Home Man
Search
Today's Posts
Register

Linux & Unix Commands - Search Man Pages

RedHat 9 (Linux i386) - man page for pam_krb5afs (redhat section 8)

pam_krb5afs(8)			  System Administrator's Manual 		   pam_krb5afs(8)

NAME
       pam_krb5afs - Kerberos 5 authentication with AFS support

SYNOPSIS
       auth required /lib/security/pam_krb5afs.so
       session optional /lib/security/pam_krb5afs.so
       account sufficient /lib/security/pam_krb5afs.so
       password sufficient /lib/security/pam_krb5afs.so

DESCRIPTION
       pam_krb5afs.so  is  designed  to allow smooth integration of Kerberos 5 password- checking
       with applications built using PAM.  It also supports session-specific ticket files  (which
       are neater), Kerberos IV ticket file grabbing, and AFS token-grabbing.  Its main use is as
       an authentication module, but it also supplies the same functions as a  session-management
       module to better support poorly-written applications, and a couple of other workarounds as
       well.  It also supports account management and password-changing.

       When a user logs in, the module's authentication function performs a simple password check
       and,  if  possible, obtains Kerberos 5 and Kerberos IV credentials, caching them for later
       use.  When the application requests initialization of credentials (or  opens  a	session),
       the usual ticket files are created and AFS tokens are obtained.	When the application sub-
       sequently requests deletion of credentials or closing of the session, the module  destroys
       the tokens for the current PAG and deletes the ticket files.

       Some  applications  (notably, wu-ftpd, wu-imapd, and Samba) neither create credentials nor
       open sessions.  For these applications, it's best to use the tokens option to force token-
       grabbing  during  the  password	check,	which  is usually the right thing to do for these
       server apps.

ARGUMENTS
       debug  turns on debugging via syslog(3).  Debugging  messages  are  logged  with  priority
	      LOG_DEBUG.

       addressless
	      tells pam_krb5afs.so to obtain credentials without address lists.  This may be nec-
	      essary if your network uses NAT, and should otherwise not be used.

       hosts=host
	      tells pam_krb5afs.so to obtain credentials using the address of the given  host  in
	      addition	to the addresses of interfaces on the local workstation.  For example, if
	      your workstation is behind a masquerading firewall, specifying the firewall's  out-
	      ward-facing address here should allow Kerberos authentication to succeed.

       afs_cells=cell
	      tells pam_krb5afs.so to obtain tokens for users in the given cell when they log in.
	      The default is the current realm name converted to lower case.

       banner=Kerberos
	    tells pam_krb5afs.so how to identify itself when users attempt to change their  pass-
	    words.

       ccache_dir=/tmp
	    tells pam_krb5afs.so which directory to use for storing credential caches.

       forwardable
	    tells pam_krb5afs.so that credentials it obtains should be forwardable.

       keytab=/etc/krb5.keytab
	    tells  pam_krb5afs.so  the	location  of  a keytab to use when validating credentials
	    obtained from KDCs.

       krb4_convert
	    tells pam_krb5afs.so to obtain Kerberos IV credentials for users, in addition to Ker-
	    beros 5 credentials.

       minimum_uid=0
	    tells  pam_krb5afs.so  to ignore authentication attempts by users with UIDs below the
	    specified number.

       no_user_check
	    tells pam_krb5afs.so to not check if a user exists on the local system, and to create
	    ccache files owned by the current process's UID.  This is useful for situations where
	    a non-privileged server process needs to use Kerberized services on behalf of  remote
	    users  who	may  not  have	local  access.	 Note  that  such a server should have an
	    encrypted connection with its client in order to avoid allowing the  user's  password
	    to be eavesdropped.

       proxiable
	    tells pam_krb5afs.so that credentials it obtains should be proxiable.

       realm=realm
	    overrides  the default realm set in /etc/krb5.conf, which pam_krb5afs.so will attempt
	    to authenticate users to.

       renew_lifetime=36000
	    sets the default renewable lifetime for credentials.

       retain_after_close
	    tells pam_krb5afs.so to retain the ticket after the session has been closed.

       skip_first_pass
	    tells pam_krb5afs.so to not bother checking a password that has been set by a  module
	    listed earlier in the stack.  This option is included mainly for completeness.

       ticket_lifetime=36000
	    sets the default lifetime for credentials.

       tokens
	    tells pam_krb5afs.so to get AFS tokens for the user immediately if the password check
	    succeeds.  This is necessary for some programs that never open sessions or attempt to
	    initialize credentials (PAM's credentials, not Kerberos's).  If you have a server app
	    that requires access to the user's file space, you might need this.

       try_first_pass
	    tells pam_krb5afs.so to check the password as with use_first_pass, but to prompt  the
	    user for another one if the previously-entered one fails. This is the default mode of
	    operation.

       use_first_pass
	    tells pam_krb5afs.so to get the user's entered password as it was stored by a  module
	    listed  earlier  in the stack, usually pam_unix or pam_pwdb, instead of prompting the
	    user for it.

       use_authtok
	    tells pam_krb5afs.so to never prompt for passwords when changing passwords.  This  is
	    useful  if	you are using pam_cracklib.so to try to enforce use of less-easy-to-guess
	    passwords.

       validate
	    tells pam_krb5afs.so to verify that the TGT obtained from the realm's servers has not
	    been spoofed.

FILES
       /etc/krb5.conf

SEE ALSO
       pam_krb5afs(5)

BUGS
       Probably, but let's hope not.  If you find any, please email the author.

AUTHOR
       Nalin Dahyabhai <nalin@redhat.com>

Red Hat Linux				    2002/02/15				   pam_krb5afs(8)


All times are GMT -4. The time now is 05:32 PM.

Unix & Linux Forums Content Copyrightę1993-2018. All Rights Reserved.
UNIX.COM Login
Username:
Password:  
Show Password