*nix Documentation Project
·  Home
 +   man pages
·  Linux HOWTOs
·  FreeBSD Tips
·  *niX Forums

  man pages->FreeBSD man pages -> pam_ksu (8)              
Title
Content
Arch
Section
 

PAM_KSU(8)

Contents


NAME    [Toc]    [Back]

     pam_ksu -- Kerberos 5 SU PAM module

SYNOPSIS    [Toc]    [Back]

     [service-name] module-type control-flag pam_ksu [options]

DESCRIPTION    [Toc]    [Back]

     The Kerberos 5 SU authentication service module for PAM, pam_ksu for only
     one PAM category: authentication.  In terms of the module-type parameter,
     this is the ``auth'' feature.  The module is specifically designed to be
     used with the su(1) utility.

   Kerberos 5 SU Authentication Module    [Toc]    [Back]
     The Kerberos 5 SU authentication component provides functions to verify
     the identity of a user (pam_sm_authenticate()), and determine whether or
     not the user is authorized to obtain the privileges of the target
     account.  If the target account is ``root'', then the Kerberos 5 principal
 used for authentication and authorization will be the ``root''
     instance of the current user, e.g. ``user/root@REAL.M''.  Otherwise, the
     principal will simply be the current user's default principal, e.g.
     ``user@REAL.M''.

     The user is prompted for a password if necessary.  Authorization is performed
 by comparing the Kerberos 5 principal with those listed in the
     .k5login file in the target account's home directory (e.g. /root/.k5login
     for root).

     The following options may be passed to the authentication module:

     debug           syslog(3) debugging information at LOG_DEBUG level.

     use_first_pass  If the authentication module is not the first in the
                     stack, and a previous module obtained the user's password,
 that password is used to authenticate the user.  If
                     this fails, the authentication module returns failure
                     without prompting the user for a password.  This option
                     has no effect if the authentication module is the first
                     in the stack, or if no previous modules obtained the
                     user's password.

     try_first_pass  This option is similar to the use_first_pass option,
                     except that if the previously obtained password fails,
                     the user is prompted for another password.

SEE ALSO    [Toc]    [Back]

      
      
     su(1), syslog(3), pam.conf(5), pam(8)


FreeBSD 5.2.1                    May 15, 2002                    FreeBSD 5.2.1
[ Back ]
 Similar pages
Name OS Title
pam_krb5 FreeBSD Kerberos 5 PAM module
ldr_inq_region Tru64 Return module information about a region in a loaded module
krb5 FreeBSD kerberos 5 library
kdc OpenBSD Kerberos 5 server
krb5 NetBSD kerberos 5 library
kdc FreeBSD Kerberos 5 server
krb5_krbhst_free FreeBSD lookup Kerberos KDC hosts
krb5_krbhst_next FreeBSD lookup Kerberos KDC hosts
krb5_krbhst_format_string FreeBSD lookup Kerberos KDC hosts
krb5_get_krb_changepw_hst FreeBSD lookup Kerberos KDC hosts
Copyright © 2004-2005 DeniX Solutions SRL
newsletter delivery service