pam-krb5

"You're always going to have some people who can't appreciate the thrill of a tepid change for the somewhat better," explained one source.

— Joyce McGreevy, "Look, ma, no hands!", Salon, 2003-11-17

Description

pam-krb5 provides a Kerberos v5 PAM module that supports authentication, user ticket cache handling, simple authorization (via .k5login or checking Kerberos principals against local usernames), and password changing. It can be configured through either options in the PAM configuration itself or through entries in the system krb5.conf file, and it tries to work around PAM implementation flaws in commonly-used PAM-enabled applications such as OpenSSH and xdm.
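To make the two "simple authorization" paths described above concrete, here is an added Python model; it is not pam-krb5's own code (which is C), the .k5login contents are constructed, and the rule that a present .k5login is the sole authority is an assumption of the model.

```python
# Added illustration (not pam-krb5 code): the two authorization decisions
# named in the Description, modelled as pure functions over constructed input.
from typing import List, Optional

# Constructed ~web/.k5login: a shared "web" account that three people may
# use with their own Kerberos identities, one of them from another realm.
SAMPLE_K5LOGIN = """\
alice@EXAMPLE.COM
bob/admin@EXAMPLE.COM

carol@PARTNER.ORG
"""


def parse_k5login(text: str) -> List[str]:
    """Return the principals listed in a .k5login file, one per line.

    Blank lines are skipped; everything else is taken literally, so a
    misspelled realm simply never matches.  A real check must also verify
    the file's ownership and permissions before trusting it, since anyone
    listed here gets full access to the account.
    """
    return [line.strip() for line in text.splitlines() if line.strip()]


def is_authorized(principal: str, local_user: str, default_realm: str,
                  k5login_text: Optional[str] = None) -> bool:
    """Decide whether PRINCIPAL may log in as LOCAL_USER.

    Assumption (traditional krb5_kuserok semantics): when the account has
    a .k5login, that file alone decides; only when it is absent does the
    check fall back to requiring that the authenticated principal be
    exactly <local_user>@<default_realm>.
    """
    if k5login_text is not None:
        return principal in parse_k5login(k5login_text)
    return principal == f"{local_user}@{default_realm}"


if __name__ == "__main__":
    # carol is explicitly delegated access to "web" from a foreign realm.
    print(is_authorized("carol@PARTNER.ORG", "web", "EXAMPLE.COM", SAMPLE_K5LOGIN))
    # Without a .k5login only the identically named principal is accepted.
    print(is_authorized("dave@EXAMPLE.COM", "dave", "EXAMPLE.COM"))
    print(is_authorized("dave@OTHER.ORG", "dave", "EXAMPLE.COM"))
```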

This is not the Kerberos v5 PAM module maintained on Sourceforge and used on Red Hat systems. It is an independent implementation that, if it ever shared any common code, diverged long ago. It supports some features that the Sourceforge module does not (particularly around authorization), and does not support some options (particularly ones not directly related to Kerberos v5) that it does. This module will never support Kerberos v4 and will probably never directly support AFS (AFS is better supported via a dedicated AFS PAM module that can be stacked with the Kerberos module of your choice). The main reason why I use and maintain this module rather than the Sourceforge module is the search_k5login feature, but I also believe the source code is cleaner and easier to understand and maintain.

This module is based on the Kerberos PAM module by Frank Cusack, which in turn was based on ideas taken from PAM modules written by Naomaru Itoi, Curtis King, and Derrick Brashear. It incorporates improvements made to the Debian version of the module by Sam Hartman and other fixes by Joel Kociolek. The 1.1 and 1.2 releases were done by Andres Salomon. I took over maintenance of this module as of 2.0 in order to incorporate many additional fixes and improvements I was doing for Debian and to provide a regular upstream distribution that could be used for the Heimdal module in Debian and that we could use at Stanford for Red Hat and Solaris.

Requirements

The module is written in C and therefore requires a C compiler. It supports either MIT Kerberos (or Kerberos implementations based on it) or Heimdal. (Note, however, that the Heimdal support is not as heavily tested.) MIT Kerberos 1.3 or later may be required; this module has not been tested with earlier versions.

For PKINIT support, Heimdal 0.8rc1 or later or the MIT Kerberos PKINIT branch is required. The MIT Kerberos PKINIT support is preliminary, based on an early unreleased branch, and may require further work once a final release of MIT Kerberos with PKINIT support is available.

Currently, this module primarily supports Linux and Solaris. There is alpha support for the AIX NAS Kerberos implementation and untested build system support for Mac OS X and HP-UX. The Solaris support has only been tested against Solaris 8; if you have problems with other versions, please let me know. It probably will not support IRIX, the *BSDs, or other hosts with different implementations of PAM without some changes.

License

The pam-krb5 package as a whole is covered by the following license:

Copyright (c) 2005, 2006, 2007 Russ Allbery
Copyright (c) 2005 Andres Salomon
Copyright (c) Frank Cusack, 1999-2000.
fcusack@fcusack.com
All rights reserved

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

  1. Redistributions of source code must retain the above copyright notice, and the entire permission notice in its entirety, including the disclaimer of warranties.

  2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

  3. The name of the author may not be used to endorse or promote products derived from this software without specific prior written permission.

ALTERNATIVELY, this product may be distributed under the terms of the GNU Public License, in which case the provisions of the GPL are required INSTEAD OF the above restrictions. (This clause is necessary due to a potential bad interaction between the GPL and the restrictions contained in a BSD-style copyright.)

THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Since some code and ideas are taken from other modules, there is more in the full copyright statement, although none of the other licenses contradicts the above. Some individual source files are covered by other, compatible licenses. For complete copyright and license information, see the file LICENSE in the pam-krb5 source distribution.

Download

The distribution:

pam-krb5 3.10 (2007-12-29): download, PGP signature

Debian packages are available from Debian as libpam-krb5. The libpam-heimdal package is also derived from this same source, although it may not always track the same version.

pam-krb5 is maintained using the bzr version control system. My bzr repository is at:

<http://archives.eyrie.org/software/bzr/pam-krb5>

For those unfamiliar with bzr repositories, that location both contains a checked-out copy of the latest development source and serves as a bzr repository that can be used as the target of a bzr branch command to create your own branch. Once you have a branch, you can then pull updates from my repository using bzr pull or bzr merge. You will need bzr 1.0 or later.

Last modified and spun 2008-03-09