PAM account interface vs /etc/shadow
According to the official Red Hat documentation on pam for the account interface:
account - This module interface verifies that access is allowed. For example, it checks if a user account has expired or if a user is allowed to log in at a particular time of day.
However, similar information (on account validity) is incorporated in the /etc/shadow file. As the tldp pages mention, some of the last fields include:
The number of days after password expires that account is disabled
The number of days since January 1, 1970 that an account has been disabled
A reserved field for possible future use
So what does an application (even a PAM-enabled one) resort to when checking account validity?
What happens when rules in /etc/pam.d/application may contradict /etc/shadow?
security password pam
I'm not sure but PAM can use different backends in order and it will match the first one in the list, making the others useless if another backend than etc/shadow matches
– Kiwy Sep 8 at 14:33
asked Sep 8 at 9:16
pkaramol
1 Answer
Normally /etc/group,passwd,shadow are not used directly, but rather through pam. You can think of pam as kind of a connector that can be configured to use different backends like the /etc/group,passwd,shadow things or LDAP to query user information.
To make pam work this way, each backend does have a pam module that can query the backend and retrieve information.
The very basic configuration of pam is to use the pam_unix.so module which retrieves the information from /etc/group,passwd,shadow files.
You can also read more about the capabilities of the pam_unix.so in man pam_unix.
answered Sep 8 at 14:47
Thomas
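How an account-phase check can turn the /etc/shadow ageing fields from the question into a decision, as an added example that is not part of the original answer and is not pam_unix's source code. It follows the field descriptions in shadow(5); the enum names, function names, sample lines and the day number 17782 are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Outcomes of the check; these names belong to this example, not to libpam. */
enum acct { ACCT_OK, ACCT_EXPIRED, PW_CHANGE_REQUIRED, PW_EXPIRED_INACTIVE, BAD_ENTRY };

/* Numeric value of colon-separated field idx (0-based); -1 if empty or absent. */
static long shadow_field(const char *line, int idx)
{
    const char *p = line;
    while (idx-- > 0) {
        p = strchr(p, ':');
        if (!p) return -1;
        p++;
    }
    if (*p == ':' || *p == '\0' || *p == '\n') return -1;
    return strtol(p, NULL, 10);
}

/* Status of one shadow(5) line on day `today` (days since January 1, 1970). */
enum acct check_shadow_line(const char *line, long today)
{
    long lstchg = shadow_field(line, 2);  /* day of last password change */
    long max    = shadow_field(line, 4);  /* maximum password age in days */
    long inact  = shadow_field(line, 6);  /* days after password expiry until disabled */
    long expire = shadow_field(line, 7);  /* day on which the account is disabled */

    if (!strchr(line, ':')) return BAD_ENTRY;
    if (expire != -1 && today >= expire) return ACCT_EXPIRED;
    if (lstchg == 0) return PW_CHANGE_REQUIRED;          /* change forced at next login */
    if (lstchg < 0 || max < 0 || today < lstchg) return ACCT_OK; /* ageing off or clock skew */
    if (inact >= 0 && today - lstchg >= max + inact) return PW_EXPIRED_INACTIVE;
    if (today - lstchg >= max) return PW_CHANGE_REQUIRED;
    return ACCT_OK;
}

int main(void)
{
    /* Constructed sample entries; "x" stands in for the password hash. */
    const char *lines[] = {
        "alice:x:17700:0:90:7:14::",       /* password 82 days old: fine */
        "bob:x:17700:0:90:7:14:17000:",    /* account expiry date has passed */
        "carol:x:17600:0:90:7:14::",       /* 182 days old, past max + inactive */
    };
    for (size_t i = 0; i < sizeof lines / sizeof *lines; i++)
        printf("%s -> %d\n", lines[i], (int)check_shadow_line(lines[i], 17782));
    return 0;
}
```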