source-git / pam

Clone
Source Code
GIT

Files

  1.   7e982e56f66b90061d5bf584115f1a5d137a728a
  2.   modules
  3.   pam_succeed_if
  4.   pam_succeed_if.8
Blob Blame History Raw 
'\" t
.\"     Title: pam_succeed_if
.\"    Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
.\"      Date: 05/18/2017
.\"    Manual: Linux-PAM
.\"    Source: Linux-PAM
.\"  Language: English
.\"
.TH "PAM_SUCCEED_IF" "8" "05/18/2017" "Linux-PAM" "Linux\-PAM"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el       .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
pam_succeed_if \- test account characteristics
.SH "SYNOPSIS"
.HP \w'\fBpam_succeed_if\&.so\fR\ 'u
\fBpam_succeed_if\&.so\fR [\fIflag\fR...] [\fIcondition\fR...]
.SH "DESCRIPTION"
.PP
pam_succeed_if\&.so is designed to succeed or fail authentication based on characteristics of the account belonging to the user being authenticated or values of other PAM items\&. One use is to select whether to load other modules based on this test\&.
.PP
The module should be given one or more conditions as module arguments, and authentication will succeed only if all of the conditions are met\&.
.SH "OPTIONS"
.PP
The following
\fIflag\fRs are supported:
.PP
\fBdebug\fR
.RS 4
Turns on debugging messages sent to syslog\&.
.RE
.PP
\fBuse_uid\fR
.RS 4
Evaluate conditions using the account of the user whose UID the application is running under instead of the user being authenticated\&.
.RE
.PP
\fBquiet\fR
.RS 4
Don\*(Aqt log failure or success to the system log\&.
.RE
.PP
\fBquiet_fail\fR
.RS 4
Don\*(Aqt log failure to the system log\&.
.RE
.PP
\fBquiet_success\fR
.RS 4
Don\*(Aqt log success to the system log\&.
.RE
.PP
\fBaudit\fR
.RS 4
Log unknown users to the system log\&.
.RE
.PP
\fICondition\fRs are three words: a field, a test, and a value to test for\&.
.PP
Available fields are
\fIuser\fR,
\fIuid\fR,
\fIgid\fR,
\fIshell\fR,
\fIhome\fR,
\fIruser\fR,
\fIrhost\fR,
\fItty\fR
and
\fIservice\fR:
.PP
\fBfield < number\fR
.RS 4
Field has a value numerically less than number\&.
.RE
.PP
\fBfield <= number\fR
.RS 4
Field has a value numerically less than or equal to number\&.
.RE
.PP
\fBfield eq number\fR
.RS 4
Field has a value numerically equal to number\&.
.RE
.PP
\fBfield >= number\fR
.RS 4
Field has a value numerically greater than or equal to number\&.
.RE
.PP
\fBfield > number\fR
.RS 4
Field has a value numerically greater than number\&.
.RE
.PP
\fBfield ne number\fR
.RS 4
Field has a value numerically different from number\&.
.RE
.PP
\fBfield = string\fR
.RS 4
Field exactly matches the given string\&.
.RE
.PP
\fBfield != string\fR
.RS 4
Field does not match the given string\&.
.RE
.PP
\fBfield =~ glob\fR
.RS 4
Field matches the given glob\&.
.RE
.PP
\fBfield !~ glob\fR
.RS 4
Field does not match the given glob\&.
.RE
.PP
\fBfield in item:item:\&.\&.\&.\fR
.RS 4
Field is contained in the list of items separated by colons\&.
.RE
.PP
\fBfield notin item:item:\&.\&.\&.\fR
.RS 4
Field is not contained in the list of items separated by colons\&.
.RE
.PP
\fBuser ingroup group\fR
.RS 4
User is in given group\&.
.RE
.PP
\fBuser notingroup group\fR
.RS 4
User is not in given group\&.
.RE
.PP
\fBuser innetgr netgroup\fR
.RS 4
(user,host) is in given netgroup\&.
.RE
.PP
\fBuser notinnetgr group\fR
.RS 4
(user,host) is not in given netgroup\&.
.RE
.SH "MODULE TYPES PROVIDED"
.PP
All module types (\fBaccount\fR,
\fBauth\fR,
\fBpassword\fR
and
\fBsession\fR) are provided\&.
.SH "RETURN VALUES"
.PP
PAM_SUCCESS
.RS 4
The condition was true\&.
.RE
.PP
PAM_AUTH_ERR
.RS 4
The condition was false\&.
.RE
.PP
PAM_SERVICE_ERR
.RS 4
A service error occurred or the arguments can\*(Aqt be parsed correctly\&.
.RE
.SH "EXAMPLES"
.PP
To emulate the behaviour of
\fIpam_wheel\fR, except there is no fallback to group 0:
.sp
.if n \{\
.RS 4
.\}
.nf
auth required pam_succeed_if\&.so quiet user ingroup wheel
    
.fi
.if n \{\
.RE
.\}
.PP
Given that the type matches, only loads the othermodule rule if the UID is over 500\&. Adjust the number after default to skip several rules\&.
.sp
.if n \{\
.RS 4
.\}
.nf
type [default=1 success=ignore] pam_succeed_if\&.so quiet uid > 500
type required othermodule\&.so arguments\&.\&.\&.
    
.fi
.if n \{\
.RE
.\}
.SH "SEE ALSO"
.PP
\fBglob\fR(7),
\fBpam\fR(8)
.SH "AUTHOR"
.PP
Nalin Dahyabhai <nalin@redhat\&.com>

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation