PAM-modules Manual (split by chapter):   Section:   Chapter:FastBack: Top   Up: Top   FastForward: pamck   Contents: Table of ContentsIndex: Concept Index

1 Introduction to PAM-modules

PAM-modules is a collection of various pluggable authentication modules. This manual describes each module in detail. The reader is expected to be sufficiently proficient with general UNIX administration issues and with Pluggable Authentication Modules (PAM) in particular.

Each module is configurable from its command line. Modules that require such amounts of configuration data, that are inconvenient to pass from the command line (see sql), implement their separate configuration files.

Several command line options are common for all modules. These are:


Change debugging level (0 <= level <= 100). The debugging information will be logged via syslog channel auth.debug. Notice, that debugging output can reveal authentication credentials. In particular, user password is displayed on debugging level 100.


Log full debugging information (equivalent to debug=100).


Wait for interval seconds before starting. This option is intended for the package developers and is not enabled, unless you configure the package with --enable-debug option. Most probably you will not need this option. The following description is provided in case you decide to participate in PAM-modules development:

When this option is present, the module displays the following diagnostics in syslog auth.crit channel:


and waits for interval seconds (default 3600) before actually starting to do anything. The developer is supposed to attach to the process with a debugger, set the interval variable to 0 and to continue execution of the module in the debugging mode.

Some modules perform PAM item expansion on their arguments. It is a feature similar to shell’s variable expansion. During item expansion, any occurrence of $name in a string is replaced by the value of the PAM item name. If the item in question is not defined, an empty string is substituted instead. A limited support for the shell-style default values is available: namely, the notation ${item:-value} expands to the value of item if it is set, and to value otherwise. Notice, that value must be a literal value (string or numeric).

The following table lists PAM item names:


PAM_SERVICE. The service name (which identifies the PAM stack that will be used).


PAM_USER. The username of the entity under whose identity service will be given.


PAM_TTY. The terminal name: prefixed by ‘/dev/’ if it is a device file; for graphical, X-based, applications the value for this item is usually the $DISPLAY environment variable.


PAM_RHOST. The requesting hostname (the hostname of the machine from which the PAM_RUSER entity is requesting service). That is ‘PAM_RUSER@PAM_RHOST’ identifies the requesting user. In some applications, PAM_RHOST may be ‘NULL’.


PAM_RUSER. The requesting entity: user’s name for a locally requesting user or a remote requesting user. In some cases, PAM_RUSER may be ‘NULL’.


PAM_USER_PROMPT. The string used when prompting for a user’s name. The default value for this string is ‘Please enter username: ’.


PAM_AUTHTOK. The authentication token (often a password).

PAM-modules Manual (split by chapter):   Section:   Chapter:FastBack: Top   Up: Top   FastForward: pamck   Contents: Table of ContentsIndex: Concept Index