1pam_krb5(5) System Administrator's Manual pam_krb5(5)
2
6 pam_krb5 - Kerberos 5 authentication
7
10 pam_krb5.so reads its configuration information from the appdefaults
11 section of krb5.conf(5). You should read the krb5.conf(5) man page
12 before continuing here. The module expects its configuration informa‐
13 tion to be in the pam subsection of the appdefaults section.
14
17 Directives which take a true, false, or a PAM service name can also be
18 selectively disabled for specific PAM services using the related "no_"
19 option (exceptions to "debug = true" can be made using "no_debug", for
20 example).
21 debug = true|false|service [...]
24 turns on debugging via syslog(3). Debug messages are logged
25 with priority LOG_DEBUG.
26 debug_sensitive = true|false|service [...]
29 turns on debugging of sensitive information via syslog(3).
30 Debug messages are logged with priority LOG_DEBUG.
31 afs_cells = cell.example.com [...]
34 tells pam_krb5.so to obtain tokens for the listed cells, in
35 addition to the local cell and the cell which contains the
36 user's home directory, for the user. The module will guess the
37 principal name of the AFS service for the listed cells, or it
38 can be specified by listing cells in the form cellname=princi‐
39 palname.
40 always_allow_localname = true|false|service [...]
43 tells pam_krb5.so, when performing an authorization check using
44 the target user's .k5login file, to always allow access when the
45 principal name being authenticated maps to the local user's name
46 (as configured using the auth_to_local_names and auth_to_local
47 settings in krb5.conf(5), if your implementation provides those
48 settings). Otherwise, if the file exists and can be read, but
49 the principal is not explicitly listed, access is typically
50 denied. This setting is disabled by default.
51 armor = true|false|service [...]
54 attempt to use armoring when communicating with the KDC. This
55 option is currently mainly only useful for testing, as the
56 keytab method should not be expected to work when the module is
57 called from an unprivileged process, and the pkinit method
58 requires that the KDC is properly configured to offer anonymous
59 PKINIT, and that the client is also properly configured to trust
60 the KDC's CA. The default is false.
61 armor_strategy = keytab,pkinit
64 controls how the module will attempt to obtain tickets for use
65 as armor. The value should be a comma-separated list of methods.
66 Supported methods include ketyab and pkinit. The default is
67 keytab,pkinit.
68 banner = Kerberos 5
71 specifies what sort of password the module claims to be changing
72 whenever it is called upon to change passwords. The default is
73 Kerberos 5.
74 ccache_dir = /var/tmp
77 specifies the directory in which to place credential cache
78 files. The default is /tmp.
79 ccname_template = KEYRING:krb5cc_%U_%P
82 ccname_template = FILE:%d/krb5cc_%U_XXXXXX
84 specifies the location in which to place the user's session-spe‐
85 cific credential cache. This value is treated as a template,
86 and these sequences are substituted:
87 %u login name
88 %U login UID
89 %p principal name
90 %r principal's realm name
91 %h home directory
92 %d the default ccache directory (as set with ccache_dir)
93 %P the current process ID
94 %% literal '%'
95 If the resulting template does not end with "XXXXXX", a suffix
97 will be added to the configured value. If not set, the module
98 attempts to read the default used by libkrb5 from krb5.conf(5),
99 and if one is not found, the default is
100 DIR:/run/user/%U/krb5cc_XXXXXX".
101 chpw_prompt = true|false|service [...]
104 tells pam_krb5.so to allow expired passwords to be changed dur‐
105 ing authentication attempts. While this is the traditional
106 behavior exhibited by "kinit", it is inconsistent with the
107 behavior expected by PAM, which expects authentication to
108 (appear to) succeed, only to have password expiration be flagged
109 by a subsequent call to the account management function. Some
110 applications which don't handle password expiration correctly
111 will fail unconditionally if the user's password is expired, and
112 this flag can be used to attempt to work around this bug in
113 those applications. The default is false.
114 cred_session=true|false|service [...]
117 specifies that pam_krb5 should create and destroy credential
118 caches, as it does when the calling application opens and closes
119 a PAM session, when the calling application establishes and
120 deletes PAM credentials. This is done to compensate for appli‐
121 cations which expect to create a credential cache but which
122 don't use PAM session management. It is usually a harmless
123 redundancy in applications which don't require it, so this
124 option is enabled by default except for this list of services:
125 "sshd".
126 external = true|false|sshd ftp [...]
129 tells pam_krb5.so to use Kerberos credentials provided by the
130 calling application during session setup. This is most often
131 useful for obtaining AFS tokens. The default is "sshd sshd-
132 rekey gssftp".
133 ignore_afs=true|false|service [...]
136 tells pam_krb5.so to completely ignore the presence of AFS, pre‐
137 venting any attempts to obtain new tokens on behalf of the call‐
138 ing application.
139 ignore_k5login=true|false|service [...]
142 specifies which other not pam_krb5 should skip checking the
143 user's .k5login file to verify that the principal name of the
144 client being authenticated is authorized to access the user
145 account. (Actually, the check is performed by a function
146 offered by the Kerberos library, which controls which files it
147 will consult.) The default is false, which causes pam_krb5 to
148 perform the check.
149 ignore_unknown_principals=true|false|service [...]
152 ignore_unknown_spn=true|false|service [...]
154 ignore_unknown_upn=true|false|service [...]
156 specifies which other not pam_krb5 should return a PAM_IGNORE
157 code to libpam instead of PAM_USER_UNKNOWN for users for whom
158 the determined principal name is expired or does not exist.
159 initial_prompt=true|false|service [...]
162 tells pam_krb5.so whether or not to ask for a password before
163 attempting authentication. If one is needed and pam_krb5.so has
164 not prompted for it, the Kerberos library should trigger a
165 request for a password.
166 keytab = FILE:/etc/krb5.keytab
169 keytab = FILE:/etc/krb5.keytab imap=FILE:/etc/imap.keytab
171 specifies the name of a keytab file to search for a service key
172 for use in validating TGTs. The location can be specified on a
173 per-service basis by specifying a list of locations in the form
174 pam_service=location. The default is FILE:/etc/krb5.keytab.
175 mappings = regex1 regex2 [...]
178 specifies that pam_krb5 should derive the user's principal name
179 from the Unix user name by first checking if the user name
180 matches regex1, and formulating a principal name using regex2.
181 For example, "mappings = ^EXAMPLE\\(.*)$ $1@EXAMPLE.COM" would
182 map any user with a name of the form "EXAMPLE\whatever" to a
183 principal name of "whatever@EXAMPLE.COM". This is primarily
184 targeted at allowing pam_krb5 to be used to authenticate users
185 whose user information is provided by winbindd(8). This will
186 frequently require the reverse to be configured by setting up an
187 auth_to_local rule elsewhere in krb5.conf(5).
188 minimum_uid = 0
191 specifies the minimum UID of users being authenticated. If a
192 user with a UID less than this value attempts authentication,
193 the request will be ignored.
194 multiple_ccaches=true|false|service [...]
197 specifies that pam_krb5 should maintain multiple credential
198 caches for applications that both set credentials and open a PAM
199 session, but which set the KRB5CCNAME variable after doing only
200 one of the two. This option is usually not necessary for most
201 services.
202 preauth_options =
205 controls the preauthentication options which pam_krb5 passes to
206 libkrb5, if the system-defaults need to be overridden. The list
207 is treated as a template, and these sequences are substituted:
208 %u login name
210 %U login UID
211 %p principal name
212 %r principal's realm name
213 %h home directory
214 %d the default ccache directory (as set with ccache_dir)
215 %P the current process ID
216 %% literal '%'
217 A list of recognized values should be listed in the kinit(1)
219 manual page as parameters for its -X option.
220 null_afs=true|false|service [...]
223 tells pam_krb5.so, when it attempts to set tokens, to try to get
224 credentials for services with names which resemble afs@REALM
225 before attempting to get credentials for services with names
226 resembling afs/cell@REALM. The default is to assume that the
227 cell's name is the instance in the AFS service's Kerberos prin‐
228 cipal name.
229 pwhelp = filename
232 specifies the name of a text file whose contents will be dis‐
233 played to clients who attempt to change their passwords. There
234 is no default.
235 subsequent_prompt = true|false|service [...]
238 controls whether or not pam_krb5.so will allow the Kerberos
239 library to ask the user for a password or other information, if
240 the previously-entered password is somehow insufficient for
241 authenticating the user. This is commonly needed to allow a
242 user to log in when that user's password has expired. The
243 default is false during password changes, and true otherwise.
244 If the calling application does not properly support PAM conver‐
246 sations (possibly due to limitations of a network protocol which
247 it is serving), this may be need to be disabled for that appli‐
248 cation to prevent it from supplying the user's current password
249 in a password-changing situation when a new password is called
250 for.
251 tokens = true|false|service [...]
254 signals that pam_krb5.so should create an AFS PAG and obtain
255 tokens during authentication in addition to session setup. This
256 is primarily useful in server applications which need to access
257 a user's files but which do not open PAM sessions before doing
258 so. For correctly-written applications, this flag is not neces‐
259 sary.
260 token_strategy = rxk5,2b[,...]
263 controls how, and using which format, pam_krb5.so should attempt
264 to set AFS tokens for the user's session. By default, the mod‐
265 ule is configured with "token_strategy = 2b". Recognized strat‐
266 egy names include:
267 rxk5 rxk5 (requires OpenAFS 1.6 or later)
268 2b rxkad "2b" (requires OpenAFS 1.2.8 or later)
269 trace = true|false|service [...]
272 turns on libkrb5's library tracing. Trace messages are logged
273 to syslog(3) with priority LOG_DEBUG.
274 use_shmem = true|false|service [...]
277 tells pam_krb5.so to pass credentials from the authentication
278 service function to the session management service function
279 using shared memory for specific services. By default, the mod‐
280 ule is configured with "use_shmem = sshd".
281 validate = true|false|service [...]
284 specifies whether or not to attempt validation of the TGT using
285 the local keytab. The default is true. The libdefaults ver‐
286 ify_ap_req_nofail setting can affect whether or not errors read‐
287 ing the keytab which are encountered during validation will be
288 suppressed.
289 validate_user_user = true|false|service [...]
292 specifies whether or not, when attempting validation of the TGT,
293 to attempt user-to-user authentication using a previously-
294 obtainted TGT in the default ccache if validation can't be per‐
295 formed using a keytab. The default is false.
296
299 [appdefaults]
300 pam = {
301 validate = true
302 ccache_dir = /var/tmp
303 external = sshd
304 tokens = imap ftpd
305 TEST.EXAMPLE.COM = {
306 debug = true
307 afs_cells = testcell.example.com othercell.example.com
308 keytab = FILE:/etc/krb5.keytab httpd=FILE:/etc/httpd.keytab
309 }
310 }
311
314 /etc/krb5.conf
315
317 pam_krb5(8)
318
320 Probably, but let's hope not. If you find any, please file them in the
321 bug database at http://bugzilla.redhat.com/ against the "pam_krb5" com‐
322 ponent.
323
326 Nalin Dahyabhai <nalin@redhat.com>
327Red Hat Linux 2014/02/11 pam_krb5(5)