Lines Matching +full:system +full:- +full:on +full:- +full:module
1 pam-krb5 4.11
2 (PAM module for Kerberos authentication)
5 Copyright 2005-2010, 2014-2015, 2017, 2020-2021 Russ Allbery
6 <eagle@eyrie.org>. Copyright 2009-2011 The Board of Trustees of the
8 <dilinger@debian.org>. Copyright 1999-2000 Frank Cusack
9 <fcusack@fcusack.com>. This software is distributed under a BSD-style
14 pam-krb5 is a Kerberos PAM module for either MIT Kerberos or Heimdal.
16 authorization handling, authentication of non-local accounts for network
26 pam-krb5 provides a Kerberos PAM module that supports authentication,
30 configuration itself or through entries in the system krb5.conf file,
31 and it tries to work around PAM implementation flaws in commonly-used
32 PAM-enabled applications such as OpenSSH and xdm. It supports both
36 This is not the Kerberos PAM module maintained on Sourceforge and used
37 on Red Hat systems. It is an independent implementation that, if it
39 features that the Sourceforge module does not (particularly around
41 directly related to Kerberos) that it does. This module will never
42 support Kerberos v4 or AFS. For an AFS session module that works with
43 this module (or any other Kerberos PAM module), see pam-afs-session [1].
45 [1] https://www.eyrie.org/~eagle/software/pam-afs-session/
48 Sourceforge PAM module that you're missing in this module, please let me
53 Either MIT Kerberos (or Kerberos implementations based on it) or Heimdal
54 are supported. MIT Kerberos 1.3 or later may be required; this module
67 This module should work on Linux and build with gcc or clang. It may
68 still work on Solaris and build with the Sun C compiler, but I have only
69 tested it on Linux recently. There is beta-quality support for the AIX
72 untested build system support is present for FreeBSD, Mac OS X, and
73 HP-UX. I personally can only test on Linux and rely on others to report
74 problems on other operating systems.
81 indistinguishable at the PAM level from a screensaver, pam-krb5 when
100 You can build and install pam-krb5 with the standard commands:
112 The module will be installed in /usr/local/lib/security by default, but
113 expect to have to override this using --libdir. The correct
115 The module will always be installed in a subdirectory named security
116 under the specified value of --libdir. On Red Hat Linux, for example,
117 --libdir=/usr/lib64 is appropriate to install the module into the system
118 PAM directory. On Debian's amd64 architecture,
119 --libdir=/usr/lib/x86_64-linux-gnu would be correct.
121 Normally, configure will use krb5-config to determine the flags to use
123 krb5-config script to use, either set the PATH_KRB5_CONFIG environment
126 ./configure PATH_KRB5_CONFIG=/path/to/krb5-config
128 If krb5-config isn't found, configure will look for the standard
130 the krb5-config script first in your path is not the one
134 root via --with-krb5=PATH. For example:
136 ./configure --with-krb5=/usr/pubsw
139 library directory with --with-krb5-include and --with-krb5-lib. You may
141 or lib64 on your platform.
143 To not use krb5-config and force library probing even if there is a
144 krb5-config script on your path, set PATH_KRB5_CONFIG to a nonexistent
149 krb5-config is not used and library probing is always done if either
150 --with-krb5-include or --with-krb5-lib are given.
152 Pass --enable-silent-rules to configure for a quieter build (similar to
157 You can pass the --enable-reduced-depends flag to configure to try to
160 libraries depend on them and instead links the programs only against
162 shared libraries and will only work on platforms where shared libraries
171 pam-krb5 comes with a comprehensive test suite, but it requires some
172 configuration in order to test anything other than low-level utility
186 tests/runtests -o <name-of-test>
191 The default libkadm5clnt library on the system must match the
192 implementation of your KDC for the module/expired test to work, since
197 Several module/expired tests are expected to fail with Heimdal 1.5 due
199 library-mediated password change of an expired password. This is fixed
208 All are available on CPAN. Those tests will be skipped if the modules
212 sanity-check the release, set the environment variable RELEASE_TESTING
220 Just installing the module does not enable it or change anything about
221 your system authentication configuration. To use the module for all
222 system authentication on Debian systems, put something like:
227 in /etc/pam.d/common-auth, something like:
232 in /etc/pam.d/common-session, and something like:
237 in /etc/pam.d/common-account. The minimum_uid setting tells the PAM
238 module to pass on any users with a UID lower than 1000, thereby
239 bypassing Kerberos authentication for the root account and any system
243 Kerberos principals that happen to match system accounts accidentally
246 Be sure to include the module in the session group as well as the auth
256 in /etc/pam.d/common-password will change users' passwords in Kerberos
257 by default and then only fall back on Unix if that doesn't work. (You
258 can make this tighter by using the more complex new-style PAM
275 strength rules on the KDC, for example), it will clear the stored
284 ignore, not success, if the user didn't log on with Kerberos. You may
290 On Red Hat systems, modify /etc/pam.d/system-auth instead, which
293 You can also use pam-krb5 only for specific services. In that case,
297 and no_ccache options to the authenticate module. .k5login
301 Configuring the module for Solaris is both simpler and less flexible,
303 Solaris with which this module was extensively tested) use a single
305 console login on Solaris, try something like:
316 module with Solaris login (at least on Solaris 8 and 9), you will
322 password change for expired accounts on Solaris with native Kerberos may
332 The Kerberos library, via pam-krb5, will prompt the user to change their
342 for _kerberos-master as well as _kerberos.
346 The first step when debugging any problems with this module is to add
347 debug to the PAM options for the module (either in the PAM configuration
349 module and should provide a trace of exactly what failed and any
353 krb5.conf. If pam-krb5 doesn't work, first check that kinit works on
354 the same system. That will test your basic Kerberos configuration. If
355 the system has a keytab file installed that's readable by the process
357 contains a key for host/<system> where <system> is the fully-qualified
358 hostname. pam-krb5 prevents KDC spoofing by checking the user's
361 with klist -k and kinit -k.
367 and pam-krb5 is linked against a different set of Kerberos libraries,
373 software on the system against those libraries.
389 functions in this module are called when an application calls those
394 When pam_authenticate is called, pam-krb5 creates a temporary ticket
398 to the call to pam_setcred. The module would use a memory cache, but
407 possible, but this requires read access to the system keytab. If the
417 pam-krb5 treats pam_open_session and pam_setcred(PAM_ESTABLISH_CRED) as
424 earlier xdm, which also throws away the module settings the last time it
433 environment or calls pam_close_session, which it should do on user
445 cache, the module instead finds the current ticket cache (from the
450 Calling pam_acct_mgmt is optional; pam-krb5 doesn't do anything
456 which tells the PAM library to proceed as if that module wasn't listed
459 configuration using ignore_root with pam-krb5 as the only PAM module
462 module's behavior, but if you know of a case, please let me know.
513 Although no code in this module is directly from these authors'
515 from whichever of these authors originally wrote the first module the
519 The module was then patched for the FreeBSD ports collection with
523 It was packaged by Sam Hartman as the Kerberos v5 PAM module for Debian
530 for compatibility with the Sourceforge module, commented and
548 The pam-krb5 web page at:
550 https://www.eyrie.org/~eagle/software/pam-krb5/
555 For bug tracking, use the issue tracker on GitHub:
557 https://github.com/rra/pam-krb5/issues
565 pam-krb5 is maintained using Git. You can access the current source on
568 https://github.com/rra/pam-krb5
572 https://git.eyrie.org/git/kerberos/pam-krb5.git
576 https://git.eyrie.org/?p=kerberos/pam-krb5.git
584 The pam-krb5 package as a whole is covered by the following copyright
587 Copyright 2005-2010, 2014-2015, 2017, 2020-2021
589 Copyright 2009-2011
592 Copyright 1999-2000 Frank Cusack <fcusack@fcusack.com>
615 restrictions contained in a BSD-style copyright.)
624 ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR
636 include SPDX-License-Identifier tags to enable automated processing of
640 For any copyright range specified by files in this package as YYYY-ZZZZ,