NAME
pam_ksu — Kerberos 5 SU PAM module
SYNOPSIS
[service-name] module-type control-flag pam_ksu [options]
DESCRIPTION
The Kerberos 5 SU authentication service module for PAM provides functionality
for only one PAM category: authentication. In terms of the module-type
parameter, this is the “auth” feature. The module is specifically designed to
be used with the su(1) utility.
Kerberos 5 SU Authentication Module
The Kerberos 5 SU authentication component provides functions to verify the
identity of a user (pam_sm_authenticate()), and determine whether or not the
user is authorized to obtain the privileges of the target account. If the
target account is “root”, then the Kerberos 5 principal used for
authentication and authorization will be the “root” instance of the current
user, e.g. “user/root@REAL.M”. Otherwise, the principal will simply be the
current user's default principal, e.g. “user@REAL.M”.
The user is prompted for a password if necessary. Authorization is performed by
comparing the Kerberos 5 principal with those listed in the .k5login file in
the target account's home directory (e.g. /root/.k5login for root).
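The principal selection and .k5login comparison described above can be modelled for auditing which local users would pass authorization for a target account. This is an added example, not code from pam_ksu; the function names, the sample file contents, and the one-principal-per-line exact-match parsing are assumptions made for illustration.

```python
"""Added illustration of pam_ksu principal selection and the .k5login check."""


def ksu_principal(user, target, realm):
    """Return the principal the page says is used when `user` runs su to `target`."""
    # Target "root": the "root" instance of the current user.
    if target == "root":
        return f"{user}/root@{realm}"
    # Any other target: the current user's default principal.
    return f"{user}@{realm}"


def parse_k5login(text):
    """Assumed format: one principal per line, blank lines ignored."""
    return {line.strip() for line in text.splitlines() if line.strip()}


def is_authorized(user, target, realm, k5login_text):
    # Assumption: exact string match stands in for the Kerberos library's
    # principal comparison.
    return ksu_principal(user, target, realm) in parse_k5login(k5login_text)


def audit(users, target, realm, k5login_text):
    """Return (users who would pass, .k5login entries no listed user maps to)."""
    listed = parse_k5login(k5login_text)
    expected = {ksu_principal(u, target, realm): u for u in users}
    allowed = sorted(expected[p] for p in listed if p in expected)
    unmatched = sorted(listed - set(expected))
    return allowed, unmatched


# Constructed sample: contents of /root/.k5login on a hypothetical host.
SAMPLE_ROOT_K5LOGIN = """\
alice/root@REAL.M
bob@REAL.M

carol/root@OTHER.REALM
"""

if __name__ == "__main__":
    allowed, unmatched = audit(["alice", "bob", "carol"], "root", "REAL.M",
                               SAMPLE_ROOT_K5LOGIN)
    print("would pass authorization for root:", allowed)
    print("entries to review:", unmatched)
```

Entries reported as unmatched do not correspond to the principal the module would use for any audited user, so they are the ones to review by hand.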
The following options may be passed to the authentication module:
debug
    Log debugging information via syslog(3) at LOG_DEBUG level.

use_first_pass
    If the authentication module is not the first in the stack, and a
    previous module obtained the user's password, that password is used to
    authenticate the user. If this fails, the authentication module returns
    failure without prompting the user for a password. This option has no
    effect if the authentication module is the first in the stack, or if no
    previous modules obtained the user's password.

try_first_pass
    This option is similar to the use_first_pass option, except that if the
    previously obtained password fails, the user is prompted for another
    password.
SEE ALSO
su(1), syslog(3), pam.conf(5), pam(8)