.\"
.\" This file and its contents are supplied under the terms of the
.\" Common Development and Distribution License ("CDDL"), version 1.0.
.\" You may only use this file in accordance with the terms of version
.\" 1.0 of the CDDL.
.\"
.\" A full copy of the text of the CDDL should have accompanied this
.\" source. A copy of the CDDL is also available via the Internet at
.\" http://www.illumos.org/license/CDDL.
.\"
.\" Copyright 2014 Nexenta Systems, Inc.
.\"
.Dd Aug 20, 2014
.Dt PAM_TIMESTAMP 5
.Os
.Sh NAME
.Nm pam_timestamp
.Nd PAM authentication module using cached successful authentication attempts
.Sh SYNOPSIS
.Nm pam_timestamp.so.1
.Op Ar debug
.Op Ar timeout=min
.Sh DESCRIPTION
The
.Nm
module caches successful tty-based authentication attempts by
creating per-user directories and per-tty timestamp files in the
common timestamp directory
.Pa /var/run/tty_timestamps .
On the next authentication, if the timestamp file exists and has not
expired, the user is not asked for a password; otherwise the timestamp
file is deleted and the user is prompted to enter a password.
.Lp
The PAM items
.Dv PAM_USER ,
.Dv PAM_AUSER
and
.Dv PAM_TTY
are used by this module.
.Sy pam_timestamp
is normally configured as
.Sy sufficient
and must be used in conjunction with the modules that support
UNIX authentication, which are
.Xr pam_authtok_get 5 ,
.Xr pam_unix_cred 5
and
.Xr pam_unix_auth 5 .
Proper authentication operation requires that
.Xr pam_unix_cred 5
be stacked above
.Xr pam_timestamp 5 .
.Sh OPTIONS
.Bl -tag -width Ds
.It Dv debug
Provides
.Xr syslog 3C
debugging information at the
.Sy LOG_AUTH | LOG_DEBUG
level.
.It Dv timeout
Specifies the period (in minutes) for which the timestamp
file is valid.
The default value is 5 minutes.
.El
.Sh FILES
.Bl -tag -width indent
.It Pa /var/run/tty_timestamps/...
Stores timestamp directories and files.
.El
.Sh EXIT STATUS
.Bl -tag -width Ds
.It Dv PAM_SUCCESS
The timestamp file has not expired.
.It Dv PAM_IGNORE
The
.Nm
module was not able to retrieve the required credentials,
or the timestamp file is expired or corrupt.
.El
.Sh EXAMPLES
.Ss Example 1 Allowing su authentication
.
The following example is a
.Xr pam.conf 4
fragment that illustrates the default settings for allowing
.Xr su 1M
authentication:
.Bd -literal -offset indent
su auth required   pam_unix_cred.so.1
su auth sufficient pam_timestamp.so.1
su auth requisite  pam_authtok_get.so.1
su auth required   pam_unix_auth.so.1
.Ed
.Ss Example 2 Changing default timeout
.
The following fragment changes the timeout from the default to 10 minutes:
.Bd -literal -offset indent
su auth required   pam_unix_cred.so.1
su auth sufficient pam_timestamp.so.1 timeout=10
su auth requisite  pam_authtok_get.so.1
su auth required   pam_unix_auth.so.1
.Ed
.Sh INTERFACE STABILITY
.Sy Uncommitted .
.Sh MT LEVEL
.Sy MT-Safe .
.Sh SEE ALSO
.Xr su 1M ,
.Xr pam 3PAM ,
.Xr pam_sm_authenticate 3PAM ,
.Xr pam_sm_setcred 3PAM ,
.Xr pam.conf 4 ,
.Xr syslog 3C
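The stacking rules in DESCRIPTION and the options in OPTIONS can be checked mechanically before a pam.conf change is deployed. The following linter is an added example, not part of the original manual page or of the illumos source; the names parse_auth_stack and lint_timestamp_stack and the BAD fragment are constructed for illustration, and treating a non-numeric timeout as a finding is this example's assumption, since the page does not say how the module handles it.

```python
import os

DEFAULT_TIMEOUT_MIN = 5  # default given under OPTIONS
COMPANIONS = ("pam_authtok_get", "pam_unix_cred", "pam_unix_auth")
# Example 2 from this page.
GOOD = """\
su auth required   pam_unix_cred.so.1
su auth sufficient pam_timestamp.so.1 timeout=10
su auth requisite  pam_authtok_get.so.1
su auth required   pam_unix_auth.so.1
"""
# Constructed misconfiguration: wrong order, missing module, bad timeout.
BAD = """\
su auth sufficient pam_timestamp.so.1 timeout=ten
su auth required   pam_unix_cred.so.1
su auth required   pam_unix_auth.so.1
"""

def parse_auth_stack(text, service):
    """Return [(control_flag, module, options)] for a service's auth entries."""
    stack = []
    for line in text.splitlines():
        f = line.split()  # service, module_type, control_flag, path, options
        if len(f) >= 4 and f[0] == service and f[1] == "auth":
            stack.append((f[2], os.path.basename(f[3]).split(".so")[0], f[4:]))
    return stack

def lint_timestamp_stack(text, service="su"):
    """Return (effective timeout in minutes or None, list of findings)."""
    stack = parse_auth_stack(text, service)
    names = [mod for _, mod, _ in stack]
    if "pam_timestamp" not in names:
        return None, []  # module not used for this service
    flag, _, opts = stack[names.index("pam_timestamp")]
    findings = [] if flag == "sufficient" else [
        "pam_timestamp is '%s', not 'sufficient'" % flag]
    findings += ["%s is missing" % m for m in COMPANIONS if m not in names]
    if "pam_unix_cred" in names and \
            names.index("pam_unix_cred") > names.index("pam_timestamp"):
        findings.append("pam_unix_cred must be stacked above pam_timestamp")
    timeout = DEFAULT_TIMEOUT_MIN
    for opt in opts:
        key, _, val = opt.partition("=")
        if key == "timeout" and val.isdigit():
            timeout = int(val)
        elif opt != "debug":  # only debug and timeout=min are documented
            findings.append("unrecognised or invalid option: %s" % opt)
    return timeout, findings

print(lint_timestamp_stack(BAD))
```

The returned timeout is the window, in minutes, during which a cached authentication on the same tty skips the password prompt, so it is worth reviewing alongside the findings.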