'\" t .\" Title: pam_sss .\" Author: The SSSD upstream - http://fedorahosted.org/sssd .\" Generator: DocBook XSL Stylesheets v1.79.1 .\" Date: 02/04/2017 .\" Manual: SSSD Manual pages .\" Source: SSSD .\" Language: English .\" .TH "PAM_SSS" "8" "02/04/2017" "SSSD" "SSSD Manual pages" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .\" http://bugs.debian.org/507673 .\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .ie \n(.g .ds Aq \(aq .el .ds Aq ' .\" ----------------------------------------------------------------- .\" * set default formatting .\" ----------------------------------------------------------------- .\" disable hyphenation .nh .\" disable justification (adjust text to left margin only) .ad l .\" ----------------------------------------------------------------- .\" * MAIN CONTENT STARTS HERE * .\" ----------------------------------------------------------------- .SH "NAME" pam_sss \- PAM module for SSSD .SH "SYNOPSIS" .HP \w'\fBpam_sss\&.so\fR\ 'u \fBpam_sss\&.so\fR [\fIquiet\fR] [\fIforward_pass\fR] [\fIuse_first_pass\fR] [\fIuse_authtok\fR] [\fIretry=N\fR] [\fIignore_unknown_user\fR] [\fIignore_authinfo_unavail\fR] [\fIdomains=X\fR] [\fIallow_missing_name\fR] .SH "DESCRIPTION" .PP \fBpam_sss\&.so\fR is the PAM interface to the System Security Services daemon (SSSD)\&. Errors and results are logged through \fBsyslog(3)\fR with the LOG_AUTHPRIV facility\&. .SH "OPTIONS" .PP \fBquiet\fR .RS 4 Suppress log messages for unknown users\&. .RE .PP \fBforward_pass\fR .RS 4 If \fBforward_pass\fR is set the entered password is put on the stack for other PAM modules to use\&. .RE .PP \fBuse_first_pass\fR .RS 4 The argument use_first_pass forces the module to use a previous stacked modules password and will never prompt the user \- if no password is available or the password is not appropriate, the user will be denied access\&. .RE .PP \fBuse_authtok\fR .RS 4 When password changing enforce the module to set the new password to the one provided by a previously stacked password module\&. .RE .PP \fBretry=N\fR .RS 4 If specified the user is asked another N times for a password if authentication fails\&. Default is 0\&. .sp Please note that this option might not work as expected if the application calling PAM handles the user dialog on its own\&. A typical example is \fBsshd\fR with \fBPasswordAuthentication\fR\&. .RE .PP \fBignore_unknown_user\fR .RS 4 If this option is specified and the user does not exist, the PAM module will return PAM_IGNORE\&. This causes the PAM framework to ignore this module\&. .RE .PP \fBignore_authinfo_unavail\fR .RS 4 Specifies that the PAM module should return PAM_IGNORE if it cannot contact the SSSD daemon\&. This causes the PAM framework to ignore this module\&. .RE .PP \fBdomains\fR .RS 4 Allows the administrator to restrict the domains a particular PAM service is allowed to authenticate against\&. The format is a comma\-separated list of SSSD domain names, as specified in the sssd\&.conf file\&. .sp NOTE: Must be used in conjunction with the \(lqpam_trusted_users\(rq and \(lqpam_public_domains\(rq options\&. Please see the \fBsssd.conf\fR(5) manual page for more information on these two PAM responder options\&. .RE .PP \fBallow_missing_name\fR .RS 4 The main purpose of this option is to let SSSD determine the user name based on additional information, e\&.g\&. the certificate from a Smartcard\&. .sp The current use case are login managers which can monitor a Smartcard reader for card events\&. In case a Smartcard is inserted the login manager will call a PAM stack which includes a line like .sp .if n \{\ .RS 4 .\} .nf auth sufficient pam_sss\&.so allow_missing_name .fi .if n \{\ .RE .\} .sp In this case SSSD will try to determine the user name based on the content of the Smartcard, returns it to pam_sss which will finally put it on the PAM stack\&. .RE .SH "MODULE TYPES PROVIDED" .PP All module types (\fBaccount\fR, \fBauth\fR, \fBpassword\fR and \fBsession\fR) are provided\&. .SH "FILES" .PP If a password reset by root fails, because the corresponding SSSD provider does not support password resets, an individual message can be displayed\&. This message can e\&.g\&. contain instructions about how to reset a password\&. .PP The message is read from the file pam_sss_pw_reset_message\&.LOC where LOC stands for a locale string returned by \fBsetlocale\fR(3)\&. If there is no matching file the content of pam_sss_pw_reset_message\&.txt is displayed\&. Root must be the owner of the files and only root may have read and write permissions while all other users must have only read permissions\&. .PP These files are searched in the directory /etc/sssd/customize/DOMAIN_NAME/\&. If no matching file is present a generic message is displayed\&. .SH "SEE ALSO" .PP \fBsssd\fR(8), \fBsssd.conf\fR(5), \fBsssd-ldap\fR(5), \fBsssd-krb5\fR(5), \fBsssd-simple\fR(5), \fBsssd-ipa\fR(5), \fBsssd-ad\fR(5), \fBsssd-sudo\fR(5), \fBsss_cache\fR(8), \fBsss_debuglevel\fR(8), \fBsss_groupadd\fR(8), \fBsss_groupdel\fR(8), \fBsss_groupshow\fR(8), \fBsss_groupmod\fR(8), \fBsss_useradd\fR(8), \fBsss_userdel\fR(8), \fBsss_usermod\fR(8), \fBsss_obfuscate\fR(8), \fBsss_seed\fR(8), \fBsssd_krb5_locator_plugin\fR(8), \fBsss_ssh_authorizedkeys\fR(8), \fBsss_ssh_knownhostsproxy\fR(8), \fBsssd-ifp\fR(5), \fBpam_sss\fR(8)\&. \fBsss_rpcidmapd\fR(5) .SH "AUTHORS" .PP \fBThe SSSD upstream \- http://fedorahosted\&.org/sssd\fR