|HP-UX Reference > P
HP-UX 11i Version 3: February 2007
pam_unix — authentication, account, session, and password management PAM modules for UNIX
The UNIX service module for PAM, /usr/lib/security/$ISA/libpam_unix.so.1, provides functionality for all four PAM modules: authentication, account management, session management and password management.
The libpam_unix.so.1 module is a shared object that can be dynamically loaded to provide the necessary functionality upon demand.
For an interpretation of the module path, please refer to the related information in pam.conf(4).
Unix Authentication Module
The UNIX authentication component provides functions to verify the identity of a user, (pam_sm_authenticate()) and to set user specific credentials (pam_sm_setcred()).
pam_sm_authenticate() compares the user entered password (or password retrieved from the user's smart card) with the password from UNIX password database, including the protected password database for trusted systems. If the passwords match, the user is authenticated. If the user also has secure RPC credentials and the secure RPC password is the same as the UNIX password, then the secure RPC credentials are also obtained.
The following options may be passed to the UNIX service module:
When prompting for the current password, the UNIX authentication module will use the prompt, "Password:" unless one of the following scenarios occur:
In cases 1 and 2, the UNIX authentication module will use the prompt "System Password:".
The pam_sm_setcred() function sets user specific credentials. If the user had secure RPC credentials, but the secure RPC password was not the same as the UNIX password, then a warning message is printed. If the user wants to get secure RPC credentials, then keylogin(1) needs to be run.
Unix Account Management Module
The UNIX account management component provides a function to perform account management (pam_sm_acct_mgmt()). The function retrieves the user's password entry from the UNIX password database and verifies that the user's account and password have not expired. For trusted systems, this module also validates the allowed access time and access terminal based upon the security configuration. The following options may be passed in to the UNIX service module:
Unix Session Management Module
The UNIX session management component provides functions to initiate (pam_sm_open_session()) and terminate (pam_sm_close_session()) UNIX sessions. For UNIX, pam_open_session() updates the last successful or unsuccessful login time in the protected password database for trusted mode. The account management module reads the information to display the previous time the user logged in.
The following options may be passed in to the UNIX service module:
pam_close_session is a NULL function.
Unix Password Management Module
The UNIX password management component provides a function to change passwords (pam_sm_chauthtok()) in the UNIX password database. This module must be required in pam.conf. It can not be optional or sufficient. The following options may be passed in to the UNIX service module:
If the user's password has expired, the UNIX account module saves this information in the authentication handle using pam_set_data(). The UNIX password module retrieves this information from the authentication handle using pam_get_data() to determine whether or not to force the user to update their password.
On trusted systems, the pam_sm_*() interfaces implemented in the UNIX service module, libpam_unix, are not thread-safe. Otherwise, they are thread-safe. A cancellation point may occur while a thread is executing any of these interfaces. They are not cancel-safe, async-cancel-safe, nor async-signal-safe.