pam_krb5(8) System Administrator's Manual pam_krb5(8)
pam_krb5 - Kerberos 5 authentication
auth required /lib/security/pam_krb5.so
session optional /lib/security/pam_krb5.so
account sufficient /lib/security/pam_krb5.so
password sufficient /lib/security/pam_krb5.so
pam_krb5.so is designed to allow smooth integration of Kerberos 5 pass-
word- checking with applications built using PAM. It also supports
session-specific ticket files (which are neater), and Kerberos IV
ticket file grabbing. Its main use is as an authentication module, but
it also supplies the same functions as a session-management module to
better support poorly-written applications, and a couple of other
workarounds as well. It also supports account management and password-
When a user logs in, the module's authentication function performs a
simple password check and, if possible, obtains Kerberos 5 and Kerberos
IV credentials, caching them for later use. When the application
requests initialization of credentials (or opens a session), the usual
ticket files are created. When the application subsequently requests
deletion of credentials or closing of the session, the module deletes
the ticket files.
debug turns on debugging via syslog(3). Debugging messages are logged
with priority LOG_DEBUG.
tells pam_krb5.so to obtain credentials without address lists.
This may be necessary if your network uses NAT, and should oth-
erwise not be used.
tells pam_krb5.so to obtain credentials using the address of the
given host in addition to the addresses of interfaces on the
local workstation. For example, if your workstation is behind a
masquerading firewall, specifying the firewall's outward-facing
address here should allow Kerberos authentication to succeed.
tells pam_krb5.so how to identify itself when users attempt to
change their passwords.
tells pam_krb5.so which directory to use for storing credential
tells pam_krb5.so that credentials it obtains should be forward-
tells pam_krb5.so the location of a keytab to use when validating
credentials obtained from KDCs.
tells pam_krb5.so to obtain Kerberos IV credentials for users, in
addition to Kerberos 5 credentials.
tells pam_krb5.so to ignore authentication attempts by users with
UIDs below the specified number.
tells pam_krb5.so to not check if a user exists on the local sys-
tem, and to create ccache files owned by the current process's
UID. This is useful for situations where a non-privileged server
process needs to use Kerberized services on behalf of remote users
who may not have local access. Note that such a server should
have an encrypted connection with its client in order to avoid
allowing the user's password to be eavesdropped.
tells pam_krb5.so that credentials it obtains should be proxiable.
overrides the default realm set in /etc/krb5.conf, which
pam_krb5.so will attempt to authenticate users to.
sets the default renewable lifetime for credentials.
tells pam_krb5.so to not bother checking a password that has been
set by a module listed earlier in the stack. This option is
included mainly for completeness.
sets the default lifetime for credentials.
tells pam_krb5.so to check the password as with use_first_pass,
but to prompt the user for another one if the previously-entered
one fails. This is the default mode of operation.
tells pam_krb5.so to get the user's entered password as it was
stored by a module listed earlier in the stack, usually pam_unix
or pam_pwdb, instead of prompting the user for it.
tells pam_krb5.so to never prompt for passwords when changing
passwords. This is useful if you are using pam_cracklib.so to try
to enforce use of less-easy-to-guess passwords.
tells pam_krb5.so to verify that the TGT obtained from the realm's
servers has not been spoofed.
Probably, but let's hope not. If you find any, please email the
Nalin Dahyabhai <firstname.lastname@example.org>
Red Hat Linux 2002/02/15 pam_krb5(8)