Managing Systems and Workgroups: A Guide for HP-UX System Administrators

Administering a System: Managing System Security
Pluggable Authentication Modules (PAM)
Chapter 8
System administrators can require CDE users to conform to the security
policies enforced in the Trusted System databases.
Control is available on both a system-wide and an individual user basis.
The system files are:
    /etc/pam.conf         System-wide control file.
    /etc/pam_user.conf    Individual user control file.
HP References: pam(3), pam.conf(4), pam_updbe(5), pam_user.conf(4).
Using SAM with PAM
In the System Administration Manager (SAM), you can use the
Authenticated Commands subarea of Auditing and Security to
manage the PAM configuration file (/etc/pam.conf). For each type of
PAM authentication — User Authentication (auth), Account
Management (account), Session Management (session), and Password
Management (password) — you can add, modify, or remove service
names from the PAM configuration file.
SAM is not able to manage the per-user file (/etc/pam_user.conf) or
the DCE interface; you must modify these by hand.
System-Wide Configuration
The PAM configuration file /etc/pam.conf defines the security
mechanisms that are used to authenticate users. Its default values
provide the customary operation of the system under both standard
HP-UX and Trusted Systems. It also provides support for controls on
individual users and for the DCE integrated login functionality.
(For DCE, use the auth.adm utility to create the desired configuration
file that is functionally equivalent to the former HP integrated login
auth.conf file.)
The PAM libraries (libpam and libpam_unix) and the configuration file
(/etc/pam.conf) must be in the system for users to be able to log in or
change passwords.
HP-UX authentication is dependent upon the file /etc/pam.conf. This
file must be owned by root with the following file permissions:
-r--r--r-- 1 root sys 1050 Nov 8 10:16 /etc/pam.conf
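
The ownership and permission requirement above, together with the four PAM types listed under "Using SAM with PAM", can be checked with a short script. This is an added example, not part of the HP guide: check_pam_conf and demo_pam_conf are hypothetical helper names, the EXPECTED_UID parameter is an assumption so the check can be tried on a scratch copy, and the sample entries are constructed in the pam.conf(4) field layout.

```shell
#!/bin/sh
# check_pam_conf FILE [EXPECTED_UID]  (hypothetical helper, added example)
# EXPECTED_UID defaults to 0 (root); it is a parameter only so the check can
# be tried on a scratch copy. Returns 0 on pass, 1 on any finding.
check_pam_conf() {
    file=$1
    want_uid=${2:-0}
    rc=0
    if [ ! -f "$file" ]; then
        echo "FAIL: $file is missing; logins and password changes depend on it"
        return 1
    fi
    # ls -ln gives the numeric owner; keep the 10 mode characters only so a
    # trailing ACL marker does not affect the comparison.
    set -- $(ls -ln "$file" | awk '{print substr($1, 1, 10), $3}')
    [ "$1" = "-r--r--r--" ] || { echo "FAIL: mode $1, expected -r--r--r--"; rc=1; }
    [ "$2" = "$want_uid" ] || { echo "FAIL: owner uid $2, expected $want_uid"; rc=1; }
    # pam.conf(4) layout: service module_type control_flag module_path [options]
    for type in auth account session password; do
        n=$(awk -v t="$type" '$1 !~ /^#/ && NF >= 4 && $2 == t { c++ } END { print c + 0 }' "$file")
        [ "$n" -gt 0 ] || { echo "FAIL: no '$type' entries"; rc=1; }
    done
    [ "$rc" -eq 0 ] && echo "OK: $file"
    return "$rc"
}

# Constructed sample (not a shipped HP-UX file), audited as the current user.
demo_pam_conf() {
    dir=${TMPDIR:-/tmp}/pamconf.$$
    mkdir "$dir" || return 1
    cat > "$dir/pam.conf" <<'EOF'
# service  module_type  control_flag  module_path
login      auth         required      /usr/lib/security/libpam_unix.1
login      account      required      /usr/lib/security/libpam_unix.1
login      session      required      /usr/lib/security/libpam_unix.1
login      password     required      /usr/lib/security/libpam_unix.1
EOF
    chmod 444 "$dir/pam.conf"
    check_pam_conf "$dir/pam.conf" "$(id -u)"
    status=$?
    rm -rf "$dir"
    return "$status"
}

demo_pam_conf
# On the HP-UX host itself, as root: check_pam_conf /etc/pam.conf
```

A FAIL line for mode or owner means the file can be altered by someone other than root, which would let that account change how every login on the system is authenticated.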