| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294 |
- <?xml version="1.0" encoding='UTF-8'?>
- <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
- "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">
- <refentry id="pam_userdb">
- <refmeta>
- <refentrytitle>pam_userdb</refentrytitle>
- <manvolnum>8</manvolnum>
- <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo>
- </refmeta>
- <refnamediv id="pam_userdb-name">
- <refname>pam_userdb</refname>
- <refpurpose>PAM module to authenticate against a db database</refpurpose>
- </refnamediv>
- <refsynopsisdiv>
- <cmdsynopsis id="pam_userdb-cmdsynopsis">
- <command>pam_userdb.so</command>
- <arg choice="plain">
- db=<replaceable>/path/database</replaceable>
- </arg>
- <arg choice="opt">
- debug
- </arg>
- <arg choice="opt">
- crypt=[crypt|none]
- </arg>
- <arg choice="opt">
- icase
- </arg>
- <arg choice="opt">
- dump
- </arg>
- <arg choice="opt">
- try_first_pass
- </arg>
- <arg choice="opt">
- use_first_pass
- </arg>
- <arg choice="opt">
- unknown_ok
- </arg>
- <arg choice="opt">
- key_only
- </arg>
- </cmdsynopsis>
- </refsynopsisdiv>
- <refsect1 id="pam_userdb-description">
- <title>DESCRIPTION</title>
- <para>
- The pam_userdb module is used to verify a username/password pair
- against values stored in a Berkeley DB database. The database is
- indexed by the username, and the data fields corresponding to the
- username keys are the passwords.
- </para>
- </refsect1>
- <refsect1 id="pam_userdb-options">
- <title>OPTIONS</title>
- <variablelist>
- <varlistentry>
- <term>
- <option>crypt=[crypt|none]</option>
- </term>
- <listitem>
- <para>
- Indicates whether encrypted or plaintext passwords are stored
- in the database. If it is <option>crypt</option>, passwords
- should be stored in the database in
- <citerefentry>
- <refentrytitle>crypt</refentrytitle><manvolnum>3</manvolnum>
- </citerefentry> form. If <option>none</option> is selected,
- passwords should be stored in the database as plaintext.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>
- <option>db=<replaceable>/path/database</replaceable></option>
- </term>
- <listitem>
- <para>
- Use the <filename>/path/database</filename> database for
- performing lookup. There is no default; the module will
- return <emphasis remap='B'>PAM_IGNORE</emphasis> if no
- database is provided. Note that the path to the database file
- should be specified without the <filename>.db</filename> suffix.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>
- <option>debug</option>
- </term>
- <listitem>
- <para>
- Print debug information. Note that password hashes, both from db
- and computed, will be printed to syslog.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>
- <option>dump</option>
- </term>
- <listitem>
- <para>
- Dump all the entries in the database to the log.
- Don't do this by default!
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>
- <option>icase</option>
- </term>
- <listitem>
- <para>
- Make the password verification to be case insensitive
- (ie when working with registration numbers and such).
- Only works with plaintext password storage.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>
- <option>try_first_pass</option>
- </term>
- <listitem>
- <para>
- Use the authentication token previously obtained by
- another module that did the conversation with the
- application. If this token can not be obtained then
- the module will try to converse. This option can
- be used for stacking different modules that need to
- deal with the authentication tokens.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>
- <option>use_first_pass</option>
- </term>
- <listitem>
- <para>
- Use the authentication token previously obtained by
- another module that did the conversation with the
- application. If this token can not be obtained then
- the module will fail. This option can be used for
- stacking different modules that need to deal with
- the authentication tokens.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>
- <option>unknown_ok</option>
- </term>
- <listitem>
- <para>
- Do not return error when checking for a user that is
- not in the database. This can be used to stack more
- than one pam_userdb module that will check a
- username/password pair in more than a database.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>
- <option>key_only</option>
- </term>
- <listitem>
- <para>
- The username and password are concatenated together
- in the database hash as 'username-password' with a
- random value. if the concatenation of the username and
- password with a dash in the middle returns any result,
- the user is valid. this is useful in cases where
- the username may not be unique but the username and
- password pair are.
- </para>
- </listitem>
- </varlistentry>
- </variablelist>
- </refsect1>
- <refsect1 id="pam_userdb-types">
- <title>MODULE TYPES PROVIDED</title>
- <para>
- The <option>auth</option> and <option>account</option> module
- types are provided.
- </para>
- </refsect1>
- <refsect1 id='pam_userdb-return_values'>
- <title>RETURN VALUES</title>
- <variablelist>
- <varlistentry>
- <term>PAM_AUTH_ERR</term>
- <listitem>
- <para>Authentication failure.</para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>PAM_AUTHTOK_RECOVERY_ERR</term>
- <listitem>
- <para>
- Authentication information cannot be recovered.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>PAM_BUF_ERR</term>
- <listitem>
- <para>
- Memory buffer error.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>PAM_CONV_ERR</term>
- <listitem>
- <para>
- Conversation failure.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>PAM_SERVICE_ERR</term>
- <listitem>
- <para>
- Error in service module.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>PAM_SUCCESS</term>
- <listitem>
- <para>
- Success.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>PAM_USER_UNKNOWN</term>
- <listitem>
- <para>
- User not known to the underlying authentication module.
- </para>
- </listitem>
- </varlistentry>
- </variablelist>
- </refsect1>
- <refsect1 id='pam_userdb-examples'>
- <title>EXAMPLES</title>
- <programlisting>
- auth sufficient pam_userdb.so icase db=/etc/dbtest
- </programlisting>
- </refsect1>
- <refsect1 id='pam_userdb-see_also'>
- <title>SEE ALSO</title>
- <para>
- <citerefentry>
- <refentrytitle>crypt</refentrytitle><manvolnum>3</manvolnum>
- </citerefentry>,
- <citerefentry>
- <refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum>
- </citerefentry>,
- <citerefentry>
- <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
- </citerefentry>,
- <citerefentry>
- <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
- </citerefentry>
- </para>
- </refsect1>
- <refsect1 id='pam_userdb-author'>
- <title>AUTHOR</title>
- <para>
- pam_userdb was written by Cristian Gafton >gafton@redhat.com<.
- </para>
- </refsect1>
- </refentry>
|
