pam_krb5(8) -- Linux man page



pam_krb5 - Kerberos 5 authentication



auth required /lib/security/
session optional /lib/security/
account sufficient /lib/security/
password sufficient /lib/security/



The module is designed to allow smooth integration of Kerberos 5 password-checking for applications which use PAM. It creates session-specific credential cache files, and can obtain Kerberos IV credentials using a krb524 service or a v4-capable KDC. If the system is an AFS client, it will also attempt to obtain tokens for the local cell.

When a user logs in, the module's authentication function performs a simple password check and, if possible, obtains Kerberos 5 and Kerberos IV credentials, caching them for later use. When the application requests initialization of credentials (or opens a session), the usual ticket files are created. When the application subsequently requests deletion of credentials or closing of the session, the module deletes the ticket files. When the application requests account management, if the module did not participate in authenticating the user, it will signal libpam to ignore the module. If the module did participate in authenticating the user, it will check for an expired user password and verify the user's authorization using the .k5login file of the user being authenticated, which is expected to be accessible to the module.



turns on debugging via syslog(3). Debugging messages are logged with priority LOG_DEBUG.

tells to obtain credentials without address lists. This may be necessary if your network uses NAT, and should otherwise not be used. This option is deprecated in favor of the noaddresses flag in the libdefaults section of krb5.conf(5).

tells to obtain credentials using the address of the given host in addition to the addresses of interfaces on the local workstation. For example, if your workstation is behind a masquerading firewall, specifying the firewall's outward-facing address here should allow Kerberos authentication to succeed. This option is deprecated in favor of the extra_addresses flag in the libdefaults section of krb5.conf(5).
tells to obtain tokens for and, in addition to the local cell, for the user.

tells how to identify itself when users attempt to change their passwords. The default setting is "Kerberos 5".

tells which directory to use for storing credential caches. The default setting is /tmp.

tells that credentials it obtains should be forwardable. This option is deprecated in favor of the forwardable option in the libdefaults section of krb5.conf(5).

tells the location of a keytab to use when validating credentials obtained from KDCs.

tells to obtain Kerberos IV credentials for users, in addition to Kerberos 5 credentials.

tells to ignore authentication attempts by users with UIDs below the specified number.

tells to not check if a user exists on the local system, to skip authorization checks using the user's .k5login file, and to create ccache files owned by the current process's UID. This is useful for situations where a non-privileged server process needs to use Kerberized services on behalf of remote users who may not have local access. Note that such a server should have an encrypted connection with its client in order to avoid allowing the user's password to be eavesdropped.

tells that credentials it obtains should be proxiable. This option is deprecated in favor of the proxiable option in the libdefaults section of krb5.conf(5).

overrides the default realm set in /etc/krb5.conf, which will attempt to authenticate users to.

sets the default renewable lifetime for credentials. This option is deprecated in favor of the renew_lifetime option in the libdefaults section of krb5.conf(5).

sets the default lifetime for credentials.

signals that should obtain tokens during authentication in addition to session setup. This is primarily useful in server applications which need to access a user's files but which do not open PAM sessions before doing so.

tells to check the previously-entered password as with use_first_pass, but to prompt the user for another one if the previously-entered one fails. This is the default mode of operation.

tells to get the user's entered password as it was stored by a module listed earlier in the stack, usually pam_unix or pam_pwdb, instead of prompting the user for it.

tells to never prompt for new passwords when changing passwords. This is useful if you are using to try to enforce use of less-easy-to-guess passwords.

tells to verify that the TGT obtained from the realm's servers has not been spoofed. Note that the process which is performing authentication must be able to read the keytab in order for validation to be possible.






pam_krb5(5) krb5.conf(5)



Probably, but let's hope not. If you find any, please email the author.



Nalin Dahyabhai <>