PAM Kerberos

The pam_krb5 module

© 2014 Dennis Leeuw dleeuw at made-it dot com
License: GPLv2 or later

Index

    1. Introduction
    2. PAM configuration
    3. Test

Introduction

First we are going to enable PAM. This has nothing to do with single sign-on; it only tells the system to look in the Kerberos database for passwords. So this is "normal" authentication, just against a different database. We use the pam_krb5 module to integrate Kerberos with PAM. For now we assume that you still have passwords in your LDAP tree, which means we also need to support pam_ldap. The following configuration makes it possible to authenticate with a Kerberos password while still accepting the LDAP password. If that is not what you want, remove the userPassword attribute from LDAP or remove the pam_ldap lines from the PAM configuration. Keep in mind that as long as both are accepted, an account is only as strong as the weaker of its two passwords.

After installing the pam_krb5 module (package libpam-krb5 on Debian based systems, pam_krb5 on Red Hat based systems) add the following section to the /etc/krb5.conf file:

[appdefaults]
    pam = {
        debug = false
        minimum_uid = 500
        EXAMPLE.COM = {
            ignore_k5login = true
        }
    }

This section configures the pam_krb5 module (the same options can also be given as arguments on the PAM lines, but krb5.conf keeps them in one place). minimum_uid makes pam_krb5 skip accounts below that UID, so root and the system accounts keep authenticating against the local password database; on Debian based systems replace 500 with 1000, because regular users start at UID 1000 there. ignore_k5login, set here for the realm EXAMPLE.COM, makes pam_krb5 ignore a user's ~/.k5login file and accept only the principal that matches the local username; without it, any user can grant other principals access to their account by listing them in that file. Leave debug = false except while troubleshooting.

PAM configuration

Red Hat based systems before version 6 had a single global configuration file in /etc/pam.d called system-auth; since version 6 there is also a password-auth file, which is the one sshd uses. Both are symlinks to a corresponding -ac file that authconfig generates and overwrites on its next run, so if you edit by hand, replace the symlink with a regular file containing your changes.

Debian uses separate files for the auth, account, session and password sections, named common-auth, common-account, common-session and common-password. These files are managed by pam-auth-update, and the libpam-krb5 package registers a profile with it, so on Debian you can let pam-auth-update add the pam_krb5 lines instead of editing by hand.

You have to figure out for your distribution what is needed, but the end result should look more or less like the following snippets. I skipped all other modules and concentrated on pam_unix.so, pam_ldap.so and pam_krb5.so; keep the lines your distribution puts around them, in particular the closing pam_deny.so lines.

NOTE: On Debian based systems replace 500 with 1000.

Authentication
auth        sufficient    pam_unix.so nullok
auth        sufficient    pam_krb5.so use_first_pass
auth        sufficient    pam_ldap.so use_first_pass pam_min_uid=500
Account
account     required      pam_unix.so broken_shadow
account     sufficient    pam_krb5.so
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
Session
session     required      pam_unix.so
session     optional      pam_krb5.so
session     optional      pam_ldap.so pam_min_uid=500
Password
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok

A few things to check before copying these stacks. sufficient means the first module that accepts the user ends the stack, so the order decides which database is asked first, and in the account stack pam_ldap.so is never consulted once pam_unix.so and pam_krb5.so have both accepted the user. nullok lets local accounts with an empty password field log in; drop it unless you depend on it. md5 selects the weak MD5 password hash for pam_unix; on current systems use sha512 (the distribution default) instead. And since pam_krb5.so is not in the password stack, passwd will only change the local or LDAP password; Kerberos passwords are changed with kpasswd.
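To see how the control flags above play out, here is a small simulator of the Linux-PAM stack semantics, added here as an example; it is not part of the original page and not code from pam_krb5 or libpam. It parses pam.d-style lines (the keywords required, requisite, sufficient and optional are expanded to the same [value=action ...] tables that pam.conf(5) documents) and walks them the way libpam's dispatcher does, handling ok/done, bad/die, ignore, reset and numeric jumps. The module outcomes in the four scenarios are constructed by hand (a real login gets them from the modules); the module names are those of the stacks above.

```python
import re

# pam.conf(5): how libpam expands the simple control keywords.
KEYWORDS = {
    "required":   {"success": "ok",   "new_authtok_reqd": "ok",   "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok",   "new_authtok_reqd": "ok",   "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "new_authtok_reqd": "ok",   "default": "ignore"},
}

# type, control (keyword or [value=action ...]), module, optional arguments
LINE_RE = re.compile(r"^(\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)\s*(.*)$")


def parse_stack(text):
    """Parse pam.d-style lines into (type, action table, module, args) tuples."""
    stack = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("cannot parse PAM line: %r" % raw)
        mtype, control, module, args = m.groups()
        if control.startswith("["):
            table = dict(kv.split("=", 1) for kv in control[1:-1].split())
        else:
            table = KEYWORDS[control]
        stack.append((mtype, table, module, args.split()))
    return stack


def evaluate(stack, results):
    """Walk one stack with the rules of libpam's pam_dispatch.c.

    results maps module name -> return value in pam.conf(5) spelling
    ("success", "auth_err", "user_unknown", "ignore", "acct_expired", ...).
    Returns (final status, list of modules that actually ran).
    """
    status = "perm_denied"   # PAM_MUST_FAIL_CODE: a stack that never says ok denies
    impression = None        # _PAM_UNDEF; becomes "positive" or "negative"
    ran = []
    i = 0
    while i < len(stack):
        _, table, module, _ = stack[i]
        retval = results[module]
        ran.append(module)
        action = table.get(retval, table["default"])
        if action.isdigit():                    # "N": skip the next N modules
            i += int(action)
        elif action == "reset":                 # forget everything seen so far
            status, impression = "perm_denied", None
        elif action in ("ok", "done"):
            # the first result counts, unless everything so far was success
            if impression is None or (impression == "positive" and status == "success"):
                impression, status = "positive", retval
            if action == "done" and impression == "positive":
                break                           # sufficient: stop, unless an earlier failure stuck
        elif action in ("bad", "die"):
            if impression != "negative":        # the first failure is the one reported
                impression, status = "negative", retval
            if action == "die":
                break                           # requisite: fail right away
        # "ignore": this module does not influence the stack result
        i += 1
    if status == "success" and impression != "positive":
        status = "perm_denied"                  # libpam's final sanity check
    return status, ran


# The auth and account stacks from this page.
AUTH_STACK = parse_stack("""
auth        sufficient    pam_unix.so nullok
auth        sufficient    pam_krb5.so use_first_pass
auth        sufficient    pam_ldap.so use_first_pass pam_min_uid=500
""")
ACCOUNT_STACK = parse_stack("""
account     required      pam_unix.so broken_shadow
account     sufficient    pam_krb5.so
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
""")


def scenarios():
    """Constructed module outcomes for four logins (not real PAM results)."""
    return {
        # Kerberos principal without /etc/shadow entry, correct password
        "krb5_login_auth": evaluate(AUTH_STACK, {
            "pam_unix.so": "user_unknown", "pam_krb5.so": "success", "pam_ldap.so": "success"}),
        # wrong password everywhere: no pam_deny.so line, yet the stack denies
        "bad_password_auth": evaluate(AUTH_STACK, {
            "pam_unix.so": "auth_err", "pam_krb5.so": "auth_err", "pam_ldap.so": "auth_err"}),
        # account phase after a Kerberos login: pam_ldap's expiry check never runs
        "krb5_login_account": evaluate(ACCOUNT_STACK, {
            "pam_unix.so": "success", "pam_krb5.so": "success", "pam_ldap.so": "acct_expired"}),
        # account phase after an LDAP-password login whose LDAP account expired
        "ldap_login_expired": evaluate(ACCOUNT_STACK, {
            "pam_unix.so": "success", "pam_krb5.so": "ignore", "pam_ldap.so": "acct_expired"}),
    }


if __name__ == "__main__":
    for name, (result, ran) in scenarios().items():
        print("%-20s -> %-12s (ran: %s)" % (name, result, ", ".join(ran)))
```

Running it shows that a wrong password is denied by the auth stack even without a pam_deny.so line (a stack in which no module ever says ok ends as PAM_PERM_DENIED), that pam_ldap.so is not consulted in either stack once pam_krb5.so has succeeded, and that an expired LDAP account is still rejected for a user who authenticated with the LDAP password. Keep the distribution's pam_deny.so lines anyway; depending on the dispatcher's fallback is fragile.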

Test

If you created a principal in the previous section, you should now be able to log in (through login or ssh) on one of the KDC servers with the username and the password you set in Kerberos. Because pam_ldap is still in the stack, a successful login alone does not prove that Kerberos was used: run klist after logging in, since pam_krb5 stores the ticket it obtained in a credential cache and an LDAP-password login leaves none. If the login fails, check the system log (/var/log/auth.log on Debian, /var/log/secure on Red Hat) and, if that is not enough, set debug = true in the pam section of krb5.conf while you investigate.