Configuration Guide for Kerberos Client Products on HP-UX

Introduction to the Kerberos Products and GSS-API
PAM Kerberos
# option and returns PAM_IGNORE without any processing.
#
root auth /usr/lib/security/$ISA/libpam_krb5.so.1 ignore
root password /usr/lib/security/$ISA/libpam_krb5.so.1 ignore
root account /usr/lib/security/$ISA/libpam_krb5.so.1 ignore
root session /usr/lib/security/$ISA/libpam_krb5.so.1 ignore
To enable the configuration defined in the pam_user.conf
file, the libpam_updbe module must be the first module
in the stack in the pam.conf file. PAM Kerberos uses
libpam_updbe to read user policy definitions from the
pam_user.conf file. Refer to the pam_updbe(5) manpage
for more information about per-user PAM
configuration.
debug        The debug option sets syslog debugging information
             at the LOG_DEBUG level.
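The ordering requirement above can be checked mechanically. The following script is an added example, not part of the HP guide: it reports every pam.conf stack that calls libpam_krb5 and has a per-user libpam_krb5 entry in pam_user.conf, but does not start with libpam_updbe. The function names audit_pam_krb5 and write_samples are hypothetical, and the sample stacks are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the HP guide). Usage: audit_pam_krb5 PAM_CONF PAM_USER_CONF
# Prints one finding per line; returns 1 if there are findings, 0 if clean.
audit_pam_krb5() {
    awk '
    /^[ \t]*#/ || NF == 0 { next }            # skip comments and blank lines
    FILENAME == ARGV[1] {                     # pam_user.conf: login type module [opts]
        if ($3 ~ /libpam_krb5/) policy[$2] = policy[$2] " " $1
        next
    }
    {                                         # pam.conf: service type flag module [opts]
        key = $1 SUBSEP $2
        if (!(key in first)) { first[key] = $4; order[++n] = key }
        if ($4 ~ /libpam_krb5/) uses_krb5[key] = 1
    }
    END {
        for (i = 1; i <= n; i++) {
            key = order[i]; split(key, p, SUBSEP)
            # Only stacks that call PAM Kerberos and have per-user policy matter.
            if (!(key in uses_krb5) || !(p[2] in policy)) continue
            if (first[key] !~ /libpam_updbe/) {
                printf "%s %s: libpam_updbe is not first; policy for%s is not read\n", p[1], p[2], policy[p[2]]
                bad = 1
            }
        }
        exit bad + 0
    }' "$2" "$1"
}

# Constructed sample files (hypothetical stack contents) written into directory $1.
write_samples() {
    cat > "$1/pam_user.conf" <<'EOF'
root auth    /usr/lib/security/$ISA/libpam_krb5.so.1 ignore
root session /usr/lib/security/$ISA/libpam_krb5.so.1 ignore
EOF
    cat > "$1/pam.conf" <<'EOF'
# auth stack is correct; session stack omits libpam_updbe
login auth    required   /usr/lib/security/$ISA/libpam_updbe.so.1
login auth    sufficient /usr/lib/security/$ISA/libpam_krb5.so.1
login auth    required   /usr/lib/security/$ISA/libpam_unix.so.1 try_first_pass
login session required   /usr/lib/security/$ISA/libpam_krb5.so.1
login session required   /usr/lib/security/$ISA/libpam_unix.so.1
login account required   /usr/lib/security/$ISA/libpam_unix.so.1
EOF
}

d=${TMPDIR:-/tmp}/pamaudit.$$ && mkdir -m 700 "$d" && write_samples "$d"
audit_pam_krb5 "$d/pam.conf" "$d/pam_user.conf" || echo "fix the stacks listed above"
rm -rf "$d"
```

On the constructed sample, only the login session stack is reported, because its first module is libpam_krb5 and the root ignore entry for session is therefore never consulted.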
The Password Module
The Password Management module provides a function to change
passwords in the Kerberos password database. Unlike when changing a
Unix password, a root user is always prompted for the old password.
The following options can be passed to this PAM module through the
/etc/pam.conf(4) file:
debug        This option enables syslog(3C) debugging information
             at the LOG_DEBUG level.
krb_prompt   This option allows the administrator to change the
             password prompt. When set, the password prompt
             displayed is Old/New Kerberos Password.
When a user logs on to a system using PAM Kerberos,
they obtain credentials that are stored in a file. This
file is deleted when the user logs out of the system if
the /etc/pam.conf file contains an entry for PAM
Kerberos under session management and the
application calls pam_close_session().
In /etc/pam.conf, if the krb_prompt flag is added
to either the login or the password entry, the prompt
explicitly specifies Kerberos, as shown below:
$ old password <--- Previous output