SYNOPSIS

pam-script.so [onerr=(success|fail)][dir=/some/path/]

DESCRIPTION

pam-script allows you to execute scripts during authorization, passwd changes, and on session opening or closing.

Such scripts can perform necessary tasks or influence the outcome of the PAM stack. For example, if the following entry were included in pam.conf:

  sshd	auth	required	pam_script.so

then a non-zero exit value from the script pam_script_auth would cause the user to be denied SSH access to the machine.

OPTIONS

A summary of options is included below.

onerr=(success|fail)

The behavior if the module cannot find or execute the script. The default is to fail if the option is not given.

dir=/some/path/

Where to find the pam-scripts to invoke for each of the various module-types as described below. The default is dir=/usr/share/libpam-script if not given.

List of scripts

pam_script_auth

Executed under the auth module-type, which handles the authentication stage of establishing the user via some challenge-response (e.g. username/password).

pam_script_acct

Invoked under the account module-type for non-authentication based account management.

pam_script_passwd

Invoked under passwd for changing the password tokens.

pam_script_ses_open

Invoked when a session is first opened.

pam_script_ses_close

Run after a session is closed.

All the scripts will be passed several environment variables: PAM_USER, PAM_RUSER, PAM_RHOST, PAM_SERVICE, PAM_AUTHTOK, PAM_TTY, and PAM_TYPE referring to the module-type. The pam_script.so arguments in the pam.conf will be passed on the command line, which can be used to modify the script behavior.
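
An added example (not part of pam-script or of the original manual page) of a pam_script_auth that uses the environment variables and command-line arguments described above and denies by default. The allow= argument, the function names and the PAM_TYPE value "auth" are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not shipped with pam-script: a fail-closed pam_script_auth.
# Assumed pam.conf line (allow= is a hypothetical argument read by this script):
#   sshd  auth  required  pam_script.so  allow=alice,bob

# Return 0 to let the stack continue, non-zero to deny.
pam_auth_decide() {
    allow=""
    for arg in "$@"; do
        case "$arg" in
            allow=*) allow="${arg#allow=}" ;;
            *) ;;  # other module arguments (onerr=, dir=) may arrive too
        esac
    done
    # Only handle the auth module-type (assumed value of PAM_TYPE: "auth").
    [ "${PAM_TYPE:-}" = "auth" ] || return 1
    # Deny an empty user name or one with characters outside a strict set;
    # this also keeps "," out of the list match below.
    case "${PAM_USER:-}" in
        ""|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    # No allow list configured: deny rather than admit everyone.
    [ -n "$allow" ] || return 1
    case ",$allow," in
        *",$PAM_USER,"*) return 0 ;;
    esac
    return 1
}

# Build an audit line from the non-secret variables only; PAM_AUTHTOK is
# never included, and remote-controlled values are reduced to a safe set.
pam_auth_logline() {
    clean() { printf '%s' "$1" | tr -cd 'A-Za-z0-9.:/_-'; }
    printf 'result=%s service=%s user=%s rhost=%s tty=%s' "$1" \
        "$(clean "${PAM_SERVICE:-}")" "$(clean "${PAM_USER:-}")" \
        "$(clean "${PAM_RHOST:-}")" "$(clean "${PAM_TTY:-}")"
}

# Run only when installed under the name pam-script looks for.
case "${0##*/}" in
    pam_script_auth)
        if pam_auth_decide "$@"; then rc=0; res=allow; else rc=1; res=deny; fi
        line=$(pam_auth_logline "$res")
        unset PAM_AUTHTOK            # keep the token away from child processes
        logger -t pam_script_auth "$line" 2>/dev/null || :
        exit "$rc" ;;
esac
```

Because the module arguments are handed to the script as well, the script ignores arguments it does not recognise instead of treating them as errors.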

FILES

/lib/security/pam_script.so - the PAM module

/usr/share/libpam-script - where the scripts should be placed by default

VERSION

pam-script 1.1.7

SEE ALSO

PAM(7) and the PAM guide "The System Administrators' Guide"

AUTHOR

pam-script was written by Jeroen Nijhof
with some additions and modifications by R.K. Owen, Ph.D.

This manual page was written by R.K. Owen,
for the Debian project (but may be used by others).