{"id":3431,"date":"2022-12-20T17:02:40","date_gmt":"2022-12-20T20:02:40","guid":{"rendered":"http:\/\/lode.uno\/linux-man\/index.php\/2022\/12\/20\/pam_listfile-man8\/"},"modified":"2022-12-20T17:02:40","modified_gmt":"2022-12-20T20:02:40","slug":"pam_listfile-man8","status":"publish","type":"post","link":"https:\/\/lode.uno\/linux-man\/2022\/12\/20\/pam_listfile-man8\/","title":{"rendered":"PAM_LISTFILE (man8)"},"content":{"rendered":"

PAM_LISTFILE<\/h1>\n

NAME<\/a>
SYNOPSIS<\/a>
DESCRIPTION<\/a>
OPTIONS<\/a>
MODULE TYPES PROVIDED<\/a>
RETURN VALUES<\/a>
EXAMPLES<\/a>
SEE ALSO<\/a>
AUTHOR<\/a> <\/p>\n

\n

NAME <\/a> <\/h2>\n

pam_listfile \u2212 deny or allow services based on an arbitrary file<\/p>\n

SYNOPSIS <\/a> <\/h2>\n\n\n
<\/td>\n\n

pam_listfile.so<\/b> item=[tty|user|rhost|ruser|group|shell] sense=[allow|deny] file=\/path\/filename<\/i> onerr=[succeed|fail] [apply=[user<\/i>|@group<\/i>]] [quiet]<\/p>\n<\/td>\n<\/tr>\n<\/table>\n

DESCRIPTION <\/a> <\/h2>\n

pam_listfile is a PAM module which provides a way to deny or allow services based on an arbitrary file.<\/p>\n

The module gets the item<\/b> of the type specified \u2212\u2212 user<\/i> specifies the username, PAM_USER<\/i>; tty specifies the name of the terminal over which the request has been made, PAM_TTY<\/i>; rhost specifies the name of the remote host (if any) from which the request was made, PAM_RHOST<\/i>; and ruser specifies the name of the remote user (if available) who made the request, PAM_RUSER<\/i> \u2212\u2212 and looks for an instance of that item in the file=<\/b>filename<\/i>. filename contains one line per item listed. If the item is found, then if sense=<\/b>allow<\/i>, PAM_SUCCESS<\/i> is returned, causing the authorization request to succeed; else if sense=<\/b>deny<\/i>, PAM_AUTH_ERR<\/i> is returned, causing the authorization request to fail.<\/p>\n

If an error is encountered (for instance, if filename does not exist, or a poorly\u2212constructed argument is encountered), then if onerr=succeed<\/i>, PAM_SUCCESS<\/i> is returned, otherwise if onerr=fail<\/i>, PAM_AUTH_ERR<\/i> or PAM_SERVICE_ERR<\/i> (as appropriate) will be returned.<\/p>\n

An additional argument, apply=<\/b>, can be used to restrict the application of the above to a specific user (apply=<\/b>username<\/i>) or a given group (apply=<\/b>@groupname<\/i>). This added restriction is only meaningful when used with the tty<\/i>, rhost<\/i> and shell<\/i> items.<\/p>\n

Besides this last one, all arguments should be specified; do not count on any default behavior.<\/p>\n

No credentials are awarded by this module.<\/p>\n

OPTIONS <\/a> <\/h2>\n

item=[tty|user|rhost|ruser|group|shell]<\/b><\/p>\n

What is listed in the file and should be checked for.<\/p>\n

sense=[allow|deny]<\/b><\/p>\n

Action to take if found in file, if the item is NOT found in the file, then the opposite action is requested.<\/p>\n

file=<\/b>\/path\/filename<\/i><\/p>\n

File containing one item per line. The file needs to be a plain file and not world writable.<\/p>\n

onerr=[succeed|fail]<\/b><\/p>\n

What to do if something weird happens like being unable to open the file.<\/p>\n

apply=[<\/b>user<\/i>|<\/b>@group<\/i>]<\/b><\/p>\n

Restrict the user class for which the restriction apply. Note that with item=[user|ruser|group]<\/b> this does not make sense, but for item=[tty|rhost|shell]<\/b> it have a meaning.<\/p>\n

quiet<\/b><\/p>\n

Do not treat service refusals or missing list files as errors that need to be logged.<\/p>\n

MODULE TYPES PROVIDED <\/a> <\/h2>\n

All module types (auth<\/b>, account<\/b>, password<\/b> and session<\/b>) are provided.<\/p>\n

RETURN VALUES <\/a> <\/h2>\n

PAM_AUTH_ERR<\/p>\n

Authentication failure.<\/p>\n

PAM_BUF_ERR<\/p>\n

Memory buffer error.<\/p>\n

PAM_IGNORE<\/p>\n

The rule does not apply to the apply<\/b> option.<\/p>\n

PAM_SERVICE_ERR<\/p>\n

Error in service module.<\/p>\n

PAM_SUCCESS<\/p>\n

Success.<\/p>\n

EXAMPLES <\/a> <\/h2>\n

Classic ‘ftpusers’ authentication can be implemented with this entry in \/etc\/pam.d\/ftpd:<\/p>\n

#
# deny ftp\u2212access to users listed in the \/etc\/ftpusers file
#
auth required pam_listfile.so
onerr=succeed item=user sense=deny file=\/etc\/ftpusers<\/p>\n

Note, users listed in \/etc\/ftpusers file are (counterintuitively) not<\/i> allowed access to the ftp service.<\/p>\n

To allow login access only for certain users, you can use a \/etc\/pam.d\/login entry like this:<\/p>\n

#
# permit login to users listed in \/etc\/loginusers
#
auth required pam_listfile.so
onerr=fail item=user sense=allow file=\/etc\/loginusers<\/p>\n

For this example to work, all users who are allowed to use the login service should be listed in the file \/etc\/loginusers. Unless you are explicitly trying to lock out root, make sure that when you do this, you leave a way for root to log in, either by listing root in \/etc\/loginusers, or by listing a user who is able to su<\/i> to the root account.<\/p>\n

SEE ALSO <\/a> <\/h2>\n

pam.conf<\/b>(5), pam.d<\/b>(5), pam<\/b>(8)<\/p>\n

AUTHOR <\/a> <\/h2>\n

pam_listfile was written by Michael K. Johnson and Elliot Lee .<\/p>\n

\n","protected":false},"excerpt":{"rendered":"

pam_listfile \u2212 deny or allow services based on an arbitrary file <\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[5,52,4,557],"class_list":["post-3431","post","type-post","status-publish","format-standard","hentry","category-8-administracion-del-sistema","tag-5","tag-administracion","tag-man8","tag-pam_listfile"],"gutentor_comment":0,"_links":{"self":[{"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/posts\/3431","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/comments?post=3431"}],"version-history":[{"count":0,"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/posts\/3431\/revisions"}],"wp:attachment":[{"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/media?parent=3431"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/categories?post=3431"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/tags?post=3431"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}