PAM Kerberos Release Notes for HP-UX 11i v2
Product Description
Chapter 1
system. This would require possession of a valid TGT for the first remote
system. Kerberos provides the option to create TGTs with special attributes
allowing them to be forwarded to remote systems within the realm.
The forwardable flag in a ticket allows the service complete use of the
client's identity. It is used when a user logs in to a remote system and wants
authentication to work from that system as if the login were local.
For the forwardable tickets to be granted, the user’s account in Kerberos
Key Distribution Center (KDC) must specify that the user can be granted
forwardable tickets.
Given below is an example of a TGT that has the forwardable flag set.
login auth required /usr/lib/security/$ISA/libpam_krb5.so.1 forwardable
proxiable
At times it may be necessary for a principal to allow a service to perform an
operation on its behalf. The service must be able to take on the identity of
the client, but only for a particular purpose, by granting it a proxy.
This option allows a client to pass a proxy ticket to a server to perform a
remote request on its behalf. For example, a print service client can give the
print server a proxy to access the client’s files on a particular file server.
For proxy tickets to be granted, the user’s account in Kerberos Key
Distribution Center (KDC) must specify that the user can be granted the
proxy tickets.
Given below is an example of a TGT that has the proxiable flag set.
login auth required /usr/lib/security/$ISA/libpam_krb5.so.1 proxiable
ignore
Returns PAM_IGNORE. HP recommends not using this option for Kerberos
authentication in pam.conf. However, you may choose to use this option in
pam_user.conf for per-user configuration when it is unnecessary to
authenticate certain users or services.
For example, with the following configuration, no Kerberos authentication is
conducted for the "root" user.
# pam_user.conf:
#
# configuration for user root. KRB5 PAM module uses the ignore
# option and returns PAM_IGNORE without any processing.
#
root auth /usr/lib/security/$ISA/libpam_krb5.so.1 ignore
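The three options above (forwardable, proxiable, ignore) are plain words appended to a libpam_krb5 entry, so they are easy to audit from the files themselves. The following script is an added example, not part of HP's release notes or the PAM Kerberos product: it parses pam.conf entries (service, module type, control flag, module path, options) and pam_user.conf entries (login name, module type, module path, options), then reports every libpam_krb5 line that requests forwardable or proxiable TGTs, and flags the ignore option wherever it appears in pam.conf rather than pam_user.conf, which is the placement HP advises against. The sample configuration text is constructed for the example; the field layout follows the entries shown on this page.

```python
"""Audit HP-UX pam.conf / pam_user.conf entries for libpam_krb5 options.

Added example; not HP code.  Sample inputs below are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional

KRB5_MODULE = "libpam_krb5.so.1"


@dataclass
class PamEntry:
    name: str                 # service name (pam.conf) or login name (pam_user.conf)
    mtype: str                # auth, account, session, password
    control: Optional[str]    # required/optional/...; None for pam_user.conf entries
    module: str               # module path, e.g. /usr/lib/security/$ISA/libpam_krb5.so.1
    options: List[str]        # trailing option words such as forwardable, proxiable, ignore


def parse_pam_lines(text: str, per_user: bool = False) -> List[PamEntry]:
    """Parse one-entry-per-line PAM configuration text.

    pam.conf lines:      service  type  control  module  [options...]
    pam_user.conf lines: login    type  module   [options...]
    Blank lines and '#' comments are skipped.
    """
    entries: List[PamEntry] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if per_user:
            if len(fields) < 3:
                raise ValueError(f"line {lineno}: expected login type module [options]")
            name, mtype, module, *opts = fields
            control = None
        else:
            if len(fields) < 4:
                raise ValueError(f"line {lineno}: expected service type control module [options]")
            name, mtype, control, module, *opts = fields
        entries.append(PamEntry(name, mtype, control, module, opts))
    return entries


def audit(entries: List[PamEntry], per_user: bool = False) -> List[str]:
    """Return human-readable findings for libpam_krb5 entries."""
    findings: List[str] = []
    for e in entries:
        if KRB5_MODULE not in e.module:
            continue  # only the Kerberos module understands these options
        if "ignore" in e.options and not per_user:
            findings.append(
                f"{e.name}/{e.mtype}: 'ignore' in pam.conf is not recommended; "
                "use pam_user.conf for per-user exceptions"
            )
        for flag in ("forwardable", "proxiable"):
            if flag in e.options:
                findings.append(
                    f"{e.name}/{e.mtype}: requests {flag} TGTs; the KDC account "
                    "policy must permit them or ticket requests will fail"
                )
    return findings


# Constructed sample inputs (not from a real system).
PAM_CONF = """\
login   auth required /usr/lib/security/$ISA/libpam_krb5.so.1 forwardable
dtlogin auth required /usr/lib/security/$ISA/libpam_krb5.so.1 proxiable
ftp     auth required /usr/lib/security/$ISA/libpam_krb5.so.1 ignore
other   auth required /usr/lib/security/$ISA/libpam_unix.so.1
"""

PAM_USER_CONF = """\
# configuration for user root: no Kerberos processing at all
root auth /usr/lib/security/$ISA/libpam_krb5.so.1 ignore
"""


if __name__ == "__main__":
    for label, text, per_user in (("pam.conf", PAM_CONF, False),
                                  ("pam_user.conf", PAM_USER_CONF, True)):
        print(f"== {label} ==")
        for finding in audit(parse_pam_lines(text, per_user), per_user) or ["no findings"]:
            print(" ", finding)
```

Run against the constructed sample, the pam.conf audit reports the forwardable and proxiable requests for login and dtlogin and flags the ignore option on the ftp line, while the root entry in pam_user.conf produces no finding because that is where HP says a per-user ignore belongs.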