PAM_ALREADYLOGGEDIN(8) | System Manager's Manual | PAM_ALREADYLOGGEDIN(8) |
NAME
pam_alreadyloggedin — Already-logged-in PAM module
SYNOPSIS
[service-name] module-type control-flag pam_alreadyloggedin [options]
DESCRIPTION
The Already-logged-in authentication service module for PAM, pam_alreadyloggedin, provides functionality for only one PAM category: authentication. In terms of the module-type parameter, this is the “auth” feature. It also provides null functions for other PAM categories.
Already-logged-in Authentication Module
The Already-logged-in authentication component (pam_sm_authenticate()) returns success if and only if the target user's ID is identical to a current login specified in the utmp(5) database and verified with matching permissions on that login's respective terminal in /dev. If a user shows up in w(8) output, they will generally be allowed to authenticate using this method.
The following options may be passed to the authentication module:
debug
- Enable verbose output to syslog at LOG_DEBUG level.
no_debug
- Disable verbose output to syslog even if it's enabled at compile time.
no_root
- Never allow login with a target user ID of zero.
restrict_tty=ttyglob*
- Only allow login if the terminal device currently being authenticated on matches ttyglob*. The ttyglob* argument is specified as a shell glob and checked using the fnmatch(3) function. For example, restrict_tty=/dev/tty[1-6] allows logging in only from the text consoles of the physical terminal.
restrict_loggedin_tty=ttyglob*
- Disallow recognition that the user is already logged in unless the terminal device logged in upon matches ttyglob*.
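The decision described above (a utmp(5) record for the user, checked against the login terminal and filtered by no_root and restrict_loggedin_tty) can be modelled as follows. This is an added sketch for auditing the logic, not the module's source: would_accept, owner_fn and the sample records are hypothetical names and constructed data, and "matching permissions" is assumed to mean that the terminal device is owned by the target user.

```c
#include <fnmatch.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <utmpx.h>

/* Hypothetical callback: returns 0 and stores the uid owning `path`.
 * On a live system it would wrap stat(2); here it is stubbed. */
typedef int (*owner_fn)(const char *path, uid_t *owner);

/* 1 if a utmp record shows `user` logged in on a terminal that matches
 * loggedin_glob (restrict_loggedin_tty, Linux form with /dev/; NULL = any)
 * and is owned by `uid`. ASSUMPTION: "matching permissions" is modelled as
 * device ownership, and fnmatch(3) is called with no flags. */
static int would_accept(const struct utmpx *recs, size_t n, const char *user,
                        uid_t uid, int no_root, const char *loggedin_glob,
                        owner_fn owner_of) {
    if (no_root && uid == 0) return 0;                  /* no_root option */
    for (size_t i = 0; i < n; i++) {
        char name[sizeof recs->ut_user + 1] = {0};
        char path[sizeof recs->ut_line + 6];
        uid_t owner;
        if (recs[i].ut_type != USER_PROCESS) continue;  /* not a live login */
        memcpy(name, recs[i].ut_user, sizeof recs->ut_user); /* may lack NUL */
        if (strcmp(name, user) != 0) continue;
        snprintf(path, sizeof path, "/dev/%.*s",
                 (int)sizeof recs->ut_line, recs[i].ut_line);
        if (loggedin_glob && fnmatch(loggedin_glob, path, 0) != 0) continue;
        if (owner_of(path, &owner) == 0 && owner == uid) return 1;
    }
    return 0;
}

/* Constructed sample state: a pts/0 record naming alice whose device is
 * owned by uid 1001, alice (uid 1000) on tty1, and root on tty2. */
static int sample_owner(const char *path, uid_t *owner) {
    if (!strcmp(path, "/dev/pts/0")) { *owner = 1001; return 0; }
    if (!strcmp(path, "/dev/tty1")) { *owner = 1000; return 0; }
    if (!strcmp(path, "/dev/tty2")) { *owner = 0; return 0; }
    return -1;
}
static const struct utmpx sample[] = {
    {.ut_type = USER_PROCESS, .ut_user = "alice", .ut_line = "pts/0"},
    {.ut_type = USER_PROCESS, .ut_user = "alice", .ut_line = "tty1"},
    {.ut_type = USER_PROCESS, .ut_user = "root", .ut_line = "tty2"},
};
int main(void) {   /* alice passes only through the tty1 record */
    printf("%d\n", would_accept(sample, 3, "alice", 1000, 1, NULL, sample_owner));
    return 0;
}
```

The restrict_tty option concerns the terminal being authenticated on rather than the recorded login, so it is outside this model.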
EXAMPLE
Modify the auth section of the /etc/pam.d/login file as follows:
auth required   /lib/security/pam_securetty.so
auth sufficient /lib/security/pam_alreadyloggedin.so no_root
auth required   /lib/security/pam_stack.so service=system-auth
BUGS
The FreeBSD version expects the /dev/ prefix in the restrict_tty value, but the value of restrict_loggedin_tty should be given without it. The Linux version expects /dev/ in both cases.
SEE ALSO
fnmatch(3), getuid(2), stat(2), utmp(5), w(8), pam.conf(5), pam(8)
AUTHORS
Adapted for Linux PAM by Ilya Evseev in Jan 2004. The original pam_alreadyloggedin module and this manual page were developed for the FreeBSD Project by NAI Labs and ThinkSec AS, the Security Research Division of Network Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 (“CBOSS”), as part of the DARPA CHATS research program.
January 30, 2004 | Linux-PAM |