PAM Modules
The purpose of this page is to describe the functionality of PAM modules.
PAM Modules Should Respond to the Following Arguments
- debug -- Send debug data to the system logs using syslog().
- expose_account -- If your module supports it, display appropriate information about user accounts, such as displaying the user's real name rather than the username in messages.
- no_warn -- Don't send warnings to the application.
- try_first_pass -- Retrieve a token from PAM_AUTHTOK and try it for this module. If it fails, ask the user for an authentication token.
- use_first_pass -- Retrieve a token from PAM_AUTHTOK and use it for this module. If it fails, the module fails.
- use_mapped_pass -- Applying this argument may cause you to break local laws regarding encryption. If so, do not do it. No one wants anyone to get into legal trouble for writing code. If you can legally do so, the module should take the existing authentication token from the PAM_AUTHTOK item and use it as a key to retrieve the authentication token for this module.
All Arguments
- audit -- A more extensive form of debug.
- bigcrypt -- Use the DEC "C2" extension to crypt().
- debug -- Log information using syslog().
- md5 -- Use MD5-based password hashing instead of crypt().
- nis -- Use NIS (Network Information Service) passwords.
- nodelay -- By default, the module requests a delay-on-failure of a second. This argument overrides the default.
- not_set_pass -- Don't use the passwords from other stacked modules. Don't give the new password to other stacked modules.
- nullok -- By default, if the official password is blank, the authentication fails. This argument overrides the default.
- remember (remember=n) -- Save n recent passwords to prevent the user from alternating passwords.
- try_first_pass -- Use the password from the previous stacked auth module, and prompt for a new password if the retrieved password is blank or incorrect.
- use_authtok -- Set the new password to the one provided by a previous module.
- use_first_pass -- Use the result from the previous stacked auth module. Never prompt the user for a password; fail if the result was a failure.
Control Flags
Simple Form
- required -- The module must succeed for the stack of this module type to succeed. If this module fails, all other modules in the stack are executed but the stack is considered to fail.
- requisite -- The module must succeed for the stack of this module type to succeed. If this module fails, no later module of its type is executed: failure is reported immediately. The return value is that of the first module in the stack to fail.
- sufficient -- Success of this module is sufficient for the stack of this module type to succeed. If no previous required module has failed, no other modules of this module type are invoked. (This overrides the required execution of all other modules.) Failure of this module does not inherently prevent the stack from succeeding.
- optional -- Not critical to the success or failure of the stack. If at least one non-optional module succeeds or fails, the result of this module is ignored when calculating the success or failure of the stack.
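The four rules above, written out as a small C model of how one stack is evaluated. This is an added example, not code from libpam or from these notes; the names (struct entry, eval_stack, CF_*, RES_*) are constructed for illustration, and it assumes that a stack in which no module succeeded is treated as failed, a case the list does not cover.

```c
#include <stdio.h>

/* Simplified model of the four simple control flags; not libpam code. */
enum flag { CF_REQUIRED, CF_REQUISITE, CF_SUFFICIENT, CF_OPTIONAL };
enum { RES_OK = 0, RES_FAIL = 1 };   /* constructed result codes */

struct entry { enum flag flag; int result; int ran; };

/* Walk one stack (all lines of one module type) and return RES_OK or
 * RES_FAIL. Marks ran=1 on every module that was actually invoked. */
int eval_stack(struct entry *s, int n)
{
    int failed = 0;     /* a required module has failed */
    int succeeded = 0;  /* at least one module reported success */

    for (int i = 0; i < n; i++) {
        s[i].ran = 1;
        if (s[i].result == RES_OK) {
            succeeded = 1;
            /* sufficient ends the stack unless a required module failed */
            if (s[i].flag == CF_SUFFICIENT && !failed)
                return RES_OK;
            continue;
        }
        if (s[i].flag == CF_REQUISITE)
            return RES_FAIL;          /* report failure immediately */
        if (s[i].flag == CF_REQUIRED)
            failed = 1;               /* keep going, fail at the end */
        /* a failing sufficient or optional module is ignored */
    }
    /* Assumption: a stack where nothing succeeded fails closed. */
    return (!failed && succeeded) ? RES_OK : RES_FAIL;
}

int main(void)
{
    /* Constructed stacks. a: required fails, later modules still run. */
    struct entry a[] = { {CF_REQUIRED, RES_FAIL, 0}, {CF_SUFFICIENT, RES_OK, 0},
                         {CF_REQUIRED, RES_OK, 0} };
    /* b: sufficient listed first, so the required check is never reached. */
    struct entry b[] = { {CF_SUFFICIENT, RES_OK, 0}, {CF_REQUIRED, RES_FAIL, 0} };
    int ra = eval_stack(a, 3), rb = eval_stack(b, 2);

    printf("a: %s, last module ran=%d\n", ra == RES_OK ? "OK" : "FAIL", a[2].ran);
    printf("b: %s, required ran=%d\n", rb == RES_OK ? "OK" : "FAIL", b[1].ran);
    return 0;
}
```

Stack b is the ordering to check for when reviewing a PAM configuration: a sufficient line placed above a required one means the required module is skipped whenever the sufficient one succeeds.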
