
Authentication

Nobody's Hero
Valued Contributor

Authentication

I have a question.

If I wanted to use Kerberos as an authentication method for access like secure shell (ssh) into my HP-UX server, can it be done?

Would it not use the /etc/password file at all or work in conjunction with it?

What authentication method is used as default under HP-UX? Is it PAM authentication?
UNIX IS GOOD
Steven E. Protter
Exalted Contributor
Solution

Re: Authentication

Shalom,

Yes, you can set up your system as either a Kerberos server or client and use it for authentication.

http://docs.hp.com/en/T1471-90028/ch03s04.html
http://docs.hp.com/en/T1471-90028/ch04s04.html


If your system was a server, it would still use /etc/passwd for at least storing the user names. Your system could also easily become the client of an LDAP or Windows ADS server.

The authentication method standard to hpux does use PAM.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Nobody's Hero
Valued Contributor

Re: Authentication

Mr Protter,

Over the years, you and other folks here have just been a huge help and a bucket full of knowledge. Have helped me beyond belief. Do you all ever stop thinking about HPUX ???? : )

Just wanted to pass on my thanks, much appreciated.
UNIX IS GOOD
Steven E. Protter
Exalted Contributor

Re: Authentication

You are not the only person who thinks I spend too much time thinking about HP-UX.

My primary job responsibility now is Linux, but because I know HP-UX reasonably well, I pick up a lot of work at our offices and helping our customers with HP-UX. It can be a little frustrating because instead of being on keyboard I will build a patch set, submit it with instructions and have to watch someone else do the work. Sometimes I have to do this work with incomplete information on the customer system. For example trying to build a patch set for a malfunctioning system where a patch assessment has not been done and security policy forbids it.

I do think about things other than HP-UX and Linux. I'm trying to get a home built and that's a process here where the wheels frequently fall off and you think disaster is around the bend in the road.

So dealing with Linux and HP-UX adds some certainty to what is now an uncertain existence. I have a pair of wonderful children and am trying to learn Hebrew, the language that is spoken here in Israel.

I'm busy busy busy, and probably should be doing my Hebrew homework instead of answering questions here.

I'm not looking for points for this and encourage you to assign it zero points. I thought however your question deserved an answer.

There is a contact form in my ITRC profile you can use to get me outside of ITRC. I like talking with people and helping. ITRC members are generally easier to help than my customers.

Note that none of the examples above relates to any of our company's actual customers. The stories are anecdotal.

:-)

Shmuel Protter
Unix Engineer
NDS Technologies
Jerusalem, Israel
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Nobody's Hero
Valued Contributor

Re: Authentication

Well,
I didn't want to seem like I was being tongue in cheek. I am amazed at your knowledge with HPUX and I have depended on you many times in the past years and I appreciate it very much. I wish I could transfer all your knowledge into my pea brain. I've been supporting HPUX for 12+ years, and I still need help, all the time.

I appreciate your help and the other gems on this site who have achieved technical mastery.

Good day! and Thanks.
UNIX IS GOOD
Denver Osborn
Honored Contributor

Re: Authentication

If you implement KRB using PAM, one thing to note is local accounts would still authenticate using /etc/passwd and not Kerberos. You'd set up user policy config to ignore pam_krb5 for local accounts. In this case you'd have users defined in /etc/passwd, but they could use krb5 for auth and not /etc/passwd.

example...

# pam.conf
other auth required /usr/lib/security/libpam_updbe.1
other auth sufficient /usr/lib/security/libpam_unix.1
other auth required /usr/lib/security/libpam_krb5.1 use_first_pass

# pam_user.conf
root auth /usr/lib/security/libpam_krb5.1 ignore


just something you may need to consider

-denver
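
The pam.conf and pam_user.conf lines from the post above, traced for a local account and a Kerberos account. This is an added example, not part of the original thread or HP's code. It is a simplified model of the `required`/`sufficient` control flags that assumes libpam_updbe.1 only loads pam_user.conf and that `ignore` skips the module for that login; the user `alice` and the accept/reject inputs are constructed.

```python
# Added example: simplified model of how the PAM "auth" stack above is evaluated.
PAM_CONF = """\
other auth required /usr/lib/security/libpam_updbe.1
other auth sufficient /usr/lib/security/libpam_unix.1
other auth required /usr/lib/security/libpam_krb5.1 use_first_pass
"""
PAM_USER_CONF = "root auth /usr/lib/security/libpam_krb5.1 ignore\n"

def fields(text):
    """Yield whitespace-split fields of each non-empty, non-comment line."""
    for line in text.splitlines():
        f = line.split("#", 1)[0].split()
        if f:
            yield f

def parse_stack(text, service="other", mtype="auth"):
    """Return [(control_flag, module_path)] in file order."""
    return [(f[2], f[3]) for f in fields(text)
            if len(f) >= 4 and f[0] == service and f[1] == mtype]

def parse_ignores(text, mtype="auth"):
    """Return {(login, module_path)} flagged 'ignore' in pam_user.conf."""
    return {(f[0], f[2]) for f in fields(text)
            if len(f) >= 4 and f[1] == mtype and "ignore" in f[3:]}

def authenticate(user, accepts, stack=None, ignores=None):
    """accepts maps module basename -> would that module accept the password.
    Returns (granted, deciding_module)."""
    stack = parse_stack(PAM_CONF) if stack is None else stack
    ignores = parse_ignores(PAM_USER_CONF) if ignores is None else ignores
    failed = passed = None
    for control, path in stack:
        name = path.rsplit("/", 1)[-1]
        # Assumption: updbe only loads pam_user.conf; 'ignore' skips the module.
        if name == "libpam_updbe.1" or (user, path) in ignores:
            continue
        ok = accepts.get(name, False)
        if control == "sufficient" and ok and failed is None:
            return True, name            # short-circuit: later modules never run
        if control == "required":
            if ok:
                passed = passed or name
            else:
                failed = failed or name
    if failed:
        return False, failed
    return passed is not None, passed    # nothing succeeded -> deny

if __name__ == "__main__":
    print(authenticate("root", {"libpam_unix.1": True}))
```

Under this model a valid Kerberos password never logs root in, and any account with a working local password is accepted by libpam_unix.1 before Kerberos is consulted.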