NAME
     pam_krb5 - Kerberos V5 service module for PAM

SYNOPSIS
     /usr/lib/security/pam_krb5.so.1

DESCRIPTION
The Kerberos V5 service module for PAM, /usr/lib/security/pam_krb5.so.1, provides functionality for all four PAM module types: authentication, account management, session management, and password management. The pam_krb5.so.1 module is a shared object that can be dynamically loaded to provide the necessary functionality on demand. Its path is specified in the PAM configuration file, pam.conf(4).

The Kerberos V5 authentication component provides functions to verify the identity of a user (pam_sm_authenticate()) and to refresh the Kerberos credentials cache (pam_sm_setcred()). pam_sm_authenticate() authenticates a user principal through the Kerberos authentication service. If the authentication request succeeds, the authentication service sends a ticket-granting ticket (TGT) back to the pam_krb5.so.1 module, which stores the TGT in the credentials cache for later use by Kerberized network applications.
The following options may be passed to the Kerberos V5 authentication module:

- Prevent the PAM module from performing the authentication service (AS) exchange used to obtain the initial ticket-granting ticket. Use this on Kerberos application servers, which accept service tickets from clients and do not need an initial ticket for the user.
- Log debugging information through syslog(3C) at LOG_DEBUG level.
- Turn off warning messages.
- Request Kerberos V5 authentication with the user's initial password (the one entered when the user authenticated to the first authentication module in the stack). If Kerberos V5 authentication fails, or no password has been entered, the module quits and does not prompt the user for a password. Use this option only if the authentication service is designated as optional in the pam.conf configuration file: stacked as required, it would lock out every user whose initial password does not match their Kerberos password.
- Request Kerberos V5 authentication with the user's initial password (the one entered when the user authenticated to the first authentication module in the stack). If Kerberos V5 authentication fails, or no password has been entered, prompt the user for a password with the prompt "Kerberos Password:".
- Request Kerberos V5 authentication with a mapped password that has been stored under XFN. If Kerberos V5 authentication fails, or no password has been stored, the module quits and does not prompt the user for a password. Use this option only if the authentication service is designated as optional in the pam.conf configuration file.
- Request Kerberos V5 authentication with a mapped password that has been stored under XFN. If Kerberos V5 authentication fails, or no password has been stored, prompt the user for a password with the prompt "Kerberos Password:".
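The following is an added example, not code from the man page or from the pam_krb5 module itself. It is a toy model of a pam.conf auth stack that shows why the "reuse the initial password and never prompt" behaviour above must be stacked as optional, while the variant that falls back to the "Kerberos Password:" prompt can be stacked as required. The module functions, the "use"/"try" mode names, the accounts and the passwords are all constructed for illustration; the real module option names are not reproduced here, and a real AS exchange with a KDC is replaced by a dictionary lookup.

```python
"""Toy model of a Solaris pam.conf auth stack with a UNIX module followed by
a Kerberos module that reuses the password captured by the UNIX module.
Everything here is constructed for illustration (not real PAM code)."""

from dataclasses import dataclass, field

# Constructed credential stores: alice's UNIX and Kerberos passwords differ,
# bob's are the same.  Not real accounts.
UNIX_PASSWORDS = {"alice": "unix-pw", "bob": "shared-pw"}
KDC_PASSWORDS = {"alice": "krb-pw", "bob": "shared-pw"}


@dataclass
class Conversation:
    """Stand-in for the PAM conversation function: records every prompt
    issued and answers from a prepared dictionary (None if nothing prepared)."""
    answers: dict = field(default_factory=dict)
    prompts: list = field(default_factory=list)

    def ask(self, prompt: str):
        self.prompts.append(prompt)
        return self.answers.get(prompt)


def pam_unix_auth(user: str, ctx: dict, conv: Conversation) -> bool:
    """First module in the stack: prompts for the UNIX password and leaves it
    in the handle (ctx["authtok"]) for later modules to reuse."""
    pw = conv.ask("Password:")
    ctx["authtok"] = pw
    return UNIX_PASSWORDS.get(user) == pw


def _krb5_as_exchange(user: str, pw) -> bool:
    """Toy stand-in for the AS exchange: succeeds only with the KDC password."""
    return pw is not None and KDC_PASSWORDS.get(user) == pw


def pam_krb5_auth(user: str, ctx: dict, conv: Conversation, mode: str) -> bool:
    """mode "use": reuse ctx["authtok"] and never prompt (quit on failure).
    mode "try": reuse ctx["authtok"]; if that fails or nothing was stored,
    prompt with "Kerberos Password:".  On success the TGT lands in the
    (toy) credential cache, ctx["ccache"]."""
    if _krb5_as_exchange(user, ctx.get("authtok")):
        ctx["ccache"] = f"krbtgt for {user}"
        return True
    if mode == "use":
        return False
    pw = conv.ask("Kerberos Password:")
    if _krb5_as_exchange(user, pw):
        ctx["ccache"] = f"krbtgt for {user}"
        return True
    return False


def krb5_use(user, ctx, conv):
    return pam_krb5_auth(user, ctx, conv, "use")


def krb5_try(user, ctx, conv):
    return pam_krb5_auth(user, ctx, conv, "try")


def run_auth_stack(stack, user: str, conv: Conversation) -> dict:
    """Evaluate a pam.conf-style auth stack.  Each entry is (flag, module),
    flag being "required" or "optional".  Every module runs, as PAM does, so
    that a failure does not reveal which module rejected the user; a failed
    required module fails the stack, a failed optional module is ignored as
    long as some other module succeeded."""
    ctx = {}
    any_ok = False
    required_failed = False
    for flag, module in stack:
        ok = module(user, ctx, conv)
        any_ok = any_ok or ok
        if flag == "required" and not ok:
            required_failed = True
    return {"success": any_ok and not required_failed,
            "tgt": "ccache" in ctx,
            "prompts": list(conv.prompts)}


def scenario(krb5_flag: str, krb5_module, user: str) -> dict:
    """UNIX module required, Kerberos module with the given control flag; the
    user answers every prompt with the correct password for that prompt."""
    conv = Conversation(answers={"Password:": UNIX_PASSWORDS[user],
                                 "Kerberos Password:": KDC_PASSWORDS[user]})
    stack = [("required", pam_unix_auth), (krb5_flag, krb5_module)]
    return run_auth_stack(stack, user, conv)


if __name__ == "__main__":
    # alice, whose passwords differ, is locked out when the no-prompt module
    # is required, gets in without a TGT when it is optional, and gets in with
    # a TGT after one extra prompt when the prompting variant is used.
    for flag, mod, user in [("required", krb5_use, "alice"),
                            ("optional", krb5_use, "alice"),
                            ("required", krb5_try, "alice"),
                            ("required", krb5_use, "bob")]:
        print(flag, mod.__name__, user, scenario(flag, mod, user))
```

The interesting row is the first one: a correct UNIX password, a correct Kerberos password the user was never asked for, and an overall failure, which is exactly the lockout the man page warns about when the non-prompting variant is not marked optional.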
The account management component returns success and performs no function; it is a null function.

The Kerberos V5 session management component provides functions to initiate (pam_sm_open_session()) and terminate (pam_sm_close_session()) Kerberos V5 sessions. For Kerberos V5, pam_sm_open_session() is a null function. pam_sm_close_session() destroys the principal's credential cache, as well as the in-kernel Kerberos credentials, if the session being closed is the last open session on this server for the calling principal.
The Kerberos V5 password management component provides a function, pam_sm_chauthtok(), to change passwords in the Key Distribution Center (KDC) database. The following options may be passed to the Kerberos V5 password module:

- Log debugging information through syslog(3C) at LOG_DEBUG level.
- Turn off warning messages.
- Request Kerberos V5 authentication with the user's initial password (the one entered when the user authenticated to the first authentication module in the stack). If Kerberos V5 authentication fails, or no password has been entered, the module quits and does not prompt the user for a password. If authentication succeeds, the user is prompted with "New KRB5 password:" for a new password, then prompted a second time for the new password for verification; the KDC database is updated with the new password if both responses match.
- Request Kerberos V5 authentication with the user's initial password (the one entered when the user authenticated to the first authentication module in the stack). If Kerberos V5 authentication fails, or no password has been entered, prompt the user for a password with the prompt "Old KRB5 Password:". If authentication succeeds, the user is prompted with "New KRB5 password:" for a new password, then prompted a second time for the new password for verification; the KDC database is updated with the new password if both responses match.
- Request Kerberos V5 authentication with a mapped password that has been stored under XFN. If Kerberos V5 authentication fails, or no password has been stored, the module quits and does not prompt the user for a password. If authentication succeeds, the user is prompted with "New KRB5 password:" for a new password, then prompted a second time for the new password for verification; the KDC database is updated with the new password if both responses match.
- Request Kerberos V5 authentication with a mapped password that has been stored under XFN. If Kerberos V5 authentication fails, or no password has been stored, prompt the user for a password with the prompt "Old KRB5 Password:". If authentication succeeds, the user is prompted with "New KRB5 password:" for a new password, then prompted a second time for the new password for verification; the KDC database is updated with the new password if both responses match.
ATTRIBUTES
     See attributes(5) for descriptions of the following attributes:
ATTRIBUTE TYPE | ATTRIBUTE VALUE |
---|---|
MT Level | MT-Safe with exceptions |
SEE ALSO
     keylogin(1), pam(3PAM), pam_authenticate(3PAM), syslog(3C), libpam(4), pam.conf(4), attributes(5), SEAM(5)