Go to main content

man pages section 7: Standards, Environments, Macros, Character Sets, and Miscellany

Exit Print View

Updated: Wednesday, February 9, 2022

pam_krb5_keytab (7)


pam_krb5_keytab - set credential PAM module with authentication through the Kerberos key table file




The pam_krb5_keytab module attempts to obtain initial credentials through the system's Kerberos key table file. The initial credentials can subsequently be used to obtain credentials for itself on behalf of PAM_USER, through Services for User to Self (S4U2Self) by stacking pam_gss_s4u(7) after this module. In turn, these credentials can be used to obtain service tickets for other services on behalf of the user through Services for User to Proxy (S4U2Proxy).

Kerberos Set Credential Module

The Kerberos key table set credential module provides the set credential function for pam_sm_setcred(). The credentials are set from an initial authentication using system's keys that were stored previously when the system had been previously provisioned for Kerberos.

The following options can be passed to the Kerberos set credential module:


Provides syslog(3C) debugging information at LOG_DEBUG level.


Turns off warning messages.

Kerberos Authentication Module

The Kerberos key table authentication module provides the authentication function for pam_sm_authenticate(). The function returns PAM_IGNORE.


The following error codes are returned for pam_sm_setcred ():


The system's key table file does not exist or the system's principal was not found in the key table file.


Successfully initialized credentials for the system's principal.


System error.


The system's principal was not found in the Kerberos database.


Example 1 Set Credential for Initial Authentication Optionally Through Kerberos Key Table File

The following is an excerpt of a sample /etc/pam.d/cron file:

auth definitive  pam_user_policy.so.1
auth required    pam_unix_auth.so.1
auth required    pam_unix_cred.so.1
auth requisite   pam_krb5_keytab.so.1
auth optional    pam_gss_s4u.so.1

Given that set credentials uses the same stack as authenticate, the above will provision Kerberos credentials through the successful authentication of the keys found in the system's key table file via pam_krb5_keytab(7). Subsequently, these credentials will be used to obtain S4U credentials for PAM_USER.

Example 2 Using pam_user_policy to Configure pam_krb5_keytab

The pam_user_policy PAM module can be configured to refer to the supplied /etc/security/pam_policy/krb5_keytab file which uses pam_krb5_keytab for PAM authentication with Kerberos through keytab and optionally, authentication through pam_gss_s4u for Services For Users (S4U). The following command assigns the /etc/security/pam_policy/krb5_keytab file to user cronuser as the PAM policy:

# usermod -K pam_policy=krb5_keytab cronuser

For more information, see the pam_user_policy(7) man page.


See attributes(7) for a description of the following attribute:

Interface Stability

See Also

kinit(1), syslog(3C), libpam(3LIB), pam(3PAM), pam_sm(3PAM), pam_sm_authenticate(3PAM), pam_sm_setcred(3PAM), pam.conf(5), attributes(7), pam_gss_s4u(7), pam_krb5(7)