Manual Reference Pages - CHECKPASSWORD-PAM (8)
checkpassword-pam - PAM-based checkpassword compatible authentication
checkpassword-pam [-s PAM-SERVICE] [-e|--noenv] -- prog args...
Additional debugging options (see below):
Additional rarely used options (see below):
checkpassword-pam uses PAM to authenticate the remote user with
checkpassword-style programs are usually run by network server programs that wish to
authenticate a remote user.
checkpassword-pam uses the PAM service name specified by the
PAM_SERVICE environment variable, or by the
-s or --service command-line option.
After successful authentication, if the
--noenv option is not specified,
checkpassword-pam sets up supplementary groups of the authenticated user,
and its working directory (those values are taken from the system
checkpassword-pam switches to the user's home directory. If the
-H option is specified, this step is skipped. This option is useful when
you have automounted home directories, but mail is delivered to a
args as its arguments.
-- is used as usual to separate
checkpassword-pam's own options from
checkpassword-pam logs authentication failures (or all actions, if the
--debug option is used) to
syslog (or to stdout, if the
--stdout option is used).
checkpassword-pam sets the environment variables
USER, HOME, and SHELL to appropriate values. If the
--noenv option is specified, this step is skipped and the variables are left
alone. This is needed when you have virtual users who are not
listed in your
/etc/passwd, and you only need to do authentication. Setting up the process
environment is handled by some other application like
checkpassword-pam uses the contents of the
PAM_SERVICE environment variable to specify the PAM service name. This could be
-s option, see above.
You can turn on debugging using the
checkpassword-pam starts to log all of its actions and the results of those actions to
syslog (or to stdout, based on the state of the
--stdout option, see above).
There is a way to manually trace how
checkpassword-pam authenticates: use shell redirection and the
--stdout option. In this case
checkpassword protocol data from stdin, and logs actions to stdout. You can trace
the authentication for the given user and password with the following
command line (usually as root):
# echo -e "username\0password\0timestamp\0" \
| checkpassword-pam -s SERVICE \
--debug --stdout -- /usr/bin/id 3<&0
It will trace the PAM authentication process for the user
username with password
password, and run the
id program, which will report the user and groups
checkpassword-pam switched to.
The idea of this method is courtesy of Mark Delany
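The same trace as an added shell helper (an example written for this page, not part of checkpassword-pam): it reads the password from stdin instead of typing it on the command line, builds the NUL-terminated record with printf, and refuses records over the 512-byte limit of the checkpassword interface. The CHECKPW variable, the ta_* names and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not shipped with checkpassword-pam.
# CHECKPW (assumed name) selects the binary; default is checkpassword-pam.

# Emit the three NUL-terminated fields read from descriptor 3.
# printf is used because "echo -e" is not portable across shells.
build_record() {
    printf '%s\0%s\0%s\0' "$1" "$2" "$3"
}

# Size in bytes of the record for USER PASSWORD TIMESTAMP.
record_size() {
    build_record "$1" "$2" "$3" | wc -c | tr -d ' '
}

# trace_auth SERVICE USER
# Reads one line (the password) from stdin, with terminal echo off when
# stdin is a tty, so the password does not land in the shell history.
trace_auth() {
    ta_service=$1
    ta_user=$2
    ta_pass=
    if [ -t 0 ]; then
        printf 'Password: ' >&2
        stty -echo
    fi
    IFS= read -r ta_pass || :
    if [ -t 0 ]; then
        stty echo
        printf '\n' >&2
    fi
    ta_stamp=$(date +%s)   # any value works as the timestamp field here
    # The checkpassword interface allows at most 512 bytes on descriptor 3.
    if [ "$(record_size "$ta_user" "$ta_pass" "$ta_stamp")" -gt 512 ]; then
        echo "trace_auth: record exceeds 512 bytes" >&2
        return 2
    fi
    # Same invocation as the command above: record on stdin, fd 3 = stdin.
    build_record "$ta_user" "$ta_pass" "$ta_stamp" |
        "${CHECKPW:-checkpassword-pam}" -s "$ta_service" \
            --debug --stdout -- /usr/bin/id 3<&0
}
```

Run it as "trace_auth SERVICE username" and type the password at the prompt; the --debug output still goes to stdout, so keep it out of shared logs.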
If you've found a bug in
checkpassword-pam, please report it to
"PAM Administrators Guide" for your operating system.
There are alternate older checkpassword-pam packages available. They
are derived from DJB's original checkpassword code, and usually are less
administrator-friendly than this version. You can tell those packages
apart by looking at their version number: it is less than 0.95.
This version of checkpassword-pam was written from scratch by Alexey
The checkpassword interface was designed by Daniel J. Bernstein.
|GNU/Linux ||CHECKPASSWORD-PAM (8) ||22 Sep 2004 |