pam_tcb man page on OpenMandriva

PAM_TCB(8)							    PAM_TCB(8)

NAME
       pam_tcb - authentication, account, session, and password management PAM
       module for Unix with support for the tcb password shadowing scheme

DESCRIPTION
       pam_tcb is a PAM module which deals with Unix accounts and provides
       functionality for all four PAM management groups: authentication,
       account management, session management, and password management.  It
       is a successor to pam_unix and pam_pwdb.

       authentication
              pam_tcb relies exclusively on the getpwnam(3) and getspnam(3)
              interfaces to obtain the information necessary for user
              authentication.  It performs password hashing with crypt_ra(3)
              or crypt(3).  This means that pam_tcb will use NSS and will
              handle any password hashing method supported by the system
              libraries.

       account management
              When the account information is available via getspnam(3), the
              account management part of pam_tcb checks for expired accounts
              or passwords.  It uses the shadow file entry fields as described
              in shadow(5).  It is the responsibility of applications to
              interpret the PAM error status and possibly invoke the password
              management group to get an expired password changed.

       session management
              By default, pam_tcb logs the opening and closing of PAM sessions
              via syslog(3).  It uses LOG_AUTH as the syslog facility and
              either adds the "pam_tcb: " prefix to log messages or, if the
              openlog option is given, sets the ident to "pam_tcb".  This
              functionality may be disabled with the nolog option (see below).

       password management
              pam_chauthtok(3) performs two passes through the password
              management stack: PAM_PRELIM_CHECK and PAM_UPDATE_AUTHTOK.
              During the PAM_PRELIM_CHECK phase, pam_tcb may optionally prompt
              for and will always verify the old password.  This allows for
              stacking of a password policy enforcement module such as
              pam_passwdqc before pam_tcb, without requiring this other module
              to take over performing any of the tasks of pam_tcb.  The actual
              password change happens during the PAM_UPDATE_AUTHTOK phase.

	      When changing passwords, pam_tcb is able to modify the following
	      password databases:

	      /etc/passwd file, see passwd(5);
	      /etc/shadow file, see shadow(5);
	      /etc/tcb/ directory structure, see tcb(5);
	      NIS and NIS+.

OPTIONS
       Most of the options recognized by pam_unix or pam_pwdb are valid for
       pam_tcb as well and have identical meaning.  There are some semantic
       differences though, so you are advised to browse the list below.  All
       the boolean options are off by default.  The default values of non-
       boolean options are given.

       debug  Log debugging information via syslog(3).

       audit  Log even more debugging information, including unknown
              usernames.  This has the risk of potentially logging a password
              that a user could have given instead of a username.

       openlog
              Normally, pam_tcb will add the "pam_tcb: " prefix to log
              messages.  The openlog option disables this behavior and causes
              pam_tcb to call openlog(3) with ident "pam_tcb" before logging
              and closelog(3) afterwards.

       noopenlog
              If pam_tcb was compiled with ENABLE_OPENLOG, it will call
              openlog(3) with ident "pam_tcb" before logging and closelog(3)
              afterwards.  The noopenlog option disables this behavior.

       nolog  Suppress logging.

       blank_nolog
              Do not log failed authentication attempts when a blank password
              is tried.  If this option is not used, some services, notably
              sshd(8), may generate false alarms.

       nullok Permit blank passwords.

       use_first_pass
	      Don't  prompt the user for passwords, take them from PAM_AUTHTOK
	      and possibly PAM_OLDAUTHTOK items instead.

       try_first_pass
              Take passwords from PAM_AUTHTOK and possibly PAM_OLDAUTHTOK
              items, but prompt the user if the appropriate PAM item is unset.

       use_authtok
	      Like  use_first_pass, but applies to the (new) PAM_AUTHTOK only.
	      This is intended for stacking password management modules.

       not_set_pass
	      Don't set the PAM items with passwords used by this module.

       likeauth
              When called as a credential setting module, return the same
              value as was returned during the authentication.

       passwd If set, pam_tcb may use the second field of the user's "passwd"
              entry (usually taken from /etc/passwd) as the password hash.
              See below for details.

       shadow If set, pam_tcb may use the second field of the user's "shadow"
              entry (usually taken from /etc/shadow or a tcb shadow file) as
              the password hash.  See below for details.

       nisplus
              If set, pam_tcb will acquire the user's EUID before obtaining
              the password hash.  If you're using NIS+, you need to turn this
              on.  See below for details.

       write_to=
              This option determines where pam_tcb should store new password
              hashes when changing passwords.  Possible settings are:
              "passwd", "shadow", "tcb", and "nis".  The default is "shadow".

       md5    When  updating a user's password, hash the new password with the
	      obsolete FreeBSD-derived MD5-based algorithm.

       prefix=
              When updating a user's password, generate the salt with the
              specified prefix (which determines the hashing method to use).
              The default is "$2y$", which requests bcrypt, a Blowfish-based
              hashing method, which supports variable iteration counts.

       count= The number of iterations of an underlying cryptographic
              primitive to use when hashing passwords.  The default is 0,
              which lets the selected hashing algorithm pick its default
              iteration count.

              It is highly recommended that you override this setting.  Please
              refer to crypt(3) for information on supported hashing methods,
              their prefix strings, and their count settings.

       plain_crypt
	      Use plain crypt(3) instead of crypt_ra(3).  This may be required
	      to  access hashing methods for which no reentrant implementation
	      exists in the system libraries.

       nodelay
	      Do not delay after an unsuccessful authentication attempt.

       fork   Create child processes for accessing shadow files.  Using this
              option one can be sure that after a call to pam_end(3) there is
              no sensitive data left in the process' address space.  However,
              this option may confuse some of the more complicated
              applications and it has some performance overhead.

       helper=
              If the hashed password cannot be retrieved by pam_tcb and the
              UID of the user being authenticated is equal to the real UID
              pam_tcb runs as, pam_tcb will execute a privileged helper
              program to perform authentication.  This option determines the
              path to the program's binary.  If an empty helper path is
              given, no helper will be executed.  The default is
              /usr/libexec/chkpwd/tcb_chkpwd.

OBTAINING PASSWORD HASHES
       The following algorithm is used by pam_tcb to retrieve the password
       hash for a user:

       if (passwd option is set and pw_passwd field is not equal to "x" nor
	   "*NP*")
	       use pw_passwd field as the hash;
       if (nisplus option is set) {
	       try to acquire EUID of the user; if unsuccessful, fail;
	       obtain the struct spwd for the user with getspnam(3);
	       regain the previous EUID;
	       use sp_pwdp field as the hash;
       }
       if (shadow option is set and pw_passwd field is equal to "x")
	       use sp_pwdp field as the hash;
       if all the above failed, fail.
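       The selection order above, written out as a pure C function so it
       can be exercised without root, NSS or NIS+.  This is an added example,
       not pam_tcb's own code: the option flags and the select_hash() name
       are constructed, the passwd/shadow fields are passed in directly
       instead of coming from getpwnam(3)/getspnam(3), and treating a
       missing shadow entry on the nisplus path as a fallthrough (rather
       than an immediate failure) is my reading of the text.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Flags standing in for the passwd, nisplus and shadow options.
 * Constructed names for this example, not pam_tcb's own. */
enum { OPT_PASSWD = 1u, OPT_NISPLUS = 2u, OPT_SHADOW = 4u };

/* pw_passwd: second field of the passwd entry.  sp_pwdp: second field of
 * the shadow entry, or NULL if none could be obtained.  euid_ok: whether
 * acquiring the user's EUID succeeded (nisplus path).  Returns NULL when
 * every source fails, which is where pam_tcb would fall back to helper=. */
const char *select_hash(unsigned opts, const char *pw_passwd,
                        const char *sp_pwdp, int euid_ok)
{
    /* passwd option: a hash stored directly in the passwd entry counts,
     * unless the field is the "x" or "*NP*" placeholder. */
    if ((opts & OPT_PASSWD) && strcmp(pw_passwd, "x") != 0 &&
        strcmp(pw_passwd, "*NP*") != 0)
        return pw_passwd;

    /* nisplus option: the shadow entry is read under the user's EUID;
     * failing to switch EUID is a hard failure, not a fallthrough. */
    if (opts & OPT_NISPLUS) {
        if (!euid_ok)
            return NULL;
        if (sp_pwdp != NULL)
            return sp_pwdp;   /* would come from getspnam(3) here */
    }

    /* shadow option: consulted only when passwd holds the "x" marker. */
    if ((opts & OPT_SHADOW) && strcmp(pw_passwd, "x") == 0 &&
        sp_pwdp != NULL)
        return sp_pwdp;

    return NULL;   /* all sources failed */
}

int main(void)
{
    /* Constructed sample: passwd holds "x", the shadow field holds a
     * placeholder hash (not a real one). */
    const char *h = select_hash(OPT_PASSWD | OPT_SHADOW, "x",
                                "$2y$05$placeholder-shadow-hash", 1);
    printf("%s\n", h ? h : "(fail)");
    return 0;
}
```

       Note that with only the shadow option set, a passwd field that
       already contains a hash yields no result at all, which is why the
       passwd and shadow options are normally used together.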

BUGS
       The current pam_tcb implementation is not thread-safe (just like
       pam_unix and pam_pwdb).

SEE ALSO
       crypt(3), crypt_ra(3), getpwnam(3), getspnam(3), shadow(3),
       login.defs(5), passwd(5), shadow(5), tcb(5), pam(8), tcb_convert(8)

Openwall Project		 July 17, 2011			    PAM_TCB(8)