pam_unix(5)

NAME
pam_unix - authentication, account, session, and password management
PAM modules for UNIX

SYNOPSIS

DESCRIPTION
The UNIX service module for PAM provides functionality for all four
PAM module types: authentication, account management, session
management and password management.
The module is a shared object that can be dynamically loaded to provide
the necessary functionality upon demand.
For an interpretation of the module path, please refer to the related
information in pam.conf(4).
Unix Authentication Module
The UNIX authentication component provides functions to verify the
identity of a user and to set user-specific credentials. The
authentication function compares the password entered by the user (or
the password retrieved from the user's smart card) with the password
from the UNIX password database, including the protected password
database on trusted systems. If the passwords match, the user is
authenticated. If the user also has secure RPC credentials and the
secure RPC password is the same as the UNIX password, the secure RPC
credentials are obtained as well.
The following options may be passed to the UNIX service module:
syslog(3C) debugging information at level.
Turn off warning messages.
With this option, the module compares the password in the password
database with the user's initial password (entered when the user
authenticated to the first authentication module in the stack). If the
passwords do not match, or if no password has been entered, it quits
and does not prompt the user for a password. This option should only
be used if the authentication service is designated as optional in the
configuration file.
With this option, the module compares the password in the password
database with the user's initial password (entered when the user
authenticated to the first authentication module in the stack). If the
passwords do not match, or if no password has been entered, it prompts
the user for a password.
psd stands for personal security device; in the current implementation
the only such device is the smart card. With this option, the module
compares the password in the password database with the password
stored on the user's smart card, and the PAM Framework prompt "Enter
PIN:" is used instead of the password prompt. This option is only
supported for the authentication and password module types (auth,
password) in the PAM configuration files.
When prompting for the current password, the UNIX authentication module
uses the prompt "Password:" unless one of the following scenarios
occurs:
1. The option is specified and the password entered for the
   first module in the stack fails for the UNIX module.
2. The option is not specified, and the earlier authentication
   modules listed in the file have prompted the user for the
   password.
3. The option is specified. In this case, the UNIX authentication
   module uses the prompt "Enter PIN:".
In cases 1 and 2, the UNIX authentication module uses the prompt
"System Password:".
The credential-setting function sets user-specific credentials. If the
user has secure RPC credentials but the secure RPC password is not the
same as the UNIX password, a warning message is printed. To obtain
secure RPC credentials in that case, the user must run keylogin(1).
Unix Account Management Module
The UNIX account management component provides a function to perform
account management. This function retrieves the user's password entry
from the UNIX password database and verifies that neither the user's
account nor the user's password has expired. For trusted systems, it
also validates the allowed access time and access terminal based upon
the security configuration. The following options may be passed in to
the UNIX service module:
syslog(3C) debugging information at level.
Turn off warning messages.
Unix Session Management Module
The UNIX session management component provides functions to initiate
and terminate UNIX sessions. The session-opening function updates the
last successful or unsuccessful login time in the protected password
database in trusted mode. The account management module reads this
information to display the time of the user's previous login.
The following options may be passed in to the UNIX service module:
syslog(3C) debugging information at level.
Turn off warning messages.
The session-closing function is a NULL function.
Unix Password Management Module
The UNIX password management component provides a function to change
passwords in the UNIX password database. This module must be in It can
not be or The following options may be passed in to the UNIX service
module:
syslog(3C) debugging information at level.
Turn off warning messages.
With this option, the module compares the password in the password
database with the user's old password (entered to the first password
module in the stack). If the passwords do not match, or if no password
has been entered, it quits and does not prompt the user for the old
password. It also attempts to use the new password (entered to the
first password module in the stack) as the new password for this
module. If the new password fails, it quits and does not prompt the
user for a new password.
With this option, the module compares the password in the password
database with the user's old password (entered to the first password
module in the stack). If the passwords do not match, or if no password
has been entered, it prompts the user for the old password. It also
attempts to use the new password (entered to the first password module
in the stack) as the new password for this module. If the new password
fails, it prompts the user for a new password.
With this option, the module prompts the user for the PIN (with the
PIN, the PAM Framework can retrieve a password from the smart card),
and the old password is retrieved from the smart card. It compares the
password in the password database with the user's old password. If the
passwords match, it prompts the user for a new password.
If the user's password has expired, the UNIX account module saves this
information in the authentication handle; the UNIX password module
later retrieves it from the authentication handle to determine whether
or not to force the user to update their password.
APPLICATION USAGE
On trusted systems, the interfaces implemented in the UNIX service
module are not thread-safe; otherwise, they are thread-safe. A
cancellation point may occur while a thread is executing any of these
interfaces. They are not cancel-safe, async-cancel-safe, nor
async-signal-safe.
WARNINGS
HP-UX 11i Version 3 is the last release to support trusted systems
functionality.
SEE ALSO
keylogin(1), pam(3), pam_authenticate(3), pam_setcred(3), syslog(3C),
nsswitch.conf(4), pam.conf(4), pam_user.conf(4).