Configuration Guide for Kerberos Client Products on HP-UX 11.0 | HP-UX 11i v1 | HP-UX 11i v1.6 | HP-UX 11i v2

Introduction to the Kerberos Products and GSS-API
PAM Kerberos
forwardable When a user obtains service tickets, they are for a
remote system. However, the user may want to use a
secure service to access a remote system and then run
a secure service from that remote system to a second
remote system. This requires possession of a valid TGT
for the first remote system. Kerberos provides the
option to create TGTs with special attributes allowing
them to be forwarded to the remote systems within the
realm.
The forwardable flag in a ticket allows the service
complete use of the client's identity. It is used when a
user logs in to a remote system and wants
authentication to work from that system as if the login
were local.
For forwardable tickets to be granted, the user's
account in the Kerberos Key Distribution Center (KDC)
must specify that the user can be granted forwardable
tickets.
proxiable At times, it may be necessary for a principal to allow a
service to perform an operation on its behalf. The
service must be able to take on the identity of the
client, but only for a particular purpose. The principal
allows this by granting the service a proxy.
This option allows a client to pass a proxy ticket to a
server to perform a remote request on its behalf. For
example, a print service client can give the print server
a proxy to access the client's files on a particular file
server.
For proxy tickets to be granted, the user's account in
the Kerberos Key Distribution Center (KDC) must specify
that the user can be granted proxy tickets.
ignore The ignore option, which returns PAM_IGNORE, is used
when the system administrator wants to authenticate
certain users or services using /etc/pam_user.conf.
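
Because forwardable and proxiable hand a service the use of the client's identity, it helps to know which PAM entries request them. The following is an added example, not part of the HP guide: it scans pam.conf-format text for PAM Kerberos entries and flags those that set either option. The sample lines and the module path in them are constructed assumptions; the check matches only on "pam_krb5" in the module path field.

```shell
#!/bin/sh
# Added example (not from the guide): audit pam.conf-format text for
# PAM Kerberos entries that request delegation-capable tickets.

# Constructed sample input. Field layout is the standard pam.conf one:
# service, module type, control flag, module path, options.
# The module path shown is an assumption for illustration.
SAMPLE_PAM_CONF='# constructed sample, not a real system file
login    auth     required   /usr/lib/security/libpam_krb5.1 forwardable
login    account  required   /usr/lib/security/libpam_krb5.1
ftp      auth     required   /usr/lib/security/libpam_krb5.1 forwardable proxiable
su       auth     required   /usr/lib/security/libpam_unix.1
'

# audit_krb5_options: read pam.conf-format text on stdin and print one line
# per pam_krb5 entry: service, module type, delegation options, verdict.
audit_krb5_options() {
    awk '
        /^[ \t]*#/ || NF < 4 { next }    # skip comments, blank and short lines
        $4 !~ /pam_krb5/     { next }    # only the Kerberos PAM module
        {
            fwd = 0; prx = 0
            for (i = 5; i <= NF; i++) {  # options start at field 5
                if ($i == "forwardable") fwd = 1
                if ($i == "proxiable")   prx = 1
            }
            opts = ""
            if (fwd) opts = opts "forwardable,"
            if (prx) opts = opts "proxiable,"
            sub(/,$/, "", opts)
            if (opts == "") opts = "-"
            verdict = (fwd || prx) ? "REVIEW-DELEGATION" : "ok"
            printf "%s %s %s %s\n", $1, $2, opts, verdict
        }'
}

# count_delegating: number of entries on stdin that set either option.
count_delegating() {
    audit_krb5_options |
        awk '$4 == "REVIEW-DELEGATION" { n++ } END { print n + 0 }'
}

printf '%s' "$SAMPLE_PAM_CONF" | audit_krb5_options
```

Entries marked REVIEW-DELEGATION are the ones to compare against the KDC accounts that are allowed forwardable or proxy tickets, since both sides must agree before such a ticket is granted.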