Manual: (HP-UX-11.11)
 auth.adm(1M)							auth.adm(1M)




 NAME
      auth.adm - activate, deactivate, or query about HP-UX Integrated Login

 SYNOPSIS
      auth.adm -install -l tech_name [ -b tech_name ]
	       [ -a tech_name[:tech_name]... ]
	       [ -p tech_name:parameter=value[:parameter=value]... ]...


      auth.adm -uninstall


      auth.adm -query [ -f filename ]

 DESCRIPTION
      The auth.adm command makes it easy to activate, deactivate or make
      queries about HP-UX Integrated Login.


      During activation, auth.adm sets up a machine to obtain integrated
      behavior from the following commands: login, rlogin, telnet, dtlogin,
      su, passwd, chfn, chsh and ftpd.


      auth.adm saves the Integrated Login configuration, specified by -l, -b
      and -a arguments, in the file /etc/auth.conf. The configuration
      specifies authentication technologies used to authenticate users on a
      system. System administrators can specify a technology for system
      login; for the case where this login technology is unavailable, a
      fallback technology for system login may also be specified.  System
      administrators can also specify technologies for additional user
      authentications that will be done after a user has successfully
      completed the system login phase.


      The integrated commands installed on a system are:


	   /usr/bin/chfn.auth
	   /usr/bin/chsh.auth
	   /usr/lbin/ftpd.auth


      Integrated behavior of login, su, passwd, and dtlogin is obtained by
      replacing the current /etc/pam.conf with one that specifies the
      behavior requested by the auth.adm arguments.


      To activate ftpd.auth, auth.adm modifies the ftp entry in the file
      /etc/inetd.conf to have ftpd.auth directly invoked by the Internet
      services daemon. The integrated versions of chfn.auth and chsh.auth
      are dynamically invoked by their corresponding HP-UX commands if the
      file /etc/auth.conf exists on the system.


      Upon deactivation, auth.adm restores the previous versions of the
      above commands, removes the /etc/auth.conf configuration file, and
      restores the /etc/pam.conf file that was present on the system before
      Integrated Login was installed.


      When making a query, auth.adm reads the /etc/auth.conf file and prints
      the result of the query to stdout or to the filename specified by the
      -f argument.


      All actions performed by auth.adm are logged into the file
      /var/adm/ilogin/auth.adm.log.

 ARGUMENTS
      auth.adm recognizes the following arguments:


	   -install
		activates HP-UX Integrated Login.


	   tech_name
		an abbreviated name representing an authentication
		technology.  At the 10.0 release, the supported tech_name
		values are:


		     dce  for DCE Registry


		     ux	  for /etc/passwd and other HP-UX login
			  technologies.


	   -l tech_name
		specifies the technology used for system login.


	   -b tech_name
		specifies the technology used for fallback login.


	   -a tech_name[:tech_name]...
		specifies technologies used for additional authentications
		after a user has been successfully logged in to a system.





	   -p tech_name:parameter=value[:parameter=value]...
		specifies configurable parameters applicable to a
		technology.  Parameters for different technologies can be
		specified by repeating the -p argument. At the 10.30 release,
		the supported configurable parameters include the following:


		     TIMEOUT   Timeout (in seconds) on communications with a
			       technology.  Default values for TIMEOUT are
			       as follows.


				    dce	 180 seconds


				    ux	 ignored


		     WARNPWDEXP
			       Password expiration warning period (in days).
			       If the user's password is due to expire
			       within the specified number of days, the user
			       receives a warning message during login. This
			       parameter applies to DCE technology only. If
			       this parameter is not specified, no warning
			       is given.


		     FORCEPWDCHANGE
			       Password force-change period (in days). If
			       the user's password is due to expire within
			       the specified number of days, the user is
			       forced to change the password before login is
			       allowed. This parameter applies to the DCE
			       technology only. If this parameter is not
			       specified, a password change is not forced.


		     FORWARDABLETGT
			       Enable the DCE TGT to be forwardable.
			       Forwarding a user's DCE TGT from machine A to
			       machine B lets the user reuse the Kerberos
			       credentials from machine A on machine B. A
			       parameter value is required, but its content
			       is ignored.  This parameter applies to DCE
			       technology only.


	   -uninstall
		deactivates HP-UX Integrated Login.



	   -query
		makes a query about the current Integrated Login
		configuration.


	   -f filename
		prints the result of a query to filename.

 EXAMPLES
      The following command activates HP-UX Integrated Login. The
      configuration is set to log in the user upon successful password
      verification by DCE. In the case where DCE is not available, a
      fallback for login via /etc/passwd or another HP-UX technology is
      configured.  (Note that this strategy is effective only if the HP-UX
      password and DCE password are identical.)


	   auth.adm -install -l dce -b ux


      The following command activates HP-UX Integrated Login. The
      configuration is set to log in the user upon successful password
      verification by /etc/passwd or another HP-UX technology.  After
      machine access has been granted to the user, the configuration
      specifies that a DCE login should also be done.


	   auth.adm -install -l ux -a dce
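

      Added example, not part of the original manual page and not HP code:
      a pre-flight check for one -p value as described under ARGUMENTS. The
      function name check_p_spec and the rule that seconds and days must be
      whole numbers are assumptions of this example.

```sh
#!/bin/sh
# Added example (not HP code): pre-flight check of one auth.adm -p value,
#   tech_name:parameter=value[:parameter=value]...
# Names and scope rules come from the ARGUMENTS section; check_p_spec and the
# whole-number rule for seconds/days are assumptions of this example.
# Prints findings; returns 0 if there are no errors (warnings allowed), else 1.
check_p_spec() {
    spec=$1
    tech=${spec%%:*}
    rest=${spec#*:}
    rc=0
    case $tech in
        dce|ux) ;;
        *) echo "error: unsupported tech_name '$tech'"; return 1 ;;
    esac
    # No ':' (rest unchanged) or nothing after it: no parameter was supplied.
    if [ "$rest" = "$spec" ] || [ -z "$rest" ]; then
        echo "error: no parameter=value after tech_name"; return 1
    fi
    old_ifs=$IFS; IFS=:; set -f      # split on ':' only, no globbing
    set -- $rest
    IFS=$old_ifs; set +f
    for pair in "$@"; do
        case $pair in
            *=*) name=${pair%%=*}; value=${pair#*=} ;;
            *) echo "error: '$pair' is not parameter=value"; rc=1; continue ;;
        esac
        case $name in
            TIMEOUT|WARNPWDEXP|FORCEPWDCHANGE)
                case $value in
                    ''|*[!0-9]*) echo "error: $name needs a whole number, got '$value'"; rc=1 ;;
                esac ;;
            FORWARDABLETGT)
                # A value is required even though its content is ignored.
                [ -n "$value" ] || { echo "error: FORWARDABLETGT needs a value"; rc=1; } ;;
            *) echo "error: unsupported parameter '$name'"; rc=1; continue ;;
        esac
        if [ "$tech" = ux ]; then
            case $name in
                TIMEOUT) echo "warning: TIMEOUT is ignored for ux" ;;
                *) echo "warning: $name applies to dce only" ;;
            esac
        fi
    done
    return $rc
}

# Constructed sample inputs.
for s in "dce:TIMEOUT=60:WARNPWDEXP=14" "ux:FORCEPWDCHANGE=7" "dce:FORWARDABLETGT="; do
    check_p_spec "$s" || echo "rejected: $s"
done
```

      Warnings mark parameters that are accepted syntactically but have no
      effect for the named technology, which is how a password-expiry
      setting can silently fail to apply.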

 RETURN VALUE
      auth.adm -install/-uninstall returns one of the following:


	   0	Successfully completed


	   1	Error(s) occurred


      auth.adm -query returns one of the following:


	   0	HP-UX Integrated Login is not activated on the system.


	   1	HP-UX Integrated Login is activated and ux is the technology
		for performing system login.






	   2	HP-UX Integrated Login is activated and ux is the technology
		for performing system login. However, the system must not be
		converted to a Commercial Security Trusted system.


	   3	HP-UX Integrated Login is activated and ux is NOT the
		technology for performing system login. The system must not
		be converted to a Commercial Security Trusted system.


	   4	Query fails due to error(s).

 WARNING
      If activation or deactivation fails to complete, correct the error(s)
      and re-execute the activation or deactivation.  auth.adm cannot
      deactivate a failed activation.


 AUTHOR
      auth.adm was developed by HP.

 FILES
      /var/adm/ilogin/auth.adm.log  log file containing records of actions
				    performed by auth.adm.

 SEE ALSO
      auth(5), auth.dce(5), pam(3).



 Hewlett-Packard Company				  HP-UX Release 10.0