Configuration Guide for Kerberos Client Products on HP-UX
Introduction to the Kerberos Products and GSS-API
PAM Kerberos
For forwardable tickets to be granted, you must specify
that the user can be granted forwardable tickets in the
user's account in the Kerberos KDC.
proxiable At times, it may be necessary for a principal to allow a
service to perform an operation on its behalf. The
service must be able to take on the identity of the
client, but only for a particular purpose. The principal
does this by granting the service a proxy.
This option allows a client to pass a proxy ticket to a
server to perform a remote request on its behalf. For
example, a print service client can give the print server
a proxy to access the client's files on a particular file
server.
For proxy tickets to be granted, you must specify that
the user can be granted proxy tickets in the user's
account in the Kerberos KDC.
ignore The ignore option in the pam_user.conf file enables
you to configure PAM so that certain users or
services need not be authenticated. This option returns
PAM_IGNORE. HP recommends that you do not use this option
for Kerberos authentication in the pam.conf file.
For example, with the following configuration, no
Kerberos authentication is conducted for the root user.
On HP-UX 11.0 and HP-UX 11i v1
pam_user.conf:
#
# configuration for user root. KRB5 PAM module uses the ignore
# option and returns PAM_IGNORE without any processing.
#
root auth /usr/lib/security/libpam_krb5.1 ignore
root password /usr/lib/security/libpam_krb5.1 ignore
root account /usr/lib/security/libpam_krb5.1 ignore
root session /usr/lib/security/libpam_krb5.1 ignore
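An added example, not part of the HP guide: a POSIX shell check that lists which users in a pam_user.conf file have the Kerberos PAM module set to ignore, so that these exemptions can be reviewed. The sample file is constructed (its root lines mirror the entries above; the alice and bob entries are made up), and the function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the HP guide): list pam_user.conf entries that
# make the Kerberos PAM module return PAM_IGNORE for a user.

# Constructed sample. The root lines mirror the guide's example; the
# "alice" and "bob" entries are made up for illustration.
sample_pam_user_conf() {
cat <<'EOF'
#
# configuration for user root. KRB5 PAM module uses the ignore
# option and returns PAM_IGNORE without any processing.
#
root  auth     /usr/lib/security/libpam_krb5.1 ignore
root  password /usr/lib/security/libpam_krb5.1 ignore
root  account  /usr/lib/security/libpam_krb5.1 ignore
root  session  /usr/lib/security/libpam_krb5.1 ignore
alice auth     /usr/lib/security/libpam_krb5.1 forwardable
bob   auth     /usr/lib/security/libpam_unix.1 debug
bob   session  /usr/lib/security/libpam_krb5.1 proxiable ignore
EOF
}

# krb5_ignore_entries FILE
# Prints "login module_type" for every non-comment entry whose module is
# libpam_krb5 and whose option list contains the whole word "ignore".
krb5_ignore_entries() {
    awk '
        /^[ \t]*#/ || NF < 4 { next }   # comments may mention "ignore" too
        $3 ~ /(^|\/)libpam_krb5\./ {
            for (i = 4; i <= NF; i++)
                if ($i == "ignore") { print $1, $2; break }
        }
    ' "$1"
}

# krb5_ignore_users FILE
# Prints each login name that has at least one such entry, once.
krb5_ignore_users() {
    krb5_ignore_entries "$1" | awk '!seen[$1]++ { print $1 }'
}

conf=${TMPDIR:-/tmp}/pam_user.conf.sample.$$
sample_pam_user_conf > "$conf"
echo "Entries where Kerberos PAM is skipped:"
krb5_ignore_entries "$conf"
rm -f "$conf"
```
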
On HP-UX 11i v2 and HP-UX 11i v3
pam_user.conf:
#
# configuration for user root. KRB5 PAM module uses the ignore