Manualshelf

PAM Kerberos Release Note, HP 9000 Networking

ManualsBrandsHP ManualsSoftwareHP-UX Kerberos Data Security Software
11121314151617181920
Chapter 1 11
PAM Kerberos Release Note
Product Description
For the forwardable tickets to be granted, the user's account in Kerberos
Key Distribution Center (KDC) must specify that the user can be granted
forwardable tickets.
proxiable At times it may be necessary for a principal to allow a service to perform an
operation on its behalf. The service must be able to take on the identity of
the client, but only for a particular purpose by granting it a proxy.
This option allows a client to pass a proxy ticket to a server to perform a
remote request on its behalf. For example, a print service client can give the
print server a proxy to access the client's files on a particular file server.
For proxy tickets to be granted, the user's account in Kerberos Key
Distribution Center (KDC) must specify that the user can be granted the
proxy tickets.
ignore Returns PAM_IGNORE. HP recommends not using this option for Kerberos
authentication in pam.conf. However, you may choose to use this option in
pam_user.conf for per user configuration when it is unnecessary to
authenticate certain users or services.
For example, with the following configuration, noKerberos authentication is
conducted for "root" user.
# pam_user.conf:
#
# configuration for user root. KRB5 PAM module uses the ignore
# option and returns PAM_IGNORE without any processing.
#
root auth /usr/lib/security/libpam_krb5.1 ignore
root password /usr/lib/security/libpam_krb5.1 ignore
root account /usr/lib/security/libpam_krb5.1 ignore
root session /usr/lib/security/libpam_krb5.1 ignore
#
Refer to the man page of pam_updbe(5) for more information on
pam_user.conf.
debug This option allows syslog(3C) debugging information at LOG_DEBUG level.
Account Management
The account management module retrieves the user's expiration information and verifies that
the user's account and password have not expired. Since account management is not defined
under Kerberos, this function returns success. It is provided for compatibility with the PAM
specification.
Session Management