aboutsummaryrefslogtreecommitdiff
path: root/modules/pam_unix/pam_unix.8
diff options
context:
space:
mode:
Diffstat (limited to 'modules/pam_unix/pam_unix.8')
-rw-r--r--modules/pam_unix/pam_unix.8380
1 files changed, 380 insertions, 0 deletions
diff --git a/modules/pam_unix/pam_unix.8 b/modules/pam_unix/pam_unix.8
new file mode 100644
index 00000000..6970b9f3
--- /dev/null
+++ b/modules/pam_unix/pam_unix.8
@@ -0,0 +1,380 @@
+.\" Title: pam_unix
+.\" Author: [see the "AUTHOR" section]
+.\" Generator: DocBook XSL Stylesheets v1.74.0 <http://docbook.sf.net/>
+.\" Date: 06/16/2009
+.\" Manual: Linux-PAM Manual
+.\" Source: Linux-PAM Manual
+.\" Language: English
+.\"
+.TH "PAM_UNIX" "8" "06/16/2009" "Linux-PAM Manual" "Linux\-PAM Manual"
+.\" -----------------------------------------------------------------
+.\" * (re)Define some macros
+.\" -----------------------------------------------------------------
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.\" toupper - uppercase a string (locale-aware)
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.de toupper
+.tr aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ
+\\$*
+.tr aabbccddeeffgghhiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz
+..
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.\" SH-xref - format a cross-reference to an SH section
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.de SH-xref
+.ie n \{\
+.\}
+.toupper \\$*
+.el \{\
+\\$*
+.\}
+..
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.\" SH - level-one heading that works better for non-TTY output
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.de1 SH
+.\" put an extra blank line of space above the head in non-TTY output
+.if t \{\
+.sp 1
+.\}
+.sp \\n[PD]u
+.nr an-level 1
+.set-an-margin
+.nr an-prevailing-indent \\n[IN]
+.fi
+.in \\n[an-margin]u
+.ti 0
+.HTML-TAG ".NH \\n[an-level]"
+.it 1 an-trap
+.nr an-no-space-flag 1
+.nr an-break-flag 1
+\." make the size of the head bigger
+.ps +3
+.ft B
+.ne (2v + 1u)
+.ie n \{\
+.\" if n (TTY output), use uppercase
+.toupper \\$*
+.\}
+.el \{\
+.nr an-break-flag 0
+.\" if not n (not TTY), use normal case (not uppercase)
+\\$1
+.in \\n[an-margin]u
+.ti 0
+.\" if not n (not TTY), put a border/line under subheading
+.sp -.6
+\l'\n(.lu'
+.\}
+..
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.\" SS - level-two heading that works better for non-TTY output
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.de1 SS
+.sp \\n[PD]u
+.nr an-level 1
+.set-an-margin
+.nr an-prevailing-indent \\n[IN]
+.fi
+.in \\n[IN]u
+.ti \\n[SN]u
+.it 1 an-trap
+.nr an-no-space-flag 1
+.nr an-break-flag 1
+.ps \\n[PS-SS]u
+\." make the size of the head bigger
+.ps +2
+.ft B
+.ne (2v + 1u)
+.if \\n[.$] \&\\$*
+..
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.\" BB/BE - put background/screen (filled box) around block of text
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.de BB
+.if t \{\
+.sp -.5
+.br
+.in +2n
+.ll -2n
+.gcolor red
+.di BX
+.\}
+..
+.de EB
+.if t \{\
+.if "\\$2"adjust-for-leading-newline" \{\
+.sp -1
+.\}
+.br
+.di
+.in
+.ll
+.gcolor
+.nr BW \\n(.lu-\\n(.i
+.nr BH \\n(dn+.5v
+.ne \\n(BHu+.5v
+.ie "\\$2"adjust-for-leading-newline" \{\
+\M[\\$1]\h'1n'\v'+.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[]
+.\}
+.el \{\
+\M[\\$1]\h'1n'\v'-.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[]
+.\}
+.in 0
+.sp -.5v
+.nf
+.BX
+.in
+.sp .5v
+.fi
+.\}
+..
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.\" BM/EM - put colored marker in margin next to block of text
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.de BM
+.if t \{\
+.br
+.ll -2n
+.gcolor red
+.di BX
+.\}
+..
+.de EM
+.if t \{\
+.br
+.di
+.ll
+.gcolor
+.nr BH \\n(dn
+.ne \\n(BHu
+\M[\\$1]\D'P -.75n 0 0 \\n(BHu -(\\n[.i]u - \\n(INu - .75n) 0 0 -\\n(BHu'\M[]
+.in 0
+.nf
+.BX
+.in
+.fi
+.\}
+..
+.\" -----------------------------------------------------------------
+.\" * set default formatting
+.\" -----------------------------------------------------------------
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.\" -----------------------------------------------------------------
+.\" * MAIN CONTENT STARTS HERE *
+.\" -----------------------------------------------------------------
+.SH "Name"
+pam_unix \- Module for traditional password authentication
+.SH "Synopsis"
+.fam C
+.HP \w'\fBpam_unix\&.so\fR\ 'u
+\fBpam_unix\&.so\fR [\&.\&.\&.]
+.fam
+.SH "DESCRIPTION"
+.PP
+This is the standard Unix authentication module\&. It uses standard calls from the system\'s libraries to retrieve and set account information as well as authentication\&. Usually this is obtained from the /etc/passwd and the /etc/shadow file as well if shadow is enabled\&.
+.PP
+The account component performs the task of establishing the status of the user\'s account and password based on the following
+\fIshadow\fR
+elements: expire, last_change, max_change, min_change, warn_change\&. In the case of the latter, it may offer advice to the user on changing their password or, through the
+\fBPAM_AUTHTOKEN_REQD\fR
+return, delay giving service to the user until they have established a new password\&. The entries listed above are documented in the
+\fBshadow\fR(5)
+manual page\&. Should the user\'s record not contain one or more of these entries, the corresponding
+\fIshadow\fR
+check is not performed\&.
+.PP
+The authentication component performs the task of checking the users credentials (password)\&. The default action of this module is to not permit the user access to a service if their official password is blank\&.
+.PP
+A helper binary,
+\fBunix_chkpwd\fR(8), is provided to check the user\'s password when it is stored in a read protected database\&. This binary is very simple and will only check the password of the user invoking it\&. It is called transparently on behalf of the user by the authenticating component of this module\&. In this way it is possible for applications like
+\fBxlock\fR(1)
+to work without being setuid\-root\&. The module, by default, will temporarily turn off SIGCHLD handling for the duration of execution of the helper binary\&. This is generally the right thing to do, as many applications are not prepared to handle this signal from a child they didn\'t know was
+\fBfork()\fRd\&. The
+\fBnoreap\fR
+module argument can be used to suppress this temporary shielding and may be needed for use with certain applications\&.
+.PP
+The password component of this module performs the task of updating the user\'s password\&.
+.PP
+The session component of this module logs when a user logins or leave the system\&.
+.PP
+Remaining arguments, supported by others functions of this module, are silently ignored\&. Other arguments are logged as errors through
+\fBsyslog\fR(3)\&.
+.SH "OPTIONS"
+.PP
+\fBdebug\fR
+.RS 4
+Turns on debugging via
+\fBsyslog\fR(3)\&.
+.RE
+.PP
+\fBaudit\fR
+.RS 4
+A little more extreme than debug\&.
+.RE
+.PP
+\fBnullok\fR
+.RS 4
+The default action of this module is to not permit the user access to a service if their official password is blank\&. The
+\fBnullok\fR
+argument overrides this default\&.
+.RE
+.PP
+\fBtry_first_pass\fR
+.RS 4
+Before prompting the user for their password, the module first tries the previous stacked module\'s password in case that satisfies this module as well\&.
+.RE
+.PP
+\fBuse_first_pass\fR
+.RS 4
+The argument
+\fBuse_first_pass\fR
+forces the module to use a previous stacked modules password and will never prompt the user \- if no password is available or the password is not appropriate, the user will be denied access\&.
+.RE
+.PP
+\fBnodelay\fR
+.RS 4
+This argument can be used to discourage the authentication component from requesting a delay should the authentication as a whole fail\&. The default action is for the module to request a delay\-on\-failure of the order of two second\&.
+.RE
+.PP
+\fBuse_authtok\fR
+.RS 4
+When password changing enforce the module to set the new password to the one provided by a previously stacked
+\fBpassword\fR
+module (this is used in the example of the stacking of the
+\fBpam_cracklib\fR
+module documented below)\&.
+.RE
+.PP
+\fBnot_set_pass\fR
+.RS 4
+This argument is used to inform the module that it is not to pay attention to/make available the old or new passwords from/to other (stacked) password modules\&.
+.RE
+.PP
+\fBnis\fR
+.RS 4
+NIS RPC is used for setting new passwords\&.
+.RE
+.PP
+\fBremember=\fR\fB\fIn\fR\fR
+.RS 4
+The last
+\fIn\fR
+passwords for each user are saved in
+\FC/etc/security/opasswd\F[]
+in order to force password change history and keep the user from alternating between the same password too frequently\&.
+.RE
+.PP
+\fBshadow\fR
+.RS 4
+Try to maintain a shadow based system\&.
+.RE
+.PP
+\fBmd5\fR
+.RS 4
+When a user changes their password next, encrypt it with the MD5 algorithm\&.
+.RE
+.PP
+\fBbigcrypt\fR
+.RS 4
+When a user changes their password next, encrypt it with the DEC C2 algorithm\&.
+.RE
+.PP
+\fBsha256\fR
+.RS 4
+When a user changes their password next, encrypt it with the SHA256 algorithm\&. If the SHA256 algorithm is not known to the
+\fBcrypt\fR(3)
+function, fall back to MD5\&.
+.RE
+.PP
+\fBsha512\fR
+.RS 4
+When a user changes their password next, encrypt it with the SHA512 algorithm\&. If the SHA512 algorithm is not known to the
+\fBcrypt\fR(3)
+function, fall back to MD5\&.
+.RE
+.PP
+\fBblowfish\fR
+.RS 4
+When a user changes their password next, encrypt it with the blowfish algorithm\&. If the SHA512 algorithm is not known to the
+\fBcrypt\fR(3)
+function, fall back to MD5\&.
+.RE
+.PP
+\fBrounds=\fR\fB\fIn\fR\fR
+.RS 4
+Set the optional number of rounds of the SHA256, SHA512 and blowfish password hashing algorithms to
+\fIn\fR\&.
+.RE
+.PP
+\fBbroken_shadow\fR
+.RS 4
+Ignore errors reading shadow information for users in the account management module\&.
+.RE
+.PP
+Invalid arguments are logged with
+\fBsyslog\fR(3)\&.
+.SH "MODULE TYPES PROVIDED"
+.PP
+All module types (\fBaccount\fR,
+\fBauth\fR,
+\fBpassword\fR
+and
+\fBsession\fR) are provided\&.
+.SH "RETURN VALUES"
+.PP
+PAM_IGNORE
+.RS 4
+Ignore this module\&.
+.RE
+.SH "EXAMPLES"
+.PP
+An example usage for
+\FC/etc/pam\&.d/login\F[]
+would be:
+.sp
+.if n \{\
+.RS 4
+.\}
+.fam C
+.ps -1
+.nf
+.if t \{\
+.sp -1
+.\}
+.BB lightgray adjust-for-leading-newline
+.sp -1
+
+# Authenticate the user
+auth required pam_unix\&.so
+# Ensure users account and password are still active
+account required pam_unix\&.so
+# Change the users password, but at first check the strength
+# with pam_cracklib(8)
+password required pam_cracklib\&.so retry=3 minlen=6 difok=3
+password required pam_unix\&.so use_authtok nullok md5
+session required pam_unix\&.so
+
+.EB lightgray adjust-for-leading-newline
+.if t \{\
+.sp 1
+.\}
+.fi
+.fam
+.ps +1
+.if n \{\
+.RE
+.\}
+.sp
+.SH "SEE ALSO"
+.PP
+
+\fBpam.conf\fR(5),
+\fBpam.d\fR(5),
+\fBpam\fR(8)
+.SH "AUTHOR"
+.PP
+pam_unix was written by various people\&.
generated by cgit v1.2.3 (git 2.39.1) at 2025-04-27 09:41:18 +0000