"Fossies" - the Fresh Open Source Software Archive  

Source code changes of the file "doc/sag/Linux-PAM_SAG.txt" between
Linux-PAM-1.3.1-docs.tar.xz and Linux-PAM-1.4.0-docs.tar.xz

About: Linux-PAM is the Pluggable Authentication Modules for Linux. Documentation.

Linux-PAM_SAG.txt  (Linux-PAM-1.3.1-docs.tar.xz):Linux-PAM_SAG.txt  (Linux-PAM-1.4.0-docs.tar.xz)
skipping to change at line 70 skipping to change at line 70
6.24. pam_permit - the promiscuous module 6.24. pam_permit - the promiscuous module
6.25. pam_pwhistory - grant access using .pwhistory file 6.25. pam_pwhistory - grant access using .pwhistory file
6.26. pam_rhosts - grant access using .rhosts file 6.26. pam_rhosts - grant access using .rhosts file
6.27. pam_rootok - gain only root access 6.27. pam_rootok - gain only root access
6.28. pam_securetty - limit root login to special devices 6.28. pam_securetty - limit root login to special devices
6.29. pam_selinux - set the default security context 6.29. pam_selinux - set the default security context
6.30. pam_shells - check for valid login shell 6.30. pam_shells - check for valid login shell
6.31. pam_succeed_if - test account characteristics 6.31. pam_succeed_if - test account characteristics
6.32. pam_tally - login counter (tallying) module 6.32. pam_tally - login counter (tallying) module
6.33. pam_tally2 - login counter (tallying) module 6.33. pam_tally2 - login counter (tallying) module
6.34. pam_time - time controled access 6.34. pam_time - time controlled access
6.35. pam_timestamp - authenticate using cached successful authentication 6.35. pam_timestamp - authenticate using cached successful authentication
attempts attempts
6.36. pam_umask - set the file mode creation mask 6.36. pam_umask - set the file mode creation mask
6.37. pam_unix - traditional password authentication 6.37. pam_unix - traditional password authentication
6.38. pam_userdb - authenticate against a db database 6.38. pam_userdb - authenticate against a db database
6.39. pam_warn - logs all PAM items 6.39. pam_warn - logs all PAM items
6.40. pam_wheel - only permit root access to members of group wheel 6.40. pam_wheel - only permit root access to members of group wheel
6.41. pam_xauth - forward xauth keys between users 6.41. pam_xauth - forward xauth keys between users
7. See also 7. See also
skipping to change at line 402 skipping to change at line 402
the former state of the stack holds some value that is indicative of a the former state of the stack holds some value that is indicative of a
modules failure, this 'ok' value will not be used to override that value. modules failure, this 'ok' value will not be used to override that value.
done done
equivalent to ok with the side effect of terminating the module stack and equivalent to ok with the side effect of terminating the module stack and
PAM immediately returning to the application. PAM immediately returning to the application.
N (an unsigned integer) N (an unsigned integer)
equivalent to ok with the side effect of jumping over the next N modules in jump over the next N modules in the stack. Note that N equal to 0 is not
the stack. Note that N equal to 0 is not allowed (and it would be identical allowed, it would be treated as ignore in such case. The side effect
to ok in such case). depends on the PAM function call: for pam_authenticate, pam_acct_mgmt,
pam_chauthtok, and pam_open_session it is ignore; for pam_setcred and
pam_close_session it is one of ignore, ok, or bad depending on the module's
return value.
reset reset
clear all memory of the state of the module stack and start again with the clear all memory of the state of the module stack and start again with the
next stacked module. next stacked module.
Each of the four keywords: required; requisite; sufficient; and optional, have Each of the four keywords: required; requisite; sufficient; and optional, have
an equivalent expression in terms of the [...] syntax. They are as follows: an equivalent expression in terms of the [...] syntax. They are as follows:
required required
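Review bot: the new sentence "Note that N equal to 0 is not allowed, it would be treated as ignore in such case" is a comma splice and contradicts itself (a value that is "not allowed" is then given defined behaviour); suggest "N equal to 0 is treated as ignore." The hunk also changes what a jump means, from "equivalent to ok" to "ignore" for pam_authenticate, pam_acct_mgmt, pam_chauthtok and pam_open_session, so a rule whose action is a bare N no longer contributes a success to the stack's result. That is a behaviour change for existing configurations and deserves an explicit "changed in this version" remark rather than a silent rewrite of the definition.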
skipping to change at line 791 skipping to change at line 794
+:@admins foo:ALL +:@admins foo:ALL
User john and foo should get access from IPv6 host address. User john and foo should get access from IPv6 host address.
+:john foo:2001:db8:0:101::1 +:john foo:2001:db8:0:101::1
User john should get access from IPv6 net/mask. User john should get access from IPv6 net/mask.
+:john:2001:db8:0:101::/64 +:john:2001:db8:0:101::/64
Members of group wheel should be allowed to get access from all sources.
+:(wheel):ALL
Disallow console logins to all but the shutdown, sync and all other accounts, Disallow console logins to all but the shutdown, sync and all other accounts,
which are a member of the wheel group. which are a member of the wheel group.
-:ALL EXCEPT (wheel) shutdown sync:LOCAL -:ALL EXCEPT (wheel) shutdown sync:LOCAL
All other users should be denied to get access from all sources. All other users should be denied to get access from all sources.
-:ALL:ALL -:ALL:ALL
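Review bot: the added example "+:(wheel):ALL" is the first rule on this page that grants access to a parenthesised group name, while the earlier examples use the "@admins" form; a sentence stating that "(wheel)" denotes a UNIX group and how that differs from the "@" prefix would keep the two from reading as alternative spellings of the same thing. Minor, unchanged context: "User john and foo should get access from IPv6 host address" wants an article ("an IPv6 host address").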
6.1.8. AUTHORS 6.1.8. AUTHORS
skipping to change at line 837 skipping to change at line 844
The strength checks works in the following manner: at first the Cracklib The strength checks works in the following manner: at first the Cracklib
routine is called to check if the password is part of a dictionary; if this is routine is called to check if the password is part of a dictionary; if this is
not the case an additional set of strength checks is done. These checks are: not the case an additional set of strength checks is done. These checks are:
Palindrome Palindrome
Is the new password a palindrome? Is the new password a palindrome?
Case Change Only Case Change Only
Is the new password the the old one with only a change of case? Is the new password the old one with only a change of case?
Similar Similar
Is the new password too much like the old one? This is primarily controlled Is the new password too much like the old one? This is primarily controlled
by one argument, difok which is a number of character changes (inserts, by one argument, difok which is a number of character changes (inserts,
removals, or replacements) between the old and new password that are enough removals, or replacements) between the old and new password that are enough
to accept the new password. This defaults to 5 changes. to accept the new password. This defaults to 5 changes.
Simple Simple
skipping to change at line 991 skipping to change at line 998
Reject passwords which contain more than N consecutive characters of the Reject passwords which contain more than N consecutive characters of the
same class. The default is 0 which means that this check is disabled. same class. The default is 0 which means that this check is disabled.
reject_username reject_username
Check whether the name of the user in straight or reversed form is Check whether the name of the user in straight or reversed form is
contained in the new password. If it is found the new password is rejected. contained in the new password. If it is found the new password is rejected.
gecoscheck gecoscheck
Check whether the words from the GECOS field (usualy full name of the user) Check whether the words from the GECOS field (usually full name of the
longer than 3 characters in straight or reversed form are contained in the user) longer than 3 characters in straight or reversed form are contained
new password. If any such word is found the new password is rejected. in the new password. If any such word is found the new password is
rejected.
enforce_for_root enforce_for_root
The module will return error on failed check also if the user changing the The module will return error on failed check also if the user changing the
password is root. This option is off by default which means that just the password is root. This option is off by default which means that just the
message about the failed check is printed but root can change the password message about the failed check is printed but root can change the password
anyway. Note that root is not asked for an old password so the checks that anyway. Note that root is not asked for an old password so the checks that
compare the old and new password are not performed. compare the old and new password are not performed.
use_authtok use_authtok
skipping to change at line 1307 skipping to change at line 1315
The pam_env PAM module allows the (un)setting of environment variables. The pam_env PAM module allows the (un)setting of environment variables.
Supported is the use of previously set environment variables as well as Supported is the use of previously set environment variables as well as
PAM_ITEMs such as PAM_RHOST. PAM_ITEMs such as PAM_RHOST.
By default rules for (un)setting of variables are taken from the config file / By default rules for (un)setting of variables are taken from the config file /
etc/security/pam_env.conf. An alternate file can be specified with the conffile etc/security/pam_env.conf. An alternate file can be specified with the conffile
option. option.
Second a file (/etc/environment by default) with simple KEY=VAL pairs on Second a file (/etc/environment by default) with simple KEY=VAL pairs on
separate lines will be read. With the envfile option an alternate file can be separate lines will be read. With the envfile option an alternate file can be
specified. And with the readenv option this can be completly disabled. specified. And with the readenv option this can be completely disabled.
Third it will read a user configuration file ($HOME/.pam_environment by Third it will read a user configuration file ($HOME/.pam_environment by
default). The default file file can be changed with the user_envfile option and default). The default file can be changed with the user_envfile option and it
it can be turned on and off with the user_readenv option. can be turned on and off with the user_readenv option.
Since setting of PAM environment variables can have side effects to other Since setting of PAM environment variables can have side effects to other
modules, this module should be the last one on the stack. modules, this module should be the last one on the stack.
6.6.2. DESCRIPTION 6.6.2. DESCRIPTION
The /etc/security/pam_env.conf file specifies the environment variables to be The /etc/security/pam_env.conf file specifies the environment variables to be
set, unset or modified by pam_env(8). When someone logs in, this file is read set, unset or modified by pam_env(8). When someone logs in, this file is read
and the environment variables are set according. and the environment variables are set according.
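Review bot: "the environment variables are set according" (DESCRIPTION, unchanged context) is still missing its adverb and should read "set accordingly"; since the hunk already corrects spelling in this section ("completly", "file file"), this is the place to fix it. "Supported is the use of previously set environment variables as well as PAM_ITEMs" also reads better as "Previously set environment variables and PAM_ITEMs such as PAM_RHOST may be used."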
skipping to change at line 1375 skipping to change at line 1383
useful when different services need different environments. useful when different services need different environments.
readenv=0|1 readenv=0|1
Turns on or off the reading of the file specified by envfile (0 is off, 1 Turns on or off the reading of the file specified by envfile (0 is off, 1
is on). By default this option is on. is on). By default this option is on.
user_envfile=filename user_envfile=filename
Indicate an alternative .pam_environment file to override the default.The Indicate an alternative .pam_environment file to override the default.The
syntax is the same as for /etc/environment. The filename is relative to the syntax is the same as for /etc/security/pam_env.conf. The filename is
user home directory. This can be useful when different services need relative to the user home directory. This can be useful when different
different environments. services need different environments.
user_readenv=0|1 user_readenv=0|1
Turns on or off the reading of the user specific environment file. 0 is Turns on or off the reading of the user specific environment file. 0 is
off, 1 is on. By default this option is on. off, 1 is on. By default this option is off.
6.6.4. MODULE TYPES PROVIDED 6.6.4. MODULE TYPES PROVIDED
The auth and session module types are provided. The auth and session module types are provided.
6.6.5. RETURN VALUES 6.6.5. RETURN VALUES
PAM_ABORT PAM_ABORT
Not all relevant data or options could be gotten. Not all relevant data or options could be gotten.
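Review bot: the user_readenv default flips from "on" to "off" and the user_envfile syntax reference changes from /etc/environment to /etc/security/pam_env.conf, yet the hunk presents both as plain edits to the option text. The default change silently drops variables that users set in ~/.pam_environment unless the administrator now adds user_readenv=1, so it merits a visible note in this section; and pam_env.conf is described above as a file of (un)setting rules, not the KEY=VAL pairs described for /etc/environment, so the syntax change is a format change for existing user files and should be called out rather than only edited in place. Minor: "override the default.The" is missing a space after the period in both columns.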
skipping to change at line 1470 skipping to change at line 1478
6.7.1. DESCRIPTION 6.7.1. DESCRIPTION
pam_exec is a PAM module that can be used to run an external command. pam_exec is a PAM module that can be used to run an external command.
The child's environment is set to the current PAM environment list, as returned The child's environment is set to the current PAM environment list, as returned
by pam_getenvlist(3) In addition, the following PAM items are exported as by pam_getenvlist(3) In addition, the following PAM items are exported as
environment variables: PAM_RHOST, PAM_RUSER, PAM_SERVICE, PAM_TTY, PAM_USER and environment variables: PAM_RHOST, PAM_RUSER, PAM_SERVICE, PAM_TTY, PAM_USER and
PAM_TYPE, which contains one of the module types: account, auth, password, PAM_TYPE, which contains one of the module types: account, auth, password,
open_session and close_session. open_session and close_session.
Commands called by pam_exec need to be aware of that the user can have controll Commands called by pam_exec need to be aware of that the user can have control
over the environment. over the environment.
6.7.2. OPTIONS 6.7.2. OPTIONS
debug debug
Print debug information. Print debug information.
expose_authtok expose_authtok
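Review bot: "by pam_getenvlist(3) In addition" is missing the full stop after the reference, and "need to be aware of that the user can have control" should drop "of"; the hunk fixes "controll" on the same line, so the grammar could go with it. The warning itself is the important sentence in this section: since the command inherits an environment the caller can influence, the doc could add that commands run via pam_exec should not rely on inherited variables such as PATH and should be invoked by absolute path.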
skipping to change at line 1521 skipping to change at line 1529
6.7.3. MODULE TYPES PROVIDED 6.7.3. MODULE TYPES PROVIDED
All module types (auth, account, password and session) are provided. All module types (auth, account, password and session) are provided.
6.7.4. RETURN VALUES 6.7.4. RETURN VALUES
PAM_SUCCESS PAM_SUCCESS
The external command was run successfully. The external command was run successfully.
PAM_BUF_ERR
Memory buffer error.
PAM_CONV_ERR
The conversation method supplied by the application failed to obtain the
username.
PAM_INCOMPLETE
The conversation method supplied by the application returned
PAM_CONV_AGAIN.
PAM_SERVICE_ERR PAM_SERVICE_ERR
No argument or a wrong number of arguments were given. No argument or a wrong number of arguments were given.
PAM_SYSTEM_ERR PAM_SYSTEM_ERR
A system error occurred or the command to execute failed. A system error occurred or the command to execute failed.
PAM_IGNORE PAM_IGNORE
skipping to change at line 1808 skipping to change at line 1830
The first field, the services field, is a logic list of PAM service names that The first field, the services field, is a logic list of PAM service names that
the rule applies to. the rule applies to.
The second field, the tty field, is a logic list of terminal names that this The second field, the tty field, is a logic list of terminal names that this
rule applies to. rule applies to.
The third field, the users field, is a logic list of users, or a UNIX group, or The third field, the users field, is a logic list of users, or a UNIX group, or
a netgroup of users to whom this rule applies. Group names are preceded by a a netgroup of users to whom this rule applies. Group names are preceded by a
'%' symbol, while netgroup names are preceded by a '@' symbol. '%' symbol, while netgroup names are preceded by a '@' symbol.
A logic list namely means individual tokens that are optionally prefixed with
'!' (logical not) and separated with '&' (logical and) and '|' (logical or).
For these items the simple wildcard '*' may be used only once. With UNIX groups For these items the simple wildcard '*' may be used only once. With UNIX groups
or netgroups no wildcards or logic operators are allowed. or netgroups no wildcards or logic operators are allowed.
The times field is used to indicate "when" these groups are to be given to the The times field is used to indicate "when" these groups are to be given to the
user. The format here is a logic list of day/time-range entries. The days are user. The format here is a logic list of day/time-range entries. The days are
specified by a sequence of two character entries, MoTuSa for example is Monday specified by a sequence of two character entries, MoTuSa for example is Monday
Tuesday and Saturday. Note that repeated days are unset MoMo = no day, and MoWk Tuesday and Saturday. Note that repeated days are unset MoMo = no day, and MoWk
= all weekdays bar Monday. The two character combinations accepted are Mo Tu We = all weekdays bar Monday. The two character combinations accepted are Mo Tu We
Th Fr Sa Su Wk Wd Al, the last two being week-end days and all 7 days of the Th Fr Sa Su Wk Wd Al, the last two being week-end days and all 7 days of the
week respectively. As a final example, AlFr means all days except Friday. week respectively. As a final example, AlFr means all days except Friday.
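Review bot: the added definition "A logic list namely means individual tokens ..." arrives after the services, tty and users fields have already been described as logic lists; move it ahead of "The first field" (or fold it into that sentence) and drop "namely", which makes the sentence read oddly ("A logic list means individual tokens that are optionally prefixed with ..."). It would also help to state how a list mixing "&" and "|" is grouped, since the definition introduces both operators without a precedence rule.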
skipping to change at line 2006 skipping to change at line 2031
6.13. pam_keyinit - display the keyinit file 6.13. pam_keyinit - display the keyinit file
pam_keyinit.so [ debug ] [ force ] [ revoke ] pam_keyinit.so [ debug ] [ force ] [ revoke ]
6.13.1. DESCRIPTION 6.13.1. DESCRIPTION
The pam_keyinit PAM module ensures that the invoking process has a session The pam_keyinit PAM module ensures that the invoking process has a session
keyring other than the user default session keyring. keyring other than the user default session keyring.
The session component of the module checks to see if the process's session The module checks to see if the process's session keyring is the
keyring is the user default, and, if it is, creates a new anonymous session user-session-keyring(7), and, if it is, creates a new session-keyring(7) with
keyring with which to replace it. which to replace it. If a new session keyring is created, it will install a
link to the user-keyring(7) in the session keyring so that keys common to the
If a new session keyring is created, it will install a link to the user common user will be automatically accessible through it. The session keyring of the
keyring in the session keyring so that keys common to the user will be invoking process will thenceforth be inherited by all its children unless they
automatically accessible through it. override it.
The session keyring of the invoking process will thenceforth be inherited by In order to allow other PAM modules to attach tokens to the keyring, this
all its children unless they override it. module provides both an auth (limited to pam_setcred(3) and a session
component. The session keyring is created in the module called. Moreover this
module should be included as early as possible in a PAM configuration.
This module is intended primarily for use by login processes. Be aware that This module is intended primarily for use by login processes. Be aware that
after the session keyring has been replaced, the old session keyring and the after the session keyring has been replaced, the old session keyring and the
keys it contains will no longer be accessible. keys it contains will no longer be accessible.
This module should not, generally, be invoked by programs like su, since it is This module should not, generally, be invoked by programs like su, since it is
usually desirable for the key set to percolate through to the alternate usually desirable for the key set to percolate through to the alternate
context. The keys have their own permissions system to manage this. context. The keys have their own permissions system to manage this.
This module should be included as early as possible in a PAM configuration, so
that other PAM modules can attach tokens to the keyring.
The keyutils package is used to manipulate keys more directly. This can be The keyutils package is used to manipulate keys more directly. This can be
obtained from: obtained from:
Keyutils Keyutils
6.13.2. OPTIONS 6.13.2. OPTIONS
debug debug
Log debug information with syslog(3). Log debug information with syslog(3).
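Review bot: "(limited to pam_setcred(3) and a session component" has an unbalanced parenthesis, and "The session keyring is created in the module called" does not say which component does the work when both auth and session are configured; suggest "both an auth component (limited to pam_setcred(3)) and a session component; the session keyring is created by whichever of the two is invoked first" if that is the intended meaning, or spell out the actual rule. Moving the "as early as possible" advice into the same paragraph as its reason (letting later modules attach tokens) is an improvement.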
skipping to change at line 2102 skipping to change at line 2126
This will prevent keys from one session leaking into another session for the This will prevent keys from one session leaking into another session for the
same user. same user.
6.13.6. AUTHOR 6.13.6. AUTHOR
pam_keyinit was written by David Howells, <dhowells@redhat.com>. pam_keyinit was written by David Howells, <dhowells@redhat.com>.
6.14. pam_lastlog - display date of last login 6.14. pam_lastlog - display date of last login
pam_lastlog.so [ debug ] [ silent ] [ never ] [ nodate ] [ nohost ] [ noterm ] pam_lastlog.so [ debug ] [ silent ] [ never ] [ nodate ] [ nohost ] [ noterm ]
[ nowtmp ] [ noupdate ] [ showfailed ] [ inactive=<days> ] [ nowtmp ] [ noupdate ] [ showfailed ] [ inactive=<days> ] [ unlimited ]
6.14.1. DESCRIPTION 6.14.1. DESCRIPTION
pam_lastlog is a PAM module to display a line of information about the last pam_lastlog is a PAM module to display a line of information about the last
login of the user. In addition, the module maintains the /var/log/lastlog file. login of the user. In addition, the module maintains the /var/log/lastlog file.
Some applications may perform this function themselves. In such cases, this Some applications may perform this function themselves. In such cases, this
module is not necessary. module is not necessary.
The module checks LASTLOG_UID_MAX option in /etc/login.defs and does not update
or display last login records for users with UID higher than its value. If the
option is not present or its value is invalid, no user ID limit is applied.
If the module is called in the auth or account phase, the accounts that were If the module is called in the auth or account phase, the accounts that were
not used recently enough will be disallowed to log in. The check is not not used recently enough will be disallowed to log in. The check is not
performed for the root account so the root is never locked out. performed for the root account so the root is never locked out. It is also not
performed for users with UID higher than the LASTLOG_UID_MAX value.
6.14.2. OPTIONS 6.14.2. OPTIONS
debug debug
Print debug information. Print debug information.
silent silent
Don't inform the user about any previous login, just update the /var/log/ Don't inform the user about any previous login, just update the /var/log/
lastlog file. lastlog file. This option does not affect display of bad login attempts.
never never
If the /var/log/lastlog file does not contain any old entries for the user, If the /var/log/lastlog file does not contain any old entries for the user,
indicate that the user has never previously logged in with a welcome indicate that the user has never previously logged in with a welcome
message. message.
nodate nodate
Don't display the date of the last login. Don't display the date of the last login.
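Review bot: the new LASTLOG_UID_MAX paragraph changes who the inactive= lockout applies to (the added sentence in the auth/account paragraph exempts users above the limit), which is an authorization-policy consequence and not only a display detail: an administrator relying on the lockout for directory-backed accounts with high UIDs should be told to raise LASTLOG_UID_MAX in /etc/login.defs, otherwise the check silently stops applying to them. Minor, unchanged context: "will be disallowed to log in" reads better as "will not be allowed to log in".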
skipping to change at line 2164 skipping to change at line 2193
Display number of failed login attempts and the date of the last failed Display number of failed login attempts and the date of the last failed
attempt from btmp. The date is not displayed when nodate is specified. attempt from btmp. The date is not displayed when nodate is specified.
inactive=<days> inactive=<days>
This option is specific for the auth or account phase. It specifies the This option is specific for the auth or account phase. It specifies the
number of days after the last login of the user when the user will be number of days after the last login of the user when the user will be
locked out by the module. The default value is 90. locked out by the module. The default value is 90.
unlimited
If the fsize limit is set, this option can be used to override it,
preventing failures on systems with large UID values that lead lastlog to
become a huge sparse file.
6.14.3. MODULE TYPES PROVIDED 6.14.3. MODULE TYPES PROVIDED
The auth and account module type allows to lock out users which did not login The auth and account module type allows one to lock out users who did not login
recently enough. The session module type is provided for displaying the recently enough. The session module type is provided for displaying the
information about the last login and/or updating the lastlog and wtmp files. information about the last login and/or updating the lastlog and wtmp files.
6.14.4. RETURN VALUES 6.14.4. RETURN VALUES
PAM_SUCCESS PAM_SUCCESS
Everything was successful. Everything was successful.
PAM_SERVICE_ERR PAM_SERVICE_ERR
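Review bot: the "unlimited" option text should say whether the fsize limit is raised only for the duration of the lastlog update or left raised for the rest of the session, since lifting a resource limit from a login process is a side effect the reader needs to know about; it should also name the phases the option applies to, as the inactive= entry does. Grammar: "large UID values that lead lastlog to become" should be "that cause lastlog to become".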
skipping to change at line 2416 skipping to change at line 2451
Indicate an alternative limits.conf style configuration file to override Indicate an alternative limits.conf style configuration file to override
the default. the default.
debug debug
Print debug information. Print debug information.
set_all set_all
Set the limits for which no value is specified in the configuration file to Set the limits for which no value is specified in the configuration file to
the one from the process with the PID 1. the one from the process with the PID 1. Please note that if the init
process is systemd these limits will not be the kernel default limits and
this option should not be used.
utmp_early utmp_early
Some broken applications actually allocate a utmp entry for the user before Some broken applications actually allocate a utmp entry for the user before
the user is admitted to the system. If some of the services you are the user is admitted to the system. If some of the services you are
configuring PAM for do this, you can selectively use this module argument configuring PAM for do this, you can selectively use this module argument
to compensate for this behavior and at the same time maintain system-wide to compensate for this behavior and at the same time maintain system-wide
consistency with a single limits.conf file. consistency with a single limits.conf file.
noaudit noaudit
skipping to change at line 2651 skipping to change at line 2688
6.17.3. MODULE TYPES PROVIDED 6.17.3. MODULE TYPES PROVIDED
All module types (account, auth, password and session) are provided. All module types (account, auth, password and session) are provided.
6.17.4. RETURN VALUES 6.17.4. RETURN VALUES
PAM_SUCCESS PAM_SUCCESS
The new localuser was set successfully. The new localuser was set successfully.
PAM_BUF_ERR
Memory buffer error.
PAM_CONV_ERR
The conversation method supplied by the application failed to obtain the
username.
PAM_INCOMPLETE
The conversation method supplied by the application returned
PAM_CONV_AGAIN.
PAM_SERVICE_ERR PAM_SERVICE_ERR
No username was given. The user name is not valid or the passwd file is unavailable.
PAM_PERM_DENIED PAM_PERM_DENIED
The user is not listed in the passwd file. The user is not listed in the passwd file.
6.17.5. EXAMPLES 6.17.5. EXAMPLES
Add the following lines to /etc/pam.d/su to allow only local users or group Add the following lines to /etc/pam.d/su to allow only local users or group
wheel to use su. wheel to use su.
skipping to change at line 2822 skipping to change at line 2873
mail when they login to the system. mail when they login to the system.
session optional pam_mail.so standard session optional pam_mail.so standard
6.19.6. AUTHOR 6.19.6. AUTHOR
pam_mail was written by Andrew G. Morgan <morgan@kernel.org>. pam_mail was written by Andrew G. Morgan <morgan@kernel.org>.
6.20. pam_mkhomedir - create users home directory 6.20. pam_mkhomedir - create users home directory
pam_mkhomedir.so [ silent ] [ umask=mode ] [ skel=skeldir ] pam_mkhomedir.so [ silent ] [ debug ] [ umask=mode ] [ skel=skeldir ]
6.20.1. DESCRIPTION 6.20.1. DESCRIPTION
The pam_mkhomedir PAM module will create a users home directory if it does not The pam_mkhomedir PAM module will create a users home directory if it does not
exist when the session begins. This allows users to be present in central exist when the session begins. This allows users to be present in central
database (such as NIS, kerberos or LDAP) without using a distributed file database (such as NIS, kerberos or LDAP) without using a distributed file
system or pre-creating a large number of directories. The skeleton directory system or pre-creating a large number of directories. The skeleton directory
(usually /etc/skel/) is used to copy default files and also sets a umask for (usually /etc/skel/) is used to copy default files and also sets a umask for
the creation. the creation.
The new users home directory will not be removed after logout of the user. The new users home directory will not be removed after logout of the user.
6.20.2. OPTIONS 6.20.2. OPTIONS
silent silent
Don't print informative messages. Don't print informative messages.
debug
Turns on debugging via syslog(3).
umask=mask umask=mask
The user file-creation mask is set to mask. The default value of mask is The user file-creation mask is set to mask. The default value of mask is
0022. 0022.
skel=/path/to/skel/directory skel=/path/to/skel/directory
Indicate an alternative skel directory to override the default /etc/skel. Indicate an alternative skel directory to override the default /etc/skel.
6.20.3. MODULE TYPES PROVIDED 6.20.3. MODULE TYPES PROVIDED
Only the session module type is provided. Only the session module type is provided.
6.20.4. RETURN VALUES 6.20.4. RETURN VALUES
PAM_BUF_ERR PAM_BUF_ERR
Memory buffer error. Memory buffer error.
PAM_CRED_INSUFFICIENT
Insufficient credentials to access authentication data.
PAM_PERM_DENIED PAM_PERM_DENIED
Not enough permissions to create the new directory or read the skel Not enough permissions to create the new directory or read the skel
directory. directory.
PAM_USER_UNKNOWN PAM_USER_UNKNOWN
User not known to the underlying authentication module. User not known to the underlying authentication module.
PAM_SUCCESS PAM_SUCCESS
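Review bot: "users home directory" (section title, DESCRIPTION and the logout sentence, unchanged context) should be "user's home directory"; since the hunk already touches this section for the new debug option, it is the moment to fix all three. The added PAM_CRED_INSUFFICIENT entry also has no corresponding situation in the DESCRIPTION of this session-only module; a short clause on when it is returned would make the return-value list usable.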
skipping to change at line 2899 skipping to change at line 2950
session required pam_unix.so session required pam_unix.so
session optional pam_lastlog.so session optional pam_lastlog.so
session optional pam_mail.so standard session optional pam_mail.so standard
6.20.6. AUTHOR 6.20.6. AUTHOR
pam_mkhomedir was written by Jason Gunthorpe <jgg@debian.org>. pam_mkhomedir was written by Jason Gunthorpe <jgg@debian.org>.
6.21. pam_motd - display the motd file 6.21. pam_motd - display the motd file
pam_motd.so [ motd=/path/filename ] pam_motd.so [ motd=/path/filename ] [ motd_dir=/path/dirname.d ]
6.21.1. DESCRIPTION 6.21.1. DESCRIPTION
pam_motd is a PAM module that can be used to display arbitrary motd (message of pam_motd is a PAM module that can be used to display arbitrary motd (message of
the day) files after a successful login. By default the /etc/motd file is the day) files after a successful login. By default, pam_motd shows files in
shown. The message size is limited to 64KB. the following locations:
/etc/motd
/run/motd
/usr/lib/motd
/etc/motd.d/
/run/motd.d/
/usr/lib/motd.d/
Each message size is limited to 64KB.
If /etc/motd does not exist, then /run/motd is shown. If /run/motd does not
exist, then /usr/lib/motd is shown.
Similar overriding behavior applies to the directories. Files in /etc/motd.d/
override files with the same name in /run/motd.d/ and /usr/lib/motd.d/. Files
in /run/motd.d/ override files with the same name in /usr/lib/motd.d/.
Files the in the directories listed above are displayed in lexicographic order
by name.
To silence a message, a symbolic link with target /dev/null may be placed in /
etc/motd.d with the same filename as the message to be silenced. Example:
Creating a symbolic link as follows silences /usr/lib/motd.d/my_motd.
ln -s /dev/null /etc/motd.d/my_motd
The MOTD_SHOWN=pam environment variable is set after showing the motd files,
even when all of them were silenced using symbolic links.
6.21.2. OPTIONS 6.21.2. OPTIONS
motd=/path/filename motd=/path/filename
The /path/filename file is displayed as message of the day. The /path/filename file is displayed as message of the day. Multiple paths
to try can be specified as a colon-separated list. By default this option
is set to /etc/motd:/run/motd:/usr/lib/motd.
motd_dir=/path/dirname.d motd_dir=/path/dirname.d
The /path/dirname.d directory is scanned and each file contained inside of The /path/dirname.d directory is scanned and each file contained inside of
it is displayed. it is displayed. Multiple directories to scan can be specified as a
colon-separated list. By default this option is set to /etc/motd.d:/run/
When no options are given, the default is to display both /etc/motd and the motd.d:/usr/lib/motd.d.
contents of /etc/motd.d. Specifying either option (or both) will disable this
default behavior. When no options are given, the default behavior applies for both options.
Specifying either option (or both) will disable the default behavior for both
options.
6.21.3. MODULE TYPES PROVIDED 6.21.3. MODULE TYPES PROVIDED
Only the session module type is provided. Only the session module type is provided.
6.21.4. RETURN VALUES 6.21.4. RETURN VALUES
PAM_ABORT
Not all relevant data or options could be obtained.
PAM_BUF_ERR
Memory buffer error.
PAM_IGNORE PAM_IGNORE
This is the only return value of this module. This is the default return value of this module.
6.21.5. EXAMPLES 6.21.5. EXAMPLES
The suggested usage for /etc/pam.d/login is: The suggested usage for /etc/pam.d/login is:
session optional pam_motd.so session optional pam_motd.so
To use a motd file from a different location: To use a motd file from a different location:
session optional pam_motd.so motd=/elsewhere/motd session optional pam_motd.so motd=/elsewhere/motd
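Review bot: the silencing paragraph only shows the /etc/motd.d case; since the preceding text says files in /run/motd.d also override files in /usr/lib/motd.d, state whether a /dev/null symlink placed in /run/motd.d silences a vendor file too, so an administrator knows at which level a silencing link must live. Also fix the typo "Files the in the directories listed above" (drop the first "the"), and say that MOTD_SHOWN=pam is set in the PAM environment via pam_putenv, which the application has to export before a login shell can see it.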
skipping to change at line 3047 skipping to change at line 3138
iscript=path - path to the instance directory init script. The base directory iscript=path - path to the instance directory init script. The base directory
for relative paths is /etc/security/namespace.d. for relative paths is /etc/security/namespace.d.
noinit - instance directory init script will not be executed. noinit - instance directory init script will not be executed.
shared - the instance directories for "context" and "level" methods will not shared - the instance directories for "context" and "level" methods will not
contain the user name and will be shared among all users. contain the user name and will be shared among all users.
mntopts=value - value of this flag is passed to the mount call when the tmpfs mntopts=value - value of this flag is passed to the mount call when the tmpfs
mount is done. It allows for example the specification of the maximum size of mount is done. It allows for example the specification of the maximum size of
the tmpfs instance that is created by the mount call. See mount(8) for details. the tmpfs instance that is created by the mount call. In addition to options
specified in the tmpfs(5) manual the nosuid, noexec, and nodev flags can be
used to respectively disable setuid bit effect, disable running executables,
and disable devices to be interpreted on the mounted tmpfs filesystem.
The directory where polyinstantiated instances are to be created, must exist The directory where polyinstantiated instances are to be created, must exist
and must have, by default, the mode of 0000. The requirement that the instance and must have, by default, the mode of 0000. The requirement that the instance
parent be of mode 0000 can be overridden with the command line option parent be of mode 0000 can be overridden with the command line option
ignore_instance_parent_mode ignore_instance_parent_mode
In case of context or level polyinstantiation the SELinux context which is used In case of context or level polyinstantiation the SELinux context which is used
for polyinstantiation is the context used for executing a new process as for polyinstantiation is the context used for executing a new process as
obtained by getexeccon. This context must be set by the calling application or obtained by getexeccon. This context must be set by the calling application or
pam_selinux.so module. If this context is not set the polyinstatiation will be pam_selinux.so module. If this context is not set the polyinstatiation will be
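Review bot: the expanded mntopts entry lists nosuid, noexec and nodev as accepted flags but never says which mount flags apply when mntopts is omitted; because the tmpfs instance is writable by the user, readers need to know whether nosuid and nodev must be requested explicitly. Suggest a sentence of the form "If mntopts is not given, the tmpfs is mounted with ..." stating the actual default. In the unchanged text, "polyinstatiation" is a typo for "polyinstantiation" and the comma in "are to be created, must exist" should go.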
skipping to change at line 3243 skipping to change at line 3337
file=/path/nologin file=/path/nologin
Use this file instead the default /var/run/nologin or /etc/nologin. Use this file instead the default /var/run/nologin or /etc/nologin.
successok successok
Return PAM_SUCCESS if no file exists, the default is PAM_IGNORE. Return PAM_SUCCESS if no file exists, the default is PAM_IGNORE.
6.23.3. MODULE TYPES PROVIDED 6.23.3. MODULE TYPES PROVIDED
The auth and acct module types are provided. The auth and account module types are provided.
6.23.4. RETURN VALUES 6.23.4. RETURN VALUES
PAM_AUTH_ERR PAM_AUTH_ERR
The user is not root and /etc/nologin exists, so the user is not permitted The user is not root and /etc/nologin exists, so the user is not permitted
to log in. to log in.
PAM_BUF_ERR PAM_BUF_ERR
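Review bot: the PAM_AUTH_ERR description still hardcodes /etc/nologin although the file= option directly above lets the administrator choose another path and the stated default is /var/run/nologin or /etc/nologin; "the nologin file exists" would match all three cases. Minor grammar in the file= entry: "instead the default" should read "instead of the default".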
skipping to change at line 3500 skipping to change at line 3594
that is checked. that is checked.
6.27.2. OPTIONS 6.27.2. OPTIONS
debug debug
Print debug information. Print debug information.
6.27.3. MODULE TYPES PROVIDED 6.27.3. MODULE TYPES PROVIDED
The auth, acct and password module types are provided. The auth, account and password module types are provided.
6.27.4. RETURN VALUES 6.27.4. RETURN VALUES
PAM_SUCCESS PAM_SUCCESS
The UID is 0. The UID is 0.
PAM_AUTH_ERR PAM_AUTH_ERR
The UID is not 0. The UID is not 0.
skipping to change at line 3534 skipping to change at line 3628
pam_rootok was written by Andrew G. Morgan, <morgan@kernel.org>. pam_rootok was written by Andrew G. Morgan, <morgan@kernel.org>.
6.28. pam_securetty - limit root login to special devices 6.28. pam_securetty - limit root login to special devices
pam_securetty.so [ debug ] pam_securetty.so [ debug ]
6.28.1. DESCRIPTION 6.28.1. DESCRIPTION
pam_securetty is a PAM module that allows root logins only if the user is pam_securetty is a PAM module that allows root logins only if the user is
logging in on a "secure" tty, as defined by the listing in /etc/securetty. logging in on a "secure" tty, as defined by the listing in the securetty file.
pam_securetty also checks to make sure that /etc/securetty is a plain file and pam_securetty checks at first, if /etc/securetty exists. If not and it was
not world writable. It will also allow root logins on the tty specified with built with vendordir support, it will use %vendordir%/securetty. pam_securetty
console= switch on the kernel command line and on ttys from the /sys/class/tty/ also checks that the securetty files are plain files and not world writable. It
console/active. will also allow root logins on the tty specified with console= switch on the
kernel command line and on ttys from the /sys/class/tty/console/active.
This module has no effect on non-root users and requires that the application This module has no effect on non-root users and requires that the application
fills in the PAM_TTY item correctly. fills in the PAM_TTY item correctly.
For canonical usage, should be listed as a required authentication method For canonical usage, should be listed as a required authentication method
before any sufficient authentication methods. before any sufficient authentication methods.
6.28.2. OPTIONS 6.28.2. OPTIONS
debug debug
Print debug information. Print debug information.
noconsole noconsole
Do not automatically allow root logins on the kernel console device, as Do not automatically allow root logins on the kernel console device, as
specified on the kernel command line or by the sys file, if it is not also specified on the kernel command line or by the sys file, if it is not also
specified in the /etc/securetty file. specified in the securetty file.
6.28.3. MODULE TYPES PROVIDED 6.28.3. MODULE TYPES PROVIDED
Only the auth module type is provided. Only the auth module type is provided.
6.28.4. RETURN VALUES 6.28.4. RETURN VALUES
PAM_SUCCESS PAM_SUCCESS
The user is allowed to continue authentication. Either the user is not The user is allowed to continue authentication. Either the user is not
root, or the root user is trying to log in on an acceptable device. root, or the root user is trying to log in on an acceptable device.
PAM_AUTH_ERR PAM_AUTH_ERR
Authentication is rejected. Either root is attempting to log in via an Authentication is rejected. Either root is attempting to log in via an
unacceptable device, or the /etc/securetty file is world writable or not a unacceptable device, or the securetty file is world writable or not a
normal file. normal file.
PAM_BUF_ERR
Memory buffer error.
PAM_CONV_ERR
The conversation method supplied by the application failed to obtain the
username.
PAM_INCOMPLETE PAM_INCOMPLETE
An application error occurred. pam_securetty was not able to get The conversation method supplied by the application returned
information it required from the application that called it. PAM_CONV_AGAIN.
PAM_SERVICE_ERR PAM_SERVICE_ERR
An error occurred while the module was determining the user's name or tty, An error occurred while the module was determining the user's name or tty,
or the module could not open /etc/securetty. or the module could not open the securetty file.
PAM_USER_UNKNOWN PAM_USER_UNKNOWN
The module could not find the user name in the /etc/passwd file to verify The module could not find the user name in the /etc/passwd file to verify
whether the user had a UID of 0. Therefore, the results of running this whether the user had a UID of 0. Therefore, the results of running this
module are ignored. module are ignored.
6.28.5. EXAMPLES 6.28.5. EXAMPLES
auth required pam_securetty.so auth required pam_securetty.so
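Review bot: the new vendordir paragraph covers the case where /etc/securetty is missing and a vendor file exists, but neither the DESCRIPTION nor RETURN VALUES says what happens when no securetty file exists at all: is root then allowed on every tty (fail open) or refused? That outcome is the property an administrator relies on, so state it explicitly next to the PAM_SERVICE_ERR entry "or the module could not open the securetty file", distinguishing a missing file from an unreadable one. Also replace the literal %vendordir% with a description of how the vendor directory is fixed at build time, and give "For canonical usage, should be listed as a required authentication method" a subject ("this module should be listed").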
skipping to change at line 3844 skipping to change at line 3948
Field does not match the given glob. Field does not match the given glob.
field in item:item:... field in item:item:...
Field is contained in the list of items separated by colons. Field is contained in the list of items separated by colons.
field notin item:item:... field notin item:item:...
Field is not contained in the list of items separated by colons. Field is not contained in the list of items separated by colons.
user ingroup group user ingroup group[:group:....]
User is in given group. User is in given group(s).
user notingroup group user notingroup group[:group:....]
User is not in given group. User is not in given group(s).
user innetgr netgroup user innetgr netgroup
(user,host) is in given netgroup. (user,host) is in given netgroup.
user notinnetgr group user notinnetgr group
(user,host) is not in given netgroup. (user,host) is not in given netgroup.
6.31.3. MODULE TYPES PROVIDED 6.31.3. MODULE TYPES PROVIDED
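Review bot: "User is in given group(s)" for the new group[:group:....] form leaves open whether the user must belong to all listed groups or to at least one; the "wheel:root" example in the EXAMPLES section of this module only makes sense with any-of semantics, so spell it out as "User is a member of at least one of the given groups" and, for notingroup, "User is a member of none of the given groups". Also trim "[:group:....]" to "[:group:...]" to match the item:item:... notation used for the in and notin tests above.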
skipping to change at line 3880 skipping to change at line 3984
PAM_AUTH_ERR PAM_AUTH_ERR
The condition was false. The condition was false.
PAM_SERVICE_ERR PAM_SERVICE_ERR
A service error occurred or the arguments can't be parsed correctly. A service error occurred or the arguments can't be parsed correctly.
6.31.5. EXAMPLES 6.31.5. EXAMPLES
To emulate the behaviour of pam_wheel, except there is no fallback to group 0: To emulate the behaviour of pam_wheel, except there is no fallback to group 0
being only approximated by checking also the root group membership:
auth required pam_succeed_if.so quiet user ingroup wheel auth required pam_succeed_if.so quiet user ingroup wheel:root
Given that the type matches, only loads the othermodule rule if the UID is over Given that the type matches, only loads the othermodule rule if the UID is over
500. Adjust the number after default to skip several rules. 500. Adjust the number after default to skip several rules.
type [default=1 success=ignore] pam_succeed_if.so quiet uid > 500 type [default=1 success=ignore] pam_succeed_if.so quiet uid > 500
type required othermodule.so arguments... type required othermodule.so arguments...
6.31.6. AUTHOR 6.31.6. AUTHOR
Nalin Dahyabhai <nalin@redhat.com> Nalin Dahyabhai <nalin@redhat.com>
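Review bot: the rewritten lead-in "except there is no fallback to group 0 being only approximated by checking also the root group membership" is hard to parse; suggest "To approximate the behaviour of pam_wheel, whose fallback to group 0 is emulated here by also accepting membership in the root group:". The difference is worth stating as well: pam_wheel consults group 0 only when no wheel group exists, whereas "user ingroup wheel:root" admits root-group members even when wheel does exist, so this rule is slightly more permissive than pam_wheel.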
skipping to change at line 3947 skipping to change at line 4052
file=/path/to/counter file=/path/to/counter
File where to keep counts. Default is /var/log/faillog. File where to keep counts. Default is /var/log/faillog.
audit audit
Will log the user name into the system log if the user is not found. Will log the user name into the system log if the user is not found.
silent silent
Don't print informative messages. Don't print informative messages. The messages printed without the
silent option leak presence of accounts on the system because they are
not printed for non-existing accounts.
no_log_info no_log_info
Don't log informative messages via syslog(3). Don't log informative messages via syslog(3).
AUTH OPTIONS AUTH OPTIONS
Authentication phase first checks if user should be denied access and if Authentication phase first checks if user should be denied access and if
not it increments attempted login counter. Then on call to pam_setcred(3) not it increments attempted login counter. Then on call to pam_setcred(3)
it resets the attempts counter. it resets the attempts counter.
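Review bot: the added enumeration caveat on silent is the right thing to document, but "leak presence of accounts on the system because they are not printed for non-existing accounts" reads awkwardly; suggest "reveal whether an account exists, because they are printed only for existing accounts". Since the text itself identifies the messages as an information disclosure, add a sentence recommending silent on services reachable by unauthenticated remote users.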
skipping to change at line 4110 skipping to change at line 4217
file=/path/to/counter file=/path/to/counter
File where to keep counts. Default is /var/log/tallylog. File where to keep counts. Default is /var/log/tallylog.
audit audit
Will log the user name into the system log if the user is not found. Will log the user name into the system log if the user is not found.
silent silent
Don't print informative messages. Don't print informative messages. The messages printed without the
silent option leak presence of accounts on the system because they are
not printed for non-existing accounts.
no_log_info no_log_info
Don't log informative messages via syslog(3). Don't log informative messages via syslog(3).
debug debug
Always log tally count when it is incremented as a debug level message Always log tally count when it is incremented as a debug level message
to the system log. to the system log.
skipping to change at line 4244 skipping to change at line 4353
6.33.7. FILES 6.33.7. FILES
/var/log/tallylog /var/log/tallylog
failure count logging file failure count logging file
6.33.8. AUTHOR 6.33.8. AUTHOR
pam_tally2 was written by Tim Baverstock and Tomas Mraz. pam_tally2 was written by Tim Baverstock and Tomas Mraz.
6.34. pam_time - time controled access 6.34. pam_time - time controlled access
pam_time.so [ debug ] [ noaudit ] pam_time.so [ conffile=conf-file ] [ debug ] [ noaudit ]
6.34.1. DESCRIPTION 6.34.1. DESCRIPTION
The pam_time PAM module does not authenticate the user, but instead it The pam_time PAM module does not authenticate the user, but instead it
restricts access to a system and or specific applications at various times of restricts access to a system and or specific applications at various times of
the day and on specific days or over various terminal lines. This module can be the day and on specific days or over various terminal lines. This module can be
configured to deny access to (individual) users based on their name, the time configured to deny access to (individual) users based on their name, the time
of day, the day of week, the service they are applying for and their terminal of day, the day of week, the service they are applying for and their terminal
from which they are making their request. from which they are making their request.
By default rules for time/port access are taken from config file /etc/security/ By default rules for time/port access are taken from config file /etc/security/
time.conf. time.conf. An alternative file can be specified with the conffile option.
If Linux PAM is compiled with audit support the module will report when it If Linux PAM is compiled with audit support the module will report when it
denies access. denies access.
6.34.2. DESCRIPTION 6.34.2. DESCRIPTION
The pam_time PAM module does not authenticate the user, but instead it The pam_time PAM module does not authenticate the user, but instead it
restricts access to a system and or specific applications at various times of restricts access to a system and or specific applications at various times of
the day and on specific days or over various terminal lines. This module can be the day and on specific days or over various terminal lines. This module can be
configured to deny access to (individual) users based on their name, the time configured to deny access to (individual) users based on their name, the time
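Review bot: the synopsis writes the new option as "conffile=conf-file" while the OPTIONS entry further down in this diff uses "conffile=/path/to/time.conf"; pick one placeholder. The DESCRIPTION should also say whether a relative conffile path is accepted and what it is relative to, since an unexpected base directory would make the module read a file the administrator did not intend. Separately, the unchanged heading "6.34.2. DESCRIPTION" introduces a paragraph identical to 6.34.1; if that section goes on to describe the time.conf format (the field descriptions that follow), give it a title that says so.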
skipping to change at line 4293 skipping to change at line 4402
The first field, the services field, is a logic list of PAM service names that The first field, the services field, is a logic list of PAM service names that
the rule applies to. the rule applies to.
The second field, the tty field, is a logic list of terminal names that this The second field, the tty field, is a logic list of terminal names that this
rule applies to. rule applies to.
The third field, the users field, is a logic list of users or a netgroup of The third field, the users field, is a logic list of users or a netgroup of
users to whom this rule applies. users to whom this rule applies.
A logic list namely means individual tokens that are optionally prefixed with
'!' (logical not) and separated with '&' (logical and) and '|' (logical or).
For these items the simple wildcard '*' may be used only once. With netgroups For these items the simple wildcard '*' may be used only once. With netgroups
no wildcards or logic operators are allowed. no wildcards or logic operators are allowed.
The times field is used to indicate the times at which this rule applies. The The times field is used to indicate the times at which this rule applies. The
format here is a logic list of day/time-range entries. The days are specified format here is a logic list of day/time-range entries. The days are specified
by a sequence of two character entries, MoTuSa for example is Monday Tuesday by a sequence of two character entries, MoTuSa for example is Monday Tuesday
and Saturday. Note that repeated days are unset MoMo = no day, and MoWk = all and Saturday. Note that repeated days are unset MoMo = no day, and MoWk = all
weekdays bar Monday. The two character combinations accepted are Mo Tu We Th Fr weekdays bar Monday. The two character combinations accepted are Mo Tu We Th Fr
Sa Su Wk Wd Al, the last two being week-end days and all 7 days of the week Sa Su Wk Wd Al, the last two being week-end days and all 7 days of the week
respectively. As a final example, AlFr means all days except Friday. respectively. As a final example, AlFr means all days except Friday.
skipping to change at line 4319 skipping to change at line 4431
For a rule to be active, ALL of service+ttys+users must be satisfied by the For a rule to be active, ALL of service+ttys+users must be satisfied by the
applying process. applying process.
Note, currently there is no daemon enforcing the end of a session. This needs Note, currently there is no daemon enforcing the end of a session. This needs
to be remedied. to be remedied.
Poorly formatted rules are logged as errors using syslog(3). Poorly formatted rules are logged as errors using syslog(3).
6.34.3. OPTIONS 6.34.3. OPTIONS
conffile=/path/to/time.conf
Indicate an alternative time.conf style configuration file to override the
default.
debug debug
Some debug information is printed with syslog(3). Some debug information is printed with syslog(3).
noaudit noaudit
Do not report logins at disallowed time to the audit subsystem. Do not report logins at disallowed time to the audit subsystem.
6.34.4. MODULE TYPES PROVIDED 6.34.4. MODULE TYPES PROVIDED
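Review bot: the new "logic list" definition names the '!', '&' and '|' operators but not how a list mixing '&' and '|' is evaluated (operator precedence or strict left-to-right) or whether grouping is possible; a reader who assumes conventional precedence may write a rule that matches at unintended times, so state the evaluation rule and add one mixed example. The conffile entry should also repeat whether the path may be relative, consistent with whatever the DESCRIPTION says.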
skipping to change at line 4458 skipping to change at line 4575
/var/run/pam_timestamp/... /var/run/pam_timestamp/...
timestamp files and directories timestamp files and directories
6.35.8. AUTHOR 6.35.8. AUTHOR
pam_timestamp was written by Nalin Dahyabhai. pam_timestamp was written by Nalin Dahyabhai.
6.36. pam_umask - set the file mode creation mask 6.36. pam_umask - set the file mode creation mask
pam_umask.so [ debug ] [ silent ] [ usergroups ] [ umask=mask ] pam_umask.so [ debug ] [ silent ] [ usergroups ] [ nousergroups ] [ umask=mask
]
6.36.1. DESCRIPTION 6.36.1. DESCRIPTION
pam_umask is a PAM module to set the file mode creation mask of the current pam_umask is a PAM module to set the file mode creation mask of the current
environment. The umask affects the default permissions assigned to newly environment. The umask affects the default permissions assigned to newly
created files. created files.
The PAM module tries to get the umask value from the following places in the The PAM module tries to get the umask value from the following places in the
following order: following order:
skipping to change at line 4498 skipping to change at line 4616
silent silent
Don't print informative messages. Don't print informative messages.
usergroups usergroups
If the user is not root and the username is the same as primary group name, If the user is not root and the username is the same as primary group name,
the umask group bits are set to be the same as owner bits (examples: 022 -> the umask group bits are set to be the same as owner bits (examples: 022 ->
002, 077 -> 007). 002, 077 -> 007).
nousergroups
This is the direct opposite of the usergroups option described above, which
can be useful in case pam_umask has been compiled with usergroups enabled
by default and you want to disable it at runtime.
umask=mask umask=mask
Sets the calling process's file mode creation mask (umask) to mask & 0777. Sets the calling process's file mode creation mask (umask) to mask & 0777.
The value is interpreted as Octal. The value is interpreted as Octal.
6.36.3. MODULE TYPES PROVIDED 6.36.3. MODULE TYPES PROVIDED
Only the session type is provided. Only the session type is provided.
6.36.4. RETURN VALUES 6.36.4. RETURN VALUES
PAM_SUCCESS PAM_SUCCESS
The new umask was set successfully. The new umask was set successfully.
PAM_BUF_ERR
Memory buffer error.
PAM_CONV_ERR
The conversation method supplied by the application failed to obtain the
username.
PAM_INCOMPLETE
The conversation method supplied by the application returned
PAM_CONV_AGAIN.
PAM_SERVICE_ERR PAM_SERVICE_ERR
No username was given. No username was given.
PAM_USER_UNKNOWN PAM_USER_UNKNOWN
User not known. User not known.
6.36.5. EXAMPLES 6.36.5. EXAMPLES
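Review bot: the nousergroups entry does not say what happens when usergroups and nousergroups both appear on the same line (last one wins, or a configuration error?), nor how an administrator can tell whether the module was compiled with usergroups enabled by default; give the precedence rule and point to the build option or a debug message. The new PAM_CONV_ERR and PAM_INCOMPLETE entries reuse the pam_securetty wording, which is fine, but PAM_SERVICE_ERR "No username was given" then overlaps with PAM_CONV_ERR; clarify which is returned in which situation.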
skipping to change at line 4603 skipping to change at line 4741
Turns off informational messages namely messages about session open and Turns off informational messages namely messages about session open and
close via syslog(3). close via syslog(3).
nullok nullok
The default action of this module is to not permit the user access to a The default action of this module is to not permit the user access to a
service if their official password is blank. The nullok argument overrides service if their official password is blank. The nullok argument overrides
this default. this default.
nullresetok
Allow users to authenticate with blank password if password reset is
enforced even if nullok is not set. If password reset is not required and
nullok is not set the authentication with blank password will be denied.
try_first_pass try_first_pass
Before prompting the user for their password, the module first tries the Before prompting the user for their password, the module first tries the
previous stacked module's password in case that satisfies this module as previous stacked module's password in case that satisfies this module as
well. well.
use_first_pass use_first_pass
The argument use_first_pass forces the module to use a previous stacked The argument use_first_pass forces the module to use a previous stacked
modules password and will never prompt the user - if no password is modules password and will never prompt the user - if no password is
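Review bot: "if password reset is enforced" in the new nullresetok entry needs a definition: which condition counts (for example, an expired password that must be changed at next login, as set with chage(1)), and whether the application is expected to force the change in the same session, so that administrators do not read nullresetok as a general substitute for nullok. The second sentence restates the first in negative form and can be dropped.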
skipping to change at line 4662 skipping to change at line 4806
When a user changes their password next, encrypt it with the MD5 algorithm. When a user changes their password next, encrypt it with the MD5 algorithm.
bigcrypt bigcrypt
When a user changes their password next, encrypt it with the DEC C2 When a user changes their password next, encrypt it with the DEC C2
algorithm. algorithm.
sha256 sha256
When a user changes their password next, encrypt it with the SHA256 When a user changes their password next, encrypt it with the SHA256
algorithm. If the SHA256 algorithm is not known to the crypt(3) function, algorithm. The SHA256 algorithm must be supported by the crypt(3) function.
fall back to MD5.
sha512 sha512
When a user changes their password next, encrypt it with the SHA512 When a user changes their password next, encrypt it with the SHA512
algorithm. If the SHA512 algorithm is not known to the crypt(3) function, algorithm. The SHA512 algorithm must be supported by the crypt(3) function.
fall back to MD5.
blowfish blowfish
When a user changes their password next, encrypt it with the blowfish When a user changes their password next, encrypt it with the blowfish
algorithm. If the blowfish algorithm is not known to the crypt(3) function, algorithm. The blowfish algorithm must be supported by the crypt(3)
fall back to MD5. function.
gost_yescrypt
When a user changes their password next, encrypt it with the gost-yescrypt
algorithm. The gost-yescrypt algorithm must be supported by the crypt(3)
function.
yescrypt
When a user changes their password next, encrypt it with the yescrypt
algorithm. The yescrypt algorithm must be supported by the crypt(3)
function.
rounds=n rounds=n
Set the optional number of rounds of the SHA256, SHA512 and blowfish Set the optional number of rounds of the SHA256, SHA512, blowfish,
password hashing algorithms to n. gost-yescrypt, and yescrypt password hashing algorithms to n.
broken_shadow broken_shadow
Ignore errors reading shadow information for users in the account Ignore errors reading shadow information for users in the account
management module. management module.
minlen=n minlen=n
Set a minimum password length of n characters. The max. for DES crypt based Set a minimum password length of n characters. The max. for DES crypt based
passwords are 8 characters. passwords are 8 characters.
skipping to change at line 4724 skipping to change at line 4878
An example usage for /etc/pam.d/login would be: An example usage for /etc/pam.d/login would be:
# Authenticate the user # Authenticate the user
auth required pam_unix.so auth required pam_unix.so
# Ensure users account and password are still active # Ensure users account and password are still active
account required pam_unix.so account required pam_unix.so
# Change the user's password, but at first check the strength # Change the user's password, but at first check the strength
# with pam_cracklib(8) # with pam_cracklib(8)
password required pam_cracklib.so retry=3 minlen=6 difok=3 password required pam_cracklib.so retry=3 minlen=6 difok=3
password required pam_unix.so use_authtok nullok md5 password required pam_unix.so use_authtok nullok yescrypt
session required pam_unix.so session required pam_unix.so
6.37.6. AUTHOR 6.37.6. AUTHOR
pam_unix was written by various people. pam_unix was written by various people.
6.38. pam_userdb - authenticate against a db database 6.38. pam_userdb - authenticate against a db database
pam_userdb.so db=/path/database [ debug ] [ crypt=[crypt|none] ] [ icase ] [ pam_userdb.so db=/path/database [ debug ] [ crypt=[crypt|none] ] [ icase ] [
dump ] [ try_first_pass ] [ use_first_pass ] [ unknown_ok ] [ key_only ] dump ] [ try_first_pass ] [ use_first_pass ] [ unknown_ok ] [ key_only ]
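Review bot: removing "If the ... algorithm is not known to the crypt(3) function, fall back to MD5" eliminates a silent downgrade, which is the right change, but the replacement "must be supported by the crypt(3) function" does not say what happens when it is not: does the password change fail, and with which return value? State it, because a silent fallback to a weaker hash is exactly what an administrator choosing yescrypt wants ruled out. In rounds=n, say that the meaning and accepted range of n differ between the SHA-2, blowfish and yescrypt families rather than implying one scale; and since the login example now uses yescrypt, note that it needs a crypt(3) implementation that supports it, such as libxcrypt.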
skipping to change at line 4893 skipping to change at line 5047
pam_warn was written by Andrew G. Morgan <morgan@kernel.org>. pam_warn was written by Andrew G. Morgan <morgan@kernel.org>.
6.40. pam_wheel - only permit root access to members of group wheel 6.40. pam_wheel - only permit root access to members of group wheel
pam_wheel.so [ debug ] [ deny ] [ group=name ] [ root_only ] [ trust ] [ pam_wheel.so [ debug ] [ deny ] [ group=name ] [ root_only ] [ trust ] [
use_uid ] use_uid ]
6.40.1. DESCRIPTION 6.40.1. DESCRIPTION
The pam_wheel PAM module is used to enforce the so-called wheel group. By The pam_wheel PAM module is used to enforce the so-called wheel group. By
default it permits root access to the system if the applicant user is a member default it permits access to the target user if the applicant user is a member
of the wheel group. If no group with this name exist, the module is using the of the wheel group. If no group with this name exist, the module is using the
group with the group-ID 0. group with the group-ID 0.
6.40.2. OPTIONS 6.40.2. OPTIONS
debug debug
Print debug information. Print debug information.
deny deny
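Review bot: "permits access to the target user" introduces a term the description does not define; say that the target user is the account whose identity is being requested (for su, the account being switched to) and cross-reference root_only from the synopsis, which limits the check to a root target, otherwise readers of the old "root access" wording cannot see what changed. Also "If no group with this name exist" should read "exists".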
 End of changes. 64 change blocks. 
85 lines changed or deleted 239 lines changed or added
