| 1 |
.\" $MidnightBSD$ |
| 2 |
.\" Copyright (c) 2001 Mark R V Murray |
| 3 |
.\" All rights reserved. |
| 4 |
.\" Copyright (c) 2001 Networks Associates Technology, Inc. |
| 5 |
.\" All rights reserved. |
| 6 |
.\" |
| 7 |
.\" This software was developed for the FreeBSD Project by ThinkSec AS and |
| 8 |
.\" NAI Labs, the Security Research Division of Network Associates, Inc. |
| 9 |
.\" under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the |
| 10 |
.\" DARPA CHATS research program. |
| 11 |
.\" |
| 12 |
.\" Redistribution and use in source and binary forms, with or without |
| 13 |
.\" modification, are permitted provided that the following conditions |
| 14 |
.\" are met: |
| 15 |
.\" 1. Redistributions of source code must retain the above copyright |
| 16 |
.\" notice, this list of conditions and the following disclaimer. |
| 17 |
.\" 2. Redistributions in binary form must reproduce the above copyright |
| 18 |
.\" notice, this list of conditions and the following disclaimer in the |
| 19 |
.\" documentation and/or other materials provided with the distribution. |
| 20 |
.\" 3. The name of the author may not be used to endorse or promote |
| 21 |
.\" products derived from this software without specific prior written |
| 22 |
.\" permission. |
| 23 |
.\" |
| 24 |
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND |
| 25 |
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
| 26 |
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE |
| 27 |
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE |
| 28 |
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL |
| 29 |
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS |
| 30 |
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
| 31 |
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT |
| 32 |
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY |
| 33 |
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF |
| 34 |
.\" SUCH DAMAGE. |
| 35 |
.\" |
| 36 |
.\" $FreeBSD: stable/10/lib/libpam/modules/pam_ksu/pam_ksu.8 107771 2002-12-12 08:19:47Z ru $ |
| 37 |
.\" |
| 38 |
.Dd May 15, 2002 |
| 39 |
.Dt PAM_KSU 8 |
| 40 |
.Os |
| 41 |
.Sh NAME |
| 42 |
.Nm pam_ksu |
| 43 |
.Nd Kerberos 5 SU PAM module |
| 44 |
.Sh SYNOPSIS |
| 45 |
.Op Ar service-name |
| 46 |
.Ar module-type |
| 47 |
.Ar control-flag |
| 48 |
.Pa pam_ksu |
| 49 |
.Op Ar options |
| 50 |
.Sh DESCRIPTION |
| 51 |
The Kerberos 5 SU authentication service module for PAM, |
| 52 |
.Nm |
| 53 |
for only one PAM category: authentication. |
| 54 |
In terms of the |
| 55 |
.Ar module-type |
| 56 |
parameter, this is the |
| 57 |
.Dq Li auth |
| 58 |
feature. |
| 59 |
The module is specifically designed to be used with the |
| 60 |
.Xr su 1 |
| 61 |
utility. |
| 62 |
.\" It also provides a null function for session management. |
| 63 |
.Ss Kerberos 5 SU Authentication Module |
| 64 |
The Kerberos 5 SU authentication component provides functions to verify |
| 65 |
the identity of a user |
| 66 |
.Pq Fn pam_sm_authenticate , |
| 67 |
and determine whether or not the user is authorized to obtain the |
| 68 |
privileges of the target account. |
| 69 |
If the target account is |
| 70 |
.Dq root , |
| 71 |
then the Kerberos 5 principal used |
| 72 |
for authentication and authorization will be the |
| 73 |
.Dq root |
| 74 |
instance of |
| 75 |
the current user, e.g.\& |
| 76 |
.Dq Li user/root@REAL.M . |
| 77 |
Otherwise, the principal will simply be the current user's default |
| 78 |
principal, e.g.\& |
| 79 |
.Dq Li user@REAL.M . |
| 80 |
.Pp |
| 81 |
The user is prompted for a password if necessary. |
| 82 |
Authorization is performed |
| 83 |
by comparing the Kerberos 5 principal with those listed in the |
| 84 |
.Pa .k5login |
| 85 |
file in the target account's home directory |
| 86 |
(e.g.\& |
| 87 |
.Pa /root/.k5login |
| 88 |
for root). |
| 89 |
.Pp |
| 90 |
The following options may be passed to the authentication module: |
| 91 |
.Bl -tag -width ".Cm use_first_pass" |
| 92 |
.It Cm debug |
| 93 |
.Xr syslog 3 |
| 94 |
debugging information at |
| 95 |
.Dv LOG_DEBUG |
| 96 |
level. |
| 97 |
.It Cm use_first_pass |
| 98 |
If the authentication module |
| 99 |
is not the first in the stack, |
| 100 |
and a previous module |
| 101 |
obtained the user's password, |
| 102 |
that password is used |
| 103 |
to authenticate the user. |
| 104 |
If this fails, |
| 105 |
the authentication module returns failure |
| 106 |
without prompting the user for a password. |
| 107 |
This option has no effect |
| 108 |
if the authentication module |
| 109 |
is the first in the stack, |
| 110 |
or if no previous modules |
| 111 |
obtained the user's password. |
| 112 |
.It Cm try_first_pass |
| 113 |
This option is similar to the |
| 114 |
.Cm use_first_pass |
| 115 |
option, |
| 116 |
except that if the previously obtained password fails, |
| 117 |
the user is prompted for another password. |
| 118 |
.El |
| 119 |
.Sh SEE ALSO |
| 120 |
.Xr su 1 , |
| 121 |
.Xr syslog 3 , |
| 122 |
.Xr pam.conf 5 , |
| 123 |
.Xr pam 8 |
