


Standards, Environments, and Macros       pam_unix_user_policy(5)



NNNNAAAAMMMMEEEE
     pam_user_policy - PAM user authentication policy module

SSSSYYYYNNNNOOOOPPPPSSSSIIIISSSS
     pam_user_policy.so.1

DDDDEEEESSSSCCCCRRRRIIIIPPPPTTTTIIIIOOOONNNN
     The pam_user_policy module checks to see that the PAM_USER
     is set to a non-empty value, looks up the name of a PAM
     configuration to use for that user in the user's pam_policy
     user attribute (see user_attr(4)) or in the pam_policy
     attribute of the user's profiles in the listed order (see
     prof_attr(4)) and includes the named configuration by
     calling pam_eval(3PAM).

     In the auth stack, if PAM_USER is not set then
     pam_user_policy prompts for a username and sets PAM_USER.
     The prompt string used is the same as is used by
     _p_a_m__a_u_t_h_t_o_k__g_e_t(5).

     If a user's ppppaaaammmm____ppppoooolllliiiiccccyyyy user or profile attribute is not
     found or has an empty value then pam_user_policy returns
     PAM_IGNORE.  This allows pam_user_policy to be stacked as
     binding at the top of any stack in /etc/pam.conf without
     having any effect until the ppppaaaammmm____ppppoooolllliiiiccccyyyy user attribute is
     added to individual users or their profiles.

     "/usr/lib/security/" is prepended to any non-absolute file
     paths listed in a user's pam_policy user or profile
     attribute; see pam_eval(3PAM).

RRRREEEETTTTUUUURRRRNNNN VVVVAAAALLLLUUUUEEEESSSS
     If the PAM_USER item is not set then, in the auth stack,
     pam_user_policy prompts for a PAM_USER and returns
     PAM_USER_UNKNOWN if the user enters an empty username or if
     the conversation function returns anything other than
     PAM_SUCCESS.

     If the PAM_USER item is not set then for any stack other
     than auth pam_user_policy returns PAM_IGNORE.

     If the PAM_USER has no pam_policy user or profile attribute,
     or if its pam_policy attribute's value is empty, then
     pam_user_policy returns PAM_IGNORE.

     Otherwise pam_user_policy returns the value returned by
     _p_a_m__e_v_a_l(3PAM) when called to evaluate the configuration
     associated with the PAM_USER, though if _p_a_m__e_v_a_l(3PAM)
     returns PAM_IGNORE then pam_user_policy returns the default
     error for the current stack (e.g., PAM_AUTH_ERR).





21/Apr/105              Last change: 5.11                       1









FFFFIIIILLLLEEEESSSS
     A number of pam.conf files for inclusion by pam_user_policy
     can be found in /usr/lib/security/:

     o   unix.conf -- use only Unix passwords for authentication,
         Unix for account management

     o   krb5.conf -- use Kerberos V only for authentication,
         Unix for account management

     o   krb5-fallback-unix.conf -- use Kerberos V for
         authentication with fallback on Unix authentication, and
         use Unix for account management

     o   ldap.conf -- use LDAP BIND for authentication and LDAP
         for account management

     o   any.conf -- try Kerberos V, LDAP and Unix, in that
         order, and as sufficient, for authentication and
         account management

EEEEXXXXAAAAMMMMPPPPLLLLEEEESSSS
     1.  pam_policy=krb5.conf;

         Indicates that the user should be authenticated with
         Kerberos V for all services.

     2.  pam_policy=custom1.conf

         Indicates that the configuration
         /usr/lib/security/custom1.conf should be used for this
         user.  Such a custom configuration might have different
         configurations for different services, such as requiring
         Unix authentication for console logins but Kerberos V
         for all other services.

     3.  pam_policy=/etc/pam-custom2.conf

         Indicates that the configuration /etc/pam-custom2.conf
         should be used for this user.  Such a custom
         configuration might have different configurations for
         different services, such as requiring Unix
         authentication for console logins but Kerberos V for all
         other services.
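
     The lookup order and path rule from DESCRIPTION, applied to
     constructed user_attr(4) and prof_attr(4) entries. This is an
     added example, not part of the original manual page or the
     module's source. It assumes that only profiles named directly
     in the user's profiles attribute are consulted and that an
     empty value is skipped like a missing one; the function names
     and the sample users and profiles are hypothetical.

```python
import posixpath

POLICY_DIR = "/usr/lib/security/"  # prefix the man page gives for relative names

# Constructed sample entries in user_attr(4) and prof_attr(4) layout.
USER_ATTR = """\
alice::::pam_policy=krb5.conf
bob::::profiles=Help Desk,Kerberos Users
carol::::profiles=Kerberos Users;pam_policy=/etc/pam-custom2.conf
dave::::profiles=Help Desk
"""
PROF_ATTR = """\
Help Desk:::Constructed profile, no policy:help=none.html
Kerberos Users:::Constructed profile:pam_policy=krb5-fallback-unix.conf
"""

def parse(text):
    """Map each entry's first field to its key=value attributes (fifth field)."""
    table = {}
    for line in text.splitlines():
        fields = line.split(":", 4)
        if line.startswith("#") or len(fields) < 5:
            continue
        pairs = (kv.split("=", 1) for kv in fields[4].split(";") if "=" in kv)
        table[fields[0]] = {k.strip(): v.strip() for k, v in pairs}
    return table

def resolve_policy(user, users, profiles):
    """Return (path, source); (None, None) is the PAM_IGNORE case."""
    attrs = users.get(user, {})
    # User attribute first, then the user's profiles in the listed order.
    candidates = [("user_attr", attrs.get("pam_policy", ""))]
    for name in filter(None, attrs.get("profiles", "").split(",")):
        candidates.append(("profile " + name, profiles.get(name, {}).get("pam_policy", "")))
    for source, value in candidates:
        if value:  # assumption: an empty value is treated like a missing one
            return (value if value.startswith("/") else POLICY_DIR + value), source
    return None, None

def outside_policy_dir(users, profiles):
    """Users whose resolved file is outside POLICY_DIR: review its owner and mode."""
    flagged = {}
    for user in users:
        path, _ = resolve_policy(user, users, profiles)
        if path and not posixpath.normpath(path).startswith(POLICY_DIR):
            flagged[user] = path
    return flagged

USERS, PROFILES = parse(USER_ATTR), parse(PROF_ATTR)
if __name__ == "__main__":
    for u in USERS:
        print(u, resolve_policy(u, USERS, PROFILES))
```

     A configuration resolved outside /usr/lib/security/ decides how
     that user authenticates, so the file's ownership and write
     permissions belong in the same review as /etc/pam.conf.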

AAAATTTTTTTTRRRRIIIIBBBBUUUUTTTTEEEESSSS
     See _a_t_t_r_i_b_u_t_e_s(5) for descriptions of the following
     attributes:

     ____________________________________________________________
     |       ATTRIBUTE TYPE        |       ATTRIBUTE VALUE       |
     |_____________________________|_____________________________|
     | Interface Stability         |                             |
     |_____________________________|_____________________________|
     |   pam_user_policy.so.1      | Stable                      |
     |_____________________________|_____________________________|
     |   unix.conf                 | Stable                      |
     |_____________________________|_____________________________|
     |   krb5.conf                 | Stable                      |
     |_____________________________|_____________________________|
     |   krb5-fallback-unix.conf   | Stable                      |
     |_____________________________|_____________________________|
     |   ldap.conf                 | Stable                      |
     |_____________________________|_____________________________|
     |   any.conf                  | Stable                      |
     |_____________________________|_____________________________|
     | MT-Level                    |                             |
     |_____________________________|_____________________________|
     |   pam_user_policy.so.1      | MT-Safe with exceptions     |
     |_____________________________|_____________________________|

SSSSEEEEEEEE AAAALLLLSSSSOOOO
     _p_a_m(3PAM), _p_a_m__e_v_a_l(3PAM), _u_s_e_r__a_t_t_r(4), _p_r_o_f__a_t_t_r(4),
     _p_a_m__a_u_t_h_t_o_k__g_e_t(5)


























