Hi,
We've configured Kerberos to authenticate AIX 5.3 users with Active Directory and I now have to port an application written in C to the new security model.
Currently, our users can login as normal and running a "klist" command reveals that they have been successfully granted a ticket. ... (2 Replies)
Hi,
Anyone can point me a good link to setup IPSec using racoon IKE which uses gssapi_krb authentication method?
I have a debain linux box and Windows 2003R2 system, and I want them to communicate using IPSec.
Thanks,
Emily. (0 Replies)
I am in the process of developing a application that needs to be able to authenticate users details with a kerberos server, which is proving to be rather difficult. There seems to be a lack of good information on how to do this using the MIT kerberos api.
Can anyone point me in the right... (0 Replies)
Hi,
I've configured two linux boxes to authenticate against Windows Active Directory using Kerberos while retrieving authorization data (uids, gids ,,,)from NIS.
The problem I ran into with my PAM configuration is that all authentication attempts succeed in order.i.e. if someone tried his... (0 Replies)
I've configured an AIX 5.3 client to use our Windows AD for user authentication via Kerberos.
When I try to ssh to the server using the AD credentials, I eventually get access but not after getting prompted for a password 3 times (which doesn't work) followed by an accepted login on the 4th... (3 Replies)
I have two servers with a fresh install of Solaris 11, and having problems when doing rpcinfo between them. There is no firewall involved, so everything should theoretically be getting through. Does anyone have any ideas? I did a lot of Google searches, and haven't found a working solution yet.
... (2 Replies)
Hi All,
I am currently writing script to get the details for lot of hosts from jump server. Means each and every time it will ssh to the host and get the information. To achieve that I need to automatically accept the password from Jump server to that main hosts. We are using kerberos password... (6 Replies)
I am installing Authen::Krb5::Easy and during make test I am getting the follwing error :
kinit not ok 2
error was: could not get initial credentials: Cannot contact any KDC for requested realm
we are stroring krb5.conf in diff location ( not in /etc/krb5.conf) , but, PERL is... (1 Reply)
Hello All,
I have below piece of code executing via shell script but for some reason even if the flag is set to KERBEROS_FLAG="N" It displays an message at the end of script execution. It should not call /usr/bin/kdestroy but looks like it is happening and this happens only for one application id... (4 Replies)
Discussion started by: Ariean
4 Replies
LEARN ABOUT REDHAT
pam_krb5
pam_krb5(5) System Administrator's Manual pam_krb5(5)NAME
pam_krb5 - Kerberos 5 authentication
DESCRIPTION
pam_krb5.so uses a portion of krb5.conf to get its configuration information. You should read the krb5.conf(5) man page before continuing
here. The module expects its configuration information to be in the pam subsection of the appdefaults section of the krb5.conf configura-
tion file (for backward compatibility, the pam section is also checked for the same directives).
DIRECTIVES
debug=[true|false]
turns on debugging via syslog(3).
addressless=[true|false]
disables the checking of the address in the ticket. Allows the ticket to be used from behind NAT firewalls, or on machines whose IP
address changes regularly.
banner=Kerberos
specifies what kind of password the module claims to be changing when called to change passwords. The default is Kerberos 5.
ccache_dir=/tmp
specifies the directory to place credential cache files in.
forwardable=[true|false]
controls whether or not credentials are forwardable. If not specified, they are.
hosts=hostnames
specifies which other hosts credentials obtained by pam_krb5 will be good on. If your host is behind a firewall, you should add the
IP address or name that the KDC sees it as to this list.
initial_timemout
specifies the number of seconds to wait for the first KDC to respond, before attempting incremental backoff.
keytab=/etc/krb5.keytab
specifies the name of a keytab file to find a key for the required_tgs in, for use in validating TGTs.
krb4_convert=[true|false]
controls whether or not pam_krb5 tries to get Kerberos IV credentials from the KDC (or using the krb524d service on the KDC) and cre-
ate ticket files with them. Unless you've converted everything on your network over to use Kerberos 5, you'll want to leave this set
to true. Note that this requires valid Kerberos IV configuration data to be present in /etc/krb.conf and /etc/krb.realms.
max_timeout=30
specifies the maximum amount of time to spend in attempting to get a reply from the KDCs, in seconds. This in effect determines the
amount of time before PAM tries the next authentication scheme, if the network is not available.
minimum_uid=0
specifies the minimum UID of users being authenticated. If a user with a UID less than this value attempts authentication, the
request will be ignored.
proxiable=[true|false]
controls whether or not credentials are proxiable. If not specified, they are.
renew_lifetime=36000
default renewable lifetime. This specifies how much time you have after getting credentials to renew them.
required_tgs=[service]
specifies a principal for which a user must be able to get a session key for for the purpose of verifying that the TGT has not been
forged. The key is decrypted using a copy of the service's key stored in a local keytab file. This is the only certain way to be
absolutely sure the TGT hasn't been forged. The default is host@hostname.
ticket_lifetime=36000
default credential lifetime.
timeout_shift
specifies the number of bits left to shift after each timeout, in implementing the incremental backoff in talking to the KDCs.
validate=[true|false]
specifies whether or not to attempt validation of the TGT. The default is false.
EXAMPLE
[appdefaults]
pam = {
debug = true
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = true
hosts = thermo.example.edu alf.example.edu
validate = true
required_tgs = host/thermo.example.edu
ccache_dir = /var/tmp
}
FILES
/etc/krb5.conf
SEE ALSO pam_krb5(8)BUGS
Probably, but let's hope not. If you find any, please email the author.
AUTHOR
Nalin Dahyabhai <nalin@redhat.com>
Red Hat Linux 2002/02/15 pam_krb5(5)