The purpose of this module is to call an external program. This can be used,
for example, to call a lockout process that locks out a user after multiple
failed login attempts, a script that logs usernames to a file, or whatever you
can think of. The program gets called as:

	program pam_function user=... ruser=... rhost=... tty=... service=...

Where pam_function is one of pam_authenticate, pam_setcred, pam_acct_mgmt,
pam_open_session, pam_close_session or pam_chauthtok (see below). The module
returns PAM_IGNORE on success (since it doesn't want to affect the
authentication process) and tries to report errors properly otherwise.

Recognized arguments:

	exec=<arg>	Program to execute
	debug		Print debugging information

Module services provided:

	auth		_authenticate and _setcred (blank)
	acct		_acct_mgmt [mapped to _authenticate]
	session		_open_session and
			_close_session [mapped to _authenticate]
	password	_chauthtok [mapped to _authenticate]


Example:
 Put this in /etc/pam.d/su to log all the available information to /root/dump
 on failed su attempts:

 auth   [success=1] pam_unix.so nullok_secure
 auth   required pam_exec.so exec=/root/dumpit debug
 auth   required pam_permit.so

 where /root/dumpit is a shell script:

 #!/bin/sh
 echo "$@" > /root/dump

 -- Guido Guenther <agx@sigxcpu.org> Fri,  4 Nov 2005 13:32:15 +0100
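
The dumpit script above writes its arguments to the file unmodified, and values such as user and rhost originate from the login attempt. A handler that checks pam_function against the list above and filters each value before logging follows as an added example; it is not part of the module or its author's code. It assumes each key=value pair arrives as a separate argument, and LOG is a hypothetical override for the output path.

```shell
#!/bin/sh
# Added example, not part of the module. Assumes the call format shown in
# this README, with every key=value pair passed as its own argument.

# Keep only characters from a small allowlist (and cap the length) so a
# crafted value cannot inject newlines, spaces or extra fields into the log.
sanitize() {
    printf '%s' "$1" | LC_ALL=C tr -cd 'A-Za-z0-9._@:/-' | cut -c1-64
}

# Print one normalized log line, or return 1 for an unknown pam_function.
format_pam_event() {
    case "$1" in
        pam_authenticate|pam_setcred|pam_acct_mgmt|\
        pam_open_session|pam_close_session|pam_chauthtok) func=$1 ;;
        *) return 1 ;;
    esac
    shift
    user= ruser= rhost= tty= service=
    for arg in "$@"; do
        case "$arg" in
            user=*)    user=$(sanitize "${arg#user=}") ;;
            ruser=*)   ruser=$(sanitize "${arg#ruser=}") ;;
            rhost=*)   rhost=$(sanitize "${arg#rhost=}") ;;
            tty=*)     tty=$(sanitize "${arg#tty=}") ;;
            service=*) service=$(sanitize "${arg#service=}") ;;
        esac   # unrecognized keys are ignored
    done
    printf '%s user=%s ruser=%s rhost=%s tty=%s service=%s\n' \
        "$func" "$user" "$ruser" "$rhost" "$tty" "$service"
}

# When invoked with arguments (by the module), append one line per call.
# LOG is a hypothetical override; the default is this README's /root/dump.
if [ "$#" -gt 0 ]; then
    umask 077
    format_pam_event "$@" >> "${LOG:-/root/dump}"
fi
```

Unlike the original script, this appends rather than overwrites, so earlier attempts stay in the file.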