pam_sample(5)         Standards, Environments, and Macros        pam_sample(5)



NAME
       pam_sample - a sample PAM module

SYNOPSIS
       /usr/lib/security/pam_sample.so.1

DESCRIPTION
       The  SAMPLE  service  module for  PAM is divided  into four components:
       authentication, account management, password  management,  and  session
       management.  The  sample  module is a shared object that is dynamically
       loaded to provide the necessary functionality.

SAMPLE Authentication Component
       The SAMPLE authentication module, typically
       /usr/lib/security/pam_sample.so.1, provides functions to test the PAM
       framework functionality using the pam_sm_authenticate(3PAM) call. The
       SAMPLE module implementation of the pam_sm_authenticate(3PAM) function
       compares the user entered password with the password set in the
       pam.conf(4) file, or the string "test" if a default test password has
       not been set. The following options may be passed in to the SAMPLE
       Authentication module:

       debug                   Syslog debugging information at the   LOG_DEBUG
                               level.



       passwd=newone           Sets the password to be "newone."



       first_pass_good         The  first  password  is  always good when used
                               with  the  use_first_pass  or    try_first_pass
                               option.



       first_pass_bad          The first password is always bad when used with
                               the use_first_pass or  try_first_pass option.



       always_fail             Always returns  PAM_AUTH_ERR.



       always_succeed          Always returns  PAM_SUCCESS.



       always_ignore           Always returns  PAM_IGNORE.



       use_first_pass          Use the user's initial password (entered when
                               the user is authenticated to the first
                               authentication module in the stack) to
                               authenticate with the SAMPLE module. If the
                               passwords do not match, or if this is the first
                               authentication module in the stack, quit and do
                               not prompt the user for a password. It is
                               recommended that this option only be used if the
                               SAMPLE authentication module is designated as
                               optional in the pam.conf configuration file.



       try_first_pass          Use the user's initial password (entered when
                               the user is authenticated to the first
                               authentication module in the stack) to
                               authenticate with the SAMPLE module. If the
                               passwords do not match, or if this is the first
                               authentication module in the stack, prompt the
                               user for a password.

       The SAMPLE module pam_sm_setcred(3PAM) function always returns
       PAM_SUCCESS.



SAMPLE Account Management Component
       The  SAMPLE  Account  Management  Component, typically pam_sample.so.1,
       implements a simple access control scheme that limits machine access to
       a list of authorized users. The list of authorized users is supplied as
       option arguments to the entry for the SAMPLE  account  management   PAM
       module in the pam.conf file. Note that the module always permits access
       to the root super user.

       The option field syntax to limit access is shown below:

           allow= name[,name]
           allow= name [allow=name]

       The example pam.conf shown below permits only larry to login directly.
       rlogin is allowed only for don and larry. Once a user is logged in, the
       user can use su if the user is sam or eric.


       login     account   require   pam_sample.so.1   allow=larry
       dtlogin   account   require   pam_sample.so.1   allow=larry
       rlogin    account   require   pam_sample.so.1   allow=don allow=larry
       su        account   require   pam_sample.so.1   allow=sam,eric


       The debug and nowarn options are also supported.
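
       An added example, not part of the original manual page or of the
       module itself: a Python check that scans pam.conf text for
       pam_sample.so.1 entries, reports auth entries that succeed without a
       real secret, and lists the users the account component admits for a
       service. The sample configuration and all function names are
       constructed for illustration.

```python
# Added example: audit pam.conf text for pam_sample.so.1 entries.
# Field order assumed: service, module type, control flag, module path, options.

# Constructed sample configuration, not taken from a real host.
SAMPLE_CONF = """\
# constructed sample
login   auth     required  /usr/lib/security/pam_sample.so.1 always_succeed
other   auth     optional  /usr/lib/security/pam_sample.so.1 try_first_pass
rlogin  account  required  /usr/lib/security/pam_sample.so.1 allow=don allow=larry
su      account  required  /usr/lib/security/pam_sample.so.1 allow=sam,eric debug
login   auth     required  /usr/lib/security/pam_unix_auth.so.1
"""

def sample_entries(conf_text):
    """Yield (service, module_type, options) for each pam_sample.so.1 line."""
    for line in conf_text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, then tokenize
        if len(fields) >= 4 and fields[3].endswith("pam_sample.so.1"):
            yield fields[0], fields[1], fields[4:]

def auth_findings(conf_text):
    """Report auth entries whose outcome does not depend on a real secret."""
    findings = []
    for service, mtype, opts in sample_entries(conf_text):
        if mtype != "auth":
            continue
        if "always_succeed" in opts:
            findings.append((service, "always_succeed returns PAM_SUCCESS"))
        elif not any(o.startswith("passwd=") for o in opts):
            findings.append((service, 'password defaults to "test"'))
        else:
            findings.append((service, "password is stored in pam.conf"))
    return findings

def allowed_users(conf_text, service):
    """Users the account component admits; None if it is not configured."""
    users, seen = {"root"}, False                # root is always permitted
    for svc, mtype, opts in sample_entries(conf_text):
        if svc == service and mtype == "account":
            seen = True
            for opt in opts:
                if opt.startswith("allow="):
                    users.update(u for u in opt[6:].split(",") if u)
    return users if seen else None
```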

SAMPLE Password Management Component
       The SAMPLE Password Management Component function
       (pam_sm_chauthtok(3PAM)) always returns PAM_SUCCESS.

SAMPLE Session Management Component
       The SAMPLE Session Management Component functions
       (pam_sm_open_session(3PAM), pam_sm_close_session(3PAM)) always return
       PAM_SUCCESS.

ATTRIBUTES
       See attributes(5) for description of the following attributes:


       ATTRIBUTE TYPE              ATTRIBUTE VALUE
       MT Level                    MT-Safe with exceptions


SEE ALSO
       pam(3PAM), pam_sm_authenticate(3PAM), pam_sm_chauthtok(3PAM),
       pam_sm_close_session(3PAM), pam_sm_open_session(3PAM),
       pam_sm_setcred(3PAM), libpam(3LIB), pam.conf(4), attributes(5)

NOTES
       The interfaces in  libpam() are MT-Safe only if each thread within  the
       multi-threaded application uses its own  PAM handle.



SunOS 5.10                        28 Oct 1996                    pam_sample(5)