pam_succeed_if

test account characteristics

SYNOPSIS

pam_succeed_if.so [flag...] [condition...]

DESCRIPTION

pam_succeed_if.so is designed to succeed or fail authentication based on characteristics of the account belonging to the user being authenticated or values of other PAM items. One use is to select whether to load other modules based on this test.

The module should be given one or more conditions as module arguments, and authentication will succeed only if all of the conditions are met.

OPTIONS

The following flags are supported:

debug
    Turns on debugging messages sent to syslog.

use_uid
    Evaluate conditions using the account of the user whose UID the application is running under instead of the user being authenticated.

quiet
    Don't log failure or success to the system log.

quiet_fail
    Don't log failure to the system log.

quiet_success
    Don't log success to the system log.

audit
    Log unknown users to the system log.

Conditions are three words: a field, a test, and a value to test for.

Available fields are user, uid, gid, shell, home, ruser, rhost, tty and service:

field < number
    Field has a value numerically less than number.

field <= number
    Field has a value numerically less than or equal to number.

field eq number
    Field has a value numerically equal to number.

field >= number
    Field has a value numerically greater than or equal to number.

field > number
    Field has a value numerically greater than number.

field ne number
    Field has a value numerically different from number.

field = string
    Field exactly matches the given string.

field != string
    Field does not match the given string.

field =~ glob
    Field matches the given glob.

field !~ glob
    Field does not match the given glob.

field in item:item:...
    Field is contained in the list of items separated by colons.

field notin item:item:...
    Field is not contained in the list of items separated by colons.

user ingroup group
    User is in given group.

user notingroup group
    User is not in given group.

user innetgr netgroup
    (user,host) is in given netgroup.

user notinnetgr group
    (user,host) is not in given netgroup.

MODULE TYPES PROVIDED

All module types (account, auth, password and session) are provided.

RETURN VALUES

PAM_SUCCESS
    The condition was true.

PAM_AUTH_ERR
    The condition was false.

PAM_SERVICE_ERR
    A service error occurred or the arguments can't be parsed correctly.

EXAMPLES

To emulate the behaviour of pam_wheel, except there is no fallback to group 0:

    auth required pam_succeed_if.so quiet user ingroup wheel

Given that the type matches, only loads the othermodule rule if the UID is over 500. Adjust the number after default to skip several rules.

    type [default=1 success=ignore] pam_succeed_if.so quiet uid > 500
    type required othermodule.so arguments...
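
The following Python model is an added example, not part of pam_succeed_if or Linux-PAM: it follows the condition syntax and return values documented on this page so that the outcome of a rule's arguments can be checked against a test account before the rule is deployed. The account dictionary, its groups and netgroups sets, and the function names are assumptions of the example; flags are only skipped, and this model treats non-numeric operands to a numeric test as unparseable.

```python
import fnmatch

FLAGS = {"debug", "use_uid", "quiet", "quiet_fail", "quiet_success", "audit"}
FIELDS = {"user", "uid", "gid", "shell", "home", "ruser", "rhost", "tty", "service"}
NUMERIC = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
           "eq": lambda a, b: a == b, ">=": lambda a, b: a >= b,
           ">": lambda a, b: a > b, "ne": lambda a, b: a != b}

def check(field, test, value, acct):
    """Return True/False for one condition, or None if it cannot be parsed."""
    if test in ("ingroup", "notingroup", "innetgr", "notinnetgr"):
        if field != "user":  # this model accepts only the documented "user ..." form
            return None
        key = "groups" if test.endswith("group") else "netgroups"
        return (value in acct.get(key, ())) != test.startswith("not")
    if field not in FIELDS:
        return None
    left = str(acct.get(field, ""))
    if test in NUMERIC:
        if not (left.isdigit() and value.isdigit()):
            return None
        return NUMERIC[test](int(left), int(value))
    if test in ("=", "!="):
        return (left == value) == (test == "=")
    if test in ("=~", "!~"):
        return fnmatch.fnmatchcase(left, value) == (test == "=~")
    if test in ("in", "notin"):
        return (left in value.split(":")) == (test == "in")
    return None

def evaluate(args, acct):
    """Model the module result for an argument list such as the page's examples."""
    args = list(args)
    while args and args[0] in FLAGS:  # leading flags, per the SYNOPSIS
        args.pop(0)
    if len(args) % 3:
        return "PAM_SERVICE_ERR"      # a condition is three words
    results = [check(*args[i:i + 3], acct) for i in range(0, len(args), 3)]
    if None in results:
        return "PAM_SERVICE_ERR"
    return "PAM_SUCCESS" if all(results) else "PAM_AUTH_ERR"

# Constructed sample account, not taken from the page.
ALICE = {"user": "alice", "uid": 1001, "gid": 1001, "shell": "/bin/bash",
         "home": "/home/alice", "service": "sshd", "groups": {"wheel"}}
```

For instance, evaluate("quiet uid > 500".split(), ALICE) models the second rule above; a truncated condition such as "uid >" yields PAM_SERVICE_ERR rather than a failed match.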

SEE ALSO

glob(7), pam(8)

AUTHOR

Nalin Dahyabhai <nalin@redhat.com>
