Unix/Linux Go Back    

RedHat 9 (Linux i386) - man page for pam_krb5 (redhat section 8)

Linux & Unix Commands - Search Man Pages
Man Page or Keyword Search:   man
Select Man Page Set:       apropos Keyword Search (sections above)

pam_krb5(8)			  System Administrator's Manual 		      pam_krb5(8)

       pam_krb5 - Kerberos 5 authentication

       auth required /lib/security/pam_krb5.so
       session optional /lib/security/pam_krb5.so
       account sufficient /lib/security/pam_krb5.so
       password sufficient /lib/security/pam_krb5.so

       pam_krb5.so  is designed to allow smooth integration of Kerberos 5 password- checking with
       applications built using PAM.  It also supports session-specific ticket files  (which  are
       neater),  and Kerberos IV ticket file grabbing.	Its main use is as an authentication mod-
       ule, but it also supplies the same functions as a session-management module to better sup-
       port poorly-written applications, and a couple of other workarounds as well.  It also sup-
       ports account management and password-changing.

       When a user logs in, the module's authentication function performs a simple password check
       and,  if  possible, obtains Kerberos 5 and Kerberos IV credentials, caching them for later
       use.  When the application requests initialization of credentials (or  opens  a	session),
       the  usual  ticket files are created.  When the application subsequently requests deletion
       of credentials or closing of the session, the module deletes the ticket files.

       debug  turns on debugging via syslog(3).  Debugging  messages  are  logged  with  priority

	      tells  pam_krb5.so to obtain credentials without address lists.  This may be neces-
	      sary if your network uses NAT, and should otherwise not be used.

	      tells pam_krb5.so to obtain credentials using the address  of  the  given  host  in
	      addition	to the addresses of interfaces on the local workstation.  For example, if
	      your workstation is behind a masquerading firewall, specifying the firewall's  out-
	      ward-facing address here should allow Kerberos authentication to succeed.

	    tells  pam_krb5.so	how  to  identify itself when users attempt to change their pass-

	    tells pam_krb5.so which directory to use for storing credential caches.

	    tells pam_krb5.so that credentials it obtains should be forwardable.

	    tells pam_krb5.so the location  of	a  keytab  to  use  when  validating  credentials
	    obtained from KDCs.

	    tells  pam_krb5.so	to  obtain Kerberos IV credentials for users, in addition to Ker-
	    beros 5 credentials.

	    tells pam_krb5.so to ignore authentication attempts by  users  with  UIDs  below  the
	    specified number.

	    tells  pam_krb5.so	to  not check if a user exists on the local system, and to create
	    ccache files owned by the current process's UID.  This is useful for situations where
	    a  non-privileged server process needs to use Kerberized services on behalf of remote
	    users who may not have local  access.   Note  that	such  a  server  should  have  an
	    encrypted  connection  with its client in order to avoid allowing the user's password
	    to be eavesdropped.

	    tells pam_krb5.so that credentials it obtains should be proxiable.

	    overrides the default realm set in /etc/krb5.conf, which pam_krb5.so will attempt  to
	    authenticate users to.

	    sets the default renewable lifetime for credentials.

	    tells  pam_krb5.so	to  not  bother checking a password that has been set by a module
	    listed earlier in the stack.  This option is included mainly for completeness.

	    sets the default lifetime for credentials.

	    tells pam_krb5.so to check the password as with use_first_pass,  but  to  prompt  the
	    user for another one if the previously-entered one fails. This is the default mode of

	    tells pam_krb5.so to get the user's entered password as it was  stored  by	a  module
	    listed  earlier  in the stack, usually pam_unix or pam_pwdb, instead of prompting the
	    user for it.

	    tells pam_krb5.so to never prompt for passwords when  changing  passwords.	 This  is
	    useful  if	you are using pam_cracklib.so to try to enforce use of less-easy-to-guess

	    tells pam_krb5.so to verify that the TGT obtained from the realm's	servers  has  not
	    been spoofed.



       Probably, but let's hope not.  If you find any, please email the author.

       Nalin Dahyabhai <nalin@redhat.com>

Red Hat Linux				    2002/02/15				      pam_krb5(8)
Unix & Linux Commands & Man Pages : 2000 - 2018 Unix and Linux Forums

All times are GMT -4. The time now is 05:59 AM.