pam_krb5

pam_krb5(5)		System Administrator’s Manual		  pam_krb5(5)



NAME
       pam_krb5 - Kerberos 5 authentication


DESCRIPTION
       pam_krb5.so reads its configuration information from the appdefaults
       section of krb5.conf(5).  You should read the krb5.conf(5) man page
       before continuing here.  The module expects its configuration
       information to be in the pam subsection of the appdefaults section.


DIRECTIVES
       debug=[true|false]
	      turns on debugging via syslog(3).	 Debug	messages  are  logged
	      with priority LOG_DEBUG.


       addressless=[true|false]
	      if  set,	requests a TGT with no address information.  This can
	      be necessary if you are using Kerberos through  a	 NAT,  or  on
	      systems whose IP addresses change regularly.  This directive is
	      deprecated in favor of the libdefaults noaddresses directive.


       afs_cells=cell1.example.com cell2.example.com
	    tells pam_krb5.so to obtain tokens for cell1.example.com and
	    cell2.example.com, in addition to the local cell, for the user.


       banner=Kerberos
	    specifies what sort of password the module claims to be  changing
	    whenever  it  is called upon to change passwords.  The default is
	    Kerberos 5.


       ccache_dir=/tmp
	    specifies the directory to place credential cache files in.


       external=true

       external=sshd ftp
	    tells pam_krb5.so to use Kerberos credentials provided by the
	    calling application during session setup, rather than obtaining
	    new ones with the user's password.  The first form enables this
	    for every service; the second limits it to the listed PAM
	    service names.  This is most often useful for obtaining a krb4
	    ticket.


       forwardable=[true|false]
	    controls whether or not credentials are forwardable.  This direc-
	    tive is deprecated in favor of the libdefaults forwardable direc-
	    tive.


       hosts=hostnames
	    specifies which other hosts credentials obtained by pam_krb5 will
	    be	good  on.   If your host is behind a firewall, you should add
	    the IP address or name that the KDC sees  it  as  to  this	list.
	    This   directive  is  deprecated  in  favor	 of  the  libdefaults
	    extra_addresses directive.


       keytab=/etc/krb5.keytab
	    specifies the name of a keytab file to search for a service key
	    for use in validating TGTs (see the validate directive).


       krb4_convert=[true|false]
	    controls whether or not pam_krb5 tries to get Kerberos IV creden-
	    tials from the KDC (or using the krb524d service on the KDC)  and
	    create  ticket  files  with them.  Unless you’ve converted every-
	    thing on your network over to use  Kerberos	 5,  you’ll  want  to
	    leave  this	 set  to true.	Note that this may require valid Ker-
	    beros IV configuration data to be present  in  /etc/krb.conf  and
	    /etc/krb.realms.


       krb4_convert_524
	    controls whether or not pam_krb5 tries to get Kerberos IV creden-
	    tials using	 the  krb524d  service.	  This	option	modifies  the
	    krb4_convert  option.  If disabled, pam_krb5 will only attempt to
	    obtain  Kerberos  IV  credentials  using  the  KDC	(unless	  the
	    krb4_use_as_req option is also disabled).


       krb4_use_as_req
	    controls whether or not pam_krb5 tries to get Kerberos IV creden-
	    tials using the  KDC.   This  option  modifies  the	 krb4_convert
	    option.   If  disabled, pam_krb5 will only attempt to obtain Ker-
	    beros IV  credentials  using  the  krb524d	service	 (unless  the
	    krb4_convert_524 option is also disabled).


       minimum_uid=0
	    specifies  the  minimum  UID  of users being authenticated.	 If a
	    user with a UID less than this value attempts authentication, the
	    request will be ignored.


       proxiable=[true|false]
	    controls whether or not credentials are proxiable.	If not speci-
	    fied, they are.  This directive is deprecated  in  favor  of  the
	    libdefaults proxiable directive.


       renew_lifetime=36000
	    default  renewable	lifetime.   This  specifies how much time you
	    have after getting credentials to renew them.  This directive  is
	    deprecated	in favor of the libdefaults renew_lifetime directive.


       ticket_lifetime=36000
	    default credential lifetime.


       tokens
	    signals that pam_krb5.so should obtain tokens during  authentica-
	    tion  in  addition to session setup.  This is primarily useful in
	    server applications which need to access a user’s files but which
	    do not open PAM sessions before doing so.


       validate=[true|false]
	    specifies whether or not to attempt validation of the TGT.  The
	    default is false.  Validation uses the newly obtained TGT to
	    request a service ticket for a principal whose key is in the
	    keytab named by the keytab directive, and checks that ticket
	    against the key, so a TGT issued by anything other than a KDC
	    holding that key is rejected.  It needs a service key in that
	    keytab to work.


EXAMPLE
       [appdefaults]
	 pam = {
	   ticket_lifetime = 36000
	   renew_lifetime = 36000
	   forwardable = true
	   krb4_convert = true
	   validate = true
	   ccache_dir = /var/tmp
	   TEST.EXAMPLE.COM = {
	     debug = true
	     afs_cells = testcell.example.com othercell.example.com
	   }
	 }
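
       The following is an added example, not part of this man page or of the
       pam_krb5 sources, that parses a krb5.conf-style file and resolves the
       directives above the way an auditor of this module's configuration
       needs to: a value set in the realm block inside the pam subsection wins
       over one set directly in the pam subsection, and for the directives
       the page marks as deprecated the replacing libdefaults directive is
       consulted last.  That fallback order, the spellings accepted as
       "true", and the sample configuration (the EXAMPLE above plus a
       constructed [libdefaults] section) are this script's assumptions.

```python
"""Resolve and audit pam_krb5 appdefaults from krb5.conf-style text.

Added example, not code from pam_krb5 or libkrb5.  Assumptions: the
precedence realm > pam > [libdefaults] (the last only for directives the
man page marks as deprecated), the spellings accepted as "true", and the
sample configuration below.
"""
import re
from typing import Dict, List, Optional

# Deprecated pam directives and the libdefaults directive that replaces each,
# as listed in the man page.
DEPRECATED = {
    "addressless": "noaddresses",
    "forwardable": "forwardable",
    "hosts": "extra_addresses",
    "proxiable": "proxiable",
    "renew_lifetime": "renew_lifetime",
}

# Constructed sample: the man page's EXAMPLE plus a [libdefaults] section.
SAMPLE_CONF = """
[libdefaults]
  default_realm = TEST.EXAMPLE.COM
  noaddresses = true

[appdefaults]
  pam = {
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    krb4_convert = true
    validate = true
    ccache_dir = /var/tmp
    TEST.EXAMPLE.COM = {
      debug = true
      afs_cells = testcell.example.com othercell.example.com
    }
  }
"""


def parse_krb5_conf(text: str) -> Dict:
    """Parse [section] headers, key = value lines and key = { ... } blocks
    into nested dicts.  First occurrence of a key wins (assumption)."""
    root: Dict = {}
    stack: List[Dict] = [root]
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()  # drop comments
        if not line:
            continue
        header = re.match(r"^\[(\w+)\]$", line)
        if header:
            stack = [root.setdefault(header.group(1), {})]
            continue
        if line == "}":
            if len(stack) > 1:
                stack.pop()
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value == "{":
            stack.append(stack[-1].setdefault(key, {}))
        else:
            stack[-1].setdefault(key, value)
    return root


def lookup(conf: Dict, key: str, realm: Optional[str] = None) -> Optional[str]:
    """Effective string value of a pam directive, or None if unset.
    Order: appdefaults/pam/REALM, appdefaults/pam, then (deprecated
    directives only) the replacing [libdefaults] directive."""
    pam = conf.get("appdefaults", {}).get("pam", {})
    realm_block = pam.get(realm) if realm else None
    if isinstance(realm_block, dict) and isinstance(realm_block.get(key), str):
        return realm_block[key]
    if isinstance(pam.get(key), str):
        return pam[key]
    libkey = DEPRECATED.get(key)
    if libkey is not None:
        value = conf.get("libdefaults", {}).get(libkey)
        if isinstance(value, str):
            return value
    return None


def as_bool(value: Optional[str], default: bool) -> bool:
    """Interpret a [true|false] directive; unset falls back to the default.
    The accepted spellings are an assumption modelled on libkrb5 booleans."""
    if value is None:
        return default
    return value.strip().lower() in ("true", "t", "yes", "y", "on", "1")


def audit(conf: Dict, realm: Optional[str] = None) -> List[str]:
    """Findings a reviewer of this module's configuration would raise."""
    findings: List[str] = []
    if not as_bool(lookup(conf, "validate", realm), default=False):
        findings.append("validate is off (the default): the TGT obtained "
                        "at login is never checked against the keytab")
    if as_bool(lookup(conf, "debug", realm), default=False):
        findings.append("debug is on: LOG_DEBUG messages go to syslog")
    pam = conf.get("appdefaults", {}).get("pam", {})
    realm_block = pam.get(realm, {}) if realm else {}
    for key, libkey in DEPRECATED.items():
        if key in pam or key in realm_block:
            findings.append(f"{key} is set under appdefaults pam; deprecated "
                            f"in favor of libdefaults {libkey}")
    return findings


if __name__ == "__main__":
    conf = parse_krb5_conf(SAMPLE_CONF)
    for realm in (None, "TEST.EXAMPLE.COM"):
        print(f"realm={realm}")
        for key in ("validate", "keytab", "ccache_dir", "ticket_lifetime",
                    "addressless", "afs_cells"):
            print(f"  {key} = {lookup(conf, key, realm)}")
        for finding in audit(conf, realm):
            print("  !", finding)
```

       Run it against a real /etc/krb5.conf by reading the file into
       parse_krb5_conf instead of SAMPLE_CONF; a None from lookup means the
       module's built-in default applies (false for validate, for instance).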


FILES
       /etc/krb5.conf

SEE ALSO
       pam_krb5(8)

BUGS
       Probably, but let’s hope not.  If you find any, please  file  them  in
       the bug database at http://bugzilla.redhat.com/ against the "pam_krb5"
       component.


AUTHOR
       Nalin Dahyabhai <nalin@redhat.com>



Red Hat Linux			  2008/04/10			  pam_krb5(5)