pam_opieaccess(8)

NAME

pam_opieaccess - OPIEAccess PAM module

[service-name]   module-type    control-flag    pamo_pieaccess
[options]

The pam_opieaccess module is used in conjunction with the
pam_opie(8) PAM module to ascertain that authentication can proceed by other
means (such as the pam_unix(8) module) even if OPIE authentication
failed. To properly use this module, pam_opie(8) should be marked ``suffi
cient'', and
pam_opieaccess should be listed right below it and marked
``requisite''.
The pam_opieaccess module provides functionality for only
one PAM category: authentication. In terms of the module-type parame
ter, this is the ``auth'' feature. It also provides null functions for the
remaining module types.
OPIEAccess Authentication Module: The authentication component (pam_sm_authenticate()), re; turns PAM_SUCCESS
in two cases:; 1. The user does not have OPIE enabled.; 2. The user has OPIE enabled, and the remote host is list
ed as a trusted host in /etc/opieaccess, and the user does not
have a file named opiealways in his home directory.
Otherwise, it returns PAM_AUTH_ERR.
The following options may be passed to the authentication
module:
allow_local Normally, local logins are subjected to the
samerestrictions as remote logins from ``local
host''. This
option causes pam_opieaccess to always al
low local logins.
debug syslog(3) debugging information at LOG_DE
BUG level.
no_warn suppress warning messages to the user.
These messagesinclude reasons why the user's authentica
tion attempt was declined.

/etc/opieaccess List of trusted hosts or networks. See: opieaccess(5) for a description of its
syntax.

The pam_opieaccess module and this manual page were devel
oped for the FreeBSD Project by ThinkSec AS and NAI Labs, the Security
Research Division of Network Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 (``CBOSS''), as part of the DARPA CHATS re
search program.
BSD January 21, 2002