5069 Removal of wu-ftpd
Reviewed by: Josef 'Jeff' Sipek <josef.sipek@nexenta.com>
Reviewed by: Garrett D'Amore <garrett@damore.org>
Reviewed by: Milan Jurik <milan.jurik@xylab.cz>
Reviewed by: Igor Kozhukhov <ikozhukhov@gmail.com>
Reviewed by: Gary Mills <gary_mills@fastmail.fm>
Reviewed by: Toomas Soome <tsoome@me.com>
Reviewed by: Adam Stevko <adam.stevko@gmail.com>
   1 '\" te
   2 .\" Copyright (C) 2006, Sun Microsystems, Inc. All Rights Reserved.
   3 .\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License").  You may not use this file except in compliance with the License.
   4 .\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing.  See the License for the specific language governing permissions and limitations under the License.
   5 .\" When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE.  If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
   6 .TH PAM.CONF 4 "Jun 19, 2006"
   7 .SH NAME
   8 pam.conf \- configuration file for pluggable authentication modules
   9 .SH SYNOPSIS
  10 .LP
  11 .nf
  12 \fB/etc/pam.conf\fR
  13 .fi
  14 
  15 .SH DESCRIPTION
  16 .sp
  17 .LP
  18 \fBpam.conf\fR is the configuration file for the Pluggable Authentication
  19 Module architecture, or \fBPAM\fR. A \fBPAM\fR module provides functionality
  20 for one or more of four possible services: authentication, account management,
  21 session management, and password management.
  22 .sp
  23 .ne 2
  24 .na
  25 \fBauthentication service module\fR
  26 .ad
  27 .sp .6
  28 .RS 4n
  29 Provides functionality to authenticate a user and set up user credentials.
  30 .RE
  31 
  32 .sp
  33 .ne 2
  34 .na
  35 \fBaccount management module\fR
  36 .ad


  49 .sp .6
  50 .RS 4n
  51 Provides functionality to set up and terminate login sessions.
  52 .RE
  53 
  54 .sp
  55 .ne 2
  56 .na
  57 \fBpassword management module\fR
  58 .ad
  59 .sp .6
  60 .RS 4n
  61 Provides functionality to change a user's authentication token or password.
  62 .RE
  63 
  64 .sp
  65 .LP
  66 Each of the four service modules can be implemented as a shared library object
  67 which can be referenced in the \fBpam.conf\fR configuration file.
  68 .SS "Simplified pam.conf Configuration File"
  69 .sp
  70 .LP
  71 The \fBpam.conf\fR file contains a listing of services. Each service is paired
  72 with a corresponding service module. When a service is requested, its
  73 associated module is invoked. Each entry may be a maximum of 256 characters,
  74 including the end of line, and has the following format:
  75 .sp
  76 .in +2
  77 .nf
  78 \fIservice_name module_type control_flag module_path options\fR
  79 .fi
  80 .in -2
  81 .sp
  82 
  83 .sp
  84 .LP
  85 The following is an example of a \fBpam.conf\fR configuration file with support
  86 for authentication, account management, session management and password
  87 management modules (See the \fBpam.conf\fR file that is shipped with your
  88 system for the contents of this file):
  89 .sp


 134 service functionality. If the pathname is not absolute, shared library objects
 135 are assumed to be relative to \fB/usr/lib/security/$ISA/\fR, and included
 136 \fBPAM\fR configuration files are assumed to be relative to
 137 \fB/usr/lib/security/\fR.
 138 .sp
 139 .LP
 140 The \fBISA\fR token is replaced by an implementation defined directory name
 141 which defines the path relative to the calling program's instruction set
 142 architecture.
 143 .sp
 144 .LP
 145 The \fIoptions\fR field is used by the \fBPAM\fR framework layer to pass module
 146 specific options to the modules. It is up to the module to parse and interpret
 147 the options.
 148 .sp
 149 .LP
 150 This field can be used by the modules to turn on debugging or to pass any
 151 module specific parameters such as a \fBTIMEOUT\fR value. The options supported
 152 by the modules are documented in their respective manual pages.
 153 .SS "Integrating Multiple Authentication Services With Stacking"
 154 .sp
 155 .LP
 156 When a \fIservice_name\fR of the same \fImodule_type\fR is defined more than
 157 once, the service is said to be stacked. Each module referenced in the
 158 \fImodule_path\fR for that service is then processed in the order that it
 159 occurs in the configuration file. The \fIcontrol_flag\fR field specifies the
 160 continuation and failure semantics of the modules, and can contain one of the
 161 following values:
 162 .sp
 163 .ne 2
 164 .na
 165 \fB\fBbinding\fR\fR
 166 .ad
 167 .RS 14n
 168 If the service module returns success and no preceding \fBrequired\fR modules
 169 returned failures, immediately return success without calling any subsequent
 170 modules. If a failure is returned, treat the failure as a \fBrequired\fR module
 171 failure, and continue to process the \fBPAM\fR stack.
 172 .RE
 173 
 174 .sp


 297 module is invoked. \fBinhouse\fR authentication is optional by virtue of the
 298 optional keyword in the \fIcontrol_flag\fR field. The user can still log in
 299 even if \fBinhouse\fR authentication fails, assuming the modules stacked above
 300 succeeded.
 301 .sp
 302 .LP
 303 In the case of \fBrlogin\fR, the \fBsufficient\fR keyword for
 304 \fIcontrol_flag\fR specifies that if the \fBrhosts\fR authentication check
 305 succeeds, then \fBPAM\fR should return success to \fBrlogin\fR and \fBrlogin\fR
 306 should not prompt the user for a password. The other authentication modules,
 307 which are in the stack, will only be invoked if the \fBrhosts\fR check fails.
 308 This gives the system administrator the flexibility to determine if
 309 \fBrhosts\fR alone is sufficient enough to authenticate a remote user.
 310 .sp
 311 .LP
 312 Some modules return \fBPAM_IGNORE\fR in certain situations. In these cases the
 313 \fBPAM\fR framework ignores the entire entry in \fBpam.conf\fR regardless of
 314 whether or not it is \fBbinding\fR, \fBrequisite\fR, \fBrequired\fR,
 315 \fBoptional\fR, or \fBsufficient\fR.
 316 .SS "Utilities and Files"
 317 .sp
 318 .LP
 319 The specific service names and module types for each service should be
 320 documented in the man page for that service. For instance, the \fBsshd\fR(1M)
 321 man page lists all of the \fBPAM\fR service names and module types for the
 322 \fBsshd\fR command.
 323 .sp
 324 .LP
 325 The \fBPAM\fR configuration file does not dictate either the name or the
 326 location of the service specific modules. The convention, however, is the
 327 following:
 328 .sp
 329 .ne 2
 330 .na
 331 \fB\fBpam_module_name.so.x\fR\fR
 332 .ad
 333 .RS 29n
 334 File that implements various function of specific authentication services. As
 335 the relative pathname specified, \fB/usr/lib/security/$ISA\fR is prepended to
 336 it.
 337 .RE


 407 #
 408 # Default definition for Account management
 409 # Used when service name is not explicitly mentioned
 410 #
 411 OTHER   account include      unix_common
 412 #
 413 # Default definition for Session management
 414 # Used when service name is not explicitly mentioned
 415 #
 416 OTHER   session include         unix_common
 417 #
 418 # Default definition for  Password management
 419 # Used when service name is not explicitly mentioned
 420 #
 421 OTHER   password include        unix_common
 422 .fi
 423 .in -2
 424 .sp
 425 
 426 .SH ATTRIBUTES
 427 .sp
 428 .LP
 429 See \fBattributes\fR(5) for descriptions of the following attributes:
 430 .sp
 431 
 432 .sp
 433 .TS
 434 box;
 435 c | c
 436 l | l .
 437 ATTRIBUTE TYPE  ATTRIBUTE VALUE
 438 _
 439 Interface Stability     See Below.
 440 .TE
 441 
 442 .sp
 443 .LP
 444 The format is Stable. The contents has no stability attributes.
 445 .SH SEE ALSO
 446 .sp
 447 .LP
 448 \fBlogin\fR(1), \fBpasswd\fR(1), \fBin.ftpd\fR(1M), \fBin.rlogind\fR(1M),
 449 \fBin.rshd\fR(1M), \fBin.telnetd\fR(1M), \fBin.uucpd\fR(1M), \fBinit\fR(1M),
 450 \fBrpc.rexd\fR(1M), \fBsac\fR(1M), \fBttymon\fR(1M), \fBsu\fR(1M),
 451 \fBpam\fR(3PAM), \fBsyslog\fR(3C), \fBlibpam\fR(3LIB), \fBattributes\fR(5),
 452 \fBenviron\fR(5), \fBpam_authtok_check\fR(5), \fBpam_authtok_get\fR(5),
 453 \fBpam_authtok_store\fR(5), \fBpam_dhkeys\fR(5), \fBpam_krb5\fR(5),
 454 \fBpam_passwd_auth\fR(5), \fBpam_unix_account\fR(5), \fBpam_unix_auth\fR(5),
 455 \fBpam_unix_session\fR(5)
 456 .SH NOTES
 457 .sp
 458 .LP
 459 The \fBpam_unix\fR module is no longer supported. Similar functionality is
 460 provided by \fBpam_authtok_check\fR(5), \fBpam_authtok_get\fR(5),
 461 \fBpam_authtok_store\fR(5), \fBpam_dhkeys\fR(5), \fBpam_passwd_auth\fR(5),
 462 \fBpam_unix_account\fR(5), \fBpam_unix_auth\fR(5), and
 463 \fBpam_unix_session\fR(5).
 464 .sp
 465 .LP
 466 With the removal of the \fBpam_unix\fR module, the SunOS delivered PAM service
 467 modules no longer need or support the "\fBuse_first_pass\fR" or
 468 "\fBtry_first_pass\fR" options. This functionality is provided by stacking
 469 \fBpam_authtok_get\fR(5) above a module that requires a password.
   1 '\" te
   2 .\" Copyright (C) 2006, Sun Microsystems, Inc. All Rights Reserved.
   3 .\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License").  You may not use this file except in compliance with the License.
   4 .\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing.  See the License for the specific language governing permissions and limitations under the License.
   5 .\" When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE.  If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
   6 .TH PAM.CONF 4 "Jun 19, 2006"
   7 .SH NAME
   8 pam.conf \- configuration file for pluggable authentication modules
   9 .SH SYNOPSIS
  10 .LP
  11 .nf
  12 \fB/etc/pam.conf\fR
  13 .fi
  14 
  15 .SH DESCRIPTION

  16 .LP
  17 \fBpam.conf\fR is the configuration file for the Pluggable Authentication
  18 Module architecture, or \fBPAM\fR. A \fBPAM\fR module provides functionality
  19 for one or more of four possible services: authentication, account management,
  20 session management, and password management.
  21 .sp
  22 .ne 2
  23 .na
  24 \fBauthentication service module\fR
  25 .ad
  26 .sp .6
  27 .RS 4n
  28 Provides functionality to authenticate a user and set up user credentials.
  29 .RE
  30 
  31 .sp
  32 .ne 2
  33 .na
  34 \fBaccount management module\fR
  35 .ad
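Review bot: The .TH line (new line 6) still reads "Jun 19, 2006" even though this commit changes the page's content (in.ftpd(1M) leaves SEE ALSO). Consider bumping the date so readers and packagers can tell the page was revised along with the wu-ftpd removal.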


  48 .sp .6
  49 .RS 4n
  50 Provides functionality to set up and terminate login sessions.
  51 .RE
  52 
  53 .sp
  54 .ne 2
  55 .na
  56 \fBpassword management module\fR
  57 .ad
  58 .sp .6
  59 .RS 4n
  60 Provides functionality to change a user's authentication token or password.
  61 .RE
  62 
  63 .sp
  64 .LP
  65 Each of the four service modules can be implemented as a shared library object
  66 which can be referenced in the \fBpam.conf\fR configuration file.
  67 .SS "Simplified pam.conf Configuration File"

  68 .LP
  69 The \fBpam.conf\fR file contains a listing of services. Each service is paired
  70 with a corresponding service module. When a service is requested, its
  71 associated module is invoked. Each entry may be a maximum of 256 characters,
  72 including the end of line, and has the following format:
  73 .sp
  74 .in +2
  75 .nf
  76 \fIservice_name module_type control_flag module_path options\fR
  77 .fi
  78 .in -2
  79 .sp
  80 
  81 .sp
  82 .LP
  83 The following is an example of a \fBpam.conf\fR configuration file with support
  84 for authentication, account management, session management and password
  85 management modules (See the \fBpam.conf\fR file that is shipped with your
  86 system for the contents of this file):
  87 .sp
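Review bot: The .sp cleanup is only partial and is not mentioned in the change title. The .sp that followed .SH DESCRIPTION and .SS "Simplified pam.conf Configuration File" is gone, but the back-to-back .sp requests at new lines 79 and 81 remain. Either drop the redundant one as well or note the formatting cleanup in the commit message so it is not mistaken for part of the wu-ftpd removal.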


 132 service functionality. If the pathname is not absolute, shared library objects
 133 are assumed to be relative to \fB/usr/lib/security/$ISA/\fR, and included
 134 \fBPAM\fR configuration files are assumed to be relative to
 135 \fB/usr/lib/security/\fR.
 136 .sp
 137 .LP
 138 The \fBISA\fR token is replaced by an implementation defined directory name
 139 which defines the path relative to the calling program's instruction set
 140 architecture.
 141 .sp
 142 .LP
 143 The \fIoptions\fR field is used by the \fBPAM\fR framework layer to pass module
 144 specific options to the modules. It is up to the module to parse and interpret
 145 the options.
 146 .sp
 147 .LP
 148 This field can be used by the modules to turn on debugging or to pass any
 149 module specific parameters such as a \fBTIMEOUT\fR value. The options supported
 150 by the modules are documented in their respective manual pages.
 151 .SS "Integrating Multiple Authentication Services With Stacking"

 152 .LP
 153 When a \fIservice_name\fR of the same \fImodule_type\fR is defined more than
 154 once, the service is said to be stacked. Each module referenced in the
 155 \fImodule_path\fR for that service is then processed in the order that it
 156 occurs in the configuration file. The \fIcontrol_flag\fR field specifies the
 157 continuation and failure semantics of the modules, and can contain one of the
 158 following values:
 159 .sp
 160 .ne 2
 161 .na
 162 \fB\fBbinding\fR\fR
 163 .ad
 164 .RS 14n
 165 If the service module returns success and no preceding \fBrequired\fR modules
 166 returned failures, immediately return success without calling any subsequent
 167 modules. If a failure is returned, treat the failure as a \fBrequired\fR module
 168 failure, and continue to process the \fBPAM\fR stack.
 169 .RE
 170 
 171 .sp


 294 module is invoked. \fBinhouse\fR authentication is optional by virtue of the
 295 optional keyword in the \fIcontrol_flag\fR field. The user can still log in
 296 even if \fBinhouse\fR authentication fails, assuming the modules stacked above
 297 succeeded.
 298 .sp
 299 .LP
 300 In the case of \fBrlogin\fR, the \fBsufficient\fR keyword for
 301 \fIcontrol_flag\fR specifies that if the \fBrhosts\fR authentication check
 302 succeeds, then \fBPAM\fR should return success to \fBrlogin\fR and \fBrlogin\fR
 303 should not prompt the user for a password. The other authentication modules,
 304 which are in the stack, will only be invoked if the \fBrhosts\fR check fails.
 305 This gives the system administrator the flexibility to determine if
 306 \fBrhosts\fR alone is sufficient enough to authenticate a remote user.
 307 .sp
 308 .LP
 309 Some modules return \fBPAM_IGNORE\fR in certain situations. In these cases the
 310 \fBPAM\fR framework ignores the entire entry in \fBpam.conf\fR regardless of
 311 whether or not it is \fBbinding\fR, \fBrequisite\fR, \fBrequired\fR,
 312 \fBoptional\fR, or \fBsufficient\fR.
 313 .SS "Utilities and Files"

 314 .LP
 315 The specific service names and module types for each service should be
 316 documented in the man page for that service. For instance, the \fBsshd\fR(1M)
 317 man page lists all of the \fBPAM\fR service names and module types for the
 318 \fBsshd\fR command.
 319 .sp
 320 .LP
 321 The \fBPAM\fR configuration file does not dictate either the name or the
 322 location of the service specific modules. The convention, however, is the
 323 following:
 324 .sp
 325 .ne 2
 326 .na
 327 \fB\fBpam_module_name.so.x\fR\fR
 328 .ad
 329 .RS 29n
 330 File that implements various function of specific authentication services. As
 331 the relative pathname specified, \fB/usr/lib/security/$ISA\fR is prepended to
 332 it.
 333 .RE


 403 #
 404 # Default definition for Account management
 405 # Used when service name is not explicitly mentioned
 406 #
 407 OTHER   account include      unix_common
 408 #
 409 # Default definition for Session management
 410 # Used when service name is not explicitly mentioned
 411 #
 412 OTHER   session include         unix_common
 413 #
 414 # Default definition for  Password management
 415 # Used when service name is not explicitly mentioned
 416 #
 417 OTHER   password include        unix_common
 418 .fi
 419 .in -2
 420 .sp
 421 
 422 .SH ATTRIBUTES

 423 .LP
 424 See \fBattributes\fR(5) for descriptions of the following attributes:
 425 .sp
 426 
 427 .sp
 428 .TS
 429 box;
 430 c | c
 431 l | l .
 432 ATTRIBUTE TYPE  ATTRIBUTE VALUE
 433 _
 434 Interface Stability     See Below.
 435 .TE
 436 
 437 .sp
 438 .LP
 439 The format is Stable. The contents has no stability attributes.
 440 .SH SEE ALSO

 441 .LP
 442 \fBlogin\fR(1), \fBpasswd\fR(1), \fBin.rlogind\fR(1M),
 443 \fBin.rshd\fR(1M), \fBin.telnetd\fR(1M), \fBin.uucpd\fR(1M), \fBinit\fR(1M),
 444 \fBrpc.rexd\fR(1M), \fBsac\fR(1M), \fBttymon\fR(1M), \fBsu\fR(1M),
 445 \fBpam\fR(3PAM), \fBsyslog\fR(3C), \fBlibpam\fR(3LIB), \fBattributes\fR(5),
 446 \fBenviron\fR(5), \fBpam_authtok_check\fR(5), \fBpam_authtok_get\fR(5),
 447 \fBpam_authtok_store\fR(5), \fBpam_dhkeys\fR(5), \fBpam_krb5\fR(5),
 448 \fBpam_passwd_auth\fR(5), \fBpam_unix_account\fR(5), \fBpam_unix_auth\fR(5),
 449 \fBpam_unix_session\fR(5)
 450 .SH NOTES

 451 .LP
 452 The \fBpam_unix\fR module is no longer supported. Similar functionality is
 453 provided by \fBpam_authtok_check\fR(5), \fBpam_authtok_get\fR(5),
 454 \fBpam_authtok_store\fR(5), \fBpam_dhkeys\fR(5), \fBpam_passwd_auth\fR(5),
 455 \fBpam_unix_account\fR(5), \fBpam_unix_auth\fR(5), and
 456 \fBpam_unix_session\fR(5).
 457 .sp
 458 .LP
 459 With the removal of the \fBpam_unix\fR module, the SunOS delivered PAM service
 460 modules no longer need or support the "\fBuse_first_pass\fR" or
 461 "\fBtry_first_pass\fR" options. This functionality is provided by stacking
 462 \fBpam_authtok_get\fR(5) above a module that requires a password.
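Review bot: SEE ALSO (new lines 442-449) drops in.ftpd(1M), which is the only ftp-related change visible in this view. The example pam.conf sections fall in the elided ranges, so please confirm that no remaining service entry or prose in the page still names the removed daemon. A stale example entry would suggest to administrators that an ftp PAM stack is still delivered.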