.\" $NetBSD: pam_unix.8,v 1.8 2005/02/26 15:59:34 thorpej Exp $
.\" Copyright (c) 2001 Mark R V Murray
.\" All rights reserved.
.\" Copyright (c) 2001 Networks Associates Technology, Inc.
.\" All rights reserved.
.\"
.\" This software was developed for the FreeBSD Project by ThinkSec AS and
.\" NAI Labs, the Security Research Division of Network Associates, Inc.
.\" under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
.\" DARPA CHATS research program.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\" 3. The name of the author may not be used to endorse or promote
.\"    products derived from this software without specific prior written
.\"    permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $FreeBSD: src/lib/libpam/modules/pam_unix/pam_unix.8,v 1.11 2005/01/21 10:44:10 ru Exp $
.\"
.Dd February 26, 2005
.Dt PAM_UNIX 8
.Os
.Sh NAME
.Nm pam_unix
.Nd UNIX PAM module
.Sh SYNOPSIS
.Op Ar service-name
.Ar module-type
.Ar control-flag
.Pa pam_unix
.Op Ar options
.Sh DESCRIPTION
The
.Ux
authentication service module for PAM
provides functionality for two PAM categories:
authentication
and account management.
In terms of the
.Ar module-type
parameter, they are the
.Dq Li auth
and
.Dq Li account
features.
It also provides a null function for session management.
.Ss Ux Ss Authentication Module
The
.Ux
authentication component
provides functions to verify the identity of a user
.Pq Fn pam_sm_authenticate ,
which obtains the relevant
.Xr passwd 5
entry.
It prompts the user for a password
and verifies that this is correct with
.Xr crypt 3 .
.Pp
The following options may be passed to the authentication module:
.Bl -tag -width ".Cm use_first_pass"
.It Cm debug
.Xr syslog 3
debugging information at
.Dv LOG_DEBUG
level.
.It Cm use_first_pass
If the authentication module
is not the first in the stack,
and a previous module
obtained the user's password,
that password is used
to authenticate the user.
If this fails,
the authentication module returns failure
without prompting the user for a password.
This option has no effect
if the authentication module
is the first in the stack,
or if no previous modules
obtained the user's password.
.It Cm try_first_pass
This option is similar to the
.Cm use_first_pass
option,
except that if the previously obtained password fails,
the user is prompted for another password.
.It Cm auth_as_self
This option will require the user
to authenticate himself as the user
given by
.Xr getlogin 2 ,
not as the account they are attempting to access.
This is primarily for services like
.Xr su 1 ,
where the user's ability to retype
their own password
might be deemed sufficient.
.It Cm nullok
If the password database
has no password
for the entity being authenticated,
then this option
will forgo password prompting,
and silently allow authentication to succeed.
.\" XXX This is not currently implemented.  It's debatable whether or not
.\" XXX it should be.
.\" .It Cm passwd_db Ns = Ns Ar name
.\" Use only the specified password database.
.\" Valid password database names are:
.\" .Bl -tag -width files
.\" .It files
.\" local password file
.\" .It nis
.\" NIS password database
.\" .El
.\" .Pp
.\" If the user does not exist in the specified password database or if the
.\" system is not configured to use the specified password database, an
.\" authentication failure will occur.
.El
.Ss Ux Ss Account Management Module
The
.Ux
account management component
provides a function to perform account management,
.Fn pam_sm_acct_mgmt .
The function verifies
that the authenticated user
is allowed to log in to the local user account
by checking the password expiry date.
.Pp
The following options may be passed to the management module:
.Bl -tag -width ".Cm use_first_pass"
.It Cm debug
.Xr syslog 3
debugging information at
.Dv LOG_DEBUG
level.
.El
.Ss Ux Ss Password Management Module
The
.Ux
password management component
provides a function to perform password management,
.Fn pam_sm_chauthtok .
The function changes
the user's password.
.Pp
The following options may be passed to the password module:
.Bl -tag -width ".Cm use_first_pass"
.It Cm debug
.Xr syslog 3
debugging information at
.Dv LOG_DEBUG
level.
.It Cm no_warn
Suppress warning messages to the user.
These messages include
reasons why the user's
authentication attempt was declined.
.It Cm passwd_db Ns = Ns Ar name
Change the user's password only in the specified password database.
Valid password database names are:
.Bl -tag -width files
.It files
local password file
.It nis
NIS password database
.El
.El
.Sh FILES
.Bl -tag -width ".Pa /etc/master.passwd" -compact
.It Pa /etc/master.passwd
default
.Ux
password database.
.El
.Sh SEE ALSO
.Xr passwd 1 ,
.Xr getlogin 2 ,
.Xr crypt 3 ,
.Xr getpwent 3 ,
.Xr syslog 3 ,
.Xr nsswitch.conf 5 ,
.Xr passwd 5 ,
.Xr nis 8 ,
.Xr pam 8
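.Sh EXAMPLES
The Python script below is an added example, not code from the
.Nm
module or its authors.
It parses rules in the SYNOPSIS layout and reports authentication rules that set
.Cm nullok ,
that set
.Cm auth_as_self
for a service other than su, or that set
.Cm use_first_pass
while first in the stack.
The sample rules, the module paths in them and the su-only policy are constructed assumptions.

```python
import os.path

MODULE_TYPES = {"auth", "account", "session", "password"}

# Constructed pam.conf-style sample (service-name column present); not from a real host.
SAMPLE = """
sshd   auth     required    pam_unix.so  use_first_pass nullok
sshd   account  required    pam_unix.so
su     auth     sufficient  pam_rootok.so
su     auth     required    pam_unix.so  auth_as_self try_first_pass
login  auth     required    /usr/lib/security/pam_unix.so.0  auth_as_self
"""

def parse(text, service=None):
    """Yield (service, module_type, control_flag, module, options) per rule."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        # pam.d-style files omit the service-name column; take it from the caller.
        svc = service if fields[0] in MODULE_TYPES else fields.pop(0)
        if len(fields) < 3 or fields[0] not in MODULE_TYPES:
            continue
        module = os.path.basename(fields[2]).split(".")[0]
        yield svc, fields[0], fields[1], module, fields[3:]

def audit(text, service=None):
    """Return (service, option, reason) findings for pam_unix auth rules."""
    findings, seen = [], {}
    for svc, mtype, _control, module, opts in parse(text, service):
        if mtype != "auth":
            continue
        seen[svc] = seen.get(svc, 0) + 1  # position in this service's auth stack
        if module != "pam_unix":
            continue
        if "nullok" in opts:
            findings.append((svc, "nullok",
                             "accounts with no password authenticate without a prompt"))
        # Assumption of this example: only su-like services should use auth_as_self.
        if "auth_as_self" in opts and svc != "su":
            findings.append((svc, "auth_as_self",
                             "caller's own password is accepted for the target account"))
        if "use_first_pass" in opts and seen[svc] == 1:
            findings.append((svc, "use_first_pass",
                             "no effect: pam_unix is first in the auth stack"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("%s: %s (%s)" % finding)
```

For a pam.d-style file, pass the service as the second argument, since those files carry no service-name column.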