pam_krb5

NAME

pam_krb5 - Kerberos 5 authentication

DESCRIPTION

pam_krb5.so reads its configuration information from the appdefaults section of krb5.conf(5). You should read the krb5.conf(5) man page before continuing here. The module expects its configuration information to be in the pam subsection of the appdefaults section.

DIRECTIVES

debug=[true|false]: turns on debugging via syslog(3). Debug messages are logged with priority LOG_DEBUG.
addressless=[true|false]: if set, requests a TGT with no address information. This can be necessary if you are using Kerberos through a NAT, or on systems whose IP addresses change regularly. This directive is deprecated in favor of the libdefaults noaddresses directive.
afs_cells=cell1.example.com: tells pam_krb5.so to obtain tokens for cell1.example.com and cell2.example.com, in addition to the local cell, for the user.
banner=Kerberos: specifies what sort of password the module claims to be changing whenever it is called upon to change passwords. The default is Kerberos 5.
ccache_dir=/tmp: specifies the directory to place credential cache files in.
forwardable=[true|false]: controls whether or not credentials are forwardable. This directive is deprecated in favor of the libdefaults forwardable directive.
hosts=hostnames: specifies which other hosts credentials obtained by pam_krb5 will be good on. If your host is behind a firewall, you should add the IP address or name that the KDC sees it as to this list. This directive is deprecated in favor of the libdefaults extra_addresses directive.
keytab=/etc/krb5.keytab: specifies the name of a keytab file to search for a service key for use in validating TGTs.
krb4_convert=[true|false]: controls whether or not pam_krb5 tries to get Kerberos IV credentials from the KDC (or using the krb524d service on the KDC) and create ticket files with them. Unless you've converted everything on your network over to use Kerberos 5, you'll want to leave this set to true. Note that this may require valid Kerberos IV configuration data to be present in /etc/krb.conf and /etc/krb.realms.
minimum_uid=0: specifies the minimum UID of users being authenticated. If a user with a UID less than this value attempts authentication, the request will be ignored.
proxiable=[true|false]: controls whether or not credentials are proxiable. If not specified, they are. This directive is deprecated in favor of the libdefaults proxiable directive.
renew_lifetime=36000: default renewable lifetime. This specifies how much time you have after getting credentials to renew them. This directive is deprecated in favor of the libdefaults renew_lifetime directive.
ticket_lifetime=36000: default credential lifetime.
tokens: signals that pam_krb5.so should obtain tokens during authentication in addition to session setup. This is primarily useful in server applications which need to access a user's files but which do not open PAM sessions before doing so.
validate=[true|false]: specifies whether or not to attempt validation of the TGT. The default is false.

EXAMPLE

[appdefaults]
  pam = {
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    krb4_convert = true
    validate = true
    ccache_dir = /var/tmp
    TEST.EXAMPLE.COM = {
      debug = true
      afs_cells = testcell.example.com othercell.example.com
    }
  }

FILES

/etc/krb5.conf

BUGS

Probably, but let's hope not. If you find any, please email the author.

AUTHOR

Nalin Dahyabhai <nalin@redhat.com>