pam_krb5afs(8)
NAME
pam_krb5afs - Kerberos 5 authentication with AFS support
SYNOPSIS
auth     required   /lib/security/pam_krb5afs.so
session  optional   /lib/security/pam_krb5afs.so
account  sufficient /lib/security/pam_krb5afs.so
password sufficient /lib/security/pam_krb5afs.so
DESCRIPTION
pam_krb5afs.so is designed to allow smooth integration of
Kerberos 5 password-checking with applications built
using PAM. It also supports session-specific ticket files
(which are neater), Kerberos IV ticket file grabbing, and
AFS token-grabbing. Its main use is as an authentication
module, but it also supplies the same functions as a
session-management module to better support poorly-written
applications, and a couple of other workarounds as well.
It also supports account management and password-changing.
When a user logs in, the module's authentication function
performs a simple password check and, if possible, obtains
Kerberos 5 and Kerberos IV credentials, caching them for
later use. When the application requests initialization
of credentials (or opens a session), the usual ticket
files are created and AFS tokens are obtained. When the
application subsequently requests deletion of credentials
or closing of the session, the module destroys the tokens
for the current PAG and deletes the ticket files.
Some applications (notably wu-ftpd, wu-imapd, and Samba)
neither create credentials nor open sessions, so the
session-time token grab never happens. For these server
applications, use the tokens option to force token-grabbing
during the password check.
ARGUMENTS
       debug
              turns on debugging via syslog(3). Debugging messages are
              logged with priority LOG_DEBUG.

       addressless
              tells pam_krb5afs.so to obtain credentials without
              address lists. This may be necessary if your network
              uses NAT, and should otherwise not be used.

       hosts=host
              tells pam_krb5afs.so to obtain credentials using the
              address of the given host in addition to the addresses
              of interfaces on the local workstation. For example, if
              your workstation is behind a masquerading firewall,
              specifying the firewall's outward-facing address here
              should allow Kerberos authentication to succeed.

       afs_cells=cell
              tells pam_krb5afs.so to obtain tokens for users in the
              given cell when they log in. The default is the current
              realm name converted to lower case.

       banner=Kerberos
              tells pam_krb5afs.so how to identify itself when users
              attempt to change their passwords.

       ccache_dir=/tmp
              tells pam_krb5afs.so which directory to use for storing
              credential caches.

       forwardable
              tells pam_krb5afs.so that credentials it obtains should
              be forwardable.

       keytab=/etc/krb5.keytab
              tells pam_krb5afs.so the location of a keytab to use
              when validating credentials obtained from KDCs (see
              validate).

       krb4_convert
              tells pam_krb5afs.so to obtain Kerberos IV credentials
              for users, in addition to Kerberos 5 credentials.

       minimum_uid=0
              tells pam_krb5afs.so to ignore authentication attempts
              by users with UIDs below the specified number.

       no_user_check
              tells pam_krb5afs.so to not check if a user exists on
              the local system, and to create ccache files owned by
              the current process's UID. This is useful for
              situations where a non-privileged server process needs
              to use Kerberized services on behalf of remote users
              who may not have local access. Note that such a server
              should have an encrypted connection with its client in
              order to avoid allowing the user's password to be
              eavesdropped.

       proxiable
              tells pam_krb5afs.so that credentials it obtains should
              be proxiable.

       realm=realm
              overrides the default realm set in /etc/krb5.conf, which
              pam_krb5afs.so will attempt to authenticate users to.

       renew_lifetime=36000
              sets the default renewable lifetime for credentials.

       retain_after_close
              tells pam_krb5afs.so to retain the ticket after the
              session has been closed.

       skip_first_pass
              tells pam_krb5afs.so to not bother checking a password
              that has been set by a module listed earlier in the
              stack. This option is included mainly for completeness.

       ticket_lifetime=36000
              sets the default lifetime for credentials.

       tokens
              tells pam_krb5afs.so to get AFS tokens for the user
              immediately if the password check succeeds. This is
              necessary for some programs that never open sessions or
              attempt to initialize credentials (PAM's credentials,
              not Kerberos's). If you have a server app that requires
              access to the user's file space, you might need this.

       try_first_pass
              tells pam_krb5afs.so to check the password as with
              use_first_pass, but to prompt the user for another one
              if the previously-entered one fails. This is the default
              mode of operation.

       use_first_pass
              tells pam_krb5afs.so to get the user's entered password
              as it was stored by a module listed earlier in the
              stack, usually pam_unix or pam_pwdb, instead of
              prompting the user for it.

       use_authtok
              tells pam_krb5afs.so to never prompt for passwords when
              changing passwords. This is useful if you are using
              pam_cracklib.so to try to enforce use of less
              easy-to-guess passwords.

       validate
              tells pam_krb5afs.so to verify that the TGT obtained
              from the realm's servers has not been spoofed, by
              checking it against the keytab given with the keytab
              option. Without it, a forged KDC reply that encrypts
              correctly under the user's key is accepted as genuine.
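The following audit script is an added example; it is not part of the pam_krb5afs man page or of the module's own code. It reads PAM service files that load pam_krb5afs.so and flags the option choices the DESCRIPTION (server apps that never open a session) and the ARGUMENTS above caution about: an auth entry without validate, addressless outside a NAT setup, no_user_check without a reminder about the encrypted client channel, and a missing minimum_uid. The two service files it writes are constructed sample input; the service names, the /lib/security module path and the keytab path are illustrative.

```shell
#!/bin/sh
# Added example, not from the pam_krb5afs man page or the module's code.
# Audits PAM service files that load pam_krb5afs.so for the option choices
# the man page warns about. Sample files below are constructed input.

# audit_pam_krb5afs FILE
# Prints one "WARN ..." line per finding on stdout; prints nothing when clean.
audit_pam_krb5afs() {
    f="$1"
    # Active (non-comment) lines that load the module.
    lines=$(grep -v '^[[:space:]]*#' "$f" | grep 'pam_krb5afs\.so' || true)
    auth=$(printf '%s\n' "$lines" | grep '^[[:space:]]*auth' || true)

    # 1. The auth entry does the password check; without 'validate' the TGT
    #    returned by the KDC is never checked against the local keytab.
    if [ -n "$auth" ] && ! printf '%s\n' "$auth" | grep -q 'validate'; then
        echo "WARN $f: auth entry lacks 'validate' (TGT not checked against the keytab)"
    fi
    # 2. 'addressless' tickets carry no address list; the man page says to
    #    use it only when NAT makes address-bound tickets unusable.
    if printf '%s\n' "$lines" | grep -q 'addressless'; then
        echo "WARN $f: 'addressless' is set; only needed behind NAT, otherwise drop it"
    fi
    # 3. 'no_user_check' makes the ccache owned by the server process; the
    #    man page requires an encrypted client connection in that case.
    if printf '%s\n' "$lines" | grep -q 'no_user_check'; then
        echo "WARN $f: 'no_user_check' is set; confirm the client connection is encrypted"
    fi
    # 4. With no 'minimum_uid', the default of 0 sends every local account,
    #    including uid 0, to the KDC for authentication.
    if [ -n "$auth" ] && ! printf '%s\n' "$auth" | grep -q 'minimum_uid='; then
        echo "WARN $f: auth entry lacks 'minimum_uid='; system accounts are Kerberos-authenticated too"
    fi
}

# count_findings FILE: number of WARN lines for FILE, for use in scripts.
count_findings() {
    audit_pam_krb5afs "$1" | grep -c '^WARN' || true
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

# Constructed sample: a server that never opens a session (wu-ftpd style),
# configured with the shortcuts an administrator might reach for.
cat > "$tmp/ftp-weak" <<'EOF'
#%PAM-1.0
auth     required   /lib/security/pam_krb5afs.so tokens addressless no_user_check
account  sufficient /lib/security/pam_krb5afs.so
session  optional   /lib/security/pam_krb5afs.so
EOF

# Constructed sample: the SYNOPSIS stack for a login service, with the TGT
# validated against the host keytab, system accounts excluded, and
# pam_cracklib feeding the new password to use_authtok.
cat > "$tmp/login-hardened" <<'EOF'
#%PAM-1.0
auth     required   /lib/security/pam_krb5afs.so validate keytab=/etc/krb5.keytab minimum_uid=500 forwardable
account  sufficient /lib/security/pam_krb5afs.so
password required   /lib/security/pam_cracklib.so
password sufficient /lib/security/pam_krb5afs.so use_authtok
session  optional   /lib/security/pam_krb5afs.so
EOF

audit_pam_krb5afs "$tmp/ftp-weak"        # four WARN lines
audit_pam_krb5afs "$tmp/login-hardened"  # no output
```

Point the function at real service files (for example /etc/pam.d/ftp or /etc/pam.d/login) to check an installed stack; the tokens option itself is not flagged, since for wu-ftpd, wu-imapd and Samba it is the documented fix.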
FILES
/etc/krb5.conf
SEE ALSO
BUGS
Probably, but let's hope not. If you find any, please
email the author.
AUTHOR
Nalin Dahyabhai <nalin@redhat.com>
Balazs GAL <balsa@rit.bme.hu>