.\" Copyright (c) 2001 Mark R V Murray
.\" All rights reserved.
.\" Copyright (c) 2001 Networks Associates Technology, Inc.
.\" All rights reserved.
.\" This software was developed for the FreeBSD Project by ThinkSec AS and
.\" NAI Labs, the Security Research Division of Network Associates, Inc.
.\" under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
.\" DARPA CHATS research program.
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\" 3. The name of the author may not be used to endorse or promote
.\" products derived from this software without specific prior written
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
authentication service module for PAM,
provides functionality for three PAM categories:
authentication, account management, and password management.
parameter, they are the
It also provides a null function for session management.
.Ss Ux Ss Authentication Module
authentication component provides functions to verify the identity of
.Pq Fn pam_sm_authenticate ,
which obtains the relevant
It prompts the user for a password and verifies that this is correct with
The following options may be passed to the authentication module:
.Bl -tag -width ".Cm use_first_pass"
debugging information at
If the authentication module is not the first in the stack, and a
previous module obtained the user's password, that password is used to
authenticate the user.
If this fails, the authentication module returns failure without
prompting the user for a password.
This option has no effect if the authentication module is the first in
the stack, or if no previous modules obtained the user's password.
This option is similar to the
option, except that if the previously obtained password fails, the
user is prompted for another password.
This option will require the user to authenticate themselves as
themselves, not as the account they are attempting to access.
This is primarily for services like
where the user's ability to retype their own password might be deemed
If the password database has no password for the entity being
authenticated, then this option will forgo password prompting, and
silently allow authentication to succeed.
Use only the local password database, even if NIS is in use.
This will cause an authentication failure if the system is configured
Use only the NIS password database.
This will cause an authentication failure if the system is not
configured to use NIS.
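The following added example is not part of pam_unix or of this manual page: a Python lint for a pam.d policy that reports the authentication options described above where they change who can log in or have no effect. The option names are those of FreeBSD's pam_unix and do not appear in the text above; the sample policy is constructed.

```python
# Added example, not part of pam_unix: lint a pam.d(5) policy for the
# authentication options described above. Option names are FreeBSD's
# pam_unix names; SAMPLE_POLICY is constructed for illustration.
FIRST_PASS = {"use_first_pass", "try_first_pass"}

SAMPLE_POLICY = """\
# facility  control     module        options
auth        sufficient  pam_opie.so   no_warn no_fake_prompts
auth        required    pam_unix.so   no_warn try_first_pass nullok
account     required    pam_unix.so
password    required    pam_unix.so   no_warn try_first_pass
"""


def parse_policy(text):
    """Yield (lineno, facility, module, options) for each rule line."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 3:
            # fields[1] is the control flag (or "include"); not needed here
            yield lineno, fields[0], fields[2], set(fields[3:])


def is_pam_unix(module):
    # Accept bare, versioned and absolute forms: pam_unix.so, pam_unix.so.6
    return module.rsplit("/", 1)[-1].split(".so")[0] == "pam_unix"


def audit(text):
    """Return (lineno, option, reason) findings for pam_unix auth rules."""
    findings, earlier_auth = [], 0
    for lineno, facility, module, opts in parse_policy(text):
        if facility != "auth":
            continue
        if is_pam_unix(module):
            if "nullok" in opts:
                findings.append((lineno, "nullok",
                                 "empty-password accounts authenticate with no prompt"))
            for opt in sorted(opts & FIRST_PASS):
                if earlier_auth == 0:
                    findings.append((lineno, opt,
                                     "no effect: pam_unix is first in the auth stack"))
            if "auth_as_self" in opts:
                findings.append((lineno, "auth_as_self",
                                 "user authenticates as themselves, not the target account"))
        earlier_auth += 1
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_POLICY):
        print("line %d: %s: %s" % finding)
```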
.Ss Ux Ss Account Management Module
account management component provides a function to perform account
.Fn pam_sm_acct_mgmt .
The function verifies that the authenticated user is allowed to log
into the local user account by checking the following criteria:
.Bl -dash -offset indent
locked status of the account compatible with
the password expiry date from
restrictions on the remote host, login time, and tty.
The following options may be passed to the management module:
.Bl -tag -width ".Cm use_first_pass"
debugging information at
.Ss Ux Ss Password Management Module
password management component provides a function to perform password
.Fn pam_sm_chauthtok .
The following options may be passed to the password module:
.Bl -tag -width ".Cm use_first_pass"
debugging information at
suppress warning messages to the user.
These messages include reasons why the user's authentication attempt
forces the password module to change a local password in favour of a
forces the password module to change a NIS password in favour of a
.Bl -tag -width ".Pa /etc/master.passwd" -compact
.It Pa /etc/master.passwd
.Xr nsswitch.conf 5 ,