| Introduction to the Kerberos Products and |
| PAM Kerberos |
| For forwardable tickets to be granted, you must specify |
| that the user can be granted forwardable tickets in the |
| user's account in the Kerberos KDC. |
proxiable | At times, it may be necessary for a principal to allow a |
| service to perform an operation on its behalf. The |
| service must be able to take on the identity of the |
| client, but only for a particular purpose. The principal |
| does this by granting the service a proxy. |
| This option allows a client to pass a proxy ticket to a |
| server to perform a remote request on its behalf. For |
| example, a print service client can give the print server |
| a proxy to access the client's files on a particular file |
| server. |
| For proxy tickets to be granted, you must specify that |
| the user can be granted proxy tickets in the user's |
| account in the Kerberos KDC. |
ignore | The ignore option in the pam_user.conf file enables |
| you to configure PAM so that certain users or |
| services need not be authenticated. With this option, the |
| module returns PAM_IGNORE. HP recommends that you do not use |
| this option for Kerberos authentication in the pam.conf file. |
| For example, with the following configuration, no |
| Kerberos authentication is conducted for the root user. |
| On |
pam_user.conf:
#
# configuration for user root. KRB5 PAM module uses the ignore
# option and returns PAM_IGNORE without any processing.
#
root auth     /usr/lib/security/libpam_krb5.1 ignore
root password /usr/lib/security/libpam_krb5.1 ignore
root account  /usr/lib/security/libpam_krb5.1 ignore
root session  /usr/lib/security/libpam_krb5.1 ignore
| On |
pam_user.conf:
#
# configuration for user root. KRB5 PAM module uses the ignore
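A defensive check for the ignore option described above, as an added example that is not part of the HP documentation: it parses pam_user.conf entries and reports which users have the Kerberos PAM module set to ignore. The four-field layout is inferred from the sample lines on this page; the function names and the SAMPLE data are constructed for illustration.

```python
# Added example: audit pam_user.conf for per-user entries that make the
# Kerberos PAM module return PAM_IGNORE (no Kerberos check for that user).
# Field layout (user, module type, module path, options) is taken from the
# sample lines on this page; SAMPLE is constructed for illustration.
import re

KRB5_MODULE = re.compile(r"libpam_krb5\.")   # matches the page's libpam_krb5.1

SAMPLE = """\
# constructed sample pam_user.conf
root   auth     /usr/lib/security/libpam_krb5.1 ignore
root   account  /usr/lib/security/libpam_krb5.1 ignore
alice  auth     /usr/lib/security/libpam_krb5.1 forwardable
bob    auth     /usr/lib/security/libpam_krb5.1 proxiable ignore
carol  auth     /usr/lib/security/libpam_unix.1 ignore
broken-line
"""

def parse_pam_user_conf(text):
    """Yield (lineno, user, module_type, module_path, options) per entry."""
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):     # skip blanks and comments
            continue
        fields = line.split()
        if len(fields) < 3:                      # malformed: report, don't guess
            yield lineno, None, None, None, fields
            continue
        user, mtype, path, *options = fields
        yield lineno, user, mtype.lower(), path, options

def krb5_ignore_entries(text):
    """Return {user: sorted module types} where libpam_krb5 is set to ignore."""
    skipped = {}
    for _, user, mtype, path, options in parse_pam_user_conf(text):
        if user and KRB5_MODULE.search(path) and "ignore" in options:
            skipped.setdefault(user, set()).add(mtype)
    return {u: sorted(t) for u, t in skipped.items()}

def malformed_lines(text):
    """Line numbers that lack a user, module type and module path."""
    return [n for n, user, *_ in parse_pam_user_conf(text) if user is None]

if __name__ == "__main__":
    for user, types in krb5_ignore_entries(SAMPLE).items():
        flag = "  <-- auth skipped" if "auth" in types else ""
        print(f"{user}: Kerberos ignored for {', '.join(types)}{flag}")
    print("malformed lines:", malformed_lines(SAMPLE))
```

Entries for other modules (carol in the sample) are left out of the report on purpose, so the output lists only accounts for which Kerberos processing is skipped.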