2002-05-28 20:52:31 +00:00
|
|
|
.\" Copyright (c) 2001 Mark R V Murray
|
|
|
|
.\" All rights reserved.
|
|
|
|
.\" Copyright (c) 2001 Networks Associates Technology, Inc.
|
|
|
|
.\" All rights reserved.
|
|
|
|
.\"
|
|
|
|
.\" This software was developed for the FreeBSD Project by ThinkSec AS and
|
|
|
|
.\" NAI Labs, the Security Research Division of Network Associates, Inc.
|
|
|
|
.\" under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
|
|
|
|
.\" DARPA CHATS research program.
|
|
|
|
.\"
|
|
|
|
.\" Redistribution and use in source and binary forms, with or without
|
|
|
|
.\" modification, are permitted provided that the following conditions
|
|
|
|
.\" are met:
|
|
|
|
.\" 1. Redistributions of source code must retain the above copyright
|
|
|
|
.\" notice, this list of conditions and the following disclaimer.
|
|
|
|
.\" 2. Redistributions in binary form must reproduce the above copyright
|
|
|
|
.\" notice, this list of conditions and the following disclaimer in the
|
|
|
|
.\" documentation and/or other materials provided with the distribution.
|
|
|
|
.\" 3. The name of the author may not be used to endorse or promote
|
|
|
|
.\" products derived from this software without specific prior written
|
|
|
|
.\" permission.
|
|
|
|
.\"
|
|
|
|
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
|
|
|
|
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
|
|
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
|
|
|
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
|
|
|
|
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
|
|
|
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
|
|
|
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
|
|
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
|
|
|
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
|
|
|
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
|
|
|
.\" SUCH DAMAGE.
|
|
|
|
.\"
|
|
|
|
.\" $FreeBSD$
|
|
|
|
.\"
|
|
|
|
.Dd May 15, 2002
|
|
|
|
.Dt pam_ksu 8
|
|
|
|
.Os
|
|
|
|
.Sh NAME
|
|
|
|
.Nm pam_ksu
|
|
|
|
.Nd Kerberos 5 SU PAM module
|
|
|
|
.Sh SYNOPSIS
|
|
|
|
.Op Ar service-name
|
|
|
|
.Ar module-type
|
|
|
|
.Ar control-flag
|
|
|
|
.Pa pam_ksu
|
|
|
|
.Op Ar options
|
|
|
|
.Sh DESCRIPTION
|
|
|
|
The Kerberos 5 SU authentication service module for PAM,
|
|
|
|
.Nm
|
|
|
|
for only one PAM category: authentication.
|
|
|
|
In terms of the
|
|
|
|
.Ar module-type
|
|
|
|
parameter, this is the
|
|
|
|
.Dq Li auth
|
|
|
|
feature.
|
|
|
|
The module is specifically designed to be used with the
|
|
|
|
.Xr su 1
|
|
|
|
utility.
|
|
|
|
.\" It also provides a null function for session management.
|
|
|
|
.Ss Kerberos 5 SU Authentication Module
|
|
|
|
The Kerberos 5 SU authentication component provides functions to verify
|
|
|
|
the identity of a user
|
|
|
|
.Pq Fn pam_sm_authenticate ,
|
|
|
|
and determine whether or not the user is authorized to obtain the
|
|
|
|
privileges of the target account.
|
2002-05-30 14:32:48 +00:00
|
|
|
If the target account is
|
|
|
|
.Dq root ,
|
|
|
|
then the Kerberos 5 principal used
|
|
|
|
for authentication and authorization will be the
|
|
|
|
.Dq root
|
|
|
|
instance of
|
|
|
|
the current user, e.g.\&
|
|
|
|
.Dq Li user/root@REAL.M .
|
2002-05-28 20:52:31 +00:00
|
|
|
Otherwise, the principal will simply be the current user's default
|
2002-05-30 14:32:48 +00:00
|
|
|
principal, e.g.\&
|
|
|
|
.Dq Li user@REAL.M .
|
2002-05-28 20:52:31 +00:00
|
|
|
.Pp
|
2002-05-30 14:32:48 +00:00
|
|
|
The user is prompted for a password if necessary.
|
|
|
|
Authorization is performed
|
2002-05-28 20:52:31 +00:00
|
|
|
by comparing the Kerberos 5 principal with those listed in the
|
|
|
|
.Pa .k5login
|
|
|
|
file in the target account's home directory
|
2002-05-30 14:32:48 +00:00
|
|
|
(e.g.\&
|
|
|
|
.Pa /root/.k5login
|
|
|
|
for root).
|
2002-05-28 20:52:31 +00:00
|
|
|
.Pp
|
|
|
|
The following options may be passed to the authentication module:
|
|
|
|
.Bl -tag -width ".Cm use_first_pass"
|
|
|
|
.It Cm debug
|
|
|
|
.Xr syslog 3
|
|
|
|
debugging information at
|
|
|
|
.Dv LOG_DEBUG
|
|
|
|
level.
|
|
|
|
.It Cm use_first_pass
|
|
|
|
If the authentication module
|
|
|
|
is not the first in the stack,
|
|
|
|
and a previous module
|
|
|
|
obtained the user's password,
|
|
|
|
that password is used
|
|
|
|
to authenticate the user.
|
|
|
|
If this fails,
|
|
|
|
the authentication module returns failure
|
|
|
|
without prompting the user for a password.
|
|
|
|
This option has no effect
|
|
|
|
if the authentication module
|
|
|
|
is the first in the stack,
|
|
|
|
or if no previous modules
|
|
|
|
obtained the user's password.
|
|
|
|
.It Cm try_first_pass
|
|
|
|
This option is similar to the
|
|
|
|
.Cm use_first_pass
|
|
|
|
option,
|
|
|
|
except that if the previously obtained password fails,
|
|
|
|
the user is prompted for another password.
|
|
|
|
.El
|
|
|
|
.Sh SEE ALSO
|
|
|
|
.Xr su 1 ,
|
|
|
|
.Xr syslog 3 ,
|
|
|
|
.Xr pam.conf 5 ,
|
|
|
|
.Xr pam 8
|