This directory contains configuration files for the Pluggable
Authentication Modules (PAM) library.

Each file details the module chain for a single service, and must be
named after that service.  If no configuration file is found for a
particular service, /etc/pam.d/other is used instead.  If that
file does not exist, /etc/pam.conf is searched for entries matching
the specified service or, failing that, the "other" service.

See the pam(8) manual page for an explanation of the workings of the
PAM library and descriptions of the various files and modules.  Below
is a summary of the format for the pam.conf and /etc/pam.d/* files.

Configuration lines take the following form:

module-type	control-flag	module-path	arguments

Comments are introduced with a hash mark ('#').  Blank lines and lines
consisting entirely of comments are ignored.

The meanings of the different fields are as follows:

 module-type:
   auth:      prompt for a password to authenticate that the user is
              who they say they are, and set any credentials.
   account:   non-authentication based authorization, based on time,
              resources, etc.
   session:   housekeeping before and/or after login.
   password:  update authentication tokens.

 control-flag: How libpam handles success or failure of the module.
   required:   success is required; on failure all remaining
               modules are run, but the request will be denied.
   requisite:  success is required, and on failure no remaining
               modules are run.
   sufficient: success is sufficient, and if no previous required
               module failed, no remaining modules are run.
   binding:    success is sufficient; on failure all remaining
               modules are run, but the request will be denied.
   optional:   ignored unless the other modules return PAM_IGNORE.

 arguments: Module-specific options, plus some generic ones:
   debug:           syslog debug info.
   no_warn:         return no warning messages to the application.
                    Remove this to feed back to the user the
                    reason(s) they are being rejected.
   use_first_pass:  try authentication using password from the
                    preceding auth module.
   try_first_pass:  first try authentication using password from
                    the preceding auth module, and if that fails
                    prompt for a new password.
   use_mapped_pass: convert cleartext password to a crypto key.
   expose_account:  allow printing more info about the user when
                    prompting.

Note that having a "sufficient" module as the last entry for a
particular service and module type may result in surprising behaviour.
To get the intended semantics, add a "required" entry listing the
pam_deny module at the end of the chain.
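
The check described in the note above, as an added example that is not
part of the original README or of the PAM sources: a small linter that
parses the /etc/pam.d/* line format summarized here and reports every
module type whose chain ends in a "sufficient" entry.  The function
names and both sample service files are constructed for illustration;
pam.conf lines, which carry a leading service field, are not handled.

```python
# Added example: lint an /etc/pam.d/* file for chains that end in "sufficient".
# Only the four-field line format summarized in this README is handled.

def parse_pam_d(text):
    """Return (lineno, module_type, control_flag, module_path, args) per entry."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # '#' introduces a comment
        if not line:                           # blank or comment-only line
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"line {lineno}: need module-type control-flag module-path")
        entries.append((lineno, fields[0], fields[1], fields[2], fields[3:]))
    return entries

def trailing_sufficient(text):
    """Map each module type whose last entry is 'sufficient' to (lineno, module_path)."""
    last = {}
    for lineno, mtype, flag, path, _args in parse_pam_d(text):
        last[mtype] = (lineno, flag, path)     # later entries overwrite earlier ones
    return {m: (n, p) for m, (n, f, p) in last.items() if f == "sufficient"}

# Constructed sample service files (not from the original README).
WEAK = """\
# auth chain ends in "sufficient"
auth     sufficient  pam_krb5.so  no_warn try_first_pass
auth     sufficient  pam_unix.so  no_warn try_first_pass
account  required    pam_unix.so
"""
# Same file with the README's recommended terminator for the auth chain.
FIXED = WEAK + "auth     required    pam_deny.so\n"

if __name__ == "__main__":
    for name, conf in (("weak", WEAK), ("fixed", FIXED)):
        for mtype, (lineno, path) in trailing_sufficient(conf).items():
            print(f"{name}: {mtype} chain ends with sufficient {path} (line {lineno})")
```

Run against a real service file by passing its contents to
trailing_sufficient(); an empty result means no chain ends in "sufficient".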

$FreeBSD: src/etc/pam.d/README,v 1.5 2004/06/06 11:46:29 schweikh Exp $
$NetBSD: README,v 1.2 2004/12/12 08:54:34 christos Exp $