PAM.CONF(5)                 BSD File Formats Manual                PAM.CONF(5)

NAME
     pam.conf -- Pluggable Authentication Modules configuration file

DESCRIPTION
     The pam.conf file specifies how Pluggable Authentication Modules (PAM)
     should operate.  For an overview of the Pluggable Authentication Modules
     framework, see pam(8).

     PAM may be configured using a single /etc/pam.conf configuration file or
     by using multiple configuration files, one for each PAM-aware service,
     located in the /etc/pam.d/ directory.  If /etc/pam.d/ exists,
     /etc/pam.conf will be ignored.  /etc/pam.d/ is the preferred method for
     configuring PAM.

     PAM's configuration is based on "stacking" different modules together to
     form a processing chain for the task.  A standard PAM configuration
     stanza is structured as follows:

	   [service-name] module-type control-flag module-name [options]

     service-name is used only (and is mandatory) in /etc/pam.conf.  It
     specifies the PAM-aware service whose PAM behavior is being configured.
     When /etc/pam.d/ is used, the name of the configuration file specifies
     the service.

     module-type specifies which of the four classes of PAM module
     functionality is being configured.  These four classes are account
     (account management), auth (authentication), password (password
     management), and session (session management).

     control-flag specifies the behavior of the processing chain upon success
     or failure of the PAM module's authentication task.  The following are
     valid values for control-flag:

     binding     If the module succeeds and no earlier module in the chain has
                 failed, the chain is immediately terminated and the request
                 is granted.  If the module fails, the rest of the chain is
                 executed, but the request is ultimately denied.

     requisite   If the module returns success, continue to execute the
                 processing chain.  If the module fails, immediately return
                 the error code from the first `required' failure.

     required    If the module returns success, continue to execute the
                 processing chain.  If the module fails, record as a
                 `required' failure and continue to execute the processing
                 chain.  If there are any `required' failures in the
                 processing chain, the chain will ultimately return failure.

     optional    If the module returns success, continue to execute the
                 processing chain.  If the module fails, record as an
                 `optional' failure and continue to execute the processing
                 chain.

     sufficient  If the module returns success and there have been no recorded
                 `required' failures, immediately return success without
                 calling any subsequent modules in the processing chain.  If
                 the module fails, return as an `optional' failure and
                 continue to execute the processing chain.

     module-name specifies the module to execute for this stanza.  This is
     either an absolute path name or a path name relative to the default
     module location: /usr/lib/security.

     options are additional options that may be specified for the module.
     Refer to the individual modules' documentation for more information on
     available options.

     In addition to the standard configuration stanza format, there is an
     additional stanza format available when /etc/pam.d/ is used:

	   module-type include service-name

     This stanza format provides a simple inheritance model for processing
     chains.

FILES
     /etc/pam.conf  monolithic PAM configuration file
     /etc/pam.d/    PAM service configuration file directory

EXAMPLES
     The following auth processing chain for the "login" service (located in
     /etc/pam.d/login) performs the following tasks: allows the login if the
     old user and new user are the same, verifies that logins are not disabled
     using the /var/run/nologin file, allows Kerberos 5 password
     authentication, and requires standard UNIX password authentication if
     Kerberos 5 failed:

           auth       sufficient      pam_self.so
           auth       required        pam_nologin.so
           auth       sufficient      pam_krb5.so
           auth       required        pam_unix.so
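The control-flag rules from DESCRIPTION and the login chain above, as an added Python simulation that is not part of PAM or of this manual page. The numeric return codes, the rule that a module with no supplied result counts as failing, and the fallback of a failing requisite module to its own error when no `required' failure has been recorded yet are assumptions of this example.

```python
PAM_SUCCESS = 0     # constructed return codes standing in for PAM's real constants
PAM_AUTH_ERR = 7    # (values chosen for illustration only)
# The auth chain from the EXAMPLES section (constructed copy of /etc/pam.d/login).
LOGIN_PAM_D = """\
auth    sufficient  pam_self.so
auth    required    pam_nologin.so
auth    sufficient  pam_krb5.so
auth    required    pam_unix.so
"""

def parse_pam_d(text):
    """Parse /etc/pam.d-style stanzas: module-type control-flag module-name [options]."""
    chain = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue
        if len(fields) < 3:
            raise ValueError("malformed stanza: %r" % line)
        chain.append({"type": fields[0], "flag": fields[1],
                      "module": fields[2], "options": fields[3:]})
    return chain

def run_chain(chain, results, module_type="auth"):
    """Walk one module-type's chain; returns (final code, modules actually called)."""
    called, required_err = [], PAM_SUCCESS   # required_err: first required/binding failure
    for st in chain:
        if st["type"] != module_type:
            continue
        flag, mod = st["flag"], st["module"]
        r = results.get(mod, PAM_AUTH_ERR)     # assumption: no result => the module fails
        called.append(mod)
        if flag in ("binding", "sufficient"):
            if r == PAM_SUCCESS and required_err == PAM_SUCCESS:
                return PAM_SUCCESS, called     # chain terminated, request granted
            if flag == "binding" and r != PAM_SUCCESS and required_err == PAM_SUCCESS:
                required_err = r               # a binding failure counts as a required failure
        elif flag == "requisite":
            if r != PAM_SUCCESS:               # stop now; report the earliest required failure
                return (required_err if required_err != PAM_SUCCESS else r), called
        elif flag == "required":
            if r != PAM_SUCCESS and required_err == PAM_SUCCESS:
                required_err = r
        elif flag != "optional":               # optional failures never change the verdict
            raise ValueError("unsupported control-flag %r" % flag)
    return required_err, called                # any required failure => chain fails

def login_auth(results):
    """Evaluate the example login chain for one set of per-module outcomes."""
    return run_chain(parse_pam_d(LOGIN_PAM_D), results)
```

Note that a recorded `required' failure (pam_nologin.so) is not overridden by a later sufficient success (pam_krb5.so), which is the property that makes the ordering in the example chain matter.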

NOTES
     It is important to note that loading a chain will fail if any of the
     components of the chain fail to load or are not available.  A common
     situation in which this can happen is on a system where components such
     as kerberos(1) or crypto(3) have not been installed.  In that situation
     pam_krb5(8), pam_ksu(8), or pam_ssh(8) might not be present on the
     system.  In order for a chain to load properly, all non-present
     components must be removed from the chain.

SEE ALSO
     login(1), passwd(1), su(1), pam(3), pam(8)

HISTORY
     The pam.conf file format first appeared in NetBSD 3.0.

BSD                             March 17, 2005                             BSD

Want to link to this manual page? Use this URL:
<https://www.freebsd.org/cgi/man.cgi?query=pam.conf&sektion=5&manpath=NetBSD+6.0>