Configuration Guide for Kerberos Client Products on HP-UX

Introduction to the Kerberos Products and GSS-API
PAM Kerberos
Chapter 2
When using PAM Kerberos, users only configure the application server
as a KDC client. Users are prompted for a password when they first log
in to the server from the application client. The user holds no
credential, and the password is sent in clear text to the application
server. The authentication steps, as shown in Figure 2-2, are:
1. The user sends a password to the remote system.
2. The application server invokes libkrb5.sl through PAM to request
authentication from the KDC.
3. The KDC replies with an authenticator.
4. If the password provided is valid, the user is authenticated. If
the password is incorrect, the user is denied access.
The Kerberos service module for PAM consists of the following four
modules:
Authentication module
Account management module
Session management module
Password management module
All modules are supported through the same dynamically loadable
library, libpam_krb5. The KRB5 PAM modules are compatible with MIT
Kerberos 5 and Microsoft Windows 2000.
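As an added illustration, not part of the HP guide, the following Python checks a pam.conf fragment against what this section describes: whether a service has libpam_krb5 entries for all four module types, and whether the options on its libpam_krb5 auth lines are the Authentication module options documented below. The pam.conf lines, the module path and the renewable time value are constructed sample input, not values from the guide.

```python
# The four module types the Kerberos service module for PAM provides, all from libpam_krb5.
KRB5_MODULE_TYPES = {"auth", "account", "session", "password"}
# Authentication module options named in this guide; renewable takes =<time>.
AUTH_FLAGS = {"use_first_pass", "krb_prompt", "try_first_pass", "forwardable"}
AUTH_WITH_ARG = {"renewable"}

def parse_pam_conf(text):
    """Parse 'service type control module [options...]' lines, skipping comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError(f"malformed pam.conf line: {raw!r}")
        service, mtype, control, module, *options = fields
        entries.append({"service": service, "type": mtype, "control": control,
                        "module": module, "options": options})
    return entries

def missing_krb5_stacks(entries, service):
    """Module types for which the service has no libpam_krb5 entry."""
    present = {e["type"] for e in entries
               if e["service"] == service and "libpam_krb5" in e["module"]}
    return KRB5_MODULE_TYPES - present

def check_auth_options(entries, service):
    """Report libpam_krb5 auth-stack options that are undocumented or malformed."""
    problems = []
    for e in entries:
        if (e["service"], e["type"]) != (service, "auth") or "libpam_krb5" not in e["module"]:
            continue
        for opt in e["options"]:
            name, _, arg = opt.partition("=")
            if name in AUTH_WITH_ARG and not arg:
                problems.append(f"{name} requires a =<time> argument")
            elif name not in AUTH_WITH_ARG and (name not in AUTH_FLAGS or arg):
                problems.append(f"unknown auth option: {opt}")
    return problems

# Constructed sample pam.conf; the module path and the 7d value are placeholders, not from the guide.
SAMPLE_PAM_CONF = """
login   auth     sufficient /usr/lib/security/libpam_krb5.1 use_first_pass forwardable renewable=7d
login   account  required   /usr/lib/security/libpam_krb5.1
login   session  required   /usr/lib/security/libpam_krb5.1
telnet  auth     required   /usr/lib/security/libpam_krb5.1 renewable use_first_passwd
"""
ENTRIES = parse_pam_conf(SAMPLE_PAM_CONF)
```

Running it against the sample reports that login lacks a libpam_krb5 password stack and that the telnet auth line has a renewable option without a time and a misspelled option.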
The Authentication Module
The Authentication module verifies the identity of a user and sets
user-specific credentials. It authenticates the user to the KDC with a
password. If the password matches, the user is authenticated and a
Ticket Granting Ticket (TGT) is granted.
The Authentication Module supports the following options:
use_first_pass
krb_prompt
try_first_pass
renewable=<time>
forwardable