pam_per_user man page on DragonFly

pam_per_user(5)			Authentication		       pam_per_user(5)

NAME
       pam_per_user - PAM module for calling per-user authentication mechanisms

SYNOPSIS
       /usr/local/lib/security/pam_per_user.so.1

DESCRIPTION
       pam_per_user is a shared library which gets dynamically loaded into the
       PAM framework.  It allows the selection of authentication mechanism on
       a per-user basis for PAM-aware applications.

       The pam_per_user module reads a map file to determine what mechanism to
       use for the user being authenticated.  The map file consists of lines
       of the following format:

	      [type=]key : service_name

       Text beginning with a '#' is ignored through the next newline.  Blank
       lines and incomplete lines are also ignored.

       The optional type field indicates what type of match should be done
       against key.  Supported types are:

       USER   Perform a simple string comparison of the key and the user.

              If key is "*", then the entry will be used as a fallback match.
              In other words, pam_per_user will save this entry and continue
              reading the map file.  If a later entry matches, that match will
              be returned.  However, if no other entries match, the fallback
              entry will be used.  This allows a default mechanism to be
              selected for users which are not explicitly listed.

       GROUP  Checks to see whether the user is a member of group key.

       If no type field is specified for a given entry, the default type is
       USER.

       Once the map file has been read, pam_per_user creates a new PAM handle
       using the resulting service name.  The requested PAM function is then
       called and the value is returned to the caller.  This recursive use of
       PAM is transparent to the calling application.

       The following special tokens can be specified in the map file instead
       of a PAM service name.  They cause pam_per_user to return an immediate
       result without recursively calling PAM:

       @FAIL  Causes pam_per_user to return PAM_AUTH_ERR.

       @SUCCEED
	      Causes pam_per_user to return PAM_SUCCESS.

       @IGNORE
	      Causes pam_per_user to return PAM_IGNORE.

OPTIONS
       The pam_per_user module accepts an optional argument which sets the
       name of the external file that will be read.  If no filename is
       specified, /etc/pam_per_user.map will be read.

EXAMPLE
       Say that you want to use the pam_pseudo module to allow users to su to
       a special pseudo-user account called foo, you want to prevent people
       from suing to root, and you want members of the "wheel" group to
       authenticate via radius, but you do not want to modify the behavior for
       other accounts.  To do this, create the file /etc/pam_per_user.map with
       the following content:

	      foo : su-pseudo
	      root : @FAIL
	      GROUP=wheel : radius
	      * : su-default

       Then, rename the su entries in /etc/pam.conf to su-default and add the
       following new entries:

	      su auth required /usr/local/lib/security/pam_per_user.so.1
	      su-pseudo auth required /usr/local/lib/security/pam_pseudo.so.1
	      radius auth required /usr/local/lib/security/pam_radius_auth.so.1

NOTES
       Because pam_per_user creates a new PAM handle to authenticate the user
       with an alternate service name, it is possible to create an infinite
       loop by recursively calling pam_per_user.  No checking is done to
       prevent this from happening, so the administrator must take care to
       avoid it.
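       The following Python model is an added example and is not part of the
       pam_per_user module or this man page.  It reproduces the map-file rules
       from DESCRIPTION (comments, blank and incomplete lines, the USER/GROUP
       types, the "*" fallback and the @FAIL/@SUCCEED/@IGNORE tokens) against
       a constructed copy of the EXAMPLE map, and adds the loop check that the
       NOTES section says the module itself does not perform: it flags any
       service named in the map whose pam.conf auth stack loads pam_per_user
       again.  The sample map and pam.conf fragments are constructed; the
       behaviour when nothing matches and no fallback exists, and the handling
       of an unknown type field, are not documented on the page and are
       labelled as assumptions in the code.

```python
"""Model of pam_per_user map lookup plus a recursion check (added example)."""
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample map based on the EXAMPLE section, with a comment, a
# trailing comment, a blank line and an incomplete line that must be skipped.
SAMPLE_MAP = """\
# per-user su policy (constructed sample)
foo : su-pseudo            # trailing comments are ignored too
root : @FAIL

GROUP=wheel : radius
this line has no colon and is ignored
* : su-default
"""

# Constructed pam.conf fragments.  The second routes su-default straight back
# into pam_per_user, which is the infinite loop the NOTES section warns about.
SAFE_PAM_CONF = """\
su         auth required /usr/local/lib/security/pam_per_user.so.1
su-pseudo  auth required /usr/local/lib/security/pam_pseudo.so.1
radius     auth required /usr/local/lib/security/pam_radius_auth.so.1
su-default auth required /usr/lib/pam_unix.so
"""
LOOPING_PAM_CONF = SAFE_PAM_CONF.replace(
    "su-default auth required /usr/lib/pam_unix.so",
    "su-default auth required /usr/local/lib/security/pam_per_user.so.1")

# Special tokens that return a result without a recursive PAM call.
SPECIAL_TOKENS = {"@FAIL": "PAM_AUTH_ERR", "@SUCCEED": "PAM_SUCCESS", "@IGNORE": "PAM_IGNORE"}

Entry = Tuple[str, str, str]  # (type, key, service_name)


def parse_map(text: str) -> List[Entry]:
    """Parse '[type=]key : service_name' lines; '#' comments, blank and incomplete lines are dropped."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # '#' is ignored through the newline
        if not line or ":" not in line:       # blank or incomplete line
            continue
        lhs, service = (p.strip() for p in line.split(":", 1))
        if not lhs or not service:
            continue
        if "=" in lhs:
            mtype, key = (p.strip() for p in lhs.split("=", 1))
            mtype = mtype.upper()
        else:
            mtype, key = "USER", lhs          # no type field: default is USER
        if mtype not in ("USER", "GROUP"):
            continue  # assumption: an unknown type is treated like an incomplete line
        entries.append((mtype, key, service))
    return entries


def resolve(entries: List[Entry], user: str, groups: Set[str]) -> Optional[str]:
    """Return the service for user, honouring the '*' fallback; None if nothing matches."""
    fallback: Optional[str] = None
    for mtype, key, service in entries:
        if mtype == "USER" and key == "*":
            fallback = service                # remembered; keep reading for an explicit match
        elif mtype == "USER" and key == user:
            return service
        elif mtype == "GROUP" and key in groups:
            return service
    return fallback


def simulate_auth(entries: List[Entry], user: str, groups: Set[str]) -> Tuple[str, Optional[str]]:
    """What pam_per_user hands back: an immediate PAM result, or the service it recurses into."""
    service = resolve(entries, user, groups)
    if service is None:
        return ("no-match", None)  # assumption: the page does not document this case
    if service in SPECIAL_TOKENS:
        return ("return", SPECIAL_TOKENS[service])
    return ("delegate", service)


def parse_pam_conf(text: str) -> Dict[str, List[str]]:
    """Map service name -> module paths of its auth lines (other facilities are ignored)."""
    conf: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 4:
            continue
        service, facility, _control, module = fields[:4]
        if facility == "auth":
            conf.setdefault(service, []).append(module)
    return conf


def find_loops(entries: List[Entry], pam_conf: Dict[str, List[str]]) -> List[str]:
    """Services named in the map whose auth stack loads pam_per_user again, i.e. would recurse."""
    return sorted({s for _, _, s in entries
                   if s not in SPECIAL_TOKENS
                   and any("pam_per_user" in m for m in pam_conf.get(s, []))})


if __name__ == "__main__":
    entries = parse_map(SAMPLE_MAP)
    for user, groups in (("foo", set()), ("root", {"wheel"}), ("alice", {"wheel"}), ("bob", {"users"})):
        print(user, "->", simulate_auth(entries, user, groups))
    print("loops in safe conf:", find_loops(entries, parse_pam_conf(SAFE_PAM_CONF)))
    print("loops in looping conf:", find_loops(entries, parse_pam_conf(LOOPING_PAM_CONF)))
```

       Note that root is matched by its explicit USER entry before the
       GROUP=wheel line is considered, so a root in wheel still gets @FAIL;
       order in the map file decides which non-fallback entry wins.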

FILES
       /etc/pam_per_user.map
       /etc/pam.conf

SEE ALSO
       pam(3), pam.conf(4)

AUTHOR
       Mark D. Roth <roth@feep.net>

Feep Networks			   Aug 2005		       pam_per_user(5)