unixdev.net


Switch to SpeakEasy.net DSL

The Modular Manual Browser

Home Page
Manual: (SunOS-5.9)
Page:
Section:
Apropos / Subsearch:
optional field



Standards, Environments, and Macros                 pam_dhkeys(5)



NAME
     pam_dhkeys - authentication Diffie-Hellman  keys  management
     module

SYNOPSIS
     pam_dhkeys.so.1

DESCRIPTION
     The pam_dhkeys.so.1 service module provides functionality to
     two  PAM  services: Secure RPC authentication and Secure RPC
     authentication token management.

     Secure RPC authentication differs from regular unix  authen-
     tication  because  NIS+ and other ONC RPCs use Secure RPC as
     the underlying security mechanism.

     The following options may be passed to the module:

     debug syslog(3C)debugging information at LOG_DEBUG level

     nowarn
           Turn off warning messages

  Authentication Services
      If the user has Diffie-Hellman keys,  pam_sm_authenticate()
     establishes  secret  keys  for  the  user  specified  by the
     PAM_USER (equivalent  to  running  keylogin(1)),  using  the
     authentication  token  found  in  the  PAM_AUTHTOK item. Not
     being able to  establish  the  secret  keys  results  in  an
     authentication  error  if  the  NIS+  repository  is used to
     authenticate the user and the NIS+ table permissions require
     secure  RPC  credentials  to  access  the password field. If
     pam_sm_setcred() is called with PAM_ESTABLISH_CRED  and  the
     user's  secure RPC credentials need to be established, these
     credentials are set. This is equivalent  to  running  keylo-
     gin(1).

     If the credentials could not be set and  PAM_SILENT  is  not
     specified,   a   diagnostic   message   is   displayed.   If
     pam_setcred() is called  with  PAM_DELETE_CRED,  the  user's
     secure RPC credentials are unset. This is equivalent to run-
     ning keylogout(1).

     PAM_REINITIALIZE_CRED and PAM_REFRESH_CRED are not supported
     and return PAM_IGNORE.

  Authentication Token Management
     The pam_sm_chauthtok() implementation checks whether the old
     login password decrypts the users secret keys. If it doesn't
     this module prompts the user for an old Secure RPC  password
     and  stores  it  in  a pam data item called SUNW_OLDRPCPASS.
     This  data  item  can  be  used  by  the  store  module   to



SunOS 5.9           Last change: 21 Jan 2003                    1






Standards, Environments, and Macros                 pam_dhkeys(5)



     effectively update the users secret keys.

ERRORS
     The  authentication  service  returns  the  following  error
     codes:

     PAM_SUCCESS
           Credentials set successfully.

     PAM_IGNORE
           Credentials not needed to access the password  reposi-
           tory.

     PAM_USER_UNKNOWN
           PAM_USER is not set, or the user is unknown.

     PAM_AUTH_ERR
           No secret keys were set. PAM_AUTHTOK is  not  set,  no
           credentials are present or there is a wrong password.

     PAM_BUF_ERR
           Module ran out of memory.

     PAM_SYSTEM_ERR
           NIS+ subsystem failed .

     The authentication token management  returns  the  following
     error codes:

     PAM_SUCCESS
           Old rpc password is set in SUNW_OLDRPCPASS

     PAM_USER_UNKNOWN
           User in PAM_USER is unknown.

     PAM_AUTHTOK_ERR
           User did not provide  a  password  that  decrypts  the
           secret keys.

     PAM_BUF_ERR
           Module ran out of memory.

ATTRIBUTES
     See attributes(5) for descriptions of the  following  attri-
     butes:










SunOS 5.9           Last change: 21 Jan 2003                    2






Standards, Environments, and Macros                 pam_dhkeys(5)



     ____________________________________________________________
    |       ATTRIBUTE TYPE        |       ATTRIBUTE VALUE       |
    |_____________________________|_____________________________|
    | Interface Stability         | Evolving                    |
    |_____________________________|_____________________________|
    | MT Level                    | MT-Safe with exceptions     |
    |_____________________________|_____________________________|


SEE ALSO
     keylogin(1),            keylogout(1),             pam(3PAM),
     pam_authenticate(3PAM),                 pam_chauthtok(3PAM),
     pam_setcred(3PAM),  pam_get_item(3PAM),  pam_set_data(3PAM),
     pam_get_data(3PAM),  syslog(3C),  libpam(3LIB), pam.conf(4),
     attributes(5),   pam_authtok_check(5),   pam_authtok_get(5),
     pam_authtok_store(5),    pam_passwd_auth(5),    pam_unix(5),
     pam_unix_account(5), pam_unix_auth(5), pam_unix_session(5)

NOTES
     The interfaces in libpam(3LIB)  are  MT-Safe  only  if  each
     thread  within  the  multi-threaded application uses its own
     PAM handle.

     The pam_unix(5) module might not be supported  in  a  future
     release.    Similar    functionality    is    provided    by
     pam_authtok_check(5),                    pam_authtok_get(5),
     pam_authtok_store(5),   pam_dhkeys(5),   pam_passwd_auth(5),
     pam_unix_account(5),          pam_unix_auth(5),          and
     pam_unix_session(5).


























SunOS 5.9           Last change: 21 Jan 2003                    3