January 30, 2004
PAM_ALREADYLOGGEDIN(8)             BSD System Manager's Manual             PAM_ALREADYLOGGEDIN(8)


pam_alreadyloggedin — Already-logged-in PAM module


[service-name] module-type control-flag pam_alreadyloggedin [options]


The Already-logged-in authentication service module for PAM, pam_alreadyloggedin, provides functionality for only one PAM category: authentication. In terms of the module-type parameter, this is the “auth” feature. It also provides null functions for other PAM categories.

Already-logged-in Authentication Module

The Already-logged-in authentication component (pam_sm_authenticate()) returns success if and only if the target user's ID is identical to a current login specified in the utmp(5) database and verified with matching permissions on that login's respective terminal in /dev. If a user shows up in w(8) output, they will generally be allowed to authenticate using this method.

The following options may be passed to the authentication module:

debug
        Enable verbose output to syslog at LOG_DEBUG level.

no_debug
        Disable verbose output to syslog even if it's enabled at compile time.

no_root
        Never allow login with a target user ID of zero.

restrict_tty=ttyglob*
        Only allow login if the terminal device currently being authenticated on matches ttyglob*. The ttyglob* argument is specified as a shell glob, and checked using the fnmatch(3) function. For example, restrict_tty=/dev/tty[1-6] allows logging in only from the text consoles of the physical terminal.

restrict_loggedin_tty=ttyglob*
        Disallow recognition that the user is already logged in unless the terminal device logged in upon matches ttyglob*.


Modify the auth section of the /etc/pam.d/login file as follows:

        auth required /lib/security/
        auth sufficient /lib/security/ no_root
        auth required /lib/security/ service=system-auth


The FreeBSD version expects the /dev/ prefix in the restrict_tty value, but the value of restrict_loggedin_tty should be given without it. The Linux version expects /dev/ in both cases.
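The following configuration audit is an added example, not part of the original manual page or of the module's source. It checks an auth stack for the options described above and for the /dev/ prefix rule of each platform. It assumes /etc/pam.d style lines with a single-word control flag, uses Python's fnmatch as a stand-in for fnmatch(3), and the module file name, sample stack and tty list are constructed.

```python
import fnmatch
import shlex

MODULE = "pam_alreadyloggedin"
# Per the page: FreeBSD wants /dev/ only in restrict_tty; Linux wants it in both.
WANTS_DEV = {"linux": {"restrict_tty": True, "restrict_loggedin_tty": True},
             "freebsd": {"restrict_tty": True, "restrict_loggedin_tty": False}}

def module_options(pam_text):
    """Yield the option list of each auth line that loads the module."""
    for line in pam_text.splitlines():
        fields = shlex.split(line, comments=True)
        if len(fields) >= 3 and fields[0] == "auth" and MODULE in fields[2]:
            yield fields[3:]

def audit(pam_text, platform, ttys):
    """Return (findings, matches); matches maps each glob option to the ttys it accepts."""
    findings, matches = [], {}
    for opts in module_options(pam_text):
        if "no_root" not in opts:
            findings.append("no_root not set: target uid 0 is not excluded")
        globs = dict(o.split("=", 1) for o in opts if "=" in o)
        for name, wants_dev in WANTS_DEV[platform].items():
            if name not in globs:
                findings.append(f"{name} not set: no terminal restriction")
                continue
            glob = globs[name]
            if glob.startswith("/dev/") != wants_dev:
                findings.append(f"{name}={glob}: wrong /dev/ prefix form for {platform}")
            # Compare against tty names in the form this platform expects.
            names = [t if wants_dev else t[len("/dev/"):] for t in ttys]
            matches[name] = [t for t in names if fnmatch.fnmatchcase(t, glob)]
    return findings, matches

# Constructed sample input; the module file names are assumptions, not from the page.
SAMPLE = """\
auth required   /lib/security/EXAMPLE_other.so
auth sufficient /lib/security/pam_alreadyloggedin.so restrict_tty=/dev/tty* restrict_loggedin_tty=tty[1-6]
"""
TTYS = ["/dev/tty1", "/dev/tty6", "/dev/ttyS0", "/dev/pts/3"]

if __name__ == "__main__":
    found, matched = audit(SAMPLE, "linux", TTYS)
    print("\n".join(found))
    print(matched)
```

On the sample, restrict_tty=/dev/tty* also accepts the serial line /dev/ttyS0, which the narrower /dev/tty[1-6] from the manual page would not, and the prefix-less restrict_loggedin_tty glob matches nothing when audited as Linux.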


fnmatch(3), getuid(2), stat(2), utmp(5), w(8), pam.conf(5), pam(8)


Adopted for Linux PAM by Ilya Evseev in Jan 2004. The original pam_alreadyloggedin module and this manual page were developed for the FreeBSD Project by NAI Labs and ThinkSec AS, the Security Research Division of Network Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 (“CBOSS”), as part of the DARPA CHATS research program.
Linux-PAM January 30, 2004 Linux-PAM