This directory contains configuration files for the Pluggable
Authentication Modules (PAM) library.

Each file details the module chain for a single service, and must be
named after that service.  If no configuration file is found for a
particular service, /etc/pam.d/other is used instead.  If that file
does not exist, /etc/pam.conf is searched for entries matching the
specified service or, failing that, the "other" service.

See the pam(3) manual page for an explanation of the workings of the
PAM library and descriptions of the various files and modules.  Below
is a summary of the format for the pam.conf and /etc/pam.d/* files.

Configuration lines take the following form:

    module-type control-flag module-path arguments

Comments are introduced with a hash mark ('#').  Blank lines and lines
consisting entirely of comments are ignored.

The meanings of the different fields are as follows:

    module-type:
        auth:       prompt for a password to authenticate that the user is
                    who they say they are, and set any credentials.
        account:    non-authentication based authorization, based on time,
                    resources, etc.
        session:    housekeeping before and/or after login.
        password:   update authentication tokens.

    control-flag:   How libpam handles success or failure of the module.
        required:   success is required; on failure all remaining
                    modules are run, but the request will be denied.
        requisite:  success is required, and on failure no remaining
                    modules are run.
        sufficient: success is sufficient, and if no previous required
                    module failed, no remaining modules are run.
        binding:    success is sufficient; on failure all remaining
                    modules are run, but the request will be denied.
        optional:   ignored unless the other modules return PAM_IGNORE.

    arguments:      Module-specific options, plus some generic ones:
        debug:          syslog debug info.
        no_warn:        return no warning messages to the application.
                        Remove this to feed back to the user the
                        reason(s) they are being rejected.
        use_first_pass: try authentication using the password from the
                        preceding auth module.
        try_first_pass: first try authentication using the password from
                        the preceding auth module, and if that fails
                        prompt for a new password.
        use_mapped_pass: convert the cleartext password to a crypto key.
        expose_account: allow printing more info about the user when
                        prompting.

Note that having a "sufficient" module as the last entry for a
particular service and module type may result in surprising behaviour.
To get the intended semantics, add a "required" entry listing the
pam_deny module at the end of the chain.
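The following Python is an added illustration, not part of this README and not libpam's own dispatch code. It parses lines in the pam.conf format described above and evaluates a chain using the control-flag rules as listed (required, requisite, sufficient, binding, optional), then walks through the trailing-"sufficient" case from the closing note: in this model, a chain containing no required-style module evaluates to success when every module in it fails, and appending "required pam_deny" restores the expected denial. The service files, the module outcomes, and the use of pam_unix.so as the stand-in module are all constructed for the example; the result-code names mirror PAM's but their values here are just strings.

```python
"""Simplified model of PAM chain evaluation, derived from the control-flag
descriptions in this README.  Added example: not OpenPAM's dispatcher, and
every module outcome below is constructed rather than produced by a module."""

from dataclasses import dataclass

# Result codes named after their PAM counterparts; plain strings suffice here.
PAM_SUCCESS, PAM_AUTH_ERR, PAM_IGNORE = "PAM_SUCCESS", "PAM_AUTH_ERR", "PAM_IGNORE"

MODULE_TYPES = {"auth", "account", "session", "password"}
CONTROL_FLAGS = {"required", "requisite", "sufficient", "binding", "optional"}


@dataclass
class Entry:
    module_type: str
    control_flag: str
    module_path: str
    arguments: tuple


def parse_pam_config(text):
    """Parse pam.d-style lines: module-type control-flag module-path arguments.
    '#' starts a comment; blank and comment-only lines are ignored."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"line {lineno}: expected at least 3 fields")
        mtype, flag, path, *args = fields
        if mtype not in MODULE_TYPES:
            raise ValueError(f"line {lineno}: unknown module-type {mtype!r}")
        if flag not in CONTROL_FLAGS:
            raise ValueError(f"line {lineno}: unknown control-flag {flag!r}")
        entries.append(Entry(mtype, flag, path, tuple(args)))
    return entries


def run_chain(entries, module_type, outcomes):
    """Evaluate the chain for one module type.  `outcomes` maps a module path
    to the code that module is assumed to return (a constructed stand-in for
    calling the module).  Returns the overall result for the request."""
    err = None    # code returned by the first module to fail
    fail = False  # set once a required, binding or requisite module fails
    for e in entries:
        if e.module_type != module_type:
            continue
        r = outcomes.get(e.module_path, PAM_AUTH_ERR)  # unknown module: deny
        if r == PAM_IGNORE:
            continue
        if r == PAM_SUCCESS:
            # sufficient/binding success ends the chain, unless something
            # required already failed (then the request is denied anyway).
            if e.control_flag in ("sufficient", "binding") and not fail:
                break
            continue
        # The module failed.
        if err is None:
            err = r
        if e.control_flag in ("required", "binding") and not fail:
            fail, err = True, r
        if e.control_flag == "requisite":
            fail = True
            break  # no remaining modules are run
    # No required-style failure means success, even if a sufficient or
    # optional module at the end of the chain returned an error.
    return err if fail else PAM_SUCCESS


# Constructed service files illustrating the closing note of this README.
SURPRISING = """\
# auth chain whose last entry is a "sufficient" module
auth    sufficient  pam_unix.so     no_warn try_first_pass
"""
INTENDED = SURPRISING + "auth    required    pam_deny.so\n"


def auth_result(config, password_ok):
    """Outcome of the auth chain; pam_unix.so accepts or rejects the
    (constructed) password, pam_deny.so always fails."""
    unix = PAM_SUCCESS if password_ok else PAM_AUTH_ERR
    entries = parse_pam_config(config)
    return run_chain(entries, "auth", {"pam_unix.so": unix, "pam_deny.so": PAM_AUTH_ERR})


if __name__ == "__main__":
    print("sufficient last, wrong password:", auth_result(SURPRISING, False))  # PAM_SUCCESS (!)
    print("with pam_deny,   wrong password:", auth_result(INTENDED, False))    # PAM_AUTH_ERR
    print("with pam_deny,   good password :", auth_result(INTENDED, True))     # PAM_SUCCESS
```

Running the block prints the three outcomes. The first line is the surprise the note warns about: with only a "sufficient" entry, a rejected password still yields an overall success in this model, because nothing marked required failed. The "required pam_deny" entry is never reached when pam_unix succeeds (the sufficient success stops the chain) and turns the all-failed case into a denial.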