blob: 2fc8518eb846071f6140e0fce39aa9371984afb6 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
|
<!--
$Id: pam_krb4.sgml,v 1.1.1.1 2001/04/29 04:16:55 hartmans Exp $
This file was written by Derrick J. Brashear <shadow@DEMENTIA.ORG>
-->
<sect1>The Kerberos 4 module.
<sect2>Synopsis
<p>
<descrip>
<tag><bf>Module Name:</bf></tag>
<tt/pam_krb4/
<tag><bf>Author:</bf></tag>
Derrick J. Brashear <shadow@dementia.org>
<tag><bf>Maintainer:</bf></tag>
Author.
<tag><bf>Management groups provided:</bf></tag>
authentication; password; session
<tag><bf>Cryptographically sensitive:</bf></tag>
uses API
<tag><bf>Security rating:</bf></tag>
<tag><bf>Clean code base:</bf></tag>
<tag><bf>System dependencies:</bf></tag>
libraries - <tt/libkrb/, <tt/libdes/, <tt/libcom_err/, <tt/libkadm/;
and a set of Kerberos include files.
<tag><bf>Network aware:</bf></tag>
Gets Kerberos ticket granting ticket via a Kerberos key distribution
center reached via the network.
</descrip>
<sect2>Overview of module
<p>
This module provides an interface for doing Kerberos verification of a
user's password, getting the user a Kerberos ticket granting ticket
for use with the Kerberos ticket granting service, destroying the
user's tickets at logout time, and changing a Kerberos password.
<sect2> Session component
<p>
<descrip>
<tag><bf>Recognized arguments:</bf></tag>
<tag><bf>Description:</bf></tag>
This component of the module currently sets the user's <tt/KRBTKFILE/
environment variable (although there is currently no way to export
this), as well as deleting the user's ticket file upon logout (until
<tt/PAM_CRED_DELETE/ is supported by <em/login/).
<tag><bf>Examples/suggested usage:</bf></tag>
This part of the module won't be terribly useful until we can change
the environment from within a <tt/Linux-PAM/ module.
</descrip>
<sect2> Password component
<p>
<descrip>
<tag><bf>Recognized arguments:</bf></tag>
<tt/use_first_pass/; <tt/try_first_pass/
<tag><bf>Description:</bf></tag>
This component of the module changes a user's Kerberos password
by first getting and using the user's old password to get
a session key for the password changing service, then sending
a new password to that service.
<tag><bf>Examples/suggested usage:</bf></tag>
This should only be used with a real Kerberos v4 <tt/kadmind/. It
cannot be used with an AFS kaserver unless special provisions are
made. Contact the module author for more information.
</descrip>
<sect2> Authentication component
<p>
<descrip>
<tag><bf>Recognized arguments:</bf></tag>
<tt/use_first_pass/; <tt/try_first_pass/
<tag><bf>Description:</bf></tag>
This component of the module verifies a user's Kerberos password
by requesting a ticket granting ticket from the Kerberos server
and optionally using it to attempt to retrieve the local computer's
host key and verifying using the key file on the local machine if
one exists.
It also writes out a ticket file for the user to use later, and
deletes the ticket file upon logout (not until <tt/PAM_CRED_DELETE/
is called from <em/login/).
<tag><bf>Examples/suggested usage:</bf></tag>
This module can be used with a real Kerberos server using MIT
v4 Kerberos keys. The module or the system Kerberos libraries
may be modified to support AFS style Kerberos keys. Currently
this is not supported to avoid cryptography constraints.
</descrip>
<!--
End of sgml insert for this module.
-->
|
