NAME
pam_unix_ng - PAM module for traditional password
authentication
SYNOPSIS
pam_unix_ng.so [...]
DESCRIPTION
This is a standard UNIX authentication PAM module which delegates
tasks requiring access to /etc/shadow to pwaccessd(8). This allows the
module to be used in environments without setuid binaries. If pwaccessd is
not running, the module falls back to reading the local files itself.
OPTIONS
debug
quiet
Avoid all messages except errors.
nullok
The default action of this module is to not permit the
user access to a service if their official password is blank. The
nullok argument overrides this default.
If the application sets the PAM_DISALLOW_NULL_AUTHTOK flag,
nullok is ignored in the auth module type.
try_first_pass
The module first attempts to use the password from the
previously stacked modules to see if it is also suitable for this module
before prompting the user to enter their password again.
use_first_pass
The module only attempts to use the password from the
previously stacked modules and never prompts the user for input. If no
password is available or the password does not match, the user is denied
access.
use_authtok
When a password is changed, the module will set the new
password to the one provided by a previously stacked password
module.
authtok_type=type
The default action is for the module to use the following
prompts when requesting passwords: "New UNIX password: " and
"Retype UNIX password: ". The example word UNIX can be
replaced with this option; by default it is empty.
minlen=<number>
Minimum length of a new password. The default is 8
characters.
crypt_prefix=<prefix>
Prefix of the hash algorithm to use. See crypt(5) for valid values.
crypt_count=<number>
This option controls the processing cost of the hash. See
crypt(5) for valid values.
fail_delay=<milliseconds>
By default, the module requests a delay of 2000
milliseconds if the authentication as a whole fails. This argument can be
used to adjust the delay or disable it (fail_delay=0).
MODULE TYPES PROVIDED
All module types (account, auth, password,
session) are provided.
RETURN VALUES
PAM_SUCCESS
Everything was successful.
PAM_SERVICE_ERR
Internal service module error.
PAM_USER_UNKNOWN
User not known.
PAM_IGNORE
Returned by service types which do nothing.
EXAMPLES
Add the following line to e.g. /etc/pam.d/login to log to syslog(8)
when a user logs in and out:
    session required pam_unix_ng.so
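The following auditor is an added example, not part of the original manual page or of the pam_unix_ng project. It checks PAM rule lines against the options documented under OPTIONS; the sample file is constructed, and treating values below the documented defaults as findings is the example's own policy.

```python
# Added example: audit PAM rule lines for risky pam_unix_ng.so options.
# Defaults (minlen 8, fail_delay 2000 ms) are the ones the man page states.
SAMPLE = """\
# constructed sample of an /etc/pam.d service file
auth     required  pam_unix_ng.so use_first_pass nullok fail_delay=0
password [success=1 default=ignore] pam_unix_ng.so use_authtok minlen=6
session  required  pam_unix_ng.so
"""

def parse(text):
    """Yield (lineno, type, module, args) for each PAM rule line."""
    for no, line in enumerate(text.splitlines(), 1):
        fields = line.split("#", 1)[0].split()
        if len(fields) < 3:
            continue
        mtype, rest = fields[0].lstrip("-"), fields[1:]
        if rest[0].startswith("["):          # bracketed [value=action ...] control
            while rest and not rest[0].endswith("]"):
                rest = rest[1:]
        if len(rest) >= 2:
            yield no, mtype, rest[1], rest[2:]

def num(opts, key, default):
    return int(opts[key]) if opts.get(key, "").isdigit() else default

def audit(text):
    """Return (lineno, option, reason) findings for pam_unix_ng.so rules."""
    findings, seen = [], set()
    for no, mtype, module, args in parse(text):
        first = mtype not in seen            # no earlier module in this type's stack
        seen.add(mtype)
        if not module.endswith("pam_unix_ng.so"):
            continue
        opts = dict(a.partition("=")[::2] for a in args)
        if "nullok" in opts:
            findings.append((no, "nullok", "blank passwords are permitted"))
        if num(opts, "minlen", 8) < 8:
            findings.append((no, "minlen", "below the default of 8 characters"))
        if num(opts, "fail_delay", 2000) < 2000:
            findings.append((no, "fail_delay", "failure delay reduced or disabled"))
        if first and mtype == "auth" and "use_first_pass" in opts:
            findings.append((no, "use_first_pass", "no earlier module supplies a password"))
        if first and mtype == "password" and "use_authtok" in opts:
            findings.append((no, "use_authtok", "no earlier module supplies the new password"))
    return findings

if __name__ == "__main__":
    for no, opt, reason in audit(SAMPLE):
        print(f"line {no}: {opt}: {reason}")
```

A static check cannot see whether the application sets PAM_DISALLOW_NULL_AUTHTOK, so a nullok finding on an auth line still needs a look at the calling service.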
AUTHOR
pam_unix_ng was written by Thorsten Kukuk
<kukuk@suse.com>.