tail head cat sleep
QR code linking to this page

Manual Pages  — PAM_OPIEACCESS


pam_opieaccess – OPIEAccess PAM module



[service-name] module-type control-flag pam_opieaccess [options]


The pam_opieaccess module is used in conjunction with the pam_opie(8) PAM module to ascertain that authentication can proceed by other means (such as the pam_unix(8) module) even if OPIE authentication failed. To properly use this module, pam_opie(8) should be marked "sufficient", and pam_opieaccess should be listed right below it and marked "requisite".

The pam_opieaccess module provides functionality for only one PAM category: authentication. In terms of the module-type parameter, this is the "auth" feature. It also provides null functions for the remaining module types.

OPIEAccess Authentication Module

The authentication component (pam_sm_authenticate()), returns PAM_SUCCESS in two cases:
  1. The user does not have OPIE enabled.
  2. The user has OPIE enabled, and the remote host is listed as a trusted host in /etc/opieaccess, and the user does not have a file named .opiealways in his home directory.

Otherwise, it returns PAM_AUTH_ERR.

The following options may be passed to the authentication module:
  Normally, local logins are subjected to the same restrictions as remote logins from "localhost". This option causes pam_opieaccess to always allow local logins.
debug syslog(3) debugging information at LOG_DEBUG level.
no_warn suppress warning messages to the user. These messages include reasons why the user's authentication attempt was declined.


/etc/opieaccess List of trusted hosts or networks. See opieaccess(5) for a description of its syntax.
  The presence of this file makes OPIE mandatory for the user.


opie(4), opieaccess(5), pam.conf(5), pam(8), pam_opie(8)


The pam_opieaccess module and this manual page were developed for the FreeBSD Project by ThinkSec AS and NAI Labs, the Security Research Division of Network Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA CHATS research program.

PAM_OPIEACCESS (8) October 26, 2007

tail head cat sleep
QR code linking to this page

Please direct any comments about this manual page service to Ben Bullock. Privacy policy.

Today, the Unix equivalent of a power drill would have 20 dials and switches, come with a nonstandard plug, require the user to hand-wind the motor coil, and not accept 3/8" or 7/8" drill bits (though this would be documented in the BUGS section of its instruction manual).
— The Unix Haters' handbook