File:  [ELWIX - Embedded LightWeight unIX -] / elwix / config / etc / default / pam.d / README
Tue Jul 5 23:43:00 2011 UTC (13 years ago) by misho
CVS tags: MAIN, HEAD
Initial revision

This directory contains configuration files for the Pluggable
Authentication Modules (PAM) library.

Each file details the module chain for a single service, and must be
named after that service.  If no configuration file is found for a
particular service, the /etc/pam.d/other is used instead.  If that
file does not exist, /etc/pam.conf is searched for entries matching
the specified service or, failing that, the "other" service.

See the pam(8) manual page for an explanation of the workings of the
PAM library and descriptions of the various files and modules.  Below
is a summary of the format for the pam.conf and /etc/pam.d/* files.

Configuration lines take the following form:

module-type	control-flag	module-path	arguments

Comments are introduced with a hash mark ('#').  Blank lines and lines
consisting entirely of comments are ignored.

The meanings of the different fields are as follows:

 module-type:
   auth:      prompt for a password to authenticate that the user is
              who they say they are, and set any credentials.
   account:   non-authentication based authorization, based on time,
              resources, etc.
   session:   housekeeping before and/or after login.
   password:  update authentication tokens.

 control-flag: How libpam handles success or failure of the module.
   required:   success is required; on failure all remaining
               modules are run, but the request will be denied.
   requisite:  success is required, and on failure no remaining
               modules are run.
   sufficient: success is sufficient, and if no previous required
               module failed, no remaining modules are run.
   binding:    success is sufficient; on failure all remaining
               modules are run, but the request will be denied.
   optional:   ignored unless the other modules return PAM_IGNORE.

 arguments: Module-specific options, plus some generic ones:
   debug:           syslog debug info.
   no_warn:         return no warning messages to the application.
                    Remove this to feed back to the user the
                    reason(s) they are being rejected.
   use_first_pass:  try authentication using password from the
                    preceding auth module.
   try_first_pass:  first try authentication using password from
                    the preceding auth module, and if that fails
                    prompt for a new password.
   use_mapped_pass: convert cleartext password to a crypto key.
   expose_account:  allow printing more info about the user when
                    prompting.

Note that having a "sufficient" module as the last entry for a
particular service and module type may result in surprising behaviour.
To get the intended semantics, add a "required" entry listing the
pam_deny module at the end of the chain.
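
The note above can be checked mechanically. The following is an added
example, not part of the original README or of the PAM sources: a small
linter that parses the /etc/pam.d/* line format described here and
reports every module type whose chain ends on a "sufficient" entry.  The
function names and the sample chains are constructed for illustration.

```python
# Added example: lint a pam.d-style chain for a trailing "sufficient" entry.
# Handles the /etc/pam.d/* layout only (no leading service field as in pam.conf).
TYPES = {"auth", "account", "session", "password"}


def parse_chain(text):
    """Return (lineno, module_type, control_flag, module_path, args) tuples."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # '#' introduces a comment
        if not line:
            continue  # blank and comment-only lines are ignored
        fields = line.split()
        if len(fields) < 3 or fields[0] not in TYPES:
            raise ValueError(
                f"line {lineno}: expected module-type control-flag module-path"
            )
        entries.append((lineno, fields[0], fields[1], fields[2], fields[3:]))
    return entries


def trailing_sufficient(text):
    """Module types whose last entry is 'sufficient' (no pam_deny backstop)."""
    last = {}
    for _lineno, mtype, flag, _path, _args in parse_chain(text):
        last[mtype] = flag  # later entries overwrite earlier ones
    return sorted(t for t, flag in last.items() if flag == "sufficient")


# Constructed sample input, not taken from a real system.
WEAK = """\
# su-like service: the auth chain ends on a "sufficient" module
auth      sufficient  pam_rootok.so  no_warn
auth      sufficient  pam_unix.so    no_warn try_first_pass
account   required    pam_unix.so
"""
# Corrected chain: a "required" pam_deny entry closes the auth chain.
FIXED = WEAK + "auth      required    pam_deny.so\n"

if __name__ == "__main__":
    for name, conf in (("WEAK", WEAK), ("FIXED", FIXED)):
        print(name, "trailing sufficient:", trailing_sufficient(conf) or "none")
```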

$FreeBSD: src/etc/pam.d/README,v 1.5 2004/06/06 11:46:29 schweikh Exp $
