Lines Matching +full:system +full:- +full:on +full:- +full:module

1 # pam-krb5
8 Copyright 2005-2010, 2014-2015, 2017, 2020-2021 Russ Allbery
9 <eagle@eyrie.org>. Copyright 2009-2011 The Board of Trustees of the
11 <dilinger@debian.org>. Copyright 1999-2000 Frank Cusack
12 <fcusack@fcusack.com>. This software is distributed under a BSD-style
18 pam-krb5 is a Kerberos PAM module for either MIT Kerberos or Heimdal. It
20 handling, authentication of non-local accounts for network services,
30 pam-krb5 provides a Kerberos PAM module that supports authentication, user
34 or through entries in the system krb5.conf file, and it tries to work
35 around PAM implementation flaws in commonly-used PAM-enabled applications
39 This is not the Kerberos PAM module maintained on Sourceforge and used on
42 the Sourceforge module does not (particularly around authorization), and
44 Kerberos) that it does. This module will never support Kerberos v4 or
45 AFS. For an AFS session module that works with this module (or any other
46 Kerberos PAM module), see
47 [pam-afs-session](https://www.eyrie.org/~eagle/software/pam-afs-session/).
50 Sourceforge PAM module that you're missing in this module, please let me
55 Either MIT Kerberos (or Kerberos implementations based on it) or Heimdal
56 are supported. MIT Kerberos 1.3 or later may be required; this module has
69 This module should work on Linux and build with gcc or clang. It may
70 still work on Solaris and build with the Sun C compiler, but I have only
71 tested it on Linux recently. There is beta-quality support for the AIX
74 build system support is present for FreeBSD, Mac OS X, and HP-UX. I
75 personally can only test on Linux and rely on others to report problems on
83 at the PAM level from a screensaver, pam-krb5 when used with these old
102 You can build and install pam-krb5 with the standard commands:
116 The module will be installed in `/usr/local/lib/security` by default, but
117 expect to have to override this using `--libdir`. The correct
119 The module will always be installed in a subdirectory named `security`
120 under the specified value of `--libdir`. On Red Hat Linux, for example,
121 `--libdir=/usr/lib64` is appropriate to install the module into the system
122 PAM directory. On Debian's amd64 architecture,
123 `--libdir=/usr/lib/x86_64-linux-gnu` would be correct.
125 Normally, configure will use `krb5-config` to determine the flags to use
127 `krb5-config` script to use, either set the `PATH_KRB5_CONFIG` environment
131 ./configure PATH_KRB5_CONFIG=/path/to/krb5-config
134 If `krb5-config` isn't found, configure will look for the standard
136 the `krb5-config` script first in your path is not the one corresponding
140 `--with-krb5=PATH`. For example:
143 ./configure --with-krb5=/usr/pubsw
147 library directory with `--with-krb5-include` and `--with-krb5-lib`. You
149 `lib32`, or `lib64` on your platform.
151 To not use `krb5-config` and force library probing even if there is a
152 `krb5-config` script on your path, set `PATH_KRB5_CONFIG` to a nonexistent
159 `krb5-config` is not used and library probing is always done if either
160 `--with-krb5-include` or `--with-krb5-lib` are given.
162 Pass `--enable-silent-rules` to configure for a quieter build (similar to
167 You can pass the `--enable-reduced-depends` flag to configure to try to
170 libraries depend on them and instead links the programs only against
172 libraries and will only work on platforms where shared libraries properly
181 pam-krb5 comes with a comprehensive test suite, but it requires some
182 configuration in order to test anything other than low-level utility
199 tests/runtests -o <name-of-test>
205 The default libkadm5clnt library on the system must match the
206 implementation of your KDC for the module/expired test to work, since the
211 Several `module/expired` tests are expected to fail with Heimdal 1.5 due
213 library-mediated password change of an expired password. This is fixed in
222 All are available on CPAN. Those tests will be skipped if the modules are
226 sanity-check the release, set the environment variable `RELEASE_TESTING`
234 Just installing the module does not enable it or change anything about
235 your system authentication configuration. To use the module for all
236 system authentication on Debian systems, put something like:
243 in `/etc/pam.d/common-auth`, something like:
250 in `/etc/pam.d/common-session`, and something like:
257 in `/etc/pam.d/common-account`. The `minimum_uid` setting tells the PAM
258 module to pass on any users with a UID lower than 1000, thereby bypassing
259 Kerberos authentication for the root account and any system accounts. You
263 that happen to match system accounts accidentally getting access to those
266 Be sure to include the module in the session group as well as the auth
278 in `/etc/pam.d/common-password` will change users' passwords in Kerberos
279 by default and then only fall back on Unix if that doesn't work. (You can
280 make this tighter by using the more complex new-style PAM configuration.)
300 strength rules on the KDC, for example), it will clear the stored password
309 ignore, not success, if the user didn't log on with Kerberos. You may
315 On Red Hat systems, modify `/etc/pam.d/system-auth` instead, which
318 You can also use pam-krb5 only for specific services. In that case,
322 and `no_ccache` options to the authenticate module. `.k5login`
326 Configuring the module for Solaris is both simpler and less flexible,
328 Solaris with which this module was extensively tested) use a single
330 console login on Solaris, try something like:
342 See the pam.conf(5) man page for more information. When using this module
343 with Solaris login (at least on Solaris 8 and 9), you will probably also
349 password change for expired accounts on Solaris with native Kerberos may
359 The Kerberos library, via pam-krb5, will prompt the user to change their
369 for `_kerberos-master` as well as `_kerberos`.
373 The first step when debugging any problems with this module is to add
374 `debug` to the PAM options for the module (either in the PAM configuration
376 module and should provide a trace of exactly what failed and any available
380 `krb5.conf`. If pam-krb5 doesn't work, first check that `kinit` works on
381 the same system. That will test your basic Kerberos configuration. If
382 the system has a keytab file installed that's readable by the process
384 contains a key for `host/<system>` where <system> is the fully-qualified
385 hostname. pam-krb5 prevents KDC spoofing by checking the user's
388 with `klist -k` and `kinit -k`.
393 If your sshd is linked against one set of Kerberos libraries and pam-krb5
399 usually best if possible to build all Kerberos software on the system
420 functions in this module are called when an application calls those public
425 When `pam_authenticate` is called, pam-krb5 creates a temporary ticket
429 the call to `pam_setcred`. The module would use a memory cache, but
438 possible, but this requires read access to the system keytab. If the
448 pam-krb5 treats `pam_open_session` and `pam_setcred(PAM_ESTABLISH_CRED)`
455 and earlier xdm, which also throws away the module settings the last time
464 environment or calls `pam_close_session`, which it should do on user
478 cache, the module instead finds the current ticket cache (from the
483 `pam_acct_mgmt` is optional; pam-krb5 doesn't do anything different when
489 `PAM_IGNORE`, which tells the PAM library to proceed as if that module
492 otherwise a configuration using `ignore_root` with pam-krb5 as the only
493 PAM module would allow anyone to log in as root without a password. There
495 improve the module's behavior, but if you know of a case, please let me
548 > code in this module is directly from these authors' modules, (except the
550 > authors originally wrote the first module the other 2 copied from), it
553 The module was then patched for the FreeBSD ports collection with
557 It was packaged by Sam Hartman as the Kerberos v5 PAM module for Debian
564 for compatibility with the Sourceforge module, commented and standardized
581 The [pam-krb5 web page](https://www.eyrie.org/~eagle/software/pam-krb5/)
585 For bug tracking, use the [issue tracker on
586 GitHub](https://github.com/rra/pam-krb5/issues). However, please be aware
593 pam-krb5 is maintained using Git. You can access the current source on
594 [GitHub](https://github.com/rra/pam-krb5) or by cloning the repository at:
596 https://git.eyrie.org/git/kerberos/pam-krb5.git
598 or [view the repository on the
599 web](https://git.eyrie.org/?p=kerberos/pam-krb5.git).
607 The pam-krb5 package as a whole is covered by the following copyright
610 > Copyright 2005-2010, 2014-2015, 2017, 2020-2021
613 > Copyright 2009-2011
619 > Copyright 1999-2000
641 > contained in a BSD-style copyright.)
649 > PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
661 include SPDX-License-Identifier tags to enable automated processing of
664 For any copyright range specified by files in this package as YYYY-ZZZZ,