NetBSD 6.1.5 - man page for pam.conf (netbsd section 5)

PAM.CONF(5)			     BSD File Formats Manual			      PAM.CONF(5)

     pam.conf -- Pluggable Authentication Modules configuration file

     The pam.conf file specifies how Pluggable Authentication Modules (PAM) should operate.  For
     an overview of the Pluggable Authentication Modules framework, see pam(8).

     PAM may be configured using a single /etc/pam.conf configuration file or by using multiple
     configuration files, one for each PAM-aware service, located in the /etc/pam.d/ directory.
     If /etc/pam.d/ exists, /etc/pam.conf will be ignored.  /etc/pam.d/ is the preferred method
     for configuring PAM.

     PAM's configuration is based on ``stacking'' different modules together to form a processing
     chain for the task.  A standard PAM configuration stanza is structured as follows:

	   [service-name] module-type control-flag module-name [options]

     service-name is used only (and is mandatory) in /etc/pam.conf.  It specifies the PAM-aware
     service whose PAM behavior is being configured.  When /etc/pam.d/ is used, the name of the
     configuration file specifies the service.

     module-type specifies which of the four classes of PAM module functionality is being config-
     ured.  These four classes are account (account management), auth (authentication), password
     (password management), and session (session management).

     control-flag specifies the behavior of the processing chain upon success or failure of the
     PAM module's authentication task.	The following are valid values for control-flag:

     binding	 If the module succeeds and no earlier module in the chain has failed, the chain
		 is immediately terminated and the request is granted.	If the module fails, the
		 rest of the chain is executed, but the request is ultimately denied.

     requisite	 If the module returns success, continue to execute the processing chain.  If the
		 module fails, immediately return the error code from the first 'required' fail-

     required	 If the module returns success, continue to execute the processing chain.  If the
		 module fails, record as a 'required' failure and continue to execute the pro-
		 cessing chain.  If there are any 'required' failures in the processing chain,
		 the chain will ultimately return failure.

     optional	 If the module returns success, continue to execute the processing chain.  If the
		 module fails, record as an 'optional' failure and continue to execute the pro-
		 cessing chain.

     sufficient  If the module returns success and there have been no recorded 'required' fail-
		 ures, immediately return success without calling any subsequent modules in the
		 processing chain.  If the module fails, return as an 'optional' failure and con-
		 tinue to execute the processing chain.

     module-name specifies the module to execute for this stanza.  This is either an absolute
     path name or a path name relative to the default module location: /usr/lib/security.

     options are additional options that may be specified for the module.  Refer to the individ-
     ual modules' documentation for more information on available options.

     In addition to the standard configuration stanza format, there is an additional stanza for-
     mat available when /etc/pam.d/ is used:

	   module-type include service-name

     This stanza format provides a simple inheritance model for processing chains.

     /etc/pam.conf  monolithic PAM configuration file
     /etc/pam.d/    PAM service configuration file directory

     The following auth processing chain for the ``login'' service (located in /etc/pam.d/login)
     performs the following tasks: allows the login if the old user and new user are the same,
     verifies that logins are not disabled using the /var/run/nologin file, allows Kerberos 5
     password authentication, and requires standard UNIX password authentication if Kerberos 5

	   auth    sufficient	   pam_self.so
	   auth    required	   pam_nologin.so
	   auth    sufficient	   pam_krb5.so
	   auth    required	   pam_unix.so

     It is important to note that loading a chain will fail if any of the components of the chain
     fail to load or are not available.  A common situation when this can happen is on a system
     where components such as kerberos(1) or crypto(3) have not been installed.  In that
     situation pam_krb5(8), pam_ksu(8), or pam_ssh(8) might not be present in the system.  In
     order for a chain to load properly all non-present components must be removed from the
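     A pre-deployment check for the load failure described above, as an added example (not part
     of the original manual page).  The function names and the sample directory are this
     example's own; it tests only the literal module path and does not model any fallback file
     names the PAM loader may try.

```python
# Added example: report stanzas whose module file is absent, before the
# chain is put into service.  Not code from NetBSD or OpenPAM.
import os
import tempfile

DEFAULT_MODULE_DIR = "/usr/lib/security"  # default module location named above

# Constructed sample: the login chain from this page.
LOGIN_AUTH = """\
auth    sufficient      pam_self.so
auth    required        pam_nologin.so
auth    sufficient      pam_krb5.so
auth    required        pam_unix.so
"""


def missing_modules(pam_d, module_dir=DEFAULT_MODULE_DIR):
    """Return (service, line number, module path) for each stanza under the
    pam_d directory whose module file does not exist."""
    problems = []
    for service in sorted(os.listdir(pam_d)):
        path = os.path.join(pam_d, service)
        if not os.path.isfile(path):
            continue
        with open(path, encoding="utf-8", errors="replace") as fh:
            for lineno, line in enumerate(fh, 1):
                fields = line.split("#", 1)[0].split()
                # Skip blank or short lines and 'module-type include service-name'.
                if len(fields) < 3 or fields[1] == "include":
                    continue
                module = fields[2]
                if not os.path.isabs(module):  # relative to the default location
                    module = os.path.join(module_dir, module)
                if not os.path.exists(module):
                    problems.append((service, lineno, module))
    return problems


def demo():
    """Constructed layout: a host where the Kerberos module is not installed."""
    with tempfile.TemporaryDirectory() as root:
        pam_d, mods = os.path.join(root, "pam.d"), os.path.join(root, "security")
        os.makedirs(pam_d)
        os.makedirs(mods)
        for name in ("pam_self.so", "pam_nologin.so", "pam_unix.so"):
            open(os.path.join(mods, name), "w").close()
        with open(os.path.join(pam_d, "login"), "w") as fh:
            fh.write(LOGIN_AUTH)
        found = missing_modules(pam_d, mods)
        return [(svc, n, os.path.basename(m)) for svc, n, m in found]
```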

     login(1), passwd(1), su(1), pam(3), pam(8)

     The pam.conf file format first appeared in NetBSD 3.0.

BSD					  March 17, 2005				      BSD
