pam_ksu(8) [freebsd man page]

PAM_KSU(8)						    BSD System Manager's Manual 						PAM_KSU(8)

NAME
     pam_ksu -- Kerberos 5 SU PAM module

SYNOPSIS
     [service-name] module-type control-flag pam_ksu [options]

DESCRIPTION
     The Kerberos 5 SU authentication service module for PAM, pam_ksu, provides functionality for only one PAM category: authentication. In terms of the module-type parameter, this is the ``auth'' feature. The module is specifically designed to be used with the su(1) utility.

   Kerberos 5 SU Authentication Module
     The Kerberos 5 SU authentication component provides functions to verify the identity of a user (pam_sm_authenticate()) and to determine whether or not the user is authorized to obtain the privileges of the target account. If the target account is ``root'', then the Kerberos 5 principal used for authentication and authorization will be the ``root'' instance of the current user, e.g. ``user/root@REAL.M''. Otherwise, the principal will simply be the current user's default principal, e.g. ``user@REAL.M''. The user is prompted for a password if necessary. Authorization is performed by comparing the Kerberos 5 principal with those listed in the .k5login file in the target account's home directory (e.g. /root/.k5login for root).

     The following options may be passed to the authentication module:

     debug           syslog(3) debugging information at LOG_DEBUG level.

     use_first_pass  If the authentication module is not the first in the stack, and a previous module obtained the user's password, that password is used to authenticate the user. If this fails, the authentication module returns failure without prompting the user for a password. This option has no effect if the authentication module is the first in the stack, or if no previous modules obtained the user's password.

     try_first_pass  This option is similar to the use_first_pass option, except that if the previously obtained password fails, the user is prompted for another password.

SEE ALSO
     su(1), syslog(3), pam.conf(5), pam(8)

BSD                                                              May 15, 2002                                                              BSD
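The DESCRIPTION above fixes two things a reviewer of an su policy needs to keep apart: which principal the module authenticates as (the caller's ``root'' instance for su to root, the caller's default principal otherwise) and where that principal must be listed (the target account's .k5login). The following Python model is an added example, not FreeBSD's pam_ksu source; the realm EXAMPLE.COM, the user names and the .k5login contents are constructed, and skipping blank and `#` lines in .k5login is an assumption of the model rather than something the man page states.

```python
"""Model of the pam_ksu(8) principal derivation and .k5login authorization check.

Added example, not the FreeBSD pam_ksu module itself. Realm, user names and
.k5login contents below are constructed for illustration.
"""


def ksu_principal(current_user: str, target: str, realm: str) -> str:
    """Principal pam_ksu authenticates as for a given su target.

    su to root uses the caller's "root" instance (user/root@REALM); any other
    target account uses the caller's default principal (user@REALM).
    """
    if target == "root":
        return f"{current_user}/root@{realm}"
    return f"{current_user}@{realm}"


def parse_k5login(text: str) -> set[str]:
    """One principal per line. Skipping blank lines and '#' comments is an
    assumption of this model; the man page only says principals are listed."""
    principals = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            principals.add(line)
    return principals


def ksu_authorized(current_user: str, target: str, realm: str, k5login_text: str) -> bool:
    """Authorization step: the derived principal must appear in the target
    account's .k5login (e.g. /root/.k5login when the target is root)."""
    return ksu_principal(current_user, target, realm) in parse_k5login(k5login_text)


# Constructed sample: /root/.k5login on a host in realm EXAMPLE.COM.
SAMPLE_ROOT_K5LOGIN = """\
# operators allowed to su to root via pam_ksu
alice/root@EXAMPLE.COM
bob/root@EXAMPLE.COM
"""

# Constructed sample: ~carol/.k5login, letting alice su to carol with alice's
# default principal.
SAMPLE_CAROL_K5LOGIN = "alice@EXAMPLE.COM\n"


if __name__ == "__main__":
    print(ksu_authorized("alice", "root", "EXAMPLE.COM", SAMPLE_ROOT_K5LOGIN))    # True
    print(ksu_authorized("alice", "carol", "EXAMPLE.COM", SAMPLE_CAROL_K5LOGIN))  # True
    print(ksu_authorized("carol", "root", "EXAMPLE.COM", SAMPLE_ROOT_K5LOGIN))    # False
    # A plain default principal in /root/.k5login does not authorize su to
    # root, because the module looks for the caller's root instance.
    print(ksu_authorized("alice", "root", "EXAMPLE.COM", "alice@EXAMPLE.COM\n"))  # False
```

The last call is the case worth remembering when auditing /root/.k5login: an entry of the form `user@REALM` grants nothing for su to root under this module, since only `user/root@REALM` is compared.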


pam_krb5(5)							File Formats Manual						       pam_krb5(5)

NAME
     pam_krb5 - authentication, account, session and password management modules for Kerberos 5

SYNOPSIS
     /usr/lib/security/$ISA/libpam_krb5.so.1

DESCRIPTION
     The KRB5 PAM modules allow integration of Kerberos authentication into the system entry services (such as login), using the pam.conf(4) configuration file. The Kerberos service module for PAM consists of the following three modules: the authentication module, the account management module and the password module. It also provides null functions for session management. All modules are supported through the same dynamically loadable library. The KRB5 PAM modules are compatible with MIT Kerberos 5 and Microsoft Windows 2000.

   Authentication Module
     The authentication module verifies the user identity and sets the user credentials. It passes the authentication key derived from the user's password to the Kerberos security service. The security service uses the authentication key to verify the user and issues a ticket-granting ticket. The credential management function sets user specific credentials. It stores the credentials in a cache file and exports the environment variable KRB5CCNAME to identify the cache file. The cache file is stored in the /tmp/pam_krb5/creds directory. This module creates a unique cache file for every session. The credentials cache should be destroyed by the user at logout with kdestroy(1m).

     The following options may be passed to the authentication module through pam.conf(4):

     debug             This option allows syslog(3C) debugging information at LOG_DEBUG level.

     use_first_pass    This option allows the initial password (entered when the user is authenticated to the first authentication module in the stack) to authenticate with Kerberos. If the user cannot be authenticated or if this is the first authentication module in the stack, quit without prompting for a password. It is recommended that this option be used only if the authentication module is designated as optional in the pam.conf(4) configuration file.

     try_first_pass    This option allows the initial password (entered when the user is authenticated to the first authentication module in the PAM stack) to authenticate with Kerberos. If the user cannot be authenticated or if this is the first authentication module in the stack, prompt for a password.

     forwardable       This option allows a ticket-granting ticket with a different network address than the present ticket-granting ticket to be issued to the user. For forwardable tickets to be granted, the user's account in Kerberos must specify that the user can be granted forwardable tickets.

     renewable=<time>  This option allows tickets issued to the user to be renewed. For renewable tickets to be granted, the user's account in Kerberos must specify that the user can be granted renewable tickets. The renewal time of the ticket-granting ticket is specified by <time>. The form of time is the same as the one in kinit(1m).

     proxiable         This option allows a ticket with a different network address than the present ticket to be issued to the user. For proxiable tickets to be granted, the user's account in Kerberos must specify that the user can be granted proxiable tickets.

     ignore            Returns PAM_IGNORE. Generally this option should not be used. But sometimes it may not be desirable or may not be necessary to authenticate certain users (root, ftp, ...) with Kerberos. In such cases you can use this option in pam_user.conf(4) for per user configuration. It is not recommended for you to use this option in pam.conf(4). See the examples section.

   Account Management Module
     The account management module provides a function to perform account management. This function retrieves the user's account and password expiration information from the Kerberos database and verifies that they have not expired. The module does not issue any warning if the account or the password is about to expire.

     The following options can be passed to the Account Management module through pam.conf(4):

     debug             This option allows syslog(3C) debugging information at LOG_DEBUG level.

     ignore            Returns PAM_IGNORE. Generally this option should not be used. But sometimes it may not be desirable or may not be necessary to authenticate certain users (root, ftp, ...) with Kerberos. In such cases you can use this option in pam_user.conf(4) for per user configuration. It is not recommended for you to use this option in pam.conf(4). See the examples section.

   Password Management Module
     The password management module provides a function to change passwords in the Kerberos password database. Unlike when changing a Unix password, the password management module will allow any user to change any other's password (if the user knows the other's old password, of course). Also unlike Unix, root is always prompted for the user's old password.

     The following options can be passed into the password module through the pam.conf(4) file:

     debug             This option allows syslog(3C) debugging information at LOG_DEBUG level.

     use_first_pass    This option allows the initial password (entered when the user is authenticated to the first authentication module in the stack) to authenticate with Kerberos. If the user cannot be authenticated or if this is the first authentication module in the stack, quit without prompting for a password. It is recommended that this option be used only if the authentication module is designated as optional in the pam.conf(4) configuration file.

     try_first_pass    This option allows the initial password (entered when the user is authenticated to the first authentication module in the PAM stack) to authenticate with Kerberos. If the user cannot be authenticated or if this is the first authentication module in the stack, prompt for a password.

     ignore            Returns PAM_IGNORE. Generally this option should not be used. But sometimes it may not be desirable or may not be necessary to authenticate certain users (root, ftp, ...) with Kerberos. In such cases you can use this option in pam_user.conf(4) for per user configuration. It is not recommended for you to use this option in pam.conf(4). See the examples section.

   Session Management Module
     The session management module provides functions to initiate and terminate sessions. Since session management is not defined under Kerberos, both of these functions simply return PAM_SUCCESS. They are provided only because of the naming conventions for PAM modules.

     The following options can be passed into the session management module through the pam.conf(4) file:

     debug             This option allows syslog(3C) debugging information at LOG_DEBUG level.

     ignore            Returns PAM_IGNORE. Generally this option should not be used. But sometimes it may not be desirable or may not be necessary to authenticate certain users (root, ftp, ...) with Kerberos. In such cases you can use this option in pam_user.conf(4) for per user configuration. It is not recommended for you to use this option in pam.conf(4). See the examples section.

EXAMPLE
     Following is a sample configuration in which no authentication is done with Kerberos for root, i.e. the KRB5 PAM module does nothing and just returns PAM_IGNORE for user root. For every user other than root, it will try to authenticate using Kerberos. If Kerberos succeeds, the user is authenticated. If Kerberos fails to authenticate the user, PAM will try to authenticate via UNIX PAM using the same password.

     pam_user.conf:

          # configuration for user root. KRB5 PAM module uses the
          # ignore option and returns PAM_IGNORE
          root auth     libpam_krb5.so.1 ignore
          root password libpam_krb5.so.1 ignore
          root account  libpam_krb5.so.1 ignore
          root session  libpam_krb5.so.1 ignore

     pam.conf:

          # For per user configuration the libpam_updbe.so.1 (pam_updbe(5)) module
          # must be the first module in the stack. If Kerberos authentication
          # is valid the UNIX authentication function will not be invoked.
          login auth     required   libpam_hpsec.so.1
          login auth     required   libpam_updbe.so.1
          login auth     sufficient libpam_krb5.so.1
          login auth     required   libpam_unix.so.1 try_first_pass

          login password required   libpam_hpsec.so.1
          login password required   libpam_updbe.so.1
          login password required   libpam_krb5.so.1
          login password required   libpam_unix.so.1 try_first_pass

          login account  required   libpam_hpsec.so.1
          login account  required   libpam_updbe.so.1
          login account  required   libpam_krb5.so.1
          login account  required   libpam_unix.so.1

          login session  required   libpam_hpsec.so.1
          login session  required   libpam_updbe.so.1
          login session  required   libpam_krb5.so.1
          login session  required   libpam_unix.so.1

NOTES
     The use of pam_hpsec is mandatory for services like login, dtlogin, su, ftp, rcomds and sshd (see attached pam.conf). It is required that these services stack this module above one or more additional modules such as pam_unix, pam_kerberos, etc. However, for 'OTHER' services, pam_hpsec is not configured by default. System administrators and application writers must consider whether it is appropriate to use pam_hpsec for any given application.

SEE ALSO
     pam(3), pam_authenticate(3), pam_setcred(3), syslog(3C), pam.conf(4), pam_user.conf(4), pam_updbe(5), kinit(1m), klist(1m), kdestroy(1m)

                                                                                                                                     pam_krb5(5)
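The EXAMPLE section's behaviour depends on three PAM stacking rules working together: a `required` failure is remembered but does not stop the stack, a `sufficient` success ends the stack early unless a required module has already failed, and a module returning PAM_IGNORE is treated as though its line were absent. The evaluator below is an added example, not HP-UX PAM code, written to trace the `login auth` stack of that example. The user database, passwords and the stand-in for libpam_hpsec.so.1 and libpam_updbe.so.1 are constructed; folding the per-user `ignore` option from pam_user.conf directly into the simulated krb5 module (rather than modelling pam_updbe reading the file) is a simplification of this model.

```python
"""Evaluator for the 'login auth' stack in the pam_krb5(5) EXAMPLE.

Added example, not HP-UX PAM code. Simulates the control flags used in that
example (required, sufficient) and the PAM_IGNORE result that the per-user
'ignore' option produces for root. All accounts and passwords are constructed.
"""

PAM_SUCCESS, PAM_AUTH_ERR, PAM_IGNORE = "PAM_SUCCESS", "PAM_AUTH_ERR", "PAM_IGNORE"

# Constructed user database: Kerberos principals vs local UNIX accounts.
KRB5_PASSWORDS = {"alice": "krb-secret"}
UNIX_PASSWORDS = {"root": "root-local", "alice": "old-unix-pw", "bob": "bob-local"}

# Per-user configuration from the example pam_user.conf: root -> ignore.
# (Simplification: the real setup has libpam_updbe.so.1 read pam_user.conf.)
PAM_USER_CONF_IGNORE = {"root"}


def pam_krb5_auth(user, password):
    """libpam_krb5.so.1: PAM_IGNORE for users configured with 'ignore',
    otherwise a simulated Kerberos password check."""
    if user in PAM_USER_CONF_IGNORE:
        return PAM_IGNORE
    return PAM_SUCCESS if KRB5_PASSWORDS.get(user) == password else PAM_AUTH_ERR


def pam_unix_auth(user, password):
    """libpam_unix.so.1 with try_first_pass: reuses the password already entered."""
    return PAM_SUCCESS if UNIX_PASSWORDS.get(user) == password else PAM_AUTH_ERR


def pam_passthrough_auth(user, password):
    """Constructed stand-in for libpam_hpsec.so.1 and libpam_updbe.so.1,
    which succeed in this model."""
    return PAM_SUCCESS


# The 'login auth' lines of the example pam.conf, in stack order.
LOGIN_AUTH_STACK = [
    ("required", pam_passthrough_auth),   # libpam_hpsec.so.1
    ("required", pam_passthrough_auth),   # libpam_updbe.so.1
    ("sufficient", pam_krb5_auth),        # libpam_krb5.so.1
    ("required", pam_unix_auth),          # libpam_unix.so.1 try_first_pass
]


def run_auth_stack(stack, user, password):
    """Evaluate a PAM auth stack.

    required:   a failure is remembered; the remaining modules still run.
    sufficient: success ends the stack with PAM_SUCCESS unless a required
                module already failed; a failure is ignored.
    PAM_IGNORE: the module is treated as if its line were not in the stack.
    Returns (final result, list of (module name, result)) for inspection.
    """
    required_failed = False
    trace = []
    for flag, module in stack:
        result = module(user, password)
        trace.append((module.__name__, result))
        if result == PAM_IGNORE:
            continue
        if flag == "required":
            if result != PAM_SUCCESS:
                required_failed = True
        elif flag == "sufficient":
            if result == PAM_SUCCESS and not required_failed:
                return PAM_SUCCESS, trace
    return (PAM_AUTH_ERR if required_failed else PAM_SUCCESS), trace


def login(user, password):
    """Final result of the 'login auth' stack for a user/password pair."""
    return run_auth_stack(LOGIN_AUTH_STACK, user, password)[0]


if __name__ == "__main__":
    print(login("root", "root-local"))    # PAM_SUCCESS: krb5 ignored, pam_unix decides
    print(login("alice", "krb-secret"))   # PAM_SUCCESS: Kerberos sufficient, pam_unix never runs
    print(login("alice", "old-unix-pw"))  # PAM_SUCCESS: Kerberos fails, pam_unix accepts same password
    print(login("bob", "wrong"))          # PAM_AUTH_ERR
```

Running the trace for `alice` with her Kerberos password shows the stack stopping after libpam_krb5.so.1, which is the property the comment in the example pam.conf promises ("the UNIX authentication function will not be invoked"); the trace for `root` shows the krb5 line contributing PAM_IGNORE and the decision resting entirely on libpam_unix.so.1.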
