1                               pam-krb5 4.9
2                 (PAM module for Kerberos authentication)
3               Maintained by Russ Allbery <eagle@eyrie.org>
4
5  Copyright 2005-2010, 2014-2015, 2017, 2020 Russ Allbery
6  <eagle@eyrie.org>.  Copyright 2009-2011 The Board of Trustees of the
7  Leland Stanford Junior University.  Copyright 2005 Andres Salomon
8  <dilinger@debian.org>.  Copyright 1999-2000 Frank Cusack
9  <fcusack@fcusack.com>.  This software is distributed under a BSD-style
10  license.  Please see the section LICENSE below for more information.
11
12BLURB
13
14  pam-krb5 is a Kerberos PAM module for either MIT Kerberos or Heimdal.
15  It supports ticket refreshing by screen savers, configurable
16  authorization handling, authentication of non-local accounts for network
17  services, password changing, and password expiration, as well as all the
18  standard expected PAM features.  It works correctly with OpenSSH, even
19  with ChallengeResponseAuthentication and PrivilegeSeparation enabled,
20  and supports extensive configuration either by PAM options or in
21  krb5.conf or both.  PKINIT is supported with recent versions of both MIT
22  Kerberos and Heimdal and FAST is supported with recent MIT Kerberos.
23
24DESCRIPTION
25
26  pam-krb5 provides a Kerberos PAM module that supports authentication,
27  user ticket cache handling, simple authorization (via .k5login or
28  checking Kerberos principals against local usernames), and password
29  changing.  It can be configured through either options in the PAM
30  configuration itself or through entries in the system krb5.conf file,
31  and it tries to work around PAM implementation flaws in commonly-used
32  PAM-enabled applications such as OpenSSH and xdm.  It supports both
33  PKINIT and FAST to the extent that the underlying Kerberos libraries
34  support these features.
35
36  This is not the Kerberos PAM module maintained on Sourceforge and used
37  on Red Hat systems.  It is an independent implementation that, if it
38  ever shared any common code, diverged long ago.  It supports some
39  features that the Sourceforge module does not (particularly around
40  authorization), and does not support some options (particularly ones not
41  directly related to Kerberos) that it does.  This module will never
42  support Kerberos v4 or AFS.  For an AFS session module that works with
43  this module (or any other Kerberos PAM module), see pam-afs-session [1].
44
45  [1] https://www.eyrie.org/~eagle/software/pam-afs-session/
46
47  If there are other options besides AFS and Kerberos v4 support from the
48  Sourceforge PAM module that you're missing in this module, please let me
49  know.
50
51REQUIREMENTS
52
53  Either MIT Kerberos (or Kerberos implementations based on it) or Heimdal
54  are supported.  MIT Keberos 1.3 or later may be required; this module
55  has not been tested with earlier versions.
56
57  For PKINIT support, Heimdal 0.8rc1 or later or MIT Kerberos 1.6.3 or
58  later are required.  Earlier MIT Kerberos 1.6 releases have a bug in
59  their handling of PKINIT options.  MIT Kerberos 1.12 or later is
60  required to use the use_pkinit PAM option.
61
62  For FAST (Flexible Authentication Secure Tunneling) support, MIT
63  Kerberos 1.7 or higher is required.  For anonymous FAST support,
64  anonymous authentication (generally anonymous PKINIT) support is
65  required in both the Kerberos libraries and in the local KDC.
66
67  This module should work on Linux and build with gcc or clang.  It may
68  still work on Solaris and build with the Sun C compiler, but I have only
69  tested it on Linux recently.  There is beta-quality support for the AIX
70  NAS Kerberos implementation that has not been tested in years.  Other
71  PAM implementations will probably require some porting, although
72  untested build system support is present for FreeBSD, Mac OS X, and
73  HP-UX.  I personally can only test on Linux and rely on others to report
74  problems on other operating systems.
75
76  Old versions of OpenSSH are known to call pam_authenticate followed by
77  pam_setcred(PAM_REINITIALIZE_CRED) without first calling
78  pam_open_session, thereby requesting that an existing ticket cache be
79  renewed (similar to what a screensaver would want) rather than
80  requesting a new ticket cache be created.  Since this behavior is
81  indistinguishable at the PAM level from a screensaver, pam-krb5 when
82  used with these old versions of OpenSSH will refresh the ticket cache of
83  the OpenSSH daemon rather than setting up a new ticket cache for the
84  user.  The resulting ticket cache will have the correct permissions
85  (this is not a security concern), but will not be named correctly or
86  referenced in the user's environment and will be overwritten by the next
87  user login.  The best solution to this problem is to upgrade OpenSSH.
88  I'm not sure exactly when this problem was fixed, but at the very least
89  OpenSSH 4.3 and later do not exhibit it.
90
91  To bootstrap from a Git checkout, or if you change the Automake files
92  and need to regenerate Makefile.in, you will need Automake 1.11 or
93  later.  For bootstrap or if you change configure.ac or any of the m4
94  files it includes and need to regenerate configure or config.h.in, you
95  will need Autoconf 2.64 or later.  Perl is also required to generate
96  manual pages from a fresh Git checkout.
97
98BUILDING AND INSTALLATION
99
100  You can build and install pam-krb5 with the standard commands:
101
102      ./configure
103      make
104      make install
105
106  If you are building from a Git clone, first run ./bootstrap in the
107  source directory to generate the build files.  make install will
108  probably have to be done as root.  Building outside of the source
109  directory is also supported, if you wish, by creating an empty directory
110  and then running configure with the correct relative path.
111
112  The module will be installed in /usr/local/lib/security by default,
113  except on 64-bit versions of Linux which will use
114  /usr/local/lib64/security to match the default PAM configuration.  You
115  can change the installation locations with the --prefix, --mandir, and
116  --libdir options to configure.  The module will always be installed in a
117  subdirectory named security under the specified libdir.  On Linux, use
118  --prefix=/usr to install the man page into /usr/share/man and the PAM
119  module in /lib/security or /lib64/security.
120
121  Normally, configure will use krb5-config to determine the flags to use
122  to compile with your Kerberos libraries.  To specify a particular
123  krb5-config script to use, either set the PATH_KRB5_CONFIG environment
124  variable or pass it to configure like:
125
126      ./configure PATH_KRB5_CONFIG=/path/to/krb5-config
127
128  If krb5-config isn't found, configure will look for the standard
129  Kerberos libraries in locations already searched by your compiler.  If
130  the the krb5-config script first in your path is not the one
131  corresponding to the Kerberos libraries you want to use, or if your
132  Kerberos libraries and includes aren't in a location searched by default
133  by your compiler, you need to specify a different Kerberos installation
134  root via --with-krb5=PATH.  For example:
135
136      ./configure --with-krb5=/usr/pubsw
137
138  You can also individually set the paths to the include directory and the
139  library directory with --with-krb5-include and --with-krb5-lib.  You may
140  need to do this if Autoconf can't figure out whether to use lib, lib32,
141  or lib64 on your platform.
142
143  To not use krb5-config and force library probing even if there is a
144  krb5-config script on your path, set PATH_KRB5_CONFIG to a nonexistent
145  path:
146
147      ./configure PATH_KRB5_CONFIG=/nonexistent
148
149  krb5-config is not used and library probing is always done if either
150  --with-krb5-include or --with-krb5-lib are given.
151
152  Pass --enable-silent-rules to configure for a quieter build (similar to
153  the Linux kernel).  Use make warnings instead of make to build with full
154  compiler warnings (requires either GCC or Clang and may require a
155  relatively current version of the compiler).
156
157  You can pass the --enable-reduced-depends flag to configure to try to
158  minimize the shared library dependencies encoded in the binaries.  This
159  omits from the link line all the libraries included solely because other
160  libraries depend on them and instead links the programs only against
161  libraries whose APIs are called directly.  This will only work with
162  shared libraries and will only work on platforms where shared libraries
163  properly encode their own dependencies (this includes most modern
164  platforms such as all Linux).  It is intended primarily for building
165  packages for Linux distributions to avoid encoding unnecessary shared
166  library dependencies that make shared library migrations more difficult.
167  If none of the above made any sense to you, don't bother with this flag.
168
169TESTING
170
171  pam-krb5 comes with a comprehensive test suite, but it requires some
172  configuration in order to test anything other than low-level utility
173  functions.  For the full test suite, you will need to have a running KDC
174  in which you can create two test accounts, one with admin access to the
175  other.  Using a test KDC environment, if you have one, is recommended.
176
177  Follow the instructions in tests/config/README to configure the test
178  suite.
179
180  Now, you can run the test suite with:
181
182      make check
183
184  If a test fails, you can run a single test with verbose output via:
185
186      tests/runtests -o <name-of-test>
187
188  Do this instead of running the test program directly since it will
189  ensure that necessary environment variables are set up.
190
191  The default libkadm5clnt library on the system must match the
192  implementation of your KDC for the module/expired test to work, since
193  the two kadmin protocols are not compatible.  If you use the MIT library
194  against a Heimdal server, the test will be skipped; if you use the
195  Heimdal library against an MIT server, the test suite may hang.
196
197  Several module/expired tests are expected to fail with Heimdal 1.5 due
198  to a bug in Heimdal with reauthenticating immediately after a
199  library-mediated password change of an expired password.  This is fixed
200  in later releases of Heimdal.
201
202  To run the full test suite, Perl 5.8 or later is required.  The
203  following additional Perl modules will be used if present:
204
205  * Test::Pod
206  * Test::Spelling
207
208  All are available on CPAN.  Those tests will be skipped if the modules
209  are not available.
210
211CONFIGURING
212
213  Just installing the module does not enable it or change anything about
214  your system authentication configuration.  To use the module for all
215  system authentication on Debian systems, put something like:
216
217      auth  sufficient   pam_krb5.so minimum_uid=1000
218      auth  required     pam_unix.so try_first_pass nullok_secure
219
220  in /etc/pam.d/common-auth, something like:
221
222      session  optional  pam_krb5.so minimum_uid=1000
223      session  required  pam_unix.so
224
225  in /etc/pam.d/common-session, and something like:
226
227      account  required  pam_krb5.so minimum_uid=1000
228      account  required  pam_unix.so
229
230  in /etc/pam.d/common-account.  The minimum_uid setting tells the PAM
231  module to pass on any users with a UID lower than 1000, thereby
232  bypassing Kerberos authentication for the root account and any system
233  accounts.  You normally want to do this since otherwise, if the network
234  is down, the Kerberos authentication can time out and make it difficult
235  to log in as root and fix matters.  This also avoids problems with
236  Kerberos principals that happen to match system accounts accidentally
237  getting access to those accounts.
238
239  Be sure to include the module in the session group as well as the auth
240  group.  Without the session entry, the user's ticket cache will not be
241  created properly for ssh logins (among possibly others).
242
243  If your users should normally all use Kerberos passwords exclusively,
244  putting something like:
245
246      password sufficient pam_krb5.so minimum_uid=1000
247      password required   pam_unix.so try_first_pass obscure md5
248
249  in /etc/pam.d/common-password will change users' passwords in Kerberos
250  by default and then only fall back on Unix if that doesn't work.  (You
251  can make this tighter by using the more complex new-style PAM
252  configuration.)  If you instead want to synchronize local and Kerberos
253  passwords and change them both at the same time, you can do something
254  like:
255
256      password required   pam_unix.so obscure sha512
257      password required   pam_krb5.so use_authtok minimum_uid=1000
258
259  If you have multiple environments that you want to synchronize and you
260  don't want password changes to continue if the Kerberos password change
261  fails, use the clear_on_fail option.  For example:
262
263      password required   pam_krb5.so clear_on_fail minimum_uid=1000
264      password required   pam_unix.so use_authtok obscure sha512
265      password required   pam_smbpass.so use_authtok
266
267  In this case, if pam_krb5 cannot change the password (due to password
268  strength rules on the KDC, for example), it will clear the stored
269  password (because of the clear_on_fail option), and since pam_unix and
270  pam_smbpass are both configured with use_authtok, they will both fail.
271  clear_on_fail is not the default because it would interfere with the
272  more common pattern of falling back to local passwords if the user
273  doesn't exist in Kerberos.
274
275  If you use a more complex configuration with the Linux PAM [] syntax for
276  the session and account groups, note that pam_krb5 returns a status of
277  ignore, not success, if the user didn't log on with Kerberos.  You may
278  need to handle that explicitly with ignore=ignore in your action list.
279
280  There are many, many other possibilities.  See the Linux PAM
281  documentation for all the configuration options.
282
283  On Red Hat systems, modify /etc/pam.d/system-auth instead, which
284  contains all of the configuration for the different stacks.
285
286  You can also use pam-krb5 only for specific services.  In that case,
287  modify the files in /etc/pam.d for that particular service to use
288  pam_krb5.so for authentication.  For services that are using passwords
289  over TLS to authenticate users, you may want to use the ignore_k5login
290  and no_ccache options to the authenticate module.  .k5login
291  authorization is only meaningful for local accounts and ticket caches
292  are usually (although not always) only useful for interactive sessions.
293
294  Configuring the module for Solaris is both simpler and less flexible,
295  since Solaris (at least Solaris 8 and 9, which are the last versions of
296  Solaris with which this module was extensively tested) use a single
297  /etc/pam.conf file that contains configuration for all programs.  For
298  console login on Solaris, try something like:
299
300      login auth sufficient /usr/local/lib/security/pam_krb5.so minimum_uid=100
301      login auth required /usr/lib/security/pam_unix_auth.so.1 use_first_pass
302      login account required /usr/local/lib/security/pam_krb5.so minimum_uid=100
303      login account required /usr/lib/security/pam_unix_account.so.1
304      login session required /usr/local/lib/security/pam_krb5.so retain_after_close minimum_uid=100
305      login session required /usr/lib/security/pam_unix_session.so.1
306
307  A similar configuration could be used for other services, such as ssh.
308  See the pam.conf(5) man page for more information.  When using this
309  module with Solaris login (at least on Solaris 8 and 9), you will
310  probably also need to add retain_after_close to the PAM configuration to
311  avoid having the user's credentials deleted before they are logged in.
312
313  The Solaris Kerberos library reportedly does not support prompting for a
314  password change of an expired account during authentication.  Supporting
315  password change for expired accounts on Solaris with native Kerberos may
316  therefore require setting the defer_pwchange or force_pwchange option
317  for selected login applications.  See the description and warnings about
318  that option in the pam_krb5(5) man page.
319
320  Some configuration options may be put in the krb5.conf file used by your
321  Kerberos libraries (usually /etc/krb5.conf or /usr/local/etc/krb5.conf)
322  instead or in addition to the PAM configuration.  See the man page for
323  more details.
324
325  The Kerberos library, via pam-krb5, will prompt the user to change their
326  password if their password is expired, but when using OpenSSH, this will
327  only work when ChallengeResponseAuthentication is enabled.  Unless this
328  option is enabled, OpenSSH doesn't pass PAM messages to the user and can
329  only respond to a simple password prompt.
330
331  If you are using MIT Kerberos, be aware that users whose passwords are
332  expired will not be prompted to change their password unless the KDC
333  configuration for your realm in [realms] in krb5.conf contains a
334  master_kdc setting or, if using DNS SRV records, you have a DNS entry
335  for _kerberos-master as well as _kerberos.
336
337DEBUGGING
338
339  The first step when debugging any problems with this module is to add
340  debug to the PAM options for the module (either in the PAM configuration
341  or in krb5.conf).  This will significantly increase the logging from the
342  module and should provide a trace of exactly what failed and any
343  available error information.
344
345  Many Kerberos authentication problems are due to configuration issues in
346  krb5.conf.  If pam-krb5 doesn't work, first check that kinit works on
347  the same system.  That will test your basic Kerberos configuration.  If
348  the system has a keytab file installed that's readable by the process
349  doing authentication via PAM, make sure that the keytab is current and
350  contains a key for host/<system> where <system> is the fully-qualified
351  hostname.  pam-krb5 prevents KDC spoofing by checking the user's
352  credentials when possible, but this means that if a keytab is present it
353  must be correct or authentication will fail.  You can check the keytab
354  with klist -k and kinit -k.
355
356  Be sure that all libraries and modules, including PAM modules, loaded by
357  a program use the same Kerberos libraries.  Sometimes programs that use
358  PAM, such as current versions of OpenSSH, also link against Kerberos
359  directly.  If your sshd is linked against one set of Kerberos libraries
360  and pam-krb5 is linked against a different set of Kerberos libraries,
361  this will often cause problems (such as segmentation faults, bus errors,
362  assertions, or other strange behavior).  Similar issues apply to the
363  com_err library or any other library used by both modules and shared
364  libraries and by the application that loads them.  If your OS ships
365  Kerberos libraries, it's usually best if possible to build all Kerberos
366  software on the system against those libraries.
367
368IMPLEMENTATION NOTES
369
370  The normal sequence of actions taken for a user login is:
371
372      pam_authenticate
373      pam_setcred(PAM_ESTABLISH_CRED)
374      pam_open_session
375      pam_acct_mgmt
376
377  and then at logout:
378
379      pam_close_session
380
381  followed by closing the open PAM session.  The corresponding pam_sm_*
382  functions in this module are called when an application calls those
383  public interface functions.  Not all applications call all of those
384  functions, or in particularly that order, although pam_authenticate is
385  always first and has to be.
386
387  When pam_authenticate is called, pam-krb5 creates a temporary ticket
388  cache in /tmp and sets the PAM environment variable PAM_KRB5CCNAME to
389  point to it.  This ticket cache will be automatically destroyed when the
390  PAM session is closed and is there only to pass the initial credentials
391  to the call to pam_setcred.  The module would use a memory cache, but
392  memory caches will only work if the application preserves the PAM
393  environment between the calls to pam_authenticate and pam_setcred.  Most
394  do, but OpenSSH notoriously does not and calls pam_authenticate in a
395  subprocess, so this method is used to pass the tickets to the
396  pam_setcred call in a different process.
397
398  pam_authenticate does a complete authentication, including checking the
399  resulting TGT by obtaining a service ticket for the local host if
400  possible, but this requires read access to the system keytab.  If the
401  keytab doesn't exist, can't be read, or doesn't include the appropriate
402  credentials, the default is to accept the authentication.  This can be
403  controlled by setting verify_ap_req_nofail to true in [libdefaults] in
404  /etc/krb5.conf.  pam_authenticate also does a basic authorization check,
405  by default calling krb5_kuserok (which uses ~/.k5login if available and
406  falls back to checking that the principal corresponds to the account
407  name).  This can be customized with several options documented in the
408  pam_krb5(5) man page.
409
410  pam-krb5 treats pam_open_session and pam_setcred(PAM_ESTABLISH_CRED) as
411  synonymous, as some applications call one and some call the other.  Both
412  copy the initial credentials from the temporary cache into a permanent
413  cache for this session and set KRB5CCNAME in the environment.  It will
414  remember when the credential cache has been established and then avoid
415  doing any duplicate work afterwards, since some applications call
416  pam_setcred or pam_open_session multiple times (most notably X.Org 7 and
417  earlier xdm, which also throws away the module settings the last time it
418  calls them).
419
420  pam_acct_mgmt finds the ticket cache, reads it in to obtain the
421  authenticated principal, and then does is another authorization check
422  against .k5login or the local account name as described above.
423
424  After the call to pam_setcred or pam_open_session, the ticket cache will
425  be destroyed whenever the calling application either destroys the PAM
426  environment or calls pam_close_session, which it should do on user
427  logout.
428
429  The normal sequence of events when refreshing a ticket cache (such as
430  inside a screensaver) is:
431
432      pam_authenticate
433      pam_setcred(PAM_REINITIALIZE_CRED)
434      pam_acct_mgmt
435
436  (PAM_REFRESH_CRED may be used instead.)  Authentication proceeds as
437  above.  At the pam_setcred stage, rather than creating a new ticket
438  cache, the module instead finds the current ticket cache (from the
439  KRB5CCNAME environment variable or the default ticket cache location
440  from the Kerberos library) and then reinitializes it with the
441  credentials from the temporary pam_authenticate ticket cache.  When
442  refreshing a ticket cache, the application should not open a session.
443  Calling pam_acct_mgmt is optional; pam-krb5 doesn't do anything
444  different when it's called in this case.
445
446  If pam_authenticate apparently didn't succeed, or if an account was
447  configured to be ignored via ignore_root or minimum_uid, pam_setcred
448  (and therefore pam_open_session) and pam_acct_mgmt return PAM_IGNORE,
449  which tells the PAM library to proceed as if that module wasn't listed
450  in the PAM configuration at all.  pam_authenticate, however, returns
451  failure in the ignored user case by default, since otherwise a
452  configuration using ignore_root with pam-krb5 as the only PAM module
453  would allow anyone to log in as root without a password.  There doesn't
454  appear to be a case where returning PAM_IGNORE instead would improve the
455  module's behavior, but if you know of a case, please let me know.
456
457  By default, pam_authenticate intentionally does not follow the PAM
458  standard for handling expired accounts and instead returns failure from
459  pam_authenticate unless the Kerberos libraries are able to change the
460  account password during authentication.  Too many applications either do
461  not call pam_acct_mgmt or ignore its exit status.  The fully correct PAM
462  behavior (returning success from pam_authenticate and
463  PAM_NEW_AUTHTOK_REQD from pam_acct_mgmt) can be enabled with the
464  defer_pwchange option.
465
466  The defer_pwchange option is unfortunately somewhat tricky to implement.
467  In this case, the calling sequence is:
468
469      pam_authenticate
470      pam_acct_mgmt
471      pam_chauthtok
472      pam_setcred
473      pam_open_session
474
475  During the first pam_authenticate, we can't obtain credentials and
476  therefore a ticket cache since the password is expired.  But
477  pam_authenticate isn't called again after pam_chauthtok, so
478  pam_chauthtok has to create a ticket cache.  We however don't want it to
479  do this for the normal password change (passwd) case.
480
481  What we do is set a flag in our PAM data structure saying that we're
482  processing an expired password, and pam_chauthtok, if it sees that flag,
483  redoes the authentication with password prompting disabled after it
484  finishes changing the password.
485
486  Unfortunately, when handling password changes this way, pam_chauthtok
487  will always have to prompt the user for their current password again
488  even though they just typed it.  This is because the saved
489  authentication tokens are cleared after pam_authenticate returns, for
490  security reasons.  We could hack around this by saving the password in
491  our PAM data structure, but this would let the application gain access
492  to it (exactly what the clearing is intended to prevent) and breaks a
493  PAM library guarantee.  We could also work around this by having
494  pam_authenticate get the kadmin/changepw authenticator in the expired
495  password case and store it for pam_chauthtok, but it doesn't seem worth
496  the hassle.
497
498HISTORY AND ACKNOWLEDGEMENTS
499
500  Originally written by Frank Cusack <fcusack@fcusack.com>, with the
501  following acknowledgement:
502
503    Thanks to Naomaru Itoi <itoi@eecs.umich.edu>, Curtis King
504    <curtis.king@cul.ca>, and Derrick Brashear <shadow@dementia.org>, all
505    of whom have written and made available Kerberos 4/5 modules.
506    Although no code in this module is directly from these author's
507    modules, (except the get_user_info() routine in support.c; derived
508    from whichever of these authors originally wrote the first module the
509    other 2 copied from), it was extremely helpful to look over their code
510    which aided in my design.
511
512  The module was then patched for the FreeBSD ports collection with
513  additional modifications by unknown maintainers and then was modified by
514  Joel Kociolek <joko@logidee.com> to be usable with Debian GNU/Linux.
515
516  It was packaged by Sam Hartman as the Kerberos v5 PAM module for Debian
517  and improved and modified by him and later by Russ Allbery to fix bugs
518  and add additional features.  It was then adopted by Andres Salomon, who
519  added support for refreshing credentials.
520
521  The current distribution is maintained by Russ Allbery, who also added
522  support for reading configuration from krb5.conf, added many features
523  for compatibility with the Sourceforge module, commented and
524  standardized the formatting of the code, and overhauled the
525  documentation.
526
527  Thanks to Douglas E. Engert for the initial implementation of PKINIT
528  support.  I have since modified and reworked it extensively, so any bugs
529  or compilation problems are my fault.
530
531  Thanks to Markus Moeller for lots of debugging and multiple patches and
532  suggestions for improved portability.
533
534  Thanks to Booker Bense for the implementation of the alt_auth_map
535  option.
536
537  Thanks to Sam Hartman for the FAST support implementation.
538
539SUPPORT
540
541  The pam-krb5 web page at:
542
543      https://www.eyrie.org/~eagle/software/pam-krb5/
544
545  will always have the current version of this package, the current
546  documentation, and pointers to any additional resources.
547
548  For bug tracking, use the issue tracker on GitHub:
549
550      https://github.com/rra/pam-krb5/issues
551
552  However, please be aware that I tend to be extremely busy and work
553  projects often take priority.  I'll save your report and get to it as
554  soon as I can, but it may take me a couple of months.
555
556SOURCE REPOSITORY
557
558  pam-krb5 is maintained using Git.  You can access the current source on
559  GitHub at:
560
561      https://github.com/rra/pam-krb5
562
563  or by cloning the repository at:
564
565      https://git.eyrie.org/git/kerberos/pam-krb5.git
566
567  or view the repository via the web at:
568
569      https://git.eyrie.org/?p=kerberos/pam-krb5.git
570
571  The eyrie.org repository is the canonical one, maintained by the author,
572  but using GitHub is probably more convenient for most purposes.  Pull
573  requests are gratefully reviewed and normally accepted.
574
575LICENSE
576
577  The pam-krb5 package as a whole is covered by the following copyright
578  statement and license:
579
580    Copyright 2005-2010, 2014-2015, 2017, 2020
581        Russ Allbery <eagle@eyrie.org>
582    Copyright 2009-2011
583        The Board of Trustees of the Leland Stanford Junior University
584    Copyright 2005 Andres Salomon <dilinger@debian.org>
585    Copyright 1999-2000 Frank Cusack <fcusack@fcusack.com>
586
587    Redistribution and use in source and binary forms, with or without
588    modification, are permitted provided that the following conditions are
589    met:
590
591    1. Redistributions of source code must retain the above copyright
592       notice, and the entire permission notice in its entirety, including
593       the disclaimer of warranties.
594
595    2. Redistributions in binary form must reproduce the above copyright
596       notice, this list of conditions and the following disclaimer in the
597       documentation and/or other materials provided with the distribution.
598
599    3. The name of the author may not be used to endorse or promote products
600       derived from this software without specific prior written permission.
601
602    ALTERNATIVELY, this product may be distributed under the terms of the
603    GNU General Public License, in which case the provisions of the GPL
604    are required INSTEAD OF the above restrictions.  (This clause is
605    necessary due to a potential bad interaction between the GPL and the
606    restrictions contained in a BSD-style copyright.)
607
608    THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
609    WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
610    MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
611    IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
612    INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
613    BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
614    OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
615    ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR
616    TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
617    USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
618    DAMAGE.
619
620  Some files in this distribution are individually released under
621  different licenses, all of which are compatible with the above general
622  package license but which may require preservation of additional
623  notices.  All required notices, and detailed information about the
624  licensing of each file, are recorded in the LICENSE file.
625
626  Files covered by a license with an assigned SPDX License Identifier
627  include SPDX-License-Identifier tags to enable automated processing of
628  license information.  See https://spdx.org/licenses/ for more
629  information.
630
631  For any copyright range specified by files in this package as YYYY-ZZZZ,
632  the range specifies every single year in that closed interval.
633