HP-UX 11i Version 2 Release Notes (October 2003)

Security
PAM Kerberos
Chapter 7
Performance
There are no performance issues.
Documentation
The following manpages have been changed:
/usr/share/man/man3.Z/libkrb5.3
/usr/share/man/man4.Z/krb5.conf.4
Further information may be found in the Configuration Guide for Kerberos Client
Products on HP-UX, available on the Web at
http://www.docs.hp.com/hpux/onlinedocs/J5849-90007/J5849-90007.html.
Obsolescence
Not applicable.
PAM Kerberos
The Pluggable Authentication Modules (PAM) [OSF RFC 86.0] are an easily configurable
framework that provides support for multiple authentication technologies on HP-UX.
PAM Kerberos (Product No. J5849AA) is the PAM module that provides support for the
Kerberos authentication protocol.
Summary of Change
PAM Kerberos in HP-UX 11i v2 supports both Itanium and PA-RISC applications in
32-bit mode.
To increase security and to conform to standards, a user now cannot change another
user's password even if the user is aware of the other user's password. To achieve this
new feature, the following changes have been made:
When a user logs on to a system using PAM Kerberos, they obtain credentials that are
stored in a file. This file is deleted when the user logs out of the system if the
/etc/pam.conf file contains an entry for PAM Kerberos under session management
and the application calls pam_close_session().
The new tool, pamkrbval, helps administrators validate the PAM Kerberos setup. It
validates the following files for PAM Kerberos related entries:
/etc/pam.conf
/etc/pam_user.conf
/etc/krb5.conf
/etc/krb5.keytab
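
The session-management condition described above can be checked per service. The following is an added example, not part of the release notes and not the pamkrbval tool: it lists services in a pam.conf-format file that use a Kerberos module for auth but have no Kerberos module under session, so their credential files would not be deleted at logout. Assumptions: the module is recognised by "krb5" in its path, the sample module paths are placeholders, and neither the OTHER fallback service nor the application's call to pam_close_session() is checked.

```shell
#!/bin/sh
# Added example: report services whose Kerberos auth entry has no matching
# Kerberos session entry in a pam.conf-format file.
# pam.conf fields: service  module_type  control_flag  module_path  [options]
# Assumption: the PAM Kerberos module path contains the string "krb5".

krb_session_gaps() {
    # $1: path to a pam.conf-format file
    awk '
        /^[ \t]*#/ || NF < 4 { next }      # skip comments and incomplete lines
        $4 !~ /krb5/         { next }      # only Kerberos module entries matter
        {
            svc  = tolower($1)
            type = tolower($2)
            if (type == "auth")    auth[svc] = 1
            if (type == "session") sess[svc] = 1
        }
        END {
            # A service that authenticates with Kerberos but has no Kerberos
            # session entry leaves the credential file behind at logout.
            for (s in auth) if (!(s in sess)) print s
        }
    ' "$1" | sort
}

# Constructed sample input; module paths are placeholders, not real HP-UX paths.
sample_conf() {
    cat <<'EOF'
# service  module_type  control_flag  module_path
login    auth     required    /path/to/libpam_krb5
login    account  required    /path/to/libpam_krb5
login    session  required    /path/to/libpam_krb5
ftp      auth     required    /path/to/libpam_krb5
ftp      session  required    /path/to/libpam_unix
su       auth     required    /path/to/libpam_unix
dtlogin  auth     sufficient  /path/to/libpam_krb5
EOF
}

# Run against a file given on the command line, e.g. /etc/pam.conf.
if [ $# -gt 0 ]; then
    krb_session_gaps "$1"
fi
```

With the constructed sample, ftp and dtlogin are reported; login has a Kerberos session entry and su does not use Kerberos at all.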