Updated: 2022/Sep/29

Please read Privacy Policy. It's for your privacy.

PAM_KSU(8)                  System Manager's Manual                 PAM_KSU(8)

     pam_ksu - Kerberos 5 SU PAM module

     [service-name] module-type control-flag pam_ksu [options]

     The Kerberos 5 SU authentication service module for PAM provides
     functionality for only one PAM category: authentication.  In terms of the
     module-type parameter, this is the "auth" feature.  The module is
     specifically designed to be used with the su(1) utility.

   Kerberos 5 SU Authentication Module
     The Kerberos 5 SU authentication component provides functions to verify
     the identity of a user (pam_sm_authenticate()), and determine whether or
     not the user is authorized to obtain the privileges of the target
     account.  If the target account is "root", then the Kerberos 5 principal
     used for authentication and authorization will be the "root" instance of
     the current user, e.g. "user/root@REAL.M".  Otherwise, the principal will
     simply be the current user's default principal, e.g. "user@REAL.M".

     The user is prompted for a password if necessary.  Authorization is
     performed by comparing the Kerberos 5 principal with those listed in the
     .k5login file in the target account's home directory (e.g. /root/.k5login
     for root).

     The following options may be passed to the authentication module:

     debug               syslog(3) debugging information at LOG_DEBUG level.

     use_first_pass      If the authentication module is not the first in the
                         stack, and a previous module obtained the user's
                         password, that password is used to authenticate the
                         user.  If this fails, the authentication module
                         returns failure without prompting the user for a
                         password.  This option has no effect if the
                         authentication module is the first in the stack, or
                         if no previous modules obtained the user's password.

     try_first_pass      This option is similar to the use_first_pass option,
                         except that if the previously obtained password
                         fails, the user is prompted for another password.

     su(1), syslog(3), pam.conf(5), pam(8)

NetBSD 10.99                     May 15, 2002                     NetBSD 10.99