pam_krb5afs(8) System Administrator's Manual pam_krb5afs(8)
pam_krb5afs - Kerberos 5 authentication with AFS support
auth required /lib/security/pam_krb5afs.so
session optional /lib/security/pam_krb5afs.so
account sufficient /lib/security/pam_krb5afs.so
password sufficient /lib/security/pam_krb5afs.so
pam_krb5afs.so is designed to allow smooth integration of Kerberos 5 password- checking
with applications built using PAM. It also supports session-specific ticket files (which
are neater), Kerberos IV ticket file grabbing, and AFS token-grabbing. Its main use is as
an authentication module, but it also supplies the same functions as a session-management
module to better support poorly-written applications, and a couple of other workarounds as
well. It also supports account management and password-changing.
When a user logs in, the module's authentication function performs a simple password check
and, if possible, obtains Kerberos 5 and Kerberos IV credentials, caching them for later
use. When the application requests initialization of credentials (or opens a session),
the usual ticket files are created and AFS tokens are obtained. When the application sub-
sequently requests deletion of credentials or closing of the session, the module destroys
the tokens for the current PAG and deletes the ticket files.
Some applications (notably, wu-ftpd, wu-imapd, and Samba) neither create credentials nor
open sessions. For these applications, it's best to use the tokens option to force token-
grabbing during the password check, which is usually the right thing to do for these
debug turns on debugging via syslog(3). Debugging messages are logged with priority
tells pam_krb5afs.so to obtain credentials without address lists. This may be nec-
essary if your network uses NAT, and should otherwise not be used.
tells pam_krb5afs.so to obtain credentials using the address of the given host in
addition to the addresses of interfaces on the local workstation. For example, if
your workstation is behind a masquerading firewall, specifying the firewall's out-
ward-facing address here should allow Kerberos authentication to succeed.
tells pam_krb5afs.so to obtain tokens for users in the given cell when they log in.
The default is the current realm name converted to lower case.
tells pam_krb5afs.so how to identify itself when users attempt to change their pass-
tells pam_krb5afs.so which directory to use for storing credential caches.
tells pam_krb5afs.so that credentials it obtains should be forwardable.
tells pam_krb5afs.so the location of a keytab to use when validating credentials
obtained from KDCs.
tells pam_krb5afs.so to obtain Kerberos IV credentials for users, in addition to Ker-
beros 5 credentials.
tells pam_krb5afs.so to ignore authentication attempts by users with UIDs below the
tells pam_krb5afs.so to not check if a user exists on the local system, and to create
ccache files owned by the current process's UID. This is useful for situations where
a non-privileged server process needs to use Kerberized services on behalf of remote
users who may not have local access. Note that such a server should have an
encrypted connection with its client in order to avoid allowing the user's password
to be eavesdropped.
tells pam_krb5afs.so that credentials it obtains should be proxiable.
overrides the default realm set in /etc/krb5.conf, which pam_krb5afs.so will attempt
to authenticate users to.
sets the default renewable lifetime for credentials.
tells pam_krb5afs.so to retain the ticket after the session has been closed.
tells pam_krb5afs.so to not bother checking a password that has been set by a module
listed earlier in the stack. This option is included mainly for completeness.
sets the default lifetime for credentials.
tells pam_krb5afs.so to get AFS tokens for the user immediately if the password check
succeeds. This is necessary for some programs that never open sessions or attempt to
initialize credentials (PAM's credentials, not Kerberos's). If you have a server app
that requires access to the user's file space, you might need this.
tells pam_krb5afs.so to check the password as with use_first_pass, but to prompt the
user for another one if the previously-entered one fails. This is the default mode of
tells pam_krb5afs.so to get the user's entered password as it was stored by a module
listed earlier in the stack, usually pam_unix or pam_pwdb, instead of prompting the
user for it.
tells pam_krb5afs.so to never prompt for passwords when changing passwords. This is
useful if you are using pam_cracklib.so to try to enforce use of less-easy-to-guess
tells pam_krb5afs.so to verify that the TGT obtained from the realm's servers has not
Probably, but let's hope not. If you find any, please email the author.
Nalin Dahyabhai <firstname.lastname@example.org>
Red Hat Linux 2002/02/15 pam_krb5afs(8)