/usr/share/doc/libpam-ccreds/README is in libpam-ccreds 10-5.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
pam_ccreds
==========
The pam_ccreds module provides a mechanism for caching
credentials when authenticating against a network
authentication service, so that authentication can still
proceed when the service is down. Note that at present no
mechanism is provided for caching _authorization_
information, i.e. whether you are allowed to log in once
authenticated. Doing this is more difficult than it
first sounds.

The present implementation requires Linux-PAM as it takes
advantage of the extended configuration syntax of pam.conf.
(See the example configuration file included with the
software for an example of configuring it with pam_ldap.)
On platforms that do not use Linux-PAM you would need a
wrapper PAM module to choose an action based on the
previous module's return code.

When invoked via PAM, pam_ccreds performs one of three
actions:

    validate            validate PAM authentication token
                        against cached credentials
    store               cache PAM authentication token for
                        future validation
    update              if the PAM authentication token is
                        cached, then remove it from the
                        cache

These are configured by the "action=" module option. The
following module options are also recognized:

    use_first_pass      do not prompt for the password if
                        the existing PAM authentication
                        token does not validate
    try_first_pass      prompt for the password if the
                        existing PAM authentication token
                        does not validate
    service_specific    only check cached credentials for
                        this specific service
    ccredsfile=         name of the cached credentials
                        file; default is /var/cache/.security.db
    action=             action (see above)
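
An added example, not part of pam_ccreds or of this README: a small Python check that reads a pam.d-style stack and reports pam_ccreds lines whose action= value or options are not among those listed above. The function name audit_ccreds, the sample stack and its pam_unix/pam_ldap lines are assumptions constructed for illustration.

```python
import re

# Actions and options exactly as listed in the README.
ACTIONS = {"validate", "store", "update"}
FLAGS = {"use_first_pass", "try_first_pass", "service_specific"}
DEFAULT_CCREDSFILE = "/var/cache/.security.db"

# pam.d line: type, control (word or [value=action ...]), module, arguments
PAM_LINE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def audit_ccreds(pam_text):
    """Return (entries, findings) for each pam_ccreds line in pam.d-style text."""
    entries, findings = [], []
    for n, raw in enumerate(pam_text.splitlines(), 1):
        m = PAM_LINE.match(raw.split("#", 1)[0].strip())
        if not m or "pam_ccreds" not in m.group(3):
            continue
        entry = {"line": n, "control": m.group(2), "action": None,
                 "ccredsfile": DEFAULT_CCREDSFILE, "flags": []}
        for arg in m.group(4).split():
            key, sep, value = arg.partition("=")
            if key == "action" and sep:
                entry["action"] = value
                if value not in ACTIONS:
                    findings.append((n, f"unknown action '{value}'"))
            elif key == "ccredsfile" and sep:
                entry["ccredsfile"] = value
                if value != DEFAULT_CCREDSFILE:
                    findings.append((n, f"cache file overridden: {value}"))
            elif arg in FLAGS:
                entry["flags"].append(arg)
            else:
                findings.append((n, f"option '{arg}' is not listed in the README"))
        if entry["action"] is None:
            findings.append((n, "no action= option given"))
        entries.append(entry)
    return entries, findings

# Constructed sample stack (the pam_unix and pam_ldap lines are assumptions).
SAMPLE = """\
auth sufficient pam_unix.so
auth [authinfo_unavail=ignore success=1 default=2] pam_ldap.so use_first_pass
auth [default=done] pam_ccreds.so action=validate use_first_pass
auth [default=done] pam_ccreds.so action=store
auth [default=bad]  pam_ccreds.so action=update
auth optional pam_ccreds.so action=validat ccredsfile=/tmp/cc.db nullok  # constructed bad line
"""

if __name__ == "__main__":
    for line_no, message in audit_ccreds(SAMPLE)[1]:
        print(f"line {line_no}: {message}")
```

A cache file reported as overridden should have its ownership and permissions reviewed, since it holds the cached credentials.
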

The "cc_test" and "cc_dump" utilities are also provided;
cc_dump may be removed in a future version.

Things we need to do are:

    o more testing
    o verify it works with Berkeley DB 4.x
    o use transactions rather than flock() when
      using versions of DB that support it

The pam_ccreds module is distributed under the GNU General
Public License.