pam_sample(5)
NAME
pam_sample - a sample PAM module
SYNOPSIS
/usr/lib/security/pam_sample.so.1
DESCRIPTION
The SAMPLE service module for PAM is divided into four
components: authentication, account management, password
management, and session management. The sample module is a
shared object that is dynamically loaded to provide the
necessary functionality.
SAMPLE Authentication Component
The SAMPLE authentication module, typically
/usr/lib/security/pam_sample.so.1, provides functions to
test the PAM framework functionality using the
pam_sm_authenticate(3PAM) call. The SAMPLE module
implementation of the pam_sm_authenticate(3PAM) function
compares the user-entered password with the password set in
the pam.conf(4) file, or the string "test" if a default test
password has not been set. The following options may be
passed in to the SAMPLE Authentication module:
debug
Syslog debugging information at the LOG_DEBUG level.
passwd=newone
Sets the password to be "newone."
first_pass_good
The first password is always good when used with the
use_first_pass or try_first_pass option.
first_pass_bad
The first password is always bad when used with the
use_first_pass or try_first_pass option.
always_fail
Always returns PAM_AUTH_ERR.
always_succeed
Always returns PAM_SUCCESS.
always_ignore
Always returns PAM_IGNORE.
use_first_pass
Use the user's initial password (entered when the user
is authenticated to the first authentication module in
the stack) to authenticate with the SAMPLE module.
If the passwords do not match, or if this is the first
authentication module in the stack, quit and do not
prompt the user for a password. It is recommended that
this option only be used if the SAMPLE authentication
module is designated as optional in the pam.conf
configuration file.
try_first_pass
Use the user's initial password (entered when the
user is authenticated to the first authentication
module in the stack) to authenticate with the SAMPLE
module. If the passwords do not match, or if this is
the first authentication module in the stack, prompt
the user for a password.

The SAMPLE module pam_sm_setcred(3PAM) function always
returns PAM_SUCCESS.
SAMPLE Account Management Component
The SAMPLE Account Management Component, typically
pam_sample.so.1, implements a simple access control scheme
that limits machine access to a list of authorized users.
The list of authorized users is supplied as option arguments
to the entry for the SAMPLE account management PAM module
in the pam.conf file. Note that the module always permits
access to the root super user.
The option field syntax to limit access is shown below:
allow= name[,name]
allow= name [allow=name]
The example pam.conf shown below permits only larry to log
in directly. rlogin is allowed only for don and larry. Once
a user is logged in, the user can use su if the user is sam
or eric.
login    account required pam_sample.so.1 allow=larry
dtlogin  account required pam_sample.so.1 allow=larry
rlogin   account required pam_sample.so.1 allow=don allow=larry
su       account required pam_sample.so.1 allow=sam,eric
The debug and nowarn options are also supported.
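
The following C sketch is an added example, not the module's source: it models the account check described in this section, accepting both the comma-separated and the repeated allow= forms and skipping other options. The function names, whole-name case-sensitive matching, and identifying root by user name are assumptions; the debug entry in su_opts is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Return 1 if user is one whole name in the comma-separated list. */
static int name_in_list(const char *user, const char *list)
{
    size_t ulen = strlen(user);
    if (ulen == 0)
        return 0;                       /* an empty name never matches */
    while (*list != '\0') {
        size_t n = strcspn(list, ",");  /* length of the current name */
        if (n == ulen && strncmp(list, user, n) == 0)
            return 1;
        list += n;
        if (*list == ',')
            list++;                     /* step over the separator */
    }
    return 0;
}

/* Model of the account check: root is always permitted (matched by name
 * here, an assumption); any other user must be named by an allow= option.
 * Options such as debug and nowarn do not affect the decision. */
int sample_acct_allowed(const char *user, int argc, const char *const *argv)
{
    if (strcmp(user, "root") == 0)
        return 1;
    for (int i = 0; i < argc; i++) {
        if (strncmp(argv[i], "allow=", 6) == 0 &&
            name_in_list(user, argv[i] + 6))
            return 1;
    }
    return 0;
}

/* Option fields of the rlogin and su entries above (debug is constructed). */
static const char *const rlogin_opts[] = { "allow=don", "allow=larry" };
static const char *const su_opts[]     = { "allow=sam,eric", "debug" };

int main(void)
{
    printf("rlogin larry: %d\n", sample_acct_allowed("larry", 2, rlogin_opts));
    printf("rlogin sam:   %d\n", sample_acct_allowed("sam", 2, rlogin_opts));
    printf("su eric:      %d\n", sample_acct_allowed("eric", 2, su_opts));
    printf("su er:        %d\n", sample_acct_allowed("er", 2, su_opts));
    printf("su root:      %d\n", sample_acct_allowed("root", 2, su_opts));
    return 0;
}
```
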
SAMPLE Password Management Component
The SAMPLE Password Management Component function
(pam_sm_chauthtok(3PAM)) always returns PAM_SUCCESS.
SAMPLE Session Management Component
The SAMPLE Session Management Component functions
(pam_sm_open_session(3PAM), pam_sm_close_session(3PAM))
always return PAM_SUCCESS.
ATTRIBUTES
See attributes(5) for a description of the following
attributes:
 ___________________________________________________________
|       ATTRIBUTE TYPE        |       ATTRIBUTE VALUE       |
|_____________________________|_____________________________|
| MT Level                    | MT-Safe with exceptions     |
|_____________________________|_____________________________|
SEE ALSO
pam(3PAM), pam_sm_authenticate(3PAM),
pam_sm_chauthtok(3PAM), pam_sm_close_session(3PAM),
pam_sm_open_session(3PAM), pam_sm_setcred(3PAM),
libpam(3LIB), pam.conf(4), attributes(5)
NOTES
The interfaces in libpam(3LIB) are MT-Safe only if each
thread within the multi-threaded application uses its own
PAM handle.