       auth required /lib/security/
       session optional /lib/security/
       account sufficient /lib/security/
       password sufficient /lib/security/

DESCRIPTION
       This module is designed to allow smooth integration of Kerberos 5
       password-checking with applications built using PAM.  It also supports
       session-specific ticket files (which are neater), Kerberos IV ticket
       file grabbing, and AFS token-grabbing.  Its main use is as an
       authentication module, but it also supplies the same functions as a
       session-management module to better support poorly-written
       applications, and a couple of other workarounds as well.  It also
       supports account management and password-changing.

       When a user logs in, the module's authentication function performs a
       simple password check and, if possible, obtains Kerberos 5 and Kerberos
       IV credentials, caching them for later use.  When the application
       requests initialization of credentials (or opens a session), the usual
       ticket files are created and AFS tokens are obtained.  When the
       application subsequently requests deletion of credentials or closing of
       the session, the module destroys the tokens for the current PAG and
       deletes the ticket files.

       Some applications (notably, wu-ftpd, wu-imapd, and Samba) neither
       create credentials nor open sessions.  For these applications, it's
       best to use the tokens option to force token-grabbing during the
       password check, which is usually the right thing to do for these server
       apps.


       debug  turns on debugging via syslog(3).  Debugging messages are logged
              with priority LOG_DEBUG.

               tells the module to obtain credentials without address lists.
               This may be necessary if your network uses NAT, and should
               otherwise not be used.

               tells the module to obtain credentials using the address of
               the given host in addition to the addresses of interfaces on
               the local workstation.  For example, if your workstation is
               behind a masquerading firewall, specifying the firewall's
               outward-facing address here should allow Kerberos
               authentication to succeed.

               tells the module to obtain tokens for users in the given cell
               when they log in.  The default is the current realm name
               converted to lower case.

               tells the module how to identify itself when users attempt to
               change their passwords.

            ing credentials obtained from KDCs.

               tells the module to obtain Kerberos IV credentials for users,
               in addition to Kerberos 5 credentials.

               tells the module to ignore authentication attempts by users
               with UIDs below the specified number.

               tells the module not to check whether a user exists on the
               local system, and to create ccache files owned by the current
               process's UID.  This is useful for situations where a
               non-privileged server process needs to use Kerberized services
               on behalf of remote users who may not have local access.  Note
               that such a server should have an encrypted connection with its
               client in order to avoid allowing the user's password to be
               eavesdropped.

            tells that credentials it obtains should be proxi-

               overrides the default realm set in /etc/krb5.conf, which the
               module will attempt to authenticate users to.

               sets the default renewable lifetime for credentials.

               tells the module to retain the ticket after the session has
               been closed.

               tells the module not to bother checking a password that has
               been set by a module listed earlier in the stack.  This option
               is included mainly for completeness.

               sets the default lifetime for credentials.

               tells the module to get AFS tokens for the user immediately if
               the password check succeeds.  This is necessary for some
               programs that never open sessions or attempt to initialize
               credentials (PAM's credentials, not Kerberos's).  If you have a
               server app that requires access to the user's file space, you
               might need

               tells the module to check the password as with use_first_pass,
               but to prompt the user for another one if the
               previously-entered one fails.  This is the default mode of
               operation.

               tells the module to verify that the TGT obtained from the
               realm's servers has not been spoofed.
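As an added example (not part of this man page or the module's own code), a small Python lint that parses a PAM service file and applies the advice above: an auth line for this module with no matching session entry and no tokens option is flagged, and debug is noted since it logs at LOG_DEBUG. The pam_krb5afs.so filename is assumed (the page shows only /lib/security/), and the sample stacks are constructed.

```python
import re

# Module basename; the page shows only "/lib/security/", so the
# "pam_krb5afs.so" filename in the sample stacks below is an assumption.
MODULE = "pam_krb5afs"

def parse_pam(config):
    """Parse a per-service PAM file into dicts of type/control/module/args."""
    rows = []
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        # control is one word or a bracketed [value=action ...] list
        m = re.match(r"(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)", line)
        if m:
            mtype, control, path, args = m.groups()
            rows.append({"type": mtype, "control": control,
                         "module": path.rsplit("/", 1)[-1], "args": args.split()})
    return rows

def check_krb5afs(config):
    """Findings for pam_krb5afs in one service file.  With no session line the
    module's session function never runs, so AFS tokens then depend on the
    application calling pam_setcred; a daemon that does neither needs 'tokens'."""
    rows = [r for r in parse_pam(config) if r["module"].startswith(MODULE)]
    types_used = {r["type"] for r in rows}
    findings = []
    for r in rows:
        if r["type"] != "auth":
            continue
        if "session" not in types_used and "tokens" not in r["args"]:
            findings.append("auth: no session entry for the module and no 'tokens' "
                            "option; a session-less daemon gets no AFS tokens")
        if "debug" in r["args"]:
            findings.append("auth: 'debug' set; expect LOG_DEBUG messages via syslog")
    return findings

# Constructed sample stacks, not taken from any real system.
LOGIN_STACK = """
auth     required   /lib/security/pam_krb5afs.so
session  optional   /lib/security/pam_krb5afs.so
account  sufficient /lib/security/pam_krb5afs.so
password sufficient /lib/security/pam_krb5afs.so
"""
FTPD_STACK = """
auth     required   /lib/security/pam_krb5afs.so debug  # daemon never opens a session
account  sufficient /lib/security/pam_krb5afs.so
"""
FTPD_FIXED = FTPD_STACK.replace("debug", "tokens")
```

Running check_krb5afs on FTPD_STACK reports both the missing tokens option and the debug setting, while LOGIN_STACK and FTPD_FIXED produce no findings.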






       Probably, but let’s hope not.   If  you  find  any,  please  email  the


       Nalin Dahyabhai <>

Red Hat Linux                     2002/02/15                    pam_krb5afs(8)
