Managing Systems and Workgroups: A Guide for HP-UX System Administrators
Administering a System: Managing System Security
Pluggable Authentication Modules (PAM)
Pluggable Authentication Modules (PAM) is an industry-standard
authentication framework.
PAM gives system administrators the flexibility of choosing any
authentication service available on the system to perform
authentication. The PAM framework also allows new authentication
service modules to be plugged in and made available without modifying
the applications.
For example, a system may use any user-authentication method, such as
the /etc/passwd file, NIS, NIS+, or Trusted System. Programs requiring
user authentication pass their requests to PAM, which determines the
correct verification method and returns the appropriate response. The
programs do not need to know what authentication method is being
used.
• HP-UX Release 10.20 introduced PAM for authenticating CDE
components.
• In Release 10.30, PAM was extended to provide authentication for
system commands on standard HP-UX, Trusted Systems, and the
Distributed Computing Environment (DCE) and to allow third-party
modules.
• In Release 11.0, PAM completely replaced the HP Integrated Login
technology.
• In Release 11i, PAM processing was extended to the remote login and
execution daemons, rexecd and remshd. See rexecd (1M) and remshd
(1M).
The PAM framework provides easy integration of additional security
technologies into HP-UX system entry commands. CDE components use
PAM to authenticate users, as well as establish user credentials (for
example, for DCE). CDE components are also capable of authenticating
users using the commercial security databases. Login authentication,
account checking, and password modification use the PAM interface.
The CDE users on systems belonging to DCE cells are able to
authenticate themselves with the DCE registry and obtain DCE
credentials at login time.
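The dispatch described above, where a program hands its request to PAM and PAM selects the configured modules, can be sketched with a simplified model of pam.conf(4) entries. This is an added example, not code from this guide or from HP-UX; the sample entries, the `exampled` service name used in testing, and the reduced three-flag evaluation rules are assumptions made for illustration.

```python
CONTROL_FLAGS = {"required", "sufficient", "optional"}

# Constructed sample in pam.conf(4) layout (not a shipped HP-UX file):
# service  module_type  control_flag  module_path  [options]
SAMPLE_CONF = """\
login    auth     required    /usr/lib/security/libpam_unix.1
login    account  required    /usr/lib/security/libpam_unix.1
dtlogin  auth     sufficient  /usr/lib/security/libpam_dce.1
dtlogin  auth     required    /usr/lib/security/libpam_unix.1 try_first_pass
OTHER    auth     required    /usr/lib/security/libpam_unix.1
"""

def parse_conf(text):
    """Map (service, module_type) to its ordered list of (flag, path, options)."""
    stacks = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue  # blank line or comment
        if len(fields) < 4 or fields[2] not in CONTROL_FLAGS:
            raise ValueError(f"malformed entry: {raw!r}")
        service, mtype, flag, path, *opts = fields
        stacks.setdefault((service.lower(), mtype), []).append((flag, path, opts))
    return stacks

def stack_for(stacks, service, mtype):
    """Entries for a service; a service with none falls back to OTHER."""
    return stacks.get((service.lower(), mtype)) or stacks.get(("other", mtype), [])

def evaluate(stack, module_results):
    """Simplified verdict; module_results maps module_path -> bool (constructed)."""
    required_seen = required_failed = False
    for flag, path, _opts in stack:
        ok = module_results.get(path, False)
        if flag == "required":
            required_seen = True
            required_failed = required_failed or not ok
        elif flag == "sufficient" and ok and not required_failed:
            return True  # success here ends the stack early
        # "optional" results do not change the verdict in this model
    return required_seen and not required_failed  # empty stack: deny

if __name__ == "__main__":
    stacks = parse_conf(SAMPLE_CONF)
    dce, unix = "/usr/lib/security/libpam_dce.1", "/usr/lib/security/libpam_unix.1"
    for results in ({dce: True, unix: False}, {dce: False, unix: True}, {}):
        print(results, evaluate(stack_for(stacks, "dtlogin", "auth"), results))
```

The calling program never names a module: changing which service authenticates users means editing the configuration entries, which is why those entries deserve the same review as any other access-control change.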