Quick Navigator

Search Site

Unix VPS
A - Starter
B - Basic
C - Preferred
D - Commercial
MPS - Dedicated
Previous VPSs
* Sign Up! *

Contact Us
Online Help
Domain Status
Man Pages

Virtual Servers

Topology Map

Server Agreement
Year 2038

USA Flag



Man Pages

Manual Reference Pages  -  PAM_KRB5 (5)


pam_krb5 - Kerberos 5 authentication



DESCRIPTION reads its configuration information from the appdefaults section of krb5.conf(5). You should read the krb5.conf(5) man page before continuing here. The module expects its configuration information to be in the pam subsection of the appdefaults section.


Directives which take a true, false, or a PAM service name can also be selectively disabled for specific PAM services using the related "no_" option (exceptions to "debug = true" can be made using "no_debug", for example).

debug = true|false|service [...] turns on debugging via syslog(3). Debug messages are logged with priority LOG_DEBUG.

debug_sensitive = true|false|service [...] turns on debugging of sensitive information via syslog(3). Debug messages are logged with priority LOG_DEBUG.

always_allow_localname = true|false|service [...] tells, when performing an authorization check using the target user’s .k5login file, to always allow access when the principal name being authenticated maps to the local user’s name (as configured using the auth_to_local_names and auth_to_local settings in krb5.conf(5), if your implementation provides those settings). Otherwise, if the file exists and can be read, but the principal is not explicitly listed, access is typically denied. This setting is disabled by default.

banner = Kerberos 5 specifies what sort of password the module claims to be changing whenever it is called upon to change passwords. The default is Kerberos 5.

ccache_dir = /var/tmp specifies the directory in which to place credential cache files. The default is /tmp.

ccname_template = KEYRING:krb5cc_%U_%P
ccname_template = FILE:%d/krb5cc_%U_XXXXXX specifies the location in which to place the user’s session-specific credential cache. This value is treated as a template, and these sequences are substituted:
%u    login name
%U    login UID
%p    principal name
%r    principal’s realm name
%h    home directory
%d    the default ccache directory (as set with ccache_dir)
%P    the current process ID
%%    literal ’%’

If the resulting template does not end with "XXXXXX", a suffix will be added to the configured value. The default is FILE:%d/krb5cc_%U_XXXXXX".

chpw_prompt = true|false|service [...] tells to allow expired passwords to be changed during authentication attempts. While this is the traditional behavior exhibited by "kinit", it is inconsistent with the behavior expected by PAM, which expects authentication to (appear to) succeed, only to have password expiration be flagged by a subsequent call to the account management function. Some applications which don’t handle password expiration correctly will fail unconditionally if the user’s password is expired, and this flag can be used to attempt to work around this bug in those applications. The default is false.

cred_session=true|false|service [...] specifies that pam_krb5 should create and destroy credential caches, as it does when the calling application opens and closes a PAM session, when the calling application establishes and deletes PAM credentials. This is done to compensate for applications which expect to create a credential cache but which don’t use PAM session management. It is usually a harmless redundancy in applications which don’t require it, so this option is enabled by default except for this list of services: "sshd".

external = true|false|sshd ftp [...] tells to use Kerberos credentials provided by the calling application during session setup. The default is "sshd".

ignore_k5login=true|false|service [...] specifies which other not pam_krb5 should skip checking the user’s .k5login file to verify that the principal name of the client being authenticated is authorized to access the user account. (Actually, the check is performed by a function offered by the Kerberos library, which controls which files it will consult.) The default is false, which causes pam_krb5 to perform the check.

ignore_unknown_principals=true|false|service [...]
ignore_unknown_spn=true|false|service [...]
ignore_unknown_upn=true|false|service [...] specifies which other not pam_krb5 should return a PAM_IGNORE code to libpam instead of PAM_USER_UNKNOWN for users for whom the determined principal name is expired or does not exist.

initial_prompt=true|false|service [...] tells whether or not to ask for a password before attempting authentication. If one is needed and has not prompted for it, the Kerberos library should trigger a request for a password.

keytab = FILE:/etc/krb5.keytab imap=FILE:/etc/imap.keytab specifies the name of a keytab file to search for a service key for use in validating TGTs. The location can be specified on a per-service basis by specifying a list of locations in the form pam_service=location. The default is FILE:/etc/krb5.keytab.

mappings = regex1 regex2 [...] specifies that pam_krb5 should derive the user’s principal name from the Unix user name by first checking if the user name matches regex1, and formulating a principal name using regex2. For example, "mappings = ^EXAMPLE\\(.*)$ $1@EXAMPLE.COM" would map any user with a name of the form "EXAMPLE\whatever" to a principal name of "whatever@EXAMPLE.COM". This is primarily targeted at allowing pam_krb5 to be used to authenticate users whose user information is provided by winbindd(8). This will frequently require the reverse to be configured by setting up an auth_to_local rule elsewhere in krb5.conf(5).

minimum_uid = 0 specifies the minimum UID of users being authenticated. If a user with a UID less than this value attempts authentication, the request will be ignored.

multiple_ccaches=true|false|service [...] specifies that pam_krb5 should maintain multiple credential caches for applications that both set credentials and open a PAM session, but which set the KRB5CCNAME variable after doing only one of the two. This option is usually not necessary for most services.

pkinit_flags = 0 controls the flags value which pam_krb5 passes to libkrb5 when setting up PKINIT parameters. This is useful mainly for debugging.

pkinit_identity = controls where pam_krb5 instructs libkrb5 to search for the user’s private key and certificate, so that the client can be authenticated using PKINIT, if the KDC supports it. This value is treated as a template, and these sequences are substituted:
%u    login name
%U    login UID
%p    principal name
%r    principal’s realm name
%h    home directory
%d    the default ccache directory (as set with ccache_dir)
%P    the current process ID
%%    literal ’%’
Other PKINIT-specific defaults, such as the locations of trust anchors, can be set in krb5.conf(5).

pwhelp = filename specifies the name of a text file whose contents will be displayed to clients who attempt to change their passwords. There is no default.

subsequent_prompt = true|false|service [...] controls whether or not will allow the Kerberos library to ask the user for a password or other information, if the previously-entered password is somehow insufficient for authenticating the user. This is commonly needed to allow a user to log in when that user’s password has expired. The default is false during password changes, and true otherwise.

If the calling application does not properly support PAM conversations (possibly due to limitations of a network protocol which it is serving), this may be need to be disabled for that application to prevent it from supplying the user’s current password in a password-changing situation when a new password is called for.

use_shmem = true|false|service [...] tells to pass credentials from the authentication service function to the session management service function using shared memory for specific services. By default, the module is configured with "use_shmem = sshd".

validate = true|false|service [...] specifies whether or not to attempt validation of the TGT using the local keytab. The default is true. The libdefaults verify_ap_req_nofail setting can affect whether or not errors reading the keytab which are encountered during validation will be suppressed.

validate_user_user = true|false|service [...] specifies whether or not, when attempting validation of the TGT, to attempt user-to-user authentication using a previously-obtainted TGT in the default ccache if validation can’t be performed using a keytab. The default is false.


pam = {
validate = true
ccache_dir = /var/tmp
external = sshd
tokens = imap ftpd
debug = true
keytab = FILE:/etc/krb5.keytab httpd=FILE:/etc/httpd.keytab






Probably, but let’s hope not. If you find any, please file them in the bug database at against the "pam_krb5" component.


Nalin Dahyabhai <>
Search for    or go to Top of page |  Section 5 |  Main Index

Red Hat Linux PAM_KRB5 (5) 2014/02/11

Powered by GSP Visit the GSP FreeBSD Man Page Interface.
Output converted with manServer 1.07.