.\" Copyright (c) 2001 Mark R V Murray
.\" All rights reserved.
.\" Copyright (c) 2001 Networks Associates Technology, Inc.
.\" All rights reserved.
.\" This software was developed for the FreeBSD Project by ThinkSec AS and
.\" NAI Labs, the Security Research Division of Network Associates, Inc.
.\" under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
.\" DARPA CHATS research program.
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\" 3. The name of the author may not be used to endorse or promote
.\" products derived from this software without specific prior written
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
authentication service module for PAM,
provides functionality for three PAM categories:
authentication, account management, and password management.
parameter, they are the
It also provides a null function for session management.
.Ss Ux Ss Authentication Module
authentication component provides functions to verify the identity of
.Pq Fn pam_sm_authenticate ,
which obtains the relevant
It prompts the user for a password and verifies that this is correct with
The following options may be passed to the authentication module:
.Bl -tag -width ".Cm use_first_pass"
debugging information at
If the authentication module is not the first in the stack, and a
previous module obtained the user's password, that password is used to
authenticate the user.
If this fails, the authentication module returns failure without
prompting the user for a password.
This option has no effect if the authentication module is the first in
the stack, or if no previous modules obtained the user's password.
This option is similar to the
option, except that if the previously obtained password fails, the
user is prompted for another password.
This option will require the user to authenticate themselves as
themselves, not as the account they are attempting to access.
This is primarily for services like
where the user's ability to retype their own password might be deemed
If the password database has no password for the entity being
authenticated, then this option will forgo password prompting, and
silently allow authentication to succeed.
is invoked by a process that does not have the privileges required to
access the password database (in most cases, this means root
to allow any user to log in with any password.
Use only the local password database, even if NIS is in use.
This will cause an authentication failure if the system is configured
Use only the NIS password database.
This will cause an authentication failure if the system is not
configured to use NIS.
.Ss Ux Ss Account Management Module
account management component provides a function to perform account
.Fn pam_sm_acct_mgmt .
The function verifies that the authenticated user is allowed to log
into the local user account by checking the following criteria:
.Bl -dash -offset indent
locked status of the account compatible with
the password expiry date from
restrictions on the remote host, login time, and tty.
The following options may be passed to the management module:
.Bl -tag -width ".Cm use_first_pass"
debugging information at
.Ss Ux Ss Password Management Module
password management component provides a function to perform password
.Fn pam_sm_chauthtok .
The following options may be passed to the password module:
.Bl -tag -width ".Cm use_first_pass"
debugging information at
suppress warning messages to the user.
These messages include reasons why the user's authentication attempt
forces the password module to change a local password in favour of a
forces the password module to change a NIS password in favour of a
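The policy below is an added example and is not part of this manual page or of the pam_unix module itself. It shows how the four categories described above are stacked in a pam.d-style service file and how the authentication options interact: the service name exampleservice and the preceding module pam_example_first.so are placeholders standing in for any module that may already have collected the user's password; the pam_unix options themselves are the ones documented above.

```conf
# Added example (not from the pam_unix(8) manual page): /etc/pam.d/exampleservice
# "exampleservice" and "pam_example_first.so" are placeholders.

# auth: a preceding module may already have obtained the password.
# With try_first_pass, pam_unix reuses that password and prompts again if
# it is wrong; with use_first_pass it would instead fail without prompting.
# If pam_unix were the first module in the stack, both options would have
# no effect and it would simply prompt.
auth        sufficient  pam_example_first.so
auth        required    pam_unix.so     no_warn try_first_pass

# Weak variant, shown for contrast and left commented out: nullok lets an
# account whose password field is empty authenticate with no prompt at all,
# so it belongs only in a policy that has a reason to accept such accounts.
# auth      required    pam_unix.so     no_warn try_first_pass nullok

# account: locked status, password expiry, and the remote host / login time
# / tty restrictions checked by pam_sm_acct_mgmt.
account     required    pam_unix.so

# session: pam_unix supplies only a null session function, so this line
# merely keeps the stack complete.
session     required    pam_unix.so

# password: reuse a new password gathered by an earlier password module if
# there is one. Adding local_pass or nis_pass here would pin the change to
# the local or the NIS database respectively.
password    required    pam_unix.so     no_warn try_first_pass
```

When auditing such a file, the two lines to read first are the auth line with its first-pass option and any occurrence of nullok: together they decide whether a user can ever be authenticated without a password being checked against the database.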
.Bl -tag -width ".Pa /etc/master.passwd" -compact
.It Pa /etc/master.passwd
.Xr nsswitch.conf 5 ,
.Dv PAM_CHANGE_EXPIRED_AUTHTOK