The Kerberos 5 SU authentication component provides functions to verify the identity of a user (pam_sm_authenticate()), and determine whether or not the user is authorized to obtain the privileges of the target account. If the target account is "root", then the Kerberos 5 principal used for authentication and authorization will be the "root" instance of the current user, e.g. "user/root@REAL.M". Otherwise, the principal will simply be the current user's default principal, e.g. "user@REAL.M". The user is prompted for a password if necessary. Authorization is performed by comparing the Kerberos 5 principal with those listed in the .k5login file in the target account's home directory (e.g. /root/.k5login for root).
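
The principal selection and .k5login comparison described above, modelled as an added example (not the module's own code). It assumes .k5login holds one principal per line and uses exact string comparison; the realm EXAMPLE.ORG, the user names, the sample file contents and all function names are constructed for illustration.

```python
"""Model of the pam_ksu principal choice and .k5login check (illustrative only)."""


def ksu_principal(user: str, target: str, realm: str) -> str:
    """Principal used for authentication and authorization.

    Target "root" -> the "root" instance of the current user;
    any other target -> the current user's default principal.
    """
    if target == "root":
        return f"{user}/root@{realm}"
    return f"{user}@{realm}"


def k5login_principals(text: str) -> list[str]:
    """Assumed format: one principal per line; blank lines are skipped."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def is_authorized(user: str, target: str, realm: str, k5login_text: str) -> bool:
    """True if the selected principal is listed in the target's .k5login."""
    return ksu_principal(user, target, realm) in k5login_principals(k5login_text)


def unexpected_root_entries(k5login_text: str, realm: str) -> list[str]:
    """Audit helper for /root/.k5login: entries not shaped like user/root@realm."""
    flagged = []
    for principal in k5login_principals(k5login_text):
        name, _, entry_realm = principal.rpartition("@")
        parts = name.split("/")
        well_formed = len(parts) == 2 and parts[0] != "" and parts[1] == "root"
        if not (well_formed and entry_realm == realm):
            flagged.append(principal)
    return flagged


# Constructed sample contents of /root/.k5login.
SAMPLE_ROOT_K5LOGIN = """alice/root@EXAMPLE.ORG

  bob/root@EXAMPLE.ORG
carol@EXAMPLE.ORG
dave/root@OTHER.EXAMPLE
"""

if __name__ == "__main__":
    for user in ("alice", "carol"):
        ok = is_authorized(user, "root", "EXAMPLE.ORG", SAMPLE_ROOT_K5LOGIN)
        print(user, "->", ksu_principal(user, "root", "EXAMPLE.ORG"), "authorized:", ok)
    print("review:", unexpected_root_entries(SAMPLE_ROOT_K5LOGIN, "EXAMPLE.ORG"))
```
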

The following options may be passed to the authentication module:

debug
    syslog(3) debugging information at LOG_DEBUG level.

use_first_pass
    If the authentication module is not the first in the stack, and a previous module obtained the user's password, that password is used to authenticate the user. If this fails, the authentication module returns failure without prompting the user for a password. This option has no effect if the authentication module is the first in the stack, or if no previous modules obtained the user's password.

try_first_pass
    This option is similar to the use_first_pass option, except that if the previously obtained password fails, the user is prompted for another password.