pam_krb5

NAME
pam_krb5 - Kerberos 5 authentication

SYNOPSIS
/$LIB/security/pam_krb5.so auth required
/$LIB/security/pam_krb5.so session optional
/$LIB/security/pam_krb5.so account sufficient
/$LIB/security/pam_krb5.so password sufficient

DESCRIPTION
The pam_krb5.so module is designed to allow smooth
integration of Kerberos 5 password‐checking for applications
which use PAM.  It creates session‐specific credential cache
files, and can obtain Kerberos IV credentials using a krb524
service.  If the system is an AFS client, it will also
attempt to obtain tokens for the local cell, the cell which
contains the user’s home directory, and any explicitly‐
configured cells.

When a user logs in, the module’s authentication function
performs a simple password check and, if possible, obtains
Kerberos 5 and Kerberos IV credentials, caching them for
later use.  When the application requests initialization of
credentials (or opens a session), the usual ticket files are
created.  When the application subsequently requests
deletion of credentials or closing of the session, the
module deletes the ticket files.  When the application
requests account management, if the module did not
participate in authenticating the user, it will signal
libpam to ignore the module.  If the module did participate
in authenticating the user, it will check for an expired
user password and verify the user’s authorization using the
.k5login file of the user being authenticated, which is
expected to be accessible to the module.

ARGUMENTS

debug
     turns on debugging via syslog(3).  Debugging messages
     are logged with priority LOG_DEBUG.


debug_sensitive
     turns on debugging of sensitive information via
     syslog(3).  Debug messages are logged with priority
     LOG_DEBUG.


addressless
     tells pam_krb5.so to obtain credentials without address
     lists.  This may be necessary if your network uses NAT,
     and should otherwise not be used.  This option is
     deprecated in favor of the noaddresses flag in the
     libdefaults section of krb5.conf(5).


hosts=host
     tells pam_krb5.so to obtain credentials using the
     address of the given host in addition to the addresses
     of interfaces on the local workstation.  For example,
     if your workstation is behind a masquerading firewall,
     specifying the firewall’s outward‐facing address here
     should allow Kerberos authentication to succeed.  This
     option is deprecated in favor of the extra_addresses
     flag in the libdefaults section of krb5.conf(5).


afs_cells=cell1.example.com cell2.example.com
     tells pam_krb5.so to obtain tokens for
     cell1.example.com and cell2.example.com, in addition to
     the local cell, for the user.  The module will guess the
     principal name of the AFS service for the named cells,
     or it can be specified by giving cells in the form
     cellname=principalname.


banner=Kerberos 5
     tells pam_krb5.so how to identify itself when users
     attempt to change their passwords.  The default setting
     is "Kerberos 5".


ccache_dir=/tmp
     tells pam_krb5.so which directory to use for storing
     credential caches.  The default setting is /tmp.


existing_ticket
     tells pam_krb5.so to accept the presence of pre‐
     existing Kerberos credentials provided by the calling
     application in the default credential cache as
     sufficient to authenticate the user, and to skip any
     account management checks.

     DANGER!  Unless validation is also in use, it is
     relatively easy to produce a credential cache which
     looks "good enough" to fool pam_krb5.so.


external

external=sshd
     tells pam_krb5.so to use Kerberos credentials provided
     by the calling application during session setup.  This
     is most often useful for obtaining AFS tokens or a krb4
     ticket.


forwardable
     tells pam_krb5.so that credentials it obtains should be
     forwardable.  This option is deprecated in favor of the
     forwardable option in the libdefaults section of
     krb5.conf(5).


ignore_unknown_principals

ignore_unknown_spn

ignore_unknown_upn
     specifies that pam_krb5 should return a PAM_IGNORE code
     to libpam instead of PAM_USER_UNKNOWN for users for
     whom the determined principal name is expired or does
     not exist.


keytab=FILE:/etc/krb5.keytab
     tells pam_krb5.so the location of a keytab to use when
     validating credentials obtained from KDCs.


krb4_convert
     tells pam_krb5.so to obtain Kerberos IV credentials for
     users, in addition to Kerberos 5 credentials, using
     either a v4‐capable KDC or the krb524 service.  This
     option is poorly named.  This option is automatically
     enabled if AFS is detected.


krb4_convert_524
     tells pam_krb5.so to obtain Kerberos IV credentials for
     users using the krb524 service.  This option modifies
     the krb4_convert option.  If disabled, pam_krb5 will
     only attempt to obtain Kerberos IV credentials using
     the KDC.


krb4_use_as_req
     tells pam_krb5.so to obtain Kerberos IV credentials for
     users using the KDC.  This option modifies the
     krb4_convert option.  If disabled, pam_krb5 will only
     attempt to obtain Kerberos IV credentials using the
     krb524 service.


minimum_uid=0
     tells pam_krb5.so to ignore authentication attempts by
     users with UIDs below the specified number.


no_initial_prompt
     tells pam_krb5.so to not ask for a password before
     attempting authentication, and to instead allow the
     Kerberos library to trigger a request for a password
     only in cases where one is needed.


no_subsequent_prompt
     tells pam_krb5.so to only provide the previously‐
     entered password in response to any request for a
     password which the Kerberos library might make.


no_user_check
     tells pam_krb5.so to not check if a user exists on the
     local system, to skip authorization checks using the
     user’s .k5login file, and to create ccache files owned
     by the current process’s UID.  This is useful for
     situations where a non‐privileged server process needs
     to use Kerberized services on behalf of remote users
     who may not have local access.  Note that such a server
     should have an encrypted connection with its client in
     order to avoid allowing the user’s password to be
     eavesdropped.


proxiable
     tells pam_krb5.so that credentials it obtains should be
     proxiable.  This option is deprecated in favor of the
     proxiable option in the libdefaults section of
     krb5.conf(5).


realm=realm
     overrides the default realm set in /etc/krb5.conf,
     which pam_krb5.so will attempt to authenticate users
     to.


renew_lifetime=36000
     sets the default renewable lifetime for credentials.
     This option is deprecated in favor of the
     renew_lifetime option in the libdefaults section of
     krb5.conf(5).


ticket_lifetime=36000
     sets the default lifetime for credentials.


tokens

tokens=imap
     signals that pam_krb5.so should create a new AFS PAG
     and obtain AFS tokens during authentication in addition
     to session setup.  This is primarily useful in server
     applications which need to access a user’s files but
     which do not open PAM sessions before doing so.


try_first_pass
     tells pam_krb5.so to check the previously‐entered
     password as with use_first_pass, but to prompt the user
     for another one if the previously‐entered one fails.
     This is the default mode of operation.


use_first_pass
     tells pam_krb5.so to get the user’s entered password as
     it was stored by a module listed earlier in the stack,
     usually pam_unix or pam_pwdb, instead of prompting the
     user for it.


use_authtok
     tells pam_krb5.so to never prompt for new passwords
     when changing passwords.  This is useful if you are
     using pam_cracklib.so or pam_passwdqc.so to try to
     enforce use of less‐easy‐to‐guess passwords.


use_shmem

use_shmem=sshd
     tells pam_krb5.so to pass credentials from the
     authentication service function to the session
     management service function using shared memory, or to
     do so for specific services.


validate

validate=sshd
     tells pam_krb5.so to verify that the TGT obtained from
     the realm’s servers has not been spoofed.  Note that
     the process which is performing authentication must be
     able to read the keytab in order for validation to be
     possible.
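
The following is an added example, not part of pam_krb5 or this manual
page: a POSIX sh audit that reads a PAM stack and reports the option
combinations the entries above warn about, namely existing_ticket
without validate, no_user_check, validate when no keytab= is named, and
the options deprecated in favor of settings in the libdefaults section
of krb5.conf(5).  The sample stack and the module path
/lib/security/pam_krb5.so are constructed for this example; the
function and variable names are the example's own.

```shell
#!/bin/sh
# Added example, not part of pam_krb5: audit pam.conf / pam.d-style lines
# for pam_krb5.so entries whose options the manual flags as risky or
# deprecated.  The sample stack below is constructed for this example.
set -f   # no pathname expansion while splitting config lines into words

SAMPLE_PAM=$(mktemp)
trap 'rm -f "$SAMPLE_PAM"' EXIT
cat > "$SAMPLE_PAM" <<'EOF'
# constructed sample: type control module [options]
auth     required   /lib/security/pam_krb5.so existing_ticket
auth     sufficient /lib/security/pam_krb5.so validate keytab=FILE:/etc/krb5.keytab use_first_pass
auth     sufficient /lib/security/pam_krb5.so validate no_user_check
session  optional   /lib/security/pam_krb5.so addressless forwardable renew_lifetime=36000
account  sufficient /lib/security/pam_krb5.so
password sufficient /lib/security/pam_krb5.so use_authtok
EOF

# has_opt "OPTIONS" NAME: succeeds if NAME or NAME=value is among OPTIONS
has_opt() {
    for tok in $1; do
        case $tok in
            "$2"|"$2"=*) return 0 ;;
        esac
    done
    return 1
}

# audit_pam_krb5 FILE: print one finding per line (WARN, NOTE or DEPRECATED)
audit_pam_krb5() {
    file=$1
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in ''|'#'*) continue ;; esac
        set -- $line
        # accept both the pam.d layout (type control module ...) and the
        # pam.conf layout (service type control module ...)
        case ${3:-} in
            *pam_krb5.so) shift 3 ;;
            *) case ${4:-} in
                   *pam_krb5.so) shift 4 ;;
                   *) continue ;;
               esac ;;
        esac
        opts=$*
        if has_opt "$opts" existing_ticket && ! has_opt "$opts" validate; then
            echo "WARN line $n: existing_ticket without validate; a credential cache that merely looks good enough can pass"
        fi
        if has_opt "$opts" no_user_check; then
            echo "WARN line $n: no_user_check skips the local-user and .k5login checks; only for unprivileged servers over an encrypted connection"
        fi
        if has_opt "$opts" validate && ! has_opt "$opts" keytab; then
            echo "NOTE line $n: validate without keytab=; the authenticating process must be able to read the keytab"
        fi
        # option names on the left are deprecated; the right-hand name is
        # the krb5.conf(5) libdefaults setting the manual points to
        for pair in addressless:noaddresses hosts:extra_addresses \
                    forwardable:forwardable proxiable:proxiable \
                    renew_lifetime:renew_lifetime; do
            if has_opt "$opts" "${pair%%:*}"; then
                echo "DEPRECATED line $n: ${pair%%:*}; set ${pair#*:} in the [libdefaults] section of krb5.conf(5) instead"
            fi
        done
    done < "$file"
}

audit_pam_krb5 "$SAMPLE_PAM"
```

Point audit_pam_krb5 at a real /etc/pam.d/sshd or /etc/pam.conf instead
of the constructed sample; each finding names the offending line number
so it can be matched against the manual entry above.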


FILES
/etc/krb5.conf


BUGS
Probably, but let’s hope not.  If you find any, please file
them in the bug database at http://bugzilla.redhat.com/
against the "pam_krb5" component.


AUTHOR
Nalin Dahyabhai <nalin@redhat.com>