pam-script(7) [debian man page]

PAM-SCRIPT(7)						 Miscellaneous Information Manual					     PAM-SCRIPT(7)

NAME
       pam-script - a PAM module that can invoke scripts within the PAM stack.

SYNOPSIS
       pam-script.so [onerr=(success|fail)] [dir=/some/path/]

DESCRIPTION
       pam-script allows you to execute scripts during authorization, passwd changes, and on session opening or closing. Such scripts can perform necessary tasks or influence the outcome of the PAM stack.

       For example, if the following entry was included in pam.conf

              sshd auth required pam_script

       then if the script, pam_script_auth, exits with a non-zero value this would cause the user to be denied SSH access to the machine.

OPTIONS
       A summary of options is included below.

       onerr=(success|fail)
              the default behavior if the module can not find or execute the script. The default is to fail if the option is not given.

       dir=/some/path/
              where to find the pam-scripts to invoke for each of the various module-types as described below. The default is dir=/usr/share/libpam-script if not given.

   List of scripts
       pam_script_auth
              Executed under auth which handles the authentication stage of establishing the user via some challenge-response (i.e. username/password)

       pam_script_acct
              invoked under account module-type for non-authentication based account management.

       pam_script_passwd
              invoked under passwd for changing the password tokens.

       pam_script_ses_open
              invoked when a session is first opened.

       pam_script_ses_close
              run after a session is first closed.

       All the scripts will be passed several environment variables: PAM_USER, PAM_RUSER, PAM_RHOST, PAM_SERVICE, PAM_AUTHTOK, PAM_TTY, and PAM_TYPE referring to the module-type.

       The pam_script.so arguments in the pam.conf will be passed on the command line, which can be used to modify the script behavior.

FILES
       /lib/security/pam_script.so - the PAM module
       /usr/share/libpam-script - where the scripts should be placed by default

VERSION
       pam-script 1.1.5

SEE ALSO
       PAM(7) and the PAM "The System Administrators' Guide"

AUTHOR
       pam-script was written by Jeroen Nijhof <jeroen@jeroennijhof.nl> with some additions and modifications by R.K. Owen, Ph.D. <rkowen@nersc.gov>.

       This manual page was written by R.K. Owen <rkowen@nersc.gov>, for the Debian project (but may be used by others).

August 22, 2007                                                                                     PAM-SCRIPT(7)
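
An added example, not part of pam-script or of this manual page: a pam_script_auth that treats the environment variables listed above as untrusted input and keeps PAM_AUTHTOK away from child processes, following the same caution the pam_exec page further down gives about a user-controlled environment. The allow-list path and the policy are constructed, the function names are hypothetical, and the script assumes PAM_TYPE is the string auth during the auth stage.

```shell
#!/bin/sh
# Added example: a defensive pam_script_auth. Not shipped with pam-script.
# Constructed policy: only accounts named in an allow-list may authenticate.

LC_ALL=C; export LC_ALL      # make the [A-Z] ranges below byte-exact

# Hypothetical path: one account name per line, root-owned, not writable by others.
ALLOW_FILE=/etc/security/pam_script_auth.allow

valid_name() {
    # Reject empty names, a leading '-', and any byte outside a conservative
    # set (so whitespace, '/', shell metacharacters and newlines all fail).
    case $1 in
        ''|-*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

pam_auth_decide() {
    # $1 = allow-list path. Returns 0 to let the stack continue, non-zero to deny.
    user=${PAM_USER-}
    type=${PAM_TYPE-}
    unset PAM_AUTHTOK   # keep the password out of every child's environment

    [ "$type" = auth ] || return 1      # assumption: PAM_TYPE is "auth" here
    valid_name "$user" || return 1
    { [ -f "$1" ] && [ ! -L "$1" ]; } || return 1   # no usable list: fail closed
    grep -Fxq -- "$user" "$1"
}

pam_auth_main() {
    # The caller's environment may be user-influenced: pin PATH and IFS first.
    PATH=/usr/sbin:/usr/bin:/sbin:/bin; export PATH
    unset IFS
    pam_auth_decide "$ALLOW_FILE" && return 0
    # Strip unsafe bytes before logging values that originate from the client.
    u=$(printf %s "${PAM_USER-}" | tr -cd 'A-Za-z0-9._-')
    h=$(printf %s "${PAM_RHOST-}" | tr -cd 'A-Za-z0-9.:_-')
    logger -p auth.notice -t pam_script_auth "denied user=$u rhost=$h" || :
    return 1
}

# Run only when installed under the file name pam-script looks for.
case ${0##*/} in
    pam_script_auth) pam_auth_main; exit $? ;;
esac
```

Install it as pam_script_auth in the directory given by dir= (default /usr/share/libpam-script), owned by root and not writable by anyone else.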

Check Out this Related Man Page

PAM_EXEC(8)							 Linux-PAM Manual						       PAM_EXEC(8)

NAME
       pam_exec - PAM module which calls an external command

SYNOPSIS
       pam_exec.so [debug] [expose_authtok] [seteuid] [quiet] [log=file] command [...]

DESCRIPTION
       pam_exec is a PAM module that can be used to run an external command.

       The child's environment is set to the current PAM environment list, as returned by pam_getenvlist(3). In addition, the following PAM items are exported as environment variables: PAM_RHOST, PAM_RUSER, PAM_SERVICE, PAM_TTY, PAM_USER and PAM_TYPE, which contains one of the module types: account, auth, password, open_session and close_session.

       Commands called by pam_exec need to be aware that the user can have control over the environment.

OPTIONS
       debug
              Print debug information.

       expose_authtok
              During authentication the calling command can read the password from stdin(3).

       log=file
              The output of the command is appended to file.

       quiet
              Per default pam_exec.so will echo the exit status of the external command if it fails. Specifying this option will suppress the message.

       seteuid
              Per default pam_exec.so will execute the external command with the real user ID of the calling process. Specifying this option means the command is run with the effective user ID.

MODULE TYPES PROVIDED
       All module types (auth, account, password and session) are provided.

RETURN VALUES
       PAM_SUCCESS
              The external command was run successfully.

       PAM_SERVICE_ERR
              No argument or a wrong number of arguments were given.

       PAM_SYSTEM_ERR
              A system error occurred or the command to execute failed.

       PAM_IGNORE
              pam_setcred was called, which does not execute the command.

EXAMPLES
       Add the following line to /etc/pam.d/passwd to rebuild the NIS database after each local password change:

              password optional pam_exec.so seteuid /usr/bin/make -C /var/yp

       This will execute the command make -C /var/yp with effective user ID.

SEE ALSO
       pam.conf(5), pam.d(5), pam(7)

AUTHOR
       pam_exec was written by Thorsten Kukuk <kukuk@thkukuk.de>.

Linux-PAM Manual                                        06/04/2011                                    PAM_EXEC(8)