PAM_OPIEACCESS(8) | FreeBSD System Manager's Manual | PAM_OPIEACCESS(8) |
NAME
pam_opieaccess — OPIEAccess PAM module
SYNOPSIS
[service-name] module-type control-flag pam_opieaccess [options]
DESCRIPTION
The pam_opieaccess module is used in conjunction with the pam_opie(8) PAM module to ascertain that authentication can proceed by other means (such as the pam_unix(8) module) even if OPIE authentication failed. To properly use this module, pam_opie(8) should be marked “sufficient”, and pam_opieaccess should be listed right below it and marked “requisite”.
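A check for the ordering described above, as an added example that is not part of the FreeBSD manual page: the shell function below audits a policy file and reports when pam_opie is not “sufficient” or is not immediately followed by a “requisite” pam_opieaccess entry in the auth chain. The function name check_opie_stack, the assumed /etc/pam.d layout (no service-name column) and the sample policy are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the auth chain for the pam_opie / pam_opieaccess pairing.
# Assumes /etc/pam.d layout: module-type control-flag module-path [options].
check_opie_stack() {
    awk '
    function modname(p,   n, parts) {      # strip directory and ".so" suffix
        n = split(p, parts, "/"); p = parts[n]
        sub(/\.so(\.[0-9]+)?$/, "", p); return p
    }
    /^[ \t]*(#|$)/ { next }                # skip comments and blank lines
    $1 != "auth"   { next }                # only auth entries are relevant
    {
        mod = modname($3)
        if (pending) {                     # previous auth entry was pam_opie
            if (mod != "pam_opieaccess" || $2 != "requisite") {
                printf "line %d: expected \"auth requisite pam_opieaccess\" right below pam_opie\n", NR
                bad = 1
            }
            pending = 0
        }
        if (mod == "pam_opie") {
            seen = 1
            if ($2 != "sufficient") {
                printf "line %d: pam_opie is \"%s\", expected \"sufficient\"\n", NR, $2
                bad = 1
            }
            pending = 1
        }
    }
    END {
        if (pending) { print "pam_opie is the last auth entry; pam_opieaccess missing"; bad = 1 }
        if (!seen)   { print "no pam_opie auth entry found"; bad = 1 }
        exit (bad ? 1 : 0)
    }' "$1"
}

# Constructed sample policy, written to a temporary file so the check runs offline.
sample=$(mktemp)
cat > "$sample" <<'EOF'
auth sufficient pam_opie.so
auth requisite  pam_opieaccess.so allow_local
auth required   pam_unix.so
EOF
check_opie_stack "$sample" && echo "auth chain ordering OK"
rm -f "$sample"
```

The function exits non-zero on any finding, so it can gate a configuration-management run against the real policy file.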
The pam_opieaccess module provides functionality for only one PAM category: authentication. In terms of the module-type parameter, this is the “auth” feature. It also provides null functions for the remaining module types.
OPIEAccess Authentication Module
The authentication component (pam_sm_authenticate()) returns PAM_SUCCESS in two cases:
- The user does not have OPIE enabled.
- The user has OPIE enabled, and the remote host is listed as a trusted host in /etc/opieaccess, and the user does not have a file named .opiealways in his home directory.
Otherwise, it returns PAM_AUTH_ERR.
The following options may be passed to the authentication module:
- allow_local
- Normally, local logins are subjected to the same restrictions as remote logins from “localhost”. This option causes pam_opieaccess to always allow local logins.
- debug
- syslog(3) debugging information at LOG_DEBUG level.
- no_warn
- Suppress warning messages to the user. These messages include reasons why the user's authentication attempt was declined.
FILES
- /etc/opieaccess
- List of trusted hosts or networks. See opieaccess(5) for a description of its syntax.
- $HOME/.opiealways
- The presence of this file makes OPIE mandatory for the user.
AUTHORS
The pam_opieaccess module and this manual page were developed for the FreeBSD Project by ThinkSec AS and NAI Labs, the Security Research Division of Network Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 (“CBOSS”), as part of the DARPA CHATS research program.
October 26, 2007 | FreeBSD |