Linux » Man Pages
find in page
auth required /lib/security/pam_krb5afs.so
session optional /lib/security/pam_krb5afs.so
account sufficient /lib/security/pam_krb5afs.so
password sufficient /lib/security/pam_krb5afs.so
pam_krb5afs.so is designed to allow smooth integration of Kerberos 5
password- checking with applications built using PAM. It also supports
session-specific ticket files (which are neater), Kerberos IV ticket
file grabbing, and AFS token-grabbing. Its main use is as an authenti-
cation module, but it also supplies the same functions as a session-
management module to better support poorly-written applications, and a
couple of other workarounds as well. It also supports account manage-
ment and password-changing.
When a user logs in, the module’s authentication function performs a
simple password check and, if possible, obtains Kerberos 5 and Kerberos
IV credentials, caching them for later use. When the application
requests initialization of credentials (or opens a session), the usual
ticket files are created and AFS tokens are obtained. When the appli-
cation subsequently requests deletion of credentials or closing of the
session, the module destroys the tokens for the current PAG and deletes
the ticket files.
Some applications (notably, wu-ftpd, wu-imapd, and Samba) neither cre-
ate credentials nor open sessions. For these applications, it’s best
to use the tokens option to force token-grabbing during the password
check, which is usually the right thing to do for these server apps.
debug turns on debugging via syslog(3). Debugging messages are logged
with priority LOG_DEBUG.
tells pam_krb5afs.so to obtain credentials without address
lists. This may be necessary if your network uses NAT, and
should otherwise not be used.
tells pam_krb5afs.so to obtain credentials using the address of
the given host in addition to the addresses of interfaces on the
local workstation. For example, if your workstation is behind a
masquerading firewall, specifying the firewall’s outward-facing
address here should allow Kerberos authentication to succeed.
tells pam_krb5afs.so to obtain tokens for users in the given
cell when they log in. The default is the current realm name
converted to lower case.
tells pam_krb5afs.so how to identify itself when users attempt to
change their passwords.
ing credentials obtained from KDCs.
tells pam_krb5afs.so to obtain Kerberos IV credentials for users,
in addition to Kerberos 5 credentials.
tells pam_krb5afs.so to ignore authentication attempts by users
with UIDs below the specified number.
tells pam_krb5afs.so to not check if a user exists on the local
system, and to create ccache files owned by the current process’s
UID. This is useful for situations where a non-privileged server
process needs to use Kerberized services on behalf of remote users
who may not have local access. Note that such a server should
have an encrypted connection with its client in order to avoid
allowing the user’s password to be eavesdropped.
tells pam_krb5afs.so that credentials it obtains should be proxi-
overrides the default realm set in /etc/krb5.conf, which
pam_krb5afs.so will attempt to authenticate users to.
sets the default renewable lifetime for credentials.
tells pam_krb5afs.so to retain the ticket after the session has
tells pam_krb5afs.so to not bother checking a password that has
been set by a module listed earlier in the stack. This option is
included mainly for completeness.
sets the default lifetime for credentials.
tells pam_krb5afs.so to get AFS tokens for the user immediately if
the password check succeeds. This is necessary for some programs
that never open sessions or attempt to initialize credentials
(PAM’s credentials, not Kerberos’s). If you have a server app
that requires access to the user’s file space, you might need
tells pam_krb5afs.so to check the password as with use_first_pass,
but to prompt the user for another one if the previously-entered
one fails. This is the default mode of operation.
tells pam_krb5afs.so to verify that the TGT obtained from the
realm’s servers has not been spoofed.
Probably, but let’s hope not. If you find any, please email the
Nalin Dahyabhai <email@example.com>
Red Hat Linux 2002/02/15 pam_krb5afs(8)
Output converted with
what's new |