1pam_krb5(5) System Administrator's Manual pam_krb5(5)
2
3
4
6 pam_krb5 - Kerberos 5 authentication
7
8
10 pam_krb5.so reads its configuration information from the appdefaults
11 section of krb5.conf(5). You should read the krb5.conf(5) man page
12 before continuing here. The module expects its configuration informa‐
13 tion to be in the pam subsection of the appdefaults section.
14
15
17 debug=[true|false]
18 turns on debugging via syslog(3). Debug messages are logged
19 with priority LOG_DEBUG.
20
21
22 debug_sensitive=[true|false]
23 turns on debugging of sensitive information via syslog(3).
24 Debug messages are logged with priority LOG_DEBUG.
25
26
27 addressless=[true|false]
28 if set, requests a TGT with no address information. This can be
29 necessary if you are using Kerberos through a NAT, or on systems
30 whose IP addresses change regularly. This directive is depre‐
31 cated in favor of the libdefaults noaddresses directive.
32
33
34 afs_cells=cell1.example.com cell2.example.com
35 tells pam_krb5.so to obtain tokens for cell1.example.com and
36 cell2.example.com, in addition to the local cell and the cell
37 which contains the user's home directory, for the user. The
38 module will guess the principal name of the AFS service for the
39 listed cells, or it can be specified by listing cells in the
40 form cellname=principalname.
41
42
43 banner=Kerberos 5
44 specifies what sort of password the module claims to be changing
45 whenever it is called upon to change passwords. The default is
46 Kerberos 5.
47
48
49 ccache_dir=/tmp
50 specifies the directory in which to place credential cache
51 files.
52
53
54 existing_ticket=true
55 tells pam_krb5.so to accept the presence of pre-existing Ker‐
56 beros credentials provided by the calling application in the
57 default credential cache as sufficient to authenticate the user,
58 and to skip any account management checks.
59
60 DANGER! Unless validation is also in use (see the validate and
61 keytab directives), it is relatively easy to produce a credential
62 cache which looks "good enough" to fool pam_krb5.so.
63
64
65 external=true
66
67 external=sshd ftp
68 tells pam_krb5.so to use Kerberos credentials provided by the
69 calling application during session setup. This is most often
70 useful for obtaining AFS tokens or a krb4 ticket.
71
72
73 forwardable=[true|false]
74 controls whether or not credentials are forwardable. This
75 directive is deprecated in favor of the libdefaults forwardable
76 directive.
77
78
79 hosts=hostnames
80 specifies which other hosts credentials obtained by pam_krb5
81 will be good on. If your host is behind a firewall, you should
82 add the IP address or name that the KDC sees it as to this list.
83 This directive is deprecated in favor of the libdefaults
84 extra_addresses directive.
85
86
87 ignore_afs=[true|false]
88 tells pam_krb5.so to completely ignore the presence of AFS, pre‐
89 venting any attempts to obtain new tokens on behalf of the call‐
90 ing application.
91
92
93 ignore_unknown_principals=[true|false]
94
95 ignore_unknown_spn=[true|false]
96
97 ignore_unknown_upn=[true|false]
98 specifies whether or not pam_krb5 should return a PAM_IGNORE
99 code to libpam instead of PAM_USER_UNKNOWN for users for whom
100 the determined principal name is expired or does not exist.
101
102
103 initial_prompt=[true|false]
104 tells pam_krb5.so whether or not to ask for a password before
105 attempting authentication. If one is needed and pam_krb5.so has
106 not prompted for it, the Kerberos library should trigger a
107 request for a password.
108
109
110 keytab=FILE:/etc/krb5.keytab
111 specifies the name of a keytab file to search for a service key
112 for use in validating TGTs.
113
114
115 krb4_convert=[true|false]
116 controls whether or not pam_krb5 tries to get Kerberos IV cre‐
117 dentials from the KDC (or using the krb524d service on the KDC)
118 and create ticket files with them. Unless you've converted
119 everything on your network over to use Kerberos 5, you'll want
120 to leave this set to true. Note that this may require valid
121 Kerberos IV configuration data to be present in /etc/krb.conf
122 and /etc/krb.realms. This option is poorly named. This option
123 is forced to true if AFS is detected.
124
125
126 krb4_convert_524=[true|false]
127 controls whether or not pam_krb5 tries to get Kerberos IV cre‐
128 dentials using the krb524d service. This option modifies the
129 krb4_convert option. If disabled, pam_krb5 will only attempt to
130 obtain Kerberos IV credentials using the KDC (unless the
131 krb4_use_as_req option is also disabled).
132
133
134 krb4_use_as_req=[true|false]
135 controls whether or not pam_krb5 tries to get Kerberos IV cre‐
136 dentials using the KDC. This option modifies the krb4_convert
137 option. If disabled, pam_krb5 will only attempt to obtain Ker‐
138 beros IV credentials using the krb524d service (unless the
139 krb4_convert_524 option is also disabled).
140
141
142 mappings=[regex1 regex2]
143 specifies that pam_krb5 should derive the user's principal name
144 from the Unix user name by first checking if the user name
145 matches regex1, and formulating a principal name using regex2.
146 For example, "mappings = EXAMPLE\(.*) $1@EXAMPLE.COM" would map
147 any user with a name of the form "EXAMPLE\whatever" to a princi‐
148 pal name of "whatever@EXAMPLE.COM". This is primarily targeted
149 at allowing pam_krb5 to be used to authenticate users whose user
150 information is provided by winbindd(8). This will frequently
151 require the reverse to be configured by setting up an
152 auth_to_local rule elsewhere in krb5.conf(5).
153
154
155 minimum_uid=0
156 specifies the minimum UID of users being authenticated. If a
157 user with a UID less than this value attempts authentication,
158 the request will be ignored.
159
160
161 proxiable=[true|false]
162 controls whether or not credentials are proxiable. If not spec‐
163 ified, they are. This directive is deprecated in favor of the
164 libdefaults proxiable directive.
165
166
167 renew_lifetime=36000
168 default renewable lifetime. This specifies how much time you
169 have after getting credentials to renew them. This directive is
170 deprecated in favor of the libdefaults renew_lifetime directive.
171
172
173 subsequent_prompt=[true|false]
174 controls whether or not pam_krb5.so will allow the Kerberos
175 library to ask the user for a password or other information, if
176 the previously-entered password is somehow insufficient for
177 authenticating the user.
178
179
180 ticket_lifetime=36000
181 default credential lifetime.
182
183
184 tokens=[true|false]
185
186 tokens=imap ftp
187 signals that pam_krb5.so should create an AFS PAG and obtain
188 tokens during authentication in addition to session setup. This
189 is primarily useful in server applications which need to access
190 a user's files but which do not open PAM sessions before doing
191 so.
192
193
194 use_shmem=true
195
196 use_shmem=sshd ftp
197 tells pam_krb5.so to pass credentials from the authentication
198 service function to the session management service function
199 using shared memory for specific services.
200
201
202 validate=[true|false]
203
204 validate=login sshd
205 specifies whether or not to attempt validation of the TGT using
206 a service key from the keytab (see keytab). The default is false.
207
208
# pam_krb5.so reads its settings from the "pam" subsection of appdefaults.
210 [appdefaults]
211 pam = {
# default credential lifetime and renewable lifetime (see ticket_lifetime
# and renew_lifetime above)
212 ticket_lifetime = 36000
213 renew_lifetime = 36000
214 forwardable = true
215 krb4_convert = true
# TGT validation needs a service key from the keytab (see keytab);
# see the DANGER note under existing_ticket for why this matters
216 validate = true
# directory in which credential cache files are placed
217 ccache_dir = /var/tmp
# per-service forms: external applies to sshd only, tokens to imap and ftpd
218 external = sshd
219 tokens = imap ftpd
# realm-specific settings for TEST.EXAMPLE.COM (see krb5.conf(5) appdefaults)
220 TEST.EXAMPLE.COM = {
221 debug = true
222 afs_cells = testcell.example.com othercell.example.com
223 }
224 }
225
226
228 /etc/krb5.conf
229
231 pam_krb5(8)
232
234 Probably, but let's hope not. If you find any, please file them in the
235 bug database at http://bugzilla.redhat.com/ against the "pam_krb5" com‐
236 ponent.
237
238
240 Nalin Dahyabhai <nalin@redhat.com>
241
242
243
244Red Hat Linux 2006/02/06 pam_krb5(5)