NAME
pam_ksu — Kerberos 5 SU PAM module
SYNOPSIS
[service-name] module-type control-flag pam_ksu [options]
DESCRIPTION
The Kerberos 5 SU authentication service module for PAM provides functionality
for only one PAM category: authentication. In terms of the module-type
parameter, this is the “auth” feature. The module is specifically designed to
be used with the su(1) utility.
Kerberos 5 SU Authentication Module
The Kerberos 5 SU authentication component provides functions to verify the
identity of a user (pam_sm_authenticate()), and determine whether or not the
user is authorized to obtain the privileges of the target account. If the
target account is “root”, then the Kerberos 5 principal used for
authentication and authorization will be the “root” instance of the current
user, e.g. “user/root@REAL.M”. Otherwise, the principal will simply be the
current user's default principal, e.g. “user@REAL.M”.
The user is prompted for a password if necessary. Authorization is performed by
comparing the Kerberos 5 principal with those listed in the
.k5login file in the target account's home directory (e.g.
/root/.k5login for root).
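
The authorization rule described above, modelled in Python as an added example (not the module's own code): it derives the principal for a given su attempt and audits a .k5login file for the local users it admits. The realm EXAMPLE.ORG, the function names and the sample file are constructed; exact string comparison and one principal per line are simplifying assumptions.

```python
# Added example: models the pam_ksu authorization rule described on this page.
# Assumptions: principals are compared as exact strings, .k5login holds one
# principal per line, and a user's default principal is user@REALM.

def su_principal(user, target, realm):
    """Principal checked when `user` runs su to `target`."""
    if target == "root":
        return f"{user}/root@{realm}"   # the "root" instance of the user
    return f"{user}@{realm}"            # the user's default principal

def parse_k5login(text):
    """Return the principals listed in a .k5login file, skipping blank lines."""
    return [line.strip() for line in text.splitlines() if line.strip()]

def is_authorized(user, target, realm, k5login_text):
    """True if the principal for this su attempt is in the target's .k5login."""
    return su_principal(user, target, realm) in parse_k5login(k5login_text)

def audit_k5login(target, realm, k5login_text):
    """Return (local users admitted, entries the rule does not match for realm)."""
    suffix = ("/root@" if target == "root" else "@") + realm
    admitted, unmatched = [], []
    for entry in parse_k5login(k5login_text):
        name = entry[:-len(suffix)] if entry.endswith(suffix) else ""
        # A usable name has no instance or realm separators left in it.
        if name and "/" not in name and "@" not in name:
            admitted.append(name)
        else:
            unmatched.append(entry)
    return admitted, unmatched

# Constructed sample: contents of /root/.k5login on a host in EXAMPLE.ORG.
ROOT_K5LOGIN = """\
alice/root@EXAMPLE.ORG
bob/root@EXAMPLE.ORG

carol@EXAMPLE.ORG
dave/root@OTHER.EXAMPLE
"""

if __name__ == "__main__":
    admitted, unmatched = audit_k5login("root", "EXAMPLE.ORG", ROOT_K5LOGIN)
    print("may su to root:", admitted)
    print("not matched for su to root:", unmatched)
```

Entries reported as unmatched are worth reviewing during an audit: they do not correspond to any principal this rule derives for the given realm.
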
The following options may be passed to the authentication module:
debug
    syslog(3) debugging information at LOG_DEBUG level.
use_first_pass
    If the authentication module is not the first in the stack, and a previous
    module obtained the user's password, that password is used to authenticate
    the user. If this fails, the authentication module returns failure without
    prompting the user for a password. This option has no effect if the
    authentication module is the first in the stack, or if no previous modules
    obtained the user's password.
try_first_pass
    This option is similar to the use_first_pass option, except that if the
    previously obtained password fails, the user is prompted for another
    password.
SEE ALSO
su(1), syslog(3), pam.conf(5), pam(8)