Configuration Guide for Kerberos Client Products on HP-UX

Introduction to the Kerberos Products and GSS-API
PAM Kerberos
Example
The following sample configuration performs no Kerberos authentication
for root: for user root, the KRB5 PAM module does nothing and simply
returns PAM_IGNORE. For every user other than root, PAM first tries
to authenticate using Kerberos. If Kerberos succeeds, the user is
authenticated. If Kerberos fails to authenticate the user, PAM tries to
authenticate with UNIX PAM using the same password.
The pam_user.conf File on HP-UX 11.0 and 11i v1
# configuration for user root. KRB5 PAM module uses the
# ignore option and returns PAM_IGNORE
root auth /usr/lib/security/libpam_krb5.1 ignore
root password /usr/lib/security/libpam_krb5.1 ignore
root account /usr/lib/security/libpam_krb5.1 ignore
root session /usr/lib/security/libpam_krb5.1 ignore
The pam_user.conf File on HP-UX 11i v2 and HP-UX 11i v3
# configuration for user root. KRB5 PAM module uses the
# ignore option and returns PAM_IGNORE
root auth /usr/lib/security/$ISA/libpam_krb5.so.1 ignore
root password /usr/lib/security/$ISA/libpam_krb5.so.1 ignore
root account /usr/lib/security/$ISA/libpam_krb5.so.1 ignore
root session /usr/lib/security/$ISA/libpam_krb5.so.1 ignore
The pam.conf File on HP-UX 11.0 and HP-UX 11i v1
# For per user configuration the libpam_updbe.1 (pam_updbe(5)) module
# must be the first module in the stack. If Kerberos authentication
# is valid the UNIX authentication function will not be invoked.
login auth required /usr/lib/security/libpam_updbe.1
login auth sufficient /usr/lib/security/libpam_krb5.1
login auth required /usr/lib/security/libpam_unix.1 try_first_pass
login password required /usr/lib/security/libpam_updbe.1
login password required /usr/lib/security/libpam_krb5.1
login password required /usr/lib/security/libpam_unix.1 try_first_pass
login account required /usr/lib/security/libpam_updbe.1
login account required /usr/lib/security/libpam_krb5.1
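
The authentication flow described in the Example text, as an added example that is not part of the original guide or HP code: a simplified Python model that parses the sample "login auth" lines and the root entry from pam_user.conf, then walks the stack for root and for an ordinary user. Assumptions: the function names are hypothetical, libpam_updbe is modeled as loading per-user options and contributing nothing to the result, module outcomes are passed in as constructed booleans, and the usual PAM meaning of the required and sufficient control flags applies.

```python
# Simplified model of the sample "login auth" stack (added example, not HP code).
PAM_SUCCESS, PAM_AUTH_ERR, PAM_IGNORE = "PAM_SUCCESS", "PAM_AUTH_ERR", "PAM_IGNORE"

# Lines copied from the page's HP-UX 11.0 / 11i v1 sample files.
PAM_CONF = """\
login auth required /usr/lib/security/libpam_updbe.1
login auth sufficient /usr/lib/security/libpam_krb5.1
login auth required /usr/lib/security/libpam_unix.1 try_first_pass
"""
PAM_USER_CONF = """\
root auth /usr/lib/security/libpam_krb5.1 ignore
"""

def parse_stack(text, service, mtype):
    """Return [(control_flag, module_path, options)] in file order."""
    stack = []
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 4 and f[:2] == [service, mtype]:
            stack.append((f[2], f[3], f[4:]))
    return stack

def user_options(text, user, mtype):
    """Per-user options from pam_user.conf, keyed by module path."""
    opts = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 4 and f[:2] == [user, mtype]:
            opts[f[2]] = f[3:]
    return opts

def authenticate(user, krb5_ok, unix_ok):
    """Walk the stack; krb5_ok/unix_ok are the constructed module outcomes."""
    per_user, failed, trace = {}, False, []
    for flag, path, opts in parse_stack(PAM_CONF, "login", "auth"):
        if "libpam_updbe" in path:        # loads per-user options (modeled as neutral)
            per_user, rc = user_options(PAM_USER_CONF, user, "auth"), PAM_IGNORE
        elif "ignore" in per_user.get(path, opts):
            rc = PAM_IGNORE               # e.g. libpam_krb5 for root
        elif "libpam_krb5" in path:
            rc = PAM_SUCCESS if krb5_ok else PAM_AUTH_ERR
        else:
            rc = PAM_SUCCESS if unix_ok else PAM_AUTH_ERR
        trace.append((path.rsplit("/", 1)[-1], rc))
        if rc == PAM_SUCCESS and flag == "sufficient" and not failed:
            return True, trace            # later modules are not invoked
        if rc == PAM_AUTH_ERR and flag == "required":
            failed = True                 # keep going, but the result is failure
    return (not failed and any(rc == PAM_SUCCESS for _, rc in trace)), trace
```

Moving libpam_updbe below libpam_krb5 in PAM_CONF shows why the guide requires it first: the root "ignore" entry would then be loaded too late to affect the Kerberos module.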