pam_succeed_if
Grant access based on a condition
SYNOPSIS
pam_succeed_if.so [debug] [quiet] [audit]
PARAMETERS
debug
    Enables debug messages in the system log.
quiet
    Suppresses error messages.
audit
    Logs success and failure events to the audit log.
uid >=
    Checks if the user's UID is greater than or equal to the specified number.
uid <=
    Checks if the user's UID is less than or equal to the specified number.
gid >=
    Checks if the user's GID is greater than or equal to the specified number.
gid <=
    Checks if the user's GID is less than or equal to the specified number.
user =
    Checks if the username matches the specified username.
user !=
    Checks if the username does not match the specified username.
group =
    Checks if the user is a member of the specified group.
group !=
    Checks if the user is not a member of the specified group.
tty =
    Checks if the login is from the specified TTY.
host =
    Checks if the login is from the specified hostname (resolved via DNS).
host !=
    Checks if the login is not from the specified hostname (resolved via DNS).
rhost =
    Checks if the login is from the specified remote hostname or IP address.
rhost !=
    Checks if the login is not from the specified remote hostname or IP address.
service =
    Checks if the service matches the specified service name.
service !=
    Checks if the service does not match the specified service name.
user_unknown
    Checks if the user is unknown.
user_present
    Checks if the user is present.
addr = /
    Checks if the remote address is in the specified network.
addr != /
    Checks if the remote address is not in the specified network.
env =
    Checks if the environment variable exists.
env !=
    Checks if the environment variable does not exist.
DESCRIPTION
The pam_succeed_if module is a PAM (Pluggable Authentication Modules) module that conditionally returns success based on various criteria. It allows administrators to create flexible authentication policies by evaluating conditions related to user attributes, environment variables, or other PAM modules. If the specified condition is met, pam_succeed_if returns PAM_SUCCESS, allowing the authentication process to continue. If the condition is not met, the module's logging behavior depends on the debug, quiet, and audit options.

It is often used to bypass password prompts for specific users, groups, or under certain network conditions, giving administrators more granular control over the login process. The module can be used in the authentication, account management, session management, and password management module stacks. However, improper configuration can lead to unexpected authentication behavior, so careful planning and testing are crucial.
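Added example (not part of this page or of the Linux-PAM project): a small Python model that parses a constructed auth stack, evaluates pam_succeed_if conditions in the syntax listed under PARAMETERS against a login context, and reports which "sufficient" rule, if any, would grant access before the later modules run. The sample stack, the login contexts and the simplified control-flag semantics are assumptions.

```python
import shlex
# Constructed auth stack (assumption); each rule uses only conditions listed under PARAMETERS.
SAMPLE_STACK = """\
auth  required    pam_env.so
auth  [success=1 default=ignore] pam_succeed_if.so service = sshd rhost != 10.0.0.5
auth  sufficient  pam_succeed_if.so uid <= 999 quiet
auth  sufficient  pam_succeed_if.so user = kiosk tty = tty7
auth  required    pam_unix.so
"""

def parse_stack(text):
    """Split pam.d lines into (control, module, args); a [bracketed] control may contain spaces."""
    rules = []
    for line in text.splitlines():
        _type, rest = line.split(None, 1)
        if rest.startswith("["):
            end = rest.index("]") + 1
            control, rest = rest[:end], rest[end:]
        else:
            control, rest = rest.split(None, 1)
        parts = rest.split(None, 1)
        rules.append((control, parts[0], parts[1] if len(parts) > 1 else ""))
    return rules

def eval_rule(args, ctx):
    """Status one pam_succeed_if line yields for login context ctx: every condition must hold."""
    toks = [t for t in shlex.split(args) if t not in ("debug", "quiet", "audit")]
    for i in range(0, len(toks), 3):
        field, op, value = toks[i:i + 3]
        if field in ("uid", "gid"):  # numeric comparison
            hit = int(ctx[field]) >= int(value) if op == ">=" else int(ctx[field]) <= int(value)
        elif field == "group":  # membership test against ctx["groups"]
            hit = (value in ctx.get("groups", ())) == (op == "=")
        else:  # user, service, tty, rhost: plain string comparison
            hit = (ctx.get(field) == value) == (op == "=")
        if not hit:
            return "PAM_IGNORE"
    return "PAM_SUCCESS"

def first_bypass(rules, ctx):
    """Index of the first 'sufficient' pam_succeed_if that grants access before later modules run, else None.
    Simplified model (assumption): 'sufficient' short-circuits on success, '[success=N ...]' skips N modules."""
    i = 0
    while i < len(rules):
        control, module, args = rules[i]
        if module == "pam_succeed_if.so" and eval_rule(args, ctx) == "PAM_SUCCESS":
            if control == "sufficient":
                return i
            if control.startswith("[success="):
                i += int(control[9:].split()[0])
        i += 1
    return None
```

Running first_bypass over the sample stack for a local kiosk login on tty7 and for a system account arriving over sshd shows how the skip rule keeps the "uid <= 999" bypass from applying to remote logins.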
CAVEATS
Improper configuration can easily lock users out of the system. Careful testing is crucial before deploying changes to production systems.
Host name resolution can be unreliable. Where possible, match on IP addresses or network ranges with the addr parameter rather than on rhost.
RETURN VALUES
PAM_SUCCESS: The condition was met.
PAM_IGNORE: The condition was not met, and the module should be ignored.
PAM_AUTH_ERR: An error occurred.