PAM_TCB
Section: Maintenance Commands (8)
Updated: July 17, 2011
NAME
pam_tcb - authentication, account, session, and password management
PAM module for Unix with support for the tcb password shadowing scheme
DESCRIPTION
pam_tcb is a PAM module which deals with Unix accounts and provides
functionality for all four PAM management groups: authentication,
account management, session management, and password management.
It is a successor to pam_unix and pam_pwdb.
authentication
    pam_tcb relies exclusively on the getpwnam(3) and getspnam(3)
    interfaces to obtain the information necessary for user
    authentication. It performs password hashing with crypt_ra(3) or
    crypt(3). This means that pam_tcb will use NSS and will handle any
    password hashing method supported by the system libraries.
account management
    When the account information is available via getspnam(3), the
    account management part of pam_tcb checks for expired accounts or
    passwords. It uses the shadow file entry fields as described in
    shadow(5). It is the responsibility of applications to interpret
    the PAM error status and, where needed, invoke the password
    management group to get an expired password changed.
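The aging check described above, written out over the shadow(5) fields. This is an added illustration, not pam_tcb's own account-management code: it follows the field semantics documented in shadow(5) (sp_lstchg, sp_max, sp_warn, sp_inact, sp_expire, with -1 standing for an empty field as getspnam(3) reports it), so the exact PAM status codes and message wording pam_tcb returns may differ in detail. The ShadowEntry class and the entries in demo() are constructed, not read from a live system.

```python
"""Password and account aging over shadow(5) fields.

Added illustration of the check the account management group performs.
It follows the field semantics of shadow(5); it is not pam_tcb's own code,
so pam_tcb's exact status codes and messages may differ.  The entries in
demo() are constructed.
"""
from dataclasses import dataclass
from typing import Tuple
import time

PAM_SUCCESS = "PAM_SUCCESS"
PAM_ACCT_EXPIRED = "PAM_ACCT_EXPIRED"
PAM_NEW_AUTHTOK_REQD = "PAM_NEW_AUTHTOK_REQD"


@dataclass
class ShadowEntry:
    """struct spwd aging fields; -1 is how getspnam(3) reports an empty field."""
    sp_namp: str
    sp_lstchg: int        # days since 1970-01-01 of last change; 0 = must change
    sp_max: int = -1      # max days the password stays valid
    sp_warn: int = -1     # days before expiry to start warning
    sp_inact: int = -1    # days after expiry the account stays usable
    sp_expire: int = -1   # day number on which the account itself expires


def today_in_days() -> int:
    """Current day number in the unit shadow(5) uses."""
    return int(time.time() // 86400)


def check_aging(sp: ShadowEntry, today: int) -> Tuple[str, str]:
    """Return (PAM status name, human-readable reason) for the entry."""
    # account expiry is an absolute date and wins over everything else
    if sp.sp_expire != -1 and today >= sp.sp_expire:
        return (PAM_ACCT_EXPIRED, "account has expired")
    # sp_lstchg == 0 is the "change at next login" marker
    if sp.sp_lstchg == 0:
        return (PAM_NEW_AUTHTOK_REQD, "password change is forced")
    # an empty last-change or max-age field switches password aging off
    if sp.sp_lstchg == -1 or sp.sp_max == -1:
        return (PAM_SUCCESS, "password aging disabled")
    age = today - sp.sp_lstchg
    if age > sp.sp_max:
        # once the inactivity grace period is also exceeded, the account is locked
        if sp.sp_inact != -1 and age > sp.sp_max + sp.sp_inact:
            return (PAM_ACCT_EXPIRED, "password expired and inactivity period passed")
        return (PAM_NEW_AUTHTOK_REQD, "password has expired")
    days_left = sp.sp_max - age
    if sp.sp_warn != -1 and days_left <= sp.sp_warn:
        return (PAM_SUCCESS, f"password expires in {days_left} day(s)")
    return (PAM_SUCCESS, "ok")


def demo() -> None:
    today = 20000   # a fixed day number so the output is reproducible
    for e in (
        ShadowEntry("fresh", 19990, sp_max=90, sp_warn=7),
        ShadowEntry("soon", 19915, sp_max=90, sp_warn=7),
        ShadowEntry("stale", 19900, sp_max=90, sp_warn=7),
        ShadowEntry("gone", 19800, sp_max=90, sp_inact=30),
        ShadowEntry("forced", 0),
        ShadowEntry("closed", 19990, sp_expire=19999),
    ):
        print(e.sp_namp, *check_aging(e, today))


if __name__ == "__main__":
    demo()
```

An application that receives PAM_NEW_AUTHTOK_REQD from the account group is expected to run the password group (pam_chauthtok(3)) before letting the user proceed; PAM_ACCT_EXPIRED cannot be cleared by the user at all.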
session management
    By default, pam_tcb logs the opening and closing of PAM sessions via
    syslog(3). It uses LOG_AUTH as the syslog facility and either adds a
    "pam_tcb: " prefix to log messages or, if the openlog option is
    given, sets the ident to "pam_tcb". This functionality may be
    disabled with the nolog option (see below).
password management
    pam_chauthtok(3) performs two passes through the password management
    stack: PAM_PRELIM_CHECK and PAM_UPDATE_AUTHTOK. During the
    PAM_PRELIM_CHECK phase, pam_tcb may optionally prompt for and will
    always verify the old password. This allows for stacking of a
    password policy enforcement module such as pam_passwdqc before
    pam_tcb, without requiring this other module to take over performing
    any of the tasks of pam_tcb. The actual password change happens
    during the PAM_UPDATE_AUTHTOK phase.

    When changing passwords, pam_tcb is able to modify the following
    password databases: the /etc/passwd file, see passwd(5); the
    /etc/shadow file, see shadow(5); the /etc/tcb/ directory structure,
    see tcb(5); NIS and NIS+.
OPTIONS
Most of the options recognized by pam_unix or pam_pwdb are valid for
pam_tcb as well and have identical meaning. There are some semantic
differences though, so you are advised to browse the list below. All
the boolean options are off by default. The default values of
non-boolean options are given.
debug
    Log debugging information via syslog(3).
audit
    Log even more debugging information, including unknown usernames.
    This risks logging a password that a user may have typed in place
    of a username.
openlog
    Normally, pam_tcb will add a "pam_tcb: " prefix to log messages.
    The openlog option disables this behavior and causes pam_tcb to
    call openlog(3) with ident "pam_tcb" before logging and closelog(3)
    afterwards.
noopenlog
    If pam_tcb was compiled with ENABLE_OPENLOG, it will call
    openlog(3) with ident "pam_tcb" before logging and closelog(3)
    afterwards. The noopenlog option disables this behavior.
nolog
    Suppress logging.
blank_nolog
    Do not log failed authentication attempts when a blank password is
    tried. If this option is not used, some services, notably sshd(8),
    may generate false alarms.
nullok
    Permit blank passwords.
use_first_pass
    Don't prompt the user for passwords; take them from the PAM_AUTHTOK
    and possibly PAM_OLDAUTHTOK items instead.
try_first_pass
    Take passwords from the PAM_AUTHTOK and possibly PAM_OLDAUTHTOK
    items, but prompt the user if the appropriate PAM item is unset.
use_authtok
    Like use_first_pass, but applies to the (new) PAM_AUTHTOK only.
    This is intended for stacking password management modules.
not_set_pass
    Don't set the PAM items with passwords used by this module.
likeauth
    When called as a credential setting module, return the same value
    as was returned during the authentication.
passwd
    If set, pam_tcb may use the second field of the user's "passwd"
    entry (usually taken from /etc/passwd) as the password hash. See
    below for details.
shadow
    If set, pam_tcb may use the second field of the user's "shadow"
    entry (usually taken from /etc/shadow or a tcb shadow file) as the
    password hash. See below for details.
nisplus
    If set, pam_tcb will acquire the user's EUID before obtaining the
    password hash. If you're using NIS+, you need to turn this on. See
    below for details.
write_to=
    This option determines where pam_tcb should store new password
    hashes when changing passwords. Possible settings are: "passwd",
    "shadow", "tcb", and "nis". The default is "shadow".
md5
    When updating a user's password, hash the new password with the
    obsolete FreeBSD-derived MD5-based algorithm.
prefix=
    When updating a user's password, generate the salt with the
    specified prefix (which determines the hashing method to use). The
    default is "$2y$", which requests bcrypt, a Blowfish-based hashing
    method with a variable iteration count.
count=
    The number of iterations of an underlying cryptographic primitive
    to use when hashing passwords. The default is 0, which lets the
    selected hashing algorithm pick its default iteration count. It is
    highly recommended that you override this setting. Please refer to
    crypt(3) for information on supported hashing methods, their prefix
    strings, and their count settings.
plain_crypt
    Use plain crypt(3) instead of crypt_ra(3). This may be required to
    access hashing methods for which no reentrant implementation exists
    in the system libraries.
nodelay
    Do not delay after an unsuccessful authentication attempt.
fork
    Create child processes for accessing shadow files. Using this
    option one can be sure that after a call to pam_end(3) there is no
    sensitive data left in the process's address space. However, this
    option may confuse some of the more complicated applications and it
    has some performance overhead.
helper=
    If the hashed password cannot be retrieved by pam_tcb and the UID
    of the user being authenticated is equal to the real UID pam_tcb
    runs as, pam_tcb will execute a privileged helper program to
    perform authentication. This option determines the path to the
    program's binary. If an empty helper path is given, no helper will
    be executed. The default is /usr/libexec/chkpwd/tcb_chkpwd.
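The following PAM stack ties the options above to the password-change
stacking described under DESCRIPTION. It is a constructed example added
here, not a file shipped with pam_tcb: the file name system-auth, the
pam_passwdqc arguments and the bcrypt count of 10 are choices for the
example (the page refers you to crypt(3) for what count means per
method), and it assumes the shadow files have already been moved to the
tcb scheme with tcb_convert(8).

```text
# /etc/pam.d/system-auth  (constructed example, not part of pam_tcb)

# Read hashes through getspnam(3); fork keeps them out of the caller's
# address space; blank_nolog avoids false alarms from sshd's empty probes.
auth      required  pam_tcb.so shadow fork blank_nolog
account   required  pam_tcb.so shadow
session   required  pam_tcb.so

# Policy module first: it checks the candidate password and leaves it in
# PAM_AUTHTOK. pam_tcb verifies the old password itself in PAM_PRELIM_CHECK
# and, with use_authtok, takes the new one from PAM_AUTHTOK without
# prompting again, then writes a bcrypt hash into /etc/tcb/<user>/shadow.
password  required  pam_passwdqc.so enforce=everyone
password  required  pam_tcb.so use_authtok shadow write_to=tcb prefix=$2y$ count=10

# Weak variant of the last line, for comparison: no explicit count, and the
# obsolete MD5 scheme.  Leaving count at 0 defers the iteration count to the
# library default, which this page recommends against.
#password required  pam_tcb.so use_authtok shadow md5
```

Leaving out use_authtok on the pam_tcb line would make it prompt for the new password a second time, bypassing whatever pam_passwdqc accepted; leaving out nullok keeps blank passwords rejected.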
OBTAINING PASSWORD HASHES
The following algorithm is used by pam_tcb to retrieve the password
hash for a user:

    if (passwd option is set and pw_passwd field is not equal to "x"
        nor "*NP*")
        use pw_passwd field as the hash;
    if (nisplus option is set) {
        try to acquire EUID of the user; if unsuccessful, fail;
        obtain the struct spwd for the user with getspnam(3);
        regain the previous EUID;
        use sp_pwdp field as the hash;
    }
    if (shadow option is set and pw_passwd field is equal to "x")
        use sp_pwdp field as the hash;
    if all the above failed, fail.
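The same algorithm as a decision function, combined with the helper= fallback described under OPTIONS. This is an added illustration, not pam_tcb's own code: PwEntry and SpEntry stand in for struct passwd and struct spwd, a None shadow entry models a getspnam(3) call that failed (for instance an unprivileged process that may not read the user's shadow file), euid_ok models the EUID switch in the nisplus branch, and it is an assumption of the example that a failed getspnam(3) inside the nisplus branch simply falls through to the next rule. The sample entries and hash strings at the bottom are constructed placeholders.

```python
"""Where pam_tcb takes a user's password hash from, as a decision function.

Added illustration (not pam_tcb's own code): it follows the algorithm in
OBTAINING PASSWORD HASHES and the helper= fallback described under OPTIONS.
PwEntry/SpEntry stand in for struct passwd / struct spwd, and the sample
entries at the bottom are constructed, not read from a system.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class PwEntry:
    """struct passwd fields that matter for the lookup."""
    pw_name: str
    pw_passwd: str   # a hash, "x" (hash is in shadow) or "*NP*" (NIS+ protected)
    pw_uid: int


@dataclass
class SpEntry:
    """struct spwd field that matters for the lookup."""
    sp_pwdp: str


@dataclass
class Options:
    """pam_tcb options involved; the booleans are off unless given."""
    passwd: bool = False
    shadow: bool = False
    nisplus: bool = False
    helper: str = "/usr/libexec/chkpwd/tcb_chkpwd"   # "" disables the helper


def lookup_hash(pw: PwEntry, sp: Optional[SpEntry], opts: Options,
                euid_ok: bool = True) -> Optional[str]:
    """Return the hash pam_tcb would use itself, or None if every source failed.

    `sp` plays the role of the getspnam(3) result: None models a failed call.
    `euid_ok` models whether the EUID switch in the nisplus branch succeeded.
    """
    # passwd option: only a real hash in pw_passwd counts, never "x" or "*NP*"
    if opts.passwd and pw.pw_passwd not in ("x", "*NP*"):
        return pw.pw_passwd
    # nisplus option: become the user, call getspnam(3), switch back
    if opts.nisplus:
        if not euid_ok:
            return None          # "if unsuccessful, fail"
        if sp is not None:       # assumption: a failed getspnam(3) falls through
            return sp.sp_pwdp
    # shadow option: pw_passwd == "x" means the hash lives in the shadow entry
    if opts.shadow and pw.pw_passwd == "x" and sp is not None:
        return sp.sp_pwdp
    return None


def decide(pw: PwEntry, sp: Optional[SpEntry], opts: Options,
           real_uid: int, euid_ok: bool = True) -> Tuple[str, str]:
    """Combine lookup_hash() with the helper= fallback.

    Returns ("hash", h), ("helper", path) or ("fail", reason).  The helper
    only runs when the user being authenticated is the process's own real
    UID, which is what lets an unprivileged screen locker verify its owner.
    """
    h = lookup_hash(pw, sp, opts, euid_ok)
    if h is not None:
        return ("hash", h)
    if pw.pw_uid == real_uid and opts.helper:
        return ("helper", opts.helper)
    return ("fail", "hash not readable and helper not applicable")


# constructed sample entries; the hash strings are placeholders, not real hashes
ALICE = PwEntry("alice", "x", 1000)
ALICE_SP = SpEntry("$2y$10$constructed.placeholder.hash.for.alice")
LEGACY = PwEntry("legacy", "$1$constructed$placeholder", 1001)
NISUSER = PwEntry("nisuser", "*NP*", 1002)


def demo() -> None:
    print(decide(ALICE, ALICE_SP, Options(shadow=True), real_uid=0))   # hash
    print(decide(ALICE, None, Options(shadow=True), real_uid=1000))    # helper
    print(decide(ALICE, None, Options(shadow=True), real_uid=1001))    # fail
    print(decide(LEGACY, None, Options(passwd=True), real_uid=0))      # hash
    print(decide(NISUSER, SpEntry("$2y$10$nis.placeholder"),
                 Options(passwd=True, nisplus=True), real_uid=1002))   # hash


if __name__ == "__main__":
    demo()
```

The second and third calls in demo() are the case the helper= option exists for: the shadow entry is unreadable, so pam_tcb can verify the password only for the UID it already runs as, and only by delegating to the setuid helper.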
BUGS
The current pam_tcb implementation is not thread-safe (just like
pam_unix and pam_pwdb).
SEE ALSO
crypt(3), crypt_ra(3), getpwnam(3), getspnam(3), shadow(3),
login.defs(5), passwd(5), shadow(5), tcb(5), pam(8), tcb_convert(8)