HP-UX provides Kerberos authentication as part of the Pluggable Authentication Module (PAM) architecture that is specified in RFC 86 of the Open Group. PAM allows multiple authentication technologies to coexist on HP-UX. A configuration file determines which authentication module to use, in a manner transparent to the applications that use the PAM library.

The PAM Framework
Figure 2-1 “HP-UX authentication modules under PAM” shows the relationship between the PAM Kerberos Library and the various authentication modules that HP-UX provides. Notice that the PAM Kerberos Library is one of the many authentication modules that PAM can invoke, based on what is defined in the PAM configuration file, pam.conf. If PAM's authentication management is pointed to the shared, dynamically loadable PAM Kerberos library (/usr/lib/security/libpam_krb5.1), PAM Kerberos is invoked for user authentication. For more information on the configuration file pam.conf, see the section “Configuring for PAM Kerberos”.

The PAM Kerberos Library always returns success for Account Management and Session Management, since these are not defined under Kerberos. The following subsections describe the other two areas of functionality: the Authentication module and the Password module.

The Authentication Module
The Authentication Module verifies the identity of a user and sets user-specific credentials. It authenticates the user to the KDC with a password. If the password matches, the user is authenticated and a Ticket Granting Ticket (TGT) is granted.

The Authentication Module supports seven options: use_first_pass, try_first_pass, renewable=<time>, forwardable, proxiable, debug, and ignore. The following paragraphs list and describe each of these options.

- use_first_pass
Uses the same password given to the first module configured for authentication in the pam.conf file (see Figure 2-1 “HP-UX authentication modules under PAM”). The module does not ask for a password if the user cannot be authenticated with the first password. This option is used when the system administrator wants to enforce the same password across multiple modules. In the following fragment from a pam.conf file, both libpam_krb5.1 and libpam_unix.1 are defined in the PAM stack as authentication modules. If a user is not authenticated by libpam_krb5.1, PAM tries to authenticate the user through libpam_unix.1 using the same password that was given to libpam_krb5.1. If that authentication fails, PAM does not prompt for another password.

    login auth sufficient /usr/lib/security/libpam_krb5.1
    login auth required   /usr/lib/security/libpam_unix.1 use_first_pass

- try_first_pass
Same as the use_first_pass option (previous item), except that if the primary password is not valid, PAM prompts for a password. In the following fragment from a pam.conf file, both libpam_krb5.1 and libpam_unix.1 are defined in the PAM stack as authentication modules. If a user is not authenticated by libpam_krb5.1, PAM tries to authenticate the user through libpam_unix.1 using the same password that was given to libpam_krb5.1. If that authentication fails, PAM prompts for another password and tries again.

    login auth sufficient /usr/lib/security/libpam_krb5.1
    login auth required   /usr/lib/security/libpam_unix.1 try_first_pass
- renewable=<time>
This option allows the user to implement ticket renewal. Renewable tickets have two "expiration times": the first is when the current instance of the ticket expires, and the second is the latest permissible value for an individual expiration time. When the latest permissible expiration time arrives, the ticket expires permanently. The latest permissible expiration time is specified as an hour by <time>. For renewable tickets to be granted, the user's account in the Kerberos Key Distribution Center (KDC) must specify that the user can be granted renewable tickets.

- forwardable
When a user obtains service tickets, they are for a remote system. However, the user may want to use a secure service to access a remote system and then run a secure service from that remote system to a second remote system. This requires possession of a valid TGT for the first remote system. Kerberos provides the option to create TGTs with special attributes that allow them to be forwarded to remote systems within the realm. The forwardable flag in a ticket allows the service complete use of the client's identity. It is used when a user logs in to a remote system and wants authentication to work from that system as if the login were local. For forwardable tickets to be granted, the user's account in the Kerberos Key Distribution Center (KDC) must specify that the user can be granted forwardable tickets.

- proxiable
At times it may be necessary for a principal to allow a service to perform an operation on its behalf. The service must be able to take on the identity of the client, but only for a particular purpose, by being granted a proxy. This option allows a client to pass a proxy ticket to a server to perform a remote request on its behalf. For example, a print service client can give the print server a proxy to access the client's files on a particular file server. For proxy tickets to be granted, the user's account in the Kerberos Key Distribution Center (KDC) must specify that the user can be granted proxy tickets.

- ignore
The ignore option, which returns PAM_IGNORE, is used when the system administrator wants to control authentication for particular users or services through pam_user.conf. For example, with the following configuration, no Kerberos authentication is performed for the root user.

    pam_user.conf:
    #
    # configuration for user root. KRB5 PAM module uses the ignore
    # option and returns PAM_IGNORE without any processing.
    #
    root auth     /usr/lib/security/libpam_krb5.1 ignore
    root password /usr/lib/security/libpam_krb5.1 ignore
    root account  /usr/lib/security/libpam_krb5.1 ignore
    root session  /usr/lib/security/libpam_krb5.1 ignore

Refer to the pam_updbe man page for more information about the configuration file pam_user.conf.

- debug
The debug option sends debugging information to syslog at the LOG_DEBUG level.
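The following is an added example, not code from the HP-UX manual: a small model of a PAM "auth" stack that makes the difference between use_first_pass and try_first_pass (and the effect of ignore) visible by counting how often the user is prompted. The module secrets, the scripted prompt answers and the simplified handling of the sufficient/required control flags are assumptions made for the example.

```python
# Added example, not from the HP-UX manual: a small model of a PAM "auth" stack that
# traces use_first_pass vs try_first_pass and "ignore". All sample data is constructed.
from collections import namedtuple

Entry = namedtuple("Entry", "service control module options")

def parse_pam_conf(text):
    """pam.conf lines are: service type control module [options...]."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()            # drop comments and blanks
        if line:
            service, mtype, control, module, *opts = line.split()
            if mtype == "auth":
                entries.append(Entry(service, control, module, tuple(opts)))
    return entries

def run_auth_stack(entries, service, verify, prompt):
    """verify(module, pw) -> bool, prompt() -> str. Returns (result, prompt count)."""
    password, prompts, required_failed = None, 0, False
    for e in [x for x in entries if x.service == service]:
        if "ignore" in e.options:           # PAM_IGNORE: module casts no vote
            continue
        if password is not None and ("use_first_pass" in e.options
                                     or "try_first_pass" in e.options):
            ok = verify(e.module, password)  # reuse the first password...
            if not ok and "try_first_pass" in e.options:
                prompts += 1                 # ...but try_first_pass may re-prompt
                ok = verify(e.module, prompt())
        else:                                # first module, or no *_first_pass: prompt
            password, prompts = prompt(), prompts + 1
            ok = verify(e.module, password)
        if e.control == "sufficient" and ok and not required_failed:
            return "PAM_SUCCESS", prompts
        if e.control == "required" and not ok:
            required_failed = True
    return ("PAM_AUTH_ERR" if required_failed else "PAM_SUCCESS"), prompts

USE_FIRST = """\
login auth sufficient /usr/lib/security/libpam_krb5.1
login auth required   /usr/lib/security/libpam_unix.1 use_first_pass
"""
TRY_FIRST = USE_FIRST.replace("use_first_pass", "try_first_pass")

def simulate(conf_text, answers, service="login"):
    """One login attempt against constructed module secrets and scripted answers."""
    secrets = {"/usr/lib/security/libpam_krb5.1": "krb-secret",
               "/usr/lib/security/libpam_unix.1": "unix-secret"}
    answers = iter(answers)
    return run_auth_stack(parse_pam_conf(conf_text), service,
                          lambda mod, pw: secrets.get(mod) == pw, lambda: next(answers, ""))
```

With the use_first_pass stack a wrong first password fails after a single prompt, whereas the try_first_pass stack lets libpam_unix.1 ask once more.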
The Password Module

The password management module changes Kerberos passwords. The following options may be passed to this PAM module: use_first_pass, try_first_pass, debug and ignore. See /etc/pam.conf.krb5 and Appendix A “Sample pam.conf File” for a sample pam.conf file configured for PAM Kerberos.

Credential Cache
The credential management function in Kerberos sets user-specific credentials. It stores the credentials in a cache file and exports an environment variable, KRB5CCNAME, to identify the cache file. Any subsequent access uses the same credential file, whose name is retrieved from the variable KRB5CCNAME.

If the variable KRB5CCNAME does not exist, a credential file is created either in the /tmp/pam_krb5/creds directory or in the /tmp directory, depending on how the user accesses the system. If the user first accesses the system from a system entry service such as login, ftp, rlogin, or telnet, a unique credential file is created in the /tmp/pam_krb5/creds directory. This file is named krb5cc_xxxxxxxxx, where xxxxxxxxx is a randomly generated number. If the user first accesses the KDC database through the kinit utility, or from one of the system entry services from Secure Internet Services (SIS), a credential file is created in the /tmp directory. This file is named /tmp/krb5cc_xxx, where xxx is the user's UID number.
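The following is an added example, not code from the HP-UX manual: a check that classifies credential-cache files by the two naming rules above and reports ones that look wrong. The expectations that a cache file is mode 0600 and that /tmp/krb5cc_<uid> is owned by that UID are assumptions of the example, and the file list is constructed sample data in the shape os.stat would report.

```python
# Added example, not from the HP-UX manual: audit PAM Kerberos credential-cache files
# against the two naming rules above. The expectations that a cache is mode 0600 and
# that /tmp/krb5cc_<uid> belongs to that UID are assumptions; the sample list is constructed.
import re
import stat

KINIT_OR_SIS = re.compile(r"^/tmp/krb5cc_(\d+)$")               # /tmp/krb5cc_<uid>
SYSTEM_ENTRY = re.compile(r"^/tmp/pam_krb5/creds/krb5cc_\d+$")  # random numeric suffix

def audit_cache(path, owner_uid, mode):
    """Return the findings for one cache file; an empty list means nothing to report."""
    findings = []
    m = KINIT_OR_SIS.match(path)
    if m:
        if int(m.group(1)) != owner_uid:
            findings.append("UID in file name differs from file owner")
    elif not SYSTEM_ENTRY.match(path):
        findings.append("not a PAM Kerberos cache location")
    if mode & (stat.S_IRWXG | stat.S_IRWXO):          # any group/other permission bit
        findings.append("cache accessible to group or others")
    return findings

# Constructed sample: (path, owner uid, permission bits) as os.stat would report them.
SAMPLE = [
    ("/tmp/krb5cc_1001", 1001, 0o600),                      # kinit/SIS cache, as expected
    ("/tmp/krb5cc_1002", 0, 0o600),                         # name says 1002, owned by root
    ("/tmp/pam_krb5/creds/krb5cc_482913371", 1003, 0o644),  # login cache, world-readable
    ("/tmp/krb5cc_backup", 1001, 0o600),                    # not a recognised cache name
]

def audit_all(entries=SAMPLE):
    """Map each path that has findings to its list of findings."""
    report = {}
    for path, uid, mode in entries:
        findings = audit_cache(path, uid, mode)
        if findings:
            report[path] = findings
    return report
```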