.\"
.\" This file and its contents are supplied under the terms of the
.\" Common Development and Distribution License ("CDDL"), version 1.0.
.\" You may only use this file in accordance with the terms of version
.\" 1.0 of the CDDL.
.\"
.\" A full copy of the text of the CDDL should have accompanied this
.\" source. A copy of the CDDL is also available via the Internet at
.\" http://www.illumos.org/license/CDDL.
.\"
.\" Copyright 2014 Nexenta Systems, Inc.
.\"
.Dd Nov 26, 2017
.Dt PAM_TIMESTAMP 5
.Os
.Sh NAME
.Nm pam_timestamp
.Nd PAM authentication module using cached successful authentication attempts
.Sh SYNOPSIS
.Nm pam_timestamp.so.1
.Op Ar debug
.Op Ar timeout=min
.Sh DESCRIPTION
The
.Nm
module caches successful tty-based authentication attempts by
creating per-user directories and per-tty timestamp files in the
common timestamp directory
.Pa /var/run/tty_timestamps .
On the next authentication, if the timestamp file exists and has not expired,
the user is not asked for a password; otherwise the timestamp
file is deleted and the user is prompted to enter a password.
.Lp
The PAM items
.Dv PAM_USER ,
.Dv PAM_AUSER
and
.Dv PAM_TTY
are used by this module.
.Sy pam_timestamp
is normally configured as
.Sy sufficient
and must be used in conjunction with the modules that support
UNIX authentication, which are
.Xr pam_authtok_get 5 ,
.Xr pam_unix_cred 5
and
.Xr pam_unix_auth 5 .
Proper authentication operation requires that
.Xr pam_unix_cred 5
be stacked above
.Nm .
.Sh OPTIONS
.Bl -tag -width Ds
.It Dv debug
Provides
.Xr syslog 3C
debugging information at the
.Sy LOG_AUTH | LOG_DEBUG
level.
.It Dv timeout
Specifies the period (in minutes) for which the timestamp file is valid.
The default value is 5 minutes.
.El
.Sh FILES
.Bl -tag -width indent
.It Pa /var/run/tty_timestamps/...
Stores timestamp directories and files.
.El
.Sh EXIT STATUS
.Bl -tag -width Ds
.It Dv PAM_SUCCESS
The timestamp file has not expired.
.It Dv PAM_IGNORE
The
.Nm
module was not able to retrieve the required credentials,
or the timestamp file is expired or corrupt.
.El
.Sh EXAMPLES
.Ss Example 1 Allowing su authentication
.
The following example is a
.Xr pam.conf 4
fragment that illustrates default settings for allowing
.Xr su 1M
authentication:
.Bd -literal -offset indent
su auth required pam_unix_cred.so.1
su auth sufficient pam_timestamp.so.1
su auth requisite pam_authtok_get.so.1
su auth required pam_unix_auth.so.1
.Ed
.Ss Example 2 Changing default timeout
.
The following fragment sets the timeout to 10 minutes:
.Bd -literal -offset indent
su auth required pam_unix_cred.so.1
su auth sufficient pam_timestamp.so.1 timeout=10
su auth requisite pam_authtok_get.so.1
su auth required pam_unix_auth.so.1
.Ed
.Sh INTERFACE STABILITY
.Sy Uncommitted .
.Sh MT LEVEL
.Sy MT-Safe .
.Sh SEE ALSO
.Xr su 1M ,
.Xr syslog 3C ,
.Xr pam 3PAM ,
.Xr pam_sm_authenticate 3PAM ,
.Xr pam_sm_setcred 3PAM ,
.Xr pam.conf 4
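.Lp
The stacking rules described above can be checked mechanically. The following linter is an added example, not part of the original manual page or of the illumos source. It assumes the legacy single-file pam.conf layout shown in the examples, and the service name myapp and the max_timeout policy limit are hypothetical.

```python
DEFAULT_TIMEOUT_MIN = 5  # default stated in the manual page
COMPANIONS = ("pam_authtok_get", "pam_unix_auth")

# Constructed sample input; "myapp" is a hypothetical service name.
SAMPLE = """
su     auth required    pam_unix_cred.so.1
su     auth sufficient  pam_timestamp.so.1
su     auth requisite   pam_authtok_get.so.1
su     auth required    pam_unix_auth.so.1
myapp  auth sufficient  pam_timestamp.so.1 timeout=60
myapp  auth required    pam_unix_cred.so.1
myapp  auth requisite   pam_authtok_get.so.1
myapp  auth required    pam_unix_auth.so.1
"""

def parse_auth_stacks(text):
    """Map each service to its ordered auth entries: (flag, module, options)."""
    stacks = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop comments, split on blanks
        if len(fields) < 4 or fields[1] != "auth":
            continue
        service, _, flag, path, *opts = fields
        module = path.rsplit("/", 1)[-1].split(".so")[0]
        stacks.setdefault(service, []).append((flag, module, opts))
    return stacks

def lint_pam_timestamp(text, max_timeout=15):
    """Return (service, message) findings; max_timeout is an assumed site policy."""
    findings = []
    for service, stack in parse_auth_stacks(text).items():
        names = [module for _, module, _ in stack]
        if "pam_timestamp" not in names:
            continue
        idx = names.index("pam_timestamp")
        flag, _, opts = stack[idx]
        if flag != "sufficient":
            findings.append((service, f"control flag is {flag}, not sufficient"))
        # The manual page requires pam_unix_cred earlier in the same stack.
        if "pam_unix_cred" not in names[:idx]:
            findings.append((service, "pam_unix_cred is not stacked above pam_timestamp"))
        findings += [(service, f"{m} is missing") for m in COMPANIONS if m not in names]
        value = next((o[8:] for o in opts if o.startswith("timeout=")), str(DEFAULT_TIMEOUT_MIN))
        if not value.isdigit():
            findings.append((service, f"timeout {value} is not a whole number of minutes"))
        elif int(value) > max_timeout:
            findings.append((service, f"timeout {value} min exceeds policy maximum of {max_timeout} min"))
    return findings
```

Pass the contents of a pam.conf file to lint_pam_timestamp() and review each returned (service, message) pair; an empty list means every stack that uses pam_timestamp follows the layout shown in the examples.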