path: root/modules/pam_unix/README
author Steve Langasek <> 2019-01-22 14:54:11 -0800
committer Steve Langasek <> 2019-01-22 14:54:11 -0800
commit f00afb1ef201b2eef7f9ddbe5a0c6ca802cf49bb (patch)
tree 402838c53047b0e21466a653ae88d86a8e4b7b65 /modules/pam_unix/README
parent 795badba7f95e737f979917859cd32c9bd47bcad (diff)
parent 1cad9fb2a0d729c5b5e5aa7297c521df7d5a2d33 (diff)
New upstream version 1.3.0
Diffstat (limited to 'modules/pam_unix/README')
1 files changed, 26 insertions, 8 deletions
diff --git a/modules/pam_unix/README b/modules/pam_unix/README
index 26c06e23..651ed9c8 100644
--- a/modules/pam_unix/README
+++ b/modules/pam_unix/README
@@ -12,9 +12,9 @@ shadow file as well if shadow is enabled.
The account component performs the task of establishing the status of the
user's account and password based on the following shadow elements: expire,
last_change, max_change, min_change, warn_change. In the case of the latter, it
-may offer advice to the user on changing their password or, through the
+may offer advice to the user on changing their password or, through the
PAM_AUTHTOKEN_REQD return, delay giving service to the user until they have
-established a new password. The entries listed above are documented in the
+established a new password. The entries listed above are documented in the
shadow(5) manual page. Should the user's record not contain one or more of
these entries, the corresponding shadow check is not performed.
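Review bot: The unchanged line between the two edits names the return value as PAM_AUTHTOKEN_REQD, but the constant Linux-PAM defines for "password must be changed" is PAM_NEW_AUTHTOK_REQD. The removed and added lines here differ only in whitespace as shown, so this paragraph is already being touched and the name could be corrected in the same pass; an administrator searching logs or module source for the documented name will not find it.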
@@ -34,6 +34,10 @@ child they didn't know was fork()d. The noreap module argument can be used to
suppress this temporary shielding and may be needed for use with certain
+The maximum length of a password supported by the pam_unix module via the
+helper binary is PAM_MAX_RESP_SIZE - currently 512 bytes. The rest of the
+password provided by the conversation function to the module will be ignored.
The password component of this module performs the task of updating the user's
password. The default encryption hash is taken from the ENCRYPT_METHOD variable
from /etc/login.defs
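Review bot: The added paragraph says input beyond PAM_MAX_RESP_SIZE "will be ignored" but does not say whether the same cut is applied when a password is set, so a reader cannot tell whether a longer password is stored and later verified on the same first 512 bytes. The phrase "via the helper binary" also leaves open what the limit is when the helper is not involved, and whether the user is told that part of the input was dropped. Suggest stating all three, and setting the paragraph off from the noreap text above and the password component text below, since it belongs to neither.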
@@ -54,6 +58,11 @@ audit
A little more extreme than debug.
+ Turns off informational messages namely messages about session open and
+ close via syslog(3).
The default action of this module is to not permit the user access to a
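Review bot: The two added lines describe an option, but no option name is visible above them in this hunk as shown (the header counts five added lines and two appear), so the reader cannot tell which argument suppresses the session messages. Please confirm the name line is present in the file. On wording, "informational messages namely messages about" needs a comma before "namely", and it is worth saying that with this set the session open and close records no longer reach syslog(3), which matters to anyone who relies on those entries for login auditing.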
@@ -86,11 +95,10 @@ use_authtok
one provided by a previously stacked password module (this is used in the
example of the stacking of the pam_cracklib module documented below).
- This argument is used to inform the module that it is not to pay attention
- to/make available the old or new passwords from/to other (stacked) password
- modules.
+ This argument can be used to modify the password prompt when changing
+ passwords to include the type of the password. Empty by default.
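Review bot: The removed description (an argument telling the module not to read or expose the old and new passwords to other stacked password modules) is replaced by text for a different behaviour, and nothing here says what happens to existing configurations that still pass the old argument. Given the README's own statement that invalid arguments are logged with syslog(3), a line noting whether the old argument is now rejected, ignored or still honoured would help people upgrading. The new text also says "Empty by default" without showing the argument's syntax or an example value, and no option name is visible in the hunk as shown.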
@@ -100,7 +108,8 @@ remember=n
The last n passwords for each user are saved in /etc/security/opasswd in
order to force password change history and keep the user from alternating
- between the same password too frequently. Instead of this option the
+ between the same password too frequently. The MD5 password hash algorithm
+ is used for storing the old passwords. Instead of this option the
pam_pwhistory module should be used.
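Review bot: The added sentence states that old passwords in /etc/security/opasswd are stored with MD5, but not whether that holds regardless of the hash selected for the current password through ENCRYPT_METHOD or the module's hash arguments. If it does, say so explicitly: the history file would then hold weaker hashes of recent passwords than the shadow file does, which is the practical reason behind the existing advice to use pam_pwhistory instead, and the two sentences would read better joined by that reasoning.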
@@ -149,6 +158,15 @@ minlen=n
Set a minimum password length of n characters. The max. for DES crypt based
passwords are 8 characters.
+ When set ignore password expiration as defined by the shadow entry of the
+ user. The option has an effect only in case pam_unix was not used for the
+ authentication or it returned authentication failure meaning that other
+ authentication source or method succeeded. The example can be public key
+ authentication in sshd. The module will return PAM_SUCCESS instead of
Invalid arguments are logged with syslog(3).
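Review bot: The last added sentence stops at "The module will return PAM_SUCCESS instead of" with no return codes named in the hunk as shown, and no option name is visible above the description, so the documented behaviour is incomplete as rendered; please confirm both are present in the file. The text should also state the consequence plainly: with this set, an account whose password has expired remains usable through any other method that succeeds, such as the sshd public key case it mentions, so password expiry stops working as a way to shut an account out. Minor wording: "When set ignore" needs a comma after "set", and "other authentication source" needs an article.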
@@ -159,7 +177,7 @@ An example usage for /etc/pam.d/login would be:
auth required
# Ensure users account and password are still active
account required
-# Change the users password, but at first check the strength
+# Change the user's password, but at first check the strength
# with pam_cracklib(8)
password required retry=3 minlen=6 difok=3
password required use_authtok nullok md5
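Review bot: The example that this hunk touches still ends with "use_authtok nullok md5" and "minlen=6" on the unchanged password lines, so the README's only sample configuration shows MD5 hashing, permits empty passwords and sets a six-character minimum. Since the comment above is being corrected anyway, consider updating the sample to a stronger hash argument and dropping nullok, or adding a sentence that these values are illustrative only. The neighbouring comment "# Ensure users account and password are still active" has the same missing apostrophe that is fixed two lines below it.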