PAM Kerberos Release Notes
HP-UX 11i v2

Manufacturing Part Number: J5849-90011
August 2003
U.S.A.

© Copyright 2003 Hewlett-Packard Development Company L.P. All rights reserved.

Legal Notices

The information in this document is subject to change without notice. Hewlett-Packard makes no warranty of any kind with regard to this manual, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. Hewlett-Packard shall not be held liable for errors contained herein or direct, indirect, special, incidental or consequential damages in connection with the furnishing, performance, or use of this material.

© Copyright 1988 Carnegie Mellon University
© Copyright 1991-2000 Mentat Inc.
© Copyright 1996 Morning Star Technologies, Inc.
© Copyright 1996 Progressive Systems, Inc.
© Copyright 1991-2000 Isogon Corporation, All Rights Reserved.

Trademark Notices

UNIX is a registered trademark of The Open Group. X Window System is a trademark of the Massachusetts Institute of Technology. MS-DOS and Microsoft are U.S. registered trademarks of Microsoft Corporation.

1 PAM Kerberos Release Notes for HP-UX 11i v2

Announcement

PAM Kerberos is supported on the HP-UX 11i v2 system. It is based on Kerberos Authentication System V5, developed by Massachusetts Institute of Technology (MIT). The PAM Kerberos module is compliant with IETF RFC 1510 and Open Group RFC 86.0. HP-UX PAM Kerberos is implemented under the PAM (Pluggable Authentication Module) framework. PAM Kerberos works with HP-UX Kerberos Server version 2.

What’s in This Version

The PAM service modules are implemented as a shared library: the Kerberos PAM library, /usr/lib/security/$ISA/libpam_krb5.so.1, which uses KRB5-Client APIs. PAM Kerberos for HP-UX 11i v2 consists of the following:

• libpam_krb5.so.1 library
• pam_krb5 man page
• PAM Kerberos configuration validation tool - pamkrbval
• sample pam.

Product Description

PAM Kerberos, HP product number J5849AA, contains the following filesets as shown under HP-Software Distributor (SD):

PAM-KRB-SHLIB   /usr/lib/security/$ISA/libpam_krb5.so.1
PAM-KRB-MAN     /usr/share/man/man5.Z/pam_krb5.5
                /usr/share/man/man1m.z/pamkrbval.1m
PAM-KRB-RUN     /usr/sbin/pamkrbval
PAM-KRB-DEMO    /etc/pam.krb5

PAM Kerberos Library

This library supports all the four module types.

In the following pam.conf configuration example, both the libpam_krb5.so.1 and libpam_unix.so.1 are defined in the PAM stack as authentication modules. After authenticating the user under libpam_unix.so.1, PAM will try to authenticate to libpam_krb5.so.1 using the same password used with libpam_unix.so.1. If PAM fails to authenticate with this password, authentication will fail.
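
Added example (not part of the HP release notes, and not the pam.conf example they refer to): a short Python audit that reads the auth entries of a pam.conf-style file and reports how each libpam_krb5.so.1 entry obtains its password. The sample file is constructed, and use_first_pass and try_first_pass are assumed here to be the options that control password reuse; they do not appear in the text above.

```python
KRB5 = "libpam_krb5.so.1"

# Constructed sample; fields: service module_type control_flag module_path [options]
SAMPLE_PAM_CONF = """\
# constructed sample, not taken from the release notes
login   auth    required /usr/lib/security/$ISA/libpam_unix.so.1
login   auth    required /usr/lib/security/$ISA/libpam_krb5.so.1 use_first_pass
ftp     auth    required /usr/lib/security/$ISA/libpam_unix.so.1
ftp     auth    required /usr/lib/security/$ISA/libpam_krb5.so.1 try_first_pass debug
dtlogin auth    required /usr/lib/security/$ISA/libpam_krb5.so.1
dtlogin auth    required /usr/lib/security/$ISA/libpam_unix.so.1 try_first_pass
login   session required /usr/lib/security/$ISA/libpam_krb5.so.1
"""

def parse_auth_stacks(text):
    """Return {service: [(module file name, [options]), ...]} for auth entries only."""
    stacks = {}
    for raw in text.splitlines():
        fields = raw.split()
        # Skip blank lines, comments, short lines and non-auth module types.
        if len(fields) < 4 or fields[0].startswith("#") or fields[1] != "auth":
            continue
        service, path, opts = fields[0], fields[3], fields[4:]
        stacks.setdefault(service, []).append((path.rsplit("/", 1)[-1], opts))
    return stacks

def audit(text):
    """Tag every libpam_krb5.so.1 auth entry by where its password comes from."""
    report = {}
    for service, stack in parse_auth_stacks(text).items():
        tags = []
        for pos, (module, opts) in enumerate(stack):
            if module != KRB5:
                continue
            if pos == 0 and ("use_first_pass" in opts or "try_first_pass" in opts):
                tags.append("no-earlier-password")  # nothing stacked before it
            elif "use_first_pass" in opts:
                tags.append("reuse-only")           # wrong password -> auth fails
            elif "try_first_pass" in opts:
                tags.append("reuse-then-prompt")    # falls back to its own prompt
            else:
                tags.append("own-prompt")           # asks for a Kerberos password
            if "debug" in opts:
                tags.append("debug-logging")        # syslog at LOG_DEBUG
        if tags:
            report[service] = tags
    return report

if __name__ == "__main__":
    print(audit(SAMPLE_PAM_CONF))
```

The "reuse-only" tag corresponds to the behaviour described above, where a password that does not match the Kerberos principal makes authentication fail.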

system. This would require possession of a valid TGT for the first remote system. Kerberos provides the option to create TGTs with special attributes allowing them to be forwarded to remote systems within the realm. The forwardable flag in a ticket allows the service complete use of the client’s identity. It is used when a user logs in to a remote system and wants authentication to work from that system as if the login were local.

root   password   /usr/lib/security/$ISA/libpam_krb5.so.1   ignore
root   account    /usr/lib/security/$ISA/libpam_krb5.so.1   ignore
root   session    /usr/lib/security/$ISA/libpam_krb5.so.1   ignore
#

Refer to the man page of pam_updbe(5) for more information on pam_user.conf.

debug
This option allows syslog(3C) debugging information at LOG_DEBUG level.

krb_prompt
In the /etc/pam.

Known Problems and Workarounds

There are no known problems for PAM-Kerberos on HP-UX 11i v2.

Compatibility Information and Installation Requirements

Hardware Requirements
HP-UX workstations and servers with a minimum of 32 MB of memory and sufficient swap space (a minimum of 50 MB is recommended).

Operating System Requirements
HP-UX 11i v2

Disk Space Requirements
Minimum disk space required to install the product is 1 MB.

Notes, Cautions and Warnings

• For each user, make sure that the UNIX uid, home directory, and shell information exist in the UNIX repository, /etc/passwd or any name service database.
• The Kerberos PAM module sets and uses an environment variable, KRB5CCNAME, during authentication. Concurrent execution in the same shell environment of any applications that access KRB5CCNAME may result in unexpected behavior.

Patches and Fixes in This Version

There are no bug fixes or patches included in PAM-Kerberos on HP-UX 11i v2.

Related Documentation

The list below contains documentation related to the PAM Kerberos product:

• Configuration Guide for Kerberos Products on HP-UX (T1417-90006)
• HP-UX 11i v2 Enterprise Release Delta Document
• Man Pages: krb5.conf (4), kerberos (9), pam.conf (4), pam_user.conf (4), pam (3), pam_krb5 (5)
• PAM RFC - 86.0: http://www.opengroup.org/tech/rfc/rfc86.0.html
• Kerberos RFC - 1510: http://www.ietf.org/rfc/rfc1510.

Software Availability in Native Languages

There is no information in non-English languages for this version of PAM-Kerberos.