LinuxCommandLibrary

pam_succeed_if

Grant access based on a condition

SYNOPSIS

pam_succeed_if.so [debug] [quiet] [audit] condition [...]

PARAMETERS

debug
    Enables debug messages in the system log.

quiet
    Suppresses error messages.

audit
    Logs success and failure events to the audit log.

uid >=
    Checks if the user's UID is greater than or equal to the specified number.

uid <=
    Checks if the user's UID is less than or equal to the specified number.

gid >=
    Checks if the user's GID is greater than or equal to the specified number.

gid <=
    Checks if the user's GID is less than or equal to the specified number.

user =
    Checks if the username matches the specified username.

user !=
    Checks if the username does not match the specified username.

group =
    Checks if the user is a member of the specified group.

group !=
    Checks if the user is not a member of the specified group.

tty =
    Checks if the login is from the specified TTY.

host =
    Checks if the login is from the specified hostname (resolved via DNS).

host !=
    Checks if the login is not from the specified hostname (resolved via DNS).

rhost =
    Checks if the login is from the specified remote hostname or IP address.

rhost !=
    Checks if the login is not from the specified remote hostname or IP address.

service =
    Checks if the service matches the specified service name.

service !=
    Checks if the service does not match the specified service name.

user_unknown
    Checks if the user is unknown.

user_present
    Checks if the user is present.

addr = network/netmask
    Checks if the remote address is in the specified network.

addr != network/netmask
    Checks if the remote address is not in the specified network.

env = name=value
    Checks if the environment variable exists.

env != name=value
    Checks if the environment variable does not exist.

DESCRIPTION

The pam_succeed_if module is a PAM (Pluggable Authentication Modules) module that conditionally returns success based on various criteria. It allows administrators to create flexible authentication policies by evaluating conditions related to user attributes, environment variables, or other PAM modules. If the specified condition is met, pam_succeed_if returns PAM_SUCCESS, allowing the authentication process to continue. If the condition is not met, the module's behavior depends on the debug, quiet, and audit options.

It is often used to bypass password prompts for specific users, groups, or under certain network conditions, giving more granular control over the login process. The module can be used in the authentication, account management, session management, and password management module stacks. However, improper configuration can lead to unexpected authentication behavior, so careful planning and testing are crucial.

CAVEATS

Improper configuration can easily lock users out of the system. Careful testing is crucial before deploying changes to production systems.
Host name resolution can be unreliable. Where possible, prefer IP addresses, or network ranges via the addr parameter, over hostname matching with rhost.
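The following is an added example (not part of this page and not Linux-PAM code) that simulates how an auth stack built around pam_succeed_if.so decides access, covering both the conditional password bypass described above and the two caveats: a condition that is too broad and a required network condition that locks users out. The pam.d stanzas, the user records and the kiosk/admin names are constructed; the parser handles only the control values used here, pam_unix.so is stood in for by a password_ok flag, and the stack rules are a simplification of pam.conf(5).

```python
"""Simulate how a pam.d auth stack built around pam_succeed_if.so decides access.

Added example, not Linux-PAM code: the parser covers only the control values
and conditions used here, pam_unix.so is stood in for by a constructed
password_ok flag, and the stack rules are a simplification of pam.conf(5).
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Request:
    """What pam_succeed_if.so can see about one login attempt (constructed)."""
    user: str
    uid: int
    gid: int
    groups: frozenset
    service: str
    tty: str = ""
    rhost: str = ""
    password_ok: bool = False  # stand-in for pam_unix.so's password check


NUMERIC = {">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
           "=": lambda a, b: a == b, "!=": lambda a, b: a != b}
FLAGS = {"debug", "quiet", "audit"}  # only affect logging, not the result


def succeed_if(req, args):
    """Evaluate pam_succeed_if.so conditions; every condition must hold (AND)."""
    toks = [a for a in args if a not in FLAGS]
    if len(toks) % 3:
        raise ValueError("conditions are 'field op value' triples: %r" % args)
    for field, op, value in zip(toks[::3], toks[1::3], toks[2::3]):
        if field in ("uid", "gid"):
            ok = NUMERIC[op](getattr(req, field), int(value))
        else:
            if field == "group":
                match = value in req.groups
            elif field == "addr":
                # addr = network/netmask: remote address inside the network;
                # a local login with no remote address never matches
                match = bool(req.rhost) and ipaddress.ip_address(req.rhost) in \
                    ipaddress.ip_network(value, strict=False)
            else:  # user, tty, rhost, service: exact string comparison
                match = getattr(req, field) == value
            ok = match if op == "=" else not match
        if not ok:
            return False
    return True


MODULES = {
    "pam_succeed_if.so": succeed_if,
    "pam_unix.so": lambda req, args: req.password_ok,
    "pam_permit.so": lambda req, args: True,
    "pam_deny.so": lambda req, args: False,
}


def parse_stack(text):
    """Parse 'type control module args...' lines; control may be [success=N default=ignore]."""
    entries = []
    for line in text.splitlines():
        toks = line.split()
        if not toks or toks[0].startswith("#"):
            continue
        if toks[1].startswith("["):
            end = next(i for i, t in enumerate(toks) if t.endswith("]"))
            control, rest = " ".join(toks[1:end + 1]), toks[end + 1:]
        else:
            control, rest = toks[1], toks[2:]
        entries.append((control, rest[0], rest[1:]))
    return entries


def run_stack(req, stack_text):
    """Return 'allow' or 'deny' for one auth stack (simplified pam.conf(5) rules)."""
    entries = parse_stack(stack_text)
    i, succeeded, required_failed = 0, False, False
    while i < len(entries):
        control, module, args = entries[i]
        i += 1
        ok = MODULES[module](req, args)
        if control.startswith("["):
            # [success=N default=ignore]: success counts as ok and skips the
            # next N lines; any other result is ignored
            if ok:
                succeeded = True
                i += int(control.split("success=")[1].split()[0].rstrip("]"))
        elif control == "sufficient":
            # success ends the stack with allow unless a required module failed
            if ok and not required_failed:
                return "allow"
        elif control == "required":
            if ok:
                succeeded = True
            else:
                required_failed = True
        else:
            raise ValueError("unsupported control: " + control)
    return "allow" if succeeded and not required_failed else "deny"


# Intended: the kiosk account on the console skips the password, everyone else needs one.
KIOSK_STACK = """
auth [success=1 default=ignore] pam_succeed_if.so user = kiosk tty = tty1 service = login quiet
auth required pam_unix.so
auth required pam_permit.so
"""

# Too broad: without the tty/service conditions, 'kiosk' over ssh skips the password too.
BROAD_STACK = """
auth sufficient pam_succeed_if.so user = kiosk quiet
auth required pam_unix.so
"""

# Lockout: a required network condition denies a correct password from outside 10.0.0.0/8.
LAN_ONLY_STACK = """
auth required pam_succeed_if.so addr = 10.0.0.0/8 quiet
auth required pam_unix.so
"""

if __name__ == "__main__":
    kiosk_console = Request("kiosk", 1001, 1001, frozenset({"kiosk"}), "login", tty="tty1")
    kiosk_ssh = Request("kiosk", 1001, 1001, frozenset({"kiosk"}), "sshd", rhost="203.0.113.5")
    admin = Request("admin", 1000, 1000, frozenset({"wheel"}), "sshd", rhost="203.0.113.5", password_ok=True)
    for name, stack in (("kiosk", KIOSK_STACK), ("broad", BROAD_STACK), ("lan-only", LAN_ONLY_STACK)):
        for req in (kiosk_console, kiosk_ssh, admin):
            print(name, req.user, req.service, req.tty or req.rhost, "->", run_stack(req, stack))
```

Running the script shows the three outcomes worth testing before a change goes to production: the kiosk stack lets the console kiosk in without a password but still challenges it over ssh, the broad stack lets the kiosk in over ssh with no password at all, and the LAN-only stack denies an admin with a correct password from 203.0.113.5 while admitting the same admin from a 10.0.0.0/8 address.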

RETURN VALUES

PAM_SUCCESS: The condition was met.
PAM_IGNORE: The condition was not met, and the module should be ignored.
PAM_AUTH_ERR: An error occurred.

SEE ALSO

pam(8), pam.conf(5), pam_unix(8)
