pam_role_auth(5)                                          pam_role_auth(5)

NAME
     pam_role_auth - Role authentication PAM module for Solaris 8

SYNOPSIS
     /usr/lib/security/pam_role_auth.so.1

DESCRIPTION
     The Role Authentication service module for PAM,
     /usr/lib/security/pam_role_auth.so.1, provides functionality for one
     PAM module: authentication.

     pam_role_auth.so.1 is a shared object that can be dynamically loaded
     to provide the necessary functionality upon demand. Its path is
     specified in the PAM configuration file.

  Role Authentication Module
     The Role Authentication component provides a function to check for
     authorization to assume a role. It prevents direct logins to a role.
     It uses the user_attr(4) database to specify which users can assume
     which roles.

     The following option may be passed to the Role Authentication
     service module:

     debug      syslog(3) debugging information at LOG_DEBUG level.

     If PAM_USER (see pam_set_item(3)) is specified as type normal in the
     user_attr(4) database, the module returns PAM_SUCCESS. If PAM_RUSER
     (see pam_set_item(3)) is not set, the uid of the process loading the
     module is used to determine PAM_RUSER. The module returns PAM_SUCCESS
     if the user_attr(4) entry for PAM_RUSER lists PAM_USER in its roles
     field; otherwise it returns PAM_AUTH_ERR.

     This module is generally stacked below the authentication module
     pam_unix.so.1, so that error messages indicating that a role cannot
     be logged into directly are only issued after the user has entered
     the correct password.
EXAMPLES
     Here are some sample entries from pam.conf(4) demonstrating the use of
     the pam_role_auth.so.1 module:

     dtlogin  auth requisite   /usr/lib/security/pam_unix.so.1
     dtlogin  auth required    /usr/lib/security/pam_role_auth.so.1
     #
     su       auth requisite   /usr/lib/security/pam_unix.so.1
     su       auth required    /usr/lib/security/pam_role_auth.so.1
     #
     rlogin   auth sufficient  /usr/lib/security/pam_rhosts_auth.so.1
     rlogin   auth requisite   /usr/lib/security/pam_unix.so.1
     rlogin   auth required    /usr/lib/security/pam_role_auth.so.1

     The dtlogin program invokes pam_role_auth.so.1. PAM_RUSER is the
     username corresponding to the uid of the dtlogin process, which is 0.
     The user_attr(4) entry for the root user (uid 0) is empty, so all
     role logins through dtlogin are prevented. The same rule applies to
     login.

     The su program invokes pam_role_auth.so.1. PAM_RUSER is the username
     of the uid of the shell that invokes su. A user needs the appropriate
     entry in the roles list in user_attr(4) to be able to su to another
     user.

     In the example above, the rlogin program invokes the
     pam_role_auth.so.1 module. The module checks PAM_RUSER and determines
     whether the role being assumed, PAM_USER, is in the roles list of the
     user_attr(4) entry for PAM_RUSER. If it is in the roles list, the
     module returns PAM_SUCCESS; otherwise it returns PAM_AUTH_ERR.

SEE ALSO
     keylogin(1), pam(3), pam_authenticate(3), pam_setcred(3),
     pam_set_item(3), syslog(3), libpam(4), pam.conf(4), user_attr(4),
     attributes(5)

NOTES
     The interfaces in libpam(4) are MT-Safe only if each thread within
     the multi-threaded application uses its own PAM handle.
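The decision logic from the DESCRIPTION section and the dtlogin/su scenarios above, as an added Python example that is not part of this manual page or of the Solaris module: it parses a constructed user_attr(4) sample and applies the same type=normal and roles-field rules. The `process_user` argument (standing in for the uid of the process that loaded the module) and the treatment of a PAM_USER with no type= attribute as normal are assumptions.

```python
from typing import Dict, Optional

PAM_SUCCESS = "PAM_SUCCESS"
PAM_AUTH_ERR = "PAM_AUTH_ERR"

# Constructed user_attr(4) sample (not from any real system). Format is
# user:qualifier:res1:res2:attr, where attr holds key=value pairs separated
# by ';'. "root" deliberately has no roles field, as in the dtlogin example.
SAMPLE_USER_ATTR = """\
root::::type=normal
alice::::type=normal;roles=oper,secadmin
bob::::type=normal
oper::::type=role;profiles=Operator
secadmin::::type=role;profiles=All
"""


def parse_user_attr(text: str) -> Dict[str, Dict[str, str]]:
    """Map each user_attr(4) user name to its key=value attribute dict."""
    entries: Dict[str, Dict[str, str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 5:
            continue  # malformed line: skip rather than guess its meaning
        attrs = dict(kv.split("=", 1) for kv in fields[4].split(";") if "=" in kv)
        entries[fields[0]] = attrs
    return entries


def role_auth(pam_user: str, pam_ruser: Optional[str],
              entries: Dict[str, Dict[str, str]],
              process_user: str = "root") -> str:
    """Decision logic of pam_role_auth(5) over a parsed user_attr database.

    process_user stands in for the user name of the uid owning the process
    that loaded the module; it is consulted only when PAM_RUSER is unset.
    Assumption: a PAM_USER with no entry or no type= is treated as normal.
    """
    target = entries.get(pam_user, {})
    if target.get("type", "normal") == "normal":
        return PAM_SUCCESS  # not a role: this module has nothing to deny
    ruser = pam_ruser if pam_ruser else process_user
    roles = entries.get(ruser, {}).get("roles", "").split(",")
    return PAM_SUCCESS if pam_user in roles else PAM_AUTH_ERR
```

With the sample data, su from alice to the role oper succeeds, while bob, or a dtlogin process running as root with PAM_RUSER unset, gets PAM_AUTH_ERR.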