Standards, Environments, and Macros                   pam_krb5_migrate(5)

NAME
    pam_krb5_migrate - authentication PAM module for the Kerberos V5
    auto-migration of users feature

SYNOPSIS
    /usr/lib/security/pam_krb5_migrate.so.1

DESCRIPTION
    The Kerberos V5 auto-migrate service module for PAM provides
    functionality for the PAM authentication component. The service
    module helps in the automatic migration of PAM_USER to the
    client's local Kerberos realm, using PAM_AUTHTOK (the PAM
    authentication token associated with PAM_USER) as the new
    Kerberos principal's password.
  Kerberos V5 Auto-migrate Authentication Module
    The Kerberos V5 auto-migrate authentication component provides
    the pam_sm_authenticate(3PAM) function to migrate a user who
    does not have a corresponding krb5 principal account to the
    default Kerberos realm of the client.

    pam_sm_authenticate(3PAM) uses a host-based client service
    principal, present in the local keytab (/etc/krb5/krb5.keytab),
    to authenticate to kadmind(1M) for the principal creation
    operation (it defaults to the host/nodename.fqdn service
    principal). For the creation of the krb5 user principal account
    to succeed, the host-based client service principal being used
    must also be assigned the appropriate privilege in the master
    KDC's kadm5.acl(4) file. kadmind(1M) checks for that privilege
    and validates the user's password through PAM by calling
    pam_authenticate(3PAM) and pam_acct_mgmt(3PAM) for the
    k5migrate service.

    If migration of the user to the Kerberos V5 infrastructure is
    successful, the module informs the user of this by means of a
    PAM_TEXT_INFO message, unless instructed otherwise by the
    presence of the quiet option.

    The authentication component always returns PAM_IGNORE and is
    meant to be stacked in pam.conf with the requirement that it be
    listed below pam_authtok_get(5) in the authentication stack.
    Also, if pam_krb5_migrate is used in the authentication stack
    of a particular service, pam_krb5(5) must be listed in the PAM
    account stack of that service for proper operation (see
    EXAMPLES).
SunOS 5.11 Last change: Jul 29 2004 1
OPTIONS
    The following options can be passed to the Kerberos V5
    auto-migrate authentication module:

    debug
        Provides syslog(3C) debugging information at LOG_DEBUG
        level.

    client_service=<service name>
        Name of the service used to authenticate to kadmind(1M);
        defaults to host. This means that the module uses
        host/<hostname>@<realm> as its client service principal
        name for the Kerberos V5 user principal creation operation,
        or <service name>/<hostname>@<realm> if this option is
        provided.

    quiet
        Do not explain Kerberos V5 migration to the user. This has
        the same effect as passing the PAM_SILENT flag to
        pam_sm_authenticate(3PAM) and is useful where applications
        cannot handle PAM_TEXT_INFO messages. If not set, the
        authentication component issues a PAM_TEXT_INFO message
        after creation of the Kerberos V5 principal, indicating
        that it has done so.

    expire_pw
        Causes the creation of Kerberos V5 user principals with
        password expiration set to now (current time).
EXAMPLES
    Example 1 Sample Entries from pam.conf

    The following entries from pam.conf(4) demonstrate the use of
    the pam_krb5_migrate.so.1 module:

      login   auth     requisite   pam_authtok_get.so.1
      login   auth     required    pam_dhkeys.so.1
      login   auth     required    pam_unix_cred.so.1
      login   auth     sufficient  pam_krb5.so.1
      login   auth     requisite   pam_unix_auth.so.1
      login   auth     optional    pam_krb5_migrate.so.1 expire_pw
      login   auth     required    pam_dial_auth.so.1
      other   account  requisite   pam_roles.so.1
      other   account  required    pam_krb5.so.1
      other   account  required    pam_unix_account.so.1

    The pam_krb5_migrate module can generally be present on the
    authentication stack of any service where the application calls
    pam_sm_authenticate(3PAM) and an authentication token (in the
    preceding example, the user's Unix password) is available for
    use as a Kerberos V5 password.
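    The two stacking rules stated above (pam_krb5_migrate below
    pam_authtok_get in the auth stack, pam_krb5 in the account stack
    of the same service) are easy to get wrong by hand. The script
    below is an added example, not part of this manual page, that
    checks them against a pam.conf file using only awk; the
    pam.conf fragments it reads are constructed here, the first one
    copying Example 1 and the second one deliberately violating both
    rules.

```shell
#!/bin/sh
# check_pam_conf FILE SERVICE: check the stacking rules of pam_krb5_migrate(5): the
# module must follow pam_authtok_get.so.1 in the auth stack, and pam_krb5.so.1 must be
# in the account stack that applies (the service's own entries, else "other"). 0 = ok.
check_pam_conf() {
    awk -v svc="$2" '
    /^[ \t]*#/ || NF < 4 { next }                  # skip comments, blank and short lines
    $2 == "auth"    && ($1 == svc || $1 == "other") { n = ++an[$1]; am[$1, n] = $4 }
    $2 == "account" && ($1 == svc || $1 == "other") { n = ++cn[$1]; cm[$1, n] = $4 }
    END {
        a = (an[svc] > 0) ? svc : "other"          # effective auth stack
        c = (cn[svc] > 0) ? svc : "other"          # effective account stack
        get = mig = krb5 = rc = 0
        for (i = 1; i <= an[a]; i++) {
            if (am[a, i] == "pam_authtok_get.so.1" && !get) get = i
            if (am[a, i] == "pam_krb5_migrate.so.1") mig = i
        }
        for (i = 1; i <= cn[c]; i++) if (cm[c, i] == "pam_krb5.so.1") krb5 = 1
        if (!mig) { print "INFO: pam_krb5_migrate not used by " svc; exit 0 }
        if (!get || get > mig) {
            print "ERROR: pam_krb5_migrate must be below pam_authtok_get in " a " auth"; rc = 1 }
        if (!krb5) { print "ERROR: pam_krb5.so.1 missing from " c " account stack"; rc = 1 }
        if (!rc) print "OK: " svc " stacking satisfies pam_krb5_migrate(5)"
        exit rc
    }' "$1"
}

# Constructed pam.conf fragments: the first mirrors Example 1, the second is misconfigured.
good=$(mktemp); bad=$(mktemp)
cat > "$good" <<'EOF'
login   auth     requisite  pam_authtok_get.so.1
login   auth     required   pam_dhkeys.so.1
login   auth     required   pam_unix_cred.so.1
login   auth     sufficient pam_krb5.so.1
login   auth     requisite  pam_unix_auth.so.1
login   auth     optional   pam_krb5_migrate.so.1 expire_pw
login   auth     required   pam_dial_auth.so.1
other   account  requisite  pam_roles.so.1
other   account  required   pam_krb5.so.1
other   account  required   pam_unix_account.so.1
EOF
cat > "$bad" <<'EOF'
login   auth     optional   pam_krb5_migrate.so.1
login   auth     requisite  pam_authtok_get.so.1
login   auth     requisite  pam_unix_auth.so.1
other   account  required   pam_unix_account.so.1
EOF
check_pam_conf "$good" login
check_pam_conf "$bad" login || echo "misconfiguration detected"
```

    Run it as check_pam_conf /etc/pam.conf login on a real system;
    a non-zero exit marks a stack on which the migration module
    would silently never run or would leave the account stack
    without pam_krb5.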
    Example 2 Sample Entries from kadm5.acl

    The following entries from kadm5.acl(4) permit or deny
    privileges to the host client service principal:

      host/*@ACME.COM U root
      host/*@ACME.COM ui *

    The preceding entries permit the pam_krb5_migrate add privilege
    to the host client service principal of any machine in the
    ACME.COM Kerberos V5 realm, but deny the add privilege to all
    host service principals for addition of the root user account.
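    The following shell function is an added example, not part of
    this manual page or of kadmind, that evaluates a kadm5.acl
    fragment the way the explanation above reads it: entries are
    taken in order, the first entry whose principal pattern and
    optional target pattern both match decides, and only a lowercase
    u grants the creation privilege. That first-match ordering and
    the single-letter check are assumptions of the example; the
    client principal host/ws1.acme.com@ACME.COM and the user names
    are constructed.

```shell
#!/bin/sh
# acl_can_create FILE CLIENT TARGET: decide whether CLIENT (a host-based client service
# principal) holds the lowercase "u" privilege for TARGET under a kadm5.acl(4) fragment.
# Assumed semantics: entries are read in order and the first one whose principal pattern
# and, when present, target pattern both match decides; lowercase grants, uppercase denies.
acl_can_create() {
    while read -r who perms tgt _rest; do
        case $who in ''|'#'*) continue ;; esac                # blank lines and comments
        case $2 in $who) ;; *) continue ;; esac               # principal glob match
        if [ -n "$tgt" ]; then
            case $3 in $tgt) ;; *) continue ;; esac           # target glob match
        fi
        case $perms in *u*) return 0 ;; *) return 1 ;; esac   # first match decides
    done < "$1"
    return 1                                                  # no matching entry: denied
}

# Constructed kadm5.acl fragment, identical to the man page's Example 2.
acl=$(mktemp)
cat > "$acl" <<'EOF'
host/*@ACME.COM U root
host/*@ACME.COM ui *
EOF
acl_can_create "$acl" host/ws1.acme.com@ACME.COM alice && echo "alice: creation allowed"
acl_can_create "$acl" host/ws1.acme.com@ACME.COM root  || echo "root: creation denied"
acl_can_create "$acl" ftp/ws1.acme.com@ACME.COM alice  || echo "ftp/ principal: no entry"
```

    The third call shows why the order of the two entries matters:
    swapping them would let the wildcard line grant root before the
    deny line is reached.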
    Example 3 Sample Entries in pam.conf of the Master KDC

    The entries below enable kadmind(1M) on the master KDC to use
    the k5migrate PAM service in order to validate Unix user
    passwords for accounts that require migration to the Kerberos
    realm.

      k5migrate   auth      required   pam_unix_auth.so.1
      k5migrate   account   required   pam_unix_account.so.1
ATTRIBUTES
    See attributes(5) for a description of the following
    attribute:
    ATTRIBUTE TYPE            ATTRIBUTE VALUE
    Interface Stability       Evolving

SEE ALSO
    kadmind(1M), syslog(3C), pam_authenticate(3PAM),
    pam_acct_mgmt(3PAM), pam_sm_authenticate(3PAM), kadm5.acl(4),
    pam.conf(4), attributes(5), pam_authtok_get(5), pam_krb5(5)