pam_krb5(8)              System Administrator's Manual             pam_krb5(8)



NAME
       pam_krb5 - Kerberos 5 authentication

SYNOPSIS
       auth required /lib/security/pam_krb5.so
       session optional /lib/security/pam_krb5.so
       account sufficient /lib/security/pam_krb5.so
       password sufficient /lib/security/pam_krb5.so

DESCRIPTION
       pam_krb5.so is designed to allow smooth integration of Kerberos 5 pass-
       word-checking with applications built using PAM.  It also supports ses-
       sion-specific ticket files (which are neater), and Kerberos IV ticket
       file grabbing.  Its main use is as an authentication module, but it
       also supplies the same functions as a session-management module to
       better support poorly-written applications, and a couple of other
       workarounds as well.  It also supports account management and pass-
       word-changing.

       When a user logs in, the module's authentication  function  performs  a
       simple password check and, if possible, obtains Kerberos 5 and Kerberos
       IV credentials, caching them  for  later  use.   When  the  application
       requests  initialization of credentials (or opens a session), the usual
       ticket files are created.  When the application  subsequently  requests
       deletion  of  credentials or closing of the session, the module deletes
       the ticket files.


ARGUMENTS
       debug  turns on debugging via syslog(3).  Debugging messages are logged
              with priority LOG_DEBUG.

       addressless
              tells  pam_krb5.so  to obtain credentials without address lists.
              This may be necessary if your network uses NAT, and should  oth-
              erwise not be used.

       hosts=host
              tells pam_krb5.so to obtain credentials using the address of the
              given host in addition to the addresses  of  interfaces  on  the
              local workstation.  For example, if your workstation is behind a
              masquerading firewall, specifying the firewall's  outward-facing
              address here should allow Kerberos authentication to succeed.

       banner=Kerberos
            tells  pam_krb5.so  how  to  identify itself when users attempt to
            change their passwords.

       ccache_dir=/tmp
            tells pam_krb5.so which directory to use  for  storing  credential
            caches.

       forwardable
            tells  pam_krb5.so  that credentials it obtains should be forward-
            able.

       keytab=/etc/krb5.keytab
            tells pam_krb5.so the location of a keytab to use when  validating
            credentials obtained from KDCs.

       krb4_convert
            tells  pam_krb5.so to obtain Kerberos IV credentials for users, in
            addition to Kerberos 5 credentials.

       minimum_uid=0
            tells pam_krb5.so to ignore authentication attempts by users  with
            UIDs below the specified number.

       no_user_check
            tells  pam_krb5.so to not check if a user exists on the local sys-
            tem, and to create ccache files owned  by  the  current  process's
            UID.   This is useful for situations where a non-privileged server
            process needs to use Kerberized services on behalf of remote users
            who  may  not  have  local access.  Note that such a server should
            have an encrypted connection with its client  in  order  to  avoid
            allowing the user's password to be eavesdropped.

       proxiable
            tells pam_krb5.so that credentials it obtains should be proxiable.

       realm=realm
            overrides  the  default  realm  set   in   /etc/krb5.conf,   which
            pam_krb5.so will attempt to authenticate users to.

       renew_lifetime=36000
            sets the default renewable lifetime for credentials.

       skip_first_pass
            tells  pam_krb5.so to not bother checking a password that has been
            set by a module listed earlier  in  the  stack.   This  option  is
            included mainly for completeness.

       ticket_lifetime=36000
            sets the default lifetime for credentials.

       try_first_pass
            tells  pam_krb5.so  to  check the password as with use_first_pass,
            but to prompt the user for another one if  the  previously-entered
            one fails. This is the default mode of operation.

       use_first_pass
            tells  pam_krb5.so  to  get  the user's entered password as it was
            stored by a module listed earlier in the stack,  usually  pam_unix
            or pam_pwdb, instead of prompting the user for it.

       use_authtok
            tells  pam_krb5.so  to  never  prompt  for passwords when changing
            passwords.  This is useful if you are using pam_cracklib.so to try
            to enforce use of less-easy-to-guess passwords.

       validate
            tells pam_krb5.so to verify that the TGT obtained from the realm's
            servers has not been spoofed.
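
EXAMPLE
       The following audit helper is an added example, not part of pam_krb5 or
       its documentation.  It reads a PAM stack on standard input and flags
       pam_krb5.so auth entries whose arguments weaken the checks described
       above (missing validate, or addressless, no_user_check or
       skip_first_pass present).  The two sample stacks are constructed here;
       the module path is the one from the SYNOPSIS.

```shell
#!/bin/sh
# Added audit helper (not part of pam_krb5): reads a PAM configuration on
# stdin and reports pam_krb5.so "auth" entries whose arguments weaken the
# checks listed under ARGUMENTS.  Exit status 1 if anything was flagged.
audit_pam_krb5() {
    awk '
    function flag(msg) { print "line " NR ": " msg; n++ }
    /^[[:space:]]*#/ || NF < 3 { next }        # skip comments and short lines
    $1 == "auth" && $3 ~ /pam_krb5\.so$/ {
        validate = 0
        for (i = 4; i <= NF; i++) {
            if ($i == "validate")        validate = 1
            if ($i == "addressless")     flag("addressless: only for NAT, otherwise should not be used")
            if ($i == "no_user_check")   flag("no_user_check: ccache owned by the calling process UID")
            if ($i == "skip_first_pass") flag("skip_first_pass: password from earlier module not re-checked")
        }
        if (!validate) flag("validate missing: TGT not verified against spoofing (see keytab=)")
    }
    END { exit (n > 0) }'
}

# Constructed sample stacks (not from the page).  The first mirrors the
# SYNOPSIS with a risky argument and no validate; the second is hardened.
PAM_WEAK='auth required /lib/security/pam_krb5.so addressless forwardable
session optional /lib/security/pam_krb5.so
account sufficient /lib/security/pam_krb5.so
password sufficient /lib/security/pam_krb5.so use_authtok'

PAM_HARDENED='auth required /lib/security/pam_krb5.so validate keytab=/etc/krb5.keytab minimum_uid=500
session optional /lib/security/pam_krb5.so
account sufficient /lib/security/pam_krb5.so
password sufficient /lib/security/pam_krb5.so use_authtok'

# count_findings: number of lines the audit printed for the given config text
count_findings() {
    printf '%s\n' "$1" | audit_pam_krb5 | awk 'END { print NR }'
}

# Usage: run the audit on the weak stack and show what it flags.
printf '%s\n' "$PAM_WEAK" | audit_pam_krb5 || echo "weak stack flagged"
```

       Run it against a real file with "audit_pam_krb5 < /etc/pam.d/login".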


FILES
       /etc/krb5.conf

SEE ALSO
       pam_krb5(5)

BUGS
       Probably, but let's hope not.   If  you  find  any,  please  email  the
       author.

AUTHOR
       Nalin Dahyabhai <nalin@redhat.com>



Red Hat Linux                     2002/02/15                       pam_krb5(8)