Introduction to the Kerberos Products and GSS-API

PAM Kerberos

proxiable

debug

ignore

The following paragraphs list and describe each of these options.

Option    Definition

use_first_pass Uses the same password given to the first module configured for authentication in the pam.conf file (see Figure 2-1). The module does not prompt for the password if the user cannot be authenticated by the first password.

This option is used when the system administrator wants to enforce the same password across multiple modules.

In the following code fragment from a pam.conf file, both libpam_krb5.1 and libpam_unix.1 are defined in the PAM stack as authentication modules. If a user is not authenticated under libpam_unix.1, PAM tries to authenticate the user through libpam_krb5.1 using the same password used with libpam_unix.1. If the authentication fails, PAM does not prompt for another password.

Table 2-2  On HP-UX 11.0 and HP-UX 11i v1

    login  auth  sufficient  /usr/lib/security/libpam_unix.1
    login  auth  required    /usr/lib/security/libpam_krb5.1 use_first_pass

Table 2-3  On HP-UX 11i v2 and HP-UX 11i v3

    login  auth  sufficient  libpam_unix.so.1
    login  auth  required    libpam_krb5.so.1 use_first_pass

krb_prompt This option allows the administrator to change the password prompt. When set, the password prompt displayed is "Kerberos Password".

try_first_pass This option is similar to the use_first_pass option, except that if the primary password is not valid, PAM prompts for a password.
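The use_first_pass and try_first_pass behaviour described above can be checked across a whole pam.conf. The following is an added example, not code from the original manual or from HP: the function names, the sample "ftp" and "su" entries, and the check for a Kerberos entry that has no earlier auth module are assumptions made for illustration.

```python
# Added example (not HP's code): report how each libpam_krb5 auth entry gets its password.
# Constructed sample pam.conf, modelled on Tables 2-2 and 2-3; "ftp" and "su" lines are invented.
SAMPLE_PAM_CONF = """\
login  auth sufficient libpam_unix.so.1
login  auth required   libpam_krb5.so.1 use_first_pass
ftp    auth required   libpam_krb5.so.1 use_first_pass   # krb5 is the only auth module
su     auth sufficient libpam_unix.so.1
su     auth required   libpam_krb5.so.1 try_first_pass krb_prompt
"""


def parse_auth_stacks(text):
    """Return {service: [(module_path, [options]), ...]} for auth lines, in file order."""
    stacks = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()      # drop comments, split on whitespace
        if len(fields) < 4 or fields[1] != "auth":
            continue                                # blank, malformed, or non-auth entry
        service, module, options = fields[0], fields[3], fields[4:]
        stacks.setdefault(service, []).append((module, options))
    return stacks


def audit_krb5(text):
    """Return (service, module, password_mode, note) for every Kerberos auth entry."""
    findings = []
    for service, stack in parse_auth_stacks(text).items():
        for position, (module, options) in enumerate(stack):
            if "libpam_krb5" not in module:
                continue
            if "use_first_pass" in options:
                mode = "reuses first password, never prompts"
            elif "try_first_pass" in options:
                mode = "reuses first password, prompts if it is not valid"
            else:
                mode = "neither first-pass option set"
            # Hypothetical extra check: use_first_pass with no earlier auth module
            # means nothing above this entry has collected a password.
            note = ""
            if position == 0 and "use_first_pass" in options:
                note = "no earlier auth module in this stack"
            findings.append((service, module, mode, note))
    return findings


if __name__ == "__main__":
    for service, module, mode, note in audit_krb5(SAMPLE_PAM_CONF):
        print(f"{service:6} {module:18} {mode}" + (f"  [{note}]" if note else ""))
```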
