summaryrefslogtreecommitdiff
path: root/doc/man/pam.8.xml
diff options
context:
space:
mode:
Diffstat (limited to 'doc/man/pam.8.xml')
-rw-r--r--doc/man/pam.8.xml392
1 files changed, 392 insertions, 0 deletions
diff --git a/doc/man/pam.8.xml b/doc/man/pam.8.xml
new file mode 100644
index 00000000..e8a78234
--- /dev/null
+++ b/doc/man/pam.8.xml
@@ -0,0 +1,392 @@
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN"
+ "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd">
+<refentry id='pam'>
+<refmeta>
+<refentrytitle>pam</refentrytitle>
+<manvolnum>8</manvolnum>
+<refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo>
+</refmeta>
+<refnamediv id='name'>
+<refname>pam</refname>
+<refpurpose>Pluggable Authentication Modules for Linux</refpurpose>
+</refnamediv>
+<!-- body begins here -->
+
+<refsect1 id='description'><title>DESCRIPTION</title>
+<para>This manual is intended to offer a quick introduction to
+<emphasis remap='B'>Linux-PAM</emphasis>.
+For more information the reader is directed to the
+<emphasis remap='B'>Linux-PAM system administrators' guide</emphasis>.</para>
+
+
+<para><emphasis remap='B'>Linux-PAM</emphasis>
+Is a system of libraries that handle the authentication tasks of
+applications (services) on the system. The library provides a stable
+general interface (Application Programming Interface - API) that
+privilege granting programs (such as
+<citerefentry><refentrytitle>login</refentrytitle><manvolnum>1</manvolnum></citerefentry>
+and
+<citerefentry><refentrytitle>su</refentrytitle><manvolnum>1</manvolnum></citerefentry>)
+defer to to perform standard authentication tasks.</para>
+
+
+<para>The principal feature of the PAM approach is that the nature of the
+authentication is dynamically configurable. In other words, the
+system administrator is free to choose how individual
+service-providing applications will authenticate users. This dynamic
+configuration is set by the contents of the single
+<emphasis remap='B'>Linux-PAM</emphasis>
+configuration file
+<filename>/etc/pam.conf</filename>.
+Alternatively, the configuration can be set by individual
+configuration files located in the
+<filename>/etc/pam.d/</filename>
+directory.
+<emphasis remap='I'>The presence of this directory will cause </emphasis><emphasis remap='B'>Linux-PAM</emphasis><emphasis remap='I'> to ignore</emphasis>
+<filename>/etc/pam.conf</filename><literal>.</literal></para>
+
+
+<para>From the point of view of the system administrator, for whom this
+manual is provided, it is not of primary importance to understand the
+internal behavior of the
+<emphasis remap='B'>Linux-PAM</emphasis>
+library. The important point to recognize is that the configuration
+file(s)
+<emphasis remap='I'>define</emphasis>
+the connection between applications
+<emphasis remap='B'></emphasis>(<emphasis remap='B'>services</emphasis>)
+and the pluggable authentication modules
+<emphasis remap='B'></emphasis>(<emphasis remap='B'>PAM</emphasis>s)
+that perform the actual authentication tasks.</para>
+
+
+<para><emphasis remap='B'>Linux-PAM</emphasis>
+separates the tasks of
+<emphasis remap='I'>authentication</emphasis>
+into four independent management groups:
+<emphasis remap='B'>account</emphasis> management;
+<emphasis remap='B'>auth</emphasis>entication management;
+<emphasis remap='B'>password</emphasis> management;
+and
+<emphasis remap='B'>session</emphasis> management.
+(We highlight the abbreviations used for these groups in the
+configuration file.)</para>
+
+
+<para>Simply put, these groups take care of different aspects of a typical
+user's request for a restricted service:</para>
+
+
+<para><emphasis remap='B'>account</emphasis> -
+provide account verification types of service: has the user's password
+expired?; is this user permitted access to the requested service?</para>
+
+<!-- .br -->
+<para><emphasis remap='B'>auth</emphasis>entication -
+authenticate a user and set up user credentials. Typically this is via
+some challenge-response request that the user must satisfy: if you are
+who you claim to be please enter your password. Not all authentications
+are of this type, there exist hardware based authentication schemes
+(such as the use of smart-cards and biometric devices), with suitable
+modules, these may be substituted seamlessly for more standard
+approaches to authentication - such is the flexibility of
+<emphasis remap='B'>Linux-PAM</emphasis>.</para>
+
+<!-- .br -->
+<para><emphasis remap='B'>password</emphasis> -
+this group's responsibility is the task of updating authentication
+mechanisms. Typically, such services are strongly coupled to those of
+the
+<emphasis remap='B'>auth</emphasis>
+group. Some authentication mechanisms lend themselves well to being
+updated with such a function. Standard UN*X password-based access is
+the obvious example: please enter a replacement password.</para>
+
+<!-- .br -->
+<para><emphasis remap='B'>session</emphasis> -
+this group of tasks cover things that should be done prior to a
+service being given and after it is withdrawn. Such tasks include the
+maintenance of audit trails and the mounting of the user's home
+directory. The
+<emphasis remap='B'>session</emphasis>
+management group is important as it provides both an opening and
+closing hook for modules to affect the services available to a user.</para>
+
+</refsect1>
+
+<refsect1 id='the_configuration_files'><title>The configuration file(s)</title>
+<para>When a
+<emphasis remap='B'>Linux-PAM</emphasis>
+aware privilege granting application is started, it activates its
+attachment to the PAM-API. This activation performs a number of
+tasks, the most important being the reading of the configuration file(s):
+<filename>/etc/pam.conf</filename>.
+Alternatively, this may be the contents of the
+<filename>/etc/pam.d/</filename>
+directory.</para>
+
+<para>These files list the
+<emphasis remap='B'>PAM</emphasis>s
+that will do the authentication tasks required by this service, and
+the appropriate behavior of the PAM-API in the event that individual
+<emphasis remap='B'>PAM</emphasis>s
+fail.</para>
+
+
+<para>The syntax of the
+<filename>/etc/pam.conf</filename>
+configuration file is as follows. The file is made
+up of a list of rules, each rule is typically placed on a single line,
+but may be extended with an escaped end of line: `\&lt;LF&gt;'. Comments
+are preceded with `#' marks and extend to the next end of line.</para>
+
+
+<para>The format of each rule is a space separated collection of tokens, the
+first three being case-insensitive:</para>
+
+
+<!-- .br -->
+<para><emphasis remap='B'> service type control module-path module-arguments</emphasis></para>
+
+
+<para>The syntax of files contained in the
+<filename>/etc/pam.d/</filename>
+directory, are identical except for the absence of any
+<emphasis remap='I'>service</emphasis>
+field. In this case, the
+<emphasis remap='I'>service</emphasis>
+is the name of the file in the
+<filename>/etc/pam.d/</filename>
+directory. This filename must be in lower case.</para>
+
+
+<para>An important feature of
+<emphasis remap='B'>Linux-PAM</emphasis>,
+is that a number of rules may be
+<emphasis remap='I'>stacked</emphasis>
+to combine the services of a number of PAMs for a given authentication
+task.</para>
+
+
+<para>The
+<emphasis remap='B'>service</emphasis>
+is typically the familiar name of the corresponding application:
+<emphasis remap='B'>login</emphasis>
+and
+<emphasis remap='B'>su</emphasis>
+are good examples. The
+<emphasis remap='B'>service</emphasis>-name, <emphasis remap='B'>other</emphasis>,
+is reserved for giving
+<emphasis remap='I'>default</emphasis>
+rules. Only lines that mention the current service (or in the absence
+of such, the
+<emphasis remap='B'>other</emphasis>
+entries) will be associated with the given service-application.</para>
+
+
+<para>The
+<emphasis remap='B'>type</emphasis>
+is the management group that the rule corresponds to. It is used to
+specify which of the management groups the subsequent module is to
+be associated with. Valid entries are:
+<emphasis remap='B'>account</emphasis>;
+<emphasis remap='B'>auth</emphasis>;
+<emphasis remap='B'>password</emphasis>;
+and
+<emphasis remap='B'>session</emphasis>.
+The meaning of each of these tokens was explained above.</para>
+
+
+<para>The third field,
+<emphasis remap='B'>control</emphasis>,
+indicates the behavior of the PAM-API should the module fail to
+succeed in its authentication task. There are two types of syntax for
+this control field: the simple one has a single simple keyword; the
+more complicated one involves a square-bracketed selection of
+<emphasis remap='B'>value=action</emphasis>
+pairs.</para>
+
+
+<para>For the simple (historical) syntax valid
+<emphasis remap='B'>control</emphasis>
+values are:
+<emphasis remap='B'>requisite</emphasis>
+- failure of such a PAM results in the immediate termination of the
+authentication process;
+<emphasis remap='B'>required</emphasis>
+- failure of such a PAM will ultimately lead to the PAM-API returning
+failure but only after the remaining
+<emphasis remap='I'>stacked</emphasis>
+modules (for this
+<emphasis remap='B'>service</emphasis>
+and
+<emphasis remap='B'>type</emphasis>)
+have been invoked;
+<emphasis remap='B'>sufficient</emphasis>
+- success of such a module is enough to satisfy the authentication
+requirements of the stack of modules (if a prior
+<emphasis remap='B'>required</emphasis>
+module has failed the success of this one is
+<emphasis remap='I'>ignored</emphasis>);
+<emphasis remap='B'>optional</emphasis>
+- the success or failure of this module is only important if it is the
+only module in the stack associated with this
+<emphasis remap='B'>service</emphasis>+<emphasis remap='B'>type</emphasis>.</para>
+
+
+<para>New control directive first introduced in ALT Linux is
+<emphasis remap='B'>include</emphasis>
+- include all lines of given type from the configuration
+file specified as an argument to this control.</para>
+
+
+<para>For the more complicated syntax valid
+<emphasis remap='B'>control</emphasis>
+values have the following form:</para>
+
+<para>[value1=action1<emphasis remap='B'>value2=action2</emphasis>...]</para>
+
+<para>Where
+<emphasis remap='B'>valueN</emphasis>
+corresponds to the return code from the function invoked in the module
+for which the line is defined. It is selected from one of these:
+<emphasis remap='B'>success</emphasis>;
+<emphasis remap='B'>open_err</emphasis>;
+<emphasis remap='B'>symbol_err</emphasis>;
+<emphasis remap='B'>service_err</emphasis>;
+<emphasis remap='B'>system_err</emphasis>;
+<emphasis remap='B'>buf_err</emphasis>;
+<emphasis remap='B'>perm_denied</emphasis>;
+<emphasis remap='B'>auth_err</emphasis>;
+<emphasis remap='B'>cred_insufficient</emphasis>;
+<emphasis remap='B'>authinfo_unavail</emphasis>;
+<emphasis remap='B'>user_unknown</emphasis>;
+<emphasis remap='B'>maxtries</emphasis>;
+<emphasis remap='B'>new_authtok_reqd</emphasis>;
+<emphasis remap='B'>acct_expired</emphasis>;
+<emphasis remap='B'>session_err</emphasis>;
+<emphasis remap='B'>cred_unavail</emphasis>;
+<emphasis remap='B'>cred_expired</emphasis>;
+<emphasis remap='B'>cred_err</emphasis>;
+<emphasis remap='B'>no_module_data</emphasis>;
+<emphasis remap='B'>conv_err</emphasis>;
+<emphasis remap='B'>authtok_err</emphasis>;
+<emphasis remap='B'>authtok_recover_err</emphasis>;
+<emphasis remap='B'>authtok_lock_busy</emphasis>;
+<emphasis remap='B'>authtok_disable_aging</emphasis>;
+<emphasis remap='B'>try_again</emphasis>;
+<emphasis remap='B'>ignore</emphasis>;
+<emphasis remap='B'>abort</emphasis>;
+<emphasis remap='B'>authtok_expired</emphasis>;
+<emphasis remap='B'>module_unknown</emphasis>;
+<emphasis remap='B'>bad_item</emphasis>; and
+<emphasis remap='B'>default</emphasis>.
+The last of these,
+<emphasis remap='B'>default</emphasis>,
+implies 'all
+<emphasis remap='B'>valueN</emphasis>'s
+not mentioned explicitly. Note, the full list of PAM errors is
+available in /usr/include/security/_pam_types.h . The
+<emphasis remap='B'>actionN</emphasis>
+can be: an unsigned integer,
+<emphasis remap='B'>J</emphasis>,
+signifying an action of 'jump over the next J modules in the stack';
+or take one of the following forms:
+<!-- .br -->
+<emphasis remap='B'>ignore</emphasis>
+- when used with a stack of modules, the module's return status will
+not contribute to the return code the application obtains;
+<!-- .br -->
+<emphasis remap='B'>bad</emphasis>
+- this action indicates that the return code should be thought of as
+indicative of the module failing. If this module is the first in the
+stack to fail, its status value will be used for that of the whole
+stack.
+<!-- .br -->
+<emphasis remap='B'>die</emphasis>
+- equivalent to bad with the side effect of terminating the module
+stack and PAM immediately returning to the application.
+<!-- .br -->
+<emphasis remap='B'>ok</emphasis>
+- this tells PAM that the administrator thinks this return code
+should contribute directly to the return code of the full stack of
+modules. In other words, if the former state of the stack would lead
+to a return of
+<emphasis remap='B'>PAM_SUCCESS</emphasis>,
+the module's return code will override this value. Note, if the former
+state of the stack holds some value that is indicative of a modules
+failure, this 'ok' value will not be used to override that value.
+<!-- .br -->
+<emphasis remap='B'>done</emphasis>
+- equivalent to ok with the side effect of terminating the module
+stack and PAM immediately returning to the application.
+<!-- .br -->
+<emphasis remap='B'>reset</emphasis>
+- clear all memory of the state of the module stack and start again
+with the next stacked module.</para>
+
+
+<para><emphasis remap='B'>module-path</emphasis>
+- this is either the full filename of the PAM to be used by the
+application (it begins with a '/'), or a relative pathname from the
+default module location:
+<filename>/lib/security/</filename>.</para>
+
+
+<para><emphasis remap='B'>module-arguments</emphasis>
+- these are a space separated list of tokens that can be used to
+modify the specific behavior of the given PAM. Such arguments will be
+documented for each individual module.</para>
+
+</refsect1>
+
+<refsect1 id='files'><title>FILES</title>
+<para><filename>/etc/pam.conf</filename> - the configuration file
+<!-- .br -->
+<filename>/etc/pam.d/</filename> - the
+<emphasis remap='B'>Linux-PAM</emphasis>
+configuration directory. Generally, if this directory is present, the
+<filename>/etc/pam.conf</filename>
+file is ignored.
+<!-- .br -->
+<filename>/lib/libpam.so.X</filename> - the dynamic library
+<!-- .br -->
+<filename>/lib/security/*.so</filename> - the PAMs</para>
+
+</refsect1>
+
+<refsect1 id='errors'><title>ERRORS</title>
+<para>Typically errors generated by the
+<emphasis remap='B'>Linux-PAM</emphasis>
+system of libraries, will be written to
+<citerefentry><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry>.</para>
+
+</refsect1>
+
+<refsect1 id='conforming_to'><title>CONFORMING TO</title>
+<para>DCE-RFC 86.0, October 1995.
+<!-- .br -->
+Contains additional features, but remains backwardly compatible with
+this RFC.</para>
+
+</refsect1>
+
+<refsect1 id='bugs'><title>BUGS</title>
+
+
+<para>None known.</para>
+
+</refsect1>
+
+<refsect1 id='see_also'><title>SEE ALSO</title>
+<para>The three
+<emphasis remap='B'>Linux-PAM</emphasis>
+Guides, for
+<emphasis remap='B'>system administrators</emphasis>,
+<emphasis remap='B'>module developers</emphasis>,
+and
+<emphasis remap='B'>application developers</emphasis>. </para>
+</refsect1>
+</refentry>
+
generated by cgit v1.2.3 (git 2.25.1) at 2024-04-30 17:42:57 +0000