pam_krb5(8)              System Administrator's Manual             pam_krb5(8)

NAME

       pam_krb5 - Kerberos 5 authentication

SYNOPSIS

       auth required /$LIB/security/pam_krb5.so
       session optional /$LIB/security/pam_krb5.so
       account sufficient /$LIB/security/pam_krb5.so
       password sufficient /$LIB/security/pam_krb5.so

DESCRIPTION

       The pam_krb5.so module is designed to allow smooth integration of
       Kerberos 5 password-checking for applications which use PAM.  It
       creates session-specific credential cache files.  If the system is an
       AFS client, it will also attempt to obtain tokens for the local cell,
       the cell which contains the user's home directory, and any
       explicitly-configured cells.

       When a user logs in, the module's authentication function performs a
       simple password check and, if possible, obtains Kerberos 5
       credentials, caching them for later use.  When the application
       requests initialization of credentials (or opens a session), the
       usual ticket files are created.  When the application subsequently
       requests deletion of credentials or closing of the session, the
       module deletes the ticket files.  When the application requests
       account management, if the module did not participate in
       authenticating the user, it will signal libpam to ignore the module.
       If the module did participate in authenticating the user, it will
       check for an expired user password and verify the user's
       authorization using the .k5login file of the user being
       authenticated, which is expected to be accessible to the module.


ARGUMENTS

       debug  turns on debugging via syslog(3).  Debugging messages are
              logged with priority LOG_DEBUG.

       debug_sensitive
              turns on debugging of sensitive information via syslog(3).
              Debug messages are logged with priority LOG_DEBUG.

       addressless
              tells pam_krb5.so to obtain credentials without address lists.
              This may be necessary if your network uses NAT, and should
              otherwise not be used.  This option is deprecated in favor of
              the noaddresses flag in the libdefaults section of
              krb5.conf(5).

       afs_cells=cell.example.com[,...]
              tells pam_krb5.so to obtain tokens for the named cells, in
              addition to the local cell, for the user.  The module will
              guess the principal name of the AFS service for the named
              cells, or it can be specified by giving cell in the form
              cellname=principalname.

       banner=Kerberos 5
              tells pam_krb5.so how to identify itself when users attempt to
              change their passwords.  The default setting is "Kerberos 5".

       ccache_dir=/tmp
              tells pam_krb5.so which directory to use for storing
              credential caches.  The default setting is /tmp.

       ccname_template=FILE:%d/krb5cc_%U_XXXXXX
              specifies the location in which to place the user's
              session-specific credential cache.  This value is treated as a
              template, and these sequences are substituted:
                %u login name
                %U login UID
                %p principal name
                %r realm name
                %h home directory
                %d the default ccache directory (as set with ccache_dir)
                %P the current process ID
                %% literal '%'
              The default setting is "FILE:%d/krb5cc_%U_XXXXXX".

       chpw_prompt
              tells pam_krb5.so to allow expired passwords to be changed
              during authentication attempts.  While this is the traditional
              behavior exhibited by "kinit", it is inconsistent with the
              behavior expected by PAM, which expects authentication to
              (appear to) succeed, only to have password expiration be
              flagged by a subsequent call to the account management
              function.  Some applications which don't handle password
              expiration correctly will fail unconditionally if the user's
              password is expired, and this flag can be used to attempt to
              work around this bug in those applications.  The default is
              false.

       cred_session
              specifies that pam_krb5 should create and destroy credential
              caches, as it does when the calling application opens and
              closes a PAM session, when the calling application establishes
              and deletes PAM credentials.  This is done to compensate for
              applications which expect to create a credential cache but
              which don't use PAM session management.  It is usually a
              harmless redundancy in applications which don't require it, so
              this option is enabled by default, except for services in this
              list: "sshd".

       existing_ticket
              tells pam_krb5.so to accept the presence of pre-existing
              Kerberos credentials provided by the calling application in
              the default credential cache as sufficient to authenticate the
              user, and to skip any account management checks.

              DANGER!  Unless validation is also in use, it is relatively
              easy to produce a credential cache which looks "good enough"
              to fool pam_krb5.so.

       external

       external=sshd
              tells pam_krb5.so to use Kerberos credentials provided by the
              calling application during session setup.  This is most often
              useful for obtaining AFS tokens.

       forwardable
              tells pam_krb5.so that credentials it obtains should be
              forwardable.  This option is deprecated in favor of the
              forwardable option in the libdefaults section of krb5.conf(5).

       hosts=host[,...]
              tells pam_krb5.so to obtain credentials using the addresses of
              the given hosts in addition to the addresses of interfaces on
              the local workstation.  For example, if your workstation is
              behind a masquerading firewall, specifying the firewall's
              outward-facing address here should allow Kerberos
              authentication to succeed.  This option is deprecated in favor
              of the extra_addresses flag in the libdefaults section of
              krb5.conf(5).

       ignore_unknown_principals

       ignore_unknown_spn

       ignore_unknown_upn
              specifies that pam_krb5 should return a PAM_IGNORE code to
              libpam instead of PAM_USER_UNKNOWN for users for whom the
              determined principal name is expired or does not exist.

       keytab=FILE:/etc/krb5.keytab
              tells pam_krb5.so the location of a keytab to use when
              validating credentials obtained from KDCs.

       minimum_uid=0
              tells pam_krb5.so to ignore authentication attempts by users
              with UIDs below the specified number.

       multiple_ccaches
              specifies that pam_krb5 should maintain multiple credential
              caches for this service, because it both sets credentials and
              opens a PAM session, but it sets the KRB5CCNAME variable after
              doing only one of the two.  This option is usually not
              necessary for most services.

       no_initial_prompt
              tells pam_krb5.so to not ask for a password before attempting
              authentication, and to instead allow the Kerberos library to
              trigger a request for a password only in cases where one is
              needed.

       no_subsequent_prompt
              tells pam_krb5.so to only provide the previously-entered
              password in response to any request for a password which the
              Kerberos library might make.  If the calling application does
              not properly support PAM conversations (possibly due to
              limitations of a network protocol which it is serving), this
              may need to be used to prevent the application from supplying
              the user's current password in a password-changing situation
              when a new password is called for.

       no_user_check
              tells pam_krb5.so to not check if a user exists on the local
              system, to skip authorization checks using the user's .k5login
              file, and to create ccache files owned by the current
              process's UID.  This is useful for situations where a
              non-privileged server process needs to use Kerberized services
              on behalf of remote users who may not have local access.  Note
              that such a server should have an encrypted connection with
              its client in order to avoid allowing the user's password to
              be eavesdropped.

       no_validate

       no_validate=vlock
              tells pam_krb5.so to not attempt to use the local keytab to
              verify that the TGT obtained from the realm's servers has not
              been spoofed.  The libdefaults verify_ap_req_nofail setting
              can affect whether or not errors reading the keytab which are
              encountered during validation will be suppressed.

       null_afs
              tells pam_krb5.so, when it attempts to set tokens, to try to
              get credentials for services with names which resemble
              afs@REALM before attempting to get credentials for services
              with names resembling afs/cell@REALM.  The default is to
              assume that the cell's name is the instance in the AFS
              service's Kerberos principal name.

       preauth_options=[]
              controls the preauthentication options which pam_krb5 passes
              to libkrb5, if the system-defaults need to be overridden.  The
              list is treated as a template, and these sequences are
              substituted:
                %u login name
                %U login UID
                %p principal name
                %r realm name
                %h home directory
                %d the default ccache directory
                %P the current process ID
                %% literal '%'

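              The following Python is an added illustration of the
              %-sequence substitution that ccname_template and
              preauth_options share; it is not code from pam_krb5 itself.
              SessionInfo, split_ccname, the sample values, and the
              assumption that the trailing XXXXXX is filled in
              mkstemp(3)-style are this example's own.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class SessionInfo:
    """Constructed stand-in for what pam_krb5 knows about a session (example's own type)."""
    login: str        # %u  login name
    uid: int          # %U  login UID
    principal: str    # %p  principal name, e.g. user@REALM
    realm: str        # %r  realm name
    home: str         # %h  home directory
    ccache_dir: str   # %d  the ccache_dir argument (default /tmp)
    pid: int          # %P  current process ID

_SEQ = re.compile(r"%(.)")  # a '%' followed by its sequence character

def expand_template(template: str, info: SessionInfo) -> str:
    """Substitute the %-sequences listed for ccname_template and
    preauth_options; '%%' is a literal '%', anything else unknown is an error."""
    table = {
        "u": info.login, "U": str(info.uid), "p": info.principal,
        "r": info.realm, "h": info.home, "d": info.ccache_dir,
        "P": str(info.pid), "%": "%",
    }
    def sub(m: re.Match) -> str:
        key = m.group(1)
        if key not in table:
            raise ValueError(f"unknown template sequence %{key}")
        return table[key]
    return _SEQ.sub(sub, template)

def split_ccname(ccname: str) -> tuple[str, str]:
    """Split 'TYPE:residual'; a name with no type prefix is FILE, krb5's default type."""
    ctype, sep, residual = ccname.partition(":")
    return (ctype, residual) if sep else ("FILE", ccname)

def has_mkstemp_suffix(ccname: str) -> bool:
    """True when a FILE ccache name still ends in XXXXXX, which this example
    assumes the module fills in mkstemp(3)-style so the path is not predictable."""
    ctype, residual = split_ccname(ccname)
    return ctype == "FILE" and residual.endswith("XXXXXX")

if __name__ == "__main__":
    sess = SessionInfo("alice", 1000, "alice@EXAMPLE.COM", "EXAMPLE.COM",
                       "/home/alice", "/tmp", 4242)  # constructed sample values
    name = expand_template("FILE:%d/krb5cc_%U_XXXXXX", sess)
    print(name, split_ccname(name), has_mkstemp_suffix(name))
```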
       proxiable
              tells pam_krb5.so that credentials it obtains should be
              proxiable.  This option is deprecated in favor of the
              proxiable option in the libdefaults section of krb5.conf(5).

       pwhelp=filename
              specifies the name of a text file whose contents will be
              displayed to clients who attempt to change their passwords.
              There is no default.

       realm=realm
              overrides the default realm set in /etc/krb5.conf, which
              pam_krb5.so will attempt to authenticate users to.

       renew_lifetime=36000
              sets the default renewable lifetime for credentials.  This
              option is deprecated in favor of the renew_lifetime option in
              the libdefaults section of krb5.conf(5).

       ticket_lifetime=36000
              sets the default lifetime for credentials.

       tokens

       tokens=imap
              signals that pam_krb5.so should create a new AFS PAG and
              obtain AFS tokens during authentication in addition to session
              setup.  This is primarily useful in server applications which
              need to access a user's files but which do not open PAM
              sessions before doing so.  A properly-written server will not
              need this flag set in order to function correctly.

       try_first_pass
              tells pam_krb5.so to check the previously-entered password as
              with use_first_pass, but to prompt the user for another one if
              the previously-entered one fails.  This is the default mode of
              operation.

       use_first_pass
              tells pam_krb5.so to get the user's entered password as it was
              stored by a module listed earlier in the stack, usually
              pam_unix or pam_pwdb, instead of prompting the user for it.

       use_authtok
              tells pam_krb5.so to never prompt for new passwords when
              changing passwords.  This is useful if you are using
              pam_cracklib or pam_passwdqc to try to enforce use of
              less-easy-to-guess passwords.

       use_shmem

       use_shmem=sshd
              tells pam_krb5.so to pass credentials from the authentication
              service function to the session management service function
              using shared memory, or to do so for specific services.


FILES

       /etc/krb5.conf


SEE ALSO

       pam_krb5(5) krb5.conf(5)


BUGS

       Probably, but let's hope not.  If you find any, please file them in
       the bug database at http://bugzilla.redhat.com/ against the
       "pam_krb5" component.


AUTHOR

       Nalin Dahyabhai <nalin@redhat.com>



Red Hat Linux                     2009/12/11                       pam_krb5(8)