  • Mention quoting and add a cross-reference to openpam_readword(3), which has a detailed explanation of how the file is parsed.
  • Document the module search path.
  • Warn against include loops.
  • Briefly describe module options which affect libpam itself.
  • Minor markup and formatting improvements.
    31 .Dd November 3, 2011
     31.Dd March 17, 2013
    3232.Dt PAM.CONF 5
    6666field specifying the name of the service they apply to.
    68 In both types of policy files, blank lines are ignored, as is anything
    69 to the right of a
     68In both cases, blank lines and comments introduced by a
    7069.Ql #
    71 sign.
     70sign are ignored, and the normal shell quoting rules apply.
     71The precise details of how the file is tokenized are described in
     72.Xr openpam_readword 3 .
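Review bot: The rewritten sentence at new lines 68-70 puts "the normal shell quoting rules apply" next to the comment rule without saying how the two interact, in particular whether a quoted or escaped # still starts a comment. The removed text stated flatly that anything to the right of a # sign is ignored, so readers of the old page may assume that still holds inside quotes. The cross-reference to openpam_readword(3) carries the details, but a short clause here would spare policy authors from guessing when an option value contains #.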
    7475.Ar facility
    7576field specifies the facility the entry applies to, and is one of:
    76 .Bl -tag -width ".Cm password"
     77.Bl -tag -width 12n
    7778.It Cm auth
    7879Authentication functions
    100101flow of control through (and the final result of) the rest of the
    101102chain, and is one of:
    102 .Bl -tag -width ".Cm sufficient"
     103.Bl -tag -width 12n
    103104.It Cm required
    104105If this module succeeds, the result of the chain will be success
    143144.Ar module-path
    144 field specifies the name, or optionally the full path, of the module
    145 to call.
    146 .Pp
    147 The remaining fields are passed as arguments to the module if and when
    148 it is invoked.
    149 As a special case, if an argument is of the form ``name=value'' and
    150 the right-hand side is surrounded by single or double quotes, any
    151 whitespace between the quote characters will be considered part of the
    152 same argument rather than a separator between this argument and the
    153 next.
     145field specifies the name or full path of the module to call.
     146If only the name is specified, the PAM library will search for it in
     147the following locations:
     148.Bl -enum
     150.Pa /usr/lib
     152.Pa /usr/local/lib
     155The remaining fields, if any, are passed unmodified to the module if
     156and when it is invoked.
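Review bot: The new search-path text (new lines 146-152) lists /usr/lib and /usr/local/lib in an enumerated list but never says that the order is significant or which match is used when a module of the same name exists in both. Please state the lookup order in the sentence that introduces the list, and consider noting that giving the full path removes the ambiguity. Separately, "passed unmodified to the module" at new line 155 reads oddly beside the quoting rules this patch introduces earlier; it is worth saying whether that means the arguments as tokenized or the raw text including quote characters.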
    162165The system-wide policy can then be modified without having to also
    163166modify each and every service-specific policy.
     168.Bf -symbolic
     169Take care not to introduce loops when using
     170.Cm include
     171rules, as there is currently no loop detection in place.
     174Some PAM library functions may alter their behavior when called by a
     175service module if certain module options were specified, regardless of
     176whether the module itself accords them any importance.
     177One such option is
     178.Cm debug ,
     179which causes the dispatcher to enable debugging messages before
     180calling each service function, and disable them afterwards (unless
     181they were already enabled).
     182Other special options include:
     183.Bl -tag -width 12n
     184.It Cm authtok_prompt Ns = Ns Ar prompt , Cm oldauthtok_prompt Ns = Ns Ar prompt , Cm user_prompt Ns = Ns Ar prompt
     185These options can be used to override the prompts used by
     186.Xr pam_get_authtok 3
     188.Xr pam_get_user 3 .
     189.It Cm echo_pass
     190This option controls whether
     191.Xr pam_get_authtok 3
     192will allow the user to see what they are typing.
     193.It Cm try_first_pass , Cm use_first_pass
     194These options control
     195.Xr pam_get_authtok 3 Ns 's
     196use of cached authentication tokens.
    164198.Sh SEE ALSO
    165199.Xr pam 3
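Review bot: In the new module options list, try_first_pass and use_first_pass (new lines 193-196) share a single description, "These options control ... use of cached authentication tokens", which does not say how the two differ, so a reader cannot choose between them from this page. Give each its own sentence or point explicitly to the relevant part of pam_get_authtok(3). The echo_pass entry has the same gap: "controls whether" does not say which behaviour results from specifying the option, which matters because it affects whether the password is visible on screen. Finally, the include warning at new lines 169-171 says there is no loop detection but not what happens when a loop is introduced; one clause on the consequence would make the warning actionable.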
