Two Different Ways to Use pam krb5
From Superk
This is taken from the README.SuSE doc included with the pam_krb5.so module in SuSE 8.2. The doc describes two different ways of configuring PAM to use pam_krb5.so, depending on the type of authentication environment in use: the local password database as the primary method, or Kerberos as the primary method with local password login as a fallback.
Here are some hints on how to make the PAM Kerberos module work:
Authentication
If your primary authentication is still against the password database, make the auth section look something like this (long lines folded for better legibility):
    auth required pam_unix.so ...
    auth optional pam_krb5.so try_first_pass missing_keytab_ok ccache=SAFE putenv_direct
With this setup, a user must have a valid password in the local shadow file or NIS or wherever nsswitch gets its account information from.
Alternatively, if you want to make Kerberos your primary authentication method, and accept normal password logins as a fallback (e.g. for accounts not migrated to Kerberos, or in case the KDC is not reachable), use something like this:
    auth sufficient pam_krb5.so missing_keytab_ok ccache=SAFE putenv_direct
    auth required pam_unix.so use_first_pass ...
With this setup, users do not have to have valid passwords in the account databases used by nsswitch (there still need to be entries specifying user id, group, home directory etc.).
Note the dots (...) on the pam_unix lines above: the original pam_unix line often contains additional arguments to the module; be sure to leave them intact. The arguments shown here on the pam_unix.so lines must appear in addition to the ones that are already there.
Depending on the service, there may be other PAM modules before or after pam_unix. For instance, su has pam_rootok which will allow the super user to become any other user without having to present his/her password; the rlogind service calls the pam_rhosts module to check the user's .rhosts file. Make sure to leave these lines in place.
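The two auth stacks above behave differently because of the PAM control flags and their order, and that difference is easy to get wrong when editing a file by hand. The following is an added example (not part of the SuSE README) that models the simplified Linux-PAM control-flag rules for required, requisite, sufficient and optional, and evaluates the two stacks from this page, plus a constructed misordered variant, for every combination of pam_krb5/pam_unix outcomes. Module results are supplied as a dict rather than by calling real modules; the module names and the misordered stack are the only assumptions beyond the page.

```python
"""Model of Linux-PAM auth-stack evaluation for the two pam_krb5 layouts.

Added illustration, not code from the SuSE README.  It implements a
simplified version of the Linux-PAM control-flag semantics so that the
effect of ordering and control flags can be checked offline.  Module
results are supplied as a dict instead of calling real PAM modules.
"""

# Constructed copies of the two auth stacks shown in the README
# (the "..." extra pam_unix arguments are omitted here).
LOCAL_PRIMARY = """\
auth required pam_unix.so
auth optional pam_krb5.so try_first_pass missing_keytab_ok ccache=SAFE putenv_direct
"""

KERBEROS_PRIMARY = """\
auth sufficient pam_krb5.so missing_keytab_ok ccache=SAFE putenv_direct
auth required pam_unix.so use_first_pass
"""

# Constructed misordered variant (assumption, for illustration only):
# the required pam_unix line placed before the sufficient pam_krb5 line.
MISORDERED = """\
auth required pam_unix.so use_first_pass
auth sufficient pam_krb5.so missing_keytab_ok ccache=SAFE putenv_direct
"""


def parse_pam_lines(text, mgmt_type="auth"):
    """Return [(control, module, [args])] for lines of the given management type."""
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError("malformed PAM line: %r" % raw)
        mtype, control, module, args = fields[0], fields[1], fields[2], fields[3:]
        if mtype == mgmt_type:
            stack.append((control.lower(), module, args))
    return stack


def evaluate_stack(stack, results):
    """Evaluate a parsed stack against per-module pass/fail results.

    Simplified Linux-PAM rules:
      requisite  - failure ends the stack immediately with failure
      required   - failure is remembered; later modules still run
      sufficient - success ends the stack with success, unless a
                   required/requisite module has already failed;
                   failure is ignored
      optional   - only decides the outcome if no other module did
    """
    required_failed = False
    strong_success = False
    optional_result = None
    for control, module, _args in stack:
        ok = bool(results.get(module, False))   # unknown module counts as failure
        if control == "requisite":
            if not ok:
                return False
            strong_success = True
        elif control == "required":
            if ok:
                strong_success = True
            else:
                required_failed = True
        elif control == "sufficient":
            if ok and not required_failed:
                return True
        elif control == "optional":
            if optional_result is None:
                optional_result = ok
        else:
            raise ValueError("unsupported control flag: %s" % control)
    if required_failed:
        return False
    if strong_success:
        return True
    return bool(optional_result)


def login_allowed(config_text, krb5_ok, unix_ok):
    """Would the auth phase succeed for these pam_krb5/pam_unix outcomes?"""
    results = {"pam_krb5.so": krb5_ok, "pam_unix.so": unix_ok}
    return evaluate_stack(parse_pam_lines(config_text), results)


if __name__ == "__main__":
    for name, cfg in (("local primary", LOCAL_PRIMARY),
                      ("kerberos primary", KERBEROS_PRIMARY),
                      ("misordered", MISORDERED)):
        print(name)
        for krb5_ok in (True, False):
            for unix_ok in (True, False):
                print("  krb5=%-5s unix=%-5s -> %s"
                      % (krb5_ok, unix_ok, login_allowed(cfg, krb5_ok, unix_ok)))
```

Running it shows the property each layout is meant to have: with the local-primary stack a login succeeds only when pam_unix succeeds, whatever pam_krb5 returns; with the Kerberos-primary stack either module alone is enough. The misordered variant shows why the order in the README matters: once a required pam_unix line has failed, a later sufficient pam_krb5 success no longer rescues the login, so Kerberos-only accounts would be locked out.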
Password Updates
In order to be able to update Kerberos passwords via the passwd utility, you need to add the following line to /etc/pam.d/passwd:
password required pam_krb5.so use_first_pass
You can do this either after or before the pam_unix line. Note that Kerberos will fail silently if it cannot find a kpasswd server; you either have to configure one in /etc/krb5.conf (in the [realms] definition for your Kerberos realm, set kpasswd_server = name.of.your.kpasswd.server) or in your DNS.
For additional information, please refer to the pam_krb5(5) manual page.
