blob: e6e4f2aaa3eafe0c477b8dce0db05e4f92efc2f5 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
|
pam_succeed_if:
Succeed or fail based on account characteristics.
pam_succeed_if.so is designed to succeed or fail authentication based
on characteristics of the account belonging to the user being
authenticated.
The module can be given one or more conditions as module arguments, and
authentication will succeed only if all of the conditions are met.
Conditions are expressed in the form
ATTRIBUTE OPERATOR VALUE
Recognized attributes:
LOGIN - The user's login name.
UID - The user's UID.
GID - The user's primary GID.
SHELL - The user's shell.
HOME - The user's home directory.
Recognized operators:
< - Arithmetic less-than.
<= - Arithmetic less-than-or-equal-to.
> - Arithmetic greater-than.
>= - Arithmetic greater-than-or-equal-to.
eq - Arithmetic equality.
= - String equality.
ne - Arithmetic inequality.
!= - String inequality.
=~ - Wildcard match.
!~ - Wildcard mismatch.
ingroup - Group membership check. [*]
notingroup - Group non-membership check. [*]
innetgr - Netgroup membership check. [*][+]
notinnetgr - Netgroup non-membership check. [*][+]
* The "ingroup", "notingroup", "innetgr" and "notinnetgr"
operators should only be used with the USER attribute.
+ The "innetgr" and "notinnetgr" operators always match
both remote host and USER against the netgroup. If a remote
host is not set by the application it will be matched
against any host in the netgroup triplet.
Examples:
Deny authentication to all users except those in the wheel
group, before even asking for a password:
auth requisite pam_succeed_if.so user ingroup wheel
Assume all users with UID less than 500 ("system users") have
valid accounts.
account sufficient pam_succeed_if.so uid < 500
Deny login to all nologin users.
auth requisite pam_succeed_if.so shell !~ nologin
RECOGNIZED ARGUMENTS:
debug write debugging messages to syslog
use_uid perform checks on the account of the user under whose
UID the application is running instead of the user
being authenticated
quiet don't log failure or success to syslog
quiet_fail don't log failure to syslog
quiet_success don't log success to syslog
MODULE SERVICES PROVIDED:
authentication, account management
AUTHOR:
Nalin Dahyabhai <nalin@redhat.com>
|