pam_unix_account

- PAM account management module for UNIX

Synopsis

pam_unix_account.so.1

Description

pam_unix_account module implements pam_sm_acct_mgmt(), which provides functionality to the PAM account management stack. The module provides functions to validate that the user's account is not locked or expired and that the user's password does not need to be changed. The module retrieves account information from the configured databases in nsswitch.conf(4).

The following options can be passed to the module:

debug

syslog(3C) debugging information at the LOG_DEBUG level

nowarn

Turn off warning messages

server_policy

If the account authority for the user, as specified by PAM_USER, is a server, do not apply the Unix policy from the passwd entry in the name service switch.

Errors

The following values are returned:

PAM_UNIX_ACCOUNT

User account has expired

PAM_AUTHTOK_EXPIRED

Password expired and no longer usable

PAM_BUF_ERR

Memory buffer error

PAM_IGNORE

Ignore module, not participating in result

PAM_NEW_AUTHTOK_REQD

Obtain new authentication token from the user

PAM_PERM_DENIED

The account is locked or has been inactive for too long

PAM_SERVICE_ERR

Error in underlying service module

PAM_SUCCESS

The account is valid for use at this time

PAM_USER_UNKNOWN

No account is present for the user

Attributes

See attributes(5) for descriptions of the following attributes:

See Also

pam(3PAM), pam_authenticate(3PAM), syslog(3C), libpam(3LIB), pam.conf(4), nsswitch.conf(4), attributes(5)

Notes

The interfaces in libpam(3LIB) are MT-Safe only if each thread within the multi-threaded application uses its own PAM handle.

Attempts to validate locked accounts are logged via syslog(3C) to the LOG_AUTH facility with a LOG_NOTICE severity.