2
$Id: pam_krb4.sgml,v 1.1 2001/04/29 04:16:55 hartmans Exp $
4
This file was written by Derrick J. Brashear <shadow@DEMENTIA.ORG>
7
<sect1>The Kerberos 4 module.
14
<tag><bf>Module Name:</bf></tag>
17
<tag><bf>Author:</bf></tag>
18
Derrick J. Brashear <shadow@dementia.org>
20
<tag><bf>Maintainer:</bf></tag>
23
<tag><bf>Management groups provided:</bf></tag>
24
authentication; password; session
26
<tag><bf>Cryptographically sensitive:</bf></tag>
29
<tag><bf>Security rating:</bf></tag>
31
<tag><bf>Clean code base:</bf></tag>
33
<tag><bf>System dependencies:</bf></tag>
34
libraries - <tt/libkrb/, <tt/libdes/, <tt/libcom_err/, <tt/libkadm/;
35
and a set of Kerberos include files.
37
<tag><bf>Network aware:</bf></tag>
38
Gets Kerberos ticket granting ticket via a Kerberos key distribution
39
center reached via the network.
43
<sect2>Overview of module
46
This module provides an interface for doing Kerberos verification of a
47
user's password, getting the user a Kerberos ticket granting ticket
48
for use with the Kerberos ticket granting service, destroying the
49
user's tickets at logout time, and changing a Kerberos password.
51
<sect2> Session component
56
<tag><bf>Recognized arguments:</bf></tag>
58
<tag><bf>Description:</bf></tag>
60
This component of the module currently sets the user's <tt/KRBTKFILE/
61
environment variable (although there is currently no way to export
62
this), as well as deleting the user's ticket file upon logout (until
63
<tt/PAM_CRED_DELETE/ is supported by <em/login/).
65
<tag><bf>Examples/suggested usage:</bf></tag>
67
This part of the module won't be terribly useful until we can change
68
the environment from within a <tt/Linux-PAM/ module.
72
<sect2> Password component
77
<tag><bf>Recognized arguments:</bf></tag>
78
<tt/use_first_pass/; <tt/try_first_pass/
80
<tag><bf>Description:</bf></tag>
82
This component of the module changes a user's Kerberos password
83
by first getting and using the user's old password to get
84
a session key for the password changing service, then sending
85
a new password to that service.
87
<tag><bf>Examples/suggested usage:</bf></tag>
89
This should only be used with a real Kerberos v4 <tt/kadmind/. It
90
cannot be used with an AFS kaserver unless special provisions are
91
made. Contact the module author for more information.
95
<sect2> Authentication component
100
<tag><bf>Recognized arguments:</bf></tag>
101
<tt/use_first_pass/; <tt/try_first_pass/
103
<tag><bf>Description:</bf></tag>
105
This component of the module verifies a user's Kerberos password
106
by requesting a ticket granting ticket from the Kerberos server
107
and optionally using it to attempt to retrieve the local computer's
108
host key and verifying using the key file on the local machine if
111
It also writes out a ticket file for the user to use later, and
112
deletes the ticket file upon logout (not until <tt/PAM_CRED_DELETE/
113
is called from <em/login/).
115
<tag><bf>Examples/suggested usage:</bf></tag>
117
This module can be used with a real Kerberos server using MIT
118
v4 Kerberos keys. The module or the system Kerberos libraries
119
may be modified to support AFS style Kerberos keys. Currently
120
this is not supported to avoid cryptography constraints.
125
End of sgml insert for this module.