The module is used in conjunction with the pam_opie(8) PAM module to
ascertain that authentication can proceed by other means (such as the
pam_unix(8) module) even if OPIE authentication failed.
To properly use this module, pam_opie(8) should be marked ``sufficient'',
and this module should be listed right below it and marked ``requisite''.

The module provides functionality for only one PAM category:
authentication.
In terms of the module-type parameter, this is the ``auth'' feature.
It also provides null functions for the remaining module types.

OPIEAccess Authentication Module
The authentication component (pam_sm_authenticate()) returns PAM_SUCCESS
in two cases:

  1. The user does not have OPIE enabled.
  2. The user has OPIE enabled, and the remote host is listed as a trusted
     host in /etc/opieaccess, and the user does not have a file named
     .opiealways in his home directory.

Otherwise, it returns PAM_AUTH_ERR.

The following options may be passed to the authentication module:

allow_local
    Normally, local logins are subjected to the same restrictions as
    remote logins from ``localhost''.
    This option causes the module to always allow local logins.
debug
    syslog(3) debugging information at LOG_DEBUG level.
no_warn
    suppress warning messages to the user.
    These messages include reasons why the user's authentication attempt
    was declined.
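
The stack ordering and return values described above, modelled as an added example (not code from the module or from the FreeBSD project): opieaccess() follows the two PAM_SUCCESS cases and the allow_local option as this page states them, and run_auth_stack() applies the usual sufficient/requisite/required control-flag rules. The function names, the boolean inputs and the ``required'' flag on pam_unix are assumptions made for the illustration.

```python
PAM_SUCCESS, PAM_AUTH_ERR = "PAM_SUCCESS", "PAM_AUTH_ERR"

def opieaccess(opie_enabled, host_trusted, has_opiealways,
               local_login=False, allow_local=False):
    """Model of the module's decision as this page describes it."""
    if not opie_enabled:
        return PAM_SUCCESS          # case 1: user does not have OPIE enabled
    if allow_local and local_login:
        return PAM_SUCCESS          # allow_local: local logins always allowed
    if host_trusted and not has_opiealways:
        return PAM_SUCCESS          # case 2: trusted host and no ~/.opiealways
    return PAM_AUTH_ERR

def run_auth_stack(stack):
    """Evaluate (name, control_flag, result) entries in order.
    Returns (final result, names of the modules that were reached)."""
    reached, failed = [], False
    for name, control, result in stack:
        reached.append(name)
        ok = result == PAM_SUCCESS
        if control == "sufficient" and ok and not failed:
            return PAM_SUCCESS, reached     # success ends the stack early
        if control == "requisite" and not ok:
            return PAM_AUTH_ERR, reached    # failure ends the stack at once
        if control == "required" and not ok:
            failed = True                   # remembered, stack continues
    return (PAM_AUTH_ERR if failed else PAM_SUCCESS), reached

def login(opie_ok, password_ok, **access):
    """The recommended ordering: pam_opie, then this module, then pam_unix."""
    as_result = lambda ok: PAM_SUCCESS if ok else PAM_AUTH_ERR
    return run_auth_stack([
        ("pam_opie", "sufficient", as_result(opie_ok)),
        ("pam_opieaccess", "requisite", opieaccess(**access)),
        ("pam_unix", "required", as_result(password_ok)),  # assumed flag
    ])

if __name__ == "__main__":
    # Constructed scenarios: the OPIE response is wrong, the password is right.
    cases = {
        "OPIE user, untrusted host": dict(opie_enabled=True, host_trusted=False, has_opiealways=False),
        "OPIE user, trusted host": dict(opie_enabled=True, host_trusted=True, has_opiealways=False),
        "OPIE user, trusted host, .opiealways": dict(opie_enabled=True, host_trusted=True, has_opiealways=True),
        "no OPIE, untrusted host": dict(opie_enabled=False, host_trusted=False, has_opiealways=False),
    }
    for label, access in cases.items():
        print(label, "->", login(opie_ok=False, password_ok=True, **access))
```

In the first and third scenarios the stack stops at the requisite entry, so a correct password is never consulted; that is the effect of listing this module directly below pam_opie.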

FILES
/etc/opieaccess
    List of trusted hosts or networks.
    See opieaccess(5) for a description of its syntax.
$HOME/.opiealways
    The presence of this file makes OPIE mandatory for the user.

The module and this manual page were developed for the FreeBSD Project by
ThinkSec AS and NAI Labs, the Security Research Division of Network
Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 (``CBOSS''),
as part of the DARPA CHATS research program.