PAM_SSS(8) | SSSD Manual pages | PAM_SSS(8)
NAME
pam_sss - PAM module for SSSD
SYNOPSIS
pam_sss.so [quiet] [forward_pass] [use_first_pass] [use_authtok] [retry=N] [ignore_unknown_user] [ignore_authinfo_unavail] [domains=X] [allow_missing_name] [prompt_always] [try_cert_auth] [require_cert_auth]
DESCRIPTION
pam_sss.so is the PAM interface to the System Security Services daemon (SSSD). Errors and results are logged through syslog(3) with the LOG_AUTHPRIV facility.
OPTIONS
quiet
forward_pass
use_first_pass
use_authtok
retry=N
Please note that this option might not work as expected if the application calling PAM handles the user dialog on its own. A typical example is sshd with PasswordAuthentication.
ignore_unknown_user
ignore_authinfo_unavail
domains
NOTE: If this is used for a service not running as the root user, e.g. a web server, it must be used in conjunction with the “pam_trusted_users” and “pam_public_domains” options. Please see the sssd.conf(5) manual page for more information on these two PAM responder options.
allow_missing_name
The current use case is login managers which can monitor a Smartcard reader for card events. If a Smartcard is inserted, the login manager calls a PAM stack which includes a line like
auth sufficient pam_sss.so allow_missing_name
In this case SSSD tries to determine the user name from the content of the Smartcard and returns it to pam_sss, which finally puts it on the PAM stack.
prompt_always
try_cert_auth
If no Smartcard is available, or certificate-based authentication is not allowed for the current service, PAM_AUTHINFO_UNAVAIL is returned.
require_cert_auth
If no Smartcard is available after the timeout, or certificate-based authentication is not allowed for the current service, PAM_AUTHINFO_UNAVAIL is returned.
MODULE TYPES PROVIDED
All module types (account, auth, password and session) are provided.
If SSSD's PAM responder is not running, e.g. if the PAM responder socket is not available, pam_sss returns PAM_USER_UNKNOWN when called as an account module, so that access control for users from other sources is not affected.
RETURN VALUES
PAM_SUCCESS
PAM_USER_UNKNOWN
PAM_AUTH_ERR
PAM_PERM_DENIED
PAM_IGNORE
PAM_AUTHTOK_ERR
PAM_AUTHINFO_UNAVAIL
PAM_BUF_ERR
PAM_SYSTEM_ERR
PAM_CRED_ERR
PAM_CRED_INSUFFICIENT
PAM_SERVICE_ERR
PAM_NEW_AUTHTOK_REQD
PAM_ACCT_EXPIRED
PAM_SESSION_ERR
PAM_CRED_UNAVAIL
PAM_NO_MODULE_DATA
PAM_CONV_ERR
PAM_AUTHTOK_LOCK_BUSY
PAM_ABORT
PAM_MODULE_UNKNOWN
PAM_BAD_ITEM
FILES
If a password reset by root fails because the corresponding SSSD provider does not support password resets, a custom message can be displayed. This message can, for example, contain instructions on how to reset a password.
The message is read from the file pam_sss_pw_reset_message.LOC, where LOC stands for the locale string returned by setlocale(3). If there is no matching file, the content of pam_sss_pw_reset_message.txt is displayed. Root must own the files, only root may have read and write permissions, and all other users must have read permission only.
These files are searched for in the directory /etc/sssd/customize/DOMAIN_NAME/. If no matching file is present, a generic message is displayed.
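As an added example (not part of this manual page or of the SSSD sources), the following Python script reproduces the lookup order described above and audits the chosen file against the stated ownership and permission rules. It assumes those rules mean exactly mode 0644, and its demo() uses a constructed temporary directory owned by the caller as a stand-in for /etc/sssd/customize.

```python
import os
import stat
import tempfile
from pathlib import Path

REQUIRED_MODE = 0o644  # assumption: the page's rule read as exactly rw-r--r--

def candidate_files(domain, loc, root="/etc/sssd/customize"):
    """Files pam_sss consults for DOMAIN_NAME, in lookup order: locale-specific, then .txt."""
    d = Path(root) / domain
    return [d / f"pam_sss_pw_reset_message.{loc}", d / "pam_sss_pw_reset_message.txt"]

def permission_problems(path, expected_uid=0):
    """List violations of the ownership and mode rules from the FILES section."""
    st = path.stat()
    problems = []
    if not stat.S_ISREG(st.st_mode):
        problems.append("not a regular file")
    if st.st_uid != expected_uid:
        problems.append(f"owner uid {st.st_uid}, expected {expected_uid}")
    mode = stat.S_IMODE(st.st_mode)
    if mode != REQUIRED_MODE:
        problems.append(f"mode {mode:04o}, expected {REQUIRED_MODE:04o}")
    return problems

def resolve_message(domain, loc, root="/etc/sssd/customize", expected_uid=0):
    """Return (path, problems) for the file pam_sss would display, or (None, []) if none."""
    for p in candidate_files(domain, loc, root):
        if p.exists():
            return p, permission_problems(p, expected_uid)
    return None, []

def demo():
    """Constructed fixture in a temp dir (stand-in for /etc/sssd/customize) owned by the caller."""
    root = tempfile.mkdtemp()
    dom = Path(root) / "example.com"
    dom.mkdir()
    txt = dom / "pam_sss_pw_reset_message.txt"
    txt.write_text("Contact the helpdesk to reset your password.\n")
    txt.chmod(0o644)
    de = dom / "pam_sss_pw_reset_message.de_DE.UTF-8"
    de.write_text("Bitte wenden Sie sich an den Helpdesk.\n")
    de.chmod(0o664)  # group-writable: violates the stated rule
    me = os.getuid()  # files here belong to the caller, not root
    return {
        "de": resolve_message("example.com", "de_DE.UTF-8", root, me),
        "fr": resolve_message("example.com", "fr_FR.UTF-8", root, me),
        "other": resolve_message("other.org", "C", root, me),
    }
```

Run against the real directory with the defaults (root="/etc/sssd/customize", expected_uid=0) to audit a deployed message file.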
SEE ALSO
sssd(8), sssd.conf(5), sssd-ldap(5), sssd-ldap-attributes(5), sssd-krb5(5), sssd-simple(5), sssd-ipa(5), sssd-ad(5), sssd-files(5), sssd-sudo(5), sssd-session-recording(5), sss_cache(8), sss_debuglevel(8), sss_obfuscate(8), sss_seed(8), sssd_krb5_locator_plugin(8), sss_ssh_authorizedkeys(1), sss_ssh_knownhosts(1), sssd-ifp(5), pam_sss(8), sss_rpcidmapd(5), sssd-systemtap(5).
AUTHORS
The SSSD upstream - https://github.com/SSSD/sssd/
01/16/2025 | SSSD