Configuration Guide for Kerberos Client Products on HP-UX

Introduction to the Kerberos Products and GSS-API
PAM Kerberos
proxiable
debug
ignore
The following paragraphs list and describe each of these options.
Option    Definition

use_first_pass
    Uses the same password given to the first module configured for authentication in the pam.conf file (see Figure 2-1). The module does not prompt for the password if the user cannot be authenticated by the first password.

    This option is used when the system administrator wants to enforce the same password across multiple modules.

    In the following code fragment from a pam.conf file, both libpam_krb5.1 and libpam_unix.1 are defined in the PAM stack as authentication modules. If a user is not authenticated under libpam_unix.1, PAM tries to authenticate the user through libpam_krb5.1 using the same password used with libpam_unix.1. If the authentication fails, PAM does not prompt for another password.

    Table 2-2 On HP-UX 11.0 and HP-UX 11i v1

        login auth sufficient /usr/lib/security/libpam_unix.1
        login auth required   /usr/lib/security/libpam_krb5.1 use_first_pass

    Table 2-3 On HP-UX 11i v2 and HP-UX 11i v3

        login auth sufficient libpam_unix.so.1
        login auth required   libpam_krb5.so.1 use_first_pass

krb_prompt
    This option allows the administrator to change the password prompt. When set, the password prompt displayed is "Kerberos Password".

try_first_pass
    This option is similar to the use_first_pass option, except that if the primary password is not valid, PAM prompts for a password.
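
The following check is an added example, not part of the HP guide: it reads pam.conf-style text and reports, for each libpam_krb5 auth entry, whether it reuses the first password (use_first_pass), reuses it and falls back to a prompt (try_first_pass), or has neither option. The function name audit_pam_krb5, the verdict labels, and the ftp, su and dtlogin sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify how each libpam_krb5 "auth" entry obtains its
# password, using the use_first_pass / try_first_pass options described above.

# Constructed sample input (only the "login" lines mirror Tables 2-2 and 2-3).
SAMPLE_PAM_CONF='# service type control module_path options
login   auth sufficient /usr/lib/security/libpam_unix.1
login   auth required   /usr/lib/security/libpam_krb5.1 use_first_pass
ftp     auth sufficient libpam_unix.so.1
ftp     auth required   libpam_krb5.so.1 try_first_pass debug
su      auth sufficient libpam_unix.so.1
su      auth required   libpam_krb5.so.1
dtlogin auth required   libpam_krb5.so.1 use_first_pass
login   account required libpam_krb5.so.1
'

# audit_pam_krb5: reads pam.conf text on stdin and prints one line per
# libpam_krb5 auth entry in the form  service:position:verdict
# where position is the 1-based place in that service's auth stack.
audit_pam_krb5() {
    awk '
    NF < 4 || $1 ~ /^#/ { next }      # skip blank, short and comment lines
    $2 != "auth"        { next }      # only the authentication stack matters
    {
        pos[$1]++                     # count every auth module of the service
        # Match both path styles shown in Tables 2-2 and 2-3.
        if ($4 !~ /libpam_krb5(\.so)?\.1$/) next

        mode = "own_prompt"           # neither reuse option is present
        for (i = 5; i <= NF; i++)
            if ($i == "use_first_pass" || $i == "try_first_pass") {
                mode = $i
                break
            }

        # use_first_pass on the first module has no earlier password to reuse.
        if (mode == "use_first_pass" && pos[$1] == 1)
            mode = "use_first_pass_but_first_in_stack"

        print $1 ":" pos[$1] ":" mode
    }'
}

# Run against the constructed sample; on a real host: audit_pam_krb5 < /etc/pam.conf
printf '%s' "$SAMPLE_PAM_CONF" | audit_pam_krb5
```

Entries reported as own_prompt or use_first_pass_but_first_in_stack are the ones to review against the intended single-password policy.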