Introduction to the Kerberos Products and
PAM Kerberos
• Checks for the validity of the control_flags and the module_types specified for the PAM Kerberos specific entries in the /etc/pam.conf file.
• Checks if the PAM Kerberos specific module_path specified in the /etc/pam.conf file exists. If the module_path name is not absolute it is assumed to be relative to /usr/lib/security/$ISA/. The $ISA (Instruction Set Architecture) token is replaced by this tool with hpux32 for Itanium
• Checks if the options specified for the pam_krb5 library are valid PAM Kerberos options.
• Validates the /etc/pam_user.conf file only if libpam_updbe is configured in the /etc/pam.conf file. This validation is similar to the /etc/pam.conf validation.
• Validates the syntax of the Kerberos configuration file, /etc/krb5.conf.
• Validates if the default realm KDC is issuing tickets. At least one KDC must reply to the ticket requests for the default realm.
• Validates the host service principal, host/<hostname>@<default_realm>, in /etc/krb5.keytab, if present. If the keytab entry for this host service principal is not present in the default keytab file, /etc/krb5.keytab, then that validation is ignored and success is assumed.

NOTE An entry in the /etc/pam.conf file is considered to be a PAM Kerberos entry if the file name in the module_path begins with libpam_krb5. An example of a PAM Kerberos entry in /etc/pam.conf is as shown:

    login auth required /usr/lib/security/$ISA/libpam_krb5.so.1

The machine is considered to be configured with libpam_updbe if the file name in the module_path of an entry in /etc/pam.conf begins with libpam_updbe. Following is an example of a pam_updbe entry in the /etc/pam.conf file:

    login auth required /usr/lib/security/$ISA/libpam_updbe.so.1
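
The /etc/pam.conf checks listed above, sketched in Python as an added example (not the HP tool and not code from this manual). The function names, the accepted module_type and control_flag sets, and the sample file are assumptions constructed for illustration; option validation is left out because the page does not list the valid pam_krb5 options.

```python
import os
import posixpath

# Assumption: the usual pam.conf value sets; the page does not enumerate them.
MODULE_TYPES = {"auth", "account", "session", "password"}
CONTROL_FLAGS = {"required", "requisite", "optional", "sufficient"}
SECURITY_DIR = "/usr/lib/security/$ISA/"  # base for a relative module_path (from the page)

def resolve_module_path(module_path, isa="hpux32"):
    """Make module_path absolute, then substitute the $ISA token."""
    if not module_path.startswith("/"):
        module_path = SECURITY_DIR + module_path
    return module_path.replace("$ISA", isa)

def check_pam_conf(text, isa="hpux32", exists=os.path.exists):
    """Return (findings, updbe_configured) for pam.conf-style text."""
    findings, updbe = [], False
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 4:
            continue  # blank, comment, or too short to carry a module_path
        _service, mtype, flag, mpath = fields[:4]
        name = posixpath.basename(mpath)
        if name.startswith("libpam_updbe"):
            updbe = True  # /etc/pam_user.conf would then be validated too
        if not name.startswith("libpam_krb5"):
            continue  # only PAM Kerberos entries are checked
        if mtype not in MODULE_TYPES:
            findings.append((lineno, f"invalid module_type {mtype!r}"))
        if flag not in CONTROL_FLAGS:
            findings.append((lineno, f"invalid control_flag {flag!r}"))
        resolved = resolve_module_path(mpath, isa)
        if not exists(resolved):
            findings.append((lineno, f"module_path not found: {resolved}"))
    return findings, updbe

# Constructed sample, not taken from a real host.
SAMPLE = """\
# sample pam.conf
login   auth     required   /usr/lib/security/$ISA/libpam_updbe.so.1
login   auth     required   /usr/lib/security/$ISA/libpam_krb5.so.1
login   account  mandatory  libpam_krb5.so.1
su      authn    required   libpam_krb5.so.1
login   auth     required   /usr/lib/security/$ISA/libpam_unix.so.1
"""

if __name__ == "__main__":
    present = {"/usr/lib/security/hpux32/libpam_krb5.so.1"}  # stand-in for the filesystem
    findings, updbe = check_pam_conf(SAMPLE, exists=present.__contains__)
    for lineno, msg in findings:
        print(f"line {lineno}: {msg}")
    print("libpam_updbe configured:", updbe)
```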