- Mention quoting and add a cross-reference to openpam_readword(3),
  which has a detailed explanation of how the file is parsed.
- Document the module search path.
- Warn against include loops.
- Briefly describe module options which affect libpam itself.
- Minor markup and formatting improvements.

git-svn-id: svn+ssh://svn.openpam.org/svn/openpam/trunk@673 185d5e19-27fe-0310-9dcf-9bff6b9f3609
parent
794601a544
commit
422a3ccd39
|
@ -28,7 +28,7 @@
|
||||||
.\"
|
.\"
|
||||||
.\" $Id$
|
.\" $Id$
|
||||||
.\"
|
.\"
|
||||||
.Dd November 3, 2011
|
.Dd March 17, 2013
|
||||||
.Dt PAM.CONF 5
|
.Dt PAM.CONF 5
|
||||||
.Os
|
.Os
|
||||||
.Sh NAME
|
.Sh NAME
|
||||||
|
@ -65,15 +65,16 @@ Entries in
|
||||||
policy files are of the same form, but are prefixed by an additional
|
policy files are of the same form, but are prefixed by an additional
|
||||||
field specifying the name of the service they apply to.
|
field specifying the name of the service they apply to.
|
||||||
.Pp
|
.Pp
|
||||||
In both types of policy files, blank lines are ignored, as is anything
|
In both cases, blank lines and comments introduced by a
|
||||||
to the right of a
|
|
||||||
.Ql #
|
.Ql #
|
||||||
sign.
|
sign are ignored, and the normal shell quoting rules apply.
|
||||||
|
The precise details of how the file is tokenized are described in
|
||||||
|
.Xr openpam_readword 3 .
|
||||||
.Pp
|
.Pp
|
||||||
The
|
The
|
||||||
.Ar facility
|
.Ar facility
|
||||||
field specifies the facility the entry applies to, and is one of:
|
field specifies the facility the entry applies to, and is one of:
|
||||||
.Bl -tag -width ".Cm password"
|
.Bl -tag -width 12n
|
||||||
.It Cm auth
|
.It Cm auth
|
||||||
Authentication functions
|
Authentication functions
|
||||||
.Po
|
.Po
|
||||||
|
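Review bot: "the normal shell quoting rules apply" in the rewritten comment paragraph is broader than the surrounding text supports: a reader can take it to cover variable expansion, command substitution or globbing, none of which the page mentions. Suggest narrowing the sentence to the quoting and escaping that is actually meant, or stating that nothing else is interpreted, and leaving the detail to the openpam_readword(3) reference. The old wording also made clear that a "#" comment may start mid-line ("anything to the right of"); the new sentence no longer says so.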
@ -99,7 +100,7 @@ The
|
||||||
field determines how the result returned by the module affects the
|
field determines how the result returned by the module affects the
|
||||||
flow of control through (and the final result of) the rest of the
|
flow of control through (and the final result of) the rest of the
|
||||||
chain, and is one of:
|
chain, and is one of:
|
||||||
.Bl -tag -width ".Cm sufficient"
|
.Bl -tag -width 12n
|
||||||
.It Cm required
|
.It Cm required
|
||||||
If this module succeeds, the result of the chain will be success
|
If this module succeeds, the result of the chain will be success
|
||||||
unless a later module fails.
|
unless a later module fails.
|
||||||
|
@ -141,16 +142,18 @@ phase of
|
||||||
.Pp
|
.Pp
|
||||||
The
|
The
|
||||||
.Ar module-path
|
.Ar module-path
|
||||||
field specifies the name, or optionally the full path, of the module
|
field specifies the name or full path of the module to call.
|
||||||
to call.
|
If only the name is specified, the PAM library will search for it in
|
||||||
|
the following locations:
|
||||||
|
.Bl -enum
|
||||||
|
.It
|
||||||
|
.Pa /usr/lib
|
||||||
|
.It
|
||||||
|
.Pa /usr/local/lib
|
||||||
|
.El
|
||||||
.Pp
|
.Pp
|
||||||
The remaining fields are passed as arguments to the module if and when
|
The remaining fields, if any, are passed unmodified to the module if
|
||||||
it is invoked.
|
and when it is invoked.
|
||||||
As a special case, if an argument is of the form ``name=value'' and
|
|
||||||
the right-hand side is surrounded by single or double quotes, any
|
|
||||||
whitespace between the quote characters will be considered part of the
|
|
||||||
same argument rather than a separator between this argument and the
|
|
||||||
next.
|
|
||||||
.Pp
|
.Pp
|
||||||
The
|
The
|
||||||
.Cm include
|
.Cm include
|
||||||
|
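Review bot: The new search-path list under module-path does not say how the two locations are used: whether /usr/lib is tried before /usr/local/lib and whether the first match wins. The list is marked up as ".Bl -enum", which implies an order, but the prose only says "will search for it in the following locations". Because a bare module name can resolve to a file in either directory, state the order and first-match behaviour explicitly, and consider recommending a full path where the exact module matters. Separately, this hunk drops the paragraph on quoted name=value arguments; "passed unmodified" now relies on the quoting sentence added earlier in the page, so a pointer to openpam_readword(3) here would help.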
@ -161,6 +164,37 @@ This allows one to define system-wide policies which are then included
|
||||||
into service-specific policies.
|
into service-specific policies.
|
||||||
The system-wide policy can then be modified without having to also
|
The system-wide policy can then be modified without having to also
|
||||||
modify each and every service-specific policy.
|
modify each and every service-specific policy.
|
||||||
|
.Pp
|
||||||
|
.Bf -symbolic
|
||||||
|
Take care not to introduce loops when using
|
||||||
|
.Cm include
|
||||||
|
rules, as there is currently no loop detection in place.
|
||||||
|
.Ef
|
||||||
|
.Sh MODULE OPTIONS
|
||||||
|
Some PAM library functions may alter their behavior when called by a
|
||||||
|
service module if certain module options were specified, regardless of
|
||||||
|
whether the module itself accords them any importance.
|
||||||
|
One such option is
|
||||||
|
.Cm debug ,
|
||||||
|
which causes the dispatcher to enable debugging messages before
|
||||||
|
calling each service function, and disable them afterwards (unless
|
||||||
|
they were already enabled).
|
||||||
|
Other special options include:
|
||||||
|
.Bl -tag -width 12n
|
||||||
|
.It Cm authtok_prompt Ns = Ns Ar prompt , Cm oldauthtok_prompt Ns = Ns Ar prompt , Cm user_prompt Ns = Ns Ar prompt
|
||||||
|
These options can be used to override the prompts used by
|
||||||
|
.Xr pam_get_authtok 3
|
||||||
|
and
|
||||||
|
.Xr pam_get_user 3 .
|
||||||
|
.It Cm echo_pass
|
||||||
|
This option controls whether
|
||||||
|
.Xr pam_get_authtok 3
|
||||||
|
will allow the user to see what they are typing.
|
||||||
|
.It Cm try_first_pass , Cm use_first_pass
|
||||||
|
These options control
|
||||||
|
.Xr pam_get_authtok 3 Ns 's
|
||||||
|
use of cached authentication tokens.
|
||||||
|
.El
|
||||||
.Sh SEE ALSO
|
.Sh SEE ALSO
|
||||||
.Xr pam 3
|
.Xr pam 3
|
||||||
.Sh STANDARDS
|
.Sh STANDARDS
|
||||||
|
|
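Review bot: The MODULE OPTIONS entries for echo_pass and try_first_pass / use_first_pass say only that the options "control" a behaviour, not what specifying them does. Suggest stating for echo_pass whether its presence turns echo on, and describing how try_first_pass and use_first_pass differ, since both affect how authentication tokens are entered and reused. The include-loop warning at the top of the hunk could likewise say what happens when a loop is encountered, given "there is currently no loop detection in place", so an administrator knows what failure to expect.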