pam-script - a PAM module that can invoke scripts within the PAM stack.
allows you to execute scripts during authorization, passwd
changes, and on session opening or closing.
Such scripts can perform necessary tasks or influence the outcome of the PAM
stack. For example, if the following entry was included in pam.conf
sshd auth required pam_script
then if the script, pam_script_auth
, exits with a non-zero value this
would cause the user to be denied SSH access to the machine.
A summary of options is included below.
- the default behavior if the module can not find or execute
the script. The default is to fail if the option is not given.
- where to find the pam-scripts to invoke for each of the
various module-types as described below. The default is
dir=/usr/share/libpam-script if not given.
List of scripts
- Executed under auth which handles the authentication
stage of establishing the user via some challenge-response (i.e.
- invoked under account module-type for
non-authentication based account management.
- invoked under passwd for changing the password
- invoked when a session is first opened.
- run after a session is first closed.
All the scripts will be passed several environment variables: PAM_USER,
PAM_RUSER, PAM_RHOST, PAM_SERVICE, PAM_AUTHTOK, PAM_TTY, and PAM_TYPE
referring to the module-type. The pam_script.so arguments in the pam.conf
will be passed on the command line, which can be used to modify the script
- the PAM module
- where the scripts should be placed by default
(7) and the PAM "The System Administrators' Guide"
pam-script was written by Jeroen Nijhof <email@example.com>
with some additions and modifications by R.K. Owen, Ph.D. <firstname.lastname@example.org>.
This manual page was written by R.K. Owen <email@example.com>,
for the Debian project (but may be used by others).