Date: Sun, 6 Nov 2016 12:14:17 +0000
From: Matthew Seaman <matthew@FreeBSD.org>
To: freebsd-questions@freebsd.org
Subject: Re: Files in /etc/pam.d/
Message-ID: <c8db5036-8b5e-8d61-fbb7-bb6071344165@FreeBSD.org>
In-Reply-To: <trinity-95522cbe-b5b9-41f5-9fde-dfbe9bc197b1-1478427356711@3capp-mailcom-lxa11>
References: <trinity-95522cbe-b5b9-41f5-9fde-dfbe9bc197b1-1478427356711@3capp-mailcom-lxa11>
On 06/11/2016 10:15, Rocky Hotas wrote:
> The directory /etc/pam.d/ contains PAM policies for services. Some
> are pretty clear and unambiguous: /etc/pam.d/sshd is related to the
> ssh listening service. But some others are not. For example: in that
> directory, "login", "passwd" and "system" refer to very similar
> fields. So, I would like to ask:
>
> - What exactly is the scope of *each* of them? Does documentation
>   about it exist?
> - What is (if any) the hierarchy followed by them? Let's say that
>   "system" (which contains system-wide login policy) and "sshd" have
>   different statements: which one will prevail?
>
> I have not found an answer to these questions in the documentation
> (https://www.freebsd.org/doc/en_US.ISO8859-1/articles/pam/index.html).
> Moreover, neither "man pam.d" nor /etc/pam.d/README contains
> information about it.

Hi, Rocky,

As you say, many of the PAM policies clearly relate to protocols the
files are named after. The 'login' policy covers console logins, and
the 'passwd' policy covers use of the passwd(1) utility for changing
your password.

Now, if you look at most of the policies in that directory you'll see
many of the entries include the 'system' policy. The 'system' policy
therefore acts as a form of default policy for many of the different
services.
The effect of a statement like this:

    session		include		system

is to substitute the 'session' lines from /etc/pam.d/system, like so:

    #session	optional	pam_ssh.so		want_agent
    session		required	pam_lastlog.so		no_fail

Considering the 'sshd' policy: since this doesn't include the 'system'
policy, only the statements in /etc/pam.d/sshd have any effect. That
is, assuming that ssh(8) is configured to use PAM.

	Cheers,

	Matthew
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?c8db5036-8b5e-8d61-fbb7-bb6071344165>
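To make the include behaviour described in the reply concrete, here is an added example, not part of the thread and not FreeBSD's own code: a small Python script that resolves OpenPAM-style 'include' entries and prints the chain a service would actually run for each facility. The /etc/pam.d/ contents embedded in it (PAM_D) are constructed and simplified stand-ins, not copies of any release's files; the fallback to the 'other' policy for a service with no file of its own is OpenPAM's documented behaviour (pam.conf(5)), and the loop check is this script's own addition.

```python
"""Resolve OpenPAM 'include' directives to show the effective policy
for a service/facility pair.  Added example; the pam.d contents below
are constructed and simplified, not copied from any FreeBSD release."""
from typing import Dict, List, Tuple

Entry = Tuple[str, str, List[str]]          # (control, module, module-args)
FACILITIES = ("auth", "account", "session", "password")

# Constructed stand-ins for files under /etc/pam.d/ (simplified).
PAM_D: Dict[str, str] = {
    "system": """
# System-wide defaults, pulled in by most service policies via 'include'.
auth      sufficient  pam_opie.so        no_warn no_fake_prompts
auth      requisite   pam_opieaccess.so  no_warn allow_local
auth      required    pam_unix.so        no_warn try_first_pass nullok
account   required    pam_login_access.so
account   required    pam_unix.so
#session  optional    pam_ssh.so         want_agent
session   required    pam_lastlog.so     no_fail
password  required    pam_unix.so        no_warn try_first_pass
""",
    "login": """
auth      include     system
account   requisite   pam_securetty.so
account   required    pam_nologin.so
account   include     system
session   include     system
password  include     system
""",
    "sshd": """
# Stand-alone: nothing here includes 'system', so 'system' has no effect on sshd.
auth      required    pam_unix.so        no_warn try_first_pass
account   required    pam_nologin.so
account   required    pam_login_access.so
account   required    pam_unix.so
session   required    pam_permit.so
password  required    pam_unix.so        no_warn try_first_pass
""",
    "other": """
# OpenPAM falls back to this policy when no file exists for the service.
auth      include     system
account   include     system
session   include     system
password  include     system
""",
}


def parse_policy(text: str) -> List[Tuple[str, str, str, List[str]]]:
    """Parse pam.d(5)-style lines into (facility, control, module, args).
    Comment and blank lines are skipped, as OpenPAM does."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"malformed policy line: {raw!r}")
        facility, control, module = fields[0], fields[1], fields[2]
        if facility not in FACILITIES:
            raise ValueError(f"unknown facility in line: {raw!r}")
        entries.append((facility, control, module, fields[3:]))
    return entries


def effective_policy(pam_d: Dict[str, str], service: str, facility: str,
                     _stack: Tuple[str, ...] = ()) -> List[Entry]:
    """Return the chain OpenPAM would run for one facility of one service.

    An 'include' entry is replaced, in place, by the same facility's entries
    from the named policy (recursively).  A service with no policy file falls
    back to 'other'.  Include loops are reported instead of recursing forever.
    """
    if service not in pam_d:
        if service == "other":
            raise FileNotFoundError("no 'other' policy; nothing to fall back to")
        return effective_policy(pam_d, "other", facility, _stack)
    if service in _stack:
        raise ValueError("include loop: " + " -> ".join(_stack + (service,)))
    chain: List[Entry] = []
    for fac, control, module, args in parse_policy(pam_d[service]):
        if fac != facility:
            continue
        if control == "include":
            chain.extend(effective_policy(pam_d, module, facility,
                                          _stack + (service,)))
        else:
            chain.append((control, module, args))
    return chain


def render(pam_d: Dict[str, str], service: str) -> str:
    """Pretty-print the fully expanded policy for one service."""
    lines = []
    for fac in FACILITIES:
        for control, module, args in effective_policy(pam_d, service, fac):
            lines.append(f"{fac:<9}{control:<11}{module:<20}{' '.join(args)}".rstrip())
    return "\n".join(lines)


if __name__ == "__main__":
    for svc in ("login", "sshd", "ftpd"):   # 'ftpd' has no file: falls back to 'other'
        print(f"--- effective policy for {svc} ---")
        print(render(PAM_D, svc))
```

Run against a real box by replacing PAM_D with the files read from /etc/pam.d/ (keys are the file names). Pointing it at 'sshd' shows why the reply says 'system' has no bearing there: no line in that file is an 'include', so the expansion is the file itself.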