1PAM_ABL(1) User Commands PAM_ABL(1)
2
3
4
6 pam_abl - query or purge the databases used by the pam_abl module.
7
9 pam_abl [OPTION] [CONFIG]
10
12 Provides a non-pam interface to the infomration stored in the pam_abl
13 module databases. CONFIG is the name of the pam_abl config file
14 (default: /etc/security/pam_abl.conf). The config file is read to
15 discover the names of the pam_abl databases, the rules that control
16 purging of old data from them and commands to run when a user or host
17 switches state.
18
20 MAINTENANCE
21 -h, --help
22 See this message.
23
24 -d, --debugcommand
25 Print the block/clear commands split in arguments.
26
27 -p, --purge
28 Purge databases according to purge rules in config.
29
30 -r, --relative
31 Display times relative to now.
32
33 -v, --verbose
34 Verbose output.
35
36 NON-PAM INTERACTION
37 -f, --fail
38 Fail user or host.
39
40 -w, --whitelist
41 Perform whitelisting (remove from blacklist, does not provide
42 immunity).
43
44 -c, --check
45 Check status. Returns non-zero if currently blocked Prints name:
46 status if verboseness is specified. If more than one host or user
47 is given, checks only the first host/user pair.
48
49 -u, --update
50 Update the state of all users/hosts in the db. This will also cause
51 the appropriate scripts to be called.
52
53 -s, --service
54 Operate in context of specified service. Defaults to none.
55
56 -U, --user
57 Operate on user (wildcards are ok for whitelisting).
58
59 -H, --host
60 Operate on host (wildcards are ok for whitelisting).
61
62 -R, --reason
63 Only used when -f is provided (defaults to "AUTH"). Specifies why
64 the authentication failed. Possible values are USER, HOST, BOTH,
65 AUTH
66
67 If you specified commands to run in your configuration, those commands
68 will try to run if the host or user switches state (blocked <→ clear)
69 since the last time it was checked. The command will only be able to
70 run, however, if you supply enough information to fill in the
71 substitutions in the command. For instance, if your host_clr_command
72 uses the %s parameter, you will need to specify the service with -s in
73 order for the command to actually run.
74
76 Obtain a list of failed hosts and users:
77
78 $ pam_abl
79
80 Obtain a full list of failures listing times relative to now:
81
82 $ pam_abl -rv $ pam_abl --relative --verbose
83
84 Purge old data:
85
86 $ pam_abl -p $ pam_abl --purge
87
88 Unblock all example.com, somewhere.com hosts:
89
90 $ pam_abl -w -H *.example.com -H \*.somewhere.com
91
92 Fail the host badguy.com and the user joe because the authentication
93 failed:
94
95 $ pam_abl -f -H badguy.com -U joe -R AUTH
96
97 Check whether joe is currently allowed to use your neato service from
98 somehost, running the necessary commands if he switches state:
99
100 $ pam_abl -c -U joe -H somehost -s neato
101
102 Because the user/host state is only updated when an attempt is made,
103 you can manually force pam-abl to update the states and call the
104 correct scripts:
105
106 $ pam_abl -u
107
109 Lode Mertens <pam-abl@danta.be>
110
111 Andy Armstrong <andy@hexten.net>
112
113 Chris Tasma <pam-abl@deksai.com>
114
116 Report bugs to <pam-abl@deksai.com> or using the bugtracker on
117 sourceforge.
118
120 pam_abl.conf(5), pam_abl(8)
121
123 Chris Tasma
124 Author.
125
126
127
128GNU 07/25/2019 PAM_ABL(1)