pam-krb5

"You're always going to have some people who can't appreciate the thrill of a tepid change for the somewhat better," explained one source.

— Joyce McGreevy, "Look, ma, no hands!", Salon, 2003-11-17

Blurb

pam-krb5 is a Kerberos PAM module for either MIT Kerberos or Heimdal. It supports ticket refreshing by screen savers, configurable authorization handling, authentication of non-local accounts for network services, password changing, and password expiration, as well as all the standard expected PAM features. It works correctly with OpenSSH, even with ChallengeResponseAuthentication and PrivilegeSeparation enabled, and supports extensive configuration either by PAM options or in krb5.conf or both. PKINIT is supported with recent versions of both MIT Kerberos and Heimdal and FAST is supported with recent MIT Kerberos.

Description

pam-krb5 provides a Kerberos PAM module that supports authentication, user ticket cache handling, simple authorization (via .k5login or checking Kerberos principals against local usernames), and password changing. It can be configured through either options in the PAM configuration itself or through entries in the system krb5.conf file, and it tries to work around PAM implementation flaws in commonly-used PAM-enabled applications such as OpenSSH and xdm. It supports both PKINIT and FAST to the extent that the underlying Kerberos libraries support these features.
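The krb5.conf route mentioned above, shown as an added example that is not part of this page or of the pam-krb5 distribution. pam-krb5 reads its settings from a pam section under [appdefaults]; the option names below are pam-krb5's documented ones, while the values, the realm name EXAMPLE.COM and the CA bundle path are placeholders chosen for illustration.

```ini
[appdefaults]
    pam = {
        # Do not try Kerberos for system accounts below this UID; such
        # accounts usually have no principal and would only generate KDC
        # traffic and log noise.
        minimum_uid = 1000

        # Never send root's password to the KDC, even if some PAM stack
        # is misconfigured to do so.
        ignore_root = true

        # Ticket properties for the cache created at login.
        forwardable = true
        ticket_lifetime = 10h
        renew_lifetime = 7d

        # FAST (MIT Kerberos 1.7 or later, see Requirements): wrap the
        # AS exchange in an anonymous PKINIT tunnel when the KDC offers it,
        # which protects the password-based exchange from offline guessing.
        anon_fast = true

        # PKINIT trust anchors (placeholder path); only used when a
        # PKINIT-capable library and KDC are present.
        pkinit_anchors = FILE:/etc/krb5/cacerts.pem
    }
```

Any of these can instead be given on the pam_krb5.so line in the PAM configuration, for example `auth sufficient pam_krb5.so minimum_uid=1000 ignore_root`; when the same option appears in both places, the PAM configuration takes precedence, so krb5.conf is the right place for site-wide defaults and the PAM stack for per-service overrides.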

This is not the Kerberos PAM module maintained on Sourceforge and used on Red Hat systems. It is an independent implementation that, if it ever shared any common code, diverged long ago. It supports some features that the Sourceforge module does not (particularly around authorization), and does not support some options (particularly ones not directly related to Kerberos) that it does. This module will never support Kerberos v4 or AFS. For an AFS session module that works with this module (or any other Kerberos PAM module), see pam-afs-session.

If there are other options besides AFS and Kerberos v4 support from the Sourceforge PAM module that you're missing in this module, please let me know.

Requirements

Either MIT Kerberos (or Kerberos implementations based on it) or Heimdal is supported. MIT Kerberos 1.3 or later may be required; this module has not been tested with earlier versions.

For PKINIT support, Heimdal 0.8rc1 or later or MIT Kerberos 1.6.3 or later are required. Earlier MIT Kerberos 1.6 releases have a bug in their handling of PKINIT options. MIT Kerberos 1.12 or later is required to use the use_pkinit PAM option.

For FAST (Flexible Authentication Secure Tunneling) support, MIT Kerberos 1.7 or higher is required. For anonymous FAST support, anonymous authentication (generally anonymous PKINIT) support is required in both the Kerberos libraries and in the local KDC.

This module should work on Linux and build with gcc or clang. It may still work on Solaris and build with the Sun C compiler, but I have only tested it on Linux recently. There is beta-quality support for the AIX NAS Kerberos implementation that has not been tested in years. Other PAM implementations will probably require some porting, although untested build system support is present for FreeBSD, Mac OS X, and HP-UX. I personally can only test on Linux and rely on others to report problems on other operating systems.

Old versions of OpenSSH are known to call pam_authenticate followed by pam_setcred(PAM_REINITIALIZE_CRED) without first calling pam_open_session, thereby requesting that an existing ticket cache be renewed (similar to what a screensaver would want) rather than requesting a new ticket cache be created. Since this behavior is indistinguishable at the PAM level from a screensaver, pam-krb5 when used with these old versions of OpenSSH will refresh the ticket cache of the OpenSSH daemon rather than setting up a new ticket cache for the user. The resulting ticket cache will have the correct permissions (this is not a security concern), but will not be named correctly or referenced in the user's environment and will be overwritten by the next user login. The best solution to this problem is to upgrade OpenSSH. I'm not sure exactly when this problem was fixed, but at the very least OpenSSH 4.3 and later do not exhibit it.

To bootstrap from a Git checkout, or if you change the Automake files and need to regenerate Makefile.in, you will need Automake 1.11 or later. For bootstrap or if you change configure.ac or any of the m4 files it includes and need to regenerate configure or config.h.in, you will need Autoconf 2.64 or later. Perl is also required to generate manual pages from a fresh Git checkout.

Download

The distribution:

pam-krb5 4.11 2021-10-17 tar.gz (PGP signature) tar.xz (PGP signature)

An archive of older releases is also available. Versions older than 4.9 have known security vulnerabilities and should not be used.

Debian packages are available from Debian in Debian 4.0 (etch) and later releases as libpam-krb5 and libpam-heimdal. The former packages are built against the MIT Kerberos libraries and the latter against the Heimdal libraries. See the Debian package tracker for more information.

pam-krb5 is maintained using the Git version control system. To check out the current development tree, see GitHub or clone:

    https://git.eyrie.org/git/kerberos/pam-krb5.git

Pull requests on GitHub are welcome. You can also browse the current development source.

Documentation

License

The pam-krb5 package as a whole is covered by the following copyright and license:

Copyright 2005-2010, 2014-2015, 2017, 2020-2021 Russ Allbery <eagle@eyrie.org>

Copyright 2009-2011 The Board of Trustees of the Leland Stanford Junior University

Copyright 2005 Andres Salomon <dilinger@debian.org>

Copyright 1999-2000 Frank Cusack <fcusack@fcusack.com>

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

  1. Redistributions of source code must retain the above copyright notice, and the entire permission notice in its entirety, including the disclaimer of warranties.

  2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

  3. The name of the author may not be used to endorse or promote products derived from this software without specific prior written permission.

ALTERNATIVELY, this product may be distributed under the terms of the GNU General Public License, in which case the provisions of the GPL are required INSTEAD OF the above restrictions. (This clause is necessary due to a potential bad interaction between the GPL and the restrictions contained in a BSD-style copyright.)

THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Some individual source files are covered by other, compatible licenses. For complete copyright and license information, see the file LICENSE in the pam-krb5 source distribution.

Last spun 2022-02-06 from thread modified 2021-10-17