From: Matthew Seaman
To: freebsd-questions@freebsd.org
Subject: Re: Files in /etc/pam.d/
Date: Sun, 6 Nov 2016 12:14:17 +0000
On 06/11/2016 10:15, Rocky Hotas wrote:
> The directory /etc/pam.d/ contains PAM policies for services. Some
> are pretty clear and unambiguous: /etc/pam.d/sshd is related to the
> ssh listening service. But some others are not. For example: in that
> directory, "login", "passwd" and "system" refer to very similar
> fields. So, I would like to ask:
>
> - What exactly is the scope of *each* of them? Does documentation
>   about it exist?
> - What is (if any) the hierarchy followed by them? Let's say that
>   "system" (which contains system-wide login policy) and "sshd" have
>   different statements: which one will prevail?
>
> I have not found an answer to these questions in the documentation
> (https://www.freebsd.org/doc/en_US.ISO8859-1/articles/pam/index.html).
> Moreover, neither "man pam.d" nor /etc/pam.d/README contains
> information about it.

Hi, Rocky,

As you say, many of the PAM policies clearly relate to the protocols
the files are named after. The 'login' policy covers console logins,
and the 'passwd' policy covers use of the passwd(1) utility for
changing your password.

Now, if you look at most of the policies in that directory you'll see
many of the entries include the 'system' policy. The 'system' policy
therefore acts as a form of default policy for many of the different
services.
The effect of a statement like this:

    session    include    system

is to substitute the 'session' lines from /etc/pam.d/system, like so:

    #session   optional   pam_ssh.so       want_agent
    session    required   pam_lastlog.so   no_fail

Considering the 'sshd' policy: since this doesn't include the 'system'
policy, only the statements in /etc/pam.d/sshd have any effect. That
is, assuming that ssh(8) is configured to use PAM.

Cheers,

Matthew
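The include mechanism Matthew describes is easiest to check by resolving a service's effective chain and recording which file each line came from. The script below is an added example for this thread, not code from the original post, FreeBSD or OpenPAM. The policy files in it are constructed samples in the style of /etc/pam.d (simplified, not copies of a real system), and it models two OpenPAM behaviours the thread does not spell out: an `include` line pulls in only the included policy's lines for the same facility, and a service with no policy file of its own falls back to the `other` policy. It reads policies from an in-memory dictionary rather than the filesystem so it runs offline.

```python
"""Resolve the effective PAM chain for a service, expanding `include` lines.

Added example for this thread; not code from the original post, FreeBSD or
OpenPAM. SAMPLE_PAMD holds constructed, simplified policy files in the style
of /etc/pam.d; a real system's files differ.
"""

# Constructed sample policies (assumption: simplified; real files differ).
SAMPLE_PAMD = {
    "system": """\
# System-wide default policy, included by most other policies.
auth        sufficient  pam_opie.so        no_warn no_fake_prompts
auth        required    pam_unix.so        no_warn try_first_pass
account     required    pam_login_access.so
account     required    pam_unix.so
session     required    pam_lastlog.so     no_fail
password    required    pam_unix.so        no_warn try_first_pass
""",
    "login": """\
# Console logins: a securetty check, then whatever 'system' says.
auth        include     system
account     requisite   pam_securetty.so
account     include     system
session     include     system
password    include     system
""",
    "sshd": """\
# Stand-alone policy: no 'include system', so edits to 'system' never reach it.
auth        sufficient  pam_opie.so        no_warn no_fake_prompts
auth        required    pam_unix.so        no_warn try_first_pass
account     required    pam_nologin.so
account     required    pam_login_access.so
account     required    pam_unix.so
session     required    pam_permit.so
password    required    pam_unix.so        no_warn try_first_pass
""",
    "other": """\
# Fallback OpenPAM uses for a service that has no policy file of its own.
auth        required    pam_deny.so
account     required    pam_deny.so
session     required    pam_deny.so
password    required    pam_deny.so
""",
}

FACILITIES = ("auth", "account", "session", "password")


def parse_policy(text):
    """Turn one policy file into (facility, control, module, args) tuples."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if len(parts) < 3 or parts[0] not in FACILITIES:
            raise ValueError("malformed policy line: %r" % raw)
        entries.append((parts[0], parts[1], parts[2], parts[3:]))
    return entries


def resolve(service, policies=SAMPLE_PAMD, _stack=()):
    """Effective chain for `service` as (facility, control, module, args, source).

    `source` names the policy file a line really came from. An `include` line
    is replaced by the included policy's lines for the same facility only,
    recursively. At top level, a service with no policy falls back to 'other';
    an `include` of a missing policy is an error, as is an include loop.
    """
    if service not in policies:
        if _stack or service == "other":
            raise KeyError("no policy for %r" % service)
        return resolve("other", policies)
    if service in _stack:
        raise ValueError("include loop: %s" % " -> ".join(_stack + (service,)))
    chain = []
    for facility, control, module, args in parse_policy(policies[service]):
        if control == "include":
            nested = resolve(module, policies, _stack + (service,))
            chain.extend(e for e in nested if e[0] == facility)
        else:
            chain.append((facility, control, module, args, service))
    return chain


def modules_for(service, facility, policies=SAMPLE_PAMD):
    """Module names, in order, that `facility` runs for `service`."""
    return [e[2] for e in resolve(service, policies) if e[0] == facility]


def depends_on_system(service, policies=SAMPLE_PAMD):
    """True if any line of the effective chain was pulled in from 'system'."""
    return any(e[4] == "system" for e in resolve(service, policies))


if __name__ == "__main__":
    for svc in ("login", "sshd", "no-such-service"):
        print("== %s ==" % svc)
        for facility, control, module, args, source in resolve(svc):
            print("  %-9s %-10s %-20s %-24s (from %s)"
                  % (facility, control, module, " ".join(args), source))
```

Running it shows `login`'s session facility consisting entirely of lines sourced from `system`, while every line of `sshd` is sourced from `sshd` itself, so a change to /etc/pam.d/system alters console logins but not SSH logins. The `other` fallback is the case worth remembering when a service name is misspelled or its file is deleted: the service does not become unauthenticated, it picks up whatever `other` says. Whether sshd consults PAM at all is governed by `UsePAM` in sshd_config, which this script does not model.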