.\"
.\" This file and its contents are supplied under the terms of the
.\" Common Development and Distribution License ("CDDL"), version 1.0.
.\" You may only use this file in accordance with the terms of version
.\" 1.0 of the CDDL.
.\"
.\" A full copy of the text of the CDDL should have accompanied this
.\" source.  A copy of the CDDL is also available via the Internet at
.\" http://www.illumos.org/license/CDDL.
.\"
.\" Copyright 2014 Nexenta Systems, Inc.
.\"
.Dd Nov 26, 2017
.Dt PAM_TIMESTAMP 7
.Os
.Sh NAME
.Nm pam_timestamp
.Nd PAM authentication module using cached successful authentication attempts
.Sh SYNOPSIS
.Nm pam_timestamp.so.1
.Op Ar debug
.Op Ar timeout=min
.Sh DESCRIPTION
The
.Nm
module caches successful tty-based authentication attempts by
creating per-user directories and per-tty timestamp files in the
common timestamp directory
.Pa /var/run/tty_timestamps .
On the next authentication, if the timestamp file exists and has not expired,
the user is not asked for a password; otherwise the timestamp
file is deleted and the user is prompted to enter a password.
.Lp
The PAM items
.Dv PAM_USER ,
.Dv PAM_AUSER
and
.Dv PAM_TTY
are used by this module.
.Sy pam_timestamp
is normally configured as
.Sy sufficient
and must be used in conjunction with the modules that support
UNIX authentication, which are
.Xr pam_authtok_get 7 ,
.Xr pam_unix_cred 7
and
.Xr pam_unix_auth 7 .
Proper authentication operation requires that
.Xr pam_unix_cred 7
be stacked above
.Nm .
.Sh OPTIONS
.Bl -tag -width Ds
.It Dv debug
Provides
.Xr syslog 3C
debugging information at the
.Sy LOG_AUTH | LOG_DEBUG
level.
.It Dv timeout
Specifies the period (in minutes) for which the timestamp file is valid.
The default value is 5 minutes.
.El
.Sh FILES
.Bl -tag -width indent
.It Pa /var/run/tty_timestamps/...
stores timestamp directories and files
.El
.Sh EXIT STATUS
.Bl -tag -width Ds
.It Dv PAM_SUCCESS
The timestamp file has not expired.
.It Dv PAM_IGNORE
The
.Nm
module was not able to retrieve the required credentials,
or the timestamp file is expired or corrupt.
.El
.Sh EXAMPLES
.Ss Example 1 Allowing su authentication
.
The following example is a
.Xr pam.conf 5
fragment that illustrates default settings for allowing
.Xr su 8
authentication:
.Bd -literal -offset indent
su  auth required	pam_unix_cred.so.1
su  auth sufficient	pam_timestamp.so.1
su  auth requisite	pam_authtok_get.so.1
su  auth required	pam_unix_auth.so.1
.Ed
.Ss Example 2 Changing default timeout
.
The following fragment sets the timeout to 10 minutes:
.Bd -literal -offset indent
su  auth required	pam_unix_cred.so.1
su  auth sufficient	pam_timestamp.so.1	timeout=10
su  auth requisite	pam_authtok_get.so.1
su  auth required	pam_unix_auth.so.1
.Ed
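.Lp
The stacking rules in DESCRIPTION and the timeout option can be checked mechanically against a pam.conf fragment.
The following Python sketch is an added example, not part of the illumos manual page or source; the function name audit_timestamp_stack, the constructed sample stack and the 15-minute policy limit are assumptions made for illustration.

```python
import re

# Constructed sample: Example 2's stack with pam_unix_cred.so.1 moved below
# pam_timestamp.so.1 and a long cache window.
SAMPLE_BAD = """\
su  auth sufficient  pam_timestamp.so.1  timeout=120
su  auth required    pam_unix_cred.so.1
su  auth requisite   pam_authtok_get.so.1
su  auth required    pam_unix_auth.so.1
"""

DEFAULT_TIMEOUT_MIN = 5  # default stated under OPTIONS


def audit_timestamp_stack(conf_text, service="su", max_timeout_min=15):
    """Return findings about pam_timestamp in one service's auth stack.

    max_timeout_min is a hypothetical site policy limit, not a module setting.
    """
    stack = []  # (control flag, module basename, options) in file order
    for raw in conf_text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop comments
        if len(fields) >= 4 and fields[0] == service and fields[1] == "auth":
            stack.append((fields[2], fields[3].rsplit("/", 1)[-1], fields[4:]))
    modules = [module for _, module, _ in stack]
    if "pam_timestamp.so.1" not in modules:
        return []  # module not in use for this service
    idx = modules.index("pam_timestamp.so.1")
    flag, _, opts = stack[idx]
    findings = []
    if flag != "sufficient":
        findings.append(f"control flag is '{flag}', expected 'sufficient'")
    # DESCRIPTION: pam_unix_cred must be stacked above pam_timestamp.
    if "pam_unix_cred.so.1" not in modules[:idx]:
        findings.append("pam_unix_cred.so.1 is not stacked above pam_timestamp.so.1")
    # Ordering taken from Examples 1 and 2: the password modules come after,
    # so a PAM_IGNORE result still leads to a password prompt.
    for needed in ("pam_authtok_get.so.1", "pam_unix_auth.so.1"):
        if needed not in modules[idx + 1:]:
            findings.append(f"{needed} does not follow pam_timestamp.so.1")
    timeout = DEFAULT_TIMEOUT_MIN
    for opt in opts:
        match = re.fullmatch(r"timeout=(\d+)", opt)
        if match:
            timeout = int(match.group(1))
    if timeout > max_timeout_min:
        findings.append(f"timeout={timeout} min exceeds policy limit {max_timeout_min}")
    return findings
```

Run against the stack from Example 2 the function returns an empty list; the constructed sample yields two findings, one for ordering and one for the timeout.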
.Sh INTERFACE STABILITY
.Sy Uncommitted .
.Sh MT LEVEL
.Sy MT-Safe .
.Sh SEE ALSO
.Xr syslog 3C ,
.Xr pam 3PAM ,
.Xr pam_sm_authenticate 3PAM ,
.Xr pam_sm_setcred 3PAM ,
.Xr pam.conf 5 ,
.Xr su 8