PAM_PEFS(8)		FreeBSD	System Manager's Manual		   PAM_PEFS(8)

     pam_pefs -- pefs PAM module

     [service-name] module-type control-flag pam_pefs [options]

     The pefs authentication service module for PAM, pam_pefs, provides
     functionality for two PAM categories: authentication and session
     management.  In terms of the module-type parameter, they are the "auth"
     and "session"

     The module expects a pefs file system to be mounted on the user's home
     directory and fails otherwise.

   Pefs	Authentication Module
     The pefs authentication component provides a function to verify the
     identity of a user (pam_sm_authenticate()), by prompting the user for a
     passphrase and verifying that it exists in the pefs key chain database.

     The following options may be passed to the authentication module:

     use_first_pass  If the authentication module is not the first in the
                     stack, and a previous module obtained the user's
                     password, that password is used to authenticate the
                     user.  If this fails, the authentication module returns
                     failure without prompting the user for a password.  This
                     option has no effect if the authentication module is the
                     first in the stack, or if no previous modules obtained
                     the user's password.

     try_first_pass  This option is similar to the use_first_pass option,
                     except that if the previously obtained password fails,
                     the user is prompted for another password.

     ignore_missing  Accept any passphrase provided by the user.  This option
                     is used not to authenticate the user, but to preserve
                     keys that should be added to the pefs file system by the
                     session management module.  This option is incompatible
                     with the try_first_pass option and should be used with
                     the use_first_pass option.

     delkeys         Remove keys at the end of the last session.  The module
                     tracks the number of concurrent sessions, removing all
                     keys from the file system when the session count reaches
                     zero.
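
     The option rules above can be checked mechanically.  The following
     Python linter is an added example, not part of pam_pefs; the sample
     policies, their control flags and the pam_unix.so neighbour are
     constructed assumptions.

```python
import os


def check_pam_pefs(policy_text):
    """Lint pam.d-style lines: module-type control-flag module [options].

    Returns (line_number, message) pairs for pam_pefs auth entries whose
    options contradict the option descriptions in this manual page.
    """
    findings = []
    auth_seen = 0  # auth entries (including "include" lines) seen so far
    for num, raw in enumerate(policy_text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # drop comments, then tokenize
        if len(fields) < 3 or fields[0] != "auth":
            continue
        first_in_stack = auth_seen == 0
        auth_seen += 1
        if not os.path.basename(fields[2]).startswith("pam_pefs"):
            continue
        opts = set(fields[3:])
        if "ignore_missing" in opts and "try_first_pass" in opts:
            findings.append((num, "ignore_missing is incompatible with try_first_pass"))
        elif "ignore_missing" in opts and "use_first_pass" not in opts:
            findings.append((num, "ignore_missing should be used with use_first_pass"))
        if first_in_stack and opts & {"use_first_pass", "try_first_pass"}:
            findings.append((num, "first auth module: *_first_pass has no effect"))
    return findings


# Constructed sample policies (not taken from any real system).
BAD = """\
auth  sufficient  pam_pefs.so  ignore_missing try_first_pass
auth  required    pam_unix.so  no_warn
"""
GOOD = """\
auth  required    pam_unix.so  no_warn
auth  optional    pam_pefs.so  use_first_pass ignore_missing
"""

if __name__ == "__main__":
    for name, policy in (("BAD", BAD), ("GOOD", GOOD)):
        print(name, check_pam_pefs(policy))
```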

   Pefs	Session	Management Module
     The pefs session management component provides functions to initiate
     (pam_sm_open_session()) and terminate (pam_sm_close_session()) sessions.
     The pam_sm_open_session() function adds key or key chain decrypted during
     the authentication phase to the pefs file system mounted on user home di-

     $HOME/.pefs.conf  pefs configuration file
     $HOME/.pefs.db    pefs key chain database file

     pam.conf(5), pam(8), pefs(8)

     The pam_pefs module was written by Gleb Kurtsou <>.

     pam_sm_close_session() function doesn't delete keys added during by

FreeBSD	13.0		       December	1, 2009			  FreeBSD 13.0

