pam_localuser(8) [centos man page]

PAM_LOCALUSER(8)						 Linux-PAM Manual						  PAM_LOCALUSER(8)

NAME

       pam_localuser - require users to be listed in /etc/passwd

SYNOPSIS

       pam_localuser.so [debug] [file=/path/passwd]

DESCRIPTION

       pam_localuser is a PAM module to help implementing site-wide login policies, where they typically include a subset of the network's users
       and a few accounts that are local to a particular workstation. Using pam_localuser and pam_wheel or pam_listfile is an effective way to
       restrict access to either local users and/or a subset of the network's users.

       This could also be implemented using pam_listfile.so and a very short awk script invoked by cron, but it's common enough to have been
       separated out.

OPTIONS

       debug
	   Print debug information.

       file=/path/passwd
	   Use a file other than /etc/passwd.

MODULE TYPES PROVIDED

       All module types (account, auth, password and session) are provided.

RETURN VALUES

       PAM_SUCCESS
	   The new localuser was set successfully.

       PAM_SERVICE_ERR
	   No username was given.

       PAM_USER_UNKNOWN
	   User not known.

EXAMPLES

       Add the following line to /etc/pam.d/su to allow only local users in group wheel to use su.

	   account sufficient pam_localuser.so
	   account required pam_wheel.so

FILES

       /etc/passwd
	   Local user account information.

SEE ALSO

       pam.conf(5), pam.d(5), pam(8)

AUTHOR

       pam_localuser was written by Nalin Dahyabhai <nalin@redhat.com>.

Linux-PAM Manual						    09/19/2013							  PAM_LOCALUSER(8)

PAM_WHEEL(8)							 Linux-PAM Manual						      PAM_WHEEL(8)

NAME

       pam_wheel - Only permit root access to members of group wheel

SYNOPSIS

       pam_wheel.so [debug] [deny] [group=name] [root_only] [trust]

DESCRIPTION

       The pam_wheel PAM module is used to enforce the so-called wheel group. By default it permits root access to the system if the applicant
       user is a member of the wheel group. If no group with this name exist, the module is using the group with the group-ID 0.

OPTIONS

       debug
	   Print debug information.

       deny
	   Reverse the sense of the auth operation: if the user is trying to get UID 0 access and is a member of the wheel group (or the group of
	   the group option), deny access. Conversely, if the user is not in the group, return PAM_IGNORE (unless trust was also specified, in
	   which case we return PAM_SUCCESS).

       group=name
	   Instead of checking the wheel or GID 0 groups, use the name group to perform the authentication.

       root_only
	   The check for wheel membership is done only.

       trust
	   The pam_wheel module will return PAM_SUCCESS instead of PAM_IGNORE if the user is a member of the wheel group (thus with a little play
	   stacking the modules the wheel members may be able to su to root without being prompted for a passwd).

MODULE TYPES PROVIDED

       The auth and account module types are provided.

RETURN VALUES

       PAM_AUTH_ERR
	   Authentication failure.

       PAM_BUF_ERR
	   Memory buffer error.

       PAM_IGNORE
	   The return value should be ignored by PAM dispatch.

       PAM_PERM_DENY
	   Permission denied.

       PAM_SERVICE_ERR
	   Cannot determine the user name.

       PAM_SUCCESS
	   Success.

       PAM_USER_UNKNOWN
	   User not known.

EXAMPLES

       The root account gains access by default (rootok), only wheel members can become root (wheel) but Unix authenticate non-root applicants.

	   su	   auth     sufficient	   pam_rootok.so
	   su	   auth     required	   pam_wheel.so
	   su	   auth     required	   pam_unix.so

SEE ALSO

       pam.conf(5), pam.d(5), pam(7)

AUTHOR

       pam_wheel was written by Cristian Gafton <gafton@redhat.com>.

Linux-PAM Manual						    05/31/2011							      PAM_WHEEL(8)