File: README

package info (click to toggle)
libpam-ccreds 10-7
  • links: PTS, VCS
  • area: main
  • in suites: bullseye, buster, sid
  • size: 644 kB
  • sloc: sh: 2,981; ansic: 2,066; makefile: 60
file content (66 lines) | stat: -rw-r--r-- 1,999 bytes parent folder | download | duplicates (5)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66

                         pam_ccreds
                         ==========

The pam_ccreds module provides a mechanism for caching
credentials when authenticating against a network
authentication service, so that authentication can still
proceed when the service is down. Note at present no
mechanism is provided for caching _authorization_ 
information, i.e. whether you are allowed to login once
authenticated. Doing this is more difficult than it
first sounds.

The present implementation requires Linux-PAM as it takes
advantage of the extended configuration syntax of pam.conf.
(See the example configuration file included with the 
software for an example of configuring it with pam_ldap.)
On platforms that do not use Linux-PAM you would need a
wrapper PAM module to choose an action based on the
previous module's return code.

When invoked via PAM, pam_ccreds performs one of three
actions:

	validate	validate PAM authentication token
			against cached credentials

	store		cache PAM authentication token for
			future validation

	update		if the PAM authentication token is
			cached, then remove it from the
			cache
			
These are configured by the "action=" module option. The
following module options are also recognized:

	use_first_pass	do not prompt for the password if
			the existing PAM authentication
			token does not validate

	try_first_pass	prompt for the password if the
			existing PAM authentication token
			does not validate

	service_specific only check cached credentials for
			 this specific service

	ccredsfile=	name of the cached credentials
			file; default is /var/cache/.security.db

	action=		action (see above)

The "cc_test" and "cc_dump" utilities are also provided;
cc_dump may be removed in a future version.

Things we need to do are:

	o more testing
	o verify it works with Berkeley DB 4.x
	o use transactions rather than flock() when
	  using versions of DB that support it

The pam_ccreds module is distributed under the GNU General
Public License.