pam_krb5(5) System Administrator's Manual pam_krb5(5)
NAME
pam_krb5 - Kerberos 5 authentication
DESCRIPTION
pam_krb5.so uses a portion of krb5.conf to get its configuration information. You should read the krb5.conf(5) man page before continuing
here. The module expects its configuration information to be in the pam subsection of the appdefaults section of the krb5.conf configura-
tion file (for backward compatibility, the pam section is also checked for the same directives).
DIRECTIVES
debug=[true|false]
turns on debugging via syslog(3).
addressless=[true|false]
disables the checking of the address in the ticket. Allows the ticket to be used from behind NAT firewalls, or on machines whose IP
address changes regularly.
banner=Kerberos
specifies what kind of password the module claims to be changing when called to change passwords. The default is Kerberos 5.
ccache_dir=/tmp
specifies the directory to place credential cache files in.
forwardable=[true|false]
controls whether or not credentials are forwardable. If not specified, they are.
hosts=hostnames
specifies which other hosts credentials obtained by pam_krb5 will be good on. If your host is behind a firewall, you should add the
IP address or name that the KDC sees it as to this list.
initial_timemout
specifies the number of seconds to wait for the first KDC to respond, before attempting incremental backoff.
keytab=/etc/krb5.keytab
specifies the name of a keytab file to find a key for the required_tgs in, for use in validating TGTs.
krb4_convert=[true|false]
controls whether or not pam_krb5 tries to get Kerberos IV credentials from the KDC (or using the krb524d service on the KDC) and cre-
ate ticket files with them. Unless you've converted everything on your network over to use Kerberos 5, you'll want to leave this set
to true. Note that this requires valid Kerberos IV configuration data to be present in /etc/krb.conf and /etc/krb.realms.
max_timeout=30
specifies the maximum amount of time to spend in attempting to get a reply from the KDCs, in seconds. This in effect determines the
amount of time before PAM tries the next authentication scheme, if the network is not available.
minimum_uid=0
specifies the minimum UID of users being authenticated. If a user with a UID less than this value attempts authentication, the
request will be ignored.
proxiable=[true|false]
controls whether or not credentials are proxiable. If not specified, they are.
renew_lifetime=36000
default renewable lifetime. This specifies how much time you have after getting credentials to renew them.
required_tgs=[service]
specifies a principal for which a user must be able to get a session key for for the purpose of verifying that the TGT has not been
forged. The key is decrypted using a copy of the service's key stored in a local keytab file. This is the only certain way to be
absolutely sure the TGT hasn't been forged. The default is host@hostname.
ticket_lifetime=36000
default credential lifetime.
timeout_shift
specifies the number of bits left to shift after each timeout, in implementing the incremental backoff in talking to the KDCs.
validate=[true|false]
specifies whether or not to attempt validation of the TGT. The default is false.
EXAMPLE
[appdefaults]
pam = {
debug = true
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = true
hosts = thermo.example.edu alf.example.edu
validate = true
required_tgs = host/thermo.example.edu
ccache_dir = /var/tmp
}
FILES
/etc/krb5.conf
SEE ALSO
pam_krb5(8)
BUGS
Probably, but let's hope not. If you find any, please email the author.
AUTHOR
Nalin Dahyabhai <nalin@redhat.com>
Red Hat Linux 2002/02/15 pam_krb5(5)