.\" Title: pam_unix .\" Author: [see the "AUTHOR" section] .\" Generator: DocBook XSL Stylesheets v1.74.0 .\" Date: 10/27/2010 .\" Manual: Linux-PAM Manual .\" Source: Linux-PAM Manual .\" Language: English .\" .TH "PAM_UNIX" "8" "10/27/2010" "Linux-PAM Manual" "Linux\-PAM Manual" .\" ----------------------------------------------------------------- .\" * (re)Define some macros .\" ----------------------------------------------------------------- .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .\" toupper - uppercase a string (locale-aware) .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .de toupper .tr aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ \\$* .tr aabbccddeeffgghhiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz .. .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .\" SH-xref - format a cross-reference to an SH section .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .de SH-xref .ie n \{\ .\} .toupper \\$* .el \{\ \\$* .\} .. .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .\" SH - level-one heading that works better for non-TTY output .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .de1 SH .\" put an extra blank line of space above the head in non-TTY output .if t \{\ .sp 1 .\} .sp \\n[PD]u .nr an-level 1 .set-an-margin .nr an-prevailing-indent \\n[IN] .fi .in \\n[an-margin]u .ti 0 .HTML-TAG ".NH \\n[an-level]" .it 1 an-trap .nr an-no-space-flag 1 .nr an-break-flag 1 \." make the size of the head bigger .ps +3 .ft B .ne (2v + 1u) .ie n \{\ .\" if n (TTY output), use uppercase .toupper \\$* .\} .el \{\ .nr an-break-flag 0 .\" if not n (not TTY), use normal case (not uppercase) \\$1 .in \\n[an-margin]u .ti 0 .\" if not n (not TTY), put a border/line under subheading .sp -.6 \l'\n(.lu' .\} .. .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .\" SS - level-two heading that works better for non-TTY output .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .de1 SS .sp \\n[PD]u .nr an-level 1 .set-an-margin .nr an-prevailing-indent \\n[IN] .fi .in \\n[IN]u .ti \\n[SN]u .it 1 an-trap .nr an-no-space-flag 1 .nr an-break-flag 1 .ps \\n[PS-SS]u \." make the size of the head bigger .ps +2 .ft B .ne (2v + 1u) .if \\n[.$] \&\\$* .. .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .\" BB/BE - put background/screen (filled box) around block of text .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .de BB .if t \{\ .sp -.5 .br .in +2n .ll -2n .gcolor red .di BX .\} .. .de EB .if t \{\ .if "\\$2"adjust-for-leading-newline" \{\ .sp -1 .\} .br .di .in .ll .gcolor .nr BW \\n(.lu-\\n(.i .nr BH \\n(dn+.5v .ne \\n(BHu+.5v .ie "\\$2"adjust-for-leading-newline" \{\ \M[\\$1]\h'1n'\v'+.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[] .\} .el \{\ \M[\\$1]\h'1n'\v'-.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[] .\} .in 0 .sp -.5v .nf .BX .in .sp .5v .fi .\} .. .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .\" BM/EM - put colored marker in margin next to block of text .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .de BM .if t \{\ .br .ll -2n .gcolor red .di BX .\} .. .de EM .if t \{\ .br .di .ll .gcolor .nr BH \\n(dn .ne \\n(BHu \M[\\$1]\D'P -.75n 0 0 \\n(BHu -(\\n[.i]u - \\n(INu - .75n) 0 0 -\\n(BHu'\M[] .in 0 .nf .BX .in .fi .\} .. .\" ----------------------------------------------------------------- .\" * set default formatting .\" ----------------------------------------------------------------- .\" disable hyphenation .nh .\" disable justification (adjust text to left margin only) .ad l .\" ----------------------------------------------------------------- .\" * MAIN CONTENT STARTS HERE * .\" ----------------------------------------------------------------- .SH "Name" pam_unix \- Module for traditional password authentication .SH "Synopsis" .fam C .HP \w'\fBpam_unix\&.so\fR\ 'u \fBpam_unix\&.so\fR [\&.\&.\&.] .fam .SH "DESCRIPTION" .PP This is the standard Unix authentication module\&. It uses standard calls from the system\'s libraries to retrieve and set account information as well as authentication\&. Usually this is obtained from the /etc/passwd and the /etc/shadow file as well if shadow is enabled\&. .PP The account component performs the task of establishing the status of the user\'s account and password based on the following \fIshadow\fR elements: expire, last_change, max_change, min_change, warn_change\&. In the case of the latter, it may offer advice to the user on changing their password or, through the \fBPAM_AUTHTOKEN_REQD\fR return, delay giving service to the user until they have established a new password\&. The entries listed above are documented in the \fBshadow\fR(5) manual page\&. Should the user\'s record not contain one or more of these entries, the corresponding \fIshadow\fR check is not performed\&. .PP The authentication component performs the task of checking the users credentials (password)\&. The default action of this module is to not permit the user access to a service if their official password is blank\&. .PP A helper binary, \fBunix_chkpwd\fR(8), is provided to check the user\'s password when it is stored in a read protected database\&. This binary is very simple and will only check the password of the user invoking it\&. It is called transparently on behalf of the user by the authenticating component of this module\&. In this way it is possible for applications like \fBxlock\fR(1) to work without being setuid\-root\&. The module, by default, will temporarily turn off SIGCHLD handling for the duration of execution of the helper binary\&. This is generally the right thing to do, as many applications are not prepared to handle this signal from a child they didn\'t know was \fBfork()\fRd\&. The \fBnoreap\fR module argument can be used to suppress this temporary shielding and may be needed for use with certain applications\&. .PP The password component of this module performs the task of updating the user\'s password\&. .PP The session component of this module logs when a user logins or leave the system\&. .PP Remaining arguments, supported by others functions of this module, are silently ignored\&. Other arguments are logged as errors through \fBsyslog\fR(3)\&. .SH "OPTIONS" .PP \fBdebug\fR .RS 4 Turns on debugging via \fBsyslog\fR(3)\&. .RE .PP \fBaudit\fR .RS 4 A little more extreme than debug\&. .RE .PP \fBnullok\fR .RS 4 The default action of this module is to not permit the user access to a service if their official password is blank\&. The \fBnullok\fR argument overrides this default\&. .RE .PP \fBtry_first_pass\fR .RS 4 Before prompting the user for their password, the module first tries the previous stacked module\'s password in case that satisfies this module as well\&. .RE .PP \fBuse_first_pass\fR .RS 4 The argument \fBuse_first_pass\fR forces the module to use a previous stacked modules password and will never prompt the user \- if no password is available or the password is not appropriate, the user will be denied access\&. .RE .PP \fBnodelay\fR .RS 4 This argument can be used to discourage the authentication component from requesting a delay should the authentication as a whole fail\&. The default action is for the module to request a delay\-on\-failure of the order of two second\&. .RE .PP \fBuse_authtok\fR .RS 4 When password changing enforce the module to set the new password to the one provided by a previously stacked \fBpassword\fR module (this is used in the example of the stacking of the \fBpam_cracklib\fR module documented below)\&. .RE .PP \fBnot_set_pass\fR .RS 4 This argument is used to inform the module that it is not to pay attention to/make available the old or new passwords from/to other (stacked) password modules\&. .RE .PP \fBnis\fR .RS 4 NIS RPC is used for setting new passwords\&. .RE .PP \fBremember=\fR\fB\fIn\fR\fR .RS 4 The last \fIn\fR passwords for each user are saved in \FC/etc/security/opasswd\F[] in order to force password change history and keep the user from alternating between the same password too frequently\&. .RE .PP \fBshadow\fR .RS 4 Try to maintain a shadow based system\&. .RE .PP \fBmd5\fR .RS 4 When a user changes their password next, encrypt it with the MD5 algorithm\&. .RE .PP \fBbigcrypt\fR .RS 4 When a user changes their password next, encrypt it with the DEC C2 algorithm\&. .RE .PP \fBsha256\fR .RS 4 When a user changes their password next, encrypt it with the SHA256 algorithm\&. If the SHA256 algorithm is not known to the \fBcrypt\fR(3) function, fall back to MD5\&. .RE .PP \fBsha512\fR .RS 4 When a user changes their password next, encrypt it with the SHA512 algorithm\&. If the SHA512 algorithm is not known to the \fBcrypt\fR(3) function, fall back to MD5\&. .RE .PP \fBblowfish\fR .RS 4 When a user changes their password next, encrypt it with the blowfish algorithm\&. If the blowfish algorithm is not known to the \fBcrypt\fR(3) function, fall back to MD5\&. .RE .PP \fBrounds=\fR\fB\fIn\fR\fR .RS 4 Set the optional number of rounds of the SHA256, SHA512 and blowfish password hashing algorithms to \fIn\fR\&. .RE .PP \fBbroken_shadow\fR .RS 4 Ignore errors reading shadow information for users in the account management module\&. .RE .PP \fBminlen=\fR\fB\fIn\fR\fR .RS 4 Set a minimum password length of \fIn\fR characters\&. The max\&. for DES crypt based passwords are 8 characters\&. .RE .PP Invalid arguments are logged with \fBsyslog\fR(3)\&. .SH "MODULE TYPES PROVIDED" .PP All module types (\fBaccount\fR, \fBauth\fR, \fBpassword\fR and \fBsession\fR) are provided\&. .SH "RETURN VALUES" .PP PAM_IGNORE .RS 4 Ignore this module\&. .RE .SH "EXAMPLES" .PP An example usage for \FC/etc/pam\&.d/login\F[] would be: .sp .if n \{\ .RS 4 .\} .fam C .ps -1 .nf .if t \{\ .sp -1 .\} .BB lightgray adjust-for-leading-newline .sp -1 # Authenticate the user auth required pam_unix\&.so # Ensure users account and password are still active account required pam_unix\&.so # Change the users password, but at first check the strength # with pam_cracklib(8) password required pam_cracklib\&.so retry=3 minlen=6 difok=3 password required pam_unix\&.so use_authtok nullok md5 session required pam_unix\&.so .EB lightgray adjust-for-leading-newline .if t \{\ .sp 1 .\} .fi .fam .ps +1 .if n \{\ .RE .\} .sp .SH "SEE ALSO" .PP \fBpam.conf\fR(5), \fBpam.d\fR(5), \fBpam\fR(8) .SH "AUTHOR" .PP pam_unix was written by various people\&.