NetBSD/share/man/man5/pam.conf.5

224 lines
6.7 KiB
Groff

.\" $NetBSD: pam.conf.5,v 1.8 2005/03/17 12:55:26 wiz Exp $
.\"
.\" Copyright (c) 2005 The NetBSD Foundation, Inc.
.\" All rights reserved.
.\"
.\" This code is derived from software contributed to The NetBSD Foundation
.\" by Jason R. Thorpe.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\" 3. All advertising materials mentioning features or use of this software
.\" must display the following acknowledgement:
.\" This product includes software developed by the NetBSD
.\" Foundation, Inc. and its contributors.
.\" 4. Neither the name of The NetBSD Foundation nor the names of its
.\" contributors may be used to endorse or promote products derived
.\" from this software without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
.\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
.\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
.\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd March 17, 2005
.Dt PAM.CONF 5
.Os
.Sh NAME
.Nm pam.conf
.Nd Pluggable Authentication Modules configuration file
.Sh DESCRIPTION
The
.Nm
file specifies how Pluggable Authentication Modules
.Pq PAM
should operate.
For an overview of the Pluggable Authentication Modules framework, see
.Xr pam 8 .
.Pp
PAM may be configured using a single
.Pa /etc/pam.conf
configuration file or by using multiple configuration files, one for each
PAM-aware service, located in the
.Pa /etc/pam.d/
directory.
If
.Pa /etc/pam.d/
exists,
.Pa /etc/pam.conf
will be ignored.
.Pa /etc/pam.d/
is the preferred method for configuring PAM.
.Pp
PAM's configuration is based on
.Dq stacking
different modules together to form a processing chain for the task.
A standard PAM configuration stanza is structured as follows:
.Bd -filled -offset indent
.Op Ar service-name
.Ar module-type
.Ar control-flag
.Ar module-name
.Op Ar options
.Ed
.Pp
.Ar service-name
is used only
.Pq and is mandatory
in
.Pa /etc/pam.conf .
It specifies the PAM-aware service whose PAM behavior is being configured.
When
.Pa /etc/pam.d/
is used, the name of the configuration file specifies the service.
.Pp
.Ar module-type
specifies which of the four classes of PAM module functionality is being
configured.
These four classes are
.Em account
.Pq account management ,
.Em auth
.Pq authentication ,
.Em password
.Pq password management ,
and
.Em session
.Pq session management .
.Pp
.Ar control-flag
specifies the behavior of the processing chain upon success or failure
of the PAM module's authentication task.
The following are valid values for
.Ar control-flag :
.Bl -tag -width sufficient
.It binding
If the module succeeds and no earlier module in the chain
has failed, the chain is immediately terminated and the
request is granted.
If the module fails, the rest of the chain is executed,
but the request is ultimately denied.
.It requisite
If the module returns success, continue to execute the processing chain.
If the module fails, immediately return the error code from the first
.Sq required
failure.
.It required
If the module returns success, continue to execute the processing chain.
If the module fails, record as a
.Sq required
failure and continue to execute the processing chain.
If there are any
.Sq required
failures in the processing chain, the chain will ultimately return
failure.
.It optional
If the module returns success, continue to execute the processing chain.
If the module fails, record as an
.Sq optional
failure and continue to execute the processing chain.
.It sufficient
If the module returns success and there have been no recorded
.Sq required
failures, immediately return success without calling any subsequent
modules in the processing chain.
If the module fails, return as an
.Sq optional
failure and continue to execute the processing chain.
.El
.Pp
.Ar module-name
specifies the module to execute for this stanza.
This is either an absolute path name or a path name relative to the
default module location:
.Pa /usr/lib/security .
.Pp
.Ar options
are additional options that may be specified for the module.
Refer to the individual modules' documentation for more information
on available options.
.Pp
In addition to the standard configuration stanza format, there is
an additional stanza format available when
.Pa /etc/pam.d/
is used:
.Bd -filled -offset indent
.Ar module-type
include
.Ar service-name
.Ed
.Pp
This stanza format provides a simple inheritance model for processing
chains.
.Sh FILES
.Bl -tag -width /etc/pam.conf -compact
.It Pa /etc/pam.conf
monolithic PAM configuration file
.It Pa /etc/pam.d/
PAM service configuration file directory
.El
.Sh EXAMPLES
The following
.Em auth
processing chain for the
.Dq login
service
.Po
located in
.Pa /etc/pam.d/login
.Pc
performs the following tasks: allows the login if the old user
and new user are the same, verifies that logins are not disabled using
the
.Pa /var/run/nologin
file, allows Kerberos 5 password authentication, and requires standard
.Ux
password authentication if Kerberos 5 failed:
.Bd -literal -offset indent
auth sufficient pam_self.so
auth required pam_nologin.so
auth sufficient pam_krb5.so
auth required pam_unix.so
.Ed
.Sh NOTES
It is important to note that loading a chain will fail if any of the
components of the chain fail to load or are not available.
A common situation when this can happen is on a system that where
components such as
.Xr kerberos 1
or
.Xr crypto 3
have not been installed.
In that situation
.Xr pam_krb5 8 ,
.Xr pam_ksu 8 ,
or
.Xr pam_ssh 8
might not be present in the system.
In order for a chain to load properly all non-present components must
be removed from the chain.
.Sh SEE ALSO
.Xr login 1 ,
.Xr passwd 1 ,
.Xr su 1 ,
.Xr pam 3 ,
.Xr pam 8
.Sh HISTORY
The
.Nm
file format first appeared in
.Nx 3.0 .