Files in /etc/pam.d/
Matthew Seaman
matthew at FreeBSD.org
Sun Nov 6 12:14:22 UTC 2016
On 06/11/2016 10:15, Rocky Hotas wrote:
> The directory /etc/pam.d/ contains PAM policies for services. Some
> are pretty clear and unambiguous: /etc/pam.d/sshd is related to the
> ssh listening service. But some other are not. For example: in that
> directory, "login", "passwd" and "system" refer to very similar
> fields. So, I would like to ask: - What exactly is the scope of
> *each* of them? Does exists a documentation about it? - What is (if
> any) the hierarchy followed by them? Let's say that "system" (which
> contains system-wide login policy) and "sshd" have different
> statements: which one will prevail? I have not found an answer to
> these questions on documentation
> (https://www.freebsd.org/doc/en_US.ISO8859-1/articles/pam/index.html).
> Moreover, nor "man pam.d" neither /etc/pam.d/README contain
> information about it.
Hi, Rocky,
As you say, many of the PAM policies clearly relate to protocols the
files are named after.
The 'login' policy covers console logins, and the 'passwd' policy covers
use of the passwd(1) utility for changing your password.
Now, if you look at most of the policies in that directory you'll see
many of the entries include the 'system' policy. The 'system' policy
therefore acts as a form of default policy for many of the different
services. The effect of a statement like this:
session include system
is to substitute the 'session' likes from /etc/pam.d/system, like so:
#session optional pam_ssh.so want_agent
session required pam_lastlog.so no_fail
Considering the 'sshd' policy: since this doesn't include the 'system'
policy only the statements in /etc/pam.d/sshd have any effect. That is,
assuming that ssh(8) is configured to use PAM.
Cheers,
Matthew
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 931 bytes
Desc: OpenPGP digital signature
URL: <http://lists.freebsd.org/pipermail/freebsd-questions/attachments/20161106/03e3c436/attachment.sig>
More information about the freebsd-questions
mailing list