pam_gss_s4u(7)
Standards, Environments, Macros, Character Sets, and miscellany
NAME
pam_gss_s4u - set credential PAM module for Services For Users (S4U)
SYNOPSIS
/usr/lib/security/pam_gss_s4u.so.1
DESCRIPTION
The pam_gss_s4u module attempts to obtain credentials on behalf of
PAM_USER by using the Generic Security Services API (GSS-API) for the
Services for User (S4U) protocol. This would be beneficial for non-
login processes that require services secured by Kerberos, such as
those executed from cron(8) or at(1).
GSS-API Set Credential Module
The GSS-API S4U module provides the set credential function for
pam_sm_setcred(). The credentials can be set from initial authentication
credentials using the host's keys by stacking the pam_krb5_keytab(7)
module before pam_gss_s4u(7). Subsequently, these credentials can be
used to obtain credentials for itself on behalf of a user (S4U2Self).
The resulting credentials can be used to obtain a service ticket for a
target service on behalf of the user (S4U2Proxy).
The following options can be passed to the GSS-API set credential
module:
debug Provides syslog(3C) debugging information at LOG_DEBUG level.
nowarn Turns off warning messages.
GSS-API Authentication Module
The Kerberos key table authentication module provides the
authentication function for pam_sm_authenticate(). The function returns
PAM_IGNORE.
ERRORS
The following error codes are returned for pam_sm_setcred():
PAM_CRED_UNAVAIL The initial authentication credentials do not
exist.
PAM_SUCCESS Successfully obtained S4U credentials for the user
associated with PAM_USER.
PAM_SYSTEM_ERR System error.
PAM_USER_UNKNOWN The user associated with PAM_USER is not found in
the database.
EXAMPLES
Example 1 Set Credential for Initial Authentication Through Kerberos
Key Table File Optionally Through S4U Requests
The following is an excerpt of a sample /etc/pam.d/cron file:
auth definitive pam_user_policy.so.1
auth required pam_unix_auth.so.1
auth required pam_unix_cred.so.1
auth requisite pam_krb5_keytab.so.1
auth optional pam_gss_s4u.so.1
Given that set credentials uses the same stack as authenticate, the
above will provision Kerberos credentials through the successful
authentication of the keys found in the system's key table file via
pam_krb5_keytab(7). Subsequently, these credentials will be used to
obtain S4U credentials for PAM_USER.
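The ordering that Example 1 relies on can be checked mechanically. The
following Python sketch is an added example, not part of the Solaris
documentation or any Oracle code; the function names and the second
sample stack are constructed for illustration, and it assumes the simple
"type control module [options]" entry layout shown in the excerpt.

```python
# Added example: lint a PAM auth stack for the pam_gss_s4u ordering rule.
KNOWN_OPTIONS = {"debug", "nowarn"}  # the options this man page documents

# Constructed input: the /etc/pam.d/cron excerpt from Example 1.
SAMPLE_GOOD = """\
auth definitive pam_user_policy.so.1
auth required pam_unix_auth.so.1
auth required pam_unix_cred.so.1
auth requisite pam_krb5_keytab.so.1
auth optional pam_gss_s4u.so.1
"""

# Constructed input: S4U module stacked too early, with an undocumented option.
SAMPLE_BAD = """\
# constructed, misordered stack
auth required pam_unix_cred.so.1
auth optional pam_gss_s4u.so.1 debug verbose
auth requisite pam_krb5_keytab.so.1
"""

def parse_auth_stack(text):
    """Return (lineno, control, module, options) for each auth entry.
    Assumes the simple 'type control module [options]' layout shown above."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # strip comments, then tokenize
        if len(fields) >= 3 and fields[0] == "auth":
            module = fields[2].rsplit("/", 1)[-1]  # drop any directory part
            entries.append((lineno, fields[1], module, fields[3:]))
    return entries

def check_s4u_stack(text):
    """Flag pam_gss_s4u entries with no earlier pam_krb5_keytab, and unknown options."""
    findings, keytab_seen = [], False
    for lineno, _control, module, options in parse_auth_stack(text):
        if module.startswith("pam_krb5_keytab.so"):
            keytab_seen = True
        elif module.startswith("pam_gss_s4u.so"):
            if not keytab_seen:
                findings.append(f"line {lineno}: pam_gss_s4u.so.1 is not "
                                "preceded by pam_krb5_keytab.so.1")
            for opt in options:
                if opt not in KNOWN_OPTIONS:
                    findings.append(f"line {lineno}: option '{opt}' is not "
                                    "documented for pam_gss_s4u")
    return findings

if __name__ == "__main__":
    for name, text in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        print(name, check_s4u_stack(text) or "ok")
```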
ATTRIBUTES
See attributes(7) for a description of the following attribute:
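+-----------------------------+-----------------------------+
|       ATTRIBUTE TYPE        |       ATTRIBUTE VALUE       |
+-----------------------------+-----------------------------+
|Interface Stability          |Committed                    |
+-----------------------------+-----------------------------+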
SEE ALSO
kinit(1), syslog(3C), libpam(3LIB), pam(3PAM), pam_sm(3PAM),
pam_sm_authenticate(3PAM), pam_sm_setcred(3PAM), pam.conf(5),
attributes(7), pam_krb5(7), pam_krb5_keytab(7)
Oracle Solaris 11.4 6 Feb 2020 pam_gss_s4u(7)