
PAM Kerberos

Product details and specifications

PAM Kerberos provides Kerberos authentication under the Pluggable Authentication Module (PAM) architecture specified in Open Group RFC 86.0. PAM allows multiple authentication technologies to coexist. The /etc/pam.conf configuration file determines which authentication module is used, and this choice is transparent to the applications that use the PAM library. PAM Kerberos supports the following modules:

  • Authentication module
  • Account management module
  • Session management module
  • Password management module

PAM Kerberos is one of the authentication modules that PAM can invoke based on the authentication method defined in the /etc/pam.conf PAM configuration file. If the shared, dynamically loadable PAM Kerberos library (for example, /usr/lib/security/libpam_krb5.1) is defined for the PAM authentication module, PAM Kerberos is invoked for user authentication.

Following are the PAM Kerberos features on HP-UX:

  • PAM Kerberos validation tool: This tool validates the PAM-Kerberos-related entries in the /etc/pam.conf, /etc/pam_user.conf, /etc/krb5.conf, and /etc/krb5.keytab configuration files. This tool also checks for the presence of the authentication server, the Key Distribution Center (KDC).

  • Session Management: The credentials created by PAM Kerberos for the user while logging in are not deleted from the system when the user closes the session. This can result in unnecessary usage of disk space. The session management uses the pam_sm_close_session() function to delete the credentials that are created by the pam_sm_setcred() function.

  • Configurable Password prompt: The password prompt for PAM Kerberos can be configured by specifying the krb_prompt flag in the corresponding entry in the /etc/pam.conf PAM configuration file.
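
An added example, not HP's validation tool or code from this page: a Python check that parses a pam.conf-style file and reports, per service, which module types load libpam_krb5. It flags services that authenticate through Kerberos but have no Kerberos session entry, so pam_sm_close_session() would not run to remove the credentials. The sample file contents and function names are constructed for illustration, and the four-column entry layout (service, module type, control flag, module path) is an assumption.

```python
import re
from collections import defaultdict

MODULE_TYPES = ("auth", "account", "session", "password")

# Constructed sample, assumed layout per entry:
#   service  module_type  control_flag  module_path  [options]
SAMPLE_PAM_CONF = """\
# constructed sample, not a shipped HP-UX file
login    auth     sufficient /usr/lib/security/libpam_krb5.1
login    auth     required   /usr/lib/security/libpam_unix.1 try_first_pass
login    account  required   /usr/lib/security/libpam_krb5.1
login    session  required   /usr/lib/security/libpam_krb5.1
login    password required   /usr/lib/security/libpam_krb5.1
ftp      auth     sufficient /usr/lib/security/libpam_krb5.1
ftp      auth     required   /usr/lib/security/libpam_unix.1 try_first_pass
ftp      session  required   /usr/lib/security/libpam_unix.1
OTHER    auth     required   /usr/lib/security/libpam_unix.1
"""

def krb5_coverage(text):
    """Map each service to the set of module types that load libpam_krb5."""
    coverage = defaultdict(set)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        fields = line.split()
        if len(fields) < 4 or fields[1] not in MODULE_TYPES:
            continue                             # blank or malformed entry
        service, mtype, _flag, path = fields[:4]
        coverage[service]                        # list services with no krb5 too
        if re.search(r"(^|/)libpam_krb5\.", path):
            coverage[service].add(mtype)
    return dict(coverage)

def missing_session_cleanup(coverage):
    """Services with Kerberos auth but no Kerberos session module entry."""
    return sorted(s for s, types in coverage.items()
                  if "auth" in types and "session" not in types)

if __name__ == "__main__":
    cov = krb5_coverage(SAMPLE_PAM_CONF)
    for service in sorted(cov):
        print(service, sorted(cov[service]))
    print("krb5 auth without krb5 session:", missing_session_cleanup(cov))
```
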

Following are the Kerberos-support features on the HP-UX 11i v1 operating system:

  • Appdefault support: The Kerberos client configuration file /etc/krb5.conf supports the [appdefaults] section. In this section, users can set the default flags that an application uses while obtaining credentials.

  • ADS Multidomain Support: If the user's account exists in the Windows 2000 multidomain, the Kerberos client resolves the Windows 2000 domain to which the user belongs. This makes the authentication consistent with nss_ldap, a name service switch module provided by LDAP-UX.

Features and security fixes

PAM Kerberos v 1.26 contains the following changes:

  • QXCR1000900218
    On HP-UX 11i v1, 11i v2, and 11i v3 operating systems, PAM Kerberos v 1.26 may be vulnerable to a security threat when setuid applications modify the system environment variables. This issue is fixed.
  • QXCR1000901435
    On the HP-UX 11i v2 operating system, the sample PAM configuration file, /etc/pam.conf, is updated to include the same entries as the /etc/pam.krb5 file, which is delivered by the core fileset.
  • QXCR1000584992
    On the HP-UX 11i v2 operating system, dtlogin (CDE) ignores the user entries present in the /etc/pam_user.conf file. This issue is fixed.
  • QXCR1000924790
    System login using su on all HP-UX operating systems fails when PAM Kerberos v1.25 is installed. This issue is fixed.

PAM Kerberos versions on HP-UX

Table 1 lists and describes the PAM Kerberos versions available on different HP-UX operating systems.

Table 1: PAM Kerberos Versions on HP-UX

| Operating System | PAM Kerberos Version Number | PAM Kerberos Bundle Number | Bundle Contents | Kerberos Client Dependency |
|---|---|---|---|---|
| HP-UX 11i v1 | PAM Kerberos v 1.26 | B.11.11.17 | PAM Kerberos and Kerberos Support v1.1 | KRB5-Client.KRB5-SHLIB, KRB5-Client.KRB5-64SLIB |
| HP-UX 11i v2 | PAM Kerberos v 1.26 | C.01.26 | PAM Kerberos | KRB5-Client.KRB5-IA32SLIB, KRB5-Client.KRB5-IA64SLIB, KRB5-Client.KRB5-SHLIB, KRB5-Client.KRB5-64SLIB |
| HP-UX 11i v3 | PAM Kerberos v 1.26 | D.01.26 | PAM Kerberos | KRB5-Client.KRB5-IA32SLIB, KRB5-Client.KRB5-IA64SLIB, KRB5-Client.KRB5-SHLIB, KRB5-Client.KRB5-64SLIB |

Additional product information

Product #: J5849AA
Version: 1.26
Software specification:
  • HP-UX 11i v1 - B.11.11.17
  • HP-UX 11i v2 - C.01.26
  • HP-UX 11i v3 - D.01.26