pam_krb5afs (8) ( Linux man: System administration commands )
NAME
pam_krb5afs - Kerberos 5 authentication with AFS support
DESCRIPTION
pam_krb5afs.so uses a portion of krb5.conf to get its configuration
information. You should read the krb5.conf(5) man page before continuing
here. The module expects its configuration information to be in the pam
subsection of the appdefaults section of the krb5.conf
configuration file (for backward compatibility, the pam section is
also checked for the same directives).
disables checking of the addresses in the ticket. This allows a ticket to be
used from behind NAT firewalls, or on machines whose IP address changes
regularly.
afs_cells=cells
specifies which cells you want to get tokens for. Set this to the list of all
of your local cells.
banner=Kerberos
specifies what kind of password the module claims to be changing when called
to change passwords. The default is
Kerberos 5.
ccache_dir=/tmp
specifies the directory to place credential cache files in.
forwardable=[true|false]
controls whether or not credentials are forwardable. If not specified, they
are.
hosts=hostnames
specifies which other hosts credentials obtained by pam_krb5afs will be good on.
If your host is behind a firewall, you should add the IP address or name that
the KDC sees it as to this list.
initial_timeout
specifies the number of seconds to wait for the first KDC response before
beginning incremental backoff.
keytab=/etc/krb5.keytab
specifies the name of a keytab file to find a key for the required_tgs in,
for use in validating TGTs.
krb4_convert=[true|false]
controls whether or not the module also tries to obtain Kerberos IV credentials
from the KDC (or via the krb524d service on the KDC) and create ticket files
with them. Unless you have converted everything on your network to Kerberos 5,
you will want to leave this set to true. Note that this requires valid
Kerberos IV configuration data to be present in /etc/krb.conf and
/etc/krb.realms.
max_timeout=30
specifies the maximum amount of time, in seconds, to spend attempting to get a
reply from the KDCs. This effectively determines how long PAM waits before
trying the next authentication method when the KDCs are unreachable.
minimum_uid=0
specifies the minimum UID of users being authenticated. If a user with a UID
below this value attempts authentication, the module ignores the request.
proxiable=[true|false]
controls whether or not credentials are proxiable. If not specified, they
are.
renew_lifetime=36000
default renewable lifetime, in seconds. This specifies how long after obtaining
credentials you can still renew them.
required_tgs=[service]
specifies a service principal for which the user must be able to obtain a
ticket, used to verify that the TGT has not been forged. The service ticket is
decrypted using a copy of the service's key stored in a local keytab file.
This is the only way to be certain that the TGT has not been forged.
The default is host@hostname.
retain_after_close=[true|false]
specifies whether or not to retain the ticket after closing the session. The
default is false.
ticket_lifetime=36000
default credential lifetime, in seconds.
timeout_shift
specifies how many bits the timeout is shifted left after each timeout,
implementing the incremental backoff used when talking to the KDCs.
validate=[true|false]
specifies whether or not to attempt validation of the TGT against the
required_tgs key in the keytab. The default is false, in which case the module
has no way to detect a forged TGT (see required_tgs).
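The following is an added example, not code from pam_krb5afs or the krb5 distribution. It parses the brace-delimited pam = { } block under [appdefaults] (and the legacy [pam] section) described at the top of this page, merges the two, and flags the settings that weaken the TGT validation described under required_tgs and validate. Both krb5.conf texts are constructed for the demo; the rule that [appdefaults] wins over [pam] on conflict is an assumption, since the man page does not state a precedence.

```python
"""Lint the pam_krb5afs settings found in a krb5.conf.  Added example; not
part of pam_krb5afs.  Both config texts below are constructed for the demo."""

import re

# Constructed sample: a typical weak configuration (not from any real host).
WEAK_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM

[appdefaults]
    pam = {
        validate = false
        retain_after_close = true
        minimum_uid = 0
        ticket_lifetime = 36000
    }
    kinit = {
        forwardable = true
    }

[pam]
    keytab = /etc/krb5.keytab
"""

# Constructed sample: the same host with validation turned on.
HARDENED_CONF = """\
[appdefaults]
    pam = {
        validate = true
        keytab = /etc/krb5.keytab
        required_tgs = host/login.example.com
        retain_after_close = false
        minimum_uid = 1000
        forwardable = false
    }
"""

_SECTION = re.compile(r"^\[([A-Za-z0-9_]+)\]$")
_OPEN = re.compile(r"^([A-Za-z0-9_.\-]+)\s*=\s*\{$")
_KV = re.compile(r"^([A-Za-z0-9_.\-]+)\s*=\s*(.*?)\s*$")


def parse_krb5_conf(text):
    """Return {section: {key: value | {subkey: value}}} for krb5.conf text.
    Handles the brace-delimited subsections used under [appdefaults];
    blank lines and '#' / ';' comment lines are skipped."""
    conf = {}
    stack = []  # dicts currently open, innermost last
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = _SECTION.match(line)
        if m:
            stack = [conf.setdefault(m.group(1), {})]
            continue
        if not stack:
            raise ValueError("directive before any [section]: %r" % raw)
        if line == "}":
            if len(stack) < 2:
                raise ValueError("unbalanced '}'")
            stack.pop()
            continue
        m = _OPEN.match(line)
        if m:
            stack.append(stack[-1].setdefault(m.group(1), {}))
            continue
        m = _KV.match(line)
        if not m:
            raise ValueError("cannot parse: %r" % raw)
        stack[-1][m.group(1)] = m.group(2)
    if len(stack) > 1:
        raise ValueError("unterminated '{' block")
    return conf


def pam_settings(conf):
    """Merge the legacy [pam] section with [appdefaults] pam = { }.
    Assumption (not stated in the man page): [appdefaults] wins on conflict."""
    merged = dict(conf.get("pam", {}))
    merged.update(conf.get("appdefaults", {}).get("pam", {}))
    return merged


def _is_true(value, default):
    if value is None:
        return default
    return value.strip().lower() in ("true", "yes", "1")


def audit_pam_settings(settings):
    """Return a list of (severity, message) findings for the merged settings."""
    findings = []
    if not _is_true(settings.get("validate"), False):
        findings.append(("HIGH", "validate is off (the default): the TGT is never "
                         "checked against the required_tgs key in the keytab, so a "
                         "forged TGT is not detected"))
    else:
        findings.append(("INFO", "validate uses required_tgs=%s from keytab %s" % (
            settings.get("required_tgs", "host@<hostname> (default)"),
            settings.get("keytab", "/etc/krb5.keytab (default)"))))
    if _is_true(settings.get("retain_after_close"), False):
        findings.append(("MEDIUM", "retain_after_close=true: the credential "
                         "cache outlives the session"))
    if int(settings.get("minimum_uid", "0")) == 0:
        findings.append(("LOW", "minimum_uid=0: system accounts, root included, "
                         "are authenticated through Kerberos"))
    if _is_true(settings.get("forwardable"), True):
        findings.append(("INFO", "credentials are forwardable (the default when unset)"))
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print("==", name)
        for sev, msg in audit_pam_settings(pam_settings(parse_krb5_conf(text))):
            print(sev, msg)
```

Run against a real /etc/krb5.conf by reading the file into parse_krb5_conf. The HIGH finding is the one to act on: turning validate on only helps if the keytab named by keytab actually holds the required_tgs key, which can be confirmed on the host with klist -k.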