README revision 1.1 1 1.1 christos
This directory contains configuration files for the Pluggable
Authentication Modules (PAM) library.

Each file details the module chain for a single service, and must be
named after that service.  If no configuration file is found for a
particular service, /etc/pam.d/other is used instead.  If that
file does not exist, /etc/pam.conf is searched for entries matching
the specified service or, failing that, the "other" service.

See the pam(8) manual page for an explanation of the workings of the
PAM library and descriptions of the various files and modules.  Below
is a summary of the format for the pam.conf and /etc/pam.d/* files.

Configuration lines take the following form:

    module-type    control-flag    module-path    arguments

Comments are introduced with a hash mark ('#').  Blank lines and lines
consisting entirely of comments are ignored.

The meanings of the different fields are as follows:

 module-type:
   auth:      prompt for a password to authenticate that the user is
              who they say they are, and set any credentials.
   account:   non-authentication based authorization, based on time,
              resources, etc.
   session:   housekeeping before and/or after login.
   password:  update authentication tokens.

 control-flag: How libpam handles success or failure of the module.
   required:   success is required; on failure all remaining
               modules are run, but the request will be denied.
   requisite:  success is required, and on failure no remaining
               modules are run.
   sufficient: success is sufficient, and if no previous required
               module failed, no remaining modules are run.
   binding:    success is sufficient; on failure all remaining
               modules are run, but the request will be denied.
   optional:   ignored unless the other modules return PAM_IGNORE.

 arguments: Module-specific options, plus some generic ones:
   debug:           syslog debug info.
   no_warn:         return no warning messages to the application.
                    Remove this to feed back to the user the
                    reason(s) they are being rejected.
   use_first_pass:  try authentication using password from the
                    preceding auth module.
   try_first_pass:  first try authentication using password from
                    the preceding auth module, and if that fails
                    prompt for a new password.
   use_mapped_pass: convert cleartext password to a crypto key.
   expose_account:  allow printing more info about the user when
                    prompting.

Note that having a "sufficient" module as the last entry for a
particular service and module type may result in surprising behaviour.
To get the intended semantics, add a "required" entry listing the
pam_deny module at the end of the chain.
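
Added example (not part of the original README, and not libpam's own code): a
simplified Python model of the control-flag rules summarised above, run over a
chain that ends in "sufficient" and over the same chain with pam_deny appended.
It assumes that a failing "sufficient" module does not by itself deny the
request and that "optional" results are ignored; pam_example_a.so and
pam_example_b.so are hypothetical module names.

```python
# Simplified model of the control flags summarised in this README.
# Assumption (not stated by the README): a failing "sufficient" module does
# not by itself deny the request; "optional" results never change the outcome.

def parse_pam_d(text):
    """Parse /etc/pam.d/<service> style lines into (type, flag, path, args)."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # '#' introduces a comment
        if not line:
            continue                          # blank or comment-only line
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"malformed PAM line: {raw!r}")
        mtype, flag, path, *args = fields
        entries.append((mtype, flag, path, args))
    return entries

def evaluate(entries, mtype, results):
    """Return True if the chain for `mtype` grants the request.
    `results` maps module-path -> True (success) or False (failure)."""
    failed = False                            # a required/binding module has failed
    for etype, flag, path, _args in entries:
        if etype != mtype:
            continue
        ok = results[path]
        if ok and flag in ("sufficient", "binding") and not failed:
            return True                       # no remaining modules are run
        if not ok and flag in ("required", "binding"):
            failed = True                     # keep running, deny at the end
        if not ok and flag == "requisite":
            return False                      # no remaining modules are run
    return not failed

# Constructed sample chains; pam_example_* are hypothetical module names.
WEAK = """
auth  sufficient  pam_example_a.so  no_warn
auth  sufficient  pam_example_b.so  no_warn try_first_pass  # last entry is "sufficient"
"""
HARDENED = WEAK + "auth  required  pam_deny.so\n"

# Constructed outcome: both sufficient modules fail; pam_deny always fails.
OUTCOMES = {"pam_example_a.so": False, "pam_example_b.so": False, "pam_deny.so": False}

if __name__ == "__main__":
    print("weak chain grants:    ", evaluate(parse_pam_d(WEAK), "auth", OUTCOMES))
    print("hardened chain grants:", evaluate(parse_pam_d(HARDENED), "auth", OUTCOMES))
```

Under this model the chain without pam_deny grants the request even though every module failed, while the chain ending in the "required" pam_deny entry denies it and still grants it as soon as one "sufficient" module succeeds.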

$FreeBSD: src/etc/pam.d/README,v 1.5 2004/06/06 11:46:29 schweikh Exp $