pam_dhkeys(5)         Standards, Environments, and Macros        pam_dhkeys(5)

NAME

       pam_dhkeys - authentication Diffie-Hellman keys management module

SYNOPSIS

       pam_dhkeys.so.1

DESCRIPTION

       The pam_dhkeys.so.1 service module provides functionality to two PAM
       services: Secure RPC authentication and Secure RPC authentication token
       management.

       Secure RPC authentication differs from regular UNIX authentication
       because NIS+ and other ONC RPCs use Secure RPC as the underlying
       security mechanism.

       The following options may be passed to the module:

       debug     syslog(3C) debugging information at LOG_DEBUG level

       nowarn    Turn off warning messages

   Authentication Services
       If the user has Diffie-Hellman keys, pam_sm_authenticate() establishes
       secret keys for the user specified by PAM_USER (equivalent to running
       keylogin(1)), using the authentication token found in the PAM_AUTHTOK
       item. Not being able to establish the secret keys results in an
       authentication error if the NIS+ repository is used to authenticate
       the user and the NIS+ table permissions require secure RPC credentials
       to access the password field. If pam_sm_setcred() is called with
       PAM_ESTABLISH_CRED and the user's secure RPC credentials need to be
       established, these credentials are set. This is equivalent to running
       keylogin(1).

       If the credentials could not be set and PAM_SILENT is not specified, a
       diagnostic message is displayed. If pam_setcred() is called with
       PAM_DELETE_CRED, the user's secure RPC credentials are unset. This is
       equivalent to running keylogout(1).

       PAM_REINITIALIZE_CRED and PAM_REFRESH_CRED are not supported and return
       PAM_IGNORE.

   Authentication Token Management
       The pam_sm_chauthtok() implementation checks whether the old login
       password decrypts the user's secret keys. If it doesn't, this module
       prompts the user for an old Secure RPC password and stores it in a PAM
       data item called SUNW_OLDRPCPASS. This data item can be used by the
       store module to effectively update the user's secret keys.
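
       Added example, not part of the original manual page: a pam.conf(4)
       fragment showing where pam_dhkeys.so.1 sits relative to the other
       modules listed in SEE ALSO. The service names, control flags, and
       ordering are assumptions for illustration; compare them against the
       system's own /etc/pam.conf before relying on them.

```conf
# /etc/pam.conf fragment (illustrative; not from the original page)
# Fields: service  module_type  control_flag  module_path  [options]

# Authentication stack: pam_authtok_get.so.1 runs first so that PAM_AUTHTOK
# is set before pam_dhkeys.so.1 uses it to establish the user's secret keys.
# "debug" sends trace output to syslog(3C) at LOG_DEBUG; drop the option
# once the stack has been verified.
login   auth requisite          pam_authtok_get.so.1
login   auth required           pam_dhkeys.so.1 debug
login   auth required           pam_unix_auth.so.1

# Password stack: pam_dhkeys.so.1 runs ahead of the store module so that
# SUNW_OLDRPCPASS is available when the store module updates the user's
# secret keys.
other   password required       pam_dhkeys.so.1
other   password requisite      pam_authtok_get.so.1
other   password requisite      pam_authtok_check.so.1
other   password required       pam_authtok_store.so.1
```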

ERRORS

       The authentication service returns the following error codes:

       PAM_SUCCESS         Credentials set successfully.

       PAM_IGNORE          Credentials not needed to access the password
                           repository.

       PAM_USER_UNKNOWN    PAM_USER is not set, or the user is unknown.

       PAM_AUTH_ERR        No secret keys were set. PAM_AUTHTOK is not set, no
                           credentials are present, or there is a wrong
                           password.

       PAM_BUF_ERR         Module ran out of memory.

       PAM_SYSTEM_ERR      The NIS+ subsystem failed.

       The authentication token management returns the following error codes:

       PAM_SUCCESS         Old RPC password is set in SUNW_OLDRPCPASS.

       PAM_USER_UNKNOWN    User in PAM_USER is unknown.

       PAM_AUTHTOK_ERR     User did not provide a password that decrypts the
                           secret keys.

       PAM_BUF_ERR         Module ran out of memory.

ATTRIBUTES

       See attributes(5) for descriptions of the following attributes:

       ┌─────────────────────────────┬─────────────────────────────┐
       │      ATTRIBUTE TYPE         │      ATTRIBUTE VALUE        │
       ├─────────────────────────────┼─────────────────────────────┤
       │Interface Stability          │Evolving                     │
       ├─────────────────────────────┼─────────────────────────────┤
       │MT Level                     │MT-Safe with exceptions      │
       └─────────────────────────────┴─────────────────────────────┘

SEE ALSO

       keylogin(1), keylogout(1), pam(3PAM), pam_authenticate(3PAM),
       pam_chauthtok(3PAM), pam_setcred(3PAM), pam_get_item(3PAM),
       pam_set_data(3PAM), pam_get_data(3PAM), syslog(3C), libpam(3LIB),
       pam.conf(4), attributes(5), pam_authtok_check(5), pam_authtok_get(5),
       pam_authtok_store(5), pam_passwd_auth(5), pam_unix_account(5),
       pam_unix_auth(5), pam_unix_session(5)

NOTES

       The interfaces in libpam(3LIB) are MT-Safe only if each thread within
       the multi-threaded application uses its own PAM handle.

       The pam_unix(5) module is no longer supported. Similar functionality is
       provided by pam_authtok_check(5), pam_authtok_get(5),
       pam_authtok_store(5), pam_dhkeys(5), pam_passwd_auth(5),
       pam_unix_account(5), pam_unix_auth(5), and pam_unix_session(5).

SunOS 5.11                        21 Jan 2003                    pam_dhkeys(5)