Visit Our UNIX and Linux User Community

Linux and UNIX Man Pages

Test Your Knowledge in Computers #821
Difficulty: Easy
HTML5 is a software solution stack that defines the properties and behaviors of web page content by implementing a markup based pattern to it.
True or False?
Linux & Unix Commands - Search Man Pages

pam.conf(5) [netbsd man page]

PAM.CONF(5)						      BSD File Formats Manual						       PAM.CONF(5)

pam.conf -- Pluggable Authentication Modules configuration file DESCRIPTION
The pam.conf file specifies how Pluggable Authentication Modules (PAM) should operate. For an overview of the Pluggable Authentication Mod- ules framework, see pam(8). PAM may be configured using a single /etc/pam.conf configuration file or by using multiple configuration files, one for each PAM-aware ser- vice, located in the /etc/pam.d/ directory. If /etc/pam.d/ exists, /etc/pam.conf will be ignored. /etc/pam.d/ is the preferred method for configuring PAM. PAM's configuration is based on ``stacking'' different modules together to form a processing chain for the task. A standard PAM configura- tion stanza is structured as follows: [service-name] module-type control-flag module-name [options] service-name is used only (and is mandatory) in /etc/pam.conf. It specifies the PAM-aware service whose PAM behavior is being configured. When /etc/pam.d/ is used, the name of the configuration file specifies the service. module-type specifies which of the four classes of PAM module functionality is being configured. These four classes are account (account management), auth (authentication), password (password management), and session (session management). control-flag specifies the behavior of the processing chain upon success or failure of the PAM module's authentication task. The following are valid values for control-flag: binding If the module succeeds and no earlier module in the chain has failed, the chain is immediately terminated and the request is granted. If the module fails, the rest of the chain is executed, but the request is ultimately denied. requisite If the module returns success, continue to execute the processing chain. If the module fails, immediately return the error code from the first 'required' failure. required If the module returns success, continue to execute the processing chain. If the module fails, record as a 'required' failure and continue to execute the processing chain. If there are any 'required' failures in the processing chain, the chain will ulti- mately return failure. optional If the module returns success, continue to execute the processing chain. If the module fails, record as an 'optional' failure and continue to execute the processing chain. sufficient If the module returns success and there have been no recorded 'required' failures, immediately return success without calling any subsequent modules in the processing chain. If the module fails, return as an 'optional' failure and continue to execute the processing chain. module-name specifies the module to execute for this stanza. This is either an absolute path name or a path name relative to the default module location: /usr/lib/security. options are additional options that may be specified for the module. Refer to the individual modules' documentation for more information on available options. In addition to the standard configuration stanza format, there is an additional stanza format available when /etc/pam.d/ is used: module-type include service-name This stanza format provides a simple inheritance model for processing chains. FILES
/etc/pam.conf monolithic PAM configuration file /etc/pam.d/ PAM service configuration file directory EXAMPLES
The following auth processing chain for the ``login'' service (located in /etc/pam.d/login) performs the following tasks: allows the login if the old user and new user are the same, verifies that logins are not disabled using the /var/run/nologin file, allows Kerberos 5 password authentication, and requires standard UNIX password authentication if Kerberos 5 failed: auth sufficient auth required auth sufficient auth required NOTES
It is important to note that loading a chain will fail if any of the components of the chain fail to load or are not available. A common situation when this can happen is on a system that where components such as kerberos(1) or crypto(3) have not been installed. In that situa- tion pam_krb5(8), pam_ksu(8), or pam_ssh(8) might not be present in the system. In order for a chain to load properly all non-present compo- nents must be removed from the chain. SEE ALSO
login(1), passwd(1), su(1), pam(3), pam(8) HISTORY
The pam.conf file format first appeared in NetBSD 3.0. BSD
March 17, 2005 BSD

Featured Tech Videos