pam_krb5(5)              System Administrator's Manual             pam_krb5(5)

NAME
       pam_krb5 - Kerberos 5 authentication

DESCRIPTION
       pam_krb5.so reads its configuration information from the appdefaults
       section of krb5.conf(5).  You should read the krb5.conf(5) man page
       before continuing here.  The module expects its configuration
       information to be in the pam subsection of the appdefaults section.

       Directives which take true, false, or a PAM service name can also be
       selectively disabled for specific PAM services using the related "no_"
       option (exceptions to "debug = true" can be made using "no_debug", for
       example).

       debug = true|false|service [...]
              turns on debugging via syslog(3).  Debug messages are logged
              with priority LOG_DEBUG.

       debug_sensitive = true|false|service [...]
              turns on debugging of sensitive information via syslog(3).
              Debug messages are logged with priority LOG_DEBUG.

       addressless = true|false|service [...]
              if set, requests a TGT with no address information.  This can be
              necessary if you are using Kerberos through a NAT, or on systems
              whose IP addresses change regularly.  This directive is
              deprecated in favor of the libdefaults noaddresses directive.

       afs_cells = cell.example.com [...]
              tells pam_krb5.so to obtain tokens for the listed cells, in
              addition to the local cell and the cell which contains the
              user's home directory, for the user.  The module will guess the
              principal name of the AFS service for the listed cells, or it
              can be specified by listing cells in the form
              cellname=principalname.

       banner = Kerberos 5
              specifies what sort of password the module claims to be changing
              whenever it is called upon to change passwords.  The default is
              Kerberos 5.

       ccache_dir = /var/tmp
              specifies the directory in which to place credential cache
              files.  The default is /tmp.

       ccname_template = KEYRING:krb5cc_%U_%P

       ccname_template = FILE:%d/krb5cc_%U_XXXXXX
              specifies the location in which to place the user's
              session-specific credential cache.  This value is treated as a
              template, and these sequences are substituted:
              %u     login name
              %U     login UID
              %p     principal name
              %r     realm name
              %h     home directory
              %d     the default ccache directory (as set with ccache_dir)
              %P     the current process ID
              %%     literal '%'

              The default is FILE:%d/krb5cc_%U_XXXXXX.

       chpw_prompt = true|false|service [...]
              tells pam_krb5.so to allow expired passwords to be changed
              during authentication attempts.  While this is the traditional
              behavior exhibited by "kinit", it is inconsistent with the
              behavior expected by PAM, which expects authentication to
              (appear to) succeed, only to have password expiration be flagged
              by a subsequent call to the account management function.  Some
              applications which don't handle password expiration correctly
              will fail unconditionally if the user's password is expired, and
              this flag can be used to attempt to work around this bug in
              those applications.  The default is false.

       existing_ticket = true|false|service [...]
              tells pam_krb5.so to accept the presence of pre-existing
              Kerberos credentials provided by the calling application in the
              default credential cache as sufficient to authenticate the user,
              and to skip any account management checks.  The default is
              false.

              DANGER!  Unless validation is also in use, it is relatively easy
              to produce a credential cache which looks "good enough" to fool
              pam_krb5.so.

       external = true|false|sshd ftp [...]
              tells pam_krb5.so to use Kerberos credentials provided by the
              calling application during session setup.  This is most often
              useful for obtaining AFS tokens.  The default is "sshd".

       forwardable = true|false|service [...]
              controls whether or not credentials are forwardable.  This
              directive is deprecated in favor of the libdefaults forwardable
              directive.

       hosts = hostname [...]
              specifies which other hosts credentials obtained by pam_krb5
              will be good on.  If your host is behind a firewall, you should
              add the IP address or name that the KDC sees it as to this list.
              This directive is deprecated in favor of the libdefaults
              extra_addresses directive.

       ignore_afs = true|false|service [...]
              tells pam_krb5.so to completely ignore the presence of AFS,
              preventing any attempts to obtain new tokens on behalf of the
              calling application.

       ignore_unknown_principals = true|false|service [...]

       ignore_unknown_spn = true|false|service [...]

       ignore_unknown_upn = true|false|service [...]
              specifies whether or not pam_krb5 should return a PAM_IGNORE
              code to libpam instead of PAM_USER_UNKNOWN for users for whom
              the determined principal name is expired or does not exist.

       initial_prompt = true|false|service [...]
              tells pam_krb5.so whether or not to ask for a password before
              attempting authentication.  If one is needed and pam_krb5.so has
              not prompted for it, the Kerberos library should trigger a
              request for a password.

       keytab = FILE:/etc/krb5.keytab

       keytab = FILE:/etc/krb5.keytab imap=FILE:/etc/imap.keytab
              specifies the name of a keytab file to search for a service key
              for use in validating TGTs.  The location can be specified on a
              per-service basis by specifying a list of locations in the form
              pam_service=location.  The default is FILE:/etc/krb5.keytab.

       mappings = regex1 regex2 [...]
              specifies that pam_krb5 should derive the user's principal name
              from the Unix user name by first checking if the user name
              matches regex1, and formulating a principal name using regex2.
              For example, "mappings = EXAMPLE\(.*) $1@EXAMPLE.COM" would map
              any user with a name of the form "EXAMPLE\whatever" to a
              principal name of "whatever@EXAMPLE.COM".  This is primarily
              targeted at allowing pam_krb5 to be used to authenticate users
              whose user information is provided by winbindd(8).  This will
              frequently require the reverse to be configured by setting up an
              auth_to_local rule elsewhere in krb5.conf(5).
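
              The mapping step described above, as an added example that is
              not part of the pam_krb5 source: a small Python resolver that
              tries the mappings pairs in order and falls back to the default
              realm.  It assumes that pairs are whitespace-separated, that a
              regex must match the whole user name, and that $1..$9 name the
              regex's capture groups.  The default realm EXAMPLE.ORG and the
              second, corp-* pair are constructed.  Python's re requires the
              backslash in the man page's EXAMPLE\(.*) to be escaped, so the
              constructed value writes it as EXAMPLE\\(.*).

```python
"""Derive a Kerberos principal from a Unix user name with pam_krb5-style
"mappings" pairs.

Added example, not code from the pam_krb5 project.  Assumptions: the mappings
value is whitespace-separated (regex, template) pairs tried in order, a regex
must match the whole user name, and $1..$9 in the template stand for the
regex's capture groups.  A name matching no pair is given the default realm.
"""
import re

DEFAULT_REALM = "EXAMPLE.ORG"      # assumed local realm for unmapped names

# Constructed mappings value.  The man page writes the first regex as
# EXAMPLE\(.*); Python's re needs the literal backslash escaped, hence \\.
MAPPINGS = r"EXAMPLE\\(.*) $1@EXAMPLE.COM  corp-([a-z0-9]+) $1/corp@CORP.EXAMPLE.COM"


def parse_mappings(value):
    """Split a mappings value into compiled (regex, template) pairs."""
    words = value.split()
    if len(words) % 2:
        raise ValueError("mappings needs regex/template pairs: %r" % value)
    return [(re.compile(words[i]), words[i + 1]) for i in range(0, len(words), 2)]


def map_principal(user, mappings=None, default_realm=DEFAULT_REALM):
    """Return the principal name the user would be authenticated as."""
    pairs = parse_mappings(MAPPINGS) if mappings is None else mappings
    for regex, template in pairs:
        match = regex.fullmatch(user)        # the whole name must match
        if match is None:
            continue

        def group(ref):
            # $n -> capture group n; a group beyond the regex's count or an
            # unmatched optional group expands to the empty string
            n = int(ref.group(1))
            return (match.group(n) or "") if n <= regex.groups else ""

        return re.sub(r"\$([1-9])", group, template)
    return "%s@%s" % (user, default_realm)


if __name__ == "__main__":
    for name in ("EXAMPLE\\jdoe", "corp-svc01", "jdoe"):
        print("%-16s -> %s" % (name, map_principal(name)))
```

              Because the first match wins, order the pairs from most to
              least specific; a regex such as .* placed first would swallow
              every name.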

       minimum_uid = 0
              specifies the minimum UID of users being authenticated.  If a
              user with a UID less than this value attempts authentication,
              the request will be ignored.

       multiple_ccaches = true|false|service [...]
              specifies that pam_krb5 should maintain multiple credential
              caches for applications that both set credentials and open a PAM
              session, but which set the KRB5CCNAME variable after doing only
              one of the two.  This option is usually not necessary for most
              services.

       preauth_options =
              controls the preauthentication options which pam_krb5 passes to
              libkrb5, if the system defaults need to be overridden.  The list
              is treated as a template, and these sequences are substituted:
              %u     login name
              %U     login UID
              %p     principal name
              %r     realm name
              %h     home directory
              %d     the default ccache directory (as set with ccache_dir)
              %P     the current process ID
              %%     literal '%'
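
              The substitution rules shared by ccname_template and
              preauth_options, as an added example that is not the module's
              own code: a Python expander for the eight documented sequences,
              plus a check that a ccache template actually distinguishes
              users.  Assumptions: an unlisted sequence is left literally, the
              XXXXXX suffix is left for the caller to replace with a
              mkstemp-style random string, and the sample user, paths and the
              X509_user_identity preauth value are constructed.

```python
"""Expand the %-sequences pam_krb5 documents for ccname_template and
preauth_options.

Added example, not the module's own code.  It substitutes exactly the eight
sequences the man page lists; an unlisted sequence is kept literally (an
assumption), and the XXXXXX suffix of the default FILE: template is left for
the caller to replace with a mkstemp-style random string.
"""
import os


def _tokens(template):
    """Yield (is_sequence, char) pairs; is_sequence is True for the
    character that follows a '%'.  A trailing lone '%' is literal."""
    i = 0
    while i < len(template):
        if template[i] == "%" and i + 1 < len(template):
            yield True, template[i + 1]
            i += 2
        else:
            yield False, template[i]
            i += 1


def expand_template(template, user, uid, principal, realm, home,
                    ccache_dir="/tmp", pid=None):
    """Fill in %u %U %p %r %h %d %P and %% as documented for pam_krb5."""
    subs = {
        "u": user, "U": str(uid), "p": principal, "r": realm, "h": home,
        "d": ccache_dir, "P": str(os.getpid() if pid is None else pid),
        "%": "%",
    }
    out = []
    for is_seq, ch in _tokens(template):
        # an unknown sequence such as %q is kept as written (assumption)
        out.append(subs.get(ch, "%" + ch) if is_seq else ch)
    return "".join(out)


def names_per_user(template):
    """True if the template contains a per-user sequence (%u, %U or %p).
    A FILE: template without one names the same cache file for every user,
    so this is worth checking before deploying a custom ccname_template."""
    return any(is_seq and ch in "uUp" for is_seq, ch in _tokens(template))


if __name__ == "__main__":
    # constructed session context for a sample user
    ctx = dict(user="jdoe", uid=1000, principal="jdoe@EXAMPLE.COM",
               realm="EXAMPLE.COM", home="/home/jdoe", ccache_dir="/var/tmp")
    for t in ("FILE:%d/krb5cc_%U_XXXXXX",
              "KEYRING:krb5cc_%U_%P",
              # constructed preauth_options value; option names depend on the
              # preauth plugins installed
              "X509_user_identity=FILE:%h/.pki/%u.pem"):
        print(t, "->", expand_template(t, **ctx),
              "| per-user:", names_per_user(t))
```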

       proxiable = true|false|service [...]
              controls whether or not credentials are proxiable.  If not
              specified, they are.  This directive is deprecated in favor of
              the libdefaults proxiable directive.

       null_afs = true|false|service [...]
              tells pam_krb5.so, when it attempts to set tokens, to try to get
              credentials for services with names which resemble afs@REALM
              before attempting to get credentials for services with names
              resembling afs/cell@REALM.  The default is to assume that the
              cell's name is the instance in the AFS service's Kerberos
              principal name.

       pwhelp = filename
              specifies the name of a text file whose contents will be
              displayed to clients who attempt to change their passwords.
              There is no default.

       renew_lifetime = 36000
              default renewable lifetime, in seconds.  This specifies how much
              time you have after getting credentials to renew them.  This
              directive is deprecated in favor of the libdefaults
              renew_lifetime directive.

       subsequent_prompt = true|false|service [...]
              controls whether or not pam_krb5.so will allow the Kerberos
              library to ask the user for a password or other information, if
              the previously-entered password is somehow insufficient for
              authenticating the user.  This is commonly needed to allow a
              user to log in when that user's password has expired.  The
              default is true.

              If the calling application does not properly support PAM
              conversations (possibly due to limitations of a network protocol
              which it is serving), this may need to be disabled for that
              application, to prevent it from supplying the user's current
              password in a password-changing situation when a new password is
              called for.

       ticket_lifetime = 36000
              default credential lifetime, in seconds.

       tokens = true|false|service [...]
              signals that pam_krb5.so should create an AFS PAG and obtain
              tokens during authentication in addition to session setup.  This
              is primarily useful in server applications which need to access
              a user's files but which do not open PAM sessions before doing
              so.  For correctly-written applications, this flag is not
              necessary.

       token_strategy = rxk5,2b[,...]
              controls how, and using which format, pam_krb5.so should attempt
              to set AFS tokens for the user's session.  By default, the
              module is configured with "token_strategy = v4,524,2b,rxk5".
              Recognized strategy names include:
              rxk5   rxk5 (requires OpenAFS 1.6 or later)
              2b     rxkad "2b" (requires OpenAFS 1.2.8 or later)

       use_shmem = true|false|service [...]
              tells pam_krb5.so to pass credentials from the authentication
              service function to the session management service function
              using shared memory for specific services.  By default, the
              module is configured with "use_shmem = sshd".

       validate = true|false|service [...]
              specifies whether or not to attempt validation of the TGT.  The
              default is false.

EXAMPLES
       [appdefaults]
           pam = {
               ticket_lifetime = 36000
               renew_lifetime = 36000
               forwardable = true
               validate = true
               ccache_dir = /var/tmp
               external = sshd
               tokens = imap ftpd
               TEST.EXAMPLE.COM = {
                   debug = true
                   afs_cells = testcell.example.com othercell.example.com
                   keytab = FILE:/etc/krb5.keytab httpd=FILE:/etc/httpd.keytab
               }
           }
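
       The example stanza above, read back by an added Python checker that is
       not part of pam_krb5 or MIT Kerberos: it parses the [appdefaults] pam
       subsection, resolves true|false|service lists and their "no_"
       exceptions per PAM service, applies realm-subsection overrides and
       per-service keytab entries, and flags existing_ticket without validate,
       the combination the DANGER note warns about.  The parser is minimal
       and handles only the syntax shown here; three lines (no_debug, a
       realm-level validate = false and existing_ticket = login) are
       constructed additions to the page's example, and the exact precedence
       of a "no_" entry over a service list follows the man page's wording
       and is an assumption.

```python
"""Resolve pam_krb5 directives from the [appdefaults] pam stanza of krb5.conf
and flag the combinations the man page warns about.

Added example, not code from pam_krb5 or MIT Kerberos.  Rules applied, as the
man page describes them: a true|false|service directive is on for a PAM
service when set to true or when the service is listed, and a no_<directive>
entry naming that service (or set to true) turns it off again (assumption on
precedence); a realm subsection overrides the pam-wide values.
"""
import re

# Constructed sample: the EXAMPLES stanza of this man page, plus three marked
# lines added so that the no_ exception and the audit have something to do.
SAMPLE_KRB5_CONF = """\
[appdefaults]
    pam = {
        ticket_lifetime = 36000
        renew_lifetime = 36000
        forwardable = true
        validate = true
        ccache_dir = /var/tmp
        external = sshd
        tokens = imap ftpd
        TEST.EXAMPLE.COM = {
            debug = true
            # the next three lines are constructed additions to the example
            no_debug = sshd
            validate = false
            existing_ticket = login
            afs_cells = testcell.example.com othercell.example.com
            keytab = FILE:/etc/krb5.keytab httpd=FILE:/etc/httpd.keytab
        }
    }
"""

_SECTION = re.compile(r"^\[(\w+)\]$")
_OPEN = re.compile(r"^([\w.-]+)\s*=\s*\{$")
_KV = re.compile(r"^([\w.-]+)\s*=\s*(.*)$")


def parse_krb5_conf(text):
    """Parse krb5.conf-style text into nested dicts: {section: {key: str|dict}}."""
    root, stack = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":          # blank or comment line
            continue
        sec, opn, kv = _SECTION.match(line), _OPEN.match(line), _KV.match(line)
        if sec:
            stack = [root.setdefault(sec.group(1), {})]
        elif line == "}" and len(stack) > 1:
            stack.pop()
        elif opn and stack:                      # "name = {" opens a subsection
            stack.append(stack[-1].setdefault(opn.group(1), {}))
        elif kv and stack:
            stack[-1][kv.group(1)] = kv.group(2).strip()
        else:
            raise ValueError("line %d: cannot parse %r" % (lineno, raw))
    return root


def pam_settings(conf, realm=None):
    """Effective pam directives; a realm subsection overrides pam-wide ones."""
    pam = conf.get("appdefaults", {}).get("pam", {})
    effective = {k: v for k, v in pam.items() if not isinstance(v, dict)}
    if realm and isinstance(pam.get(realm), dict):
        effective.update(pam[realm])
    return effective


def enabled(settings, directive, service, default=False):
    """Is a true|false|service directive on for `service`?  `default` is a
    bool or, as for external and use_shmem, the default service list."""
    value = settings.get(directive)
    if value is None:
        on = default if isinstance(default, bool) else service in default.split()
    else:
        words = value.split()
        on = "true" in words or ("false" not in words and service in words)
    exceptions = settings.get("no_" + directive, "").split()
    return on and "true" not in exceptions and service not in exceptions


def keytab_for(settings, service):
    """Keytab searched when validating `service`'s TGT: a pam_service=location
    entry for that service wins over the bare location; default as documented."""
    chosen = "FILE:/etc/krb5.keytab"
    for word in settings.get("keytab", "").split():
        name, sep, location = word.partition("=")
        if sep and name == service:
            return location
        if not sep:
            chosen = word
    return chosen


def audit(settings, service):
    """Findings for `service`, based on the man page's own DANGER note."""
    findings = []
    if enabled(settings, "existing_ticket", service) and \
            not enabled(settings, "validate", service):
        findings.append("existing_ticket without validate: a crafted "
                        "credential cache can pass as authentication")
    return findings


if __name__ == "__main__":
    conf = parse_krb5_conf(SAMPLE_KRB5_CONF)
    for realm in (None, "TEST.EXAMPLE.COM"):
        s = pam_settings(conf, realm)
        for service in ("sshd", "login", "imap", "httpd"):
            print(realm or "(pam-wide)", service,
                  "validate=%s" % enabled(s, "validate", service),
                  "tokens=%s" % enabled(s, "tokens", service),
                  keytab_for(s, service), audit(s, service))
```

       Run against the sample, the realm-specific view shows validate turned
       off and existing_ticket trusted for the login service, which is
       exactly the case the DANGER note describes; the pam-wide view still
       has validate = true and reports nothing.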

FILES
       /etc/krb5.conf

SEE ALSO
       pam_krb5(8)

BUGS
       Probably, but let's hope not.  If you find any, please file them in the
       bug database at http://bugzilla.redhat.com/ against the "pam_krb5"
       component.

AUTHOR
       Nalin Dahyabhai <nalin@redhat.com>

Red Hat Linux                      2009/12/11                      pam_krb5(5)