NAME
pam_ksu —
Kerberos 5 SU PAM module
SYNOPSIS
[service-name] module-type control-flag pam_ksu [options]
DESCRIPTION
The Kerberos 5 SU authentication service module for PAM provides functionality for only one PAM category: authentication. In terms of the module-type parameter, this is the “auth” feature. The module is
specifically designed to be used with the
su(1)
utility.
Kerberos 5 SU Authentication Module
The Kerberos 5 SU authentication component provides functions to
verify the identity of a user
(pam_sm_authenticate()),
and determine whether or not the user is authorized to obtain the privileges
of the target account. If the target account is “root”, then
the Kerberos 5 principal used for authentication and authorization will be
the “root” instance of the current user, e.g.
“user/root@REAL.M”. Otherwise, the
principal will simply be the current user's default principal, e.g.
“user@REAL.M”.
The user is prompted for a password if necessary. Authorization is performed by comparing the Kerberos 5 principal with those listed in the .k5login file in the target account's home directory (e.g. /root/.k5login for root).
The following options may be passed to the authentication module:
debug- syslog(3) debugging information at
LOG_DEBUGlevel. use_first_pass- If the authentication module is not the first in the stack, and a previous module obtained the user's password, that password is used to authenticate the user. If this fails, the authentication module returns failure without prompting the user for a password. This option has no effect if the authentication module is the first in the stack, or if no previous modules obtained the user's password.
try_first_pass- This option is similar to the
use_first_passoption, except that if the previously obtained password fails, the user is prompted for another password.