This directory contains configuration files for the Pluggable
Authentication Modules (PAM) library.

Each file details the module chain for a single service, and must be
named after that service.  If no configuration file is found for a
particular service, the /etc/pam.d/other file is used instead.  If that
file does not exist, /etc/pam.conf is searched for entries matching
the specified service or, failing that, the "other" service.

See the pam(8) manual page for an explanation of the workings of the
PAM library and descriptions of the various files and modules.  Below
is a summary of the format for the pam.conf and /etc/pam.d/* files.

Configuration lines take the following form:

module-type    control-flag    module-path    arguments

Comments are introduced with a hash mark ('#').  Blank lines and lines
consisting entirely of comments are ignored.

The meanings of the different fields are as follows:

 module-type:
   auth:      prompt for a password to authenticate that the user is
              who they say they are, and set any credentials.
   account:   non-authentication based authorization, based on time,
              resources, etc.
   session:   housekeeping before and/or after login.
   password:  update authentication tokens.

 control-flag: How libpam handles success or failure of the module.
   required:   success is required; on failure all remaining
               modules are run, but the request will be denied.
   requisite:  success is required, and on failure no remaining
               modules are run.
   sufficient: success is sufficient, and if no previous required
               module failed, no remaining modules are run.
   binding:    success is sufficient; on failure all remaining
               modules are run, but the request will be denied.
   optional:   ignored unless the other modules return PAM_IGNORE.

 arguments: Module-specific options, plus some generic ones:
   debug:           syslog debug info.
   no_warn:         return no warning messages to the application.
                    Remove this to feed back to the user the
                    reason(s) they are being rejected.
   use_first_pass:  try authentication using password from the
                    preceding auth module.
   try_first_pass:  first try authentication using password from
                    the preceding auth module, and if that fails
                    prompt for a new password.
   use_mapped_pass: convert cleartext password to a crypto key.
   expose_account:  allow printing more info about the user when
                    prompting.

Note that having a "sufficient" module as the last entry for a
particular service and module type may result in surprising behaviour.
To get the intended semantics, add a "required" entry listing the
pam_deny module at the end of the chain.
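The check described in the note above can be automated.  The following
is an added example, not part of the original README or of the PAM
distribution: it parses the /etc/pam.d/* line format summarized here and
reports module types whose chain ends in a "sufficient" entry.  It
assumes one entry per line and only the module types and control flags
listed in this file; the function names and the sample service text are
constructed for illustration.

```python
# Added example: lint a pam.d service file for a chain ending in "sufficient".
# Assumes one entry per line and only the fields/flags listed in this README.
TYPES = {"auth", "account", "session", "password"}
FLAGS = {"required", "requisite", "sufficient", "binding", "optional"}

def parse_pam(text):
    """Return (entries, rejects): parsed (type, flag, module, args) tuples and
    (lineno, raw) pairs for lines that do not match the documented format."""
    entries, rejects = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # '#' introduces a comment
        if not line:                              # blank or comment-only line
            continue
        fields = line.split()
        if len(fields) >= 3 and fields[0] in TYPES and fields[1] in FLAGS:
            entries.append((fields[0], fields[1], fields[2], fields[3:]))
        else:
            rejects.append((lineno, raw))         # surface, never silently skip
    return entries, rejects

def dangling_sufficient(entries):
    """Module types whose last entry is 'sufficient' (no closing pam_deny)."""
    last = {}
    for mtype, flag, _module, _args in entries:
        last[mtype] = flag                        # later entries overwrite earlier
    return sorted(t for t, flag in last.items() if flag == "sufficient")

# Constructed sample input; the service and module choice are illustrative.
WEAK = """\
# auth chain ends in a sufficient module
auth     sufficient  pam_krb5.so   no_warn try_first_pass
auth     sufficient  pam_unix.so   no_warn try_first_pass
account  required    pam_unix.so
"""
FIXED = WEAK + "auth     required    pam_deny.so\n"

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("fixed", FIXED)):
        entries, rejects = parse_pam(text)
        print(name, "dangling:", dangling_sufficient(entries), "rejects:", rejects)
```

Lines that do not match the documented four-field format are returned
in the rejects list so that a reviewer sees them instead of having them
silently dropped from the chain under review.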

$FreeBSD: src/etc/pam.d/README,v 1.5 2004/06/06 11:46:29 schweikh Exp $
$NetBSD: README,v 1.2 2004/12/12 08:54:34 christos Exp $