pam_krb5(8)              System Administrator's Manual              pam_krb5(8)

NAME
       pam_krb5 - Kerberos 5 authentication

SYNOPSIS
       auth required /$LIB/security/pam_krb5.so
       session optional /$LIB/security/pam_krb5.so
       account sufficient /$LIB/security/pam_krb5.so
       password sufficient /$LIB/security/pam_krb5.so

DESCRIPTION
       The pam_krb5.so module is designed to allow smooth integration of
       Kerberos 5 password-checking for applications which use PAM. It
       creates session-specific credential cache files. If the system is an
       AFS client, it will also attempt to obtain tokens for the local cell,
       the cell which contains the user's home directory, and any
       explicitly-configured cells.

       When a user logs in, the module's authentication function performs a
       simple password check and, if possible, obtains Kerberos 5
       credentials, caching them for later use. When the application
       requests initialization of credentials (or opens a session), the
       usual ticket files are created. When the application subsequently
       requests deletion of credentials or closing of the session, the
       module deletes the ticket files. When the application requests
       account management, if the module did not participate in
       authenticating the user, it will signal libpam to ignore the module.
       If the module did participate in authenticating the user, it will
       check for an expired user password and verify the user's
       authorization using the .k5login file of the user being
       authenticated, which is expected to be accessible to the module.

ARGUMENTS
       debug  turns on debugging via syslog(3). Debugging messages are
              logged with priority LOG_DEBUG.

       debug_sensitive
              turns on debugging of sensitive information via syslog(3).
              Debug messages are logged with priority LOG_DEBUG.

       addressless
              tells pam_krb5.so to obtain credentials without address lists.
              This may be necessary if your network uses NAT, and should
              otherwise not be used. This option is deprecated in favor of
              the noaddresses flag in the libdefaults section of
              krb5.conf(5).

       afs_cells=cell.example.com[,...]
              tells pam_krb5.so to obtain tokens for the named cells, in
              addition to the local cell, for the user. The module will
              guess the principal name of the AFS service for the named
              cells, or it can be specified by giving cell in the form
              cellname=principalname.

       banner=Kerberos 5
              tells pam_krb5.so how to identify itself when users attempt to
              change their passwords. The default setting is "Kerberos 5".

       ccache_dir=/tmp
              tells pam_krb5.so which directory to use for storing
              credential caches. The default setting is /tmp.

       ccname_template=FILE:%d/krb5cc_%U_XXXXXX
              specifies the location in which to place the user's
              session-specific credential cache. This value is treated as a
              template, and these sequences are substituted:
                     %u  login name
                     %U  login UID
                     %p  principal name
                     %r  realm name
                     %h  home directory
                     %d  the default ccache directory (as set with ccache_dir)
                     %P  the current process ID
                     %%  literal '%'
              The default setting is "FILE:%d/krb5cc_%U_XXXXXX".

       chpw_prompt
              tells pam_krb5.so to allow expired passwords to be changed
              during authentication attempts. While this is the traditional
              behavior exhibited by "kinit", it is inconsistent with the
              behavior expected by PAM, which expects authentication to
              (appear to) succeed, only to have password expiration be
              flagged by a subsequent call to the account management
              function. Some applications which don't handle password
              expiration correctly will fail unconditionally if the user's
              password is expired, and this flag can be used to attempt to
              work around this bug in those applications. The default is
              false.

       existing_ticket
              tells pam_krb5.so to accept the presence of pre-existing
              Kerberos credentials provided by the calling application in
              the default credential cache as sufficient to authenticate the
              user, and to skip any account management checks.

              DANGER! Unless validation is also in use, it is relatively
              easy to produce a credential cache which looks "good enough"
              to fool pam_krb5.so.

       external

       external=sshd
              tells pam_krb5.so to use Kerberos credentials provided by the
              calling application during session setup. This is most often
              useful for obtaining AFS tokens.

       forwardable
              tells pam_krb5.so that credentials it obtains should be
              forwardable. This option is deprecated in favor of the
              forwardable option in the libdefaults section of krb5.conf(5).

       hosts=host[,...]
              tells pam_krb5.so to obtain credentials using the addresses of
              the given hosts in addition to the addresses of interfaces on
              the local workstation. For example, if your workstation is
              behind a masquerading firewall, specifying the firewall's
              outward-facing address here should allow Kerberos
              authentication to succeed. This option is deprecated in favor
              of the extra_addresses flag in the libdefaults section of
              krb5.conf(5).
       ignore_unknown_principals

       ignore_unknown_spn

       ignore_unknown_upn
              specifies that pam_krb5 should return a PAM_IGNORE code to
              libpam instead of PAM_USER_UNKNOWN for users for whom the
              determined principal name is expired or does not exist.

       keytab=FILE:/etc/krb5.keytab
              tells pam_krb5.so the location of a keytab to use when
              validating credentials obtained from KDCs.

       minimum_uid=0
              tells pam_krb5.so to ignore authentication attempts by users
              with UIDs below the specified number.

       multiple_ccaches
              specifies that pam_krb5 should maintain multiple credential
              caches for this service, because it both sets credentials and
              opens a PAM session, but it sets the KRB5CCNAME variable after
              doing only one of the two. This option is usually not
              necessary for most services.

       no_initial_prompt
              tells pam_krb5.so to not ask for a password before attempting
              authentication, and to instead allow the Kerberos library to
              trigger a request for a password only in cases where one is
              needed.

       no_subsequent_prompt
              tells pam_krb5.so to only provide the previously-entered
              password in response to any request for a password which the
              Kerberos library might make. If the calling application does
              not properly support PAM conversations (possibly due to
              limitations of a network protocol which it is serving), this
              may need to be used to prevent the application from supplying
              the user's current password in a password-changing situation
              when a new password is called for.

       no_user_check
              tells pam_krb5.so to not check if a user exists on the local
              system, to skip authorization checks using the user's .k5login
              file, and to create ccache files owned by the current
              process's UID. This is useful for situations where a
              non-privileged server process needs to use Kerberized services
              on behalf of remote users who may not have local access. Note
              that such a server should have an encrypted connection with
              its client in order to avoid allowing the user's password to
              be eavesdropped.

       null_afs
              tells pam_krb5.so, when it attempts to set tokens, to try to
              get credentials for services with names which resemble
              afs@REALM before attempting to get credentials for services
              with names resembling afs/cell@REALM. The default is to assume
              that the cell's name is the instance in the AFS service's
              Kerberos principal name.

       preauth_options=[]
              controls the preauthentication options which pam_krb5 passes
              to libkrb5, if the system defaults need to be overridden. The
              list is treated as a template, and these sequences are
              substituted:
                     %u  login name
                     %U  login UID
                     %p  principal name
                     %r  realm name
                     %h  home directory
                     %d  the default ccache directory
                     %P  the current process ID
                     %%  literal '%'

       proxiable
              tells pam_krb5.so that credentials it obtains should be
              proxiable. This option is deprecated in favor of the proxiable
              option in the libdefaults section of krb5.conf(5).

       pwhelp=filename
              specifies the name of a text file whose contents will be
              displayed to clients who attempt to change their passwords.
              There is no default.

       realm=realm
              overrides the default realm set in /etc/krb5.conf, which
              pam_krb5.so will attempt to authenticate users to.

       renew_lifetime=36000
              sets the default renewable lifetime for credentials. This
              option is deprecated in favor of the renew_lifetime option in
              the libdefaults section of krb5.conf(5).

       ticket_lifetime=36000
              sets the default lifetime for credentials.

       tokens

       tokens=imap
              signals that pam_krb5.so should create a new AFS PAG and
              obtain AFS tokens during authentication in addition to session
              setup. This is primarily useful in server applications which
              need to access a user's files but which do not open PAM
              sessions before doing so. A properly-written server will not
              need this flag set in order to function correctly.

       try_first_pass
              tells pam_krb5.so to check the previously-entered password as
              with use_first_pass, but to prompt the user for another one if
              the previously-entered one fails. This is the default mode of
              operation.

       use_first_pass
              tells pam_krb5.so to get the user's entered password as it was
              stored by a module listed earlier in the stack, usually
              pam_unix or pam_pwdb, instead of prompting the user for it.

       use_authtok
              tells pam_krb5.so to never prompt for new passwords when
              changing passwords. This is useful if you are using
              pam_cracklib or pam_passwdqc to try to enforce use of
              less-easy-to-guess passwords.

       use_shmem

       use_shmem=sshd
              tells pam_krb5.so to pass credentials from the authentication
              service function to the session management service function
              using shared memory, or to do so for specific services.

       validate

       validate=sshd
              tells pam_krb5.so to verify that the TGT obtained from the
              realm's servers has not been spoofed. Note that the process
              which is performing authentication must be able to read the
              keytab in order for validation to be possible.
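       The following audit script is an added example, not part of
       pam_krb5 itself. It applies two points from the arguments above to
       a PAM service file: existing_ticket is only safe when validate (and
       a readable keytab) is also configured, and the addressless,
       forwardable, hosts, proxiable and renew_lifetime flags belong in
       the libdefaults section of krb5.conf(5) instead. The sample service
       file, its path and its module paths are constructed for the
       demonstration.

```shell
#!/bin/sh
# Example audit helper (not part of pam_krb5): report pam_krb5.so lines in a
# PAM service file that use existing_ticket without validate, or that use
# per-module flags this manual page marks as deprecated in favor of the
# libdefaults section of krb5.conf(5).
#
# Prints one finding per line; returns 0 when clean, 1 when anything was found.
audit_pam_krb5() {
    findings=$(awk '
        /^[[:space:]]*#/ { next }          # skip comment lines
        $0 !~ /pam_krb5\.so/ { next }      # only lines that load pam_krb5.so
        {
            # existing_ticket trusts a caller-supplied ccache; without
            # validate a forged cache can look "good enough"
            if ($0 ~ /existing_ticket/ && $0 !~ /validate/)
                printf "line %d: existing_ticket without validate\n", NR
            # flags that should be set in krb5.conf [libdefaults] instead
            n = split("addressless forwardable hosts= proxiable renew_lifetime=", dep, " ")
            for (i = 1; i <= n; i++)
                if (index($0, dep[i]) > 0)
                    printf "line %d: %s is deprecated, use krb5.conf libdefaults\n", NR, dep[i]
        }' "$1")
    if [ -n "$findings" ]; then
        printf "%s\n" "$findings"
        return 1
    fi
    return 0
}

# Constructed sample service file (not a real system file): line 2 is the
# weak form, line 3 the hardened form with validate and an explicit keytab.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# constructed /etc/pam.d/example
auth required /lib/security/pam_krb5.so existing_ticket forwardable
auth required /lib/security/pam_krb5.so existing_ticket validate keytab=FILE:/etc/krb5.keytab
session optional /lib/security/pam_krb5.so
EOF

audit_pam_krb5 "$SAMPLE" || echo "audit: problems found in $SAMPLE"
```

       Run against a real /etc/pam.d file, the script only reads the file;
       whether the authenticating process can actually read the keytab
       still has to be checked separately.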

FILES
       /etc/krb5.conf

SEE ALSO
       pam_krb5(5) krb5.conf(5)

BUGS
       Probably, but let's hope not. If you find any, please file them in
       the bug database at http://bugzilla.redhat.com/ against the
       "pam_krb5" component.

AUTHOR
       Nalin Dahyabhai <nalin@redhat.com>



Red Hat Linux                     2009/12/11                       pam_krb5(8)