Lines Matching full:be

46 octets) will be rejected, since excessively long passwords can be used
54 PAM module be running as a user that can read the keytab file (normally
59 If that keytab cannot be read or if no keys are found in it, the default
68 check will also be done using
79 matches the account name (this can be changed by configuring a custom
83 This can be customized with several configuration options; see below.
93 This can be disabled with the
96 Be aware, however, that this facility cannot be used with OpenSSH.
98 this remapping can be done and will pass an invalid password to the PAM
100 Also be aware that several other common PAM modules, such as
101 pam_securetty, expect to be able to look up the user with
103 and cannot be called before pam_krb5 when using this feature.
109 By default, the cache will be named
112 This can be configured with the
131 that it will be deleted when the PAM session is closed.
166 octets) will be rejected, since excessively long passwords can be used
171 Also, unlike the normal Unix password module, root will always be
198 so that the Kerberos PAM module will be skipped if local password
207 relevant to every PAM group; options that are not relevant will be
209 Any of these options can be set in the PAM configuration as arguments
212 Some of the options can also be set in the system
214 file; if this is possible, it will be noted below in the option
229 All options must be followed by an equal sign (=) and a value, so for
260 see krb5.conf(5). Note that options that depend on the realm will be set
266 realm will not be used when determining which options will apply.
273 section is supported in case there are options that should be set for
302 If <format> contains a realm, it will be used; otherwise, the realm of
303 the username (if any) will be appended to the result.
308 The primary usage is to allow alternative principals to be used for
334 but it is very limited: only two realms can be tried, and the alternate
337 This option can be set in
344 If this option is set for the auth group, be sure to set it for the
352 This can be used to force authentication with an alternate instance.
357 This option can be set in
370 can be customized by setting up an aname to localname mapping in
373 This option can be set in
382 status to be ignored via a control of
393 This option can be set in
401 will silently fail (allowing that status to be ignored via a control of
416 This option can be set in
433 This option can be set in
447 If any of those authentications succeed, the user will be successfully
458 file be readable at the time of authentication.
460 This option can be set in
472 This requires anonymous PKINIT be enabled for the local realm, that
473 PKINIT be configured on the local system, and that the Kerberos library
478 To work, FAST requires that a ticket be obtained with a strong key to
483 If anonymous PKINIT is not available or fails, FAST will not be used and
495 will be tried first, and the Kerberos PAM module will fall back on
496 attempting anonymous PKINIT if that cache could not be used.
498 This option can be set in
521 <ccache_name> should be a credential cache containing a ticket obtained
525 authenticating process and has tickets then FAST will be attempted.
529 This ticket cache should normally only be readable by root, so this
530 option will not be able to protect authentications done as non-root
544 requires PKINIT be available and configured and that the local realm
552 will be tried first, and the Kerberos PAM module will fall back on
553 attempting anonymous PKINIT if that cache could not be used.
555 This option can be set in
562 If set (to either true or false, although it can only be set to false in
568 This option can be set in
582 The first principal found in the keytab will be used as the principal
585 This option can be set in
593 If this option is used, it should be set for all groups being used for
598 obtained credentials to be in the specified realm.
607 <lifetime>. <lifetime> should be a Kerberos lifetime string such as
614 This option can be set in
621 should be a Kerberos lifetime string such as
628 This option can be set in
636 If this option is used, it should be set for all groups being used for
655 modules in the stack will still be called even if the failing module is
681 This option can be set in
691 This option can be set in
715 and check its return status; otherwise, expired accounts may be able to
722 Due to the security risk of widespread broken applications, be very
724 It should normally only be turned on to solve a specific problem (such
737 This option can be set in
753 This option can be set in
771 This option can be set in
785 This option can be set in
794 PAM_SILENT, but can be set in the PAM configuration.
801 The specified file will be appended to without further security checks,
818 This option can be set in
841 This option can be set in
849 implementation you're using, but will generally be something like:
863 This option can be set in
877 multiple options should be separated by whitespace.
878 In the PAM configuration, this option can be given multiple times to set
882 The primary use of this option, at least in the near future, will be to
895 can only be set via this option.
905 This option can be set in
928 user's password will not be stored in the PAM stack for subsequent
933 This option can be set in
949 the Kerberos libraries or KDC during authentication will not be
952 This option can be set in
979 This option can be set in
998 is enabled since the principal displayed would be inaccurate.
1000 This option can be set in
1025 This may be needed if, for example, the Kerberos library is configured
1032 In other words, this option cannot be used if another module is in the
1055 the user will still be prompted for a new password.
1098 This can be used to require passwords be checked by another, prior
1126 <pattern> must be in the form <type>:<residual> where <type> and the
1127 following colon are optional if a file cache should be used.
1137 (six X's), that string will be replaced by randomly generated characters
1138 and the ticket cache will be created using mkstemp(3). This is strongly
1141 This option can be set in
1152 <directory> may be prefixed with
1154 to make the cache type unambiguous (and this may be required on systems
1170 This option can be set in
1177 This option shouldn't be set in general, but is useful as part of the
1211 This option can be set in
1230 By default, the cache name will be prefixed with
1255 The pattern may be changed with the
1266 is called and will normally not be user-visible.
1290 If you are using MIT Kerberos, be aware that users whose passwords are
1291 expired will not be prompted to change their password unless the KDC
1304 to be ignored as if it weren't in the configuration, but this increases
1317 environment variable and the environment should not be trusted in a
1322 pam_open_session, thereby requesting that an existing ticket cache be
1324 requesting a new ticket cache be created.
1330 not be named correctly or referenced in the user's environment and will