pam_localuser
Prevent login for nonexistent users
SYNOPSIS
pam_localuser.so [debug] [noum] [try_first_pass] [use_first_pass] [remember]
PARAMETERS
debug
Logs debugging information to syslog.
noum
Prevents this module from updating the user's utmp/wtmp files with user and login information. This option is rarely used.
try_first_pass
If a password has already been entered (from a previous PAM module), attempt to use it. If it fails, prompt the user again.
use_first_pass
If a password has already been entered, use it. If it fails, authentication fails immediately.
remember
If this module uses try_first_pass or use_first_pass, keep the password for other PAM modules.
DESCRIPTION
The pam_localuser PAM module allows authentication to succeed if the user exists in the /etc/passwd file. This module typically is used to allow only local users to proceed with authentication and to prevent access from users defined elsewhere such as in LDAP or NIS. The module doesn't perform any authentication itself. It simply checks if the user is present locally.
It is most commonly used as a 'requisite' module, meaning that if the user is not local, the entire authentication process fails immediately. Alternatively, it can be used as a 'sufficient' module to allow the user to proceed after the local user check.
This module is often configured with other authentication modules such as pam_unix or pam_ldap to verify a password or other credentials. It is important to place this module correctly in your PAM configuration file (/etc/pam.d/*) to achieve the desired authentication flow.
CAVEATS
If the module is not configured correctly, it can inadvertently lock out all users or allow unintended access. Ensure proper testing is performed after any changes to the PAM configuration.
USAGE EXAMPLE
In a typical PAM configuration file (e.g., /etc/pam.d/login or /etc/pam.d/sshd), a line like 'auth requisite pam_localuser.so' ensures that only users found in /etc/passwd can proceed with authentication. The module is often paired with pam_unix.so, which actually checks the password.
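The placement concern from DESCRIPTION and CAVEATS, as an added example that is not part of the original page or of Linux-PAM: a Python check that reads an auth stack and reports when the pam_localuser gate is missing, not enforcing, or marked 'sufficient' ahead of the module that verifies the password. The sample stacks are constructed, and the names parse_stack, audit and CRED_MODULES are assumptions of this example.

```python
import re

# Constructed sample stacks (not taken from a real system).
GOOD = "auth requisite pam_localuser.so\nauth required pam_unix.so\n"
BAD = "auth sufficient pam_localuser.so\nauth required pam_unix.so\n"

# Assumption: the credential-checking modules are the two the page names.
CRED_MODULES = {"pam_unix.so", "pam_ldap.so"}

# type, control (simple keyword or [bracketed] form), module path
LINE_RE = re.compile(r"^(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def parse_stack(text, mgmt="auth"):
    """Return [(control, module_basename)] for one management group."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        m = LINE_RE.match(line)
        if not m or m.group(1).lstrip("-") != mgmt:
            continue                             # blank, @include, other group
        entries.append((m.group(2), m.group(3).rsplit("/", 1)[-1]))
    return entries

def audit(text):
    """Return a list of finding codes for the auth stack in `text`."""
    stack = parse_stack(text)
    mods = [module for _, module in stack]
    if "pam_localuser.so" not in mods:
        return ["no-local-gate"]
    idx = mods.index("pam_localuser.so")
    control = stack[idx][0]
    cred_after = any(m in CRED_MODULES for m in mods[idx + 1:])
    if control == "sufficient" and cred_after:
        # The module checks no credentials itself; its success under
        # 'sufficient' ends the stack before the password is verified.
        return ["sufficient-skips-credential-check"]
    if control not in ("requisite", "required"):
        # A failure here does not fail the stack (bracketed controls
        # need manual review).
        return ["gate-not-enforcing"]
    return []

if __name__ == "__main__":
    for name, stack in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit(stack) or "ok")
```

Run it against a copy of the file under /etc/pam.d before deploying a change, keeping a root session open while testing.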
HISTORY
The pam_localuser module is part of the Linux-PAM project, a modular authentication system for Linux. Its purpose is to provide a simple way to restrict access to local users defined in the standard system user database. It has been used since Linux-PAM was introduced to provide basic security rules.