Lines Matching +full:pam +full:- +full:enabled
1 # Package metadata for pam-krb5.
10 # Copyright 2017, 2020-2021 Russ Allbery <eagle@eyrie.org>
12 # SPDX-License-Identifier: BSD-3-clause or GPL-1+
16 name: pam-krb5
19 synopsis: PAM module for Kerberos authentication
22 name: BSD-3-clause-or-GPL-1+
24 - holder: Russ Allbery <eagle@eyrie.org>
25 years: 2005-2010, 2014-2015, 2017, 2020-2021
26 - holder: The Board of Trustees of the Leland Stanford Junior University
27 years: 2009-2011
28 - holder: Andres Salomon <dilinger@debian.org>
30 - holder: Frank Cusack <fcusack@fcusack.com>
31 years: 1999-2000
41 expect to have to override this using `--libdir`. The correct
42 installation path for PAM modules varies considerably between systems.
44 under the specified value of `--libdir`. On Red Hat Linux, for example,
45 `--libdir=/usr/lib64` is appropriate to install the module into the system
46 PAM directory. On Debian's amd64 architecture,
47 `--libdir=/usr/lib/x86_64-linux-gnu` would be correct.
54 package: libpam-krb5
57 later releases as libpam-krb5 and libpam-heimdal. The former packages
61 tarname: pam-krb5
62 version: pam-krb5
65 github: rra/pam-krb5
66 web: https://www.eyrie.org/~eagle/software/pam-krb5/
68 browse: https://git.eyrie.org/?p=kerberos/pam-krb5.git
69 github: rra/pam-krb5
74 url: https://git.eyrie.org/git/kerberos/pam-krb5.git
78 date: 2003-11-17
85 - date: 2020-03-30
88 - date: 2009-02-11
93 - name: pam-krb5
97 pam-krb5 is a Kerberos PAM module for either MIT Kerberos or Heimdal. It
99 handling, authentication of non-local accounts for network services,
101 expected PAM features. It works correctly with OpenSSH, even with
102 ChallengeResponseAuthentication and PrivilegeSeparation enabled, and
103 supports extensive configuration either by PAM options or in krb5.conf or
108 pam-krb5 provides a Kerberos PAM module that supports authentication, user
111 be configured through either options in the PAM configuration itself or
113 PAM implementation flaws in commonly-used PAM-enabled applications such as
117 This is not the Kerberos PAM module maintained on Sourceforge and used on
124 PAM module), see
125 [pam-afs-session](https://www.eyrie.org/~eagle/software/pam-afs-session/).
128 Sourceforge PAM module that you're missing in this module, please let me
139 the use_pkinit PAM option.
148 on Linux recently. There is beta-quality support for the AIX NAS Kerberos
149 implementation that has not been tested in years. Other PAM implementations
151 is present for FreeBSD, Mac OS X, and HP-UX. I personally can only test on
159 the PAM level from a screensaver, pam-krb5 when used with these old versions
171 pam-krb5 comes with a comprehensive test suite, but it requires some
172 configuration in order to test anything other than low-level utility
190 library-mediated password change of an expired password. This is fixed in
203 - title: Configuring
214 in `/etc/pam.d/common-auth`, something like:
221 in `/etc/pam.d/common-session`, and something like:
228 in `/etc/pam.d/common-account`. The `minimum_uid` setting tells the PAM
249 in `/etc/pam.d/common-password` will change users' passwords in Kerberos
251 can make this tighter by using the more complex new-style PAM
279 If you use a more complex configuration with the Linux PAM `[]` syntax
285 There are many, many other possibilities. See the Linux PAM
288 On Red Hat systems, modify `/etc/pam.d/system-auth` instead, which
291 You can also use pam-krb5 only for specific services. In that case,
292 modify the files in `/etc/pam.d` for that particular service to use
302 `/etc/pam.conf` file that contains configuration for all programs. For
315 See the pam.conf(5) man page for more information. When using this
317 probably also need to add `retain_after_close` to the PAM configuration
330 `/usr/local/etc/krb5.conf`) instead or in addition to the PAM
333 The Kerberos library, via pam-krb5, will prompt the user to change their
335 only work when `ChallengeResponseAuthentication` is enabled. Unless
336 this option is enabled, OpenSSH doesn't pass PAM messages to the user
343 for `_kerberos-master` as well as `_kerberos`.
344 - title: Debugging
347 `debug` to the PAM options for the module (either in the PAM
353 `krb5.conf`. If pam-krb5 doesn't work, first check that `kinit` works
356 doing authentication via PAM, make sure that the keytab is current and
357 contains a key for `host/<system>` where <system> is the fully-qualified
358 hostname. pam-krb5 prevents KDC spoofing by checking the user's
361 with `klist -k` and `kinit -k`.
363 Be sure that all libraries and modules, including PAM modules, loaded by
365 PAM, such as current versions of OpenSSH, also link against Kerberos
367 and pam-krb5 is linked against a different set of Kerberos libraries,
374 - title: Implementation Notes
391 followed by closing the open PAM session. The corresponding `pam_sm_*`
397 When `pam_authenticate` is called, pam-krb5 creates a temporary ticket
398 cache in `/tmp` and sets the PAM environment variable `PAM_KRB5CCNAME`
400 the PAM session is closed and is there only to pass the initial
403 PAM environment between the calls to `pam_authenticate` and
420 pam-krb5 treats `pam_open_session` and `pam_setcred(PAM_ESTABLISH_CRED)`
436 PAM environment or calls `pam_close_session`, which it should do on user
455 Calling `pam_acct_mgmt` is optional; pam-krb5 doesn't do anything
461 return `PAM_IGNORE`, which tells the PAM library to proceed as if that
462 module wasn't listed in the PAM configuration at all.
465 pam-krb5 as the only PAM module would allow anyone to log in as root
470 By default, `pam_authenticate` intentionally does not follow the PAM
475 PAM behavior (returning success from `pam_authenticate` and
476 `PAM_NEW_AUTHTOK_REQD` from `pam_acct_mgmt`) can be enabled with the
496 What we do is set a flag in our PAM data structure saying that we're
506 our PAM data structure, but this would let the application gain access
508 PAM library guarantee. We could also work around this by having
512 - title: History and Acknowledgements
530 It was packaged by Sam Hartman as the Kerberos v5 PAM module for Debian