.\" Copyright (c) 2001 Mark R V Murray
.\" All rights reserved.
.\" Copyright (c) 2001 Networks Associates Technology, Inc.
.\" All rights reserved.
.\"
.\" This software was developed for the FreeBSD Project by ThinkSec AS and
.\" NAI Labs, the Security Research Division of Network Associates, Inc.
.\" under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
.\" DARPA CHATS research program.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\" 3. The name of the author may not be used to endorse or promote
.\"    products derived from this software without specific prior written
.\"    permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $FreeBSD$
.\"
.Dd March 27, 2007
.Dt PAM_UNIX 8
.Os
.Sh NAME
.Nm pam_unix
.Nd UNIX PAM module
.Sh SYNOPSIS
.Op Ar service-name
.Ar module-type
.Ar control-flag
.Pa pam_unix
.Op Ar options
.Sh DESCRIPTION
The
.Ux
authentication service module for PAM,
.Nm
provides functionality for three PAM categories:
authentication,
account management, and password management.
In terms of the
.Ar module-type
parameter, they are the
.Dq Li auth ,
.Dq Li account ,
and
.Dq Li password
features.
It also provides a null function for session management.
.Ss Ux Ss Authentication Module
The
.Ux
authentication component
provides functions to verify the identity of a user
.Pq Fn pam_sm_authenticate ,
which obtains the relevant
.Xr passwd 5
entry.
It prompts the user for a password
and verifies that this is correct with
.Xr crypt 3 .
.Pp
The following options may be passed to the authentication module:
.Bl -tag -width ".Cm use_first_pass"
.It Cm debug
.Xr syslog 3
debugging information at
.Dv LOG_DEBUG
level.
.It Cm use_first_pass
If the authentication module
is not the first in the stack,
and a previous module
obtained the user's password,
that password is used
to authenticate the user.
If this fails,
the authentication module returns failure
without prompting the user for a password.
This option has no effect
if the authentication module
is the first in the stack,
or if no previous modules
obtained the user's password.
.It Cm try_first_pass
This option is similar to the
.Cm use_first_pass
option,
except that if the previously obtained password fails,
the user is prompted for another password.
.It Cm auth_as_self
This option will require the user
to authenticate themselves as the user
given by
.Xr getlogin 2 ,
not as the account they are attempting to access.
This is primarily for services like
.Xr su 1 ,
where the user's ability to retype
their own password
might be deemed sufficient.
.It Cm nullok
If the password database
has no password
for the entity being authenticated,
then this option
will forgo password prompting,
and silently allow authentication to succeed.
.It Cm local_pass
Use only the local password database,
even if NIS is in use.
This will cause an authentication failure
if the system is configured
to only use NIS.
.It Cm nis_pass
Use only the NIS password database.
This will cause an authentication failure
if the system is not configured
to use NIS.
.El
.Ss Ux Ss Account Management Module
The
.Ux
account management component
provides a function to perform account management,
.Fn pam_sm_acct_mgmt .
The function verifies
that the authenticated user
is allowed to log into the local user account
by checking the following criteria:
.Bl -dash -offset indent
.It
locked status of the account compatible with
.Xr pw 8
.Cm lock ;
.It
the password expiry date from
.Xr passwd 5 ;
.It
.Xr login.conf 5
restrictions on the remote host, login time, and tty.
.El
.Pp
The following options may be passed to the management module:
.Bl -tag -width ".Cm use_first_pass"
.It Cm debug
.Xr syslog 3
debugging information at
.Dv LOG_DEBUG
level.
.El
.Ss Ux Ss Password Management Module
The
.Ux
password management component
provides a function to perform password management,
.Fn pam_sm_chauthtok .
The function changes
the user's password.
.Pp
The following options may be passed to the password module:
.Bl -tag -width ".Cm use_first_pass"
.It Cm debug
.Xr syslog 3
debugging information at
.Dv LOG_DEBUG
level.
.It Cm no_warn
Suppress warning messages to the user.
These messages include
reasons why the user's
authentication attempt was declined.
.It Cm local_pass
Forces the password module
to change a local password
rather than a NIS one.
.It Cm nis_pass
Forces the password module
to change a NIS password
rather than a local one.
.El
.Sh FILES
.Bl -tag -width ".Pa /etc/master.passwd" -compact
.It Pa /etc/master.passwd
default
.Ux
password database.
.El
.Sh SEE ALSO
.Xr passwd 1 ,
.Xr getlogin 2 ,
.Xr crypt 3 ,
.Xr getpwent 3 ,
.Xr syslog 3 ,
.Xr nsswitch.conf 5 ,
.Xr passwd 5 ,
.Xr pam 8 ,
.Xr pw 8 ,
.Xr yp 8
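.Sh EXAMPLES
An added example, not part of the original manual page or of the pam_unix source: a small Python audit that parses PAM rules in the layout given in the SYNOPSIS and reports pam_unix options described above that deserve review in a stack. The function names, finding labels and sample rules are constructed for illustration; simple one-word control flags are assumed, and treating local_pass together with nis_pass as a conflict is this example's own reading of the two "use only" descriptions.

```python
import os

MODULE_TYPES = {"auth", "account", "session", "password"}

def parse_rule(line):
    """Parse '[service-name] module-type control-flag module [options]'."""
    fields = line.split("#", 1)[0].split()
    service = None
    if fields and fields[0] not in MODULE_TYPES:  # pam.conf layout: service first
        service, fields = fields[0], fields[1:]
    if len(fields) < 3 or fields[0] not in MODULE_TYPES:
        return None
    module = os.path.basename(fields[2]).split(".so", 1)[0]  # pam_unix.so.N -> pam_unix
    return service, fields[0], fields[1], module, set(fields[3:])

def audit(text):
    """Return (line number, label) findings; labels are this example's own."""
    findings, auth_seen = [], set()
    for lineno, line in enumerate(text.splitlines(), 1):
        rule = parse_rule(line)
        if rule is None:
            continue
        service, mtype, _control, module, opts = rule
        first_auth = mtype == "auth" and service not in auth_seen
        if mtype == "auth":
            auth_seen.add(service)
        if module != "pam_unix":
            continue
        if mtype == "auth":
            if "nullok" in opts:  # empty password entry authenticates silently
                findings.append((lineno, "nullok"))
            if "auth_as_self" in opts:  # checks the getlogin(2) user's password
                findings.append((lineno, "auth_as_self"))
            if first_auth and "use_first_pass" in opts:  # documented as no effect
                findings.append((lineno, "use_first_pass-first-in-stack"))
        # Assumption of this example: the two "use only" options contradict.
        if mtype in ("auth", "password") and {"local_pass", "nis_pass"} <= opts:
            findings.append((lineno, "local_pass+nis_pass"))
    return findings

# Constructed sample in /etc/pam.d layout (no service-name column).
SAMPLE = """\
auth      required  pam_unix.so  use_first_pass nullok
account   required  pam_unix.so
password  required  pam_unix.so  no_warn local_pass nis_pass
"""

if __name__ == "__main__":
    for lineno, label in audit(SAMPLE):
        print(f"line {lineno}: {label}")
```

Each finding is a prompt for review rather than a verdict: auth_as_self, for instance, is the documented behaviour for services like su.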