Source code changes of the file "doc/sag/Linux-PAM_SAG.txt" between
Linux-PAM-1.4.0-docs.tar.xz and Linux-PAM-1.5.0-docs.tar.xz

About: Linux-PAM is the Pluggable Authentication Modules for Linux. Documentation.

Linux-PAM_SAG.txt  (Linux-PAM-1.4.0-docs.tar.xz):Linux-PAM_SAG.txt  (Linux-PAM-1.5.0-docs.tar.xz)
[... unchanged text omitted; both versions continue at line 38 ...]
4.3. Example configuration file entries
5. Security issues
5.1. If something goes wrong
5.2. Avoid having a weak `other' configuration
6. A reference guide for available modules
(section numbers below follow 1.5.0; in 1.4.0, pam_debug through pam_succeed_if
were numbered one higher and pam_time through pam_xauth three higher, because
the entries marked as removed sat between them)
6.1. pam_access - logdaemon style login access control
[1.4.0 only, removed in 1.5.0] 6.2. pam_cracklib - checks the password against dictionary words
6.2. pam_debug - debug the PAM stack
6.3. pam_deny - locking-out PAM module
6.4. pam_echo - print text messages
6.5. pam_env - set/unset environment variables
6.6. pam_exec - call an external command
6.7. pam_faildelay - change the delay on failure per-application
6.8. pam_filter - filter module
6.9. pam_ftp - module for anonymous access
6.10. pam_group - module to modify group access
6.11. pam_issue - add issue file to user prompt
6.12. pam_keyinit - display the keyinit file
6.13. pam_lastlog - display date of last login
6.14. pam_limits - limit resources
6.15. pam_listfile - deny or allow services based on an arbitrary file
6.16. pam_localuser - require users to be listed in /etc/passwd
6.17. pam_loginuid - record user's login uid to the process attribute
6.18. pam_mail - inform about available mail
6.19. pam_mkhomedir - create users home directory
6.20. pam_motd - display the motd file
6.21. pam_namespace - setup a private namespace
6.22. pam_nologin - prevent non-root users from login
6.23. pam_permit - the promiscuous module
6.24. pam_pwhistory - grant access using .pwhistory file
6.25. pam_rhosts - grant access using .rhosts file
6.26. pam_rootok - gain only root access
6.27. pam_securetty - limit root login to special devices
6.28. pam_selinux - set the default security context
6.29. pam_shells - check for valid login shell
6.30. pam_succeed_if - test account characteristics
[1.4.0 only, removed in 1.5.0] 6.32. pam_tally - login counter (tallying) module
[1.4.0 only, removed in 1.5.0] 6.33. pam_tally2 - login counter (tallying) module
6.31. pam_time - time controlled access
6.32. pam_timestamp - authenticate using cached successful authentication attempts
6.33. pam_umask - set the file mode creation mask
6.34. pam_unix - traditional password authentication
6.35. pam_userdb - authenticate against a db database
6.36. pam_warn - logs all PAM items
6.37. pam_wheel - only permit root access to members of group wheel
6.38. pam_xauth - forward xauth keys between users
7. See also
8. Author/acknowledgments
9. Copyright information for this document
Chapter 1. Introduction
Linux-PAM (Pluggable Authentication Modules for Linux) is a suite of shared
libraries that enable the local system administrator to choose how applications
authenticate users.
[... unchanged text omitted; continues at 1.4.0 line 815 / 1.5.0 line 812 ...]
-:ALL:ALL
6.1.8. AUTHORS
The logdaemon style login access control scheme was designed and implemented by
Wietse Venema. The pam_access PAM module was developed by Alexei Nogin
<alexei@nogin.dnttm.ru>. The IPv6 support and the network(address) / netmask
feature were developed and provided by Mike Becher
<mike.becher@lrz-muenchen.de>.
6.2. pam_cracklib - checks the password against dictionary words
(this section exists in 1.4.0 only; it was removed in 1.5.0, where section 6.2
is pam_debug)
pam_cracklib.so [ ... ]
6.2.1. DESCRIPTION
This module can be plugged into the password stack of a given application to
provide some plug-in strength-checking for passwords.
The action of this module is to prompt the user for a password and check its
strength against a system dictionary and a set of rules for identifying poor
choices.
The first action is to prompt for a single password, check its strength and
then, if it is considered strong, prompt for the password a second time (to
verify that it was typed correctly on the first occasion). All being well, the
password is passed on to subsequent modules to be installed as the new
authentication token.
The strength check works in the following manner: first the Cracklib routine
is called to check whether the password is part of a dictionary; if it is not,
an additional set of strength checks is done. These checks are:
Palindrome
Is the new password a palindrome?
Case Change Only
Is the new password the old one with only a change of case?
Similar
Is the new password too much like the old one? This is primarily controlled
by one argument, difok which is a number of character changes (inserts,
removals, or replacements) between the old and new password that are enough
to accept the new password. This defaults to 5 changes.
Simple
Is the new password too small? This is controlled by 6 arguments minlen,
maxclassrepeat, dcredit, ucredit, lcredit, and ocredit. See the section on
the arguments for the details of how these work and their defaults.
Rotated
Is the new password a rotated version of the old password?
Same consecutive characters
Optional check for same consecutive characters.
Too long monotonic character sequence
Optional check for too long monotonic character sequence.
Contains user name
Optional check whether the password contains the user's name in some form.
This module with no arguments will work well for standard unix password
encryption. With md5 encryption, passwords can be longer than 8 characters and
the default settings for this module can make it hard for the user to choose a
satisfactory new password. Notably, the requirement that the new password
contain no more than 1/2 of the characters in the old password becomes a
non-trivial constraint. For example, an old password of the form "the quick
brown fox jumped over the lazy dogs" would be difficult to change... In
addition, the default action is to allow passwords as small as 5 characters in
length. For md5 systems it can be a good idea to increase the required
minimum size of a password. One can then allow more credit for different kinds
of characters but accept that the new password may share most of these
characters with the old password.
6.2.2. OPTIONS
debug
This option makes the module write information to syslog(3) indicating the
behavior of the module (this option does not write password information to
the log file).
authtok_type=XXX
The default action is for the module to use the following prompts when
requesting passwords: "New UNIX password: " and "Retype UNIX password: ".
The example word UNIX can be replaced with this option, by default it is
empty.
retry=N
Prompt user at most N times before returning with error. The default is 1.
difok=N
This argument will change the default of 5 for the number of character
changes in the new password that differentiate it from the old password.
minlen=N
The minimum acceptable size for the new password (plus one if credits are
not disabled, which is the default). In addition to the number of characters
in the new password, credit (of +1 in length) is given for each different
kind of character (other, upper, lower and digit). The default for this
parameter is 9, which is good for an old style UNIX password all of the same
type of character but may be too low to exploit the added security of an md5
system. Note that there is a pair of length limits in Cracklib itself, a
"way too short" limit of 4 which is hard coded in and a defined limit (6)
that will be checked without reference to minlen. If you want to allow
passwords as short as 5 characters you should not use this module.
dcredit=N
(N >= 0) This is the maximum credit for having digits in the new password.
If you have N or fewer digits, each digit will count +1 towards meeting
the current minlen value. The default for dcredit is 1 which is the
recommended value for minlen less than 10.
(N < 0) This is the minimum number of digits that must be present in a new
password.
ucredit=N
(N >= 0) This is the maximum credit for having upper case letters in the
new password. If you have N or fewer upper case letters, each letter
will count +1 towards meeting the current minlen value. The default for
ucredit is 1 which is the recommended value for minlen less than 10.
(N < 0) This is the minimum number of upper case letters that must be present
in a new password.
lcredit=N
(N >= 0) This is the maximum credit for having lower case letters in the
new password. If you have N or fewer lower case letters, each letter
will count +1 towards meeting the current minlen value. The default for
lcredit is 1 which is the recommended value for minlen less than 10.
(N < 0) This is the minimum number of lower case letters that must be present
in a new password.
ocredit=N
(N >= 0) This is the maximum credit for having other characters in the new
password. If you have N or fewer other characters, each character will
count +1 towards meeting the current minlen value. The default for ocredit
is 1 which is the recommended value for minlen less than 10.
(N < 0) This is the minimum number of other characters that must be present
in a new password.
minclass=N
The minimum number of required classes of characters for the new password.
The default number is zero. The four classes are digits, upper and lower
letters and other characters. The difference to the credit check is that no
specific class of characters is required. Instead, any N out of the four
classes are required.
maxrepeat=N
Reject passwords which contain more than N same consecutive characters. The
default is 0 which means that this check is disabled.
maxsequence=N
Reject passwords which contain monotonic character sequences longer than N.
The default is 0 which means that this check is disabled. Examples of such
sequence are '12345' or 'fedcb'. Note that most such passwords will not
pass the simplicity check unless the sequence is only a minor part of the
password.
maxclassrepeat=N
Reject passwords which contain more than N consecutive characters of the
same class. The default is 0 which means that this check is disabled.
reject_username
Check whether the name of the user in straight or reversed form is
contained in the new password. If it is found the new password is rejected.
gecoscheck
Check whether the words from the GECOS field (usually full name of the
user) longer than 3 characters in straight or reversed form are contained
in the new password. If any such word is found the new password is
rejected.
enforce_for_root
The module will return error on failed check also if the user changing the
password is root. This option is off by default which means that just the
message about the failed check is printed but root can change the password
anyway. Note that root is not asked for an old password so the checks that
compare the old and new password are not performed.
use_authtok
This argument is used to force the module to not prompt the user for a new
password but use the one provided by the previously stacked password
module.
dictpath=/path/to/dict
Path to the cracklib dictionaries.
6.2.3. MODULE TYPES PROVIDED
Only the password module type is provided.
6.2.4. RETURN VALUES
PAM_SUCCESS
The new password passes all checks.
PAM_AUTHTOK_ERR
No new password was entered, the username could not be determined or the
new password fails the strength checks.
PAM_AUTHTOK_RECOVERY_ERR
The old password was not supplied by a previous stacked module or was not
requested from the user. The first error can happen if use_authtok is
specified.
PAM_SERVICE_ERR
An internal error occurred.
6.2.5. EXAMPLES
For an example of the use of this module, we show how it may be stacked with
the password component of pam_unix(8)
#
# These lines stack two password type modules. In this example the
# user is given 3 opportunities to enter a strong password. The
# "use_authtok" argument ensures that the pam_unix module does not
# prompt for a password, but instead uses the one provided by
# pam_cracklib.
#
passwd password required pam_cracklib.so retry=3
passwd password required pam_unix.so use_authtok
Another example (in the /etc/pam.d/passwd format) is for the case that you want
to use md5 password encryption:
#%PAM-1.0
#
# These lines allow md5 systems to support passwords of at least 14
# bytes with extra credit of 2 for digits and 2 for others; the new
# password must have at least three bytes that are not present in the
# old password. Arguments must not contain spaces ("dcredit= 2" would
# be parsed as two separate tokens and the credit would not apply).
#
password required pam_cracklib.so \
difok=3 minlen=15 dcredit=2 ocredit=2
password required pam_unix.so use_authtok nullok md5
And here is another example in case you don't want to use credits:
#%PAM-1.0
#
# These lines require the user to select a password with a minimum
# length of 8 and with at least 1 digit number, 1 upper case letter,
# and 1 other character
#
password required pam_cracklib.so \
dcredit=-1 ucredit=-1 ocredit=-1 lcredit=0 minlen=8
password required pam_unix.so use_authtok nullok md5
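The following is an added example, not part of the original guide or of the pam_cracklib sources: a Python model of the checks described in this section, so that the credit arithmetic behind the three stacks above can be exercised without changing a real password. parse_args takes the module argument strings exactly as they appear in the EXAMPLES; the reason strings, function names and test passwords are this model's own, and the dictionary lookup is omitted because it needs the cracklib word lists.

```python
"""Model of the pam_cracklib strength checks listed above.

Added example for this page: a stand-alone Python re-implementation of the
documented rules, not the module's own C code. The cracklib dictionary lookup
is the one check left out; every other rule in the list above is modelled,
with argument names and defaults taken from the OPTIONS section.
"""
from dataclasses import dataclass

INT_OPTS = ("minlen", "difok", "dcredit", "ucredit", "lcredit", "ocredit",
            "minclass", "maxrepeat", "maxsequence", "maxclassrepeat", "retry")
FLAG_OPTS = ("debug", "use_authtok", "enforce_for_root", "reject_username",
             "gecoscheck")


@dataclass
class Opts:
    minlen: int = 9
    difok: int = 5
    dcredit: int = 1
    ucredit: int = 1
    lcredit: int = 1
    ocredit: int = 1
    minclass: int = 0
    maxrepeat: int = 0        # 0 disables the check
    maxsequence: int = 0      # 0 disables the check
    maxclassrepeat: int = 0   # 0 disables the check
    retry: int = 1


def parse_args(argstr):
    """Parse "retry=3 minlen=15 ..." into (Opts, tokens not understood).
    PAM splits on whitespace, so "dcredit= 2" yields "dcredit=" and "2";
    neither sets dcredit, and both are reported rather than ignored."""
    opts, unknown = Opts(), []
    for tok in argstr.split():
        key, eq, val = tok.partition("=")
        if key in INT_OPTS and val.lstrip("-").isdigit():
            setattr(opts, key, int(val))
        elif (key in FLAG_OPTS and not eq) or (key in ("dictpath", "authtok_type") and eq):
            pass                                   # accepted, not modelled
        else:
            unknown.append(tok)
    return opts, unknown


def _class_counts(pw):
    d = sum(c.isdigit() for c in pw)
    u = sum(c.isupper() for c in pw)
    lo = sum(c.islower() for c in pw)
    return d, u, lo, len(pw) - d - u - lo        # digits, upper, lower, other


def _class_of(c):
    return 0 if c.isdigit() else 1 if c.isupper() else 2 if c.islower() else 3


def longest_run(seq):
    """Length of the longest run of equal consecutive items."""
    best, run, prev = 0, 0, object()
    for x in seq:
        run = run + 1 if x == prev else 1
        prev, best = x, max(best, run)
    return best


def longest_monotonic_run(pw):
    """Longest stretch like '12345' or 'fedcb' (code point steps of +1/-1)."""
    best = run = min(len(pw), 1)
    direction = 0
    for a, b in zip(pw, pw[1:]):
        step = ord(b) - ord(a)
        if step in (1, -1):
            run = run + 1 if step == direction else 2
            direction = step
        else:
            run, direction = 1, 0
        best = max(best, run)
    return best


def simple(pw, o):
    """The 'Simple' check: length plus credits must reach minlen. A credit
    >= 0 lets each character of that class count +1, at most `credit` times;
    a credit < 0 is a required minimum count. None means the check passed."""
    counts = _class_counts(pw)
    score = len(pw)
    for have, credit in zip(counts, (o.dcredit, o.ucredit, o.lcredit, o.ocredit)):
        if credit >= 0:
            score += min(have, credit)
        elif have < -credit:
            return "too few characters of a required class"
    if score < o.minlen:
        return "too short"
    if sum(1 for have in counts if have) < o.minclass:
        return "not enough character classes"
    if o.maxrepeat and longest_run(pw) > o.maxrepeat:
        return "too many same consecutive characters"
    if o.maxclassrepeat and longest_run(map(_class_of, pw)) > o.maxclassrepeat:
        return "too many consecutive characters of the same class"
    if o.maxsequence and longest_monotonic_run(pw) > o.maxsequence:
        return "monotonic sequence too long"
    return None


def edit_distance(a, b):
    """Levenshtein distance: the inserts/removals/replacements difok counts."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def too_similar(old, new, difok):
    """'Similar': fewer than difok changes, unless new is twice as long."""
    return edit_distance(old, new) < difok and len(new) < 2 * len(old)


def check(new, old=None, o=None):
    """Run every modelled check; return the list of failure reasons ([] = ok)."""
    o = o or Opts()
    reasons = []
    if new and new == new[::-1]:
        reasons.append("palindrome")
    if old is not None:
        if new == old:
            reasons.append("same as the old password")
        elif new.lower() == old.lower():
            reasons.append("case change only")
        elif len(new) == len(old) and new in old + old:
            reasons.append("rotated version of the old password")
        elif too_similar(old, new, o.difok):
            reasons.append("too similar to the old password")
    reason = simple(new, o)
    if reason:
        reasons.append(reason)
    return reasons


# The argument strings of the three EXAMPLES stacks above, for parse_args.
PAGE_EXAMPLES = {
    "default": "retry=3",
    "md5": "difok=3 minlen=15 dcredit=2 ocredit=2",
    "no_credits": "dcredit=-1 ucredit=-1 ocredit=-1 lcredit=0 minlen=8",
}
```

With the third stack's arguments, "Passw0rd!" passes and "password" fails for lacking a required digit; with the md5 stack's arguments, fourteen lowercase letters pass (14 characters plus the one lower-case credit reaches minlen=15) and thirteen do not. Feeding parse_args an argument written with a stray space, "dcredit= 2", returns the two tokens "dcredit=" and "2" as not understood, which is what would happen silently on a real stack.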
6.2.6. AUTHOR
pam_cracklib was written by Cristian Gafton <gafton@redhat.com>
6.2. pam_debug - debug the PAM stack (6.3. in 1.4.0)
pam_debug.so [ auth=value ] [ cred=value ] [ acct=value ] [ prechauthtok=value ]
[ chauthtok=value ] [ auth=value ] [ open_session=value ] [ close_session=value ]
6.2.1. DESCRIPTION
The pam_debug PAM module is intended as a debugging aid for determining how
the PAM stack is operating. This module returns what its module arguments tell
it to return.
6.2.2. OPTIONS
auth=value
The pam_sm_authenticate(3) function will return value.
cred=value
The pam_sm_setcred(3) function will return value.
acct=value
[... unchanged text omitted; continues at 1.4.0 line 1143 / 1.5.0 line 864 ...]
The pam_sm_close_session(3) function will return value.
Where value can be one of: success, open_err, symbol_err, service_err,
system_err, buf_err, perm_denied, auth_err, cred_insufficient,
authinfo_unavail, user_unknown, maxtries, new_authtok_reqd, acct_expired,
session_err, cred_unavail, cred_expired, cred_err, no_module_data, conv_err,
authtok_err, authtok_recover_err, authtok_lock_busy, authtok_disable_aging,
try_again, ignore, abort, authtok_expired, module_unknown, bad_item,
conv_again, incomplete.
6.2.3. MODULE TYPES PROVIDED
All module types (auth, account, password and session) are provided.
6.2.4. RETURN VALUES
PAM_SUCCESS
Default return code if no other value was specified, else specified return
value.
6.2.5. EXAMPLES
auth requisite pam_permit.so
auth [success=2 default=ok] pam_debug.so auth=perm_denied cred=success
auth [default=reset] pam_debug.so auth=success cred=perm_denied
auth [success=done default=die] pam_debug.so
auth optional pam_debug.so auth=perm_denied cred=perm_denied
auth sufficient pam_debug.so auth=success cred=success
6.2.6. AUTHOR
pam_debug was written by Andrew G. Morgan <morgan@kernel.org>.
6.3. pam_deny - locking-out PAM module (6.4. in 1.4.0)
pam_deny.so
6.3.1. DESCRIPTION
This module can be used to deny access. It always indicates a failure to the
application through the PAM framework. It is suitable for the default (OTHER)
entries.
6.3.2. OPTIONS
This module does not recognise any options.
6.3.3. MODULE TYPES PROVIDED
All module types (account, auth, password and session) are provided.
6.3.4. RETURN VALUES
PAM_AUTH_ERR
This is returned by the account and auth services.
PAM_CRED_ERR
This is returned by the setcred function.
PAM_AUTHTOK_ERR
This is returned by the password service.
PAM_SESSION_ERR
This is returned by the session service.
6.3.5. EXAMPLES
#%PAM-1.0
#
# If we don't have config entries for a service, the
# OTHER entries are used. To be secure, warn and deny
# access to everything.
other auth required pam_warn.so
other auth required pam_deny.so
other account required pam_warn.so
other account required pam_deny.so
other password required pam_warn.so
other password required pam_deny.so
other session required pam_warn.so
other session required pam_deny.so
6.3.6. AUTHOR
pam_deny was written by Andrew G. Morgan <morgan@kernel.org>
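The pam_debug stack in the previous section and the pam_deny `other` entries above can both be traced with the following added example, written for this page rather than taken from libpam: a Python model of the stack evaluation rules from this guide's configuration chapter. pam_permit, pam_deny and pam_debug return what their sections state; pam_warn is modelled as returning ignore (an assumption of the model, as its section is not on this page). The keyword controls are expanded to their bracketed equivalents and the rule that an undecided stack never returns success is included. The module names, constants and sample stacks are the only inputs; nothing here calls a real PAM library.

```python
"""Model of Linux-PAM stack evaluation for the pam_debug and pam_deny
examples above.

Added example written for this page, not libpam's dispatcher. It applies the
control actions (ok, done, bad, die, reset, ignore, numeric jump) to
pam_permit, pam_deny and pam_debug, whose return values come from their
sections; pam_warn is modelled as returning ignore. `call` names the
pam_debug argument in play: auth or cred for the auth type, acct for
account, prechauthtok or chauthtok for password, open_session or
close_session for session.
"""

TYPES = ("auth", "account", "password", "session")

# Keyword controls as their bracketed equivalents.
KEYWORDS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}
# pam_deny per call, from its RETURN VALUES section.
DENY = {"auth": "auth_err", "cred": "cred_err", "acct": "auth_err",
        "prechauthtok": "authtok_err", "chauthtok": "authtok_err",
        "open_session": "session_err", "close_session": "session_err"}
UNDEF, POSITIVE, NEGATIVE = "undef", "positive", "negative"


def parse_config(text):
    """Yield (type, control dict, module, args) from pam.d or pam.conf lines."""
    for raw in text.splitlines():
        toks = raw.split()
        if not toks or toks[0].startswith("#"):
            continue
        if toks[0].lstrip("-") not in TYPES:       # pam.conf style: drop the service
            toks = toks[1:]
        mtype = toks[0].lstrip("-")
        if toks[1].startswith("["):
            end = next(i for i, t in enumerate(toks) if t.endswith("]"))
            words = " ".join(toks[1:end + 1]).strip("[]").split()
            control, rest = dict(w.split("=", 1) for w in words), toks[end + 1:]
        else:
            control, rest = KEYWORDS[toks[1]], toks[2:]
        yield mtype, control, rest[0], rest[1:]


def module_result(module, args, call):
    if module == "pam_permit.so":
        return "success"
    if module == "pam_warn.so":
        return "ignore"                            # modelling assumption
    if module == "pam_deny.so":
        return DENY[call]
    if module == "pam_debug.so":
        given = dict(a.split("=", 1) for a in args if "=" in a)
        return given.get(call, "success")          # PAM_SUCCESS unless told otherwise
    raise ValueError(f"no model for {module}")


def run_stack(config, mtype, call):
    """Evaluate the `mtype` stack of `config` for one call; return the code."""
    impression, status, skip = UNDEF, "perm_denied", 0
    for typ, control, module, args in parse_config(config):
        if typ != mtype:
            continue
        if skip:                                   # inside a numeric jump
            skip -= 1
            continue
        retval = module_result(module, args, call)
        # An unlisted return value takes "default", which itself defaults to bad.
        action = control.get(retval, control.get("default", "bad"))
        if action == "ignore" or retval == "ignore":
            continue                               # contributes nothing
        if action in ("ok", "done") or action.isdigit():
            # ok, done and jumps set the status only while nothing has failed
            if impression == UNDEF or (impression == POSITIVE and status == "success"):
                impression, status = POSITIVE, retval
            if action == "done" and impression == POSITIVE:
                break                              # done ends the stack on success
            if action.isdigit():
                skip = int(action)                 # skip the next N modules
        elif action in ("bad", "die"):
            if impression != NEGATIVE:
                impression, status = NEGATIVE, retval   # the first failure sticks
            if action == "die":
                break
        elif action == "reset":
            impression, status = UNDEF, "perm_denied"
    if status == "success" and impression != POSITIVE:
        status = "perm_denied"                     # undecided stacks never succeed
    return status


DEBUG_STACK = """
auth requisite pam_permit.so
auth [success=2 default=ok] pam_debug.so auth=perm_denied cred=success
auth [default=reset] pam_debug.so auth=success cred=perm_denied
auth [success=done default=die] pam_debug.so
auth optional pam_debug.so auth=perm_denied cred=perm_denied
auth sufficient pam_debug.so auth=success cred=success
"""
OTHER_STACK = """
other auth required pam_warn.so
other auth required pam_deny.so
other account required pam_warn.so
other account required pam_deny.so
"""
```

Run over the pam_debug stack, both pam_authenticate (call="auth") and pam_setcred (call="cred") end in success: the authenticate path is reset by the third line and then decided by the fourth line's success=done, while the setcred path jumps over lines three and four and is decided by the sufficient entry. Giving the fourth line auth=perm_denied makes default=die end the stack with perm_denied, and the `other` stack returns auth_err for authenticate and account and cred_err for setcred, as the pam_deny section lists. A stack consisting only of optional entries that fail is left undecided and therefore returns perm_denied.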
6.4. pam_echo - print text messages (6.5. in 1.4.0)
pam_echo.so [ file=/path/message ]
6.4.1. DESCRIPTION
The pam_echo PAM module is for printing text messages to inform the user about
special things. Sequences starting with the % character are interpreted in the
following way:
%H
The name of the remote host (PAM_RHOST).
%h
[... unchanged text omitted; continues at 1.4.0 line 1260 / 1.5.0 line 981 ...]
The remote user name (PAM_RUSER).
%u
The local user name (PAM_USER).
All other sequences beginning with % expand to the characters following the %
character.
6.4.2. OPTIONS
file=/path/message
The content of the file /path/message will be printed with the PAM
conversation function as PAM_TEXT_INFO.
6.4.3. MODULE TYPES PROVIDED
All module types (auth, account, password and session) are provided.
6.4.4. RETURN VALUES
PAM_BUF_ERR
Memory buffer error.
PAM_SUCCESS
Message was successfully printed.
PAM_IGNORE
PAM_SILENT flag was given or message file does not exist, no message
printed.
6.4.5. EXAMPLES
For an example of the use of this module, we show how it may be used to print
information about good passwords:
password optional pam_echo.so file=/usr/share/doc/good-password.txt
password required pam_unix.so
6.4.6. AUTHOR
Thorsten Kukuk <kukuk@thkukuk.de>
6.5. pam_env - set/unset environment variables (6.6. in 1.4.0)
pam_env.so [ debug ] [ conffile=conf-file ] [ envfile=env-file ] [ readenv=0|1 ]
[ user_envfile=env-file ] [ user_readenv=0|1 ]
6.5.1. DESCRIPTION
The pam_env PAM module allows the (un)setting of environment variables. It
supports the use of previously set environment variables as well as PAM_ITEMs
such as PAM_RHOST.
By default rules for (un)setting of variables are taken from the config file
/etc/security/pam_env.conf. An alternate file can be specified with the conffile
option.
Second a file (/etc/environment by default) with simple KEY=VAL pairs on
separate lines will be read. With the envfile option an alternate file can be
specified. And with the readenv option this can be completely disabled.
Third it will read a user configuration file ($HOME/.pam_environment by
default). The default file can be changed with the user_envfile option and it
can be turned on and off with the user_readenv option.
Since setting of PAM environment variables can have side effects on other
modules, this module should be the last one on the stack.
6.5.2. DESCRIPTION
The /etc/security/pam_env.conf file specifies the environment variables to be
set, unset or modified by pam_env(8). When someone logs in, this file is read
and the environment variables are set accordingly.
Each line starts with the variable name; there are then two possible options
for each variable, DEFAULT and OVERRIDE. DEFAULT allows an administrator to set
the value of the variable to some default value; if none is supplied then the
empty string is assumed. The OVERRIDE option tells pam_env that it should enter
in its value (overriding the default value) if there is one to use. If OVERRIDE
is not used, "" is assumed and no override will be done.
VARIABLE [DEFAULT=[value]] [OVERRIDE=[value]]
(Possibly non-existent) environment variables may be used in values using the
${string} syntax and (possibly non-existent) PAM_ITEMs as well as HOME and SHELL
may be used in values using the @{string} syntax. Both the $ and @ characters
[... unchanged text omitted; continues at 1.4.0 line 1356 / 1.5.0 line 1077 ...]
available by the time you need it. The special variables @{HOME} and @{SHELL}
are expanded to the values for the user from his passwd entry.
The "#" character at start of line (no space at front) can be used to mark this
line as a comment line.
The /etc/environment file specifies the environment variables to be set. The
file must consist of simple NAME=VALUE pairs on separate lines. The pam_env(8)
module will read the file after the pam_env.conf file.
6.5.3. OPTIONS
conffile=/path/to/pam_env.conf
Indicate an alternative pam_env.conf style configuration file to override
the default. This can be useful when different services need different
environments.
debug
A lot of debug information is printed with syslog(3).
[... unchanged text omitted; continues at 1.4.0 line 1390 / 1.5.0 line 1111 ...]
user_envfile=filename
Indicate an alternative .pam_environment file to override the default. The
syntax is the same as for /etc/security/pam_env.conf. The filename is
relative to the user home directory. This can be useful when different
services need different environments.
user_readenv=0|1
Turns on or off the reading of the user specific environment file. 0 is
off, 1 is on. By default this option is off.
[1.5.0 extends the last sentence:] By default this option is off as user
supplied environment variables in the PAM environment could affect behavior
of subsequent modules in the stack without the consent of the system
administrator. Due to problematic security this functionality is deprecated
since the 1.5.0 version and will be removed completely at some point in the
future.
6.6.4. MODULE TYPES PROVIDED 6.5.4. MODULE TYPES PROVIDED
The auth and session module types are provided. The auth and session module types are provided.
6.6.5. RETURN VALUES 6.5.5. RETURN VALUES
PAM_ABORT PAM_ABORT
Not all relevant data or options could be gotten. Not all relevant data or options could be gotten.
PAM_BUF_ERR PAM_BUF_ERR
Memory buffer error. Memory buffer error.
PAM_IGNORE PAM_IGNORE
No pam_env.conf and environment file was found. No pam_env.conf and environment file was found.
PAM_SUCCESS PAM_SUCCESS
Environment variables were set. Environment variables were set.
6.6.6. FILES 6.5.6. FILES
/etc/security/pam_env.conf /etc/security/pam_env.conf
Default configuration file Default configuration file
/etc/environment /etc/environment
Default environment file Default environment file
$HOME/.pam_environment $HOME/.pam_environment
User specific environment file User specific environment file
6.6.7. EXAMPLES 6.5.7. EXAMPLES
These are some example lines which might be specified in /etc/security/ These are some example lines which might be specified in /etc/security/
pam_env.conf. pam_env.conf.
Set the REMOTEHOST variable for any hosts that are remote, default to Set the REMOTEHOST variable for any hosts that are remote, default to
"localhost" rather than not being set at all "localhost" rather than not being set at all
REMOTEHOST DEFAULT=localhost OVERRIDE=@{PAM_RHOST} REMOTEHOST DEFAULT=localhost OVERRIDE=@{PAM_RHOST}
Set the DISPLAY variable if it seems reasonable Set the DISPLAY variable if it seems reasonable
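Review bot: the new deprecation text for user_readenv is not mirrored in the FILES section of the same hunk, where "$HOME/.pam_environment / User specific environment file" still reads as a fully supported feature; add a matching "(deprecated since 1.5.0)" remark there so an administrator scanning FILES sees the same warning. The wording "Due to problematic security this functionality is deprecated since the 1.5.0 version" is also awkward; suggest "Because of these security concerns, this functionality is deprecated since version 1.5.0 and will be removed at some point in the future." The stated rationale (user supplied variables can change the behaviour of later modules in the stack without the administrator's consent) is the right thing to say and should stay as it is.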
skipping to change at line 1459 skipping to change at line 1185
:/usr/bin:/usr/local/bin/X11:/usr/bin/X11 :/usr/bin:/usr/local/bin/X11:/usr/bin/X11
XDG_DATA_HOME @{HOME}/share/ XDG_DATA_HOME @{HOME}/share/
Silly examples of escaped variables, just to show how they work. Silly examples of escaped variables, just to show how they work.
DOLLAR DEFAULT=\$ DOLLAR DEFAULT=\$
DOLLARDOLLAR DEFAULT= OVERRIDE=\$${DOLLAR} DOLLARDOLLAR DEFAULT= OVERRIDE=\$${DOLLAR}
DOLLARPLUS DEFAULT=\${REMOTEHOST}${REMOTEHOST} DOLLARPLUS DEFAULT=\${REMOTEHOST}${REMOTEHOST}
ATSIGN DEFAULT="" OVERRIDE=\@ ATSIGN DEFAULT="" OVERRIDE=\@
6.6.8. AUTHOR 6.5.8. AUTHOR
pam_env was written by Dave Kinchlea <kinch@kinch.ark.com>. pam_env was written by Dave Kinchlea <kinch@kinch.ark.com>.
6.7. pam_exec - call an external command 6.6. pam_exec - call an external command
pam_exec.so [ debug ] [ expose_authtok ] [ seteuid ] [ quiet ] [ stdout ] [ log pam_exec.so [ debug ] [ expose_authtok ] [ seteuid ] [ quiet ] [ stdout ] [ log
=file ] [ type=type ] command [ ... ] =file ] [ type=type ] command [ ... ]
6.7.1. DESCRIPTION 6.6.1. DESCRIPTION
pam_exec is a PAM module that can be used to run an external command. pam_exec is a PAM module that can be used to run an external command.
The child's environment is set to the current PAM environment list, as returned The child's environment is set to the current PAM environment list, as returned
by pam_getenvlist(3) In addition, the following PAM items are exported as by pam_getenvlist(3) In addition, the following PAM items are exported as
environment variables: PAM_RHOST, PAM_RUSER, PAM_SERVICE, PAM_TTY, PAM_USER and environment variables: PAM_RHOST, PAM_RUSER, PAM_SERVICE, PAM_TTY, PAM_USER and
PAM_TYPE, which contains one of the module types: account, auth, password, PAM_TYPE, which contains one of the module types: account, auth, password,
open_session and close_session. open_session and close_session.
Commands called by pam_exec need to be aware of that the user can have control Commands called by pam_exec need to be aware of that the user can have control
over the environment. over the environment.
6.7.2. OPTIONS 6.6.2. OPTIONS
debug debug
Print debug information. Print debug information.
expose_authtok expose_authtok
During authentication the calling command can read the password from stdin During authentication the calling command can read the password from stdin
(3). Only first PAM_MAX_RESP_SIZE bytes of a password are provided to the (3). Only first PAM_MAX_RESP_SIZE bytes of a password are provided to the
command. command.
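Review bot: "Commands called by pam_exec need to be aware of that the user can have control over the environment" is the security-critical sentence of this section but is both ungrammatical and vague; suggest "Commands called by pam_exec must not trust their environment, since the user can control parts of it (for example through a user environment file read by pam_env, as the pam_env section above notes)". Smaller fixes in the same hunk: a full stop is missing after "as returned by pam_getenvlist(3)", "stdin (3)" under expose_authtok should be "stdin(3)", and "Only first PAM_MAX_RESP_SIZE bytes of a password" should read "Only the first PAM_MAX_RESP_SIZE bytes of a password".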
skipping to change at line 1519 skipping to change at line 1245
Per default pam_exec.so will echo the exit status of the external command Per default pam_exec.so will echo the exit status of the external command
if it fails. Specifying this option will suppress the message. if it fails. Specifying this option will suppress the message.
seteuid seteuid
Per default pam_exec.so will execute the external command with the real Per default pam_exec.so will execute the external command with the real
user ID of the calling process. Specifying this option means the command is user ID of the calling process. Specifying this option means the command is
run with the effective user ID. run with the effective user ID.
6.7.3. MODULE TYPES PROVIDED 6.6.3. MODULE TYPES PROVIDED
All module types (auth, account, password and session) are provided. All module types (auth, account, password and session) are provided.
6.7.4. RETURN VALUES 6.6.4. RETURN VALUES
PAM_SUCCESS PAM_SUCCESS
The external command was run successfully. The external command was run successfully.
PAM_BUF_ERR PAM_BUF_ERR
Memory buffer error. Memory buffer error.
PAM_CONV_ERR PAM_CONV_ERR
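Review bot: "Per default pam_exec.so will ..." appears twice in this hunk (under quiet and under seteuid) and is not idiomatic English; suggest "By default, pam_exec.so ..." in both places. The seteuid entry would also help the reader by stating what the distinction means in practice: the real user ID is the identity the calling application was started with, while the effective user ID is the one it currently runs with (after any setuid), so the option decides which of the two identities the external command inherits.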
skipping to change at line 1556 skipping to change at line 1282
PAM_SYSTEM_ERR PAM_SYSTEM_ERR
A system error occurred or the command to execute failed. A system error occurred or the command to execute failed.
PAM_IGNORE PAM_IGNORE
pam_setcred was called, which does not execute the command. Or, the value pam_setcred was called, which does not execute the command. Or, the value
given for the type= parameter did not match the module type. given for the type= parameter did not match the module type.
6.7.5. EXAMPLES 6.6.5. EXAMPLES
Add the following line to /etc/pam.d/passwd to rebuild the NIS database after Add the following line to /etc/pam.d/passwd to rebuild the NIS database after
each local password change: each local password change:
password optional pam_exec.so seteuid /usr/bin/make -C /var/yp password optional pam_exec.so seteuid /usr/bin/make -C /var/yp
This will execute the command This will execute the command
make -C /var/yp make -C /var/yp
with effective user ID. with effective user ID.
6.7.6. AUTHOR 6.6.6. AUTHOR
pam_exec was written by Thorsten Kukuk <kukuk@thkukuk.de> and Josh Triplett pam_exec was written by Thorsten Kukuk <kukuk@thkukuk.de> and Josh Triplett
<josh@joshtriplett.org>. <josh@joshtriplett.org>.
6.8. pam_faildelay - change the delay on failure per-application 6.7. pam_faildelay - change the delay on failure per-application
pam_faildelay.so [ debug ] [ delay=microseconds ] pam_faildelay.so [ debug ] [ delay=microseconds ]
6.8.1. DESCRIPTION 6.7.1. DESCRIPTION
pam_faildelay is a PAM module that can be used to set the delay on failure pam_faildelay is a PAM module that can be used to set the delay on failure
per-application. per-application.
If no delay is given, pam_faildelay will use the value of FAIL_DELAY from /etc/ If no delay is given, pam_faildelay will use the value of FAIL_DELAY from /etc/
login.defs. login.defs.
6.8.2. OPTIONS 6.7.2. OPTIONS
debug debug
Turns on debugging messages sent to syslog. Turns on debugging messages sent to syslog.
delay=N delay=N
Set the delay on failure to N microseconds. Set the delay on failure to N microseconds.
6.8.3. MODULE TYPES PROVIDED 6.7.3. MODULE TYPES PROVIDED
Only the auth module type is provided. Only the auth module type is provided.
6.8.4. RETURN VALUES 6.7.4. RETURN VALUES
PAM_IGNORE PAM_IGNORE
Delay was successful adjusted. Delay was successful adjusted.
PAM_SYSTEM_ERR PAM_SYSTEM_ERR
The specified delay was not valid. The specified delay was not valid.
6.8.5. EXAMPLES 6.7.5. EXAMPLES
The following example will set the delay on failure to 10 seconds: The following example will set the delay on failure to 10 seconds:
auth optional pam_faildelay.so delay=10000000 auth optional pam_faildelay.so delay=10000000
6.8.6. AUTHOR 6.7.6. AUTHOR
pam_faildelay was written by Darren Tucker <dtucker@zip.com.au>. pam_faildelay was written by Darren Tucker <dtucker@zip.com.au>.
6.9. pam_filter - filter module 6.8. pam_filter - filter module
pam_filter.so [ debug ] [ new_term ] [ non_term ] run1|run2 filter [ ... ] pam_filter.so [ debug ] [ new_term ] [ non_term ] run1|run2 filter [ ... ]
6.9.1. DESCRIPTION 6.8.1. DESCRIPTION
This module is intended to be a platform for providing access to all of the This module is intended to be a platform for providing access to all of the
input/output that passes between the user and the application. It is only input/output that passes between the user and the application. It is only
suitable for tty-based and (stdin/stdout) applications. suitable for tty-based and (stdin/stdout) applications.
To function this module requires filters to be installed on the system. The To function this module requires filters to be installed on the system. The
single filter provided with the module simply transposes upper and lower case single filter provided with the module simply transposes upper and lower case
letters in the input and output streams. (This can be very annoying and is not letters in the input and output streams. (This can be very annoying and is not
kind to termcap based editors). kind to termcap based editors).
Each component of the module has the potential to invoke the desired filter. Each component of the module has the potential to invoke the desired filter.
The filter is always execv(2) with the privilege of the calling application and The filter is always execv(2) with the privilege of the calling application and
not that of the user. For this reason it cannot usually be killed by the user not that of the user. For this reason it cannot usually be killed by the user
without closing their session. without closing their session.
6.9.2. OPTIONS 6.8.2. OPTIONS
debug debug
Print debug information. Print debug information.
new_term new_term
The default action of the filter is to set the PAM_TTY item to indicate the The default action of the filter is to set the PAM_TTY item to indicate the
terminal that the user is using to connect to the application. This terminal that the user is using to connect to the application. This
argument indicates that the filter should set PAM_TTY to the filtered argument indicates that the filter should set PAM_TTY to the filtered
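Review bot: under pam_faildelay RETURN VALUES, "Delay was successful adjusted" should read "Delay was successfully adjusted"; it is also worth one sentence explaining why the success case returns PAM_IGNORE rather than PAM_SUCCESS (the module only records the delay and contributes no result to the stack), since a reader comparing this table with the other modules' tables may take it for an error. In the pam_filter description, "It is only suitable for tty-based and (stdin/stdout) applications" has a stray "and"; suggest "It is only suitable for tty-based (stdin/stdout) applications".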
skipping to change at line 1686 skipping to change at line 1412
For the case of the password component, run1 is used to indicate that the For the case of the password component, run1 is used to indicate that the
filter is run on the first occasion of pam_chauthtok(3) (the filter is run on the first occasion of pam_chauthtok(3) (the
PAM_PRELIM_CHECK phase) and run2 is used to indicate that the filter is run PAM_PRELIM_CHECK phase) and run2 is used to indicate that the filter is run
on the second occasion (the PAM_UPDATE_AUTHTOK phase). on the second occasion (the PAM_UPDATE_AUTHTOK phase).
filter filter
The full pathname of the filter to be run and any command line arguments The full pathname of the filter to be run and any command line arguments
that the filter might expect. that the filter might expect.
6.9.3. MODULE TYPES PROVIDED 6.8.3. MODULE TYPES PROVIDED
All module types (auth, account, password and session) are provided. All module types (auth, account, password and session) are provided.
6.9.4. RETURN VALUES 6.8.4. RETURN VALUES
PAM_SUCCESS PAM_SUCCESS
The new filter was set successfully. The new filter was set successfully.
PAM_ABORT PAM_ABORT
Critical error, immediate abort. Critical error, immediate abort.
6.9.5. EXAMPLES 6.8.5. EXAMPLES
Add the following line to /etc/pam.d/login to see how to configure login to Add the following line to /etc/pam.d/login to see how to configure login to
transpose upper and lower case letters once the user has logged in: transpose upper and lower case letters once the user has logged in:
session required pam_filter.so run1 /lib/security/pam_filter/upperLOWER session required pam_filter.so run1 /lib/security/pam_filter/upperLOWER
6.9.6. AUTHOR 6.8.6. AUTHOR
pam_filter was written by Andrew G. Morgan <morgan@kernel.org>. pam_filter was written by Andrew G. Morgan <morgan@kernel.org>.
6.10. pam_ftp - module for anonymous access 6.9. pam_ftp - module for anonymous access
pam_ftp.so [ debug ] [ ignore ] [ users=XXX,YYY, ...] pam_ftp.so [ debug ] [ ignore ] [ users=XXX,YYY, ...]
6.10.1. DESCRIPTION 6.9.1. DESCRIPTION
pam_ftp is a PAM module which provides a pluggable anonymous ftp mode of pam_ftp is a PAM module which provides a pluggable anonymous ftp mode of
access. access.
This module intercepts the user's name and password. If the name is ftp or This module intercepts the user's name and password. If the name is ftp or
anonymous, the user's password is broken up at the @ delimiter into a PAM_RUSER anonymous, the user's password is broken up at the @ delimiter into a PAM_RUSER
and a PAM_RHOST part; these pam-items being set accordingly. The username ( and a PAM_RHOST part; these pam-items being set accordingly. The username (
PAM_USER) is set to ftp. In this case the module succeeds. Alternatively, the PAM_USER) is set to ftp. In this case the module succeeds. Alternatively, the
module sets the PAM_AUTHTOK item with the entered password and fails. module sets the PAM_AUTHTOK item with the entered password and fails.
This module is not safe and easily spoofable. This module is not safe and easily spoofable.
6.10.2. OPTIONS 6.9.2. OPTIONS
debug debug
Print debug information. Print debug information.
ignore ignore
Pay no attention to the email address of the user (if supplied). Pay no attention to the email address of the user (if supplied).
ftp=XXX,YYY,... ftp=XXX,YYY,...
Instead of ftp or anonymous, provide anonymous login to the comma separated Instead of ftp or anonymous, provide anonymous login to the comma separated
list of users: XXX,YYY,.... Should the applicant enter one of these list of users: XXX,YYY,.... Should the applicant enter one of these
usernames the returned username is set to the first in the list: XXX. usernames the returned username is set to the first in the list: XXX.
6.10.3. MODULE TYPES PROVIDED 6.9.3. MODULE TYPES PROVIDED
Only the auth module type is provided. Only the auth module type is provided.
6.10.4. RETURN VALUES 6.9.4. RETURN VALUES
PAM_SUCCESS PAM_SUCCESS
The authentication was successful. The authentication was successful.
PAM_USER_UNKNOWN PAM_USER_UNKNOWN
User not known. User not known.
6.10.5. EXAMPLES 6.9.5. EXAMPLES
Add the following line to /etc/pam.d/ftpd to handle ftp style anonymous login: Add the following line to /etc/pam.d/ftpd to handle ftp style anonymous login:
# #
# ftpd; add ftp-specifics. These lines enable anonymous ftp over # ftpd; add ftp-specifics. These lines enable anonymous ftp over
# standard UN*X access (the listfile entry blocks access to # standard UN*X access (the listfile entry blocks access to
# users listed in /etc/ftpusers) # users listed in /etc/ftpusers)
# #
auth sufficient pam_ftp.so auth sufficient pam_ftp.so
auth required pam_unix.so use_first_pass auth required pam_unix.so use_first_pass
auth required pam_listfile.so \ auth required pam_listfile.so \
onerr=succeed item=user sense=deny file=/etc/ftpusers onerr=succeed item=user sense=deny file=/etc/ftpusers
6.10.6. AUTHOR 6.9.6. AUTHOR
pam_ftp was written by Andrew G. Morgan <morgan@kernel.org>. pam_ftp was written by Andrew G. Morgan <morgan@kernel.org>.
6.11. pam_group - module to modify group access 6.10. pam_group - module to modify group access
pam_group.so pam_group.so
6.11.1. DESCRIPTION 6.10.1. DESCRIPTION
The pam_group PAM module does not authenticate the user, but instead it grants The pam_group PAM module does not authenticate the user, but instead it grants
group memberships (in the credential setting phase of the authentication group memberships (in the credential setting phase of the authentication
module) to the user. Such memberships are based on the service they are module) to the user. Such memberships are based on the service they are
applying for. applying for.
By default rules for group memberships are taken from config file /etc/security By default rules for group memberships are taken from config file /etc/security
/group.conf. /group.conf.
This module's usefulness relies on the file-systems accessible to the user. The This module's usefulness relies on the file-systems accessible to the user. The
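Review bot: the pam_ftp synopsis and its OPTIONS list disagree on the option name: the synopsis line reads "pam_ftp.so [ debug ] [ ignore ] [ users=XXX,YYY, ...]" while the option is documented as "ftp=XXX,YYY,...", so a reader cannot tell which name the module actually accepts; please make the two consistent. The sentence "This module is not safe and easily spoofable" is the most important line of the section and should say what that means in practice, namely that the module only splits the entered password at the '@' delimiter into PAM_RUSER and PAM_RHOST without verifying either, so nothing later in the stack should treat those items as authenticated.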
skipping to change at line 1804 skipping to change at line 1530
with the precompiled binary. The reason that the file-systems that the user has with the precompiled binary. The reason that the file-systems that the user has
access to are so significant, is the fact that when a system is mounted nosuid access to are so significant, is the fact that when a system is mounted nosuid
the user is unable to create or execute such a binary file. For this module to the user is unable to create or execute such a binary file. For this module to
provide any level of security, all file-systems that the user has write access provide any level of security, all file-systems that the user has write access
to should be mounted nosuid. to should be mounted nosuid.
The pam_group module functions in parallel with the /etc/group file. If the The pam_group module functions in parallel with the /etc/group file. If the
user is granted any groups based on the behavior of this module, they are user is granted any groups based on the behavior of this module, they are
granted in addition to those entries /etc/group (or equivalent). granted in addition to those entries /etc/group (or equivalent).
6.11.2. DESCRIPTION 6.10.2. DESCRIPTION
The pam_group PAM module does not authenticate the user, but instead it grants The pam_group PAM module does not authenticate the user, but instead it grants
group memberships (in the credential setting phase of the authentication group memberships (in the credential setting phase of the authentication
module) to the user. Such memberships are based on the service they are module) to the user. Such memberships are based on the service they are
applying for. applying for.
For this module to function correctly there must be a correctly formatted /etc/ For this module to function correctly there must be a correctly formatted /etc/
security/group.conf file present. White spaces are ignored and lines maybe security/group.conf file present. White spaces are ignored and lines maybe
extended with '\' (escaped newlines). Text following a '#' is ignored to the extended with '\' (escaped newlines). Text following a '#' is ignored to the
end of the line. end of the line.
skipping to change at line 1856 skipping to change at line 1582
the start and finish time (if the finish time is smaller than the start time it the start and finish time (if the finish time is smaller than the start time it
is deemed to apply on the following day). is deemed to apply on the following day).
The groups field is a comma or space separated list of groups that the user The groups field is a comma or space separated list of groups that the user
inherits membership of. These groups are added if the previous fields are inherits membership of. These groups are added if the previous fields are
satisfied by the user's request. satisfied by the user's request.
For a rule to be active, ALL of service+ttys+users must be satisfied by the For a rule to be active, ALL of service+ttys+users must be satisfied by the
applying process. applying process.
6.11.3. OPTIONS 6.10.3. OPTIONS
This module does not recognise any options. This module does not recognise any options.
6.11.4. MODULE TYPES PROVIDED 6.10.4. MODULE TYPES PROVIDED
Only the auth module type is provided. Only the auth module type is provided.
6.11.5. RETURN VALUES 6.10.5. RETURN VALUES
PAM_SUCCESS PAM_SUCCESS
group membership was granted. group membership was granted.
PAM_ABORT PAM_ABORT
Not all relevant data could be gotten. Not all relevant data could be gotten.
PAM_BUF_ERR PAM_BUF_ERR
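Review bot: pam_group now carries two DESCRIPTION headings (6.10.1 and 6.10.2 in the 1.5.0 column), and the opening paragraph of the second ("The pam_group PAM module does not authenticate the user, but instead it grants group memberships ...") repeats the first word for word; rename the second heading to reflect its content (it describes the /etc/security/group.conf format) and drop the duplicated paragraph. Smaller fixes in the same hunk: "lines maybe extended with '\'" should read "lines may be extended with '\'", and "when a system is mounted nosuid" should be "when a file-system is mounted nosuid" to match the surrounding sentences. The requirement that every user-writable file-system be mounted nosuid is the key security statement of the section and is correctly placed.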
skipping to change at line 1890 skipping to change at line 1616
Group membership was not granted. Group membership was not granted.
PAM_IGNORE PAM_IGNORE
pam_sm_authenticate was called which does nothing. pam_sm_authenticate was called which does nothing.
PAM_USER_UNKNOWN PAM_USER_UNKNOWN
The user is not known to the system. The user is not known to the system.
6.11.6. FILES 6.10.6. FILES
/etc/security/group.conf /etc/security/group.conf
Default configuration file Default configuration file
6.11.7. EXAMPLES 6.10.7. EXAMPLES
These are some example lines which might be specified in /etc/security/ These are some example lines which might be specified in /etc/security/
group.conf. group.conf.
Running 'xsh' on tty* (any ttyXXX device), the user 'us' is given access to the Running 'xsh' on tty* (any ttyXXX device), the user 'us' is given access to the
floppy (through membership of the floppy group) floppy (through membership of the floppy group)
xsh;tty*&!ttyp*;us;Al0000-2400;floppy xsh;tty*&!ttyp*;us;Al0000-2400;floppy
Running 'xsh' on tty* (any ttyXXX device), the users 'sword', 'pike' and Running 'xsh' on tty* (any ttyXXX device), the users 'sword', 'pike' and
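Review bot: the RETURN VALUES entry "pam_sm_authenticate was called which does nothing" should state where the work is actually done: the DESCRIPTION says memberships are granted in the credential setting phase, so the entry should read "pam_sm_authenticate was called, which does nothing; group memberships are granted by pam_sm_setcred", otherwise an administrator may conclude that an auth entry for this module is pointless. The example introduction "the user 'us' is given access to the floppy (through membership of the floppy group)" also lacks its closing full stop.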
skipping to change at line 1918 skipping to change at line 1644
after work hours. after work hours.
xsh; tty* ;sword|pike|shield;!Wk0900-1800;games, sound xsh; tty* ;sword|pike|shield;!Wk0900-1800;games, sound
xsh; tty* ;*;Al0900-1800;floppy xsh; tty* ;*;Al0900-1800;floppy
Any member of the group 'admin' running 'xsh' on tty*, is granted access (at Any member of the group 'admin' running 'xsh' on tty*, is granted access (at
any time) to the group 'plugdev' any time) to the group 'plugdev'
xsh; tty* ;%admin;Al0000-2400;plugdev xsh; tty* ;%admin;Al0000-2400;plugdev
6.11.8. AUTHORS 6.10.8. AUTHORS
pam_group was written by Andrew G. Morgan <morgan@kernel.org>. pam_group was written by Andrew G. Morgan <morgan@kernel.org>.
6.12. pam_issue - add issue file to user prompt 6.11. pam_issue - add issue file to user prompt
pam_issue.so [ noesc ] [ issue=issue-file-name ] pam_issue.so [ noesc ] [ issue=issue-file-name ]
6.12.1. DESCRIPTION 6.11.1. DESCRIPTION
pam_issue is a PAM module to prepend an issue file to the username prompt. It pam_issue is a PAM module to prepend an issue file to the username prompt. It
also by default parses escape codes in the issue file similar to some common also by default parses escape codes in the issue file similar to some common
getty's (using \x format). getty's (using \x format).
Recognized escapes: Recognized escapes:
\d \d
current day current day
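Review bot: "similar to some common getty's (using \x format)" should read "gettys" (plural, no apostrophe), and the comma in "Any member of the group 'admin' running 'xsh' on tty*, is granted access" separates subject from verb and should go. The "games, sound" rule usefully shows the space-after-comma form allowed by the "comma or space separated list of groups" sentence; a short remark pointing that out would save a reader from wondering whether the space is a typo.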
skipping to change at line 1979 skipping to change at line 1705
\U \U
same as \u except it is suffixed with "user" or "users" (eg. "1 user" or same as \u except it is suffixed with "user" or "users" (eg. "1 user" or
"10 users") "10 users")
\v \v
operating system version and build date (uname -v) operating system version and build date (uname -v)
6.12.2. OPTIONS 6.11.2. OPTIONS
noesc noesc
Turns off escape code parsing. Turns off escape code parsing.
issue=issue-file-name issue=issue-file-name
The file to output if not using the default. The file to output if not using the default.
6.12.3. MODULE TYPES PROVIDED 6.11.3. MODULE TYPES PROVIDED
Only the auth module type is provided. Only the auth module type is provided.
6.12.4. RETURN VALUES 6.11.4. RETURN VALUES
PAM_BUF_ERR PAM_BUF_ERR
Memory buffer error. Memory buffer error.
PAM_IGNORE PAM_IGNORE
The prompt was already changed. The prompt was already changed.
PAM_SERVICE_ERR PAM_SERVICE_ERR
A service module error occurred. A service module error occurred.
PAM_SUCCESS PAM_SUCCESS
The new prompt was set successfully. The new prompt was set successfully.
6.12.5. EXAMPLES 6.11.5. EXAMPLES
Add the following line to /etc/pam.d/login to set the user specific issue at Add the following line to /etc/pam.d/login to set the user specific issue at
login: login:
auth optional pam_issue.so issue=/etc/issue auth optional pam_issue.so issue=/etc/issue
6.12.6. AUTHOR 6.11.6. AUTHOR
pam_issue was written by Ben Collins <bcollins@debian.org>. pam_issue was written by Ben Collins <bcollins@debian.org>.
6.13. pam_keyinit - display the keyinit file 6.12. pam_keyinit - display the keyinit file
pam_keyinit.so [ debug ] [ force ] [ revoke ] pam_keyinit.so [ debug ] [ force ] [ revoke ]
6.13.1. DESCRIPTION 6.12.1. DESCRIPTION
The pam_keyinit PAM module ensures that the invoking process has a session The pam_keyinit PAM module ensures that the invoking process has a session
keyring other than the user default session keyring. keyring other than the user default session keyring.
The module checks to see if the process's session keyring is the The module checks to see if the process's session keyring is the
user-session-keyring(7), and, if it is, creates a new session-keyring(7) with user-session-keyring(7), and, if it is, creates a new session-keyring(7) with
which to replace it. If a new session keyring is created, it will install a which to replace it. If a new session keyring is created, it will install a
link to the user-keyring(7) in the session keyring so that keys common to the link to the user-keyring(7) in the session keyring so that keys common to the
user will be automatically accessible through it. The session keyring of the user will be automatically accessible through it. The session keyring of the
invoking process will thenceforth be inherited by all its children unless they invoking process will thenceforth be inherited by all its children unless they
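Review bot: the EXAMPLES text "to set the user specific issue at login" is misleading for "auth optional pam_issue.so issue=/etc/issue", since /etc/issue is the system-wide issue file and the issue= option only selects which file is printed; suggest "to print a chosen issue file before the username prompt". Also "(eg. "1 user" or "10 users")" should be "(e.g. "1 user" or "10 users")".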
skipping to change at line 2057 skipping to change at line 1783
This module should not, generally, be invoked by programs like su, since it is This module should not, generally, be invoked by programs like su, since it is
usually desirable for the key set to percolate through to the alternate usually desirable for the key set to percolate through to the alternate
context. The keys have their own permissions system to manage this. context. The keys have their own permissions system to manage this.
The keyutils package is used to manipulate keys more directly. This can be The keyutils package is used to manipulate keys more directly. This can be
obtained from: obtained from:
Keyutils Keyutils
6.13.2. OPTIONS 6.12.2. OPTIONS
debug debug
Log debug information with syslog(3). Log debug information with syslog(3).
force force
Causes the session keyring of the invoking process to be replaced Causes the session keyring of the invoking process to be replaced
unconditionally. unconditionally.
revoke revoke
Causes the session keyring of the invoking process to be revoked when the Causes the session keyring of the invoking process to be revoked when the
invoking process exits if the session keyring was created for this process invoking process exits if the session keyring was created for this process
in the first place. in the first place.
6.13.3. MODULE TYPES PROVIDED 6.12.3. MODULE TYPES PROVIDED
Only the session module type is provided. Only the session module type is provided.
6.13.4. RETURN VALUES 6.12.4. RETURN VALUES
PAM_SUCCESS PAM_SUCCESS
This module will usually return this value This module will usually return this value
PAM_AUTH_ERR PAM_AUTH_ERR
Authentication failure. Authentication failure.
PAM_BUF_ERR PAM_BUF_ERR
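Review bot: "This can be obtained from: Keyutils" has lost its link target in the plain-text rendering, leaving the reader with no address to follow; put the URL into the text itself (for example "obtained from: Keyutils <URL>") rather than relying on a hyperlink. Also add the missing full stop after "This module will usually return this value" under PAM_SUCCESS. The caveat that programs like su should not invoke the module is worth keeping prominent: replacing the session keyring there would hide keys the user expects to carry into the new context, which is exactly what the text warns against.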
skipping to change at line 2109 skipping to change at line 1835
PAM_SESSION_ERR PAM_SESSION_ERR
This module will return this value if its arguments are invalid or if a This module will return this value if its arguments are invalid or if a
system error such as ENOMEM occurs. system error such as ENOMEM occurs.
PAM_USER_UNKNOWN PAM_USER_UNKNOWN
User not known. User not known.
6.13.5. EXAMPLES 6.12.5. EXAMPLES
Add this line to your login entries to start each login session with its own Add this line to your login entries to start each login session with its own
session keyring: session keyring:
session required pam_keyinit.so session required pam_keyinit.so
This will prevent keys from one session leaking into another session for the This will prevent keys from one session leaking into another session for the
same user. same user.
6.13.6. AUTHOR 6.12.6. AUTHOR
pam_keyinit was written by David Howells, <dhowells@redhat.com>. pam_keyinit was written by David Howells, <dhowells@redhat.com>.
6.14. pam_lastlog - display date of last login 6.13. pam_lastlog - display date of last login
pam_lastlog.so [ debug ] [ silent ] [ never ] [ nodate ] [ nohost ] [ noterm ] pam_lastlog.so [ debug ] [ silent ] [ never ] [ nodate ] [ nohost ] [ noterm ]
[ nowtmp ] [ noupdate ] [ showfailed ] [ inactive=<days> ] [ unlimited ] [ nowtmp ] [ noupdate ] [ showfailed ] [ inactive=<days> ] [ unlimited ]
6.14.1. DESCRIPTION 6.13.1. DESCRIPTION
pam_lastlog is a PAM module to display a line of information about the last pam_lastlog is a PAM module to display a line of information about the last
login of the user. In addition, the module maintains the /var/log/lastlog file. login of the user. In addition, the module maintains the /var/log/lastlog file.
Some applications may perform this function themselves. In such cases, this Some applications may perform this function themselves. In such cases, this
module is not necessary. module is not necessary.
The module checks LASTLOG_UID_MAX option in /etc/login.defs and does not update The module checks LASTLOG_UID_MAX option in /etc/login.defs and does not update
or display last login records for users with UID higher than its value. If the or display last login records for users with UID higher than its value. If the
option is not present or its value is invalid, no user ID limit is applied. option is not present or its value is invalid, no user ID limit is applied.
If the module is called in the auth or account phase, the accounts that were If the module is called in the auth or account phase, the accounts that were
not used recently enough will be disallowed to log in. The check is not not used recently enough will be disallowed to log in. The check is not
performed for the root account so the root is never locked out. It is also not performed for the root account so the root is never locked out. It is also not
performed for users with UID higher than the LASTLOG_UID_MAX value. performed for users with UID higher than the LASTLOG_UID_MAX value.
6.14.2. OPTIONS 6.13.2. OPTIONS
debug debug
Print debug information. Print debug information.
silent silent
Don't inform the user about any previous login, just update the /var/log/ Don't inform the user about any previous login, just update the /var/log/
lastlog file. This option does not affect display of bad login attempts. lastlog file. This option does not affect display of bad login attempts.
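Review bot: "the accounts that were not used recently enough will be disallowed to log in" should read "will not be allowed to log in", and "The module checks LASTLOG_UID_MAX option" needs the article ("checks the LASTLOG_UID_MAX option"). More substantively, this is the paragraph that states the two exemptions from the inactivity lock-out (root, and UIDs above LASTLOG_UID_MAX); it would help an administrator to say plainly that accounts in either group are never locked by inactive=, so a separate control is needed if such accounts must be covered.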
skipping to change at line 2199 skipping to change at line 1925
This option is specific for the auth or account phase. It specifies the This option is specific for the auth or account phase. It specifies the
number of days after the last login of the user when the user will be number of days after the last login of the user when the user will be
locked out by the module. The default value is 90. locked out by the module. The default value is 90.
unlimited unlimited
If the fsize limit is set, this option can be used to override it, If the fsize limit is set, this option can be used to override it,
preventing failures on systems with large UID values that lead lastlog to preventing failures on systems with large UID values that lead lastlog to
become a huge sparse file. become a huge sparse file.
6.14.3. MODULE TYPES PROVIDED 6.13.3. MODULE TYPES PROVIDED
The auth and account module type allows one to lock out users who did not login The auth and account module type allows one to lock out users who did not login
recently enough. The session module type is provided for displaying the recently enough. The session module type is provided for displaying the
information about the last login and/or updating the lastlog and wtmp files. information about the last login and/or updating the lastlog and wtmp files.
6.14.4. RETURN VALUES 6.13.4. RETURN VALUES
PAM_SUCCESS PAM_SUCCESS
Everything was successful. Everything was successful.
PAM_SERVICE_ERR PAM_SERVICE_ERR
Internal service module error. Internal service module error.
PAM_USER_UNKNOWN PAM_USER_UNKNOWN
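Review bot: "The auth and account module type allows one to lock out users" should be "The auth and account module types allow one to lock out users" (two types are named). For inactive=<days>, "The default value is 90" leaves it ambiguous whether the lock-out applies in the auth or account phase only when the option is present, or always with a 90-day default when it is absent; spell out which is intended, since the DESCRIPTION's "If the module is called in the auth or account phase, the accounts that were not used recently enough will be disallowed" suggests the latter.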
skipping to change at line 2228 skipping to change at line 1954
PAM_AUTH_ERR PAM_AUTH_ERR
User locked out in the auth or account phase due to inactivity. User locked out in the auth or account phase due to inactivity.
PAM_IGNORE PAM_IGNORE
There was an error during reading the lastlog file in the auth or account There was an error during reading the lastlog file in the auth or account
phase and thus inactivity of the user cannot be determined. phase and thus inactivity of the user cannot be determined.
6.14.5. EXAMPLES 6.13.5. EXAMPLES
Add the following line to /etc/pam.d/login to display the last login time of an Add the following line to /etc/pam.d/login to display the last login time of an
user: user:
session required pam_lastlog.so nowtmp session required pam_lastlog.so nowtmp
To reject the user if he did not login during the previous 50 days the To reject the user if he did not login during the previous 50 days the
following line can be used: following line can be used:
auth required pam_lastlog.so inactive=50 auth required pam_lastlog.so inactive=50
6.14.6. AUTHOR 6.13.6. AUTHOR
pam_lastlog was written by Andrew G. Morgan <morgan@kernel.org>. pam_lastlog was written by Andrew G. Morgan <morgan@kernel.org>.
Inactive account lock out added by Tomáš Mráz <tm@t8m.info>. Inactive account lock out added by Tomáš Mráz <tm@t8m.info>.
6.15. pam_limits - limit resources 6.14. pam_limits - limit resources
pam_limits.so [ conf=/path/to/limits.conf ] [ debug ] [ set_all ] [ utmp_early pam_limits.so [ conf=/path/to/limits.conf ] [ debug ] [ set_all ] [ utmp_early
] [ noaudit ] ] [ noaudit ]
6.15.1. DESCRIPTION 6.14.1. DESCRIPTION
The pam_limits PAM module sets limits on the system resources that can be The pam_limits PAM module sets limits on the system resources that can be
obtained in a user-session. Users of uid=0 are affected by this limits, too. obtained in a user-session. Users of uid=0 are affected by this limits, too.
By default limits are taken from the /etc/security/limits.conf config file. By default limits are taken from the /etc/security/limits.conf config file.
Then individual *.conf files from the /etc/security/limits.d/ directory are Then individual *.conf files from the /etc/security/limits.d/ directory are
read. The files are parsed one after another in the order of "C" locale. The read. The files are parsed one after another in the order of "C" locale. The
effect of the individual files is the same as if all the files were effect of the individual files is the same as if all the files were
concatenated together in the order of parsing. If a config file is explicitly concatenated together in the order of parsing. If a config file is explicitly
specified with a module option then the files in the above directory are not specified with a module option then the files in the above directory are not
parsed. parsed.
The module must not be called by a multithreaded application. The module must not be called by a multithreaded application.
If Linux PAM is compiled with audit support the module will report when it If Linux PAM is compiled with audit support the module will report when it
denies access based on limit of maximum number of concurrent login sessions. denies access based on limit of maximum number of concurrent login sessions.
6.15.2. DESCRIPTION 6.14.2. DESCRIPTION
The pam_limits.so module applies ulimit limits, nice priority and number of The pam_limits.so module applies ulimit limits, nice priority and number of
simultaneous login sessions limit to user login sessions. This description of simultaneous login sessions limit to user login sessions. This description of
the configuration file syntax applies to the /etc/security/limits.conf file and the configuration file syntax applies to the /etc/security/limits.conf file and
*.conf files in the /etc/security/limits.d directory. *.conf files in the /etc/security/limits.d directory.
The syntax of the lines is as follows: The syntax of the lines is as follows:
<domain> <type> <item> <value> <domain> <type> <item> <value>
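Review bot: the PAM_IGNORE entry in the pam_lastlog RETURN VALUES means a read error on the lastlog file skips the inactivity check instead of failing it, so a stack built from the `auth required pam_lastlog.so inactive=50` example fails open when the file is unreadable; the EXAMPLES text should say so explicitly, since an administrator adding that line expects a lockout, not a silent pass. Separately, pam_limits now carries two consecutive headings both titled DESCRIPTION (6.14.1 and 6.14.2 after renumbering); the second describes the limits.conf syntax and should be retitled to say so.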
skipping to change at line 2385 skipping to change at line 2111
maximum number of logins for this user (this limit does not apply to maximum number of logins for this user (this limit does not apply to
user with uid=0) user with uid=0)
maxsyslogins maxsyslogins
maximum number of all logins on system; user is not allowed to log-in maximum number of all logins on system; user is not allowed to log-in
if total number of all user logins is greater than specified number if total number of all user logins is greater than specified number
(this limit does not apply to user with uid=0) (this limit does not apply to user with uid=0)
nonewprivs
value of 0 or 1; if set to 1 disables acquiring new privileges by
invoking prctl(PR_SET_NO_NEW_PRIVS)
priority priority
the priority to run user process with (negative values boost process the priority to run user process with (negative values boost process
priority) priority)
locks locks
maximum locked files (Linux 2.4 and higher) maximum locked files (Linux 2.4 and higher)
sigpending sigpending
skipping to change at line 2414 skipping to change at line 2145
maximum nice priority allowed to raise to (Linux 2.6.12 and higher) maximum nice priority allowed to raise to (Linux 2.6.12 and higher)
values: [-20,19] values: [-20,19]
rtprio rtprio
maximum realtime priority allowed for non-privileged processes (Linux maximum realtime priority allowed for non-privileged processes (Linux
2.6.12 and higher) 2.6.12 and higher)
All items support the values -1, unlimited or infinity indicating no limit, All items support the values -1, unlimited or infinity indicating no limit,
except for priority and nice. except for priority, nice, and nonewprivs.
If a hard limit or soft limit of a resource is set to a valid value, but If a hard limit or soft limit of a resource is set to a valid value, but
outside of the supported range of the local system, the system may reject the outside of the supported range of the local system, the system may reject the
new limit or unexpected behavior may occur. If the control value required is new limit or unexpected behavior may occur. If the control value required is
used, the module will reject the login if a limit could not be set. used, the module will reject the login if a limit could not be set.
In general, individual limits have priority over group limits, so if you impose In general, individual limits have priority over group limits, so if you impose
no limits for admin group, but one of the members in this group have a limits no limits for admin group, but one of the members in this group have a limits
line, the user will have its limits set according to this line. line, the user will have its limits set according to this line.
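Review bot: the new nonewprivs item says only "value of 0 or 1" and names the prctl it invokes; it does not say which <type> values (hard, soft or -) are meaningful for it, nor what a value of 0 does for a process on which the flag is already set. Since the sentence about -1, unlimited and infinity now lists nonewprivs as an exception, the entry itself should spell out its accepted type column and the effect of each value.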
skipping to change at line 2437 skipping to change at line 2168
One exception is the maxlogin option, this one is system wide. But there is a One exception is the maxlogin option, this one is system wide. But there is a
race, concurrent logins at the same time will not always be detect as such but race, concurrent logins at the same time will not always be detect as such but
only counted as one. only counted as one.
In the limits configuration file, the '#' character introduces a comment - In the limits configuration file, the '#' character introduces a comment -
after which the rest of the line is ignored. after which the rest of the line is ignored.
The pam_limits module does report configuration problems found in its The pam_limits module does report configuration problems found in its
configuration file and errors via syslog(3). configuration file and errors via syslog(3).
6.15.3. OPTIONS 6.14.3. OPTIONS
conf=/path/to/limits.conf conf=/path/to/limits.conf
Indicate an alternative limits.conf style configuration file to override Indicate an alternative limits.conf style configuration file to override
the default. the default.
debug debug
Print debug information. Print debug information.
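Review bot: "will not always be detect as such" should read "detected". While that sentence is being touched, it is worth stating outright what it only implies: because of this race the maxlogins count is best-effort, and simultaneous logins can exceed the configured limit.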
skipping to change at line 2467 skipping to change at line 2198
Some broken applications actually allocate a utmp entry for the user before Some broken applications actually allocate a utmp entry for the user before
the user is admitted to the system. If some of the services you are the user is admitted to the system. If some of the services you are
configuring PAM for do this, you can selectively use this module argument configuring PAM for do this, you can selectively use this module argument
to compensate for this behavior and at the same time maintain system-wide to compensate for this behavior and at the same time maintain system-wide
consistency with a single limits.conf file. consistency with a single limits.conf file.
noaudit noaudit
Do not report exceeded maximum logins count to the audit subsystem. Do not report exceeded maximum logins count to the audit subsystem.
6.15.4. MODULE TYPES PROVIDED 6.14.4. MODULE TYPES PROVIDED
Only the session module type is provided. Only the session module type is provided.
6.15.5. RETURN VALUES 6.14.5. RETURN VALUES
PAM_ABORT PAM_ABORT
Cannot get current limits. Cannot get current limits.
PAM_IGNORE PAM_IGNORE
No limits found for this user. No limits found for this user.
PAM_PERM_DENIED PAM_PERM_DENIED
skipping to change at line 2501 skipping to change at line 2232
Error recovering account name. Error recovering account name.
PAM_SUCCESS PAM_SUCCESS
Limits were changed. Limits were changed.
PAM_USER_UNKNOWN PAM_USER_UNKNOWN
The user is not known to the system. The user is not known to the system.
6.15.6. FILES 6.14.6. FILES
/etc/security/limits.conf /etc/security/limits.conf
Default configuration file Default configuration file
6.15.7. EXAMPLES 6.14.7. EXAMPLES
These are some example lines which might be specified in /etc/security/ These are some example lines which might be specified in /etc/security/
limits.conf. limits.conf.
* soft core 0 * soft core 0
* hard nofile 512 * hard nofile 512
@student hard nproc 20 @student hard nproc 20
@faculty soft nproc 20 @faculty soft nproc 20
@faculty hard nproc 50 @faculty hard nproc 50
ftp hard nproc 0 ftp hard nproc 0
@student - maxlogins 4 @student - maxlogins 4
@student - nonewprivs 1
:123 hard cpu 5000 :123 hard cpu 5000
@500: soft cpu 10000 @500: soft cpu 10000
600:700 hard locks 10 600:700 hard locks 10
6.15.8. AUTHORS 6.14.8. AUTHORS
pam_limits was initially written by Cristian Gafton <gafton@redhat.com> pam_limits was initially written by Cristian Gafton <gafton@redhat.com>
6.16. pam_listfile - deny or allow services based on an arbitrary file 6.15. pam_listfile - deny or allow services based on an arbitrary file
pam_listfile.so item=[tty|user|rhost|ruser|group|shell] sense=[allow|deny] file pam_listfile.so item=[tty|user|rhost|ruser|group|shell] sense=[allow|deny] file
=/path/filename onerr=[succeed|fail] [ apply=[user|@group] ] [ quiet ] =/path/filename onerr=[succeed|fail] [ apply=[user|@group] ] [ quiet ]
6.16.1. DESCRIPTION 6.15.1. DESCRIPTION
pam_listfile is a PAM module which provides a way to deny or allow services pam_listfile is a PAM module which provides a way to deny or allow services
based on an arbitrary file. based on an arbitrary file.
The module gets the item of the type specified -- user specifies the username, The module gets the item of the type specified -- user specifies the username,
PAM_USER; tty specifies the name of the terminal over which the request has PAM_USER; tty specifies the name of the terminal over which the request has
been made, PAM_TTY; rhost specifies the name of the remote host (if any) from been made, PAM_TTY; rhost specifies the name of the remote host (if any) from
which the request was made, PAM_RHOST; and ruser specifies the name of the which the request was made, PAM_RHOST; and ruser specifies the name of the
remote user (if available) who made the request, PAM_RUSER -- and looks for an remote user (if available) who made the request, PAM_RUSER -- and looks for an
instance of that item in the file=filename. filename contains one line per item instance of that item in the file=filename. filename contains one line per item
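Review bot: the added example line `@student - nonewprivs 1` uses `-` in the <type> column, but the item description gives no guidance on the type for nonewprivs; either the item entry should state that `-` (both hard and soft) is the expected form, or the example should carry a comment saying so. Also, "pam_limits was initially written by Cristian Gafton <gafton@redhat.com>" lacks a terminating period.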
skipping to change at line 2562 skipping to change at line 2294
An additional argument, apply=, can be used to restrict the application of the An additional argument, apply=, can be used to restrict the application of the
above to a specific user (apply=username) or a given group (apply=@groupname). above to a specific user (apply=username) or a given group (apply=@groupname).
This added restriction is only meaningful when used with the tty, rhost and This added restriction is only meaningful when used with the tty, rhost and
shell items. shell items.
Besides this last one, all arguments should be specified; do not count on any Besides this last one, all arguments should be specified; do not count on any
default behavior. default behavior.
No credentials are awarded by this module. No credentials are awarded by this module.
6.16.2. OPTIONS 6.15.2. OPTIONS
item=[tty|user|rhost|ruser|group|shell] item=[tty|user|rhost|ruser|group|shell]
What is listed in the file and should be checked for. What is listed in the file and should be checked for.
sense=[allow|deny] sense=[allow|deny]
Action to take if found in file, if the item is NOT found in the file, then Action to take if found in file, if the item is NOT found in the file, then
the opposite action is requested. the opposite action is requested.
skipping to change at line 2593 skipping to change at line 2325
Restrict the user class for which the restriction apply. Note that with Restrict the user class for which the restriction apply. Note that with
item=[user|ruser|group] this does not make sense, but for item=[tty|rhost| item=[user|ruser|group] this does not make sense, but for item=[tty|rhost|
shell] it have a meaning. shell] it have a meaning.
quiet quiet
Do not treat service refusals or missing list files as errors that need to Do not treat service refusals or missing list files as errors that need to
be logged. be logged.
6.16.3. MODULE TYPES PROVIDED 6.15.3. MODULE TYPES PROVIDED
All module types (auth, account, password and session) are provided. All module types (auth, account, password and session) are provided.
6.16.4. RETURN VALUES 6.15.4. RETURN VALUES
PAM_AUTH_ERR PAM_AUTH_ERR
Authentication failure. Authentication failure.
PAM_BUF_ERR PAM_BUF_ERR
Memory buffer error. Memory buffer error.
PAM_IGNORE PAM_IGNORE
skipping to change at line 2619 skipping to change at line 2351
The rule does not apply to the apply option. The rule does not apply to the apply option.
PAM_SERVICE_ERR PAM_SERVICE_ERR
Error in service module. Error in service module.
PAM_SUCCESS PAM_SUCCESS
Success. Success.
6.16.5. EXAMPLES 6.15.5. EXAMPLES
Classic 'ftpusers' authentication can be implemented with this entry in /etc/ Classic 'ftpusers' authentication can be implemented with this entry in /etc/
pam.d/ftpd: pam.d/ftpd:
# #
# deny ftp-access to users listed in the /etc/ftpusers file # deny ftp-access to users listed in the /etc/ftpusers file
# #
auth required pam_listfile.so \ auth required pam_listfile.so \
onerr=succeed item=user sense=deny file=/etc/ftpusers onerr=succeed item=user sense=deny file=/etc/ftpusers
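Review bot: the ftpusers example combines sense=deny with onerr=succeed, so if /etc/ftpusers is missing or unreadable the deny list is effectively empty and the module returns success. A comment in the example should state that this fail-open choice is deliberate for a deny list, so that readers do not copy onerr=succeed into an allow-list entry, where a missing file should fail closed (onerr=fail).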
skipping to change at line 2648 skipping to change at line 2380
# #
auth required pam_listfile.so \ auth required pam_listfile.so \
onerr=fail item=user sense=allow file=/etc/loginusers onerr=fail item=user sense=allow file=/etc/loginusers
For this example to work, all users who are allowed to use the login service For this example to work, all users who are allowed to use the login service
should be listed in the file /etc/loginusers. Unless you are explicitly trying should be listed in the file /etc/loginusers. Unless you are explicitly trying
to lock out root, make sure that when you do this, you leave a way for root to to lock out root, make sure that when you do this, you leave a way for root to
log in, either by listing root in /etc/loginusers, or by listing a user who is log in, either by listing root in /etc/loginusers, or by listing a user who is
able to su to the root account. able to su to the root account.
6.16.6. AUTHOR 6.15.6. AUTHOR
pam_listfile was written by Michael K. Johnson <johnsonm@redhat.com> and Elliot pam_listfile was written by Michael K. Johnson <johnsonm@redhat.com> and Elliot
Lee <sopwith@cuc.edu>. Lee <sopwith@cuc.edu>.
6.17. pam_localuser - require users to be listed in /etc/passwd 6.16. pam_localuser - require users to be listed in /etc/passwd
pam_localuser.so [ debug ] [ file=/path/passwd ] pam_localuser.so [ debug ] [ file=/path/passwd ]
6.17.1. DESCRIPTION 6.16.1. DESCRIPTION
pam_localuser is a PAM module to help implementing site-wide login policies, pam_localuser is a PAM module to help implementing site-wide login policies,
where they typically include a subset of the network's users and a few accounts where they typically include a subset of the network's users and a few accounts
that are local to a particular workstation. Using pam_localuser and pam_wheel that are local to a particular workstation. Using pam_localuser and pam_wheel
or pam_listfile is an effective way to restrict access to either local users or pam_listfile is an effective way to restrict access to either local users
and/or a subset of the network's users. and/or a subset of the network's users.
This could also be implemented using pam_listfile.so and a very short awk This could also be implemented using pam_listfile.so and a very short awk
script invoked by cron, but it's common enough to have been separated out. script invoked by cron, but it's common enough to have been separated out.
6.17.2. OPTIONS 6.16.2. OPTIONS
debug debug
Print debug information. Print debug information.
file=/path/passwd file=/path/passwd
Use a file other than /etc/passwd. Use a file other than /etc/passwd.
6.17.3. MODULE TYPES PROVIDED 6.16.3. MODULE TYPES PROVIDED
All module types (account, auth, password and session) are provided. All module types (account, auth, password and session) are provided.
6.17.4. RETURN VALUES 6.16.4. RETURN VALUES
PAM_SUCCESS PAM_SUCCESS
The new localuser was set successfully. The new localuser was set successfully.
PAM_BUF_ERR PAM_BUF_ERR
Memory buffer error. Memory buffer error.
PAM_CONV_ERR PAM_CONV_ERR
skipping to change at line 2710 skipping to change at line 2442
PAM_CONV_AGAIN. PAM_CONV_AGAIN.
PAM_SERVICE_ERR PAM_SERVICE_ERR
The user name is not valid or the passwd file is unavailable. The user name is not valid or the passwd file is unavailable.
PAM_PERM_DENIED PAM_PERM_DENIED
The user is not listed in the passwd file. The user is not listed in the passwd file.
6.17.5. EXAMPLES 6.16.5. EXAMPLES
Add the following lines to /etc/pam.d/su to allow only local users or group Add the following lines to /etc/pam.d/su to allow only local users or group
wheel to use su. wheel to use su.
account sufficient pam_localuser.so account sufficient pam_localuser.so
account required pam_wheel.so account required pam_wheel.so
6.17.6. AUTHOR 6.16.6. AUTHOR
pam_localuser was written by Nalin Dahyabhai <nalin@redhat.com>. pam_localuser was written by Nalin Dahyabhai <nalin@redhat.com>.
6.18. pam_loginuid - record user's login uid to the process attribute 6.17. pam_loginuid - record user's login uid to the process attribute
pam_loginuid.so [ require_auditd ] pam_loginuid.so [ require_auditd ]
6.18.1. DESCRIPTION 6.17.1. DESCRIPTION
The pam_loginuid module sets the loginuid process attribute for the process The pam_loginuid module sets the loginuid process attribute for the process
that was authenticated. This is necessary for applications to be correctly that was authenticated. This is necessary for applications to be correctly
audited. This PAM module should only be used for entry point applications like: audited. This PAM module should only be used for entry point applications like:
login, sshd, gdm, vsftpd, crond and atd. There are probably other entry point login, sshd, gdm, vsftpd, crond and atd. There are probably other entry point
applications besides these. You should not use it for applications like sudo or applications besides these. You should not use it for applications like sudo or
su as that defeats the purpose by changing the loginuid to the account they su as that defeats the purpose by changing the loginuid to the account they
just switched to. just switched to.
6.18.2. OPTIONS 6.17.2. OPTIONS
require_auditd require_auditd
This option, when given, will cause this module to query the audit daemon This option, when given, will cause this module to query the audit daemon
status and deny logins if it is not running. status and deny logins if it is not running.
6.18.3. MODULE TYPES PROVIDED 6.17.3. MODULE TYPES PROVIDED
Only the session module type is provided. Only the session module type is provided.
6.18.4. RETURN VALUES 6.17.4. RETURN VALUES
PAM_SUCCESS PAM_SUCCESS
The loginuid value is set and auditd is running if check requested. The loginuid value is set and auditd is running if check requested.
PAM_IGNORE PAM_IGNORE
The /proc/self/loginuid file is not present on the system or the login The /proc/self/loginuid file is not present on the system or the login
process runs inside uid namespace and kernel does not support overwriting process runs inside uid namespace and kernel does not support overwriting
loginuid. loginuid.
PAM_SESSION_ERR PAM_SESSION_ERR
Any other error prevented setting loginuid or auditd is not running. Any other error prevented setting loginuid or auditd is not running.
6.18.5. EXAMPLES 6.17.5. EXAMPLES
#%PAM-1.0 #%PAM-1.0
auth required pam_unix.so auth required pam_unix.so
auth required pam_nologin.so auth required pam_nologin.so
account required pam_unix.so account required pam_unix.so
password required pam_unix.so password required pam_unix.so
session required pam_unix.so session required pam_unix.so
session required pam_loginuid.so session required pam_loginuid.so
6.18.6. AUTHOR 6.17.6. AUTHOR
pam_loginuid was written by Steve Grubb <sgrubb@redhat.com> pam_loginuid was written by Steve Grubb <sgrubb@redhat.com>
6.19. pam_mail - inform about available mail 6.18. pam_mail - inform about available mail
pam_mail.so [ close ] [ debug ] [ dir=maildir ] [ empty ] [ hash=count ] [ pam_mail.so [ close ] [ debug ] [ dir=maildir ] [ empty ] [ hash=count ] [
noenv ] [ nopen ] [ quiet ] [ standard ] noenv ] [ nopen ] [ quiet ] [ standard ]
6.19.1. DESCRIPTION 6.18.1. DESCRIPTION
The pam_mail PAM module provides the "you have new mail" service to the user. The pam_mail PAM module provides the "you have new mail" service to the user.
It can be plugged into any application that has credential or session hooks. It It can be plugged into any application that has credential or session hooks. It
gives a single message indicating the newness of any mail it finds in the gives a single message indicating the newness of any mail it finds in the
user's mail folder. This module also sets the PAM environment variable, MAIL, user's mail folder. This module also sets the PAM environment variable, MAIL,
to the user's mail directory. to the user's mail directory.
If the mail spool file (be it /var/mail/$USER or a pathname given with the dir= If the mail spool file (be it /var/mail/$USER or a pathname given with the dir=
parameter) is a directory then pam_mail assumes it is in the Maildir format. parameter) is a directory then pam_mail assumes it is in the Maildir format.
6.19.2. OPTIONS 6.18.2. OPTIONS
close close
Indicate if the user has any mail also on logout. Indicate if the user has any mail also on logout.
debug debug
Print debug information. Print debug information.
dir=maildir dir=maildir
skipping to change at line 2837 skipping to change at line 2569
quiet quiet
Only report when there is new mail. Only report when there is new mail.
standard standard
Old style "You have..." format which doesn't show the mail spool being Old style "You have..." format which doesn't show the mail spool being
used. This also implies "empty". used. This also implies "empty".
6.19.3. MODULE TYPES PROVIDED 6.18.3. MODULE TYPES PROVIDED
The session and auth (on establishment and deletion of credentials) module The session and auth (on establishment and deletion of credentials) module
types are provided. types are provided.
6.19.4. RETURN VALUES 6.18.4. RETURN VALUES
PAM_BUF_ERR PAM_BUF_ERR
Memory buffer error. Memory buffer error.
PAM_SERVICE_ERR PAM_SERVICE_ERR
Badly formed arguments. Badly formed arguments.
PAM_SUCCESS PAM_SUCCESS
Success. Success.
PAM_USER_UNKNOWN PAM_USER_UNKNOWN
User not known. User not known.
6.19.5. EXAMPLES 6.18.5. EXAMPLES
Add the following line to /etc/pam.d/login to indicate that the user has new Add the following line to /etc/pam.d/login to indicate that the user has new
mail when they login to the system. mail when they login to the system.
session optional pam_mail.so standard session optional pam_mail.so standard
6.19.6. AUTHOR 6.18.6. AUTHOR
pam_mail was written by Andrew G. Morgan <morgan@kernel.org>. pam_mail was written by Andrew G. Morgan <morgan@kernel.org>.
6.20. pam_mkhomedir - create users home directory 6.19. pam_mkhomedir - create users home directory
pam_mkhomedir.so [ silent ] [ debug ] [ umask=mode ] [ skel=skeldir ] pam_mkhomedir.so [ silent ] [ debug ] [ umask=mode ] [ skel=skeldir ]
6.20.1. DESCRIPTION 6.19.1. DESCRIPTION
The pam_mkhomedir PAM module will create a users home directory if it does not The pam_mkhomedir PAM module will create a users home directory if it does not
exist when the session begins. This allows users to be present in central exist when the session begins. This allows users to be present in central
database (such as NIS, kerberos or LDAP) without using a distributed file database (such as NIS, kerberos or LDAP) without using a distributed file
system or pre-creating a large number of directories. The skeleton directory system or pre-creating a large number of directories. The skeleton directory
(usually /etc/skel/) is used to copy default files and also sets a umask for (usually /etc/skel/) is used to copy default files and also sets a umask for
the creation. the creation.
The new users home directory will not be removed after logout of the user. The new users home directory will not be removed after logout of the user.
6.20.2. OPTIONS 6.19.2. OPTIONS
silent silent
Don't print informative messages. Don't print informative messages.
debug debug
Turns on debugging via syslog(3). Turns on debugging via syslog(3).
umask=mask umask=mask
The user file-creation mask is set to mask. The default value of mask is The user file-creation mask is set to mask. The default value of mask is
0022. 0022.
skel=/path/to/skel/directory skel=/path/to/skel/directory
Indicate an alternative skel directory to override the default /etc/skel. Indicate an alternative skel directory to override the default /etc/skel.
6.20.3. MODULE TYPES PROVIDED 6.19.3. MODULE TYPES PROVIDED
Only the session module type is provided. Only the session module type is provided.
6.20.4. RETURN VALUES 6.19.4. RETURN VALUES
PAM_BUF_ERR PAM_BUF_ERR
Memory buffer error. Memory buffer error.
PAM_PERM_DENIED PAM_PERM_DENIED
Not enough permissions to create the new directory or read the skel Not enough permissions to create the new directory or read the skel
directory. directory.
PAM_USER_UNKNOWN PAM_USER_UNKNOWN
User not known to the underlying authentication module. User not known to the underlying authentication module.
PAM_SUCCESS PAM_SUCCESS
Environment variables were set. Environment variables were set.
6.20.5. EXAMPLES 6.19.5. EXAMPLES
A sample /etc/pam.d/login file: A sample /etc/pam.d/login file:
auth requisite pam_securetty.so auth requisite pam_securetty.so
auth sufficient pam_ldap.so auth sufficient pam_ldap.so
auth required pam_unix.so auth required pam_unix.so
auth required pam_nologin.so auth required pam_nologin.so
account sufficient pam_ldap.so account sufficient pam_ldap.so
account required pam_unix.so account required pam_unix.so
password required pam_unix.so password required pam_unix.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022 session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
session required pam_unix.so session required pam_unix.so
session optional pam_lastlog.so session optional pam_lastlog.so
session optional pam_mail.so standard session optional pam_mail.so standard
6.20.6. AUTHOR 6.19.6. AUTHOR
pam_mkhomedir was written by Jason Gunthorpe <jgg@debian.org>. pam_mkhomedir was written by Jason Gunthorpe <jgg@debian.org>.
6.21. pam_motd - display the motd file 6.20. pam_motd - display the motd file
pam_motd.so [ motd=/path/filename ] [ motd_dir=/path/dirname.d ] pam_motd.so [ motd=/path/filename ] [ motd_dir=/path/dirname.d ]
6.21.1. DESCRIPTION 6.20.1. DESCRIPTION
pam_motd is a PAM module that can be used to display arbitrary motd (message of pam_motd is a PAM module that can be used to display arbitrary motd (message of
the day) files after a successful login. By default, pam_motd shows files in the day) files after a successful login. By default, pam_motd shows files in
the following locations: the following locations:
/etc/motd /etc/motd
/run/motd /run/motd
/usr/lib/motd /usr/lib/motd
/etc/motd.d/ /etc/motd.d/
/run/motd.d/ /run/motd.d/
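Review bot: under pam_mkhomedir RETURN VALUES, PAM_SUCCESS is described as "Environment variables were set.", which describes a different module; the DESCRIPTION says this module creates the user's home directory, so PAM_SUCCESS should read along the lines of "the home directory was created or already existed". In the same hunk the option is listed as umask=mask while the synopsis line says umask=mode; the two should agree.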
skipping to change at line 2974 skipping to change at line 2706
Each message size is limited to 64KB. Each message size is limited to 64KB.
If /etc/motd does not exist, then /run/motd is shown. If /run/motd does not If /etc/motd does not exist, then /run/motd is shown. If /run/motd does not
exist, then /usr/lib/motd is shown. exist, then /usr/lib/motd is shown.
Similar overriding behavior applies to the directories. Files in /etc/motd.d/ Similar overriding behavior applies to the directories. Files in /etc/motd.d/
override files with the same name in /run/motd.d/ and /usr/lib/motd.d/. Files override files with the same name in /run/motd.d/ and /usr/lib/motd.d/. Files
in /run/motd.d/ override files with the same name in /usr/lib/motd.d/. in /run/motd.d/ override files with the same name in /usr/lib/motd.d/.
Files the in the directories listed above are displayed in lexicographic order Files in the directories listed above are displayed in lexicographic order by
by name. name. Moreover, the files are filtered by reading them with the credentials of
the target user authenticating on the system.
To silence a message, a symbolic link with target /dev/null may be placed in / To silence a message, a symbolic link with target /dev/null may be placed in /
etc/motd.d with the same filename as the message to be silenced. Example: etc/motd.d with the same filename as the message to be silenced. Example:
Creating a symbolic link as follows silences /usr/lib/motd.d/my_motd. Creating a symbolic link as follows silences /usr/lib/motd.d/my_motd.
ln -s /dev/null /etc/motd.d/my_motd ln -s /dev/null /etc/motd.d/my_motd
The MOTD_SHOWN=pam environment variable is set after showing the motd files, The MOTD_SHOWN=pam environment variable is set after showing the motd files,
even when all of them were silenced using symbolic links. even when all of them were silenced using symbolic links.
6.21.2. OPTIONS 6.20.2. OPTIONS
motd=/path/filename motd=/path/filename
The /path/filename file is displayed as message of the day. Multiple paths The /path/filename file is displayed as message of the day. Multiple paths
to try can be specified as a colon-separated list. By default this option to try can be specified as a colon-separated list. By default this option
is set to /etc/motd:/run/motd:/usr/lib/motd. is set to /etc/motd:/run/motd:/usr/lib/motd.
motd_dir=/path/dirname.d motd_dir=/path/dirname.d
The /path/dirname.d directory is scanned and each file contained inside of The /path/dirname.d directory is scanned and each file contained inside of
it is displayed. Multiple directories to scan can be specified as a it is displayed. Multiple directories to scan can be specified as a
colon-separated list. By default this option is set to /etc/motd.d:/run/ colon-separated list. By default this option is set to /etc/motd.d:/run/
motd.d:/usr/lib/motd.d. motd.d:/usr/lib/motd.d.
When no options are given, the default behavior applies for both options. When no options are given, the default behavior applies for both options.
Specifying either option (or both) will disable the default behavior for both Specifying either option (or both) will disable the default behavior for both
options. options.
6.21.3. MODULE TYPES PROVIDED 6.20.3. MODULE TYPES PROVIDED
Only the session module type is provided. Only the session module type is provided.
6.21.4. RETURN VALUES 6.20.4. RETURN VALUES
PAM_ABORT PAM_ABORT
Not all relevant data or options could be obtained. Not all relevant data or options could be obtained.
PAM_BUF_ERR PAM_BUF_ERR
Memory buffer error. Memory buffer error.
PAM_IGNORE PAM_IGNORE
This is the default return value of this module. This is the default return value of this module.
6.21.5. EXAMPLES 6.20.5. EXAMPLES
The suggested usage for /etc/pam.d/login is: The suggested usage for /etc/pam.d/login is:
session optional pam_motd.so session optional pam_motd.so
To use a motd file from a different location: To use a motd file from a different location:
session optional pam_motd.so motd=/elsewhere/motd session optional pam_motd.so motd=/elsewhere/motd
To use a motd file from elsewhere, along with a corresponding .d directory: To use a motd file from elsewhere, along with a corresponding .d directory:
session optional pam_motd.so motd=/elsewhere/motd motd_dir=/elsewhere/motd.d session optional pam_motd.so motd=/elsewhere/motd motd_dir=/elsewhere/motd.d
6.21.6. AUTHOR 6.20.6. AUTHOR
pam_motd was written by Ben Collins <bcollins@debian.org>. pam_motd was written by Ben Collins <bcollins@debian.org>.
The motd_dir= option was added by Allison Karlitskaya The motd_dir= option was added by Allison Karlitskaya
<allison.karlitskaya@redhat.com>. <allison.karlitskaya@redhat.com>.
6.22. pam_namespace - setup a private namespace 6.21. pam_namespace - setup a private namespace
pam_namespace.so [ debug ] [ unmnt_remnt ] [ unmnt_only ] [ require_selinux ] [ pam_namespace.so [ debug ] [ unmnt_remnt ] [ unmnt_only ] [ require_selinux ] [
gen_hash ] [ ignore_config_error ] [ ignore_instance_parent_mode ] [ gen_hash ] [ ignore_config_error ] [ ignore_instance_parent_mode ] [
unmount_on_close ] [ use_current_context ] [ use_default_context ] [ unmount_on_close ] [ use_current_context ] [ use_default_context ] [
mount_private ] mount_private ]
6.22.1. DESCRIPTION 6.21.1. DESCRIPTION
The pam_namespace PAM module sets up a private namespace for a session with The pam_namespace PAM module sets up a private namespace for a session with
polyinstantiated directories. A polyinstantiated directory provides a different polyinstantiated directories. A polyinstantiated directory provides a different
instance of itself based on user name, or when using SELinux, user name, instance of itself based on user name, or when using SELinux, user name,
security context or both. If an executable script /etc/security/namespace.init security context or both. If an executable script /etc/security/namespace.init
exists, it is used to initialize the instance directory after it is set up and exists, it is used to initialize the instance directory after it is set up and
mounted on the polyinstantiated directory. The script receives the mounted on the polyinstantiated directory. The script receives the
polyinstantiated directory path, the instance directory path, flag whether the polyinstantiated directory path, the instance directory path, flag whether the
instance directory was newly created (0 for no, 1 for yes), and the user name instance directory was newly created (0 for no, 1 for yes), and the user name
as its arguments. as its arguments.
The pam_namespace module disassociates the session namespace from the parent The pam_namespace module disassociates the session namespace from the parent
namespace. Any mounts/unmounts performed in the parent namespace, such as namespace. Any mounts/unmounts performed in the parent namespace, such as
mounting of devices, are not reflected in the session namespace. To propagate mounting of devices, are not reflected in the session namespace. To propagate
selected mount/unmount events from the parent namespace into the disassociated selected mount/unmount events from the parent namespace into the disassociated
session namespace, an administrator may use the special shared-subtree feature. session namespace, an administrator may use the special shared-subtree feature.
For additional information on shared-subtree feature, please refer to the mount For additional information on shared-subtree feature, please refer to the mount
(8) man page and the shared-subtree description at http://lwn.net/Articles/ (8) man page and the shared-subtree description at http://lwn.net/Articles/
159077 and http://lwn.net/Articles/159092. 159077 and http://lwn.net/Articles/159092.
6.22.2. DESCRIPTION 6.21.2. DESCRIPTION
The pam_namespace.so module allows setup of private namespaces with The pam_namespace.so module allows setup of private namespaces with
polyinstantiated directories. Directories can be polyinstantiated based on user polyinstantiated directories. Directories can be polyinstantiated based on user
name or, in the case of SELinux, user name, sensitivity level or complete name or, in the case of SELinux, user name, sensitivity level or complete
security context. If an executable script /etc/security/namespace.init exists, security context. If an executable script /etc/security/namespace.init exists,
it is used to initialize the namespace every time an instance directory is set it is used to initialize the namespace every time an instance directory is set
up and mounted. The script receives the polyinstantiated directory path and the up and mounted. The script receives the polyinstantiated directory path and the
instance directory path as its arguments. instance directory path as its arguments.
The /etc/security/namespace.conf file specifies which directories are The /etc/security/namespace.conf file specifies which directories are
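Review bot: the only change in this region is the renumbering of headings (6.21.2 becomes 6.20.2, 6.22 becomes 6.21, and so on); the pam_motd and pam_namespace text is otherwise identical in both versions. Any bookmark, link or cross-reference that names these sections by number is now off by one, so a check of the guide's own numeric cross-references belongs in the same change. While this file is being touched, the pam_namespace section has two consecutive headings both titled DESCRIPTION (6.21.1 and 6.21.2 in the new numbering); the second one introduces /etc/security/namespace.conf and would be clearer under a title that says so.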
skipping to change at line 3160 skipping to change at line 2893
obtained by getexeccon. This context must be set by the calling application or obtained by getexeccon. This context must be set by the calling application or
pam_selinux.so module. If this context is not set the polyinstatiation will be pam_selinux.so module. If this context is not set the polyinstatiation will be
based just on user name. based just on user name.
The "instance differentiation string" is <user name> for "user" method and The "instance differentiation string" is <user name> for "user" method and
<user name>_<raw directory context> for "context" and "level" methods. If the <user name>_<raw directory context> for "context" and "level" methods. If the
whole string is too long the end of it is replaced with md5sum of itself. Also whole string is too long the end of it is replaced with md5sum of itself. Also
when command line option gen_hash is used the whole string is replaced with when command line option gen_hash is used the whole string is replaced with
md5sum of itself. md5sum of itself.
6.22.3. OPTIONS 6.21.3. OPTIONS
debug debug
A lot of debug information is logged using syslog A lot of debug information is logged using syslog
unmnt_remnt unmnt_remnt
For programs such as su and newrole, the login session has already setup a For programs such as su and newrole, the login session has already setup a
polyinstantiated namespace. For these programs, polyinstantiation is polyinstantiated namespace. For these programs, polyinstantiation is
performed based on new user id or security context, however the command performed based on new user id or security context, however the command
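Review bot: "polyinstatiation" in the unchanged context line "If this context is not set the polyinstatiation will be based just on user name" is a typo for "polyinstantiation" that survives from the previous version; worth correcting in this change rather than carrying it forward again.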
skipping to change at line 3240 skipping to change at line 2973
module will mark the whole directory tree so any mount and unmount module will mark the whole directory tree so any mount and unmount
operations in the polyinstantiation namespace are private. Normally the operations in the polyinstantiation namespace are private. Normally the
pam_namespace will try to detect the shared / mount point and make the pam_namespace will try to detect the shared / mount point and make the
polyinstantiated directories private automatically. This option has to be polyinstantiated directories private automatically. This option has to be
used just when only a subtree is shared and / is not. used just when only a subtree is shared and / is not.
Note that mounts and unmounts done in the private namespace will not affect Note that mounts and unmounts done in the private namespace will not affect
the parent namespace if this option is used or when the shared / mount the parent namespace if this option is used or when the shared / mount
point is autodetected. point is autodetected.
6.22.4. MODULE TYPES PROVIDED 6.21.4. MODULE TYPES PROVIDED
Only the session module type is provided. The module must not be called from Only the session module type is provided. The module must not be called from
multithreaded processes. multithreaded processes.
6.22.5. RETURN VALUES 6.21.5. RETURN VALUES
PAM_SUCCESS PAM_SUCCESS
Namespace setup was successful. Namespace setup was successful.
PAM_SERVICE_ERR PAM_SERVICE_ERR
Unexpected system error occurred while setting up namespace. Unexpected system error occurred while setting up namespace.
PAM_SESSION_ERR PAM_SESSION_ERR
Unexpected namespace configuration error occurred. Unexpected namespace configuration error occurred.
6.22.6. FILES 6.21.6. FILES
/etc/security/namespace.conf /etc/security/namespace.conf
Main configuration file Main configuration file
/etc/security/namespace.d /etc/security/namespace.d
Directory for additional configuration files Directory for additional configuration files
/etc/security/namespace.init /etc/security/namespace.init
Init script for instance directories Init script for instance directories
6.22.7. EXAMPLES 6.21.7. EXAMPLES
These are some example lines which might be specified in /etc/security/ These are some example lines which might be specified in /etc/security/
namespace.conf. namespace.conf.
      # The following three lines will polyinstantiate /tmp,       # The following three lines will polyinstantiate /tmp,
      # /var/tmp and user's home directories. /tmp and /var/tmp       # /var/tmp and user's home directories. /tmp and /var/tmp
      # will be polyinstantiated based on the security level       # will be polyinstantiated based on the security level
      # as well as user name, whereas home directory will be       # as well as user name, whereas home directory will be
      # polyinstantiated based on the full security context and user name.       # polyinstantiated based on the full security context and user name.
      # Polyinstantiation will not be performed for user root       # Polyinstantiation will not be performed for user root
skipping to change at line 3306 skipping to change at line 3039
      $HOME    $HOME/$USER.inst/inst- context       $HOME    $HOME/$USER.inst/inst- context
         
For the <service>s you need polyinstantiation (login for example) put the For the <service>s you need polyinstantiation (login for example) put the
following line in /etc/pam.d/<service> as the last line for session group: following line in /etc/pam.d/<service> as the last line for session group:
session required pam_namespace.so [arguments] session required pam_namespace.so [arguments]
This module also depends on pam_selinux.so setting the context. This module also depends on pam_selinux.so setting the context.
6.22.8. AUTHORS 6.21.8. AUTHORS
The namespace setup scheme was designed by Stephen Smalley, Janak Desai and The namespace setup scheme was designed by Stephen Smalley, Janak Desai and
Chad Sellers. The pam_namespace PAM module was developed by Janak Desai Chad Sellers. The pam_namespace PAM module was developed by Janak Desai
<janak@us.ibm.com>, Chad Sellers <csellers@tresys.com> and Steve Grubb <janak@us.ibm.com>, Chad Sellers <csellers@tresys.com> and Steve Grubb
<sgrubb@redhat.com>. Additional improvements by Xavier Toth <txtoth@gmail.com> <sgrubb@redhat.com>. Additional improvements by Xavier Toth <txtoth@gmail.com>
and Tomas Mraz <tmraz@redhat.com>. and Tomas Mraz <tmraz@redhat.com>.
6.23. pam_nologin - prevent non-root users from login 6.22. pam_nologin - prevent non-root users from login
pam_nologin.so [ file=/path/nologin ] [ successok ] pam_nologin.so [ file=/path/nologin ] [ successok ]
6.23.1. DESCRIPTION 6.22.1. DESCRIPTION
pam_nologin is a PAM module that prevents users from logging into the system pam_nologin is a PAM module that prevents users from logging into the system
when /var/run/nologin or /etc/nologin exists. The contents of the file are when /var/run/nologin or /etc/nologin exists. The contents of the file are
displayed to the user. The pam_nologin module has no effect on the root user's displayed to the user. The pam_nologin module has no effect on the root user's
ability to log in. ability to log in.
6.23.2. OPTIONS 6.22.2. OPTIONS
file=/path/nologin file=/path/nologin
Use this file instead the default /var/run/nologin or /etc/nologin. Use this file instead the default /var/run/nologin or /etc/nologin.
successok successok
Return PAM_SUCCESS if no file exists, the default is PAM_IGNORE. Return PAM_SUCCESS if no file exists, the default is PAM_IGNORE.
6.23.3. MODULE TYPES PROVIDED 6.22.3. MODULE TYPES PROVIDED
The auth and account module types are provided. The auth and account module types are provided.
6.23.4. RETURN VALUES 6.22.4. RETURN VALUES
PAM_AUTH_ERR PAM_AUTH_ERR
The user is not root and /etc/nologin exists, so the user is not permitted The user is not root and /etc/nologin exists, so the user is not permitted
to log in. to log in.
PAM_BUF_ERR PAM_BUF_ERR
Memory buffer error. Memory buffer error.
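Review bot: the pam_nologin option text "Use this file instead the default /var/run/nologin or /etc/nologin" is missing a word and should read "instead of the default"; it is unchanged between the two versions, so the fix is a one-word edit in this region.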
skipping to change at line 3362 skipping to change at line 3095
This is the default return value. This is the default return value.
PAM_SUCCESS PAM_SUCCESS
Success: either the user is root or the nologin file does not exist. Success: either the user is root or the nologin file does not exist.
PAM_USER_UNKNOWN PAM_USER_UNKNOWN
User not known to the underlying authentication module. User not known to the underlying authentication module.
6.23.5. EXAMPLES 6.22.5. EXAMPLES
The suggested usage for /etc/pam.d/login is: The suggested usage for /etc/pam.d/login is:
auth required pam_nologin.so auth required pam_nologin.so
6.23.6. AUTHOR 6.22.6. AUTHOR
pam_nologin was written by Michael K. Johnson <johnsonm@redhat.com>. pam_nologin was written by Michael K. Johnson <johnsonm@redhat.com>.
6.24. pam_permit - the promiscuous module 6.23. pam_permit - the promiscuous module
pam_permit.so pam_permit.so
6.24.1. DESCRIPTION 6.23.1. DESCRIPTION
pam_permit is a PAM module that always permit access. It does nothing else. pam_permit is a PAM module that always permit access. It does nothing else.
In the case of authentication, the user's name will be set to nobody if the In the case of authentication, the user's name will be set to nobody if the
application didn't set one. Many applications and PAM modules become confused application didn't set one. Many applications and PAM modules become confused
if this name is unknown. if this name is unknown.
This module is very dangerous. It should be used with extreme caution. This module is very dangerous. It should be used with extreme caution.
6.24.2. OPTIONS 6.23.2. OPTIONS
This module does not recognise any options. This module does not recognise any options.
6.24.3. MODULE TYPES PROVIDED 6.23.3. MODULE TYPES PROVIDED
The auth, account, password and session module types are provided. The auth, account, password and session module types are provided.
6.24.4. RETURN VALUES 6.23.4. RETURN VALUES
PAM_SUCCESS PAM_SUCCESS
This module always returns this value. This module always returns this value.
6.24.5. EXAMPLES 6.23.5. EXAMPLES
Add this line to your other login entries to disable account management, but Add this line to your other login entries to disable account management, but
continue to permit users to log in. continue to permit users to log in.
account required pam_permit.so account required pam_permit.so
6.24.6. AUTHOR 6.23.6. AUTHOR
pam_permit was written by Andrew G. Morgan, <morgan@kernel.org>. pam_permit was written by Andrew G. Morgan, <morgan@kernel.org>.
6.25. pam_pwhistory - grant access using .pwhistory file 6.24. pam_pwhistory - grant access using .pwhistory file
pam_pwhistory.so [ debug ] [ use_authtok ] [ enforce_for_root ] [ remember=N ] pam_pwhistory.so [ debug ] [ use_authtok ] [ enforce_for_root ] [ remember=N ]
[ retry=N ] [ authtok_type=STRING ] [ retry=N ] [ authtok_type=STRING ]
6.25.1. DESCRIPTION 6.24.1. DESCRIPTION
This module saves the last passwords for each user in order to force password This module saves the last passwords for each user in order to force password
change history and keep the user from alternating between the same password too change history and keep the user from alternating between the same password too
frequently. frequently.
This module does not work together with kerberos. In general, it does not make This module does not work together with kerberos. In general, it does not make
much sense to use this module in conjunction with NIS or LDAP, since the old much sense to use this module in conjunction with NIS or LDAP, since the old
passwords are stored on the local machine and are not available on another passwords are stored on the local machine and are not available on another
machine for password history checking. machine for password history checking.
6.25.2. OPTIONS 6.24.2. OPTIONS
debug debug
Turns on debugging via syslog(3). Turns on debugging via syslog(3).
use_authtok use_authtok
When password changing enforce the module to use the new password provided When password changing enforce the module to use the new password provided
by a previously stacked password module (this is used in the example of the by a previously stacked password module (this is used in the example of the
stacking of the pam_cracklib module documented below). stacking of the pam_passwdqc module documented below).
enforce_for_root enforce_for_root
If this option is set, the check is enforced for root, too. If this option is set, the check is enforced for root, too.
remember=N remember=N
The last N passwords for each user are saved in /etc/security/opasswd. The The last N passwords for each user are saved in /etc/security/opasswd. The
default is 10. Value of 0 makes the module to keep the existing contents of default is 10. Value of 0 makes the module to keep the existing contents of
the opasswd file unchanged. the opasswd file unchanged.
retry=N retry=N
Prompt user at most N times before returning with error. The default is 1. Prompt user at most N times before returning with error. The default is 1.
authtok_type=STRING authtok_type=STRING
See pam_get_authtok(3) for more details. See pam_get_authtok(3) for more details.
6.25.3. MODULE TYPES PROVIDED 6.24.3. MODULE TYPES PROVIDED
Only the password module type is provided. Only the password module type is provided.
6.25.4. RETURN VALUES 6.24.4. RETURN VALUES
PAM_AUTHTOK_ERR PAM_AUTHTOK_ERR
No new password was entered, the user aborted password change or new No new password was entered, the user aborted password change or new
password couldn't be set. password couldn't be set.
PAM_IGNORE PAM_IGNORE
Password history was disabled. Password history was disabled.
PAM_MAXTRIES PAM_MAXTRIES
Password was rejected too often. Password was rejected too often.
PAM_USER_UNKNOWN PAM_USER_UNKNOWN
User is not known to system. User is not known to system.
6.25.5. FILES 6.24.5. FILES
/etc/security/opasswd /etc/security/opasswd
File with password history File with password history
6.25.6. EXAMPLES 6.24.6. EXAMPLES
An example password section would be: An example password section would be:
#%PAM-1.0 #%PAM-1.0
password required pam_pwhistory.so password required pam_pwhistory.so
password required pam_unix.so use_authtok password required pam_unix.so use_authtok
In combination with pam_cracklib: In combination with pam_passwdqc:
#%PAM-1.0 #%PAM-1.0
password required pam_cracklib.so retry=3 password required pam_passwdqc.so config=/etc/passwdqc.conf
password required pam_pwhistory.so use_authtok password required pam_pwhistory.so use_authtok
password required pam_unix.so use_authtok password required pam_unix.so use_authtok
6.25.7. AUTHOR 6.24.7. AUTHOR
pam_pwhistory was written by Thorsten Kukuk <kukuk@thkukuk.de> pam_pwhistory was written by Thorsten Kukuk <kukuk@thkukuk.de>
6.26. pam_rhosts - grant access using .rhosts file 6.25. pam_rhosts - grant access using .rhosts file
pam_rhosts.so pam_rhosts.so
6.26.1. DESCRIPTION 6.25.1. DESCRIPTION
This module performs the standard network authentication for services, as used This module performs the standard network authentication for services, as used
by traditional implementations of rlogin and rsh etc. by traditional implementations of rlogin and rsh etc.
The authentication mechanism of this module is based on the contents of two The authentication mechanism of this module is based on the contents of two
files; /etc/hosts.equiv (or and ~/.rhosts. Firstly, hosts listed in the former files; /etc/hosts.equiv (or and ~/.rhosts. Firstly, hosts listed in the former
file are treated as equivalent to the localhost. Secondly, entries in the file are treated as equivalent to the localhost. Secondly, entries in the
user's own copy of the latter file is used to map "remote-host remote-user" user's own copy of the latter file is used to map "remote-host remote-user"
pairs to that user's account on the current host. Access is granted to the user pairs to that user's account on the current host. Access is granted to the user
if their host is present in /etc/hosts.equiv and their remote account is if their host is present in /etc/hosts.equiv and their remote account is
identical to their local one, or if their remote account has an entry in their identical to their local one, or if their remote account has an entry in their
personal configuration file. personal configuration file.
The module authenticates a remote user (internally specified by the item The module authenticates a remote user (internally specified by the item
PAM_RUSER connecting from the remote host (internally specified by the item PAM_RUSER connecting from the remote host (internally specified by the item
PAM_RHOST). Accordingly, for applications to be compatible this authentication PAM_RHOST). Accordingly, for applications to be compatible this authentication
module they must set these items prior to calling pam_authenticate(). The module they must set these items prior to calling pam_authenticate(). The
module is not capable of independently probing the network connection for such module is not capable of independently probing the network connection for such
information. information.
6.26.2. OPTIONS 6.25.2. OPTIONS
debug debug
Print debug information. Print debug information.
silent silent
Don't print informative messages. Don't print informative messages.
superuser=account superuser=account
Handle account as root. Handle account as root.
6.26.3. MODULE TYPES PROVIDED 6.25.3. MODULE TYPES PROVIDED
Only the auth module type is provided. Only the auth module type is provided.
6.26.4. RETURN VALUES 6.25.4. RETURN VALUES
PAM_AUTH_ERR PAM_AUTH_ERR
The remote host, remote user name or the local user name couldn't be The remote host, remote user name or the local user name couldn't be
determined or access was denied by .rhosts file. determined or access was denied by .rhosts file.
PAM_USER_UNKNOWN PAM_USER_UNKNOWN
User is not known to system. User is not known to system.
6.26.5. EXAMPLES 6.25.5. EXAMPLES
To grant a remote user access by /etc/hosts.equiv or .rhosts for rsh add the To grant a remote user access by /etc/hosts.equiv or .rhosts for rsh add the
following lines to /etc/pam.d/rsh: following lines to /etc/pam.d/rsh:
#%PAM-1.0 #%PAM-1.0
# #
auth required pam_rhosts.so auth required pam_rhosts.so
auth required pam_nologin.so auth required pam_nologin.so
auth required pam_env.so auth required pam_env.so
auth required pam_unix.so auth required pam_unix.so
6.26.6. AUTHOR 6.25.6. AUTHOR
pam_rhosts was written by Thorsten Kukuk <kukuk@thkukuk.de> pam_rhosts was written by Thorsten Kukuk <kukuk@thkukuk.de>
6.27. pam_rootok - gain only root access 6.26. pam_rootok - gain only root access
pam_rootok.so [ debug ] pam_rootok.so [ debug ]
6.27.1. DESCRIPTION 6.26.1. DESCRIPTION
pam_rootok is a PAM module that authenticates the user if their UID is 0. pam_rootok is a PAM module that authenticates the user if their UID is 0.
Applications that are created setuid-root generally retain the UID of the user Applications that are created setuid-root generally retain the UID of the user
but run with the authority of an enhanced effective-UID. It is the real UID but run with the authority of an enhanced effective-UID. It is the real UID
that is checked. that is checked.
6.27.2. OPTIONS 6.26.2. OPTIONS
debug debug
Print debug information. Print debug information.
6.27.3. MODULE TYPES PROVIDED 6.26.3. MODULE TYPES PROVIDED
The auth, account and password module types are provided. The auth, account and password module types are provided.
6.27.4. RETURN VALUES 6.26.4. RETURN VALUES
PAM_SUCCESS PAM_SUCCESS
The UID is 0. The UID is 0.
PAM_AUTH_ERR PAM_AUTH_ERR
The UID is not 0. The UID is not 0.
6.27.5. EXAMPLES 6.26.5. EXAMPLES
In the case of the su(1) application the historical usage is to permit the In the case of the su(1) application the historical usage is to permit the
superuser to adopt the identity of a lesser user without the use of a password. superuser to adopt the identity of a lesser user without the use of a password.
To obtain this behavior with PAM the following pair of lines are needed for the To obtain this behavior with PAM the following pair of lines are needed for the
corresponding entry in the /etc/pam.d/su configuration file: corresponding entry in the /etc/pam.d/su configuration file:
# su authentication. Root is granted access by default. # su authentication. Root is granted access by default.
auth sufficient pam_rootok.so auth sufficient pam_rootok.so
auth required pam_unix.so auth required pam_unix.so
6.27.6. AUTHOR 6.26.6. AUTHOR
pam_rootok was written by Andrew G. Morgan, <morgan@kernel.org>. pam_rootok was written by Andrew G. Morgan, <morgan@kernel.org>.
6.28. pam_securetty - limit root login to special devices 6.27. pam_securetty - limit root login to special devices
pam_securetty.so [ debug ] pam_securetty.so [ debug ]
6.28.1. DESCRIPTION 6.27.1. DESCRIPTION
pam_securetty is a PAM module that allows root logins only if the user is pam_securetty is a PAM module that allows root logins only if the user is
logging in on a "secure" tty, as defined by the listing in the securetty file. logging in on a "secure" tty, as defined by the listing in the securetty file.
pam_securetty checks at first, if /etc/securetty exists. If not and it was pam_securetty checks at first, if /etc/securetty exists. If not and it was
built with vendordir support, it will use %vendordir%/securetty. pam_securetty built with vendordir support, it will use %vendordir%/securetty. pam_securetty
also checks that the securetty files are plain files and not world writable. It also checks that the securetty files are plain files and not world writable. It
will also allow root logins on the tty specified with console= switch on the will also allow root logins on the tty specified with console= switch on the
kernel command line and on ttys from the /sys/class/tty/console/active. kernel command line and on ttys from the /sys/class/tty/console/active.
This module has no effect on non-root users and requires that the application This module has no effect on non-root users and requires that the application
fills in the PAM_TTY item correctly. fills in the PAM_TTY item correctly.
For canonical usage, should be listed as a required authentication method For canonical usage, should be listed as a required authentication method
before any sufficient authentication methods. before any sufficient authentication methods.
6.28.2. OPTIONS 6.27.2. OPTIONS
debug debug
Print debug information. Print debug information.
noconsole noconsole
Do not automatically allow root logins on the kernel console device, as Do not automatically allow root logins on the kernel console device, as
specified on the kernel command line or by the sys file, if it is not also specified on the kernel command line or by the sys file, if it is not also
specified in the securetty file. specified in the securetty file.
6.28.3. MODULE TYPES PROVIDED 6.27.3. MODULE TYPES PROVIDED
Only the auth module type is provided. Only the auth module type is provided.
6.28.4. RETURN VALUES 6.27.4. RETURN VALUES
PAM_SUCCESS PAM_SUCCESS
The user is allowed to continue authentication. Either the user is not The user is allowed to continue authentication. Either the user is not
root, or the root user is trying to log in on an acceptable device. root, or the root user is trying to log in on an acceptable device.
PAM_AUTH_ERR PAM_AUTH_ERR
Authentication is rejected. Either root is attempting to log in via an Authentication is rejected. Either root is attempting to log in via an
unacceptable device, or the securetty file is world writable or not a unacceptable device, or the securetty file is world writable or not a
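Review bot: the pam_pwhistory example now stacks "password required pam_passwdqc.so config=/etc/passwdqc.conf" in place of "password required pam_cracklib.so retry=3", and the use_authtok description was updated to match, but this guide has no section for pam_passwdqc (the module reference goes directly from 6.22 pam_nologin to 6.23 pam_permit), so "documented below" now points only at the example itself. Suggest adding a sentence saying where pam_passwdqc comes from and that it is not one of the modules described in this guide, or building the stacked example only from documented modules. Note also that the retry=3 argument disappeared together with pam_cracklib; pam_pwhistory's own retry=N (default 1) only matters when pam_pwhistory prompts for the password itself, which it does not do with use_authtok, so the new example has no retry count anywhere and the text could say that explicitly. Several pre-existing wording defects in the unchanged context of this region could be fixed at the same time: "always permit access" (permits), "/etc/hosts.equiv (or and ~/.rhosts" (a dangling parenthesis), "for applications to be compatible this authentication module" (compatible with), and "For canonical usage, should be listed" (missing the subject pam_securetty).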
skipping to change at line 3695 skipping to change at line 3428
An error occurred while the module was determining the user's name or tty, An error occurred while the module was determining the user's name or tty,
or the module could not open the securetty file. or the module could not open the securetty file.
PAM_USER_UNKNOWN PAM_USER_UNKNOWN
The module could not find the user name in the /etc/passwd file to verify The module could not find the user name in the /etc/passwd file to verify
whether the user had a UID of 0. Therefore, the results of running this whether the user had a UID of 0. Therefore, the results of running this
module are ignored. module are ignored.
6.28.5. EXAMPLES 6.27.5. EXAMPLES
auth required pam_securetty.so auth required pam_securetty.so
auth required pam_unix.so auth required pam_unix.so
6.28.6. AUTHOR 6.27.6. AUTHOR
pam_securetty was written by Elliot Lee <sopwith@cuc.edu>. pam_securetty was written by Elliot Lee <sopwith@cuc.edu>.
6.29. pam_selinux - set the default security context 6.28. pam_selinux - set the default security context
pam_selinux.so [ open ] [ close ] [ restore ] [ nottys ] [ debug ] [ verbose ] pam_selinux.so [ open ] [ close ] [ restore ] [ nottys ] [ debug ] [ verbose ]
[ select_context ] [ env_params ] [ use_current_range ] [ select_context ] [ env_params ] [ use_current_range ]
6.29.1. DESCRIPTION 6.28.1. DESCRIPTION
pam_selinux is a PAM module that sets up the default SELinux security context pam_selinux is a PAM module that sets up the default SELinux security context
for the next executed process. for the next executed process.
When a new session is started, the open_session part of the module computes and When a new session is started, the open_session part of the module computes and
sets up the execution security context used for the next execve(2) call, the sets up the execution security context used for the next execve(2) call, the
file security context for the controlling terminal, and the security context file security context for the controlling terminal, and the security context
used for creating a new kernel keyring. used for creating a new kernel keyring.
When the session is ended, the close_session part of the module restores old When the session is ended, the close_session part of the module restores old
security contexts that were in effect before the change made by the security contexts that were in effect before the change made by the
open_session part of the module. open_session part of the module.
Adding pam_selinux into the PAM stack might disrupt behavior of other PAM Adding pam_selinux into the PAM stack might disrupt behavior of other PAM
modules which execute applications. To avoid that, pam_selinux.so open should modules which execute applications. To avoid that, pam_selinux.so open should
be placed after such modules in the PAM stack, and pam_selinux.so close should be placed after such modules in the PAM stack, and pam_selinux.so close should
be placed before them. When such a placement is not feasible, pam_selinux.so be placed before them. When such a placement is not feasible, pam_selinux.so
restore could be used to temporary restore original security contexts. restore could be used to temporary restore original security contexts.
6.29.2. OPTIONS 6.28.2. OPTIONS
open open
Only execute the open_session part of the module. Only execute the open_session part of the module.
close close
Only execute the close_session part of the module. Only execute the close_session part of the module.
restore restore
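Review bot: the restore paragraph of the pam_selinux description still reads "could be used to temporary restore original security contexts"; since this hunk already touches the section (6.29 renumbered to 6.28), it is a good moment to correct that to "temporarily restore". The ordering advice in the same paragraph (pam_selinux.so open placed after, and pam_selinux.so close placed before, modules that execute applications) is unchanged and reads correctly.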
skipping to change at line 3779 skipping to change at line 3512
and SELINUX_USE_CURRENT_RANGE. The first two variables are self describing and SELINUX_USE_CURRENT_RANGE. The first two variables are self describing
and the last one if set to 1 makes the PAM module behave as if the and the last one if set to 1 makes the PAM module behave as if the
use_current_range was specified on the command line of the module. use_current_range was specified on the command line of the module.
use_current_range use_current_range
Use the sensitivity level of the current process for the user context Use the sensitivity level of the current process for the user context
instead of the default level. Also suppresses asking of the sensitivity instead of the default level. Also suppresses asking of the sensitivity
level from the user or obtaining it from PAM environment. level from the user or obtaining it from PAM environment.
6.29.3. MODULE TYPES PROVIDED 6.28.3. MODULE TYPES PROVIDED
Only the session module type is provided. Only the session module type is provided.
6.29.4. RETURN VALUES 6.28.4. RETURN VALUES
PAM_SUCCESS PAM_SUCCESS
The security context was set successfully. The security context was set successfully.
PAM_SESSION_ERR PAM_SESSION_ERR
Unable to get or set a valid context. Unable to get or set a valid context.
PAM_USER_UNKNOWN PAM_USER_UNKNOWN
The user is not known to the system. The user is not known to the system.
PAM_BUF_ERR PAM_BUF_ERR
Memory allocation error. Memory allocation error.
6.29.5. EXAMPLES 6.28.5. EXAMPLES
auth required pam_unix.so auth required pam_unix.so
session required pam_permit.so session required pam_permit.so
session optional pam_selinux.so session optional pam_selinux.so
6.29.6. AUTHOR 6.28.6. AUTHOR
pam_selinux was written by Dan Walsh <dwalsh@redhat.com>. pam_selinux was written by Dan Walsh <dwalsh@redhat.com>.
6.30. pam_shells - check for valid login shell 6.29. pam_shells - check for valid login shell
pam_shells.so pam_shells.so
6.30.1. DESCRIPTION 6.29.1. DESCRIPTION
pam_shells is a PAM module that only allows access to the system if the user's pam_shells is a PAM module that only allows access to the system if the user's
shell is listed in /etc/shells. shell is listed in /etc/shells.
It also checks if /etc/shells is a plain file and not world writable. It also checks if /etc/shells is a plain file and not world writable.
6.30.2. OPTIONS 6.29.2. OPTIONS
This module does not recognise any options. This module does not recognise any options.
6.30.3. MODULE TYPES PROVIDED 6.29.3. MODULE TYPES PROVIDED
The auth and account module types are provided. The auth and account module types are provided.
6.30.4. RETURN VALUES 6.29.4. RETURN VALUES
PAM_AUTH_ERR PAM_AUTH_ERR
Access to the system was denied. Access to the system was denied.
PAM_SUCCESS PAM_SUCCESS
The user's login shell was listed as valid shell in /etc/shells. The user's login shell was listed as valid shell in /etc/shells.
PAM_SERVICE_ERR PAM_SERVICE_ERR
The module was not able to get the name of the user. The module was not able to get the name of the user.
6.30.5. EXAMPLES 6.29.5. EXAMPLES
auth required pam_shells.so auth required pam_shells.so
6.30.6. AUTHOR 6.29.6. AUTHOR
pam_shells was written by Erik Troan <ewt@redhat.com>. pam_shells was written by Erik Troan <ewt@redhat.com>.
6.31. pam_succeed_if - test account characteristics 6.30. pam_succeed_if - test account characteristics
pam_succeed_if.so [flag...] [condition...] pam_succeed_if.so [flag...] [condition...]
6.31.1. DESCRIPTION 6.30.1. DESCRIPTION
pam_succeed_if.so is designed to succeed or fail authentication based on pam_succeed_if.so is designed to succeed or fail authentication based on
characteristics of the account belonging to the user being authenticated or characteristics of the account belonging to the user being authenticated or
values of other PAM items. One use is to select whether to load other modules values of other PAM items. One use is to select whether to load other modules
based on this test. based on this test.
The module should be given one or more conditions as module arguments, and The module should be given one or more conditions as module arguments, and
authentication will succeed only if all of the conditions are met. authentication will succeed only if all of the conditions are met.
6.31.2. OPTIONS 6.30.2. OPTIONS
The following flags are supported: The following flags are supported:
debug debug
Turns on debugging messages sent to syslog. Turns on debugging messages sent to syslog.
use_uid use_uid
Evaluate conditions using the account of the user whose UID the application Evaluate conditions using the account of the user whose UID the application
skipping to change at line 3964 skipping to change at line 3697
User is not in given group(s). User is not in given group(s).
user innetgr netgroup user innetgr netgroup
(user,host) is in given netgroup. (user,host) is in given netgroup.
user notinnetgr group user notinnetgr group
(user,host) is not in given netgroup. (user,host) is not in given netgroup.
6.31.3. MODULE TYPES PROVIDED 6.30.3. MODULE TYPES PROVIDED
All module types (account, auth, password and session) are provided. All module types (account, auth, password and session) are provided.
6.31.4. RETURN VALUES 6.30.4. RETURN VALUES
PAM_SUCCESS PAM_SUCCESS
The condition was true. The condition was true.
PAM_AUTH_ERR PAM_AUTH_ERR
The condition was false. The condition was false.
PAM_SERVICE_ERR PAM_SERVICE_ERR
A service error occurred or the arguments can't be parsed correctly. A service error occurred or the arguments can't be parsed correctly.
6.31.5. EXAMPLES 6.30.5. EXAMPLES
To emulate the behaviour of pam_wheel, except there is no fallback to group 0 To emulate the behaviour of pam_wheel, except there is no fallback to group 0
being only approximated by checking also the root group membership: being only approximated by checking also the root group membership:
auth required pam_succeed_if.so quiet user ingroup wheel:root auth required pam_succeed_if.so quiet user ingroup wheel:root
Given that the type matches, only loads the othermodule rule if the UID is over Given that the type matches, only loads the othermodule rule if the UID is over
500. Adjust the number after default to skip several rules. 500. Adjust the number after default to skip several rules.
type [default=1 success=ignore] pam_succeed_if.so quiet uid > 500 type [default=1 success=ignore] pam_succeed_if.so quiet uid > 500
type required othermodule.so arguments... type required othermodule.so arguments...
6.31.6. AUTHOR 6.30.6. AUTHOR
Nalin Dahyabhai <nalin@redhat.com> Nalin Dahyabhai <nalin@redhat.com>
6.32. pam_tally - login counter (tallying) module 6.31. pam_time - time controlled access
pam_tally.so [ file=/path/to/counter ] [ onerr=[fail|succeed] ] [ magic_root ]
[ even_deny_root_account ] [ deny=n ] [ lock_time=n ] [ unlock_time=n ] [
per_user ] [ no_lock_time ] [ no_reset ] [ audit ] [ silent ] [ no_log_info ]
pam_tally [ --file /path/to/counter ] [ --user username ] [ --reset[=n] ] [
6.32.1. DESCRIPTION
This module maintains a count of attempted accesses, can reset count on
success, can deny access if too many attempts fail.
pam_tally has several limitations, which are solved with pam_tally2. For this
reason pam_tally is deprecated and will be removed in a future release.
pam_tally comes in two parts: pam_tally.so and pam_tally. The former is the PAM
module and the latter, a stand-alone program. pam_tally is an (optional)
application which can be used to interrogate and manipulate the counter file.
It can display user counts, set individual counts, or clear all counts. Setting
artificially high counts may be useful for blocking users without changing
their passwords. For example, one might find it useful to clear all counts
every midnight from a cron job. The faillog(8) command can be used instead of
pam_tally to to maintain the counter file.
Normally, failed attempts to access root will not cause the root account to
become blocked, to prevent denial-of-service: if your users aren't given shell
accounts and root may only login via su or at the machine console (not telnet/
rsh, etc), this is safe.
6.32.2. OPTIONS
GLOBAL OPTIONS
This can be used for auth and account module types.
onerr=[fail|succeed]
If something weird happens (like unable to open the file), return with
PAM_SUCCESS if onerr=succeed is given, else with the corresponding PAM
error code.
file=/path/to/counter
File where to keep counts. Default is /var/log/faillog.
audit
Will log the user name into the system log if the user is not found.
silent
Don't print informative messages. The messages printed without the
silent option leak presence of accounts on the system because they are
not printed for non-existing accounts.
no_log_info
Don't log informative messages via syslog(3).
AUTH OPTIONS
Authentication phase first checks if user should be denied access and if
not it increments attempted login counter. Then on call to pam_setcred(3)
it resets the attempts counter.
deny=n
Deny access if tally for this user exceeds n.
lock_time=n
Always deny for n seconds after failed attempt.
unlock_time=n
Allow access after n seconds after failed attempt. If this option is
used the user will be locked out for the specified amount of time after
he exceeded his maximum allowed attempts. Otherwise the account is
locked until the lock is removed by a manual intervention of the system
administrator.
magic_root
If the module is invoked by a user with uid=0 the counter is not
incremented. The sysadmin should use this for user launched services,
like su, otherwise this argument should be omitted.
no_lock_time
Do not use the .fail_locktime field in /var/log/faillog for this user.
no_reset
Don't reset count on successful entry, only decrement.
even_deny_root_account
Root account can become unavailable.
per_user
If /var/log/faillog contains a non-zero .fail_max/.fail_locktime field
for this user then use it instead of deny=n/ lock_time=n parameter.
no_lock_time
Don't use .fail_locktime filed in /var/log/faillog for this user.
ACCOUNT OPTIONS
Account phase resets attempts counter if the user is not magic root. This
phase can be used optionally for services which don't call pam_setcred(3)
correctly or if the reset should be done regardless of the failure of the
account phase of other modules.
magic_root
If the module is invoked by a user with uid=0 the counter is not
incremented. The sysadmin should use this for user launched services,
like su, otherwise this argument should be omitted.
no_reset
Don't reset count on successful entry, only decrement.
6.32.3. MODULE TYPES PROVIDED
The auth and account module types are provided.
6.32.4. RETURN VALUES
PAM_AUTH_ERR
A invalid option was given, the module was not able to retrieve the user
name, no valid counter file was found, or too many failed logins.
PAM_SUCCESS
Everything was successful.
PAM_USER_UNKNOWN
User not known.
6.32.5. EXAMPLES
Add the following line to /etc/pam.d/login to lock the account after too many
failed logins. The number of allowed fails is specified by /var/log/faillog and
needs to be set with pam_tally or faillog(8) before.
auth required pam_securetty.so
auth required pam_tally.so per_user
auth required pam_env.so
auth required pam_unix.so
auth required pam_nologin.so
account required pam_unix.so
password required pam_unix.so
session required pam_limits.so
session required pam_unix.so
session required pam_lastlog.so nowtmp
session optional pam_mail.so standard
6.32.6. AUTHOR
pam_tally was written by Tim Baverstock and Tomas Mraz.
6.33. pam_tally2 - login counter (tallying) module
pam_tally2.so [ file=/path/to/counter ] [ onerr=[fail|succeed] ] [ magic_root ]
[ even_deny_root ] [ deny=n ] [ lock_time=n ] [ unlock_time=n ] [
root_unlock_time=n ] [ serialize ] [ audit ] [ silent ] [ no_log_info ] [ debug
]
pam_tally2 [ --file /path/to/counter ] [ --user username ] [ --reset[=n] ] [
6.33.1. DESCRIPTION
This module maintains a count of attempted accesses, can reset count on
success, can deny access if too many attempts fail.
pam_tally2 comes in two parts: pam_tally2.so and pam_tally2. The former is the
PAM module and the latter, a stand-alone program. pam_tally2 is an (optional)
application which can be used to interrogate and manipulate the counter file.
It can display user counts, set individual counts, or clear all counts. Setting
artificially high counts may be useful for blocking users without changing
their passwords. For example, one might find it useful to clear all counts
every midnight from a cron job.
Normally, failed attempts to access root will not cause the root account to
become blocked, to prevent denial-of-service: if your users aren't given shell
accounts and root may only login via su or at the machine console (not telnet/
rsh, etc), this is safe.
6.33.2. OPTIONS
GLOBAL OPTIONS
This can be used for auth and account module types.
onerr=[fail|succeed]
If something weird happens (like unable to open the file), return with
PAM_SUCCESS if onerr=succeed is given, else with the corresponding PAM
error code.
file=/path/to/counter
File where to keep counts. Default is /var/log/tallylog.
audit
Will log the user name into the system log if the user is not found.
silent
Don't print informative messages. The messages printed without the
silent option leak presence of accounts on the system because they are
not printed for non-existing accounts.
no_log_info
Don't log informative messages via syslog(3).
debug
Always log tally count when it is incremented as a debug level message
to the system log.
AUTH OPTIONS
Authentication phase first increments attempted login counter and checks if
user should be denied access. If the user is authenticated and the login
process continues on call to pam_setcred(3) it resets the attempts counter.
deny=n
Deny access if tally for this user exceeds n.
lock_time=n
Always deny for n seconds after failed attempt.
unlock_time=n
Allow access after n seconds after failed attempt. If this option is
used the user will be locked out for the specified amount of time after
he exceeded his maximum allowed attempts. Otherwise the account is
locked until the lock is removed by a manual intervention of the system
administrator.
magic_root
If the module is invoked by a user with uid=0 the counter is not
incremented. The sysadmin should use this for user launched services,
like su, otherwise this argument should be omitted.
even_deny_root
Root account can become unavailable.
root_unlock_time=n
This option implies even_deny_root option. Allow access after n seconds
to root account after failed attempt. If this option is used the root
user will be locked out for the specified amount of time after he
exceeded his maximum allowed attempts.
serialize
Serialize access to the tally file using locks. This option might be
used only for non-multithreaded services because it depends on the
fcntl locking of the tally file. Also it is a good idea to use this
option only in such configurations where the time between auth phase
and account or setcred phase is not dependent on the authenticating
client. Otherwise the authenticating client will be able to prevent
simultaneous authentications by the same user by simply artificially
prolonging the time the file record lock is held.
ACCOUNT OPTIONS
Account phase resets attempts counter if the user is not magic root. This
phase can be used optionally for services which don't call pam_setcred(3)
correctly or if the reset should be done regardless of the failure of the
account phase of other modules.
magic_root
If the module is invoked by a user with uid=0 the counter is not
changed. The sysadmin should use this for user launched services, like
su, otherwise this argument should be omitted.
6.33.3. MODULE TYPES PROVIDED
The auth and account module types are provided.
6.33.4. RETURN VALUES
PAM_AUTH_ERR
A invalid option was given, the module was not able to retrieve the user
name, no valid counter file was found, or too many failed logins.
PAM_SUCCESS
Everything was successful.
PAM_USER_UNKNOWN
User not known.
6.33.5. NOTES
pam_tally2 is not compatible with the old pam_tally faillog file format. This
is caused by requirement of compatibility of the tallylog file format between
32bit and 64bit architectures on multiarch systems.
There is no setuid wrapper for access to the data file such as when the
pam_tally2.so module is called from xscreensaver. As this would make it
impossible to share PAM configuration with such services the following
workaround is used: If the data file cannot be opened because of insufficient
permissions (EACCES) the module returns PAM_IGNORE.
6.33.6. EXAMPLES
Add the following line to /etc/pam.d/login to lock the account after 4 failed
logins. Root account will be locked as well. The accounts will be automatically
unlocked after 20 minutes. The module does not have to be called in the account
phase because the login calls pam_setcred(3) correctly.
auth required pam_securetty.so
auth required pam_tally2.so deny=4 even_deny_root unlock_time=1200
auth required pam_env.so
auth required pam_unix.so
auth required pam_nologin.so
account required pam_unix.so
password required pam_unix.so
session required pam_limits.so
session required pam_unix.so
session required pam_lastlog.so nowtmp
session optional pam_mail.so standard
6.33.7. FILES
/var/log/tallylog
failure count logging file
6.33.8. AUTHOR
pam_tally2 was written by Tim Baverstock and Tomas Mraz.
6.34. pam_time - time controlled access
pam_time.so [ conffile=conf-file ] [ debug ] [ noaudit ] pam_time.so [ conffile=conf-file ] [ debug ] [ noaudit ]
6.34.1. DESCRIPTION 6.31.1. DESCRIPTION
The pam_time PAM module does not authenticate the user, but instead it The pam_time PAM module does not authenticate the user, but instead it
restricts access to a system and or specific applications at various times of restricts access to a system and or specific applications at various times of
the day and on specific days or over various terminal lines. This module can be the day and on specific days or over various terminal lines. This module can be
configured to deny access to (individual) users based on their name, the time configured to deny access to (individual) users based on their name, the time
of day, the day of week, the service they are applying for and their terminal of day, the day of week, the service they are applying for and their terminal
from which they are making their request. from which they are making their request.
By default rules for time/port access are taken from config file /etc/security/ By default rules for time/port access are taken from config file /etc/security/
time.conf. An alternative file can be specified with the conffile option. time.conf. An alternative file can be specified with the conffile option.
If Linux PAM is compiled with audit support the module will report when it If Linux PAM is compiled with audit support the module will report when it
denies access. denies access.
6.34.2. DESCRIPTION 6.31.2. DESCRIPTION
The pam_time PAM module does not authenticate the user, but instead it The pam_time PAM module does not authenticate the user, but instead it
restricts access to a system and or specific applications at various times of restricts access to a system and or specific applications at various times of
the day and on specific days or over various terminal lines. This module can be the day and on specific days or over various terminal lines. This module can be
configured to deny access to (individual) users based on their name, the time configured to deny access to (individual) users based on their name, the time
of day, the day of week, the service they are applying for and their terminal of day, the day of week, the service they are applying for and their terminal
from which they are making their request. from which they are making their request.
For this module to function correctly there must be a correctly formatted /etc/ For this module to function correctly there must be a correctly formatted /etc/
security/time.conf file present. White spaces are ignored and lines maybe security/time.conf file present. White spaces are ignored and lines maybe
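Review bot: the pam_tally2 section (6.33 in 1.4.0) is dropped together with the pam_tally section, but unlike pam_tally, whose own text said it "is deprecated and will be removed in a future release", nothing in the removed pam_tally2 text or in the surviving 1.5.0 lines announces that removal or points readers at a replacement; an administrator who followed the documented "auth required pam_tally2.so deny=4 even_deny_root unlock_time=1200" line in /etc/pam.d/login gets no guidance here, so a short migration note at the point where pam_time now directly follows pam_succeed_if would help. Separately, in the retained pam_time text both 6.31.1 and 6.31.2 are headed DESCRIPTION and open with the identical paragraph ("The pam_time PAM module does not authenticate the user, ..."); the second copy of that paragraph can be dropped, and "lines maybe" in the same subsection should read "lines may be".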
skipping to change at line 4429 skipping to change at line 3808
is deemed to apply on the following day). is deemed to apply on the following day).
For a rule to be active, ALL of service+ttys+users must be satisfied by the For a rule to be active, ALL of service+ttys+users must be satisfied by the
applying process. applying process.
Note, currently there is no daemon enforcing the end of a session. This needs Note, currently there is no daemon enforcing the end of a session. This needs
to be remedied. to be remedied.
Poorly formatted rules are logged as errors using syslog(3). Poorly formatted rules are logged as errors using syslog(3).
6.34.3. OPTIONS 6.31.3. OPTIONS
conffile=/path/to/time.conf conffile=/path/to/time.conf
Indicate an alternative time.conf style configuration file to override the Indicate an alternative time.conf style configuration file to override the
default. default.
debug debug
Some debug information is printed with syslog(3). Some debug information is printed with syslog(3).
noaudit noaudit
Do not report logins at disallowed time to the audit subsystem. Do not report logins at disallowed time to the audit subsystem.
6.34.4. MODULE TYPES PROVIDED 6.31.4. MODULE TYPES PROVIDED
Only the account type is provided. Only the account type is provided.
6.34.5. RETURN VALUES 6.31.5. RETURN VALUES
PAM_SUCCESS PAM_SUCCESS
Access was granted. Access was granted.
PAM_ABORT PAM_ABORT
Not all relevant data could be gotten. Not all relevant data could be gotten.
PAM_BUF_ERR PAM_BUF_ERR
skipping to change at line 4470 skipping to change at line 3849
Memory buffer error. Memory buffer error.
PAM_PERM_DENIED PAM_PERM_DENIED
Access was not granted. Access was not granted.
PAM_USER_UNKNOWN PAM_USER_UNKNOWN
The user is not known to the system. The user is not known to the system.
6.34.6. FILES 6.31.6. FILES
/etc/security/time.conf /etc/security/time.conf
Default configuration file Default configuration file
6.34.7. EXAMPLES 6.31.7. EXAMPLES
These are some example lines which might be specified in /etc/security/ These are some example lines which might be specified in /etc/security/
time.conf. time.conf.
All users except for root are denied access to console-login at all times: All users except for root are denied access to console-login at all times:
login ; tty* & !ttyp* ; !root ; !Al0000-2400 login ; tty* & !ttyp* ; !root ; !Al0000-2400
Games (configured to use PAM) are only to be accessed out of working hours. Games (configured to use PAM) are only to be accessed out of working hours.
This rule does not apply to the user waster: This rule does not apply to the user waster:
games ; * ; !waster ; Wd0000-2400 | Wk1800-0800 games ; * ; !waster ; Wd0000-2400 | Wk1800-0800
6.34.8. AUTHOR 6.31.8. AUTHOR
pam_time was written by Andrew G. Morgan <morgan@kernel.org>. pam_time was written by Andrew G. Morgan <morgan@kernel.org>.
6.35. pam_timestamp - authenticate using cached successful authentication 6.32. pam_timestamp - authenticate using cached successful authentication
attempts attempts
pam_timestamp.so [ timestampdir=directory ] [ timestamp_timeout=number ] [ pam_timestamp.so [ timestampdir=directory ] [ timestamp_timeout=number ] [
verbose ] [ debug ] verbose ] [ debug ]
6.35.1. DESCRIPTION 6.32.1. DESCRIPTION
In a nutshell, pam_timestamp caches successful authentication attempts, and In a nutshell, pam_timestamp caches successful authentication attempts, and
allows you to use a recent successful attempt as the basis for authentication. allows you to use a recent successful attempt as the basis for authentication.
This is similar mechanism which is used in sudo. This is similar mechanism which is used in sudo.
When an application opens a session using pam_timestamp, a timestamp file is When an application opens a session using pam_timestamp, a timestamp file is
created in the timestampdir directory for the user. When an application created in the timestampdir directory for the user. When an application
attempts to authenticate the user, a pam_timestamp will treat a sufficiently attempts to authenticate the user, a pam_timestamp will treat a sufficiently
recent timestamp file as grounds for succeeding. recent timestamp file as grounds for succeeding.
6.35.2. OPTIONS 6.32.2. OPTIONS
timestampdir=directory timestampdir=directory
Specify an alternate directory where pam_timestamp creates timestamp files. Specify an alternate directory where pam_timestamp creates timestamp files.
timestamp_timeout=number timestamp_timeout=number
How long should pam_timestamp treat timestamp as valid after their last How long should pam_timestamp treat timestamp as valid after their last
modification date (in seconds). Default is 300 seconds. modification date (in seconds). Default is 300 seconds.
verbose verbose
Attempt to inform the user when access is granted. Attempt to inform the user when access is granted.
debug debug
Turns on debugging messages sent to syslog(3). Turns on debugging messages sent to syslog(3).
6.35.3. MODULE TYPES PROVIDED 6.32.3. MODULE TYPES PROVIDED
The auth and session module types are provided. The auth and session module types are provided.
6.35.4. RETURN VALUES 6.32.4. RETURN VALUES
PAM_AUTH_ERR PAM_AUTH_ERR
The module was not able to retrieve the user name or no valid timestamp The module was not able to retrieve the user name or no valid timestamp
file was found. file was found.
PAM_SUCCESS PAM_SUCCESS
Everything was successful. Everything was successful.
PAM_SESSION_ERR PAM_SESSION_ERR
Timestamp file could not be created or updated. Timestamp file could not be created or updated.
6.35.5. NOTES 6.32.5. NOTES
Users can get confused when they are not always asked for passwords when Users can get confused when they are not always asked for passwords when
running a given program. Some users reflexively begin typing information before running a given program. Some users reflexively begin typing information before
noticing that it is not being asked for. noticing that it is not being asked for.
6.35.6. EXAMPLES 6.32.6. EXAMPLES
auth sufficient pam_timestamp.so verbose auth sufficient pam_timestamp.so verbose
auth required pam_unix.so auth required pam_unix.so
session required pam_unix.so session required pam_unix.so
session optional pam_timestamp.so session optional pam_timestamp.so
6.35.7. FILES 6.32.7. FILES
/var/run/pam_timestamp/... /var/run/pam_timestamp/...
timestamp files and directories timestamp files and directories
6.35.8. AUTHOR 6.32.8. AUTHOR
pam_timestamp was written by Nalin Dahyabhai. pam_timestamp was written by Nalin Dahyabhai.
6.36. pam_umask - set the file mode creation mask 6.33. pam_umask - set the file mode creation mask
pam_umask.so [ debug ] [ silent ] [ usergroups ] [ nousergroups ] [ umask=mask pam_umask.so [ debug ] [ silent ] [ usergroups ] [ nousergroups ] [ umask=mask
] ]
6.36.1. DESCRIPTION 6.33.1. DESCRIPTION
pam_umask is a PAM module to set the file mode creation mask of the current pam_umask is a PAM module to set the file mode creation mask of the current
environment. The umask affects the default permissions assigned to newly environment. The umask affects the default permissions assigned to newly
created files. created files.
The PAM module tries to get the umask value from the following places in the The PAM module tries to get the umask value from the following places in the
following order: following order:
• umask= entry in the user's GECOS field • umask= entry in the user's GECOS field
skipping to change at line 4600 skipping to change at line 3979
• UMASK entry from /etc/login.defs • UMASK entry from /etc/login.defs
• UMASK= entry from /etc/default/login • UMASK= entry from /etc/default/login
The GECOS field is split on comma ',' characters. The module also in addition The GECOS field is split on comma ',' characters. The module also in addition
to the umask= entry recognizes pri= entry, which sets the nice priority value to the umask= entry recognizes pri= entry, which sets the nice priority value
for the session, and ulimit= entry, which sets the maximum size of files the for the session, and ulimit= entry, which sets the maximum size of files the
processes in the session can create. processes in the session can create.
6.36.2. OPTIONS 6.33.2. OPTIONS
debug debug
Print debug information. Print debug information.
silent silent
Don't print informative messages. Don't print informative messages.
usergroups usergroups
skipping to change at line 4627 skipping to change at line 4006
This is the direct opposite of the usergroups option described above, which This is the direct opposite of the usergroups option described above, which
can be useful in case pam_umask has been compiled with usergroups enabled can be useful in case pam_umask has been compiled with usergroups enabled
by default and you want to disable it at runtime. by default and you want to disable it at runtime.
umask=mask umask=mask
Sets the calling process's file mode creation mask (umask) to mask & 0777. Sets the calling process's file mode creation mask (umask) to mask & 0777.
The value is interpreted as Octal. The value is interpreted as Octal.
6.36.3. MODULE TYPES PROVIDED 6.33.3. MODULE TYPES PROVIDED
Only the session type is provided. Only the session type is provided.
6.36.4. RETURN VALUES 6.33.4. RETURN VALUES
PAM_SUCCESS PAM_SUCCESS
The new umask was set successfully. The new umask was set successfully.
PAM_BUF_ERR PAM_BUF_ERR
Memory buffer error. Memory buffer error.
PAM_CONV_ERR PAM_CONV_ERR
skipping to change at line 4659 skipping to change at line 4038
PAM_CONV_AGAIN. PAM_CONV_AGAIN.
PAM_SERVICE_ERR PAM_SERVICE_ERR
No username was given. No username was given.
PAM_USER_UNKNOWN PAM_USER_UNKNOWN
User not known. User not known.
6.36.5. EXAMPLES 6.33.5. EXAMPLES
Add the following line to /etc/pam.d/login to set the user specific umask at Add the following line to /etc/pam.d/login to set the user specific umask at
login: login:
session optional pam_umask.so umask=0022 session optional pam_umask.so umask=0022
6.36.6. AUTHOR 6.33.6. AUTHOR
pam_umask was written by Thorsten Kukuk <kukuk@thkukuk.de>. pam_umask was written by Thorsten Kukuk <kukuk@thkukuk.de>.
6.37. pam_unix - traditional password authentication 6.34. pam_unix - traditional password authentication
pam_unix.so [ ... ] pam_unix.so [ ... ]
6.37.1. DESCRIPTION 6.34.1. DESCRIPTION
This is the standard Unix authentication module. It uses standard calls from This is the standard Unix authentication module. It uses standard calls from
the system's libraries to retrieve and set account information as well as the system's libraries to retrieve and set account information as well as
authentication. Usually this is obtained from the /etc/passwd and the /etc/ authentication. Usually this is obtained from the /etc/passwd and the /etc/
shadow file as well if shadow is enabled. shadow file as well if shadow is enabled.
The account component performs the task of establishing the status of the The account component performs the task of establishing the status of the
user's account and password based on the following shadow elements: expire, user's account and password based on the following shadow elements: expire,
last_change, max_change, min_change, warn_change. In the case of the latter, it last_change, max_change, min_change, warn_change. In the case of the latter, it
may offer advice to the user on changing their password or, through the may offer advice to the user on changing their password or, through the
skipping to change at line 4720 skipping to change at line 4099
The password component of this module performs the task of updating the user's The password component of this module performs the task of updating the user's
password. The default encryption hash is taken from the ENCRYPT_METHOD variable password. The default encryption hash is taken from the ENCRYPT_METHOD variable
from /etc/login.defs from /etc/login.defs
The session component of this module logs when a user logs in or leaves the The session component of this module logs when a user logs in or leaves the
system. system.
Remaining arguments, supported by other functions of this module, are silently Remaining arguments, supported by other functions of this module, are silently
ignored. Other arguments are logged as errors through syslog(3). ignored. Other arguments are logged as errors through syslog(3).
6.37.2. OPTIONS 6.34.2. OPTIONS
debug debug
Turns on debugging via syslog(3). Turns on debugging via syslog(3).
audit audit
A little more extreme than debug. A little more extreme than debug.
quiet quiet
skipping to change at line 4771 skipping to change at line 4150
This argument can be used to discourage the authentication component from This argument can be used to discourage the authentication component from
requesting a delay should the authentication as a whole fail. The default requesting a delay should the authentication as a whole fail. The default
action is for the module to request a delay-on-failure of the order of two action is for the module to request a delay-on-failure of the order of two
seconds. seconds.
use_authtok use_authtok
When changing passwords, force the module to set the new password to the When changing passwords, force the module to set the new password to the
one provided by a previously stacked password module (this is used in the one provided by a previously stacked password module (this is used in the
example of the stacking of the pam_cracklib module documented below). example of the stacking of the pam_passwdqc module documented below).
authtok_type=type authtok_type=type
This argument can be used to modify the password prompt when changing This argument can be used to modify the password prompt when changing
passwords to include the type of the password. Empty by default. passwords to include the type of the password. Empty by default.
nis nis
NIS RPC is used for setting new passwords. NIS RPC is used for setting new passwords.
skipping to change at line 4857 skipping to change at line 4236
When set, ignore password expiration as defined by the shadow entry of the When set, ignore password expiration as defined by the shadow entry of the
user. The option has an effect only if pam_unix was not used for the user. The option has an effect only if pam_unix was not used for the
authentication or it returned an authentication failure, meaning that another authentication or it returned an authentication failure, meaning that another
authentication source or method succeeded. An example is public key authentication source or method succeeded. An example is public key
authentication in sshd. The module will then return PAM_SUCCESS instead of authentication in sshd. The module will then return PAM_SUCCESS instead of
the eventual PAM_NEW_AUTHTOK_REQD or PAM_AUTHTOK_EXPIRED. the eventual PAM_NEW_AUTHTOK_REQD or PAM_AUTHTOK_EXPIRED.
Invalid arguments are logged with syslog(3). Invalid arguments are logged with syslog(3).
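To make the account component's shadow checks and the no_pass_expiry option concrete, here is an added Python model (example code, not part of Linux-PAM or of this guide). It takes the shadow(5) day-count fields named above plus the current day and returns the result pam_unix would hand back. The ordering of the checks, the inactivity grace period, and the unix_auth_succeeded flag that stands in for "pam_unix was not used for the authentication" are assumptions of this model; min_change, which limits how soon a password may be changed again, is carried in the entry but not evaluated here.

```python
from dataclasses import dataclass

# Result names mirror the PAM constants used on this page.
PAM_SUCCESS = "PAM_SUCCESS"
PAM_ACCT_EXPIRED = "PAM_ACCT_EXPIRED"
PAM_NEW_AUTHTOK_REQD = "PAM_NEW_AUTHTOK_REQD"
PAM_AUTHTOK_EXPIRED = "PAM_AUTHTOK_EXPIRED"


@dataclass
class ShadowEntry:
    """The shadow(5) fields the account component looks at.
    Day counts are days since 1970-01-01; -1 means 'not set'."""
    last_change: int       # sp_lstchg; 0 forces a change at next login
    min_change: int = 0    # sp_min; governs password changes, not checked here
    max_change: int = -1   # sp_max; -1 = the password never expires
    warn_change: int = -1  # sp_warn; days of warning before expiry
    inactive: int = -1     # sp_inact; grace days after expiry before lock-out
    expire: int = -1       # sp_expire; day the whole account expires


def check_account(entry, today, no_pass_expiry=False, unix_auth_succeeded=True):
    """Return (pam_result, warn_days).  warn_days is the number of days left
    before the password expires when that lies inside the warning window,
    otherwise None.  (Simplified model, see the lead-in.)"""
    # Account expiry is unconditional: no_pass_expiry covers password expiry only.
    if entry.expire >= 0 and today >= entry.expire:
        return PAM_ACCT_EXPIRED, None

    result, warn_days = PAM_SUCCESS, None
    if entry.last_change == 0:
        # An administrator has forced a password change.
        result = PAM_NEW_AUTHTOK_REQD
    elif entry.max_change >= 0:
        expiry_day = entry.last_change + entry.max_change
        if today > expiry_day:
            # Past expiry: still changeable inside the inactivity grace period,
            # locked out once that has also elapsed.
            locked = entry.inactive >= 0 and today > expiry_day + entry.inactive
            result = PAM_AUTHTOK_EXPIRED if locked else PAM_NEW_AUTHTOK_REQD
        elif entry.warn_change > 0 and expiry_day - today < entry.warn_change:
            warn_days = expiry_day - today

    # no_pass_expiry only bites when something other than pam_unix (for example
    # sshd public-key authentication) authenticated the user.
    if (result in (PAM_NEW_AUTHTOK_REQD, PAM_AUTHTOK_EXPIRED)
            and no_pass_expiry and not unix_auth_succeeded):
        return PAM_SUCCESS, warn_days
    return result, warn_days
```

The model makes the documented asymmetry visible: a forced change or an expired password is reported as PAM_NEW_AUTHTOK_REQD (or PAM_AUTHTOK_EXPIRED once the grace period is over) when the user came in through pam_unix, but collapses to PAM_SUCCESS under no_pass_expiry when another method succeeded, while account expiry is never waived.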
6.37.3. MODULE TYPES PROVIDED 6.34.3. MODULE TYPES PROVIDED
All module types (account, auth, password and session) are provided. All module types (account, auth, password and session) are provided.
6.37.4. RETURN VALUES 6.34.4. RETURN VALUES
PAM_IGNORE PAM_IGNORE
Ignore this module. Ignore this module.
6.37.5. EXAMPLES 6.34.5. EXAMPLES
An example usage for /etc/pam.d/login would be: An example usage for /etc/pam.d/login would be:
# Authenticate the user # Authenticate the user
auth required pam_unix.so auth required pam_unix.so
# Ensure the user's account and password are still active # Ensure the user's account and password are still active
account required pam_unix.so account required pam_unix.so
# Change the user's password, but at first check the strength # Change the user's password, but at first check the strength
# with pam_cracklib(8) # with pam_passwdqc(8)
password required pam_cracklib.so retry=3 minlen=6 difok=3 password required pam_passwdqc.so config=/etc/passwdqc.conf
password required pam_unix.so use_authtok nullok yescrypt password required pam_unix.so use_authtok nullok yescrypt
session required pam_unix.so session required pam_unix.so
6.37.6. AUTHOR 6.34.6. AUTHOR
pam_unix was written by various people. pam_unix was written by various people.
6.38. pam_userdb - authenticate against a db database 6.35. pam_userdb - authenticate against a db database
pam_userdb.so db=/path/database [ debug ] [ crypt=[crypt|none] ] [ icase ] [ pam_userdb.so db=/path/database [ debug ] [ crypt=[crypt|none] ] [ icase ] [
dump ] [ try_first_pass ] [ use_first_pass ] [ unknown_ok ] [ key_only ] dump ] [ try_first_pass ] [ use_first_pass ] [ unknown_ok ] [ key_only ]
6.38.1. DESCRIPTION 6.35.1. DESCRIPTION
The pam_userdb module is used to verify a username/password pair against values The pam_userdb module is used to verify a username/password pair against values
stored in a Berkeley DB database. The database is indexed by the username, and stored in a Berkeley DB database. The database is indexed by the username, and
the data fields corresponding to the username keys are the passwords. the data fields corresponding to the username keys are the passwords.
6.38.2. OPTIONS 6.35.2. OPTIONS
crypt=[crypt|none] crypt=[crypt|none]
Indicates whether encrypted or plaintext passwords are stored in the Indicates whether encrypted or plaintext passwords are stored in the
database. If it is crypt, passwords should be stored in the database in database. If it is crypt, passwords should be stored in the database in
crypt(3) form. If none is selected, passwords should be stored in the crypt(3) form. If none is selected, passwords should be stored in the
database as plaintext. database as plaintext.
db=/path/database db=/path/database
skipping to change at line 4952 skipping to change at line 4331
username/password pair in more than a database. username/password pair in more than a database.
key_only key_only
The username and password are concatenated together in the database hash as The username and password are concatenated together in the database hash as
'username-password' with a random value. If the concatenation of the 'username-password' with a random value. If the concatenation of the
username and password with a dash in the middle returns any result, the username and password with a dash in the middle returns any result, the
user is valid. This is useful in cases where the username may not be unique user is valid. This is useful in cases where the username may not be unique
but the username and password pair are. but the username and password pair are.
6.38.3. MODULE TYPES PROVIDED 6.35.3. MODULE TYPES PROVIDED
The auth and account module types are provided. The auth and account module types are provided.
6.38.4. RETURN VALUES 6.35.4. RETURN VALUES
PAM_AUTH_ERR PAM_AUTH_ERR
Authentication failure. Authentication failure.
PAM_AUTHTOK_RECOVERY_ERR PAM_AUTHTOK_RECOVERY_ERR
Authentication information cannot be recovered. Authentication information cannot be recovered.
PAM_BUF_ERR PAM_BUF_ERR
skipping to change at line 4986 skipping to change at line 4365
Error in service module. Error in service module.
PAM_SUCCESS PAM_SUCCESS
Success. Success.
PAM_USER_UNKNOWN PAM_USER_UNKNOWN
User not known to the underlying authentication module. User not known to the underlying authentication module.
6.38.5. EXAMPLES 6.35.5. EXAMPLES
auth sufficient pam_userdb.so icase db=/etc/dbtest auth sufficient pam_userdb.so icase db=/etc/dbtest
6.38.6. AUTHOR 6.35.6. AUTHOR
pam_userdb was written by Cristian Gafton <gafton@redhat.com>. pam_userdb was written by Cristian Gafton <gafton@redhat.com>.
6.39. pam_warn - logs all PAM items 6.36. pam_warn - logs all PAM items
pam_warn.so pam_warn.so
6.39.1. DESCRIPTION 6.36.1. DESCRIPTION
pam_warn is a PAM module that logs the service, terminal, user, remote user and pam_warn is a PAM module that logs the service, terminal, user, remote user and
remote host to syslog(3). The items are not probed for, but instead obtained remote host to syslog(3). The items are not probed for, but instead obtained
from the standard PAM items. The module always returns PAM_IGNORE, indicating from the standard PAM items. The module always returns PAM_IGNORE, indicating
that it does not want to affect the authentication process. that it does not want to affect the authentication process.
6.39.2. OPTIONS 6.36.2. OPTIONS
This module does not recognise any options. This module does not recognise any options.
6.39.3. MODULE TYPES PROVIDED 6.36.3. MODULE TYPES PROVIDED
The auth, account, password and session module types are provided. The auth, account, password and session module types are provided.
6.39.4. RETURN VALUES 6.36.4. RETURN VALUES
PAM_IGNORE PAM_IGNORE
This module always returns PAM_IGNORE. This module always returns PAM_IGNORE.
6.39.5. EXAMPLES 6.36.5. EXAMPLES
#%PAM-1.0 #%PAM-1.0
# #
# If we don't have config entries for a service, the # If we don't have config entries for a service, the
# OTHER entries are used. To be secure, warn and deny # OTHER entries are used. To be secure, warn and deny
# access to everything. # access to everything.
other auth required pam_warn.so other auth required pam_warn.so
other auth required pam_deny.so other auth required pam_deny.so
other account required pam_warn.so other account required pam_warn.so
other account required pam_deny.so other account required pam_deny.so
other password required pam_warn.so other password required pam_warn.so
other password required pam_deny.so other password required pam_deny.so
other session required pam_warn.so other session required pam_warn.so
other session required pam_deny.so other session required pam_deny.so
6.39.6. AUTHOR 6.36.6. AUTHOR
pam_warn was written by Andrew G. Morgan <morgan@kernel.org>. pam_warn was written by Andrew G. Morgan <morgan@kernel.org>.
6.40. pam_wheel - only permit root access to members of group wheel 6.37. pam_wheel - only permit root access to members of group wheel
pam_wheel.so [ debug ] [ deny ] [ group=name ] [ root_only ] [ trust ] [ pam_wheel.so [ debug ] [ deny ] [ group=name ] [ root_only ] [ trust ] [
use_uid ] use_uid ]
6.40.1. DESCRIPTION 6.37.1. DESCRIPTION
The pam_wheel PAM module is used to enforce the so-called wheel group. By The pam_wheel PAM module is used to enforce the so-called wheel group. By
default it permits access to the target user if the applicant user is a member default it permits access to the target user if the applicant user is a member
of the wheel group. If no group with this name exists, the module uses the of the wheel group. If no group with this name exists, the module uses the
group with the group-ID 0. group with the group-ID 0.
6.40.2. OPTIONS 6.37.2. OPTIONS
debug debug
Print debug information. Print debug information.
deny deny
Reverse the sense of the auth operation: if the user is trying to get UID 0 Reverse the sense of the auth operation: if the user is trying to get UID 0
access and is a member of the wheel group (or the group of the group access and is a member of the wheel group (or the group of the group
option), deny access. Conversely, if the user is not in the group, return option), deny access. Conversely, if the user is not in the group, return
skipping to change at line 5083 skipping to change at line 4462
trust trust
The pam_wheel module will return PAM_SUCCESS instead of PAM_IGNORE if the The pam_wheel module will return PAM_SUCCESS instead of PAM_IGNORE if the
user is a member of the wheel group (thus, with suitable stacking of the user is a member of the wheel group (thus, with suitable stacking of the
modules, wheel members may be able to su to root without being prompted modules, wheel members may be able to su to root without being prompted
for a password). for a password).
use_uid use_uid
The check for wheel membership will be done against the current uid instead The check will be done against the real uid of the calling process, instead
of the original one (useful when jumping with su from one account to of trying to obtain the user from the login session associated with the
another for example). terminal in use.
6.40.3. MODULE TYPES PROVIDED 6.37.3. MODULE TYPES PROVIDED
The auth and account module types are provided. The auth and account module types are provided.
6.40.4. RETURN VALUES 6.37.4. RETURN VALUES
PAM_AUTH_ERR PAM_AUTH_ERR
Authentication failure. Authentication failure.
PAM_BUF_ERR PAM_BUF_ERR
Memory buffer error. Memory buffer error.
PAM_IGNORE PAM_IGNORE
skipping to change at line 5121 skipping to change at line 4500
Cannot determine the user name. Cannot determine the user name.
PAM_SUCCESS PAM_SUCCESS
Success. Success.
PAM_USER_UNKNOWN PAM_USER_UNKNOWN
User not known. User not known.
6.40.5. EXAMPLES 6.37.5. EXAMPLES
The root account gains access by default (rootok), only wheel members can The root account gains access by default (rootok), only wheel members can
become root (wheel), and non-root applicants must authenticate with pam_unix. become root (wheel), and non-root applicants must authenticate with pam_unix.
su auth sufficient pam_rootok.so su auth sufficient pam_rootok.so
su auth required pam_wheel.so su auth required pam_wheel.so
su auth required pam_unix.so su auth required pam_unix.so
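The stanza above, together with the trust and deny options, can be explored with the following added Python model of pam_wheel and a simplified libpam dispatcher (example code, not Linux-PAM's own). The group table and user names are constructed for the example; it assumes that a refused applicant gets PAM_PERM_DENIED and that, under deny, a non-member passes with PAM_IGNORE (PAM_SUCCESS with trust). The dispatcher ignores optional entries, treats a stack in which every module returned PAM_IGNORE as denied, and models pam_unix only as "prompts, then compares a password".

```python
from dataclasses import dataclass

PAM_SUCCESS, PAM_IGNORE = "PAM_SUCCESS", "PAM_IGNORE"
PAM_AUTH_ERR, PAM_PERM_DENIED = "PAM_AUTH_ERR", "PAM_PERM_DENIED"

# Constructed group database: name -> (gid, members).  There is deliberately
# no group called "wheel", so the GID-0 fallback from the description decides
# membership.
GROUPS = {
    "root": (0, {"alice"}),
    "staff": (50, {"alice", "bob"}),
}


@dataclass
class Ctx:
    applicant: str          # user running su
    applicant_uid: int
    target_uid: int         # account su is switching to
    password_ok: bool       # would the applicant type the right password?
    prompted: bool = False  # set once pam_unix asks for a password


def wheel_members(group_name):
    """Members of the named group, or of the GID-0 group if it does not exist."""
    if group_name in GROUPS:
        return GROUPS[group_name][1]
    return next((m for gid, m in GROUPS.values() if gid == 0), set())


def pam_rootok(ctx):
    return PAM_SUCCESS if ctx.applicant_uid == 0 else PAM_AUTH_ERR


def pam_unix(ctx):
    ctx.prompted = True  # pam_unix prompts whenever it is reached
    return PAM_SUCCESS if ctx.password_ok else PAM_AUTH_ERR


def pam_wheel(group="wheel", deny=False, trust=False):
    """Build a pam_wheel instance configured with the given options."""
    def module(ctx):
        member = ctx.applicant in wheel_members(group)
        if deny:
            # Reversed sense: a member asking for UID 0 is refused; anyone
            # else passes (PAM_IGNORE, or PAM_SUCCESS with trust).
            if member and ctx.target_uid == 0:
                return PAM_PERM_DENIED
            return PAM_SUCCESS if trust else PAM_IGNORE
        if member:
            return PAM_SUCCESS if trust else PAM_IGNORE
        return PAM_PERM_DENIED
    return module


def run_stack(stack, ctx):
    """Simplified libpam dispatch.  PAM_IGNORE removes a module from the
    verdict; 'required' records the first failure but keeps running the
    rest (so later modules still prompt); 'requisite' fails immediately;
    'sufficient' ends the stack on success unless a required module has
    already failed; 'optional' is ignored."""
    failure, success = None, False
    for control, module in stack:
        rc = module(ctx)
        if rc == PAM_IGNORE:
            continue
        if control in ("required", "requisite"):
            if rc == PAM_SUCCESS:
                success = True
            elif control == "requisite":
                return rc
            elif failure is None:
                failure = rc
        elif control == "sufficient" and rc == PAM_SUCCESS and failure is None:
            return PAM_SUCCESS
    if failure is not None:
        return failure
    return PAM_SUCCESS if success else PAM_PERM_DENIED  # no verdict at all


# The stanza from the EXAMPLES section, and two variations.
PAGE_STACK = [("sufficient", pam_rootok), ("required", pam_wheel()),
              ("required", pam_unix)]
TRUST_STACK = [("sufficient", pam_rootok), ("sufficient", pam_wheel(trust=True)),
               ("required", pam_unix)]
DENY_STACK = [("required", pam_wheel(group="staff", deny=True)),
              ("required", pam_unix)]


def su_to(stack, applicant, uid, target_uid=0, password_ok=True):
    """Run the stack and report (result, whether a password was asked for)."""
    ctx = Ctx(applicant, uid, target_uid, password_ok)
    return run_stack(stack, ctx), ctx.prompted
```

With PAGE_STACK, alice (a member of the GID-0 group) is prompted by pam_unix and succeeds, while bob is refused by pam_wheel yet still prompted, because required keeps the stack running. With TRUST_STACK, alice reaches root without any password prompt, which is the stacking effect the trust description points out, and bob, no longer stopped by a required pam_wheel, is held back only by the root password.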
6.40.6. AUTHOR 6.37.6. AUTHOR
pam_wheel was written by Cristian Gafton <gafton@redhat.com>. pam_wheel was written by Cristian Gafton <gafton@redhat.com>.
6.41. pam_xauth - forward xauth keys between users 6.38. pam_xauth - forward xauth keys between users
pam_xauth.so [ debug ] [ xauthpath=/path/to/xauth ] [ systemuser=UID ] [ pam_xauth.so [ debug ] [ xauthpath=/path/to/xauth ] [ systemuser=UID ] [
targetuser=UID ] targetuser=UID ]
6.41.1. DESCRIPTION 6.38.1. DESCRIPTION
The pam_xauth PAM module is designed to forward xauth keys (sometimes referred The pam_xauth PAM module is designed to forward xauth keys (sometimes referred
to as "cookies") between users. to as "cookies") between users.
Without pam_xauth, when xauth is enabled and a user uses the su(1) command to Without pam_xauth, when xauth is enabled and a user uses the su(1) command to
assume another user's privileges, that user is no longer able to access the assume another user's privileges, that user is no longer able to access the
original user's X display because the new user does not have the key needed to original user's X display because the new user does not have the key needed to
access the display. pam_xauth solves the problem by forwarding the key from the access the display. pam_xauth solves the problem by forwarding the key from the
user running su (the source user) to the user whose identity the source user is user running su (the source user) to the user whose identity the source user is
assuming (the target user) when the session is created, and destroying the key assuming (the target user) when the session is created, and destroying the key
skipping to change at line 5175 skipping to change at line 4554
If a user has a .xauth/export file, the user will only forward cookies to users If a user has a .xauth/export file, the user will only forward cookies to users
listed in the file. If there is no ~/.xauth/export file, and the invoking user listed in the file. If there is no ~/.xauth/export file, and the invoking user
is not root, the user will forward cookies to any other user. If there is no ~ is not root, the user will forward cookies to any other user. If there is no ~
/.xauth/export file, and the invoking user is root, the user will not forward /.xauth/export file, and the invoking user is root, the user will not forward
cookies to other users. cookies to other users.
Both the import and export files support wildcards (such as *). Both the import Both the import and export files support wildcards (such as *). Both the import
and export files can be empty, signifying that no users are allowed. and export files can be empty, signifying that no users are allowed.
6.41.2. OPTIONS 6.38.2. OPTIONS
debug debug
Print debug information. Print debug information.
xauthpath=/path/to/xauth xauthpath=/path/to/xauth
Specify the path to the xauth program (it is expected in /usr/X11R6/bin/xauth, Specify the path to the xauth program (it is expected in /usr/X11R6/bin/xauth,
/usr/bin/xauth, or /usr/bin/X11/xauth by default). /usr/bin/xauth, or /usr/bin/X11/xauth by default).
systemuser=UID systemuser=UID
Specify the highest UID which will be assumed to belong to a "system" user. Specify the highest UID which will be assumed to belong to a "system" user.
pam_xauth will refuse to forward credentials to users with UID less than or pam_xauth will refuse to forward credentials to users with UID less than or
equal to this number, except for root and the "targetuser", if specified. equal to this number, except for root and the "targetuser", if specified.
targetuser=UID targetuser=UID
Specify a single target UID which is exempt from the systemuser check. Specify a single target UID which is exempt from the systemuser check.
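The export-file rules and the systemuser/targetuser options above combine into a small policy that is easy to get wrong when writing a ~/.xauth/export file, so here is an added Python model of the decision (example code, not pam_xauth's own). The users, UIDs and export lists are constructed for the example; shell-style wildcard matching of the export entries is an assumption of the model, and the import side (the target user's ~/.xauth/import file) is not modelled.

```python
import fnmatch
from dataclasses import dataclass
from typing import Optional


@dataclass
class User:
    name: str
    uid: int
    export_lines: Optional[list] = None  # lines of ~/.xauth/export; None = no file


def export_allows(source, target_name):
    """Apply the ~/.xauth/export rules from the description."""
    if source.export_lines is None:
        # No export file: an ordinary user forwards to anyone, root to nobody.
        return source.uid != 0
    patterns = [line.strip() for line in source.export_lines if line.strip()]
    # An empty file lists no users, so nothing is forwarded.  Entries are
    # matched as shell-style wildcards (assumption of this model).
    return any(fnmatch.fnmatchcase(target_name, p) for p in patterns)


def may_forward(source, target, systemuser=None, targetuser=None):
    """Return (forwarded, reason) for a cookie forward from source to target.
    systemuser/targetuser follow the option descriptions above."""
    if not export_allows(source, target.name):
        return False, "denied by export file"
    # UIDs at or below systemuser are treated as system accounts and refused,
    # except root and the single exempt targetuser.
    if (systemuser is not None and target.uid <= systemuser
            and target.uid != 0 and target.uid != targetuser):
        return False, "target is a system user"
    return True, "forwarded"


# Constructed users for the example.
ROOT = User("root", 0)
ALICE = User("alice", 1000)                          # no export file
CAROL = User("carol", 1002, ["bob", "svc-*", ""])   # explicit export list
DAVE = User("dave", 1003, [])                        # empty export file
BOB = User("bob", 1001)
SVC_WEB = User("svc-web", 1200)
DAEMON = User("daemon", 2)
```

Running the scenarios shows the two defaults that matter operationally: root without an export file forwards nothing, and an ordinary user without one forwards to everyone, which is why an explicit export list (or an empty one) is the way to narrow who receives a user's display cookie.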
6.41.3. MODULE TYPES PROVIDED 6.38.3. MODULE TYPES PROVIDED
Only the session type is provided. Only the session type is provided.
6.41.4. RETURN VALUES 6.38.4. RETURN VALUES
PAM_BUF_ERR PAM_BUF_ERR
Memory buffer error. Memory buffer error.
PAM_PERM_DENIED PAM_PERM_DENIED
Permission denied by import/export file. Permission denied by import/export file.
PAM_SESSION_ERR PAM_SESSION_ERR
skipping to change at line 5222 skipping to change at line 4601
Cannot determine user name or UID, or cannot access the user's home directory. Cannot determine user name or UID, or cannot access the user's home directory.
PAM_SUCCESS PAM_SUCCESS
Success. Success.
PAM_USER_UNKNOWN PAM_USER_UNKNOWN
User not known. User not known.
6.41.5. EXAMPLES 6.38.5. EXAMPLES
Add the following line to /etc/pam.d/su to forward xauth keys between users Add the following line to /etc/pam.d/su to forward xauth keys between users
when calling su: when calling su:
session optional pam_xauth.so session optional pam_xauth.so
6.41.6. AUTHOR 6.38.6. AUTHOR
pam_xauth was written by Nalin Dahyabhai <nalin@redhat.com>, based on original pam_xauth was written by Nalin Dahyabhai <nalin@redhat.com>, based on original
version by Michael K. Johnson <johnsonm@redhat.com>. version by Michael K. Johnson <johnsonm@redhat.com>.
Chapter 7. See also Chapter 7. See also
• The Linux-PAM Application Writers' Guide. • The Linux-PAM Application Writers' Guide.
• The Linux-PAM Module Writers' Guide. • The Linux-PAM Module Writers' Guide.
 End of changes. 286 change blocks. 
954 lines changed or deleted 335 lines changed or added