PAM_LISTFILE(8)                  Linux-PAM Manual                 PAM_LISTFILE(8)

NAME
pam_listfile - deny or allow services based on an arbitrary file

SYNOPSIS
pam_listfile.so item=[tty|user|rhost|ruser|group|shell]
sense=[allow|deny] file=/path/filename
onerr=[succeed|fail] [apply=[user|@group]]

DESCRIPTION
pam_listfile is a PAM module which provides a way to deny or allow
services based on an arbitrary file.

The module gets the item of the type specified -- user specifies the
username, PAM_USER; tty specifies the name of the terminal over which
the request has been made, PAM_TTY; rhost specifies the name of the
remote host (if any) from which the request was made, PAM_RHOST; ruser
specifies the name of the remote user (if available) who made the
request, PAM_RUSER; group makes the module check whether PAM_USER is a
member of any group named in the file; and shell specifies the login
shell of PAM_USER -- and looks for an instance of that item in the
file=filename. filename contains one line per item listed. If the item
is found, then if sense=allow, PAM_SUCCESS is returned, causing the
authorization request to succeed; else if sense=deny, PAM_AUTH_ERR is
returned, causing the authorization request to fail.

If an error is encountered (for instance, if filename does not exist,
or a poorly-constructed argument is encountered), then if
onerr=succeed, PAM_SUCCESS is returned, otherwise if onerr=fail,
PAM_AUTH_ERR or PAM_SERVICE_ERR (as appropriate) will be returned.
Choose onerr with the sense in mind: onerr=succeed on a deny list fails
open (a missing or broken file simply stops the list being enforced),
while onerr=fail on an allow list fails closed (nobody passes the rule).

An additional argument, apply=, can be used to restrict the application
of the above to a specific user (apply=username) or a given group
(apply=@groupname). This added restriction is only meaningful when used
with the tty, rhost and shell items.

Besides this last one, all arguments should be specified; do not count
on any default behavior.

No credentials are awarded by this module.

OPTIONS
item=[tty|user|rhost|ruser|group|shell]
What is listed in the file and should be checked for.

sense=[allow|deny]
Action to take if the item is found in the file; if the item is NOT
found in the file, the opposite action is taken.

file=/path/filename
File containing one item per line. The file needs to be a plain file
and not world writeable: a file that is world writable or not a regular
file is rejected outright with PAM_AUTH_ERR, regardless of onerr=.

onerr=[succeed|fail]
What to do if an error occurs, such as being unable to open the file.

apply=[user|@group]
Restrict the user class to which the restriction applies. Note that
with item=[user|ruser|group] this does not make sense, but for
item=[tty|rhost|shell] it has a meaning.

MODULE SERVICES PROVIDED
The services auth, account, password and session are supported.

RETURN VALUES
PAM_AUTH_ERR
Authentication failure.

PAM_BUF_ERR
Memory buffer error.

PAM_IGNORE
The apply= restriction does not cover the requesting user, so this rule
is skipped.

PAM_SERVICE_ERR
Error in service module.

PAM_SUCCESS
Success.

EXAMPLES
Classic 'ftpusers' authentication can be implemented with this entry in
/etc/pam.d/ftpd:

#
# deny ftp-access to users listed in the /etc/ftpusers file
#
auth required pam_listfile.so \
onerr=succeed item=user sense=deny file=/etc/ftpusers


Note that users listed in the /etc/ftpusers file are (counterintuitively)
not allowed access to the ftp service. Because onerr=succeed is used, a
missing or unreadable /etc/ftpusers silently disables the deny list; use
onerr=fail if a broken list should refuse everyone instead.

To allow login access only for certain users, you can use a
/etc/pam.d/login entry like this:

#
# permit login to users listed in /etc/loginusers
#
auth required pam_listfile.so \
onerr=fail item=user sense=allow file=/etc/loginusers


For this example to work, all users who are allowed to use the login
service should be listed in the file /etc/loginusers. Unless you are
explicitly trying to lock out root, make sure that when you do this,
you leave a way for root to log in, either by listing root in
/etc/loginusers, or by listing a user who is able to su to the root
account. Note also that with onerr=fail a missing or world-writable
/etc/loginusers locks everyone out, root included.
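
The decision rules given in the DESCRIPTION (item lookup, sense=, onerr=,
apply=) and the two example entries above can be exercised without a live
PAM stack. The following Python model is an added example, not
pam_listfile's own code: it implements the documented semantics and runs
the ftpusers and loginusers entries against constructed list files,
including the failure modes those entries imply (missing list,
world-writable list, apply= to a non-member). The group table, the 'shell'
and 'tty' request values, the stripping of a /dev/ prefix from tty names
and treating a world-writable file as a hard PAM_AUTH_ERR are the model's
assumptions.

```python
"""Model of pam_listfile's documented decision logic (added example; not the
module's code).  Group membership, the user's shell and the permission check
are simplified stand-ins for getgrnam/getpwnam/stat in the real module."""
import os
import stat
import tempfile

PAM_SUCCESS, PAM_AUTH_ERR = "PAM_SUCCESS", "PAM_AUTH_ERR"
PAM_SERVICE_ERR, PAM_IGNORE = "PAM_SERVICE_ERR", "PAM_IGNORE"
ITEMS = ("tty", "user", "rhost", "ruser", "group", "shell")


def listfile(argv, ctx, groups):
    """Evaluate one 'pam_listfile.so <argv>' rule for a request.

    ctx    -- PAM items of the request: user, tty, rhost, ruser, plus the
              user's login shell under 'shell' (stand-in for pw_shell)
    groups -- {group name: set of member users} (stand-in for /etc/group)
    """
    opts = {}
    for arg in argv.split():
        key, sep, val = arg.partition("=")
        if not sep:
            return PAM_SERVICE_ERR            # poorly-constructed argument
        opts[key] = val
    # The module defaults onerr to fail; the man page says not to rely on it.
    fail_closed = opts.get("onerr", "fail") == "fail"
    item, sense, path = opts.get("item"), opts.get("sense"), opts.get("file")
    if item not in ITEMS or sense not in ("allow", "deny") or not path:
        return PAM_SERVICE_ERR if fail_closed else PAM_SUCCESS

    # apply= only restricts rules on tty, rhost and shell; elsewhere it is
    # accepted but has no effect (man page).
    target = opts.get("apply")
    if target and item in ("tty", "rhost", "shell"):
        if target.startswith("@"):
            if ctx.get("user") not in groups.get(target[1:], set()):
                return PAM_IGNORE
        elif target != ctx.get("user"):
            return PAM_IGNORE

    try:
        st = os.stat(path)
    except OSError:                           # missing file: honour onerr=
        return PAM_AUTH_ERR if fail_closed else PAM_SUCCESS
    if not stat.S_ISREG(st.st_mode) or st.st_mode & stat.S_IWOTH:
        # "plain file and not world writeable": assumed to be a hard failure
        return PAM_AUTH_ERR

    with open(path) as fh:                    # one item per line, blanks ignored
        entries = [ln.rstrip("\n") for ln in fh if ln.strip()]

    if item == "group":                       # any listed group the user is in
        found = any(ctx.get("user") in groups.get(g, set()) for g in entries)
    else:
        value = ctx.get(item) or ""
        if item == "tty" and value.startswith("/dev/"):
            value = value[5:]                 # assumption: compare bare tty names
        found = value in entries

    if sense == "allow":
        return PAM_SUCCESS if found else PAM_AUTH_ERR
    return PAM_AUTH_ERR if found else PAM_SUCCESS


def demo():
    """Run the two example entries from the man page and their failure modes."""
    groups = {"wheel": {"alice"}}                          # constructed
    with tempfile.TemporaryDirectory() as d:
        ftpusers, loginusers, ttys = (os.path.join(d, n) for n in ("ftpusers", "loginusers", "ttys"))
        missing = os.path.join(d, "no-such-file")
        for p, body in ((ftpusers, "root\nbin\n\n"), (loginusers, "root\nalice\n"), (ttys, "tty1\n")):
            with open(p, "w") as fh:
                fh.write(body)                             # constructed list files
            os.chmod(p, 0o644)
        ftp = f"onerr=succeed item=user sense=deny file={ftpusers}"
        login = f"onerr=fail item=user sense=allow file={loginusers}"
        tty_rule = f"onerr=fail item=tty sense=deny file={ttys} apply=@wheel"
        out = {
            "ftp: root listed -> denied": listfile(ftp, {"user": "root"}, groups),
            "ftp: alice not listed -> allowed": listfile(ftp, {"user": "alice"}, groups),
            "login: alice listed -> allowed": listfile(login, {"user": "alice"}, groups),
            "login: bob not listed -> denied": listfile(login, {"user": "bob"}, groups),
            # a deny list with onerr=succeed fails open: a missing file disables it
            "ftp: list missing -> fail open": listfile(ftp.replace(ftpusers, missing), {"user": "root"}, groups),
            # an allow list with onerr=fail fails closed: nobody passes, root included
            "login: list missing -> fail closed": listfile(login.replace(loginusers, missing), {"user": "root"}, groups),
            "tty rule: bob not in wheel -> skipped": listfile(tty_rule, {"user": "bob", "tty": "tty1"}, groups),
            "tty rule: alice on /dev/tty1 -> denied": listfile(tty_rule, {"user": "alice", "tty": "/dev/tty1"}, groups),
        }
        os.chmod(ftpusers, 0o666)                          # now world writable
        out["ftp: world-writable list -> refused"] = listfile(ftp, {"user": "alice"}, groups)
    return out


if __name__ == "__main__":
    for name, rv in demo().items():
        print(f"{rv:16} {name}")
```

Running the block prints one line per scenario; the two "list missing"
rows are the ones to compare, since they show the same missing file
producing PAM_SUCCESS under the ftpusers entry and PAM_AUTH_ERR under the
loginusers entry purely because of onerr=.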

SEE ALSO
pam.conf(5), pam.d(8), pam(8)

AUTHOR
pam_listfile was written by Michael K. Johnson <johnsonm@redhat.com>
and Elliot Lee <sopwith@cuc.edu>.


Linux-PAM Manual                     06/22/2006                   PAM_LISTFILE(8)