Configuration Guide for Kerberos Client Products on HP-UX 11.0 | HP-UX 11i v1 | HP-UX 11i v1.6 | HP-UX 11i v2
Introduction to the Kerberos Products and GSS-API
PAM Kerberos
The Authentication Module supports seven options: use_first_pass,
krb_prompt, try_first_pass, renewable=<time>, forwardable,
proxiable, debug, and ignore.
The following paragraphs list and describe each of these options.
Option            Definition

use_first_pass
    Uses the same password given to the first module configured for authentication in the pam.conf file (see Figure 2-1 on page 28). The module should not prompt for the password if the user cannot be authenticated by the first password.

    This option is used when the system administrator wants to enforce the same password across multiple modules.

    In the following code fragment from a pam.conf file, both libpam_krb5.1 and libpam_unix.1 are defined in the PAM stack as authentication modules. If a user is not authenticated under libpam_unix.1, PAM tries to authenticate the user through libpam_krb5.1 using the same password used with libpam_unix.1. If the authentication fails, PAM does not prompt for another password.

    Table 2-2 On HP-UX 11.0 and 11i

    login auth sufficient /usr/lib/security/libpam_unix.1
    login auth required /usr/lib/security/libpam_krb5.1 use_first_pass

    Table 2-3 On HP-UX 11i v1 and 11i v2

    login auth sufficient /usr/lib/security/libpam_unix.1
    login auth required /usr/lib/security/$ISA/libpam_krb5.so.1 use_first_pass

krb_prompt
    This option allows the administrator to change the password prompt. When set, the password prompt displayed is "Kerberos Password".

try_first_pass
    Same as the use_first_pass option (previous item), except that if the primary password is not valid, PAM will prompt for a password.
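
The stacking rule described under use_first_pass and try_first_pass can be checked mechanically. The following is an added example, not part of the HP guide or of any HP tool: it parses pam.conf-style text and flags auth stacks where a later module would prompt a second time or where the first module is told to reuse a password that does not exist yet. The function names, the "ftp" sample lines and the wording of the findings are assumptions made for illustration.

```python
# Added example: audit the auth stacks in pam.conf-style text.
# Each entry has the form: service  module_type  control_flag  module_path  [options...]
PASS_OPTS = {"use_first_pass", "try_first_pass"}

# Constructed sample. The "login" lines follow Table 2-2; the "ftp" lines are
# hypothetical and deliberately misordered to trigger both findings.
SAMPLE = """\
# service  type  control     module path                        options
login  auth  sufficient  /usr/lib/security/libpam_unix.1
login  auth  required    /usr/lib/security/libpam_krb5.1  use_first_pass
ftp    auth  required    /usr/lib/security/libpam_krb5.1  use_first_pass
ftp    auth  required    /usr/lib/security/libpam_unix.1
"""

def parse_auth_stacks(text):
    """Return {service: [(control, module_path, [options]), ...]} for auth entries, in file order."""
    stacks = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()      # drop comments, split on whitespace
        if len(fields) < 4 or fields[1] != "auth":
            continue                               # blank, malformed, or not an auth entry
        service, _, control, path = fields[:4]
        stacks.setdefault(service, []).append((control, path, fields[4:]))
    return stacks

def audit(text):
    """Return a sorted list of (service, module_path, finding) tuples."""
    findings = []
    for service, stack in parse_auth_stacks(text).items():
        for pos, (_control, path, opts) in enumerate(stack):
            reuse = PASS_OPTS.intersection(opts)
            if pos == 0 and "use_first_pass" in reuse:
                # Nothing has collected a password yet, and the module must not prompt.
                findings.append((service, path, "use_first_pass on first module: no earlier password to reuse"))
            elif pos > 0 and not reuse:
                # A later module without either option asks for its own password.
                findings.append((service, path, "no use_first_pass/try_first_pass: module prompts again"))
            elif len(reuse) == 2:
                findings.append((service, path, "both use_first_pass and try_first_pass set"))
    return sorted(findings)

if __name__ == "__main__":
    for service, path, finding in audit(SAMPLE):
        print(f"{service}: {path}: {finding}")
```

The "login" stack from Table 2-2 produces no findings; only the constructed "ftp" stack is reported.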