Lines Matching +full:system +full:- +full:on +full:- +full:module
11 pam_krb5 - Kerberos PAM module
22 The Kerberos service module for PAM, typically installed at
26 dynamically loaded by the PAM subsystem as necessary, based on the system
27 PAM configuration. PAM is a system for plugging in external
30 user session on that system. For details on how to configure PAM on your
31 system, see the PAM man page, often pam(7).
33 Here are the actions of this module when called from each group:
41 password (unless configured to use an already-entered password), and then
44 depending on the flags it is called with, either takes the contents of the
53 After doing the initial authentication, the Kerberos PAM module will
54 attempt to obtain tickets for a key in the local system keytab and then
56 is vulnerable to KDC spoofing, but it requires that the system have a
57 local key and that the PAM module be running as a user that can read the
59 module at a different keytab with the I<keytab> option. If that keytab
65 this PAM module.
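The anti-spoofing check described above (authenticate with the password, then fetch a ticket for a principal whose key is in the local keytab and confirm it decrypts) is easier to reason about with both sides of the exchange written out. The following is an added, deliberately simplified model; it is not pam-krb5's code and does not use Kerberos wire formats or Kerberos encryption types (PBKDF2 stands in for string2key, and a toy encrypt-then-MAC stands in for the ticket encryption). The host principal `host/login.example.com`, the user `alice` and both passwords are constructed for the demonstration.

```python
# Added, simplified model of the anti-spoofing check: NOT pam-krb5's code and NOT
# Kerberos wire crypto. Principal names and passwords below are constructed.
import hashlib
import hmac
import secrets

HOST_PRINC = "host/login.example.com"   # assumed: the host principal whose key is in the keytab


def string2key(password: str, principal: str) -> bytes:
    """Stand-in for Kerberos string2key (PBKDF2 with the principal as salt)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 10_000)


def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (n + 31) // 32
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(blocks))[:n]


def seal(key: bytes, msg: bytes) -> bytes:
    """Toy encrypt-then-MAC; the property that matters is that only a holder of
    `key` can produce a blob that open_sealed() accepts."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(msg, _stream(key, nonce, len(msg))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()


def open_sealed(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, "sha256").digest(), tag):
        raise ValueError("integrity check failed: wrong key")
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))


class KDC:
    """Genuine KDC: holds every principal's long-term key, including the host key."""

    def __init__(self, keys: dict):
        self.keys = dict(keys)
        self.master = secrets.token_bytes(32)        # seals TGTs so clients cannot read them

    def as_exchange(self, client: str):
        session = secrets.token_bytes(32)
        # AS-REP: session key under the client's password-derived key, plus an opaque TGT
        return seal(self.keys[client], session), seal(self.master, client.encode() + b"|" + session)

    def tgs_exchange(self, tgt: bytes, service: str) -> bytes:
        client, session = open_sealed(self.master, tgt).split(b"|", 1)
        # Service ticket sealed under the service's long-term key, i.e. the keytab key
        return seal(self.keys[service], client + b"|" + session)


class SpoofedKDC(KDC):
    """Attacker's KDC: knows the password the attacker will type, but not the host key."""

    def __init__(self, victim: str, attacker_password: str):
        super().__init__({victim: string2key(attacker_password, victim)})

    def tgs_exchange(self, tgt: bytes, service: str) -> bytes:
        client, session = open_sealed(self.master, tgt).split(b"|", 1)
        return seal(secrets.token_bytes(32), client + b"|" + session)   # forged under a random key


def pam_authenticate(kdc: KDC, user: str, password: str, keytab: dict) -> bool:
    """Auth step as the page describes it: check the password against the KDC's reply,
    then, if a local host key is readable, fetch a ticket for it and verify it decrypts."""
    try:
        enc_session, tgt = kdc.as_exchange(user)
        open_sealed(string2key(password, user), enc_session)
    except (KeyError, ValueError):
        return False                 # unknown principal or wrong password
    if HOST_PRINC not in keytab:
        return True                  # no readable keytab: the spoofing check is skipped
    try:
        body = open_sealed(keytab[HOST_PRINC], kdc.tgs_exchange(tgt, HOST_PRINC))
    except ValueError:
        return False                 # ticket was not made with our host key: KDC is spoofed
    return body.split(b"|", 1)[0] == user.encode()


def demo() -> dict:
    """Constructed scenario: legitimate KDC vs. an attacker's KDC, with and without a keytab."""
    host_key = secrets.token_bytes(32)
    real = KDC({"alice": string2key("correct horse", "alice"), HOST_PRINC: host_key})
    fake = SpoofedKDC("alice", "attacker-chosen")
    keytab = {HOST_PRINC: host_key}
    return {
        "real_kdc_good_password": pam_authenticate(real, "alice", "correct horse", keytab),
        "real_kdc_bad_password": pam_authenticate(real, "alice", "wrong", keytab),
        "spoofed_kdc_with_keytab": pam_authenticate(fake, "alice", "attacker-chosen", keytab),
        "spoofed_kdc_no_keytab": pam_authenticate(fake, "alice", "attacker-chosen", {}),
    }


if __name__ == "__main__":
    print(demo())
```

The last case in `demo()` is the one the caveat above is about: with no readable host key the password step alone succeeds against the attacker's KDC, because the attacker both chose the password and produced the reply it decrypts. Only the ticket for the keytab principal, which the attacker cannot forge, distinguishes the two KDCs.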
86 password to the PAM module. Also be aware that several other common PAM
93 the user's UID and RANDOM is six randomly-chosen letters. This can be
96 pam-krb5 does not use the default ticket cache location or
105 user's shell as a sub-process, wait for it to exit, and then close the PAM
125 configured to use an already entered one) and the PAM module then obtains
135 Unlike the normal Unix password module, this module will allow any user to
137 unlike the normal Unix password module, root will always be prompted for
144 Both the account and session management calls of the Kerberos PAM module
149 Note that this module assumes the network is available in order to do a
152 process. This means that using this module incautiously can make it
153 impossible to log on to console as root. For this reason, you should
155 authentication module such as B<pam_unix> first with a control field of
156 C<sufficient> so that the Kerberos PAM module will be skipped if local
159 This is not the same PAM module as the Kerberos PAM module available from
160 Sourceforge, or the one included on Red Hat systems. It supports many of
166 The Kerberos PAM module takes many options, not all of which are relevant
170 set in the system F<krb5.conf> file; if this is possible, it will be noted
179 To set an option for the PAM module in the system F<krb5.conf> file, put
182 The Kerberos PAM module will look for options either at the top level of
197 For more information on the syntax of F<krb5.conf>, see krb5.conf(5).
198 Note that options that depend on the realm will be set only on the basis
204 There is no difference to the PAM module whether options are specified at
206 case there are options that should be set for the PAM module but not for
212 configuration that was turned on in F<krb5.conf>.
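The [appdefaults] layout the page describes (options at the top level, in a pam subsection, or in a subsection named for the realm, with the pam subsection keeping options away from other applications) looks like this in practice. This is an added example, not the page's or pam-krb5's own text: EXAMPLE.COM, the keytab, cache and FAST armor paths are assumed values, and the options shown are ones this page names; each option's own entry states whether it can be set in krb5.conf, so check that before copying.

```conf
[appdefaults]
    # Options placed directly under [appdefaults] are visible to every Kerberos
    # application that reads this section; a "pam" subsection is read only by pam-krb5.
    pam = {
        # Realm-independent options (paths are assumed for this example)
        keytab     = /etc/krb5.keytab
        ccache_dir = /var/run/krb5cc

        # Options applied only when the realm is EXAMPLE.COM. The module looks for
        # a subsection named for the realm in addition to the top of the pam section.
        EXAMPLE.COM = {
            search_k5login = true
            try_pkinit     = true
            pkinit_user    = PKCS11:/usr/lib/pkcs11/lib/soft-pkcs11.so
            fast_ccache    = /var/cache/krb5/armor.ccache
        }
    }
```

Because the realm-specific block is resolved from the realm the module is using (normally the local default realm), a setting such as `try_pkinit` in EXAMPLE.COM's block has no effect on logins that are mapped to a different realm.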
215 pam-krb5 in which that option was added with the current meaning.
249 back on the local default realm. This is more convenient than running the
250 module multiple times with multiple default realms set with I<realm>, but
265 KDC returns principal unknown does the Kerberos PAM module fall back to
310 system account incorrectly authenticating as that system account.
330 directory, the module will instead open and read that F<.k5login> file,
335 B<sshd> without GSS-API support) to shared accounts. If there is no
354 enabled for the local realm, that PKINIT be configured on the local
355 system, and that the Kerberos library support FAST and anonymous PKINIT.
369 tried first, and the Kerberos PAM module will fall back on attempting
388 the local system. If <ccache_name> names a ticket cache that is readable
393 protect authentications done as non-root users (such as screensavers).
405 I<fast_ccache> will be tried first, and the Kerberos PAM module will fall
406 back on attempting anonymous PKINIT if that cache could not be used.
423 The default is the default system keytab (normally F</etc/krb5.keytab>),
425 that use this PAM module for authentication may wish to point it to
435 rather than in the normal default realm for this system. If this option
469 realm for this system. If this option is used, it should be set for all
474 the system will have to have a custom aname_to_localname mapping.
485 the complete password stack, and then calls each module again to do the
486 password change. After that preliminary check, the order of module
490 module is marked required or requisite. When using multiple password PAM
497 to network errors or password strength checking on the KDC, for example),
498 this module will clear the stored password in the PAM stack. This will
501 The Kerberos PAM module will not meddle with the stored password if it
506 first and falling back on the local Unix password database if that fails.
507 It therefore isn't the default. Turn it on (and list pam_krb5 first after
524 [3.11] By default, pam-krb5 lets the Kerberos library handle prompting for
538 If this option is set, pam-krb5 uses the fully correct PAM mechanism for
541 about enabling this option. It should normally only be turned on to solve
547 This option is only supported when pam-krb5 is built with MIT Kerberos.
557 [4.2] By default, pam-krb5 lets the Kerberos library handle prompting for
574 However, some system Kerberos libraries (such as Solaris's) have password
575 change prompting disabled in the Kerberos library; on those systems, you
583 [4.7] Normally, if pam-krb5 is able to canonicalize the principal to a
601 =item trace=<log-file>
629 B<gnome-screensaver> that call PAM as soon as the mouse is touched and
642 value of this string is highly dependent on the type of PKINIT
645 PKCS11:/usr/lib/pkcs11/lib/soft-pkcs11.so
647 to specify the module to use with a smart card. It may also point to a
659 from the value by C<=> or a boolean option (in which case it's turned on).
685 If PKINIT fails, the PAM module will fall back on regular password
686 authentication. This option is currently only supported if pam-krb5 was
689 If this option is set and pam-krb5 is built against MIT Kerberos, and
690 PKINIT fails and the module falls back to password authentication, the
692 modules. This is a bug in the interaction between the module and MIT
704 pam-krb5 was built against Heimdal 0.8rc1 or later or MIT Kerberos 1.12 or
741 [3.0] By default, the Kerberos PAM module password prompt is simply
742 "Password:". This avoids leaking any information about the system realm
745 user's principal. This string is also added before the colon on prompts
760 module to authenticate the user without prompting the user again. If no
761 previous module obtained the user's password, fail without prompting the
777 The major disadvantage of this option is that it means the PAM module will
779 module data for any subsequent modules. In other words, this option
780 cannot be used if another module is in the stack behind the Kerberos PAM
781 module and wants to use I<use_first_pass>. The Kerberos library also
790 probably not desired behavior, although it's not prohibited by the module.
808 Some PAM-enabled applications expect PAM modules to only prompt for
815 [1.0] If the authentication module isn't the first on the stack, and a
816 previous module obtained the user's password, use that password to
818 authentication fails, fall back on prompting the user for their password.
819 This option has no effect if the authentication module is first in the
820 stack or if no previous module obtained the user's password. Also see
829 [4.0] Use the new password obtained by a previous password module when
832 checked by another, prior module, such as B<pam_cracklib>.
838 [1.0] Use the password obtained by a previous authentication module to
840 module obtained the user's password for either an authentication or
841 password change, fall back on prompting the user. If a previous module
869 <pattern> points to a world-writable directory.
880 may be required on systems that use a cache type other than file as the
885 avoid using the system F</tmp> directory for user ticket caches, you may
888 system F</tmp> directory is full.
912 however, this isn't desirable. (On Solaris 8, for instance, the default
914 user's shell.) If this option is set, the PAM module will never destroy
943 used internal to the PAM module.
954 user and RANDOM is a random six-character string. The pattern may be
963 user-visible. RANDOM is a random six-character string.
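The cache-name pattern and the world-writable-directory warning above are two halves of one issue: a cache name an attacker can predict (UID only, no random suffix) in a shared directory like /tmp can be pre-planted as a symlink or file before the module creates it. The following added example, which is not pam-krb5's code, models the expansion described on this page (the user's UID plus a six-letter RANDOM suffix; the %u and %p substitutions for UID and PID are assumed here) and then creates the cache with the flags a careful module would use, showing that a planted symlink is refused rather than followed. The attacker's symlink and the temporary directory are constructed by the demo itself.

```python
# Added example, not pam-krb5's own code. %u/%p substitutions are an assumption;
# the UID and RANDOM tokens are the ones the page describes.
import os
import re
import secrets
import string
import tempfile


def expand_ccache_pattern(pattern: str, uid: int, pid: int, rng=secrets) -> str:
    """Expand %u (UID), %p (PID) and a trailing RANDOM (six random letters) in a pattern."""
    name = pattern.replace("%u", str(uid)).replace("%p", str(pid))
    if name.endswith("RANDOM"):
        name = name[:-len("RANDOM")] + "".join(rng.choice(string.ascii_letters) for _ in range(6))
    return name


def cache_path(name: str) -> str:
    """Return the on-disk path of a FILE: cache (an untyped name means FILE:)."""
    if ":" in name:
        ctype, residual = name.split(":", 1)
        if ctype.upper() != "FILE":
            raise ValueError(f"{ctype} caches are not files; there is no path to create")
        return residual
    return name


def create_cache_file(path: str) -> int:
    """Create the cache safely in a shared directory: O_EXCL refuses a pre-existing
    file, O_NOFOLLOW refuses a planted symlink, and mode 0600 applies from the first
    instant. Raises OSError instead of silently writing through a link."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    return os.open(path, flags, 0o600)


def demo(directory=None) -> dict:
    """Constructed scenario: an attacker planted a symlink at the predictable name
    (pattern without RANDOM); the randomised name cannot be pre-planted."""
    directory = directory or tempfile.mkdtemp(prefix="ccache-demo-")
    uid, pid = os.getuid(), os.getpid()
    results = {}

    predictable = cache_path(expand_ccache_pattern(f"FILE:{directory}/krb5cc_%u", uid, pid))
    os.symlink(os.path.join(directory, "victim-file"), predictable)   # attacker's planted link
    try:
        os.close(create_cache_file(predictable))
        results["predictable_name"] = "created through symlink (unsafe)"
    except OSError:
        results["predictable_name"] = "refused"

    randomised = cache_path(expand_ccache_pattern(f"FILE:{directory}/krb5cc_%u_RANDOM", uid, pid))
    os.close(create_cache_file(randomised))
    is_regular = os.path.isfile(randomised) and not os.path.islink(randomised)
    results["random_name"] = "created" if is_regular else "missing"
    results["random_name_format_ok"] = bool(
        re.fullmatch(re.escape(f"{directory}/krb5cc_{uid}_") + r"[A-Za-z]{6}", randomised))
    results["mode"] = oct(os.stat(randomised).st_mode & 0o777)
    return results


if __name__ == "__main__":
    print(demo())
```

Six random letters give roughly 19.7 billion names, which is what makes pre-planting impractical; the O_EXCL/O_NOFOLLOW creation is the belt to that suspender and is what turns a lost race into a refused login instead of a clobbered file. Pointing `ccache_dir` at a directory that is not world-writable removes the problem at its root.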
974 If I<try_pkinit> is set and pam-krb5 is built with MIT Kerberos, the
976 module falls back to password authentication.
980 Be sure to list this module in the session group as well as the auth group
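The stack-ordering advice scattered across this page (list a local module such as pam_unix first as sufficient so console root login survives a network outage; reuse an already-entered password with try_first_pass; take the new password from a strength checker such as pam_cracklib with use_authtok; and list the module in the session group as well as auth) comes together in one service file. This is an added example, not from the page or the pam-krb5 distribution; the file name, the pam_cracklib argument and the control flags are assumptions to adapt to your distribution's include scheme.

```conf
# /etc/pam.d/login  (added example; adapt to your distribution's include scheme)

# auth: the local module first and "sufficient", so a successful local login stops
# the stack and root can still log in on the console with the network down. If it
# fails, pam_krb5 runs; try_first_pass reuses the password pam_unix already
# collected and only prompts again if that password is rejected by Kerberos.
auth      sufficient  pam_unix.so
auth      required    pam_krb5.so try_first_pass

# account: include the module here too so its account checks run for Kerberos logins.
account   required    pam_krb5.so
account   required    pam_unix.so

# password: the strength checker goes first; use_authtok makes pam_krb5 change the
# Kerberos password to the value pam_cracklib already checked rather than prompting
# for it a second time. pam_unix then sees the same new password.
password  requisite   pam_cracklib.so retry=3
password  sufficient  pam_krb5.so use_authtok
password  required    pam_unix.so use_authtok

# session: the module must be listed here as well as in auth, as the caveat above
# says, so the ticket cache created at authentication is handled for the session.
session   required    pam_krb5.so
session   required    pam_unix.so
```

Keep the auth ordering in mind when reading the option descriptions: with pam_unix sufficient in front, use_first_pass on pam_krb5 would fail outright whenever pam_unix rejected the password, which is why try_first_pass is the safer choice for this layout.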
984 The Kerberos library, via pam-krb5, will prompt the user to change their
994 _kerberos-master as well as _kerberos.
997 requiring the system administrator to use C<optional> or C<sufficient> to
998 ignore the module and move on to the next module. It's arguably more
999 correct to return PAM_IGNORE, which causes the module to be ignored as if
1001 inadvertent security holes when listing pam-krb5 as the only
1002 authentication module.
1004 This module treats the empty password as an authentication failure
1007 intentionally has an empty password, it won't work with this module.
1009 This module will not refresh an existing ticket cache if called with an
1019 from a screensaver, pam-krb5 when used with these old versions of OpenSSH
1030 pam-krb5 was originally written by Frank Cusack. Andres Salomon made
1033 maintains the module.
1037 Copyright 2005-2010, 2014, 2020 Russ Allbery <eagle@eyrie.org>
1039 Copyright 2008-2014 The Board of Trustees of the Leland Stanford Junior
1044 this notice are preserved. This file is offered as-is, without any
1047 SPDX-License-Identifier: FSFAP
1053 The current version of this module is available from its web page at
1054 L<https://www.eyrie.org/~eagle/software/pam-krb5/>.