pam-auth-update(8) [linux man page]
PAM-AUTH-UPDATE(8) System Manager's Manual PAM-AUTH-UPDATE(8) NAME
pam-auth-update - manage PAM configuration using packaged profiles SYNOPSIS
pam-auth-update [--package [--remove profile [profile...]]] [--force] DESCRIPTION
pam-auth-update is a utility that permits configuring the central authentication policy for the system using pre-defined profiles as sup- plied by PAM module packages. Profiles shipped in the /usr/share/pam-configs/ directory specify the modules, with options, to enable; the preferred ordering with respect to other profiles; and whether a profile should be enabled by default. Packages providing PAM modules reg- ister their profiles at install time by calling pam-auth-update --package. Selection of profiles is done using the standard debconf inter- face. The profile selection question will be asked at `medium' priority when packages are added or removed, so no user interaction is required by default. Users may invoke pam-auth-update directly to change their authentication configuration. The script makes every effort to respect local changes to /etc/pam.d/common-*. Local modifications to the list of module options will be preserved, and additions of modules within the managed portion of the stack will cause pam-auth-update to treat the config files as locally modified and not make further changes to the config files unless given the --force option. If the user specifies that pam-auth-update should override local configuration changes, the locally-modified files will be saved in /etc/pam.d/ with a suffix of .pam-old. OPTIONS
--package Indicate that the caller is a package maintainer script; lowers the priority of debconf questions to `medium' so that the user is not prompted by default. --remove profile [profile...] Remove the specified profiles from the system configuration. pam-auth-update --remove should be used to remove profiles from the configuration before the modules they reference are removed from disk, to ensure that PAM is in a consistent and usable state at all times during package upgrades or removals. --force Overwrite the current PAM configuration, without prompting. This option must not be used by package maintainer scripts; it is intended for use by administrators only. FILES
/etc/pam.d/common-* Global configuration of PAM, affecting all installed services. /usr/share/pam-configs/ Package-supplied authentication profiles. AUTHOR
Steve Langasek <steve.langasek@canonical.com> COPYRIGHT
Copyright (C) 2008 Canonical Ltd. SEE ALSO
PAM(7), pam.d(5), debconf(7) Debian 08/23/2008 PAM-AUTH-UPDATE(8)
Check Out this Related Man Page
pam_user.conf(4) Kernel Interfaces Manual pam_user.conf(4) NAME
pam_user.conf - user configuration file for pluggable authentication modules SYNOPSIS
DESCRIPTION
is the user configuration file for the Pluggable Authentication Module architecture, or PAM. It is not designed to replace the PAM system configuration file, For PAM to work properly, is mandatory (see pam.conf(4)). is optional. It is used only when a user basis configura- tion is needed. It mainly specifies options to be used by service modules on a user basis. The options defined in indicate the default for users who are not configured in or if the module type is not configured for some users. For the configuration in to take effect, needs to configure service module (see pam.conf(4)). Simplified pam_user.conf Configuration File The file contains a listing of login names. Each login name is paired with a corresponding service module with or without options speci- fied. Each entry has the following format: login_name module_type module_path options Below is an example of the configuration file. tom auth /usr/lib/security/$ISA/libpam_unix.so.1 debug use_psd tom auth /usr/lib/security/$ISA/libpam_dce.so.1 use_first_pass tom account /usr/lib/security/$ISA/libpam_unix.so.1 use_psd tom account /usr/lib/security/$ISA/libpam_dce.so.1 try_first_pass susan auth /usr/lib/security/$ISA/libpam_unix.so.1 susan auth /usr/lib/security/$ISA/libpam_dce.so.1 try_first_pass The login_name denotes the login name of a user (for example, For detailed information on module_type, module_path, and options, see pam.conf(4). The first entry indicates that when the UNIX authentication is invoked for the options and will be used. The second entry indicates that when the DCE authentication is invoked for the option will be used. The module type is not configured for therefore, the options will take effect. For those users who are not configured, the options apply. Notes If an error is found in an entry due to invalid login_name or module_type, then the entry is ignored. If there are no valid entries for the given module_type, the PAM framework ignores and reads the configuration in EXAMPLES
The following is a sample configuration file. Lines that begin with the symbol are treated as comments, and therefore ignored. # # PAM user configuration # # Authentication management john auth /usr/lib/security/$ISA/libpam_unix.so.1 john auth /usr/lib/security/$ISA/libpam_inhouse.so.1 try_first_pass david auth /usr/lib/security/$ISA/libpam_unix.so.1 use_psd david auth /usr/lib/security/$ISA/libpam_inhouse.so.1 try_first_pass susan auth /usr/lib/security/$ISA/libpam_unix.so.1 use_psd susan auth /usr/lib/security/$ISA/libpam_inhouse.so.1 try_first_pass # Password management john password /usr/lib/security/$ISA/libpam_unix.so.1 david password /usr/lib/security/$ISA/libpam_unix.so.1 use_psd susan password /usr/lib/security/$ISA/libpam_unix.so.1 use_psd SEE ALSO
pam(3), pam.conf(4). pam_user.conf(4)