Introduction to the Kerberos Products and PAM Kerberos
In the following code fragment from a pam.conf file, both libpam_krb5.1 and libpam_unix.1 are defined in the PAM stack as authentication modules. If a user is not authenticated under libpam_unix.1, PAM tries to authenticate the user through libpam_krb5.1 using the same password that was used with libpam_unix.1. If that authentication fails, PAM prompts for another password and tries again.

| Service | Module type and control flag | Module path and options |
|---|---|---|
| login | auth sufficient | /usr/lib/security/libpam_unix.1 |
| login | auth required | /usr/lib/security/libpam_krb5.1 try_first_pass |

| Service | Module type and control flag | Module and options |
|---|---|---|
| login | auth sufficient | libpam_unix.so.1 |
| login | auth required | libpam_krb5.so.1 try_first_pass |
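To make the stack semantics concrete, the following simulator is an added example (not HP-UX code and not part of the original manual): it parses the pam.conf fragment above and walks the `auth` stack with the usual `sufficient`/`required` rules, including `try_first_pass` reuse of the password already collected. The module names, the credential stores standing in for /etc/passwd and the KDC, and the sequence of passwords the user "types" are all constructed for the simulation.

```python
# Added example: simulate the PAM auth stack from the pam.conf fragment.
# Not HP-UX's PAM implementation; credential stores and prompts are constructed.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# The pam.conf fragment from the text: service, module type, control flag,
# module path, then module options.
PAM_CONF = """\
login auth sufficient /usr/lib/security/libpam_unix.1
login auth required   /usr/lib/security/libpam_krb5.1 try_first_pass
"""


@dataclass
class Entry:
    service: str
    module_type: str
    control: str
    module: str
    options: List[str] = field(default_factory=list)


def parse_pam_conf(text: str) -> List[Entry]:
    """Parse pam.conf lines; '#' starts a comment and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError(f"malformed pam.conf line: {raw!r}")
        entries.append(Entry(fields[0], fields[1], fields[2], fields[3], fields[4:]))
    return entries


# Constructed credential stores (plaintext only because this is a simulation).
UNIX_PASSWORDS = {"alice": "alice-unix-pw", "carol": "carol-unix-pw"}
KRB5_PASSWORDS = {"alice": "alice-unix-pw", "bob": "bob-krb-pw"}


def unix_check(user: str, password: str) -> bool:
    return UNIX_PASSWORDS.get(user) == password


def krb5_check(user: str, password: str) -> bool:
    return KRB5_PASSWORDS.get(user) == password


# Module file name (basename of the pam.conf path) -> constructed checker.
MODULES: Dict[str, Callable[[str, str], bool]] = {
    "libpam_unix.1": unix_check,
    "libpam_krb5.1": krb5_check,
}


@dataclass
class AuthResult:
    success: bool
    prompts: int              # how many times the user was asked for a password
    modules_run: List[str]    # modules consulted, in stack order


def authenticate(entries: List[Entry], service: str, user: str,
                 typed_passwords: List[str]) -> AuthResult:
    """Walk the auth stack for `service` using stacking control-flag semantics.

    typed_passwords is the sequence of answers the user gives to successive
    password prompts (constructed input for the simulation).
    """
    queue = list(typed_passwords)
    prompts = 0
    first_pass: Optional[str] = None   # password collected by an earlier module
    required_failed = False
    modules_run: List[str] = []

    def prompt() -> str:
        nonlocal prompts
        if not queue:
            raise RuntimeError("user gave no more passwords")
        prompts += 1
        return queue.pop(0)

    for e in entries:
        if e.service != service or e.module_type != "auth":
            continue
        name = e.module.rsplit("/", 1)[-1]
        check = MODULES[name]
        modules_run.append(name)

        # try_first_pass: reuse the password an earlier module collected, and
        # prompt again only if that password is rejected (or none was collected).
        if "try_first_pass" in e.options and first_pass is not None:
            ok = check(user, first_pass) or check(user, prompt())
        else:
            first_pass = prompt()
            ok = check(user, first_pass)

        if e.control == "sufficient":
            # Success ends the stack unless a required module already failed;
            # a failing sufficient module is simply skipped.
            if ok and not required_failed:
                return AuthResult(True, prompts, modules_run)
        elif e.control == "required":
            if not ok:
                required_failed = True   # remember the failure, keep running
        elif e.control == "requisite":
            if not ok:
                return AuthResult(False, prompts, modules_run)
        elif e.control != "optional":
            raise ValueError(f"unknown control flag {e.control!r}")

    return AuthResult(not required_failed, prompts, modules_run)


ENTRIES = parse_pam_conf(PAM_CONF)

if __name__ == "__main__":
    print(authenticate(ENTRIES, "login", "alice", ["alice-unix-pw"]))
    print(authenticate(ENTRIES, "login", "bob", ["wrong", "bob-krb-pw"]))
```

Running the simulation shows the three behaviours the text describes: a user known to the local password file succeeds at libpam_unix.1 and libpam_krb5.1 is never consulted; a user known only to the KDC fails libpam_unix.1 (ignored, because it is `sufficient`) and then succeeds at libpam_krb5.1 with the same password thanks to `try_first_pass`; and if that password is rejected, the user is prompted once more. Note also that the `sufficient` entry only short-circuits the stack when no earlier `required` module has failed, which is why the order of the two lines matters.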
renewable=<time>
This option allows the user to implement ticket renewal. Renewable tickets have two "expiration times": the first is when the current instance of the ticket expires, and the second is the latest permissible value for an individual expiration time. When the latest permissible expiration time arrives, the ticket expires permanently.

For renewable tickets to be granted, you must specify that the user can be granted renewable tickets in the user's account in the Kerberos KDC.
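The two expiration times are easiest to see in code. The following is an added example (not part of the original manual and not the Kerberos library's own logic): it models a ticket with an instance end time and a latest-permissible end time, and shows how a renewal extends the former while never exceeding the latter. The lifetimes, the per-principal maximum renewable life and the clock values are all constructed for illustration.

```python
# Added example: renewable-ticket lifetimes. Constructed model, not krb5 code.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class Ticket:
    issued: datetime
    endtime: datetime                  # when this instance of the ticket expires
    renew_till: Optional[datetime]     # latest permissible endtime; None = not renewable


class RenewError(Exception):
    pass


def issue(now: datetime, lifetime: timedelta,
          requested_renewable: Optional[timedelta] = None,
          principal_max_renewable: Optional[timedelta] = None) -> Ticket:
    """Issue a ticket. The renewable window is granted only if the principal's
    KDC entry permits renewable tickets (principal_max_renewable is not None),
    and the client's request is capped at that maximum."""
    renew_till = None
    if requested_renewable is not None and principal_max_renewable is not None:
        renew_till = now + min(requested_renewable, principal_max_renewable)
    return Ticket(issued=now, endtime=now + lifetime, renew_till=renew_till)


def renew(ticket: Ticket, now: datetime, lifetime: timedelta) -> Ticket:
    """Renew a ticket: allowed only while the current instance is still valid and
    before the latest permissible expiration time; the new endtime is capped at
    renew_till, after which the ticket expires permanently."""
    if ticket.renew_till is None:
        raise RenewError("ticket is not renewable")
    if now >= ticket.endtime:
        raise RenewError("current instance already expired; renewal must happen before endtime")
    if now >= ticket.renew_till:
        raise RenewError("renewable lifetime exhausted; ticket has expired permanently")
    new_end = min(now + lifetime, ticket.renew_till)
    return Ticket(issued=now, endtime=new_end, renew_till=ticket.renew_till)


# Constructed clock and policy values for the demonstration.
T0 = datetime(2024, 1, 1, 8, 0, tzinfo=timezone.utc)
LIFETIME = timedelta(hours=10)
MAX_RENEWABLE = timedelta(days=7)

if __name__ == "__main__":
    t = issue(T0, LIFETIME, requested_renewable=timedelta(days=30),
              principal_max_renewable=MAX_RENEWABLE)
    print("issued:", t)
    t = renew(t, T0 + timedelta(hours=9), LIFETIME)
    print("renewed:", t)
```

The two checks in `renew` correspond to the two expiration times in the text: a renewal must be requested while the current instance is valid, and no renewal can push the end time past the latest permissible value. `issue` also encodes the second paragraph: without a renewable allowance in the principal's KDC entry, `renew_till` stays unset and the ticket simply cannot be renewed.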
forwardable
When a user obtains service tickets, they are for a remote system. However, the user can use a secure service to access a remote system and then run a secure service from that remote system to a second remote system. This requires a valid TGT on the first remote system. Kerberos provides the option to create TGTs with special attributes, which allow service tickets to be forwarded to remote systems within the realm.

The forwardable flag in a ticket allows the service complete use of the client's identity. It is used when a user logs in to a remote system and wants authentication to work from that system as if the login were local.
38 | Chapter 2 |