1Either MIT Kerberos (or Kerberos implementations based on it) or Heimdal 2are supported. MIT Keberos 1.3 or later may be required; this module has 3not been tested with earlier versions. 4 5For PKINIT support, Heimdal 0.8rc1 or later or MIT Kerberos 1.6.3 or later 6are required. Earlier MIT Kerberos 1.6 releases have a bug in their 7handling of PKINIT options. MIT Kerberos 1.12 or later is required to use 8the use_pkinit PAM option. 9 10For FAST (Flexible Authentication Secure Tunneling) support, MIT Kerberos 111.7 or higher is required. For anonymous FAST support, anonymous 12authentication (generally anonymous PKINIT) support is required in both 13the Kerberos libraries and in the local KDC. 14 15This module should work on Linux and build with gcc or clang. It may 16still work on Solaris and build with the Sun C compiler, but I have only 17tested it on Linux recently. There is beta-quality support for the AIX 18NAS Kerberos implementation that has not been tested in years. Other PAM 19implementations will probably require some porting, although untested 20build system support is present for FreeBSD, Mac OS X, and HP-UX. I 21personally can only test on Linux and rely on others to report problems on 22other operating systems. 23 24Old versions of OpenSSH are known to call `pam_authenticate` followed by 25`pam_setcred(PAM_REINITIALIZE_CRED)` without first calling 26`pam_open_session`, thereby requesting that an existing ticket cache be 27renewed (similar to what a screensaver would want) rather than requesting 28a new ticket cache be created. Since this behavior is indistinguishable 29at the PAM level from a screensaver, pam-krb5 when used with these old 30versions of OpenSSH will refresh the ticket cache of the OpenSSH daemon 31rather than setting up a new ticket cache for the user. The resulting 32ticket cache will have the correct permissions (this is not a security 33concern), but will not be named correctly or referenced in the user's 34environment and will be overwritten by the next user login. The best 35solution to this problem is to upgrade OpenSSH. I'm not sure exactly when 36this problem was fixed, but at the very least OpenSSH 4.3 and later do not 37exhibit it. 38