PAM-modules Manual (split by chapter):   Section:   Chapter:FastBack: fshadow   Up: Top   FastForward: log   Contents: Table of ContentsIndex: Concept Index

4 Authentication using regular expressions.

The module pam_regex is a general-purpose tool for authentication using regular expressions. You can use it, for example, to allow or deny access depending on whether the user name matches a given regular expression. Another possible use is to modify user names following a predefined pattern (as in sed), to supply modules that follow it in the PAM stack with a normalized user name.

As a quick start example, the following pam.conf entry forbids access for any user names that look like email addresses:

httpd auth  required  pam_regex.so sense=deny regex=.*@.*

Here, the argument regex supplies a regular expression to match against, and sense=deny states that any name matching this expression must be denied.

4.1 Using pam_regex to control access.

To control access depending on the supplied user name, two options are provided. The option regex introduces a regular expression with which to compare the user name:

regex=expression

Compare user name with expression. By default, extended regular expressions with case-sensitive matching are used, but this can be changed using other options (see below).

When this option is used, pam_regex allows only login attempts with user names that match expression. The sense command line option is provided to control that behavior:

sense={allow|deny}

What to do if the user name matches the expression. The value ‘allow’ means to return PAM_SUCCESS, ‘deny’ means to return PAM_AUTH_ERR. Default is ‘allow’.

4.2 Using pam_regex to alter user names.

Another common use for pam_regex is to alter user names. This mode is enabled when the transform option is used in the command line:

transform=expression

Transform the user name using given regular expression.

Its argument, expression, is a sed-like replace expression of the form:

s/regexp/replace/[flags]

where regexp is a regular expression and replace is a replacement for each part of the user name that matches regexp. Both regexp and replace are described in detail in The ‘s’ Command in GNU sed.

As in sed, you can give several replace expressions, separated by a semicolon.

Supported flags are:

g

Apply the replacement to all matches to the regexp, not just the first.

i

Use case-insensitive matching

x

regexp is an extended regular expression (see Extended regular expressions in GNU sed).

number

Only replace the numberth match of the regexp.

Note: the POSIX standard does not specify what should happen when you mix the ‘g’ and number modifiers. pam_regex follows the GNU sed implementation in this regard, so the interaction is defined to be: ignore matches before the numberth, and then match and replace all matches from the numberth on.

Any delimiter can be used in lieu of ‘/’, the only requirement being that it be used consistently throughout the expression. For example, the following two expressions are equivalent:

s/one/two/
s,one,two,

Changing delimiters is often useful when the regex contains slashes. For instance, it is more convenient to write s,/,-, than s/\//-/.

The following example converts the user name to lower case and removes any suffix starting from the ‘@’ symbol:

pam_regex.so extended transform=s/.*/\L&/g;s/@.*// 

Both transform and regex can be used simultaneously. For example, the following command line first converts the user name to lower case and removes anything after the ‘@’ symbol, and then compares it to the given regular expression. Access is denied if the resulting user name matches the expression.

pam_regex.so extended transform=s/.*/\L&/g;s/@.*// \
             regex=^(anoncvs|anonymous)$ sense=deny
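To see what a given pam_regex line will do before putting it in front of a real service, it helps to walk a few candidate user names through the same steps the module takes: apply each s/// command of transform in order, then match the result against regex and apply sense. The following Python model is an added example, not code from the PAM-modules project. It assumes that the ‘extended’ syntax is close enough to Python's re module for typical user-name patterns (‘basic’ syntax is not modelled, and the ‘x’ flag is accepted as a no-op), that regex is applied with search semantics (it may match anywhere in the name unless anchored with ‘^’ and ‘$’, which is why the example above anchors), and that the GNU sed replacement escapes ‘&’, ‘\1’–‘\9’, ‘\L’, ‘\U’ and ‘\E’ behave as in sed. It implements the flag rules from 4.2 (arbitrary delimiter, ‘g’, ‘i’, number, and the GNU interaction of ‘g’ with number), so the same model also exercises the quick-start entry from the top of the chapter.

```python
import re

# Added example (not the PAM-modules project's own code): a small Python
# model of the order in which pam_regex processes a user name.
# Assumptions: "extended" syntax is approximated by Python's re module,
# and regex= is matched with search semantics (the pattern may match
# anywhere in the name unless anchored with ^ and $).


def parse_transform(spec):
    """Parse 's<d>regexp<d>replace<d>[flags]' commands separated by ';'.

    Any delimiter character <d> is accepted; a backslash-escaped delimiter
    inside regexp or replace stands for the literal character.  Returns a
    list of (regexp, replace, flags) tuples.
    """
    cmds, i = [], 0
    while i < len(spec):
        if spec[i] != "s" or i + 1 >= len(spec):
            raise ValueError("expected s<delim> at offset %d" % i)
        delim, i = spec[i + 1], i + 2
        parts = []
        for _ in range(2):  # regexp, then replace
            buf = []
            while True:
                if i >= len(spec):
                    raise ValueError("unterminated expression")
                c = spec[i]
                if c == "\\" and i + 1 < len(spec):
                    nxt = spec[i + 1]
                    buf.append(nxt if nxt == delim else c + nxt)
                    i += 2
                    continue
                i += 1
                if c == delim:
                    break
                buf.append(c)
            parts.append("".join(buf))
        end = spec.find(";", i)
        end = len(spec) if end < 0 else end
        cmds.append((parts[0], parts[1], spec[i:end]))
        i = end + 1
    return cmds


def expand_replacement(repl, m):
    """Build the replacement text for match m: '&' is the whole match,
    \\1..\\9 are groups, \\L / \\U switch case until \\E (GNU sed extensions)."""
    out, mode, i = [], None, 0
    while i < len(repl):
        c = repl[i]
        if c == "\\" and i + 1 < len(repl):
            nxt, i = repl[i + 1], i + 2
            if nxt in "LUE":
                mode = None if nxt == "E" else nxt
                continue
            piece = (m.group(int(nxt)) or "") if nxt.isdigit() else nxt
        else:
            piece, i = (m.group(0) if c == "&" else c), i + 1
        if mode == "L":
            piece = piece.lower()
        elif mode == "U":
            piece = piece.upper()
        out.append(piece)
    return "".join(out)


def substitute(pattern, repl, text, global_=False, nth=1):
    """Apply one s/// command with GNU sed flag semantics: replace only
    the nth match, or (with g) every match from the nth one onwards."""
    out, pos, seen = [], 0, 0
    for m in pattern.finditer(text):
        seen += 1
        if seen < nth:
            continue
        out.append(text[pos:m.start()])
        out.append(expand_replacement(repl, m))
        pos = m.end()
        if not global_:
            break
    out.append(text[pos:])
    return "".join(out)


def pam_regex(username, transform=None, regex=None, sense="allow", icase=False):
    """Return (user name handed to later modules, PAM result) for one login."""
    name = username
    for rx, repl, flags in parse_transform(transform or ""):
        nth = int("".join(ch for ch in flags if ch.isdigit()) or "1")
        pat = re.compile(rx, re.IGNORECASE if "i" in flags else 0)
        name = substitute(pat, repl, name, "g" in flags, nth)
    if regex is None:
        return name, "PAM_SUCCESS"
    matched = re.search(regex, name, re.IGNORECASE if icase else 0) is not None
    allowed = matched if sense == "allow" else not matched
    return name, "PAM_SUCCESS" if allowed else "PAM_AUTH_ERR"


if __name__ == "__main__":
    # Constructed sample logins run through the combined example above.
    cfg = dict(transform=r"s/.*/\L&/g;s/@.*//",
               regex="^(anoncvs|anonymous)$", sense="deny")
    for user in ("Alice@Example.ORG", "Anonymous@example.org", "anoncvs"):
        print(user, "->", pam_regex(user, **cfg))
```

Two things the model makes visible that the configuration lines alone do not: a deny rule is evaluated against the transformed name, so ‘Anonymous@example.org’ is refused by the anchored pattern only because the lower-casing step runs first; and without the ‘^’ and ‘$’ anchors a pattern such as regex=anonymous would also hit ‘notanonymous2’, which is the usual way an allow/deny list built from regular expressions ends up wider than intended.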

4.3 Summary of pam_regex options:

basic

Use basic regular expressions.

case

Use case-sensitive regular expressions (default).

extended

Use extended regular expressions (default).

ignore-case
icase

Use case-insensitive regular expressions.

regex=expression

Compare user name with expression.

sense={allow|deny}

What to do if user name matches the expression. The value ‘allow’ means to return PAM_SUCCESS, ‘deny’ means to return PAM_AUTH_ERR. Default is ‘allow’.

transform=expression

Transform the user name using the given sed-like expression (see section 4.2).

user=string

Upon successful matching, set the PAM user name to string.
