xref: /freebsd/lib/libpam/modules/pam_ksu/pam_ksu.8 (revision 2e3f49888ec8851bafb22011533217487764fdb0)
1.\" Copyright (c) 2001 Mark R V Murray
2.\" All rights reserved.
3.\" Copyright (c) 2001 Networks Associates Technology, Inc.
4.\" All rights reserved.
5.\"
6.\" This software was developed for the FreeBSD Project by ThinkSec AS and
7.\" NAI Labs, the Security Research Division of Network Associates, Inc.
8.\" under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
9.\" DARPA CHATS research program.
10.\"
11.\" Redistribution and use in source and binary forms, with or without
12.\" modification, are permitted provided that the following conditions
13.\" are met:
14.\" 1. Redistributions of source code must retain the above copyright
15.\"    notice, this list of conditions and the following disclaimer.
16.\" 2. Redistributions in binary form must reproduce the above copyright
17.\"    notice, this list of conditions and the following disclaimer in the
18.\"    documentation and/or other materials provided with the distribution.
19.\" 3. The name of the author may not be used to endorse or promote
20.\"    products derived from this software without specific prior written
21.\"    permission.
22.\"
23.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
24.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
27.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33.\" SUCH DAMAGE.
34.\"
35.Dd May 15, 2002
36.Dt PAM_KSU 8
37.Os
38.Sh NAME
39.Nm pam_ksu
40.Nd Kerberos 5 SU PAM module
41.Sh SYNOPSIS
42.Op Ar service-name
43.Ar module-type
44.Ar control-flag
45.Pa pam_ksu
46.Op Ar options
47.Sh DESCRIPTION
48The Kerberos 5 SU authentication service module for PAM,
49.Nm
50for only one PAM category: authentication.
51In terms of the
52.Ar module-type
53parameter, this is the
54.Dq Li auth
55feature.
56The module is specifically designed to be used with the
57.Xr su 1
58utility.
59.\" It also provides a null function for session management.
60.Ss Kerberos 5 SU Authentication Module
61The Kerberos 5 SU authentication component provides functions to verify
62the identity of a user
63.Pq Fn pam_sm_authenticate ,
64and determine whether or not the user is authorized to obtain the
65privileges of the target account.
66If the target account is
67.Dq root ,
68then the Kerberos 5 principal used
69for authentication and authorization will be the
70.Dq root
71instance of
72the current user, e.g.\&
73.Dq Li user/root@REAL.M .
74Otherwise, the principal will simply be the current user's default
75principal, e.g.\&
76.Dq Li user@REAL.M .
77.Pp
78The user is prompted for a password if necessary.
79Authorization is performed
80by comparing the Kerberos 5 principal with those listed in the
81.Pa .k5login
82file in the target account's home directory
83(e.g.\&
84.Pa /root/.k5login
85for root).
86.Pp
87The following options may be passed to the authentication module:
88.Bl -tag -width ".Cm use_first_pass"
89.It Cm debug
90.Xr syslog 3
91debugging information at
92.Dv LOG_DEBUG
93level.
94.It Cm use_first_pass
95If the authentication module
96is not the first in the stack,
97and a previous module
98obtained the user's password,
99that password is used
100to authenticate the user.
101If this fails,
102the authentication module returns failure
103without prompting the user for a password.
104This option has no effect
105if the authentication module
106is the first in the stack,
107or if no previous modules
108obtained the user's password.
109.It Cm try_first_pass
110This option is similar to the
111.Cm use_first_pass
112option,
113except that if the previously obtained password fails,
114the user is prompted for another password.
115.El
116.Sh SEE ALSO
117.Xr su 1 ,
118.Xr syslog 3 ,
119.Xr pam.conf 5 ,
120.Xr pam 3
121