pam_krb5(5)
NAME
pam_krb5 - authentication, account, session and password management
modules for Kerberos 5
SYNOPSIS
/usr/lib/security/$ISA/libpam_krb5.so.1
DESCRIPTION
The KRB5 PAM modules allow integration of Kerberos authentication into
the system entry services (such as login) using the pam.conf(4) configu‐
ration file. The Kerberos service module for PAM consists of the follow‐
ing three modules: the authentication module, the account management
module and the password module. It also provides null functions for
session management. All modules are provided by the same dynamically
loadable library.
The KRB5 PAM modules are compatible with MIT Kerberos 5 and Microsoft
Windows 2000.
Authentication Module
The authentication module verifies the user identity and sets the user
credentials. It passes the authentication key derived from the user's
password to the Kerberos security service. The security service uses
the authentication key to verify the user and issues a ticket-granting
ticket. The credential management function sets user specific creden‐
tials. It stores the credentials in a cache file and exports the envi‐
ronment variable KRB5CCNAME to identify the cache file. The cache file
is stored in the /tmp/pam_krb5/creds directory. This module creates a
unique cache file for every session. The credentials cache should be
destroyed by the user at logout with kdestroy(1m); a cache left behind
holds a ticket-granting ticket that remains usable by anyone who can
read the file until the ticket expires.
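The following is an added example, not code from this man page or from HP's PAM library. It audits a credential cache directory laid out as described above (one cache file per session under /tmp/pam_krb5/creds, KRB5CCNAME pointing at it with a FILE: prefix) and flags caches that another local user could read, caches that are not regular files, and symlinks that escape the directory. The file names and contents used in demo() are constructed; the real cache file names are whatever the module chooses and are not specified here.

```python
"""Audit a per-session Kerberos credential cache directory.

Added example; not part of pam_krb5(5) or HP's code.  Assumes the
layout the page describes: one cache file per session under
/tmp/pam_krb5/creds and KRB5CCNAME of the form "FILE:<path>".
"""
import os
import stat
import tempfile

CACHE_DIR = "/tmp/pam_krb5/creds"   # directory named by the man page


def ccache_path(krb5ccname):
    """Return the on-disk path named by a KRB5CCNAME value.

    Only the FILE: type is a plain file; other cache types (for example
    MEMORY:) have nothing on disk to check and yield None.  A bare path
    without a type prefix is treated as FILE:.
    """
    if ":" not in krb5ccname:
        return krb5ccname
    ctype, _, rest = krb5ccname.partition(":")
    return rest if ctype == "FILE" else None


def check_ccache(path, uid, cache_dir=CACHE_DIR):
    """Return a list of problems with one credential cache file.

    An empty list means the file resolves to somewhere inside cache_dir
    (no symlink escape), is a regular file, is owned by uid and is not
    readable or writable by group or other.  Anything else lets another
    local user copy the TGT and act as the session owner until it expires.
    """
    problems = []
    real = os.path.realpath(path)
    root = os.path.realpath(cache_dir)
    if os.path.commonpath([real, root]) != root:
        problems.append("outside cache dir: %s" % real)
    try:
        st = os.lstat(path)                     # lstat: do not follow links
    except FileNotFoundError:
        return problems + ["missing"]
    if stat.S_ISLNK(st.st_mode):
        problems.append("symlink")
    elif not stat.S_ISREG(st.st_mode):
        problems.append("not a regular file")
    if st.st_uid != uid:
        problems.append("owned by uid %d, expected %d" % (st.st_uid, uid))
    if st.st_mode & 0o077:
        problems.append("mode %04o exposes cache to other users"
                        % (st.st_mode & 0o777))
    return problems


def demo():
    """Constructed scenario: three caches in a temporary directory."""
    uid = os.getuid()
    d = tempfile.mkdtemp()
    good = os.path.join(d, "krb5cc_session1")   # constructed names
    loose = os.path.join(d, "krb5cc_session2")
    link = os.path.join(d, "krb5cc_session3")
    for p in (good, loose):
        with open(p, "wb") as f:
            f.write(b"not a real ccache")       # constructed content
    os.chmod(good, 0o600)                       # what a private cache looks like
    os.chmod(loose, 0o644)                      # world-readable: TGT theft
    os.symlink("/etc/passwd", link)             # escapes the cache directory
    return {
        "good": check_ccache(good, uid, cache_dir=d),
        "loose": check_ccache(loose, uid, cache_dir=d),
        "link": check_ccache(link, uid, cache_dir=d),
        "env": ccache_path("FILE:" + good) == good
               and ccache_path("MEMORY:x") is None,
    }


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, problems or "ok")
```

Run it against the live directory with check_ccache(ccache_path(os.environ["KRB5CCNAME"]), os.getuid()) from inside a session; in a logout hook the same check is a cheap way to notice that kdestroy(1m) was skipped.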
The following options may be passed to the authentication module
through pam.conf(4):
debug This option allows syslog(3C) debugging information at
LOG_DEBUG level.
use_first_pass This option allows the initial password (entered when
the user is authenticated to the first authentication
module in the stack) to authenticate with Kerberos. If
the user cannot be authenticated or if this is the first
authentication module in the stack, quit without prompt‐
ing for a password. It is recommended that this option
be used only if the authentication module is designated
as optional in the pam.conf(4) configuration file.
try_first_pass This option allows the initial password (entered when
the user is authenticated to the first authentication
module in the PAM stack) to authenticate with Kerberos.
If the user cannot be authenticated or if this is the
first authentication module in the stack, prompt for a
password.
forwardable This option requests a forwardable ticket-granting ticket,
that is, one from which a ticket-granting ticket bearing a
different network address than the present one can be
obtained (for example, to carry the user's credentials to a
remote host). For forwardable tickets to be granted, the
user's account in Kerberos must specify that the user can
be granted forwardable tickets.
renewable=<time>
This option allows tickets issued to the user to be
renewed. For renewable tickets to be granted, the user's
account in Kerberos must specify that the user can be
granted renewable tickets. The renewal time of the
ticket-granting ticket is specified by <time>. The form
of time is the same as the one in kinit(1m).
proxiable This option requests a proxiable ticket-granting ticket,
that is, one from which service tickets (but not a new
ticket-granting ticket) bearing a different network
address than the present ticket can be obtained. For
proxiable tickets to be granted, the user's account in
Kerberos must specify that the user can be granted
proxiable tickets.
ignore Returns PAM_IGNORE, so the module behaves as if it were
not in the stack. Generally this option should not be
used, but sometimes it is not desirable or not necessary
to authenticate certain users (root, ftp, ...) with
Kerberos. In such cases use this option in
pam_user.conf(4) for per-user configuration. It is not
recommended to use this option in pam.conf(4), where it
would apply to every user. See the EXAMPLE section.
Account Management Module
The account management module provides a function to perform account
management. This function retrieves the user's account and password
expiration information from the Kerberos database and verifies that they
have not expired. The module does not issue any warning if the account
or the password is about to expire.
The following options can be passed to the Account Management module
through pam.conf(4):
debug This option allows syslog(3C) debugging information at
LOG_DEBUG level.
ignore Returns PAM_IGNORE, so the module behaves as if it were
not in the stack. Generally this option should not be
used, but sometimes it is not desirable or not necessary
to authenticate certain users (root, ftp, ...) with
Kerberos. In such cases use this option in
pam_user.conf(4) for per-user configuration. It is not
recommended to use this option in pam.conf(4), where it
would apply to every user. See the EXAMPLE section.
Password Management Module
The password management module provides a function to change passwords
in the Kerberos password database. Unlike when changing a Unix pass‐
word, the password management module allows any user to change any
other user's password (provided, of course, that the user knows the
other's old password). Also unlike Unix, root is always prompted for
the user's old password: the change is authorized by the Kerberos
password service using that old password, so local root privilege
confers no bypass.
The following options can be passed into the password module through
the pam.conf(4) file:
debug This option allows syslog(3C) debugging information at
LOG_DEBUG level.
use_first_pass This option allows the initial password (entered when
the user is authenticated to the first authentication
module in the stack) to authenticate with Kerberos. If
the user cannot be authenticated or if this is the first
authentication module in the stack, quit without prompt‐
ing for a password. It is recommended that this option
be used only if the authentication module is designated
as optional in the pam.conf(4) configuration file.
try_first_pass This option allows the initial password (entered when
the user is authenticated to the first authentication
module in the PAM stack) to authenticate with Kerberos.
If the user cannot be authenticated or if this is the
first authentication module in the stack, prompt for a
password.
ignore Returns PAM_IGNORE, so the module behaves as if it were
not in the stack. Generally this option should not be
used, but sometimes it is not desirable or not necessary
to authenticate certain users (root, ftp, ...) with
Kerberos. In such cases use this option in
pam_user.conf(4) for per-user configuration. It is not
recommended to use this option in pam.conf(4), where it
would apply to every user. See the EXAMPLE section.
Session Management Module
The session management module provides functions to initiate and termi‐
nate sessions. Since session management is not defined under Kerberos,
both of these functions simply return PAM_SUCCESS. They are provided
only because of the naming conventions for PAM modules.
The following options can be passed into the session management module
through the pam.conf(4) file:
debug This option allows syslog(3C) debugging information at
LOG_DEBUG level.
ignore Returns PAM_IGNORE, so the module behaves as if it were
not in the stack. Generally this option should not be
used, but sometimes it is not desirable or not necessary
to authenticate certain users (root, ftp, ...) with
Kerberos. In such cases use this option in
pam_user.conf(4) for per-user configuration. It is not
recommended to use this option in pam.conf(4), where it
would apply to every user. See the EXAMPLE section.
EXAMPLE
Following is a sample configuration in which no authentication is done
with Kerberos for root, i.e. the KRB5 PAM module does nothing and just
returns PAM_IGNORE for user root. For every user other than root, it
tries to authenticate using Kerberos. If Kerberos succeeds, the user
is authenticated and the UNIX module is not consulted. If Kerberos
fails to authenticate the user, PAM tries to authenticate via the UNIX
PAM module using the same password.
pam_user.conf:
# configuration for user root. KRB5 PAM module uses the
# ignore option and returns PAM_IGNORE
root auth libpam_krb5.so.1 ignore
root password libpam_krb5.so.1 ignore
root account libpam_krb5.so.1 ignore
root session libpam_krb5.so.1 ignore
pam.conf:
# For per user configuration the libpam_updbe.so.1 (pam_updbe(5)) module
# must be the first module in the stack. If Kerberos authentication
# is valid the UNIX authentication function will not be invoked.
login auth required libpam_hpsec.so.1
login auth required libpam_updbe.so.1
login auth sufficient libpam_krb5.so.1
login auth required libpam_unix.so.1 try_first_pass
login password required libpam_hpsec.so.1
login password required libpam_updbe.so.1
login password required libpam_krb5.so.1
login password required libpam_unix.so.1 try_first_pass
login account required libpam_hpsec.so.1
login account required libpam_updbe.so.1
login account required libpam_krb5.so.1
login account required libpam_unix.so.1
login session required libpam_hpsec.so.1
login session required libpam_updbe.so.1
login session required libpam_krb5.so.1
login session required libpam_unix.so.1
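To see exactly which module decides each login under the pam.conf above, the following added example (not part of this man page or of HP's PAM library) models the pam.conf(4) control flags (required, requisite, sufficient, optional) and the PAM_IGNORE result, then walks the four "login auth" lines with constructed stand-ins for the modules. The user and password tables, the pam_user.conf entries and the module stand-ins are all constructed; try_first_pass is modelled by handing every module the one password the user typed, so no module re-prompts. The modelling of "optional" is the simplified rule that it decides only when nothing else did.

```python
"""Trace how the 'login auth' stack above decides a login.

Added example; not part of pam_krb5(5) or of HP's PAM library.  Module
stand-ins, password tables and pam_user.conf entries are constructed.
"""

PAM_SUCCESS = "PAM_SUCCESS"
PAM_IGNORE = "PAM_IGNORE"
PAM_AUTH_ERR = "PAM_AUTH_ERR"
PAM_USER_UNKNOWN = "PAM_USER_UNKNOWN"

# Constructed tables standing in for the KDC and the local password file.
KDC_PASSWORDS = {"alice": "alice-krb", "root": "root-krb"}
UNIX_PASSWORDS = {"alice": "alice-unix", "bob": "bob-unix", "root": "root-unix"}

# Constructed pam_user.conf(4): per-user options keyed by (user, module),
# mirroring the "root auth libpam_krb5.so.1 ignore" line of the example.
PAM_USER_CONF = {("root", "libpam_krb5.so.1"): ["ignore"]}


def pam_hpsec(user, password, options):
    return PAM_SUCCESS                 # stand-in: HP-UX security checks pass

def pam_updbe(user, password, options):
    return PAM_IGNORE                  # stand-in: only loads per-user options

def pam_krb5(user, password, options):
    if "ignore" in options:
        return PAM_IGNORE              # behave as if not in the stack
    if user not in KDC_PASSWORDS:
        return PAM_USER_UNKNOWN
    return PAM_SUCCESS if KDC_PASSWORDS[user] == password else PAM_AUTH_ERR

def pam_unix(user, password, options):
    if user not in UNIX_PASSWORDS:
        return PAM_USER_UNKNOWN
    return PAM_SUCCESS if UNIX_PASSWORDS[user] == password else PAM_AUTH_ERR

MODULES = {"libpam_hpsec.so.1": pam_hpsec, "libpam_updbe.so.1": pam_updbe,
           "libpam_krb5.so.1": pam_krb5, "libpam_unix.so.1": pam_unix}

# The four 'login auth' lines of the pam.conf example: (control, module, options).
LOGIN_AUTH_STACK = [
    ("required",   "libpam_hpsec.so.1", []),
    ("required",   "libpam_updbe.so.1", []),
    ("sufficient", "libpam_krb5.so.1",  []),
    ("required",   "libpam_unix.so.1",  ["try_first_pass"]),
]


def run_stack(stack, user, password, user_conf=PAM_USER_CONF):
    """Return (result, trace); trace lists (module, result) for each module run."""
    trace = []
    required_failure = None            # first failure of a required module wins
    saw_success = False
    optional_result = None
    for control, module, options in stack:
        options = options + user_conf.get((user, module), [])
        result = MODULES[module](user, password, options)
        trace.append((module, result))
        if result == PAM_IGNORE:
            continue                                   # line treated as absent
        ok = result == PAM_SUCCESS
        if control == "requisite" and not ok:
            return result, trace                       # stop immediately
        if control in ("required", "requisite"):
            if ok:
                saw_success = True
            elif required_failure is None:
                required_failure = result
        elif control == "sufficient":
            if ok and required_failure is None:
                return PAM_SUCCESS, trace              # later modules never run
            # a failing sufficient module is simply skipped
        elif control == "optional" and optional_result is None:
            optional_result = result                   # decides only if nothing else does
    if required_failure is not None:
        return required_failure, trace
    if saw_success:
        return PAM_SUCCESS, trace
    if optional_result is not None:
        return optional_result, trace
    return PAM_AUTH_ERR, trace                         # everything ignored: fail closed


def demo():
    """Constructed logins through LOGIN_AUTH_STACK; returns {case: (result, trace)}."""
    cases = {
        "alice_krb":  ("alice", "alice-krb"),    # Kerberos succeeds; pam_unix never runs
        "alice_unix": ("alice", "alice-unix"),   # Kerberos fails; pam_unix decides
        "bob_unix":   ("bob",   "bob-unix"),     # no principal; pam_unix only
        "root_krb":   ("root",  "root-krb"),     # ignore: Kerberos never sees root
        "root_unix":  ("root",  "root-unix"),
        "carol":      ("carol", "x"),            # unknown to both
    }
    return {name: run_stack(LOGIN_AUTH_STACK, u, p) for name, (u, p) in cases.items()}


if __name__ == "__main__":
    for name, (result, trace) in demo().items():
        print(name, result, " -> ".join("%s=%s" % t for t in trace))
```

Two traces are worth attention. In root_krb the Kerberos password for root is rejected even though a root principal exists, because the per-user ignore makes libpam_krb5.so.1 transparent and libpam_unix.so.1 alone decides; that is the intended effect of the example, not a misconfiguration. In alice_krb the stack returns before libpam_unix.so.1 runs, which is why the comment in the pam.conf above notes that the UNIX authentication function is not invoked after a valid Kerberos authentication.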
NOTES
The use of pam_hpsec is mandatory for services like login, dtlogin, su,
ftp, rcomds and sshd (see attached pam.conf). It is required that these
services stack this module above one or more additional modules such as
pam_unix, pam_krb5, etc. However, for 'OTHER' services, pam_hpsec is
not configured by default. System administrators and application
writers must consider whether it is appropriate to use pam_hpsec for
any given application.
SEE ALSO
pam(3), pam_authenticate(3), pam_setcred(3), syslog(3C), pam.conf(4),
pam_user.conf(4), pam_updbe(5), kinit(1m), klist(1m), kdestroy(1m)