HP-UX 11i June 2004 Release Notes

ManualsBrandsHP ManualsSoftwareHP-UX 11i v1.6 Technical Computing (TCOE) LTU

131

132

133

134

135

136

137

138

139

140

HP-UX 11i Version 1 Operating Environment Applications

HP-UX 11i v1 Foundation Operating Environment

Chapter 6

131

HP-UX system entry services can work with any Kerberos v5 Server, namely, MIT

Kerberos and Microsoft Windows 2000. Thus, passwords can be effectively unified in an

Intranet with heterogeneous systems such as UNIX and Microsoft Windows 2000.

Furthermore, support of password change protocol has been implemented. These two

features can significantly reduce user administration complexity in a heterogeneous

environment.

The HP-UX applications using PAM include telnet, login, remsh, ftp, rexec, rlogin,

dtlogin, and rcp. PAM Kerberos interoperates with a Key Distribution Center (KDC)

operating on either a UNIX or a Microsoft Windows 2000 server.

The PAM Kerberos module is compliant with IETF RFC 1510 and Open Group RFC

86.0. PAM Kerberos is also available under the product number J5849AA on the

Applications Software CD. This product provides a libpam_krb5.1 library, a pam_krb5

(1) manpage, and a release note document.

updated for

September 2002

Now included with PAM Kerberos is the pamkrb5val tool, which will help

administrators validate the PAM Kerberos setup. The tool validates the following files

for PAM Kerberos-related entries:

• /etc/pam.conf

• /etc/pam_user.conf

• /etc/krb5.conf

• /etc/krb5.keytab

Also included is a sample pam.conf file.

Installation Requirements

The minimum disk space required to install the product is 1MB. Additional disk space of

about 1KB per user in the system /tmp file is required to store initial Ticket Granting

Tickets in the credential cache file.

Impact

HP-UX PAM Kerberos is implemented under the PAM framework, which allows the new

authentication service module to be plugged in and made available without modifying

the application or rebooting the system.

PAM Kerberos works on HP servers and workstations with a minimum of 32MB of

memory and sufficient swap space (a minimum of 50MB is recommended).

NOTE PAM Kerberos is not thread safe.

Coexistence Issues

PAM Kerberos (libpam_krb5.1) and PAM DCE (libpam_dce.1) plug-in modules can not

be stacked together in the pam.conf file because of different principal styles and

credential file paths. If so stacked, the results will be unpredictable.

If the password has expired on a Microsoft Windows 2000 KDC, you will not be asked for

a new password and will not be allowed to log in. When changing passwords on a MIT

KDC with a version prior to 1.1, up to 45 seconds may elapse before the password is

actually changed due to the selection mechanism of the change password protocol.