X7ROOT File Manager
Current Path:
/usr/share/doc/pam-1.1.8/html
usr
/
share
/
doc
/
pam-1.1.8
/
html
/
π
..
π
Linux-PAM_SAG.html
(8.98 KB)
π
sag-author.html
(3.04 KB)
π
sag-configuration-directory.html
(2.89 KB)
π
sag-configuration-example.html
(5.39 KB)
π
sag-configuration-file.html
(17.11 KB)
π
sag-configuration.html
(2.99 KB)
π
sag-copyright.html
(3.53 KB)
π
sag-introduction.html
(4.34 KB)
π
sag-module-reference.html
(37.26 KB)
π
sag-overview.html
(7.81 KB)
π
sag-pam_access.html
(17.54 KB)
π
sag-pam_cracklib.html
(19.79 KB)
π
sag-pam_debug.html
(7.9 KB)
π
sag-pam_deny.html
(4.59 KB)
π
sag-pam_echo.html
(5.62 KB)
π
sag-pam_env.html
(11.58 KB)
π
sag-pam_exec.html
(8.17 KB)
π
sag-pam_faildelay.html
(4.48 KB)
π
sag-pam_filter.html
(9.12 KB)
π
sag-pam_ftp.html
(6.06 KB)
π
sag-pam_group.html
(9.86 KB)
π
sag-pam_issue.html
(6.23 KB)
π
sag-pam_keyinit.html
(6.85 KB)
π
sag-pam_lastlog.html
(7.89 KB)
π
sag-pam_limits.html
(17.51 KB)
π
sag-pam_listfile.html
(10.29 KB)
π
sag-pam_localuser.html
(5.28 KB)
π
sag-pam_loginuid.html
(5.08 KB)
π
sag-pam_mail.html
(7.58 KB)
π
sag-pam_mkhomedir.html
(6.05 KB)
π
sag-pam_motd.html
(4.19 KB)
π
sag-pam_namespace.html
(19.79 KB)
π
sag-pam_nologin.html
(5.21 KB)
π
sag-pam_permit.html
(4.2 KB)
π
sag-pam_pwhistory.html
(7.63 KB)
π
sag-pam_rhosts.html
(6.25 KB)
π
sag-pam_rootok.html
(4.99 KB)
π
sag-pam_securetty.html
(6.33 KB)
π
sag-pam_selinux.html
(8.12 KB)
π
sag-pam_shells.html
(4.16 KB)
π
sag-pam_succeed_if.html
(8.94 KB)
π
sag-pam_tally.html
(13.68 KB)
π
sag-pam_tally2.html
(14.6 KB)
π
sag-pam_time.html
(9.5 KB)
π
sag-pam_timestamp.html
(6.28 KB)
π
sag-pam_umask.html
(6.17 KB)
π
sag-pam_unix.html
(14.29 KB)
π
sag-pam_userdb.html
(8.29 KB)
π
sag-pam_warn.html
(4.46 KB)
π
sag-pam_wheel.html
(7.01 KB)
π
sag-pam_xauth.html
(8.22 KB)
π
sag-security-issues-other.html
(2.92 KB)
π
sag-security-issues-wrong.html
(2.89 KB)
π
sag-security-issues.html
(2.11 KB)
π
sag-see-also.html
(2.23 KB)
π
sag-text-conventions.html
(3.11 KB)
Editing: sag-pam_listfile.html
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>6.16.Β pam_listfile - deny or allow services based on an arbitrary file</title><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"><link rel="home" href="Linux-PAM_SAG.html" title="The Linux-PAM System Administrators' Guide"><link rel="up" href="sag-module-reference.html" title="ChapterΒ 6.Β A reference guide for available modules"><link rel="prev" href="sag-pam_limits.html" title="6.15.Β pam_limits - limit resources"><link rel="next" href="sag-pam_localuser.html" title="6.17.Β pam_localuser - require users to be listed in /etc/passwd"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">6.16.Β pam_listfile - deny or allow services based on an arbitrary file</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="sag-pam_limits.html">Prev</a>Β </td><th width="60%" align="center">ChapterΒ 6.Β A reference guide for available modules</th><td width="20%" align="right">Β <a accesskey="n" href="sag-pam_localuser.html">Next</a></td></tr></table><hr></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="sag-pam_listfile"></a>6.16.Β pam_listfile - deny or allow services based on an arbitrary file</h2></div></div></div><div class="cmdsynopsis"><p><code class="command">pam_listfile.so</code> item=[tty|user|rhost|ruser|group|shell] sense=[allow|deny] file=<em class="replaceable"><code>/path/filename</code></em> onerr=[succeed|fail] [ apply=[<em class="replaceable"><code>user</code></em>|<em class="replaceable"><code>@group</code></em>] ] [ quiet ]</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_listfile-description"></a>6.16.1.Β DESCRIPTION</h3></div></div></div><p> pam_listfile is a PAM module which provides a way to deny or allow services based on an arbitrary file. </p><p> The module gets the <code class="option">item</code> of the type specified -- <span class="emphasis"><em>user</em></span> specifies the username, <span class="emphasis"><em>PAM_USER</em></span>; tty specifies the name of the terminal over which the request has been made, <span class="emphasis"><em>PAM_TTY</em></span>; rhost specifies the name of the remote host (if any) from which the request was made, <span class="emphasis"><em>PAM_RHOST</em></span>; and ruser specifies the name of the remote user (if available) who made the request, <span class="emphasis"><em>PAM_RUSER</em></span> -- and looks for an instance of that item in the <code class="option">file=<em class="replaceable"><code>filename</code></em></code>. <code class="filename">filename</code> contains one line per item listed. If the item is found, then if <code class="option">sense=<em class="replaceable"><code>allow</code></em></code>, <span class="emphasis"><em>PAM_SUCCESS</em></span> is returned, causing the authorization request to succeed; else if <code class="option">sense=<em class="replaceable"><code>deny</code></em></code>, <span class="emphasis"><em>PAM_AUTH_ERR</em></span> is returned, causing the authorization request to fail. </p><p> If an error is encountered (for instance, if <code class="filename">filename</code> does not exist, or a poorly-constructed argument is encountered), then if <span class="emphasis"><em>onerr=succeed</em></span>, <span class="emphasis"><em>PAM_SUCCESS</em></span> is returned, otherwise if <span class="emphasis"><em>onerr=fail</em></span>, <span class="emphasis"><em>PAM_AUTH_ERR</em></span> or <span class="emphasis"><em>PAM_SERVICE_ERR</em></span> (as appropriate) will be returned. </p><p> An additional argument, <code class="option">apply=</code>, can be used to restrict the application of the above to a specific user (<code class="option">apply=<em class="replaceable"><code>username</code></em></code>) or a given group (<code class="option">apply=<em class="replaceable"><code>@groupname</code></em></code>). This added restriction is only meaningful when used with the <span class="emphasis"><em>tty</em></span>, <span class="emphasis"><em>rhost</em></span> and <span class="emphasis"><em>shell</em></span> items. </p><p> Besides this last one, all arguments should be specified; do not count on any default behavior. </p><p> No credentials are awarded by this module. </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_listfile-options"></a>6.16.2.Β OPTIONS</h3></div></div></div><p> </p><div class="variablelist"><dl class="variablelist"><dt><span class="term"> <code class="option">item=[tty|user|rhost|ruser|group|shell]</code> </span></dt><dd><p> What is listed in the file and should be checked for. </p></dd><dt><span class="term"> <code class="option">sense=[allow|deny]</code> </span></dt><dd><p> Action to take if found in file, if the item is NOT found in the file, then the opposite action is requested. </p></dd><dt><span class="term"> <code class="option">file=<em class="replaceable"><code>/path/filename</code></em></code> </span></dt><dd><p> File containing one item per line. The file needs to be a plain file and not world writable. </p></dd><dt><span class="term"> <code class="option">onerr=[succeed|fail]</code> </span></dt><dd><p> What to do if something weird happens like being unable to open the file. </p></dd><dt><span class="term"> <code class="option">apply=[<em class="replaceable"><code>user</code></em>|<em class="replaceable"><code>@group</code></em>]</code> </span></dt><dd><p> Restrict the user class for which the restriction apply. Note that with <code class="option">item=[user|ruser|group]</code> this does not make sense, but for <code class="option">item=[tty|rhost|shell]</code> it have a meaning. </p></dd><dt><span class="term"> <code class="option">quiet</code> </span></dt><dd><p> Do not treat service refusals or missing list files as errors that need to be logged. </p></dd></dl></div><p> </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_listfile-types"></a>6.16.3.Β MODULE TYPES PROVIDED</h3></div></div></div><p> All module types (<code class="option">auth</code>, <code class="option">account</code>, <code class="option">password</code> and <code class="option">session</code>) are provided. </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_listfile-return_values"></a>6.16.4.Β RETURN VALUES</h3></div></div></div><p> </p><div class="variablelist"><dl class="variablelist"><dt><span class="term">PAM_AUTH_ERR</span></dt><dd><p>Authentication failure.</p></dd><dt><span class="term">PAM_BUF_ERR</span></dt><dd><p> Memory buffer error. </p></dd><dt><span class="term">PAM_IGNORE</span></dt><dd><p> The rule does not apply to the <code class="option">apply</code> option. </p></dd><dt><span class="term">PAM_SERVICE_ERR</span></dt><dd><p> Error in service module. </p></dd><dt><span class="term">PAM_SUCCESS</span></dt><dd><p> Success. </p></dd></dl></div><p> </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_listfile-examples"></a>6.16.5.Β EXAMPLES</h3></div></div></div><p> Classic 'ftpusers' authentication can be implemented with this entry in <code class="filename">/etc/pam.d/ftpd</code>: </p><pre class="programlisting"> # # deny ftp-access to users listed in the /etc/ftpusers file # auth required pam_listfile.so \ onerr=succeed item=user sense=deny file=/etc/ftpusers </pre><p> Note, users listed in <code class="filename">/etc/ftpusers</code> file are (counterintuitively) <span class="emphasis"><em>not</em></span> allowed access to the ftp service. </p><p> To allow login access only for certain users, you can use a <code class="filename">/etc/pam.d/login</code> entry like this: </p><pre class="programlisting"> # # permit login to users listed in /etc/loginusers # auth required pam_listfile.so \ onerr=fail item=user sense=allow file=/etc/loginusers </pre><p> For this example to work, all users who are allowed to use the login service should be listed in the file <code class="filename">/etc/loginusers</code>. Unless you are explicitly trying to lock out root, make sure that when you do this, you leave a way for root to log in, either by listing root in <code class="filename">/etc/loginusers</code>, or by listing a user who is able to <span class="emphasis"><em>su</em></span> to the root account. </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="sag-pam_listfile-author"></a>6.16.6.Β AUTHOR</h3></div></div></div><p> pam_listfile was written by Michael K. Johnson <johnsonm@redhat.com> and Elliot Lee <sopwith@cuc.edu>. </p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="sag-pam_limits.html">Prev</a>Β </td><td width="20%" align="center"><a accesskey="u" href="sag-module-reference.html">Up</a></td><td width="40%" align="right">Β <a accesskey="n" href="sag-pam_localuser.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">6.15.Β pam_limits - limit resourcesΒ </td><td width="20%" align="center"><a accesskey="h" href="Linux-PAM_SAG.html">Home</a></td><td width="40%" align="right" valign="top">Β 6.17.Β pam_localuser - require users to be listed in /etc/passwd</td></tr></table></div></body></html>
Upload File
Create Folder