HP-UX 11i Version 2 Release Notes (October 2003)
Security
Kerberos Client (KRB5-Client)
Chapter 7
The KRB5-Client product helps to provide Kerberos authentication and strong
cryptography for secure communication over the network.
Summary of Change
The KRB5-Client is now delivered as part of HP-UX 11i v2. The following changes have
been made to the KRB5-Client:
• Support for the [appdefaults] section in /etc/krb5.conf:
Each tag in the [appdefaults] section of /etc/krb5.conf defines a Kerberos V5
application. The value of the tag is a subsection with relations that define the default
behaviors for that application. For example:
    [appdefaults]
        kinit = {
            forwardable = true
        }
The application defaults specified in this section are overridden by those specified in
the [realms] section.
Two new APIs, krb5_get_appdefault_string() and
krb5_get_appdefault_boolean(), have been added to the /usr/share/libkrb5
library. Applications can now use these APIs to get the default values from the
[appdefaults] section of the Kerberos Configuration file.
• Multidomain support:
The krb5_parse_name() function has been modified to obtain the principal's realm name
from the W2K multidomain if the LDAPUX product has been configured with W2K
multidomain. If the principal is not present in the W2K multidomain, then the
principal's realm will be the default realm, as specified in the Kerberos
Configuration file.
The ldapux_multidomain flag needs to be set to 1 by the administrator if the realm
name of the user needs to be obtained from the W2K multidomain.
• Support for IPv6 is enabled in KRB5-Client
See also “Generic Security Service Application Programming Interface (GSS-API)” on
page 175.
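The following Python code is an added example, not part of the HP release notes or the KRB5-Client product. It reads the [appdefaults] section in the layout shown above and lists the applications whose defaults request forwardable tickets, which is a useful review point because a forwardable ticket can be passed on to other hosts. The sample file, the telnet entry, the function names and the accepted boolean spellings are assumptions.

```python
import re

# Constructed sample in the layout shown above; the telnet entry is made up.
SAMPLE = """\
[libdefaults]
    default_realm = EXAMPLE.COM
[appdefaults]
    kinit = {
        forwardable = true
    }
    telnet = {
        forwardable = false
    }
"""
TRUE_WORDS = {"true", "yes", "on", "1"}  # assumption: accepted boolean spellings

def parse_section(text, section):
    """Return one [section] as nested dicts; each '{ ... }' subsection is a dict."""
    stack, active = [{}], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":        # blank line or comment
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            active = header.group(1) == section
        elif not active:
            continue                            # relation of another section
        elif line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            stack.pop()
        else:
            key, sep, value = (part.strip() for part in line.partition("="))
            if not (key and sep):
                raise ValueError(f"not a relation: {raw!r}")
            stack[-1][key] = node = ({} if value == "{" else value)
            if isinstance(node, dict):          # "tag = {" opens a subsection
                stack.append(node)
    if len(stack) > 1:
        raise ValueError("unclosed '{'")
    return stack[0]

def apps_enabling(appdefaults, option):
    """Names of applications whose subsection switches a boolean option on."""
    return sorted(app for app, rel in appdefaults.items() if isinstance(rel, dict)
                  and str(rel.get(option, "")).lower() in TRUE_WORDS)

print(apps_enabling(parse_section(SAMPLE, "appdefaults"), "forwardable"))
```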
Impact
Users must recompile their existing Kerberos and GSS-API applications to take
advantage of the IPv6 features.
Compatibility
There are no compatibility issues.