Figure 2: The PAM Library

Figure 2 shows the relationship between the PAM Kerberos library and the various authentication modules that HP-UX provides. The PAM Kerberos library is one of the many authentication modules that PAM can invoke, based on what is defined in the PAM configuration file, /etc/pam.conf. If PAM's authentication-management entry points to the shared, dynamically loadable PAM Kerberos library, PAM Kerberos is invoked for user authentication.
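The following added example (not part of the original paper or of HP's software) audits a pam.conf-style file to show which services route authentication to the PAM Kerberos module. The sample configuration, the module paths in it, and the function names are constructed for illustration; the lookup assumes the usual pam.conf convention that a service with no entries of its own falls back to the OTHER service.

```python
# Added example: find which services send "auth" to the PAM Kerberos module.
# SAMPLE_PAM_CONF is constructed sample input, not a shipped HP-UX file.
SAMPLE_PAM_CONF = """\
# service  module_type  control_flag  module_path  options
login   auth     sufficient  /usr/lib/security/libpam_krb5.1
login   auth     required    /usr/lib/security/libpam_unix.1 try_first_pass
ftp     auth     required    /usr/lib/security/libpam_unix.1
login   account  required    /usr/lib/security/libpam_unix.1
OTHER   auth     required    /usr/lib/security/libpam_krb5.1
"""


def parse_auth_stacks(text):
    """Return {service: [(control_flag, module_path, options), ...]} for auth entries."""
    stacks = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        fields = line.split()
        if len(fields) < 4:
            continue                          # empty or malformed entry
        service, module_type, flag, path, *options = fields
        if module_type.lower() == "auth":     # authentication management only
            stacks.setdefault(service.lower(), []).append((flag, path, options))
    return stacks


def auth_stack_for(text, service):
    """Auth stack PAM would use for a service, falling back to OTHER (assumed)."""
    stacks = parse_auth_stacks(text)
    return stacks.get(service.lower(), stacks.get("other", []))


def kerberos_auth_services(text, marker="pam_krb5"):
    """Map each service whose auth stack loads the Kerberos module to its control flags."""
    result = {}
    for service, stack in parse_auth_stacks(text).items():
        flags = [flag for flag, path, _ in stack
                 if marker in path.rsplit("/", 1)[-1]]
        if flags:
            result[service] = flags
    return result


if __name__ == "__main__":
    for svc, flags in kerberos_auth_services(SAMPLE_PAM_CONF).items():
        print(f"{svc}: Kerberos auth module with control flag(s) {flags}")
```

The control flag matters when reviewing the result: in the constructed sample, login treats Kerberos as sufficient and still lists a second module, while any service without its own entry inherits a Kerberos-only stack from OTHER.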

Kerberos Client (KRB5-Client) Software

In Kerberos, authentication takes place between clients and servers. So, in Kerberos terminology, a "Kerberos client" is any entity that gets a service ticket for a Kerberos service. A client is typically a user, but any principal can be a client (unless for some reason the administrator has explicitly forbidden a principal to be a client).

On HP-UX 11i onwards, the Kerberos utilities are part of the OS core. The Kerberos Client software consists of libraries, header files, manpages, and Kerberos utilities for implementing Kerberized client/server applications in either a 32-bit or a 64-bit development environment. The client libraries are based on MIT Kerberos V5 1.1.1. The HP-UX implementation of the Kerberos utilities is compatible with the MIT reference implementation. The Kerberos Client libraries support encryption types such as DES, 3DES, and AES. There is a new Kerberos Client version 1.3.5.01 based on MIT Kerberos version 1.3.5, available as a Web release.

The Kerberos Client includes the following utilities:

• kinit, klist, and kdestroy: Manage credentials
• kpasswd: Change Kerberos passwords
• ktutil: Maintain the keytab file
• kvno: Display the Kerberos key version number of the principals

HP Kerberos Server Version 3.1