HP-UX Reference > pam.conf(4)
HP-UX 11i Version 3: February 2007
NAME

pam.conf — configuration file for pluggable authentication modules

DESCRIPTION

/etc/pam.conf is the configuration file for the Pluggable Authentication Module architecture, or PAM. A PAM module provides functionality for one or more of four possible services: authentication, account management, session management, and password management.

An authentication service module provides functionality to authenticate a user and set up user credentials.

An account management module provides functionality to determine if the current user's account is valid. This includes checking for password and account expiration, as well as verifying access hour restrictions.

A session management module provides functionality to set up and terminate login sessions.

A password management module provides functionality to change a user's authentication token or password.

Simplified pam.conf configuration file

The /etc/pam.conf file contains a listing of services. Each service is paired with a corresponding service module. When a service is requested, its associated module is invoked. Each entry has the following format:

    service_name  module_type  control_flag  module_path  options

Below is an example of the /etc/pam.conf configuration file with support for authentication, account management, session management and password management modules. Note that the use of pam_hpsec is mandatory for some of the services. For more information, see pam_hpsec(5).
    login    auth      required  libpam_hpsec.so.1  debug
    login    auth      required  libpam_unix.so.1   debug
    login    session   required  libpam_hpsec.so.1
    login    session   required  libpam_unix.so.1
    login    account   required  libpam_hpsec.so.1
    login    account   required  libpam_unix.so.1
    dtlogin  auth      required  libpam_hpsec.so.1
    dtlogin  auth      required  libpam_unix.so.1
    dtlogin  session   required  libpam_hpsec.so.1
    dtlogin  session   required  libpam_unix.so.1
    other    auth      required  libpam_hpsec.so.1
    other    auth      required  libpam_unix.so.1
    other    account   required  libpam_hpsec.so.1
    other    account   required  libpam_unix.so.1
    other    session   required  libpam_hpsec.so.1
    other    session   required  libpam_unix.so.1
    other    password  required  libpam_hpsec.so.1
    other    password  required  libpam_unix.so.1
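A small parser for entries in the format above, with a lint that flags stacks not led by libpam_hpsec.so.1; this is an added example, not code from the HP-UX manual or the PAM framework, and the "pam_hpsec must come first in every stack" rule is this example's own assumption drawn from the note that pam_hpsec is mandatory for some services. The sample configuration is constructed.

```python
from collections import defaultdict

MODULE_TYPES = {"auth", "account", "session", "password"}
CONTROL_FLAGS = {"required", "requisite", "optional", "sufficient"}

def parse_pam_conf(text):
    """Return (service_name, module_type, control_flag, module_path, options) tuples.
    Lines beginning with '#' are comments. A malformed line raises ValueError,
    since the manual notes that one bad entry makes every PAM service fail."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError(f"line {lineno}: expected at least 4 fields, got {len(fields)}")
        service, mtype, flag, path, *options = fields
        if mtype not in MODULE_TYPES:
            raise ValueError(f"line {lineno}: unknown module_type {mtype!r}")
        if flag not in CONTROL_FLAGS:
            raise ValueError(f"line {lineno}: unknown control_flag {flag!r}")
        entries.append((service, mtype, flag, path, tuple(options)))
    return entries

def stacks_missing_hpsec(entries):
    """Return (service_name, module_type) stacks whose first module is not libpam_hpsec.so.1.
    Assumption of this example: every stack should lead with pam_hpsec, which the
    manual says is mandatory for some services (see pam_hpsec(5))."""
    stacks = defaultdict(list)
    for service, mtype, _flag, path, _options in entries:
        stacks[(service, mtype)].append(path)
    return sorted(key for key, paths in stacks.items() if paths[0] != "libpam_hpsec.so.1")

# Constructed sample configuration; the su auth stack deliberately omits pam_hpsec.
SAMPLE_CONF = """\
# PAM configuration (constructed sample)
login   auth     required   libpam_hpsec.so.1   debug
login   auth     required   libpam_unix.so.1    debug
login   account  required   libpam_hpsec.so.1
login   account  required   libpam_unix.so.1
su      auth     required   libpam_unix.so.1
other   auth     required   libpam_hpsec.so.1
other   auth     required   libpam_unix.so.1
"""

if __name__ == "__main__":
    for service, mtype in stacks_missing_hpsec(parse_pam_conf(SAMPLE_CONF)):
        print(f"warning: {service} {mtype} stack does not begin with libpam_hpsec.so.1")
```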
Integrating Multiple Authentication Services With Stacking

When a service_name of the same module_type is defined more than once, the service is said to be stacked. Each module referenced in the module_path for that service is then processed in the order that it occurs in the configuration file. The control_flag field specifies the continuation and failure semantics of the modules, and may contain one of the following values:

    required     The module must succeed. If it fails, the remaining modules in the stack are still run, but the stack fails.

    requisite    The module must succeed. If it fails, the stack stops immediately and that error is returned.

    optional     Failure of the module is ignored as long as another module in the stack succeeds.

    sufficient   If the module succeeds and no preceding required module has failed, success is returned without running the remaining modules. If it fails, the failure is ignored.
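The continuation and failure rules for these four control_flag values, simulated as an added example (not code from the HP-UX manual or the PAM framework): the function walks one stack in pam.conf order and reports both the result and which modules were actually invoked, so the short-circuit of sufficient and requisite is visible. The default-error table per module type and the dtlogin stack shape are assumptions of this example; module results are constructed.

```python
# Assumption of this example: the manual says a "default error based on module
# type" is returned when every module returns PAM_IGNORE, but does not list the
# codes; these are the values this simulation uses.
DEFAULT_ERROR = {"auth": "PAM_AUTH_ERR", "account": "PAM_ACCT_EXPIRED",
                 "session": "PAM_SESSION_ERR", "password": "PAM_AUTHTOK_ERR"}

def evaluate_stack(module_type, stack):
    """Return (result, indices_of_modules_invoked) for one service/module_type stack.
    `stack` lists (control_flag, module_result) pairs in pam.conf order, where
    module_result is "PAM_SUCCESS", "PAM_IGNORE" or an error code such as
    "PAM_AUTH_ERR". The invoked list shows where the stack short-circuited."""
    required_error = None   # first error from a required module
    first_error = None      # first error from any module
    succeeded = False       # a required, requisite or optional module succeeded
    invoked = []
    for index, (flag, result) in enumerate(stack):
        invoked.append(index)
        if result == "PAM_IGNORE":
            continue
        if result == "PAM_SUCCESS":
            if flag == "sufficient":
                if required_error is None:
                    return "PAM_SUCCESS", invoked   # remaining modules are skipped
                continue                            # a prior required failed: keep going
            succeeded = True
            continue
        if first_error is None:
            first_error = result
        if flag == "requisite":
            return result, invoked                  # requisite failure stops the stack
        if flag == "required" and required_error is None:
            required_error = result
        # optional (and sufficient) failures are ignored
    if required_error is not None:
        return required_error, invoked
    if succeeded:
        return "PAM_SUCCESS", invoked
    if first_error is not None:
        return first_error, invoked
    return DEFAULT_ERROR[module_type], invoked      # every module returned PAM_IGNORE

# A dtlogin auth stack shaped like the stacking sample in this section:
# hpsec required, UNIX sufficient, inhouse required.
DTLOGIN_FLAGS = ("required", "sufficient", "required")

def dtlogin_auth(hpsec, unix, inhouse):
    """Evaluate the dtlogin stack for constructed per-module results."""
    return evaluate_stack("auth", list(zip(DTLOGIN_FLAGS, (hpsec, unix, inhouse))))
```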
If no requisite module fails and no sufficient module succeeds, the PAM stack runs to completion. In this case success is returned, provided no required module failed and at least one required, requisite, or optional module succeeded. If no module succeeded and a required module failed, the first of those errors is returned. If all modules return PAM_IGNORE, a default error based on module type is returned.

If any entry in /etc/pam.conf is incorrect, or if a module does not exist or cannot be opened, then all PAM services fail and users are not permitted access to the system. An error is logged through syslog(3C) at the LOG_CRIT level, and the PAM framework returns the PAM_OPEN_ERR error to the application.

Below is a sample configuration file that stacks the login and dtlogin services.

    login    auth  required    libpam_hpsec.so.1    debug
    login    auth  required    libpam_unix.so.1     debug
    login    auth  optional    libpam_inhouse.so.1
    dtlogin  auth  required    libpam_hpsec.so.1    debug
    dtlogin  auth  sufficient  libpam_unix.so.1     debug
    dtlogin  auth  required    libpam_inhouse.so.1

In the case of login, the user is authenticated by the hpsec, the UNIX, and the inhouse authentication modules. The required keyword for control_flag requires that the user be allowed to log in only if the user is authenticated by the hpsec and the UNIX service modules. The inhouse authentication is optional by virtue of the optional keyword in the control_flag field. The user can still log in even if inhouse authentication fails, as long as hpsec and UNIX both successfully authenticate the user.

In the case of dtlogin, the sufficient keyword for control_flag specifies that if the UNIX authentication check succeeds, then PAM should return success to dtlogin. The inhouse authentication module (the next module in the stack) will only be invoked if the UNIX authentication check fails.

Configuration Per User

/etc/pam.conf contains information to configure all the users on a system.
Sometimes, however, it is necessary to configure users individually. A user policy definition is made through a specific module named libpam_updbe.so.1. This module reads a file named /etc/pam_user.conf, which describes the users' configurations. Below is a sample configuration file (/etc/pam.conf) that uses the module libpam_updbe.so.1.

    login   auth      required  libpam_hpsec.so.1
    login   auth      required  libpam_updbe.so.1
    login   auth      required  libpam_unix.so.1
    su      auth      required  libpam_hpsec.so.1
    su      auth      required  libpam_updbe.so.1
    su      auth      required  libpam_unix.so.1
    OTHER   auth      required  libpam_hpsec.so.1
    OTHER   auth      required  libpam_unix.so.1
    login   password  required  libpam_hpsec.so.1
    login   password  required  libpam_updbe.so.1
    login   password  required  libpam_unix.so.1
    passwd  password  required  libpam_hpsec.so.1
    passwd  password  required  libpam_updbe.so.1
    passwd  password  required  libpam_unix.so.1
    OTHER   password  required  libpam_hpsec.so.1
    OTHER   password  required  libpam_unix.so.1

The module libpam_updbe.so.1 searches the configuration file /etc/pam_user.conf and reads the configuration associated with the login name of the current user. If there is no configuration concerning the current user in the pam_user.conf file, the PAM framework ignores the line containing libpam_updbe.so.1. /etc/pam.conf applies to those users who are not configured in pam_user.conf.

EXAMPLES

The following is a sample /etc/pam.conf configuration file. Lines that begin with the # symbol are treated as comments, and therefore ignored.

    #
    # PAM configuration
    #
    # Authentication management for login service is stacked.
    # Both UNIX and inhouse authentication functions are invoked,
    # in addition to hpsec authentication functions.
    login    auth      required  libpam_hpsec.so.1
    login    auth      required  libpam_unix.so.1
    login    auth      required  libpam_inhouse.so.1  try_first_pass
    dtlogin  auth      required  libpam_hpsec.so.1
    dtlogin  auth      required  libpam_unix.so.1
    dtlogin  auth      required  libpam_inhouse.so.1  try_first_pass
    #
    # Other services use hpsec and UNIX authentication
    other    auth      required  libpam_hpsec.so.1
    other    auth      required  libpam_unix.so.1
    #
    # Account management for login service is stacked.
    # hpsec and UNIX account management are required;
    # inhouse account management is optional
    login    account   required  libpam_hpsec.so.1
    login    account   required  libpam_unix.so.1
    login    account   optional  libpam_inhouse.so.1
    dtlogin  account   required  libpam_hpsec.so.1
    dtlogin  account   required  libpam_unix.so.1
    dtlogin  account   optional  libpam_inhouse.so.1
    #
    # Other services use hpsec and UNIX account management
    other    account   required  libpam_hpsec.so.1
    other    account   required  libpam_unix.so.1
    #
    # Session management for login service is stacked.
    # hpsec and UNIX session management are required
    login    session   required  libpam_hpsec.so.1
    login    session   required  libpam_unix.so.1
    dtlogin  session   required  libpam_hpsec.so.1
    dtlogin  session   required  libpam_unix.so.1
    #
    # Other services use hpsec and UNIX session management
    other    session   required  libpam_hpsec.so.1
    other    session   required  libpam_unix.so.1
    #
    # Password management
    other    password  required  libpam_hpsec.so.1
    other    password  required  libpam_unix.so.1

The following is a sample /etc/pam.conf configuration which uses the libpam_updbe.so.1 module to configure a user. Lines that begin with the # symbol are treated as comments, and therefore ignored.

    #
    # PAM configuration
    #
    # Authentication management for login service is stacked.
    # Both UNIX and inhouse authentication functions are invoked,
    # in addition to hpsec authentication functions.
    login    auth      required  libpam_hpsec.so.1
    login    auth      required  libpam_updbe.so.1
    login    auth      required  libpam_unix.so.1
    login    auth      required  libpam_inhouse.so.1  try_first_pass
    dtlogin  auth      required  libpam_hpsec.so.1
    dtlogin  auth      required  libpam_updbe.so.1
    dtlogin  auth      required  libpam_unix.so.1
    dtlogin  auth      required  libpam_inhouse.so.1  try_first_pass
    #
    # Other services use hpsec and UNIX authentication
    other    auth      required  libpam_hpsec.so.1
    other    auth      required  libpam_unix.so.1
    #
    # Account management for login service is stacked.
    # hpsec and UNIX account management are required;
    # inhouse account management is optional
    login    account   required  libpam_hpsec.so.1
    login    account   required  libpam_unix.so.1
    login    account   optional  libpam_inhouse.so.1
    dtlogin  account   required  libpam_hpsec.so.1
    dtlogin  account   required  libpam_unix.so.1
    dtlogin  account   optional  libpam_inhouse.so.1
    other    account   required  libpam_hpsec.so.1
    other    account   required  libpam_unix.so.1
    #
    # Session management for login service is stacked.
    # hpsec and UNIX session management are required
    login    session   required  libpam_hpsec.so.1
    login    session   required  libpam_unix.so.1
    login    session   optional  libpam_inhouse.so.1
    dtlogin  session   required  libpam_hpsec.so.1
    dtlogin  session   required  libpam_unix.so.1
    dtlogin  session   optional  libpam_inhouse.so.1
    #
    # Other services use hpsec and UNIX session management
    other    session   required  libpam_hpsec.so.1
    other    session   required  libpam_unix.so.1
    #
    # Password management
    passwd   password  required  libpam_hpsec.so.1
    passwd   password  required  libpam_updbe.so.1
    passwd   password  required  libpam_unix.so.1
    other    password  required  libpam_hpsec.so.1
    other    password  required  libpam_unix.so.1

Utilities and Files

A list of utilities that are known to use PAM includes: login, passwd, su, dtlogin, ftp, remsh/rexec, and ssh. The PAM configuration file does not dictate either the name or the location of the service-specific modules. The convention, however, is the following: