te
Copyright (c) 2007, Sun Microsystems, Inc. All Rights Reserved
The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License.
You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing. See the License for the specific language governing permissions and limitations under the License.
When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
pam_sample - a sample PAM module

pam_sample.so.1

The SAMPLE service module for PAM, pam_sample.so.1, is divided into four components: authentication, account management, password management, and session management. The SAMPLE authentication module provides functions to test the PAM framework functionality using the pam_sm_authenticate(3PAM) call. The SAMPLE module implementation of the pam_sm_authenticate(3PAM) function compares the user entered password with the password set in the pam.conf(5) file, or the string "test" if a default test password has not been set. The following options can be passed in to the SAMPLE Authentication module: debug pass=newone first_pass_good first_pass_bad always_fail always_succeed always_ignore use_first_pass try_first_pass The SAMPLE Account Management Component implements a simple access control scheme that limits machine access to a list of authorized users. The list of authorized users is supplied as option arguments to the entry for the SAMPLE account management PAM module in the pam.conf file. Note that the module always permits access to the root super user.

The option field syntax to limit access is shown below: allow= name[,name] allow= name [allow=name]

The example pam.conf show below permits only larry to login directly. rlogin is allowed only for don and larry. Once a user is logged in, the user can use su if the user are sam or eric.

login account require pam_sample.so.1 allow=larry

dtlogin account require pam_sample.so.1 allow=larry

rlogin account require pam_sample.so.1 allow=don allow=larry

su account require pam_sample.so.1 allow=sam,eric

The debug and nowarn options are also supported.

The SAMPLE Password Management Component function ( pam_sm_chauthtok(3PAM)), always returns PAM_SUCCESS. The SAMPLE Session Management Component functions ( pam_sm_open_session(3PAM), pam_sm_close_session(3PAM)) always return PAM_SUCCESS. See attributes(7) for description of the following attributes:

ATTRIBUTE TYPE ATTRIBUTE VALUE

MT Level MT-Safe with exceptions

libpam (3LIB), pam (3PAM), pam_sm_authenticate (3PAM), pam_sm_chauthtok (3PAM), pam_sm_close_session (3PAM), pam_sm_open_session (3PAM), pam_sm_setcred (3PAM), pam.conf (5), attributes (7) This module should never be used outside of a closed debug environment. The examples of the use_first_pass and try_first_pass options are obsolete for all other delivered PAM service modules The interfaces in libpam(3LIB) are MT-Safe only if each thread within the multi-threaded application uses its own PAM handle.