pam_krb5 (8) ( FreeBSD man: Команды системного администрирования )
pam_krb5 (8) ( Linux man: Команды системного администрирования )
NAME
pam_krb5 - Kerberos 5 authentication
DESCRIPTION
pam_krb5.so reads its configuration information from the appdefaults
section of krb5.conf(5). You should read the krb5.conf(5) man page
before continuing here. The module expects its configuration information to be
in the pam subsection of the appdefaults section.
DIRECTIVES
debug=[true|false]
turns on debugging via syslog(3). Debug messages are logged with
priority LOG_DEBUG.
debug_sensitive=[true|false]
turns on debugging of sensitive information via syslog(3). Debug
messages are logged with priority LOG_DEBUG.
addressless=[true|false]
if set, requests a TGT with no address information. This can be necessary
if you are using Kerberos through a NAT, or on systems whose IP addresses change
regularly. This directive is deprecated in favor of the libdefaultsnoaddresses directive.
afs_cells=cell1.example.com cell2.example.com
tells pam_krb5.so to obtain tokens for cell1.example.com and
cell2.example.com, in addition to the local cell and the cell which
contains the user's home directory, for the user.
The module will guess the principal name of the AFS
service for the listed cells, or it can be specified by listing cells
in the form cellname=principalname.
banner=Kerberos 5
specifies what sort of password the module claims to be changing whenever it is
called upon to change passwords. The default is Kerberos 5.
ccache_dir=/tmp
specifies the directory in which to place credential cache files.
existing_ticket=true
tells pam_krb5.so to accept the presence of pre-existing Kerberos credentials
provided by the calling application in the default credential cache as
sufficient to authenticate the user, and to skip any account management checks.
DANGER! Unless validation is also in use, it is relatively easy to produce a
credential cache which looks "good enough" to fool pam_krb5.so.
external=true
external=sshd ftp
tells pam_krb5.so to use Kerberos credentials provided by the calling
application during session setup.
This is most often useful for obtaining
AFS tokens or a
krb4 ticket.
forwardable=[true|false]
controls whether or not credentials are forwardable.
This directive is deprecated in favor of the libdefaultsforwardable directive.
hosts=hostnames
specifies which other hosts credentials obtained by pam_krb5 will be good on.
If your host is behind a firewall, you should add the IP address or name that
the KDC sees it as to this list.
This directive is deprecated in favor of the libdefaultsextra_addresses directive.
ignore_afs=[true|false]
tells pam_krb5.so to completely ignore the presence of AFS, preventing
any attempts to obtain new tokens on behalf of the calling application.
ignore_unknown_principals=[true|false]
ignore_unknown_spn=[true|false]
ignore_unknown_upn=[true|false]
specifies which other not pam_krb5 should return a PAM_IGNORE code to libpam
instead of PAM_USER_UNKNOWN for users for whom the determined principal name
is expired or does not exist.
initial_prompt=[true|false]
tells pam_krb5.so whether or not to ask for a password before attempting
authentication. If one is needed and pam_krb5.so has not prompted for it, the
Kerberos library should trigger a request for a password.
keytab=FILE:/etc/krb5.keytab
specifies the name of a keytab file to search for a service key
for use in validating TGTs.
krb4_convert=[true|false]
controls whether or not pam_krb5 tries to get Kerberos IV credentials
from the KDC (or using the krb524d service on the KDC) and
create ticket files with them. Unless you've converted
everything on your network over to use Kerberos 5, you'll want
to leave this set to true. Note that this may require valid
Kerberos IV configuration data to be present in /etc/krb.conf
and /etc/krb.realms. This option is poorly named.
This option is forced to true if AFS is detected.
krb4_convert_524=[true|false]
controls whether or not pam_krb5 tries to get Kerberos IV credentials
using the krb524d service. This option modifies the
krb4_convert option. If disabled, pam_krb5 will only attempt
to obtain Kerberos IV credentials using the KDC
(unless the krb4_use_as_req option is also disabled).
krb4_use_as_req=[true|false]
controls whether or not pam_krb5 tries to get Kerberos IV credentials
using the KDC. This option modifies the
krb4_convert option. If disabled, pam_krb5 will only attempt
to obtain Kerberos IV credentials using the krb524d service
(unless the krb4_convert_524 option is also disabled).
mappings=[regex1 regex2]
specifies that pam_krb5 should derive the user's principal name from the Unix
user name by first checking if the user name matches regex1, and
formulating a principal name using regex2. For example,
"mappings = EXAMPLE\(.*) $1@EXAMPLE.COM"
would map any user with a name of the form "EXAMPLE\whatever" to a principal
name of "whatever@EXAMPLE.COM". This is primarily targeted at allowing
pam_krb5 to be used to authenticate users whose user information is provided by
winbindd(8). This will frequently require the reverse to be configured by
setting up an auth_to_local rule elsewhere in krb5.conf(5).
minimum_uid=0
specifies the minimum UID of users being authenticated. If a user with a UID
less than this value attempts authentication, the request will be ignored.
proxiable=[true|false]
controls whether or not credentials are proxiable. If not specified, they
are.
This directive is deprecated in favor of the libdefaultsproxiable directive.
pwhelp=
specifies the name of a text file whose contents will be displayed to
clients who attempt to change their passwords. There is no default.
renew_lifetime=36000
default renewable lifetime. This specifies how much time you have after
getting credentials to renew them.
This directive is deprecated in favor of the libdefaultsrenew_lifetime directive.
subsequent_prompt=[true|false]
controls whether or not pam_krb5.so will allow the Kerberos library to ask
the user for a password or other information, if the previously-entered
password is somehow insufficient for authenticating the user.
ticket_lifetime=36000
default credential lifetime.
tokens=[true|false]
tokens=imap ftp
signals that pam_krb5.so should create an AFS PAG and obtain tokens
during authentication in addition to session setup. This is primarily
useful in server applications which need to access a user's files but
which do not open PAM sessions before doing so.
use_shmem=true
use_shmem=sshdftp
tells pam_krb5.so to pass credentials from the authentication service function
to the session management service function using shared memory for specific
services.
validate=[true|false]
validate=login sshd
specifies whether or not to attempt validation of the TGT. The default is
false.
