pam_unix_cred(7) man page - WindyHana's Solanara

pam_unix_cred(7)

Standards, Environments, Macros, Character Sets, and miscellany
                                                              pam_unix_cred(7)



NAME
       pam_unix_cred - PAM user credential authentication module for UNIX

SYNOPSIS
       pam_unix_cred.so.1

DESCRIPTION
       The pam_unix_cred module implements pam_sm_setcred(3PAM). It provides
       functions that establish user credential information. It is a module
       separate from the pam_unix_auth(7) module to allow replacement of the
       authentication functionality independently from the credential
       functionality.


       The  pam_unix_cred  module  must  always be stacked along with whatever
       authentication module is used to ensure correct credential setting.


       Authentication service modules must implement both
       pam_sm_authenticate() and pam_sm_setcred().


       pam_sm_authenticate() in this module always returns PAM_IGNORE.


       pam_sm_setcred() initializes the user's project and privilege sets,
       initializes or updates the user's audit context if it hasn't already
       been initialized, and sets the process clearance.


       The  new  clearance  is  set  to the lower bound of the current process
       clearance and the minimum label  returned  by  getuserrange(3TSOL).  If
       these  two  labels  are  disjoint, the clearance is set to the greatest
       lower bound.


       The following flags may be set in the flags field:

       PAM_ESTABLISH_CRED
       PAM_REFRESH_CRED
       PAM_REINITIALIZE_CRED

           Initializes  the  user's  project  to  the  project  specified   in
           PAM_RESOURCE,  or  if  PAM_RESOURCE is not specified, to the user's
           default project. Establishes the user's privilege sets.

           If the audit context is not already  initialized  and  auditing  is
           configured, these flags cause the context to be initialized to that
           of the user specified in PAM_AUSER (if any) merged  with  the  user
           specified in PAM_USER and host specified in PAM_RHOST. If PAM_RHOST
           is not  specified,  PAM_TTY  specifies  the  local  terminal  name.
           Attributing audit to PAM_AUSER and merging PAM_USER is required for
           correctly attributing auditing when the system entry  is  performed
           by another user that can be identified as trustworthy.

           If the audit context is already initialized, the
           PAM_REINITIALIZE_CRED flag merges the current audit context with
           that of the user specified in PAM_USER. PAM_REINITIALIZE_CRED is
           useful when a user is assuming a new identity, as with su(8).




       PAM_ESTABLISH_CRED
       PAM_REINITIALIZE_CRED

           Prompt for an "audit record annotation string" for a PAM_USER,  who
           is configured to request audit record annotation.



       PAM_DELETE_CRED

           This flag has no effect and always returns PAM_SUCCESS.



       The following options are interpreted:

       debug                 Provides  syslog(3C) debugging information at the
                             LOG_DEBUG level.


       nowarn                Disables any warning messages.


       noannotation          Do not prompt for audit record annotation. It is
                             an error to include this option and the
                             annotation_prompt= option.


       annotation_prompt=    Provides a prompt string to override the default
                             audit record annotation prompt of
                             "Session Annotation:". The prompt string must
                             immediately follow the =. If the string following
                             the = contains white space, it must be surrounded
                             by quotation marks, for example
                             annotation_prompt="My Prompt String". It is an
                             error to include this option and the noannotation
                             option.
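
       An added example, not part of the manual page or of Oracle's code: a
       small Python audit of pam.conf(5)-style text that reports auth stacks
       missing pam_unix_cred.so.1 and entries that combine noannotation with
       annotation_prompt=. The sample configuration is constructed, and the
       script assumes the five-column pam.conf layout with no include lines
       or line continuations.

```python
import shlex
from collections import defaultdict

CRED = "pam_unix_cred.so.1"

# Constructed sample in the pam.conf(5) column layout:
# service, module type, control flag, module path, options.
SAMPLE_PAM_CONF = '''\
login   auth requisite  pam_authtok_get.so.1
login   auth required   pam_unix_cred.so.1 noannotation annotation_prompt="Ticket: "
login   auth required   pam_unix_auth.so.1
rlogin  auth required   pam_unix_auth.so.1   # no credential module stacked
su      auth required   pam_unix_cred.so.1 debug
su      auth required   pam_unix_auth.so.1
su      account required pam_unix_account.so.1
'''

def parse_auth_stacks(text):
    """Map service -> list of (module file name, options) for its auth entries."""
    stacks = defaultdict(list)
    for line in text.splitlines():
        fields = shlex.split(line, comments=True)  # honours quotes and '#'
        if len(fields) < 4 or fields[1] != "auth":
            continue
        service, module = fields[0], fields[3].rsplit("/", 1)[-1]
        stacks[service].append((module, fields[4:]))
    return stacks

def audit(text):
    """Return sorted (service, finding) pairs for the two rules in the man page."""
    findings = []
    for service, entries in parse_auth_stacks(text).items():
        cred_opts = [opts for module, opts in entries if module == CRED]
        if not cred_opts:
            # "must always be stacked along with whatever authentication module"
            findings.append((service, "auth stack lacks " + CRED))
        for opts in cred_opts:
            has_prompt = any(o.startswith("annotation_prompt=") for o in opts)
            if "noannotation" in opts and has_prompt:
                # the page calls this combination an error
                findings.append((service, "noannotation used with annotation_prompt="))
    return sorted(findings)

if __name__ == "__main__":
    for service, finding in audit(SAMPLE_PAM_CONF):
        print(f"{service}: {finding}")
```
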


ERRORS
       Upon   successful   completion   of  pam_sm_setcred(),  PAM_SUCCESS  is
       returned. The following error codes are returned upon error:

       PAM_CRED_UNAVAIL    Underlying authentication service  cannot  retrieve
                           user credentials


       PAM_CRED_EXPIRED    User credentials have expired


       PAM_USER_UNKNOWN    User is unknown to the authentication service


       PAM_CRED_ERR        Failure in setting user credentials


       PAM_BUF_ERR         Memory buffer error


       PAM_SERVICE_ERR     An illegal option


       PAM_SYSTEM_ERR      System error



       The following values are returned from pam_sm_authenticate():

       PAM_IGNORE    Ignores this module regardless of the control flag


ATTRIBUTES
       See attributes(7) for descriptions of the following attributes:


       ATTRIBUTE TYPE         ATTRIBUTE VALUE
       Interface Stability    Committed
       MT Level               MT-Safe with exceptions


SEE ALSO
       ssh(1), settaskid(2), syslog(3C), libpam(3LIB), pam(3PAM),
       pam_set_item(3PAM), pam_sm_authenticate(3PAM), setproject(3PROJECT),
       getprojent(3PROJECT), nsswitch.conf(5), pam.conf(5), project(5),
       user_attr(5), attributes(7), labels(7), pam_authtok_check(7),
       pam_authtok_get(7), pam_authtok_store(7), pam_dhkeys(7),
       pam_passwd_auth(7), pam_unix_account(7), pam_unix_auth(7),
       pam_unix_session(7), privileges(7), su(8)

NOTES
       The  interfaces  in libpam(3LIB) are MT-Safe only if each thread within
       the multi-threaded application uses its own PAM handle.


       If this module is replaced, the audit context and credential may not be
       correctly configured.



Oracle Solaris 11.4               14 May 2018                 pam_unix_cred(7)
The copyright of the man page content belongs to the man page authors.