pam-krb5

"You're always going to have some people who can't appreciate the thrill of a tepid change for the somewhat better," explained one source.

— Joyce McGreevy, "Look, ma, no hands!", Salon, 2003-11-17

Description

pam-krb5 provides a Kerberos v5 PAM module that supports authentication, user ticket cache handling, simple authorization (via .k5login or by checking Kerberos principals against local usernames), and password changing. It can be configured either through options in the PAM configuration itself or through entries in the system krb5.conf file, and it tries to work around PAM implementation flaws in commonly used PAM-enabled applications such as OpenSSH and xdm. PKINIT is supported with recent versions of both MIT Kerberos and Heimdal, and FAST is supported with recent MIT Kerberos.
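As an added illustration (not pam-krb5's code, and not the Kerberos libraries' own krb5_kuserok implementation), the following Python models the two simple authorization rules named above: with no .k5login in the home directory, the principal must be the local username in the default realm; with a .k5login, the principal must be listed in it, exactly, even if it is the user's own principal. The ownership and permission checks on the file, the rejection of symlinks and other non-regular files, every function and parameter name, and the sample principals and the realm EXAMPLE.COM are assumptions of this example, not behaviour documented on this page. Password verification is deliberately out of scope; only the principal-to-user mapping is modelled.

```python
"""Model of the two simple authorization rules (.k5login, or mapping a
principal to a local username).  Added example, not project code.

Assumptions of this example (not taken from the page):
  * A principal is written "name@REALM"; "name" may carry Kerberos
    instance components such as "alice/admin".
  * Without a .k5login in the home directory, only "<username>@<default
    realm>" is authorized.
  * With a .k5login, only principals listed in it, one per line with an
    exact match, are authorized, even for the user's own principal.
  * A .k5login that is not a regular file, is not owned by the user or
    root, or is group/world-writable authorizes nobody.
"""
import os
import stat
import tempfile


def parse_principal(principal: str) -> tuple[str, str]:
    """Split "name@REALM" into (name, realm); reject malformed input."""
    name, sep, realm = principal.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError(f"malformed principal: {principal!r}")
    return name, realm


def local_user_matches(principal: str, username: str, default_realm: str) -> bool:
    """Fallback rule with no .k5login: exact <username>@<default_realm>.
    An instance such as alice/admin@EXAMPLE.COM does not match 'alice'."""
    name, realm = parse_principal(principal)
    return name == username and realm == default_realm


def k5login_authorizes(lines, principal: str) -> bool:
    """Whole-line exact match against the file's entries; blank lines
    are skipped, nothing else is normalised (assumption)."""
    return any(line.rstrip("\r\n") == principal for line in lines if line.strip())


def k5login_is_trustworthy(path: str, uid: int) -> bool:
    """Refuse a .k5login that someone other than the user could have
    planted or edited (checks are this example's assumptions)."""
    st = os.lstat(path)                      # lstat: a symlink fails S_ISREG
    if not stat.S_ISREG(st.st_mode):
        return False
    if st.st_uid not in (uid, 0):            # owner must be the user or root
        return False
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return False                         # group/world-writable: ignore it
    return True


def authorize(principal: str, username: str, default_realm: str,
              home_dir: str, uid: int) -> bool:
    """Return True if `principal` may log in as local `username`."""
    path = os.path.join(home_dir, ".k5login")
    try:
        trusted = k5login_is_trustworthy(path, uid)
    except FileNotFoundError:
        return local_user_matches(principal, username, default_realm)
    if not trusted:
        return False
    with open(path, encoding="utf-8") as fh:
        return k5login_authorizes(fh, principal)


def demo() -> dict:
    """Exercise every rule in a throwaway home directory with constructed
    sample data; returns each outcome keyed by scenario."""
    realm, user, uid = "EXAMPLE.COM", "alice", os.getuid()
    out = {}
    with tempfile.TemporaryDirectory() as home:
        # No .k5login: only alice@EXAMPLE.COM maps to local user alice.
        out["no_file_self"] = authorize("alice@EXAMPLE.COM", user, realm, home, uid)
        out["no_file_other_realm"] = authorize("alice@OTHER.NET", user, realm, home, uid)
        out["no_file_instance"] = authorize("alice/admin@EXAMPLE.COM", user, realm, home, uid)
        # .k5login present, owned by us, mode 0600: only listed entries win,
        # and alice's own principal is locked out because it is not listed.
        path = os.path.join(home, ".k5login")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write("bob@EXAMPLE.COM\n\nalice/admin@EXAMPLE.COM\n")
        os.chmod(path, 0o600)
        out["file_listed"] = authorize("bob@EXAMPLE.COM", user, realm, home, uid)
        out["file_listed_instance"] = authorize("alice/admin@EXAMPLE.COM", user, realm, home, uid)
        out["file_self_unlisted"] = authorize("alice@EXAMPLE.COM", user, realm, home, uid)
        # World-writable .k5login: treated as authorizing nobody.
        os.chmod(path, 0o666)
        out["file_world_writable"] = authorize("bob@EXAMPLE.COM", user, realm, home, uid)
    return out


if __name__ == "__main__":
    for scenario, allowed in demo().items():
        print(f"{scenario:24s} {'allow' if allowed else 'deny'}")
```

The point worth taking from the demo is the lock-out case: once a .k5login exists, the user's own principal is no longer implicitly accepted and must be listed alongside any delegates, and a file that can be edited by others is safer ignored than honoured.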

This is not the Kerberos v5 PAM module maintained on Sourceforge and used on Red Hat systems. It is an independent implementation that, if it ever shared any common code, diverged long ago. It supports many features that the Sourceforge module does not (particularly around authorization and newer Kerberos features), and does not support some options (particularly ones not directly related to Kerberos v5) that it does. This module will never support Kerberos v4 and will probably never directly support AFS (AFS is better supported via a dedicated AFS PAM module that can be stacked with the Kerberos module of your choice, such as pam-afs-session). The main reason why I started writing this module rather than using the Sourceforge module is the search_k5login feature, but at this point I think it is generally superior.

This module is based on the Kerberos PAM module by Frank Cusack, which in turn was based on ideas taken from PAM modules written by Naomaru Itoi, Curtis King, and Derrick Brashear, but at this point all of that code has probably been rewritten. It incorporates improvements made to the Debian version of the module by Sam Hartman and other fixes by Joel Kociolek. The 1.1 and 1.2 releases were done by Andres Salomon. I took over maintenance of this module as of 2.0 in order to incorporate many additional fixes and improvements I was doing for Debian and to provide a regular upstream distribution that could be used for the Heimdal module in Debian and that we could use at Stanford for Red Hat and Solaris.

Requirements

The module is written in C and therefore requires a C compiler. It supports either MIT Kerberos (or Kerberos implementations based on it) or Heimdal. (Note, however, that the Heimdal support is not as heavily tested.) MIT Kerberos 1.3 or later may be required; this module has not been tested with earlier versions.

For PKINIT support, Heimdal 0.8rc1 or later or MIT Kerberos 1.6.3 or later are required. Earlier MIT Kerberos 1.6 releases have a bug in their handling of PKINIT options.

For FAST (Flexible Authentication Secure Tunneling) support, MIT Kerberos 1.7 or higher is required. For anonymous FAST support, anonymous authentication (generally anonymous PKINIT) support is required in both the Kerberos libraries and in the local KDC.

Currently, this module is primarily supported on Linux and Solaris but should also work on FreeBSD. There is beta support for the AIX NAS Kerberos implementation and untested build system support for Mac OS X and HP-UX. It probably will not support IRIX, other *BSDs, or other hosts with different implementations of PAM without some changes. I personally can only easily test on Linux and rely on others to report problems on other operating systems.

To bootstrap from a Git checkout, or if you change the Automake files and need to regenerate Makefile.in, you will need Automake 1.11 or later. For bootstrap or if you change configure.ac or any of the m4 files it includes and need to regenerate configure or config.h.in, you will need Autoconf 2.64 or later. Perl is also required to generate the manual pages from a fresh Git checkout.

Download

The distribution:

pam-krb5 4.6 (2012-06-03): tar.gz (PGP signature), tar.xz (PGP signature)

An archive of older releases is also available. Versions older than 3.13 have known security vulnerabilities and should not be used.

Debian packages are available from Debian as of Debian 4.0 (etch) as libpam-krb5 and libpam-heimdal. The former packages are built against the MIT Kerberos libraries and the latter against the Heimdal libraries.

pam-krb5 is maintained using the Git version control system. To check out the current development tree, clone:

    git://git.eyrie.org/kerberos/pam-krb5.git

You can also browse the current development source.

License

The pam-krb5 package as a whole is covered by the following license:

Copyright 2009, 2010, 2011, 2012 The Board of Trustees of the Leland Stanford Junior University
Copyright 2005, 2006, 2007, 2008, 2009, 2010 Russ Allbery
Copyright (c) 2005 Andres Salomon
Copyright (c) Frank Cusack, 1999-2000.
fcusack@fcusack.com
All rights reserved

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

  1. Redistributions of source code must retain the above copyright notice, and the entire permission notice in its entirety, including the disclaimer of warranties.

  2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

  3. The name of the author may not be used to endorse or promote products derived from this software without specific prior written permission.

ALTERNATIVELY, this product may be distributed under the terms of the GNU Public License, in which case the provisions of the GPL are required INSTEAD OF the above restrictions. (This clause is necessary due to a potential bad interaction between the GPL and the restrictions contained in a BSD-style copyright.)

THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Since some code and ideas are taken from other modules, there is more in the full copyright statement, although none of the other licenses contradicts the above. Some individual source files are covered by other, compatible licenses. For complete copyright and license information, see the file LICENSE in the pam-krb5 source distribution.

Last spun 2013-09-17 from thread modified 2013-01-04