Standards, Environments, and Macros pam_unix_cred(5)
NAME
pam_unix_cred - PAM user credential authentication module
for UNIX
SYNOPSIS
pam_unix_cred.so.1
DESCRIPTION
The pam_unix_cred module implements pam_sm_setcred(3PAM). It
provides functions that establish user credential information.
It is a module separate from the pam_unix_auth(5)
module to allow replacement of the authentication functionality
independently from the credential functionality.
The pam_unix_cred module must always be stacked along with
whatever authentication module is used to ensure correct
credential setting.
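One way to check the stacking requirement above, as an added example that is not part of the original manual page: the function reads pam.conf(4)-format lines and lists each service whose auth stack omits pam_unix_cred.so.1. The sample entries, the ftpd service name and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit pam.conf-format input for auth stacks that
# do not include pam_unix_cred.so.1.

# Print (sorted) each service that defines auth entries but never
# lists pam_unix_cred.so.1 among them. Expected line format:
#   service  module_type  control_flag  module_path  [options]
# Pass a file name, or "-" to read standard input.
# Services with no auth entries of their own are not reported.
missing_cred_services() {
    awk '
        /^[ \t]*#/ || NF < 4 { next }      # skip comments, blank and short lines
        $2 == "auth" {
            seen[$1] = 1
            n = split($4, parts, "/")      # accept relative or absolute module path
            if (parts[n] == "pam_unix_cred.so.1") ok[$1] = 1
        }
        END { for (s in seen) if (!(s in ok)) print s }
    ' "$1" | sort
}

# Constructed sample, not taken from a real system.
sample_pam_conf() {
    cat <<'EOF'
# constructed pam.conf fragment
login   auth requisite   pam_authtok_get.so.1
login   auth required    pam_unix_cred.so.1
login   auth required    pam_unix_auth.so.1
ftpd    auth required    pam_unix_auth.so.1
other   auth requisite   pam_authtok_get.so.1
other   auth required    /usr/lib/security/pam_unix_cred.so.1
other   auth required    pam_unix_auth.so.1
other   account required pam_unix_account.so.1
EOF
}

# Run the audit over the constructed sample.
check_sample() {
    sample_pam_conf | missing_cred_services -
}

check_sample   # prints: ftpd
```

On a real system, pass the path of the configuration file instead, for example `missing_cred_services /etc/pam.conf`.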
Authentication service modules must implement both
pam_sm_authenticate() and pam_sm_setcred().
pam_sm_authenticate() in this module always returns
PAM_IGNORE.
pam_sm_setcred() initializes the user's project, privilege
sets and initializes or updates the user's audit context if
it hasn't already been initialized. The following flags may
be set in the flags field:
PAM_ESTABLISH_CRED
PAM_REFRESH_CRED
PAM_REINITIALIZE_CRED
Initializes the user's project to the project specified
in PAM_RESOURCE, or if PAM_RESOURCE is not specified, to
the user's default project. Establishes the user's
privilege sets.
If the audit context is not already initialized and
auditing is configured, these flags cause the context to
be initialized to that of the user specified in
PAM_AUSER (if any) merged with the user specified in
PAM_USER and host specified in PAM_RHOST. If PAM_RHOST
is not specified, PAM_TTY specifies the local terminal
name. Attributing audit to PAM_AUSER and merging
PAM_USER is required for correctly attributing auditing
when the system entry is performed by another user that
can be identified as trustworthy.
If the audit context is already initialized, the
PAM_REINITIALIZE_CRED flag merges the current audit context
with that of the user specified in PAM_USER.
PAM_REINITIALIZE_CRED is useful when a user is assuming
a new identity, as with su(1M).
PAM_DELETE_CRED
This flag has no effect and always returns PAM_SUCCESS.
The following options are interpreted:
debug Provides syslog(3C) debugging information at the
LOG_DEBUG level.
nowarn Disables any warning messages.
ERRORS
Upon successful completion of pam_sm_setcred(), PAM_SUCCESS
is returned. The following error codes are returned upon
error:
PAM_CRED_UNAVAIL Underlying authentication service cannot
retrieve user credentials
PAM_CRED_EXPIRED User credentials have expired
PAM_USER_UNKNOWN User is unknown to the authentication
service
PAM_CRED_ERR Failure in setting user credentials
PAM_BUF_ERR Memory buffer error
PAM_SYSTEM_ERR System error
The following values are returned from
pam_sm_authenticate():
PAM_IGNORE Ignores this module regardless of the control
flag
ATTRIBUTES
See attributes(5) for descriptions of the following attributes:
ATTRIBUTE TYPE        ATTRIBUTE VALUE
Interface Stability   Evolving
MT Level              MT-Safe with exceptions
SEE ALSO
ssh(1), su(1M), settaskid(2), libpam(3LIB),
getprojent(3PROJECT), pam(3PAM), pam_set_item(3PAM),
pam_sm_authenticate(3PAM), syslog(3C),
setproject(3PROJECT), pam.conf(4), nsswitch.conf(4),
project(4), attributes(5), pam_authtok_check(5),
pam_authtok_get(5), pam_authtok_store(5), pam_dhkeys(5),
pam_passwd_auth(5), pam_unix_auth(5), pam_unix_account(5),
pam_unix_session(5), privileges(5)
NOTES
The interfaces in libpam(3LIB) are MT-Safe only if each
thread within the multi-threaded application uses its own
PAM handle.
If this module is replaced, the audit context and credential
may not be correctly configured.