pam_listfile
Elliot Lee <sopwith@cuc.edu>
Red Hat Software:
Michael K. Johnson <johnsonm@redhat.com> 1996/11/18
(if unavailable, contact Elliot Lee <sopwith@cuc.edu>).
authentication
clean
The list-file module provides a way to deny or allow services based on an arbitrary file.
onerr=succeed|fail
;
sense=allow|deny
;
file=
filename;
item=user|tty|rhost|ruser|group|shell
apply=user|@group
The module gets the item of the type specified -- user
specifies
the username, PAM_USER
; tty specifies the name of the terminal
over which the request has been made, PAM_TTY
; rhost specifies
the name of the remote host (if any) from which the request was made,
PAM_RHOST
; and ruser specifies the name of the remote user
(if available) who made the request, PAM_RUSER
-- and looks for
an instance of that item in the file filename. filename
contains one line per item listed. If the item is found, then if
sense=allow
, PAM_SUCCESS
is returned, causing the
authorization request to succeed; else if sense=deny
,
PAM_AUTH_ERR
is returned, causing the authorization
request to fail.
If an error is encountered (for instance, if filename
does not exist, or a poorly-constructed argument is encountered),
then if onerr=succeed
, PAM_SUCCESS
is returned,
otherwise if onerr=fail
, PAM_AUTH_ERR
or
PAM_SERVICE_ERR
(as appropriate) will be returned.
An additional argument, apply=
, can be used to restrict the
application of the above to a specific user
(apply=
username) or a given group
(apply=@
groupname). This added restriction is only
meaningful when used with the tty
, rhost
and shell
items.
Besides this last one, all arguments should be specified; do not count on any default behavior, as it is subject to change.
No credentials are awarded by this module.
Classic ``ftpusers'' authentication can be implemented with this entry
in /etc/pam.conf
:
#
# deny ftp-access to users listed in the /etc/ftpusers file
#
ftp auth required pam_listfile.so \
onerr=succeed item=user sense=deny file=/etc/ftpusers
Note, users listed in /etc/ftpusers
file are
(counterintuitively) not allowed access to the ftp service.
To allow login access only for certain users, you can use an pam.conf entry like this:
#
# permit login to users listed in /etc/loginusers
#
login auth required pam_listfile.so \
onerr=fail item=user sense=allow file=/etc/loginusers
For this example to work, all users who are allowed to use the login
service should be listed in the file /etc/loginusers
. Unless
you are explicitly trying to lock out root, make sure that when you do
this, you leave a way for root to log in, either by listing root in
/etc/loginusers
, or by listing a user who is able to su
to the root account.