Ask the Expert

Shadow modules with PAM

How do I use shadow modules with PAM?

    Requires Free Membership to View

To use shadow passwords with PAM, you must first enable shadow passwords. Most distributions have an option to enable this at installations. If you need to enable it later, then you will need to install the shadow package(s), called "shadow-utils" on Red Hat variations and "shadow" on Debian.

Once you've followed the shadow installation process, you need to enable support for shadow passwords in PAM. In a Red Hat distribution, this means adjusting the system-auth file in the /etc/pam.d. The system-auth file contains the default PAM authentication process. This includes the pam_unix.so PAM authentication module. This module is stacked in all contexts: auth, password, account and session. The auth context stack uses the pam_unix.so module and handles authentication like so:

auth sufficient pam_unix.so try_first_pass nullok

It should automatically detect the presence of shadow passwords.

In the password context, the pam_unix.so module is also stacked to handle the changing of user passwords, like so:

password sufficient pam_unix.so nullok try_first_pass use_authtok md5 shadow

The last option on the line, shadow, is used to ensure shadow passwords are created when a password is changed. A good explanation for that can be found here.

Configuration for other distributions, like Debian, is similar and you can find more details on configuring PAM.

This was first published in October 2006

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: