pam_alreadyloggedin(8) [debian man page]

PAM_ALREADYLOGGEDIN(8)					    BSD System Manager's Manual 				    PAM_ALREADYLOGGEDIN(8)

NAME
     pam_alreadyloggedin -- Already-logged-in PAM module

SYNOPSIS
     [service-name] module-type control-flag pam_alreadyloggedin [options]

DESCRIPTION
     The Already-logged-in authentication service module for PAM,
     pam_alreadyloggedin, provides functionality for only one PAM category:
     authentication. In terms of the module-type parameter, this is the
     ``auth'' feature. It also provides null functions for the other PAM
     categories.

   Already-logged-in Authentication Module
     The Already-logged-in authentication component (pam_sm_authenticate())
     returns success if and only if the target user's ID is identical to a
     current login specified in the utmp(5) database and verified with
     matching permissions on that login's respective terminal in /dev. If a
     user shows up in w(8) output, they will generally be allowed to
     authenticate using this method.

     The following options may be passed to the authentication module:

     debug   Enable verbose output to syslog at LOG_DEBUG level.

     no_debug
             Disable verbose output to syslog even if it's enabled at compile
             time.

     no_root
             Never allow login with a target user ID of zero.

     restrict_tty=ttyglob*
             Only allow login if the terminal device currently being
             authenticated on matches ttyglob*. The ttyglob* argument is
             specified as a shell glob, and checked using the fnmatch(3)
             function. For example, restrict_tty=/dev/tty[1-6] allows login
             only from the text consoles of the physical terminal.

     restrict_loggedin_tty=ttyglob*
             Disallow recognition that the user is already logged in unless
             the terminal device logged in upon matches ttyglob*.

EXAMPLE
     Modify the auth section of the /etc/pam.d/login file as follows:

           auth required   /lib/security/pam_securetty.so
           auth sufficient /lib/security/pam_alreadyloggedin.so no_root
           auth required   /lib/security/pam_stack.so service=system-auth

BUGS
     The FreeBSD version expects the /dev/ prefix in the restrict_tty value,
     but the value of restrict_loggedin_tty should be given without it. The
     Linux version expects /dev/ in both cases.

SEE ALSO
     fnmatch(3), getuid(2), stat(2), utmp(5), w(8), pam.conf(5), pam(8)

AUTHORS
     Adopted for Linux PAM by Ilya Evseev in Jan 2004.

     The original pam_alreadyloggedin module and this manual page were
     developed for the FreeBSD Project by NAI Labs and ThinkSec AS, the
     Security Research Division of Network Associates, Inc. under
     DARPA/SPAWAR contract N66001-01-C-8035 (``CBOSS''), as part of the DARPA
     CHATS research program.

Linux-PAM                       January 30, 2004                      Linux-PAM
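
The decision rule from DESCRIPTION, written out as an added example (this is not the module's source code). The login records are constructed stand-ins for utmp(5) entries, "matching permissions" is assumed to mean that the terminal is owned by the target UID, and fnmatch(3) is called with no flags; the last policy shows that a glob missing the /dev/ prefix mentioned under BUGS never matches, so the module stops recognising the session.

```c
#include <fnmatch.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Constructed stand-in for a utmp(5) record plus the stat(2) owner of its tty. */
struct login_rec { const char *user, *tty; uid_t tty_owner; };
/* Module options; a NULL glob means the option is not set. */
struct policy { bool no_root; const char *restrict_tty, *restrict_loggedin_tty; };

static const struct login_rec SAMPLE[] = {      /* constructed sessions */
    {"alice", "/dev/tty2",  1000},
    {"bob",   "/dev/pts/0", 1001},
    {"root",  "/dev/tty1",  0},
    {"carol", "/dev/pts/1", 1001},              /* utmp says carol, tty owned by bob */
};
static const size_t SAMPLE_N = sizeof SAMPLE / sizeof SAMPLE[0];
static const struct policy POLICY_OPEN      = { false, NULL, NULL };
static const struct policy POLICY_HARDENED  = { true, "/dev/tty[1-6]", "/dev/tty[1-6]" };
static const struct policy POLICY_NO_PREFIX = { false, NULL, "tty[1-6]" };

/* True when `user` would be authenticated on `auth_tty` without a password. */
bool already_logged_in(const struct policy *p, const char *user, uid_t uid,
                       const char *auth_tty, const struct login_rec *recs, size_t n)
{
    if (p->no_root && uid == 0)
        return false;
    if (p->restrict_tty && fnmatch(p->restrict_tty, auth_tty, 0) != 0)
        return false;                   /* terminal being authenticated on */
    for (size_t i = 0; i < n; i++) {
        if (strcmp(recs[i].user, user) != 0)
            continue;
        if (recs[i].tty_owner != uid)   /* utmp entry not backed by tty ownership */
            continue;
        if (p->restrict_loggedin_tty &&
            fnmatch(p->restrict_loggedin_tty, recs[i].tty, 0) != 0)
            continue;                   /* existing session is on an untrusted tty */
        return true;
    }
    return false;
}

int main(void)
{
    printf("alice, hardened:  %d\n", already_logged_in(&POLICY_HARDENED, "alice", 1000, "/dev/tty3", SAMPLE, SAMPLE_N));
    printf("alice, no prefix: %d\n", already_logged_in(&POLICY_NO_PREFIX, "alice", 1000, "/dev/tty3", SAMPLE, SAMPLE_N));
    return 0;
}
```

With POLICY_OPEN every user listed in utmp(5) with a matching terminal owner, root included, passes on any terminal, which is why the EXAMPLE entry pairs the module with no_root.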

pam_user.conf(4)					     Kernel Interfaces Manual						  pam_user.conf(4)

NAME
     pam_user.conf - user configuration file for pluggable authentication
     modules

SYNOPSIS

DESCRIPTION
     is the user configuration file for the Pluggable Authentication Module
     architecture, or PAM. It is not designed to replace the PAM system
     configuration file, For PAM to work properly, is mandatory (see
     pam.conf(4)). is optional. It is used only when a user basis
     configuration is needed. It mainly specifies options to be used by
     service modules on a user basis.

     The options defined in indicate the default for users who are not
     configured in or if the module type is not configured for some users.
     For the configuration in to take effect, needs to configure service
     module (see pam.conf(4)).

   Simplified pam_user.conf Configuration File
     The file contains a listing of login names. Each login name is paired
     with a corresponding service module with or without options specified.
     Each entry has the following format:

          login_name module_type module_path options

     Below is an example of the configuration file.

          tom   auth    /usr/lib/security/$ISA/libpam_unix.so.1 debug use_psd
          tom   auth    /usr/lib/security/$ISA/libpam_dce.so.1  use_first_pass
          tom   account /usr/lib/security/$ISA/libpam_unix.so.1 use_psd
          tom   account /usr/lib/security/$ISA/libpam_dce.so.1  try_first_pass
          susan auth    /usr/lib/security/$ISA/libpam_unix.so.1
          susan auth    /usr/lib/security/$ISA/libpam_dce.so.1  try_first_pass

     The login_name denotes the login name of a user (for example, For
     detailed information on module_type, module_path, and options, see
     pam.conf(4).

     The first entry indicates that when the UNIX authentication is invoked
     for the options and will be used. The second entry indicates that when
     the DCE authentication is invoked for the option will be used. The
     module type is not configured for therefore, the options will take
     effect. For those users who are not configured, the options apply.

   Notes
     If an error is found in an entry due to invalid login_name or
     module_type, then the entry is ignored. If there are no valid entries
     for the given module_type, the PAM framework ignores and reads the
     configuration in

EXAMPLES
     The following is a sample configuration file. Lines that begin with the
     symbol are treated as comments, and therefore ignored.

          #
          # PAM user configuration
          #
          # Authentication management
          john  auth     /usr/lib/security/$ISA/libpam_unix.so.1
          john  auth     /usr/lib/security/$ISA/libpam_inhouse.so.1 try_first_pass
          david auth     /usr/lib/security/$ISA/libpam_unix.so.1 use_psd
          david auth     /usr/lib/security/$ISA/libpam_inhouse.so.1 try_first_pass
          susan auth     /usr/lib/security/$ISA/libpam_unix.so.1 use_psd
          susan auth     /usr/lib/security/$ISA/libpam_inhouse.so.1 try_first_pass
          # Password management
          john  password /usr/lib/security/$ISA/libpam_unix.so.1
          david password /usr/lib/security/$ISA/libpam_unix.so.1 use_psd
          susan password /usr/lib/security/$ISA/libpam_unix.so.1 use_psd

SEE ALSO
     pam(3), pam.conf(4).

                                                               pam_user.conf(4)
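
An added example (not HP-UX code) of a reader for the `login_name module_type module_path options` format, showing how an entry with a mistyped module_type is dropped without affecting the rest of the file, as the Notes describe. The sample file is constructed, the function names are hypothetical, and the accepted module types are assumed to be the four standard PAM ones; login_name validation against the password database is left out.

```c
#include <stdio.h>
#include <string.h>

struct entry { char login[33], type[16], path[256], options[128]; };
struct result { size_t hits, ignored; };
/* Constructed sample in the page's format; the "auht" typo is deliberate. */
static const char SAMPLE_CONF[] =
    "# PAM user configuration\n"
    "john  auth     /usr/lib/security/$ISA/libpam_unix.so.1\n"
    "david auht     /usr/lib/security/$ISA/libpam_unix.so.1 use_psd\n"
    "david password /usr/lib/security/$ISA/libpam_unix.so.1 use_psd\n"
    "susan auth\n";

/* 1 = usable entry, 0 = comment or blank line, -1 = entry that is ignored. */
int parse_line(const char *line, struct entry *e)
{
    static const char *const types[] = { "auth", "account", "session", "password" };
    e->options[0] = '\0';
    line += strspn(line, " \t");
    if (*line == '#' || *line == '\0')
        return 0;
    if (sscanf(line, "%32s %15s %255s %127[^\n]", e->login, e->type, e->path, e->options) < 3)
        return -1;                  /* fewer than three fields */
    for (size_t i = 0; i < sizeof types / sizeof types[0]; i++)
        if (strcmp(e->type, types[i]) == 0)
            return 1;
    return -1;                      /* unknown module_type */
}

/* Usable entries for login/type, plus the number of lines dropped as invalid. */
struct result entries_for(const char *conf, const char *login, const char *type)
{
    struct result r = { 0, 0 };
    struct entry e; char buf[512];
    for (const char *p = conf; *p; p += (*p == '\n')) {
        size_t len = strcspn(p, "\n");
        snprintf(buf, sizeof buf, "%.*s", (int)len, p);   /* copy one line */
        p += len;
        int rc = parse_line(buf, &e);
        r.ignored += (rc < 0);
        r.hits += (rc == 1 && !strcmp(e.login, login) && !strcmp(e.type, type));
    }
    return r;
}

int main(void)
{
    struct result d = entries_for(SAMPLE_CONF, "david", "auth");
    return printf("david auth: %zu usable, %zu lines ignored\n", d.hits, d.ignored) < 0;
}
```

A nonzero ignored count is worth flagging in a configuration review: david's intended auth options never take effect, and nothing in the file signals it.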