Provided by: libpam-unix2_2.6-2_amd64 bug


       pam_unix2 - Standard PAM module for traditional password authentication


       The  pam_unix2  PAM  module  is  for traditional password authentication. It uses standard
       calls from the glibc NSS libraries to retrieve and set  account  information  as  well  as
       authentication.  Usually  this  is  obtained  from  the  the  local  files /etc/passwd and
       /etc/shadow or  from a NIS map.

       The options can be added  in  the  PAM  configuration  files  for  every  single  service.
       /etc/security/pam_unix2.default  defines,  which  password  encryption algorithm should be
       used in case of a password change.


       The following options may be passed to all types of management groups except session:

       debug  A lot of debug information is printed with syslog(3).

       nullok Normally the account is disabled if no password is set or  if  the  length  of  the
              password  is  zero. With this option the user is allowed to change the password for
              such accounts. This option does not overwrite a hardcoded default  by  the  calling

              The  default  is,  that  pam_unix2  tries  to  get  the authentication token from a
              previous module.  If no token is available, the user is asked for the old password.
              With  this option, pam_unix2 aborts with an error if no authentication token from a
              previous module is available.

       The following additional options may be passed to the passwd rules of this modules:

              This options specifies a path to the source files for NIS  maps  on  a  NIS  master
              server.  If this option is given, the passwords of NIS accounts will not be changed
              with yppasswd(1), instead the local passwd and shadow files below  <path>  will  be
              modified.  In  conjunction  with  rpasswdd(8)  and pam_make rpc.yppasswdd(8) can be
              replaced with a more secure solution on the NIS master server.

              Set the new password to the one provided by the previously stacked password module.
              If this option is not set, pam_unix2 would ask the user for the new password.

       One of the following options may be passed to the session rules of this modules:

       debug  Some  messages  (login  time,  logout  time)  are  logged  to  syslog with priority

       trace  Some messages (login  time,  logout  time)  are  logged  to  syslog  with  priority

       none   No messages are logged. This is the default.

       The  acct  management  does  not  recognize any additional options. For root, password and
       login expire are ignored, only on aging warning  is  printed.  If  no  shadow  information
       exists, it always returns success.




       login(1),   passwd(1),   pam.conf(8),   pam.d(8),   pam_pwcheck(8),   pam(8),  rpasswd(1),
       rpasswdd(8), rpc.yppasswdd(8), yppasswd(1)