freebsd-dev/etc/pam.d
Robert Watson 64ac587b8a Exempt the "wheel group requirement" by default when su'ing to root if
the wheel group has no explicit members listed in /etc/group.  This adds
the "exempt_if_empty" flag to pam_wheel in the default configuration;
in some environments, it may be appropriate to remove this flag, however,
this default is the same as pre-pam_wheel.

Reviewed by:	markm
Sponsored by:	DARPA, Network Associates Laboratories
2002-10-18 02:39:21 +00:00
..
convert.pl Unmunge the version preservation code and obfuscate it so CVS won't munge 2002-01-12 23:08:59 +00:00
ftp Don't list pam_unix in the session chain, since it does not provide any 2002-04-18 17:40:27 +00:00
ftpd Don't list pam_unix in the session chain, since it does not provide any 2002-04-18 17:40:27 +00:00
gdm xdm plays horrid tricks with PAM, and dumps core if it's allowed to call 2002-05-02 05:00:40 +00:00
imap Enable OPIE by default, using the no_fake_prompts option to hide it from 2002-01-21 18:51:24 +00:00
kde Enable OPIE by default, using the no_fake_prompts option to hide it from 2002-01-21 18:51:24 +00:00
login Use pam_lastlog(8)'s new no_fail option. 2002-05-08 00:33:02 +00:00
Makefile We don't use this any more. 2002-06-19 20:01:25 +00:00
other Use pam_lastlog(8)'s new no_fail option. 2002-05-08 00:33:02 +00:00
passwd Add PAM policy for the "passwd" service, including a sample config line 2002-04-15 03:01:32 +00:00
pop3 Enable OPIE by default, using the no_fake_prompts option to hide it from 2002-01-21 18:51:24 +00:00
README Awright, egg on my face. I should have taken more time with this. The 2001-12-05 21:26:00 +00:00
rexecd Add a PAM policy for rexecd(8). 2002-05-02 05:05:28 +00:00
rsh Don't list pam_unix in the session chain, since it does not provide any 2002-04-18 17:40:27 +00:00
sshd Silence pam_lastlog for now. 2002-07-07 10:00:43 +00:00
su Exempt the "wheel group requirement" by default when su'ing to root if 2002-10-18 02:39:21 +00:00
telnetd Enable OPIE for sshd and telnetd. I thought I'd done this a long time 2002-06-19 20:00:43 +00:00
xdm xdm plays horrid tricks with PAM, and dumps core if it's allowed to call 2002-05-02 05:00:40 +00:00
xserver Awright, egg on my face. I should have taken more time with this. The 2001-12-05 21:26:00 +00:00

This directory contains configuration files for the Pluggable
Authentication Modules (PAM) library.

Each file details the module chain for a single service, and must be
named after that service.  If no configuration file is found for a
particular service, the /etc/pam.d/other is used instead.  If that
file does not exist, /etc/pam.conf is searched for entries matching
the specified service or, failing that, the "other" service.

See the pam(8) manual page for an explanation of the workings of the
PAM library and descriptions of the various files and modules.  Below
is a summary of the format for the pam.conf and /etc/pam.d/* files.

Configuration lines take the following form:

module-type	control-flag	module-path	arguments

Comments are introduced with a hash mark ('#').  Blank lines and lines
consisting entirely of comments are ignored.

The meanings of the different fields are as follows:
 
 module-type:
   auth:      prompt for a password to authenticate that the user is
              who they say they are, and set any credentials.
   account:   non-authentication based authorization, based on time,
              resources, etc.
   session:   housekeeping before and/or after login.
   password:  update authentication tokens.
 
 control-flag: How libpam handles success or failure of the module.
   required:   success is required, and on failure all remaining
               modules are run.
   requisite:  success is required, and on failure no remaining
               modules are run.
   sufficient: success is sufficient, and if no previous required
               module failed, no remaining modules are run.
   optional:   ignored unless the other modules return PAM_IGNORE.
 
 arguments: Module-specific options, plus some generic ones:
   debug:           syslog debug info.
   no_warn:         return no warning messages to the application.
                    Remove this to feed back to the user the
                    reason(s) they are being rejected.
   use_first_pass:  try authentication using password from the
                    preceding auth module.
   try_first_pass:  first try authentication using password from
                    the preceding auth module, and if that fails
                    prompt for a new password.
   use_mapped_pass: convert cleartext password to a crypto key.
   expose_account:  allow printing more info about the user when
                    prompting.
 
Note that having a "sufficient" module as the last entry for a
particular service and module type may result in surprising behaviour.
To get the intended semantics, add a "required" entry listing the
pam_deny module at the end of the chain.

$FreeBSD$