$NetBSD: pam.conf.5,v 1.8 2005/03/17 12:55:26 wiz Exp $

Copyright (c) 2005 The NetBSD Foundation, Inc.
All rights reserved.

This code is derived from software contributed to The NetBSD Foundation
by Jason R. Thorpe.

Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:
1. Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.

THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.

.Dd March 17, 2005
.Dt PAM.CONF 5
.Os
.Sh NAME
.Nm pam.conf
.Nd Pluggable Authentication Modules configuration file
.Sh DESCRIPTION
The
.Nm
file specifies how Pluggable Authentication Modules
.Pq PAM
should operate.
For an overview of the Pluggable Authentication Modules framework, see
.Xr pam 8 .
.Pp
PAM may be configured using a single
.Pa /etc/pam.conf
configuration file or by using multiple configuration files, one for
each PAM-aware service, located in the
.Pa /etc/pam.d/
directory.
If
.Pa /etc/pam.d/
exists,
.Pa /etc/pam.conf
will be ignored.
.Pa /etc/pam.d/
is the preferred method for configuring PAM.
.Pp
PAM's configuration is based on
.Dq stacking
different modules together to form a processing chain for the task.
A standard PAM configuration stanza is structured as follows:
.Bd -filled -offset indent
.Op Ar service-name
.Ar module-type
.Ar control-flag
.Ar module-name
.Op Ar options
.Ed
.Pp
.Ar service-name
is used only
.Pq and is mandatory in
.Pa /etc/pam.conf .
It specifies the PAM-aware service whose PAM behavior is being configured.
When
.Pa /etc/pam.d/
is used, the name of the configuration file specifies the service.
.Pp
.Ar module-type
specifies which of the four classes of PAM module functionality is
being configured.
These four classes are
.Em account
.Pq account management ,
.Em auth
.Pq authentication ,
.Em password
.Pq password management ,
and
.Em session
.Pq session management .
.Pp
.Ar control-flag
specifies the behavior of the processing chain upon success or failure
of the PAM module's authentication task.
The following are valid values for
.Ar control-flag :
.Bl -tag -width sufficient
.It binding
If the module succeeds and no earlier module in the chain has failed,
the chain is immediately terminated and the request is granted.
If the module fails, the rest of the chain is executed, but the request
is ultimately denied.
.It requisite
If the module returns success, continue to execute the processing chain.
If the module fails, immediately return the error code from the first
.Sq required
failure.
.It required
If the module returns success, continue to execute the processing chain.
If the module fails, record as a
.Sq required
failure and continue to execute the processing chain.
If there are any
.Sq required
failures in the processing chain, the chain will ultimately return
failure.
.It optional
If the module returns success, continue to execute the processing chain.
If the module fails, record as an
.Sq optional
failure and continue to execute the processing chain.
.It sufficient
If the module returns success and there have been no recorded
.Sq required
failures, immediately return success without calling any subsequent
modules in the processing chain.
If the module fails, return as an
.Sq optional
failure and continue to execute the processing chain.
.El
.Pp
.Ar module-name
specifies the module to execute for this stanza.
This is either an absolute path name or a path name relative to the
default module location:
.Pa /usr/lib/security .
.Pp
.Ar options
are additional options that may be specified for the module.
Refer to the individual modules' documentation for more information
on available options.
.Pp
In addition to the standard configuration stanza format, there is an
additional stanza format available when
.Pa /etc/pam.d/
is used:
.Bd -filled -offset indent
.Ar module-type
include
.Ar service-name
.Ed
.Pp
This stanza format provides a simple inheritance model for processing
chains.
.Sh FILES
.Bl -tag -width /etc/pam.conf -compact
.It Pa /etc/pam.conf
monolithic PAM configuration file
.It Pa /etc/pam.d/
PAM service configuration file directory
.El
.Sh EXAMPLES
The following
.Em auth
processing chain for the
.Dq login
service
.Po
located in
.Pa /etc/pam.d/login
.Pc
performs the following tasks: allows the login if the old user and new
user are the same, verifies that logins are not disabled using the

.Pa /var/run/nologin
file, allows Kerberos 5 password authentication, and requires standard
.Ux
password authentication if Kerberos 5 failed:
.Bd -literal -offset indent
auth    sufficient  pam_self.so
auth    required    pam_nologin.so
auth    sufficient  pam_krb5.so
auth    required    pam_unix.so
.Ed
.Sh NOTES
It is important to note that loading a chain will fail if any of the
components of the chain fail to load or are not available.
A common situation when this can happen is on a system where components
such as
.Xr kerberos 1
or
.Xr crypto 3
have not been installed.
In that situation
.Xr pam_krb5 8 ,
.Xr pam_ksu 8 ,
or
.Xr pam_ssh 8
might not be present in the system.
In order for a chain to load properly all non-present components must
be removed from the chain.
.Sh SEE ALSO
.Xr login 1 ,
.Xr passwd 1 ,
.Xr su 1 ,
.Xr pam 3 ,
.Xr pam 8
.Sh HISTORY
The
.Nm
file format first appeared in
.Nx 3.0 .
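The following Python is an added example, not part of the NetBSD manual page and not OpenPAM's own code. It models the two things the page describes: parsing of /etc/pam.d/ service files (the standard stanza without the service-name column, plus the "module-type include service-name" stanza) and the control-flag rules of the DESCRIPTION section, which it then runs over the login auth chain from EXAMPLES. It goes a little beyond the text by also checking the NOTES condition that a chain with a missing module fails to load. Everything it reads is constructed inline: the "login" file is the chain above, the "sshd" file (and its no_warn option) is hypothetical, module outcomes are supplied as booleans rather than by loading real modules, and treating "#" as a comment marker is an assumption of this toy parser.

```python
"""Added example, not NetBSD's own code: a small model of how a PAM
/etc/pam.d/ service file is parsed and how the control-flags described in
pam.conf(5) decide an auth request.  Modules are simulated as booleans."""
from typing import Dict, List, Tuple

# (module-type, control-flag, module-name, options)
Stanza = Tuple[str, str, str, List[str]]

MODULE_TYPES = {"account", "auth", "password", "session"}
CONTROL_FLAGS = {"binding", "requisite", "required", "optional", "sufficient"}

# Constructed /etc/pam.d/ contents: "login" is the auth chain from the
# EXAMPLES section; "sshd" is a hypothetical service that inherits it
# through the "module-type include service-name" stanza.
PAM_D = {
    "login": """
        auth  sufficient  pam_self.so
        auth  required    pam_nologin.so
        auth  sufficient  pam_krb5.so
        auth  required    pam_unix.so
    """,
    "sshd": """
        auth  required    pam_nologin.so  no_warn
        auth  include     login
    """,
}


def parse_service(files: Dict[str, str], service: str, depth: int = 0) -> List[Stanza]:
    """Parse one /etc/pam.d/<service> file (no service-name column).
    An include stanza pulls in the stanzas of the same module-type from
    the named service; depth guards against include loops.  Treating '#'
    as a comment marker is an assumption of this toy parser."""
    if depth > 8:
        raise ValueError(f"include loop while reading {service}")
    chain: List[Stanza] = []
    for raw in files[service].splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3 or fields[0] not in MODULE_TYPES:
            raise ValueError(f"{service}: malformed stanza {line!r}")
        mtype, flag, name, options = fields[0], fields[1], fields[2], fields[3:]
        if flag == "include":
            chain.extend(s for s in parse_service(files, name, depth + 1)
                         if s[0] == mtype)
        elif flag in CONTROL_FLAGS:
            chain.append((mtype, flag, name, options))
        else:
            raise ValueError(f"{service}: unknown control-flag {flag!r}")
    return chain


def run_chain(chain: List[Stanza], mtype: str, results: Dict[str, bool]):
    """Walk the stanzas of one module-type applying the control-flag rules.
    results maps module-name -> True (success) / False (failure).  A module
    absent from results is treated as not installed, which, as the NOTES
    section says, makes the whole chain fail to load rather than run.
    Returns (granted, trace); trace lists the modules actually called."""
    chain = [s for s in chain if s[0] == mtype]
    missing = [name for _, _, name, _ in chain if name not in results]
    if missing:
        raise RuntimeError(f"chain fails to load; missing modules: {missing}")
    any_failed = required_failed = False
    trace: List[Tuple[str, str, bool]] = []
    for _, flag, name, _ in chain:
        ok = results[name]
        trace.append((name, flag, ok))
        if not ok:
            any_failed = True
        if flag == "requisite" and not ok:
            return False, trace                 # stop at once
        if flag in ("required", "binding") and not ok:
            required_failed = True              # recorded; chain keeps running
        if flag == "binding" and ok and not any_failed:
            return True, trace                  # no earlier failure of any kind
        if flag == "sufficient" and ok and not required_failed:
            return True, trace                  # an earlier required failure still denies
        # failures of optional and sufficient modules are only optional failures
    return (not required_failed), trace


def chain_loads(chain: List[Stanza], mtype: str, results: Dict[str, bool]) -> bool:
    """True if every module of the chain is available (see NOTES)."""
    try:
        run_chain(chain, mtype, results)
        return True
    except RuntimeError:
        return False


def login_scenarios():
    """Three outcomes of the login example chain under simulated module results."""
    chain = parse_service(PAM_D, "login")
    # 1. old and new user are the same: pam_self succeeds, nothing later is consulted
    same_user, t1 = run_chain(chain, "auth", {"pam_self.so": True, "pam_nologin.so": True,
                                              "pam_krb5.so": False, "pam_unix.so": True})
    # 2. ordinary login, Kerberos 5 fails but the UNIX password is right
    unix_ok, _ = run_chain(chain, "auth", {"pam_self.so": False, "pam_nologin.so": True,
                                           "pam_krb5.so": False, "pam_unix.so": True})
    # 3. logins disabled: the required failure is recorded, so the later
    #    sufficient pam_krb5 success cannot short-circuit to a grant
    nologin, t3 = run_chain(chain, "auth", {"pam_self.so": False, "pam_nologin.so": False,
                                            "pam_krb5.so": True, "pam_unix.so": True})
    return same_user, len(t1), unix_ok, nologin, len(t3)


if __name__ == "__main__":
    print(login_scenarios())                    # (True, 1, True, False, 4)
    print(parse_service(PAM_D, "sshd"))
```

The third scenario is the one worth remembering when auditing a chain: a sufficient module placed after a required one can only end the chain early on success if no required failure has been recorded, so pam_nologin's denial survives a Kerberos success. The include test shows why a stanza inherited from another service file should be reviewed as if it were written in the including file.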