xref: /freebsd/contrib/openpam/doc/man/pam.conf.5 (revision 1719886f6d08408b834d270c59ffcfd821c8f63a)
1.\"-
2.\" Copyright (c) 2005-2017 Dag-Erling Smørgrav
3.\" All rights reserved.
4.\"
5.\" Redistribution and use in source and binary forms, with or without
6.\" modification, are permitted provided that the following conditions
7.\" are met:
8.\" 1. Redistributions of source code must retain the above copyright
9.\"    notice, this list of conditions and the following disclaimer.
10.\" 2. Redistributions in binary form must reproduce the above copyright
11.\"    notice, this list of conditions and the following disclaimer in the
12.\"    documentation and/or other materials provided with the distribution.
13.\" 3. The name of the author may not be used to endorse or promote
14.\"    products derived from this software without specific prior written
15.\"    permission.
16.\"
17.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
18.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
21.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
27.\" SUCH DAMAGE.
28.\"
29.Dd June 27, 2023
30.Dt PAM.CONF 5
31.Os
32.Sh NAME
33.Nm pam.conf
34.Nd PAM policy file format
35.Sh DESCRIPTION
36The PAM library searches for policies in the following files, in
37decreasing order of preference:
38.Bl -enum
39.It
40.Pa /etc/pam.d/ Ns Ar service-name
41.It
42.Pa /etc/pam.conf
43.It
44.Pa /usr/local/etc/pam.d/ Ns Ar service-name
45.It
46.Pa /usr/local/etc/pam.conf
47.El
48.Pp
49If none of these locations contains a policy for the given service,
50the
51.Dq Dv other
52policy is used instead, if it exists.
53.Pp
54Entries in per-service policy files must be of one of the two forms
55below:
56.Bd -unfilled -offset indent
57.Ar facility control-flag module-path Op Ar arguments ...
58.Ar facility Cm include Ar other-service-name
59.Ed
60.Pp
61Entries in
62.Pa pam.conf Ns -style
63policy files are of the same form, but are prefixed by an additional
64field specifying the name of the service they apply to.
65.Pp
66In both cases, blank lines and comments introduced by a
67.Ql #
68sign are ignored, and the normal shell quoting rules apply.
69The precise details of how the file is tokenized are described in
70.Xr openpam_readword 3 .
71.Pp
72The
73.Ar facility
74field specifies the facility the entry applies to, and is one of:
75.Bl -tag -width 12n
76.It Cm auth
77Authentication functions
78.Po
79.Xr pam_authenticate 3 ,
80.Xr pam_setcred 3
81.Pc
82.It Cm account
83Account management functions
84.Pq Xr pam_acct_mgmt 3
85.It Cm session
86Session handling functions
87.Po
88.Xr pam_open_session 3 ,
89.Xr pam_close_session 3
90.Pc
91.It Cm password
92Password management functions
93.Pq Xr pam_chauthtok 3
94.El
95.Pp
96The
97.Ar control-flag
98field determines how the result returned by the module affects the
99flow of control through (and the final result of) the rest of the
100chain, and is one of:
101.Bl -tag -width 12n
102.It Cm required
103If this module succeeds, the result of the chain will be success
104unless a later module fails.
105If it fails, the rest of the chain still runs, but the final result
106will be failure regardless of the success of later modules.
107.It Cm requisite
108If this module succeeds, the result of the chain will be success
109unless a later module fails.
110If the module fails, the chain is broken and the result is failure.
111.It Cm sufficient
112If this module succeeds, the chain is broken and the result is
113success.
114If it fails, the rest of the chain still runs, but the final result
115will be failure unless a later module succeeds.
116.It Cm binding
117If this module succeeds, the chain is broken and the result is
118success.
119If it fails, the rest of the chain still runs, but the final result
120will be failure regardless of the success of later modules.
121.It Cm optional
122If this module succeeds, the result of the chain will be success
123unless a later module fails.
124If this module fails, the result of the chain will be failure unless a
125later module succeeds.
126.El
127.Pp
128There are two exceptions to the above:
129.Cm sufficient
130and
131.Cm binding
132modules are treated as
133.Cm optional
134by
135.Xr pam_setcred 3 ,
136and in the
137.Dv PAM_PRELIM_CHECK
138phase of
139.Xr pam_chauthtok 3 .
140.Pp
141The
142.Ar module-path
143field specifies the name or full path of the module to call.
144If only the name is specified, the PAM library will search for it in
145the following locations:
146.Bl -enum
147.It
148.Pa /usr/lib
149.It
150.Pa /usr/local/lib
151.El
152.Pp
153The remaining fields, if any, are passed unmodified to the module if
154and when it is invoked.
155.Pp
156The
157.Cm include
158form of entry causes entries from a different chain (specified by
159.Ar other-system-name )
160to be included in the current one.
161This allows one to define system-wide policies which are then included
162into service-specific policies.
163The system-wide policy can then be modified without having to also
164modify each and every service-specific policy.
165.Pp
166.Bf -symbolic
167Take care not to introduce loops when using
168.Cm include
169rules, as there is currently no loop detection in place.
170.Ef
171.Sh MODULE OPTIONS
172Some PAM library functions may alter their behavior when called by a
173service module if certain module options were specified, regardless of
174whether the module itself accords them any importance.
175One such option is
176.Cm debug ,
177which causes the dispatcher to enable debugging messages before
178calling each service function, and disable them afterwards (unless
179they were already enabled).
180Other special options include:
181.Bl -tag -width 12n
182.It Cm authtok_prompt Ns = Ns Ar prompt , Cm oldauthtok_prompt Ns = Ns Ar prompt , Cm user_prompt Ns = Ns Ar prompt
183These options can be used to override the prompts used by
184.Xr pam_get_authtok 3
185and
186.Xr pam_get_user 3 .
187.It Cm echo_pass
188This option controls whether
189.Xr pam_get_authtok 3
190will allow the user to see what they are typing.
191.It Cm try_first_pass , Cm use_first_pass
192These options control
193.Xr pam_get_authtok 3 Ns 's
194use of cached authentication tokens.
195.El
196.Sh SEE ALSO
197.Xr pam 3
198.Sh STANDARDS
199.Rs
200.%T "X/Open Single Sign-On Service (XSSO) - Pluggable Authentication Modules"
201.%D "June 1997"
202.Re
203.Sh AUTHORS
204The OpenPAM library was developed for the
205.Fx
206Project by ThinkSec AS and Network Associates Laboratories, the
207Security Research Division of Network Associates, Inc.\& under
208DARPA/SPAWAR contract N66001-01-C-8035
209.Pq Dq CBOSS ,
210as part of the DARPA CHATS research program.
211.Pp
212The OpenPAM library is maintained by
213.An Dag-Erling Sm\(/orgrav Aq Mt des@des.no .
214