PAM-modules Manual (split by node):   Section:   Chapter:FastBack: Top   Up: Top   FastForward: pamck   Contents: Table of ContentsIndex: Concept Index

1 Introduction to PAM-modules

PAM-modules is a collection of various pluggable authentication modules. This manual describes each module in detail. The reader is expected to be sufficiently proficient with general UNIX administration issues and with Pluggable Authentication Modules (PAM) in particular.

Each module is configurable from its command line. Modules that require such amounts of configuration data, that are inconvenient to pass from the command line (see sql), implement their separate configuration files.

Several command line options are common for all modules. These are:

debug[=level]

Change debugging level (0 <= level <= 100). The debugging information will be logged via syslog channel auth.debug. Notice, that debugging output can reveal authentication credentials. In particular, user password is displayed on debugging level 100.

audit

Log full debugging information (equivalent to debug=100).

waitdebug[=interval]

Wait for interval seconds before starting. This option is intended for the package developers and is not enabled, unless you configure the package with --enable-debug option. Most probably you will not need this option. The following description is provided in case you decide to participate in PAM-modules development:

When this option is present, the module displays the following diagnostics in syslog auth.crit channel:

WAITING FOR DEBUG

and waits for interval seconds (default 3600) before actually starting to do anything. The developer is supposed to attach to the process with a debugger, set the interval variable to 0 and to continue execution of the module in the debugging mode.

Some modules perform PAM item expansion on their arguments. It is a feature similar to shell’s variable expansion. During item expansion, any occurrence of $name in a string is replaced by the value of the PAM item name. If the item in question is not defined, an empty string is substituted instead. A limited support for the shell-style default values is available: namely, the notation ${item:-value} expands to the value of item if it is set, and to value otherwise. Notice, that value must be a literal value (string or numeric).

The following table lists PAM item names:

service

PAM_SERVICE. The service name (which identifies the PAM stack that will be used).

user

PAM_USER. The username of the entity under whose identity service will be given.

tty

PAM_TTY. The terminal name: prefixed by ‘/dev/’ if it is a device file; for graphical, X-based, applications the value for this item is usually the $DISPLAY environment variable.

rhost

PAM_RHOST. The requesting hostname (the hostname of the machine from which the PAM_RUSER entity is requesting service). That is ‘PAM_RUSER@PAM_RHOST’ identifies the requesting user. In some applications, PAM_RHOST may be ‘NULL’.

ruser

PAM_RUSER. The requesting entity: user’s name for a locally requesting user or a remote requesting user. In some cases, PAM_RUSER may be ‘NULL’.

prompt

PAM_USER_PROMPT. The string used when prompting for a user’s name. The default value for this string is ‘Please enter username: ’.

password

PAM_AUTHTOK. The authentication token (often a password).

PAM-modules Manual (split by node):   Section:   Chapter:FastBack: Top   Up: Top   FastForward: pamck   Contents: Table of ContentsIndex: Concept Index