PAM filter module


' 'u [debug] [new_term] [non_term] run1|run2 filter [ . . . ]


This module is intended to be a platform for providing access to all of the input/output that passes between the user and the application . It is only suitable for tty -based and (stdin/stdout) applications .

To function this module requires filters to be installed on the system . The single filter provided with the module simply transposes upper and lower case letters in the input and output streams . (This can be very annoying and is not kind to termcap based editors) .

Each component of the module has the potential to invoke the desired filter . The filter is always execv (2) with the privilege of the calling application and not that of the user . For this reason it cannot usually be killed by the user without closing their session .


debug Print debug information .

new_term The default action of the filter is to set the PAM_TTY item to indicate the terminal that the user is using to connect to the application . This argument indicates that the filter should set PAM_TTY to the filtered pseudo -terminal .

non_term don (Aqt try to set the PAM_TTY item .

runX In order that the module can invoke a filter it should know when to invoke it . This argument is required to tell the filter when to do this .

Permitted values for X are 1 and 2 . These indicate the precise time that the filter is to be run . To understand this concept it will be useful to have read the pam (3) manual page . Basically, for each management group there are up to two ways of calling the module (Aqs functions . In the case of the authentication and session components there are actually two separate functions . For the case of authentication, these functions are pam_authenticate (3) and pam_setcred (3),here run1 means run the filter from the pam_authenticate function and run2 means run the filter from pam_setcred . In the case of the session modules, run1 implies that the filter is invoked at the pam_open_session (3) stage, and run2 for pam_close_session (3).
For the case of the account component . Either run1 or run2 may be used .
For the case of the password component, run1 is used to indicate that the filter is run on the first occasion of pam_chauthtok (3) (the PAM_PRELIM_CHECK phase) and run2 is used to indicate that the filter is run on the second occasion (the PAM_UPDATE_AUTHTOK phase) .

filter The full pathname of the filter to be run and any command line arguments that the filter might expect .


All module types ( auth , account , password and session )are provided .


PAM_SUCCESS The new filter was set successfully .

PAM_ABORT Critical error, immediate abort .


Add the following line to /etc/pam .d/login to see how to configure login to transpose upper and lower case letters once the user has logged in:

.RS 4
session required pam_filter .so run1 /lib/security/pam_filter/upperLOWER


pam.conf(5), pam.d(5), pam(8)


pam_filter was written by Andrew G . Morgan <morgan@kernel .org> .

Copied to clipboard
free 100$ digital ocean credit