path: root/modules/pam_lastlog/pam_lastlog.8
Diffstat (limited to '')
-rw-r--r-- modules/pam_lastlog/pam_lastlog.8 197
-rw-r--r-- modules/pam_lastlog/pam_lastlog.8.xml 343
2 files changed, 540 insertions, 0 deletions
diff --git a/modules/pam_lastlog/pam_lastlog.8 b/modules/pam_lastlog/pam_lastlog.8
new file mode 100644
index 0000000..325456e
--- /dev/null
+++ b/modules/pam_lastlog/pam_lastlog.8
@@ -0,0 +1,197 @@
+'\" t
+.\" Title: pam_lastlog
+.\" Author: [see the "AUTHOR" section]
+.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
+.\" Date: 09/03/2021
+.\" Manual: Linux-PAM Manual
+.\" Source: Linux-PAM Manual
+.\" Language: English
+.\"
+.TH "PAM_LASTLOG" "8" "09/03/2021" "Linux-PAM Manual" "Linux\-PAM Manual"
+.\" -----------------------------------------------------------------
+.\" * Define some portability stuff
+.\" -----------------------------------------------------------------
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.\" http://bugs.debian.org/507673
+.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\" -----------------------------------------------------------------
+.\" * set default formatting
+.\" -----------------------------------------------------------------
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.\" -----------------------------------------------------------------
+.\" * MAIN CONTENT STARTS HERE *
+.\" -----------------------------------------------------------------
+.SH "NAME"
+pam_lastlog \- PAM module to display date of last login and perform inactive account lock out
+.SH "SYNOPSIS"
+.HP \w'\fBpam_lastlog\&.so\fR\ 'u
+\fBpam_lastlog\&.so\fR [debug] [silent] [never] [nodate] [nohost] [noterm] [nowtmp] [noupdate] [showfailed] [inactive=<days>] [unlimited]
+.SH "DESCRIPTION"
+.PP
+pam_lastlog is a PAM module to display a line of information about the last login of the user\&. In addition, the module maintains the
+/var/log/lastlog
+file\&.
+.PP
+Some applications may perform this function themselves\&. In such cases, this module is not necessary\&.
+.PP
+The module checks
+\fBLASTLOG_UID_MAX\fR
+option in
+/etc/login\&.defs
+and does not update or display last login records for users with UID higher than its value\&. If the option is not present or its value is invalid, no user ID limit is applied\&.
+.PP
+If the module is called in the auth or account phase, the accounts that were not used recently enough will be disallowed to log in\&. The check is not performed for the root account so the root is never locked out\&. It is also not performed for users with UID higher than the
+\fBLASTLOG_UID_MAX\fR
+value\&.
+.SH "OPTIONS"
+.PP
+\fBdebug\fR
+.RS 4
+Print debug information\&.
+.RE
+.PP
+\fBsilent\fR
+.RS 4
+Don\*(Aqt inform the user about any previous login, just update the
+/var/log/lastlog
+file\&. This option does not affect display of bad login attempts\&.
+.RE
+.PP
+\fBnever\fR
+.RS 4
+If the
+/var/log/lastlog
+file does not contain any old entries for the user, indicate that the user has never previously logged in with a welcome message\&.
+.RE
+.PP
+\fBnodate\fR
+.RS 4
+Don\*(Aqt display the date of the last login\&.
+.RE
+.PP
+\fBnoterm\fR
+.RS 4
+Don\*(Aqt display the terminal name on which the last login was attempted\&.
+.RE
+.PP
+\fBnohost\fR
+.RS 4
+Don\*(Aqt indicate from which host the last login was attempted\&.
+.RE
+.PP
+\fBnowtmp\fR
+.RS 4
+Don\*(Aqt update the wtmp entry\&.
+.RE
+.PP
+\fBnoupdate\fR
+.RS 4
+Don\*(Aqt update any file\&.
+.RE
+.PP
+\fBshowfailed\fR
+.RS 4
+Display number of failed login attempts and the date of the last failed attempt from btmp\&. The date is not displayed when
+\fBnodate\fR
+is specified\&.
+.RE
+.PP
+\fBinactive=<days>\fR
+.RS 4
+This option is specific for the auth or account phase\&. It specifies the number of days after the last login of the user when the user will be locked out by the module\&. The default value is 90\&.
+.RE
+.PP
+\fBunlimited\fR
+.RS 4
+If the
+\fIfsize\fR
+limit is set, this option can be used to override it, preventing failures on systems with large UID values that lead lastlog to become a huge sparse file\&.
+.RE
+.SH "MODULE TYPES PROVIDED"
+.PP
+The
+\fBauth\fR
+and
+\fBaccount\fR
+module type allows one to lock out users who did not login recently enough\&. The
+\fBsession\fR
+module type is provided for displaying the information about the last login and/or updating the lastlog and wtmp files\&.
+.SH "RETURN VALUES"
+.PP
+.PP
+PAM_SUCCESS
+.RS 4
+Everything was successful\&.
+.RE
+.PP
+PAM_SERVICE_ERR
+.RS 4
+Internal service module error\&.
+.RE
+.PP
+PAM_USER_UNKNOWN
+.RS 4
+User not known\&.
+.RE
+.PP
+PAM_AUTH_ERR
+.RS 4
+User locked out in the auth or account phase due to inactivity\&.
+.RE
+.PP
+PAM_IGNORE
+.RS 4
+There was an error during reading the lastlog file in the auth or account phase and thus inactivity of the user cannot be determined\&.
+.RE
+.SH "EXAMPLES"
+.PP
+Add the following line to
+/etc/pam\&.d/login
+to display the last login time of a user:
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+ session required pam_lastlog\&.so nowtmp
+
+.fi
+.if n \{\
+.RE
+.\}
+.PP
+To reject the user if he did not login during the previous 50 days the following line can be used:
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+ auth required pam_lastlog\&.so inactive=50
+
+.fi
+.if n \{\
+.RE
+.\}
+.SH "FILES"
+.PP
+/var/log/lastlog
+.RS 4
+Lastlog logging file
+.RE
+.SH "SEE ALSO"
+.PP
+\fBlimits.conf\fR(5),
+\fBpam.conf\fR(5),
+\fBpam.d\fR(5),
+\fBpam\fR(8)
+.SH "AUTHOR"
+.PP
+pam_lastlog was written by Andrew G\&. Morgan <morgan@kernel\&.org>\&.
+.PP
+Inactive account lock out added by Tomáš Mráz <tm@t8m\&.info>\&.
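Review bot: This file is generated output committed next to its source: the header carries "Generator: DocBook XSL Stylesheets v1.79.1" and a build date of 09/03/2021, and the same commit adds pam_lastlog.8.xml with identical content. Any later fix to the XML (for example to the inactive or PAM_IGNORE wording) will leave this roff copy stale unless it is regenerated in the same change, and the embedded date and stylesheet version will churn on every regeneration. Suggest producing the .8 from the XML at build time, or, if the tree has to carry it, noting at the top that it must not be edited by hand and must be regenerated with the XML.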
diff --git a/modules/pam_lastlog/pam_lastlog.8.xml b/modules/pam_lastlog/pam_lastlog.8.xml
new file mode 100644
index 0000000..bada2ea
--- /dev/null
+++ b/modules/pam_lastlog/pam_lastlog.8.xml
@@ -0,0 +1,343 @@
+<?xml version="1.0" encoding='UTF-8'?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
+ "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">
+
+<refentry id="pam_lastlog">
+
+ <refmeta>
+ <refentrytitle>pam_lastlog</refentrytitle>
+ <manvolnum>8</manvolnum>
+ <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo>
+ </refmeta>
+
+ <refnamediv id="pam_lastlog-name">
+ <refname>pam_lastlog</refname>
+ <refpurpose>PAM module to display date of last login and perform inactive account lock out</refpurpose>
+ </refnamediv>
+
+ <refsynopsisdiv>
+ <cmdsynopsis id="pam_lastlog-cmdsynopsis">
+ <command>pam_lastlog.so</command>
+ <arg choice="opt">
+ debug
+ </arg>
+ <arg choice="opt">
+ silent
+ </arg>
+ <arg choice="opt">
+ never
+ </arg>
+ <arg choice="opt">
+ nodate
+ </arg>
+ <arg choice="opt">
+ nohost
+ </arg>
+ <arg choice="opt">
+ noterm
+ </arg>
+ <arg choice="opt">
+ nowtmp
+ </arg>
+ <arg choice="opt">
+ noupdate
+ </arg>
+ <arg choice="opt">
+ showfailed
+ </arg>
+ <arg choice="opt">
+ inactive=&lt;days&gt;
+ </arg>
+ <arg choice="opt">
+ unlimited
+ </arg>
+ </cmdsynopsis>
+ </refsynopsisdiv>
+
+ <refsect1 id="pam_lastlog-description">
+
+ <title>DESCRIPTION</title>
+
+ <para>
+ pam_lastlog is a PAM module to display a line of information
+ about the last login of the user. In addition, the module maintains
+ the <filename>/var/log/lastlog</filename> file.
+ </para>
+ <para>
+ Some applications may perform this function themselves. In such
+ cases, this module is not necessary.
+ </para>
+ <para>
+ The module checks <option>LASTLOG_UID_MAX</option> option in
+ <filename>/etc/login.defs</filename> and does not update or display
+ last login records for users with UID higher than its value.
+ If the option is not present or its value is invalid, no user ID
+ limit is applied.
+ </para>
+ <para>
+ If the module is called in the auth or account phase, the accounts that
+ were not used recently enough will be disallowed to log in. The
+ check is not performed for the root account so the root is never
+ locked out. It is also not performed for users with UID higher
+ than the <option>LASTLOG_UID_MAX</option> value.
+ </para>
+ </refsect1>
+
+ <refsect1 id="pam_lastlog-options">
+
+ <title>OPTIONS</title>
+ <variablelist>
+ <varlistentry>
+ <term>
+ <option>debug</option>
+ </term>
+ <listitem>
+ <para>
+ Print debug information.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ <option>silent</option>
+ </term>
+ <listitem>
+ <para>
+ Don't inform the user about any previous login,
+ just update the <filename>/var/log/lastlog</filename> file.
+ This option does not affect display of bad login attempts.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ <option>never</option>
+ </term>
+ <listitem>
+ <para>
+ If the <filename>/var/log/lastlog</filename> file does
+ not contain any old entries for the user, indicate that
+ the user has never previously logged in with a welcome
+ message.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ <option>nodate</option>
+ </term>
+ <listitem>
+ <para>
+ Don't display the date of the last login.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ <option>noterm</option>
+ </term>
+ <listitem>
+ <para>
+ Don't display the terminal name on which the
+ last login was attempted.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ <option>nohost</option>
+ </term>
+ <listitem>
+ <para>
+ Don't indicate from which host the last login was
+ attempted.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ <option>nowtmp</option>
+ </term>
+ <listitem>
+ <para>
+ Don't update the wtmp entry.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ <option>noupdate</option>
+ </term>
+ <listitem>
+ <para>
+ Don't update any file.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ <option>showfailed</option>
+ </term>
+ <listitem>
+ <para>
+ Display number of failed login attempts and the date of the
+ last failed attempt from btmp. The date is not displayed
+ when <option>nodate</option> is specified.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ <option>inactive=&lt;days&gt;</option>
+ </term>
+ <listitem>
+ <para>
+ This option is specific for the auth or account phase. It
+ specifies the number of days after the last login of the user
+ when the user will be locked out by the module. The default
+ value is 90.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ <option>unlimited</option>
+ </term>
+ <listitem>
+ <para>
+ If the <emphasis>fsize</emphasis> limit is set, this option can be
+ used to override it, preventing failures on systems with large UID
+ values that lead lastlog to become a huge sparse file.
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </refsect1>
+
+ <refsect1 id="pam_lastlog-types">
+ <title>MODULE TYPES PROVIDED</title>
+ <para>
+ The <option>auth</option> and <option>account</option> module type
+ allows one to lock out users who did not login recently enough.
+ The <option>session</option> module type is provided for displaying
+ the information about the last login and/or updating the lastlog and
+ wtmp files.
+ </para>
+ </refsect1>
+
+ <refsect1 id='pam_lastlog-return_values'>
+ <title>RETURN VALUES</title>
+ <para>
+ <variablelist>
+
+ <varlistentry>
+ <term>PAM_SUCCESS</term>
+ <listitem>
+ <para>
+ Everything was successful.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>PAM_SERVICE_ERR</term>
+ <listitem>
+ <para>
+ Internal service module error.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>PAM_USER_UNKNOWN</term>
+ <listitem>
+ <para>
+ User not known.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>PAM_AUTH_ERR</term>
+ <listitem>
+ <para>
+ User locked out in the auth or account phase due to
+ inactivity.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>PAM_IGNORE</term>
+ <listitem>
+ <para>
+ There was an error during reading the lastlog file
+ in the auth or account phase and thus inactivity
+ of the user cannot be determined.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ </variablelist>
+ </para>
+ </refsect1>
+
+ <refsect1 id='pam_lastlog-examples'>
+ <title>EXAMPLES</title>
+ <para>
+ Add the following line to <filename>/etc/pam.d/login</filename> to
+ display the last login time of a user:
+ </para>
+ <programlisting>
+ session required pam_lastlog.so nowtmp
+ </programlisting>
+ <para>
+ To reject the user if he did not login during the previous 50 days
+ the following line can be used:
+ </para>
+ <programlisting>
+ auth required pam_lastlog.so inactive=50
+ </programlisting>
+ </refsect1>
+
+ <refsect1 id="pam_lastlog-files">
+ <title>FILES</title>
+ <variablelist>
+ <varlistentry>
+ <term><filename>/var/log/lastlog</filename></term>
+ <listitem>
+ <para>Lastlog logging file</para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </refsect1>
+
+ <refsect1 id='pam_lastlog-see_also'>
+ <title>SEE ALSO</title>
+ <para>
+ <citerefentry>
+ <refentrytitle>limits.conf</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+
+ <refsect1 id='pam_lastlog-author'>
+ <title>AUTHOR</title>
+ <para>
+ pam_lastlog was written by Andrew G. Morgan &lt;morgan@kernel.org&gt;.
+ </para>
+ <para>
+ Inactive account lock out added by Tomáš Mráz &lt;tm@t8m.info&gt;.
+ </para>
+ </refsect1>
+
+</refentry>
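Review bot: The inactive=&lt;days&gt; entry in OPTIONS and the "auth required pam_lastlog.so inactive=50" example describe the lockout without stating when it does not apply, and that is the part an administrator relying on it needs most. RETURN VALUES says a lastlog read error in the auth or account phase yields PAM_IGNORE, which means the stack skips the module and the inactivity check is not enforced; DESCRIPTION says root and users with a UID above LASTLOG_UID_MAX are never checked. Suggest repeating both exemptions in the inactive entry, and stating how a user with no lastlog record at all is treated, which the text currently leaves open. The example should also say that the check depends on lastlog being kept current, either by the session line shown above it or by the application itself. Smaller points: the cmdsynopsis lists nohost before noterm while the variablelist has noterm first, attribute quoting is mixed (id="pam_lastlog-options" versus id='pam_lastlog-return_values'), and "if he did not login" would read better as "if they did not log in".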