.\" $MidnightBSD$
.\" Copyright (c) 2001 Mark R V Murray
.\" All rights reserved.
.\" Copyright (c) 2001 Networks Associates Technology, Inc.
.\" All rights reserved.
.\"
.\" This software was developed for the FreeBSD Project by ThinkSec AS and
.\" NAI Labs, the Security Research Division of Network Associates, Inc.
.\" under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
.\" DARPA CHATS research program.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\" 3. The name of the author may not be used to endorse or promote
.\"    products derived from this software without specific prior written
.\"    permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $FreeBSD: stable/10/lib/libpam/modules/pam_ksu/pam_ksu.8 107771 2002-12-12 08:19:47Z ru $
.\"
.Dd May 15, 2002
.Dt PAM_KSU 8
.Os
.Sh NAME
.Nm pam_ksu
.Nd Kerberos 5 SU PAM module
.Sh SYNOPSIS
.Op Ar service-name
.Ar module-type
.Ar control-flag
.Pa pam_ksu
.Op Ar options
.Sh DESCRIPTION
The Kerberos 5 SU authentication service module for PAM,
.Nm
provides functionality for only one PAM category: authentication.
In terms of the
.Ar module-type
parameter, this is the
.Dq Li auth
feature.
The module is specifically designed to be used with the
.Xr su 1
utility.
.\" It also provides a null function for session management.
.Ss Kerberos 5 SU Authentication Module
The Kerberos 5 SU authentication component provides functions to verify
the identity of a user
.Pq Fn pam_sm_authenticate ,
and determine whether or not the user is authorized to obtain the
privileges of the target account.
If the target account is
.Dq root ,
then the Kerberos 5 principal used
for authentication and authorization will be the
.Dq root
instance of
the current user, e.g.\&
.Dq Li user/root@REAL.M .
Otherwise, the principal will simply be the current user's default
principal, e.g.\&
.Dq Li user@REAL.M .
.Pp
The user is prompted for a password if necessary.
Authorization is performed
by comparing the Kerberos 5 principal with those listed in the
.Pa .k5login
file in the target account's home directory
(e.g.\&
.Pa /root/.k5login
for root).
.Pp
The following options may be passed to the authentication module:
.Bl -tag -width ".Cm use_first_pass"
.It Cm debug
.Xr syslog 3
debugging information at
.Dv LOG_DEBUG
level.
.It Cm use_first_pass
If the authentication module
is not the first in the stack,
and a previous module
obtained the user's password,
that password is used
to authenticate the user.
If this fails,
the authentication module returns failure
without prompting the user for a password.
This option has no effect
if the authentication module
is the first in the stack,
or if no previous modules
obtained the user's password.
.It Cm try_first_pass
This option is similar to the
.Cm use_first_pass
option,
except that if the previously obtained password fails,
the user is prompted for another password.
.El
.Sh SEE ALSO
.Xr su 1 ,
.Xr syslog 3 ,
.Xr pam.conf 5 ,
.Xr pam 8