This repository has been archived by the owner on Feb 24, 2021. It is now read-only.
README
This is a major rewrite of pam_krb5afs. Call it 2.x, for lack of a better term.
o Compared to the earlier releases, this tree builds a single module which
"knows" how to do everything which is knowable at compile-time.
o Configuration options which can be set as library defaults in the
system-wide krb5.conf are now largely ignored by the module.
Standard options:
o debug
Log debugging messages at LOG_DEBUG priority.
o debug_sensitive
Even log passwords when logging debugging messages at LOG_DEBUG priority.
o no_warn
When authenticating, don't warn the user about an expired password.
o use_authtok
When changing passwords, never prompt for password data. Instead, use
data stored by a previously-called module.
o use_first_pass
When authenticating, never prompt for password data. Instead, use a
password which was stored by a previously-called module.
o try_first_pass
When authenticating, first try to authenticate using the password which
was stored by a previously-called module. If it fails, then prompt for
the correct password and try again.
Recognized options (krb5.conf's appdefaults/pam section, and command-line):
o always_allow_localname
Always allow the local user, as derived from the principal name being
authenticated, to access the account, even when not explicitly listed in
the .k5login file or its equivalent(s).
o armor
Attempt to use a secondary credential cache for armoring exchanges with
the KDC.
o armor_strategy
Override how the module attempts to obtain credentials for use as armor.
By default, the module supports these methods:
    keytab   Use the default or configured keytab to get a service's TGT.
    pkinit   Use anonymous PKINIT.
The default list of methods, and their order, is noted in the manual pages.
o banner=Kerberos
When changing passwords, tell users that they are changing their Kerberos
passwords (unset to avoid using any term other than "password").
o ccache_dir=/tmp
Directory in which to store ccache and ticket files.
o ccname_template=FILE:%d/krb5cc_%U_XXXXXX
Location of the user's v5 ccache files. If not configured, the module will
attempt to read the library's default.
o chpw_prompt
Allow expired passwords to be changed during authentication attempts. While
this is the traditional behavior exhibited by "kinit", it is inconsistent
with the behavior expected by PAM, which expects authentication to (appear to)
succeed and to have password expiration be flagged by the account management
function. Some applications which don't handle password expiration will fail
incorrectly if the user's password is correct but expired, and setting this
flag attempts to work around the bug.
o cred_session
Control whether or not pam_krb5 will create/remove credential caches when
the calling application initializes or deletes PAM credentials. The module
will do so when the application opens and closes the PAM session, and this
is usually harmless, so it is typically enabled by default.
o debug
debug = service1 service2
Log debug messages to syslog with priority LOG_DEBUG.
o external
external = service1 service2
Attempt to reuse credentials stored in a ccache pointed to by the KRB5CCNAME
variable in the PAM environment. This is mainly useful for situations where
the calling application authenticated the user using GSSAPI, the user
delegated credentials to the calling application, and you're using pam_krb5
to obtain a v4 Kerberos ticket via krb524, or AFS tokens. The calling
application MUST ensure that KRB5CCNAME points to a ccache which should be
used for the authenticating user. A default list of services can be set at
compile-time.
o ignore_afs
Disable the default behavior of attempting to obtain tokens for the local
AFS cell on behalf of clients.
o ignore_k5login
Disable additional authorization checks using the krb5_kuserok() function,
which typically checks the user's .k5login file.
o ignore_unknown_principals
ignore_unknown_spn
ignore_unknown_upn
Controls whether or not users with unknown principal names should trigger
a PAM_IGNORE error instead of a PAM_USER_UNKNOWN error.
o initial_prompt
Controls whether or not pam_krb5 should ask for the user's password, or let
libkrb5 do it as needed.
o keytab=/etc/krb5.keytab
Default keytab to use when validating initial credentials. Can be overridden
at configure-time.
o mappings = regex regex [regex regex...]
Specifies that pam_krb5 should derive the user's principal name from the Unix
user name by first checking if the user name matches the first regex, and
if it matches, formulating a principal name using the second regex. Multiple
pairs of regular expressions can be used.
For example,
mappings = ^EXAMPLE\\(.*)$ [email protected]
would map any user with a name of the form "EXAMPLE\whatever" to a principal
name of "[email protected]". This is primarily targeted at allowing
pam_krb5 to be used to authenticate users whose user information is provided
by winbindd.
Note that this will frequently require the reverse to be configured by
setting up an auth_to_local rule elsewhere in krb5.conf.
o minimum_uid=NUMBER
Minimum UID which the user must have before pam_krb5.so will attempt to
authenticate that user, otherwise it will ignore the user.
o multiple_ccaches
Specifies that pam_krb5 should maintain multiple credential caches for
the application, which sets credentials and opens a PAM session, but
sets the KRB5CCNAME variable after doing only one of the two. This
option is usually not necessary for most services, but the option is
provided as a workaround.
o no_validate
no_validate = service1 service2
Don't try to validate initial credentials.
o no_user_check
Go ahead and authenticate users for whom getpwnam() returns no information.
Credential cache and ticket files will be created and owned by the current
user and group ID instead of the user's.
o null_afs
Attempt to get credentials for AFS by guessing a service name of the form
afs@REALM first, and then one of the form afs/cell@REALM, rather than
proceeding in the opposite order.
o pkinit_identity=LOCATION (Heimdal-specific)
Specify the location of the user's private key and certificate information,
in the same format which would be passed to kinit as an argument for its
-C/--pk-user command-line option.
o pkinit_flags=NUMBER (Heimdal-specific)
Specify a flags value to pass to libkrb5, useful mainly for debugging.
o preauth_options=OPT=VAL[,...] (MIT-specific)
Specify arbitrary preauthentication options to pass to libkrb5, useful
mainly for debugging.
o realm=REALM
Override the default realm.
o subsequent_prompt
Controls whether or not pam_krb5 should just return the PAM_AUTHTOK when
libkrb5 requests that pam_krb5 get information from the user.
o tokens
tokens = service1 service2
Create a new AFS PAG and obtain AFS tokens during the authentication phase.
By default, tokens are obtained for the local cell (and the cell which
contains the user's home directory, if they're not the same).
o token_strategy
Override how the module attempts to get credentials and set AFS tokens.
By default, the module supports these methods:
    2b     Get krb5 credentials, and use the "2b" rxkad token format, which
           is only supported in OpenAFS 1.2.8 and later.
    rxk5   Get krb5 credentials, and use the rxk5 token format, which may be
           supported in OpenAFS 1.6 and later.
The default list of methods, and their order, is noted in the manual pages.
o trace
trace = service1 service2
Log libkrb5 trace messages to syslog with priority LOG_DEBUG, if the
Kerberos implementation provides a means to let pam_krb5 do so.
o use_shmem
use_shmem = service1 service2
Pass credentials from authentication to session management using shared
memory instead of PAM data items. This allows authentication and session
management to be performed in different processes, so long as the PAM
environment is correctly propagated from one to the other. A default list
of services can be set at compile-time.
o validate_user_user
validate_user_user = service1 service2
If validation fails due to permissions problems, attempt to validate initial
credentials using previously-obtained credentials in the default ccache.
Configuration file only:
o afs_cells = cell1 cell2 cell3 cell4=afs/[email protected]
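The following krb5.conf excerpt is an added illustration of how the options above are laid out in the appdefaults/pam section; it is not a sample file shipped with the module. It uses the two forms the README documents: plain "name = value" settings that apply to every PAM service, and "name = service1 service2" lists that apply only to the named services. The UID threshold, the realm EXAMPLE.COM and the service names (sshd, login) are constructed placeholders; the paths and the ccname template are the defaults quoted in the option list.

```ini
# /etc/krb5.conf excerpt (added example, not the project's own file).
# Values marked "constructed" are placeholders for this illustration.
[appdefaults]
    pam = {
        # Settings here apply to every PAM service that loads pam_krb5.so.
        minimum_uid = 1000                          # constructed: ignore system accounts below this UID
        realm = EXAMPLE.COM                         # constructed: override the library's default realm
        keytab = /etc/krb5.keytab                   # keytab used when validating initial credentials
        ccache_dir = /tmp
        ccname_template = FILE:%d/krb5cc_%U_XXXXXX
        banner = Kerberos
        ignore_afs = true                           # no local AFS cell on this host
        cred_session = true

        # Service-list options name the PAM services they apply to.
        debug = login                               # constructed: LOG_DEBUG output for "login" only
        external = sshd                             # constructed: reuse the ccache sshd sets in KRB5CCNAME
        use_shmem = sshd                            # auth and session run in different processes
    }
```

The same option names may also be appended to the module's line in a PAM stack file, for example `auth sufficient pam_krb5.so try_first_pass minimum_uid=1000`; the standard options (debug, no_warn, use_authtok, use_first_pass, try_first_pass) are only recognised on that command line, not in krb5.conf.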
This module is hosted on fedorahosted.org. For more information, point a
web browser at "http://fedorahosted.org/pam_krb5/".