README
This module for Linux-PAM implements Kerberos 5 password-checking with optional
Kerberos 4 compatible ticket files and aklog-style AFS token-grabbing.

It implements authentication, session management, and (imperfect)
password-changing functions.  Sample configuration files for ssh and login are
included.

The auth module checks the user name and password in the user's realm.  It takes
the standard parameters "debug", "try_first_pass", and "use_first_pass", as
required by the PAM documentation, and "skip_first_pass" for completeness.

With no arguments, the auth module defaults to "try_first_pass" mode.  The TGT
obtained is saved for use by the setcred function, but is not stored on disk.
If CRITICAL_SERVICE was defined at compile-time, the new TGT is used to obtain
a service ticket for that service, as verification that the TGT did not come
from a spoofed KDC.

The setcred function creates a Kerberos 5 ticket file and, if libkrb524 was
found at compile-time, obtains and creates a Kerberos 4 ticket file using
the krb524 service running on the KDC.  If libkrbafs was found at compile-time,
the module will create a PAG and get tokens for AFS cells.

The session management functions merely wrap calls to pam_setcred with
PAM_ESTABLISH_CREDS and PAM_DELETE_CREDS, respectively, which is handy because
on my test box some things just don't work right.

Because session-specific ticket files require that the KRBTKFILE and KRB5CCNAME
environment variables are set correctly, certain programs that create their own
environments but don't incorporate the results of pam_getenvlist() will work,
but a user running 'klist' will think that she has no tickets.  Currently, this
includes sshd and unpatched versions of every display manager known except gdm2.

Certain settings for the module are now stored in the krb5.conf file, which is
usually stored under /etc.  The section name is "pam":

[pam]
   debug = true
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = true
   afs_cells = eos.ncsu.edu unity.ncsu.edu bp.ncsu.edu
   hosts = thermo.stat.ncsu.edu alf.physics.ncsu.edu

Descriptions of the configuration file directives:
   debug		Gratuitous debugging info via syslog.
   ticket_lifetime	How long tickets are good, in seconds.  The default is
			36000 (= 10 hours).
   renew_lifetime	How long tickets are renewable, in seconds.  The default
			is also 36000 (10 hours).
   forwardable		Whether or not tickets are forwardable.  Default = true.
   krb4_convert		Get krb4 tickets by talking to krb524d on the KDC.
   afs_cells		Cells to get tokens in.  Requires that krb4_convert be
			set.  Default as distributed is "eos unity bp".
   hosts		Hosts this ticket will also be good for, in addition to
			this one.  Primarily for use behind firewalls.

Descriptions of configuration directives for use in /etc/pam.d:
   use_first_pass	Use password obtained by a previous module.
   try_first_pass	Same as above, but prompt for another one if the one
			used by the other module fails.
   skip_first_pass	Skip trying previously-entered password altogether.
   debug		Switch on debugging via syslog.
   tokens		Get tokens during authentication.  Needed for wu-ftpd,
			Samba, and some other programs that don't use sessions
			and don't call pam_setcred, but need tokens.

This module was built and tested against MIT Kerberos 5 v1.1.1.

Caveat: pam_pwdb will cause things to fail if your user information isn't stored
in one of the databases it knows about (i.e., hesiod).  Switch to pam_unix if
that happens.

Let me know if you have problems,

Nalin Dahyabhai <nalin@redhat.com>
6 January 1999