Unix/Linux Go Back    

RedHat 9 (Linux i386) - man page for pam_krb5 (redhat section 5)

Linux & Unix Commands - Search Man Pages
Man Page or Keyword Search:   man
Select Man Page Set:       apropos Keyword Search (sections above)

pam_krb5(5)			  System Administrator's Manual 		      pam_krb5(5)

       pam_krb5 - Kerberos 5 authentication

       pam_krb5.so  uses a portion of krb5.conf to get its configuration information.  You should
       read the krb5.conf(5) man page before continuing here.  The module expects its  configura-
       tion  information  to be in the pam subsection of the appdefaults section of the krb5.conf
       configuration file (for backward compatibility, the pam section is also	checked  for  the
       same directives).

	      turns on debugging via syslog(3).

	      disables	the  checking  of the address in the ticket. Allows the ticket to be used
	      from behind NAT firewalls, or on machines whose IP address changes regularly.

	    specifies what kind of password the module claims  to  be  changing  when  called  to
	    change passwords.  The default is Kerberos 5.

	    specifies the directory to place credential cache files in.

	    controls whether or not credentials are forwardable.  If not specified, they are.

	    specifies  which  other  hosts  credentials obtained by pam_krb5 will be good on.  If
	    your host is behind a firewall, you should add the IP address or name  that  the  KDC
	    sees it as to this list.

	    specifies the number of seconds to wait for the first KDC to respond, before attempt-
	    ing incremental backoff.

	    specifies the name of a keytab file to find a key for the required_tgs in, for use in
	    validating TGTs.

	    controls  whether  or  not pam_krb5 tries to get Kerberos IV credentials from the KDC
	    (or using the krb524d service on the KDC) and create ticket files with them.   Unless
	    you've  converted  everything  on your network over to use Kerberos 5, you'll want to
	    leave this set to true.  Note that this requires valid Kerberos IV configuration data
	    to be present in /etc/krb.conf and /etc/krb.realms.

	    specifies  the  maximum amount of time to spend in attempting to get a reply from the
	    KDCs, in seconds. This in effect determines the amount of time before PAM  tries  the
	    next authentication scheme, if the network is not available.

	    specifies  the  minimum  UID of users being authenticated.	If a user with a UID less
	    than this value attempts authentication, the request will be ignored.

	    controls whether or not credentials are proxiable.	If not specified, they are.

	    default renewable lifetime.  This specifies how much time you have after getting cre-
	    dentials to renew them.

	    specifies  a principal for which a user must be able to get a session key for for the
	    purpose of verifying that the TGT has not been forged.  The key is decrypted using	a
	    copy  of  the  service's key stored in a local keytab file.  This is the only certain
	    way to be absolutely sure the TGT hasn't been forged.  The default is host@hostname.

	    default credential lifetime.

	    specifies the number of bits left to shift after each timeout,  in	implementing  the
	    incremental backoff in talking to the KDCs.

	    specifies whether or not to attempt validation of the TGT.	The default is false.

	 pam = {
	   debug = true
	   ticket_lifetime = 36000
	   renew_lifetime = 36000
	   forwardable = true
	   krb4_convert = true
	   hosts = thermo.example.edu alf.example.edu
	   validate = true
	   required_tgs = host/thermo.example.edu
	   ccache_dir = /var/tmp



       Probably, but let's hope not.  If you find any, please email the author.

       Nalin Dahyabhai <nalin@redhat.com>

Red Hat Linux				    2002/02/15				      pam_krb5(5)
Unix & Linux Commands & Man Pages : ©2000 - 2018 Unix and Linux Forums

All times are GMT -4. The time now is 08:06 AM.