NAME

pam_regex - authentication using regular expressions

SYNOPSIS

pam_regex [sense=SENSE] [user=NAME] [regex=EXPRESSION] [basic|extended] [case|ignore-case|icase] [transform=S-EXPR] [debug[=NUMBER]] [waitdebug] [audit]

DESCRIPTION

A general-purpose tool for authentication using regular expressions. It can be used to control access depending on whether the user name matches a given regular expression or to modify user name as per a sed-like expression, so that subsequent modules see the modified name.

OPTIONS

regex=EXPRESSION: Compare user name with EXPRESSION. By default the argument is treated as an extended regular expression with case-sensitive matching.
When this option is used, pam_regex allows only login attempts with user names that match the given expression. See the sensed option to revert that behavior.
sense=allow|deny: What to do if the user name matches the expression given by the regex option. The value allow (the default) instructs the module to return PAM_SUCCESS, the deny instructs it to return PAM_AUTH_ERR.
transform=S-EXPR: Transform the user name using a sed-like expression. The argument should have the following form:

s/regexp/repl/[flags]

See sed(1), for a detailed description. Supported flags are: g, to apply the replacement to all matches, not just the first, i, to use case-insensitive matching, and x, which indicates that regexp is an extended POSIX regular expression. A decimal number in the flags field indicates the ordinal number of the match to be replaced. Using it together with g results in undefined behavior.

Any delimiter can be used in lieue of the slash, the only requirement being that it be used consistently throughout the expression.

basic: Use basic regular expressions.
case: Use case-sensitive regular expressions (default).
extended: Use extended regular expressions (default).
ignore-case or icase: Use case-insensitive regular expressions.
user=NAME: Upon successful matching, set PAM user name to STRING.
debug[=NUMBER]: Set debugging level (0 <= NUMBER <= 100).
audit: Log full debugging information (equivalent to debug=100).
waitdebug=N: Wait for N seconds before starting up. This option is intended to facilitate attaching to the module with gdb(1). It is available only if the package was configured with the --enable-debug option.

MODULE TYPES PROVIDED

auth

RETURN VALUES

PAM_SUCCESS: Successful return.
PAM_AUTH_ERR: Authentication failed.
PAM_AUTHINFO_UNAVAIL: The input information is not sufficient.

EXAMPLES

1.: Deny access to users with login name containig the @ sign.

auth  required  pam_regex.so sense=deny regex=.*@.*

2.: Convert the user name to lower case and remove anything starting from the @ character:

auth  required  pam_regex.so extended transform=s/.*/\L&/g;s/@.*//

NOTE

This manpage is a short description of pam_regex. For a detailed discussion, including examples and usage recommendations, refer to the PAM-modules Manual available in texinfo format. If the info reader and the tar documentation are properly installed on your system, the command

info pam-modules

should give you access to the complete manual.

You can also view the manual using the info mode in emacs(1), or find it in various formats online at

http://www.gnu.org.ua/software/pam-modules/manual

If any discrepancies occur between this manpage and the PAM-modules Manual, the later shall be considered the authoritative source.

AUTHORS

Sergey Poznyakoff <gray@gnu.org>

BUG REPORTS

Report bugs to <bug-pam-modules@gnu.org.ua>.

COPYRIGHT

Copyright © 2001-2014 Sergey Poznyakoff
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law.