xenial (8) pam_unix2.8.gz

Provided by: libpam-unix2_2.6-2_amd64 bug

NAME
       pam_unix2 - Standard PAM module for traditional password authentication


DESCRIPTION
       The  pam_unix2  PAM  module  is  for traditional password authentication. It uses standard calls from the
       glibc NSS libraries to retrieve and set account information as well as authentication.  Usually  this  is
       obtained from the the local files /etc/passwd and /etc/shadow or  from a NIS map.

       The   options   can   be   added   in   the   PAM   configuration   files   for   every  single  service.
       /etc/security/pam_unix2.default defines, which password encryption algorithm should be used in case of  a
       password change.


OPTIONS
       The following options may be passed to all types of management groups except session:

       debug  A lot of debug information is printed with syslog(3).

       nullok Normally  the  account is disabled if no password is set or if the length of the password is zero.
              With this option the user is allowed to change the password for such accounts.  This  option  does
              not overwrite a hardcoded default by the calling process.

       use_first_pass
              The  default  is, that pam_unix2 tries to get the authentication token from a previous module.  If
              no token is available, the user is asked for the old password.  With this option, pam_unix2 aborts
              with an error if no authentication token from a previous module is available.

       The following additional options may be passed to the passwd rules of this modules:

       nisdir=<path>
              This  options  specifies  a  path to the source files for NIS maps on a NIS master server. If this
              option is given, the passwords of NIS accounts will not be changed with yppasswd(1),  instead  the
              local  passwd  and shadow files below <path> will be modified. In conjunction with rpasswdd(8) and
              pam_make rpc.yppasswdd(8) can be replaced with a more secure solution on the NIS master server.

       use_authtok
              Set the new password to the one provided by the previously stacked password module. If this option
              is not set, pam_unix2 would ask the user for the new password.

       One of the following options may be passed to the session rules of this modules:

       debug  Some messages (login time, logout time) are logged to syslog with priority LOG_DEBUG.

       trace  Some messages (login time, logout time) are logged to syslog with priority LOG_NOTICE.

       none   No messages are logged. This is the default.

       The  acct  management  does not recognize any additional options. For root, password and login expire are
       ignored, only on aging warning is printed. If no shadow information exists, it always returns success.


FILES
       /etc/security/pam_unix2.default


SEE ALSO
       login(1),  passwd(1),   pam.conf(8),   pam.d(8),   pam_pwcheck(8),   pam(8),   rpasswd(1),   rpasswdd(8),
       rpc.yppasswdd(8), yppasswd(1)