Skip site navigation (1)Skip section navigation (2)

FreeBSD Manual Pages

  
 
  

home | help
PAM_KSU(8)		  BSD System Manager's Manual		    PAM_KSU(8)

NAME
     pam_ksu --	Kerberos 5 SU PAM module

SYNOPSIS
     [service-name] module-type	control-flag pam_ksu [options]

DESCRIPTION
     The Kerberos 5 SU authentication service module for PAM, pam_ksu for only
     one PAM category: authentication.	In terms of the	module-type parameter,
     this is the "auth"	feature.  The module is	specifically designed to be
     used with the su(1) utility.

   Kerberos 5 SU Authentication	Module
     The Kerberos 5 SU authentication component	provides functions to verify
     the identity of a user (pam_sm_authenticate()), and determine whether or
     not the user is authorized	to obtain the privileges of the	target ac-
     count.  If	the target account is "root", then the Kerberos	5 principal
     used for authentication and authorization will be the "root" instance of
     the current user, e.g. "user/root@REAL.M".	 Otherwise, the	principal will
     simply be the current user's default principal, e.g. "user@REAL.M".

     The user is prompted for a	password if necessary.	Authorization is per-
     formed by comparing the Kerberos 5	principal with those listed in the
     .k5login file in the target account's home	directory (e.g.	/root/.k5login
     for root).

     The following options may be passed to the	authentication module:

     debug	     syslog(3) debugging information at	LOG_DEBUG level.

     use_first_pass  If	the authentication module is not the first in the
		     stack, and	a previous module obtained the user's pass-
		     word, that	password is used to authenticate the user.  If
		     this fails, the authentication module returns failure
		     without prompting the user	for a password.	 This option
		     has no effect if the authentication module	is the first
		     in	the stack, or if no previous modules obtained the
		     user's password.

     try_first_pass  This option is similar to the use_first_pass option, ex-
		     cept that if the previously obtained password fails, the
		     user is prompted for another password.

SEE ALSO
     su(1), syslog(3), pam.conf(5), pam(8)

BSD				 May 15, 2002				   BSD

NAME | SYNOPSIS | DESCRIPTION | SEE ALSO

Want to link to this manual page? Use this URL:
<https://www.freebsd.org/cgi/man.cgi?query=pam_ksu&sektion=8&manpath=FreeBSD+12.1-RELEASE+and+Ports>

home | help