Introduction to the Kerberos Products and PAM Kerberos
Example
The following is a sample configuration in which no Kerberos authentication is done for root: the KRB5 PAM module does nothing for root and simply returns PAM_IGNORE. For every user other than root, PAM first tries to authenticate with Kerberos. If Kerberos succeeds, the user is authenticated; if Kerberos fails to authenticate the user, PAM falls back to UNIX authentication using the same password.
The pam_user.conf File on
# configuration for user root. KRB5 PAM module uses the
# ignore option and returns PAM_IGNORE
root  auth      /usr/lib/security/libpam_krb5.1  ignore
root  password  /usr/lib/security/libpam_krb5.1  ignore
root  account   /usr/lib/security/libpam_krb5.1  ignore
root  session   /usr/lib/security/libpam_krb5.1  ignore
The pam_user.conf File on
# configuration for user root. KRB5 PAM module uses the
# ignore option and returns PAM_IGNORE
root  auth      /usr/lib/security/$ISA/libpam_krb5.so.1  ignore
root  password  /usr/lib/security/$ISA/libpam_krb5.so.1  ignore
root  account   /usr/lib/security/$ISA/libpam_krb5.so.1  ignore
root  session   /usr/lib/security/$ISA/libpam_krb5.so.1  ignore
The pam.conf File on
# For per-user configuration the libpam_updbe.1 (pam_updbe(5)) module
# must be the first module in the stack. If Kerberos authentication
# succeeds, the UNIX authentication function will not be invoked.
login  auth      required    /usr/lib/security/libpam_updbe.1
login  auth      sufficient  /usr/lib/security/libpam_krb5.1
login  auth      required    /usr/lib/security/libpam_unix.1  try_first_pass
login  password  required    /usr/lib/security/libpam_updbe.1
login  password  required    /usr/lib/security/libpam_krb5.1
login  password  required    /usr/lib/security/libpam_unix.1  try_first_pass
login  account   required    /usr/lib/security/libpam_updbe.1
login  account   required    /usr/lib/security/libpam_krb5.1
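To make the control-flag behaviour of this stack concrete, here is an added model (not from the HP-UX manual, and not the real libpam code) of how PAM walks the "login auth" entries above together with the 'ignore' option root receives from pam_user.conf. The module outcomes (krb5_ok, unix_ok) are constructed inputs; nothing contacts a KDC or reads /etc/passwd.

```python
# Added example (not from the HP-UX manual): a small model of how PAM walks the
# "login auth" stack in the sample pam.conf, combined with the 'ignore' option
# root gets from pam_user.conf. Module outcomes are constructed inputs.

SUCCESS, IGNORE, AUTH_ERR = "PAM_SUCCESS", "PAM_IGNORE", "PAM_AUTH_ERR"

# (control flag, module, options) for "login auth", as in the sample pam.conf
LOGIN_AUTH_STACK = [
    ("required", "pam_updbe", ""),
    ("sufficient", "pam_krb5", ""),
    ("required", "pam_unix", "try_first_pass"),
]

def run_auth_stack(user, krb5_ok, unix_ok):
    """Return (result, modules that ran, password prompts shown to the user)."""
    invoked, prompts, have_pass, failed = [], 0, False, False
    for flag, name, opts in LOGIN_AUTH_STACK:
        invoked.append(name)
        if name == "pam_updbe":
            rc = IGNORE                 # modelled as only loading per-user options
        elif name == "pam_krb5" and user == "root":
            rc = IGNORE                 # pam_user.conf 'ignore': PAM_IGNORE, no prompt
        elif name == "pam_krb5":
            prompts += 1                # Kerberos asks for the password
            have_pass = True
            rc = SUCCESS if krb5_ok else AUTH_ERR
        else:                           # pam_unix
            if not (have_pass and "try_first_pass" in opts):
                prompts += 1            # no earlier password to reuse
            rc = SUCCESS if unix_ok else AUTH_ERR
        if rc == IGNORE:
            continue                    # as if the module were absent from the stack
        if flag == "sufficient":
            if rc == SUCCESS and not failed:
                return SUCCESS, invoked, prompts   # done; pam_unix never runs
            continue                    # a failing 'sufficient' module is not fatal
        if rc != SUCCESS:
            failed = True               # 'required' failure: finish the stack, then fail
    return (AUTH_ERR if failed else SUCCESS), invoked, prompts

if __name__ == "__main__":
    print(run_auth_stack("root", krb5_ok=True, unix_ok=True))
    print(run_auth_stack("alice", krb5_ok=True, unix_ok=False))
    print(run_auth_stack("alice", krb5_ok=False, unix_ok=True))
```

Root is never prompted by pam_krb5 and is authenticated by pam_unix alone, while a Kerberos failure for any other user falls through to pam_unix, which reuses the password already collected because of try_first_pass.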