PAM Kerberos Release Note, HP 9000 Networking
Product Description
In the following pam.conf configuration example, both the libpam_krb5.1
and libpam_unix.1 are defined in the PAM stack as authentication
modules. If a user is not authenticated under libpam_krb5.1, PAM will try
to authenticate to libpam_unix.1 using the same password used with
libpam_krb5.1. If PAM fails to authenticate with this password,
authentication will fail.

    login auth sufficient /usr/lib/security/libpam_krb5.1
    login auth required /usr/lib/security/libpam_unix.1 use_first_pass

try_first_pass This option uses the user's previous password (entered to the first module in
the stack). If the user cannot be authenticated with it, PAM will prompt for a
password.
In the following pam.conf configuration example, both the libpam_krb5.1
and libpam_unix.1 are defined in the PAM stack as authentication
modules. If a user is not authenticated under libpam_krb5.1, PAM will try
to authenticate to libpam_unix.1 using the same password used with
libpam_krb5.1. If PAM fails to authenticate with this password, PAM will
prompt for another password and try again.

    login auth sufficient /usr/lib/security/libpam_krb5.1
    login auth required /usr/lib/security/libpam_unix.1 try_first_pass

renewable=<time> This option allows tickets issued to the user to be renewed. Renewable
tickets have two "expiration times": the first is when the current instance of
the ticket expires, and the second is the latest permissible value for an
individual expiration time. When the latest permissible expiration time
arrives, the ticket expires permanently.
The latest permissible expiration time is specified in hours by <time>.
For renewable tickets to be granted, the user's account in the Kerberos Key
Distribution Center (KDC) must specify that the user can be granted
renewable tickets.
forwardable When a user obtains service tickets, they are for a remote system. However,
the user may want to use a secure service to access a remote system and
then run a secure service from that remote system to a second remote
system. This would require possession of a valid TGT on the first remote
system. Kerberos provides the option to create TGTs with special attributes
allowing them to be forwarded to remote systems within the realm.
The forwardable flag in a ticket allows the service complete use of the
client's identity. It is used when a user logs in to a remote system and wants
authentication to work from that system as if the login were local.
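As an added example (not code from the release note or from HP's PAM implementation), the following Python model evaluates the two pam.conf auth stacks described above, applying the sufficient/required control flags and the use_first_pass/try_first_pass options, so the difference in prompting and outcome can be observed. The user alice, her two passwords, and the per-module password tables are constructed assumptions.

```python
# Constructed model of the two PAM auth stacks from the release note.
# Each module is simulated by a table of accepted passwords (constructed
# data; a real deployment consults the KDC and the local password file).
PAM_SUCCESS, PAM_AUTH_ERR = "PAM_SUCCESS", "PAM_AUTH_ERR"

BACKENDS = {
    "libpam_krb5.1": {"alice": "krb5-secret"},   # assumed Kerberos password
    "libpam_unix.1": {"alice": "unix-secret"},   # assumed local password
}

# The two stacks from the pam.conf examples, as (control, module, options).
USE_FIRST_PASS_STACK = [("sufficient", "libpam_krb5.1", []),
                        ("required", "libpam_unix.1", ["use_first_pass"])]
TRY_FIRST_PASS_STACK = [("sufficient", "libpam_krb5.1", []),
                        ("required", "libpam_unix.1", ["try_first_pass"])]

def run_stack(stack, user, typed):
    """Evaluate an auth stack for `user`.

    `typed` lists the passwords the user would enter, consumed one per
    prompt (constructed input). Returns (result, number_of_prompts).
    """
    typed = list(typed)
    prompts = 0
    first_pass = None        # password shared down the stack (PAM_AUTHTOK)
    required_failed = False

    def prompt():
        nonlocal prompts
        prompts += 1
        return typed.pop(0) if typed else None

    for control, module, options in stack:
        accepted = BACKENDS[module].get(user)
        if "use_first_pass" in options:
            password = first_pass                   # reuse, never prompt
        elif "try_first_pass" in options and first_pass is not None:
            password = first_pass                   # reuse first ...
            if password != accepted:
                password = prompt()                 # ... then ask again
        else:
            password = prompt()
        if first_pass is None:
            first_pass = password
        ok = password is not None and password == accepted
        if control == "sufficient" and ok and not required_failed:
            return PAM_SUCCESS, prompts             # stop early on success
        if control == "required" and not ok:
            required_failed = True                  # keep going, but fail
    return (PAM_AUTH_ERR if required_failed else PAM_SUCCESS), prompts
```

With use_first_pass a wrong first password fails the whole login after a single prompt, whereas try_first_pass gives libpam_unix.1 a second prompt.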