.\"
.\" This file and its contents are supplied under the terms of the
.\" Common Development and Distribution License ("CDDL"), version 1.0.
.\" You may only use this file in accordance with the terms of version
.\" 1.0 of the CDDL.
.\"
.\" A full copy of the text of the CDDL should have accompanied this
.\" source. A copy of the CDDL is also available via the Internet at
.\" http://www.illumos.org/license/CDDL.
.\"
.\" Copyright 2014 Nexenta Systems, Inc.
.\"
.Dd Aug 20, 2014
.Dt PAM_TIMESTAMP 5
.Os
.Sh NAME
.Nm pam_timestamp
.Nd PAM authentication module using cached successful
authentication attempts
.Sh SYNOPSIS
.Nm pam_timestamp.so.1
.Op Ar debug
.Op Ar timeout=min
.Sh DESCRIPTION
The
.Nm
module caches successful tty-based authentication attempts by
creating per-user directories and per-tty timestamp files in the
common timestamp directory
.Pa /var/run/tty_timestamps .
On the next authentication, if the timestamp file exists and has not
expired, the user is not asked for a password; otherwise the timestamp
file is deleted and the user is prompted to enter a password.
.Lp
The PAM items
.Dv PAM_USER ,
.Dv PAM_AUSER
and
.Dv PAM_TTY
are used by this module.
.Sy pam_timestamp
is normally configured as
.Sy sufficient
and must be used in conjunction with the modules that support
UNIX authentication, which are
.Xr pam_authtok_get 5 ,
.Xr pam_unix_cred 5
and
.Xr pam_unix_auth 5 .
Proper authentication operation requires that
.Xr pam_unix_cred 5
be stacked above
.Nm .
.Sh OPTIONS
.Bl -tag -width Ds
.It Dv debug
Provides
.Xr syslog 3C
debugging information at the
.Sy LOG_AUTH | LOG_DEBUG
level.
.It Dv timeout
Specifies the period (in minutes) for which the timestamp
file is valid.
The default value is 5 minutes.
.El
.Sh FILES
.Bl -tag -width indent
.It Pa /var/run/tty_timestamps/...
Stores timestamp directories and files.
.El
.Sh EXIT STATUS
.Bl -tag -width Ds
.It Dv PAM_SUCCESS
Timestamp file is not expired.
.It Dv PAM_IGNORE
The
.Nm
module was not able to retrieve the required credentials,
or the timestamp file is expired or corrupt.
.El
.Sh EXAMPLES
.Ss Example 1 Allowing su authentication
.
The following example is a
.Xr pam.conf 4
fragment that illustrates the default settings for allowing
.Xr su 1M
authentication:
.Bd -literal -offset indent
su auth required pam_unix_cred.so.1
su auth sufficient pam_timestamp.so.1
su auth requisite pam_authtok_get.so.1
su auth required pam_unix_auth.so.1
.Ed
.Ss Example 2 Changing default timeout
.
The following example sets the timeout to 10 minutes:
.Bd -literal -offset indent
su auth required pam_unix_cred.so.1
su auth sufficient pam_timestamp.so.1 timeout=10
su auth requisite pam_authtok_get.so.1
su auth required pam_unix_auth.so.1
.Ed
.Sh INTERFACE STABILITY
.Sy Uncommitted .
.Sh MT LEVEL
.Sy MT-Safe .
.Sh SEE ALSO
.Xr su 1M ,
.Xr pam 3PAM ,
.Xr pam_sm_authenticate 3PAM ,
.Xr pam_sm_setcred 3PAM ,
.Xr pam.conf 4 ,
.Xr syslog 3C
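An added example, not part of the illumos source or of this manual page: a POSIX sh/awk check that audits one service's auth stack in a pam.conf-style file against the stacking, control-flag and timeout guidance in DESCRIPTION and OPTIONS. The function name, the constructed sample fragments and the MAX_MINUTES policy limit are assumptions made for illustration.

```sh
# usage: audit_pam_timestamp SERVICE [MAX_MINUTES] < pam.conf
# MAX_MINUTES is a hypothetical local policy limit (assumption), default 5.
audit_pam_timestamp() {
    awk -v svc="$1" -v max="${2:-5}" '
    /^[ \t]*#/ || NF < 4      { next }   # skip comments and short lines
    $1 != svc || $2 != "auth" { next }   # only the auth stack of SERVICE
    {
        n = split($4, part, "/"); mod = part[n]    # basename of module path
        seen[mod] = 1
        if (mod == "pam_timestamp.so.1" && !ts) {
            ts = 1; ctl = $3
            cred_above = ("pam_unix_cred.so.1" in seen)
            timeout = 5                            # documented default
            for (i = 5; i <= NF; i++)
                if ($i ~ /^timeout=[0-9]+$/) timeout = substr($i, 9) + 0
        }
    }
    END {
        if (!ts) { print "INFO: pam_timestamp not used for " svc; exit }
        if (!cred_above) { print "FAIL: pam_unix_cred.so.1 not stacked above pam_timestamp.so.1"; bad++ }
        if (ctl != "sufficient") { print "WARN: control flag is " ctl ", not sufficient"; bad++ }
        if (!("pam_authtok_get.so.1" in seen) || !("pam_unix_auth.so.1" in seen)) {
            print "FAIL: pam_authtok_get or pam_unix_auth missing from the stack"; bad++ }
        if (timeout > max) { print "WARN: timeout=" timeout " min exceeds policy limit " max; bad++ }
        if (!bad) print "OK: timeout=" timeout " min"
    }'
}
# Constructed sample: the fragment from Example 2 of this page.
sample_good() {
    cat <<'EOF'
su auth required pam_unix_cred.so.1
su auth sufficient pam_timestamp.so.1 timeout=10
su auth requisite pam_authtok_get.so.1
su auth required pam_unix_auth.so.1
EOF
}
# Constructed sample: cred module below pam_timestamp, 30 minute timeout.
sample_bad() {
    cat <<'EOF'
su auth sufficient pam_timestamp.so.1 timeout=30
su auth required pam_unix_cred.so.1
su auth requisite pam_authtok_get.so.1
su auth required pam_unix_auth.so.1
EOF
}
sample_good | audit_pam_timestamp su 10
sample_bad  | audit_pam_timestamp su 10
```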