HP-UX 11i September 2003 Release Notes

ManualsBrandsHP ManualsSoftwareHP-UX 11i v1.6 Technical Computing (TCOE) LTU

111

112

113

114

115

116

117

118

119

120

HP-UX 11i Version 1.0 Operating Environment Applications

HP-UX 11i Foundation Operating Environment

Chapter 6

117

The HP-UX 11i implementation of Kerberos version 5 protocol provides enterprise-wide

strong user authentication. Using encryption during the user authentication process,

Kerberos infrastructure provides privacy and integrity of user login information since

passwords are no longer communicated in clear text over the network.

HP-UX system entry services can work with any Kerberos v5 Server, namely, MIT

Kerberos and Microsoft Windows 2000. Thus, passwords can be effectively unified in an

Intranet with heterogeneous systems such as UNIX and Microsoft Windows 2000.

Furthermore, support of password change protocol has been implemented. These two

features can significantly reduce user administration complexity in a heterogeneous

environment.

The HP-UX applications using PAM include telnet, login, remsh, ftp, rexec, rlogin,

dtlogin, and rcp. PAM Kerberos interoperates with a Key Distribution Center (KDC)

operating on either a UNIX or a Microsoft Windows 2000 server.

The PAM Kerberos module is compliant with IETF RFC 1510 and Open Group RFC

86.0. PAM Kerberos is also available under the product number J5849AA on the

Applications Software CD. This product provides a libpam_krb5.1 library, a pam_krb5

(1) manpage, and a release note document.

updated for

September 2002

Now included with PAM Kerberos is the pamkrb5val tool, which will help

administrators validate the PAM Kerberos setup. The tool validates the following files

for PAM Kerberos-related entries:

• /etc/pam.conf

• /etc/pam_user.conf

• /etc/krb5.conf

• /etc/krb5.keytab

Also included is a sample pam.conf file.

Installation Requirements

The minimum disk space required to install the product is 1MB. Additional disk space of

about 1KB per user in the system /tmp file is required to store initial Ticket Granting

Tickets in the credential cache file.

Impact

HP-UX PAM Kerberos is implemented under the PAM framework, which allows the new

authentication service module to be plugged in and made available without modifying

the application or rebooting the system.

PAM Kerberos works on HP servers and workstations with a minimum of 32MB of

memory and sufficient swap space (a minimum of 50MB is recommended).

NOTE PAM Kerberos is not thread safe.

Coexistence Issues

PAM Kerberos (libpam_krb5.1) and PAM DCE (libpam_dce.1) plug-in modules can not

be stacked together in the pam.conf file because of different principal styles and

credential file paths. If so stacked, the results will be unpredictable.