Man Pages

pam_krb5(8) - phpMan pam_krb5(8) - phpMan

Command: man perldoc info search(apropos)  

pam_krb5(8)              System Administrator's Manual             pam_krb5(8)

       pam_krb5 - Kerberos 5 authentication

       auth required /$LIB/security/
       session optional /$LIB/security/
       account sufficient /$LIB/security/
       password sufficient /$LIB/security/

       The module is designed to allow smooth integration of Kerberos 5 password-checking for applications
       which use PAM.  It creates session-specific credential cache files.  If the system is an AFS  client,  it  will
       also  attempt  to  obtain tokens for the local cell, the cell which contains the user's home directory, and any
       explicitly-configured cells.

       When a user logs in, the module's authentication function performs a simple password check  and,  if  possible,
       obtains  Kerberos  5  credentials, caching them for later use.  When the application requests initialization of
       credentials (or opens a session), the usual ticket  files  are  created.   When  the  application  subsequently
       requests  deletion  of  credentials  or  closing of the session, the module deletes the ticket files.  When the
       application requests account management, if the module did not participate in authenticating the user, it  will
       signal  libpam  to  ignore the module.  If the module did participate in authenticating the user, it will check
       for an expired user password and verify the user's authorization using the .k5login  file  of  the  user  being
       authenticated, which is expected to be accessible to the module.

       debug  turns on debugging via syslog(3).  Debugging messages are logged with priority LOG_DEBUG.

              turns  on  debugging  of  sensitive  information via syslog(3).  Debug messages are logged with priority

              tells to obtain credentials without address lists.  This may be necessary  if  your  network
              uses  NAT, and should otherwise not be used.  This option is deprecated in favor of the noaddresses flag
              in the libdefaults section of krb5.conf(5).[,...]
              tells to obtain tokens for the named cells, in addition to the local  cell,  for  the  user.
              The  module will guess the principal name of the AFS service for the named cells, or it can be specified
              by giving cell in the form cellname=principalname.

       banner=Kerberos 5
              tells how to identify itself when users attempt to change their passwords.  The default set-
              ting is "Kerberos 5".

              tells which directory to use for storing credential caches.  The default setting is /tmp.

              specifies  the  location  in which to place the user's session-specific credential cache.  This value is
              treated as a template, and these sequences are substituted:
                %u login name
                %U login UID
                %p principal name
                %r realm name
                %h home directory
                %d the default ccache directory (as set with ccache_dir)
                %P the current process ID
                %% literal '%'
              The default setting is "FILE:%d/krb5cc_%U_XXXXXX".

              tells to allow expired passwords to be changed during authentication attempts.   While  this
              is  the traditional behavior exhibited by "kinit", it is inconsistent with the behavior expected by PAM,
              which expects authentication to (appear to) succeed, only to have password expiration be  flagged  by  a
              subsequent call to the account management function.  Some applications which don't handle password expi-
              ration correctly will fail unconditionally if the user's password is expired, and this flag can be  used
              to attempt to work around this bug in those applications.  The default is false.

              specifies  that pam_krb5 should create and destroy credential caches, as it does when the calling appli-
              cation opens and closes a PAM session, when the calling application establishes and deletes PAM  creden-
              tials.   This is done to compensate for applications which expect to create a credential cache but which
              don't use PAM session management.  It is usually a  harmless  redundancy  in  applications  which  don't
              require it, so this option is enabled by default.  except for services in this list: "sshd".

              tells  to  accept the presence of pre-existing Kerberos credentials provided by the calling
              application in the default credential cache as sufficient to authenticate the  user,  and  to  skip  any
              account management checks.

              DANGER!   Unless  validation  is  also in use, it is relatively easy to produce a credential cache which
              looks "good enough" to fool


              tells to use Kerberos credentials provided by the calling application during session  setup.
              This is most often useful for obtaining AFS tokens.

              tells that credentials it obtains should be forwardable.  This option is deprecated in favor
              of the forwardable option in the libdefaults section of krb5.conf(5).

              tells to obtain credentials using the addresses of  the  given  hosts  in  addition  to  the
              addresses  of  interfaces  on  the local workstation.  For example, if your workstation is behind a mas-
              querading firewall, specifying the firewall's outward-facing address here should allow Kerberos  authen-
              tication  to succeed.  This option is deprecated in favor of the extra_addresses flag in the libdefaults
              section of krb5.conf(5).



              specifies that not pam_krb5 should return a PAM_IGNORE code to libpam instead  of  PAM_USER_UNKNOWN  for
              users for whom the determined principal name is expired or does not exist.

              tells the location of a keytab to use when validating credentials obtained from KDCs.

              tells to ignore authentication attempts by users with UIDs below the specified number.

              specifies  that  pam_krb5  should  maintain multiple credential caches for this service, because it both
              sets credentials and opens a PAM session, but it sets the KRB5CCNAME variable after doing  only  one  of
              the two.  This option is usually not necessary for most services.

              tells  to not ask for a password before attempting authentication, and to instead allow the
              Kerberos library to trigger a request for a password only in cases where one is needed.

              tells to only provide the previously-entered password in response to any request for a pass-
              word  which  the  Kerberos library might make.  If the calling application does not properly support PAM
              conversations (possibly due to limitations of a network protocol which it is serving), this may be  need
              to  be used to prevent the application from supplying the user's current password in a password-changing
              situations when a new password is called for.

              tells to not check if a user exists on the local system, to skip authorization checks  using
              the user's .k5login file, and to create ccache files owned by the current process's UID.  This is useful
              for situations where a non-privileged server process needs to  use  Kerberized  services  on  behalf  of
              remote users who may not have local access.  Note that such a server should have an encrypted connection
              with its client in order to avoid allowing the user's password to be eavesdropped.


              tells to not attempt to use the local keytab to  verify  that  the  TGT  obtained  from  the
              realm's  servers  has not been spoofed.  The libdefaults verify_ap_req_nofail setting can affect whether
              or not errors reading the keytab which are encountered during validation will be suppressed.

              tells, when it attempts to set tokens, to try to get credentials  for  services  with  names
              which  resemble  afs@REALM  before  attempting  to  get  credentials  for services with names resembling
              afs/cell@REALM.  The default is to assume that the cell's name is the instance in the AFS service's Ker-
              beros principal name.

              controls  the preauthentication options which pam_krb5 passes to libkrb5, if the system-defaults need to
              be overridden.  The list is treated as a template, and these sequences are substituted:
                %u login name
                %U login UID
                %p principal name
                %r realm name
                %h home directory
                %d the default ccache directory
                %P the current process ID
                %% literal '%'

              tells that credentials it obtains should be proxiable.  This option is deprecated  in  favor
              of the proxiable option in the libdefaults section of krb5.conf(5).

              specifies  the  name  of  a  text file whose contents will be displayed to clients who attempt to change
              their passwords.  There is no default.

              overrides the default realm set in /etc/krb5.conf, which will attempt to authenticate  users

              sets  the  default  renewable  lifetime  for  credentials.   This  option  is deprecated in favor of the
              renew_lifetime option in the libdefaults section of krb5.conf(5).

              sets the default lifetime for credentials.


              signals that should create a new AFS PAG and obtain  AFS  tokens  during  authentication  in
              addition  to  session  setup.   This  is  primarily useful in server applications which need to access a
              user's files but which do not open PAM sessions before doing so.  A  properly-written  server  will  not
              need this flag set in order to function correctly.

              tells  to  check  the previously-entered password as with use_first_pass, but to prompt the
              user for another one if the previously-entered one fails. This is the default mode of operation.

              tells to get the user's entered password as it was stored by a module listed earlier in  the
              stack, usually pam_unix or pam_pwdb, instead of prompting the user for it.

              tells to never prompt for new passwords when changing passwords.  This is useful if you are
              using pam_cracklib or pam_passwdqc to try to enforce use of less-easy-to-guess passwords.


              tells to pass credentials from the authentication service function to the session management
              service function using shared memory, or to do so for specific services.


       pam_krb5(5) krb5.conf(5)

       Probably,  but  let's  hope not.  If you find any, please file them in the bug database at against the "pam_krb5" component.

       Nalin Dahyabhai <>

Red Hat Linux                     2009/12/11                       pam_krb5(8)