PAM Kerberos Release Notes for HP-UX 11i v2
Notes, Cautions and Warnings
• For each user, make sure that the UNIX uid, home directory, and shell information exist
in the UNIX repository, /etc/passwd or any name service database.
• The Kerberos PAM module sets and uses an environment variable, KRB5CCNAME, during
authentication. Concurrent execution in the same shell environment of any applications
that access KRB5CCNAME may result in unexpected behavior.
• If the superuser root changes a user's password, the passwd program under the HP-UX
environment does not prompt for the old password. However, when the user's password
is changed through PAM-Kerberos, the user's old password must be entered. The behavior
therefore differs when the PAM-Kerberos module, libpam_krb5.so.1, is stacked with the
UNIX PAM module, libpam_unix.so.1, in the pam.conf file.
For example, under this pam.conf configuration:
passwd password required /usr/lib/security/$ISA/libpam_unix.so.1
passwd password required /usr/lib/security/$ISA/libpam_krb5.so.1 use_first_pass
When the superuser root changes a user's Kerberos password, the old password is
required. However, when UNIX PAM is the first module in the stack, it does not store the
old password, so a special situation arises in which the Kerberos password change fails:
the password is changed for the UNIX account but is not changed for the Kerberos
account. You can avoid this situation by not using the use_first_pass option.
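The following script is an added example, not part of the HP-UX release notes: it audits a pam.conf for the stacking described above (libpam_krb5.so.1 carrying use_first_pass after libpam_unix.so.1 in a password stack) and runs it against two constructed sample files. The function name and temporary file names are assumptions made for this example.

```sh
#!/bin/sh
# Added example: flag password stacks where libpam_krb5.so.1 uses
# use_first_pass after libpam_unix.so.1, the combination under which a
# root-initiated password change updates the UNIX password but the
# Kerberos password change fails. Names here are assumptions.

# check_pam_krb5_stack FILE
# Prints one line per offending service; exit 0 if clean, 1 otherwise.
check_pam_krb5_stack() {
    awk '
        # Skip comments and blank lines.
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        # pam.conf fields: service type control module [options...]
        $2 == "password" {
            svc = $1
            if ($4 ~ /libpam_unix\.so/) { unix_seen[svc] = 1 }
            if ($4 ~ /libpam_krb5\.so/) {
                for (i = 5; i <= NF; i++) {
                    if ($i == "use_first_pass" && unix_seen[svc]) {
                        printf "%s: libpam_krb5 uses use_first_pass after libpam_unix (line %d)\n", svc, NR
                        bad = 1
                    }
                }
            }
        }
        END { if (bad) exit 1 }
    ' "$1"
}

# Constructed sample: the stacking the notes warn about.
BAD_CONF=$(mktemp)
cat > "$BAD_CONF" <<'EOF'
# pam.conf (constructed sample)
passwd password required /usr/lib/security/$ISA/libpam_unix.so.1
passwd password required /usr/lib/security/$ISA/libpam_krb5.so.1 use_first_pass
EOF

# Constructed sample: the same stack without use_first_pass.
OK_CONF=$(mktemp)
cat > "$OK_CONF" <<'EOF'
passwd password required /usr/lib/security/$ISA/libpam_unix.so.1
passwd password required /usr/lib/security/$ISA/libpam_krb5.so.1
EOF

check_pam_krb5_stack "$BAD_CONF" || echo "review the password stack in $BAD_CONF"
check_pam_krb5_stack "$OK_CONF" && echo "$OK_CONF: no use_first_pass problem found"
```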
• To take advantage of the user policy definition service module libpam_updbe.so.1
(pam_updbe(5)), this module must be the first module in the stack, as shown in the
example below:
# pam.conf:
#
login auth required /usr/lib/security/$ISA/libpam_updbe.so.1
login auth sufficient /usr/lib/security/$ISA/libpam_krb5.so.1
login auth required /usr/lib/security/$ISA/libpam_unix.so.1 try_first_pass