xref: /titanic_51/usr/src/man/man5/pam_timestamp.5 (revision 1886f67eb9de99edbcda88765f2c603a30c87fc2)
.\"
.\" This file and its contents are supplied under the terms of the
.\" Common Development and Distribution License ("CDDL"), version 1.0.
.\" You may only use this file in accordance with the terms of version
.\" 1.0 of the CDDL.
.\"
.\" A full copy of the text of the CDDL should have accompanied this
.\" source.  A copy of the CDDL is also available via the Internet at
.\" http://www.illumos.org/license/CDDL.
.\"
.\" Copyright 2014 Nexenta Systems, Inc.
.\"
.Dd Aug 20, 2014
.Dt PAM_TIMESTAMP 5
.Os
.Sh NAME
.Nm pam_timestamp
.Nd PAM authentication module using cached successful
authentication attempts
.Sh SYNOPSIS
.Nm pam_timestamp.so.1
.Op Ar debug
.Op Ar timeout=min
.Sh DESCRIPTION
The
.Nm
module caches successful tty-based authentication attempts by
creating per-user directories and per-tty timestamp files in the
common timestamp directory
.Pa /var/run/tty_timestamps .
On the next authentication, if the timestamp file exists and has not expired,
the user is not asked for a password; otherwise the timestamp
file is deleted and the user is prompted to enter a password.
.Lp
The PAM items
.Dv PAM_USER ,
.Dv PAM_AUSER
and
.Dv PAM_TTY
are used by this module.
.Sy pam_timestamp
is normally configured as
.Sy sufficient
and must be used in conjunction with the modules that support
UNIX authentication, which are
.Xr pam_authtok_get 5 ,
.Xr pam_unix_cred 5
and
.Xr pam_unix_auth 5 .
Proper authentication operation requires that
.Xr pam_unix_cred 5
be stacked above
.Nm .
.Sh OPTIONS
.Bl -tag -width Ds
.It Dv debug
Provides
.Xr syslog 3
debugging information at the
.Sy LOG_AUTH | LOG_DEBUG
level.
.It Dv timeout
Specifies the period (in minutes) for which the timestamp
file is valid.
The default value is 5 minutes.
.El
.Sh FILES
.Bl -tag -width indent
.It Pa /var/run/tty_timestamps/...
stores timestamp directories and files
.El
.Sh EXIT STATUS
.Bl -tag -width Ds
.It Dv PAM_SUCCESS
Timestamp file is not expired.
.It Dv PAM_IGNORE
The
.Nm
module was not able to retrieve required credentials
or timestamp file is expired or corrupt.
.El
.Sh EXAMPLES
.Ss Example 1 Allowing su authentication
.
The following example is a
.Xr pam.conf 4
fragment that illustrates the default settings for allowing
.Xr su 1M
authentication:
.Bd -literal -offset indent
su  auth required	pam_unix_cred.so.1
su  auth sufficient	pam_timestamp.so.1
su  auth requisite	pam_authtok_get.so.1
su  auth required	pam_unix_auth.so.1
.Ed
.Ss Example 2 Changing default timeout
.
The following fragment sets the timeout to 10 minutes:
.Bd -literal -offset indent
su  auth required	pam_unix_cred.so.1
su  auth sufficient	pam_timestamp.so.1	timeout=10
su  auth requisite	pam_authtok_get.so.1
su  auth required	pam_unix_auth.so.1
.Ed
.Sh INTERFACE STABILITY
.Sy Uncommitted .
.Sh MT LEVEL
.Sy MT-Safe .
.Sh SEE ALSO
.Xr su 1M ,
.Xr pam 3PAM ,
.Xr pam_sm_authenticate 3PAM ,
.Xr pam_sm_setcred 3PAM ,
.Xr pam.conf 4 ,
.Xr syslog 3C
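The stacking rules stated in DESCRIPTION and OPTIONS can be checked mechanically against pam.conf text. The following Python check is an added example, not part of the original manual page or the illumos source; the sample fragments are constructed, and parse_auth_stack and audit_timestamp are hypothetical helper names.

```python
# Constructed sample pam.conf fragments (not taken from a real system).
GOOD = """\
su  auth required    pam_unix_cred.so.1
su  auth sufficient  pam_timestamp.so.1 timeout=10
su  auth requisite   pam_authtok_get.so.1
su  auth required    pam_unix_auth.so.1
"""
BAD = """\
su  auth optional    pam_timestamp.so.1 timeout=abc
su  auth required    pam_unix_cred.so.1
su  auth required    pam_unix_auth.so.1
"""

def parse_auth_stack(text, service):
    """Return [(control_flag, module_basename, options)] for a service's auth stack."""
    stack = []
    for line in text.splitlines():
        fields = line.split('#', 1)[0].split()   # drop comments, split on whitespace
        if len(fields) >= 4 and fields[0] == service and fields[1] == 'auth':
            module = fields[3].rsplit('/', 1)[-1]  # tolerate absolute module paths
            stack.append((fields[2], module, fields[4:]))
    return stack

def audit_timestamp(text, service='su'):
    """Return findings where the stack departs from what the manual page states."""
    stack = parse_auth_stack(text, service)
    names = [module for _, module, _ in stack]
    if 'pam_timestamp.so.1' not in names:
        return []                                  # module not in use: nothing to check
    idx = names.index('pam_timestamp.so.1')
    flag, _, opts = stack[idx]
    findings = []
    if flag != 'sufficient':
        findings.append(f'control flag is {flag!r}, normally sufficient')
    if 'pam_unix_cred.so.1' not in names[:idx]:
        findings.append('pam_unix_cred.so.1 is not stacked above pam_timestamp.so.1')
    for needed in ('pam_authtok_get.so.1', 'pam_unix_auth.so.1'):
        if needed not in names:
            findings.append(f'{needed} is missing from the auth stack')
    for opt in opts:
        if opt.startswith('timeout='):
            if not opt[len('timeout='):].isdigit():
                findings.append(f'{opt!r}: timeout is not a number of minutes')
        elif opt != 'debug':
            findings.append(f'unknown option {opt!r}')
    return findings
```
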