Lines Matching +full:security +full:- +full:module

1                               pam-krb5 4.11
2 (PAM module for Kerberos authentication)
5 Copyright 2005-2010, 2014-2015, 2017, 2020-2021 Russ Allbery
6 <eagle@eyrie.org>. Copyright 2009-2011 The Board of Trustees of the
8 <dilinger@debian.org>. Copyright 1999-2000 Frank Cusack
9 <fcusack@fcusack.com>. This software is distributed under a BSD-style
14 pam-krb5 is a Kerberos PAM module for either MIT Kerberos or Heimdal.
16 authorization handling, authentication of non-local accounts for network
26 pam-krb5 provides a Kerberos PAM module that supports authentication,
31 and it tries to work around PAM implementation flaws in commonly-used
32 PAM-enabled applications such as OpenSSH and xdm. It supports both
36 This is not the Kerberos PAM module maintained on Sourceforge and used
39 features that the Sourceforge module does not (particularly around
41 directly related to Kerberos) that it does. This module will never
42 support Kerberos v4 or AFS. For an AFS session module that works with
43 this module (or any other Kerberos PAM module), see pam-afs-session [1].
45 [1] https://www.eyrie.org/~eagle/software/pam-afs-session/
48 Sourceforge PAM module that you're missing in this module, please let me
54 are supported. MIT Kerberos 1.3 or later may be required; this module
67 This module should work on Linux and build with gcc or clang. It may
69 tested it on Linux recently. There is beta-quality support for the AIX
73 HP-UX. I personally can only test on Linux and rely on others to report
81 indistinguishable at the PAM level from a screensaver, pam-krb5 when
85 (this is not a security concern), but will not be named correctly or
100 You can build and install pam-krb5 with the standard commands:
112 The module will be installed in /usr/local/lib/security by default, but
113 expect to have to override this using --libdir. The correct
115 The module will always be installed in a subdirectory named security
116 under the specified value of --libdir. On Red Hat Linux, for example,
117 --libdir=/usr/lib64 is appropriate to install the module into the system
119 --libdir=/usr/lib/x86_64-linux-gnu would be correct.
121 Normally, configure will use krb5-config to determine the flags to use
123 krb5-config script to use, either set the PATH_KRB5_CONFIG environment
126 ./configure PATH_KRB5_CONFIG=/path/to/krb5-config
128 If krb5-config isn't found, configure will look for the standard
130 the krb5-config script first in your path is not the one
134 root via --with-krb5=PATH. For example:
136 ./configure --with-krb5=/usr/pubsw
139 library directory with --with-krb5-include and --with-krb5-lib. You may
143 To not use krb5-config and force library probing even if there is a
144 krb5-config script on your path, set PATH_KRB5_CONFIG to a nonexistent
149 krb5-config is not used and library probing is always done if either
150 --with-krb5-include or --with-krb5-lib are given.
152 Pass --enable-silent-rules to configure for a quieter build (similar to
157 You can pass the --enable-reduced-depends flag to configure to try to
171 pam-krb5 comes with a comprehensive test suite, but it requires some
172 configuration in order to test anything other than low-level utility
186 tests/runtests -o <name-of-test>
192 implementation of your KDC for the module/expired test to work, since
197 Several module/expired tests are expected to fail with Heimdal 1.5 due
199 library-mediated password change of an expired password. This is fixed
212 sanity-check the release, set the environment variable RELEASE_TESTING
220 Just installing the module does not enable it or change anything about
221 your system authentication configuration. To use the module for all
227 in /etc/pam.d/common-auth, something like:
232 in /etc/pam.d/common-session, and something like:
237 in /etc/pam.d/common-account. The minimum_uid setting tells the PAM
238 module to pass on any users with a UID lower than 1000, thereby
246 Be sure to include the module in the session group as well as the auth
256 in /etc/pam.d/common-password will change users' passwords in Kerberos
258 can make this tighter by using the more complex new-style PAM
290 On Red Hat systems, modify /etc/pam.d/system-auth instead, which
293 You can also use pam-krb5 only for specific services. In that case,
297 and no_ccache options to the authenticate module. .k5login
301 Configuring the module for Solaris is both simpler and less flexible,
303 Solaris with which this module was extensively tested) use a single
307 login auth sufficient /usr/local/lib/security/pam_krb5.so minimum_uid=100
308 login auth required /usr/lib/security/pam_unix_auth.so.1 use_first_pass
309 login account required /usr/local/lib/security/pam_krb5.so minimum_uid=100
310 login account required /usr/lib/security/pam_unix_account.so.1
311 login session required /usr/local/lib/security/pam_krb5.so retain_after_close minimum_uid=100
312 login session required /usr/lib/security/pam_unix_session.so.1
316 module with Solaris login (at least on Solaris 8 and 9), you will
332 The Kerberos library, via pam-krb5, will prompt the user to change their
342 for _kerberos-master as well as _kerberos.
346 The first step when debugging any problems with this module is to add
347 debug to the PAM options for the module (either in the PAM configuration
349 module and should provide a trace of exactly what failed and any
353 krb5.conf. If pam-krb5 doesn't work, first check that kinit works on
357 contains a key for host/<system> where <system> is the fully-qualified
358 hostname. pam-krb5 prevents KDC spoofing by checking the user's
361 with klist -k and kinit -k.
367 and pam-krb5 is linked against a different set of Kerberos libraries,
389 functions in this module are called when an application calls those
394 When pam_authenticate is called, pam-krb5 creates a temporary ticket
398 to the call to pam_setcred. The module would use a memory cache, but
417 pam-krb5 treats pam_open_session and pam_setcred(PAM_ESTABLISH_CRED) as
424 earlier xdm, which also throws away the module settings the last time it
445 cache, the module instead finds the current ticket cache (from the
450 Calling pam_acct_mgmt is optional; pam-krb5 doesn't do anything
456 which tells the PAM library to proceed as if that module wasn't listed
459 configuration using ignore_root with pam-krb5 as the only PAM module
462 module's behavior, but if you know of a case, please let me know.
497 security reasons. We could hack around this by saving the password in
513 Although no code in this module is directly from these authors'
515 from whichever of these authors originally wrote the first module the
519 The module was then patched for the FreeBSD ports collection with
523 It was packaged by Sam Hartman as the Kerberos v5 PAM module for Debian
530 for compatibility with the Sourceforge module, commented and
548 The pam-krb5 web page at:
550 https://www.eyrie.org/~eagle/software/pam-krb5/
557 https://github.com/rra/pam-krb5/issues
565 pam-krb5 is maintained using Git. You can access the current source on
568 https://github.com/rra/pam-krb5
572 https://git.eyrie.org/git/kerberos/pam-krb5.git
576 https://git.eyrie.org/?p=kerberos/pam-krb5.git
584 The pam-krb5 package as a whole is covered by the following copyright
587 Copyright 2005-2010, 2014-2015, 2017, 2020-2021
589 Copyright 2009-2011
592 Copyright 1999-2000 Frank Cusack <fcusack@fcusack.com>
615 restrictions contained in a BSD-style copyright.)
636 include SPDX-License-Identifier tags to enable automated processing of
640 For any copyright range specified by files in this package as YYYY-ZZZZ,