pam_krb5afs(5)
NAME
pam_krb5afs - Kerberos 5 authentication with AFS support
DESCRIPTION
pam_krb5afs.so uses a portion of krb5.conf to get its
configuration information. You should read the krb5.conf(5)
man page before continuing here. The module expects its
configuration information to be in the pam subsection of
the appdefaults section of the krb5.conf configuration
file (for backward compatibility, the pam section is also
checked for the same directives).
DIRECTIVES
- debug=[true|false]
  turns on debugging via syslog(3).
- addressless=[true|false]
  disables the checking of the address in the ticket.
  Allows the ticket to be used from behind NAT firewalls,
  or on machines whose IP address changes regularly.
- afs_cells=cells
  specifies which cells you want to get tokens for. Set
  this to the list of all of your local cells. The default
  is the current realm name converted to lower case.
- banner=Kerberos
  specifies what kind of password the module claims to be
  changing when called to change passwords. The default is
  Kerberos 5.
- ccache_dir=/tmp
  specifies the directory to place credential cache files
  in.
- forwardable=[true|false]
  controls whether or not credentials are forwardable. If
  not specified, they are.
- hosts=hostnames
  specifies which other hosts credentials obtained by
  pam_krb5afs will be good on. If your host is behind a
  firewall, you should add the IP address or name that the
  KDC sees it as to this list.
- initial_timeout
  specifies the number of seconds to wait for the first KDC
  to respond, before attempting incremental backoff.
- keytab=/etc/krb5.keytab
  specifies the name of a keytab file to find a key for the
  required_tgs in, for use in validating TGTs.
- krb4_convert=[true|false]
  controls whether or not pam_krb5 tries to get Kerberos IV
  credentials from the KDC (or using the krb524d service on
  the KDC) and create ticket files with them. Unless you've
  converted everything on your network over to use Kerberos
  5, you'll want to leave this set to true. Note that this
  requires valid Kerberos IV configuration data to be
  present in /etc/krb.conf and /etc/krb.realms.
- max_timeout=30
  specifies the maximum amount of time to spend in
  attempting to get a reply from the KDCs, in seconds. This
  in effect determines the amount of time before PAM tries
  the next authentication scheme, if the network is not
  available.
- minimum_uid=0
  specifies the minimum UID of users being authenticated.
  If a user with a UID less than this value attempts
  authentication, the request will be ignored.
- proxiable=[true|false]
  controls whether or not credentials are proxiable. If not
  specified, they are.
- renew_lifetime=36000
  default renewable lifetime. This specifies how much time
  you have after getting credentials to renew them.
- required_tgs=[service]
  specifies a principal for which a user must be able to
  get a session key, for the purpose of verifying that the
  TGT has not been forged. The key is decrypted using a
  copy of the service's key stored in a local keytab file.
  This is the only certain way to be absolutely sure the
  TGT hasn't been forged. The default is host@hostname.
- retain_after_close=[true|false]
  specifies whether or not to retain the ticket after
  closing the session. The default is false.
- ticket_lifetime=36000
  default credential lifetime.
- timeout_shift
  specifies the number of bits left to shift after each
  timeout, in implementing the incremental backoff in
  talking to the KDCs.
- validate=[true|false]
  specifies whether or not to attempt validation of the
  TGT. The default is false.
EXAMPLE
    [appdefaults]
        pam = {
            debug = true
            ticket_lifetime = 36000
            renew_lifetime = 36000
            forwardable = true
            krb4_convert = true
            afs_cells = transarc.com foo.example.edu
            hosts = thermo.example.edu alf.example.edu
            validate = true
            required_tgs = host/thermo.example.edu
            ccache_dir = /var/tmp
        }
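The following is an added example, not part of the pam_krb5afs man page or the module's own code. It reads the pam subsection of [appdefaults] (falling back to a top-level [pam] section, as the DESCRIPTION says the module does), applies the defaults the DIRECTIVES section states, and reports the two settings a reviewer of such a file would check first: validate left at its default of false (so the TGT is never checked against the keytab key named by required_tgs) and addressless set to true (ticket address checks disabled). The parser handles only the key = value and one-level brace syntax shown in EXAMPLE; the precedence of [appdefaults] pam over [pam] is an assumption, as is the SAMPLE_CONF text, which is constructed for the example.

```python
"""Audit pam_krb5afs settings in a krb5.conf-style file (added example)."""
import re

# Defaults as stated in the man page's DIRECTIVES section. Directives the
# page gives no default for (addressless, krb4_convert, ...) are omitted.
DEFAULTS = {
    "validate": "false",
    "retain_after_close": "false",
    "forwardable": "true",
    "proxiable": "true",
    "banner": "Kerberos 5",
    "ccache_dir": "/tmp",
    "keytab": "/etc/krb5.keytab",
    "max_timeout": "30",
    "minimum_uid": "0",
}

# Constructed sample, modelled on the man page's EXAMPLE block.
SAMPLE_CONF = """
[appdefaults]
    pam = {
        debug = true
        ticket_lifetime = 36000
        validate = true
        required_tgs = host/thermo.example.edu
        ccache_dir = /var/tmp
    }
"""


def parse_krb5_conf(text):
    """Return {section: {key: value}}.  A 'name = { ... }' block inside a
    section is stored under 'section/name'.  Minimal parser: only the
    layout the man page shows (one brace level, '#' comments)."""
    result = {}
    stack = []  # names of the currently open section and sub-block
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:  # new top-level section
            stack = [m.group(1)]
            result.setdefault(stack[0], {})
            continue
        m = re.match(r"^(\w+)\s*=\s*\{$", line)
        if m and stack:  # open a sub-block such as 'pam = {'
            stack.append(m.group(1))
            result.setdefault("/".join(stack), {})
            continue
        if line == "}" and len(stack) > 1:
            stack.pop()
            continue
        m = re.match(r"^(\w+)\s*=\s*(.*)$", line)
        if m and stack:  # plain key = value inside whatever is open
            result["/".join(stack)][m.group(1)] = m.group(2).strip()
    return result


def pam_settings(text):
    """Effective settings: defaults, then [pam] (backward compatibility),
    then [appdefaults] pam.  Assumption: the appdefaults subsection wins."""
    conf = parse_krb5_conf(text)
    settings = dict(DEFAULTS)
    settings.update(conf.get("pam", {}))
    settings.update(conf.get("appdefaults/pam", {}))
    return settings


def audit(text):
    """Return a list of findings about TGT validation for the given file."""
    s = pam_settings(text)
    findings = []
    if s["validate"].lower() != "true":
        findings.append("validate is false: TGT is not verified against the "
                        "keytab key for required_tgs")
    if s.get("addressless", "false").lower() == "true":
        findings.append("addressless is true: ticket address checks disabled")
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONF) or ["no findings"]:
        print(f)
```

Run it against a real /etc/krb5.conf by reading the file into the string passed to audit(); a file that relies on the module's defaults will produce the validate finding, since the page states that validation is off unless enabled.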
FILES
/etc/krb5.conf
SEE ALSO
BUGS
Probably, but let's hope not. If you find any, please
email the author.
AUTHOR
Nalin Dahyabhai <nalin@redhat.com>
Balazs GAL <balsa@rit.bme.hu>