Configuration Guide for Kerberos Client Products on HP-UX 11.0 | HP-UX 11i v1 | HP-UX 11i v1.6 | HP-UX 11i v2

Introduction to the Kerberos Products and GSS-API
PAM Kerberos
Chapter 2
In the following code fragment from a pam.conf file, both libpam_krb5.1 and libpam_unix.1 are defined in the PAM stack as authentication modules. If a user is not authenticated under libpam_unix.1, PAM tries to authenticate the user through libpam_krb5.1 using the same password that is used with libpam_unix.1. If the authentication fails, PAM prompts for another password and tries again.

Table 2-4 On HP-UX 11.0 and 11i

login auth sufficient /usr/lib/security/libpam_unix.1
login auth required /usr/lib/security/libpam_krb5.1 try_first_pass

Table 2-5 On HP-UX 11i v1 and 11i v2

login auth sufficient /usr/lib/security/libpam_unix.1
login auth required /usr/lib/security/$ISA/libpam_krb5.so.1 try_first_pass

renewable=<time> This option allows the user to implement ticket renewal. Renewable tickets have two “expiration times”: the first is when the current instance of the ticket expires, and the second is the latest permissible value for an individual expiration time. When the latest permissible expiration time arrives, the ticket expires permanently.

The latest permissible expiration time is specified as follows:

Table 2-6

s    seconds
m    minutes
h    hours
d    days

For renewable tickets to be granted, the user's account in the Kerberos Key Distribution Center (KDC) must specify that the user can be granted renewable tickets.
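
The following Python sketch is an added example, not part of the HP guide. It reads pam.conf text, lists each libpam_krb5 auth entry with its position in the stack, and converts a renewable=<time> value to seconds using the units in Table 2-6. It assumes <time> is a single integer followed by one unit letter; the renewable=7d value and the ftp stack in the sample are constructed for illustration.

```python
import re

UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}  # units from Table 2-6

def renewable_seconds(value):
    # Assumption: <time> is one integer followed by one unit letter (e.g. 7d).
    m = re.fullmatch(r"(\d+)([smhd])", value)
    if m is None:
        raise ValueError("unrecognised renewable time: %r" % value)
    return int(m.group(1)) * UNIT_SECONDS[m.group(2)]

def krb5_auth_entries(pam_conf_text):
    """Return one dict per libpam_krb5 auth entry, in stack order."""
    found = []
    position = {}  # per-service count of auth modules seen so far
    for raw in pam_conf_text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop comments, split columns
        if len(fields) < 4 or fields[1] != "auth":
            continue
        service, _, control, path = fields[:4]
        options = fields[4:]
        position[service] = position.get(service, 0) + 1
        if not path.rsplit("/", 1)[-1].startswith("libpam_krb5"):
            continue
        renewable = None
        for opt in options:
            if opt.startswith("renewable="):
                renewable = renewable_seconds(opt.split("=", 1)[1])
        found.append({
            "service": service,
            "control": control,
            "position": position[service],
            "try_first_pass": "try_first_pass" in options,
            "renewable_seconds": renewable,
            # Stacked after another auth module, but not told to try the
            # password that module already collected.
            "missing_try_first_pass":
                position[service] > 1 and "try_first_pass" not in options,
        })
    return found

# Constructed sample: the Table 2-5 stack with an illustrative renewable=7d,
# plus a constructed ftp stack that omits try_first_pass.
SAMPLE = """\
login auth sufficient /usr/lib/security/libpam_unix.1
login auth required /usr/lib/security/$ISA/libpam_krb5.so.1 try_first_pass renewable=7d
ftp auth sufficient /usr/lib/security/libpam_unix.1
ftp auth required /usr/lib/security/$ISA/libpam_krb5.so.1
"""

if __name__ == "__main__":
    for entry in krb5_auth_entries(SAMPLE):
        print(entry)
```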