PAM_KRB5(8)                 System Manager's Manual                 PAM_KRB5(8)

NAME
     pam_krb5 — Kerberos 5 PAM module
DESCRIPTION
   Kerberos 5 Authentication Module
     The Kerberos 5 authentication component provides functions to verify
     the identity of a user (pam_sm_authenticate()) and to set user specific
     credentials (pam_sm_setcred()).

     pam_sm_authenticate() converts the supplied username into a Kerberos
     principal, by appending the default local realm name. It also supports
     usernames with explicit realm names. If a realm name is supplied, then
     upon a successful return, it changes the username by mapping the
     principal name into a local username (calling
     krb5_aname_to_localname()). This typically just means the realm name is
     stripped.

     It prompts the user for a password and obtains a new Kerberos TGT for
     the principal. The TGT is verified by obtaining a service ticket for the
     local host.

     When prompting for the current password, the authentication module will
     use the prompt “Password for <principal>:”.

     The pam_sm_setcred() function stores the newly acquired credentials in a
     credentials cache, and sets the environment variable KRB5CCNAME
     appropriately. The credentials cache should be destroyed by the user at
     logout with kdestroy(1).
     The following options may be passed to the authentication module:

     debug           Log debugging information at LOG_DEBUG level.

     no_warn         Suppress warning messages to the user.

     use_first_pass  Use the password already obtained by a previous module
                     in the stack. If that password fails, the module returns
                     failure without prompting the user for another password.

     try_first_pass  This option is similar to the use_first_pass option,
                     except that if the previously obtained password fails,
                     the user is prompted for another password.

     renewable=timeperiod
                     Obtain renewable Kerberos credentials for the user, with
                     timeperiod as the renewable lifetime.

     forwardable     Obtain forwardable Kerberos credentials for the user.

     no_ccache       Do not store the obtained credentials in a credentials
                     cache.

     ccache=name     Use name as the credentials cache. The special tokens
                     ‘%u’, to designate the decimal UID of the user; and ‘%p’,
                     to designate the current process ID; can be used in
                     name.

     allow_kdc_spoof Allow pam_krb5 to succeed even if there is no host or
                     service key available in a keytab to authenticate the
                     Kerberos KDC's ticket. Without this option, if there is
                     no such key, for example on a host with no keytabs,
                     pam_krb5 will fail immediately without prompting the
                     user.

                     Warning: If the host has not been configured with a
                     keytab from the KDC, setting this option makes it
                     vulnerable to malicious KDCs, e.g. via DNS flooding,
                     because pam_krb5 has no way to distinguish the
                     legitimate KDC from a spoofed KDC.
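     As an added example (not from the pam_krb5 manual or the NetBSD
     project), the following POSIX shell audit lists active pam_krb5 lines
     that carry allow_kdc_spoof and reports RISK when the host also lacks a
     non-empty keytab, which is exactly the combination the warning above
     describes. The configuration lines and the keytab path it uses are
     constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of pam_krb5(8): audit a pam.d-style file for
# pam_krb5 lines that set allow_kdc_spoof, and check whether the host has a
# keytab with which pam_krb5 could verify the KDC's ticket.
# Sample configuration and keytab path below are constructed.

# Print each active (non-comment) pam_krb5 line that carries allow_kdc_spoof.
list_kdc_spoof() {
    while IFS= read -r line; do
        case "$line" in
            "#"*|"") continue ;;                      # comments and blanks
            *pam_krb5*allow_kdc_spoof*) printf '%s\n' "$line" ;;
        esac
    done < "$1"
}

# Print the number of such lines (0 means the option is not in use).
count_kdc_spoof() {
    list_kdc_spoof "$1" | wc -l | tr -d ' '
}

# Succeed only if the keytab exists and is non-empty; without it pam_krb5
# cannot tell a legitimate KDC from a spoofed one.
keytab_present() {
    [ -s "$1" ]
}

# "ok" when allow_kdc_spoof is unused or a keytab is present,
# "RISK" when the option is active on a host with no usable keytab.
verdict() {
    if [ "$(count_kdc_spoof "$1")" -gt 0 ] && ! keytab_present "$2"; then
        echo RISK
    else
        echo ok
    fi
}

# Constructed sample: one line tolerates an unverified KDC, one does not,
# and a commented-out line must not count.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
# constructed /etc/pam.d/sshd style lines
auth  sufficient  pam_krb5.so  try_first_pass allow_kdc_spoof
auth  sufficient  pam_krb5.so  try_first_pass forwardable ccache=FILE:/tmp/krb5cc_%u_%p
# auth sufficient pam_krb5.so allow_kdc_spoof   (inactive)
EOF
NO_KEYTAB=/nonexistent/krb5.keytab    # constructed: host without a keytab

list_kdc_spoof "$SAMPLE_CONF"
echo "allow_kdc_spoof lines: $(count_kdc_spoof "$SAMPLE_CONF")"
echo "verdict: $(verdict "$SAMPLE_CONF" "$NO_KEYTAB")"
```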
   Kerberos 5 Account Management Module
     The Kerberos 5 account management component provides a function to
     perform account management, pam_sm_acct_mgmt(). The function verifies
     that the authenticated principal is allowed to login to the local user
     account by calling krb5_kuserok() (which checks the user's .k5login
     file).
   Kerberos 5 Password Management Module
     The Kerberos 5 password management component provides a function to
     change passwords (pam_sm_chauthtok()). The username supplied (the user
     running the passwd(1) command, or the username given as an argument) is
     mapped into a Kerberos principal name, using the same technique as in
     the authentication module. Note that if a realm name was explicitly
     supplied during authentication, but not during a password change, the
     mapping done by the password management module may not result in the
     same principal as was used for authentication.

     Unlike when changing a UNIX password, the password management module
     will allow any user to change any principal's password (if the user
     knows the principal's old password, of course). Also unlike UNIX, root
     is always prompted for the principal's old password.

     The password management module uses the same heuristics as kpasswd(1)
     to determine how to contact the Kerberos password server.

     The following options may be passed to the password management module:

     debug           Log debugging information at LOG_DEBUG level.

     use_first_pass  Use the old and new passwords already obtained by a
                     previous module in the stack. If they fail, the module
                     returns failure without prompting the user.

     try_first_pass  This option is similar to the use_first_pass option,
                     except that if the previously obtained old or new
                     passwords fail, the user is prompted for them.

   Kerberos 5 Session Management Module
     The Kerberos 5 session management component provides functions to
     initiate (pam_sm_open_session()) and terminate (pam_sm_close_session())
     sessions. Since session management is not defined under Kerberos 5, both
     of these functions simply return success. They are provided only because
     of the naming conventions for PAM modules.
ENVIRONMENT
     KRB5CCNAME  Location of the credentials cache, set by pam_sm_setcred().
BUGS
     It is not possible to call pam_authenticate() more than once between
     calls to pam_start() and pam_end() when using the Kerberos 5 PAM module.
SECURITY CONSIDERATIONS
     The pam_krb5 module implements what is fundamentally a password
     authentication scheme. It does not use a Kerberos 5 exchange between
     client and server, but rather authenticates the password provided by the
     client against the Kerberos KDC. Therefore, care should be taken to only
     use this module over a secure session (secure TTY, encrypted session,
     etc.), otherwise the user's Kerberos 5 password could be compromised.
NetBSD 9.4                       March 10, 2007                       NetBSD 9.4