PAM_LISTFILE(8)                Linux-PAM Manual                PAM_LISTFILE(8)

NAME

       pam_listfile - deny or allow services based on an arbitrary file


SYNOPSIS

       pam_listfile.so item=[tty|user|rhost|ruser|group|shell]
                       sense=[allow|deny] file=/path/filename
                       onerr=[succeed|fail] [apply=[user|@group]]


DESCRIPTION

       pam_listfile is a PAM module which provides a way to deny or allow
       services based on an arbitrary file.

       The module gets the item of the type specified -- user specifies the
       username, PAM_USER; tty specifies the name of the terminal over which
       the request has been made, PAM_TTY; rhost specifies the name of the
       remote host (if any) from which the request was made, PAM_RHOST; and
       ruser specifies the name of the remote user (if available) who made the
       request, PAM_RUSER -- and looks for an instance of that item in the
       file=filename.  filename contains one line per item listed. If the item
       is found, then if sense=allow, PAM_SUCCESS is returned, causing the
       authorization request to succeed; else if sense=deny, PAM_AUTH_ERR is
       returned, causing the authorization request to fail.

       If an error is encountered (for instance, if filename does not exist,
       or a poorly-constructed argument is encountered), then if
       onerr=succeed, PAM_SUCCESS is returned, otherwise if onerr=fail,
       PAM_AUTH_ERR or PAM_SERVICE_ERR (as appropriate) will be returned.

       An additional argument, apply=, can be used to restrict the application
       of the above to a specific user (apply=username) or a given group
       (apply=@groupname). This added restriction is only meaningful when used
       with the tty, rhost and shell items.

       Besides this last one, all arguments should be specified; do not count
       on any default behavior.

       No credentials are awarded by this module.


OPTIONS

       item=[tty|user|rhost|ruser|group|shell]
          What is listed in the file and should be checked for.

       sense=[allow|deny]
          Action to take if the item is found in the file; if the item is NOT
          found in the file, the opposite action is requested.

       file=/path/filename
          File containing one item per line. The file needs to be a plain file
          and not world writeable.

       onerr=[succeed|fail]
          What to do if something weird happens, such as being unable to open
          the file.

       apply=[user|@group]
          Restrict the user class to which the restriction applies. Note that
          with item=[user|ruser|group] this does not make sense, but for
          item=[tty|rhost|shell] it has a meaning.


MODULE SERVICES PROVIDED

       The services auth, account, password and session are supported.


RETURN VALUES

       PAM_AUTH_ERR
          Authentication failure.

       PAM_BUF_ERR
          Memory buffer error.

       PAM_IGNORE
          The rule does not apply to the apply option.

       PAM_SERVICE_ERR
          Error in service module.

       PAM_SUCCESS
          Success.


EXAMPLES

       Classic 'ftpusers' authentication can be implemented with this entry in
       /etc/pam.d/ftpd:

          #
          # deny ftp-access to users listed in the /etc/ftpusers file
          #
          auth    required       pam_listfile.so \
                  onerr=succeed item=user sense=deny file=/etc/ftpusers


       Note that users listed in the /etc/ftpusers file are
       (counterintuitively) not allowed access to the ftp service.

       To allow login access only for certain users, you can use a
       /etc/pam.d/login entry like this:

          #
          # permit login to users listed in /etc/loginusers
          #
          auth    required       pam_listfile.so \
                  onerr=fail item=user sense=allow file=/etc/loginusers


       For this example to work, all users who are allowed to use the login
       service should be listed in the file /etc/loginusers. Unless you are
       explicitly trying to lock out root, make sure that when you do this,
       you leave a way for root to log in, either by listing root in
       /etc/loginusers, or by listing a user who is able to su to the root
       account.

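       The decision rules from DESCRIPTION and OPTIONS, exercised on the two
       example entries above, as an added Python model (example code, not the
       module's own source). It assumes that under onerr=fail a bad or missing
       argument maps to PAM_SERVICE_ERR and a file problem to PAM_AUTH_ERR;
       the list file, users and group names are constructed for the demo.

```python
import os, stat, tempfile
PAM_SUCCESS, PAM_AUTH_ERR = "PAM_SUCCESS", "PAM_AUTH_ERR"
PAM_SERVICE_ERR, PAM_IGNORE = "PAM_SERVICE_ERR", "PAM_IGNORE"

def parse_args(argv):
    return dict(tok.split("=", 1) for tok in argv.split())

def read_list(path):
    """Load the list; the manual wants a plain file that is not world-writable."""
    st = os.stat(path)  # OSError if the file is missing
    if not stat.S_ISREG(st.st_mode) or st.st_mode & stat.S_IWOTH:
        raise OSError(f"{path}: not a plain, non-world-writable file")
    with open(path) as fh:
        return {ln.strip() for ln in fh if ln.strip()}

def decide(args, item_value, user=None, groups=()):
    """Model one decision; every argument except apply= is mandatory."""
    onerr = args.get("onerr")
    if (any(k not in args for k in ("item", "sense", "file", "onerr"))
            or args["sense"] not in ("allow", "deny") or onerr not in ("succeed", "fail")):
        return PAM_SUCCESS if onerr == "succeed" else PAM_SERVICE_ERR
    scope = args.get("apply")  # optional user or @group scoping
    if scope and not (scope[1:] in groups if scope.startswith("@") else scope == user):
        return PAM_IGNORE
    try:
        found = item_value in read_list(args["file"])
    except OSError:
        return PAM_SUCCESS if onerr == "succeed" else PAM_AUTH_ERR
    if found:
        return PAM_SUCCESS if args["sense"] == "allow" else PAM_AUTH_ERR
    return PAM_AUTH_ERR if args["sense"] == "allow" else PAM_SUCCESS

def run_scenarios():
    """Constructed scenarios around an /etc/ftpusers-style list in a temp dir."""
    out = {}
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "ftpusers")
        with open(path, "w") as fh:
            fh.write("root\nanonymous\n")
        os.chmod(path, 0o644)
        deny = parse_args(f"onerr=succeed item=user sense=deny file={path}")
        allow = parse_args(f"onerr=fail item=user sense=allow file={path}")
        out["root_denied"] = decide(deny, "root")
        out["alice_not_allowed"] = decide(allow, "alice")
        os.chmod(path, 0o666)  # world-writable list is an error, so onerr decides
        out["ww_onerr_fail"] = decide(allow, "root")
        out["ww_onerr_succeed"] = decide(deny, "root")
        scoped = parse_args(f"onerr=fail item=tty sense=deny file={path} apply=@wheel")
        out["out_of_scope"] = decide(scoped, "tty1", user="alice", groups=("users",))
    return out
```

       The ww_onerr_succeed case is the one to watch in an audit: with
       onerr=succeed, a list file that has become world-writable silently
       turns the deny rule into a pass.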

SEE ALSO

       pam.conf(5), pam.d(8), pam(8)


AUTHOR

       pam_listfile was written by Michael K. Johnson <johnsonm@redhat.com>
       and Elliot Lee <sopwith@cuc.edu>.



Linux-PAM Manual                  06/22/2006                   PAM_LISTFILE(8)