Provided by: libpam-alreadyloggedin_0.3-12_amd64 bug

NAME

     pam_alreadyloggedin — Already-logged-in PAM module

SYNOPSIS

     [service-name] module-type control-flag pam_alreadyloggedin [options]

DESCRIPTION

     The Already-logged-in authentication service module for PAM, pam_alreadyloggedin provides
     functionality for only one PAM category: authentication.  In terms of the module-type
     parameter, this is the “auth” feature.  It also provides null functions for other PAM
     categories.

   Already-logged-in Authentication Module
     The Already-logged-in authentication component (pam_sm_authenticate()), returns success if
     and only if the target user's ID is identical to a current login specified in the utmp(5)
     database and verified with matching permissions on that login's respective terminal in /dev.
     If a user shows up in w(8) output, they will generally be allowed to authenticate using this
     method.

     The following options may be passed to the authentication module:

     debug                           Enable verbose output to syslog at LOG_DEBUG level.

     no_debug                        Disable verbose output to syslog even it's enabled at
                                     compile time.

     no_root                         Never allow login with a target user ID of zero.

     restrict_tty=ttyglob*           Only allow login if the terminal device currently being
                                     authenticated on matches ttyglob*.  The ttyglob* argument is
                                     specified as a shell glob, and checked using the fnmatch(3)
                                     function. For example, restrict_tty=/dev/tty[1-6] allows
                                     logging from text consoles of physical terminal only.

     restrict_loggedin_tty=ttyglob*  Disallow recognition that the user is already logged in
                                     unless the terminal device logged in upon matches ttyglob*.

EXAMPLE

     Modify auth section of the /etc/pam.d/login file like following:

           auth required   /lib/security/pam_securetty.so
           auth sufficient /lib/security/pam_alreadyloggedin.so no_root
           auth required   /lib/security/pam_stack.so service=system-auth

BUGS

     FreeBSD version expects /dev/ prefix in restrict_tty value, but value of
     restrict_loggedin_tty should be without them.  Linux version expects /dev/ in both cases.

SEE ALSO

     fnmatch(3), getuid(2), stat(2), utmp(5), w(8), pam.conf(5), pam(8)

AUTHORS

     Adopted for Linux PAM by Ilya Evseev at Jan 2004.

     The original pam_alreadyloggedin module and this manual page were developed for the FreeBSD
     Project by NAI Labs and ThinkSec AS, the Security Research Division of Network Associates,
     Inc.  under DARPA/SPAWAR contract N66001-01-C-8035 (“CBOSS”), as part of the DARPA CHATS
     research program.