PAM Kerberos v 1.
© Copyright 2007 Hewlett-Packard Development Company, L.P.

Legal Notices

Confidential Computer Software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.11 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor’s standard commercial license. The information contained herein is subject to change without notice.
1 PAM Kerberos v 1.24 Release Notes

This document discusses the most recent product information for PAM Kerberos v 1.24 that is supported on HP-UX 11i v1, HP-UX 11i v2, and HP-UX 11i v3. This document addresses the following topics:

• “Announcement” (page 8)
• “Overview” (page 8)
• “What Is in This Version” (page 11)
• “Defect Fixes in PAM Kerberos v 1.24” (page 12)
• “Installing PAM Kerberos v 1.
Announcement

PAM Kerberos v 1.24 is implemented under the Pluggable Authentication Module (PAM) framework. It is based on the Kerberos Authentication System V5, developed by the Massachusetts Institute of Technology (MIT). The PAM Kerberos v 1.24 module is compliant with IETF RFC 1510, The Kerberos Network Authentication Service (V5), and Open Group RFC 86.0. PAM Kerberos v 1.24 supports HP-UX Kerberos Server Version 3.
Table 1-1 lists the filesets in PAM Kerberos on HP-UX 11i v1.

Table 1-1 PAM Kerberos v 1.24 Filesets on HP-UX 11i v1

File Set Name    Description                          Library Name
PAM-KRB-64SLIB   PAM-Kerberos 64-bit Shared Library   /usr/lib/security/pa20_64/libpam_krb5.1
PAM-KRB-DEMO     PAM-Kerberos Demonstration           /etc/pam.krb5
PAM-KRB-MAN      PAM-Kerberos Manpages                /usr/share/man/man5.Z/pam_krb5.5
                                                      /usr/share/man/man1m.z/pamkrbval.
Table 1-2 PAM Kerberos v 1.24 Filesets on HP-UX 11i v2 and HP-UX 11i v3 (continued)

Fileset Name    Description                            Library Name
PAM-KRB-RUN     PAM-Kerberos Runtime Validation Tool   /usr/sbin/pamkrbval
PAM-KRB-SHLIB   PAM-Kerberos 32-bit Shared Library     /usr/lib/security/libpam_krb5.so.1 -> /usr/lib/security/libpam_krb5.1

Modules Supported by PAM Kerberos v 1.24

The PAM Kerberos v1.
Password Management Module

The password management module provides a function to change passwords in the Kerberos password database. See the sample /etc/pam.conf file for a configuration example. Additional examples are provided under “Notes, Cautions, and Warnings” (page 16). For more information, see the pam_krb5(5) manpage.
Defect Fixes in PAM Kerberos v 1.24

Table 1-3 lists the defect fixes in PAM Kerberos v 1.24 available on HP-UX 11i v1, HP-UX 11i v2, and HP-UX 11i v3 operating systems.

Table 1-3 Defect Fixes in PAM Kerberos v 1.24

Identifier   Description
JAGaf63759   The pam_krb5 module does not handle the pam_krb5 ignore flag while using the pam_user.conf file to avoid Kerberos authentication.
JAGaf70453   If PAM Kerberos is configured only for session management, it deletes credentials that are not created by it.
Table 1-4 System Requirements for Installing PAM Kerberos v 1.24 (continued)

Component    Requirement
Disk Space   1 MB. Additional disk space of 1 KB per user is required to store the initial TGT in credential cache files. The size of each cache file grows in proportion with additional service tickets. You must have enough space in the /tmp directory to accommodate the credential cache files.
Memory       Minimum of 32 MB memory and sufficient swap space. HP recommends a minimum of 50 MB space.
NOTE: The HP-UX MD5 Secure Checksum software is not installed by default on the system. It is available for download at: http://h20293.www2.hp.com/

14. To install PAM Kerberos v 1.24, run the following command at the HP-UX prompt:
    # swinstall -s
    The swinstall window is displayed.
15. Press the space bar to select the depot name.
16. Select Install in the Action menu. The Install Analysis window is displayed.
17. Select OK when the Status field displays a Ready message.
Known Problems and Limitations

Following are the known problems and limitations in PAM Kerberos v 1.24:

• If a kernel threaded DCE application linking to libdcekt uses PAM Kerberos for authentication, it results in a core dump. This occurs because of a symbol clash between PAM Kerberos and DCE kernel threads. HP has fixed PAM Kerberos v 1.24 and Kerberos Client C.1.3.5.05 to avoid this core dump. However, you must also install linker patch PHSS_28871 or its superseding patches to resolve this defect.
product to work properly, each occurrence of the libpam_krb5.1 library in the /etc/pam.conf file must be specified as a relative path. To view a sample /etc/pam.conf file with the relative path, see the pam.conf(4) manpage.

Notes, Cautions, and Warnings

Following are some notes, cautions, and warnings related to PAM Kerberos v 1.24:

• For each user, ensure that the UNIX uid, home directory, and shell information exist in the UNIX repository, /etc/passwd or any name service database.
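
The relative-path requirement for libpam_krb5.1 entries in /etc/pam.conf, stated under Known Problems and Limitations, can be audited with a short script. This is an added example, not HP's code: it assumes the pam.conf(4) field order (service, module type, control flag, module path, options) and treats any module path beginning with / as absolute; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the release notes): report pam.conf entries that
# load libpam_krb5 through an absolute module path.
# Assumed pam.conf(4) fields: service module_type control_flag module_path [options]

# Hypothetical helper: reads pam.conf-format text from the named files,
# or from standard input when no file is given.
find_absolute_krb5_entries() {
    cat -- "$@" | awk '
        /^[ \t]*#/ || NF < 4 { next }            # skip comments and short lines
        $4 ~ /libpam_krb5/ && $4 ~ /^\// {       # krb5 module, path starts with "/"
            printf "%d: %s %s %s\n", NR, $1, $2, $4
        }
    '
}

# Constructed sample input, not a shipped HP-UX file.
sample_pam_conf() {
    cat <<'EOF'
# constructed sample for illustration
login   auth     sufficient  /usr/lib/security/libpam_krb5.1
login   auth     required    libpam_unix.1 try_first_pass
login   account  required    libpam_krb5.1
passwd  password required    /usr/lib/security/pa20_64/libpam_krb5.1
#ftp    auth     sufficient  /usr/lib/security/libpam_krb5.1
EOF
}

# Each output line is "<line number>: <service> <module type> <module path>".
sample_pam_conf | find_absolute_krb5_entries
```

On a live system, pass the file name instead: `find_absolute_krb5_entries /etc/pam.conf`. Empty output means every libpam_krb5 entry already uses a relative path.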
Related Documentation

The following documents are available for the PAM Kerberos v 1.24 product:

• Configuration Guide for Kerberos Products on HP-UX (5991-7718) at: http://www.docs.hp.com
• Manpages: krb5.conf(4), kerberos(9), pam.conf(4), pam_user.conf(4), pam(3), pam_krb5(5), and pam_updbe(5)
• PAM RFC - 86.0 at: http://www.opengroup.org/tech/rfc/rfc86.0.html
• Kerberos RFC - 1510 at: http://www.ietf.org/rfc/rfc1510.