.\" Copyright (c) 2001 Mark R V Murray
.\" All rights reserved.
.\" Copyright (c) 2001 Networks Associates Technology, Inc.
.\" All rights reserved.
.\" This software was developed for the FreeBSD Project by ThinkSec AS and
.\" NAI Labs, the Security Research Division of Network Associates, Inc.
.\" under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
.\" DARPA CHATS research program.
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\" 3. The name of the author may not be used to endorse or promote
.\" products derived from this software without specific prior written
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
authentication service module for PAM,
provides functionality for three PAM categories:
account management, and password management.
parameter, they are the
It also provides a null function for session management.
.Ss Ux Ss Authentication Module
authentication component
provides functions to verify the identity of a user
.Pq Fn pam_sm_authenticate ,
which obtains the relevant
It prompts the user for a password
and verifies that this is correct with
The following options may be passed to the authentication module:
.Bl -tag -width ".Cm use_first_pass"
debugging information at
If the authentication module
is not the first in the stack,
obtained the user's password,
to authenticate the user.
the authentication module returns failure
without prompting the user for a password.
This option has no effect
if the authentication module
is the first in the stack,
or if no previous modules
obtained the user's password.
.It Cm try_first_pass
This option is similar to the
except that if the previously obtained password fails,
the user is prompted for another password.
This option will require the user
to authenticate himself as the user
not as the account they are attempting to access.
This is primarily for services like
where the user's ability to retype
might be deemed sufficient.
If the password database
for the entity being authenticated,
will forgo password prompting,
and silently allow authentication to succeed.
Use only the local password database,
even if NIS is in use.
This will cause an authentication failure
if the system is configured
Use only the NIS password database.
This will cause an authentication failure
if the system is not configured
.Ss Ux Ss Account Management Module
account management component
provides a function to perform account management,
.Fn pam_sm_acct_mgmt .
The function verifies
that the authenticated user
is allowed to log into the local user account
by checking the following criteria:
.Bl -dash -offset indent
locked status of the account compatible with
the password expiry date from
restrictions on the remote host, login time, and tty.
The following options may be passed to the management module:
.Bl -tag -width ".Cm use_first_pass"
debugging information at
.Ss Ux Ss Password Management Module
password management component
provides a function to perform password management,
.Fn pam_sm_chauthtok .
The following options may be passed to the password module:
.Bl -tag -width ".Cm use_first_pass"
debugging information at
suppress warning messages to the user.
These messages include
reasons why the user's
authentication attempt was declined.
forces the password module
to change a local password
in favour of a NIS one.
forces the password module
to change a NIS password
in favour of a local one.
.Bl -tag -width ".Pa /etc/master.passwd" -compact
.It Pa /etc/master.passwd
.Xr nsswitch.conf 5 ,
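
The authentication options described above, as an added example that is not part of this manual page or of the FreeBSD sources: a Python check that parses pam.d-style rules and reports pam_unix options in the auth stack that either bypass the password check for the target account or have no effect. The option names `nullok` and `auth_as_self` (their `.It Cm` lines are missing from this copy) are the FreeBSD pam_unix names; the `facility control module options` line layout and the sample policy are assumptions made for the example.

```python
"""Audit pam.d-style text for pam_unix auth options described in the manual."""

# Options whose documented behaviour weakens authentication of the target account.
NOTES = {
    "nullok": "an account with no password authenticates without any prompt",
    "auth_as_self": "checks the invoking user's password, not the target account's",
}


def parse_rules(text):
    """Yield (lineno, facility, module, options) from pam.d-style text."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 3:
            continue  # blank, comment-only or malformed line
        facility, _control, path, *options = fields
        module = path.rsplit("/", 1)[-1]  # accept absolute module paths
        if module.endswith(".so"):
            module = module[:-3]
        yield lineno, facility, module, options


def audit(text):
    """Return [(lineno, option, note)] for pam_unix rules in the auth facility."""
    findings = []
    position = 0  # index of the current rule within the auth stack
    for lineno, facility, module, options in parse_rules(text):
        if facility != "auth":
            continue
        if module == "pam_unix":
            for opt in options:
                if opt in NOTES:
                    findings.append((lineno, opt, NOTES[opt]))
                elif opt == "use_first_pass" and position == 0:
                    findings.append((lineno, opt, "no effect: first module in the stack"))
        position += 1
    return findings


# Constructed sample in the style of /etc/pam.d/<service>; not a real policy.
SAMPLE = """\
# constructed sample
auth      sufficient  pam_unix.so           use_first_pass nullok
auth      required    /usr/lib/pam_unix.so  try_first_pass auth_as_self
account   required    pam_unix.so
password  required    pam_unix.so           no_warn nullok
"""

if __name__ == "__main__":
    for lineno, opt, note in audit(SAMPLE):
        print(f"line {lineno}: {opt}: {note}")
```

Only the auth facility is examined, so the `nullok` on the password rule in the sample is not reported.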