 pam.conf(4)							 pam.conf(4)




 NAME
      pam.conf - configuration file for pluggable authentication modules

 SYNOPSIS
      /etc/pam.conf

 DESCRIPTION
      pam.conf is the configuration file for the Pluggable Authentication
      Module architecture, or PAM.  A PAM module provides functionality for
      one or more of four possible services: authentication, account
      management, session management, and password management.

      An authentication service module provides functionality to
      authenticate a user and set up user credentials.	An account management
      module provides functionality to determine if the current user's
      account is valid.	 This includes checking for password and account
      expiration, as well as verifying access hour restrictions.  A session
      management module provides functionality to set up and terminate login
      sessions.	 A password management module provides functionality to
      change a user's authentication token or password.

    Simplified PAM.CONF configuration file
      The pam.conf file contains a listing of services.	 Each service is
      paired with a corresponding service module.  When a service is
      requested, its associated module is invoked.  Each entry has the
      following format:

	   service_name module_type control_flag module_path options

      Below is an example of the pam.conf configuration file with support
      for authentication, account management, and session management
      modules.

	   login     auth     required	 /usr/lib/security/libpam_unix.1  debug
	   login     session  required	 /usr/lib/security/libpam_unix.1
	   login     account  required	 /usr/lib/security/libpam_unix.1
	   dtlogin   session  required	 /usr/lib/security/libpam_unix.1
	   other     auth     required	 /usr/lib/security/libpam_unix.1
	   other     password required	 /usr/lib/security/libpam_unix.1

      service_name   The service_name denotes the service (for example,
		     login, or dtlogin).  The keyword other indicates the
		     module that all applications not explicitly listed in
		     the file should use.  The other keyword can also be
		     used if all services of the same module_type have the
		     same requirements.	 In the example above, since all of
		     the services use the same session module, they could
		     have been replaced by a single other line.

      module_type    module_type denotes the service module type:
		     authentication (auth), account management (account),
		     session management (session), or password management
		     (password).

 Hewlett-Packard Company	    - 1 -   HP-UX Release 11i: November 2000

      control_flag   The control_flag field determines the behavior of
		     stacking, and will be discussed in more detail below.

      module_path    The module_path field specifies the pathname to a
		     shared library object which implements the service
		     functionality.  If the pathname is not absolute, it is
		     assumed to be relative to /usr/lib/security.

      options	     The options field is used by the PAM framework layer to
		     pass module specific options to the modules.  It is up
		     to the module to parse and interpret the options.	This
		     field can be used by the modules to turn on debugging
		     or to pass any module specific parameters such as a
		     TIMEOUT value.  It can also be used to support unified
		     login.  The options supported by the modules are
		     documented in their respective manual pages.  For
		     example, pam_unix(5) lists the options accepted by the
		     UNIX module.

    Integrating Multiple Authentication Services With Stacking
      When a service_name of the same module_type is defined more than once,
      the service is said to be stacked. Each module referenced in the
      module_path for that service is then processed in the order that it
      occurs in the configuration file.	 The control_flag field specifies
      the continuation and failure semantics of the modules, and may be
      required, optional, or sufficient.

      The PAM framework processes each service module in the stack.  If all
      required modules in the stack succeed, then success is returned
      (optional and sufficient error values are ignored).  If one or more
      required modules fail, then the error value from the first required
      module that failed is returned.

      If none of the service modules in the stack are designated as
      required, then the PAM framework requires that at least one optional
      or sufficient module succeed.  If all fail then the error value from
      the first service module in the stack is returned.

      The only exception to the above is caused by the sufficient flag.	 If
      a service module that is designated as sufficient succeeds, then the
      PAM framework immediately returns success to the application (all
      subsequent service modules, even required ones, in the stack are
      ignored), given that all prior required modules had also succeeded.
      If a prior required module failed, then the error value from that
      module is returned.

      If a module does not exist or cannot be opened, then the pam.conf
      entry is ignored and an error will be logged through syslog(3C) at the
      LOG_CRIT level.

      Below is a sample configuration file that stacks the login and
      dtlogin services.

	   login    auth    required	  /usr/lib/security/libpam_unix.1  debug
	   login    auth    optional	  /usr/lib/security/libpam_inhouse.1
	   dtlogin  auth    sufficient	  /usr/lib/security/libpam_unix.1  debug
	   dtlogin  auth    required	  /usr/lib/security/libpam_inhouse.1

      In the case of login, the user is authenticated by the UNIX and
      inhouse authentication modules.  The required keyword for control_flag
      requires that the user be allowed to login only if the user is
      authenticated by the UNIX service module.	 Inhouse authentication is
      optional by virtue of the optional keyword in the control_flag field.
      The user can still log in even if inhouse authentication fails.

      In the case of dtlogin, the sufficient keyword for control_flag
      specifies that if the UNIX authentication check succeeds, then PAM
      should return success to dtlogin.	 The inhouse authentication module
      (the next module in the stack) will only be invoked if the UNIX
      authentication check fails.

      Some modules may return PAM_IGNORE in certain situations.	 In these
      cases the PAM framework ignores the entire entry in pam.conf
      regardless of whether or not it is required, optional or sufficient.
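      The entry format from the Simplified PAM.CONF section and the stacking
      rules above, as a small Python model added here for illustration; this
      is not the HP-UX PAM framework's code.  It parses pam.conf entries,
      resolves a relative module_path against /usr/lib/security, drops
      entries with an invalid module_type or control_flag, falls back to the
      other entries, and applies the required, optional, sufficient and
      PAM_IGNORE rules to module results supplied by the caller.  The sample
      configuration is the page's login/dtlogin stack plus two constructed
      lines (a relative module_path and an invalid control_flag).  Return
      code names other than PAM_SUCCESS and PAM_IGNORE, the NO_VALID_ENTRY
      marker, and case-insensitive service-name matching are assumptions of
      the model, not documented behaviour.

```python
"""Model of the pam.conf stacking rules described in pam.conf(4).

Added example (not HP-UX code): it parses pam.conf entries and applies the
documented control_flag semantics so that a stack can be checked before it
is deployed.  Module return codes are constructed values supplied by the
caller; no shared library is loaded.
"""
import posixpath

MODULE_TYPES = {"auth", "account", "session", "password"}
CONTROL_FLAGS = {"required", "optional", "sufficient"}
MODULE_DIR = "/usr/lib/security"   # a relative module_path is resolved here
PAM_SUCCESS = "PAM_SUCCESS"
PAM_IGNORE = "PAM_IGNORE"          # entry dropped from the stack, flag irrelevant
NO_VALID_ENTRY = "NO_VALID_ENTRY"  # model's marker; the page only says "an error"

# The page's stacking sample plus two constructed lines at the end: a
# relative module_path, and an entry whose control_flag is invalid.
SAMPLE_CONF = """
# login: UNIX required, inhouse optional; dtlogin: UNIX sufficient
login    auth    required    /usr/lib/security/libpam_unix.1  debug
login    auth    optional    /usr/lib/security/libpam_inhouse.1
dtlogin  auth    sufficient  /usr/lib/security/libpam_unix.1  debug
dtlogin  auth    required    /usr/lib/security/libpam_inhouse.1
other    auth    required    libpam_unix.1
su       auth    requisite   /usr/lib/security/libpam_unix.1
"""


def parse_pam_conf(text):
    """Return [(service, module_type, control_flag, module_path, options)].

    '#' lines are comments.  Entries with an invalid module_type or
    control_flag are ignored (NOTES).  A relative module_path is taken
    relative to /usr/lib/security.  Service names are lower-cased so that
    the page's OTHER and other match (an assumption of this model).
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 4:
            continue                                  # too few fields: ignored
        service, mtype, flag, path = fields[:4]
        if mtype not in MODULE_TYPES or flag not in CONTROL_FLAGS:
            continue                                  # invalid entry: ignored
        if not posixpath.isabs(path):
            path = posixpath.join(MODULE_DIR, path)
        entries.append((service.lower(), mtype, flag, path, fields[4:]))
    return entries


def stack_for(entries, service, module_type):
    """Entries for the named service, else the 'other' entries of that type."""
    own = [e for e in entries if e[0] == service.lower() and e[1] == module_type]
    return own or [e for e in entries if e[0] == "other" and e[1] == module_type]


def evaluate_stack(stack, results):
    """Apply the control_flag rules; return (return_code, modules_invoked).

    results maps module_path -> "PAM_SUCCESS", "PAM_IGNORE" or an error
    name.  A path missing from results stands for a module that could not
    be opened, which the page says makes the entry ignored.
    """
    invoked = []
    first_required_error = None   # error from the first failed required module
    first_error = None            # error from the first failed module of any flag
    saw_required = any_success = False
    for _, _, flag, path, _ in stack:
        rc = results.get(path, PAM_IGNORE)
        if rc == PAM_IGNORE:
            continue                                  # whole entry ignored
        invoked.append(path)
        if rc == PAM_SUCCESS:
            any_success = True
            if flag == "sufficient":
                # stop here: success, unless an earlier required module failed
                return (first_required_error or PAM_SUCCESS), invoked
        else:
            first_error = first_error or rc
            if flag == "required":
                first_required_error = first_required_error or rc
        if flag == "required":
            saw_required = True
    if first_required_error is not None:
        return first_required_error, invoked          # first failed required
    if saw_required or any_success:
        return PAM_SUCCESS, invoked                   # required all ok, or one optional/sufficient ok
    return (first_error or NO_VALID_ENTRY), invoked   # nothing required, all failed


def run(conf_text, service, module_type, results):
    """Parse the file, pick the stack for service/module_type, evaluate it."""
    stack = stack_for(parse_pam_conf(conf_text), service, module_type)
    if not stack:
        return NO_VALID_ENTRY, []                     # no valid entries of this type
    return evaluate_stack(stack, results)


if __name__ == "__main__":
    UNIX = "/usr/lib/security/libpam_unix.1"
    INHOUSE = "/usr/lib/security/libpam_inhouse.1"
    print(run(SAMPLE_CONF, "login", "auth", {UNIX: PAM_SUCCESS, INHOUSE: "PAM_AUTH_ERR"}))
    print(run(SAMPLE_CONF, "dtlogin", "auth", {UNIX: PAM_SUCCESS, INHOUSE: PAM_SUCCESS}))
```

      The second element of the result is the list of modules actually
      consulted, which makes the sufficient short-circuit visible: for
      dtlogin with a successful UNIX check only libpam_unix.1 appears, and
      libpam_inhouse.1 is reached only when the UNIX check fails.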

    Configuration Per User
      pam.conf contains information to configure all the users on a system.
      But sometimes it is necessary to configure on a per-user basis.  A
      user policy definition is made through a specific module named
      libpam_updbe.1.  This module reads a file named /etc/pam_user.conf
      which describes the per-user configuration.

      Below is a sample configuration file (/etc/pam.conf) that uses the
      module libpam_updbe.1.

	   login    auth     required	   /usr/lib/security/libpam_updbe.1
	   login    auth     required	   /usr/lib/security/libpam_unix.1
	   su	    auth     required	   /usr/lib/security/libpam_updbe.1
	   su	    auth     required	   /usr/lib/security/libpam_unix.1
	   OTHER    auth     required	   /usr/lib/security/libpam_unix.1

	   login    password required	   /usr/lib/security/libpam_updbe.1
	   login    password required	   /usr/lib/security/libpam_unix.1
	   passwd   password required	   /usr/lib/security/libpam_updbe.1
	   passwd   password required	   /usr/lib/security/libpam_unix.1
	   OTHER    password required	   /usr/lib/security/libpam_unix.1

      The module libpam_updbe.1 searches the configuration file
      /etc/pam_user.conf and reads the configuration associated with the
      login name of the current user.  If there is no configuration
      concerning the current user in the pam_user.conf file, the PAM
      framework ignores the line containing libpam_updbe.1.  The pam.conf
      entries then apply to those users who are not configured in
      pam_user.conf.

 NOTES
      If an error is found in an entry due to invalid service_name,
      module_type, or control_flag, then the entry is ignored.	If there are
      no valid entries for the given module_type, the PAM framework returns
      an error to the application.

 EXAMPLES
      The following is a sample pam.conf configuration file.  Lines that
      begin with the # symbol are treated as comments, and therefore
      ignored.

      #
      # PAM configuration
      #
      # Authentication management for login service is stacked.
      # Both UNIX and inhouse authentication functions are invoked.
      login   auth   required	/usr/lib/security/libpam_unix.1
      login   auth   required	/usr/lib/security/libpam_inhouse.1  try_first_pass
      dtlogin auth   required	/usr/lib/security/libpam_unix.1
      dtlogin auth   required	/usr/lib/security/libpam_inhouse.1  try_first_pass
      #
      # Other services use UNIX authentication
      other   auth     required	    /usr/lib/security/libpam_unix.1
      #
      # Account management for login service is stacked.
      # UNIX account management is required; inhouse account management is optional
      login   account  required	    /usr/lib/security/libpam_unix.1
      login   account  optional	    /usr/lib/security/libpam_inhouse.1
      dtlogin account  required	    /usr/lib/security/libpam_unix.1
      dtlogin account  optional	    /usr/lib/security/libpam_inhouse.1
      other   account  required	    /usr/lib/security/libpam_unix.1
      #
      # Session management
      other   session  required	    /usr/lib/security/libpam_unix.1
      #
      # Password management
      other   password required	    /usr/lib/security/libpam_unix.1

      The following is a sample pam.conf configuration which uses the
      libpam_updbe.1 module to configure a user.  Lines that begin with the
      # symbol are treated as comments, and therefore ignored.

      #
      # PAM configuration
      #
      # Authentication management for login service is stacked.
      # Both UNIX and inhouse authentication functions are invoked.
      login   auth   required	/usr/lib/security/libpam_updbe.1
      login   auth   required	/usr/lib/security/libpam_unix.1
      login   auth   required	/usr/lib/security/libpam_inhouse.1  try_first_pass
      dtlogin auth   required	/usr/lib/security/libpam_updbe.1
      dtlogin auth   required	/usr/lib/security/libpam_unix.1
      dtlogin auth   required	/usr/lib/security/libpam_inhouse.1  try_first_pass
      #
      # Other services use UNIX authentication
      other   auth     required	    /usr/lib/security/libpam_unix.1
      #
      # Account management for login service is stacked.
      # UNIX account management is required; inhouse account management is optional
      login   account  required	    /usr/lib/security/libpam_unix.1
      login   account  optional	    /usr/lib/security/libpam_inhouse.1
      dtlogin account  required	    /usr/lib/security/libpam_unix.1
      dtlogin account  optional	    /usr/lib/security/libpam_inhouse.1
      other   account  required	    /usr/lib/security/libpam_unix.1
      #
      # Session management
      other   session  required	    /usr/lib/security/libpam_unix.1
      #
      # Password management
      passwd  password required	    /usr/lib/security/libpam_updbe.1
      passwd  password required	    /usr/lib/security/libpam_unix.1
      other   password required	    /usr/lib/security/libpam_unix.1

    Utilities and Files
      Utilities known to use PAM include login, passwd, su, and dtlogin.

      The PAM configuration file does not dictate either the name or the
      location of the service specific modules.	 The convention, however, is
      the following:

	   /usr/lib/security/libpam_service_name.x
		Implements the functions of a specific authentication
		service.

	   /etc/pam.conf
		Configuration file.

	   /usr/lib/libpam.1
		Implements the PAM framework library.

 SEE ALSO
      dtlogin(1), login(1), passwd(1), su(1), pam(3).