FreeBSD Manual Pages


pam_krb5(5)		 System	Administrator's	Manual		   pam_krb5(5)

NAME
       pam_krb5 - Kerberos 5 authentication

DESCRIPTION
       pam_krb5 reads its configuration information from the appdefaults
       section of krb5.conf(5).  You should read the krb5.conf(5) man page
       before continuing here.  The module expects its configuration
       information to be in the pam subsection of the appdefaults section.

       Directives which take a true, false, or a PAM service name can also be
       selectively disabled for specific PAM services using the related "no_"
       option (exceptions to "debug = true" can be made using "no_debug", for
       example).

       debug = true|false|service [...]
	      turns  on	 debugging  via	 syslog(3).  Debug messages are	logged
	      with priority LOG_DEBUG.

       debug_sensitive = true|false|service [...]
	      turns on debugging of sensitive information via syslog(3).   De-
	      bug messages are logged with priority LOG_DEBUG.

       always_allow_localname =	true|false|service [...]
	      tells pam_krb5, when performing an authorization check using
	      the target user's	.k5login file, to always allow access when the
	      principal	name being authenticated maps to the local user's name
	      (as configured using the auth_to_local_names  and	 auth_to_local
	      settings	in krb5.conf(5), if your implementation	provides those
	      settings).  Otherwise, if	the file exists	and can	be  read,  but
	      the  principal is	not explicitly listed, access is typically de-
	      nied.  This setting is disabled by default.

       banner =	Kerberos 5
	      specifies	what sort of password the module claims	to be changing
	      whenever	it is called upon to change passwords.	The default is
	      Kerberos 5.

       ccache_dir = /var/tmp
	      specifies	the directory  in  which  to  place  credential	 cache
	      files.  The default is /tmp.

       ccname_template = KEYRING:krb5cc_%U_%P

       ccname_template = FILE:%d/krb5cc_%U_XXXXXX
	      specifies	the location in	which to place the user's session-spe-
	      cific credential cache.  This value is treated  as  a  template,
	      and these	sequences are substituted:
		%u login name
		%U login UID
		%p principal name
		%r principal's realm name
		%h home	directory
		%d the default ccache directory	(as set	with ccache_dir)
		%P the current process ID
		%% literal '%'

	      If  the  resulting template does not end with "XXXXXX", a	suffix
	      will  be	added  to  the	configured  value.   The  default   is

       chpw_prompt = true|false|service	[...]
	      tells pam_krb5 to allow expired passwords to be changed during
	      authentication attempts.  While this is the traditional behavior
	      exhibited by "kinit", it is inconsistent with the behavior
	      expected by PAM, which expects authentication to (appear to)
	      succeed, only to have password expiration be flagged by a
	      subsequent call to the account management function.  Some
	      applications which don't handle password expiration correctly
	      will fail unconditionally if the user's password is expired, and
	      this flag can be used to attempt to work around this bug in
	      those applications.  The default is false.

       cred_session=true|false|service [...]
	      specifies	that pam_krb5 should  create  and  destroy  credential
	      caches, as it does when the calling application opens and	closes
	      a	PAM session, when  the	calling	 application  establishes  and
	      deletes  PAM credentials.	 This is done to compensate for	appli-
	      cations which expect to create  a	 credential  cache  but	 which
	      don't  use PAM session management.  It is	usually	a harmless re-
	      dundancy in applications which don't require it, so this	option
	      is enabled by default except for this list of services: "sshd".

       external	= true|false|sshd ftp [...]
	      tells pam_krb5 to use Kerberos credentials provided by the
	      calling  application  during  session  setup.   The  default  is

       ignore_k5login=true|false|service [...]
	      specifies whether or not pam_krb5 should skip checking the
	      user's .k5login file to verify that the principal	 name  of  the
	      client  being authenticated is authorized	to access the user ac-
	      count.  (Actually, the check is performed	by a function  offered
	      by the Kerberos library, which controls which files it will con-
	      sult.)  The default is false, which causes pam_krb5  to  perform
	      the check.

       ignore_unknown_principals=true|false|service [...]

       ignore_unknown_spn=true|false|service [...]

       ignore_unknown_upn=true|false|service [...]
	      specifies whether or not pam_krb5 should return a PAM_IGNORE
	      code to libpam instead of	PAM_USER_UNKNOWN for  users  for  whom
	      the determined principal name is expired or does not exist.

       initial_prompt=true|false|service [...]
	      tells pam_krb5 whether or not to ask for a password before
	      attempting authentication.  If one is needed and pam_krb5 has
	      not prompted for it, the Kerberos library should trigger a
	      request for a password.

       keytab =	FILE:/etc/krb5.keytab

       keytab =	FILE:/etc/krb5.keytab imap=FILE:/etc/imap.keytab
	      specifies	the name of a keytab file to search for	a service  key
	      for  use in validating TGTs.  The	location can be	specified on a
	      per-service basis	by specifying a	list of	locations in the  form
	      pam_service=location.  The default is FILE:/etc/krb5.keytab.
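       The following Python is an added example (not pam_krb5 or libkrb5
       code) that models two rules stated on this page: how a true|false|
       service [...] directive and its "no_" exception list are resolved
       for one PAM service, and how the per-service "pam_service=location"
       form of keytab is resolved.  It assumes the pam subsection has been
       parsed into a flat name-to-value dict; the minimal parser and the
       krb5.conf fragment it is fed are constructed for the example.

```python
from typing import Dict

# Added example: a model of the option semantics documented in pam_krb5(5),
# not pam_krb5 or libkrb5 source.  The parser below handles only flat
# "name = value" lines of an appdefaults pam = { ... } block (an assumption
# sufficient for the directives on this page; real krb5.conf parsing is richer).

# Constructed krb5.conf fragment used as sample input.
CONSTRUCTED_PAM_BLOCK = """
pam = {
  # debug everywhere except for sshd
  debug = true
  no_debug = sshd
  # trust the credentials sshd already obtained itself
  external = sshd
  keytab = FILE:/etc/krb5.keytab imap=FILE:/etc/imap.keytab
}
"""


def parse_pam_block(text: str) -> Dict[str, str]:
    """Turn the lines of a pam = { ... } block into a name -> value dict."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comment lines
        if not line or line.endswith("{") or line == "}":
            continue                              # skip the braces
        name, sep, value = line.partition("=")    # split on the first '=' only:
        if sep:                                   # the value may contain '='
            conf[name.strip()] = value.strip()
    return conf


def _applies(value: str, service: str) -> bool:
    """true -> every service, false -> none, otherwise a list of services."""
    toks = value.split()
    if toks == ["true"]:
        return True
    if not toks or toks == ["false"]:
        return False
    return service in toks


def directive_enabled(conf: Dict[str, str], name: str, service: str,
                      default: bool = False) -> bool:
    """Effective value of a true|false|service [...] directive for one service.

    A matching "no_<name>" entry wins over <name>, which is the documented way
    to carve exceptions out of e.g. "debug = true".  `default` is the value
    the man page gives for a directive that is absent from the file.
    """
    if "no_" + name in conf and _applies(conf["no_" + name], service):
        return False
    if name in conf:
        return _applies(conf[name], service)
    return default


def keytab_for_service(conf: Dict[str, str], service: str,
                       default: str = "FILE:/etc/krb5.keytab") -> str:
    """Resolve 'keytab = LOCATION [pam_service=LOCATION ...]' for one service.

    A bare token is the fallback for every service; "svc=LOCATION" tokens
    apply only to that PAM service.  Each token is split on its first '=',
    so a keytab path itself must not contain '='.
    """
    if "keytab" not in conf:
        return default
    generic = default
    for tok in conf["keytab"].split():
        svc, sep, location = tok.partition("=")
        if sep and svc == service:
            return location
        if not sep:
            generic = tok
    return generic


def effective_settings(conf: Dict[str, str], service: str) -> Dict[str, object]:
    """Summarise the settings a given PAM service would actually get."""
    return {
        "debug": directive_enabled(conf, "debug", service),
        "external": directive_enabled(conf, "external", service),
        "validate": directive_enabled(conf, "validate", service, default=True),
        "keytab": keytab_for_service(conf, service),
    }


if __name__ == "__main__":
    conf = parse_pam_block(CONSTRUCTED_PAM_BLOCK)
    for svc in ("sshd", "imap", "login"):
        print(svc, effective_settings(conf, svc))
```

       Running it shows sshd with debug off and external on, imap reading
       its service key from /etc/imap.keytab, and login getting the
       defaults; the same resolver can be pointed at a copied-out pam block
       to check what a given service will get before rolling a change out.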

       mappings	= regex1 regex2	[...]
	      specifies	 that pam_krb5 should derive the user's	principal name
	      from the Unix user name by  first	 checking  if  the  user  name
	      matches  regex1,	and formulating	a principal name using regex2.
	      For example, "mappings = ^EXAMPLE\\(.*)$	$1@EXAMPLE.COM"	 would
	      map  any	user  with  a name of the form "EXAMPLE\whatever" to a
	      principal	name of	 "whatever@EXAMPLE.COM".   This	 is  primarily
	      targeted	at  allowing pam_krb5 to be used to authenticate users
	      whose user information is	provided by  winbindd(8).   This  will
	      frequently require the reverse to	be configured by setting up an
	      auth_to_local rule elsewhere in krb5.conf(5).
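       The Python below is an added example, not pam_krb5 source, that
       models the mappings directive described above.  It assumes the
       regex/template pairs are tried in order, that the first regex
       matching the Unix user name wins, that "$1".."$9" in the template
       refer to that regex's capture groups, and that a user matched by no
       pair falls back to user@DEFAULT_REALM.  The directive value and the
       user names are constructed; the second mapping pair is an extra
       illustration beyond the man page's EXAMPLE\whatever case.

```python
import re
from typing import List, Tuple

# Added example modelling the documented "mappings = regex1 regex2 [...]"
# directive; not pam_krb5 source.  Assumptions: pairs are tried in order,
# the first matching regex wins, "$N" in the template is capture group N of
# that regex, and an unmatched user becomes user@default_realm.

# Constructed directive value as it would appear in the pam subsection.
# The doubled backslash is how a literal backslash is written in the regex.
CONSTRUCTED_MAPPINGS = (
    r"^EXAMPLE\\(.*)$ $1@EXAMPLE.COM "
    r"^corp-([a-z]+)$ $1@CORP.EXAMPLE.COM"
)


def parse_mappings(value: str) -> List[Tuple[re.Pattern, str]]:
    """Split the directive into (compiled regex, principal template) pairs."""
    toks = value.split()
    if len(toks) % 2:
        raise ValueError("mappings needs regex/template pairs (even token count)")
    return [(re.compile(toks[i]), toks[i + 1]) for i in range(0, len(toks), 2)]


def map_user_to_principal(user: str, mappings: List[Tuple[re.Pattern, str]],
                          default_realm: str) -> str:
    """Derive the principal name pam_krb5 would authenticate for `user`."""
    for pattern, template in mappings:
        m = pattern.search(user)
        if m is None:
            continue
        try:
            # Replace each $N with the N-th capture group of the matching regex.
            return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), template)
        except IndexError:
            raise ValueError(f"template {template!r} refers to a group "
                             f"that {pattern.pattern!r} does not capture")
    return f"{user}@{default_realm}"


def unanchored_patterns(mappings: List[Tuple[re.Pattern, str]]) -> List[str]:
    """Flag regexes not anchored with both ^ and $.

    With substring matching, an unanchored pattern would also map user
    names that merely contain the prefix (e.g. "notEXAMPLE\\x"), which is
    why the man page's own example pins both ends of the name.
    """
    return [p.pattern for p, _ in mappings
            if not (p.pattern.startswith("^") and p.pattern.endswith("$"))]


if __name__ == "__main__":
    maps = parse_mappings(CONSTRUCTED_MAPPINGS)
    for name in ("EXAMPLE\\whatever", "corp-bob", "alice"):
        print(name, "->", map_user_to_principal(name, maps, "LOCAL.REALM"))
    print("unanchored:", unanchored_patterns(maps))
```

       The reverse direction (principal back to local account) is a
       separate auth_to_local rule in krb5.conf(5) and is not modelled
       here.  unanchored_patterns() is the review check worth running on
       any mappings line: a pattern without ^ and $ can hand an unintended
       account a principal in a realm you trust.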

       minimum_uid = 0
	      specifies	the minimum UID	of users being	authenticated.	 If  a
	      user  with  a  UID less than this	value attempts authentication,
	      the request will be ignored.

       multiple_ccaches=true|false|service [...]
	      specifies	that  pam_krb5	should	maintain  multiple  credential
	      caches for applications that both	set credentials	and open a PAM
	      session, but which set the KRB5CCNAME variable after doing  only
	      one of the two.  This option is usually not necessary for most
	      applications.

       pkinit_flags = 0
	      controls the flags value which pam_krb5 passes to	 libkrb5  when
	      setting up PKINIT parameters.  This is useful mainly for debugging.

       pkinit_identity =
	      controls where pam_krb5 instructs	 libkrb5  to  search  for  the
	      user's  private  key  and	certificate, so	that the client	can be
	      authenticated using PKINIT, if the KDC supports it.  This	 value
	      is treated as a template,	and these sequences are	substituted:
		%u login name
		%U login UID
		%p principal name
		%r principal's realm name
		%h home	directory
		%d the default ccache directory	(as set	with ccache_dir)
		%P the current process ID
		%% literal '%'
	      Other  PKINIT-specific  defaults,	such as	the locations of trust
	      anchors, can be set in krb5.conf(5).
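       Both ccname_template (above) and pkinit_identity use the same
       %-sequence expansion, so one added Python example serves both; it is
       not pam_krb5 source.  It assumes an unknown %-sequence is left
       verbatim and that the suffix added to a ccname that does not already
       end in "XXXXXX" is "_XXXXXX" (the man page only says "a suffix").
       The user record and templates are constructed.

```python
from typing import Dict

# Added example of the %-sequence expansion documented for ccname_template
# and pkinit_identity; not pam_krb5 source.  Assumptions: unknown %x stays
# verbatim; the suffix forced onto a ccname lacking XXXXXX is "_XXXXXX".

# Constructed user record: one value per documented sequence.
CONSTRUCTED_USER = {
    "u": "alice",                 # login name
    "U": "1000",                  # login UID
    "p": "alice@EXAMPLE.COM",     # principal name
    "r": "EXAMPLE.COM",           # principal's realm name
    "h": "/home/alice",           # home directory
    "d": "/tmp",                  # default ccache directory (ccache_dir)
    "P": "4242",                  # current process ID
}


def expand_template(template: str, fields: Dict[str, str]) -> str:
    """Substitute %u %U %p %r %h %d %P and %% in a template string."""
    out = []
    i = 0
    while i < len(template):
        ch = template[i]
        if ch == "%" and i + 1 < len(template):
            key = template[i + 1]
            if key == "%":                # "%%" is a literal percent sign
                out.append("%")
                i += 2
                continue
            if key in fields:
                out.append(fields[key])
                i += 2
                continue
        out.append(ch)                    # ordinary character or unknown %x
        i += 1
    return "".join(out)


def ccname_from_template(template: str, fields: Dict[str, str]) -> str:
    """Session ccache name: expanded template, forced to end in XXXXXX.

    XXXXXX is the placeholder mkstemp(3) replaces with random characters, so
    a FILE: ccache ends up with a name another local user cannot predict
    and pre-create or symlink into place (assumption about the intent; the
    man page itself only states the suffix rule).
    """
    name = expand_template(template, fields)
    if not name.endswith("XXXXXX"):
        name += "_XXXXXX"
    return name


if __name__ == "__main__":
    print(ccname_from_template("FILE:%d/krb5cc_%U_XXXXXX", CONSTRUCTED_USER))
    print(ccname_from_template("FILE:%h/.krb5cc", CONSTRUCTED_USER))
    print(expand_template("KEYRING:krb5cc_%U_%P", CONSTRUCTED_USER))
    print(expand_template("FILE:%h/.pki/%u.crt,%h/.pki/%u.key", CONSTRUCTED_USER))
```

       The last template is a pkinit_identity value in libkrb5's
       FILE:certfile,keyfile form; the %h/%u expansion is what lets one
       krb5.conf line point every user at a key under their own home
       directory rather than at a shared path.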

       pwhelp =	filename
	      specifies	the name of a text file	whose contents	will  be  dis-
	      played  to clients who attempt to	change their passwords.	 There
	      is no default.

       subsequent_prompt = true|false|service [...]
	      controls whether or not pam_krb5 will allow the Kerberos library
	      to ask the user for a password or other information, if
	      the previously-entered password is somehow insufficient for  au-
	      thenticating  the	user.  This is commonly	needed to allow	a user
	      to log in	when that user's password has expired.	The default is
	      false during password changes, and true otherwise.

	      If the calling application does not properly support PAM conver-
	      sations (possibly	due to limitations of a	network	protocol which
	      it is serving), this may need to be disabled for that
	      application to prevent it from supplying the user's current
	      password in a password-changing situation when a new password is
	      called for.

       use_shmem = true|false|service [...]
	      tells pam_krb5 to pass credentials from the authentication
	      service  function	to the session management service function us-
	      ing shared memory	for specific services.	By default, the	module
	      is configured with "use_shmem = sshd".

       validate	= true|false|service [...]
	      specifies	 whether or not	to attempt validation of the TGT using
	      the local keytab.  The default is true.  The libdefaults setting
	      verify_ap_req_nofail can affect whether or not errors reading
	      the keytab which are encountered during validation will be
	      treated as fatal.

       validate_user_user = true|false|service [...]
	      specifies	whether	or not,	when attempting	validation of the TGT,
	      to attempt user-to-user authentication using a previously
	      obtained TGT in the default ccache if validation can't be
	      performed using a keytab.  The default is false.

EXAMPLES
	 pam = {
	   validate = true
	   ccache_dir = /var/tmp
	   external = sshd
	   tokens = imap ftpd
	   debug = true
	   keytab = FILE:/etc/krb5.keytab httpd=FILE:/etc/httpd.keytab
	 }



BUGS
       Probably, but let's hope not.  If you find any, please file them in the
       bug database against the "pam_krb5" component.

AUTHOR
       Nalin Dahyabhai

Red Hat	Linux			  2014/02/11			   pam_krb5(5)

