SUSE® Linux Enterprise comes with a PAM module named pam_krb5, which supports Kerberos login and password update. This module can be used by applications, such as console login, su, and graphical login applications like KDM, where the user presents a password and would like the authenticating application to obtain an initial Kerberos ticket on his behalf.

The pam_unix2 module also supports Kerberos authentication and password update. To enable Kerberos support in pam_unix2, edit the file /etc/security/pam_unix2.conf so it contains the following lines:

    auth: use_krb5 nullok
    account: use_krb5
    password: use_krb5 nullok
    session: none

After that, all programs evaluating the entries in this file use Kerberos for user authentication. For a user that does not have a Kerberos principal, pam_unix2 falls back on the normal password authentication mechanism. For those users who have a principal, it should now be possible to change their Kerberos passwords transparently using the passwd command.
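
A way to check that a deployed pam_unix2.conf actually carries the settings above, as an added example that is not part of the SUSE documentation. The function names parse_pam_unix2 and audit are hypothetical, and the script assumes that "#" starts a comment and that each line has the form "group: options".

```python
# Added example: audit a pam_unix2.conf-style file for the settings described above.
# Assumptions: "#" starts a comment; each line is "<group>: <options>".

# Constructed sample: the four lines from the text, plus a comment line.
SAMPLE = """\
# /etc/security/pam_unix2.conf (constructed sample)
auth: use_krb5 nullok
account: use_krb5
password: use_krb5 nullok
session: none
"""

KRB5_GROUPS = ("auth", "account", "password")  # groups the text sets use_krb5 on


def parse_pam_unix2(text):
    """Return {group: [options]} for every '<group>: <options>' line."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and padding
        if ":" not in line:
            continue
        group, _, opts = line.partition(":")
        conf[group.strip()] = opts.split()
    return conf


def audit(text):
    """Return findings as (group, issue) tuples; an empty list means no findings."""
    conf = parse_pam_unix2(text)
    findings = []
    for group in KRB5_GROUPS:
        opts = conf.get(group)
        if opts is None:
            findings.append((group, "missing"))   # no line for this group
        elif "use_krb5" not in opts:
            findings.append((group, "no-krb5"))   # Kerberos is not used here
        if opts and "nullok" in opts:
            findings.append((group, "nullok"))    # empty-password handling relaxed
    return findings


if __name__ == "__main__":
    for group, issue in audit(SAMPLE):
        print(f"{group}: {issue}")
```

On the sample, the only findings are the two nullok entries, which are worth reviewing against local password policy.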

To make fine adjustments to the way in which pam_krb5 is used, edit the file /etc/krb5.conf and add default applications to pam. For details, refer to the manual page with man 5 pam_krb5.

The pam_krb5 module was specifically not designed for network services that accept Kerberos tickets as part of user authentication. This is an entirely different matter, which is discussed below.