Last modified on 09/13/12 15:03:26


The pam_krb5 module allows PAM-aware applications to authenticate users by performing an AS exchange with a Kerberos KDC. It can optionally set up AFS tokens for a user's session.

Releases can be expected to be buildable against MIT Kerberos versions 1.6.1 and later and Heimdal 1.0.2 and later.

The module aims to work with minimal (ideally, no) configuration beyond that provided to the Kerberos library itself.



  • Versions 2.2.11 through 2.2.28 and 2.3.0 through 2.3.4 are vulnerable to CVE-2009-1384: the password prompt could vary based on whether or not a user name was known to the local system and on whether or not the client's principal name was known to the KDC. Versions 2.2.29 and 2.3.5 fix this bug.
  • Versions 2.2.0 through 2.2.25 and 2.3.0 through 2.3.1 are vulnerable to CVE-2008-3825: when using the "existing_ticket" option in a setuid/setgid context, the permissions on the existing credential cache are not enforced correctly. Versions 2.2.26 and 2.3.2 fix this bug.

