PWAUTH(8) System Manager's Manual PWAUTH(8)
NAME
pwauth - authenticator for mod_authnz_external and the Apache HTTP Daemon
SYNOPSIS
pwauth
DESCRIPTION
Pwauth is an authenticator designed to be used with mod_auth_external or mod_authnz_external and the Apache HTTP Daemon to support
reasonably secure web authentication out of the system password database on most versions of Unix. In particular, it supports secure
authentication against PAM.
The simplest way to test pwauth is to start a root shell and just run pwauth. It will attempt to read the login and password from standard
input, so type a login name, hit return, then type a password, and hit return (the password will echo on your screen). Then check the status
code that was returned (in csh: "echo $status"; in sh: "echo $?").
If the login/password were correct you should get a zero status code. If not, you will get some other value. See the list of status codes
below to find the meaning of the various values returned. Any values 50 or greater indicate a configuration error.
STATUS CODES
0 STATUS_OK
Login OK.
1 STATUS_UNKNOWN
Nonexistent login or (for some configurations) incorrect password.
2 STATUS_INVALID
Incorrect password (for some configurations).
3 STATUS_BLOCKED
Uid number is below MIN_UNIX_UID value configured in config.h.
4 STATUS_EXPIRED
Login ID has expired.
5 STATUS_PW_EXPIRED
Login's password has expired.
6 STATUS_NOLOGIN
Logins to system have been turned off (usually by /etc/nologin file).
7 STATUS_MANYFAILS
Limit on number of bad logins exceeded.
50 STATUS_INT_USER
pwauth was invoked by a uid not on the SERVER_UIDS list. If you get this error code, you probably have SERVER_UIDS set incorrectly
in pwauth's config.h file.
51 STATUS_INT_ARGS
pwauth was not given a login & password to check. This means the passing of data from mod_auth_external to pwauth is messed up. Most
likely one is trying to pass data via environment variables, while the other is trying to pass data via a pipe.
52 STATUS_INT_ERR
One of several rare and unlikely internal errors occurred. You'll have to read the source code to figure these out.
53 STATUS_INT_NOROOT
pwauth was not able to read the password database. Usually this means it is not running as root. (PAM and login.conf configurations
will return 1 in this case.)
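The test procedure and status table above, scripted as an added example (not part of pwauth or of this manual page). PWAUTH_BIN, pwauth_explain, pwauth_check and the wrapper's own status 125 are names chosen for this example; it separates login failures from the 50-and-above configuration errors, which should be alerted on rather than counted as bad passwords.

```shell
#!/bin/sh
# Added example: run pwauth non-interactively and explain its exit status.
# PWAUTH_BIN (path to the binary) is an assumption of this example.
PWAUTH_BIN="${PWAUTH_BIN:-pwauth}"
NL='
'

# Map an exit status to "class: meaning", following the STATUS CODES table.
pwauth_explain() {
    case "$1" in
        0)  echo "ok: login OK" ;;
        1)  echo "auth: nonexistent login or incorrect password" ;;
        2)  echo "auth: incorrect password" ;;
        3)  echo "account: uid below MIN_UNIX_UID" ;;
        4)  echo "account: login ID has expired" ;;
        5)  echo "account: password has expired" ;;
        6)  echo "account: logins turned off (usually /etc/nologin)" ;;
        7)  echo "account: limit on bad logins exceeded" ;;
        50) echo "config: invoking uid not on SERVER_UIDS list" ;;
        51) echo "config: no login and password received (pipe vs. environment mismatch)" ;;
        52) echo "config: internal error" ;;
        53) echo "config: cannot read password database (not running as root?)" ;;
        *)  # The manual states that any value of 50 or more is a configuration error.
            if [ "$1" -ge 50 ] 2>/dev/null; then
                echo "config: undocumented status $1"
            else
                echo "unknown: undocumented status $1"
            fi ;;
    esac
}

# Feed login and password to pwauth on stdin, one per line, as the manual
# describes. printf is a shell builtin, so the password never shows up in a
# process argument list. Input is line-based, so a newline inside either value
# would shift the fields; such input is refused with this wrapper's own status 125.
pwauth_check() {
    case "$1$2" in
        *"$NL"*) echo "rejected: newline in login or password"; return 125 ;;
    esac
    rc=0
    printf '%s\n%s\n' "$1" "$2" | "$PWAUTH_BIN" || rc=$?
    pwauth_explain "$rc"
    return "$rc"
}
```

For interactive use, read the password with terminal echo disabled (stty -echo before the read, stty echo after) and pass it to pwauth_check, which avoids the on-screen echo noted in the description.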
AUTHOR
pwauth was written by Jan Wolter <jan@unixpapa.com>.
This manual page was written by Hai Zaar <haizaar@haizaar.com>, for the Debian project (but may be used by others).
2009-05-02 PWAUTH(8)
LOGIN(1) Linux Administrator's Manual LOGIN(1)
NAME
login - Begin session on the system
SYNOPSIS
login [ -p ] [ -h host ] [ -H ] [ -f username | username ]
DESCRIPTION
login is used when signing onto a system. If no argument is given, login prompts for the username.
The user is then prompted for a password, where appropriate. Echoing is disabled to prevent revealing the password. Only a small number of
password failures are permitted before login exits and the communications link is severed.
If password aging has been enabled for the account, the user may be prompted for a new password before proceeding. He will be forced to
provide his old password and the new password before continuing. Please refer to passwd(1) for more information.
The user and group ID will be set according to their values in the file. There is one exception if the user ID is zero: in this case, only
the primary group ID of the account is set. This should ensure that the system administrator can still log in in case of network problems. The
values for $HOME, $SHELL, $PATH, $LOGNAME, and $MAIL are set according to the appropriate fields in the password entry. $PATH defaults to
/usr/local/bin:/bin:/usr/bin:. for normal users, and to /sbin:/bin:/usr/sbin:/usr/bin for root if not otherwise configured. The environment
variable $TERM will be preserved, if it exists (other environment variables are preserved if the -p option is given) or be initialized to
the terminal type on your tty line, as specified in /etc/ttytype.
Then the user's shell is started. If no shell is specified for the user in /etc/passwd, then /bin/sh is used. If there is no directory
specified in /etc/passwd, then / is used (the home directory is checked for the .hushlogin file described above).
login reads the /etc/login.defs(5) configuration file. Please refer to this documentation for options which could be set.
OPTIONS
-p Used by getty(8) to tell login not to destroy the environment.
-f Used to skip a second login authentication. This option is deprecated and should not be used. It specifically does not work for
root. Using this option also means that not all PAM functions are called.
-h Used by other servers (i.e., telnetd(8)) to pass the name of the remote host to login so that it may be placed in utmp and wtmp.
Only the superuser may use this option.
-H Used by other servers (i.e., telnetd(8)) to tell login that printing the hostname should be suppressed in the login: prompt.
FILES
/var/run/utmp - list of current login sessions
/var/log/wtmp - list of previous login sessions
/etc/passwd - user account information
/etc/shadow - encrypted passwords and age information
/etc/motd - system message file
/etc/login.defs - configuration file
SEE ALSO
init(8), getty(8), mail(1), passwd(1), passwd(5), environ(7), shutdown(8), login.defs(5)
BUGS
A recursive login, as used to be possible in the good old days, no longer works; for most purposes su(1) is a satisfactory substitute.
Indeed, for security reasons, login does a vhangup() system call to remove any possible listening processes on the tty. This is to avoid
password sniffing. If one uses the command "login", then the surrounding shell gets killed by vhangup() because it's no longer the true
owner of the tty. This can be avoided by using "exec login" in a top-level shell or xterm.
AUTHOR
Derived from BSD login 5.40 (5/9/89) by Michael Glad (glad@daimi.dk) for HP-UX
Ported to Linux 0.12: Peter Orbaek (poe@daimi.aau.dk)
Added new features: Thorsten Kukuk (kukuk@suse.de)
PAM Login 3.32 2. May 2007 LOGIN(1)