pam_unix(5)
NAME
pam_unix - authentication, account, session, and password management
PAM modules for UNIX
SYNOPSIS
/usr/lib/security/pam_unix.so
DESCRIPTION
The UNIX service module for PAM, /usr/lib/security/pam_unix.so,
provides functionality for all four PAM modules: the authentication
module, the account management module, the session management module,
and the password management module. The pam_unix.so module is a shared
object that can be dynamically loaded to provide the necessary
functionality upon demand. Its path is specified in the PAM
configuration file.
Unix Authentication Module
The UNIX authentication component provides functions to verify the
identity of a user (pam_sm_authenticate()) and to set user-specific
credentials (pam_sm_setcred()). pam_sm_authenticate() compares the
user-entered password with the password from the UNIX password database.
If the passwords match, the user is authenticated. The following
options may be passed to the UNIX service module:
debug           syslog(3) debugging information at LOG_DEBUG level
nowarn          turn off warning messages
use_first_pass  It compares the password in the password database with
                the user's initial password (entered when the user
                authenticated to the first authentication module in
                the stack). If the passwords do not match, or if no
                password has been entered, quit and do not prompt the
                user for a password. This option should only be used
                if the authentication service is designated as
                optional in the pam.conf configuration file.
try_first_pass  It compares the password in the password database with
                the user's initial password (entered when the user
                authenticated to the first authentication module in
                the stack). If the passwords do not match, or if no
                password has been entered, prompt the user for a
                password.
The pam_sm_setcred() function sets user-specific credentials. For
UNIX, this is a NULL function.
Unix Account Management Module
The UNIX account management component provides a function to perform
account management (pam_sm_acct_mgmt()). The pam_sm_acct_mgmt()
function retrieves the user's password entry from the UNIX password
database and verifies that the user's account and password have not
expired. The following options may be passed in to the UNIX service
module:
debug           syslog(3) debugging information at LOG_DEBUG level
nowarn          turn off warning messages
Unix Session Management Module
The UNIX session management component provides functions to initiate
(pam_sm_open_session()) and terminate (pam_sm_close_session()) UNIX
sessions. Currently for UNIX, these functions are empty. The following
options may be passed in to the UNIX service module:
debug           syslog(3) debugging information at LOG_DEBUG level
nowarn          turn off warning messages
Unix Password Management Module
The UNIX password management component provides a function to change
passwords (pam_sm_chauthtok()) in the UNIX password database.
This module must be required in pam.conf. It cannot be optional or
sufficient.
The following options may be passed in to the UNIX service module:
debug           syslog(3) debugging information at LOG_DEBUG level
nowarn          turn off warning messages
use_first_pass  It compares the password in the password database with
                the user's old password (entered to the first password
                module in the stack). If the passwords do not match,
                or if no password has been entered, quit and do not
                prompt the user for the old password. It also attempts
                to use the new password (entered to the first password
                module in the stack) as the new password for this
                module. If the new password fails, quit and do not
                prompt the user for a new password.
try_first_pass  It compares the password in the password database with
                the user's old password (entered to the first password
                module in the stack). If the passwords do not match,
                or if no password has been entered, prompt the user
                for the old password. It also attempts to use the new
                password (entered to the first password module in the
                stack) as the new password for this module. If the new
                password fails, prompt the user for a new password.
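The two placement rules stated above (use_first_pass on an authentication entry only where that entry is optional, and the password component always required) can be checked mechanically. The following Python lint is an added example, not part of the original manual page or of pam_unix itself; the field layout is assumed from pam.conf(4), and the function name lint_pam_conf and the sample entries are constructed for illustration.

```python
# Added example (not from the manual page): lint pam.conf(4) entries
# against the two placement rules this page states for pam_unix.
# Assumed field layout, per pam.conf(4):
#   service  module_type  control_flag  module_path  [options...]

MODULE = "pam_unix.so"


def lint_pam_conf(text):
    """Return (line_number, message) findings for pam_unix entries."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            findings.append((lineno, "malformed entry: fewer than 4 fields"))
            continue
        service, mtype, control, path = fields[:4]
        options = fields[4:]
        if path.rsplit("/", 1)[-1] != MODULE:
            continue  # other modules are out of scope
        mtype, control = mtype.lower(), control.lower()
        # Rule 1: the password component must be "required".
        if mtype == "password" and control != "required":
            findings.append((lineno, f"{service}: password entry is "
                             f"'{control}', must be required"))
        # Rule 2: use_first_pass never prompts, so for auth it belongs
        # only on an entry whose control flag is "optional".
        if mtype == "auth" and "use_first_pass" in options and control != "optional":
            findings.append((lineno, f"{service}: auth use_first_pass on a "
                             f"'{control}' entry, expected optional"))
    return findings


# Constructed sample, not taken from a real system.
SAMPLE = """\
# service type flag module options
login  auth     required   /usr/lib/security/pam_unix.so use_first_pass
login  auth     optional   /usr/lib/security/pam_unix.so use_first_pass debug
login  account  required   /usr/lib/security/pam_unix.so
passwd password sufficient /usr/lib/security/pam_unix.so try_first_pass
passwd password required   /usr/lib/security/pam_unix.so
"""

if __name__ == "__main__":
    for lineno, msg in lint_pam_conf(SAMPLE):
        print(f"line {lineno}: {msg}")
```

Entries that continue across lines are not handled and would be reported as malformed.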
SEE ALSO
pam(3), pam_authenticate(3), pam_setcred(3), syslog(3), pam.conf(4)
19 October 1995 pam_unix(5)