pam_krb4
Derrick J. Brashear <shadow@dementia.org>
Author.
authentication; password; session
uses API
libraries - libkrb
, libdes
, libcom_err
, libkadm
;
and a set of Kerberos include files.
Gets Kerberos ticket granting ticket via a Kerberos key distribution center reached via the network.
This module provides an interface for doing Kerberos verification of a user's password, getting the user a Kerberos ticket granting ticket for use with the Kerberos ticket granting service, destroying the user's tickets at logout time, and changing a Kerberos password.
This component of the module currently sets the user's KRBTKFILE
environment variable (although there is currently no way to export
this), as well as deleting the user's ticket file upon logout (until
PAM_CRED_DELETE
is supported by login).
This part of the module won't be terribly useful until we can change
the environment from within a Linux-PAM
module.
use_first_pass
; try_first_pass
This component of the module changes a user's Kerberos password by first getting and using the user's old password to get a session key for the password changing service, then sending a new password to that service.
This should only be used with a real Kerberos v4 kadmind
. It
cannot be used with an AFS kaserver unless special provisions are
made. Contact the module author for more information.
use_first_pass
; try_first_pass
This component of the module verifies a user's Kerberos password by requesting a ticket granting ticket from the Kerberos server and optionally using it to attempt to retrieve the local computer's host key and verifying using the key file on the local machine if one exists.
It also writes out a ticket file for the user to use later, and
deletes the ticket file upon logout (not until PAM_CRED_DELETE
is called from login).
This module can be used with a real Kerberos server using MIT v4 Kerberos keys. The module or the system Kerberos libraries may be modified to support AFS style Kerberos keys. Currently this is not supported to avoid cryptography constraints.