1=for stopwords 2KRB5CCNAME ChallengeResponseAuthentication GSS-API Heimdal KDC PKINIT 3PasswordAuthentication SRV Solaris Sourceforge aname appdefaults auth 4canonicalized ccache krb5.conf forwardable kdestroy keytab libdefaults 5logout pam-krb5 preauth 0.8rc1 screensaver screensavers sshd localname 6krb5.conf. 0.8rc1. Allbery Cusack Salomon FSFAP SPDX-License-Identifier 7responder 8 9=head1 NAME 10 11pam_krb5 - Kerberos PAM module 12 13=head1 SYNOPSIS 14 15 auth sufficient pam_krb5.so minimum_uid=1000 16 session required pam_krb5.so minimum_uid=1000 17 account required pam_krb5.so minimum_uid=1000 18 password sufficient pam_krb5.so minimum_uid=1000 19 20=head1 DESCRIPTION 21 22The Kerberos service module for PAM, typically installed at 23F</lib/security/pam_krb5.so>, provides functionality for the four PAM 24operations: authentication, account management, session management, and 25password management. F<pam_krb5.so> is a shared object that is 26dynamically loaded by the PAM subsystem as necessary, based on the system 27PAM configuration. PAM is a system for plugging in external 28authentication and session management modules so that each application 29doesn't have to know the best way to check user authentication or create a 30user session on that system. For details on how to configure PAM on your 31system, see the PAM man page, often pam(7). 32 33Here are the actions of this module when called from each group: 34 35=over 4 36 37=item auth 38 39Provides implementations of pam_authenticate() and pam_setcred(). The 40former takes the username from the PAM session, prompts for the user's 41password (unless configured to use an already-entered password), and then 42performs a Kerberos initial authentication, storing the obtained 43credentials (if successful) in a temporary ticket cache. The latter, 44depending on the flags it is called with, either takes the contents of the 45temporary ticket cache and writes it out to a persistent ticket cache 46owned by the user or uses the temporary ticket cache to refresh an 47existing user ticket cache. 48 49Passwords as long or longer than PAM_MAX_RESP_SIZE octets (normally 512 50octets) will be rejected, since excessively long passwords can be used as 51a denial of service attack. 52 53After doing the initial authentication, the Kerberos PAM module will 54attempt to obtain tickets for a key in the local system keytab and then 55verify those tickets. Unless this step is performed, the authentication 56is vulnerable to KDC spoofing, but it requires that the system have a 57local key and that the PAM module be running as a user that can read the 58keytab file (normally F</etc/krb5.keytab>. You can point the Kerberos PAM 59module at a different keytab with the I<keytab> option. If that keytab 60cannot be read or if no keys are found in it, the default (potentially 61insecure) behavior is to skip this check. If you want to instead fail 62authentication if the obtained tickets cannot be checked, set 63C<verify_ap_req_nofail> to true in the [libdefaults] section of 64F</etc/krb5.conf>. Note that this will affect applications other than 65this PAM module. 66 67By default, whenever the user is authenticated, a basic authorization 68check will also be done using krb5_kuserok(). The default behavior of 69this function is to check the user's account for a F<.k5login> file and, 70if one is present, ensure that the user's principal is listed in that 71file. If F<.k5login> is not present, the default check is to ensure that 72the user's principal is in the default local realm and the user portion of 73the principal matches the account name (this can be changed by configuring 74a custom aname to localname mapping in F<krb5.conf>; see the Kerberos 75documentation for details). This can be customized with several 76configuration options; see below. 77 78If the username provided to PAM contains an C<@> and Kerberos can, 79treating the username as a principal, map it to a local account name, 80pam_authenticate() will change the PAM user to that local account name. 81This allows users to log in with their Kerberos principal and let Kerberos 82do the mapping to an account. This can be disabled with the 83I<no_update_user> option. Be aware, however, that this facility cannot be 84used with OpenSSH. OpenSSH will reject usernames that don't match local 85accounts before this remapping can be done and will pass an invalid 86password to the PAM module. Also be aware that several other common PAM 87modules, such as pam_securetty, expect to be able to look up the user with 88getpwnam() and cannot be called before pam_krb5 when using this feature. 89 90When pam_setcred() is called to initialize a new ticket cache, the 91environment variable KRB5CCNAME is set to the path to that ticket cache. 92By default, the cache will be named F</tmp/krb5cc_UID_RANDOM> where UID is 93the user's UID and RANDOM is six randomly-chosen letters. This can be 94configured with the I<ccache> and I<ccache_dir> options. 95 96pam-krb5 does not use the default ticket cache location or 97I<default_cc_name> in the C<[libdefaults]> section of F<krb5.conf>. The 98default cache location would share a cache for all sessions of the same 99user, which causes confusing behavior when the user logs out of one of 100multiple sessions. 101 102If pam_setcred() initializes a new ticket cache, it will also set up that 103ticket cache so that it will be deleted when the PAM session is closed. 104Normally, the calling program (B<login>, B<sshd>, etc.) will run the 105user's shell as a sub-process, wait for it to exit, and then close the PAM 106session, thereby cleaning up the user's session. 107 108=item session 109 110Provides implementations of pam_open_session(), which is equivalent to 111calling pam_setcred() with the PAM_ESTABLISH_CRED flag, and 112pam_close_session(), which destroys the ticket cache created by 113pam_setcred(). 114 115=item account 116 117Provides an implementation of pam_acct_mgmt(). All it does is do the same 118authorization check as performed by the pam_authenticate() implementation 119described above. 120 121=item password 122 123Provides an implementation of pam_chauthtok(), which implements password 124changes. The user is prompted for their existing password (unless 125configured to use an already entered one) and the PAM module then obtains 126credentials for the special Kerberos principal C<kadmin/changepw>. It 127then prompts the user for a new password, twice to ensure that the user 128entered it properly (again, unless configured to use an already entered 129password), and then does a Kerberos password change. 130 131Passwords as long or longer than PAM_MAX_RESP_SIZE octets (normally 512 132octets) will be rejected, since excessively long passwords can be used as 133a denial of service attack. 134 135Unlike the normal Unix password module, this module will allow any user to 136change any other user's password if they know the old password. Also, 137unlike the normal Unix password module, root will always be prompted for 138the old password, since root has no special status in Kerberos. (To 139change passwords in Kerberos without knowing the old password, use 140kadmin(8) instead.) 141 142=back 143 144Both the account and session management calls of the Kerberos PAM module 145will return PAM_IGNORE if called in the context of a PAM session for a 146user who did not authenticate with Kerberos (a return code of C<ignore> in 147the Linux PAM configuration language). 148 149Note that this module assumes the network is available in order to do a 150Kerberos authentication. If the network is not available, some Kerberos 151libraries have timeouts longer than the timeout imposed by the login 152process. This means that using this module incautiously can make it 153impossible to log on to console as root. For this reason, you should 154always use the I<ignore_root> or I<minimum_uid> options, list a local 155authentication module such as B<pam_unix> first with a control field of 156C<sufficient> so that the Kerberos PAM module will be skipped if local 157password authentication was successful. 158 159This is not the same PAM module as the Kerberos PAM module available from 160Sourceforge, or the one included on Red Hat systems. It supports many of 161the same options, has some additional options, and doesn't support some of 162the options those modules do. 163 164=head1 CONFIGURATION 165 166The Kerberos PAM module takes many options, not all of which are relevant 167to every PAM group; options that are not relevant will be silently 168ignored. Any of these options can be set in the PAM configuration as 169arguments listed after C<pam_krb5.so>. Some of the options can also be 170set in the system F<krb5.conf> file; if this is possible, it will be noted 171below in the option description. 172 173To set a boolean option in the PAM configuration file, just give the name 174of the option in the arguments. To set an option that takes an argument, 175follow the option name with an equal sign (=) and the value, with no 176separating whitespace. Whitespace in option arguments is not supported in 177the PAM configuration. 178 179To set an option for the PAM module in the system F<krb5.conf> file, put 180that option in the C<[appdefaults]> section. All options must be followed 181by an equal sign (=) and a value, so for boolean options add C<= true>. 182The Kerberos PAM module will look for options either at the top level of 183the C<[appdefaults]> section or in a subsection named C<pam>, inside or 184outside a section for the realm. For example, the following fragment of a 185F<krb5.conf> file would set I<forwardable> to true, I<minimum_uid> to 1861000, and set I<ignore_k5login> only if the realm is EXAMPLE.COM. 187 188 [appdefaults] 189 forwardable = true 190 pam = { 191 minimum_uid = 1000 192 EXAMPLE.COM = { 193 ignore_k5login = true 194 } 195 } 196 197For more information on the syntax of F<krb5.conf>, see krb5.conf(5). 198Note that options that depend on the realm will be set only on the basis 199of the default realm, either as configured in krb5.conf(5) or as set by 200the I<realm> option described below. If the user authenticates to an 201account qualified with a realm, that realm will not be used when 202determining which options will apply. 203 204There is no difference to the PAM module whether options are specified at 205the top level or in a C<pam> section; the C<pam> section is supported in 206case there are options that should be set for the PAM module but not for 207other applications. 208 209If the same option is set in F<krb5.conf> and in the PAM configuration, 210the latter takes precedent. Note, however, that due to the configuration 211syntax, there's no way to turn off a boolean option in the PAM 212configuration that was turned on in F<krb5.conf>. 213 214The start of each option description is annotated with the version of 215pam-krb5 in which that option was added with the current meaning. 216 217=head2 Authorization 218 219=over 4 220 221=item alt_auth_map=<format> 222 223[3.12] This functions similarly to the I<search_k5login> option. The 224<format> argument is used as the authentication Kerberos principal, with 225any C<%s> in <format> replaced with the username. If the username 226contains an C<@>, only the part of the username before the realm is used 227to replace C<%s>. If <format> contains a realm, it will be used; 228otherwise, the realm of the username (if any) will be appended to the 229result. There is no quote removal. 230 231If this option is present, the default behavior is to try this alternate 232principal first and then fall back to the standard behavior if it fails. 233The primary usage is to allow alternative principals to be used for 234authentication in programs like B<sudo>. Most examples will look like: 235 236 alt_auth_map=%s/root 237 238which attempts authentication as the root instance of the username first 239and then falls back to the regular username (but see I<force_alt_auth> and 240I<only_alt_auth>). 241 242This option also allows a cheap way to attempt authentication in an 243alternative realm first and then fall back to the primary realm. A 244setting like: 245 246 alt_auth_map=%s@EXAMPLE.COM 247 248will attempt authentication in the EXAMPLE.COM realm first and then fall 249back on the local default realm. This is more convenient than running the 250module multiple times with multiple default realms set with I<realm>, but 251it is very limited: only two realms can be tried, and the alternate realm 252is always tried first. 253 254This option can be set in C<[appdefaults]> in F<krb5.conf>, although 255normally it doesn't make sense to do that; normally it is used in the PAM 256options of configuration for specific programs. It is only applicable to 257the auth and account groups. If this option is set for the auth group, be 258sure to set it for the account group as well or account authorization may 259fail. 260 261=item force_alt_auth 262 263[3.12] This option is used with I<alt_auth_map> and forces authentication 264as the mapped principal if that principal exists in the KDC. Only if the 265KDC returns principal unknown does the Kerberos PAM module fall back to 266normal authentication. This can be used to force authentication with an 267alternate instance. If I<alt_auth_map> is not set, it has no effect. 268 269This option can be set in C<[appdefaults]> in F<krb5.conf> and is only 270applicable to the auth group. 271 272=item ignore_k5login 273 274[2.0] Never look for a F<.k5login> file in the user's home directory. 275Instead, only check that the Kerberos principal maps to the local account 276name. The default check is to ensure the realm matches the local realm 277and the user portion of the principal matches the local account name, but 278this can be customized by setting up an aname to localname mapping in 279F<krb5.conf>. 280 281This option can be set in C<[appdefaults]> in F<krb5.conf> and is only 282applicable to the auth and account groups. 283 284=item ignore_root 285 286[1.1] Do not do anything if the username is C<root>. The authentication 287and password calls will silently fail (allowing that status to be ignored 288via a control of C<optional> or C<sufficient>), and the account and 289session calls (including pam_setcred) will return PAM_IGNORE, telling the 290PAM library to proceed as if they weren't mentioned in the PAM 291configuration. This option is supported and will remain, but normally you 292want to use I<minimum_uid> instead. 293 294This option can be set in C<[appdefaults]> in F<krb5.conf>. 295 296=item minimum_uid=<uid> 297 298[2.0] Do not do anything if the authenticated account name corresponds to 299a local account and that local account has a UID lower than <uid>. If 300both of those conditions are true, the authentication and password calls 301will silently fail (allowing that status to be ignored via a control of 302C<optional> or C<sufficient>), and the account and session calls 303(including pam_setcred) will return PAM_IGNORE, telling the PAM library to 304proceed as if they weren't mentioned in the PAM configuration. 305 306Using this option is highly recommended if you don't need to use Kerberos 307to authenticate password logins to the root account (which isn't 308recommended since Kerberos requires a network connection). It provides 309some defense in depth against user principals that happen to match a 310system account incorrectly authenticating as that system account. 311 312This option can be set in C<[appdefaults]> in F<krb5.conf>. 313 314=item only_alt_auth 315 316[3.12] This option is used with I<alt_auth_map> and forces the use of the 317mapped principal for authentication. It disables fallback to normal 318authentication in all cases and overrides I<search_k5login> and 319I<force_alt_auth>. If I<alt_auth_map> is not set, it has no effect and 320the standard authentication behavior is used. 321 322This option can be set in C<[appdefaults]> in F<krb5.conf> and is only 323applicable to the auth group. 324 325=item search_k5login 326 327[2.0] Normally, the Kerberos implementation of pam_authenticate attempts 328to obtain tickets for the authenticating username in the local realm. If 329this option is set and the local user has a F<.k5login> file in their home 330directory, the module will instead open and read that F<.k5login> file, 331attempting to use the supplied password to authenticate as each principal 332listed there in turn. If any of those authentications succeed, the user 333will be successfully authenticated; otherwise, authentication will fail. 334This option is useful for allowing password authentication (via console or 335B<sshd> without GSS-API support) to shared accounts. If there is no 336F<.k5login> file, the behavior is the same as normal. Using this option 337requires that the user's F<.k5login> file be readable at the time of 338authentication. 339 340This option can be set in C<[appdefaults]> in F<krb5.conf> and is only 341applicable to the auth group. 342 343=back 344 345=head2 Kerberos Behavior 346 347=over 4 348 349=item anon_fast 350 351[4.6] Attempt to use Flexible Authentication Secure Tunneling (FAST) by 352first authenticating as the anonymous user (WELLKNOWN/ANONYMOUS) and using 353its credentials as the FAST armor. This requires anonymous PKINIT be 354enabled for the local realm, that PKINIT be configured on the local 355system, and that the Kerberos library support FAST and anonymous PKINIT. 356 357FAST is a mechanism to protect Kerberos against password guessing attacks 358and provide other security improvements. To work, FAST requires that a 359ticket be obtained with a strong key to protect exchanges with potentially 360weaker user passwords. This option uses anonymous authentication to 361obtain that key and then uses it to protect the subsequent authentication. 362 363If anonymous PKINIT is not available or fails, FAST will not be used and 364the authentication will proceed as normal. 365 366To instead use an existing ticket cache for the FAST credentials, use 367I<fast_ccache> instead of this option. If both I<fast_ccache> and 368I<anon_fast> are set, the ticket cache named by I<fast_ccache> will be 369tried first, and the Kerberos PAM module will fall back on attempting 370anonymous PKINIT if that cache could not be used. 371 372This option can be set in C<[appdefaults]> in F<krb5.conf> and is only 373applicable to the auth and password groups. 374 375The operation is the same as if using the I<fast_ccache> option, but the 376cache is created and destroyed automatically. If both I<fast_ccache> and 377I<anon_fast> options are used, the I<fast_ccache> takes precedent and no 378anonymous authentication is done. 379 380=item fast_ccache=<ccache_name> 381 382[4.3] The same as I<anon_fast>, but use an existing Kerberos ticket cache 383rather than anonymous PKINIT. This allows use of FAST with a realm that 384doesn't support PKINIT or doesn't support anonymous authentication. 385 386<ccache_name> should be a credential cache containing a ticket obtained 387using a strong key, such as the randomized key for the host principal of 388the local system. If <ccache_name> names a ticket cache that is readable 389by the authenticating process and has tickets then FAST will be attempted. 390The easiest way to use this option is to use a program like B<k5start> to 391maintain a ticket cache using the host's keytab. This ticket cache should 392normally only be readable by root, so this option will not be able to 393protect authentications done as non-root users (such as screensavers). 394 395If no credentials are present in the ticket cache, or if the ticket cache 396does not exist or is not readable, FAST will not used and authentication 397will proceed as normal. However, if the credentials in that ticket cache 398are expired, authentication will fail if the KDC supports FAST. 399 400To use anonymous PKINIT to protect the FAST exchange, use the I<anon_fast> 401option instead. I<anon_fast> is easier to configure, since no existing 402ticket cache is required, but requires PKINIT be available and configured 403and that the local realm support anonymous authentication. If both 404I<fast_ccache> and I<anon_fast> are set, the ticket cache named by 405I<fast_ccache> will be tried first, and the Kerberos PAM module will fall 406back on attempting anonymous PKINIT if that cache could not be used. 407 408This option can be set in C<[appdefaults]> in F<krb5.conf> and is only 409applicable to the auth and password groups. 410 411=item forwardable 412 413[1.0] Obtain forwardable tickets. If set (to either true or false, 414although it can only be set to false in F<krb5.conf>), this overrides the 415Kerberos library default set in the [libdefaults] section of F<krb5.conf>. 416 417This option can be set in C<[appdefaults]> in F<krb5.conf> and is only 418applicable to the auth group. 419 420=item keytab=<path> 421 422[3.0] Specifies the keytab to use when validating the user's credentials. 423The default is the default system keytab (normally F</etc/krb5.keytab>), 424which is usually only readable by root. Applications not running as root 425that use this PAM module for authentication may wish to point it to 426another keytab the application can read. The first principal found in the 427keytab will be used as the principal for credential verification. 428 429This option can be set in C<[appdefaults]> in F<krb5.conf> and is only 430applicable to the auth group. 431 432=item realm=<realm> 433 434[2.2] Set the default Kerberos realm and obtain credentials in that realm, 435rather than in the normal default realm for this system. If this option 436is used, it should be set for all groups being used for consistent 437results. This setting will affect authorization decisions since it 438changes the default realm. This setting will also change the service 439principal used to verify the obtained credentials to be in the specified 440realm. 441 442If you only want to set the realm assumed for user principals without 443changing the realm for authorization decisions or the service principal 444used to verify credentials, see the I<user_realm> option. 445 446=item renew_lifetime=<lifetime> 447 448[2.0] Obtain renewable tickets with a maximum renewable lifetime of 449<lifetime>. <lifetime> should be a Kerberos lifetime string such as 450C<2d4h10m> or a time in minutes. If set, this overrides the Kerberos 451library default set in the [libdefaults] section of F<krb5.conf>. 452 453This option can be set in C<[appdefaults]> in F<krb5.conf> and is only 454applicable to the auth group. 455 456=item ticket_lifetime=<lifetime> 457 458[3.0] Obtain tickets with a maximum lifetime of <lifetime>. <lifetime> 459should be a Kerberos lifetime string such as C<2d4h10m> or a time in 460minutes. If set, this overrides the Kerberos library default set in the 461[libdefaults] section of F<krb5.conf>. 462 463This option can be set in C<[appdefaults]> in F<krb5.conf> and is only 464applicable to the auth group. 465 466=item user_realm 467 468[4.6] Obtain credentials in the specified realm rather than in the default 469realm for this system. If this option is used, it should be set for all 470groups being used for consistent results (although the account group 471currently doesn't care about realm). This will not change authorization 472decisions. If the obtained credentials are supposed to allow access to a 473shell account, the user will need an appropriate F<.k5login> file entry or 474the system will have to have a custom aname_to_localname mapping. 475 476=back 477 478=head2 PAM Behavior 479 480=over 4 481 482=item clear_on_fail 483 484[3.9] When changing passwords, PAM first does a preliminary check through 485the complete password stack, and then calls each module again to do the 486password change. After that preliminary check, the order of module 487invocation is fixed. This means that even if the Kerberos password change 488fails (or if one of the other password changes in the stack fails), other 489password PAM modules in the stack will still be called even if the failing 490module is marked required or requisite. When using multiple password PAM 491modules to synchronize passwords between multiple systems when they 492change, this behavior can cause unwanted differences between the 493environments. 494 495Setting this option provides a way to work around this behavior. If this 496option is set and a Kerberos password change is attempted and fails (due 497to network errors or password strength checking on the KDC, for example), 498this module will clear the stored password in the PAM stack. This will 499force any subsequent modules that have I<use_authtok> set to fail so that 500those environments won't get out of sync with the password in Kerberos. 501The Kerberos PAM module will not meddle with the stored password if it 502skips the user due to configuration such as minimum_uid. 503 504Unfortunately, setting this option interferes with other desirable PAM 505configurations, such as attempting to change the password in Kerberos 506first and falling back on the local Unix password database if that fails. 507It therefore isn't the default. Turn it on (and list pam_krb5 first after 508pam_cracklib if used) when synchronizing passwords between multiple 509environments. 510 511This option can be set in C<[appdefaults]> in F<krb5.conf> and is only 512applicable to the password group. 513 514=item debug 515 516[1.0] Log more verbose trace and debugging information to syslog at 517LOG_DEBUG priority, including entry and exit from each of the external PAM 518interfaces (except pam_close_session). 519 520This option can be set in C<[appdefaults]> in F<krb5.conf>. 521 522=item defer_pwchange 523 524[3.11] By default, pam-krb5 lets the Kerberos library handle prompting for 525a password change if an account's password is expired during the auth 526group. If this fails, pam_authenticate() returns an error. 527 528According to the PAM standard, this is not the correct way to handle 529expired passwords. Instead, pam_authenticate() should return success 530without attempting a password change, and then pam_acct_mgmt() should 531return PAM_NEW_AUTHTOK_REQD, at which point the calling application is 532responsible for either rejecting the authentication or calling 533pam_chauthtok(). However, following the standard requires that all 534applications call pam_acct_mgmt() and check its return status; otherwise, 535expired accounts may be able to successfully authenticate. Many 536applications do not do this. 537 538If this option is set, pam-krb5 uses the fully correct PAM mechanism for 539handling expired accounts instead of failing in pam_authenticate(). Due 540to the security risk of widespread broken applications, be very careful 541about enabling this option. It should normally only be turned on to solve 542a specific problem (such as using Solaris Kerberos libraries that don't 543support prompting for password changes during authentication), and then 544only for specific applications known to call pam_acct_mgmt() and check its 545return status properly. 546 547This option is only supported when pam-krb5 is built with MIT Kerberos. 548If built against Heimdal, this option does nothing and normal expired 549password change handling still happens. (Heimdal is missing the required 550API to implement this option, at least as of version 1.6.) 551 552This option can be set in C<[appdefaults]> in F<krb5.conf> and is only 553applicable to the auth group. 554 555=item fail_pwchange 556 557[4.2] By default, pam-krb5 lets the Kerberos library handle prompting for 558a password change if an account's password is expired during the auth 559group. If this option is set, expired passwords are instead treated as an 560authentication failure identical to an incorrect password. Also see 561I<defer_pwchange> and I<force_pwchange>. 562 563This option can be set in C<[appdefaults]> in F<krb5.conf> and is only 564applicable to the auth group. 565 566=item force_pwchange 567 568[3.11] If this option is set and authentication fails with a Kerberos 569error indicating the user's password is expired, attempt to immediately 570change their password during the authenticate step. Under normal 571circumstances, this is unnecessary. Most Kerberos libraries will do this 572for you, and setting this option will prompt the user twice to change 573their password if the first attempt (done by the Kerberos library) fails. 574However, some system Kerberos libraries (such as Solaris's) have password 575change prompting disabled in the Kerberos library; on those systems, you 576can set this option to simulate the normal library behavior. 577 578This option can be set in C<[appdefaults]> in F<krb5.conf> and is only 579applicable to the auth group. 580 581=item no_update_user 582 583[4.7] Normally, if pam-krb5 is able to canonicalize the principal to a 584local name using krb5_aname_to_localname() or similar calls, it changes 585the PAM_USER variable for this PAM session to the canonicalized local 586name. Setting this option disables this behavior and leaves PAM_USER set 587to the initial authentication identity. 588 589This option can be set in C<[appdefaults]> in F<krb5.conf> and is only 590applicable to the auth group. 591 592=item silent 593 594[1.0] Don't show messages and errors from Kerberos, such as warnings of 595expiring passwords, to the user via the prompter. This is equivalent to 596the behavior when the application passes in PAM_SILENT, but can be set in 597the PAM configuration. 598 599This option is only applicable to the auth and password groups. 600 601=item trace=<log-file> 602 603[4.6] Enables Kerberos library trace logging to the specified log file if 604it is supported by the Kerberos library. This is intended for temporary 605debugging. The specified file will be appended to without further 606security checks, so do not specify a file in a publicly writable directory 607like F</tmp>. 608 609=back 610 611=head2 PKINIT 612 613=over 4 614 615=item pkinit_anchors=<anchors> 616 617[3.0] When doing PKINIT authentication, use <anchors> as the client trust 618anchors. This is normally a reference to a file containing the trusted 619certificate authorities. This option is only used if I<try_pkinit> or 620I<use_pkinit> are set. 621 622This option can be set in C<[appdefaults]> in F<krb5.conf> and is only 623applicable to the auth and password groups. 624 625=item pkinit_prompt 626 627[3.0] Before attempting PKINIT authentication, prompt the user to insert a 628smart card. You may want to set this option for programs such as 629B<gnome-screensaver> that call PAM as soon as the mouse is touched and 630don't give the user an opportunity to enter the smart card first. Any 631information entered at the first prompt is ignored. If I<try_pkinit> is 632set, a user who wishes to use a password instead can just press Enter and 633then enter their password as normal. This option is only used if 634I<try_pkinit> or I<use_pkinit> are set. 635 636This option can be set in C<[appdefaults]> in F<krb5.conf> and is only 637applicable to the auth and password groups. 638 639=item pkinit_user=<userid> 640 641[3.0] When doing PKINIT authentication, use <userid> as the user ID. The 642value of this string is highly dependent on the type of PKINIT 643implementation you're using, but will generally be something like: 644 645 PKCS11:/usr/lib/pkcs11/lib/soft-pkcs11.so 646 647to specify the module to use with a smart card. It may also point to a 648user certificate or to other types of user IDs. See the Kerberos library 649documentation for more details. This option is only used if I<try_pkinit> 650or I<use_pkinit> are set. 651 652This option can be set in C<[appdefaults]> in F<krb5.conf> and is only 653applicable to the auth and password groups. 654 655=item preauth_opt=<option> 656 657[3.3] Sets a preauth option (currently only applicable when built with MIT 658Kerberos). <option> is either a key/value pair with the key separated 659from the value by C<=> or a boolean option (in which case it's turned on). 660In F<krb5.conf>, multiple options should be separated by whitespace. In 661the PAM configuration, this option can be given multiple times to set 662multiple options. In either case, <option> may not contain whitespace. 663 664The primary use of this option, at least in the near future, will be to 665set options for the MIT Kerberos PKINIT support. For the full list of 666possible options, see the PKINIT plugin documentation. At the time of 667this writing, C<X509_user_identity> is equivalent to I<pkinit_user> and 668C<X509_anchors> is equivalent to I<pkinit_anchors>. C<flag_DSA_PROTOCOL> 669can only be set via this option. 670 671Any settings made with this option are applied after the I<pkinit_anchors> 672and I<pkinit_user> options, so if an equivalent setting is made via 673I<preauth_opt>, it will probably override the other setting. 674 675This option can be set in C<[appdefaults]> in F<krb5.conf> and is only 676applicable to the auth and password groups. Note that there is no way to 677remove a setting made in F<krb5.conf> using the PAM configuration, but 678options set in the PAM configuration are applied after options set in 679F<krb5.conf> and therefore may override earlier settings. 680 681=item try_pkinit 682 683[3.0] Attempt PKINIT authentication before trying a regular password. You 684will probably also need to set the I<pkinit_user> configuration option. 685If PKINIT fails, the PAM module will fall back on regular password 686authentication. This option is currently only supported if pam-krb5 was 687built against Heimdal 0.8rc1 or later or MIT Kerberos 1.6.3 or later. 688 689If this option is set and pam-krb5 is built against MIT Kerberos, and 690PKINIT fails and the module falls back to password authentication, the 691user's password will not be stored in the PAM stack for subsequent 692modules. This is a bug in the interaction between the module and MIT 693Kerberos that requires some reworking of the PKINIT authentication method 694to fix. 695 696This option can be set in C<[appdefaults]> in F<krb5.conf> and is only 697applicable to the auth and password groups. 698 699=item use_pkinit 700 701[3.0, 4.9 for MIT Kerberos] Require PKINIT authentication. You will 702probably also need to set the I<pkinit_user> configuration option. If 703PKINIT fails, authentication will fail. This option is only supported if 704pam-krb5 was built against Heimdal 0.8rc1 or later or MIT Kerberos 1.12 or 705later. 706 707Be aware that, with MIT Kerberos, this option is implemented by using a 708responder without a prompter, and thus any informational messages from the 709Kerberos libraries or KDC during authentication will not be displayed. 710 711This option can be set in C<[appdefaults]> in F<krb5.conf> and is only 712applicable to the auth and password groups. 713 714=back 715 716=head2 Prompting 717 718=over 4 719 720=item banner=<banner> 721 722[3.0] By default, the prompts when a user changes their password are: 723 724 Current Kerberos password: 725 Enter new Kerberos password: 726 Retype new Kerberos password: 727 728The string "Kerberos" is inserted so that users aren't confused about 729which password they're changing. Setting this option replaces the word 730"Kerberos" with whatever this option is set to. Setting this option to 731the empty string removes the word before "password:" entirely. 732 733If set in the PAM configuration, <banner> may not contain whitespace. If 734you want a value containing whitespace, set it in F<krb5.conf>. 735 736This option can be set in C<[appdefaults]> in F<krb5.conf> and is only 737applicable to the password group. 738 739=item expose_account 740 741[3.0] By default, the Kerberos PAM module password prompt is simply 742"Password:". This avoids leaking any information about the system realm 743or account to principal conversions. If this option is set, the string 744"for <principal>" is added before the colon, where <principal> is the 745user's principal. This string is also added before the colon on prompts 746when changing the user's password. 747 748Enabling this option with ChallengeResponseAuthentication enabled in 749OpenSSH may cause problems for some ssh clients that only recognize 750"Password:" as a prompt. This option is automatically disabled if 751I<search_k5login> is enabled since the principal displayed would be 752inaccurate. 753 754This option can be set in C<[appdefaults]> in F<krb5.conf> and is only 755applicable to the auth and password groups. 756 757=item force_first_pass 758 759[4.0] Use the password obtained by a previous authentication or password 760module to authenticate the user without prompting the user again. If no 761previous module obtained the user's password, fail without prompting the 762user. Also see I<try_first_pass> and I<use_first_pass> for weaker 763versions of this option. 764 765This option is only applicable to the auth and password groups. For the 766password group, it applies only to the old password. See I<use_authtok> 767for a similar setting for the new password. 768 769=item no_prompt 770 771[4.6] Never prompt for the current password. Instead, pass in a NULL 772password to the Kerberos library and let the Kerberos library do the 773prompting. This may be needed if, for example, the Kerberos library is 774configured to use other authentication mechanisms than passwords and needs 775full control over the prompting process. 776 777The major disadvantage of this option is that it means the PAM module will 778never see the user's password and therefore cannot save it in the PAM 779module data for any subsequent modules. In other words, this option 780cannot be used if another module is in the stack behind the Kerberos PAM 781module and wants to use I<use_first_pass>. The Kerberos library also 782usually includes the principal in the prompt, and therefore this option 783implies behavior similar to I<expose_account>. Similar to 784I<expose_account>, this can cause problems with OpenSSH if 785ChallengeResponseAuthentication is enabled, since clients may not 786recognize password prompts other than "Password:". 787 788Using this option with I<search_k5login> would result in a password prompt 789for every principal listed in the user's F<.k5login> file. This is 790probably not desired behavior, although it's not prohibited by the module. 791 792This option is only applicable to the auth and password groups. For the 793password group, it applies only to the authentication process; the user 794will still be prompted for a new password. 795 796=item prompt_principal 797 798[3.6] Before prompting for the user's password (or using the previously 799entered password, if I<try_first_pass>, I<use_first_pass>, or 800I<force_first_pass> are set), prompt the user for the Kerberos principal 801to use for authentication. This allows the user to authenticate with a 802different principal than the one corresponding to the local username, 803provided that either a F<.k5login> file or local Kerberos principal to 804account mapping authorize that principal to access the local account. 805 806Be cautious when using this configuration option and don't use it with 807OpenSSH PasswordAuthentication, only ChallengeResponseAuthentication. 808Some PAM-enabled applications expect PAM modules to only prompt for 809passwords and may even blindly give the password to the first prompt, no 810matter what it is. Such applications, in combination with this option, 811may expose the user's password in log messages and Kerberos requests. 812 813=item try_first_pass 814 815[1.0] If the authentication module isn't the first on the stack, and a 816previous module obtained the user's password, use that password to 817authenticate the user without prompting them again. If that 818authentication fails, fall back on prompting the user for their password. 819This option has no effect if the authentication module is first in the 820stack or if no previous module obtained the user's password. Also see 821I<use_first_pass> and I<force_first_pass> for stronger versions of this 822option. 823 824This option is only applicable to the auth and password groups. For the 825password group, it applies only to the old password. 826 827=item use_authtok 828 829[4.0] Use the new password obtained by a previous password module when 830changing passwords rather than prompting for the new password. If the new 831password isn't available, fail. This can be used to require passwords be 832checked by another, prior module, such as B<pam_cracklib>. 833 834This option is only applicable to the password group. 835 836=item use_first_pass 837 838[1.0] Use the password obtained by a previous authentication module to 839authenticate the user without prompting the user again. If no previous 840module obtained the user's password for either an authentication or 841password change, fall back on prompting the user. If a previous module 842did obtain the user's password but authentication with that password 843fails, fail without further prompting the user. Also see 844I<try_first_pass> and I<force_first_pass> for other versions of this 845option. 846 847This option is only applicable to the auth and password groups. For the 848password group, it applies only to the old password. See I<use_authtok> 849for a similar setting for the new password. 850 851=back 852 853=head2 Ticket Caches 854 855=over 4 856 857=item ccache=<pattern> 858 859[2.0] Use <pattern> as the pattern for creating credential cache names. 860<pattern> must be in the form <type>:<residual> where <type> and the 861following colon are optional if a file cache should be used. The special 862token C<%u>, anywhere in <pattern>, is replaced with the user's numeric 863UID. The special token C<%p>, anywhere in <pattern>, is replaced with the 864current process ID. 865 866If <pattern> ends in the literal string C<XXXXXX> (six X's), that string 867will be replaced by randomly generated characters and the ticket cache 868will be created using mkstemp(3). This is strongly recommended if 869<pattern> points to a world-writable directory. 870 871This option can be set in C<[appdefaults]> in F<krb5.conf> and is only 872applicable to the auth and session groups. 873 874=item ccache_dir=<directory> 875 876[1.2] Store both the temporary ticket cache used during authentication and 877user ticket caches in <directory> instead of in F</tmp>. The algorithm 878for generating the ticket cache name is otherwise unchanged. <directory> 879may be prefixed with C<FILE:> to make the cache type unambiguous (and this 880may be required on systems that use a cache type other than file as the 881default). 882 883Be aware that pam_krb5 creates and stores a temporary ticket cache file 884owned by root during the login process. If you set I<ccache> above to 885avoid using the system F</tmp> directory for user ticket caches, you may 886also want to set I<ccache_dir> to move those temporary caches to some 887other location. This will allow pam_krb5 to continue working even if the 888system F</tmp> directory is full. 889 890This option can be set in C<[appdefaults]> in F<krb5.conf> and is only 891applicable to the auth and session groups. 892 893=item no_ccache 894 895[1.0] Do not create a ticket cache after authentication. This option 896shouldn't be set in general, but is useful as part of the PAM 897configuration for a particular service that uses PAM for authentication 898but isn't creating user sessions and doesn't want the overhead of ever 899writing the user credentials to disk. When using this option, the 900application should only call pam_authenticate(); other functions like 901pam_setcred(), pam_start_session(), and pam_acct_mgmt() don't make sense 902with this option. Don't use this option if the application needs PAM 903account and session management calls. 904 905This option is only applicable to the auth group. 906 907=item retain_after_close 908 909[2.3] Normally, the user's ticket cache is destroyed when either pam_end() 910or pam_close_session() is called by the authenticating application so that 911ticket caches aren't left behind after the user logs out. In some cases, 912however, this isn't desirable. (On Solaris 8, for instance, the default 913behavior means login will destroy the ticket cache before running the 914user's shell.) If this option is set, the PAM module will never destroy 915the user's ticket cache. If you set this, you may want to call 916B<kdestroy> in the shell's logout configuration or run a temporary file 917removal program to avoid accumulating hundreds of ticket caches in 918F</tmp>. 919 920This option can be set in C<[appdefaults]> in F<krb5.conf> and is only 921applicable to the auth and session groups. 922 923=back 924 925=head1 ENVIRONMENT 926 927=over 4 928 929=item KRB5CCNAME 930 931Set by pam_setcred() with the PAM_ESTABLISH_CRED option, and therefore 932also by pam_open_session(), to point to the new credential cache for the 933user. See the I<ccache> and I<ccache_dir> options. By default, the cache 934name will be prefixed with C<FILE:> to make the cache type unambiguous. 935 936=item PAM_KRB5CCNAME 937 938Set by pam_authenticate() to point to the temporary ticket cache used for 939authentication (unless the I<no_ccache> option was given). pam_setcred() 940then uses that environment variable to locate the temporary cache even if 941it was not called in the same PAM session as pam_authenticate() (a problem 942with B<sshd> running in some modes). This environment variable is only 943used internal to the PAM module. 944 945=back 946 947=head1 FILES 948 949=over 4 950 951=item F</tmp/krb5cc_UID_RANDOM> 952 953The default credential cache name. UID is the decimal UID of the local 954user and RANDOM is a random six-character string. The pattern may be 955changed with the I<ccache> option and the directory with the I<ccache_dir> 956option. 957 958=item F</tmp/krb5cc_pam_RANDOM> 959 960The credential cache name used for the temporary credential cache created 961by pam_authenticate(). This cache is removed again when the PAM session 962is ended or when pam_setcred() is called and will normally not be 963user-visible. RANDOM is a random six-character string. 964 965=item F<~/.k5login> 966 967File containing Kerberos principals that are allowed access to that 968account. 969 970=back 971 972=head1 BUGS 973 974If I<try_pkinit> is set and pam-krb5 is built with MIT Kerberos, the 975user's password is not saved in the PAM data if PKINIT fails and the 976module falls back to password authentication. 977 978=head1 CAVEATS 979 980Be sure to list this module in the session group as well as the auth group 981when using it for interactive logins. Otherwise, some applications (such 982as OpenSSH) will not set up the user's ticket cache correctly. 983 984The Kerberos library, via pam-krb5, will prompt the user to change their 985password if their password is expired, but when using OpenSSH, this will 986only work when ChallengeResponseAuthentication is enabled. Unless this 987option is enabled, OpenSSH doesn't pass PAM messages to the user and can 988only respond to a simple password prompt. 989 990If you are using MIT Kerberos, be aware that users whose passwords are 991expired will not be prompted to change their password unless the KDC 992configuration for your realm in [realms] in krb5.conf contains a 993master_kdc setting or, if using DNS SRV records, you have a DNS entry for 994_kerberos-master as well as _kerberos. 995 996pam_authenticate() returns failure when called for an ignored account, 997requiring the system administrator to use C<optional> or C<sufficient> to 998ignore the module and move on to the next module. It's arguably more 999correct to return PAM_IGNORE, which causes the module to be ignored as if 1000it weren't in the configuration, but this increases the risk of 1001inadvertent security holes when listing pam-krb5 as the only 1002authentication module. 1003 1004This module treats the empty password as an authentication failure 1005rather than attempting to use that password to avoid unwanted prompting 1006behavior in the Kerberos libraries. If you have a Kerberos principal that 1007intentionally has an empty password, it won't work with this module. 1008 1009This module will not refresh an existing ticket cache if called with an 1010effective UID or GID different than the real UID or GID, since refreshing 1011an existing ticket cache requires trusting the KRB5CCNAME environment 1012variable and the environment should not be trusted in a setuid context. 1013 1014Old versions of OpenSSH are known to call pam_authenticate followed by 1015pam_setcred(PAM_REINITIALIZE_CRED) without first calling pam_open_session, 1016thereby requesting that an existing ticket cache be renewed (similar to 1017what a screensaver would want) rather than requesting a new ticket cache 1018be created. Since this behavior is indistinguishable at the PAM level 1019from a screensaver, pam-krb5 when used with these old versions of OpenSSH 1020will refresh the ticket cache of the OpenSSH daemon rather than setting up 1021a new ticket cache for the user. The resulting ticket cache will have the 1022correct permissions, but will not be named correctly or referenced in the 1023user's environment and will be overwritten by the next user login. The 1024best solution to this problem is to upgrade OpenSSH. I'm not sure exactly 1025when this problem was fixed, but at the very least OpenSSH 4.3 and later 1026do not exhibit it. 1027 1028=head1 AUTHOR 1029 1030pam-krb5 was originally written by Frank Cusack. Andres Salomon made 1031extensive modifications, and then Russ Allbery <eagle@eyrie.org> adopted 1032it and made even more extensive modifications. Russ Allbery currently 1033maintains the module. 1034 1035=head1 COPYRIGHT AND LICENSE 1036 1037Copyright 2005-2010, 2014, 2020 Russ Allbery <eagle@eyrie.org> 1038 1039Copyright 2008-2014 The Board of Trustees of the Leland Stanford Junior 1040University 1041 1042Copying and distribution of this file, with or without modification, are 1043permitted in any medium without royalty provided the copyright notice and 1044this notice are preserved. This file is offered as-is, without any 1045warranty. 1046 1047SPDX-License-Identifier: FSFAP 1048 1049=head1 SEE ALSO 1050 1051kadmin(8), kdestroy(1), krb5.conf(5), pam(7), passwd(1), syslog(3) 1052 1053The current version of this module is available from its web page at 1054L<https://www.eyrie.org/~eagle/software/pam-krb5/>. 1055 1056=cut 1057