147 lines
5.0 KiB
Groff
147 lines
5.0 KiB
Groff
.\" $XConsortium: pam_dce.5 /main/5 1996/10/29 15:41:52 drk $
|
|
.\" Sccs id goes here
|
|
'\"macro stdmacro
|
|
.\" Copyright (c) 1995, Sun Microsystems, Inc.
|
|
.\" All Rights Reserved
|
|
.nr X
|
|
.TH pam_dce 5 "19 Jan 1996"
|
|
.SH NAME
|
|
pam_dce \- authentication, account, and password management PAM functions for DCE
|
|
.SH SYNOPSIS
|
|
.LP
|
|
.B /usr/lib/security/pam_dce.so.1
|
|
.P
|
|
.LP
|
|
.SH DESCRIPTION
|
|
.IX "pam_dce" "" "\fLpam_dce\fP \(em authentication, account, and password management for DCE"
|
|
.PP
|
|
The DCE PAM module allows for integration of DCE into the system entry services
|
|
(such as
|
|
.BR login )
|
|
through the
|
|
.BR pam.conf (4)
|
|
file.
|
|
The DCE service module for PAM consists of
|
|
three components:
|
|
authentication, account management, and password management.
|
|
All three components are supported through the same loadable library,
|
|
.BR /usr/lib/security/pam_dce.so.1 .
|
|
.SH DCE Authentication Module
|
|
The DCE authentication component
|
|
provides functions to verify the identity of a user
|
|
(\f3pam_sm_authenticate\f1(3)),
|
|
and to initialize DCE credentials
|
|
(\f3pam_sm_setcred\f1(3)).
|
|
The DCE implementation of the
|
|
.BR pam_sm_authenticate (3)
|
|
function compares the user entered password with the password from the DCE Security
|
|
Service (i.e., the DCE Registry). If the passwords match, the user is
|
|
authenticated and obtains DCE credentials.
|
|
The following options may be passed to the DCE Authentication module:
|
|
.RS
|
|
.IP debug 15
|
|
Syslog debugging information at the LOG_DEBUG level.
|
|
.IP nowarn 15
|
|
Turns off warning messages about not being able to acquire DCE credentials.
|
|
.IP use_first_pass 15
|
|
Use the user's initial password (entered when the user is authenticated to the
|
|
first authentication module in the stack) to authenticate with DCE.
|
|
If the passwords do not match, or if this is the first authentication module in the
|
|
stack, quit and do not prompt the user for a password. It is
|
|
recommended that this option only be used if the DCE authentication
|
|
module is designated as
|
|
.I optional
|
|
in the
|
|
.B pam.conf
|
|
configuration file.
|
|
.IP try_first_pass 15
|
|
Use the user's initial password (entered when the user is authenticated to the
|
|
first authentication module in the PAM stack) to authenticate with DCE. If the
|
|
passwords do not match, or if this is the first authentication module in the
|
|
stack, prompt the user for a password.
|
|
.IP use_mapped_pass 15
|
|
This option will attempt to retrieve the "onc_dce_passwd" attribute from
|
|
the user's XFN context and use the user's initial password to decrypt
|
|
the DCE password stored in this attribute. If the DCE password stored in
|
|
this attribute is incorrect, then quit and do not prompt the user for a
|
|
password. It is recommended that this option only be used if the DCE
|
|
authentication module is designated as
|
|
.I optional.
|
|
.IP try_mapped_pass 15
|
|
Similar to
|
|
.B use_mapped_pass
|
|
with two exceptions. If the DCE password is incorrect,
|
|
prompt for it. Once a valid DCE password is entered, encrypt it
|
|
using the initial (first) password and store the encrypted value in the
|
|
"onc_dce_passwd" attribute in the user's XFN context.
|
|
.PP
|
|
Note that both
|
|
.B use_mapped_pass
|
|
and
|
|
.B try_mapped_pass
|
|
require that the UNIX authentication module (see
|
|
.BR pam_unix (5))
|
|
occurs before the DCE
|
|
authentication module. This to ensure that the user's secure RPC credentials
|
|
(for XFN/NIS+) have already been acquired.
|
|
.RE
|
|
|
|
If the user's DCE account has expired then an
|
|
error will be returned from
|
|
.BR pam_sm_authenticate (3).
|
|
.PP
|
|
In order to authenticate the user to the DCE security service
|
|
.BR pam_sm_authenticate (3)
|
|
calls
|
|
.BR sec_login_setup_identity (3)
|
|
followed by
|
|
.BR sec_login_valid_and_cert_ident (3).
|
|
.PP
|
|
.BR pam_sm_setcred (3)
|
|
calls the function
|
|
.BR sec_login_set_context (3)
|
|
to set the DCE credentials after they have been validated by
|
|
.BR pam_sm_authenticate .
|
|
.SH DCE Account Management Module
|
|
The DCE account management component
|
|
provides a function to perform account management
|
|
(\f3pam_sm_acct_mgmt\f1(3)).
|
|
The DCE implementation of the
|
|
.BR pam_sm_acct_mgmt (3)
|
|
function retrieves the user's account and password expiration information from
|
|
the DCE Security Server and verifies that the user's account and password
|
|
have not expired.
|
|
The following options may be passed to the DCE account module:
|
|
.RS
|
|
.IP allow_expired_passwd 20
|
|
Allows a user with an expired password to login.
|
|
.IP debug 20
|
|
Syslog debugging information at the LOG_DEBUG level.
|
|
.IP nowarn 20
|
|
Turns off the warning messages displayed when a user's account and/or
|
|
password are going to expire.
|
|
.RE
|
|
.PP
|
|
.BR pam_sm_acct_mgmt (3)
|
|
calls the function
|
|
.BR sec_login_inquire_net_info (3)
|
|
to retrieve information about when a user's account and/or password is
|
|
going to expire.
|
|
.SH DCE Password Management Module
|
|
The DCE password management component
|
|
provides a function to change passwords
|
|
(\f3pam_sm_chauthtok\f1(3)).
|
|
The following option may be passwd to the DCE account module:
|
|
.RS
|
|
.IP debug 15
|
|
Syslog debugging information at the LOG_DEBUG level.
|
|
.RE
|
|
.SH "SEE ALSO"
|
|
.BR pam (3),
|
|
.BR sec_login_setup_identity (3),
|
|
.BR sec_login_valid_and_cert_ident (3),
|
|
.BR sec_login_set_context (3),
|
|
.BR sec_login_inquire_net_info (3),
|
|
.BR pam.conf (4),
|
|
.BR pam_unix (5)
|