is the Pluggable Authentication Modules for Linux. Documentation.
| Linux-PAM_SAG.txt (Linux-PAM-1.5.1-docs.tar.xz) | : | Linux-PAM_SAG.txt (Linux-PAM-1.5.2-docs.tar.xz) |
|---|
| | |
| skipping to change at line 376 | | skipping to change at line 376 |
|---|
| | |
| ignore | | ignore |
| | |
| when used with a stack of modules, the module's return status will not | | when used with a stack of modules, the module's return status will not |
| contribute to the return code the application obtains. | | contribute to the return code the application obtains. |
| | |
| bad | | bad |
| | |
| this action indicates that the return code should be thought of as | | this action indicates that the return code should be thought of as |
| indicative of the module failing. If this module is the first in the stack | | indicative of the module failing. If this module is the first in the stack |
|
| to fail, its status value will be used for that of the whole stack. | | to fail, its status value will be used for that of the whole stack. This is |
| | the default action for all return codes. |
| | |
| die | | die |
| | |
| equivalent to bad with the side effect of terminating the module stack and | | equivalent to bad with the side effect of terminating the module stack and |
| PAM immediately returning to the application. | | PAM immediately returning to the application. |
| | |
| ok | | ok |
| | |
| this tells PAM that the administrator thinks this return code should | | this tells PAM that the administrator thinks this return code should |
| contribute directly to the return code of the full stack of modules. In | | contribute directly to the return code of the full stack of modules. In |
| other words, if the former state of the stack would lead to a return of | | other words, if the former state of the stack would lead to a return of |
| PAM_SUCCESS, the module's return code will override this value. Note, if | | PAM_SUCCESS, the module's return code will override this value. Note, if |
| the former state of the stack holds some value that is indicative of a | | the former state of the stack holds some value that is indicative of a |
| modules failure, this 'ok' value will not be used to override that value. | | modules failure, this 'ok' value will not be used to override that value. |
| | |
| done | | done |
| | |
| equivalent to ok with the side effect of terminating the module stack and | | equivalent to ok with the side effect of terminating the module stack and |
|
| PAM immediately returning to the application. | | PAM immediately returning to the application unless there was a non-ignored |
| | module failure before. |
| | |
| N (an unsigned integer) | | N (an unsigned integer) |
| | |
| jump over the next N modules in the stack. Note that N equal to 0 is not | | jump over the next N modules in the stack. Note that N equal to 0 is not |
| allowed, it would be treated as ignore in such case. The side effect | | allowed, it would be treated as ignore in such case. The side effect |
| depends on the PAM function call: for pam_authenticate, pam_acct_mgmt, | | depends on the PAM function call: for pam_authenticate, pam_acct_mgmt, |
| pam_chauthtok, and pam_open_session it is ignore; for pam_setcred and | | pam_chauthtok, and pam_open_session it is ignore; for pam_setcred and |
| pam_close_session it is one of ignore, ok, or bad depending on the module's | | pam_close_session it is one of ignore, ok, or bad depending on the module's |
| return value. | | return value. |
| | |
| reset | | reset |
| | |
| clear all memory of the state of the module stack and start again with the | | clear all memory of the state of the module stack and start again with the |
| next stacked module. | | next stacked module. |
| | |
|
| | If a return code's action is not specifically defined via a valueN token, and |
| | the default value is not specified, that return code's action defaults to bad. |
| | |
| Each of the four keywords: required; requisite; sufficient; and optional, have | | Each of the four keywords: required; requisite; sufficient; and optional, have |
| an equivalent expression in terms of the [...] syntax. They are as follows: | | an equivalent expression in terms of the [...] syntax. They are as follows: |
| | |
| required | | required |
| | |
| [success=ok new_authtok_reqd=ok ignore=ignore default=bad] | | [success=ok new_authtok_reqd=ok ignore=ignore default=bad] |
| | |
| requisite | | requisite |
| | |
| [success=ok new_authtok_reqd=ok ignore=ignore default=die] | | [success=ok new_authtok_reqd=ok ignore=ignore default=die] |
| | |
| skipping to change at line 1176 | | skipping to change at line 1181 |
|---|
| DISPLAY DEFAULT=${REMOTEHOST}:0.0 OVERRIDE=${DISPLAY} | | DISPLAY DEFAULT=${REMOTEHOST}:0.0 OVERRIDE=${DISPLAY} |
| | |
| Now some simple variables | | Now some simple variables |
| | |
| PAGER DEFAULT=less | | PAGER DEFAULT=less |
| MANPAGER DEFAULT=less | | MANPAGER DEFAULT=less |
| LESS DEFAULT="M q e h15 z23 b80" | | LESS DEFAULT="M q e h15 z23 b80" |
| NNTPSERVER DEFAULT=localhost | | NNTPSERVER DEFAULT=localhost |
| PATH DEFAULT=${HOME}/bin:/usr/local/bin:/bin\ | | PATH DEFAULT=${HOME}/bin:/usr/local/bin:/bin\ |
| :/usr/bin:/usr/local/bin/X11:/usr/bin/X11 | | :/usr/bin:/usr/local/bin/X11:/usr/bin/X11 |
|
| XDG_DATA_HOME @{HOME}/share/ | | XDG_DATA_HOME DEFAULT=@{HOME}/share/ |
| | |
| Silly examples of escaped variables, just to show how they work. | | Silly examples of escaped variables, just to show how they work. |
| | |
| DOLLAR DEFAULT=\$ | | DOLLAR DEFAULT=\$ |
| DOLLARDOLLAR DEFAULT= OVERRIDE=\$${DOLLAR} | | DOLLARDOLLAR DEFAULT= OVERRIDE=\$${DOLLAR} |
| DOLLARPLUS DEFAULT=\${REMOTEHOST}${REMOTEHOST} | | DOLLARPLUS DEFAULT=\${REMOTEHOST}${REMOTEHOST} |
| ATSIGN DEFAULT="" OVERRIDE=\@ | | ATSIGN DEFAULT="" OVERRIDE=\@ |
| | |
| 6.5.8. AUTHOR | | 6.5.8. AUTHOR |
| | |
| pam_env was written by Dave Kinchlea <kinch@kinch.ark.com>. | | pam_env was written by Dave Kinchlea <kinch@kinch.ark.com>. |
| | |
| 6.6. pam_exec - call an external command | | 6.6. pam_exec - call an external command |
| | |
|
| pam_exec.so [ debug ] [ expose_authtok ] [ seteuid ] [ quiet ] [ stdout ] [ log | | pam_exec.so [ debug ] [ expose_authtok ] [ seteuid ] [ quiet ] [ quiet_log ] [ |
| =file ] [ type=type ] command [ ... ] | | stdout ] [ log=file ] [ type=type ] command [ ... ] |
| | |
| 6.6.1. DESCRIPTION | | 6.6.1. DESCRIPTION |
| | |
| pam_exec is a PAM module that can be used to run an external command. | | pam_exec is a PAM module that can be used to run an external command. |
| | |
| The child's environment is set to the current PAM environment list, as returned | | The child's environment is set to the current PAM environment list, as returned |
| by pam_getenvlist(3) In addition, the following PAM items are exported as | | by pam_getenvlist(3) In addition, the following PAM items are exported as |
| environment variables: PAM_RHOST, PAM_RUSER, PAM_SERVICE, PAM_TTY, PAM_USER and | | environment variables: PAM_RHOST, PAM_RUSER, PAM_SERVICE, PAM_TTY, PAM_USER and |
| PAM_TYPE, which contains one of the module types: account, auth, password, | | PAM_TYPE, which contains one of the module types: account, auth, password, |
| open_session and close_session. | | open_session and close_session. |
| | |
| skipping to change at line 1239 | | skipping to change at line 1244 |
|---|
| Per default the output of the executed command is written to /dev/null. | | Per default the output of the executed command is written to /dev/null. |
| With this option, the stdout output of the executed command is redirected | | With this option, the stdout output of the executed command is redirected |
| to the calling application. It's in the responsibility of this application | | to the calling application. It's in the responsibility of this application |
| what happens with the output. The log option is ignored. | | what happens with the output. The log option is ignored. |
| | |
| quiet | | quiet |
| | |
| Per default pam_exec.so will echo the exit status of the external command | | Per default pam_exec.so will echo the exit status of the external command |
| if it fails. Specifying this option will suppress the message. | | if it fails. Specifying this option will suppress the message. |
| | |
|
| | quiet_log |
| | |
| | Per default pam_exec.so will log the exit status of the external command if |
| | it fails. Specifying this option will suppress the log message. |
| | |
| seteuid | | seteuid |
| | |
| Per default pam_exec.so will execute the external command with the real | | Per default pam_exec.so will execute the external command with the real |
| user ID of the calling process. Specifying this option means the command is | | user ID of the calling process. Specifying this option means the command is |
| run with the effective user ID. | | run with the effective user ID. |
| | |
| 6.6.3. MODULE TYPES PROVIDED | | 6.6.3. MODULE TYPES PROVIDED |
| | |
| All module types (auth, account, password and session) are provided. | | All module types (auth, account, password and session) are provided. |
| | |
| | |
| skipping to change at line 2145 | | skipping to change at line 2155 |
|---|
| | |
| maximum nice priority allowed to raise to (Linux 2.6.12 and higher) | | maximum nice priority allowed to raise to (Linux 2.6.12 and higher) |
| values: [-20,19] | | values: [-20,19] |
| | |
| rtprio | | rtprio |
| | |
| maximum realtime priority allowed for non-privileged processes (Linux | | maximum realtime priority allowed for non-privileged processes (Linux |
| 2.6.12 and higher) | | 2.6.12 and higher) |
| | |
| All items support the values -1, unlimited or infinity indicating no limit, | | All items support the values -1, unlimited or infinity indicating no limit, |
|
| except for priority, nice, and nonewprivs. | | except for priority, nice, and nonewprivs. If nofile is to be set to one of |
| | these values, it will be set to the contents of /proc/sys/fs/nr_open instead |
| | (see setrlimit(3)). |
| | |
| If a hard limit or soft limit of a resource is set to a valid value, but | | If a hard limit or soft limit of a resource is set to a valid value, but |
| outside of the supported range of the local system, the system may reject the | | outside of the supported range of the local system, the system may reject the |
| new limit or unexpected behavior may occur. If the control value required is | | new limit or unexpected behavior may occur. If the control value required is |
| used, the module will reject the login if a limit could not be set. | | used, the module will reject the login if a limit could not be set. |
| | |
| In general, individual limits have priority over group limits, so if you impose | | In general, individual limits have priority over group limits, so if you impose |
| no limits for admin group, but one of the members in this group have a limits | | no limits for admin group, but one of the members in this group have a limits |
| line, the user will have its limits set according to this line. | | line, the user will have its limits set according to this line. |
| | |
| | |
| skipping to change at line 2630 | | skipping to change at line 2642 |
|---|
| silent | | silent |
| | |
| Don't print informative messages. | | Don't print informative messages. |
| | |
| debug | | debug |
| | |
| Turns on debugging via syslog(3). | | Turns on debugging via syslog(3). |
| | |
| umask=mask | | umask=mask |
| | |
|
| The user file-creation mask is set to mask. The default value of mask is | | The file mode creation mask is set to mask. The default value of mask is |
| 0022. | | 0022. If this option is not specified, then the permissions of created user |
| | home directory is set to the value of HOME_MODE configuration item from / |
| | etc/login.defs. If there is no such configuration item then the value is |
| | computed from the value of UMASK in the same file. If there is no such |
| | configuration option either the default value of 0755 is used for the mode. |
| | |
| skel=/path/to/skel/directory | | skel=/path/to/skel/directory |
| | |
| Indicate an alternative skel directory to override the default /etc/skel. | | Indicate an alternative skel directory to override the default /etc/skel. |
| | |
| 6.19.3. MODULE TYPES PROVIDED | | 6.19.3. MODULE TYPES PROVIDED |
| | |
| Only the session module type is provided. | | Only the session module type is provided. |
| | |
| 6.19.4. RETURN VALUES | | 6.19.4. RETURN VALUES |
| | |
| skipping to change at line 3890 | | skipping to change at line 3906 |
|---|
| | |
| In a nutshell, pam_timestamp caches successful authentication attempts, and | | In a nutshell, pam_timestamp caches successful authentication attempts, and |
| allows you to use a recent successful attempt as the basis for authentication. | | allows you to use a recent successful attempt as the basis for authentication. |
| This is similar mechanism which is used in sudo. | | This is similar mechanism which is used in sudo. |
| | |
| When an application opens a session using pam_timestamp, a timestamp file is | | When an application opens a session using pam_timestamp, a timestamp file is |
| created in the timestampdir directory for the user. When an application | | created in the timestampdir directory for the user. When an application |
| attempts to authenticate the user, a pam_timestamp will treat a sufficiently | | attempts to authenticate the user, a pam_timestamp will treat a sufficiently |
| recent timestamp file as grounds for succeeding. | | recent timestamp file as grounds for succeeding. |
| | |
|
| | The default encryption hash is taken from the HMAC_CRYPTO_ALGO variable from / |
| | etc/login.defs. |
| | |
| 6.32.2. OPTIONS | | 6.32.2. OPTIONS |
| | |
| timestampdir=directory | | timestampdir=directory |
| | |
| Specify an alternate directory where pam_timestamp creates timestamp files. | | Specify an alternate directory where pam_timestamp creates timestamp files. |
| | |
| timestamp_timeout=number | | timestamp_timeout=number |
| | |
| How long should pam_timestamp treat timestamp as valid after their last | | How long should pam_timestamp treat timestamp as valid after their last |
| modification date (in seconds). Default is 300 seconds. | | modification date (in seconds). Default is 300 seconds. |
| | |
| skipping to change at line 4292 | | skipping to change at line 4311 |
|---|
| database as plaintext. | | database as plaintext. |
| | |
| db=/path/database | | db=/path/database |
| | |
| Use the /path/database database for performing lookup. There is no default; | | Use the /path/database database for performing lookup. There is no default; |
| the module will return PAM_IGNORE if no database is provided. Note that the | | the module will return PAM_IGNORE if no database is provided. Note that the |
| path to the database file should be specified without the .db suffix. | | path to the database file should be specified without the .db suffix. |
| | |
| debug | | debug |
| | |
|
| Print debug information. | | Print debug information. Note that password hashes, both from db and |
| | computed, will be printed to syslog. |
| | |
| dump | | dump |
| | |
| Dump all the entries in the database to the log. Don't do this by default! | | Dump all the entries in the database to the log. Don't do this by default! |
| | |
| icase | | icase |
| | |
| Make the password verification to be case insensitive (ie when working with | | Make the password verification to be case insensitive (ie when working with |
| registration numbers and such). Only works with plaintext password storage. | | registration numbers and such). Only works with plaintext password storage. |
| | |
| | | |
| End of changes. 10 change blocks. |
|---|
| 9 lines changed or deleted | | 29 lines changed or added |
|---|
"Fossies" - the Fresh Open Source Software Archive 