Skip Lines in PAM Script

In situations where authentication needs to skip lines to branch on an outcome such as success or failure, a PAM script can skip lines. This section shows how to skip them.

Specify Conditions

To specify conditions, put them inside square brackets as value=action pairs, where each value is a result returned by the corresponding module. When the action is a number, it tells PAM to skip that number of lines. Consider the following:

auth    [success=1 default=ignore]      pam_unix.so nullok_secure

If the pam_unix.so module succeeds, PAM skips 1 line. Otherwise, it ignores the result and proceeds to the next statement.

Multiple Conditions

In certain situations, several conditions are needed because the corresponding PAM module can return different results. Here is an example:

account [success=1 new_authtok_reqd=done default=ignore]        pam_unix.so

Here, if pam_unix.so reports new_authtok_reqd (a new authentication token is required), it will end the authentication process.

Execute Script For Fail Cases

To execute a shell script on failure (e.g. to run some custom actions after a failed login), you need to skip an extra line. Based on the first example above, change the success value from 1 to 2 or more, depending on how many things you wish to execute. Here is an example that adds one extra line:

auth    [success=2 default=ignore]      pam_unix.so nullok_secure

# fail case
auth    [default=ignore]                pam_exec.so seteuid /var/myscript.sh --email
auth    requisite                       pam_deny.so

# success case
auth    required                        pam_permit.so

Therefore, when pam_unix.so succeeds, PAM skips both fail-case statements and goes straight to the first success statement.
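
The walk-through below is an added example, not part of the original page: a simplified Python model of how PAM steps through the auth stack above, showing which modules run when pam_unix.so succeeds or fails. The names parse and trace are hypothetical, module results are supplied by hand, and a jump is assumed to contribute nothing to the final verdict.

```python
import re

# Constructed copy of the "fail case" stack shown above.
STACK = """\
auth    [success=2 default=ignore]      pam_unix.so nullok_secure

# fail case
auth    [default=ignore]                pam_exec.so seteuid /var/myscript.sh --email
auth    requisite                       pam_deny.so
# success case
auth    required                        pam_permit.so
"""

# Bracket equivalents of the keyword controls, as documented in pam.conf(5).
KEYWORDS = {
    "required":   "success=ok new_authtok_reqd=ok ignore=ignore default=bad",
    "requisite":  "success=ok new_authtok_reqd=ok ignore=ignore default=die",
    "sufficient": "success=done new_authtok_reqd=done default=ignore",
    "optional":   "success=ok new_authtok_reqd=ok default=ignore",
}

def parse(text, kind="auth"):
    """Return [(module, {return_value: action})]; comments and blank lines are dropped."""
    rules = []
    for line in text.splitlines():
        m = re.match(r"(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)", line.split("#", 1)[0])
        if m and m.group(1) == kind:
            spec = m.group(2).strip("[]")
            spec = KEYWORDS.get(spec, spec)
            rules.append((m.group(3), dict(p.split("=") for p in spec.split())))
    return rules

def trace(rules, results):
    """Walk one stack; results maps module -> return value name. Returns (ran, verdict)."""
    ran, i, ok, failed = [], 0, False, False
    while i < len(rules):
        module, actions = rules[i]
        ran.append(module)
        # Values not listed fall back to default=, and to "bad" if that is absent too.
        action = actions.get(results.get(module, "success"), actions.get("default", "bad"))
        i += 1
        if action.isdigit():
            i += int(action)            # jump over the next N rules, not N text lines
        elif action in ("ok", "done"):
            ok = True
        elif action in ("bad", "die"):
            failed = True
        if action in ("done", "die"):
            break                       # stop processing the stack
    return ran, "permit" if ok and not failed else "deny"
```

Changing success=2 to success=1 in STACK makes a successful pam_unix.so land on pam_deny.so, so the number must be updated whenever a line is added to or removed from the fail case.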

That's all for skipping lines in PAM script.