PAM Kerberos v 1.24 Release Notes

Password Management Module

The password management module provides a function to change passwords in the

Kerberos password database.

See the sample /etc/pam.conf file for a configuration example. Additional examples

are provided under “Notes, Cautions, and Warnings” (page 16). For more information,

see the pam_krb5( 5) manpage.

Options Supported by the PAM Kerberos Modules

The PAM Kerberos modules support the following options:

• use_first_pass

• try_first_pass

• renewable=<time>

• forwardable

• proxiable

• ignore

• debug

• krb_prompt

For more information on these options, see Configuration Guide for Kerberos Client Products

on HP-UX (5991-7718) at: www.docs.hp.com

What Is in This Version

PAM Kerberos v 1.24 includes the following enhancements:

• The pamkrbval( 1m) tool generates a warning when the keytable entry is not found

for the host service principal.

• On HP-UX 11i v3 operating systems, the pamkrbval( 1m) validates the keytab entry

when Common Internet File System (CIFS) is configured on the system.

NOTE: This feature is available on HP-UX 11i v3 only.

• The pamkrbval tool checks the ownership of the /usr/tmp/rc_host_0 file for

better troubleshooting.

• PAM Kerberos provides an appropriate message if a user's ADC account is locked

or is expired.

• PAM Kerberos v 1.24 on HP-UX 11i v1 delivers the 64-bit

/usr/lib/security/pa20_64/libpam_krb5.1 library to provide Kerberos

authentication to 64-bit PAM applications.

What Is in This Version 11