pam_krb5

pam_krb5(5)              System Administrator's Manual             pam_krb5(5)



NAME
       pam_krb5 - Kerberos 5 authentication


DESCRIPTION
       pam_krb5.so reads its configuration information from the appdefaults
       section of krb5.conf(5).  You should read the krb5.conf(5) man page
       before continuing here.  The module expects its configuration
       information to be in the pam subsection of the appdefaults section.


DIRECTIVES
       debug=[true|false]
              turns on debugging via syslog(3).  Debug messages are logged
              with priority LOG_DEBUG.


       debug_sensitive=[true|false]
              turns on debugging of sensitive information via syslog(3).
              Debug messages are logged with priority LOG_DEBUG.


       addressless=[true|false]
              if set, requests a TGT with no address information.  This can be
              necessary if you are using Kerberos through a NAT, or on systems
              whose IP addresses change regularly.  This directive is
              deprecated in favor of the libdefaults noaddresses directive.


       afs_cells=cell1.example.com cell2.example.com
              tells pam_krb5.so to obtain tokens for cell1.example.com and
              cell2.example.com, in addition to the local cell and the cell
              which contains the user's home directory, for the user.  The
              module will guess the principal name of the AFS service for the
              listed cells, or it can be specified by listing cells in the
              form cellname=principalname.


       banner=Kerberos 5
              specifies what sort of password the module claims to be changing
              whenever it is called upon to change passwords.  The default is
              Kerberos 5.


       ccache_dir=/tmp
              specifies the directory in which to place credential cache
              files.


       existing_ticket=true
              tells pam_krb5.so to accept the presence of pre-existing
              Kerberos credentials provided by the calling application in the
              default credential cache as sufficient to authenticate the user,
              and to skip any account management checks.

              DANGER!  Unless validation is also in use, it is relatively easy
              to produce a credential cache which looks "good enough" to fool
              pam_krb5.so.


       external=true

       external=sshd ftp
              tells pam_krb5.so to use Kerberos credentials provided by the
              calling application during session setup.  This is most often
              useful for obtaining AFS tokens or a krb4 ticket.


       forwardable=[true|false]
              controls whether or not credentials are forwardable.  This
              directive is deprecated in favor of the libdefaults forwardable
              directive.


       hosts=hostnames
              specifies which other hosts credentials obtained by pam_krb5
              will be good on.  If your host is behind a firewall, you should
              add the IP address or name that the KDC sees it as to this list.
              This directive is deprecated in favor of the libdefaults
              extra_addresses directive.


       ignore_afs=[true|false]
              tells pam_krb5.so to completely ignore the presence of AFS,
              preventing any attempts to obtain new tokens on behalf of the
              calling application.


       ignore_unknown_principals=[true|false]

       ignore_unknown_spn=[true|false]

       ignore_unknown_upn=[true|false]
              specifies which other not pam_krb5 should return a PAM_IGNORE
              code to libpam instead of PAM_USER_UNKNOWN for users for whom
              the determined principal name is expired or does not exist.


       initial_prompt=[true|false]
              tells pam_krb5.so whether or not to ask for a password before
              attempting authentication.  If one is needed and pam_krb5.so has
              not prompted for it, the Kerberos library should trigger a
              request for a password.


       keytab=FILE:/etc/krb5.keytab
              specifies the name of a keytab file to search for a service key
              for use in validating TGTs.


       krb4_convert=[true|false]
              controls whether or not pam_krb5 tries to get Kerberos IV
              credentials from the KDC (or using the krb524d service on the
              KDC) and create ticket files with them.  Unless you've converted
              everything on your network over to use Kerberos 5, you'll want
              to leave this set to true.  Note that this may require valid
              Kerberos IV configuration data to be present in /etc/krb.conf
              and /etc/krb.realms.  This option is poorly named.  This option
              is forced to true if AFS is detected.


       krb4_convert_524=[true|false]
              controls whether or not pam_krb5 tries to get Kerberos IV
              credentials using the krb524d service.  This option modifies the
              krb4_convert option.  If disabled, pam_krb5 will only attempt to
              obtain Kerberos IV credentials using the KDC (unless the
              krb4_use_as_req option is also disabled).


       krb4_use_as_req=[true|false]
              controls whether or not pam_krb5 tries to get Kerberos IV
              credentials using the KDC.  This option modifies the
              krb4_convert option.  If disabled, pam_krb5 will only attempt to
              obtain Kerberos IV credentials using the krb524d service (unless
              the krb4_convert_524 option is also disabled).


       mappings=[regex1 regex2]
              specifies that pam_krb5 should derive the user's principal name
              from the Unix user name by first checking if the user name
              matches regex1, and formulating a principal name using regex2.
              For example, "mappings = EXAMPLE\(.*) $1@EXAMPLE.COM" would map
              any user with a name of the form "EXAMPLE\whatever" to a
              principal name of "whatever@EXAMPLE.COM".  This is primarily
              targeted at allowing pam_krb5 to be used to authenticate users
              whose user information is provided by winbindd(8).  This will
              frequently require the reverse to be configured by setting up an
              auth_to_local rule elsewhere in krb5.conf(5).


       minimum_uid=0
              specifies the minimum UID of users being authenticated.  If a
              user with a UID less than this value attempts authentication,
              the request will be ignored.


       proxiable=[true|false]
              controls whether or not credentials are proxiable.  If not
              specified, they are.  This directive is deprecated in favor of
              the libdefaults proxiable directive.


       renew_lifetime=36000
              default renewable lifetime.  This specifies how much time you
              have after getting credentials to renew them.  This directive is
              deprecated in favor of the libdefaults renew_lifetime directive.


       subsequent_prompt=[true|false]
              controls whether or not pam_krb5.so will allow the Kerberos
              library to ask the user for a password or other information, if
              the previously-entered password is somehow insufficient for
              authenticating the user.


       ticket_lifetime=36000
              default credential lifetime.


       tokens=[true|false]

       tokens=imap ftp
              signals that pam_krb5.so should create an AFS PAG and obtain
              tokens during authentication in addition to session setup.  This
              is primarily useful in server applications which need to access
              a user's files but which do not open PAM sessions before doing
              so.


       use_shmem=true

       use_shmem=sshd ftp
              tells pam_krb5.so to pass credentials from the authentication
              service function to the session management service function
              using shared memory for specific services.


       validate=[true|false]

       validate=login sshd
              specifies whether or not to attempt validation of the TGT.  The
              default is false.


EXAMPLE
       [appdefaults]
         pam = {
           ticket_lifetime = 36000
           renew_lifetime = 36000
           forwardable = true
           krb4_convert = true
           validate = true
           ccache_dir = /var/tmp
           external = sshd
           tokens = imap ftpd
           TEST.EXAMPLE.COM = {
             debug = true
             afs_cells = testcell.example.com othercell.example.com
           }
         }


FILES
       /etc/krb5.conf

SEE ALSO
       pam_krb5(8)

BUGS
       Probably, but let's hope not.  If you find any, please file them in the
       bug database at http://bugzilla.redhat.com/ against the "pam_krb5"
       component.


AUTHOR
       Nalin Dahyabhai <nalin@redhat.com>



Red Hat Linux                     2006/02/06                       pam_krb5(5)