PAM_ALREADYLOGGEDIN(8)

NAME

pam_alreadyloggedin -- Already-logged-in PAM module

SYNOPSIS

[service-name] module-type control-flag pam_alreadyloggedin [options]

DESCRIPTION

The Already-logged-in authentication service module for PAM,
pam_alreadyloggedin provides functionality for only one PAM category: authentication. In terms of the module-type parameter, this is the ``auth'' feature. It also provides null functions for other PAM categories.
Already-logged-in Authentication Module
The Already-logged-in authentication component (pam_sm_authenticate()), returns success if and only if the target user's ID is identical to a
current login specified in the utmp(5) database and verified with matching permissions on that login's respective terminal in /dev. If a user shows up in w(8) output, they will generally be allowed to authenticate
using this method.
The following options may be passed to the authentication module:
debug Enable verbose output to syslog at
LOG_DEBUG level.
no_debug Disable verbose output to syslog even
it's enabled at compile time.
no_root Never allow login with a target user ID
of zero.
restrict_tty=ttyglob* Only allow login if the terminal device
currently being authenticated on matches ttyglob*. The ttyglob* argument is specified as a shell glob, and checked using the fnmatch(3) function. For example,
restrict_tty=/dev/tty[1-6] allows logging from text consoles of physical terminal
only.
restrict_loggedin_tty=ttyglob* Disallow recognition that the user is
already logged in unless the terminal
device logged in upon matches ttyglob*.

EXAMPLE

Modify auth section of the /etc/pam.d/login file like following:
auth required /lib/security/pam_securetty.so
auth sufficient /lib/security/pam_alreadyloggedin.so no_root
auth required /lib/security/pam_stack.so service=system-auth

BUGS

FreeBSD version expects /dev/ prefix in restrict_tty value, but value of restrict_loggedin_tty should be without them. Linux version expects /dev/ in both cases.

SEE ALSO

fnmatch(3), getuid(2), stat(2), utmp(5), w(8), pam.conf(5), pam(8)

AUTHORS

Adopted for Linux PAM by Ilya Evseev at Jan 2004.

The original pam_alreadyloggedin module and this manual page were developed for the FreeBSD Project by NAI Labs and ThinkSec AS, the Security
Research Division of Network Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 (``CBOSS''), as part of the DARPA CHATS research
program.

Linux-PAM January 30, 2004 Linux-PAM

Copyright © 2010-2025 Platon Technologies, s.r.o.           Index | Man stránky | tLDP | Dokumenty | Utilitky | O projekte
Design by styleshout