'\" te .\" Copyright (c) 2010, 2014, Oracle and/or its affiliates. All rights reserved .TH pam_krb5 5 "11 Mar 2014" "SunOS 5.11" "Standards, Environments, and Macros" .SH NAME pam_krb5 \- authentication, account, session, and password management PAM modules for Kerberos V5 .SH SYNOPSIS .LP .nf /usr/lib/security/pam_krb5.so.1 .fi .SH DESCRIPTION .sp .LP The Kerberos V5 service module for \fBPAM\fR provides functionality for all four \fBPAM\fR modules: authentication, account management, session management, and password management. The service module is a shared object that can be dynamically loaded to provide the necessary functionality upon demand. Its path is specified in the \fBPAM\fR configuration file. .SS "Kerberos Authentication Module" .sp .LP The Kerberos V5 authentication component provides functions to verify the identity of a user, \fBpam_sm_authenticate()\fR, and to manage the Kerberos credentials cache, \fBpam_sm_setcred()\fR. .sp .LP \fBpam_sm_authenticate()\fR authenticates a user principal through the Kerberos authentication service. If the authentication request is successful, the authentication service sends a ticket-granting ticket (\fBTGT\fR) back to the service module, which then verifies that the \fBTGT\fR came from a valid Key Distribution Center (\fBKDC\fR) by attempting to get a service ticket for the local host service. For this to succeed, the local host's \fBkeytab\fR file (\fB/etc/krb5/krb5.keytab\fR) must contain the entry for the local host service. For example, in the file \fBhost/\fIhostname.com\fR@\fIREALM\fR\fR, \fIhostname.com\fR is the fully qualified local hostname and \fIREALM\fR is the default realm of the local host as defined in \fB/etc/krb5/krb5.conf\fR. If the host entry is not found in the keytab file, the authentication fails. Administrators can optionally disable this "strict" verification by setting "\fBverify_ap_req_nofail = false\fR" in \fB/etc/krb5/krb5.conf\fR. See \fBkrb5.conf\fR(4) for more details on this option. This allows \fBTGT\fR verification to succeed in the absence of a \fBkeytab\fR host principal entry. .sp .LP If \fBpam_sm_authenticate()\fR is called and the \fBpkinit\fR module option is set, the Kerberos V5 authentication module tries to do \fBPKINIT\fR authentication, assuming that both the system and the \fBKDC\fR are configured to support this type of authentication. This form of authentication uses a user's certificate and private key to acquire the user's initial Kerberos credential (\fBTGT\fR). One of the keystore formats supported is \fBPKCS11\fR which supports use of any \fBPKCS11\fR compatible keystore capable of storing the required credential and private key needed for \fBPKINIT\fR authentication (\fBPKCS11\fR compatible smartcards are an example). See \fBkrb5.conf\fR(4) for more details on \fBPKINIT\fR configuration. This form of authentication is typically useful for services where the system on which the \fBauth\fR stack is being processed has access to the user's certificate and private key. .sp .LP If \fBpam_sm_authenticate()\fR is called and the \fBpkinit\fR module option is not set then the Kerberos V5 authentication module does password based authentication. .sp .LP In either case, if the \fBPAM_AUTHTOK\fR password item has been set when \fBpam_sm_authenticate()\fR is called, which is the case when \fBpam_krb5\fR is stacked after \fBpam_authtok_get\fR in the \fBauth\fR stack, the Kerberos V5 authentication module uses that \fBPAM_AUTHTOK\fR password for either \fBPKINIT\fR or password based Kerberos authentication. .sp .LP If the \fBPAM_USER\fR item is not set \fBpam_krb5\fR with the \fBpkinit\fR option prompts for and set that item. .sp .LP If the \fBPAM_AUTHTOK\fR password item has not been set when \fBpam_sm_authenticate()\fR is called, which is the case when \fBpam_krb5\fR is stacked before \fBpam_authtok_get\fR in the \fBauth\fR stack, and the \fBpkinit\fR option is present the Kerberos V5 authentication module allows the Kerberos \fBpkinit preauth\fR plugin to prompt for whatever information is needed to perform \fBPKINIT\fR (typically this is for the user's PIN). No PAM items are set by way of this prompting. See \fBkrb5.conf\fR(4) for more information on \fBPKINIT\fR configuration options. .sp .LP The \fBpam_krb5\fR module sets the \fBKRB5CCNAME\fR shell environment variable upon successful authentication or password change to \fBFILE:/tmp/krb5cc_\fR\fIuid\fR where \fIuid\fR is the UID of the user that \fBpam_krb5\fR authenticated. \fBKRB5CCNAME\fR is documented in \fBkrb5envvar\fR(5). .sp .LP If it is desirable to initially have the Kerberos V5 authentication module try \fBPKINIT\fR Kerberos authentication and fall back to password based Kerberos authentication then either the sufficient or optional control flags must be provided for the instance of \fBpam_krb5\fR with the \fBpkinit\fR module option set and another instance of \fBpam_krb5\fR without the \fBpkinit\fR module option must be stacked below \fBpam_authtok_get\fR. If there are PAM modules other than \fBpam_krb5\fR that must be evaluated below \fBpam_authtok_get\fR then the control flag should be set to optional for the instance of \fBpam_krb5\fR with the \fBpkinit\fR module option set otherwise the control flag should be set to sufficient. .sp .LP Only two instances of \fBpam_krb5\fR are supported in a \fBauth\fR stack. .sp .LP \fBpam_sm_authenticate\fR(3PAM) can be passed the following flag: .sp .ne 2 .mk .na \fB\fBPAM_DISALLOW_NULL_AUTHTOK\fR\fR .ad .sp .6 .RS 4n This flag is ignored. The Kerberos authentication mechanism does not allow an empty password string by default. .RE .sp .LP \fBpam_sm_setcred()\fR creates and modifies the user's credential cache. This function initializes the user's credential cache, if it does not already exist, and stores the initial credentials for later use by Kerberos network applications. The following flags can be set in the flags field. They are best described by their effect on the user's credential cache. .sp .ne 2 .mk .na \fB\fBPAM_ESTABLISH_CRED\fR\fR .ad .sp .6 .RS 4n Stores the initial credentials in the user's credential cache so that the user can access Kerberos network services. If a successful authentication pass was made, the new credentials are stored in the credential cache, overwriting any existing credentials that were previously stored. If an unsuccessful authentication pass was made, \fBPAM_CRED_UNAVAIL\fR is returned. .RE .sp .ne 2 .mk .na \fB\fBPAM_DELETE_CRED\fR\fR .ad .sp .6 .RS 4n This flag has no effect on the credential cache and always returns \fBPAM_SUCCESS\fR. The credential cache is not deleted because there is no accurate method to determine if the credentials are needed by another process. The credential cache can be deleted with the \fBkdestroy\fR(1) command. .RE .sp .ne 2 .mk .na \fB\fBPAM_REINITIALIZE_CRED\fR\fR .ad .sp .6 .RS 4n Deletes the user's existing credential cache, if it exists, and creates a new credential cache. The new credentials are stored in the new cache and the user's ticket lifetime and renewable life time values are reset. .RE .sp .ne 2 .mk .na \fB\fBPAM_REFRESH_CRED\fR\fR .ad .sp .6 .RS 4n Does not require a previous authentication pass, but if a successful one is made, the new credentials are stored in the credential cache. If a previous authentication pass was not made or was unsuccessful, an attempt to renew the existing credentials is made. This function fails if the user's renewable ticket lifetime is expired. .RE .sp .LP The following options can be passed to the Kerberos V5 authentication module: .sp .ne 2 .mk .na \fB\fBdebug\fR\fR .ad .RS 20n .rt Provides \fBsyslog\fR(3C) debugging information at \fBLOG_DEBUG\fR level. .RE .sp .ne 2 .mk .na \fB\fBnowarn\fR\fR .ad .RS 20n .rt Turns off warning messages. .RE .sp .ne 2 .mk .na \fBpkinit\fR .ad .RS 20n .rt Indicates that the Kerberos V5 authentication module should try Kerberos \fBPKINIT\fR authentication instead of the default password based Kerberos authentication. .RE .sp .ne 2 .mk .na \fB\fBrealm=realm_name\fR\fR .ad .RS 20n .rt Indicates the realm name used to authenticate the user rather than the system's \fBdefault_realm\fR as defined in \fB/etc/krb5/krb5.conf\fR. .LP Note - .sp .RS 2 There could be possibilities that principals names have collisions across multiple realms. This could have a negative affect in environments that have n-strikes for authentication attempts. .LP Given that the system may not have host credentials for every realm configured to perform initial authentication with, they will not have the ability to prevent KDC spoofing. .RE .RE .SS "Kerberos V5 Account Management Module" .sp .LP The Kerberos account management component provides a function to perform account management, \fBpam_sm_acct_mgmt()\fR. This function checks to see if the \fBpam_krb5\fR authentication module has noted that the user's password has not expired. The following options can be passed in to the Kerberos V5 account management module: .sp .ne 2 .mk .na \fBdebug\fR .ad .RS 10n .rt Provides \fBsyslog\fR(3C) debugging information at \fBLOG_DEBUG\fR level .RE .sp .ne 2 .mk .na \fBnowarn\fR .ad .RS 10n .rt Turns off warning messages. Also, does not query KDC for impending password expiration information used to warn the user. .RE .SS "Kerberos V5 Session Management Module" .sp .LP The Kerberos V5 session management component provides functions to initiate \fBpam_sm_open_session()\fR and terminate \fBpam_sm_close_session()\fR Kerberos sessions. For Kerberos V5, both \fBpam_sm_open_session\fR and \fBpam_sm_close_session()\fR are null functions, returning \fBPAM_IGNORE\fR. .SS "Kerberos V5 Password Management Module" .sp .LP The Kerberos V5 password management component provides a function to change passwords, \fBpam_sm_chauthtok()\fR, in the Key Distribution Center (\fBKDC\fR) database. .sp .LP If the Kerberos V5 authentication module used \fBPKINIT\fR authentication in the auth stack then the Kerberos V5 password management module returns \fBPAM_IGNORE\fR in the following cases: .RS +4 .TP .ie t \(bu .el o The new password is NULL. .RE .RS +4 .TP .ie t \(bu .el o The old password is NULL. .RE .RS +4 .TP .ie t \(bu .el o Verification of the old password fails. .RE .sp .LP The rationale behind this is that the \fBKDC\fR can not allow a \fBPKINIT\fR user to change/set a password since the user can be expected to use \fBPKINIT\fR only. If all of the cases above are false the Kerberos V5 password management module tries to change the user's password in the \fBKDC\fR database. .sp .LP If the \fBKDC\fR only supports \fBPKINIT\fR authentication then the Kerberos V5 password management module should not be present in any password stacks. .sp .LP Related to \fBPKINIT\fR the Kerberos V5 password management module does not support changing the key store PIN used to access a user's private key and certificate. .sp .LP The following flags can be passed to \fBpam_sm_chauthtok\fR(3PAM): .sp .ne 2 .mk .na \fB\fBPAM_CHANGE_EXPIRED_AUTHTOK\fR\fR .ad .sp .6 .RS 4n The password service should only update the user's Kerberos password if it is expired. Otherwise, this function returns \fBPAM_IGNORE\fR. The default behaviour is to always change the user's Kerberos password. .RE .sp .ne 2 .mk .na \fB\fBPAM_PRELIM_CHECK\fR\fR .ad .sp .6 .RS 4n This is a null function that always returns \fBPAM_IGNORE\fR. .RE .sp .ne 2 .mk .na \fB\fBPAM_UPDATE_AUTHTOK\fR\fR .ad .sp .6 .RS 4n This flag is necessary to change the user's Kerberos password. If this flag is not set, \fBpam_krb5\fR returns \fBPAM_SYSTEM_ERR\fR. .RE .sp .LP The following option can be passed to the Kerberos V5 password module: .sp .ne 2 .mk .na \fB\fBdebug\fR\fR .ad .RS 9n .rt Provides \fBsyslog\fR(3C) debugging information at \fBLOG_DEBUG\fR level. .RE .SH ERRORS .sp .LP The following error codes are returned for \fBpam_sm_authenticate()\fR: .sp .ne 2 .mk .na \fB\fBPAM_AUTH_ERR\fR\fR .ad .RS 20n .rt Authentication failure .RE .sp .ne 2 .mk .na \fB\fBPAM_BUF_ERR\fR\fR .ad .RS 20n .rt Memory buffer error. .RE .sp .ne 2 .mk .na \fB\fBPAM_IGNORE\fR\fR .ad .RS 20n .rt The user is "\fBroot\fR" and the root key exists in the default keytab. .RE .sp .ne 2 .mk .na \fB\fBPAM_SUCCESS\fR\fR .ad .RS 20n .rt Successfully obtained Kerberos credentials . .RE .sp .ne 2 .mk .na \fB\fBPAM_SYSTEM_ERR\fR\fR .ad .RS 20n .rt System error. .RE .sp .ne 2 .mk .na \fB\fBPAM_USER_UNKNOWN\fR\fR .ad .RS 20n .rt An unknown Kerberos principal was requested. .RE .sp .LP The following error codes are returned for \fBpam_sm_setcred()\fR: .sp .ne 2 .mk .na \fB\fBPAM_AUTH_ERR\fR\fR .ad .RS 18n .rt Authentication failure. .RE .sp .ne 2 .mk .na \fB\fBPAM_BUF_ERR\fR\fR .ad .RS 18n .rt Memory buffer error. .RE .sp .ne 2 .mk .na \fB\fBPAM_IGNORE\fR\fR .ad .RS 18n .rt The user is "\fBroot\fR" and the root key exists in the default keytab. .RE .sp .ne 2 .mk .na \fB\fBPAM_SYSTEM_ERR\fR\fR .ad .RS 18n .rt System error. .RE .sp .ne 2 .mk .na \fB\fBPAM_SUCCESS\fR\fR .ad .RS 18n .rt Successfully modified the Kerberos credential cache. .RE .sp .LP The following error codes are returned for \fBpam_sm_acct_mgmt()\fR: .sp .ne 2 .mk .na \fB\fBPAM_AUTH_ERR\fR\fR .ad .RS 24n .rt Authentication failure. .RE .sp .ne 2 .mk .na \fB\fBPAM_IGNORE\fR\fR .ad .RS 24n .rt Kerberos service module \fBpam_sm_authenticate()\fR was never called, or the user is "\fBroot\fR" and the root key exists in the default keytab. .RE .sp .ne 2 .mk .na \fB\fBPAM_NEW_AUTHTOK_REQD\fR\fR .ad .RS 24n .rt Obtain new authentication token from the user. .RE .sp .ne 2 .mk .na \fB\fBPAM_SERVICE_ERR\fR\fR .ad .RS 24n .rt Error in underlying service module. .RE .sp .ne 2 .mk .na \fB\fBPAM_SUCCESS\fR\fR .ad .RS 24n .rt Kerberos principal account is valid. .RE .sp .ne 2 .mk .na \fB\fBPAM_SYSTEM_ERR\fR\fR .ad .RS 24n .rt System error. .RE .sp .ne 2 .mk .na \fB\fBPAM_USER_UNKNOWN\fR\fR .ad .RS 24n .rt An unknown Kerberos principal was requested. .RE .sp .LP The following error code is returned for \fBpam_sm_open_session()\fR and \fBpam_sm_close_session()\fR: .sp .ne 2 .mk .na \fB\fBPAM_IGNORE\fR\fR .ad .RS 14n .rt These two functions are null functions in \fBpam_krb5\fR: .RE .sp .LP The following error codes are returned for \fBpam_sm_chauthtok()\fR: .sp .ne 2 .mk .na \fB\fBPAM_AUTH_ERR\fR\fR .ad .RS 24n .rt Authentication failure. .RE .sp .ne 2 .mk .na \fB\fBPAM_IGNORE\fR\fR .ad .RS 24n .rt The user has not been authenticated by Kerberos service module \fBpam_sm_authenticate()\fR, or the user is "\fBroot\fR" and the root key exists in the default keytab. .RE .sp .ne 2 .mk .na \fB\fBPAM_NEW_AUTHTOK_REQD\fR\fR .ad .RS 24n .rt User's Kerberos password has expired. .RE .sp .ne 2 .mk .na \fB\fBPAM_SERVICE_ERR\fR\fR .ad .RS 24n .rt Error in module. At least one input parameter is missing. .RE .sp .ne 2 .mk .na \fB\fBPAM_SYSTEM_ERR\fR\fR .ad .RS 24n .rt System error. .RE .sp .ne 2 .mk .na \fB\fBPAM_USER_UNKNOWN\fR\fR .ad .RS 24n .rt An unknown Kerberos principal was requested. .RE .sp .ne 2 .mk .na \fB\fBPAM_SUCCESS\fR\fR .ad .RS 24n .rt Successfully changed the user's Kerberos password. .RE .SH EXAMPLES .LP \fBExample 1 \fRAuthenticating Users Through Kerberos as First Choice Using Password-based Authentication .sp .LP The following is an excerpt of a sample \fBpam.conf\fR configuration file that authenticates users through the Kerberos authentication service and authenticates through the Unix login only if the Kerberos authentication fails. This arrangement is helpful when a majority of the users are networked by means of Kerberos and when there are only a few non-Kerberos type user accounts, such as root. The service illustrated below is for \fBgdm\fR. .sp .in +2 .nf gdm auth requisite pam_authtok_get.so.1 gdm auth required pam_dhkeys.so.1 gdm auth required pam_unix_cred.so.1 gdm auth sufficient pam_krb5.so.1 gdm auth required pam_unix_auth.so.1 .fi .in -2 .sp .LP These changes should not be made to the existing \fBkrlogin\fR, \fBkrsh\fR, and \fBktelnet\fR service entries. Those services require Kerberos authentication, so using a seemingly sufficient control flag would not provide the necessary functionality for privacy and integrity. There should be no need to change those entries. .sp .LP The following entries check for password expiration when dealing with Kerberos and Unix password aging policies: .sp .in +2 .nf other account requisite pam_roles.so.1 other account required pam_unix_account.so.1 other account required pam_krb5.so.1 .fi .in -2 .sp .LP The following entries would change the Kerberos password of the user and continue to change the Unix login password only if the Kerberos password change had failed: .sp .in +2 .nf other password required pam_dhkeys.so.1 other password requisite pam_authtok_get.so.1 other password requisite pam_authtok_check.so.1 other password sufficient pam_krb5.so.1 other password required pam_authtok_store.so.1 .fi .in -2 .LP \fBExample 2 \fRAuthenticating Users Through Kerberos Only Using Password-based Authentication .sp .LP The following example allows authentication only to users that have Kerberos-based accounts. .sp .in +2 .nf gdm auth requisite pam_authtok_get.so.1 gdm auth required pam_dhkeys.so.1 gdm auth required pam_unix_cred.so.1 gdm auth required pam_krb5.so.1 .fi .in -2 .sp .LP Typically, you would have another service specified in the \fBpam.conf\fR file that would allow local users, such as database, web server, system administrator accounts, to log in to the host machine. For example, the service name "login" could be used for these users. These users should not belong to any roles. .sp .LP The rest of the module types look similar to that shown in the previous example: .sp .in +2 .nf other account requisite pam_roles.so.1 other account required pam_unix_account.so.1 other account required pam_krb5.so.1 .fi .in -2 .sp .LP With binding specified in the following, it is important that non-Kerberos users specify the repository in which they reside using the \fB-r\fR option with the \fBpasswd\fR(1) command. This configuration is also based on the assumptions that: .RS +4 .TP .ie t \(bu .el o Kerberos users maintain only their Kerberos passwords; .RE .RS +4 .TP .ie t \(bu .el o changing their Unix password is not necessary, given that they are authenticated only through their Kerberos passwords when logging in. .RE .sp .in +2 .nf other password required pam_dhkeys.so.1 other password requisite pam_authtok_get.so.1 other password requisite pam_authtok_check.so.1 other password binding pam_krb5.so.1 .fi .in -2 .LP \fBExample 3 \fRAuthenticating Through Kerberos Optionally Using Password-based Authentication .sp .LP This configuration is helpful when the majority of users are non-Kerberos users and would like to authenticate through Kerberos if they happened to exist in the Kerberos database. The effect of this is similar to users voluntarily executing \fBkinit\fR(1) after they have successfully logged in: .sp .in +2 .nf gdm auth requisite pam_authtok_get.so.1 gdm auth required pam_dhkeys.so.1 gdm auth required pam_unix_cred.so.1 gdm auth required pam_unix_auth.so.1 gdm auth optional pam_krb5.so.1 .fi .in -2 .sp .LP The rest of the configuration is as follows: .sp .in +2 .nf other account requisite pam_roles.so.1 other account required pam_unix_account.so.1 other account optional pam_krb5.so.1 other password required pam_dhkeys.so.1 other password requisite pam_authtok_get.so.1 other password requisite pam_authtok_check.so.1 other password required pam_authtok_store.so.1 other password optional pam_krb5.so.1 .fi .in -2 .sp .LP Non-Kerberos users should specify their respective repositories by using the \fB-r\fR option when changing their password with the \fBpasswd\fR(1) command. .LP \fBExample 4 \fRAuthenticating Users Through Kerberos PKINIT as First Choice .sp .LP The following is an excerpt of a sample \fBpam.conf\fR configuration file that authenticates users through the Kerberos authentication service and authenticates through the Unix login only if the Kerberos authentication (using \fBPKINIT\fR) fails. This arrangement is helpful when a majority of the users are networked by means of Kerberos and when there are only a few non-Kerberos type user accounts, such as root. The service illustrated below is for login. The user is prompted once for the PIN by \fBpam_krb5\fR. .sp .in +2 .nf login auth required pam_unix_cred.so.1 login auth sufficient pam_krb5.so.1 pkinit login auth requisite pam_authtok_get.so.1 login auth required pam_dhkeys.so.1 login auth required pam_unix_auth.so.1 .fi .in -2 .LP \fBExample 5 \fRAuthenticating Users Through Kerberos PKINIT Only .sp .LP The following example allows authentication only to users that have kerberos-based accounts requiring \fBPKINIT\fR authentication. .sp .in +2 .nf login auth required pam_unix_cred.so.1 login auth required pam_krb5.so.1 pkinit .fi .in -2 .LP \fBExample 6 \fRAuthenticating Users Through Kerberos PKINIT Optionally .sp .LP The following example allows users to acquire a Kerberos credential using \fBPKINIT\fR authentication if they have a Kerberos account. Whether \fBpam_krb5\fR succeeds or fails the user must provide their Unix password to login. .sp .in +2 .nf login auth required pam_unix_cred.so.1 login auth optional pam_krb5.so.1 pkinit login auth requisite pam_authtok_get.so.1 login auth required pam_unix_auth.so.1 .fi .in -2 .LP \fBExample 7 \fRAuthenticating Users Through Kerberos PKINIT as a Requirement .sp .LP The following example allows users to login if \fBpam_krb5\fR is able to acquire a Kerberos credential using \fBPKINT\fR authentication and in addition must provide their Unix password to \fBpam_unix_auth\fR. .sp .in +2 .nf login auth required pam_unix_cred.so.1 login auth required pam_krb5.so.1 pkinit login auth requisite pam_authtok_get.so.1 login auth required pam_unix_auth.so.1 .fi .in -2 .LP \fBExample 8 \fRAuthenticating Users Through Kerberos PKINIT as a Requirement .sp .LP The following example allows users to login using their \fBPAM_AUTHTOK\fR password acquired by \fBpam_authtok_get\fR. This password is used by \fBpam_krb5\fR to try \fBPKINIT\fR authentication and is also used by \fBpam_unix_auth\fR to authenticate the user using the user's Unix account. If \fBPKINIT\fR requires a password/PIN that differs from the user's Unix password then \fBpam_krb5\fR must be stacked above \fBpam_authtok_get\fR. .sp .in +2 .nf login auth required pam_unix_cred.so.1 login auth requisite pam_authtok_get.so.1 login auth required pam_krb5.so.1 pkinit login auth required pam_unix_auth.so.1 .fi .in -2 .LP \fBExample 9 \fRAuthenticating Users Through Kerberos PKINIT with a Fall Back to Password-based \fBkrb auth\fR .sp .LP The following example allows users to acquire a Kerberos credential using \fBPKINIT\fR authentication or using password based authentication if \fBPKINIT\fR fails. If \fBPKINIT\fR succeeds the user is not prompted for their password. If \fBpam_krb5 PKINIT\fR succeeds, the second instance of \fBpam_krb5\fR does not try password authentication and returns success. If \fBPKINIT\fR fails the user is prompted for their Kerberos password. .sp .in +2 .nf login auth required pam_unix_cred.so.1 login auth sufficient pam_krb5.so.1 pkinit login auth requisite pam_authtok_get.so.1 login auth required pam_krb5.so.1 .fi .in -2 .LP \fBExample 10 \fRAuthenticating Users Through Kerberos Requiring Users to Authenticate Either through Kerberos PKINIT or Fall Back to Password-based \fBkrb auth\fR .sp .LP The following example allows users to acquire a Kerberos credential using \fBPKINIT\fR authentication or using password based authentication if \fBPKINIT\fR fails. If \fBpam_krb5\fR \fBPKINIT\fR succeeds, the second instance of \fBpam_krb5\fR does not try password authentication and returns ignore. If \fBpam_krb5\fR \fBPKINIT\fR fails the second instance of \fBpam_krb5\fR tries password based authentication and return success or failure. .sp .in +2 .nf login auth required pam_unix_cred.so.1 login auth optional pam_krb5.so.1 pkinit login auth requisite pam_authtok_get.so.1 login auth required pam_krb5.so.1 login auth required pam_dhkeys.so.1 login auth required pam_unix_auth.so.1 .fi .in -2 .LP \fBExample 11 \fRAuthenticating Users Through Kerberos Requiring Users to Authenticate Either through Kerberos PKINIT or Fall Back to \fBpam_pkcs11\fR .sp .LP The following example allows users to acquire a Kerberos credential using \fBPKINIT\fR authentication or if that fails use \fBpam_pkcs11\fR to validate the user's PIN using their certificate and private key. .sp .in +2 .nf login auth required pam_unix_cred.so.1 login auth sufficient pam_krb5.so.1 pkinit login auth sufficient pam_pkcs11.so .fi .in -2 .LP \fBExample 12 \fRAuthenticating Users Through Multiple Realms as First Choice Using Password-based Authentication .sp .LP This configuration can be used in combination with multiple \fBpam_krb5\fR in which different realms can be specified for one authentication pass. For example: .sp .in +2 .nf gdm auth definitive pam_user_policy.so.1 gdm auth required pam_dhkeys.so.1 gdm auth required pam_unix_cred.so.1 gdm auth sufficient pam_krb5.so.1 gdm auth sufficient pam_krb5.so.1 realm=EXAMPLE1.COM gdm auth required pam_unix_auth.so.1 .fi .in -2 .sp .LP This will cause an initial authentication attempt for \fBdefault_realm\fR, as configured in the \fB/etc/krb5/krb5.conf\fR file, realm first. If this fails then an initial authentication attempt for the EXAMPLE1.COM is attempted. .SH ATTRIBUTES .sp .LP See \fBattributes\fR(5) for descriptions of the following attributes: .sp .sp .TS tab() box; cw(2.75i) |cw(2.75i) lw(2.75i) |lw(2.75i) . ATTRIBUTE TYPEATTRIBUTE VALUE _ Interface StabilityCommitted .TE .SH SEE ALSO .sp .LP \fBkdestroy\fR(1), \fBkinit\fR(1), \fBpasswd\fR(1), \fBktkt_warnd\fR(1M), \fBlibpam\fR(3LIB), \fBpam\fR(3PAM), \fBpam_sm\fR(3PAM), \fBpam_sm_acct_mgmt\fR(3PAM), \fBpam_sm_authenticate\fR(3PAM), \fBpam_sm_chauthtok\fR(3PAM), \fBpam_sm_close_session\fR(3PAM), \fBpam_sm_open_session\fR(3PAM), \fBpam_sm_setcred\fR(3PAM), \fBsyslog\fR(3C), \fBkrb5.conf\fR(4), \fBpam.conf\fR(4), \fBattributes\fR(5), \fBkerberos\fR(5), \fBkrb5envvar\fR(5), \fBpam_krb5_migrate\fR(5) .SH NOTES .sp .LP The interfaces in \fBlibpam\fR(3LIB) are MT-Safe only if each thread within the multi-threaded application uses its own \fBPAM\fR handle. .sp .LP On successful acquisition of initial credentials (ticket-granting ticket), \fBktkt_warnd\fR(1M) is notified, to alert the user when the initial credentials are about to expire.