Configuration Guide for Kerberos Client Products on HP-UX

Introduction to the Kerberos Products and GSS-API
PAM Kerberos
Chapter 2
In the pam.conf fragments shown in Table 2-4 and Table 2-5 below, both libpam_krb5.1 and libpam_unix.1 are defined in the PAM stack as authentication modules. If a user is not authenticated by libpam_unix.1, PAM tries to authenticate the user through libpam_krb5.1 using the same password that was entered for libpam_unix.1 (the try_first_pass option). If that authentication also fails, PAM prompts for another password and tries again.
renewable=<time>
This option allows the user to implement ticket renewal. Renewable tickets have two expiration times: the first is when the current instance of the ticket expires, and the second is the latest permissible value for an individual expiration time. When the latest permissible expiration time arrives, the ticket expires permanently.
For renewable tickets to be granted, the user's account in the Kerberos KDC must be marked as permitted to receive renewable tickets.
forwardable
When a user obtains service tickets, they are for a remote system. However, the user can use a secure service to access a remote system and then run a secure service from that remote system to a second remote system. This requires a valid TGT on the first remote system. Kerberos provides the option to create TGTs with special attributes that allow service tickets to be forwarded to remote systems within the realm.
The forwardable flag in a ticket allows the service complete use of the client's identity. It is used when a user logs in to a remote system and wants authentication to work from that system as if the login were local.
Table 2-4 On HP-UX 11.0 and 11i v1

login  auth  sufficient  /usr/lib/security/libpam_unix.1
login  auth  required    /usr/lib/security/libpam_krb5.1  try_first_pass

Table 2-5 On HP-UX 11i v2 and HP-UX 11i v3

login  auth  sufficient  libpam_unix.so.1
login  auth  required    libpam_krb5.so.1  try_first_pass
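The following is an added example, not part of the HP-UX guide or its libpam: a small Python model that parses the Table 2-5 stack and walks it with sufficient/required semantics, showing why try_first_pass reprompts while use_first_pass does not. The credential stores and user names are constructed stand-ins for what libpam_unix and libpam_krb5 would actually check.

```python
# Constructed credential stores standing in for the real modules.
UNIX_PASSWD = {"alice": "unixpw"}                   # checked by libpam_unix
KDC_PASSWD = {"alice": "unixpw", "bob": "krbpw"}    # checked by libpam_krb5

PAM_CONF = """
login auth sufficient libpam_unix.so.1
login auth required   libpam_krb5.so.1 try_first_pass
"""

def parse_pam_conf(text, service="login", mtype="auth"):
    """Return the [(control, module, options)] stack for one service/type."""
    stack = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0] == service and parts[1] == mtype:
            stack.append((parts[2], parts[3], parts[4:]))
    return stack

def module_check(module, user, password):
    """Stand-in for a module's authenticate call: True on success."""
    store = UNIX_PASSWD if "unix" in module else KDC_PASSWD
    return password is not None and store.get(user) == password

def run_auth_stack(stack, user, answers):
    """Walk the stack with sufficient/required and *_first_pass semantics.
    `answers` are the passwords typed at successive prompts.
    Returns (authenticated, number_of_prompts_shown)."""
    answers, prompts, last_pw, failed_required = iter(answers), 0, None, False
    for control, module, opts in stack:
        reuse = last_pw is not None and (
            "try_first_pass" in opts or "use_first_pass" in opts)
        if not reuse:                       # module asks for its own password
            last_pw, prompts = next(answers, None), prompts + 1
        ok = module_check(module, user, last_pw)
        if not ok and reuse and "try_first_pass" in opts:
            # first password rejected: prompt again and retry this module
            last_pw, prompts = next(answers, None), prompts + 1
            ok = module_check(module, user, last_pw)
        if control == "sufficient" and ok and not failed_required:
            return True, prompts            # stop here; libpam_krb5 never consulted
        if control == "required" and not ok:
            failed_required = True          # keep walking, but final result is fail
    return not failed_required, prompts

if __name__ == "__main__":
    stack = parse_pam_conf(PAM_CONF)
    print(run_auth_stack(stack, "alice", ["unixpw"]))        # local user: (True, 1)
    print(run_auth_stack(stack, "bob", ["oops", "krbpw"]))   # KDC-only user: (True, 2)
```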