1 .\" Copyright (c) 2001 Mark R V Murray
2 .\" All rights reserved.
3 .\" Copyright (c) 2001 Networks Associates Technology, Inc.
4 .\" All rights reserved.
6 .\" This software was developed for the FreeBSD Project by ThinkSec AS and
7 .\" NAI Labs, the Security Research Division of Network Associates, Inc.
8 .\" under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
9 .\" DARPA CHATS research program.
11 .\" Redistribution and use in source and binary forms, with or without
12 .\" modification, are permitted provided that the following conditions
14 .\" 1. Redistributions of source code must retain the above copyright
15 .\" notice, this list of conditions and the following disclaimer.
16 .\" 2. Redistributions in binary form must reproduce the above copyright
17 .\" notice, this list of conditions and the following disclaimer in the
18 .\" documentation and/or other materials provided with the distribution.
19 .\" 3. The name of the author may not be used to endorse or promote
20 .\" products derived from this software without specific prior written
23 .\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
24 .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25 .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26 .\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
27 .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28 .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29 .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30 .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31 .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
35 .\" $FreeBSD: src/lib/libpam/modules/pam_unix/pam_unix.8,v 1.13 2007/03/27 09:59:15 yar Exp $
36 .\" $DragonFly: src/lib/pam_module/pam_unix/pam_unix.8,v 1.1 2005/08/01 16:15:19 joerg Exp $
53 authentication service module for PAM,
55 provides functionality for three PAM categories:
57 account management, and password management.
60 parameter, they are the
66 It also provides a null function for session management.
67 .Ss Ux Ss Authentication Module
70 authentication component
71 provides functions to verify the identity of a user
72 .Pq Fn pam_sm_authenticate ,
73 which obtains the relevant
76 It prompts the user for a password
77 and verifies that this is correct with
80 The following options may be passed to the authentication module:
81 .Bl -tag -width ".Cm use_first_pass"
84 debugging information at
88 If the authentication module
89 is not the first in the stack,
91 obtained the user's password,
93 to authenticate the user.
95 the authentication module returns failure
96 without prompting the user for a password.
97 This option has no effect
98 if the authentication module
99 is the first in the stack,
100 or if no previous modules
101 obtained the user's password.
102 .It Cm try_first_pass
103 This option is similar to the
106 except that if the previously obtained password fails,
107 the user is prompted for another password.
109 This option will require the user
110 to authenticate himself as the user
113 not as the account they are attempting to access.
114 This is primarily for services like
116 where the user's ability to retype
118 might be deemed sufficient.
120 If the password database
122 for the entity being authenticated,
124 will forgo password prompting,
125 and silently allow authentication to succeed.
127 Use only the local password database,
128 even if NIS is in use.
129 This will cause an authentication failure
130 if the system is configured
133 Use only the NIS password database.
134 This will cause an authentication failure
135 if the system is not configured
138 .Ss Ux Ss Account Management Module
141 account management component
142 provides a function to perform account management,
143 .Fn pam_sm_acct_mgmt .
144 The function verifies
145 that the authenticated user
146 is allowed to log into the local user account
147 by checking the following criteria:
148 .Bl -dash -offset indent
150 locked status of the account compatible with
154 the password expiry date from
158 restrictions on the remote host, login time, and tty.
161 The following options may be passed to the management module:
162 .Bl -tag -width ".Cm use_first_pass"
165 debugging information at
169 .Ss Ux Ss Password Management Module
172 password management component
173 provides a function to perform password management,
174 .Fn pam_sm_chauthtok .
178 The following options may be passed to the password module:
179 .Bl -tag -width ".Cm use_first_pass"
182 debugging information at
186 suppress warning messages to the user.
187 These messages include
188 reasons why the user's
189 authentication attempt was declined.
191 forces the password module
192 to change a local password
193 in favour of a NIS one.
195 forces the password module
196 to change a NIS password
197 in favour of a local one.
200 .Bl -tag -width ".Pa /etc/master.passwd" -compact
201 .It Pa /etc/master.passwd
212 .Xr nsswitch.conf 5 ,