LinuxCommandLibrary

pam_unix

Authenticate users using traditional UNIX passwords

SYNOPSIS

Services that use PAM typically call pam_authenticate(3) to authenticate the user. The control flag and the other options on the line that invokes the module influence its behavior. pam_unix reads its configuration options from the service's file in /etc/pam.d/, i.e. /etc/pam.d/service_name.

PARAMETERS

debug
    Logs debugging information to syslog.

nullok
    Allows authentication even if the user has a null (empty) password. Warning: This weakens security.

try_first_pass
    Tries to use a previously entered password from other PAM modules.

use_first_pass
    Requires that a previously entered password from other PAM modules must be used.

remember=
    Remembers the given number of previous passwords and rejects a new password that matches any of them.

sha512
    Uses SHA512 as the password hashing algorithm.

md5
    Uses MD5 as the password hashing algorithm. Warning: Considered weak, avoid if possible.

shadow
    Assumes that shadow passwords are in use. (default)

noshadow
    Assumes that shadow passwords are not in use.

passwd
    Changes the password if necessary. Used for password management operations.

use_authtok
    Uses the authentication token (password) set by a previous module in the stack instead of prompting for one.

DESCRIPTION

The pam_unix module is a standard Pluggable Authentication Module (PAM) used for authenticating users against the traditional Unix password database (usually /etc/passwd and /etc/shadow). It verifies the user's identity by comparing the entered password (or other authentication token) against the stored password hash. This module handles tasks such as password changing, account management (checking for expired passwords or locked accounts), and setting up user credentials for the session.

It's a foundational module relied upon by many Linux systems for basic authentication and account security. pam_unix can also integrate with other PAM modules to create more complex authentication schemes, offering flexibility in managing user access control. It has long been the standard way to authenticate a user on such systems.

CAVEATS

Misconfiguring pam_unix can lock users out of the system. Exercise caution when modifying its configuration files.

CONFIGURATION FILES

pam_unix is configured through the files located in the /etc/pam.d/ directory. These files specify the PAM modules that are invoked for each service (e.g., login, sshd). Each line in the file represents a module invocation and defines the control flag (requisite, required, sufficient, optional) and the module-specific parameters.

SECURITY CONSIDERATIONS

When configuring pam_unix, it is important to choose a strong password hashing algorithm. Avoid using weak algorithms such as MD5. Also, consider using features like password history to prevent users from reusing old passwords.
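The two points above (the line format of /etc/pam.d/ files, and the choice of hashing algorithm and password history) can be checked mechanically. The following is an added example written for this page; it is not part of pam_unix or Linux-PAM. It parses a pam.d-style file, including the bracketed [value=action ...] control form, lists every pam_unix line that uses an option this page warns against (nullok, md5, noshadow), flags password lines with no explicit hash or no remember= history, and shows what a hardened argument list would look like. The sample configuration is constructed for the example (not copied from any distribution), and the function names (parse_pam_config, audit_pam_unix, harden_args) are this example's own.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample in /etc/pam.d/ syntax (not a real distribution file).
# The first pam_unix line uses the weak options this page warns about;
# the second is the hardened form with sha512 and password history.
SAMPLE_PAM_CONFIG = """\
# /etc/pam.d/common-password (constructed example)
password   requisite   pam_pwquality.so retry=3
password   [success=1 default=ignore]  pam_unix.so obscure md5 nullok try_first_pass
password   required    pam_unix.so obscure sha512 shadow remember=5 use_authtok
password   required    pam_deny.so
"""

# Options listed on this page that weaken pam_unix, with the reason each is flagged.
WEAK_OPTIONS = {
    "nullok": "allows login with an empty password",
    "md5": "MD5 password hashing is considered weak",
    "noshadow": "assumes hashes live in /etc/passwd rather than /etc/shadow",
}
# Hash-selection options named on this page (newer pam_unix versions accept more).
HASH_OPTIONS = {"sha512", "md5"}


@dataclass
class PamLine:
    lineno: int
    type: str                 # auth, account, password or session
    control: str              # required/requisite/sufficient/optional or [...] form
    module: str               # e.g. pam_unix.so
    args: list[str] = field(default_factory=list)


@dataclass
class Finding:
    lineno: int
    problem: str


# type, control (bracketed form may contain spaces), module, remaining arguments
LINE_RE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def parse_pam_config(text: str) -> list[PamLine]:
    """Parse /etc/pam.d/<service> text: one entry per line, '#' starts a comment,
    blank lines and '@include' directives are skipped."""
    entries: list[PamLine] = []
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("@include"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {n}: cannot parse {raw!r}")
        mtype, control, module, rest = m.groups()
        entries.append(PamLine(n, mtype, control, module, rest.split()))
    return entries


def audit_pam_unix(entries: list[PamLine]) -> list[Finding]:
    """Report pam_unix invocations using options this page warns against, plus
    password-stack lines that select no hash explicitly or keep no history."""
    findings: list[Finding] = []
    for e in entries:
        if e.module != "pam_unix.so":
            continue
        opts = {a.split("=", 1)[0] for a in e.args}   # 'remember=5' -> 'remember'
        for opt, why in WEAK_OPTIONS.items():
            if opt in opts:
                findings.append(Finding(e.lineno, f"option '{opt}': {why}"))
        if e.type == "password":
            if not opts & HASH_OPTIONS:
                findings.append(Finding(e.lineno, "no hashing algorithm selected; relies on the library default"))
            if "remember" not in opts:
                findings.append(Finding(e.lineno, "no password history (remember=) configured"))
    return findings


def harden_args(mtype: str, args: list[str]) -> list[str]:
    """Return the argument list with the weak options removed and, on a password
    line, sha512 selected if no hash option is present. Review the result against
    the CAVEATS above before installing it: dropping nullok locks out any account
    that currently has an empty password."""
    kept = [a for a in args if a.split("=", 1)[0] not in WEAK_OPTIONS]
    names = {a.split("=", 1)[0] for a in kept}
    if mtype == "password" and not names & HASH_OPTIONS:
        kept.append("sha512")
    return kept


if __name__ == "__main__":
    entries = parse_pam_config(SAMPLE_PAM_CONFIG)
    for f in audit_pam_unix(entries):
        print(f"line {f.lineno}: {f.problem}")
    for e in entries:
        if e.module == "pam_unix.so":
            print("hardened:", e.type, e.control, e.module, " ".join(harden_args(e.type, e.args)))
```

Run against a real file with `parse_pam_config(open("/etc/pam.d/common-password").read())`; the audit only reports, so the decision to edit the file stays with the administrator.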

HISTORY

pam_unix has been a core part of the PAM framework since its inception. It was designed to provide a standardized way to handle Unix password authentication, decoupling authentication mechanisms from individual applications. Over time, the module has been enhanced with features like shadow password support and stronger hashing algorithms (SHA-512) to improve security.

SEE ALSO

pam(8), pam_authenticate(3), passwd(1), shadow(5)
