unix_chkpwd
Authenticate users using system authentication modules (PAM)
SYNOPSIS
unix_chkpwd username
PARAMETERS
username
The name of the user whose password is to be verified. The password itself is not a command-line argument: it is supplied separately, typically on standard input or another channel that does not expose it, and is checked against this user's stored credentials in /etc/shadow.
DESCRIPTION
The unix_chkpwd command is a low-level utility primarily used by the Pluggable Authentication Modules (PAM) framework, specifically by the pam_unix.so module, to verify a user's password. It is an integral part of the standard Unix password authentication mechanism.
When a user attempts to log in or otherwise authenticate, PAM routes the request to modules such as pam_unix.so, which in turn invokes unix_chkpwd. The helper compares the supplied password (passed over standard input or another channel that keeps it off the command line) against the hashed password stored in the system's password database, typically /etc/shadow.
It returns a success or failure status, indicating whether the password is correct for the specified user. It is not intended for direct interactive use by end-users.
CAVEATS
This command is a security-sensitive, low-level utility. It is not designed for direct invocation by general users and is installed with restricted permissions. Misuse of, or tampering with, this command can lead to severe security vulnerabilities or system instability. Its role is to be called by privileged processes (such as PAM modules) for authentication, and unprivileged users should never execute it directly.
RETURN CODES
unix_chkpwd returns an exit status of 0 when the password is verified and a non-zero status otherwise (for example 1 for an authentication failure, with other values reserved for system errors). Specific non-zero values may distinguish different error conditions.
SECURITY CONTEXT
This executable is usually installed with the set-user-ID (SUID) root permission, allowing it to temporarily gain root privileges to read the sensitive /etc/shadow file. This privilege escalation is tightly controlled and minimized to perform only the necessary password comparison in a secure and isolated manner.
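The ownership and mode bits described above are what a practitioner actually checks when auditing a host. The script below is an added example written for this page; it is not part of Linux-PAM or of any distribution's packaging. It reports whether the helper binary and /etc/shadow carry the expected bits, and it accepts both installation styles found in practice: the set-user-ID root layout described above and the set-group-ID shadow layout Debian and Ubuntu use (owner root, group shadow, mode 2755). The helper path (/sbin/unix_chkpwd on Debian, /usr/sbin/unix_chkpwd on Fedora), the use of GNU stat, and the "--run" switch are assumptions of the example.

```shell
#!/bin/sh
# Added audit script (not part of Linux-PAM): checks that the unix_chkpwd
# helper and /etc/shadow are installed with the ownership and mode bits the
# password-verification path depends on. Paths are assumptions: Debian installs
# the helper as /sbin/unix_chkpwd, Fedora as /usr/sbin/unix_chkpwd.
HELPER=${HELPER:-/sbin/unix_chkpwd}
SHADOW=${SHADOW:-/etc/shadow}

# pad4 MODE: normalise an octal mode as printed by `stat -c %a` ("755", "4755")
# to four digits so the special-bits digit is always present.
pad4() {
    m=$1
    while [ "${#m}" -lt 4 ]; do m="0$m"; done
    echo "$m"
}

# classify_helper OWNER GROUP MODE: pure decision on stat output. Prints one of
#   ok-setuid-root | ok-setgid-shadow | not-root | world-writable |
#   group-writable | no-privilege-bit
# and returns 0 only for the two "ok" verdicts.
classify_helper() {
    owner=$1; group_name=$2; mode=$(pad4 "$3")
    special=${mode%???}                 # setuid=4, setgid=2, sticky=1
    grp=${mode#??}; grp=${grp%?}        # group permission digit
    other=${mode#???}                   # other permission digit
    if [ "$owner" != root ]; then echo not-root; return 1; fi
    if [ $(( other & 2 )) -ne 0 ]; then echo world-writable; return 1; fi
    if [ $(( grp & 2 )) -ne 0 ]; then echo group-writable; return 1; fi
    if [ $(( special & 4 )) -ne 0 ]; then echo ok-setuid-root; return 0; fi
    if [ $(( special & 2 )) -ne 0 ] && [ "$group_name" = shadow ]; then
        echo ok-setgid-shadow; return 0
    fi
    echo no-privilege-bit; return 1
}

# classify_shadow OWNER GROUP MODE: /etc/shadow must be root-owned and carry
# no read bit for "other". Prints ok | not-root | world-readable.
classify_shadow() {
    owner=$1; mode=$(pad4 "$3")
    other=${mode#???}
    if [ "$owner" != root ]; then echo not-root; return 1; fi
    if [ $(( other & 4 )) -ne 0 ]; then echo world-readable; return 1; fi
    echo ok
}

# audit FILE CLASSIFIER: stat a real file and report the classifier's verdict.
audit() {
    path=$1; classifier=$2
    if [ ! -f "$path" ]; then echo "$path: missing"; return 1; fi
    set -- $(stat -c '%U %G %a' "$path")   # GNU stat: owner group octal-mode
    verdict=$("$classifier" "$1" "$2" "$3"); rc=$?
    echo "$path owner=$1 group=$2 mode=$3 -> $verdict"
    return $rc
}

# Only touch the live system when asked, so the file can also be sourced for
# its functions without side effects.
if [ "${1:-}" = --run ]; then
    status=0
    audit "$HELPER" classify_helper || status=1
    audit "$SHADOW" classify_shadow || status=1
    exit "$status"
fi
```

Run it as `sh audit_chkpwd.sh --run` (the file name is hypothetical); on Fedora-style systems set `HELPER=/usr/sbin/unix_chkpwd` in the environment first. A non-zero exit means at least one of the two files deviates from the expected layout, and the printed verdict names which property failed. The group- and world-writable checks come before the privilege-bit check on purpose: a writable privileged helper is a worse finding than a missing bit, since whoever can write it controls what runs with the elevated identity.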
HISTORY
The unix_chkpwd command evolved as part of the standard Unix password management suite, particularly with the introduction of shadow passwords to enhance security by storing hashed passwords in a file readable only by root. Its functionality became even more crucial with the advent of PAM (Pluggable Authentication Modules) in the mid-1990s.
As systems transitioned to more modular authentication frameworks, unix_chkpwd solidified its role as a core component of the pam_unix.so module, providing the fundamental password verification service for systems using traditional Unix password authentication methods.