Provided by: libpam-unix2_1.25-1_i386

NAME

       pam_unix2 - Standard PAM module for traditional password authentication

DESCRIPTION

       The pam_unix2 PAM module is for traditional password authentication. It
       uses standard calls from the glibc NSS libraries to retrieve and set
       account information as well as authentication. Usually this is obtained
       from the local files /etc/passwd and /etc/shadow, from a NIS map,
       from the NIS+ passwd.org_dir table or from an LDAP database.

       The options can be added in the PAM configuration files for every
       single service or globally in /etc/security/pam_unix2.conf.
       /etc/default/passwd defines which password encryption algorithm should
       be used in case of a password change.

OPTIONS

       The  following  options may be passed to all types of management groups
       except session:

       debug  A lot of debug information is printed with syslog(3).

       nullok Normally the account is disabled if no password is set or if the
              length of the password is zero. With this option the user is
              allowed to change the password for such accounts. This option
              does not override a default hardcoded by the calling process.

       not_set_pass
              If this option is given, pam_unix2 will not make the new
              password available to other modules.

       use_first_pass
              By default, pam_unix2 tries to get the authentication
              token from a previous module. If no token is available, the
              user is asked for the old password. With this option, pam_unix2
              aborts with an error if no authentication token from a previous
              module is available.

       call_modules=x,y,z
              With this list of PAM module names, pam_unix2 tries to load
              every module and checks whether it knows about the user. This is
              important if you have some users in an LDAP database and wish
              to fall back to traditional password authentication for the other
              accounts. For example, call_modules=winbind,ldap will try to
              authenticate the user first against a running winbindd(8).
              If the winbind daemon does not know the user, an authentication
              with pam_ldap is tried. If the user is also not known to the
              LDAP database, an authentication against the normal password
              database is done.

       The  following  additional  options  may be passed to the auth rules of
       this module:

       set_secrpc
              If SecureRPC is in use, the secret key of a user needs to be
              made known to keyserv(8). This option will set the secret key.

       The following additional options may be passed to the passwd rules of
       this module:

       nisdir=<path>
              This option specifies a path to the source files for NIS maps
              on a NIS master server. If this option is given, the passwords
              of NIS accounts will not be changed with yppasswd(1); instead,
              the local passwd and shadow files below <path> will be modified.
              In conjunction with rpasswdd(8) and pam_make, rpc.yppasswdd(8)
              can be replaced with a more secure solution on the NIS master
              server.

       use_authtok
              Set the new password to the one provided by the previously
              stacked password module. If this option is not set, pam_unix2
              asks the user for the new password.

       One of the following options may be passed to the session rules of this
       module:

       debug  Some messages (login time, logout time)  are  logged  to  syslog
              with priority LOG_DEBUG.

       trace  Some  messages  (login  time,  logout time) are logged to syslog
              with priority LOG_NOTICE.

       none   No messages are logged. This is the default.

       The acct management does not recognize any additional options. For
       root, password and login expiry are ignored; only an aging warning is
       printed. If no shadow information exists, it always returns success.
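
       Added example (not part of the original manual page or of the
       pam_unix2 package): a Python check that validates the options on
       pam_unix2 lines of an /etc/pam.d-style file against the management
       groups listed above. The names check_line and check_config and the
       sample configuration are constructed for illustration; because this
       page does not list every option, an unknown option is reported as
       undocumented rather than as invalid.

```python
import re

# Option/group matrix transcribed from the OPTIONS section of this page.
COMMON = {"debug", "nullok", "not_set_pass", "use_first_pass", "call_modules"}
ALLOWED = {
    "auth": COMMON | {"set_secrpc"},
    "account": COMMON,  # acct management takes no additional options
    "password": COMMON | {"nisdir", "use_authtok"},
    "session": {"debug", "trace", "none"},
}
DOCUMENTED = set().union(*ALLOWED.values())

# /etc/pam.d layout: type, control (word or [bracketed]), module, arguments.
LINE = re.compile(
    r"^-?(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def check_line(line):
    """Return the findings for one PAM configuration line."""
    m = LINE.match(line.split("#", 1)[0].strip())
    if not m or "pam_unix2" not in m.group(3):
        return []  # comment, blank line, or another module
    group = m.group(1)
    names = [arg.split("=", 1)[0] for arg in m.group(4).split()]
    findings = []
    for name in names:
        if name not in DOCUMENTED:
            findings.append(f"{name}: not documented on this man page")
        elif name not in ALLOWED[group]:
            findings.append(f"{name}: not documented for {group} rules")
    if group == "session" and sum(n in ALLOWED["session"] for n in names) > 1:
        findings.append("session: give only one of debug/trace/none")
    return findings

def check_config(text):
    """Map line number -> findings for every flagged line."""
    checked = ((no, check_line(l)) for no, l in enumerate(text.splitlines(), 1))
    return {no: found for no, found in checked if found}

# Constructed sample input, not taken from any real system.
SAMPLE = """\
auth     required  pam_unix2.so  use_first_pass set_secrpc
auth     required  pam_unix2.so  use_authtok
password required  pam_unix2.so  nullok use_authtok nisdir=/var/yp/src
session  required  pam_unix2.so  trace debug
session  required  pam_unix2.so  nullok
account  required  pam_unix2.so  call_modules=winbind,ldap
"""

if __name__ == "__main__":
    for line_no, found in check_config(SAMPLE).items():
        print(line_no, found)
```
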

FILES

       /etc/security/pam_unix2.conf
       /etc/default/passwd

BUGS

       This manual page is far from complete; most options are missing.
       Please read the README and look at the source package.

SEE ALSO

       login(1),  passwd(1),  pam.conf(8),  pam.d(8),  pam_pwcheck(8), pam(8),
       rpasswd(1), rpasswdd(8), rpc.yppasswdd(8), yppasswd(1)