LinuxCommandLibrary

pam_unix

Authenticate users using traditional UNIX passwords

SYNOPSIS

pam_unix is not invoked as a standalone command but rather configured within PAM policy files, typically located in /etc/pam.d/. Its syntax within these files follows the PAM module standard:

module_type control_flag module_path [module_options]

A common entry for pam_unix would look like:

auth     required     pam_unix.so try_first_pass

Where:
module_type: Specifies the interface (e.g., auth, account, password, session).
control_flag: Determines the module's behavior relative to others (e.g., required, requisite, sufficient, optional).
module_path: The path to the module library, usually pam_unix.so.
[module_options]: Specific parameters to modify the module's behavior (see Parameters section).

PARAMETERS

nullok
    Allows users to authenticate with a null (empty) password. This is generally considered a security risk and should be used with extreme caution or avoided.

nodelay
    Disables the delay normally imposed after a failed authentication attempt. Removing the delay can make brute-force attacks slightly easier.

audit
    Enables logging of all authentication attempts, including successful and failed ones, to the system's audit logs. Useful for security monitoring.

shadow
    Forces pam_unix to consult the /etc/shadow file for password hashes. This is the default and recommended behavior on modern systems, but this option explicitly ensures it.

try_first_pass
    If a password has already been obtained by a preceding module in the PAM stack, pam_unix will try that password first. If it fails, pam_unix will then prompt the user for a password itself.

use_first_pass
    Similar to try_first_pass, but if the password obtained by a preceding module fails, pam_unix will not prompt the user for a password and will instead return an authentication failure immediately.

old_pass_was_used
    Primarily for the password module type. Indicates that the old password has already been verified by a previous module in the stack, so pam_unix should skip its own old password verification.

md5
    Historically used for enforcing MD5 password hashing. This option is largely obsolete on modern systems, which default to stronger hashing algorithms like SHA512.
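The Python script below is an added example; it is not part of this page and not code from Linux-PAM. It parses a pam.d-style policy file using the line format given in SYNOPSIS (keyword and bracketed control fields, a leading '-' marking a module that may be missing, backslash line continuations, comments, and Debian-style @include lines) and then reports any pam_unix option from the list above that weakens authentication. The sample file text, the PamEntry field names, and the wording in RISKY_OPTIONS are all constructed for the example.

```python
"""Parse a pam.d-style PAM policy file and flag weakening pam_unix options.

Added example; the sample text below is constructed and is not a real system's file.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample modelled on a Debian-style common-auth stack plus a password line.
SAMPLE_PAM_D = """\
# /etc/pam.d/common-auth (constructed sample, not a real file)
auth    [success=1 default=ignore]  pam_unix.so nullok try_first_pass
auth    requisite                   pam_deny.so
auth    required                    pam_permit.so
-auth   optional                    pam_cap.so
@include common-account
password  required  pam_unix.so sha512 shadow \\
                    use_authtok
"""


@dataclass
class PamEntry:
    module_type: str
    control: str                        # keyword or "[value=action ...]" form
    module_path: str
    options: list[str] = field(default_factory=list)
    optional_module: bool = False       # leading "-": skip silently if the .so is missing
    include: str | None = None          # set for Debian-style "@include file" lines


def _logical_lines(text: str):
    """Yield non-empty lines with comments stripped and backslash continuations joined."""
    buf = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            yield buf.strip()
        buf = ""
    if buf.strip():
        yield buf.strip()


# Bracketed control fields contain spaces, so they need their own pattern.
_BRACKET = re.compile(r"^(-?\w+)\s+(\[[^\]]*\])\s+(\S+)\s*(.*)$")
_KEYWORD = re.compile(r"^(-?\w+)\s+(\S+)\s+(\S+)\s*(.*)$")


def parse_pam_file(text: str) -> list[PamEntry]:
    entries: list[PamEntry] = []
    for line in _logical_lines(text):
        if line.startswith("@include"):
            entries.append(PamEntry("", "", "", include=line.split(None, 1)[1]))
            continue
        m = _BRACKET.match(line) or _KEYWORD.match(line)
        if not m:
            raise ValueError(f"unparseable PAM line: {line!r}")
        mtype, control, path, rest = m.groups()
        entries.append(PamEntry(
            module_type=mtype.lstrip("-"),
            control=control,
            module_path=path,
            options=rest.split(),
            optional_module=mtype.startswith("-"),
        ))
    return entries


# pam_unix options that weaken authentication; the reason text is this script's own wording.
RISKY_OPTIONS = {
    "nullok": "accepts empty passwords",
    "nodelay": "removes the delay after a failed attempt that slows online guessing",
    "md5": "requests the obsolete MD5 hash instead of the distribution default (e.g. SHA512)",
}


def audit_pam_unix(entries: list[PamEntry]) -> list[tuple[int, str, str, str]]:
    """Return (entry number, module type, option, reason) for every risky pam_unix option."""
    findings = []
    for idx, e in enumerate(entries, 1):
        if e.include or not e.module_path.endswith("pam_unix.so"):
            continue
        for opt in e.options:
            if opt in RISKY_OPTIONS:
                findings.append((idx, e.module_type, opt, RISKY_OPTIONS[opt]))
    return findings


if __name__ == "__main__":
    for idx, mtype, opt, why in audit_pam_unix(parse_pam_file(SAMPLE_PAM_D)):
        print(f"entry {idx} ({mtype}): pam_unix.so {opt} -> {why}")
```

Run against the embedded sample it reports the nullok on the first auth line; point parse_pam_file at the contents of a real /etc/pam.d/ file to audit a live stack. The parser deliberately keeps @include lines as separate entries rather than following them, so a full audit of a service means running it over each included file as well.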

DESCRIPTION

pam_unix is a fundamental Pluggable Authentication Modules (PAM) module on Linux systems. It is responsible for authenticating users against the traditional Unix password database, typically found in /etc/passwd and /etc/shadow files. When a service (like login, sudo, or sshd) requires authentication, it consults its PAM configuration file (e.g., /etc/pam.d/login). If pam_unix.so is listed, it will handle the process of prompting for a password and verifying it against the stored hash in /etc/shadow.

Beyond authentication, pam_unix also plays a role in account management (e.g., checking password expiration), password changes (updating the hash in /etc/shadow), and session management (though less prominent here compared to other modules). It acts as the backbone for traditional local user authentication, ensuring system security by managing access based on user credentials.

CAVEATS

pam_unix is a core component of Linux authentication. Improper configuration of this module in PAM policy files can lead to severe security vulnerabilities (e.g., allowing empty passwords) or completely lock users out of the system. Always test PAM changes on a separate, non-critical system or with extreme caution. It relies heavily on the integrity and permissions of /etc/passwd and /etc/shadow.

PAM CONFIGURATION FILES

PAM configuration for services is managed through individual files in the /etc/pam.d/ directory. Each file (e.g., /etc/pam.d/login, /etc/pam.d/sudo) defines a stack of PAM modules and their behavior for that specific service. Understanding the order and control flags within these files is critical for correctly configuring pam_unix and the overall authentication flow.
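The following Python script is an added example, not taken from this page or from Linux-PAM. It simulates how the control flags in a stack combine the individual module results into one outcome for a management group, using the [value=action ...] equivalents of required, requisite, sufficient and optional that pam.conf(5) documents; the ok, done, bad, die, ignore, reset and numeric jump actions follow that manual page's descriptions in simplified form. The module return values are simulated strings such as "success" and "auth_err", chosen for the example in place of the PAM_SUCCESS and PAM_AUTH_ERR constants. It demonstrates the ordering hazards behind the CAVEATS above: a sufficient line placed before a failing required line grants access, a stack in which no line contributes a result fails closed, and the Debian-style "[success=1 default=ignore]" idiom skips the following pam_deny line only when pam_unix succeeded.

```python
"""Simulate how PAM control flags combine module results within one management group.

Added example; return values such as "success" and "auth_err" are simulated strings
standing in for PAM_SUCCESS, PAM_AUTH_ERR and the other PAM result codes.
"""
from __future__ import annotations

# The keyword flags expressed in [value=action ...] form, as documented in pam.conf(5).
KEYWORD_CONTROLS = {
    "required":   "[success=ok new_authtok_reqd=ok ignore=ignore default=bad]",
    "requisite":  "[success=ok new_authtok_reqd=ok ignore=ignore default=die]",
    "sufficient": "[success=done new_authtok_reqd=done default=ignore]",
    "optional":   "[success=ok new_authtok_reqd=ok default=ignore]",
}


def parse_control(control: str) -> dict[str, str]:
    """Expand a keyword or bracketed control field into a value -> action map."""
    spec = KEYWORD_CONTROLS.get(control, control)
    if not (spec.startswith("[") and spec.endswith("]")):
        raise ValueError(f"unrecognised control field: {control!r}")
    return dict(item.split("=", 1) for item in spec[1:-1].split())


def _is_failure(status: str | None) -> bool:
    # Undecided, success and "password must be changed" are not failures; anything else is.
    return status not in (None, "success", "new_authtok_reqd")


def evaluate_stack(stack: list[tuple[str, str]]) -> tuple[str, list[int]]:
    """stack: (control field, simulated return value) per line, in file order.

    Returns (final result, indices of the lines that actually ran)."""
    status: str | None = None   # None until some module contributes a result
    ran: list[int] = []
    i = 0
    while i < len(stack):
        control, retval = stack[i]
        ran.append(i)
        i += 1
        actions = parse_control(control)
        action = actions.get(retval, actions.get("default", "bad"))
        if action == "ignore":
            continue                        # does not contribute to the result
        if action == "reset":
            status = None                   # forget everything seen so far
        elif action in ("bad", "die"):
            if not _is_failure(status):
                status = retval             # the first failure fixes the stack's code
            if action == "die":
                break                       # requisite-style: stop immediately
        else:                               # "ok", "done" or a jump count N
            if status in (None, "success"):
                status = retval             # override only a would-be success
            if action == "done" and not _is_failure(status):
                break                       # sufficient-style: success ends the stack
            if action.isdigit():
                i += int(action)            # jump over the next N lines
    # A stack in which nothing contributed fails closed (Linux-PAM returns PAM_PERM_DENIED).
    return (status if status is not None else "perm_denied"), ran


if __name__ == "__main__":
    scenarios = {
        "sufficient placed before a failing required line":
            [("sufficient", "success"), ("required", "auth_err")],
        "required failure is not rescued by a later sufficient success":
            [("required", "auth_err"), ("sufficient", "success")],
        "Debian idiom, pam_unix succeeds and pam_deny is skipped":
            [("[success=1 default=ignore]", "success"), ("requisite", "auth_err"),
             ("required", "success")],
        "Debian idiom, pam_unix fails and pam_deny terminates the stack":
            [("[success=1 default=ignore]", "auth_err"), ("requisite", "auth_err"),
             ("required", "success")],
        "only optional lines, all failing":
            [("optional", "auth_err")],
    }
    for title, stack in scenarios.items():
        result, ran = evaluate_stack(stack)
        print(f"{title}: {result} (lines run: {ran})")
```

Running the script prints one line per scenario; the list of line indices that ran is the useful part when reasoning about a change, because a line that never runs (a pam_deny jumped over, or a required line after an early sufficient success) cannot enforce anything.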

PAM MODULE TYPES

PAM modules operate across four distinct management groups or 'types':
auth: Verifies the user's identity (e.g., password, biometrics) and sets credentials.
account: Checks non-authentication related account management (e.g., password expiration, account validity, time restrictions).
password: Handles password changes (e.g., prompting for old password, setting new password, enforcing complexity policies).
session: Manages tasks performed before and after a user's service session (e.g., logging activity, mounting home directories).

HISTORY

PAM (Pluggable Authentication Modules) was originally developed by Sun Microsystems in the mid-1990s as a flexible authentication framework. Linux adopted PAM in the late 1990s, with pam_unix becoming the cornerstone module for interfacing with the traditional Unix user and password databases. Its development has focused on maintaining compatibility with standard Unix authentication mechanisms while adapting to modern security practices, such as stronger password hashing algorithms and tighter integration with system logging.

SEE ALSO

pam(8), passwd(5), shadow(5), pam_pwquality(8), login(1), sudo(8), sshd(8)
