Lines Matching +full:system +full:- +full:on +full:- +full:module

1 # Package metadata for pam-krb5.
10 # Copyright 2017, 2020-2021 Russ Allbery <eagle@eyrie.org>
12 # SPDX-License-Identifier: BSD-3-clause or GPL-1+
16 name: pam-krb5
19 synopsis: PAM module for Kerberos authentication
22 name: BSD-3-clause-or-GPL-1+
24 - holder: Russ Allbery <eagle@eyrie.org>
25 years: 2005-2010, 2014-2015, 2017, 2020-2021
26 - holder: The Board of Trustees of the Leland Stanford Junior University
27 years: 2009-2011
28 - holder: Andres Salomon <dilinger@debian.org>
30 - holder: Frank Cusack <fcusack@fcusack.com>
31 years: 1999-2000
40 The module will be installed in `/usr/local/lib/security` by default, but
41 expect to have to override this using `--libdir`. The correct
43 The module will always be installed in a subdirectory named `security`
44 under the specified value of `--libdir`. On Red Hat Linux, for example,
45 `--libdir=/usr/lib64` is appropriate to install the module into the system
46 PAM directory. On Debian's amd64 architecture,
47 `--libdir=/usr/lib/x86_64-linux-gnu` would be correct.
54 package: libpam-krb5
57 later releases as libpam-krb5 and libpam-heimdal. The former packages
61 tarname: pam-krb5
62 version: pam-krb5
65 github: rra/pam-krb5
66 web: https://www.eyrie.org/~eagle/software/pam-krb5/
68 browse: https://git.eyrie.org/?p=kerberos/pam-krb5.git
69 github: rra/pam-krb5
74 url: https://git.eyrie.org/git/kerberos/pam-krb5.git
78 date: 2003-11-17
85 - date: 2020-03-30
88 - date: 2009-02-11
93 - name: pam-krb5
97 pam-krb5 is a Kerberos PAM module for either MIT Kerberos or Heimdal. It
99 handling, authentication of non-local accounts for network services,
108 pam-krb5 provides a Kerberos PAM module that supports authentication, user
112 through entries in the system krb5.conf file, and it tries to work around
113 PAM implementation flaws in commonly-used PAM-enabled applications such as
117 This is not the Kerberos PAM module maintained on Sourceforge and used on
120 the Sourceforge module does not (particularly around authorization), and
122 Kerberos) that it does. This module will never support Kerberos v4 or AFS.
123 For an AFS session module that works with this module (or any other Kerberos
124 PAM module), see
125 [pam-afs-session](https://www.eyrie.org/~eagle/software/pam-afs-session/).
128 Sourceforge PAM module that you're missing in this module, please let me
132 Either MIT Kerberos (or Kerberos implementations based on it) or Heimdal are
133 supported. MIT Kerberos 1.3 or later may be required; this module has not
146 This module should work on Linux and build with gcc or clang. It may still
147 work on Solaris and build with the Sun C compiler, but I have only tested it
148 on Linux recently. There is beta-quality support for the AIX NAS Kerberos
150 will probably require some porting, although untested build system support
151 is present for FreeBSD, Mac OS X, and HP-UX. I personally can only test on
152 Linux and rely on others to report problems on other operating systems.
159 the PAM level from a screensaver, pam-krb5 when used with these old versions
171 pam-krb5 comes with a comprehensive test suite, but it requires some
172 configuration in order to test anything other than low-level utility
182 The default libkadm5clnt library on the system must match the
183 implementation of your KDC for the module/expired test to work, since the
188 Several `module/expired` tests are expected to fail with Heimdal 1.5 due
190 library-mediated password change of an expired password. This is fixed in
199 All are available on CPAN. Those tests will be skipped if the modules are
203 - title: Configuring
205 Just installing the module does not enable it or change anything about
206 your system authentication configuration. To use the module for all
207 system authentication on Debian systems, put something like:
214 in `/etc/pam.d/common-auth`, something like:
221 in `/etc/pam.d/common-session`, and something like:
228 in `/etc/pam.d/common-account`. The `minimum_uid` setting tells the PAM
229 module to pass on any users with a UID lower than 1000, thereby
230 bypassing Kerberos authentication for the root account and any system
234 Kerberos principals that happen to match system accounts accidentally
237 Be sure to include the module in the session group as well as the auth
249 in `/etc/pam.d/common-password` will change users' passwords in Kerberos
250 by default and then only fall back on Unix if that doesn't work. (You
251 can make this tighter by using the more complex new-style PAM
272 strength rules on the KDC, for example), it will clear the stored
281 status of ignore, not success, if the user didn't log on with Kerberos.
288 On Red Hat systems, modify `/etc/pam.d/system-auth` instead, which
291 You can also use pam-krb5 only for specific services. In that case,
295 and `no_ccache` options to the authenticate module. `.k5login`
299 Configuring the module for Solaris is both simpler and less flexible,
301 Solaris with which this module was extensively tested) use a single
303 console login on Solaris, try something like:
316 module with Solaris login (at least on Solaris 8 and 9), you will
323 password change for expired accounts on Solaris with native Kerberos may
333 The Kerberos library, via pam-krb5, will prompt the user to change their
343 for `_kerberos-master` as well as `_kerberos`.
344 - title: Debugging
346 The first step when debugging any problems with this module is to add
347 `debug` to the PAM options for the module (either in the PAM
349 logging from the module and should provide a trace of exactly what
353 `krb5.conf`. If pam-krb5 doesn't work, first check that `kinit` works
354 on the same system. That will test your basic Kerberos configuration.
355 If the system has a keytab file installed that's readable by the process
357 contains a key for `host/<system>` where <system> is the fully-qualified
358 hostname. pam-krb5 prevents KDC spoofing by checking the user's
361 with `klist -k` and `kinit -k`.
367 and pam-krb5 is linked against a different set of Kerberos libraries,
373 software on the system against those libraries.
374 - title: Implementation Notes
392 functions in this module are called when an application calls those
397 When `pam_authenticate` is called, pam-krb5 creates a temporary ticket
401 credentials to the call to `pam_setcred`. The module would use a memory
410 possible, but this requires read access to the system keytab. If the
420 pam-krb5 treats `pam_open_session` and `pam_setcred(PAM_ESTABLISH_CRED)`
428 module settings the last time it calls them).
436 PAM environment or calls `pam_close_session`, which it should do on user
450 cache, the module instead finds the current ticket cache (from the
455 Calling `pam_acct_mgmt` is optional; pam-krb5 doesn't do anything
462 module wasn't listed in the PAM configuration at all.
465 pam-krb5 as the only PAM module would allow anyone to log in as root
467 `PAM_IGNORE` instead would improve the module's behavior, but if you
512 - title: History and Acknowledgements
520 > Although no code in this module is directly from these authors'
522 > from whichever of these authors originally wrote the first module the
526 The module was then patched for the FreeBSD ports collection with
530 It was packaged by Sam Hartman as the Kerberos v5 PAM module for Debian
537 for compatibility with the Sourceforge module, commented and