Go to main content

man pages section 7: Standards, Environments, Macros, Character Sets, and Miscellany

Exit Print View

Updated: Wednesday, July 27, 2022

pam_gss_s4u (7)


pam_gss_s4u - set credential PAM module for Services For Users (S4U)




The pam_gss_s4u module attempts to obtain credentials on behalf of PAM_USER by using the Generic Security Services API (GSS-API) for the Services for User (S4U) protocol. This would be beneficial for non-login processes that require services secured by Kerberos, such as those executed from cron(8) or at(1).

GSS-API Set Credential Module

The GSS-API S4U module provides the set credential function for pam_sm_setcred(). The credentials can be set from initial authentication credentials using the host's keys by stacking the pam_krb5_keytab(7) module before pam_gss_s4u(7). Subsequently, these credentials can be used to obtain credentials for itself on behalf of a user, S4U2Self. The resulting credentials can be used to obtain a service ticket for a target service on behalf of the user, S4U2Proxy.

The following options can be passed to the GSS-API set credential module:


Provides syslog(3C) debugging information at LOG_DEBUG level.


Turns off warning messages.

GSS-API Authentication Module

The Kerberos key table authentication module provides the authentication function for pam_sm_authenticate(). The function returns PAM_IGNORE.


The following error codes are returned for pam_sm_setcred ():


The initial authentication credentials does not exist.


Successfully obtained S4U credentials for the user associated with PAM_USER.


System error.


The user associated with PAM_USER is not found in the database.


Example 1 Set Credential for Initial Authentication Through Kerberos Key Table File Optionally Through S4U Requests

The following is an excerpt of a sample /etc/pam.d/cron file:

auth definitive   pam_user_policy.so.1
auth required     pam_unix_auth.so.1
auth required     pam_unix_cred.so.1
auth requisite    pam_krb5_keytab.so.1
auth optional     pam_gss_s4u.so.1

Given that set credentials uses the same stack as authenticate, the above will provision Kerberos credentials through the successful authentication of the keys found in the system's key table file via pam_krb5_keytab(7). Subsequently, these credentials will be used to obtain S4U credentials for PAM_USER.


See attributes(7) for a description of the following attribute:

Interface Stability

See Also

kinit(1), syslog(3C), libpam(3LIB), pam(3PAM), pam_sm(3PAM), pam_sm_authenticate(3PAM), pam_sm_setcred(3PAM), pam.conf(5), attributes(7), pam_krb5(7), pam_krb5_keytab(7)