Man page or keyword search:   man All Sections 1 - General Commands 2 - System Calls 3 - Subroutines, Functions 4 - Special Files 5 - File Formats 6 - Games and Screensavers 7 - Macros and Conventions 8 - Maintenence Commands 9 - Kernel Interface New Commands Server 4.4BSD AIX Alpinelinux Archlinux Aros BSDOS BSDi Bifrost CentOS Cygwin Darwin Debian DigitalUNIX DragonFly ElementaryOS Fedora FreeBSD Gentoo GhostBSD HP-UX Haiku Hurd IRIX Inferno JazzOS Kali Knoppix LinuxMint MacOSX Mageia Mandriva Manjaro Minix MirBSD NeXTSTEP NetBSD OPENSTEP OSF1 OpenBSD OpenDarwin OpenIndiana OpenMandriva OpenServer OpenSuSE OpenVMS Oracle PC-BSD Peanut Pidora Plan9 QNX Raspbian RedHat Scientific Slackware SmartOS Solaris SuSE SunOS Syllable Tru64 UNIXv7 Ubuntu Ultrix UnixWare Xenix YellowDog aLinux   9747 pages apropos Keyword Search (all sections) Output format html ascii pdf view pdf save postscript

PAM_KSU(8)		  BSD System Manager's Manual		    PAM_KSU(8)

NAME
     pam_ksu — Kerberos 5 SU PAM module

SYNOPSIS
     [service-name] module-type control-flag pam_ksu [options]

DESCRIPTION
     The Kerberos 5 SU authentication service module for PAM, pam_ksu for only
     one PAM category: authentication.	In terms of the module-type parameter,
     this is the “auth” feature.  The module is specifically designed to be
     used with the su(1) utility.

   Kerberos 5 SU Authentication Module
     The Kerberos 5 SU authentication component provides functions to verify
     the identity of a user (pam_sm_authenticate()), and determine whether or
     not the user is authorized to obtain the privileges of the target
     account.  If the target account is “root”, then the Kerberos 5 principal
     used for authentication and authorization will be the “root” instance of
     the current user, e.g. “user/root@REAL.M”.	 Otherwise, the principal will
     simply be the current user's default principal, e.g. “user@REAL.M”.

     The user is prompted for a password if necessary.	Authorization is per‐
     formed by comparing the Kerberos 5 principal with those listed in the
     .k5login file in the target account's home directory (e.g. /root/.k5login
     for root).

     The following options may be passed to the authentication module:

     debug	     syslog(3) debugging information at LOG_DEBUG level.

     use_first_pass  If the authentication module is not the first in the
		     stack, and a previous module obtained the user's pass‐
		     word, that password is used to authenticate the user.  If
		     this fails, the authentication module returns failure
		     without prompting the user for a password.	 This option
		     has no effect if the authentication module is the first
		     in the stack, or if no previous modules obtained the
		     user's password.

     try_first_pass  This option is similar to the use_first_pass option,
		     except that if the previously obtained password fails,
		     the user is prompted for another password.

SEE ALSO
     su(1), syslog(3), pam.conf(5), pam(8)

BSD				 May 15, 2002				   BSD

Vote for polarhome