xref: /illumos-gate/usr/src/man/man7/pam_timestamp.7 (revision 9b9d39d2a32ff806d2431dbcc50968ef1e6d46b2) 
1.\"
2.\" This file and its contents are supplied under the terms of the
3.\" Common Development and Distribution License ("CDDL"), version 1.0.
4.\" You may only use this file in accordance with the terms of version
5.\" 1.0 of the CDDL.
6.\"
7.\" A full copy of the text of the CDDL should have accompanied this
8.\" source.  A copy of the CDDL is also available via the Internet at
9.\" http://www.illumos.org/license/CDDL.
10.\"
11.\" Copyright 2014 Nexenta Systems, Inc.
12.\"
13.Dd Nov 26, 2017
14.Dt PAM_TIMESTAMP 7
15.Os
16.Sh NAME
17.Nm pam_timestamp
18.Nd PAM authentication module using cached successful authentication attempts
19.Sh SYNOPSIS
20.Nm pam_timestamp.so.1
21.Op Ar debug
22.Op Ar timeout=min
23.Sh DESCRIPTION
24The
25.Nm
26module caches successful tty-based authentication attempts by
27creating user's directories and per tty timestamp files in the
28common timestamp directory
29.Pa /var/run/tty_timestamps .
30Next authentication, if the timestamp file exist and not expired,
31the user will not be asked for a password, otherwise timestamp
32file will be deleted and user will be prompted to enter a password.
33.Lp
34The PAM items
35.Dv PAM_USER ,
36.Dv PAM_AUSER
37and
38.Dv PAM_TTY
39are used by this module.
40.Sy pam_timestamp
41is normally configured as
42.Sy sufficient
43and must be used in conjunction with the modules that support
44the UNIX authentication, which are
45.Xr pam_authtok_get 7 ,
46.Xr pam_unix_cred 7
47and
48.Xr pam_unix_auth 7 .
49Proper authentication operation requires
50.Xr pam_unix_cred 7
51be stacked above
52.Nm .
53.Sh OPTIONS
54.Bl -tag -width Ds
55.It Dv debug
56Provides
57.Xr syslog 3C
58debugging information at the
59.Sy LOG_AUTH | LOG_DEBUG
60level.
61.It Dv timeout
62Specifies the period (in minutes) for which the timestamp file is valid.
63The default value is 5 minutes.
64.El
65.Sh FILES
66.Bl -tag -width indent
67.It Pa /var/run/tty_timestamps/...
68stores timestamp directories and files
69.El
70.Sh EXIT STATUS
71.Bl -tag -width Ds
72.It Dv PAM_SUCCESS
73Timestamp file is not expired.
74.It Dv PAM_IGNORE
75The
76.Nm
77module was not able to retrieve required credentials
78or timestamp file is expired or corrupt.
79.El
80.Sh EXAMPLES
81.Ss Example 1 Allowing su authentication
82.
83The following example is a
84.Xr pam.conf 5
85fragment that illustrates default settings for allowing
86.Xr su 8
87authentication:
88.Bd -literal -offset indent
89su  auth required	pam_unix_cred.so.1
90su  auth sufficient	pam_timestamp.so.1
91su  auth requisite	pam_authtok_get.so.1
92su  auth required	pam_unix_auth.so.1
93.Ed
94.Ss Example 2 Changing default timeout
95.
96The default timeout set to 10 minutes:
97.Bd -literal -offset indent
98su  auth required	pam_unix_cred.so.1
99su  auth sufficient	pam_timestamp.so.1	timeout=10
100su  auth requisite	pam_authtok_get.so.1
101su  auth required	pam_unix_auth.so.1
102.Ed
103.Sh INTERFACE STABILITY
104.Sy Uncommitted .
105.Sh MT LEVEL
106.Sy MT-Safe .
107.Sh SEE ALSO
108.Xr syslog 3C ,
109.Xr pam 3PAM ,
110.Xr pam_sm_authenticate 3PAM ,
111.Xr pam_sm_setcred 3PAM ,
112.Xr pam.conf 5 ,
113.Xr su 8
114