Skip site navigation (1)Skip section navigation (2)

FreeBSD Man Pages

Man Page or Keyword Search:
Man Architecture
Apropos Keyword Search (all sections) Output format
home | help
PAM_KSU(8)		FreeBSD	System Manager's Manual		    PAM_KSU(8)

NAME
     pam_ksu --	Kerberos 5 SU PAM module

SYNOPSIS
     [service-name] module-type	control-flag pam_ksu [options]

DESCRIPTION
     The Kerberos 5 SU authentication service module for PAM, pam_ksu for only
     one PAM category: authentication.	In terms of the	module-type parameter,
     this is the ``auth'' feature.  The	module is specifically designed	to be
     used with the su(1) utility.

   Kerberos 5 SU Authentication	Module
     The Kerberos 5 SU authentication component	provides functions to verify
     the identity of a user (pam_sm_authenticate()), and determine whether or
     not the user is authorized	to obtain the privileges of the	target
     account.  If the target account is	``root'', then the Kerberos 5 princi-
     pal used for authentication and authorization will	be the ``root''
     instance of the current user, e.g.	``user/root@REAL.M''.  Otherwise, the
     principal will simply be the current user's default principal, e.g.
     ``user@REAL.M''.

     The user is prompted for a	password if necessary.	Authorization is per-
     formed by comparing the Kerberos 5	principal with those listed in the
     .k5login file in the target account's home	directory (e.g.	/root/.k5login
     for root).

     The following options may be passed to the	authentication module:

     debug	     syslog(3) debugging information at	LOG_DEBUG level.

     use_first_pass  If	the authentication module is not the first in the
		     stack, and	a previous module obtained the user's pass-
		     word, that	password is used to authenticate the user.  If
		     this fails, the authentication module returns failure
		     without prompting the user	for a password.	 This option
		     has no effect if the authentication module	is the first
		     in	the stack, or if no previous modules obtained the
		     user's password.

     try_first_pass  This option is similar to the use_first_pass option,
		     except that if the	previously obtained password fails,
		     the user is prompted for another password.

SEE ALSO
     su(1), syslog(3), pam.conf(5), pam(8)

FreeBSD	10.1			 May 15, 2002			  FreeBSD 10.1

NAME | SYNOPSIS | DESCRIPTION | SEE ALSO

Want to link to this manual page? Use this URL:
<http://www.freebsd.org/cgi/man.cgi?query=pam_ksu&manpath=FreeBSD+9.2-RELEASE>

home | help