Introduction to the Kerberos Products and GSS-API

PAM Kerberos

$ old Kerberos password <--- Output if krb_prompt is specified

use_first_pass This option uses the initial password (entered when the user was authenticated by the first authentication module in the stack) to authenticate with Kerberos. If the user cannot be authenticated with that password, or if this is the first authentication module in the stack, the module quits without prompting for a password. HP recommends using this option only if the authentication module is designated as optional in the /etc/pam.conf(4) configuration file.

try_first_pass This option uses the initial password (entered when the user was authenticated by the first authentication module in the PAM stack) to authenticate with Kerberos. If the user cannot be authenticated with that password, or if this is the first authentication module in the stack, the module prompts the user for a password.

ignore This option returns PAM_IGNORE. HP recommends not using this option. However, if you do not want to authenticate certain users or services with Kerberos, you can use this option in the /etc/pam_user.conf(4) file for per-user configuration. HP recommends not using this option in the pam.conf(4) file.

Refer to /etc/pam.krb5 in Appendix A, “Sample pam.conf File,” for a sample pam.conf file configured for PAM Kerberos.
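The stacking options above are easiest to reason about against concrete configuration lines. The following shell script is an added example, not code from the HP manual: it reads pam.conf-style or pam_user.conf-style lines and reports each libpam_krb5 entry that departs from the two recommendations in the text (use_first_pass on a module that is not designated optional, and ignore placed in pam.conf rather than pam_user.conf). The module path /usr/lib/security/libpam_krb5.1 and the sample lines are constructed for the demo and are assumptions, not taken from a real system.

```shell
#!/bin/sh
# Added example, not from the HP manual: audit the Kerberos module lines of a
# pam.conf or pam_user.conf against the two recommendations in the text
# (use_first_pass only on an "optional" module; "ignore" only in pam_user.conf).
# The module path and the sample lines below are constructed for this demo.

# Constructed pam.conf excerpt:  service  type  control  module  [options]
SAMPLE_PAM_CONF='login   auth required   /usr/lib/security/libpam_unix.1
login   auth required   /usr/lib/security/libpam_krb5.1 use_first_pass
telnet  auth optional   /usr/lib/security/libpam_krb5.1 use_first_pass
ftp     auth required   /usr/lib/security/libpam_krb5.1 ignore
rlogin  auth sufficient /usr/lib/security/libpam_krb5.1 try_first_pass'

# Constructed pam_user.conf excerpt:  login_name  type  module  [options]
SAMPLE_PAM_USER_CONF='guest  auth /usr/lib/security/libpam_krb5.1 ignore
alice  auth /usr/lib/security/libpam_krb5.1 try_first_pass'

# audit_pam_krb5 <pam.conf|pam_user.conf>: reads lines on stdin and prints
# one finding per libpam_krb5 line that breaks a recommendation.
audit_pam_krb5() {
    kind=$1
    while IFS= read -r line; do
        set -- $line
        case "${1:-#}" in '#'*) continue ;; esac        # blank line or comment
        if [ "$kind" = pam_user.conf ]; then
            [ $# -ge 3 ] || continue
            entry=$1; mtype=$2; ctrl=""; module=$3; shift 3
        else
            [ $# -ge 4 ] || continue
            entry=$1; mtype=$2; ctrl=$3; module=$4; shift 4
        fi
        case "$module" in *libpam_krb5*) ;; *) continue ;; esac
        for opt in "$@"; do                              # remaining fields are options
            case "$opt" in
                use_first_pass)
                    [ -z "$ctrl" ] || [ "$ctrl" = optional ] ||
                        echo "$kind: $entry $mtype: use_first_pass on a '$ctrl' module (HP recommends optional)" ;;
                ignore)
                    [ "$kind" = pam_user.conf ] ||
                        echo "$kind: $entry $mtype: 'ignore' belongs in pam_user.conf, not pam.conf" ;;
            esac
        done
    done
}

# audit_count <kind> <text>: prints the number of findings for the given text.
audit_count() {
    printf '%s\n' "$2" | audit_pam_krb5 "$1" | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_PAM_CONF"      | audit_pam_krb5 pam.conf        # two findings
printf '%s\n' "$SAMPLE_PAM_USER_CONF" | audit_pam_krb5 pam_user.conf   # no findings
```

To run it against a real system, feed the live file instead of the sample text (for example `audit_pam_krb5 pam.conf < /etc/pam.conf`); the parser only looks at the positional fields the two HP-UX formats share, so extra options on a line are ignored rather than misread.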

Credential Cache

The credential management function in Kerberos sets user-specific credentials. It stores the credentials in a cache file and exports the KRB5CCNAME environment variable to identify that file. Any subsequent Kerberos service access can use the same credential file; its name is retrieved from KRB5CCNAME.

A credential file is created in the /tmp directory when the user accesses the system.

If the user first accesses the system from any system entry service -- such as login, ftp, rlogin, or telnet -- a unique credential file is created in the /tmp/creds directory. This file is named krb5cc_<ppid>_<pid>, where:

Chapter 2

41
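Because every later Kerberos service access trusts whatever file KRB5CCNAME points at, a session should be able to confirm that the inherited cache looks like one created by a system entry service and is not exposed to other users. The following shell script is an added example, not code from the HP manual: it checks that the cache name follows the krb5cc_<ppid>_<pid> convention from the text and that the file is owned by the current user with no group or other permission bits. The optional FILE: prefix on KRB5CCNAME and the owner-only permission rule are assumptions made here; the sample files are constructed in a temporary directory.

```shell
#!/bin/sh
# Added example, not code from the HP manual: sanity-check the credential
# cache a session inherits through KRB5CCNAME. The naming convention
# /tmp/creds/krb5cc_<ppid>_<pid> is from the text; the optional "FILE:"
# prefix and the owner-only permission rule are assumptions made here.
# Usage on a live system: ccache_check "$KRB5CCNAME"

# Strip an optional "FILE:" type prefix and print the bare path.
ccache_path() {
    case "$1" in
        FILE:*) printf '%s\n' "${1#FILE:}" ;;
        *)      printf '%s\n' "$1" ;;
    esac
}

# Succeed only if the basename is krb5cc_<ppid>_<pid> with both parts numeric.
ccache_name_ok() {
    base=$(basename "$(ccache_path "$1")")
    rest=${base#krb5cc_}
    [ "$rest" != "$base" ] || return 1      # missing krb5cc_ prefix
    ppid=${rest%_*}                          # text before the last underscore
    pid=${rest##*_}                          # text after the last underscore
    [ "$ppid" != "$rest" ] || return 1       # no underscore separating the two
    case "$ppid" in ''|*[!0-9]*) return 1 ;; esac
    case "$pid"  in ''|*[!0-9]*) return 1 ;; esac
    return 0
}

# Succeed only if the cache is a regular file owned by the caller's uid with
# no group/other permission bits. ls -ldn is used because stat(1) options
# differ between Unix variants; numeric ids avoid name lookups.
ccache_perms_ok() {
    f=$(ccache_path "$1")
    [ -f "$f" ] || return 1
    set -- $(ls -ldn "$f")
    [ "$3" = "$(id -u)" ] || return 1        # owner uid must be ours
    case "$1" in
        -r[w-]-------*) return 0 ;;          # -rw------- or -r-------- (ACL "+" tolerated)
        *) return 1 ;;
    esac
}

# Combined check: print a verdict and return 0 only when both tests pass.
ccache_check() {
    if ! ccache_name_ok "$1"; then
        echo "REJECT: $1 does not follow krb5cc_<ppid>_<pid>"; return 1
    fi
    if ! ccache_perms_ok "$1"; then
        echo "REJECT: $1 is missing, not ours, or readable by other users"; return 1
    fi
    echo "OK: $1"
}

# Demonstration on constructed cache files in a private temporary directory.
demo_dir=$(mktemp -d)
good="$demo_dir/krb5cc_4242_4243"; ( umask 077; : > "$good" )
bad="$demo_dir/krb5cc_4242_4244";  : > "$bad"; chmod 644 "$bad"
ccache_check "FILE:$good"                  || true   # OK
ccache_check "FILE:$bad"                   || true   # REJECT: group/other readable
ccache_check "$demo_dir/krb5cc_4242"       || true   # REJECT: malformed name
rm -rf "$demo_dir"
```

The name check is deliberately strict (exactly two numeric components) so that a cache path pointing somewhere unexpected is reported rather than silently used; the permission check is what actually matters for ticket confidentiality, since a group- or world-readable cache lets any local user reuse the tickets it holds.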