
pam_unix_auth(5)      Standards, Environments, and Macros     pam_unix_auth(5)



NAME
       pam_unix_auth - PAM authentication module for UNIX

SYNOPSIS
       pam_unix_auth.so.1

DESCRIPTION
       The pam_unix_auth module implements pam_sm_authenticate(), which
       provides functionality to the PAM authentication stack. It provides
       functions to verify that the password contained in the PAM item
       PAM_AUTHTOK is the correct password for the user specified in the
       item PAM_USER. If PAM_REPOSITORY is specified, then the user's
       password is fetched from that repository. Otherwise, the default
       nsswitch.conf(4) repository is searched for that user. For accounts
       in the name services which support automatic account locking, the
       account may be configured to be automatically locked (see
       user_attr(4) and policy.conf(4)) after multiple failed login
       attempts. If the number of successive failures equals or exceeds
       RETRIES, the account is locked and PAM_MAXTRIES is returned.
       Currently, only the "files" repository (see passwd(4) and shadow(4))
       supports automatic account locking. A successful authentication by
       this module clears the failed login counter and reports the number
       of failed attempts since the last successful authentication.

       Authentication service modules must implement both
       pam_sm_authenticate() and pam_sm_setcred(). To allow replaceability
       of the authentication portion of UNIX authentication,
       pam_sm_setcred() in this module always returns PAM_IGNORE. This
       module should be stacked with pam_unix_cred(5) to ensure a
       successful return from pam_setcred(3PAM).

       The following options can be passed to the module:

       nowarn          Turn off warning messages.



       server_policy   If  the account authority for the user, as specified by
                       PAM_USER, is a server, do not  apply  the  Unix  policy
                       from the passwd entry in the name service switch.



       nolock          Regardless of the automatic account locking setting for
                       the account, do not  lock  the  account,  increment  or
                       clear  the failed login count. The nolock option allows
                       for exempting account locking on a per service basis.
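
       The stacking requirement and the nolock option described above can
       be checked mechanically. The following is an added example, not part
       of the original manual page or of Solaris: the function name audit(),
       the finding strings, and the sample stack are constructed, and
       entries are assumed to follow the pam.conf(4) field order.

```python
import os

NO_CRED = "pam_unix_auth stacked without pam_unix_cred"
NOLOCK = "nolock set: failed logins are not counted or locked here"

# Constructed sample in pam.conf(4) field order:
# service_name module_type control_flag module_path [options]
SAMPLE = """\
# constructed sample, not taken from a real host
login  auth requisite  pam_authtok_get.so.1
login  auth required   pam_unix_cred.so.1
login  auth required   pam_unix_auth.so.1
ftp    auth required   /usr/lib/security/pam_unix_auth.so.1 nolock
other  auth required   pam_unix_cred.so.1
other  auth required   pam_unix_auth.so.1 server_policy
"""


def audit(text):
    """Return sorted (service, finding) pairs for auth stacks using pam_unix_auth."""
    stacks = {}  # service -> [(module file name, options), ...]
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 4 or fields[1] != "auth":
            continue  # blank, comment, malformed, or not an auth entry
        service, path, opts = fields[0], fields[3], fields[4:]
        stacks.setdefault(service, []).append((os.path.basename(path), opts))

    findings = set()
    for service, entries in stacks.items():
        modules = {module for module, _ in entries}
        for module, opts in entries:
            if module != "pam_unix_auth.so.1":
                continue
            if "pam_unix_cred.so.1" not in modules:
                findings.add((service, NO_CRED))
            if "nolock" in opts:
                findings.add((service, NOLOCK))
    return sorted(findings)


if __name__ == "__main__":
    for service, finding in audit(SAMPLE):
        print(f"{service}: {finding}")
```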



ERRORS
       The following error codes are returned from pam_sm_authenticate():

       PAM_AUTH_ERR

           Authentication failure.



       PAM_BUF_ERR

           Memory buffer error.



       PAM_IGNORE

           Ignores module, not participating in result.



       PAM_MAXTRIES

           Maximum number of retries exceeded.



       PAM_PERM_DENIED

           Permission denied.



       PAM_SUCCESS

           Successfully obtains authentication token.



       PAM_SYSTEM_ERR

           System error.



       PAM_USER_UNKNOWN

           No account present for user.



       The following error codes are returned from pam_sm_setcred():

       PAM_IGNORE

           Ignores this module regardless of the control flag.



ATTRIBUTES
       See attributes(5) for descriptions of the following attributes:


       ATTRIBUTE TYPE               ATTRIBUTE VALUE
       Interface Stability          Evolving
       MT Level                     MT-Safe with exceptions


SEE ALSO
       login(1), passwd(1), useradd(1M), usermod(1M), roleadd(1M),
       rolemod(1M), libpam(3LIB), pam(3PAM), pam_authenticate(3PAM),
       pam_setcred(3PAM), syslog(3C), pam.conf(4), passwd(4),
       policy.conf(4), nsswitch.conf(4), shadow(4), user_attr(4),
       attributes(5), pam_authtok_check(5), pam_authtok_get(5),
       pam_authtok_store(5), pam_dhkeys(5), pam_passwd_auth(5),
       pam_unix_account(5), pam_unix_session(5)

NOTES
       The  interfaces  in libpam(3LIB) are MT-Safe only if each thread within
       the multi-threaded application uses its own PAM handle.

       The pam_unix(5) module is no longer supported. Similar functionality
       is provided by pam_authtok_check(5), pam_authtok_get(5),
       pam_authtok_store(5), pam_dhkeys(5), pam_passwd_auth(5),
       pam_setcred(3PAM), pam_unix_account(5), pam_unix_cred(5),
       pam_unix_session(5).

       If the PAM_REPOSITORY item_type is set and a service module does not
       recognize the type, the service module does not process any
       information, and returns PAM_IGNORE. If the PAM_REPOSITORY item_type
       is not set, a service module performs its default action.



SunOS 5.10                        2 Aug 2004                  pam_unix_auth(5)