail

   pam_mail.so [ close ] [ debug ] [ dir=maildir ] [ empty ] [ hash=count ] [
   noenv ] [ nopen ] [ quiet ] [ standard ]

  6.19.1. DESCRIPTION

   The pam_mail PAM module provides the "you have new mail" service to the
   user. It can be plugged into any application that has credential or
   session hooks. It gives a single message indicating the newness of any
   mail it finds in the user's mail folder. This module also sets the PAM
   environment variable, MAIL, to the user's mail directory.

   If the mail spool file (be it /var/mail/$USER or a pathname given with the
   dir= parameter) is a directory then pam_mail assumes it is in the Maildir
   format.

  6.19.2. OPTIONS

   close

           Indicate if the user has any mail also on logout.

   debug

           Print debug information.

   dir=maildir

           Look for the user's mail in an alternative location defined by
           maildir/<login>. The default location for mail is
           /var/mail/<login>. Note, if the supplied maildir is prefixed by a
           '~', the directory is interpreted as indicating a file in the
           user's home directory.

   empty

           Also print message if user has no mail.

   hash=count

           Mail directory hash depth. For example, a hashcount of 2 would
           make the mail file be /var/spool/mail/u/s/user.

   noenv

           Do not set the MAIL environment variable.

   nopen

           Don't print any mail information on login. This flag is useful to
           get the MAIL environment variable set, but to not display any
           information about it.

   quiet

           Only report when there is new mail.

   standard

           Old style "You have..." format which doesn't show the mail spool
           being used. This also implies "empty".

  6.19.3. MODULE TYPES PROVIDED

   The session and auth (on establishment and deletion of credentials) module
   types are provided.

  6.19.4. RETURN VALUES

   PAM_BUF_ERR

           Memory buffer error.

   PAM_SERVICE_ERR

           Badly formed arguments.

   PAM_SUCCESS

           Success.

   PAM_USER_UNKNOWN

           User not known.

  6.19.5. EXAMPLES

   Add the following line to /etc/pam.d/login to indicate that the user has
   new mail when they login to the system.

 session  optional  pam_mail.so standard


  6.19.6. AUTHOR

   pam_mail was written by Andrew G. Morgan <morgan@kernel.org>.

6.20. pam_mkhomedir - create users home directory

   pam_mkhomedir.so [ silent ] [ umask=mode ] [ skel=skeldir ]

  6.20.1. DESCRIPTION

   The pam_mkhomedir PAM module will create a user's home directory if it does
   not exist when the session begins. This allows users to be present in a
   central database (such as NIS, kerberos or LDAP) without using a
   distributed file system or pre-creating a large number of directories. The
   skeleton directory (usually /etc/skel/) is used to copy default files and
   also sets a umask for the creation.

   The new user's home directory will not be removed after logout of the user.

  6.20.2. OPTIONS

   silent

           Don't print informative messages.

   umask=mask

           The user file-creation mask is set to mask. The default value of
           mask is 0022.

   skel=/path/to/skel/directory

           Indicate an alternative skel directory to override the default
           /etc/skel.

  6.20.3. MODULE TYPES PROVIDED

   Only the session module type is provided.

  6.20.4. RETURN VALUES

   PAM_BUF_ERR

           Memory buffer error.

   PAM_CRED_INSUFFICIENT

           Insufficient credentials to access authentication data.

   PAM_PERM_DENIED

           Not enough permissions to create the new directory or read the
           skel directory.

   PAM_USER_UNKNOWN

           User not known to the underlying authentication module.

   PAM_SUCCESS

           Environment variables were set.

  6.20.5. EXAMPLES

   A sample /etc/pam.d/login file:

   auth       requisite   pam_securetty.so
   auth       sufficient  pam_ldap.so
   auth       required    pam_unix.so
   auth       required    pam_nologin.so
   account    sufficient  pam_ldap.so
   account    required    pam_unix.so
   password   required    pam_unix.so
   session    required    pam_mkhomedir.so skel=/etc/skel/ umask=0022
   session    required    pam_unix.so
   session    optional    pam_lastlog.so
   session    optional    pam_mail.so standard


  6.20.6. AUTHOR

   pam_mkhomedir was written by Jason Gunthorpe <jgg@debian.org>.

6.21. pam_motd - display the motd file

   pam_motd.so [ motd=/path/filename ] [ motd_dir=/path/dirname.d ]

  6.21.1. DESCRIPTION

   pam_motd is a PAM module that can be used to display arbitrary motd
   (message of the day) files after a successful login. By default, pam_motd
   shows files in the following locations:

   /etc/motd
   /run/motd
   /usr/lib/motd
   /etc/motd.d/
   /run/motd.d/
   /usr/lib/motd.d/

   Each message size is limited to 64KB.

   If /etc/motd does not exist, then /run/motd is shown. If /run/motd does
   not exist, then /usr/lib/motd is shown.

   Similar overriding behavior applies to the directories. Files in
   /etc/motd.d/ override files with the same name in /run/motd.d/ and
   /usr/lib/motd.d/. Files in /run/motd.d/ override files with the same name
   in /usr/lib/motd.d/.

   Files in the directories listed above are displayed in lexicographic order
   by name. Moreover, the files are filtered by reading them with the
   credentials of the target user authenticating on the system.

   To silence a message, a symbolic link with target /dev/null may be placed
   in /etc/motd.d with the same filename as the message to be silenced.
   Example: Creating a symbolic link as follows silences
   /usr/lib/motd.d/my_motd.

   ln -s /dev/null /etc/motd.d/my_motd

  6.21.2. OPTIONS

   motd=/path/filename

           The /path/filename file is displayed as message of the day.
           Multiple paths to try can be specified as a colon-separated list.
           By default this option is set to
           /etc/motd:/run/motd:/usr/lib/motd.

   motd_dir=/path/dirname.d

           The /path/dirname.d directory is scanned and each file contained
           inside of it is displayed. Multiple directories to scan can be
           specified as a colon-separated list. By default this option is set
           to /etc/motd.d:/run/motd.d:/usr/lib/motd.d.

   When no options are given, the default behavior applies for both options.
   Specifying either option (or both) will disable the default behavior for
   both options.

  6.21.3. MODULE TYPES PROVIDED

   Only the session module type is provided.

  6.21.4. RETURN VALUES

   PAM_IGNORE

           This is the only return value of this module.

  6.21.5. EXAMPLES

   The suggested usage for /etc/pam.d/login is:

 session  optional  pam_motd.so


   To use a motd file from a different location:

 session  optional  pam_motd.so motd=/elsewhere/motd


   To use a motd file from elsewhere, along with a corresponding .d
   directory:

 session  optional  pam_motd.so motd=/elsewhere/motd motd_dir=/elsewhere/motd.d


  6.21.6. AUTHOR

   pam_motd was written by Ben Collins <bcollins@debian.org>.

   The motd_dir= option was added by Allison Karlitskaya
   <allison.karlitskaya@redhat.com>.

6.22. pam_namespace - setup a private namespace

   pam_namespace.so [ debug ] [ unmnt_remnt ] [ unmnt_only ] [
   require_selinux ] [ gen_hash ] [ ignore_config_error ] [
   ignore_instance_parent_mode ] [ unmount_on_close ] [ use_current_context ]
   [ use_default_context ] [ mount_private ]

  6.22.1. DESCRIPTION

   The pam_namespace PAM module sets up a private namespace for a session
   with polyinstantiated directories. A polyinstantiated directory provides a
   different instance of itself based on user name, or when using SELinux,
   user name, security context or both. If an executable script
   /etc/security/namespace.init exists, it is used to initialize the instance
   directory after it is set up and mounted on the polyinstantiated
   directory. The script receives the polyinstantiated directory path, the
   instance directory path, flag whether the instance directory was newly
   created (0 for no, 1 for yes), and the user name as its arguments.

   The pam_namespace module disassociates the session namespace from the
   parent namespace. Any mounts/unmounts performed in the parent namespace,
   such as mounting of devices, are not reflected in the session namespace.
   To propagate selected mount/unmount events from the parent namespace into
   the disassociated session namespace, an administrator may use the special
   shared-subtree feature. For additional information on shared-subtree
   feature, please refer to the mount(8) man page and the shared-subtree
   description at http://lwn.net/Articles/159077 and
   http://lwn.net/Articles/159092.

  6.22.2. DESCRIPTION

   The pam_namespace.so module allows setup of private namespaces with
   polyinstantiated directories. Directories can be polyinstantiated based on
   user name or, in the case of SELinux, user name, sensitivity level or
   complete security context. If an executable script
   /etc/security/namespace.init exists, it is used to initialize the
   namespace every time an instance directory is set up and mounted. The
   script receives the polyinstantiated directory path and the instance
   directory path as its arguments.

   The /etc/security/namespace.conf file specifies which directories are
   polyinstantiated, how they are polyinstantiated, how instance directories
   would be named, and any users for whom polyinstantiation would not be
   performed.

   When someone logs in, the file namespace.conf is scanned. Comments are
   marked by # characters. Each non-comment line represents one
   polyinstantiated directory. The fields are separated by spaces but can be
   quoted by " characters; the escape sequences \b, \n, and \t are also
   recognized. The fields are as follows:

   polydir instance_prefix method list_of_uids

   The first field, polydir, is the absolute pathname of the directory to
   polyinstantiate. The special string $HOME is replaced with the user's home
   directory, and $USER with the username. This field cannot be blank.

   The second field, instance_prefix is the string prefix used to build the
   pathname for the instantiation of <polydir>. Depending on the
   polyinstantiation method it is then appended with "instance
   differentiation string" to generate the final instance directory path.
   This directory is created if it did not exist already, and is then bind
   mounted on the <polydir> to provide an instance of <polydir> based on the
   <method> column. The special string $HOME is replaced with the user's home
   directory, and $USER with the username. This field cannot be blank.

   The third field, method, is the method used for polyinstantiation. It can
   take these values; "user" for polyinstantiation based on user name,
   "level" for polyinstantiation based on process MLS level and user name,
   "context" for polyinstantiation based on process security context and user
   name, "tmpfs" for mounting tmpfs filesystem as an instance dir, and
   "tmpdir" for creating temporary directory as an instance dir which is
   removed when the user's session is closed. Methods "context" and "level"
   are only available with SELinux. This field cannot be blank.

   The fourth field, list_of_uids, is a comma separated list of user names
   for whom the polyinstantiation is not performed. If left blank,
   polyinstantiation will be performed for all users. If the list is preceded
   with a single "~" character, polyinstantiation is performed only for users
   in the list.

   The method field can also contain the following optional flags, separated
   by : characters.

   create=mode,owner,group - create the polyinstantiated directory. The mode,
   owner and group parameters are optional. The default for mode is
   determined by umask, the default owner is the user whose session is
   opened, the default group is the primary group of the user.

   iscript=path - path to the instance directory init script. The base
   directory for relative paths is /etc/security/namespace.d.

   noinit - instance directory init script will not be executed.

   shared - the instance directories for "context" and "level" methods will
   not contain the user name and will be shared among all users.

   mntopts=value - value of this flag is passed to the mount call when the
   tmpfs mount is done. It allows for example the specification of the
   maximum size of the tmpfs instance that is created by the mount call. In
   addition to options specified in the tmpfs(5) manual the nosuid, noexec,
   and nodev flags can be used to respectively disable setuid bit effect,
   disable running executables, and disable devices to be interpreted on the
   mounted tmpfs filesystem.

   The directory where polyinstantiated instances are to be created must
   exist and must have, by default, the mode of 0000. The requirement that
   the instance parent be of mode 0000 can be overridden with the command
   line option ignore_instance_parent_mode.

   In case of context or level polyinstantiation the SELinux context which is
   used for polyinstantiation is the context used for executing a new process
   as obtained by getexeccon. This context must be set by the calling
   application or the pam_selinux.so module. If this context is not set the
   polyinstantiation will be based just on user name.

   The "instance differentiation string" is <user name> for "user" method and
   <user name>_<raw directory context> for "context" and "level" methods. If
   the whole string is too long the end of it is replaced with md5sum of
   itself. Also when command line option gen_hash is used the whole string is
   replaced with md5sum of itself.
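
   The namespace.conf field rules above, worked through by a small resolver:
   quoted fields and escapes, $HOME/$USER substitution, the ~ form of
   list_of_uids, method flags after :, and the instance differentiation string
   with its md5 fallbacks. This is an added example in Python, not part of
   Linux-PAM; the configuration is constructed, NAME_MAX = 255 is assumed as
   the "too long" cutoff (the page gives no number), and a single raw context
   string stands in for whatever the level or context method would derive.
   Instance naming for tmpfs and tmpdir is not described on the page and is
   not modelled.

```python
import hashlib

NAME_MAX = 255                      # assumed "too long" cutoff for the differentiation string
ESCAPES = {"b": "\b", "n": "\n", "t": "\t"}


def split_fields(line):
    """Space-separated fields with "..." quoting and \\b \\n \\t escapes (6.22.2)."""
    fields, cur, quoted, in_field, i = [], [], False, False, 0
    while i < len(line):
        c = line[i]
        if c == "\\" and line[i + 1:i + 2] in ESCAPES:
            cur.append(ESCAPES[line[i + 1]])
            in_field = True
            i += 2
            continue
        if c == '"':
            quoted, in_field = not quoted, True       # an empty "" still yields a field
        elif c.isspace() and not quoted:
            if in_field:
                fields.append("".join(cur))
                cur, in_field = [], False
        else:
            cur.append(c)
            in_field = True
        i += 1
    if in_field:
        fields.append("".join(cur))
    return fields


def parse_conf(text):
    """namespace.conf text -> list of rules (polydir, prefix, method, flags, uids)."""
    rules = []
    for raw in text.splitlines():
        fields = split_fields(raw.split("#", 1)[0])   # '#' marks a comment
        if not fields:
            continue
        if len(fields) < 3:
            raise ValueError("polydir, instance_prefix and method cannot be blank: " + raw)
        method, *flag_specs = fields[2].split(":")     # optional flags follow the method
        flags = dict(spec.partition("=")[::2] for spec in flag_specs)   # 'k=v' or bare 'k'
        rules.append({"polydir": fields[0], "prefix": fields[1], "method": method,
                      "flags": flags, "uids": fields[3] if len(fields) > 3 else ""})
    return rules


def applies_to(rule, user):
    """Fourth field: names exempted, or with a leading '~' the only names covered."""
    listed = rule["uids"]
    if not listed:
        return True
    if listed.startswith("~"):
        return user in listed[1:].split(",")
    return user not in listed.split(",")


def differentiation(rule, user, context):
    """The 'instance differentiation string' for the user, context and level methods."""
    method = rule["method"]
    if method not in ("user", "context", "level"):
        raise ValueError("instance naming for " + method + " is not described on the page")
    if method == "user" or context is None:           # no exec context set: user name only
        return user
    return context if "shared" in rule["flags"] else user + "_" + context


def substitute(path, user, home):
    return path.replace("$HOME", home).replace("$USER", user)


def instance_dir(rule, user, home, context=None, gen_hash=False):
    diff = differentiation(rule, user, context)
    digest = hashlib.md5(diff.encode()).hexdigest()
    if gen_hash:
        diff = digest                                   # gen_hash: whole string replaced
    elif len(diff) > NAME_MAX:
        diff = diff[:NAME_MAX - len(digest)] + digest   # too long: the end replaced by md5sum
    return substitute(rule["prefix"], user, home) + diff


def resolve(conf_text, user, home, context=None, gen_hash=False):
    """[(polydir, instance directory, flags)] for every rule that applies to user."""
    return [(substitute(r["polydir"], user, home), instance_dir(r, user, home, context, gen_hash),
             r["flags"])
            for r in parse_conf(conf_text) if applies_to(r, user)]


# Constructed sample configuration (not from the page).
SAMPLE_CONF = """\
# polydir      instance_prefix           method              list_of_uids
/tmp           /tmp-inst/                level               root,adm
/var/tmp       /var/tmp/tmp-inst/        context:shared
$HOME          $HOME/$USER.inst/inst-    user:create=0700    ~alice,bob
"/srv/my dir"  /srv/inst/                user:noinit
"""
```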

  6.22.3. OPTIONS

   debug

           A lot of debug information is logged using syslog.

   unmnt_remnt

           For programs such as su and newrole, the login session has already
           set up a polyinstantiated namespace. For these programs,
           polyinstantiation is performed based on the new user id or security
           context; however, the command first needs to undo the
           polyinstantiation performed by login. This argument instructs the
           command to first undo the previous polyinstantiation before
           proceeding with the new polyinstantiation based on the new
           id/context.

   unmnt_only

           For trusted programs that want to undo any existing bind mounts
           and process instance directories on their own, this argument
           allows them to unmount currently mounted instance directories.

   require_selinux

           If SELinux is not enabled, return failure.

   gen_hash

           Instead of using the security context string for the instance
           name, generate and use its md5 hash.

   ignore_config_error

           If a line in the configuration file corresponding to a
           polyinstantiated directory contains a format error, skip that line
           and process the next line. Without this option, pam will return an
           error to the calling program, resulting in termination of the
           session.

   ignore_instance_parent_mode

           Instance parent directories by default are expected to have the
           restrictive mode of 000. Using this option, an administrator can
           choose to ignore the mode of the instance parent. This option
           should be used with caution as it will reduce security and
           isolation goals of the polyinstantiation mechanism.

   unmount_on_close

           Explicitly unmount the polyinstantiated directories instead of
           relying on automatic namespace destruction after the last process
           in a namespace exits. This option should be used only in case it
           is ensured by other means that there cannot be any processes
           running in the private namespace left after the session close. It
           is also useful only in case there are multiple pam session calls
           in sequence from the same process.

   use_current_context

           Useful for services which do not change the SELinux context with
           setexeccon call. The module will use the current SELinux context
           of the calling process for the level and context
           polyinstantiation.

   use_default_context

           Useful for services which do not use pam_selinux for changing the
           SELinux context with setexeccon call. The module will use the
           default SELinux context of the user for the level and context
           polyinstantiation.

   mount_private

           This option can be used on systems where the / mount point or its
           submounts are made shared (for example with a mount --make-rshared
           / command). The module will mark the whole directory tree so any
           mount and unmount operations in the polyinstantiation namespace
           are private. Normally the pam_namespace will try to detect the
           shared / mount point and make the polyinstantiated directories
           private automatically. This option has to be used just when only a
           subtree is shared and / is not.

           Note that mounts and unmounts done in the private namespace will
           not affect the parent namespace if this option is used or when the
           shared / mount point is autodetected.

  6.22.4. MODULE TYPES PROVIDED

   Only the session module type is provided. The module must not be called
   from multithreaded processes.

  6.22.5. RETURN VALUES

   PAM_SUCCESS

           Namespace setup was successful.

   PAM_SERVICE_ERR

           Unexpected system error occurred while setting up namespace.

   PAM_SESSION_ERR

           Unexpected namespace configuration error occurred.

  6.22.6. FILES

   /etc/security/namespace.conf

           Main configuration file

   /etc/security/namespace.d

           Directory for additional configuration files

   /etc/security/namespace.init

           Init script for instance directories

  6.22.7. EXAMPLES

   These are some example lines which might be specified in
   /etc/security/namespace.conf.

         # The following three lines will polyinstantiate /tmp,
         # /var/tmp and user's home directories. /tmp and /var/tmp
         # will be polyinstantiated based on the security level
         # as well as user name, whereas home directory will be
         # polyinstantiated based on the full security context and user name.
         # Polyinstantiation will not be performed for user root
         # and adm for directories /tmp and /var/tmp, whereas home
         # directories will be polyinstantiated for all users.
         #
         # Note that instance directories do not have to reside inside
         # the polyinstantiated directory. In the examples below,
         # instances of /tmp will be created in /tmp-inst directory,
         # where as instances of /var/tmp and users home directories
         # will reside within the directories that are being
         # polyinstantiated.
         #
         /tmp     /tmp-inst/               level      root,adm
         /var/tmp /var/tmp/tmp-inst/    level      root,adm
         $HOME    $HOME/$USER.inst/inst- context


   For the <service>s for which you need polyinstantiation (login, for
   example), put the following line in /etc/pam.d/<service> as the last line
   of the session group:

   session required pam_namespace.so [arguments]

   This module also depends on pam_selinux.so setting the context.
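
   The following is an added example, not code from Linux-PAM: it models how
   pam_namespace derives instance directories from namespace.conf lines using
   the "instance differentiation string" rules above (user vs. context/level
   methods, the md5sum tail replacement for over-long strings, and gen_hash),
   the ignore_config_error behaviour on a malformed line, and the mode 000
   expectation on instance parents that ignore_instance_parent_mode relaxes.
   The function and type names, the $HOME/$USER expansion and the 64-character
   length limit are assumptions made for illustration; the guide does not
   state the real limit.

```python
"""Added example (not Linux-PAM code): pam_namespace instance naming and the
instance-parent mode check, driven by constructed namespace.conf lines."""
import hashlib
import os
import stat
import tempfile
from dataclasses import dataclass

# Assumption: the guide says an over-long differentiation string has its tail
# replaced by its md5sum but does not give the limit; 64 is a placeholder.
MAX_DIFF_LEN = 64


@dataclass
class PolyDir:
    polydir: str           # directory being polyinstantiated, e.g. /tmp
    instance_prefix: str   # where instances live, e.g. /tmp-inst/
    method: str            # user, context or level
    excluded: tuple        # users for whom no polyinstantiation is done


def md5_hex(s):
    return hashlib.md5(s.encode()).hexdigest()


def parse_namespace_conf(text, ignore_config_error=False):
    """Parse 'polydir instance_prefix method [user,user,...]' lines.
    A malformed line raises ValueError (the module would fail the session)
    unless ignore_config_error is set, in which case it is skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) not in (3, 4) or fields[2] not in ("user", "context", "level"):
            if ignore_config_error:
                continue
            raise ValueError(f"namespace.conf line {lineno}: format error")
        excluded = tuple(fields[3].split(",")) if len(fields) == 4 else ()
        entries.append(PolyDir(fields[0], fields[1], fields[2], excluded))
    return entries


def config_is_valid(text):
    try:
        parse_namespace_conf(text)
        return True
    except ValueError:
        return False


def instance_dir(entry, user, home, context=None, gen_hash=False):
    """Return the instance directory for user, or None if the user is excluded.
    context is the raw SELinux context from getexeccon; None means neither the
    application nor pam_selinux set one, so only the user name is used."""
    if user in entry.excluded:
        return None
    if entry.method == "user" or context is None:
        diff = user
    else:
        diff = f"{user}_{context}"       # context and level methods
    if gen_hash:
        name = md5_hex(diff)             # whole string replaced by its hash
    elif len(diff) > MAX_DIFF_LEN:
        digest = md5_hex(diff)           # only the tail replaced by the hash
        name = diff[:MAX_DIFF_LEN - len(digest)] + digest
    else:
        name = diff
    prefix = entry.instance_prefix.replace("$HOME", home).replace("$USER", user)
    return prefix + name


def instance_parent_ok(path, ignore_instance_parent_mode=False):
    """Instance parents are expected to be mode 000 so that users cannot list
    or traverse other users' instances; the option bypasses that check."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return ignore_instance_parent_mode or mode == 0


def demo_parent_mode_check():
    """Create a throwaway instance parent and exercise the mode check."""
    base = tempfile.mkdtemp()
    parent = os.path.join(base, "tmp-inst")
    os.mkdir(parent, 0o000)
    try:
        strict = instance_parent_ok(parent)          # 000: accepted
        os.chmod(parent, 0o755)
        loose = instance_parent_ok(parent)           # 755: rejected
        ignored = instance_parent_ok(parent, ignore_instance_parent_mode=True)
    finally:
        os.chmod(parent, 0o755)
        os.rmdir(parent)
        os.rmdir(base)
    return strict, loose, ignored


# Constructed sample: the three lines from the namespace.conf example above.
SAMPLE_CONF = """\
/tmp     /tmp-inst/               level      root,adm
/var/tmp /var/tmp/tmp-inst/       level      root,adm
$HOME    $HOME/$USER.inst/inst-   context
"""

if __name__ == "__main__":
    ctx = "system_u:object_r:tmp_t:s0"
    for e in parse_namespace_conf(SAMPLE_CONF):
        print(e.polydir, "->", instance_dir(e, "alice", "/home/alice", ctx))
    print(demo_parent_mode_check())
```

   The parent-mode check is the part worth keeping in mind operationally: a
   world-traversable /tmp-inst defeats the isolation, which is why the module
   refuses it unless ignore_instance_parent_mode is given.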

  6.22.8. AUTHORS

   The namespace setup scheme was designed by Stephen Smalley, Janak Desai
   and Chad Sellers. The pam_namespace PAM module was developed by Janak
   Desai <janak@us.ibm.com>, Chad Sellers <csellers@tresys.com> and Steve
   Grubb <sgrubb@redhat.com>. Additional improvements by Xavier Toth
   <txtoth@gmail.com> and Tomas Mraz <tmraz@redhat.com>.

6.23. pam_nologin - prevent non-root users from login

   pam_nologin.so [ file=/path/nologin ] [ successok ]

  6.23.1. DESCRIPTION

   pam_nologin is a PAM module that prevents users from logging into the
   system when /var/run/nologin or /etc/nologin exists. The contents of the
   file are displayed to the user. The pam_nologin module has no effect on
   the root user's ability to log in.

  6.23.2. OPTIONS

   file=/path/nologin

           Use this file instead of the default /var/run/nologin or
           /etc/nologin.

   successok

           Return PAM_SUCCESS if no file exists, the default is PAM_IGNORE.

  6.23.3. MODULE TYPES PROVIDED

   The auth and acct module types are provided.

  6.23.4. RETURN VALUES

   PAM_AUTH_ERR

           The user is not root and /etc/nologin exists, so the user is not
           permitted to log in.

   PAM_BUF_ERR

           Memory buffer error.

   PAM_IGNORE

           This is the default return value.

   PAM_SUCCESS

           Success: either the user is root or the nologin file does not
           exist.

   PAM_USER_UNKNOWN

           User not known to the underlying authentication module.

  6.23.5. EXAMPLES

   The suggested usage for /etc/pam.d/login is:

 auth  required  pam_nologin.so


  6.23.6. AUTHOR

   pam_nologin was written by Michael K. Johnson <johnsonm@redhat.com>.

6.24. pam_permit - the promiscuous module

   pam_permit.so

  6.24.1. DESCRIPTION

   pam_permit is a PAM module that always permits access. It does nothing
   else.

   In the case of authentication, the user's name will be set to nobody if
   the application didn't set one. Many applications and PAM modules become
   confused if this name is unknown.

   This module is very dangerous. It should be used with extreme caution.

  6.24.2. OPTIONS

   This module does not recognise any options.

  6.24.3. MODULE TYPES PROVIDED

   The auth, account, password and session module types are provided.

  6.24.4. RETURN VALUES

   PAM_SUCCESS

           This module always returns this value.

  6.24.5. EXAMPLES

   Add this line to your other login entries to disable account management,
   but continue to permit users to log in.

 account  required  pam_permit.so


  6.24.6. AUTHOR

   pam_permit was written by Andrew G. Morgan, <morgan@kernel.org>.

6.25. pam_pwhistory - grant access using .pwhistory file

   pam_pwhistory.so [ debug ] [ use_authtok ] [ enforce_for_root ] [
   remember=N ] [ retry=N ] [ authtok_type=STRING ] [
   conf=/path/to/config-file ]

  6.25.1. DESCRIPTION

   This module saves the last passwords for each user in order to force
   password change history and keep the user from alternating between the
   same password too frequently.

   This module does not work together with Kerberos. In general, it does not
   make much sense to use this module in conjunction with NIS or LDAP, since
   the old passwords are stored on the local machine and are not available on
   another machine for password history checking.

  6.25.2. OPTIONS

   debug

           Turns on debugging via syslog(3).

   use_authtok

           When changing the password, force the module to use the new
           password provided by a previously stacked password module (this is
           used in the example of the stacking of the pam_cracklib module
           documented below).

   enforce_for_root

           If this option is set, the check is enforced for root, too.

   remember=N

           The last N passwords for each user are saved. The default is 10. A
           value of 0 makes the module keep the existing contents of the
           opasswd file unchanged.

   retry=N

           Prompt user at most N times before returning with error. The
           default is 1.

   authtok_type=STRING

           See pam_get_authtok(3) for more details.

   conf=/path/to/config-file

           Use another configuration file instead of the default
           /etc/security/pwhistory.conf.

   The options for configuring the module behavior are described in the
   pwhistory.conf(5) manual page. The options specified on the module command
   line override the values from the configuration file.

  6.25.3. MODULE TYPES PROVIDED

   Only the password module type is provided.

  6.25.4. RETURN VALUES

   PAM_AUTHTOK_ERR

           No new password was entered, the user aborted password change or
           new password couldn't be set.

   PAM_IGNORE

           Password history was disabled.

   PAM_MAXTRIES

           Password was rejected too often.

   PAM_USER_UNKNOWN

           User is not known to system.

  6.25.5. FILES

   /etc/security/opasswd

           File with password history

  6.25.6. EXAMPLES

   An example password section would be:

 #%PAM-1.0
 password     required       pam_pwhistory.so
 password     required       pam_unix.so        use_authtok


   In combination with pam_cracklib:

 #%PAM-1.0
 password     required       pam_cracklib.so    retry=3
 password     required       pam_pwhistory.so   use_authtok
 password     required       pam_unix.so        use_authtok
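
   The following is an added example, not code from pam_pwhistory: it models
   the remember=N, retry=N and remember=0 semantics described above with a
   small in-memory history store. Old passwords are kept only as salted
   PBKDF2 digests, which is the property a history file must have, but the
   storage layout, the PasswordHistory and change_password names and the
   PBKDF2 work factor are invented for illustration and are not the real
   /etc/security/opasswd format.

```python
"""Added example (not Linux-PAM code): password history with remember=N and
retry=N semantics; the on-disk format of opasswd is not reproduced."""
import hashlib
import hmac
import secrets


class PasswordHistory:
    def __init__(self, remember=10, iterations=100_000):
        self.remember = remember
        self.iterations = iterations      # PBKDF2 work factor (assumed value)
        self._store = {}                  # user -> [(salt, digest), ...], newest last

    def _digest(self, password, salt):
        # Old passwords are kept only as salted slow hashes, never in clear.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.iterations)

    def was_used(self, user, password):
        return any(hmac.compare_digest(self._digest(password, salt), digest)
                   for salt, digest in self._store.get(user, []))

    def record(self, user, password):
        if self.remember == 0:            # remember=0: leave the history untouched
            return
        salt = secrets.token_bytes(16)
        history = self._store.setdefault(user, [])
        history.append((salt, self._digest(password, salt)))
        del history[:-self.remember]      # keep only the last N entries


def change_password(history, user, answers, retry=1):
    """Simulate the password phase: 'answers' yields what the user types at
    each prompt. Returns (pam_return_value, accepted_password_or_None)."""
    answers = iter(answers)
    for _ in range(retry):
        candidate = next(answers, None)
        if candidate is None:             # user aborted the change
            return "PAM_AUTHTOK_ERR", None
        if history.was_used(user, candidate):
            continue                      # rejected: re-prompt if retries remain
        history.record(user, candidate)
        return "PAM_SUCCESS", candidate
    return "PAM_MAXTRIES", None


if __name__ == "__main__":
    # Constructed sample session: four changes, then a reuse attempt.
    h = PasswordHistory(remember=3, iterations=20_000)
    for pw in ("winter2019", "spring2020", "summer2020", "autumn2020"):
        h.record("alice", pw)
    print(change_password(h, "alice", ["spring2020", "correct horse"], retry=2))
```

   With remember=3 the oldest entry falls out of the window, so a password
   that is four changes old is accepted again; that is the trade-off the N
   parameter controls.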


  6.25.7. AUTHOR

   pam_pwhistory was written by Thorsten Kukuk <kukuk@thkukuk.de>

6.26. pam_rhosts - grant access using .rhosts file

   pam_rhosts.so

  6.26.1. DESCRIPTION

   This module performs the standard network authentication for services, as
   used by traditional implementations of rlogin and rsh etc.

   The authentication mechanism of this module is based on the contents of
   two files: /etc/hosts.equiv and ~/.rhosts. Firstly, hosts listed in the
   former file are treated as equivalent to the localhost. Secondly, entries
   in the user's own copy of the latter file are used to map "remote-host
   remote-user" pairs to that user's account on the current host. Access is
   granted to the user if their host is present in /etc/hosts.equiv and their
   remote account is identical to their local one, or if their remote account
   has an entry in their personal configuration file.

   The module authenticates a remote user (internally specified by the item
   PAM_RUSER) connecting from the remote host (internally specified by the
   item PAM_RHOST). Accordingly, for applications to be compatible with this
   authentication module they must set these items prior to calling
   pam_authenticate(). The module is not capable of independently probing the
   network connection for such information.

  6.26.2. OPTIONS

   debug

           Print debug information.

   silent

           Don't print informative messages.

   superuser=account

           Handle account as root.

  6.26.3. MODULE TYPES PROVIDED

   Only the auth module type is provided.

  6.26.4. RETURN VALUES

   PAM_AUTH_ERR

           The remote host, remote user name or the local user name couldn't
           be determined or access was denied by .rhosts file.

   PAM_USER_UNKNOWN

           User is not known to system.

  6.26.5. EXAMPLES

   To grant a remote user access by /etc/hosts.equiv or .rhosts for rsh add
   the following lines to /etc/pam.d/rsh:

 #%PAM-1.0
 #
 auth     required       pam_rhosts.so
 auth     required       pam_nologin.so
 auth     required       pam_env.so
 auth     required       pam_unix.so
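
   The following is an added example, not code from pam_rhosts: it implements
   the two-file decision described above (hosts.equiv for same-account access
   from equivalent hosts, ~/.rhosts for explicit "remote-host remote-user"
   pairs) driven by the PAM_RHOST and PAM_RUSER items, and returns
   PAM_AUTH_ERR when the application failed to set them. The file contents
   are constructed; the convention that a host-only ~/.rhosts line means "the
   same user name" is an assumption, and the superuser= option is not
   modelled.

```python
"""Added example (not Linux-PAM code): the hosts.equiv / ~/.rhosts decision
pam_rhosts makes from the PAM_RHOST and PAM_RUSER items."""


def parse_pairs(text):
    """Parse 'host [user]' lines; comments and blank lines are ignored."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            fields = line.split()
            pairs.append((fields[0], fields[1] if len(fields) > 1 else None))
    return pairs


def rhosts_auth(items, local_user, hosts_equiv, user_rhosts):
    """items: the PAM items the application must set before pam_authenticate().
    hosts_equiv / user_rhosts: contents of /etc/hosts.equiv and ~/.rhosts."""
    rhost, ruser = items.get("PAM_RHOST"), items.get("PAM_RUSER")
    if not rhost or not ruser or not local_user:
        return "PAM_AUTH_ERR"        # the module cannot probe the network itself
    # Rule 1: the host is equivalent to localhost and the account name matches.
    if ruser == local_user and any(h == rhost for h, _ in parse_pairs(hosts_equiv)):
        return "PAM_SUCCESS"
    # Rule 2: the user's own ~/.rhosts maps (rhost, ruser) onto this account.
    # Assumption: a host-only line stands for the same user name.
    for host, user in parse_pairs(user_rhosts):
        if host == rhost and (user or local_user) == ruser:
            return "PAM_SUCCESS"
    return "PAM_AUTH_ERR"


# Constructed sample files.
HOSTS_EQUIV = "trusted.example.org\n"
ALICE_RHOSTS = "workstation.example.org bob\n# personal laptop\nlaptop.example.org\n"

if __name__ == "__main__":
    items = {"PAM_RHOST": "workstation.example.org", "PAM_RUSER": "bob"}
    print(rhosts_auth(items, "alice", HOSTS_EQUIV, ALICE_RHOSTS))
```

   Note that nothing here verifies the remote host name: the scheme trusts
   whatever the application put in PAM_RHOST, which is the fundamental
   weakness of rhosts-style authentication.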


  6.26.6. AUTHOR

   pam_rhosts was written by Thorsten Kukuk <kukuk@thkukuk.de>

6.27. pam_rootok - gain only root access

   pam_rootok.so [ debug ]

  6.27.1. DESCRIPTION

   pam_rootok is a PAM module that authenticates the user if their UID is 0.
   Applications that are created setuid-root generally retain the UID of the
   user but run with the authority of an enhanced effective-UID. It is the
   real UID that is checked.

  6.27.2. OPTIONS

   debug

           Print debug information.

  6.27.3. MODULE TYPES PROVIDED

   The auth, acct and password module types are provided.

  6.27.4. RETURN VALUES

   PAM_SUCCESS

           The UID is 0.

   PAM_AUTH_ERR

           The UID is not 0.

  6.27.5. EXAMPLES

   In the case of the su(1) application the historical usage is to permit the
   superuser to adopt the identity of a lesser user without the use of a
   password. To obtain this behavior with PAM the following pair of lines are
   needed for the corresponding entry in the /etc/pam.d/su configuration
   file:

 # su authentication. Root is granted access by default.
 auth  sufficient   pam_rootok.so
 auth  required     pam_unix.so


  6.27.6. AUTHOR

   pam_rootok was written by Andrew G. Morgan, <morgan@kernel.org>.

6.28. pam_securetty - limit root login to special devices

   pam_securetty.so [ debug ]

  6.28.1. DESCRIPTION

   pam_securetty is a PAM module that allows root logins only if the user is
   logging in on a "secure" tty, as defined by the listing in /etc/securetty.
   pam_securetty also checks to make sure that /etc/securetty is a plain file
   and not world writable. It will also allow root logins on the tty
   specified with console= switch on the kernel command line and on ttys from
   the /sys/class/tty/console/active.

   This module has no effect on non-root users and requires that the
   application fills in the PAM_TTY item correctly.

   For canonical usage, it should be listed as a required authentication
   method before any sufficient authentication methods.

  6.28.2. OPTIONS

   debug

           Print debug information.

   noconsole

           Do not automatically allow root logins on the kernel console
           device, as specified on the kernel command line or by the sys
           file, if it is not also specified in the /etc/securetty file.

  6.28.3. MODULE TYPES PROVIDED

   Only the auth module type is provided.

  6.28.4. RETURN VALUES

   PAM_SUCCESS

           The user is allowed to continue authentication. Either the user is
           not root, or the root user is trying to log in on an acceptable
           device.

   PAM_AUTH_ERR

           Authentication is rejected. Either root is attempting to log in
           via an unacceptable device, or the /etc/securetty file is world
           writable or not a normal file.

   PAM_INCOMPLETE

           An application error occurred. pam_securetty was not able to get
           information it required from the application that called it.

   PAM_SERVICE_ERR

           An error occurred while the module was determining the user's name
           or tty, or the module could not open /etc/securetty.

   PAM_USER_UNKNOWN

           The module could not find the user name in the /etc/passwd file to
           verify whether the user had a UID of 0. Therefore, the results of
           running this module are ignored.

  6.28.5. EXAMPLES

 auth  required  pam_securetty.so
 auth  required  pam_unix.so
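
   The following is an added example, not code from pam_securetty: it walks
   the decision described above for a root login, including the check that
   the securetty file is a plain file and not world-writable (the same check
   pam_shells applies to /etc/shells), the kernel console ttys that
   noconsole switches off, and the return values listed in the RETURN VALUES
   section. The function names are assumptions, paths are parameters so the
   demo runs against a file it creates itself, and the demo's tty names are
   constructed.

```python
"""Added example (not Linux-PAM code): the pam_securetty root-login decision,
with the trusted-file check that pam_shells also performs."""
import os
import stat
import tempfile


def trusted_plain_file(path):
    """A file that grants access must be a regular file and not
    world-writable; otherwise any local user could add entries to it."""
    st = os.stat(path)
    return stat.S_ISREG(st.st_mode) and not (st.st_mode & stat.S_IWOTH)


def securetty_check(uid, tty, securetty_path, console_ttys=(), noconsole=False):
    """uid: the UID of PAM_USER, or None if the user is unknown. tty: the
    PAM_TTY item. console_ttys: ttys from the kernel console= option or
    /sys/class/tty/console/active. Returns the PAM return value."""
    if uid is None:
        return "PAM_USER_UNKNOWN"       # cannot tell whether this is root
    if uid != 0:
        return "PAM_SUCCESS"            # module only restricts root
    if not tty:
        return "PAM_INCOMPLETE"         # application did not set PAM_TTY
    try:
        trusted = trusted_plain_file(securetty_path)
    except OSError:
        return "PAM_SERVICE_ERR"        # could not open the securetty file
    if not trusted:
        return "PAM_AUTH_ERR"           # world-writable or not a plain file
    name = tty[len("/dev/"):] if tty.startswith("/dev/") else tty
    with open(securetty_path) as fh:
        listed = {ln.strip() for ln in fh if ln.strip() and not ln.startswith("#")}
    if name in listed or (not noconsole and name in console_ttys):
        return "PAM_SUCCESS"
    return "PAM_AUTH_ERR"


def demo():
    """Run the check against a constructed securetty file in a temp dir."""
    base = tempfile.mkdtemp()
    path = os.path.join(base, "securetty")
    with open(path, "w") as fh:
        fh.write("# consoles root may log in on\ntty1\ntty2\n")
    os.chmod(path, 0o644)
    results = [
        securetty_check(0, "/dev/tty1", path),                       # listed
        securetty_check(0, "/dev/pts/3", path),                      # not listed
        securetty_check(0, "ttyS0", path, console_ttys=("ttyS0",)),  # kernel console
        securetty_check(0, "ttyS0", path, console_ttys=("ttyS0",), noconsole=True),
        securetty_check(1000, "/dev/pts/3", path),                   # non-root
        securetty_check(0, None, path),                              # no PAM_TTY
    ]
    os.chmod(path, 0o666)
    results.append(securetty_check(0, "/dev/tty1", path))            # world-writable
    os.remove(path)
    os.rmdir(base)
    results.append(securetty_check(0, "/dev/tty1", path))            # file missing
    return results


if __name__ == "__main__":
    print(demo())
```

   The world-writable case is the one to remember: a listed tty is still
   refused when the file itself could have been edited by anyone, so a bad
   mode on /etc/securetty locks root out rather than letting root in.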


  6.28.6. AUTHOR

   pam_securetty was written by Elliot Lee <sopwith@cuc.edu>.

6.29. pam_selinux - set the default security context

   pam_selinux.so [ open ] [ close ] [ restore ] [ nottys ] [ debug ] [
   verbose ] [ select_context ] [ env_params ] [ use_current_range ]

  6.29.1. DESCRIPTION

   pam_selinux is a PAM module that sets up the default SELinux security
   context for the next executed process.

   When a new session is started, the open_session part of the module
   computes and sets up the execution security context used for the next
   execve(2) call, the file security context for the controlling terminal,
   and the security context used for creating a new kernel keyring.

   When the session is ended, the close_session part of the module restores
   old security contexts that were in effect before the change made by the
   open_session part of the module.

   Adding pam_selinux into the PAM stack might disrupt the behavior of other
   PAM modules which execute applications. To avoid that, pam_selinux.so open
   should be placed after such modules in the PAM stack, and pam_selinux.so
   close should be placed before them. When such a placement is not feasible,
   pam_selinux.so restore could be used to temporarily restore the original
   security contexts.

  6.29.2. OPTIONS

   open

           Only execute the open_session part of the module.

   close

           Only execute the close_session part of the module.

   restore

           In open_session part of the module, temporarily restore the
           security contexts as they were before the previous call of the
           module. Another call of this module without the restore option
           will set up the new security contexts again.

   nottys

           Do not set up the security context of the controlling terminal.

   debug

           Turn on debug messages via syslog(3).

   verbose

           Attempt to inform the user when security context is set.

   select_context

           Attempt to ask the user for a custom security context role. If MLS
           is on, ask also for sensitivity level.

   env_params

           Attempt to obtain a custom security context role from PAM
           environment. If MLS is on, obtain also sensitivity level. This
           option and the select_context option are mutually exclusive. The
           respective PAM environment variables are SELINUX_ROLE_REQUESTED,
           SELINUX_LEVEL_REQUESTED, and SELINUX_USE_CURRENT_RANGE. The first
           two variables are self describing and the last one if set to 1
           makes the PAM module behave as if the use_current_range was
           specified on the command line of the module.

   use_current_range

           Use the sensitivity level of the current process for the user
           context instead of the default level. Also suppresses asking of
           the sensitivity level from the user or obtaining it from PAM
           environment.

  6.29.3. MODULE TYPES PROVIDED

   Only the session module type is provided.

  6.29.4. RETURN VALUES

   PAM_SUCCESS

           The security context was set successfully.

   PAM_SESSION_ERR

           Unable to get or set a valid context.

   PAM_USER_UNKNOWN

           The user is not known to the system.

   PAM_BUF_ERR

           Memory allocation error.

  6.29.5. EXAMPLES

 auth     required  pam_unix.so
 session  required  pam_permit.so
 session  optional  pam_selinux.so


  6.29.6. AUTHOR

   pam_selinux was written by Dan Walsh <dwalsh@redhat.com>.

6.30. pam_shells - check for valid login shell

   pam_shells.so

  6.30.1. DESCRIPTION

   pam_shells is a PAM module that only allows access to the system if the
   user's shell is listed in /etc/shells.

   It also checks if /etc/shells is a plain file and not world writable.

  6.30.2. OPTIONS

   This module does not recognise any options.

  6.30.3. MODULE TYPES PROVIDED

   The auth and account module types are provided.

  6.30.4. RETURN VALUES

   PAM_AUTH_ERR

           Access to the system was denied.

   PAM_SUCCESS

           The user's login shell was listed as valid shell in /etc/shells.

   PAM_SERVICE_ERR

           The module was not able to get the name of the user.

  6.30.5. EXAMPLES

 auth  required  pam_shells.so


  6.30.6. AUTHOR

   pam_shells was written by Erik Troan <ewt@redhat.com>.

6.31. pam_succeed_if - test account characteristics

   pam_succeed_if.so [flag...] [condition...]

  6.31.1. DESCRIPTION

   pam_succeed_if.so is designed to succeed or fail authentication based on
   characteristics of the account belonging to the user being authenticated
   or values of other PAM items. One use is to select whether to load other
   modules based on this test.

   The module should be given one or more conditions as module arguments, and
   authentication will succeed only if all of the conditions are met.

  6.31.2. OPTIONS

   The following flags are supported:

   debug

           Turns on debugging messages sent to syslog.

   use_uid

           Evaluate conditions using the account of the user whose UID the
           application is running under instead of the user being
           authenticated.

   quiet

           Don't log failure or success to the system log.

   quiet_fail

           Don't log failure to the system log.

   quiet_success

           Don't log success to the system log.

   audit

           Log unknown users to the system log.

   Conditions are three words: a field, a test, and a value to test for.

   Available fields are user, uid, gid, shell, home, ruser, rhost, tty and
   service:

   field < number

           Field has a value numerically less than number.

   field <= number

           Field has a value numerically less than or equal to number.

   field eq number

           Field has a value numerically equal to number.

   field >= number

           Field has a value numerically greater than or equal to number.

   field > number

           Field has a value numerically greater than number.

   field ne number

           Field has a value numerically different from number.

   field = string

           Field exactly matches the given string.

   field != string

           Field does not match the given string.

   field =~ glob

           Field matches the given glob.

   field !~ glob

           Field does not match the given glob.

   field in item:item:...

           Field is contained in the list of items separated by colons.

   field notin item:item:...

           Field is not contained in the list of items separated by colons.

   user ingroup group

           User is in given group.

   user notingroup group

           User is not in given group.

   user innetgr netgroup

           (user,host) is in given netgroup.

   user notinnetgr netgroup

           (user,host) is not in given netgroup.

  6.31.3. MODULE TYPES PROVIDED

   All module types (account, auth, password and session) are provided.

  6.31.4. RETURN VALUES

   PAM_SUCCESS

           The condition was true.

   PAM_AUTH_ERR

           The condition was false.

   PAM_SERVICE_ERR

           A service error occurred or the arguments can't be parsed
           correctly.

  6.31.5. EXAMPLES

   To emulate the behaviour of pam_wheel, except there is no fallback to
   group 0:

 auth required pam_succeed_if.so quiet user ingroup wheel


   Given that the type matches, only loads the othermodule rule if the UID is
   over 500. Adjust the number after default to skip several rules.

 type [default=1 success=ignore] pam_succeed_if.so quiet uid > 500
 type required othermodule.so arguments...
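
   The following is an added example, not code from pam_succeed_if: an
   evaluator for the flag and condition syntax documented above (numeric
   tests, string and glob tests, in/notin lists, group and netgroup
   membership, and use_uid), returning PAM_SUCCESS, PAM_AUTH_ERR or
   PAM_SERVICE_ERR as the RETURN VALUES section describes. Group and
   netgroup membership are supplied as dictionaries standing in for the
   system databases; the account dictionary, the function names and the
   rule that flags precede conditions are assumptions made for illustration.

```python
"""Added example (not Linux-PAM code): evaluate pam_succeed_if conditions
against an account record."""
import fnmatch

FLAGS = {"debug", "use_uid", "quiet", "quiet_fail", "quiet_success", "audit"}
FIELDS = {"user", "uid", "gid", "shell", "home", "ruser", "rhost", "tty", "service"}
NUMERIC = {"<", "<=", "eq", ">=", ">", "ne"}
GROUP_TESTS = {"ingroup", "notingroup", "innetgr", "notinnetgr"}
STRING = {"=", "!=", "=~", "!~", "in", "notin"} | GROUP_TESTS


def parse_args(args):
    """Split module arguments into flags and (field, test, value) triples.
    Anything that does not parse raises ValueError (PAM_SERVICE_ERR)."""
    flags, conds, i = set(), [], 0
    while i < len(args) and args[i] in FLAGS:
        flags.add(args[i])
        i += 1
    rest = args[i:]
    if len(rest) % 3:
        raise ValueError("conditions are field/test/value triples")
    for field, test, value in zip(rest[0::3], rest[1::3], rest[2::3]):
        if field not in FIELDS or test not in NUMERIC | STRING:
            raise ValueError(f"bad condition: {field} {test} {value}")
        if test in GROUP_TESTS and field != "user":
            raise ValueError(f"{test} applies to the user field only")
        conds.append((field, test, value))
    return flags, conds


def check(cond, account, groups, netgroups):
    field, test, value = cond
    actual = account[field]
    if test in NUMERIC:
        try:
            a, b = int(actual), int(value)
        except (TypeError, ValueError):
            raise ValueError(f"{field} is not numeric")
        return {"<": a < b, "<=": a <= b, "eq": a == b,
                ">=": a >= b, ">": a > b, "ne": a != b}[test]
    actual = str(actual)
    if test == "=":
        return actual == value
    if test == "!=":
        return actual != value
    if test == "=~":
        return fnmatch.fnmatchcase(actual, value)
    if test == "!~":
        return not fnmatch.fnmatchcase(actual, value)
    if test == "in":
        return actual in value.split(":")
    if test == "notin":
        return actual not in value.split(":")
    if test == "ingroup":
        return actual in groups.get(value, set())
    if test == "notingroup":
        return actual not in groups.get(value, set())
    pair = (actual, account.get("rhost"))        # (user, host) for netgroups
    if test == "innetgr":
        return pair in netgroups.get(value, set())
    return pair not in netgroups.get(value, set())


def succeed_if(args, account, caller_account=None, groups=None, netgroups=None):
    """Result of 'pam_succeed_if.so <args>' for the user being authenticated
    (account) or, with use_uid, for the account of the application's UID."""
    try:
        flags, conds = parse_args(args)
        if "use_uid" in flags:
            account = caller_account
        for cond in conds:
            if not check(cond, account, groups or {}, netgroups or {}):
                return "PAM_AUTH_ERR"
        return "PAM_SUCCESS"
    except (ValueError, KeyError, TypeError):
        return "PAM_SERVICE_ERR"


# Constructed sample account and group databases.
ALICE = {"user": "alice", "uid": 1000, "gid": 1000, "shell": "/bin/bash",
         "home": "/home/alice", "ruser": "", "rhost": "laptop.example.org",
         "tty": "pts/0", "service": "sshd"}
GROUPS = {"wheel": {"alice"}, "staff": {"alice", "bob"}}
NETGROUPS = {"admins": {("alice", "laptop.example.org")}}

if __name__ == "__main__":
    print(succeed_if(["quiet", "user", "ingroup", "wheel"], ALICE, groups=GROUPS))
    print(succeed_if(["quiet", "uid", ">", "500"], ALICE))
```

   The parse failures matter as much as the matches: a typo in a condition
   yields PAM_SERVICE_ERR, and whether that fails open or closed depends on
   the control flag in front of the module, so [default=1 success=ignore]
   style skips deserve a test with a deliberately broken argument.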


  6.31.6. AUTHOR

   Nalin Dahyabhai <nalin@redhat.com>

6.32. pam_tally - login counter (tallying) module

   pam_tally.so [ file=/path/to/counter ] [ onerr=[fail|succeed] ] [
   magic_root ] [ even_deny_root_account ] [ deny=n ] [ lock_time=n ] [
   unlock_time=n ] [ per_user ] [ no_lock_time ] [ no_reset ] [ audit ] [
   silent ] [ no_log_info ]

   pam_tally [ --file /path/to/counter ] [ --user username ] [ --reset[=n] ]
   [ --quiet ]

  6.32.1. DESCRIPTION

   This module maintains a count of attempted accesses, can reset count on
   success, can deny access if too many attempts fail.

   pam_tally has several limitations, which are solved with pam_tally2. For
   this reason pam_tally is deprecated and will be removed in a future
   release.

   pam_tally comes in two parts: pam_tally.so and pam_tally. The former is
   the PAM module and the latter, a stand-alone program. pam_tally is an
   (optional) application which can be used to interrogate and manipulate the
   counter file. It can display user counts, set individual counts, or clear
   all counts. Setting artificially high counts may be useful for blocking
   users without changing their passwords. For example, one might find it
   useful to clear all counts every midnight from a cron job. The faillog(8)
   command can be used instead of pam_tally to maintain the counter file.

   Normally, failed attempts to access root will not cause the root account
   to become blocked, to prevent denial-of-service: if your users aren't
   given shell accounts and root may only login via su or at the machine
   console (not telnet/rsh, etc), this is safe.

  6.32.2. OPTIONS

   GLOBAL OPTIONS

           This can be used for auth and account module types.

                onerr=[fail|succeed]

                        If something weird happens (like unable to open the
                        file), return with PAM_SUCCESS if onerr=succeed is
                        given, else with the corresponding PAM error code.

                file=/path/to/counter

                        File where to keep counts. Default is
                        /var/log/faillog.

                audit

                        Will log the user name into the system log if the
                        user is not found.

                silent

                        Don't print informative messages.

                no_log_info

                        Don't log informative messages via syslog(3).

   AUTH OPTIONS

           The authentication phase first checks if the user should be denied
           access and, if not, increments the attempted login counter. Then,
           on the call to pam_setcred(3), it resets the attempts counter.

                deny=n

                        Deny access if tally for this user exceeds n.

                lock_time=n

                        Always deny for n seconds after failed attempt.

                unlock_time=n

                        Allow access after n seconds after failed attempt. If
                        this option is used the user will be locked out for
                        the specified amount of time after he exceeded his
                        maximum allowed attempts. Otherwise the account is
                        locked until the lock is removed by a manual
                        intervention of the system administrator.

                magic_root

                        If the module is invoked by a user with uid=0 the
                        counter is not incremented. The sysadmin should use
                        this for user launched services, like su, otherwise
                        this argument should be omitted.

                no_lock_time

                        Do not use the .fail_locktime field in
                        /var/log/faillog for this user.

                no_reset

                        Don't reset count on successful entry, only
                        decrement.

                even_deny_root_account

                        Root account can become unavailable.

                per_user

                        If /var/log/faillog contains a non-zero
                        .fail_max/.fail_locktime field for this user then use
                        it instead of deny=n/ lock_time=n parameter.

   ACCOUNT OPTIONS

           Account phase resets attempts counter if the user is not magic
           root. This phase can be used optionally for services which don't
           call pam_setcred(3) correctly or if the reset should be done
           regardless of the failure of the account phase of other modules.

                magic_root

                        If the module is invoked by a user with uid=0 the
                        counter is not incremented. The sysadmin should use
                        this for user launched services, like su, otherwise
                        this argument should be omitted.

                no_reset

                        Don't reset count on successful entry, only
                        decrement.

  6.32.3. MODULE TYPES PROVIDED

   The auth and account module types are provided.

  6.32.4. RETURN VALUES

   PAM_AUTH_ERR

           An invalid option was given, the module was not able to retrieve
           the user name, no valid counter file was found, or too many failed
           logins.

   PAM_SUCCESS

           Everything was successful.

   PAM_USER_UNKNOWN

           User not known.

  6.32.5. EXAMPLES

   Add the following line to /etc/pam.d/login to lock the account after too
   many failed logins. The number of allowed fails is specified by
   /var/log/faillog and needs to be set with pam_tally or faillog(8) before.

 auth     required       pam_securetty.so
 auth     required       pam_tally.so per_user
 auth     required       pam_env.so
 auth     required       pam_unix.so
 auth     required       pam_nologin.so
 account  required       pam_unix.so
 password required       pam_unix.so
 session  required       pam_limits.so
 session  required       pam_unix.so
 session  required       pam_lastlog.so nowtmp
 session  optional       pam_mail.so standard


  6.32.6. AUTHOR

   pam_tally was written by Tim Baverstock and Tomas Mraz.

6.33. pam_tally2 - login counter (tallying) module

   pam_tally2.so [ file=/path/to/counter ] [ onerr=[fail|succeed] ] [
   magic_root ] [ even_deny_root ] [ deny=n ] [ lock_time=n ] [ unlock_time=n
   ] [ root_unlock_time=n ] [ serialize ] [ audit ] [ silent ] [ no_log_info
   ] [ debug ]

   pam_tally2 [ --file /path/to/counter ] [ --user username ] [ --reset[=n] ]
   [ --quiet ]

  6.33.1. DESCRIPTION

   This module maintains a count of attempted accesses, can reset count on
   success, can deny access if too many attempts fail.

   pam_tally2 comes in two parts: pam_tally2.so and pam_tally2. The former is
   the PAM module and the latter, a stand-alone program. pam_tally2 is an
   (optional) application which can be used to interrogate and manipulate the
   counter file. It can display user counts, set individual counts, or clear
   all counts. Setting artificially high counts may be useful for blocking
   users without changing their passwords. For example, one might find it
   useful to clear all counts every midnight from a cron job.

   Normally, failed attempts to access root will not cause the root account
   to become blocked, to prevent denial-of-service: if your users aren't
   given shell accounts and root may only login via su or at the machine
   console (not telnet/rsh, etc), this is safe.

  6.33.2. OPTIONS

   GLOBAL OPTIONS

           This can be used for auth and account module types.

                onerr=[fail|succeed]

                        If something weird happens (like unable to open the
                        file), return with PAM_SUCCESS if onerr=succeed is
                        given, else with the corresponding PAM error code.

                file=/path/to/counter

                        File where to keep counts. Default is
                        /var/log/tallylog.

                audit

                        Will log the user name into the system log if the
                        user is not found.

                silent

                        Don't print informative messages.

                no_log_info

                        Don't log informative messages via syslog(3).

                debug

                        Always log tally count when it is incremented as a
                        debug level message to the system log.

   AUTH OPTIONS

           The authentication phase first increments the attempted-login
           counter and then checks whether the user should be denied access.
           If the user is authenticated and the login process continues with
           a call to pam_setcred(3), the attempts counter is reset.

                deny=n

                        Deny access if tally for this user exceeds n.

                lock_time=n

                        Always deny for n seconds after failed attempt.

                unlock_time=n

                        Allow access after n seconds after a failed attempt.
                        If this option is used the user will be locked out
                        for the specified amount of time after exceeding the
                        maximum allowed attempts. Otherwise the account is
                        locked until the lock is removed by a manual
                        intervention of the system administrator.

                magic_root

                        If the module is invoked by a user with uid=0 the
                        counter is not incremented. The sysadmin should use
                        this for user launched services, like su, otherwise
                        this argument should be omitted.

                even_deny_root

                        Root account can become unavailable.

                root_unlock_time=n

                        This option implies the even_deny_root option. Allow
                        access to the root account after n seconds after a
                        failed attempt. If this option is used the root user
                        will be locked out for the specified amount of time
                        after exceeding the maximum allowed attempts.

                serialize

                        Serialize access to the tally file using locks. This
                        option can only be used with non-multithreaded
                        services because it depends on fcntl locking of the
                        tally file. It is also a good idea to use this option
                        only in configurations where the time between the
                        auth phase and the account or setcred phase does not
                        depend on the authenticating client. Otherwise the
                        authenticating client will be able to prevent
                        simultaneous authentications by the same user simply
                        by artificially prolonging the time the file record
                        lock is held.

   ACCOUNT OPTIONS

           The account phase resets the attempts counter if the user is not
           magic root. This phase can optionally be used for services which
           don't call pam_setcred(3) correctly, or if the reset should be done
           regardless of the failure of the account phase of other modules.

                magic_root

                        If the module is invoked by a user with uid=0 the
                        counter is not changed. The sysadmin should use this
                        for user launched services, like su, otherwise this
                        argument should be omitted.

  6.33.3. MODULE TYPES PROVIDED

   The auth and account module types are provided.

  6.33.4. RETURN VALUES

   PAM_AUTH_ERR

           An invalid option was given, the module was not able to retrieve
           the user name, no valid counter file was found, or too many failed
           logins.

   PAM_SUCCESS

           Everything was successful.

   PAM_USER_UNKNOWN

           User not known.

  6.33.5. NOTES

   pam_tally2 is not compatible with the old pam_tally faillog file format.
   This is caused by the requirement that the tallylog file format be
   compatible between 32-bit and 64-bit architectures on multiarch systems.

   There is no setuid wrapper for access to the data file, such as would be
   needed when the pam_tally2.so module is called from xscreensaver. As this
   would make it impossible to share PAM configuration with such services the
   following workaround is used: if the data file cannot be opened because of
   insufficient permissions (EACCES) the module returns PAM_IGNORE.

  6.33.6. EXAMPLES

   Add the following line to /etc/pam.d/login to lock the account after 4
   failed logins. The root account will be locked as well. The accounts will
   be automatically unlocked after 20 minutes. The module does not have to be
   called in the account phase because login calls pam_setcred(3) correctly.

 auth     required       pam_securetty.so
 auth     required       pam_tally2.so deny=4 even_deny_root unlock_time=1200
 auth     required       pam_env.so
 auth     required       pam_unix.so
 auth     required       pam_nologin.so
 account  required       pam_unix.so
 password required       pam_unix.so
 session  required       pam_limits.so
 session  required       pam_unix.so
 session  required       pam_lastlog.so nowtmp
 session  optional       pam_mail.so standard


  6.33.7. FILES

   /var/log/tallylog

           failure count logging file

  6.33.8. AUTHOR

   pam_tally2 was written by Tim Baverstock and Tomas Mraz.

6.34. pam_time - time controlled access

   pam_time.so [ debug ] [ noaudit ]

  6.34.1. DESCRIPTION

   The pam_time PAM module does not authenticate the user, but instead
   restricts access to a system and/or specific applications at various times
   of the day, on specific days, or over various terminal lines. This module
   can be configured to deny access to (individual) users based on their
   name, the time of day, the day of the week, the service they are applying
   for and the terminal from which they are making their request.

   By default rules for time/port access are taken from config file
   /etc/security/time.conf.

   If Linux PAM is compiled with audit support the module will report when it
   denies access.

  6.34.2. CONFIGURATION FILE

   For this module to function correctly there must be a correctly formatted
   /etc/security/time.conf file present. White space is ignored and lines
   may be extended with '\' (escaped newlines). Text following a '#' is
   ignored to the end of the line.

   The syntax of the lines is as follows:

   services;ttys;users;times

   In words, each rule occupies a line, terminated with a newline or the
   beginning of a comment; a '#'. It contains four fields separated with
   semicolons, ';'.

   The first field, the services field, is a logic list of PAM service names
   that the rule applies to.

   The second field, the tty field, is a logic list of terminal names that
   this rule applies to.

   The third field, the users field, is a logic list of users or a netgroup
   of users to whom this rule applies.

   For these items the simple wildcard '*' may be used only once. With
   netgroups no wildcards or logic operators are allowed.

   The times field is used to indicate the times at which this rule applies.
   The format here is a logic list of day/time-range entries. The days are
   specified by a sequence of two-character entries; MoTuSa for example is
   Monday, Tuesday and Saturday. Note that a repeated day toggles itself off:
   MoMo = no day, and MoWk = all weekdays bar Monday. The two-character
   combinations accepted are Mo Tu We Th Fr Sa Su Wk Wd Al, the last two being
   week-end days and all 7 days of the week respectively. As a final example,
   AlFr means all days except Friday.

   Each day/time-range can be prefixed with a '!' to indicate "anything but".
   The time-range part is two 24-hour times HHMM, separated by a hyphen,
   indicating the start and finish time (if the finish time is smaller than
   the start time it is deemed to apply on the following day).

   For a rule to be active, ALL of service+ttys+users must be satisfied by
   the applying process.

   Note, currently there is no daemon enforcing the end of a session. This
   needs to be remedied.

   Poorly formatted rules are logged as errors using syslog(3).

  6.34.3. OPTIONS

   debug

           Some debug information is printed with syslog(3).

   noaudit

           Do not report logins at disallowed time to the audit subsystem.

  6.34.4. MODULE TYPES PROVIDED

   Only the account type is provided.

  6.34.5. RETURN VALUES

   PAM_SUCCESS

           Access was granted.

   PAM_ABORT

           Not all relevant data could be obtained.

   PAM_BUF_ERR

           Memory buffer error.

   PAM_PERM_DENIED

           Access was not granted.

   PAM_USER_UNKNOWN

           The user is not known to the system.

  6.34.6. FILES

   /etc/security/time.conf

           Default configuration file

  6.34.7. EXAMPLES

   These are some example lines which might be specified in
   /etc/security/time.conf.

   All users except for root are denied access to console-login at all times:

 login ; tty* & !ttyp* ; !root ; !Al0000-2400


   Games (configured to use PAM) are only to be accessed out of working
   hours. This rule does not apply to the user waster:

 games ; * ; !waster ; Wd0000-2400 | Wk1800-0800
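
   To make the rule semantics concrete, here is an evaluator for the
   time.conf format, added for this page and not pam_time's own code. It
   applies the documented rules to the two example lines above (embedded as
   constructed test data): four ';'-separated fields, logic lists built
   from '&', '|' and '!', a single '*' wildcard per item, two-letter day
   codes that toggle (MoMo = no day, MoWk = weekdays bar Monday, AlFr =
   everything but Friday), HHMM-HHMM ranges that wrap past midnight, and
   "deny as soon as a rule matching service, tty and user has a time list
   that is false". Left-to-right evaluation of the logic lists without
   operator precedence, the treatment of a malformed rule as skipped, and
   the function names are assumptions; netgroups (@name) are not handled.

```python
"""Evaluator for the /etc/security/time.conf format described above.
Added example for this page, not pam_time's own code."""
import datetime as dt

DAY_BITS = {"Mo": 1, "Tu": 2, "We": 4, "Th": 8, "Fr": 16, "Sa": 32, "Su": 64,
            "Wk": 31, "Wd": 96, "Al": 127}

EXAMPLE_CONF = """\
# constructed from the example lines in this section
login ; tty* & !ttyp* ; !root ; !Al0000-2400
games ; * ; !waster ; Wd0000-2400 | Wk1800-0800
"""


def glob_match(pattern: str, value: str) -> bool:
    """Match with at most one '*', the only wildcard time.conf allows."""
    if "*" not in pattern:
        return pattern == value
    head, _, tail = pattern.partition("*")
    return (len(value) >= len(head) + len(tail)
            and value.startswith(head) and value.endswith(tail))


def logic_list(field: str, agrees) -> bool:
    """Evaluate 'a & !b | c' left to right; '!' negates the next term."""
    result, op, negate = None, None, False
    for tok in field.replace("&", " & ").replace("|", " | ").split():
        if tok in ("&", "|"):
            op = tok
            continue
        while tok.startswith("!"):
            negate, tok = not negate, tok[1:]
        term = agrees(tok) != negate
        negate = False
        if result is None:
            result = term
        elif op == "&":
            result = result and term
        else:
            result = result or term
    return bool(result)


def parse_days(spec: str) -> int:
    """XOR the two-letter codes: 'AlFr' is every day except Friday."""
    bits = 0
    for i in range(0, len(spec), 2):
        bits ^= DAY_BITS[spec[i:i + 2]]      # KeyError for a malformed code
    return bits


def in_time(entry: str, when: dt.datetime) -> bool:
    """'Wk1800-0800'-style entry; an end before the start runs into the
    following day, so Friday 1800-0800 still covers Saturday 0730."""
    days, start, end = entry[:-9], int(entry[-9:-5]), int(entry[-4:])
    bits = parse_days(days)
    today = 1 << when.weekday()                   # Monday is bit 0, like Mo
    yesterday = 1 << ((when.weekday() - 1) % 7)
    now = when.hour * 100 + when.minute
    if start <= end:
        return bool(bits & today) and start <= now < end
    return (bool(bits & today) and now >= start) or \
           (bool(bits & yesterday) and now < end)


def time_conf_allows(conf: str, service: str, tty: str, user: str,
                     when: dt.datetime) -> bool:
    """False as soon as a rule matching service, tty and user has a time
    list that does not cover `when`; True if no rule objects."""
    for raw in conf.replace("\\\n", "").splitlines():
        line = raw.split("#", 1)[0]
        if not line.strip():
            continue
        fields = [f.replace(" ", "").replace("\t", "") for f in line.split(";")]
        if len(fields) != 4:
            continue      # pam_time logs a malformed rule; skipping it is an assumption
        services, ttys, users, times = fields
        if (logic_list(services, lambda p: glob_match(p, service))
                and logic_list(ttys, lambda p: glob_match(p, tty))
                and logic_list(users, lambda p: glob_match(p, user))
                and not logic_list(times, lambda e: in_time(e, when))):
            return False
    return True
```

   Note what the first rule does and does not cover: it refuses every
   non-root login on tty* lines except ttyp* pseudo-terminals, so a login
   arriving on ttyp0 is not affected by it at all. The second rule lets
   Wk1800-0800 spill into the early hours of the following weekday.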


  6.34.8. AUTHOR

   pam_time was written by Andrew G. Morgan <morgan@kernel.org>.

6.35. pam_timestamp - authenticate using cached successful authentication
attempts

   pam_timestamp.so [ timestampdir=directory ] [ timestamp_timeout=number ] [
   verbose ] [ debug ]

  6.35.1. DESCRIPTION

   In a nutshell, pam_timestamp caches successful authentication attempts,
   and allows you to use a recent successful attempt as the basis for
   authentication. This is a similar mechanism to the one used in sudo.

   When an application opens a session using pam_timestamp, a timestamp file
   is created in the timestampdir directory for the user. When an application
   attempts to authenticate the user, pam_timestamp will treat a sufficiently
   recent timestamp file as grounds for succeeding.

  6.35.2. OPTIONS

   timestampdir=directory

           Specify an alternate directory where pam_timestamp creates
           timestamp files.

   timestamp_timeout=number

           How long (in seconds) pam_timestamp should treat a timestamp as
           valid after its last modification. Default is 300 seconds.

   verbose

           Attempt to inform the user when access is granted.

   debug

           Turns on debugging messages sent to syslog(3).

  6.35.3. MODULE TYPES PROVIDED

   The auth and session module types are provided.

  6.35.4. RETURN VALUES

   PAM_AUTH_ERR

           The module was not able to retrieve the user name or no valid
           timestamp file was found.

   PAM_SUCCESS

           Everything was successful.

   PAM_SESSION_ERR

           Timestamp file could not be created or updated.

  6.35.5. NOTES

   Users can get confused when they are not always asked for passwords when
   running a given program. Some users reflexively begin typing information
   before noticing that it is not being asked for.

  6.35.6. EXAMPLES

 auth sufficient pam_timestamp.so verbose
 auth required   pam_unix.so

 session required pam_unix.so
 session optional pam_timestamp.so


  6.35.7. FILES

   /var/run/pam_timestamp/...

           timestamp files and directories

  6.35.8. AUTHOR

   pam_timestamp was written by Nalin Dahyabhai.

6.36. pam_umask - set the file mode creation mask

   pam_umask.so [ debug ] [ silent ] [ usergroups ] [ umask=mask ]

  6.36.1. DESCRIPTION

   pam_umask is a PAM module to set the file mode creation mask of the
   current environment. The umask affects the default permissions assigned to
   newly created files.

   The PAM module tries to get the umask value from the following places in
   the following order:

     * umask= entry in the user's GECOS field

     * umask= argument

     * UMASK entry from /etc/login.defs

     * UMASK= entry from /etc/default/login

   The GECOS field is split on comma ',' characters. In addition to the
   umask= entry the module also recognizes a pri= entry, which sets the nice
   priority value for the session, and a ulimit= entry, which sets the
   maximum size of files the processes in the session can create.

  6.36.2. OPTIONS

   debug

           Print debug information.

   silent

           Don't print informative messages.

   usergroups

           If the user is not root and the username is the same as primary
           group name, the umask group bits are set to be the same as owner
           bits (examples: 022 -> 002, 077 -> 007).

   umask=mask

           Sets the calling process's file mode creation mask (umask) to mask
           & 0777. The value is interpreted as octal.
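
   The lookup order in the description and the usergroups option combine
   into a small decision procedure; the Python below is an added example
   for this page, not the module's source, and passes the two defaults
   files in as strings so it runs offline (function names and the sample
   file contents are assumptions). One point it makes visible: because a
   GECOS umask= entry outranks the module argument, umask=mask in the PAM
   configuration is only a default, and a user who can edit their own GECOS
   field (for instance with chfn, where that is permitted) chooses their
   own umask, and likewise their pri= and ulimit= values.

```python
"""Work out the umask pam_umask would set, in the lookup order documented
above (GECOS umask=, then the umask= argument, then UMASK in
/etc/login.defs, then UMASK= in /etc/default/login), plus the usergroups
adjustment. Added example for this page, not the module's source."""
import re
from typing import Dict, Optional


def gecos_entries(gecos: str) -> Dict[str, str]:
    """Split the GECOS field on ',' and keep the key=value parts, e.g.
    'Alice,,,umask=027,pri=5,ulimit=1024'; plain text parts are ignored."""
    out = {}
    for part in gecos.split(","):
        key, sep, value = part.partition("=")
        if sep:
            out[key.strip().lower()] = value.strip()
    return out


def defs_value(text: str, key: str, with_equals: bool) -> Optional[str]:
    """'KEY value' (login.defs style) or 'KEY=value' (/etc/default/login)."""
    pattern = rf"^\s*{key}\s*=\s*(\S+)" if with_equals else rf"^\s*{key}\s+(\S+)"
    m = re.search(pattern, text, re.MULTILINE)
    return m.group(1) if m else None


def apply_usergroups(mask: int, username: str, primary_group: str, uid: int) -> int:
    """usergroups: for a non-root user whose primary group has their own
    name, copy the owner bits into the group bits (022 -> 002, 077 -> 007)."""
    if uid != 0 and username == primary_group:
        return (mask & 0o707) | ((mask & 0o700) >> 3)
    return mask


def resolve_umask(gecos: str, umask_arg: Optional[str], login_defs: str,
                  default_login: str, username: str, primary_group: str,
                  uid: int, usergroups: bool = False) -> int:
    """Return the umask the session would get; ValueError if nothing is set."""
    candidates = (
        gecos_entries(gecos).get("umask"),          # 1. GECOS entry wins
        umask_arg,                                  # 2. umask= module argument
        defs_value(login_defs, "UMASK", False),     # 3. /etc/login.defs
        defs_value(default_login, "UMASK", True),   # 4. /etc/default/login
    )
    for value in candidates:
        if value is not None:
            mask = int(value, 8) & 0o777            # octal, masked with 0777
            break
    else:
        raise ValueError("no umask configured in GECOS, argument or defaults")
    if usergroups:
        mask = apply_usergroups(mask, username, primary_group, uid)
    return mask
```

   usergroups only relaxes the group bits when the user's primary group is a
   private group carrying their own name; a user whose primary group is a
   shared one such as users keeps the stricter mask, and root is never
   relaxed.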

  6.36.3. MODULE TYPES PROVIDED

   Only the session type is provided.

  6.36.4. RETURN VALUES

   PAM_SUCCESS

           The new umask was set successfully.

   PAM_SERVICE_ERR

           No username was given.

   PAM_USER_UNKNOWN

           User not known.

  6.36.5. EXAMPLES

   Add the following line to /etc/pam.d/login to set the user specific umask
   at login:

         session optional pam_umask.so umask=0022


  6.36.6. AUTHOR

   pam_umask was written by Thorsten Kukuk <kukuk@thkukuk.de>.

6.37. pam_unix - traditional password authentication

   pam_unix.so [ ... ]

  6.37.1. DESCRIPTION

   This is the standard Unix authentication module. It uses standard calls
   from the system's libraries to retrieve and set account information as
   well as authentication. Usually this is obtained from the /etc/passwd and
   the /etc/shadow file as well if shadow is enabled.

   The account component performs the task of establishing the status of the
   user's account and password based on the following shadow elements:
   expire, last_change, max_change, min_change, warn_change. In the case of
   the latter, it may offer advice to the user on changing their password or,
   through the PAM_AUTHTOKEN_REQD return, delay giving service to the user
   until they have established a new password. The entries listed above are
   documented in the shadow(5) manual page. Should the user's record not
   contain one or more of these entries, the corresponding shadow check is
   not performed.

   The authentication component performs the task of checking the user's
   credentials (password). The default action of this module is to not permit
   the user access to a service if their official password is blank.

   A helper binary, unix_chkpwd(8), is provided to check the user's password
   when it is stored in a read protected database. This binary is very simple
   and will only check the password of the user invoking it. It is called
   transparently on behalf of the user by the authenticating component of
   this module. In this way it is possible for applications like xlock(1) to
   work without being setuid-root. The module, by default, will temporarily
   turn off SIGCHLD handling for the duration of execution of the helper
   binary. This is generally the right thing to do, as many applications are
   not prepared to handle this signal from a child they didn't know was
   fork()d. The noreap module argument can be used to suppress this temporary
   shielding and may be needed for use with certain applications.

   The maximum length of a password supported by the pam_unix module via the
   helper binary is PAM_MAX_RESP_SIZE - currently 512 bytes. The rest of the
   password provided by the conversation function to the module will be
   ignored.

   The password component of this module performs the task of updating the
   user's password. The default encryption hash is taken from the
   ENCRYPT_METHOD variable from /etc/login.defs

   The session component of this module logs when a user logs in to or leaves
   the system.

   Remaining arguments, supported by other functions of this module, are
   silently ignored. Other arguments are logged as errors through syslog(3).

  6.37.2. OPTIONS

   debug

           Turns on debugging via syslog(3).

   audit

           A little more extreme than debug.

   quiet

           Turns off informational messages namely messages about session
           open and close via syslog(3).

   nullok

           The default action of this module is to not permit the user access
           to a service if their official password is blank. The nullok
           argument overrides this default.

   try_first_pass

           Before prompting the user for their password, the module first
           tries the previous stacked module's password in case that
           satisfies this module as well.

   use_first_pass

           The argument use_first_pass forces the module to use a previous
           stacked modules password and will never prompt the user - if no
           password is available or the password is not appropriate, the user
           will be denied access.

   nodelay

           This argument can be used to discourage the authentication
           component from requesting a delay should the authentication as a
           whole fail. The default action is for the module to request a
           delay-on-failure of the order of two seconds.

   use_authtok

           When changing passwords, force the module to set the new password
           to the one provided by a previously stacked password module (this
           is used in the example of stacking the pam_cracklib module
           documented below).

   authtok_type=type

           This argument can be used to modify the password prompt when
           changing passwords to include the type of the password. Empty by
           default.

   nis

           NIS RPC is used for setting new passwords.

   remember=n

           The last n passwords for each user are saved in
           /etc/security/opasswd in order to force password change history
           and keep the user from alternating between the same password too
           frequently. The MD5 password hash algorithm is used for storing
           the old passwords. Instead of this option the pam_pwhistory module
           should be used.

   shadow

           Try to maintain a shadow based system.

   md5

           When a user changes their password next, encrypt it with the MD5
           algorithm.

   bigcrypt

           When a user changes their password next, encrypt it with the DEC
           C2 algorithm.

   sha256

           When a user changes their password next, encrypt it with the
           SHA256 algorithm. The SHA256 algorithm must be supported by the
           crypt(3) function.

   sha512

           When a user changes their password next, encrypt it with the
           SHA512 algorithm. The SHA512 algorithm must be supported by the
           crypt(3) function.

   blowfish

           When a user changes their password next, encrypt it with the
           blowfish algorithm. The blowfish algorithm must be supported by
           the crypt(3) function.

   rounds=n

           Set the optional number of rounds of the SHA256, SHA512 and
           blowfish password hashing algorithms to n.

   broken_shadow

           Ignore errors reading shadow information for users in the account
           management module.

   minlen=n

           Set a minimum password length of n characters. The maximum for DES
           crypt-based passwords is 8 characters.

   no_pass_expiry

           When set, ignore password expiration as defined by the shadow entry
           of the user. The option has an effect only if pam_unix was not used
           for the authentication, or if it returned an authentication
           failure, meaning that another authentication source or method
           succeeded (public key authentication in sshd, for example). The
           module will then return PAM_SUCCESS instead of the eventual
           PAM_NEW_AUTHTOK_REQD or PAM_AUTHTOK_EXPIRED.

   Invalid arguments are logged with syslog(3).

  6.37.3. MODULE TYPES PROVIDED

   All module types (account, auth, password and session) are provided.

  6.37.4. RETURN VALUES

   PAM_IGNORE

           Ignore this module.

  6.37.5. EXAMPLES

   An example usage for /etc/pam.d/login would be:

 # Authenticate the user
 auth       required   pam_unix.so
 # Ensure users account and password are still active
 account    required   pam_unix.so
 # Change the user's password, but at first check the strength
 # with pam_cracklib(8)
 password   required   pam_cracklib.so retry=3 minlen=6 difok=3
 password   required   pam_unix.so use_authtok nullok md5
 session    required   pam_unix.so


  6.37.6. AUTHOR

   pam_unix was written by various people.

6.38. pam_userdb - authenticate against a db database

   pam_userdb.so db=/path/database [ debug ] [ crypt=[crypt|none] ] [ icase ]
   [ dump ] [ try_first_pass ] [ use_first_pass ] [ unknown_ok ] [ key_only ]

  6.38.1. DESCRIPTION

   The pam_userdb module is used to verify a username/password pair against
   values stored in a Berkeley DB database. The database is indexed by the
   username, and the data fields corresponding to the username keys are the
   passwords.

  6.38.2. OPTIONS

   crypt=[crypt|none]

           Indicates whether encrypted or plaintext passwords are stored in
           the database. If it is crypt, passwords should be stored in the
           database in crypt(3) form. If none is selected, passwords should
           be stored in the database as plaintext.

   db=/path/database

           Use the /path/database database for performing lookup. There is no
           default; the module will return PAM_IGNORE if no database is
           provided. Note that the path to the database file should be
           specified without the .db suffix.

   debug

           Print debug information. Note that password hashes, both from db
           and computed, will be printed to syslog.

   dump

           Dump all the entries in the database to the log. Don't do this by
           default!

   icase

           Make the password verification case insensitive (i.e. when working
           with registration numbers and such). Only works with plaintext
           password storage.

   try_first_pass

           Use the authentication token previously obtained by another module
           that did the conversation with the application. If this token can
           not be obtained then the module will try to converse. This option
           can be used for stacking different modules that need to deal with
           the authentication tokens.

   use_first_pass

           Use the authentication token previously obtained by another module
           that did the conversation with the application. If this token can
           not be obtained then the module will fail. This option can be used
           for stacking different modules that need to deal with the
           authentication tokens.

   unknown_ok

           Do not return error when checking for a user that is not in the
           database. This can be used to stack more than one pam_userdb
           module that will check a username/password pair in more than a
           database.

   key_only

           The username and password are concatenated together in the
           database hash as 'username-password' with a random value. If the
           concatenation of the username and password with a dash in the
           middle returns any result, the user is valid. This is useful in
           cases where the username may not be unique but the username and
           password pair are.

  6.38.3. MODULE TYPES PROVIDED

   The auth and account module types are provided.

  6.38.4. RETURN VALUES

   PAM_AUTH_ERR

           Authentication failure.

   PAM_AUTHTOK_RECOVERY_ERR

           Authentication information cannot be recovered.

   PAM_BUF_ERR

           Memory buffer error.

   PAM_CONV_ERR

           Conversation failure.

   PAM_SERVICE_ERR

           Error in service module.

   PAM_SUCCESS

           Success.

   PAM_USER_UNKNOWN

           User not known to the underlying authentication module.

  6.38.5. EXAMPLES

 auth  sufficient pam_userdb.so icase db=/etc/dbtest


  6.38.6. AUTHOR

   pam_userdb was written by Cristian Gafton <gafton@redhat.com>.

6.39. pam_warn - logs all PAM items

   pam_warn.so

  6.39.1. DESCRIPTION

   pam_warn is a PAM module that logs the service, terminal, user, remote
   user and remote host to syslog(3). The items are not probed for, but
   instead obtained from the standard PAM items. The module always returns
   PAM_IGNORE, indicating that it does not want to affect the authentication
   process.

  6.39.2. OPTIONS

   This module does not recognise any options.

  6.39.3. MODULE TYPES PROVIDED

   The auth, account, password and session module types are provided.

  6.39.4. RETURN VALUES

   PAM_IGNORE

           This module always returns PAM_IGNORE.

  6.39.5. EXAMPLES

 #%PAM-1.0
 #
 # If we don't have config entries for a service, the
 # OTHER entries are used. To be secure, warn and deny
 # access to everything.
 other auth     required       pam_warn.so
 other auth     required       pam_deny.so
 other account  required       pam_warn.so
 other account  required       pam_deny.so
 other password required       pam_warn.so
 other password required       pam_deny.so
 other session  required       pam_warn.so
 other session  required       pam_deny.so


  6.39.6. AUTHOR

   pam_warn was written by Andrew G. Morgan <morgan@kernel.org>.

6.40. pam_wheel - only permit root access to members of group wheel

   pam_wheel.so [ debug ] [ deny ] [ group=name ] [ root_only ] [ trust ] [
   use_uid ]

  6.40.1. DESCRIPTION

   The pam_wheel PAM module is used to enforce the so-called wheel group. By
   default it permits root access to the system if the applicant user is a
   member of the wheel group. If no group with this name exists, the module
   uses the group with group-ID 0.

  6.40.2. OPTIONS

   debug

           Print debug information.

   deny

           Reverse the sense of the auth operation: if the user is trying to
           get UID 0 access and is a member of the wheel group (or the group
           of the group option), deny access. Conversely, if the user is not
           in the group, return PAM_IGNORE (unless trust was also specified,
           in which case we return PAM_SUCCESS).

   group=name

           Instead of checking the wheel or GID 0 groups, use the name group
           to perform the authentication.

   root_only

           The check for wheel membership is done only when the target user
           UID is 0.

   trust

           The pam_wheel module will return PAM_SUCCESS instead of PAM_IGNORE
           if the user is a member of the wheel group (thus with a little
           play stacking the modules the wheel members may be able to su to
           root without being prompted for a password).

   use_uid

           The check will be done against the real uid of the calling
           process, instead of trying to obtain the user from the login
           session associated with the terminal in use.

  6.40.3. MODULE TYPES PROVIDED

   The auth and account module types are provided.

  6.40.4. RETURN VALUES

   PAM_AUTH_ERR

           Authentication failure.

   PAM_BUF_ERR

           Memory buffer error.

   PAM_IGNORE

           The return value should be ignored by PAM dispatch.

   PAM_PERM_DENIED

           Permission denied.

   PAM_SERVICE_ERR

           Cannot determine the user name.

   PAM_SUCCESS

           Success.

   PAM_USER_UNKNOWN

           User not known.

  6.40.5. EXAMPLES

   The root account gains access by default (pam_rootok), only wheel members
   can become root (pam_wheel), and pam_unix authenticates non-root
   applicants.

 su      auth     sufficient     pam_rootok.so
 su      auth     required       pam_wheel.so
 su      auth     required       pam_unix.so


  6.40.6. AUTHOR

   pam_wheel was written by Cristian Gafton <gafton@redhat.com>.

6.41. pam_xauth - forward xauth keys between users

   pam_xauth.so [ debug ] [ xauthpath=/path/to/xauth ] [ systemuser=UID ] [
   targetuser=UID ]

  6.41.1. DESCRIPTION

   The pam_xauth PAM module is designed to forward xauth keys (sometimes
   referred to as "cookies") between users.

   Without pam_xauth, when xauth is enabled and a user uses the su(1) command
   to assume another user's privileges, that user is no longer able to access
   the original user's X display because the new user does not have the key
   needed to access the display. pam_xauth solves the problem by forwarding
   the key from the user running su (the source user) to the user whose
   identity the source user is assuming (the target user) when the session is
   created, and destroying the key when the session is torn down.

   This means, for example, that when you run su(1) from an xterm session,
   you will be able to run X programs without explicitly dealing with the
   xauth(1) command or ~/.Xauthority files.

   pam_xauth will only forward keys if xauth can list a key connected to the
   $DISPLAY environment variable.

   Primitive access control is provided by ~/.xauth/export in the invoking
   user's home directory and ~/.xauth/import in the target user's home
   directory.

   If a user has a ~/.xauth/import file, the user will only receive cookies
   from users listed in the file. If there is no ~/.xauth/import file, the
   user will accept cookies from any other user.

   If a user has a ~/.xauth/export file, the user will only forward cookies
   to users listed in the file. If there is no ~/.xauth/export file, and the
   invoking user is not root, the user will forward cookies to any other
   user. If there is no ~/.xauth/export file, and the invoking user is root,
   the user will not forward cookies to other users.

   Both the import and export files support wildcards (such as *). Both the
   import and export files can be empty, signifying that no users are
   allowed.

  6.41.2. OPTIONS

   debug

           Print debug information.

   xauthpath=/path/to/xauth

           Specify the path to the xauth program (it is expected in
           /usr/X11R6/bin/xauth, /usr/bin/xauth, or /usr/bin/X11/xauth by
           default).

   systemuser=UID

           Specify the highest UID which will be assumed to belong to a
           "system" user. pam_xauth will refuse to forward credentials to
           users with UID less than or equal to this number, except for root
           and the "targetuser", if specified.

   targetuser=UID

           Specify a single target UID which is exempt from the systemuser
           check.
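
   The import/export rules from the description and the systemuser and
   targetuser options above form one access decision. The Python below is an
   added example for this page, not pam_xauth's code: it takes the two ACL
   files as strings (None meaning the file is absent) and returns either
   "forward" or the reason the cookie stays where it is. The function and
   parameter names are assumptions, as is the use of fnmatch-style
   wildcards for the "such as *" patterns; no default for systemuser is
   assumed, so the cut-off only applies when one is passed in.

```python
"""Decide whether pam_xauth would forward a cookie from one user to
another, per the rules documented above. Added example for this page, not
pam_xauth's code."""
from fnmatch import fnmatchcase
from typing import Optional


def listed(acl: str, name: str) -> bool:
    """True if `name` matches any non-blank line of the ACL file; an empty
    file has no entries and therefore matches nobody."""
    for line in acl.splitlines():
        entry = line.strip()
        if entry and fnmatchcase(name, entry):    # wildcard handling is an assumption
            return True
    return False


def xauth_forward_decision(src_user: str, src_uid: int, dst_user: str, dst_uid: int,
                           export_file: Optional[str], import_file: Optional[str],
                           systemuser: Optional[int] = None,
                           targetuser: Optional[int] = None) -> str:
    """Return 'forward', or a short reason why the cookie is not forwarded."""
    # systemuser=UID: never hand cookies to accounts with uid <= cutoff,
    # except root and the single uid named by targetuser=UID
    if (systemuser is not None and dst_uid <= systemuser
            and dst_uid != 0 and dst_uid != targetuser):
        return "refused: target is a system user"
    # source side: ~/.xauth/export in the invoking user's home
    if export_file is None:
        if src_uid == 0:
            return "refused: root forwards nothing without ~/.xauth/export"
    elif not listed(export_file, dst_user):
        return "refused: target not in source's ~/.xauth/export"
    # target side: ~/.xauth/import in the target user's home
    if import_file is not None and not listed(import_file, src_user):
        return "refused: source not in target's ~/.xauth/import"
    return "forward"
```

   The asymmetry is deliberate: a root shell that su's to an unprivileged
   user never hands root's display cookie down unless root has created
   ~/.xauth/export naming that user, whereas an ordinary user forwards to
   anyone until they create an export file. An empty import file is the
   way a user opts out of receiving cookies altogether.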

  6.41.3. MODULE TYPES PROVIDED

   Only the session type is provided.

  6.41.4. RETURN VALUES

   PAM_BUF_ERR

           Memory buffer error.

   PAM_PERM_DENIED

           Permission denied by import/export file.

   PAM_SESSION_ERR

           Cannot determine the user name or UID, or cannot access the user's
           home directory.

   PAM_SUCCESS

           Success.

   PAM_USER_UNKNOWN

           User not known.

  6.41.5. EXAMPLES

   Add the following line to /etc/pam.d/su to forward xauth keys between
   users when calling su:

 session  optional  pam_xauth.so


  6.41.6. AUTHOR

   pam_xauth was written by Nalin Dahyabhai <nalin@redhat.com>, based on
   original version by Michael K. Johnson <johnsonm@redhat.com>.

                              Chapter 7. See also

     * The Linux-PAM Application Writers' Guide.

     * The Linux-PAM Module Writers' Guide.

     * The V. Samar and R. Schemers (SunSoft), ``UNIFIED LOGIN WITH PLUGGABLE
       AUTHENTICATION MODULES'', Open Software Foundation Request For
       Comments 86.0, October 1995.

                       Chapter 8. Author/acknowledgments

   This document was written by Andrew G. Morgan (morgan@kernel.org) with
   many contributions from Chris Adams, Peter Allgeyer, Tim Baverstock, Tim
   Berger, Craig S. Bell, Derrick J. Brashear, Ben Buxton, Seth Chaiklin,
   Oliver Crow, Chris Dent, Marc Ewing, Cristian Gafton, Emmanuel Galanos,
   Brad M. Garcia, Eric Hester, Michel D'Hooge, Roger Hu, Eric Jacksch,
   Michael K. Johnson, David Kinchlea, Olaf Kirch, Marcin Korzonek, Thorsten
   Kukuk, Stephen Langasek, Nicolai Langfeldt, Elliot Lee, Luke Kenneth
   Casson Leighton, Al Longyear, Ingo Luetkebohle, Marek Michalkiewicz,
   Robert Milkowski, Aleph One, Martin Pool, Sean Reifschneider, Jan
   Rekorajski, Erik Troan, Theodore Ts'o, Jeff Uphoff, Myles Uyema, Savochkin
   Andrey Vladimirovich, Ronald Wahl, David Wood, John Wilmes, Joseph S. D.
   Yao and Alex O. Yuriev.

   Thanks are also due to Sun Microsystems, especially to Vipin Samar and
   Charlie Lai for their advice. At an early stage in the development of
   Linux-PAM, Sun graciously made the documentation for their implementation
   of PAM available. This act greatly accelerated the development of
   Linux-PAM.

               Chapter 9. Copyright information for this document

 Copyright (c) 2006 Thorsten Kukuk <kukuk@thkukuk.de>
 Copyright (c) 1996-2002 Andrew G. Morgan <morgan@kernel.org>


   Redistribution and use in source and binary forms, with or without
   modification, are permitted provided that the following conditions are
   met:

 1. Redistributions of source code must retain the above copyright
    notice, and the entire permission notice in its entirety,
    including the disclaimer of warranties.

 2. Redistributions in binary form must reproduce the above copyright
    notice, this list of conditions and the following disclaimer in the
    documentation and/or other materials provided with the distribution.

 3. The name of the author may not be used to endorse or promote
    products derived from this software without specific prior
    written permission.


   Alternatively, this product may be distributed under the terms of the GNU
   General Public License (GPL), in which case the provisions of the GNU GPL
   are required instead of the above restrictions. (This clause is necessary
   due to a potential bad interaction between the GNU GPL and the
   restrictions contained in a BSD-style copyright.)

 THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
 WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
 MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
 IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
 INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
 BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
 OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
 ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR
 TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
 USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
