Configuration Guide for Kerberos Client Products on HP-UX
Introduction to the Kerberos Products and GSS-API
PAM Kerberos
$ old Kerberos password    <--- Output if krb_prompt is specified
user_first_prompt
    This option allows the initial password (entered when the user is
    authenticated to the first authentication module in the stack) to
    authenticate with Kerberos. If the user cannot be authenticated or if
    this is the first authentication module in the stack, it quits without
    prompting for a password. HP recommends using this option only if the
    authentication module is designated as optional in the
    /etc/pam.conf(4) configuration file.

try_first_pass
    This option allows the initial password (entered when the user is
    authenticated to the first authentication module in the PAM stack) to
    authenticate with Kerberos. If the user cannot be authenticated or if
    this is the first authentication module in the stack, it prompts the
    user for a password.

ignore
    This option returns PAM_IGNORE. HP recommends not using this option.
    However, if you do not want to authenticate certain users or services
    with Kerberos, you can use this option in the /etc/pam_user.conf(4)
    file for per user configuration. HP recommends not using this option
    in the pam.conf(4) file.

Refer to /etc/pam.krb5 in Appendix A, “Sample pam.conf File,” for a
sample pam.conf file configured for PAM Kerberos.
Credential Cache
The credential management function in Kerberos sets user-specific
credentials. It stores the credentials in a cache file and exports the
KRB5CCNAME environment variable to identify the cache file. Any
subsequent Kerberos service access can use the same credential file. The
name of that file is retrieved from KRB5CCNAME.
A credential file is created in the /tmp directory when the user accesses
the system.
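
Because the cache file sits under the shared /tmp tree, it is worth confirming that the file KRB5CCNAME names is a regular file owned by the current user with no group or other access. The function below is an added example, not part of the HP guide; it assumes a file-based cache (a bare path or the FILE: prefix), and the function name and return codes are this example's own.

```shell
#!/bin/sh
# Added example (not from the HP guide): audit the credential cache file
# named by KRB5CCNAME, or by the value passed as the first argument.
# Return codes are this example's own convention:
#   0 ok   1 no usable file-based cache name   2 missing, symlink or not a file
#   3 owned by another user                    4 group/other permission bits set
check_ccache() {
    cc=${1:-$KRB5CCNAME}
    [ -n "$cc" ] || return 1
    case $cc in
        FILE:*) ccfile=${cc#FILE:} ;;   # strip the cache-type prefix
        /*)     ccfile=$cc ;;           # bare absolute path
        *)      return 1 ;;             # other cache types are out of scope
    esac
    # A symbolic link in a shared directory can point anywhere: reject it.
    if [ -h "$ccfile" ] || [ ! -f "$ccfile" ]; then
        return 2
    fi
    # ls -ln prints: mode links uid gid size ...; only fields 1 and 3 are used.
    set -- $(ls -ln "$ccfile")
    mode=$1
    owner=$3
    [ "$owner" = "$(id -u)" ] || return 3
    case $mode in
        -???------*) return 0 ;;        # owner bits only, e.g. -rw-------
        *)           return 4 ;;
    esac
}

# Report on the current session's cache when one is set.
if [ -n "${KRB5CCNAME:-}" ]; then
    check_ccache && echo "ccache ok: $KRB5CCNAME" || echo "ccache check failed: rc=$?"
fi
```
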
If the user first accesses the system from any system entry service -- such
as login, ftp, rlogin, or telnet -- a unique credential file is created in
the /tmp/creds directory. This file is named krb5cc_<ppid>_<pid>,
where: