pam_hpsec(5) HP-UX 11i Version 3: February 2007
pam_hpsec — extended authentication, account, password, and session service module for HP-UX
The hpsec service module implements extensions specific to HP-UX for authentication, account management, password management, and session management.
The use of pam_hpsec is recommended for all services, and is mandatory for some services such as login, dtlogin, ftp, su, remsh/rexec and ssh. Application writers and system administrators may decide that it is inappropriate to use pam_hpsec for some specific applications. When the pam_hpsec module is present on the stack, it must be on the top of the stack, above other modules such as pam_unix, pam_krb5, or pam_ldap. This module is specific to HP-UX, and the functionality may vary significantly between releases.
For an interpretation of the module path, please refer to the related information in pam.conf(4).
The following options may be passed to the hpsec service module for all the components:
The hpsec authentication component provides management of credentials specific to HP-UX. In the future, this component may also implement additional HP-UX specific authentication restrictions in addition to the credential management.
Currently, this component initializes audit attributes for the session. In addition to the options listed in the Options section, the following options may also be passed to the module for authentication.
Note that other common UNIX credentials such as uid, gid, and supplemental group membership are not managed by any PAM module. The application performing the authentication is expected to grant these credentials itself, using calls such as setuid(2) and initgroups(3C), and must do so after calling pam_open_session(3).
Account Management Component
This component implements the AUTH_MAXTRIES and LOGIN_TIMES restrictions described in security(4). In addition to the options listed in the Options section, the following options may also be passed to the module for account management.
Session Management Component
This component implements many miscellaneous restrictions such as DISPLAY_LAST_LOGIN, NOLOGIN, NUMBER_OF_LOGINS_ALLOWED, and UMASK documented in security(4). In addition to the options listed in the Options section, the following options may also be passed to the module for session management.
The following is an example of stacking using the pam_hpsec module:
    login session required   pam_hpsec.so.1
    login session sufficient pam_unix.so.1
    login session sufficient pam_ldap.so.1
    login session sufficient pam_krb5.so.1
The above rules state that login's session management requires hpsec and, in addition, at least one of the UNIX, LDAP, and Kerberos PAM modules.
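The rule stated earlier, that pam_hpsec must be on the top of the stack whenever it is present, can be checked mechanically. The following is an added example, not part of the HP-UX manual page: the function names and the sample configuration are constructed for illustration, and the file is assumed to use the five-column pam.conf(4) layout shown above.

```shell
#!/bin/sh
# check_hpsec_order FILE
# Reads a pam.conf-format file and prints one line for every
# (service, module_type) stack in which pam_hpsec appears but is not the
# first module listed. Returns 0 if no such stack exists, 1 otherwise.
check_hpsec_order() {
    awk '
        /^[ \t]*#/ || NF < 4 { next }       # skip comments, blank and short lines
        {
            key = $1 " " $2                 # service + module_type names one stack
            pos[key]++                      # position of this entry in its stack
            # match pam_hpsec.so.1, libpam_hpsec.so.1, or either with a directory
            if ($4 ~ /(^|\/)(lib)?pam_hpsec\./ && pos[key] > 1) {
                printf "%s: pam_hpsec is entry %d, expected 1\n", key, pos[key]
                bad = 1
            }
        }
        END { exit bad + 0 }
    ' "$1"
}

# write_sample_conf FILE
# Writes a constructed sample (not a shipped HP-UX pam.conf) with one
# correctly ordered stack and one stack where pam_hpsec is misplaced.
write_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample for the ordering check
login  session  required    pam_hpsec.so.1
login  session  sufficient  pam_unix.so.1
login  session  sufficient  pam_ldap.so.1
su     auth     required    pam_unix.so.1
su     auth     required    pam_hpsec.so.1
ftp    account  required    pam_unix.so.1
EOF
}

# Demonstration on the constructed sample.
sample=$(mktemp)
write_sample_conf "$sample"
check_hpsec_order "$sample" || echo "ordering violations found"
rm -f "$sample"
```

Stacks that do not use pam_hpsec at all, such as the `ftp account` stack in the sample, are not reported by this check.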