The Pluggable Authentication Modules (PAM) are an industry-standard framework providing authentication, account management, session management, and password services. This section gives an overview of PAM and describes the PAM configuration files: /etc/pam.conf and /etc/pam_user.conf. For more information, see pam(3), pam_*(5), pam.conf(4), pam_user.conf(4), and security(4).

Overview
PAM provides the flexibility to choose any authentication service available on the system. The PAM framework also enables you to plug in new authentication service modules and make them available without modifying the applications.

Whenever a user logs in, either locally or remotely (for example, using login or rlogin), the user must be authenticated as a valid user of the system. As authentication methods improve and change over time, the login services would otherwise also have to change. To avoid revising the login services every time the authentication code changes, PAM was developed so that different authentication methods can be used without modifying the login code. As a result, login authentication, account checking, and password modification all use the PAM interface.

Programs requiring user authentication pass their requests to PAM, which determines the correct verification method and returns the appropriate response. The programs do not need to know what authentication method is being used. See Figure 2-1 for an overview.
The authentication methods are specified on both a systemwide and an individual user basis using the following PAM system files:

- /etc/pam.conf
  Systemwide control file. Defines which service modules are to be paired with services. These are regarded as system defaults.
- /etc/pam_user.conf
  Individual user control file. Defines which options are to be used by service modules on specific users. This is an optional file.

See pam(3), pam.conf(4), pam_updbe(5), and pam_user.conf(4) for more information.

PAM Libraries
PAM service modules are implemented as shared libraries. PAM enables multiple authentication technologies to coexist in HP-UX. The /etc/pam.conf configuration file determines which authentication module to use. The PAM libraries are as follows:

- PAM_DCE
  The PAM_DCE modules enable integration of DCE into the system entry services (such as login, telnet, rlogin, ftp). The PAM_DCE modules provide functionality for the authentication, account management, and password management module types. These modules are supported through the PAM_DCE library, /usr/lib/security/pam_dce.sl. See pam_dce(5) for more information.
- PAM_HPSEC
  The PAM_HPSEC modules manage extensions specific to HP-UX for authentication, account management, password management, and session management. The use of /usr/lib/security/$ISA/libpam_hpsec.so.1 is mandatory for services such as login, dtlogin, ftp, su, remsh, rexec, and ssh. These services must place libpam_hpsec.so.1 at the top of the stack, above one or more nonoptional modules. The pam_hpsec module also enforces several attributes defined in /etc/default/security. See pam_hpsec(5) and security(4) for more information.
- PAM_KRB5
  Kerberos is a network authentication protocol that enables secure communication over networks without transmitting passwords in clear text. A password is authenticated by the Key Distribution Center (KDC), which then issues a Ticket Granting Ticket (TGT). The PAM Kerberos shared library is /usr/lib/security/libpam_krb5.1. See pam_krb5(5) for more information.
- PAM_LDAP
  The Lightweight Directory Access Protocol (LDAP) is a standard for centralizing user, group, and network management information through directory services. Authentication takes place on an LDAP directory server. See the LDAP-UX documentation at http://docs.hp.com/hpux/11iv2/index.html for more information.
- PAM_NTLM
  The PAM NT LAN Manager module enables HP-UX users to be authenticated against Windows servers during system login. PAM NTLM uses NT servers to authenticate users logging in to an HP-UX system. See the HP CIFS Client Administrator's Guide at http://docs.hp.com/hpux/11iv2/index.html for more information.
- PAM_UNIX
  The PAM_UNIX modules provide functionality for all four PAM module types: authentication, account management, session management, and password management. The modules are supported through the PAM UNIX library, /usr/lib/security/libpam_unix.1. See pam_unix(5) for more information.
- PAM_UPDBE
  The user policy definition service module for PAM, /usr/lib/security/libpam_updbe.1, reads options defined in the user configuration file, /etc/pam_user.conf, and stores the information in the PAM handle for subsequent service modules to use. See pam_updbe(5) for more information.
Systemwide Configuration Using /etc/pam.conf

The PAM configuration file /etc/pam.conf defines the security mechanisms that are used to authenticate users. Its default values provide the customary operation of the system under both standard HP-UX and trusted systems. It also provides support for controls on individual users and for the DCE integrated login functionality.

NOTE: For DCE, use the auth.adm utility to create the desired configuration file. This file is functionally equivalent to the former HP integrated login auth.conf file. See auth.adm(1m) for more information.

The libpam and libpam_unix PAM libraries and the /etc/pam.conf configuration file must be on the system in order for users to be able to log in or change passwords. HP-UX authentication is dependent upon the file /etc/pam.conf. Because every system entry service consults this file, anyone who can write it can change how every login is authenticated. The file must therefore be owned by root with the following file permissions (no write bits set):

-r--r--r-- 1 root sys 1050 Nov 8 10:16 /etc/pam.conf

If this file is corrupt or missing from the system, root can log in to the console in single-user mode to fix the problem. The protected service names are listed in the system control file, /etc/pam.conf, under four module-types: auth (authentication), account, session, and password. See pam(3), pam.conf(4), and pam_user.conf(4) for more information.

Sample /etc/pam.conf File
Following is a partial listing of a sample /etc/pam.conf file. Lines beginning with a pound sign (#) are comment lines. Each entry has the form service module-type control-flag module-path [options]. The sections in /etc/pam.conf are authentication management, account management, session management, and password management.

#
# PAM configuration
#
# Notes:
#
# If the path to a library is not absolute, it is assumed to be
# relative to the directory /usr/lib/security/$ISA/
#
# For PA applications, /usr/lib/security/$ISA/libpam_unix.so.1 is a
# symbolic link that points to the corresponding PA (32 or 64-bit) PAM
# backend library.
#
# The $ISA (i.e. Instruction Set Architecture) token will be replaced
# by the PAM engine with an appropriate directory string.
# See pam.conf(4).
#
# Also note that the use of pam_hpsec(5) is mandatory for some of
# the services. See pam_hpsec(5).
#
# Authentication management
#
login auth required libpam_hpsec.so.1
login auth required libpam_unix.so.1
su auth required libpam_hpsec.so.1 bypass_setaud
su auth required libpam_unix.so.1
dtlogin auth required libpam_hpsec.so.1
dtlogin auth required libpam_unix.so.1
dtaction auth required libpam_hpsec.so.1
dtaction auth required libpam_unix.so.1
ftp auth required libpam_hpsec.so.1
ftp auth required libpam_unix.so.1
rcomds auth required libpam_hpsec.so.1
rcomds auth required libpam_unix.so.1
sshd auth required libpam_hpsec.so.1
sshd auth required libpam_unix.so.1
OTHER auth required libpam_unix.so.1
#
# Account management
#
login account required libpam_hpsec.so.1
login account required libpam_unix.so.1
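The rules stated above (pam_hpsec first for the mandated services, above at least one nonoptional module; root-owned, read-only file; well-formed module names) are the kind of thing worth checking mechanically after every edit to /etc/pam.conf. The following audit script is an added example written for this page, not HP tooling. It assumes that the sample configuration embedded in it is a constructed copy of the listing above with two defects planted (the second login auth line repeats libpam_hpsec instead of naming libpam_unix, and the su line misspells the hpsec module), and that rcomds and sshd are the pam.conf service names covering remsh/rexec and ssh, as in the sample listing.

```python
"""Audit an HP-UX style /etc/pam.conf against the stacking and permission
rules described on this page.  Added example, not HP's code; see lead-in."""
import os
import re
import stat

# Constructed sample modelled on the listing above; two defects planted
# (duplicated login/hpsec line, misspelled su/hpsec module) for the audit to find.
SAMPLE_PAM_CONF = """\
# constructed sample; relative module-paths live under /usr/lib/security/$ISA/
login   auth     required  libpam_hpsec.so.1
login   auth     required  libpam_hpsec.so.1
su      auth     required  libpam.hpsec.so.1  bypass_setaud
su      auth     required  libpam_unix.so.1
dtlogin auth     required  libpam_hpsec.so.1
dtlogin auth     required  libpam_unix.so.1
ftp     auth     required  libpam_hpsec.so.1
ftp     auth     required  libpam_unix.so.1
rcomds  auth     required  libpam_hpsec.so.1
rcomds  auth     required  libpam_unix.so.1
sshd    auth     required  libpam_hpsec.so.1
sshd    auth     required  libpam_unix.so.1
OTHER   auth     required  libpam_unix.so.1
login   account  required  libpam_hpsec.so.1
login   account  required  libpam_unix.so.1
"""

MODULE_DIR = "/usr/lib/security/$ISA/"      # default directory for relative paths
# Services the text says must stack libpam_hpsec first (rcomds/sshd assumed names).
HPSEC_FIRST = {"login", "dtlogin", "ftp", "su", "rcomds", "sshd"}
NONOPTIONAL = {"required", "requisite"}
MODULE_NAME = re.compile(r"^libpam_[a-z0-9]+(\.so)?\.1$")


def parse_pam_conf(text):
    """Return a list of (service, module_type, control_flag, module_path, options)."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        fields = line.split(None, 4)
        if len(fields) < 4:
            raise ValueError("malformed pam.conf line: %r" % raw)
        service, mtype, flag, path = fields[:4]
        options = fields[4].split() if len(fields) > 4 else []
        if not path.startswith("/"):
            path = MODULE_DIR + path                 # pam.conf(4) relative-path rule
        entries.append((service, mtype, flag, path, options))
    return entries


def audit(entries):
    """Return human-readable findings; an empty list means the stacks pass."""
    findings, seen, stacks = [], set(), {}
    for service, mtype, flag, path, _ in entries:
        name = os.path.basename(path)
        if not MODULE_NAME.match(name):              # e.g. libpam.hpsec.so.1
            findings.append("%s %s: suspicious module name %s" % (service, mtype, name))
        key = (service, mtype, path)
        if key in seen:                              # same module listed twice
            findings.append("%s %s: duplicate entry for %s" % (service, mtype, name))
        seen.add(key)
        stacks.setdefault((service, mtype), []).append((flag, name))
    for (service, mtype), stack in stacks.items():
        if service not in HPSEC_FIRST:
            continue
        first_flag, first_name = stack[0]
        if not first_name.startswith("libpam_hpsec"):
            findings.append("%s %s: libpam_hpsec.so.1 must be first, found %s"
                            % (service, mtype, first_name))
        elif not any(f in NONOPTIONAL and not n.startswith("libpam_hpsec")
                     for f, n in stack[1:]):         # hpsec alone checks no password
            findings.append("%s %s: no nonoptional module below libpam_hpsec"
                            % (service, mtype))
    return findings


def perm_issues(st_uid, st_mode):
    """Compare ownership and mode with the -r--r--r-- root listing in the text."""
    issues = []
    if st_uid != 0:
        issues.append("not owned by root (uid %d)" % st_uid)
    mode = stat.S_IMODE(st_mode)
    if mode != 0o444:
        issues.append("mode is %o, expected 444" % mode)
    return issues


def check_file(path="/etc/pam.conf"):
    """Audit a real file: permissions first, then the stacking rules."""
    st = os.stat(path)
    with open(path) as fh:
        entries = parse_pam_conf(fh.read())
    return perm_issues(st.st_uid, st.st_mode) + audit(entries)


if __name__ == "__main__":
    for finding in audit(parse_pam_conf(SAMPLE_PAM_CONF)):
        print("sample:", finding)
    if os.path.exists("/etc/pam.conf"):
        for finding in check_file("/etc/pam.conf"):
            print("/etc/pam.conf:", finding)
```

Run it on the constructed sample and it reports four findings: the duplicated login line, the resulting absence of a password-checking module below libpam_hpsec for login, the misspelled su module name, and su therefore not having libpam_hpsec first. Note that a typo in a module-path is not a harmless error: with required semantics the engine still fails the stack, so the symptom is every su attempt being refused rather than a clear configuration message.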
The /etc/pam_user.conf User Configuration File

The PAM configuration file, /etc/pam_user.conf, configures PAM on a per-user basis. This file is optional. It is needed only if PAM applications need to behave differently for different users. You assign different options to individual users by listing them in /etc/pam_user.conf. For a login-name listed here, the options listed here replace any options specified for the module-type and module-path in /etc/pam.conf. An entry whose module-path does not match the one used in /etc/pam.conf has no effect. The entries in /etc/pam_user.conf use the following syntax:

login-name module-type module-path options

where:

- login-name
  User's login name.
- module-type
  The module-type specified in /etc/pam.conf.
- module-path
  The module-path associated with module-type in /etc/pam.conf.
- options
  Zero or more options recognized by the module.

The default contents of /etc/pam_user.conf are comments:

#
# This file defines PAM configuration for a user. The configuration
# here overrides pam.conf.
#
# The format for each entry is:
# user_name module_type module_path options
#
# For example:
#
# user_a auth /usr/lib/security/libpam_unix.1 debug
# user_a auth /usr/lib/security/libpam_dce.1 try_first_pass
# user_a password /usr/lib/security/libpam_unix.1 debug
#
# user_b auth /usr/lib/security/libpam_unix.1 debug use_psd
# user_b password /usr/lib/security/libpam_unix.1 debug use_psd
#
# See the pam_user.conf(4) manual page for more information
#
Examples: How PAM Works for Login

The following examples describe the auth process for login, depending upon how the /etc/pam.conf file is configured.

If /etc/pam.conf contains a single standard login auth entry, such as the following, then login proceeds normally:

login auth required /usr/lib/security/libpam_unix.1

If there are two or more systemwide login auth entries, such as the following, they are taken in order:

login auth required /usr/lib/security/libpam_unix.1
login auth required /usr/lib/security/libpam_dce.1

In this case, the standard HP-UX login process is executed. Then the DCE authentication process occurs. If both are satisfied, then the login is successful. Because both entries are marked required, both processes are performed even if the user fails one of them; the failure is reported only after the whole stack has run, so the caller cannot tell which module rejected the attempt.

If you require different authentication methods for different users, place the special entry libpam_updbe ahead of the authentication modules in /etc/pam.conf (the lines are numbered for easy reference):

#/etc/pam.conf
#1
login auth required /usr/lib/security/libpam_updbe.1
#2
login auth required /usr/lib/security/libpam_unix.1
#3
login auth required /usr/lib/security/libpam_dce.1

Then place entries for each affected user in /etc/pam_user.conf:

#/etc/pam_user.conf
#4
allan auth /usr/lib/security/libpam_unix.1 debug
#5
allan auth /usr/lib/security/libpam_dce.1 try_first_pass
#6
isabel auth /usr/lib/security/libpam_unix.1 debug use_psd

When allan logs in, line 1 in /etc/pam.conf causes PAM to read /etc/pam_user.conf. Because the module paths on lines 4 and 5 of /etc/pam_user.conf match the module paths on lines 2 and 3 of /etc/pam.conf, PAM temporarily replaces the null options fields of lines 2 and 3 of /etc/pam.conf with debug and try_first_pass, respectively. Then the modules specified by lines 2 and 3 are executed with the revised options.

When isabel logs in, line 1 in /etc/pam.conf causes PAM to read /etc/pam_user.conf and temporarily replace the options field of line 2 of /etc/pam.conf with debug use_psd. Line 3 is unchanged. Then the modules specified by lines 2 and 3 are executed with the revised options.

When george logs in, line 1 in /etc/pam.conf causes PAM to read /etc/pam_user.conf. Because no entries for george exist, lines 2 and 3 of /etc/pam.conf are not changed. The modules specified by lines 2 and 3 are executed with no changes.
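The three walkthroughs above (allan, isabel, george) and the earlier point that a stack of required modules runs to completion even after a failure can be reproduced with a small simulation. The following is an added example written for this page, not HP's libpam: it implements exactly the merge rule the text states (once libpam_updbe has run, a pam_user.conf entry whose login-name, module-type and module-path match a pam.conf entry replaces that entry's options), and evaluates the standard required/requisite/optional control flags. The two configuration texts are constructed copies of the numbered listings; module pass/fail outcomes are supplied by the caller because no UNIX or DCE backend is run here.

```python
"""Simulate libpam_updbe per-user overrides and control-flag stacking for
the login auth examples on this page.  Added example, not HP's code."""
import os

# Constructed copies of the numbered listings above.
PAM_CONF = """\
#/etc/pam.conf
login auth required /usr/lib/security/libpam_updbe.1
login auth required /usr/lib/security/libpam_unix.1
login auth required /usr/lib/security/libpam_dce.1
"""

PAM_USER_CONF = """\
#/etc/pam_user.conf
allan  auth /usr/lib/security/libpam_unix.1 debug
allan  auth /usr/lib/security/libpam_dce.1  try_first_pass
isabel auth /usr/lib/security/libpam_unix.1 debug use_psd
"""


def _records(text, nfixed):
    """Yield tuples of nfixed whitespace-separated fields plus a list of option words."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            f = line.split(None, nfixed)
            yield tuple(f[:nfixed]) + (f[nfixed].split() if len(f) > nfixed else [],)


def effective_stack(pam_conf, pam_user_conf, service, module_type, user):
    """Return [(control_flag, module_path, options)] that PAM runs for this user.

    The per-user file is consulted only after a libpam_updbe entry has been
    reached in the stack, which is why the text puts it on line 1."""
    overrides = {(mt, path): opts
                 for name, mt, path, opts in _records(pam_user_conf, 3) if name == user}
    stack, overrides_loaded = [], False
    for svc, mt, flag, path, opts in _records(pam_conf, 4):
        if svc != service or mt != module_type:
            continue
        if os.path.basename(path).startswith("libpam_updbe"):
            overrides_loaded = True        # line 1: load pam_user.conf into the handle
            continue                       # the policy module authenticates nothing
        if overrides_loaded:
            opts = overrides.get((mt, path), opts)   # replace only on an exact path match
        stack.append((flag, path, opts))
    return stack


def run_auth_stack(stack, outcomes):
    """Evaluate the stack under standard PAM control-flag semantics.

    required  : record the failure but keep running the remaining modules
    requisite : fail immediately
    optional  : never affects the result
    outcomes maps module basename -> True (pass) / False (fail); a module with
    no outcome is treated as failed (fail closed).
    Returns (authenticated, list of module names that actually ran)."""
    ran, authenticated = [], True
    for flag, path, _opts in stack:
        name = os.path.basename(path)
        ran.append(name)
        if outcomes.get(name, False):
            continue
        if flag == "required":
            authenticated = False
        elif flag == "requisite":
            authenticated = False
            break
    return authenticated, ran


if __name__ == "__main__":
    for user in ("allan", "isabel", "george"):
        stack = effective_stack(PAM_CONF, PAM_USER_CONF, "login", "auth", user)
        print(user, [(os.path.basename(p), o) for _, p, o in stack])
    # Both required modules run even though the first one rejects the user.
    print(run_auth_stack(effective_stack(PAM_CONF, PAM_USER_CONF, "login", "auth", "allan"),
                         {"libpam_unix.1": False, "libpam_dce.1": True}))
```

Removing the libpam_updbe line from the pam.conf text makes effective_stack ignore /etc/pam_user.conf entirely, which is the failure mode to expect if the special entry is placed after the modules it is meant to affect rather than ahead of them.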