.TH pam_krb5 5 2006/02/06 "Red Hat Linux" "System Administrator's Manual" .SH NAME pam_krb5 \- Kerberos 5 authentication .SH DESCRIPTION pam_krb5.so reads its configuration information from the \fBappdefaults\fR section of \fBkrb5.conf\fR(5). You should read the \fBkrb5.conf\fR(5) man page before continuing here. The module expects its configuration information to be in the \fBpam\fR subsection of the \fBappdefaults\fR section. .SH DIRECTIVES .IP debug=[\fItrue\fR|\fIfalse\fR] turns on debugging via \fBsyslog\fR(3). Debug messages are logged with priority \fILOG_DEBUG\fR. .IP addressless=[\fItrue\fR|\fIfalse\fR] if set, requests a TGT with no address information. This can be necessary if you are using Kerberos through a NAT, or on systems whose IP addresses change regularly. This directive is deprecated in favor of the \fBlibdefaults\fR \fBnoaddresses\fR directive. .IP "afs_cells=\fIcell1.example.com cell2.example.com\fR" tells pam_krb5.so to obtain tokens for cell1.example.com and cell2.example.com, in addition to the local cell and the cell which contains the user's home directory, for the user. The module will guess the principal name of the AFS service for the listed cells, or it can be specified by listing cells in the form \fIcellname\fB=principalname\fR. .IP "banner=\fIKerberos 5\fR" specifies what sort of password the module claims to be changing whenever it is called upon to change passwords. The default is \fBKerberos 5\fR. .IP ccache_dir=\fI/tmp\fR specifies the directory in which to place credential cache files. .IP existing_ticket=\fItrue\fR tells pam_krb5.so to accept the presence of pre-existing Kerberos credentials provided by the calling application in the default credential cache as sufficient to authenticate the user, and to skip any account management checks. .IP DANGER! Unless validation is also in use, it is relatively easy to produce a credential cache which looks "good enough" to fool pam_krb5.so. .IP external=\fItrue\fR .IP "external=\fIsshd ftp\fR" tells pam_krb5.so to use Kerberos credentials provided by the calling application during session setup. This is most often useful for obtaining AFS tokens or a krb4 ticket. .\" This is most often useful for obtaining AFS tokens. .IP forwardable=[\fItrue\fR|\fIfalse\fR] controls whether or not credentials are forwardable. This directive is deprecated in favor of the \fBlibdefaults\fR \fBforwardable\fR directive. .IP hosts=\fIhostnames\fR specifies which other hosts credentials obtained by pam_krb5 will be good on. If your host is behind a firewall, you should add the IP address or name that the \fIKDC\fR sees it as to this list. This directive is deprecated in favor of the \fBlibdefaults\fR \fBextra_addresses\fR directive. .IP ignore_afs=[\fItrue\fR|\fIfalse\fR] tells pam_krb5.so to completely ignore the presence of AFS, preventing any attempts to obtain new tokens on behalf of the calling application. .IP ignore_unknown_principals=[\fItrue\fR|\fIfalse\fR] .IP ignore_unknown_spn=[\fItrue\fR|\fIfalse\fR] .IP ignore_unknown_upn=[\fItrue\fR|\fIfalse\fR] specifies which other not pam_krb5 should return a PAM_IGNORE code to libpam instead of PAM_USER_UNKNOWN for users for whom the determined principal name is expired or does not exist. .IP initial_prompt=[\fItrue\fR|\fIfalse\fR] tells pam_krb5.so whether or not to ask for a password before attempting authentication. If one is needed and pam_krb5.so has not prompted for it, the Kerberos library should trigger a request for a password. .IP keytab=\fIFILE:/etc/krb5.keytab\fR specifies the name of a keytab file to search for a service key for use in validating TGTs. .IP krb4_convert=[\fItrue\fR|\fIfalse\fR] controls whether or not pam_krb5 tries to get Kerberos IV credentials from the KDC (or using the \fBkrb524d\fR service on the KDC) and create ticket files with them. Unless you've converted \fIeverything\fR on your network over to use Kerberos 5, you'll want to leave this set to \fBtrue\fR. Note that this may require valid Kerberos IV configuration data to be present in \fB/etc/krb.conf\fR and \fB/etc/krb.realms\fR. This option is poorly named. This option is forced to \fItrue\fR if AFS is detected. .IP krb4_convert_524=[\fItrue\fR|\fIfalse\fR] controls whether or not pam_krb5 tries to get Kerberos IV credentials using the \fBkrb524d\fR service. This option modifies the \fBkrb4_convert\fP option. If disabled, pam_krb5 will only attempt to obtain Kerberos IV credentials using the KDC (unless the \fBkrb4_use_as_req\fR option is also disabled). .IP krb4_use_as_req=[\fItrue\fR|\fIfalse\fR] controls whether or not pam_krb5 tries to get Kerberos IV credentials using the KDC. This option modifies the \fBkrb4_convert\fP option. If disabled, pam_krb5 will only attempt to obtain Kerberos IV credentials using the \fBkrb524d\fR service (unless the \fBkrb4_convert_524\fR option is also disabled). .IP "mappings=[\fIregex1 regex2\fR]" specifies that pam_krb5 should derive the user's principal name from the Unix user name by first checking if the user name matches \fBregex1\fR, and formulating a principal name using \fBregex2\fR. For example, \fB"mappings = EXAMPLE\e(.*) $1@EXAMPLE.COM\fR" would map any user with a name of the form "EXAMPLE\ewhatever" to a principal name of "whatever@EXAMPLE.COM". This is primarily targeted at allowing pam_krb5 to be used to authenticate users whose user information is provided by \fBwinbindd\fP(8). This will frequently require the reverse to be configured by setting up an auth_to_local rule elsewhere in \fBkrb5.conf\fP(5). .IP minimum_uid=\fI0\fR specifies the minimum UID of users being authenticated. If a user with a UID less than this value attempts authentication, the request will be ignored. .IP proxiable=[\fItrue\fR|\fIfalse\fR] controls whether or not credentials are proxiable. If not specified, they are. This directive is deprecated in favor of the \fBlibdefaults\fR \fBproxiable\fR directive. .IP renew_lifetime=\fI36000\fR default renewable lifetime. This specifies how much time you have after getting credentials to renew them. This directive is deprecated in favor of the \fBlibdefaults\fR \fBrenew_lifetime\fR directive. .IP ticket_lifetime=\fI36000\fR default credential lifetime. .IP tokens=[\fItrue\fR|\fIfalse\fR] .IP "tokens=\fIimap ftp\fR" signals that pam_krb5.so should create an AFS PAG and obtain tokens during authentication in addition to session setup. This is primarily useful in server applications which need to access a user's files but which do not open PAM sessions before doing so. .IP use_shmem=\fItrue\fR .IP "use_shmem=\fIsshd\fR \fIftp\fR" tells pam_krb5.so to pass credentials from the authentication service function to the session management service function using shared memory for specific services. .IP validate=[\fItrue\fR|\fIfalse\fR] .IP "validate=\fIlogin sshd\fR" specifies whether or not to attempt validation of the TGT. The default is \fBfalse\fR. .SH EXAMPLE [appdefaults] pam = { ticket_lifetime = 36000 renew_lifetime = 36000 forwardable = true krb4_convert = true validate = true ccache_dir = /var/tmp external = sshd tokens = imap ftpd TEST.EXAMPLE.COM = { debug = true afs_cells = testcell.example.com othercell.example.com } } .SH FILES \fI/etc/krb5.conf\fR .br .SH "SEE ALSO" .BR pam_krb5 (8) .br .SH BUGS Probably, but let's hope not. If you find any, please file them in the bug database at http://bugzilla.redhat.com/ against the "pam_krb5" component. .SH AUTHOR Nalin Dahyabhai