pam_krb5(5)              System Administrator's Manual             pam_krb5(5)


NAME

       pam_krb5 - Kerberos 5 authentication



DESCRIPTION

       pam_krb5.so reads its configuration information from the appdefaults
       section of krb5.conf(5).  You should read the krb5.conf(5) man page
       before continuing here.  The module expects its configuration
       information to be in the pam subsection of the appdefaults section.



DIRECTIVES

       Directives which take a true, false, or a PAM service name can also be
       selectively disabled for specific PAM services using the related "no_"
       option (exceptions to "debug = true" can be made using "no_debug", for
       example).
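       The following Python is an added example, not code from pam_krb5 or
       from this manual page.  It shows how a true|false|service-list
       directive and its "no_" counterpart combine for one PAM service, on a
       constructed appdefaults block.  It assumes that "true" and "false"
       are matched case-insensitively and that a "no_" entry can only switch
       a directive off, never on.

```python
# Added example, not pam_krb5 code: how a true|false|service directive and
# its "no_" counterpart combine for one PAM service.  Assumptions: "true" and
# "false" are matched case-insensitively, and a "no_" entry can only switch a
# directive off, never on.

def parse_directive(value):
    """Return True, False, or a set of PAM service names for a directive
    value such as "true", "false" or "sshd login".  None stays None."""
    if value is None:
        return None
    words = value.split()
    if len(words) == 1 and words[0].lower() == "true":
        return True
    if len(words) == 1 and words[0].lower() == "false":
        return False
    return set(words)          # the directive applies only to these services


def directive_enabled(value, no_value, service, default=False):
    """Decide whether a directive is in effect for `service`.

    value:    the directive's configured value, or None when absent (then
              `default`, the module's documented default, is used)
    no_value: the value of the matching "no_" directive, or None
    """
    enabled = parse_directive(value)
    if enabled is None:
        enabled = default
    if isinstance(enabled, set):
        enabled = service in enabled
    # "no_xxx = true" disables everywhere; "no_xxx = sshd ..." disables only
    # for the listed services; "no_xxx = false" changes nothing.
    disabled = parse_directive(no_value)
    if disabled is True or (isinstance(disabled, set) and service in disabled):
        return False
    return bool(enabled)


# Constructed sample standing in for an [appdefaults] pam = { ... } block.
APPDEFAULTS_PAM = {
    "debug": "true",
    "no_debug": "sshd",          # debug everywhere except for sshd
    "tokens": "imap ftpd",       # service-list form
    "cred_session": "true",
    "no_cred_session": "sshd",   # mirrors the documented default
}

# Documented defaults for the directives used below (others default to off).
DOC_DEFAULTS = {"validate": True, "cred_session": True}


def option_for(config, name, service, default=False):
    """Look up directive `name` and its "no_" exception in `config`."""
    return directive_enabled(config.get(name), config.get("no_" + name),
                             service, default)


if __name__ == "__main__":
    for name, service in (("debug", "login"), ("debug", "sshd"),
                          ("tokens", "imap"), ("tokens", "sshd"),
                          ("cred_session", "sshd"), ("validate", "sshd")):
        print(f"{name:13s} {service:6s} -> "
              f"{option_for(APPDEFAULTS_PAM, name, service, DOC_DEFAULTS.get(name, False))}")
```

       A directive that is absent from the configuration falls back to its
       documented default, which is why "validate" evaluates to true for
       every service in the sample even though it is never mentioned.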


       debug = true|false|service [...]
              turns on debugging via syslog(3).  Debug messages are logged
              with priority LOG_DEBUG.


       debug_sensitive = true|false|service [...]
              turns on debugging of sensitive information via syslog(3).
              Debug messages are logged with priority LOG_DEBUG.  Because
              this can write the credentials the module is handling into the
              system log, leave it disabled except while diagnosing a
              problem.


       afs_cells = cell.example.com [...]
              tells pam_krb5.so to obtain tokens for the listed cells, in
              addition to the local cell and the cell which contains the
              user's home directory, for the user.  The module will guess the
              principal name of the AFS service for the listed cells, or it
              can be specified by listing cells in the form
              cellname=principalname.


       always_allow_localname = true|false|service [...]
              tells pam_krb5.so, when performing an authorization check using
              the target user's .k5login file, to always allow access when the
              principal name being authenticated maps to the local user's name
              (as configured using the auth_to_local_names and auth_to_local
              settings in krb5.conf(5), if your implementation provides those
              settings).  Otherwise, if the file exists and can be read, but
              the principal is not explicitly listed, access is typically
              denied.  This setting is disabled by default.
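       The following Python is an added example, not code from pam_krb5 or
       libkrb5, of the authorization decision described above on constructed
       inputs, including the always_allow_localname and ignore_k5login
       switches.  Its principal-to-user mapping is a deliberate
       simplification (an explicit auth_to_local_names entry wins; otherwise
       a one-component principal in the default realm maps to that name);
       real deployments get this from the auth_to_local rules in
       krb5.conf(5).  MIT libkrb5 additionally rejects a .k5login that is not
       owned by the user or root; the example takes the file's content as
       given and does not model that check.

```python
# Added example, not pam_krb5 or libkrb5 code: the authorization decision the
# .k5login directives describe, on constructed inputs.  The principal-to-user
# mapping below is a simplification (explicit auth_to_local_names entries,
# else a one-component principal in the default realm maps to that name);
# real deployments get this from krb5.conf's auth_to_local rules.

def principal_to_local(principal, default_realm, auth_to_local_names=None):
    """Map a principal to a local user name, or None if it does not map."""
    auth_to_local_names = auth_to_local_names or {}
    if principal in auth_to_local_names:
        return auth_to_local_names[principal]
    name, sep, realm = principal.partition("@")
    if sep and realm == default_realm and "/" not in name:
        return name
    return None


def k5login_authorizes(principal, user, k5login_text, *, default_realm,
                       always_allow_localname=False, ignore_k5login=False,
                       auth_to_local_names=None):
    """Return True if `principal` may log in to the account `user`.

    k5login_text is the content of ~user/.k5login (one principal per line),
    or None when the file does not exist.
    """
    maps_to_user = principal_to_local(principal, default_realm,
                                      auth_to_local_names) == user
    if ignore_k5login or k5login_text is None:
        # No .k5login consulted: only the name mapping can grant access.
        return maps_to_user
    listed = {line.strip() for line in k5login_text.splitlines()
              if line.strip()}
    if principal in listed:
        return True
    # The file exists and is readable but does not list the principal.
    # That is a denial unless always_allow_localname rescues a principal
    # that maps to this very user (e.g. a .k5login that lists only
    # delegates and forgot the account owner).
    return always_allow_localname and maps_to_user


# Constructed sample: alice's .k5login grants bob and her own admin instance,
# but (as often happens) does not list alice@EXAMPLE.COM herself.
ALICE_K5LOGIN = "bob@EXAMPLE.COM\nalice/admin@EXAMPLE.COM\n"
REALM = "EXAMPLE.COM"


if __name__ == "__main__":
    for who, flag in (("alice@EXAMPLE.COM", False), ("alice@EXAMPLE.COM", True),
                      ("bob@EXAMPLE.COM", False), ("mallory@EXAMPLE.COM", True)):
        ok = k5login_authorizes(who, "alice", ALICE_K5LOGIN, default_realm=REALM,
                                always_allow_localname=flag)
        print(f"{who:22s} always_allow_localname={flag!s:5s} -> {ok}")
```

       Note the asymmetry the example makes visible: once a .k5login exists
       it is the only source of authority unless always_allow_localname is
       set, so an account owner who creates the file to delegate access must
       also list their own principal.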


       armor = true|false|service [...]
              attempt to use armoring when communicating with the KDC.  This
              option is currently mainly only useful for testing, as the
              keytab method should not be expected to work when the module is
              called from an unprivileged process, and the pkinit method
              requires that the KDC is properly configured to offer anonymous
              PKINIT, and that the client is also properly configured to trust
              the KDC's CA.  The default is false.


       armor_strategy = keytab,pkinit
              controls how the module will attempt to obtain tickets for use
              as armor.  The value should be a comma-separated list of
              methods.  Supported methods include keytab and pkinit.  The
              default is keytab,pkinit.


       banner = Kerberos 5
              specifies what sort of password the module claims to be changing
              whenever it is called upon to change passwords.  The default is
              Kerberos 5.


       ccache_dir = /var/tmp
              specifies the directory in which to place credential cache
              files.  The default is /tmp.


       ccname_template = KEYRING:krb5cc_%U_%P

       ccname_template = FILE:%d/krb5cc_%U_XXXXXX
              specifies the location in which to place the user's
              session-specific credential cache.  This value is treated as a
              template, and these sequences are substituted:
                %u login name
                %U login UID
                %p principal name
                %r principal's realm name
                %h home directory
                %d the default ccache directory (as set with ccache_dir)
                %P the current process ID
                %% literal '%'

              If the resulting template does not end with "XXXXXX", a suffix
              will be added to the configured value.  If not set, the module
              attempts to read the default used by libkrb5 from krb5.conf(5),
              and if one is not found, the default is
              DIR:/run/user/%U/krb5cc_XXXXXX.


       chpw_prompt = true|false|service [...]
              tells pam_krb5.so to allow expired passwords to be changed
              during authentication attempts.  While this is the traditional
              behavior exhibited by "kinit", it is inconsistent with the
              behavior expected by PAM, which expects authentication to
              (appear to) succeed, only to have password expiration be flagged
              by a subsequent call to the account management function.  Some
              applications which don't handle password expiration correctly
              will fail unconditionally if the user's password is expired, and
              this flag can be used to attempt to work around this bug in
              those applications.  The default is false.


       cred_session = true|false|service [...]
              specifies that pam_krb5 should create and destroy credential
              caches, as it does when the calling application opens and closes
              a PAM session, when the calling application establishes and
              deletes PAM credentials.  This is done to compensate for
              applications which expect to create a credential cache but which
              don't use PAM session management.  It is usually a harmless
              redundancy in applications which don't require it, so this
              option is enabled by default except for this list of services:
              "sshd".


       external = true|false|sshd ftp [...]
              tells pam_krb5.so to use Kerberos credentials provided by the
              calling application during session setup.  This is most often
              useful for obtaining AFS tokens.  The default is "sshd
              sshd-rekey gssftp".


       ignore_afs = true|false|service [...]
              tells pam_krb5.so to completely ignore the presence of AFS,
              preventing any attempts to obtain new tokens on behalf of the
              calling application.


       ignore_k5login = true|false|service [...]
              specifies whether or not pam_krb5 should skip checking the
              user's .k5login file to verify that the principal name of the
              client being authenticated is authorized to access the user
              account.  (Actually, the check is performed by a function
              offered by the Kerberos library, which controls which files it
              will consult.)  The default is false, which causes pam_krb5 to
              perform the check.


       ignore_unknown_principals = true|false|service [...]

       ignore_unknown_spn = true|false|service [...]

       ignore_unknown_upn = true|false|service [...]
              specifies whether or not pam_krb5 should return a PAM_IGNORE
              code to libpam instead of PAM_USER_UNKNOWN for users for whom
              the determined principal name is expired or does not exist.


       initial_prompt = true|false|service [...]
              tells pam_krb5.so whether or not to ask for a password before
              attempting authentication.  If one is needed and pam_krb5.so has
              not prompted for it, the Kerberos library should trigger a
              request for a password.


       keytab = FILE:/etc/krb5.keytab

       keytab = FILE:/etc/krb5.keytab imap=FILE:/etc/imap.keytab
              specifies the name of a keytab file to search for a service key
              for use in validating TGTs.  The location can be specified on a
              per-service basis by specifying a list of locations in the form
              pam_service=location.  The default is FILE:/etc/krb5.keytab.


       mappings = regex1 regex2 [...]
              specifies that pam_krb5 should derive the user's principal name
              from the Unix user name by first checking if the user name
              matches regex1, and formulating a principal name using regex2.
              For example, "mappings = ^EXAMPLE\\(.*)$ $1@EXAMPLE.COM" would
              map any user with a name of the form "EXAMPLE\whatever" to a
              principal name of "whatever@EXAMPLE.COM".  This is primarily
              targeted at allowing pam_krb5 to be used to authenticate users
              whose user information is provided by winbindd(8).  This will
              frequently require the reverse to be configured by setting up an
              auth_to_local rule elsewhere in krb5.conf(5).
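       The following Python is an added example, not code from pam_krb5, of
       the mappings rule as described above, applied to constructed user
       names.  It assumes that the directive's value is whitespace-separated
       regex/template pairs, that the first matching pair wins, that "$N" in
       a template stands for the Nth capture group, and that a user name no
       pair matches becomes user@default_realm.

```python
import re

# Added example, not pam_krb5 code: the "mappings" directive as the text
# describes it, applied to constructed user names.  Assumptions: tokens are
# whitespace-separated regex/template pairs, the first matching pair wins,
# "$N" in the template is the Nth capture group, and an unmatched user name
# becomes user@default_realm.

def parse_mappings(value):
    """Turn "regex1 template1 regex2 template2 ..." into compiled pairs."""
    tokens = value.split()
    if len(tokens) % 2:
        raise ValueError("mappings needs regex/template pairs")
    return [(re.compile(tokens[i]), tokens[i + 1])
            for i in range(0, len(tokens), 2)]


def map_user_to_principal(user, mappings, default_realm):
    """Derive the Kerberos principal for a Unix user name."""
    for pattern, template in mappings:
        match = pattern.search(user)
        if match:
            # A callable replacement is used literally, so group text is
            # never re-interpreted as a regex escape.
            return re.sub(r"\$(\d+)",
                          lambda ref: match.group(int(ref.group(1))),
                          template)
    return f"{user}@{default_realm}"


# Constructed sample: the man page's winbindd-style rule plus a second one.
# Keep each regex anchored with ^ and $; an unanchored "EXAMPLE\\(.*)" would
# also fire on a local account named e.g. "notEXAMPLE\\x".
MAPPINGS = parse_mappings(
    r"^EXAMPLE\\(.*)$ $1@EXAMPLE.COM "
    r"^corp-([a-z0-9]+)$ $1@CORP.EXAMPLE.COM"
)


if __name__ == "__main__":
    for user in ("EXAMPLE\\whatever", "corp-jdoe", "alice", "corp-J.Doe"):
        print(f"{user:18s} -> {map_user_to_principal(user, MAPPINGS, 'EXAMPLE.COM')}")
```

       The reverse direction (principal back to local account) is what the
       auth_to_local rule in krb5.conf(5) provides; without it the .k5login
       and localname checks will not recognise "whatever@EXAMPLE.COM" as the
       owner of the "EXAMPLE\whatever" account.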


       minimum_uid = 0
              specifies the minimum UID of users being authenticated.  If a
              user with a UID less than this value attempts authentication,
              the request will be ignored.  Setting this above the range of
              system accounts keeps local accounts such as root from being
              authenticated against the KDC.


       multiple_ccaches = true|false|service [...]
              specifies that pam_krb5 should maintain multiple credential
              caches for applications that both set credentials and open a PAM
              session, but which set the KRB5CCNAME variable after doing only
              one of the two.  This option is usually not necessary for most
              services.


       preauth_options =
              controls the preauthentication options which pam_krb5 passes to
              libkrb5, if the system defaults need to be overridden.  The list
              is treated as a template, and these sequences are substituted:

                %u login name
                %U login UID
                %p principal name
                %r principal's realm name
                %h home directory
                %d the default ccache directory (as set with ccache_dir)
                %P the current process ID
                %% literal '%'

              A list of recognized values should be listed in the kinit(1)
              manual page as parameters for its -X option.
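       The following Python is an added example, not code from pam_krb5, and
       serves both the ccname_template and the preauth_options directives:
       it expands the %-sequences the two share, applies the "XXXXXX" suffix
       rule for cache names, and turns a FILE: cache name into an actual file
       the way mkstemp(3) does, created exclusively with mode 0600.  It
       assumes that the suffix appended to a template lacking XXXXXX is
       "_XXXXXX" (the manual page does not say which suffix the module uses)
       and that an unknown %-sequence is an error rather than passed through;
       the sample values are constructed.

```python
import os
import tempfile

# Added example, not pam_krb5 code: expansion of the %-sequences shared by
# ccname_template and preauth_options, the "XXXXXX" suffix rule for cache
# names, and a safe way to turn a FILE: name into an actual 0600 file.
# Assumptions: the suffix appended when a template lacks XXXXXX is "_XXXXXX"
# (the man page does not say which suffix the module uses), and an unknown
# %-sequence is an error rather than passed through.

SEQUENCES = "uUprhdP"   # the letters the man page lists; %% yields '%'


def expand_template(template, subs):
    """Substitute %u %U %p %r %h %d %P and %% in `template`; `subs` maps
    each letter to its value (ints are fine for %U and %P)."""
    out, i = [], 0
    while i < len(template):
        ch = template[i]
        if ch == "%" and i + 1 < len(template):
            key = template[i + 1]
            if key == "%":
                out.append("%")
            elif key in SEQUENCES and key in subs:
                out.append(str(subs[key]))
            else:
                raise ValueError(f"unknown template sequence %{key}")
            i += 2
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def ccname_from_template(template, subs):
    """Expand a ccname_template and make sure it ends in XXXXXX so that the
    final name is unique per session."""
    name = expand_template(template, subs)
    if not name.endswith("XXXXXX"):
        name += "_XXXXXX"
    return name


def create_file_ccache(ccname):
    """Materialise a FILE: cache name: mkstemp(3) replaces the trailing
    XXXXXX, creating the file exclusively (O_EXCL) with mode 0600 so another
    local user cannot pre-create, symlink or read it.  Returns the name."""
    if not ccname.startswith("FILE:") or not ccname.endswith("XXXXXX"):
        raise ValueError("expected FILE:<path>XXXXXX")
    directory, base = os.path.split(ccname[len("FILE:"):])
    fd, final = tempfile.mkstemp(prefix=base[:-len("XXXXXX")], dir=directory)
    os.close(fd)
    return "FILE:" + final


# Constructed sample values for one login session.
SAMPLE_SUBS = {"u": "alice", "U": 1000, "p": "alice@EXAMPLE.COM",
               "r": "EXAMPLE.COM", "h": "/home/alice", "d": "/tmp", "P": 4242}


def demo_create_in_tmpdir(template, subs):
    """Create a cache from `template` in a fresh temporary directory and
    return (final ccache name, permission bits of the file)."""
    subs = dict(subs, d=tempfile.mkdtemp())
    final = create_file_ccache(ccname_from_template(template, subs))
    mode = os.stat(final[len("FILE:"):]).st_mode & 0o777
    return final, mode


if __name__ == "__main__":
    print(ccname_from_template("KEYRING:krb5cc_%U_%P", SAMPLE_SUBS))
    print(expand_template("X509_user_identity=FILE:%h/.pkinit/%u.pem",
                          SAMPLE_SUBS))
    print(demo_create_in_tmpdir("FILE:%d/krb5cc_%U_XXXXXX", SAMPLE_SUBS))
```

       The X509_user_identity line shows the preauth_options use of the same
       template: the kinit(1) -X option name is taken from that manual page,
       while the path under the home directory is a constructed value.  Note
       that mkstemp(3) replaces the XXXXXX placeholder with its own random
       characters; the only guarantee the caller should rely on is the
       0600 mode and the exclusive creation.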


       null_afs = true|false|service [...]
              tells pam_krb5.so, when it attempts to set tokens, to try to get
              credentials for services with names which resemble afs@REALM
              before attempting to get credentials for services with names
              resembling afs/cell@REALM.  The default is to assume that the
              cell's name is the instance in the AFS service's Kerberos
              principal name.


       pwhelp = filename
              specifies the name of a text file whose contents will be
              displayed to clients who attempt to change their passwords.
              There is no default.


       subsequent_prompt = true|false|service [...]
              controls whether or not pam_krb5.so will allow the Kerberos
              library to ask the user for a password or other information, if
              the previously-entered password is somehow insufficient for
              authenticating the user.  This is commonly needed to allow a
              user to log in when that user's password has expired.  The
              default is false during password changes, and true otherwise.

              If the calling application does not properly support PAM
              conversations (possibly due to limitations of a network protocol
              which it is serving), this may need to be disabled for that
              application to prevent it from supplying the user's current
              password in a password-changing situation when a new password is
              called for.


       tokens = true|false|service [...]
              signals that pam_krb5.so should create an AFS PAG and obtain
              tokens during authentication in addition to session setup.  This
              is primarily useful in server applications which need to access
              a user's files but which do not open PAM sessions before doing
              so.  For correctly-written applications, this flag is not
              necessary.


       token_strategy = rxk5,2b[,...]
              controls how, and using which format, pam_krb5.so should attempt
              to set AFS tokens for the user's session.  By default, the
              module is configured with "token_strategy = 2b".  Recognized
              strategy names include:
               rxk5  rxk5 (requires OpenAFS 1.6 or later)
               2b    rxkad "2b" (requires OpenAFS 1.2.8 or later)


       trace = true|false|service [...]
              turns on libkrb5's library tracing.  Trace messages are logged
              to syslog(3) with priority LOG_DEBUG.


       use_shmem = true|false|service [...]
              tells pam_krb5.so to pass credentials from the authentication
              service function to the session management service function
              using shared memory for specific services.  By default, the
              module is configured with "use_shmem = sshd".


       validate = true|false|service [...]
              specifies whether or not to attempt validation of the TGT using
              the local keytab.  The default is true.  Validation is what
              protects the host against a spoofed KDC: without it, an
              attacker who can answer the host's KDC requests can type a
              password of their own choosing, reply with a TGT encrypted under
              that password, and be accepted as any user.  Leave it enabled
              and make sure the keytab is present and readable by the module.
              The libdefaults verify_ap_req_nofail setting can affect whether
              or not errors reading the keytab which are encountered during
              validation will be suppressed; set it to true so that an
              unreadable keytab becomes a failure rather than a silently
              skipped check.


       validate_user_user = true|false|service [...]
              specifies whether or not, when attempting validation of the TGT,
              to attempt user-to-user authentication using a previously
              obtained TGT in the default ccache if validation can't be
              performed using a keytab.  The default is false.



EXAMPLE

       [appdefaults]
         pam = {
           validate = true
           ccache_dir = /var/tmp
           external = sshd
           tokens = imap ftpd
           TEST.EXAMPLE.COM = {
             debug = true
             afs_cells = testcell.example.com othercell.example.com
             keytab = FILE:/etc/krb5.keytab httpd=FILE:/etc/httpd.keytab
           }
         }



FILES

       /etc/krb5.conf


SEE ALSO

       pam_krb5(8)


BUGS

       Probably, but let's hope not.  If you find any, please file them in the
       bug database at http://bugzilla.redhat.com/ against the "pam_krb5"
       component.



AUTHOR

       Nalin Dahyabhai <nalin@redhat.com>



Red Hat Linux                     2014/02/11                       pam_krb5(5)