PAM_DHKEYS(5)PAM_DHKEYS(5)NAME
pam_dhkeys - authentication Diffie-Hellman keys management module
SYNOPSIS
pam_dhkeys.so.1
DESCRIPTION
The pam_dhkeys.so.1 service module provides functionality to two PAM
services: Secure RPC authentication and Secure RPC authentication token
management.
Secure RPC authentication differs from regular unix authentication
because NIS+ and other ONC RPCs use Secure RPC as the underlying secu‐
rity mechanism.
The following options may be passed to the module:
debug
syslog(3C) debugging information at LOG_DEBUG level
nowarn
Turn off warning messages
Authentication Services
If the user has Diffie-Hellman keys, pam_sm_authenticate() establishes
secret keys for the user specified by the PAM_USER (equivalent to run‐
ning keylogin(1)), using the authentication token found in the
PAM_AUTHTOK item. Not being able to establish the secret keys results
in an authentication error if the NIS+ repository is used to authenti‐
cate the user and the NIS+ table permissions require secure RPC creden‐
tials to access the password field. If pam_sm_setcred() is called with
PAM_ESTABLISH_CRED and the user's secure RPC credentials need to be
established, these credentials are set. This is equivalent to running
keylogin(1).
If the credentials could not be set and PAM_SILENT is not specified, a
diagnostic message is displayed. If pam_setcred() is called with
PAM_DELETE_CRED, the user's secure RPC credentials are unset. This is
equivalent to running keylogout(1).
PAM_REINITIALIZE_CRED and PAM_REFRESH_CRED are not supported and return
PAM_IGNORE.
Authentication Token Management
The pam_sm_chauthtok() implementation checks whether the old login
password decrypts the users secret keys. If it doesn't this module
prompts the user for an old Secure RPC password and stores it in a pam
data item called SUNW_OLDRPCPASS. This data item can be used by the
store module to effectively update the users secret keys.
ERRORS
The authentication service returns the following error codes:
PAM_SUCCESS
Credentials set successfully.
PAM_IGNORE
Credentials not needed to access the password
repository.
PAM_USER_UNKNOWN
PAM_USER is not set, or the user is unknown.
PAM_AUTH_ERR
No secret keys were set. PAM_AUTHTOK is not set, no
credentials are present or there is a wrong pass‐
word.
PAM_BUF_ERR
Module ran out of memory.
PAM_SYSTEM_ERR
The NIS+ subsystem failed .
The authentication token management returns the following error codes:
PAM_SUCCESS
Old rpc password is set in SUNW_OLDRPCPASS
PAM_USER_UNKNOWN
User in PAM_USER is unknown.
PAM_AUTHTOK_ERR
User did not provide a password that decrypts the
secret keys.
PAM_BUF_ERR
Module ran out of memory.
ATTRIBUTES
See attributes(5) for descriptions of the following attributes:
┌────────────────────┬─────────────────────────┐
│ ATTRIBUTE TYPE │ ATTRIBUTE VALUE │
├────────────────────┼─────────────────────────┤
│Interface Stability │ Evolving │
├────────────────────┼─────────────────────────┤
│MT Level │ MT-Safe with exceptions │
└────────────────────┴─────────────────────────┘
SEE ALSOkeylogin(1), keylogout(1), pam(3PAM), pam_authenticate(3PAM), pam_chau‐
thtok(3PAM), pam_setcred(3PAM), pam_get_item(3PAM), pam_set_data(3PAM),
pam_get_data(3PAM), syslog(3C), libpam(3LIB), pam.conf(4),
attributes(5), pam_authtok_check(5), pam_authtok_get(5), pam_auth‐
tok_store(5), pam_passwd_auth(5), pam_unix_account(5),
pam_unix_auth(5), pam_unix_session(5)NOTES
The interfaces in libpam(3LIB) are MT-Safe only if each thread within
the multi-threaded application uses its own PAM handle.
The pam_unix(5) module is no longer supported. Similar functionality is
provided by pam_authtok_check(5), pam_authtok_get(5), pam_auth‐
tok_store(5), pam_dhkeys(5), pam_passwd_auth(5), pam_unix_account(5),
pam_unix_auth(5), and pam_unix_session(5).
Jan 21, 2003 PAM_DHKEYS(5)