Configuration Guide for Kerberos Client Products on HP-UX 11.0 | HP-UX 11i v1 | HP-UX 11i v1.6 | HP-UX 11i v2
Introduction to the Kerberos Products and GSS-API
PAM Kerberos
The Password Module
The Password Management module provides a function to change
passwords in the Kerberos password database. Unlike when changing a
Unix password, a root user is always prompted for the old password.
The following options may be passed to this PAM module through the
/etc/pam.conf(4) file:
debug
This option enables syslog(3C) debugging information
at the LOG_DEBUG level.
krb_prompt
This option allows the administrator to change the
password prompt. When set, the password prompt
displayed could be, for example, Old/New Kerberos Password.
When a user logs on to a system using PAM Kerberos,
they obtain credentials that are stored in a file. This
file is deleted when the user logs out of the system if
the /etc/pam.conf file contains an entry for PAM
Kerberos under session management and the
application calls pam_close_session().
If the krb_prompt flag is added to either the login or
the password entry in /etc/pam.conf, the prompt
explicitly specifies Kerberos, as shown below:
$ old password <--- Previous output
$ old Kerberos password <--- Output if krb_prompt is specified
user_first_prompt
This option allows the initial password (entered
when the user is authenticated to the first
authentication module in the stack) to authenticate
with Kerberos. If the user cannot be authenticated or if
this is the first authentication module in the stack, the
module quits without prompting for a password. It is
recommended that this option be used only if the
authentication module is designated as optional in the
/etc/pam.conf(4) configuration file.
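
The two configuration points above (a PAM Kerberos session entry is needed for the credential file to be deleted at logout, and the first-password option is recommended only on an optional module) can be checked mechanically. The script below is an added example, not code from this guide or from HP; the module path in the sample, the "krb5" file-name match and the sample entries are assumptions, and the option name is used as printed above.

```python
# Added example: audit pam.conf text for the two PAM Kerberos points above.
import os

KRB_HINT = "krb5"                   # assumption: module file name contains "krb5"
REUSE_OPTS = {"user_first_prompt"}  # option name as printed in this guide

def parse_pam_conf(text):
    """Yield (service, type, control, module, options) for each entry."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 4:
            yield fields[0], fields[1], fields[2], fields[3], fields[4:]

def is_krb(module):
    return KRB_HINT in os.path.basename(module)

def audit(text, reuse_opts=REUSE_OPTS):
    entries = list(parse_pam_conf(text))

    def session_modules(service):
        own = [e[3] for e in entries if e[0] == service and e[1] == "session"]
        # A service with no entry of a type falls back to the OTHER service.
        return own or [e[3] for e in entries
                       if e[0].lower() == "other" and e[1] == "session"]

    findings = []
    for service, mtype, control, module, opts in entries:
        if mtype != "auth" or not is_krb(module):
            continue
        if not any(is_krb(m) for m in session_modules(service)):
            findings.append((service, "no Kerberos session entry: the "
                             "credential file is not deleted at logout"))
        reused = sorted(reuse_opts.intersection(opts))
        if reused and control != "optional":
            findings.append((service, f"{reused[0]} on a '{control}' module; "
                             "the guide recommends 'optional'"))
    return findings

# Constructed sample, not taken from the guide; the module path is assumed.
SAMPLE = """\
login  auth     required  /usr/lib/security/libpam_krb5.1 user_first_prompt
login  password required  /usr/lib/security/libpam_krb5.1 krb_prompt
ftp    auth     optional  /usr/lib/security/libpam_krb5.1 user_first_prompt debug
ftp    session  optional  /usr/lib/security/libpam_krb5.1
"""

if __name__ == "__main__":
    for service, message in audit(SAMPLE):
        print(f"{service}: {message}")
```

The check cannot confirm that an application calls pam_close_session(); that still has to be verified per application.
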
try_first_pass
This option allows the initial password (entered when
the user is authenticated to the first authentication
module in the PAM stack) to authenticate with