The OpenNET Project / Index page

[ новости /+++ | форум | теги | ]

Интерактивная система просмотра системных руководств (man-ов)

 ТемаНаборКатегория 
 
 [Cписок руководств | Печать]

pam_krb5afs (8)
  • pam_krb5afs (5) ( Linux man: Форматы файлов )
  • >> pam_krb5afs (8) ( Linux man: Команды системного администрирования )
  •  

    NAME

    pam_krb5afs - Kerberos 5 authentication with AFS support
     
    

    SYNOPSIS

    auth required /lib/security/pam_krb5afs.so
    session optional /lib/security/pam_krb5afs.so
    account sufficient /lib/security/pam_krb5afs.so
    password sufficient /lib/security/pam_krb5afs.so  

    DESCRIPTION

    pam_krb5afs.so is designed to allow smooth integration of Kerberos 5 password- checking with applications built using PAM. It also supports session-specific ticket files (which are neater), Kerberos IV ticket file grabbing, and AFS token-grabbing. Its main use is as an authentication module, but it also supplies the same functions as a session-management module to better support poorly-written applications, and a couple of other workarounds as well. It also supports account management and password-changing.

    When a user logs in, the module's authentication function performs a simple password check and, if possible, obtains Kerberos 5 and Kerberos IV credentials, caching them for later use. When the application requests initialization of credentials (or opens a session), the usual ticket files are created and AFS tokens are obtained. When the application subsequently requests deletion of credentials or closing of the session, the module destroys the tokens for the current PAG and deletes the ticket files.

    Some applications (notably, wu-ftpd, wu-imapd, and Samba) neither create credentials nor open sessions. For these applications, it's best to use the tokens option to force token-grabbing during the password check, which is usually the right thing to do for these server apps.

     

    ARGUMENTS

    debug
    turns on debugging via syslog(3). Debugging messages are logged with priority LOG_DEBUG.
    addressless
    tells pam_krb5afs.so to obtain credentials without address lists. This may be necessary if your network uses NAT, and should otherwise not be used.
    hosts=host
    tells pam_krb5afs.so to obtain credentials using the address of the given host in addition to the addresses of interfaces on the local workstation. For example, if your workstation is behind a masquerading firewall, specifying the firewall's outward-facing address here should allow Kerberos authentication to succeed.
    afs_cells=cell
    tells pam_krb5afs.so to obtain tokens for users in the given cell when they log in.
    banner=Kerberos
    tells pam_krb5afs.so how to identify itself when users attempt to change their passwords.
    ccache_dir=/tmp
    tells pam_krb5afs.so which directory to use for storing credential caches.
    forwardable
    tells pam_krb5afs.so that credentials it obtains should be forwardable.
    keytab=/etc/krb5.keytab
    tells pam_krb5afs.so the location of a keytab to use when validating credentials obtained from KDCs.
    krb4_convert
    tells pam_krb5afs.so to obtain Kerberos IV credentials for users, in addition to Kerberos 5 credentials.
    minimum_uid=0
    tells pam_krb5afs.so to ignore authentication attempts by users with UIDs below the specified number.
    no_user_check
    tells pam_krb5afs.so to not check if a user exists on the local system, and to create ccache files owned by the current process's UID. This is useful for situations where a non-privileged server process needs to use Kerberized services on behalf of remote users who may not have local access. Note that such a server should have an encrypted connection with its client in order to avoid allowing the user's password to be eavesdropped.
    proxiable
    tells pam_krb5afs.so that credentials it obtains should be proxiable.
    realm=realm
    overrides the default realm set in /etc/krb5.conf, which pam_krb5afs.so will attempt to authenticate users to.
    renew_lifetime=36000
    sets the default renewable lifetime for credentials.
    retain_after_close
    tells pam_krb5afs.so to retain the ticket after the session has been closed.
    skip_first_pass
    tells pam_krb5afs.so to not bother checking a password that has been set by a module listed earlier in the stack. This option is included mainly for completeness.
    ticket_lifetime=36000
    sets the default lifetime for credentials.
    tokens
    tells pam_krb5afs.so to get AFS tokens for the user immediately if the password check succeeds. This is necessary for some programs that never open sessions or attempt to initialize credentials (PAM's credentials, not Kerberos's). If you have a server app that requires access to the user's file space, you might need this.
    try_first_pass
    tells pam_krb5afs.so to check the password as with use_first_pass, but to prompt the user for another one if the previously-entered one fails. This is the default mode of operation.
    use_first_pass
    tells pam_krb5afs.so to get the user's entered password as it was stored by a module listed earlier in the stack, usually pam_unix or pam_pwdb, instead of prompting the user for it.
    use_authtok
    tells pam_krb5afs.so to never prompt for passwords when changing passwords. This is useful if you are using pam_cracklib.so to try to enforce use of less-easy-to-guess passwords.
    validate
    tells pam_krb5afs.so to verify that the TGT obtained from the realm's servers has not been spoofed.

     

    FILES

    /etc/krb5.conf
     

    SEE ALSO

    pam_krb5afs(5)
     

    BUGS

    Probably, but let's hope not. If you find any, please email the author.  

    AUTHOR

    Nalin Dahyabhai <[email protected]>


     

    Index

    NAME
    SYNOPSIS
    DESCRIPTION
    ARGUMENTS
    FILES
    SEE ALSO
    BUGS
    AUTHOR


    Поиск по тексту MAN-ов: 




    Партнёры:
    PostgresPro
    Inferno Solutions
    Hosting by Hoster.ru
    Хостинг:

    Закладки на сайте
    Проследить за страницей
    Created 1996-2024 by Maxim Chirkov
    Добавить, Поддержать, Вебмастеру