Diff for /wikisrc/guide/pam.mdwn between versions 1.4 and 1.5

version 1.4, 2013/03/21 11:11:21 version 1.5, 2015/06/19 19:18:31
Line 104  by way of a handful of simple examples. Line 104  by way of a handful of simple examples.
 #### Client and server are one  #### Client and server are one
   
 This simple example shows `alice`  This simple example shows `alice`
 [su(1)](http://netbsd.gw.com/cgi-bin/man-cgi?su+1+NetBSD-5.0.1+i386)'ing to  [[!template id=man name="su" section="1"]]'ing to
 `root`:  `root`:
   
     $ whoami      $ whoami
Line 118  This simple example shows `alice` Line 118  This simple example shows `alice`
   
  * The applicant is `alice`.   * The applicant is `alice`.
  * The account is `root`.   * The account is `root`.
  * The [su(1)](http://netbsd.gw.com/cgi-bin/man-cgi?su+1+NetBSD-5.0.1+i386)   * The [[!template id=man name="su" section="1"]]
    process is both client and server.     process is both client and server.
  * The authentication token is `xi3kiune`.   * The authentication token is `xi3kiune`.
  * The arbitrator is `root`, which is why   * The arbitrator is `root`, which is why
    [su(1)](http://netbsd.gw.com/cgi-bin/man-cgi?su+1+NetBSD-5.0.1+i386) is     [[!template id=man name="su" section="1"]] is
    setuid `root`.     setuid `root`.
   
 #### Client and server are separate  #### Client and server are separate
   
 The example below shows `eve` try to initiate an  The example below shows `eve` try to initiate an
 [ssh(1)](http://netbsd.gw.com/cgi-bin/man-cgi?ssh+1+NetBSD-5.0.1+i386)  [[!template id=man name="ssh" section="1"]]
 connection to `login.example.com`, ask to log in as `bob`, and succeed. Bob  connection to `login.example.com`, ask to log in as `bob`, and succeed. Bob
 should have chosen a better password!  should have chosen a better password!
   
Line 144  should have chosen a better password! Line 144  should have chosen a better password!
   
  * The applicant is `eve`.   * The applicant is `eve`.
  * The client is Eve's   * The client is Eve's
    [ssh(1)](http://netbsd.gw.com/cgi-bin/man-cgi?ssh+1+NetBSD-5.0.1+i386)     [[!template id=man name="ssh" section="1"]]
    process.     process.
  * The server is the   * The server is the
    [sshd(8)](http://netbsd.gw.com/cgi-bin/man-cgi?sshd+8+NetBSD-5.0.1+i386)     [[!template id=man name="sshd" section="8"]]
    process on `login.example.com`     process on `login.example.com`
  * The account is `bob`.   * The account is `bob`.
  * The authentication token is `god`.   * The authentication token is `god`.
Line 166  The following is FreeBSD's default polic Line 166  The following is FreeBSD's default polic
   
  * This policy applies to the `sshd` service (which is not necessarily   * This policy applies to the `sshd` service (which is not necessarily
    restricted to the     restricted to the
    [sshd(8)](http://netbsd.gw.com/cgi-bin/man-cgi?sshd+8+NetBSD-5.0.1+i386)     [[!template id=man name="sshd" section="8"]]
    server.)     server.)
   
  * `auth`, `account`, `session` and `password` are facilities.   * `auth`, `account`, `session` and `password` are facilities.
Line 196  facilities, which are described below. Line 196  facilities, which are described below.
    the applicant and establishing the account credentials. It provides two     the applicant and establishing the account credentials. It provides two
    primitives:     primitives:
   
         * [pam\_authenticate(3)](http://netbsd.gw.com/cgi-bin/man-cgi?pam_authenticate+3+NetBSD-5.0.1+i386)          * [[!template id=man name="pam\_authenticate" section="3"]]
           authenticates the applicant, usually by requesting an authentication token            authenticates the applicant, usually by requesting an authentication token
           and comparing it with a value stored in a database or obtained from an            and comparing it with a value stored in a database or obtained from an
           authentication server.            authentication server.
   
         * [pam\_setcred(3)](http://netbsd.gw.com/cgi-bin/man-cgi?pam_setcred+3+NetBSD-5.0.1+i386)          * [[!template id=man name="pam\_setcred" section="3"]]
           establishes account credentials such as user ID, group membership and            establishes account credentials such as user ID, group membership and
           resource limits.            resource limits.
   
Line 210  facilities, which are described below. Line 210  facilities, which are described below.
    restrictions based on the time of day or the server's work load. It provides     restrictions based on the time of day or the server's work load. It provides
    a single primitive:     a single primitive:
   
         * [pam\_acct\_mgmt(3)](http://netbsd.gw.com/cgi-bin/man-cgi?pam_acct_mgmt+3+NetBSD-5.0.1+i386)          * [[!template id=man name="pam\_acct\_mgmt" section="3"]]
           verifies that the requested account is available.            verifies that the requested account is available.
   
  * `session` -- *Session management.* This facility handles tasks associated   * `session` -- *Session management.* This facility handles tasks associated
    with session set-up and tear-down, such as login accounting. It provides two     with session set-up and tear-down, such as login accounting. It provides two
    primitives:     primitives:
   
         * [pam\_open\_session(3)](http://netbsd.gw.com/cgi-bin/man-cgi?pam_open_session+3+NetBSD-5.0.1+i386)          * [[!template id=man name="pam\_open\_session" section="3"]]
           performs tasks associated with session set-up: add an entry in the `utmp`            performs tasks associated with session set-up: add an entry in the `utmp`
           and `wtmp` databases, start an SSH agent, etc.            and `wtmp` databases, start an SSH agent, etc.
   
         * [pam\_close\_session(3)](http://netbsd.gw.com/cgi-bin/man-cgi?pam_close_session+3+NetBSD-5.0.1+i386)          * [[!template id=man name="pam\_close\_session" section="3"]]
           performs tasks associated with session tear-down: add an entry in the            performs tasks associated with session tear-down: add an entry in the
           `utmp` and `wtmp` databases, stop the SSH agent, etc.            `utmp` and `wtmp` databases, stop the SSH agent, etc.
   
Line 230  facilities, which are described below. Line 230  facilities, which are described below.
    expired or because the user wishes to change it. It provides a single     expired or because the user wishes to change it. It provides a single
    primitive:     primitive:
   
         * [pam\_chauthtok(3)](http://netbsd.gw.com/cgi-bin/man-cgi?pam_chauthtok+3+NetBSD-5.0.1+i386)          * [[!template id=man name="pam\_chauthtok" section="3"]]
           changes the authentication token, optionally verifying that it is            changes the authentication token, optionally verifying that it is
           sufficiently hard to guess, has not been used previously, etc.            sufficiently hard to guess, has not been used previously, etc.
   
Line 251  include the facility name as well as the Line 251  include the facility name as well as the
 name one example, Solaris has a `pam_dial_auth.so.1` module which is commonly  name one example, Solaris has a `pam_dial_auth.so.1` module which is commonly
 used to authenticate dialup users. Also, almost every module has a man page with  used to authenticate dialup users. Also, almost every module has a man page with
 the same name, i.e.:  the same name, i.e.:
 [pam\_unix(8)](http://netbsd.gw.com/cgi-bin/man-cgi?pam_unix+8+NetBSD-5.0.1+i386)  [[!template id=man name="pam\_unix" section="8"]]
 explains how the `pam_unix.so` module works.  explains how the `pam_unix.so` module works.
   
 #### Module Versioning  #### Module Versioning
Line 282  located at `/usr/lib` and, under NetBSD, Line 282  located at `/usr/lib` and, under NetBSD,
   
 When a server initiates a PAM transaction, the PAM library tries to load a  When a server initiates a PAM transaction, the PAM library tries to load a
 policy for the service specified in the  policy for the service specified in the
 [pam\_start(3)](http://netbsd.gw.com/cgi-bin/man-cgi?pam_start+3+NetBSD-5.0.1+i386)  [[!template id=man name="pam\_start" section="3"]]
 call. The policy specifies how authentication requests should be processed, and  call. The policy specifies how authentication requests should be processed, and
 is defined in a configuration file. This is the other central concept in PAM:  is defined in a configuration file. This is the other central concept in PAM:
 the possibility for the admin to tune the system security policy (in the wider  the possibility for the admin to tune the system security policy (in the wider
Line 351  client and abort the transaction. Line 351  client and abort the transaction.
     or of being setuid `root`.      or of being setuid `root`.
   
  2. The server calls   2. The server calls
     [pam\_start(3)](http://netbsd.gw.com/cgi-bin/man-cgi?pam_start+3+NetBSD-5.0.1+i386)      [[!template id=man name="pam\_start" section="3"]]
     to initialize the PAM library and specify its service name and the target      to initialize the PAM library and specify its service name and the target
     account, and register a suitable conversation function.      account, and register a suitable conversation function.
   
  3. The server obtains various information relating to the transaction (such as   3. The server obtains various information relating to the transaction (such as
     the applicant's user name and the name of the host the client runs on) and      the applicant's user name and the name of the host the client runs on) and
     submits it to PAM using      submits it to PAM using
     [pam\_set\_item(3)](http://netbsd.gw.com/cgi-bin/man-cgi?pam_set_item+3+NetBSD-5.0.1+i386).      [[!template id=man name="pam\_set\_item" section="3"]].
   
  4. The server calls   4. The server calls
     [pam\_authenticate(3)](http://netbsd.gw.com/cgi-bin/man-cgi?pam_authenticate+3+NetBSD-5.0.1+i386)      [[!template id=man name="pam\_authenticate" section="3"]]
     to authenticate the applicant.      to authenticate the applicant.
   
  5. The server calls   5. The server calls
     [pam\_acct\_mgmt(3)](http://netbsd.gw.com/cgi-bin/man-cgi?pam_acct_mgmt+3+NetBSD-5.0.1+i386)      [[!template id=man name="pam\_acct\_mgmt" section="3"]]
     to verify that the requested account is available and valid. If the password is      to verify that the requested account is available and valid. If the password is
     correct but has expired,      correct but has expired,
     [pam\_acct\_mgmt(3)](http://netbsd.gw.com/cgi-bin/man-cgi?pam_acct_mgmt+3+NetBSD-5.0.1+i386)      [[!template id=man name="pam\_acct\_mgmt" section="3"]]
     will return `PAM_NEW_AUTHTOK_REQD` instead of `PAM_SUCCESS`.      will return `PAM_NEW_AUTHTOK_REQD` instead of `PAM_SUCCESS`.
   
  6. If the previous step returned `PAM_NEW_AUTHTOK_REQD`, the server now calls   6. If the previous step returned `PAM_NEW_AUTHTOK_REQD`, the server now calls
     [pam\_chauthtok(3)](http://netbsd.gw.com/cgi-bin/man-cgi?pam_chauthtok+3+NetBSD-5.0.1+i386)      [[!template id=man name="pam\_chauthtok" section="3"]]
     to force the client to change the authentication token for the requested      to force the client to change the authentication token for the requested
     account.      account.
   
  7. Now that the applicant has been properly authenticated, the server calls   7. Now that the applicant has been properly authenticated, the server calls
     [pam\_setcred(3)](http://netbsd.gw.com/cgi-bin/man-cgi?pam_setcred+3+NetBSD-5.0.1+i386)      [[!template id=man name="pam\_setcred" section="3"]]
     to establish the credentials of the requested account. It is able to do this      to establish the credentials of the requested account. It is able to do this
     because it acts on behalf of the arbitrator, and holds the arbitrator's      because it acts on behalf of the arbitrator, and holds the arbitrator's
     credentials.      credentials.
   
  8. Once the correct credentials have been established, the server calls   8. Once the correct credentials have been established, the server calls
     [pam\_open\_session(3)](http://netbsd.gw.com/cgi-bin/man-cgi?pam_open_session+3+NetBSD-5.0.1+i386)      [[!template id=man name="pam\_open\_session" section="3"]]
     to set up the session.      to set up the session.
   
  9. The server now performs whatever service the client requested -- for   9. The server now performs whatever service the client requested -- for
     instance, provide the applicant with a shell.      instance, provide the applicant with a shell.
   
 10. Once the server is done serving the client, it calls  10. Once the server is done serving the client, it calls
     [pam\_close\_session(3)](http://netbsd.gw.com/cgi-bin/man-cgi?pam_close_session+3+NetBSD-5.0.1+i386)      [[!template id=man name="pam\_close\_session" section="3"]]
     to tear down the session.      to tear down the session.
   
 11. Finally, the server calls  11. Finally, the server calls
     [pam\_end(3)](http://netbsd.gw.com/cgi-bin/man-cgi?pam_end+3+NetBSD-5.0.1+i386)      [[!template id=man name="pam\_end" section="3"]]
     to notify the PAM library that it is done and that it can release whatever      to notify the PAM library that it is done and that it can release whatever
     resources it has allocated in the course of the transaction.      resources it has allocated in the course of the transaction.
   
Line 494  To configure PAM correctly, it is essent Line 494  To configure PAM correctly, it is essent
 interpreted.  interpreted.
   
 When an application calls  When an application calls
 [pam\_start(3)](http://netbsd.gw.com/cgi-bin/man-cgi?pam_start+3+NetBSD-5.0.1+i386),  [[!template id=man name="pam\_start" section="3"]],
 the PAM library loads the policy for the specified service and constructs four  the PAM library loads the policy for the specified service and constructs four
 module chains (one for each facility.) If one or more of these chains are empty,  module chains (one for each facility.) If one or more of these chains are empty,
 the corresponding chains from the policy for the `other` service are  the corresponding chains from the policy for the `other` service are
Line 527  returned `PAM_NEW_AUTHTOK_REQD`, the dis Line 527  returned `PAM_NEW_AUTHTOK_REQD`, the dis
 `PAM_NEW_AUTHTOK_REQD`.  `PAM_NEW_AUTHTOK_REQD`.
   
 The second exception is that  The second exception is that
 [pam\_setcred(3)](http://netbsd.gw.com/cgi-bin/man-cgi?pam_setcred+3+NetBSD-5.0.1+i386)  [[!template id=man name="pam\_setcred" section="3"]]
 treats `binding` and `sufficient` modules as if they were `required`.  treats `binding` and `sufficient` modules as if they were `required`.
   
 The third and final exception is that  The third and final exception is that
 [pam\_chauthtok(3)](http://netbsd.gw.com/cgi-bin/man-cgi?pam_chauthtok+3+NetBSD-5.0.1+i386)  [[!template id=man name="pam\_chauthtok" section="3"]]
 runs the entire chain twice (once for preliminary checks and once to actually  runs the entire chain twice (once for preliminary checks and once to actually
 set the password), and in the preliminary phase it treats `binding` and  set the password), and in the preliminary phase it treats `binding` and
 `sufficient` modules as if they were `required`.  `sufficient` modules as if they were `required`.
Line 543  set the password), and in the preliminar Line 543  set the password), and in the preliminar
 #### pam\_deny(8)  #### pam\_deny(8)
   
 The  The
 [pam\_deny(8)](http://netbsd.gw.com/cgi-bin/man-cgi?pam_deny+8+NetBSD-5.0.1+i386)  [[!template id=man name="pam\_deny" section="8"]]
 module is one of the simplest modules available; it responds to any request with  module is one of the simplest modules available; it responds to any request with
 `PAM_AUTH_ERR`. It is useful for quickly disabling a service (add it to the top  `PAM_AUTH_ERR`. It is useful for quickly disabling a service (add it to the top
 of every chain), or for terminating chains of `sufficient` modules.  of every chain), or for terminating chains of `sufficient` modules.
Line 551  of every chain), or for terminating chai Line 551  of every chain), or for terminating chai
 #### pam\_echo(8)  #### pam\_echo(8)
   
 The  The
 [pam\_echo(8)](http://netbsd.gw.com/cgi-bin/man-cgi?pam_echo+8+NetBSD-5.0.1+i386)  [[!template id=man name="pam\_echo" section="8"]]
 module simply passes its arguments to the conversation function as a  module simply passes its arguments to the conversation function as a
 `PAM_TEXT_INFO` message. It is mostly useful for debugging, but can also serve  `PAM_TEXT_INFO` message. It is mostly useful for debugging, but can also serve
 to display messages such as `Unauthorized access will be prosecuted` before  to display messages such as `Unauthorized access will be prosecuted` before
Line 560  starting the authentication procedure. Line 560  starting the authentication procedure.
 #### pam\_exec(8)  #### pam\_exec(8)
   
 The  The
 [pam\_exec(8)](http://netbsd.gw.com/cgi-bin/man-cgi?pam_exec+8+NetBSD-5.0.1+i386)  [[!template id=man name="pam\_exec" section="8"]]
 module takes its first argument to be the name of a program to execute, and the  module takes its first argument to be the name of a program to execute, and the
 remaining arguments are passed to that program as command-line arguments. One  remaining arguments are passed to that program as command-line arguments. One
 possible application is to use it to run a program at login time which mounts  possible application is to use it to run a program at login time which mounts
Line 569  the user's home directory. Line 569  the user's home directory.
 #### pam\_ftpusers(8)  #### pam\_ftpusers(8)
   
 The  The
 [pam\_ftpusers(8)](http://netbsd.gw.com/cgi-bin/man-cgi?pam_ftpusers+8+NetBSD-5.0.1+i386)  [[!template id=man name="pam\_ftpusers" section="8"]]
 module successes if and only if the user is listed in `/etc/ftpusers`.  module successes if and only if the user is listed in `/etc/ftpusers`.
 Currently, in NetBSD, this module doesn't understand the extended syntax of  Currently, in NetBSD, this module doesn't understand the extended syntax of
 [ftpd(8)](http://netbsd.gw.com/cgi-bin/man-cgi?ftpd+8+NetBSD-5.0.1+i386), but  [[!template id=man name="ftpd" section="8"]], but
 this will be fixed in the future.  this will be fixed in the future.
   
 #### pam\_group(8)  #### pam\_group(8)
   
 The  The
 [pam\_group(8)](http://netbsd.gw.com/cgi-bin/man-cgi?pam_group+8+NetBSD-5.0.1+i386)  [[!template id=man name="pam\_group" section="8"]]
 module accepts or rejects applicants on the basis of their membership in a  module accepts or rejects applicants on the basis of their membership in a
 particular file group (normally `wheel` for  particular file group (normally `wheel` for
 [su(1)](http://netbsd.gw.com/cgi-bin/man-cgi?su+1+NetBSD-5.0.1+i386)). It is  [[!template id=man name="su" section="1"]]). It is
 primarily intended for maintaining the traditional behaviour of BSD  primarily intended for maintaining the traditional behaviour of BSD
 [su(1)](http://netbsd.gw.com/cgi-bin/man-cgi?su+1+NetBSD-5.0.1+i386), but has  [[!template id=man name="su" section="1"]], but has
 many other uses, such as excluding certain groups of users from a particular  many other uses, such as excluding certain groups of users from a particular
 service.  service.
   
Line 593  to authenticate using his own password. Line 593  to authenticate using his own password.
 #### pam\_guest(8)  #### pam\_guest(8)
   
 The  The
 [pam\_guest(8)](http://netbsd.gw.com/cgi-bin/man-cgi?pam_guest+8+NetBSD-5.0.1+i386)  [[!template id=man name="pam\_guest" section="8"]]
 module allows guest logins using fixed login names. Various requirements can be  module allows guest logins using fixed login names. Various requirements can be
 placed on the password, but the default behaviour is to allow any password as  placed on the password, but the default behaviour is to allow any password as
 long as the login name is that of a guest account. The  long as the login name is that of a guest account. The
 [pam\_guest(8)](http://netbsd.gw.com/cgi-bin/man-cgi?pam_guest+8+NetBSD-5.0.1+i386)  [[!template id=man name="pam\_guest" section="8"]]
 module can easily be used to implement anonymous FTP logins.  module can easily be used to implement anonymous FTP logins.
   
 #### pam\_krb5(8)  #### pam\_krb5(8)
   
 The  The
 [pam\_krb5(8)](http://netbsd.gw.com/cgi-bin/man-cgi?pam_krb5+8+NetBSD-5.0.1+i386)  [[!template id=man name="pam\_krb5" section="8"]]
 module provides functions to verify the identity of a user and to set user  module provides functions to verify the identity of a user and to set user
 specific credentials using Kerberos 5. It prompts the user for a password and  specific credentials using Kerberos 5. It prompts the user for a password and
 obtains a new Kerberos TGT for the principal. The TGT is verified by obtaining a  obtains a new Kerberos TGT for the principal. The TGT is verified by obtaining a
 service ticket for the local host. The newly acquired credentials are stored in  service ticket for the local host. The newly acquired credentials are stored in
 a credential cache and the environment variable KRB5CCNAME is set appropriately.  a credential cache and the environment variable KRB5CCNAME is set appropriately.
 The credentials cache should be destroyed by the user at logout with  The credentials cache should be destroyed by the user at logout with
 [kdestroy(1)](http://netbsd.gw.com/cgi-bin/man-cgi?kdestroy+1+NetBSD-5.0.1+i386).  [[!template id=man name="kdestroy" section="1"]].
   
 #### pam\_ksu(8)  #### pam\_ksu(8)
   
 The  The
 [pam\_ksu(8)](http://netbsd.gw.com/cgi-bin/man-cgi?pam_ksu+8+NetBSD-5.0.1+i386)  [[!template id=man name="pam\_ksu" section="8"]]
 module provides only authentication services for Kerberos 5 to determine whether  module provides only authentication services for Kerberos 5 to determine whether
 or not the applicant is authorized to obtain the privileges of the target  or not the applicant is authorized to obtain the privileges of the target
 account.  account.
Line 623  account. Line 623  account.
 #### pam\_lastlog(8)  #### pam\_lastlog(8)
   
 The  The
 [pam\_lastlog(8)](http://netbsd.gw.com/cgi-bin/man-cgi?pam_lastlog+8+NetBSD-5.0.1+i386)  [[!template id=man name="pam\_lastlog" section="8"]]
 module provides only session management services. It records the session in  module provides only session management services. It records the session in
 [utmp(5)](http://netbsd.gw.com/cgi-bin/man-cgi?utmp+5+NetBSD-5.0.1+i386),  [[!template id=man name="utmp" section="5"]],
 [utmpx(5)](http://netbsd.gw.com/cgi-bin/man-cgi?utmpx+5+NetBSD-5.0.1+i386),  [[!template id=man name="utmpx" section="5"]],
 [wtmp(5)](http://netbsd.gw.com/cgi-bin/man-cgi?wtmp+5+NetBSD-5.0.1+i386),  [[!template id=man name="wtmp" section="5"]],
 [wtmpx(5)](http://netbsd.gw.com/cgi-bin/man-cgi?wtmpx+5+NetBSD-5.0.1+i386),  [[!template id=man name="wtmpx" section="5"]],
 [lastlog(5)](http://netbsd.gw.com/cgi-bin/man-cgi?lastlog+5+NetBSD-5.0.1+i386)  [[!template id=man name="lastlog" section="5"]]
 and  and
 [lastlogx(5)](http://netbsd.gw.com/cgi-bin/man-cgi?lastlogx+5+NetBSD-5.0.1+i386)  [[!template id=man name="lastlogx" section="5"]]
 databases.  databases.
   
 #### pam\_login\_access(8)  #### pam\_login\_access(8)
   
 The  The
 [pam\_login\_access(8)](http://netbsd.gw.com/cgi-bin/man-cgi?pam_login_access+8+NetBSD-5.0.1+i386)  [[!template id=man name="pam\_login\_access" section="8"]]
 module provides an implementation of the account management primitive which  module provides an implementation of the account management primitive which
 enforces the login restrictions specified in the  enforces the login restrictions specified in the
 [login.access(5)](http://netbsd.gw.com/cgi-bin/man-cgi?login.access+5+NetBSD-5.0.1+i386)  [[!template id=man name="login.access" section="5"]]
 table.  table.
   
 #### pam\_nologin(8)  #### pam\_nologin(8)
   
 The  The
 [pam\_nologin(8)](http://netbsd.gw.com/cgi-bin/man-cgi?pam_nologin+8+NetBSD-5.0.1+i386)  [[!template id=man name="pam\_nologin" section="8"]]
 module refuses non-root logins when `/var/run/nologin` exists. This file is  module refuses non-root logins when `/var/run/nologin` exists. This file is
 normally created by  normally created by
 [shutdown(8)](http://netbsd.gw.com/cgi-bin/man-cgi?shutdown+8+NetBSD-5.0.1+i386)  [[!template id=man name="shutdown" section="8"]]
 when less than five minutes remain until the scheduled shutdown time.  when less than five minutes remain until the scheduled shutdown time.
   
 #### pam\_permit(8)  #### pam\_permit(8)
   
 The  The
 [pam\_permit(8)](http://netbsd.gw.com/cgi-bin/man-cgi?pam_permit+8+NetBSD-5.0.1+i386)  [[!template id=man name="pam\_permit" section="8"]]
 module is one of the simplest modules available; it responds to any request with  module is one of the simplest modules available; it responds to any request with
 `PAM_SUCCESS`. It is useful as a placeholder for services where one or more  `PAM_SUCCESS`. It is useful as a placeholder for services where one or more
 chains would otherwise be empty.  chains would otherwise be empty.
Line 663  chains would otherwise be empty. Line 663  chains would otherwise be empty.
 #### pam\_radius(8)  #### pam\_radius(8)
   
 The  The
 [pam\_radius(8)](http://netbsd.gw.com/cgi-bin/man-cgi?pam_radius+8+NetBSD-5.0.1+i386)  [[!template id=man name="pam\_radius" section="8"]]
 module provides authentication services based upon the RADIUS (Remote  module provides authentication services based upon the RADIUS (Remote
 Authentication Dial In User Service) protocol.  Authentication Dial In User Service) protocol.
   
 #### pam\_rhosts(8)  #### pam\_rhosts(8)
   
 The  The
 [pam\_rhosts(8)](http://netbsd.gw.com/cgi-bin/man-cgi?pam_rhosts+8+NetBSD-5.0.1+i386)  [[!template id=man name="pam\_rhosts" section="8"]]
 module provides only authentication services. It reports success if and only if  module provides only authentication services. It reports success if and only if
 the target user's ID is not 0 and the remote host and user are listed in  the target user's ID is not 0 and the remote host and user are listed in
 `/etc/hosts.equiv` or in the target user's `~/.rhosts`.  `/etc/hosts.equiv` or in the target user's `~/.rhosts`.
Line 678  the target user's ID is not 0 and the re Line 678  the target user's ID is not 0 and the re
 #### pam\_rootok(8)  #### pam\_rootok(8)
   
 The  The
 [pam\_rootok(8)](http://netbsd.gw.com/cgi-bin/man-cgi?pam_rootok+8+NetBSD-5.0.1+i386)  [[!template id=man name="pam\_rootok" section="8"]]
 module reports success if and only if the real user id of the process calling it  module reports success if and only if the real user id of the process calling it
 (which is assumed to be run by the applicant) is 0. This is useful for  (which is assumed to be run by the applicant) is 0. This is useful for
 non-networked services such as  non-networked services such as
 [su(1)](http://netbsd.gw.com/cgi-bin/man-cgi?su+1+NetBSD-5.0.1+i386) or  [[!template id=man name="su" section="1"]] or
 [passwd(1)](http://netbsd.gw.com/cgi-bin/man-cgi?passwd+1+NetBSD-5.0.1+i386), to  [[!template id=man name="passwd" section="1"]], to
 which the `root` should have automatic access.  which the `root` should have automatic access.
   
 #### pam\_securetty(8)  #### pam\_securetty(8)
   
 The  The
 [pam\_securetty(8)](http://netbsd.gw.com/cgi-bin/man-cgi?pam_securetty+8+NetBSD-5.0.1+i386)  [[!template id=man name="pam\_securetty" section="8"]]
 module provides only account services. It is used when the applicant is  module provides only account services. It is used when the applicant is
 attempting to authenticate as superuser, and the process is attached to an  attempting to authenticate as superuser, and the process is attached to an
 insecure TTY.  insecure TTY.
Line 697  insecure TTY. Line 697  insecure TTY.
 #### pam\_self(8)  #### pam\_self(8)
   
 The  The
 [pam\_self(8)](http://netbsd.gw.com/cgi-bin/man-cgi?pam_self+8+NetBSD-5.0.1+i386)  [[!template id=man name="pam\_self" section="8"]]
 module reports success if and only if the names of the applicant matches that of  module reports success if and only if the names of the applicant matches that of
 the target account. It is most useful for non-networked services such as  the target account. It is most useful for non-networked services such as
 [su(1)](http://netbsd.gw.com/cgi-bin/man-cgi?su+1+NetBSD-5.0.1+i386), where the  [[!template id=man name="su" section="1"]], where the
 identity of the applicant can be easily verified.  identity of the applicant can be easily verified.
   
 #### pam\_ssh(8)  #### pam\_ssh(8)
   
 The  The
 [pam\_ssh(8)](http://netbsd.gw.com/cgi-bin/man-cgi?pam_ssh+8+NetBSD-5.0.1+i386)  [[!template id=man name="pam\_ssh" section="8"]]
 module provides both authentication and session services. The authentication  module provides both authentication and session services. The authentication
 service allows users who have passphrase-protected SSH secret keys in their  service allows users who have passphrase-protected SSH secret keys in their
 `~/.ssh` directory to authenticate themselves by typing their passphrase. The  `~/.ssh` directory to authenticate themselves by typing their passphrase. The
 session service starts  session service starts
 [ssh-agent(1)](http://netbsd.gw.com/cgi-bin/man-cgi?ssh-agent+1+NetBSD-5.0.1+i386)  [[!template id=man name="ssh-agent" section="1"]]
 and preloads it with the keys that were decrypted in the authentication phase.  and preloads it with the keys that were decrypted in the authentication phase.
 This feature is particularly useful for local logins, whether in X (using  This feature is particularly useful for local logins, whether in X (using
 [xdm(1)](http://netbsd.gw.com/cgi-bin/man-cgi?xdm+1+NetBSD-5.0.1+i386) or  [[!template id=man name="xdm" section="1"]] or
 another PAM-aware X login manager) or at the console.  another PAM-aware X login manager) or at the console.
   
 This module implements what is fundamentally a password authentication scheme.  This module implements what is fundamentally a password authentication scheme.
Line 723  encrypted session, etc.), otherwise the  Line 723  encrypted session, etc.), otherwise the 
 compromised.  compromised.
   
 Additional consideration should be given to the use of  Additional consideration should be given to the use of
 [pam\_ssh(8)](http://netbsd.gw.com/cgi-bin/man-cgi?pam_ssh+8+NetBSD-5.0.1+i386).  [[!template id=man name="pam\_ssh" section="8"]].
 Users often assume that file permissions are sufficient to protect their SSH  Users often assume that file permissions are sufficient to protect their SSH
 keys, and thus use weak or no passphrases. Since the system administrator has no  keys, and thus use weak or no passphrases. Since the system administrator has no
 effective means of enforcing SSH passphrase quality, this has the potential to  effective means of enforcing SSH passphrase quality, this has the potential to
Line 732  expose the system to security risks. Line 732  expose the system to security risks.
 #### pam\_unix(8)  #### pam\_unix(8)
   
 The  The
 [pam\_unix(8)](http://netbsd.gw.com/cgi-bin/man-cgi?pam_unix+8+NetBSD-5.0.1+i386)  [[!template id=man name="pam\_unix" section="8"]]
 module implements traditional UNIX® password authentication, using  module implements traditional UNIX® password authentication, using
 [getpwnam(3)](http://netbsd.gw.com/cgi-bin/man-cgi?getpwnam+3+NetBSD-5.0.1+i386)  [[!template id=man name="getpwnam" section="3"]]
 under FreeBSD or  under FreeBSD or
 [getpwnam\_r(3)](http://netbsd.gw.com/cgi-bin/man-cgi?getpwnam_r+3+NetBSD-5.0.1+i386)  [[!template id=man name="getpwnam\_r" section="3"]]
 under NetBSD to obtain the target account's password and compare it with the one  under NetBSD to obtain the target account's password and compare it with the one
 provided by the applicant. It also provides account management services  provided by the applicant. It also provides account management services
 (enforcing account and password expiration times) and password-changing  (enforcing account and password expiration times) and password-changing
Line 748  of admins will want to maintain historic Line 748  of admins will want to maintain historic
 #### pam\_skey(8)  #### pam\_skey(8)
   
 The  The
 [pam\_skey(8)](http://netbsd.gw.com/cgi-bin/man-cgi?pam_skey+8+NetBSD-5.0.1+i386)  [[!template id=man name="pam\_skey" section="8"]]
 module implements S/Key One Time Password (OTP) authentication methods, using  module implements S/Key One Time Password (OTP) authentication methods, using
 the `/etc/skeykeys` database.  the `/etc/skeykeys` database.
   
Line 763  This section has not yet been written. Line 763  This section has not yet been written.
 ## Sample PAM Application  ## Sample PAM Application
   
 The following is a minimal implementation of  The following is a minimal implementation of
 [su(1)](http://netbsd.gw.com/cgi-bin/man-cgi?su+1+NetBSD-5.0.1+i386) using PAM.  [[!template id=man name="su" section="1"]] using PAM.
 Note that it uses the OpenPAM-specific  Note that it uses the OpenPAM-specific
 [openpam\_ttyconv(3)](http://netbsd.gw.com/cgi-bin/man-cgi?openpam_ttyconv+3+NetBSD-5.0.1+i386)  [[!template id=man name="openpam\_ttyconv" section="3"]]
 conversation function, which is prototyped in `security/openpam.h`. If you wish  conversation function, which is prototyped in `security/openpam.h`. If you wish
 build this application on a system with a different PAM library, you will have  build this application on a system with a different PAM library, you will have
 to provide your own conversation function. A robust conversation function is  to provide your own conversation function. A robust conversation function is
Line 927  used in real-world applications. Line 927  used in real-world applications.
 ## Sample PAM Module  ## Sample PAM Module
   
 The following is a minimal implementation of  The following is a minimal implementation of
 [pam\_unix(8)](http://netbsd.gw.com/cgi-bin/man-cgi?pam_unix+8+NetBSD-5.0.1+i386),  [[!template id=man name="pam\_unix" section="8"]],
 offering only authentication services. It should build and run with most PAM  offering only authentication services. It should build and run with most PAM
 implementations, but takes advantage of OpenPAM extensions if available: note  implementations, but takes advantage of OpenPAM extensions if available: note
 the use of  the use of
 [pam\_get\_authtok(3)](http://netbsd.gw.com/cgi-bin/man-cgi?pam_get_authtok+3+NetBSD-5.0.1+i386),  [[!template id=man name="pam\_get\_authtok" section="3"]],
 which enormously simplifies prompting the user for a password.  which enormously simplifies prompting the user for a password.
   
     #include <sys/param.h>      #include <sys/param.h>
Line 1070  which enormously simplifies prompting th Line 1070  which enormously simplifies prompting th
   
 The conversation function presented below is a greatly simplified version of  The conversation function presented below is a greatly simplified version of
 OpenPAM's  OpenPAM's
 [openpam\_ttyconv(3)](http://netbsd.gw.com/cgi-bin/man-cgi?openpam_ttyconv+3+NetBSD-5.0.1+i386).  [[!template id=man name="openpam\_ttyconv" section="3"]].
 It is fully functional, and should give the reader a good idea of how a  It is fully functional, and should give the reader a good idea of how a
 conversation function should behave, but it is far too simple for real-world  conversation function should behave, but it is far too simple for real-world
 use. Even if you're not using OpenPAM, feel free to download the source code and  use. Even if you're not using OpenPAM, feel free to download the source code and
 adapt  adapt
 [openpam\_ttyconv(3)](http://netbsd.gw.com/cgi-bin/man-cgi?openpam_ttyconv+3+NetBSD-5.0.1+i386)  [[!template id=man name="openpam\_ttyconv" section="3"]]
 to your uses; we believe it to be as robust as a tty-oriented conversation  to your uses; we believe it to be as robust as a tty-oriented conversation
 function can reasonably get.  function can reasonably get.
   

Removed from v.1.4  
changed lines
  Added in v.1.5


CVSweb for NetBSD wikisrc <wikimaster@NetBSD.org> software: FreeBSD-CVSweb