The Kerberos 5 SU authentication service module for PAM,
for only one PAM category: authentication.
In terms of the
module-type
parameter, this is the
``auth
''
feature.
The module is specifically designed to be used with the
su(1)
utility.
Kerberos 5 SU Authentication Module
The Kerberos 5 SU authentication component provides functions to verify
the identity of a user
(Fn pam_sm_authenticate
)
and determine whether or not the user is authorized to obtain the
privileges of the target account.
If the target account is
``root''
then the Kerberos 5 principal used
for authentication and authorization will be the
``root''
instance of
the current user, e.g.
``user/[email protected]
''
Otherwise, the principal will simply be the current user's default
principal, e.g.
``[email protected]
''
The user is prompted for a password if necessary.
Authorization is performed
by comparing the Kerberos 5 principal with those listed in the
.k5login
file in the target account's home directory
(e.g.
/root/.k5login
for root).
The following options may be passed to the authentication module:
debug
syslog(3)
debugging information at
LOG_DEBUG
level.
use_first_pass
If the authentication module
is not the first in the stack,
and a previous module
obtained the user's password,
that password is used
to authenticate the user.
If this fails,
the authentication module returns failure
without prompting the user for a password.
This option has no effect
if the authentication module
is the first in the stack,
or if no previous modules
obtained the user's password.
try_first_pass
This option is similar to the
use_first_pass
option,
except that if the previously obtained password fails,
the user is prompted for another password.