HP-UX 11i June 2002 Release Notes
Internet and Networking Services
Base HP-UX Internet Services
Chapter 12
You can use an authentication mechanism of your choice, such as DCE
Integrated Login, UNIX, or Kerberos, by changing the /etc/pam.conf file. By
default, if you do not edit the /etc/pam.conf file, the rexec and remsh services
use the authentication mechanism specified by the OTHER directive in the
/etc/pam.conf file.
The earlier version of rexecd and remshd allowed only those UNIX users who were
included in /etc/passwd to use the rexecd and remshd services. This limitation has
been eliminated with the introduction of the “PAM-ized” modules. Because the rexec
and remsh services are now PAM-ized, users belonging to other authentication
services, such as DCE Integrated Login, can use the remsh and rexec services.
/etc/pam.conf File Changes
To use PAM-ized rexec and remsh, add the following lines to the
/etc/pam.conf file:
rcomds auth required /usr/lib/security/libpam_unix.1
rcomds account required /usr/lib/security/libpam_unix.1
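
As an added example (not part of the release notes or of HP-UX itself), the shell functions below report which entries the rcomds service resolves to in a pam.conf-style file, including the fallback to OTHER described above. The function names, exit codes and sample file are constructed for illustration; the script assumes the "service type control module" column layout shown above and compares service names case-insensitively.

```shell
#!/bin/sh
# Added example: show which PAM entries the rcomds service (rexecd/remshd)
# resolves to in a pam.conf-style file. Names here are hypothetical.

# effective_pam FILE SERVICE TYPE
# Prints "SOURCE CONTROL MODULE" per applicable entry. SOURCE is the service
# itself, or OTHER when the service has no entry of that module type.
effective_pam() {
    awk -v svc="$2" -v typ="$3" '
        /^[ \t]*#/ || NF < 4 { next }      # skip comments, blanks, short lines
        tolower($2) != tolower(typ) { next }
        tolower($1) == tolower(svc) { own[++n] = $3 " " $4; next }
        tolower($1) == "other"      { oth[++m] = $3 " " $4 }
        END {
            if (n > 0) { for (i = 1; i <= n; i++) print svc, own[i] }
            else       { for (i = 1; i <= m; i++) print "OTHER", oth[i] }
        }' "$1"
}

# audit_rcomds FILE
# Returns 0 if auth and account both have explicit rcomds entries,
# 1 if either falls back to OTHER, 2 if either has no applicable entry.
audit_rcomds() {
    rc=0
    for typ in auth account; do
        out=$(effective_pam "$1" rcomds "$typ")
        case $out in
            "")     echo "rcomds $typ: no entry, no OTHER fallback"; rc=2 ;;
            OTHER*) echo "rcomds $typ: inherits $out"
                    if [ "$rc" -lt 1 ]; then rc=1; fi ;;
            *)      echo "rcomds $typ: $out" ;;
        esac
    done
    return "$rc"
}

# Constructed sample file: rcomds has an auth line but no account line,
# so account handling silently comes from the OTHER entry.
sample=${TMPDIR:-/tmp}/pam_sample.$$
cat > "$sample" <<'EOF'
# constructed sample, not a shipped HP-UX pam.conf
rcomds  auth     required  /usr/lib/security/libpam_unix.1
OTHER   auth     required  /usr/lib/security/libpam_unix.1
OTHER   account  required  /usr/lib/security/libpam_unix.1
EOF
audit_rcomds "$sample" || echo "audit status: $?"
rm -f "$sample"
```

Run against a copy of /etc/pam.conf, a status of 1 means at least one rcomds module type is still governed by the OTHER entries rather than by lines written for rexec and remsh.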
Using PAM-ized remshd in Secure Internet Services (SIS) Environment
rexecd is not Kerber-ized and hence will not work in the SIS environment. However,
remshd is Kerber-ized. To take advantage of the PAM-ized modules, add the following
line to the /etc/pam.conf file:
rcomds auth required /usr/lib/security/libpam_dce.1
Also in the Kerberos environment, remshd has command line options for combining the
UNIX method and the Kerberos method of authentication. These command line options
can be set in the /etc/inetd.conf file for the kremshd service. Refer to the
kremshd(1M) manpage for a more detailed description of the options available.
Changes for GateD
With HP-UX 11i, the HELLO protocol of GateD will be obsoleted and no longer supported.
However, the BGP protocol available with GateD-3.5.9 on HP-UX 11.0 is also available
and supported on HP-UX 11i.
DHCP with Nonsecure DNS Updates
The Dynamic Host Configuration Protocol (DHCP) available on HP-UX 11i is capable of
updating the Dynamic Domain Name Server (DDNS). This feature updates the DDNS
with the name and IP address of the client. This means that for every client to which
DHCP assigns a name and IP address, it also adds an “A” and “PTR” resource record
(RR) of that client to the DDNS.
To assign a name for every IP address, a new, Boolean tag, pcsn (prioritize client sent
host name), has been introduced. If this is set and the host name is not provided by the
client, the DHCP server gives priority to the name (if any) provided by the client. The
name should be a fully qualified domain name (FQDN). If it is not an FQDN, then the
DHCP server will try to append the domain name (if set using the dn tag); otherwise, it
appends a “.” and updates the DDNS.
If the pcsn tag is not set, then the DHCP server appends a “.” and updates the DDNS.