HP-UX 11i June 2003 Release Notes

ManualsBrandsHP ManualsSoftwareHP-UX 11i v1.6 Technical Computing (TCOE) LTU

111

112

113

114

115

116

117

118

119

120

HP-UX 11i Version 1.0 Operating Environment Applications

HP-UX 11i Foundation Operating Environment

Chapter 6

116

Pluggable Authentication Module (PAM) Kerberos

Pluggable Authentication Module (PAM) Kerberos version 11i is a service for

authenticating users or services across an open network. HP-UX 11i provides Kerberos

authentication through a Kerberos-Client product which is a part of the HP-UX base

operating system. Kerberos, the primary authentication mechanism for Windows 2000,

is integrated with Active Directory Service to provide enterprise-wide account

management. This necessitates the implementation of the Kerberos authentication

mechanism on HP-UX as a Pluggable Authentication Module.

Pluggable Authentication Module (PAM) [OSF RFC 86.0] is the standard framework,

and is easily configurable to support multiple authentication technologies on HP-UX.

PAM Kerberos provides the PAM mechanism using Kerberos.

The PAM service module was implemented as a shared library, libpam_krb5.1. This

library is built by linking with libkrb5.sl, and is therefore not dependent on the

libsys.sl library.

The HP-UX 11i implementation of Kerberos version 5 protocol provides enterprise-wide

strong user authentication. Using encryption during the user authentication process,

Kerberos infrastructure provides privacy and integrity of user login information since

passwords are no longer communicated in clear text over the network.

HP-UX system entry services can work with any Kerberos v5 Server, namely, MIT

Kerberos and Microsoft Windows 2000. Thus, passwords can be effectively unified in an

Intranet with heterogeneous systems such as UNIX and Microsoft Windows 2000.

Furthermore, support of password change protocol has been implemented. These two

features can significantly reduce user administration complexity in a heterogeneous

environment.

The HP-UX applications using PAM include telnet, login, remsh, ftp, rexec, rlogin,

dtlogin, and rcp. PAM Kerberos interoperates with a Key Distribution Center (KDC)

operating on either a UNIX or a Microsoft Windows 2000 server.

The PAM Kerberos module is compliant with IETF RFC 1510 and Open Group RFC

86.0. PAM Kerberos is also available under the product number J5849AA on the

Applications Software CD. This product provides a libpam_krb5.1 library, a pam_krb5

(1) manpage, and a release note document.

updated for

September 2002

Now included with PAM Kerberos is the pamkrb5val tool, which will help

administrators validate the PAM Kerberos setup. The tool validates the following files

for PAM Kerberos-related entries:

• /etc/pam.conf

• /etc/pam_user.conf

• /etc/krb5.conf

• /etc/krb5.keytab

Also included is a sample pam.conf file.

Installation Requirements

The minimum disk space required to install the product is 1MB. Additional disk space of

about 1KB per user in the system /tmp file is required to store initial Ticket Granting

Tickets in the credential cache file.