man pages section 5: Standards, Environments, and Macros


Updated: July 2014

pam_krb5_keytab (5)

Name

pam_krb5_keytab - set credential PAM module with authentication through the Kerberos key table file

Synopsis

/usr/lib/security/pam_krb5_keytab.so.1

Description

The pam_krb5_keytab module attempts to obtain initial credentials through the system's Kerberos key table file. The initial credentials can subsequently be used to obtain credentials for itself on behalf of PAM_USER, through Services for User to Self (S4U2Self) by stacking pam_gss_s4u(5) after this module. In turn, these credentials can be used to obtain service tickets for other services on behalf of the user through Services for User to Proxy (S4U2Proxy).

Kerberos Set Credential Module

The Kerberos key table set credential module provides the set credential function for pam_sm_setcred(). The credentials are set from an initial authentication using the system's keys, which were stored when the system was provisioned for Kerberos.

The following options can be passed to the Kerberos set credential module:

debug

Provides syslog(3C) debugging information at LOG_DEBUG level.

nowarn

Turns off warning messages.

Kerberos Authentication Module

The Kerberos key table authentication module provides the authentication function for pam_sm_authenticate(). The function returns PAM_IGNORE.

Errors

The following error codes are returned for pam_sm_setcred():

PAM_CRED_UNAVAIL

The system's key table file does not exist or the system's principal was not found in the key table file.

PAM_SUCCESS

Successfully initialized credentials for the system's principal.

PAM_SYSTEM_ERR

System error.

PAM_USER_UNKNOWN

The system's principal was not found in the Kerberos database.

Examples

Example 1 Set Credential for Initial Authentication Optionally Through Kerberos Key Table File

The following is an excerpt of a sample /etc/pam.d/cron file:

auth definitive  pam_user_policy.so.1
auth required    pam_dhkeys.so.1
auth required    pam_unix_auth.so.1
auth required    pam_unix_cred.so.1
auth requisite   pam_krb5_keytab.so.1
auth optional    pam_gss_s4u.so.1

Because setting credentials uses the same stack as authentication, the above provisions Kerberos credentials through successful authentication with the keys found in the system's key table file via pam_krb5_keytab(5). Subsequently, these credentials are used to obtain S4U credentials for PAM_USER.
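An added example, not part of the original manual page or of the module's own code: a small Python check that parses an /etc/pam.d-style auth stack and reports when pam_gss_s4u is not stacked after pam_krb5_keytab, or when pam_krb5_keytab is passed an option other than the two documented above. The finding codes, the function names, and the second sample stack (including its "verbose" option) are constructed for illustration.

```python
import os

KEYTAB, S4U = "pam_krb5_keytab.so.1", "pam_gss_s4u.so.1"
DOCUMENTED_OPTIONS = {"debug", "nowarn"}  # the only options this page lists

PAGE_EXCERPT = """\
auth definitive  pam_user_policy.so.1
auth required    pam_dhkeys.so.1
auth required    pam_unix_auth.so.1
auth required    pam_unix_cred.so.1
auth requisite   pam_krb5_keytab.so.1
auth optional    pam_gss_s4u.so.1
"""
# Constructed sample: S4U module stacked too early, plus a made-up option.
MISORDERED = """\
# constructed sample, not from the manual page
auth required    pam_unix_cred.so.1
auth optional    pam_gss_s4u.so.1
auth requisite   /usr/lib/security/pam_krb5_keytab.so.1 debug verbose
"""

def parse_stack(text, module_type="auth"):
    """Parse lines of the form: module_type control_flag module [options]."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # drop comments, then tokenize
        if len(fields) >= 3 and fields[0] == module_type:
            entries.append((lineno, fields[1], os.path.basename(fields[2]), fields[3:]))
    return entries

def audit_stack(text):
    """Return sorted (lineno, code, detail) findings for the auth stack."""
    stack = parse_stack(text)
    keytab = [e[0] for e in stack if e[2] == KEYTAB]
    s4u = [e[0] for e in stack if e[2] == S4U]
    findings = []
    if keytab:
        first = keytab[0]
        findings += [(n, "s4u-before-keytab", "stack %s after %s" % (S4U, KEYTAB)) for n in s4u if n < first]
        if not any(n > first for n in s4u):
            findings.append((first, "no-s4u-after-keytab", "no S4U2Self step for PAM_USER"))
    for lineno, _flag, module, options in stack:
        if module == KEYTAB:
            findings += [(lineno, "undocumented-option", o) for o in options if o not in DOCUMENTED_OPTIONS]
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit_stack(MISORDERED):
        print(finding)
```

The excerpt from this page produces no findings; the constructed stack produces one finding for the early pam_gss_s4u entry, one for the missing S4U step after the key table module, and one for the undocumented option.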

Attributes

See attributes(5) for a description of the following attribute:

ATTRIBUTE TYPE          ATTRIBUTE VALUE
Interface Stability     Committed

See Also

kinit(1), libpam(3LIB), pam(3PAM), pam_sm(3PAM), pam_sm_setcred(3PAM), pam_sm_authenticate(3PAM), syslog(3C), krb5.conf(4), pam.conf(4), attributes(5), kerberos(5), krb5envvar(5), pam_krb5(5), pam_gss_s4u(5)