pam_krb5(8)            System Administrator's Manual            pam_krb5(8)

NAME
       pam_krb5 - Kerberos 5 authentication

SYNOPSIS
       auth     required   /$LIB/security/pam_krb5.so
       session  optional   /$LIB/security/pam_krb5.so
       account  sufficient /$LIB/security/pam_krb5.so
       password sufficient /$LIB/security/pam_krb5.so

DESCRIPTION
       The pam_krb5.so module is designed to allow smooth integration of
       Kerberos 5 password-checking for applications which use PAM. It
       creates session-specific credential cache files. If the system is an
       AFS client, it will also attempt to obtain tokens for the local cell,
       the cell which contains the user's home directory, and any
       explicitly-configured cells.

       When a user logs in, the module's authentication function performs a
       simple password check and, if possible, obtains Kerberos 5
       credentials, caching them for later use. When the application
       requests initialization of credentials (or opens a session), the
       usual ticket files are created. When the application subsequently
       requests deletion of credentials or closing of the session, the
       module deletes the ticket files. When the application requests
       account management, if the module did not participate in
       authenticating the user, it will signal libpam to ignore the module.
       If the module did participate in authenticating the user, it will
       check for an expired user password and verify the user's
       authorization using the .k5login file of the user being
       authenticated, which is expected to be accessible to the module.

ARGUMENTS
       debug  turns on debugging via syslog(3). Debugging messages are
              logged with priority LOG_DEBUG.

       debug_sensitive
              turns on debugging of sensitive information via syslog(3).
              Debug messages are logged with priority LOG_DEBUG.


       addressless
              tells pam_krb5.so to obtain credentials without address
              lists. This may be necessary if your network uses NAT, and
              should otherwise not be used. This option is deprecated in
              favor of the noaddresses flag in the libdefaults section of
              krb5.conf(5).

       afs_cells=cell.example.com[,...]
              tells pam_krb5.so to obtain tokens for the named cells, in
              addition to the local cell, for the user. The module will
              guess the principal name of the AFS service for the named
              cells, or it can be specified by giving cell in the form
              cellname=principalname.

       banner=Kerberos 5
              tells pam_krb5.so how to identify itself when users attempt
              to change their passwords. The default setting is
              "Kerberos 5".

       ccache_dir=/tmp
              tells pam_krb5.so which directory to use for storing
              credential caches. The default setting is /tmp.


       ccname_template=FILE:%d/krb5cc_%U_XXXXXX
              specifies the location in which to place the user's
              session-specific credential cache. This value is treated as
              a template, and these sequences are substituted:
                %u   login name
                %U   login UID
                %p   principal name
                %r   realm name
                %h   home directory
                %d   the default ccache directory (as set with ccache_dir)
                %P   the current process ID
                %%   literal '%'
              The default setting is "FILE:%d/krb5cc_%U_XXXXXX".

       chpw_prompt
              tells pam_krb5.so to allow expired passwords to be changed
              during authentication attempts. While this is the
              traditional behavior exhibited by "kinit", it is inconsistent
              with the behavior expected by PAM, which expects
              authentication to (appear to) succeed, only to have password
              expiration be flagged by a subsequent call to the account
              management function. Some applications which don't handle
              password expiration correctly will fail unconditionally if
              the user's password is expired, and this flag can be used to
              attempt to work around this bug in those applications. The
              default is false.

       cred_session
              specifies that pam_krb5 should create and destroy credential
              caches, as it does when the calling application opens and
              closes a PAM session, when the calling application
              establishes and deletes PAM credentials. This is done to
              compensate for applications which expect to create a
              credential cache but which don't use PAM session management.
              It is usually a harmless redundancy in applications which
              don't require it, so this option is enabled by default,
              except for services in this list: "sshd".

       existing_ticket
              tells pam_krb5.so to accept the presence of pre-existing
              Kerberos credentials provided by the calling application in
              the default credential cache as sufficient to authenticate
              the user, and to skip any account management checks.

              DANGER! Unless validation is also in use, it is relatively
              easy to produce a credential cache which looks "good enough"
              to fool pam_krb5.so.

       external

       external=sshd
              tells pam_krb5.so to use Kerberos credentials provided by the
              calling application during session setup. This is most often
              useful for obtaining AFS tokens.

       forwardable
              tells pam_krb5.so that credentials it obtains should be
              forwardable. This option is deprecated in favor of the
              forwardable option in the libdefaults section of
              krb5.conf(5).

       hosts=host[,...]
              tells pam_krb5.so to obtain credentials using the addresses
              of the given hosts in addition to the addresses of interfaces
              on the local workstation. For example, if your workstation
              is behind a masquerading firewall, specifying the firewall's
              outward-facing address here should allow Kerberos
              authentication to succeed. This option is deprecated in
              favor of the extra_addresses flag in the libdefaults section
              of krb5.conf(5).

       ignore_unknown_principals

       ignore_unknown_spn

       ignore_unknown_upn
              specifies that pam_krb5 should return a PAM_IGNORE code to
              libpam instead of PAM_USER_UNKNOWN for users for whom the
              determined principal name is expired or does not exist.

       keytab=FILE:/etc/krb5.keytab
              tells pam_krb5.so the location of a keytab to use when
              validating credentials obtained from KDCs.

       minimum_uid=0
              tells pam_krb5.so to ignore authentication attempts by users
              with UIDs below the specified number.

       multiple_ccaches
              specifies that pam_krb5 should maintain multiple credential
              caches for this service, because it both sets credentials
              and opens a PAM session, but it sets the KRB5CCNAME variable
              after doing only one of the two. This option is usually not
              necessary for most services.

       no_initial_prompt
              tells pam_krb5.so to not ask for a password before attempting
              authentication, and to instead allow the Kerberos library to
              trigger a request for a password only in cases where one is
              needed.

       no_subsequent_prompt
              tells pam_krb5.so to only provide the previously-entered
              password in response to any request for a password which the
              Kerberos library might make. If the calling application does
              not properly support PAM conversations (possibly due to
              limitations of a network protocol which it is serving), this
              may need to be used to prevent the application from supplying
              the user's current password in password-changing situations
              when a new password is called for.

       no_user_check
              tells pam_krb5.so to not check if a user exists on the local
              system, to skip authorization checks using the user's
              .k5login file, and to create ccache files owned by the
              current process's UID. This is useful for situations where a
              non-privileged server process needs to use Kerberized
              services on behalf of remote users who may not have local
              access. Note that such a server should have an encrypted
              connection with its client in order to avoid allowing the
              user's password to be eavesdropped.

       no_validate

       no_validate=vlock
              tells pam_krb5.so to not attempt to use the local keytab to
              verify that the TGT obtained from the realm's servers has not
              been spoofed. The libdefaults verify_ap_req_nofail setting
              can affect whether or not errors reading the keytab which are
              encountered during validation will be suppressed.

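The existing_ticket and no_validate entries above describe a combination worth catching in configuration review: a pre-existing credential cache accepted as proof of authentication while the keytab check that would detect a spoofed TGT is switched off. The following Python is an added example, not code from pam_krb5 or Red Hat. It parses pam.d-style lines of the shape shown in the SYNOPSIS (type, control, module path, arguments, with bracketed controls kept whole) and reports the option combinations this page warns about or marks deprecated. The sample configuration, the function names and the severity labels are constructed for the example; the findings themselves only restate what the page says about each option.

```python
import re

# One pam.d line: type, control (a word or a [bracketed list]), module path,
# then optional module arguments.
_PAM_LINE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

# Options the pam_krb5(8) page marks as deprecated, with the krb5.conf(5)
# libdefaults setting it names as the replacement.
DEPRECATED = {
    "addressless": "noaddresses",
    "forwardable": "forwardable",
    "hosts": "extra_addresses",
    "proxiable": "proxiable",
    "renew_lifetime": "renew_lifetime",
}


def parse_pam_lines(text):
    """Parse pam.d-style text into dicts with keys line, type, control,
    module and args. Comments and blank lines are dropped; module arguments
    become a dict mapping 'flag' -> True and 'key=value' -> 'value'."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _PAM_LINE.match(line)
        if m is None:
            raise ValueError("line %d is not a PAM entry: %r" % (lineno, raw))
        pam_type, control, module, rest = m.groups()
        args = {}
        for tok in rest.split():
            key, sep, val = tok.partition("=")
            args[key] = val if sep else True
        entries.append({"line": lineno, "type": pam_type, "control": control,
                        "module": module, "args": args})
    return entries


def audit_pam_krb5(entries):
    """Return (severity, line, message) tuples for pam_krb5 entries that use
    option combinations the man page warns about or marks deprecated.
    Severity labels are this example's own convention."""
    findings = []
    for e in entries:
        if not e["module"].endswith("pam_krb5.so"):
            continue
        a = e["args"]
        if "no_validate" in a:
            # no_validate=svc restricts the effect to the listed services.
            scope = "" if a["no_validate"] is True else (
                " (only for services: %s)" % a["no_validate"])
            if "existing_ticket" in a:
                findings.append(("high", e["line"],
                    "existing_ticket with no_validate%s: a pre-existing "
                    "credential cache is accepted without keytab validation "
                    "(the page marks this DANGER)" % scope))
            else:
                findings.append(("medium", e["line"],
                    "no_validate%s: the TGT is not checked against the local "
                    "keytab for spoofing" % scope))
        elif "existing_ticket" in a:
            findings.append(("info", e["line"],
                "existing_ticket relies on TGT validation; confirm the keytab "
                "(keytab= option, default FILE:/etc/krb5.keytab) is readable "
                "by the module"))
        if "debug_sensitive" in a:
            findings.append(("medium", e["line"],
                "debug_sensitive logs sensitive information to syslog at "
                "LOG_DEBUG"))
        for opt, replacement in DEPRECATED.items():
            if opt in a:
                findings.append(("low", e["line"],
                    "%s is deprecated; use %s in the libdefaults section of "
                    "krb5.conf(5)" % (opt, replacement)))
    return findings


# Constructed sample: the four SYNOPSIS lines plus two auth lines written
# to trigger the audit. Not taken from any real system.
SAMPLE = """\
# pam_krb5 stack as in the SYNOPSIS
auth     required   /$LIB/security/pam_krb5.so
session  optional   /$LIB/security/pam_krb5.so
account  sufficient /$LIB/security/pam_krb5.so
password sufficient /$LIB/security/pam_krb5.so
# constructed entries that the audit should flag
auth     sufficient /$LIB/security/pam_krb5.so existing_ticket no_validate debug_sensitive
auth     [success=ok default=bad] /$LIB/security/pam_krb5.so forwardable renew_lifetime=36000
"""

if __name__ == "__main__":
    for sev, line, msg in audit_pam_krb5(parse_pam_lines(SAMPLE)):
        print("%-6s line %d: %s" % (sev, line, msg))
```

The parser keeps a bracketed control such as "[success=ok default=bad]" as one token, which a naive whitespace split would break into module arguments; the audit treats "no_validate" and "no_validate=service" alike apart from noting the service scope.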
       null_afs
              tells pam_krb5.so, when it attempts to set tokens, to try to
              get credentials for services with names which resemble
              afs@REALM before attempting to get credentials for services
              with names resembling afs/cell@REALM. The default is to
              assume that the cell's name is the instance in the AFS
              service's Kerberos principal name.

       preauth_options=[]
              controls the preauthentication options which pam_krb5 passes
              to libkrb5, if the system-defaults need to be overridden.
              The list is treated as a template, and these sequences are
              substituted:
                %u   login name
                %U   login UID
                %p   principal name
                %r   realm name
                %h   home directory
                %d   the default ccache directory
                %P   the current process ID
                %%   literal '%'

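The ccname_template and preauth_options entries use the same set of %-sequences, so one added example serves both. The Python below is illustrative code written for this page, not part of pam_krb5: it expands the eight sequences the page lists, treats '%%' as a literal '%', and leaves everything else (including the trailing XXXXXX of the default ccname_template, which is not a substitution sequence) untouched. The function names, the values dict, the sample user "alice" and the decision to reject unknown sequences are this example's assumptions; the page does not say how the module itself handles a malformed template.

```python
import os

# The %-sequences listed on the pam_krb5(8) page for ccname_template and
# preauth_options, mapped to the keys of the values dict built below.
SEQUENCES = {
    "u": "login",       # %u  login name
    "U": "uid",         # %U  login UID
    "p": "principal",   # %p  principal name
    "r": "realm",       # %r  realm name
    "h": "home",        # %h  home directory
    "d": "ccache_dir",  # %d  default ccache directory (ccache_dir option)
    "P": "pid",         # %P  current process ID
}


def template_values(login, uid, principal, realm, home, ccache_dir="/tmp", pid=None):
    """Collect the values one expansion needs for a single login.
    ccache_dir defaults to /tmp, matching the ccache_dir option's default."""
    return {
        "login": login, "uid": uid, "principal": principal, "realm": realm,
        "home": home, "ccache_dir": ccache_dir,
        "pid": os.getpid() if pid is None else pid,
    }


def expand_template(template, values):
    """Expand the %-sequences of a pam_krb5 template string.

    '%%' yields a literal '%'. An unknown sequence or a trailing '%' raises
    ValueError; that is this example's choice, so that a typo in the
    configuration cannot silently produce an unexpected ccache path."""
    out = []
    i = 0
    while i < len(template):
        ch = template[i]
        if ch != "%":
            out.append(ch)
            i += 1
            continue
        if i + 1 == len(template):
            raise ValueError("template ends with a dangling '%'")
        code = template[i + 1]
        if code == "%":
            out.append("%")
        elif code in SEQUENCES:
            out.append(str(values[SEQUENCES[code]]))
        else:
            raise ValueError("unknown template sequence %%%s" % code)
        i += 2
    return "".join(out)


def is_valid_template(template):
    """True if every '%' in the template starts a known sequence or '%%'."""
    i = 0
    while i < len(template):
        if template[i] == "%":
            if i + 1 == len(template):
                return False
            nxt = template[i + 1]
            if nxt != "%" and nxt not in SEQUENCES:
                return False
            i += 2
        else:
            i += 1
    return True


if __name__ == "__main__":
    # Constructed sample user; pid fixed so the output is reproducible.
    vals = template_values("alice", 1000, "alice@EXAMPLE.COM", "EXAMPLE.COM",
                           "/home/alice", pid=4242)
    print(expand_template("FILE:%d/krb5cc_%U_XXXXXX", vals))
    print(expand_template("FILE:%h/.krb5cc.%p.%P", vals))
```

Running the block prints the default template expanded for the sample user ("FILE:/tmp/krb5cc_1000_XXXXXX") and a home-directory variant; is_valid_template is a cheap pre-check to run over a configuration before deploying it.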
       proxiable
              tells pam_krb5.so that credentials it obtains should be
              proxiable. This option is deprecated in favor of the
              proxiable option in the libdefaults section of krb5.conf(5).

       pwhelp=filename
              specifies the name of a text file whose contents will be
              displayed to clients who attempt to change their passwords.
              There is no default.

       realm=realm
              overrides the default realm set in /etc/krb5.conf, which
              pam_krb5.so will attempt to authenticate users to.

       renew_lifetime=36000
              sets the default renewable lifetime for credentials. This
              option is deprecated in favor of the renew_lifetime option in
              the libdefaults section of krb5.conf(5).

       ticket_lifetime=36000
              sets the default lifetime for credentials.

       tokens

       tokens=imap
              signals that pam_krb5.so should create a new AFS PAG and
              obtain AFS tokens during authentication in addition to
              session setup. This is primarily useful in server
              applications which need to access a user's files but which
              do not open PAM sessions before doing so. A properly-written
              server will not need this flag set in order to function
              correctly.

       try_first_pass
              tells pam_krb5.so to check the previously-entered password as
              with use_first_pass, but to prompt the user for another one
              if the previously-entered one fails. This is the default
              mode of operation.

       use_first_pass
              tells pam_krb5.so to get the user's entered password as it
              was stored by a module listed earlier in the stack, usually
              pam_unix or pam_pwdb, instead of prompting the user for it.

       use_authtok
              tells pam_krb5.so to never prompt for new passwords when
              changing passwords. This is useful if you are using
              pam_cracklib or pam_passwdqc to try to enforce use of
              less-easy-to-guess passwords.

       use_shmem

       use_shmem=sshd
              tells pam_krb5.so to pass credentials from the authentication
              service function to the session management service function
              using shared memory, or to do so for specific services.

FILES
       /etc/krb5.conf

SEE ALSO
       pam_krb5(5) krb5.conf(5)

BUGS
       Probably, but let's hope not. If you find any, please file them in
       the bug database at http://bugzilla.redhat.com/ against the
       "pam_krb5" component.

AUTHOR
       Nalin Dahyabhai <nalin@redhat.com>

Red Hat Linux                    2009/12/11                      pam_krb5(8)