Go to main content

man pages section 7: Standards, Environments, Macros, Character Sets, and Miscellany

Exit Print View

Updated: Wednesday, July 27, 2022
 
 

pam_user_policy(7)

Name

pam_user_policy - PAM user authentication policy module

Synopsis

pam_user_policy.so.1

Description

The pam_user_policy module causes a user-specific PAM configuration to be evaluated and returns the result of evaluating such a configuration.

The pam_user_policy module implements all PAM service module functions.

The PAM configuration to evaluate is determined by looking for a pam_policy key in a user's attributes (see user_attr(5)) or any rights profiles assigned to the user in user_attr or in a default rights profile granted in policy.conf(5), and then finally for any value assigned to PAM_POLICY in policy.conf. If no pam_policy key is found for the user, the pam_user_policy module returns PAM_IGNORE.

Failure to obtain a user name is considered an error (see below).

This module should generally be stacked as the first module, possibly as the only module, in a PAM service configuration using a control_flag value of 'definitive'. A control_flag value of 'sufficient' or 'binding' may also work, depending on the PAM service and the contents of the user-specific PAM configuration.

The pathname to the user-specific PAM configuration file passed to pam_eval(3PAM) must be absolute so pam_user_policy prepends “/etc/security/pam_policy” to any non-absolute PAM configuration pathnames. The user-specific PAM configuration file has the same format as pam.conf and must include the service name field just as /etc/pam.conf. For more information, see the pam.conf(5) man page.

The following option can be passed to the module:

debug

syslog(3C) debugging information at the LOG_DEBUG level

Authentication Module

The pam_get_user(3PAM) function is used to retrieve the current user name and sets this to be the value of PAM_USER if PAM_USER was not already set. If no user name can be obtained, PAM_IGNORE is returned.

If assuming a role which has been configured with the roleauth=user attribute in the user_attr() function then the authenticated user name specified in PAM_AUSER, if set, is treated as the current user name. For more information, see the user_attr(5) man page.

The pam_user_policy authentication module then looks up the name of a PAM configuration file to use for that user as described above and evaluates the named configuration by calling pam_eval() with the same flags as were passed to the pam_user_policy authentication module.

The configuration file name found is saved as module data (see pam_set_data(3PAM) for use by other pam_user_policy modules.

Other Modules

If the PAM_USER item is not set to a non-empty string then pam_user_policy returns PAM_IGNORE immediately. If a PAM configuration file name was saved as module data by a previous call to a pam_user_policy module, then that configuration will be used; otherwise a PAM configuration will be looked up as described above. The service module then evaluates the named configuration by calling pam_eval() with the same flags as were passed to the service module.

The configuration file name found is saved as module data (see pam_set_data(3PAM)) for use by other pam_user_policy modules.

Return Values

If PAM_USER is not set or cannot be obtained, the module's service functions return PAM_IGNORE. If a pam_policy configuration file has been specified for a user and the corresponding file name does not exist, PAM_SYSTEM_ERR is returned. If an invalid path to a configuration file is specified, for example a missing pam_policy attribute value or a relative path containing a slash /, PAM_IGNORE is returned. If module-specific data cannot be stored, PAM_SERVICE_ERR is returned. Failure to allocate resources causes the module to return PAM_BUF_ERR. Otherwise the value returned by pam_eval() is returned.

Files

A number of pam.conf files for inclusion by pam_user_policy can be found in /etc/security/pam_policy:

unix

Use only UNIX passwords for authentication, account management, and password management.

krb5_only

Use Kerberos V5 only for authentication, account management, and password management.

krb5_first

Use Kerberos V5 for authentication with fallback on UNIX authentication, use Kerberos V5 for account management and password management for Kerberos users and UNIX for account management and password management for UNIX users.

krb5_optional

Use UNIX for authentication, account management, and password management and then optionally using Kerberos V5 for authentication, account management and password management for Kerberos users.

ldap

Use pam_ldap(7) for authentication, account management, and password management for LDAP users and UNIX for authentication, account management, and password management for UNIX users.

any

Try Kerberos V, LDAP and UNIX, in that order, and as sufficient, for authentication, account management, and password management.

krb5_keytab

Use pam_krb5_keytab for PAM authentication with Kerberos through keytab and optionally, authentication through pam_gss_s4u for Services For Users (S4U). For more information, see the pam_gss_s4u(7) man page.

gss_s4u

Use pam_krb5_keytab for PAM authentication with Kerberos through keytab and optionally, authentication through pam_gss_s4u for Services For Users (S4U). For more information, see the pam_gss_s4u(7) man page.

Examples

Example 1 Authenticate a user with Kerberos V5 for all PAM services.

In the following example, user 'larry' should only be authenticated with Kerberos V5 for all PAM services.

$ usermod -K pam_policy=krb5_only larry
Example 2 Use the PAM configuration /etc/security/pam_policy/custom for a user.

In the following example, the PAM configuration /etc/security/pam_policy/custom should be used for user 'curly'. This custom PAM configuration might have different configurations for different PAM services, such as requiring UNIX authentication for console logins but Kerberos V5 for all other PAM services.

$ usermod -K pam_policy=custom curly
Example 3 Create a new profile.

The following example creates a new profile named “PAM Per-User Policy of LDAP” and assign it to user 'moe' indicating that pam_ldap(7) should be used for all PAM services. Alternatively the profile could be assigned to all users by adding it to PROFS_GRANTED in policy.conf(5).

$ profiles -p "PAM Per-User Policy of LDAP" \
   'set desc="Profile which sets pam_policy=ldap";
   set pam_policy=ldap; exit;'
$ usermod -P "PAM Per-User Policy of LDAP" moe
Example 4 Add a new user.

The following example adds a new user named 'shemp' who uses the PAM configuration /usr/local/etc/pam.conf for all PAM services.

$ useradd -K pam_policy=/usr/local/etc/pam.conf shemp

Attributes

See attributes(7) for descriptions of the following attributes:

ATTRIBUTE TYPE
ATTRIBUTE VALUE
Interface Stability
Committed
MT-Level
MT-Safe with exceptions

See Also

syslog(3C), libpam(3LIB), pam(3PAM), pam_eval(3PAM), pam_get_user(3PAM), pam_set_data(3PAM), pam.conf(5), policy.conf(5), prof_attr(5), user_attr(5), attributes(7), pam_ldap(7)

Notes

The interfaces in libpam(3LIB) are MT-Safe only if each thread within the multithreaded application uses its own PAM handle.