Introduction to the Kerberos Products and
PAM Kerberos
#option and returns PAM_IGNORE without any processing.
root auth /usr/lib/security/$ISA/libpam_krb5.so.1 ignore
root password /usr/lib/security/$ISA/libpam_krb5.so.1 ignore
root account /usr/lib/security/$ISA/libpam_krb5.so.1 ignore
root session /usr/lib/security/$ISA/libpam_krb5.so.1 ignore
To enable the configuration defined in the pam_user.conf file, the libpam_updbe module must be the first module in the stack in the pam.conf file. PAM Kerberos uses libpam_updbe to read user policy definitions from the pam_user.conf file. Refer to the manpage pam_updbe(5) for more information about per-user PAM configuration.
debug | The debug option sets syslog debugging information at the LOG_DEBUG level.
The Password Module
The Password Management module provides a function to change passwords in the Kerberos password database. Unlike when changing a Unix password, a root user is always prompted for the old password.
The following options can be passed to this PAM module through the /etc/pam.conf (4) file:
debug | This option allows syslog(3C) debugging information at LOG_DEBUG level.
krb_prompt | This option allows the administrator to change the password prompt. When set, the password prompt displayed is Old/New Kerberos Password. When a user logs onto a system using PAM Kerberos, they obtain credentials that are stored in a file. This file is deleted when the user logs out of the system if the /etc/pam.conf file contains an entry for PAM Kerberos under session management and the application calls pam_close_session(). In /etc/pam.conf, if the flag krb_prompt is added to either the login or password entry, the prompt explicitly specifies Kerberos as shown below:
| $ old password | Previous output |
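The two pam.conf conditions stated above (libpam_updbe first in the stack, and a PAM Kerberos entry under session management so the credentials file is removed at logout) can be checked mechanically. The following is an added example, not code from the original manual; the function names, the five-field pam.conf layout, the libpam_updbe.so.1 and libpam_unix.so.1 file names, and the sample contents are assumptions made for illustration.

```python
"""Audit pam.conf text for the two PAM Kerberos conditions described above."""
from collections import defaultdict

# Constructed sample, not taken from a real system. Assumed line format:
# service  module_type  control_flag  module_path  [options]
SAMPLE_PAM_CONF = """\
# constructed example
login  auth     required    /usr/lib/security/$ISA/libpam_updbe.so.1
login  auth     sufficient  /usr/lib/security/$ISA/libpam_krb5.so.1
login  auth     required    /usr/lib/security/$ISA/libpam_unix.so.1 try_first_pass
login  session  required    /usr/lib/security/$ISA/libpam_unix.so.1
ftp    auth     sufficient  /usr/lib/security/$ISA/libpam_krb5.so.1
ftp    auth     required    /usr/lib/security/$ISA/libpam_updbe.so.1
ftp    session  required    /usr/lib/security/$ISA/libpam_krb5.so.1
"""

def parse_stacks(text):
    """Return {(service, module_type): [module file names in stack order]}."""
    stacks = defaultdict(list)
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) >= 4:
            service, mtype, _flag, path = fields[:4]
            stacks[(service, mtype)].append(path.rsplit("/", 1)[-1])
    return stacks

def audit(text):
    """Return a sorted list of (service, module_type, finding) tuples."""
    stacks = parse_stacks(text)
    findings = []
    for (service, mtype), modules in stacks.items():
        uses_krb5 = any(m.startswith("libpam_krb5") for m in modules)
        has_updbe = any(m.startswith("libpam_updbe") for m in modules)
        # pam_user.conf is only enabled when libpam_updbe heads the stack.
        if has_updbe and not modules[0].startswith("libpam_updbe"):
            findings.append((service, mtype, "libpam_updbe is not first in stack"))
        # Deletion of the credentials file at logout is tied to a session entry.
        if mtype == "auth" and uses_krb5:
            session = stacks.get((service, "session"), [])
            if not any(m.startswith("libpam_krb5") for m in session):
                findings.append((service, "session", "no libpam_krb5 session entry"))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(SAMPLE_PAM_CONF):
        print(*finding, sep=": ")
```

The session check only confirms the configuration side; the application must still call pam_close_session() for the credentials file to be deleted.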