Lines Matching +full:system +full:- +full:on +full:- +full:module
1 .\" -*- mode: troff; coding: utf-8 -*-
33 .\" If the F register is >0, we'll generate index entries on stderr for
58 .TH PAM_KRB5 1 2025-06-05 "perl v5.40.2" "User Contributed Perl Documentation"
64 pam_krb5 \- Kerberos PAM module
75 The Kerberos service module for PAM, typically installed at
79 dynamically loaded by the PAM subsystem as necessary, based on the system
80 PAM configuration. PAM is a system for plugging in external
83 user session on that system. For details on how to configure PAM on your
84 system, see the PAM man page, often \fBpam\fR\|(7).
86 Here are the actions of this module when called from each group:
91 password (unless configured to use an already-entered password), and then
94 depending on the flags it is called with, either takes the contents of the
103 After doing the initial authentication, the Kerberos PAM module will
104 attempt to obtain tickets for a key in the local system keytab and then
106 is vulnerable to KDC spoofing, but it requires that the system have a
107 local key and that the PAM module be running as a user that can read the
109 module at a different keytab with the \fIkeytab\fR option. If that keytab
115 this PAM module.
136 password to the PAM module. Also be aware that several other common PAM
143 the user's UID and RANDOM is six randomly-chosen letters. This can be
146 pam\-krb5 does not use the default ticket cache location or
155 user's shell as a sub-process, wait for it to exit, and then close the PAM
172 configured to use an already entered one) and the PAM module then obtains
182 Unlike the normal Unix password module, this module will allow any user to
184 unlike the normal Unix password module, root will always be prompted for
189 Both the account and session management calls of the Kerberos PAM module
194 Note that this module assumes the network is available in order to do a
197 process. This means that using this module incautiously can make it
198 impossible to log on to console as root. For this reason, you should
200 authentication module such as \fBpam_unix\fR first with a control field of
201 \&\f(CW\*(C`sufficient\*(C'\fR so that the Kerberos PAM module will be skipped if local
204 This is not the same PAM module as the Kerberos PAM module available from
205 Sourceforge, or the one included on Red Hat systems. It supports many of
210 The Kerberos PAM module takes many options, not all of which are relevant
214 set in the system \fIkrb5.conf\fR file; if this is possible, it will be noted
223 To set an option for the PAM module in the system \fIkrb5.conf\fR file, put
226 The Kerberos PAM module will look for options either at the top level of
243 For more information on the syntax of \fIkrb5.conf\fR, see \fBkrb5.conf\fR\|(5).
244 Note that options that depend on the realm will be set only on the basis
250 There is no difference to the PAM module whether options are specified at
252 case there are options that should be set for the PAM module but not for
258 configuration that was turned on in \fIkrb5.conf\fR.
261 pam\-krb5 in which that option was added with the current meaning.
296 back on the local default realm. This is more convenient than running the
297 module multiple times with multiple default realms set with \fIrealm\fR, but
311 KDC returns principal unknown does the Kerberos PAM module fall back to
353 system account incorrectly authenticating as that system account.
371 directory, the module will instead open and read that \fI.k5login\fR file,
376 \&\fBsshd\fR without GSS-API support) to shared accounts. If there is no
390 enabled for the local realm, that PKINIT be configured on the local
391 system, and that the Kerberos library support FAST and anonymous PKINIT.
405 tried first, and the Kerberos PAM module will fall back on attempting
423 the local system. If <ccache_name> names a ticket cache that is readable
428 protect authentications done as non-root users (such as screensavers).
440 \&\fIfast_ccache\fR will be tried first, and the Kerberos PAM module will fall
441 back on attempting anonymous PKINIT if that cache could not be used.
456 The default is the default system keytab (normally \fI/etc/krb5.keytab\fR),
458 that use this PAM module for authentication may wish to point it to
467 rather than in the normal default realm for this system. If this option
498 realm for this system. If this option is used, it should be set for all
503 the system will have to have a custom aname_to_localname mapping.
509 the complete password stack, and then calls each module again to do the
510 password change. After that preliminary check, the order of module
514 module is marked required or requisite. When using multiple password PAM
521 to network errors or password strength checking on the KDC, for example),
522 this module will clear the stored password in the PAM stack. This will
525 The Kerberos PAM module will not meddle with the stored password if it
530 first and falling back on the local Unix password database if that fails.
531 It therefore isn't the default. Turn it on (and list pam_krb5 first after
546 [3.11] By default, pam\-krb5 lets the Kerberos library handle prompting for
560 If this option is set, pam\-krb5 uses the fully correct PAM mechanism for
563 about enabling this option. It should normally only be turned on to solve
569 This option is only supported when pam\-krb5 is built with MIT Kerberos.
578 [4.2] By default, pam\-krb5 lets the Kerberos library handle prompting for
594 However, some system Kerberos libraries (such as Solaris's) have password
595 change prompting disabled in the Kerberos library; on those systems, you
602 [4.7] Normally, if pam\-krb5 is able to canonicalize the principal to a
618 .IP trace=<log\-file> 4
619 .IX Item "trace=<log-file>"
640 \&\fBgnome-screensaver\fR that call PAM as soon as the mouse is touched and
652 value of this string is highly dependent on the type of PKINIT
656 \& PKCS11:/usr/lib/pkcs11/lib/soft\-pkcs11.so
659 to specify the module to use with a smart card. It may also point to a
670 from the value by \f(CW\*(C`=\*(C'\fR or a boolean option (in which case it's turned on).
695 If PKINIT fails, the PAM module will fall back on regular password
696 authentication. This option is currently only supported if pam\-krb5 was
699 If this option is set and pam\-krb5 is built against MIT Kerberos, and
700 PKINIT fails and the module falls back to password authentication, the
702 modules. This is a bug in the interaction between the module and MIT
713 pam\-krb5 was built against Heimdal 0.8rc1 or later or MIT Kerberos 1.12 or
746 [3.0] By default, the Kerberos PAM module password prompt is simply
747 "Password:". This avoids leaking any information about the system realm
750 user's principal. This string is also added before the colon on prompts
764 module to authenticate the user without prompting the user again. If no
765 previous module obtained the user's password, fail without prompting the
780 The major disadvantage of this option is that it means the PAM module will
782 module data for any subsequent modules. In other words, this option
783 cannot be used if another module is in the stack behind the Kerberos PAM
784 module and wants to use \fIuse_first_pass\fR. The Kerberos library also
793 probably not desired behavior, although it's not prohibited by the module.
810 Some PAM-enabled applications expect PAM modules to only prompt for
816 [1.0] If the authentication module isn't the first on the stack, and a
817 previous module obtained the user's password, use that password to
819 authentication fails, fall back on prompting the user for their password.
820 This option has no effect if the authentication module is first in the
821 stack or if no previous module obtained the user's password. Also see
829 [4.0] Use the new password obtained by a previous password module when
832 checked by another, prior module, such as \fBpam_cracklib\fR.
837 [1.0] Use the password obtained by a previous authentication module to
839 module obtained the user's password for either an authentication or
840 password change, fall back on prompting the user. If a previous module
863 <pattern> points to a world-writable directory.
873 may be required on systems that use a cache type other than file as the
878 avoid using the system \fI/tmp\fR directory for user ticket caches, you may
881 system \fI/tmp\fR directory is full.
903 however, this isn't desirable. (On Solaris 8, for instance, the default
905 user's shell.) If this option is set, the PAM module will never destroy
928 used internal to the PAM module.
934 user and RANDOM is a random six-character string. The pattern may be
942 user-visible. RANDOM is a random six-character string.
949 If \fItry_pkinit\fR is set and pam\-krb5 is built with MIT Kerberos, the
951 module falls back to password authentication.
954 Be sure to list this module in the session group as well as the auth group
958 The Kerberos library, via pam\-krb5, will prompt the user to change their
968 _kerberos\-master as well as _kerberos.
971 requiring the system administrator to use \f(CW\*(C`optional\*(C'\fR or \f(CW\*(C`sufficient\*(C'\f…
972 ignore the module and move on to the next module. It's arguably more
973 correct to return PAM_IGNORE, which causes the module to be ignored as if
975 inadvertent security holes when listing pam\-krb5 as the only
976 authentication module.
978 This module treats the empty password as an authentication failure
981 intentionally has an empty password, it won't work with this module.
983 This module will not refresh an existing ticket cache if called with an
993 from a screensaver, pam\-krb5 when used with these old versions of OpenSSH
1003 pam\-krb5 was originally written by Frank Cusack. Andres Salomon made
1006 maintains the module.
1009 Copyright 2005\-2010, 2014, 2020 Russ Allbery <eagle@eyrie.org>
1011 Copyright 2008\-2014 The Board of Trustees of the Leland Stanford Junior
1016 this notice are preserved. This file is offered as-is, without any
1019 SPDX-License-Identifier: FSFAP
1024 The current version of this module is available from its web page at
1025 <https://www.eyrie.org/~eagle/software/pam\-krb5/>.