PAM_TCB(8)
NAME
pam_tcb - authentication, account, session, and password management PAM
module for Unix with support for the tcb password shadowing scheme
DESCRIPTION
pam_tcb is a PAM module which deals with Unix accounts and provides
functionality for all four PAM management groups: authentication,
account management, session management, and password management. It is
a successor to pam_unix and pam_pwdb.
authentication
pam_tcb relies exclusively on getpwnam(3) and getspnam(3) interfaces
to obtain information necessary for user authentication.
It performs password hashing with crypt_ra(3) or crypt(3). This
means that pam_tcb will use NSS and will handle any password
hashing method supported by the system libraries.
account management
When the account information is available via getspnam(3), the
account management part of pam_tcb checks for expired accounts
or passwords. It uses the shadow file entry fields as described
in shadow(5). It is the responsibility of the application to interpret
the PAM error status and, where appropriate, invoke the password
management group to get an expired password changed.
session management
By default, pam_tcb logs the opening and closing of PAM sessions
via syslog(3). It uses LOG_AUTH as the syslog facility and
either adds a "pam_tcb: " prefix to log messages or, if the openlog
option is given, sets the ident to "pam_tcb". This functionality
may be disabled with the nolog option (see below).
password management
pam_chauthtok(3) performs two passes through the password management
stack: PAM_PRELIM_CHECK and PAM_UPDATE_AUTHTOK. During the
PAM_PRELIM_CHECK phase, pam_tcb may optionally prompt for and will
always verify the old password. This allows a password policy
enforcement module such as pam_passwdqc to be stacked before
pam_tcb without that module having to take over any of pam_tcb's
tasks. The actual password change happens during the
PAM_UPDATE_AUTHTOK phase.
When changing passwords, pam_tcb is able to modify the following
password databases:
/etc/passwd file, see passwd(5);
/etc/shadow file, see shadow(5);
/etc/tcb/ directory structure, see tcb(5);
NIS and NIS+.
OPTIONS
Most of the options recognized by pam_unix or pam_pwdb are valid for
pam_tcb as well and have identical meaning. There are some semantic
differences though, so you are advised to browse the list below. All
the boolean options are off by default. The default values of non-
boolean options are given.
debug Log debugging information via syslog(3).
audit Log even more debugging information, including unknown usernames.
This risks logging a password: a user may type one at the username
prompt by mistake, and it would then be recorded as an unknown
username.
openlog
Normally, pam_tcb will add "pam_tcb: " prefix to log messages.
The openlog option disables this behavior and causes pam_tcb to
call openlog(3) with ident "pam_tcb" before logging and
closelog(3) afterwards.
noopenlog
If pam_tcb was compiled with ENABLE_OPENLOG, it will call openlog(3)
with ident "pam_tcb" before logging and closelog(3)
afterwards. The noopenlog option disables this behavior.
nolog Suppress logging.
blank_nolog
Do not log failed authentication attempts when a blank password
is tried. If this option is not used, some services, notably
sshd(8), may generate false alarms.
nullok Permit blank passwords.
use_first_pass
Don't prompt the user for passwords, take them from PAM_AUTHTOK
and possibly PAM_OLDAUTHTOK items instead.
try_first_pass
Take passwords from PAM_AUTHTOK and possibly PAM_OLDAUTHTOK
items, but prompt the user if the appropriate PAM item is unset.
use_authtok
Like use_first_pass, but applies to the (new) PAM_AUTHTOK only.
This is intended for stacking password management modules.
not_set_pass
Don't set the PAM items with passwords used by this module.
likeauth
When called as a credential setting module, return the same
value as was returned during the authentication.
passwd If set, pam_tcb may use the second field of the user's "passwd"
entry (usually taken from /etc/passwd) as the password hash.
See below for details.
shadow If set, pam_tcb may use the second field of the user's "shadow"
entry (usually taken from /etc/shadow or a tcb shadow file) as
the password hash. See below for details.
nisplus
If set, pam_tcb will acquire the user's EUID before obtaining
the password hash. If you're using NIS+, you need to turn this
on. See below for details.
write_to=
This option determines where pam_tcb should store new password
hashes when changing passwords. Possible settings are:
"passwd", "shadow", "tcb", and "nis". The default is "shadow".
md5 When updating a user's password, hash the new password with the
obsolete FreeBSD-derived MD5-based algorithm (the "$1$" prefix).
prefix=
When updating a user's password, generate the salt with the
specified prefix (which determines the hashing method to use).
The default is "$2y$", which requests bcrypt, a Blowfish-based
hashing method, which supports variable iteration counts.
count= The number of iterations of an underlying cryptographic primitive
to use when hashing passwords. The default is 0, which lets the
selected hashing algorithm pick its default iteration count.
It is highly recommended that you override this setting: the
algorithms' built-in defaults are low by today's standards (for
bcrypt, the crypt_gensalt functions described in crypt(3) pick a
cost of 5 when given a count of 0). Please refer to crypt(3) for
information on supported hashing methods, their prefix strings,
and their count settings.
plain_crypt
Use plain crypt(3) instead of crypt_ra(3). This may be required
to access hashing methods for which no reentrant implementation
exists in the system libraries.
nodelay
Do not delay after an unsuccessful authentication attempt.
fork Create child processes for accessing shadow files. With this
option the shadow file is read in a short-lived child process, so
after a call to pam_end(3) no sensitive data is left in the
application's address space. However, this option may confuse
some of the more complicated applications and it has some
performance overhead.
helper=
If the hashed password cannot be retrieved by pam_tcb and the UID
of the user being authenticated is equal to the real UID pam_tcb
runs as (for example, a screen locker re-authenticating the user
who runs it), pam_tcb will execute a privileged helper program to
perform authentication. This option determines the path to the
program's binary. If an empty helper path is given, no helper will
be executed. The default is /usr/libexec/chkpwd/tcb_chkpwd.
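The following is an added example of a PAM configuration that uses the
options above, showing in particular the two-pass password stack with
pam_passwdqc in front of pam_tcb and an explicit prefix= and count=. It
is not a file shipped with pam_tcb; the count value, the use of the
tcb(5) layout, and the file layout are choices made for this example.

```text
# Added example of a PAM stack for a system using pam_tcb.  Not part of
# the pam_tcb distribution; count=10 is a choice made for this example.

# auth/account: the hash comes from the shadow file (pw_passwd is "x").
# "fork" keeps the shadow data out of the application's own address
# space, at the cost of confusing some complicated applications.
auth      required  pam_tcb.so shadow fork
account   required  pam_tcb.so shadow fork

# password: pam_tcb verifies the old password in the PAM_PRELIM_CHECK
# pass, so the policy module stacked before it does not have to.
# pam_passwdqc sets the new PAM_AUTHTOK; use_authtok makes pam_tcb take
# that value instead of prompting again.  prefix= selects bcrypt and
# count= overrides the library default (for $2y$ the count is the
# base-2 logarithm of the bcrypt cost, so 10 means 2^10 rounds; see
# crypt(3)).  write_to=tcb requires the /etc/tcb layout of tcb(5).
password  required  pam_passwdqc.so
password  required  pam_tcb.so use_authtok shadow fork write_to=tcb prefix=$2y$ count=10

# session: logs open/close via syslog(3), facility LOG_AUTH.
session   required  pam_tcb.so
```

Because the old password is verified by pam_tcb during PAM_PRELIM_CHECK,
a failure there aborts the stack before pam_passwdqc ever asks for a new
password; the new hash is only written in the PAM_UPDATE_AUTHTOK pass.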
OBTAINING PASSWORD HASHES
The following algorithm is used by pam_tcb to retrieve the password
hash for a user:
if (passwd option is set and pw_passwd field is not equal to "x" nor "*NP*")
    use pw_passwd field as the hash;
if (nisplus option is set) {
    try to acquire EUID of the user; if unsuccessful, fail;
    obtain the struct spwd for the user with getspnam(3);
    regain the previous EUID;
    use sp_pwdp field as the hash;
}
if (shadow option is set and pw_passwd field is equal to "x")
    use sp_pwdp field as the hash;
if all the above failed, fail.
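The following is an added example (not pam_tcb's own code) that models
this selection, together with the helper= fallback described above, as
plain C functions. Instead of calling getpwnam(3) and getspnam(3) and
switching EUIDs, the fields and the outcome of the EUID switch are passed
in as parameters; the sample entries are constructed, and select_hash,
needs_helper and the tcb_opts names are choices made for this example.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>
#include <sys/types.h>

/* Which pam_tcb lookup options are in effect. */
struct tcb_opts {
    int passwd;   /* "passwd" option  */
    int shadow;   /* "shadow" option  */
    int nisplus;  /* "nisplus" option */
};

/* Named option sets used below (constructed for this example). */
static const struct tcb_opts OPT_SHADOW  = { 0, 1, 0 };
static const struct tcb_opts OPT_PASSWD  = { 1, 0, 0 };
static const struct tcb_opts OPT_NISPLUS = { 1, 1, 1 };

/*
 * Model of the lookup described under OBTAINING PASSWORD HASHES.
 *
 * pw_passwd: second field of the user's passwd(5) entry.
 * sp_pwdp:   second field of the user's shadow(5) entry, or NULL if
 *            getspnam(3) failed (e.g. the caller may not read shadow).
 * euid_ok:   whether the process could take the user's EUID; only
 *            consulted when the nisplus option is set.
 * Returns the hash to verify against, or NULL when none is obtainable.
 */
const char *select_hash(const struct tcb_opts *o, const char *pw_passwd,
                        const char *sp_pwdp, int euid_ok)
{
    if (o->passwd && pw_passwd && strcmp(pw_passwd, "x") != 0 &&
        strcmp(pw_passwd, "*NP*") != 0)
        return pw_passwd;          /* hash is stored in passwd itself */

    if (o->nisplus) {
        if (!euid_ok)
            return NULL;           /* cannot take the user's EUID: fail */
        /* Real pam_tcb calls getspnam(3) here as the user and then
         * restores the previous EUID; the result is sp_pwdp. */
        return sp_pwdp;
    }

    if (o->shadow && pw_passwd && strcmp(pw_passwd, "x") == 0)
        return sp_pwdp;            /* "x" means: look in shadow */

    return NULL;                   /* all of the above failed */
}

/*
 * The helper= fallback: when no hash could be read and the process runs
 * with the real UID of the user being authenticated, pam_tcb executes
 * the privileged helper at helper_path.  An empty path disables it.
 */
int needs_helper(const char *hash, uid_t user_uid, uid_t real_uid,
                 const char *helper_path)
{
    return hash == NULL && user_uid == real_uid &&
           helper_path != NULL && helper_path[0] != '\0';
}

int main(void)
{
    /* Constructed sample: "x" in passwd, a bcrypt-style string in shadow. */
    const char *hash = "$2y$10$constructedSaltConstructedSaltConstructedHash";

    printf("shadow option, pw_passwd=x, shadow readable: %s\n",
           select_hash(&OPT_SHADOW, "x", hash, 1) ? "hash from shadow" : "fail");
    printf("shadow option, pw_passwd=x, shadow unreadable: %s\n",
           select_hash(&OPT_SHADOW, "x", NULL, 1) ? "hash" : "fail");
    printf("passwd option, hash in passwd: %s\n",
           select_hash(&OPT_PASSWD, hash, NULL, 0) ? "hash from passwd" : "fail");
    printf("nisplus, *NP*, EUID switch denied: %s\n",
           select_hash(&OPT_NISPLUS, "*NP*", hash, 0) ? "hash" : "fail");
    printf("unprivileged self-authentication uses helper: %d\n",
           needs_helper(NULL, 1000, 1000, "/usr/libexec/chkpwd/tcb_chkpwd"));
    return 0;
}
```

Note the asymmetry the model makes visible: with the nisplus option a
failed EUID switch stops the lookup outright, whereas without it an
unreadable shadow entry merely yields no hash, which is exactly the
situation the helper= fallback exists for.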
BUGS
The current pam_tcb implementation is not thread-safe (just like
pam_unix and pam_pwdb).
SEE ALSO
crypt(3), crypt_ra(3), getpwnam(3), getspnam(3), shadow(3),
login.defs(5), passwd(5), shadow(5), tcb(5), pam(8), tcb_convert(8)
Openwall Project July 17, 2011 PAM_TCB(8)