Switch to SpeakEasy.net DSL

The Modular Manual Browser

Home Page
Manual: (SunOS-5.10)
Apropos / Subsearch:
optional field

pam_dhkeys(5)         Standards, Environments, and Macros        pam_dhkeys(5)

       pam_dhkeys - authentication Diffie-Hellman keys management module


       The  pam_dhkeys.so.1  service  module provides functionality to two PAM
       services: Secure RPC authentication and Secure RPC authentication token

       Secure  RPC  authentication  differs  from  regular unix authentication
       because NIS+ and other ONC RPCs use Secure RPC as the underlying  secu-
       rity mechanism.

       The following options may be passed to the module:

       debug           syslog(3C) debugging information at LOG_DEBUG level

       nowarn          Turn off warning messages

   Authentication Services
       If  the user has Diffie-Hellman keys, pam_sm_authenticate() establishes
       secret keys for the user specified by the PAM_USER (equivalent to  run-
       ning   keylogin(1)),  using  the  authentication  token  found  in  the
       PAM_AUTHTOK item. Not being able to establish the secret  keys  results
       in  an authentication error if the NIS+ repository is used to authenti-
       cate the user and the NIS+ table permissions require secure RPC creden-
       tials  to access the password field. If pam_sm_setcred() is called with
       PAM_ESTABLISH_CRED and the user's secure RPC  credentials  need  to  be
       established,  these  credentials are set. This is equivalent to running

       If the credentials could not be set and PAM_SILENT is not specified,  a
       diagnostic  message  is  displayed.  If  pam_setcred()  is  called with
       PAM_DELETE_CRED, the user's secure RPC credentials are unset.  This  is
       equivalent to running keylogout(1).

       PAM_REINITIALIZE_CRED and PAM_REFRESH_CRED are not supported and return

   Authentication Token Management
       The pam_sm_chauthtok() implementation  checks  whether  the  old  login
       password  decrypts  the  users  secret  keys. If it doesn't this module
       prompts the user for an old Secure RPC password and stores it in a  pam
       data  item  called  SUNW_OLDRPCPASS.  This data item can be used by the
       store module to effectively update the users secret keys.

       The authentication service returns the following error codes:

       PAM_SUCCESS             Credentials set successfully.

       PAM_IGNORE              Credentials not needed to access  the  password

       PAM_USER_UNKNOWN        PAM_USER is not set, or the user is unknown.

       PAM_AUTH_ERR            No  secret  keys  were  set. PAM_AUTHTOK is not
                               set, no credentials are present or there  is  a
                               wrong password.

       PAM_BUF_ERR             Module ran out of memory.

       PAM_SYSTEM_ERR          The NIS+ subsystem failed .

       The authentication token management returns the following error codes:

       PAM_SUCCESS             Old rpc password is set in SUNW_OLDRPCPASS

       PAM_USER_UNKNOWN        User in PAM_USER is unknown.

       PAM_AUTHTOK_ERR         User  did  not provide a password that decrypts
                               the secret keys.

       PAM_BUF_ERR             Module ran out of memory.

       See attributes(5) for descriptions of the following attributes:

       tab()    allbox;    cw(2.750000i)|     cw(2.750000i)     lw(2.750000i)|
       lw(2.750000i).  ATTRIBUTE TYPEATTRIBUTE VALUE Interface StabilityEvolv-
       ing MT LevelMT-Safe with exceptions

       keylogin(1), keylogout(1), pam(3PAM), pam_authenticate(3PAM), pam_chau-
       thtok(3PAM), pam_setcred(3PAM), pam_get_item(3PAM), pam_set_data(3PAM),
       pam_get_data(3PAM),     syslog(3C),     libpam(3LIB),      pam.conf(4),
       attributes(5),   pam_authtok_check(5),   pam_authtok_get(5),  pam_auth-
       tok_store(5),         pam_passwd_auth(5),          pam_unix_account(5),
       pam_unix_auth(5), pam_unix_session(5)

       The  interfaces  in libpam(3LIB) are MT-Safe only if each thread within
       the multi-threaded application uses its own PAM handle.

       The pam_unix(5) module is no longer supported. Similar functionality is
       provided   by   pam_authtok_check(5),   pam_authtok_get(5),   pam_auth-
       tok_store(5), pam_dhkeys(5),  pam_passwd_auth(5),  pam_unix_account(5),
       pam_unix_auth(5), and pam_unix_session(5).

SunOS 5.10                        21 Jan 2003                    pam_dhkeys(5)