Lines Matching full:and

19 .\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
34 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
77 operations: authentication, account management, session management, and
81 authentication and session management modules so that each application
89 Provides implementations of \fBpam_authenticate()\fR and \fBpam_setcred()\fR. The
91 password (unless configured to use an already-entered password), and then
95 temporary ticket cache and writes it out to a persistent ticket cache
104 attempt to obtain tickets for a key in the local system keytab and then
107 local key and that the PAM module be running as a user that can read the
119 this function is to check the user's account for a \fI.k5login\fR file and,
122 the user's principal is in the default local realm and the user portion of
128 If the username provided to PAM contains an \f(CW\*(C`@\*(C'\fR and Kerberos can,
131 This allows users to log in with their Kerberos principal and let Kerberos
135 accounts before this remapping can be done and will pass an invalid
138 \&\fBgetpwnam()\fR and cannot be called before pam_krb5 when using this feature.
143 the user's UID and RANDOM is six randomly-chosen letters. This can be
144 configured with the \fIccache\fR and \fIccache_dir\fR options.
155 user's shell as a sub-process, wait for it to exit, and then close the PAM
160 calling \fBpam_setcred()\fR with the PAM_ESTABLISH_CRED flag, and
172 configured to use an already entered one) and the PAM module then obtains
176 password), and then does a Kerberos password change.
189 Both the account and session management calls of the Kerberos PAM module
206 the same options, has some additional options, and doesn't support some of
219 follow the option name with an equal sign (=) and the value, with no
225 by an equal sign (=) and a value, so for boolean options add \f(CW\*(C`= true\*(C'\fR.
230 1000, and set \fIignore_k5login\fR only if the realm is EXAMPLE.COM.
255 If the same option is set in \fIkrb5.conf\fR and in the PAM configuration,
275 principal first and then fall back to the standard behavior if it fails.
284 and then falls back to the regular username (but see \fIforce_alt_auth\fR and
288 alternative realm first and then fall back to the primary realm. A
295 will attempt authentication in the EXAMPLE.COM realm first and then fall
298 it is very limited: only two realms can be tried, and the alternate realm
304 the auth and account groups. If this option is set for the auth group, be
309 [3.12] This option is used with \fIalt_auth_map\fR and forces authentication
315 This option can be set in \f(CW\*(C`[appdefaults]\*(C'\fR in \fIkrb5.conf\fR and is only
326 This option can be set in \f(CW\*(C`[appdefaults]\*(C'\fR in \fIkrb5.conf\fR and is only
327 applicable to the auth and account groups.
332 via a control of \f(CW\*(C`optional\*(C'\fR or \f(CW\*(C`sufficient\*(C'\fR), and the account and
335 configuration. This option is supported and will remain, but normally you
342 a local account and that local account has a UID lower than <uid>. If
343 both of those conditions are true, the authentication and password calls
345 \&\f(CW\*(C`optional\*(C'\fR or \f(CW\*(C`sufficient\*(C'\fR), and the account and session calls
358 [3.12] This option is used with \fIalt_auth_map\fR and forces the use of the
360 authentication in all cases and overrides \fIsearch_k5login\fR and
361 \&\fIforce_alt_auth\fR. If \fIalt_auth_map\fR is not set, it has no effect and
364 This option can be set in \f(CW\*(C`[appdefaults]\*(C'\fR in \fIkrb5.conf\fR and is only
370 this option is set and the local user has a \fI.k5login\fR file in their home
371 directory, the module will instead open and read that \fI.k5login\fR file,
381 This option can be set in \f(CW\*(C`[appdefaults]\*(C'\fR in \fIkrb5.conf\fR and is only
388 first authenticating as the anonymous user (WELLKNOWN/ANONYMOUS) and using
391 system, and that the Kerberos library support FAST and anonymous PKINIT.
397 obtain that key and then uses it to protect the subsequent authentication.
399 If anonymous PKINIT is not available or fails, FAST will not be used and
403 \&\fIfast_ccache\fR instead of this option. If both \fIfast_ccache\fR and
405 tried first, and the Kerberos PAM module will fall back on attempting
408 This option can be set in \f(CW\*(C`[appdefaults]\*(C'\fR in \fIkrb5.conf\fR and is only
409 applicable to the auth and password groups.
412 cache is created and destroyed automatically. If both \fIfast_ccache\fR and
413 \&\fIanon_fast\fR options are used, the \fIfast_ccache\fR takes precedence and no
424 by the authenticating process and has tickets then FAST will be attempted.
431 does not exist or is not readable, FAST will not be used and authentication
437 ticket cache is required, but requires PKINIT be available and configured
439 \&\fIfast_ccache\fR and \fIanon_fast\fR are set, the ticket cache named by
440 \&\fIfast_ccache\fR will be tried first, and the Kerberos PAM module will fall
443 This option can be set in \f(CW\*(C`[appdefaults]\*(C'\fR in \fIkrb5.conf\fR and is only
444 applicable to the auth and password groups.
451 This option can be set in \f(CW\*(C`[appdefaults]\*(C'\fR in \fIkrb5.conf\fR and is only
462 This option can be set in \f(CW\*(C`[appdefaults]\*(C'\fR in \fIkrb5.conf\fR and is only
466 [2.2] Set the default Kerberos realm and obtain credentials in that realm,
484 This option can be set in \f(CW\*(C`[appdefaults]\*(C'\fR in \fIkrb5.conf\fR and is only
493 This option can be set in \f(CW\*(C`[appdefaults]\*(C'\fR in \fIkrb5.conf\fR and is only
509 the complete password stack, and then calls each module again to do the
520 option is set and a Kerberos password change is attempted and fails (due
530 first and falling back on the local Unix password database if that fails.
531 It therefore isn't the default. Turn it on (and list pam_krb5 first after
535 This option can be set in \f(CW\*(C`[appdefaults]\*(C'\fR in \fIkrb5.conf\fR and is only
539 [1.0] Log more verbose trace and debugging information to syslog at
540 LOG_DEBUG priority, including entry and exit from each of the external PAM
552 without attempting a password change, and then \fBpam_acct_mgmt()\fR should
556 applications call \fBpam_acct_mgmt()\fR and check its return status; otherwise,
565 support prompting for password changes during authentication), and then
566 only for specific applications known to call \fBpam_acct_mgmt()\fR and check its
570 If built against Heimdal, this option does nothing and normal expired
574 This option can be set in \f(CW\*(C`[appdefaults]\*(C'\fR in \fIkrb5.conf\fR and is only
582 \&\fIdefer_pwchange\fR and \fIforce_pwchange\fR.
584 This option can be set in \f(CW\*(C`[appdefaults]\*(C'\fR in \fIkrb5.conf\fR and is only
588 [3.11] If this option is set and authentication fails with a Kerberos
592 for you, and setting this option will prompt the user twice to change
598 This option can be set in \f(CW\*(C`[appdefaults]\*(C'\fR in \fIkrb5.conf\fR and is only
605 name. Setting this option disables this behavior and leaves PAM_USER set
608 This option can be set in \f(CW\*(C`[appdefaults]\*(C'\fR in \fIkrb5.conf\fR and is only
612 [1.0] Don't show messages and errors from Kerberos, such as warnings of
617 This option is only applicable to the auth and password groups.
634 This option can be set in \f(CW\*(C`[appdefaults]\*(C'\fR in \fIkrb5.conf\fR and is only
635 applicable to the auth and password groups.
640 \&\fBgnome-screensaver\fR that call PAM as soon as the mouse is touched and
643 set, a user who wishes to use a password instead can just press Enter and
647 This option can be set in \f(CW\*(C`[appdefaults]\*(C'\fR in \fIkrb5.conf\fR and is only
648 applicable to the auth and password groups.
664 This option can be set in \f(CW\*(C`[appdefaults]\*(C'\fR in \fIkrb5.conf\fR and is only
665 applicable to the auth and password groups.
678 this writing, \f(CW\*(C`X509_user_identity\*(C'\fR is equivalent to \fIpkinit_user\fR and
686 This option can be set in \f(CW\*(C`[appdefaults]\*(C'\fR in \fIkrb5.conf\fR and is only
687 applicable to the auth and password groups. Note that there is no way to
690 \&\fIkrb5.conf\fR and therefore may override earlier settings.
699 If this option is set and pam\-krb5 is built against MIT Kerberos, and
700 PKINIT fails and the module falls back to password authentication, the
702 modules. This is a bug in the interaction between the module and MIT
706 This option can be set in \f(CW\*(C`[appdefaults]\*(C'\fR in \fIkrb5.conf\fR and is only
707 applicable to the auth and password groups.
717 responder without a prompter, and thus any informational messages from the
720 This option can be set in \f(CW\*(C`[appdefaults]\*(C'\fR in \fIkrb5.conf\fR and is only
721 applicable to the auth and password groups.
742 This option can be set in \f(CW\*(C`[appdefaults]\*(C'\fR in \fIkrb5.conf\fR and is only
759 This option can be set in \f(CW\*(C`[appdefaults]\*(C'\fR in \fIkrb5.conf\fR and is only
760 applicable to the auth and password groups.
766 user. Also see \fItry_first_pass\fR and \fIuse_first_pass\fR for weaker
769 This option is only applicable to the auth and password groups. For the
775 password to the Kerberos library and let the Kerberos library do the
777 configured to use other authentication mechanisms than passwords and needs
781 never see the user's password and therefore cannot save it in the PAM
784 module and wants to use \fIuse_first_pass\fR. The Kerberos library also
785 usually includes the principal in the prompt, and therefore this option
795 This option is only applicable to the auth and password groups. For the
808 Be cautious when using this configuration option and don't use it with
811 passwords and may even blindly give the password to the first prompt, no
813 may expose the user's password in log messages and Kerberos requests.
816 [1.0] If the authentication module isn't the first on the stack, and a
822 \&\fIuse_first_pass\fR and \fIforce_first_pass\fR for stronger versions of this
825 This option is only applicable to the auth and password groups. For the
843 \&\fItry_first_pass\fR and \fIforce_first_pass\fR for other versions of this
846 This option is only applicable to the auth and password groups. For the
854 <pattern> must be in the form <type>:<residual> where <type> and the
861 will be replaced by randomly generated characters and the ticket cache
865 This option can be set in \f(CW\*(C`[appdefaults]\*(C'\fR in \fIkrb5.conf\fR and is only
866 applicable to the auth and session groups.
869 [1.2] Store both the temporary ticket cache used during authentication and
872 may be prefixed with \f(CW\*(C`FILE:\*(C'\fR to make the cache type unambiguous (and this
876 Be aware that pam_krb5 creates and stores a temporary ticket cache file
883 This option can be set in \f(CW\*(C`[appdefaults]\*(C'\fR in \fIkrb5.conf\fR and is only
884 applicable to the auth and session groups.
890 but isn't creating user sessions and doesn't want the overhead of ever
893 \&\fBpam_setcred()\fR, \fBpam_start_session()\fR, and \fBpam_acct_mgmt()\fR don't make sense
895 account and session management calls.
911 This option can be set in \f(CW\*(C`[appdefaults]\*(C'\fR in \fIkrb5.conf\fR and is only
912 applicable to the auth and session groups.
917 Set by \fBpam_setcred()\fR with the PAM_ESTABLISH_CRED option, and therefore
919 user. See the \fIccache\fR and \fIccache_dir\fR options. By default, the cache
934 user and RANDOM is a random six-character string. The pattern may be
935 changed with the \fIccache\fR option and the directory with the \fIccache_dir\fR
941 is ended or when \fBpam_setcred()\fR is called and will normally not be
949 If \fItry_pkinit\fR is set and pam\-krb5 is built with MIT Kerberos, the
950 user's password is not saved in the PAM data if PKINIT fails and the
961 option is enabled, OpenSSH doesn't pass PAM messages to the user and can
972 ignore the module and move on to the next module. It's arguably more
986 variable and the environment should not be trusted in a setuid context.
997 user's environment and will be overwritten by the next user login. The
999 when this problem was fixed, but at the very least OpenSSH 4.3 and later
1004 extensive modifications, and then Russ Allbery <eagle@eyrie.org> adopted
1005 it and made even more extensive modifications. Russ Allbery currently
1007 .SH "COPYRIGHT AND LICENSE"
1008 .IX Header "COPYRIGHT AND LICENSE"
1014 Copying and distribution of this file, with or without modification, are
1015 permitted in any medium without royalty provided the copyright notice and