pam_unix.5 (2010 09)
pam_unix(5) pam_unix(5)
Unix Account Management Module
The UNIX account management component provides a function to perform account management (pam_sm_acct_mgmt()). The function retrieves the user’s password entry from the UNIX password database and verifies that the user’s account and password have not expired. For trusted systems, this module also validates the allowed access time and access terminal based upon the security configuration.
The following options may be passed in to the UNIX service module:
    debug     syslog(3C) debugging information at LOG_DEBUG level.
    nowarn    Turn off warning messages.
Unix Session Management Module
The UNIX session management component provides functions to initiate (pam_sm_open_session()) and terminate (pam_sm_close_session()) UNIX sessions. For UNIX, the module’s pam_sm_open_session(), invoked through pam_open_session(3), updates the last successful or unsuccessful login time in the protected password database for trusted mode. The account management module reads that information to display the previous time the user logged in.
The following options may be passed in to the UNIX service module:
    debug     syslog(3C) debugging information at LOG_DEBUG level.
    nowarn    Turn off warning messages.
pam_sm_close_session() is a null function; it performs no action.
Unix Password Management Module
The UNIX password management component provides a function to change passwords (pam_sm_chauthtok()) in the UNIX password database. This module must be required in pam.conf; it cannot be optional or sufficient. The following options may be passed in to the UNIX service module:
    debug     syslog(3C) debugging information at LOG_DEBUG level.
    nowarn    Turn off warning messages.
    use_first_pass
              Compares the password in the password database with the user’s old password (entered to the first password module in the stack). If the passwords do not match, or if no password has been entered, the module quits and does not prompt the user for the old password. It also attempts to use the new password (entered to the first password module in the stack) as the new password for this module. If the new password fails, the module quits and does not prompt the user for a new password.
    try_first_pass
              Compares the password in the password database with the user’s old password (entered to the first password module in the stack). If the passwords do not match, or if no password has been entered, the module prompts the user for the old password. It also attempts to use the new password (entered to the first password module in the stack) as the new password for this module. If the new password fails, the module prompts the user for a new password.
    use_psd   Prompts the user for the PIN (with the PIN, the PAM framework can retrieve a password from the smart card); the old password is then retrieved from the smart card. The module compares the password in the password database with that old password. If the passwords match, it prompts the user for a new password.
If the user’s password has expired, the UNIX account module saves this information in the authentication handle using pam_set_data(). The UNIX password module retrieves this information from the authentication handle using pam_get_data() to determine whether or not to force the user to update their password.
APPLICATION USAGE
On trusted systems, the pam_sm_*() interfaces implemented in the UNIX service module, libpam_unix, are not thread-safe. Otherwise, they are thread-safe. A cancellation point may occur while a thread is executing any of these interfaces. They are not cancel-safe, async-cancel-safe, or async-signal-safe.
Hewlett-Packard Company − 2 − HP-UX 11i Version 3: September 2010