HP-UX System Administrator's Guide: Security Management: HP-UX 11i Version 3 > Chapter 2 Administering User and System Security

Authenticating Users with PAM

The Pluggable Authentication Modules (PAM) are an industry-standard framework providing authentication, account management, session management, and password services. This section gives an overview of PAM and describes the PAM configuration files: /etc/pam.conf and /etc/pam_user.conf.

For more information, see pam(3), pam_*(5), pam.conf(4), pam_user.conf(4), and security(4).

Overview

PAM provides the flexibility to choose any authentication service available on the system. The PAM framework also enables you to plug in new authentication service modules and make them available without modifying the applications.

Whenever a user logs in, either locally or remotely (for example, using login or rlogin), the user must be checked, or authenticated, as a valid user of the system. As authentication methods improve and change over time, the login services would also have to change. To avoid constantly changing the login services just to revise the authentication code, PAM was developed so that different authentication methods can be used without modifying the login code.

As a result, login authentication, account checking, and password modification use the PAM interface.

Programs requiring user authentication pass their requests to PAM, which determines the correct verification method and returns the appropriate response. The programs do not need to know what authentication method is being used. See Figure 2-1 for an overview.

Figure 2-1 HP-UX Authentication Modules Under PAM

The authentication methods are specified on both a systemwide and individual user basis using the following PAM system files:

/etc/pam.conf

Systemwide control file. Defines which service modules are to be paired with services. These are regarded as system defaults.

/etc/pam_user.conf

Individual user control file. Defines which options are to be used by service modules on specific users. This is an optional file.

See pam(3), pam.conf(4), pam_updbe(5), and pam_user.conf(4) for more information.

PAM Libraries

PAM service modules are implemented by shared libraries. PAM enables multiple authentication technologies to co-exist in HP-UX. The /etc/pam.conf configuration file determines which authentication module to use. The PAM libraries are as follows:

  • PAM_DCE

    The PAM_DCE modules enable integration of DCE into the system entry services (such as login, telnet, rlogin, ftp). The PAM_DCE modules provide functionality for the authentication, account management, and password management modules. These modules are supported through the PAM_DCE library, /usr/lib/security/pam_dce.sl. See pam_dce(5) for more information.

  • PAM_HPSEC

    The PAM_HPSEC modules manage extensions specific to HP-UX for authentication, account management, password management, and session management. The use of /usr/lib/security/$ISA/libpam_hpsec.so.1 is mandatory for services such as login, dtlogin, ftp, su, remsh, rexec, and ssh. These services must place libpam_hpsec.so.1 at the top of the stack, above one or more nonoptional modules. The pam_hpsec module also enforces several attributes defined in /etc/default/security. See pam_hpsec(5) and security(4) for more information.

  • PAM_KRB5

    Kerberos is a network authentication protocol that enables secure communication over networks without transmitting passwords in clear text. A password is authenticated by the Key Distribution Center (KDC), which then issues a Ticket Granting Ticket (TGT). The PAM Kerberos shared library is /usr/lib/security/libpam_krb5.1. See pam_krb5(5) for more information.

  • PAM_LDAP

    The Lightweight Directory Access Protocol (LDAP) is a standard for centralizing user, group, and network management information through directory services. Authentication takes place on an LDAP directory server. See the LDAP-UX documentation at http://docs.hp.com/hpux/11iv2/index.html for more information.

  • PAM_NTLM

    The PAM NT LAN Manager enables HP-UX users to be authenticated against Windows servers during system login. PAM NTLM uses NT servers to authenticate users logging in to an HP-UX system. See the HP CIFS Client Administrator's Guide at http://docs.hp.com/hpux/11iv2/index.html for more information.

  • PAM_UNIX

    The PAM_UNIX modules provide functionality for all four PAM modules: authentication, account management, session management, and password management. The modules are supported through the PAM UNIX library, /usr/lib/security/libpam_unix.1. See pam_unix(5) for more information.

  • PAM_UPDBE

    The user policy definition service module for PAM, /usr/lib/security/libpam_updbe.1, reads options defined in the user configuration file, /etc/pam_user.conf, and stores the information in the PAM handle for subsequent service modules to use. See pam_updbe(5) for more information.

Systemwide Configuration Using /etc/pam.conf

The PAM configuration file /etc/pam.conf defines the security mechanisms that are used to authenticate users. Its default values provide the customary operation of the system under both standard HP-UX and trusted systems. It also provides support for controls on individual users and for the DCE integrated login functionality.

NOTE: For DCE, use the auth.adm utility to create the desired configuration file. This file is functionally equivalent to the former HP integrated login auth.conf file. See auth.adm(1m) for more information.

The libpam and libpam_unix PAM libraries and the /etc/pam.conf configuration file must be on the system in order for users to be able to log in or change passwords.

HP-UX authentication is dependent upon the file /etc/pam.conf. This file must be owned by root with the following file permissions:

-r--r--r-- 1 root sys 1050 Nov 8 10:16 /etc/pam.conf

If this file is corrupt or missing from the system, root can log in to the console in single-user mode to fix the problem.

The protected service names are listed in the system control file, /etc/pam.conf, under four test categories (module-type): authentication, account, session, and password.

See pam(3), pam.conf(4), and pam_user.conf(4) for more information.

Sample /etc/pam.conf File

Following is a partial listing of a sample /etc/pam.conf file. Lines beginning with pound (#) are comment lines. The sections in /etc/pam.conf are authentication management, account management, session management, and password management.

#
# PAM configuration
#
# Notes:
#
# If the path to a library is not absolute, it is assumed to be
# relative to the directory /usr/lib/security/$ISA/
#
# For PA applications, /usr/lib/security/$ISA/libpam_unix.so.1 is a
# symbolic link that points to the corresponding PA (32 or 64-bit) PAM
# backend library.
#
# The $ISA (i.e. Instruction Set Architecture) token will be replaced
# by the PAM engine with an appropriate directory string.
# See pam.conf(4).
#
# Also note that the use of pam_hpsec(5) is mandatory for some of
# the services. See pam_hpsec(5).
#
# Authentication management
#
login     auth required  libpam_hpsec.so.1
login     auth required  libpam_unix.so.1
su        auth required  libpam_hpsec.so.1 bypass_setaud
su        auth required  libpam_unix.so.1
dtlogin   auth required  libpam_hpsec.so.1
dtlogin   auth required  libpam_unix.so.1
dtaction  auth required  libpam_hpsec.so.1
dtaction  auth required  libpam_unix.so.1
ftp       auth required  libpam_hpsec.so.1
ftp       auth required  libpam_unix.so.1
rcomds    auth required  libpam_hpsec.so.1
rcomds    auth required  libpam_unix.so.1
sshd      auth required  libpam_hpsec.so.1
sshd      auth required  libpam_unix.so.1
OTHER     auth required  libpam_unix.so.1
#
# Account management
#
login     account required  libpam_hpsec.so.1
login     account required  libpam_unix.so.1
su        account required  libpam_hpsec.so.1
su        account required  libpam_unix.so.1

The /etc/pam_user.conf User Configuration File

The PAM configuration file, /etc/pam_user.conf, configures PAM on a per-user basis. This file is optional. It is needed only if PAM applications need to behave differently for different users.

You assign different options to individual users by listing them in /etc/pam_user.conf. For a login-name listed in this file, the options given there replace any options specified for the same module-type and module-path in /etc/pam.conf.

The entries in /etc/pam_user.conf use the following syntax:

login-name module-type module-path options

where:

login-name

User's login name.

module-type

The module-type specified in /etc/pam.conf.

module-path

The module-path associated with module-type in /etc/pam.conf.

options

Zero or more options recognized by the module.

The default contents of /etc/pam_user.conf are comments:

#
# This file defines PAM configuration for a user. The configuration
# here overrides pam.conf.
#
# The format for each entry is:
# user_name module_type module_path options
#
# For example:
#
# user_a auth /usr/lib/security/libpam_unix.1 debug
# user_a auth /usr/lib/security/libpam_dce.1 try_first_pass
# user_a password /usr/lib/security/libpam_unix.1 debug
#
# user_b auth /usr/lib/security/libpam_unix.1 debug use_psd
# user_b password /usr/lib/security/libpam_unix.1 debug use_psd
#
# See the pam_user.conf(4) manual page for more information
#

Examples: How PAM Works for Login

The following examples describe the auth process for login, depending upon how the /etc/pam.conf file is configured:

  • If /etc/pam.conf contains a single standard login auth, such as the following, then login proceeds normally:

    login auth required /usr/lib/security/libpam_unix.1
  • If there are two or more systemwide login auth entries, such as the following, they are taken in order:

    login auth required /usr/lib/security/libpam_unix.1
    login auth required /usr/lib/security/libpam_dce.1

    In this case, the standard HP-UX login process is executed. Then the DCE authentication process occurs. If both are satisfied, then the login is successful. Both processes are performed, even if the user fails one of them.

  • If you require different authentication methods for different users, place the special entry libpam_updbe ahead of the authentication modules in /etc/pam.conf (the lines are numbered for easy reference):

    #/etc/pam.conf
    #1 login auth required /usr/lib/security/libpam_updbe.1
    #2 login auth required /usr/lib/security/libpam_unix.1
    #3 login auth required /usr/lib/security/libpam_dce.1

    Then place entries for each affected user in /etc/pam_user.conf:

    #/etc/pam_user.conf
    #4 allan auth /usr/lib/security/libpam_unix.1 debug
    #5 allan auth /usr/lib/security/libpam_dce.1 try_first_pass
    #6 isabel auth /usr/lib/security/libpam_unix.1 debug use_psd

    When allan logs in, line 1 in /etc/pam.conf causes PAM to read /etc/pam_user.conf. Because the module paths on lines 4 and 5 of /etc/pam_user.conf match the module paths on lines 2 and 3 of /etc/pam.conf, PAM temporarily replaces the null options fields of lines 2 and 3 of /etc/pam.conf with debug and try_first_pass, respectively. Then the modules specified by lines 2 and 3 are executed with the revised options.

    When isabel logs in, line 1 in /etc/pam.conf causes PAM to read /etc/pam_user.conf and temporarily replace the options field of line 2 of /etc/pam.conf with debug use_psd. Line 3 is unchanged. Then the modules specified by lines 2 and 3 are executed with the revised options.

    When george logs in, line 1 in /etc/pam.conf causes PAM to read /etc/pam_user.conf. Because entries for george do not exist, lines 2 and 3 of /etc/pam.conf are not changed. The modules specified by lines 2 and 3 are executed with no changes.
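As an added illustration (not HP's code or any HP-UX tool), the following Python script applies the /etc/pam_user.conf substitution rule described above to constructed copies of the numbered listings and returns the module stack PAM would run for a given user. It assumes the standard pam.conf convention that the service name OTHER is the fallback when no entry names the requesting service, and it treats only entries that follow libpam_updbe.1 as eligible for substitution.

```python
import os

# Constructed copies of the page's numbered listings (not real system files).
PAM_CONF = """\
login auth required /usr/lib/security/libpam_updbe.1
login auth required /usr/lib/security/libpam_unix.1
login auth required /usr/lib/security/libpam_dce.1
OTHER auth required /usr/lib/security/libpam_unix.1
"""
PAM_USER_CONF = """\
allan  auth /usr/lib/security/libpam_unix.1 debug
allan  auth /usr/lib/security/libpam_dce.1  try_first_pass
isabel auth /usr/lib/security/libpam_unix.1 debug use_psd
"""

def parse(text, nfixed):
    """Split pam.conf (nfixed=4) or pam_user.conf (nfixed=3) entries into a
    tuple of the fixed fields plus a list of options; '#' starts a comment."""
    rows = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= nfixed:
            rows.append(tuple(fields[:nfixed]) + (fields[nfixed:],))
    return rows

def effective_stack(user, service, mtype, pam_conf=PAM_CONF, user_conf=PAM_USER_CONF):
    """Return [(module_path, options)] in the order PAM runs them for user.
    An entry that follows libpam_updbe.1 takes the options from the user's
    pam_user.conf line with the same module-type and module-path; every other
    entry keeps its pam.conf options. The updbe entry itself is not returned.
    OTHER is the fallback service when no entry names the service (assumed
    standard pam.conf behaviour)."""
    rows = [r for r in parse(pam_conf, 4) if r[1] == mtype]
    mine = [r for r in rows if r[0] == service] or [r for r in rows if r[0] == "OTHER"]
    overrides = {path: opts for name, mt, path, opts in parse(user_conf, 3)
                 if name == user and mt == mtype}
    stack, updbe_seen = [], False
    for svc, mt, flag, path, opts in mine:
        if os.path.basename(path) == "libpam_updbe.1":
            updbe_seen = True    # later modules see the user's options
            continue
        stack.append((path, overrides.get(path, opts) if updbe_seen else opts))
    return stack

if __name__ == "__main__":
    for who in ("allan", "isabel", "george"):
        print(who, effective_stack(who, "login", "auth"))
```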

© 2008 Hewlett-Packard Development Company, L.P.