GNU/Linux man pages
Livre :
Expressions régulières,
Syntaxe et mise en oeuvre :
GNU/Linux |
CentOS 2.1AS(Slurm) |
|
 |
pam_krb5(8) |
 |
pam_krb5 − Kerberos 5 authentication
auth
required /lib/security/pam_krb5.so
session optional /lib/security/pam_krb5.so
pam_krb5.so is designed to allow smooth integration of Kerberos 5 password- checking with applications built using PAM. It also supports session-specific ticket files (which are neater) and Kerberos IV ticket file grabbing. Its main use is as an authentication module, but it also supplies the same functions as a session-management module to better support poorly-written applications, and a couple of other workarounds as well.
When a user logs in, the module’s authentication function performs a simple password check and, if possible, obtains Kerberos 5 and Kerberos IV credentials, caching them for later use. When the application requests initialization of credentials (or opens a session), the usual ticket files are created. When the application subsequently requests deletion of credentials or closing of the session, the module deletes the ticket files.
Some applications (notably, wu-ftpd, wu-imapd, and Samba) neither create credentials nor open sessions. For these applications, it’s best to use the tokens option to force token-grabbing during the password check, which is usually the right thing to do for these server apps.
|
debug |
turns on debugging via syslog(3). Debugging messages are logged with priority LOG_DEBUG. |
addressless
tells pam_krb5.so to obtain credentials without address lists. This may be necessary if your network uses NAT, and should otherwise not be used.
hosts=host
tells pam_krb5.so to obtain credentials using the address of the given host in addition to the addresses of interfaces on the local workstation. For example, if your workstation is behind a masquerading firewall, specifying the firewall’s outward-facing address here should allow Kerberos authentication to succeed.
banner=Kerberos
tells pam_krb5.so how to identify itself when users attempt to change their passwords.
ccache_dir=/tmp
tells pam_krb5.so which directory to use for storing credential caches.
forwardable
tells pam_krb5.so that credentials it obtains should be forwardable.
keytab=/etc/krb5.keytab
tells pam_krb5.so the location of a keytab to use when validating credentials obtained from KDCs.
krb4_convert
tells pam_krb5.so to obtain Kerberos IV credentials for users, in addition to Kerberos 5 credentials.
minimum_uid=0
tells pam_krb5.so to ignore authentication attempts by users with UIDs below the specified number.
no_user_check
tells pam_krb5.so to not check if a user exists on the local system, and to create ccache files owned by the current process’s UID. This is useful for situations where a non-privileged server process needs to use Kerberized services on behalf of remote users who may not have local access. Note that such a server should have an encrypted connection with its client in order to avoid allowing the user’s password to be eavesdropped.
proxiable
tells pam_krb5.so that credentials it obtains should be proxiable.
realm=realm
overrides the default realm set in /etc/krb5.conf, which pam_krb5.so will attempt to authenticate users to.
renew_lifetime=36000
sets the default renewable lifetime for credentials.
skip_first_pass
tells pam_krb5.so to not bother checking a password that has been set by a module listed earlier in the stack. This option is included mainly for completeness.
ticket_lifetime=36000
sets the default lifetime for credentials.
try_first_pass
tells pam_krb5.so to check the password as with use_first_pass, but to prompt the user for another one if the previously-entered one fails. This is the default mode of operation.
use_first_pass
tells pam_krb5.so to get the user’s entered password as it was stored by a module listed earlier in the stack, usually pam_unix or pam_pwdb, instead of prompting the user for it.
use_authtok
tells pam_krb5.so to never prompt for passwords when changing passwords. This is useful if you are using pam_cracklib.so to try to enforce use of less-easy-to-guess passwords.
validate
tells pam_krb5.so to verify that the TGT obtained from the realm’s servers has not been spoofed.
/etc/krb5.conf
pam_krb5(5)
Probably, but let’s hope not. If you find any, please email the author.
Nalin Dahyabhai <nalin@redhat.com>
|
pam_krb5(8) | |