This directory contains configuration files for the Pluggable
Authentication Modules (PAM) library.

Each file details the module chain for a single service, and must be
named after that service. If no configuration file is found for a
particular service, the /etc/pam.d/other file is used instead. If that
file does not exist, /etc/pam.conf is searched for entries matching
the specified service or, failing that, the "other" service.

See the pam(3) manual page for an explanation of the workings of the
PAM library and descriptions of the various files and modules. Below
is a summary of the format for the pam.conf and /etc/pam.d/* files.

Configuration lines take the following form:

module-type     control-flag    module-path     arguments

Comments are introduced with a hash mark ('#'). Blank lines and lines
consisting entirely of comments are ignored.

The meanings of the different fields are as follows:

 module-type:
   auth:      prompt for a password to authenticate that the user is
              who they say they are, and set any credentials.
   account:   non-authentication based authorization, based on time,
              resources, etc.
   session:   housekeeping before and/or after login.
   password:  update authentication tokens.

 control-flag: How libpam handles success or failure of the module.
   required:   success is required; on failure all remaining
               modules are run, but the request will be denied.
   requisite:  success is required, and on failure no remaining
               modules are run.
   sufficient: success is sufficient, and if no previous required
               module failed, no remaining modules are run.
   binding:    success is sufficient; on failure all remaining
               modules are run, but the request will be denied.
   optional:   ignored unless the other modules return PAM_IGNORE.

 arguments: Module-specific options, plus some generic ones:
   debug:           syslog debug info.
   no_warn:         return no warning messages to the application.
                    Remove this to feed back to the user the
                    reason(s) they are being rejected.
   use_first_pass:  try authentication using password from the
                    preceding auth module.
   try_first_pass:  first try authentication using password from
                    the preceding auth module, and if that fails
                    prompt for a new password.
   use_mapped_pass: convert cleartext password to a crypto key.
   expose_account:  allow printing more info about the user when
                    prompting.

Note that having a "sufficient" module as the last entry for a
particular service and module type may result in surprising behaviour.
To get the intended semantics, add a "required" entry listing the
pam_deny module at the end of the chain.
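
An added example, not part of the original README or of the PAM
distribution: a small Python linter for /etc/pam.d service files that
parses the four-field form described above and flags any chain whose last
entry is "sufficient", the case the closing note warns about. The sample
files and the module file names in them are constructed, and lines that do
not use one of the five control flags listed here are skipped, not
interpreted.

```python
MODULE_TYPES = ("auth", "account", "session", "password")
CONTROL_FLAGS = ("required", "requisite", "sufficient", "binding", "optional")


def parse_service(text):
    """Return ({module-type: [(lineno, flag, module-path, args)]}, skipped)."""
    chains, skipped = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # '#' introduces a comment
        if not line:
            continue  # blank and comment-only lines are ignored
        fields = line.split()
        if (len(fields) < 3 or fields[0] not in MODULE_TYPES
                or fields[1] not in CONTROL_FLAGS):
            skipped.append((lineno, line))  # not in the form the README gives
            continue
        mtype, flag, path, *args = fields
        chains.setdefault(mtype, []).append((lineno, flag, path, args))
    return chains, skipped


def lint_service(text):
    """Flag each module-type chain whose final entry is 'sufficient'."""
    chains, _ = parse_service(text)
    findings = []
    for mtype, entries in chains.items():
        lineno, flag, path, _ = entries[-1]
        if flag == "sufficient":
            findings.append((mtype, lineno, path))
    return findings


# Constructed sample service files (assumed module names, no real system).
AUTH = ("# constructed sample\n"
        "auth     sufficient  pam_krb5.so  no_warn try_first_pass\n"
        "auth     sufficient  pam_unix.so  no_warn try_first_pass\n")
DENY = "auth     required    pam_deny.so\n"
ACCOUNT = "account  required    pam_unix.so\n"
WEAK = AUTH + ACCOUNT           # auth chain ends on a sufficient module
FIXED = AUTH + DENY + ACCOUNT   # chain terminated as the note recommends

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("fixed", FIXED)):
        for mtype, lineno, path in lint_service(text):
            print(f"{name}: line {lineno}: {mtype} chain ends with "
                  f"'sufficient {path}'; add a required pam_deny entry")
        print(f"{name}: {len(lint_service(text))} finding(s)")
```
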