Configuring the Kerberos Environment

Configuration Files for Kerberos Clients

pam.conf

The configuration file /etc/pam.conf controls the behavior of the PAM modules. The pam.conf file contains a listing of system entry services, each of which is paired with its corresponding service module. When a service is requested, its associated module is invoked.

 

Each entry has the following format:

 

<service_name> <module_type> <control_flag> <module_path> <options>

 

The following is a sample entry for PAM Kerberos in the pam.conf file on HP-UX 11.0 and 11i v1:

login auth required /usr/lib/security/libpam_krb5.1 debug

ftp auth required /usr/lib/security/libpam_unix.1

The following is a sample entry for PAM Kerberos in the pam.conf file on HP-UX 11i v2 and HP-UX 11i v3:

login auth required libpam_krb5.so.1 debug

ftp auth required libpam_unix.1

As mentioned in Chapter 2, “Introduction to the Kerberos Products and GSS-API,” on page 31, the PAM Kerberos module provides functionality for the authentication (auth) and password management (password) modules.

The control_flag field, set to required, optional, or sufficient, determines the priority and behavior of the modules stacked for a module_type. For example:

login auth sufficient /usr/lib/security/libpam_krb5.1 debug

login auth required /usr/lib/security/libpam_unix.1
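The stacking example above, worked through in Python as an added illustration (not HP code): it parses entries in the five-field format and evaluates which modules run and whether the stack succeeds. The names parse_pam_conf, stack_for and evaluate, the sample text, and the control-flag semantics stated in the evaluate docstring (as commonly documented for pam.conf) are assumptions of this example.

```python
# Added example, not HP-UX code: parse pam.conf entries and evaluate a stack.
from collections import namedtuple

Entry = namedtuple("Entry", "service module_type control_flag module_path options")
FLAGS = {"required", "optional", "sufficient"}  # the flags this page names

# Constructed sample: the stacked login entries from the text plus the ftp entry.
SAMPLE = """\
# service  module_type  control_flag  module_path  options
login auth sufficient /usr/lib/security/libpam_krb5.1 debug
login auth required   /usr/lib/security/libpam_unix.1
ftp   auth required   /usr/lib/security/libpam_unix.1
"""

def parse_pam_conf(text):
    """Parse <service_name> <module_type> <control_flag> <module_path> <options>."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4 or fields[2] not in FLAGS:
            raise ValueError(f"line {lineno}: malformed entry: {raw!r}")
        entries.append(Entry(*fields[:4], tuple(fields[4:])))
    return entries

def stack_for(entries, service, module_type="auth"):
    """Modules for one service and module_type, in file order."""
    return [e for e in entries
            if e.service == service and e.module_type == module_type]

def evaluate(stack, results):
    """results maps module_path -> bool. Returns (authenticated, modules_run).

    Assumed semantics: sufficient success ends the stack unless a required
    module already failed; a required failure is remembered but later modules
    still run; at least one module must succeed.
    """
    required_failed, any_success, ran = False, False, []
    for e in stack:
        ran.append(e.module_path)
        if results[e.module_path]:
            any_success = True
            if e.control_flag == "sufficient" and not required_failed:
                return True, ran
        elif e.control_flag == "required":
            required_failed = True
    return (not required_failed and any_success), ran
```

With Kerberos marked sufficient, a successful Kerberos login returns before libpam_unix runs, and a Kerberos failure falls through to the local password check; the ftp stack never consults Kerberos at all.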

The PAM Kerberos options are renewable=<time>, forwardable, proxiable, use_first_pass, try_first_pass, ignore, and debug.

For more information, see the pam.conf(4) and pam_krb5(5) manpages.

Appendix A, “Sample pam.conf File,” on page 105 contains a sample /etc/pam.conf file.

In the HP-UX 11i version, a sample pam.conf file for Kerberos is available as /etc/pam.krb5.
