NAME
pam_hpsec — extended authentication, account, password, and session service module for HP-UX
SYNOPSIS
/usr/lib/security/$ISA/libpam_hpsec.so.1
DESCRIPTION
The
hpsec
service module implements extensions specific to HP-UX for authentication,
account management, password management, and session management.
The use of
pam_hpsec
is recommended for all services, and is mandatory for some services such as
login,
dtlogin,
ftp,
su,
remsh/rexec
and
ssh.
Application writers and system administrators may decide that
it is inappropriate to use
pam_hpsec
for some specific applications.
When the
pam_hpsec
module is present on the stack, it must be on the top of the stack,
above other modules such as
pam_unix,
pam_krb5,
or
pam_ldap.
This module is specific to HP-UX, and the functionality may
vary significantly between releases.
For an interpretation of the module path, please refer to the related
information in
pam.conf(4).
Options
The following options may be passed to the
hpsec
service module for all the components:
- debug
syslog(3C)
debugging information at
LOG_DEBUG.
- nowarn
Turns off warning messages.
- opaque
With this option,
pam_hpsec
returns
PAM_SUCCESS
upon success. Without this option, the module returns
PAM_IGNORE
upon success (which simplifies the PAM configuration).
Authentication Component
The
hpsec
authentication component provides management of credentials
specific to HP-UX.
In the future, this component may also implement
additional HP-UX specific authentication restrictions in addition to
the credential management.
Currently, this component initializes audit attributes for the session.
In addition to the options listed in the
Options
section, the following
options may also be passed to the module for authentication.
- bypass_setaud
With this option,
pam_hpsec
does not initialize audit attributes for the session.
This option is supported solely to maintain
su(1)
backward compatible behavior when
pam_hpsec
is configured with
su(1).
It is recommended that this option not be applied to other services.
- bypass_all
With this option,
pam_hpsec
ignores the restrictions or features
that this module would otherwise enforce.
Note that other common UNIX credentials such as
uid,
gid,
and supplemental
group membership are not managed by any PAM module.
The application
performing the authentication is expected to grant these credentials
(these credentials must be granted after calling
pam_open_session(3))
using the
setuid(2)
and
initgroups(3C)
types of calls.
Account Management Component
This component implements the
AUTH_MAXTRIES
and
LOGIN_TIMES
restrictions described in
security(4).
In addition to the options listed in the
Options
section, the
following options may also be passed to the module for account management.
- bypass_maxtries
With this option,
pam_hpsec
ignores the
AUTH_MAXTRIES
restriction.
- bypass_login_times
With this option,
pam_hpsec
ignores the
LOGIN_TIMES
restriction.
- bypass_all
With this option,
pam_hpsec
ignores the restrictions or features
that this module would otherwise enforce.
Password Management Component
This component unconditionally succeeds.
Session Management Component
This component implements many miscellaneous restrictions such as
DISPLAY_LAST_LOGIN,
NOLOGIN,
NUMBER_OF_LOGINS_ALLOWED,
and
UMASK
documented in
security(4).
In addition to the options listed in the
Options
section, the following
options may also be passed to the module for session management.
- bypass_nologin
With this option,
pam_hpsec
ignores the
NOLOGIN
setting.
- bypass_limit_login
With this option,
pam_hpsec
ignores the
NUMBER_OF_LOGINS_ALLOWED
setting.
- bypass_umask
With this option,
pam_hpsec
ignores the
UMASK
setting.
- bypass_last_login
With this option,
pam_hpsec
ignores the
DISPLAY_LAST_LOGIN
setting.
- bypass_all
With this option,
pam_hpsec
ignores the restrictions or features
that this module would otherwise enforce.
EXAMPLES
The following is an example of stacking using the
pam_hpsec
module:
login session required pam_hpsec.so.1
login session sufficient pam_unix.so.1
login session sufficient pam_ldap.so.1
login session sufficient pam_krb5.so.1
The above rules state that the login's session management requires at
least any one of UNIX, LDAP, and Kerberos PAM modules in addition to
hpsec.
AUTHOR
pam_hpsec
was developed by HP.
Printable version
