Name            Date         Size     #Lines  LOC
..              03-May-2022  -
INSTALL         29-Sep-2013  278      8       7
Makefile        29-Sep-2013  943      38      25
README          29-Sep-2013  2.1 KiB  55      36
_pam_macros.h   03-May-2022  6 KiB    197     144
bigcrypt.c      29-Sep-2013  2.3 KiB  75      29
bigcrypt.h      29-Sep-2013  58       2       1
changelog       29-Sep-2013  8.3 KiB  268     183
md5.c           03-May-2022  7.4 KiB  238     155
md5.h           29-Sep-2013  872      32      20
md5_crypt.c     29-Sep-2013  4 KiB    148     86
pam_pwdfile.c   03-May-2022  7.5 KiB  243     162

README

This PAM module provides the authentication service using its own set of user/password pairs.

CONFIGURATION
=============

simple PAM config
-----------------

Just add to or change the PAM config file for your service so that it contains the line:

auth		required	pam_pwdfile.so pwdfile=/path/to/passwd_file

If your service does more with PAM than auth, there will be a fallback to the service "other".
If that is not what you want, you can use pam_permit.so or pam_deny.so for that:

account		required	pam_permit.so
session		required	pam_permit.so
password	required	pam_deny.so


options
-------

* pwdfile=<file>
* debug: produce a bit of debug output
* nodelay: don't tell the PAM stack to cause a delay on auth failure
* flock: use a shared (read) advisory lock on pwdfile; it is better to move new versions into place instead
* legacy_crypt: see section LEGACY CRYPT


PASSWORD FILE
=============

The password file basically looks like passwd(5): one line for each user with two or more colon-separated fields.
The first field contains the username, the second the crypt()ed password.
Other fields are optional.

crypt()ed passwords in various formats can be generated with mkpasswd from the whois package.


LEGACY CRYPT
============

There are two crypt types that are disabled by default: bigcrypt and broken md5_crypt.
They are disabled because they use static buffers, which is bad when doing PAM authentication using this module in a multithreaded server.
All the other crypt types are checked via the system's crypt_r function if available; otherwise the normal crypt function is used, with the same static-buffer problem.

bigcrypt was used on DEC systems to allow for longer passwords.
You can check if your passwd file contains any of these with `cut -d: -f2 passwd-file | egrep '^[^$].{13}'`.

Broken md5_crypt is a speciality of big-endian systems.
An early implementation of md5_crypt got the byte order wrong here and produced different crypt outputs.
You might have some of these crypt hashes in your passwd file only if you created them on a big-endian system.
If an md5_crypt hash also worked on a little-endian system (up to and including libpam-pwdfile 0.99), it isn't broken md5_crypt.
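
The egrep check from the LEGACY CRYPT section, generalized into a small audit of a whole password file (an added example, not part of pam_pwdfile): it parses entries as described under PASSWORD FILE and classifies each crypt()ed field by shape only.
The names classify, audit and needs_legacy_crypt and the sample entries are constructed for illustration.

```python
from collections import namedtuple

Entry = namedtuple("Entry", "lineno user kind")

def classify(hash_field):
    """Classify a crypt()ed password field by its shape only (no verification)."""
    if hash_field.startswith("$1$"):
        # md5_crypt: the README ties the broken variant to hashes created on
        # big-endian systems, so the origin of these entries needs review.
        return "md5_crypt"
    if hash_field.startswith("$"):
        return "modular"              # other $id$ formats, left to crypt_r/crypt
    if len(hash_field) > 13:
        return "bigcrypt_candidate"   # same rule as egrep '^[^$].{13}'
    if len(hash_field) == 13:
        return "des_crypt"            # traditional crypt output is 13 characters
    return "not_a_hash"               # empty or a placeholder such as "*"

def audit(text):
    """Parse pwdfile text: one user per line, two or more colon-separated fields."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) < 2 or not fields[0]:
            entries.append(Entry(lineno, fields[0], "malformed"))
        else:
            entries.append(Entry(lineno, fields[0], classify(fields[1])))
    return entries

def needs_legacy_crypt(entries):
    """Users whose entries look like bigcrypt, which is disabled by default."""
    return [e.user for e in entries if e.kind == "bigcrypt_candidate"]

# Constructed sample file: the hash fields only imitate the shape of each format.
SAMPLE = "\n".join([
    "alice:$6$" + "s" * 8 + "$" + "x" * 86,
    "bob:" + "a" * 13,
    "carol:" + "a" * 24 + ":optional extra field",
    "dave:$1$" + "s" * 8 + "$" + "y" * 22,
    "eve:*",
    "line-without-colon",
])

if __name__ == "__main__":
    for e in audit(SAMPLE):
        print(f"{e.lineno}: {e.user}: {e.kind}")
    print("legacy_crypt needed for:", needs_legacy_crypt(audit(SAMPLE)))
```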