pam_sample(5)         Standards, Environments, and Macros        pam_sample(5)

NAME

       pam_sample - a sample PAM module

SYNOPSIS

       /usr/lib/security/pam_sample.so.1

DESCRIPTION

       The SAMPLE service module for PAM is divided into four components:
       authentication, account management, password management, and session
       management. The sample module is a shared object that is dynamically
       loaded to provide the necessary functionality.

SAMPLE AUTHENTICATION COMPONENT

       The SAMPLE authentication module provides functions to test the PAM
       framework functionality using the pam_sm_authenticate(3PAM) call. The
       SAMPLE module implementation of the pam_sm_authenticate(3PAM) function
       compares the user-entered password with the password set in the
       pam.conf(4) file, or the string "test" if a default test password has
       not been set. The following options can be passed to the SAMPLE
       authentication module:

       debug               Syslog debugging information at the LOG_DEBUG
                           level.

       pass=newone         Sets the password to be "newone".

       first_pass_good     The first password is always good when used with
                           the use_first_pass or try_first_pass option.

       first_pass_bad      The first password is always bad when used with the
                           use_first_pass or try_first_pass option.

       always_fail         Always returns PAM_AUTH_ERR.

       always_succeed      Always returns PAM_SUCCESS.

       always_ignore       Always returns PAM_IGNORE.

       use_first_pass      Use the user's initial password (entered when the
                           user is authenticated to the first authentication
                           module in the stack) to authenticate with the
                           SAMPLE module. If the passwords do not match, or if
                           this is the first authentication module in the
                           stack, quit and do not prompt the user for a
                           password. It is recommended that this option only
                           be used if the SAMPLE authentication module is
                           designated as optional in the pam.conf
                           configuration file.

       try_first_pass      Use the user's initial password (entered when the
                           user is authenticated to the first authentication
                           module in the stack) to authenticate with the
                           SAMPLE module. If the passwords do not match, or if
                           this is the first authentication module in the
                           stack, prompt the user for a password.

       The SAMPLE module pam_sm_setcred(3PAM) function always returns
       PAM_SUCCESS.

SAMPLE ACCOUNT MANAGEMENT COMPONENT

       The SAMPLE Account Management Component implements a simple access
       control scheme that limits machine access to a list of authorized
       users. The list of authorized users is supplied as option arguments to
       the entry for the SAMPLE account management PAM module in the pam.conf
       file. Note that the module always permits access to the root super
       user.

       The option field syntax to limit access is shown below:

           allow=name[,name]
           allow=name [allow=name]

       The example pam.conf shown below permits only larry to log in
       directly. rlogin is allowed only for don and larry. Once a user is
       logged in, the user can use su if the user is sam or eric.

       login     account   required   pam_sample.so.1   allow=larry
       dtlogin   account   required   pam_sample.so.1   allow=larry
       rlogin    account   required   pam_sample.so.1   allow=don allow=larry
       su        account   required   pam_sample.so.1   allow=sam,eric

       The debug and nowarn options are also supported.

SAMPLE PASSWORD MANAGEMENT COMPONENT

       The SAMPLE Password Management Component function
       (pam_sm_chauthtok(3PAM)) always returns PAM_SUCCESS.

SAMPLE SESSION MANAGEMENT COMPONENT

       The SAMPLE Session Management Component functions
       (pam_sm_open_session(3PAM), pam_sm_close_session(3PAM)) always return
       PAM_SUCCESS.

ATTRIBUTES

       See attributes(5) for a description of the following attributes:

       ┌─────────────────────────────┬─────────────────────────────┐
       │      ATTRIBUTE TYPE         │      ATTRIBUTE VALUE        │
       ├─────────────────────────────┼─────────────────────────────┤
       │MT Level                     │MT-Safe with exceptions      │
       └─────────────────────────────┴─────────────────────────────┘

SEE ALSO

       pam(3PAM), pam_sm_authenticate(3PAM), pam_sm_chauthtok(3PAM),
       pam_sm_close_session(3PAM), pam_sm_open_session(3PAM),
       pam_sm_setcred(3PAM), libpam(3LIB), pam.conf(4), attributes(5)

WARNINGS

       This module should never be used outside of a closed debug environment.
       The examples of the use_first_pass and try_first_pass options are
       obsolete for all other Solaris delivered PAM service modules.
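
       A configuration check in support of the warning above, covering the
       authentication options and the allow= lists described earlier. This is
       an added example, not part of the original manual page or of the
       module; the audit() function, its output format and the sample
       pam.conf text (including the ftp and telnet entries) are constructed.

```python
MODULE = "pam_sample.so.1"
# auth options that the man page says force a fixed return value
FIXED_RESULT = {"always_succeed": "PAM_SUCCESS", "always_ignore": "PAM_IGNORE",
                "always_fail": "PAM_AUTH_ERR"}

# Constructed pam.conf content for the demo (not taken from a real host).
SAMPLE_CONF = """\
# service  type     control     module path       options
login      auth     required    pam_unix_auth.so.1
login      auth     optional    pam_sample.so.1   use_first_pass
ftp        auth     sufficient  /usr/lib/security/pam_sample.so.1 always_succeed
telnet     auth     required    pam_sample.so.1   pass=newone debug
su         account  required    pam_sample.so.1   allow=sam,eric
rlogin     account  required    pam_sample.so.1   allow=don allow=larry
"""

def audit(conf_text):
    """Return one finding per pam.conf entry that loads pam_sample.so.1."""
    findings = []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        # entry layout: service, module type, control flag, module path, options
        if len(fields) < 4 or fields[3].rsplit("/", 1)[-1] != MODULE:
            continue
        service, mtype, control, _path, *opts = fields
        if mtype == "auth":
            forced = [f"{o} -> {FIXED_RESULT[o]}" for o in opts if o in FIXED_RESULT]
            # without pass=..., the module compares against the string "test"
            password = next((o[5:] for o in opts if o.startswith("pass=")), "test")
            notes = forced or [f"compares against fixed password {password!r}"]
        elif mtype == "account":
            allowed = {"root"}  # root is always permitted
            for o in opts:
                if o.startswith("allow="):
                    allowed.update(n for n in o[6:].split(",") if n)
            notes = ["access limited to " + ",".join(sorted(allowed))]
        else:  # password and session components only return PAM_SUCCESS
            notes = ["always returns PAM_SUCCESS"]
        findings.append({"line": lineno, "service": service, "type": mtype,
                         "control": control, "notes": notes})
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_CONF):
        print(f"line {f['line']}: {f['service']} {f['type']} ({f['control']}): "
              + "; ".join(f["notes"]))
```

       Any finding on a system that is not a closed debug environment means
       the entry should be removed from pam.conf.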

NOTES

       The interfaces in libpam(3LIB) are MT-Safe only if each thread within
       the multi-threaded application uses its own PAM handle.

SunOS 5.11                        4 Apr 2007                     pam_sample(5)