pam_unix
Authenticate users using traditional UNIX passwords
SYNOPSIS
Services that use PAM typically call pam_authenticate(3) to authenticate the user. The control flag and the other options influence the behavior of the module. pam_unix reads its configuration options from /etc/pam.d/service_name, where service_name is the name of the calling service.
PARAMETERS
debug
Logs debugging information to syslog.
nullok
Allows authentication even if the user has a null (empty) password. Warning: This weakens security.
try_first_pass
Tries to use a previously entered password from other PAM modules.
use_first_pass
Requires that a previously entered password from other PAM modules must be used.
remember=n
Remembers the last n passwords of each user so that they cannot be reused (password history).
sha512
Uses SHA512 as the password hashing algorithm.
md5
Uses MD5 as the password hashing algorithm. Warning: Considered weak, avoid if possible.
shadow
Assumes that shadow passwords are in use. (default)
noshadow
Assumes that shadow passwords are not in use.
passwd
Changes the password if necessary. Used for password management operations.
use_authtok
Uses the authentication token (password) provided by a previous module.
DESCRIPTION
The pam_unix module is a standard Pluggable Authentication Module (PAM) used for authenticating users against the traditional Unix password database (usually /etc/passwd and /etc/shadow). It verifies the user's identity by comparing the entered password (or other authentication token) against the stored password hash. This module handles tasks such as password changing, account management (checking for expired passwords or locked accounts), and setting up user credentials for the session.
It is a foundational module relied upon by many Linux systems for basic authentication and account security. pam_unix can also be combined with other PAM modules to build more complex authentication schemes, offering flexibility in managing user access control. It has long been the standard way to authenticate a user.
CAVEATS
Misconfiguring pam_unix can lock users out of the system. Exercise caution when modifying its configuration files.
CONFIGURATION FILES
pam_unix is configured through the files located in the /etc/pam.d/ directory. These files specify the PAM modules that are invoked for each service (e.g., login, sshd). Each line in the file represents a module invocation and defines the control flag (requisite, required, sufficient, optional) and the module-specific parameters.
SECURITY CONSIDERATIONS
When configuring pam_unix, it is important to choose a strong password hashing algorithm. Avoid using weak algorithms such as MD5. Also, consider using features like password history to prevent users from reusing old passwords.
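The following script is an added example (not part of pam_unix or this page) that audits the option choices discussed in CONFIGURATION FILES and SECURITY CONSIDERATIONS: it reads a PAM service file line by line, locates the pam_unix.so entry even when the control field is a bracketed list, and reports nullok, md5, and password entries that select neither sha512 nor a remember= history. The two service files are constructed inline for demonstration; point audit_pam_unix at a real /etc/pam.d file to check a system.

```shell
#!/bin/sh
# Added example: audit PAM service files for weak pam_unix options.
# The sample files below are constructed here for demonstration; they are
# not real system files.

WEAK=$(mktemp)
cat > "$WEAK" <<'EOF'
# constructed sample in the layout of a /etc/pam.d service file
auth     required   pam_unix.so nullok try_first_pass
account  required   pam_unix.so
password sufficient pam_unix.so md5 use_authtok
session  required   pam_unix.so
EOF

HARDENED=$(mktemp)
cat > "$HARDENED" <<'EOF'
auth     [success=1 default=ignore] pam_unix.so try_first_pass
password required   pam_unix.so sha512 remember=5 use_authtok
EOF

# audit_pam_unix FILE: print one finding per line for each pam_unix.so entry
# that uses nullok or md5, or a password entry lacking sha512 / remember=.
audit_pam_unix() {
    awk '
    /^[[:space:]]*#/ || NF == 0 { next }
    {
        # locate the module field: the control field may be a bracketed list
        # such as [success=1 default=ignore], which spans several fields
        m = 3
        if ($2 ~ /^\[/) { for (i = 2; i <= NF; i++) if ($i ~ /\]$/) { m = i + 1; break } }
        if ($m !~ /pam_unix\.so$/) next
        has_sha = 0; has_rem = 0
        for (i = m + 1; i <= NF; i++) {
            if ($i == "nullok") print FILENAME ":" NR ": " $1 " entry allows empty passwords (nullok)"
            if ($i == "md5")    print FILENAME ":" NR ": " $1 " entry hashes with MD5"
            if ($i == "sha512") has_sha = 1
            if ($i ~ /^remember=/) has_rem = 1
        }
        if ($1 == "password" && !has_sha) print FILENAME ":" NR ": password entry does not select sha512"
        if ($1 == "password" && !has_rem) print FILENAME ":" NR ": password entry keeps no remember= history"
    }' "$1"
}

# count_findings FILE: number of findings reported for FILE
count_findings() { audit_pam_unix "$1" | wc -l | tr -d ' '; }

audit_pam_unix "$WEAK"
echo "weak: $(count_findings "$WEAK") finding(s), hardened: $(count_findings "$HARDENED") finding(s)"
```

The check only looks at options written in the service file; a system whose hashing method comes from a default elsewhere will still be reported as not selecting sha512 explicitly.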
HISTORY
pam_unix has been a core part of the PAM framework since its inception. It was designed to provide a standardized way to handle Unix password authentication, decoupling authentication mechanisms from individual applications. Over time, the module has been enhanced with features like shadow password support and stronger hashing algorithms (SHA-512) to improve security.
SEE ALSO
pam(8), pam_authenticate(3), passwd(1), shadow(5)