NAME<\/a> pam_tcb<\/b> \u2212 authentication, account, session, and password management PAM module for Unix with support for the tcb password shadowing scheme<\/p>\n pam_tcb<\/b> is a PAM module which deals with Unix accounts and provides functionality for all four PAM management groups: authentication, account management, session management, and password management. It is a successor to pam_unix<\/b> and pam_pwdb<\/b>. pam_tcb<\/b> relies exclusively on getpwnam<\/b>(3) and getspnam<\/b>(3) interfaces to obtain information necessary for user authentication. It performs password hashing with crypt_ra<\/b>(3) or crypt<\/b>(3). This means that pam_tcb<\/b> will use NSS and will handle any password hashing method supported by the system libraries.<\/p>\n account management<\/b><\/p>\n When the account information is available via getspnam<\/b>(3), the account management part of pam_tcb<\/b> checks for expired accounts or passwords. It uses the shadow file entry fields as described in shadow<\/b>(5). It is responsibility of applications to interpret the PAM error status and possibly invoke the password management group to get an expired password changed.<\/p>\n session management<\/b><\/p>\n By default, pam_tcb<\/b> logs the opening and closing of PAM sessions via syslog<\/b>(3). It uses LOG_AUTH<\/b> as the syslog facility and either adds “pam_tcb: ” prefix to log messages or, if the openlog<\/b> option is given, sets the ident to “pam_tcb”. This functionality may be disabled with the nolog<\/b> option (see below).<\/p>\n password management<\/b><\/p>\n pam_chauthtok<\/b>(3) performs two passes through the password management stack: PAM_PRELIM_CHECK<\/b> and PAM_UPDATE_AUTHTOK<\/b>. During the PAM_PRELIM_CHECK<\/b> phase, pam_tcb<\/b> may optionally prompt for and will always verify the old password. This allows for stacking of a password policy enforcement module such as pam_passwdqc<\/b> before pam_tcb<\/b>, without requiring this other module to take over performing any of the tasks of pam_tcb<\/b>. The actual password change happens during the PAM_UPDATE_AUTHTOK<\/b> phase.<\/p>\n When changing passwords, pam_tcb<\/b> is able to modify the following password databases:<\/p>\n \/etc\/passwd<\/i> file, see passwd<\/b>(5); Most of the options recognized by pam_unix<\/b> or pam_pwdb<\/b> are valid for pam_tcb<\/b> as well and have identical meaning. There are some semantic differences though, so you are advised to browse the list below. All the boolean options are off by default. The default values of non-boolean options are given.<\/p>\n debug<\/b><\/p>\n<\/td>\n Log debugging information via syslog<\/b>(3).<\/p>\n<\/td>\n<\/tr>\n audit<\/b><\/p>\n<\/td>\n Log even more debugging information, including unknown usernames. This has the risk of potentially logging a password that a user could have given instead of a username.<\/p>\n<\/td>\n<\/tr>\n<\/table>\n openlog<\/b><\/p>\n Normally, pam_tcb<\/b> will add “pam_tcb: ” prefix to log messages. The openlog<\/b> option disables this behavior and causes pam_tcb<\/b> to call openlog<\/b>(3) with ident “pam_tcb” before logging and closelog<\/b>(3) afterwards.<\/p>\n noopenlog<\/b><\/p>\n If pam_tcb<\/b> was compiled with ENABLE_OPENLOG, it will call openlog<\/b>(3) with ident “pam_tcb” before logging and closelog<\/b>(3) afterwards. The noopenlog<\/b> option disables this behavior.<\/p>\n nolog<\/b><\/p>\n<\/td>\n Suppress logging.<\/p>\n<\/td>\n blank_nolog<\/b><\/p>\n Do not log failed authentication attempts when a blank password is tried. If this option is not used, some services, notably sshd<\/b>(8), may generate false alarms.<\/p>\n nullok<\/b><\/p>\n<\/td>\n Permit blank passwords.<\/p>\n<\/td>\n use_first_pass<\/b><\/p>\n Don\u2019t prompt the user for passwords, take them from PAM_AUTHTOK<\/b> and possibly PAM_OLDAUTHTOK<\/b> items instead.<\/p>\n try_first_pass<\/b><\/p>\n Take passwords from PAM_AUTHTOK<\/b> and possibly PAM_OLDAUTHTOK<\/b> items, but prompt the user if the appropriate PAM item is unset.<\/p>\n use_authtok<\/b><\/p>\n Like use_first_pass<\/b>, but applies to the (new) PAM_AUTHTOK<\/b> only. This is intended for stacking password management modules.<\/p>\n not_set_pass<\/b><\/p>\n Don\u2019t set the PAM items with passwords used by this module.<\/p>\n likeauth<\/b><\/p>\n When called as a credential setting module, return the same value as was returned during the authentication.<\/p>\n passwd<\/b><\/p>\n<\/td>\n If set, pam_tcb<\/b> may use the second field of user\u2019s “passwd” entry (usually taken from \/etc\/passwd<\/i>) as the password hash. See below for details.<\/p>\n<\/td>\n<\/tr>\n shadow<\/b><\/p>\n<\/td>\n If set, pam_tcb<\/b> may use the second field of user\u2019s “shadow” entry (usually taken from \/etc\/shadow<\/i> or a tcb shadow file) as the password hash. See below for details.<\/p>\n<\/td>\n<\/tr>\n<\/table>\n nisplus<\/b><\/p>\n If set, pam_tcb<\/b> will acquire the user\u2019s EUID before obtaining the password hash. If you\u2019re using NIS+, you need to turn this on. See below for details.<\/p>\n write_to<\/b>=<\/p>\n This option determines where pam_tcb<\/b> should store new password hashes when changing passwords. Possible settings are: “passwd”, “shadow”, “tcb”, and “nis”. The default is “shadow”.<\/p>\n md5<\/b><\/p>\n<\/td>\n When updating a user\u2019s password, hash the new password with the obsolete FreeBSD-derived MD5-based algorithm.<\/p>\n<\/td>\n<\/tr>\n<\/table>\n prefix<\/b>=<\/p>\n When updating a user\u2019s password, generate the salt with the specified prefix<\/i> (which determines the hashing method to use). The default is “$2y$”, which requests bcrypt<\/b>, a Blowfish-based hashing method, which supports variable iteration counts.<\/p>\n count<\/b>=<\/p>\n<\/td>\n The number of iterations of an underlying cryptographic primitive to use when hashing passwords. The default is 0, which lets the selected hashing algorithm pick its default iteration count.<\/p>\n<\/td>\n<\/tr>\n<\/table>\n It is highly recommended that you override this setting. Please refer to crypt<\/b>(3) for information on supported hashing methods, their prefix<\/i> strings, and their count<\/i> settings.<\/p>\n plain_crypt<\/b><\/p>\n Use plain crypt<\/b>(3) instead of crypt_ra<\/b>(3). This may be required to access hashing methods for which no reentrant implementation exists in the system libraries.<\/p>\n nodelay<\/b><\/p>\n Do not delay after an unsuccessful authentication attempt.<\/p>\n fork<\/b><\/p>\n<\/td>\n Create child processes for accessing shadow files. Using this option one can be sure that after a call to pam_end<\/b>(3) there is no sensitive data left in the process\u2019 address space. However, this option may confuse some of the more complicated applications and it has some performance overhead.<\/p>\n<\/td>\n<\/tr>\n<\/table>\n helper<\/b>=<\/p>\n If the hashed password cannot be retrieved by pam_tcb<\/b> and the UID of the user being authenticated is equal to the real UID pam_tcb<\/b> runs as, pam_tcb<\/b> will execute a privileged helper program to perform authentication. This option determines path to the program\u2019s binary. If an empty helper path is given, no helper will be executed. The default is \/usr\/libexec\/chkpwd\/tcb_chkpwd<\/i>.<\/p>\n The following algorithm is used by pam_tcb<\/b> to retrieve the password hash for a user:<\/p>\n if (passwd<\/b> option is set and pw_passwd<\/b> field is not equal to “x” nor “*NP*”)<\/p>\n use pw_passwd<\/b> field as the hash;<\/p>\n if (nisplus<\/b> option is set) {<\/p>\n try to acquire EUID of the user; if unsuccessful, fail; } use sp_pwdp<\/b> field as the hash;<\/p>\n if all the above failed, fail.<\/p>\n
DESCRIPTION<\/a>
OPTIONS<\/a>
OBTAINING PASSWORD HASHES<\/a>
BUGS<\/a>
SEE ALSO<\/a> <\/p>\n
\nNAME <\/a> <\/h2>\n
DESCRIPTION <\/a> <\/h2>\n
authentication<\/b><\/p>\n
\/etc\/shadow<\/i> file, see shadow<\/b>(5);
\/etc\/tcb\/<\/i> directory structure, see tcb<\/b>(5);
NIS and NIS+.<\/p>\nOPTIONS <\/a> <\/h2>\n
\n
\n <\/td>\n \n <\/td>\n \n \n <\/td>\n \n <\/td>\n \n \n
\n <\/td>\n \n <\/td>\n \n <\/td>\n<\/tr>\n<\/table>\n \n
\n <\/td>\n \n <\/td>\n \n <\/td>\n<\/tr>\n<\/table>\n \n
\n <\/td>\n \n <\/td>\n \n \n <\/td>\n \n <\/td>\n \n \n
\n <\/td>\n \n <\/td>\n \n \n
\n <\/td>\n \n <\/td>\n \n \n
\n <\/td>\n \n <\/td>\n \n OBTAINING PASSWORD HASHES <\/a> <\/h2>\n
obtain the struct spwd<\/b> for the user with getspnam<\/b>(3);
regain the previous EUID;
use sp_pwdp<\/b> field as the hash;<\/p>\n
if (shadow<\/b> option is set and pw_passwd<\/b> field is equal to “x”)<\/p>\nBUGS <\/a> <\/h2>\n