127 lines
3.3 KiB
Plaintext
127 lines
3.3 KiB
Plaintext
<!--
|
|
$Id: pam_krb4.sgml,v 1.1 1996/11/30 20:59:32 morgan Exp $
|
|
|
|
This file was written by Derrick J. Brashear <shadow@DEMENTIA.ORG>
|
|
-->
|
|
|
|
<sect1>The Kerberos 4 module.
|
|
|
|
<sect2>Synopsis
|
|
|
|
<p>
|
|
<descrip>
|
|
|
|
<tag><bf>Module Name:</bf></tag>
|
|
<tt/pam_krb4/
|
|
|
|
<tag><bf>Author:</bf></tag>
|
|
Derrick J. Brashear <shadow@dementia.org>
|
|
|
|
<tag><bf>Maintainer:</bf></tag>
|
|
Author.
|
|
|
|
<tag><bf>Management groups provided:</bf></tag>
|
|
authentication; password; session
|
|
|
|
<tag><bf>Cryptographically sensitive:</bf></tag>
|
|
uses API
|
|
|
|
<tag><bf>Security rating:</bf></tag>
|
|
|
|
<tag><bf>Clean code base:</bf></tag>
|
|
|
|
<tag><bf>System dependencies:</bf></tag>
|
|
libraries - <tt/libkrb/, <tt/libdes/, <tt/libcom_err/, <tt/libkadm/;
|
|
and a set of Kerberos include files.
|
|
|
|
<tag><bf>Network aware:</bf></tag>
|
|
Gets Kerberos ticket granting ticket via a Kerberos key distribution
|
|
center reached via the network.
|
|
|
|
</descrip>
|
|
|
|
<sect2>Overview of module
|
|
|
|
<p>
|
|
This module provides an interface for doing Kerberos verification of a
|
|
user's password, getting the user a Kerberos ticket granting ticket
|
|
for use with the Kerberos ticket granting service, destroying the
|
|
user's tickets at logout time, and changing a Kerberos password.
|
|
|
|
<sect2> Session component
|
|
|
|
<p>
|
|
<descrip>
|
|
|
|
<tag><bf>Recognized arguments:</bf></tag>
|
|
|
|
<tag><bf>Description:</bf></tag>
|
|
|
|
This component of the module currently sets the user's <tt/KRBTKFILE/
|
|
environment variable (although there is currently no way to export
|
|
this), as well as deleting the user's ticket file upon logout (until
|
|
<tt/PAM_CRED_DELETE/ is supported by <em/login/).
|
|
|
|
<tag><bf>Examples/suggested usage:</bf></tag>
|
|
|
|
This part of the module won't be terribly useful until we can change
|
|
the environment from within a <tt/Linux-PAM/ module.
|
|
|
|
</descrip>
|
|
|
|
<sect2> Password component
|
|
|
|
<p>
|
|
<descrip>
|
|
|
|
<tag><bf>Recognized arguments:</bf></tag>
|
|
<tt/use_first_pass/; <tt/try_first_pass/
|
|
|
|
<tag><bf>Description:</bf></tag>
|
|
|
|
This component of the module changes a user's Kerberos password
|
|
by first getting and using the user's old password to get
|
|
a session key for the password changing service, then sending
|
|
a new password to that service.
|
|
|
|
<tag><bf>Examples/suggested usage:</bf></tag>
|
|
|
|
This should only be used with a real Kerberos v4 <tt/kadmind/. It
|
|
cannot be used with an AFS kaserver unless special provisions are
|
|
made. Contact the module author for more information.
|
|
|
|
</descrip>
|
|
|
|
<sect2> Authentication component
|
|
|
|
<p>
|
|
<descrip>
|
|
|
|
<tag><bf>Recognized arguments:</bf></tag>
|
|
<tt/use_first_pass/; <tt/try_first_pass/
|
|
|
|
<tag><bf>Description:</bf></tag>
|
|
|
|
This component of the module verifies a user's Kerberos password
|
|
by requesting a ticket granting ticket from the Kerberos server
|
|
and optionally using it to attempt to retrieve the local computer's
|
|
host key and verifying using the key file on the local machine if
|
|
one exists.
|
|
|
|
It also writes out a ticket file for the user to use later, and
|
|
deletes the ticket file upon logout (not until <tt/PAM_CRED_DELETE/
|
|
is called from <em/login/).
|
|
|
|
<tag><bf>Examples/suggested usage:</bf></tag>
|
|
|
|
This module can be used with a real Kerberos server using MIT
|
|
v4 Kerberos keys. The module or the system Kerberos libraries
|
|
may be modified to support AFS style Kerberos keys. Currently
|
|
this is not supported to avoid cryptography constraints.
|
|
|
|
</descrip>
|
|
|
|
<!--
|
|
End of sgml insert for this module.
|
|
-->
|