pam_timestamp(8) System Administrator's Manual pam_timestamp(8)NAME
pam_timestamp - authenticate using cached successful authentication attempts
SYNOPSIS
auth sufficient /lib/security/pam_timestamp.so
session optional /lib/security/pam_timestamp.so
DESCRIPTION
In a nutshell, pam_timestamp caches successful authentication attempts, and allows you to use a recent successful attempt as the basis for
authentication.
When an application opens a session using pam_timestamp, a timestamp file is created in the timestampdir directory for the user. When an
application attempts to authenticate the user, a pam_timestamp will treat a sufficiently- recent timestamp file as grounds for succeeding.
ARGUMENTS
debug turns on debugging via syslog(3).
timestampdir=name
tells pam_timestamp.so where to place and search for timestamp files. This should match the directory configured for sudo(1) in the
sudoers(5) file.
timestamp_timeout=number
tells pam_timestamp.so how long it should treat timestamp files as valid after their last modification date. This should match the
value configured for sudo(1) in the sudoers(5) file.
verbose
attempt to inform the user when access is granted.
EXAMPLE
/etc/pam.d/some-config-tool:
auth sufficient /lib/security/pam_timestamp.so verbose auth required /lib/security/pam_unix.so
session required /lib/security/pam_permit.so session optional /lib/security/pam_timestamp.so
CAVEATS
Users can get confused when they aren't always asked for passwords when running a given program. Some users reflexively begin typing
information before noticing that it's not being asked for.
SEE ALSO pam_timestamp_check(8)BUGS
Let's hope not, but if you find any, please email the author.
AUTHOR
Nalin Dahyabhai <nalin@redhat.com>
Red Hat Linux 2002/02/07 pam_timestamp(8)
Check Out this Related Man Page
pam_krb5(8) System Administrator's Manual pam_krb5(8)NAME
pam_krb5 - Kerberos 5 authentication
SYNOPSIS
auth required /lib/security/pam_krb5.so
session optional /lib/security/pam_krb5.so
account sufficient /lib/security/pam_krb5.so
password sufficient /lib/security/pam_krb5.so
DESCRIPTION
pam_krb5.so is designed to allow smooth integration of Kerberos 5 password- checking with applications built using PAM. It also supports
session-specific ticket files (which are neater), and Kerberos IV ticket file grabbing. Its main use is as an authentication module, but
it also supplies the same functions as a session-management module to better support poorly-written applications, and a couple of other
workarounds as well. It also supports account management and password-changing.
When a user logs in, the module's authentication function performs a simple password check and, if possible, obtains Kerberos 5 and Ker-
beros IV credentials, caching them for later use. When the application requests initialization of credentials (or opens a session), the
usual ticket files are created. When the application subsequently requests deletion of credentials or closing of the session, the module
deletes the ticket files.
ARGUMENTS
debug turns on debugging via syslog(3). Debugging messages are logged with priority LOG_DEBUG.
addressless
tells pam_krb5.so to obtain credentials without address lists. This may be necessary if your network uses NAT, and should otherwise
not be used.
hosts=host
tells pam_krb5.so to obtain credentials using the address of the given host in addition to the addresses of interfaces on the local
workstation. For example, if your workstation is behind a masquerading firewall, specifying the firewall's outward-facing address
here should allow Kerberos authentication to succeed.
banner=Kerberos
tells pam_krb5.so how to identify itself when users attempt to change their passwords.
ccache_dir=/tmp
tells pam_krb5.so which directory to use for storing credential caches.
forwardable
tells pam_krb5.so that credentials it obtains should be forwardable.
keytab=/etc/krb5.keytab
tells pam_krb5.so the location of a keytab to use when validating credentials obtained from KDCs.
krb4_convert
tells pam_krb5.so to obtain Kerberos IV credentials for users, in addition to Kerberos 5 credentials.
minimum_uid=0
tells pam_krb5.so to ignore authentication attempts by users with UIDs below the specified number.
no_user_check
tells pam_krb5.so to not check if a user exists on the local system, and to create ccache files owned by the current process's UID.
This is useful for situations where a non-privileged server process needs to use Kerberized services on behalf of remote users who may
not have local access. Note that such a server should have an encrypted connection with its client in order to avoid allowing the
user's password to be eavesdropped.
proxiable
tells pam_krb5.so that credentials it obtains should be proxiable.
realm=realm
overrides the default realm set in /etc/krb5.conf, which pam_krb5.so will attempt to authenticate users to.
renew_lifetime=36000
sets the default renewable lifetime for credentials.
skip_first_pass
tells pam_krb5.so to not bother checking a password that has been set by a module listed earlier in the stack. This option is
included mainly for completeness.
ticket_lifetime=36000
sets the default lifetime for credentials.
try_first_pass
tells pam_krb5.so to check the password as with use_first_pass, but to prompt the user for another one if the previously-entered one
fails. This is the default mode of operation.
use_first_pass
tells pam_krb5.so to get the user's entered password as it was stored by a module listed earlier in the stack, usually pam_unix or
pam_pwdb, instead of prompting the user for it.
use_authtok
tells pam_krb5.so to never prompt for passwords when changing passwords. This is useful if you are using pam_cracklib.so to try to
enforce use of less-easy-to-guess passwords.
validate
tells pam_krb5.so to verify that the TGT obtained from the realm's servers has not been spoofed.
FILES
/etc/krb5.conf
SEE ALSO pam_krb5(5)BUGS
Probably, but let's hope not. If you find any, please email the author.
AUTHOR
Nalin Dahyabhai <nalin@redhat.com>
Red Hat Linux 2002/02/15 pam_krb5(8)