|
|
| |
pam_krb5(8) |
System Administrator's Manual |
pam_krb5(8) |
pam_krb5 - Kerberos 5 authentication
auth required /usr/local/lib/security/pam_krb5.so
session optional /usr/local/lib/security/pam_krb5.so
account sufficient /usr/local/lib/security/pam_krb5.so
password sufficient /usr/local/lib/security/pam_krb5.so
The pam_krb5.so module is designed to allow smooth integration of Kerberos 5
password-checking for applications which use PAM. It creates session-specific
credential caches.
When a user logs in, the module's authentication function performs
a simple password check and, if possible, obtains Kerberos 5 credentials,
caching them for later use. When the application requests initialization of
credentials (or opens a session), the usual ticket files are created. When
the application subsequently requests deletion of credentials or closing of
the session, the module deletes the ticket files. When the application
requests account management, if the module did not participate in
authenticating the user, it will signal libpam to ignore the module. If the
module did participate in authenticating the user, it will check for an
expired user password and verify the user's authorization using the .k5login
file of the user being authenticated, which is expected to be accessible to
the module.
- debug
- turns on debugging via syslog(3). Debugging messages are logged
with priority LOG_DEBUG.
- debug_sensitive
- turns on debugging of sensitive information via syslog(3). Debug
messages are logged with priority LOG_DEBUG.
- always_allow_localname
- tells pam_krb5.so, when performing an authorization check using the target
user's .k5login file, to always allow access when the principal name being
authenticated maps to the local user's name (as configured using the
auth_to_local_names and auth_to_local settings in
krb5.conf(5), if your implementation provides those settings).
Otherwise, if the file exists and can be read, but the principal is not
explicitly listed, access is typically denied. This setting is disabled by
default.
- banner=Kerberos 5
- tells pam_krb5.so how to identify itself when users attempt to change
their passwords. The default setting is "Kerberos 5".
- ccache_dir=/tmp
- tells pam_krb5.so which directory to use for storing credential caches.
The default setting is /tmp.
- ccname_template=FILE:%d/krb5cc_%U_XXXXXX
- specifies the location in which to place the user's session-specific
credential cache. This value is treated as a template, and these sequences
are substituted:
%u login name
%U login UID
%p principal name
%r principal's realm name
%h home directory
%d the default ccache directory (as set with ccache_dir)
%P the current process ID
%% literal '%'
If the resulting template does not end with "XXXXXX", a suffix
will be added to the configured value. The default is
FILE:%d/krb5cc_%U_XXXXXX".
- chpw_prompt
- tells pam_krb5.so to allow expired passwords to be changed during
authentication attempts. While this is the traditional behavior exhibited
by "kinit", it is inconsistent with the behavior expected by
PAM, which expects authentication to (appear to) succeed, only to have
password expiration be flagged by a subsequent call to the account
management function. Some applications which don't handle password
expiration correctly will fail unconditionally if the user's password is
expired, and this flag can be used to attempt to work around this bug in
those applications. The default is false.
- cred_session
- specifies that pam_krb5 should create and destroy credential caches, as it
does when the calling application opens and closes a PAM session, when the
calling application establishes and deletes PAM credentials. This is done
to compensate for applications which expect to create a credential cache
but which don't use PAM session management. It is usually a harmless
redundancy in applications which don't require it, so this option is
enabled by default except for these services: "sshd".
- external
- external=sshd
- tells pam_krb5.so to use Kerberos credentials provided by the calling
application during session setup.
- ignore_k5login
- specifies that pam_krb5 should skip checking the user's .k5login file to
verify that the principal name of the client being authenticated is
authorized to access the user account. (Actually, the check is performed
by a function offered by the Kerberos library, which controls which files
it will consult.) The default is to perform the check.
- ignore_unknown_principals
- ignore_unknown_spn
- ignore_unknown_upn
- specifies that not pam_krb5 should return a PAM_IGNORE code to libpam
instead of PAM_USER_UNKNOWN for users for whom the determined principal
name is expired or does not exist.
- keytab=FILE:/etc/krb5.keytab
- tells pam_krb5.so the location of a keytab to use when validating
credentials obtained from KDCs.
- minimum_uid=0
- tells pam_krb5.so to ignore authentication attempts by users with UIDs
below the specified number.
- multiple_ccaches
- specifies that pam_krb5 should maintain multiple credential caches for
this service, because it both sets credentials and opens a PAM session,
but it sets the KRB5CCNAME variable after doing only one of the two. This
option is usually not necessary for most services.
- no_initial_prompt
- tells pam_krb5.so to not ask for a password before attempting
authentication, and to instead allow the Kerberos library to trigger a
request for a password only in cases where one is needed.
- no_subsequent_prompt
- tells pam_krb5.so to only provide the previously-entered password in
response to any request for a password which the Kerberos library might
make. If the calling application does not properly support PAM
conversations (possibly due to limitations of a network protocol which it
is serving), this may be need to be used to prevent the application from
supplying the user's current password in a password-changing situations
when a new password is called for.
- no_user_check
- tells pam_krb5.so to not check if a user exists on the local system, to
skip authorization checks using the user's .k5login file, and to create
ccaches owned by the current process's UID. This is useful for situations
where a non-privileged server process needs to use Kerberized services on
behalf of remote users who may not have local access. Note that such a
server should have an encrypted connection with its client in order to
avoid allowing the user's password to be eavesdropped.
- no_validate
- no_validate=vlock
- tells pam_krb5.so to not attempt to use the local keytab to verify that
the TGT obtained from the realm's servers has not been spoofed. The
libdefaults verify_ap_req_nofail setting can affect whether
or not errors reading the keytab which are encountered during validation
will be suppressed.
- pkinit_flags=[0]
- controls the flags value which pam_krb5 passes to libkrb5 when setting up
PKINIT parameters. This is useful mainly for debugging.
- pkinit_identity=[]
- controls where pam_krb5 instructs libkrb5 to search for the user's private
key and certificate, so that the client can be authenticated using PKINIT,
if the KDC supports it. This value is treated as a template, and these
sequences are substituted:
%u login name
%U login UID
%p principal name
%r principal's realm name
%h home directory
%d the default ccache directory
%P the current process ID
%% literal '%'
Other PKINIT-specific default, such as the locations of trust anchors, can
be set in krb5.conf(5).
- pwhelp=filename
- specifies the name of a text file whose contents will be displayed to
clients who attempt to change their passwords. There is no default.
- realm=realm
- overrides the default realm set in /etc/krb5.conf, which
pam_krb5.so will attempt to authenticate users to.
- try_first_pass
- tells pam_krb5.so to check the previously-entered password as with
use_first_pass, but to prompt the user for another one if the
previously-entered one fails. This is the default mode of operation.
- use_first_pass
- tells pam_krb5.so to get the user's entered password as it was stored by a
module listed earlier in the stack, usually pam_unix or
pam_pwdb, instead of prompting the user for it.
- use_authtok
- tells pam_krb5.so to never prompt for new passwords when changing
passwords. This is useful if you are using pam_cracklib or
pam_passwdqc to try to enforce use of less-easy-to-guess passwords.
- use_shmem
- use_shmem=sshd
- tells pam_krb5.so to pass credentials from the authentication service
function to the session management service function using shared memory,
or to do so for specific services.
- validate_user_user
- validate_user_user=gnome-screensaver
- specifies that, when attempting validation of the TGT, the module should
attempt user-to-user authentication using a previously-obtainted TGT in
the default ccache if validation can't be performed using a keytab.
Probably, but let's hope not. If you find any, please file them in the bug
database at http://bugzilla.redhat.com/ against the "pam_krb5"
component.
Nalin Dahyabhai <nalin@redhat.com>
Visit the GSP FreeBSD Man Page Interface. Output converted with ManDoc. |