pam_debug
PAM module that returns configurable results for debugging stacks
TLDR
SYNOPSIS
pam_debug.so [arg=value...]
DESCRIPTION
pam_debug is a Linux-PAM testing module that lets administrators script the return value of every PAM service-module hook. It is used to exercise PAM stacks under controlled failure conditions, verify that required, requisite, sufficient, and optional control flags behave as designed, and validate fallback paths in custom stacks.The module performs no authentication of its own: it simply returns the requested code (or PAM_SUCCESS by default) and logs each invocation through syslog so the order in which modules execute can be traced. Each argument applies to exactly one of the four PAM management groups (auth, account, password, session).
PARAMETERS
auth=VALUE
Return code for pam_sm_authenticate.cred=VALUE
Return code for pam_sm_setcred.acct=VALUE
Return code for pam_sm_acct_mgmt.prechauthtok=VALUE
Return code for the PAM_PRELIM_CHECK stage of pam_sm_chauthtok.chauthtok=VALUE
Return code for the PAM_UPDATE_AUTHTOK stage of pam_sm_chauthtok.open_session=VALUE
Return code for pam_sm_open_session.close_session=VALUE
Return code for pam_sm_close_session.VALUE is the lower-case form of any PAM return constant (success, autherr, permdenied, user_unknown, ignore, etc.). Defaults to success for any unspecified hook.
CAVEATS
Strictly a development and testing module. Loading it in /etc/pam.d/ for a real service can bypass authentication entirely (for example, forcing auth=success in the system-auth stack). Distribute changes only in scratch configurations and remove them before deploying.
HISTORY
pam_debug ships with Linux-PAM as part of the upstream PAM source tree, alongside other diagnostic modules such as pam_warn and pam_deny. It is intended as a developer aid for module authors and PAM-stack maintainers.
SEE ALSO
pam(8), pam.d(5), pam_deny(8), pam_permit(8)
