PAM_SSS(8)                     SSSD Manual pages                    PAM_SSS(8)

NAME

       pam_sss - PAM module for SSSD

SYNOPSIS

       pam_sss.so [quiet] [forward_pass] [use_first_pass] [use_authtok]
                  [retry=N] [ignore_unknown_user] [ignore_authinfo_unavail]
                  [domains=X] [allow_missing_name] [prompt_always]
                  [try_cert_auth] [require_cert_auth]

DESCRIPTION

       pam_sss.so is the PAM interface to the System Security Services daemon
       (SSSD). Errors and results are logged through syslog(3) with the
       LOG_AUTHPRIV facility.

OPTIONS

       quiet
           Suppress log messages for unknown users.

       forward_pass
           If forward_pass is set, the entered password is put on the stack
           for other PAM modules to use.

       use_first_pass
           The argument use_first_pass forces the module to use the password
           collected by a previously stacked module and never to prompt the
           user. If no password is available or the password is not
           appropriate, the user is denied access.

       use_authtok
           When changing a password, force the module to set the new password
           to the one provided by a previously stacked password module.

       retry=N
           If specified, the user is asked another N times for a password if
           authentication fails. Default is 0.

           Please note that this option might not work as expected if the
           application calling PAM handles the user dialog on its own. A
           typical example is sshd with PasswordAuthentication.

       ignore_unknown_user
           If this option is specified and the user does not exist, the PAM
           module will return PAM_IGNORE. This causes the PAM framework to
           ignore this module.

       ignore_authinfo_unavail
           Specifies that the PAM module should return PAM_IGNORE if it cannot
           contact the SSSD daemon. This causes the PAM framework to ignore
           this module.

       domains
           Allows the administrator to restrict the domains a particular PAM
           service is allowed to authenticate against. The format is a
           comma-separated list of SSSD domain names, as specified in the
           sssd.conf file.

           NOTE: If this is used for a service not running as root user, e.g.
           a web-server, it must be used in conjunction with the
           “pam_trusted_users” and “pam_public_domains” options. Please see
           the sssd.conf(5) manual page for more information on these two PAM
           responder options.

       allow_missing_name
           The main purpose of this option is to let SSSD determine the user
           name based on additional information, e.g. the certificate from a
           Smartcard.

           The current use case is login managers which can monitor a
           Smartcard reader for card events. In case a Smartcard is inserted
           the login manager will call a PAM stack which includes a line like

               auth sufficient pam_sss.so allow_missing_name

           In this case SSSD will try to determine the user name based on the
           content of the Smartcard and return it to pam_sss, which will
           finally put it on the PAM stack.

       prompt_always
           Always prompt the user for credentials. With this option
           credentials requested by other PAM modules, typically a password,
           will be ignored and pam_sss will prompt for credentials again.
           Based on the pre-auth reply by SSSD pam_sss might prompt for a
           password, a Smartcard PIN or other credentials.

       try_cert_auth
           Try to use certificate based authentication, i.e. authentication
           with a Smartcard or similar devices. If a Smartcard is available
           and the service is allowed for Smartcard authentication the user
           will be prompted for a PIN and the certificate based authentication
           will continue.

           If no Smartcard is available or certificate based authentication is
           not allowed for the current service PAM_AUTHINFO_UNAVAIL is
           returned.

       require_cert_auth
           Do certificate based authentication, i.e. authentication with a
           Smartcard or similar devices. If a Smartcard is not available the
           user will be prompted to insert one. SSSD will wait for a Smartcard
           until the timeout defined by p11_wait_for_card_timeout has passed,
           please see sssd.conf(5) for details.

           If no Smartcard is available after the timeout or certificate based
           authentication is not allowed for the current service
           PAM_AUTHINFO_UNAVAIL is returned.

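       The stacking rules above are the ones most often broken in
       /etc/pam.d: forward_pass hands the collected password to a later
       module that picks it up with use_first_pass, while use_first_pass on a
       pam_sss.so line with nothing stacked before it never prompts, finds no
       password and denies access (see PAM_BUF_ERR below). The following shell
       script is an added example and not part of SSSD. It embeds a
       constructed sample stack for a hypothetical service (the layout and the
       SSSD domain name example.com are assumptions), a helper that extracts
       the pam_sss.so options for a module type, and a check that flags a
       pam_sss.so auth line carrying use_first_pass when no earlier auth
       module could have collected a password. It assumes the one-line PAM
       syntax with a plain control keyword (required, sufficient, ...), not
       the bracketed [value=action] form.

```shell
#!/bin/sh
# Added example (not SSSD code): audit pam_sss.so lines in a PAM service file.
# Assumes the simple "type control module options..." syntax with a plain
# control keyword; bracketed [success=ok ...] controls are not parsed.

# Constructed sample stack for a hypothetical service. pam_sss prompts first
# and forwards the password (forward_pass); pam_unix reuses it (use_first_pass)
# for local accounts. example.com is a made-up SSSD domain name.
GOOD_STACK='auth     required   pam_env.so
auth     sufficient pam_sss.so forward_pass domains=example.com
auth     required   pam_unix.so use_first_pass
account  required   pam_unix.so
account  sufficient pam_sss.so ignore_unknown_user
password sufficient pam_sss.so
password required   pam_unix.so use_authtok
session  optional   pam_sss.so'

# Constructed broken stack: use_first_pass with no module stacked before it,
# so pam_sss never prompts, finds no password and denies access.
BAD_STACK='auth     sufficient pam_sss.so use_first_pass
auth     required   pam_unix.so'

# pam_sss_options STACK TYPE: print the options of each pam_sss.so line of
# the given module type (auth, account, password, session), one per line.
pam_sss_options() {
    printf '%s\n' "$1" | awk -v mtype="$2" '
        /^[ \t]*(#|$)/ { next }                 # comments and blank lines
        $1 == mtype && $3 ~ /pam_sss\.so$/ {
            out = ""
            for (i = 4; i <= NF; i++) out = out (out == "" ? "" : " ") $i
            print out
        }
    '
}

# audit_pam_sss_stack STACK: print one diagnostic per pam_sss.so auth line
# that uses use_first_pass although every earlier auth module (if any) also
# relies on use_first_pass, i.e. nothing could have collected a password.
# Returns the number of problems found, 0 when clean. The check is necessary,
# not sufficient: an earlier module that exists but never prompts (pam_env.so)
# still counts as a potential supplier.
audit_pam_sss_stack() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*(#|$)/ { next }
        $1 != "auth"   { next }
        {
            n++; mod[n] = $3; line[n] = NR; ufp[n] = 0
            for (i = 4; i <= NF; i++) if ($i == "use_first_pass") ufp[n] = 1
        }
        END {
            bad = 0
            for (k = 1; k <= n; k++) {
                if (mod[k] !~ /pam_sss\.so$/ || !ufp[k]) continue
                ok = 0
                for (j = 1; j < k; j++) if (!ufp[j]) ok = 1
                if (!ok) {
                    printf "line %d: pam_sss.so use_first_pass but no earlier auth module could have collected a password\n", line[k]
                    bad++
                }
            }
            exit bad
        }
    '
}

# Stand-alone run over the constructed stacks; for a real service use e.g.
#   audit_pam_sss_stack "$(cat /etc/pam.d/sshd)"
audit_pam_sss_stack "$GOOD_STACK" && echo "GOOD_STACK: clean"
audit_pam_sss_stack "$BAD_STACK"  || echo "BAD_STACK: $? problem(s)"
```

       The domains= restriction in the sample only takes effect for services
       running as root unless pam_trusted_users and pam_public_domains are
       also set in sssd.conf, as noted under the domains option above.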

MODULE TYPES PROVIDED

       All module types (account, auth, password and session) are provided.

       If SSSD's PAM responder is not running, e.g. if the PAM responder
       socket is not available, pam_sss will return PAM_USER_UNKNOWN when
       called as account module to avoid issues with users from other sources
       during access control.


RETURN VALUES

       PAM_SUCCESS
           The PAM operation finished successfully.

       PAM_USER_UNKNOWN
           The user is not known to the authentication service or SSSD's PAM
           responder is not running.

       PAM_AUTH_ERR
           Authentication failure. Also, could be returned when there is a
           problem with getting the certificate.

       PAM_PERM_DENIED
           Permission denied. The SSSD log files may contain additional
           information about the error.

       PAM_IGNORE
           See options ignore_unknown_user and ignore_authinfo_unavail.

       PAM_AUTHTOK_ERR
           Unable to obtain the new authentication token. Also, could be
           returned when the user authenticates with certificates and multiple
           certificates are available, but the installed version of GDM does
           not support selection from multiple certificates.

       PAM_AUTHINFO_UNAVAIL
           Unable to access the authentication information. This might be due
           to a network or hardware failure.

       PAM_BUF_ERR
           A memory error occurred. Also, could be returned when options
           use_first_pass or use_authtok were set, but no password was found
           from the previously stacked PAM module.

       PAM_SYSTEM_ERR
           A system error occurred. The SSSD log files may contain additional
           information about the error.

       PAM_CRED_ERR
           Unable to set the credentials of the user.

       PAM_CRED_INSUFFICIENT
           The application does not have sufficient credentials to
           authenticate the user. For example, missing PIN during smartcard
           authentication or missing factor during two-factor authentication.

       PAM_SERVICE_ERR
           Error in service module.

       PAM_NEW_AUTHTOK_REQD
           The user's authentication token has expired.

       PAM_ACCT_EXPIRED
           The user account has expired.

       PAM_SESSION_ERR
           Unable to fetch IPA Desktop Profile rules or user info.

       PAM_CRED_UNAVAIL
           Unable to retrieve Kerberos user credentials.

       PAM_NO_MODULE_DATA
           No authentication method was found by Kerberos. This might happen
           if the user has a Smartcard assigned but the PKINIT plugin is not
           available on the client.

       PAM_CONV_ERR
           Conversation failure.

       PAM_AUTHTOK_LOCK_BUSY
           No KDC suitable for password change is available.

       PAM_ABORT
           Unknown PAM call.

       PAM_MODULE_UNKNOWN
           Unsupported PAM task or command.

       PAM_BAD_ITEM
           The authentication module cannot handle Smartcard credentials.


FILES

       If a password reset by root fails because the corresponding SSSD
       provider does not support password resets, a custom message can be
       displayed. This message can e.g. contain instructions about how to
       reset a password.

       The message is read from the file pam_sss_pw_reset_message.LOC where
       LOC stands for a locale string returned by setlocale(3). If there is no
       matching file the content of pam_sss_pw_reset_message.txt is displayed.
       Root must be the owner of the files and only root may have read and
       write permissions while all other users must have only read
       permissions.

       These files are searched in the directory
       /etc/sssd/customize/DOMAIN_NAME/. If no matching file is present a
       generic message is displayed.

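       The file rules above are strict enough to check mechanically. The
       following shell functions are an added example and not SSSD code: they
       reproduce the lookup order (locale-specific file first, then
       pam_sss_pw_reset_message.txt, otherwise the generic message) and verify
       that each message file is a regular file owned by root with mode 0644,
       which is what "only root may read and write, everyone else read only"
       amounts to. The expected owner uid is a parameter defaulting to 0 so
       the check can be exercised on a scratch directory without root; the
       sample message texts and the scratch directory are constructed for the
       example.

```shell
#!/bin/sh
# Added example (not SSSD code): check the pam_sss_pw_reset_message files in a
# /etc/sssd/customize/DOMAIN_NAME/ directory against the rules in pam_sss(8)
# and show which file pam_sss would pick for a locale.
# Assumption for testing without root: the expected owner uid is a parameter
# that defaults to 0 (root).

# reset_message_candidates DIR LOCALE: the lookup order pam_sss uses, the
# locale-specific file first, then the .txt fallback.
reset_message_candidates() {
    printf '%s/pam_sss_pw_reset_message.%s\n' "$1" "$2"
    printf '%s/pam_sss_pw_reset_message.txt\n' "$1"
}

# resolve_reset_message DIR LOCALE: print the path that would be displayed;
# print nothing when pam_sss falls back to its generic built-in message.
resolve_reset_message() {
    reset_message_candidates "$1" "$2" | while IFS= read -r f; do
        if [ -f "$f" ]; then
            printf '%s\n' "$f"
            break
        fi
    done
}

# check_reset_message_file FILE [OWNER_UID]: return 0 if FILE is a regular
# file owned by OWNER_UID with mode 0644 (owner read/write, everyone else
# read-only); otherwise print why and return 1.
check_reset_message_file() {
    file=$1
    want_uid=${2:-0}
    if [ ! -f "$file" ]; then
        printf '%s: not a regular file\n' "$file"
        return 1
    fi
    # GNU stat first, BSD/macOS stat as fallback; both print "uid octal-mode".
    info=$(stat -c '%u %a' "$file" 2>/dev/null) || info=$(stat -f '%u %OLp' "$file")
    uid=${info% *}
    mode=${info#* }
    rc=0
    if [ "$uid" != "$want_uid" ]; then
        printf '%s: owner uid %s, expected %s\n' "$file" "$uid" "$want_uid"
        rc=1
    fi
    if [ "$mode" != "644" ]; then
        printf '%s: mode %s, expected 644\n' "$file" "$mode"
        rc=1
    fi
    return $rc
}

# check_reset_message_dir DIR [OWNER_UID]: check every message file in DIR and
# return the number of files that failed.
check_reset_message_dir() {
    bad=0
    for f in "$1"/pam_sss_pw_reset_message.*; do
        [ -e "$f" ] || continue          # no match: the glob stays literal
        check_reset_message_file "$f" "$2" || bad=$((bad + 1))
    done
    return $bad
}

# make_sample_dir: constructed scratch directory with two compliant message
# files and one that is world-writable; prints the directory path.
make_sample_dir() {
    d=$(mktemp -d)
    printf 'Contact the helpdesk to reset your password.\n' \
        > "$d/pam_sss_pw_reset_message.txt"
    printf 'Wenden Sie sich zum Zuruecksetzen an den Helpdesk.\n' \
        > "$d/pam_sss_pw_reset_message.de_DE.UTF-8"
    printf 'world-writable by mistake\n' \
        > "$d/pam_sss_pw_reset_message.fr_FR.UTF-8"
    chmod 0644 "$d/pam_sss_pw_reset_message.txt" "$d/pam_sss_pw_reset_message.de_DE.UTF-8"
    chmod 0666 "$d/pam_sss_pw_reset_message.fr_FR.UTF-8"
    printf '%s\n' "$d"
}

# Stand-alone run: on a real host pass the customize directory of one domain,
# e.g. check_reset_message_dir /etc/sssd/customize/example.com
# Here the constructed directory is checked against the current uid.
sample=$(make_sample_dir)
check_reset_message_dir "$sample" "$(id -u)" || echo "$? file(s) violate the rules"
rm -rf "$sample"
```

       A message file that fails these checks is simply not shown, so a
       permission slip silently turns the custom instructions back into the
       generic message; running the check after deploying the files catches
       that.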

SEE ALSO

       sssd(8), sssd.conf(5), sssd-ldap(5), sssd-krb5(5), sssd-simple(5),
       sssd-ipa(5), sssd-ad(5), sssd-files(5), sssd-sudo(5),
       sssd-session-recording(5), sss_cache(8), sss_debuglevel(8),
       sss_obfuscate(8), sss_seed(8), sssd_krb5_locator_plugin(8),
       sss_ssh_authorizedkeys(8), sss_ssh_knownhostsproxy(8), sssd-ifp(5),
       pam_sss(8), sss_rpcidmapd(5), sssd-systemtap(5)


AUTHORS

       The SSSD upstream - https://github.com/SSSD/sssd/



SSSD                              05/19/2021                        PAM_SSS(8)