PAM-Modules
A Collection of Modules for PAM
Sergey Poznyakoff
PAM-modules is a collection of various pluggable authentication modules. This manual describes each module in detail. The reader is expected to be sufficiently proficient with general UNIX administration issues and with Pluggable Authentication Modules (PAM) in particular.
Each module is configurable from its command line. Modules that require more configuration data than is convenient to pass on the command line (see sql) use their own configuration files.
Several command line options are common for all modules. These are:
Debugging level (debug=level): change the debugging level (0 <= level <= 100). The debugging information is logged via the syslog channel auth.debug. Notice that debugging output can reveal authentication credentials; in particular, the user password is displayed at debugging level 100.
Full debugging: log full debugging information (equivalent to debug=100).
Wait before starting: wait for interval seconds before starting. This option is intended for the package developers and is not enabled unless you configure the package with the --enable-debug option. Most probably you will not need it. The following description is provided in case you decide to participate in PAM-modules development: when this option is present, the module logs the following diagnostics to the syslog auth.crit channel:
WAITING FOR DEBUG
and waits for interval seconds (default 3600) before actually starting to do anything. The developer is supposed to attach to the process with a debugger, set the interval variable to 0 and continue execution of the module under the debugger.
Some modules perform PAM item expansion on their arguments. This feature is similar to the shell's variable expansion. During item expansion, any occurrence of $name in a string is replaced by the value of the PAM item name. If the item in question is not defined, an empty string is substituted instead. Limited support for shell-style default values is available: the notation ${item:-value} expands to the value of item if it is set, and to value otherwise. Notice that value must be a literal (a string or a number).
The following table lists PAM item names:
PAM_SERVICE
    The service name (which identifies the PAM stack that will be used).
PAM_USER
    The username of the entity under whose identity service will be given.
PAM_TTY
    The terminal name: prefixed by ‘/dev/’ if it is a device file; for graphical, X-based applications the value for this item is usually the $DISPLAY environment variable.
PAM_RHOST
    The requesting hostname (the hostname of the machine from which the PAM_RUSER entity is requesting service). That is, ‘PAM_RUSER@PAM_RHOST’ identifies the requesting user. In some applications, PAM_RHOST may be ‘NULL’.
PAM_RUSER
    The requesting entity: the user's name for a locally requesting user or a remote requesting user. In some cases, PAM_RUSER may be ‘NULL’.
PAM_USER_PROMPT
    The string used when prompting for a user's name. The default value for this string is ‘Please enter username: ’.
PAM_AUTHTOK
    The authentication token (often a password).
This document was generated on August 11, 2021 using makeinfo.
Verbatim copying and distribution of this entire article is permitted in any medium, provided this notice is preserved.