PAM_ALREADYLOGGEDIN(8) | System Manager's Manual | PAM_ALREADYLOGGEDIN(8) |
pam_alreadyloggedin - Already-logged-in PAM module
[service-name] module-type control-flag pam_alreadyloggedin [options]
The Already-logged-in authentication service module for PAM, pam_alreadyloggedin, provides functionality for only one PAM category: authentication. In terms of the module-type parameter, this is the “auth” feature. It also provides null functions for other PAM categories.
The Already-logged-in authentication component (pam_sm_authenticate()) returns success if and only if the target user's ID is identical to a current login specified in the utmp(5) database and verified with matching permissions on that login's respective terminal in /dev. If a user shows up in w(8) output, they will generally be allowed to authenticate using this method.
The following options may be passed to the authentication module:
debug
no_debug
no_root
restrict_tty=ttyglob*
restrict_tty=/dev/tty[1-6] allows logins from the text consoles of the physical terminal only.
restrict_loggedin_tty=ttyglob*
Modify the auth section of the /etc/pam.d/login file as follows:
auth required /lib/security/pam_securetty.so
auth sufficient /lib/security/pam_alreadyloggedin.so no_root
auth required /lib/security/pam_stack.so service=system-auth
The FreeBSD version expects the /dev/ prefix in the restrict_tty value, but the value of restrict_loggedin_tty should be given without it. The Linux version expects /dev/ in both cases.
fnmatch(3), getuid(2), stat(2), utmp(5), w(8), pam.conf(5), pam(8)
Adapted for Linux PAM by Ilya Evseev in Jan 2004.
The original pam_alreadyloggedin module and this manual page were developed for the FreeBSD Project by NAI Labs and ThinkSec AS, the Security Research Division of Network Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 (“CBOSS”), as part of the DARPA CHATS research program.
January 30, 2004 | Linux-PAM |