documentation/content/en/articles/pam/_index.adoc
Show First 20 Lines • Show All 538 Lines • ▼ Show 20 Lines | |||||
The man:pam_login_access[8] module provides an implementation of the account management primitive which enforces the login restrictions specified in the man:login.access[5] table. | The man:pam_login_access[8] module provides an implementation of the account management primitive which enforces the login restrictions specified in the man:login.access[5] table. | ||||
[[pam-modules-nologin]] | [[pam-modules-nologin]] | ||||
=== man:pam_nologin[8] | === man:pam_nologin[8] | ||||
The man:pam_nologin[8] module refuses non-root logins when [.filename]#/var/run/nologin# exists. | The man:pam_nologin[8] module refuses non-root logins when [.filename]#/var/run/nologin# exists. | ||||
This file is normally created by man:shutdown[8] when less than five minutes remain until the scheduled shutdown time. | This file is normally created by man:shutdown[8] when less than five minutes remain until the scheduled shutdown time. | ||||
[[pam-modules-opie]] | |||||
=== man:pam_opie[8] | |||||
The man:pam_opie[8] module implements the man:opie[4] authentication method. | |||||
The man:opie[4] system is a challenge-response mechanism where the response to each challenge is a direct function of the challenge and a passphrase, so the response can be easily computed "just in time" by anyone possessing the passphrase, eliminating the need for password lists. | |||||
Moreover, since man:opie[4] never reuses a challenge that has been correctly answered, it is not vulnerable to replay attacks. | |||||
[[pam-modules-opieaccess]] | |||||
=== man:pam_opieaccess[8] | |||||
The man:pam_opieaccess[8] module is a companion module to man:pam_opie[8]. | |||||
Its purpose is to enforce the restrictions codified in man:opieaccess[5], which regulate the conditions under which a user who would normally authenticate herself using man:opie[4] is allowed to use alternate methods. | |||||
This is most often used to prohibit the use of password authentication from untrusted hosts. | |||||
In order to be effective, the man:pam_opieaccess[8] module must be listed as `requisite` immediately after a `sufficient` entry for man:pam_opie[8], and before any other modules, in the `auth` chain. | |||||
[[pam-modules-passwdqc]] | [[pam-modules-passwdqc]] | ||||
=== man:pam_passwdqc[8] | === man:pam_passwdqc[8] | ||||
The man:pam_passwdqc[8] module | The man:pam_passwdqc[8] module | ||||
[[pam-modules-permit]] | [[pam-modules-permit]] | ||||
=== man:pam_permit[8] | === man:pam_permit[8] | ||||
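Review bot: the removed block takes the `[[pam-modules-opie]]` and `[[pam-modules-opieaccess]]` anchors with it, so any cross-reference to those IDs elsewhere in `_index.adoc` will dangle. Only about 20 of the 538 lines are visible here, so please confirm that no xrefs to either anchor remain, and that no sample `auth` chain in the rest of the article still lists man:pam_opie[8] as `sufficient` followed by man:pam_opieaccess[8] as `requisite`, since the text explaining that ordering is deleted in this hunk. Separately, the unchanged context line `The man:pam_passwdqc[8] module` is an unfinished sentence; it predates this change but is worth completing in a follow-up.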
▲ Show 20 Lines • Show All 130 Lines • Show Last 20 Lines |