pam_krb5_keytab - set credential PAM module with authentication through the Kerberos key table file
The pam_krb5_keytab module attempts to obtain initial credentials through the system's Kerberos key table file. The initial credentials can subsequently be used to obtain credentials for itself on behalf of PAM_USER, through Services for User to Self (S4U2Self) by stacking pam_gss_s4u(7) after this module. In turn, these credentials can be used to obtain service tickets for other services on behalf of the user through Services for User to Proxy (S4U2Proxy).
The Kerberos key table set credential module provides the set credential function for pam_sm_setcred(). The credentials are set from an initial authentication using system's keys that were stored previously when the system had been previously provisioned for Kerberos.
The following options can be passed to the Kerberos set credential module:
Provides syslog(3C) debugging information at LOG_DEBUG level.
Turns off warning messages.
The Kerberos key table authentication module provides the authentication function for pam_sm_authenticate(). The function returns PAM_IGNORE.
The following error codes are returned for pam_sm_setcred ():
The system's key table file does not exist or the system's principal was not found in the key table file.
Successfully initialized credentials for the system's principal.
The system's principal was not found in the Kerberos database.
The following is an excerpt of a sample /etc/pam.d/cron file:
auth definitive pam_user_policy.so.1 auth required pam_unix_auth.so.1 auth required pam_unix_cred.so.1 auth requisite pam_krb5_keytab.so.1 auth optional pam_gss_s4u.so.1
Given that set credentials uses the same stack as authenticate, the above will provision Kerberos credentials through the successful authentication of the keys found in the system's key table file via pam_krb5_keytab(7). Subsequently, these credentials will be used to obtain S4U credentials for PAM_USER.Example 2 Using pam_user_policy to Configure pam_krb5_keytab
The pam_user_policy PAM module can be configured to refer to the supplied /etc/security/pam_policy/krb5_keytab file which uses pam_krb5_keytab for PAM authentication with Kerberos through keytab and optionally, authentication through pam_gss_s4u for Services For Users (S4U). The following command assigns the /etc/security/pam_policy/krb5_keytab file to user cronuser as the PAM policy:
# usermod -K pam_policy=krb5_keytab cronuser
For more information, see the pam_user_policy(7) man page.
See attributes(7) for a description of the following attribute: