PAM_KSU(8) | System Manager's Manual | PAM_KSU(8) |
pam_ksu
— Kerberos
5 SU PAM module
[service-name] module-type control-flag pam_ksu [options]
The Kerberos 5 SU authentication service module for PAM provides
functionality for only one PAM category: authentication. In terms of the
module-type parameter, this is the
“auth
” feature. The module is
specifically designed to be used with the
su(1) utility.
The Kerberos 5 SU authentication component provides functions to
verify the identity of a user
(pam_sm_authenticate
()),
and determine whether or not the user is authorized to obtain the privileges
of the target account. If the target account is “root”, then
the Kerberos 5 principal used for authentication and authorization will be
the “root” instance of the current user, e.g.
“user/root@REAL.M
”. Otherwise, the
principal will simply be the current user's default principal, e.g.
“user@REAL.M
”.
The user is prompted for a password if necessary. Authorization is performed by comparing the Kerberos 5 principal with those listed in the .k5login file in the target account's home directory (e.g. /root/.k5login for root).
The following options may be passed to the authentication module:
debug
LOG_DEBUG
level.use_first_pass
try_first_pass
use_first_pass
option, except that if the previously obtained password fails, the user is
prompted for another password.May 15, 2002 | NetBSD 10.99 |