2947 prelim manpage changes, packaging manifests
   1 '\" te
   2 .\" Copyright (C) 2006, Sun Microsystems, Inc. All Rights Reserved.

   3 .\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License").  You may not use this file except in compliance with the License.
   4 .\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing.  See the License for the specific language governing permissions and limitations under the License.
   5 .\" When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE.  If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
   6 .TH PAM.CONF 4 "Jun 19, 2006"
   7 .SH NAME
   8 pam.conf \- configuration file for pluggable authentication modules
   9 .SH SYNOPSIS
  10 .LP
  11 .nf
  12 \fB/etc/pam.conf\fR
  13 .fi
  14 
  15 .SH DESCRIPTION
  16 .sp
  17 .LP
  18 \fBpam.conf\fR is the configuration file for the Pluggable Authentication

  19 Module architecture, or \fBPAM\fR. A \fBPAM\fR module provides functionality
  20 for one or more of four possible services: authentication, account management,
  21 session management, and password management.

  22 .sp
  23 .ne 2
  24 .na
  25 \fBauthentication service module\fR
  26 .ad
  27 .sp .6
  28 .RS 4n
  29 Provides functionality to authenticate a user and set up user credentials.
  30 .RE
  31 
  32 .sp
  33 .ne 2
  34 .na
  35 \fBaccount management module\fR
  36 .ad
  37 .sp .6
  38 .RS 4n
  39 Provides functionality to determine if the current user's account is valid.
  40 This includes checking for password and account expiration, as well as
  41 verifying access hour restrictions.


  65 .LP
  66 Each of the four service modules can be implemented as a shared library object
  67 which can be referenced in the \fBpam.conf\fR configuration file.
  68 .SS "Simplified pam.conf Configuration File"
  69 .sp
  70 .LP
  71 The \fBpam.conf\fR file contains a listing of services. Each service is paired
  72 with a corresponding service module. When a service is requested, its
  73 associated module is invoked. Each entry may be a maximum of 256 characters,
  74 including the end of line, and has the following format:
  75 .sp
  76 .in +2
  77 .nf
  78 \fIservice_name module_type control_flag module_path options\fR
  79 .fi
  80 .in -2
  81 .sp
  82 
  83 .sp
  84 .LP
  85 The following is an example of a \fBpam.conf\fR configuration file with support
  86 for authentication, account management, session management and password
  87 management modules (See the \fBpam.conf\fR file that is shipped with your
  88 system for the contents of this file):
  89 .sp
  90 .in +2
  91 .nf
  92 login   auth requisite          pam_authtok_get.so.1
  93 login   auth required           pam_dhkeys.so.1
  94 login   auth required           pam_unix_auth.so.1
  95 login   auth required           pam_dial_auth.so.1
  96 
  97 other   account requisite       pam_roles.so.1
  98 other   account required        pam_unix_account.so.1
  99 
 100 other   session required        pam_unix_session.so.1
 101 
 102 other   password required       pam_dhkeys.so.1
 103 other   password requisite      pam_authtok_get.so.1
 104 other   password requisite      pam_authtok_check.so.1


 115 The keyword, "\fBother\fR," indicates the module that all other applications
 116 which have not been specified should use. The "\fBother\fR" keyword can also be
 117 used if all services of the same \fImodule_type\fR have the same requirements.
 118 .sp
 119 .LP
 120 In the example, since all of the services use the same session module, they
 121 could have been replaced by a single \fBother\fR line.
 122 .sp
 123 .LP
 124 \fImodule_type\fR denotes the service module type: authentication (\fBauth\fR),
 125 account management (\fBaccount\fR), session management (\fBsession\fR), or
 126 password management (\fBpassword\fR).
 127 .sp
 128 .LP
 129 The \fIcontrol_flag\fR field determines the behavior of stacking.
 130 .sp
 131 .LP
 132 The \fImodule_path\fR field specifies the relative pathname to a shared library
 133 object, or an included \fBPAM\fR configuration file, which implements the
 134 service functionality. If the pathname is not absolute, shared library objects
 135 are assumed to be relative to \fB/usr/lib/security/$ISA/\fR, and included
 136 \fBPAM\fR configuration files are assumed to be relative to
 137 \fB/usr/lib/security/\fR.

 138 .sp
 139 .LP
 140 The \fBISA\fR token is replaced by an implementation defined directory name
 141 which defines the path relative to the calling program's instruction set
 142 architecture.
 143 .sp
 144 .LP
 145 The \fIoptions\fR field is used by the \fBPAM\fR framework layer to pass module
 146 specific options to the modules. It is up to the module to parse and interpret
 147 the options.
 148 .sp
 149 .LP
 150 This field can be used by the modules to turn on debugging or to pass any
 151 module specific parameters such as a \fBTIMEOUT\fR value. The options supported
 152 by the modules are documented in their respective manual pages.
 153 .SS "Integrating Multiple Authentication Services With Stacking"
 154 .sp
 155 .LP
 156 When a \fIservice_name\fR of the same \fImodule_type\fR is defined more than
 157 once, the service is said to be stacked. Each module referenced in the


 328 .sp
 329 .ne 2
 330 .na
 331 \fB\fBpam_module_name.so.x\fR\fR
 332 .ad
 333 .RS 29n
 334 File that implements various function of specific authentication services. As
 335 the relative pathname specified, \fB/usr/lib/security/$ISA\fR is prepended to
 336 it.
 337 .RE
 338 
 339 .sp
 340 .ne 2
 341 .na
 342 \fB\fB/etc/pam.conf\fR\fR
 343 .ad
 344 .RS 29n
 345 Configuration file
 346 .RE
 347 
 348 .sp
 349 .ne 2
 350 .na
 351 \fB\fB/usr/lib/$ISA/libpam.so.1\fR\fR
 352 .ad
 353 .RS 29n
 354 File that implements the \fBPAM\fR framework library
 355 .RE
 356 
 357 .SH EXAMPLES
 358 .LP
 359 \fBExample 1 \fRUsing the include control flag
 360 .sp
 361 .LP
 362 The following example collects the common Unix modules into a single file to be
 363 included as needed in the example of a \fBpam.conf\fR file. The common Unix
 364 module file is named \fBunix_common\fR and consists of:
 365 
 366 .sp
 367 .in +2


   1 '\" te
   2 .\" Copyright (C) 2006, Sun Microsystems, Inc. All Rights Reserved.
   3 .\" Copyright 2012 Joshua M. Clulow <josh@sysmgr.org>
   4 .\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License").  You may not use this file except in compliance with the License.
   5 .\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing.  See the License for the specific language governing permissions and limitations under the License.
   6 .\" When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE.  If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
   7 .TH PAM.CONF 4 "Jun 30, 2012"
   8 .SH NAME
   9 pam.d, pam.conf \- configuration for pluggable authentication modules
  10 .SH SYNOPSIS
  11 .LP
  12 .nf
  13 \fB/etc/pam.d\fR
  14 .fi
  15 .nf
  16 \fB/etc/pam.conf\fR
  17 .fi
  18 
  19 .SH DESCRIPTION
  20 .sp
  21 .LP
  22 
  23 \fB/etc/pam.d\fR is the configuration directory for the Pluggable Authentication
  24 Module architecture, or \fBPAM\fR.  A \fBPAM\fR module provides functionality
  25 for one or more of four possible services: authentication, account management,
  26 session management, and password management.  The configuration directory
  27 contains per-service 'shards' of the legacy, monolithic \fBpam.conf\fR file.
  28 .sp
  29 .ne 2
  30 .na
  31 \fBauthentication service module\fR
  32 .ad
  33 .sp .6
  34 .RS 4n
  35 Provides functionality to authenticate a user and set up user credentials.
  36 .RE
  37 
  38 .sp
  39 .ne 2
  40 .na
  41 \fBaccount management module\fR
  42 .ad
  43 .sp .6
  44 .RS 4n
  45 Provides functionality to determine if the current user's account is valid.
  46 This includes checking for password and account expiration, as well as
  47 verifying access hour restrictions.
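Review bot: new line 22 is an empty input line directly after `.LP`; troff treats an empty line as a break plus a blank line, so DESCRIPTION will render with a spurious gap before "/etc/pam.d is the configuration directory". Drop line 22. Also, on line 27 the term 'shards' is set in single quotes while the rest of the page marks terms with `\fI...\fR`; `\fIshards\fR` would match the page's own convention.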


  71 .LP
  72 Each of the four service modules can be implemented as a shared library object
  73 which can be referenced in the \fBpam.conf\fR configuration file.
  74 .SS "Simplified pam.conf Configuration File"
  75 .sp
  76 .LP
  77 The \fBpam.conf\fR file contains a listing of services. Each service is paired
  78 with a corresponding service module. When a service is requested, its
  79 associated module is invoked. Each entry may be a maximum of 256 characters,
  80 including the end of line, and has the following format:
  81 .sp
  82 .in +2
  83 .nf
  84 \fIservice_name module_type control_flag module_path options\fR
  85 .fi
  86 .in -2
  87 .sp
  88 
  89 .sp
  90 .LP
  91 If shard files are used in \fB/etc/pam.d\fR instead of the monolithic
  92 \fBpam.conf\fR file, then the \fIservice_name\fR column is not present in
  93 those files.  The \fIservice_name\fR is, instead, derived from the
  94 filename of the shard.  As an example, for the service 'login' the configuration
  95 would now be in \fB/etc/pam.d/login\fR and would omit the first column
  96 (previously containing 'login').
  97 .sp
  98 .LP
  99 The following is an example of a \fBpam.conf\fR configuration file with support
 100 for authentication, account management, session management and password
 101 management modules (See the \fBpam.conf\fR file that is shipped with your
 102 system for the contents of this file):
 103 .sp
 104 .in +2
 105 .nf
 106 login   auth requisite          pam_authtok_get.so.1
 107 login   auth required           pam_dhkeys.so.1
 108 login   auth required           pam_unix_auth.so.1
 109 login   auth required           pam_dial_auth.so.1
 110 
 111 other   account requisite       pam_roles.so.1
 112 other   account required        pam_unix_account.so.1
 113 
 114 other   session required        pam_unix_session.so.1
 115 
 116 other   password required       pam_dhkeys.so.1
 117 other   password requisite      pam_authtok_get.so.1
 118 other   password requisite      pam_authtok_check.so.1
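Review bot: the new paragraph at lines 91-96 explains that the service_name comes from the shard filename, but it does not say what happens when both `/etc/pam.d/<service>` and an entry for the same service in `/etc/pam.conf` exist, nor whether the `other` fallback described at lines 129-131 lives in `/etc/pam.d/other`. Since an administrator auditing authentication policy needs to know which file is authoritative, state the precedence (or that the two forms are mutually exclusive). The example that follows at lines 106-118 still shows only the monolithic form; a one-line shard example, e.g. `/etc/pam.d/login` containing `auth requisite pam_authtok_get.so.1`, would show the omitted first column concretely.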


 129 The keyword, "\fBother\fR," indicates the module that all other applications
 130 which have not been specified should use. The "\fBother\fR" keyword can also be
 131 used if all services of the same \fImodule_type\fR have the same requirements.
 132 .sp
 133 .LP
 134 In the example, since all of the services use the same session module, they
 135 could have been replaced by a single \fBother\fR line.
 136 .sp
 137 .LP
 138 \fImodule_type\fR denotes the service module type: authentication (\fBauth\fR),
 139 account management (\fBaccount\fR), session management (\fBsession\fR), or
 140 password management (\fBpassword\fR).
 141 .sp
 142 .LP
 143 The \fIcontrol_flag\fR field determines the behavior of stacking.
 144 .sp
 145 .LP
 146 The \fImodule_path\fR field specifies the relative pathname to a shared library
 147 object, or an included \fBPAM\fR configuration file, which implements the
 148 service functionality. If the pathname is not absolute, shared library objects
 149 are assumed to be relative to \fB/usr/lib/security/$ISA/\fR, and \fBPAM\fR
 150 configuration files included in shards are assumed to be relative to
 151 \fB/etc/pam.d/\fR, or \fB/usr/lib/security/\fB if included in the legacy
 152 \fBpam.conf\fR.
 153 .sp
 154 .LP
 155 The \fBISA\fR token is replaced by an implementation defined directory name
 156 which defines the path relative to the calling program's instruction set
 157 architecture.
 158 .sp
 159 .LP
 160 The \fIoptions\fR field is used by the \fBPAM\fR framework layer to pass module
 161 specific options to the modules. It is up to the module to parse and interpret
 162 the options.
 163 .sp
 164 .LP
 165 This field can be used by the modules to turn on debugging or to pass any
 166 module specific parameters such as a \fBTIMEOUT\fR value. The options supported
 167 by the modules are documented in their respective manual pages.
 168 .SS "Integrating Multiple Authentication Services With Stacking"
 169 .sp
 170 .LP
 171 When a \fIservice_name\fR of the same \fImodule_type\fR is defined more than
 172 once, the service is said to be stacked. Each module referenced in the
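Review bot: line 151 reads `\fB/usr/lib/security/\fB if included in the legacy`; the second escape should be `\fR`, not `\fB`, otherwise bold is never switched off and the rest of the sentence renders bold. Separately, the sentence at lines 148-152 now nests three cases (shared object, include from a shard, include from legacy pam.conf) in one clause and is hard to parse; split it so each lookup rule is its own sentence, and say explicitly that the same relative include name therefore resolves to a different file depending on whether it appears in `/etc/pam.d/` or in `/etc/pam.conf`.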


 343 .sp
 344 .ne 2
 345 .na
 346 \fB\fBpam_module_name.so.x\fR\fR
 347 .ad
 348 .RS 29n
 349 File that implements various function of specific authentication services. As
 350 the relative pathname specified, \fB/usr/lib/security/$ISA\fR is prepended to
 351 it.
 352 .RE
 353 
 354 .sp
 355 .ne 2
 356 .na
 357 \fB\fB/etc/pam.conf\fR\fR
 358 .ad
 359 .RS 29n
 360 Configuration file
 361 .RE
 362 
 363 .sp
 364 .ne 2
 365 .na
 366 \fB\fB/etc/pam.d\fR\fR
 367 .ad
 368 .RS 29n
 369 Configuration directory
 370 .RE
 371 
 372 .sp
 373 .ne 2
 374 .na
 375 \fB\fB/usr/lib/$ISA/libpam.so.1\fR\fR
 376 .ad
 377 .RS 29n
 378 File that implements the \fBPAM\fR framework library
 379 .RE
 380 
 381 .SH EXAMPLES
 382 .LP
 383 \fBExample 1 \fRUsing the include control flag
 384 .sp
 385 .LP
 386 The following example collects the common Unix modules into a single file to be
 387 included as needed in the example of a \fBpam.conf\fR file. The common Unix
 388 module file is named \fBunix_common\fR and consists of:
 389 
 390 .sp
 391 .in +2
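Review bot: the new FILES entry at lines 363-370 describes `/etc/pam.d` only as "Configuration directory"; since this change introduces the directory, say there that it holds one shard per service_name, as lines 91-96 explain. Also, Example 1 at lines 383-388 still presents `unix_common` as a file "included as needed in the example of a pam.conf file"; under the new lookup rule at lines 149-152 a shard that includes `unix_common` by relative name resolves it under `/etc/pam.d/`, not `/usr/lib/security/`, so the example should state where the file is placed for each case.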