PAM_KSU(8) BSD System Manager's Manual PAM_KSU(8)
pam_ksu -- Kerberos 5 SU PAM module
[service-name] module-type control-flag pam_ksu [options]
The Kerberos 5 SU authentication service module for PAM provides functionality for only one
PAM category: authentication. In terms of the module-type parameter, this is the ``auth''
feature. The module is specifically designed to be used with the su(1) utility.
Kerberos 5 SU Authentication Module
The Kerberos 5 SU authentication component provides functions to verify the identity of a
user (pam_sm_authenticate()), and determine whether or not the user is authorized to obtain
the privileges of the target account. If the target account is ``root'', then the Kerberos
5 principal used for authentication and authorization will be the ``root'' instance of the
current user, e.g. ``user/root@REAL.M''. Otherwise, the principal will simply be the cur-
rent user's default principal, e.g. ``user@REAL.M''.
The user is prompted for a password if necessary. Authorization is performed by comparing
the Kerberos 5 principal with those listed in the .k5login file in the target account's home
directory (e.g. /root/.k5login for root).
The following options may be passed to the authentication module:
debug syslog(3) debugging information at LOG_DEBUG level.
use_first_pass If the authentication module is not the first in the stack, and a previous
module obtained the user's password, that password is used to authenticate
the user. If this fails, the authentication module returns failure without
prompting the user for a password. This option has no effect if the authen-
tication module is the first in the stack, or if no previous modules
obtained the user's password.
try_first_pass This option is similar to the use_first_pass option, except that if the pre-
viously obtained password fails, the user is prompted for another password.
su(1), syslog(3), pam.conf(5), pam(8)
BSD May 15, 2002 BSD