Russ Allbery rra at
Thu Jan 27 15:06:51 EST 2011

Brian Candler <B.Candler at> writes:

> As I understand it, pam_krb5 is basically a password checker; it uses
> the password you supply to acquire a Kerberos ticket, and as a
> side-effect lets you login if it was able to acquire one.  That's the
> "auth" functionality anyway.  The "account" functionality is a bit more
> subtle.  According to the manpage:

> "If the module did participate in authenticating the user, it will check
> for an expired user password and verify the user's authorization using
> the .k5login file of the user being authenticated, which is expected to
> be accessible to the module."

It had better be doing this in the auth action as well, since otherwise
there are going to be vulnerabilities in practice.  The account group
isn't as consistently and properly used as it should be.

Russ Allbery (rra at
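One defender-side check that follows from the point above, as an added example (not code from this thread or from pam_krb5 itself): a small shell function that scans a Linux-PAM style configuration directory for services that stack pam_krb5 in the "auth" group but never in the "account" group. The directory and its service files are constructed here for the run; "include"/"substack" lines are not followed, so a service that pulls pam_krb5 in via common-auth still needs a manual look.

```shell
# Count non-comment lines in PAM service file $2 that call pam_krb5 in
# management group $1 ("auth" or "account"). Always prints a number, so it
# is safe under "set -e" even when grep finds nothing.
krb5_in_group() {
    grep -Ev '^[[:space:]]*#' "$2" \
        | grep -Ec "^[[:space:]]*$1[[:space:]].*pam_krb5" || true
}

# Print the name of every service file under $1 that uses pam_krb5 for
# auth only. Such a service would skip the .k5login/expired-password
# checks if the module performed them solely in the account action.
find_unstacked_krb5() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if [ "$(krb5_in_group auth "$f")" -gt 0 ] \
           && [ "$(krb5_in_group account "$f")" -eq 0 ]; then
            basename "$f"
        fi
    done
}

# Constructed sample /etc/pam.d directory (not real system configuration).
make_fixture() {
    d=$(mktemp -d)
    printf 'auth     sufficient pam_krb5.so\nauth     required   pam_unix.so\naccount  required   pam_krb5.so\naccount  required   pam_unix.so\n' > "$d/sshd"
    printf '# account group never consults pam_krb5 here\nauth     sufficient pam_krb5.so\naccount  required   pam_unix.so\n' > "$d/imap"
    printf 'auth     required   pam_unix.so\naccount  required   pam_unix.so\n' > "$d/cron"
    echo "$d"
}

find_unstacked_krb5 "$(make_fixture)"   # prints: imap
```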
