pam_ksu(8)
NAME
pam_ksu - Kerberos 5 SU PAM module
SYNOPSIS
[service-name] module-type control-flag pam_ksu [options]
DESCRIPTION
The Kerberos 5 SU authentication service module for PAM, pam_ksu, provides
functionality for only one PAM category: authentication. In terms of the
module-type parameter, this is the "auth" feature. The module is specifically
designed to be used with the su(1) utility.

Kerberos 5 SU Authentication Module
The Kerberos 5 SU authentication component provides functions to verify the
identity of a user (pam_sm_authenticate()), and determine whether or not the
user is authorized to obtain the privileges of the target account. If the
target account is "root", then the Kerberos 5 principal used for
authentication and authorization will be the "root" instance of the current
user, e.g. "user/root@REAL.M". Otherwise, the principal will simply be the
current user's default principal, e.g. "user@REAL.M".

The user is prompted for a password if necessary. Authorization is performed
by comparing the Kerberos 5 principal with those listed in the .k5login file
in the target account's home directory (e.g. /root/.k5login for root).

The following options may be passed to the authentication module:

debug
    syslog(3) debugging information at LOG_DEBUG level.

use_first_pass
    If the authentication module is not the first in the stack, and a
    previous module obtained the user's password, that password is used to
    authenticate the user. If this fails, the authentication module returns
    failure without prompting the user for a password. This option has no
    effect if the authentication module is the first in the stack, or if no
    previous modules obtained the user's password.

try_first_pass
    This option is similar to the use_first_pass option, except that if the
    previously obtained password fails, the user is prompted for another
    password.
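
The principal selection and .k5login comparison described under "Kerberos 5 SU Authentication Module", modelled in Python as an added example for auditing who may become which account. It is not pam_ksu's source: the function names and sample files are constructed, and a missing .k5login is treated as listing no principals, which this page does not specify.

```python
from __future__ import annotations
import tempfile
from pathlib import Path

def ksu_principal(user: str, target: str, realm: str) -> str:
    """Principal the page says is used when `user` switches to `target`."""
    if target == "root":
        return f"{user}/root@{realm}"  # "root" instance of the current user
    return f"{user}@{realm}"           # current user's default principal

def k5login_principals(home: Path) -> set[str]:
    """Principals listed one per line in <home>/.k5login."""
    # Assumption: a missing file yields no listed principals in this model.
    path = home / ".k5login"
    if not path.is_file():
        return set()
    return {ln.strip() for ln in path.read_text().splitlines() if ln.strip()}

def is_authorized(user: str, target: str, realm: str, target_home: Path) -> bool:
    """True when the selected principal is listed in the target's .k5login."""
    return ksu_principal(user, target, realm) in k5login_principals(target_home)

def audit(accounts: dict[str, Path]) -> dict[str, list[str]]:
    """Map each target account to the sorted principals listed for it."""
    return {acct: sorted(k5login_principals(h)) for acct, h in accounts.items()}

def demo() -> dict:
    # Constructed sample home directories; REAL.M is the realm used on this page.
    with tempfile.TemporaryDirectory() as tmp:
        root_home, www_home = Path(tmp, "root"), Path(tmp, "www")
        for h in (root_home, www_home):
            h.mkdir()
        (root_home / ".k5login").write_text("alice/root@REAL.M\n\nbob/root@REAL.M\n")
        (www_home / ".k5login").write_text("alice@REAL.M\n")
        return {
            "alice->root": is_authorized("alice", "root", "REAL.M", root_home),
            "carol->root": is_authorized("carol", "root", "REAL.M", root_home),
            "alice->www": is_authorized("alice", "www", "REAL.M", www_home),
            "audit": audit({"root": root_home, "www": www_home}),
        }

if __name__ == "__main__":
    print(demo())
```

Running audit() over the real home directories gives a reviewable list of every principal named in a .k5login, with /root/.k5login the entry to check first.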
SEE ALSO
su(1), syslog(3), pam.conf(5), pam(8)

BSD May 15, 2002