| PAM_KRB5(8) | System Manager's Manual | PAM_KRB5(8) | 
pam_krb5 —
pam_sm_authenticate()) and to set
  user specific credentials (pam_sm_setcred()).
  pam_sm_authenticate() converts the supplied username
  into a Kerberos principal, by appending the default local realm name. It also
  supports usernames with explicit realm names. If a realm name is supplied,
  then upon a successful return, it changes the username by mapping the
  principal name into a local username (calling
  krb5_aname_to_localname()). This typically just means
  the realm name is stripped.
It prompts the user for a password and obtains a new Kerberos TGT for the principal. The TGT is verified by obtaining a service ticket for the local host.
When prompting for the current password, the authentication module
    will use the prompt “Password for
    <principal>:”.
The pam_sm_setcred() function stores the
    newly acquired credentials in a credentials cache, and sets the environment
    variable KRB5CCNAME appropriately. The credentials
    cache should be destroyed by the user at logout with
    kdestroy(1).
The following options may be passed to the authentication module:
debugLOG_DEBUG level.no_warnuse_first_passtry_first_passuse_first_pass
      option, except that if the previously obtained password fails, the user is
      prompted for another password.renewable=timeperiodforwardableno_ccacheccache=name%u’, to designate the
      decimal UID of the user; and ‘%p’,
      to designate the current process ID; can be used in
      name.allow_kdc_spoofpam_krb5 to succeed even if there is no host
      or service key available in a keytab to authenticate the Kerberos KDC's
      ticket. If there is no such key, for example on a host with no keytabs,
      pam_krb5 will fail immediately without prompting
      the user.
    Warning: If the host has not been configured
        with a keytab from the KDC, setting this option makes it vulnerable to
        malicious KDCs, e.g. via DNS flooding, because
        pam_krb5 has no way to distinguish the
        legitimate KDC from a spoofed KDC.
pam_sm_acct_mgmt(). The function
  verifies that the authenticated principal is allowed to login to the local
  user account by calling krb5_kuserok() (which checks
  the user's .k5login file).
pam_sm_chauthtok()). The username supplied
  (the user running the passwd(1)
  command, or the username given as an argument) is mapped into a Kerberos
  principal name, using the same technique as in the authentication module. Note
  that if a realm name was explicitly supplied during authentication, but not
  during a password change, the mapping done by the password management module
  may not result in the same principal as was used for authentication.
Unlike when changing a UNIX password, the password management module will allow any user to change any principal's password (if the user knows the principal's old password, of course). Also unlike UNIX, root is always prompted for the principal's old password.
The password management module uses the same heuristics as kpasswd(1) to determine how to contact the Kerberos password server.
The following options may be passed to the password management module:
debugLOG_DEBUG level.use_first_passtry_first_passuse_first_pass
      option, except that if the previously obtained old or new passwords fail,
      the user is prompted for them.pam_sm_open_session()) and terminate
  (pam_sm_close_session()) sessions. Since session
  management is not defined under Kerberos 5, both of these functions simply
  return success. They are provided only because of the naming conventions for
  PAM modules.
KRB5CCNAMEpam_authenticate() more
  than once between calls to pam_start() and
  pam_end() when using the Kerberos 5 PAM module.
pam_krb5 module implements what is fundamentally a
  password authentication scheme. It does not use a Kerberos 5 exchange between
  client and server, but rather authenticates the password provided by the
  client against the Kerberos KDC. Therefore, care should be taken to only use
  this module over a secure session (secure TTY, encrypted session, etc.),
  otherwise the user's Kerberos 5 password could be compromised.
| March 10, 2007 | NetBSD 10.0 |