xref: /titanic_52/usr/src/man/man5/pam_timestamp.5 (revision 3a005aada8ac0e291c13cbc488ba9ae1473f0a96)
.\"
.\" This file and its contents are supplied under the terms of the
.\" Common Development and Distribution License ("CDDL"), version 1.0.
.\" You may only use this file in accordance with the terms of version
.\" 1.0 of the CDDL.
.\"
.\" A full copy of the text of the CDDL should have accompanied this
.\" source.  A copy of the CDDL is also available via the Internet at
.\" http://www.illumos.org/license/CDDL.
.\"
.\" Copyright 2014 Nexenta Systems, Inc.
.\"
.Dd Aug 20, 2014
.Dt PAM_TIMESTAMP 5
.Os
.Sh NAME
.Nm pam_timestamp
.Nd PAM authentication module using cached successful authentication attempts
.Sh SYNOPSIS
.Nm pam_timestamp.so.1
.Op Ar debug
.Op Ar timeout=min
.Sh DESCRIPTION
The
.Nm
module caches successful tty-based authentication attempts by
creating per-user directories and per-tty timestamp files in the
common timestamp directory
.Pa /var/run/tty_timestamps .
On the next authentication, if the timestamp file exists and has not
expired, the user is not asked for a password; otherwise the timestamp
file is deleted and the user is prompted to enter a password.
.Lp
The PAM items
.Dv PAM_USER ,
.Dv PAM_AUSER
and
.Dv PAM_TTY
are used by this module.
.Sy pam_timestamp
is normally configured as
.Sy sufficient
and must be used in conjunction with the modules that support
UNIX authentication, which are
.Xr pam_authtok_get 5 ,
.Xr pam_unix_cred 5
and
.Xr pam_unix_auth 5 .
Proper authentication operation requires that
.Xr pam_unix_cred 5
be stacked above
.Nm .
.Sh OPTIONS
.Bl -tag -width Ds
.It Dv debug
Provides
.Xr syslog 3C
debugging information at the
.Sy LOG_AUTH | LOG_DEBUG
level.
.It Dv timeout
Specifies the period (in minutes) for which the timestamp
file is valid.
The default value is 5 minutes.
.El
.Sh FILES
.Bl -tag -width indent
.It Pa /var/run/tty_timestamps/...
Stores timestamp directories and files.
.El
.Sh EXIT STATUS
.Bl -tag -width Ds
.It Dv PAM_SUCCESS
The timestamp file has not expired.
.It Dv PAM_IGNORE
The
.Nm
module was not able to retrieve the required credentials,
or the timestamp file is expired or corrupt.
.El
.Sh EXAMPLES
.Ss Example 1 Allowing su authentication
.
The following example is a
.Xr pam.conf 4
fragment that illustrates the default settings for allowing
.Xr su 1M
authentication:
.Bd -literal -offset indent
su  auth required	pam_unix_cred.so.1
su  auth sufficient	pam_timestamp.so.1
su  auth requisite	pam_authtok_get.so.1
su  auth required	pam_unix_auth.so.1
.Ed
.Ss Example 2 Changing default timeout
.
The following fragment sets the timeout to 10 minutes:
.Bd -literal -offset indent
su  auth required	pam_unix_cred.so.1
su  auth sufficient	pam_timestamp.so.1	timeout=10
su  auth requisite	pam_authtok_get.so.1
su  auth required	pam_unix_auth.so.1
.Ed
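.Lp
The stacking rules described in this page can be checked mechanically.
The following Python script is an added example, not part of illumos or of the original manual page; the othersvc service, the 15-minute ceiling and the requirement that the password modules sit below pam_timestamp are assumptions of the example, and continuation lines are not handled.

```python
# Added example: audit pam.conf auth stacks that use pam_timestamp.
# SAMPLE is constructed: "su" is this page's Example 2, "othersvc" is made up.
SAMPLE = """\
su        auth required    pam_unix_cred.so.1
su        auth sufficient  pam_timestamp.so.1  timeout=10
su        auth requisite   pam_authtok_get.so.1
su        auth required    pam_unix_auth.so.1
othersvc  auth optional    pam_timestamp.so.1  timeout=0x10
othersvc  auth required    pam_unix_cred.so.1
"""
MAX_TIMEOUT_MIN = 15  # assumed site policy ceiling, not a limit of the module

def parse(text):
    """Group auth entries by service, keeping stack order."""
    stacks = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 4 and fields[1] == "auth":
            module = fields[3].rsplit("/", 1)[-1].split(".so")[0]
            stacks.setdefault(fields[0], []).append((fields[2], module, fields[4:]))
    return stacks

def audit(text):
    """Return (service, finding) pairs for stacks that contain pam_timestamp."""
    findings = []
    for service, stack in parse(text).items():
        names = [module for _, module, _ in stack]
        if "pam_timestamp" not in names:
            continue
        idx = names.index("pam_timestamp")
        flag, _, opts = stack[idx]
        if flag != "sufficient":
            findings.append((service, f"control flag is {flag}, not sufficient"))
        if "pam_unix_cred" not in names[:idx]:
            findings.append((service, "pam_unix_cred is not stacked above pam_timestamp"))
        for needed in ("pam_authtok_get", "pam_unix_auth"):
            if needed not in names[idx + 1:]:
                findings.append((service, f"{needed} missing below pam_timestamp"))
        for opt in opts:
            if opt.startswith("timeout="):
                value = opt.split("=", 1)[1]
                if not value.isdigit():
                    findings.append((service, f"timeout={value} is not whole minutes"))
                elif int(value) > MAX_TIMEOUT_MIN:
                    findings.append((service, f"timeout={value} exceeds site ceiling"))
    return findings

if __name__ == "__main__":
    print("\n".join(f"{s}: {f}" for s, f in audit(SAMPLE)))
```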
.Sh INTERFACE STABILITY
.Sy Uncommitted .
.Sh MT LEVEL
.Sy MT-Safe .
.Sh SEE ALSO
.Xr su 1M ,
.Xr syslog 3C ,
.Xr pam 3PAM ,
.Xr pam_sm_authenticate 3PAM ,
.Xr pam_sm_setcred 3PAM ,
.Xr pam.conf 4