This module is intended to be a platform for providing access to all
of the input/output that passes between the user and the application.
It is only suitable for tty-based and (stdin/stdout) applications.
To function this module requires filters to be installed on the
system. The single filter provided with the module simply transposes
upper and lower case letters in the input and output streams. (This
can be very annoying and is not kind to termcap based editors).
Each component of the module has the potential to invoke the desired
filter. The filter is always execv(2) with the privilege of the
calling application and not that of the user. For this reason it
cannot usually be killed by the user without closing their session.
Print debug information.
The default action of the filter is to set the PAM_TTY item to
indicate the terminal that the user is using to connect to the
application. This argument indicates that the filter should set
PAM_TTY to the filtered pseudo-terminal.
don't try to set the PAM_TTY item.
In order that the module can invoke a filter it should know when
to invoke it. This argument is required to tell the filter when
to do this.
Permitted values for X are 1 and 2. These indicate the precise
time that the filter is to be run. To understand this concept it
will be useful to have read the pam(3) manual page. Basically,
for each management group there are up to two ways of calling the
module's functions. In the case of the authentication and session
components there are actually two separate functions. For the
case of authentication, these functions are pam_authenticate(3)
and pam_setcred(3), here run1 means run the filter from the
pam_authenticate function and run2 means run the filter from
pam_setcred. In the case of the session modules, run1 implies
that the filter is invoked at the pam_open_session(3) stage, and
run2 for pam_close_session(3).
For the case of the account component. Either run1 or run2 may be
For the case of the password component, run1 is used to indicate
that the filter is run on the first occasion of pam_chauthtok(3)
(the PAM_PRELIM_CHECK phase) and run2 is used to indicate that
the filter is run on the second occasion (the PAM_UPDATE_AUTHTOK
The full pathname of the filter to be run and any command line
arguments that the filter might expect.
Add the following line to /etc/pam.d/login to see how to configure
login to transpose upper and lower case letters once the user has
session required pam_filter.so run1 /lib/security/pam_filter/upperLOWER
This page is part of the linux-pam (Pluggable Authentication Modules
for Linux) project. Information about the project can be found at
⟨http://www.linux-pam.org/⟩. If you have a bug report for this manual
page, see ⟨//www.linux-pam.org/⟩. This page was obtained from the
tarball Linux-PAM-1.3.0.tar.bz2 fetched from
⟨http://www.linux-pam.org/library/⟩ on 2020-06-09. If you discover
any rendering problems in this HTML version of the page, or you
believe there is a better or more up-to-date source for the page, or
you have corrections or improvements to the information in this
COLOPHON (which is not part of the original manual page), send a mail
Linux-PAM Manual 04/01/2016 PAM_FILTER(8)