pam-script(7) [debian man page]

PAM-SCRIPT(7)						 Miscellaneous Information Manual					     PAM-SCRIPT(7)

NAME
       pam-script - a PAM module that can invoke scripts within the PAM stack.

SYNOPSIS
       pam-script.so [onerr=(success|fail)][dir=/some/path/]

DESCRIPTION
       pam-script allows you to execute scripts during authorization, passwd
       changes, and on session opening or closing. Such scripts can perform
       necessary tasks or influence the outcome of the PAM stack.

       For example, if the following entry was included in pam.conf

              sshd auth required pam_script

       then if the script, pam_script_auth, exits with a non-zero value this
       would cause the user to be denied SSH access to the machine.

OPTIONS
       A summary of options is included below.

       onerr=(success|fail)
              the default behavior if the module can not find or execute the
              script. The default is to fail if the option is not given.

       dir=/some/path/
              where to find the pam-scripts to invoke for each of the various
              module-types as described below. The default is
              dir=/usr/share/libpam-script if not given.

   List of scripts
       pam_script_auth
              Executed under auth which handles the authentication stage of
              establishing the user via some challenge-response (i.e.
              username/password)

       pam_script_acct
              invoked under account module-type for non-authentication based
              account management.

       pam_script_passwd
              invoked under passwd for changing the password tokens.

       pam_script_ses_open
              invoked when a session is first opened.

       pam_script_ses_close
              run after a session is first closed.

       All the scripts will be passed several environment variables:
       PAM_USER, PAM_RUSER, PAM_RHOST, PAM_SERVICE, PAM_AUTHTOK, PAM_TTY, and
       PAM_TYPE referring to the module-type.

       The pam_script.so arguments in the pam.conf will be passed on the
       command line, which can be used to modify the script behavior.

FILES
       /lib/security/pam_script.so - the PAM module
       /usr/share/libpam-script - where the scripts should be placed by default

VERSION
       pam-script 1.1.5

SEE ALSO
       PAM(7) and the PAM "The System Administrators' Guide"

AUTHOR
       pam-script was written by Jeroen Nijhof <jeroen@jeroennijhof.nl> with
       some additions and modifications by R.K. Owen, Ph.D. <rkowen@nersc.gov>.

       This manual page was written by R.K. Owen <rkowen@nersc.gov>, for the
       Debian project (but may be used by others).

August 22, 2007                                                  PAM-SCRIPT(7)
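
Added example, not part of the man page or of the pam-script distribution: a pam_script_acct script that uses the environment variables and exit status described above to allow or deny an account per service, failing closed and keeping PAM_AUTHTOK out of logs and child processes. The allowlist path, its file format and the name character policy are assumptions made for this example.

```shell
#!/bin/sh
# Added example: a pam_script_acct script for the directory given by dir=.
# Exit 0 lets the stack continue; non-zero makes this module fail.
# Assumptions (not from the man page): the allowlist path, its format
# ("user service" per line, "*" = any service) and the name character policy.

ALLOWLIST="${ALLOWLIST:-/etc/security/pam_script_acct.allow}"

# Return 0 if the PAM_USER / PAM_SERVICE pair is listed, 1 otherwise.
acct_allowed() {
    # Fail closed on empty or unexpected values taken from the environment.
    case "${PAM_USER:-}" in ''|*[!A-Za-z0-9._-]*) return 1 ;; esac
    case "${PAM_SERVICE:-}" in ''|*[!A-Za-z0-9._-]*) return 1 ;; esac
    [ -r "$ALLOWLIST" ] || return 1
    while read -r user service rest || [ -n "$user" ]; do
        case "$user" in ''|'#'*) continue ;; esac
        if [ "$user" = "$PAM_USER" ] &&
           { [ "$service" = "*" ] || [ "$service" = "$PAM_SERVICE" ]; }; then
            return 0
        fi
    done < "$ALLOWLIST"
    return 1
}

# Build one audit line. PAM_AUTHTOK is deliberately never read or logged;
# control characters are stripped so a hostile value cannot forge log lines.
audit_line() {
    printf 'pam_script_acct result=%s user=%s service=%s rhost=%s tty=%s' \
        "$1" "${PAM_USER:-}" "${PAM_SERVICE:-}" "${PAM_RHOST:-}" \
        "${PAM_TTY:-}" | tr -d '[:cntrl:]'
}

main() {
    unset PAM_AUTHTOK   # keep the secret out of child process environments
    if acct_allowed; then
        logger -t pam_script -p auth.info -- "$(audit_line allow)" 2>/dev/null
        return 0
    fi
    logger -t pam_script -p auth.notice -- "$(audit_line deny)" 2>/dev/null
    return 1
}

# Run only when executed under its installed name, not when sourced.
case "${0##*/}" in pam_script_acct) main "$@"; exit $? ;; esac
```

Because the module defaults to onerr=fail, a missing or non-executable script denies access in the same way this script does on a missing allowlist.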

Check Out this Related Man Page

PAM-AUTH-UPDATE(8)					      System Manager's Manual						PAM-AUTH-UPDATE(8)

NAME
       pam-auth-update - manage PAM configuration using packaged profiles

SYNOPSIS
       pam-auth-update [--package [--remove profile [profile...]]] [--force]

DESCRIPTION
       pam-auth-update is a utility that permits configuring the central
       authentication policy for the system using pre-defined profiles as
       supplied by PAM module packages. Profiles shipped in the
       /usr/share/pam-configs/ directory specify the modules, with options, to
       enable; the preferred ordering with respect to other profiles; and
       whether a profile should be enabled by default. Packages providing PAM
       modules register their profiles at install time by calling
       pam-auth-update --package. Selection of profiles is done using the
       standard debconf interface. The profile selection question will be
       asked at `medium' priority when packages are added or removed, so no
       user interaction is required by default.

       Users may invoke pam-auth-update directly to change their
       authentication configuration.

       The script makes every effort to respect local changes to
       /etc/pam.d/common-*. Local modifications to the list of module options
       will be preserved, and additions of modules within the managed portion
       of the stack will cause pam-auth-update to treat the config files as
       locally modified and not make further changes to the config files
       unless given the --force option.

       If the user specifies that pam-auth-update should override local
       configuration changes, the locally-modified files will be saved in
       /etc/pam.d/ with a suffix of .pam-old.

OPTIONS
       --package
              Indicate that the caller is a package maintainer script; lowers
              the priority of debconf questions to `medium' so that the user
              is not prompted by default.

       --remove profile [profile...]
              Remove the specified profiles from the system configuration.
              pam-auth-update --remove should be used to remove profiles from
              the configuration before the modules they reference are removed
              from disk, to ensure that PAM is in a consistent and usable
              state at all times during package upgrades or removals.

       --force
              Overwrite the current PAM configuration, without prompting. This
              option must not be used by package maintainer scripts; it is
              intended for use by administrators only.

FILES
       /etc/pam.d/common-*
              Global configuration of PAM, affecting all installed services.

       /usr/share/pam-configs/
              Package-supplied authentication profiles.

AUTHOR
       Steve Langasek <steve.langasek@canonical.com>

COPYRIGHT
       Copyright (C) 2008 Canonical Ltd.

SEE ALSO
       PAM(7), pam.d(5), debconf(7)

Debian                            08/23/2008                PAM-AUTH-UPDATE(8)