Kerberos White Paper
Figure 2: The PAM Library
Figure 2 shows the relationship between the PAM Kerberos library and various authentication
modules that HP-UX provides. The PAM Kerberos library is one of the many authentication modules
that PAM can invoke based on what is defined under the PAM configuration file: /etc/pam.conf. If
PAM's authentication-management points to the shared, dynamically loadable PAM Kerberos library,
PAM Kerberos is invoked for user authentication.
In Kerberos, authentication takes place between clients and servers. So, in Kerberos terminology, a
"Kerberos client" is any entity that gets a service ticket for a Kerberos service. A client is typically a
user, but any principal can be a client (unless for some reason the administrator has explicitly
forbidden a principal to be a client).
On HP-UX 11i onwards, the Kerberos utilities are part of the OS core. The Kerberos Client software
consists of libraries, header files, manpages, and Kerberos utilities for implementing Kerberized
client/server applications in either 32-bit or 64-bit development environment. The client libraries are
based on MIT Kerberos V5 1.1.1. The HP-UX implementation of Kerberos utilities is compatible with
the MIT reference implementation. The Kerberos Client libraries support encryption types such as DES,
3DES, and AES. There is a new Kerberos Client version 1.3.5.01 based on MIT Kerberos version
1.3.5, available as a Web release.
The Kerberos Client includes the following utilities:
kinit, klist, and kdestroy: Manage credentials
kpasswd: Change Kerberos passwords
ktutil: Maintain the keytab file
kvno: Display the Kerberos key version number of the principals
Kerberos Client (KRB5-Client) Software
HP Kerberos Server Version 3.1