1.\" Copyright (c) 2001 Mark R V Murray
2.\" All rights reserved.
| 1.\" Copyright (c) 2001 Mark R V Murray
2.\" All rights reserved.
|
3.\" Copyright (c) 2001 Networks Associates Technologies, Inc.
| 3.\" Copyright (c) 2001 Networks Associates Technology, Inc.
|
4.\" All rights reserved.
5.\"
6.\" This software was developed for the FreeBSD Project by ThinkSec AS and
7.\" NAI Labs, the Security Research Division of Network Associates, Inc.
8.\" under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
9.\" DARPA CHATS research program.
10.\"
11.\" Redistribution and use in source and binary forms, with or without
12.\" modification, are permitted provided that the following conditions
13.\" are met:
14.\" 1. Redistributions of source code must retain the above copyright
15.\" notice, this list of conditions and the following disclaimer.
16.\" 2. Redistributions in binary form must reproduce the above copyright
17.\" notice, this list of conditions and the following disclaimer in the
18.\" documentation and/or other materials provided with the distribution.
19.\" 3. The name of the author may not be used to endorse or promote
20.\" products derived from this software without specific prior written
21.\" permission.
22.\"
23.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
24.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
27.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33.\" SUCH DAMAGE.
34.\"
| 4.\" All rights reserved.
5.\"
6.\" This software was developed for the FreeBSD Project by ThinkSec AS and
7.\" NAI Labs, the Security Research Division of Network Associates, Inc.
8.\" under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
9.\" DARPA CHATS research program.
10.\"
11.\" Redistribution and use in source and binary forms, with or without
12.\" modification, are permitted provided that the following conditions
13.\" are met:
14.\" 1. Redistributions of source code must retain the above copyright
15.\" notice, this list of conditions and the following disclaimer.
16.\" 2. Redistributions in binary form must reproduce the above copyright
17.\" notice, this list of conditions and the following disclaimer in the
18.\" documentation and/or other materials provided with the distribution.
19.\" 3. The name of the author may not be used to endorse or promote
20.\" products derived from this software without specific prior written
21.\" permission.
22.\"
23.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
24.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
27.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33.\" SUCH DAMAGE.
34.\"
|
35.\" $FreeBSD: head/lib/libpam/modules/pam_unix/pam_unix.8 87525 2001-12-08 16:28:20Z ru $
| 35.\" $FreeBSD: head/lib/libpam/modules/pam_unix/pam_unix.8 92297 2002-03-14 23:27:59Z des $
|
36.\"
37.Dd November 26, 2001
38.Dt PAM_UNIX 8
39.Os
40.Sh NAME
41.Nm pam_unix
42.Nd UNIX PAM module
43.Sh SYNOPSIS
44.Op Ar service-name
45.Ar module-type
46.Ar control-flag
47.Pa pam_unix
48.Op Ar options
49.Sh DESCRIPTION
50The
51.Ux
52authentication service module for PAM,
53.Nm
54provides functionality for two PAM categories:
55authentication
56and account management.
57In terms of the
58.Ar module-type
59parameter, they are the
60.Dq Li auth
61and
62.Dq Li account
63features.
64It also provides a null function for session management.
65.Ss Ux Ss Authentication Module
66The
67.Ux
68authentication component
69provides functions to verify the identity of a user
70.Pq Fn pam_sm_authenticate ,
71which obtains the relevant
72.Xr passwd 5
73entry.
74It prompts the user for a password
75and verifies that this is correct with
76.Xr crypt 3 .
77.Pp
78The following options may be passed to the authentication module:
79.Bl -tag -width ".Cm use_first_pass"
80.It Cm debug
81.Xr syslog 3
82debugging information at
83.Dv LOG_DEBUG
84level.
85.It Cm use_first_pass
86If the authentication module
87is not the first in the stack,
88and a previous module
89obtained the user's password,
90that password is used
91to authenticate the user.
92If this fails,
93the authentication module returns failure
94without prompting the user for a password.
95This option has no effect
96if the authentication module
97is the first in the stack,
98or if no previous modules
99obtained the user's password.
100.It Cm try_first_pass
101This option is similar to the
102.Cm use_first_pass
103option,
104except that if the previously obtained password fails,
105the user is prompted for another password.
106.It Cm auth_as_self
107This option will require the user
108to authenticate themself as the user
109given by
110.Xr getlogin 2 ,
111not as the account they are attempting to access.
112This is primarily for services like
113.Xr su 1 ,
114where the user's ability to retype
115their own password
116might be deemed sufficient.
117.It Cm nullok
118If the password database
119has no password
120for the entity being authenticated,
121then this option
122will forgo password prompting,
123and silently allow authentication to succeed.
124.It Cm local_pass
125Use only the local password database,
126even if NIS is in use.
127This will cause an authentication failure
128if the system is configured
129to only use NIS.
130.It Cm nis_pass
131Use only the NIS password database.
132This will cause an authentication failure
133if the system is not configured
134to use NIS.
135.El
136.Ss Ux Ss Account Management Module
137The
138.Ux
139account management component
140provides a function to perform account management,
141.Fn pam_sm_acct_mgmt .
142The function verifies
143that the authenticated user
144is allowed to login to the local user account
145by checking the password expiry date.
146.Pp
147The following options may be passed to the management module:
148.Bl -tag -width ".Cm use_first_pass"
149.It Cm debug
150.Xr syslog 3
151debugging information at
152.Dv LOG_DEBUG
153level.
154.El
155.Ss Ux Ss Password Management Module
156The
157.Ux
158password management component
159provides a function to perform account management,
160.Fn pam_sm_chauthtok .
161The function changes
162the user's password.
163.Pp
164The following options may be passed to the password module:
165.Bl -tag -width ".Cm use_first_pass"
166.It Cm debug
167.Xr syslog 3
168debugging information at
169.Dv LOG_DEBUG
170level.
171.It Cm no_warn
172suppress warning messages to the user.
173These messages include
174reasons why the user's
175authentication attempt was declined.
176.It Cm local_pass
177forces the password module
178to change a local password
179in favour of a NIS one.
180.It Cm nis_pass
181forces the password module
182to change a NIS password
183in favour of a local one.
184.El
185.Sh FILES
186.Bl -tag -width ".Pa /etc/master.passwd" -compact
187.It Pa /etc/master.passwd
188default
189.Ux
190password database.
191.El
192.Sh SEE ALSO
193.Xr passwd 1 ,
194.Xr getlogin 2 ,
195.Xr crypt 3 ,
196.Xr getpwent 3 ,
197.Xr syslog 3 ,
198.Xr nis 4 ,
199.Xr nsswitch.conf 5 ,
200.Xr pam.conf 5 ,
201.Xr passwd 5 ,
202.Xr pam 8
| 36.\"
37.Dd November 26, 2001
38.Dt PAM_UNIX 8
39.Os
40.Sh NAME
41.Nm pam_unix
42.Nd UNIX PAM module
43.Sh SYNOPSIS
44.Op Ar service-name
45.Ar module-type
46.Ar control-flag
47.Pa pam_unix
48.Op Ar options
49.Sh DESCRIPTION
50The
51.Ux
52authentication service module for PAM,
53.Nm
54provides functionality for two PAM categories:
55authentication
56and account management.
57In terms of the
58.Ar module-type
59parameter, they are the
60.Dq Li auth
61and
62.Dq Li account
63features.
64It also provides a null function for session management.
65.Ss Ux Ss Authentication Module
66The
67.Ux
68authentication component
69provides functions to verify the identity of a user
70.Pq Fn pam_sm_authenticate ,
71which obtains the relevant
72.Xr passwd 5
73entry.
74It prompts the user for a password
75and verifies that this is correct with
76.Xr crypt 3 .
77.Pp
78The following options may be passed to the authentication module:
79.Bl -tag -width ".Cm use_first_pass"
80.It Cm debug
81.Xr syslog 3
82debugging information at
83.Dv LOG_DEBUG
84level.
85.It Cm use_first_pass
86If the authentication module
87is not the first in the stack,
88and a previous module
89obtained the user's password,
90that password is used
91to authenticate the user.
92If this fails,
93the authentication module returns failure
94without prompting the user for a password.
95This option has no effect
96if the authentication module
97is the first in the stack,
98or if no previous modules
99obtained the user's password.
100.It Cm try_first_pass
101This option is similar to the
102.Cm use_first_pass
103option,
104except that if the previously obtained password fails,
105the user is prompted for another password.
106.It Cm auth_as_self
107This option will require the user
108to authenticate themself as the user
109given by
110.Xr getlogin 2 ,
111not as the account they are attempting to access.
112This is primarily for services like
113.Xr su 1 ,
114where the user's ability to retype
115their own password
116might be deemed sufficient.
117.It Cm nullok
118If the password database
119has no password
120for the entity being authenticated,
121then this option
122will forgo password prompting,
123and silently allow authentication to succeed.
124.It Cm local_pass
125Use only the local password database,
126even if NIS is in use.
127This will cause an authentication failure
128if the system is configured
129to only use NIS.
130.It Cm nis_pass
131Use only the NIS password database.
132This will cause an authentication failure
133if the system is not configured
134to use NIS.
135.El
136.Ss Ux Ss Account Management Module
137The
138.Ux
139account management component
140provides a function to perform account management,
141.Fn pam_sm_acct_mgmt .
142The function verifies
143that the authenticated user
144is allowed to login to the local user account
145by checking the password expiry date.
146.Pp
147The following options may be passed to the management module:
148.Bl -tag -width ".Cm use_first_pass"
149.It Cm debug
150.Xr syslog 3
151debugging information at
152.Dv LOG_DEBUG
153level.
154.El
155.Ss Ux Ss Password Management Module
156The
157.Ux
158password management component
159provides a function to perform account management,
160.Fn pam_sm_chauthtok .
161The function changes
162the user's password.
163.Pp
164The following options may be passed to the password module:
165.Bl -tag -width ".Cm use_first_pass"
166.It Cm debug
167.Xr syslog 3
168debugging information at
169.Dv LOG_DEBUG
170level.
171.It Cm no_warn
172suppress warning messages to the user.
173These messages include
174reasons why the user's
175authentication attempt was declined.
176.It Cm local_pass
177forces the password module
178to change a local password
179in favour of a NIS one.
180.It Cm nis_pass
181forces the password module
182to change a NIS password
183in favour of a local one.
184.El
185.Sh FILES
186.Bl -tag -width ".Pa /etc/master.passwd" -compact
187.It Pa /etc/master.passwd
188default
189.Ux
190password database.
191.El
192.Sh SEE ALSO
193.Xr passwd 1 ,
194.Xr getlogin 2 ,
195.Xr crypt 3 ,
196.Xr getpwent 3 ,
197.Xr syslog 3 ,
198.Xr nis 4 ,
199.Xr nsswitch.conf 5 ,
200.Xr pam.conf 5 ,
201.Xr passwd 5 ,
202.Xr pam 8
|