README
This PAM module provides the authentication service using its own set of user/password pairs.

CONFIGURATION
=============

simple PAM config
-----------------

Add to or change the PAM config file for the service so that it contains the line:

auth required pam_pwdfile.so pwdfile=/path/to/passwd_file

If your service uses PAM for more than auth, the other module types fall back to the service "other".
If that is not what you want, you can use pam_permit.so or pam_deny.so for them:

account required pam_permit.so
session required pam_permit.so
password required pam_deny.so


options
-------

* pwdfile=<file>
* debug: produce a bit of debug output
* nodelay: don't tell the PAM stack to cause a delay on auth failure
* flock: use a shared (read) advisory lock on pwdfile; it is better to move new versions of the file into place instead
* legacy_crypt: see section LEGACY CRYPT


PASSWORD FILE
=============

The password file basically looks like passwd(5): one line for each user with two or more colon-separated fields.
First field contains the username, the second the crypt()ed password.
Other fields are optional.

crypt()ed passwords in various formats can be generated with mkpasswd from the whois package.


LEGACY CRYPT
============

There are two crypt types that are disabled by default: bigcrypt and broken md5_crypt.
They are disabled because they use static buffers, which is unsafe when this module performs PAM authentication in a multithreaded server.
All the other crypt types are checked via the system's crypt_r function if available, else with the normal crypt function, which has the same static-buffer problem.

bigcrypt was used on DEC systems to allow for longer passwords.
You can check if your passwd file contains any of these with `cut -d: -f2 passwd-file | grep -E '^[^$].{13}'`.

Broken md5_crypt is a speciality of big-endian systems.
An early implementation of md5_crypt got the byte order wrong there and produced different crypt outputs.
Your passwd file can contain such hashes only if they were created on a big-endian system.
If an md5_crypt hash also worked on a little-endian system (up to and including libpam-pwdfile 0.99), it isn't broken md5_crypt.
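
The checks from the PASSWORD FILE and LEGACY CRYPT sections combined into one audit script. This is an added example, not part of pam_pwdfile: the function names, class labels and sample entries are constructed for illustration, and the bigcrypt test is the same heuristic as the one-liner above (a hash that does not start with $ and is longer than 13 characters).

```sh
#!/bin/sh
# Added example (not part of pam_pwdfile): classify every entry of a
# password file. Prints one "user<TAB>class" line per entry.
audit_pwdfile() {
    awk -F: '
        /^[ \t]*$/ { next }                         # skip blank lines
        NF < 2     { print $1 "\tmalformed"; next } # no password field
        {
            h = $2                                  # fields after the 2nd are optional
            if (h == "")              cls = "empty"
            else if (h ~ /^\$1\$/)    cls = "md5_crypt"  # review: created on big-endian?
            else if (h ~ /^\$/)       cls = "modular"    # other $id$ scheme
            else if (length(h) == 13) cls = "des_crypt"  # traditional crypt
            else if (length(h) > 13)  cls = "bigcrypt"   # same test as ^[^$].{13}
            else                      cls = "malformed"
            print $1 "\t" cls
        }
    ' "$1"
}

# Succeeds (exit 0) when at least one entry looks like bigcrypt, i.e. an
# entry that only verifies with the legacy_crypt option enabled.
has_bigcrypt() {
    audit_pwdfile "$1" |
        awk -F'\t' '$2 == "bigcrypt" { found = 1 } END { exit !found }'
}

# Constructed sample entries; the hash strings are placeholders, not real hashes.
sample_pwdfile() {
    cat <<'EOF'
alice:$6$constructedsalt$constructedhash:optional comment field
bob:$1$constructed$constructedhash
carol:abcdefghijklm
dave:abcdefghijklmnopqrstuvwx

erin:
frank
EOF
}

tmp=$(mktemp)
sample_pwdfile > "$tmp"
audit_pwdfile "$tmp"
if has_bigcrypt "$tmp"; then
    echo "bigcrypt entries present: re-hash them or enable legacy_crypt"
fi
rm -f "$tmp"
```

Entries reported as md5_crypt are listed separately so their origin can be checked against the big-endian condition described above.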
55