.\"
.\" $Id: pam_krb5.5,v 1.5 2000/01/05 00:59:56 fcusack Exp $
.\" $FreeBSD$
.Dd January 15, 1999
.Dt PAM_KRB5 8
.Os
.Sh NAME
.Nm pam_krb5
.Nd Kerberos 5 PAM module
.Sh SYNOPSIS
.Pa /usr/lib/pam_krb5.so
.Sh DESCRIPTION
The Kerberos 5 service module for PAM, typically
.Pa /usr/lib/pam_krb5.so ,
provides functionality for three PAM categories:
authentication,
account management,
and password management.
It also provides null functions for session management.
The
.Pa pam_krb5.so
module is a shared object
that can be dynamically loaded to provide
the necessary functionality upon demand.
Its path is specified in the
PAM configuration file.
.Ss Kerberos 5 Authentication Module
The Kerberos 5 authentication component
provides functions to verify the identity of a user
.Pq Fn pam_sm_authenticate
and to set user-specific credentials
.Pq Fn pam_sm_setcred .
.Fn pam_sm_authenticate
converts the supplied username into a Kerberos principal,
by appending the default local realm name.
It also supports usernames with explicit realm names.
If a realm name is supplied, then upon a successful return, it
changes the username by mapping the principal name into a local username
(calling
.Fn krb5_aname_to_localname ) .
This typically just means
the realm name is stripped.
.Pp
It prompts the user for a password and obtains a new Kerberos TGT for
the principal.
The TGT is verified by obtaining a service
ticket for the local host.
.Pp
When prompting for the current password, the authentication
module will use the prompt
.Dq Li "Password for <principal>:" .
.Pp
The
.Fn pam_sm_setcred
function stores the newly acquired credentials in a credentials cache,
and sets the environment variable
.Ev KRB5CCNAME
appropriately.
The credentials cache should be destroyed by the user at logout with
.Xr kdestroy 1 .
.Pp
The following options may be passed to the authentication module:
.Bl -tag -width ".Cm use_first_pass"
.It Cm debug
.Xr syslog 3
debugging information at
.Dv LOG_DEBUG
level.
.It Cm use_first_pass
If the authentication module is not the first in the stack,
and a previous module obtained the user's password, that password is
used to authenticate the user.
If this fails, the authentication
module returns failure without prompting the user for a password.
This option has no effect if the authentication module is
the first in the stack, or if no previous modules obtained the
user's password.
.It Cm try_first_pass
This option is similar to the
.Cm use_first_pass
option, except that if the previously obtained password fails, the
user is prompted for another password.
.It Cm forwardable
Obtain forwardable Kerberos credentials for the user.
.It Cm no_ccache
Do not save the obtained credentials in a credentials cache.
This is a
useful option if the authentication module is used for services such
as ftp or pop, where the user would not be able to destroy them.
[This
is not a recommendation to use the module for those services.]
.It Cm ccache Ns = Ns Ar name
Use
.Ar name
as the credentials cache.
.Ar name
must be in the form
.Ar type : Ns Ar residual .
The special tokens
.Ql %u ,
to designate the decimal UID of the user;
and
.Ql %p ,
to designate the current process ID; can be used in
.Ar name .
.El
.Ss Kerberos 5 Account Management Module
The Kerberos 5 account management component
provides a function to perform account management,
.Fn pam_sm_acct_mgmt .
The function verifies that the authenticated principal is allowed
to log in to the local user account by calling
.Fn krb5_kuserok
(which checks the user's
.Pa .k5login
file).
.Ss Kerberos 5 Password Management Module
The Kerberos 5 password management component
provides a function to change passwords
.Pq Fn pam_sm_chauthtok .
The username supplied (the
user running the
.Xr passwd 1
command, or the username given as an argument) is mapped into
a Kerberos principal name, using the same technique as in
the authentication module.
Note that if a realm name was
explicitly supplied during authentication, but not during
a password change, the mapping
done by the password management module may not result in the
same principal as was used for authentication.
.Pp
Unlike when
changing a
.Ux
password, the password management module will
allow any user to change any principal's password (if the user knows
the principal's old password, of course).
Also unlike
.Ux ,
root
is always prompted for the principal's old password.
.Pp
The password management module uses the same heuristics as
.Xr kpasswd 1
to determine how to contact the Kerberos password server.
.Pp
The following options may be passed to the password management
module:
.Bl -tag -width ".Cm use_first_pass"
.It Cm debug
.Xr syslog 3
debugging information at
.Dv LOG_DEBUG
level.
.It Cm use_first_pass
If the password management module is not the first in the stack,
and a previous module obtained the user's old password, that password is
used to authenticate the user.
If this fails, the password
management
module returns failure without prompting the user for the old password.
If successful, the new password entered to the previous module is also
used as the new Kerberos password.
If the new password fails,
the password management module returns failure without
prompting the user for a new password.
.It Cm try_first_pass
This option is similar to the
.Cm use_first_pass
option, except that if the previously obtained old or new passwords fail,
the user is prompted for them.
.El
.Ss Kerberos 5 Session Management Module
The Kerberos 5 session management component
provides functions to initiate
.Pq Fn pam_sm_open_session
and terminate
.Pq Fn pam_sm_close_session
sessions.
Since session management is not defined under Kerberos 5,
both of these functions simply return success.
They are provided
only because of the naming conventions for PAM modules.
.Sh ENVIRONMENT
.Bl -tag -width "KRB5CCNAME"
.It Ev KRB5CCNAME
Location of the credentials cache.
.El
.Sh FILES
.Bl -tag -width ".Pa /tmp/krb5cc_ Ns Ar uid" -compact
.It Pa /tmp/krb5cc_ Ns Ar uid
default credentials cache
.Ar ( uid
is the decimal UID of the user).
.It Pa $HOME/.k5login
file containing Kerberos principals that are allowed access.
.El
.Sh SEE ALSO
.Xr kdestroy 1 ,
.Xr passwd 1 ,
.Xr syslog 3 ,
.Xr pam.conf 5 ,
.Xr pam 8
.Sh NOTES
Applications should not call
.Fn pam_authenticate
more than once between calls to
.Fn pam_start
and
.Fn pam_end
when using the Kerberos 5 PAM module.
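.Sh EXAMPLES
The following
.Xr pam.conf 5
fragment is an added example, not part of this manual page or of the
module's own sources; the
.Pa pam_unix.so
module and the service names are assumptions about the rest of the stack.
It shows the authentication module prompting itself (first in the stack)
with a per-process credentials cache, and the password management module
reusing the passwords collected by an earlier module.

```conf
# Constructed pam.conf(5) fragment for the login and passwd services.
# Added example, not from the manual page; pam_unix.so and the service
# names are assumptions about what else is configured on the system.
#
# service type      control    module-path           options
#
# pam_krb5.so is first, so it prompts "Password for <principal>:" itself;
# use_first_pass/try_first_pass would have no effect here.  The ccache
# pattern gives every login process its own cache file (%u = UID, %p = PID),
# and pam_sm_setcred exports its location in KRB5CCNAME for kdestroy(1).
login   auth      sufficient /usr/lib/pam_krb5.so  forwardable ccache=FILE:/tmp/krb5cc_%u_%p
# Fallback to the local password database, reusing the password typed above.
login   auth      required   /usr/lib/pam_unix.so  try_first_pass
# pam_sm_acct_mgmt calls krb5_kuserok(), i.e. checks ~/.k5login.
login   account   required   /usr/lib/pam_krb5.so
# Null session functions; listed only so the module name appears in every type.
login   session   required   /usr/lib/pam_krb5.so
#
# Password stack: pam_unix.so collects the old and new passwords first, so
# pam_krb5.so can reuse both.  try_first_pass re-prompts for whichever of
# the two the Kerberos password server rejects; use_first_pass would fail
# instead of re-prompting.
passwd  password  required   /usr/lib/pam_unix.so
passwd  password  required   /usr/lib/pam_krb5.so  try_first_pass
```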