
FreeBSD Manual Pages


pam_per_user(5)			Authentication		       pam_per_user(5)

       pam_per_user  -	PAM  module for	calling	per-user authentication	mecha-


       pam_per_user is a shared library which is dynamically loaded into the
       PAM framework.  It allows the authentication mechanism to be selected
       on a per-user basis for PAM-aware applications.

       The pam_per_user	module reads a map file	to determine what mechanism to
       use  for	 the user being	authenticated.	The map	file consists of lines
       of the following	format:

	      [type=]key : service_name

       Text beginning with a '#' is ignored through the	next  newline.	 Blank
       lines and incomplete lines are also ignored.

       The  optional  type  field  indicates what type of match	should be done
       against key.  Supported types are:

       USER   Perform a	simple string comparison of the	key and	the user.

	      If key is	"*", then the entry will be used as a fallback	match.
	      In  other	 words,	pam_per_user will save this entry and continue
	      reading the map file.  If	a later	entry matches, that match will
	      be  returned.   However, if no other entries match, the fallback
	      entry will be used.  This	allows a default mechanism to  be  se-
	      lected for users which are not explicitly	listed.

       GROUP  Checks to	see whether the	user is	a member of group key.

       If  no  type  field is specified	for a given entry, the default type is

       Once the	map file has been read,	pam_per_user creates a new PAM	handle
       using  the  resulting service name.  The	requested PAM function is then
       called and the value is returned	to the caller.	This recursive use  of
       PAM is transparent to the calling application.

       The  following  special tokens can be specified in the map file instead
       of a PAM	service	name.  They cause pam_per_user to return an  immediate
       result without recursively calling PAM:

       @FAIL  Causes pam_per_user to return PAM_AUTH_ERR.

	      Causes pam_per_user to return PAM_SUCCESS.

	      Causes pam_per_user to return PAM_IGNORE.

       The pam_per_user module accepts an optional argument which sets the
       name of the external file that will be read.  If no filename is
       specified, /etc/ will be read.

       Say that you want to use the pam_pseudo module to allow users to su to
       a special pseudo-user account called foo, you want to prevent people
       from su-ing to root, and you want members of the "wheel" group to
       authenticate via radius, but you do not want to modify the behavior
       for other accounts.  To do this, create the file /etc/ with
       the following content:

	      foo : su-pseudo
	      root : @FAIL
	      GROUP=wheel : radius
	      *	: su-default

       Then, rename the	su entries in /etc/pam.conf to su-default and add  the
       following new entries:

              su auth required /usr/local/lib/security/
              su-pseudo auth required /usr/local/lib/security/
              radius auth required /usr/local/lib/security/

       Because	pam_per_user creates a new PAM handle to authenticate the user
       with an alternate service name, it is possible to  create  an  infinite
       loop  by	recursively calling pam_per_user.  No checking is done to pre-
       vent this from happening, so the	administrator must take	care to	 avoid

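       The map-file lookup and the loop hazard described above, as an added example that is not part of this manual page or of the module's own C source: a Python model of the map-file parsing and first-match-with-fallback rule, plus a check an administrator can run over a map to find entries that send a service straight back to itself.  @FAIL comes from the page; the token names @SUCCESS and @IGNORE, treating a bare key as a USER match, and returning None when nothing matches are assumptions, and EXAMPLE_MAP is the example map above.

```python
from typing import Dict, List, Optional, Tuple
# Constructed model of the map-file lookup described in the text; not the module's own code.
# @FAIL is on the page; @SUCCESS and @IGNORE are assumed names for the other two tokens.
SPECIAL_TOKENS: Dict[str, str] = {
    "@FAIL": "PAM_AUTH_ERR", "@SUCCESS": "PAM_SUCCESS", "@IGNORE": "PAM_IGNORE"}

Entry = Tuple[str, str, str]  # (type, key, service_name)

def parse_map(text: str) -> List[Entry]:
    """Parse '[type=]key : service_name' lines; '#' comments, blank and incomplete lines are skipped."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # '#' is ignored through the next newline
        if ":" not in line:
            continue                          # blank or incomplete line
        lhs, service = (p.strip() for p in line.split(":", 1))
        if not lhs or not service:
            continue                          # incomplete line
        if "=" in lhs:
            mtype, key = (p.strip() for p in lhs.split("=", 1))
            mtype = mtype.upper()
        else:
            mtype, key = "USER", lhs          # bare key: user match, as in the example map (assumed default)
        entries.append((mtype, key, service))
    return entries

def resolve(entries: List[Entry], user: str, groups) -> Optional[str]:
    """First matching entry wins; a USER entry with key '*' is saved as the fallback."""
    fallback = None
    for mtype, key, service in entries:
        if mtype == "USER" and key == "*":
            fallback = service                # remember it and keep reading the map
        elif (mtype == "USER" and key == user) or (mtype == "GROUP" and key in groups):
            return service
    return fallback                           # None if nothing matched and there is no '*' entry

def lookup(entries: List[Entry], user: str, groups) -> Optional[Tuple[str, str]]:
    """('result', PAM code) for a special token, ('service', name) for a recursive PAM call."""
    target = resolve(entries, user, groups)
    if target is None:
        return None                           # page does not say what happens here; assumed "no selection"
    if target in SPECIAL_TOKENS:
        return ("result", SPECIAL_TOKENS[target])
    return ("service", target)

def direct_loops(entries: List[Entry], calling_service: str) -> List[Entry]:
    """Admin check: entries whose service name is the caller's own, i.e. an immediate infinite loop."""
    return [e for e in entries if e[2] == calling_service]

EXAMPLE_MAP = "foo : su-pseudo\nroot : @FAIL\nGROUP=wheel : radius\n* : su-default\n"  # constructed
```

Note that root hits the @FAIL entry before the GROUP=wheel entry is considered, even if root is a member of wheel, because the first matching entry wins.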

       pam(3), pam.conf(4)

       Mark D. Roth <>

Feep Networks			   Aug 2005		       pam_per_user(5)

