217 lines
6.2 KiB
Groff
217 lines
6.2 KiB
Groff
.\" $NetBSD: pam.conf.5,v 1.9 2008/04/30 13:10:57 martin Exp $
|
|
.\"
|
|
.\" Copyright (c) 2005 The NetBSD Foundation, Inc.
|
|
.\" All rights reserved.
|
|
.\"
|
|
.\" This code is derived from software contributed to The NetBSD Foundation
|
|
.\" by Jason R. Thorpe.
|
|
.\"
|
|
.\" Redistribution and use in source and binary forms, with or without
|
|
.\" modification, are permitted provided that the following conditions
|
|
.\" are met:
|
|
.\" 1. Redistributions of source code must retain the above copyright
|
|
.\" notice, this list of conditions and the following disclaimer.
|
|
.\" 2. Redistributions in binary form must reproduce the above copyright
|
|
.\" notice, this list of conditions and the following disclaimer in the
|
|
.\" documentation and/or other materials provided with the distribution.
|
|
.\"
|
|
.\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
|
|
.\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
|
|
.\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
|
|
.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
|
|
.\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
|
|
.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
|
|
.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
|
|
.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
|
|
.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
|
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
|
.\" POSSIBILITY OF SUCH DAMAGE.
|
|
.\"
|
|
.Dd March 17, 2005
|
|
.Dt PAM.CONF 5
|
|
.Os
|
|
.Sh NAME
|
|
.Nm pam.conf
|
|
.Nd Pluggable Authentication Modules configuration file
|
|
.Sh DESCRIPTION
|
|
The
|
|
.Nm
|
|
file specifies how Pluggable Authentication Modules
|
|
.Pq PAM
|
|
should operate.
|
|
For an overview of the Pluggable Authentication Modules framework, see
|
|
.Xr pam 8 .
|
|
.Pp
|
|
PAM may be configured using a single
|
|
.Pa /etc/pam.conf
|
|
configuration file or by using multiple configuration files, one for each
|
|
PAM-aware service, located in the
|
|
.Pa /etc/pam.d/
|
|
directory.
|
|
If
|
|
.Pa /etc/pam.d/
|
|
exists,
|
|
.Pa /etc/pam.conf
|
|
will be ignored.
|
|
.Pa /etc/pam.d/
|
|
is the preferred method for configuring PAM.
|
|
.Pp
|
|
PAM's configuration is based on
|
|
.Dq stacking
|
|
different modules together to form a processing chain for the task.
|
|
A standard PAM configuration stanza is structured as follows:
|
|
.Bd -filled -offset indent
|
|
.Op Ar service-name
|
|
.Ar module-type
|
|
.Ar control-flag
|
|
.Ar module-name
|
|
.Op Ar options
|
|
.Ed
|
|
.Pp
|
|
.Ar service-name
|
|
is used only
|
|
.Pq and is mandatory
|
|
in
|
|
.Pa /etc/pam.conf .
|
|
It specifies the PAM-aware service whose PAM behavior is being configured.
|
|
When
|
|
.Pa /etc/pam.d/
|
|
is used, the name of the configuration file specifies the service.
|
|
.Pp
|
|
.Ar module-type
|
|
specifies which of the four classes of PAM module functionality is being
|
|
configured.
|
|
These four classes are
|
|
.Em account
|
|
.Pq account management ,
|
|
.Em auth
|
|
.Pq authentication ,
|
|
.Em password
|
|
.Pq password management ,
|
|
and
|
|
.Em session
|
|
.Pq session management .
|
|
.Pp
|
|
.Ar control-flag
|
|
specifies the behavior of the processing chain upon success or failure
|
|
of the PAM module's authentication task.
|
|
The following are valid values for
|
|
.Ar control-flag :
|
|
.Bl -tag -width sufficient
|
|
.It binding
|
|
If the module succeeds and no earlier module in the chain
|
|
has failed, the chain is immediately terminated and the
|
|
request is granted.
|
|
If the module fails, the rest of the chain is executed,
|
|
but the request is ultimately denied.
|
|
.It requisite
|
|
If the module returns success, continue to execute the processing chain.
|
|
If the module fails, immediately return the error code from the first
|
|
.Sq required
|
|
failure.
|
|
.It required
|
|
If the module returns success, continue to execute the processing chain.
|
|
If the module fails, record as a
|
|
.Sq required
|
|
failure and continue to execute the processing chain.
|
|
If there are any
|
|
.Sq required
|
|
failures in the processing chain, the chain will ultimately return
|
|
failure.
|
|
.It optional
|
|
If the module returns success, continue to execute the processing chain.
|
|
If the module fails, record as an
|
|
.Sq optional
|
|
failure and continue to execute the processing chain.
|
|
.It sufficient
|
|
If the module returns success and there have been no recorded
|
|
.Sq required
|
|
failures, immediately return success without calling any subsequent
|
|
modules in the processing chain.
|
|
If the module fails, return as an
|
|
.Sq optional
|
|
failure and continue to execute the processing chain.
|
|
.El
|
|
.Pp
|
|
.Ar module-name
|
|
specifies the module to execute for this stanza.
|
|
This is either an absolute path name or a path name relative to the
|
|
default module location:
|
|
.Pa /usr/lib/security .
|
|
.Pp
|
|
.Ar options
|
|
are additional options that may be specified for the module.
|
|
Refer to the individual modules' documentation for more information
|
|
on available options.
|
|
.Pp
|
|
In addition to the standard configuration stanza format, there is
|
|
an additional stanza format available when
|
|
.Pa /etc/pam.d/
|
|
is used:
|
|
.Bd -filled -offset indent
|
|
.Ar module-type
|
|
include
|
|
.Ar service-name
|
|
.Ed
|
|
.Pp
|
|
This stanza format provides a simple inheritance model for processing
|
|
chains.
|
|
.Sh FILES
|
|
.Bl -tag -width /etc/pam.conf -compact
|
|
.It Pa /etc/pam.conf
|
|
monolithic PAM configuration file
|
|
.It Pa /etc/pam.d/
|
|
PAM service configuration file directory
|
|
.El
|
|
.Sh EXAMPLES
|
|
The following
|
|
.Em auth
|
|
processing chain for the
|
|
.Dq login
|
|
service
|
|
.Po
|
|
located in
|
|
.Pa /etc/pam.d/login
|
|
.Pc
|
|
performs the following tasks: allows the login if the old user
|
|
and new user are the same, verifies that logins are not disabled using
|
|
the
|
|
.Pa /var/run/nologin
|
|
file, allows Kerberos 5 password authentication, and requires standard
|
|
.Ux
|
|
password authentication if Kerberos 5 failed:
|
|
.Bd -literal -offset indent
|
|
auth sufficient pam_self.so
|
|
auth required pam_nologin.so
|
|
auth sufficient pam_krb5.so
|
|
auth required pam_unix.so
|
|
.Ed
|
|
.Sh NOTES
|
|
It is important to note that loading a chain will fail if any of the
|
|
components of the chain fail to load or are not available.
|
|
A common situation when this can happen is on a system that where
|
|
components such as
|
|
.Xr kerberos 1
|
|
or
|
|
.Xr crypto 3
|
|
have not been installed.
|
|
In that situation
|
|
.Xr pam_krb5 8 ,
|
|
.Xr pam_ksu 8 ,
|
|
or
|
|
.Xr pam_ssh 8
|
|
might not be present in the system.
|
|
In order for a chain to load properly all non-present components must
|
|
be removed from the chain.
|
|
.Sh SEE ALSO
|
|
.Xr login 1 ,
|
|
.Xr passwd 1 ,
|
|
.Xr su 1 ,
|
|
.Xr pam 3 ,
|
|
.Xr pam 8
|
|
.Sh HISTORY
|
|
The
|
|
.Nm
|
|
file format first appeared in
|
|
.Nx 3.0 .
|