debian man page for pam_alreadyloggedin

Debian Man Pages All Man Pages Latest Topics Forum Categories

Query: pam_alreadyloggedin

OS: debian

Section: 8

Format: Original Unix Latex Style Formatted with HTML and a Horizontal Scroll Bar

PAM_ALREADYLOGGEDIN(8)					    BSD System Manager's Manual 				    PAM_ALREADYLOGGEDIN(8)


NAME

     pam_alreadyloggedin -- Already-logged-in PAM module


SYNOPSIS

     [service-name] module-type control-flag pam_alreadyloggedin [options]


DESCRIPTION

     The Already-logged-in authentication service module for PAM, pam_alreadyloggedin provides functionality for only one PAM category: authenti-
     cation.  In terms of the module-type parameter, this is the ``auth'' feature.  It also provides null functions for other PAM categories.

   Already-logged-in Authentication Module
     The Already-logged-in authentication component (pam_sm_authenticate()), returns success if and only if the target user's ID is identical to a
     current login specified in the utmp(5) database and verified with matching permissions on that login's respective terminal in /dev.  If a
     user shows up in w(8) output, they will generally be allowed to authenticate using this method.

     The following options may be passed to the authentication module:

     debug			     Enable verbose output to syslog at LOG_DEBUG level.

     no_debug			     Disable verbose output to syslog even it's enabled at compile time.

     no_root			     Never allow login with a target user ID of zero.

     restrict_tty=ttyglob*	     Only allow login if the terminal device currently being authenticated on matches ttyglob*.  The ttyglob*
				     argument is specified as a shell glob, and checked using the fnmatch(3) function. For example,
				     restrict_tty=/dev/tty[1-6] allows logging from text consoles of physical terminal only.

     restrict_loggedin_tty=ttyglob*  Disallow recognition that the user is already logged in unless the terminal device logged in upon matches
				     ttyglob*.


EXAMPLE

     Modify auth section of the /etc/pam.d/login file like following:

	   auth required   /lib/security/pam_securetty.so
	   auth sufficient /lib/security/pam_alreadyloggedin.so no_root
	   auth required   /lib/security/pam_stack.so service=system-auth


BUGS

     FreeBSD version expects /dev/ prefix in restrict_tty value, but value of restrict_loggedin_tty should be without them.  Linux version expects
     /dev/ in both cases.


SEE ALSO

     fnmatch(3), getuid(2), stat(2), utmp(5), w(8), pam.conf(5), pam(8)


AUTHORS

     Adopted for Linux PAM by Ilya Evseev at Jan 2004.

     The original pam_alreadyloggedin module and this manual page were developed for the FreeBSD Project by NAI Labs and ThinkSec AS, the Security
     Research Division of Network Associates, Inc.  under DARPA/SPAWAR contract N66001-01-C-8035 (``CBOSS''), as part of the DARPA CHATS research
     program.

Linux-PAM							 January 30, 2004							 Linux-PAM
Related Man Pages
pam_securetty(8) - centos
pam_ksu(8) - netbsd
pam_securetty(8) - php
pam_securetty(8) - plan9
pam_securetty(8) - xfree86
Similar Topics in the Unix Linux Community
Who are all logged out