DragonFly On-Line Manual Pages
PAM_REGEX(8) Pam-Modules User Reference PAM_REGEX(8)
NAME
pam_regex - authentication using regular expressions
SYNOPSIS
pam_regex [sense=SENSE] [user=NAME] [regex=EXPRESSION] [basic|extended]
[case|ignore-case|icase] [transform=S-EXPR] [debug[=NUMBER]]
[waitdebug] [audit]
DESCRIPTION
A general-purpose tool for authentication using regular expressions.
It can be used to control access depending on whether the user name
matches a given regular expression or to modify user name as per a sed-
like expression, so that subsequent modules see the modified name.
OPTIONS
regex=EXPRESSION
Compare user name with EXPRESSION. By default the argument is
treated as an extended regular expression with case-sensitive
matching.
When this option is used, pam_regex allows only login attempts
with user names that match the given expression. See the sense
option to revert that behavior.
sense=allow|deny
What to do if the user name matches the expression given by the
regex option. The value allow (the default) instructs the
module to return PAM_SUCCESS; the value deny instructs it to
return PAM_AUTH_ERR.
transform=S-EXPR
Transform the user name using a sed-like expression. The
argument should have the following form:
s/regexp/repl/[flags]
See sed(1) for a detailed description. Supported flags are: g, to
apply the replacement to all matches, not just the first, i, to use
case-insensitive matching, and x, which indicates that regexp is an
extended POSIX regular expression. A decimal number in the flags field
indicates the ordinal number of the match to be replaced. Using it
together with g results in undefined behavior.
Any delimiter can be used in lieu of the slash, the only requirement
being that it be used consistently throughout the expression.
basic Use basic regular expressions.
case Use case-sensitive regular expressions (default).
extended
Use extended regular expressions (default).
ignore-case or icase
Use case-insensitive regular expressions.
user=NAME
Upon successful matching, set PAM user name to NAME.
debug[=NUMBER]
Set debugging level (0 <= NUMBER <= 100).
audit Log full debugging information (equivalent to debug=100).
waitdebug=N
Wait for N seconds before starting up. This option is intended
to facilitate attaching to the module with gdb(1). It is
available only if the package was configured with the
--enable-debug option.
MODULE TYPES PROVIDED
auth
RETURN VALUES
PAM_SUCCESS
Successful return.
PAM_AUTH_ERR
Authentication failed.
PAM_AUTHINFO_UNAVAIL
The input information is not sufficient.
EXAMPLES
1. Deny access to users with login name containing the @ sign.
auth required pam_regex.so sense=deny regex=.*@.*
2. Convert the user name to lower case and remove anything starting
from the @ character:
auth required pam_regex.so extended transform=s/.*/\L&/g;s/@.*//
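The regex/sense decision described under OPTIONS, modelled with POSIX regcomp(3) and regexec(3) so that an expression can be checked against sample names before it goes into a PAM stack. This is an added example, not pam_regex source code: check_user, the verdict enum and the sample names are hypothetical, and it assumes POSIX matching semantics and that sense=deny lets non-matching names through.

```c
#include <regex.h>
#include <stdio.h>

/* Local stand-ins for the module's PAM_SUCCESS / PAM_AUTH_ERR results. */
enum verdict { ALLOW, DENY, BAD_REGEX };

/* sense_deny: 0 = sense=allow (default), 1 = sense=deny
 * extended:   1 = "extended" (default),  0 = "basic"
 * icase:      1 = "ignore-case"/"icase", 0 = "case" (default) */
enum verdict check_user(const char *user, const char *expr,
                        int sense_deny, int extended, int icase)
{
    regex_t re;
    int cflags = REG_NOSUB;
    int matched;

    if (extended) cflags |= REG_EXTENDED;
    if (icase)    cflags |= REG_ICASE;
    if (regcomp(&re, expr, cflags) != 0)
        return BAD_REGEX;          /* never guess on a broken pattern */
    /* regexec() finds a match anywhere in the string unless the
     * pattern itself is anchored with ^ and $. */
    matched = (regexec(&re, user, 0, NULL, 0) == 0);
    regfree(&re);
    /* Assumption: sense=deny inverts the result for both outcomes. */
    if (sense_deny)
        return matched ? DENY : ALLOW;
    return matched ? ALLOW : DENY;
}

int main(void)
{
    /* Constructed sample login names. */
    static const char *names[] = { "alice", "Admin", "xadminx",
                                   "alice@example.org" };
    static const char *label[] = { "allow", "deny", "bad regex" };
    size_t i;

    for (i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-18s deny .*@.*: %-6s allow admin: %-6s allow ^admin$: %s\n",
               names[i],
               label[check_user(names[i], ".*@.*", 1, 1, 0)],
               label[check_user(names[i], "admin", 0, 1, 0)],
               label[check_user(names[i], "^admin$", 0, 1, 0)]);
    return 0;
}
```

Whether pam_regex anchors the expression itself is not stated on this page, so an allow-list expression is best written with explicit ^ and $.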
NOTE
This manpage is a short description of pam_regex. For a detailed
discussion, including examples and usage recommendations, refer to the
PAM-modules Manual available in texinfo format. If the info reader and
the PAM-modules documentation are properly installed on your system, the
command
info pam-modules
should give you access to the complete manual.
You can also view the manual using the info mode in emacs(1), or find
it in various formats online at
http://www.gnu.org.ua/software/pam-modules/manual
If any discrepancies occur between this manpage and the PAM-modules
Manual, the latter shall be considered the authoritative source.
SEE ALSO
pam.conf(5), pam.d(5), pam(8), regex(7), sed(1).
AUTHORS
Sergey Poznyakoff <gray@gnu.org>
BUG REPORTS
Report bugs to <bug-pam-modules@gnu.org.ua>.
COPYRIGHT
Copyright (C) 2001-2014 Sergey Poznyakoff
License GPLv3+: GNU GPL version 3 or later
<http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
PAM-MODULES March 28, 2014 PAM_REGEX(8)