.\"
.\" This file and its contents are supplied under the terms of the
.\" Common Development and Distribution License ("CDDL"), version 1.0.
.\" You may only use this file in accordance with the terms of version
.\" 1.0 of the CDDL.
.\"
.\" A full copy of the text of the CDDL should have accompanied this
.\" source. A copy of the CDDL is also available via the Internet at
.\" http://www.illumos.org/license/CDDL.
.\"
.\" Copyright 2014 Nexenta Systems, Inc.
.\"
.Dd Aug 20, 2014
.Dt PAM_TIMESTAMP 5
.Os
.Sh NAME
.Nm pam_timestamp
.Nd PAM authentication module using cached successful authentication attempts
.Sh SYNOPSIS
.Nm pam_timestamp.so.1
.Op Ar debug
.Op Ar timeout=min
.Sh DESCRIPTION
The
.Nm
module caches successful tty-based authentication attempts by
creating per-user directories and per-tty timestamp files in the
common timestamp directory
.Pa /var/run/tty_timestamps .
On the next authentication, if the timestamp file exists and has not
expired, the user is not asked for a password; otherwise the timestamp
file is deleted and the user is prompted to enter a password.
.Lp
The PAM items
.Dv PAM_USER ,
.Dv PAM_AUSER
and
.Dv PAM_TTY
are used by this module.
.Sy pam_timestamp
is normally configured as
.Sy sufficient
and must be used in conjunction with the modules that support
UNIX authentication, which are
.Xr pam_authtok_get 5 ,
.Xr pam_unix_cred 5
and
.Xr pam_unix_auth 5 .
Proper authentication operation requires that
.Xr pam_unix_cred 5
be stacked above
.Nm .
.Sh OPTIONS
.Bl -tag -width Ds
.It Dv debug
Provides
.Xr syslog 3C
debugging information at the
.Sy LOG_AUTH | LOG_DEBUG
level.
.It Dv timeout
Specifies the period (in minutes) for which the timestamp
file is valid.
The default value is 5 minutes.
.El
.Sh FILES
.Bl -tag -width indent
.It Pa /var/run/tty_timestamps/...
Stores timestamp directories and files.
.El
.Sh EXIT STATUS
.Bl -tag -width Ds
.It Dv PAM_SUCCESS
The timestamp file is not expired.
.It Dv PAM_IGNORE
The
.Nm
module was not able to retrieve the required credentials,
or the timestamp file is expired or corrupt.
.El
.Sh EXAMPLES
.Ss Example 1 Allowing su authentication
.
The following example is a
.Xr pam.conf 4
fragment that illustrates the default settings for allowing
.Xr su 1M
authentication:
.Bd -literal -offset indent
su auth required   pam_unix_cred.so.1
su auth sufficient pam_timestamp.so.1
su auth requisite  pam_authtok_get.so.1
su auth required   pam_unix_auth.so.1
.Ed
.Ss Example 2 Changing default timeout
.
The following fragment sets the timeout to 10 minutes:
.Bd -literal -offset indent
su auth required   pam_unix_cred.so.1
su auth sufficient pam_timestamp.so.1 timeout=10
su auth requisite  pam_authtok_get.so.1
su auth required   pam_unix_auth.so.1
.Ed
.Sh INTERFACE STABILITY
.Sy Uncommitted .
.Sh MT LEVEL
.Sy MT-Safe .
.Sh SEE ALSO
.Xr su 1M ,
.Xr pam 3PAM ,
.Xr pam_sm_authenticate 3PAM ,
.Xr pam_sm_setcred 3PAM ,
.Xr pam.conf 4 ,
.Xr syslog 3C
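
The stacking rules in DESCRIPTION (the sufficient control flag, pam_unix_cred above pam_timestamp, the UNIX authentication modules in the same stack) can be checked mechanically when reviewing a pam.conf fragment. The following is an added example, not part of the illumos source or this man page. It assumes one entry per line with no continuation lines, and the `max_timeout` limit is a hypothetical reviewer policy rather than a module option.

```python
import collections

# Constructed sample: the fragment from Example 2 of this page.
EXAMPLE_2 = """\
su auth required   pam_unix_cred.so.1
su auth sufficient pam_timestamp.so.1 timeout=10
su auth requisite  pam_authtok_get.so.1
su auth required   pam_unix_auth.so.1
"""
DEFAULT_TIMEOUT = 5  # minutes; the default stated on the man page
UNIX_AUTH = ("pam_authtok_get.so", "pam_unix_auth.so")

def stacks(text):
    """Group pam.conf entries into ordered stacks keyed by (service, type)."""
    out = collections.defaultdict(list)
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()  # strip comments, split fields
        if len(fields) >= 4:
            service, mtype, control, path = fields[:4]
            out[(service, mtype)].append((control, path.rsplit("/", 1)[-1], fields[4:]))
    return out

def audit(text, max_timeout=DEFAULT_TIMEOUT):
    """Return findings for each pam_timestamp entry in the fragment.
    max_timeout is a hypothetical site policy limit in minutes."""
    findings = []
    for (service, mtype), stack in stacks(text).items():
        names = [module for _, module, _ in stack]
        for pos, (control, module, opts) in enumerate(stack):
            if not module.startswith("pam_timestamp.so"):
                continue
            where = f"{service}/{mtype}"
            if control != "sufficient":
                findings.append(f"{where}: control flag is {control}, not sufficient")
            if not any(n.startswith("pam_unix_cred.so") for n in names[:pos]):
                findings.append(f"{where}: pam_unix_cred is not stacked above pam_timestamp")
            for need in UNIX_AUTH:
                if not any(n.startswith(need) for n in names):
                    findings.append(f"{where}: {need} is missing from the stack")
            timeout = DEFAULT_TIMEOUT
            for opt in opts:
                if opt.startswith("timeout="):
                    value = opt.split("=", 1)[1]
                    timeout = int(value) if value.isdigit() else None
            if timeout is None:
                findings.append(f"{where}: timeout is not a number of minutes")
            elif timeout > max_timeout:
                findings.append(f"{where}: timeout={timeout} exceeds {max_timeout} minutes")
    return findings
```

Calling `audit(EXAMPLE_2)` flags only the lengthened timeout; raising `max_timeout` to 10 clears it.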