LinuxCommandLibrary

pam_localuser

Prevent login for nonexistent users

SYNOPSIS

pam_localuser is a PAM module and is configured within PAM service files (e.g., /etc/pam.d/sshd). It is not executed as a standalone command.

The general syntax in a PAM configuration file is:
auth [control_flag] pam_localuser.so [options]

Example:
auth required pam_localuser.so file=/etc/my_local_users group=sudo sense=allow

PARAMETERS

file=/path/to/passwd
    Specifies an alternative local password file to check against, instead of the system's default /etc/passwd.

group=name
    Instructs the module to check if the user is a member of the specified local group (name) in /etc/group (or the file specified by file). If this option is used, the module checks group membership instead of simple presence in the password file.

sense=allow|deny
    Controls the module's success condition:
    allow: The module succeeds if the user is found in the local password file (or in the specified group, if group is used). This is the default if sense is not specified.
    deny: The module succeeds if the user is not found in the local password file (or not in the specified group, if group is used).

DESCRIPTION

The pam_localuser module is a Pluggable Authentication Module (PAM) designed to check if an authenticating user is a 'local' user. A local user is typically defined as an entry found in the system's local password database, such as /etc/passwd, rather than a user managed by network services like LDAP, Kerberos, or NIS.

This module is primarily used in the auth PAM stack, allowing administrators to differentiate authentication requirements based on a user's origin. For instance, you might want to grant special privileges or deny access to certain services if a user is not local or, conversely, ensure only local users can access a specific service.

It can also be configured to check for membership in a specific local group, providing finer-grained control over who is considered 'local' for a given service. By default, it succeeds if the user is found locally; however, this logic can be inverted.

CAVEATS

The definition of 'local' for pam_localuser strictly refers to entries in the /etc/passwd and /etc/group files (or the alternative file specified with file=). It does not consult NSS (the Name Service Switch, see nsswitch.conf(5)) or any other directory. Thus, a user who exists in LDAP but not in /etc/passwd is considered 'non-local' by this module, even though getent passwd resolves the name.

PAM CONTROL FLAGS

While not specific to pam_localuser, its behavior within the PAM stack is heavily influenced by the control flag specified before the module, such as required, requisite, sufficient, and optional. These flags dictate how the success or failure of pam_localuser affects the overall outcome of the stack for a given service. For example, auth required pam_localuser.so means the user must be local for the auth stack as a whole to succeed; the module's success only establishes that the account exists locally, so the stack still needs a credential-checking module such as pam_unix to actually authenticate the user.

TYPICAL USE CASES

Common uses include:
- Restricting SSH or console logins only to users defined in /etc/passwd.
- Ensuring that users in a specific administrative group are also local users.
- Allowing non-local users to access certain services while denying them others.
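The first use case above, restricting SSH logins to accounts in /etc/passwd, is easiest to roll out safely after checking which accounts the rule would reject. The script below is an added example, not code from LinuxCommandLibrary or from the Linux-PAM project: it reproduces pam_localuser's decision (an exact match on the first field of a passwd-format file, as selected by file=) and diffs it against an NSS listing. The passwd file and NSS listing are constructed inline; on a real host you would pass /etc/passwd and the output of getent passwd.

```sh
#!/bin/sh
# Added example (not Linux-PAM code): emulate pam_localuser's check so an
# administrator can audit /etc/pam.d/sshd changes before enabling them.

# Constructed local password file (stands in for /etc/passwd).
LOCAL_PASSWD=$(mktemp)
cat > "$LOCAL_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/sh
EOF

# Constructed NSS view (stands in for 'getent passwd'): the local accounts
# plus 'carol', served by a directory (LDAP/NIS) and absent from the local file.
NSS_LISTING=$(mktemp)
cat > "$NSS_LISTING" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/sh
carol:*:20001:20001:Carol (LDAP):/home/carol:/bin/bash
EOF
trap 'rm -f "$LOCAL_PASSWD" "$NSS_LISTING"' EXIT

# is_local_user NAME [FILE]: exit 0 only if NAME is the whole first field of
# a line in FILE (default /etc/passwd), mirroring the module's file= option.
# The comparison is on the entire field, so 'ali' does not match 'alice'.
is_local_user() {
    awk -F: -v u="$1" '$1 == u { found = 1 } END { exit !found }' "${2:-/etc/passwd}"
}

# nonlocal_accounts NSS_FILE LOCAL_FILE: print each account present in the
# NSS listing but missing from the local file, i.e. the users that
# 'auth required pam_localuser.so file=LOCAL_FILE' would reject.
nonlocal_accounts() {
    awk -F: 'FILENAME == ARGV[1] { islocal[$1] = 1; next }
             !($1 in islocal) { print $1 }' "$2" "$1"
}

# The module only proves that the name exists locally, never a credential, so
# keep it 'required' (or 'requisite') ahead of the password modules. Marking
# it 'sufficient' as the first auth line would end the stack successfully for
# any local username before pam_unix ever ran.
echo "Accounts that 'auth required pam_localuser.so' would reject:"
nonlocal_accounts "$NSS_LISTING" "$LOCAL_PASSWD"
```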

HISTORY

PAM (Pluggable Authentication Modules) was developed in the mid-1990s to provide a modular and flexible authentication framework. pam_localuser is one of the core modules that has been part of the PAM suite since its early days, fulfilling the fundamental need to distinguish between system-native users and those managed by external authentication sources.

SEE ALSO

pam(8), pam_unix(8), passwd(5), group(5), nsswitch.conf(5)
