.\"
.\" This file and its contents are supplied under the terms of the
.\" Common Development and Distribution License ("CDDL"), version 1.0.
.\" You may only use this file in accordance with the terms of version
.\" 1.0 of the CDDL.
.\"
.\" A full copy of the text of the CDDL should have accompanied this
.\" source. A copy of the CDDL is also available via the Internet at
.\" http://www.illumos.org/license/CDDL.
.\"
.\" Copyright 2014 Nexenta Systems, Inc.
.\"
.Dd Aug 20, 2014
.Dt PAM_TIMESTAMP 5
.Os
.Sh NAME
.Nm pam_timestamp
.Nd PAM authentication module using cached successful
authentication attempts
.Sh SYNOPSIS
.Nm pam_timestamp.so.1
.Op Ar debug
.Op Ar timeout=min
.Sh DESCRIPTION
The
.Nm
module caches successful tty-based authentication attempts by
creating per-user directories and per-tty timestamp files in the
common timestamp directory
.Pa /var/run/tty_timestamps .
On the next authentication, if the timestamp file exists and has not expired,
the user is not asked for a password; otherwise the timestamp
file is deleted and the user is prompted to enter a password.
.Lp
The PAM items
.Dv PAM_USER ,
.Dv PAM_AUSER
and
.Dv PAM_TTY
are used by this module.
.Sy pam_timestamp
is normally configured as
.Sy sufficient
and must be used in conjunction with the modules that support
UNIX authentication, which are
.Xr pam_authtok_get 5 ,
.Xr pam_unix_cred 5
and
.Xr pam_unix_auth 5 .
Proper authentication operation requires
.Xr pam_unix_cred 5
be stacked above
.Xr pam_timestamp .
.Sh OPTIONS
.Bl -tag -width Ds
.It Dv debug
Provides
.Xr syslog 3
debugging information at the
.Sy LOG_AUTH | LOG_DEBUG
level.
.It Dv timeout
Specifies the period (in minutes) for which the timestamp
file is valid.
The default value is 5 minutes.
.El
.Sh FILES
.Bl -tag -width indent
.It Pa /var/run/tty_timestamps/...
stores timestamp directories and files
.El
.Sh EXIT STATUS
.Bl -tag -width Ds
.It Dv PAM_SUCCESS
Timestamp file is not expired.
.It Dv PAM_IGNORE
The
.Nm
module was not able to retrieve required credentials
or the timestamp file is expired or corrupt.
.El
.Sh EXAMPLES
.Ss Example 1 Allowing su authentication
.
The following example is a
.Xr pam.conf 4
fragment that illustrates the default settings for allowing
.Xr su 1M
authentication:
.Bd -literal -offset indent
su auth required pam_unix_cred.so.1
su auth sufficient pam_timestamp.so.1
su auth requisite pam_authtok_get.so.1
su auth required pam_unix_auth.so.1
.Ed
.Ss Example 2 Changing default timeout
.
The default timeout is changed to 10 minutes:
.Bd -literal -offset indent
su auth required pam_unix_cred.so.1
su auth sufficient pam_timestamp.so.1 timeout=10
su auth requisite pam_authtok_get.so.1
su auth required pam_unix_auth.so.1
.Ed
.Sh INTERFACE STABILITY
.Sy Uncommitted .
.Sh MT LEVEL
.Sy MT-Safe .
.Sh SEE ALSO
.Xr su 1M ,
.Xr pam 3PAM ,
.Xr pam_sm_authenticate 3PAM ,
.Xr pam_sm_setcred 3PAM ,
.Xr pam.conf 4 ,
.Xr syslog 3C
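.Pp
The stacking rules from DESCRIPTION and the fragments in EXAMPLES, turned into a check over pam.conf(4)-format input. This is an added example, not part of the original manual page or the module's source; the function names, the MAX_TIMEOUT policy ceiling, the requirement that pam_unix_auth.so.1 follow the module (taken from the layout of the EXAMPLES fragments) and the sample input are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: lint pam.conf(4)-format input for pam_timestamp stacking.
# MAX_TIMEOUT is a site policy assumption, not a limit enforced by the module.
MAX_TIMEOUT=${MAX_TIMEOUT:-15}

check_pam_timestamp() {   # reads the named files, or stdin when none is given
    awk -v max="$MAX_TIMEOUT" '
    /^[ \t]*#/ || NF < 4 || $2 != "auth" { next }
    {
        svc = $1; n = split($4, p, "/"); mod = p[n]
        if (mod == "pam_unix_cred.so.1") cred[svc] = 1
        if (mod == "pam_unix_auth.so.1" && (svc in ts)) below[svc] = 1
        if (mod != "pam_timestamp.so.1") next
        ts[svc] = NR
        if ($3 != "sufficient")
            printf "%s (line %d): control flag %s, expected sufficient\n", svc, NR, $3
        if (!(svc in cred))
            printf "%s (line %d): pam_unix_cred.so.1 is not stacked above pam_timestamp\n", svc, NR
        for (i = 5; i <= NF; i++) {
            if ($i !~ /^timeout=/) continue
            t = substr($i, 9)          # text after "timeout="
            if (t !~ /^[0-9]+$/)
                printf "%s (line %d): timeout \"%s\" is not a number of minutes\n", svc, NR, t
            else if (t + 0 > max + 0)
                printf "%s (line %d): timeout=%s exceeds policy maximum of %d minutes\n", svc, NR, t, max
        }
    }
    END {   # a cache miss must fall through to real password authentication
        for (s in ts) if (!(s in below))
            printf "%s (line %d): no pam_unix_auth.so.1 below pam_timestamp\n", s, ts[s]
    }' "$@"
}

sample_conf() {   # constructed input: "su" follows Example 2, "sudo" is misconfigured
    cat <<'EOF'
su   auth required   pam_unix_cred.so.1
su   auth sufficient pam_timestamp.so.1 timeout=10
su   auth requisite  pam_authtok_get.so.1
su   auth required   pam_unix_auth.so.1
sudo auth sufficient pam_timestamp.so.1 timeout=120
sudo auth required   pam_unix_cred.so.1
sudo auth required   pam_unix_auth.so.1
EOF
}

sample_conf | check_pam_timestamp
```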