- Mention quoting and add a cross-reference to openpam_readword(3),

which has a detailed explanation of how the file is parsed.

- Document the module search path.

- Warn against include loops.

- Briefly describe module options which affect libpam itself.

- Minor markup and formatting improvements.


git-svn-id: svn+ssh://svn.openpam.org/svn/openpam/trunk@673 185d5e19-27fe-0310-9dcf-9bff6b9f3609

doc/man/pam.conf.5

@@ -28,7 +28,7 @@
 .\"
 .\" $Id$
 .\"
-.Dd November 3, 2011
+.Dd March 17, 2013
 .Dt PAM.CONF 5
 .Os
 .Sh NAME
@@ -65,15 +65,16 @@ Entries in
 policy files are of the same form, but are prefixed by an additional
 field specifying the name of the service they apply to.
 .Pp
-In both types of policy files, blank lines are ignored, as is anything
-to the right of a
+In both cases, blank lines and comments introduced by a
 .Ql #
-sign.
+sign are ignored, and the normal shell quoting rules apply.
+The precise details of how the file is tokenized are described in
+.Xr openpam_readword 3 .
 .Pp
 The
 .Ar facility
 field specifies the facility the entry applies to, and is one of:
-.Bl -tag -width ".Cm password"
+.Bl -tag -width 12n
 .It Cm auth
 Authentication functions
 .Po
@@ -99,7 +100,7 @@ The
 field determines how the result returned by the module affects the
 flow of control through (and the final result of) the rest of the
 chain, and is one of:
-.Bl -tag -width ".Cm sufficient"
+.Bl -tag -width 12n
 .It Cm required
 If this module succeeds, the result of the chain will be success
 unless a later module fails.
@@ -141,16 +142,18 @@ phase of
 .Pp
 The
 .Ar module-path
-field specifies the name, or optionally the full path, of the module
-to call.
+field specifies the name or full path of the module to call.
+If only the name is specified, the PAM library will search for it in
+the following locations:
+.Bl -enum
+.It
+.Pa /usr/lib
+.It
+.Pa /usr/local/lib
+.El
 .Pp
-The remaining fields are passed as arguments to the module if and when
-it is invoked.
-As a special case, if an argument is of the form ``name=value'' and
-the right-hand side is surrounded by single or double quotes, any
-whitespace between the quote characters will be considered part of the
-same argument rather than a separator between this argument and the
-next.
+The remaining fields, if any, are passed unmodified to the module if
+and when it is invoked.
 .Pp
 The
 .Cm include
@@ -161,6 +164,37 @@ This allows one to define system-wide policies which are then included
 into service-specific policies.
 The system-wide policy can then be modified without having to also
 modify each and every service-specific policy.
+.Pp
+.Bf -symbolic
+Take care not to introduce loops when using
+.Cm include
+rules, as there is currently no loop detection in place.
+.Ef
+.Sh MODULE OPTIONS
+Some PAM library functions may alter their behavior when called by a
+service module if certain module options were specified, regardless of
+whether the module itself accords them any importance.
+One such option is
+.Cm debug ,
+which causes the dispatcher to enable debugging messages before
+calling each service function, and disable them afterwards (unless
+they were already enabled).
+Other special options include:
+.Bl -tag -width 12n
+.It Cm authtok_prompt Ns = Ns Ar prompt , Cm oldauthtok_prompt Ns = Ns Ar prompt , Cm user_prompt Ns = Ns Ar prompt
+These options can be used to override the prompts used by
+.Xr pam_get_authtok 3
+and
+.Xr pam_get_user 3 .
+.It Cm echo_pass
+This option controls whether
+.Xr pam_get_authtok 3
+will allow the user to see what they are typing.
+.It Cm try_first_pass , Cm use_first_pass
+These options control
+.Xr pam_get_authtok 3 Ns 's
+use of cached authentication tokens.
+.El
 .Sh SEE ALSO
 .Xr pam 3
 .Sh STANDARDS