the user's UID and RANDOM is six randomly-chosen letters. This can be
configured with the I<ccache> and I<ccache_dir> options.
+pam-krb5 does not use the default ticket cache location or
+I<default_cc_name> in the C<[libdefaults]> section of F<krb5.conf>. The
+default cache location would share a cache for all sessions of the same
+user, which causes confusing behavior when the user logs out of one of
+multiple sessions.
+
If pam_setcred() initializes a new ticket cache, it will also set up that
ticket cache so that it will be deleted when the PAM session is closed.
Normally, the calling program (B<login>, B<sshd>, etc.) will run the
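Review bot: the added paragraph names I<default_cc_name>, which is the Heimdal spelling of the setting; MIT Kerberos calls it I<default_ccache_name> in C<[libdefaults]>, so readers on MIT will not find the option under the name given here. Either name both spellings or use the one matching the library this page targets. The rationale sentence would also be more concrete if it were tied to the paragraph that follows it: because the cache created here is deleted when the PAM session is closed, a single per-user default cache would be removed out from under the user's other sessions when one of them ends, which is the actual failure behind "confusing behavior".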
the PAM configuration.
To set an option for the PAM module in the system F<krb5.conf> file, put
-that option in the [appdefaults] section. All options must be followed by
-an equal sign (=) and a value, so for boolean options add C<= true>. The
-Kerberos PAM module will look for options either at the top level of the
-[appdefaults] section or in a subsection named C<pam>, inside or outside a
-section for the realm. For example, the following fragment of a
+that option in the C<[appdefaults]> section. All options must be followed
+by an equal sign (=) and a value, so for boolean options add C<= true>.
+The Kerberos PAM module will look for options either at the top level of
+the C<[appdefaults]> section or in a subsection named C<pam>, inside or
+outside a section for the realm. For example, the following fragment of a
F<krb5.conf> file would set I<forwardable> to true, I<minimum_uid> to
1000, and set I<ignore_k5login> only if the realm is EXAMPLE.COM.
it is very limited: only two realms can be tried, and the alternate realm
is always tried first.
-This option can be set in F<krb5.conf>, although normally it doesn't make
-sense to do that; normally it is used in the PAM options of configuration
-for specific programs. It is only applicable to the auth and account
-groups. If this option is set for the auth group, be sure to set it for
-the account group as well or account authorization may fail.
+This option can be set in C<[appdefaults]> in F<krb5.conf>, although
+normally it doesn't make sense to do that; normally it is used in the PAM
+options of configuration for specific programs. It is only applicable to
+the auth and account groups. If this option is set for the auth group, be
+sure to set it for the account group as well or account authorization may
+fail.
=item force_alt_auth
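Review bot: the new phrasing "This option can be set in C<[appdefaults]> in F<krb5.conf>" stacks two "in" clauses; "in the C<[appdefaults]> section of F<krb5.conf>" reads more naturally and matches the wording the same patch uses for "the C<[libdefaults]> section of F<krb5.conf>" in the new paragraph near the top. The same construction is repeated in every "This option can be set" paragraph changed below, so it is worth a single search-and-replace over the whole file before merging rather than fixing entries one at a time.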
normal authentication. This can be used to force authentication with an
alternate instance. If I<alt_auth_map> is not set, it has no effect.
-This option can be set in F<krb5.conf> and is only applicable to the auth
-group.
+This option can be set in C<[appdefaults]> in F<krb5.conf> and is only
+applicable to the auth group.
=item ignore_k5login
this can be customized by setting up an aname to localname mapping in
F<krb5.conf>.
-This option can be set in F<krb5.conf> and is only applicable to the auth
-and account groups.
+This option can be set in C<[appdefaults]> in F<krb5.conf> and is only
+applicable to the auth and account groups.
=item ignore_root
configuration. This option is supported and will remain, but normally you
want to use I<minimum_uid> instead.
-This option can be set in F<krb5.conf>.
+This option can be set in C<[appdefaults]> in F<krb5.conf>.
=item minimum_uid=<uid>
some defense in depth against user principals that happen to match a
system account incorrectly authenticating as that system account.
-This option can be set in F<krb5.conf>.
+This option can be set in C<[appdefaults]> in F<krb5.conf>.
=item only_alt_auth
I<force_alt_auth>. If I<alt_auth_map> is not set, it has no effect and
the standard authentication behavior is used.
-This option can be set in F<krb5.conf> and is only applicable to the auth
-group.
+This option can be set in C<[appdefaults]> in F<krb5.conf> and is only
+applicable to the auth group.
=item search_k5login
requires that the user's F<.k5login> file be readable at the time of
authentication.
-This option can be set in F<krb5.conf> and is only applicable to the auth
-group.
+This option can be set in C<[appdefaults]> in F<krb5.conf> and is only
+applicable to the auth group.
=back
tried first, and the Kerberos PAM module will fall back on attempting
anonymous PKINIT if that cache could not be used.
-This option can be set in F<krb5.conf> and is only applicable to the auth
-and password groups.
+This option can be set in C<[appdefaults]> in F<krb5.conf> and is only
+applicable to the auth and password groups.
The operation is the same as if using the I<fast_ccache> option, but the
cache is created and destroyed automatically. If both I<fast_ccache> and
I<fast_ccache> will be tried first, and the Kerberos PAM module will fall
back on attempting anonymous PKINIT if that cache could not be used.
-This option can be set in F<krb5.conf> and is only applicable to the auth
-and password groups.
+This option can be set in C<[appdefaults]> in F<krb5.conf> and is only
+applicable to the auth and password groups.
=item forwardable
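Review bot: the unchanged context above this change reads "If both I<fast_ccache> and" followed by "I<fast_ccache> will be tried first", which names the same option twice and loses the "are set" clause; the second name should be the other option of the pair, the one whose fallback to anonymous PKINIT this sentence describes. Check whether this is the source text or only how the patch is rendered here, since the hunk does not touch those lines but the entry is unreadable as shown.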
although it can only be set to false in F<krb5.conf>), this overrides the
Kerberos library default set in the [libdefaults] section of F<krb5.conf>.
-This option can be set in F<krb5.conf> and is only applicable to the auth
-group.
+This option can be set in C<[appdefaults]> in F<krb5.conf> and is only
+applicable to the auth group.
=item keytab=<path>
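Review bot: the parenthetical on the context line just above the change, "although it can only be set to false in F<krb5.conf>", is left as bare F<krb5.conf> while the paragraph below it now says C<[appdefaults]>; since the following sentence contrasts that value with the library default in [libdefaults], spell out that the false-only restriction applies to the C<[appdefaults]> setting, otherwise two mentions of F<krb5.conf> in the same entry appear to refer to the same place.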
another keytab the application can read. The first principal found in the
keytab will be used as the principal for credential verification.
-This option can be set in F<krb5.conf> and is only applicable to the auth
-group.
+This option can be set in C<[appdefaults]> in F<krb5.conf> and is only
+applicable to the auth group.
=item realm=<realm>
C<2d4h10m> or a time in minutes. If set, this overrides the Kerberos
library default set in the [libdefaults] section of F<krb5.conf>.
-This option can be set in F<krb5.conf> and is only applicable to the auth
-group.
+This option can be set in C<[appdefaults]> in F<krb5.conf> and is only
+applicable to the auth group.
=item ticket_lifetime=<lifetime>
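Review bot: "[libdefaults]" in the unchanged context, "library default set in the [libdefaults] section of F<krb5.conf>", is still bare while the patch wraps [appdefaults] in C<> everywhere and the new paragraph at the top writes C<[libdefaults]>; wrap it here and in the forwardable and ticket_lifetime entries as well so the two section names render the same way.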
minutes. If set, this overrides the Kerberos library default set in the
[libdefaults] section of F<krb5.conf>.
-This option can be set in F<krb5.conf> and is only applicable to the auth
-group.
+This option can be set in C<[appdefaults]> in F<krb5.conf> and is only
+applicable to the auth group.
=item user_realm
pam_cracklib if used) when synchronizing passwords between multiple
environments.
-This option can be set in F<krb5.conf> and is only applicable to the
-password group.
+This option can be set in C<[appdefaults]> in F<krb5.conf> and is only
+applicable to the password group.
=item debug
LOG_DEBUG priority, including entry and exit from each of the external PAM
interfaces (except pam_close_session).
-This option can be set in F<krb5.conf>.
+This option can be set in C<[appdefaults]> in F<krb5.conf>.
=item defer_pwchange
password change handling still happens. (Heimdal is missing the required
API to implement this option, at least as of version 1.6.)
-This option can be set in F<krb5.conf> and is only applicable to the auth
-group.
+This option can be set in C<[appdefaults]> in F<krb5.conf> and is only
+applicable to the auth group.
=item fail_pwchange
authentication failure identical to an incorrect password. Also see
I<defer_pwchange> and I<force_pwchange>.
-This option can be set in F<krb5.conf> and is only applicable to the auth
-group.
+This option can be set in C<[appdefaults]> in F<krb5.conf> and is only
+applicable to the auth group.
=item force_pwchange
change prompting disabled in the Kerberos library; on those systems, you
can set this option to simulate the normal library behavior.
-This option can be set in F<krb5.conf> and is only applicable to the auth
-group.
+This option can be set in C<[appdefaults]> in F<krb5.conf> and is only
+applicable to the auth group.
=item no_update_user
name. Setting this option disables this behavior and leaves PAM_USER set
to the initial authentication identity.
-This option can be set in F<krb5.conf> and is only applicable to the auth
-group.
+This option can be set in C<[appdefaults]> in F<krb5.conf> and is only
+applicable to the auth group.
=item silent
certificate authorities. This option is only used if I<try_pkinit> or
I<use_pkinit> are set.
-This option can be set in F<krb5.conf> and is only applicable to the auth
-and password groups.
+This option can be set in C<[appdefaults]> in F<krb5.conf> and is only
+applicable to the auth and password groups.
=item pkinit_prompt
then enter their password as normal. This option is only used if
I<try_pkinit> or I<use_pkinit> are set.
-This option can be set in F<krb5.conf> and is only applicable to the auth
-and password groups.
+This option can be set in C<[appdefaults]> in F<krb5.conf> and is only
+applicable to the auth and password groups.
=item pkinit_user=<userid>
documentation for more details. This option is only used if I<try_pkinit>
or I<use_pkinit> are set.
-This option can be set in F<krb5.conf> and is only applicable to the auth
-and password groups.
+This option can be set in C<[appdefaults]> in F<krb5.conf> and is only
+applicable to the auth and password groups.
=item preauth_opt=<option>
and I<pkinit_user> options, so if an equivalent setting is made via
I<preauth_opt>, it will probably override the other setting.
-This option can be set in F<krb5.conf> and is only applicable to the auth
-and password groups. Note that there is no way to remove a setting made
-in F<krb5.conf> using the PAM configuration, but options set in the PAM
-configuration are applied after options set in F<krb5.conf> and therefore
-may override earlier settings.
+This option can be set in C<[appdefaults]> in F<krb5.conf> and is only
+applicable to the auth and password groups. Note that there is no way to
+remove a setting made in F<krb5.conf> using the PAM configuration, but
+options set in the PAM configuration are applied after options set in
+F<krb5.conf> and therefore may override earlier settings.
=item try_pkinit
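Review bot: only the first F<krb5.conf> in this paragraph was changed; "remove a setting made in F<krb5.conf> using the PAM configuration" and "options set in the PAM configuration are applied after options set in F<krb5.conf>" describe precedence for the same C<[appdefaults]> settings and should say so, otherwise the paragraph reads as though the precedence rule covers krb5.conf generally rather than the section its first sentence names.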
Kerberos that requires some reworking of the PKINIT authentication method
to fix.
-This option can be set in F<krb5.conf> and is only applicable to the auth
-and password groups.
+This option can be set in C<[appdefaults]> in F<krb5.conf> and is only
+applicable to the auth and password groups.
=item use_pkinit
enforce use of PKINIT, so I<try_pkinit> must be used with that
implementation instead.
-This option can be set in F<krb5.conf> and is only applicable to the auth
-and password groups.
+This option can be set in C<[appdefaults]> in F<krb5.conf> and is only
+applicable to the auth and password groups.
=back
If set in the PAM configuration, <banner> may not contain whitespace. If
you want a value containing whitespace, set it in F<krb5.conf>.
-This option can be set in F<krb5.conf> and is only applicable to the
-password group.
+This option can be set in C<[appdefaults]> in F<krb5.conf> and is only
+applicable to the password group.
=item expose_account
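Review bot: the context line "If you want a value containing whitespace, set it in F<krb5.conf>." is the one place a reader is told to prefer F<krb5.conf> for a value with spaces, and it was not updated to C<[appdefaults]>; apply the same change there so the instruction points at the section the following sentence names.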
I<search_k5login> is enabled since the principal displayed would be
inaccurate.
-This option can be set in F<krb5.conf> and is only applicable to the auth
-and password groups.
+This option can be set in C<[appdefaults]> in F<krb5.conf> and is only
+applicable to the auth and password groups.
=item force_first_pass
will be created using mkstemp(3). This is strongly recommended if
<pattern> points to a world-writable directory.
-This option can be set in F<krb5.conf> and is only applicable to the auth
-and session groups.
+This option can be set in C<[appdefaults]> in F<krb5.conf> and is only
+applicable to the auth and session groups.
=item ccache_dir=<directory>
other location. This will allow pam_krb5 to continue working even if the
system F</tmp> directory is full.
-This option can be set in F<krb5.conf> and is only applicable to the auth
-and session groups.
+This option can be set in C<[appdefaults]> in F<krb5.conf> and is only
+applicable to the auth and session groups.
=item no_ccache
removal program to avoid accumulating hundreds of ticket caches in
F</tmp>.
-This option can be set in F<krb5.conf> and is only applicable to the auth
-and session groups.
+This option can be set in C<[appdefaults]> in F<krb5.conf> and is only
+applicable to the auth and session groups.
=back