author | Steve Langasek <steve.langasek@ubuntu.com> | 2019-01-03 21:22:21 -0800 |
---|---|---|
committer | Steve Langasek <steve.langasek@ubuntu.com> | 2019-01-03 21:22:45 -0800 |
commit | 795badba7f95e737f979917859cd32c9bd47bcad (patch) | |
tree | 212a6a00baa11e9d0ca7bc27b12420d1dce6f07c /modules/pam_lastlog/pam_lastlog.8.xml | |
parent | c55c14c5c6762139ec6695d84ea0e2e917da5264 (diff) | |
parent | ba315ae8effdcad591608c99452dad05c4cf20ab (diff) |
New upstream version 1.1.8
Diffstat (limited to 'modules/pam_lastlog/pam_lastlog.8.xml')
-rw-r--r-- | modules/pam_lastlog/pam_lastlog.8.xml | 61 |
1 files changed, 59 insertions, 2 deletions
diff --git a/modules/pam_lastlog/pam_lastlog.8.xml b/modules/pam_lastlog/pam_lastlog.8.xml
index 2a6794ad..77da9dbc 100644
--- a/modules/pam_lastlog/pam_lastlog.8.xml
+++ b/modules/pam_lastlog/pam_lastlog.8.xml
@@ -12,7 +12,7 @@
 <refnamediv id="pam_lastlog-name">
 <refname>pam_lastlog</refname>
- <refpurpose>PAM module to display date of last login</refpurpose>
+ <refpurpose>PAM module to display date of last login and perform inactive account lock out</refpurpose>
 </refnamediv>
 <refsynopsisdiv>
@@ -45,6 +45,9 @@
 <arg choice="opt">
 showfailed
 </arg>
+ <arg choice="opt">
+ inactive=<days>
+ </arg>
 </cmdsynopsis>
 </refsynopsisdiv>
@@ -61,6 +64,12 @@
 Some applications may perform this function themselves. In such
 cases, this module is not necessary.
 </para>
+ <para>
+ If the module is called in the auth or account phase, the accounts that
+ were not used recently enough will be disallowed to log in. The
+ check is not performed for the root account so the root is never
+ locked out.
+ </para>
 </refsect1>
 <refsect1 id="pam_lastlog-options">
@@ -165,13 +174,30 @@
 </para>
 </listitem>
 </varlistentry>
+ <varlistentry>
+ <term>
+ <option>inactive=<days></option>
+ </term>
+ <listitem>
+ <para>
+ This option is specific for the auth or account phase. It
+ specifies the number of days after the last login of the user
+ when the user will be locked out by the module. The default
+ value is 90.
+ </para>
+ </listitem>
+ </varlistentry>
 </variablelist>
 </refsect1>
 <refsect1 id="pam_lastlog-types">
 <title>MODULE TYPES PROVIDED</title>
 <para>
- Only the <option>session</option> module type is provided.
+ The <option>auth</option> and <option>account</option> module type
+ allows to lock out users which did not login recently enough.
+ The <option>session</option> module type is provided for displaying
+ the information about the last login and/or updating the lastlog and
+ wtmp files.
 </para>
 </refsect1>
@@ -207,6 +233,27 @@
 </listitem>
 </varlistentry>
+ <varlistentry>
+ <term>PAM_AUTH_ERR</term>
+ <listitem>
+ <para>
+ User locked out in the auth or account phase due to
+ inactivity.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>PAM_IGNORE</term>
+ <listitem>
+ <para>
+ There was an error during reading the lastlog file
+ in the auth or account phase and thus inactivity
+ of the user cannot be determined.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ </variablelist>
 </para>
 </refsect1>
@@ -220,6 +267,13 @@
 <programlisting>
 session required pam_lastlog.so nowtmp
 </programlisting>
+ <para>
+ To reject the user if he did not login during the previous 50 days
+ the following line can be used:
+ </para>
+ <programlisting>
+ auth required pam_lastlog.so inactive=50
+ </programlisting>
 </refsect1>
 <refsect1 id="pam_lastlog-files">
@@ -254,6 +308,9 @@
 <para>
 pam_lastlog was written by Andrew G. Morgan <morgan@kernel.org>.
 </para>
+ <para>
+ Inactive account lock out added by Tomáš Mráz <tm@t8m.info>.
+ </para>
 </refsect1>
 </refentry>
|