1 pam-krb5 4.9 2 (PAM module for Kerberos authentication) 3 Maintained by Russ Allbery <eagle@eyrie.org> 4 5 Copyright 2005-2010, 2014-2015, 2017, 2020 Russ Allbery 6 <eagle@eyrie.org>. Copyright 2009-2011 The Board of Trustees of the 7 Leland Stanford Junior University. Copyright 2005 Andres Salomon 8 <dilinger@debian.org>. Copyright 1999-2000 Frank Cusack 9 <fcusack@fcusack.com>. This software is distributed under a BSD-style 10 license. Please see the section LICENSE below for more information. 11 12BLURB 13 14 pam-krb5 is a Kerberos PAM module for either MIT Kerberos or Heimdal. 15 It supports ticket refreshing by screen savers, configurable 16 authorization handling, authentication of non-local accounts for network 17 services, password changing, and password expiration, as well as all the 18 standard expected PAM features. It works correctly with OpenSSH, even 19 with ChallengeResponseAuthentication and PrivilegeSeparation enabled, 20 and supports extensive configuration either by PAM options or in 21 krb5.conf or both. PKINIT is supported with recent versions of both MIT 22 Kerberos and Heimdal and FAST is supported with recent MIT Kerberos. 23 24DESCRIPTION 25 26 pam-krb5 provides a Kerberos PAM module that supports authentication, 27 user ticket cache handling, simple authorization (via .k5login or 28 checking Kerberos principals against local usernames), and password 29 changing. It can be configured through either options in the PAM 30 configuration itself or through entries in the system krb5.conf file, 31 and it tries to work around PAM implementation flaws in commonly-used 32 PAM-enabled applications such as OpenSSH and xdm. It supports both 33 PKINIT and FAST to the extent that the underlying Kerberos libraries 34 support these features. 35 36 This is not the Kerberos PAM module maintained on Sourceforge and used 37 on Red Hat systems. It is an independent implementation that, if it 38 ever shared any common code, diverged long ago. It supports some 39 features that the Sourceforge module does not (particularly around 40 authorization), and does not support some options (particularly ones not 41 directly related to Kerberos) that it does. This module will never 42 support Kerberos v4 or AFS. For an AFS session module that works with 43 this module (or any other Kerberos PAM module), see pam-afs-session [1]. 44 45 [1] https://www.eyrie.org/~eagle/software/pam-afs-session/ 46 47 If there are other options besides AFS and Kerberos v4 support from the 48 Sourceforge PAM module that you're missing in this module, please let me 49 know. 50 51REQUIREMENTS 52 53 Either MIT Kerberos (or Kerberos implementations based on it) or Heimdal 54 are supported. MIT Keberos 1.3 or later may be required; this module 55 has not been tested with earlier versions. 56 57 For PKINIT support, Heimdal 0.8rc1 or later or MIT Kerberos 1.6.3 or 58 later are required. Earlier MIT Kerberos 1.6 releases have a bug in 59 their handling of PKINIT options. MIT Kerberos 1.12 or later is 60 required to use the use_pkinit PAM option. 61 62 For FAST (Flexible Authentication Secure Tunneling) support, MIT 63 Kerberos 1.7 or higher is required. For anonymous FAST support, 64 anonymous authentication (generally anonymous PKINIT) support is 65 required in both the Kerberos libraries and in the local KDC. 66 67 This module should work on Linux and build with gcc or clang. It may 68 still work on Solaris and build with the Sun C compiler, but I have only 69 tested it on Linux recently. There is beta-quality support for the AIX 70 NAS Kerberos implementation that has not been tested in years. Other 71 PAM implementations will probably require some porting, although 72 untested build system support is present for FreeBSD, Mac OS X, and 73 HP-UX. I personally can only test on Linux and rely on others to report 74 problems on other operating systems. 75 76 Old versions of OpenSSH are known to call pam_authenticate followed by 77 pam_setcred(PAM_REINITIALIZE_CRED) without first calling 78 pam_open_session, thereby requesting that an existing ticket cache be 79 renewed (similar to what a screensaver would want) rather than 80 requesting a new ticket cache be created. Since this behavior is 81 indistinguishable at the PAM level from a screensaver, pam-krb5 when 82 used with these old versions of OpenSSH will refresh the ticket cache of 83 the OpenSSH daemon rather than setting up a new ticket cache for the 84 user. The resulting ticket cache will have the correct permissions 85 (this is not a security concern), but will not be named correctly or 86 referenced in the user's environment and will be overwritten by the next 87 user login. The best solution to this problem is to upgrade OpenSSH. 88 I'm not sure exactly when this problem was fixed, but at the very least 89 OpenSSH 4.3 and later do not exhibit it. 90 91 To bootstrap from a Git checkout, or if you change the Automake files 92 and need to regenerate Makefile.in, you will need Automake 1.11 or 93 later. For bootstrap or if you change configure.ac or any of the m4 94 files it includes and need to regenerate configure or config.h.in, you 95 will need Autoconf 2.64 or later. Perl is also required to generate 96 manual pages from a fresh Git checkout. 97 98BUILDING AND INSTALLATION 99 100 You can build and install pam-krb5 with the standard commands: 101 102 ./configure 103 make 104 make install 105 106 If you are building from a Git clone, first run ./bootstrap in the 107 source directory to generate the build files. make install will 108 probably have to be done as root. Building outside of the source 109 directory is also supported, if you wish, by creating an empty directory 110 and then running configure with the correct relative path. 111 112 The module will be installed in /usr/local/lib/security by default, 113 except on 64-bit versions of Linux which will use 114 /usr/local/lib64/security to match the default PAM configuration. You 115 can change the installation locations with the --prefix, --mandir, and 116 --libdir options to configure. The module will always be installed in a 117 subdirectory named security under the specified libdir. On Linux, use 118 --prefix=/usr to install the man page into /usr/share/man and the PAM 119 module in /lib/security or /lib64/security. 120 121 Normally, configure will use krb5-config to determine the flags to use 122 to compile with your Kerberos libraries. To specify a particular 123 krb5-config script to use, either set the PATH_KRB5_CONFIG environment 124 variable or pass it to configure like: 125 126 ./configure PATH_KRB5_CONFIG=/path/to/krb5-config 127 128 If krb5-config isn't found, configure will look for the standard 129 Kerberos libraries in locations already searched by your compiler. If 130 the the krb5-config script first in your path is not the one 131 corresponding to the Kerberos libraries you want to use, or if your 132 Kerberos libraries and includes aren't in a location searched by default 133 by your compiler, you need to specify a different Kerberos installation 134 root via --with-krb5=PATH. For example: 135 136 ./configure --with-krb5=/usr/pubsw 137 138 You can also individually set the paths to the include directory and the 139 library directory with --with-krb5-include and --with-krb5-lib. You may 140 need to do this if Autoconf can't figure out whether to use lib, lib32, 141 or lib64 on your platform. 142 143 To not use krb5-config and force library probing even if there is a 144 krb5-config script on your path, set PATH_KRB5_CONFIG to a nonexistent 145 path: 146 147 ./configure PATH_KRB5_CONFIG=/nonexistent 148 149 krb5-config is not used and library probing is always done if either 150 --with-krb5-include or --with-krb5-lib are given. 151 152 Pass --enable-silent-rules to configure for a quieter build (similar to 153 the Linux kernel). Use make warnings instead of make to build with full 154 compiler warnings (requires either GCC or Clang and may require a 155 relatively current version of the compiler). 156 157 You can pass the --enable-reduced-depends flag to configure to try to 158 minimize the shared library dependencies encoded in the binaries. This 159 omits from the link line all the libraries included solely because other 160 libraries depend on them and instead links the programs only against 161 libraries whose APIs are called directly. This will only work with 162 shared libraries and will only work on platforms where shared libraries 163 properly encode their own dependencies (this includes most modern 164 platforms such as all Linux). It is intended primarily for building 165 packages for Linux distributions to avoid encoding unnecessary shared 166 library dependencies that make shared library migrations more difficult. 167 If none of the above made any sense to you, don't bother with this flag. 168 169TESTING 170 171 pam-krb5 comes with a comprehensive test suite, but it requires some 172 configuration in order to test anything other than low-level utility 173 functions. For the full test suite, you will need to have a running KDC 174 in which you can create two test accounts, one with admin access to the 175 other. Using a test KDC environment, if you have one, is recommended. 176 177 Follow the instructions in tests/config/README to configure the test 178 suite. 179 180 Now, you can run the test suite with: 181 182 make check 183 184 If a test fails, you can run a single test with verbose output via: 185 186 tests/runtests -o <name-of-test> 187 188 Do this instead of running the test program directly since it will 189 ensure that necessary environment variables are set up. 190 191 The default libkadm5clnt library on the system must match the 192 implementation of your KDC for the module/expired test to work, since 193 the two kadmin protocols are not compatible. If you use the MIT library 194 against a Heimdal server, the test will be skipped; if you use the 195 Heimdal library against an MIT server, the test suite may hang. 196 197 Several module/expired tests are expected to fail with Heimdal 1.5 due 198 to a bug in Heimdal with reauthenticating immediately after a 199 library-mediated password change of an expired password. This is fixed 200 in later releases of Heimdal. 201 202 To run the full test suite, Perl 5.8 or later is required. The 203 following additional Perl modules will be used if present: 204 205 * Test::Pod 206 * Test::Spelling 207 208 All are available on CPAN. Those tests will be skipped if the modules 209 are not available. 210 211CONFIGURING 212 213 Just installing the module does not enable it or change anything about 214 your system authentication configuration. To use the module for all 215 system authentication on Debian systems, put something like: 216 217 auth sufficient pam_krb5.so minimum_uid=1000 218 auth required pam_unix.so try_first_pass nullok_secure 219 220 in /etc/pam.d/common-auth, something like: 221 222 session optional pam_krb5.so minimum_uid=1000 223 session required pam_unix.so 224 225 in /etc/pam.d/common-session, and something like: 226 227 account required pam_krb5.so minimum_uid=1000 228 account required pam_unix.so 229 230 in /etc/pam.d/common-account. The minimum_uid setting tells the PAM 231 module to pass on any users with a UID lower than 1000, thereby 232 bypassing Kerberos authentication for the root account and any system 233 accounts. You normally want to do this since otherwise, if the network 234 is down, the Kerberos authentication can time out and make it difficult 235 to log in as root and fix matters. This also avoids problems with 236 Kerberos principals that happen to match system accounts accidentally 237 getting access to those accounts. 238 239 Be sure to include the module in the session group as well as the auth 240 group. Without the session entry, the user's ticket cache will not be 241 created properly for ssh logins (among possibly others). 242 243 If your users should normally all use Kerberos passwords exclusively, 244 putting something like: 245 246 password sufficient pam_krb5.so minimum_uid=1000 247 password required pam_unix.so try_first_pass obscure md5 248 249 in /etc/pam.d/common-password will change users' passwords in Kerberos 250 by default and then only fall back on Unix if that doesn't work. (You 251 can make this tighter by using the more complex new-style PAM 252 configuration.) If you instead want to synchronize local and Kerberos 253 passwords and change them both at the same time, you can do something 254 like: 255 256 password required pam_unix.so obscure sha512 257 password required pam_krb5.so use_authtok minimum_uid=1000 258 259 If you have multiple environments that you want to synchronize and you 260 don't want password changes to continue if the Kerberos password change 261 fails, use the clear_on_fail option. For example: 262 263 password required pam_krb5.so clear_on_fail minimum_uid=1000 264 password required pam_unix.so use_authtok obscure sha512 265 password required pam_smbpass.so use_authtok 266 267 In this case, if pam_krb5 cannot change the password (due to password 268 strength rules on the KDC, for example), it will clear the stored 269 password (because of the clear_on_fail option), and since pam_unix and 270 pam_smbpass are both configured with use_authtok, they will both fail. 271 clear_on_fail is not the default because it would interfere with the 272 more common pattern of falling back to local passwords if the user 273 doesn't exist in Kerberos. 274 275 If you use a more complex configuration with the Linux PAM [] syntax for 276 the session and account groups, note that pam_krb5 returns a status of 277 ignore, not success, if the user didn't log on with Kerberos. You may 278 need to handle that explicitly with ignore=ignore in your action list. 279 280 There are many, many other possibilities. See the Linux PAM 281 documentation for all the configuration options. 282 283 On Red Hat systems, modify /etc/pam.d/system-auth instead, which 284 contains all of the configuration for the different stacks. 285 286 You can also use pam-krb5 only for specific services. In that case, 287 modify the files in /etc/pam.d for that particular service to use 288 pam_krb5.so for authentication. For services that are using passwords 289 over TLS to authenticate users, you may want to use the ignore_k5login 290 and no_ccache options to the authenticate module. .k5login 291 authorization is only meaningful for local accounts and ticket caches 292 are usually (although not always) only useful for interactive sessions. 293 294 Configuring the module for Solaris is both simpler and less flexible, 295 since Solaris (at least Solaris 8 and 9, which are the last versions of 296 Solaris with which this module was extensively tested) use a single 297 /etc/pam.conf file that contains configuration for all programs. For 298 console login on Solaris, try something like: 299 300 login auth sufficient /usr/local/lib/security/pam_krb5.so minimum_uid=100 301 login auth required /usr/lib/security/pam_unix_auth.so.1 use_first_pass 302 login account required /usr/local/lib/security/pam_krb5.so minimum_uid=100 303 login account required /usr/lib/security/pam_unix_account.so.1 304 login session required /usr/local/lib/security/pam_krb5.so retain_after_close minimum_uid=100 305 login session required /usr/lib/security/pam_unix_session.so.1 306 307 A similar configuration could be used for other services, such as ssh. 308 See the pam.conf(5) man page for more information. When using this 309 module with Solaris login (at least on Solaris 8 and 9), you will 310 probably also need to add retain_after_close to the PAM configuration to 311 avoid having the user's credentials deleted before they are logged in. 312 313 The Solaris Kerberos library reportedly does not support prompting for a 314 password change of an expired account during authentication. Supporting 315 password change for expired accounts on Solaris with native Kerberos may 316 therefore require setting the defer_pwchange or force_pwchange option 317 for selected login applications. See the description and warnings about 318 that option in the pam_krb5(5) man page. 319 320 Some configuration options may be put in the krb5.conf file used by your 321 Kerberos libraries (usually /etc/krb5.conf or /usr/local/etc/krb5.conf) 322 instead or in addition to the PAM configuration. See the man page for 323 more details. 324 325 The Kerberos library, via pam-krb5, will prompt the user to change their 326 password if their password is expired, but when using OpenSSH, this will 327 only work when ChallengeResponseAuthentication is enabled. Unless this 328 option is enabled, OpenSSH doesn't pass PAM messages to the user and can 329 only respond to a simple password prompt. 330 331 If you are using MIT Kerberos, be aware that users whose passwords are 332 expired will not be prompted to change their password unless the KDC 333 configuration for your realm in [realms] in krb5.conf contains a 334 master_kdc setting or, if using DNS SRV records, you have a DNS entry 335 for _kerberos-master as well as _kerberos. 336 337DEBUGGING 338 339 The first step when debugging any problems with this module is to add 340 debug to the PAM options for the module (either in the PAM configuration 341 or in krb5.conf). This will significantly increase the logging from the 342 module and should provide a trace of exactly what failed and any 343 available error information. 344 345 Many Kerberos authentication problems are due to configuration issues in 346 krb5.conf. If pam-krb5 doesn't work, first check that kinit works on 347 the same system. That will test your basic Kerberos configuration. If 348 the system has a keytab file installed that's readable by the process 349 doing authentication via PAM, make sure that the keytab is current and 350 contains a key for host/<system> where <system> is the fully-qualified 351 hostname. pam-krb5 prevents KDC spoofing by checking the user's 352 credentials when possible, but this means that if a keytab is present it 353 must be correct or authentication will fail. You can check the keytab 354 with klist -k and kinit -k. 355 356 Be sure that all libraries and modules, including PAM modules, loaded by 357 a program use the same Kerberos libraries. Sometimes programs that use 358 PAM, such as current versions of OpenSSH, also link against Kerberos 359 directly. If your sshd is linked against one set of Kerberos libraries 360 and pam-krb5 is linked against a different set of Kerberos libraries, 361 this will often cause problems (such as segmentation faults, bus errors, 362 assertions, or other strange behavior). Similar issues apply to the 363 com_err library or any other library used by both modules and shared 364 libraries and by the application that loads them. If your OS ships 365 Kerberos libraries, it's usually best if possible to build all Kerberos 366 software on the system against those libraries. 367 368IMPLEMENTATION NOTES 369 370 The normal sequence of actions taken for a user login is: 371 372 pam_authenticate 373 pam_setcred(PAM_ESTABLISH_CRED) 374 pam_open_session 375 pam_acct_mgmt 376 377 and then at logout: 378 379 pam_close_session 380 381 followed by closing the open PAM session. The corresponding pam_sm_* 382 functions in this module are called when an application calls those 383 public interface functions. Not all applications call all of those 384 functions, or in particularly that order, although pam_authenticate is 385 always first and has to be. 386 387 When pam_authenticate is called, pam-krb5 creates a temporary ticket 388 cache in /tmp and sets the PAM environment variable PAM_KRB5CCNAME to 389 point to it. This ticket cache will be automatically destroyed when the 390 PAM session is closed and is there only to pass the initial credentials 391 to the call to pam_setcred. The module would use a memory cache, but 392 memory caches will only work if the application preserves the PAM 393 environment between the calls to pam_authenticate and pam_setcred. Most 394 do, but OpenSSH notoriously does not and calls pam_authenticate in a 395 subprocess, so this method is used to pass the tickets to the 396 pam_setcred call in a different process. 397 398 pam_authenticate does a complete authentication, including checking the 399 resulting TGT by obtaining a service ticket for the local host if 400 possible, but this requires read access to the system keytab. If the 401 keytab doesn't exist, can't be read, or doesn't include the appropriate 402 credentials, the default is to accept the authentication. This can be 403 controlled by setting verify_ap_req_nofail to true in [libdefaults] in 404 /etc/krb5.conf. pam_authenticate also does a basic authorization check, 405 by default calling krb5_kuserok (which uses ~/.k5login if available and 406 falls back to checking that the principal corresponds to the account 407 name). This can be customized with several options documented in the 408 pam_krb5(5) man page. 409 410 pam-krb5 treats pam_open_session and pam_setcred(PAM_ESTABLISH_CRED) as 411 synonymous, as some applications call one and some call the other. Both 412 copy the initial credentials from the temporary cache into a permanent 413 cache for this session and set KRB5CCNAME in the environment. It will 414 remember when the credential cache has been established and then avoid 415 doing any duplicate work afterwards, since some applications call 416 pam_setcred or pam_open_session multiple times (most notably X.Org 7 and 417 earlier xdm, which also throws away the module settings the last time it 418 calls them). 419 420 pam_acct_mgmt finds the ticket cache, reads it in to obtain the 421 authenticated principal, and then does is another authorization check 422 against .k5login or the local account name as described above. 423 424 After the call to pam_setcred or pam_open_session, the ticket cache will 425 be destroyed whenever the calling application either destroys the PAM 426 environment or calls pam_close_session, which it should do on user 427 logout. 428 429 The normal sequence of events when refreshing a ticket cache (such as 430 inside a screensaver) is: 431 432 pam_authenticate 433 pam_setcred(PAM_REINITIALIZE_CRED) 434 pam_acct_mgmt 435 436 (PAM_REFRESH_CRED may be used instead.) Authentication proceeds as 437 above. At the pam_setcred stage, rather than creating a new ticket 438 cache, the module instead finds the current ticket cache (from the 439 KRB5CCNAME environment variable or the default ticket cache location 440 from the Kerberos library) and then reinitializes it with the 441 credentials from the temporary pam_authenticate ticket cache. When 442 refreshing a ticket cache, the application should not open a session. 443 Calling pam_acct_mgmt is optional; pam-krb5 doesn't do anything 444 different when it's called in this case. 445 446 If pam_authenticate apparently didn't succeed, or if an account was 447 configured to be ignored via ignore_root or minimum_uid, pam_setcred 448 (and therefore pam_open_session) and pam_acct_mgmt return PAM_IGNORE, 449 which tells the PAM library to proceed as if that module wasn't listed 450 in the PAM configuration at all. pam_authenticate, however, returns 451 failure in the ignored user case by default, since otherwise a 452 configuration using ignore_root with pam-krb5 as the only PAM module 453 would allow anyone to log in as root without a password. There doesn't 454 appear to be a case where returning PAM_IGNORE instead would improve the 455 module's behavior, but if you know of a case, please let me know. 456 457 By default, pam_authenticate intentionally does not follow the PAM 458 standard for handling expired accounts and instead returns failure from 459 pam_authenticate unless the Kerberos libraries are able to change the 460 account password during authentication. Too many applications either do 461 not call pam_acct_mgmt or ignore its exit status. The fully correct PAM 462 behavior (returning success from pam_authenticate and 463 PAM_NEW_AUTHTOK_REQD from pam_acct_mgmt) can be enabled with the 464 defer_pwchange option. 465 466 The defer_pwchange option is unfortunately somewhat tricky to implement. 467 In this case, the calling sequence is: 468 469 pam_authenticate 470 pam_acct_mgmt 471 pam_chauthtok 472 pam_setcred 473 pam_open_session 474 475 During the first pam_authenticate, we can't obtain credentials and 476 therefore a ticket cache since the password is expired. But 477 pam_authenticate isn't called again after pam_chauthtok, so 478 pam_chauthtok has to create a ticket cache. We however don't want it to 479 do this for the normal password change (passwd) case. 480 481 What we do is set a flag in our PAM data structure saying that we're 482 processing an expired password, and pam_chauthtok, if it sees that flag, 483 redoes the authentication with password prompting disabled after it 484 finishes changing the password. 485 486 Unfortunately, when handling password changes this way, pam_chauthtok 487 will always have to prompt the user for their current password again 488 even though they just typed it. This is because the saved 489 authentication tokens are cleared after pam_authenticate returns, for 490 security reasons. We could hack around this by saving the password in 491 our PAM data structure, but this would let the application gain access 492 to it (exactly what the clearing is intended to prevent) and breaks a 493 PAM library guarantee. We could also work around this by having 494 pam_authenticate get the kadmin/changepw authenticator in the expired 495 password case and store it for pam_chauthtok, but it doesn't seem worth 496 the hassle. 497 498HISTORY AND ACKNOWLEDGEMENTS 499 500 Originally written by Frank Cusack <fcusack@fcusack.com>, with the 501 following acknowledgement: 502 503 Thanks to Naomaru Itoi <itoi@eecs.umich.edu>, Curtis King 504 <curtis.king@cul.ca>, and Derrick Brashear <shadow@dementia.org>, all 505 of whom have written and made available Kerberos 4/5 modules. 506 Although no code in this module is directly from these author's 507 modules, (except the get_user_info() routine in support.c; derived 508 from whichever of these authors originally wrote the first module the 509 other 2 copied from), it was extremely helpful to look over their code 510 which aided in my design. 511 512 The module was then patched for the FreeBSD ports collection with 513 additional modifications by unknown maintainers and then was modified by 514 Joel Kociolek <joko@logidee.com> to be usable with Debian GNU/Linux. 515 516 It was packaged by Sam Hartman as the Kerberos v5 PAM module for Debian 517 and improved and modified by him and later by Russ Allbery to fix bugs 518 and add additional features. It was then adopted by Andres Salomon, who 519 added support for refreshing credentials. 520 521 The current distribution is maintained by Russ Allbery, who also added 522 support for reading configuration from krb5.conf, added many features 523 for compatibility with the Sourceforge module, commented and 524 standardized the formatting of the code, and overhauled the 525 documentation. 526 527 Thanks to Douglas E. Engert for the initial implementation of PKINIT 528 support. I have since modified and reworked it extensively, so any bugs 529 or compilation problems are my fault. 530 531 Thanks to Markus Moeller for lots of debugging and multiple patches and 532 suggestions for improved portability. 533 534 Thanks to Booker Bense for the implementation of the alt_auth_map 535 option. 536 537 Thanks to Sam Hartman for the FAST support implementation. 538 539SUPPORT 540 541 The pam-krb5 web page at: 542 543 https://www.eyrie.org/~eagle/software/pam-krb5/ 544 545 will always have the current version of this package, the current 546 documentation, and pointers to any additional resources. 547 548 For bug tracking, use the issue tracker on GitHub: 549 550 https://github.com/rra/pam-krb5/issues 551 552 However, please be aware that I tend to be extremely busy and work 553 projects often take priority. I'll save your report and get to it as 554 soon as I can, but it may take me a couple of months. 555 556SOURCE REPOSITORY 557 558 pam-krb5 is maintained using Git. You can access the current source on 559 GitHub at: 560 561 https://github.com/rra/pam-krb5 562 563 or by cloning the repository at: 564 565 https://git.eyrie.org/git/kerberos/pam-krb5.git 566 567 or view the repository via the web at: 568 569 https://git.eyrie.org/?p=kerberos/pam-krb5.git 570 571 The eyrie.org repository is the canonical one, maintained by the author, 572 but using GitHub is probably more convenient for most purposes. Pull 573 requests are gratefully reviewed and normally accepted. 574 575LICENSE 576 577 The pam-krb5 package as a whole is covered by the following copyright 578 statement and license: 579 580 Copyright 2005-2010, 2014-2015, 2017, 2020 581 Russ Allbery <eagle@eyrie.org> 582 Copyright 2009-2011 583 The Board of Trustees of the Leland Stanford Junior University 584 Copyright 2005 Andres Salomon <dilinger@debian.org> 585 Copyright 1999-2000 Frank Cusack <fcusack@fcusack.com> 586 587 Redistribution and use in source and binary forms, with or without 588 modification, are permitted provided that the following conditions are 589 met: 590 591 1. Redistributions of source code must retain the above copyright 592 notice, and the entire permission notice in its entirety, including 593 the disclaimer of warranties. 594 595 2. Redistributions in binary form must reproduce the above copyright 596 notice, this list of conditions and the following disclaimer in the 597 documentation and/or other materials provided with the distribution. 598 599 3. The name of the author may not be used to endorse or promote products 600 derived from this software without specific prior written permission. 601 602 ALTERNATIVELY, this product may be distributed under the terms of the 603 GNU General Public License, in which case the provisions of the GPL 604 are required INSTEAD OF the above restrictions. (This clause is 605 necessary due to a potential bad interaction between the GPL and the 606 restrictions contained in a BSD-style copyright.) 607 608 THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED 609 WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF 610 MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 611 IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 612 INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, 613 BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS 614 OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND 615 ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR 616 TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 617 USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH 618 DAMAGE. 619 620 Some files in this distribution are individually released under 621 different licenses, all of which are compatible with the above general 622 package license but which may require preservation of additional 623 notices. All required notices, and detailed information about the 624 licensing of each file, are recorded in the LICENSE file. 625 626 Files covered by a license with an assigned SPDX License Identifier 627 include SPDX-License-Identifier tags to enable automated processing of 628 license information. See https://spdx.org/licenses/ for more 629 information. 630 631 For any copyright range specified by files in this package as YYYY-ZZZZ, 632 the range specifies every single year in that closed interval. 633