pam_krb5 - Kerberos 5 authentication
auth required /$LIB/security/pam_krb5.so
session optional /$LIB/security/pam_krb5.so
account sufficient /$LIB/security/pam_krb5.so
password sufficient /$LIB/security/pam_krb5.so
The pam_krb5.so module is designed to allow smooth integration of Kerberos 5 password-checking for applications which use PAM. It creates session-specific credential cache files, and can obtain Kerberos IV credentials using a krb524 service. If the system is an AFS client, it will also attempt to obtain tokens for the local cell, the cell which contains the users home directory, and any explicitly-configured cells.
When a user logs in, the modules authentication function performs a simple password check and, if possible, obtains Kerberos 5 and Kerberos IV credentials, caching them for later use. When the application requests initialization of credentials (or opens a session), the usual ticket files are created. When the application subsequently requests deletion of credentials or closing of the session, the module deletes the ticket files. When the application requests account management, if the module did not participate in authenticating the user, it will signal libpam to ignore the module. If the module did participate in authenticating the user, it will check for an expired user password and verify the users authorization using the .k5login file of the user being authenticated, which is expected to be accessible to the module.
debug turns on debugging via syslog(3). Debugging messages are logged with priority LOG_DEBUG.
debug_sensitive turns on debugging of sensitive information via syslog(3). Debug messages are logged with priority LOG_DEBUG.
addressless tells pam_krb5.so to obtain credentials without address lists. This may be necessary if your network uses NAT, and should otherwise not be used. This option is deprecated in favor of the noaddresses flag in the libdefaults section of krb5.conf(5).
chpw_prompt tells pam_krb5.so to allow expired passwords to be changed during authentication attempts. While this is the traditional behavior exhibited by "kinit", it is inconsistent with the behavior expected by PAM, which expects authentication to (appear to) succeed, only to have password expiration be flagged by a subsequent call to the account management function. Some applications which dont handle password expiration correctly will fail unconditionally if the users password is expired, and this flag can be used to attempt to work around this bug in those applications. The default is false.
hosts=host tells pam_krb5.so to obtain credentials using the address of the given host in addition to the addresses of interfaces on the local workstation. For example, if your workstation is behind a masquerading firewall, specifying the firewalls outward-facing address here should allow Kerberos authentication to succeed. This option is deprecated in favor of the extra_addresses flag in the libdefaults section of krb5.conf(5).
afs_cells=cell1.example.com cell2.example.com tells pam_krb5.so to obtain tokens for cell1.example.com and cell2.example.com, in addition to the local cell, for the user. in addition to the local cell, for the user. The module will guess the principal name of the AFS service for the named cells, or it can be specified by giving cells in the form cellname=principalname.
banner=Kerberos 5 tells pam_krb5.so how to identify itself when users attempt to change their passwords. The default setting is "Kerberos 5".
ccache_dir=/tmp tells pam_krb5.so which directory to use for storing credential caches. The default setting is /tmp.
existing_ticket tells pam_krb5.so to accept the presence of pre-existing Kerberos credentials provided by the calling application in the default credential cache as sufficient to authenticate the user, and to skip any account management checks. DANGER! Unless validation is also in use, it is relatively easy to produce a credential cache which looks "good enough" to fool pam_krb5.so.
external external=sshd tells pam_krb5.so to use Kerberos credentials provided by the calling application during session setup. This is most often useful for obtaining AFS tokens or a krb4 ticket.
forwardable tells pam_krb5.so that credentials it obtains should be forwardable. This option is deprecated in favor of the forwardable option in the libdefaults section of krb5.conf(5).
ignore_unknown_principals ignore_unknown_spn ignore_unknown_upn specifies that not pam_krb5 should return a PAM_IGNORE code to libpam instead of PAM_USER_UNKNOWN for users for whom the determined principal name is expired or does not exist.
keytab=FILE:/etc/krb5.keytab tells pam_krb5.so the location of a keytab to use when validating credentials obtained from KDCs.
krb4_convert tells pam_krb5.so to obtain Kerberos IV credentials for users, in addition to Kerberos 5 credentials, using either a v4-capable KDC or This option is poorly named. This option is automatically enabled if AFS is detected.
krb4_convert_524 tells pam_krb5.so to obtain Kerberos IV credentials for users using the krb524 service. This option modifies the krb4_convert option. If disabled, pam_krb5 will only attempt to obtain Kerberos IV credentials using the KDC.
krb4_use_as_req tells pam_krb5.so to obtain Kerberos IV credentials for users using the KDC. This option modifies the krb4_convert option. If disabled, pam_krb5 will only attempt to obtain Kerberos IV credentials using the krb524 service.
minimum_uid=0 tells pam_krb5.so to ignore authentication attempts by users with UIDs below the specified number.
multiple_ccaches specifies that pam_krb5 should maintain multiple credential caches for this service, because it both sets credentials and opens a PAM session, but it sets the KRB5CCNAME variable after doing only one of the two. This option is usually not necessary for most services.
no_initial_prompt tells pam_krb5.so to not ask for a password before attempting authentication, and to instead allow the Kerberos library to trigger a request for a password only in cases where one is needed.
no_subsequent_prompt tells pam_krb5.so to only provide the previously-entered password in response to any request for a password which the Kerberos library might make.
no_user_check tells pam_krb5.so to not check if a user exists on the local system, to skip authorization checks using the users .k5login file, and to create ccache files owned by the current processs UID. This is useful for situations where a non-privileged server process needs to use Kerberized services on behalf of remote users who may not have local access. Note that such a server should have an encrypted connection with its client in order to avoid allowing the users password to be eavesdropped.
novalidate novalidate=vlock tells pam_krb5.so to not attempt to use the local keytab to verify that the TGT obtained from the realms servers has not been spoofed. The libdefaults verify_ap_req_nofail setting can affect whether or not errors reading the keytab which are encountered during validation will be suppressed.
null_afs tells pam_krb5.so, when it attempts to set tokens, to try to get credentials for services with names which resemble afs@REALM before attempting to get credentials for services with names resembling afs/cell@REALM. The default is to assume that the cells name is the instance in the AFS services Kerberos principal name.
proxiable tells pam_krb5.so that credentials it obtains should be proxiable. This option is deprecated in favor of the proxiable option in the libdefaults section of krb5.conf(5).
pwhelp= specifies the name of a text file whose contents will be displayed to clients who attempt to change their passwords. There is no default.
realm=realm overrides the default realm set in /etc/krb5.conf, which pam_krb5.so will attempt to authenticate users to.
renew_lifetime=36000 sets the default renewable lifetime for credentials. This option is deprecated in favor of the renew_lifetime option in the libdefaults section of krb5.conf(5).
ticket_lifetime=36000 sets the default lifetime for credentials.
tokens tokens=imap signals that pam_krb5.so should create a new AFS PAG and obtain AFS tokens during authentication in addition to session setup. This is primarily useful in server applications which need to access a users files but which do not open PAM sessions before doing so.
try_first_pass tells pam_krb5.so to check the previously-entered password as with use_first_pass, but to prompt the user for another one if the previously-entered one fails. This is the default mode of operation.
use_first_pass tells pam_krb5.so to get the users entered password as it was stored by a module listed earlier in the stack, usually pam_unix or pam_pwdb, instead of prompting the user for it.
use_authtok tells pam_krb5.so to never prompt for new passwords when changing passwords. This is useful if you are using pam_cracklib.so or pam_passwdqc.so to try to enforce use of less-easy-to-guess passwords.
use_shmem use_shmem=sshd tells pam_krb5.so to pass credentials from the authentication service function to the session management service function using shared memory, or to do so for specific services.
Probably, but lets hope not. If you find any, please file them in the bug database at http://bugzilla.redhat.com/ against the "pam_krb5" component.
Nalin Dahyabhai <email@example.com>
|Red Hat Linux||pam_krb5 (8)||2006/09/08|