.\"
.\" This file and its contents are supplied under the terms of the
.\" Common Development and Distribution License ("CDDL"), version 1.0.
.\" You may only use this file in accordance with the terms of version
.\" 1.0 of the CDDL.
.\"
.\" A full copy of the text of the CDDL should have accompanied this
.\" source.  A copy of the CDDL is also available via the Internet at
.\" http://www.illumos.org/license/CDDL.
.\"
.\" Copyright 2014 Nexenta Systems, Inc.
.\"
.Dd Nov 26, 2017
.Dt PAM_TIMESTAMP 5
.Os
.Sh NAME
.Nm pam_timestamp
.Nd PAM authentication module using cached successful authentication attempts
.Sh SYNOPSIS
.Nm pam_timestamp.so.1
.Op Ar debug
.Op Ar timeout=min
.Sh DESCRIPTION
The
.Nm
module caches successful tty-based authentication attempts by
creating per-user directories and per-tty timestamp files in the
common timestamp directory
.Pa /var/run/tty_timestamps .
On the next authentication attempt, if the timestamp file exists and has
not expired, the user is not asked for a password; otherwise the timestamp
file is deleted and the user is prompted to enter a password.
.Lp
The PAM items
.Dv PAM_USER ,
.Dv PAM_AUSER
and
.Dv PAM_TTY
are used by this module.
.Sy pam_timestamp
is normally configured as
.Sy sufficient
and must be used in conjunction with the modules that support
UNIX authentication, which are
.Xr pam_authtok_get 5 ,
.Xr pam_unix_cred 5
and
.Xr pam_unix_auth 5 .
Proper authentication operation requires that
.Xr pam_unix_cred 5
be stacked above
.Nm .
.Sh OPTIONS
.Bl -tag -width Ds
.It Dv debug
Provides
.Xr syslog 3C
debugging information at the
.Sy LOG_AUTH | LOG_DEBUG
level.
.It Dv timeout
Specifies the period (in minutes) for which the timestamp file is valid.
The default value is 5 minutes.
.El
.Sh FILES
.Bl -tag -width indent
.It Pa /var/run/tty_timestamps/...
Stores timestamp directories and files.
.El
.Sh EXIT STATUS
.Bl -tag -width Ds
.It Dv PAM_SUCCESS
The timestamp file has not expired.
.It Dv PAM_IGNORE
The
.Nm
module was not able to retrieve the required credentials,
or the timestamp file is expired or corrupt.
.El
.Sh EXAMPLES
.Ss Example 1 Allowing su authentication
.
The following example is a
.Xr pam.conf 4
fragment that illustrates default settings for allowing
.Xr su 1M
authentication:
.Bd -literal -offset indent
su  auth required       pam_unix_cred.so.1
su  auth sufficient     pam_timestamp.so.1
su  auth requisite      pam_authtok_get.so.1
su  auth required       pam_unix_auth.so.1
.Ed
.Ss Example 2 Changing default timeout
.
The following fragment changes the timeout from the default to 10 minutes:
.Bd -literal -offset indent
su  auth required       pam_unix_cred.so.1
su  auth sufficient     pam_timestamp.so.1      timeout=10
su  auth requisite      pam_authtok_get.so.1
su  auth required       pam_unix_auth.so.1
.Ed
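.Lp
The following script is an added example, not part of the original manual page or the illumos source.
It audits a pam.conf fragment against the stacking rules stated in DESCRIPTION and reports the effective timeout; the function names, the finding texts and the one-entry-per-line input format are assumptions of the example.
.Bd -literal
```python
# Added example, not illumos code; names and finding texts are assumptions.
DEFAULT_TIMEOUT_MIN = 5  # default stated under OPTIONS

def parse_auth_stacks(text):
    """Return {service: [(control_flag, module_name, options), ...]}."""
    stacks = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 4 or fields[1] != "auth":
            continue
        service, _, flag, path = fields[:4]
        name = path.rsplit("/", 1)[-1].split(".so", 1)[0]
        stacks.setdefault(service, []).append((flag, name, fields[4:]))
    return stacks

def audit(text):
    """Return sorted (service, finding) pairs for every pam_timestamp entry."""
    findings = []
    for service, stack in parse_auth_stacks(text).items():
        names = [name for _, name, _ in stack]
        for pos, (flag, name, opts) in enumerate(stack):
            if name != "pam_timestamp":
                continue
            if flag != "sufficient":
                findings.append((service, "control flag is " + flag))
            if "pam_unix_cred" not in names[:pos]:
                findings.append((service, "pam_unix_cred not stacked above"))
            for mod in ("pam_authtok_get", "pam_unix_auth"):
                if mod not in names:
                    findings.append((service, mod + " missing"))
            timeout = DEFAULT_TIMEOUT_MIN
            for opt in opts:
                key, _, value = opt.partition("=")
                if key == "timeout" and value.isdecimal():
                    timeout = int(value)
                elif key == "timeout":
                    findings.append((service, "bad timeout " + value))
            findings.append((service, "timestamp valid %d min" % timeout))
    return sorted(findings)

# Constructed input: "su" follows Example 2; "login" is deliberately incomplete.
SAMPLE = """
su     auth required    pam_unix_cred.so.1
su     auth sufficient  pam_timestamp.so.1  timeout=10
su     auth requisite   pam_authtok_get.so.1
su     auth required    pam_unix_auth.so.1
login  auth sufficient  pam_timestamp.so.1
login  auth requisite   pam_authtok_get.so.1
"""
```
.Ed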
.Sh INTERFACE STABILITY
.Sy Uncommitted .
.Sh MT LEVEL
.Sy MT-Safe .
.Sh SEE ALSO
.Xr su 1M ,
.Xr syslog 3C ,
.Xr pam 3PAM ,
.Xr pam_sm_authenticate 3PAM ,
.Xr pam_sm_setcred 3PAM ,
.Xr pam.conf 4