NAME
     pam_pefs - pefs PAM module

SYNOPSIS
     [service-name] module-type control-flag pam_pefs [options]

DESCRIPTION
     The pefs authentication service module for PAM, pam_pefs, provides
     functionality for two PAM categories: authentication and session
     management.  In terms of the module-type parameter, they are the "auth"
     and "session" features.

     The module expects a pefs file system to be mounted on the user's home
     directory and fails otherwise.

     The pefs authentication component provides a function to verify the
     identity of a user (pam_sm_authenticate()), by prompting the user for a
     passphrase and verifying that it exists in the pefs key chain database.

     The following options may be passed to the authentication module:

     use_first_pass
             If the authentication module is not the first in the stack, and
             a previous module obtained the user's password, that password is
             used to authenticate the user.  If this fails, the
             authentication module returns failure without prompting the user
             for a password.  This option has no effect if the authentication
             module is the first in the stack, or if no previous modules
             obtained the user's password.

     try_first_pass
             This option is similar to the use_first_pass option, except that
             if the previously obtained password fails, the user is prompted
             for another password.

     ignore_missing
             Accept any passphrase provided by the user.  This option is used
             not to authenticate the user, but to preserve keys that should
             be added to the pefs file system by the session management
             module.  The option is incompatible with the try_first_pass
             option and should be used with the use_first_pass option.

     delkeys
             Remove keys at the end of the last session.  The module tracks
             the number of concurrent sessions, removing all keys from the
             file system when the session count reaches zero.

     The pefs session management component provides functions to initiate
     (pam_sm_open_session()) and terminate (pam_sm_close_session()) sessions.
     The pam_sm_open_session() function adds the key or key chain decrypted
     during the authentication phase to the pefs file system mounted on the
     user's home directory.
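As an added example (not code from pam_pefs or the pefs project), the following Python lint parses a pam.conf-style stack and checks the option rules stated above: ignore_missing must not be combined with try_first_pass and should be combined with use_first_pass; use_first_pass and try_first_pass only do something when an earlier auth module can supply the password; and an auth entry for pam_pefs needs a matching session entry, because only pam_sm_open_session() adds the decrypted keys to the file system. The two sample stacks, the pam_unix.so line and the pam_pefs.so file name are constructed assumptions for illustration.

```python
"""Lint a PAM stack for the pam_pefs option rules documented in pam_pefs(8).

Added example; not part of pam_pefs.  The stacks below are constructed.
"""
import re

# Optional leading service name (pam.conf style), then type, control, module,
# options.  pam.d style lines simply omit the service name.
PAM_LINE = re.compile(
    r"^(?:(?P<service>\S+)\s+)?"
    r"(?P<type>auth|account|session|password)\s+"
    r"(?P<control>\S+)\s+(?P<module>\S+)(?:\s+(?P<opts>.*))?$"
)

# Constructed sample: a stack that follows the documented rules.
GOOD_STACK = """
# pam_unix collects the login password; pam_pefs reuses it for the key chain.
auth     required   pam_unix.so   no_warn try_first_pass
auth     required   pam_pefs.so   use_first_pass
session  required   pam_pefs.so   delkeys
"""

# Constructed sample: a stack that violates every rule the lint knows about.
BAD_STACK = """
auth     required   pam_pefs.so   ignore_missing try_first_pass
"""


def parse_stack(text):
    """Return a list of (type, control, module, [options]) tuples.

    Comments and blank lines are skipped; anything else that does not look
    like a PAM entry raises ValueError rather than being silently dropped.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = PAM_LINE.match(line)
        if not m:
            raise ValueError("unparseable PAM line: %r" % line)
        opts = (m.group("opts") or "").split()
        entries.append((m.group("type"), m.group("control"), m.group("module"), opts))
    return entries


def lint_pefs(entries):
    """Return a list of human-readable findings about pam_pefs usage."""
    findings = []
    auth_idx = [i for i, e in enumerate(entries)
                if e[0] == "auth" and "pam_pefs" in e[2]]
    has_session = any(e[0] == "session" and "pam_pefs" in e[2] for e in entries)

    for i in auth_idx:
        opts = set(entries[i][3])
        if "ignore_missing" in opts:
            if "try_first_pass" in opts:
                findings.append("ignore_missing is incompatible with try_first_pass")
            if "use_first_pass" not in opts:
                findings.append("ignore_missing should be combined with use_first_pass")
        if opts & {"use_first_pass", "try_first_pass"}:
            # Per the man page the option has no effect unless an earlier auth
            # module in the stack obtained the password.
            if not any(e[0] == "auth" for e in entries[:i]):
                findings.append("use_first_pass/try_first_pass has no earlier "
                                "auth module to take the password from")

    if auth_idx and not has_session:
        findings.append("auth pam_pefs without a session pam_pefs entry: "
                        "decrypted keys are never added to the file system")
    return findings


if __name__ == "__main__":
    for name, stack in (("GOOD_STACK", GOOD_STACK), ("BAD_STACK", BAD_STACK)):
        print(name, lint_pefs(parse_stack(stack)) or "ok")
```

Run it against a real /etc/pam.d/login by reading the file into parse_stack(); the findings are advisory, since the lint only encodes the constraints stated in this manual and knows nothing about the rest of the stack.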
FILES
     $HOME/.pefs.conf
             pefs configuration file

     $HOME/.pefs.db
             pefs key chain database file

AUTHORS
     The pam_pefs module was written by Gleb Kurtsou <gleb@FreeBSD.org>.

BUGS
     The pam_sm_close_session() function doesn't delete keys added by
     pam_sm_open_session().