pam_user_policy - PAM user authentication policy module
The pam_user_policy module causes a user-specific PAM configuration to be evaluated and returns the result of evaluating such a configuration.
The pam_user_policy module implements all PAM service module functions.
The PAM configuration to evaluate is determined by looking for a pam_policy key in a user's attributes (see user_attr(4)) or any rights profiles assigned to the user in user_attr(4) or in a default rights profile granted in policy.conf(4), and then finally for any value assigned to PAM_POLICY in policy.conf. If no PAM configuration is found, the “unix” policy is used.
Failure to obtain a user name is considered an error (see below).
This module should generally be stacked as the first module, possibly as the only module, in a PAM service configuration using a control_flag value of 'sufficient' or 'binding', depending on the contents of the user-specific PAM configuration.
The pathname to the user-specific PAM configuration file passed to pam_eval(3PAM) must be absolute so pam_user_policy prepends “ /etc/security/pam_policy” to any non-absolute PAM configuration pathnames.
The following option can be passed to the module:
syslog(3C) debugging information at the LOG_DEBUG level
The pam_get_user(3PAM) function is used to retrieve the current user name and sets this to be the value of PAM_USER if PAM_USER was not already set. If no user name can be obtained, PAM_USER_UNKNOWN is returned.
If assuming a role which has been configured with the roleauth=user attribute in the user_attr() function then the authenticated user name specified in PAM_AUSER, if set, is treated as the current user name. For more information, see the user_attr(4)
The pam_user_policy authentication module then looks up the name of a PAM configuration file to use for that user as described above and evaluates the named configuration by calling pam_eval() with the same flags as were passed to the pam_user_policy authentication module.
The configuration file name found or the default “unix” is saved as module data (see pam_set_data(3PAM) for use by other pam_user_policy modules.
If the PAM_USER item is not set to a non-empty string then pam_user_policy returns PAM_USER_UNKNOWN immediately. If a PAM configuration file name was saved as module data by a previous call to a pam_user_policy module, then that configuration will be used; otherwise a PAM configuration will be looked up as described above. The service module then evaluates the named configuration by calling pam_eval() with the same flags as were passed to the service module.
The configuration file name found or the default “unix” is saved as module data (see pam_set_data(3PAM)) for use by other pam_user_policy modules.
If PAM_USER is not set or cannot be obtained, the module's service functions return PAM_USER_UNKNOWN. If module-specific data cannot be stored, PAM_SERVICE_ERR is returned. Failure to allocate resources causes the module to return PAM_BUF_ERR. Otherwise the value returned by pam_eval () is returned.
A number of pam.conf files for inclusion by pam_user_policy can be found in /etc/security/pam_policy :
Use only Unix passwords for authentication, account management, and password management.
Use Kerberos V5 only for authentication, account management, and password management.
Use Kerberos V5 for authentication with fallback on Unix authentication, use Kerberos V5 for account management and password management for Kerberos users and Unix for account management and password management for Unix users.
Use Unix for authentication, account management, and password management and then optionally using Kerberos V5 for authentication, account management and password management for Kerberos users.
Use pam_ldap(5) for authentication, account management, and password management for LDAP users and Unix for authentication, account management, and password management for Unix users.
Try Kerberos V, LDAP and Unix, in that order, and as sufficient, for authentication, account management, and password management.
In the following example, user 'larry' should only be authenticated with Kerberos V5 for all PAM services.
$ usermod -K pam_policy=krb5_only larryExample 2 Use the PAM configuration /etc/security/pam_policy/custom for a user.
In the following example, the PAM configuration /etc/security/pam_policy/custom should be used for user 'curly'. This custom PAM configuration might have different configurations for different PAM services, such as requiring Unix authentication for console logins but Kerberos V5 for all other PAM services.
$ usermod -K pam_policy=custom curlyExample 3 Create a new profile.
The following example creates a new profile named “PAM Per-User Policy of LDAP” and assign it to user 'moe' indicating that pam_ldap (5) should be used for all PAM services. Alternatively the profile could be assigned to all users by adding it to PROFS_GRANTED in policy.conf(4).
$ profiles -p "PAM Per-User Policy of LDAP" \ 'set desc="Profile which sets pam_policy=ldap"; set pam_policy=ldap; exit;' $ usermod -P "PAM Per-User Policy of LDAP" moeExample 4 Add a new user.
The following example adds a new user named 'shemp' who uses the PAM configuration /usr/local/etc/pam.conf for all PAM services.
$ useradd -K pam_policy=/usr/local/etc/pam.conf shemp
See attributes(5) for descriptions of the following attributes:
The interfaces in libpam(3LIB) are MT-Safe only if each thread within the multithreaded application uses its own PAM handle.