README (115584) | README (130151) |
---|---|
1 2This directory contains configuration files for the Pluggable 3Authentication Modules (PAM) library. 4 5Each file details the module chain for a single service, and must be 6named after that service. If no configuration file is found for a 7particular service, the /etc/pam.d/other is used instead. If that 8file does not exist, /etc/pam.conf is searched for entries matching --- 6 unchanged lines hidden (view full) --- 15Configuration lines take the following form: 16 17module-type control-flag module-path arguments 18 19Comments are introduced with a hash mark ('#'). Blank lines and lines 20consisting entirely of comments are ignored. 21 22The meanings of the different fields are as follows: | 1 2This directory contains configuration files for the Pluggable 3Authentication Modules (PAM) library. 4 5Each file details the module chain for a single service, and must be 6named after that service. If no configuration file is found for a 7particular service, the /etc/pam.d/other is used instead. If that 8file does not exist, /etc/pam.conf is searched for entries matching --- 6 unchanged lines hidden (view full) --- 15Configuration lines take the following form: 16 17module-type control-flag module-path arguments 18 19Comments are introduced with a hash mark ('#'). Blank lines and lines 20consisting entirely of comments are ignored. 21 22The meanings of the different fields are as follows: |
23 | 23 |
24 module-type: 25 auth: prompt for a password to authenticate that the user is 26 who they say they are, and set any credentials. 27 account: non-authentication based authorization, based on time, 28 resources, etc. 29 session: housekeeping before and/or after login. 30 password: update authentication tokens. | 24 module-type: 25 auth: prompt for a password to authenticate that the user is 26 who they say they are, and set any credentials. 27 account: non-authentication based authorization, based on time, 28 resources, etc. 29 session: housekeeping before and/or after login. 30 password: update authentication tokens. |
31 | 31 |
32 control-flag: How libpam handles success or failure of the module. 33 required: success is required; on failure all remaining 34 modules are run, but the request will be denied. 35 requisite: success is required, and on failure no remaining 36 modules are run. 37 sufficient: success is sufficient, and if no previous required 38 module failed, no remaining modules are run. 39 binding: success is sufficient; on failure all remaining 40 modules are run, but the request will be denied. 41 optional: ignored unless the other modules return PAM_IGNORE. | 32 control-flag: How libpam handles success or failure of the module. 33 required: success is required; on failure all remaining 34 modules are run, but the request will be denied. 35 requisite: success is required, and on failure no remaining 36 modules are run. 37 sufficient: success is sufficient, and if no previous required 38 module failed, no remaining modules are run. 39 binding: success is sufficient; on failure all remaining 40 modules are run, but the request will be denied. 41 optional: ignored unless the other modules return PAM_IGNORE. |
42 | 42 |
43 arguments: Module-specific options, plus some generic ones: 44 debug: syslog debug info. 45 no_warn: return no warning messages to the application. 46 Remove this to feed back to the user the 47 reason(s) they are being rejected. 48 use_first_pass: try authentication using password from the 49 preceding auth module. 50 try_first_pass: first try authentication using password from 51 the preceding auth module, and if that fails 52 prompt for a new password. 53 use_mapped_pass: convert cleartext password to a crypto key. 54 expose_account: allow printing more info about the user when 55 prompting. | 43 arguments: Module-specific options, plus some generic ones: 44 debug: syslog debug info. 45 no_warn: return no warning messages to the application. 46 Remove this to feed back to the user the 47 reason(s) they are being rejected. 48 use_first_pass: try authentication using password from the 49 preceding auth module. 50 try_first_pass: first try authentication using password from 51 the preceding auth module, and if that fails 52 prompt for a new password. 53 use_mapped_pass: convert cleartext password to a crypto key. 54 expose_account: allow printing more info about the user when 55 prompting. |
56 | 56 |
57Note that having a "sufficient" module as the last entry for a 58particular service and module type may result in surprising behaviour. 59To get the intended semantics, add a "required" entry listing the 60pam_deny module at the end of the chain. 61 | 57Note that having a "sufficient" module as the last entry for a 58particular service and module type may result in surprising behaviour. 59To get the intended semantics, add a "required" entry listing the 60pam_deny module at the end of the chain. 61 |
62$FreeBSD: head/etc/pam.d/README 115584 2003-06-01 00:34:38Z des $ | 62$FreeBSD: head/etc/pam.d/README 130151 2004-06-06 11:46:29Z schweikh $ |
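
Review bot: the field descriptions at lines 24-55 cover module-type, control-flag and arguments but have no entry for module-path, the third field of the line form shown at line 17; an entry for it belongs between control-flag and arguments. The note at lines 57-60 calls the result of a trailing "sufficient" module "surprising behaviour" without saying what the behaviour is, and one sentence stating the outcome would make the pam_deny advice easier to act on. Between 115584 and 130151 the only visible textual difference is the $FreeBSD$ keyword line at 62; rows 23, 31, 42 and 56 are split out but show no text on either side.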