4 This file was written by Derrick J. Brashear <shadow@DEMENTIA.ORG>
7 <sect1>The Kerberos 4 module.
14 <tag><bf>Module Name:</bf></tag>
17 <tag><bf>Author:</bf></tag>
18 Derrick J. Brashear <shadow@dementia.org>
20 <tag><bf>Maintainer:</bf></tag>
23 <tag><bf>Management groups provided:</bf></tag>
24 authentication; password; session
26 <tag><bf>Cryptographically sensitive:</bf></tag>
29 <tag><bf>Security rating:</bf></tag>
31 <tag><bf>Clean code base:</bf></tag>
33 <tag><bf>System dependencies:</bf></tag>
34 libraries - <tt/libkrb/, <tt/libdes/, <tt/libcom_err/, <tt/libkadm/;
35 and a set of Kerberos include files.
37 <tag><bf>Network aware:</bf></tag>
38 Gets Kerberos ticket granting ticket via a Kerberos key distribution
39 center reached via the network.
43 <sect2>Overview of module
46 This module provides an interface for doing Kerberos verification of a
47 user's password, getting the user a Kerberos ticket granting ticket
48 for use with the Kerberos ticket granting service, destroying the
49 user's tickets at logout time, and changing a Kerberos password.
51 <sect2> Session component
56 <tag><bf>Recognized arguments:</bf></tag>
58 <tag><bf>Description:</bf></tag>
60 This component of the module currently sets the user's <tt/KRBTKFILE/
61 environment variable (although there is currently no way to export
62 this), as well as deleting the user's ticket file upon logout (until
63 <tt/PAM_CRED_DELETE/ is supported by <em/login/).
65 <tag><bf>Examples/suggested usage:</bf></tag>
67 This part of the module won't be terribly useful until we can change
68 the environment from within a <tt/Linux-PAM/ module.
72 <sect2> Password component
77 <tag><bf>Recognized arguments:</bf></tag>
78 <tt/use_first_pass/; <tt/try_first_pass/
80 <tag><bf>Description:</bf></tag>
82 This component of the module changes a user's Kerberos password
83 by first getting and using the user's old password to get
84 a session key for the password changing service, then sending
85 a new password to that service.
87 <tag><bf>Examples/suggested usage:</bf></tag>
89 This should only be used with a real Kerberos v4 <tt/kadmind/. It
90 cannot be used with an AFS kaserver unless special provisions are
91 made. Contact the module author for more information.
95 <sect2> Authentication component
100 <tag><bf>Recognized arguments:</bf></tag>
101 <tt/use_first_pass/; <tt/try_first_pass/
103 <tag><bf>Description:</bf></tag>
105 This component of the module verifies a user's Kerberos password
106 by requesting a ticket granting ticket from the Kerberos server
107 and optionally using it to attempt to retrieve the local computer's
108 host key and verifying using the key file on the local machine if
111 It also writes out a ticket file for the user to use later, and
112 deletes the ticket file upon logout (not until <tt/PAM_CRED_DELETE/
113 is called from <em/login/).
115 <tag><bf>Examples/suggested usage:</bf></tag>
117 This module can be used with a real Kerberos server using MIT
118 v4 Kerberos keys. The module or the system Kerberos libraries
119 may be modified to support AFS style Kerberos keys. Currently
120 this is not supported to avoid cryptography constraints.
125 End of sgml insert for this module.