Standards, Environments, and Macros pam_dhkeys(5)
NAME
pam_dhkeys - authentication Diffie-Hellman keys management
module
SYNOPSIS
pam_dhkeys.so.1
DESCRIPTION
The pam_dhkeys.so.1 service module provides functionality to
two PAM services: Secure RPC authentication and Secure RPC
authentication token management.
Secure RPC authentication differs from regular unix
authentication because NIS+ and other ONC RPCs use Secure RPC as
the underlying security mechanism.
The following options may be passed to the module:
debug     syslog(3C) debugging information at LOG_DEBUG level
nowarn    Turn off warning messages
Authentication Services
If the user has Diffie-Hellman keys, pam_sm_authenticate()
establishes secret keys for the user specified by the
PAM_USER (equivalent to running keylogin(1)), using the
authentication token found in the PAM_AUTHTOK item. Not
being able to establish the secret keys results in an
authentication error if the NIS+ repository is used to
authenticate the user and the NIS+ table permissions require
secure RPC credentials to access the password field. If
pam_sm_setcred() is called with PAM_ESTABLISH_CRED and the
user's secure RPC credentials need to be established, these
credentials are set. This is equivalent to running
keylogin(1).
If the credentials could not be set and PAM_SILENT is not
specified, a diagnostic message is displayed. If
pam_setcred() is called with PAM_DELETE_CRED, the user's
secure RPC credentials are unset. This is equivalent to
running keylogout(1).
PAM_REINITIALIZE_CRED and PAM_REFRESH_CRED are not supported
and return PAM_IGNORE.
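A configuration check for the behaviour described above, added here as an example (it is not part of the original man page or of Solaris): it parses pam.conf(4)-style lines and reports pam_dhkeys.so.1 auth entries that run before any module has set PAM_AUTHTOK, entries with debug enabled, and options this page does not document. Assumptions: pam_authtok_get.so.1 is the module that populates PAM_AUTHTOK, and the sample configuration is constructed.

```python
"""Audit pam.conf(4)-style text for pam_dhkeys.so.1 entries (added example)."""

DHKEYS = "pam_dhkeys.so.1"
# Assumption: pam_authtok_get.so.1 is the module that populates PAM_AUTHTOK.
TOKEN_SETTER = "pam_authtok_get.so.1"
KNOWN_OPTIONS = {"debug", "nowarn"}  # the options documented on this page

# Constructed sample configuration, not taken from a real system.
SAMPLE_PAM_CONF = """\
# service type control module [options]
login  auth     requisite pam_authtok_get.so.1
login  auth     required  pam_dhkeys.so.1
rlogin auth     required  pam_dhkeys.so.1 debug
rlogin auth     requisite pam_authtok_get.so.1
other  auth     requisite pam_authtok_get.so.1
other  password required  pam_dhkeys.so.1 nowarn nowarnings
"""


def parse(text):
    """Yield (lineno, service, module_type, module, options) per entry."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 4:
            service, mtype, _control, path = fields[:4]
            yield lineno, service, mtype, path.rsplit("/", 1)[-1], fields[4:]


def audit(text):
    """Return (lineno, finding) tuples for pam_dhkeys.so.1 entries."""
    findings = []
    token_ready = set()  # services whose auth stack has already run TOKEN_SETTER
    for lineno, service, mtype, module, options in parse(text):
        if mtype == "auth" and module == TOKEN_SETTER:
            token_ready.add(service)
        if module != DHKEYS:
            continue
        # pam_sm_authenticate() reads PAM_AUTHTOK; unset means PAM_AUTH_ERR.
        if mtype == "auth" and service not in token_ready:
            findings.append((lineno, "PAM_AUTHTOK not set before pam_dhkeys"))
        if "debug" in options:
            findings.append((lineno, "debug option enabled"))
        for opt in options:
            if opt not in KNOWN_OPTIONS:
                findings.append((lineno, "undocumented option: " + opt))
    return findings


if __name__ == "__main__":
    for lineno, finding in audit(SAMPLE_PAM_CONF):
        print(f"line {lineno}: {finding}")
```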
SunOS 5.11 Last change: 21 Jan 2003
Authentication Token Management
The pam_sm_chauthtok() implementation checks whether the old
login password decrypts the user's secret keys. If it doesn't,
this module prompts the user for an old Secure RPC password
and stores it in a pam data item called SUNW_OLDRPCPASS.
This data item can be used by the store module to
effectively update the user's secret keys.
ERRORS
The authentication service returns the following error
codes:
PAM_SUCCESS         Credentials set successfully.
PAM_IGNORE          Credentials not needed to access the
                    password repository.
PAM_USER_UNKNOWN    PAM_USER is not set, or the user is
                    unknown.
PAM_AUTH_ERR        No secret keys were set. PAM_AUTHTOK is
                    not set, no credentials are present or
                    there is a wrong password.
PAM_BUF_ERR         Module ran out of memory.
PAM_SYSTEM_ERR      The NIS+ subsystem failed.
The authentication token management returns the following
error codes:
PAM_SUCCESS         Old rpc password is set in
                    SUNW_OLDRPCPASS
PAM_USER_UNKNOWN    User in PAM_USER is unknown.
PAM_AUTHTOK_ERR     User did not provide a password that
                    decrypts the secret keys.
PAM_BUF_ERR         Module ran out of memory.
ATTRIBUTES
See attributes(5) for descriptions of the following
attributes:
ATTRIBUTE TYPE         ATTRIBUTE VALUE
Interface Stability    Evolving
MT Level               MT-Safe with exceptions
SEE ALSO
keylogin(1), keylogout(1), pam(3PAM),
pam_authenticate(3PAM), pam_chauthtok(3PAM),
pam_setcred(3PAM), pam_get_item(3PAM), pam_set_data(3PAM),
pam_get_data(3PAM), syslog(3C), libpam(3LIB), pam.conf(4),
attributes(5), pam_authtok_check(5), pam_authtok_get(5),
pam_authtok_store(5), pam_passwd_auth(5),
pam_unix_account(5), pam_unix_auth(5), pam_unix_session(5)
NOTES
The interfaces in libpam(3LIB) are MT-Safe only if each
thread within the multi-threaded application uses its own
PAM handle.
The pam_unix(5) module is no longer supported. Similar
functionality is provided by pam_authtok_check(5),
pam_authtok_get(5), pam_authtok_store(5), pam_dhkeys(5),
pam_passwd_auth(5), pam_unix_account(5), pam_unix_auth(5),
and pam_unix_session(5).