pam_console(8)            System Administrator's Manual            pam_console(8)

NAME
       pam_console - determine user owning the system console

SYNOPSIS
       session optional pam_console.so
       auth required pam_console.so

DESCRIPTION
       pam_console.so is designed to give users at the physical console
       (virtual terminals and local xdm-managed X sessions by default, but
       that is configurable) capabilities that they would not otherwise have,
       and to take those capabilities away when they are no longer logged in
       at the console. It provides two main kinds of capabilities: file
       permissions and authentication.

       When a user logs in at the console and no other user is currently
       logged in at the console, pam_console.so will run handler programs
       specified in the file /etc/security/console.handlers such as
       pam_console_apply, which changes permissions and ownership of files as
       described in the file /etc/security/console.perms. That user may then
       log in on other terminals that are considered part of the console, and
       as long as the user is still logged in at any one of those terminals,
       that user will own those devices. When the user logs out of the last
       terminal, the console may be taken by the next user to log in. Other
       users who have logged in at the console during the time that the first
       user was logged in will not be given ownership of the devices unless
       they log in on one of the terminals; having done so on any one
       terminal, the next user will own those devices until he or she has
       logged out of every terminal that is part of the physical console. Then
       the race can start for the next user. In practice, this is not a
       problem; the physical console is not generally in use by many people at
       the same time, and pam_console.so just tries to do the right thing in
       weird cases.

       When an application attempts to authenticate a user who is already
       logged in at the console, pam_console.so checks whether a file with the
       same name as the application's service name exists in the
       /etc/security/console.apps/ directory; if it does, authentication
       succeeds. This way pam_console may be used to run some system
       applications (reboots, config tools) without the root password, or to
       ask for the user's password only at the first login to the system.

ARGUMENTS
       debug  turns on debugging

       allow_nonroot_tty
              gain console locks and change permissions even if the TTY's
              owner is not root.

       handlersfile=filename
              tells pam_console.so to get the list of the handlers from a
              different file than /etc/security/console.handlers

EXAMPLES
       /etc/pam.d/some-system-tool:
              auth sufficient pam_rootok.so
              auth required pam_console.so

       /etc/pam.d/some-login-service:
              auth sufficient pam_console.so
              auth required pam_unix.so
              session required pam_unix.so
              session optional pam_console.so

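       To see which services on a host can authenticate a console user this way, the
       following audit script (an added example, not part of pam_console or this manual)
       parses pam.d-style files for pam_console.so in the auth stack and reports whether a
       matching console.apps entry exists; the directory tree it builds is constructed sample
       data, and the handling of bracketed control values is an assumption about general PAM
       syntax rather than anything this page states.

```python
"""Audit which PAM services route "auth" through pam_console.so (added example)."""
import os
import tempfile

def parse_pam_lines(text):
    """Yield (type, control, module) from pam.d text; skips comments, blanks and @include."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        # Bracketed controls such as "[success=1 default=ignore]" span several fields.
        if len(fields) > 1 and fields[1].startswith("["):
            end = next(i for i, f in enumerate(fields) if f.endswith("]"))
            fields = [fields[0], " ".join(fields[1:end + 1])] + fields[end + 1:]
        if len(fields) < 3 or fields[0].startswith("@"):
            continue
        yield fields[0].lower(), fields[1].lower(), os.path.basename(fields[2])

def audit_console_auth(pam_dir, apps_dir):
    """Map service -> (control, allowlisted) for every service whose auth stack names
    pam_console.so; allowlisted is True when apps_dir/<service> exists, which is the
    condition under which pam_console.so reports success for that service."""
    findings = {}
    for service in sorted(os.listdir(pam_dir)):
        with open(os.path.join(pam_dir, service)) as fh:
            for mtype, control, module in parse_pam_lines(fh.read()):
                if mtype == "auth" and module == "pam_console.so":
                    findings[service] = (control, os.path.isfile(os.path.join(apps_dir, service)))
    return findings

def build_sample_tree():
    """Construct a throwaway pam.d/console.apps layout (constructed sample data)."""
    root = tempfile.mkdtemp()
    pam_dir, apps_dir = os.path.join(root, "pam.d"), os.path.join(root, "console.apps")
    os.makedirs(pam_dir)
    os.makedirs(apps_dir)
    samples = {  # the two EXAMPLES stacks plus one service that never consults pam_console
        "some-system-tool": "auth sufficient pam_rootok.so\nauth required pam_console.so\n",
        "some-login-service": "auth sufficient pam_console.so\nauth required pam_unix.so\n"
                              "session required pam_unix.so\nsession optional pam_console.so\n",
        "sshd": "auth [success=1 default=ignore] pam_unix.so\nsession required pam_unix.so\n",
    }
    for name, body in samples.items():
        with open(os.path.join(pam_dir, name), "w") as fh:
            fh.write(body)
    open(os.path.join(apps_dir, "some-system-tool"), "w").close()  # only this one is allowlisted
    return pam_dir, apps_dir

if __name__ == "__main__":
    pam_dir, apps_dir = build_sample_tree()
    for svc, (control, ok) in audit_console_auth(pam_dir, apps_dir).items():
        print(f"{svc}: auth {control} pam_console.so; console.apps entry: {'yes' if ok else 'no'}")
```

       On a real host, point audit_console_auth at /etc/pam.d and /etc/security/console.apps
       instead of the sample tree.
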
FILES
       /var/run/console/
       /var/run/console/console.lock
       /etc/security/console.apps
       /etc/security/console.handlers

SECURITY NOTES
       When pam_console "auth" is used for login services that also allow
       remote logins, it is necessary to make sure the application correctly
       sets PAM_RHOST, or to deny remote logins completely. Currently,
       /bin/login (invoked from telnetd) and gdm are OK; others may not be.

SEE ALSO
       console.perms(5)
       console.apps(5)
       console.handlers(5)
       pam_console_apply(8)
       /usr/share/doc/pam*/html/index.html

BUGS
       Let's hope not, but if you find any, please report them via the "Bug
       Track" link at http://bugzilla.redhat.com/bugzilla/

AUTHOR
       Michael K. Johnson <johnsonm@redhat.com>
       Support of console.handlers and other improvements by Tomas Mraz
       <tmraz@redhat.com>



Red Hat                           2005/10/4                         pam_console(8)