HP-UX 11i Version 1.6 Release Notes

Chapter 8: Other Functionality
PAM Kerberos
The Pluggable Authentication Modules (PAM) [OSF RFC 86.0] are an easily
configurable framework that provides support for multiple authentication technologies
on HP-UX.
PAM Kerberos (Product No. J5849AA) is the PAM module that provides support for
the Kerberos authentication protocol.
Summary of Change
PAM-Kerberos in HP-UX 11i v1.6 supports both IPF and PA-RISC applications in
32-bit mode.
A new tool, pamkrbval, which validates the PAM Kerberos configuration, is now
available with this product.
The credentials obtained by a user during login with PAM Kerberos are now cleaned
up after the user logs out.
The PAM Kerberos password prompt is now configurable.
Details of Change
A user cannot change another user’s password, even if the user knows the other user’s
password. This change has been made to conform to the standards. Systems are now
more secure.
The new tool, pamkrbval, helps administrators validate the PAM Kerberos setup. It
validates the following files for PAM Kerberos related entries:
/etc/pam.conf
/etc/pam_user.conf
/etc/krb5.conf
/etc/krb5.keytab
When a user logs on to a system using PAM Kerberos, they obtain credentials that are
stored in a file. This file is deleted when the user logs out of the system if the
/etc/pam.conf file contains an entry for PAM Kerberos under session management and
the application calls pam_close_session().
In the /etc/pam.conf file, if the flag krb_prompt is added to either the login or the
password entry, the prompt explicitly specifies Kerberos, as shown below:
$ old password <----- Previous output
$ old kerberos password <----- Output if krb_prompt is specified
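
A check of the two /etc/pam.conf conditions described above (a PAM Kerberos session entry for credential cleanup, and krb_prompt on a login or password entry), as an added example that is not part of the release notes and is not the pamkrbval tool. It assumes the PAM Kerberos module path contains pam_krb5 and that a service with no session lines of its own falls back to the OTHER entries; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example; this is not pamkrbval. Assumption: the PAM Kerberos module
# path contains "pam_krb5". Fields: service type control module [options].

# Print services that authenticate with Kerberos but have no Kerberos
# session entry, so pam_close_session() would not remove the credential file.
krb_session_gaps() {
    awk '
        /^[ \t]*#/ || NF < 4 { next }
        { svc = tolower($1); type = tolower($2); krb = ($4 ~ /pam_krb5/) }
        type == "session"     { any_sess[svc] = 1; if (krb) krb_sess[svc] = 1 }
        type == "auth" && krb { krb_auth[svc] = 1 }
        END {
            for (s in krb_auth) {
                if (s in krb_sess) continue
                # A service with no session lines at all uses the OTHER entries.
                if (!(s in any_sess) && ("other" in krb_sess)) continue
                print s
            }
        }' "$1" | sort
}

# Print "service type" for each Kerberos entry that carries krb_prompt.
krb_prompt_entries() {
    awk '
        /^[ \t]*#/ || NF < 5 || $4 !~ /pam_krb5/ { next }
        { for (i = 5; i <= NF; i++) if ($i == "krb_prompt") print tolower($1), tolower($2) }
    ' "$1" | sort
}

# Constructed sample configuration (not taken from a real system).
sample_pam_conf() {
    cat <<'EOF'
login   auth     sufficient /usr/lib/security/libpam_krb5.1
login   auth     required   /usr/lib/security/libpam_unix.1 try_first_pass
login   password sufficient /usr/lib/security/libpam_krb5.1 krb_prompt
login   session  required   /usr/lib/security/libpam_krb5.1
ftp     auth     sufficient /usr/lib/security/libpam_krb5.1
ftp     session  required   /usr/lib/security/libpam_unix.1
dtlogin auth     sufficient /usr/lib/security/libpam_krb5.1
OTHER   session  required   /usr/lib/security/libpam_krb5.1
EOF
}

conf="${TMPDIR:-/tmp}/pam.conf.sample.$$"
sample_pam_conf > "$conf"
echo "missing Kerberos session entry:"; krb_session_gaps "$conf"
echo "krb_prompt set on:";              krb_prompt_entries "$conf"
rm -f "$conf"
```

In the sample, ftp is reported because it has its own session line without the Kerberos module, so the OTHER entry does not apply to it and its credential file would remain after logout.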
Impact
There is no impact.