logo
Free, unlimited AI code reviews that run on commit
git-lrc git-lrc GitHub Install Now We'd appreciate a star git-lrc - Free, unlimited AI code reviews that run on commit | Product Hunt git-lrc - Free, unlimited AI code reviews that run on commit | Product Hunt

pam_alreadyloggedin — Already-logged-in PAM module

Contents

Authors

       Adopted for Linux PAM by Ilya Evseev at Jan 2004.

       The original pam_alreadyloggedin module and this manual page were developed for the  FreeBSD  Project  by
       NAI  Labs and ThinkSec AS, the Security Research Division of Network Associates, Inc.  under DARPA/SPAWAR
       contract N66001-01-C-8035 (“CBOSS”), as part of the DARPA CHATS research program.

Linux-PAM                                       January 30, 2004                          PAM_ALREADYLOGGEDIN(8)

Bugs

       FreeBSD  version expects /dev/ prefix in restrict_tty value, but value of restrict_loggedin_tty should be
       without them.  Linux version expects /dev/ in both cases.

Description

       The  Already-logged-in  authentication service module for PAM, pam_alreadyloggedin provides functionality
       for only one PAM category: authentication.  In terms of the module-type parameter,  this  is  the  “auth”
       feature.  It also provides null functions for other PAM categories.

   Already-logged-inAuthenticationModule
       The  Already-logged-in  authentication  component (pam_sm_authenticate()), returns success if and only if
       the target user's ID is identical to a current login specified in the utmp(5) database and verified  with
       matching  permissions  on  that  login's respective terminal in /dev.  If a user shows up in w(8) output,
       they will generally be allowed to authenticate using this method.

       The following options may be passed to the authentication module:

       debug                           Enable verbose output to syslog at LOG_DEBUG level.

       no_debug                        Disable verbose output to syslog even it's enabled at compile time.

       no_root                         Never allow login with a target user ID of zero.

       restrict_tty=ttyglob*           Only allow login if the terminal device currently being authenticated  on
                                       matches  ttyglob*.   The  ttyglob* argument is specified as a shell glob,
                                       and   checked   using   the    fnmatch(3)    function.    For    example,
                                       restrict_tty=/dev/tty[1-6]  allows logging from text consoles of physical
                                       terminal only.

       restrict_loggedin_tty=ttyglob*  Disallow recognition that the  user  is  already  logged  in  unless  the
                                       terminal device logged in upon matches ttyglob*.

Example

       Modify auth section of the /etc/pam.d/login file like following:

             auth required   /lib/security/pam_securetty.so
             auth sufficient /lib/security/pam_alreadyloggedin.so no_root
             auth required   /lib/security/pam_stack.so service=system-auth

Name

       pam_alreadyloggedin — Already-logged-in PAM module

See Also

fnmatch(3), getuid(2), stat(2), utmp(5), w(8), pam.conf(5), pam(8)

Synopsis

       [service-name] module-typecontrol-flagpam_alreadyloggedin [options]

See Also

Man Pages
module Man Pages
Man Pages
rpc.rusersd Man Pages
Man Pages
rpma_conn_delete Man Pages
Man Pages
auth Man Pages
Man Pages
Restrictions Man Pages
Login
Login PNG Icons
User
User PNG Icons
← View System admin Category← Back to Security and firewalls🙏  Credits & Acknowledgments