pam_krb5(8) System Administrator's Manual pam_krb5(8)NAMEpam_krb5 - Kerberos 5 authentication
SYNOPSIS
auth required /$LIB/security/pam_krb5.so
session optional /$LIB/security/pam_krb5.so
account sufficient /$LIB/security/pam_krb5.so
password sufficient /$LIB/security/pam_krb5.so
DESCRIPTION
The pam_krb5.so module is designed to allow smooth integration of Ker‐
beros 5 password-checking for applications which use PAM. It creates
session-specific credential cache files. If the system is an AFS
client, it will also attempt to obtain tokens for the local cell, the
cell which contains the user's home directory, and any explicitly-con‐
figured cells.
When a user logs in, the module's authentication function performs a
simple password check and, if possible, obtains Kerberos 5 credentials,
caching them for later use. When the application requests initializa‐
tion of credentials (or opens a session), the usual ticket files are
created. When the application subsequently requests deletion of cre‐
dentials or closing of the session, the module deletes the ticket
files. When the application requests account management, if the module
did not participate in authenticating the user, it will signal libpam
to ignore the module. If the module did participate in authenticating
the user, it will check for an expired user password and verify the
user's authorization using the .k5login file of the user being authen‐
ticated, which is expected to be accessible to the module.
ARGUMENTS
debug turns on debugging via syslog(3). Debugging messages are logged
with priority LOG_DEBUG.
debug_sensitive
turns on debugging of sensitive information via syslog(3).
Debug messages are logged with priority LOG_DEBUG.
addressless
tells pam_krb5.so to obtain credentials without address lists.
This may be necessary if your network uses NAT, and should oth‐
erwise not be used. This option is deprecated in favor of the
noaddresses flag in the libdefaults section of krb5.conf(5).
afs_cells=cell.example.com[,...]
tells pam_krb5.so to obtain tokens for the named cells, in addi‐
tion to the local cell, for the user. The module will guess the
principal name of the AFS service for the named cells, or it can
be specified by giving cell in the form cellname=principalname.
always_allow_localname
tells pam_krb5.so, when performing an authorization check using
the target user's .k5login file, to always allow access when the
principal name being authenticated maps to the local user's name
(as configured using the auth_to_local_names and auth_to_local
settings in krb5.conf(5), if your implementation provides those
settings). Otherwise, if the file exists and can be read, but
the principal is not explicitly listed, access is typically
denied. This setting is disabled by default.
banner=Kerberos 5
tells pam_krb5.so how to identify itself when users attempt to
change their passwords. The default setting is "Kerberos 5".
ccache_dir=/tmp
tells pam_krb5.so which directory to use for storing credential
caches. The default setting is /tmp.
ccname_template=FILE:%d/krb5cc_%U_XXXXXX
specifies the location in which to place the user's session-spe‐
cific credential cache. This value is treated as a template,
and these sequences are substituted:
%u login name
%U login UID
%p principal name
%r realm name
%h home directory
%d the default ccache directory (as set with ccache_dir)
%P the current process ID
%% literal '%'
The default setting is "FILE:%d/krb5cc_%U_XXXXXX".
chpw_prompt
tells pam_krb5.so to allow expired passwords to be changed dur‐
ing authentication attempts. While this is the traditional
behavior exhibited by "kinit", it is inconsistent with the
behavior expected by PAM, which expects authentication to
(appear to) succeed, only to have password expiration be flagged
by a subsequent call to the account management function. Some
applications which don't handle password expiration correctly
will fail unconditionally if the user's password is expired, and
this flag can be used to attempt to work around this bug in
those applications. The default is false.
cred_session
specifies that pam_krb5 should create and destroy credential
caches, as it does when the calling application opens and closes
a PAM session, when the calling application establishes and
deletes PAM credentials. This is done to compensate for appli‐
cations which expect to create a credential cache but which
don't use PAM session management. It is usually a harmless
redundancy in applications which don't require it, so this
option is enabled by default. except for services in this list:
"sshd".
existing_ticket
tells pam_krb5.so to accept the presence of pre-existing Ker‐
beros credentials provided by the calling application in the
default credential cache as sufficient to authenticate the user,
and to skip any account management checks.
DANGER! Unless validation is also in use, it is relatively easy
to produce a credential cache which looks "good enough" to fool
pam_krb5.so.
external
external=sshd
tells pam_krb5.so to use Kerberos credentials provided by the
calling application during session setup. This is most often
useful for obtaining AFS tokens.
forwardable
tells pam_krb5.so that credentials it obtains should be forward‐
able. This option is deprecated in favor of the forwardable
option in the libdefaults section of krb5.conf(5).
hosts=host[,...]
tells pam_krb5.so to obtain credentials using the addresses of
the given hosts in addition to the addresses of interfaces on
the local workstation. For example, if your workstation is
behind a masquerading firewall, specifying the firewall's out‐
ward-facing address here should allow Kerberos authentication to
succeed. This option is deprecated in favor of the
extra_addresses flag in the libdefaults section of krb5.conf(5).
ignore_k5login
specifies that pam_krb5 should skip checking the user's .k5login
file to verify that the principal name of the client being
authenticated is authorized to access the user account. (Actu‐
ally, the check is performed by a function offered by the Ker‐
beros library, which controls which files it will consult.) The
default is to perform the check.
ignore_unknown_principals
ignore_unknown_spn
ignore_unknown_upn
specifies that not pam_krb5 should return a PAM_IGNORE code to
libpam instead of PAM_USER_UNKNOWN for users for whom the deter‐
mined principal name is expired or does not exist.
keytab=FILE:/etc/krb5.keytab
tells pam_krb5.so the location of a keytab to use when validat‐
ing credentials obtained from KDCs.
minimum_uid=0
tells pam_krb5.so to ignore authentication attempts by users
with UIDs below the specified number.
multiple_ccaches
specifies that pam_krb5 should maintain multiple credential
caches for this service, because it both sets credentials and
opens a PAM session, but it sets the KRB5CCNAME variable after
doing only one of the two. This option is usually not necessary
for most services.
no_initial_prompt
tells pam_krb5.so to not ask for a password before attempting
authentication, and to instead allow the Kerberos library to
trigger a request for a password only in cases where one is
needed.
no_subsequent_prompt
tells pam_krb5.so to only provide the previously-entered pass‐
word in response to any request for a password which the Ker‐
beros library might make. If the calling application does not
properly support PAM conversations (possibly due to limitations
of a network protocol which it is serving), this may be need to
be used to prevent the application from supplying the user's
current password in a password-changing situations when a new
password is called for.
no_user_check
tells pam_krb5.so to not check if a user exists on the local
system, to skip authorization checks using the user's .k5login
file, and to create ccache files owned by the current process's
UID. This is useful for situations where a non-privileged
server process needs to use Kerberized services on behalf of
remote users who may not have local access. Note that such a
server should have an encrypted connection with its client in
order to avoid allowing the user's password to be eavesdropped.
no_validate
no_validate=vlock
tells pam_krb5.so to not attempt to use the local keytab to ver‐
ify that the TGT obtained from the realm's servers has not been
spoofed. The libdefaults verify_ap_req_nofail setting can
affect whether or not errors reading the keytab which are
encountered during validation will be suppressed.
null_afs
tells pam_krb5.so, when it attempts to set tokens, to try to get
credentials for services with names which resemble afs@REALM
before attempting to get credentials for services with names
resembling afs/cell@REALM. The default is to assume that the
cell's name is the instance in the AFS service's Kerberos prin‐
cipal name.
preauth_options=[]
controls the preauthentication options which pam_krb5 passes to
libkrb5, if the system-defaults need to be overridden. The list
is treated as a template, and these sequences are substituted:
%u login name
%U login UID
%p principal name
%r realm name
%h home directory
%d the default ccache directory
%P the current process ID
%% literal '%'
proxiable
tells pam_krb5.so that credentials it obtains should be proxi‐
able. This option is deprecated in favor of the proxiable
option in the libdefaults section of krb5.conf(5).
pwhelp=filename
specifies the name of a text file whose contents will be dis‐
played to clients who attempt to change their passwords. There
is no default.
realm=realm
overrides the default realm set in /etc/krb5.conf, which
pam_krb5.so will attempt to authenticate users to.
renew_lifetime=36000
sets the default renewable lifetime for credentials. This
option is deprecated in favor of the renew_lifetime option in
the libdefaults section of krb5.conf(5).
ticket_lifetime=36000
sets the default lifetime for credentials.
tokens
tokens=imap
signals that pam_krb5.so should create a new AFS PAG and obtain
AFS tokens during authentication in addition to session setup.
This is primarily useful in server applications which need to
access a user's files but which do not open PAM sessions before
doing so. A properly-written server will not need this flag set
in order to function correctly.
try_first_pass
tells pam_krb5.so to check the previously-entered password as
with use_first_pass, but to prompt the user for another one if
the previously-entered one fails. This is the default mode of
operation.
use_first_pass
tells pam_krb5.so to get the user's entered password as it was
stored by a module listed earlier in the stack, usually pam_unix
or pam_pwdb, instead of prompting the user for it.
use_authtok
tells pam_krb5.so to never prompt for new passwords when chang‐
ing passwords. This is useful if you are using pam_cracklib or
pam_passwdqc to try to enforce use of less-easy-to-guess pass‐
words.
use_shmem
use_shmem=sshd
tells pam_krb5.so to pass credentials from the authentication
service function to the session management service function
using shared memory, or to do so for specific services.
validate_user_user
validate_user_user=gnome-screensaver
specifies that, when attempting validation of the TGT, the mod‐
ule should attempt user-to-user authentication using a previ‐
ously-obtainted TGT in the default ccache if validation can't be
performed using a keytab.
FILES
/etc/krb5.conf
SEE ALSOpam_krb5(5)krb5.conf(5)BUGS
Probably, but let's hope not. If you find any, please file them in the
bug database at http://bugzilla.redhat.com/ against the "pam_krb5" com‐
ponent.
AUTHOR
Nalin Dahyabhai <nalin@redhat.com>
Red Hat Linux 2011/07/28 pam_krb5(8)