unixdev.net


Switch to SpeakEasy.net DSL

The Modular Manual Browser

Home Page
Manual: (SunOS-5.9)
Page:
Section:
Apropos / Subsearch:
optional field



Standards, Environments, and Macros                   pam_unix(5)



NAME
     pam_unix - authentication, account,  session,  and  password
     management PAM modules for UNIX

SYNOPSIS
     /usr/lib/security/pam_unix.so.1

DESCRIPTION
     The      UNIX      service       module       for       PAM,
     /usr/lib/security/pam_unix.so.1,  provides functionality for
     all four PAM modules:  authentication,  account  management,
     session    management    and    password   management.   The
     pam_unix.so.1 module is a shared object that can be  dynami-
     cally  loaded  to  provide  the necessary functionality upon
     demand. Its path is specified in the PAM configuration file.

  UNIX Authentication Module
     The UNIX authentication component provides functions to ver-
     ify  the  identity of a user, (pam_sm_authenticate()) and to
     set   user    specific    credentials    (pam_sm_setcred()).
     pam_sm_authenticate()  compares  the  user  entered password
     with the password from the UNIX password database.   If  the
     passwords match, the user is authenticated. If the user also
     has secure RPC credentials and the secure  RPC  password  is
     the  same  as the UNIX password, then the secure RPC creden-
     tials are also obtained.

     The following options may be  passed  to  the  UNIX  service
     module:

     debug syslog(3C) debugging information at  LOG_DEBUG level.

     nowarn
           Turn off warning messages.

     use_first_pass
           It compares the password in the password database with
           the  user's  initial  password  (entered when the user
           authenticated to the first  authentication  module  in
           the  stack).   If the passwords do not match, or if no
           password has been  entered,  it  quits  and  does  not
           prompt  the  user for a password.   This option should
           only be used if the authentication service  is  desig-
           nated as optional in the pam.conf configuration file.

     try_first_pass
           It compares the password in the password database with
           the  user's  initial  password  (entered when the user
           authenticated to the first  authentication  module  in
           the  stack).   If the passwords do not match, or if no
           password has been entered, prompt the user for a pass-
           word.  When  prompting  for  the current password, the



SunOS 5.9           Last change: 11 Dec 2001                    1






Standards, Environments, and Macros                   pam_unix(5)



           UNIX authentication module will use the prompt, "pass-
           word:" unless one of the following scenarios occur:


           1. The option  try_first_pass  is  specified  and  the
              password  entered for the first module in the stack
              fails for the UNIX module.

           2. The option  try_first_pass is  not  specified,  and
              the  earlier  authentication  modules listed in the
              pam.conf file have prompted the user for the  pass-
              word.

           In these two cases,  the  UNIX  authentication  module
           will   use   the   prompt   "SYSTEM   password:".  The
           pam_sm_setcred() function sets user  specific  creden-
           tials. If the user had secure RPC credentials, but the
           secure RPC password was not the same as the UNIX pass-
           word,  then  a warning message is printed. If the user
           wants to get secure RPC credentials, then  keylogin(1)
           needs to be run.

  UNIX Account Management Module
     The UNIX account management component provides a function to
     perform account management, pam_sm_acct_mgmt(). The function
     retrieves the user's password entry from the  UNIX  password
     database  and  verifies that the user's account and password
     have not expired. The following options may be passed in  to
     the UNIX service module:

     debug syslog(3C) debugging information at  LOG_DEBUG level.

     nowarn
           Turn off warning messages.

  UNIX Session Management Module
     The UNIX session management component provides functions  to
     initiate       pam_sm_open_session()      and      terminate
     pam_sm_close_session()    UNIX    sessions.    For     UNIX,
     pam_open_session  updates  the  /var/adm/lastlog  file.  The
     account management module reads this file to  determine  the
     previous  time the user logged in. The following options may
     be passed in to the UNIX service module:

     debug syslog(3C) debugging information at  LOG_DEBUG level.

     nowarn
           Turn off warning messages. pam_close_session is a null
           function.

  UNIX Password Management Module




SunOS 5.9           Last change: 11 Dec 2001                    2






Standards, Environments, and Macros                   pam_unix(5)



     The UNIX password management component provides  a  function
     to  change passwords pam_sm_chauthtok() in the UNIX password
     database. This module must be required in pam.conf. It  can-
     not  be optional or sufficient. The following options may be
     passed in to the UNIX service module:

     debug syslog(3C) Debugging information at  LOG_DEBUG level.

     nowarn
           Turn off warning messages.

     use_first_pass
           It compares the password in the password database with
           the user's old password (entered to the first password
           module in the stack). If the passwords do  not  match,
           or  if no password has been entered, it quits and does
           not prompt the user for the  old  password.   It  also
           attempts to use the new password (entered to the first
           password module in the stack) as the new password  for
           this  module.  If the new password fails, it quits and
           does not prompt the user for a new password.

     try_first_pass
           It compares the password in the password database with
           the user's old password (entered to the first password
           module in the stack). If the passwords do  not  match,
           or  if  no  password  has been entered, it prompts the
           user for the old password.  It also  attempts  to  use
           the new password (entered to the first password module
           in the stack) as the new password for this module.  If
           the  new password fails, it prompts the user for a new
           password. If the user's password has expired, the UNIX
           account module saves this information in the authenti-
           cation handle  using  pam_set_data(),  with  a  unique
           name,  SUNW_UNIX_AUTHOK_DATA. The UNIX password module
           retrieves this  information  from  the  authentication
           handle  using  pam_get_data()  to determine whether or
           not to force the user to update the user's password.

ATTRIBUTES
     See attributes(5) for description of  the  following  attri-
     butes:

     ____________________________________________________________
    |       ATTRIBUTE TYPE        |       ATTRIBUTE VALUE       |
    | MT Level                    | MT-Safe with exceptions     |
    |_____________________________|_____________________________|


SEE ALSO
     keylogin(1),       pam(3PAM),        pam_authenticate(3PAM),
     pam_setcred(3PAM),  syslog(3C),  libpam(3LIB),  pam.conf(4),



SunOS 5.9           Last change: 11 Dec 2001                    3






Standards, Environments, and Macros                   pam_unix(5)



     attributes(5),   pam_authtok_check(5),   pam_authtok_get(5),
     pam_authtok_store(5),   pam_dhkeys(5),   pam_passwd_auth(5),
     pam_unix_account(5), pam_unix_auth(5), pam_unix_session(5)

NOTES
     The interfaces in libpam(3LIB)  are  MT-Safe  only  if  each
     thread  within  the  multi-threaded application uses its own
     PAM handle.

     The pam_unix(5) module might not be supported  in  a  future
     release.    Similar    functionality    is    provided    by
     pam_authtok_check(5),                    pam_authtok_get(5),
     pam_authtok_store(5),   pam_dhkeys(5),   pam_passwd_auth(5),
     pam_unix_account(5),          pam_unix_auth(5),          and
     pam_unix_session(5).








































SunOS 5.9           Last change: 11 Dec 2001                    4