pam_krb5_migrate(5) Standards, Environments, and Macros pam_krb5_migrate(5)

NAME
     pam_krb5_migrate - authentication PAM module for the KerberosV5
     auto-migration of users feature

SYNOPSIS
     /usr/lib/security/pam_krb5_migrate.so.1

DESCRIPTION
     The KerberosV5 auto-migrate service module for PAM provides
     functionality for the PAM authentication component. The service
     module helps in the automatic migration of PAM_USER to the client's
     local Kerberos realm, using PAM_AUTHTOK (the PAM authentication token
     associated with PAM_USER) as the new Kerberos principal's password.

   KerberosV5 Auto-migrate Authentication Module
     The KerberosV5 auto-migrate authentication component provides the
     pam_sm_authenticate(3PAM) function to migrate a user who does not
     have a corresponding krb5 principal account to the default Kerberos
     realm of the client.

     pam_sm_authenticate(3PAM) uses a host-based client service principal,
     present in the local keytab (/etc/krb5/krb5.keytab), to authenticate
     to kadmind(1M) (defaults to the host/nodename.fqdn service principal)
     for the principal creation operation. Also, for successful creation
     of the krb5 user principal account, the host-based client service
     principal being used needs to be assigned the appropriate privilege
     in the master KDC's kadm5.acl(4) file. kadmind(1M) checks for the
     appropriate privilege and validates the user password using PAM by
     calling pam_authenticate(3PAM) and pam_acct_mgmt(3PAM) for the
     k5migrate service.

     If migration of the user to the KerberosV5 infrastructure is
     successful, the module will inform users about it by means of a
     PAM_TEXT_INFO message, unless instructed otherwise by the presence of
     the quiet option.

     The authentication component always returns PAM_IGNORE and is meant
     to be stacked in pam.conf with a requirement that it be listed below
     pam_authtok_get(5) in the authentication stack. Also, if
     pam_krb5_migrate is used in the authentication stack of a particular
     service, it is mandatory that pam_krb5(5) be listed in the PAM
     account stack of that service for proper operation (see EXAMPLES).

OPTIONS
     The following options can be passed to the KerberosV5 auto-migrate
     authentication module:

     debug

         Provides syslog(3C) debugging information at LOG_DEBUG level.

     client_service=<service name>

         Name of the service used to authenticate to kadmind(1M); defaults
         to host. This means that the module uses host/<nodename.fqdn> as
         its client service principal name for the KerberosV5 user
         principal creation operation, or <service>/<nodename.fqdn> if
         this option is provided.

     quiet

         Do not explain KerberosV5 migration to the user.

         This has the same effect as passing the PAM_SILENT flag to
         pam_sm_authenticate(3PAM) and is useful where applications cannot
         handle PAM_TEXT_INFO messages.

         If not set, the authentication component will issue a
         PAM_TEXT_INFO message after creation of the Kerberos V5
         principal, indicating that it has done so.

     expire_pw

         Causes the creation of KerberosV5 user principals with password
         expiration set to now (current time).

EXAMPLES
     Example 1 Sample Entries from pam.conf

     The following entries from pam.conf(4) demonstrate the use of the
     pam_krb5_migrate.so.1 module:

       login   auth     requisite   pam_authtok_get.so.1
       login   auth     required    pam_dhkeys.so.1
       login   auth     required    pam_unix_cred.so.1
       login   auth     sufficient  pam_krb5.so.1
       login   auth     requisite   pam_unix_auth.so.1
       login   auth     optional    pam_krb5_migrate.so.1  expire_pw
       login   auth     required    pam_dial_auth.so.1

       other   account  requisite   pam_roles.so.1
       other   account  required    pam_krb5.so.1
       other   account  required    pam_unix_account.so.1

     The pam_krb5_migrate module can generally be present on the
     authentication stack of any service where the application calls
     pam_sm_authenticate(3PAM) and an authentication token (in the
     preceding example, the authentication token would be the user's Unix
     password) is available for use as a Kerberos V5 password.

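     The two stacking rules stated in DESCRIPTION and illustrated by Example 1 can be checked mechanically before a pam.conf change goes live. The following Python script is an added example, not part of this man page or of the Solaris PAM implementation; it assumes the pam.conf(4) field layout (service, module type, control flag, module path, options) and the Solaris rule that the "other" entries apply when a service has no entries of a given module type. The sample pam.conf text inside it is constructed from Example 1 plus a deliberately misordered "telnet" service.

```python
# Checks the two pam.conf stacking rules this man page states for
# pam_krb5_migrate: pam_authtok_get must be listed above it in the auth
# stack, and pam_krb5 must be in the same service's account stack.
# Constructed sample (assumption): Example 1 from this page plus a "telnet"
# service that deliberately violates both rules.
SAMPLE_PAM_CONF = """
login   auth    requisite  pam_authtok_get.so.1
login   auth    sufficient pam_krb5.so.1
login   auth    requisite  pam_unix_auth.so.1
login   auth    optional   pam_krb5_migrate.so.1  expire_pw
other   account required   pam_krb5.so.1
other   account required   pam_unix_account.so.1
telnet  auth    optional   /usr/lib/security/pam_krb5_migrate.so.1
telnet  auth    requisite  pam_authtok_get.so.1
telnet  account required   pam_unix_account.so.1
"""
MIGRATE, AUTHTOK_GET, KRB5 = "pam_krb5_migrate.so.1", "pam_authtok_get.so.1", "pam_krb5.so.1"

def parse_pam_conf(text):
    """Return {service: {module_type: [module basename, ...]}} in file order."""
    stacks = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 4:  # blank, comment, or malformed (pam.conf(4) needs 4 fields)
            continue
        service, mtype, _flag, path = fields[:4]
        stacks.setdefault(service, {}).setdefault(mtype, []).append(path.rsplit("/", 1)[-1])
    return stacks

def stack_for(stacks, service, mtype):
    """Entries of mtype for service; Solaris uses the 'other' entries when there are none."""
    entries = stacks.get(service, {}).get(mtype)
    return entries if entries is not None else stacks.get("other", {}).get(mtype, [])

def check_migrate_stacking(text):
    """Return [(service, problem), ...]; an empty list means both rules hold."""
    stacks, problems = parse_pam_conf(text), []
    for service in stacks:
        auth = stack_for(stacks, service, "auth")
        if MIGRATE not in auth:
            continue
        if AUTHTOK_GET not in auth[:auth.index(MIGRATE)]:
            problems.append((service, f"{AUTHTOK_GET} must be listed above {MIGRATE}"))
        if KRB5 not in stack_for(stacks, service, "account"):
            problems.append((service, f"{KRB5} missing from the account stack"))
    return problems

if __name__ == "__main__":
    for service, problem in check_migrate_stacking(SAMPLE_PAM_CONF):
        print(f"{service}: {problem}")
```

     Run against the sample, the login service passes (its account stack comes from the "other" entries, as in Example 1) and the telnet service is reported for both rules.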
     Example 2 Sample Entries from kadm5.acl

     The following entries from kadm5.acl(4) permit or deny privileges to
     the host client service principal:

       host/*@ACME.COM   U    root
       host/*@ACME.COM   ui   *

     The preceding entries permit the pam_krb5_migrate add privilege to
     the host client service principal of any machine in the ACME.COM
     KerberosV5 realm, but deny the add privilege to all host service
     principals for addition of the root user account.

     Example 3 Sample Entries in pam.conf of the Master KDC

     The entries below enable kadmind(1M) on the master KDC to use the
     k5migrate PAM service in order to validate Unix user passwords for
     accounts that require migration to the Kerberos realm.

       k5migrate   auth      required   pam_unix_auth.so.1
       k5migrate   account   required   pam_unix_account.so.1

ATTRIBUTES
     See attributes(5) for a description of the following attribute:

     ┌─────────────────────────────┬─────────────────────────────┐
     │       ATTRIBUTE TYPE        │       ATTRIBUTE VALUE       │
     ├─────────────────────────────┼─────────────────────────────┤
     │Interface Stability          │Evolving                     │
     └─────────────────────────────┴─────────────────────────────┘

SEE ALSO
     kadmind(1M), syslog(3C), pam_authenticate(3PAM), pam_acct_mgmt(3PAM),
     pam_sm_authenticate(3PAM), kadm5.acl(4), pam.conf(4), attributes(5),
     pam_authtok_get(5), pam_krb5(5)



SunOS 5.11                        Jul 29 2004             pam_krb5_migrate(5)