pam_gss_s4u (5)

Name

pam_gss_s4u - set credential PAM module for Services For Users (S4U)

Synopsis

/usr/lib/security/pam_gss_s4u.so.1

Description

The pam_gss_s4u module attempts to obtain credentials on behalf of PAM_USER by using the Generic Security Services API (GSS-API) for the Services for User (S4U) protocol. This would be beneficial for non-login processes that require services secured by Kerberos, such as those executed from cron (1M) or at (1).

GSS-API Set Credential Module

The GSS-API S4U module provides the set credential function for pam_sm_setcred(). The credentials can be set from initial authentication credentials using the host's keys by stacking the pam_krb5_keytab(5) module before pam_gss_s4u (5) . Subsequently, these credentials can be used to obtain credentials for itself on behalf of a user, S4U2Self. The resulting credentials can be used to obtain a service ticket for a target service on behalf of the user, S4U2Proxy.

The following options can be passed to the GSS-API set credential module:

debug

Provides syslog(3C) debugging information at LOG_DEBUG level.

nowarn

Turns off warning messages.

GSS-API Authentication Module

The Kerberos key table authentication module provides the authentication function for pam_sm_authenticate(). The function returns PAM_IGNORE.

Errors

The following error codes are returned for pam_sm_setcred ():

PAM_CRED_UNAVAIL

The initial authentication credentials does not exist.

PAM_SUCCESS

Successfully obtained S4U credentials for the user associated with PAM_USER.

PAM_SYSTEM_ERR

System error.

PAM_USER_UNKNOWN

The user associated with PAM_USER is not found in the database.

Examples

Example 1 Set Credential for Initial Authentication Through Kerberos Key Table File Optionally Through S4U Requests

The following is an excerpt of a sample /etc/pam.d/cron file:

auth definitive   pam_user_policy.so.1
auth required     pam_dhkeys.so.1
auth required     pam_unix_auth.so.1
auth required     pam_unix_cred.so.1
auth requisite    pam_krb5_keytab.so.1
auth optional     pam_gss_s4u.so.1

Given that set credentials uses the same stack as authenticate, the above will provision Kerberos credentials through the successful authentication of the keys found in the system's key table file via pam_krb5_keytab(5). Subsequently, these credentials will be used to obtain S4U credentials for PAM_USER.

Attributes

See attributes(5) for a description of the following attribute:

ATTRIBUTE TYPE ATTRIBUTE VALUE Interface Stability Committed

See also

kinit(1) , libpam (3LIB), pam (3PAM), pam_sm(3PAM), pam_sm_setcred(3PAM) , pam_sm_authenticate(3PAM), syslog(3C), krb5.conf(4), pam.conf(4), attributes(5), kerberos(5), krb5envvar(5), pam_krb5(5), pam_krb5_keytab(5)