PAM_DHKEYS(5) Standards, Environments, and Macros PAM_DHKEYS(5)


NAME


pam_dhkeys - authentication Diffie-Hellman keys management module

SYNOPSIS


pam_dhkeys.so.1


DESCRIPTION


The pam_dhkeys.so.1 service module provides functionality to two PAM
services: Secure RPC authentication and Secure RPC authentication token
management.


Secure RPC authentication differs from regular unix authentication
because some ONC RPCs use Secure RPC as the underlying security
mechanism.


The following options may be passed to the module:

debug
syslog(3C) debugging information at LOG_DEBUG level


nowarn
Turn off warning messages


Authentication Services


If the user has Diffie-Hellman keys, pam_sm_authenticate() establishes
secret keys for the user specified by the PAM_USER (equivalent to running
keylogin(1)), using the authentication token found in the PAM_AUTHTOK
item. If pam_sm_setcred() is called with PAM_ESTABLISH_CRED and the
user's secure RPC credentials need to be established, these credentials
are set. This is equivalent to running keylogin(1).


If the credentials could not be set and PAM_SILENT is not specified, a
diagnostic message is displayed. If pam_setcred() is called with
PAM_DELETE_CRED, the user's secure RPC credentials are unset. This is
equivalent to running keylogout(1).


PAM_REINITIALIZE_CRED and PAM_REFRESH_CRED are not supported and return
PAM_IGNORE.

Authentication Token Management


The pam_sm_chauthtok() implementation checks whether the old login
password decrypts the users secret keys. If it doesn't this module
prompts the user for an old Secure RPC password and stores it in a pam
data item called SUNW_OLDRPCPASS. This data item can be used by the store
module to effectively update the users secret keys.

ERRORS


The authentication service returns the following error codes:

PAM_SUCCESS
Credentials set successfully.


PAM_IGNORE
Credentials not needed to access the password
repository.


PAM_USER_UNKNOWN
PAM_USER is not set, or the user is unknown.


PAM_AUTH_ERR
No secret keys were set. PAM_AUTHTOK is not set, no
credentials are present or there is a wrong password.


PAM_BUF_ERR
Module ran out of memory.


PAM_SYSTEM_ERR
Credentials could not be stored, or netname could not
be created.


The authentication token management returns the following error codes:

PAM_SUCCESS
Old rpc password is set in SUNW_OLDRPCPASS


PAM_USER_UNKNOWN
User in PAM_USER is unknown.


PAM_AUTHTOK_ERR
User did not provide a password that decrypts the
secret keys.


PAM_BUF_ERR
Module ran out of memory.


ATTRIBUTES


See attributes(5) for descriptions of the following attributes:


+--------------------+-------------------------+
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
+--------------------+-------------------------+
|Interface Stability | Evolving |
+--------------------+-------------------------+
|MT Level | MT-Safe with exceptions |
+--------------------+-------------------------+

SEE ALSO


keylogin(1), keylogout(1), pam(3PAM), pam_authenticate(3PAM),
pam_chauthtok(3PAM), pam_setcred(3PAM), pam_get_item(3PAM),
pam_set_data(3PAM), pam_get_data(3PAM), syslog(3C), libpam(3LIB),
pam.conf(4), attributes(5), pam_authtok_check(5), pam_authtok_get(5),
pam_authtok_store(5), pam_passwd_auth(5), pam_unix_account(5),
pam_unix_auth(5), pam_unix_session(5)

NOTES


The interfaces in libpam(3LIB) are MT-Safe only if each thread within the
multi-threaded application uses its own PAM handle.


The pam_unix(5) module is no longer supported. Similar functionality is
provided by pam_authtok_check(5), pam_authtok_get(5),
pam_authtok_store(5), pam_dhkeys(5), pam_passwd_auth(5),
pam_unix_account(5), pam_unix_auth(5), and pam_unix_session(5).


February 25, 2017 PAM_DHKEYS(5)