PAM-Modules
A Collection of Modules for PAM
Sergey Poznyakoff
pam_fshadow in plain mode

Plain mode is the default operation mode for pam_fshadow.
In this mode, the module checks the supplied user name and
authentication token against the passwd/shadow pair
located in the system configuration directory (which is set when
configuring the package and defaults to prefix/etc).
This default location can be changed using the sysconfdir
option (see below). The authentication is performed as follows:
First, the user name is looked up in the passwd file and the
corresponding record is fetched. If this record contains a valid
password hash (i.e. its second field is at least 2 characters long),
the system crypt function is called on the supplied
authentication token with the retrieved hash as its second argument
(the seed) and its result is compared with the hash. If the
two strings compare equal, the user is authenticated successfully.
Otherwise, if passwd contains no password, the shadow file is examined and the hash retrieved from there is used. If the record retrieved from the shadow file has not expired, and if its password hash field matches the authentication token (using the algorithm described above), the user is authenticated successfully.
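The lookup order described above, as an added example in Python (not code from pam_fshadow itself). toy_crypt is a constructed stand-in for the system crypt function, the sample files are constructed, and reading "expired" as the eighth shadow field being in the past is an assumption, since the page does not say which fields the module checks.

```python
import hashlib, hmac, time

def toy_crypt(token, seed):
    # Constructed stand-in for crypt(3): output is "salt$digest", salt read from seed.
    salt = seed.split("$", 1)[0]
    return salt + "$" + hashlib.sha256((salt + token).encode()).hexdigest()

def lookup(text, user):
    # Return the colon-separated fields of the user's record, or None.
    for line in text.splitlines():
        fields = line.split(":")
        if fields[0] == user:
            return fields
    return None

def hash_matches(token, stored, crypt_fn):
    # The stored hash doubles as the seed; compare in constant time.
    out = crypt_fn(token, stored)
    return out is not None and hmac.compare_digest(out.encode(), stored.encode())

def authenticate(user, token, passwd, shadow, today=None, crypt_fn=toy_crypt):
    today = int(time.time() // 86400) if today is None else today
    rec = lookup(passwd, user)
    if rec is None:
        return False
    if len(rec) > 1 and len(rec[1]) >= 2:      # valid hash in passwd: shadow is never read
        return hash_matches(token, rec[1], crypt_fn)
    srec = lookup(shadow, user)                # "x", "*" or empty field: fall back to shadow
    if srec is None or len(srec) < 2:
        return False
    # Assumption: "expired" means field 8 (days since the epoch) is not in the future.
    expire = srec[7] if len(srec) > 7 else ""
    if expire.isdigit() and int(expire) <= today:
        return False
    return hash_matches(token, srec[1], crypt_fn)

# Constructed sample files; both hashes are for the password "s3cret".
H = toy_crypt("s3cret", "ab")
PASSWD = (f"alice:{H}:1000:1000::/home/alice:/bin/sh\nbob:x:1001:1001::/home/bob:/bin/sh\n"
          "carol:x:1002:1002::/home/carol:/bin/sh\n")
SHADOW = f"bob:{H}:19000:0:99999:7:::\ncarol:{H}:19000:0:99999:7::100:\n"

if __name__ == "__main__":
    for u in ("alice", "bob", "carol"):
        print(u, authenticate(u, "s3cret", PASSWD, SHADOW, today=20000))
```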
Several options are provided to alter the default behavior. All
of them, except sysconfdir, have the same effect in the
virtual domain mode as well. The table below summarizes these options.
nopasswd
    Do not require the passwd file to be present. Only shadow is used for authentication.
noshadow
    Do not require the shadow file to be present. Only passwd is used for authentication. Note that it is an error to specify both nopasswd and noshadow.
sysconfdir
    Set the full name of the directory where shadow and passwd are located. By default the system configuration directory will be used.
use_authtok
    Do not prompt the user for a password; take it from the saved authentication tokens. This option is useful when pam_fshadow is used as a non-first module in a stack of authentication modules.
The following example illustrates the use of pam_fshadow in
plain mode in the pam.conf file:

    tuhs  auth  required  pam_fshadow.so \
          sysconfdir=/home/tuhs/tuhs/etc nopasswd use_authtok
This document was generated on August 11, 2021 using makeinfo.
Verbatim copying and distribution of this entire article is permitted in any medium, provided this notice is preserved.