pam-script(7) [debian man page]

PAM-SCRIPT(7)						 Miscellaneous Information Manual					     PAM-SCRIPT(7)

NAME
       pam-script - a PAM module that can invoke scripts within the PAM stack.

SYNOPSIS
       pam-script.so [onerr=(success|fail)][dir=/some/path/]

DESCRIPTION
       pam-script allows you to execute scripts during authorization, passwd changes, and on session opening or closing. Such scripts can perform necessary tasks or influence the outcome of the PAM stack.

       For example, if the following entry was included in pam.conf

              sshd auth required pam_script

       then if the script, pam_script_auth, exits with a non-zero value this would cause the user to be denied SSH access to the machine.

OPTIONS
       A summary of options is included below.

       onerr=(success|fail)
              the default behavior if the module can not find or execute the script. The default is to fail if the option is not given.

       dir=/some/path/
              where to find the pam-scripts to invoke for each of the various module-types as described below. The default is dir=/usr/share/libpam-script if not given.

   List of scripts
       pam_script_auth
              Executed under auth which handles the authentication stage of establishing the user via some challenge-response (i.e. username/password)

       pam_script_acct
              invoked under account module-type for non-authentication based account management.

       pam_script_passwd
              invoked under passwd for changing the password tokens.

       pam_script_ses_open
              invoked when a session is first opened.

       pam_script_ses_close
              run after a session is first closed.

       All the scripts will be passed several environment variables: PAM_USER, PAM_RUSER, PAM_RHOST, PAM_SERVICE, PAM_AUTHTOK, PAM_TTY, and PAM_TYPE referring to the module-type.

       The pam_script.so arguments in the pam.conf will be passed on the command line, which can be used to modify the script behavior.

FILES
       /lib/security/pam_script.so - the PAM module
       /usr/share/libpam-script - where the scripts should be placed by default

VERSION
       pam-script 1.1.5

SEE ALSO
       PAM(7) and the PAM "The System Administrators' Guide"

AUTHOR
       pam-script was written by Jeroen Nijhof <jeroen@jeroennijhof.nl> with some additions and modifications by R.K. Owen, Ph.D. <rkowen@nersc.gov>.

       This manual page was written by R.K. Owen <rkowen@nersc.gov>, for the Debian project (but may be used by others).

								  August 22, 2007						     PAM-SCRIPT(7)
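
Added example (not part of this manual page or of the pam-script distribution): a pam_script_auth for the "sshd auth required pam_script" entry above that validates the client-supplied PAM_USER, denies by default, and keeps PAM_AUTHTOK out of child processes and logs. The allowlist ALLOWED_USERS, the function name pam_auth_decide, the permitted username characters and the policy itself are constructed for illustration.

```sh
#!/bin/sh
# Added example: pam_script_auth for the entry "sshd auth required pam_script".
# ALLOWED_USERS, pam_auth_decide and the policy are constructed for illustration.

# This policy never needs the password, so drop it before anything else runs.
unset PAM_AUTHTOK

ALLOWED_USERS="alice bob"   # constructed sample allowlist

# Return 0 to let the stack continue, non-zero to deny the login.
pam_auth_decide() {
    # PAM_USER comes from the connecting client: validate before using it.
    case "${PAM_USER:-}" in
        ''|*[!a-z0-9_-]*) return 1 ;;   # empty, or characters outside the set
    esac
    # Refuse to answer for any service other than the one this was written for.
    [ "${PAM_SERVICE:-}" = "sshd" ] || return 1
    for u in $ALLOWED_USERS; do
        [ "$u" = "$PAM_USER" ] && return 0
    done
    return 1   # default deny
}

# Act only when installed under the name the module looks for.
case "${0##*/}" in
    pam_script_auth)
        PATH=/usr/sbin:/usr/bin:/sbin:/bin; export PATH
        pam_auth_decide && exit 0
        # Log the denial without the password; strip odd bytes from the host.
        rhost=$(printf '%s' "${PAM_RHOST:-}" | tr -cd 'A-Za-z0-9.:_-')
        logger -p auth.notice -t pam_script_auth "denied rhost=$rhost" || true
        exit 1
        ;;
esac
```

Because onerr defaults to fail, a missing or non-executable copy of this script in the dir= directory also denies the login rather than silently allowing it.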

Check Out this Related Man Page

pam_allow(5)						Standards, Environments, and Macros					      pam_allow(5)

NAME
       pam_allow - PAM authentication, account, session and password management PAM module to allow operations

SYNOPSIS
       pam_allow.so.1

DESCRIPTION
       The pam_allow module implements all the PAM service module functions and returns PAM_SUCCESS for all calls. Opposite functionality is available in the pam_deny(5) module.

       Proper Solaris authentication operation requires pam_unix_cred(5) be stacked above pam_allow.

       The following options are interpreted:

       debug
              Provides syslog(3C) debugging information at the LOG_AUTH | LOG_DEBUG level.

ERRORS
       PAM_SUCCESS is always returned.

EXAMPLES
       Example 1 Allowing ssh none

       The following example is a pam.conf fragment that illustrates a sample for allowing ssh none authentication:

              sshd-none auth     required   pam_unix_cred.so.1
              sshd-none auth     sufficient pam_allow.so.1
              sshd-none account  sufficient pam_allow.so.1
              sshd-none session  sufficient pam_allow.so.1
              sshd-none password sufficient pam_allow.so.1

       Example 2 Allowing Kiosk Automatic Login Service

       The following example is a pam.conf fragment that illustrates a sample for allowing gdm kiosk auto login:

              gdm-autologin auth required   pam_unix_cred.so.1
              gdm-autologin auth sufficient pam_allow.so.1

ATTRIBUTES
       See attributes(5) for descriptions of the following attributes:

       +-----------------------------+-----------------------------+
       |       ATTRIBUTE TYPE        |       ATTRIBUTE VALUE       |
       +-----------------------------+-----------------------------+
       |Interface Stability          |Stable                       |
       +-----------------------------+-----------------------------+
       |MT Level                     |MT-Safe with exceptions      |
       +-----------------------------+-----------------------------+

SEE ALSO
       libpam(3LIB), pam(3PAM), pam_sm(3PAM), syslog(3C), pam.conf(4), attributes(5), pam_deny(5), pam_unix_cred(5)

NOTES
       The interfaces in libpam(3LIB) are MT-Safe only if each thread within the multi-threaded application uses its own PAM handle.

       This module is intended to be used to either allow access to specific service names, or to all service names not specified (by specifying it as the default service stack).

SunOS 5.11							    25 Aug 2005 						      pam_allow(5)