PAM_SAMPLE(7) Standards, Environments, and Macros PAM_SAMPLE(7)

NAME


pam_sample - a sample PAM module

SYNOPSIS


pam_sample.so.1


DESCRIPTION


The SAMPLE service module for PAM, pam_sample.so.1, is divided into four
components: authentication, account management, password management, and
session management.

SAMPLE AUTHENTICATION COMPONENT


The SAMPLE authentication module provides functions to test the PAM
framework functionality using the pam_sm_authenticate(3PAM) call. The
SAMPLE module implementation of the pam_sm_authenticate(3PAM) function
compares the user-entered password with the password set in the
pam.conf(5) file, or the string "test" if a default test password has not
been set. The following options can be passed in to the SAMPLE
Authentication module:

debug
Syslog debugging information at the LOG_DEBUG level.


pass=newone
Sets the password to be "newone".


first_pass_good
The first password is always good when used with the
use_first_pass or try_first_pass option.


first_pass_bad
The first password is always bad when used with the
use_first_pass or try_first_pass option.


always_fail
Always returns PAM_AUTH_ERR.


always_succeed
Always returns PAM_SUCCESS.


always_ignore
Always returns PAM_IGNORE.


use_first_pass
Use the user's initial password (entered when the
user is authenticated to the first authentication
module in the stack) to authenticate with the SAMPLE
module. If the passwords do not match, or if this is
the first authentication module in the stack, quit
and do not prompt the user for a password. It is
recommended that this option only be used if the
SAMPLE authentication module is designated as
optional in the pam.conf configuration file.


try_first_pass
Use the user's initial password (entered when the
user is authenticated to the first authentication
module in the stack) to authenticate with the SAMPLE
module. If the passwords do not match, or if this is
the first authentication module in the stack, prompt
the user for a password.

The SAMPLE module pam_sm_setcred(3PAM) function
always returns PAM_SUCCESS.


SAMPLE ACCOUNT MANAGEMENT COMPONENT


The SAMPLE Account Management Component implements a simple access
control scheme that limits machine access to a list of authorized users.
The list of authorized users is supplied as option arguments to the entry
for the SAMPLE account management PAM module in the pam.conf file. Note
that the module always permits access to the root super user.


The option field syntax to limit access is shown below:

    allow=name[,name]
    allow=name [allow=name]


The example pam.conf shown below permits only larry to log in directly.
rlogin is allowed only for don and larry. Once a user is logged in, the
user can use su if the user is sam or eric.


    login    account  required  pam_sample.so.1  allow=larry
    dtlogin  account  required  pam_sample.so.1  allow=larry
    rlogin   account  required  pam_sample.so.1  allow=don allow=larry
    su       account  required  pam_sample.so.1  allow=sam,eric


The debug and nowarn options are also supported.

SAMPLE PASSWORD MANAGEMENT COMPONENT


The SAMPLE Password Management Component function
(pam_sm_chauthtok(3PAM)) always returns PAM_SUCCESS.

SAMPLE SESSION MANAGEMENT COMPONENT


The SAMPLE Session Management Component functions
(pam_sm_open_session(3PAM), pam_sm_close_session(3PAM)) always return
PAM_SUCCESS.

ATTRIBUTES


See attributes(7) for a description of the following attributes:


+---------------+-------------------------+
|ATTRIBUTE TYPE | ATTRIBUTE VALUE |
+---------------+-------------------------+
|MT Level | MT-Safe with exceptions |
+---------------+-------------------------+

SEE ALSO


libpam(3LIB), pam(3PAM), pam_sm_authenticate(3PAM),
pam_sm_chauthtok(3PAM), pam_sm_close_session(3PAM),
pam_sm_open_session(3PAM), pam_sm_setcred(3PAM), pam.conf(5),
attributes(7)

WARNINGS


This module should never be used outside of a closed debug environment.
The examples of the use_first_pass and try_first_pass options are
obsolete for all other delivered PAM service modules.
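
One way to check that the module has not been left in a configuration is to scan a pam.conf(5)-format file for pam_sample.so.1 entries. This is an added example, not part of the original manual page or of illumos; the function names audit_pam_sample and sample_pam_conf are hypothetical, the sample input is constructed, and one entry per line (no backslash continuations) is assumed.

```shell
#!/bin/sh
# audit_pam_sample FILE
# Report every pam_sample.so.1 entry in a pam.conf(5)-format file
# (service  module_type  control_flag  module_path  [options]).
# Returns 1 when at least one entry is found, 0 otherwise.
# Assumption: one entry per line (no backslash continuations).
audit_pam_sample() {
    awk '
    /^[ \t]*#/ || NF < 4 { next }          # skip comments and short lines
    {
        n = split($4, path, "/")           # compare the file name only
        if (path[n] !~ /^pam_sample\.so(\.[0-9]+)?$/) next
        found = 1
        forced = ""
        if ($2 == "auth") {
            note = "password is the default \"test\""
            for (i = 5; i <= NF; i++) {
                if ($i ~ /^pass=/) note = "password is set in the file (pass=)"
                if ($i ~ /^always_/) forced = $i
            }
            if (forced != "") note = "result forced by " forced
        } else if ($2 == "account") {
            note = "allow= list only; root is always permitted"
        } else {
            note = "always returns PAM_SUCCESS"
        }
        printf "line %d: %s %s %s: %s\n", FNR, $1, $2, $3, note
    }
    END { exit found + 0 }
    ' "$1"
}

# Constructed sample input (not taken from a real system).
sample_pam_conf() {
    cat <<'EOF'
# constructed pam.conf fragment
login   auth     required   pam_unix_auth.so.1
login   auth     optional   pam_sample.so.1 try_first_pass
su      auth     sufficient pam_sample.so.1 always_succeed
rlogin  account  required   pam_sample.so.1 allow=don allow=larry
EOF
}

# Demo: audit the constructed sample.
tmp=$(mktemp)
sample_pam_conf > "$tmp"
audit_pam_sample "$tmp" || echo "pam_sample.so.1 is configured: remove it"
rm -f "$tmp"
```

On a system that uses pam.conf(5), point the function at /etc/pam.conf.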

NOTES


The interfaces in libpam(3LIB) are MT-Safe only if each thread within the
multi-threaded application uses its own PAM handle.

illumos August 19, 2023 PAM_SAMPLE(7)