head 1.11; access; symbols netbsd-8-3-RELEASE:1.9 netbsd-9-4-RELEASE:1.9 netbsd-10-0-RELEASE:1.10 netbsd-10-0-RC6:1.10 netbsd-10-0-RC5:1.10 netbsd-10-0-RC4:1.10 netbsd-10-0-RC3:1.10 netbsd-10-0-RC2:1.10 netbsd-10-0-RC1:1.10 ximenia-2023-06-27:1.1.1.7 netbsd-10:1.10.0.8 netbsd-10-base:1.10 netbsd-9-3-RELEASE:1.9 cjep_sun2x-base1:1.10 cjep_sun2x:1.10.0.6 cjep_sun2x-base:1.10 cjep_staticlib_x-base1:1.10 netbsd-9-2-RELEASE:1.9 cjep_staticlib_x:1.10.0.4 cjep_staticlib_x-base:1.10 netbsd-9-1-RELEASE:1.9 phil-wifi-20200421:1.10 phil-wifi-20200411:1.10 is-mlppp:1.10.0.2 is-mlppp-base:1.10 phil-wifi-20200406:1.10 netbsd-8-2-RELEASE:1.9 netbsd-9-0-RELEASE:1.9 netbsd-9-0-RC2:1.9 tabebuia-20190224:1.1.1.6 netbsd-9-0-RC1:1.9 phil-wifi-20191119:1.9 netbsd-9:1.9.0.12 netbsd-9-base:1.9 phil-wifi-20190609:1.9 netbsd-8-1-RELEASE:1.9 netbsd-8-1-RC1:1.9 pgoyette-compat-merge-20190127:1.9 pgoyette-compat-20190127:1.9 pgoyette-compat-20190118:1.9 pgoyette-compat-1226:1.9 pgoyette-compat-1126:1.9 pgoyette-compat-1020:1.9 pgoyette-compat-0930:1.9 pgoyette-compat-0906:1.9 netbsd-7-2-RELEASE:1.6.4.1 pgoyette-compat-0728:1.9 netbsd-8-0-RELEASE:1.9 phil-wifi:1.9.0.10 phil-wifi-base:1.9 pgoyette-compat-0625:1.9 netbsd-8-0-RC2:1.9 pgoyette-compat-0521:1.9 pgoyette-compat-0502:1.9 pgoyette-compat-0422:1.9 netbsd-8-0-RC1:1.9 pgoyette-compat-0415:1.9 pgoyette-compat-0407:1.9 pgoyette-compat-0330:1.9 pgoyette-compat-0322:1.9 pgoyette-compat-0315:1.9 netbsd-7-1-2-RELEASE:1.6.4.1 pgoyette-compat:1.9.0.8 pgoyette-compat-base:1.9 netbsd-7-1-1-RELEASE:1.6.4.1 matt-nb8-mediatek:1.9.0.6 matt-nb8-mediatek-base:1.9 perseant-stdc-iso10646:1.9.0.4 perseant-stdc-iso10646-base:1.9 netbsd-8:1.9.0.2 netbsd-8-base:1.9 prg-localcount2-base3:1.9 prg-localcount2-base2:1.9 resedacea-20170430:1.1.1.5 prg-localcount2-base1:1.8 prg-localcount2:1.8.0.6 prg-localcount2-base:1.8 pgoyette-localcount-20170426:1.8 bouyer-socketcan-base1:1.8 pgoyette-localcount-20170320:1.8 netbsd-7-1:1.6.4.1.0.6 netbsd-7-1-RELEASE:1.6.4.1 
netbsd-7-1-RC2:1.6.4.1 netbsd-7-nhusb-base-20170116:1.6.4.1 bouyer-socketcan:1.8.0.4 bouyer-socketcan-base:1.8 pgoyette-localcount-20170107:1.8 netbsd-7-1-RC1:1.6.4.1 pgoyette-localcount-20161104:1.8 netbsd-7-0-2-RELEASE:1.6.4.1 localcount-20160914:1.8 netbsd-7-nhusb:1.6.4.1.0.4 netbsd-7-nhusb-base:1.6.4.1 pgoyette-localcount-20160806:1.8 pgoyette-localcount-20160726:1.8 pgoyette-localcount:1.8.0.2 pgoyette-localcount-base:1.8 netbsd-7-0-1-RELEASE:1.6.4.1 netbsd-7-0:1.6.4.1.0.2 netbsd-7-0-RELEASE:1.6.4.1 netbsd-7-0-RC3:1.6.4.1 netbsd-7-0-RC2:1.6.4.1 netbsd-7-0-RC1:1.6.4.1 ourouparia-20140912:1.1.1.4 netbsd-6-0-6-RELEASE:1.2 netbsd-6-1-5-RELEASE:1.2 netbsd-7:1.6.0.4 netbsd-7-base:1.6 yamt-pagecache-base9:1.6 yamt-pagecache-tag8:1.2.4.2 netbsd-6-1-4-RELEASE:1.2 netbsd-6-0-5-RELEASE:1.2 tls-earlyentropy:1.6.0.2 tls-earlyentropy-base:1.6 riastradh-xf86-video-intel-2-7-1-pre-2-21-15:1.6 riastradh-drm2-base3:1.6 netbsd-6-1-3-RELEASE:1.2 netbsd-6-0-4-RELEASE:1.2 nummularia-20130907:1.1.1.3 netbsd-6-1-2-RELEASE:1.2 netbsd-6-0-3-RELEASE:1.2 netbsd-6-1-1-RELEASE:1.2 riastradh-drm2-base2:1.4 riastradh-drm2-base1:1.4 riastradh-drm2:1.3.0.4 riastradh-drm2-base:1.3 netbsd-6-1:1.2.0.16 netbsd-6-0-2-RELEASE:1.2 netbsd-6-1-RELEASE:1.2 khorben-n900:1.3.0.2 netbsd-6-1-RC4:1.2 micrampelis-20120526:1.1.1.2 netbsd-6-1-RC3:1.2 agc-symver:1.2.0.14 agc-symver-base:1.2 netbsd-6-1-RC2:1.2 netbsd-6-1-RC1:1.2 yamt-pagecache-base8:1.2 netbsd-6-0-1-RELEASE:1.2 yamt-pagecache-base7:1.2 matt-nb6-plus-nbase:1.2 yamt-pagecache-base6:1.2 netbsd-6-0:1.2.0.10 netbsd-6-0-RELEASE:1.2 netbsd-6-0-RC2:1.2 tls-maxphys:1.2.0.8 tls-maxphys-base:1.6 matt-nb6-plus:1.2.0.6 matt-nb6-plus-base:1.2 netbsd-6-0-RC1:1.2 yamt-pagecache-base5:1.2 yamt-pagecache:1.2.0.4 yamt-pagecache-base4:1.2 netbsd-6:1.2.0.2 netbsd-6-base:1.2 lycopsida-20111218:1.1.1.1 OPENPAM:1.1.1; locks; strict; comment @.\" @; 1.11 date 2023.06.30.21.46.20; author christos; state Exp; branches; next 1.10; commitid aQyRO1094XDPc1vE; 1.10 date 
2019.12.15.17.08.21; author christos; state Exp; branches; next 1.9; commitid uRCwGNh5W9KhePOB; 1.9 date 2017.05.06.19.50.09; author christos; state Exp; branches 1.9.10.1; next 1.8; commitid YOve5e43ddU1LmQz; 1.8 date 2014.10.24.18.25.42; author christos; state Exp; branches 1.8.6.1; next 1.7; commitid jdYv1gfVbOvv1uVx; 1.7 date 2014.10.24.18.17.56; author christos; state Exp; branches; next 1.6; commitid bCQQDPMQAB5NYtVx; 1.6 date 2013.12.28.17.36.50; author christos; state Exp; branches 1.6.4.1; next 1.5; commitid Hwz7gaXjdfvAoVix; 1.5 date 2013.12.27.20.10.20; author christos; state Exp; branches; next 1.4; commitid 3tsL9qraCFadhOix; 1.4 date 2013.07.20.21.40.04; author wiz; state Exp; branches; next 1.3; commitid VZsNcbAcdhMJUfYw; 1.3 date 2013.04.06.02.20.26; author christos; state Exp; branches 1.3.4.1; next 1.2; 1.2 date 2011.12.25.22.27.55; author christos; state Exp; branches 1.2.4.1 1.2.8.1; next 1.1; 1.1 date 2011.12.25.21.42.59; author christos; state Exp; branches 1.1.1.1; next ; 1.9.10.1 date 2020.04.08.14.04.09; author martin; state Exp; branches; next ; commitid Qli2aW9E74UFuA3C; 1.8.6.1 date 2017.05.11.02.58.31; author pgoyette; state Exp; branches; next ; commitid p6b6NO9zXediZUQz; 1.6.4.1 date 2015.06.08.20.33.19; author snj; state Exp; branches; next ; commitid w0LtwvtjFddypFoy; 1.3.4.1 date 2013.07.23.21.07.22; author riastradh; state Exp; branches; next ; commitid rochtllMBJfBDDYw; 1.2.4.1 date 2011.12.25.22.27.55; author yamt; state dead; branches; next 1.2.4.2; 1.2.4.2 date 2012.04.17.00.03.56; author yamt; state Exp; branches; next 1.2.4.3; 1.2.4.3 date 2014.05.22.15.50.47; author yamt; state Exp; branches; next ; commitid nD96tyYx5bBg9yBx; 1.2.8.1 date 2013.06.23.06.28.26; author tls; state Exp; branches; next 1.2.8.2; commitid OnlO1cBgtQRcIHUw; 1.2.8.2 date 2014.08.19.23.52.06; author tls; state Exp; branches; next ; commitid jTnpym9Qu0o4R1Nx; 1.1.1.1 date 2011.12.25.21.42.59; author christos; state Exp; branches; next 1.1.1.2; 1.1.1.2 
date 2013.04.06.01.23.33; author christos; state Exp; branches; next 1.1.1.3; 1.1.1.3 date 2013.12.27.19.16.10; author christos; state Exp; branches; next 1.1.1.4; commitid 00vs8qprJIxFYNix; 1.1.1.4 date 2014.10.24.18.15.40; author christos; state Exp; branches; next 1.1.1.5; commitid VQfnSg00PA9SXtVx; 1.1.1.5 date 2017.05.06.19.32.38; author christos; state Exp; branches; next 1.1.1.6; commitid gpnmgfuPPHpXEmQz; 1.1.1.6 date 2019.12.15.16.44.29; author christos; state Exp; branches; next 1.1.1.7; commitid QJ3FFPjJpX3M5POB; 1.1.1.7 date 2023.06.30.21.44.04; author christos; state Exp; branches; next ; commitid PlbvsMyWw7JTa1vE; desc @@ 1.11 log @merge openpam ximenia @ text @.\" $NetBSD: pam.conf.5,v 1.10 2019/12/15 17:08:21 christos Exp $ .\" .\"- .\" Copyright (c) 2005-2017 Dag-Erling Smørgrav .\" All rights reserved. .\" .\" Redistribution and use in source and binary forms, with or without .\" modification, are permitted provided that the following conditions .\" are met: .\" 1. Redistributions of source code must retain the above copyright .\" notice, this list of conditions and the following disclaimer. .\" 2. Redistributions in binary form must reproduce the above copyright .\" notice, this list of conditions and the following disclaimer in the .\" documentation and/or other materials provided with the distribution. .\" 3. The name of the author may not be used to endorse or promote .\" products derived from this software without specific prior written .\" permission. .\" .\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE .\" ARE DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" .Dd June 27, 2023 .Dt PAM.CONF 5 .Os .Sh NAME .Nm pam.conf .Nd PAM policy file format .Sh DESCRIPTION The PAM library searches for policies in the following files, in decreasing order of preference: .Bl -enum .It .Pa /etc/pam.d/ Ns Ar service-name .It .Pa /etc/pam.conf .\" .It .\" .Pa /usr/local/etc/pam.d/ Ns Ar service-name .\" .It .\" .Pa /usr/local/etc/pam.conf .El .Pp If none of these locations contains a policy for the given service, the .Dq Dv other policy is used instead, if it exists. .Pp Entries in per-service policy files must be of one of the two forms below: .Bd -unfilled -offset indent .Ar facility control-flag module-path Op Ar arguments ... .Ar facility Cm include Ar other-service-name .Ed .Pp Entries in .Pa pam.conf Ns -style policy files are of the same form, but are prefixed by an additional field specifying the name of the service they apply to. .Pp In both cases, blank lines and comments introduced by a .Ql # sign are ignored, and the normal shell quoting rules apply. The precise details of how the file is tokenized are described in .Xr openpam_readword 3 . 
.Pp The .Ar facility field specifies the facility the entry applies to, and is one of: .Bl -tag -width 12n .It Cm auth Authentication functions .Po .Xr pam_authenticate 3 , .Xr pam_setcred 3 .Pc .It Cm account Account management functions .Pq Xr pam_acct_mgmt 3 .It Cm session Session handling functions .Po .Xr pam_open_session 3 , .Xr pam_close_session 3 .Pc .It Cm password Password management functions .Pq Xr pam_chauthtok 3 .El .Pp The .Ar control-flag field determines how the result returned by the module affects the flow of control through (and the final result of) the rest of the chain, and is one of: .Bl -tag -width 12n .It Cm required If this module succeeds, the result of the chain will be success unless a later module fails. If it fails, the rest of the chain still runs, but the final result will be failure regardless of the success of later modules. .It Cm requisite If this module succeeds, the result of the chain will be success unless a later module fails. If the module fails, the chain is broken and the result is failure. .It Cm sufficient If this module succeeds, the chain is broken and the result is success. If it fails, the rest of the chain still runs, but the final result will be failure unless a later module succeeds. .It Cm binding If this module succeeds, the chain is broken and the result is success. If it fails, the rest of the chain still runs, but the final result will be failure regardless of the success of later modules. .It Cm optional If this module succeeds, the result of the chain will be success unless a later module fails. If this module fails, the result of the chain will be failure unless a later module succeeds. .El .Pp There are two exceptions to the above: .Cm sufficient and .Cm binding modules are treated as .Cm optional by .Xr pam_setcred 3 , and in the .Dv PAM_PRELIM_CHECK phase of .Xr pam_chauthtok 3 . .Pp The .Ar module-path field specifies the name or full path of the module to call. 
If only the name is specified, the PAM library will search for it in the following location: .Bl -enum .It .\" .Pa /usr/lib .Pa /usr/lib/security .\" .It .\" .Pa /usr/local/lib .El .Pp The remaining fields, if any, are passed unmodified to the module if and when it is invoked. .Pp The .Cm include form of entry causes entries from a different chain (specified by .Ar other-service-name ) to be included in the current one. This allows one to define system-wide policies which are then included into service-specific policies. The system-wide policy can then be modified without having to also modify each and every service-specific policy. .Pp .Bf -symbolic Take care not to introduce loops when using .Cm include rules, as there is currently no loop detection in place. .Ef .Sh MODULE OPTIONS Some PAM library functions may alter their behavior when called by a service module if certain module options were specified, regardless of whether the module itself accords them any importance. One such option is .Cm debug , which causes the dispatcher to enable debugging messages before calling each service function, and disable them afterwards (unless they were already enabled). Other special options include: .Bl -tag -width 12n .It Cm authtok_prompt Ns = Ns Ar prompt , Cm oldauthtok_prompt Ns = Ns Ar prompt , Cm user_prompt Ns = Ns Ar prompt These options can be used to override the prompts used by .Xr pam_get_authtok 3 and .Xr pam_get_user 3 . .It Cm echo_pass This option controls whether .Xr pam_get_authtok 3 will allow the user to see what they are typing. .It Cm try_first_pass , Cm use_first_pass These options control .Xr pam_get_authtok 3 Ns 's use of cached authentication tokens. 
.El .Sh SEE ALSO .Xr pam 3 .Sh STANDARDS .Rs .%T "X/Open Single Sign-On Service (XSSO) - Pluggable Authentication Modules" .%D "June 1997" .Re .Sh AUTHORS The OpenPAM library was developed for the .Fx Project by ThinkSec AS and Network Associates Laboratories, the Security Research Division of Network Associates, Inc.\& under DARPA/SPAWAR contract N66001-01-C-8035 .Pq Dq CBOSS , as part of the DARPA CHATS research program. .Pp The OpenPAM library is maintained by .An Dag-Erling Sm\(/orgrav Aq Mt des@@des.no . @ 1.10 log @resolve conflicts @ text @d1 1 a1 1 .\" $NetBSD: pam.conf.5,v 1.9 2017/05/06 19:50:09 christos Exp $ d31 1 a31 3 .\" $OpenPAM: pam.conf.5 947 2019-02-24 20:18:17Z des $ .\" .Dd February 24, 2019 @ 1.9 log @merge conflicts @ text @d1 1 a1 1 .\" $NetBSD: pam.conf.5,v 1.8 2014/10/24 18:25:42 christos Exp $ d31 1 a31 1 .\" $OpenPAM: pam.conf.5 939 2017-04-30 21:36:50Z des $ d33 1 a33 1 .Dd April 30, 2017 @ 1.9.10.1 log @Merge changes from current as of 20200406 @ text @d1 1 a1 1 .\" $NetBSD$ d31 1 a31 1 .\" $OpenPAM: pam.conf.5 947 2019-02-24 20:18:17Z des $ d33 1 a33 1 .Dd February 24, 2019 @ 1.8 log @fix conflicts @ text @d1 1 a1 1 .\" $NetBSD: pam.conf.5,v 1.7 2014/10/24 18:17:56 christos Exp $ d4 1 a4 1 .\" Copyright (c) 2005-2011 Dag-Erling Smørgrav d31 1 a31 1 .\" Id: pam.conf.5 816 2014-09-12 07:50:22Z des d33 1 a33 1 .Dd September 12, 2014 @ 1.8.6.1 log @Sync with HEAD @ text @d1 1 a1 1 .\" $NetBSD: pam.conf.5,v 1.9 2017/05/06 19:50:09 christos Exp $ d4 1 a4 1 .\" Copyright (c) 2005-2017 Dag-Erling Smørgrav d31 1 a31 1 .\" $OpenPAM: pam.conf.5 939 2017-04-30 21:36:50Z des $ d33 1 a33 1 .Dd April 30, 2017 @ 1.7 log @merge conflicts @ text @d1 1 a1 2 <<<<<<< pam.conf.5 .\" $NetBSD: pam.conf.5,v 1.5 2013/12/27 20:10:20 christos Exp $ a2 2 ======= >>>>>>> 1.1.1.4 @ 1.6 log @fix for NetBSD-specific changes. 
@ text @d1 1 d4 2 d34 1 a34 1 .\" Id: pam.conf.5 741 2013-09-07 13:34:02Z des d36 1 a36 1 .Dd September 7, 2013 @ 1.6.4.1 log @Pull up following revision(s) (requested by christos in ticket #826): external/bsd/openpam/dist/CREDITS: up to 1.1.1.4 external/bsd/openpam/dist/HISTORY: up to 1.1.1.4 external/bsd/openpam/dist/INSTALL: up to 1.1.1.4 external/bsd/openpam/dist/LICENSE: up to 1.1.1.4 external/bsd/openpam/dist/Makefile.am: up to 1.1.1.4 external/bsd/openpam/dist/Makefile.in: up to 1.1.1.4 external/bsd/openpam/dist/README: up to 1.1.1.4 external/bsd/openpam/dist/RELNOTES: up to 1.1.1.4 external/bsd/openpam/dist/TODO: up to 1.1.1.3 external/bsd/openpam/dist/aclocal.m4: up to 1.1.1.4 external/bsd/openpam/dist/autogen.sh: up to 1.1.1.4 external/bsd/openpam/dist/bin/Makefile.in: up to 1.1.1.4 external/bsd/openpam/dist/bin/openpam_dump_policy/Makefile.in: up to 1.1.1.3 external/bsd/openpam/dist/bin/openpam_dump_policy/openpam_dump_policy.c: up to 1.1.1.3 external/bsd/openpam/dist/bin/pamtest/Makefile.in: up to 1.1.1.4 external/bsd/openpam/dist/bin/pamtest/pamtest.1: up to 1.7 external/bsd/openpam/dist/bin/su/Makefile.in: up to 1.1.1.4 external/bsd/openpam/dist/bin/su/su.1: up to 1.7 external/bsd/openpam/dist/config.h.in: up to 1.1.1.4 external/bsd/openpam/dist/configure: up to 1.1.1.4 external/bsd/openpam/dist/configure.ac: up to 1.1.1.4 external/bsd/openpam/dist/doc/Makefile.in: up to 1.1.1.4 external/bsd/openpam/dist/doc/man/Makefile.in: up to 1.1.1.5 external/bsd/openpam/dist/doc/man/openpam.3: up to 1.9 external/bsd/openpam/dist/doc/man/openpam_borrow_cred.3: up to 1.6 external/bsd/openpam/dist/doc/man/openpam_free_data.3: up to 1.6 external/bsd/openpam/dist/doc/man/openpam_free_envlist.3: up to 1.7 external/bsd/openpam/dist/doc/man/openpam_get_feature.3: up to 1.5 external/bsd/openpam/dist/doc/man/openpam_get_option.3: up to 1.6 external/bsd/openpam/dist/doc/man/openpam_log.3: up to 1.6 external/bsd/openpam/dist/doc/man/openpam_nullconv.3: up to 1.6 
external/bsd/openpam/dist/doc/man/openpam_readline.3: up to 1.6 external/bsd/openpam/dist/doc/man/openpam_readlinev.3: up to 1.5 external/bsd/openpam/dist/doc/man/openpam_readword.3: up to 1.5 external/bsd/openpam/dist/doc/man/openpam_restore_cred.3: up to 1.6 external/bsd/openpam/dist/doc/man/openpam_set_feature.3: up to 1.5 external/bsd/openpam/dist/doc/man/openpam_set_option.3: up to 1.6 external/bsd/openpam/dist/doc/man/openpam_straddch.3: up to 1.5 external/bsd/openpam/dist/doc/man/openpam_subst.3: up to 1.7 external/bsd/openpam/dist/doc/man/openpam_ttyconv.3: up to 1.6 external/bsd/openpam/dist/doc/man/pam.3: up to 1.9 external/bsd/openpam/dist/doc/man/pam.conf.5: up to 1.8 external/bsd/openpam/dist/doc/man/pam_acct_mgmt.3: up to 1.6 external/bsd/openpam/dist/doc/man/pam_authenticate.3: up to 1.6 external/bsd/openpam/dist/doc/man/pam_chauthtok.3: up to 1.6 external/bsd/openpam/dist/doc/man/pam_close_session.3: up to 1.6 external/bsd/openpam/dist/doc/man/pam_conv.3: up to 1.7 external/bsd/openpam/dist/doc/man/pam_end.3: up to 1.6 external/bsd/openpam/dist/doc/man/pam_error.3: up to 1.6 external/bsd/openpam/dist/doc/man/pam_get_authtok.3: up to 1.7 external/bsd/openpam/dist/doc/man/pam_get_data.3: up to 1.6 external/bsd/openpam/dist/doc/man/pam_get_item.3: up to 1.6 external/bsd/openpam/dist/doc/man/pam_get_user.3: up to 1.7 external/bsd/openpam/dist/doc/man/pam_getenv.3: up to 1.6 external/bsd/openpam/dist/doc/man/pam_getenvlist.3: up to 1.6 external/bsd/openpam/dist/doc/man/pam_info.3: up to 1.6 external/bsd/openpam/dist/doc/man/pam_open_session.3: up to 1.6 external/bsd/openpam/dist/doc/man/pam_prompt.3: up to 1.6 external/bsd/openpam/dist/doc/man/pam_putenv.3: up to 1.6 external/bsd/openpam/dist/doc/man/pam_set_data.3: up to 1.6 external/bsd/openpam/dist/doc/man/pam_set_item.3: up to 1.6 external/bsd/openpam/dist/doc/man/pam_setcred.3: up to 1.6 external/bsd/openpam/dist/doc/man/pam_setenv.3: up to 1.6 external/bsd/openpam/dist/doc/man/pam_sm_acct_mgmt.3: 
up to 1.6 external/bsd/openpam/dist/doc/man/pam_sm_authenticate.3: up to 1.6 external/bsd/openpam/dist/doc/man/pam_sm_chauthtok.3: up to 1.6 external/bsd/openpam/dist/doc/man/pam_sm_close_session.3: up to 1.6 external/bsd/openpam/dist/doc/man/pam_sm_open_session.3: up to 1.6 external/bsd/openpam/dist/doc/man/pam_sm_setcred.3: up to 1.6 external/bsd/openpam/dist/doc/man/pam_start.3: up to 1.6 external/bsd/openpam/dist/doc/man/pam_strerror.3: up to 1.7 external/bsd/openpam/dist/doc/man/pam_verror.3: up to 1.6 external/bsd/openpam/dist/doc/man/pam_vinfo.3: up to 1.6 external/bsd/openpam/dist/doc/man/pam_vprompt.3: up to 1.6 external/bsd/openpam/dist/include/Makefile.in: up to 1.1.1.4 external/bsd/openpam/dist/include/security/Makefile.in: up to 1.1.1.4 external/bsd/openpam/dist/include/security/openpam_version.h: up to 1.5 external/bsd/openpam/dist/lib/Makefile.am: up to 1.1.1.5 external/bsd/openpam/dist/lib/Makefile.in: up to 1.1.1.5 external/bsd/openpam/dist/lib/libpam/Makefile.am: up to 1.1.1.1 external/bsd/openpam/dist/lib/libpam/Makefile.in: up to 1.1.1.1 external/bsd/openpam/dist/lib/libpam/openpam_asprintf.c: up to 1.2 external/bsd/openpam/dist/lib/libpam/openpam_asprintf.h: up to 1.2 external/bsd/openpam/dist/lib/libpam/openpam_borrow_cred.c: up to 1.2 external/bsd/openpam/dist/lib/libpam/openpam_check_owner_perms.c: up to 1.2 external/bsd/openpam/dist/lib/libpam/openpam_configure.c: up to 1.2 external/bsd/openpam/dist/lib/libpam/openpam_constants.c: up to 1.2 external/bsd/openpam/dist/lib/libpam/openpam_constants.h: up to 1.2 external/bsd/openpam/dist/lib/libpam/openpam_cred.h: up to 1.2 external/bsd/openpam/dist/lib/libpam/openpam_ctype.h: up to 1.2 external/bsd/openpam/dist/lib/libpam/openpam_debug.h: up to 1.2 external/bsd/openpam/dist/lib/libpam/openpam_dispatch.c: up to 1.2 external/bsd/openpam/dist/lib/libpam/openpam_dlfunc.h: up to 1.2 external/bsd/openpam/dist/lib/libpam/openpam_dynamic.c: up to 1.2 
external/bsd/openpam/dist/lib/libpam/openpam_features.c: up to 1.2 external/bsd/openpam/dist/lib/libpam/openpam_features.h: up to 1.2 external/bsd/openpam/dist/lib/libpam/openpam_findenv.c: up to 1.2 external/bsd/openpam/dist/lib/libpam/openpam_free_data.c: up to 1.2 external/bsd/openpam/dist/lib/libpam/openpam_free_envlist.c: up to 1.2 external/bsd/openpam/dist/lib/libpam/openpam_get_feature.c: up to 1.2 external/bsd/openpam/dist/lib/libpam/openpam_get_option.c: up to 1.2 external/bsd/openpam/dist/lib/libpam/openpam_impl.h: up to 1.2 external/bsd/openpam/dist/lib/libpam/openpam_load.c: up to 1.2 external/bsd/openpam/dist/lib/libpam/openpam_log.c: up to 1.2 external/bsd/openpam/dist/lib/libpam/openpam_nullconv.c: up to 1.2 external/bsd/openpam/dist/lib/libpam/openpam_readline.c: up to 1.2 external/bsd/openpam/dist/lib/libpam/openpam_readlinev.c: up to 1.2 external/bsd/openpam/dist/lib/libpam/openpam_readword.c: up to 1.2 external/bsd/openpam/dist/lib/libpam/openpam_restore_cred.c: up to 1.2 external/bsd/openpam/dist/lib/libpam/openpam_set_feature.c: up to 1.2 external/bsd/openpam/dist/lib/libpam/openpam_set_option.c: up to 1.2 external/bsd/openpam/dist/lib/libpam/openpam_static.c: up to 1.2 external/bsd/openpam/dist/lib/libpam/openpam_straddch.c: up to 1.2 external/bsd/openpam/dist/lib/libpam/openpam_strlcat.c: up to 1.2 external/bsd/openpam/dist/lib/libpam/openpam_strlcat.h: up to 1.2 external/bsd/openpam/dist/lib/libpam/openpam_strlcmp.h: up to 1.2 external/bsd/openpam/dist/lib/libpam/openpam_strlcpy.c: up to 1.2 external/bsd/openpam/dist/lib/libpam/openpam_strlcpy.h: up to 1.2 external/bsd/openpam/dist/lib/libpam/openpam_strlset.c: up to 1.2 external/bsd/openpam/dist/lib/libpam/openpam_strlset.h: up to 1.2 external/bsd/openpam/dist/lib/libpam/openpam_subst.c: up to 1.2 external/bsd/openpam/dist/lib/libpam/openpam_ttyconv.c: up to 1.2 external/bsd/openpam/dist/lib/libpam/openpam_vasprintf.c: up to 1.2 external/bsd/openpam/dist/lib/libpam/openpam_vasprintf.h: up 
to 1.2 external/bsd/openpam/dist/lib/libpam/pam_acct_mgmt.c: up to 1.2 external/bsd/openpam/dist/lib/libpam/pam_authenticate.c: up to 1.2 external/bsd/openpam/dist/lib/libpam/pam_authenticate_secondary.c: up to 1.2 external/bsd/openpam/dist/lib/libpam/pam_chauthtok.c: up to 1.2 external/bsd/openpam/dist/lib/libpam/pam_close_session.c: up to 1.2 external/bsd/openpam/dist/lib/libpam/pam_end.c: up to 1.2 external/bsd/openpam/dist/lib/libpam/pam_error.c: up to 1.2 external/bsd/openpam/dist/lib/libpam/pam_get_authtok.c: up to 1.2 external/bsd/openpam/dist/lib/libpam/pam_get_data.c: up to 1.2 external/bsd/openpam/dist/lib/libpam/pam_get_item.c: up to 1.2 external/bsd/openpam/dist/lib/libpam/pam_get_mapped_authtok.c: up to 1.2 external/bsd/openpam/dist/lib/libpam/pam_get_mapped_username.c: up to 1.2 external/bsd/openpam/dist/lib/libpam/pam_get_user.c: up to 1.2 external/bsd/openpam/dist/lib/libpam/pam_getenv.c: up to 1.2 external/bsd/openpam/dist/lib/libpam/pam_getenvlist.c: up to 1.2 external/bsd/openpam/dist/lib/libpam/pam_info.c: up to 1.2 external/bsd/openpam/dist/lib/libpam/pam_open_session.c: up to 1.2 external/bsd/openpam/dist/lib/libpam/pam_prompt.c: up to 1.2 external/bsd/openpam/dist/lib/libpam/pam_putenv.c: up to 1.2 external/bsd/openpam/dist/lib/libpam/pam_set_data.c: up to 1.2 external/bsd/openpam/dist/lib/libpam/pam_set_item.c: up to 1.2 external/bsd/openpam/dist/lib/libpam/pam_set_mapped_authtok.c: up to 1.2 external/bsd/openpam/dist/lib/libpam/pam_set_mapped_username.c: up to 1.2 external/bsd/openpam/dist/lib/libpam/pam_setcred.c: up to 1.2 external/bsd/openpam/dist/lib/libpam/pam_setenv.c: up to 1.2 external/bsd/openpam/dist/lib/libpam/pam_sm_acct_mgmt.c: up to 1.2 external/bsd/openpam/dist/lib/libpam/pam_sm_authenticate.c: up to 1.2 external/bsd/openpam/dist/lib/libpam/pam_sm_authenticate_secondary.c: up to 1.2 external/bsd/openpam/dist/lib/libpam/pam_sm_chauthtok.c: up to 1.2 external/bsd/openpam/dist/lib/libpam/pam_sm_close_session.c: up to 1.2 
external/bsd/openpam/dist/lib/libpam/pam_sm_get_mapped_authtok.c: up to 1.2 external/bsd/openpam/dist/lib/libpam/pam_sm_get_mapped_username.c: up to 1.2 external/bsd/openpam/dist/lib/libpam/pam_sm_open_session.c: up to 1.2 external/bsd/openpam/dist/lib/libpam/pam_sm_set_mapped_authtok.c: up to 1.2 external/bsd/openpam/dist/lib/libpam/pam_sm_set_mapped_username.c: up to 1.2 external/bsd/openpam/dist/lib/libpam/pam_sm_setcred.c: up to 1.2 external/bsd/openpam/dist/lib/libpam/pam_start.c: up to 1.2 external/bsd/openpam/dist/lib/libpam/pam_strerror.c: up to 1.2 external/bsd/openpam/dist/lib/libpam/pam_verror.c: up to 1.2 external/bsd/openpam/dist/lib/libpam/pam_vinfo.c: up to 1.2 external/bsd/openpam/dist/lib/libpam/pam_vprompt.c: up to 1.2 external/bsd/openpam/dist/lib/openpam_asprintf.c delete external/bsd/openpam/dist/lib/openpam_asprintf.h delete external/bsd/openpam/dist/lib/openpam_borrow_cred.c delete external/bsd/openpam/dist/lib/openpam_check_owner_perms.c delete external/bsd/openpam/dist/lib/openpam_configure.c delete external/bsd/openpam/dist/lib/openpam_constants.c delete external/bsd/openpam/dist/lib/openpam_constants.h delete external/bsd/openpam/dist/lib/openpam_cred.h delete external/bsd/openpam/dist/lib/openpam_ctype.h delete external/bsd/openpam/dist/lib/openpam_debug.h delete external/bsd/openpam/dist/lib/openpam_dispatch.c delete external/bsd/openpam/dist/lib/openpam_dlfunc.h delete external/bsd/openpam/dist/lib/openpam_dynamic.c delete external/bsd/openpam/dist/lib/openpam_features.c delete external/bsd/openpam/dist/lib/openpam_features.h delete external/bsd/openpam/dist/lib/openpam_findenv.c delete external/bsd/openpam/dist/lib/openpam_free_data.c delete external/bsd/openpam/dist/lib/openpam_free_envlist.c delete external/bsd/openpam/dist/lib/openpam_get_feature.c delete external/bsd/openpam/dist/lib/openpam_get_option.c delete external/bsd/openpam/dist/lib/openpam_impl.h delete external/bsd/openpam/dist/lib/openpam_load.c delete 
external/bsd/openpam/dist/lib/openpam_log.c delete external/bsd/openpam/dist/lib/openpam_nullconv.c delete external/bsd/openpam/dist/lib/openpam_readline.c delete external/bsd/openpam/dist/lib/openpam_readlinev.c delete external/bsd/openpam/dist/lib/openpam_readword.c delete external/bsd/openpam/dist/lib/openpam_restore_cred.c delete external/bsd/openpam/dist/lib/openpam_set_feature.c delete external/bsd/openpam/dist/lib/openpam_set_option.c delete external/bsd/openpam/dist/lib/openpam_static.c delete external/bsd/openpam/dist/lib/openpam_straddch.c delete external/bsd/openpam/dist/lib/openpam_strlcat.c delete external/bsd/openpam/dist/lib/openpam_strlcat.h delete external/bsd/openpam/dist/lib/openpam_strlcmp.h delete external/bsd/openpam/dist/lib/openpam_strlcpy.c delete external/bsd/openpam/dist/lib/openpam_strlcpy.h delete external/bsd/openpam/dist/lib/openpam_subst.c delete external/bsd/openpam/dist/lib/openpam_ttyconv.c delete external/bsd/openpam/dist/lib/openpam_vasprintf.c delete external/bsd/openpam/dist/lib/openpam_vasprintf.h delete external/bsd/openpam/dist/lib/pam_acct_mgmt.c delete external/bsd/openpam/dist/lib/pam_authenticate.c delete external/bsd/openpam/dist/lib/pam_authenticate_secondary.c delete external/bsd/openpam/dist/lib/pam_chauthtok.c delete external/bsd/openpam/dist/lib/pam_close_session.c delete external/bsd/openpam/dist/lib/pam_end.c delete external/bsd/openpam/dist/lib/pam_error.c delete external/bsd/openpam/dist/lib/pam_get_authtok.c delete external/bsd/openpam/dist/lib/pam_get_data.c delete external/bsd/openpam/dist/lib/pam_get_item.c delete external/bsd/openpam/dist/lib/pam_get_mapped_authtok.c delete external/bsd/openpam/dist/lib/pam_get_mapped_username.c delete external/bsd/openpam/dist/lib/pam_get_user.c delete external/bsd/openpam/dist/lib/pam_getenv.c delete external/bsd/openpam/dist/lib/pam_getenvlist.c delete external/bsd/openpam/dist/lib/pam_info.c delete external/bsd/openpam/dist/lib/pam_open_session.c delete 
external/bsd/openpam/dist/lib/pam_prompt.c delete external/bsd/openpam/dist/lib/pam_putenv.c delete external/bsd/openpam/dist/lib/pam_set_data.c delete external/bsd/openpam/dist/lib/pam_set_item.c delete external/bsd/openpam/dist/lib/pam_set_mapped_authtok.c delete external/bsd/openpam/dist/lib/pam_set_mapped_username.c delete external/bsd/openpam/dist/lib/pam_setcred.c delete external/bsd/openpam/dist/lib/pam_setenv.c delete external/bsd/openpam/dist/lib/pam_sm_acct_mgmt.c delete external/bsd/openpam/dist/lib/pam_sm_authenticate.c delete external/bsd/openpam/dist/lib/pam_sm_authenticate_secondary.c delete external/bsd/openpam/dist/lib/pam_sm_chauthtok.c delete external/bsd/openpam/dist/lib/pam_sm_close_session.c delete external/bsd/openpam/dist/lib/pam_sm_get_mapped_authtok.c delete external/bsd/openpam/dist/lib/pam_sm_get_mapped_username.c delete external/bsd/openpam/dist/lib/pam_sm_open_session.c delete external/bsd/openpam/dist/lib/pam_sm_set_mapped_authtok.c delete external/bsd/openpam/dist/lib/pam_sm_set_mapped_username.c delete external/bsd/openpam/dist/lib/pam_sm_setcred.c delete external/bsd/openpam/dist/lib/pam_start.c delete external/bsd/openpam/dist/lib/pam_strerror.c delete external/bsd/openpam/dist/lib/pam_verror.c delete external/bsd/openpam/dist/lib/pam_vinfo.c delete external/bsd/openpam/dist/lib/pam_vprompt.c delete external/bsd/openpam/dist/ltmain.sh: up to 1.1.1.3 external/bsd/openpam/dist/m4/libtool.m4 delete external/bsd/openpam/dist/m4/ltoptions.m4 delete external/bsd/openpam/dist/m4/ltsugar.m4 delete external/bsd/openpam/dist/m4/ltversion.m4 delete external/bsd/openpam/dist/m4/lt~obsolete.m4 delete external/bsd/openpam/dist/mkpkgng.in: up to 1.1.1.2 external/bsd/openpam/dist/modules/Makefile.in: up to 1.1.1.4 external/bsd/openpam/dist/modules/pam_deny/Makefile.in: up to 1.1.1.4 external/bsd/openpam/dist/modules/pam_permit/Makefile.in: up to 1.1.1.4 external/bsd/openpam/dist/modules/pam_unix/Makefile.in: up to 1.1.1.4 
external/bsd/openpam/dist/pamgdb.in: up to 1.1.1.3 external/bsd/openpam/dist/t/Makefile.am: up to 1.1.1.3 external/bsd/openpam/dist/t/Makefile.in: up to 1.1.1.3 external/bsd/openpam/dist/t/t.h: up to 1.1.1.3 external/bsd/openpam/dist/t/t_file.c: up to 1.1.1.2 external/bsd/openpam/dist/t/t_main.c: up to 1.1.1.3 external/bsd/openpam/dist/t/t_openpam_ctype.c: up to 1.1.1.1 external/bsd/openpam/dist/t/t_openpam_readlinev.c: up to 1.2 external/bsd/openpam/dist/t/t_openpam_readword.c: up to 1.2 external/bsd/openpam/openpam2netbsd: up to 1.3 lib/libpam/libpam/Makefile: revision 1.17 OpenPAM Ourouparia 2014-09-12 - ENHANCE: When executing a chain, require at least one service function to succeed. This mitigates fail-open scenarios caused by misconfigurations or missing modules. - ENHANCE: Make sure to overwrite buffers which may have contained an authentication token when they're no longer needed. - BUGFIX: Under certain circumstances, specifying a non-existent module (or misspelling the name of a module) in a policy could result in a fail-open scenario. (CVE-2014-3879) - FEATURE: Add a search path for modules. This was implemented in Nummularia but inadvertently left out of the release notes. - BUGFIX: The is_upper() predicate only accepted the letter A as an upper-case character instead of the entire A-Z range. As a result, service and module names containing upper-case letters other than A would be rejected. -- pam library has moved and new files @ text @d1 1 a1 1 .\" $NetBSD: pam.conf.5,v 1.8 2014/10/24 18:25:42 christos Exp $ d31 1 a31 1 .\" Id: pam.conf.5 816 2014-09-12 07:50:22Z des d33 1 a33 1 .Dd September 12, 2014 @ 1.5 log @merge conflicts @ text @d1 1 a1 1 .\" $NetBSD: pam.conf.5,v 1.1.1.3 2013/12/27 19:16:10 christos Exp $ d47 4 a50 4 .It .Pa /usr/local/etc/pam.d/ Ns Ar service-name .It .Pa /usr/local/etc/pam.conf d149 1 a149 1 the following locations: d152 4 a155 3 .Pa /usr/lib .It .Pa /usr/local/lib @ 1.4 log @Use Mt for email addresses. 
@ text @d1 1 a1 1 .\" $NetBSD: pam.conf.5,v 1.3 2013/04/06 02:20:26 christos Exp $ d31 1 a31 1 .\" Id: pam.conf.5 610 2012-05-26 14:03:45Z des d33 1 a33 1 .Dd May 26, 2012 d70 1 a70 2 In both types of policy files, blank lines are ignored, as is anything to the right of a d72 3 a74 1 sign. d79 1 a79 1 .Bl -tag -width ".Cm password" d105 1 a105 1 .Bl -tag -width ".Cm sufficient" d147 9 a155 2 field specifies the name, or optionally the full path, of the module to call. d157 2 a158 7 The remaining fields are passed as arguments to the module if and when it is invoked. As a special case, if an argument is of the form ``name=value'' and the right-hand side is surrounded by single or double quotes, any whitespace between the quote characters will be considered part of the same argument rather than a separator between this argument and the next. d169 31 @ 1.3 log @merge conflicts @ text @d1 1 a1 1 .\" $NetBSD: pam.conf.5,v 1.1.1.2 2013/04/06 01:23:33 christos Exp $ d183 1 a183 1 .An Dag-Erling Sm\(/orgrav Aq des@@des.no . @ 1.3.4.1 log @sync with HEAD @ text @d1 1 a1 1 .\" $NetBSD: pam.conf.5,v 1.4 2013/07/20 21:40:04 wiz Exp $ d183 1 a183 1 .An Dag-Erling Sm\(/orgrav Aq Mt des@@des.no . @ 1.2 log @apply our changes. @ text @d1 1 a1 1 .\" $NetBSD$ d31 1 a31 1 .\" Id: pam.conf.5 485 2011-11-03 16:57:37Z des d33 1 a33 1 .Dd November 3, 2011 d55 1 a55 1 .Dv default d182 2 a183 2 This manual page was written by .An Dag-Erling Sm\(/orgrav Aq des@@FreeBSD.org . @ 1.2.8.1 log @resync from head @ text @d31 1 a31 1 .\" Id: pam.conf.5 610 2012-05-26 14:03:45Z des d33 1 a33 1 .Dd May 26, 2012 d55 1 a55 1 .Dq Dv other d182 2 a183 2 The OpenPAM library is maintained by .An Dag-Erling Sm\(/orgrav Aq des@@des.no . @ 1.2.8.2 log @Rebase to HEAD as of a few days ago. 
@ text @d31 1 a31 1 .\" Id: pam.conf.5 741 2013-09-07 13:34:02Z des d33 1 a33 1 .Dd September 7, 2013 d47 4 a50 4 .\" .It .\" .Pa /usr/local/etc/pam.d/ Ns Ar service-name .\" .It .\" .Pa /usr/local/etc/pam.conf d70 2 a71 1 In both cases, blank lines and comments introduced by a d73 1 a73 3 sign are ignored, and the normal shell quoting rules apply. The precise details of how the file is tokenized are described in .Xr openpam_readword 3 . d78 1 a78 1 .Bl -tag -width 12n d104 1 a104 1 .Bl -tag -width 12n d146 2 a147 10 field specifies the name or full path of the module to call. If only the name is specified, the PAM library will search for it in the following location: .Bl -enum .It .\" .Pa /usr/lib .Pa /usr/lib/security .\" .It .\" .Pa /usr/local/lib .El d149 7 a155 2 The remaining fields, if any, are passed unmodified to the module if and when it is invoked. a165 31 .Pp .Bf -symbolic Take care not to introduce loops when using .Cm include rules, as there is currently no loop detection in place. .Ef .Sh MODULE OPTIONS Some PAM library functions may alter their behavior when called by a service module if certain module options were specified, regardless of whether the module itself accords them any importance. One such option is .Cm debug , which causes the dispatcher to enable debugging messages before calling each service function, and disable them afterwards (unless they were already enabled). Other special options include: .Bl -tag -width 12n .It Cm authtok_prompt Ns = Ns Ar prompt , Cm oldauthtok_prompt Ns = Ns Ar prompt , Cm user_prompt Ns = Ns Ar prompt These options can be used to override the prompts used by .Xr pam_get_authtok 3 and .Xr pam_get_user 3 . .It Cm echo_pass This option controls whether .Xr pam_get_authtok 3 will allow the user to see what they are typing. .It Cm try_first_pass , Cm use_first_pass These options control .Xr pam_get_authtok 3 Ns 's use of cached authentication tokens. 
.El d183 1 a183 1 .An Dag-Erling Sm\(/orgrav Aq Mt des@@des.no . @ 1.2.4.1 log @file pam.conf.5 was added on branch yamt-pagecache on 2012-04-17 00:03:56 +0000 @ text @d1 183 @ 1.2.4.2 log @sync with head @ text @a0 183 .\" $NetBSD$ .\" .\"- .\" Copyright (c) 2005-2011 Dag-Erling Smørgrav .\" All rights reserved. .\" .\" Redistribution and use in source and binary forms, with or without .\" modification, are permitted provided that the following conditions .\" are met: .\" 1. Redistributions of source code must retain the above copyright .\" notice, this list of conditions and the following disclaimer. .\" 2. Redistributions in binary form must reproduce the above copyright .\" notice, this list of conditions and the following disclaimer in the .\" documentation and/or other materials provided with the distribution. .\" 3. The name of the author may not be used to endorse or promote .\" products derived from this software without specific prior written .\" permission. .\" .\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE .\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. 
.\" .\" Id: pam.conf.5 485 2011-11-03 16:57:37Z des .\" .Dd November 3, 2011 .Dt PAM.CONF 5 .Os .Sh NAME .Nm pam.conf .Nd PAM policy file format .Sh DESCRIPTION The PAM library searches for policies in the following files, in decreasing order of preference: .Bl -enum .It .Pa /etc/pam.d/ Ns Ar service-name .It .Pa /etc/pam.conf .It .Pa /usr/local/etc/pam.d/ Ns Ar service-name .It .Pa /usr/local/etc/pam.conf .El .Pp If none of these locations contains a policy for the given service, the .Dv default policy is used instead, if it exists. .Pp Entries in per-service policy files must be of one of the two forms below: .Bd -unfilled -offset indent .Ar facility control-flag module-path Op Ar arguments ... .Ar facility Cm include Ar other-service-name .Ed .Pp Entries in .Pa pam.conf Ns -style policy files are of the same form, but are prefixed by an additional field specifying the name of the service they apply to. .Pp In both types of policy files, blank lines are ignored, as is anything to the right of a .Ql # sign. .Pp The .Ar facility field specifies the facility the entry applies to, and is one of: .Bl -tag -width ".Cm password" .It Cm auth Authentication functions .Po .Xr pam_authenticate 3 , .Xr pam_setcred 3 .Pc .It Cm account Account management functions .Pq Xr pam_acct_mgmt 3 .It Cm session Session handling functions .Po .Xr pam_open_session 3 , .Xr pam_close_session 3 .Pc .It Cm password Password management functions .Pq Xr pam_chauthtok 3 .El .Pp The .Ar control-flag field determines how the result returned by the module affects the flow of control through (and the final result of) the rest of the chain, and is one of: .Bl -tag -width ".Cm sufficient" .It Cm required If this module succeeds, the result of the chain will be success unless a later module fails. If it fails, the rest of the chain still runs, but the final result will be failure regardless of the success of later modules. 
.It Cm requisite If this module succeeds, the result of the chain will be success unless a later module fails. If the module fails, the chain is broken and the result is failure. .It Cm sufficient If this module succeeds, the chain is broken and the result is success. If it fails, the rest of the chain still runs, but the final result will be failure unless a later module succeeds. .It Cm binding If this module succeeds, the chain is broken and the result is success. If it fails, the rest of the chain still runs, but the final result will be failure regardless of the success of later modules. .It Cm optional If this module succeeds, the result of the chain will be success unless a later module fails. If this module fails, the result of the chain will be failure unless a later module succeeds. .El .Pp There are two exceptions to the above: .Cm sufficient and .Cm binding modules are treated as .Cm optional by .Xr pam_setcred 3 , and in the .Dv PAM_PRELIM_CHECK phase of .Xr pam_chauthtok 3 . .Pp The .Ar module-path field specifies the name, or optionally the full path, of the module to call. .Pp The remaining fields are passed as arguments to the module if and when it is invoked. As a special case, if an argument is of the form ``name=value'' and the right-hand side is surrounded by single or double quotes, any whitespace between the quote characters will be considered part of the same argument rather than a separator between this argument and the next. .Pp The .Cm include form of entry causes entries from a different chain (specified by .Ar other-system-name ) to be included in the current one. This allows one to define system-wide policies which are then included into service-specific policies. The system-wide policy can then be modified without having to also modify each and every service-specific policy. 
.Sh SEE ALSO .Xr pam 3 .Sh STANDARDS .Rs .%T "X/Open Single Sign-On Service (XSSO) - Pluggable Authentication Modules" .%D "June 1997" .Re .Sh AUTHORS The OpenPAM library was developed for the .Fx Project by ThinkSec AS and Network Associates Laboratories, the Security Research Division of Network Associates, Inc.\& under DARPA/SPAWAR contract N66001-01-C-8035 .Pq Dq CBOSS , as part of the DARPA CHATS research program. .Pp This manual page was written by .An Dag-Erling Sm\(/orgrav Aq des@@FreeBSD.org . @ 1.2.4.3 log @sync with head. for a reference, the tree before this commit was tagged as yamt-pagecache-tag8. this commit was split into small chunks to avoid a limitation of cvs. ("Protocol error: too many arguments") @ text @d1 1 a1 1 .\" $NetBSD: pam.conf.5,v 1.2.4.2 2012/04/17 00:03:56 yamt Exp $ d31 1 a31 1 .\" Id: pam.conf.5 741 2013-09-07 13:34:02Z des d33 1 a33 1 .Dd September 7, 2013 d47 4 a50 4 .\" .It .\" .Pa /usr/local/etc/pam.d/ Ns Ar service-name .\" .It .\" .Pa /usr/local/etc/pam.conf d55 1 a55 1 .Dq Dv other d70 2 a71 1 In both cases, blank lines and comments introduced by a d73 1 a73 3 sign are ignored, and the normal shell quoting rules apply. The precise details of how the file is tokenized are described in .Xr openpam_readword 3 . d78 1 a78 1 .Bl -tag -width 12n d104 1 a104 1 .Bl -tag -width 12n d146 2 a147 10 field specifies the name or full path of the module to call. If only the name is specified, the PAM library will search for it in the following location: .Bl -enum .It .\" .Pa /usr/lib .Pa /usr/lib/security .\" .It .\" .Pa /usr/local/lib .El d149 7 a155 2 The remaining fields, if any, are passed unmodified to the module if and when it is invoked. a165 31 .Pp .Bf -symbolic Take care not to introduce loops when using .Cm include rules, as there is currently no loop detection in place.
.Ef .Sh MODULE OPTIONS Some PAM library functions may alter their behavior when called by a service module if certain module options were specified, regardless of whether the module itself accords them any importance. One such option is .Cm debug , which causes the dispatcher to enable debugging messages before calling each service function, and disable them afterwards (unless they were already enabled). Other special options include: .Bl -tag -width 12n .It Cm authtok_prompt Ns = Ns Ar prompt , Cm oldauthtok_prompt Ns = Ns Ar prompt , Cm user_prompt Ns = Ns Ar prompt These options can be used to override the prompts used by .Xr pam_get_authtok 3 and .Xr pam_get_user 3 . .It Cm echo_pass This option controls whether .Xr pam_get_authtok 3 will allow the user to see what they are typing. .It Cm try_first_pass , Cm use_first_pass These options control .Xr pam_get_authtok 3 Ns 's use of cached authentication tokens. .El d182 2 a183 2 The OpenPAM library is maintained by .An Dag-Erling Sm\(/orgrav Aq Mt des@@des.no . @ 1.1 log @Initial revision @ text @@ 1.1.1.1 log @from sourceforge ENHANCE: removed static build autodetection, which didn't work anyway. Use an explicit, user-specified preprocessor variable instead. ENHANCE: cleaned up the documentation a bit. ENHANCE: added openpam_subst(3), allowing certain PAM items to be embedded in strings such as prompts. Apply it to the prompts used by pam_get_user(3) and pam_get_authtok(3). ENHANCE: added support for the user_prompt, authtok_prompt and oldauthtok_prompt module options, which override the prompts passed by the module to pam_set_user(3) and pam_get_authtok(3). ENHANCE: rewrote the policy parser to support quoted option values. ENHANCE: added pamtest(1), a tool for testing modules and policies. ENHANCE: added code to check the ownership and permissions of a module before loading it. ENHANCE: added / improved input validation in many cases, including the policy file and some function arguments. 
@ text @@ 1.1.1.2 log @Import openpam-20120526 @ text @d31 1 a31 1 .\" Id: pam.conf.5 610 2012-05-26 14:03:45Z des d33 1 a33 1 .Dd May 26, 2012 d55 1 a55 1 .Dq Dv other d182 2 a183 2 The OpenPAM library is maintained by .An Dag-Erling Sm\(/orgrav Aq des@@des.no . @ 1.1.1.3 log @Import openpam-20130907 @ text @d31 1 a31 1 .\" Id: pam.conf.5 741 2013-09-07 13:34:02Z des d33 1 a33 1 .Dd September 7, 2013 d70 2 a71 1 In both cases, blank lines and comments introduced by a d73 1 a73 3 sign are ignored, and the normal shell quoting rules apply. The precise details of how the file is tokenized are described in .Xr openpam_readword 3 . d78 1 a78 1 .Bl -tag -width 12n d104 1 a104 1 .Bl -tag -width 12n d146 2 a147 9 field specifies the name or full path of the module to call. If only the name is specified, the PAM library will search for it in the following locations: .Bl -enum .It .Pa /usr/lib .It .Pa /usr/local/lib .El d149 7 a155 2 The remaining fields, if any, are passed unmodified to the module if and when it is invoked. a165 31 .Pp .Bf -symbolic Take care not to introduce loops when using .Cm include rules, as there is currently no loop detection in place. .Ef .Sh MODULE OPTIONS Some PAM library functions may alter their behavior when called by a service module if certain module options were specified, regardless of whether the module itself accords them any importance. One such option is .Cm debug , which causes the dispatcher to enable debugging messages before calling each service function, and disable them afterwards (unless they were already enabled). Other special options include: .Bl -tag -width 12n .It Cm authtok_prompt Ns = Ns Ar prompt , Cm oldauthtok_prompt Ns = Ns Ar prompt , Cm user_prompt Ns = Ns Ar prompt These options can be used to override the prompts used by .Xr pam_get_authtok 3 and .Xr pam_get_user 3 . .It Cm echo_pass This option controls whether .Xr pam_get_authtok 3 will allow the user to see what they are typing. 
.It Cm try_first_pass , Cm use_first_pass These options control .Xr pam_get_authtok 3 Ns 's use of cached authentication tokens. .El @ 1.1.1.4 log @OpenPAM Ourouparia 2014-09-12 - ENHANCE: When executing a chain, require at least one service function to succeed. This mitigates fail-open scenarios caused by misconfigurations or missing modules. - ENHANCE: Make sure to overwrite buffers which may have contained an authentication token when they're no longer needed. - BUGFIX: Under certain circumstances, specifying a non-existent module (or misspelling the name of a module) in a policy could result in a fail-open scenario. (CVE-2014-3879) - FEATURE: Add a search path for modules. This was implemented in Nummularia but inadvertently left out of the release notes. - BUGFIX: The is_upper() predicate only accepted the letter A as an upper-case character instead of the entire A-Z range. As a result, service and module names containing upper-case letters other than A would be rejected. @ text @d1 2 d31 1 a31 1 .\" Id: pam.conf.5 816 2014-09-12 07:50:22Z des d33 1 a33 1 .Dd September 12, 2014 @ 1.1.1.5 log @OpenPAM Resedacea 2017-04-30 - BUGFIX: Reinstore the NULL check in pam_end(3) which was removed in OpenPAM Radula, as it breaks common error-handling constructs. - BUGFIX: Return PAM_SYMBOL_ERR instead of PAM_SYSTEM_ERR from the dispatcher when the required service function could not be found. - ENHANCE: Introduce the PAM_BAD_HANDLE error code for when pamh is NULL in API functions that have a NULL check. - ENHANCE: Introduce the PAM_BAD_ITEM, PAM_BAD_FEATURE and PAM_BAD_CONSTANT error codes for situations where we previously incorrectly used PAM_SYMBOL_ERR to denote that an invalid constant had been passed to an API function. - ENHANCE: Improve the RETURN VALUES section in API man pages, especially for functions that cannot fail, which were incorrectly documented as returning -1 on failure. 
============================================================================ OpenPAM Radula 2017-02-19 - BUGFIX: Fix an inverted test which prevented pam_get_authtok(3) and pam_get_user(3) from using application-provided custom prompts. - BUGFIX: Plug a memory leak in pam_set_item(3). - BUGFIX: Plug a potential memory leak in openpam_readlinev(3). - BUGFIX: In openpam_readword(3), support line continuations within whitespace. - ENHANCE: Add a feature flag to control fallback to "other" policy. - ENHANCE: Add a pam_return(8) module which returns an arbitrary code specified in the module options. - ENHANCE: More and better unit tests. @ text @d2 1 a2 1 .\" Copyright (c) 2005-2017 Dag-Erling Smørgrav d29 1 a29 1 .\" $OpenPAM: pam.conf.5 939 2017-04-30 21:36:50Z des $ d31 1 a31 1 .Dd April 30, 2017 d215 1 a215 1 .An Dag-Erling Sm\(/orgrav Aq Mt des@@des.no . @ 1.1.1.6 log @OpenPAM Tabebuia 2019-02-24 - BUGFIX: Fix off-by-one bug in pam_getenv(3) which was introduced in OpenPAM Radula. - ENHANCE: Add unit tests for pam_{get,put,set}env(3). @ text @d29 1 a29 1 .\" $OpenPAM: pam.conf.5 947 2019-02-24 20:18:17Z des $ d31 1 a31 1 .Dd February 24, 2019 @ 1.1.1.7 log @Import ximenia (last was tabebuia) - BUGFIX: Fix race condition in openpam_ttyconv(3) when used with expect scripts. - BUGFIX: In openpam_set_option(3), when removing an option, properly decrement the option count. - BUGFIX: In openpam_subst(3), avoid incrementing past the end of the template. @ text @d29 3 a31 1 .Dd June 27, 2023 @
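Review bot: the argument of the include form is named inconsistently in the 183-line text added by revision 1.2.4.2 (a0 183). The synopsis line reads ".Ar facility Cm include Ar other-service-name", but the paragraph that describes the include form says the chain is "specified by .Ar other-system-name". None of the later deltas shown here touches that paragraph, so the mismatch carries through to the newer revisions. Suggest using other-service-name in the description so it matches the synopsis.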
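Review bot: the 1.1.1.4 delta (OpenPAM Ourouparia) changes only the header lines, the Id line and the .Dd date (d1 2, d31 1 a31 1, d33 1 a33 1), although its log says that executing a chain now requires at least one service function to succeed, as a mitigation for fail-open results from misconfigured or missing modules (CVE-2014-3879). The control-flag section still describes the chain result purely in terms of individual module outcomes, for example "If this module fails, the result of the chain will be failure unless a later module succeeds" under optional. Suggest adding a sentence after the control-flag list stating that a chain in which no service function succeeds results in failure, so that policy authors can see the behaviour change in the file format documentation and not only in the release notes.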