pam_pseudo(5) Authentication pam_pseudo(5)
NAME
pam_pseudo - PAM module for pseudo-user authentication
SYNOPSIS
/usr/local/lib/security/pam_pseudo.so.1
DESCRIPTION
pam_pseudo is a shared library which gets dynamically loaded into the
PAM framework. It provides authentication for pseudo-user accounts to
PAM-aware applications.
The pam_pseudo module supports a local text file called
/etc/pam_pseudo.map which maps local pseudo-user names to a list of
real users allowed to access them. The file consists of lines of the
format:
    pseudo_user : real_user [...]
Text beginning with a '#' is ignored through the next newline. Blank
lines and incomplete lines are also ignored.
OPTIONS
The pam_pseudo module accepts the optional argument
unknown_user=disposition. This option tells the module what to do when
it cannot read the /etc/pam_pseudo.map file or when the pseudo_user
name is not found in the file.
There are three possible values for disposition:
    fail
        The authentication will fail if the pseudo-user is not found in
        the /etc/pam_pseudo.map file.
    succeed
        The authentication will succeed if the pseudo-user is not found
        in the /etc/pam_pseudo.map file.
    ignore
        The authentication attempt will be ignored if the pseudo-user is
        not found in the /etc/pam_pseudo.map file.
If this option is not specified, the default behavior is for the
authentication request to be denied.
EXAMPLE
A common practice for services with multiple administrators is to have
a pseudo-user account under which the service is installed and runs.
Each service administrator has their own login, but can su to the
pseudo-user account using their own password.
To set this up, here's what you'd put in /etc/pam.conf:
    su auth sufficient /usr/local/lib/security/pam_pseudo.so.1 unknown_user=ignore
    su auth required /usr/lib/security/pam_unix.so.1
Then, put the pseudo-user accounts in the /etc/pam_pseudo.map file:
    # John Smith and Jane Doe allowed to become news
    news : smith jdoe
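The following map-file check is an added example, not part of pam_pseudo or its documentation. It applies the parsing rules from DESCRIPTION to show which lines are silently ignored and which unknown_user disposition then applies; the function names, the sample entries other than "news", and the exact definition of an "incomplete" line are assumptions.

```python
"""Lint a pam_pseudo.map: what is parsed, and what is silently ignored."""

# Constructed sample; only the "news" entry comes from the man page.
SAMPLE_MAP = """\
# John Smith and Jane Doe allowed to become news
news : smith jdoe

www : alice   # trailing comment is stripped
backup :
oracle bob
"""


def parse_map(text):
    """Return (mappings, ignored) using the rules from DESCRIPTION.

    Assumption: a line counts as "incomplete" when it lacks a ':', a
    pseudo-user name, or at least one real user.
    """
    mappings, ignored = {}, []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # '#' comments out the rest
        if not line:
            continue  # blank or comment-only line
        pseudo, sep, rest = line.partition(":")
        pseudo, users = pseudo.strip(), rest.split()
        if not sep or not pseudo or not users:
            ignored.append((lineno, line))  # ignored, per the man page
            continue
        mappings[pseudo] = users  # duplicate names: last wins (assumption)
    return mappings, ignored


def outcome(mappings, pseudo, real, unknown_user="fail"):
    """Result of the map lookup alone; password checking is not modelled.

    unknown_user defaults to "fail" because the page says an unset option
    means the request is denied.
    """
    if unknown_user not in ("fail", "succeed", "ignore"):
        raise ValueError("unknown_user must be fail, succeed or ignore")
    if pseudo not in mappings:
        return unknown_user  # disposition applies to unmapped pseudo-users
    return "listed" if real in mappings[pseudo] else "not-listed"


if __name__ == "__main__":
    parsed, skipped = parse_map(SAMPLE_MAP)
    for lineno, line in skipped:
        print(f"line {lineno} ignored as incomplete: {line!r}")
    print(outcome(parsed, "backup", "alice", unknown_user="ignore"))
```

In the sample, the "backup" and "oracle" lines are ignored, so both names are treated as not found and the unknown_user disposition decides what happens to them.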
BUGS
The pam_pseudo module only implements the functions for the "auth"
module type (pam_sm_authenticate(3) and pam_sm_setcred(3)). The module
does not implement functions for the "account", "session", and
"password" module types.
FILES
/etc/pam_pseudo.map
/etc/pam.conf
SEE ALSO
pam(3), pam.conf(4)
AUTHOR
Mark D. Roth <roth@feep.net>
University of Illinois Aug 2001 pam_pseudo(5)