<?xml version='1.0'?> <!--*-nxml-*-->
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
- "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
+ "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd">
<!-- SPDX-License-Identifier: LGPL-2.1-or-later -->
<refentry id="pam_systemd" conditional='HAVE_PAM' xmlns:xi="http://www.w3.org/2001/XInclude">
<varlistentry>
<term><varname>class=</varname></term>
- <listitem><para>Takes a string argument which sets the session class. The <varname>XDG_SESSION_CLASS</varname>
- environment variable (see below) takes precedence. One of <literal>user</literal>, <literal>greeter</literal>,
- <literal>lock-screen</literal> or <literal>background</literal>. See
- <citerefentry><refentrytitle>sd_session_get_class</refentrytitle><manvolnum>3</manvolnum></citerefentry> for
- details about the session class.</para>
+ <listitem><para>Takes a string argument which sets the session class. The
+ <varname>XDG_SESSION_CLASS</varname> environment variable (see below) takes precedence. See
+ <citerefentry><refentrytitle>sd_session_get_class</refentrytitle><manvolnum>3</manvolnum></citerefentry>
+ for a way to query the class of a session. The following session classes are defined:</para>
+
+ <table>
+ <title>Session Classes</title>
+ <tgroup cols='2' align='left' colsep='1' rowsep='1'>
+ <colspec colname="name" />
+ <colspec colname="explanation" />
+ <thead>
+ <row>
+ <entry>Name</entry>
+ <entry>Explanation</entry>
+ </row>
+ </thead>
+ <tbody>
+ <row>
+ <entry><constant>user</constant></entry>
+ <entry>A regular interactive user session. This is the default class for sessions for which a TTY or X display is known at session registration time.</entry>
+ </row>
+ <row>
+ <entry><constant>user-early</constant></entry>
+ <entry>Similar to <literal>user</literal> but sessions of this class are not ordered after <filename>systemd-user-sessions.service</filename>, i.e. may be started before regular sessions are allowed to be established. This session class is the default for sessions of the root user that would otherwise qualify for the <constant>user</constant> class, see above. (Added in v256.)</entry>
+ </row>
+ <row>
+ <entry><constant>user-incomplete</constant></entry>
+ <entry>Similar to <literal>user</literal> but for sessions which are not fully set up yet, i.e. have no home directory mounted or similar. This is used by <citerefentry><refentrytitle>systemd-homed.service</refentrytitle><manvolnum>8</manvolnum></citerefentry> to allow users to log in via <command>ssh</command> before their home directory is mounted, delaying the mount until the user provided the unlock password. Sessions of this class are upgraded to the regular <constant>user</constant> class once the home directory is activated.</entry>
+ </row>
+ <row>
+ <entry><constant>greeter</constant></entry>
+ <entry>Similar to <literal>user</literal> but for sessions that are spawned by a display manager ephemerally and which prompt the user for login credentials.</entry>
+ </row>
+ <row>
+ <entry><constant>lock-screen</constant></entry>
+ <entry>Similar to <literal>user</literal> but for sessions that are spawned by a display manager ephemerally and which show a lock screen that can be used to unlock locked user accounts or sessions.</entry>
+ </row>
+ <row>
+ <entry><constant>background</constant></entry>
+ <entry>Used for background sessions, such as those invoked by <command>cron</command> and similar tools. This is the default class for sessions for which no TTY or X display is known at session registration time.</entry>
+ </row>
+ <row>
+ <entry><constant>background-light</constant></entry>
+ <entry>Similar to <constant>background</constant>, but sessions of this class will not pull in the <filename>user@.service</filename> of the user, and thus possibly have no services of the user running. (Added in v256.)</entry>
+ </row>
+ <row>
+ <entry><constant>manager</constant></entry>
+ <entry>The <filename>user@.service</filename> service of the user is registered under this session class. (Added in v256.)</entry>
+ </row>
+ <row>
+ <entry><constant>manager-early</constant></entry>
+ <entry>Similar to <constant>manager</constant>, but for the root user. Compare with the <constant>user</constant> vs. <constant>user-early</constant> situation. (Added in v256.)</entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </table>
<xi:include href="version-info.xml" xpointer="v197"/></listitem>
</varlistentry>
<listitem><para>Takes a string argument which sets the session type. The <varname>XDG_SESSION_TYPE</varname>
environment variable (see below) takes precedence. One of <literal>unspecified</literal>,
- <literal>tty</literal>, <literal>x11</literal>, <literal>wayland</literal> or <literal>mir</literal>. See
+ <literal>tty</literal>, <literal>x11</literal>, <literal>wayland</literal>, <literal>mir</literal>, or
+ <literal>web</literal>. See
<citerefentry><refentrytitle>sd_session_get_type</refentrytitle><manvolnum>3</manvolnum></citerefentry> for
details about the session type.</para>
<xi:include href="version-info.xml" xpointer="v245"/></listitem>
</varlistentry>
+ <varlistentry>
+ <term><varname>$SHELL_PROMPT_PREFIX</varname></term>
+ <term><varname>$SHELL_PROMPT_SUFFIX</varname></term>
+ <term><varname>$SHELL_WELCOME</varname></term>
+
+ <listitem><para>These environment variables are initialized from the service credentials
+ <literal>shell.prompt.prefix</literal>, <literal>shell.prompt.suffix</literal> and
+ <literal>shell.welcome</literal> if set. They are passed to the invoked session processes, where they
+ are imported into any shell prompt (specifically <varname>$SHELL_PROMPT_PREFIX</varname> is added as
+ prefix to <varname>$PS1</varname>, and <varname>$SHELL_PROMPT_SUFFIX</varname> as suffix) or printed
+ on screen when a shell first initializes.</para>
+
+ <xi:include href="version-info.xml" xpointer="v257"/></listitem>
+ </varlistentry>
+
</variablelist>
<para>The following environment variables are read by the module and may be used by the PAM service to pass
<listitem><para>Sets unit <varname>MemoryMax=</varname>.</para>
- <xi:include href="version-info.xml" xpointer="v246"/></listitem>
+ <xi:include href="version-info.xml" xpointer="v239"/></listitem>
</varlistentry>
<varlistentry>
<listitem><para>Sets unit <varname>TasksMax=</varname>.</para>
- <xi:include href="version-info.xml" xpointer="v246"/></listitem>
+ <xi:include href="version-info.xml" xpointer="v239"/></listitem>
</varlistentry>
<varlistentry>
<listitem><para>Sets unit <varname>CPUWeight=</varname>.</para>
- <xi:include href="version-info.xml" xpointer="v246"/></listitem>
+ <xi:include href="version-info.xml" xpointer="v239"/></listitem>
</varlistentry>
<varlistentry>
<listitem><para>Sets unit <varname>IOWeight=</varname>.</para>
- <xi:include href="version-info.xml" xpointer="v246"/></listitem>
+ <xi:include href="version-info.xml" xpointer="v239"/></listitem>
</varlistentry>
<varlistentry>
<listitem><para>Sets unit <varname>RuntimeMaxSec=</varname>.</para>
- <xi:include href="version-info.xml" xpointer="v246"/></listitem>
+ <xi:include href="version-info.xml" xpointer="v244"/></listitem>
</varlistentry>
</variablelist>
account required pam_permit.so
-password sufficient pam_systemd_home.so
-password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok
-
+password sufficient pam_unix.so sha512 shadow try_first_pass
password required pam_deny.so
-session optional pam_keyinit.so revoke
<refsect1>
<title>See Also</title>
- <para>
- <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
- <citerefentry><refentrytitle>systemd-logind.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
- <citerefentry><refentrytitle>logind.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
- <citerefentry><refentrytitle>loginctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
- <citerefentry><refentrytitle>pam_systemd_home</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
- <citerefentry project='man-pages'><refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
- <citerefentry project='man-pages'><refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
- <citerefentry project='man-pages'><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
- <citerefentry project='man-pages'><refentrytitle>pam_loginuid</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
- <citerefentry><refentrytitle>systemd.scope</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
- <citerefentry><refentrytitle>systemd.slice</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
- <citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>
- </para>
+ <para><simplelist type="inline">
+ <member><citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
+ <member><citerefentry><refentrytitle>systemd-logind.service</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>
+ <member><citerefentry><refentrytitle>logind.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry></member>
+ <member><citerefentry><refentrytitle>loginctl</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
+ <member><citerefentry><refentrytitle>pam_systemd_home</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>
+ <member><citerefentry project='man-pages'><refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry></member>
+ <member><citerefentry project='man-pages'><refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum></citerefentry></member>
+ <member><citerefentry project='man-pages'><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>
+ <member><citerefentry project='man-pages'><refentrytitle>pam_loginuid</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>
+ <member><citerefentry><refentrytitle>systemd.scope</refentrytitle><manvolnum>5</manvolnum></citerefentry></member>
+ <member><citerefentry><refentrytitle>systemd.slice</refentrytitle><manvolnum>5</manvolnum></citerefentry></member>
+ <member><citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry></member>
+ </simplelist></para>
</refsect1>
</refentry>