Configuration Guide for Kerberos Client Products on HP-UX

Configuring the Kerberos Environment
Configuration Files for Kerberos Clients
Chapter 378
pam.conf The configuration file /etc/pam.conf controls the behavior of the PAM
modules. The pam.conf file contains a listing of system entry services,
each of which is paired with its corresponding service module. When a
service is requested, its associated module is invoked.
Each entry has the following format:
<service_name> <module_type> <control_flag> <module_path> <options>
The following is a sample entry for PAM Kerberos in the pam.conf file on
HP-UX 11.0 and 11i v1:
login auth required /usr/lib/security/libpam_krb5.1 debug
ftp auth required /usr/lib/security/libpam_unix.1
The following is a sample entry for PAM Kerberos in the pam.conf file on
HP-UX 11i v2 and HP-UX 11i v3:
login auth required libpam_krb5.so.1 debug
ftp auth required libpam_unix.1
As mentioned in Chapter 2, Introduction to the Kerberos Products and
GSS-API, on page 31 the PAM Kerberos module provides functionality
for the authentication (auth), and password management (password)
modules.
Using either the required, optional, or sufficient option, the
control_flag field determines the priority and behavior of the modules
stacked for a module_type. For example,
login auth sufficient /usr/lib/security/libpam_krb5.1 debug
login auth required /usr/lib/security/libpam_unix.1
The PAM Kerberos options are renewable=<time>, forwardable,
proxiable, use_first_pass, try_first_pass, ignore, and debug.
For more information, see the pam. conf(4) and the pam_krb5(5)
manpages.
Appendix A, Sample pam.conf File, on page 105 contains a sample
/etc/pam.conf file.
In the HP-UX 11i version, a sample pam.conf file for Kerberos is
available as /etc/pam.krb5.