'\" te
.\" Copyright (c) 2004, 2023, Oracle and/or its affiliates.
.TH pam_gss_s4u 7 "15 Mar 2023" "Oracle Solaris 11.4" "Standards, Environments, Macros, Character Sets, and miscellany"
.SH NAME
pam_gss_s4u \- set credential PAM module for Services For Users (S4U)
.SH SYNOPSIS
.LP
.nf
\fBpam_gss_s4u.so.1\fR [\fBdebug\fR] [\fBnowarn\fR]
.fi
.SH DESCRIPTION
.sp
.LP
The \fBpam_gss_s4u\fR module attempts to obtain credentials on behalf of \fBPAM_USER\fR by using the Generic Security Services API (\fBGSS-API\fR) for the Services for User (\fBS4U\fR) protocol. This is useful for non-login processes that require services secured by Kerberos, such as those executed from \fBcron\fR(8) or \fBat\fR(1).
.SS "GSS-API Set Credential Module"
.sp
.LP
The \fBpam_gss_s4u\fR module provides the set credential function \fBpam_sm_setcred()\fR. The credentials can be set from initial authentication credentials using the host's keys by stacking the \fBpam_krb5_keytab\fR(7) module before \fBpam_gss_s4u\fR(7). Subsequently, these credentials can be used to obtain credentials for itself on behalf of a user, \fBS4U2Self\fR. The resulting credentials can be used to obtain a service ticket for a target service on behalf of the user, \fBS4U2Proxy\fR.
.sp
.LP
The following options can be passed to the \fBpam_gss_s4u\fR set credential module:
.sp
.ne 2
.mk
.na
\fB\fBdebug\fR\fR
.ad
.RS 10n
.rt
Provides \fBsyslog\fR(3C) debugging information at \fBLOG_DEBUG\fR level.
.RE
.sp
.ne 2
.mk
.na
\fB\fBnowarn\fR\fR
.ad
.RS 10n
.rt
Turns off warning messages.
.RE
.SS "GSS-API Authentication Module"
.sp
.LP
The \fBpam_gss_s4u\fR module also provides the authentication function \fBpam_sm_authenticate()\fR. This function returns \fBPAM_IGNORE\fR.
.SH RETURN VALUES
.sp
.LP
The following values are returned for \fBpam_sm_setcred()\fR:
.sp
.ne 2
.mk
.na
\fB\fBPAM_CRED_UNAVAIL\fR\fR
.ad
.RS 20n
.rt
The initial authentication credentials do not exist.
.RE
.sp
.ne 2
.mk
.na
\fB\fBPAM_SUCCESS\fR\fR
.ad
.RS 20n
.rt
Successfully obtained S4U credentials for the user associated with \fBPAM_USER\fR.
.RE
.sp
.ne 2
.mk
.na
\fB\fBPAM_SYSTEM_ERR\fR\fR
.ad
.RS 20n
.rt
System error.
.RE
.sp
.ne 2
.mk
.na
\fB\fBPAM_USER_UNKNOWN\fR\fR
.ad
.RS 20n
.rt
The user associated with \fBPAM_USER\fR is not found in the database.
.RE
.SH EXAMPLES
.LP
\fBExample 1\fR Set Credential for Initial Authentication Through Kerberos Key Table File Optionally Through S4U Requests
.sp
.LP
The following is an excerpt of a sample \fB/etc/pam.d/cron\fR file:
.sp
.in +2
.nf
auth definitive pam_user_policy.so.1
auth required pam_unix_auth.so.1
auth required pam_unix_cred.so.1
auth requisite pam_krb5_keytab.so.1
auth optional pam_gss_s4u.so.1
.fi
.in -2
.sp
.sp
.LP
Given that set credentials uses the same stack as authenticate, the above will provision Kerberos credentials through the successful authentication of the keys found in the system's key table file via \fBpam_krb5_keytab\fR(7). Subsequently, these credentials will be used to obtain S4U credentials for \fBPAM_USER\fR.
.SH FILES
.sp
.ne 2
.mk
.na
\fB\fB/etc/security/pam_policy/gss_s4u\fR\fR
.ad
.br
.sp .6
.RS 4n
A \fBpam.conf\fR fragment suitable for use with \fBpam_user_policy\fR(7).
.RE
.SH ATTRIBUTES
.sp
.LP
See \fBattributes\fR(7) for a description of the following attributes:
.sp
.TS
tab(@) box;
cw(2.75i) |cw(2.75i)
lw(2.75i) |lw(2.75i)
.
ATTRIBUTE TYPE@ATTRIBUTE VALUE
_
Availability@service/security/kerberos-5
_
Interface Stability@Committed
.TE
.sp
.SH SEE ALSO
.sp
.LP
\fBkinit\fR(1), \fBsyslog\fR(3C), \fBlibpam\fR(3LIB), \fBpam\fR(3PAM), \fBpam_sm\fR(3PAM), \fBpam_sm_authenticate\fR(3PAM), \fBpam_sm_setcred\fR(3PAM), \fBpam.conf\fR(5), \fBattributes\fR(7), \fBpam_krb5\fR(7), \fBpam_krb5_keytab\fR(7), \fBpam_user_policy\fR(7)
.SH HISTORY
.sp
.LP
The \fBpam_gss_s4u\fR module was introduced in Oracle Solaris 11.2.0. This included support for the \fBdebug\fR and \fBnowarn\fR options.
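The stacking order from Example 1 can be checked mechanically. The following is an added example, not part of the Oracle man page: it parses a pam.d service file, reports any pam_gss_s4u entry with no earlier pam_krb5_keytab in the same stack, and flags options other than debug and nowarn. The helper names and the second sample file are constructed for illustration.

```python
# Added example: lint a pam.d service file for pam_gss_s4u stacking.
# Sample files and the helper names are constructed for illustration.

KNOWN_S4U_OPTIONS = {"debug", "nowarn"}  # the options this man page documents

GOOD_CRON = """\
auth definitive pam_user_policy.so.1
auth required   pam_unix_auth.so.1
auth required   pam_unix_cred.so.1
auth requisite  pam_krb5_keytab.so.1
auth optional   pam_gss_s4u.so.1
"""

BAD_CRON = """\
# constructed: keytab module stacked after pam_gss_s4u, undocumented option
auth optional   pam_gss_s4u.so.1 verbose
auth requisite  pam_krb5_keytab.so.1
"""


def parse_pam_d(text):
    """Yield (lineno, module_type, module_name, options) per entry."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 3:
            continue  # blank, comment-only or incomplete line
        # fields: module_type control_flag module_path [options...]
        yield lineno, fields[0], fields[2].rsplit("/", 1)[-1], fields[3:]


def lint_s4u(text):
    """Return findings about pam_gss_s4u entries in a pam.d file."""
    findings = []
    keytab_seen = set()  # module types that already stacked pam_krb5_keytab
    for lineno, mtype, module, opts in parse_pam_d(text):
        if module.startswith("pam_krb5_keytab.so"):
            keytab_seen.add(mtype)
        elif module.startswith("pam_gss_s4u.so"):
            if mtype not in keytab_seen:
                findings.append(
                    f"line {lineno}: no pam_krb5_keytab before pam_gss_s4u in "
                    f"the {mtype} stack; setcred may return PAM_CRED_UNAVAIL")
            for opt in opts:
                if opt not in KNOWN_S4U_OPTIONS:
                    findings.append(f"line {lineno}: undocumented option {opt!r}")
    return findings


if __name__ == "__main__":
    for name, text in (("good", GOOD_CRON), ("bad", BAD_CRON)):
        print(name, lint_s4u(text) or "ok")
```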