HP Systems Insight Manager 7.2 Technical Reference Guide

Configuring PAM on a Linux system
The administrator of a Linux CMS can customize the PAM configuration that HP SIM uses. The
/etc/pam.d/mxpamauthrealm file contains the authentication steps for the HP SIM web server
interface. The defaults for this file are:
#%PAM-1.0
auth required /lib/security/pam_unix.so
account required /lib/security/pam_unix.so
session required /lib/security/pam_unix.so
This default setup directs PAM to use the standard UNIX authentication module to authenticate
users attempting to sign in to the HP SIM web server interface. Standard calls from the system
libraries access account information, usually read from /etc/passwd or /etc/shadow.
The administrator of the system can adjust these requirements to conform to the security requirements
of the system. For example, if the security policy on the system is time dependent and
/etc/security/time.conf is configured, you could adjust mxpamauthrealm to:
#%PAM-1.0
auth required /lib/security/pam_unix.so
account required /lib/security/pam_unix.so
account required /lib/security/pam_time.so
session required /lib/security/pam_unix.so
Configuring PAM on an HP-UX system
Customizing PAM security on HP-UX is similar. All of the PAM configurations are stored in
/etc/pam.conf.
The lines for HP SIM on HP-UX 11i are:
mxpamauthrealm auth required /usr/lib/security/libpam_unix.1
mxpamauthrealm account required /usr/lib/security/libpam_unix.1
mxpamauthrealm session required /usr/lib/security/libpam_unix.1
The lines for HP SIM on HP-UX 11i v2 are:
mxpamauthrealm auth required /usr/lib/security/$ISA/libpam_unix.1
mxpamauthrealm account required /usr/lib/security/$ISA/libpam_unix.1
mxpamauthrealm session required /usr/lib/security/$ISA/libpam_unix.1
If you want the HP SIM web server login model to match what is configured for your other login
methods (telnet, rlogin, login, ssh, and so on), configure the same plug-in modules that are used
by these other login methods. These modules must be defined by the login service name in the
/etc/pam.conf file or the /etc/pam.d/login file.
Authenticating Windows AD Users from Linux CMS
It is presumed that the Linux CMS has already been joined as a member of an LDAP server such
as Windows AD. Joining the Linux server to AD makes Active Directory’s authentication process
available to the Linux system. The Linux user name and password can be authenticated using
mechanisms such as Kerberos 5 network authentication. Authenticating Windows AD users from
the Linux CMS requires changes in the /etc/pam.d/mxpamauthrealm file. With these changes,
the domain name prefix does not need to be passed with the user name during sign-in to HP SIM.
Configuring authentication through the Kerberos authentication mechanism
auth required /lib/security/pam_unix.so
auth sufficient /lib/security/pam_krb5.so try_first_pass
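The following added example (not from the HP guide, and not HP SIM or Linux-PAM code) models how the required and sufficient control flags combine, and runs that model over the two auth lines above and over a constructed reordering for comparison. Module results are supplied as inputs; the names PAGE_STACK, REORDERED_STACK, parse_stack, evaluate and truth_table are assumptions of the example.

```python
# Added example: simplified model of PAM control flags, not HP SIM or Linux-PAM code.
# Covers required, requisite, sufficient, optional; "include" and [...] syntax are not handled.
import itertools

# The two auth lines from the Kerberos section of this page.
PAGE_STACK = """\
auth required /lib/security/pam_unix.so
auth sufficient /lib/security/pam_krb5.so try_first_pass
"""
# Constructed for comparison only: same modules, Kerberos tried first.
REORDERED_STACK = """\
auth sufficient /lib/security/pam_krb5.so
auth required /lib/security/pam_unix.so try_first_pass
"""

def parse_stack(text, mtype="auth"):
    """Return [(control, module)] for one module type from pam.d-style lines."""
    stack = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == mtype:
            stack.append((fields[1], fields[2].rsplit("/", 1)[-1]))
    return stack

def evaluate(stack, outcomes):
    """outcomes maps module name -> True (PAM_SUCCESS) or False (any failure)."""
    failed = succeeded = False
    for control, module in stack:
        ok = outcomes[module]
        if control == "requisite" and not ok:
            return False                 # fail at once, skip the rest
        if control in ("required", "requisite"):
            failed |= not ok             # failure is remembered, stack keeps running
            succeeded |= ok
        elif control == "sufficient" and ok and not failed:
            return True                  # success ends the stack early
        elif control == "optional":
            succeeded |= ok              # failure of optional/sufficient is ignored
    return succeeded and not failed

def truth_table(text):
    """Map every combination of module results (in stack order) to the stack result."""
    stack = parse_stack(text)
    names = [module for _, module in stack]
    return {combo: evaluate(stack, dict(zip(names, combo)))
            for combo in itertools.product([True, False], repeat=len(names))}

if __name__ == "__main__":
    for label, text in (("page", PAGE_STACK), ("reordered", REORDERED_STACK)):
        for combo, result in truth_table(text).items():
            print(label, combo, "->", "allow" if result else "deny")
```

Under these rules the two lines shown on this page allow a sign-in exactly when pam_unix.so succeeds, so after editing the file, test with an account that exists only in AD.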