The Kerberos V5 authentication component provides functions to verify the identity of a user, pam_sm_authenticate(), and to refresh the Kerberos credentials cache, pam_sm_setcred(). pam_sm_authenticate() authenticates a user principal though the Kerberos authentication service. If the authentication request is successful, the authentication service sends a ticket-granting ticket (tgt) back to the pam_krb5.so.1 module, which then verifies that the TGT came from a valid KDC by attempting to get a service ticket for the local host service. For this to succeed, the local host's keytab file (/etc/krb5/krb5.keytab) must contain the entry for the local host service (for example, host/hostname.com@REALM where hostname.com is the fully qualified local hostname and REALM is the default realm of the local host as defined in /etc/krb5/krb5.conf). Once the TGT is verified, it is stored in the credentials cache for later use by Kerberized network applications. If the host entry is not found in the keytab file, the authentication fails.

The following options can be passed to the Kerberos V5 authentication module:

acceptor

Prevents the PAM module from performing the authentication service exchange used to obtain the initial ticket-granting ticket. This should be used on Kerberos application servers since the initial ticket is not needed.

debug

Provides syslog(3C) debugging information at LOG_DEBUG level.

nowarn

Turns off warning messages.

use_first_pass

Requests Kerberos V5 authentication with the user's initial password (entered when the user authenticated to the first authentication module in the stack). If Kerberos V5 authentication fails, or if no password has been entered, it quits and does not prompt the user for a password. This option should only be used if the authentication service is designated as optional in the pam.conf configuration file.

try_first_pass

Requests Kerberos V5 authentication with the user's initial password (entered when the user authenticated to the first authentication module in the stack). If Kerberos V5 authentication fails, or if no password has been entered, the user is prompted for a password with the prompt "Kerberos Password:".

use_xfn_pass

Requests Kerberos V5 authentication with a mapped password that has been stored under XFN. If Kerberos V5 authentication fails, or if no password has been entered, it quits and does not prompt the user for a password. This option should only be used if the authentication service is designated as optional in the pam.conf configuration file.

try_xfn_Pass

Requests Kerberos V5 authentication with a mapped password that has been stored under XFN. If Kerberos V5 authentication fails, or if no password has been stored, the user is prompted for a password with the prompt "Kerberos Password:".

The Kerberos account management component provides a function to perform account management, pam_sm_acct_mgmt(). This function checks to see if the pam_krb5 authentication module has noted that the user's password has not expired. The following options may be passed in to the Kerberos V5 service module:

debug

Provides syslog(3C) debugging information at LOG_DEBUG level

nowarn

Turn off warning messages.

The Kerberos V5 session management component provides functions to initiate pam_sm_open_session() and terminate pam_sm_close_session() Kerberos V5 sessions. For Kerberos V5, pam_sm_open_session is a null function. pam_close_session destroys a principal's credential cache as well as the kernel Kerberos credentials if the session being closed is the last open session on this server for the calling principal.

The Kerberos V5 password management component provides a function to change passwords pam_sm_chauthtok() in the Key Distribution Center (KDC) database. The following options can be passed in to the Kerberos V5 password module:

debug

Provides syslog(3C) debugging information at LOG_DEBUG level.

nowarn

Turns off warning messages.

use_first_pass

Requests Kerberos V5 authentication with the user's initial password (entered when the user authenticated to the first authentication module in the stack). If Kerberos V5 authentication fails, or if no password has been entered, it quits and does not prompt the user for a password. If authentication succeeds, the user is prompted by "New KRB5 password:" for a new password. The user is then prompted a second time for the new password for verification and the KDC database is updated with the new password if both responses match.

try_first_pass

Requests Kerberos V5 authentication with the user's initial password (entered when the user authenticated to the first authentication module in the stack). If Kerberos V5 authentication fails, or if no password has been entered, the user is prompted for a password with the prompt "Old KRB5 Password:". If authentication succeeds, the user is prompted by "New KRB5 password:" for a new password. The user is then prompted a second time for the new password for verification and the KDC database is updated with the new password if both responses match.

use_xfn_pass

Requests Kerberos V5 authentication with a mapped password that has been stored under XFN. If Kerberos V5 authentication fails, or if no password has been stored, it quits and does not prompt the user for a password. If authentication succeeds, the user is prompted by "New KRB5 password:" for a new password. The user is then prompted a second time for the new password for verification and the KDC database is updated with the new password if both responses match.

try_xfn_pass

Requests Kerberos V5 authentication with a mapped password that has been stored under XFN. If Kerberos V5 authentication fails, or if no password has been stored, the user is prompted for a password with the prompt "Old KRB5 Password:". If authentication succeeds, the user is prompted by "New KRB5 password:" for a new password. The user is then prompted a second time for the new password for verification and the KDC database is updated with the new password if both responses match.

The following is a sample pam.conf configuration file with Kerberos V5 support. Please note that this is only intended to give the flavor of the pam.conf Kerberos V5 entries and is not complete.

#
# Authentication management
#
login auth required /usr/lib/security/$ISA/pam_unix.so.1 
login auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
#
# Account management
#
dtlogin  account required  /usr/lib/security/$ISA/pam_unix.so.1
dtlogin  account optional  /usr/lib/security/$ISA/pam_krb5.so.1
#
# Session management
#
other  session required  /usr/lib/security/$ISA/pam_unix.so.1
other  session optional  /usr/lib/security/$ISA/pam_krb5.so.1
#
# Password management
#
other password required /usr/lib/security/$ISA/pam_unix.so.1
other password optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass

The Kerberos V5 module entries typically follow the Unix module entries. Thus, the Kerberos V5 modules are "stacked" behind the Unix module. For the login service, the Kerberos V5 authentication module runs after the Unix module. Its entry is optional, so the user can still login if it fails, assuming that the previous Unix module succeeded. If the entry designates required instead of optional, the user cannot login if Kerberos V5 authentication fails. Because the try_first_pass option is designated, it tries the user's password entered for the Unix module. If Kerberos V5 authentication fails, or no password has been entered, the user is prompted for the Kerberos V5 password. For all session related services, the Kerberos V5 session module runs after the Unix module. For the dtlogin service, the Kerberos V5 account management module runs after the Unix module. For all password changing related services, the Kerberos V5 module runs after the Unix module. Because the try_first_pass option is designated, if the initial password entered for the Unix module authenticates Kerberos V5 successfully, the old Kerberos V5 password is not requested from the user; only the new Kerberos V5 password is requested.