PAM Kerberos Release Notes for HP-UX 11i v2

Product Description
In the following pam.conf configuration example, both the
libpam_krb5.so.1 and libpam_unix.so.1 are defined in the PAM stack as
authentication modules. After authenticating the user under
libpam_unix.so.1, PAM will try to authenticate to libpam_krb5.so.1
using the same password used with libpam_unix.so.1. If PAM fails to
authenticate with this password, authentication will fail.
login auth required /usr/lib/security/$ISA/libpam_unix.so.1
login auth required /usr/lib/security/$ISA/libpam_krb5.so.1 use_first_pass
try_first_pass This option uses the user’s previous password (the one entered for the
first module in the stack). If the user cannot be authenticated with it, PAM will
prompt for a password.
In the following pam.conf configuration example, both the
libpam_krb5.so.1 and libpam_unix.so.1 are defined in the PAM stack as
authentication modules. After authenticating the user under
libpam_unix.so.1, PAM will try to authenticate to libpam_krb5.so.1
using the same password used with libpam_unix.so.1. If PAM fails to
authenticate with this password, PAM will prompt for another password
and try again.
login auth required /usr/lib/security/$ISA/libpam_unix.so.1
login auth required /usr/lib/security/$ISA/libpam_krb5.so.1 try_first_pass
renewable=<time> This option allows tickets issued to the user to be renewed. Renewable
tickets have two "expiration times": the first is when the current instance of
the ticket expires, and the second is the latest permissible value for an
individual expiration time. When the latest permissible expiration time
arrives, the ticket expires permanently.
The latest permissible expiration time is specified in hours by <time>.
For renewable tickets to be granted, the user’s account in the Kerberos Key
Distribution Center (KDC) must specify that the user can be granted
renewable tickets.
In the following example, the TGTs obtained by the user will have a latest
permissible expiration time of 10 hours.
login auth required /usr/lib/security/$ISA/libpam_krb5.so.1 renewable=10h
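An added example, not part of the HP release notes: a small Python linter that reads pam.conf entries in the layout shown above and reports, for each libpam_krb5 auth entry, which password-reuse option is set and how many renewable hours are requested. The sample file, the function names, and the rule that flags a reuse option on the first module of a stack are assumptions of this example.

```python
import re

# Constructed sample in the field layout used by the examples above:
# service  module_type  control_flag  module_path  [options]
SAMPLE_PAM_CONF = """\
login   auth required /usr/lib/security/$ISA/libpam_unix.so.1
login   auth required /usr/lib/security/$ISA/libpam_krb5.so.1 try_first_pass renewable=10h
ftp     auth required /usr/lib/security/$ISA/libpam_unix.so.1
ftp     auth required /usr/lib/security/$ISA/libpam_krb5.so.1 use_first_pass
dtlogin auth required /usr/lib/security/$ISA/libpam_krb5.so.1 use_first_pass
"""

# Behaviour of each password-reuse option as the text above describes it.
REUSE = {
    "use_first_pass": "reuses the earlier password; authentication fails if it is rejected",
    "try_first_pass": "reuses the earlier password; prompts again if it is rejected",
}

def parse_auth_stacks(text):
    """Return {service: [(module_path, options), ...]} for auth entries, in stack order."""
    stacks = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()      # drop comments, split on whitespace
        if len(fields) >= 4 and fields[1] == "auth":
            stacks.setdefault(fields[0], []).append((fields[3], fields[4:]))
    return stacks

def audit_krb5(text):
    """Report password reuse and ticket renewal for every libpam_krb5 auth entry."""
    findings = []
    for service, stack in parse_auth_stacks(text).items():
        for position, (path, opts) in enumerate(stack):
            if "libpam_krb5" not in path:
                continue
            reuse = next((o for o in opts if o in REUSE), None)
            # Only the "<n>h" form shown above is recognised; other values give None.
            hours = next((int(m.group(1)) for o in opts
                          if (m := re.fullmatch(r"renewable=(\d+)h", o))), None)
            findings.append({
                "service": service,
                "reuse": reuse,
                "behaviour": REUSE.get(reuse, "no reuse option set"),
                "renewable_hours": hours,
                # This example's own lint rule (an assumption): a reuse option on the
                # first auth module has no earlier module to take a password from.
                "no_earlier_module": reuse is not None and position == 0,
            })
    return findings

if __name__ == "__main__":
    for finding in audit_krb5(SAMPLE_PAM_CONF):
        print(finding)
```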
forwardable When a user obtains service tickets, they are for a remote system. However,
the user may want to use a secure service to access a remote system and
then run a secure service from that remote system to a second remote