Linux and UNIX Man Pages

Linux & Unix Commands - Search Man Pages

pam_sample(5) [v7 man page]

pam_sample(5)															     pam_sample(5)

NAME
pam_sample - a sample PAM module SYNOPSIS
/usr/lib/security/pam_sample.so.1 The SAMPLE service module for PAM is divided into four components: authentication, account management, password management, and session management. The sample module is a shared object that is dynamically loaded to provide the necessary functionality. SAMPLE Authentication Component The SAMPLE authentication module provides functions to test the PAM framework functionality using the pam_sm_authenticate(3PAM) call. The SAMPLE module implementation of the pam_sm_authenticate(3PAM) function compares the user entered password with the password set in the pam.conf(4) file, or the string "test" if a default test password has not been set. The following options can be passed in to the SAMPLE Authentication module: debug Syslog debugging information at the LOG_DEBUG level. passwd=newone Sets the password to be "newone." first_pass_good The first password is always good when used with the use_first_pass or try_first_pass option. first_pass_bad The first password is always bad when used with the use_first_pass or try_first_pass option. always_fail Always returns PAM_AUTH_ERR. always_succeed Always returns PAM_SUCCESS. always_ignore Always returns PAM_IGNORE. use_first_pass Use the user's initial password (entered when the user is authenticated to the first authentication module in the stack) to authenticate with the SAMPLE module. If the passwords do not match, or if this is the first authentica- tion module in the stack, quit and do not prompt the user for a password. It is recommended that this option only be used if the SAMPLE authentication module is designated as optional in the pam.conf configuration file. try_first_pass Use the user's initial password (entered when the user is authenticated to the first authentication module in the stack) to authenticate with the SAMPLE module. If the passwords do not match, or if this is the first authentica- tion module in the stack, prompt the user for a password. The SAMPLE module pam_sm_setcred(3PAM) function always returns PAM_SUCCESS. SAMPLE Account Management Component The SAMPLE Account Management Component implements a simple access control scheme that limits machine access to a list of authorized users. The list of authorized users is supplied as option arguments to the entry for the SAMPLE account management PAM module in the pam.conf file. Note that the module always permits access to the root super user. The option field syntax to limit access is shown below: allow= name[,name] allow= name [allow=name] The example pam.conf show below permits only larry to login directly. rlogin is allowed only for don and larry. Once a user is logged in, the user can use su if the user are sam or eric. login account require pam_sample.so.1 allow=larry dtlogin account require pam_sample.so.1 allow=larry rlogin account require pam_sample.so.1 allow=don allow=larry su account require pam_sample.so.1 allow=sam,eric The debug and nowarn options are also supported. SAMPLE Password Management Component The SAMPLE Password Management Component function ( pam_sm_chauthtok(3PAM)), always returns PAM_SUCCESS. SAMPLE Session Management Component The SAMPLE Session Management Component functions ( pam_sm_open_session(3PAM), pam_sm_close_session(3PAM)) always return PAM_SUCCESS. See attributes(5) for description of the following attributes: +-----------------------------+-----------------------------+ | ATTRIBUTE TYPE | ATTRIBUTE VALUE | |MT Level |MT-Safe with exceptions | +-----------------------------+-----------------------------+ pam(3PAM), pam_sm_authenticate(3PAM), pam_sm_chauthtok(3PAM), pam_sm_close_session(3PAM), pam_sm_open_session(3PAM), pam_sm_setcred(3PAM), libpam(3LIB), pam.conf(4), attributes(5) This module should never be used outside of a closed debug environment. The examples of the use_first_pass and try_first_pass options are obsolete for all other Solaris delivered PAM service modules The interfaces in libpam() are MT-Safe only if each thread within the multi-threaded application uses its own PAM handle. 16 Aug 2005 pam_sample(5)
Man Page