pam_krb5(5)              System Administrator's Manual             pam_krb5(5)


NAME

       pam_krb5 - Kerberos 5 authentication


DESCRIPTION

       pam_krb5.so reads its configuration information from the appdefaults
       section of krb5.conf(5).  You should read the krb5.conf(5) man page
       before continuing here.  The module expects its configuration
       information to be in the pam subsection of the appdefaults section.


DIRECTIVES

       Directives which take a true, false, or a PAM service name can also be
       selectively disabled for specific PAM services using the related "no_"
       option (exceptions to "debug = true" can be made using "no_debug", for
       example).

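As an added example (not part of this man page or of the pam_krb5 module), a small Python resolver that applies the true|false|service-list convention and the "no_" exception described above to constructed configuration values. The realm-subsection-first lookup order and the rule that a "no_" entry always wins are assumptions, not taken from the module's source.

```python
# Constructed [appdefaults] pam subsection, pre-parsed into nested dicts
# (a real deployment reads it from /etc/krb5.conf; no parser is shown here).
PAM_SECTION = {
    "debug": "false",
    "external": "sshd sshd-rekey",
    "validate": "true",
    "no_validate": "ftpd",        # validate everywhere except for ftpd
    "TEST.EXAMPLE.COM": {         # realm-specific overrides
        "debug": "true",
        "no_debug": "sshd",
    },
}

def _lookup(section, realm, name):
    """Realm subsection first, then the general pam subsection.

    Assumed order (the usual krb5 appdefaults precedence); not verified
    against the module's source.
    """
    realm_sub = section.get(realm, {}) if realm else {}
    if name in realm_sub:
        return realm_sub[name]
    return section.get(name)

def directive_enabled(section, name, service, realm=None, default=False):
    """Decide whether a true|false|service [...] directive applies to `service`.

    Semantics as described in the man page: "true"/"false" apply to every
    service, any other value is a whitespace-separated list of PAM service
    names, and a matching "no_<name>" list disables the directive for the
    services it names (assumed to take precedence over the directive itself).
    """
    disabled = _lookup(section, realm, "no_" + name) or ""
    if service in disabled.split():
        return False
    value = _lookup(section, realm, name)
    if value is None:
        return default
    if value.strip().lower() == "true":
        return True
    if value.strip().lower() == "false":
        return False
    return service in value.split()   # service names are compared as written

if __name__ == "__main__":
    for svc in ("login", "sshd", "ftpd"):
        print(svc, "debug:", directive_enabled(PAM_SECTION, "debug", svc, "TEST.EXAMPLE.COM"),
              "validate:", directive_enabled(PAM_SECTION, "validate", svc))
```
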
       debug = true|false|service [...]
              turns on debugging via syslog(3).  Debug messages are logged
              with priority LOG_DEBUG.

       debug_sensitive = true|false|service [...]
              turns on debugging of sensitive information via syslog(3).
              Debug messages are logged with priority LOG_DEBUG.

       addressless = true|false|service [...]
              if set, requests a TGT with no address information.  This can be
              necessary if you are using Kerberos through a NAT, or on systems
              whose IP addresses change regularly.  This directive is
              deprecated in favor of the libdefaults noaddresses directive.

       afs_cells = cell.example.com [...]
              tells pam_krb5.so to obtain tokens for the listed cells, in
              addition to the local cell and the cell which contains the
              user's home directory, for the user.  The module will guess the
              principal name of the AFS service for the listed cells, or it
              can be specified by listing cells in the form
              cellname=principalname.

       banner = Kerberos 5
              specifies what sort of password the module claims to be changing
              whenever it is called upon to change passwords.  The default is
              Kerberos 5.

       ccache_dir = /var/tmp
              specifies the directory in which to place credential cache
              files.  The default is /tmp.

       ccname_template = KEYRING:krb5cc_%U_%P

       ccname_template = FILE:%d/krb5cc_%U_XXXXXX
              specifies the location in which to place the user's
              session-specific credential cache.  This value is treated as a
              template, and these sequences are substituted:
                %u login name
                %U login UID
                %p principal name
                %r realm name
                %h home directory
                %d the default ccache directory (as set with ccache_dir)
                %P the current process ID
                %% literal '%'

              The default is FILE:%d/krb5cc_%U_XXXXXX.

       chpw_prompt = true|false|service [...]
              tells pam_krb5.so to allow expired passwords to be changed
              during authentication attempts.  While this is the traditional
              behavior exhibited by "kinit", it is inconsistent with the
              behavior expected by PAM, which expects authentication to
              (appear to) succeed, only to have password expiration be flagged
              by a subsequent call to the account management function.  Some
              applications which don't handle password expiration correctly
              will fail unconditionally if the user's password is expired, and
              this flag can be used to attempt to work around this bug in
              those applications.  The default is false.

       cred_session = true|false|service [...]
              specifies that pam_krb5 should create and destroy credential
              caches, as it does when the calling application opens and closes
              a PAM session, when the calling application establishes and
              deletes PAM credentials.  This is done to compensate for
              applications which expect to create a credential cache but which
              don't use PAM session management.  It is usually a harmless
              redundancy in applications which don't require it, so this
              option is enabled by default except for this list of services:
              "sshd".

       existing_ticket = true|false|service [...]
              tells pam_krb5.so to accept the presence of pre-existing
              Kerberos credentials provided by the calling application in the
              default credential cache as sufficient to authenticate the user,
              and to skip any account management checks.  The default is
              false.

              DANGER!  Unless validation is also in use, it is relatively easy
              to produce a credential cache which looks "good enough" to fool
              pam_krb5.so.

       external = true|false|sshd ftp [...]
              tells pam_krb5.so to use Kerberos credentials provided by the
              calling application during session setup.  This is most often
              useful for obtaining AFS tokens.  The default is "sshd
              sshd-rekey".

       forwardable = true|false|service [...]
              controls whether or not credentials are forwardable.  This
              directive is deprecated in favor of the libdefaults forwardable
              directive.

       hosts = hostname [...]
              specifies which other hosts credentials obtained by pam_krb5
              will be good on.  If your host is behind a firewall, you should
              add the IP address or name that the KDC sees it as to this list.
              This directive is deprecated in favor of the libdefaults
              extra_addresses directive.

       ignore_afs = true|false|service [...]
              tells pam_krb5.so to completely ignore the presence of AFS,
              preventing any attempts to obtain new tokens on behalf of the
              calling application.

       ignore_unknown_principals = true|false|service [...]

       ignore_unknown_spn = true|false|service [...]

       ignore_unknown_upn = true|false|service [...]
              specifies whether or not pam_krb5 should return a PAM_IGNORE
              code to libpam instead of PAM_USER_UNKNOWN for users for whom
              the determined principal name is expired or does not exist.

       initial_prompt = true|false|service [...]
              tells pam_krb5.so whether or not to ask for a password before
              attempting authentication.  If one is needed and pam_krb5.so has
              not prompted for it, the Kerberos library should trigger a
              request for a password.

       keytab = FILE:/etc/krb5.keytab

       keytab = FILE:/etc/krb5.keytab imap=FILE:/etc/imap.keytab
              specifies the name of a keytab file to search for a service key
              for use in validating TGTs.  The location can be specified on a
              per-service basis by specifying a list of locations in the form
              pam_service=location.  The default is FILE:/etc/krb5.keytab.

       mappings = regex1 regex2 [...]
              specifies that pam_krb5 should derive the user's principal name
              from the Unix user name by first checking if the user name
              matches regex1, and formulating a principal name using regex2.
              For example, "mappings = EXAMPLE\(.*) $1@EXAMPLE.COM" would map
              any user with a name of the form "EXAMPLE\whatever" to a
              principal name of "whatever@EXAMPLE.COM".  This is primarily
              targeted at allowing pam_krb5 to be used to authenticate users
              whose user information is provided by winbindd(8).  This will
              frequently require the reverse to be configured by setting up an
              auth_to_local rule elsewhere in krb5.conf(5).

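As an added example (not the module's own code), a Python rendering of the mappings rule described above: the user name is matched against regex1 and the principal is built from regex2, with $1-style group references. The full-string match, the doubled backslash needed by Python's regex engine for the man page's example pair, and the second constructed pair are assumptions; how pam_krb5 itself quotes the backslash in krb5.conf is not shown on this page.

```python
import re

def compile_mapping(regex1, regex2):
    """Turn one "regex1 regex2" mappings pair into (pattern, template).

    regex2 refers to captured groups as $1, $2, ... (as the man page shows);
    Python's re wants \\g<1>, \\g<2>, so the references are rewritten here.
    """
    pattern = re.compile(regex1)
    template = re.sub(r"\$(\d+)", r"\\g<\1>", regex2)
    return pattern, template

def map_user_to_principal(username, mappings):
    """Return the principal for `username` from the first matching pair.

    The whole user name must match regex1 (assumed; the page does not say
    whether a partial match is enough).  None means no mapping applied.
    """
    for regex1, regex2 in mappings:
        pattern, template = compile_mapping(regex1, regex2)
        m = pattern.fullmatch(username)
        if m:
            return m.expand(template)
    return None

# The man page's example pair, plus a second constructed pair.  The backslash
# in the user name is doubled so Python's regex engine treats it literally.
MAPPINGS = [
    (r"EXAMPLE\\(.*)", "$1@EXAMPLE.COM"),
    (r"([^@]+)@corp", "$1@CORP.EXAMPLE.COM"),
]

if __name__ == "__main__":
    for name in ("EXAMPLE\\whatever", "bob@corp", "alice"):
        print(name, "->", map_user_to_principal(name, MAPPINGS))
```
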
       minimum_uid = 0
              specifies the minimum UID of users being authenticated.  If a
              user with a UID less than this value attempts authentication,
              the request will be ignored.

       multiple_ccaches = true|false|service [...]
              specifies that pam_krb5 should maintain multiple credential
              caches for applications that both set credentials and open a PAM
              session, but which set the KRB5CCNAME variable after doing only
              one of the two.  This option is usually not necessary for most
              services.

       preauth_options =
              controls the preauthentication options which pam_krb5 passes to
              libkrb5, if the system defaults need to be overridden.  The list
              is treated as a template, and these sequences are substituted:
                %u login name
                %U login UID
                %p principal name
                %r realm name
                %h home directory
                %d the default ccache directory (as set with ccache_dir)
                %P the current process ID
                %% literal '%'

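As an added example (not code from pam_krb5), a Python expansion of the substitution sequences that ccname_template and preauth_options share, run over constructed sample values. The sample values and the choice to copy an unknown "%x" sequence through unchanged are assumptions.

```python
# Sample values, constructed for this example.
SAMPLE = dict(user="alice", uid=1000, principal="alice@EXAMPLE.COM",
              realm="EXAMPLE.COM", home="/home/alice", ccache_dir="/var/tmp",
              pid=4242)

def expand_template(template, *, user, uid, principal, realm, home,
                    ccache_dir, pid):
    """Expand the %-sequences of a ccname_template or preauth_options value.

    Only the sequences listed in the man page are substituted; "%%" gives a
    literal "%", any other "%x" is copied through unchanged, and so is the
    XXXXXX suffix of the default FILE: template (it is not a %-sequence).
    """
    subs = {
        "u": user, "U": str(uid), "p": principal, "r": realm,
        "h": home, "d": ccache_dir, "P": str(pid), "%": "%",
    }
    out = []
    i = 0
    while i < len(template):
        ch = template[i]
        nxt = template[i + 1] if i + 1 < len(template) else ""
        if ch == "%" and nxt in subs:
            out.append(subs[nxt])
            i += 2
        else:
            out.append(ch)
            i += 1
    return "".join(out)

def demo(template):
    """Expand `template` with the constructed SAMPLE values."""
    return expand_template(template, **SAMPLE)

if __name__ == "__main__":
    for t in ("KEYRING:krb5cc_%U_%P", "FILE:%d/krb5cc_%U_XXXXXX",
              "FILE:%h/.cc_%p"):
        print(t, "->", demo(t))
```
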
       proxiable = true|false|service [...]
              controls whether or not credentials are proxiable.  If not
              specified, they are.  This directive is deprecated in favor of
              the libdefaults proxiable directive.

       null_afs = true|false|service [...]
              tells pam_krb5.so, when it attempts to set tokens, to try to get
              credentials for services with names which resemble afs@REALM
              before attempting to get credentials for services with names
              resembling afs/cell@REALM.  The default is to assume that the
              cell's name is the instance in the AFS service's Kerberos
              principal name.

       pwhelp = filename
              specifies the name of a text file whose contents will be
              displayed to clients who attempt to change their passwords.
              There is no default.

       renew_lifetime = 36000
              default renewable lifetime, in seconds.  This specifies how much
              time you have after getting credentials to renew them.  This
              directive is deprecated in favor of the libdefaults
              renew_lifetime directive.

       subsequent_prompt = true|false|service [...]
              controls whether or not pam_krb5.so will allow the Kerberos
              library to ask the user for a password or other information, if
              the previously-entered password is somehow insufficient for
              authenticating the user.  This is commonly needed to allow a
              user to log in when that user's password has expired.  The
              default is true.

              If the calling application does not properly support PAM
              conversations (possibly due to limitations of a network protocol
              which it is serving), this may need to be disabled for that
              application to prevent it from supplying the user's current
              password in a password-changing situation when a new password
              is called for.

       ticket_lifetime = 36000
              default credential lifetime, in seconds.

       tokens = true|false|service [...]
              signals that pam_krb5.so should create an AFS PAG and obtain
              tokens during authentication in addition to session setup.  This
              is primarily useful in server applications which need to access
              a user's files but which do not open PAM sessions before doing
              so.  For correctly-written applications, this flag is not
              necessary.

       token_strategy = rxk5,2b[,...]
              controls how, and using which format, pam_krb5.so should attempt
              to set AFS tokens for the user's session.  By default, the
              module is configured with "token_strategy = v4,524,2b,rxk5".
              Recognized strategy names include:
               rxk5  rxk5 (requires OpenAFS 1.6 or later)
               2b    rxkad "2b" (requires OpenAFS 1.2.8 or later)

       use_shmem = true|false|service [...]
              tells pam_krb5.so to pass credentials from the authentication
              service function to the session management service function
              using shared memory for specific services.  By default, the
              module is configured with "use_shmem = sshd".

       validate = true|false|service [...]
              specifies whether or not to attempt validation of the TGT using
              the local keytab.  The default is true.  The libdefaults
              verify_ap_req_nofail setting can affect whether or not errors
              reading the keytab which are encountered during validation will
              be suppressed.


EXAMPLE

       [appdefaults]
         pam = {
           ticket_lifetime = 36000
           renew_lifetime = 36000
           forwardable = true
           validate = true
           ccache_dir = /var/tmp
           external = sshd
           tokens = imap ftpd
           TEST.EXAMPLE.COM = {
             debug = true
             afs_cells = testcell.example.com othercell.example.com
             keytab = FILE:/etc/krb5.keytab httpd=FILE:/etc/httpd.keytab
           }
         }


FILES

       /etc/krb5.conf


SEE ALSO

       pam_krb5(8)


BUGS

       Probably, but let's hope not.  If you find any, please file them in the
       bug database at http://bugzilla.redhat.com/ against the "pam_krb5"
       component.


AUTHOR

       Nalin Dahyabhai <nalin@redhat.com>



Red Hat Linux                     2009/12/11                       pam_krb5(5)