
pam-script(7) [debian man page]

PAM-SCRIPT(7)						 Miscellaneous Information Manual					     PAM-SCRIPT(7)

NAME
       pam-script - a PAM module that can invoke scripts within the PAM stack.

SYNOPSIS
       pam-script.so [onerr=(success|fail)] [dir=/some/path/]

DESCRIPTION
       pam-script allows you to execute scripts during authorization, passwd changes, and on session opening or closing. Such scripts can perform necessary tasks or influence the outcome of the PAM stack. For example, if the following entry was included in pam.conf

              sshd auth required pam_script

       then if the script, pam_script_auth, exits with a non-zero value this would cause the user to be denied SSH access to the machine.

OPTIONS
       A summary of options is included below.

       onerr=(success|fail)
              The default behavior if the module cannot find or execute the script. The default is to fail if the option is not given.

       dir=/some/path/
              Where to find the pam-scripts to invoke for each of the various module-types as described below. The default is dir=/usr/share/libpam-script if not given.

   List of scripts
       pam_script_auth
              Executed under auth, which handles the authentication stage of establishing the user via some challenge-response (i.e. username/password).

       pam_script_acct
              Invoked under the account module-type for non-authentication based account management.

       pam_script_passwd
              Invoked under passwd for changing the password tokens.

       pam_script_ses_open
              Invoked when a session is first opened.

       pam_script_ses_close
              Run after a session is first closed.

       All the scripts will be passed several environment variables: PAM_USER, PAM_RUSER, PAM_RHOST, PAM_SERVICE, PAM_AUTHTOK, PAM_TTY, and PAM_TYPE referring to the module-type.

       The pam_script.so arguments in the pam.conf will be passed on the command line, which can be used to modify the script behavior.

FILES
       /lib/security/pam_script.so - the PAM module
       /usr/share/libpam-script - where the scripts should be placed by default

VERSION
       pam-script 1.1.5

SEE ALSO
       PAM(7) and the PAM "The System Administrators' Guide"

AUTHOR
       pam-script was written by Jeroen Nijhof <jeroen@jeroennijhof.nl> with some additions and modifications by R.K. Owen, Ph.D. <rkowen@nersc.gov>.

       This manual page was written by R.K. Owen <rkowen@nersc.gov>, for the Debian project (but may be used by others).

August 22, 2007						     PAM-SCRIPT(7)
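
Added example (not part of the pam-script distribution or of this manual page): a pam_script_auth script that uses the exported PAM_SERVICE, PAM_USER and PAM_RHOST variables to allow SSH logins only from listed hosts, exiting non-zero to deny. The allowlist path and its "user host" line format are assumptions made for the illustration.

```shell
#!/bin/sh
# Example pam_script_auth (constructed for illustration). Install it in the
# directory given by dir=, owned by root and not writable by anyone else.
# PAM_AUTHTOK is also present in the environment; this script deliberately
# never reads, echoes or logs it.

# Hypothetical allowlist: one "user host" pair per line.
: "${ALLOWLIST:=/etc/security/pam_script_hosts.allow}"

# Returns 0 to let the stack continue, 1 to deny.
check_access() {
    user="${PAM_USER:-}"
    rhost="${PAM_RHOST:-}"

    # Only police sshd; other services are left to the rest of the stack.
    [ "${PAM_SERVICE:-}" = "sshd" ] || return 0

    # PAM_USER and PAM_RHOST are supplied by the connecting client, so treat
    # them as untrusted: reject empty values and unexpected characters.
    case "$user" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    case "$rhost" in
        ''|*[!A-Za-z0-9.:_-]*) return 1 ;;
    esac

    # Fail closed when the allowlist is missing or unreadable.
    [ -r "$ALLOWLIST" ] || return 1

    # Exact string comparison only; no globbing, no eval, no command substitution.
    while read -r u h _ || [ -n "$u" ]; do
        if [ "$u" = "$user" ] && [ "$h" = "$rhost" ]; then
            return 0
        fi
    done < "$ALLOWLIST"
    return 1
}

# Run the check only when installed under the name pam-script looks for.
case "${0##*/}" in
    pam_script_auth) check_access; exit $? ;;
esac
```

With onerr left at its default of fail, a missing or non-executable script also denies access, which matches the fail-closed behaviour of the script itself.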

SYSTEM-AUTH-AC(5)						File Formats Manual						 SYSTEM-AUTH-AC(5)

NAME
       system-auth-ac, password-auth-ac, smartcard-auth-ac, fingerprint-auth-ac, postlogin-ac - Common configuration files for PAMified services written by authconfig(8)

SYNOPSIS
       /etc/pam.d/system-auth-ac

DESCRIPTION
       The purpose of this configuration file is to provide a common configuration file for all applications and service daemons calling the PAM library.

       The system-auth configuration file is included from all individual service configuration files with the help of the include directive. When authconfig(8) writes the system PAM configuration file it replaces the default system-auth file with a symlink pointing to system-auth-ac and writes the configuration to this file. The symlink is not changed on subsequent configuration changes even if it points elsewhere. This allows system administrators to override the configuration written by authconfig.

       The authconfig now writes the authentication modules also into additional PAM configuration files /etc/pam.d/password-auth-ac, /etc/pam.d/smartcard-auth-ac, and /etc/pam.d/fingerprint-auth-ac. These configuration files contain only modules which perform authentication with the respective kinds of authentication tokens. For example /etc/pam.d/smartcard-auth[-ac] will not contain pam_unix and pam_ldap modules and /etc/pam.d/password-auth[-ac] will not contain pam_pkcs11 and pam_fprintd modules.

       The file /etc/pam.d/postlogin-ac contains common services to be invoked after login. An example can be a module that encrypts a user's filesystem or user's keyring and is decrypted by his password.

       The PAM configuration files of services which are accessed by remote connections such as sshd or ftpd now include the /etc/pam.d/password-auth configuration file instead of /etc/pam.d/system-auth.

EXAMPLE
       Configure system to use pam_tally2 for configuration of maximum number of failed logins. Also call pam_access to verify if access is allowed.

       Make system-auth symlink point to system-auth-local which contains:

       auth        requisite     pam_access.so
       auth        requisite     pam_tally2.so deny=3 lock_time=30 unlock_time=3600
       auth        include       system-auth-ac
       account     required      pam_tally2.so
       account     include       system-auth-ac
       password    include       system-auth-ac
       session     include       system-auth-ac

BUGS
       None known.

SEE ALSO
       authconfig(8), authconfig-gtk(8), pam(8), system-auth(5)

Red Hat, Inc.						2010 March 31						 SYSTEM-AUTH-AC(5)