The purpose of this module is to call an external program. This can, for
example, be used to call a lockout process that locks out a user after
multiple failed login attempts, a script that logs usernames to a file, or
whatever you can think of. The program gets called as:

    program pam_function user=... ruser=... rhost=... tty=... service=...

where pam_function is either pam_authenticate, pam_setcred, pam_acct_mgmt,
pam_open_session, pam_close_session or pam_chauthtok (see below). The module
returns PAM_IGNORE on success (since it doesn't want to affect the
authentication process) and tries to report errors properly otherwise.

Recognized arguments:

    exec=<arg>    Program to execute
    debug         Print debugging information

Module services provided:

    auth        _authenticate and _setcred (blank)
    acct        _acct_mgmt [mapped to _authenticate]
    session     _open_session and _close_session [mapped to _authenticate]
    password    _chauthtok [mapped to _authenticate]

Example:

Put this in /etc/pam.d/su to log all the available information to /root/dump
on failed su attempts:

    auth [success=1] pam_unix.so nullok_secure
    auth required pam_exec.so exec=/root/dumpit debug
    auth required pam_permit.so

where /root/dumpit is a shell script:

    #!/bin/sh
    echo "$@" > /root/dump

-- Guido Guenther <agx@sigxcpu.org> Fri, 4 Nov 2005 13:32:15 +0100
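
A variant of the dumpit handler for the argument format described above, as an added example that is not part of the original README or of pam_exec. It appends instead of overwriting, and it neutralises whitespace and control characters, because the user name is typed by whoever is attempting the login. DUMP_FILE, the function names and the timestamp format are assumptions of this sketch.

```sh
#!/bin/sh
# Added example, not from the pam_exec README. DUMP_FILE and the function
# names are assumptions of this sketch.
umask 077                               # new log file readable by owner only
DUMP_FILE="${DUMP_FILE:-/root/dump}"

# Replace every byte that is not a visible ASCII character (spaces and
# newlines included) so a value cannot add a forged field or log line.
sanitize() {
    printf '%s' "$1" | LC_ALL=C tr -c '[:graph:]' '?'
}

# Turn "pam_function key=value ..." into a single log line.
format_event() {
    line="func=$(sanitize "$1")"
    shift
    for arg in "$@"; do
        key=${arg%%=*}
        case "$arg" in
            user=*|ruser=*|rhost=*|tty=*|service=*)
                line="$line $key=$(sanitize "${arg#*=}")" ;;
            *)
                line="$line unknown=$(sanitize "$arg")" ;;
        esac
    done
    printf '%s\n' "$line"
}

# Only log when called with arguments, as pam_exec does. Append rather than
# overwrite so earlier attempts are kept.
if [ "$#" -gt 0 ]; then
    printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(format_event "$@")" \
        >> "$DUMP_FILE"
fi
```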