Content-type: text/html Man page of pam_dhkeys

pam_dhkeys

Section: Standards, Environments, and Macros (5)
Updated: 21 Jan 2003
Index Return to Main Contents
 

NAME

pam_dhkeys - authentication Diffie-Hellman keys management module  

SYNOPSIS

pam_dhkeys.so.1
 

DESCRIPTION

The pam_dhkeys.so.1 service module provides functionality to two PAM services: Secure RPC authentication and Secure RPC authentication token management.

Secure RPC authentication differs from regular unix authentication because NIS+ and other ONC RPCs use Secure RPC as the underlying security mechanism.

The following options may be passed to the module:

debug syslog(3C) debugging information at LOG_DEBUG level

nowarn Turn off warning messages

 

Authentication Services

If the user has Diffie-Hellman keys, pam_sm_authenticate() establishes secret keys for the user specified by the PAM_USER (equivalent to running keylogin(1)), using the authentication token found in the PAM_AUTHTOK item. Not being able to establish the secret keys results in an authentication error if the NIS+ repository is used to authenticate the user and the NIS+ table permissions require secure RPC credentials to access the password field. If pam_sm_setcred() is called with PAM_ESTABLISH_CRED and the user's secure RPC credentials need to be established, these credentials are set. This is equivalent to running keylogin(1).

If the credentials could not be set and PAM_SILENT is not specified, a diagnostic message is displayed. If pam_setcred() is called with PAM_DELETE_CRED, the user's secure RPC credentials are unset. This is equivalent to running keylogout(1).

PAM_REINITIALIZE_CRED and PAM_REFRESH_CRED are not supported and return PAM_IGNORE.  

Authentication Token Management

The pam_sm_chauthtok() implementation checks whether the old login password decrypts the users secret keys. If it doesn't this module prompts the user for an old Secure RPC password and stores it in a pam data item called SUNW_OLDRPCPASS. This data item can be used by the store module to effectively update the users secret keys.  

ERRORS

The authentication service returns the following error codes:

PAM_SUCCESS Credentials set successfully.

PAM_IGNORE Credentials not needed to access the password repository.

PAM_USER_UNKNOWN PAM_USER is not set, or the user is unknown.

PAM_AUTH_ERR No secret keys were set. PAM_AUTHTOK is not set, no credentials are present or there is a wrong password.

PAM_BUF_ERR Module ran out of memory.

PAM_SYSTEM_ERR The NISma+ subsystem failed .

The authentication token management returns the following error codes:

PAM_SUCCESS Old rpc password is set in SUNW_OLDRPCPASS

PAM_USER_UNKNOWN User in PAM_USER is unknown.

PAM_AUTHTOK_ERR User did not provide a password that decrypts the secret keys.

PAM_BUF_ERR Module ran out of memory.

 

ATTRIBUTES

See attributes(5) for descriptions of the following attributes:

ATTRIBUTE TYPEATTRIBUTE VALUE
Interface StabilityEvolving
MT LevelMT-Safe with exceptions

 

SEE ALSO

keylogin(1), keylogout(1), pam(3PAM), pam_authenticate(3PAM), pam_chauthtok(3PAM), pam_setcred(3PAM), pam_get_item(3PAM), pam_set_data(3PAM), pam_get_data(3PAM), syslog(3C), libpam(3LIB), pam.conf(4), attributes(5), pam_authtok_check(5), pam_authtok_get(5), pam_authtok_store(5), pam_passwd_auth(5), pam_unix_account(5), pam_unix_auth(5), pam_unix_session(5)  

NOTES

The interfaces in libpam(3LIB) are MT-Safe only if each thread within the multi-threaded application uses its own PAM handle.

The pam_unix(5) module is no longer supported. Similar functionality is provided by pam_authtok_check(5), pam_authtok_get(5), pam_authtok_store(5), pam_dhkeys(5), pam_passwd_auth(5), pam_unix_account(5), pam_unix_auth(5), and pam_unix_session(5).


 

Index

NAME
SYNOPSIS
DESCRIPTION
Authentication Services
Authentication Token Management
ERRORS
ATTRIBUTES
SEE ALSO
NOTES

This document was created by man2html, using the manual pages.
Time: 02:39:51 GMT, October 02, 2010