Lines Matching +full:pam +full:- +full:enabled

1 .\" -*- mode: troff; coding: utf-8 -*-
58 .TH PAM_KRB5 1 2025-06-05 "perl v5.40.2" "User Contributed Perl Documentation"
64 pam_krb5 \- Kerberos PAM module
75 The Kerberos service module for PAM, typically installed at
76 \&\fI/lib/security/pam_krb5.so\fR, provides functionality for the four PAM
79 dynamically loaded by the PAM subsystem as necessary, based on the system
80 PAM configuration. PAM is a system for plugging in external
83 user session on that system. For details on how to configure PAM on your
84 system, see the PAM man page, often \fBpam\fR\|(7).
90 former takes the username from the PAM session, prompts for the user's
91 password (unless configured to use an already-entered password), and then
103 After doing the initial authentication, the Kerberos PAM module will
107 local key and that the PAM module be running as a user that can read the
108 keytab file (normally \fI/etc/krb5.keytab\fR). You can point the Kerberos PAM
115 this PAM module.
128 If the username provided to PAM contains an \f(CW\*(C`@\*(C'\fR and Kerberos can,
130 \&\fBpam_authenticate()\fR will change the PAM user to that local account name.
136 password to the PAM module. Also be aware that several other common PAM
143 the user's UID and RANDOM is six randomly-chosen letters. This can be
146 pam\-krb5 does not use the default ticket cache location or
153 ticket cache so that it will be deleted when the PAM session is closed.
155 user's shell as a sub-process, wait for it to exit, and then close the PAM
172 configured to use an already entered one) and the PAM module then obtains
189 Both the account and session management calls of the Kerberos PAM module
190 will return PAM_IGNORE if called in the context of a PAM session for a
192 the Linux PAM configuration language).
201 \&\f(CW\*(C`sufficient\*(C'\fR so that the Kerberos PAM module will be skipped if local
204 This is not the same PAM module as the Kerberos PAM module available from
210 The Kerberos PAM module takes many options, not all of which are relevant
211 to every PAM group; options that are not relevant will be silently
212 ignored. Any of these options can be set in the PAM configuration as
217 To set a boolean option in the PAM configuration file, just give the name
221 the PAM configuration.
223 To set an option for the PAM module in the system \fIkrb5.conf\fR file, put
226 The Kerberos PAM module will look for options either at the top level of
227 the \f(CW\*(C`[appdefaults]\*(C'\fR section or in a subsection named \f(CW\*(C`pam\*(C'\fR, inside …
235 \& pam = {
250 There is no difference to the PAM module whether options are specified at
251 the top level or in a \f(CW\*(C`pam\*(C'\fR section; the \f(CW\*(C`pam\*(C'\fR section is supported…
252 case there are options that should be set for the PAM module but not for
255 If the same option is set in \fIkrb5.conf\fR and in the PAM configuration,
257 syntax, there's no way to turn off a boolean option in the PAM
261 pam\-krb5 in which that option was added with the current meaning.
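The option-placement rules above (top level of \f(CW\*(C`[appdefaults]\*(C'\fR, a \f(CW\*(C`pam\*(C'\fR subsection, and PAM-configuration options applied after \fIkrb5.conf\fR) are easiest to see in a concrete fragment. The following \fIkrb5.conf\fR excerpt is an added illustration, not text from the pam\-krb5 man page or from the project; the realm names, the cache directory and every option value are assumptions chosen for the example.

```ini
# Added example, not part of the pam-krb5 documentation.
# Realm names, paths and values are assumed for illustration.
[libdefaults]
    default_realm = EXAMPLE.COM

[appdefaults]
    # Top level of [appdefaults]: pam-krb5 reads these, and so does any
    # other Kerberos application that consults [appdefaults].
    forwardable = true
    renew_lifetime = 7d

    # Realm-qualified subsection at the top level: applies to this realm
    # for every application that honours [appdefaults].
    EXAMPLE.COM = {
        minimum_uid = 500
    }

    # The pam subsection is read only by pam-krb5, so options that should
    # not affect other applications belong here. Options given here are
    # equivalent to the same options at the top level as far as pam-krb5
    # is concerned; the split only matters for other consumers.
    pam = {
        # Overrides the top-level value above for pam-krb5 only.
        minimum_uid = 1000
        # Keep ticket caches out of /tmp. The directory must already exist
        # and must not be world-writable (assumed site policy).
        ccache_dir = /var/lib/krb5cc
        # Try PKINIT first and fall back to password authentication.
        try_pkinit = true
        pkinit_user = PKCS11:/usr/lib/pkcs11/lib/soft-pkcs11.so
        # Realm-qualified subsection inside pam (assumed realm name).
        OTHER.EXAMPLE.COM = {
            search_k5login = true
        }
    }
```

A line such as `auth sufficient pam_krb5.so minimum_uid=2000` in the PAM configuration would then take precedence over every `minimum_uid` setting in this file for that service, because options from the PAM configuration are applied after those read from \fIkrb5.conf\fR. The reverse is not available: a boolean turned on in \fIkrb5.conf\fR cannot be switched off again from the PAM configuration syntax, so site-wide booleans belong in \fIkrb5.conf\fR only when every service that loads the module should have them.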
302 normally it doesn't make sense to do that; normally it is used in the PAM
311 KDC returns principal unknown does the Kerberos PAM module fall back to
334 PAM library to proceed as if they weren't mentioned in the PAM
346 (including pam_setcred) will return PAM_IGNORE, telling the PAM library to
347 proceed as if they weren't mentioned in the PAM configuration.
376 \&\fBsshd\fR without GSS-API support) to shared accounts. If there is no
390 enabled for the local realm, that PKINIT be configured on the local
405 tried first, and the Kerberos PAM module will fall back on attempting
428 protect authentications done as non-root users (such as screensavers).
440 \&\fIfast_ccache\fR will be tried first, and the Kerberos PAM module will fall
458 that use this PAM module for authentication may wish to point it to
504 .SS "PAM Behavior"
505 .IX Subsection "PAM Behavior"
508 [3.9] When changing passwords, PAM first does a preliminary check through
513 password PAM modules in the stack will still be called even if the failing
514 module is marked required or requisite. When using multiple password PAM
522 this module will clear the stored password in the PAM stack. This will
525 The Kerberos PAM module will not meddle with the stored password if it
528 Unfortunately, setting this option interferes with other desirable PAM
540 LOG_DEBUG priority, including entry and exit from each of the external PAM
546 [3.11] By default, pam\-krb5 lets the Kerberos library handle prompting for
550 According to the PAM standard, this is not the correct way to handle
560 If this option is set, pam\-krb5 uses the fully correct PAM mechanism for
569 This option is only supported when pam\-krb5 is built with MIT Kerberos.
578 [4.2] By default, pam\-krb5 lets the Kerberos library handle prompting for
602 [4.7] Normally, if pam\-krb5 is able to canonicalize the principal to a
604 the PAM_USER variable for this PAM session to the canonicalized local
615 the PAM configuration.
618 .IP trace=<log\-file> 4
619 .IX Item "trace=<log-file>"
640 \&\fBgnome-screensaver\fR that call PAM as soon as the mouse is touched and
656 \& PKCS11:/usr/lib/pkcs11/lib/soft\-pkcs11.so
672 the PAM configuration, this option can be given multiple times to set
688 remove a setting made in \fIkrb5.conf\fR using the PAM configuration, but
689 options set in the PAM configuration are applied after options set in
695 If PKINIT fails, the PAM module will fall back on regular password
696 authentication. This option is currently only supported if pam\-krb5 was
699 If this option is set and pam\-krb5 is built against MIT Kerberos, and
701 user's password will not be stored in the PAM stack for subsequent
713 pam\-krb5 was built against Heimdal 0.8rc1 or later or MIT Kerberos 1.12 or
739 If set in the PAM configuration, <banner> may not contain whitespace. If
746 [3.0] By default, the Kerberos PAM module password prompt is simply
753 Enabling this option with ChallengeResponseAuthentication enabled in
756 \&\fIsearch_k5login\fR is enabled since the principal displayed would be
780 The major disadvantage of this option is that it means the PAM module will
781 never see the user's password and therefore cannot save it in the PAM
783 cannot be used if another module is in the stack behind the Kerberos PAM
788 ChallengeResponseAuthentication is enabled, since clients may not
810 Some PAM-enabled applications expect PAM modules to only prompt for
863 <pattern> points to a world-writable directory.
888 shouldn't be set in general, but is useful as part of the PAM
889 configuration for a particular service that uses PAM for authentication
894 with this option. Don't use this option if the application needs PAM
905 user's shell.) If this option is set, the PAM module will never destroy
926 it was not called in the same PAM session as \fBpam_authenticate()\fR (a problem
928 used internal to the PAM module.
934 user and RANDOM is a random six-character string. The pattern may be
940 by \fBpam_authenticate()\fR. This cache is removed again when the PAM session
942 user-visible. RANDOM is a random six-character string.
949 If \fItry_pkinit\fR is set and pam\-krb5 is built with MIT Kerberos, the
950 user's password is not saved in the PAM data if PKINIT fails and the
958 The Kerberos library, via pam\-krb5, will prompt the user to change their
960 only work when ChallengeResponseAuthentication is enabled. Unless this
961 option is enabled, OpenSSH doesn't pass PAM messages to the user and can
968 _kerberos\-master as well as _kerberos.
975 inadvertent security holes when listing pam\-krb5 as the only
992 be created. Since this behavior is indistinguishable at the PAM level
993 from a screensaver, pam\-krb5 when used with these old versions of OpenSSH
1003 pam\-krb5 was originally written by Frank Cusack. Andres Salomon made
1009 Copyright 2005\-2010, 2014, 2020 Russ Allbery <eagle@eyrie.org>
1011 Copyright 2008\-2014 The Board of Trustees of the Leland Stanford Junior
1016 this notice are preserved. This file is offered as-is, without any
1019 SPDX-License-Identifier: FSFAP
1022 \&\fBkadmin\fR\|(8), \fBkdestroy\fR\|(1), \fBkrb5.conf\fR\|(5), \fBpam\fR\|(7), \fBpasswd\fR\|(1), …
1025 <https://www.eyrie.org/~eagle/software/pam\-krb5/>.