NAME
pam_ksu - Kerberos 5 SU PAM module
SYNOPSIS
[service-name] module-type control-flag pam_ksu [options]
DESCRIPTION
The Kerberos 5 SU authentication service module for PAM provides functionality for only one PAM category: authentication. In terms of the module-type parameter, this is the ``auth'' feature. The module is specifically designed to be used with the su(1) utility.
Kerberos 5 SU Authentication Module
The Kerberos 5 SU authentication component provides functions to verify the identity of a user (pam_sm_authenticate()), and determine whether or not the user is authorized to obtain the privileges of the target account. If the target account is ``root'', then the Kerberos 5 principal used for authentication and authorization will be the ``root'' instance of the current user, e.g. ``user/root@REAL.M''. Otherwise, the principal will simply be the current user's default principal, e.g. ``user@REAL.M''. The user is prompted for a password if necessary. Authorization is performed by comparing the Kerberos 5 principal with those listed in the .k5login file in the target account's home directory (e.g. /root/.k5login for root).
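The principal selection and .k5login comparison described above can be modelled as follows. This is an added example, not pam_ksu's own code; the function names, the EXAMPLE.ORG realm and the sample file are constructed, and it assumes one principal per line compared as exact strings.

```python
# Added illustration of the rules described above; not pam_ksu's source.
# Assumptions: .k5login holds one principal per line, blank lines are
# skipped, and principals are compared as exact, case-sensitive strings.

def expected_principal(current_user, target_account, realm):
    """Principal used for both authentication and authorization."""
    if target_account == "root":
        return f"{current_user}/root@{realm}"   # "root" instance of the user
    return f"{current_user}@{realm}"            # user's default principal

def parse_k5login(text):
    return [line.strip() for line in text.splitlines() if line.strip()]

def is_authorized(current_user, target_account, realm, k5login_text):
    """True if the expected principal is listed in the target's .k5login."""
    wanted = expected_principal(current_user, target_account, realm)
    return wanted in parse_k5login(k5login_text)

def review_root_k5login(k5login_text):
    """Split root's .k5login into entries the root rule can match
    (name/root@REALM) and entries it can never match."""
    matchable, other = [], []
    for entry in parse_k5login(k5login_text):
        name, _, realm = entry.rpartition("@")
        parts = name.split("/")
        if realm and len(parts) == 2 and parts[0] and parts[1] == "root":
            matchable.append(entry)
        else:
            other.append(entry)
    return matchable, other

# Constructed sample standing in for /root/.k5login (realm is a placeholder).
SAMPLE_ROOT_K5LOGIN = """\
alice/root@EXAMPLE.ORG

bob@EXAMPLE.ORG
carol/admin@EXAMPLE.ORG
"""

if __name__ == "__main__":
    for user in ("alice", "bob", "carol"):
        ok = is_authorized(user, "root", "EXAMPLE.ORG", SAMPLE_ROOT_K5LOGIN)
        print(f"{user} -> root: {'authorized' if ok else 'denied'}")
    matchable, other = review_root_k5login(SAMPLE_ROOT_K5LOGIN)
    print("matchable by the root rule:", matchable)
    print("never matched by the root rule:", other)
```

Entries reported in the second list cannot be matched through this module when the target is root, so they are worth reviewing when auditing who is listed in /root/.k5login.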
The following options may be passed to the authentication module:
- debug
    syslog(3) debugging information at LOG_DEBUG level.
- use_first_pass
    If the authentication module is not the first in the stack, and a previous module obtained the user's password, that password is used to authenticate the user. If this fails, the authentication module returns failure without prompting the user for a password. This option has no effect if the authentication module is the first in the stack, or if no previous modules obtained the user's password.
- try_first_pass
    This option is similar to the use_first_pass option, except that if the previously obtained password fails, the user is prompted for another password.
SEE ALSO
su(1), syslog(3), pam.conf(5), pam(8)