unixdev.net


Switch to SpeakEasy.net DSL

The Modular Manual Browser

Home Page
Manual: (SunOS-5.10)
Page:
Section:
Apropos / Subsearch:
optional field

pam_dhkeys(5)         Standards, Environments, and Macros        pam_dhkeys(5)



NAME
       pam_dhkeys - authentication Diffie-Hellman keys management module

SYNOPSIS
       pam_dhkeys.so.1

DESCRIPTION
       The  pam_dhkeys.so.1  service  module provides functionality to two PAM
       services: Secure RPC authentication and Secure RPC authentication token
       management.

       Secure  RPC  authentication  differs  from  regular unix authentication
       because NIS+ and other ONC RPCs use Secure RPC as the underlying  secu-
       rity mechanism.

       The following options may be passed to the module:

       debug           syslog(3C) debugging information at LOG_DEBUG level



       nowarn          Turn off warning messages



   Authentication Services
       If  the user has Diffie-Hellman keys, pam_sm_authenticate() establishes
       secret keys for the user specified by the PAM_USER (equivalent to  run-
       ning   keylogin(1)),  using  the  authentication  token  found  in  the
       PAM_AUTHTOK item. Not being able to establish the secret  keys  results
       in  an authentication error if the NIS+ repository is used to authenti-
       cate the user and the NIS+ table permissions require secure RPC creden-
       tials  to access the password field. If pam_sm_setcred() is called with
       PAM_ESTABLISH_CRED and the user's secure RPC  credentials  need  to  be
       established,  these  credentials are set. This is equivalent to running
       keylogin(1).

       If the credentials could not be set and PAM_SILENT is not specified,  a
       diagnostic  message  is  displayed.  If  pam_setcred()  is  called with
       PAM_DELETE_CRED, the user's secure RPC credentials are unset.  This  is
       equivalent to running keylogout(1).

       PAM_REINITIALIZE_CRED and PAM_REFRESH_CRED are not supported and return
       PAM_IGNORE.

   Authentication Token Management
       The pam_sm_chauthtok() implementation  checks  whether  the  old  login
       password  decrypts  the  users  secret  keys. If it doesn't this module
       prompts the user for an old Secure RPC password and stores it in a  pam
       data  item  called  SUNW_OLDRPCPASS.  This data item can be used by the
       store module to effectively update the users secret keys.

ERRORS
       The authentication service returns the following error codes:

       PAM_SUCCESS             Credentials set successfully.



       PAM_IGNORE              Credentials not needed to access  the  password
                               repository.



       PAM_USER_UNKNOWN        PAM_USER is not set, or the user is unknown.



       PAM_AUTH_ERR            No  secret  keys  were  set. PAM_AUTHTOK is not
                               set, no credentials are present or there  is  a
                               wrong password.



       PAM_BUF_ERR             Module ran out of memory.



       PAM_SYSTEM_ERR          The NIS+ subsystem failed .



       The authentication token management returns the following error codes:

       PAM_SUCCESS             Old rpc password is set in SUNW_OLDRPCPASS



       PAM_USER_UNKNOWN        User in PAM_USER is unknown.



       PAM_AUTHTOK_ERR         User  did  not provide a password that decrypts
                               the secret keys.



       PAM_BUF_ERR             Module ran out of memory.



ATTRIBUTES
       See attributes(5) for descriptions of the following attributes:


       tab()    allbox;    cw(2.750000i)|     cw(2.750000i)     lw(2.750000i)|
       lw(2.750000i).  ATTRIBUTE TYPEATTRIBUTE VALUE Interface StabilityEvolv-
       ing MT LevelMT-Safe with exceptions


SEE ALSO
       keylogin(1), keylogout(1), pam(3PAM), pam_authenticate(3PAM), pam_chau-
       thtok(3PAM), pam_setcred(3PAM), pam_get_item(3PAM), pam_set_data(3PAM),
       pam_get_data(3PAM),     syslog(3C),     libpam(3LIB),      pam.conf(4),
       attributes(5),   pam_authtok_check(5),   pam_authtok_get(5),  pam_auth-
       tok_store(5),         pam_passwd_auth(5),          pam_unix_account(5),
       pam_unix_auth(5), pam_unix_session(5)

NOTES
       The  interfaces  in libpam(3LIB) are MT-Safe only if each thread within
       the multi-threaded application uses its own PAM handle.

       The pam_unix(5) module is no longer supported. Similar functionality is
       provided   by   pam_authtok_check(5),   pam_authtok_get(5),   pam_auth-
       tok_store(5), pam_dhkeys(5),  pam_passwd_auth(5),  pam_unix_account(5),
       pam_unix_auth(5), and pam_unix_session(5).



SunOS 5.10                        21 Jan 2003                    pam_dhkeys(5)