pam_krb5(8)              System Administrator's Manual             pam_krb5(8)


NAME

       pam_krb5 - Kerberos 5 authentication

SYNOPSIS

       auth required /$LIB/security/pam_krb5.so
       session optional /$LIB/security/pam_krb5.so
       account sufficient /$LIB/security/pam_krb5.so
       password sufficient /$LIB/security/pam_krb5.so

DESCRIPTION

       The pam_krb5.so module is designed to allow smooth integration of
       Kerberos 5 password-checking for applications which use PAM.  It
       creates session-specific credential cache files, and can obtain
       Kerberos IV credentials using a krb524 service.  If the system is an
       AFS client, it will also attempt to obtain tokens for the local cell,
       the cell which contains the user's home directory, and any
       explicitly-configured cells.

       When a user logs in, the module's authentication function performs a
       simple password check and, if possible, obtains Kerberos 5 and
       Kerberos IV credentials, caching them for later use.  When the
       application requests initialization of credentials (or opens a
       session), the usual ticket files are created.  When the application
       subsequently requests deletion of credentials or closing of the
       session, the module deletes the ticket files.  When the application
       requests account management, if the module did not participate in
       authenticating the user, it will signal libpam to ignore the module.
       If the module did participate in authenticating the user, it will
       check for an expired user password and verify the user's
       authorization using the .k5login file of the user being
       authenticated, which is expected to be accessible to the module.

ARGUMENTS

       debug  turns on debugging via syslog(3).  Debugging messages are logged
              with priority LOG_DEBUG.

       debug_sensitive
              turns on debugging of sensitive information via syslog(3).
              Debug messages are logged with priority LOG_DEBUG.

       addressless
              tells pam_krb5.so to obtain credentials without address lists.
              This may be necessary if your network uses NAT, and should
              otherwise not be used.  This option is deprecated in favor of
              the noaddresses flag in the libdefaults section of krb5.conf(5).

       hosts=host
              tells pam_krb5.so to obtain credentials using the address of the
              given host in addition to the addresses of interfaces on the
              local workstation.  For example, if your workstation is behind a
              masquerading firewall, specifying the firewall's outward-facing
              address here should allow Kerberos authentication to succeed.
              This option is deprecated in favor of the extra_addresses flag
              in the libdefaults section of krb5.conf(5).

       afs_cells=cell1.example.com cell2.example.com
              tells pam_krb5.so to obtain tokens for cell1.example.com and
              cell2.example.com, in addition to the local cell, for the user.
              The module will guess the principal name of the AFS service for
              the named cells, or it can be specified by giving cells in the
              form cellname=principalname.

       banner=Kerberos 5
              tells pam_krb5.so how to identify itself when users attempt to
              change their passwords.  The default setting is "Kerberos 5".

       ccache_dir=/tmp
              tells pam_krb5.so which directory to use for storing credential
              caches.  The default setting is /tmp.

       existing_ticket
              tells pam_krb5.so to accept the presence of pre-existing
              Kerberos credentials provided by the calling application in the
              default credential cache as sufficient to authenticate the user,
              and to skip any account management checks.

              DANGER!  Unless validation is also in use, it is relatively easy
              to produce a credential cache which looks "good enough" to fool
              pam_krb5.so.

       external

       external=sshd
              tells pam_krb5.so to use Kerberos credentials provided by the
              calling application during session setup.  This is most often
              useful for obtaining AFS tokens or a krb4 ticket.

       forwardable
              tells pam_krb5.so that credentials it obtains should be
              forwardable.  This option is deprecated in favor of the
              forwardable option in the libdefaults section of krb5.conf(5).

       ignore_unknown_principals

       ignore_unknown_spn

       ignore_unknown_upn
              specifies that pam_krb5 should return a PAM_IGNORE code to
              libpam instead of PAM_USER_UNKNOWN for users for whom the
              determined principal name is expired or does not exist.

       keytab=FILE:/etc/krb5.keytab
              tells pam_krb5.so the location of a keytab to use when
              validating credentials obtained from KDCs.

       krb4_convert
              tells pam_krb5.so to obtain Kerberos IV credentials for users,
              in addition to Kerberos 5 credentials, using either a v4-capable
              KDC or a krb524 service.  This option is poorly named.  This
              option is automatically enabled if AFS is detected.

       krb4_convert_524
              tells pam_krb5.so to obtain Kerberos IV credentials for users
              using the krb524 service.  This option modifies the krb4_convert
              option.  If disabled, pam_krb5 will only attempt to obtain
              Kerberos IV credentials using the KDC.

       krb4_use_as_req
              tells pam_krb5.so to obtain Kerberos IV credentials for users
              using the KDC.  This option modifies the krb4_convert option.
              If disabled, pam_krb5 will only attempt to obtain Kerberos IV
              credentials using the krb524 service.

       minimum_uid=0
              tells pam_krb5.so to ignore authentication attempts by users
              with UIDs below the specified number.

       no_initial_prompt
              tells pam_krb5.so to not ask for a password before attempting
              authentication, and to instead allow the Kerberos library to
              trigger a request for a password only in cases where one is
              needed.

       no_subsequent_prompt
              tells pam_krb5.so to only provide the previously-entered
              password in response to any request for a password which the
              Kerberos library might make.

       no_user_check
              tells pam_krb5.so to not check if a user exists on the local
              system, to skip authorization checks using the user's .k5login
              file, and to create ccache files owned by the current process's
              UID.  This is useful for situations where a non-privileged
              server process needs to use Kerberized services on behalf of
              remote users who may not have local access.  Note that such a
              server should have an encrypted connection with its client in
              order to avoid allowing the user's password to be eavesdropped.

       proxiable
              tells pam_krb5.so that credentials it obtains should be
              proxiable.  This option is deprecated in favor of the proxiable
              option in the libdefaults section of krb5.conf(5).

       realm=realm
              overrides the default realm set in /etc/krb5.conf, which
              pam_krb5.so will attempt to authenticate users to.

       renew_lifetime=36000
              sets the default renewable lifetime for credentials.  This
              option is deprecated in favor of the renew_lifetime option in
              the libdefaults section of krb5.conf(5).

       ticket_lifetime=36000
              sets the default lifetime for credentials.

       tokens

       tokens=imap
              signals that pam_krb5.so should create a new AFS PAG and obtain
              AFS tokens during authentication in addition to session setup.
              This is primarily useful in server applications which need to
              access a user's files but which do not open PAM sessions before
              doing so.

       try_first_pass
              tells pam_krb5.so to check the previously-entered password as
              with use_first_pass, but to prompt the user for another one if
              the previously-entered one fails.  This is the default mode of
              operation.

       use_first_pass
              tells pam_krb5.so to get the user's entered password as it was
              stored by a module listed earlier in the stack, usually pam_unix
              or pam_pwdb, instead of prompting the user for it.

       use_authtok
              tells pam_krb5.so to never prompt for new passwords when
              changing passwords.  This is useful if you are using
              pam_cracklib.so or pam_passwdqc.so to try to enforce use of
              less-easy-to-guess passwords.

       use_shmem

       use_shmem=sshd
              tells pam_krb5.so to pass credentials from the authentication
              service function to the session management service function
              using shared memory, or to do so for specific services.

       validate

       validate=sshd
              tells pam_krb5.so to verify that the TGT obtained from the
              realm's servers has not been spoofed.  Note that the process
              which is performing authentication must be able to read the
              keytab in order for validation to be possible.
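       As an added example (not part of the pam_krb5 man page or of the
       pam_krb5 project's code), the Python script below parses PAM
       service-file lines of the form shown in the SYNOPSIS and audits each
       pam_krb5 entry for two things the ARGUMENTS section warns about:
       existing_ticket configured without validate (the DANGER note above),
       and options that are deprecated in favor of krb5.conf libdefaults
       settings, for which it emits the equivalent [libdefaults] fragment.
       The sample stack, the function names and the message texts are
       constructed for this example.

```python
"""Audit pam_krb5 lines in a PAM service file.

Constructed example, not code from the pam_krb5 project or its man page. It
parses the "type control module [args]" lines shown in the SYNOPSIS and reports
what the ARGUMENTS section warns about: existing_ticket configured without
validate, and module options deprecated in favor of krb5.conf [libdefaults].
"""
import re
from dataclasses import dataclass

# Module options that pam_krb5(8) marks deprecated, mapped to the krb5.conf
# [libdefaults] setting the man page names as the replacement.
DEPRECATED = {
    "addressless": "noaddresses",
    "hosts": "extra_addresses",
    "forwardable": "forwardable",
    "proxiable": "proxiable",
    "renew_lifetime": "renew_lifetime",
}

# Matches: type, control (a word or a bracketed "[success=1 default=ignore]"
# group), module path, and the remaining arguments.
_LINE_RE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


@dataclass
class PamLine:
    type: str
    control: str
    module: str
    args: dict  # option name -> value, or None when given without "="


def parse_pam_line(line):
    """Parse one PAM config line; return None for blank lines and comments."""
    stripped = line.split("#", 1)[0].strip()
    if not stripped:
        return None
    m = _LINE_RE.match(stripped)
    if not m:
        return None
    ptype, control, module, rest = m.groups()
    args = {}
    for token in rest.split():
        name, sep, value = token.partition("=")
        args[name] = value if sep else None
    return PamLine(ptype, control, module, args)


def audit_stack(text):
    """Return (findings, libdefaults).

    findings:    list of (line number, message) for each pam_krb5 line that
                 needs attention, in file order.
    libdefaults: krb5.conf [libdefaults] settings that would replace the
                 deprecated module options found (hosts= values are passed
                 through as given; extra_addresses expects addresses).
    """
    findings = []
    libdefaults = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = parse_pam_line(raw)
        if entry is None or "pam_krb5" not in entry.module:
            continue
        args = entry.args
        for name, value in args.items():
            if name in DEPRECATED:
                replacement = DEPRECATED[name]
                findings.append((lineno, f"{name} is deprecated; set {replacement} in [libdefaults]"))
                # Flag-style options become "true"; valued options keep their value.
                libdefaults[replacement] = value if value is not None else "true"
        # The man page's DANGER note: without validate, a credential cache
        # that merely looks plausible can satisfy existing_ticket.
        if "existing_ticket" in args and "validate" not in args:
            findings.append((lineno, "existing_ticket without validate: unverified ccache accepted"))
    return findings, libdefaults


def render_libdefaults(settings):
    """Render the replacement settings as a krb5.conf [libdefaults] fragment."""
    lines = ["[libdefaults]"]
    for key, value in settings.items():
        lines.append(f"    {key} = {value}")
    return "\n".join(lines) + "\n"


# Constructed sample stack (not taken from any real system).
SAMPLE_PAM_FILE = """\
# sshd-style stack, constructed for this example
auth     sufficient  pam_krb5.so try_first_pass addressless renew_lifetime=36000
auth     required    pam_unix.so
account  sufficient  pam_krb5.so existing_ticket
session  optional    pam_krb5.so external=sshd
"""

if __name__ == "__main__":
    found, defaults = audit_stack(SAMPLE_PAM_FILE)
    for lineno, message in found:
        print(f"line {lineno}: {message}")
    print(render_libdefaults(defaults))
```

       Run against the constructed sample, the audit reports the two
       deprecated options on the auth line and the unvalidated
       existing_ticket on the account line, and prints a [libdefaults]
       fragment with noaddresses and renew_lifetime that can replace the
       module arguments.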

FILES

       /etc/krb5.conf


SEE ALSO

       pam_krb5(5) krb5.conf(5)


BUGS

       Probably, but let's hope not.  If you find any, please file them in the
       bug database at http://bugzilla.redhat.com/ against the "pam_krb5"
       component.


AUTHOR

       Nalin Dahyabhai <nalin@redhat.com>

Red Hat Linux                     2006/09/08                       pam_krb5(8)