pam_krb5

pam_krb5(8)		System Administrator’s Manual		  pam_krb5(8)



NAME
       pam_krb5 - Kerberos 5 authentication


SYNOPSIS
       auth required /lib/security/pam_krb5.so
       session optional /lib/security/pam_krb5.so
       account sufficient /lib/security/pam_krb5.so
       password sufficient /lib/security/pam_krb5.so


DESCRIPTION
       The pam_krb5.so module is designed to allow smooth integration of
       Kerberos 5 password-checking for applications which use PAM.  It
       creates session-specific credential cache files, and can obtain
       Kerberos IV credentials using a krb524 service or a v4-capable KDC.
       If the system is an AFS client, it will also attempt to obtain tokens
       for the local cell.

       When a user logs in, the module’s authentication function performs a
       simple password check and, if possible, obtains Kerberos 5 and
       Kerberos IV credentials, caching them for later use.  When the
       application requests initialization of credentials (or opens a
       session), the usual ticket files are created.  When the application
       subsequently requests deletion of credentials or closing of the
       session, the module deletes the ticket files.  When the application
       requests account management, if the module did not participate in
       authenticating the user, it will signal libpam to ignore the module.
       If the module did participate in authenticating the user, it will
       check for an expired user password and verify the user’s
       authorization using the .k5login file of the user being
       authenticated, which is expected to be accessible to the module.


ARGUMENTS
       debug  turns on	debugging  via	syslog(3).   Debugging	messages  are
	      logged with priority LOG_DEBUG.


       addressless
	      tells  pam_krb5.so to obtain credentials without address lists.
	      This may be necessary if your network uses NAT, and should oth-
	      erwise  not be used.  This option is deprecated in favor of the
	      noaddresses flag in the libdefaults section of krb5.conf(5).


       hosts=host
	      tells pam_krb5.so to obtain credentials using  the  address  of
	      the  given  host	in addition to the addresses of interfaces on
	      the local workstation.  For example,  if	your  workstation  is
	      behind  a masquerading firewall, specifying the firewall’s out-
	      ward-facing address here should allow  Kerberos  authentication
	      to  succeed.   This  option  is  deprecated  in  favor  of  the
	      extra_addresses	flag   in   the	  libdefaults	section	   of
	      krb5.conf(5).


       afs_cells=cell1.example.com,cell2.example.com
              tells pam_krb5.so to obtain tokens for cell1.example.com and
              cell2.example.com, in addition to the local cell, for the user.


       banner=Kerberos
	    tells  pam_krb5.so	how  to identify itself when users attempt to
	    change their passwords.  The default setting is "Kerberos 5".


       ccache_dir=/tmp
	    tells pam_krb5.so which directory to use for  storing  credential
	    caches.  The default setting is /tmp.


       external

       external=sshd
	    tells  pam_krb5.so	to  use	 Kerberos credentials provided by the
	    calling application during session setup.	This  is  most	often
	    useful for obtaining a krb4 ticket.


       forwardable
	    tells  pam_krb5.so that credentials it obtains should be forward-
	    able.  This option is deprecated  in  favor	 of  the  forwardable
	    option in the libdefaults section of krb5.conf(5).


       keytab=/etc/krb5.keytab
	    tells pam_krb5.so the location of a keytab to use when validating
	    credentials obtained from KDCs.


       krb4_convert
	    tells pam_krb5.so to obtain Kerberos IV credentials for users, in
	    addition to Kerberos 5 credentials.


       no_krb4_convert_524
            tells pam_krb5.so not to try to obtain Kerberos IV credentials
            for users using the krb524 service.  This option modifies the
            krb4_convert option.  If this option is specified, pam_krb5 will
            only attempt to obtain Kerberos IV credentials using the KDC,
            unless no_krb4_use_as_req is also specified, in which case no
            Kerberos IV credentials are obtained at all.


       no_krb4_use_as_req
            tells pam_krb5.so not to try to obtain Kerberos IV credentials
            for users using the KDC.  This option modifies the krb4_convert
            option.  If this option is specified, pam_krb5 will only attempt
            to obtain Kerberos IV credentials using the krb524 service,
            unless no_krb4_convert_524 is also specified, in which case no
            Kerberos IV credentials are obtained at all.



       minimum_uid=0
	    tells pam_krb5.so to ignore authentication attempts by users with
	    UIDs below the specified number.


       no_user_check
	    tells pam_krb5.so to not check if a user exists on the local sys-
	    tem, to skip authorization checks using the user’s .k5login file,
	    and to create ccache files owned by the  current  process’s	 UID.
	    This  is useful for situations where a non-privileged server pro-
	    cess needs to use Kerberized services on behalf of	remote	users
	    who	 may  not  have local access.  Note that such a server should
	    have an encrypted connection with its client in  order  to	avoid
	    allowing the user’s password to be eavesdropped.


       proxiable
	    tells  pam_krb5.so	that  credentials it obtains should be proxi-
	    able.  This option is deprecated in favor of the proxiable option
	    in the libdefaults section of krb5.conf(5).


       realm=realm
            overrides the default realm set in /etc/krb5.conf; pam_krb5.so
            will attempt to authenticate users to the given realm instead.


       renew_lifetime=36000
	    sets the default renewable lifetime for credentials.  This option
	    is deprecated in favor of the renew_lifetime option in the libde-
	    faults section of krb5.conf(5).


       ticket_lifetime=36000
	    sets the default lifetime for credentials.


       tokens
	    signals that pam_krb5.so should obtain tokens during  authentica-
	    tion  in  addition to session setup.  This is primarily useful in
	    server applications which need to access a user’s files but which
	    do not open PAM sessions before doing so.


       try_first_pass
	    tells  pam_krb5.so	to  check  the previously-entered password as
	    with use_first_pass, but to prompt the user for  another  one  if
	    the	 previously-entered  one  fails.  This is the default mode of
	    operation.


       use_first_pass
	    tells pam_krb5.so to get the user’s entered password  as  it  was
	    stored  by a module listed earlier in the stack, usually pam_unix
	    or pam_pwdb, instead of prompting the user for it.


       use_authtok
	    tells pam_krb5.so to never prompt for new passwords when changing
	    passwords.	 This  is  useful if you are using pam_cracklib.so to
	    try to enforce use of less-easy-to-guess passwords.


       validate
            tells pam_krb5.so to verify that the TGT obtained from the
            realm’s servers has not been spoofed, by using the host’s keytab
            to check that the KDC which issued it also knows this host’s
            key.  Note that the process which is performing authentication
            must be able to read the keytab in order for validation to be
            possible.  Without validation, anyone able to answer as the KDC
            on the network could authenticate as any user to this host.
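

EXAMPLES
       The following script is an added example and is not part of pam_krb5
       or of this manual page.  It reads a PAM stack like the one shown in
       SYNOPSIS and reports the ARGUMENTS documented above that change the
       module’s security posture: an auth line without validate, a keytab=
       path that the auditing process cannot read, a missing minimum_uid,
       debug left on, no_user_check, and the deprecated address and flag
       options that belong in the libdefaults section of krb5.conf(5).  The
       two stacks it scans are constructed samples, and the keytab it checks
       is an empty temporary file standing in for /etc/krb5.keytab.

```shell
#!/bin/sh
# Added example (not part of pam_krb5 or its man page): audit PAM stack lines
# that load pam_krb5.so and flag the options that change the security posture.
# Both sample stacks below are constructed for this example.

# Constructed stand-in for the host keytab so the "is the keytab readable?"
# check can run offline.  A real deployment points keytab= at /etc/krb5.keytab.
KEYTAB=$(mktemp)

SAMPLE_WEAK='# constructed sample: no validate, debug left on, no_user_check
auth     sufficient pam_krb5.so debug forwardable
account  sufficient pam_krb5.so
password sufficient pam_krb5.so use_authtok
session  optional   pam_krb5.so no_user_check'

SAMPLE_HARDENED="# constructed sample: TGT validated against the host keytab
auth     sufficient /lib/security/pam_krb5.so validate keytab=$KEYTAB minimum_uid=1000
account  sufficient /lib/security/pam_krb5.so
password sufficient /lib/security/pam_krb5.so use_authtok
session  optional   /lib/security/pam_krb5.so"

has_arg() {  # has_arg "<module args>" name -> true if "name" or "name=..." is present
    case " $1 " in *" $2 "*|*" $2="*) return 0 ;; esac
    return 1
}

opt_value() {  # opt_value "<module args>" name -> prints the value of name=value (empty if absent)
    for a in $1; do
        case "$a" in "$2="*) printf '%s\n' "${a#"$2="}"; return 0 ;; esac
    done
    return 0
}

audit_pam_krb5() {  # reads PAM config on stdin, prints one FINDING line per problem
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        # Plain "type control module args..." lines only; the bracketed
        # control syntax ([success=ok ...]) is not handled by this splitter.
        set -- $line
        [ "$#" -ge 3 ] || continue
        ptype=$1; module=$3; shift 3; args=$*
        case "$module" in pam_krb5.so|*/pam_krb5.so) ;; *) continue ;; esac

        if [ "$ptype" = auth ]; then
            if has_arg "$args" validate; then
                kt=$(opt_value "$args" keytab)
                if [ -n "$kt" ] && [ ! -r "$kt" ]; then
                    echo "FINDING: auth: keytab $kt is not readable by this process; validation cannot work"
                fi
            else
                echo "FINDING: auth: no 'validate': the TGT is never checked against the host keytab, so a spoofed KDC could authenticate any user"
            fi
            if ! has_arg "$args" minimum_uid; then
                echo "FINDING: auth: no 'minimum_uid': root and system accounts are also sent to the KDC"
            fi
        fi
        if has_arg "$args" debug; then
            echo "FINDING: $ptype: 'debug' logs at LOG_DEBUG via syslog; leave it off outside troubleshooting"
        fi
        if has_arg "$args" no_user_check; then
            echo "FINDING: $ptype: 'no_user_check' skips the local-account and .k5login authorization checks"
        fi
        for d in addressless hosts forwardable proxiable renew_lifetime; do
            if has_arg "$args" "$d"; then
                echo "FINDING: $ptype: '$d' is deprecated; set it in the [libdefaults] section of krb5.conf instead"
            fi
        done
    done
    return 0
}

count_findings() {  # count_findings "<pam config text>" -> number of FINDING lines
    printf '%s\n' "$1" | audit_pam_krb5 | { grep -c '^FINDING' || true; }
}

echo "== weak stack =="
printf '%s\n' "$SAMPLE_WEAK" | audit_pam_krb5
echo "== hardened stack: $(count_findings "$SAMPLE_HARDENED") finding(s) =="
```

       Run it as the same user that the PAM-using service runs as: the keytab
       readability check is only meaningful for the process that will actually
       perform the validation.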


FILES
       /etc/krb5.conf


SEE ALSO
       pam_krb5(5) krb5.conf(5)


BUGS
       Probably,  but  let’s  hope not.	 If you find any, please file them in
       the bug database at http://bugzilla.redhat.com/ against the "pam_krb5"
       component.


AUTHOR
       Nalin Dahyabhai <nalin@redhat.com>



Red Hat Linux			  2008/04/10			  pam_krb5(8)