Annotated edit history of pam.d(8) version 1, including all changes. Revision 1, author: perry.

PAM
!!!PAM
NAME
SYNOPSIS
DESCRIPTION
The configuration file(s)
FILES
ERRORS
CONFORMING TO
BUGS
SEE ALSO
----
!!NAME

Linux-PAM - Pluggable Authentication Modules for Linux
!!SYNOPSIS

__/etc/pam.conf__
!!DESCRIPTION

This manual is intended to offer a quick introduction to
__Linux-PAM__. For more information the reader is
directed to the __Linux-PAM system administrators'
guide__.

__Linux-PAM__ is a system of libraries that handle the
authentication tasks of applications (services) on the
system. The library provides a stable general interface
(Application Programming Interface - API) that privilege
granting programs (such as login(1) and su(1))
defer to in order to perform standard authentication
tasks.

The principal feature of the PAM approach is that the nature
of the authentication is dynamically configurable. In other
words, the system administrator is free to choose how
individual service-providing applications will authenticate
users. This dynamic configuration is set by the contents of
the single __Linux-PAM__ configuration file
__/etc/pam.conf__. Alternatively, the configuration can
be set by individual configuration files located in the
__/etc/pam.d/__ directory. ''The presence of this
directory will cause'' __Linux-PAM__ ''to ignore''
__/etc/pam.conf__.

From the point of view of the system administrator, for whom
this manual is provided, it is not of primary importance to
understand the internal behavior of the __Linux-PAM__
library. The important point to recognize is that the
configuration file(s) ''define'' the connection between
applications (__services__) and the pluggable
authentication modules (__PAM__s) that perform the actual
authentication tasks.

__Linux-PAM__ separates the tasks of
''authentication'' into four independent management
groups: __account__ management; __auth__entication
management; __password__ management; and __session__
management. (We highlight the abbreviations used for these
groups in the configuration file.)

Simply put, these groups take care of different aspects of a
typical user's request for a restricted
service:

__account__ - provide account verification types of
service: has the user's password expired?; is this user
permitted access to the requested service?

__auth__entication - establish that the user is who they claim
to be. Typically this is via some challenge-response request
that the user must satisfy: if you are who you claim to be,
please enter your password. Not all authentications are of
this type; there exist hardware based authentication schemes
(such as the use of smart-cards and biometric devices) and,
with suitable modules, these may be substituted seamlessly for
more standard approaches to authentication - such is the
flexibility of __Linux-PAM__.

__password__ - this group's responsibility is the task of
updating authentication mechanisms. Typically, such services
are strongly coupled to those of the __auth__ group. Some
authentication mechanisms lend themselves well to being
updated with such a function. Standard UN*X password-based
access is the obvious example: please enter a replacement
password.

__session__ - this group of tasks covers things that
should be done prior to a service being given and after it
is withdrawn. Such tasks include the maintenance of audit
trails and the mounting of the user's home directory. The
__session__ management group is important as it provides
both an opening and closing hook for modules to affect the
services available to a user.
!!The configuration file(s)

When a __Linux-PAM__ aware privilege granting application
is started, it activates its attachment to the PAM-API. This
activation performs a number of tasks, the most important
being the reading of the configuration file(s):
__/etc/pam.conf__. Alternatively, this may be the
contents of the __/etc/pam.d/__ directory.

These files list the __PAM__s that will do the
authentication tasks required by this service, and the
appropriate behavior of the PAM-API in the event that
individual __PAM__s fail.

The syntax of the __/etc/pam.conf__ configuration file is
as follows. The file is made up of a list of rules; each
rule is typically placed on a single line, but may be
extended with an escaped end of line, a backslash immediately
followed by the newline (`\<LF>').

The format of each rule is a space separated collection of
tokens, the first three being case-insensitive:

__service type control module-path
module-arguments__

The syntax of files contained in the __/etc/pam.d/__
directory is identical except for the absence of any
''service'' field. In this case, the ''service'' is
the name of the file in the __/etc/pam.d/__ directory.
This filename must be in lower case.

An important feature of __Linux-PAM__ is that a number
of rules may be ''stacked'' to combine the services of a
number of PAMs for a given authentication task.

The __service__ is typically the familiar name of the
corresponding application: __login__ and __su__ are
good examples. The __service__-name, __other__, is
reserved for giving ''default'' rules. Only lines that
mention the current service (or in the absence of such, the
__other__ entries) will be associated with the given
service-application.

The __type__ is the management group that the rule
corresponds to. It is used to specify which of the
management groups the subsequent module is to be associated
with. Valid entries are: __account__; __auth__;
__password__; and __session__. The meaning of each of
these tokens was explained above.

The third field, __control__, indicates the behavior of
the PAM-API should the module fail to succeed in its
authentication task. Valid __control__ values are:
__requisite__ - failure of such a PAM results in the
immediate termination of the authentication process;
__required__ - failure of such a PAM will ultimately lead
to the PAM-API returning failure, but only after the
remaining ''stacked'' modules (for this __service__
and __type__) have been invoked; __sufficient__ -
success of such a module is enough to satisfy the
authentication requirements of the stack of modules (if a
prior __required__ module has failed, the success of this
one is ''ignored''); __optional__ - the success or
failure of this module is only important if it is the only
module in the stack associated with this
__service__+__type__.

__module-path__ - this is the full filename of the PAM to
be used by the application.

__module-arguments__ - these are a space separated list
of tokens that can be used to modify the specific behavior
of the given PAM. Such arguments will be documented for each
individual module.
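The rule syntax and the four __control__ values described above, worked through in code. This is an added example, not part of the pam.d(8) text and not code from the Linux-PAM project: it parses constructed rules in both __/etc/pam.conf__ form and __/etc/pam.d/__ form (handling the escaped end of line, the case-insensitive service, type and control tokens, and the fall-back to the __other__ entries), then walks a stack with module outcomes supplied by a dictionary instead of real modules, so the control logic can be seen on its own. The sample rules, module names and outcomes are constructed for illustration. Three points are assumptions of this example rather than statements from the page: `#` starts a comment, the __other__ fall-back is resolved per management group, and a stack in which no module has set a positive result counts as a failure.

```python
"""Added example: parse pam.conf / pam.d rules and simulate the four
classic control values.  Not taken from Linux-PAM; module outcomes come
from a dictionary and no module is actually loaded."""

# Constructed sample in /etc/pam.conf form (first token is the service).
# The second rule is continued with an escaped end of line.
SAMPLE_PAM_CONF = r"""
# constructed sample, not a real system file
login   auth      requisite   pam_securetty.so
login   auth      required    pam_unix.so \
                              nullok
login   auth      optional    pam_group.so
login   account   required    pam_unix.so
OTHER   AUTH      REQUIRED    pam_deny.so
other   account   required    pam_deny.so
"""

# Constructed sample in /etc/pam.d/su form: no service field, the
# service is the lower-case file name.
SAMPLE_PAM_D_SU = r"""
auth     sufficient  pam_rootok.so
auth     required    pam_unix.so
session  required    pam_unix.so
"""

TYPES = ("account", "auth", "password", "session")
CONTROLS = ("requisite", "required", "sufficient", "optional")


def parse_rules(text, service=None):
    """Return a list of rule dicts.  service=None means /etc/pam.conf form
    (service field present); otherwise text is the body of
    /etc/pam.d/<service>.  Service, type and control are case-insensitive
    and folded to lower case; module-path and arguments are kept verbatim."""
    logical = text.replace("\\\n", " ")          # join escaped ends of line
    rules = []
    for raw in logical.splitlines():
        line = raw.split("#", 1)[0].strip()       # '#' comments: assumed here
        if not line:
            continue
        tokens = line.split()
        if len(tokens) < (4 if service is None else 3):
            raise ValueError("rule has too few fields: %r" % raw)
        if service is None:
            svc, typ, ctl, path, args = tokens[0], tokens[1], tokens[2], tokens[3], tokens[4:]
        else:
            svc, typ, ctl, path, args = service, tokens[0], tokens[1], tokens[2], tokens[3:]
        typ, ctl = typ.lower(), ctl.lower()
        if typ not in TYPES or ctl not in CONTROLS:
            raise ValueError("bad type or control in rule: %r" % raw)
        rules.append({"service": svc.lower(), "type": typ, "control": ctl,
                      "module": path, "args": args})
    return rules


def stack_for(rules, service, typ):
    """Rules for one service and management group.  A service with no rules
    of its own for that group gets the 'other' entries (per-group fall-back
    is an assumption of this example)."""
    service, typ = service.lower(), typ.lower()
    own = [r for r in rules if r["service"] == service and r["type"] == typ]
    return own or [r for r in rules if r["service"] == "other" and r["type"] == typ]


def evaluate_stack(stack, outcomes):
    """Walk a stack applying the four control values.  outcomes maps a
    module path to True (success) or False (failure); an unlisted module
    counts as failed.  Returns (result, modules_invoked).
    impression: None = no module has set a result yet, True = a module
    succeeded, False = a required module failed (remembered to the end)."""
    impression = None
    invoked = []
    for rule in stack:
        ok = outcomes.get(rule["module"], False)
        invoked.append(rule["module"])
        ctl = rule["control"]
        if ctl == "requisite":
            if not ok:
                return "failure", invoked         # immediate termination
            if impression is None:
                impression = True
        elif ctl == "required":
            if not ok:
                impression = False                # the rest of the stack still runs
            elif impression is None:
                impression = True
        elif ctl == "sufficient":
            if ok and impression is not False:
                return "success", invoked         # enough, unless a required failed
            # a failed sufficient module is simply ignored
        elif ctl == "optional":
            if ok and impression is None:
                impression = True                 # only counts if nothing else decided
    # Nothing set a positive result: treated as failure (assumption).
    return ("success" if impression is True else "failure"), invoked


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_PAM_CONF) + parse_rules(SAMPLE_PAM_D_SU, service="su")
    # Constructed outcomes for one attempt: tty not secure, password correct.
    outcomes = {"pam_securetty.so": False, "pam_unix.so": True, "pam_group.so": True}
    print("login/auth:", evaluate_stack(stack_for(rules, "login", "auth"), outcomes))
    print("sshd/auth (falls back to other):",
          evaluate_stack(stack_for(rules, "sshd", "auth"), outcomes))
```

Run stand-alone, the script reports the login attempt as a failure after invoking only `pam_securetty.so`, because a __requisite__ failure terminates the stack at once, and reports the unlisted `sshd` service as a failure through the __other__ rule `pam_deny.so`. Changing the outcome of `pam_unix.so` to failure with a secure tty shows the __required__ behaviour instead: every module in the stack is still invoked before failure is returned.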
!!FILES

__/etc/pam.conf__ - the configuration file
__/etc/pam.d/__ - the __Linux-PAM__ configuration
directory. If this directory is present, the
__/etc/pam.conf__ file is ignored.
__/usr/lib/libpam.so.X__ - the dynamic library
__/usr/lib/security/*.so__ - the PAMs

Note, to conform to the Linux File-system standard, the
libraries and modules in your system may be located in
__/lib__ and __/lib/security__
respectively.
!!ERRORS

Typically errors generated by the __Linux-PAM__ system of
libraries will be written to syslog(3).
!!CONFORMING TO

DCE-RFC 86.0, October 1995.
Contains additional features, currently under consideration
by the DCE-RFC committee.
!!BUGS

None known.
!!SEE ALSO

The three __Linux-PAM__ Guides, for __System
administrators__, __module developers__, and
__application developers__.
----
This page is a man page (or other imported legacy content). We are unable to automatically determine the license status of this page.