NAME
pam_user.conf — user configuration file for pluggable authentication modules
DESCRIPTION
pam_user.conf is the user configuration file for the Pluggable Authentication Module architecture, or PAM. It is not designed to replace the PAM system configuration file, pam.conf. For PAM to work properly, pam.conf is mandatory (see pam.conf(4)). pam_user.conf is optional. It is used only when per-user configuration is needed. It mainly specifies options to be used by service modules on a per-user basis.

The options defined in pam.conf are the defaults: they apply to users who are not configured in pam_user.conf, and to any module type that is not configured for a given user.

For the configuration in pam_user.conf to take effect, pam.conf must configure the service module libpam_updbe (see pam.conf(4)).
Simplified pam_user.conf Configuration File
The pam_user.conf file contains a listing of login names. Each login name is paired with a corresponding service module with or without options specified. Each entry has the following format:
login_name module_type module_path options
Below is an example of the pam_user.conf configuration file.
tom auth /usr/lib/security/$ISA/libpam_unix.so.1 debug use_psd
tom auth /usr/lib/security/$ISA/libpam_dce.so.1 use_first_pass
tom account /usr/lib/security/$ISA/libpam_unix.so.1 use_psd
tom account /usr/lib/security/$ISA/libpam_dce.so.1 try_first_pass
susan auth /usr/lib/security/$ISA/libpam_unix.so.1
susan auth /usr/lib/security/$ISA/libpam_dce.so.1 try_first_pass
The login_name denotes the login name of a user (for example, tom, susan). For detailed information on module_type, module_path, and options, see pam.conf(4).

The first entry indicates that when the UNIX authentication is invoked for tom, the options debug and use_psd will be used. The second entry indicates that when the DCE authentication is invoked for tom, the option use_first_pass will be used. The module type password is not configured for tom; therefore, the /etc/pam.conf options will take effect. For those users who are not configured, the /etc/pam.conf options apply.
Notes
If an error is found in an entry due to invalid login_name or module_type, then the entry is ignored. If there are no valid entries for the given module_type, the PAM framework ignores pam_user.conf and reads the configuration in pam.conf.
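
Because an entry with an invalid login_name or module_type is ignored without affecting the rest of the file, a typing error leaves that user on the pam.conf options. The following added example (not part of the original manual page and not HP-UX code) parses pam_user.conf text, reports the entries that would be ignored, and shows when a lookup falls back to pam.conf. It assumes that an "invalid" login name is one not in a caller-supplied set, that the module types are the four standard PAM types, and that a line with fewer than three fields is also ignored; the function names are hypothetical.

```python
# Added example: models the entry rules described on this page; not HP-UX code.
# Assumption: module types are the four standard PAM types, as in pam.conf(4).
MODULE_TYPES = {"auth", "account", "session", "password"}

# Constructed sample: lines 8-10 each contain a defect.
SAMPLE = """\
#
# PAM user configuration (constructed)
#
tom auth /usr/lib/security/$ISA/libpam_unix.so.1 debug use_psd
tom auth /usr/lib/security/$ISA/libpam_dce.so.1 use_first_pass
tom account /usr/lib/security/$ISA/libpam_unix.so.1 use_psd
susan auth /usr/lib/security/$ISA/libpam_unix.so.1
susan autth /usr/lib/security/$ISA/libpam_dce.so.1 try_first_pass
ghost auth /usr/lib/security/$ISA/libpam_unix.so.1 debug
tom password
"""

def parse_pam_user_conf(text, known_logins):
    """Return (entries, ignored); entries maps (login, module_type) to [(module_path, options)]."""
    entries, ignored = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):      # comment lines are skipped
            continue
        fields = line.split()
        if len(fields) < 3:                       # assumption: incomplete entry is ignored
            ignored.append((lineno, "missing module_path"))
            continue
        login, mtype, path, *options = fields
        if login not in known_logins:             # assumption: "invalid" means unknown login
            ignored.append((lineno, "invalid login_name"))
        elif mtype not in MODULE_TYPES:
            ignored.append((lineno, "invalid module_type"))
        else:
            entries.setdefault((login, mtype), []).append((path, options))
    return entries, ignored

def user_options(entries, login, module_type):
    """Per-user entries for this module type, or None meaning the pam.conf options apply."""
    return entries.get((login, module_type))

if __name__ == "__main__":
    entries, ignored = parse_pam_user_conf(SAMPLE, {"tom", "susan"})
    for lineno, why in ignored:
        print(f"line {lineno}: ignored ({why})")
    for who, mtype in [("tom", "auth"), ("tom", "password"), ("susan", "auth")]:
        found = user_options(entries, who, mtype)
        print(who, mtype, found if found is not None else "-> pam.conf options")
```

In the sample, the misspelled module type on line 8 means susan's DCE entry never takes effect, which is the kind of silent fallback worth checking for after editing the file.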
EXAMPLES
The following is a sample pam_user.conf configuration file. Lines that begin with the # symbol are treated as comments, and therefore ignored.
#
# PAM user configuration
#
# Authentication management
john auth /usr/lib/security/$ISA/libpam_unix.so.1
john auth /usr/lib/security/$ISA/libpam_inhouse.so.1 try_first_pass
david auth /usr/lib/security/$ISA/libpam_unix.so.1 use_psd
david auth /usr/lib/security/$ISA/libpam_inhouse.so.1 try_first_pass
susan auth /usr/lib/security/$ISA/libpam_unix.so.1 use_psd
susan auth /usr/lib/security/$ISA/libpam_inhouse.so.1 try_first_pass
# Password management
john password /usr/lib/security/$ISA/libpam_unix.so.1
david password /usr/lib/security/$ISA/libpam_unix.so.1 use_psd
susan password /usr/lib/security/$ISA/libpam_unix.so.1 use_psd