'\" t .\" Title: pam_unix .\" Author: [see the "AUTHOR" section] .\" Generator: DocBook XSL Stylesheets v1.78.1 .\" Date: 09/19/2013 .\" Manual: Linux-PAM Manual .\" Source: Linux-PAM Manual .\" Language: English .\" .TH "PAM_UNIX" "8" "09/19/2013" "Linux-PAM Manual" "Linux\-PAM Manual" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .\" http://bugs.debian.org/507673 .\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .ie \n(.g .ds Aq \(aq .el .ds Aq ' .\" ----------------------------------------------------------------- .\" * set default formatting .\" ----------------------------------------------------------------- .\" disable hyphenation .nh .\" disable justification (adjust text to left margin only) .ad l .\" ----------------------------------------------------------------- .\" * MAIN CONTENT STARTS HERE * .\" ----------------------------------------------------------------- .SH "NAME" pam_unix \- Module for traditional password authentication .SH "SYNOPSIS" .HP \w'\fBpam_unix\&.so\fR\ 'u \fBpam_unix\&.so\fR [\&.\&.\&.] .SH "DESCRIPTION" .PP This is the standard Unix authentication module\&. It uses standard calls from the system\*(Aqs libraries to retrieve and set account information as well as authentication\&. Usually this is obtained from the /etc/passwd and the /etc/shadow file as well if shadow is enabled\&. .PP The account component performs the task of establishing the status of the user\*(Aqs account and password based on the following \fIshadow\fR elements: expire, last_change, max_change, min_change, warn_change\&. In the case of the latter, it may offer advice to the user on changing their password or, through the \fBPAM_AUTHTOKEN_REQD\fR return, delay giving service to the user until they have established a new password\&. The entries listed above are documented in the \fBshadow\fR(5) manual page\&. Should the user\*(Aqs record not contain one or more of these entries, the corresponding \fIshadow\fR check is not performed\&. .PP The authentication component performs the task of checking the users credentials (password)\&. The default action of this module is to not permit the user access to a service if their official password is blank\&. .PP A helper binary, \fBunix_chkpwd\fR(8), is provided to check the user\*(Aqs password when it is stored in a read protected database\&. This binary is very simple and will only check the password of the user invoking it\&. It is called transparently on behalf of the user by the authenticating component of this module\&. In this way it is possible for applications like \fBxlock\fR(1) to work without being setuid\-root\&. The module, by default, will temporarily turn off SIGCHLD handling for the duration of execution of the helper binary\&. This is generally the right thing to do, as many applications are not prepared to handle this signal from a child they didn\*(Aqt know was \fBfork()\fRd\&. The \fBnoreap\fR module argument can be used to suppress this temporary shielding and may be needed for use with certain applications\&. .PP The maximum length of a password supported by the pam_unix module via the helper binary is \fIPAM_MAX_RESP_SIZE\fR \- currently 512 bytes\&. The rest of the password provided by the conversation function to the module will be ignored\&. .PP The password component of this module performs the task of updating the user\*(Aqs password\&. The default encryption hash is taken from the \fBENCRYPT_METHOD\fR variable from \fI/etc/login\&.defs\fR .PP The session component of this module logs when a user logins or leave the system\&. .PP Remaining arguments, supported by others functions of this module, are silently ignored\&. Other arguments are logged as errors through \fBsyslog\fR(3)\&. .SH "OPTIONS" .PP \fBdebug\fR .RS 4 Turns on debugging via \fBsyslog\fR(3)\&. .RE .PP \fBaudit\fR .RS 4 A little more extreme than debug\&. .RE .PP \fBnullok\fR .RS 4 The default action of this module is to not permit the user access to a service if their official password is blank\&. The \fBnullok\fR argument overrides this default and allows any user with a blank password to access the service\&. .RE .PP \fBnullok_secure\fR .RS 4 The default action of this module is to not permit the user access to a service if their official password is blank\&. The \fBnullok_secure\fR argument overrides this default and allows any user with a blank password to access the service as long as the value of PAM_TTY is set to one of the values found in /etc/securetty\&. .RE .PP \fBtry_first_pass\fR .RS 4 Before prompting the user for their password, the module first tries the previous stacked module\*(Aqs password in case that satisfies this module as well\&. .RE .PP \fBuse_first_pass\fR .RS 4 The argument \fBuse_first_pass\fR forces the module to use a previous stacked modules password and will never prompt the user \- if no password is available or the password is not appropriate, the user will be denied access\&. .RE .PP \fBnodelay\fR .RS 4 This argument can be used to discourage the authentication component from requesting a delay should the authentication as a whole fail\&. The default action is for the module to request a delay\-on\-failure of the order of two second\&. .RE .PP \fBuse_authtok\fR .RS 4 When password changing enforce the module to set the new password to the one provided by a previously stacked \fBpassword\fR module (this is used in the example of the stacking of the \fBpam_cracklib\fR module documented below)\&. .RE .PP \fBnot_set_pass\fR .RS 4 This argument is used to inform the module that it is not to pay attention to/make available the old or new passwords from/to other (stacked) password modules\&. .RE .PP \fBnis\fR .RS 4 NIS RPC is used for setting new passwords\&. .RE .PP \fBremember=\fR\fB\fIn\fR\fR .RS 4 The last \fIn\fR passwords for each user are saved in /etc/security/opasswd in order to force password change history and keep the user from alternating between the same password too frequently\&. Instead of this option the \fBpam_pwhistory\fR module should be used\&. .RE .PP \fBshadow\fR .RS 4 Try to maintain a shadow based system\&. .RE .PP \fBmd5\fR .RS 4 When a user changes their password next, encrypt it with the MD5 algorithm\&. .RE .PP \fBbigcrypt\fR .RS 4 When a user changes their password next, encrypt it with the DEC C2 algorithm\&. .RE .PP \fBsha256\fR .RS 4 When a user changes their password next, encrypt it with the SHA256 algorithm\&. If the SHA256 algorithm is not known to the \fBcrypt\fR(3) function, fall back to MD5\&. .RE .PP \fBsha512\fR .RS 4 When a user changes their password next, encrypt it with the SHA512 algorithm\&. If the SHA512 algorithm is not known to the \fBcrypt\fR(3) function, fall back to MD5\&. .RE .PP \fBblowfish\fR .RS 4 When a user changes their password next, encrypt it with the blowfish algorithm\&. If the blowfish algorithm is not known to the \fBcrypt\fR(3) function, fall back to MD5\&. .RE .PP \fBrounds=\fR\fB\fIn\fR\fR .RS 4 Set the optional number of rounds of the SHA256, SHA512 and blowfish password hashing algorithms to \fIn\fR\&. .RE .PP \fBbroken_shadow\fR .RS 4 Ignore errors reading shadow information for users in the account management module\&. .RE .PP \fBminlen=\fR\fB\fIn\fR\fR .RS 4 Set a minimum password length of \fIn\fR characters\&. The default value is 6\&. The maximum for DES crypt\-based passwords is 8 characters\&. .RE .PP \fBobscure\fR .RS 4 Enable some extra checks on password strength\&. These checks are based on the "obscure" checks in the original shadow package\&. The behavior is similar to the pam_cracklib module, but for non\-dictionary\-based checks\&. The following checks are implemented: .PP \fBPalindrome\fR .RS 4 Verifies that the new password is not a palindrome of (i\&.e\&., the reverse of) the previous one\&. .RE .PP \fBCase Change Only\fR .RS 4 Verifies that the new password isn\*(Aqt the same as the old one with a change of case\&. .RE .PP \fBSimilar\fR .RS 4 Verifies that the new password isn\*(Aqt too much like the previous one\&. .RE .PP \fBSimple\fR .RS 4 Is the new password too simple? This is based on the length of the password and the number of different types of characters (alpha, numeric, etc\&.) used\&. .RE .PP \fBRotated\fR .RS 4 Is the new password a rotated version of the old password? (E\&.g\&., "billy" and "illyb") .RE .sp .RE .PP Invalid arguments are logged with \fBsyslog\fR(3)\&. .SH "MODULE TYPES PROVIDED" .PP All module types (\fBaccount\fR, \fBauth\fR, \fBpassword\fR and \fBsession\fR) are provided\&. .SH "RETURN VALUES" .PP PAM_IGNORE .RS 4 Ignore this module\&. .RE .SH "EXAMPLES" .PP An example usage for /etc/pam\&.d/login would be: .sp .if n \{\ .RS 4 .\} .nf # Authenticate the user auth required pam_unix\&.so # Ensure users account and password are still active account required pam_unix\&.so # Change the users password, but at first check the strength # with pam_cracklib(8) password required pam_cracklib\&.so retry=3 minlen=6 difok=3 password required pam_unix\&.so use_authtok nullok md5 session required pam_unix\&.so .fi .if n \{\ .RE .\} .sp .SH "SEE ALSO" .PP \fBlogin.defs\fR(5), \fBpam.conf\fR(5), \fBpam.d\fR(5), \fBpam\fR(7) .SH "AUTHOR" .PP pam_unix was written by various people\&.