pam_gss_s4u - set credential PAM module for Services For Users (S4U)
The pam_gss_s4u module attempts to obtain credentials on behalf of PAM_USER by using the Generic Security Services API (GSS-API) for the Services for User (S4U) protocol. This would be beneficial for non-login processes that require services secured by Kerberos, such as those executed from cron(8) or at(1).
The GSS-API S4U module provides the set credential function for pam_sm_setcred(). The credentials can be set from initial authentication credentials using the host's keys by stacking the pam_krb5_keytab(7) module before pam_gss_s4u(7). Subsequently, these credentials can be used to obtain credentials for itself on behalf of a user, S4U2Self. The resulting credentials can be used to obtain a service ticket for a target service on behalf of the user, S4U2Proxy.
The following options can be passed to the GSS-API set credential module:
Provides syslog(3C) debugging information at LOG_DEBUG level.
Turns off warning messages.
The Kerberos key table authentication module provides the authentication function for pam_sm_authenticate(). The function returns PAM_IGNORE.
The following error codes are returned for pam_sm_setcred ():
The initial authentication credentials does not exist.
Successfully obtained S4U credentials for the user associated with PAM_USER.
The user associated with PAM_USER is not found in the database.
The following is an excerpt of a sample /etc/pam.d/cron file:
auth definitive pam_user_policy.so.1 auth required pam_dhkeys.so.1 auth required pam_unix_auth.so.1 auth required pam_unix_cred.so.1 auth requisite pam_krb5_keytab.so.1 auth optional pam_gss_s4u.so.1
Given that set credentials uses the same stack as authenticate, the above will provision Kerberos credentials through the successful authentication of the keys found in the system's key table file via pam_krb5_keytab(7). Subsequently, these credentials will be used to obtain S4U credentials for PAM_USER.
See attributes(7) for a description of the following attribute: