1.Dd November 21, 2025 2.Dt PAM_KRB5 8 3.Os 4.Sh NAME 5.Nm pam_krb5 6.Nd Kerberos PAM module 7.Sh SYNOPSIS 8.Bd -literal 9 auth sufficient pam_krb5.so minimum_uid=1000 10 session required pam_krb5.so minimum_uid=1000 11 account required pam_krb5.so minimum_uid=1000 12 password sufficient pam_krb5.so minimum_uid=1000 13.Ed 14.Sh DESCRIPTION 15The Kerberos service module for PAM, typically installed at 16.Pa /lib/security/pam_krb5.so , 17provides functionality for the four PAM operations: authentication, 18account management, session management, and password management. 19.Pa pam_krb5.so 20is a shared object that is dynamically loaded by the PAM subsystem as 21necessary, based on the system PAM configuration. 22PAM is a system for plugging in external authentication and session 23management modules so that each application doesn't have to know the 24best way to check user authentication or create a user session on that 25system. 26For details on how to configure PAM on your system, see the PAM man 27page, often pam.conf(5). 28.Pp 29Here are the actions of this module when called from each group: 30.Bl -tag -width Ds 31.It auth 32Provides implementations of 33.Xr pam_authenticate 3 34and 35.Xr pam_setcred 3 . 36The former takes the username from the PAM session, prompts for the 37user's password (unless configured to use an already-entered password), 38and then performs a Kerberos initial authentication, storing the 39obtained credentials (if successful) in a temporary ticket cache. 40The latter, depending on the flags it is called with, either takes the 41contents of the temporary ticket cache and writes it out to a persistent 42ticket cache owned by the user or uses the temporary ticket cache to 43refresh an existing user ticket cache. 44.Pp 45Passwords as long or longer than PAM_MAX_RESP_SIZE octets (normally 512 46octets) will be rejected, since excessively long passwords can be used 47as a denial of service attack. 48.Pp 49After doing the initial authentication, the Kerberos PAM module will 50attempt to obtain tickets for a key in the local system keytab and then 51verify those tickets. 52Unless this step is performed, the authentication is vulnerable to KDC 53spoofing, but it requires that the system have a local key and that the 54PAM module be running as a user that can read the keytab file (normally 55.Pa /etc/krb5.keytab . 56You can point the Kerberos PAM module at a different keytab with the 57.Em keytab 58option. 59If that keytab cannot be read or if no keys are found in it, the default 60behavior is to fail authentication. 61If you want to skip this check, set the 62.Qo Li allow_kdc_spoof Qc 63option to true either in the [appdefaults] section of 64.Pa /etc/krb5.conf 65or in the PAM policy. 66.Pp 67By default, whenever the user is authenticated, a basic authorization 68check will also be done using 69.Xr krb5_kuserok 3 . 70The default behavior of this function is to check the user's account for 71a 72.Pa .k5login 73file and, if one is present, ensure that the user's principal is listed 74in that file. 75If 76.Pa .k5login 77is not present, the default check is to ensure that the user's principal 78is in the default local realm and the user portion of the principal 79matches the account name (this can be changed by configuring a custom 80aname to localname mapping in 81.Pa krb5.conf ; 82see the Kerberos documentation for details). 83This can be customized with several configuration options; see below. 84.Pp 85If the username provided to PAM contains an 86.Qo Li @ Qc 87and Kerberos can, treating the username as a principal, map it to a 88local account name, 89.Xr pam_authenticate 3 90will change the PAM user to that local account name. 91This allows users to log in with their Kerberos principal and let 92Kerberos do the mapping to an account. 93This can be disabled with the 94.Em no_update_user 95option. 96Be aware, however, that this facility cannot be used with OpenSSH. 97OpenSSH will reject usernames that don't match local accounts before 98this remapping can be done and will pass an invalid password to the PAM 99module. 100Also be aware that several other common PAM modules, such as 101pam_securetty, expect to be able to look up the user with 102.Xr getpwnam 3 103and cannot be called before pam_krb5 when using this feature. 104.Pp 105When 106.Xr pam_setcred 3 107is called to initialize a new ticket cache, the environment variable 108KRB5CCNAME is set to the path to that ticket cache. 109By default, the cache will be named 110.Pa /tmp/krb5cc_UID_RANDOM 111where UID is the user's UID and RANDOM is six randomly-chosen letters. 112This can be configured with the 113.Em ccache 114and 115.Em ccache_dir 116options. 117.Pp 118pam-krb5 does not use the default ticket cache location or 119.Em default_cc_name 120in the 121.Qo Li [libdefaults] Qc 122section of 123.Pa krb5.conf . 124The default cache location would share a cache for all sessions of the 125same user, which causes confusing behavior when the user logs out of one 126of multiple sessions. 127.Pp 128If 129.Xr pam_setcred 3 130initializes a new ticket cache, it will also set up that ticket cache so 131that it will be deleted when the PAM session is closed. 132Normally, the calling program 133.Pf ( Sy login , 134.Sy sshd , 135etc.) 136will run the user's shell as a sub-process, wait for it to exit, and 137then close the PAM session, thereby cleaning up the user's session. 138.It session 139Provides implementations of 140.Xr pam_open_session 3 , 141which is equivalent to calling 142.Xr pam_setcred 3 143with the PAM_ESTABLISH_CRED flag, and 144.Xr pam_close_session 3 , 145which destroys the ticket cache created by 146.Xr pam_setcred 3 . 147.It account 148Provides an implementation of 149.Xr pam_acct_mgmt 3 . 150All it does is do the same authorization check as performed by the 151.Xr pam_authenticate 3 152implementation described above. 153.It password 154Provides an implementation of 155.Xr pam_chauthtok 3 , 156which implements password changes. 157The user is prompted for their existing password (unless configured to 158use an already entered one) and the PAM module then obtains credentials 159for the special Kerberos principal 160.Qo Li kadmin/changepw Qc . 161It then prompts the user for a new password, twice to ensure that the 162user entered it properly (again, unless configured to use an already 163entered password), and then does a Kerberos password change. 164.Pp 165Passwords as long or longer than PAM_MAX_RESP_SIZE octets (normally 512 166octets) will be rejected, since excessively long passwords can be used 167as a denial of service attack. 168.Pp 169Unlike the normal Unix password module, this module will allow any user 170to change any other user's password if they know the old password. 171Also, unlike the normal Unix password module, root will always be 172prompted for the old password, since root has no special status in 173Kerberos. 174(To change passwords in Kerberos without knowing the old password, use 175kadmin(8) instead.) 176.El 177.Pp 178Both the account and session management calls of the Kerberos PAM module 179will return PAM_IGNORE if called in the context of a PAM session for a 180user who did not authenticate with Kerberos (a return code of 181.Qo Li ignore Qc 182in the Linux PAM configuration language). 183.Pp 184Note that this module assumes the network is available in order to do a 185Kerberos authentication. 186If the network is not available, some Kerberos libraries have timeouts 187longer than the timeout imposed by the login process. 188This means that using this module incautiously can make it impossible to 189log on to console as root. 190For this reason, you should always use the 191.Em ignore_root 192or 193.Em minimum_uid 194options, list a local authentication module such as 195.Sy pam_unix 196first with a control field of 197.Qo Li sufficient Qc 198so that the Kerberos PAM module will be skipped if local password 199authentication was successful. 200.Pp 201This is not the same PAM module as the Kerberos PAM module available 202from Sourceforge, or the one included on Red Hat systems. 203It supports many of the same options, has some additional options, and 204doesn't support some of the options those modules do. 205.Sh CONFIGURATION 206The Kerberos PAM module takes many options, not all of which are 207relevant to every PAM group; options that are not relevant will be 208silently ignored. 209Any of these options can be set in the PAM configuration as arguments 210listed after 211.Qo Li pam_krb5.so Qc . 212Some of the options can also be set in the system 213.Pa krb5.conf 214file; if this is possible, it will be noted below in the option 215description. 216.Pp 217To set a boolean option in the PAM configuration file, just give the 218name of the option in the arguments. 219To set an option that takes an argument, follow the option name with an 220equal sign (=) and the value, with no separating whitespace. 221Whitespace in option arguments is not supported in the PAM 222configuration. 223.Pp 224To set an option for the PAM module in the system 225.Pa krb5.conf 226file, put that option in the 227.Qo Li [appdefaults] Qc 228section. 229All options must be followed by an equal sign (=) and a value, so for 230boolean options add 231.Qo Li = true Qc . 232The Kerberos PAM module will look for options either at the top level of 233the 234.Qo Li [appdefaults] Qc 235section or in a subsection named 236.Qo Li pam Qc , 237inside or outside a section for the realm. 238For example, the following fragment of a 239.Pa krb5.conf 240file would set 241.Em forwardable 242to true, 243.Em minimum_uid 244to 1000, and set 245.Em ignore_k5login 246only if the realm is EXAMPLE.COM. 247.Bd -literal 248 [appdefaults] 249 forwardable = true 250 pam = { 251 minimum_uid = 1000 252 EXAMPLE.COM = { 253 ignore_k5login = true 254 } 255 } 256.Ed 257.Pp 258For more information on the syntax of 259.Pa krb5.conf , 260see krb5.conf(5). Note that options that depend on the realm will be set 261only on the basis of the default realm, either as configured in 262krb5.conf(5) or as set by the 263.Em realm 264option described below. 265If the user authenticates to an account qualified with a realm, that 266realm will not be used when determining which options will apply. 267.Pp 268There is no difference to the PAM module whether options are specified 269at the top level or in a 270.Qo Li pam Qc 271section; the 272.Qo Li pam Qc 273section is supported in case there are options that should be set for 274the PAM module but not for other applications. 275.Pp 276If the same option is set in 277.Pa krb5.conf 278and in the PAM configuration, the latter takes precedent. 279Note, however, that due to the configuration syntax, there's no way to 280turn off a boolean option in the PAM configuration that was turned on in 281.Pa krb5.conf . 282.Pp 283The start of each option description is annotated with the version of 284pam-krb5 in which that option was added with the current meaning. 285.Ss Authorization 286.Bl -tag -width Ds 287.It allow_kdc_spoof 288Allow authentication to succeed even if there is no host or service key 289available in a keytab to authenticate the Kerberos KDC's ticket. 290.It alt_auth_map=<format> 291[3.12] This functions similarly to the 292.Em search_k5login 293option. 294The <format> argument is used as the authentication Kerberos principal, 295with any 296.Qo Li %s Qc 297in <format> replaced with the username. 298If the username contains an 299.Qo Li @ Qc , 300only the part of the username before the realm is used to replace 301.Qo Li %s Qc . 302If <format> contains a realm, it will be used; otherwise, the realm of 303the username (if any) will be appended to the result. 304There is no quote removal. 305.Pp 306If this option is present, the default behavior is to try this alternate 307principal first and then fall back to the standard behavior if it fails. 308The primary usage is to allow alternative principals to be used for 309authentication in programs like 310.Sy sudo . 311Most examples will look like: 312.Bd -literal 313 alt_auth_map=%s/root 314.Ed 315.Pp 316which attempts authentication as the root instance of the username first 317and then falls back to the regular username (but see 318.Em force_alt_auth 319and 320.Em only_alt_auth Ns ). 321.Pp 322This option also allows a cheap way to attempt authentication in an 323alternative realm first and then fall back to the primary realm. 324A setting like: 325.Bd -literal 326 alt_auth_map=%s@EXAMPLE.COM 327.Ed 328.Pp 329will attempt authentication in the EXAMPLE.COM realm first and then fall 330back on the local default realm. 331This is more convenient than running the module multiple times with 332multiple default realms set with 333.Em realm , 334but it is very limited: only two realms can be tried, and the alternate 335realm is always tried first. 336.Pp 337This option can be set in 338.Qo Li [appdefaults] Qc 339in 340.Pa krb5.conf , 341although normally it doesn't make sense to do that; normally it is used 342in the PAM options of configuration for specific programs. 343It is only applicable to the auth and account groups. 344If this option is set for the auth group, be sure to set it for the 345account group as well or account authorization may fail. 346.It force_alt_auth 347[3.12] This option is used with 348.Em alt_auth_map 349and forces authentication as the mapped principal if that principal 350exists in the KDC. Only if the KDC returns principal unknown does the 351Kerberos PAM module fall back to normal authentication. 352This can be used to force authentication with an alternate instance. 353If 354.Em alt_auth_map 355is not set, it has no effect. 356.Pp 357This option can be set in 358.Qo Li [appdefaults] Qc 359in 360.Pa krb5.conf 361and is only applicable to the auth group. 362.It ignore_k5login 363[2.0] Never look for a 364.Pa .k5login 365file in the user's home directory. 366Instead, only check that the Kerberos principal maps to the local 367account name. 368The default check is to ensure the realm matches the local realm and the 369user portion of the principal matches the local account name, but this 370can be customized by setting up an aname to localname mapping in 371.Pa krb5.conf . 372.Pp 373This option can be set in 374.Qo Li [appdefaults] Qc 375in 376.Pa krb5.conf 377and is only applicable to the auth and account groups. 378.It ignore_root 379[1.1] Do not do anything if the username is 380.Qo Li root Qc . 381The authentication and password calls will silently fail (allowing that 382status to be ignored via a control of 383.Qo Li optional Qc 384or 385.Qo Li sufficient Qc Ns ), 386and the account and session calls (including pam_setcred) will return 387PAM_IGNORE, telling the PAM library to proceed as if they weren't 388mentioned in the PAM configuration. 389This option is supported and will remain, but normally you want to use 390.Em minimum_uid 391instead. 392.Pp 393This option can be set in 394.Qo Li [appdefaults] Qc 395in 396.Pa krb5.conf . 397.It minimum_uid=<uid> 398[2.0] Do not do anything if the authenticated account name corresponds 399to a local account and that local account has a UID lower than <uid>. If 400both of those conditions are true, the authentication and password calls 401will silently fail (allowing that status to be ignored via a control of 402.Qo Li optional Qc 403or 404.Qo Li sufficient Qc Ns ), 405and the account and session calls (including pam_setcred) will return 406PAM_IGNORE, telling the PAM library to proceed as if they weren't 407mentioned in the PAM configuration. 408.Pp 409Using this option is highly recommended if you don't need to use 410Kerberos to authenticate password logins to the root account (which 411isn't recommended since Kerberos requires a network connection). 412It provides some defense in depth against user principals that happen to 413match a system account incorrectly authenticating as that system 414account. 415.Pp 416This option can be set in 417.Qo Li [appdefaults] Qc 418in 419.Pa krb5.conf . 420.It only_alt_auth 421[3.12] This option is used with 422.Em alt_auth_map 423and forces the use of the mapped principal for authentication. 424It disables fallback to normal authentication in all cases and overrides 425.Em search_k5login 426and 427.Em force_alt_auth . 428If 429.Em alt_auth_map 430is not set, it has no effect and the standard authentication behavior is 431used. 432.Pp 433This option can be set in 434.Qo Li [appdefaults] Qc 435in 436.Pa krb5.conf 437and is only applicable to the auth group. 438.It search_k5login 439[2.0] Normally, the Kerberos implementation of pam_authenticate attempts 440to obtain tickets for the authenticating username in the local realm. 441If this option is set and the local user has a 442.Pa .k5login 443file in their home directory, the module will instead open and read that 444.Pa .k5login 445file, attempting to use the supplied password to authenticate as each 446principal listed there in turn. 447If any of those authentications succeed, the user will be successfully 448authenticated; otherwise, authentication will fail. 449This option is useful for allowing password authentication (via console 450or 451.Sy sshd 452without GSS-API support) to shared accounts. 453If there is no 454.Pa .k5login 455file, the behavior is the same as normal. 456Using this option requires that the user's 457.Pa .k5login 458file be readable at the time of authentication. 459.Pp 460This option can be set in 461.Qo Li [appdefaults] Qc 462in 463.Pa krb5.conf 464and is only applicable to the auth group. 465.El 466.Ss Kerberos Behavior 467.Bl -tag -width Ds 468.It anon_fast 469[4.6] Attempt to use Flexible Authentication Secure Tunneling (FAST) by 470first authenticating as the anonymous user (WELLKNOWN/ANONYMOUS) and 471using its credentials as the FAST armor. 472This requires anonymous PKINIT be enabled for the local realm, that 473PKINIT be configured on the local system, and that the Kerberos library 474support FAST and anonymous PKINIT. 475.Pp 476FAST is a mechanism to protect Kerberos against password guessing 477attacks and provide other security improvements. 478To work, FAST requires that a ticket be obtained with a strong key to 479protect exchanges with potentially weaker user passwords. 480This option uses anonymous authentication to obtain that key and then 481uses it to protect the subsequent authentication. 482.Pp 483If anonymous PKINIT is not available or fails, FAST will not be used and 484the authentication will proceed as normal. 485.Pp 486To instead use an existing ticket cache for the FAST credentials, use 487.Em fast_ccache 488instead of this option. 489If both 490.Em fast_ccache 491and 492.Em anon_fast 493are set, the ticket cache named by 494.Em fast_ccache 495will be tried first, and the Kerberos PAM module will fall back on 496attempting anonymous PKINIT if that cache could not be used. 497.Pp 498This option can be set in 499.Qo Li [appdefaults] Qc 500in 501.Pa krb5.conf 502and is only applicable to the auth and password groups. 503.Pp 504The operation is the same as if using the 505.Em fast_ccache 506option, but the cache is created and destroyed automatically. 507If both 508.Em fast_ccache 509and 510.Em anon_fast 511options are used, the 512.Em fast_ccache 513takes precedent and no anonymous authentication is done. 514.It fast_ccache=<ccache_name> 515[4.3] The same as 516.Em anon_fast , 517but use an existing Kerberos ticket cache rather than anonymous PKINIT. 518This allows use of FAST with a realm that doesn't support PKINIT or 519doesn't support anonymous authentication. 520.Pp 521<ccache_name> should be a credential cache containing a ticket obtained 522using a strong key, such as the randomized key for the host principal of 523the local system. 524If <ccache_name> names a ticket cache that is readable by the 525authenticating process and has tickets then FAST will be attempted. 526The easiest way to use this option is to use a program like 527.Sy k5start 528to maintain a ticket cache using the host's keytab. 529This ticket cache should normally only be readable by root, so this 530option will not be able to protect authentications done as non-root 531users (such as screensavers). 532.Pp 533If no credentials are present in the ticket cache, or if the ticket 534cache does not exist or is not readable, FAST will not used and 535authentication will proceed as normal. 536However, if the credentials in that ticket cache are expired, 537authentication will fail if the KDC supports FAST. 538.Pp 539To use anonymous PKINIT to protect the FAST exchange, use the 540.Em anon_fast 541option instead. 542.Em anon_fast 543is easier to configure, since no existing ticket cache is required, but 544requires PKINIT be available and configured and that the local realm 545support anonymous authentication. 546If both 547.Em fast_ccache 548and 549.Em anon_fast 550are set, the ticket cache named by 551.Em fast_ccache 552will be tried first, and the Kerberos PAM module will fall back on 553attempting anonymous PKINIT if that cache could not be used. 554.Pp 555This option can be set in 556.Qo Li [appdefaults] Qc 557in 558.Pa krb5.conf 559and is only applicable to the auth and password groups. 560.It forwardable 561[1.0] Obtain forwardable tickets. 562If set (to either true or false, although it can only be set to false in 563.Pa krb5.conf Ns ), 564this overrides the Kerberos library default set in the [libdefaults] 565section of 566.Pa krb5.conf . 567.Pp 568This option can be set in 569.Qo Li [appdefaults] Qc 570in 571.Pa krb5.conf 572and is only applicable to the auth group. 573.It keytab=<path> 574[3.0] Specifies the keytab to use when validating the user's 575credentials. 576The default is the default system keytab (normally 577.Pa /etc/krb5.keytab Ns ), 578which is usually only readable by root. 579Applications not running as root that use this PAM module for 580authentication may wish to point it to another keytab the application 581can read. 582The first principal found in the keytab will be used as the principal 583for credential verification. 584.Pp 585This option can be set in 586.Qo Li [appdefaults] Qc 587in 588.Pa krb5.conf 589and is only applicable to the auth group. 590.It realm=<realm> 591[2.2] Set the default Kerberos realm and obtain credentials in that 592realm, rather than in the normal default realm for this system. 593If this option is used, it should be set for all groups being used for 594consistent results. 595This setting will affect authorization decisions since it changes the 596default realm. 597This setting will also change the service principal used to verify the 598obtained credentials to be in the specified realm. 599.Pp 600If you only want to set the realm assumed for user principals without 601changing the realm for authorization decisions or the service principal 602used to verify credentials, see the 603.Em user_realm 604option. 605.It renew_lifetime=<lifetime> 606[2.0] Obtain renewable tickets with a maximum renewable lifetime of 607<lifetime>. <lifetime> should be a Kerberos lifetime string such as 608.Qo Li 2d4h10m Qc 609or a time in minutes. 610If set, this overrides the Kerberos library default set in the 611[libdefaults] section of 612.Pa krb5.conf . 613.Pp 614This option can be set in 615.Qo Li [appdefaults] Qc 616in 617.Pa krb5.conf 618and is only applicable to the auth group. 619.It ticket_lifetime=<lifetime> 620[3.0] Obtain tickets with a maximum lifetime of <lifetime>. <lifetime> 621should be a Kerberos lifetime string such as 622.Qo Li 2d4h10m Qc 623or a time in minutes. 624If set, this overrides the Kerberos library default set in the 625[libdefaults] section of 626.Pa krb5.conf . 627.Pp 628This option can be set in 629.Qo Li [appdefaults] Qc 630in 631.Pa krb5.conf 632and is only applicable to the auth group. 633.It user_realm 634[4.6] Obtain credentials in the specified realm rather than in the 635default realm for this system. 636If this option is used, it should be set for all groups being used for 637consistent results (although the account group currently doesn't care 638about realm). 639This will not change authorization decisions. 640If the obtained credentials are supposed to allow access to a shell 641account, the user will need an appropriate 642.Pa .k5login 643file entry or the system will have to have a custom aname_to_localname 644mapping. 645.El 646.Ss PAM Behavior 647.Bl -tag -width Ds 648.It clear_on_fail 649[3.9] When changing passwords, PAM first does a preliminary check 650through the complete password stack, and then calls each module again to 651do the password change. 652After that preliminary check, the order of module invocation is fixed. 653This means that even if the Kerberos password change fails (or if one of 654the other password changes in the stack fails), other password PAM 655modules in the stack will still be called even if the failing module is 656marked required or requisite. 657When using multiple password PAM modules to synchronize passwords 658between multiple systems when they change, this behavior can cause 659unwanted differences between the environments. 660.Pp 661Setting this option provides a way to work around this behavior. 662If this option is set and a Kerberos password change is attempted and 663fails (due to network errors or password strength checking on the KDC, 664for example), this module will clear the stored password in the PAM 665stack. 666This will force any subsequent modules that have 667.Em use_authtok 668set to fail so that those environments won't get out of sync with the 669password in Kerberos. 670The Kerberos PAM module will not meddle with the stored password if it 671skips the user due to configuration such as minimum_uid. 672.Pp 673Unfortunately, setting this option interferes with other desirable PAM 674configurations, such as attempting to change the password in Kerberos 675first and falling back on the local Unix password database if that 676fails. 677It therefore isn't the default. 678Turn it on (and list pam_krb5 first after pam_cracklib if used) when 679synchronizing passwords between multiple environments. 680.Pp 681This option can be set in 682.Qo Li [appdefaults] Qc 683in 684.Pa krb5.conf 685and is only applicable to the password group. 686.It debug 687[1.0] Log more verbose trace and debugging information to syslog at 688LOG_DEBUG priority, including entry and exit from each of the external 689PAM interfaces (except pam_close_session). 690.Pp 691This option can be set in 692.Qo Li [appdefaults] Qc 693in 694.Pa krb5.conf . 695.It defer_pwchange 696[3.11] By default, pam-krb5 lets the Kerberos library handle prompting 697for a password change if an account's password is expired during the 698auth group. 699If this fails, 700.Xr pam_authenticate 3 701returns an error. 702.Pp 703According to the PAM standard, this is not the correct way to handle 704expired passwords. 705Instead, 706.Xr pam_authenticate 3 707should return success without attempting a password change, and then 708.Xr pam_acct_mgmt 3 709should return PAM_NEW_AUTHTOK_REQD, at which point the calling 710application is responsible for either rejecting the authentication or 711calling 712.Xr pam_chauthtok 3 . 713However, following the standard requires that all applications call 714.Xr pam_acct_mgmt 3 715and check its return status; otherwise, expired accounts may be able to 716successfully authenticate. 717Many applications do not do this. 718.Pp 719If this option is set, pam-krb5 uses the fully correct PAM mechanism for 720handling expired accounts instead of failing in 721.Xr pam_authenticate 3 . 722Due to the security risk of widespread broken applications, be very 723careful about enabling this option. 724It should normally only be turned on to solve a specific problem (such 725as using Solaris Kerberos libraries that don't support prompting for 726password changes during authentication), and then only for specific 727applications known to call 728.Xr pam_acct_mgmt 3 729and check its return status properly. 730.Pp 731This option is only supported when pam-krb5 is built with MIT Kerberos. 732If built against Heimdal, this option does nothing and normal expired 733password change handling still happens. 734(Heimdal is missing the required API to implement this option, at least 735as of version 1.6.) 736.Pp 737This option can be set in 738.Qo Li [appdefaults] Qc 739in 740.Pa krb5.conf 741and is only applicable to the auth group. 742.It fail_pwchange 743[4.2] By default, pam-krb5 lets the Kerberos library handle prompting 744for a password change if an account's password is expired during the 745auth group. 746If this option is set, expired passwords are instead treated as an 747authentication failure identical to an incorrect password. 748Also see 749.Em defer_pwchange 750and 751.Em force_pwchange . 752.Pp 753This option can be set in 754.Qo Li [appdefaults] Qc 755in 756.Pa krb5.conf 757and is only applicable to the auth group. 758.It force_pwchange 759[3.11] If this option is set and authentication fails with a Kerberos 760error indicating the user's password is expired, attempt to immediately 761change their password during the authenticate step. 762Under normal circumstances, this is unnecessary. 763Most Kerberos libraries will do this for you, and setting this option 764will prompt the user twice to change their password if the first attempt 765(done by the Kerberos library) fails. 766However, some system Kerberos libraries (such as Solaris's) have 767password change prompting disabled in the Kerberos library; on those 768systems, you can set this option to simulate the normal library 769behavior. 770.Pp 771This option can be set in 772.Qo Li [appdefaults] Qc 773in 774.Pa krb5.conf 775and is only applicable to the auth group. 776.It no_update_user 777[4.7] Normally, if pam-krb5 is able to canonicalize the principal to a 778local name using 779.Xr krb5_aname_to_localname 3 780or similar calls, it changes the PAM_USER variable for this PAM session 781to the canonicalized local name. 782Setting this option disables this behavior and leaves PAM_USER set to 783the initial authentication identity. 784.Pp 785This option can be set in 786.Qo Li [appdefaults] Qc 787in 788.Pa krb5.conf 789and is only applicable to the auth group. 790.It silent 791[1.0] Don't show messages and errors from Kerberos, such as warnings of 792expiring passwords, to the user via the prompter. 793This is equivalent to the behavior when the application passes in 794PAM_SILENT, but can be set in the PAM configuration. 795.Pp 796This option is only applicable to the auth and password groups. 797.It trace=<log-file> 798[4.6] Enables Kerberos library trace logging to the specified log file 799if it is supported by the Kerberos library. 800This is intended for temporary debugging. 801The specified file will be appended to without further security checks, 802so do not specify a file in a publicly writable directory like 803.Pa /tmp . 804.El 805.Ss PKINIT 806.Bl -tag -width Ds 807.It pkinit_anchors=<anchors> 808[3.0] When doing PKINIT authentication, use <anchors> as the client 809trust anchors. 810This is normally a reference to a file containing the trusted 811certificate authorities. 812This option is only used if 813.Em try_pkinit 814or 815.Em use_pkinit 816are set. 817.Pp 818This option can be set in 819.Qo Li [appdefaults] Qc 820in 821.Pa krb5.conf 822and is only applicable to the auth and password groups. 823.It pkinit_prompt 824[3.0] Before attempting PKINIT authentication, prompt the user to insert 825a smart card. 826You may want to set this option for programs such as 827.Sy gnome-screensaver 828that call PAM as soon as the mouse is touched and don't give the user an 829opportunity to enter the smart card first. 830Any information entered at the first prompt is ignored. 831If 832.Em try_pkinit 833is set, a user who wishes to use a password instead can just press Enter 834and then enter their password as normal. 835This option is only used if 836.Em try_pkinit 837or 838.Em use_pkinit 839are set. 840.Pp 841This option can be set in 842.Qo Li [appdefaults] Qc 843in 844.Pa krb5.conf 845and is only applicable to the auth and password groups. 846.It pkinit_user=<userid> 847[3.0] When doing PKINIT authentication, use <userid> as the user ID. The 848value of this string is highly dependent on the type of PKINIT 849implementation you're using, but will generally be something like: 850.Bd -literal 851 PKCS11:/usr/lib/pkcs11/lib/soft-pkcs11.so 852.Ed 853.Pp 854to specify the module to use with a smart card. 855It may also point to a user certificate or to other types of user IDs. 856See the Kerberos library documentation for more details. 857This option is only used if 858.Em try_pkinit 859or 860.Em use_pkinit 861are set. 862.Pp 863This option can be set in 864.Qo Li [appdefaults] Qc 865in 866.Pa krb5.conf 867and is only applicable to the auth and password groups. 868.It preauth_opt=<option> 869[3.3] Sets a preauth option (currently only applicable when built with 870MIT Kerberos). 871<option> is either a key/value pair with the key separated from the 872value by 873.Qo Li = Qc 874or a boolean option (in which case it's turned on). 875In 876.Pa krb5.conf , 877multiple options should be separated by whitespace. 878In the PAM configuration, this option can be given multiple times to set 879multiple options. 880In either case, <option> may not contain whitespace. 881.Pp 882The primary use of this option, at least in the near future, will be to 883set options for the MIT Kerberos PKINIT support. 884For the full list of possible options, see the PKINIT plugin 885documentation. 886At the time of this writing, 887.Qo Li X509_user_identity Qc 888is equivalent to 889.Em pkinit_user 890and 891.Qo Li X509_anchors Qc 892is equivalent to 893.Em pkinit_anchors . 894.Qo Li flag_DSA_PROTOCOL Qc 895can only be set via this option. 896.Pp 897Any settings made with this option are applied after the 898.Em pkinit_anchors 899and 900.Em pkinit_user 901options, so if an equivalent setting is made via 902.Em preauth_opt , 903it will probably override the other setting. 904.Pp 905This option can be set in 906.Qo Li [appdefaults] Qc 907in 908.Pa krb5.conf 909and is only applicable to the auth and password groups. 910Note that there is no way to remove a setting made in 911.Pa krb5.conf 912using the PAM configuration, but options set in the PAM configuration 913are applied after options set in 914.Pa krb5.conf 915and therefore may override earlier settings. 916.It try_pkinit 917[3.0] Attempt PKINIT authentication before trying a regular password. 918You will probably also need to set the 919.Em pkinit_user 920configuration option. 921If PKINIT fails, the PAM module will fall back on regular password 922authentication. 923This option is currently only supported if pam-krb5 was built against 924Heimdal 0.8rc1 or later or MIT Kerberos 1.6.3 or later. 925.Pp 926If this option is set and pam-krb5 is built against MIT Kerberos, and 927PKINIT fails and the module falls back to password authentication, the 928user's password will not be stored in the PAM stack for subsequent 929modules. 930This is a bug in the interaction between the module and MIT Kerberos 931that requires some reworking of the PKINIT authentication method to fix. 932.Pp 933This option can be set in 934.Qo Li [appdefaults] Qc 935in 936.Pa krb5.conf 937and is only applicable to the auth and password groups. 938.It use_pkinit 939[3.0, 4.9 for MIT Kerberos] Require PKINIT authentication. 940You will probably also need to set the 941.Em pkinit_user 942configuration option. 943If PKINIT fails, authentication will fail. 944This option is only supported if pam-krb5 was built against Heimdal 9450.8rc1 or later or MIT Kerberos 1.12 or later. 946.Pp 947Be aware that, with MIT Kerberos, this option is implemented by using a 948responder without a prompter, and thus any informational messages from 949the Kerberos libraries or KDC during authentication will not be 950displayed. 951.Pp 952This option can be set in 953.Qo Li [appdefaults] Qc 954in 955.Pa krb5.conf 956and is only applicable to the auth and password groups. 957.El 958.Ss Prompting 959.Bl -tag -width Ds 960.It banner=<banner> 961[3.0] By default, the prompts when a user changes their password are: 962.Bd -literal 963 Current Kerberos password: 964 Enter new Kerberos password: 965 Retype new Kerberos password: 966.Ed 967.Pp 968The string "Kerberos" is inserted so that users aren't confused about 969which password they're changing. 970Setting this option replaces the word "Kerberos" with whatever this 971option is set to. 972Setting this option to the empty string removes the word before 973"password:" entirely. 974.Pp 975If set in the PAM configuration, <banner> may not contain whitespace. 976If you want a value containing whitespace, set it in 977.Pa krb5.conf . 978.Pp 979This option can be set in 980.Qo Li [appdefaults] Qc 981in 982.Pa krb5.conf 983and is only applicable to the password group. 984.It expose_account 985[3.0] By default, the Kerberos PAM module password prompt is simply 986"Password:". This avoids leaking any information about the system realm 987or account to principal conversions. 988If this option is set, the string "for <principal>" is added before the 989colon, where <principal> is the user's principal. 990This string is also added before the colon on prompts when changing the 991user's password. 992.Pp 993Enabling this option with ChallengeResponseAuthentication enabled in 994OpenSSH may cause problems for some ssh clients that only recognize 995"Password:" as a prompt. 996This option is automatically disabled if 997.Em search_k5login 998is enabled since the principal displayed would be inaccurate. 999.Pp 1000This option can be set in 1001.Qo Li [appdefaults] Qc 1002in 1003.Pa krb5.conf 1004and is only applicable to the auth and password groups. 1005.It force_first_pass 1006[4.0] Use the password obtained by a previous authentication or password 1007module to authenticate the user without prompting the user again. 1008If no previous module obtained the user's password, fail without 1009prompting the user. 1010Also see 1011.Em try_first_pass 1012and 1013.Em use_first_pass 1014for weaker versions of this option. 1015.Pp 1016This option is only applicable to the auth and password groups. 1017For the password group, it applies only to the old password. 1018See 1019.Em use_authtok 1020for a similar setting for the new password. 1021.It no_prompt 1022[4.6] Never prompt for the current password. 1023Instead, pass in a NULL password to the Kerberos library and let the 1024Kerberos library do the prompting. 1025This may be needed if, for example, the Kerberos library is configured 1026to use other authentication mechanisms than passwords and needs full 1027control over the prompting process. 1028.Pp 1029The major disadvantage of this option is that it means the PAM module 1030will never see the user's password and therefore cannot save it in the 1031PAM module data for any subsequent modules. 1032In other words, this option cannot be used if another module is in the 1033stack behind the Kerberos PAM module and wants to use 1034.Em use_first_pass . 1035The Kerberos library also usually includes the principal in the prompt, 1036and therefore this option implies behavior similar to 1037.Em expose_account . 1038Similar to 1039.Em expose_account , 1040this can cause problems with OpenSSH if ChallengeResponseAuthentication 1041is enabled, since clients may not recognize password prompts other than 1042"Password:". 1043.Pp 1044Using this option with 1045.Em search_k5login 1046would result in a password prompt for every principal listed in the 1047user's 1048.Pa .k5login 1049file. 1050This is probably not desired behavior, although it's not prohibited by 1051the module. 1052.Pp 1053This option is only applicable to the auth and password groups. 1054For the password group, it applies only to the authentication process; 1055the user will still be prompted for a new password. 1056.It prompt_principal 1057[3.6] Before prompting for the user's password (or using the previously 1058entered password, if 1059.Em try_first_pass , 1060.Em use_first_pass , 1061or 1062.Em force_first_pass 1063are set), prompt the user for the Kerberos principal to use for 1064authentication. 1065This allows the user to authenticate with a different principal than the 1066one corresponding to the local username, provided that either a 1067.Pa .k5login 1068file or local Kerberos principal to account mapping authorize that 1069principal to access the local account. 1070.Pp 1071Be cautious when using this configuration option and don't use it with 1072OpenSSH PasswordAuthentication, only ChallengeResponseAuthentication. 1073Some PAM-enabled applications expect PAM modules to only prompt for 1074passwords and may even blindly give the password to the first prompt, no 1075matter what it is. 1076Such applications, in combination with this option, may expose the 1077user's password in log messages and Kerberos requests. 1078.It try_first_pass 1079[1.0] If the authentication module isn't the first on the stack, and a 1080previous module obtained the user's password, use that password to 1081authenticate the user without prompting them again. 1082If that authentication fails, fall back on prompting the user for their 1083password. 1084This option has no effect if the authentication module is first in the 1085stack or if no previous module obtained the user's password. 1086Also see 1087.Em use_first_pass 1088and 1089.Em force_first_pass 1090for stronger versions of this option. 1091.Pp 1092This option is only applicable to the auth and password groups. 1093For the password group, it applies only to the old password. 1094.It use_authtok 1095[4.0] Use the new password obtained by a previous password module when 1096changing passwords rather than prompting for the new password. 1097If the new password isn't available, fail. 1098This can be used to require passwords be checked by another, prior 1099module, such as 1100.Sy pam_cracklib . 1101.Pp 1102This option is only applicable to the password group. 1103.It use_first_pass 1104[1.0] Use the password obtained by a previous authentication module to 1105authenticate the user without prompting the user again. 1106If no previous module obtained the user's password for either an 1107authentication or password change, fall back on prompting the user. 1108If a previous module did obtain the user's password but authentication 1109with that password fails, fail without further prompting the user. 1110Also see 1111.Em try_first_pass 1112and 1113.Em force_first_pass 1114for other versions of this option. 1115.Pp 1116This option is only applicable to the auth and password groups. 1117For the password group, it applies only to the old password. 1118See 1119.Em use_authtok 1120for a similar setting for the new password. 1121.El 1122.Ss Ticket Caches 1123.Bl -tag -width Ds 1124.It ccache=<pattern> 1125[2.0] Use <pattern> as the pattern for creating credential cache names. 1126<pattern> must be in the form <type>:<residual> where <type> and the 1127following colon are optional if a file cache should be used. 1128The special token 1129.Qo Li %u Qc , 1130anywhere in <pattern>, is replaced with the user's numeric UID. The 1131special token 1132.Qo Li %p Qc , 1133anywhere in <pattern>, is replaced with the current process ID. 1134.Pp 1135If <pattern> ends in the literal string 1136.Qo Li XXXXXX Qc 1137(six X's), that string will be replaced by randomly generated characters 1138and the ticket cache will be created using mkstemp(3). This is strongly 1139recommended if <pattern> points to a world-writable directory. 1140.Pp 1141This option can be set in 1142.Qo Li [appdefaults] Qc 1143in 1144.Pa krb5.conf 1145and is only applicable to the auth and session groups. 1146.It ccache_dir=<directory> 1147[1.2] Store both the temporary ticket cache used during authentication 1148and user ticket caches in <directory> instead of in 1149.Pa /tmp . 1150The algorithm for generating the ticket cache name is otherwise 1151unchanged. 1152<directory> may be prefixed with 1153.Qo Li FILE: Qc 1154to make the cache type unambiguous (and this may be required on systems 1155that use a cache type other than file as the default). 1156.Pp 1157Be aware that pam_krb5 creates and stores a temporary ticket cache file 1158owned by root during the login process. 1159If you set 1160.Em ccache 1161above to avoid using the system 1162.Pa /tmp 1163directory for user ticket caches, you may also want to set 1164.Em ccache_dir 1165to move those temporary caches to some other location. 1166This will allow pam_krb5 to continue working even if the system 1167.Pa /tmp 1168directory is full. 1169.Pp 1170This option can be set in 1171.Qo Li [appdefaults] Qc 1172in 1173.Pa krb5.conf 1174and is only applicable to the auth and session groups. 1175.It no_ccache 1176[1.0] Do not create a ticket cache after authentication. 1177This option shouldn't be set in general, but is useful as part of the 1178PAM configuration for a particular service that uses PAM for 1179authentication but isn't creating user sessions and doesn't want the 1180overhead of ever writing the user credentials to disk. 1181When using this option, the application should only call 1182.Xr pam_authenticate 3 ; 1183other functions like 1184.Xr pam_setcred 3 , 1185.Xr pam_start_session 3 , 1186and 1187.Xr pam_acct_mgmt 3 1188don't make sense with this option. 1189Don't use this option if the application needs PAM account and session 1190management calls. 1191.Pp 1192This option is only applicable to the auth group. 1193.It retain_after_close 1194[2.3] Normally, the user's ticket cache is destroyed when either 1195.Xr pam_end 3 1196or 1197.Xr pam_close_session 3 1198is called by the authenticating application so that ticket caches aren't 1199left behind after the user logs out. 1200In some cases, however, this isn't desirable. 1201(On Solaris 8, for instance, the default behavior means login will 1202destroy the ticket cache before running the user's shell.) 1203If this option is set, the PAM module will never destroy the user's 1204ticket cache. 1205If you set this, you may want to call 1206.Sy kdestroy 1207in the shell's logout configuration or run a temporary file removal 1208program to avoid accumulating hundreds of ticket caches in 1209.Pa /tmp . 1210.Pp 1211This option can be set in 1212.Qo Li [appdefaults] Qc 1213in 1214.Pa krb5.conf 1215and is only applicable to the auth and session groups. 1216.El 1217.Sh ENVIRONMENT 1218.Bl -tag -width Ds 1219.It KRB5CCNAME 1220Set by 1221.Xr pam_setcred 3 1222with the PAM_ESTABLISH_CRED option, and therefore also by 1223.Xr pam_open_session 3 , 1224to point to the new credential cache for the user. 1225See the 1226.Em ccache 1227and 1228.Em ccache_dir 1229options. 1230By default, the cache name will be prefixed with 1231.Qo Li FILE: Qc 1232to make the cache type unambiguous. 1233.It PAM_KRB5CCNAME 1234Set by 1235.Xr pam_authenticate 3 1236to point to the temporary ticket cache used for authentication (unless 1237the 1238.Em no_ccache 1239option was given). 1240.Xr pam_setcred 3 1241then uses that environment variable to locate the temporary cache even 1242if it was not called in the same PAM session as 1243.Xr pam_authenticate 3 1244(a problem with 1245.Sy sshd 1246running in some modes). 1247This environment variable is only used internal to the PAM module. 1248.El 1249.Sh FILES 1250.Bl -tag -width Ds 1251.It Pa /tmp/krb5cc_UID_RANDOM 1252The default credential cache name. 1253UID is the decimal UID of the local user and RANDOM is a random 1254six-character string. 1255The pattern may be changed with the 1256.Em ccache 1257option and the directory with the 1258.Em ccache_dir 1259option. 1260.It Pa /tmp/krb5cc_pam_RANDOM 1261The credential cache name used for the temporary credential cache 1262created by 1263.Xr pam_authenticate 3 . 1264This cache is removed again when the PAM session is ended or when 1265.Xr pam_setcred 3 1266is called and will normally not be user-visible. 1267RANDOM is a random six-character string. 1268.It Pa ~/.k5login 1269File containing Kerberos principals that are allowed access to that 1270account. 1271.El 1272.Sh BUGS 1273If 1274.Em try_pkinit 1275is set and pam-krb5 is built with MIT Kerberos, the user's password is 1276not saved in the PAM data if PKINIT fails and the module falls back to 1277password authentication. 1278.Sh CAVEATS 1279Be sure to list this module in the session group as well as the auth 1280group when using it for interactive logins. 1281Otherwise, some applications (such as OpenSSH) will not set up the 1282user's ticket cache correctly. 1283.Pp 1284The Kerberos library, via pam-krb5, will prompt the user to change their 1285password if their password is expired, but when using OpenSSH, this will 1286only work when ChallengeResponseAuthentication is enabled. 1287Unless this option is enabled, OpenSSH doesn't pass PAM messages to the 1288user and can only respond to a simple password prompt. 1289.Pp 1290If you are using MIT Kerberos, be aware that users whose passwords are 1291expired will not be prompted to change their password unless the KDC 1292configuration for your realm in [realms] in krb5.conf contains a 1293master_kdc setting or, if using DNS SRV records, you have a DNS entry 1294for _kerberos-master as well as _kerberos. 1295.Pp 1296.Xr pam_authenticate 3 1297returns failure when called for an ignored account, requiring the system 1298administrator to use 1299.Qo Li optional Qc 1300or 1301.Qo Li sufficient Qc 1302to ignore the module and move on to the next module. 1303It's arguably more correct to return PAM_IGNORE, which causes the module 1304to be ignored as if it weren't in the configuration, but this increases 1305the risk of inadvertent security holes when listing pam-krb5 as the only 1306authentication module. 1307.Pp 1308This module treats the empty password as an authentication failure 1309rather than attempting to use that password to avoid unwanted prompting 1310behavior in the Kerberos libraries. 1311If you have a Kerberos principal that intentionally has an empty 1312password, it won't work with this module. 1313.Pp 1314This module will not refresh an existing ticket cache if called with an 1315effective UID or GID different than the real UID or GID, since 1316refreshing an existing ticket cache requires trusting the KRB5CCNAME 1317environment variable and the environment should not be trusted in a 1318setuid context. 1319.Pp 1320Old versions of OpenSSH are known to call pam_authenticate followed by 1321pam_setcred(PAM_REINITIALIZE_CRED) without first calling 1322pam_open_session, thereby requesting that an existing ticket cache be 1323renewed (similar to what a screensaver would want) rather than 1324requesting a new ticket cache be created. 1325Since this behavior is indistinguishable at the PAM level from a 1326screensaver, pam-krb5 when used with these old versions of OpenSSH will 1327refresh the ticket cache of the OpenSSH daemon rather than setting up a 1328new ticket cache for the user. 1329The resulting ticket cache will have the correct permissions, but will 1330not be named correctly or referenced in the user's environment and will 1331be overwritten by the next user login. 1332The best solution to this problem is to upgrade OpenSSH. I'm not sure 1333exactly when this problem was fixed, but at the very least OpenSSH 4.3 1334and later do not exhibit it. 1335.Sh AUTHOR 1336pam-krb5 was originally written by Frank Cusack. 1337Andres Salomon made extensive modifications, and then Russ Allbery 1338<eagle@eyrie.org> adopted it and made even more extensive modifications. 1339Russ Allbery currently maintains the module. 1340.Sh COPYRIGHT AND LICENSE 1341Copyright 2005-2010, 2014, 2020 Russ Allbery <eagle@eyrie.org> 1342.Pp 1343Copyright 2008-2014 The Board of Trustees of the Leland Stanford Junior 1344University 1345.Pp 1346Copying and distribution of this file, with or without modification, are 1347permitted in any medium without royalty provided the copyright notice 1348and this notice are preserved. 1349This file is offered as-is, without any warranty. 1350.Pp 1351SPDX-License-Identifier: FSFAP 1352.Sh SEE ALSO 1353kadmin(8), kdestroy(1), krb5.conf(5), pam.conf(5), passwd(1), syslog(3) 1354.Pp 1355The current version of this module is available from its web page at 1356.Lk https://www.eyrie.org/~eagle/software/pam-krb5/ . 1357