pam_authz(5)

HP-UX 11i Version 3: February 2007

NAME

pam_authz — PAM module that provides user authorization

SYNOPSIS

/usr/lib/security/$ISA/libpam_authz.so.1

DESCRIPTION

The pam_authz service module for PAM, /usr/lib/security/$ISA/libpam_authz.so.1, provides functionality that allows the administrator to control who can log in to the system, based either on netgroup information found in the /etc/passwd file or on the access rules defined in the access policy file /etc/opt/ldapux/pam_authz.policy.

By default, pam_authz provides access control similar to the netgroup filtering feature performed by NIS. pam_authz is intended for use when NIS is not used, such as when the pam_ldap or pam_kerberos authentication modules are used. Because pam_authz does not provide authentication, it does not verify that a user account exists.

pam_authz also extends this model to a more general host and service access management policy. pam_authz supports a local access policy file, in which access rules can be defined based on a variety of information: allow or deny rules can be based on LDAP X.500 style groups, regular POSIX groups, netgroups, LDAP filters and individual users. To activate this feature, create a pam_authz.policy file under /etc/opt/ldapux.

pam_authz provides an interface for all four PAM components: authentication, account management, session management and password management. However, only the account management component needs to be configured. The session management and password management components are NULL functions; they always return PAM_SUCCESS.

The libpam_authz.so.1 library is a shared object that can be dynamically loaded to provide the necessary functionality upon demand. Its path is specified in the PAM configuration file.

Authentication and Account Management Modules

The pam_authz authentication component does not provide authentication. Instead, pam_authz provides authorization via pam_sm_acct_mgmt(). pam_authz is intended to be used as a supplementary module along with other authentication modules: another module verifies the user's identity, while pam_authz verifies the user's access rights. pam_authz is intended for the case where the list of users allowed to gain access to a system is a subset of the users stored in a large repository (such as an LDAP directory server or other database).

Because pam_authz provides authorization only, not authentication, it is highly recommended that pam_authz be set to required in the configuration file (see pam.conf(4)). Typically pam_authz is configured as the first module under the account management section of the /etc/pam.conf file, so that it is evaluated before any sufficient module in the stack can end the account check successfully without consulting it.

However, for PAM applications that neglect to call the PAM account management procedure, pam_authz may also be configured as an authentication module. When pam_authz is configured as an authentication module, at least one other PAM module must be set to required to authenticate a user.

Without the access policy file /etc/opt/ldapux/pam_authz.policy, pam_sm_acct_mgmt() uses netgroups (see netgroup(4)) and the /etc/passwd file to determine user access rights, using a syntax similar to the one defined by NIS. However, pam_authz does not support the NIS password entry filtering syntax, other than to determine whether a netgroup member should be granted or denied access based on whether the password field is blocked.

pam_authz scans the /etc/passwd file for a matching NIS-style entry and grants or denies access based on the first rule that matches the account in question. For example, pam_authz grants or denies access as follows when the following entries are defined in the /etc/passwd file:

+

Grants access to all the users in the database.

+@name

Grants access to all members of the network group name.

+name

Grants access to user name.

+@name:any_non_NULL_string

Denies access to all members of the network group name.

+name:*

Denies access to user name.

-@name

Denies access to all members of the network group name.

-name

Denies access to user name.

Please refer to passwd(4) for a sample /etc/passwd file.
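The following is an added example, not code from HP or from the pam_authz module itself. It models the first-match decision described above over the NIS-style "+" and "-" entries of /etc/passwd. The netgroup table and the passwd contents are constructed for the example; real pam_authz resolves netgroups through netgroup(4). Because the man page does not say what happens when no entry matches, the model returns None in that case rather than guessing.

```python
# Added example (not HP's code): a model of the first-match check pam_authz
# applies to NIS-style "+"/"-" entries in /etc/passwd when no
# /etc/opt/ldapux/pam_authz.policy file exists. Netgroup membership comes
# from a constructed in-memory table here; real pam_authz uses netgroup(4).

# Constructed netgroup data: netgroup name -> set of user names.
NETGROUPS = {
    "ops": {"alice", "bob"},
    "guest": {"eve"},
}

# Constructed /etc/passwd contents. Ordinary account lines are skipped;
# only lines beginning with "+" or "-" take part in the decision.
PASSWD = """\
root:*:0:3::/:/sbin/sh
-eve
+@guest:*
+@ops
+carol:*
+dave
+
"""


def in_netgroup(netgroup, user):
    return user in NETGROUPS.get(netgroup, set())


def passwd_access(user, passwd_text=PASSWD):
    """Return "allow" or "deny" from the first matching NIS-style entry,
    or None when no entry matches (the man page does not state what
    pam_authz does in that case, so the caller must decide).

    Entry forms, as documented above:
      +              allow every user
      +@ng           allow members of netgroup ng
      +name          allow user name
      +@ng:blocked   deny members of ng (non-empty password field)
      +name:*        deny user name (blocked password field)
      -@ng, -name    deny
    """
    for line in passwd_text.splitlines():
        if not line or line[0] not in "+-":
            continue
        fields = line.split(":")
        target = fields[0][1:]          # entry without the leading + or -
        blocked = len(fields) > 1 and fields[1] != ""
        if target == "":
            matched = True              # assumption: a bare "+" always allows
        elif target.startswith("@"):
            matched = in_netgroup(target[1:], user)
        else:
            matched = target == user
        if not matched:
            continue
        # A "-" entry or a blocked password field turns the match into a deny.
        if line[0] == "-" or (target != "" and blocked):
            return "deny"
        return "allow"
    return None
```

With the constructed file, eve is denied by the -eve line before the +@guest:* line is ever reached, carol is denied because her entry has a blocked password field, and anyone not named earlier falls through to the trailing "+" and is allowed. Moving the bare "+" above the other lines would allow everyone, which is the ordering mistake this first-match model is meant to make visible.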

With the access policy file present, pam_sm_acct_mgmt() uses the /etc/opt/ldapux/pam_authz.policy file to determine which users may log in. The access rules in the policy file are evaluated in order until an authoritative rule is found. The authoritative rule is the first access rule that matches the user's login name; pam_sm_acct_mgmt() allows or denies access according to that rule. If no authoritative rule is found, the user is denied login. Because evaluation stops at the first match, the order of the rules determines the outcome for a user who matches more than one of them.

Access rules are the basic elements of an access policy. A "policy" is the collection of these different sets of access rules in a given order. An access rule consists of three fields.

action:type:object

where:

action

The action field defines the access decision when an access rule evaluates to true. There are two possible values in this field:

allow

login authorization is granted

deny

login authorization is restricted

type

The value in the type field identifies the source of the information, that is, the kind of user information that pam_authz should look for. The value also determines the correct syntax of the following object field. The following values are supported:

unix_user

Control access by comparing the user's login name with the list of user names in the object field.

unix_group

Control access by examining the user's POSIX group membership. A list of POSIX group names is specified in the object field. pam_authz retrieves the membership of each listed group by querying the name services specified in nsswitch.conf.

netgroup

Control access by examining the user's netgroup membership. A list of netgroup names is specified in the object field. pam_authz obtains the netgroup information by querying the name services specified in nsswitch.conf.

ldapgroup

Control access by examining the user's non-POSIX group membership. pam_authz supports X.500 style groups with the groupOfNames or groupOfUniqueNames objectclass. pam_authz retrieves the membership of each listed group from the directory server through the LDAP-UX client.

ldapfilter

Control access by examining the user's role in the organization. pam_authz queries the user's LDAP information using the provided LDAP filter.

other

The other access rule serves as a wildcard rule. Use it to allow or deny access to all users.

object

The value in the object field defines the criteria against which pam_authz validates the login name. The following list summarizes the possible values and syntax of the object field for each type.

unix_user

A list of user names. Each value (user name) is a character string; values are separated by a comma (,), ASCII 0x2C. Multi-valued field.

unix_group

A list of POSIX group names. Each value (group name) is a character string; values are separated by a comma (,), ASCII 0x2C. Multi-valued field.

netgroup

A list of netgroup names. Each value (netgroup name) is a character string; values are separated by a comma (,), ASCII 0x2C. Multi-valued field.

ldapgroup

The distinguished name (DN) of an LDAP group (non-POSIX group) with the groupOfNames or groupOfUniqueNames objectclass. The syntax of a DN is defined in RFC 2253. Single-valued field. No separator is required; only one distinguished name is allowed.

ldapfilter

A single search filter that specifies one or more (attribute=value) pairs. The syntax of a string search filter is defined in RFC 2254. Single-valued field. No separator is required; only one search filter is allowed.

Here is an example of access rules in /etc/opt/ldapux/pam_authz.policy:

allow:unix_user:peter,john,mary
allow:unix_group:admin,operator,support
deny:unix_group:guest,contractor,vendor
allow:netgroup:netcom,netprint,netmail
allow:ldap_group:cn=admingroup,ou=eng,dc=example,dc=com
allow:ldap_filter:(&(manager=tomc)(departmentnumber=113))

Because the first matching rule is authoritative, a user who is a member of both admin and guest is allowed by the rules above, since the admin rule is evaluated first; reversing those two lines would deny that user. Note also that this example spells the two LDAP rule types ldap_group and ldap_filter, while the type list above spells them ldapgroup and ldapfilter. Confirm which spelling your release of pam_authz accepts before relying on either rule, for instance by testing with an account that should be allowed only by that rule.
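The following is an added example, not code from HP or from the pam_authz module. It models the evaluation of pam_authz.policy described above: rules are tried in file order, the first matching rule is authoritative, and a user matched by no rule is denied. Group, netgroup and directory data are constructed tables standing in for nsswitch.conf and LDAP-UX lookups; the small RFC 2254 filter evaluator, the treatment of "#" lines as comments, the empty object field for the other type, and the acceptance of both keyword spellings seen on this page are all assumptions of the model.

```python
# Added example (not HP's code): a model of how pam_sm_acct_mgmt() evaluates
# /etc/opt/ldapux/pam_authz.policy. First matching rule is authoritative;
# no match means deny. Lookups use constructed tables instead of
# nsswitch.conf and the LDAP-UX client. Assumptions: "#" lines are comments,
# the "other" type has an empty object field, and both keyword spellings
# seen in the man page (ldap_group/ldapgroup, ldap_filter/ldapfilter) work.

# Constructed directory entries: user -> attributes, plus the DNs of the
# X.500 style groups the user belongs to.
USERS = {
    "peter": {"manager": "tomc", "departmentnumber": "113", "groups": []},
    "tara":  {"manager": "tomc", "departmentnumber": "113", "groups": []},
    "sam":   {"manager": "tomc", "departmentnumber": "113", "groups": []},
    "olga":  {"manager": "ann",  "departmentnumber": "200",
              "groups": ["cn=admingroup,ou=eng,dc=example,dc=com"]},
}
POSIX_GROUPS = {"admin": {"olga"}, "guest": {"gina", "sam"}}
NETGROUPS = {"netcom": {"nick"}}

# Constructed policy: the man page's example rules, in the same order.
POLICY = """\
allow:unix_user:peter,john,mary
allow:unix_group:admin,operator,support
deny:unix_group:guest,contractor,vendor
allow:netgroup:netcom,netprint,netmail
allow:ldap_group:cn=admingroup,ou=eng,dc=example,dc=com
allow:ldap_filter:(&(manager=tomc)(departmentnumber=113))
"""


def parse_filter(text):
    """Parse a minimal RFC 2254 filter (=, &, |, !) into a tuple tree."""
    pos = [0]

    def node():
        if text[pos[0]] != "(":
            raise ValueError("expected '(' at %d in %r" % (pos[0], text))
        pos[0] += 1
        op = text[pos[0]]
        if op in "&|!":
            pos[0] += 1
            kids = []
            while text[pos[0]] == "(":
                kids.append(node())
            pos[0] += 1                       # closing ')'
            return (op, kids)
        end = text.index(")", pos[0])
        attr, _, value = text[pos[0]:end].partition("=")
        pos[0] = end + 1
        return ("=", attr.lower(), value)

    return node()


def match_filter(tree, attrs):
    op = tree[0]
    if op == "=":
        return attrs.get(tree[1]) == tree[2]
    if op == "&":
        return all(match_filter(k, attrs) for k in tree[1])
    if op == "|":
        return any(match_filter(k, attrs) for k in tree[1])
    return not match_filter(tree[1][0], attrs)       # "!"


def rule_matches(rtype, obj, user):
    if rtype == "unix_user":
        return user in obj.split(",")
    if rtype == "unix_group":
        return any(user in POSIX_GROUPS.get(g, ()) for g in obj.split(","))
    if rtype == "netgroup":
        return any(user in NETGROUPS.get(n, ()) for n in obj.split(","))
    if rtype in ("ldap_group", "ldapgroup"):
        return obj in USERS.get(user, {}).get("groups", [])
    if rtype in ("ldap_filter", "ldapfilter"):
        return user in USERS and match_filter(parse_filter(obj), USERS[user])
    if rtype == "other":
        return True
    raise ValueError("unknown rule type %r" % rtype)


def policy_access(user, policy_text=POLICY):
    """Return "allow" or "deny": the first matching rule is authoritative,
    and no authoritative rule means deny."""
    for lineno, line in enumerate(policy_text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            action, rtype, obj = line.split(":", 2)
        except ValueError:
            raise ValueError("line %d: expected action:type:object" % lineno)
        if action not in ("allow", "deny"):
            raise ValueError("line %d: bad action %r" % (lineno, action))
        if rule_matches(rtype, obj, user):
            return action
    return "deny"
```

The constructed data shows the ordering effect: sam satisfies the ldap_filter rule at the end of the file, but the deny:unix_group:guest rule above it matches first and is authoritative, so sam is denied; tara, who matches only the filter, is allowed; and a user named nowhere falls off the end of the file and is denied.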

The following options may be passed to the pam_authz service module:

debug

syslog() debugging information at LOG_DEBUG level.

nowarn

Turn off warning messages.

use_first_pass

This option is ignored.

try_first_pass

This option is ignored.

The pam_sm_setcred() function sets user-specific credentials. In the case of pam_authz, this is a NULL function.

Session Management Module

The session management component provides functions to initiate (pam_sm_open_session()) and terminate (pam_sm_close_session()) sessions. For pam_authz, pam_sm_open_session() is a NULL function. The following options may be passed in to the pam_authz service module:

debug

syslog() debugging information at LOG_DEBUG level.

nowarn

Turn off warning messages.

pam_sm_close_session() is also a NULL function.

Password Management Module

The password management component provides a function to change passwords (pam_sm_chauthtok()). In the case of pam_authz, pam_sm_chauthtok() is a NULL function. The following options may be passed in to the pam_authz service module:

debug

syslog() debugging information at LOG_DEBUG level.

nowarn

Turn off warning messages.

use_first_pass

This option is ignored.

try_first_pass

This option is ignored.

EXAMPLES

The following is a sample pam.conf configuration file. Lines that begin with the # symbol are treated as comments, and are therefore ignored.

#
# PAM configuration
#
# Authentication management
#
login    auth      required     libpam_hpsec.so.1
login    auth      sufficient   libpam_unix.so.1
login    auth      required     libpam_ldap.so.1 try_first_pass
OTHER    auth      required     libpam_hpsec.so.1
OTHER    auth      sufficient   libpam_unix.so.1
OTHER    auth      required     libpam_ldap.so.1 try_first_pass
#
# Account management
#
login    account   required     libpam_hpsec.so.1
login    account   required     libpam_authz.so.1
login    account   sufficient   libpam_unix.so.1
login    account   required     libpam_ldap.so.1
OTHER    account   required     libpam_authz.so.1
OTHER    account   required     libpam_hpsec.so.1
OTHER    account   sufficient   libpam_unix.so.1
OTHER    account   required     libpam_ldap.so.1
#
# Session management
#
login    session   required     libpam_hpsec.so.1
login    session   sufficient   libpam_unix.so.1
login    session   required     libpam_ldap.so.1
OTHER    session   required     libpam_hpsec.so.1
OTHER    session   sufficient   libpam_unix.so.1
OTHER    session   required     libpam_ldap.so.1
#
# Password management
#
login    password  required     libpam_hpsec.so.1
login    password  sufficient   libpam_unix.so.1
login    password  required     libpam_ldap.so.1 try_first_pass
OTHER    password  required     libpam_hpsec.so.1
OTHER    password  sufficient   libpam_unix.so.1
OTHER    password  required     libpam_ldap.so.1 try_first_pass
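The following is an added example, not code from HP or from the pam_authz module. It checks a pam.conf account section against the placement advice given earlier on this page: for every service that has an account stack, pam_authz must be present, marked required, and listed before any sufficient module, because a sufficient module that succeeds ends the stack and pam_authz would never be consulted for that user. The good configuration is the sample above; the bad one is constructed for the example.

```python
# Added example (not HP's code): a checker for the pam.conf account-stack
# ordering advice in this man page. It parses the HP-UX pam.conf layout
# (service type control module [options]) and, for each service that has
# an account stack, reports pam_authz missing, not "required", or placed
# after a "sufficient" module. A service with no explicit account stack
# falls back to OTHER in PAM and is not reported here.

# The man page's own account section, as the known-good input.
GOOD_CONF = """\
# Account management
login   account required   libpam_hpsec.so.1
login   account required   libpam_authz.so.1
login   account sufficient libpam_unix.so.1
login   account required   libpam_ldap.so.1
OTHER   account required   libpam_authz.so.1
OTHER   account required   libpam_hpsec.so.1
OTHER   account sufficient libpam_unix.so.1
OTHER   account required   libpam_ldap.so.1
"""

# Constructed misconfiguration: pam_authz is optional for login, sits after
# a sufficient module for OTHER, and is absent from the sshd stack.
BAD_CONF = """\
login   account optional   libpam_authz.so.1
login   account sufficient libpam_unix.so.1
OTHER   account sufficient libpam_unix.so.1
OTHER   account required   /usr/lib/security/$ISA/libpam_authz.so.1
sshd    account sufficient libpam_unix.so.1
"""


def parse_pam_conf(text):
    """Return (service, type, control, module, options) per non-comment line."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 4:
            continue                      # malformed line; ignore
        entries.append((parts[0], parts[1], parts[2], parts[3], parts[4:]))
    return entries


def check_authz_placement(text, module="libpam_authz.so.1"):
    """Return {service: [finding, ...]} for every account stack; [] means OK."""
    stacks = {}
    for svc, mtype, control, mod, _ in parse_pam_conf(text):
        if mtype == "account":
            stacks.setdefault(svc, []).append((control, mod))
    findings = {}
    for svc, stack in stacks.items():
        probs = []
        # Match on the basename so a full /usr/lib/security path also counts.
        idx = [i for i, (_, m) in enumerate(stack) if m.endswith(module)]
        if not idx:
            probs.append("pam_authz missing from account stack")
        else:
            i = idx[0]
            if stack[i][0] != "required":
                probs.append("pam_authz control is %r, expected required"
                             % stack[i][0])
            if any(c == "sufficient" for c, _ in stack[:i]):
                probs.append("a sufficient module precedes pam_authz")
        findings[svc] = probs
    return findings
```

In the constructed bad file, a local account in /etc/passwd would satisfy libpam_unix.so.1 for the OTHER stack and skip pam_authz entirely, which is exactly the case the "first in the account section" advice prevents.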
