path: root/README
Diffstat (limited to 'README')
-rw-r--r-- README 40
1 files changed, 40 insertions, 0 deletions
diff --git a/README b/README
new file mode 100644
index 0000000..1e431ae
--- /dev/null
+++ b/README
@@ -0,0 +1,40 @@
+The purpose of this module is to call an external program. This can e.g. be
+used to call a lockout process, that locks out a user after multiple failed
+login attempts, a script that logs usernames to a file or whatever you can
+think of. The program gets called as:
+
+ program pam_function user=... ruser=... rhost=... tty=... service=...
+
+Where pam_function is either pam_authenticate, pam_setcred, pam_acct_mgmt,
+pam_open_session, pam_close_session or pam_chauthtok (see below). It returns
+PAM_IGNORE on success (since it doesn't want to affect the authentication
+process) on "success" and tries to report errors properly otherwise.
+
+Recognized arguments:
+
+ exec=<arg> Program to execute
+ debug Print debuging information
+
+module services provided:
+
+ auth _authenticate and _setcred (blank)
+ acct _acct_mgmt [mapped to _authenticate]
+ session _open_session and
+ _close_session [mapped to _authenticate ]
+ password _chauthtok [mapped to _authenticate]
+
+
+Example:
+ Put this in /etc/pam.d/su to log all the available information to /root/dump
+ on failed su attempts:
+
+ auth [success=1] pam_unix.so nullok_secure
+ auth required pam_exec.so exec=/root/dumpit debug
+ auth required pam_permit.so
+
+ where /root/dumpit is a shell script:
+
+ #!/bin/sh
+ echo "$@" > /root/dump
+
+ -- Guido Guenther <agx@sigxcpu.org> Fri, 4 Nov 2005 13:32:15 +0100
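Review bot: the example script at the end of the README writes with echo "$@" > /root/dump, which truncates the file on every call, so only the most recent failed su attempt survives; use >> if the intent is to log all failed attempts, as the example text says. The invocation line shows ruser=... and rhost=... passed straight into the program's argument list, and the README does not say that these values are supplied by the connecting side or what an unset item looks like; a sentence telling script authors to treat every argument as untrusted input would help. The "module services provided" table marks acct, session and password as "[mapped to _authenticate]", which reads as contradicting the earlier statement that pam_function is one of six distinct names, so please state which name the program actually receives for those services. Minor: "debuging" should be "debugging", and the sentence on PAM_IGNORE says "on success" twice.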