Man Linux: Main Page and Category List


     pam_alreadyloggedin - Already-logged-in PAM module


     [service-name] module-type control-flag pam_alreadyloggedin [options]


     The Already-logged-in authentication service module for PAM,
     pam_alreadyloggedin provides functionality for only one PAM category:
     authentication.  In terms of the module-type parameter, this is the
     “auth” feature.  It also provides null functions for other PAM

   Already-logged-in Authentication Module
     The Already-logged-in authentication component (pam_sm_authenticate()),
     returns success if and only if the target user’s ID is identical to a
     current login specified in the utmp(5) database and verified with
     matching permissions on that login’s respective terminal in /dev.  If a
     user shows up in w(8) output, they will generally be allowed to
     authenticate using this method.

     The following options may be passed to the authentication module:

     debug                           Enable verbose output to syslog at
                                     LOG_DEBUG level.

     no_debug                        Disable verbose output to syslog even
                                     it’s enabled at compile time.

     no_root                         Never allow login with a target user ID
                                     of zero.

     restrict_tty=ttyglob*           Only allow login if the terminal device
                                     currently being authenticated on matches
                                     ttyglob*.  The ttyglob* argument is
                                     specified as a shell glob, and checked
                                     using the fnmatch(3) function. For
                                     example, restrict_tty=/dev/tty[1-6]
                                     allows logging from text consoles of
                                     physical terminal only.

     restrict_loggedin_tty=ttyglob*  Disallow recognition that the user is
                                     already logged in unless the terminal
                                     device logged in upon matches ttyglob*.


     Modify auth section of the /etc/pam.d/login file like following:

           auth required   /lib/security/
           auth sufficient /lib/security/ no_root
           auth required   /lib/security/ service=system-auth


     FreeBSD version expects /dev/ prefix in restrict_tty value, but value of
     restrict_loggedin_tty should be without them.  Linux version expects
     /dev/ in both cases.


     fnmatch(3), getuid(2), stat(2), utmp(5), w(8), pam.conf(5), pam(8)


     Adopted for Linux PAM by Ilya Evseev at Jan 2004.

     The original pam_alreadyloggedin module and this manual page were
     developed for the FreeBSD Project by NAI Labs and ThinkSec AS, the
     Security Research Division of Network Associates, Inc.  under
     DARPA/SPAWAR contract N66001-01-C-8035 (“CBOSS”), as part of the DARPA
     CHATS research program.