/* Void Main's man pages */
{ phpMan } else { main(); }
pam_krb5(8) System Administrator's Manual pam_krb5(8)
NAME
pam_krb5 - Kerberos 5 authentication
SYNOPSIS
auth required /$LIB/security/pam_krb5.so
session optional /$LIB/security/pam_krb5.so
account sufficient /$LIB/security/pam_krb5.so
password sufficient /$LIB/security/pam_krb5.so
DESCRIPTION
The pam_krb5.so module is designed to allow smooth integration of Kerberos 5 password-checking for applications which use
PAM. It creates session-specific credential cache files. If the system is an AFS client, it will also attempt to obtain
tokens for the local cell, the cell which contains the user's home directory, and any explicitly-configured cells.
When a user logs in, the module's authentication function performs a simple password check and, if possible, obtains Ker-
beros 5 credentials, caching them for later use. When the application requests initialization of credentials (or opens a
session), the usual ticket files are created. When the application subsequently requests deletion of credentials or
closing of the session, the module deletes the ticket files. When the application requests account management, if the
module did not participate in authenticating the user, it will signal libpam to ignore the module. If the module did
participate in authenticating the user, it will check for an expired user password and verify the user's authorization
using the .k5login file of the user being authenticated, which is expected to be accessible to the module.
ARGUMENTS
debug turns on debugging via syslog(3). Debugging messages are logged with priority LOG_DEBUG.
debug_sensitive
turns on debugging of sensitive information via syslog(3). Debug messages are logged with priority LOG_DEBUG.
addressless
tells pam_krb5.so to obtain credentials without address lists. This may be necessary if your network uses NAT,
and should otherwise not be used. This option is deprecated in favor of the noaddresses flag in the libdefaults
section of krb5.conf(5).
afs_cells=cell.example.com[,...]
tells pam_krb5.so to obtain tokens for the named cells, in addition to the local cell, for the user. The module
will guess the principal name of the AFS service for the named cells, or it can be specified by giving cell in the
form cellname=principalname.
banner=Kerberos 5
tells pam_krb5.so how to identify itself when users attempt to change their passwords. The default setting is
"Kerberos 5".
ccache_dir=/tmp
tells pam_krb5.so which directory to use for storing credential caches. The default setting is /tmp.
ccname_template=FILE:%d/krb5cc_%U_XXXXXX
specifies the location in which to place the user's session-specific credential cache. This value is treated as a
template, and these sequences are substituted:
%u login name
%U login UID
%p principal name
%r realm name
%h home directory
%d the default ccache directory (as set with ccache_dir)
%P the current process ID
%% literal '%'
The default setting is "FILE:%d/krb5cc_%U_XXXXXX".
chpw_prompt
tells pam_krb5.so to allow expired passwords to be changed during authentication attempts. While this is the tra-
ditional behavior exhibited by "kinit", it is inconsistent with the behavior expected by PAM, which expects
authentication to (appear to) succeed, only to have password expiration be flagged by a subsequent call to the
account management function. Some applications which don't handle password expiration correctly will fail uncon-
ditionally if the user's password is expired, and this flag can be used to attempt to work around this bug in
those applications. The default is false.
existing_ticket
tells pam_krb5.so to accept the presence of pre-existing Kerberos credentials provided by the calling application
in the default credential cache as sufficient to authenticate the user, and to skip any account management checks.
DANGER! Unless validation is also in use, it is relatively easy to produce a credential cache which looks "good
enough" to fool pam_krb5.so.
external
external=sshd
tells pam_krb5.so to use Kerberos credentials provided by the calling application during session setup. This is
most often useful for obtaining AFS tokens.
forwardable
tells pam_krb5.so that credentials it obtains should be forwardable. This option is deprecated in favor of the
forwardable option in the libdefaults section of krb5.conf(5).
hosts=host[,...]
tells pam_krb5.so to obtain credentials using the addresses of the given hosts in addition to the addresses of
interfaces on the local workstation. For example, if your workstation is behind a masquerading firewall, specify-
ing the firewall's outward-facing address here should allow Kerberos authentication to succeed. This option is
deprecated in favor of the extra_addresses flag in the libdefaults section of krb5.conf(5).
ignore_unknown_principals
ignore_unknown_spn
ignore_unknown_upn
specifies that not pam_krb5 should return a PAM_IGNORE code to libpam instead of PAM_USER_UNKNOWN for users for
whom the determined principal name is expired or does not exist.
keytab=FILE:/etc/krb5.keytab
tells pam_krb5.so the location of a keytab to use when validating credentials obtained from KDCs.
minimum_uid=0
tells pam_krb5.so to ignore authentication attempts by users with UIDs below the specified number.
multiple_ccaches
specifies that pam_krb5 should maintain multiple credential caches for this service, because it both sets creden-
tials and opens a PAM session, but it sets the KRB5CCNAME variable after doing only one of the two. This option
is usually not necessary for most services.
no_initial_prompt
tells pam_krb5.so to not ask for a password before attempting authentication, and to instead allow the Kerberos
library to trigger a request for a password only in cases where one is needed.
no_subsequent_prompt
tells pam_krb5.so to only provide the previously-entered password in response to any request for a password which
the Kerberos library might make. If the calling application does not properly support PAM conversations (possibly
due to limitations of a network protocol which it is serving), this may be need to be used to prevent the applica-
tion from supplying the user's current password in a password-changing situations when a new password is called
for.
no_user_check
tells pam_krb5.so to not check if a user exists on the local system, to skip authorization checks using the user's
.k5login file, and to create ccache files owned by the current process's UID. This is useful for situations where
a non-privileged server process needs to use Kerberized services on behalf of remote users who may not have local
access. Note that such a server should have an encrypted connection with its client in order to avoid allowing
the user's password to be eavesdropped.
null_afs
tells pam_krb5.so, when it attempts to set tokens, to try to get credentials for services with names which resem-
ble afs@REALM before attempting to get credentials for services with names resembling afs/cell@REALM. The default
is to assume that the cell's name is the instance in the AFS service's Kerberos principal name.
preauth_options=[]
controls the preauthentication options which pam_krb5 passes to libkrb5, if the system-defaults need to be over-
ridden. The list is treated as a template, and these sequences are substituted:
%u login name
%U login UID
%p principal name
%r realm name
%h home directory
%d the default ccache directory
%P the current process ID
%% literal '%'
proxiable
tells pam_krb5.so that credentials it obtains should be proxiable. This option is deprecated in favor of the
proxiable option in the libdefaults section of krb5.conf(5).
pwhelp=filename
specifies the name of a text file whose contents will be displayed to clients who attempt to change their pass-
words. There is no default.
realm=realm
overrides the default realm set in /etc/krb5.conf, which pam_krb5.so will attempt to authenticate users to.
renew_lifetime=36000
sets the default renewable lifetime for credentials. This option is deprecated in favor of the renew_lifetime
option in the libdefaults section of krb5.conf(5).
ticket_lifetime=36000
sets the default lifetime for credentials.
tokens
tokens=imap
signals that pam_krb5.so should create a new AFS PAG and obtain AFS tokens during authentication in addition to
session setup. This is primarily useful in server applications which need to access a user's files but which do
not open PAM sessions before doing so. A properly-written server will not need this flag set in order to function
correctly.
try_first_pass
tells pam_krb5.so to check the previously-entered password as with use_first_pass, but to prompt the user for
another one if the previously-entered one fails. This is the default mode of operation.
use_first_pass
tells pam_krb5.so to get the user's entered password as it was stored by a module listed earlier in the stack,
usually pam_unix or pam_pwdb, instead of prompting the user for it.
use_authtok
tells pam_krb5.so to never prompt for new passwords when changing passwords. This is useful if you are using
pam_cracklib or pam_passwdqc to try to enforce use of less-easy-to-guess passwords.
use_shmem
use_shmem=sshd
tells pam_krb5.so to pass credentials from the authentication service function to the session management service
function using shared memory, or to do so for specific services.
validate
validate=sshd
tells pam_krb5.so to verify that the TGT obtained from the realm's servers has not been spoofed. Note that the
process which is performing authentication must be able to read the keytab in order for validation to be possible.
FILES
/etc/krb5.conf
SEE ALSO
pam_krb5(5) krb5.conf(5)
BUGS
Probably, but let's hope not. If you find any, please file them in the bug database at http://bugzilla.redhat.com/
against the "pam_krb5" component.
AUTHOR
Nalin Dahyabhai <nalinATredhat.com>
Red Hat Linux 2009/12/11 pam_krb5(8)
