pam_krb5afs

pam_krb5afs(8)           System Administrator's Manual          pam_krb5afs(8)



NAME
       pam_krb5afs - Kerberos 5 authentication with AFS support

SYNOPSIS
       auth required /lib/security/pam_krb5afs.so
       session optional /lib/security/pam_krb5afs.so
       account sufficient /lib/security/pam_krb5afs.so
       password sufficient /lib/security/pam_krb5afs.so

DESCRIPTION
       pam_krb5afs.so is designed to allow smooth integration of Kerberos 5
       password-checking with applications built using PAM.  It also
       supports session-specific ticket files (which are neater), Kerberos
       IV ticket file grabbing, and AFS token-grabbing.  Its main use is as
       an authentication module, but it also supplies the same functions as
       a session-management module to better support poorly-written
       applications, and a couple of other workarounds as well.  It also
       supports account management and password-changing.

       When a user logs in, the module's authentication function performs a
       simple password check and, if possible, obtains Kerberos 5 and
       Kerberos IV credentials, caching them for later use.  When the
       application requests initialization of credentials (or opens a
       session), the usual ticket files are created and AFS tokens are
       obtained.  When the application subsequently requests deletion of
       credentials or closing of the session, the module destroys the tokens
       for the current PAG and deletes the ticket files.

       Some applications (notably, wu-ftpd, wu-imapd, and Samba) neither
       create credentials nor open sessions.  For these applications, it's
       best to use the tokens option to force token-grabbing during the
       password check, which is usually the right thing to do for these
       server apps.


ARGUMENTS
       debug  turns on debugging via syslog(3).  Debugging messages are logged
              with priority LOG_DEBUG.

       addressless
              tells pam_krb5afs.so to obtain credentials without address
              lists.  This may be necessary if your network uses NAT, and
              should otherwise not be used.

       hosts=host
              tells pam_krb5afs.so to obtain credentials using the address
              of the given host in addition to the addresses of interfaces
              on the local workstation.  For example, if your workstation is
              behind a masquerading firewall, specifying the firewall's
              outward-facing address here should allow Kerberos
              authentication to succeed.

       afs_cells=cell
              tells pam_krb5afs.so to obtain tokens for users in the given
              cell when they log in.  The default is the current realm name
              converted to lower case.

       banner=Kerberos
              tells pam_krb5afs.so how to identify itself when users attempt
              to change their passwords.

       ccache_dir=/tmp
              tells pam_krb5afs.so which directory to use for storing
              credential caches.

       forwardable
              tells pam_krb5afs.so that credentials it obtains should be
              forwardable.

       keytab=/etc/krb5.keytab
              tells pam_krb5afs.so the location of a keytab to use when
              validating credentials obtained from KDCs.

       krb4_convert
              tells pam_krb5afs.so to obtain Kerberos IV credentials for
              users, in addition to Kerberos 5 credentials.

       minimum_uid=0
              tells pam_krb5afs.so to ignore authentication attempts by
              users with UIDs below the specified number.

       no_user_check
              tells pam_krb5afs.so to not check if a user exists on the
              local system, and to create ccache files owned by the current
              process's UID.  This is useful for situations where a
              non-privileged server process needs to use Kerberized services
              on behalf of remote users who may not have local access.  Note
              that such a server should have an encrypted connection with
              its client in order to avoid allowing the user's password to
              be eavesdropped.

       proxiable
              tells pam_krb5afs.so that credentials it obtains should be
              proxiable.

       realm=realm
              overrides the default realm set in /etc/krb5.conf, which
              pam_krb5afs.so will attempt to authenticate users to.

       renew_lifetime=36000
              sets the default renewable lifetime for credentials.

       retain_after_close
              tells pam_krb5afs.so to retain the ticket after the session
              has been closed.

       skip_first_pass
              tells pam_krb5afs.so to not bother checking a password that
              has been set by a module listed earlier in the stack.  This
              option is included mainly for completeness.

       ticket_lifetime=36000
              sets the default lifetime for credentials.

       tokens
              tells pam_krb5afs.so to get AFS tokens for the user
              immediately if the password check succeeds.  This is
              necessary for some programs that never open sessions or
              attempt to initialize credentials (PAM's credentials, not
              Kerberos's).  If you have a server app that requires access
              to the user's file space, you might need this.

       try_first_pass
              tells pam_krb5afs.so to check the password as with
              use_first_pass, but to prompt the user for another one if the
              previously-entered one fails.  This is the default mode of
              operation.

       use_first_pass
              tells pam_krb5afs.so to get the user's entered password as it
              was stored by a module listed earlier in the stack, usually
              pam_unix or pam_pwdb, instead of prompting the user for it.

       use_authtok
              tells pam_krb5afs.so to never prompt for passwords when
              changing passwords.  This is useful if you are using
              pam_cracklib.so to try to enforce use of less-easy-to-guess
              passwords.

       validate
              tells pam_krb5afs.so to verify that the TGT obtained from the
              realm's servers has not been spoofed.
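
EXAMPLE
       The following Python script is an added example; it is not part of
       the pam_krb5afs package.  It parses pam.d service files and checks
       every pam_krb5afs.so line against the options documented above: it
       rejects unknown or mis-shaped options, flags the two options whose
       use this page restricts (addressless, no_user_check), warns when
       use_first_pass is given with no earlier auth module to supply a
       password, and notes when neither a session line nor tokens is
       present, since AFS tokens are then obtained only if the application
       itself initializes credentials.  The three service files embedded in
       it are constructed for the example; their paths and option values
       are illustrative, not recommendations for any particular site.

```python
"""Check pam_krb5afs.so lines in PAM service files against the options
documented in pam_krb5afs(8).  Added example, not part of pam_krb5afs."""
import sys

MODULE = "pam_krb5afs.so"
# Options from the ARGUMENTS section that take no value.
FLAG_OPTIONS = {
    "debug", "addressless", "forwardable", "krb4_convert", "no_user_check",
    "proxiable", "retain_after_close", "skip_first_pass", "tokens",
    "try_first_pass", "use_first_pass", "use_authtok", "validate",
}
# Options that take a name=value argument.
VALUE_OPTIONS = {"hosts", "afs_cells", "banner", "ccache_dir", "keytab",
                 "minimum_uid", "realm", "renew_lifetime", "ticket_lifetime"}
# Of those, the ones whose value must be a non-negative integer.
NUMERIC_OPTIONS = {"minimum_uid", "renew_lifetime", "ticket_lifetime"}


def parse_pam_line(line):
    """Return (type, control, module_path, args) for one pam.d entry, or
    None for blank lines, comments and lines with fewer than three fields."""
    fields = line.split("#", 1)[0].split()
    if len(fields) < 3:
        return None
    return fields[0], fields[1], fields[2], fields[3:]


def audit_service(text):
    """Return a list of (severity, message) findings for the text of one
    pam.d service file.  An empty list means nothing was flagged."""
    findings = []
    entries = [e for e in map(parse_pam_line, text.splitlines()) if e]
    earlier_auth_module = False   # has some auth module already run?
    has_session_line = False      # is the module listed as a session module?
    has_tokens = False            # is the 'tokens' option given anywhere?
    for mtype, _control, module, args in entries:
        if module.rsplit("/", 1)[-1] != MODULE:
            earlier_auth_module = earlier_auth_module or mtype == "auth"
            continue
        if mtype == "session":
            has_session_line = True
        for arg in args:
            name, sep, value = arg.partition("=")
            # 1. Is the option known, and shaped the way the page documents?
            if name in FLAG_OPTIONS:
                if sep:
                    findings.append(("error", f"{mtype}: '{name}' takes no value"))
            elif name in VALUE_OPTIONS:
                if not value:
                    findings.append(("error", f"{mtype}: '{name}' needs a value"))
                elif name in NUMERIC_OPTIONS and not value.isdigit():
                    findings.append(("error", f"{mtype}: '{name}' must be numeric, got '{value}'"))
            else:
                findings.append(("error", f"{mtype}: unknown option '{arg}'"))
                continue
            # 2. Options whose use the manual page restricts.
            if name == "addressless":
                findings.append(("warning", f"{mtype}: 'addressless' drops address lists; only for NAT"))
            if name == "no_user_check":
                findings.append(("warning", f"{mtype}: 'no_user_check' needs an encrypted client connection"))
            if name == "tokens":
                has_tokens = True
            # 3. use_first_pass never prompts, so an earlier module must have.
            if mtype == "auth" and name == "use_first_pass" and not earlier_auth_module:
                findings.append(("warning", "auth: 'use_first_pass' but no earlier auth module supplies a password"))
        earlier_auth_module = earlier_auth_module or mtype == "auth"
    if not has_session_line and not has_tokens:
        findings.append(("info", "no session line and no 'tokens': AFS tokens depend on the application initializing credentials"))
    return findings


# Constructed service files for the example (not taken from a real system).
LOGIN_CONF = """\
# /etc/pam.d/login: interactive login, constructed for this example
auth       required     /lib/security/pam_krb5afs.so try_first_pass forwardable validate ticket_lifetime=36000
account    sufficient   /lib/security/pam_krb5afs.so minimum_uid=500
password   sufficient   /lib/security/pam_krb5afs.so use_authtok
session    optional     /lib/security/pam_krb5afs.so
"""
# A daemon that never opens a PAM session, with four mistakes on one line.
FTP_CONF_WEAK = """\
auth       required     /lib/security/pam_krb5afs.so use_first_pass addressless tokns ticket_lifetime=ten
account    sufficient   /lib/security/pam_krb5afs.so
"""
# The same daemon with 'tokens', so AFS tokens are grabbed at password check.
FTP_CONF_FIXED = """\
auth       required     /lib/security/pam_krb5afs.so tokens validate
account    sufficient   /lib/security/pam_krb5afs.so
"""


def main(argv):
    """Audit the files named on the command line, or the built-in samples."""
    samples = {"login": LOGIN_CONF, "ftp(weak)": FTP_CONF_WEAK, "ftp(fixed)": FTP_CONF_FIXED}
    if argv[1:]:
        samples = {path: open(path).read() for path in argv[1:]}
    for name, text in samples.items():
        print(f"{name}:")
        for severity, message in audit_service(text) or [("ok", "no findings")]:
            print(f"  [{severity}] {message}")


if __name__ == "__main__":
    main(sys.argv)
```

       Run with no arguments to audit the three built-in samples, or pass
       one or more pam.d files.  The weak ftp sample yields two warnings
       (use_first_pass with nothing before it, addressless), two errors
       (the misspelled tokns, a non-numeric ticket_lifetime) and the
       informational note about tokens; the login and fixed ftp samples
       yield nothing.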


FILES
       /etc/krb5.conf

SEE ALSO
       pam_krb5afs(5)

BUGS
       Probably, but let's hope not.   If  you  find  any,  please  email  the
       author.

AUTHOR
       Nalin Dahyabhai <nalin@redhat.com>



Red Hat Linux                     2002/02/15                    pam_krb5afs(8)