| blob | 3094bf66569f2a5b6ec4856529768d2dd77b74d8 |
1 .\"
2 .\" This file and its contents are supplied under the terms of the
3 .\" Common Development and Distribution License ("CDDL"), version 1.0.
4 .\" You may only use this file in accordance with the terms of version
5 .\" 1.0 of the CDDL.
6 .\"
7 .\" A full copy of the text of the CDDL should have accompanied this
8 .\" source. A copy of the CDDL is also available via the Internet at
9 .\" http://www.illumos.org/license/CDDL.
10 .\"
11 .\" Copyright 2014 Nexenta Systems, Inc.
12 .\"
13 .Dd Nov 26, 2017
14 .Dt PAM_TIMESTAMP 5
15 .Os
16 .Sh NAME
17 .Nm pam_timestamp
18 .Nd PAM authentication module using cached successful authentication attempts
19 .Sh SYNOPSIS
20 .Nm pam_timestamp.so.1
21 .Op Ar debug
22 .Op Ar timeout=min
23 .Sh DESCRIPTION
24 The
25 .Nm
26 module caches successful tty-based authentication attempts by
27 creating user's directories and per tty timestamp files in the
28 common timestamp directory
29 .Pa /var/run/tty_timestamps .
30 Next authentication, if the timestamp file exist and not expired,
31 the user will not be asked for a password, otherwise timestamp
32 file will be deleted and user will be prompted to enter a password.
33 .Lp
34 The PAM items
35 .Dv PAM_USER ,
36 .Dv PAM_AUSER
37 and
38 .Dv PAM_TTY
39 are used by this module.
40 .Sy pam_timestamp
41 is normally configured as
42 .Sy sufficient
43 and must be used in conjunction with the modules that support
44 the UNIX authentication, which are
45 .Xr pam_authtok_get 5 ,
46 .Xr pam_unix_cred 5
47 and
48 .Xr pam_unix_auth 5 .
49 Proper authentication operation requires
50 .Xr pam_unix_cred 5
51 be stacked above
52 .Nm .
53 .Sh OPTIONS
54 .Bl -tag -width Ds
55 .It Dv debug
56 Provides
57 .Xr syslog 3
58 debugging information at the
59 .Sy LOG_AUTH | LOG_DEBUG
60 level.
61 .It Dv timeout
62 Specifies the period (in minutes) for which the timestamp file is valid.
63 The default value is 5 minutes.
64 .El
65 .Sh FILES
66 .Bl -tag -width indent
67 .It Pa /var/run/tty_timestamps/...
68 stores timestamp directories and files
69 .El
70 .Sh EXIT STATUS
71 .Bl -tag -width Ds
72 .It Dv PAM_SUCCESS
73 Timestamp file is not expired.
74 .It Dv PAM_IGNORE
75 The
76 .Nm
77 module was not able to retrieve required credentials
78 or timestamp file is expired or corrupt.
79 .El
80 .Sh EXAMPLES
81 .Ss Example 1 Allowing su authentication
82 .
83 The following example is a
84 .Xr pam.conf 4
85 fragment that illustrates default settings for allowing
86 .Xr su 8
87 authentication:
88 .Bd -literal -offset indent
89 su auth required pam_unix_cred.so.1
90 su auth sufficient pam_timestamp.so.1
91 su auth requisite pam_authtok_get.so.1
92 su auth required pam_unix_auth.so.1
93 .Ed
94 .Ss Example 2 Changing default timeout
95 .
96 The default timeout set to 10 minutes:
97 .Bd -literal -offset indent
98 su auth required pam_unix_cred.so.1
99 su auth sufficient pam_timestamp.so.1 timeout=10
100 su auth requisite pam_authtok_get.so.1
101 su auth required pam_unix_auth.so.1
102 .Ed
103 .Sh INTERFACE STABILITY
104 .Sy Uncommitted .
105 .Sh MT LEVEL
106 .Sy MT-Safe .
107 .Sh SEE ALSO
108 .Xr su 8 ,
109 .Xr syslog 3C ,
110 .Xr pam 3PAM ,
111 .Xr pam_sm_authenticate 3PAM ,
112 .Xr pam_sm_setcred 3PAM ,
113 .Xr pam.conf 4