/etc/security/console.handlers determines which programs will be run when an user obtains the console lock at login time, and when the user loses it on log out. It is read by the pam_console module.
The format is:
handler-filename lock|unlock [flag ...]
Where handler-filename is a name of the executable to be run, lock or unlock specifies on which event it should be run, and flags specify how should pam_console call it.
Additionally there should be a line which specifies glob patterns of console devices.
The format of this line is: console-name consoledevs regex [regex ...]
Where console-name is a name of the console class - currently ignored - and regexes are regular expression patterns which specify the name of the tty device. Only the first such line is consulted.
The pam_console module should log error to the system log if the return value of the handler is not zero or if the handler can not be executed.
The pam_console should wait for the handler to exit before continuing.
The handler should be executed with uid/gid of the user which obtained the console lock.
The handler will get a tty name as obtained from PAM as a parameter.
The handler will get an user name as obtained from PAM as a parameter.
Anything else will be added directly as a parameter to the handler executable.
Tomas Mraz <email@example.com>