README: CSS pam_krb5.so Module v1.60.1

Table of Contents

Installing the Files
Configuration
Description of Functionality
Options
Notices

=====================================================================
pam_krb5 v1.60-1 PATCH
September 2003
=====================================================================
Copyright (c) 2003 Certified Security Solutions, Inc.

This document contains information describing this component,
including the files that make up the component and the installation
information for these files.

This file also contains usage information for this component.

This utility is intended for operation on Solaris versions 7 and up,
Red Hat Linux versions 7 and up, HP-UX version 11.0 and up.

======================================================================
Installing the Files
======================================================================
This release includes the files listed below.

SOLARIS & LINUX:
   pam_krb5.so
   pam_krb5afs.c.patch
   install.sh
   README

HP-UX:
   libpam_krb5.1
   pam_krb5afs.c.patch
   install.sh
   README

Run this command with root privilege to install:

   ./install.sh


======================================================================
Configuration
======================================================================
The suggested PAM configurations for this module on Solaris, Linux and
HP-UX are shown below. The configurations shown below are the only
ones specifically tested. Additional configurations may be used at
your own risk, if desired. Changing PAM configurations can sometimes
introduce unintended side-effects, so be certain to create backup
copies of configuration files before making any changes.

On Linux, add these entries to /etc/pam.d/system-auth. These entries
are added automatically on Linux when you run authconfig and choose
krb5 authentication. Note that the nullok argument on pam_unix.so
permits an account whose password field is empty to log in without a
password; remove it unless you need that behaviour.

On Solaris and HP-UX, add these entries to /etc/pam.conf.

Linux:

   auth       required     /lib/security/pam_env.so
   auth       sufficient   /lib/security/pam_unix.so likeauth nullok
   auth       sufficient   /lib/security/pam_krb5.so use_first_pass
   auth       required     /lib/security/pam_deny.so

   account    required     /lib/security/pam_unix.so

   password   required     /lib/security/pam_cracklib.so retry=3 type=
   password   sufficient   /lib/security/pam_unix.so nullok use_authtok md5 shadow
   password   sufficient   /lib/security/pam_krb5.so use_authtok
   password   required     /lib/security/pam_deny.so

   session    required     /lib/security/pam_limits.so
   session    required     /lib/security/pam_unix.so
   session    optional     /lib/security/pam_krb5.so

Solaris (only the modified portions of the file are shown):

   login     auth       requisite    pam_authtok_get.so.1
   login     auth       required     pam_dhkeys.so.1
   login     auth       sufficient   pam_krb5.so use_first_pass
   login     auth       required     pam_unix_auth.so.1
   login     auth       required     pam_dial_auth.so.1
   #
   dtlogin   auth       requisite    pam_authtok_get.so.1
   dtlogin   auth       sufficient   pam_krb5.so use_first_pass
   dtlogin   auth       required     pam_unix_auth.so.1
   #
   other     auth       requisite    pam_authtok_get.so.1
   other     auth       required     pam_dhkeys.so.1
   other     auth       sufficient   pam_krb5.so use_first_pass
   other     auth       required     pam_unix_auth.so.1
   #
   #
   other     password   optional     pam_dhkeys.so.1
   other     password   optional     pam_authtok_get.so.1
   other     password   optional     pam_authtok_check.so.1
   other     password   sufficient   pam_authtok_store.so.1

HP-UX:

   #
   # Authentication management
   #
   login      auth       sufficient   /usr/lib/security/libpam_krb5.1
   login      auth       required     /usr/lib/security/libpam_unix.1 use_first_pass
   su         auth       required     /usr/lib/security/libpam_unix.1
   dtlogin    auth       sufficient   /usr/lib/security/libpam_krb5.1
   dtlogin    auth       required     /usr/lib/security/libpam_unix.1 use_first_pass
   dtaction   auth       sufficient   /usr/lib/security/libpam_krb5.1
   dtaction   auth       required     /usr/lib/security/libpam_unix.1 use_first_pass
   ftp        auth       required     /usr/lib/security/libpam_unix.1
   OTHER      auth       required     /usr/lib/security/libpam_unix.1
   #
   # Account management
   #
   login      account    sufficient   /usr/lib/security/libpam_krb5.1
   login      account    required     /usr/lib/security/libpam_unix.1
   su         account    required     /usr/lib/security/libpam_unix.1
   dtlogin    account    sufficient   /usr/lib/security/libpam_krb5.1
   dtlogin    account    required     /usr/lib/security/libpam_unix.1
   dtaction   account    sufficient   /usr/lib/security/libpam_krb5.1
   dtaction   account    required     /usr/lib/security/libpam_unix.1
   ftp        account    required     /usr/lib/security/libpam_unix.1
   #
   OTHER      account    required     /usr/lib/security/libpam_unix.1
   #
   # Session management
   #
   login      session    sufficient   /usr/lib/security/libpam_krb5.1
   login      session    required     /usr/lib/security/libpam_unix.1
   dtlogin    session    sufficient   /usr/lib/security/libpam_krb5.1
   dtlogin    session    required     /usr/lib/security/libpam_unix.1
   dtaction   session    sufficient   /usr/lib/security/libpam_krb5.1
   dtaction   session    required     /usr/lib/security/libpam_unix.1
   OTHER      session    required     /usr/lib/security/libpam_unix.1
   #
   # Password management
   #
   login      password   sufficient   /usr/lib/security/libpam_krb5.1
   login      password   required     /usr/lib/security/libpam_unix.1
   passwd     password   sufficient   /usr/lib/security/libpam_krb5.1
   passwd     password   required     /usr/lib/security/libpam_unix.1
   dtlogin    password   sufficient   /usr/lib/security/libpam_krb5.1
   dtlogin    password   required     /usr/lib/security/libpam_unix.1
   dtaction   password   sufficient   /usr/lib/security/libpam_krb5.1
   dtaction   password   required     /usr/lib/security/libpam_unix.1
   OTHER      password   required     /usr/lib/security/libpam_unix.1

Additional configuration information can be found here:
   http://www.ibiblio.org/gferg/ldp/man/man5/pam_krb5.5.html
   http://www.ibiblio.org/gferg/ldp/man/man8/pam_krb5.8.html
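The stacks above are easy to get subtly wrong when edited by hand: a
pam_krb5 entry placed after pam_unix without use_first_pass prompts the
user twice, a pam_krb5 password entry without use_authtok lets a user
bypass pam_cracklib, and an auth stack that does not finish with a
required module loses its backstop. The following is an added example
written for this README (it is not part of the CSS distribution or of
Red Hat's pam_krb5). It parses both the four-column /etc/pam.d layout
and the five-column Solaris/HP-UX /etc/pam.conf layout and lints those
rules, plus the nullok setting. The sample inputs are constructed from
the README's own Linux and Solaris stacks and one deliberately broken
Linux variant.

```python
"""Lint a PAM stack for the pam_krb5 ordering rules this README relies on.

Added example for this README; not code from the CSS distribution or from
Red Hat's pam_krb5. Sample configurations below are constructed for the
example (two copied from the README's suggested stacks, one broken).
"""
from collections import defaultdict

TYPES = ("auth", "account", "password", "session")
# Modules that collect the password (pam_krb5 prompts itself when placed first).
PROMPTERS = ("pam_unix", "pam_pwdb", "pam_authtok_get", "pam_krb5")
FIRST_PASS = {"use_first_pass", "try_first_pass"}


def parse_pam(text, pam_conf=False, service="system-auth"):
    """Parse PAM config into {(service, type): [(control, module, args)]}.

    pam_conf=True selects the /etc/pam.conf layout (service type control
    module args) used on Solaris and HP-UX; otherwise the /etc/pam.d/<file>
    layout (type control module args), with the file name given as `service`.
    """
    stacks = defaultdict(list)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        f = line.split()
        if pam_conf:
            if len(f) < 4:
                raise ValueError("short pam.conf line: " + raw)
            svc, f = f[0].lower(), f[1:]
        else:
            if len(f) < 3:
                raise ValueError("short pam.d line: " + raw)
            svc = service
        # Keep only the file name so /lib/security/pam_krb5.so, pam_krb5.so
        # and libpam_krb5.1 are all matched the same way below.
        ptype, control, module, args = f[0], f[1].lower(), f[2].rsplit("/", 1)[-1], f[3:]
        if ptype not in TYPES:
            raise ValueError("unknown module type in line: " + raw)
        stacks[(svc, ptype)].append((control, module, args))
    return stacks


def _is(module, *names):
    return any(n in module for n in names)


def lint_auth(entries):
    findings, seen_prompt = [], False
    for control, module, args in entries:
        if _is(module, "pam_krb5") and seen_prompt and not (FIRST_PASS & set(args)):
            findings.append(("error", module + ": follows a module that already collected the "
                             "password but has neither use_first_pass nor try_first_pass, "
                             "so the user is prompted a second time"))
        if _is(module, "pam_unix", "pam_pwdb") and "nullok" in args:
            findings.append(("warn", module + ": nullok lets an account with an empty "
                             "password field log in without a password"))
        if _is(module, *PROMPTERS):
            seen_prompt = True
    if not any(_is(m, "pam_krb5") for _, m, _ in entries):
        findings.append(("error", "no pam_krb5 entry in the auth stack"))
    if entries and entries[-1][0] not in ("required", "requisite"):
        findings.append(("error", "auth stack ends with a '" + entries[-1][0] + "' entry; "
                         "end with a required module (pam_deny on Linux, pam_unix on "
                         "Solaris/HP-UX) as the README stacks do"))
    return findings


def lint_password(entries):
    findings, checker_seen = [], False
    for control, module, args in entries:
        if _is(module, "pam_cracklib", "pam_authtok_check"):
            checker_seen = True
        elif _is(module, "pam_krb5") and checker_seen and "use_authtok" not in args:
            findings.append(("error", module + ": runs after a password-quality module but "
                             "lacks use_authtok, so it prompts for a fresh password that "
                             "bypasses the quality check"))
    return findings


def lint(stacks):
    """Return [(service, type, level, message)] for every auth/password stack."""
    out = []
    for (svc, ptype), entries in sorted(stacks.items()):
        checker = {"auth": lint_auth, "password": lint_password}.get(ptype)
        if checker:
            out.extend((svc, ptype, level, msg) for level, msg in checker(entries))
    return out


# Constructed samples: the README's Linux stack, a broken Linux variant,
# and the README's Solaris login stack in pam.conf layout.
LINUX_OK = """\
auth       required     /lib/security/pam_env.so
auth       sufficient   /lib/security/pam_unix.so likeauth nullok
auth       sufficient   /lib/security/pam_krb5.so use_first_pass
auth       required     /lib/security/pam_deny.so
password   required     /lib/security/pam_cracklib.so retry=3 type=
password   sufficient   /lib/security/pam_unix.so nullok use_authtok md5 shadow
password   sufficient   /lib/security/pam_krb5.so use_authtok
password   required     /lib/security/pam_deny.so
"""
LINUX_BAD = """\
auth       sufficient   /lib/security/pam_unix.so
auth       sufficient   /lib/security/pam_krb5.so
password   required     /lib/security/pam_cracklib.so retry=3
password   sufficient   /lib/security/pam_krb5.so
"""
SOLARIS_OK = """\
login     auth       requisite    pam_authtok_get.so.1
login     auth       required     pam_dhkeys.so.1
login     auth       sufficient   pam_krb5.so use_first_pass
login     auth       required     pam_unix_auth.so.1
login     auth       required     pam_dial_auth.so.1
"""

if __name__ == "__main__":
    for name, text, conf in (("linux-ok", LINUX_OK, False), ("linux-bad", LINUX_BAD, False),
                             ("solaris-ok", SOLARIS_OK, True)):
        for svc, ptype, level, msg in lint(parse_pam(text, pam_conf=conf)) or [(name, "-", "ok", "no findings")]:
            print(f"{name}: {svc} {ptype} [{level}] {msg}")
```

Run it against a real file with `lint(parse_pam(open("/etc/pam.conf").read(),
pam_conf=True))` on Solaris or HP-UX, or with the pam.d layout on Linux.
The README's own Linux stack produces exactly one finding, the nullok
warning; the broken variant produces three errors.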


======================================================================
Description of Functionality
======================================================================
This distribution contains a patch for the Red Hat Linux
pam_krb5-1.60.1 authentication module. Both the built binary and the
source code patch are contained in this distribution. The Solaris
version of this patch is a port of the Red Hat pam_krb5 implementation
to Solaris 9 for SPARC. The HP-UX version of this patch is a port of
the Red Hat pam_krb5 implementation to HP-UX 11.0.

This patch fixes the following defects, present in the Red Hat
pam_krb5-1.60.1 distribution, that were discovered during
authentication interoperability testing with Microsoft Active
Directory:

1. The password cannot be changed when it has expired.
The pam_krb5.so module gives the appearance of changing the
password, but does not actually successfully change the password.

2. Password expiration warning messages are never displayed.

3. Error messages are not displayed when a user's account is
expired or locked out.

4. During the password change operation, inconsistent password
change prompts are displayed when an empty password is provided,
e.g. ^D or .


======================================================================
Options
======================================================================

   addressless=[true|false]
      Disables the checking of the address in the ticket. Allows the
      ticket to be used from behind NAT firewalls, or on machines whose
      IP addresses change regularly. The default is false.

   afs_cells="cell list"
      Specify AFS cells to log into. Overrides default AFS cell, that
      is the currently configured Kerberos realm.

   banner="message"
      Specifies the message string to display when called to change
      passwords. The default is "Kerberos 5".

   ccache_dir="/path"
      Specifies the directory to place credential cache files in. The
      default is "/tmp".

   debug=[true|false]
      Turns on debugging via syslog. The default is false.

   forwardable=[true|false]
      Controls whether or not credentials are forwardable. The default
      is true.

   get_tokens
   tokens
   force_cred
      Set AFS credentials when specified.

   hosts="hostnames"
      Specifies additional hosts on which the credentials obtained by
      pam_krb5 will be valid. If your host is behind a firewall, you
      should add the IP address or name that the KDC sees it as to
      this list. There is no default.

   initial_timeout=seconds
      Specifies the number of seconds to wait for the first KDC to
      respond, before attempting incremental backoff. The default is 1.

   keytab="/path/krb5.keytab"
      Specifies the name of a keytab file to find a key for the
      required_tgs in, for use in validating TGTs. When no value is
      specified, the Kerberos library default value is used. The
      Kerberos library default for Solaris is "/etc/krb5/krb5.keytab",
      for all other platforms this default is "/etc/krb5.keytab".

   krb4_convert=[true|false]
      Controls whether or not pam_krb5 tries to get Kerberos IV
      credentials from the KDC. Note that this requires valid
      Kerberos IV configuration data to be present in /etc/krb.conf
      and /etc/krb.realms. The default is false.

   max_timeout=seconds
      Specifies the maximum amount of time to spend attempting to
      get a reply from the KDCs, in seconds. This, in effect,
      determines the amount of time before PAM tries the next
      authentication scheme, if the network is not available.
      The default value is 30.

   minimum_uid=number
      Specifies the minimum UID of users being authenticated. If a
      user with a UID less than this value attempts authentication,
      the request will be ignored. The default value is 0, which means
      root and other system accounts are also authenticated against the
      KDC; set it above your local system-account UID range to keep
      those accounts local.

   no_warn
      Allowable parameter with no implemented function.

   proxiable=[true|false]
      Controls whether or not credentials are proxiable. The default
      is true.

   realm="realm"
      Overrides the default realm set in /etc/krb5.conf, to which
      pam_krb5.so will attempt to authenticate users.

   renew_lifetime=seconds
      Default renewable lifetime. This specifies the time period beyond
      which the ticket cannot be renewed. The default value is 36000.

   required_tgs="service"
      Specifies a principal for which a user must be able to get a
      service ticket for the purpose of verifying that the TGT has not
      been forged. The service ticket is decrypted using a copy of the
      service's key stored in a local keytab file (see keytab). This is
      the only certain way to be sure that the TGT hasn't been forged
      by a spoofed KDC. The default is host@hostname.

   retain_after_close=[true|false]
      Specifies whether or not to retain the Kerberos credential's cache
      after session close. The default is false.

   skip_first_pass
      Tells pam_krb5.so not to bother checking a password that has been
      set by a module listed earlier in the stack. This option is
      included mainly for completeness.

   ticket_lifetime=seconds
      Default credential lifetime. The default value is 36000.

   timeout_shift=count
      Specifies the number of bits to left-shift after each timeout,
      in implementing the incremental backoff in talking to the KDCs.
      The default count is 2.

   try_first_pass
      Tells pam_krb5.so to check the password as with use_first_pass,
      but to prompt the user for another one if the previously-entered
      one fails. This is the default mode of operation.

   validate=[true|false]
      Specifies whether or not to attempt validation of the TGT. The
      default is true.

   use_authtok=[true|false]
      Tells pam_krb5.so to never prompt for passwords when changing
      passwords. This is useful if you are using pam_cracklib.so to try
      to enforce use of less-easy-to-guess passwords. The default is
      false.

   use_first_pass
      Tells pam_krb5.so to get the user's entered password as it was
      stored by a module listed earlier in the stack, usually pam_unix
      or pam_pwdb, instead of prompting the user for it.

   user_check=[true|false]
      Verifies the authentication user name has a valid account on the
      system when true. Otherwise, the user ID in the current context
      is used. The default is true.

   warn_period=seconds
      Warning period before the user's password expires. The default
      value is 604800 seconds. This option is ignored in the current
      implementation.
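The option table above is long and two of its entries (no_warn,
warn_period) do nothing, so a typo or a stale option is easy to miss.
The following added example, written for this README and not part of
the CSS distribution or of Red Hat's pam_krb5, transcribes the table
into a checker: it parses one pam_krb5 argument string, fills in the
documented defaults, reports unknown options, type errors and ignored
options, flags the settings that weaken authentication (minimum_uid=0,
validate=false, addressless=true, debug=true), and computes the KDC
retry schedule implied by initial_timeout, timeout_shift and
max_timeout. Assumptions, not stated on the page: a boolean option
written without =value (as use_authtok is in the Linux stack) means
true, and the backoff is modelled as each wait being the previous one
shifted left by timeout_shift bits until max_timeout would be exceeded.

```python
"""Check a pam_krb5 option string against the Options table in this README.

Added example for this README; not code from the CSS distribution or from
Red Hat's pam_krb5. The option table is transcribed from the README; the
backoff model and the bare-boolean rule are this example's assumptions.
"""
import shlex

FLAGS = {"get_tokens", "tokens", "force_cred", "no_warn", "skip_first_pass",
         "try_first_pass", "use_first_pass"}
BOOL = {"addressless": False, "debug": False, "forwardable": True,
        "krb4_convert": False, "proxiable": True, "retain_after_close": False,
        "validate": True, "use_authtok": False, "user_check": True}
INT = {"initial_timeout": 1, "max_timeout": 30, "minimum_uid": 0,
       "renew_lifetime": 36000, "ticket_lifetime": 36000, "timeout_shift": 2,
       "warn_period": 604800}
STR = {"afs_cells": None, "banner": "Kerberos 5", "ccache_dir": "/tmp",
       "hosts": None, "keytab": None, "realm": None, "required_tgs": None}
IGNORED = {"no_warn", "warn_period"}  # documented as having no effect


def parse_options(argstr):
    """Return (effective settings, [(level, message)]) for one argument string.

    shlex handles the quoted forms the README shows, e.g. afs_cells="cell list".
    Assumption: a boolean option given without =value means true.
    """
    settings = {**BOOL, **INT, **STR, **{f: False for f in FLAGS}}
    findings = []
    for tok in shlex.split(argstr):
        key, sep, val = tok.partition("=")
        if key in FLAGS:
            settings[key] = True
        elif key in BOOL:
            if not sep:
                settings[key] = True
            elif val.lower() in ("true", "false"):
                settings[key] = val.lower() == "true"
            else:
                findings.append(("error", f"{key}: expected true or false, got {val!r}"))
        elif key in INT:
            if val.isdigit():
                settings[key] = int(val)
            else:
                findings.append(("error", f"{key}: expected a non-negative integer, got {val!r}"))
        elif key in STR:
            settings[key] = val
        else:
            findings.append(("error", f"{key}: not an option of this pam_krb5 release"))
        if key in IGNORED:
            findings.append(("warn", f"{key}: accepted but has no effect in this release"))
    return settings, findings


def review(settings):
    """Flag effective settings that weaken authentication."""
    findings = []
    if settings["minimum_uid"] == 0:
        findings.append(("warn", "minimum_uid=0: root and system accounts are also "
                         "authenticated against the KDC; raise it above the local "
                         "system-account UID range"))
    if not settings["validate"]:
        findings.append(("warn", "validate=false: the TGT is not checked against the host "
                         "key in the keytab, so a spoofed KDC reply can log a user in"))
    if settings["addressless"]:
        findings.append(("info", "addressless=true: tickets carry no client address and "
                         "are usable from any host that obtains the credential cache"))
    if settings["debug"]:
        findings.append(("info", "debug=true: authentication details go to syslog; turn "
                         "off once troubleshooting is done"))
    return findings


def kdc_wait_schedule(settings):
    """Per-attempt waits (seconds) before the module gives up on the KDCs.

    Model (assumption): wait initial_timeout, then shift left by timeout_shift
    bits after each timeout, stopping once the total would exceed max_timeout.
    """
    waits, total, t = [], 0, settings["initial_timeout"]
    while t > 0 and total + t <= settings["max_timeout"]:
        waits.append(t)
        total += t
        t <<= settings["timeout_shift"]
    return waits


def check(argstr):
    settings, findings = parse_options(argstr)
    return settings, findings + review(settings)


if __name__ == "__main__":
    for argstr in ("use_first_pass", "use_first_pass minimum_uid=500 validate=false warn_period=60"):
        settings, findings = check(argstr)
        print(f"pam_krb5.so {argstr}")
        for level, msg in findings:
            print(f"  [{level}] {msg}")
        print("  KDC waits:", kdc_wait_schedule(settings), "seconds")
```

With the documented defaults the schedule is 1, 4 and 16 seconds (21 in
total; the next wait of 64 would exceed max_timeout=30), which is the
longest a login hangs on an unreachable KDC before PAM moves to the
next module in the stack.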

======================================================================
Notices
======================================================================
This product includes software developed at the Massachusetts
Institute of Technology (http://www.mit.edu/).

This product includes software developed by RedHat Software
(http://www.redhat.com/).


======================================================================
Certified Security Solutions Notices
======================================================================
DISCLAIMER

This software is provided by Certified Security Solutions, Inc. (CSS)
"AS IS" without any express or implied warranties, including, but not
limited to, the implied warranties of merchantability and fitness for
a particular purpose. In no event shall CSS be liable for any direct,
indirect, incidental, special, exemplary, or consequential damages,
including, but not limited to, procurement of substitute goods or
services; loss of use, data, or profits; or business interruption,
however caused and on any theory of liability, whether in contract,
strict liability, or tort, including negligence or otherwise, arising
in any way out of the use of this software, even if advised of the
possibility of such damage.


======================================================================
MIT Notices
======================================================================
Copyright (C) 1985-2001 by the Massachusetts Institute of Technology.

All rights reserved.

Export of this software from the United States of America may require
a specific license from the United States Government. It is the
responsibility of any person or organization contemplating export to
obtain such a license before exporting.

WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
distribute this software and its documentation for any purpose and
without fee is hereby granted, provided that the above copyright
notice appear in all copies and that both that copyright notice and
this permission notice appear in supporting documentation, and that
the name of M.I.T. not be used in advertising or publicity pertaining
to distribution of the software without specific, written prior
permission. Furthermore if you modify this software you must label
your software as modified software and not distribute it in such a
fashion that it might be confused with the original MIT software.
M.I.T. makes no representations about the suitability of this software
for any purpose. It is provided "as is" without express or implied
warranty.

THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.

Individual source code files are copyright MIT, Cygnus Support,
OpenVision, Oracle, Sun Soft, FundsXpress, and others.

Project Athena, Athena, Athena MUSE, Discuss, Hesiod, Kerberos, Moira,
and Zephyr are trademarks of the Massachusetts Institute of Technology
(MIT). No commercial use of these trademarks may be made without
prior written permission of MIT.

"Commercial use" means use of a name in a product or other for-profit
manner. It does NOT prevent a commercial firm from referring to the
MIT trademarks in order to convey information (although in doing so,
recognition of their trademark status should be given).

----

Copyright 1987, 1989 by the Student Information Processing Board
      of the Massachusetts Institute of Technology

Permission to use, copy, modify, and distribute this software
and its documentation for any purpose and without fee is
hereby granted, provided that the above copyright notice
appear in all copies and that both that copyright notice and
this permission notice appear in supporting documentation,
and that the names of M.I.T. and the M.I.T. S.I.P.B. not be
used in advertising or publicity pertaining to distribution
of the software without specific, written prior permission.
Furthermore if you modify this software you must label
your software as modified software and not distribute it in such a
fashion that it might be confused with the original M.I.T. software.
M.I.T. and the M.I.T. S.I.P.B. make no representations about
the suitability of this software for any purpose. It is
provided "as is" without express or implied warranty.


======================================================================
RedHat Notices
======================================================================

Copyright 2000-2003 Red Hat, Inc.
Portions Copyright 1999 Nalin Dahyabhai.
(Nalin Dahyabhai (nalin@redhat.com))


This is free software; you can redistribute it and/or modify it
under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.