pam_krb5
Section: System Administrator's Manual (8)
Updated: 2008/03/03
Index
Return to Main Contents
NAME
pam_krb5 - Kerberos 5 authentication
SYNOPSIS
auth required /$LIB/security/pam_krb5.so
session optional /$LIB/security/pam_krb5.so
account sufficient /$LIB/security/pam_krb5.so
password sufficient /$LIB/security/pam_krb5.so
DESCRIPTION
The pam_krb5.so module is designed to allow smooth integration of Kerberos 5
password-checking for applications which use PAM.
It creates session-specific credential cache files.
If the system is an AFS client, it will also attempt to obtain tokens
for the local cell, the cell which contains the user's home directory,
and any explicitly-configured cells.
When a user logs in, the module's authentication function performs a simple
password check and, if possible, obtains Kerberos 5
credentials, caching them for later use. When the application requests
initialization of credentials (or opens a session), the usual ticket files are
created. When the application subsequently requests deletion of credentials or
closing of the session, the module deletes the ticket files. When the
application requests account management, if the module did not participate in
authenticating the user, it will signal libpam to ignore the module. If the
module did participate in authenticating the user, it will check for an expired
user password and verify the user's authorization using the .k5login file of the
user being authenticated, which is expected to be accessible to the module.
ARGUMENTS
- debug
-
turns on debugging via syslog(3). Debugging messages are logged with
priority LOG_DEBUG.
- debug_sensitive
-
turns on debugging of sensitive information via syslog(3). Debug
messages are logged with priority LOG_DEBUG.
- addressless
-
tells pam_krb5.so to obtain credentials without address lists. This may be
necessary if your network uses NAT, and should otherwise not be used. This
option is deprecated in favor of the noaddresses flag in the
libdefaults section of krb5.conf(5).
- afs_cells=cell.example.com[,...]
-
tells pam_krb5.so to obtain tokens for the named cells,
in addition to the local cell, for the user. The module will guess
the principal name of the AFS service for the named cells, or it can
be specified by giving cell in the form
cellname=principalname.
- banner=Kerberos 5
-
tells pam_krb5.so how to identify itself when users attempt to change their
passwords. The default setting is "Kerberos 5".
- ccache_dir=/tmp
-
tells pam_krb5.so which directory to use for storing credential caches. The
default setting is /tmp.
- ccname_template=FILE:%d/krb5cc_%U_XXXXXX
-
specifies the location in which to place the user's session-specific
credential cache. This value is treated as a template, and these sequences
are substituted:
%u login name
%U login UID
%p principal name
%r realm name
%h home directory
%d the default ccache directory (as set with ccache_dir)
%P the current process ID
%% literal '%'
The default setting is "FILE:%d/krb5cc_%U_XXXXXX".
- existing_ticket
-
tells pam_krb5.so to accept the presence of pre-existing Kerberos credentials
provided by the calling application in the default credential cache as
sufficient to authenticate the user, and to skip any account management checks.
-
DANGER! Unless validation is also in use, it is relatively easy to produce a
credential cache which looks "good enough" to fool pam_krb5.so.
- external
-
- external=sshd
-
tells pam_krb5.so to use Kerberos credentials provided by the calling
application during session setup.
This is most often useful for obtaining AFS tokens.
- forwardable
-
tells pam_krb5.so that credentials it obtains should be forwardable. This
option is deprecated in favor of the forwardable option in the
libdefaults section of krb5.conf(5).
- hosts=host[,...]
-
tells pam_krb5.so to obtain credentials using the addresses of the given hosts in
addition to the addresses of interfaces on the local workstation. For example,
if your workstation is behind a masquerading firewall, specifying the
firewall's outward-facing address here should allow Kerberos authentication to
succeed. This option is deprecated in favor of the extra_addresses flag
in the libdefaults section of krb5.conf(5).
- ignore_unknown_principals
-
- ignore_unknown_spn
-
- ignore_unknown_upn
-
specifies that not pam_krb5 should return a PAM_IGNORE code to libpam
instead of PAM_USER_UNKNOWN for users for whom the determined principal
name is expired or does not exist.
- keytab=FILE:/etc/krb5.keytab
-
tells pam_krb5.so the location of a keytab to use when validating
credentials obtained from KDCs.
- minimum_uid=0
-
tells pam_krb5.so to ignore authentication attempts by users with
UIDs below the specified number.
- no_initial_prompt
-
tells pam_krb5.so to not ask for a password before attempting authentication,
and to instead allow the Kerberos library to trigger a request for a password
only in cases where one is needed.
- no_subsequent_prompt
-
tells pam_krb5.so to only provide the previously-entered password in response
to any request for a password which the Kerberos library might make.
If the calling application does not properly support PAM conversations
(possibly due to limitations of a network protocol which it is serving),
this may be need to be used to prevent the application
from supplying the user's current password in a password-changing
situations when a new password is called for.
- no_user_check
-
tells pam_krb5.so to not check if a user exists on the local system, to skip
authorization checks using the user's .k5login file, and to create ccache files
owned by the current process's UID. This is useful for situations where a
non-privileged server process needs to use Kerberized services on behalf of
remote users who may not have local access. Note that such a server should
have an encrypted connection with its client in order to avoid allowing the
user's password to be eavesdropped.
- null_afs
-
tells pam_krb5.so, when it attempts to set tokens, to try to get
credentials for services with names which resemble afs@REALM
before attempting to get credentials for services with names resembling
afs/cell@REALM. The default is to assume that the cell's
name is the instance in the AFS service's Kerberos principal name.
- preauth_options=[]
-
controls the preauthentication options which pam_krb5 passes
to libkrb5, if the system-defaults need to be overridden.
The list is treated as a template, and these sequences are
substituted:
%u login name
%U login UID
%p principal name
%r realm name
%h home directory
%d the default ccache directory
%P the current process ID
%% literal '%'
- proxiable
-
tells pam_krb5.so that credentials it obtains should be proxiable. This
option is deprecated in favor of the proxiable option in the
libdefaults section of krb5.conf(5).
- pwhelp=filename
-
specifies the name of a text file whose contents will be displayed to
clients who attempt to change their passwords. There is no default.
- realm=realm
-
overrides the default realm set in /etc/krb5.conf, which pam_krb5.so
will attempt to authenticate users to.
- renew_lifetime=36000
-
sets the default renewable lifetime for credentials. This
option is deprecated in favor of the renew_lifetime option in the
libdefaults section of krb5.conf(5).
- ticket_lifetime=36000
-
sets the default lifetime for credentials.
- tokens
-
- tokens=imap
-
signals that pam_krb5.so should create a new AFS PAG and obtain AFS
tokens during authentication in addition to session setup. This is
primarily useful in server applications which need to access a user's
files but which do not open PAM sessions before doing so. A
properly-written server will not need this flag set in order to
function correctly.
- try_first_pass
-
tells pam_krb5.so to check the previously-entered password as with
use_first_pass, but to prompt the user for another one if the
previously-entered one fails. This is the default mode of operation.
- use_first_pass
-
tells pam_krb5.so to get the user's entered password as it was stored by a
module listed earlier in the stack, usually pam_unix or pam_pwdb,
instead of prompting the user for it.
- use_authtok
-
tells pam_krb5.so to never prompt for new passwords when changing passwords.
This is useful if you are using pam_cracklib or pam_passwdqc to try
to enforce use of less-easy-to-guess passwords.
- use_shmem
-
- use_shmem=sshd
-
tells pam_krb5.so to pass credentials from the authentication service function
to the session management service function using shared memory, or to do so for
specific services.
- validate
-
- validate=sshd
-
tells pam_krb5.so to verify that the TGT obtained from the realm's servers has
not been spoofed. Note that the process which is performing authentication
must be able to read the keytab in order for validation to be possible.
FILES
/etc/krb5.conf
SEE ALSO
pam_krb5(5)
krb5.conf(5)
BUGS
Probably, but let's hope not. If you find any, please file them in the
bug database at http://bugzilla.redhat.com/ against the "pam_krb5" component.
AUTHOR
Nalin Dahyabhai <nalin@redhat.com>