1PAM_SSS(8)                     SSSD Manual pages                    PAM_SSS(8)
2
3
4

NAME

6       pam_sss - PAM module for SSSD
7

SYNOPSIS

9       pam_sss.so [quiet] [forward_pass] [use_first_pass] [use_authtok]
10                  [retry=N] [ignore_unknown_user] [ignore_authinfo_unavail]
11                  [domains=X] [allow_missing_name] [prompt_always]
12

DESCRIPTION

14       pam_sss.so is the PAM interface to the System Security Services daemon
15       (SSSD). Errors and results are logged through syslog(3) with the
16       LOG_AUTHPRIV facility.
17

OPTIONS

19       quiet
20           Suppress log messages for unknown users.
21
22       forward_pass
23           If forward_pass is set the entered password is put on the stack for
24           other PAM modules to use.
25
26       use_first_pass
27           The argument use_first_pass forces the module to use a previous
28           stacked modules password and will never prompt the user - if no
29           password is available or the password is not appropriate, the user
30           will be denied access.
31
32       use_authtok
33           When password changing enforce the module to set the new password
34           to the one provided by a previously stacked password module.
35
36       retry=N
37           If specified the user is asked another N times for a password if
38           authentication fails. Default is 0.
39
40           Please note that this option might not work as expected if the
41           application calling PAM handles the user dialog on its own. A
42           typical example is sshd with PasswordAuthentication.
43
44       ignore_unknown_user
45           If this option is specified and the user does not exist, the PAM
46           module will return PAM_IGNORE. This causes the PAM framework to
47           ignore this module.
48
49       ignore_authinfo_unavail
50           Specifies that the PAM module should return PAM_IGNORE if it cannot
51           contact the SSSD daemon. This causes the PAM framework to ignore
52           this module.
53
54       domains
55           Allows the administrator to restrict the domains a particular PAM
56           service is allowed to authenticate against. The format is a
57           comma-separated list of SSSD domain names, as specified in the
58           sssd.conf file.
59
60           NOTE: Must be used in conjunction with the “pam_trusted_users” and
61           “pam_public_domains” options. Please see the sssd.conf(5) manual
62           page for more information on these two PAM responder options.
63
64       allow_missing_name
65           The main purpose of this option is to let SSSD determine the user
66           name based on additional information, e.g. the certificate from a
67           Smartcard.
68
69           The current use case are login managers which can monitor a
70           Smartcard reader for card events. In case a Smartcard is inserted
71           the login manager will call a PAM stack which includes a line like
72
73               auth sufficient pam_sss.so allow_missing_name
74
75
76           In this case SSSD will try to determine the user name based on the
77           content of the Smartcard, returns it to pam_sss which will finally
78           put it on the PAM stack.
79
80       prompt_always
81           Always prompt the user for credentials. With this option
82           credentials requested by other PAM modules, typically a password,
83           will be ignored and pam_sss will prompt for credentials again.
84           Based on the pre-auth reply by SSSD pam_sss might prompt for a
85           password, a Smartcard PIN or other credentials.
86

MODULE TYPES PROVIDED

88       All module types (account, auth, password and session) are provided.
89

FILES

91       If a password reset by root fails, because the corresponding SSSD
92       provider does not support password resets, an individual message can be
93       displayed. This message can e.g. contain instructions about how to
94       reset a password.
95
96       The message is read from the file pam_sss_pw_reset_message.LOC where
97       LOC stands for a locale string returned by setlocale(3). If there is no
98       matching file the content of pam_sss_pw_reset_message.txt is displayed.
99       Root must be the owner of the files and only root may have read and
100       write permissions while all other users must have only read
101       permissions.
102
103       These files are searched in the directory
104       /etc/sssd/customize/DOMAIN_NAME/. If no matching file is present a
105       generic message is displayed.
106

SEE ALSO

108       sssd(8), sssd.conf(5), sssd-ldap(5), sssd-krb5(5), sssd-simple(5),
109       sssd-ipa(5), sssd-ad(5), sssd-sudo(5),sssd-secrets(5),sssd-session-
110       recording(5), sss_cache(8), sss_debuglevel(8), sss_groupadd(8),
111       sss_groupdel(8), sss_groupshow(8), sss_groupmod(8), sss_useradd(8),
112       sss_userdel(8), sss_usermod(8), sss_obfuscate(8), sss_seed(8),
113       sssd_krb5_locator_plugin(8), sss_ssh_authorizedkeys(8),
114       sss_ssh_knownhostsproxy(8),sssd-ifp(5),pam_sss(8).
115       sss_rpcidmapd(5)sssd-systemtap(5)
116

AUTHORS

118       The SSSD upstream - https://pagure.io/SSSD/sssd/
119
120
121
122SSSD                              04/25/2019                        PAM_SSS(8)
Impressum