This directory contains configuration files for the Pluggable
Authentication Modules (PAM) library.

Each file details the module chain for a single service, and must be
named after that service.  If no configuration file is found for a
particular service, /etc/pam.d/other is used instead.  If that
file does not exist, /etc/pam.conf is searched for entries matching
the specified service or, failing that, the "other" service.

See the pam(3) manual page for an explanation of the workings of the
PAM library and descriptions of the various files and modules.  Below
is a summary of the format for the pam.conf and /etc/pam.d/* files.

Configuration lines take the following form:

module-type     control-flag    module-path     arguments

Comments are introduced with a hash mark ('#').  Blank lines and lines
consisting entirely of comments are ignored.

The meanings of the different fields are as follows:

 module-type:
   auth:      prompt for a password to authenticate that the user is
              who they say they are, and set any credentials.
   account:   non-authentication based authorization, based on time,
              resources, etc.
   session:   housekeeping before and/or after login.
   password:  update authentication tokens.

 control-flag: How libpam handles success or failure of the module.
   required:   success is required; on failure all remaining
               modules are run, but the request will be denied.
   requisite:  success is required, and on failure no remaining
               modules are run.
   sufficient: success is sufficient, and if no previous required
               module failed, no remaining modules are run.
   binding:    success is sufficient; on failure all remaining
               modules are run, but the request will be denied.
   optional:   ignored unless the other modules return PAM_IGNORE.

 arguments: Module-specific options, plus some generic ones:
   debug:           syslog debug info.
   no_warn:         return no warning messages to the application.
                    Remove this to feed back to the user the
                    reason(s) they are being rejected.
   use_first_pass:  try authentication using password from the
                    preceding auth module.
   try_first_pass:  first try authentication using password from
                    the preceding auth module, and if that fails
                    prompt for a new password.
   use_mapped_pass: convert cleartext password to a crypto key.
   expose_account:  allow printing more info about the user when
                    prompting.

Note that having a "sufficient" module as the last entry for a
particular service and module type may result in surprising behaviour.
To get the intended semantics, add a "required" entry listing the
pam_deny module at the end of the chain.

$FreeBSD: releng/10.2/etc/pam.d/README 271067 2014-09-03 23:18:13Z gavin $
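The check suggested by the note about a trailing "sufficient" entry can be
automated.  The following is an added example, not part of the FreeBSD
README or of libpam: it parses text in the /etc/pam.d/* line format
summarized above and reports module types whose chain ends in "sufficient".
The function names and the sample configuration are constructed for
illustration; only the four-field format described here is handled.

```python
# Added example: lint /etc/pam.d/* style text for the "trailing sufficient" pitfall.
FACILITIES = ("auth", "account", "session", "password")

WEAK = """\
# constructed sample, not a shipped FreeBSD file
auth     sufficient  pam_krb5.so   no_warn try_first_pass
auth     sufficient  pam_unix.so   no_warn try_first_pass
account  required    pam_unix.so
"""
FIXED = WEAK + "auth     required    pam_deny.so\n"

def parse_chain(text):
    """Return {module-type: [(control_flag, module_path, [args]), ...]}."""
    chains = {f: [] for f in FACILITIES}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # '#' introduces a comment
        if not line:
            continue                           # blank or comment-only line
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"line {lineno}: expected module-type control-flag module-path")
        mtype, flag, path, args = fields[0], fields[1], fields[2], fields[3:]
        if mtype not in chains:
            raise ValueError(f"line {lineno}: unknown module-type {mtype!r}")
        chains[mtype].append((flag, path, args))
    return chains

def trailing_sufficient(text):
    """Module types whose chain ends in a 'sufficient' entry."""
    return [t for t, chain in parse_chain(text).items()
            if chain and chain[-1][0] == "sufficient"]

def ends_with_deny(text, mtype):
    """True if the chain for mtype ends with a 'required' pam_deny entry."""
    chain = parse_chain(text)[mtype]
    if not chain:
        return False
    flag, path, _ = chain[-1]
    # The module path may be a bare name or a full path to pam_deny.so.
    return flag == "required" and path.rsplit("/", 1)[-1].startswith("pam_deny")
```

Running trailing_sufficient() over each file in /etc/pam.d flags the
services whose chains need a closing "required" pam_deny entry.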