This directory contains configuration files for the Pluggable
Authentication Modules (PAM) library.

Each file details the module chain for a single service, and must be
named after that service.  If no configuration file is found for a
particular service, /etc/pam.d/other is used instead.  If that
file does not exist, /etc/pam.conf is searched for entries matching
the specified service or, failing that, the "other" service.

See the pam(3) manual page for an explanation of the workings of the
PAM library and descriptions of the various files and modules.  Below
is a summary of the format for the pam.conf and /etc/pam.d/* files.

Configuration lines take the following form:

module-type	control-flag	module-path	arguments

Comments are introduced with a hash mark ('#').  Blank lines and lines
consisting entirely of comments are ignored.

The meanings of the different fields are as follows:

 module-type:
   auth:      prompt for a password to authenticate that the user is
              who they say they are, and set any credentials.
   account:   non-authentication based authorization, based on time,
              resources, etc.
   session:   housekeeping before and/or after login.
   password:  update authentication tokens.

 control-flag: How libpam handles success or failure of the module.
   required:   success is required; on failure all remaining
               modules are run, but the request will be denied.
   requisite:  success is required, and on failure no remaining
               modules are run.
   sufficient: success is sufficient, and if no previous required
               module failed, no remaining modules are run.
   binding:    success is sufficient; on failure all remaining
               modules are run, but the request will be denied.
   optional:   ignored unless the other modules return PAM_IGNORE.

 arguments: Module-specific options, plus some generic ones:
   debug:           syslog debug info.
   no_warn:         return no warning messages to the application.
                    Remove this to feed back to the user the
                    reason(s) they are being rejected.
   use_first_pass:  try authentication using password from the
                    preceding auth module.
   try_first_pass:  first try authentication using password from
                    the preceding auth module, and if that fails
                    prompt for a new password.
   use_mapped_pass: convert cleartext password to a crypto key.
   expose_account:  allow printing more info about the user when
                    prompting.

Note that having a "sufficient" module as the last entry for a
particular service and module type may result in surprising behaviour.
To get the intended semantics, add a "required" entry listing the
pam_deny module at the end of the chain.
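
The check implied by the note above, as an added example (not part of
the original README): a short Python linter for /etc/pam.d/*-style
files that reports each module type whose chain ends in a "sufficient"
entry and appends the "required" pam_deny entry.  The sample file is
constructed, the .so file names are assumptions about how the modules
are installed, and only the four-field line form summarized above is
handled.

```python
# Added example: lint a pam.d-style service file for chains ending in "sufficient".
MODULE_TYPES = ("auth", "account", "session", "password")

# Constructed sample, not taken from a real system; module file names are assumed.
SAMPLE = """\
# constructed example service file
auth      sufficient  pam_krb5.so   no_warn try_first_pass
auth      sufficient  pam_unix.so   no_warn try_first_pass   # trailing comment
account   required    pam_unix.so
password  sufficient  pam_unix.so   no_warn
password  required    pam_deny.so
"""

def parse(text):
    """Yield (lineno, module_type, control_flag, module_path, args) per entry."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # '#' introduces a comment
        if len(fields) < 3 or fields[0] not in MODULE_TYPES:
            continue    # blank, comment-only, or not the four-field form
        yield lineno, fields[0], fields[1], fields[2], fields[3:]

def open_ended_chains(text):
    """Return {module_type: lineno} for chains whose last entry is 'sufficient'."""
    last = {}
    for lineno, mtype, flag, _path, _args in parse(text):
        last[mtype] = (lineno, flag)            # later entries overwrite earlier ones
    return {m: ln for m, (ln, flag) in last.items() if flag == "sufficient"}

def terminate(text):
    """Append a 'required pam_deny.so' entry to every open-ended chain."""
    flagged = open_ended_chains(text)
    if text and not text.endswith("\n"):
        text += "\n"
    extra = [f"{m}\trequired\tpam_deny.so\n" for m in MODULE_TYPES if m in flagged]
    return text + "".join(extra)

if __name__ == "__main__":
    for mtype, lineno in open_ended_chains(SAMPLE).items():
        print(f"{mtype}: chain ends in 'sufficient' at line {lineno}")
    print(terminate(SAMPLE), end="")
```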

$FreeBSD$