diff options
Diffstat (limited to '')
| -rw-r--r-- | modules/pam_lastlog/pam_lastlog.8 | 197 | ||||
| -rw-r--r-- | modules/pam_lastlog/pam_lastlog.8.xml | 343 |
2 files changed, 540 insertions, 0 deletions
diff --git a/modules/pam_lastlog/pam_lastlog.8 b/modules/pam_lastlog/pam_lastlog.8 new file mode 100644 index 0000000..325456e --- /dev/null +++ b/modules/pam_lastlog/pam_lastlog.8 @@ -0,0 +1,197 @@ +'\" t +.\" Title: pam_lastlog +.\" Author: [see the "AUTHOR" section] +.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> +.\" Date: 09/03/2021 +.\" Manual: Linux-PAM Manual +.\" Source: Linux-PAM Manual +.\" Language: English +.\" +.TH "PAM_LASTLOG" "8" "09/03/2021" "Linux-PAM Manual" "Linux\-PAM Manual" +.\" ----------------------------------------------------------------- +.\" * Define some portability stuff +.\" ----------------------------------------------------------------- +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" http://bugs.debian.org/507673 +.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" ----------------------------------------------------------------- +.\" * set default formatting +.\" ----------------------------------------------------------------- +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.\" ----------------------------------------------------------------- +.\" * MAIN CONTENT STARTS HERE * +.\" ----------------------------------------------------------------- +.SH "NAME" +pam_lastlog \- PAM module to display date of last login and perform inactive account lock out +.SH "SYNOPSIS" +.HP \w'\fBpam_lastlog\&.so\fR\ 'u +\fBpam_lastlog\&.so\fR [debug] [silent] [never] [nodate] [nohost] [noterm] [nowtmp] [noupdate] [showfailed] [inactive=<days>] [unlimited] +.SH "DESCRIPTION" +.PP +pam_lastlog is a PAM module to display a line of information about the last login of the user\&. In addition, the module maintains the +/var/log/lastlog +file\&. +.PP +Some applications may perform this function themselves\&. In such cases, this module is not necessary\&. +.PP +The module checks +\fBLASTLOG_UID_MAX\fR +option in +/etc/login\&.defs +and does not update or display last login records for users with UID higher than its value\&. If the option is not present or its value is invalid, no user ID limit is applied\&. +.PP +If the module is called in the auth or account phase, the accounts that were not used recently enough will be disallowed to log in\&. The check is not performed for the root account so the root is never locked out\&. It is also not performed for users with UID higher than the +\fBLASTLOG_UID_MAX\fR +value\&. +.SH "OPTIONS" +.PP +\fBdebug\fR +.RS 4 +Print debug information\&. +.RE +.PP +\fBsilent\fR +.RS 4 +Don\*(Aqt inform the user about any previous login, just update the +/var/log/lastlog +file\&. This option does not affect display of bad login attempts\&. +.RE +.PP +\fBnever\fR +.RS 4 +If the +/var/log/lastlog +file does not contain any old entries for the user, indicate that the user has never previously logged in with a welcome message\&. +.RE +.PP +\fBnodate\fR +.RS 4 +Don\*(Aqt display the date of the last login\&. +.RE +.PP +\fBnoterm\fR +.RS 4 +Don\*(Aqt display the terminal name on which the last login was attempted\&. +.RE +.PP +\fBnohost\fR +.RS 4 +Don\*(Aqt indicate from which host the last login was attempted\&. +.RE +.PP +\fBnowtmp\fR +.RS 4 +Don\*(Aqt update the wtmp entry\&. +.RE +.PP +\fBnoupdate\fR +.RS 4 +Don\*(Aqt update any file\&. +.RE +.PP +\fBshowfailed\fR +.RS 4 +Display number of failed login attempts and the date of the last failed attempt from btmp\&. The date is not displayed when +\fBnodate\fR +is specified\&. +.RE +.PP +\fBinactive=<days>\fR +.RS 4 +This option is specific for the auth or account phase\&. It specifies the number of days after the last login of the user when the user will be locked out by the module\&. The default value is 90\&. +.RE +.PP +\fBunlimited\fR +.RS 4 +If the +\fIfsize\fR +limit is set, this option can be used to override it, preventing failures on systems with large UID values that lead lastlog to become a huge sparse file\&. +.RE +.SH "MODULE TYPES PROVIDED" +.PP +The +\fBauth\fR +and +\fBaccount\fR +module type allows one to lock out users who did not login recently enough\&. The +\fBsession\fR +module type is provided for displaying the information about the last login and/or updating the lastlog and wtmp files\&. +.SH "RETURN VALUES" +.PP +.PP +PAM_SUCCESS +.RS 4 +Everything was successful\&. +.RE +.PP +PAM_SERVICE_ERR +.RS 4 +Internal service module error\&. +.RE +.PP +PAM_USER_UNKNOWN +.RS 4 +User not known\&. +.RE +.PP +PAM_AUTH_ERR +.RS 4 +User locked out in the auth or account phase due to inactivity\&. +.RE +.PP +PAM_IGNORE +.RS 4 +There was an error during reading the lastlog file in the auth or account phase and thus inactivity of the user cannot be determined\&. +.RE +.SH "EXAMPLES" +.PP +Add the following line to +/etc/pam\&.d/login +to display the last login time of a user: +.sp +.if n \{\ +.RS 4 +.\} +.nf + session required pam_lastlog\&.so nowtmp + +.fi +.if n \{\ +.RE +.\} +.PP +To reject the user if he did not login during the previous 50 days the following line can be used: +.sp +.if n \{\ +.RS 4 +.\} +.nf + auth required pam_lastlog\&.so inactive=50 + +.fi +.if n \{\ +.RE +.\} +.SH "FILES" +.PP +/var/log/lastlog +.RS 4 +Lastlog logging file +.RE +.SH "SEE ALSO" +.PP +\fBlimits.conf\fR(5), +\fBpam.conf\fR(5), +\fBpam.d\fR(5), +\fBpam\fR(8) +.SH "AUTHOR" +.PP +pam_lastlog was written by Andrew G\&. Morgan <morgan@kernel\&.org>\&. +.PP +Inactive account lock out added by Tomáš Mráz <tm@t8m\&.info>\&. diff --git a/modules/pam_lastlog/pam_lastlog.8.xml b/modules/pam_lastlog/pam_lastlog.8.xml new file mode 100644 index 0000000..bada2ea --- /dev/null +++ b/modules/pam_lastlog/pam_lastlog.8.xml @@ -0,0 +1,343 @@ +<?xml version="1.0" encoding='UTF-8'?> +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" + "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> + +<refentry id="pam_lastlog"> + + <refmeta> + <refentrytitle>pam_lastlog</refentrytitle> + <manvolnum>8</manvolnum> + <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + </refmeta> + + <refnamediv id="pam_lastlog-name"> + <refname>pam_lastlog</refname> + <refpurpose>PAM module to display date of last login and perform inactive account lock out</refpurpose> + </refnamediv> + + <refsynopsisdiv> + <cmdsynopsis id="pam_lastlog-cmdsynopsis"> + <command>pam_lastlog.so</command> + <arg choice="opt"> + debug + </arg> + <arg choice="opt"> + silent + </arg> + <arg choice="opt"> + never + </arg> + <arg choice="opt"> + nodate + </arg> + <arg choice="opt"> + nohost + </arg> + <arg choice="opt"> + noterm + </arg> + <arg choice="opt"> + nowtmp + </arg> + <arg choice="opt"> + noupdate + </arg> + <arg choice="opt"> + showfailed + </arg> + <arg choice="opt"> + inactive=<days> + </arg> + <arg choice="opt"> + unlimited + </arg> + </cmdsynopsis> + </refsynopsisdiv> + + <refsect1 id="pam_lastlog-description"> + + <title>DESCRIPTION</title> + + <para> + pam_lastlog is a PAM module to display a line of information + about the last login of the user. In addition, the module maintains + the <filename>/var/log/lastlog</filename> file. + </para> + <para> + Some applications may perform this function themselves. In such + cases, this module is not necessary. + </para> + <para> + The module checks <option>LASTLOG_UID_MAX</option> option in + <filename>/etc/login.defs</filename> and does not update or display + last login records for users with UID higher than its value. + If the option is not present or its value is invalid, no user ID + limit is applied. + </para> + <para> + If the module is called in the auth or account phase, the accounts that + were not used recently enough will be disallowed to log in. The + check is not performed for the root account so the root is never + locked out. It is also not performed for users with UID higher + than the <option>LASTLOG_UID_MAX</option> value. + </para> + </refsect1> + + <refsect1 id="pam_lastlog-options"> + + <title>OPTIONS</title> + <variablelist> + <varlistentry> + <term> + <option>debug</option> + </term> + <listitem> + <para> + Print debug information. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>silent</option> + </term> + <listitem> + <para> + Don't inform the user about any previous login, + just update the <filename>/var/log/lastlog</filename> file. + This option does not affect display of bad login attempts. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>never</option> + </term> + <listitem> + <para> + If the <filename>/var/log/lastlog</filename> file does + not contain any old entries for the user, indicate that + the user has never previously logged in with a welcome + message. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>nodate</option> + </term> + <listitem> + <para> + Don't display the date of the last login. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>noterm</option> + </term> + <listitem> + <para> + Don't display the terminal name on which the + last login was attempted. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>nohost</option> + </term> + <listitem> + <para> + Don't indicate from which host the last login was + attempted. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>nowtmp</option> + </term> + <listitem> + <para> + Don't update the wtmp entry. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>noupdate</option> + </term> + <listitem> + <para> + Don't update any file. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>showfailed</option> + </term> + <listitem> + <para> + Display number of failed login attempts and the date of the + last failed attempt from btmp. The date is not displayed + when <option>nodate</option> is specified. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>inactive=<days></option> + </term> + <listitem> + <para> + This option is specific for the auth or account phase. It + specifies the number of days after the last login of the user + when the user will be locked out by the module. The default + value is 90. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>unlimited</option> + </term> + <listitem> + <para> + If the <emphasis>fsize</emphasis> limit is set, this option can be + used to override it, preventing failures on systems with large UID + values that lead lastlog to become a huge sparse file. + </para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1 id="pam_lastlog-types"> + <title>MODULE TYPES PROVIDED</title> + <para> + The <option>auth</option> and <option>account</option> module type + allows one to lock out users who did not login recently enough. + The <option>session</option> module type is provided for displaying + the information about the last login and/or updating the lastlog and + wtmp files. + </para> + </refsect1> + + <refsect1 id='pam_lastlog-return_values'> + <title>RETURN VALUES</title> + <para> + <variablelist> + + <varlistentry> + <term>PAM_SUCCESS</term> + <listitem> + <para> + Everything was successful. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>PAM_SERVICE_ERR</term> + <listitem> + <para> + Internal service module error. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>PAM_USER_UNKNOWN</term> + <listitem> + <para> + User not known. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>PAM_AUTH_ERR</term> + <listitem> + <para> + User locked out in the auth or account phase due to + inactivity. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>PAM_IGNORE</term> + <listitem> + <para> + There was an error during reading the lastlog file + in the auth or account phase and thus inactivity + of the user cannot be determined. + </para> + </listitem> + </varlistentry> + + </variablelist> + </para> + </refsect1> + + <refsect1 id='pam_lastlog-examples'> + <title>EXAMPLES</title> + <para> + Add the following line to <filename>/etc/pam.d/login</filename> to + display the last login time of a user: + </para> + <programlisting> + session required pam_lastlog.so nowtmp + </programlisting> + <para> + To reject the user if he did not login during the previous 50 days + the following line can be used: + </para> + <programlisting> + auth required pam_lastlog.so inactive=50 + </programlisting> + </refsect1> + + <refsect1 id="pam_lastlog-files"> + <title>FILES</title> + <variablelist> + <varlistentry> + <term><filename>/var/log/lastlog</filename></term> + <listitem> + <para>Lastlog logging file</para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1 id='pam_lastlog-see_also'> + <title>SEE ALSO</title> + <para> + <citerefentry> + <refentrytitle>limits.conf</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + </citerefentry> + </para> + </refsect1> + + <refsect1 id='pam_lastlog-author'> + <title>AUTHOR</title> + <para> + pam_lastlog was written by Andrew G. Morgan <morgan@kernel.org>. + </para> + <para> + Inactive account lock out added by Tomáš Mráz <tm@t8m.info>. + </para> + </refsect1> + +</refentry> |