This is the standard Unix authentication module. It uses standard
calls from the system's libraries to retrieve and set account
information as well as authentication. Usually this is obtained
from the /etc/passwd and the /etc/shadow file as well if shadow is
enabled.
The account component performs the task of establishing the status
of the user's account and password based on the following
shadow elements: expire, last_change, max_change,
min_change, warn_change. In the case of the latter, it may offer advice
to the user on changing their password or, through the
PAM_AUTHTOKEN_REQD return, delay
giving service to the user until they have established a new password.
The entries listed above are documented in the shadow(5) manual page. Should the user's record not contain
one or more of these entries, the corresponding
shadow check is not performed.
The authentication component performs the task of checking the
users credentials (password). The default action of this module
is to not permit the user access to a service if their official
password is blank.
A helper binary, unix_chkpwd(8), is provided
to check the user's password when it is stored in a read
protected database. This binary is very simple and will only
check the password of the user invoking it. It is called
transparently on behalf of the user by the authenticating
component of this module. In this way it is possible
for applications like