This is a major rewrite of pam_krb5afs. Call it 2.0, for lack of a better term.

o Compared to the earlier releases, this tree builds a single module which
  "knows" how to do everything which is knowable at compile-time.

o Configuration options which can now be set as library defaults in the
  system-wide krb5.conf are now largely ignored by the module.

Standard options:

o debug
  Log debugging messages at LOG_DEBUG priority.

o no_warn
  When authenticating, don't warn the user about an expired password.

o use_authtok
  When changing passwords, never prompt for password data. Instead, use data
  stored by a previously-called module.

o use_first_pass
  When authenticating, never prompt for password data. Instead, use a
  password which was stored by a previously-called module.

o try_first_pass
  When authenticating, first try to authenticate using the password which was
  stored by a previously-called module. If it fails, then prompt for the
  correct password and try again.

Recognized options (krb5.conf's appdefaults/pam section, and command-line):

o banner=Kerberos
  When changing passwords, tell users that they are changing their Kerberos
  passwords (unset to avoid using any term other than "password").

o ccache_dir=/tmp
  Directory in which to store ccache and ticket files.

o external = service1 service2
  Attempt to reuse credentials stored in a ccache pointed to by the KRB5CCNAME
  variable in the PAM environment. This is mainly useful for situations where
  the calling application authenticated the user using GSSAPI, the user
  delegated credentials to the calling application, and you're using pam_krb5
  to obtain a v4 Kerberos ticket via krb524, or AFS tokens. The calling
  application MUST ensure that KRB5CCNAME points to a ccache which should be
  used for the authenticating user.

o keytab=/etc/krb5.keytab
  Default keytab to use when validating initial credentials.

o krb4_convert
  Obtain Kerberos IV ticket files, even if not required for the sake of AFS.

o minimum_uid=NUMBER
  Default keytab to use when validating initial credentials.

o no_user_check
  Go ahead and authenticate users for whom getpwnam() returns no information.
  Credential cache and ticket files will be created and owned by the current
  user and group ID instead of the user's.

o null_afs
  Attempt to get credentials for AFS by guessing a service name of the form
  afs@REALM first, and then one of the form afs/cell@REALM, rather than
  proceeding in the opposite order.

o realm=REALM
  Override the default realm.

o renew_lifetime
  Override the default renewable lifetime (set in libdefaults, else 0).

o ticket_lifetime
  Override the default ticket lifetime (24 hours with krb5 1.3, else 10
  hours).

o tokens
  Obtain AFS tokens during the authentication phase.

o validate
  Validate initial credentials. By default, credentials are validated if the
  specified keytab file can be read.

Configuration file only:

o afs_cells = cell1 cell2 cell3

This module is hosted on git.fedorahosted.org. For more information, point a
web browser at "http://git.fedorahosted.org/git/pam_krb5.git/" and poke at the
"pam_krb5-2_1-branch" branch.
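The following krb5.conf fragment is an added example, not part of the module's own documentation, showing how the options listed above are placed in the appdefaults/pam section. The cell names, service names and lifetime values are constructed for illustration; the `name = value` spelling with `true`/`false` for flags is the krb5.conf convention assumed here. Values given on the module's command line in the PAM stack take precedence over these defaults.

```ini
[appdefaults]
	pam = {
		# Leave debugging off in normal operation; turn it on only while
		# troubleshooting, since messages are logged at LOG_DEBUG priority.
		debug = false

		# Validate the initial credentials against the host key, so that a
		# KDC response cannot satisfy the module unless it is consistent with
		# this host's keytab.  Validation already happens by default when the
		# keytab is readable; stating both makes the intent explicit and
		# makes an unreadable keytab easier to spot during review.
		validate = true
		keytab = /etc/krb5.keytab

		# Lifetimes in seconds, overriding libdefaults for this module only
		# (constructed values: 10 hours, and 7 days renewable).
		ticket_lifetime = 36000
		renew_lifetime = 604800

		# Where credential caches and ticket files are written.
		ccache_dir = /tmp

		# Obtain AFS tokens at authentication time for these cells
		# (constructed cell names).
		tokens = true
		afs_cells = example.edu other.example.org

		# Services that already hold delegated GSSAPI credentials and set
		# KRB5CCNAME in the PAM environment (constructed service names).
		external = sshd imap

		# Wording shown to users during password changes.
		banner = Kerberos
	}
```

Because `afs_cells` is configuration-file only, it cannot be moved onto the command line; every other option above may instead be appended to the pam_krb5 line in the PAM stack when a single service needs a different setting.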