Network Security Features of HP-UX 11i v1 and 11i v2

Page 20
The KDC creates a ticket-granting ticket (TGT) for the client, encrypts it using the KDC key, and then
sends the encrypted TGT back to the client. The client uses the TGT to obtain further service tickets,
which provide proof of the client’s identity.
Kerberos Server
A central Kerberos server, called the Key Distribution Center (KDC), verifies the user’s password. HP-UX also provides secure key exchange between application clients and servers. Application programs can take advantage of this feature using GSS-API.
HP-UX Kerberos Server software is available free of charge from Software Depot and is also included on the HP-UX Application Release CD.
Kerberos Server Features
The key features and benefits of the Kerberos Server are:
Strong security: Passwords never travel over the network. Secret keys are only passed across the
network in an encrypted form.
Mutual authentication: Client and server systems authenticate each other at each step of the process, so both the client and the server are certain that they are communicating with their authentic counterparts.
Single sign-on capability: Saves time and reduces network security risks by letting a user sign on to the network once, with one password, to access multiple applications rather than signing on to each application individually.
Password synchronization: Password changes can be propagated across Kerberos realms. Multiple realms are supported for ease of administration.
Increased password flexibility: The password policy is now based on the policy to which the principal is subscribed, rather than on the instance name to which the principal belongs. This gives a principal the flexibility to subscribe to any policy in the /opt/krb5/password.policy file.
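To make the exchange described above concrete (a TGT the client cannot read because it is sealed under the KDC key, a password that never leaves the client, and a nonce check that authenticates the KDC to the client), here is an added Python model of the Kerberos AS exchange. It is not part of this HP paper and not HP-UX or MIT code; the cipher is a toy stand-in for Kerberos encryption types, and the realm, principal and password values are constructed.

```python
# Added example: stdlib-only model of the Kerberos AS-REQ/AS-REP exchange.
# The "cipher" is a toy (SHA-256 keystream + HMAC tag) standing in for a real
# Kerberos enctype; all realm/principal/password values below are constructed.
import hashlib, hmac, json, secrets, time

def string2key(password: str, salt: str) -> bytes:
    """Derive the long-term key from the password (models Kerberos string2key)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000)

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(length // 32 + 1))

def encrypt(key: bytes, obj: dict) -> bytes:
    """Toy authenticated encryption: nonce || ciphertext || HMAC-SHA256 tag."""
    pt = json.dumps(obj).encode()
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def decrypt(key: bytes, blob: bytes) -> dict:
    """Rejects the blob unless the tag verifies under this key (wrong key or tampering)."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, "sha256").digest(), tag):
        raise ValueError("integrity check failed: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

class KDC:
    """Holds the principal key database and the KDC's own key; never receives a password."""
    def __init__(self, realm: str, principals: dict):
        self.realm, self.kdc_key = realm, secrets.token_bytes(32)
        self.db = {p: string2key(pw, realm + p) for p, pw in principals.items()}

    def as_exchange(self, principal: str, nonce: int):
        """AS-REQ -> AS-REP: session key + nonce sealed under the client's key,
        TGT (client, session key, expiry) sealed under the KDC key."""
        session_key = secrets.token_bytes(32).hex()
        tgt = encrypt(self.kdc_key, {"client": principal, "skey": session_key,
                                     "expires": time.time() + 8 * 3600})
        enc_part = encrypt(self.db[principal], {"skey": session_key, "nonce": nonce})
        return tgt, enc_part

def client_login(kdc: KDC, principal: str, password: str):
    """Client side: the password is only used locally to derive a key; it never goes on the wire."""
    nonce = secrets.randbelow(2**32)
    tgt, enc_part = kdc.as_exchange(principal, nonce)
    rep = decrypt(string2key(password, kdc.realm + principal), enc_part)  # fails on a wrong password
    if rep["nonce"] != nonce:  # only a KDC holding our key could have sealed our nonce
        raise ValueError("AS-REP nonce mismatch: not our KDC, or a replayed reply")
    return tgt, rep["skey"]     # the TGT stays opaque to the client; only the KDC can open it
```

The returned TGT is what the client later presents to obtain service tickets; the client never learns the KDC key and only proves possession of the session key.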
Kerberos Libraries, GSS-API, and PAM
HP-UX 11i provides Kerberos utilities and Kerberos client libraries compatible with the MIT reference
implementation. Kerberos client libraries can be linked in either 32- or 64-bit mode. Application
developers can use the Kerberos libraries or the GSS-API libraries equipped with the Kerberos
mechanism to implement kerberized applications. Kerberos client libraries are available as part of the
HP-UX core operating system.
The Kerberos libraries also include a Pluggable Authentication Module (PAM) that allows PAM-enabled utilities, such as login, to use Kerberos as the authentication provider.